fix: dangerous-exec-command-87 (#6999 )

Co-authored-by: root <root@ai-guardian-remediation-54f45fdc58-g5zpm>
Fix: Enhance shared resource handling to avoid last-applied-configuration pollution (#6998 )
2025-11-26 06:52:34 -08:00 · 2025-11-26 11:08:22 +00:00 · 2025-11-25 11:36:27 +00:00 · 2025-11-25 11:35:08 +00:00 · 2025-11-18 08:47:44 +00:00 · 2025-11-17 18:14:40 -08:00
791 changed files with 78447 additions and 16383 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1,35 +1,35 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file

-*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong @wangyikewxgm @chivalryq
-design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong
+*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet
+design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong @anoop2811 @briankane @jguionnet

 # Owner of Core Controllers
-pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow @wangyikewxgm @chivalryq
+pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet

 # Owner of Standard Controllers
-pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow @Somefive
+pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow @Somefive @anoop2811 @FogDong @briankane @jguionnet

 # Owner of CUE
-pkg/cue                            @leejanee @FogDong @Somefive
-pkg/stdlib                         @leejanee @FogDong @Somefive
+pkg/cue                            @leejanee @FogDong @Somefive @anoop2811 @briankane @jguionnet
+pkg/stdlib                         @leejanee @FogDong @Somefive @anoop2811 @briankane @jguionnet

 # Owner of Workflow
-pkg/workflow                       @leejanee @FogDong @Somefive @wangyikewxgm @chivalryq
+pkg/workflow                       @leejanee @FogDong @Somefive @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet

 # Owner of vela templates
-vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong @wangyikewxgm @chivalryq
+vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet

 # Owner of vela CLI
-references/cli/                     @Somefive @zzxwill @StevenLeiZhang @charlie0129 @wangyikewxgm @chivalryq
+references/cli/                     @Somefive @StevenLeiZhang @charlie0129 @wangyikewxgm @chivalryq @anoop2811 @FogDong @briankane @jguionnet

 # Owner of vela addon framework
-pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129
+pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129 @anoop2811 @FogDong @briankane @jguionnet

 # Owner of resource keeper and tracker
-pkg/resourcekeeper                 @Somefive @FogDong @chivalryq
-pkg/resourcetracker                @Somefive @FogDong @chivalryq
+pkg/resourcekeeper                 @Somefive @FogDong @chivalryq @anoop2811 @briankane @jguionnet
+pkg/resourcetracker                @Somefive @FogDong @chivalryq @anoop2811 @briankane @jguionnet

-.github/                           @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm
-makefiles                          @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm
-go.*                               @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm
+.github/                           @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811 @briankane @jguionnet
+makefiles                          @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811 @briankane @jguionnet
+go.*                               @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811 @briankane @jguionnet

--- a/.github/actions/deploy-current-branch/README.md
+++ b/.github/actions/deploy-current-branch/README.md
@ -0,0 +1,35 @@
+# Deploy Current Branch Action
+
+This GitHub composite action builds a Docker image from the current branch commit and deploys it to a KubeVela cluster for development testing.
+
+## What it does
+
+- Generates a unique image tag from the latest commit hash
+- Builds and loads the Docker image into a KinD cluster
+- Applies KubeVela CRDs for upgrade safety
+- Upgrades the KubeVela Helm release to use the local development image
+- Verifies deployment status and the running image version
+
+## Usage
+
+```yaml
+- name: Deploy Current Branch
+  uses: ./path/to/this/action
+```
+
+## Requirements
+
+- Docker, Helm, kubectl, and KinD must be available in your runner environment
+- Kubernetes cluster access
+- `charts/vela-core/crds` directory with CRDs
+- Valid Helm chart at `charts/vela-core`
+
+## Steps performed
+
+1. **Generate commit hash for image tag**
+2. **Build & load Docker image into KinD**
+3. **Pre-apply chart CRDs**
+4. **Upgrade KubeVela using local image**
+5. **Verify deployment and image version**
+
+---
--- a/.github/actions/deploy-current-branch/action.yaml
+++ b/.github/actions/deploy-current-branch/action.yaml
@ -0,0 +1,89 @@
+name: 'Deploy Current Branch'
+description: 'Builds Docker image from current branch commit and deploys it to KubeVela cluster for development testing'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Git Commit Hash Generation
+    # Generate unique image tag from current branch's latest commit
+    # ========================================================================
+    - name: Get commit hash
+      id: commit_hash
+      shell: bash
+      run: |
+        COMMIT_HASH="git-$(git rev-parse --short HEAD)"
+        echo "Using commit hash: $COMMIT_HASH"
+        echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
+
+    # ========================================================================
+    # Docker Image Build and Cluster Loading
+    # Build development image from current code and load into KinD cluster
+    # ========================================================================
+    - name: Build and load Docker image
+      shell: bash
+      run: |
+        echo "Building development image: vela-core-test:${{ env.COMMIT_HASH }}"
+
+        mkdir -p $HOME/tmp/
+
+        docker build --no-cache \
+          -t vela-core-test:${{ env.COMMIT_HASH }} \
+          -f Dockerfile .
+
+        echo "Loading image into KinD cluster..."
+        TMPDIR=$HOME/tmp/ kind load docker-image vela-core-test:${{ env.COMMIT_HASH }}
+
+    # ========================================================================
+    # Custom Resource Definitions Application
+    # Pre-apply CRDs to ensure upgrade compatibility and prevent conflicts
+    # ========================================================================
+    - name: Pre-apply CRDs from target chart (upgrade-safe)
+      shell: bash
+      run: |
+        CRD_DIR="charts/vela-core/crds"
+
+        echo "Applying CRDs idempotently..."
+        kubectl apply -f "${CRD_DIR}"
+
+    # ========================================================================
+    # KubeVela Helm Chart Upgrade
+    # Upgrade existing installation to use locally built development image
+    # ========================================================================
+    - name: Upgrade KubeVela to development image
+      shell: bash
+      run: |
+        echo "Upgrading KubeVela to development version..."
+        helm upgrade kubevela ./charts/vela-core \
+          --namespace vela-system \
+          --set image.repository=vela-core-test \
+          --set image.tag=${{ env.COMMIT_HASH }} \
+          --set image.pullPolicy=IfNotPresent \
+          --timeout 5m \
+          --wait \
+          --debug
+
+    # ========================================================================
+    # Deployment Status Verification
+    # Verify successful upgrade and confirm correct image deployment
+    # ========================================================================
+    - name: Verify deployment status
+      shell: bash
+      run: |
+        echo "=== DEPLOYMENT VERIFICATION ==="
+        echo "Verifying upgrade to local development image..."
+
+        echo "--- Pod Status ---"
+        kubectl get pods -n vela-system
+
+        echo "--- Deployment Rollout ---"
+        kubectl rollout status deployment/kubevela-vela-core \
+          -n vela-system \
+          --timeout=300s
+
+        echo "--- Deployed Image Version ---"
+        kubectl get deployment kubevela-vela-core \
+          -n vela-system \
+          -o yaml | grep "image:" | head -1
+
+        echo "Deployment verification completed successfully!"
--- a/.github/actions/deploy-latest-release/README.md
+++ b/.github/actions/deploy-latest-release/README.md
@ -0,0 +1,32 @@
+# Install Latest KubeVela Release Action
+
+This GitHub composite action installs the latest stable KubeVela release from the official Helm repository and verifies its deployment status.
+
+## What it does
+
+- Discovers the latest stable KubeVela release tag from GitHub
+- Adds and updates the official KubeVela Helm chart repository
+- Installs KubeVela into the `vela-system` namespace (using Helm)
+- Verifies pod status and deployment rollout for successful installation
+
+## Usage
+
+```yaml
+- name: Install Latest KubeVela Release
+  uses: ./path/to/this/action
+```
+
+## Requirements
+
+- Helm, kubectl, jq, and curl must be available in your runner environment
+- Kubernetes cluster access
+
+## Steps performed
+
+1. **Release Tag Discovery:** Fetches latest stable tag (without `v` prefix)
+2. **Helm Repo Setup:** Adds/updates KubeVela Helm chart repo
+3. **Install KubeVela:** Installs latest release in the `vela-system` namespace
+4. **Status Verification:** Checks pod status and rollout for readiness
+
+---
+
--- a/.github/actions/deploy-latest-release/action.yaml
+++ b/.github/actions/deploy-latest-release/action.yaml
@ -0,0 +1,68 @@
+name: 'Install Latest KubeVela Release'
+description: 'Installs the latest stable KubeVela release from official Helm repository with status verification'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Latest Release Tag Discovery
+    # Fetch current stable release version from GitHub API
+    # ========================================================================
+    - name: Get latest KubeVela release tag (no v prefix)
+      id: get_latest_tag
+      shell: bash
+      run: |
+        TAG=$(curl -s https://api.github.com/repos/kubevela/kubevela/releases/latest | \
+              jq -r ".tag_name" | \
+              awk '{sub(/^v/, ""); print}')
+        echo "LATEST_TAG=$TAG" >> $GITHUB_ENV
+        echo "Discovered latest release: $TAG"
+
+    # ========================================================================
+    # Helm Repository Configuration
+    # Add and update official KubeVela chart repository
+    # ========================================================================
+    - name: Add KubeVela Helm repo
+      shell: bash
+      run: |
+        echo "Adding KubeVela Helm repository..."
+        helm repo add kubevela https://kubevela.github.io/charts
+        helm repo update
+        echo "Helm repository configuration completed"
+
+    # ========================================================================
+    # KubeVela Stable Release Installation
+    # Deploy latest stable version to vela-system namespace
+    # ========================================================================
+    - name: Install KubeVela ${{ env.LATEST_TAG }}
+      shell: bash
+      run: |
+        echo "Installing KubeVela version: ${{ env.LATEST_TAG }}"
+        helm install \
+          --create-namespace \
+          -n vela-system \
+          kubevela kubevela/vela-core \
+          --version ${{ env.LATEST_TAG }} \
+          --timeout 10m \
+          --wait
+        echo "KubeVela installation completed"
+
+    # ========================================================================
+    # Installation Status Verification
+    # Verify successful deployment and readiness of KubeVela components
+    # ========================================================================
+    - name: Post-install status
+      shell: bash
+      run: |
+        echo "=== INSTALLATION VERIFICATION ==="
+        echo "Verifying KubeVela deployment status..."
+
+        echo "--- Pod Status ---"
+        kubectl get pods -n vela-system
+
+        echo "--- Deployment Rollout ---"
+        kubectl rollout status deployment/kubevela-vela-core \
+          -n vela-system \
+          --timeout=300s
+
+        echo "KubeVela installation verification completed successfully!"
--- a/.github/actions/e2e-test/README.md
+++ b/.github/actions/e2e-test/README.md
@ -0,0 +1,51 @@
+# Kubevela K8s Upgrade E2E Test Action
+
+A comprehensive GitHub composite action for running KubeVela Kubernetes upgrade end-to-end (E2E) tests with complete environment setup, multiple test suites, and failure diagnostics.
+
+
+> **Note**: This action requires the `GO_VERSION` environment variable to be set in your workflow.
+
+## Quick Start
+
+### Basic Usage
+
+```yaml
+name: E2E Tests
+on: [push, pull_request]
+
+jobs:
+  e2e-tests:
+    runs-on: ubuntu-latest
+    env:
+      GO_VERSION: '1.23.8'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Run KubeVela E2E Tests
+        uses: ./.github/actions/upgrade-e2e-test
+```
+
+## Test Flow Diagram
+
+```
+┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
+│ Environment     │    │ E2E Environment  │    │ Test Execution  │
+│ Setup           │───▶│ Preparation      │───▶│ (3 Suites)      │
+│                 │    │                  │    │                 │
+│ • Install tools │    │ • Cleanup        │    │ • API tests     │
+│ • Setup Go      │    │ • Core setup     │    │ • Addon tests   │
+│ • Dependencies  │    │ • Helm tests     │    │ • General tests │
+│ • Build project │    │                  │    │                 │
+└─────────────────┘    └──────────────────┘    └─────────────────┘
+                                                        │
+                                                        ▼
+                                                ┌─────────────────┐
+                                                │ Diagnostics     │
+                                                │ (On Failure)    │
+                                                │                 │
+                                                │ • Cluster logs  │
+                                                │ • System events │
+                                                │ • Test artifacts│
+                                                └─────────────────┘
+```
--- a/.github/actions/e2e-test/action.yaml
+++ b/.github/actions/e2e-test/action.yaml
@ -0,0 +1,100 @@
+name: 'Kubevela K8s Upgrade e2e Test'
+description: 'Runs Kubevela K8s upgrade e2e tests, uploads coverage, and collects diagnostics on failure.'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+      with:
+        install-ginkgo: 'true'
+        install-setup-envtest: 'false'
+        install-kustomize: 'false'
+
+    - name: Build project
+      shell: bash
+      run: make
+
+    # ========================================================================
+    # E2E Test Environment Preparation
+    # ========================================================================
+    - name: Prepare e2e environment
+      shell: bash
+      run: |
+        echo "Preparing e2e test environment..."
+        make e2e-cleanup
+        make e2e-setup-core
+
+        echo "Running Helm tests..."
+        helm test -n vela-system kubevela --timeout 5m
+
+    # ========================================================================
+    # E2E Test Execution
+    # ========================================================================
+    - name: Run API e2e tests
+      shell: bash
+      run: |
+        echo "Running API e2e tests..."
+        make e2e-api-test
+
+    - name: Run addon e2e tests
+      shell: bash
+      run: |
+        echo "Running addon e2e tests..."
+        make e2e-addon-test
+
+    - name: Run general e2e tests
+      shell: bash
+      run: |
+        echo "Running general e2e tests..."
+        make e2e-test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: ./coverage.txt
+        flags: core-unittests
+        name: codecov-umbrella
+        fail_ci_if_error: false
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
+
+        echo "--- Helm Release Status ---"
+        helm list -A || true
+        helm status kubevela -n vela-system || true
+
+        echo "--- Test Artifacts ---"
+        find . -name "*.log" -type f -exec echo "=== {} ===" \; -exec cat {} \; || true
--- a/.github/actions/env-setup/README.md
+++ b/.github/actions/env-setup/README.md
@ -0,0 +1,67 @@
+# Kubevela Test Environment Setup Action
+
+A GitHub Actions composite action that sets up a complete testing environment for Kubevela projects with Go, Kubernetes tools, and the Ginkgo testing framework.
+
+## Features
+
+- 🛠️ **System Dependencies**: Installs essential build tools (make, gcc, jq, curl, etc.)
+- ☸️ **Kubernetes Tools**: Sets up kubectl and Helm for cluster operations
+- 🐹 **Go Environment**: Configurable Go version with module caching
+- 📦 **Dependency Management**: Downloads and verifies Go module dependencies
+- 🧪 **Testing Framework**: Installs Ginkgo v2 for BDD-style testing
+
+## Usage
+
+```yaml
+- name: Setup Kubevela Test Environment
+  uses: ./path/to/this/action
+  with:
+    go-version: '1.23.8'      # Optional: Go version (default: 1.23.8)
+```
+
+### Example Workflow
+
+```yaml
+name: Kubevela Tests
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Setup Test Environment
+        uses: ./path/to/this/action
+        with:
+          go-version: '1.21'
+          
+      - name: Run Tests
+        run: |
+          ginkgo -r ./tests/e2e/
+```
+
+## Inputs
+
+| Input | Description | Required | Default | Usage |
+|-------|-------------|----------|---------|-------|
+| `go-version` | Go version to install and use | No | `1.23.8` | Specify Go version for your project |
+
+## What This Action Installs
+
+### System Tools
+- **make**: Build automation tool
+- **gcc**: GNU Compiler Collection
+- **jq**: JSON processor for shell scripts
+- **ca-certificates**: SSL/TLS certificates
+- **curl**: HTTP client for downloads
+- **gnupg**: GNU Privacy Guard for security
+
+### Kubernetes Ecosystem
+- **kubectl**: Kubernetes command-line tool (latest stable)
+- **helm**: Kubernetes package manager (latest stable)
+
+### Go Development
+- **Go Runtime**: Specified version with module caching enabled
+- **Go Modules**: Downloaded and verified dependencies
+- **Ginkgo v2.14.0**: BDD testing framework for Go
--- a/.github/actions/env-setup/action.yaml
+++ b/.github/actions/env-setup/action.yaml
@ -0,0 +1,118 @@
+name: 'Kubevela Test Environment Setup'
+description: 'Sets up complete testing environment for Kubevela with Go, Kubernetes tools, and testing frameworks.'
+
+inputs:
+  go-version:
+    description: 'Go version to use for testing'
+    required: false
+    default: '1.23.8'
+  install-ginkgo:
+    description: 'Install Ginkgo testing framework'
+    required: false
+    default: 'true'
+  install-setup-envtest:
+    description: 'Install setup-envtest for integration testing'
+    required: false
+    default: 'false'
+  install-kustomize:
+    description: 'Install kustomize for manifest management'
+    required: false
+    default: 'false'
+  kustomize-version:
+    description: 'Kustomize version to install'
+    required: false
+    default: '4.5.4'
+
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        # Update package manager and install essential tools
+        sudo apt-get update
+        sudo apt-get install -y \
+          make \
+          gcc \
+          jq \
+          ca-certificates \
+          curl \
+          gnupg
+
+    - name: Install kubectl and helm
+      shell: bash
+      run: |
+        # Detect architecture
+        ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+        
+        # Install kubectl
+        echo "Installing kubectl for architecture: $ARCH"
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl"
+        chmod +x kubectl
+        sudo mv kubectl /usr/local/bin/
+        
+        # Install helm using the official script (more reliable)
+        echo "Installing Helm using official script..."
+        curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+        chmod 700 get_helm.sh
+        ./get_helm.sh
+        rm get_helm.sh
+        
+        # Verify installations
+        echo "Verifying installations..."
+        kubectl version --client
+        helm version
+    
+
+    - name: Setup Go environment
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+      with:
+        go-version: ${{ inputs.go-version }}
+        cache: true
+
+    - name: Download Go dependencies
+      shell: bash
+      run: |
+        # Download and cache Go module dependencies
+        go mod download
+        go mod verify
+
+    - name: Install Ginkgo testing framework
+      if: ${{ inputs.install-ginkgo == 'true' }}
+      shell: bash
+      run: |
+        echo "Installing Ginkgo testing framework..."
+        go install github.com/onsi/ginkgo/v2/ginkgo@v2.14.0
+        echo "Ginkgo installed successfully"
+
+    - name: Install setup-envtest
+      if: ${{ inputs.install-setup-envtest == 'true' }}
+      shell: bash
+      run: |
+        echo "Installing setup-envtest for integration testing..."
+        mkdir -p ./bin
+        GOBIN=$(pwd)/bin go install sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20240522175850-2e9781e9fc60
+        echo "setup-envtest installed successfully at ./bin/setup-envtest"
+        ls -la ./bin/setup-envtest
+
+        # Download and cache the Kubernetes binaries for envtest
+        echo "Downloading Kubernetes binaries for envtest..."
+        KUBEBUILDER_ASSETS=$(./bin/setup-envtest use 1.31.0 --bin-dir ./bin -p path)
+        echo "Kubernetes binaries downloaded successfully"
+        echo "KUBEBUILDER_ASSETS=${KUBEBUILDER_ASSETS}"
+        # Export for subsequent steps
+        echo "KUBEBUILDER_ASSETS=${KUBEBUILDER_ASSETS}" >> $GITHUB_ENV
+
+    - name: Install kustomize
+      if: ${{ inputs.install-kustomize == 'true' }}
+      shell: bash
+      run: |
+        echo "Installing kustomize version ${{ inputs.kustomize-version }}..."
+        mkdir -p ./bin
+        curl -sS https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash -s ${{ inputs.kustomize-version }} $(pwd)/bin
+        echo "kustomize installed successfully at ./bin/kustomize"
+        ./bin/kustomize version
--- a/.github/actions/multicluster-test/README.md
+++ b/.github/actions/multicluster-test/README.md
@ -0,0 +1,35 @@
+# Kubevela K8s Upgrade Multicluster E2E Test Action
+
+A comprehensive GitHub Actions composite action for running Kubevela Kubernetes upgrade multicluster end-to-end tests with automated coverage reporting and failure diagnostics.
+
+## Usage
+
+
+```yaml
+name: Kubevela Multicluster E2E Tests
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+jobs:
+  multicluster-e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Multicluster E2E Tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: 'true'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+```
+
+## Inputs
+
+| Input | Description | Required | Default | Type |
+|-------|-------------|----------|---------|------|
+| `codecov-token` | Codecov token for uploading coverage reports | No | `''` | string |
+| `codecov-enable` | Enable codecov coverage upload | No | `'false'` | string |
--- a/.github/actions/multicluster-test/action.yaml
+++ b/.github/actions/multicluster-test/action.yaml
@ -0,0 +1,80 @@
+name: 'Kubevela K8s Upgrade Multicluster E2E Test'
+description: 'Runs Kubevela Kubernetes upgrade multicluster end-to-end tests, uploads coverage, and collects diagnostics on failure.'
+author: 'viskumar_gwre'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+      with:
+        install-ginkgo: 'true'
+        install-setup-envtest: 'false'
+        install-kustomize: 'false'
+
+    # ========================================================================
+    # E2E Test Execution
+    # ========================================================================
+    - name: Prepare e2e test environment
+      shell: bash
+      run: |
+        # Build CLI tools and prepare test environment
+        echo "Building KubeVela CLI..."
+        make vela-cli
+
+        echo "Cleaning up previous test artifacts..."
+        make e2e-cleanup
+
+        echo "Setting up core authentication for e2e tests..."
+        make e2e-setup-core-auth
+
+    - name: Execute multicluster upgrade e2e tests
+      shell: bash
+      run: |
+        # Add built CLI to PATH and run multicluster tests
+        export PATH=$(pwd)/bin:$PATH
+
+        echo "Running e2e multicluster upgrade tests..."
+        make e2e-multicluster-test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
+        flags: e2e-multicluster-test
+        name: codecov-umbrella
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
--- a/.github/actions/setup-kind-cluster/README.md
+++ b/.github/actions/setup-kind-cluster/README.md
@ -0,0 +1,78 @@
+# Setup Kind Cluster Action
+
+A GitHub Action that sets up a Kubernetes testing environment using Kind (Kubernetes in Docker) for E2E testing.
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `k8s-version` | Kubernetes version for the kind cluster | No | `v1.31.9` |
+
+## Quick Start
+
+```yaml
+name: E2E Tests
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      
+      - name: Setup Kind Cluster
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: 'v1.31.9'
+      
+      - name: Run tests
+        run: |
+          kubectl cluster-info
+          make test-e2e
+```
+
+## What it does
+
+1. **Installs Kind CLI** - Downloads Kind v0.29.0 using Go
+2. **Cleans up** - Removes any existing Kind clusters
+3. **Creates cluster** - Spins up Kubernetes v1.31.9 cluster
+4. **Sets up environment** - Configures KUBECONFIG for kubectl access
+5. **Loads images** - Builds and loads Docker images using `make image-load`
+
+## File Structure
+
+Save as `.github/actions/setup-kind-cluster/action.yaml`:
+
+```yaml
+name: 'SetUp kind cluster'
+description: 'Sets up complete testing environment for Kubevela with Go, Kubernetes tools, and Ginkgo framework for E2E testing.'
+
+inputs:
+  k8s-version:
+    description: 'Kubernetes version for the kind cluster'
+    required: false
+    default: 'v1.31.9'
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Kind cluster Setup
+    # ========================================================================
+    - name: Setup KinD
+      run: |
+        go install sigs.k8s.io/kind@v0.29.0
+        kind delete cluster || true
+        kind create cluster --image=kindest/node:${{ inputs.k8s-version }}
+      shell: bash
+
+    - name: Load image
+      run: |
+        mkdir -p $HOME/tmp/
+        TMPDIR=$HOME/tmp/ make image-load
+      shell: bash
+```
--- a/.github/actions/setup-kind-cluster/action.yaml
+++ b/.github/actions/setup-kind-cluster/action.yaml
@ -0,0 +1,36 @@
+name: 'SetUp kind cluster'
+description: 'Sets up a KinD (Kubernetes in Docker) cluster with configurable Kubernetes version and optional cluster naming for testing and development workflows.'
+inputs:
+  k8s-version:
+    description: 'Kubernetes version for the kind cluster'
+    required: false
+    default: 'v1.31.9'
+  name:
+    description: 'Name of the kind cluster'
+    required: false
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Kind cluster Setup
+    # ========================================================================
+    - name: Setup KinD
+      run: |
+        go install sigs.k8s.io/kind@v0.29.0
+        if [ -n "${{ inputs.name }}" ]; then
+          kind delete cluster --name="${{ inputs.name }}" || true
+          kind create cluster --name="${{ inputs.name }}" --image=kindest/node:${{ inputs.k8s-version }}
+          kind export kubeconfig --internal --name="${{ inputs.name }}" --kubeconfig /tmp/${{ inputs.name }}.kubeconfig
+        else
+          kind delete cluster || true
+          kind create cluster --image=kindest/node:${{ inputs.k8s-version }}
+        fi
+      shell: bash
+
+    - name: Load image
+      run: |
+        if [ -z "${{ inputs.name }}" ]; then
+          mkdir -p $HOME/tmp/
+          TMPDIR=$HOME/tmp/ make image-load
+        fi
+      shell: bash
--- a/.github/actions/unit-test/README.md
+++ b/.github/actions/unit-test/README.md
@ -0,0 +1,34 @@
+# Kubevela K8s Upgrade Unit Test Action
+
+A comprehensive GitHub composite action for running KubeVela Kubernetes upgrade unit tests with coverage reporting and failure diagnostics.
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `codecov-token` | Codecov token for uploading coverage reports | ❌ | `''` |
+| `codecov-enable` | Enable Codecov coverage upload (`'true'` or `'false'`) | ❌ | `'false'` |
+| `go-version` | Go version to use for testing | ❌ | `'1.23.8'` |
+
+## Quick Start
+
+### Basic Usage
+
+```yaml
+name: Unit Tests with Coverage
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Run KubeVela Unit Tests
+        uses: viskumar_gwre/kubevela-k8s-upgrade-unit-test-action@v1
+        with:
+          codecov-enable: 'true'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          go-version: '1.23.8'
+```
--- a/.github/actions/unit-test/action.yaml
+++ b/.github/actions/unit-test/action.yaml
@ -0,0 +1,71 @@
+name: 'Kubevela K8s Upgrade Unit Test'
+description: 'Runs Kubevela K8s upgrade unit tests, uploads coverage, and collects diagnostics on failure.'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+      with:
+        install-ginkgo: 'true'
+        install-setup-envtest: 'true'
+        install-kustomize: 'true'
+
+    # ========================================================================
+    # Unit Test Execution
+    # ========================================================================
+    - name: Run unit tests
+      shell: bash
+      run: |
+        echo "Running unit tests..."
+        make test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: ./coverage.txt
+        flags: core-unittests
+        name: codecov-umbrella
+        fail_ci_if_error: false
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Go Environment ---"
+        go version || true
+        go env || true
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
+
+        echo "--- Test Artifacts ---"
+        find . -name "*.log" -o -name "*test*.xml" -o -name "coverage.*" | head -20 || true
--- a/.github/comment.userlist
+++ b/.github/comment.userlist
@ -11,4 +11,7 @@ wangyuan249
 chivalryq
 FogDong
 leejanee
-barnettZQG
+barnettZQG
+anoop2811 
+briankane 
+jguionnet
--- a/.github/workflows/back-port.yml
+++ b/.github/workflows/back-port.yml
@ -17,12 +17,12 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0

      - name: Open Backport PR
-        uses: zeebe-io/backport-action@bf5fdd624b35f95d5b85991a728bd5744e8c6cf2
+        uses: zeebe-io/backport-action@0193454f0c5947491d348f33a275c119f30eb736
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@ -17,7 +17,7 @@ jobs:
      HELM_CHART_NAME: vela-core
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Get git revision
        id: vars
        shell: bash
@ -28,7 +28,7 @@ jobs:
        with:
          version: v3.4.0
      - name: Setup node
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: '14'
      - name: Generate helm doc
@ -47,7 +47,7 @@ jobs:
          chart_smever=${chart_version#"v"}
          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml

-      - uses: jnwng/github-app-installation-token-action@v2
+      - uses: jnwng/github-app-installation-token-action@c54add4c02866dc41e106745ac6dcf5cdd6339e5 # v2
        id: get_app_token
        with:
          appId: 340472
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -23,15 +23,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
-        uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/autobuild@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@ -15,7 +15,7 @@ jobs:
  check:
    runs-on: ubuntu-22.04
    steps:
-      - uses: thehanimo/pr-title-checker@v1.4.0
+      - uses: thehanimo/pr-title-checker@5652588c80c479af803eabfbdb5a3895a77c1388 # v1.4.1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          pass_on_octokit_error: true
--- a/.github/workflows/core-api-test.yml
+++ b/.github/workflows/core-api-test.yml
@ -16,16 +16,16 @@ jobs:
  core-api-test:
    runs-on: ubuntu-22.04
    steps:
-      - name: Set up Go 1.19
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+      - name: Set up Go 1.23.8
+        uses: actions/setup-go@v5
        env:
-          GO_VERSION: '1.19'
+          GO_VERSION: '1.23.8'
        with:
          go-version: ${{ env.GO_VERSION }}
        id: go

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Get the version
        id: get_version
--- a/.github/workflows/definition-lint.yml
+++ b/.github/workflows/definition-lint.yml
@ -16,26 +16,26 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:
  definition-doc:
    runs-on: ubuntu-22.04
    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind create cluster
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: linter

      - name: Definition Doc generate check
        run: |
--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@ -18,7 +18,7 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:

@ -31,7 +31,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@ -39,75 +39,45 @@ jobs:
        continue-on-error: true

  e2e-multi-cluster-tests:
-    runs-on: self-hosted
+    runs-on: ubuntu-22.04
    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ["v1.26"]
+        k8s-version: ["v1.31.9"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

-      - name: Install tools
-        run: |
-          sudo apt-get update
-          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
-          sudo snap install kubectl --classic
-          sudo snap install helm --classic
-
-      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+      - name: Setup worker cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
        with:
-          go-version: ${{ env.GO_VERSION }}
+          name: worker
+          k8s-version: ${{ matrix.k8s-version }}

-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
-      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind delete cluster --name worker || true
-          kind create cluster --name worker --image=kindest/node:v1.26.4
-          kind export kubeconfig --internal --name worker --kubeconfig /tmp/worker.kubeconfig
-          kind delete cluster || true
-          kind create cluster --image=kindest/node:v1.26.4
-
-      - name: Load image
-        run: |
-          mkdir -p $HOME/tmp/ 
-          TMPDIR=$HOME/tmp/ make image-load
-
-      - name: Cleanup for e2e tests
-        run: |
-          make vela-cli
-          make e2e-cleanup
-          make e2e-setup-core-auth
-
-      - name: Run e2e multicluster tests
-        run: |
-          export PATH=$(pwd)/bin:$PATH
-          make e2e-multicluster-test
-
-      - name: Stop kubevela, get profile
-        run: |
-          make end-e2e-core-shards
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
+      - name: Setup master cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
-          flags: e2e-multicluster-test
-          name: codecov-umbrella
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Run upgrade multicluster tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}

      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
+        run: |
+          if [ -f /tmp/e2e-profile.out ]; then
+            rm /tmp/e2e-profile.out
+            echo "E2E profile cleaned"
+          else
+            echo "E2E profile not found, skipping cleanup"
+          fi

      - name: Cleanup image
        if: ${{ always() }}
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@ -18,7 +18,7 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:

@ -31,7 +31,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@ -39,83 +39,40 @@ jobs:
        continue-on-error: true

  e2e-tests:
-    runs-on: self-hosted
+    runs-on: ubuntu-22.04
    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ["v1.26"]
+        k8s-version: ["v1.31"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-
-      - name: Install tools
-        run: |
-          sudo apt-get update
-          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
-          sudo snap install kubectl --classic
-          sudo snap install helm --classic
-
-      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind delete cluster || true
-          kind create cluster
+        uses: ./.github/actions/setup-kind-cluster

-      - name: Get Ginkgo
-        run: |
-          go install github.com/onsi/ginkgo/v2/ginkgo@v2.10.0
-          go get github.com/onsi/gomega/...
-
-      - name: Load image
-        run: |
-          mkdir -p $HOME/tmp/
-          TMPDIR=$HOME/tmp/ make image-load
-
-      - name: Run Make
-        run: make
-
-      - name: Prepare for e2e tests
-        run: |
-          make e2e-cleanup
-          make e2e-setup-core
-          helm test -n vela-system kubevela --timeout 5m
-
-      - name: Run api e2e tests
-        run: make e2e-api-test
-
-      - name: Run addons e2e tests
-        run: make e2e-addon-test
-
-      - name: Run e2e tests
-        run: make e2e-test
-
-      - name: Stop kubevela, get profile
-        run: make end-e2e
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
+      # ========================================================================
+      # E2E Test Execution
+      # ========================================================================
+      - name: Run upgrade e2e tests
+        uses: ./.github/actions/e2e-test
        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out
-          flags: e2etests
-          name: codecov-umbrella
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}

      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
+        run: |
+          if [ -f /tmp/e2e-profile.out ]; then
+            rm /tmp/e2e-profile.out
+            echo "E2E profile cleaned"
+          else
+            echo "E2E profile not found, skipping cleanup"
+          fi

      - name: Cleanup image
        if: ${{ always() }}
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -11,16 +11,15 @@ on:
      - master
      - release-*

-permissions:  # added using https://github.com/step-security/secure-workflows
+permissions: # added using https://github.com/step-security/secure-workflows
  contents: read

 env:
  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
+  GO_VERSION: "1.23.8"
+  GOLANGCI_VERSION: "v1.60.1"

 jobs:
-
  detect-noop:
    runs-on: ubuntu-22.04
    outputs:
@ -30,7 +29,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@ -44,12 +43,12 @@ jobs:

    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

@ -64,17 +63,17 @@ jobs:
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests

    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

@ -83,7 +82,7 @@ jobs:
      # version, but we prefer this action because it leaves 'annotations' (i.e.
      # it comments on PRs to point out linter violations).
      - name: Lint
-        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
+        uses: golangci/golangci-lint-action@v6
        with:
          version: ${{ env.GOLANGCI_VERSION }}

@ -94,41 +93,62 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

-      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Setup node
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
-        with:
-          node-version: '14'
-
-      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Setup KinD
+      - name: Free Disk Space
        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind delete cluster --name kind || true
-          kind create cluster --name kind --image=kindest/node:v1.26.4 --kubeconfig ~/.kube/config
+          echo "Disk space before cleanup:"
+          df -h
+
+          # Remove unnecessary software to free up disk space
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo docker image prune --all --force
+
+          echo "Disk space after cleanup:"
+          df -h
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+        
+      - name: Setup node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: "14"
+
+      - name: Setup kinD
+        uses: ./.github/actions/setup-kind-cluster

      - name: Run cross-build
        run: make cross-build

+      - name: Free Disk Space After Cross-Build
+        run: |
+          echo "Disk space before cleanup:"
+          df -h
+
+          # Remove cross-build artifacts to free up space
+          # (make build will rebuild binaries for current platform)
+          rm -rf _bin
+
+          # Clean Go build cache and test cache
+          go clean -cache -testcache
+
+          # Remove Docker build cache
+          sudo docker builder prune --all --force || true
+
+          echo "Disk space after cleanup:"
+          df -h
+
      - name: Check Diff
        run: |
          export PATH=$(pwd)/bin/:$PATH
          make check-diff
-              
+
      - name: Cleanup binary
        run: make build-cleanup

@ -139,17 +159,17 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@ -170,15 +190,15 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
      - name: Build Test for vela core
-        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          context: .
          file: Dockerfile
@ -190,15 +210,15 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0
-      - name: Build Test for CLI
-        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+      - name: Build Test for CLI 
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          context: .
-          file: Dockerfile.cli
+          file: Dockerfile.cli
--- a/.github/workflows/issue-commands.yml
+++ b/.github/workflows/issue-commands.yml
@ -7,6 +7,7 @@ on:

 permissions:
  contents: read
+  issues: write

 jobs:
  bot:
@ -16,23 +17,23 @@ jobs:
      issues: write
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          repository: "oam-dev/kubevela-github-actions"
          path: ./actions
          ref: v0.4.2
      - name: Setup Node.js
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
        with:
-          node-version: '14'
-          cache: 'npm'
+          node-version: "14"
+          cache: "npm"
          cache-dependency-path: ./actions/package-lock.json
      - name: Install Dependencies
        run: npm ci --production --prefix ./actions
      - name: Run Commands
        uses: ./actions/commands
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GH_KUBEVELA_COMMAND_WORKFLOW }}
          configPath: issue-commands

  backport:
@ -47,14 +48,14 @@ jobs:
        id: command
        uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88
        with:
-          repo-token: ${{ secrets.VELA_BOT_TOKEN }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
          command: backport
          reaction: "true"
          reaction-type: "eyes"
          allow-edits: "false"
          permission-level: read
      - name: Handle Command
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        env:
          VERSION: ${{ steps.command.outputs.command-arguments }}
        with:
@ -75,11 +76,11 @@ jobs:
            })
            console.log("Added '" + label + "' label.")
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0
      - name: Open Backport PR
-        uses: zeebe-io/backport-action@bf5fdd624b35f95d5b85991a728bd5744e8c6cf2
+        uses: zeebe-io/backport-action@0193454f0c5947491d348f33a275c119f30eb736
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
@ -93,7 +94,7 @@ jobs:
      issues: write
    steps:
      - name: Retest the current pull request
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        env:
          PULL_REQUEST_ID: ${{ github.event.issue.number }}
          COMMENT_ID: ${{ github.event.comment.id }}
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@ -9,7 +9,6 @@ on:
    branches:
      - master
      - release-*
-      -
 permissions:
  contents: read

@ -18,9 +17,9 @@ jobs:
    runs-on: ubuntu-22.04
    name: Check for unapproved licenses
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
        with:
          ruby-version: 2.6
      - name: Install dependencies
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@ -1,23 +1,45 @@
 name: Registry
+
 on:
  push:
    branches:
      - master
    tags:
-      - "v*"
+      - 'v*'
  workflow_dispatch: {}

 permissions:
  contents: read

 jobs:
-  publish-core-images:
+  publish-vela-images:
+    name: Build and Push Vela Images
    permissions:
      packages: write
+      id-token: write
+      attestations: write
+      contents: write
    runs-on: ubuntu-22.04
+    outputs:
+      vela_core_image: ${{ steps.meta-vela-core.outputs.image }}
+      vela_core_digest: ${{ steps.meta-vela-core.outputs.digest }}
+      vela_core_dockerhub_image: ${{ steps.meta-vela-core.outputs.dockerhub_image }}
+      vela_cli_image: ${{ steps.meta-vela-cli.outputs.image }}
+      vela_cli_digest: ${{ steps.meta-vela-cli.outputs.digest }}
+      vela_cli_dockerhub_image: ${{ steps.meta-vela-cli.outputs.dockerhub_image }}
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-      - name: Get the version
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.1
+
+      - name: Install Crane
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.1
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # main
+        with:
+          cosign-release: 'v2.5.0'
+
+      - name: Get the image version
        id: get_version
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
@ -25,34 +47,41 @@ jobs:
            VERSION=latest
          fi
          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+
      - name: Get git revision
        id: vars
        shell: bash
        run: |
          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-      - name: Login ghcr.io
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+
+      - name: Login to GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login docker.io
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
-      - uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        with:
          driver-opts: image=moby/buildkit:master

-      - uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
-        name: Build & Pushing vela-core for Dockerhub, GHCR
+      - name: Build & Push Vela Core for Dockerhub, GHCR
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          file: Dockerfile
-          labels: |-
+          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
@ -61,16 +90,55 @@ jobs:
            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
            VERSION=${{ steps.get_version.outputs.VERSION }}
            GOPROXY=https://proxy.golang.org
-          tags: |-
+          tags: |
            docker.io/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
-        name: Build & Pushing CLI for Dockerhub, GHCR
+      - name: Get Vela Core Image Digest
+        id: meta-vela-core
+        run: |
+          GHCR_IMAGE=ghcr.io/${{ github.repository_owner }}/oamdev/vela-core
+          DOCKER_IMAGE=docker.io/oamdev/vela-core
+          TAG=${{ steps.get_version.outputs.VERSION }}
+
+          DIGEST=$(crane digest $GHCR_IMAGE:$TAG)
+
+          echo "image=$GHCR_IMAGE" >> $GITHUB_OUTPUT
+          echo "dockerhub_image=$DOCKER_IMAGE" >> $GITHUB_OUTPUT
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Generate SBOM for Vela Core Image
+        id: generate_vela_core_sbom
+        uses: anchore/sbom-action@v0.17.0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          format: spdx-json
+          artifact-name: sbom-vela-core.spdx.json
+          output-file: ${{ github.workspace }}/sbom-vela-core.spdx.json
+
+      - name: Sign Vela Core Image and Attest SBOM
+        env:
+          COSIGN_EXPERIMENTAL: 'true'
+        run: |
+          echo "signing vela core images..."
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+          cosign sign --yes docker.io/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+          echo "attesting SBOM against the vela core image..."
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-core.spdx.json --type spdx \
+          ghcr.io/${{ github.repository_owner }}/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-core.spdx.json --type spdx \
+          docker.io/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+      - name: Build & Push Vela CLI for Dockerhub, GHCR
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          file: Dockerfile.cli
-          labels: |-
+          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
@ -79,6 +147,100 @@ jobs:
            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
            VERSION=${{ steps.get_version.outputs.VERSION }}
            GOPROXY=https://proxy.golang.org
-          tags: |-
+          tags: |
            docker.io/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+
+      - name: Get Vela CLI Image Digest
+        id: meta-vela-cli
+        run: |
+          GHCR_IMAGE=ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli
+          DOCKER_IMAGE=docker.io/oamdev/vela-cli
+          TAG=${{ steps.get_version.outputs.VERSION }}
+
+          DIGEST=$(crane digest $GHCR_IMAGE:$TAG)
+
+          echo "image=$GHCR_IMAGE" >> $GITHUB_OUTPUT
+          echo "dockerhub_image=$DOCKER_IMAGE" >> $GITHUB_OUTPUT
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Generate SBOM for Vela CLI Image
+        id: generate_sbom
+        uses: anchore/sbom-action@v0.17.0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          format: spdx-json
+          artifact-name: sbom-vela-cli.spdx.json
+          output-file: ${{ github.workspace }}/sbom-vela-cli.spdx.json
+
+      - name: Sign Vela CLI Image and Attest SBOM
+        env:
+          COSIGN_EXPERIMENTAL: 'true'
+        run: |
+          echo "signing vela CLI images..."
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+          cosign sign --yes docker.io/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}      
+
+          echo "attesting SBOM against the vela cli image..."
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-cli.spdx.json --type spdx \
+          ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-cli.spdx.json --type spdx \
+          docker.io/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+
+      - name: Publish SBOMs as release artifacts
+        uses: anchore/sbom-action/publish-sbom@v0.17.0
+
+  provenance-ghcr:
+    name: Generate and Push Provenance to GCHR
+    needs: publish-vela-images
+    if: startsWith(github.ref, 'refs/tags/')
+    strategy:
+      matrix:
+        include:
+          - name: 'Vela Core Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_core_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_core_digest }}
+          - name: 'Vela CLI Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_cli_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_cli_digest }}
+    permissions:
+      id-token: write
+      contents: write
+      actions: read
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 # has to be sem var
+    with:
+      image: ${{ matrix.image }}
+      digest: ${{ matrix.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  provenance-dockerhub:
+    name: Generate and Push Provenance to DockerHub
+    needs: publish-vela-images
+    if: startsWith(github.ref, 'refs/tags/')
+    strategy:
+      matrix:
+        include:
+          - name: 'Vela Core Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_core_dockerhub_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_core_digest }}
+          - name: 'Vela CLI Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_cli_dockerhub_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_cli_digest }}
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ matrix.image }}
+      digest: ${{ matrix.digest }}
+    secrets:
+      registry-username: ${{ secrets.DOCKER_USERNAME }}
+      registry-password: ${{ secrets.DOCKER_PASSWORD }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -4,13 +4,15 @@ on:
  push:
    tags:
      - "v*"
-  workflow_dispatch: { }
+  workflow_dispatch: {}

 permissions:
  contents: read

 jobs:
-  build:
+  goreleaser:
+    name: goreleaser
+    runs-on: ubuntu-22.04
    permissions:
      contents: write
      actions: read
@ -20,27 +22,83 @@ jobs:
      pull-requests: read
      repository-projects: read
      statuses: read
-    runs-on: ubuntu-22.04
-    name: goreleaser
+      id-token: write
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
+      - name: Check disk (before)
+        run: |
+          df -h
+          sudo du -sh /usr/local/lib/android /usr/share/dotnet /opt/ghc || true
+
+      - name: Free Disk Space (Ubuntu)
+        uses: insightsengineering/disk-space-reclaimer@v1
+        with:
+          # this might remove tools that are actually needed,
+          # if set to "true" but frees about 6 GB
+          tools-cache: false
+          # all of these default to true, but feel free to set to
+          # "false" if necessary for your workflow
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+          docker-images: true
+
+      # Extra prune in case your job builds/pulls images
+      - name: Deep Docker prune
+        run: |
+          docker system prune -af || true
+          docker builder prune -af || true
+
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0
-      - run: git fetch --force --tags
+
+      - name: Get Git tags
+        run: git fetch --force --tags
+
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
-          go-version: 1.19
+          go-version: 1.23.8
          cache: true
-      - uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: "v2.5.0"
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          distribution: goreleaser
          version: 1.14.1
          args: release --rm-dist --timeout 60m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate hashes
+        id: hash
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          set -euo pipefail
+          HASHES=$(find dist -type f -exec sha256sum {} \; | base64 -w0)
+          echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"
+
+      - name: Check disk (after)
+        run: df -h
+
  upload-plugin-homebrew:
+    name: upload-sha256sums
+    needs: goreleaser
+    runs-on: ubuntu-22.04
+    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
    permissions:
      contents: write
      actions: read
@ -50,20 +108,22 @@ jobs:
      pull-requests: read
      repository-projects: read
      statuses: read
-    needs: build
-    runs-on: ubuntu-22.04
-    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
-    name: upload-sha256sums
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
      - name: Update kubectl plugin version in krew-index
        uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46
-      - name: Update Homebrew formula
-        uses: dawidd6/action-homebrew-bump-formula@d3667e5ae14df19579e4414897498e3e88f2f458 # v3.10.0
-        with:
-          token: ${{ secrets.HOMEBREW_TOKEN }}
-          formula: kubevela
-          tag: ${{ github.ref }}
-          revision: ${{ github.sha }}
-          force: false
+
+  provenance-vela-bins:
+    name: generate provenance for binaries
+    needs: [goreleaser]
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      id-token: write
+      contents: write
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # has to be sem var
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@ -23,12 +23,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # tag=v2.1.3
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # tag=v2.4.1
        with:
          results_file: results.sarif
          results_format: sarif
@ -47,7 +47,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@134dcf33c0b9454c4b17a936843d7e21dccdc335 # v4.3.6
        with:
          name: SARIF file
          path: results.sarif
@ -55,6 +55,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
        with:
          sarif_file: results.sarif
--- a/.github/workflows/sdk-test.yml
+++ b/.github/workflows/sdk-test.yml
@ -16,28 +16,26 @@ on:
 permissions:
  contents: read

-env:
-  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-
 jobs:
  sdk-tests:
    runs-on: ubuntu-22.04
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

-      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
+      - name: Setup Env
+        uses: ./.github/actions/env-setup

      - name: Install Go tools
        run: |
          make goimports
          make golangci

+      - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: sdk-test
+
      - name: Build CLI
        run: make vela-cli

--- a/.github/workflows/sync-api.yml
+++ b/.github/workflows/sync-api.yml
@ -10,20 +10,15 @@ on:
 permissions:
  contents: read

-env:
-  GO_VERSION: '1.19'
-
 jobs:
  sync-core-api:
    runs-on: ubuntu-22.04
    steps:
-      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup

      - name: Get the version
        id: get_version
--- a/.github/workflows/sync-sdk.yaml
+++ b/.github/workflows/sync-sdk.yaml
@ -14,36 +14,33 @@ on:
 permissions:
  contents: read

-env:
-  GO_VERSION: '1.19'
-
 jobs:
  sync_sdk:
    runs-on: ubuntu-22.04
    steps:
-      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

-      - name: Get the version
-        id: get_version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
+      - name: Env setup
+        uses: ./.github/actions/env-setup

      - name: Install Go tools
        run: |
          make goimports
-          
+
      - name: Build CLI
        run: make vela-cli

+      - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: sync-sdk
+
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF}" >> $GITHUB_OUTPUT
+
      - name: Sync SDK to kubevela/kubevela-go-sdk
        run: bash ./hack/sdk/sync.sh
        env:
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@ -13,21 +13,21 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Build Vela Core image from Dockerfile
        run: |
          docker build --build-arg GOPROXY=https://proxy.golang.org -t docker.io/oamdev/vela-core:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner for vela core
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master
        with:
          image-ref: 'docker.io/oamdev/vela-core:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@ -5,7 +5,7 @@ on:
    branches:
      - master
      - release-*
-  workflow_dispatch: { }
+  workflow_dispatch: {}
  pull_request:
    branches:
      - master
@ -14,22 +14,17 @@ on:
 permissions:
  contents: read

-env:
-  # Common versions
-  GO_VERSION: '1.19'
-
 jobs:
-
  detect-noop:
    permissions:
-      actions: write  # for fkirc/skip-duplicate-actions to skip or stop workflow runs
+      actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
    runs-on: ubuntu-22.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@ -42,48 +37,19 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
-      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

-      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
+      - name: Setup KinD with Kubernetes
+        uses: ./.github/actions/setup-kind-cluster
+
+      - name: Run unit tests
+        uses: ./.github/actions/unit-test
        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Install ginkgo
-        run: |
-          sudo sed -i 's/azure\.//' /etc/apt/sources.list
-          sudo apt-get update
-          sudo apt-get install -y golang-ginkgo-dev
-
-      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind create cluster
-
-      - name: install Kubebuilder
-        uses: RyanSiu1995/kubebuilder-action@ed0e300b13152c2c2bfb104475665c7bf609332f
-        with:
-          version: 3.9.1
-          kubebuilderOnly: false
-          kubernetesVersion: v1.26.2
-
-      - name: Run Make test
-        run: make test
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./coverage.txt
-          flags: core-unittests
-          name: codecov-umbrella
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/upgrade-e2e-multicluster-test.yml
+++ b/.github/workflows/upgrade-e2e-multicluster-test.yml
@ -0,0 +1,98 @@
+# =============================================================================
+# E2E Upgrade Multicluster Test Workflow
+# =============================================================================
+# This workflow performs end-to-end testing for KubeVela multicluster upgrades.
+# It tests the upgrade path from the latest released version to the current
+# development branch across multiple Kubernetes versions.
+#
+# Test Flow:
+# 1. Install latest KubeVela release
+# 2. Build and upgrade to current development version
+# 3. Run multicluster e2e tests to verify functionality
+# =============================================================================
+
+name: E2E Upgrade Multicluster Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Global Environment Variables
+# =============================================================================
+env:
+  GO_VERSION: '1.23.8'  # Go version for building and testing
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-multicluster-tests:
+    name: Upgrade Multicluster Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 60  # Prevent hanging jobs
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Environment Setup
+      # ========================================================================
+
+      - name: Check out repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+
+      - name: Setup worker cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: worker
+
+      - name: Setup KinD master clusters for multicluster testing
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      - name: Run upgarde multicluster tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: false
+          codecov-token: ''
--- a/.github/workflows/upgrade-e2e-test.yml
+++ b/.github/workflows/upgrade-e2e-test.yml
@ -0,0 +1,102 @@
+# =============================================================================
+# Upgrade E2E Test Workflow
+# =============================================================================
+# This workflow performs comprehensive end-to-end testing for KubeVela upgrades.
+# It validates the upgrade path from the latest stable release to the current
+# development version by running multiple test suites including API, addon,
+# and general e2e tests.
+#
+# Test Flow:
+# 1. Install latest KubeVela release
+# 2. Build and upgrade to current development version
+# 3. Run comprehensive e2e test suites (API, addon, general)
+# 4. Validate upgrade functionality and compatibility
+# =============================================================================
+
+name: Upgrade E2E Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Environment Variables
+# =============================================================================
+env:
+  GO_VERSION: '1.23.8'
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-tests:
+    name: Upgrade E2E Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 90  # Extended timeout for comprehensive e2e testing
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Repository Setup
+      # ========================================================================
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+      - name: Setup KinD with Kubernetes ${{ matrix.k8s-version }}
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Build vela CLI
+        run: make vela-cli
+
+      - name: Build kubectl-vela plugin
+        run: make kubectl-vela
+
+      - name: Install kustomize
+        run: make kustomize
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      # ========================================================================
+      # E2E Test Execution
+      # ========================================================================
+      - name: Run upgrade e2e tests
+        uses: ./.github/actions/e2e-test
--- a/.github/workflows/upgrade-unit-test.yml
+++ b/.github/workflows/upgrade-unit-test.yml
@ -0,0 +1,83 @@
+# =============================================================================
+# Upgrade Unit Test Workflow
+# =============================================================================
+# This workflow performs unit testing for KubeVela upgrades by:
+# 1. Installing the latest stable KubeVela release
+# 2. Building and upgrading to the current development version
+# 3. Running unit tests to validate the upgrade functionality
+# =============================================================================
+
+name: Upgrade Unit Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main and release branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-tests:
+    name: Upgrade Unit Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 45  # Prevent hanging jobs
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Environment Setup
+      # ========================================================================
+
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+
+      - name: Setup KinD with Kubernetes ${{ matrix.k8s-version }}
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      - name: Run unit tests
+        uses: ./.github/actions/unit-test
+        with:
+          codecov-enable: false
+          codecov-token: ''
--- a/.github/workflows/webhook-upgrade-validation.yml
+++ b/.github/workflows/webhook-upgrade-validation.yml
@ -0,0 +1,165 @@
+name: Webhook Upgrade Validation
+
+on:
+  push:
+    branches:
+      - master
+      - release-*
+    tags:
+      - v*
+  workflow_dispatch: {}
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: '1.23.8'
+
+jobs:
+  webhook-upgrade-check:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
+      - name: Setup KinD
+        run: |
+          go install sigs.k8s.io/kind@v0.29.0
+          kind delete cluster || true
+          kind create cluster --image=kindest/node:v1.31.9
+
+      - name: Install KubeVela CLI
+        run: curl -fsSL https://kubevela.io/script/install.sh | bash
+
+      - name: Install KubeVela baseline
+        run: |
+          vela install --set featureGates.enableCueValidation=true
+          kubectl wait --namespace vela-system --for=condition=Available deployment/kubevela-vela-core --timeout=300s
+
+      - name: Prepare failing chart changes
+        run: |
+          cat <<'CHART' > charts/vela-core/templates/defwithtemplate/resource.yaml
+          # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+          # Definition source cue file: vela-templates/definitions/internal/resource.cue
+          apiVersion: core.oam.dev/v1beta1
+          kind: TraitDefinition
+          metadata:
+            annotations:
+              definition.oam.dev/description: Add resource requests and limits on K8s pod for your workload which follows the pod spec in path 'spec.template.'
+            name: resource
+            namespace: {{ include "systemDefinitionNamespace" . }}
+          spec:
+            appliesToWorkloads:
+              - deployments.apps
+              - statefulsets.apps
+              - daemonsets.apps
+              - jobs.batch
+              - cronjobs.batch
+            podDisruptive: true
+            schematic:
+              cue:
+                template: |2
+                  let resourceContent = {
+                    resources: {
+                      if parameter.cpu != _|_ if parameter.memory != _|_ if parameter.requests == _|_ if parameter.limits == _|_ {
+                        // +patchStrategy=retainKeys
+                        requests: {
+                          cpu:    parameter.cpu
+                          memory: parameter.memory
+                        }
+                        // +patchStrategy=retainKeys
+                        limits: {
+                          cpu:    parameter.cpu
+                          memory: parameter.memory
+                        }
+                      }
+                      if parameter.requests != _|_ {
+                        // +patchStrategy=retainKeys
+                        requests: {
+                          cpu:    parameter.requests.cpu
+                          memory: parameter.requests.memory
+                        }
+                      }
+                      if parameter.limits != _|_ {
+                        // +patchStrategy=retainKeys
+                        limits: {
+                          cpu:    parameter.limits.cpu
+                          memory: parameter.limits.memory
+                        }
+                      }
+                    }
+                  }
+                  if context.output.spec != _|_ if context.output.spec.template != _|_ {
+                    patch: spec: template: spec: {
+                      // +patchKey=name
+                      containers: [resourceContent]
+                    }
+                  }
+                  if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ {
+                    patch: spec: jobTemplate: spec: template: spec: {
+                      // +patchKey=name
+                      containers: [resourceContent]
+                    }
+                  }
+                  parameter: {
+                    // +usage=Specify the amount of cpu for requests and limits
+                    cpu?: *1 | number | string
+                    // +usage=Specify the amount of memory for requests and limits
+                    memory?: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    // +usage=Specify the resources in requests
+                    requests?: {
+                      // +usage=Specify the amount of cpu for requests
+                      cpu: *1 | number | string
+                      // +usage=Specify the amount of memory for requests
+                      memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    }
+                    // +usage=Specify the resources in limits
+                    limits?: {
+                      // +usage=Specify the amount of cpu for limits
+                      cpu: *1 | number | string
+                      // +usage=Specify the amount of memory for limits
+                      memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    }
+                  }
+
+      - name: Load image
+        run: |
+          mkdir -p $HOME/tmp/
+          TMPDIR=$HOME/tmp/ make image-load
+
+      - name: Run Helm upgrade (expected to fail)
+        run: |
+          set +e
+          helm upgrade \
+            --set image.repository=vela-core-test \
+            --set image.tag=$(git rev-parse --short HEAD) \
+            --set featureGates.enableCueValidation=true \
+            --wait kubevela ./charts/vela-core --debug -n vela-system
+          status=$?
+          echo "Helm upgrade exit code: ${status}"
+          if [ $status -eq 0 ]; then
+            echo "Expected helm upgrade to fail" >&2
+            exit 1
+          fi
+          echo "Helm upgrade failed as expected"
+
+      - name: Dump webhook configurations
+        if: ${{ always() }}
+        run: |
+          kubectl get mutatingwebhookconfiguration kubevela-vela-core-admission -o yaml
+          kubectl get validatingwebhookconfiguration kubevela-vela-core-admission -o yaml
+
+      - name: Verify webhook validation remains active
+        run: ginkgo -v --focus-file requiredparam_validation_test.go ./test/e2e-test
+
+      - name: Cleanup kind cluster
+        if: ${{ always() }}
+        run: kind delete cluster --name kind
--- a/.gitignore
+++ b/.gitignore
@ -35,12 +35,21 @@ vendor/
 .vscode
 .history

+# Debug binaries generated by VS Code/Delve
+__debug_bin*
+*/__debug_bin*
+
+# Webhook certificates generated at runtime
+k8s-webhook-server/
+options.go.bak 
+
 pkg/test/vela
 config/crd/bases
 _tmp/

 references/cmd/cli/fake/source.go
 references/cmd/cli/fake/chart_source.go
+references/vela-sdk-gen/*
 charts/vela-core/crds/_.yaml
 .test_vela
 tmp/
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,18 +1,6 @@
 run:
  timeout: 10m

-  skip-files:
-    - "zz_generated\\..+\\.go$"
-    - ".*_test.go$"
-
-  skip-dirs:
-    - "hack"
-    - "e2e"
-
-output:
-  # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
-  format: colored-line-number
-
 linters-settings:
  errcheck:
    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
@ -23,24 +11,12 @@ linters-settings:
    # default is false: such cases aren't reported by default.
    check-blank: false

-    # [deprecated] comma-separated list of pairs of the form pkg:regex
-    # the regex is used to ignore names within pkg. (default "fmt:.*").
-    # see https://github.com/kisielk/errcheck#the-deprecated-method for details
-    ignore: fmt:.*,io/ioutil:^Read.*
-
  exhaustive:
    # indicates that switch statements are to be considered exhaustive if a
    # 'default' case is present, even if all enum members aren't listed in the
    # switch
    default-signifies-exhaustive: true

-  govet:
-    # report about shadowed variables
-    check-shadowing: false
-
-  revive:
-    # minimal confidence for issues, default is 0.8
-    min-confidence: 0.8

  gofmt:
    # simplify code: gofmt with `-s` option, true by default
@ -55,9 +31,6 @@ linters-settings:
    # minimal code complexity to report, 30 by default (but we recommend 10-20)
    min-complexity: 30

-  maligned:
-    # print struct with more effective memory layout or not, false by default
-    suggest-new: true

  dupl:
    # tokens count to trigger issue, 150 by default
@ -73,13 +46,6 @@ linters-settings:
    # tab width in spaces. Default to 1.
    tab-width: 1

-  unused:
-    # treat code as a program (not a library) and report unused exported identifiers; default is false.
-    # XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
-    # if it's called for subdir of a project it can't find funcs usages. All text editor integrations
-    # with golangci-lint call it on a directory with the changed file.
-    check-exported: false
-
  unparam:
    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
@ -107,9 +73,13 @@ linters-settings:
    # Allow only slices initialized with a length of zero. Default is false.
    always: false

+  revive:
+    rules:
+      - name: unused-parameter
+        disabled: true
+
 linters:
  enable:
-    - megacheck
    - govet
    - gocyclo
    - gocritic
@ -121,11 +91,10 @@ linters:
    - misspell
    - nakedret
    - exportloopref
+    - unused
+    - gosimple
+    - staticcheck
  disable:
-    - deadcode
-    - scopelint
-    - structcheck
-    - varcheck
    - rowserrcheck
    - sqlclosecheck
    - errchkjson
@ -137,8 +106,28 @@ linters:


 issues:
+
+  exclude-files:
+    - "zz_generated\\..+\\.go$"
+    - ".*_test.go$"
+
+  exclude-dirs:
+    - "hack"
+    - "e2e"
+
  # Excluding configuration per-path and per-linter
  exclude-rules:
+    - path: .*\.go
+      linters:
+        - errcheck
+      text: "fmt\\."
+
+    # Ignore unchecked errors from io/ioutil functions starting with Read
+    - path: .*\.go
+      linters:
+        - errcheck
+      text: "io/ioutil.*Read"
+      
    # Exclude some linters from running on tests files.
    - path: _test(ing)?\.go
      linters:
@ -155,6 +144,13 @@ issues:
      linters:
        - gocritic

+    # Gosmopolitan complains of internationalization issues on the file that actually defines
+    # the translation.
+    - path: i18n\.go
+      text: "Han"
+      linters:
+        - gosmopolitan
+
    # These are performance optimisations rather than style issues per se.
    # They warn when function arguments or range values copy a lot of memory
    # rather than using a pointer.
@ -220,7 +216,7 @@ issues:
  new: false

  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
-  max-per-linter: 0
+  max-issues-per-linter: 0

  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
-  max-same-issues: 0
+  max-same-issues: 0
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -31,6 +31,28 @@ builds:
    ldflags:
      - -s -w -X github.com/oam-dev/kubevela/version.VelaVersion={{ .Version }} -X github.com/oam-dev/kubevela/version.GitRevision=git-{{.ShortCommit}}

+sboms:
+  - id: kubevela-binaries-sboms
+    artifacts: binary
+    documents:
+      - "${artifact}-{{ .Version }}-{{ .Os }}-{{ .Arch }}.spdx.sbom.json"
+
+signs:
+  - id: kubevela-cosign-keyless
+    artifacts: checksum # sign the checksum file over individual artifacts
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args:
+      - "sign-blob"
+      - "--yes"
+      - "--output-signature"
+      - "${artifact}-keyless.sig"
+      - "--output-certificate"
+      - "${artifact}-keyless.pem"
+      - "${artifact}"
+    output: true
+
 archives:
  - format: tar.gz
    id: vela-cli-tgz
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,3 +1,3 @@
 # CONTRIBUTING Guide

-Please refer to https://kubevela.io/docs/contributor/overview for details.
+Please refer to https://kubevela.io/docs/contributor/overview for details.
--- a/4
+++ b/4
@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@ -34,7 +34,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # You can replace distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
-FROM ${BASE_IMAGE:-alpine@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501}
+FROM ${BASE_IMAGE:-alpine:3.18}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the cli binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-https://proxy.golang.org}
 WORKDIR /workspace
--- a/Dockerfile.e2e
+++ b/Dockerfile.e2e
@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
--- a/20
+++ b/20
@ -12,7 +12,7 @@ all: build
 # Targets

 ## test: Run tests
-test: unit-test-core test-cli-gen
+test: envtest unit-test-core test-cli-gen
 	@$(OK) unit-tests pass

 ## test-cli-gen: Run the unit tests for cli gen
@ -22,8 +22,8 @@ test-cli-gen:

 ## unit-test-core: Run the unit tests for core
 unit-test-core:
-	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
-	go test $(shell go list ./references/... | grep -v apiserver)
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test $(shell go list ./references/... | grep -v apiserver)

 ## build: Build vela cli binary
 build: vela-cli kubectl-vela
@ -41,9 +41,8 @@ fmt: goimports installcue
 	$(CUE) fmt ./vela-templates/definitions/internal/*
 	$(CUE) fmt ./vela-templates/definitions/deprecated/*
 	$(CUE) fmt ./vela-templates/definitions/registry/*
-	$(CUE) fmt ./pkg/stdlib/pkgs/*
-	$(CUE) fmt ./pkg/stdlib/op.cue
-	$(CUE) fmt ./pkg/workflow/tasks/template/static/*
+	$(CUE) fmt ./pkg/workflow/template/static/*
+	$(CUE) fmt ./pkg/workflow/providers/...

 ## sdk_fmt: Run go fmt against code
 sdk_fmt:
@ -62,11 +61,11 @@ staticcheck: staticchecktool
 ## lint: Run the golangci-lint
 lint: golangci
 	@$(INFO) lint
-	@$(GOLANGCILINT) run --skip-dirs 'scaffold'
+	@GOLANGCILINT=$(GOLANGCILINT) ./hack/utils/golangci-lint-wrapper.sh

 ## reviewable: Run the reviewable
-reviewable: manifests fmt vet lint staticcheck helm-doc-gen sdk_fmt
-	go mod tidy
+## Run make build to compile vela binary before running this target to ensure all generated definitions are up to date.
+reviewable: build manifests fmt vet lint staticcheck helm-doc-gen sdk_fmt

 # check-diff: Execute auto-gen code commands and ensure branch is clean.
 check-diff: reviewable
@ -104,11 +103,10 @@ manager:
 	$(GOBUILD_ENV) go build -o bin/manager -a -ldflags $(LDFLAGS) ./cmd/core/main.go

 ## manifests: Generate manifests e.g. CRD, RBAC etc.
-manifests: installcue kustomize
+manifests: tidy installcue kustomize sync-crds
 	go generate $(foreach t,pkg apis,./$(t)/...)
 	# TODO(yangsoon): kustomize will merge all CRD into a whole file, it may not work if we want patch more than one CRD in this way
 	$(KUSTOMIZE) build config/crd -o config/crd/base/core.oam.dev_applications.yaml
-	./hack/crd/cleanup.sh
 	go run ./hack/crd/dispatch/dispatch.go config/crd/base charts/vela-core/crds
 	rm -f config/crd/base/*
 	./vela-templates/gen_definitions.sh
--- a/README.md
+++ b/README.md
@ -17,7 +17,7 @@
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
 ![E2E status](https://github.com/kubevela/kubevela/workflows/E2E%20Test/badge.svg)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela/badge)](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela/badge)](https://scorecard.dev/viewer/?uri=github.com/kubevela/kubevela)
 [![](https://img.shields.io/badge/KubeVela-Check%20Your%20Contribution-orange)](https://opensource.alibaba.com/contribution_leaderboard/details?projectValue=kubevela)

 ## Introduction
@ -59,6 +59,14 @@ and share the large growing community [addons](https://kubevela.net/docs/referen
 * [Installation](https://kubevela.io/docs/install)
 * [Deploy Your Application](https://kubevela.io/docs/quick-start)

+### Get Your Own Demo with Alibaba Cloud
+
+- install KubeVela on a Serverless K8S cluster in 3 minutes, try:
+
+  <a href="https://acs.console.aliyun.com/quick-deploy?repo=kubevela/kubevela&branch=master" target="_blank">
+    <img src="https://img.alicdn.com/imgextra/i1/O1CN01aiPSuA1Wiz7wkgF5u_!!6000000002823-55-tps-399-70.svg" width="200" alt="Deploy on Alibaba Cloud">
+  </a>
+
 ## Documentation

 Full documentation is available on the [KubeVela website](https://kubevela.io/).
@ -99,7 +107,7 @@ Check out [KubeVela videos](https://kubevela.io/videos/talks/en/oam-dapr) for th

 ## Contributing

-Check out [CONTRIBUTING](https://kubevela.io/docs/contributor/overview) to see how to develop with KubeVela.
+Check out [CONTRIBUTING](https://kubevela.io/docs/contributor/overview) to see how to develop with KubeVela

 ## Report Vulnerability

@ -107,4 +115,4 @@ Security is a first priority thing for us at KubeVela. If you come across a rela

 ## Code of Conduct

-KubeVela adopts [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+KubeVela adopts [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
--- a/apis/core.oam.dev/common/types.go
+++ b/apis/core.oam.dev/common/types.go
@ -135,6 +135,9 @@ type Status struct {
 	// HealthPolicy defines the health check policy for the abstraction
 	// +optional
 	HealthPolicy string `json:"healthPolicy,omitempty"`
+	// Details stores a string representation of a CUE status map to be evaluated at runtime for display
+	// +optional
+	Details string `json:"details,omitempty"`
 }

 // ApplicationPhase is a label for the condition of an application at the current time
@ -172,6 +175,7 @@ type ApplicationComponentStatus struct {
 	// WorkloadDefinition is the definition of a WorkloadDefinition, such as deployments/apps.v1
 	WorkloadDefinition WorkloadGVK              `json:"workloadDefinition,omitempty"`
 	Healthy            bool                     `json:"healthy"`
+	Details            map[string]string        `json:"details,omitempty"`
 	Message            string                   `json:"message,omitempty"`
 	Traits             []ApplicationTraitStatus `json:"traits,omitempty"`
 	Scopes             []corev1.ObjectReference `json:"scopes,omitempty"`
@ -185,9 +189,10 @@ func (in ApplicationComponentStatus) Equal(r ApplicationComponentStatus) bool {

 // ApplicationTraitStatus records the trait health status
 type ApplicationTraitStatus struct {
-	Type    string `json:"type"`
-	Healthy bool   `json:"healthy"`
-	Message string `json:"message,omitempty"`
+	Type    string            `json:"type"`
+	Healthy bool              `json:"healthy"`
+	Details map[string]string `json:"details,omitempty"`
+	Message string            `json:"message,omitempty"`
 }

 // Revision has name and revision number
--- a/apis/core.oam.dev/common/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/common/zz_generated.deepcopy.go
@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
@ -131,10 +130,19 @@ func (in *ApplicationComponent) DeepCopy() *ApplicationComponent {
 func (in *ApplicationComponentStatus) DeepCopyInto(out *ApplicationComponentStatus) {
 	*out = *in
 	out.WorkloadDefinition = in.WorkloadDefinition
+	if in.Details != nil {
+		in, out := &in.Details, &out.Details
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	if in.Traits != nil {
 		in, out := &in.Traits, &out.Traits
 		*out = make([]ApplicationTraitStatus, len(*in))
-		copy(*out, *in)
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 	if in.Scopes != nil {
 		in, out := &in.Scopes, &out.Scopes
@ -176,6 +184,13 @@ func (in *ApplicationTrait) DeepCopy() *ApplicationTrait {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationTraitStatus) DeepCopyInto(out *ApplicationTraitStatus) {
 	*out = *in
+	if in.Details != nil {
+		in, out := &in.Details, &out.Details
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationTraitStatus.
--- a/apis/core.oam.dev/condition/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/condition/zz_generated.deepcopy.go
@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
@ -102,16 +102,16 @@ func (in *GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstruct
 }

 // FindDeleteOption find delete option for target resource
-func (in *GarbageCollectPolicySpec) FindDeleteOption(manifest *unstructured.Unstructured) []client.DeleteOption {
+func (in *GarbageCollectPolicySpec) FindDeleteOption(manifest *unstructured.Unstructured) (bool, []client.DeleteOption) {
 	for _, rule := range in.Rules {
 		if rule.Selector.Match(manifest) && rule.Propagation != nil {
 			switch *rule.Propagation {
 			case GarbageCollectPropagationOrphan:
-				return []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationOrphan)}
+				return true, []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationOrphan)}
 			case GarbageCollectPropagationCascading:
-				return []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationBackground)}
+				return false, []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationBackground)}
 			}
 		}
 	}
-	return nil
+	return false, nil
 }
--- a/apis/core.oam.dev/v1alpha1/register.go
+++ b/apis/core.oam.dev/v1alpha1/register.go
@ -60,3 +60,8 @@ func init() {
 	SchemeBuilder.Register(&workflowv1alpha1.Workflow{}, &workflowv1alpha1.WorkflowList{})
 	_ = SchemeBuilder.AddToScheme(k8sscheme.Scheme)
 }
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
--- a/apis/core.oam.dev/v1alpha1/resource_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/resource_policy_types.go
@ -18,7 +18,7 @@ package v1alpha1

 import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	stringslices "k8s.io/utils/strings/slices"

 	"github.com/oam-dev/kubevela/pkg/oam"
@ -52,7 +52,7 @@ func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured)
 		if len(src) == 0 {
 			return nil
 		}
-		return pointer.Bool(val != "" && stringslices.Contains(src, val))
+		return ptr.To(val != "" && stringslices.Contains(src, val))
 	}
 	conditions := []*bool{
 		match(in.CompNames, compName),
--- a/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
--- a/apis/core.oam.dev/v1beta1/componentdefinition_types.go
+++ b/apis/core.oam.dev/v1beta1/componentdefinition_types.go
@ -27,6 +27,9 @@ import (

 // ComponentDefinitionSpec defines the desired state of ComponentDefinition
 type ComponentDefinitionSpec struct {
+	// +optional
+	Version string `json:"version,omitempty"`
+
 	// Workload is a workload type descriptor
 	Workload common.WorkloadTypeDescriptor `json:"workload"`

--- a/apis/core.oam.dev/v1beta1/core_types.go
+++ b/apis/core.oam.dev/v1beta1/core_types.go
@ -164,6 +164,9 @@ type TraitDefinitionSpec struct {
 	// pre-process and post-process respectively.
 	// +optional
 	Stage StageType `json:"stage,omitempty"`
+
+	// +optional
+	Version string `json:"version,omitempty"`
 }

 // StageType describes how the manifests should be dispatched.
--- a/apis/core.oam.dev/v1beta1/policy_definition.go
+++ b/apis/core.oam.dev/v1beta1/policy_definition.go
@ -37,6 +37,9 @@ type PolicyDefinitionSpec struct {
 	// ManageHealthCheck means the policy will handle health checking and skip application controller
 	// built-in health checking.
 	ManageHealthCheck bool `json:"manageHealthCheck,omitempty"`
+
+	//+optional
+	Version string `json:"version,omitempty"`
 }

 // PolicyDefinitionStatus is the status of PolicyDefinition
--- a/apis/core.oam.dev/v1beta1/register.go
+++ b/apis/core.oam.dev/v1beta1/register.go
@ -49,6 +49,7 @@ var (
 	ComponentDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: ComponentDefinitionKind}.String()
 	ComponentDefinitionKindAPIVersion   = ComponentDefinitionKind + "." + SchemeGroupVersion.String()
 	ComponentDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(ComponentDefinitionKind)
+	ComponentDefinitionGVR              = SchemeGroupVersion.WithResource("componentdefinitions")
 )

 // WorkloadDefinition type metadata.
@ -65,6 +66,7 @@ var (
 	TraitDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: TraitDefinitionKind}.String()
 	TraitDefinitionKindAPIVersion   = TraitDefinitionKind + "." + SchemeGroupVersion.String()
 	TraitDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(TraitDefinitionKind)
+	TraitDefinitionGVR              = SchemeGroupVersion.WithResource("traitdefinitions")
 )

 // PolicyDefinition type metadata.
@ -73,6 +75,7 @@ var (
 	PolicyDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: PolicyDefinitionKind}.String()
 	PolicyDefinitionKindAPIVersion   = PolicyDefinitionKind + "." + SchemeGroupVersion.String()
 	PolicyDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(PolicyDefinitionKind)
+	PolicyDefinitionGVR              = SchemeGroupVersion.WithResource("policydefinitions")
 )

 // WorkflowStepDefinition type metadata.
@ -81,6 +84,7 @@ var (
 	WorkflowStepDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: WorkflowStepDefinitionKind}.String()
 	WorkflowStepDefinitionKindAPIVersion   = WorkflowStepDefinitionKind + "." + SchemeGroupVersion.String()
 	WorkflowStepDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(WorkflowStepDefinitionKind)
+	WorkflowStepDefinitionGVR              = SchemeGroupVersion.WithResource("workflowstepdefinitions")
 )

 // DefinitionRevision type metadata.
@ -115,6 +119,20 @@ var (
 	ResourceTrackerKindVersionKind = SchemeGroupVersion.WithKind(ResourceTrackerKind)
 )

+// DefinitionTypeInfo contains the mapping information for a definition type
+type DefinitionTypeInfo struct {
+	GVR  schema.GroupVersionResource
+	Kind string
+}
+
+// DefinitionTypeMap maps definition types to their corresponding GVR and Kind
+var DefinitionTypeMap = map[reflect.Type]DefinitionTypeInfo{
+	reflect.TypeOf(ComponentDefinition{}):    {GVR: ComponentDefinitionGVR, Kind: ComponentDefinitionKind},
+	reflect.TypeOf(TraitDefinition{}):        {GVR: TraitDefinitionGVR, Kind: TraitDefinitionKind},
+	reflect.TypeOf(PolicyDefinition{}):       {GVR: PolicyDefinitionGVR, Kind: PolicyDefinitionKind},
+	reflect.TypeOf(WorkflowStepDefinition{}): {GVR: WorkflowStepDefinitionGVR, Kind: WorkflowStepDefinitionKind},
+}
+
 func init() {
 	SchemeBuilder.Register(&ComponentDefinition{}, &ComponentDefinitionList{})
 	SchemeBuilder.Register(&WorkloadDefinition{}, &WorkloadDefinitionList{})
--- a/apis/core.oam.dev/v1beta1/register_test.go
+++ b/apis/core.oam.dev/v1beta1/register_test.go
@ -0,0 +1,117 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func TestDefinitionTypeMap(t *testing.T) {
+	tests := []struct {
+		name         string
+		defType      reflect.Type
+		expectedGVR  schema.GroupVersionResource
+		expectedKind string
+	}{
+		{
+			name:         "ComponentDefinition",
+			defType:      reflect.TypeOf(ComponentDefinition{}),
+			expectedGVR:  ComponentDefinitionGVR,
+			expectedKind: ComponentDefinitionKind,
+		},
+		{
+			name:         "TraitDefinition",
+			defType:      reflect.TypeOf(TraitDefinition{}),
+			expectedGVR:  TraitDefinitionGVR,
+			expectedKind: TraitDefinitionKind,
+		},
+		{
+			name:         "PolicyDefinition",
+			defType:      reflect.TypeOf(PolicyDefinition{}),
+			expectedGVR:  PolicyDefinitionGVR,
+			expectedKind: PolicyDefinitionKind,
+		},
+		{
+			name:         "WorkflowStepDefinition",
+			defType:      reflect.TypeOf(WorkflowStepDefinition{}),
+			expectedGVR:  WorkflowStepDefinitionGVR,
+			expectedKind: WorkflowStepDefinitionKind,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			info, ok := DefinitionTypeMap[tt.defType]
+			assert.Truef(t, ok, "Type %v should exist in DefinitionTypeMap", tt.defType)
+			assert.Equal(t, tt.expectedGVR, info.GVR)
+			assert.Equal(t, tt.expectedKind, info.Kind)
+
+			// Verify GVR follows Kubernetes conventions
+			assert.Equal(t, Group, info.GVR.Group)
+			assert.Equal(t, Version, info.GVR.Version)
+			// Resource should be lowercase plural of Kind
+			assert.Equal(t, strings.ToLower(info.Kind)+"s", info.GVR.Resource)
+		})
+	}
+}
+
+func TestDefinitionTypeMapCompleteness(t *testing.T) {
+	// Ensure all expected definition types are in the map
+	expectedTypes := []reflect.Type{
+		reflect.TypeOf(ComponentDefinition{}),
+		reflect.TypeOf(TraitDefinition{}),
+		reflect.TypeOf(PolicyDefinition{}),
+		reflect.TypeOf(WorkflowStepDefinition{}),
+	}
+
+	assert.Equal(t, len(expectedTypes), len(DefinitionTypeMap), "DefinitionTypeMap should contain exactly %d entries", len(expectedTypes))
+
+	for _, expectedType := range expectedTypes {
+		_, ok := DefinitionTypeMap[expectedType]
+		assert.Truef(t, ok, "DefinitionTypeMap should contain %v", expectedType)
+	}
+}
+
+func TestDefinitionKindValues(t *testing.T) {
+	// Verify that the Kind values match the actual type names
+	tests := []struct {
+		defType      interface{}
+		expectedKind string
+	}{
+		{ComponentDefinition{}, "ComponentDefinition"},
+		{TraitDefinition{}, "TraitDefinition"},
+		{PolicyDefinition{}, "PolicyDefinition"},
+		{WorkflowStepDefinition{}, "WorkflowStepDefinition"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.expectedKind, func(t *testing.T) {
+			actualKind := reflect.TypeOf(tt.defType).Name()
+			assert.Equal(t, tt.expectedKind, actualKind)
+
+			// Also verify it matches what's in the map
+			info, ok := DefinitionTypeMap[reflect.TypeOf(tt.defType)]
+			assert.True(t, ok)
+			assert.Equal(t, tt.expectedKind, info.Kind)
+		})
+	}
+}
--- a/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
+++ b/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
@ -31,7 +31,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/pkg/oam"
@ -133,7 +133,7 @@ func TestManagedResourceKeys(t *testing.T) {
 	r.Equal("cluster/component", input.ComponentKey())
 	r.Equal("Deployment name (Cluster: cluster, Namespace: namespace)", input.DisplayName())
 	var deploy1, deploy2 appsv1.Deployment
-	deploy1.Spec.Replicas = pointer.Int32(5)
+	deploy1.Spec.Replicas = ptr.To(int32(5))
 	bs, err := json.Marshal(deploy1)
 	r.NoError(err)
 	r.ErrorIs(input.UnmarshalTo(&deploy2), errors.ManagedResourceHasNoDataError{})
@ -168,7 +168,7 @@ func TestResourceTracker_ManagedResource(t *testing.T) {
 	pod3 := corev1.Pod{ObjectMeta: metav1.ObjectMeta{Name: "pod3"}}
 	input.AddManagedResource(&pod3, false, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
-	deploy1.Spec.Replicas = pointer.Int32(5)
+	deploy1.Spec.Replicas = ptr.To(int32(5))
 	input.AddManagedResource(&deploy1, false, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
 	input.DeleteManagedResource(&cm2, false)
@ -203,7 +203,7 @@ func TestResourceTrackerCompression(t *testing.T) {
 		"../../../charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml",
 		"../../../charts/vela-core/templates/kubevela-controller.yaml",
 		"../../../charts/vela-core/README.md",
-		"../../../pkg/velaql/providers/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",
+		"../../../pkg/workflow/providers/legacy/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",
 	}
 	for _, p := range paths {
 		b, err := os.ReadFile(p)
--- a/apis/core.oam.dev/v1beta1/workflow_step_definition.go
+++ b/apis/core.oam.dev/v1beta1/workflow_step_definition.go
@ -33,6 +33,9 @@ type WorkflowStepDefinitionSpec struct {
 	// Only CUE schematic is supported for now.
 	// +optional
 	Schematic *common.Schematic `json:"schematic,omitempty"`
+
+	// +optional
+	Version string `json:"version,omitempty"`
 }

 // WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
--- a/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
@ -147,7 +146,8 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 			if val == nil {
 				(*out)[key] = nil
 			} else {
-				in, out := &val, &outVal
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
 				*out = new(ComponentDefinition)
 				(*in).DeepCopyInto(*out)
 			}
@ -169,7 +169,8 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 			if val == nil {
 				(*out)[key] = nil
 			} else {
-				in, out := &val, &outVal
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
 				*out = new(TraitDefinition)
 				(*in).DeepCopyInto(*out)
 			}
@ -191,7 +192,8 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 			if val == nil {
 				(*out)[key] = nil
 			} else {
-				in, out := &val, &outVal
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
 				*out = new(WorkflowStepDefinition)
 				(*in).DeepCopyInto(*out)
 			}
@ -550,6 +552,22 @@ func (in *DefinitionRevisionSpec) DeepCopy() *DefinitionRevisionSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DefinitionTypeInfo) DeepCopyInto(out *DefinitionTypeInfo) {
+	*out = *in
+	out.GVR = in.GVR
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefinitionTypeInfo.
+func (in *DefinitionTypeInfo) DeepCopy() *DefinitionTypeInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(DefinitionTypeInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ManagedResource) DeepCopyInto(out *ManagedResource) {
 	*out = *in
--- a/apis/types/capability.go
+++ b/apis/types/capability.go
@ -32,22 +32,6 @@ type CRDInfo struct {
 	Kind       string `json:"kind"`
 }

-// Chart defines all necessary information to install a whole chart
-type Chart struct {
-	Repo      string                 `json:"repo"`
-	URL       string                 `json:"url"`
-	Name      string                 `json:"name"`
-	Namespace string                 `json:"namespace,omitempty"`
-	Version   string                 `json:"version"`
-	Values    map[string]interface{} `json:"values"`
-}
-
-// Installation defines the installation method for this Capability, currently only helm is supported
-type Installation struct {
-	Helm Chart `json:"helm"`
-	// TODO(wonderflow) add raw yaml file support for install capability
-}
-
 // CapType defines the type of capability
 type CapType string

@ -107,7 +91,6 @@ type Capability struct {
 	CueTemplateURI string             `json:"templateURI,omitempty"`
 	Parameters     []Parameter        `json:"parameters,omitempty"`
 	CrdName        string             `json:"crdName,omitempty"`
-	Center         string             `json:"center,omitempty"`
 	Status         string             `json:"status,omitempty"`
 	Description    string             `json:"description,omitempty"`
 	Example        string             `json:"example,omitempty"`
@ -121,8 +104,7 @@ type Capability struct {
 	Namespace string `json:"namespace,omitempty"`

 	// Plugin Source
-	Source  *Source  `json:"source,omitempty"`
-	CrdInfo *CRDInfo `json:"crdInfo,omitempty"`
+	Source *Source `json:"source,omitempty"`

 	// Terraform
 	TerraformConfiguration string `json:"terraformConfiguration,omitempty"`
--- a/apis/types/componentmanifest.go
+++ b/apis/types/componentmanifest.go
@ -26,13 +26,8 @@ type ComponentManifest struct {
 	Namespace    string
 	RevisionName string
 	RevisionHash string
-	// StandardWorkload contains K8s resource generated from "output" block of ComponentDefinition
-	StandardWorkload *unstructured.Unstructured
-	// Traits contains both resources generated from "outputs" block of ComponentDefinition and resources generated from TraitDefinition
-	Traits []*unstructured.Unstructured
-
-	// PackagedWorkloadResources contain all the workload related resources. It could be a Helm
-	// Release, Git Repo or anything that can package and run a workload.
-	PackagedWorkloadResources []*unstructured.Unstructured
-	PackagedTraitResources    map[string][]*unstructured.Unstructured
+	// ComponentOutput contains K8s resource generated from "output" block of ComponentDefinition
+	ComponentOutput *unstructured.Unstructured
+	// ComponentOutputsAndTraits contains both resources generated from "outputs" block of ComponentDefinition and resources generated from TraitDefinition
+	ComponentOutputsAndTraits []*unstructured.Unstructured
 }
--- a/charts/vela-core/README.md
+++ b/charts/vela-core/README.md
@ -25,7 +25,7 @@ multi-cloud environments. At the mean time, it is highly extensible and programm
 ## TL;DR

 ```bash
-helm repo add kubevela https://charts.kubevela.net/core
+helm repo add kubevela https://kubevela.github.io/charts
 helm repo update
 helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wait
 ```
@ -48,12 +48,14 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai

 ### KubeVela workflow parameters

-| Name                                   | Description                                            | Value   |
-| -------------------------------------- | ------------------------------------------------------ | ------- |
-| `workflow.enableSuspendOnFailure`      | Enable suspend on workflow failure                     | `false` |
-| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`    |
-| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
-| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |
+| Name                                                    | Description                                             | Value   |
+| ------------------------------------------------------- | ------------------------------------------------------- | ------- |
+| `workflow.enableSuspendOnFailure`                       | Enable suspend on workflow failure                      | `false` |
+| `workflow.enableExternalPackageForDefaultCompiler`      | Enable external package for default cuex compiler       | `true`  |
+| `workflow.enableExternalPackageWatchForDefaultCompiler` | Enable external package watch for default cuex compiler | `false` |
+| `workflow.backoff.maxTime.waitState`                    | The max backoff time of workflow in a wait condition    | `60`    |
+| `workflow.backoff.maxTime.failedState`                  | The max backoff time of workflow in a failed condition  | `300`   |
+| `workflow.step.errorRetryTimes`                         | The max retry times of a failed workflow step           | `10`    |

 ### KubeVela controller parameters

@ -96,26 +98,31 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `featureGates.informerCacheFilterUnnecessaryFields`          | filter unnecessary fields for informer cache                                                                                                                                                                                     | `true`  |
 | `featureGates.sharedDefinitionStorageForApplicationRevision` | use definition cache to reduce duplicated definition storage for application revision, must be used with InformerCacheFilterUnnecessaryFields                                                                                    | `true`  |
 | `featureGates.disableWorkflowContextConfigMapCache`          | disable the workflow context's configmap informer cache                                                                                                                                                                          | `true`  |
+| `featureGates.enableCueValidation`                           | enable the strict cue validation for cue required parameter fields                                                                                                                                                               | `false` |
+| `featureGates.enableApplicationStatusMetrics`                | enable application status metrics and structured logging                                                                                                                                                                         | `false` |
+| `featureGates.validateResourcesExist`                        | enable webhook validation to check if resource types referenced in definition templates exist in the cluster                                                                                                                     | `false` |

 ### MultiCluster parameters

-| Name                                                        | Description                                                                                 | Value                            |
-| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------- |
-| `multicluster.enabled`                                      | Whether to enable multi-cluster                                                             | `true`                           |
-| `multicluster.metrics.enabled`                              | Whether to enable multi-cluster metrics collect                                             | `false`                          |
-| `multicluster.clusterGateway.direct`                        | controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer | `true`                           |
-| `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                                                                | `1`                              |
-| `multicluster.clusterGateway.port`                          | ClusterGateway port                                                                         | `9443`                           |
-| `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                                                             | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                                                                    | `v1.9.0-alpha.2`                 |
-| `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                                                            | `IfNotPresent`                   |
-| `multicluster.clusterGateway.resources.requests.cpu`        | ClusterGateway cpu request                                                                  | `50m`                            |
-| `multicluster.clusterGateway.resources.requests.memory`     | ClusterGateway memory request                                                               | `20Mi`                           |
-| `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                                                                    | `500m`                           |
-| `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                                                                 | `200Mi`                          |
-| `multicluster.clusterGateway.secureTLS.enabled`             | Whether to enable secure TLS                                                                | `true`                           |
-| `multicluster.clusterGateway.secureTLS.certPath`            | Path to the certificate file                                                                | `/etc/k8s-cluster-gateway-certs` |
-| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager                                                              | `false`                          |
+| Name                                                          | Description                                                                                 | Value                            |
+| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------- |
+| `multicluster.enabled`                                        | Whether to enable multi-cluster                                                             | `true`                           |
+| `multicluster.metrics.enabled`                                | Whether to enable multi-cluster metrics collect                                             | `false`                          |
+| `multicluster.clusterGateway.direct`                          | controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer | `true`                           |
+| `multicluster.clusterGateway.replicaCount`                    | ClusterGateway replica count                                                                | `1`                              |
+| `multicluster.clusterGateway.port`                            | ClusterGateway port                                                                         | `9443`                           |
+| `multicluster.clusterGateway.image.repository`                | ClusterGateway image repository                                                             | `oamdev/cluster-gateway`         |
+| `multicluster.clusterGateway.image.tag`                       | ClusterGateway image tag                                                                    | `v1.9.0-alpha.2`                 |
+| `multicluster.clusterGateway.image.pullPolicy`                | ClusterGateway image pull policy                                                            | `IfNotPresent`                   |
+| `multicluster.clusterGateway.resources.requests.cpu`          | ClusterGateway cpu request                                                                  | `50m`                            |
+| `multicluster.clusterGateway.resources.requests.memory`       | ClusterGateway memory request                                                               | `20Mi`                           |
+| `multicluster.clusterGateway.resources.limits.cpu`            | ClusterGateway cpu limit                                                                    | `500m`                           |
+| `multicluster.clusterGateway.resources.limits.memory`         | ClusterGateway memory limit                                                                 | `200Mi`                          |
+| `multicluster.clusterGateway.secureTLS.enabled`               | Whether to enable secure TLS                                                                | `true`                           |
+| `multicluster.clusterGateway.secureTLS.certPath`              | Path to the certificate file                                                                | `/etc/k8s-cluster-gateway-certs` |
+| `multicluster.clusterGateway.secureTLS.certManager.enabled`   | Whether to enable cert-manager                                                              | `false`                          |
+| `multicluster.clusterGateway.serviceMonitor.enabled`          | Whether to enable service monitor                                                           | `false`                          |
+| `multicluster.clusterGateway.serviceMonitor.additionalLabels` | Additional labels for service monitor                                                       | `{}`                             |

 ### Test parameters

@ -128,29 +135,35 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai

 ### Common parameters

-| Name                          | Description                                                                                                                                                        | Value                |
-| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
-| `imagePullSecrets`            | Image pull secrets                                                                                                                                                 | `[]`                 |
-| `nameOverride`                | Override name                                                                                                                                                      | `""`                 |
-| `fullnameOverride`            | Fullname override                                                                                                                                                  | `""`                 |
-| `serviceAccount.create`       | Specifies whether a service account should be created                                                                                                              | `true`               |
-| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                                                          | `{}`                 |
-| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template                                             | `nil`                |
-| `nodeSelector`                | Node selector                                                                                                                                                      | `{}`                 |
-| `tolerations`                 | Tolerations                                                                                                                                                        | `[]`                 |
-| `affinity`                    | Affinity                                                                                                                                                           | `{}`                 |
-| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                                                                    | `true`               |
-| `logDebug`                    | Enable debug logs for development purpose                                                                                                                          | `false`              |
-| `logFilePath`                 | If non-empty, write log files in this path                                                                                                                         | `""`                 |
-| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.                                         | `1024`               |
-| `kubeClient.qps`              | The qps for reconcile clients                                                                                                                                      | `400`                |
-| `kubeClient.burst`            | The burst for reconcile clients                                                                                                                                    | `600`                |
-| `authentication.enabled`      | Enable authentication for application                                                                                                                              | `false`              |
-| `authentication.withUser`     | Application authentication will impersonate as the request User                                                                                                    | `true`               |
-| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                                                         | `kubevela:vela-core` |
-| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                                                          | `kubevela:*`         |
-| `sharding.enabled`            | When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details. | `false`              |
-| `sharding.schedulableShards`  | The shards available for scheduling. If empty, dynamic discovery will be used.                                                                                     | `""`                 |
+| Name                                           | Description                                                                                                                                                        | Value                |
+| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
+| `imagePullSecrets`                             | Image pull secrets                                                                                                                                                 | `[]`                 |
+| `nameOverride`                                 | Override name                                                                                                                                                      | `""`                 |
+| `fullnameOverride`                             | Fullname override                                                                                                                                                  | `""`                 |
+| `serviceAccount.create`                        | Specifies whether a service account should be created                                                                                                              | `true`               |
+| `serviceAccount.annotations`                   | Annotations to add to the service account                                                                                                                          | `{}`                 |
+| `serviceAccount.name`                          | The name of the service account to use. If not set and create is true, a name is generated using the fullname template                                             | `nil`                |
+| `nodeSelector`                                 | Node selector                                                                                                                                                      | `{}`                 |
+| `tolerations`                                  | Tolerations                                                                                                                                                        | `[]`                 |
+| `affinity`                                     | Affinity                                                                                                                                                           | `{}`                 |
+| `rbac.create`                                  | Specifies whether a RBAC role should be created                                                                                                                    | `true`               |
+| `logDebug`                                     | Enable debug logs for development purpose                                                                                                                          | `false`              |
+| `devLogs`                                      | Enable formatted logging support for development purpose                                                                                                           | `false`              |
+| `logFilePath`                                  | If non-empty, write log files in this path                                                                                                                         | `""`                 |
+| `logFileMaxSize`                               | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.                                         | `1024`               |
+| `admissionWebhookTimeout`                      | Timeout seconds for admission webhooks                                                                                                                             | `10`                 |
+| `kubeClient.qps`                               | The qps for reconcile clients                                                                                                                                      | `400`                |
+| `kubeClient.burst`                             | The burst for reconcile clients                                                                                                                                    | `600`                |
+| `authentication.enabled`                       | Enable authentication framework for applications                                                                                                                   | `false`              |
+| `authentication.withUser`                      | Application authentication will impersonate as the request User (must be true for security)                                                                        | `true`               |
+| `authentication.defaultUser`                   | Application authentication will impersonate as the User if no user provided or withUser is false                                                                   | `kubevela:vela-core` |
+| `authentication.groupPattern`                  | Application authentication will impersonate as the request Group that matches the pattern                                                                          | `kubevela:*`         |
+| `authorization.definitionValidationEnabled`    | Enable definition permission validation for RBAC checks on definitions                                                                                             | `false`              |
+| `sharding.enabled`                             | When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details. | `false`              |
+| `sharding.schedulableShards`                   | The shards available for scheduling. If empty, dynamic discovery will be used.                                                                                     | `""`                 |
+| `core.metrics.enabled`                         | Enable metrics for vela-core                                                                                                                                       | `false`              |
+| `core.metrics.serviceMonitor.enabled`          | Enable service monitor for metrics                                                                                                                                 | `false`              |
+| `core.metrics.serviceMonitor.additionalLabels` | Additional labels for service monitor                                                                                                                              | `{}`                 |


 ## Uninstallation
@ -186,6 +199,21 @@ if [ $fluxcd ]; then
 fi
 ```

+Make sure all existing KubeVela resources deleted before uninstallation:
+```shell
+kubectl delete applicationrevisions.core.oam.dev --all
+kubectl delete applications.core.oam.dev --all
+kubectl delete componentdefinitions.core.oam.dev --all
+kubectl delete definitionrevisions.core.oam.dev --all
+kubectl delete policies.core.oam.dev --all
+kubectl delete policydefinitions.core.oam.dev --all
+kubectl delete resourcetrackers.core.oam.dev --all
+kubectl delete traitdefinitions.core.oam.dev --all
+kubectl delete workflows.core.oam.dev --all
+kubectl delete workflowstepdefinitions.core.oam.dev --all
+kubectl delete workloaddefinitions.core.oam.dev --all
+```
+
 To uninstall the KubeVela helm release:

 ```shell
--- a/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
--- a/charts/vela-core/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applications.yaml
@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  annotations:
    cert-manager.io/inject-ca-from: vela-system/kubevela-vela-core-root-cert
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: applications.core.oam.dev
 spec:
  group: core.oam.dev
@ -44,14 +44,19 @@ spec:
        description: Application is the Schema for the applications API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -104,10 +109,9 @@ spec:
                    scopes:
                      additionalProperties:
                        type: string
-                      description: scopes in ApplicationComponent defines the component-level
-                        scopes the format is <scope-type:scope-instance-name> pairs,
-                        the key represents type of `ScopeDefinition` while the value
-                        represent the name of scope instance.
+                      description: |-
+                        scopes in ApplicationComponent defines the component-level scopes
+                        the format is <scope-type:scope-instance-name> pairs, the key represents type of `ScopeDefinition` while the value represent the name of scope instance.
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    traits:
@ -133,10 +137,10 @@ spec:
                  type: object
                type: array
              policies:
-                description: Policies defines the global policies for all components
-                  in the app, e.g. security, metrics, gitops, multi-cluster placement
-                  rules, etc. Policies are applied after components are rendered and
-                  before workflow steps are executed.
+                description: |-
+                  Policies defines the global policies for all components in the app, e.g. security, metrics, gitops,
+                  multi-cluster placement rules, etc.
+                  Policies are applied after components are rendered and before workflow steps are executed.
                items:
                  description: AppPolicy defines a global policy for all components
                    in the app.
@ -155,11 +159,12 @@ spec:
                  type: object
                type: array
              workflow:
-                description: 'Workflow defines how to customize the control logic.
-                  If workflow is specified, Vela won''t apply any resource, but provide
-                  rendered output in AppRevision. Workflow steps are executed in array
-                  order, and each step: - will have a context in annotation. - should
-                  mark "finish" phase in status.conditions.'
+                description: |-
+                  Workflow defines how to customize the control logic.
+                  If workflow is specified, Vela won't apply any resource, but provide rendered output in AppRevision.
+                  Workflow steps are executed in array order, and each step:
+                  - will have a context in annotation.
+                  - should mark "finish" phase in status.conditions.
                properties:
                  mode:
                    description: WorkflowExecuteMode defines the mode of workflow
@ -332,33 +337,39 @@ spec:
                    creator:
                      type: string
                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
                      type: string
                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
@ -367,63 +378,46 @@ spec:
                description: Components record the related Components created by Application
                  Controller
                items:
-                  description: "ObjectReference contains enough information to let
-                    you inspect or modify the referred object. --- New uses of this
-                    type are discouraged because of difficulty describing its usage
-                    when embedded in APIs. 1. Ignored fields.  It includes many fields
-                    which are not generally honored.  For instance, ResourceVersion
-                    and FieldPath are both very rarely valid in actual usage. 2. Invalid
-                    usage help.  It is impossible to add specific help for individual
-                    usage.  In most embedded usages, there are particular restrictions
-                    like, \"must refer only to types A and B\" or \"UID not honored\"
-                    or \"name must be restricted\". Those cannot be well described
-                    when embedded. 3. Inconsistent validation.  Because the usages
-                    are different, the validation rules are different by usage, which
-                    makes it hard for users to predict what will happen. 4. The fields
-                    are both imprecise and overly precise.  Kind is not a precise
-                    mapping to a URL. This can produce ambiguity during interpretation
-                    and require a REST mapping.  In most cases, the dependency is
-                    on the group,resource tuple and the version of the actual struct
-                    is irrelevant. 5. We cannot easily change it.  Because this type
-                    is embedded in many locations, updates to this type will affect
-                    numerous schemas.  Don't make new APIs embed an underspecified
-                    API type they do not control. \n Instead of using this type, create
-                    a locally provided and used type that is well-focused on your
-                    reference. For example, ServiceReferences for admission registration:
-                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                    ."
+                  description: ObjectReference contains enough information to let
+                    you inspect or modify the referred object.
                  properties:
                    apiVersion:
                      description: API version of the referent.
                      type: string
                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
                      type: string
                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
@ -434,13 +428,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@ -451,8 +447,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
@ -482,10 +479,13 @@ spec:
                format: int64
                type: integer
              policy:
-                description: PolicyStatus records the status of policy Deprecated
-                  This field is only used by EnvBinding Policy which is deprecated.
+                description: |-
+                  PolicyStatus records the status of policy
+                  Deprecated This field is only used by EnvBinding Policy which is deprecated.
                items:
-                  description: PolicyStatus records the status of policy Deprecated
+                  description: |-
+                    PolicyStatus records the status of policy
+                    Deprecated
                  properties:
                    name:
                      type: string
@ -507,6 +507,10 @@ spec:
                  properties:
                    cluster:
                      type: string
+                    details:
+                      additionalProperties:
+                        type: string
+                      type: object
                    env:
                      type: string
                    healthy:
@ -519,66 +523,46 @@ spec:
                      type: string
                    scopes:
                      items:
-                        description: "ObjectReference contains enough information
-                          to let you inspect or modify the referred object. --- New
-                          uses of this type are discouraged because of difficulty
-                          describing its usage when embedded in APIs. 1. Ignored fields.
-                          \ It includes many fields which are not generally honored.
-                          \ For instance, ResourceVersion and FieldPath are both very
-                          rarely valid in actual usage. 2. Invalid usage help.  It
-                          is impossible to add specific help for individual usage.
-                          \ In most embedded usages, there are particular restrictions
-                          like, \"must refer only to types A and B\" or \"UID not
-                          honored\" or \"name must be restricted\". Those cannot be
-                          well described when embedded. 3. Inconsistent validation.
-                          \ Because the usages are different, the validation rules
-                          are different by usage, which makes it hard for users to
-                          predict what will happen. 4. The fields are both imprecise
-                          and overly precise.  Kind is not a precise mapping to a
-                          URL. This can produce ambiguity during interpretation and
-                          require a REST mapping.  In most cases, the dependency is
-                          on the group,resource tuple and the version of the actual
-                          struct is irrelevant. 5. We cannot easily change it.  Because
-                          this type is embedded in many locations, updates to this
-                          type will affect numerous schemas.  Don't make new APIs
-                          embed an underspecified API type they do not control. \n
-                          Instead of using this type, create a locally provided and
-                          used type that is well-focused on your reference. For example,
-                          ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                          ."
+                        description: ObjectReference contains enough information to
+                          let you inspect or modify the referred object.
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
-                            description: 'If referring to a piece of an object instead
-                              of an entire object, this string should contain a valid
-                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
-                              For example, if the object reference is to a container
-                              within a pod, this would take on a value like: "spec.containers{name}"
-                              (where "name" refers to the name of the container that
-                              triggered the event) or if no container name is specified
-                              "spec.containers[2]" (container with index 2 in this
-                              pod). This syntax is chosen only to have some well-defined
-                              way of referencing a part of an object. TODO: this design
-                              is not final and this field is subject to change in
-                              the future.'
+                            description: |-
+                              If referring to a piece of an object instead of an entire object, this string
+                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container within a pod, this would take on a value like:
+                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                              the event) or if no container name is specified "spec.containers[2]" (container with
+                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                              referencing a part of an object.
                            type: string
                          kind:
-                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
-                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
-                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
-                            description: 'Specific resourceVersion to which this reference
-                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            description: |-
+                              Specific resourceVersion to which this reference is made, if any.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
-                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            description: |-
+                              UID of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
@ -588,6 +572,10 @@ spec:
                        description: ApplicationTraitStatus records the trait health
                          status
                        properties:
+                          details:
+                            additionalProperties:
+                              type: string
+                            type: object
                          healthy:
                            type: boolean
                          message:
@ -626,63 +614,46 @@ spec:
                  appRevision:
                    type: string
                  contextBackend:
-                    description: "ObjectReference contains enough information to let
-                      you inspect or modify the referred object. --- New uses of this
-                      type are discouraged because of difficulty describing its usage
-                      when embedded in APIs. 1. Ignored fields.  It includes many
-                      fields which are not generally honored.  For instance, ResourceVersion
-                      and FieldPath are both very rarely valid in actual usage. 2.
-                      Invalid usage help.  It is impossible to add specific help for
-                      individual usage.  In most embedded usages, there are particular
-                      restrictions like, \"must refer only to types A and B\" or \"UID
-                      not honored\" or \"name must be restricted\". Those cannot be
-                      well described when embedded. 3. Inconsistent validation.  Because
-                      the usages are different, the validation rules are different
-                      by usage, which makes it hard for users to predict what will
-                      happen. 4. The fields are both imprecise and overly precise.
-                      \ Kind is not a precise mapping to a URL. This can produce ambiguity
-                      during interpretation and require a REST mapping.  In most cases,
-                      the dependency is on the group,resource tuple and the version
-                      of the actual struct is irrelevant. 5. We cannot easily change
-                      it.  Because this type is embedded in many locations, updates
-                      to this type will affect numerous schemas.  Don't make new APIs
-                      embed an underspecified API type they do not control. \n Instead
-                      of using this type, create a locally provided and used type
-                      that is well-focused on your reference. For example, ServiceReferences
-                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                      ."
+                    description: ObjectReference contains enough information to let
+                      you inspect or modify the referred object.
                    properties:
                      apiVersion:
                        description: API version of the referent.
                        type: string
                      fieldPath:
-                        description: 'If referring to a piece of an object instead
-                          of an entire object, this string should contain a valid
-                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
-                          For example, if the object reference is to a container within
-                          a pod, this would take on a value like: "spec.containers{name}"
-                          (where "name" refers to the name of the container that triggered
-                          the event) or if no container name is specified "spec.containers[2]"
-                          (container with index 2 in this pod). This syntax is chosen
-                          only to have some well-defined way of referencing a part
-                          of an object. TODO: this design is not final and this field
-                          is subject to change in the future.'
+                        description: |-
+                          If referring to a piece of an object instead of an entire object, this string
+                          should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within a pod, this would take on a value like:
+                          "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]" (container with
+                          index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                          referencing a part of an object.
                        type: string
                      kind:
-                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        description: |-
+                          Kind of the referent.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                        type: string
                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        type: string
                      namespace:
-                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        description: |-
+                          Namespace of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                        type: string
                      resourceVersion:
-                        description: 'Specific resourceVersion to which this reference
-                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        description: |-
+                          Specific resourceVersion to which this reference is made, if any.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                        type: string
                      uid:
-                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        description: |-
+                          UID of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                        type: string
                    type: object
                    x-kubernetes-map-type: atomic
--- a/charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: componentdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@ -32,14 +32,19 @@ spec:
          API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -76,14 +81,14 @@ spec:
                type: object
                x-kubernetes-preserve-unknown-fields: true
              podSpecPath:
-                description: PodSpecPath indicates where/if this workload has K8s
-                  podSpec field if one workload has podSpec, trait can do lot's of
-                  assumption such as port, env, volume fields.
+                description: |-
+                  PodSpecPath indicates where/if this workload has K8s podSpec field
+                  if one workload has podSpec, trait can do lot's of assumption such as port, env, volume fields.
                type: string
              revisionLabel:
-                description: RevisionLabel indicates which label for underlying resources(e.g.
-                  pods) of this workload can be used by trait to create resource selectors(e.g.
-                  label selector for pods).
+                description: |-
+                  RevisionLabel indicates which label for underlying resources(e.g. pods) of this workload
+                  can be used by trait to create resource selectors(e.g. label selector for pods).
                type: string
              schematic:
                description: Schematic defines the data format and template of the
@ -93,10 +98,9 @@ spec:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
@ -159,11 +163,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@ -186,11 +190,17 @@ spec:
                    description: CustomStatus defines the custom status message that
                      could display to user
                    type: string
+                  details:
+                    description: Details stores a string representation of a CUE status
+                      map to be evaluated at runtime for display
+                    type: string
                  healthPolicy:
                    description: HealthPolicy defines the health check policy for
                      the abstraction
                    type: string
                type: object
+              version:
+                type: string
              workload:
                description: Workload is a workload type descriptor
                properties:
@ -222,13 +232,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@ -239,8 +251,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: definitionrevisions.core.oam.dev
 spec:
  group: core.oam.dev
@ -34,14 +34,19 @@ spec:
        description: DefinitionRevision is the Schema for the DefinitionRevision API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -53,16 +58,19 @@ spec:
                  ComponentDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@ -117,14 +125,14 @@ spec:
                        type: object
                        x-kubernetes-preserve-unknown-fields: true
                      podSpecPath:
-                        description: PodSpecPath indicates where/if this workload
-                          has K8s podSpec field if one workload has podSpec, trait
-                          can do lot's of assumption such as port, env, volume fields.
+                        description: |-
+                          PodSpecPath indicates where/if this workload has K8s podSpec field
+                          if one workload has podSpec, trait can do lot's of assumption such as port, env, volume fields.
                        type: string
                      revisionLabel:
-                        description: RevisionLabel indicates which label for underlying
-                          resources(e.g. pods) of this workload can be used by trait
-                          to create resource selectors(e.g. label selector for pods).
+                        description: |-
+                          RevisionLabel indicates which label for underlying resources(e.g. pods) of this workload
+                          can be used by trait to create resource selectors(e.g. label selector for pods).
                        type: string
                      schematic:
                        description: Schematic defines the data format and template
@ -134,10 +142,9 @@ spec:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
@ -202,12 +209,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@ -230,11 +236,17 @@ spec:
                            description: CustomStatus defines the custom status message
                              that could display to user
                            type: string
+                          details:
+                            description: Details stores a string representation of
+                              a CUE status map to be evaluated at runtime for display
+                            type: string
                          healthPolicy:
                            description: HealthPolicy defines the health check policy
                              for the abstraction
                            type: string
                        type: object
+                      version:
+                        type: string
                      workload:
                        description: Workload is a workload type descriptor
                        properties:
@ -266,14 +278,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@ -284,9 +297,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
@ -330,16 +343,19 @@ spec:
                  PolicyDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@ -372,31 +388,30 @@ spec:
                            description: Name of the referenced CustomResourceDefinition.
                            type: string
                          version:
-                            description: Version indicate which version should be
-                              used if CRD has multiple versions by default it will
-                              use the first one if not specified
+                            description: |-
+                              Version indicate which version should be used if CRD has multiple versions
+                              by default it will use the first one if not specified
                            type: string
                        required:
                        - name
                        type: object
                      manageHealthCheck:
-                        description: ManageHealthCheck means the policy will handle
-                          health checking and skip application controller built-in
-                          health checking.
+                        description: |-
+                          ManageHealthCheck means the policy will handle health checking and skip application controller
+                          built-in health checking.
                        type: boolean
                      schematic:
-                        description: Schematic defines the data format and template
-                          of the encapsulation of the policy definition. Only CUE
-                          schematic is supported for now.
+                        description: |-
+                          Schematic defines the data format and template of the encapsulation of the policy definition.
+                          Only CUE schematic is supported for now.
                        properties:
                          cue:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
@ -461,12 +476,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@ -481,6 +495,8 @@ spec:
                            - configuration
                            type: object
                        type: object
+                      version:
+                        type: string
                    type: object
                  status:
                    description: PolicyDefinitionStatus is the status of PolicyDefinition
@ -491,14 +507,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@ -509,9 +526,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
@ -555,16 +572,19 @@ spec:
                  TraitDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@ -590,21 +610,25 @@ spec:
                      a TraitDefinition.
                    properties:
                      appliesToWorkloads:
-                        description: AppliesToWorkloads specifies the list of workload
-                          kinds this trait applies to. Workload kinds are specified
-                          in resource.group/version format, e.g. server.core.oam.dev/v1alpha2.
-                          Traits that omit this field apply to all workload kinds.
+                        description: |-
+                          AppliesToWorkloads specifies the list of workload kinds this trait
+                          applies to. Workload kinds are specified in resource.group/version format,
+                          e.g. server.core.oam.dev/v1alpha2. Traits that omit this field apply to
+                          all workload kinds.
                        items:
                          type: string
                        type: array
                      conflictsWith:
-                        description: 'ConflictsWith specifies the list of traits(CRD
-                          name, Definition name, CRD group) which could not apply
-                          to the same workloads with this trait. Traits that omit
-                          this field can work with any other traits. Example rules:
-                          "service" # Trait definition name "services.k8s.io" # API
-                          resource/crd name "*.networking.k8s.io" # API group "labelSelector:foo=bar"
-                          # label selector labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse'
+                        description: |-
+                          ConflictsWith specifies the list of traits(CRD name, Definition name, CRD group)
+                          which could not apply to the same workloads with this trait.
+                          Traits that omit this field can work with any other traits.
+                          Example rules:
+                          "service" # Trait definition name
+                          "services.k8s.io" # API resource/crd name
+                          "*.networking.k8s.io" # API group
+                          "labelSelector:foo=bar" # label selector
+                          labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse
                        items:
                          type: string
                        type: array
@ -620,9 +644,9 @@ spec:
                            description: Name of the referenced CustomResourceDefinition.
                            type: string
                          version:
-                            description: Version indicate which version should be
-                              used if CRD has multiple versions by default it will
-                              use the first one if not specified
+                            description: |-
+                              Version indicate which version should be used if CRD has multiple versions
+                              by default it will use the first one if not specified
                            type: string
                        required:
                        - name
@ -645,18 +669,17 @@ spec:
                          component revision
                        type: boolean
                      schematic:
-                        description: Schematic defines the data format and template
-                          of the encapsulation of the trait. Only CUE and Kube schematic
-                          are supported for now.
+                        description: |-
+                          Schematic defines the data format and template of the encapsulation of the trait.
+                          Only CUE and Kube schematic are supported for now.
                        properties:
                          cue:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
@ -721,12 +744,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@ -742,10 +764,10 @@ spec:
                            type: object
                        type: object
                      stage:
-                        description: Stage defines the stage information to which
-                          this trait resource processing belongs. Currently, PreDispatch
-                          and PostDispatch are provided, which are used to control
-                          resource pre-process and post-process respectively.
+                        description: |-
+                          Stage defines the stage information to which this trait resource processing belongs.
+                          Currently, PreDispatch and PostDispatch are provided, which are used to control resource
+                          pre-process and post-process respectively.
                        type: string
                      status:
                        description: Status defines the custom health policy and status
@ -755,11 +777,17 @@ spec:
                            description: CustomStatus defines the custom status message
                              that could display to user
                            type: string
+                          details:
+                            description: Details stores a string representation of
+                              a CUE status map to be evaluated at runtime for display
+                            type: string
                          healthPolicy:
                            description: HealthPolicy defines the health check policy
                              for the abstraction
                            type: string
                        type: object
+                      version:
+                        type: string
                      workloadRefPath:
                        description: WorkloadRefPath indicates where/if a trait accepts
                          a workloadRef object
@ -774,14 +802,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@ -792,9 +821,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
@ -830,16 +859,19 @@ spec:
                  WorkflowStepDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@ -872,26 +904,25 @@ spec:
                            description: Name of the referenced CustomResourceDefinition.
                            type: string
                          version:
-                            description: Version indicate which version should be
-                              used if CRD has multiple versions by default it will
-                              use the first one if not specified
+                            description: |-
+                              Version indicate which version should be used if CRD has multiple versions
+                              by default it will use the first one if not specified
                            type: string
                        required:
                        - name
                        type: object
                      schematic:
-                        description: Schematic defines the data format and template
-                          of the encapsulation of the workflow step definition. Only
-                          CUE schematic is supported for now.
+                        description: |-
+                          Schematic defines the data format and template of the encapsulation of the workflow step definition.
+                          Only CUE schematic is supported for now.
                        properties:
                          cue:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
@ -956,12 +987,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@ -976,6 +1006,8 @@ spec:
                            - configuration
                            type: object
                        type: object
+                      version:
+                        type: string
                    type: object
                  status:
                    description: WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
@ -986,14 +1018,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@ -1004,9 +1037,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_policies.yaml
+++ b/charts/vela-core/crds/core.oam.dev_policies.yaml
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: policies.core.oam.dev
 spec:
  group: core.oam.dev
@ -26,14 +26,19 @@ spec:
        description: Policy is the Schema for the policy API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
--- a/charts/vela-core/crds/core.oam.dev_policydefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_policydefinitions.yaml
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: policydefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@ -24,14 +24,19 @@ spec:
        description: PolicyDefinition is the Schema for the policydefinitions API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -46,30 +51,30 @@ spec:
                    description: Name of the referenced CustomResourceDefinition.
                    type: string
                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
+                    description: |-
+                      Version indicate which version should be used if CRD has multiple versions
+                      by default it will use the first one if not specified
                    type: string
                required:
                - name
                type: object
              manageHealthCheck:
-                description: ManageHealthCheck means the policy will handle health
-                  checking and skip application controller built-in health checking.
+                description: |-
+                  ManageHealthCheck means the policy will handle health checking and skip application controller
+                  built-in health checking.
                type: boolean
              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the policy definition. Only CUE schematic is supported
-                  for now.
+                description: |-
+                  Schematic defines the data format and template of the encapsulation of the policy definition.
+                  Only CUE schematic is supported for now.
                properties:
                  cue:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
@ -132,11 +137,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@ -151,6 +156,8 @@ spec:
                    - configuration
                    type: object
                type: object
+              version:
+                type: string
            type: object
          status:
            description: PolicyDefinitionStatus is the status of PolicyDefinition
@ -161,13 +168,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@ -178,8 +187,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_resourcetrackers.yaml
+++ b/charts/vela-core/crds/core.oam.dev_resourcetrackers.yaml
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: resourcetrackers.core.oam.dev
 spec:
  group: core.oam.dev
@ -38,14 +38,19 @@ spec:
          resources
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -83,33 +88,37 @@ spec:
                      description: Deleted marks the resource to be deleted
                      type: boolean
                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
                      type: string
                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    raw:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    skipGC:
                      description: SkipGC marks the resource to skip gc
@ -117,7 +126,9 @@ spec:
                    trait:
                      type: string
                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
--- a/charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: traitdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@ -28,20 +28,26 @@ spec:
    name: v1beta1
    schema:
      openAPIV3Schema:
-        description: A TraitDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM trait kind by referencing its CustomResourceDefinition. The
-          CRD is used to validate the schema of the trait when it is embedded in an
-          OAM ApplicationConfiguration.
+        description: |-
+          A TraitDefinition registers a kind of Kubernetes custom resource as a valid
+          OAM trait kind by referencing its CustomResourceDefinition. The CRD is used
+          to validate the schema of the trait when it is embedded in an OAM
+          ApplicationConfiguration.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -49,20 +55,25 @@ spec:
            description: A TraitDefinitionSpec defines the desired state of a TraitDefinition.
            properties:
              appliesToWorkloads:
-                description: AppliesToWorkloads specifies the list of workload kinds
-                  this trait applies to. Workload kinds are specified in resource.group/version
-                  format, e.g. server.core.oam.dev/v1alpha2. Traits that omit this
-                  field apply to all workload kinds.
+                description: |-
+                  AppliesToWorkloads specifies the list of workload kinds this trait
+                  applies to. Workload kinds are specified in resource.group/version format,
+                  e.g. server.core.oam.dev/v1alpha2. Traits that omit this field apply to
+                  all workload kinds.
                items:
                  type: string
                type: array
              conflictsWith:
-                description: 'ConflictsWith specifies the list of traits(CRD name,
-                  Definition name, CRD group) which could not apply to the same workloads
-                  with this trait. Traits that omit this field can work with any other
-                  traits. Example rules: "service" # Trait definition name "services.k8s.io"
-                  # API resource/crd name "*.networking.k8s.io" # API group "labelSelector:foo=bar"
-                  # label selector labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse'
+                description: |-
+                  ConflictsWith specifies the list of traits(CRD name, Definition name, CRD group)
+                  which could not apply to the same workloads with this trait.
+                  Traits that omit this field can work with any other traits.
+                  Example rules:
+                  "service" # Trait definition name
+                  "services.k8s.io" # API resource/crd name
+                  "*.networking.k8s.io" # API group
+                  "labelSelector:foo=bar" # label selector
+                  labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse
                items:
                  type: string
                type: array
@ -78,9 +89,9 @@ spec:
                    description: Name of the referenced CustomResourceDefinition.
                    type: string
                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
+                    description: |-
+                      Version indicate which version should be used if CRD has multiple versions
+                      by default it will use the first one if not specified
                    type: string
                required:
                - name
@ -103,18 +114,17 @@ spec:
                  revision
                type: boolean
              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the trait. Only CUE and Kube schematic are supported
-                  for now.
+                description: |-
+                  Schematic defines the data format and template of the encapsulation of the trait.
+                  Only CUE and Kube schematic are supported for now.
                properties:
                  cue:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
@ -177,11 +187,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@ -197,10 +207,10 @@ spec:
                    type: object
                type: object
              stage:
-                description: Stage defines the stage information to which this trait
-                  resource processing belongs. Currently, PreDispatch and PostDispatch
-                  are provided, which are used to control resource pre-process and
-                  post-process respectively.
+                description: |-
+                  Stage defines the stage information to which this trait resource processing belongs.
+                  Currently, PreDispatch and PostDispatch are provided, which are used to control resource
+                  pre-process and post-process respectively.
                type: string
              status:
                description: Status defines the custom health policy and status message
@ -210,11 +220,17 @@ spec:
                    description: CustomStatus defines the custom status message that
                      could display to user
                    type: string
+                  details:
+                    description: Details stores a string representation of a CUE status
+                      map to be evaluated at runtime for display
+                    type: string
                  healthPolicy:
                    description: HealthPolicy defines the health check policy for
                      the abstraction
                    type: string
                type: object
+              version:
+                type: string
              workloadRefPath:
                description: WorkloadRefPath indicates where/if a trait accepts a
                  workloadRef object
@ -229,13 +245,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@ -246,8 +264,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_workflows.yaml
+++ b/charts/vela-core/crds/core.oam.dev_workflows.yaml
@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.9.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: workflows.core.oam.dev
 spec:
  group: core.oam.dev
@ -23,14 +22,19 @@ spec:
        description: Workflow is the Schema for the workflow API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -59,6 +63,7 @@ spec:
                inputs:
                  description: Inputs is the inputs of the step
                  items:
+                    description: InputItem defines an input variable of WorkflowStep
                    properties:
                      from:
                        type: string
@ -66,7 +71,6 @@ spec:
                        type: string
                    required:
                    - from
-                    - parameterKey
                    type: object
                  type: array
                meta:
@ -75,12 +79,18 @@ spec:
                    alias:
                      type: string
                  type: object
+                mode:
+                  description: Mode is only valid for sub steps, it defines the mode
+                    of the sub steps
+                  nullable: true
+                  type: string
                name:
                  description: Name is the unique name of the workflow step.
                  type: string
                outputs:
                  description: Outputs is the outputs of the step
                  items:
+                    description: OutputItem defines an output variable of WorkflowStep
                    properties:
                      name:
                        type: string
@ -110,6 +120,7 @@ spec:
                      inputs:
                        description: Inputs is the inputs of the step
                        items:
+                          description: InputItem defines an input variable of WorkflowStep
                          properties:
                            from:
                              type: string
@ -117,7 +128,6 @@ spec:
                              type: string
                          required:
                          - from
-                          - parameterKey
                          type: object
                        type: array
                      meta:
@ -132,6 +142,7 @@ spec:
                      outputs:
                        description: Outputs is the outputs of the step
                        items:
+                          description: OutputItem defines an output variable of WorkflowStep
                          properties:
                            name:
                              type: string
@ -153,7 +164,6 @@ spec:
                        description: Type is the type of the workflow step.
                        type: string
                    required:
-                    - name
                    - type
                    type: object
                  type: array
@ -164,7 +174,6 @@ spec:
                  description: Type is the type of the workflow step.
                  type: string
              required:
-              - name
              - type
              type: object
            type: array
--- a/charts/vela-core/crds/core.oam.dev_workflowstepdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_workflowstepdefinitions.yaml
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: workflowstepdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@ -25,14 +25,19 @@ spec:
          API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@ -47,26 +52,25 @@ spec:
                    description: Name of the referenced CustomResourceDefinition.
                    type: string
                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
+                    description: |-
+                      Version indicate which version should be used if CRD has multiple versions
+                      by default it will use the first one if not specified
                    type: string
                required:
                - name
                type: object
              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the workflow step definition. Only CUE schematic
-                  is supported for now.
+                description: |-
+                  Schematic defines the data format and template of the encapsulation of the workflow step definition.
+                  Only CUE schematic is supported for now.
                properties:
                  cue:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
@ -129,11 +133,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@ -148,6 +152,8 @@ spec:
                    - configuration
                    type: object
                type: object
+              version:
+                type: string
            type: object
          status:
            description: WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
@ -158,13 +164,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@ -175,8 +183,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/cue.oam.dev_packages.yaml
+++ b/charts/vela-core/crds/cue.oam.dev_packages.yaml
@ -0,0 +1,81 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  name: packages.cue.oam.dev
+spec:
+  group: cue.oam.dev
+  names:
+    kind: Package
+    listKind: PackageList
+    plural: packages
+    shortNames:
+    - pkg
+    - cpkg
+    - cuepkg
+    - cuepackage
+    singular: package
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.path
+      name: PATH
+      type: string
+    - jsonPath: .spec.provider.protocol
+      name: PROTO
+      type: string
+    - jsonPath: .spec.provider.endpoint
+      name: ENDPOINT
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Package is an extension for cuex engine
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PackageSpec the spec for Package
+            properties:
+              path:
+                type: string
+              provider:
+                description: Provider the external Provider in Package for cuex to
+                  run functions
+                properties:
+                  endpoint:
+                    type: string
+                  protocol:
+                    description: ProviderProtocol the protocol type for external Provider
+                    type: string
+                required:
+                - endpoint
+                - protocol
+                type: object
+              templates:
+                additionalProperties:
+                  type: string
+                type: object
+            required:
+            - path
+            - templates
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
--- a/charts/vela-core/templates/NOTES.txt
+++ b/charts/vela-core/templates/NOTES.txt
@ -29,3 +29,36 @@ Welcome to use the KubeVela! Enjoy your shipping application journey!


 You can refer to https://kubevela.io for more details.
+
+{{- if and .Values.authentication.enabled (not .Values.authentication.withUser) }}
+
+WARNING: Authentication is enabled but withUser is disabled.
+   This configuration provides NO security benefit:
+   - All applications will run as '{{ .Values.authentication.defaultUser }}' regardless of who creates them
+   - User groups matching '{{ .Values.authentication.groupPattern }}' are still collected but not used effectively
+   - Service account annotations are blocked
+   
+   To enable true user impersonation for security:
+     --set authentication.withUser=true
+{{- end }}
+
+{{- if and (not .Values.authorization.definitionValidationEnabled) (not .Values.authentication.enabled) }}
+
+SECURITY RECOMMENDATION: Both authentication and definition validation are disabled.
+   If KubeVela is running with cluster-admin or other high-level permissions,
+   consider enabling one or both security features:
+
+   1. Authentication with impersonation (recommended for multi-tenant environments):
+      --set authentication.enabled=true 
+      --set authentication.withUser=true
+      This makes KubeVela impersonate the requesting user, applying their RBAC permissions.
+      Note: Both flags must be enabled for user impersonation to work.
+
+   2. Definition permission validation (lightweight RBAC for definitions):
+      --set authorization.definitionValidationEnabled=true
+      This ensures users can only reference definitions they have access to.
+
+   Using both features together provides defense in depth.
+   Without these protections, users can leverage KubeVela's permissions to deploy
+   resources beyond their intended access level.
+{{- end }}
--- a/charts/vela-core/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/clusterrole.yaml
@ -4,7 +4,7 @@ kind: ClusterRole
 metadata:
  name:  {{ template "kubevela.fullname" . }}-admission
  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission
--- a/charts/vela-core/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@ -4,7 +4,7 @@ kind: ClusterRoleBinding
 metadata:
  name:  {{ template "kubevela.fullname" . }}-admission
  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission
--- a/charts/vela-core/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/job-createSecret.yaml
@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name:  {{ template "kubevela.fullname" . }}-admission-create
+  name: {{ template "kubevela.fullname" . }}-admission-create
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
@ -17,7 +17,7 @@ spec:
  {{- end }}
  template:
    metadata:
-      name:  {{ template "kubevela.fullname" . }}-admission-create
+      name: {{ template "kubevela.fullname" . }}-admission-create
      labels:
        app: {{ template "kubevela.name" . }}-admission-create
        {{- include "kubevela.labels" . | nindent 8 }}
@ -39,17 +39,26 @@ spec:
            - --cert-name=tls.crt
      restartPolicy: OnFailure
      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
-      {{- with .Values.admissionWebhooks.patch.nodeSelector }}
+      {{- if .Values.admissionWebhooks.patch.nodeSelector }}
      nodeSelector:
-      {{- toYaml . | nindent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+      {{- else if .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.nodeSelector | nindent 8 }}
      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.affinity }}
+      {{- if .Values.admissionWebhooks.patch.affinity }}
      affinity:
-{{ toYaml . | indent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.affinity | nindent 8 }}
+      {{- else if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.tolerations }}
+      {{- if .Values.admissionWebhooks.patch.tolerations }}
      tolerations:
-{{ toYaml . | indent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.tolerations | nindent 8 }}
+      {{- else if .Values.tolerations }}
+      tolerations:
+      {{- toYaml .Values.tolerations | nindent 8 }}
      {{- end }}
      securityContext:
        runAsGroup: 2000
--- a/charts/vela-core/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@ -2,10 +2,10 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name:  {{ template "kubevela.fullname" . }}-admission-patch
+  name: {{ template "kubevela.fullname" . }}-admission-patch
  namespace: {{ .Release.Namespace }}
  annotations:
-    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook": post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission-patch
@ -17,7 +17,7 @@ spec:
  {{- end }}
  template:
    metadata:
-      name:  {{ template "kubevela.fullname" . }}-admission-patch
+      name: {{ template "kubevela.fullname" . }}-admission-patch
      labels:
        app: {{ template "kubevela.name" . }}-admission-patch
        {{- include "kubevela.labels" . | nindent 8 }}
@ -41,13 +41,26 @@ spec:
            {{- end }}
      restartPolicy: OnFailure
      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
-      {{- with .Values.admissionWebhooks.patch.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
+      {{- if .Values.admissionWebhooks.patch.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+      {{- else if .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.nodeSelector | nindent 8 }}
      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.tolerations }}
+      {{- if .Values.admissionWebhooks.patch.affinity }}
+      affinity:
+      {{- toYaml .Values.admissionWebhooks.patch.affinity | nindent 8 }}
+      {{- else if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.admissionWebhooks.patch.tolerations }}
      tolerations:
-{{ toYaml . | indent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.tolerations | nindent 8 }}
+      {{- else if .Values.tolerations }}
+      tolerations:
+      {{- toYaml .Values.tolerations | nindent 8 }}
      {{- end }}
      securityContext:
        runAsGroup: 2000
--- a/charts/vela-core/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/role.yaml
@ -5,7 +5,7 @@ metadata:
  name:  {{ template "kubevela.fullname" . }}-admission
  namespace: {{ .Release.Namespace }}
  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission
--- a/charts/vela-core/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/rolebinding.yaml
@ -5,7 +5,7 @@ metadata:
  name:  {{ template "kubevela.fullname" . }}-admission
  namespace: {{ .Release.Namespace }}
  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission
--- a/charts/vela-core/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/serviceaccount.yaml
@ -5,7 +5,7 @@ metadata:
  name:  {{ template "kubevela.fullname" . }}-admission
  namespace: {{ .Release.Namespace }}
  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission
--- a/charts/vela-core/templates/admission-webhooks/mutatingWebhookConfiguration.yaml
+++ b/charts/vela-core/templates/admission-webhooks/mutatingWebhookConfiguration.yaml
@ -1,4 +1,14 @@
 {{- if .Values.admissionWebhooks.enabled -}}
+{{- /* Preserve existing caBundle on upgrade to avoid breaking admission if hooks fail. */}}
+{{- $mName := printf "%s-admission" (include "kubevela.fullname" .) -}}
+{{- $existing := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" "" $mName) -}}
+{{- $vals := dict "apps" "" "comps" "" -}}
+{{- if $existing -}}
+{{- range $existing.webhooks -}}
+{{- if eq .name "mutating.core.oam.dev.v1beta1.applications" -}}{{- $_ := set $vals "apps" .clientConfig.caBundle -}}{{- end -}}
+{{- if eq .name "mutating.core.oam-dev.v1beta1.componentdefinitions" -}}{{- $_ := set $vals "comps" .clientConfig.caBundle -}}{{- end -}}
+{{- end -}}
+{{- end -}}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@ -10,7 +20,7 @@ metadata:
  {{- end }}
 webhooks:
  - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "apps") }}
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
@ -35,8 +45,9 @@ webhooks:
          - UPDATE
        resources:
          - applications
+    timeoutSeconds: {{ .Values.admissionWebhookTimeout }}
  - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "comps") }}
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
@ -61,5 +72,6 @@ webhooks:
          - UPDATE
        resources:
          - componentdefinitions
+    timeoutSeconds: {{ .Values.admissionWebhookTimeout }}

 {{- end -}}
--- a/charts/vela-core/templates/admission-webhooks/validatingWebhookConfiguration.yaml
+++ b/charts/vela-core/templates/admission-webhooks/validatingWebhookConfiguration.yaml
@ -1,4 +1,16 @@
 {{- if .Values.admissionWebhooks.enabled -}}
+{{- /* Preserve existing caBundle on upgrade to avoid breaking admission if hooks fail. */}}
+{{- $vName := printf "%s-admission" (include "kubevela.fullname" .) -}}
+{{- $existing := (lookup "admissionregistration.k8s.io/v1" "ValidatingWebhookConfiguration" "" $vName) -}}
+{{- $vals := dict "traits" "" "apps" "" "comps" "" "policies" "" -}}
+{{- if $existing -}}
+{{- range $existing.webhooks -}}
+{{- if eq .name "validating.core.oam.dev.v1beta1.traitdefinitions" -}}{{- $_ := set $vals "traits" .clientConfig.caBundle -}}{{- end -}}
+{{- if eq .name "validating.core.oam.dev.v1beta1.applications" -}}{{- $_ := set $vals "apps" .clientConfig.caBundle -}}{{- end -}}
+{{- if eq .name "validating.core.oam-dev.v1beta1.componentdefinitions" -}}{{- $_ := set $vals "comps" .clientConfig.caBundle -}}{{- end -}}
+{{- if eq .name "validating.core.oam-dev.v1beta1.policydefinitions" -}}{{- $_ := set $vals "policies" .clientConfig.caBundle -}}{{- end -}}
+{{- end -}}
+{{- end -}}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@ -10,17 +22,17 @@ metadata:
  {{- end }}
 webhooks:
  - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "traits") }}
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validating-core-oam-dev-v1alpha2-traitdefinitions
+        path: /validating-core-oam-dev-v1beta1-traitdefinitions
    {{- if .Values.admissionWebhooks.patch.enabled  }}
    failurePolicy: Ignore
    {{- else }}
    failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }}
    {{- end }}
-    name: validating.core.oam.dev.v1alpha2.traitdefinitions
+    name: validating.core.oam.dev.v1beta1.traitdefinitions
    sideEffects: None
    admissionReviewVersions:
      - v1beta1
@ -29,16 +41,15 @@ webhooks:
      - apiGroups:
          - core.oam.dev
        apiVersions:
-          - v1alpha2
+          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - traitdefinitions
-        scope: Cluster
-    timeoutSeconds: 5
+    timeoutSeconds: {{ .Values.admissionWebhookTimeout }}
  - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "apps") }}
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
@ -63,8 +74,9 @@ webhooks:
          - UPDATE
        resources:
          - applications
+    timeoutSeconds: {{ .Values.admissionWebhookTimeout }}
  - clientConfig:
-      caBundle: Cg==
+      caBundle: {{ default "Cg==" (get $vals "comps") }}
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
@ -89,4 +101,59 @@ webhooks:
          - UPDATE
        resources:
          - componentdefinitions
+    timeoutSeconds: {{ .Values.admissionWebhookTimeout }}
+  - clientConfig:
+      caBundle: {{ default "Cg==" (get $vals "policies") }}
+      service:
+        name: {{ template "kubevela.name" . }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validating-core-oam-dev-v1beta1-policydefinitions
+    {{- if .Values.admissionWebhooks.patch.enabled  }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    name: validating.core.oam-dev.v1beta1.policydefinitions
+    sideEffects: None
+    admissionReviewVersions:
+      - v1beta1
+      - v1
+    rules:
+      - apiGroups:
+          - core.oam.dev
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - policydefinitions
+    timeoutSeconds: {{ .Values.admissionWebhookTimeout }}
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: {{ template "kubevela.name" . }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validating-core-oam-dev-v1beta1-workflowstepdefinitions
+    {{- if .Values.admissionWebhooks.patch.enabled  }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    name: validating.core.oam-dev.v1beta1.workflowstepdefinitions
+    sideEffects: None
+    admissionReviewVersions:
+      - v1beta1
+      - v1
+    rules:
+      - apiGroups:
+          - core.oam.dev
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - workflowstepdefinitions
+    timeoutSeconds: {{ .Values.admissionWebhookTimeout }}
 {{- end -}}
--- a/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
+++ b/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
@ -124,6 +124,7 @@ spec:
    - protocol: TCP
      port: {{ .Values.multicluster.clusterGateway.port }}
      targetPort: {{ .Values.multicluster.clusterGateway.port }}
+      name: default
 ---
 # 1.  Check whether APIService ""v1alpha1.cluster.core.oam.dev" is already present in the cluster
 # 2.a If the APIService doesn't exist, create it.
@ -189,4 +190,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
-{{ end }}
+{{ end }}
--- a/charts/vela-core/templates/cluster-gateway/job-patch.yaml
+++ b/charts/vela-core/templates/cluster-gateway/job-patch.yaml
@ -95,6 +95,18 @@ spec:
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -138,4 +150,16 @@ spec:
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
-{{ end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{ end }}
--- a/charts/vela-core/templates/defwithtemplate/affinity.yaml
+++ b/charts/vela-core/templates/defwithtemplate/affinity.yaml
@ -31,6 +31,9 @@ spec:
        						if k.namespace != _|_ {
        							namespace: k.namespace
        						}
+        						if k.namespaces != _|_ {
+        							namespaces: k.namespaces
+        						}
        						topologyKey: k.topologyKey
        						if k.namespaceSelector != _|_ {
        							namespaceSelector: k.namespaceSelector
@ -57,6 +60,9 @@ spec:
        						if k.namespace != _|_ {
        							namespace: k.namespace
        						}
+        						if k.namespaces != _|_ {
+        							namespaces: k.namespaces
+        						}
        						topologyKey: k.topologyKey
        						if k.namespaceSelector != _|_ {
        							namespaceSelector: k.namespaceSelector
--- a/charts/vela-core/templates/defwithtemplate/annotations.yaml
+++ b/charts/vela-core/templates/defwithtemplate/annotations.yaml
@ -4,7 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: TraitDefinition
 metadata:
  annotations:
-    definition.oam.dev/description: Add annotations on your workload. if it generates pod, add same annotations for generated pods.
+    definition.oam.dev/description: Add annotations on your workload. If it generates pod or job, add same annotations for generated pods.
  name: annotations
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
@ -16,17 +16,21 @@ spec:
      template: |
        // +patchStrategy=jsonMergePatch
        patch: {
-        	metadata: annotations: {
+        	let annotationsContent = {
        		for k, v in parameter {
        			(k): v
        		}
        	}
-        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
-        		spec: template: metadata: annotations: {
-        			for k, v in parameter {
-        				(k): v
-        			}
-        		}
+
+        	metadata: annotations: annotationsContent
+        	if context.output.spec != _|_ if context.output.spec.template != _|_ {
+        		spec: template: metadata: annotations: annotationsContent
+        	}
+        	if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ {
+        		spec: jobTemplate: metadata: annotations: annotationsContent
+        	}
+        	if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ if context.output.spec.jobTemplate.spec != _|_ if context.output.spec.jobTemplate.spec.template != _|_ {
+        		spec: jobTemplate: spec: template: metadata: annotations: annotationsContent
        	}
        }
        parameter: [string]: string | null
--- a/charts/vela-core/templates/defwithtemplate/apply-application-in-parallel.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-application-in-parallel.yaml
@ -15,9 +15,7 @@ spec:
  schematic:
    cue:
      template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"

        output: op.#ApplyApplicationInParallel & {}

--- a/charts/vela-core/templates/defwithtemplate/apply-application.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-application.yaml
@ -16,9 +16,7 @@ spec:
  schematic:
    cue:
      template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"

        // apply application
        output: op.#ApplyApplication & {}
--- a/charts/vela-core/templates/defwithtemplate/apply-component.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-component.yaml
@ -19,5 +19,7 @@ spec:
        	component: string
        	// +usage=Specify the cluster
        	cluster: *"" | string
+        	// +usage=Specify the namespace
+        	namespace: *"" | string
        }

--- a/charts/vela-core/templates/defwithtemplate/apply-deployment.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-deployment.yaml
@ -13,39 +13,38 @@ spec:
  schematic:
    cue:
      template: |
-        import (
-        	"strconv"
-        	"strings"
-        	"vela/op"
-        )
+        import "vela/kube"
+        import "vela/builtin"

-        output: op.#Apply & {
-        	cluster: parameter.cluster
-        	value: {
-        		apiVersion: "apps/v1"
-        		kind:       "Deployment"
-        		metadata: {
-        			name:      context.stepName
-        			namespace: context.namespace
-        		}
-        		spec: {
-        			selector: matchLabels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
-        			replicas: parameter.replicas
-        			template: {
-        				metadata: labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
-        				spec: containers: [{
-        					name:  context.stepName
-        					image: parameter.image
-        					if parameter["cmd"] != _|_ {
-        						command: parameter.cmd
-        					}
-        				}]
+        output: kube.#Apply & {
+        	$params: {
+        		cluster: parameter.cluster
+        		value: {
+        			apiVersion: "apps/v1"
+        			kind:       "Deployment"
+        			metadata: {
+        				name:      context.stepName
+        				namespace: context.namespace
+        			}
+        			spec: {
+        				selector: matchLabels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        				replicas: parameter.replicas
+        				template: {
+        					metadata: labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        					spec: containers: [{
+        						name:  context.stepName
+        						image: parameter.image
+        						if parameter["cmd"] != _|_ {
+        							command: parameter.cmd
+        						}
+        					}]
+        				}
        			}
        		}
        	}
        }
-        wait: op.#ConditionalWait & {
-        	continue: output.value.status.readyReplicas == parameter.replicas
+        wait: builtin.#ConditionalWait & {
+        	$params: continue: output.$returns.value.status.readyReplicas == parameter.replicas
        }
        parameter: {
        	image:    string
--- a/charts/vela-core/templates/defwithtemplate/apply-object.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-object.yaml
@ -12,14 +12,12 @@ spec:
  schematic:
    cue:
      template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/kube"

-        apply: op.#Apply & {
-        	value:   parameter.value
-        	cluster: parameter.cluster
+        apply: kube.#Apply & {
+        	$params: parameter
        }
+
        parameter: {
        	// +usage=Specify Kubernetes native resource object to be applied
        	value: {...}
--- a/charts/vela-core/templates/defwithtemplate/apply-remaining.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-remaining.yaml
@ -16,9 +16,7 @@ spec:
  schematic:
    cue:
      template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/op"

        // apply remaining components and traits
        apply: op.#ApplyRemaining & {
--- a/charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml
@ -13,12 +13,11 @@ spec:
  schematic:
    cue:
      template: |
-        import (
-        	"vela/op"
-        )
+        import "vela/kube"
+        import "vela/builtin"

-        apply: op.#Apply & {
-        	value: {
+        apply: kube.#Apply & {
+        	$params: value: {
        		apiVersion: "terraform.core.oam.dev/v1beta2"
        		kind:       "Configuration"
        		metadata: {
@ -53,8 +52,10 @@ spec:
        		}
        	}
        }
-        check: op.#ConditionalWait & {
-        	continue: apply.value.status != _|_ && apply.value.status.apply != _|_ && apply.value.status.apply.state == "Available"
+        check: builtin.#ConditionalWait & {
+        	if apply.$returns.value.status != _|_ if apply.$returns.value.status.apply != _|_ {
+        		$params: continue: apply.$returns.value.status.apply.state == "Available"
+        	}
        }
        parameter: {
        	// +usage=specify the source of the terraform configuration
--- a/charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml
@ -13,62 +13,63 @@ spec:
  schematic:
    cue:
      template: |
-        import (
-        	"vela/op"
-        	"strings"
-        )
+        import "vela/config"
+        import "vela/kube"
+        import "vela/builtin"

-        config: op.#CreateConfig & {
-        	name:      "\(context.name)-\(context.stepName)"
-        	namespace: context.namespace
-        	template:  "terraform-\(parameter.type)"
-        	config: {
-        		name: parameter.name
-        		if parameter.type == "alibaba" {
-        			ALICLOUD_ACCESS_KEY: parameter.accessKey
-        			ALICLOUD_SECRET_KEY: parameter.secretKey
-        			ALICLOUD_REGION:     parameter.region
-        		}
-        		if parameter.type == "aws" {
-        			AWS_ACCESS_KEY_ID:     parameter.accessKey
-        			AWS_SECRET_ACCESS_KEY: parameter.secretKey
-        			AWS_DEFAULT_REGION:    parameter.region
-        			AWS_SESSION_TOKEN:     parameter.token
-        		}
-        		if parameter.type == "azure" {
-        			ARM_CLIENT_ID:       parameter.clientID
-        			ARM_CLIENT_SECRET:   parameter.clientSecret
-        			ARM_SUBSCRIPTION_ID: parameter.subscriptionID
-        			ARM_TENANT_ID:       parameter.tenantID
-        		}
-        		if parameter.type == "baidu" {
-        			BAIDUCLOUD_ACCESS_KEY: parameter.accessKey
-        			BAIDUCLOUD_SECRET_KEY: parameter.secretKey
-        			BAIDUCLOUD_REGION:     parameter.region
-        		}
-        		if parameter.type == "ec" {
-        			EC_API_KEY: parameter.apiKey
-        		}
-        		if parameter.type == "gcp" {
-        			GOOGLE_CREDENTIALS: parameter.credentials
-        			GOOGLE_REGION:      parameter.region
-        			GOOGLE_PROJECT:     parameter.project
-        		}
-        		if parameter.type == "tencent" {
-        			TENCENTCLOUD_SECRET_ID:  parameter.secretID
-        			TENCENTCLOUD_SECRET_KEY: parameter.secretKey
-        			TENCENTCLOUD_REGION:     parameter.region
-        		}
-        		if parameter.type == "ucloud" {
-        			UCLOUD_PRIVATE_KEY: parameter.privateKey
-        			UCLOUD_PUBLIC_KEY:  parameter.publicKey
-        			UCLOUD_PROJECT_ID:  parameter.projectID
-        			UCLOUD_REGION:      parameter.region
+        cfg: config.#CreateConfig & {
+        	$params: {
+        		name:      "\(context.name)-\(context.stepName)"
+        		namespace: context.namespace
+        		template:  "terraform-\(parameter.type)"
+        		config: {
+        			name: parameter.name
+        			if parameter.type == "alibaba" {
+        				ALICLOUD_ACCESS_KEY: parameter.accessKey
+        				ALICLOUD_SECRET_KEY: parameter.secretKey
+        				ALICLOUD_REGION:     parameter.region
+        			}
+        			if parameter.type == "aws" {
+        				AWS_ACCESS_KEY_ID:     parameter.accessKey
+        				AWS_SECRET_ACCESS_KEY: parameter.secretKey
+        				AWS_DEFAULT_REGION:    parameter.region
+        				AWS_SESSION_TOKEN:     parameter.token
+        			}
+        			if parameter.type == "azure" {
+        				ARM_CLIENT_ID:       parameter.clientID
+        				ARM_CLIENT_SECRET:   parameter.clientSecret
+        				ARM_SUBSCRIPTION_ID: parameter.subscriptionID
+        				ARM_TENANT_ID:       parameter.tenantID
+        			}
+        			if parameter.type == "baidu" {
+        				BAIDUCLOUD_ACCESS_KEY: parameter.accessKey
+        				BAIDUCLOUD_SECRET_KEY: parameter.secretKey
+        				BAIDUCLOUD_REGION:     parameter.region
+        			}
+        			if parameter.type == "ec" {
+        				EC_API_KEY: parameter.apiKey
+        			}
+        			if parameter.type == "gcp" {
+        				GOOGLE_CREDENTIALS: parameter.credentials
+        				GOOGLE_REGION:      parameter.region
+        				GOOGLE_PROJECT:     parameter.project
+        			}
+        			if parameter.type == "tencent" {
+        				TENCENTCLOUD_SECRET_ID:  parameter.secretID
+        				TENCENTCLOUD_SECRET_KEY: parameter.secretKey
+        				TENCENTCLOUD_REGION:     parameter.region
+        			}
+        			if parameter.type == "ucloud" {
+        				UCLOUD_PRIVATE_KEY: parameter.privateKey
+        				UCLOUD_PUBLIC_KEY:  parameter.publicKey
+        				UCLOUD_PROJECT_ID:  parameter.projectID
+        				UCLOUD_REGION:      parameter.region
+        			}
        		}
        	}
        }
-        read: op.#Read & {
-        	value: {
+        read: kube.#Read & {
+        	$params: value: {
        		apiVersion: "terraform.core.oam.dev/v1beta1"
        		kind:       "Provider"
        		metadata: {
@ -77,18 +78,15 @@ spec:
        		}
        	}
        }
-        check: op.#ConditionalWait & {
-        	if read.value.status != _|_ {
-        		continue: read.value.status.state == "ready"
-        	}
-        	if read.value.status == _|_ {
-        		continue: false
+        check: builtin.#ConditionalWait & {
+        	if read.$returns.value.status != _|_ {
+        		$params: continue: read.$returns.value.status.state == "ready"
        	}
        }
        providerBasic: {
-        	accessKey: string
-        	secretKey: string
-        	region:    string
+        	accessKey!: string
+        	secretKey!: string
+        	region!:    string
        }
        #AlibabaProvider: {
        	providerBasic
@ -140,5 +138,5 @@ spec:
        	type:       "ucloud"
        	name:       *"ucloud-provider" | string
        }
-        parameter: *#AlibabaProvider | #AWSProvider | #AzureProvider | #BaiduProvider | #ECProvider | #GCPProvider | #TencentProvider | #UCloudProvider
+        parameter: #AlibabaProvider | #AWSProvider | #AzureProvider | #BaiduProvider | #ECProvider | #GCPProvider | #TencentProvider | #UCloudProvider

--- a/charts/vela-core/templates/defwithtemplate/build-push-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/build-push-image.yaml
@ -13,11 +13,10 @@ spec:
  schematic:
    cue:
      template: |
-        import (
-        	"vela/op"
-        	"encoding/json"
-        	"strings"
-        )
+        import "vela/builtin"
+        import "vela/kube"
+        import "vela/util"
+        import "strings"

        url: {
        	if parameter.context.git != _|_ {
@ -28,8 +27,8 @@ spec:
        		value: parameter.context
        	}
        }
-        kaniko: op.#Apply & {
-        	value: {
+        kaniko: kube.#Apply & {
+        	$params: value: {
        		apiVersion: "v1"
        		kind:       "Pod"
        		metadata: {
@ -95,14 +94,14 @@ spec:
        		}
        	}
        }
-        log: op.#Log & {
-        	source: resources: [{
+        log: util.#Log & {
+        	$params: source: resources: [{
        		name:      "\(context.name)-\(context.stepSessionID)-kaniko"
        		namespace: context.namespace
        	}]
        }
-        read: op.#Read & {
-        	value: {
+        read: kube.#Read & {
+        	$params: value: {
        		apiVersion: "v1"
        		kind:       "Pod"
        		metadata: {
@ -111,8 +110,10 @@ spec:
        		}
        	}
        }
-        wait: op.#ConditionalWait & {
-        	continue: read.value.status != _|_ && read.value.status.phase == "Succeeded"
+        wait: builtin.#ConditionalWait & {
+        	if read.$returns.value.status != _|_ {
+        		$params: continue: read.$returns.value.status.phase == "Succeeded"
+        	}
        }
        #secret: {
        	name: string
--- a/Show More
+++ b/Show More