Fix: Enhance shared resource handling to avoid last-applied-configuration pollution (#6998 ) (#7000 )

(cherry picked from commit 552764d48f) Signed-off-by: Brian Kane <briankane1@gmail.com> Co-authored-by: Ayush Kumar <65535504+roguepikachu@users.noreply.github.com>
Fix: upgrade workflow to fix suspend (#6623 )
2026-02-28 00:33:56 +00:00 · 2025-11-26 08:06:12 -08:00 · 2024-09-29 01:57:45 +05:30 · 2024-09-19 09:53:07 +08:00 · 2024-09-19 09:51:43 +08:00 · 2024-04-22 15:31:51 +08:00
139 changed files with 2196 additions and 1147 deletions
--- a/.github/workflows/back-port.yml
+++ b/.github/workflows/back-port.yml
@@ -17,12 +17,12 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0

      - name: Open Backport PR
-        uses: zeebe-io/backport-action@bf5fdd624b35f95d5b85991a728bd5744e8c6cf2
+        uses: zeebe-io/backport-action@08bafb375e6e9a9a2b53a744b987e5d81a133191
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@@ -17,7 +17,7 @@ jobs:
      HELM_CHART_NAME: vela-core
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Get git revision
        id: vars
        shell: bash
@@ -28,7 +28,7 @@ jobs:
        with:
          version: v3.4.0
      - name: Setup node
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
        with:
          node-version: '14'
      - name: Generate helm doc
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,7 +23,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Initialize CodeQL
        uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -15,7 +15,7 @@ jobs:
  check:
    runs-on: ubuntu-22.04
    steps:
-      - uses: thehanimo/pr-title-checker@v1.4.0
+      - uses: thehanimo/pr-title-checker@v1.4.1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          pass_on_octokit_error: true
--- a/.github/workflows/core-api-test.yml
+++ b/.github/workflows/core-api-test.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Set up Go 1.19
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        env:
          GO_VERSION: '1.19'
        with:
@@ -25,7 +25,7 @@ jobs:
        id: go

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Get the version
        id: get_version
--- a/.github/workflows/definition-lint.yml
+++ b/.github/workflows/definition-lint.yml
@@ -23,12 +23,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@@ -31,7 +31,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -51,7 +51,7 @@ jobs:

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Install tools
        run: |
@@ -61,7 +61,7 @@ jobs:
          sudo snap install helm --classic

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -18,7 +18,7 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.22'

 jobs:

@@ -31,7 +31,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -51,7 +51,7 @@ jobs:

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Install tools
        run: |
@@ -61,7 +61,7 @@ jobs:
          sudo snap install helm --classic

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

@@ -78,7 +78,8 @@ jobs:
      - name: Get Ginkgo
        run: |
          go install github.com/onsi/ginkgo/v2/ginkgo@v2.10.0
-          go get github.com/onsi/gomega/...
+          go get github.com/onsi/gomega@v1.34.2
+          go mod tidy

      - name: Load image
        run: |
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -30,7 +30,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -44,12 +44,12 @@ jobs:

    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

@@ -69,12 +69,12 @@ jobs:

    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

@@ -83,7 +83,7 @@ jobs:
      # version, but we prefer this action because it leaves 'annotations' (i.e.
      # it comments on PRs to point out linter violations).
      - name: Lint
-        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
        with:
          version: ${{ env.GOLANGCI_VERSION }}

@@ -94,22 +94,22 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Setup node
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
        with:
          node-version: '14'

      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -139,17 +139,17 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -170,15 +170,15 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
      - name: Build Test for vela core
-        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: .
          file: Dockerfile
@@ -190,15 +190,15 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
      - name: Build Test for CLI
-        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: .
          file: Dockerfile.cli
--- a/.github/workflows/issue-commands.yml
+++ b/.github/workflows/issue-commands.yml
@@ -17,13 +17,13 @@ jobs:
      issues: write
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          repository: "oam-dev/kubevela-github-actions"
          path: ./actions
          ref: v0.4.2
      - name: Setup Node.js
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
        with:
          node-version: '14'
          cache: 'npm'
@@ -76,11 +76,11 @@ jobs:
            })
            console.log("Added '" + label + "' label.")
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0
      - name: Open Backport PR
-        uses: zeebe-io/backport-action@bf5fdd624b35f95d5b85991a728bd5744e8c6cf2
+        uses: zeebe-io/backport-action@08bafb375e6e9a9a2b53a744b987e5d81a133191
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -9,7 +9,6 @@ on:
    branches:
      - master
      - release-*
-      -
 permissions:
  contents: read

@@ -18,7 +17,7 @@ jobs:
    runs-on: ubuntu-22.04
    name: Check for unapproved licenses
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -16,7 +16,7 @@ jobs:
      packages: write
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Get the version
        id: get_version
        run: |
@@ -31,23 +31,23 @@ jobs:
        run: |
          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
      - name: Login ghcr.io
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login docker.io
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
-      - uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
+      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
        with:
          driver-opts: image=moby/buildkit:master

-      - uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+      - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        name: Build & Pushing vela-core for Dockerhub, GHCR
        with:
          context: .
@@ -65,7 +65,7 @@ jobs:
            docker.io/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+      - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        name: Build & Pushing CLI for Dockerhub, GHCR
        with:
          context: .
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,16 +24,16 @@ jobs:
    name: goreleaser
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0
      - run: git fetch --force --tags
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: 1.19
          cache: true
-      - uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
+      - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
        with:
          distribution: goreleaser
          version: 1.14.1
@@ -56,7 +56,7 @@ jobs:
    name: upload-sha256sums
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Update kubectl plugin version in krew-index
        uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46
      - name: Update Homebrew formula
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -23,12 +23,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # tag=v2.2.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
@@ -47,7 +47,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: SARIF file
          path: results.sarif
--- a/.github/workflows/sdk-test.yml
+++ b/.github/workflows/sdk-test.yml
@@ -26,10 +26,10 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

--- a/.github/workflows/sync-api.yml
+++ b/.github/workflows/sync-api.yml
@@ -18,12 +18,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Get the version
        id: get_version
--- a/.github/workflows/sync-sdk.yaml
+++ b/.github/workflows/sync-sdk.yaml
@@ -22,12 +22,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Get the version
        id: get_version
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Build Vela Core image from Dockerfile
        run: |
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -29,7 +29,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -43,17 +43,17 @@ jobs:

    steps:
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -155,6 +155,13 @@ issues:
      linters:
        - gocritic

+    # Gosmopolitan complains of internationalization issues on the file that actually defines
+    # the translation.
+    - path: i18n\.go
+      text: "Han"
+      linters:
+        - gosmopolitan
+
    # These are performance optimisations rather than style issues per se.
    # They warn when function arguments or range values copy a lot of memory
    # rather than using a pointer.
--- a/Dockerfile.e2e
+++ b/Dockerfile.e2e
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.22.7-alpine@sha256:48eab5e3505d8c8b42a06fe5f1cf4c346c167cc6a89e772f31cb9e5c301dcf60 as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
--- a/2
+++ b/2
@@ -62,7 +62,7 @@ staticcheck: staticchecktool
 ## lint: Run the golangci-lint
 lint: golangci
 	@$(INFO) lint
-	@$(GOLANGCILINT) run --skip-dirs 'scaffold'
+	@$(GOLANGCILINT) run --fix --verbose --skip-dirs 'scaffold'

 ## reviewable: Run the reviewable
 reviewable: manifests fmt vet lint staticcheck helm-doc-gen sdk_fmt
--- a/apis/types/componentmanifest.go
+++ b/apis/types/componentmanifest.go
@@ -26,13 +26,8 @@ type ComponentManifest struct {
 	Namespace    string
 	RevisionName string
 	RevisionHash string
-	// StandardWorkload contains K8s resource generated from "output" block of ComponentDefinition
-	StandardWorkload *unstructured.Unstructured
-	// Traits contains both resources generated from "outputs" block of ComponentDefinition and resources generated from TraitDefinition
-	Traits []*unstructured.Unstructured
-
-	// PackagedWorkloadResources contain all the workload related resources. It could be a Helm
-	// Release, Git Repo or anything that can package and run a workload.
-	PackagedWorkloadResources []*unstructured.Unstructured
-	PackagedTraitResources    map[string][]*unstructured.Unstructured
+	// ComponentOutput contains K8s resource generated from "output" block of ComponentDefinition
+	ComponentOutput *unstructured.Unstructured
+	// ComponentOutputsAndTraits contains both resources generated from "outputs" block of ComponentDefinition and resources generated from TraitDefinition
+	ComponentOutputsAndTraits []*unstructured.Unstructured
 }
--- a/charts/vela-core/README.md
+++ b/charts/vela-core/README.md
@@ -186,6 +186,21 @@ if [ $fluxcd ]; then
 fi
 ```

+Make sure all existing KubeVela resources deleted before uninstallation:
+```shell
+kubectl delete applicationrevisions.core.oam.dev --all
+kubectl delete applications.core.oam.dev --all
+kubectl delete componentdefinitions.core.oam.dev --all
+kubectl delete definitionrevisions.core.oam.dev --all
+kubectl delete policies.core.oam.dev --all
+kubectl delete policydefinitions.core.oam.dev --all
+kubectl delete resourcetrackers.core.oam.dev --all
+kubectl delete traitdefinitions.core.oam.dev --all
+kubectl delete workflows.core.oam.dev --all
+kubectl delete workflowstepdefinitions.core.oam.dev --all
+kubectl delete workloaddefinitions.core.oam.dev --all
+```
+
 To uninstall the KubeVela helm release:

 ```shell
--- a/charts/vela-core/templates/admission-webhooks/validatingWebhookConfiguration.yaml
+++ b/charts/vela-core/templates/admission-webhooks/validatingWebhookConfiguration.yaml
@@ -29,7 +29,7 @@ webhooks:
      - apiGroups:
          - core.oam.dev
        apiVersions:
-          - v1alpha2
+          - v1beta1
        operations:
          - CREATE
          - UPDATE
@@ -89,4 +89,30 @@ webhooks:
          - UPDATE
        resources:
          - componentdefinitions
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: {{ template "kubevela.name" . }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validating-core-oam-dev-v1beta1-policydefinitions
+    {{- if .Values.admissionWebhooks.patch.enabled  }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    name: validating.core.oam-dev.v1beta1.policydefinitions
+    sideEffects: None
+    admissionReviewVersions:
+      - v1beta1
+      - v1
+    rules:
+      - apiGroups:
+          - core.oam.dev
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - policydefinitions
 {{- end -}}
--- a/charts/vela-core/templates/defwithtemplate/annotations.yaml
+++ b/charts/vela-core/templates/defwithtemplate/annotations.yaml
@@ -4,7 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: TraitDefinition
 metadata:
  annotations:
-    definition.oam.dev/description: Add annotations on your workload. if it generates pod, add same annotations for generated pods.
+    definition.oam.dev/description: Add annotations on your workload. If it generates pod or job, add same annotations for generated pods.
  name: annotations
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
@@ -16,17 +16,21 @@ spec:
      template: |
        // +patchStrategy=jsonMergePatch
        patch: {
-        	metadata: annotations: {
+        	let annotationsContent = {
        		for k, v in parameter {
        			(k): v
        		}
        	}
-        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
-        		spec: template: metadata: annotations: {
-        			for k, v in parameter {
-        				(k): v
-        			}
-        		}
+
+        	metadata: annotations: annotationsContent
+        	if context.output.spec != _|_ if context.output.spec.template != _|_ {
+        		spec: template: metadata: annotations: annotationsContent
+        	}
+        	if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ {
+        		spec: jobTemplate: metadata: annotations: annotationsContent
+        	}
+        	if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ if context.output.spec.jobTemplate.spec != _|_ if context.output.spec.jobTemplate.spec.template != _|_ {
+        		spec: jobTemplate: spec: template: metadata: annotations: annotationsContent
        	}
        }
        parameter: [string]: string | null
--- a/charts/vela-core/templates/defwithtemplate/apply-component.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-component.yaml
@@ -19,5 +19,7 @@ spec:
        	component: string
        	// +usage=Specify the cluster
        	cluster: *"" | string
+        	// +usage=Specify the namespace
+        	namespace: *"" | string
        }

--- a/charts/vela-core/templates/defwithtemplate/container-ports.yaml
+++ b/charts/vela-core/templates/defwithtemplate/container-ports.yaml
@@ -70,6 +70,7 @@ spec:
        			ports: [ for portVar in _basePorts {
        				containerPort: portVar.containerPort
        				protocol:      portVar.protocol
+        				name:          portVar.name
        				_uniqueKey:    strings.ToLower(portVar.protocol) + strconv.FormatInt(portVar.containerPort, 10)
        				if _portsMap[_uniqueKey] != _|_ {
        					if _portsMap[_uniqueKey].hostPort != _|_ {
@@ -79,11 +80,6 @@ spec:
        						hostIP: _portsMap[_uniqueKey].hostIP
        					}
        				}
-        				if _portsMap[_uniqueKey] == _|_ {
-        					if portVar.name != _|_ {
-        						name: portVar.name
-        					}
-        				}
        			}] + [ for port in _params.ports if _basePortsMap[strings.ToLower(port.protocol)+strconv.FormatInt(port.containerPort, 10)] == _|_ {
        				if port.containerPort != _|_ {
        					containerPort: port.containerPort
--- a/charts/vela-core/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/cron-task.yaml
@@ -11,6 +11,138 @@ spec:
  schematic:
    cue:
      template: |
+        mountsArray: {
+        	pvc: *[
+        		for v in parameter.volumeMounts.pvc {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+
+        	configMap: *[
+        			for v in parameter.volumeMounts.configMap {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+
+        	secret: *[
+        		for v in parameter.volumeMounts.secret {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+
+        	emptyDir: *[
+        			for v in parameter.volumeMounts.emptyDir {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+
+        	hostPath: *[
+        			for v in parameter.volumeMounts.hostPath {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+        }
+        volumesArray: {
+        	pvc: *[
+        		for v in parameter.volumeMounts.pvc {
+        			{
+        				name: v.name
+        				persistentVolumeClaim: claimName: v.claimName
+        			}
+        		},
+        	] | []
+
+        	configMap: *[
+        			for v in parameter.volumeMounts.configMap {
+        			{
+        				name: v.name
+        				configMap: {
+        					defaultMode: v.defaultMode
+        					name:        v.cmName
+        					if v.items != _|_ {
+        						items: v.items
+        					}
+        				}
+        			}
+        		},
+        	] | []
+
+        	secret: *[
+        		for v in parameter.volumeMounts.secret {
+        			{
+        				name: v.name
+        				secret: {
+        					defaultMode: v.defaultMode
+        					secretName:  v.secretName
+        					if v.items != _|_ {
+        						items: v.items
+        					}
+        				}
+        			}
+        		},
+        	] | []
+
+        	emptyDir: *[
+        			for v in parameter.volumeMounts.emptyDir {
+        			{
+        				name: v.name
+        				emptyDir: medium: v.medium
+        			}
+        		},
+        	] | []
+
+        	hostPath: *[
+        			for v in parameter.volumeMounts.hostPath {
+        			{
+        				name: v.name
+        				hostPath: path: v.path
+        			}
+        		},
+        	] | []
+        }
+        volumesList: volumesArray.pvc + volumesArray.configMap + volumesArray.secret + volumesArray.emptyDir + volumesArray.hostPath
+        deDupVolumesArray: [
+        	for val in [
+        		for i, vi in volumesList {
+        			for j, vj in volumesList if j < i && vi.name == vj.name {
+        				_ignore: true
+        			}
+        			vi
+        		},
+        	] if val._ignore == _|_ {
+        		val
+        	},
+        ]
        output: {
        	if context.clusterVersion.minor < 25 {
        		apiVersion: "batch/v1beta1"
@@ -90,15 +222,18 @@ spec:
        									requests: memory: parameter.memory
        								}
        							}
-        							if parameter["volumes"] != _|_ {
+        							if parameter["volumes"] != _|_ if parameter["volumeMounts"] == _|_ {
        								volumeMounts: [ for v in parameter.volumes {
        									{
        										mountPath: v.mountPath
        										name:      v.name
        									}}]
        							}
+        							if parameter["volumeMounts"] != _|_ {
+        								volumeMounts: mountsArray.pvc + mountsArray.configMap + mountsArray.secret + mountsArray.emptyDir + mountsArray.hostPath
+        							}
        						}]
-        						if parameter["volumes"] != _|_ {
+        						if parameter["volumes"] != _|_ if parameter["volumeMounts"] == _|_ {
        							volumes: [ for v in parameter.volumes {
        								{
        									name: v.name
@@ -128,6 +263,9 @@ spec:
        									}
        								}}]
        						}
+        						if parameter["volumeMounts"] != _|_ {
+        							volumes: deDupVolumesArray
+        						}
        						if parameter["imagePullSecrets"] != _|_ {
        							imagePullSecrets: [ for v in parameter.imagePullSecrets {
        								name: v
@@ -224,7 +362,58 @@ spec:
        	// +usage=Specifies the attributes of the memory resource required for the container.
        	memory?: string

-        	// +usage=Declare volumes and volumeMounts
+        	volumeMounts?: {
+        		// +usage=Mount PVC type volume
+        		pvc?: [...{
+        			name:      string
+        			mountPath: string
+        			subPath?:  string
+        			// +usage=The name of the PVC
+        			claimName: string
+        		}]
+        		// +usage=Mount ConfigMap type volume
+        		configMap?: [...{
+        			name:        string
+        			mountPath:   string
+        			subPath?:    string
+        			defaultMode: *420 | int
+        			cmName:      string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}]
+        		// +usage=Mount Secret type volume
+        		secret?: [...{
+        			name:        string
+        			mountPath:   string
+        			subPath?:    string
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}]
+        		// +usage=Mount EmptyDir type volume
+        		emptyDir?: [...{
+        			name:      string
+        			mountPath: string
+        			subPath?:  string
+        			medium:    *"" | "Memory"
+        		}]
+        		// +usage=Mount HostPath type volume
+        		hostPath?: [...{
+        			name:      string
+        			mountPath: string
+        			subPath?:  string
+        			path:      string
+        		}]
+        	}
+
+        	// +usage=Deprecated field, use volumeMounts instead.
        	volumes?: [...{
        		name:      string
        		mountPath: string
--- a/charts/vela-core/templates/defwithtemplate/gateway.yaml
+++ b/charts/vela-core/templates/defwithtemplate/gateway.yaml
@@ -14,26 +14,35 @@ spec:
  podDisruptive: false
  schematic:
    cue:
-      template: |2
+      template: |
+        import "strconv"
+
        let nameSuffix = {
        	if parameter.name != _|_ {"-" + parameter.name}
        	if parameter.name == _|_ {""}
        }
-        let serviceOutputName = "service" + nameSuffix
-        let serviceMetaName = context.name + nameSuffix

-        outputs: (serviceOutputName): {
-        	apiVersion: "v1"
-        	kind:       "Service"
-        	metadata: name: "\(serviceMetaName)"
-        	spec: {
-        		selector: "app.oam.dev/component": context.name
-        		ports: [
-        			for k, v in parameter.http {
-        				port:       v
-        				targetPort: v
-        			},
-        		]
+        let serviceMetaName = {
+        	if (parameter.existingServiceName != _|_) {parameter.existingServiceName}
+        	if (parameter.existingServiceName == _|_) {context.name + nameSuffix}
+        }
+
+        if (parameter.existingServiceName == _|_) {
+        	let serviceOutputName = "service" + nameSuffix
+        	outputs: (serviceOutputName): {
+        		apiVersion: "v1"
+        		kind:       "Service"
+        		metadata: name: "\(serviceMetaName)"
+        		spec: {
+        			selector: "app.oam.dev/component": context.name
+        			ports: [
+        				for k, v in parameter.http {
+        					name:       "port-" + strconv.FormatInt(v, 10)
+        					port:       v
+        					targetPort: v
+        				},
+        			]
+        		}
        	}
        }

@@ -58,6 +67,18 @@ spec:
        			if parameter.gatewayHost != _|_ {
        				"ingress.controller/host": parameter.gatewayHost
        			}
+        			if parameter.annotations != _|_ {
+        				for key, value in parameter.annotations {
+        					"\(key)": "\(value)"
+        				}
+        			}
+        		}
+        		labels: {
+        			if parameter.labels != _|_ {
+        				for key, value in parameter.labels {
+        					"\(key)": "\(value)"
+        				}
+        			}
        		}
        	}
        	spec: {
@@ -122,6 +143,15 @@ spec:

        	// +usage=Specify a pathType for the ingress rules, defaults to "ImplementationSpecific"
        	pathType: *"ImplementationSpecific" | "Prefix" | "Exact"
+
+        	// +usage=Specify the annotations to be added to the ingress
+        	annotations?: [string]: string
+
+        	// +usage=Specify the labels to be added to the ingress
+        	labels?: [string]: string
+
+        	// +usage=If specified, use an existing Service rather than creating one
+        	existingServiceName?: string
        }
  status:
    customStatus: |-
--- a/charts/vela-core/templates/defwithtemplate/hpa.yaml
+++ b/charts/vela-core/templates/defwithtemplate/hpa.yaml
@@ -55,11 +55,11 @@ spec:
        						name: "memory"
        						target: {
        							type: parameter.mem.type
-        							if parameter.cpu.type == "Utilization" {
-        								averageUtilization: parameter.cpu.value
+        							if parameter.mem.type == "Utilization" {
+        								averageUtilization: parameter.mem.value
        							}
-        							if parameter.cpu.type == "AverageValue" {
-        								averageValue: parameter.cpu.value
+        							if parameter.mem.type == "AverageValue" {
+        								averageValue: parameter.mem.value
        							}
        						}
        					}
--- a/charts/vela-core/templates/defwithtemplate/resource.yaml
+++ b/charts/vela-core/templates/defwithtemplate/resource.yaml
@@ -13,43 +13,54 @@ spec:
    - statefulsets.apps
    - daemonsets.apps
    - jobs.batch
+    - cronjobs.batch
  podDisruptive: true
  schematic:
    cue:
-      template: |
-        patch: spec: template: spec: {
-        	// +patchKey=name
-        	containers: [{
-        		resources: {
-        			if parameter.cpu != _|_ if parameter.memory != _|_ if parameter.requests == _|_ if parameter.limits == _|_ {
-        				// +patchStrategy=retainKeys
-        				requests: {
-        					cpu:    parameter.cpu
-        					memory: parameter.memory
-        				}
-        				// +patchStrategy=retainKeys
-        				limits: {
-        					cpu:    parameter.cpu
-        					memory: parameter.memory
-        				}
+      template: |2
+        let resourceContent = {
+        	resources: {
+        		if parameter.cpu != _|_ if parameter.memory != _|_ if parameter.requests == _|_ if parameter.limits == _|_ {
+        			// +patchStrategy=retainKeys
+        			requests: {
+        				cpu:    parameter.cpu
+        				memory: parameter.memory
        			}
-
-        			if parameter.requests != _|_ {
-        				// +patchStrategy=retainKeys
-        				requests: {
-        					cpu:    parameter.requests.cpu
-        					memory: parameter.requests.memory
-        				}
-        			}
-        			if parameter.limits != _|_ {
-        				// +patchStrategy=retainKeys
-        				limits: {
-        					cpu:    parameter.limits.cpu
-        					memory: parameter.limits.memory
-        				}
+        			// +patchStrategy=retainKeys
+        			limits: {
+        				cpu:    parameter.cpu
+        				memory: parameter.memory
        			}
        		}
-        	}]
+
+        		if parameter.requests != _|_ {
+        			// +patchStrategy=retainKeys
+        			requests: {
+        				cpu:    parameter.requests.cpu
+        				memory: parameter.requests.memory
+        			}
+        		}
+        		if parameter.limits != _|_ {
+        			// +patchStrategy=retainKeys
+        			limits: {
+        				cpu:    parameter.limits.cpu
+        				memory: parameter.limits.memory
+        			}
+        		}
+        	}
+        }
+
+        if context.output.spec != _|_ if context.output.spec.template != _|_ {
+        	patch: spec: template: spec: {
+        		// +patchKey=name
+        		containers: [resourceContent]
+        	}
+        }
+        if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ {
+        	patch: spec: jobTemplate: spec: template: spec: {
+        		// +patchKey=name
+        		containers: [resourceContent]
+        	}
        }

        parameter: {
--- a/charts/vela-core/templates/defwithtemplate/startup-probe.yaml
+++ b/charts/vela-core/templates/defwithtemplate/startup-probe.yaml
@@ -65,7 +65,7 @@ spec:
        	// +usage=Instructions for assessing container startup status by probing a TCP socket. Either this attribute or the exec attribute or the tcpSocket attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with the exec attribute and the httpGet attribute and the gRPC attribute.
        	tcpSocket?: {
        		// +usage=Number or name of the port to access on the container.
-        		port: string
+        		port: int
        		// +usage=Host name to connect to, defaults to the pod IP.
        		host?: string
        	}
@@ -144,7 +144,7 @@ spec:
        					grpc: parameter.grpc
        				}
        				if parameter.tcpSocket != _|_ {
-        					tcpSocket: parameter.grtcpSocketpc
+        					tcpSocket: parameter.tcpSocket
        				}
        			}}
        		}]
--- a/charts/vela-core/templates/defwithtemplate/vela-cli.yaml
+++ b/charts/vela-core/templates/defwithtemplate/vela-cli.yaml
@@ -46,11 +46,11 @@ spec:
        				}
        			}
        		}
-        		if parameter.storage != _|_ && parameter.storage.hostPath != _|_ for v in parameter.storage.hostPath {
-        			{
-        				name: "hostpath-" + v.name
-        				path: v.path
-        			}
+        	},
+        	if parameter.storage != _|_ && parameter.storage.hostPath != _|_ for v in parameter.storage.hostPath {
+        		{
+        			name: "hostpath-" + v.name
+        			path: v.path
        		}
        	},
        ]
--- a/charts/vela-core/templates/defwithtemplate/webservice.yaml
+++ b/charts/vela-core/templates/defwithtemplate/webservice.yaml
@@ -165,14 +165,20 @@ spec:
        					if parameter["ports"] != _|_ {
        						ports: [ for v in parameter.ports {
        							{
-        								containerPort: v.port
-        								protocol:      v.protocol
+        								containerPort: {
+        									if v.containerPort != _|_ {v.containerPort}
+        									if v.containerPort == _|_ {v.port}
+        								}
+        								protocol: v.protocol
        								if v.name != _|_ {
        									name: v.name
        								}
        								if v.name == _|_ {
-        									_name: "port-" + strconv.FormatInt(v.port, 10)
-        									name:  *_name | string
+        									_name: {
+        										if v.containerPort != _|_ {"port-" + strconv.FormatInt(v.containerPort, 10)}
+        										if v.containerPort == _|_ {"port-" + strconv.FormatInt(v.port, 10)}
+        									}
+        									name: *_name | string
        									if v.protocol != "TCP" {
        										name: _name + "-" + strings.ToLower(v.protocol)
        									}
@@ -290,14 +296,20 @@ spec:

        exposePorts: [
        	if parameter.ports != _|_ for v in parameter.ports if v.expose == true {
-        		port:       v.port
-        		targetPort: v.port
-        		if v.name != _|_ {
-        			name: v.name
-        		}
+        		port: v.port
+        		if v.containerPort != _|_ {targetPort: v.containerPort}
+        		if v.containerPort == _|_ {targetPort: v.port}
+        		if v.name != _|_ {name: v.name}
        		if v.name == _|_ {
-        			_name: "port-" + strconv.FormatInt(v.port, 10)
-        			name:  *_name | string
+        			_name: {
+        				if v.containerPort != _|_ {
+        					"port-" + strconv.FormatInt(v.containerPort, 10)
+        				}
+        				if v.containerPort == _|_ {
+        					"port-" + strconv.FormatInt(v.port, 10)
+        				}
+        			}
+        			name: *_name | string
        			if v.protocol != "TCP" {
        				name: _name + "-" + strings.ToLower(v.protocol)
        			}
@@ -352,6 +364,8 @@ spec:
        	ports?: [...{
        		// +usage=Number of port to expose on the pod's IP address
        		port: int
+        		// +usage=Number of container port to connect to, defaults to port
+        		containerPort?: int
        		// +usage=Name of the port
        		name?: string
        		// +usage=Protocol for port. Must be UDP, TCP, or SCTP
--- a/charts/vela-core/templates/kubevela-controller.yaml
+++ b/charts/vela-core/templates/kubevela-controller.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "kubevela.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubevela.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
@@ -121,6 +122,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "kubevela.fullname" . }}:leader-election-role
+  namespace: {{ .Release.Namespace }}
 rules:
  - apiGroups:
      - ""
@@ -154,6 +156,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "kubevela.fullname" . }}:leader-election-rolebinding
+  namespace: {{ .Release.Namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@@ -168,6 +171,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "kubevela.fullname" . }}:template-reader-role
+  namespace: {{ .Release.Namespace }}
 rules:
  - apiGroups:
      - ""
@@ -188,6 +192,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "kubevela.fullname" . }}:template-reader-binding
+  namespace: {{ .Release.Namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
--- a/cmd/core/app/server.go
+++ b/cmd/core/app/server.go
@@ -75,6 +75,10 @@ func NewCoreCommand() *cobra.Command {
 			return run(signals.SetupSignalHandler(), s)
 		},
 		SilenceUsage: true,
+		FParseErrWhitelist: cobra.FParseErrWhitelist{
+			// Allow unknown flags for backward-compatibility.
+			UnknownFlags: true,
+		},
 	}

 	fs := cmd.Flags()
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/bluele/gcache v0.0.2
 	github.com/briandowns/spinner v1.23.0
 	github.com/chartmuseum/helm-push v0.10.4
-	github.com/containerd/containerd v1.7.2
+	github.com/containerd/containerd v1.7.5
 	github.com/crossplane/crossplane-runtime v0.19.2
 	github.com/cue-exp/kubevelafix v0.0.0-20220922150317-aead819d979d
 	github.com/dave/jennifer v1.6.1
@@ -25,19 +25,19 @@ require (
 	github.com/gdamore/tcell/v2 v2.6.0
 	github.com/getkin/kin-openapi v0.118.0
 	github.com/go-git/go-git/v5 v5.8.1
-	github.com/go-logr/logr v1.2.4
-	github.com/go-resty/resty/v2 v2.7.0
+	github.com/go-logr/logr v1.3.0
+	github.com/go-resty/resty/v2 v2.8.0
 	github.com/golang/mock v1.6.0
-	github.com/google/go-cmp v0.5.9
+	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.16.1
 	github.com/google/go-github/v32 v32.1.0
 	github.com/gosuri/uitable v0.0.4
 	github.com/hashicorp/go-version v1.6.0
-	github.com/hashicorp/hcl/v2 v2.17.0
+	github.com/hashicorp/hcl/v2 v2.18.0
 	github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174
 	github.com/imdario/mergo v0.3.16
-	github.com/kubevela/pkg v1.8.1-0.20230522085329-7d5e1241a86d
-	github.com/kubevela/workflow v0.6.0
+	github.com/kubevela/pkg v1.9.2
+	github.com/kubevela/workflow v0.6.1
 	github.com/kyokomi/emoji v2.2.4+incompatible
 	github.com/magiconair/properties v1.8.7
 	github.com/mattn/go-runewidth v0.0.15
@@ -46,10 +46,10 @@ require (
 	github.com/oam-dev/cluster-gateway v1.9.0-alpha.2
 	github.com/oam-dev/cluster-register v1.0.4-0.20230424040021-147f7c1fefe5
 	github.com/oam-dev/terraform-config-inspect v0.0.0-20210418082552-fc72d929aa28
-	github.com/oam-dev/terraform-controller v0.7.11
+	github.com/oam-dev/terraform-controller v0.8.0
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/onsi/ginkgo/v2 v2.11.0
-	github.com/onsi/gomega v1.27.8
+	github.com/onsi/ginkgo/v2 v2.13.1
+	github.com/onsi/gomega v1.29.0
 	github.com/openkruise/kruise-api v1.4.0
 	github.com/openkruise/rollouts v0.3.0
 	github.com/pelletier/go-toml v1.9.5
@@ -64,16 +64,16 @@ require (
 	github.com/stretchr/testify v1.8.4
 	github.com/tidwall/gjson v1.14.4
 	github.com/wercker/stern v0.0.0-20190705090245-4fa46dd6987f
-	github.com/xanzy/go-gitlab v0.86.0
+	github.com/xanzy/go-gitlab v0.91.1
 	github.com/xlab/treeprint v1.2.0
 	go.uber.org/multierr v1.11.0
-	golang.org/x/crypto v0.11.0
-	golang.org/x/oauth2 v0.10.0
-	golang.org/x/sync v0.3.0
-	golang.org/x/term v0.10.0
-	golang.org/x/text v0.12.0
-	golang.org/x/tools v0.11.0
-	gomodules.xyz/jsonpatch/v2 v2.3.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/oauth2 v0.12.0
+	golang.org/x/sync v0.4.0
+	golang.org/x/term v0.18.0
+	golang.org/x/text v0.14.0
+	golang.org/x/tools v0.14.0
+	gomodules.xyz/jsonpatch/v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.11.2
 	k8s.io/api v0.26.3
@@ -99,7 +99,7 @@ require (

 require (
 	dario.cat/mergo v1.0.0 // indirect
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -117,6 +117,7 @@ require (
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1704 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
@@ -131,7 +132,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/creack/pty v1.1.18 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/docker/cli v24.0.0+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v24.0.0+incompatible // indirect
@@ -268,15 +269,16 @@ require (
 	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/automaxprocs v1.5.3 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/net v0.12.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/mod v0.13.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
 	google.golang.org/grpc v1.53.0 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -10,8 +10,8 @@ cuelang.org/go v0.5.0/go.mod h1:okjJBHFQFer+a41sAe2SaGm1glWS8oEb6CmJvn5Zdws=
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AlecAivazis/survey/v2 v2.1.1 h1:LEMbHE0pLj75faaVEKClEX1TM4AJmmnOh9eimREzLWI=
 github.com/AlecAivazis/survey/v2 v2.1.1/go.mod h1:9FJRdMdDm8rnT+zHVbvQT2RTSTLq0Ttd6q3Vl2fahjk=
 github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
@@ -71,7 +71,7 @@ github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki
 github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
-github.com/agiledragon/gomonkey/v2 v2.4.0 h1:YDQJYiSQ8o78dCMXehU1E4F/Kh4jPX+MV+/iK/yfL7s=
+github.com/agiledragon/gomonkey/v2 v2.9.0 h1:PDiKKybR596O6FHW+RVSG0Z7uGCBNbmbUXh3uCNQ7Hc=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -91,6 +91,8 @@ github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:o
 github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
+github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
+github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -163,9 +165,9 @@ github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
-github.com/containerd/containerd v1.7.2 h1:UF2gdONnxO8I6byZXDi5sXWiWvlW3D/sci7dTQimEJo=
-github.com/containerd/containerd v1.7.2/go.mod h1:afcz74+K10M/+cjGHIVQrCt3RAQhUSCAjJ9iMYhhkuI=
-github.com/containerd/continuity v0.4.1 h1:wQnVrjIyQ8vhU2sgOiL5T07jo+ouqc2bnKsv5/EqGhU=
+github.com/containerd/containerd v1.7.5 h1:i9T9XpAWMe11BHMN7pu1BZqOGjXaKTPyz2v+KYOZgkY=
+github.com/containerd/containerd v1.7.5/go.mod h1:ieJNCSzASw2shSGYLHx8NAE7WsZ/gEigo5fQ78W5Zvw=
+github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
@@ -193,8 +195,8 @@ github.com/crossplane/crossplane-runtime v0.19.2 h1:9qBnhpqKN4x6apF2siaQ6PvgxqBX
 github.com/crossplane/crossplane-runtime v0.19.2/go.mod h1:OJQ1NxtQK2ZTRmvtnQPoy8LsXsARTnVydRVDQEgIuz4=
 github.com/cue-exp/kubevelafix v0.0.0-20220922150317-aead819d979d h1:VNJA1nSKA8Xna5wjUIMItHlWmEej8Bb9fZ3vCNtIAX0=
 github.com/cue-exp/kubevelafix v0.0.0-20220922150317-aead819d979d/go.mod h1:SyTryzw/zYJIogw3H2IRcYdV5gsSoVMJiKGElcQK09I=
-github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
-github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/dave/jennifer v1.6.1 h1:T4T/67t6RAA5AIV6+NP8Uk/BIsXgDoqEowgycdQQLuk=
 github.com/dave/jennifer v1.6.1/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -325,8 +327,8 @@ github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTg
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
-github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro=
@@ -343,8 +345,8 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh
 github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
 github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
-github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
-github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
+github.com/go-resty/resty/v2 v2.8.0 h1:J29d0JFWwSWrDCysnOK/YjsPMLQTx0TvgJEHVGvf2L8=
+github.com/go-resty/resty/v2 v2.8.0/go.mod h1:UCui0cMHekLrSntoMyofdSTaPpinlRHFtPpizuyDW2w=
 github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -428,8 +430,9 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ=
 github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
 github.com/google/go-github/v32 v32.1.0 h1:GWkQOdXqviCPx7Q7Fj+KyPoGm4SwHRh8rheoPhd27II=
@@ -511,8 +514,8 @@ github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f/go.mod h1:oZtUIOe8dh
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/hcl/v2 v2.0.0/go.mod h1:oVVDG71tEinNGYCxinCYadcmKU9bglqW9pV3txagJ90=
-github.com/hashicorp/hcl/v2 v2.17.0 h1:z1XvSUyXd1HP10U4lrLg5e0JMVz6CPaJvAgxM0KNZVY=
-github.com/hashicorp/hcl/v2 v2.17.0/go.mod h1:gJyW2PTShkJqQBKpAmPO3yxMxIuoXkOF2TpqXzrQyx4=
+github.com/hashicorp/hcl/v2 v2.18.0 h1:wYnG7Lt31t2zYkcquwgKo6MWXzRUDIeIVU5naZwHLl8=
+github.com/hashicorp/hcl/v2 v2.18.0/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
@@ -598,10 +601,10 @@ github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubevela/pkg v1.8.1-0.20230522085329-7d5e1241a86d h1:QMmTg33lUZEfTz94eYJKa6Nb7GDcEOmuXsXRt/dA5vk=
-github.com/kubevela/pkg v1.8.1-0.20230522085329-7d5e1241a86d/go.mod h1:3ZWrl2+zb5ROdC2NJPPrL/4sun4M10wYfRP/9gF9WJE=
-github.com/kubevela/workflow v0.6.0 h1:fYXviOYD5zqHs3J61tNbM4HZ85EcZlPm7Fyz8Q5o9Fk=
-github.com/kubevela/workflow v0.6.0/go.mod h1:sjLcYqKHKeCQ+w77gijoNILwIShJKnCU+e3q7ETtZGI=
+github.com/kubevela/pkg v1.9.2 h1:K6pGoJikf6l8vlfehewmb36hyToX0KpUaQP4NVET/S8=
+github.com/kubevela/pkg v1.9.2/go.mod h1:u/MGuFXVSECxvIWdTKS4AQs1H+USfAMQgi30BUrOb04=
+github.com/kubevela/workflow v0.6.1 h1:x6ro6dTzi5Rrh0pnnqRbNMlhvhP5Rzsls44gP1C3qzw=
+github.com/kubevela/workflow v0.6.1/go.mod h1:sjLcYqKHKeCQ+w77gijoNILwIShJKnCU+e3q7ETtZGI=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
@@ -742,8 +745,8 @@ github.com/oam-dev/stern v1.13.2 h1:jlGgtJbKmIVhzkH44ft5plkgs8XEfvxbFrQdX60CQR4=
 github.com/oam-dev/stern v1.13.2/go.mod h1:0pLjZt0amXE/ErF16Rdrgd98H2owN8Hmn3/7CX5+AeA=
 github.com/oam-dev/terraform-config-inspect v0.0.0-20210418082552-fc72d929aa28 h1:tD8HiFKnt0jnwdTWjeqUnfnUYLD/+Nsmj8ZGIxqDWiU=
 github.com/oam-dev/terraform-config-inspect v0.0.0-20210418082552-fc72d929aa28/go.mod h1:Mu8i0/DdplvnjwRbAYPsc8+LRR27n/mp8VWdkN10GzE=
-github.com/oam-dev/terraform-controller v0.7.11 h1:uucdSBLL0PUz60hOZfjsAe/ivrd/K/2u0Iko8nVQIE0=
-github.com/oam-dev/terraform-controller v0.7.11/go.mod h1:xvgChKG0pij0WEKRrX7w30SdVBPVOlRl/+Mv7+2C1cI=
+github.com/oam-dev/terraform-controller v0.8.0 h1:/881bAELCsceSj+Zh3Nsu8Ym5N7D5Ho0HsWzO+TDc1w=
+github.com/oam-dev/terraform-controller v0.8.0/go.mod h1:ydc9iHjgLzwuWB+MlE2vRA8gOZsif0T4E2FL34K8CZ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
@@ -761,8 +764,8 @@ github.com/onsi/ginkgo/v2 v2.3.0/go.mod h1:Eew0uilEqZmIEZr8JrvYlvOM7Rr6xzTmMV8Ay
 github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo=
 github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw=
 github.com/onsi/ginkgo/v2 v2.6.0/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc=
-github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
-github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
+github.com/onsi/ginkgo/v2 v2.13.1 h1:LNGfMbR2OVGBfXjvRZIZ2YCTQdGKtPLvuI1rMCCj3OU=
+github.com/onsi/ginkgo/v2 v2.13.1/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@@ -774,8 +777,8 @@ github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ
 github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
 github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
 github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM=
-github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc=
-github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ=
+github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
+github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
@@ -816,6 +819,7 @@ github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
 github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
@@ -966,8 +970,8 @@ github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN
 github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
 github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
-github.com/xanzy/go-gitlab v0.86.0 h1:jR8V9cK9jXRQDb46KOB20NCF3ksY09luaG0IfXE6p7w=
-github.com/xanzy/go-gitlab v0.86.0/go.mod h1:5ryv+MnpZStBH8I/77HuQBsMbBGANtVpLWC15qOjWAw=
+github.com/xanzy/go-gitlab v0.91.1 h1:gnV57IPGYywWer32oXKBcdmc8dVxeKl3AauV8Bu17rw=
+github.com/xanzy/go-gitlab v0.91.1/go.mod h1:5ryv+MnpZStBH8I/77HuQBsMbBGANtVpLWC15qOjWAw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -1079,6 +1083,8 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
+go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
@@ -1121,8 +1127,9 @@ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
@@ -1145,8 +1152,8 @@ golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
+golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1185,7 +1192,6 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
@@ -1198,8 +1204,10 @@ golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1211,8 +1219,8 @@ golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
-golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
+golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4=
+golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1225,8 +1233,8 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1300,8 +1308,10 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1313,8 +1323,10 @@ golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
-golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -1326,8 +1338,10 @@ golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1366,15 +1380,15 @@ golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8=
-golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
+golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
+golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY=
-gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc=
-gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
@@ -1456,8 +1470,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
--- a/makefiles/build.mk
+++ b/makefiles/build.mk
@@ -9,7 +9,7 @@ kubectl-vela:

 # Build the docker image
 .PHONY: docker-build
-docker-build: docker-build-core docker-build-apiserver docker-build-cli
+docker-build: docker-build-core docker-build-cli
 	@$(OK)

 .PHONY: docker-build-core
--- a/makefiles/dependency.mk
+++ b/makefiles/dependency.mk
@@ -46,12 +46,13 @@ else
 GOIMPORTS=$(shell which goimports)
 endif

+CUE_VERSION ?= v0.6.0
 .PHONY: installcue
 installcue:
 ifeq (, $(shell which cue))
 	@{ \
 	set -e ;\
-	go install cuelang.org/go/cmd/cue@latest ;\
+	go install cuelang.org/go/cmd/cue@$(CUE_VERSION) ;\
 	}
 CUE=$(GOBIN)/cue
 else
--- a/pkg/addon/addon.go
+++ b/pkg/addon/addon.go
@@ -124,6 +124,9 @@ const (

 	// InstallerRuntimeOption inject install runtime info into addon options
 	InstallerRuntimeOption string = "installerRuntimeOption"
+
+	// CUEExtension with the expected extension for CUE files
+	CUEExtension = ".cue"
 )

 // ParameterFileName is the addon resources/parameter.cue file name
@@ -396,7 +399,7 @@ func readResFile(a *InstallPackage, reader AsyncReader, readPath string) error {
 	}
 	file := ElementFile{Data: b, Name: filepath.Base(readPath)}
 	switch filepath.Ext(filename) {
-	case ".cue":
+	case CUEExtension:
 		a.CUETemplates = append(a.CUETemplates, file)
 	case ".yaml", ".yml":
 		a.YAMLTemplates = append(a.YAMLTemplates, file)
@@ -425,7 +428,7 @@ func readDefFile(a *UIData, reader AsyncReader, readPath string) error {
 	filename := path.Base(readPath)
 	file := ElementFile{Data: b, Name: filepath.Base(readPath)}
 	switch filepath.Ext(filename) {
-	case ".cue":
+	case CUEExtension:
 		a.CUEDefinitions = append(a.CUEDefinitions, file)
 	case ".yaml", ".yml":
 		a.Definitions = append(a.Definitions, file)
@@ -442,7 +445,7 @@ func readConfigTemplateFile(a *UIData, reader AsyncReader, readPath string) erro
 		return err
 	}
 	filename := path.Base(readPath)
-	if filepath.Ext(filename) != ".cue" {
+	if filepath.Ext(filename) != CUEExtension {
 		return nil
 	}
 	file := ElementFile{Data: b, Name: filepath.Base(readPath)}
@@ -458,7 +461,7 @@ func readViewFile(a *InstallPackage, reader AsyncReader, readPath string) error
 	}
 	filename := path.Base(readPath)
 	switch filepath.Ext(filename) {
-	case ".cue":
+	case CUEExtension:
 		a.CUEViews = append(a.CUEViews, ElementFile{Data: b, Name: filepath.Base(readPath)})
 	case ".yaml", ".yml":
 		a.YAMLViews = append(a.YAMLViews, ElementFile{Data: b, Name: filepath.Base(readPath)})
@@ -582,7 +585,7 @@ func unmarshalToContent(content []byte) (fileContent *github.RepositoryContent,
 	if directoryUnmarshalError == nil {
 		return nil, directoryContent, nil
 	}
-	return nil, nil, fmt.Errorf("unmarshalling failed for both file and directory content: %s and %w", fileUnmarshalError, directoryUnmarshalError)
+	return nil, nil, fmt.Errorf("unmarshalling failed for both file and directory content: %s and %w", fileUnmarshalError.Error(), directoryUnmarshalError)
 }

 func genAddonAPISchema(addonRes *UIData) error {
--- a/pkg/addon/addon_test.go
+++ b/pkg/addon/addon_test.go
@@ -1135,13 +1135,16 @@ func TestPackageAddon(t *testing.T) {
 }

 func TestGenerateAnnotation(t *testing.T) {
-	meta := Meta{SystemRequirements: &SystemRequirements{
-		VelaVersion:       ">1.4.0",
-		KubernetesVersion: ">1.20.0",
-	}}
+	meta := Meta{
+		Name: "test-addon",
+		SystemRequirements: &SystemRequirements{
+			VelaVersion:       ">1.4.0",
+			KubernetesVersion: ">1.20.0",
+		}}
 	res := generateAnnotation(&meta)
 	assert.Equal(t, res[velaSystemRequirement], ">1.4.0")
 	assert.Equal(t, res[kubernetesSystemRequirement], ">1.20.0")
+	assert.Equal(t, res[addonSystemRequirement], meta.Name)

 	meta = Meta{}
 	meta.SystemRequirements = &SystemRequirements{KubernetesVersion: ">=1.20.1"}
--- a/pkg/addon/cache.go
+++ b/pkg/addon/cache.go
@@ -337,6 +337,11 @@ func (u *Cache) listVersionRegistryUIDataAndCache(r Registry) ([]*UIData, error)
 			klog.Errorf("fail to get addon from versioned registry %s, addon %s version %s for cache updating, %v", r.Name, addon.Name, addon.Version, err)
 			continue
 		}
+		// identity an addon from helm chart structure
+		if uiData.Name == "" {
+			addon.Name = ""
+			continue
+		}
 		u.putVersionedUIData2Cache(r.Name, addon.Name, addon.Version, uiData)
 		// we also no version key, if use get addonUIData without version will return this vale as latest data.
 		u.putVersionedUIData2Cache(r.Name, addon.Name, "latest", uiData)
--- a/pkg/addon/push.go
+++ b/pkg/addon/push.go
@@ -167,7 +167,9 @@ func (p *PushCmd) Push(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 	return handlePushResponse(resp)
 }

--- a/pkg/addon/utils.go
+++ b/pkg/addon/utils.go
@@ -448,6 +448,7 @@ func generateAnnotation(meta *Meta) map[string]string {
 			res[kubernetesSystemRequirement] = meta.SystemRequirements.KubernetesVersion
 		}
 	}
+	res[addonSystemRequirement] = meta.Name
 	return res
 }

--- a/pkg/addon/versioned_registry.go
+++ b/pkg/addon/versioned_registry.go
@@ -38,6 +38,8 @@ const (
 	velaSystemRequirement = `system.vela`
 	// kubernetesSystemRequirement is the kubernetes requirement annotation key
 	kubernetesSystemRequirement = `system.kubernetes`
+	// addonSystemRequirement is the annotation key to identity an addon from helm chart structure
+	addonSystemRequirement = `addon.name`
 )

 // VersionedRegistry is the interface of support version registry
@@ -159,7 +161,7 @@ func (i versionedRegistry) loadAddon(ctx context.Context, name, version string)
 	sort.Sort(sort.Reverse(versions))
 	addonVersion, availableVersions := chooseVersion(version, versions)
 	if addonVersion == nil {
-		return nil, errors.Errorf("specified version %s not exist", utils.Sanitize(version))
+		return nil, errors.Errorf("specified version %s for addon %s not exist", utils.Sanitize(version), name)
 	}
 	for _, chartURL := range addonVersion.URLs {
 		if !utils.IsValidURL(chartURL) {
@@ -229,6 +231,7 @@ func loadAddonPackage(addonName string, files []*loader.BufferedFile) (*WholeAdd
 }

 // chooseVersion will return the target version and all available versions
+// This function is not sensitive to v-prefix, which means if specifiedVersion=0.3.0, v0.3.0 can be chosen.
 func chooseVersion(specifiedVersion string, versions []*repo.ChartVersion) (*repo.ChartVersion, []string) {
 	var addonVersion *repo.ChartVersion
 	var availableVersions []string
@@ -239,7 +242,7 @@ func chooseVersion(specifiedVersion string, versions []*repo.ChartVersion) (*rep
 			continue
 		}
 		if len(specifiedVersion) != 0 {
-			if v.Version == specifiedVersion {
+			if utils.IgnoreVPrefix(v.Version) == utils.IgnoreVPrefix(specifiedVersion) {
 				addonVersion = versions[i]
 			}
 		} else {
--- a/pkg/addon/versioned_registry_test.go
+++ b/pkg/addon/versioned_registry_test.go
@@ -51,13 +51,36 @@ func TestChooseAddonVersion(t *testing.T) {
 			},
 		},
 	}
-	targetVersion, availableVersion := chooseVersion("v1.2.0", versions)
-	assert.Equal(t, availableVersion, []string{"v1.4.0-beta1", "v1.3.6", "v1.2.0"})
-	assert.Equal(t, targetVersion.Version, "v1.2.0")
-
-	targetVersion, availableVersion = chooseVersion("", versions)
-	assert.Equal(t, availableVersion, []string{"v1.4.0-beta1", "v1.3.6", "v1.2.0"})
-	assert.Equal(t, targetVersion.Version, "v1.3.6")
+	avs := []string{"v1.4.0-beta1", "v1.3.6", "v1.2.0"}
+	for _, tc := range []struct {
+		name             string
+		specifiedVersion string
+		wantVersion      string
+		wantAVersions    []string
+	}{
+		{
+			name:             "choose specified",
+			specifiedVersion: "v1.2.0",
+			wantVersion:      "v1.2.0",
+			wantAVersions:    avs,
+		},
+		{
+			name:             "choose specified, ignore v prefix",
+			specifiedVersion: "1.2.0",
+			wantVersion:      "v1.2.0",
+			wantAVersions:    avs,
+		},
+		{
+			name:             "not specifying version, choose non-prerelease && highest version",
+			specifiedVersion: "",
+			wantVersion:      "v1.3.6",
+			wantAVersions:    avs,
+		},
+	} {
+		targetVersion, availableVersion := chooseVersion(tc.specifiedVersion, versions)
+		assert.Equal(t, availableVersion, tc.wantAVersions)
+		assert.Equal(t, targetVersion.Version, tc.wantVersion)
+	}
 }

 var versionedHandler http.HandlerFunc = func(writer http.ResponseWriter, request *http.Request) {
--- a/pkg/appfile/appfile.go
+++ b/pkg/appfile/appfile.go
@@ -203,7 +203,7 @@ type Appfile struct {

 // GeneratePolicyManifests generates policy manifests from an appFile
 // internal policies like apply-once, topology, will not render manifests
-func (af *Appfile) GeneratePolicyManifests(ctx context.Context) ([]*unstructured.Unstructured, error) {
+func (af *Appfile) GeneratePolicyManifests(_ context.Context) ([]*unstructured.Unstructured, error) {
 	var manifests []*unstructured.Unstructured
 	for _, policy := range af.ParsedPolicies {
 		un, err := af.generatePolicyUnstructured(policy)
@@ -266,10 +266,10 @@ func generatePolicyUnstructuredFromCUEModule(comp *Component, artifacts []*types
 func prepareArtifactsData(comps []*types.ComponentManifest) map[string]interface{} {
 	artifacts := unstructured.Unstructured{Object: make(map[string]interface{})}
 	for _, pComp := range comps {
-		if pComp.StandardWorkload != nil {
-			_ = unstructured.SetNestedField(artifacts.Object, pComp.StandardWorkload.Object, pComp.Name, "workload")
+		if pComp.ComponentOutput != nil {
+			_ = unstructured.SetNestedField(artifacts.Object, pComp.ComponentOutput.Object, pComp.Name, "workload")
 		}
-		for _, t := range pComp.Traits {
+		for _, t := range pComp.ComponentOutputsAndTraits {
 			if t == nil {
 				continue
 			}
@@ -325,14 +325,14 @@ func (af *Appfile) SetOAMContract(comp *types.ComponentManifest) error {

 	compName := comp.Name
 	commonLabels := af.generateAndFilterCommonLabels(compName)
-	af.assembleWorkload(comp.StandardWorkload, compName, commonLabels)
+	af.assembleWorkload(comp.ComponentOutput, compName, commonLabels)

 	workloadRef := corev1.ObjectReference{
-		APIVersion: comp.StandardWorkload.GetAPIVersion(),
-		Kind:       comp.StandardWorkload.GetKind(),
-		Name:       comp.StandardWorkload.GetName(),
+		APIVersion: comp.ComponentOutput.GetAPIVersion(),
+		Kind:       comp.ComponentOutput.GetKind(),
+		Name:       comp.ComponentOutput.GetName(),
 	}
-	for _, trait := range comp.Traits {
+	for _, trait := range comp.ComponentOutputsAndTraits {
 		af.assembleTrait(trait, comp.Name, commonLabels)
 		if err := af.setWorkloadRefToTrait(workloadRef, trait); err != nil && !IsNotFoundInAppFile(err) {
 			return errors.WithMessagef(err, "cannot set workload reference to trait %q", trait.GetName())
@@ -586,10 +586,10 @@ func evalWorkloadWithContext(pCtx process.Context, comp *Component, ns, appName
 	if err != nil {
 		return nil, err
 	}
-	compManifest.StandardWorkload = workload
+	compManifest.ComponentOutput = workload

 	_, assists := pCtx.Output()
-	compManifest.Traits = make([]*unstructured.Unstructured, len(assists))
+	compManifest.ComponentOutputsAndTraits = make([]*unstructured.Unstructured, len(assists))
 	commonLabels := definition.GetCommonLabels(definition.GetBaseContextLabels(pCtx))
 	for i, assist := range assists {
 		tr, err := assist.Ins.Unstructured()
@@ -601,7 +601,7 @@ func evalWorkloadWithContext(pCtx process.Context, comp *Component, ns, appName
 			labels[oam.TraitResource] = assist.Name
 		}
 		util.AddLabels(tr, labels)
-		compManifest.Traits[i] = tr
+		compManifest.ComponentOutputsAndTraits[i] = tr
 	}
 	return compManifest, nil
 }
--- a/pkg/appfile/appfile_test.go
+++ b/pkg/appfile/appfile_test.go
@@ -194,7 +194,7 @@ variable "password" {

 		expectCompManifest := &oamtypes.ComponentManifest{
 			Name: compName,
-			StandardWorkload: func() *unstructured.Unstructured {
+			ComponentOutput: func() *unstructured.Unstructured {
 				r, _ := util.Object2Unstructured(workload)
 				return r
 			}(),
@@ -404,7 +404,7 @@ variable "password" {
 		}, args.wl.Name)
 		pCtx := NewBasicContext(ctxData, args.wl.Params)
 		comp, err := evalWorkloadWithContext(pCtx, args.wl, ns, args.appName)
-		Expect(comp.StandardWorkload).ShouldNot(BeNil())
+		Expect(comp.ComponentOutput).ShouldNot(BeNil())
 		Expect(comp.Name).Should(Equal(""))
 		Expect(err).Should(BeNil())
 	})
@@ -629,10 +629,10 @@ func TestPrepareArtifactsData(t *testing.T) {
 			Name:         "readyComp",
 			Namespace:    "ns",
 			RevisionName: "readyComp-v1",
-			StandardWorkload: &unstructured.Unstructured{Object: map[string]interface{}{
+			ComponentOutput: &unstructured.Unstructured{Object: map[string]interface{}{
 				"fake": "workload",
 			}},
-			Traits: func() []*unstructured.Unstructured {
+			ComponentOutputsAndTraits: func() []*unstructured.Unstructured {
 				ingressYAML := `apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -733,9 +733,9 @@ if context.componentType == "stateless" {
 	wl := &Component{Type: "stateful", Traits: []*Trait{tr}}
 	cm, err := baseGenerateComponent(pContext, wl, appName, ns)
 	assert.NoError(t, err)
-	assert.Equal(t, cm.Traits[0].Object["kind"], "StatefulSet")
-	assert.Equal(t, cm.Traits[0].Object["workflowName"], workflowName)
-	assert.Equal(t, cm.Traits[0].Object["publishVersion"], publishVersion)
+	assert.Equal(t, cm.ComponentOutputsAndTraits[0].Object["kind"], "StatefulSet")
+	assert.Equal(t, cm.ComponentOutputsAndTraits[0].Object["workflowName"], workflowName)
+	assert.Equal(t, cm.ComponentOutputsAndTraits[0].Object["publishVersion"], publishVersion)
 }

 var _ = Describe("Test use context.appLabels& context.appAnnotations in componentDefinition ", func() {
@@ -817,7 +817,7 @@ var _ = Describe("Test use context.appLabels& context.appAnnotations in componen
 		Expect(err).To(BeNil())
 		By("Verify expected ComponentManifest")
 		deployment := &appsv1.Deployment{}
-		runtime.DefaultUnstructuredConverter.FromUnstructured(componentManifests[0].StandardWorkload.Object, deployment)
+		runtime.DefaultUnstructuredConverter.FromUnstructured(componentManifests[0].ComponentOutput.Object, deployment)
 		labels := deployment.Spec.Template.Labels
 		annotations := deployment.Spec.Template.Annotations
 		Expect(cmp.Diff(len(labels), 2)).Should(BeEmpty())
--- a/pkg/appfile/dryrun/diff.go
+++ b/pkg/appfile/dryrun/diff.go
@@ -441,8 +441,8 @@ func generateManifest(app *v1beta1.Application, comps []*types.ComponentManifest
 			Name: comp.Name,
 			Kind: RawCompKind,
 		}
-		removeRevisionRelatedLabelAndAnnotation(comp.StandardWorkload)
-		b, err := yaml.Marshal(comp.StandardWorkload)
+		removeRevisionRelatedLabelAndAnnotation(comp.ComponentOutput)
+		b, err := yaml.Marshal(comp.ComponentOutput)
 		if err != nil {
 			return nil, errors.Wrapf(err, "cannot marshal component %q", comp.Name)
 		}
@@ -460,7 +460,7 @@ func generateManifest(app *v1beta1.Application, comps []*types.ComponentManifest
 		comp.RevisionName = ""
 		// get matched raw component and add it into appConfigComponent's subs
 		subs := []*manifest{rawCompManifests[comp.Name]}
-		for _, t := range comp.Traits {
+		for _, t := range comp.ComponentOutputsAndTraits {
 			removeRevisionRelatedLabelAndAnnotation(t)

 			tType := t.GetLabels()[oam.TraitTypeLabel]
--- a/pkg/appfile/dryrun/dryrun.go
+++ b/pkg/appfile/dryrun/dryrun.go
@@ -171,7 +171,7 @@ func (d *Option) ExecuteDryRun(ctx context.Context, application *v1beta1.Applica
 func (d *Option) PrintDryRun(buff *bytes.Buffer, appName string, comps []*types.ComponentManifest, policies []*unstructured.Unstructured) error {
 	var components = make(map[string]*unstructured.Unstructured)
 	for _, comp := range comps {
-		components[comp.Name] = comp.StandardWorkload
+		components[comp.Name] = comp.ComponentOutput
 	}
 	for _, c := range comps {
 		if _, err := fmt.Fprintf(buff, "---\n# Application(%s) -- Component(%s) \n---\n\n", appName, c.Name); err != nil {
@@ -183,13 +183,13 @@ func (d *Option) PrintDryRun(buff *bytes.Buffer, appName string, comps []*types.
 		}
 		buff.Write(result)
 		buff.WriteString("\n---\n")
-		for _, t := range c.Traits {
+		for _, t := range c.ComponentOutputsAndTraits {
 			traitType := t.GetLabels()[oam.TraitTypeLabel]
 			switch {
 			case traitType == definition.AuxiliaryWorkload:
 				buff.WriteString("## From the auxiliary workload \n")
 			case traitType != "":
-				buff.WriteString(fmt.Sprintf("## From the trait %s \n", traitType))
+				fmt.Fprintf(buff, "## From the trait %s \n", traitType)
 			}
 			result, err := yaml.Marshal(t)
 			if err != nil {
--- a/pkg/appfile/dryrun/testdata/dryrun-exp-comp.yaml
+++ b/pkg/appfile/dryrun/testdata/dryrun-exp-comp.yaml
@@ -6,7 +6,7 @@ PackagedWorkloadResources: null
 RevisionHash: ""
 RevisionName: ""
 Scopes: []
-StandardWorkload:
+ComponentOutput:
  apiVersion: apps/v1
  kind: Deployment
  metadata:
@@ -35,7 +35,7 @@ StandardWorkload:
          - "1000"
          image: busybox
          name: myweb
-Traits:
+ComponentOutputsAndTraits:
 - apiVersion: v1
  kind: Service
  metadata:
--- a/pkg/builtin/http/http_test.go
+++ b/pkg/builtin/http/http_test.go
@@ -111,7 +111,7 @@ url: "https://127.0.0.1:8443/api/v1/token?val=test-token"`)
 	runner, _ := newHTTPCmd(cue.Value{})
 	got, err := runner.Run(&registry.Meta{Obj: reqInst.Value()})
 	if err != nil {
-		t.Error(err)
+		t.Fatal(err)
 	}
 	body := (got.(map[string]interface{}))["body"].(string)

@@ -162,7 +162,10 @@ func newMockHttpsServer() *httptest.Server {

 	pool := x509.NewCertPool()
 	pool.AppendCertsFromPEM([]byte(decodeCert(testdata.MockCerts.Ca)))
-	cert, _ := tls.X509KeyPair([]byte(decodeCert(testdata.MockCerts.ServerCrt)), []byte(decodeCert(testdata.MockCerts.ServerKey)))
+	cert, err := tls.X509KeyPair([]byte(decodeCert(testdata.MockCerts.ServerCrt)), []byte(decodeCert(testdata.MockCerts.ServerKey)))
+	if err != nil {
+		panic(err)
+	}
 	ts.TLS = &tls.Config{
 		ClientCAs:    pool,
 		ClientAuth:   tls.RequireAndVerifyClientCert,
--- a/pkg/builtin/http/testdata/certs.go
+++ b/pkg/builtin/http/testdata/certs.go
@@ -17,12 +17,12 @@ limitations under the License.
 package testdata

 var (
-	_         = `LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBcHRMN21JQmdaaDVEd1FYYkJXaHRSeURGK01qaytQeStNU1Vyck5pc1EyeXF4cnphCjhEeWw5a0pRWW5oMnVYVFV1RnBzbDRhM1J5dEJaVkdrMDNQT0RXOWJIblR2QUNPZHJjMnR2WmR5ZXRXU1ZtQ2cKOHhuc3Y3WHVQS0VGb0VwakVaMDdCWjY2blFIRDg2MHFMeGFGRWtMNHk2MzU5SThWVlRBYk5RejVPQ3dmM29mUQpMN0JPL2RVNUJtRTNXTDhhVHF3SXRSa0hJeE5pWCs4OWU2Z3dCY3RHdUZLR3ZacFhGaW1VeXA1Y0crVWI2RzkyCi9KUTZJWm45dGFIZ3NFYWIvWUNwZ2U1Rkp5WVR1dzVlakhRajRYNVh3ZVRKU0tsN0UwUmZhMjl5VnM5aXdhNDQKcmVNSzVXR2hVUFl6T1o0MURGZnU1MmJnMjVPODF6QWJFSFpLUndJREFRQUJBb0lCQUNUVUJ2OFB1RGhURGhvYQp0Tk5vemxjWmdSci9IcTFvL29QUzlPVmZvQWZ5Z1hFR1dEOFk1SHFOQVRuNzVobmpGT0x0ODNNd0psM3J5ckFYCmFnL1VUUFRpVkhkUTBVSnltbWk0TTFiYmpFWlp4OGlSNUhaR2p1Rnp4SGhXQSt2ekFCUHZaZ3hEa21iKzhNZG0KdngxT0YycUVwbkF3cERHOU5MUnR2bFBqM1ZEczhVODU2c2hWeDdBdFE3RGJUWkQwdEpsQ0pzTzR5TitjL1oxOApiRzJKNDB2RWFLalVGTE9HNitScE43NEZLeGtvOFJJejZxeERQMk5VMUg1ajVVVi9tZXdRdDBsRTNqbEc5MmcvCnVwTngyK0xnYUkrMWhCR3AzV2prQlRWcWloZWxrUk5XZkNLczdXOHJtYk83V3MvK2cwcVNidnAvUjBWQWpQd0MKdGt4SENFRUNnWUVBM2s3K0hOVkNZY0YxN2k2ZTJnNTJDVHV0cDJBYzkvSUNMdVJzNGFRZlB4MkxFc2VDalJnNgovaHNsOGpLbmRDS1JQdTBJbkoxckF4NzVrZXBKZWpWcTBIbkFEN2VtcVhuMDN0UjJmb3hvbkxBOEtQMzdSSnJqClhlZ0k5NiswWUU3QUY5dWZqQVhPeXpFU3RQVkNSVDlJOFRMSlEwRFhraW56bDhVUm5aZ1RjdmtDZ1lFQXdCdFYKLzNnbFR5Z0syNTFpMS9FakdrK3I3THF5NzdCY29LVzZHTm91K0FiQ3gxalhZVE1URDNTRXVyMzBueHB6VWNkdgpIbEI1NkI2Q1JmRkdXN0o1U0tkeXI5WmhQUUtITUQ1TkZhbm00S1F4NmZmVFhubExRdnhhT2c2TFRnTDRSdjFyCjVaeUdEbDhBKzRRckpNVk1OOTZOVEY1VDB0TXRUaHlIVnpLbHR6OENnWUJ3Q3BQYjZFZUtpVHhzakthVzg4N2QKbkd4Sy9RL2NqdVkyeC8xd1E0MVQvQW5KcnkvRytMMVNzRkFSbnlIeVVER3Y2enI1NUFTNUQvVnNhdzRaUDY3VAozMmpEQXlaR0tDY1gzekRSV3VhbWdkUHdQUUZVZEZPL1VtQ2lwTFZlREpLWDg2S1hxWjJ0bnMvMHo5OVVreTZxCkVaU0tCclllL25HOHZoL0FzNUtwMFFLQmdRQzFxT1BncWFkMk8rSlFuSHE4d3UwejAwVTduYXpabFlkeDdtV1YKWExUdm04MFNuME5FU2Z6ckwzN1g3QXJuYlNiQm5YckpTc2FNcGxVQWVORFVvMmVuT1pqdENDZDVmdXVCeGxnMApkUzY3SE9tS1d1ekl1S0JmM3F3Zm5HTkV5UEFvaVRvL3JZempDQm13dmVIaWFxUFJiU1Ztb3doWEk1VUMrVjFPCktybWtGd0tCZ1FEVERDWlg1WWQ5ZUdXZG1OM3pUU2Z6YkRrRkxqZkYyYTVBK2lDL281TmoyVmpHRG4xTjRvVUwKajF0dVZLb0xoVjhVZzd0Lzc4V0V0UkRnK1p3QVZhSW84bE1zU244dDVQNFFrY2pkSDI4bHpFaTQwWHpxQkF0Lwpoalppb1pNN2ZHUmJWK29yakZSQ2tZWnNaMUdua2FrbG5Mdk4vYVRuM25HV2tEZjFaZGM0YVE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQ==` //ca.key
-	caCrt     = `LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDVENDQWZHZ0F3SUJBZ0lVR0JyQzVnODhaamxOSVlmbzVHdnFSbUhFNFY4d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF3d0pNVEkzTGpBdU1DNHhNQjRYRFRJeU1Ea3lOekE0TkRBd05sb1hEVEl6TURreApPREE0TkRBd05sb3dGREVTTUJBR0ExVUVBd3dKTVRJM0xqQXVNQzR4TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBdWJyNFNXQVJneDM4dzcxanVVNFdJZ0NLZVpYKzRDR1A1WHBSVVQ0SFg2VmsKaENadGlrZmJPc0ErZUpmdWlHZVNhUDlPL0lFRUlRZXhya2lrY3F2SzNseVJ0YzNuWnhPK1NzakY3WTVsM1ROZwpGSWh3L25GMWkxdVJuMUxwc0Y2b1hWdUtGb0QvTVNCdU1rWU82Z2VRaEZnTmZNNXdEU3NsVHFRR2pIRUlPZWkyCmRYeTh6UHFNMVowREFQOUxRZHdXN1BKeG9NRWVkNTN6Y2hhYlJWNlZXTE45WkxjWURJLzhpVG5CTWlPNDdnRVQKeXo5Q1B0N0htWjM4N0JsWUQwN3REMWlkLzFieUhCSGt5Mng2YU9OOUo3dEpOU1Zna0VKRmozUVBFQzFlVUp0NgpWbFRUS1c3cGRUVTBybWFDNDBhbmgyVExnYlYwR0pKdnI4ZDVkeUhvMlFJREFRQUJvMU13VVRBZEJnTlZIUTRFCkZnUVVhKzJHeWswdE9oaFpTanNjaGQ0bnV1K1IrUEl3SHdZRFZSMGpCQmd3Rm9BVWErMkd5azB0T2hoWlNqc2MKaGQ0bnV1K1IrUEl3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBWlpHeApsSlhGUDJZVDlCaDdaYnFkWTllcEViRTNJWENzZEsvS3E2Rmx4T0RKTUJqTUIrUVM0R2QzeUMwVEU3NFZGY3lpCk5tSUxPQ2g4amJUR01QNVRuYUR0Z0pQaXpGaEZySzQwYjhnVXVqVXVZUDdJWTFlUkE1Sno5V3lSSjNFeG5RYmcKaGFkekJWQUJVdkl5RS9BUHZIeGNEKzgzcEhWd1VlS3JIcVZHU1Qxc2hmdWVDeHVnQ1pvMUg3OFVET1NNM0tsdAplQkFTbUhZc1Rtb3VTa2RVR2JwbXpvUEc0YlJyYzk3M3JycDZLcSsxZmMwQmF5NVZna2YzUXJGdFFQSE5WSVlNCnVWaTBKaHAraVpSN0MyTXVHbUFKc2U4dHRWNHBpUTY2RlBrNjdPNmZwa0NGbnp2VlYyNko2MTMwNjAwMURtOUkKTHFPajFFUVhOK29RMWJpRFFnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=`
-	serverKey = `LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdTNOaUF5Um91aVQ3ZkpaTmhIZWt1TjgwSnh2ZVpDMStwYVVYZk00UVBoNUE1R0MyCkdLN2psMXlpUC9wQ0U4NHoyWmdSQldnalh3UWVqa0UweU1QdDdHUkxEZzVmYmhsSGNVUUZ3UDRyd3BFRjRBSDkKYVRYeVNONUxqUDFzbyswMU80bHJ1L0FPRXlibUxKYjdYSkJOc1dlZ2lqM1dYWlR3NWpYeWFjWWxwT2ZKVE1ObQpQQ0thOHpRNlVMNk1QUmZFaERGNHB4SXhnUTVuaFMxcUcxWUtqUkUycTdkRU95R0o3cFUrT3Vjdm83dzRTSlNpCkdRUDFteVRiVGV0YkxXZ3h0N2tqVUlxRVZFNERHU0h1TUszeks3V2t2bzVrcDRBVytCYjZkRk96Ulg5OVFWN08KM0pZV1U3eGVWSm5zZHFpVXh6d0Z2WjA2ZEtWeCtlOEswK0RGUFFJREFRQUJBb0lCQURvMVgwYzRoQ2pobVJLYwpIZUEzd3ZnQm45RlJMeU1PbVpoWWhzMmpzNW1HallJZG9nNVNLS3gxQUpFN1prOStKYzI1RWZnSzJZa0UzM1F2ClBYUG1tN2hmZ0lzUjNZSno2U0o4REFsZEpEdWNDeVgvbURDV3B2RUh6cEF1bGhEbGRUVlN2QmkxTjdtc3g2Y3IKRDAwMEpsd2pvTStzMmlkZk85dFEvMERuWGdNeHlvYUJSVjd0OGF6enJVaFYxM01xenF5eHcvbjI5dDFXcld0ZQpjaTNkN3g4RWx3Yk5YNFJpOUk2dk9lZktOSDN4bEUrNWpjdlJSWmR4ajhXaHUzMlhhcTA1SG0za0h4SGw2ODM4Cm12aDlyeU9Ec3NTTm5RS0R3VVRYRjdsYXZFMDJyaW9scmoyRUJNcUErVE1jQ2ZvTnJ4elNGajVtVUxDamxGNWsKQnZxRVVpVUNnWUVBNndyYTVGR3U2MUZsTjlqY0p2dVNiNmlTUHN3RTczWE5pOWx1anhxSmFTeHVkSDFnMk9GTgp4WUNIZFR2WFhsdTc3TThadHVmMGFUMUM3UWQxcU8vVngyVFJTSVpOTG95RzJpRHBEL0RXdlBwKzBCTWN3K0orCitKTEpsWFlnbnZYQjlXRmk5eFljWnZDblR2eDJwS0ZFV1M4bTkvbDBQQUU4eUhDdVUxd1VPM2NDZ1lFQXpDb3YKdFIrVkp0dis2STRQV3o0bGQ1VTE0UWwrdk1hV3pXNDhHWnNsSm8zdjducnFPS2piU2xjakgrc3NNVldjYVprVQp0TFRRbFljcWFOdUJONkJydEtXQTVlSi9mV0VyVlF4azRpa0o4c3BLL2VCSTBGcnRPSnAxSm41amc0TTIvYmdvCjdBYUFHTDUvbjFNOTBscmNpZHNRYkg2TlhNN29JOTZjU2ZKQkNlc0NnWUVBdkNrdmZOS0xkcVR0bzl5K3VaSngKODJOKzJEalp4cDJIRkdyWFlFWjlOSzQyS3Bsb201Y2FmSDdkY2hPYTRWWU14cEl3NHNVa1c4K0lNVnJrYlg2NgpwR3BvUkdnSGg3bEdCMytMTkpDNFNBYzgxL1JFOWVmdmY2MTdKV1N3enJDdE9uUmhGcThqdzZEcVA0aEtycGJQCnNablcxM05qQXRwMnYzdTlnc3hYQWhjQ2dZQXRnR0Z0am9KaFRMcDgvZHd5UzZGeUMxRWN2RThBcDRuSWN2NzEKL2Z2RG9mS05SZHVaa1JoK2N2a2pEZmlsYmgwVDg4Z0hsaHkrbG9jL0kxeWpGeCtwL1JEREt6MmFwZU5RYXhpNAp4c2l1MGFMdy9lRjhmaWRNYkRBYnlpTkhsaURWWHd2UHZvc2grS0xjMFdKLzFUdzloUk1kK3Y1cVpycVo4KzBGCkZmYWt6UUtCZ1FDWk5DT3huWHlYQ2JYZ2RCY0txbE84L3BoWXBFOVVDMS81WktBMm1icng3ejBFdVdyR2pLNjUKU09QNDVQcithUDBTa3hTMll2QyttM3dCU0dJZU93QWEvb1dMY0dmbmdUbUpoMHNiYVJ1OXR5Y1QrR2hZemlGawp3ajV4TENBTzdFLzFKT3VkaGgramtwdGVMMVJiSUh2eXRwU3ZiN0VtUUVIbytOQWxBMHFPQkE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=`
-	serverCrt = `LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKakNDQWc2Z0F3SUJBZ0lVRHd3UklLMnRLVlVVMHJlZXF3U3htZVhEQWVNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF3d0pNVEkzTGpBdU1DNHhNQjRYRFRJeU1Ea3lOekE0TkRJeU5Wb1hEVEl6TURreQpOekE0TkRJeU5Wb3dLekVSTUE4R0ExVUVDZ3dJUzNWaVpWWmxiR0V4RmpBVUJnTlZCQU1NRFNvdWEzVmlaWFpsCmJHRXVhVzh3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQzdjMklESkdpNkpQdDgKbGsyRWQ2UzQzelFuRzk1a0xYNmxwUmQ4emhBK0hrRGtZTFlZcnVPWFhLSS8ra0lUempQWm1CRUZhQ05mQkI2TwpRVFRJdyszc1pFc09EbDl1R1VkeFJBWEEvaXZDa1FYZ0FmMXBOZkpJM2t1TS9XeWo3VFU3aVd1NzhBNFRKdVlzCmx2dGNrRTJ4WjZDS1BkWmRsUERtTmZKcHhpV2s1OGxNdzJZOElwcnpORHBRdm93OUY4U0VNWGluRWpHQkRtZUYKTFdvYlZncU5FVGFydDBRN0lZbnVsVDQ2NXkranZEaElsS0laQS9XYkpOdE42MXN0YURHM3VTTlFpb1JVVGdNWgpJZTR3cmZNcnRhUytqbVNuZ0JiNEZ2cDBVN05GZjMxQlhzN2NsaFpUdkY1VW1leDJxSlRIUEFXOW5UcDBwWEg1Cjd3clQ0TVU5QWdNQkFBR2pXVEJYTUI4R0ExVWRJd1FZTUJhQUZHdnRoc3BOTFRvWVdVbzdISVhlSjdydmtmankKTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRREFnVHdNQndHQTFVZEVRUVZNQk9DQzJ0MVltVjJaV3hoTG1sdgpod1IvQUFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1Y2S3VjTmNKdGVMelpNQW1acE9CR0Y0NWZJVGVrCnRDeUZPMGRXWVRabDgzRXlSbWtCd1hSQzJoekZSQ3RaMU5jY2hGNE5SaVhMbWIwM0FnTGhRRGxUR09PN3hlNFcKVUF4MjRtdlNteW05a3ljZGIyUUhqZ2xzRHJVS040QWJuRWpoYzladWxTeVNnVG15YTl2bEh5SHBoZ3V0YUhSQgpKNkVTWHJlYzUwZUxtSC9sSjkyTEwwV01JNW4rd05lajdyTkltbktQeWZ5dUhhaXdmUlZzeVJ1ZXZETWJhSXdpCmhVNmhFOXZGTEkwa0hKaEdYa05ZOEFWbTFoYXhyWGp5Q2xwaWlsQ04xcnV1U3QzYUplN2NpUkVCL08xR2JEeGwKaFQxMUtnMTZzMEJWZHZjL2lzaVZ5SVZTQmozdVRDRCtQWStaMjUzWUc1cnd3U2xxWUlWa2QzdFkKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=`
-	clientKey = `LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdTNOaUF5Um91aVQ3ZkpaTmhIZWt1TjgwSnh2ZVpDMStwYVVYZk00UVBoNUE1R0MyCkdLN2psMXlpUC9wQ0U4NHoyWmdSQldnalh3UWVqa0UweU1QdDdHUkxEZzVmYmhsSGNVUUZ3UDRyd3BFRjRBSDkKYVRYeVNONUxqUDFzbyswMU80bHJ1L0FPRXlibUxKYjdYSkJOc1dlZ2lqM1dYWlR3NWpYeWFjWWxwT2ZKVE1ObQpQQ0thOHpRNlVMNk1QUmZFaERGNHB4SXhnUTVuaFMxcUcxWUtqUkUycTdkRU95R0o3cFUrT3Vjdm83dzRTSlNpCkdRUDFteVRiVGV0YkxXZ3h0N2tqVUlxRVZFNERHU0h1TUszeks3V2t2bzVrcDRBVytCYjZkRk96Ulg5OVFWN08KM0pZV1U3eGVWSm5zZHFpVXh6d0Z2WjA2ZEtWeCtlOEswK0RGUFFJREFRQUJBb0lCQURvMVgwYzRoQ2pobVJLYwpIZUEzd3ZnQm45RlJMeU1PbVpoWWhzMmpzNW1HallJZG9nNVNLS3gxQUpFN1prOStKYzI1RWZnSzJZa0UzM1F2ClBYUG1tN2hmZ0lzUjNZSno2U0o4REFsZEpEdWNDeVgvbURDV3B2RUh6cEF1bGhEbGRUVlN2QmkxTjdtc3g2Y3IKRDAwMEpsd2pvTStzMmlkZk85dFEvMERuWGdNeHlvYUJSVjd0OGF6enJVaFYxM01xenF5eHcvbjI5dDFXcld0ZQpjaTNkN3g4RWx3Yk5YNFJpOUk2dk9lZktOSDN4bEUrNWpjdlJSWmR4ajhXaHUzMlhhcTA1SG0za0h4SGw2ODM4Cm12aDlyeU9Ec3NTTm5RS0R3VVRYRjdsYXZFMDJyaW9scmoyRUJNcUErVE1jQ2ZvTnJ4elNGajVtVUxDamxGNWsKQnZxRVVpVUNnWUVBNndyYTVGR3U2MUZsTjlqY0p2dVNiNmlTUHN3RTczWE5pOWx1anhxSmFTeHVkSDFnMk9GTgp4WUNIZFR2WFhsdTc3TThadHVmMGFUMUM3UWQxcU8vVngyVFJTSVpOTG95RzJpRHBEL0RXdlBwKzBCTWN3K0orCitKTEpsWFlnbnZYQjlXRmk5eFljWnZDblR2eDJwS0ZFV1M4bTkvbDBQQUU4eUhDdVUxd1VPM2NDZ1lFQXpDb3YKdFIrVkp0dis2STRQV3o0bGQ1VTE0UWwrdk1hV3pXNDhHWnNsSm8zdjducnFPS2piU2xjakgrc3NNVldjYVprVQp0TFRRbFljcWFOdUJONkJydEtXQTVlSi9mV0VyVlF4azRpa0o4c3BLL2VCSTBGcnRPSnAxSm41amc0TTIvYmdvCjdBYUFHTDUvbjFNOTBscmNpZHNRYkg2TlhNN29JOTZjU2ZKQkNlc0NnWUVBdkNrdmZOS0xkcVR0bzl5K3VaSngKODJOKzJEalp4cDJIRkdyWFlFWjlOSzQyS3Bsb201Y2FmSDdkY2hPYTRWWU14cEl3NHNVa1c4K0lNVnJrYlg2NgpwR3BvUkdnSGg3bEdCMytMTkpDNFNBYzgxL1JFOWVmdmY2MTdKV1N3enJDdE9uUmhGcThqdzZEcVA0aEtycGJQCnNablcxM05qQXRwMnYzdTlnc3hYQWhjQ2dZQXRnR0Z0am9KaFRMcDgvZHd5UzZGeUMxRWN2RThBcDRuSWN2NzEKL2Z2RG9mS05SZHVaa1JoK2N2a2pEZmlsYmgwVDg4Z0hsaHkrbG9jL0kxeWpGeCtwL1JEREt6MmFwZU5RYXhpNAp4c2l1MGFMdy9lRjhmaWRNYkRBYnlpTkhsaURWWHd2UHZvc2grS0xjMFdKLzFUdzloUk1kK3Y1cVpycVo4KzBGCkZmYWt6UUtCZ1FDWk5DT3huWHlYQ2JYZ2RCY0txbE84L3BoWXBFOVVDMS81WktBMm1icng3ejBFdVdyR2pLNjUKU09QNDVQcithUDBTa3hTMll2QyttM3dCU0dJZU93QWEvb1dMY0dmbmdUbUpoMHNiYVJ1OXR5Y1QrR2hZemlGawp3ajV4TENBTzdFLzFKT3VkaGgramtwdGVMMVJiSUh2eXRwU3ZiN0VtUUVIbytOQWxBMHFPQkE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=`
-	clientCrt = `LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKakNDQWc2Z0F3SUJBZ0lVRHd3UklLMnRLVlVVMHJlZXF3U3htZVhEQWVNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF3d0pNVEkzTGpBdU1DNHhNQjRYRFRJeU1Ea3lOekE0TkRJeU5Wb1hEVEl6TURreQpOekE0TkRJeU5Wb3dLekVSTUE4R0ExVUVDZ3dJUzNWaVpWWmxiR0V4RmpBVUJnTlZCQU1NRFNvdWEzVmlaWFpsCmJHRXVhVzh3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQzdjMklESkdpNkpQdDgKbGsyRWQ2UzQzelFuRzk1a0xYNmxwUmQ4emhBK0hrRGtZTFlZcnVPWFhLSS8ra0lUempQWm1CRUZhQ05mQkI2TwpRVFRJdyszc1pFc09EbDl1R1VkeFJBWEEvaXZDa1FYZ0FmMXBOZkpJM2t1TS9XeWo3VFU3aVd1NzhBNFRKdVlzCmx2dGNrRTJ4WjZDS1BkWmRsUERtTmZKcHhpV2s1OGxNdzJZOElwcnpORHBRdm93OUY4U0VNWGluRWpHQkRtZUYKTFdvYlZncU5FVGFydDBRN0lZbnVsVDQ2NXkranZEaElsS0laQS9XYkpOdE42MXN0YURHM3VTTlFpb1JVVGdNWgpJZTR3cmZNcnRhUytqbVNuZ0JiNEZ2cDBVN05GZjMxQlhzN2NsaFpUdkY1VW1leDJxSlRIUEFXOW5UcDBwWEg1Cjd3clQ0TVU5QWdNQkFBR2pXVEJYTUI4R0ExVWRJd1FZTUJhQUZHdnRoc3BOTFRvWVdVbzdISVhlSjdydmtmankKTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRREFnVHdNQndHQTFVZEVRUVZNQk9DQzJ0MVltVjJaV3hoTG1sdgpod1IvQUFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1Y2S3VjTmNKdGVMelpNQW1acE9CR0Y0NWZJVGVrCnRDeUZPMGRXWVRabDgzRXlSbWtCd1hSQzJoekZSQ3RaMU5jY2hGNE5SaVhMbWIwM0FnTGhRRGxUR09PN3hlNFcKVUF4MjRtdlNteW05a3ljZGIyUUhqZ2xzRHJVS040QWJuRWpoYzladWxTeVNnVG15YTl2bEh5SHBoZ3V0YUhSQgpKNkVTWHJlYzUwZUxtSC9sSjkyTEwwV01JNW4rd05lajdyTkltbktQeWZ5dUhhaXdmUlZzeVJ1ZXZETWJhSXdpCmhVNmhFOXZGTEkwa0hKaEdYa05ZOEFWbTFoYXhyWGp5Q2xwaWlsQ04xcnV1U3QzYUplN2NpUkVCL08xR2JEeGwKaFQxMUtnMTZzMEJWZHZjL2lzaVZ5SVZTQmozdVRDRCtQWStaMjUzWUc1cnd3U2xxWUlWa2QzdFkKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=`
+	_         = "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRQytxS2xxbUZXZVhLMmYKU1EwN1BYbmorbVZUTzVndXlhRFhiNU1UZUo2SFhQZTUxKzFrU01ZY3hSM3NCMFlKdkdFSFY0Q1R1Y0s1M0FrdgppU1lRbHMxTnJBL0E4OUlRZDIrWDVXRG81V0h1d3h2VWEvbkFWQVM3cFZZRVZDTlVydHRCKzJsc0J3YysxR2J6Cm4wMmxONFEvc2hES0JUSm1ja2xRTTFvZlI3Q2oyREFGOGl4TlVGRjYvMUZJYkJPVDliU3JBL1M1aFhVeDlTYzEKenJrVjdkbmp4a1hKR2pOdThBcTcwZWQ2cGFPWFRmOW9CM2I0UXh3bEdocXRyMTkvYzFTNVhSakJnN3I4MFFKOQpCcXBqMTFzdG94Qy9lNG03YkdMMWZ6UGtBdlZwdWNibnNxYmQza0hZSWR6QVlaN2M1RllsR2NicTFCaGlHbVJrCjduVDdLWWM5QWdNQkFBRUNnZ0VBSzlnZmRacm9mWTEwZzkvSndpakdBZzVRQk03OGxTM2E1aEFMYzN2V2dPeDUKTDJ5ZmMrTmtZN05VeVRWMi9zQXFWQVRrVlpSdldreG1kRjhHdU9Qay9JcW42TWhwTTA0MEJHdEVXT3AvRmVnYQpXMFFsWC93eVJuQ2tFa1REQnpOYXlwYWxUS2xsR2liQU1pQWRPL1JEWGw1MWkrK2NBb0VmcU9qV1BjRS90cjJXCjllbkFhWlgyS0pyVGNoajB2TEE0TitJVGI0YzNkMDhEemhEcCtzWGpDVlJhb1U5cE1WN1cyRmtaeW5IUEVHa0gKcWNkT0lwVmRITkVPajNhNDN5cStUb29jSWFoRlI2VkVmVGxvcEwrb1ZsZ1dNUW9tWEdDaG1pbFBTK0V0dWxHbwo2U2dSU1lKODhSTXMrZjdCUm1mMG1pNmlVdDFScENXWGlpTnRDTk1VNVFLQmdRRDhIL2RkMDZuWHY5V04xbWdaCkozNHg0K2hxTTNsTGVDZmNCVlF0NGFWRnoyVFRVUXB4cFFQRWpRUldxaDk0djJzemlyUTBnWWdGS2pmQUw2MVAKUlBmaTBmQU5YMEl3OExYc053SGM2NTdkRGJvQmZjUnRlYTNzQ2NuRlRIcC9SMU9RTVI2Q0x3WkRhR0pBM1E4NwpZMW1OUHhtaGFIY1A1bk5mVUlWT3d2ajRHd0tCZ1FEQmx0aDR4aFVHeG9LZUpSUHl0ODA1b2hicVdaRCs1UDFsCm1nVGxhQmdJOFFJMHNoWC8xK0tXbkE4L3pEdTk3SFJtdjZJL1NneG9mbmxTTFZYaWlZcjJXNnhCaGVMbzZzQ2kKQXR0WFpUbVVEY3U3Y2I4aldSNERPeFpIcC93VG4yQ3NHNy9PdEtnbkpKM0JJczNYRko5d25sVGRqQVNHcnR5dgpUYjF1cFFramh3S0JnRXJGZ0NzSFZ0dHhQUGd2bWZlN3lxVXBIZ2hBODd2NkNuZ3A3R2tlL2xEUnpPa09vN1pJClpmR29rSnpUSHpwRUtwckNpK2IyYzB4MDFNdmVWOXVtYkkyTURWRXA2d3R3bDhOU0hPOVR3VzExWUxDSWgvU2YKbllEZTlrUFpCb3N3c0F1WFJhRCtLVEZjaDZjTTZET0lwMHBJYUdXQ0FhMXBmdFhKbjM5WU8xWDVBb0dCQUpvTgo2WnhLdlliVHlEUURlNWxtalNsMUJObGZoMVJnZEFvN2cvUHZYMWtXT2RRbmQveE9GMklWTk1sblJJK0NNS3RuCmlyemt0M1VjV0gxOTJGL2JacnRmL25keURUMmZPc1p5a1l3OTRKRWlYV09BUkVQajhrOU40UkFLN1QzTVVna0UKV0NJdGY3Y09tMytMcTlTaDg3T1NQQ1RGL1FBVS9VZUFET1NVN3UzWEFvR0JBTXduaDJHcDRyMTFpLzA0OUZKVwpVVjBTZ3NTSng2U1NkU3pDNklZeS8ySlN4aVpxZUdtODR0aGRDYzFiWnpHNDhiSUZhNHQwNUEwU2E2QTRlM2VLCmpFK1ZRNVRuUFlOOS9MMXNFdThNN0Zub1EyRFJZT3ZPQTk2K3R3aURBT0FwT2dxdmNWekhLU0RYUDRJNFVHeGYKUmRtNUNyTFlsOXI3Tmo5dkZJQ050UGRYCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K" // ca.key
+	caCrt     = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDRENDQWZBQ0NRREQ2WFQ1T0hOaWR6QU5CZ2txaGtpRzl3MEJBUXNGQURCRk1Rc3dDUVlEVlFRR0V3SkQKVGpFUU1BNEdBMVVFQ0F3SFFtVnBhbWx1WnpFUU1BNEdBMVVFQnd3SFFtVnBhbWx1WnpFU01CQUdBMVVFQXd3SgpNVEkzTGpBdU1DNHhNQ0FYRFRJek1Ea3hPVEF6TWpneU4xb1lEekl4TWpNd09ESTJNRE15T0RJM1dqQkZNUXN3CkNRWURWUVFHRXdKRFRqRVFNQTRHQTFVRUNBd0hRbVZwYW1sdVp6RVFNQTRHQTFVRUJ3d0hRbVZwYW1sdVp6RVMKTUJBR0ExVUVBd3dKTVRJM0xqQXVNQzR4TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQwpBUUVBdnFpcGFwaFZubHl0bjBrTk96MTU0L3BsVXp1WUxzbWcxMitURTNpZWgxejN1ZGZ0WkVqR0hNVWQ3QWRHCkNieGhCMWVBazduQ3Vkd0pMNGttRUpiTlRhd1B3UFBTRUhkdmwrVmc2T1ZoN3NNYjFHdjV3RlFFdTZWV0JGUWoKVks3YlFmdHBiQWNIUHRSbTg1OU5wVGVFUDdJUXlnVXlabkpKVUROYUgwZXdvOWd3QmZJc1RWQlJldjlSU0d3VAprL1cwcXdQMHVZVjFNZlVuTmM2NUZlM1o0OFpGeVJvemJ2QUt1OUhuZXFXamwwMy9hQWQyK0VNY0pSb2FyYTlmCmYzTlV1VjBZd1lPNi9ORUNmUWFxWTlkYkxhTVF2M3VKdTJ4aTlYOHo1QUwxYWJuRzU3S20zZDVCMkNIY3dHR2UKM09SV0pSbkc2dFFZWWhwa1pPNTAreW1IUFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUI2Vm1xbApBVEFuWFBpZXdvUS9SOGNaU2wzSHRHVEk5OWJwYjF1NVlxWnllRTFjZjBOY3pRR29EOGFUUW9odWRzUnd2by96ClVkc2R1a3JyT2crTGlRMW1NZTNBYkN6WGVxOStOT1pScFdJcVVtRW1GeFNDcjYwbGRIekpvdmc1ZkM1eWVYbUUKQkJaRmpvQm45SXBzOUtpRUgvajk3Z25JR3FlQnkxVm1rZzFKTkR4eUZaVlVaYTZEVm02RzQwMVVZWjNra3FsVQp4RGRrVFpVeUxSZzNOcGE2SkliQmdwK3JoZ05nLzkwdmZFTlE2dHR1R3pOVWxQYnFaM3ViM1M3eGRDQXhnWXFkCnJtK1pxb29sblRUYzhIbnI0UUV6ZTBBdVBsd3RUV0VhdENrS0VqOEg3WHBnelpid3JoMjFDZEdCYjlMZlVMQTAKcjN1SHhCdi9oZC9yc0xJQwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
+	serverKey = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBb0o1Tzl0bHVzTW5OaTVNQVNwYklDRWVyYnpUc1JDNmNKZ1R3czBkK3l2bTVnT1ZBCnVkU1RkaHJ3NG1URjNZaVJ2SHF2NWhiRWtBKzAvNTRaVGtXQ1hXSi9NOXpGMTIvZlJPQU9wWDBZTmlsNi9kSEQKeUhTbXB4R3FtUkpwRzVzc1ltc0dFQndMRzN5MVJmN2ZmQ3EwWkpiUzRldzJNRmxDejZuM095c3I5V1ExT0VFNApJNXJMYUhvOHdoekhJbVdXS3R6N2tHcWpscWtJU0ZSdThyUVROaVhlMTY3WUZhdUNiUU02eEZiUTdyV29VM3JOCmswVkgwQUs3QVp3Y0xBYTQ0QkpEcmdZSGJHM3U1Q0I1YnVKdnF0SUtBa09nUWhBb3RWY0g2WjBFNGhHb0hhZHkKdEdaYVRPN2pQdnUrT29CVGZ3dUd4UERVZ3hqdkZuaUVqNWk2aVFJREFRQUJBb0lCQUN6OVN0Yi8vbTVNaUdPQgpFSUxVQzBHdWVZbVR4RjR3eEJJdUxoRzVnLzFzeDVZZ0lPb3NiZ1dWOUVVbHZ2cVhoMkxJNXI1SFFGV3Q0Si84Cjg4K2x6cWREc0tlaFBsVmpBNkh5TklnTUt4ejRyM2VyS3ZEYUk5Z0dMY2ZralVaclI1cGxxZlFYTnRGRE5DOWYKL2M5MDBzU2VMb0dUdlhYN2VxaGFUbUxuYTgrM0NVUEd1RVNPWDk4NHRCS1FKTWlBeFhhSXFIemszZ2w0OEZBNApSdjlidnJoeU5nR2FRTHFUZ2lDMzM3a1l0TU1LaEk3M3FYbmtwdmgxeVZZOUhiOU5ibk5NL25KbmxRMzE3eGhrCm04VDFORGVUblBXZzg2Y20xYWRKa3E1MG9ORVYxbVZWOVdHS293RmNRSlBHdWhXNTJreEVzSm9JM1RWMkl4NkwKZkMyVFR4RUNnWUVBejdiSFhUVGpVa3RnVzd0YmZXbEsyMWMydVQvdWNteTBGZ01rTll3WnRKS0c4bmdyUlRTdApTV0pnV1BLbThwVGpjV1FTeFg4Q1dWMVYyUEdZdTVSa1Y0S3p3RmY3K0tNNWZuMzArSkc2Z0t1Q0FqNFlReVpCCk1EaWtQTDJtZzB0SEtIVDRNaWRYdy8xcW1nbExxZE9HWEpQbkhnT0FiajM0Um1vRGVLQU9WOVVDZ1lFQXhmVFYKb1h5UURvaG5tNTJCR3ZmaFFxT1hVcTNLV0NheG9qOTloWmREVGxXREl5ZDJmUFZ2SGVvRWRCdjBtRGpIc1BQawp6NWR5UEtkTHE3NXo2elRCMit3MVI0RDJxcnQvRnRtQkpDak1KNmxYRkZCaFNaeDJ6eDltSW9wdEkwNTgyMHNUCm1FM01vWEJ6NXBYMjEzN1BkVGp4OFJlTC9wZjVTRUlMS1VwWkJlVUNnWUFLeTRjRTh4QzFZREY3MHZyb1E2YWUKUzZRT2NLSWwxRHh2d0c0TFVtS3JuY25ocEJrcm1aYy83eHJ1eEgya3NkUTRPbWszVm1oNjJIenpyMnF1cFFHcQpBcUx3NWlHMFJGZGltWTAzdGVzcGNNQnErV3N0WWptVkZmeURJNkFaeHJuR0FuNDdyUXZFcGRENmZHMHdRRXdGClY3SjFQdDFYM1dTZjFEYWwrRHVHbVFLQmdRQ1E0R3NwVU55dGhpOHR1TXd3VEpKVUR4NUVxR1NhdDFieUE3MTkKOUFLU1pnc2Z3MVg0aGpmWWtOakprVndsdkFpSi9UWE1xRzQyN2NsMzNGOUNHTTU0Z2h0TVJacEJ3ZzkxVGFJeQpNSm1adlZtNXlFb3JjWk9TYXN4NUl3NVU5TEIwWGpIdEdhTlYwOU0vUXludzlTSW9ESkVsZmJJN2xrWWZHQmJMCkZWcXA4UUtCZ0NCVEdpd1ZsOXJkU0tLdXFUeXVSVmt0ZXFVOUtERTJ2K1BSVStyT3RQQ3pyVEwzKzdmaURzZDQKUE1iZUVQTWRlYk9oMzRaUFgxYlg4UTIwUlA3dmRVS3d1Y25QaE9kQ2NabG00UlRxa0o2L1RVZ2N6VmFHWDV6dwpITml1cFBXZlZGcnEzVnBkc3c4RjBpN1M2WllqNzBiSUFNMFF5V1FtWk9PaVhhanJlMllSCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
+	serverCrt = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURzRENDQXBpZ0F3SUJBZ0lKQUlkVDl3UHIrTlJJTUEwR0NTcUdTSWIzRFFFQkN3VUFNRVV4Q3pBSkJnTlYKQkFZVEFrTk9NUkF3RGdZRFZRUUlEQWRDWldscWFXNW5NUkF3RGdZRFZRUUhEQWRDWldscWFXNW5NUkl3RUFZRApWUVFEREFreE1qY3VNQzR3TGpFd0lCY05Nak13T1RFNU1EWXlPVE15V2hnUE1qRXlNekE0TWpZd05qSTVNekphCk1GZ3hDekFKQmdOVkJBWVRBa05PTVJBd0RnWURWUVFJREFkQ1pXbHFhVzVuTVJBd0RnWURWUVFIREFkQ1pXbHEKYVc1bk1SRXdEd1lEVlFRS0RBaExkV0psVm1Wc1lURVNNQkFHQTFVRUF3d0pNVEkzTGpBdU1DNHhNSUlCSWpBTgpCZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFvSjVPOXRsdXNNbk5pNU1BU3BiSUNFZXJielRzClJDNmNKZ1R3czBkK3l2bTVnT1ZBdWRTVGRocnc0bVRGM1lpUnZIcXY1aGJFa0ErMC81NFpUa1dDWFdKL005ekYKMTIvZlJPQU9wWDBZTmlsNi9kSER5SFNtcHhHcW1SSnBHNXNzWW1zR0VCd0xHM3kxUmY3ZmZDcTBaSmJTNGV3MgpNRmxDejZuM095c3I5V1ExT0VFNEk1ckxhSG84d2h6SEltV1dLdHo3a0dxamxxa0lTRlJ1OHJRVE5pWGUxNjdZCkZhdUNiUU02eEZiUTdyV29VM3JOazBWSDBBSzdBWndjTEFhNDRCSkRyZ1lIYkczdTVDQjVidUp2cXRJS0FrT2cKUWhBb3RWY0g2WjBFNGhHb0hhZHl0R1phVE83alB2dStPb0JUZnd1R3hQRFVneGp2Rm5pRWo1aTZpUUlEQVFBQgpvNEdOTUlHS01GOEdBMVVkSXdSWU1GYWhTYVJITUVVeEN6QUpCZ05WQkFZVEFrTk9NUkF3RGdZRFZRUUlEQWRDClpXbHFhVzVuTVJBd0RnWURWUVFIREFkQ1pXbHFhVzVuTVJJd0VBWURWUVFEREFreE1qY3VNQzR3TGpHQ0NRREQKNlhUNU9ITmlkekFKQmdOVkhSTUVBakFBTUJ3R0ExVWRFUVFWTUJPQ0MydDFZbVYyWld4aExtbHZod1IvQUFBQgpNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFyc0owQ01aWUtkRWZKRHFFYlhicVlLRkJOMHdNTnhUSVZBMmdWCldTVkYxOEh3UC9UaEFOUUZQbHlKdVhKc2xETnBLdkpMTCtybHVpZnUxSHNhaWRMUk9uZDhQUG0yWUpHZWJIWk0KYi8rRW4zT3ZaQks5UmFNemJxWDBaY0NOeGNIVkMrLzNvbjVhb0VDekNwMUpsYUU0amNtRkJ0US93ZjJPMkkwTgpBdUJPYTBxMnQyNXAwdDFUQldwVkNnaGxocXpuME5rc2VERTdIUzI1WGNpU0YzZkNSUnNNS2QrclNuOHcxc3NYCnE4RkI2R09MQ1lTS3hXaElzV3IxNmVhZTBXYWFNUldYSTMvQ0JVR0hUZ05sektnb2VVUTVKdVNqL2VNdDZhTUMKclpoTWVhRVpobXhkMGVqZHRJOFcvT1YvUXhxbTdDSTdjcGowU0hrNC9MbS94K0RsCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+	clientKey = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdTd1c1ozazNrRERYaStlTEo5L3dRTURxZHFDbVhyUlQycDgvSXh1WlNESTdZUVJGCjk1T0RDSllGVnY0M3hoRTRldWZtR0VqQk9CcGV5N2t4SDNjU2JKbjhNTUFpK09XaGViZ2o3Z0EyNjdGSVhJVnIKemRpNFVtaStRRDJISE05YytQREdBWHpoVFRBc0l3M0NSdjlzL01pM0FMVCswZnUwekR1ZmlWYUJnSWs2c1ZoSgphb0pIOG5hTUlTMUpwZjlWcDFyTVNnRWo2c1ZGWXlPdGk4T1JGYkExbHFNOE8vTS9FZHhzUDI1dXlianI1My9JClA5SHZjQWE4Snh3SS80ZlRVTWhiMGNsRnRWUm5Mak1hL1BwNXAvd1MvNDdEbkIzT3BuWlVzckJsQXZOemtXMTEKWUVyeVJUTlp1RWdSeEdsTEY5WmZtbmREcUpETjlFbVdDcEJnSHdJREFRQUJBb0lCQUZncm9LRkljU3dyaEZDVgpBdXBMWnM5Q3k5dkRQK0FpMlc5SWM2TE5oNFE4ODE1eFgxc1QwT3JyYXI2Y3p4MGJZV2Q0R3IwMURtcUhHQmFlCmQ4L0xZTC9ZNG5VVENGblZuNjFIS3JqUktQb3hYVWIyOHRiTy9tTFdCdVN0QVJRcTRBT2JNYVBwUHZlOXREMFMKYlRoakpwRGl3L0IxRVdrVnlxaFJLSENjVEY1TlJ3VHpZZEZCdHcwQVBmdzRZSFhMbmdGTU5IYjBMUTZmdXhFTQp1MWJPazh3Zk9mVzl3eVVCdU1URVhQNlZRdnpJSktiY2tPVzFJU2VlK2ozVHI4OUYwU2lVWGFuekcyV2R3R1Y3ClNlbWUydExWV05YV285U3A0QStRWjVyV2YydWJUeGMxNW0wakV0R24xNkt2WFhGK0hXR0E5a2tUSm1RaDN4WW0KU3BiVG1zRUNnWUVBNmRlZEpZZ0twaVowRDlyZHM0eXFlbEtMaHF6U3hsM2pHQ1puMXpmMFFWdXBMbFpiKzJtSwpGakt1UGR4OVpIWHQ2cTgwaTFYUlhMaDhhUENiUCtxSEJ1c0FBNzAvYlhOSTdubWw5TEc4Yy81V3NBMEovQTZWCnByd2QveWphaEhBcWN4SC9UdmhOSnptS3ZiUDFMSXFOQm9nblRFY294aS9hckcwQVh4VW5NWGtDZ1lFQXpZV1QKUzRCKzh0RG44aHQ1a0xtRW1UZ3VOSVZqajdxZTllZk5JaTdkc2VtVGVGSjZlcWNPRGw2V3VwOFNiYi9iR0QvNApBS1ZyVnpvVmtpWmltUE9PRFdKUFhKWGhJVFdnVENIT3FQYm1qbENtMm1NejlPL0sybHJhMGMxUnlIZzIzV2wzCkJPRTFjNU8wUGh6UlVHald5YlJUZlUwc1hIbXNqbUhoZ3RXZkVGY0NnWUJoNTZ0YzNtT1BBd1NPNnRUdDZ0UXAKbU12Z0hCVzNoZkdoMTlxY0trb3kzeHlyVU83OENVa09XRFBKcExvL1NIelBTSUhZWUpyaWxqOUlkSXlicXliVApoNnFlNWlwYk9leHNKRFNPaWFmY2JMMkF3a1RPNnBCUG1lMTVPbktiQnBkUFRGYTNpcEJLL3ZXT3pYeTJKR0E5ClB0NHRPcEhnd0lKdXRNaDJCdFk5Q1FLQmdRQ0hNMjAvaVF0Nlh6V0d6czQ5Qjk0VUVhSkx5TWhEWUNoOGFuNUgKRTMraUw1OWsweFZocEk0Wm85NFNiTnpwdUFIQXhTdzMrSnBScXBOUUx0SkQvazBmdnVHb2JhekpkUWE3cnEzTgo5NGFhYnJJbERvZTZoUmowWmpwM05GT3R4bStKWG56K2g4enErR3JsUlgzcElON1RtRDRvT3VHSkFENGsrSDBxCjNhOGpSd0tCZ1FDMnB4OTc4Zm1PZ0tjRGJpMCtnajdYSUlqNFRjNHIvL0t5MnIzd2xuOFlPWEt1L3lNbXFXR3kKNUVyOFJNTWhINDlYWHdnWk1od0g5cEdocGo2M2Y3WnBEWllJUGRIU2s3TDhjZXJoaHRIWWdtN3o2L3NWVnREcgpmazM3S2NjQ1RrZitWZXl4eVRvaDNKL3VMelNyRVlScVhxbldlckE2YjQ3MUhublppQTBwR2c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo="
+	clientCrt = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURuVENDQW9XZ0F3SUJBZ0lKQUlkVDl3UHIrTlJGTUEwR0NTcUdTSWIzRFFFQkN3VUFNRVV4Q3pBSkJnTlYKQkFZVEFrTk9NUkF3RGdZRFZRUUlEQWRDWldscWFXNW5NUkF3RGdZRFZRUUhEQWRDWldscWFXNW5NUkl3RUFZRApWUVFEREFreE1qY3VNQzR3TGpFd0lCY05Nak13T1RFNU1ETTFOVEUxV2hnUE1qRXlNekE0TWpZd016VTFNVFZhCk1FUXhDekFKQmdOVkJBWVRBa05PTVJBd0RnWURWUVFJREFkQ1pXbHFhVzVuTVJBd0RnWURWUVFIREFkQ1pXbHEKYVc1bk1SRXdEd1lEVlFRS0RBaExkV0psVm1Wc1lUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQwpBUW9DZ2dFQkFMdTdyR2Q1TjVBdzE0dm5peWZmOEVEQTZuYWdwbDYwVTlxZlB5TWJtVWd5TzJFRVJmZVRnd2lXCkJWYitOOFlST0hybjVoaEl3VGdhWHN1NU1SOTNFbXlaL0REQUl2amxvWG00SSs0QU51dXhTRnlGYTgzWXVGSm8KdmtBOWh4elBYUGp3eGdGODRVMHdMQ01Od2tiL2JQekl0d0MwL3RIN3RNdzduNGxXZ1lDSk9yRllTV3FDUi9KMgpqQ0V0U2FYL1ZhZGF6RW9CSStyRlJXTWpyWXZEa1JXd05aYWpQRHZ6UHhIY2JEOXVic200NitkL3lEL1I3M0FHCnZDY2NDUCtIMDFESVc5SEpSYlZVWnk0ekd2ejZlYWY4RXYrT3c1d2R6cVoyVkxLd1pRTHpjNUZ0ZFdCSzhrVXoKV2JoSUVjUnBTeGZXWDVwM1E2aVF6ZlJKbGdxUVlCOENBd0VBQWFPQmpqQ0JpekJmQmdOVkhTTUVXREJXb1VtawpSekJGTVFzd0NRWURWUVFHRXdKRFRqRVFNQTRHQTFVRUNBd0hRbVZwYW1sdVp6RVFNQTRHQTFVRUJ3d0hRbVZwCmFtbHVaekVTTUJBR0ExVUVBd3dKTVRJM0xqQXVNQzR4Z2drQXcrbDArVGh6WW5jd0NRWURWUjBUQkFJd0FEQWQKQmdOVkhSRUVGakFVZ2hKamJHbGxiblF1YTNWaVpYWmxiR0V1YVc4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBS2VZTVJHR25kaXJJeS9OMjd0eU81VExxSDh3Q1pocXI3VFU2bW1BUjUrS09PTDVqU0U0SkNOTkFiNXpXSDVLCmsrSVVpR1prNHprOWtCSmNtaG02dDNIdWVMVmMwUkZyWjZHQUhwV2hjclBGN0ZkTWpmTzRYNHFiT1IwL2k4OVkKVi9VRkxpYTMyOTUvZ3RiWkJmTWhpZGxzWXZ5aS9kMXhUR25Ba1FDRTR0cHEyK0l3RzNwZ05LRmErRlpvWmU0Ygo3YllyUDcvTXBKYWd5bVJXUGZ1anlRZXVCMzlabFNYZlNTQzZoUU41RHlpTmQxTGZhNXFNd1JtTmxlMGtUdE12Ci9QRkVIWDR2T1R4SFMvYmc1T2lPVEpBenBNZnZ1bHA2YmxrbHR3SmFJMmw2b0N6RU9VVlpNKzJPKzBHZzEzS3UKNFpTZjg0Z3FQYmF4UzgwQkphTVlhNDg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
 	MockCerts = struct {
 		Ca        string
 		ServerKey string
--- a/pkg/cmd/utils.go
+++ b/pkg/cmd/utils.go
@@ -25,7 +25,7 @@ import (
 )

 // GetNamespace get namespace from command flags and env
-func GetNamespace(f Factory, cmd *cobra.Command) string {
+func GetNamespace(_ Factory, cmd *cobra.Command) string {
 	namespace, err := cmd.Flags().GetString(flagNamespace)
 	cmdutil.CheckErr(err)
 	if namespace != "" {
--- a/pkg/config/factory.go
+++ b/pkg/config/factory.go
@@ -197,8 +197,8 @@ type Distribution struct {

 // CreateDistributionSpec the spec of the distribution
 type CreateDistributionSpec struct {
-	Configs []*NamespacedName
-	Targets []*ClusterTarget
+	Configs []*NamespacedName `json:"configs"`
+	Targets []*ClusterTarget  `json:"targets"`
 }

 // Validation the response of the validation
@@ -612,13 +612,13 @@ func (k *kubeConfigFactory) GetConfig(ctx context.Context, namespace, name strin

 // CreateOrUpdateConfig create or update the config.
 // Write the expand config to the target server.
-func (k *kubeConfigFactory) CreateOrUpdateConfig(ctx context.Context, i *Config, ns string) error {
+func (k *kubeConfigFactory) CreateOrUpdateConfig(ctx context.Context, i *Config, _ string) error {
 	var secret v1.Secret
 	if err := k.cli.Get(ctx, pkgtypes.NamespacedName{Namespace: i.Namespace, Name: i.Name}, &secret); err == nil {
 		if secret.Labels[types.LabelConfigType] != i.Template.Name {
 			return ErrChangeTemplate
 		}
-		if secret.Type != i.Secret.Type {
+		if i.Secret.Type != "" && secret.Type != i.Secret.Type {
 			return ErrChangeSecretType
 		}
 	}
--- a/pkg/config/provider/provider.go
+++ b/pkg/config/provider/provider.go
@@ -56,7 +56,7 @@ type Response struct {
 	Message string `json:"message"`
 }

-func (p *provider) Create(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (p *provider) Create(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	var ccp CreateConfigProperties
 	if err := v.UnmarshalTo(&ccp); err != nil {
 		return ErrRequestInvalid
@@ -84,7 +84,7 @@ func (p *provider) Create(ctx monitorContext.Context, wfCtx wfContext.Context, v
 	return p.factory.CreateOrUpdateConfig(ctx.GetContext(), configItem, ccp.Namespace)
 }

-func (p *provider) Read(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (p *provider) Read(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	var nn config.NamespacedName
 	if err := v.UnmarshalTo(&nn); err != nil {
 		return ErrRequestInvalid
@@ -96,7 +96,7 @@ func (p *provider) Read(ctx monitorContext.Context, wfCtx wfContext.Context, v *
 	return v.FillObject(content, "config")
 }

-func (p *provider) List(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (p *provider) List(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	template, err := v.GetString("template")
 	if err != nil {
 		return ErrRequestInvalid
@@ -125,7 +125,7 @@ func (p *provider) List(ctx monitorContext.Context, wfCtx wfContext.Context, v *
 	return v.FillObject(contents, "configs")
 }

-func (p *provider) Delete(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (p *provider) Delete(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	var nn config.NamespacedName
 	if err := v.UnmarshalTo(&nn); err != nil {
 		return errors.New("the request is in valid")
--- a/pkg/controller/core.oam.dev/v1beta1/application/application_controller.go
+++ b/pkg/controller/core.oam.dev/v1beta1/application/application_controller.go
@@ -539,49 +539,49 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 			// filter the changes in workflow status
 			// let workflow handle its reconcile
 			UpdateFunc: func(e ctrlEvent.UpdateEvent) bool {
-				new, isNewApp := e.ObjectNew.DeepCopyObject().(*v1beta1.Application)
+				newApp, isNewApp := e.ObjectNew.DeepCopyObject().(*v1beta1.Application)
 				old, isOldApp := e.ObjectOld.DeepCopyObject().(*v1beta1.Application)
 				if !isNewApp || !isOldApp {
 					return filterManagedFieldChangesUpdate(e)
 				}

 				// We think this event is triggered by resync
-				if reflect.DeepEqual(old, new) {
+				if reflect.DeepEqual(old, newApp) {
 					return true
 				}

 				// filter managedFields changes
 				old.ManagedFields = nil
-				new.ManagedFields = nil
+				newApp.ManagedFields = nil

 				// if the generation is changed, return true to let the controller handle it
-				if old.Generation != new.Generation {
+				if old.Generation != newApp.Generation {
 					return true
 				}

 				// filter the events triggered by initial application status
-				if new.Status.Phase == common.ApplicationRendering || (old.Status.Phase == common.ApplicationRendering && new.Status.Phase == common.ApplicationRunningWorkflow) {
+				if newApp.Status.Phase == common.ApplicationRendering || (old.Status.Phase == common.ApplicationRendering && newApp.Status.Phase == common.ApplicationRunningWorkflow) {
 					return false
 				}

 				// ignore the changes in workflow status
-				if old.Status.Workflow != nil && new.Status.Workflow != nil {
+				if old.Status.Workflow != nil && newApp.Status.Workflow != nil {
 					// only workflow execution will change the status.workflow
 					// let workflow backoff to requeue the event
-					new.Status.Workflow.Steps = old.Status.Workflow.Steps
-					new.Status.Workflow.ContextBackend = old.Status.Workflow.ContextBackend
-					new.Status.Workflow.Message = old.Status.Workflow.Message
-					new.Status.Workflow.EndTime = old.Status.Workflow.EndTime
+					newApp.Status.Workflow.Steps = old.Status.Workflow.Steps
+					newApp.Status.Workflow.ContextBackend = old.Status.Workflow.ContextBackend
+					newApp.Status.Workflow.Message = old.Status.Workflow.Message
+					newApp.Status.Workflow.EndTime = old.Status.Workflow.EndTime
 				}

 				// appliedResources and Services will be changed during the execution of workflow
 				// once the resources is added, the managed fields will also be changed
-				new.Status.AppliedResources = old.Status.AppliedResources
-				new.Status.Services = old.Status.Services
+				newApp.Status.AppliedResources = old.Status.AppliedResources
+				newApp.Status.Services = old.Status.Services
 				// the resource version will be changed if the object is changed
 				// ignore this change and let reflect.DeepEqual to compare the rest of the object
-				new.ResourceVersion = old.ResourceVersion
-				return !reflect.DeepEqual(old, new)
+				newApp.ResourceVersion = old.ResourceVersion
+				return !reflect.DeepEqual(old, newApp)
 			},
 			CreateFunc: func(e ctrlEvent.CreateEvent) bool {
 				return true
@@ -616,14 +616,14 @@ func updateObservedGeneration(app *v1beta1.Application) {
 // For old k8s version like 1.18.5, the managedField could always update and cause infinite loop
 // this function helps filter those events and prevent infinite loop
 func filterManagedFieldChangesUpdate(e ctrlEvent.UpdateEvent) bool {
-	new, isNewRT := e.ObjectNew.DeepCopyObject().(*v1beta1.ResourceTracker)
+	newTracker, isNewRT := e.ObjectNew.DeepCopyObject().(*v1beta1.ResourceTracker)
 	old, isOldRT := e.ObjectOld.DeepCopyObject().(*v1beta1.ResourceTracker)
 	if !isNewRT || !isOldRT {
 		return true
 	}
-	new.ManagedFields = old.ManagedFields
-	new.ResourceVersion = old.ResourceVersion
-	return !reflect.DeepEqual(new, old)
+	newTracker.ManagedFields = old.ManagedFields
+	newTracker.ResourceVersion = old.ResourceVersion
+	return !reflect.DeepEqual(newTracker, old)
 }

 func findObjectForResourceTracker(rt client.Object) []reconcile.Request {
--- a/pkg/controller/core.oam.dev/v1beta1/application/application_controller_test.go
+++ b/pkg/controller/core.oam.dev/v1beta1/application/application_controller_test.go
@@ -524,9 +524,9 @@ var _ = Describe("Test Application Controller", func() {
 		Expect(len(comps) > 0).Should(BeTrue())
 		comp := comps[0]

-		Expect(comp.StandardWorkload).ShouldNot(BeNil())
+		Expect(comp.ComponentOutput).ShouldNot(BeNil())
 		gotDeploy := &v1.Deployment{}
-		Expect(runtime.DefaultUnstructuredConverter.FromUnstructured(comp.StandardWorkload.Object, gotDeploy)).Should(Succeed())
+		Expect(runtime.DefaultUnstructuredConverter.FromUnstructured(comp.ComponentOutput.Object, gotDeploy)).Should(Succeed())
 		gotDeploy.Annotations = nil
 		Expect(cmp.Diff(gotDeploy, expDeployment)).Should(BeEmpty())

@@ -747,7 +747,7 @@ var _ = Describe("Test Application Controller", func() {
 		comp := comps[0]

 		gotD := &v1.Deployment{}
-		runtime.DefaultUnstructuredConverter.FromUnstructured(comp.StandardWorkload.Object, gotD)
+		runtime.DefaultUnstructuredConverter.FromUnstructured(comp.ComponentOutput.Object, gotD)
 		gotD.Annotations = nil
 		Expect(cmp.Diff(gotD, expDeployment)).Should(BeEmpty())

--- a/pkg/controller/core.oam.dev/v1beta1/application/apply.go
+++ b/pkg/controller/core.oam.dev/v1beta1/application/apply.go
@@ -223,11 +223,6 @@ func (h *AppHandler) addServiceStatus(cover bool, svcs ...common.ApplicationComp
 	}
 }

-// ProduceArtifacts will produce Application artifacts that will be saved in configMap.
-func (h *AppHandler) ProduceArtifacts(ctx context.Context, comps []*types.ComponentManifest, policies []*unstructured.Unstructured) error {
-	return h.createResourcesConfigMap(ctx, h.currentAppRev, comps, policies)
-}
-
 // collectTraitHealthStatus collect trait health status
 func (h *AppHandler) collectTraitHealthStatus(comp *appfile.Component, tr *appfile.Trait, appRev *v1beta1.ApplicationRevision, overrideNamespace string) (common.ApplicationTraitStatus, []*unstructured.Unstructured, error) {
 	defer func(clusterName string) {
--- a/pkg/controller/core.oam.dev/v1beta1/application/assemble/assemble.go
+++ b/pkg/controller/core.oam.dev/v1beta1/application/assemble/assemble.go
@@ -17,7 +17,6 @@ limitations under the License.
 package assemble

 import (
-	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/klog/v2"

@@ -27,22 +26,6 @@ import (
 	"github.com/oam-dev/kubevela/pkg/oam/util"
 )

-// WorkloadOption will be applied to each workloads AFTER it has been assembled by generic rules shown below:
-// 1) use component name as workload name
-// 2) use application namespace as workload namespace if unspecified
-// 3) set application as workload's owner
-// 4) pass all application's labels and annotations to workload's
-// Component and ComponentDefinition are enough for caller to manipulate workloads.
-// Caller can use below labels of workload to get more information:
-// - oam.LabelAppName
-// - oam.LabelAppRevision
-// - oam.LabelAppRevisionHash
-// - oam.LabelAppComponent
-// - oam.LabelAppComponentRevision
-type WorkloadOption interface {
-	ApplyToWorkload(*unstructured.Unstructured, *v1beta1.ComponentDefinition, []*unstructured.Unstructured) error
-}
-
 // checkAutoDetectComponent will check if the standardWorkload is empty,
 // currently only Helm-based component is possible to be auto-detected
 // TODO implement auto-detect mechanism
@@ -51,8 +34,8 @@ func checkAutoDetectComponent(wl *unstructured.Unstructured) bool {
 }

 // PrepareBeforeApply will prepare for some necessary info before apply
-func PrepareBeforeApply(comp *types.ComponentManifest, appRev *v1beta1.ApplicationRevision, workloadOpt []WorkloadOption) (*unstructured.Unstructured, []*unstructured.Unstructured, error) {
-	if checkAutoDetectComponent(comp.StandardWorkload) {
+func PrepareBeforeApply(comp *types.ComponentManifest, appRev *v1beta1.ApplicationRevision) (*unstructured.Unstructured, []*unstructured.Unstructured, error) {
+	if checkAutoDetectComponent(comp.ComponentOutput) {
 		return nil, nil, nil
 	}
 	compRevisionName := comp.RevisionName
@@ -61,16 +44,13 @@ func PrepareBeforeApply(comp *types.ComponentManifest, appRev *v1beta1.Applicati
 		oam.LabelAppComponentRevision: compRevisionName,
 		oam.LabelAppRevisionHash:      appRev.Labels[oam.LabelAppRevisionHash],
 	}
-	wl, err := assembleWorkload(compName, comp.StandardWorkload, additionalLabel, comp.PackagedWorkloadResources, appRev, workloadOpt)
-	if err != nil {
-		return nil, nil, err
-	}
+	wl := assembleWorkload(compName, comp.ComponentOutput, additionalLabel)

-	assembledTraits := make([]*unstructured.Unstructured, len(comp.Traits))
+	assembledTraits := make([]*unstructured.Unstructured, len(comp.ComponentOutputsAndTraits))

 	HandleCheckManageWorkloadTrait(*appRev, []*types.ComponentManifest{comp})

-	for i, trait := range comp.Traits {
+	for i, trait := range comp.ComponentOutputsAndTraits {
 		setTraitLabels(trait, additionalLabel)
 		assembledTraits[i] = trait
 	}
@@ -78,8 +58,7 @@ func PrepareBeforeApply(comp *types.ComponentManifest, appRev *v1beta1.Applicati
 	return wl, assembledTraits, nil
 }

-func assembleWorkload(compName string, wl *unstructured.Unstructured,
-	labels map[string]string, resources []*unstructured.Unstructured, appRev *v1beta1.ApplicationRevision, wop []WorkloadOption) (*unstructured.Unstructured, error) {
+func assembleWorkload(compName string, wl *unstructured.Unstructured, labels map[string]string) *unstructured.Unstructured {
 	// use component name as workload name if workload name is not specified
 	// don't override the name set in render phase if exist
 	if len(wl.GetName()) == 0 {
@@ -87,21 +66,8 @@ func assembleWorkload(compName string, wl *unstructured.Unstructured,
 	}
 	setWorkloadLabels(wl, labels)

-	workloadType := wl.GetLabels()[oam.WorkloadTypeLabel]
-	compDefinition := appRev.Spec.ComponentDefinitions[workloadType]
-	copyPackagedResources := make([]*unstructured.Unstructured, len(resources))
-	for i, v := range resources {
-		copyPackagedResources[i] = v.DeepCopy()
-	}
-	for _, wo := range wop {
-		if err := wo.ApplyToWorkload(wl, compDefinition.DeepCopy(), copyPackagedResources); err != nil {
-			klog.ErrorS(err, "Failed applying a workload option", "workload", klog.KObj(wl), "name", wl.GetName())
-			return nil, errors.Wrapf(err, "cannot apply workload option for component %q", compName)
-		}
-		klog.InfoS("Successfully apply a workload option", "workload", klog.KObj(wl), "name", wl.GetName())
-	}
 	klog.InfoS("Successfully assemble a workload", "workload", klog.KObj(wl), "APIVersion", wl.GetAPIVersion(), "Kind", wl.GetKind())
-	return wl, nil
+	return wl
 }

 // component revision label added here
@@ -131,7 +97,7 @@ func HandleCheckManageWorkloadTrait(appRev v1beta1.ApplicationRevision, comps []
 		return
 	}
 	for _, comp := range comps {
-		for _, trait := range comp.Traits {
+		for _, trait := range comp.ComponentOutputsAndTraits {
 			traitType := trait.GetLabels()[oam.TraitTypeLabel]
 			if manageWorkloadTrait[traitType] {
 				trait.SetLabels(util.MergeMapOverrideWithDst(trait.GetLabels(), map[string]string{oam.LabelManageWorkloadTrait: "true"}))
--- a/pkg/controller/core.oam.dev/v1beta1/application/assemble/options.go
+++ b/pkg/controller/core.oam.dev/v1beta1/application/assemble/options.go
@@ -1,110 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package assemble
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/pkg/errors"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/klog/v2"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
-	helmapi "github.com/oam-dev/kubevela/pkg/appfile/helm/flux2apis"
-)
-
-// WorkloadOptionFn implement interface WorkloadOption
-type WorkloadOptionFn func(*unstructured.Unstructured, *v1beta1.ComponentDefinition, []*unstructured.Unstructured) error
-
-// ApplyToWorkload will apply the manipulation defined in the function to assembled workload
-func (fn WorkloadOptionFn) ApplyToWorkload(wl *unstructured.Unstructured,
-	compDefinition *v1beta1.ComponentDefinition, packagedWorkloadResources []*unstructured.Unstructured) error {
-	return fn(wl, compDefinition, packagedWorkloadResources)
-}
-
-// DiscoveryHelmBasedWorkload only works for Helm-based component. It computes a qualifiedFullName for the workload and
-// try to get it from K8s cluster.
-// If not found, block down-streaming process until Helm creates the workload successfully.
-func DiscoveryHelmBasedWorkload(ctx context.Context, c client.Reader) WorkloadOption {
-	return WorkloadOptionFn(func(assembledWorkload *unstructured.Unstructured, compDef *v1beta1.ComponentDefinition, resources []*unstructured.Unstructured) error {
-		return discoverHelmModuleWorkload(ctx, c, assembledWorkload, compDef, resources)
-	})
-}
-
-func discoverHelmModuleWorkload(ctx context.Context, c client.Reader, assembledWorkload *unstructured.Unstructured,
-	_ *v1beta1.ComponentDefinition, helmResources []*unstructured.Unstructured) error {
-	if len(helmResources) == 0 {
-		return nil
-	}
-	if len(assembledWorkload.GetAPIVersion()) == 0 &&
-		len(assembledWorkload.GetKind()) == 0 {
-		// workload GVK remains to auto-detect
-		// we cannot discover workload without GVK, and caller should skip dispatching the assembled workload
-		return nil
-	}
-	ns := assembledWorkload.GetNamespace()
-	var rls *unstructured.Unstructured
-	for _, v := range helmResources {
-		if v.GetKind() == helmapi.HelmReleaseGVK.Kind {
-			rls = v.DeepCopy()
-			break
-		}
-	}
-	if rls == nil {
-		return errors.New("cannot get helm release")
-	}
-	rlsName := rls.GetName()
-	chartName, ok, err := unstructured.NestedString(rls.Object, helmapi.HelmChartNamePath...)
-	if err != nil || !ok {
-		return errors.New("cannot get helm chart name")
-	}
-
-	// qualifiedFullName is used as the name of target workload.
-	// It strictly follows the convention that Helm generate default full name as below:
-	// > We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-	// > If release name contains chart name it will be used as a full name.
-	qualifiedWorkloadName := rlsName
-	if !strings.Contains(rlsName, chartName) {
-		qualifiedWorkloadName = fmt.Sprintf("%s-%s", rlsName, chartName)
-		if len(qualifiedWorkloadName) > 63 {
-			qualifiedWorkloadName = strings.TrimSuffix(qualifiedWorkloadName[:63], "-")
-		}
-	}
-
-	workloadByHelm := assembledWorkload.DeepCopy()
-	if err := c.Get(ctx, client.ObjectKey{Namespace: ns, Name: qualifiedWorkloadName}, workloadByHelm); err != nil {
-		return err
-	}
-
-	// check it's created by helm and match the release info
-	annots := workloadByHelm.GetAnnotations()
-	labels := workloadByHelm.GetLabels()
-	if annots == nil || labels == nil ||
-		annots["meta.helm.sh/release-name"] != rlsName ||
-		annots["meta.helm.sh/release-namespace"] != ns ||
-		labels["app.kubernetes.io/managed-by"] != "Helm" {
-		err := fmt.Errorf("the workload is found but not match with helm info(meta.helm.sh/release-name: %s, meta.helm.sh/namespace: %s, app.kubernetes.io/managed-by: Helm)", rlsName, ns)
-		klog.ErrorS(err, "Found a name-matched workload but not managed by Helm", "name", qualifiedWorkloadName,
-			"annotations", annots, "labels", labels)
-		return err
-	}
-	assembledWorkload.SetName(qualifiedWorkloadName)
-	return nil
-}
--- a/pkg/controller/core.oam.dev/v1beta1/application/assemble/options_test.go
+++ b/pkg/controller/core.oam.dev/v1beta1/application/assemble/options_test.go
@@ -1,160 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package assemble
-
-import (
-	"context"
-	"fmt"
-	"os"
-
-	"github.com/google/go-cmp/cmp"
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
-	"github.com/pkg/errors"
-	"sigs.k8s.io/yaml"
-
-	"github.com/crossplane/crossplane-runtime/pkg/test"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
-	helmapi "github.com/oam-dev/kubevela/pkg/appfile/helm/flux2apis"
-)
-
-var _ = Describe("Test WorkloadOption", func() {
-	var (
-		appRev *v1beta1.ApplicationRevision
-	)
-
-	BeforeEach(func() {
-		appRev = &v1beta1.ApplicationRevision{}
-		b, err := os.ReadFile("./testdata/apprevision.yaml")
-		Expect(err).Should(BeNil())
-		err = yaml.Unmarshal(b, appRev)
-		Expect(err).Should(BeNil())
-	})
-
-	Describe("test DiscoveryHelmBasedWorkload", func() {
-		ns := "test-ns"
-		releaseName := "test-rls"
-		chartName := "test-chart"
-		release := &unstructured.Unstructured{}
-		release.SetGroupVersionKind(helmapi.HelmReleaseGVK)
-		release.SetName(releaseName)
-		unstructured.SetNestedMap(release.Object, map[string]interface{}{
-			"chart": map[string]interface{}{
-				"spec": map[string]interface{}{
-					"chart":   chartName,
-					"version": "1.0.0",
-				},
-			},
-		}, "spec")
-
-		rlsWithoutChart := release.DeepCopy()
-		unstructured.SetNestedMap(rlsWithoutChart.Object, nil, "spec", "chart")
-
-		wl := &unstructured.Unstructured{}
-		wl.SetAPIVersion("apps/v1")
-		wl.SetKind("Deployment")
-		wl.SetLabels(map[string]string{
-			"app.kubernetes.io/managed-by": "Helm",
-		})
-		wl.SetAnnotations(map[string]string{
-			"meta.helm.sh/release-name":      releaseName,
-			"meta.helm.sh/release-namespace": ns,
-		})
-		type SubCase struct {
-			reason         string
-			c              client.Reader
-			helm           *unstructured.Unstructured
-			workloadInComp *unstructured.Unstructured
-			wantWorkload   *unstructured.Unstructured
-			wantErr        error
-		}
-
-		DescribeTable("Test cases for DiscoveryHelmBasedWorkload", func(tc SubCase) {
-			By(tc.reason)
-			assembledWorkload := &unstructured.Unstructured{}
-			assembledWorkload.SetAPIVersion("apps/v1")
-			assembledWorkload.SetKind("Deployment")
-			assembledWorkload.SetNamespace(ns)
-			err := discoverHelmModuleWorkload(context.Background(), tc.c, assembledWorkload, nil, []*unstructured.Unstructured{tc.helm})
-
-			By("Verify error")
-			diff := cmp.Diff(tc.wantErr, err, test.EquateErrors())
-			Expect(diff).Should(BeEmpty())
-
-			if tc.wantErr == nil {
-				By("Verify found workload")
-				diff = cmp.Diff(tc.wantWorkload, assembledWorkload)
-				Expect(diff).Should(BeEmpty())
-			}
-		},
-			Entry("CannotGetReleaseFromComp", SubCase{
-				reason:  "An error should occur because cannot get release",
-				helm:    &unstructured.Unstructured{},
-				wantErr: errors.New("cannot get helm release"),
-			}),
-			Entry("CannotGetChartFromRelease", SubCase{
-				reason:  "An error should occur because cannot get chart info",
-				helm:    rlsWithoutChart.DeepCopy(),
-				wantErr: errors.New("cannot get helm chart name"),
-			}),
-			Entry("CannotGetWorkload", SubCase{
-				reason:         "An error should occur because cannot get workload from k8s cluster",
-				helm:           release.DeepCopy(),
-				workloadInComp: &unstructured.Unstructured{},
-				c:              &test.MockClient{MockGet: test.NewMockGetFn(errors.New("boom"))},
-				wantErr:        errors.New("boom"),
-			}),
-			Entry("GetNotMatchedWorkload", SubCase{
-				reason:         "An error should occur because the found workload is not managed by Helm",
-				helm:           release.DeepCopy(),
-				workloadInComp: &unstructured.Unstructured{},
-				c: &test.MockClient{MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
-					o, _ := obj.(*unstructured.Unstructured)
-					*o = unstructured.Unstructured{}
-					o.SetLabels(map[string]string{
-						"app.kubernetes.io/managed-by": "non-helm",
-					})
-					return nil
-				})},
-				wantErr: fmt.Errorf("the workload is found but not match with helm info(meta.helm.sh/release-name: %s,"+
-					" meta.helm.sh/namespace: %s, app.kubernetes.io/managed-by: Helm)", "test-rls", "test-ns"),
-			}),
-			Entry("DiscoverSuccessfully", SubCase{
-				reason: "No error should occur and the workload should be found",
-				c: &test.MockClient{MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
-					o, _ := obj.(*unstructured.Unstructured)
-					*o = *wl.DeepCopy()
-					return nil
-				})},
-				workloadInComp: wl.DeepCopy(),
-				helm:           release.DeepCopy(),
-				wantWorkload: func() *unstructured.Unstructured {
-					r := &unstructured.Unstructured{}
-					r.SetAPIVersion("apps/v1")
-					r.SetKind("Deployment")
-					r.SetNamespace(ns)
-					r.SetName("test-rls-test-chart")
-					return r
-				}(),
-				wantErr: nil,
-			}),
-		)
-	})
-})
--- a/pkg/controller/core.oam.dev/v1beta1/application/generator.go
+++ b/pkg/controller/core.oam.dev/v1beta1/application/generator.go
@@ -105,8 +105,10 @@ func (h *AppHandler) GenerateApplicationSteps(ctx monitorContext.Context,
 		}
 		return h.resourceKeeper.Dispatch(ctx, resources, applyOptions)
 	})
-	oamProvider.Install(handlerProviders, app, af, h.Client, h.applyComponentFunc(
-		appParser, appRev, af), h.renderComponentFunc(appParser, appRev, af))
+	oamProvider.Install(handlerProviders, app, af, h.Client,
+		h.applyComponentFunc(appParser, appRev, af),
+		h.renderComponentFunc(appParser, appRev, af),
+	)
 	pCtx := velaprocess.NewContext(generateContextDataFromApp(app, appRev.Name))
 	renderer := func(ctx context.Context, comp common.ApplicationComponent) (*appfile.Component, error) {
 		return appParser.ParseComponentFromRevisionAndClient(ctx, comp, appRev)
@@ -252,6 +254,7 @@ func convertStepProperties(step *workflowv1alpha1.WorkflowStep, app *v1beta1.App
 	o := struct {
 		Component string `json:"component"`
 		Cluster   string `json:"cluster"`
+		Namespace string `json:"namespace"`
 	}{}
 	js, err := common.RawExtensionPointer{RawExtension: step.Properties}.MarshalJSON()
 	if err != nil {
@@ -291,6 +294,9 @@ func convertStepProperties(step *workflowv1alpha1.WorkflowStep, app *v1beta1.App
 				"value":   c,
 				"cluster": o.Cluster,
 			}
+			if o.Namespace != "" {
+				stepProperties["namespace"] = o.Namespace
+			}
 			step.Properties = util.Object2RawExtension(stepProperties)
 			return nil
 		}
@@ -319,7 +325,7 @@ func (h *AppHandler) renderComponentFunc(appParser *appfile.Parser, appRev *v1be
 		if err != nil {
 			return nil, nil, err
 		}
-		return renderComponentsAndTraits(h.Client, manifest, appRev, clusterName, overrideNamespace)
+		return renderComponentsAndTraits(manifest, appRev, clusterName, overrideNamespace)
 	}
 }

@@ -335,7 +341,7 @@ func (h *AppHandler) checkComponentHealth(appParser *appfile.Parser, appRev *v1b
 		}
 		wl.Ctx.SetCtx(auth.ContextWithUserInfo(ctx, h.app))

-		readyWorkload, readyTraits, err := renderComponentsAndTraits(h.Client, manifest, appRev, clusterName, overrideNamespace)
+		readyWorkload, readyTraits, err := renderComponentsAndTraits(manifest, appRev, clusterName, overrideNamespace)
 		if err != nil {
 			return false, nil, nil, err
 		}
@@ -371,14 +377,9 @@ func (h *AppHandler) applyComponentFunc(appParser *appfile.Parser, appRev *v1bet
 		if err != nil {
 			return nil, nil, false, err
 		}
-		if len(manifest.PackagedWorkloadResources) != 0 {
-			if err := h.Dispatch(ctx, clusterName, common.WorkflowResourceCreator, manifest.PackagedWorkloadResources...); err != nil {
-				return nil, nil, false, errors.WithMessage(err, "cannot dispatch packaged workload resources")
-			}
-		}
 		wl.Ctx.SetCtx(auth.ContextWithUserInfo(ctx, h.app))

-		readyWorkload, readyTraits, err := renderComponentsAndTraits(h.Client, manifest, appRev, clusterName, overrideNamespace)
+		readyWorkload, readyTraits, err := renderComponentsAndTraits(manifest, appRev, clusterName, overrideNamespace)
 		if err != nil {
 			return nil, nil, false, err
 		}
@@ -419,8 +420,8 @@ func (h *AppHandler) applyComponentFunc(appParser *appfile.Parser, appRev *v1bet
 	}
 }

-// overrideTraits will override cluster field to be local for traits which are control plane only
-func overrideTraits(appRev *v1beta1.ApplicationRevision, readyTraits []*unstructured.Unstructured) []*unstructured.Unstructured {
+// redirectTraitToLocalIfNeed will override cluster field to be local for traits which are control plane only
+func redirectTraitToLocalIfNeed(appRev *v1beta1.ApplicationRevision, readyTraits []*unstructured.Unstructured) []*unstructured.Unstructured {
 	traits := readyTraits
 	for index, readyTrait := range readyTraits {
 		for _, trait := range appRev.Spec.TraitDefinitions {
@@ -469,8 +470,8 @@ func (h *AppHandler) prepareWorkloadAndManifests(ctx context.Context,
 	return wl, manifest, nil
 }

-func renderComponentsAndTraits(client client.Client, manifest *types.ComponentManifest, appRev *v1beta1.ApplicationRevision, clusterName string, overrideNamespace string) (*unstructured.Unstructured, []*unstructured.Unstructured, error) {
-	readyWorkload, readyTraits, err := assemble.PrepareBeforeApply(manifest, appRev, []assemble.WorkloadOption{assemble.DiscoveryHelmBasedWorkload(context.TODO(), client)})
+func renderComponentsAndTraits(manifest *types.ComponentManifest, appRev *v1beta1.ApplicationRevision, clusterName string, overrideNamespace string) (*unstructured.Unstructured, []*unstructured.Unstructured, error) {
+	readyWorkload, readyTraits, err := assemble.PrepareBeforeApply(manifest, appRev)
 	if err != nil {
 		return nil, nil, errors.WithMessage(err, "assemble resources before apply fail")
 	}
@@ -486,7 +487,7 @@ func renderComponentsAndTraits(client client.Client, manifest *types.ComponentMa
 			readyTrait.SetNamespace(overrideNamespace)
 		}
 	}
-	readyTraits = overrideTraits(appRev, readyTraits)
+	readyTraits = redirectTraitToLocalIfNeed(appRev, readyTraits)
 	return readyWorkload, readyTraits, nil
 }

@@ -505,14 +506,14 @@ func getComponentResources(ctx context.Context, manifest *types.ComponentManifes
 		traits   []*unstructured.Unstructured
 	)
 	if !skipStandardWorkload {
-		v := manifest.StandardWorkload.DeepCopy()
-		if err := cli.Get(ctx, client.ObjectKeyFromObject(manifest.StandardWorkload), v); err != nil {
+		v := manifest.ComponentOutput.DeepCopy()
+		if err := cli.Get(ctx, client.ObjectKeyFromObject(manifest.ComponentOutput), v); err != nil {
 			return nil, nil, err
 		}
 		workload = v
 	}

-	for _, trait := range manifest.Traits {
+	for _, trait := range manifest.ComponentOutputsAndTraits {
 		v := trait.DeepCopy()
 		remoteCtx := multicluster.ContextWithClusterName(ctx, oam.GetCluster(v))
 		if err := cli.Get(remoteCtx, client.ObjectKeyFromObject(trait), v); err != nil {
--- a/pkg/controller/core.oam.dev/v1beta1/application/revision.go
+++ b/pkg/controller/core.oam.dev/v1beta1/application/revision.go
@@ -27,7 +27,6 @@ import (
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	ktypes "k8s.io/apimachinery/pkg/types"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
@@ -43,7 +42,6 @@ import (
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
-	"github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/appfile"
 	"github.com/oam-dev/kubevela/pkg/cache"
 	"github.com/oam-dev/kubevela/pkg/component"
@@ -56,17 +54,6 @@ import (

 type contextKey int

-const (
-	// ConfigMapKeyComponents is the key in ConfigMap Data field for containing data of components
-	ConfigMapKeyComponents = "components"
-	// ConfigMapKeyPolicy is the key in ConfigMap Data field for containing data of policies
-	ConfigMapKeyPolicy = "policies"
-	// ManifestKeyWorkload is the key in Component Manifest for containing workload cr.
-	ManifestKeyWorkload = "StandardWorkload"
-	// ManifestKeyTraits is the key in Component Manifest for containing Trait cr.
-	ManifestKeyTraits = "Traits"
-)
-
 var (
 	// DisableAllComponentRevision disable component revision creation
 	DisableAllComponentRevision = false
@@ -92,64 +79,6 @@ func replicaKeyFromContext(ctx context.Context) string {
 	return key
 }

-func (h *AppHandler) createResourcesConfigMap(ctx context.Context,
-	appRev *v1beta1.ApplicationRevision,
-	comps []*types.ComponentManifest,
-	policies []*unstructured.Unstructured) error {
-
-	components := map[string]interface{}{}
-	for _, c := range comps {
-		components[c.Name] = SprintComponentManifest(c)
-	}
-	cm := &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      appRev.Name,
-			Namespace: appRev.Namespace,
-			OwnerReferences: []metav1.OwnerReference{
-				*metav1.NewControllerRef(appRev, v1beta1.ApplicationRevisionGroupVersionKind),
-			},
-		},
-		Data: map[string]string{
-			ConfigMapKeyComponents: string(util.MustJSONMarshal(components)),
-			ConfigMapKeyPolicy:     string(util.MustJSONMarshal(policies)),
-		},
-	}
-	err := h.Client.Get(ctx, client.ObjectKey{Name: appRev.Name, Namespace: appRev.Namespace}, &corev1.ConfigMap{})
-	if err == nil {
-		return nil
-	}
-	if err != nil && !apierrors.IsNotFound(err) {
-		return err
-	}
-	return h.Client.Create(ctx, cm)
-}
-
-// SprintComponentManifest formats and returns the resulting string.
-func SprintComponentManifest(cm *types.ComponentManifest) string {
-	if cm.StandardWorkload.GetName() == "" {
-		cm.StandardWorkload.SetName(cm.Name)
-	}
-	if cm.StandardWorkload.GetNamespace() == "" {
-		cm.StandardWorkload.SetNamespace(cm.Namespace)
-	}
-	cl := map[string]interface{}{
-		ManifestKeyWorkload: string(util.MustJSONMarshal(cm.StandardWorkload)),
-	}
-
-	trs := []string{}
-	for _, tr := range cm.Traits {
-		if tr.GetName() == "" {
-			tr.SetName(cm.Name)
-		}
-		if tr.GetNamespace() == "" {
-			tr.SetNamespace(cm.Namespace)
-		}
-		trs = append(trs, string(util.MustJSONMarshal(tr)))
-	}
-	cl[ManifestKeyTraits] = trs
-	return string(util.MustJSONMarshal(cl))
-}
-
 // PrepareCurrentAppRevision will generate a pure revision without metadata and rendered result
 // the generated revision will be compare with the last revision to see if there's any difference.
 func (h *AppHandler) PrepareCurrentAppRevision(ctx context.Context, af *appfile.Appfile) error {
@@ -321,7 +250,8 @@ func ComputeAppRevisionHash(appRevision *v1beta1.ApplicationRevision) (string, e
 		return "", err
 	}
 	for key, wd := range appRevision.Spec.WorkloadDefinitions {
-		hash, err := utils.ComputeSpecHash(&wd.Spec)
+		wdCopy := wd
+		hash, err := utils.ComputeSpecHash(&wdCopy.Spec)
 		if err != nil {
 			return "", err
 		}
@@ -342,7 +272,8 @@ func ComputeAppRevisionHash(appRevision *v1beta1.ApplicationRevision) (string, e
 		revHash.TraitDefinitionHash[key] = hash
 	}
 	for key, pd := range appRevision.Spec.PolicyDefinitions {
-		hash, err := utils.ComputeSpecHash(&pd.Spec)
+		pdCopy := pd
+		hash, err := utils.ComputeSpecHash(&pdCopy.Spec)
 		if err != nil {
 			return "", err
 		}
@@ -504,35 +435,6 @@ func deepEqualAppInRevision(old, new *v1beta1.ApplicationRevision) bool {
 	return deepEqualAppSpec(&old.Spec.Application, &new.Spec.Application)
 }

-// ComputeComponentRevisionHash to compute component hash
-func ComputeComponentRevisionHash(comp *types.ComponentManifest) (string, error) {
-	compRevisionHash := struct {
-		WorkloadHash          string
-		PackagedResourcesHash []string
-	}{}
-	wl := comp.StandardWorkload.DeepCopy()
-	if wl != nil {
-		// Only calculate spec for component revision
-		spec := wl.Object["spec"]
-		hash, err := utils.ComputeSpecHash(spec)
-		if err != nil {
-			return "", err
-		}
-		compRevisionHash.WorkloadHash = hash
-	}
-
-	// take packaged workload resources into account because they determine the workload
-	compRevisionHash.PackagedResourcesHash = make([]string, len(comp.PackagedWorkloadResources))
-	for i, v := range comp.PackagedWorkloadResources {
-		hash, err := utils.ComputeSpecHash(v)
-		if err != nil {
-			return "", err
-		}
-		compRevisionHash.PackagedResourcesHash[i] = hash
-	}
-	return utils.ComputeSpecHash(&compRevisionHash)
-}
-
 // FinalizeAndApplyAppRevision finalise AppRevision object and apply it
 func (h *AppHandler) FinalizeAndApplyAppRevision(ctx context.Context) error {
 	if DisableAllApplicationRevision {
--- a/pkg/controller/core.oam.dev/v1beta1/application/revision_test.go
+++ b/pkg/controller/core.oam.dev/v1beta1/application/revision_test.go
@@ -37,7 +37,6 @@ import (

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
-	oamtypes "github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/appfile"
 	"github.com/oam-dev/kubevela/pkg/oam"
 	"github.com/oam-dev/kubevela/pkg/oam/util"
@@ -49,7 +48,6 @@ var _ = Describe("test generate revision ", func() {
 	cd := v1beta1.ComponentDefinition{}
 	webCompDef := v1beta1.ComponentDefinition{}
 	var handler *AppHandler
-	var comps []*oamtypes.ComponentManifest
 	var namespaceName string
 	var ns corev1.Namespace
 	ctx := context.Background()
@@ -171,8 +169,6 @@ var _ = Describe("test generate revision ", func() {
 		ctx = util.SetNamespaceInCtx(ctx, app.Namespace)
 		generatedAppfile, err := appParser.GenerateAppFile(ctx, &app)
 		Expect(err).Should(Succeed())
-		comps, err = generatedAppfile.GenerateComponentManifests()
-		Expect(err).Should(Succeed())
 		Expect(handler.PrepareCurrentAppRevision(ctx, generatedAppfile)).Should(Succeed())
 		Expect(handler.FinalizeAndApplyAppRevision(ctx)).Should(Succeed())
 		prevHash := generatedAppfile.AppRevisionHash
@@ -196,11 +192,8 @@ var _ = Describe("test generate revision ", func() {
 		app.SetAnnotations(map[string]string{annoKey1: "true"})
 		generatedAppfile, err := appParser.GenerateAppFile(ctx, &app)
 		Expect(err).Should(Succeed())
-		comps, err = generatedAppfile.GenerateComponentManifests()
-		Expect(err).Should(Succeed())
 		Expect(handler.PrepareCurrentAppRevision(ctx, generatedAppfile)).Should(Succeed())
 		Expect(handler.FinalizeAndApplyAppRevision(ctx)).Should(Succeed())
-		Expect(handler.ProduceArtifacts(context.Background(), comps, nil)).Should(Succeed())
 		Expect(handler.UpdateAppLatestRevisionStatus(ctx, reconciler.patchStatus)).Should(Succeed())

 		curApp := &v1beta1.Application{}
@@ -234,11 +227,8 @@ var _ = Describe("test generate revision ", func() {
 		annoKey2 := "testKey2"
 		app.SetAnnotations(map[string]string{annoKey2: "true"})
 		lastRevision := curApp.Status.LatestRevision.Name
-		comps, err = generatedAppfile.GenerateComponentManifests()
-		Expect(err).Should(Succeed())
 		Expect(handler.PrepareCurrentAppRevision(ctx, generatedAppfile)).Should(Succeed())
 		Expect(handler.FinalizeAndApplyAppRevision(ctx)).Should(Succeed())
-		Expect(handler.ProduceArtifacts(context.Background(), comps, nil)).Should(Succeed())
 		Eventually(
 			func() error {
 				return handler.Get(ctx,
@@ -272,12 +262,9 @@ var _ = Describe("test generate revision ", func() {
 		Expect(k8sClient.Update(ctx, &app)).Should(SatisfyAny(BeNil(), &util.AlreadyExistMatcher{}))
 		generatedAppfile, err = appParser.GenerateAppFile(ctx, &app)
 		Expect(err).Should(Succeed())
-		comps, err = generatedAppfile.GenerateComponentManifests()
-		Expect(err).Should(Succeed())
 		handler.app = &app
 		Expect(handler.PrepareCurrentAppRevision(ctx, generatedAppfile)).Should(Succeed())
 		Expect(handler.FinalizeAndApplyAppRevision(ctx)).Should(Succeed())
-		Expect(handler.ProduceArtifacts(context.Background(), comps, nil)).Should(Succeed())
 		Expect(handler.UpdateAppLatestRevisionStatus(ctx, reconciler.patchStatus)).Should(Succeed())
 		Eventually(
 			func() error {
@@ -316,12 +303,9 @@ var _ = Describe("test generate revision ", func() {
 		Expect(k8sClient.Update(ctx, &app)).Should(SatisfyAny(BeNil(), &util.AlreadyExistMatcher{}))
 		generatedAppfile, err = appParser.GenerateAppFile(ctx, &app)
 		Expect(err).Should(Succeed())
-		comps, err = generatedAppfile.GenerateComponentManifests()
-		Expect(err).Should(Succeed())
 		handler.app = &app
 		Expect(handler.PrepareCurrentAppRevision(ctx, generatedAppfile)).Should(Succeed())
 		Expect(handler.FinalizeAndApplyAppRevision(ctx)).Should(Succeed())
-		Expect(handler.ProduceArtifacts(context.Background(), comps, nil)).Should(Succeed())
 		Expect(handler.UpdateAppLatestRevisionStatus(ctx, reconciler.patchStatus)).Should(Succeed())
 		Eventually(
 			func() error {
@@ -361,11 +345,8 @@ var _ = Describe("test generate revision ", func() {
 		app.SetAnnotations(map[string]string{annoKey1: "true"})
 		generatedAppfile, err := appParser.GenerateAppFile(ctx, &app)
 		Expect(err).Should(Succeed())
-		comps, err = generatedAppfile.GenerateComponentManifests()
-		Expect(err).Should(Succeed())
 		Expect(handler.PrepareCurrentAppRevision(ctx, generatedAppfile)).Should(Succeed())
 		Expect(handler.FinalizeAndApplyAppRevision(ctx)).Should(Succeed())
-		Expect(handler.ProduceArtifacts(context.Background(), comps, nil)).Should(Succeed())
 		Expect(handler.UpdateAppLatestRevisionStatus(ctx, reconciler.patchStatus)).Should(Succeed())

 		curApp := &v1beta1.Application{}
@@ -396,7 +377,6 @@ var _ = Describe("test generate revision ", func() {
 		lastRevision := curApp.Status.LatestRevision.Name
 		Expect(handler.PrepareCurrentAppRevision(ctx, generatedAppfile)).Should(Succeed())
 		Expect(handler.FinalizeAndApplyAppRevision(ctx)).Should(Succeed())
-		Expect(handler.ProduceArtifacts(context.Background(), comps, nil)).Should(Succeed())
 		Eventually(
 			func() error {
 				return handler.Get(ctx, types.NamespacedName{Namespace: ns.Name, Name: app.Name}, curApp)
--- a/pkg/cue/process/keyword.go
+++ b/pkg/cue/process/keyword.go
@@ -21,8 +21,6 @@ const (
 	OutputFieldName = "output"
 	// OutputsFieldName is the reference of context Auxiliaries
 	OutputsFieldName = "outputs"
-	// ConfigFieldName is the reference of context config
-	ConfigFieldName = "config"
 	// ParameterFieldName is the keyword in CUE template to define users' input and the reference to the context parameter
 	ParameterFieldName = "parameter"
 	// ContextName is the name of context
--- a/pkg/definition/gen_sdk/gen_sdk.go
+++ b/pkg/definition/gen_sdk/gen_sdk.go
@@ -463,6 +463,9 @@ func (g *Generator) completeOpenAPISchema(doc *openapi3.T) {
 // GenerateCode will call openapi-generator to generate code and modify it
 func (g *Generator) GenerateCode() (err error) {
 	tmpFile, err := os.CreateTemp("", g.meta.name+"-*.json")
+	if err != nil {
+		return err
+	}
 	_, err = tmpFile.Write(g.openapiSchema)
 	if err != nil {
 		return errors.Wrap(err, "write openapi schema to temporary file")
--- a/pkg/oam/mock/mocks.go
+++ b/pkg/oam/mock/mocks.go
@@ -44,7 +44,9 @@ func (m *Conditioned) GetCondition(ct condition.ConditionType) condition.Conditi
 }

 // ManagedResourceReferencer is a mock that implements ManagedResourceReferencer interface.
-type ManagedResourceReferencer struct{ Ref *corev1.ObjectReference }
+type ManagedResourceReferencer struct {
+	Ref *corev1.ObjectReference `json:"ref"`
+}

 // SetResourceReference sets the ResourceReference.
 func (m *ManagedResourceReferencer) SetResourceReference(r *corev1.ObjectReference) { m.Ref = r }
@@ -53,7 +55,9 @@ func (m *ManagedResourceReferencer) SetResourceReference(r *corev1.ObjectReferen
 func (m *ManagedResourceReferencer) GetResourceReference() *corev1.ObjectReference { return m.Ref }

 // A WorkloadReferencer references an OAM Workload type.
-type WorkloadReferencer struct{ Ref corev1.ObjectReference }
+type WorkloadReferencer struct {
+	Ref corev1.ObjectReference `json:"ref"`
+}

 // GetWorkloadReference gets the WorkloadReference.
 func (w *WorkloadReferencer) GetWorkloadReference() corev1.ObjectReference {
@@ -201,7 +205,7 @@ type LocalSecretReference struct {

 // LocalConnectionSecretWriterTo is a mock that implements LocalConnectionSecretWriterTo interface.
 type LocalConnectionSecretWriterTo struct {
-	Ref *LocalSecretReference
+	Ref *LocalSecretReference `json:"local_secret_ref"`
 }

 // SetWriteConnectionSecretToReference sets the WriteConnectionSecretToReference.
--- a/pkg/policy/override.go
+++ b/pkg/policy/override.go
@@ -31,7 +31,7 @@ import (
 )

 // ParseOverridePolicyRelatedDefinitions get definitions inside override policy
-func ParseOverridePolicyRelatedDefinitions(ctx context.Context, cli client.Client, app *v1beta1.Application, policy v1beta1.AppPolicy) (compDefs []*v1beta1.ComponentDefinition, traitDefs []*v1beta1.TraitDefinition, err error) {
+func ParseOverridePolicyRelatedDefinitions(ctx context.Context, cli client.Client, _ *v1beta1.Application, policy v1beta1.AppPolicy) (compDefs []*v1beta1.ComponentDefinition, traitDefs []*v1beta1.TraitDefinition, err error) {
 	if policy.Properties == nil {
 		return compDefs, traitDefs, fmt.Errorf("override policy %s must not have empty properties", policy.Name)
 	}
--- a/pkg/resourcekeeper/admission.go
+++ b/pkg/resourcekeeper/admission.go
@@ -58,7 +58,7 @@ type NamespaceAdmissionHandler struct {
 }

 // Validate check if cross namespace is available
-func (h *NamespaceAdmissionHandler) Validate(ctx context.Context, manifests []*unstructured.Unstructured) error {
+func (h *NamespaceAdmissionHandler) Validate(_ context.Context, manifests []*unstructured.Unstructured) error {
 	if !AllowCrossNamespaceResource {
 		for _, manifest := range manifests {
 			if manifest.GetNamespace() != h.app.GetNamespace() {
@@ -77,7 +77,7 @@ type ResourceTypeAdmissionHandler struct {
 }

 // Validate check if resource type is valid
-func (h *ResourceTypeAdmissionHandler) Validate(ctx context.Context, manifests []*unstructured.Unstructured) error {
+func (h *ResourceTypeAdmissionHandler) Validate(_ context.Context, manifests []*unstructured.Unstructured) error {
 	if AllowResourceTypes != "" {
 		if !h.initialized {
 			h.initialized = true
--- a/pkg/utils/apply/apply.go
+++ b/pkg/utils/apply/apply.go
@@ -18,7 +18,6 @@ package apply

 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"reflect"

@@ -206,6 +205,20 @@ func (a *APIApplicator) Apply(ctx context.Context, desired client.Object, ao ...
 		return nil
 	}

+	// Short-circuit for shared resources: only patch the shared-by annotation
+	// This avoids the three-way merge which could pollute last-applied-configuration
+	if applyAct.isShared {
+		loggingApply("patching shared resource annotation only", desired, applyAct.quiet)
+		sharedBy := desired.GetAnnotations()[oam.AnnotationAppSharedBy]
+		patch := []byte(fmt.Sprintf(`{"metadata":{"annotations":{"%s":"%s"}}}`, oam.AnnotationAppSharedBy, sharedBy))
+		var patchOpts []client.PatchOption
+		if applyAct.dryRun {
+			patchOpts = append(patchOpts, client.DryRunAll)
+		}
+		return errors.Wrapf(a.c.Patch(ctx, existing, client.RawPatch(types.MergePatchType, patch), patchOpts...),
+			"cannot patch shared resource annotation")
+	}
+
 	strategy := applyAct.updateStrategy
 	if strategy.Op == "" {
 		if utilfeature.DefaultMutableFeatureGate.Enabled(features.ApplyResourceByReplace) && isUpdatableResource(desired) {
@@ -349,7 +362,7 @@ func NotUpdateRenderHashEqual() ApplyOption {
 		if !ok {
 			return nil
 		}
-		oldSt := existing.(*unstructured.Unstructured)
+		oldSt, ok := existing.(*unstructured.Unstructured)
 		if !ok {
 			return nil
 		}
@@ -466,39 +479,39 @@ func DisableUpdateAnnotation() ApplyOption {
 // SharedByApp let the resource be sharable
 func SharedByApp(app *v1beta1.Application) ApplyOption {
 	return func(act *applyAction, existing, desired client.Object) error {
-		// calculate the shared-by annotation
-		// if resource exists, add the current application into the resource shared-by field
+		// Calculate the shared-by annotation value
 		var sharedBy string
 		if existing != nil && existing.GetAnnotations() != nil {
 			sharedBy = existing.GetAnnotations()[oam.AnnotationAppSharedBy]
 		}
 		sharedBy = AddSharer(sharedBy, app)
+
+		// Always add the shared-by annotation to desired (for create case)
 		util.AddAnnotations(desired, map[string]string{oam.AnnotationAppSharedBy: sharedBy})
+
 		if existing == nil {
 			return nil
 		}

-		// resource exists and controlled by current application
+		// Resource exists - check if controlled by current application
 		appKey, controlledBy := GetAppKey(app), GetControlledBy(existing)
 		if controlledBy == "" || appKey == controlledBy {
+			// Owner app - use normal three-way merge flow
 			return nil
 		}

-		// resource exists but not controlled by current application
+		// Resource exists but not controlled by current application
 		if existing.GetAnnotations() == nil || existing.GetAnnotations()[oam.AnnotationAppSharedBy] == "" {
-			// if the application that controls the resource does not allow sharing, return error
+			// Owner doesn't allow sharing
 			return fmt.Errorf("application is controlled by %s but is not sharable", controlledBy)
 		}
-		// the application that controls the resource allows sharing, then only mutate the shared-by annotation
+
+		// Non-owner sharer: set flags for short-circuit in Apply()
+		// The short-circuit will only patch the shared-by annotation, avoiding
+		// any manipulation of the resource spec or last-applied-configuration
 		act.isShared = true
-		bs, err := json.Marshal(existing)
-		if err != nil {
-			return err
-		}
-		if err = json.Unmarshal(bs, desired); err != nil {
-			return err
-		}
-		util.AddAnnotations(desired, map[string]string{oam.AnnotationAppSharedBy: sharedBy})
+		act.updateAnnotation = false
+
 		return nil
 	}
 }
--- a/pkg/utils/apply/apply_test.go
+++ b/pkg/utils/apply/apply_test.go
@@ -445,10 +445,11 @@ func TestSharedByApp(t *testing.T) {
 	app := &v1beta1.Application{ObjectMeta: metav1.ObjectMeta{Name: "app"}}
 	ao := SharedByApp(app)
 	testCases := map[string]struct {
-		existing client.Object
-		desired  client.Object
-		output   client.Object
-		hasError bool
+		existing       client.Object
+		desired        client.Object
+		output         client.Object
+		hasError       bool
+		expectIsShared bool
 	}{
 		"create new resource": {
 			existing: nil,
@@ -492,17 +493,17 @@ func TestSharedByApp(t *testing.T) {
 				"kind": "ConfigMap",
 				"data": "y",
 			}},
+			// Non-owner sharer: desired only gets the shared-by annotation added
+			// The actual resource content is NOT modified - the short-circuit in Apply()
+			// will patch only the annotation on the server
 			output: &unstructured.Unstructured{Object: map[string]interface{}{
 				"kind": "ConfigMap",
 				"metadata": map[string]interface{}{
-					"labels": map[string]interface{}{
-						oam.LabelAppName:      "example",
-						oam.LabelAppNamespace: "default",
-					},
 					"annotations": map[string]interface{}{oam.AnnotationAppSharedBy: "x/y,default/app"},
 				},
-				"data": "x",
+				"data": "y",
 			}},
+			expectIsShared: true,
 		},
 		"add sharer to existing sharing resource owned by self": {
 			existing: &unstructured.Unstructured{Object: map[string]interface{}{
@@ -554,16 +555,102 @@ func TestSharedByApp(t *testing.T) {
 			}},
 			hasError: true,
 		},
+		"non-owner sharer sets short-circuit flags": {
+			existing: &unstructured.Unstructured{Object: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       "Pod",
+				"metadata": map[string]interface{}{
+					"name":            "test-pod",
+					"resourceVersion": "12345",
+					"labels": map[string]interface{}{
+						oam.LabelAppName:      "app1",
+						oam.LabelAppNamespace: "default",
+					},
+					"annotations": map[string]interface{}{
+						oam.AnnotationAppSharedBy: "default/app1",
+					},
+				},
+			}},
+			desired: &unstructured.Unstructured{Object: map[string]interface{}{
+				"kind": "Pod",
+				"metadata": map[string]interface{}{
+					"name": "test-pod",
+				},
+			}},
+			// For non-owner sharers, desired only gets the shared-by annotation added
+			// The actual patching happens in Apply() via short-circuit
+			output: &unstructured.Unstructured{Object: map[string]interface{}{
+				"kind": "Pod",
+				"metadata": map[string]interface{}{
+					"name": "test-pod",
+					"annotations": map[string]interface{}{
+						oam.AnnotationAppSharedBy: "default/app1,default/app",
+					},
+				},
+			}},
+			// These flags are checked in the test loop
+			expectIsShared: true,
+		},
+		"non-owner sharer works without last-applied-configuration": {
+			existing: &unstructured.Unstructured{Object: map[string]interface{}{
+				"kind": "ConfigMap",
+				"metadata": map[string]interface{}{
+					"name": "test-cm",
+					"labels": map[string]interface{}{
+						oam.LabelAppName:      "app1",
+						oam.LabelAppNamespace: "default",
+					},
+					"annotations": map[string]interface{}{
+						oam.AnnotationAppSharedBy: "default/app1",
+					},
+				},
+				"data": map[string]interface{}{
+					"key": "value",
+				},
+			}},
+			desired: &unstructured.Unstructured{Object: map[string]interface{}{
+				"kind": "ConfigMap",
+				"metadata": map[string]interface{}{
+					"name": "test-cm",
+				},
+			}},
+			// For non-owner sharers, desired only gets the shared-by annotation added
+			output: &unstructured.Unstructured{Object: map[string]interface{}{
+				"kind": "ConfigMap",
+				"metadata": map[string]interface{}{
+					"name": "test-cm",
+					"annotations": map[string]interface{}{
+						oam.AnnotationAppSharedBy: "default/app1,default/app",
+					},
+				},
+			}},
+			expectIsShared: true,
+		},
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
 			r := require.New(t)
-			err := ao(&applyAction{}, tc.existing, tc.desired)
+			act := &applyAction{}
+			err := ao(act, tc.existing, tc.desired)
 			if tc.hasError {
 				r.Error(err)
 			} else {
 				r.NoError(err)
 				r.Equal(tc.output, tc.desired)
+
+				// Verify short-circuit flags for non-owner sharers
+				if tc.expectIsShared {
+					r.True(act.isShared, "isShared should be true for non-owner sharers")
+					r.False(act.updateAnnotation, "updateAnnotation should be false for non-owner sharers")
+				}
+
+				// Legacy check: When a resource is shared by another app, updateAnnotation should be false
+				if tc.existing != nil && tc.existing.GetAnnotations() != nil && tc.existing.GetAnnotations()[oam.AnnotationAppSharedBy] != "" {
+					existingController := GetControlledBy(tc.existing)
+					if existingController != "" && existingController != GetAppKey(app) {
+						r.False(act.updateAnnotation, "updateAnnotation should be false when sharing resource controlled by another app")
+					}
+				}
 			}
 		})
 	}
--- a/pkg/utils/common/args.go
+++ b/pkg/utils/common/args.go
@@ -128,7 +128,7 @@ func (a *Args) GetFakeClient(defs []*unstructured.Unstructured) (client.Client,
 		return a.client, nil
 	}
 	if a.config == nil {
-		if err := a.SetConfig(nil); err != nil {
+		if err := a.SetConfig(&rest.Config{}); err != nil {
 			return nil, err
 		}
 	}
--- a/pkg/utils/common/common.go
+++ b/pkg/utils/common/common.go
@@ -63,6 +63,8 @@ import (
 	terraformapiv1 "github.com/oam-dev/terraform-controller/api/v1beta1"
 	terraformapi "github.com/oam-dev/terraform-controller/api/v1beta2"

+	workflowv1alpha1 "github.com/kubevela/workflow/api/v1alpha1"
+
 	oamcore "github.com/oam-dev/kubevela/apis/core.oam.dev"
 	"github.com/oam-dev/kubevela/apis/types"
 	velacue "github.com/oam-dev/kubevela/pkg/cue"
@@ -93,6 +95,7 @@ func init() {
 	_ = metricsV1beta1api.AddToScheme(Scheme)
 	_ = kruisev1alpha1.AddToScheme(Scheme)
 	_ = gatewayv1beta1.AddToScheme(Scheme)
+	_ = workflowv1alpha1.AddToScheme(Scheme)
 	// +kubebuilder:scaffold:scheme
 }

--- a/pkg/utils/helm/repo_index.go
+++ b/pkg/utils/helm/repo_index.go
@@ -33,7 +33,7 @@ import (
 const IndexYaml = "index.yaml"

 // LoadRepoIndex load helm repo index
-func LoadRepoIndex(ctx context.Context, u string, cred *RepoCredential) (*helmrepo.IndexFile, error) {
+func LoadRepoIndex(_ context.Context, u string, cred *RepoCredential) (*helmrepo.IndexFile, error) {

 	if !strings.HasSuffix(u, "/") {
 		u = fmt.Sprintf("%s/%s", u, IndexYaml)
--- a/pkg/utils/k8s.go
+++ b/pkg/utils/k8s.go
@@ -399,9 +399,8 @@ func contains(object *runtime.Object, fieldSelector fields.Selector) bool {
 		if (negative && fmt.Sprintf("%v", result.String()) != value) ||
 			(!negative && fmt.Sprintf("%v", result.String()) == value) {
 			continue
-		} else {
-			return false
 		}
+		return false
 	}
 	return true
 }
--- a/pkg/utils/parse.go
+++ b/pkg/utils/parse.go
@@ -42,6 +42,9 @@ const TypeGitlab = "gitlab"
 // TypeUnknown represents parse failed
 const TypeUnknown = "unknown"

+// errInvalidFormatMsg with the message to be returned in case of a format error.
+const errInvalidFormatMsg = "invalid format "
+
 // Content contains different type of content needed when building Registry
 type Content struct {
 	OssContent
@@ -103,12 +106,12 @@ func Parse(addr string) (string, *Content, error) {
 			// 1. https://github.com/<owner>/<repo>/tree/<branch>/<path-to-dir>
 			// 2. https://github.com/<owner>/<repo>/<path-to-dir>
 			if len(l) < 3 {
-				return "", nil, errors.New("invalid format " + addr)
+				return "", nil, errors.New(errInvalidFormatMsg + addr)
 			}
 			if l[2] == "tree" {
 				// https://github.com/<owner>/<repo>/tree/<branch>/<path-to-dir>
 				if len(l) < 5 {
-					return "", nil, errors.New("invalid format " + addr)
+					return "", nil, errors.New(errInvalidFormatMsg + addr)
 				}
 				return TypeGithub, &Content{
 					GithubContent: GithubContent{
@@ -131,7 +134,7 @@ func Parse(addr string) (string, *Content, error) {
 				nil
 		case "api.github.com":
 			if len(l) != 5 {
-				return "", nil, errors.New("invalid format " + addr)
+				return "", nil, errors.New(errInvalidFormatMsg + addr)
 			}
 			//https://api.github.com/repos/<owner>/<repo>/contents/<path-to-dir>
 			return TypeGithub, &Content{
@@ -148,13 +151,13 @@ func Parse(addr string) (string, *Content, error) {
 			// 1. https://gitee.com/<owner>/<repo>/tree/<branch>/<path-to-dir>
 			// 2. https://gitee.com/<owner>/<repo>/<path-to-dir>
 			if len(l) < 3 {
-				return "", nil, errors.New("invalid format " + addr)
+				return "", nil, errors.New(errInvalidFormatMsg + addr)
 			}
 			switch l[2] {
 			case "tree":
 				// https://gitee.com/<owner>/<repo>/tree/<branch>/<path-to-dir>
 				if len(l) < 5 {
-					return "", nil, errors.New("invalid format " + addr)
+					return "", nil, errors.New(errInvalidFormatMsg + addr)
 				}
 				return TypeGitee, &Content{
 					GiteeContent: GiteeContent{
--- a/pkg/utils/strings.go
+++ b/pkg/utils/strings.go
@@ -80,3 +80,8 @@ func Sanitize(s string) string {
 	s = strings.ReplaceAll(s, "\r", "")
 	return s
 }
+
+// IgnoreVPrefix removes the leading "v" from a string
+func IgnoreVPrefix(s string) string {
+	return strings.TrimPrefix(s, "v")
+}
--- a/pkg/utils/strings_test.go
+++ b/pkg/utils/strings_test.go
@@ -26,3 +26,8 @@ func TestSanitize(t *testing.T) {
 	s := "abc\ndef\rgh"
 	require.Equal(t, "abcdefgh", Sanitize(s))
 }
+
+func TestIgnoreVPrefix(t *testing.T) {
+	require.Equal(t, "1.2.0", IgnoreVPrefix("v1.2.0"))
+	require.Equal(t, "1.2.0", IgnoreVPrefix("1.2.0"))
+}
--- a/pkg/velaql/context.go
+++ b/pkg/velaql/context.go
@@ -60,34 +60,34 @@ func (c ViewContext) GetStore() *corev1.ConfigMap {
 }

 // GetMutableValue get mutable data from workflow context.
-func (c ViewContext) GetMutableValue(paths ...string) string {
+func (c ViewContext) GetMutableValue(_ ...string) string {
 	return ""
 }

 // SetMutableValue set mutable data in workflow context config map.
-func (c ViewContext) SetMutableValue(data string, paths ...string) {
+func (c ViewContext) SetMutableValue(_ string, _ ...string) {
 }

 // IncreaseCountValueInMemory increase count in workflow context memory store.
-func (c ViewContext) IncreaseCountValueInMemory(paths ...string) int {
+func (c ViewContext) IncreaseCountValueInMemory(_ ...string) int {
 	return 0
 }

 // SetValueInMemory set data in workflow context memory store.
-func (c ViewContext) SetValueInMemory(data interface{}, paths ...string) {
+func (c ViewContext) SetValueInMemory(_ interface{}, _ ...string) {
 }

 // GetValueInMemory get data in workflow context memory store.
-func (c ViewContext) GetValueInMemory(paths ...string) (interface{}, bool) {
+func (c ViewContext) GetValueInMemory(_ ...string) (interface{}, bool) {
 	return "", true
 }

 // DeleteValueInMemory delete data in workflow context memory store.
-func (c ViewContext) DeleteValueInMemory(paths ...string) {
+func (c ViewContext) DeleteValueInMemory(_ ...string) {
 }

 // DeleteMutableValue delete mutable data in workflow context.
-func (c ViewContext) DeleteMutableValue(paths ...string) {
+func (c ViewContext) DeleteMutableValue(_ ...string) {
 }

 // Commit the workflow context and persist it's content.
--- a/pkg/velaql/providers/query/endpoint.go
+++ b/pkg/velaql/providers/query/endpoint.go
@@ -48,7 +48,7 @@ import (
 // CollectServiceEndpoints generator service endpoints is available for common component type,
 // such as webservice or helm
 // it can not support the cloud service component currently
-func (h *provider) CollectServiceEndpoints(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (h *provider) CollectServiceEndpoints(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	val, err := v.LookupValue("app")
 	if err != nil {
 		return err
--- a/pkg/velaql/providers/query/handler.go
+++ b/pkg/velaql/providers/query/handler.go
@@ -92,7 +92,7 @@ type FilterOption struct {
 }

 // ListResourcesInApp lists CRs created by Application, this provider queries the object data.
-func (h *provider) ListResourcesInApp(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (h *provider) ListResourcesInApp(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	val, err := v.LookupValue("app")
 	if err != nil {
 		return err
@@ -113,7 +113,7 @@ func (h *provider) ListResourcesInApp(ctx monitorContext.Context, wfCtx wfContex
 }

 // ListAppliedResources list applied resource from tracker, this provider only queries the metadata.
-func (h *provider) ListAppliedResources(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (h *provider) ListAppliedResources(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	val, err := v.LookupValue("app")
 	if err != nil {
 		return err
@@ -138,7 +138,7 @@ func (h *provider) ListAppliedResources(ctx monitorContext.Context, wfCtx wfCont
 	return fillQueryResult(v, appResList, "list")
 }

-func (h *provider) CollectResources(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (h *provider) CollectResources(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	val, err := v.LookupValue("app")
 	if err != nil {
 		return err
@@ -180,7 +180,7 @@ func (h *provider) CollectResources(ctx monitorContext.Context, wfCtx wfContext.
 	return fillQueryResult(v, resources, "list")
 }

-func (h *provider) SearchEvents(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (h *provider) SearchEvents(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	val, err := v.LookupValue("value")
 	if err != nil {
 		return err
@@ -209,7 +209,7 @@ func (h *provider) SearchEvents(ctx monitorContext.Context, wfCtx wfContext.Cont
 	return fillQueryResult(v, eventList.Items, "list")
 }

-func (h *provider) CollectLogsInPod(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act types.Action) error {
+func (h *provider) CollectLogsInPod(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ types.Action) error {
 	cluster, err := v.GetString("cluster")
 	if err != nil {
 		return errors.Wrapf(err, "invalid cluster")
--- a/pkg/velaql/view.go
+++ b/pkg/velaql/view.go
@@ -159,7 +159,7 @@ func (handler *ViewHandler) QueryView(ctx context.Context, qv QueryView) (*value
 	return viewCtx.GetVar(qv.Export)
 }

-func (handler *ViewHandler) dispatch(ctx context.Context, cluster string, owner string, manifests ...*unstructured.Unstructured) error {
+func (handler *ViewHandler) dispatch(ctx context.Context, cluster string, _ string, manifests ...*unstructured.Unstructured) error {
 	ctx = multicluster.ContextWithClusterName(ctx, cluster)
 	applicator := apply.NewAPIApplicator(handler.cli)
 	for _, manifest := range manifests {
@@ -170,7 +170,7 @@ func (handler *ViewHandler) dispatch(ctx context.Context, cluster string, owner
 	return nil
 }

-func (handler *ViewHandler) delete(ctx context.Context, cluster string, owner string, manifest *unstructured.Unstructured) error {
+func (handler *ViewHandler) delete(ctx context.Context, _ string, _ string, manifest *unstructured.Unstructured) error {
 	return handler.cli.Delete(ctx, manifest)
 }

--- a/pkg/webhook/core.oam.dev/register.go
+++ b/pkg/webhook/core.oam.dev/register.go
@@ -23,6 +23,7 @@ import (
 	controller "github.com/oam-dev/kubevela/pkg/controller/core.oam.dev"
 	"github.com/oam-dev/kubevela/pkg/webhook/core.oam.dev/v1beta1/application"
 	"github.com/oam-dev/kubevela/pkg/webhook/core.oam.dev/v1beta1/componentdefinition"
+	"github.com/oam-dev/kubevela/pkg/webhook/core.oam.dev/v1beta1/policydefinition"
 	"github.com/oam-dev/kubevela/pkg/webhook/core.oam.dev/v1beta1/traitdefinition"
 )

@@ -33,6 +34,7 @@ func Register(mgr manager.Manager, args controller.Args) {
 	componentdefinition.RegisterMutatingHandler(mgr, args)
 	componentdefinition.RegisterValidatingHandler(mgr)
 	traitdefinition.RegisterValidatingHandler(mgr, args)
+	policydefinition.RegisterValidatingHandler(mgr)
 	server := mgr.GetWebhookServer()
 	server.Register("/convert", &conversion.Webhook{})
 }
--- a/pkg/webhook/core.oam.dev/v1beta1/application/mutating_handler.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/application/mutating_handler.go
@@ -49,7 +49,7 @@ var _ admission.Handler = &MutatingHandler{}

 type appMutator func(ctx context.Context, req admission.Request, oldApp *v1beta1.Application, newApp *v1beta1.Application) (bool, error)

-func (h *MutatingHandler) handleIdentity(ctx context.Context, req admission.Request, _ *v1beta1.Application, app *v1beta1.Application) (bool, error) {
+func (h *MutatingHandler) handleIdentity(_ context.Context, req admission.Request, _ *v1beta1.Application, app *v1beta1.Application) (bool, error) {
 	if !utilfeature.DefaultMutableFeatureGate.Enabled(features.AuthenticateApplication) {
 		return false, nil
 	}
@@ -66,7 +66,7 @@ func (h *MutatingHandler) handleIdentity(ctx context.Context, req admission.Requ
 	return true, nil
 }

-func (h *MutatingHandler) handleWorkflow(ctx context.Context, req admission.Request, _ *v1beta1.Application, app *v1beta1.Application) (modified bool, err error) {
+func (h *MutatingHandler) handleWorkflow(_ context.Context, _ admission.Request, _ *v1beta1.Application, app *v1beta1.Application) (modified bool, err error) {
 	if app.Spec.Workflow != nil {
 		for i, step := range app.Spec.Workflow.Steps {
 			if step.Name == "" {
@@ -84,7 +84,7 @@ func (h *MutatingHandler) handleWorkflow(ctx context.Context, req admission.Requ
 	return modified, nil
 }

-func (h *MutatingHandler) handleSharding(ctx context.Context, req admission.Request, oldApp *v1beta1.Application, newApp *v1beta1.Application) (bool, error) {
+func (h *MutatingHandler) handleSharding(_ context.Context, _ admission.Request, oldApp *v1beta1.Application, newApp *v1beta1.Application) (bool, error) {
 	if sharding.EnableSharding && !utilfeature.DefaultMutableFeatureGate.Enabled(features.DisableWebhookAutoSchedule) {
 		oid, scheduled := sharding.GetScheduledShardID(oldApp)
 		_, newScheduled := sharding.GetScheduledShardID(newApp)
--- a/pkg/webhook/core.oam.dev/v1beta1/application/validation.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/application/validation.go
@@ -33,7 +33,7 @@ import (
 )

 // ValidateWorkflow validates the Application workflow
-func (h *ValidatingHandler) ValidateWorkflow(ctx context.Context, app *v1beta1.Application) field.ErrorList {
+func (h *ValidatingHandler) ValidateWorkflow(_ context.Context, app *v1beta1.Application) field.ErrorList {
 	var errs field.ErrorList
 	if app.Spec.Workflow != nil {
 		stepName := make(map[string]interface{})
@@ -117,7 +117,7 @@ func (h *ValidatingHandler) ValidateCreate(ctx context.Context, app *v1beta1.App
 }

 // ValidateUpdate validates the Application on update
-func (h *ValidatingHandler) ValidateUpdate(ctx context.Context, newApp, oldApp *v1beta1.Application) field.ErrorList {
+func (h *ValidatingHandler) ValidateUpdate(ctx context.Context, newApp, _ *v1beta1.Application) field.ErrorList {
 	// check if the newApp is valid
 	errs := h.ValidateCreate(ctx, newApp)
 	// TODO: add more validating
--- a/pkg/webhook/core.oam.dev/v1beta1/componentdefinition/mutating_handler.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/componentdefinition/mutating_handler.go
@@ -49,7 +49,7 @@ type MutatingHandler struct {
 var _ admission.Handler = &MutatingHandler{}

 // Handle handles admission requests.
-func (h *MutatingHandler) Handle(ctx context.Context, req admission.Request) admission.Response {
+func (h *MutatingHandler) Handle(_ context.Context, req admission.Request) admission.Response {
 	obj := &v1beta1.ComponentDefinition{}

 	err := h.Decoder.Decode(req, obj)
--- a/pkg/webhook/core.oam.dev/v1beta1/componentdefinition/validating_handler.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/componentdefinition/validating_handler.go
@@ -75,6 +75,14 @@ func (h *ValidatingHandler) Handle(ctx context.Context, req admission.Request) a
 			return admission.Denied(err.Error())
 		}

+		// validate cueTemplate
+		if obj.Spec.Schematic != nil && obj.Spec.Schematic.CUE != nil {
+			err = webhookutils.ValidateCueTemplate(obj.Spec.Schematic.CUE.Template)
+			if err != nil {
+				return admission.Denied(err.Error())
+			}
+		}
+
 		revisionName := obj.GetAnnotations()[oam.AnnotationDefinitionRevisionName]
 		if len(revisionName) != 0 {
 			defRevName := fmt.Sprintf("%s-v%s", obj.Name, revisionName)
--- a/pkg/webhook/core.oam.dev/v1beta1/componentdefinition/validating_handler_test.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/componentdefinition/validating_handler_test.go
@@ -49,13 +49,19 @@ var cdRaw []byte
 var testScheme = runtime.NewScheme()
 var testEnv *envtest.Environment
 var cfg *rest.Config
+var validCueTemplate string
+var inValidCueTemplate string

-func TestTraitdefinition(t *testing.T) {
+func TestComponentdefinition(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Traitdefinition Suite")
+	RunSpecs(t, "Componentdefinition Suite")
 }

 var _ = BeforeSuite(func() {
+
+	validCueTemplate = "{hello: 'world'}"
+	inValidCueTemplate = "{hello: world}"
+
 	var yamlPath string
 	if _, set := os.LookupEnv("COMPATIBILITY_TEST"); set {
 		yamlPath = "../../../../../test/compatibility-test/testdata"
@@ -81,7 +87,6 @@ var _ = BeforeSuite(func() {

 	cd = v1beta1.ComponentDefinition{}
 	cd.SetGroupVersionKind(v1beta1.ComponentDefinitionGroupVersionKind)
-	cdRaw, _ = json.Marshal(cd)
 })

 var _ = AfterSuite(func() {
@@ -169,5 +174,60 @@ var _ = Describe("Test ComponentDefinition validating handler", func() {
 			Expect(resp.Allowed).Should(BeFalse())
 			Expect(resp.Result.Reason).Should(Equal(metav1.StatusReason("the type and the definition of the workload field in ComponentDefinition wrongCd should represent the same workload")))
 		})
+		It("Test cue template validation passed", func() {
+			cd.Spec = v1beta1.ComponentDefinitionSpec{
+				Workload: common.WorkloadTypeDescriptor{
+					Type: "deployments.apps",
+					Definition: common.WorkloadGVK{
+						APIVersion: "apps/v1",
+						Kind:       "Deployment",
+					},
+				},
+				Schematic: &common.Schematic{
+					CUE: &common.CUE{
+						Template: validCueTemplate,
+					},
+				},
+			}
+			cdRaw, _ = json.Marshal(cd)
+
+			req = admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Operation: admissionv1.Create,
+					Resource:  reqResource,
+					Object:    runtime.RawExtension{Raw: cdRaw},
+				},
+			}
+			resp := handler.Handle(context.TODO(), req)
+			Expect(resp.Allowed).Should(BeTrue())
+		})
+		It("Test cue template validation failed", func() {
+			cd.Spec = v1beta1.ComponentDefinitionSpec{
+				Workload: common.WorkloadTypeDescriptor{
+					Type: "deployments.apps",
+					Definition: common.WorkloadGVK{
+						APIVersion: "apps/v1",
+						Kind:       "Deployment",
+					},
+				},
+				Schematic: &common.Schematic{
+					CUE: &common.CUE{
+						Template: inValidCueTemplate,
+					},
+				},
+			}
+			cdRaw, _ = json.Marshal(cd)
+
+			req = admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Operation: admissionv1.Create,
+					Resource:  reqResource,
+					Object:    runtime.RawExtension{Raw: cdRaw},
+				},
+			}
+			resp := handler.Handle(context.TODO(), req)
+			Expect(resp.Allowed).Should(BeFalse())
+			Expect(string(resp.Result.Reason)).Should(ContainSubstring("hello: reference \"world\" not found"))
+		})
 	})
 })
--- a/pkg/webhook/core.oam.dev/v1beta1/policydefinition/validating_handler.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/policydefinition/validating_handler.go
@@ -0,0 +1,103 @@
+/*
+ Copyright 2021. The KubeVela Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package policydefinition
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	admissionv1 "k8s.io/api/admission/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/runtime/inject"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
+	"github.com/oam-dev/kubevela/pkg/oam"
+	webhookutils "github.com/oam-dev/kubevela/pkg/webhook/utils"
+)
+
+var policyDefGVR = v1beta1.SchemeGroupVersion.WithResource("policydefinitions")
+
+// ValidatingHandler handles validation of policy definition
+type ValidatingHandler struct {
+	// Decoder decodes object
+	Decoder *admission.Decoder
+	Client  client.Client
+}
+
+var _ inject.Client = &ValidatingHandler{}
+
+// InjectClient injects the client into the ApplicationValidateHandler
+func (h *ValidatingHandler) InjectClient(c client.Client) error {
+	if h.Client != nil {
+		return nil
+	}
+	h.Client = c
+	return nil
+}
+
+var _ admission.Handler = &ValidatingHandler{}
+
+// Handle validate component definition
+func (h *ValidatingHandler) Handle(ctx context.Context, req admission.Request) admission.Response {
+	obj := &v1beta1.PolicyDefinition{}
+	if req.Resource.String() != policyDefGVR.String() {
+		return admission.Errored(http.StatusBadRequest, fmt.Errorf("expect resource to be %s", policyDefGVR))
+	}
+
+	if req.Operation == admissionv1.Create || req.Operation == admissionv1.Update {
+		err := h.Decoder.Decode(req, obj)
+		if err != nil {
+			return admission.Errored(http.StatusBadRequest, err)
+		}
+
+		// validate cueTemplate
+		if obj.Spec.Schematic != nil && obj.Spec.Schematic.CUE != nil {
+			err = webhookutils.ValidateCueTemplate(obj.Spec.Schematic.CUE.Template)
+			if err != nil {
+				return admission.Denied(err.Error())
+			}
+		}
+
+		revisionName := obj.GetAnnotations()[oam.AnnotationDefinitionRevisionName]
+		if len(revisionName) != 0 {
+			defRevName := fmt.Sprintf("%s-v%s", obj.Name, revisionName)
+			err = webhookutils.ValidateDefinitionRevision(ctx, h.Client, obj, client.ObjectKey{Namespace: obj.Namespace, Name: defRevName})
+			if err != nil {
+				return admission.Denied(err.Error())
+			}
+		}
+	}
+	return admission.ValidationResponse(true, "")
+}
+
+var _ admission.DecoderInjector = &ValidatingHandler{}
+
+// InjectDecoder injects the decoder into the ValidatingHandler
+func (h *ValidatingHandler) InjectDecoder(d *admission.Decoder) error {
+	h.Decoder = d
+	return nil
+}
+
+// RegisterValidatingHandler will register ComponentDefinition validation to webhook
+func RegisterValidatingHandler(mgr manager.Manager) {
+	server := mgr.GetWebhookServer()
+	server.Register("/validating-core-oam-dev-v1beta1-policydefinitions", &webhook.Admission{Handler: &ValidatingHandler{}})
+}
--- a/pkg/webhook/core.oam.dev/v1beta1/policydefinition/validating_handler_test.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/policydefinition/validating_handler_test.go
@@ -0,0 +1,143 @@
+/*
+Copyright 2021. The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policydefinition
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	admissionv1 "k8s.io/api/admission/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+var handler ValidatingHandler
+var req admission.Request
+var reqResource metav1.GroupVersionResource
+var decoder *admission.Decoder
+var pd v1beta1.PolicyDefinition
+var pdRaw []byte
+var scheme = runtime.NewScheme()
+var validCueTemplate string
+var inValidCueTemplate string
+
+func TestPolicydefinition(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Policydefinition Suite")
+}
+
+var _ = BeforeSuite(func() {
+
+	validCueTemplate = "{hello: 'world'}"
+	inValidCueTemplate = "{hello: world}"
+
+	pd = v1beta1.PolicyDefinition{}
+	pd.SetGroupVersionKind(v1beta1.PolicyDefinitionGroupVersionKind)
+
+	var err error
+	decoder, err = admission.NewDecoder(scheme)
+	Expect(err).Should(BeNil())
+})
+
+var _ = Describe("Test PolicyDefinition validating handler", func() {
+	BeforeEach(func() {
+		reqResource = metav1.GroupVersionResource{
+			Group:    v1beta1.Group,
+			Version:  v1beta1.Version,
+			Resource: "policydefinitions"}
+		handler = ValidatingHandler{}
+		handler.InjectDecoder(decoder)
+	})
+
+	It("Test wrong resource of admission request", func() {
+		wrongReqResource := metav1.GroupVersionResource{
+			Group:    v1beta1.Group,
+			Version:  v1beta1.Version,
+			Resource: "foos"}
+		req = admission.Request{
+			AdmissionRequest: admissionv1.AdmissionRequest{
+				Operation: admissionv1.Create,
+				Resource:  wrongReqResource,
+				Object:    runtime.RawExtension{Raw: []byte("")},
+			},
+		}
+		resp := handler.Handle(context.TODO(), req)
+		Expect(resp.Allowed).Should(BeFalse())
+	})
+
+	It("Test bad admission request", func() {
+		req = admission.Request{
+			AdmissionRequest: admissionv1.AdmissionRequest{
+				Operation: admissionv1.Create,
+				Resource:  reqResource,
+				Object:    runtime.RawExtension{Raw: []byte("bad request")},
+			},
+		}
+		resp := handler.Handle(context.TODO(), req)
+		Expect(resp.Allowed).Should(BeFalse())
+	})
+
+	Context("Test create/update operation admission request", func() {
+		It("Test cue template validation passed", func() {
+			pd.Spec = v1beta1.PolicyDefinitionSpec{
+				Schematic: &common.Schematic{
+					CUE: &common.CUE{
+						Template: validCueTemplate,
+					},
+				},
+			}
+			pdRaw, _ = json.Marshal(pd)
+
+			req = admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Operation: admissionv1.Create,
+					Resource:  reqResource,
+					Object:    runtime.RawExtension{Raw: pdRaw},
+				},
+			}
+			resp := handler.Handle(context.TODO(), req)
+			Expect(resp.Allowed).Should(BeTrue())
+		})
+		It("Test cue template validation failed", func() {
+			pd.Spec = v1beta1.PolicyDefinitionSpec{
+				Schematic: &common.Schematic{
+					CUE: &common.CUE{
+						Template: inValidCueTemplate,
+					},
+				},
+			}
+			pdRaw, _ = json.Marshal(pd)
+
+			req = admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Operation: admissionv1.Create,
+					Resource:  reqResource,
+					Object:    runtime.RawExtension{Raw: pdRaw},
+				},
+			}
+			resp := handler.Handle(context.TODO(), req)
+			Expect(resp.Allowed).Should(BeFalse())
+		})
+	})
+})
--- a/pkg/webhook/core.oam.dev/v1beta1/traitdefinition/validating_handler.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/traitdefinition/validating_handler.go
@@ -89,6 +89,15 @@ func (h *ValidatingHandler) Handle(ctx context.Context, req admission.Request) a
 				return admission.Denied(err.Error())
 			}
 		}
+
+		// validate cueTemplate
+		if obj.Spec.Schematic != nil && obj.Spec.Schematic.CUE != nil {
+			err = webhookutils.ValidateCueTemplate(obj.Spec.Schematic.CUE.Template)
+			if err != nil {
+				return admission.Denied(err.Error())
+			}
+		}
+
 		revisionName := obj.GetAnnotations()[oam.AnnotationDefinitionRevisionName]
 		if len(revisionName) != 0 {
 			defRevName := fmt.Sprintf("%s-v%s", obj.Name, revisionName)
@@ -119,7 +128,7 @@ func (h *ValidatingHandler) InjectDecoder(d *admission.Decoder) error {
 }

 // RegisterValidatingHandler will register TraitDefinition validation to webhook
-func RegisterValidatingHandler(mgr manager.Manager, args controller.Args) {
+func RegisterValidatingHandler(mgr manager.Manager, _ controller.Args) {
 	server := mgr.GetWebhookServer()
 	server.Register("/validating-core-oam-dev-v1alpha2-traitdefinitions", &webhook.Admission{Handler: &ValidatingHandler{
 		Validators: []TraitDefValidator{
@@ -141,11 +150,11 @@ func ValidateDefinitionReference(_ context.Context, td v1beta1.TraitDefinition)
 	if len(td.Spec.Reference.Name) > 0 {
 		return nil
 	}
-	cap, err := appfile.ConvertTemplateJSON2Object(td.Name, td.Spec.Extension, td.Spec.Schematic)
+	capability, err := appfile.ConvertTemplateJSON2Object(td.Name, td.Spec.Extension, td.Spec.Schematic)
 	if err != nil {
 		return errors.WithMessage(err, errValidateDefRef)
 	}
-	if cap.CueTemplate == "" {
+	if capability.CueTemplate == "" {
 		return errors.New(failInfoDefRefOmitted)

 	}
--- a/pkg/webhook/core.oam.dev/v1beta1/traitdefinition/validating_handler_test.go
+++ b/pkg/webhook/core.oam.dev/v1beta1/traitdefinition/validating_handler_test.go
@@ -21,16 +21,16 @@ import (
 	"encoding/json"
 	"testing"

-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
-
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/pkg/errors"
-
 	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 )

 var handler ValidatingHandler
@@ -40,6 +40,8 @@ var decoder *admission.Decoder
 var td v1beta1.TraitDefinition
 var tdRaw []byte
 var scheme = runtime.NewScheme()
+var validCueTemplate string
+var inValidCueTemplate string

 func TestTraitdefinition(t *testing.T) {
 	RegisterFailHandler(Fail)
@@ -47,9 +49,12 @@ func TestTraitdefinition(t *testing.T) {
 }

 var _ = BeforeSuite(func() {
+
+	validCueTemplate = "{hello: 'world'}"
+	inValidCueTemplate = "{hello: world}"
+
 	td = v1beta1.TraitDefinition{}
 	td.SetGroupVersionKind(v1beta1.TraitDefinitionGroupVersionKind)
-	tdRaw, _ = json.Marshal(td)

 	var err error
 	decoder, err = admission.NewDecoder(scheme)
@@ -104,6 +109,7 @@ var _ = Describe("Test TraitDefinition validating handler", func() {
 			handler.Validators = []TraitDefValidator{
 				TraitDefValidatorFn(mockValidator),
 			}
+			tdRaw, _ = json.Marshal(td)
 			req = admission.Request{
 				AdmissionRequest: admissionv1.AdmissionRequest{
 					Operation: admissionv1.Create,
@@ -122,6 +128,7 @@ var _ = Describe("Test TraitDefinition validating handler", func() {
 			handler.Validators = []TraitDefValidator{
 				TraitDefValidatorFn(mockValidator),
 			}
+			tdRaw, _ = json.Marshal(td)
 			req = admission.Request{
 				AdmissionRequest: admissionv1.AdmissionRequest{
 					Operation: admissionv1.Create,
@@ -133,5 +140,45 @@ var _ = Describe("Test TraitDefinition validating handler", func() {
 			Expect(resp.Allowed).Should(BeFalse())
 			Expect(resp.Result.Reason).Should(Equal(metav1.StatusReason("mock validator error")))
 		})
+		It("Test cue template validation passed", func() {
+			td.Spec = v1beta1.TraitDefinitionSpec{
+				Schematic: &common.Schematic{
+					CUE: &common.CUE{
+						Template: validCueTemplate,
+					},
+				},
+			}
+			tdRaw, _ = json.Marshal(td)
+
+			req = admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Operation: admissionv1.Create,
+					Resource:  reqResource,
+					Object:    runtime.RawExtension{Raw: tdRaw},
+				},
+			}
+			resp := handler.Handle(context.TODO(), req)
+			Expect(resp.Allowed).Should(BeTrue())
+		})
+		It("Test cue template validation failed", func() {
+			td.Spec = v1beta1.TraitDefinitionSpec{
+				Schematic: &common.Schematic{
+					CUE: &common.CUE{
+						Template: inValidCueTemplate,
+					},
+				},
+			}
+			tdRaw, _ = json.Marshal(td)
+
+			req = admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Operation: admissionv1.Create,
+					Resource:  reqResource,
+					Object:    runtime.RawExtension{Raw: tdRaw},
+				},
+			}
+			resp := handler.Handle(context.TODO(), req)
+			Expect(resp.Allowed).Should(BeFalse())
+		})
 	})
 })
--- a/pkg/webhook/utils/utils.go
+++ b/pkg/webhook/utils/utils.go
@@ -18,8 +18,11 @@ package utils

 import (
 	"context"
+	"regexp"
 	"strings"

+	"cuelang.org/go/cue/cuecontext"
+	cueErrors "cuelang.org/go/cue/errors"
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -30,6 +33,9 @@ import (
 	"github.com/oam-dev/kubevela/pkg/controller/core.oam.dev/v1beta1/core"
 )

+// ContextRegex to match '**: reference "context" not found'
+var ContextRegex = `^.+:\sreference\s\"context\"\snot\sfound$`
+
 // ValidateDefinitionRevision validate whether definition will modify the immutable object definitionRevision
 func ValidateDefinitionRevision(ctx context.Context, cli client.Client, def runtime.Object, defRevNamespacedName types.NamespacedName) error {
 	if errs := validation.IsQualifiedName(defRevNamespacedName.Name); len(errs) != 0 {
@@ -53,3 +59,31 @@ func ValidateDefinitionRevision(ctx context.Context, cli client.Client, def runt
 	}
 	return nil
 }
+
+// ValidateCueTemplate validate cueTemplate
+func ValidateCueTemplate(cueTemplate string) error {
+
+	val := cuecontext.New().CompileString(cueTemplate)
+	if e := checkError(val.Err()); e != nil {
+		return e
+	}
+
+	err := val.Validate()
+	if e := checkError(err); e != nil {
+		return e
+	}
+	return nil
+}
+
+func checkError(err error) error {
+	re := regexp.MustCompile(ContextRegex)
+	if err != nil {
+		// ignore context not found error
+		for _, e := range cueErrors.Errors(err) {
+			if !re.MatchString(e.Error()) {
+				return cueErrors.New(e.Error())
+			}
+		}
+	}
+	return nil
+}
--- a/pkg/webhook/utils/utils_test.go
+++ b/pkg/webhook/utils/utils_test.go
@@ -0,0 +1,69 @@
+/*
+Copyright 2021 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package utils
+
+import (
+	"testing"
+
+	"cuelang.org/go/cue/errors"
+	"github.com/crossplane/crossplane-runtime/pkg/test"
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestValidateCueTemplate(t *testing.T) {
+	cases := map[string]struct {
+		cueTemplate string
+		want        error
+	}{
+		"normalCueTemp": {
+			cueTemplate: "name: 'name'",
+			want:        nil,
+		},
+		"contextNouFoundCueTemp": {
+			cueTemplate: `
+				output: {
+					metadata: {
+						name: context.name
+						label: context.label
+						annotation: "default"
+					}
+				}`,
+			want: nil,
+		},
+		"inValidCueTemp": {
+			cueTemplate: `
+				output: {
+					metadata: {
+						name: context.name
+						label: context.label
+						annotation: "default"
+					},
+					hello: world 
+				}`,
+			want: errors.New("output.hello: reference \"world\" not found"),
+		},
+	}
+
+	for caseName, cs := range cases {
+		t.Run(caseName, func(t *testing.T) {
+			err := ValidateCueTemplate(cs.cueTemplate)
+			if diff := cmp.Diff(cs.want, err, test.EquateErrors()); diff != "" {
+				t.Errorf("\n%s\nValidateCueTemplate: -want , +got \n%s\n", cs.want, diff)
+			}
+		})
+	}
+}
--- a/pkg/workflow/providers/multicluster/multicluster.go
+++ b/pkg/workflow/providers/multicluster/multicluster.go
@@ -50,7 +50,7 @@ type provider struct {

 // MakePlacementDecisions
 // Deprecated
-func (p *provider) MakePlacementDecisions(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) MakePlacementDecisions(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	policy, err := v.GetString("inputs", "policyName")
 	if err != nil {
 		return err
@@ -108,7 +108,7 @@ func (p *provider) MakePlacementDecisions(ctx monitorContext.Context, wfCtx wfCo

 // PatchApplication
 // Deprecated
-func (p *provider) PatchApplication(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) PatchApplication(_ monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	env, err := v.GetString("inputs", "envName")
 	if err != nil {
 		return err
@@ -138,7 +138,7 @@ func (p *provider) PatchApplication(ctx monitorContext.Context, wfCtx wfContext.
 	return v.FillObject(newApp, "outputs")
 }

-func (p *provider) ListClusters(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) ListClusters(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	secrets, err := multicluster.ListExistingClusterSecrets(ctx, p.Client)
 	if err != nil {
 		return err
@@ -169,7 +169,7 @@ func (p *provider) Deploy(ctx monitorContext.Context, _ wfContext.Context, v *va
 	return nil
 }

-func (p *provider) GetPlacementsFromTopologyPolicies(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) GetPlacementsFromTopologyPolicies(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	policyNames, err := v.GetStringSlice("policies")
 	if err != nil {
 		return err
--- a/pkg/workflow/providers/oam/apply.go
+++ b/pkg/workflow/providers/oam/apply.go
@@ -64,7 +64,7 @@ type provider struct {
 }

 // RenderComponent render component
-func (p *provider) RenderComponent(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) RenderComponent(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	comp, patcher, clusterName, overrideNamespace, err := lookUpCompInfo(v)
 	if err != nil {
 		return err
@@ -93,7 +93,7 @@ func (p *provider) RenderComponent(ctx monitorContext.Context, wfCtx wfContext.C
 }

 // ApplyComponent apply component.
-func (p *provider) ApplyComponent(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) ApplyComponent(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, act wfTypes.Action) error {
 	comp, patcher, clusterName, overrideNamespace, err := lookUpCompInfo(v)
 	if err != nil {
 		return err
@@ -155,7 +155,7 @@ func lookUpCompInfo(v *value.Value) (*common.ApplicationComponent, *value.Value,
 }

 // LoadComponent load component describe info in application.
-func (p *provider) LoadComponent(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) LoadComponent(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	app := &v1beta1.Application{}
 	// if specify `app`, use specified application otherwise use default application from provider
 	appSettings, err := v.LookupValue("app")
@@ -200,7 +200,7 @@ func (p *provider) LoadComponent(ctx monitorContext.Context, wfCtx wfContext.Con
 }

 // LoadComponentInOrder load component describe info in application output will be a list with order defined in application.
-func (p *provider) LoadComponentInOrder(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) LoadComponentInOrder(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	app := &v1beta1.Application{}
 	// if specify `app`, use specified application otherwise use default application from provider
 	appSettings, err := v.LookupValue("app")
@@ -232,7 +232,7 @@ func (p *provider) LoadComponentInOrder(ctx monitorContext.Context, wfCtx wfCont
 }

 // LoadPolicies load policy describe info in application.
-func (p *provider) LoadPolicies(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) LoadPolicies(_ monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	for _, po := range p.app.Spec.Policies {
 		if err := v.FillObject(po, "value", po.Name); err != nil {
 			return err
--- a/pkg/workflow/providers/terraform/terraform.go
+++ b/pkg/workflow/providers/terraform/terraform.go
@@ -40,7 +40,7 @@ type provider struct {
 	renderer oamProvider.WorkloadRenderer
 }

-func (p *provider) LoadTerraformComponents(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) LoadTerraformComponents(ctx monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	var components []common.ApplicationComponent
 	for _, comp := range p.app.Spec.Components {
 		wl, err := p.renderer(ctx, comp)
@@ -55,7 +55,7 @@ func (p *provider) LoadTerraformComponents(ctx monitorContext.Context, wfCtx wfC
 	return v.FillObject(components, "outputs", "components")
 }

-func (p *provider) GetConnectionStatus(ctx monitorContext.Context, wfCtx wfContext.Context, v *value.Value, act wfTypes.Action) error {
+func (p *provider) GetConnectionStatus(_ monitorContext.Context, _ wfContext.Context, v *value.Value, _ wfTypes.Action) error {
 	componentName, err := v.GetString("inputs", "componentName")
 	if err != nil {
 		return errors.Wrapf(err, "failed to get component name")
--- a/Show More
+++ b/Show More