feat: update strategy for reinstall (#2019 )

* feat: Add updateStrategy option in the state file with 'reinstall'/'reinstallIfForbidden' choices to uninstall and apply the specific release(s) (if forbidden to update) Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Fix unit tests related to the new updateStrategy feature Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Fix unit tests related to the new updateStrategy feature Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Resolve linter issue due to cognitive complexity Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Updated index.md to describe the possible values of updateStrategy Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Add validation of updateStrategy parameter and unit test Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Updated unit test Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Removed 'reinstall' update strategy option to only have reinstallIfForbidden, cleanup of pre-sync changes, adapted unit tests Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Display affected releases that were reinstalled Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Make sure to add --wait when deleting a release to be reinstalled due to reinstallIfForbidden Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> * Apply suggestions from Copilot code review Signed-off-by: Simon Bouchard <sbouchard@rbbn.com> --------- Signed-off-by: Simon Bouchard <sbouchard@rbbn.com>
build(deps): bump actions/download-artifact from 5 to 6 (#2235 )
2025-10-29 08:47:46 +08:00 · 2025-10-28 07:29:24 +08:00 · 2025-10-28 07:29:03 +08:00 · 2025-10-26 19:41:39 -04:00 · 2025-10-26 10:16:26 +08:00 · 2025-10-25 08:45:32 +08:00
858 changed files with 96032 additions and 34199 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -1,105 +0,0 @@
-version: 2
-
-jobs:
-
-  build:
-    docker:
-      - image: circleci/golang:1.10.1
-    working_directory: /go/src/github.com/roboll/helmfile
-    steps:
-      - checkout
-      - run: make build
-      - persist_to_workspace:
-          root: /go/src/github.com/roboll/helmfile
-          paths:
-            - .
-
-  test:
-    docker:
-      - image: circleci/golang:1.10.1
-    working_directory: /go/src/github.com/roboll/helmfile
-    steps:
-      - checkout
-      - run: make check
-      - run: make pristine
-      - run: make test
-
-  # thanks to https://raw.githubusercontent.com/weaveworks/launcher/master/.circleci/config.yml
-  integration_tests:
-    machine: true
-    environment:
-      CHANGE_MINIKUBE_NONE_USER: true
-    steps:
-      - checkout
-      - run: mkdir ~/build
-      - attach_workspace:
-          at: ~/build
-      - run: cp ~/build/helmfile ~/project/helmfile
-      - run:
-          name: Install helm
-          environment:
-            HELM_VERSION: v2.9.0
-          command: |
-            HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz"
-            curl -Lo ${HELM_FILENAME} "https://kubernetes-helm.storage.googleapis.com/${HELM_FILENAME}"
-            tar zxf ${HELM_FILENAME} linux-amd64/helm
-            chmod +x linux-amd64/helm
-            sudo mv linux-amd64/helm /usr/local/bin/
-      - run:
-          name: Deploy minikube
-          environment:
-            CHANGE_MINIKUBE_NONE_USER: true
-            K8S_VERSION: v1.9.0
-            MINIKUBE_VERSION: v0.25.2
-          command: |
-            curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/kubectl
-            chmod +x kubectl && sudo mv kubectl /usr/local/bin/
-            curl -Lo minikube https://storage.googleapis.com/minikube/releases/${MINIKUBE_VERSION}/minikube-linux-amd64
-            chmod +x minikube && sudo mv minikube /usr/local/bin/
-            sudo minikube config set WantReportErrorPrompt false
-            sudo -E minikube start --vm-driver=none --kubernetes-version=${K8S_VERSION}
-            sudo -E minikube update-context
-      - run:
-          name: Wait for nodes to become ready
-          command: JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}'; until kubectl get nodes -o jsonpath="$JSONPATH" 2>&1 | grep -q "Ready=True"; do sleep 1; done
-      - run:
-          name: Execute integration tests
-          command: |
-            export TERM=xterm
-            make integration
-
-# GITHUB_TOKEN env var must be setup in circleci console
-
-  release:
-    docker:
-      - image: circleci/golang:1.10.1
-    working_directory: /go/src/github.com/roboll/helmfile
-    steps:
-    - checkout
-    - setup_remote_docker
-    - run:
-        command: |
-          docker login -u="$DOCKER_USER" -p="$DOCKER_PASS" quay.io
-          make tools
-          BUILD_URL="$CIRCLE_BUILD_URL" make push release
-
-workflows:
-  version: 2
-  build_and_test:
-    jobs:
-      - build
-      - test
-      - integration_tests:
-          requires:
-            - build
-          filters:
-            branches:
-              only:
-                - master
-                - /pull.*/
-      - release:
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              only: /v.*/
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1 @@
+Dockerfile*
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,5 @@
+root = true
+
+[*.md]
+insert_final_newline = true
+trim_trailing_whitespace = true
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: mumoshu
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@ -0,0 +1,81 @@
+name: Bug
+description: File a bug report
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Before opening a bug report, please search for the behaviour in the existing issues.
+
+        Go ahead to https://github.com/helmfile/helmfile/search?q=&type= and fill in the error message you received from Helmfile or the keywords you think appropriate.
+  - type: markdown
+    id: thankyou
+    attributes:
+      value: |
+        Thank you for taking your time to file a bug report! To confirm it's a bug, we need some information to reproduce it.
+  - type: input
+    id: os
+    attributes:
+      label: Operating system
+      description: "Which operating system do you use? Please provide the version as well."
+      placeholder: "ex. Ubuntu 20.04.4 LTS"
+    validations:
+      required: true
+  - type: input
+    id: helmfile
+    attributes:
+      label: Helmfile Version
+      description: "Please provide the version number of Helmfile you used. If it isn't the latest, please upgrade first."
+      placeholder: "Run `helmfile version` to print it."
+    validations:
+      required: true
+  - type: input
+    id: helm
+    attributes:
+      label: Helm Version
+      description: "Please provide the version number of Helm you used. If it isn't the latest, please upgrade first."
+      placeholder: "Run `helm version` to print it."
+    validations:
+      required: true
+  - type: textarea
+    id: bug-description
+    attributes:
+      label: Bug description
+      description: What happened?
+    validations:
+      required: true
+  - type: textarea
+    id: helmfile-yaml
+    attributes:
+      label: Example helmfile.yaml
+      description: "Please provide an example helmfile.yaml that can be used to reproduce the issue locally."
+    validations:
+      required: true
+  - type: textarea
+    id: helmfile-error
+    attributes:
+      label: "Error message you've seen (if any)"
+      description: "Please provide the error message emitted by Helmfile."
+    validations:
+      required: true
+  - type: input
+    id: repo
+    attributes:
+      label: Steps to reproduce
+      description: Please provide the URL to a GitHub repository that contains a helmfile.yaml, other companion files, and a README.md with the steps to reproduce the bug.
+    validations:
+      required: true
+  - type: input
+    id: helmfile_working_ver
+    attributes:
+      label: Working Helmfile Version
+      description: "Please provide the highest version number of Helmfile that doesn't result in the above problem."
+      placeholder: "Run `helmfile version` to print it."
+    validations:
+      required: true
+  - type: input
+    id: discussion
+    attributes:
+      label: Relevant discussion
+      description: Please provide the URL to a relevant GitHub Discussion.
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -0,0 +1,14 @@
+blank_issues_enabled: false
+contact_links:
+- name: Sponsor Helmfile Maintainers
+  about: If your business relies on the continued maintainance of Helmfile, please consider sponsoring maintainers.
+  url: https://github.com/helmfile/helmfile/tree/main/CODEOWNERS
+- name: Ideas and Feature Requests
+  about: Wanna request a feature? Create a discussion and collect :+1:s first.
+  url: https://github.com/helmfile/helmfile/discussions/new?category=ideas
+- name: Questions and User Support
+  about: Need support using Helmfile? We use Discussions as the place to provide community support.
+  url: https://github.com/helmfile/helmfile/discussions/new?category=questions
+- name: Need Paid Support?
+  about: Consider contracting with any of the Helmfile maintainers.
+  url: https://github.com/helmfile/helmfile/tree/main/CODEOWNERS
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@ -0,0 +1,234 @@
+# Copilot Instructions for Helmfile
+
+## Repository Overview
+
+Helmfile is a tool for deploying Helm charts that manages Kubernetes deployments as code. It provides templating, environment management, and GitOps workflows for Helm chart deployments.
+
+Helmfile is a declarative tool. In Helmfile, all elements of the desired state for deployments must be included in the `helmfile.yaml` config file and any associated files. Only operational matters can be provided dynamically, via command-line flags and environment variables.
+
+**Key Details:**
+- **Language:** Go 1.24.2+
+- **Type:** CLI tool / Kubernetes deployment management
+- **Size:** Large codebase (~229MB binary, 200+ dependencies)
+- **Runtime:** Requires Helm 3.x as external dependency
+- **Target Platform:** Linux/macOS/Windows, Kubernetes clusters
+
+## Build and Validation Commands
+
+### Essential Setup
+Helmfile requires Helm 3.x and Kustomize 5.x as runtime dependencies:
+```bash
+# Check for Helm dependency (REQUIRED)
+helm version  # Must show version 3.x
+
+# Initialize Helm plugins after helmfile installation
+./helmfile init  # Installs required helm-diff plugin
+
+# Alternative: Force install without prompts
+./helmfile init --force
+```
+
+### Build Process
+```bash
+# Standard build (takes 2-3 minutes due to many dependencies)
+make build
+
+# Alternative direct build
+go build -o helmfile .
+
+# Build with test tools (required for integration tests, ~1 minute)
+make build-test-tools  # Creates diff-yamls and downloads dyff
+
+# Cross-platform builds
+make cross
+```
+
+**Build Timing:** First build downloads 200+ Go packages and takes 2-3 minutes. Subsequent builds are faster due to module cache. Test tools build is faster (~1 minute).
+
+### Validation Pipeline
+Run in this exact order to match CI requirements:
+
+```bash
+# 1. Code formatting and linting  
+make check           # Run go vet (required - always works)
+# Note: make fmt requires gci tool (go install github.com/daixiang0/gci@latest)
+
+# 2. Unit tests (fast, ~30 seconds)
+go test -v ./pkg/... -race -p=1
+
+# 3. Integration tests (requires Kubernetes - see Environment Setup)
+make integration     # Takes 5-10 minutes, needs minikube/k8s cluster
+
+# 4. E2E tests (optional, needs expect package)
+sudo apt-get install expect  # On Ubuntu/Debian
+bash test/e2e/helmfile-init/init_linux.sh
+```
+
+### Linting Configuration
+Uses golangci-lint with configuration in `.golangci.yaml`. Install via:
+```bash
+# For local development
+curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.1.6
+golangci-lint run
+```
+
+**Critical Lint Rules:** staticcheck, errcheck, revive, unused. Fix lint errors before committing.
+
+## Environment Setup Requirements
+
+### Dependencies for Development
+```bash
+# Required for building/testing
+go version            # Must be 1.24.2+
+helm version         # Must be 3.x
+kubectl version      # For K8s integration
+
+# Required for integration tests
+minikube start       # Or other K8s cluster
+kustomize version    # v5.2.1+ for some tests
+```
+
+### Integration Test Environment
+Integration tests require a running Kubernetes cluster:
+
+```bash
+# Using minikube (recommended for CI)
+minikube start
+export KUBECONFIG=$(minikube kubeconfig-path)
+
+# Using kind (alternative)
+kind create cluster --name helmfile-test
+
+# Verify cluster access
+kubectl cluster-info
+```
+
+**Timing:** Integration tests take 5-10 minutes and may fail due to timing issues in resource-constrained environments.
+
+## Project Architecture and Layout
+
+### Core Directory Structure
+```
+/
+├── main.go                    # Entry point - CLI initialization and signal handling
+├── cmd/                       # CLI commands (apply, diff, sync, template, etc.)
+│   ├── root.go               # Main cobra command setup and global flags  
+│   ├── apply.go              # helmfile apply command
+│   ├── diff.go               # helmfile diff command
+│   └── ...                   # Other subcommands
+├── pkg/                       # Core library packages
+│   ├── app/                  # Main application logic and execution
+│   ├── state/                # Helmfile state management and chart dependencies
+│   ├── helmexec/             # Helm execution and command wrapper
+│   ├── tmpl/                 # Go template processing and functions
+│   ├── environment/          # Environment and values management  
+│   └── ...                   # Other core packages
+├── test/                      # Test suites
+│   ├── integration/          # Integration tests with real K8s clusters
+│   ├── e2e/                  # End-to-end user workflow tests
+│   └── advanced/             # Advanced feature tests
+├── docs/                      # Documentation (mkdocs format)
+├── examples/                  # Example helmfile configurations
+└── .github/workflows/        # CI/CD pipeline definitions
+```
+
+### Key Source Files
+- **main.go:** Signal handling, CLI execution entry point
+- **cmd/root.go:** Global CLI configuration, error handling, logging setup  
+- **pkg/app/app.go:** Main application orchestration, state management
+- **pkg/state/state.go:** Helmfile state parsing, release management
+- **pkg/helmexec/exec.go:** Helm command execution, version detection
+
+### Configuration Files
+- **go.mod/go.sum:** Go dependencies (many cloud providers, k8s libraries)
+- **.golangci.yaml:** Linting rules and settings
+- **Makefile:** Build targets and development workflows
+- **mkdocs.yml:** Documentation generation configuration
+- **.github/workflows/ci.yaml:** Complete CI pipeline definition
+
+## Continuous Integration Pipeline
+
+### GitHub Actions Workflow (`.github/workflows/ci.yaml`)
+1. **Lint Job:** golangci-lint with custom configuration (~5 minutes)
+2. **Test Job:** Unit tests + binary build (~10 minutes)  
+3. **Integration Job:** Tests with multiple Helm/Kustomize versions (~15-20 minutes each)
+4. **E2E Job:** User workflow validation (~5 minutes)
+
+**Matrix Testing:** CI tests against multiple Helm versions (3.17.x, 3.18.x) and Kustomize versions (5.2.x, 5.4.x).
+
+### Pre-commit Validation Steps
+Always run these locally before pushing:
+```bash
+make check           # Format and vet (required)
+go test ./pkg/...    # Unit tests  
+make build          # Verify build works
+# Note: make fmt requires gci tool: go install github.com/daixiang0/gci@latest
+```
+
+### Common CI Failure Causes
+- **Linting errors:** Run `golangci-lint run` locally first
+- **Integration test timeouts:** K8s cluster setup timing issues
+- **Version compatibility:** Ensure Go 1.24.2+ and Helm 3.x
+- **Race conditions:** Some tests are sensitive to parallel execution
+
+## Development Gotchas and Known Issues
+
+### Build Issues
+- **Long initial build time:** First `make build` downloads 200+ packages (~2-3 minutes)
+- **Memory usage:** Large binary size due to embedded dependencies  
+- **Git tags:** Build may show version warnings if not on tagged commit
+- **Tool dependencies:** `make fmt` requires `gci` tool installation
+
+### Testing Issues  
+- **Integration tests require K8s:** Will fail without cluster access
+- **Test isolation:** Use `-p=1` flag to avoid race conditions
+- **Minikube timing:** May need to wait for cluster ready state
+- **Plugin dependencies:** Tests need helm-diff and helm-secrets plugins
+
+### Runtime Requirements
+- **Helm dependency:** Always required at runtime, not just build time (available in CI)
+- **kubectl access:** Most operations need valid kubeconfig
+- **Plugin management:** `helmfile init` must be run after installation
+
+### Common Error Patterns
+```bash
+# Missing Helm
+"helm: command not found" → Install Helm first
+
+# Plugin missing  
+"Error: plugin 'diff' not found" → Run helmfile init
+
+# K8s access
+"connection refused" → Check kubectl cluster-info
+
+# Permission errors
+"permission denied" → Check kubeconfig and cluster access
+
+# Missing tools
+"gci: No such file or directory" → go install github.com/daixiang0/gci@latest
+```
+
+## Working with the Codebase
+
+### Making Changes
+- **Follow Helmfile design**: Helmfile is a declarative deployment tool. Anything that is part of the desired state of the deployments needs to be managed by Helmfile configs. Only operational knowledge that affects "how" to apply the desired state needs to be runtime options, like command-like flags and environment variables.
+- **Small, focused changes:** Each PR should address single concern
+- **Test coverage:** Add unit tests for new pkg/ functionality
+- **Integration tests:** Update test-cases/ for new CLI features
+- **Documentation:** Update docs/ for user-facing changes
+
+### Key Packages to Understand
+- **pkg/app:** Main business logic, start here for feature changes
+- **pkg/state:** Helmfile parsing and release orchestration  
+- **cmd/:** CLI interface changes and new subcommands
+- **pkg/helmexec:** Helm integration and command execution
+
+### Architecture Patterns
+- **Dependency injection:** App uses interfaces for testability
+- **State management:** Immutable state objects, functional transforms
+- **Error handling:** Custom error types with exit codes
+- **Plugin system:** Extensible via Helm plugins and Go templates
+
+---
+
+**Trust these instructions:** This information is validated against the current codebase. Only search for additional details if these instructions are incomplete or found to be incorrect for your specific task.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -0,0 +1,19 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 14
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - in progress
+  - pinned
+  - security
+  - bug
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false
--- a/.github/workflows/Makefile
+++ b/.github/workflows/Makefile
@ -0,0 +1,68 @@
+HELM_VERSION ?= v3.7.2
+KUSTOMIZE_VERSION ?= v5.4.3
+K8S_VERSION ?= v1.32.1
+MINIKUBE_VERSION ?= v1.31.1
+SOPS_VERSION ?= v3.9.3
+
+# ---
+CHANGE_MINIKUBE_NONE_USER ?= true
+MINIKUBE_WANTUPDATENOTIFICATION ?= false
+MINIKUBE_WANTREPORTERRORPROMPT ?= false
+
+VAULT_ADDR := http://127.0.0.1:8200
+VAULT_TOKEN := toor
+
+tmp := $(shell mktemp -d)
+HELM_FILENAME := helm-${HELM_VERSION}-linux-amd64.tar.gz
+KUSTOMIZE_FILENAME := kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz
+
+
+all: vault sops helm kustomize minikube/destroy minikube
+
+helm:
+	curl -sSLo $(tmp)/${HELM_FILENAME} "https://get.helm.sh/${HELM_FILENAME}"
+	tar zxf $(tmp)/${HELM_FILENAME} --directory ${tmp} linux-amd64/helm
+	chmod +x ${tmp}/linux-amd64/helm
+	sudo mv ${tmp}/linux-amd64/helm /usr/local/bin/
+.PHONY: helm
+
+kustomize:
+	curl -sSLo $(tmp)/${KUSTOMIZE_FILENAME} "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILENAME}"
+	tar zxf $(tmp)/${KUSTOMIZE_FILENAME} --directory ${tmp} kustomize
+	chmod +x ${tmp}/kustomize
+	sudo mv ${tmp}/kustomize /usr/local/bin/
+.PHONY: kustomize
+
+minikube/destroy:
+	sudo -E minikube delete || true
+	sudo -E rm -rf /etc/kubernetes || true
+	sudo -E rm -rf $$HOME/.minikube/* || true
+.PHONY: minikube/destroy
+.EXPORT_ALL_VARIABLES: minikube/destroy
+
+minikube:
+	curl -sSLo ${tmp}/kubectl https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/amd64/kubectl
+	chmod +x ${tmp}/kubectl && sudo mv ${tmp}/kubectl /usr/local/bin/
+	curl -sSLo ${tmp}/minikube https://storage.googleapis.com/minikube/releases/${MINIKUBE_VERSION}/minikube-linux-amd64
+	chmod +x ${tmp}/minikube && sudo mv ${tmp}/minikube /usr/local/bin/
+	sudo -E minikube delete || true
+	sudo -E rm -rf /etc/kubernetes || true
+	sudo -E rm -rf $$HOME/.minikube/* || true
+	sudo -E minikube start --vm-driver=none --kubernetes-version=${K8S_VERSION}
+	sudo -E minikube update-context
+	kubectl wait node/minikube --for=condition=Ready
+.PHONY: minikube
+.EXPORT_ALL_VARIABLES: minikube
+
+vault:
+	docker kill $$(docker ps -a --filter "name=vault" -q) || true
+	docker run -d -p8200:8200 --rm --name vault vault:1.2.0 server -dev -dev-root-token-id=toor
+	docker run --rm --network="host" --cap-add IPC_LOCK -e VAULT_ADDR=$$VAULT_ADDR -e VAULT_TOKEN=$$VAULT_TOKEN  vault:1.2.0 secrets enable -path=sops transit
+	docker run --rm --network="host" --cap-add IPC_LOCK -e VAULT_ADDR=$$VAULT_ADDR -e VAULT_TOKEN=$$VAULT_TOKEN  vault:1.2.0 write sops/keys/key type=rsa-4096
+.PHONY: vault
+
+sops:
+	curl -sSLo $(tmp)/sops "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64"
+	chmod +x $(tmp)/sops
+	sudo mv ${tmp}/sops /usr/local/bin/
+.PHONY: sops
--- a/.github/workflows/cache.yaml
+++ b/.github/workflows/cache.yaml
@ -0,0 +1,26 @@
+name: Cleanup cache
+
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  cleanup-cache:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          gh extension install actions/gh-actions-cache
+
+          echo "Fetching list of cache keys"
+          cacheKeys=$(gh actions-cache list -R $GITHUB_REPOSITORY -B $BRANCH | cut -f 1 )
+
+          echo "Deleting caches..."
+          for cacheKey in $cacheKeys; do
+            gh actions-cache delete $cacheKey -R $GITHUB_REPOSITORY -B $BRANCH --confirm
+          done
+        shell: bash
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -0,0 +1,142 @@
+name: Go
+
+on:
+  push:
+    branches: [ main ]
+    paths-ignore: [ '**.md', '**/docs/**' ]
+  pull_request:
+    branches: [ main ]
+    paths-ignore: [ '**.md', '**/docs/**' ]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: false
+      - uses: golangci/golangci-lint-action@v8
+        with:
+          version: v2.1.6
+
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - name: Build
+        run: make build build-test-tools
+      - name: Test
+        run: make check test
+      - name: Archive built binaries
+        run: tar -cvf built-binaries.tar helmfile diff-yamls dyff
+      - uses: actions/upload-artifact@v5
+        with:
+          name: built-binaries-${{ github.run_id }}
+          path: built-binaries.tar
+          retention-days: 1
+      - name: Display built binaries
+        run: ls -l helmfile diff-yamls dyff
+
+  integration_tests:
+    needs: tests
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          # Helm maintains the latest minor version only and therefore each Helmfile version supports 2 Helm minor versions.
+          # That's why we cover only 2 Helm minor versions in this matrix.
+          # See https://github.com/helmfile/helmfile/pull/286#issuecomment-1250161182 for more context.
+          - helm-version: v3.18.6
+            kustomize-version: v5.2.1
+            plugin-secrets-version: 4.6.5
+            plugin-diff-version: 3.11.0
+            extra-helmfile-flags: ''
+          - helm-version: v3.18.6
+            kustomize-version: v5.4.3
+            # We assume that the helm-secrets plugin is supposed to
+            # work with the two most recent helm minor versions.
+            # Once it turned out to be not practically true,
+            # we will mark this combination as failable,
+            # and instruct users to upgrade helm and helm-secrets at once.
+            plugin-secrets-version: 4.6.5
+            plugin-diff-version: 3.12.5
+            extra-helmfile-flags: ''
+          - helm-version: v3.19.0
+            kustomize-version: v5.2.1
+            plugin-secrets-version: 4.6.5
+            plugin-diff-version: 3.11.0
+            extra-helmfile-flags: ''
+          - helm-version: v3.19.0
+            kustomize-version: v5.4.3
+            plugin-secrets-version: 4.6.5
+            plugin-diff-version: 3.12.5
+            extra-helmfile-flags: ''
+          # In case you need to test some optional helmfile features,
+          # enable it via extra-helmfile-flags below.
+          - helm-version: v3.19.0
+            kustomize-version: v5.4.3
+            plugin-secrets-version: 4.6.5
+            plugin-diff-version: 3.12.5
+            extra-helmfile-flags: '--enable-live-output'
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - uses: actions/download-artifact@v6
+        with:
+          name: built-binaries-${{ github.run_id }}
+      - name: install semver
+        run: go install github.com/ffurrer2/semver/v2/cmd/semver@latest
+      - name: Extract tar to get built binaries
+        run: tar -xvf built-binaries.tar
+      - name: Display built binaries
+        run: ls -l helmfile diff-yamls dyff
+
+      - name: Install test dependencies
+        env:
+          HELM_VERSION: ${{ matrix.helm-version }}
+          KUSTOMIZE_VERSION: ${{ matrix.kustomize-version }}
+        run: make -C .github/workflows helm vault sops kustomize
+      - name: Start minikube
+        uses: medyagh/setup-minikube@latest
+        with:
+          kubernetes-version: v1.33.1 
+      - name: Execute integration tests
+        run: make integration
+        env:
+          HELM_SECRETS_VERSION: ${{ matrix.plugin-secrets-version }}
+          HELM_DIFF_VERSION: ${{ matrix.plugin-diff-version }}
+          HELMFILE_HELM3: 1
+          TERM: xterm
+          EXTRA_HELMFILE_FLAGS: ${{ matrix.extra-helmfile-flags }}
+
+  e2e_tests:
+    needs: tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/download-artifact@v6
+        with:
+          name: built-binaries-${{ github.run_id }}
+      - name: Extract tar to get built binaries
+        run: tar -xvf built-binaries.tar
+      - name: Display built binaries
+        run: ls -l helmfile diff-yamls dyff
+      - name: Install package
+        run: sudo apt-get -y install expect
+      - name: Run helmfile init
+        run: bash test/e2e/helmfile-init/init_linux.sh
+        env:
+          TERM: xterm
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@ -0,0 +1,83 @@
+name: Images
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches:
+      - main
+      - "image/**"
+      - "*image"
+      - "image*"
+    tags:
+      - 'v*'
+    paths-ignore:
+      - .github/workflows/ci.yml
+      - .github/workflows/lock.yml
+      - ".github/ISSUE_TEMPLATE/**"
+      - "docs/**"
+      - "hack/**"
+      - "**.md"
+      - ".gitignore"
+      - "Makefile"
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        image:
+          - dockerfile: Dockerfile
+            suffix: ""
+          - dockerfile: Dockerfile.debian-stable-slim
+            suffix: "-debian-stable-slim"
+          - dockerfile: Dockerfile.ubuntu
+            suffix: "-ubuntu"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: latest
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}${{ matrix.image.suffix }}
+          flavor: latest=false
+          tags: |
+            type=raw,value=canary,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            type=ref,event=pr
+            type=semver,pattern={{raw}}
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build / Push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ matrix.image.dockerfile }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
--- a/.github/workflows/lock.yaml
+++ b/.github/workflows/lock.yaml
@ -0,0 +1,30 @@
+# Copyright 2022 The Helmfile Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Lock closed'
+on:
+  schedule:
+  - cron: '0 0 * * *'
+
+jobs:
+  lock:
+    runs-on: 'ubuntu-latest'
+    steps:
+    - uses: 'dessant/lock-threads@v5'
+      with:
+        github-token: '${{ github.token }}'
+        issue-lock-inactive-days: 1
+        issue-lock-reason: 'resolved'
+        pr-lock-inactive-days: 1
+        pr-lock-reason: 'resolved'
--- a/.github/workflows/releaser.yaml
+++ b/.github/workflows/releaser.yaml
@ -0,0 +1,47 @@
+name: GoReleaser
+
+on:
+  push:
+    tags:
+      - 'v0*'
+      - 'v1*'
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+
+permissions:
+  contents: write
+
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  SNAPSHOT: ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }}
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - name: check disk usage
+        run: df -h
+      - name: cleanup disk
+        run: |
+            sudo rm -rf /usr/share/dotnet
+            sudo rm -rf /opt/ghc
+            sudo rm -rf /usr/local/share/boost
+            sudo rm -fr /usr/local/lib/android
+            sudo rm -fr /opt/hostedtoolcache/CodeQL
+            sudo docker image prune --all --force
+            sudo docker builder prune -a
+      - name: check disk usage
+        run: df -h
+      - uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean ${{ env.SNAPSHOT }}
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,14 @@
 dist/
 .idea/
-helmfile
+/helmfile
+/helmfile.lock
+/diff-yamls
+/dyff
+test/integration/tmp$
+vendor/
+*.log
+.vagrant/
+*.lock
+test/integration/.gnupg/
+.vscode/launch.json
+cover.out
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -0,0 +1,146 @@
+version: "2"
+run:
+  issues-exit-code: 1
+  tests: true
+output:
+  formats:
+    text:
+      path: stdout
+      print-linter-name: true
+      print-issued-lines: true
+      colors: false
+linters:
+  default: none
+  enable:
+    - bodyclose
+    - copyloopvar
+    - errcheck
+    - funlen
+    - gocognit
+    - goconst
+    - govet
+    - ineffassign
+    - misspell
+    - nakedret
+    - reassign
+    - revive
+    - staticcheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - whitespace
+  settings:
+    staticcheck:
+      checks: ["all", "-ST1000", "-ST1003", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-ST1005", "-QF1001", "-QF1008"]
+
+    dogsled:
+      max-blank-identifiers: 2
+    dupl:
+      threshold: 100
+    errcheck:
+      check-type-assertions: false
+      check-blank: false
+    funlen:
+      lines: 280
+      statements: 140
+    gocognit:
+      min-complexity: 110
+    goconst:
+      min-len: 3
+      min-occurrences: 8
+    gocritic:
+      settings:
+        captLocal:
+          paramsOnly: true
+    gocyclo:
+      min-complexity: 30
+    godox:
+      keywords:
+        - TODO
+        - BUG
+        - FIXME
+        - NOTE
+        - OPTIMIZE
+        - HACK
+    gosec:
+      excludes:
+        - G104
+    govet:
+      disable:
+        - shadow
+      settings:
+        printf:
+          funcs:
+            - (github.com/golangci/golangci-lint/pkg/logutils.Log).Infof
+            - (github.com/golangci/golangci-lint/pkg/logutils.Log).Warnf
+            - (github.com/golangci/golangci-lint/pkg/logutils.Log).Errorf
+            - (github.com/golangci/golangci-lint/pkg/logutils.Log).Fatalf
+    lll:
+      line-length: 120
+      tab-width: 1
+    misspell:
+      locale: US
+      ignore-rules:
+        - GitLab
+    nakedret:
+      max-func-lines: 50
+    prealloc:
+      simple: true
+      range-loops: true
+      for-loops: false
+    revive:
+      confidence: 0.8
+      severity: warning
+    unparam:
+      check-exported: false
+    whitespace:
+      multi-if: false
+      multi-func: false
+    wsl:
+      strict-append: true
+      allow-assign-and-call: true
+      allow-multiline-assign: true
+      force-case-trailing-whitespace: 0
+      allow-trailing-comment: false
+      allow-cuddle-declarations: false
+  exclusions:
+    generated: lax
+    rules:
+      - linters:
+          - dupl
+          - errcheck
+          - funlen
+          - gocyclo
+          - gosec
+        path: _test\.go
+      - linters:
+          - lll
+        source: '^//go:generate '
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+  new: false
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/helmfile/helmfile)
+    gofmt:
+      simplify: true
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -0,0 +1,45 @@
+version: 2
+project_name: helmfile
+builds:
+  - id: helmfile
+    main: .
+    env:
+      - CGO_ENABLED=0
+    ldflags:
+      - -s -w
+      - -X go.szostok.io/version.version={{.Version}}
+      - -X go.szostok.io/version.buildDate={{.Date}}
+      - -X go.szostok.io/version.commit={{.FullCommit}}
+      - -X go.szostok.io/version.commitDate={{.CommitDate}}
+      - -X go.szostok.io/version.dirtyBuild=false
+    goos:
+      - darwin
+      - linux
+      - windows
+    goarch:
+      - amd64
+      - arm64
+      - "386"
+archives:
+  - id: helmfile
+    ids:
+      - helmfile
+    builds_info:
+      group: root
+      owner: root
+      mode: 0644
+changelog:
+  use: github
+  sort: asc
+  groups:
+    - title: Features
+      regexp: '^.*[Ff]eat[(\\w)]*:+.*$'
+      order: 0
+    - title: "Fixes"
+      regexp: '^.*fix[(\\w)]*.*$'
+      order: 1
+    - title: "Dependencies"
+      regexp: '^.*(deps|bump)[(\\w)]*.*$'
+      order: 2
+    - title: Others
+      order: 999
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@ -0,0 +1,14 @@
+version: 2
+
+mkdocs:
+  configuration: mkdocs.yml
+  fail_on_warning: false
+
+build:
+  os: ubuntu-24.04
+  tools:
+    python: "3.12"
+
+python:
+   install:
+   - requirements: docs/requirements.txt
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+# Helmfile Maintainers
+* @mumoshu @itscaro @yxxhero @xiaomudk @zhaque44
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,39 @@
+# DCO + License
+
+By contributing to `helmfile`, you accept and agree to the following DCO and license terms and
+conditions for your present and future Contributions submitted to the `helmfile` project.
+
+[DCO](https://developercertificate.org/)
+[License](https://github.com/helmfile/helmfile/blob/main/LICENSE)
+
+# Developing helmfile
+
+Locate your `GOPATH`, usually `~/go`, and run:
+
+```console
+$ go get github.com/helmfile/helmfile
+
+$ cd $GOPATH/src/github.com/helmfile/helmfile
+
+$ git checkout -b your-shiny-new-feature origin/main
+
+...
+
+$ git commit -m 'feat: do whatever for whatever purpose
+
+This adds ... by:
+
+- Adding ...
+- Changing ...
+- Removing...
+
+Resolves #ISSUE_NUMBER
+'
+
+$ hub fork
+$ git push YOUR_GITHUB_USER your-shiny-new-feature
+$ hub pull-request
+```
+
+Note that the above tutorial uses [hub](https://github.com/github/hub) just for ease of explanation.
+Please use whatever tool or way to author your pull request!
--- a/114
+++ b/114
@ -1,29 +1,107 @@
-FROM golang:1.10.1-alpine3.7 as builder
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder

 RUN apk add --no-cache make git
-WORKDIR /go/src/github.com/roboll/helmfile/
-COPY . /go/src/github.com/roboll/helmfile/
-RUN make static-linux
+WORKDIR /workspace/helmfile
+
+COPY go.mod go.sum /workspace/helmfile/
+RUN go mod download
+
+COPY . /workspace/helmfile
+ARG TARGETARCH TARGETOS
+RUN make static-${TARGETOS}-${TARGETARCH}

 # -----------------------------------------------------------------------------

-FROM alpine:3.7
+FROM alpine:3.22

-RUN apk add --no-cache ca-certificates git bash curl
+LABEL org.opencontainers.image.source=https://github.com/helmfile/helmfile

-ARG HELM_VERSION=v2.9.1
-ARG HELM_LOCATION="https://kubernetes-helm.storage.googleapis.com"
-ARG HELM_FILENAME="helm-${HELM_VERSION}-linux-amd64.tar.gz"
-ARG HELM_SHA256="56ae2d5d08c68d6e7400d462d6ed10c929effac929fedce18d2636a9b4e166ba"
-RUN wget ${HELM_LOCATION}/${HELM_FILENAME} && \
-    sha256sum ${HELM_FILENAME} | grep -q "${HELM_SHA256}" && \
-    tar zxf ${HELM_FILENAME} && mv /linux-amd64/helm /usr/local/bin/ && \
-    rm ${HELM_FILENAME} && rm -r /linux-amd64
+RUN apk add --no-cache ca-certificates git bash curl jq yq openssh-client gnupg

-RUN mkdir -p "$(helm home)/plugins"
-RUN helm plugin install https://github.com/databus23/helm-diff && \
-    helm plugin install https://github.com/futuresimple/helm-secrets
+ARG TARGETARCH TARGETOS TARGETPLATFORM

-COPY --from=builder /go/src/github.com/roboll/helmfile/dist/helmfile_linux_amd64 /usr/local/bin/helmfile
+# Set Helm home variables so that also non-root users can use plugins etc.
+ARG HOME="/helm"
+ENV HOME="${HOME}"
+ARG HELM_CACHE_HOME="${HOME}/.cache/helm"
+ENV HELM_CACHE_HOME="${HELM_CACHE_HOME}"
+ARG HELM_CONFIG_HOME="${HOME}/.config/helm"
+ENV HELM_CONFIG_HOME="${HELM_CONFIG_HOME}"
+ARG HELM_DATA_HOME="${HOME}/.local/share/helm"
+ENV HELM_DATA_HOME="${HELM_DATA_HOME}"
+
+ARG HELM_VERSION="v3.19.0"
+ENV HELM_VERSION="${HELM_VERSION}"
+ARG HELM_LOCATION="https://get.helm.sh"
+ARG HELM_FILENAME="helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "${HELM_LOCATION}/${HELM_FILENAME}" && \
+    echo Verifying ${HELM_FILENAME}... && \
+    case ${TARGETPLATFORM} in \
+    "linux/amd64")  HELM_SHA256="a7f81ce08007091b86d8bd696eb4d86b8d0f2e1b9f6c714be62f82f96a594496"  ;; \
+    "linux/arm64")  HELM_SHA256="440cf7add0aee27ebc93fada965523c1dc2e0ab340d4348da2215737fc0d76ad"  ;; \
+    esac && \
+    echo "${HELM_SHA256}  ${HELM_FILENAME}" | sha256sum -c && \
+    echo Extracting ${HELM_FILENAME}... && \
+    tar xvf "${HELM_FILENAME}" -C /usr/local/bin --strip-components 1 ${TARGETOS}-${TARGETARCH}/helm && \
+    rm "${HELM_FILENAME}" && \
+    [ "$(helm version --template '{{.Version}}')" = "${HELM_VERSION}" ]
+
+# using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/
+# for now but in a future version of alpine (in the testing version at the time of writing)
+# we should be able to install using apk add.
+ENV KUBECTL_VERSION="v1.32.1"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl" && \
+    case ${TARGETPLATFORM} in \
+    "linux/amd64")  KUBECTL_SHA256="e16c80f1a9f94db31063477eb9e61a2e24c1a4eee09ba776b029048f5369db0c"  ;; \
+    "linux/arm64")  KUBECTL_SHA256="98206fd83a4fd17f013f8c61c33d0ae8ec3a7c53ec59ef3d6a0a9400862dc5b2"  ;; \
+    esac && \
+    echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c && \
+    chmod +x kubectl && \
+    mv kubectl /usr/local/bin/kubectl && \
+    [ "$(kubectl version -o json | jq -r '.clientVersion.gitVersion')" = "${KUBECTL_VERSION}" ]
+
+ENV KUSTOMIZE_VERSION="v5.4.3"
+ARG KUSTOMIZE_FILENAME="kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILENAME}" && \
+    case ${TARGETPLATFORM} in \
+    # Checksums are available at https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/checksums.txt
+    "linux/amd64")  KUSTOMIZE_SHA256="3669470b454d865c8184d6bce78df05e977c9aea31c30df3c669317d43bcc7a7"  ;; \
+    "linux/arm64")  KUSTOMIZE_SHA256="1b515578b0af12c15d9856720066ce2fe66756d63785b2cbccaf2885beb2381c"  ;; \
+    esac && \
+    echo "${KUSTOMIZE_SHA256}  ${KUSTOMIZE_FILENAME}" | sha256sum -c && \
+    tar xvf "${KUSTOMIZE_FILENAME}" -C /usr/local/bin && \
+    rm "${KUSTOMIZE_FILENAME}" && \
+    [ "$(kustomize version)" = "${KUSTOMIZE_VERSION}" ]
+
+ENV SOPS_VERSION="v3.10.2"
+ARG SOPS_FILENAME="sops-${SOPS_VERSION}.${TARGETOS}.${TARGETARCH}"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/${SOPS_FILENAME}" && \
+    chmod +x "${SOPS_FILENAME}" && \
+    mv "${SOPS_FILENAME}" /usr/local/bin/sops && \
+    sops --version --disable-version-check | grep -E "^sops ${SOPS_VERSION#v}"
+
+ENV AGE_VERSION="v1.2.1"
+ARG AGE_FILENAME="age-${AGE_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/${AGE_FILENAME}" && \
+    tar xvf "${AGE_FILENAME}" -C /usr/local/bin --strip-components 1 age/age age/age-keygen && \
+    rm "${AGE_FILENAME}" && \
+    [ "$(age --version)" = "${AGE_VERSION}" ] && \
+    [ "$(age-keygen --version)" = "${AGE_VERSION}" ]
+
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.13.1 && \
+    helm plugin install https://github.com/jkroepke/helm-secrets --version v4.6.5 && \
+    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.16.3 && \
+    helm plugin install https://github.com/aslafy-z/helm-git.git --version v1.3.0 && \
+    rm -rf ${HELM_CACHE_HOME}/plugins
+
+# Allow users other than root to use helm plugins located in root home
+RUN chmod 751 ${HOME}
+
+COPY --from=builder /workspace/helmfile/dist/helmfile_${TARGETOS}_${TARGETARCH} /usr/local/bin/helmfile

 CMD ["/usr/local/bin/helmfile"]
--- a/Dockerfile.debian-stable-slim
+++ b/Dockerfile.debian-stable-slim
@ -0,0 +1,116 @@
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
+
+RUN apk add --no-cache make git
+WORKDIR /workspace/helmfile
+
+COPY go.mod go.sum /workspace/helmfile/
+RUN go mod download
+
+COPY . /workspace/helmfile
+ARG TARGETARCH TARGETOS
+RUN make static-${TARGETOS}-${TARGETARCH}
+
+# -----------------------------------------------------------------------------
+
+FROM debian:stable-slim
+
+LABEL org.opencontainers.image.source=https://github.com/helmfile/helmfile
+
+RUN apt update -qq && \
+    apt install --no-install-recommends -y \
+    ca-certificates \
+    gnupg \
+    git bash curl jq wget openssh-client && \
+    rm -rf /var/lib/apt/lists/*
+
+ARG TARGETARCH TARGETOS TARGETPLATFORM
+
+RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_${TARGETOS}_${TARGETARCH} -O /usr/local/bin/yq &&\
+    chmod +x /usr/local/bin/yq
+
+# Set Helm home variables so that also non-root users can use plugins etc.
+ARG HOME="/helm"
+ENV HOME="${HOME}"
+ARG HELM_CACHE_HOME="${HOME}/.cache/helm"
+ENV HELM_CACHE_HOME="${HELM_CACHE_HOME}"
+ARG HELM_CONFIG_HOME="${HOME}/.config/helm"
+ENV HELM_CONFIG_HOME="${HELM_CONFIG_HOME}"
+ARG HELM_DATA_HOME="${HOME}/.local/share/helm"
+ENV HELM_DATA_HOME="${HELM_DATA_HOME}"
+
+ARG HELM_VERSION="v3.19.0"
+ENV HELM_VERSION="${HELM_VERSION}"
+ARG HELM_LOCATION="https://get.helm.sh"
+ARG HELM_FILENAME="helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "${HELM_LOCATION}/${HELM_FILENAME}" && \
+    echo Verifying ${HELM_FILENAME}... && \
+    case ${TARGETPLATFORM} in \
+    "linux/amd64")  HELM_SHA256="a7f81ce08007091b86d8bd696eb4d86b8d0f2e1b9f6c714be62f82f96a594496"  ;; \
+    "linux/arm64")  HELM_SHA256="440cf7add0aee27ebc93fada965523c1dc2e0ab340d4348da2215737fc0d76ad"  ;; \
+    esac && \
+    echo "${HELM_SHA256}  ${HELM_FILENAME}" | sha256sum -c && \
+    echo Extracting ${HELM_FILENAME}... && \
+    tar xvf "${HELM_FILENAME}" -C /usr/local/bin --strip-components 1 ${TARGETOS}-${TARGETARCH}/helm && \
+    rm "${HELM_FILENAME}" && \
+    [ "$(helm version --template '{{.Version}}')" = "${HELM_VERSION}" ]
+
+# using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/
+# for now but in a future version of alpine (in the testing version at the time of writing)
+# we should be able to install using apk add.
+ENV KUBECTL_VERSION="v1.32.1"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl" && \
+    case ${TARGETPLATFORM} in \
+    # checksums are available at https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl.sha256
+    "linux/amd64")  KUBECTL_SHA256="e16c80f1a9f94db31063477eb9e61a2e24c1a4eee09ba776b029048f5369db0c"  ;; \
+    "linux/arm64")  KUBECTL_SHA256="98206fd83a4fd17f013f8c61c33d0ae8ec3a7c53ec59ef3d6a0a9400862dc5b2"  ;; \
+    esac && \
+    echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c && \
+    chmod +x kubectl && \
+    mv kubectl /usr/local/bin/kubectl && \
+    [ "$(kubectl version -o json | jq -r '.clientVersion.gitVersion')" = "${KUBECTL_VERSION}" ]
+
+ENV KUSTOMIZE_VERSION="v5.4.3"
+ARG KUSTOMIZE_FILENAME="kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILENAME}" && \
+    case ${TARGETPLATFORM} in \
+    # Checksums are available at https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/checksums.txt
+    "linux/amd64")  KUSTOMIZE_SHA256="3669470b454d865c8184d6bce78df05e977c9aea31c30df3c669317d43bcc7a7"  ;; \
+    "linux/arm64")  KUSTOMIZE_SHA256="1b515578b0af12c15d9856720066ce2fe66756d63785b2cbccaf2885beb2381c"  ;; \
+    esac && \
+    echo "${KUSTOMIZE_SHA256}  ${KUSTOMIZE_FILENAME}" | sha256sum -c && \
+    tar xvf "${KUSTOMIZE_FILENAME}" -C /usr/local/bin && \
+    rm "${KUSTOMIZE_FILENAME}" && \
+    [ "$(kustomize version)" = "${KUSTOMIZE_VERSION}" ]
+
+ENV SOPS_VERSION="v3.10.2"
+ARG SOPS_FILENAME="sops-${SOPS_VERSION}.${TARGETOS}.${TARGETARCH}"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/${SOPS_FILENAME}" && \
+    chmod +x "${SOPS_FILENAME}" && \
+    mv "${SOPS_FILENAME}" /usr/local/bin/sops && \
+    sops --version --disable-version-check | grep -E "^sops ${SOPS_VERSION#v}"
+
+ENV AGE_VERSION="v1.2.1"
+ARG AGE_FILENAME="age-${AGE_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/${AGE_FILENAME}" && \
+    tar xvf "${AGE_FILENAME}" -C /usr/local/bin --strip-components 1 age/age age/age-keygen && \
+    rm "${AGE_FILENAME}" && \
+    [ "$(age --version)" = "${AGE_VERSION}" ] && \
+    [ "$(age-keygen --version)" = "${AGE_VERSION}" ]
+
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.13.1 && \
+    helm plugin install https://github.com/jkroepke/helm-secrets --version v4.6.5 && \
+    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.16.3 && \
+    helm plugin install https://github.com/aslafy-z/helm-git.git --version v1.3.0 && \
+    rm -rf ${HELM_CACHE_HOME}/plugins
+
+# Allow users other than root to use helm plugins located in root home
+RUN chmod 751 ${HOME}
+
+COPY --from=builder /workspace/helmfile/dist/helmfile_${TARGETOS}_${TARGETARCH} /usr/local/bin/helmfile
+
+CMD ["/usr/local/bin/helmfile"]
--- a/Dockerfile.ubuntu
+++ b/Dockerfile.ubuntu
@ -0,0 +1,116 @@
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
+
+RUN apk add --no-cache make git
+WORKDIR /workspace/helmfile
+
+COPY go.mod go.sum /workspace/helmfile/
+RUN go mod download
+
+COPY . /workspace/helmfile
+ARG TARGETARCH TARGETOS
+RUN make static-${TARGETOS}-${TARGETARCH}
+
+# -----------------------------------------------------------------------------
+
+FROM ubuntu:24.04
+
+LABEL org.opencontainers.image.source=https://github.com/helmfile/helmfile
+
+RUN apt update -qq && \
+    apt install --no-install-recommends -y \
+    ca-certificates \
+    gnupg \
+    git bash curl jq wget openssh-client && \
+    rm -rf /var/lib/apt/lists/*
+
+ARG TARGETARCH TARGETOS TARGETPLATFORM
+
+RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_${TARGETOS}_${TARGETARCH} -O /usr/local/bin/yq &&\
+    chmod +x /usr/local/bin/yq
+
+# Set Helm home variables so that also non-root users can use plugins etc.
+ARG HOME="/helm"
+ENV HOME="${HOME}"
+ARG HELM_CACHE_HOME="${HOME}/.cache/helm"
+ENV HELM_CACHE_HOME="${HELM_CACHE_HOME}"
+ARG HELM_CONFIG_HOME="${HOME}/.config/helm"
+ENV HELM_CONFIG_HOME="${HELM_CONFIG_HOME}"
+ARG HELM_DATA_HOME="${HOME}/.local/share/helm"
+ENV HELM_DATA_HOME="${HELM_DATA_HOME}"
+
+ARG HELM_VERSION="v3.19.0"
+ENV HELM_VERSION="${HELM_VERSION}"
+ARG HELM_LOCATION="https://get.helm.sh"
+ARG HELM_FILENAME="helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "${HELM_LOCATION}/${HELM_FILENAME}" && \
+    echo Verifying ${HELM_FILENAME}... && \
+    case ${TARGETPLATFORM} in \
+    "linux/amd64")  HELM_SHA256="a7f81ce08007091b86d8bd696eb4d86b8d0f2e1b9f6c714be62f82f96a594496"  ;; \
+    "linux/arm64")  HELM_SHA256="440cf7add0aee27ebc93fada965523c1dc2e0ab340d4348da2215737fc0d76ad"  ;; \
+    esac && \
+    echo "${HELM_SHA256}  ${HELM_FILENAME}" | sha256sum -c && \
+    echo Extracting ${HELM_FILENAME}... && \
+    tar xvf "${HELM_FILENAME}" -C /usr/local/bin --strip-components 1 ${TARGETOS}-${TARGETARCH}/helm && \
+    rm "${HELM_FILENAME}" && \
+    [ "$(helm version --template '{{.Version}}')" = "${HELM_VERSION}" ]
+
+# using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/
+# for now but in a future version of alpine (in the testing version at the time of writing)
+# we should be able to install using apk add.
+ENV KUBECTL_VERSION="v1.32.1"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl" && \
+    case ${TARGETPLATFORM} in \
+    # checksums are available at https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl.sha256
+    "linux/amd64")  KUBECTL_SHA256="e16c80f1a9f94db31063477eb9e61a2e24c1a4eee09ba776b029048f5369db0c"  ;; \
+    "linux/arm64")  KUBECTL_SHA256="98206fd83a4fd17f013f8c61c33d0ae8ec3a7c53ec59ef3d6a0a9400862dc5b2"  ;; \
+    esac && \
+    echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c && \
+    chmod +x kubectl && \
+    mv kubectl /usr/local/bin/kubectl && \
+    [ "$(kubectl version -o json | jq -r '.clientVersion.gitVersion')" = "${KUBECTL_VERSION}" ]
+
+ENV KUSTOMIZE_VERSION="v5.4.3"
+ARG KUSTOMIZE_FILENAME="kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILENAME}" && \
+    case ${TARGETPLATFORM} in \
+    # Checksums are available at https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/checksums.txt
+    "linux/amd64")  KUSTOMIZE_SHA256="3669470b454d865c8184d6bce78df05e977c9aea31c30df3c669317d43bcc7a7"  ;; \
+    "linux/arm64")  KUSTOMIZE_SHA256="1b515578b0af12c15d9856720066ce2fe66756d63785b2cbccaf2885beb2381c"  ;; \
+    esac && \
+    echo "${KUSTOMIZE_SHA256}  ${KUSTOMIZE_FILENAME}" | sha256sum -c && \
+    tar xvf "${KUSTOMIZE_FILENAME}" -C /usr/local/bin && \
+    rm "${KUSTOMIZE_FILENAME}" && \
+    [ "$(kustomize version)" = "${KUSTOMIZE_VERSION}" ]
+
+ENV SOPS_VERSION="v3.10.2"
+ARG SOPS_FILENAME="sops-${SOPS_VERSION}.${TARGETOS}.${TARGETARCH}"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/${SOPS_FILENAME}" && \
+    chmod +x "${SOPS_FILENAME}" && \
+    mv "${SOPS_FILENAME}" /usr/local/bin/sops && \
+    sops --version --disable-version-check | grep -E "^sops ${SOPS_VERSION#v}"
+
+ENV AGE_VERSION="v1.2.1"
+ARG AGE_FILENAME="age-${AGE_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz"
+RUN set -x && \
+    curl --retry 5 --retry-connrefused -LO "https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/${AGE_FILENAME}" && \
+    tar xvf "${AGE_FILENAME}" -C /usr/local/bin --strip-components 1 age/age age/age-keygen && \
+    rm "${AGE_FILENAME}" && \
+    [ "$(age --version)" = "${AGE_VERSION}" ] && \
+    [ "$(age-keygen --version)" = "${AGE_VERSION}" ]
+
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.13.1 && \
+    helm plugin install https://github.com/jkroepke/helm-secrets --version v4.6.5 && \
+    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.16.3 && \
+    helm plugin install https://github.com/aslafy-z/helm-git.git --version v1.3.0 && \
+    rm -rf ${HELM_CACHE_HOME}/plugins
+
+# Allow users other than root to use helm plugins located in root home
+RUN chmod 751 ${HOME}
+
+COPY --from=builder /workspace/helmfile/dist/helmfile_${TARGETOS}_${TARGETARCH} /usr/local/bin/helmfile
+
+CMD ["/usr/local/bin/helmfile"]
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -1,90 +0,0 @@
-# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
-
-
-[[projects]]
-  name = "github.com/Masterminds/semver"
-  packages = ["."]
-  revision = "8d82589cda2d7b5b9167396841975c4535c9bec6"
-  version = "v1.4.1"
-
-[[projects]]
-  name = "github.com/Masterminds/sprig"
-  packages = ["."]
-  revision = "6b2a58267f6a8b1dc8e2eb5519b984008fa85e8c"
-  version = "v2.15.0"
-
-[[projects]]
-  name = "github.com/aokoli/goutils"
-  packages = ["."]
-  revision = "3391d3790d23d03408670993e957e8f408993c34"
-  version = "v1.0.1"
-
-[[projects]]
-  name = "github.com/google/uuid"
-  packages = ["."]
-  revision = "064e2069ce9c359c118179501254f67d7d37ba24"
-  version = "0.2"
-
-[[projects]]
-  name = "github.com/huandu/xstrings"
-  packages = ["."]
-  revision = "2bf18b218c51864a87384c06996e40ff9dcff8e1"
-  version = "v1.0.0"
-
-[[projects]]
-  name = "github.com/imdario/mergo"
-  packages = ["."]
-  revision = "9d5f1277e9a8ed20c3684bda8fde67c05628518c"
-  version = "v0.3.4"
-
-[[projects]]
-  name = "github.com/urfave/cli"
-  packages = ["."]
-  revision = "6011f165dc288c72abd8acd7722f837c5c64198d"
-
-[[projects]]
-  name = "go.uber.org/atomic"
-  packages = ["."]
-  revision = "1ea20fb1cbb1cc08cbd0d913a96dead89aa18289"
-  version = "v1.3.2"
-
-[[projects]]
-  name = "go.uber.org/multierr"
-  packages = ["."]
-  revision = "3c4937480c32f4c13a875a1829af76c98ca3d40a"
-  version = "v1.1.0"
-
-[[projects]]
-  name = "go.uber.org/zap"
-  packages = [
-    ".",
-    "buffer",
-    "internal/bufferpool",
-    "internal/color",
-    "internal/exit",
-    "zapcore"
-  ]
-  revision = "eeedf312bc6c57391d84767a4cd413f02a917974"
-  version = "v1.8.0"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/crypto"
-  packages = [
-    "pbkdf2",
-    "scrypt"
-  ]
-  revision = "b2aa35443fbc700ab74c586ae79b81c171851023"
-
-[[projects]]
-  name = "gopkg.in/yaml.v2"
-  packages = ["."]
-  revision = "5420a8b6744d3b0345ab293f6fcba19c978f1183"
-  version = "v2.2.1"
-
-[solve-meta]
-  analyzer-name = "dep"
-  analyzer-version = 1
-  inputs-digest = "57e868f6ae57c81a07ee682742f3b71bf5c7956311a3bb8ea76459677fc104c7"
-  solver-name = "gps-cdcl"
-  solver-version = 1
--- a/Gopkg.toml
+++ b/Gopkg.toml
@ -1,11 +0,0 @@
-[[constraint]]
-  name = "github.com/Masterminds/sprig"
-  version = "2.15.0"
-
-[[constraint]]
-  branch = "v2"
-  name = "gopkg.in/yaml.v2"
-
-[prune]
-  go-tests = true
-  unused-packages = true
--- a/87
+++ b/87
@ -1,8 +1,28 @@
 ORG     ?= $(shell basename $(realpath ..))
 PKGS    := $(shell go list ./... | grep -v /vendor/)

+TAG  ?= $(shell git describe --tags --abbrev=0 HEAD)
+LAST = $(shell git describe --tags --abbrev=0 HEAD^)
+BODY = "`git log ${LAST}..HEAD --oneline --decorate` `printf '\n\#\#\# [Build Info](${BUILD_URL})'`"
+DATE_FMT = +"%Y-%m-%dT%H:%M:%S%z"
+ifdef SOURCE_DATE_EPOCH
+    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)")
+else
+    BUILD_DATE ?= $(shell date "$(DATE_FMT)")
+endif
+
+
+# The ldflags for the Go build process to set the version related data
+GO_BUILD_VERSION_LDFLAGS=\
+  -X go.szostok.io/version.version=$(TAG) \
+  -X go.szostok.io/version.buildDate=$(BUILD_DATE) \
+  -X go.szostok.io/version.commit=$(shell git rev-parse --short HEAD) \
+  -X go.szostok.io/version.commitDate=$(shell git log -1 --date=format:"%Y-%m-%dT%H:%M:%S%z" --format=%cd) \
+  -X go.szostok.io/version.dirtyBuild=false
+
+
 build:
-	go build ${TARGETS}
+	go build -ldflags="$(GO_BUILD_VERSION_LDFLAGS)" ${TARGETS}
 .PHONY: build

 generate:
@ -11,38 +31,67 @@ generate:

 fmt:
 	go fmt ${PKGS}
+	gci write --skip-generated -s standard -s default -s 'prefix(github.com/helmfile/helmfile)' .
 .PHONY: fmt

 check:
 	go vet ${PKGS}
 .PHONY: check

+build-test-tools:
+	go build test/diff-yamls/diff-yamls.go
+	curl --progress-bar --location https://github.com/homeport/dyff/releases/download/v1.5.6/dyff_1.5.6_linux_amd64.tar.gz  | tar -xzf - -C `pwd` dyff
+.PHONY: build-test-tools
+
 test:
-	go test -v ${PKGS} -cover -race -p=1
+	@which helm &> /dev/null || (echo "helm binary not found. Please see: https://helm.sh/docs/intro/install/" && exit 1)
+	go build -o helmfile .
+	go test -v ${PKGS} -coverprofile cover.out -race -p=1
+	go tool cover -func cover.out
 .PHONY: test

 integration:
 	bash test/integration/run.sh
 .PHONY: integration

+integration/vagrant:
+	$(MAKE) build GOOS=linux GOARCH=amd64
+	$(MAKE) build-test-tools GOOS=linux GOARCH=amd64
+	vagrant up
+	vagrant ssh -c 'HELMFILE_HELM3=1 make -C /vagrant integration'
+.PHONY: integration/vagrant
+
 cross:
-	env CGO_ENABLED=0 gox -os '!freebsd !netbsd' -arch '!arm' -output "dist/{{.Dir}}_{{.OS}}_{{.Arch}}" -ldflags '-X main.Version=${TAG}' ${TARGETS}
+	env CGO_ENABLED=0 gox -parallel 4 -os 'windows darwin linux' -arch '386 amd64 arm64' -osarch '!darwin/386' -output "dist/{{.Dir}}_{{.OS}}_{{.Arch}}" -ldflags="$(GO_BUILD_VERSION_LDFLAGS)" ${TARGETS}
 .PHONY: cross

 static-linux:
-	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o "dist/helmfile_linux_amd64" -ldflags '-X main.Version=${TAG}' ${TARGETS}
-.PHONY: linux
+	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GOFLAGS=-mod=readonly go build -o "dist/helmfile_linux_amd64" -ldflags="$(GO_BUILD_VERSION_LDFLAGS)" ${TARGETS}
+.PHONY: static-linux
+
+static-linux-amd64:
+	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GOFLAGS=-mod=readonly go build -o "dist/helmfile_linux_amd64" -ldflags="$(GO_BUILD_VERSION_LDFLAGS)" ${TARGETS}
+.PHONY: static-linux-amd64
+
+static-linux-arm64:
+	env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOFLAGS=-mod=readonly go build -o "dist/helmfile_linux_arm64" -ldflags="$(GO_BUILD_VERSION_LDFLAGS)" ${TARGETS}
+.PHONY: static-linux-arm64
+
+install:
+	env CGO_ENABLED=0 go install -ldflags="$(GO_BUILD_VERSION_LDFLAGS)" ${TARGETS}
+.PHONY: install

 clean:
 	rm dist/helmfile_*
 .PHONY: clean

 pristine: generate fmt
-	git ls-files --exclude-standard --modified --deleted --others | diff /dev/null -
+	git diff | cat
+	git ls-files --exclude-standard --modified --deleted --others -x vendor  | grep -v '^go.' | diff /dev/null -
 .PHONY: pristine

 release: pristine cross
-	@ghr -b ${BODY} -t ${GITHUB_TOKEN} -u ${ORG} -recreate ${TAG} dist
+	@ghr -b ${BODY} -t ${GITHUB_TOKEN} -u ${ORG} ${TAG} dist
 .PHONY: release

 image:
@ -54,10 +103,28 @@ run: image
 push: image
 	docker push quay.io/${ORG}/helmfile:${TAG}

+image/debian:
+	docker build -f Dockerfile.debian -t quay.io/${ORG}/helmfile:${TAG}-stable-slim .
+
+push/debian: image/debian
+	docker push quay.io/${ORG}/helmfile:${TAG}-stable-slim
+
 tools:
 	go get -u github.com/tcnksm/ghr github.com/mitchellh/gox
 .PHONY: tools

-TAG  = $(shell git describe --tags --abbrev=0 HEAD)
-LAST = $(shell git describe --tags --abbrev=0 HEAD^)
-BODY = "`git log ${LAST}..HEAD --oneline --decorate` `printf '\n\#\#\# [Build Info](${BUILD_URL})'`"
+release/minor:
+	git checkout master
+	git pull --rebase origin master
+	bash -c 'if git branch | grep autorelease; then git branch -D autorelease; else echo no branch to be cleaned; fi'
+	git checkout -b autorelease origin/master
+	bash -c 'SEMTAG_REMOTE=origin hack/semtag final -s minor'
+	git checkout master
+
+release/patch:
+	git checkout master
+	git pull --rebase origin master
+	bash -c 'if git branch | grep autorelease; then git branch -D autorelease; else echo no branch to be cleaned; fi'
+	git checkout -b autorelease origin/master
+	bash -c 'SEMTAG_REMOTE=origin hack/semtag final -s patch'
+	git checkout master
--- a/README-zh_CN.md
+++ b/README-zh_CN.md
@ -0,0 +1,121 @@
+<!-- markdownlint-configure-file {
+  "MD013": {
+    "code_blocks": false,
+    "tables": false
+  },
+  "MD033": false,
+  "MD041": false
+} -->
+
+<div align="center" markdown="1">
+
+# Helmfile
+
+[![Tests](https://github.com/helmfile/helmfile/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/helmfile/helmfile/actions/workflows/ci.yaml?query=branch%3Amain)
+[![Container Image Repository on GHCR](https://ghcr-badge.egpl.dev/helmfile/helmfile/latest_tag?trim=major&label=latest "Docker Repository on ghcr")](https://github.com/helmfile/helmfile/pkgs/container/helmfile)
+[![Go Report Card](https://goreportcard.com/badge/github.com/helmfile/helmfile)](https://goreportcard.com/report/github.com/helmfile/helmfile)
+[![Slack Community #helmfile](https://slack.sweetops.com/badge.svg)](https://slack.sweetops.com)
+[![Documentation](https://readthedocs.org/projects/helmfile/badge/?version=latest&style=flat)](https://helmfile.readthedocs.io/en/latest/)
+[![Gurubase](https://img.shields.io/badge/Gurubase-Ask%20Helmfile%20Guru-006BFF)](https://gurubase.io/g/helmfile)
+[![zread](https://img.shields.io/badge/Ask_Zread-_.svg?style=flat&color=00b0aa&labelColor=000000&logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB3aWR0aD0iMTYiIGhlaWdodD0iMTYiIHZpZXdCb3g9IjAgMCAxNiAxNiIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTQuOTYxNTYgMS42MDAxSDIuMjQxNTZDMS44ODgxIDEuNjAwMSAxLjYwMTU2IDEuODg2NjQgMS42MDE1NiAyLjI0MDFWNC45NjAxQzEuNjAxNTYgNS4zMTM1NiAxLjg4ODEgNS42MDAxIDIuMjQxNTYgNS42MDAxSDQuOTYxNTZDNS4zMTUwMiA1LjYwMDEgNS42MDE1NiA1LjMxMzU2IDUuNjAxNTYgNC45NjAxVjIuMjQwMUM1LjYwMTU2IDEuODg2NjQgNS4zMTUwMiAxLjYwMDEgNC45NjE1NiAxLjYwMDFaIiBmaWxsPSIjZmZmIi8%2BCjxwYXRoIGQ9Ik00Ljk2MTU2IDEwLjM5OTlIMi4yNDE1NkMxLjg4ODEgMTAuMzk5OSAxLjYwMTU2IDEwLjY4NjQgMS42MDE1NiAxMS4wMzk5VjEzLjc1OTlDMS42MDE1NiAxNC4xMTM0IDEuODg4MSAxNC4zOTk5IDIuMjQxNTYgMTQuMzk5OUg0Ljk2MTU2QzUuMzE1MDIgMTQuMzk5OSA1LjYwMTU2IDE0LjExMzQgNS42MDE1NiAxMy43NTk5VjExLjAzOTlDNS42MDE1NiAxMC42ODY0IDUuMzE1MDIgMTAuMzk5OSA0Ljk2MTU2IDEwLjM5OTlaIiBmaWxsPSIjZmZmIi8%2BCjxwYXRoIGQ9Ik0xMy43NTg0IDEuNjAwMUgxMS4wMzg0QzEwLjY4NSAxLjYwMDEgMTAuMzk4NCAxLjg4NjY0IDEwLjM5ODQgMi4yNDAxVjQuOTYwMUMxMC4zOTg0IDUuMzEzNTYgMTAuNjg1IDUuNjAwMSAxMS4wMzg0IDUuNjAwMUgxMy43NTg0QzE0LjExMTkgNS42MDAxIDE0LjM5ODQgNS4zMTM1NiAxNC4zOTg0IDQuOTYwMVYyLjI0MDFDMTQuMzk4NCAxLjg4NjY0IDE0LjExMTkgMS42MDAxIDEzLjc1ODQgMS42MDAxWiIgZmlsbD0iI2ZmZiIvPgo8cGF0aCBkPSJNNCAxMkwxMiA0TDQgMTJaIiBmaWxsPSIjZmZmIi8%2BCjxwYXRoIGQ9Ik00IDEyTDEyIDQiIHN0cm9rZT0iI2ZmZiIgc3Ryb2tlLXdpZHRoPSIxLjUiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIvPgo8L3N2Zz4K&logoColor=ffffff)](https://zread.ai/helmfile/helmfile)
+
+声明式Helm Chart管理工具
+<br />
+
+</div>
+
+[English](./README.md) | [简体中文]
+
+# 关于
+
+Helmfile 是一个声明式Helm Chart管理工具
+
+> Helmfile 项目已经从原仓库 roboll/helmfile 转移到了 helmfile/helmfile。有关更多信息，请参见 roboll/helmfile#1824
+
+## 特性
+
+- 通过一个YAML集中管理集群中多个Helm Chart， 类似于Docker Compose统一管理Docker
+- 对Helm Chart根据部署环境区分管理
+- Helm Chart版本控制，比如指定版本范围、锁定某一版本
+- 快速识别 Kubernetes 集群内已经部署应用与新更改之间的差异
+- Helmfile支持Go Templates语法定义Helm Chart
+- 在部署阶段支持配置hook，可以执行脚本等，实现变量远程获取，报错清理，成功提醒等
+
+
+## 安装
+
+**方式1: 二进制安装**
+
+下载 [releases](https://github.com/helmfile/helmfile/releases)
+
+**方式2: 包管理工具**
+
+* Archlinux: `pacman -S helmfile`
+* openSUSE: `zypper in helmfile`
+* Windows: ([scoop](https://scoop.sh/)): `scoop install helmfile`
+* macOS ([homebrew](https://brew.sh/)): `brew install helmfile`
+
+**方式3: 容器**
+
+详细见：[run as a container](https://helmfile.readthedocs.io/en/latest/#running-as-a-container)
+
+> 安装后请运行一次 `helmfile init`。 检查[helm-diff](https://github.com/databus23/helm-diff) 等插件安装正确。
+
+## 使用
+
+让我们从最简单的 helmfile 开始，逐渐改进它以适应您的用例！
+
+假设表示您 helm releases 的期望状态的 helmfile.yaml 看起来像这样：
+
+```yaml
+repositories:
+- name: prometheus-community
+  url: https://prometheus-community.github.io/helm-charts
+
+releases:
+- name: prom-norbac-ubuntu
+  namespace: prometheus
+  chart: prometheus-community/prometheus
+  set:
+  - name: rbac.create
+    value: false
+```
+
+通过运行来同步您的Kubernetes集群状态到期望状态:
+
+```console
+helmfile apply
+```
+
+恭喜！您现在已经在集群内部运行了第一个Prometheus部署。
+
+
+## 文档
+
+[Documentation](https://helmfile.readthedocs.io/)
+
+
+## 参与贡献
+
+欢迎贡献！ 让我们一起使helmfile变得更好：[贡献指南](https://helmfile.readthedocs.io/en/latest/contributing/)
+
+
+## 使用者
+
+Helmfile 已经被许多用户在生产环境中使用:
+
+* [gitlab.com](https://gitlab.com)
+* [reddit.com](https://reddit.com)
+* [Jenkins](https://jenkins.io)
+* ...
+
+更多用户请参见: [Users](https://helmfile.readthedocs.io/en/latest/users/)
+
+
+## License
+
+[MIT](https://github.com/helmfile/helmfile/blob/main/LICENSE)
+
+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=helmfile/helmfile&type=Date)](https://star-history.com/#helmfile/helmfile&Date)
--- a/README.md
+++ b/README.md
@ -1,18 +1,32 @@
-# helmfile [![CircleCI](https://circleci.com/gh/roboll/helmfile.svg?style=svg)](https://circleci.com/gh/roboll/helmfile)
+<!-- markdownlint-configure-file {
+  "MD013": {
+    "code_blocks": false,
+    "tables": false
+  },
+  "MD033": false,
+  "MD041": false
+} -->
+
+<div align="center" markdown="1">
+
+# Helmfile
+
+[![Tests](https://github.com/helmfile/helmfile/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/helmfile/helmfile/actions/workflows/ci.yaml?query=branch%3Amain)
+[![Container Image Repository on GHCR](https://ghcr-badge.egpl.dev/helmfile/helmfile/latest_tag?trim=major&label=latest "Docker Repository on ghcr")](https://github.com/helmfile/helmfile/pkgs/container/helmfile)
+[![Go Report Card](https://goreportcard.com/badge/github.com/helmfile/helmfile)](https://goreportcard.com/report/github.com/helmfile/helmfile)
+[![Slack Community #helmfile](https://slack.sweetops.com/badge.svg)](https://slack.sweetops.com)
+[![Documentation](https://readthedocs.org/projects/helmfile/badge/?version=latest&style=flat)](https://helmfile.readthedocs.io/en/latest/)
+[![Gurubase](https://img.shields.io/badge/Gurubase-Ask%20Helmfile%20Guru-006BFF)](https://gurubase.io/g/helmfile)
+[![zread](https://img.shields.io/badge/Ask_Zread-_.svg?style=flat&color=00b0aa&labelColor=000000&logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB3aWR0aD0iMTYiIGhlaWdodD0iMTYiIHZpZXdCb3g9IjAgMCAxNiAxNiIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTQuOTYxNTYgMS42MDAxSDIuMjQxNTZDMS44ODgxIDEuNjAwMSAxLjYwMTU2IDEuODg2NjQgMS42MDE1NiAyLjI0MDFWNC45NjAxQzEuNjAxNTYgNS4zMTM1NiAxLjg4ODEgNS42MDAxIDIuMjQxNTYgNS42MDAxSDQuOTYxNTZDNS4zMTUwMiA1LjYwMDEgNS42MDE1NiA1LjMxMzU2IDUuNjAxNTYgNC45NjAxVjIuMjQwMUM1LjYwMTU2IDEuODg2NjQgNS4zMTUwMiAxLjYwMDEgNC45NjE1NiAxLjYwMDFaIiBmaWxsPSIjZmZmIi8%2BCjxwYXRoIGQ9Ik00Ljk2MTU2IDEwLjM5OTlIMi4yNDE1NkMxLjg4ODEgMTAuMzk5OSAxLjYwMTU2IDEwLjY4NjQgMS42MDE1NiAxMS4wMzk5VjEzLjc1OTlDMS42MDE1NiAxNC4xMTM0IDEuODg4MSAxNC4zOTk5IDIuMjQxNTYgMTQuMzk5OUg0Ljk2MTU2QzUuMzE1MDIgMTQuMzk5OSA1LjYwMTU2IDE0LjExMzQgNS42MDE1NiAxMy43NTk5VjExLjAzOTlDNS42MDE1NiAxMC42ODY0IDUuMzE1MDIgMTAuMzk5OSA0Ljk2MTU2IDEwLjM5OTlaIiBmaWxsPSIjZmZmIi8%2BCjxwYXRoIGQ9Ik0xMy43NTg0IDEuNjAwMUgxMS4wMzg0QzEwLjY4NSAxLjYwMDEgMTAuMzk4NCAxLjg4NjY0IDEwLjM5ODQgMi4yNDAxVjQuOTYwMUMxMC4zOTg0IDUuMzEzNTYgMTAuNjg1IDUuNjAwMSAxMS4wMzg0IDUuNjAwMUgxMy43NTg0QzE0LjExMTkgNS42MDAxIDE0LjM5ODQgNS4zMTM1NiAxNC4zOTg0IDQuOTYwMVYyLjI0MDFDMTQuMzk4NCAxLjg4NjY0IDE0LjExMTkgMS42MDAxIDEzLjc1ODQgMS42MDAxWiIgZmlsbD0iI2ZmZiIvPgo8cGF0aCBkPSJNNCAxMkwxMiA0TDQgMTJaIiBmaWxsPSIjZmZmIi8%2BCjxwYXRoIGQ9Ik00IDEyTDEyIDQiIHN0cm9rZT0iI2ZmZiIgc3Ryb2tlLXdpZHRoPSIxLjUiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIvPgo8L3N2Zz4K&logoColor=ffffff)](https://zread.ai/helmfile/helmfile)

 Deploy Kubernetes Helm Charts
+<br />

-[![Docker Repository on Quay](https://quay.io/repository/roboll/helmfile/status "Docker Repository on Quay")](https://quay.io/repository/roboll/helmfile)
+</div>

-## status
+English | [简体中文](./README-zh_CN.md)

-Even though Helmfile is used in production environments [across multiple organizations](USERS.md), it is still in its early stage of development, hence versioned 0.x.
-
-Helmfile complies to Semantic Versioning 2.0.0 in which v0.x means that there could be backward-incompatible changes for every release.
-
-Note that we will try our best to document any backward incompatibility.
-
-## about
+## About

 Helmfile is a declarative spec for deploying helm charts. It lets you...

@ -20,134 +34,61 @@ Helmfile is a declarative spec for deploying helm charts. It lets you...
 * Apply CI/CD to configuration changes.
 * Periodically sync to avoid skew in environments.

-To avoid upgrades for each iteration of `helm`, the `helmfile` executable delegates to `helm` - as a result, `helm` must be installed.
+To avoid upgrades for each iteration of `helm`, the `helmfile` executable delegates to `helm` - as a result, the following must be installed
+- [helm](https://helm.sh/docs/intro/install/)
+- [helm-diff](https://github.com/databus23/helm-diff)

-## configuration syntax
+## Highlights

-**CAUTION**: This documentation is for the development version of helmfile. If you are looking for the documentation for any of releases, please switch to the corresponding branch like [v0.12.0](https://github.com/roboll/helmfile/tree/v0.12.0).
+**Declarative**: Write, version-control, apply the desired state file for visibility and reproducibility.

-The default helmfile is `helmfile.yaml`:
+**Modules**: Modularize common patterns of your infrastructure, distribute it via Git, S3, etc. to be reused across the entire company (See [#648](https://github.com/roboll/helmfile/pull/648))

-```yaml
-repositories:
-  - name: roboll
-    url: http://roboll.io/charts
-    certFile: optional_client_cert
-    keyFile: optional_client_key
-    username: optional_username
-    password: optional_password
+**Versatility**: Manage your cluster consisting of charts, [kustomizations](https://github.com/kubernetes-sigs/kustomize), and directories of Kubernetes resources, turning everything to Helm releases (See [#673](https://github.com/roboll/helmfile/pull/673))

-context: kube-context					 # kube-context (--kube-context)
+**Patch**: JSON/Strategic-Merge Patch Kubernetes resources before `helm-install`ing, without forking upstream charts (See [#673](https://github.com/roboll/helmfile/pull/673))

-#default values to set for args along with dedicated keys that can be set by contributers, cli args take precedence overe these
-helmDefaults:           
-  tillerNamespace: tiller-namespace  #dedicated default key for tiller-namespace
-  kubeContext: kube-context          #dedicated default key for kube-context
-  args:
-    - "--recreate-pods"
-    - "--timeout=600"
-    - "--force"
+## Status

-releases:
-  # Published chart example
-  - name: vault                            # name of this release
-    namespace: vault                       # target namespace
-    labels:                                  # Arbitrary key value pairs for filtering releases
-      foo: bar
-    chart: roboll/vault-secret-manager     # the chart being installed to create this release, referenced by `repository/chart` syntax
-    version: ~1.24.1                       # the semver of the chart. range constraint is supported
-    values:
-      # value files passed via --values
-      - vault.yaml
-      # inline values, passed via a temporary values file and --values
-      - address: https://vault.example.com
-        db:
-          username: {{ requiredEnv "DB_USERNAME" }}
-          # value taken from environment variable. Quotes are necessary. Will throw an error if the environment variable is not set. $DB_PASSWORD needs to be set in the calling environment ex: export DB_PASSWORD='password1'
-          password: {{ requiredEnv "DB_PASSWORD" }}
-        proxy:
-          # Interpolate environment variable with a fixed string
-          domain: {{ requiredEnv "PLATFORM_ID" }}.my-domain.com
-          scheme: {{ env "SCHEME" | default "https" }}
-    set:
-    # single value loaded from a local file, translates to --set-file foo.config=path/to/file
-    - name: foo.config
-      file: path/to/file
-    # set a single array value in an array, translates to --set bar[0]={1,2}
-    - name: bar[0]
-      values:
-      - 1
-      - 2
-    # will attempt to decrypt it using helm-secrets plugin
-    secrets:
-      - vault_secret.yaml
-    # wait for k8s resources via --wait. Defaults to `false`
-    wait: true
+May 2025 Update

-  # Local chart example
-  - name: grafana                            # name of this release
-    namespace: another                       # target namespace
-    chart: ../my-charts/grafana              # the chart being installed to create this release, referenced by relative path to local chart
-    values:
-    - "../../my-values/grafana/values.yaml"             # Values file (relative path to manifest)
-    - ./values/{{ requiredEnv "PLATFORM_ENV" }}/config.yaml # Values file taken from path with environment variable. $PLATFORM_ENV must be set in the calling environment.
-    wait: true
+* Helmfile v1.0 and v1.1 has been released. We recommend upgrading directly to v1.1 if you are still using v0.x.
+* If you haven't already upgraded, please go over this v1 proposal [here](docs/proposals/towards-1.0.md) to see a small list of breaking changes.

-```
+## Installation

-## Templating
+**1: Binary Installation**

-Helmfile uses [Go templates](https://godoc.org/text/template) for templating your helmfile.yaml. While go ships several built-in functions, we have added all of the functions in the [Sprig library](https://godoc.org/github.com/Masterminds/sprig).
+download one of [releases](https://github.com/helmfile/helmfile/releases)

-We also added one special template function: `requiredEnv`.
-The `requiredEnv` function allows you to declare a particular environment variable as required for template rendering.
-If the environment variable is unset or empty, the template rendering will fail with an error message.
+**2: Package Manager**

-## Using environment variables
+* Archlinux: install via `pacman -S helmfile`
+* openSUSE: install via `zypper in helmfile` assuming you are on Tumbleweed; if you are on Leap you must add the [kubic](https://download.opensuse.org/repositories/devel:/kubic/) repo for your distribution version once before that command, e.g. `zypper ar https://download.opensuse.org/repositories/devel:/kubic/openSUSE_Leap_\$releasever kubic`
+* Windows (using [scoop](https://scoop.sh/)): `scoop install helmfile`
+* macOS (using [homebrew](https://brew.sh/)): `brew install helmfile`

-Environment variables can be used in most places for templating the helmfile. Currently this is supported for `name`, `namespace`, `value` (in set), `values` and `url` (in repositories).
+**3: Container**

-Examples:
+For more details, see [run as a container](https://helmfile.readthedocs.io/en/latest/#running-as-a-container)

-```yaml
-respositories:
- name: your-private-git-repo-hosted-charts
-  url: https://{{ requiredEnv "GITHUB_TOKEN"}}@raw.githubusercontent.com/kmzfs/helm-repo-in-github/master/
-```
+> Make sure to run `helmfile init` once after installation. Helmfile uses the [helm-diff](https://github.com/databus23/helm-diff) plugin.

-```yaml
-releases:
-  - name: {{ requiredEnv "NAME" }}-vault
-    namespace: {{ requiredEnv "NAME" }}
-    chart: roboll/vault-secret-manager
-    values:
-      - db:
-          username: {{ requiredEnv "DB_USERNAME" }}
-          password: {{ requiredEnv "DB_PASSWORD" }}
-    set:
-      - name: proxy.domain
-        value: {{ requiredEnv "PLATFORM_ID" }}.my-domain.com
-      - name: proxy.scheme
-        value: {{ env "SCHEME" | default "https" }}
-```
-
-## installation
-
- `go get github.com/roboll/helmfile` or
- download one of [releases](https://github.com/roboll/helmfile/releases) or
- run as a [container](https://quay.io/roboll/helmfile)
-
-## getting started
+## Getting Started

 Let's start with a simple `helmfile` and gradually improve it to fit your use-case!

 Suppose the `helmfile.yaml` representing the desired state of your helm releases looks like:

 ```yaml
+repositories:
+- name: prometheus-community
+  url: https://prometheus-community.github.io/helm-charts
+
 releases:
 - name: prom-norbac-ubuntu
  namespace: prometheus
-  chart: stable/prometheus
+  chart: prometheus-community/prometheus
  set:
  - name: rbac.create
    value: false
@ -156,126 +97,53 @@ releases:
 Sync your Kubernetes cluster state to the desired one by running:

 ```console
-helmfile sync
+helmfile apply
 ```

-Congratulations! You now have your first Prometheus deployment running inside your cluster.
+Congratulations! You now have your first Prometheus deployment running inside
+ your cluster.

-Iterate on the `helmfile.yaml` by referencing the [configuration syntax](#configuration-syntax) and the [cli reference](#cli-reference).
+Iterate on the `helmfile.yaml` by referencing:

-## cli reference
+* [Configuration](https://helmfile.readthedocs.io/en/latest/#configuration)
+* [CLI reference](https://helmfile.readthedocs.io/en/latest/#cli-reference)
+* [Helmfile Best Practices Guide](https://helmfile.readthedocs.io/en/latest/writing-helmfile/)

-```
-NAME:
-   helmfile -
+## More complex examples

-USAGE:
-   helmfile [global options] command [command options] [arguments...]
+See: [multi-env-helmfile](https://github.com/helmfile/multi-env-helmfile)

-COMMANDS:
-     repos   sync repositories from state file (helm repo add && helm repo update)
-     charts  sync charts from state file (helm upgrade --install)
-     diff    diff charts from state file against env (helm diff)
-     lint    lint charts from state file (helm lint)
-     sync    sync all resources from state file (repos, charts and local chart deps)
-     status  retrieve status of releases in state file
-     delete  delete charts from state file (helm delete)
-     test    tets releases from state file (helm test)
+## Docs

-GLOBAL OPTIONS:
-   --file FILE, -f FILE         load config from FILE (default: "helmfile.yaml")
-   --quiet, -q                  silence output
-   --namespace value, -n value  Set namespace. Uses the namespace set in the context by default
-   --selector,l value           Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar.
-	                              A release must match all labels in a group in order to be used. Multiple groups can be specified at once.
-	                              --selector tier=frontend,tier!=proxy --selector tier=backend. Will match all frontend, non-proxy releases AND all backend releases.
-	                              The name of a release can be used as a label. --selector name=myrelease
-   --kube-context value         Set kubectl context. Uses current context by default
-   --help, -h                   show help
-   --version, -v                print the version
-```
+Please read [complete documentation](https://helmfile.readthedocs.io/)

-### sync
+## Contributing

-The `helmfile sync` sub-command sync your cluster state as described in your `helmfile`. The default helmfile is `helmfile.yaml`, but any yaml file can be passed by specifying a `--file path/to/your/yaml/file` flag.
+Welcome to contribute together to make helmfile better: [contributing doc](https://helmfile.readthedocs.io/en/latest/contributing/)

-Under the covers, Helmfile executes `helm upgrade --install` for each `release` declared in the manifest, by optionally decrypting [secrets](#secrets) to be consumed as helm chart values. It also updates specified chart repositories and updates the
-dependencies of any referenced local charts.
+## Attribution

-For Helm 2.9+ you can use a username and password to authenticate to a remote repository.
+We use:

-### diff
+* [semtag](https://github.com/pnikosis/semtag) for automated semver tagging.
+I greatly appreciate the author(pnikosis)'s effort on creating it and their
+kindness to share it!

-The `helmfile diff` sub-command executes the [helm-diff](https://github.com/databus23/helm-diff) plugin across all of
-the charts/releases defined in the manifest.
+## Users

-To supply the diff functionality Helmfile needs the [helm-diff](https://github.com/databus23/helm-diff) plugin v2.9.0+1 or greater installed. For Helm 2.3+
-you should be able to simply execute `helm plugin install https://github.com/databus23/helm-diff`. For more details
-please look at their [documentation](https://github.com/databus23/helm-diff#helm-diff-plugin).
+Helmfile has been used by many users in production:

-### delete
+* [gitlab.com](https://gitlab.com)
+* [reddit.com](https://reddit.com)
+* [Jenkins](https://jenkins.io)
+* ...

-The `helmfile delete` sub-command deletes all the releases defined in the manfiests
+For more users, please see: [Users](https://helmfile.readthedocs.io/en/latest/users/)

-Note that `delete` doesn't purge releases. So `helmfile delete && helmfile sync` results in sync failed due to that releases names are not deleted but preserved for future references. If you really want to remove releases for reuse, add `--purge` flag to run it like `helmfile delete --purge`.
+## License

-### secrets
+[MIT](https://github.com/helmfile/helmfile/blob/main/LICENSE)

-The `secrets` parameter in a `helmfile.yaml` causes the [helm-secrets](https://github.com/futuresimple/helm-secrets) plugin to be executed to decrypt the file.
+## Star History

-To supply the secret functionality Helmfile needs the `helm secrets` plugin installed. For Helm 2.3+
-you should be able to simply execute `helm plugin install https://github.com/futuresimple/helm-secrets
-`.
-
-### test
-
-The `helmfile test` sub-command runs a `helm test` against specified releases in the manifest, default to all
-
-Use `--cleanup` to delete pods upon completion.
-
-### lint
-
-The `helmfile lint` sub-command runs a `helm lint` across all of the charts/releases defined in the manifest. Non local charts will be fetched into a temporary folder which will be deleted once the task is completed.
-
-## Paths Overview
-Using manifest files in conjunction with command line argument can be a bit confusing.
-
-A few rules to clear up this ambiguity:
-
- Absolute paths are always resolved as absolute paths
- Relative paths referenced *in* the helmfile manifest itself are relative to that manifest
- Relative paths referenced on the command line are relative to the current working directory the user is in
-
-For additional context, take a look at [paths examples](PATHS.md)
-
-## Labels Overview
-A selector can be used to only target a subset of releases when running helmfile. This is useful for large helmfiles with releases that are logically grouped together.
-
-Labels are simple key value pairs that are an optional field of the release spec. When selecting by label, the search can be inverted. `tier!=backend` would match all releases that do NOT have the `tier: backend` label. `tier=fronted` would only match releases with the `tier: frontend` label.
-
-Multiple labels can be specified using `,` as a separator. A release must match all selectors in order to be selected for the final helm command.
-
-The `selector` parameter can be specified multiple times. Each parameter is resolved independently so a release that matches any parameter will be used.
-
-`--selector tier=frontend --selector tier=backend` will select all the charts
-
-## Using env files
-
-helmfile itself doesn't have an ability to load env files. But you can write some bash script to achieve the goal:
-
-```console
-set -a; . .env; set +a; helmfile sync
-```
-
-Please see #203 for more context.
-
-## Running helmfile without an Internet connection
-
-Once you download all required charts into your machine, you can run `helmfile charts` to deploy your apps.
-It basically run only `helm upgrade --install` with your already-downloaded charts, hence no Internet connection is required.
-See #155 for more information on this topic.
-
-
-## Examples
-
-For more examples, see the [examples/README.md](https://github.com/roboll/helmfile/blob/master/examples/README.md) or the [`helmfile.d`](https://github.com/cloudposse/helmfiles/tree/master/helmfile.d) distribution of helmfiles by [Cloud Posse](https://github.com/cloudposse/).
+[![Star History Chart](https://api.star-history.com/svg?repos=helmfile/helmfile&type=Date)](https://star-history.com/#helmfile/helmfile&Date)
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,25 @@
+# Security Policy
+
+##  Sponsoring the project
+
+This project is maintained by a small team of four and therefore lacks the resource to provide security fixes in a very timely manner.
+
+That said, even though we are very passionate about making Helmfile rock solid security wise, all issues are handled on the best effort basis.
+
+If you have important business(es) that relies on this project, please consider sponsoring the maintainers, so that they can commit more on providing such service.
+
+> *Note* that we don't currently have project-wide sponsorship enabled as we don't know how to share the amount of sponsorships with fairness.
+> Please sponsor individuals instead! Thanks for your understanding.
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.144.0  | :white_check_mark: |
+| < 0.144.0| :x:                |
+
+## Reporting a Vulnerability
+
+To report a security issue, please email helmfile-security@googlegroups.com with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+
+A maintainer will try to respond within 5 working days. If the issue is confirmed as a vulnerability, a Security Advisory will be opened. This project currently tries to follow a 90 day disclosure timeline.
--- a/USERS.md
+++ b/USERS.md
@ -1,18 +1,44 @@
 # Helmfile Users

-The following table is compiled from public information or from survey responses. If you are using Helmfile in your
-company or organization, we would like to invite you to [participate in our user survey](https://docs.google.com/forms/d/e/1FAIpQLSfrF5kR9nXsr5yWqNZGgN-KquM1mBTuYNn5lRmEVXEvhq0VIQ/viewform)
-to help us extend this list.
+Who's actually using Helmfile? The following table is compiled from public information, survey response and PRs. It's
+likely this is only a small selection of actual users, but it's a start.
+
+If you are using Helmfile in your company or organization, we would like to invite you to create a PR to add your
+information to this file.

 <!-- TABLE_START -->
-| Organization | Workload | More Info | Location |
-|---|---|---|---|
-| [reddit.com](https://www.reddit.com/) | production | [GitHub issue](https://github.com/roboll/helmfile/issues/96#issue-312012249) | San Francisco, CA, US |
-| [ricardo.ch](https://www.ricardo.ch/) | proof-of-concept | | Zug, Switzerland |
+| Organization | Workload | More Info | Location | Added |
+|---|---|---|---|---|
+| [reddit.com](https://www.reddit.com/) | production | [GitHub issue](https://github.com/roboll/helmfile/issues/96#issue-312012249), [Talk](https://www.slideshare.net/GregoryTaylor11/helm-at-reddit-from-local-dev-staging-to-production) | San Francisco, CA | April 2018 |
+| [gitlab.com](https://gitlab.com/) | production | [Gitlab Project](https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-com/-/tree/master) | * | August 2022 |
+| [ricardo.ch](https://www.ricardo.ch/) | production | We're deploying our complete application platform using Helmfile. | Zug, Switzerland | April 2018 |
+| [Hellofresh](https://engineering.hellofresh.com/) | production | We've been using helmfile in production since April 2018 for deploying all our infrastructure applications | Berlin, Germany | April 2018 |
+| [Cherre](https://cherre.com/) | production | We have no public posts about using Helmfile, but we have been using it for a long time now | New York, NY | October 2018 |
+| [Sight Machine](https://sightmachine.com/) | production | We don't have anything publicly posted about it, but have been using it for quite a while in production. | San Francisco, CA and Ann Arbor, MI | December 2018 |
+| [TailorMed](https://tailormed.co/) | production | We're deploying all of our platform and all K8s resources using Helmfile. The power of Helmfile are more then amazing. Thank you! | Tel-Aviv, Israel | September 2020 |
+| [VSHN – The DevOps Company](https://vshn.ch) | production	| | Zurich, Switzerland | March 2019 |
+| [Vlocity](https://vlocity.com/) | proof-of-concept | | Melbourne, Australia | March 2019 |
+| [transit](https://transit.app/) | production | [Blog post](https://medium.com/@naseem_60378/helmfile-its-like-a-helm-for-your-helm-74a908581599). | Montreal, Canada | March 2019 |
+| [uniqkey](https://uniqkey.eu/) | production | [Wiki Page](https://ocd-scm.github.io/ocd-meta/) | Copenhagen, Denmark | April 2019 |
+| [bitsofinfo](https://github.com/bitsofinfo/helmfile-deploy) | production | Used with [helmfile-deploy](https://github.com/bitsofinfo/helmfile-deploy) to manage releases for dozens of apps | USA | July 2019 |
+| [kloeckner-i](https://www.kloeckner-i.com/) | production | We are deploying our standard tools via helmfile to all our clusters.  | Berlin, Germany | September 2019 |
+| [American Express](https://www.americanexpress.com) | proof-of-concept | Orchestration of both internal cluster workloads and local developer environments. | London, GB | January 2020 |
+| [Sportradar](https://www.sportradar.com) | production | Since mid-2019, we've been deploying our core infrastructure and several application stacks with Helmfile. | St. Gallen, Switzerland | March 2020 |
+| [PedidosYa](https://www.pedidosya.com) | production | | Montevideo, Uruguay | June 2020 |
+| [Jenkins](https://jenkins.io) | production | [jenkins-infra/kubernetes-management](https://github.com/jenkins-infra/kubernetes-management) | * | July 2020 |
+| [SettleMint](https://settlemint.com) | production | The SettleMint platform allows enterprises to spin up k8s clusters and deploy production grade blockchain networks and additional services. Helmfile is in charge of deploying these networks and services on demand out of the self service management ui. | Belgium, Singapore, UAE, India | October 2020 |
+| [AutoTrader (UK)](https://www.autotrader.co.uk) | production | We've used Helmfile for 2+ years to deploy 400+ services | UK | October 2020 |
+| [Trend Micro](https://www.trendmicro.com) | production | We manage 9 k8s clusters in a mono git repository with Helmfile | Taipei, Taiwan |  December 2019 |
+| [William Hill](https://www.williamhill.com) | production | We have standardised on Helmfile for managing both our application services and our Kubernetes platform components. | International |  March 2021 |
+| [The Hyve](https://www.thehyve.nl) | production | We've been using Helmfile since 2019 to deploy [Radar-base applications](https://github.com/RADAR-base/RADAR-Kubernetes). [Blog Post](https://www.thehyve.nl/articles/kubernetes-added-to-radar-base) | Utrecht, Netherlands |  April 2021 |
+| [IKEA US](https://www.ikea.com) | production | We started using Helmfile this year to shrink the boilerplate involved in deploying or microservices to cloud Kubernetes clusters. | Utrecht, Netherlands |  April 2021 |
+| [ShareGate](https://www.sharegate.com) | production | Used to deploy and sync our kubernetes workloads in Azure, using Azure Pipelines and custom extensions to [install](https://marketplace.visualstudio.com/items?itemName=GSoft.HelmfileInstaller) and [execute](https://marketplace.visualstudio.com/items?itemName=GSoft.HelmfileRunner) the cli. | Montreal, Canada |  June 2021 |
+| [subshell](https://subshell.com) | production | We're using helmfile since 2021 to deploy all our Kubernetes workloads into our clusters. We love helmfile for its simplicity and power. Thank you! | Hamburg, Germany | August 2022 |
+| [Norddeutscher Rundfunk](https://www.ndr.de) | production | Using Helmfile since 2020 to deploy workloads to several similar clusters (dev, qa, prod, test, etc.) for sites tagesschau.de and sportschau.de. Thank you so much for your awesome work! | Hamburg, Germany | August 2022 |
+| [Dealhub](https://dealhub.io/) | production | Helmfile was an essential part of our k8s migration. Keep up the good work! | Holon, Israel | January 2023 |
+| [BlueLabs](https://bluelabs.eu/) | production | Helmfile is the cornerstone of our lightweight, auditable and centralized GKE deployments. | Europe | February 2021 |
+| [Zhihu](https://www.zhihu.com/) | production | helmfile is an important tool for the deployment of our basic components, which can achieve standardization and auditability. |China, Beijing | December 2023 |
+| [Tudock](https://tudock.de) | production | We have no public post about it, but we recently started using Helmfile to deploy developer applications and have been very happy with the results! | Hamburg, Germany | March 2024 |
+| [Incentive.me](https://incentive.me/) | production | We use helmfile as the main tool for deploying our Kubernetes workloads. | Rio de Janeiro, Brazil | November 2021 |
+| [RightCapital](https://www.rightcapital.com/) | production | We use helmfile as the main tool for deploying our Kubernetes workloads. | Shelton, CT, USA | May 2019 |
 <!-- TABLE_END -->
-
-## Contact
-
-Please fill out [the Google form](https://docs.google.com/forms/d/e/1FAIpQLSfrF5kR9nXsr5yWqNZGgN-KquM1mBTuYNn5lRmEVXEvhq0VIQ/viewform) to add your organization instead of opening a PR.
-
-You can also [reach the maintainer on Twitter](https://twitter.com/DerCed).
--- a/args/args.go
+++ b/args/args.go
@ -1,100 +0,0 @@
-package args
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/roboll/helmfile/state"
-)
-
-type argMap struct {
-	m     map[string]string
-	flags []string
-}
-
-func (a *argMap) SetArg(flag, arg string) {
-	if _, exists := a.m[flag]; !exists {
-		a.m[flag] = arg
-		a.flags = append(a.flags, flag)
-	}
-}
-
-func newArgMap() *argMap {
-	return &argMap{m: map[string]string{}}
-}
-
-func GetArgs(args string, state *state.HelmState) []string {
-	//args := c.String("args")
-	argsMap := newArgMap()
-	spaceflagArg := map[string]bool{}
-
-	if len(args) > 0 {
-		argsVals := strings.Split(args, " ")
-		prevFlag := ""
-		for _, arg := range argsVals {
-			if strings.HasPrefix(arg, "--") {
-				argVal := strings.SplitN(arg, "=", 2)
-				if len(argVal) > 1 {
-					arg := argVal[0]
-					value := argVal[1]
-					argsMap.SetArg(arg, value)
-				} else {
-					argsMap.SetArg(arg, "")
-				}
-				prevFlag = arg
-			} else {
-				spaceflagArg[prevFlag] = true
-				argsMap.m[prevFlag] = arg
-			}
-		}
-	}
-
-	if len(state.HelmDefaults.Args) > 0 {
-		for _, arg := range state.HelmDefaults.Args {
-			var flag string
-			var val string
-
-			argsNum, _ := fmt.Sscanf(arg, "--%s %s", &flag, &val)
-			if argsNum == 2 {
-				argsMap.SetArg(flag, arg)
-			} else {
-				argVal := strings.SplitN(arg, "=", 2)
-				argFirst := argVal[0]
-				if len(argVal) > 1 {
-					val = argVal[1]
-					argsMap.SetArg(argFirst, val)
-				} else {
-					argsMap.SetArg(argFirst, "")
-				}
-			}
-		}
-	}
-
-	if state.HelmDefaults.TillerNamespace != "" {
-		argsMap.SetArg("--tiller-namespace", state.HelmDefaults.TillerNamespace)
-	}
-	if state.HelmDefaults.KubeContext != "" {
-		argsMap.SetArg("--kube-context", state.HelmDefaults.KubeContext)
-	}
-
-	var argArr []string
-
-	for _, flag := range argsMap.flags {
-		val := argsMap.m[flag]
-
-		if val != "" {
-			if spaceflagArg[flag] {
-				argArr = append(argArr, fmt.Sprintf("%s %s", flag, val))
-			} else {
-				argArr = append(argArr, fmt.Sprintf("%s=%s", flag, val))
-			}
-
-		} else {
-			argArr = append(argArr, fmt.Sprintf("%s", flag))
-		}
-	}
-
-	state.HelmDefaults.Args = argArr
-
-	return state.HelmDefaults.Args
-}
--- a/args/args_test.go
+++ b/args/args_test.go
@ -1,34 +0,0 @@
-package args
-
-import (
-	"fmt"
-	"strings"
-	"testing"
-
-	"github.com/roboll/helmfile/state"
-)
-
-func TestGetArgs(t *testing.T) {
-	args := "--timeout=3600 --set app1.bootstrap=true,app2.bootstrap=false --tiller-namespace ns"
-	defaultArgs := []string{"--recreate-pods", "--force"}
-	fmt.Println(defaultArgs)
-	fmt.Println(len(defaultArgs))
-	Helmdefaults := state.HelmSpec{KubeContext: "test", TillerNamespace: "test-namespace", Args: defaultArgs}
-	testState := &state.HelmState{HelmDefaults: Helmdefaults}
-	receivedArgs := GetArgs(args, testState)
-
-	expectedOutput := "--timeout=3600 --set app1.bootstrap=true,app2.bootstrap=false --tiller-namespace ns --recreate-pods --force --kube-context=test"
-
-	if compareArgs(expectedOutput, receivedArgs) == false {
-		t.Errorf("expected %s, got %s", expectedOutput, strings.Join(receivedArgs, " "))
-	}
-}
-
-func compareArgs(expectedArgs string, args []string) bool {
-
-	if strings.Compare(strings.Join(args, " "), expectedArgs) != 0 {
-		return false
-	}
-	return true
-
-}
--- a/cmd/apply.go
+++ b/cmd/apply.go
@ -0,0 +1,72 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewApplyCmd returns apply subcmd
+func NewApplyCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	applyOptions := &config.ApplyOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "apply",
+		Short: "Apply all resources from state file only when there are changes",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			applyImpl := config.NewApplyImpl(globalCfg, applyOptions)
+
+			err := config.NewCLIConfigImpl(applyImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := applyImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(applyImpl)
+			return toCLIError(applyImpl.GlobalImpl, a.Apply(applyImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.StringArrayVar(&applyOptions.Set, "set", nil, "additional values to be merged into the helm command --set flag")
+	f.StringArrayVar(&applyOptions.Values, "values", nil, "additional value files to be merged into the helm command --values flag")
+	f.IntVar(&applyOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+	f.BoolVar(&applyOptions.Validate, "validate", false, "validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, like the list of available API versions")
+	f.IntVar(&applyOptions.Context, "context", 0, "output NUM lines of context around changes")
+	f.StringVar(&applyOptions.Output, "output", "", "output format for diff plugin")
+	f.BoolVar(&applyOptions.DetailedExitcode, "detailed-exitcode", false, "return a non-zero exit code 2 instead of 0 when there were changes detected AND the changes are synced successfully")
+	f.BoolVar(&applyOptions.StripTrailingCR, "strip-trailing-cr", false, "strip trailing carriage return on input")
+	f.StringVar(&applyOptions.DiffArgs, "diff-args", "", `pass args to helm helm-diff`)
+	f.StringVar(&applyOptions.SyncArgs, "sync-args", "", `pass args to helm upgrade`)
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm exec")
+	f.BoolVar(&applyOptions.SkipCleanup, "skip-cleanup", false, "Stop cleaning up temporary values generated by helmfile and helm-secrets. Useful for debugging. Don't use in production for security")
+	f.BoolVar(&applyOptions.SkipCRDs, "skip-crds", false, "if set, no CRDs will be installed on sync. By default, CRDs are installed if not already present")
+	f.BoolVar(&applyOptions.SkipNeeds, "skip-needs", true, `do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided`)
+	f.BoolVar(&applyOptions.IncludeNeeds, "include-needs", false, `automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided`)
+	f.BoolVar(&applyOptions.IncludeTransitiveNeeds, "include-transitive-needs", false, `like --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions.`)
+	f.BoolVar(&applyOptions.SkipDiffOnInstall, "skip-diff-on-install", false, "Skips running helm-diff on releases being newly installed on this apply. Useful when the release manifests are too huge to be reviewed, or it's too time-consuming to diff at all")
+	f.BoolVar(&applyOptions.IncludeTests, "include-tests", false, "enable the diffing of the helm test hooks")
+	f.StringArrayVar(&applyOptions.Suppress, "suppress", nil, "suppress specified Kubernetes objects in the diff output. Can be provided multiple times. For example: --suppress KeycloakClient --suppress VaultSecret")
+	f.BoolVar(&applyOptions.SuppressSecrets, "suppress-secrets", false, "suppress secrets in the diff output. highly recommended to specify on CI/CD use-cases")
+	f.BoolVar(&applyOptions.ShowSecrets, "show-secrets", false, "do not redact secret values in the diff output. should be used for debug purpose only")
+	f.BoolVar(&applyOptions.NoHooks, "no-hooks", false, "do not diff changes made by hooks.")
+	f.BoolVar(&applyOptions.HideNotes, "hide-notes", false, "add --hide-notes flag to helm")
+	f.BoolVar(&applyOptions.TakeOwnership, "take-ownership", false, "add --take-ownership flag to helm")
+	f.BoolVar(&applyOptions.SyncReleaseLabels, "sync-release-labels", false, "sync release labels to the target release")
+	f.BoolVar(&applyOptions.SuppressDiff, "suppress-diff", false, "suppress diff in the output. Usable in new installs")
+	f.BoolVar(&applyOptions.Wait, "wait", false, `Override helmDefaults.wait setting "helm upgrade --install --wait"`)
+	f.BoolVar(&applyOptions.WaitForJobs, "wait-for-jobs", false, `Override helmDefaults.waitForJobs setting "helm upgrade --install --wait-for-jobs"`)
+	f.BoolVar(&applyOptions.ReuseValues, "reuse-values", false, `Override helmDefaults.reuseValues "helm upgrade --install --reuse-values"`)
+	f.BoolVar(&applyOptions.ResetValues, "reset-values", false, `Override helmDefaults.reuseValues "helm upgrade --install --reset-values"`)
+	f.StringVar(&applyOptions.PostRenderer, "post-renderer", "", `pass --post-renderer to "helm template" or "helm upgrade --install"`)
+	f.StringArrayVar(&applyOptions.PostRendererArgs, "post-renderer-args", nil, `pass --post-renderer-args to "helm template" or "helm upgrade --install"`)
+	f.BoolVar(&applyOptions.SkipSchemaValidation, "skip-schema-validation", false, `pass --skip-schema-validation to "helm template" or "helm upgrade --install"`)
+	f.StringVar(&applyOptions.Cascade, "cascade", "", "pass cascade to helm exec, default: background")
+	f.StringArrayVar(&applyOptions.SuppressOutputLineRegex, "suppress-output-line-regex", nil, "a list of regex patterns to suppress output lines from the diff output")
+
+	return cmd
+}
--- a/cmd/build.go
+++ b/cmd/build.go
@ -0,0 +1,37 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewBuildCmd returns build subcmd
+func NewBuildCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	buildOptions := config.NewBuildOptions()
+
+	cmd := &cobra.Command{
+		Use:   "build",
+		Short: "Build all resources from state file",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			buildImpl := config.NewBuildImpl(globalCfg, buildOptions)
+			err := config.NewCLIConfigImpl(buildImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := buildImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(buildImpl)
+			return toCLIError(buildImpl.GlobalImpl, a.PrintState(buildImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.BoolVar(&buildOptions.EmbedValues, "embed-values", false, "Read all the values files for every release and embed into the output helmfile.yaml")
+
+	return cmd
+}
--- a/cmd/cache.go
+++ b/cmd/cache.go
@ -0,0 +1,69 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+func NewCacheInfoSubcommand(cacheImpl *config.CacheImpl) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "info",
+		Short: "cache info",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := config.NewCLIConfigImpl(cacheImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := cacheImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(cacheImpl)
+			return toCLIError(cacheImpl.GlobalImpl, a.ShowCacheDir(cacheImpl))
+		},
+	}
+
+	return cmd
+}
+
+func NewCacheCleanupSubcommand(cacheImpl *config.CacheImpl) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "cleanup",
+		Short: "clean up cache directory",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := config.NewCLIConfigImpl(cacheImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := cacheImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(cacheImpl)
+			return toCLIError(cacheImpl.GlobalImpl, a.CleanCacheDir(cacheImpl))
+		},
+	}
+	return cmd
+}
+
+// NewCacheCmd returns cache subcmd
+func NewCacheCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	cacheOptions := config.NewCacheOptions()
+	cacheImpl := config.NewCacheImpl(globalCfg, cacheOptions)
+
+	cmd := &cobra.Command{
+		Use:   "cache",
+		Short: "Cache management",
+	}
+
+	cmd.AddCommand(
+		NewCacheCleanupSubcommand(cacheImpl),
+		NewCacheInfoSubcommand(cacheImpl),
+	)
+
+	return cmd
+}
--- a/cmd/deps.go
+++ b/cmd/deps.go
@ -0,0 +1,39 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewDepsCmd returns deps subcmd
+func NewDepsCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	depsOptions := config.NewDepsOptions()
+
+	cmd := &cobra.Command{
+		Use:   "deps",
+		Short: "Update charts based on their requirements",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			depsImpl := config.NewDepsImpl(globalCfg, depsOptions)
+			err := config.NewCLIConfigImpl(depsImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := depsImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(depsImpl)
+			return toCLIError(depsImpl.GlobalImpl, a.Deps(depsImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm exec")
+	f.BoolVar(&depsOptions.SkipRepos, "skip-repos", false, `skip running "helm repo update" and "helm dependency build"`)
+	f.IntVar(&depsOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+
+	return cmd
+}
--- a/cmd/destroy.go
+++ b/cmd/destroy.go
@ -0,0 +1,42 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewDestroyCmd returns destroy subcmd
+func NewDestroyCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	destroyOptions := config.NewDestroyOptions()
+
+	cmd := &cobra.Command{
+		Use:   "destroy",
+		Short: "Destroys and then purges releases",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			destroyImpl := config.NewDestroyImpl(globalCfg, destroyOptions)
+			err := config.NewCLIConfigImpl(destroyImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := destroyImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(destroyImpl)
+			return toCLIError(destroyImpl.GlobalImpl, a.Destroy(destroyImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm exec")
+	f.StringVar(&destroyOptions.Cascade, "cascade", "", "pass cascade to helm exec, default: background")
+	f.IntVar(&destroyOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+	f.BoolVar(&destroyOptions.SkipCharts, "skip-charts", false, "don't prepare charts when destroying releases")
+	f.BoolVar(&destroyOptions.DeleteWait, "deleteWait", false, `override helmDefaults.wait setting "helm uninstall --wait"`)
+	f.IntVar(&destroyOptions.DeleteTimeout, "deleteTimeout", 300, `time in seconds to wait for helm uninstall, default: 300`)
+
+	return cmd
+}
--- a/cmd/diff.go
+++ b/cmd/diff.go
@ -0,0 +1,61 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewDiffCmd returns diff subcmd
+func NewDiffCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	diffOptions := config.NewDiffOptions()
+
+	cmd := &cobra.Command{
+		Use:   "diff",
+		Short: "Diff releases defined in state file",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			diffImpl := config.NewDiffImpl(globalCfg, diffOptions)
+			err := config.NewCLIConfigImpl(diffImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := diffImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(diffImpl)
+			return toCLIError(diffImpl.GlobalImpl, a.Diff(diffImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.StringVar(&diffOptions.DiffArgs, "diff-args", "", `pass args to helm helm-diff`)
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm diff")
+	f.StringArrayVar(&diffOptions.Set, "set", nil, "additional values to be merged into the helm command --set flag")
+	f.StringArrayVar(&diffOptions.Values, "values", nil, "additional value files to be merged into the helm command --values flag")
+	f.IntVar(&diffOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+	f.BoolVar(&diffOptions.Validate, "validate", false, "validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, like the diff of available API versions")
+	f.BoolVar(&diffOptions.SkipNeeds, "skip-needs", true, `do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided`)
+	f.BoolVar(&diffOptions.IncludeTests, "include-tests", false, "enable the diffing of the helm test hooks")
+	f.BoolVar(&diffOptions.IncludeNeeds, "include-needs", false, `automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided`)
+	f.BoolVar(&diffOptions.IncludeTransitiveNeeds, "include-transitive-needs", false, `like --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions.`)
+	f.BoolVar(&diffOptions.SkipDiffOnInstall, "skip-diff-on-install", false, "Skips running helm-diff on releases being newly installed on this apply. Useful when the release manifests are too huge to be reviewed, or it's too time-consuming to diff at all")
+	f.BoolVar(&diffOptions.ShowSecrets, "show-secrets", false, "do not redact secret values in the output. should be used for debug purpose only")
+	f.BoolVar(&diffOptions.NoHooks, "no-hooks", false, "do not diff changes made by hooks.")
+	f.BoolVar(&diffOptions.DetailedExitcode, "detailed-exitcode", false, "return a detailed exit code")
+	f.BoolVar(&diffOptions.StripTrailingCR, "strip-trailing-cr", false, "strip trailing carriage return on input")
+	f.IntVar(&diffOptions.Context, "context", 0, "output NUM lines of context around changes")
+	f.StringVar(&diffOptions.Output, "output", "", "output format for diff plugin")
+	f.BoolVar(&diffOptions.SuppressSecrets, "suppress-secrets", false, "suppress secrets in the output. highly recommended to specify on CI/CD use-cases")
+	f.StringArrayVar(&diffOptions.Suppress, "suppress", nil, "suppress specified Kubernetes objects in the output. Can be provided multiple times. For example: --suppress KeycloakClient --suppress VaultSecret")
+	f.BoolVar(&diffOptions.ReuseValues, "reuse-values", false, `Override helmDefaults.reuseValues "helm diff upgrade --install --reuse-values"`)
+	f.BoolVar(&diffOptions.ResetValues, "reset-values", false, `Override helmDefaults.reuseValues "helm diff upgrade --install --reset-values"`)
+	f.BoolVar(&diffOptions.TakeOwnership, "take-ownership", false, "add --take-ownership flag to helm")
+	f.StringVar(&diffOptions.PostRenderer, "post-renderer", "", `pass --post-renderer to "helm template" or "helm upgrade --install"`)
+	f.StringArrayVar(&diffOptions.PostRendererArgs, "post-renderer-args", nil, `pass --post-renderer-args to "helm template" or "helm upgrade --install"`)
+	f.StringArrayVar(&diffOptions.SuppressOutputLineRegex, "suppress-output-line-regex", nil, "a list of regex patterns to suppress output lines from the diff output")
+
+	return cmd
+}
--- a/cmd/fetch.go
+++ b/cmd/fetch.go
@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+	"github.com/helmfile/helmfile/pkg/state"
+)
+
+// NewFetchCmd returns fetch subcmd
+func NewFetchCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	fetchOptions := config.NewFetchOptions()
+
+	cmd := &cobra.Command{
+		Use:   "fetch",
+		Short: "Fetch charts from state file",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			fetchImpl := config.NewFetchImpl(globalCfg, fetchOptions)
+			err := config.NewCLIConfigImpl(fetchImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := fetchImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(fetchImpl)
+			return toCLIError(fetchImpl.GlobalImpl, a.Fetch(fetchImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.IntVar(&fetchOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+	f.StringVar(&fetchOptions.OutputDir, "output-dir", "", "directory to store charts (default: temporary directory which is deleted when the command terminates)")
+	f.StringVar(&fetchOptions.OutputDirTemplate, "output-dir-template", state.DefaultFetchOutputDirTemplate, "go text template for generating the output directory")
+
+	return cmd
+}
--- a/cmd/init.go
+++ b/cmd/init.go
@ -0,0 +1,35 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewInitCmd helmfile checks and installs deps
+func NewInitCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	options := config.NewInitOptions()
+	cmd := &cobra.Command{
+		Use:   "init",
+		Short: "Initialize the helmfile, includes version checking and installation of helm and plug-ins",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			initImpl := config.NewInitImpl(globalCfg, options)
+			err := config.NewCLIConfigImpl(initImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := initImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(initImpl)
+			return toCLIError(initImpl.GlobalImpl, a.Init(initImpl))
+		},
+	}
+	f := cmd.Flags()
+	f.BoolVar(&options.Force, "force", false, "Do not prompt, install dependencies required by helmfile")
+
+	return cmd
+}
--- a/cmd/lint.go
+++ b/cmd/lint.go
@ -0,0 +1,43 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewLintCmd returns lint subcmd
+func NewLintCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	lintOptions := config.NewLintOptions()
+
+	cmd := &cobra.Command{
+		Use:   "lint",
+		Short: "Lint charts from state file (helm lint)",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			lintImpl := config.NewLintImpl(globalCfg, lintOptions)
+			err := config.NewCLIConfigImpl(lintImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := lintImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(lintImpl)
+			return toCLIError(lintImpl.GlobalImpl, a.Lint(lintImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.IntVar(&lintOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm exec")
+	f.StringArrayVar(&lintOptions.Set, "set", nil, "additional values to be merged into the helm command --set flag")
+	f.StringArrayVar(&lintOptions.Values, "values", nil, "additional value files to be merged into the helm command --values flag")
+	f.BoolVar(&lintOptions.SkipNeeds, "skip-needs", true, `do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided`)
+	f.BoolVar(&lintOptions.IncludeNeeds, "include-needs", false, `automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided`)
+	f.BoolVar(&lintOptions.IncludeTransitiveNeeds, "include-transitive-needs", false, `like --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions.`)
+
+	return cmd
+}
--- a/cmd/list.go
+++ b/cmd/list.go
@ -0,0 +1,39 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewListCmd returns list subcmd
+func NewListCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	listOptions := config.NewListOptions()
+
+	cmd := &cobra.Command{
+		Use:   "list",
+		Short: "List releases defined in state file",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			listImpl := config.NewListImpl(globalCfg, listOptions)
+			err := config.NewCLIConfigImpl(listImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := listImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(listImpl)
+			return toCLIError(listImpl.GlobalImpl, a.ListReleases(listImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.BoolVar(&listOptions.KeepTempDir, "keep-temp-dir", false, "Keep temporary directory")
+	f.BoolVar(&listOptions.SkipCharts, "skip-charts", false, "don't prepare charts when listing releases")
+	f.StringVar(&listOptions.Output, "output", "", "output releases list as a json string")
+
+	return cmd
+}
--- a/cmd/repos.go
+++ b/cmd/repos.go
@ -0,0 +1,37 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewReposCmd returns repos subcmd
+func NewReposCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	reposOptions := config.NewReposOptions()
+
+	cmd := &cobra.Command{
+		Use:   "repos",
+		Short: "Add chart repositories defined in state file",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			reposImpl := config.NewReposImpl(globalCfg, reposOptions)
+			err := config.NewCLIConfigImpl(reposImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := reposImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(reposImpl)
+			return toCLIError(reposImpl.GlobalImpl, a.Repos(reposImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm exec")
+
+	return cmd
+}
--- a/cmd/root.go
+++ b/cmd/root.go
@ -0,0 +1,146 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"go.szostok.io/version/extension"
+	"go.uber.org/zap"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/app/version"
+	"github.com/helmfile/helmfile/pkg/config"
+	"github.com/helmfile/helmfile/pkg/envvar"
+	"github.com/helmfile/helmfile/pkg/errors"
+	"github.com/helmfile/helmfile/pkg/helmexec"
+	"github.com/helmfile/helmfile/pkg/runtime"
+)
+
+var logger *zap.SugaredLogger
+var globalUsage = "Declaratively deploy your Kubernetes manifests, Kustomize configs, and Charts as Helm releases in one shot\n" + runtime.Info()
+
+func toCLIError(g *config.GlobalImpl, err error) error {
+	if err != nil {
+		switch e := err.(type) {
+		case *app.NoMatchingHelmfileError:
+			noMatchingExitCode := 3
+			if g.AllowNoMatchingRelease {
+				noMatchingExitCode = 0
+			}
+			return errors.NewExitError(e.Error(), noMatchingExitCode)
+		case *app.MultiError:
+			return errors.NewExitError(e.Error(), 1)
+		case *app.Error:
+			return errors.NewExitError(e.Error(), e.Code())
+		default:
+			panic(fmt.Errorf("BUG: please file an github issue for this unhandled error: %T: %v", e, e))
+		}
+	}
+	return err
+}
+
+// NewRootCmd creates the root command for the CLI.
+func NewRootCmd(globalConfig *config.GlobalOptions) (*cobra.Command, error) {
+	cmd := &cobra.Command{
+		Use:           "helmfile",
+		Short:         globalUsage,
+		Long:          globalUsage,
+		Version:       version.Version(),
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		PersistentPreRunE: func(c *cobra.Command, args []string) error {
+			// Valid levels:
+			// https://github.com/uber-go/zap/blob/7e7e266a8dbce911a49554b945538c5b950196b8/zapcore/level.go#L126
+			logLevel := globalConfig.LogLevel
+			switch {
+			case globalConfig.Debug:
+				logLevel = "debug"
+			case globalConfig.Quiet:
+				logLevel = "warn"
+			}
+
+			// If the log output is not set, default to stderr.
+			logOut := globalConfig.LogOutput
+			if logOut == nil {
+				logOut = os.Stderr
+			}
+			logger = helmexec.NewLogger(logOut, logLevel)
+			globalConfig.SetLogger(logger)
+			return nil
+		},
+	}
+	flags := cmd.PersistentFlags()
+
+	// Set the global options for the root command.
+	setGlobalOptionsForRootCmd(flags, globalConfig)
+
+	flags.ParseErrorsAllowlist.UnknownFlags = true
+
+	globalImpl := config.NewGlobalImpl(globalConfig)
+
+	// when set environment HELMFILE_UPGRADE_NOTICE_DISABLED any value, skip upgrade notice.
+	var versionOpts []extension.CobraOption
+	if os.Getenv(envvar.UpgradeNoticeDisabled) == "" {
+		versionOpts = append(versionOpts, extension.WithUpgradeNotice("helmfile", "helmfile"))
+	}
+
+	cmd.AddCommand(
+		NewInitCmd(globalImpl),
+		NewApplyCmd(globalImpl),
+		NewBuildCmd(globalImpl),
+		NewCacheCmd(globalImpl),
+		NewDepsCmd(globalImpl),
+		NewDestroyCmd(globalImpl),
+		NewFetchCmd(globalImpl),
+		NewListCmd(globalImpl),
+		NewReposCmd(globalImpl),
+		NewLintCmd(globalImpl),
+		NewWriteValuesCmd(globalImpl),
+		NewTestCmd(globalImpl),
+		NewTemplateCmd(globalImpl),
+		NewSyncCmd(globalImpl),
+		NewDiffCmd(globalImpl),
+		NewStatusCmd(globalImpl),
+		NewShowDAGCmd(globalImpl),
+		extension.NewVersionCobraCmd(
+			versionOpts...,
+		),
+	)
+
+	return cmd, nil
+}
+
+func setGlobalOptionsForRootCmd(fs *pflag.FlagSet, globalOptions *config.GlobalOptions) {
+	fs.StringVarP(&globalOptions.HelmBinary, "helm-binary", "b", app.DefaultHelmBinary, "Path to the helm binary")
+	fs.StringVarP(&globalOptions.KustomizeBinary, "kustomize-binary", "k", app.DefaultKustomizeBinary, "Path to the kustomize binary")
+	fs.StringVarP(&globalOptions.File, "file", "f", "", "load config from file or directory. defaults to \"`helmfile.yaml`\" or \"helmfile.yaml.gotmpl\" or \"helmfile.d\" (means \"helmfile.d/*.yaml\" or \"helmfile.d/*.yaml.gotmpl\") in this preference. Specify - to load the config from the standard input.")
+	fs.StringVarP(&globalOptions.Environment, "environment", "e", "", `specify the environment name. Overrides "HELMFILE_ENVIRONMENT" OS environment variable when specified. defaults to "default"`)
+	fs.StringArrayVar(&globalOptions.StateValuesSet, "state-values-set", nil, "set state values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not values template).")
+	fs.StringArrayVar(&globalOptions.StateValuesSetString, "state-values-set-string", nil, "set state STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2). Used to override .Values within the helmfile template (not values template).")
+	fs.StringArrayVar(&globalOptions.StateValuesFile, "state-values-file", nil, "specify state values in a YAML file. Used to override .Values within the helmfile template (not values template).")
+	fs.BoolVar(&globalOptions.SkipDeps, "skip-deps", false, `skip running "helm repo update" and "helm dependency build"`)
+	fs.BoolVar(&globalOptions.SkipRefresh, "skip-refresh", false, `skip running "helm repo update"`)
+	fs.BoolVar(&globalOptions.StripArgsValuesOnExitError, "strip-args-values-on-exit-error", true, `Strip the potential secret values of the helm command args contained in a helmfile error message`)
+	fs.BoolVar(&globalOptions.DisableForceUpdate, "disable-force-update", false, `do not force helm repos to update when executing "helm repo add"`)
+	fs.BoolVarP(&globalOptions.Quiet, "quiet", "q", false, "Silence output. Equivalent to log-level warn")
+	fs.StringVar(&globalOptions.Kubeconfig, "kubeconfig", "", "Use a particular kubeconfig file")
+	fs.StringVar(&globalOptions.KubeContext, "kube-context", "", "Set kubectl context. Uses current context by default")
+	fs.BoolVar(&globalOptions.Debug, "debug", false, "Enable verbose output for Helm and set log-level to debug, this disables --quiet/-q effect")
+	fs.BoolVar(&globalOptions.Color, "color", false, "Output with color")
+	fs.BoolVar(&globalOptions.NoColor, "no-color", false, "Output without color")
+	fs.StringVar(&globalOptions.LogLevel, "log-level", "info", "Set log level, default info")
+	fs.StringVarP(&globalOptions.Namespace, "namespace", "n", "", "Set namespace. Uses the namespace set in the context by default, and is available in templates as {{ .Namespace }}")
+	fs.StringVarP(&globalOptions.Chart, "chart", "c", "", "Set chart. Uses the chart set in release by default, and is available in template as {{ .Chart }}")
+	fs.StringArrayVarP(&globalOptions.Selector, "selector", "l", nil, `Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar.
+A release must match all labels in a group in order to be used. Multiple groups can be specified at once.
+"--selector tier=frontend,tier!=proxy --selector tier=backend" will match all frontend, non-proxy releases AND all backend releases.
+The name of a release can be used as a label: "--selector name=myrelease"`)
+	fs.BoolVar(&globalOptions.AllowNoMatchingRelease, "allow-no-matching-release", false, `Do not exit with an error code if the provided selector has no matching releases.`)
+	fs.BoolVar(&globalOptions.EnableLiveOutput, "enable-live-output", globalOptions.EnableLiveOutput, `Show live output from the Helm binary Stdout/Stderr into Helmfile own Stdout/Stderr.
+It only applies for the Helm CLI commands, Stdout/Stderr for Hooks are still displayed only when it's execution finishes.`)
+	fs.BoolVarP(&globalOptions.Interactive, "interactive", "i", false, "Request confirmation before attempting to modify clusters")
+	// avoid 'pflag: help requested' error (#251)
+	fs.BoolP("help", "h", false, "help for helmfile")
+}
--- a/cmd/show-dag.go
+++ b/cmd/show-dag.go
@ -0,0 +1,32 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+func NewShowDAGCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	showDAGOptions := config.NewShowDAGOptions()
+
+	cmd := &cobra.Command{
+		Use:   "show-dag",
+		Short: "It prints a table with 3 columns, GROUP, RELEASE, and DEPENDENCIES. GROUP is the unsigned, monotonically increasing integer starting from 1. All the releases with the same GROUP are deployed concurrently. Everything in GROUP 2 starts being deployed only after everything in GROUP 1 got successfully deployed. RELEASE is the release that belongs to the GROUP. DEPENDENCIES is the list of releases that the RELEASE depends on. It should always be empty for releases in GROUP 1. DEPENDENCIES for a release in GROUP 2 should have some or all dependencies appeared in GROUP 1. It can be \"some\" because Helmfile simplifies the DAGs of releases into a DAG of groups, so that Helmfile always produce a single DAG for everything written in helmfile.yaml, even when there are technically two or more independent DAGs of releases in it.",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			showDAGImpl := config.NewShowDAGImpl(globalCfg, showDAGOptions)
+			err := config.NewCLIConfigImpl(showDAGImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := showDAGImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(showDAGImpl)
+			return toCLIError(showDAGImpl.GlobalImpl, a.PrintDAGState(showDAGImpl))
+		},
+	}
+	return cmd
+}
--- a/cmd/status.go
+++ b/cmd/status.go
@ -0,0 +1,38 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewStatusCmd returns status subcmd
+func NewStatusCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	statusOptions := config.NewStatusOptions()
+
+	cmd := &cobra.Command{
+		Use:   "status",
+		Short: "Retrieve status of releases in state file",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			statusImpl := config.NewStatusImpl(globalCfg, statusOptions)
+			err := config.NewCLIConfigImpl(statusImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := statusImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(statusImpl)
+			return toCLIError(statusImpl.GlobalImpl, a.Status(statusImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm exec")
+	f.IntVar(&statusOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+
+	return cmd
+}
--- a/cmd/sync.go
+++ b/cmd/sync.go
@ -0,0 +1,58 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewSyncCmd returns sync subcmd
+func NewSyncCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	syncOptions := config.NewSyncOptions()
+
+	cmd := &cobra.Command{
+		Use:   "sync",
+		Short: "Sync releases defined in state file",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			syncImpl := config.NewSyncImpl(globalCfg, syncOptions)
+			err := config.NewCLIConfigImpl(syncImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := syncImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(syncImpl)
+			return toCLIError(syncImpl.GlobalImpl, a.Sync(syncImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm sync")
+	f.StringVar(&syncOptions.SyncArgs, "sync-args", "", "pass args to helm upgrade")
+	f.StringArrayVar(&syncOptions.Set, "set", nil, "additional values to be merged into the helm command --set flag")
+	f.StringArrayVar(&syncOptions.Values, "values", nil, "additional value files to be merged into the helm command --values flag")
+	f.IntVar(&syncOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+	f.BoolVar(&syncOptions.Validate, "validate", false, "validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, like the sync of available API versions")
+	f.BoolVar(&syncOptions.SkipNeeds, "skip-needs", true, `do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided`)
+	f.BoolVar(&syncOptions.SkipCRDs, "skip-crds", false, "if set, no CRDs will be installed on sync. By default, CRDs are installed if not already present")
+	f.BoolVar(&syncOptions.IncludeNeeds, "include-needs", false, `automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided`)
+	f.BoolVar(&syncOptions.IncludeTransitiveNeeds, "include-transitive-needs", false, `like --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions.`)
+	f.BoolVar(&syncOptions.HideNotes, "hide-notes", false, "add --hide-notes flag to helm")
+	f.BoolVar(&syncOptions.TakeOwnership, "take-ownership", false, `add --take-ownership flag to helm`)
+	f.BoolVar(&syncOptions.SyncReleaseLabels, "sync-release-labels", false, "sync release labels to the target release")
+	f.BoolVar(&syncOptions.Wait, "wait", false, `Override helmDefaults.wait setting "helm upgrade --install --wait"`)
+	f.BoolVar(&syncOptions.WaitForJobs, "wait-for-jobs", false, `Override helmDefaults.waitForJobs setting "helm upgrade --install --wait-for-jobs"`)
+	f.IntVar(&syncOptions.Timeout, "timeout", 0, `Override helmDefaults.timeout setting "helm upgrade --install --timeout" (default 0, which means no timeout)`)
+	f.BoolVar(&syncOptions.ReuseValues, "reuse-values", false, `Override helmDefaults.reuseValues "helm upgrade --install --reuse-values"`)
+	f.BoolVar(&syncOptions.ResetValues, "reset-values", false, `Override helmDefaults.reuseValues "helm upgrade --install --reset-values"`)
+	f.StringVar(&syncOptions.PostRenderer, "post-renderer", "", `pass --post-renderer to "helm template" or "helm upgrade --install"`)
+	f.StringArrayVar(&syncOptions.PostRendererArgs, "post-renderer-args", nil, `pass --post-renderer-args to "helm template" or "helm upgrade --install"`)
+	f.BoolVar(&syncOptions.SkipSchemaValidation, "skip-schema-validation", false, `pass --skip-schema-validation to "helm template" or "helm upgrade --install"`)
+	f.StringVar(&syncOptions.Cascade, "cascade", "", "pass cascade to helm exec, default: background")
+
+	return cmd
+}
--- a/cmd/template.go
+++ b/cmd/template.go
@ -0,0 +1,55 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewTemplateCmd returm template subcmd
+func NewTemplateCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	templateOptions := config.NewTemplateOptions()
+
+	cmd := &cobra.Command{
+		Use:   "template",
+		Short: "Template releases defined in state file",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			templateImpl := config.NewTemplateImpl(globalCfg, templateOptions)
+			err := config.NewCLIConfigImpl(templateImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := templateImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(templateImpl)
+			return toCLIError(templateImpl.GlobalImpl, a.Template(templateImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm template")
+	f.StringArrayVar(&templateOptions.Set, "set", nil, "additional values to be merged into the helm command --set flag")
+	f.StringArrayVar(&templateOptions.Values, "values", nil, "additional value files to be merged into the helm command --values flag")
+	f.StringVar(&templateOptions.OutputDir, "output-dir", "", "output directory to pass to helm template (helm template --output-dir)")
+	f.StringVar(&templateOptions.OutputDirTemplate, "output-dir-template", "", "go text template for generating the output directory. Default: {{ .OutputDir }}/{{ .State.BaseName }}-{{ .State.AbsPathSHA1 }}-{{ .Release.Name}}")
+	f.IntVar(&templateOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+	f.BoolVar(&templateOptions.Validate, "validate", false, "validate your manifests against the Kubernetes cluster you are currently pointing at. Note that this requires access to a Kubernetes cluster to obtain information necessary for validating, like the template of available API versions")
+	f.BoolVar(&templateOptions.IncludeCRDs, "include-crds", false, "include CRDs in the templated output")
+	f.BoolVar(&templateOptions.SkipTests, "skip-tests", false, "skip tests from templated output")
+	f.BoolVar(&templateOptions.SkipNeeds, "skip-needs", true, `do not automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided. Defaults to true when --include-needs or --include-transitive-needs is not provided`)
+	f.BoolVar(&templateOptions.IncludeNeeds, "include-needs", false, `automatically include releases from the target release's "needs" when --selector/-l flag is provided. Does nothing when --selector/-l flag is not provided`)
+	f.BoolVar(&templateOptions.IncludeTransitiveNeeds, "include-transitive-needs", false, `like --include-needs, but also includes transitive needs (needs of needs). Does nothing when --selector/-l flag is not provided. Overrides exclusions of other selectors and conditions.`)
+	f.BoolVar(&templateOptions.SkipCleanup, "skip-cleanup", false, "Stop cleaning up temporary values generated by helmfile and helm-secrets. Useful for debugging. Don't use in production for security")
+	f.BoolVar(&templateOptions.NoHooks, "no-hooks", false, "do not template files made by hooks.")
+	f.StringVar(&templateOptions.PostRenderer, "post-renderer", "", `pass --post-renderer to "helm template" or "helm upgrade --install"`)
+	f.StringArrayVar(&templateOptions.PostRendererArgs, "post-renderer-args", nil, `pass --post-renderer-args to "helm template" or "helm upgrade --install"`)
+	f.BoolVar(&templateOptions.SkipSchemaValidation, "skip-schema-validation", false, `pass skip-schema-validation to "helm template" or "helm upgrade --install"`)
+	f.StringVar(&templateOptions.KubeVersion, "kube-version", "", `pass --kube-version to "helm template". Overrides kubeVersion in helmfile.yaml`)
+	f.StringArrayVar(&templateOptions.ShowOnly, "show-only", nil, `pass --show-only to "helm template"`)
+
+	return cmd
+}
--- a/cmd/test.go
+++ b/cmd/test.go
@ -0,0 +1,42 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewTestCmd returns test subcmd
+func NewTestCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	testOptions := config.NewTestOptions()
+	testImpl := config.NewTestImpl(globalCfg, testOptions)
+
+	cmd := &cobra.Command{
+		Use:   "test",
+		Short: "Test charts from state file (helm test)",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := config.NewCLIConfigImpl(testImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := testImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(testImpl)
+			return toCLIError(testImpl.GlobalImpl, a.Test(testImpl))
+		},
+	}
+	testImpl.Cmd = cmd
+
+	f := cmd.Flags()
+	f.IntVar(&testOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+	f.BoolVar(&testOptions.Cleanup, "cleanup", false, "delete test pods upon completion")
+	f.BoolVar(&testOptions.Logs, "logs", false, "Dump the logs from test pods (this runs after all tests are complete, but before any cleanup)")
+	f.StringVar(&globalCfg.GlobalOptions.Args, "args", "", "pass args to helm exec")
+	f.IntVar(&testOptions.Timeout, "timeout", 300, "maximum time for tests to run before being considered failed")
+
+	return cmd
+}
--- a/cmd/write-values.go
+++ b/cmd/write-values.go
@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+)
+
+// NewWriteValuesCmd returns write-values subcmd
+func NewWriteValuesCmd(globalCfg *config.GlobalImpl) *cobra.Command {
+	writeValuesOptions := config.NewWriteValuesOptions()
+
+	cmd := &cobra.Command{
+		Use:   "write-values",
+		Short: "Write values files for releases. Similar to `helmfile template`, write values files instead of manifests.",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			writeValuesImpl := config.NewWriteValuesImpl(globalCfg, writeValuesOptions)
+			err := config.NewCLIConfigImpl(writeValuesImpl.GlobalImpl)
+			if err != nil {
+				return err
+			}
+
+			if err := writeValuesImpl.ValidateConfig(); err != nil {
+				return err
+			}
+
+			a := app.New(writeValuesImpl)
+			return toCLIError(writeValuesImpl.GlobalImpl, a.WriteValues(writeValuesImpl))
+		},
+	}
+
+	f := cmd.Flags()
+	f.IntVar(&writeValuesOptions.Concurrency, "concurrency", 0, "maximum number of concurrent helm processes to run, 0 is unlimited")
+	f.StringArrayVar(&writeValuesOptions.Set, "set", nil, "additional values to be merged into the helm command --set flag")
+	f.StringArrayVar(&writeValuesOptions.Values, "values", nil, "additional value files to be merged into the helm command --values flag")
+	f.StringVar(&writeValuesOptions.OutputFileTemplate, "output-file-template", "", "go text template for generating the output file. Default: {{ .State.BaseName }}-{{ .State.AbsPathSHA1 }}/{{ .Release.Name}}.yaml")
+
+	return cmd
+}
--- a/docs/advanced-features.md
+++ b/docs/advanced-features.md
@ -0,0 +1,335 @@
+## Advanced Features
+
+- [Import Configuration Parameters into Helmfile](#import-configuration-parameters-into-helmfile)
+- [Deploy Kustomization with Helmfile](#deploy-kustomizations-with-helmfile)
+- [Adhoc Kustomization of Helm Charts](#adhoc-kustomization-of-helm-charts)
+- [Adding dependencies without forking the chart](#adding-dependencies-without-forking-the-chart)
+
+### Import Configuration Parameters into Helmfile
+
+Helmfile integrates [vals]() to import configuration parameters from following backends:
+
+- AWS SSM Parameter Store
+- AWS SecretsManager
+- Vault
+- SOPS
+
+See [Vals "Supported Backends"](https://github.com/helmfile/vals#supported-backends) for the full list of available backends.
+
+This feature was implemented in https://github.com/roboll/helmfile/pull/906.
+If you're curious about how it's designed and how it works, please review the pull request.
+
+### Deploy Kustomizations with Helmfile
+
+You can deploy [kustomize](https://github.com/kubernetes-sigs/kustomize) "kustomization"s with Helmfile.
+
+Most Kustomize operations are usually done with `kustomize edit` and can be done declaratively via Helm `values.yaml` files.
+
+Under the hood, Helmfile transforms the kustomization into a local chart in a temporary directory so that it can be `helm upgrade --install`ed.
+
+The transformation is done by generating (1)a temporary kustomization from various options and (2)temporary chart from the temporary kustomization.
+
+An example pseudo code for the transformation logic can be written as:
+
+```console
+$ TMPCHART=/tmp/sometmpdir
+$ mkdir -p ${TMPCHART}/templates
+$ somehow_generate_chart_yaml ${TMPCHART}/Chart.yaml
+
+$ TMPKUSTOMIZATION=/tmp/sometmpdir2
+$ somehow_generate_temp_kustomization_yaml ${TMPKUSTOMIZATION}/kustomization.yaml
+$ kustomize build ${TMPKUSTOMIZATION}/kustomization.yaml > ${TMPCHART}/templates/all.yaml
+```
+
+Let's say you have a `helmfile.yaml` that looks like the below:
+
+```yaml
+releases:
+- name: myapp
+  chart: mykustomization
+  values:
+  - values.yaml
+```
+
+Helmfile firstly generates a temporary `kustomization.yaml` that looks like:
+
+```yaml
+bases:
+- $(ABS_PATH_TO_HELMFILE_YAML}/mykustomization
+```
+
+Followed by the below steps:
+
+- Running `kustomize edit set image $IMAGE` for every `$IMAGE` generated from your values.yaml
+- Running `kustomize edit set nameprefix $NAMEPREFIX` with the nameprefix specified in your values.yaml
+- Running `kustomize edit set namesuffix $NAMESUFFIX` with the namesuffix specified in your values.yaml
+- Running `kustomize edit set namespace $NS` with the namespace specified in your values.yaml
+
+A `values.yaml` file for kustomization would look like the below:
+
+```yaml
+images:
+# kustomize edit set image mysql=eu.gcr.io/my-project/mysql@canary
+- name: mysql
+  newName: eu.gcr.io/my-project/mysql
+  newTag: canary
+# kustomize edit set image myapp=my-registry/my-app@sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3
+- name: myapp
+  digest: sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3
+  newName: my-registry/my-app
+
+# kustomize edit set nameprefix foo-
+namePrefix: foo-
+
+# kustomize edit set namesuffix -bar
+nameSuffix: -bar
+
+# kustomize edit set namespace myapp
+namespace: myapp
+```
+
+At this point, Helmfile can generate a complete kustomization from the base kustomization you specified in `releases[].chart` of your helmfile.yaml and `values.yaml`,
+which can be included in the temporary chart.
+
+After all, Helmfile just installs the temporary chart like standard charts, which allows you to manage everything with Helmfile regardless of each app is declared using a Helm chart or a kustomization.
+
+Please also see [test/advanced/helmfile.yaml](https://github.com/helmfile/helmfile/tree/master/test/advanced/helmfile.yaml) for an example of kustomization support and more.
+
+### Adhoc Kustomization of Helm charts
+
+With Helmfile's integration with Kustomize, not only deploying Kustomization as a Helm chart, you can kustomize charts before installation.
+
+.. Hint:: The following fields can also specify files, in the same manner as
+   the `values` field.
+
+Currently, Helmfile allows you to set the following fields for kustomizing the chart:
+
+- [`releases[].strategicMergePatches`](#strategicmergepatches)
+- `releases[].jsonPatches`
+- [`releases[].transformers`](#transformers)
+
+#### `strategicMergePatches`
+
+You can add/update any Kubernetes resource field rendered from a Helm chart by specifying `releases[].strategicMergePatches`:
+
+```
+repositories:
+- name: incubator
+  url: https://charts.helm.sh/incubator
+
+releases:
+- name: raw1
+  chart: incubator/raw
+  values:
+  - resources:
+    - apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: raw1
+        namespace: default
+      data:
+        foo: FOO
+  strategicMergePatches:
+    - apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: raw1
+        namespace: default
+      data:
+        bar: BAR
+```
+
+Running `helmfile template` on the above example results in a ConfigMap called `raw` whose `data` is:
+
+```yaml
+foo: FOO
+bar: BAR
+```
+
+Please note that the second `data` field `bar` is coming from the strategic-merge patch defined in the above helmfile.yaml.
+
+There's also `releases[].jsonPatches` that works similarly to `strategicMergePatches` but has additional capability to remove fields.
+
+Please also see [test/advanced/helmfile.yaml](https://github.com/helmfile/helmfile/tree/master/test/advanced/helmfile.yaml) for an example of patching support and more.
+
+#### `transformers`
+
+You can set `transformers` to apply [Kustomize's transformers](https://github.com/kubernetes-sigs/kustomize/blob/master/examples/configureBuiltinPlugin.md#configuring-the-builtin-plugins-instead).
+
+Each item can be a path to a YAML or Go template file, or an embedded transformer declaration as a YAML hash.
+
+It's often used to add common labels and annotations to your resources.
+
+In the below example, we add common annotations and labels every resource rendered from the `aws-load-balancer-controller` chart:
+
+```yaml
+releases:
+- name: "aws-load-balancer-controller"
+  namespace: "kube-system"
+  forceNamespace: "kube-system"
+  chart: "center/aws/aws-load-balancer-controller"
+  transformers:
+  - apiVersion: builtin
+    kind: AnnotationsTransformer
+    metadata:
+      name: notImportantHere
+    annotations:
+      area: 51
+      greeting: take me to your leader
+    fieldSpecs:
+    - path: metadata/annotations
+      create: true
+  - apiVersion: builtin
+    kind: LabelTransformer
+    metadata:
+      name: notImportantHere
+    labels:
+      foo: bar
+    fieldSpecs:
+    - path: metadata/labels
+      create: true
+```
+
+As explained earlier, `transformers` can be not only a list of embedded transformers, but also YAML or Go template files, or a mix of those three kinds.
+
+```yaml
+transformers:
+# Embedded transformer
+- apiVersion: builtin
+  kind: AnnotationsTransformer
+  metadata:
+    name: notImportantHere
+  annotations:
+    area: 51
+    greeting: take me to your leader
+  fieldSpecs:
+  - path: metadata/annotations
+    create: true
+# YAML file
+- path/to/transformer.yaml
+# Go template
+# The same set of template parameters as release values files templates is available.
+- path/to/transformer.yaml.gotmpl
+```
+
+Please see https://github.com/kubernetes-sigs/kustomize/blob/master/examples/configureBuiltinPlugin.md#configuring-the-builtin-plugins-instead for more information on how to declare transformers.
+
+### Adding dependencies without forking the chart
+
+With Helmfile, you can add chart dependencies to a Helm chart without forking it.
+
+An example `helmfile.yaml` that adds a `stable/envoy` dependency to the release `foo` looks like the below:
+
+```yaml
+repositories:
+- name: stable
+  url: https://charts.helm.sh/stable
+
+releases:
+- name: foo
+  chart: ./path/to/foo
+  dependencies:
+  - chart: stable/envoy
+    version: 1.5
+```
+
+When Helmfile encounters `releases[].dependencies`, it creates another temporary chart from `./path/to/foo` and adds the following `dependencies` to the `Chart.yaml`, so that you don't need to fork the chart.
+
+```yaml
+dependencies:
+- name: envoy
+  repo: https://charts.helm.sh/stable
+  condition: envoy.enabled
+```
+
+A Helm chart can have two or more dependencies for the same chart with different `alias`es. To give your dependency an `alias`, define it like you would do in a standard `Chart.yaml`:
+
+```yaml
+repositories:
+- name: stable
+  url: https://charts.helm.sh/stable
+
+releases:
+- name: foo
+  chart: ./path/to/foo
+  dependencies:
+  - chart: stable/envoy
+    version: 1.5
+    alias: bar
+  - chart: stable/envoy
+    version: 1.5
+    alias: baz
+```
+
+which will tweaks the temporary chart's `Chart.yaml` to have:
+
+
+```yaml
+dependencies:
+- alias: bar
+  name: envoy
+  repo: https://charts.helm.sh/stable
+  condition: bar.enabled
+- alias: baz
+  name: envoy
+  repo: https://charts.helm.sh/stable
+  condition: baz.enabled
+```
+
+Please see #649 for more context around this feature.
+
+After the support for adhoc dependency to local chart (#1765),
+you can even write local file paths relative to `helmfile.yaml` in `chart`:
+
+```yaml
+releases:
+- name: foo
+  chart: ./path/to/foo
+  dependencies:
+  - chart: ./path/to/bar
+```
+
+Internally, Helmfile creates another temporary chart from the local chart `./path/to/foo`, and modifies the chart's `Chart.yaml` dependencies to look like:
+
+```yaml
+dependencies:
+- alias: bar
+  name: bar
+  repo: file:///abs/path/to/bar
+  condition: bar.enabled
+```
+
+Please read https://github.com/roboll/helmfile/issues/1762#issuecomment-816341251 for more details.
+
+#### OCI chart dependencies
+
+With Helmfile version v0.146.0 or later, you can add OCI chart to chart dependencies.
+
+An example `helmfile.yaml` that adds a OCI chart dependency to the release `foo` looks like the below:
+
+```yaml
+releases:
+- name: foo
+  chart: ./path/to/foo
+  dependencies:
+  - chart: oci://my-oci-registry/helm-repo/envoy
+    version: 1.5
+```
+
+### Lockfile per environment
+
+In some cases it can be handy for CI/CD pipelines to be able to roll out updates gradually for environments, such as staging and production while using the same
+set of charts. This can be achieved by using `lockFilePath` in combination with environments, such as:
+
+```yaml
+environments:
+  staging:
+  production
+
+---
+lockFilePath: .helmfile.{{ .Environment.Name}}.lock
+
+releases:
+- name: myapp
+  chart: charts/myapp
+```
--- a/docs/builtin-objects.md
+++ b/docs/builtin-objects.md
@ -0,0 +1,68 @@
+# helmfile template built-in objects
+
+- `Environment`: The information about the environment. This is set by the
+  `--environment` flag. It has several objects inside of it:
+  - `Environment.Name`: The name of the environment
+  - `Environment.KubeContext`: The kube context to be used by default for releases in the environment.
+- `Values`: Values passed into the environment.
+- `StateValues`: alias for `Values`.
+- `Namespace`: The namespace to be released into
+
+# release template built-in objects
+
+it be used for the below two cases:
+
+1. release definition
+```
+templates:
+  default:
+    chart: stable/{{`{{ .Release.Name }}`}}
+    namespace: kube-system
+    values:
+    - config/{{`{{ .Release.Name }}`}}/values.yaml
+    - config/{{`{{ .Release.Name }}`}}/{{`{{ .Environment.Name }}`}}.yaml
+    secrets:
+    - config/{{`{{ .Release.Name }}`}}/secrets.yaml
+    - config/{{`{{ .Release.Name }}`}}/{{`{{ .Environment.Name }}`}}-secrets.yaml
+releases:
+- name: heapster
+  version: 0.3.2
+  inherit:
+  - template: default
+- name: kubernetes-dashboard
+  version: 0.10.0
+  inherit:
+  - template: default
+```
+
+2. release values template
+```
+releases:
+- name: some-release
+  chart: my-chart
+  values:
+    # This is a template file can use the built-in objects
+    - path/to/values.gotmpl
+```
+
+- `Release`: This object describes the release itself. It has several objects
+  inside of it:
+  - `Release.Name`: The release name
+  - `Release.Namespace`: The namespace to be released into
+  - `Release.Labels`: The labels to be applied to the release
+  - `Release.Chart`: The chart name of the release
+  - `Release.KubeContext`: The kube context to be used for the release
+  - `Release.ChartVersion`: The version of the current chart
+- `Values`: Values passed into the environment.
+- `StateValues`: alias for `Values`.
+- `Environment`: The information about the environment. This is set by the
+  `--environment` flag. It has several objects inside of it:
+  - `Environment.Name`: The name of the environment
+  - `Environment.KubeContext`: The kube context to be used by default for releases in the environment.
+- `Chart`: The chart name for the release.
+- `KubeContext`: The kube context to be used for the release
+- `Namespace`: The namespace to be released into
+
+The built-in values always begin with a capital letter. This is in keeping with
+Go's naming convention. When you define your own values and template variables, you are free to use a
+convention that suits your team.
--- a/docs/contributing.md
+++ b/docs/contributing.md
@ -0,0 +1 @@
+../CONTRIBUTING.md
--- a/docs/experimental-features.md
+++ b/docs/experimental-features.md
@ -0,0 +1,7 @@
+# Experimental Features
+
+This document describes the experimental features that are available in Helmfile v1.
+
+Any experimental feature may be removed or changed in a future release without notice.
+
+- HCL helmfile-values-file support (PR #1423)
--- a/docs/hcl_funcs.md
+++ b/docs/hcl_funcs.md
@ -0,0 +1,667 @@
+# HCL Functions
+
+## Standard Library
+The following functions are all from the [go-cty](https://pkg.go.dev/github.com/zclconf/go-cty/cty/function/stdlib#pkg-functions), [go-cty-yaml](https://pkg.go.dev/github.com/zclconf/go-cty-yaml) and [hcl](https://pkg.go.dev/github.com/hashicorp/hcl/v2@v2.20.1/ext/tryfunc#section-readme) libraries
+#### abs
+`abs` returns the absolute value
+```
+abs(number)
+```
+```
+abs(-1)
+# 1
+abs(2)
+# 2
+```
+#### can
+`can` evaluates an expression and returns a boolean if a result can be produced without any error
+```
+can(expr)
+```
+```
+map = {
+  myvar = "myvar"
+}
+can1 = can(hv.map.myVar)
+# true
+can2 = can(hv.map.notMyVar) 
+# false
+```
+#### ceil
+`ceil` returns the ceiling value of a given number
+```
+ceil(number)
+```
+```
+ceil(1) 
+# 1
+ceil(1.1) 
+# 2
+```
+#### chomp
+`chomp` removes newline characters at the end of a string. 
+```
+chomp(string)
+```
+```
+chomp("myVar\n")
+# myVar
+```
+#### coalesce
+
+`coalesce` returns the first of the given arguments that is not null. If all arguments are null, an error is produced.
+All arguments must be of the same type apart from some cases
+```
+coalesce(any...)
+```
+```
+coalesce(null, 2)
+# 2
+coalesce(null, "value")
+# value
+```
+Use the three dots notation `...` to expand a list
+```
+coalesce([null, "value"]...)
+# value
+```
+#### coalescelist
+`coalescelist` takes any number of list arguments and returns the first one that isn't empty. 
+```
+coalescelist(list)
+```
+```
+coalescelist([], ["value"])
+# ["value"]
+```
+Use the three dots notation `...` when using list of lists
+```
+coalescelist([[], ["val1", "val2"]]...)
+# ["val1", "val2"]
+```
+#### compact
+`compact` returns a new list with any empty string elements removed.
+```
+compact(list)
+```
+```
+compact(["", "val1", "val2"])
+# ["val1", "val2"]
+```
+#### concat
+`concat` takes one or more sequences (lists or tuples) and returns the single sequence that results from concatenating them together in order. 
+```
+concat(list, list...)
+```
+```
+concat(["val1"], ["val2", "val3"])
+# ["val1", "val2", "val3"]
+```
+#### contains
+`contains` returns a boolean if a list contains a given value
+```
+contains(list, value)
+```
+```
+contains(["val1", "val2"], "val2")
+# true
+```
+#### csvdecode
+`csvdecode` decodes a CSV-formatted string into a list of maps
+```
+csvdecode(string)
+```
+```
+csvdecode("col1,col2\nv1,v2\nv3,v4")
+###
+[
+  {
+    "col1" = "v1"
+    "col2" = "v2"
+  },
+  {
+    "col1" = "v3"
+    "col2" = "v4"
+  }
+]
+```
+#### distinct
+`distinct` returns a new list from another by removing all duplicates
+```
+distinct(list)
+```
+```
+distinct(["v1","v1","v2"])
+["v1", "v2"]
+```
+#### element
+`element` returns a single element from a given list at the given index. If index is greater than the length of the list then it is wrapped modulo the list length
+```
+element(list, index)
+```
+```
+element(["val1","val2"], 1)
+# val2
+```
+
+#### chunklist
+`chunklist` splits a single list into fixed-size chunks, returning a list of lists. 
+```
+chunklist(list, size)
+```
+```
+chunklist(["a","b"], 1)
+# [["a"], ["b"]]
+```
+#### flatten
+`flatten` takes a list and replaces any elements that are lists with a flattened sequence of the list contents. 
+```
+flatten(list)
+```
+```
+flatten([["a"], ["a","b"], ["c"]])
+# ["a","a","b","c"]
+```
+#### floor
+`floor` returns the closest whole number lesser than or equal to the given value. 
+```
+floor(number)
+```
+```
+floor(1)
+# 1
+floor(0.7)
+# 0
+```
+#### format
+`format` produces a string representation of zero or more values using a format string similar to the "printf" function in C.
+[Verbs details](https://pkg.go.dev/github.com/zclconf/go-cty/cty/function/stdlib#Format)
+```
+format(format, values)
+```
+```
+format("Hello %s", "world")
+# Hello world
+``` 
+#### formatdate
+`formatdate` reformats a timestamp given in RFC3339 syntax into another time syntax defined by a given format string.
+[Syntax details](https://pkg.go.dev/github.com/zclconf/go-cty/cty/function/stdlib#FormatDate)
+```
+formatdate(string, timestampString)
+```
+```
+formatdate("MMM DD YYYY", "2024-01-01T00:12:00Z")
+# Jan 01 2024
+```
+
+#### formatlist
+`formatlist` does the same as `format` but for a list of strings
+```
+formatlist(formatString, values...)
+```
+```
+formatlist("%s", ["Hello", "World"])
+###
+[
+  "Hello",
+  "World"
+]
+
+formatlist("%s %s", "hello", ["World", "You"])
+###
+[
+  "hello World",
+  "hello You",
+]
+```
+#### indent
+`indent` adds a given number of spaces to the beginnings of all but the first line in a given multi-line string. 
+```
+indent(number, string)
+```
+
+```
+indent(4, "hello,\nWorld\n!")
+###
+hello
+    World
+    !
+```
+#### int
+`int` removes the fractional component of the given number returning an integer representing the whole number component, rounding towards zero.
+
+```
+int(number)
+```
+```
+int(6.2)
+# 6
+```
+
+#### join
+`join` concatenates together the string elements of one or more lists with a given separator. 
+```
+join(listOfStrings, separator)
+```
+```
+join(" ", ["hello", "world"])
+# hello world
+```
+
+#### jsondecode
+`jsondecode` parses the given JSON string and, if it is valid, returns the value it represents. 
+```
+jsonencode(string)
+```
+Example :
+```
+jsonencode({"hello"="world"})
+# {"hello": "world"}
+```
+
+#### jsonencode
+`jsonencode` returns a JSON serialization of the given value. 
+```
+jsondecode(string)
+```
+Example :
+```
+jsondecode("{\"hello\": \"world\"}")
+# { hello = "world" }
+```
+#### keys
+`keys` takes a map and returns a sorted list of the map keys.
+
+```
+keys(map)
+```
+ 
+```
+keys({val1=1, val2=2, val3=3})
+# ["val1","val2","val3"]
+```
+#### length
+`length` returns the number of elements in the given __collection__. 
+See `strlen` for strings
+```
+length(list)
+```
+
+```
+length([1,2,3])
+# 3
+```
+#### log
+`log` returns returns the logarithm of a given number in a given base. 
+```
+log(number, base)
+```
+
+```
+log(1, 10)
+# 0
+```
+#### lookup
+`lookup` performs a dynamic lookup into a map. There are three required arguments, inputMap and key, plus a defaultValue, which is a value to return if the given key is not found in the inputMap. 
+```
+lookup(inputMap, key, defaultValue)
+```
+
+```
+map = { "luke" = "skywalker"}
+lookup(hv.maptest, "luke", "none")
+# skywalker
+lookup(hv.maptest, "leia", "none")
+# none
+```
+#### lower
+`lower` is a Function that converts a given string to lowercase.
+```
+lower(string)
+```
+
+```
+lower("HELLO world")
+# hello world
+```
+#### max
+`max` returns the maximum number from the given numbers. 
+```
+max(numbers)
+```
+
+```
+max(1,128,70)
+# 128
+
+```
+#### merge
+`merge` takes an arbitrary number of maps and returns a single map that contains a merged set of elements from all of the maps.
+```
+merge(maps)
+```
+```
+merge({a="1"}, {a=[1,2], c="world"}, {d=40})
+# { a = [1,2], c = "world", d = 40}
+
+```
+#### min
+`min` returns the minimum number from the given numbers. 
+```
+min(numbers)
+```
+```
+min(1,128,70)
+# 1
+```
+#### parseint
+`parseint` parses a string argument and returns an integer of the specified base. 
+```
+parseint(string, base)
+```
+```
+parseint("190", 10)
+# 190
+parseint("11001", 2)
+# 25
+```
+#### pow
+`pow` returns the logarithm of a given number in a given base. 
+```
+pow(number, power)
+```
+
+```
+pow(1, 10)
+# 1
+pow(3, 12)
+# 531441
+```
+#### range
+`range` creates a list of numbers by starting from the given starting value, then adding the given step value until the result is greater than or equal to the given stopping value. Each intermediate result becomes an element in the resulting list.
+```
+range(startingNumber, stoppingNumber, stepNumber)
+```
+
+```
+range(1, 10, 3)
+# [1, 4, 7]
+```
+#### regex
+`regex` is a function that extracts one or more substrings from a given string by applying a regular expression pattern, describing the first match. 
+The return type depends on the composition of the capture groups (if any) in the pattern:
+
+    If there are no capture groups at all, the result is a single string representing the entire matched pattern.
+    If all of the capture groups are named, the result is an object whose keys are the named groups and whose values are their sub-matches, or null if a particular sub-group was inside another group that didn't match.
+    If none of the capture groups are named, the result is a tuple whose elements are the sub-groups in order and whose values are their sub-matches, or null if a particular sub-group was inside another group that didn't match.
+    It is invalid to use both named and un-named capture groups together in the same pattern.
+
+If the pattern doesn't match, this function returns an error. To test for a match, call `regexall` and check if the length of the result is greater than zero. 
+```
+regex(pattern, string)
+```
+
+```
+regex("[0-9]+", "v1.2.3")
+# 1
+```
+#### regexall
+`regexall` is similar to Regex but it finds all of the non-overlapping matches in the given string and returns a list of them.
+
+The result type is always a list, whose element type is deduced from the pattern in the same way as the return type for Regex is decided.
+
+If the pattern doesn't match at all, this function returns an empty list. 
+```
+regexall(pattern, string)
+```
+
+```
+regexall("[0-9]+", "v1.2.3")
+# [1 2 3]
+```
+#### setintersection
+`setintersection` returns a new set containing the elements that exist in all of the given sets, which must have element types that can all be converted to some common type using the standard type unification rules. If conversion is not possible, an error is returned. 
+```
+setintersection(sets...)
+```
+
+```
+setintersection(["val1", "val2"], ["val1", "val3"], ["val1", "val2"])
+# ["val1"]
+```
+#### setproduct
+`setproduct` computes the Cartesian product of sets or sequences.
+```
+setproduct(sets...)
+```
+```
+setproduct(["host1", "host2"], ["stg.domain", "prod.domain"])
+### 
+[
+  [
+    "host1",
+    "stg.domain"
+  ],
+  [
+    "host2",
+    "stg.domain"
+  ],
+  [
+    "host1",
+    "prod.domain"
+  ],
+  [
+    "host2",
+    "prod.domain"
+  ],
+]
+``` 
+#### setsubtract
+`setsubtract` returns a new set containing the elements from the first set that are not present in the second set. The sets must have element types that can both be converted to some common type using the standard type unification rules. If conversion is not possible, an error is returned. 
+```
+setsubtract(sets...)
+```
+```
+setsubtract(["a", "b", "c"], ["a", "b"])
+### 
+["c"]
+``` 
+#### setunion
+`setunion` returns a new set containing all of the elements from the given sets, which must have element types that can all be converted to some common type using the standard type unification rules. If conversion is not possible, an error is returned. 
+```
+setunion(sets...)
+```
+
+```
+setunion(["a", "b"], ["b", "c"], ["a", "d"])
+### 
+["a", "b", "c", "d"]
+``` 
+#### signum
+`signum` determines the sign of a number, returning a number between -1 and 1 to represent the sign. 
+```
+signum(number)
+```
+```
+signum(-182)
+# -1
+``` 
+#### slice
+`slice` extracts some consecutive elements from within a list.
+startIndex is inclusive, endIndex is exclusive
+```
+slice(list, startIndex, endIndex)
+```
+```
+slice([{"a" = "b"}, {"c" = "d"}, , {"e" = "f"}], 1, 1)
+# []
+slice([{"a" = "b"}, {"c" = "d"}, {"e" = "f"}], 1, 2)
+# [{"c" = "d"}]
+``` 
+#### sort
+`sort` re-orders the elements of a given list of strings so that they are in ascending lexicographical order.
+```
+sort(list)
+```
+```
+sort(["1", "h", "r", "p", "word"])
+# ["1", "h", "p", "r", "word"]
+``` 
+#### split
+`split` divides a given string by a given separator, returning a list of strings containing the characters between the separator sequences. 
+```
+split(separatorString, string)
+```
+```
+split(".", "host.domain")
+# ["host", "domain"]
+``` 
+#### strlen
+`strlen` is a Function that returns the length of the given string in characters. 
+```
+strlen(string)
+```
+```
+strlen("yes")
+# 3
+``` 
+#### strrev
+`strrev` is a Function that reverses the order of the characters in the given string.
+```
+strrev(string)
+```
+```
+strrev("yes")
+# "sey"
+``` 
+#### substr
+`substr` is a Function that extracts a sequence of characters from another string and creates a new string. 
+```
+substr(string, offsetNumber, length)
+```
+```
+substr("host.domain", 0, 4)
+# "host"
+``` 
+#### timeadd
+`timeadd` adds a duration to a timestamp, returning a new timestamp.
+Only units "inferior" or equal to `h` are supported.
+The duration can be negative.
+```
+substr(timestamp, duration)
+```
+```
+timeadd("2024-01-01T00:00:00Z", "-2600h10m")
+# 2023-09-14T15:50:00Z
+``` 
+#### trim
+`trim` removes the specified characters from the start and end of the given string.
+```
+trim(string, string)
+```
+```
+trim("Can you do that ? Yes ?", "?")
+# "Can you do that ? Yes"
+``` 
+#### trimprefix
+`trimprefix` removes the specified prefix from the start of the given string. 
+```
+trimprefix(stringToTrim, trimmingString)
+```
+```
+trimprefix("please, do it", "please, ")
+# "do it"
+``` 
+#### trimspace
+`trimspace` removes any space characters from the start and end of the given string.
+```
+trimspace(string)
+```
+```
+trimspace("   Hello World   ")
+# "Hello World"
+``` 
+#### trimsuffix
+`trimsuffix` removes the specified suffix from the end of the given string. 
+```
+trimsuffix(stringToTrim, trimmingString)
+```
+```
+trimsuffix("Hello World", " World")
+# "Hello"
+``` 
+#### try
+`try` is a variadic function that tries to evaluate all of is arguments in sequence until one succeeds, in which case it returns that result, or returns an error if none of them succeed. 
+```
+try(expressions...)
+```
+```
+values {
+  map = {
+    hello = "you"
+    world = "us"
+  }
+  try(hv.map.do_not_exist, hv.map.world)
+}
+# "us"
+``` 
+#### upper
+`upper` is a Function that converts a given string to uppercase. 
+```
+upper(string)
+```
+```
+upper("up")
+# "UP"
+``` 
+#### values
+`values` returns a list of the map values, in the order of the sorted keys. This function only works on flat maps.
+```
+values(map)
+```
+```
+values({"a" = 1,"b" = 2})
+# [1, 2]
+``` 
+#### yamldecode
+`yamldecode` parses the given JSON string and, if it is valid, returns the value it represents. 
+```
+yamldecode(string)
+```
+```
+yamldecode("hello: world\narray: [1, 2, 3]")
+###
+{
+  array = [1, 2, 3]
+  hello = "world"
+}
+``` 
+#### yamlencode
+`yamlencode` returns a JSON serialization of the given value.
+```
+yamlencode({array = [1, 2, 3], hello = "world"})
+```
+
+```
+yamlencode({array = [1, 2, 3], hello = "world"})
+###
+"array":
+- 1
+- 2
+- 3
+"hello": "world"
+``` 
+#### zipmap
+`zipmap` constructs a map from a list of keys and a corresponding list of values.
+The lenght of each list must be equal
+```
+zipmap(keysList, valuesList)
+```
+```
+zipmap(["key1", "key2"], ["val1", "val2"])
+###
+{
+  "key1" = "val1"
+  "key2" = "val2"
+}
+``` 
--- a/docs/index.md
+++ b/docs/index.md
--- a/docs/license.md
+++ b/docs/license.md
@ -0,0 +1 @@
+../LICENSE
--- a/docs/paths.md
+++ b/docs/paths.md
@ -1,25 +1,29 @@
-# Paths Overivew 
-Using manifest files in conjunction with command line argument can be a bit confusing.  
+# Paths Overview

-A few rules to clear up this ambiguity: 
+Using manifest files in conjunction with command line argument can be a bit confusing.
+
+A few rules to clear up this ambiguity:

 - Absolute paths are always resolved as absolute paths
 - Relative paths referenced *in* the helmfile manifest itself are relative to that manifest
 - Relative paths referenced on the command line are relative to the current working directory the user is in
+- Relative paths referenced from within the helmfile loaded from the standard input using `helmfile -f -` are relative to the current working directory
+

 ### Examples
-There are several examples that we can go through in the `/examples` folder which demonstrate this.
+
+There are several examples that we can go through in the [`/examples`](../examples/) folder which demonstrate this.

 **Local Execution**

-This is an example of a Helmfile manifest referencing a local value directly. 
+This is an example of a Helmfile manifest referencing a local value directly.

 Indirect:
 ```
-helmfile -f examples/deployments/local/charts.yaml sync
+helmfile -f examples/deployments/local/helmfile.yaml sync
 ```

-Direct: 
+Direct:
 ```
 cd examples/deployments/local/
 helmfile sync
@ -27,14 +31,14 @@ helmfile sync

 **Relative Paths in Helmfile**

-This is an example of a Helmfile manifest using relative paths for values. 
+This is an example of a Helmfile manifest using relative paths for values.

 Indirect:
 ```
-helmfile -f examples/deployments/dev/charts.yaml sync
+helmfile -f examples/deployments/dev/helmfile.yaml sync
 ```

-Direct: 
+Direct:
 ```
 cd examples/deployments/dev/
 helmfile sync
@ -42,16 +46,16 @@ helmfile sync

 **Relative Paths in Helmfile w/ --values overrides**

-This is an example of a Helmfile manifest using relative paths for values including an additional `--values` from the command line.  
+This is an example of a Helmfile manifest using relative paths for values including an additional `--values` from the command line.

 NOTE: The `--values` is resolved relative to the CWD of the terminal *not* the Helmfile manifest.  You can see this with the `replicas` being adjusted to 3 now for the deployment.

 Indirect:
 ```
-helmfile -f examples/deployments/dev/charts.yaml sync --values values/replica-values.yaml
+helmfile -f examples/deployments/dev/helmfile.yaml sync --values values/replica-values.yaml
 ```

-Direct: 
+Direct:
 ```
 cd examples/deployments/dev/
 helmfile sync --values ../../values/replica-values.yaml
--- a/docs/proposals/towards-1.0.md
+++ b/docs/proposals/towards-1.0.md
@ -0,0 +1,121 @@
+# Towards Helmfile 1.0
+
+I'd like to make 3 breaking changes to Helmfile and mark it as 1.0, so that we can better communicate with the current and future Helmfile users about our stance on maintaining Helmfile.
+
+Note that every breaking change should have an easy alternative way to achieve the same goal achieved using the removed functionality.
+
+## Backward compatibility
+
+v1 is backward-compatible with v0.x, except for the following breaking changes.
+
+Each breaking change has an easy alternative way to achieve the same goal achieved using the removed functionality.
+
+We also provide the alternative way in the latest v0.x release before v1.0. That way you can start using the alternative way today and be ready for v1.0. Note that in v0.x, some of those alternative ways are enabled only when `HELMFILE_V1MODE=true` is set.
+
+> Context:
+>
+> Even though Helmfile had been used in production environments [across multiple organizations](USERS.md), it had been considered to be in its early stage of development, hence versioned 0.x.
+>
+> Helmfile complies to Semantic Versioning 2.0.0 in which v0.x means that there could be backward-incompatible changes for every release. However, Helmfile has been very conservative about breaking changes, and we had no breaking change for a year or so before start thinking about v1.
+>
+> That said, you can expect Helmfile v1 to be backward-compatible as much as it was in v0.x.
+
+## The changes in 1.0
+
+1. [Forbid the use of `environments` and `releases` within a single helmfile.yaml.gotmpl part](#forbid-the-use-of-environments-and-releases-within-a-single-helmfileyamlgotmpl-part)
+2. [Force `.gotmpl` file extension for `helmfile.yaml` in case you want helmfile to render it as a go template before yaml parsing.](#force-gotmpl-file-extension-for-helmfileyaml-in-case-you-want-helmfile-to-render-it-as-a-go-template-before-yaml-parsing)
+3. [Remove the `--args` flag from the `helmfile` command](#remove-the---args-flag-from-the-helmfile-command)
+4. [Remove `HELMFILE_SKIP_INSECURE_TEMPLATE_FUNCTIONS` in favor of `HELMFILE_DISABLE_INSECURE_FEATURES`](#remove-helmfile_skip_insecure_template_functions-in-favor-of-helmfile_disable_insecure_features)
+5. [The long deprecated `charts.yaml` has been finally removed](#the-long-deprecated-chartsyaml-has-been-finally-removed)
+6. [List experimental features](#list-experimental-features)
+7. [Remove charts and delete sub-commands](#remove-charts-and-delete-subcommands)
+
+### Forbid the use of `environments` and `releases` within a single helmfile.yaml.gotmpl part
+
+  - Helmfile currently relies on a hack called "double rendering" which no one understands correctly (I suppose) to solve the chicken-and-egg problem of rendering the helmfile template(which requires helmfile to parse `environments` as yaml first) and parsing the rendered helmfile as yaml(which requires helmfile to render the template first).
+  - By forcing (or print a big warning) the user to do separate helmfile parts for `environments` and `releases`, it's very unlikely Helmfile needs double-rendering at all.
+  - After this change, every helmfile.yaml written this way:
+
+        environments:
+          default:
+            values:
+            - foo: bar
+        releases:
+        - name: myapp
+          chart: charts/myapp
+          values:
+          - {{ .Values | toYaml | nindent 4 }}
+
+    must be rewritten like:
+
+        environments:
+          default:
+            values:
+            - foo: bar
+        ---
+        releases:
+        - name: myapp
+          chart: charts/myapp
+          values:
+          - {{ .Values | toYaml | nindent 4 }}
+
+    It might not be a deal breaker as you already had to separate helmfile parts when you need to generate `environments` dynamically:
+
+        environments:
+          default:
+            values:
+            - foo: bar
+        ---
+        environments:
+          default:
+            values:
+            - {{ .Values | toYaml | nindent 6}}}
+            - bar: baz
+        ---
+        releases:
+        - name: myapp
+          chart: charts/myapp
+          values:
+          - {{ .Values | toYaml | nindent 4 }}
+
+    If you're already using any helmfile.yaml files that are written in the first style, do start using `---` today! It will probably reveal and fix unintended template evaluations. If you start using `---` today, you won't need to do anything after Helmfile 1.0.
+
+### Force `.gotmpl` file extension for `helmfile.yaml` in case you want helmfile to render it as a go template before yaml parsing.
+
+  - As the primary maintainer of the project, I'm tired of explaining why Helmfile renders go template expressions embedded in a yaml comment. [The latest example of it](https://github.com/helmfile/helmfile/issues/127).
+  - When we first introduced helmfile the ability to render helmfile.yaml as a go template, I did propose it to require `.gotmpl` file extension to enable the feature. But none of active helmfile users and contributors at that time agreed with it (although I didn't have a very strong opinion on the matter either), so we enabled it without the extension. I consider it as a tech debt now.
+
+### Remove the `--args` flag from the `helmfile` command
+
+  - It has been provided as-is, and never intended to work reliably because it's fundamentally flawed because we have no way to specify which args to be passed to which `helm` commands being called by which `helmfile` command.
+  - However, I periodically see a new user finds it's not working and reporting it as a bug([the most recent example](https://github.com/roboll/helmfile/issues/2034#issuecomment-1147059088)). It's not a fault of the user. It's our fault that left this broken feature.
+  - Every use-case previsouly covered (by any chance) with `--args` should be covered in new `helmfile.yaml` fields or flags.
+
+### Remove `HELMFILE_SKIP_INSECURE_TEMPLATE_FUNCTIONS` in favor of `HELMFILE_DISABLE_INSECURE_FEATURES`
+
+  - This option didn't make much sense in practice. Generally, you'd want to disable all the insecure features altogether to make your deployment secure, or not disable any features. Disabling all is already possible via `HELMFILE_DISABLE_INSECURE_FEATURES `. In addition, `HELMFILE_SKIP_INSECURE_TEMPLATE_FUNCTIONS` literally made every insecure template function to silently skipped without any error or warning, which made debugging unnecessarily hard when the user accidentally used an insecure function.
+  - See https://github.com/helmfile/helmfile/pull/564 for more context.
+
+### The long deprecated `charts.yaml` has been finally removed
+
+Helmfile used to load `helmfile.yaml` or `charts.yaml` when you omitted the `-f` flag. `charts.yaml` has been deprecated for a long time but never been removed. We take v1 as a chance to finally remove it.
+
+### List experimental features
+
+We have some experimental features that are not stable yet. We should list them in a list and mark them as experimental.
+
+In Helmfile v1.x, all features should be backward-compatible within v1.x as we follow semver. We can't fix features in a backward incompatible way by default. To do so, we need a list of experimental features and say "anything in the experimentals can be modified backward-incompatible ways", and include features that are consireded experimental into the list beforehand.
+
+Why now?
+
+In Helmfile v0.x, all features considered experimental as we follow semver. However, we "ended up" preserving backward-compatibility within v0 and between v0 and v1 "by chance". This doesn't mean anything
+introduced in v0 is stable. For example, we might have some features implemented in a very later stage of v0 that are not stable yet. We should mark them as experimental, or we can't fix them in a backward-incompatible way in v1.x. That's why we need to list experimental features now.
+
+### remove-charts-and-delete-subcommands
+Now we remove `helmfile charts` and `helmfile delete` subcommands. you can use `helmfile destroy` and `helmfile sync` instead.
+
+## After 1.0
+
+We won't add any backward-incompatible changes while in 1.x, as long as it's inevitable to fix unseen important bug(s).
+
+We also quit saying [Helmfile is in its early days](https://github.com/helmfile/helmfile#status) in your README as... it's just untrue today.
--- a/docs/remote-secrets.md
+++ b/docs/remote-secrets.md
@ -0,0 +1,57 @@
+# Secrets
+
+helmfile can handle secrets using [helm-secrets](https://github.com/jkroepke/helm-secrets) plugin or using remote secrets storage
+(everything that package [vals](https://github.com/helmfile/vals) can handle vault, AWS SSM etc)
+This section will describe the second use case.
+
+# Remote secrets
+
+This paragraph will describe how to use remote secrets storage (vault, SSM etc) in helmfile
+
+## Fetching single key
+
+To fetch single key from remote secret storage you can use `fetchSecretValue` template function example below
+
+```yaml
+# helmfile.yaml
+
+repositories:
+  - name: stable
+    url: https://charts.helm.sh/stable
+---
+environments:
+  default:
+    values:
+      - service:
+          password: ref+vault://svc/#pass
+          login: ref+vault://svc/#login
+releases:
+  - name: service
+    namespace: default
+    labels:
+      cluster: services
+      secrets: vault
+    chart: stable/svc
+    version: 0.1.0
+    values:
+      - service:
+          login: {{ .Values.service.login | fetchSecretValue }} # this will resolve ref+vault://svc/#pass and fetch secret from vault
+          password: {{ .Values.service.password | fetchSecretValue | quote }}
+      # - values/service.yaml.gotmpl   # alternatively
+```
+## Fetching multiple keys
+Alternatively you can use `expandSecretRefs` to fetch a map of secrets
+```yaml
+# values/service.yaml.gotmpl
+service:
+{{ .Values.service | expandSecretRefs | toYaml | nindent 2 }}
+```
+
+This will produce
+```yaml
+# values/service.yaml
+service:
+  login: svc-login # fetched from vault
+  password: pass
+
+```
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@ -0,0 +1,22 @@
+Babel==2.17.0
+click==8.1.2
+ghp-import==2.0.2
+gitdb==4.0.9
+GitPython==3.1.41
+importlib-metadata==4.11.3
+Jinja2==3.1.6
+Markdown==3.6
+MarkupSafe==2.1.1
+mergedeep==1.3.4
+mkdocs==1.6.0
+mkdocs-git-revision-date-localized-plugin==1.0.1
+packaging==21.3
+pyparsing==3.0.7
+python-dateutil==2.8.2
+pytz==2022.1
+PyYAML==6.0.2
+pyyaml_env_tag==0.1
+six==1.16.0
+smmap==5.0.0
+watchdog==2.1.7
+zipp==3.19.1
--- a/docs/shared-configuration-across-teams.md
+++ b/docs/shared-configuration-across-teams.md
@ -0,0 +1,152 @@
+# Shared Configuration Across Teams
+
+Assume you have two or more teams, each work for a different internal or external service, like:
+
+- Product 1
+- Product 2
+- Observability
+
+The simplest `helmfile.yaml` that declares the whole cluster that is composed of the three services would look like the below:
+
+```yaml
+releases:
+- name: product1-api
+  chart: product1-charts/api
+  # snip
+- name: product1-web
+  chart: product1-charts/web
+  # snip
+- name: product2-api
+  chart: saas-charts/api
+  # snip
+- name: product2-web
+  chart: product2-charts/web
+  # snip
+- name: observability-prometheus-operator
+  chart: stable/prometheus-operator
+  # snip
+- name: observability-process-exporter
+  chart: stable/prometheus-operator
+  # snip
+```
+
+This works, but what if you wanted to a separate cluster per service to achieve a smaller blast radius?
+
+Let's start by creating a `helmfile.yaml` for each service.
+
+`product1/helmfile.yaml`:
+
+```yaml
+releases:
+- name: product1-api
+  chart: product1-charts/api
+  # snip
+- name: product1-web
+  chart: product1-charts/web
+  # snip
+- name: observability-prometheus-operator
+  chart: stable/prometheus-operator
+  # snip
+- name: observability-process-exporter
+  chart: stable/prometheus-operator
+  # snip
+```
+
+`product2/helmfile.yaml`:
+
+```yaml
+releases:
+- name: product2-api
+  chart: product2-charts/api
+  # snip
+- name: product2-web
+  chart: product2-charts/web
+  # snip
+- name: observability-prometheus-operator
+  chart: stable/prometheus-operator
+  # snip
+- name: observability-process-exporter
+  chart: stable/prometheus-operator
+  # snip
+```
+
+You will (of course!) notice this isn't DRY.
+
+To remove the duplication of observability stack between the two helmfiles, create a "sub-helmfile" for the observability stack.
+
+`observability/helmfile.yaml`:
+
+```yaml
+- name: observability-prometheus-operator
+  chart: stable/prometheus-operator
+  # snip
+- name: observability-process-exporter
+  chart: stable/prometheus-operator
+  # snip
+```
+
+As you might have imagined, the observability helmfile can be reused from the two product helmfiles by declaring `helmfiles`.
+
+`product1/helmfile.yaml`:
+
+```yaml
+helmfiles:
+- ../observability/helmfile.yaml
+
+releases:
+- name: product1-api
+  chart: product1-charts/api
+  # snip
+- name: product1-web
+  chart: product1-charts/web
+  # snip
+```
+
+`product2/helmfile.yaml`:
+
+```yaml
+helmfiles:
+- ../observability/helmfile.yaml
+
+releases:
+- name: product2-api
+  chart: product2-charts/api
+  # snip
+- name: product2-web
+  chart: product2-charts/web
+  # snip
+```
+
+## Using sub-helmfile as a template
+
+You can go even further by generalizing the product related releases as a pair of `api` and `web`:
+
+`shared/helmfile.yaml`:
+
+```yaml
+releases:
+- name: product{{ env "PRODUCT_ID" }}-api
+  chart: product{{ env "PRODUCT_ID" }}-charts/api
+  # snip
+- name: product{{ env "PRODUCT_ID" }}-web
+  chart: product{{ env "PRODUCT_ID" }}-charts/web
+  # snip
+```
+
+Then you only need one single product helmfile
+
+
+`product/helmfile.yaml`:
+
+```yaml
+helmfiles:
+- ../observability/helmfile.yaml
+- ../shared/helmfile.yaml
+```
+
+Now that we use the environment variable `PRODUCT_ID` to as the parameters of release names, you need to set it before running `helmfile`, so that it produces the differently named releases per product:
+
+```console
+$ PRODUCT_ID=1 helmfile -f product/helmfile.yaml apply
+$ PRODUCT_ID=2 helmfile -f product/helmfile.yaml apply
+```
--- a/docs/templating_funcs.md
+++ b/docs/templating_funcs.md
@ -0,0 +1,150 @@
+# Template Functions
+
+#### `env`
+The `env` function allows you to declare a particular environment variable as an optional for template rendering.
+If the environment variable is unset or empty, the template rendering will continue with an empty string as a value.
+
+```yaml
+{{ $envValue := env "envName" }}
+```
+
+#### `requiredEnv`
+The `requiredEnv` function allows you to declare a particular environment variable as required for template rendering.
+If the environment variable is unset or empty, the template rendering will fail with an error message.
+
+```yaml
+{{ $envValue := requiredEnv "envName" }}
+```
+
+> If the environment variable value starts with '/' (forward slash) and [Git for Windows](https://git-scm.com/download/win) is used, you must set `MSYS_NO_PATHCONV=1` to preserve values as-is, or the environment variable value will be prefixed with the `C:\Program Files\Git`. [reference](https://github.com/git-for-windows/build-extra/blob/main/ReleaseNotes.md#known-issues)
+
+#### `exec`
+The `exec` function allows you to run a command, returning the stdout of the command. When the command fails, the template rendering will fail with an error message.
+
+```yaml
+{{ $cmdOutpot := exec "./mycmd" (list "arg1" "arg2" "--flag1") }}
+```
+
+#### `envExec`
+The `envExec` function allows you to run a command with environment variables declared on-the-fly in addition to existing environment variables, returning the stdout of the command. When the command fails, the template rendering will fail with an error message.
+
+```yaml
+{{ $cmdOutpot := envExec (dict "envKey" "envValue") "./mycmd" (list "arg1" "arg2" "--flag1") }}
+```
+
+#### `isFile`
+The `isFile` function allows you to check if a file exists. On failure, the template rendering will fail with an error message.
+
+```yaml
+{{ if isFile "./myfile" }}
+```
+
+#### `isDir`
+The `isDir` function allows you to check if a directory exists. On failure, the template rendering will fail with an error message.
+
+```yaml
+{{ if isDir "./mydirectory" }}
+```
+
+#### `readFile`
+The `readFile` function allows you to read a file and return its content as the function output. On failure, the template rendering will fail with an error message.
+
+```yaml
+{{ $fileContent := readFile "./myfile" }}
+```
+
+#### `readDir`
+The `readDir` function returns a list of the relative paths to the files contained within the directory. (No folders included. Use `readDirEntries` if you need folders too)
+
+```yaml
+{{ range $index,$item := readDir "./testdata/tmpl/sample_folder/" }}
+  {{- $itemSplit := splitList  "/" $item -}}
+  {{- if contains "\\" $item -}}
+  {{- $itemSplit = splitList "\\" $item -}}
+  {{- end -}}
+  {{- $itemValue := $itemSplit | last -}}
+  {{- $itemValue -}}
+{{- end -}}
+```
+
+#### `readDirEntries`
+The `readDirEntries` function returns a list of [DirEntry](https://pkg.go.dev/os#DirEntry) contained within the directory
+
+```yaml
+{{ range $index,$item := readDirEntries "./testdata/tmpl/sample_folder/" }}
+  {{- if $item.IsDir -}}
+  {{- $item.Name -}}
+  {{- end -}}
+{{- end -}}
+```
+
+#### `toYaml`
+The `toYaml` function allows you to convert a value to YAML string. When has failed, the template rendering will fail with an error message.
+
+```yaml
+{{ $yaml :=  $value | toYaml }}
+```
+
+#### `fromYaml`
+The `fromYaml` function allows you to convert a YAML string to a value. When has failed, the template rendering will fail with an error message.
+
+```yaml
+{{ $value :=  $yamlString | fromYaml }}
+```
+
+#### `setValueAtPath`
+The `setValueAtPath` function allows you to set a value at a path. When has failed, the template rendering will fail with an error message.
+
+```yaml
+{{ $value | setValueAtPath "path.key" $newValue }}
+```
+
+#### `get`
+The `get` function allows you to get a value at a path. you can set a default value when the path is not found. When has failed, the template rendering will fail with an error message.
+
+```yaml
+{{ $Getvalue :=  $value | get "path.key" "defaultValue" }}
+```
+
+#### `getOrNil`
+The `getOrNil` function allows you to get a value at a path. it will return nil when the value of path is not found. When has failed, the template rendering will fail with an error message.
+
+```yaml
+{{ $GetOrNlvalue :=  $value | getOrNil "path.key" }}
+```
+
+#### `tpl`
+The `tpl` function allows you to render a template. When has failed, the template rendering will fail with an error message.
+
+```yaml
+{{ $tplValue :=  $value | tpl "{{ .Value.key }}" }}
+```
+
+#### `required`
+The `required` function returns the second argument as-is only if it is not empty. If empty, the template rendering will fail with an error message containing the first argument.
+
+```yaml
+{{ $requiredValue :=  $value | required "value not set" }}
+```
+
+#### `fetchSecretValue`
+The `fetchSecretValue` function parses the argument as a [vals](https://github.com/helmfile/vals) ref URL, retrieves and returns the remote secret value referred by the URL. In case it failed to access the remote secret backend for whatever reason or the URL was invalid, the template rendering will fail with an error message.
+
+```yaml
+{{ $fetchSecretValue :=  fetchSecretValue "secret/path" }}
+```
+
+#### `expandSecretRefs`
+The `expandSecretRefs` function takes an object as the argument and expands every [vals](https://github.com/helmfile/vals) secret reference URL embedded in the object's values. See ["Remote Secrets" page in our documentation](./remote-secrets.md) for more information.
+
+```yaml
+{{ $expandSecretRefs :=  $value | expandSecretRefs }}
+```
+
+#### `include`
+The 'include' function allows including and rendering nested templates. The function returns the created template or an error if any occurred. It will load functions from `_*.tpl` files in the directory where the helmfile.yaml is located.
+
+For nested helmfile.yaml files, it will load `_*.tpl` files in the directory where each nested helmfile.yaml is located. example: [include](https://github.com/helmfile/helmfile/tree/main/test/integration/test-cases/include-template-func/input)
+```yaml
+{{ include "my-template" . }}
+```
--- a/docs/users.md
+++ b/docs/users.md
@ -0,0 +1 @@
+../USERS.md
--- a/docs/writing-helmfile.md
+++ b/docs/writing-helmfile.md
@ -0,0 +1,425 @@
+# The Helmfile Best Practices Guide
+
+This guide covers the Helmfile’s considered patterns for writing advanced helmfiles. It focuses on how helmfile should be structured and executed.
+
+## Helmfile .Values vs Helm .Values
+
+Templating engine of Helmfile uses the same pipeline name `.Values` as Helm, so in some use-cases `.Values` of Helmfile and
+Helm can be seen in the same file. To distinguish these two kinds of `.Values`, Helmfile provides an alias `.StateValues`
+for its `.Values`.
+
+```
+app:
+  project: {{.Environment.Name}}-{{.StateValues.project}} # Same as {{.Environment.Name}}-{{.Values.project}}
+
+{{`
+extraEnvVars:
+- name: APP_PROJECT
+  value: {{.Values.app.project}}
+`}}
+```
+
+## Missing keys and Default values
+
+helmfile tries its best to inform users for noticing potential mistakes.
+
+One example of how helmfile achieves it is that, `helmfile` fails when you tried to access missing keys in environment values.
+
+That is, the following example let `helmfile` fail when you have no `eventApi.replicas` defined in environment values.
+
+```
+{{ .Values.eventApi.replicas | default 1 }}
+```
+
+In case it isn't a mistake and you do want to allow missing keys, use the `get` template function:
+
+```
+{{ .Values | get "eventApi.replicas" nil }}
+```
+
+This result in printing `<no value` in your template, that may or may not result in a failure.
+
+If you want a kind of default values that is used when a missing key was referenced, use `default` like:
+
+```
+{{ .Values | get "eventApi.replicas" 1 }}
+```
+
+Now, you get `1` when there is no `eventApi.replicas` defined in environment values.
+
+## Release Template / Conventional Directory Structure
+
+Introducing helmfile into a large-scale project that involves dozens of releases often results in a lot of repetitions in `helmfile.yaml` files.
+
+The example below shows repetitions in `namespace`, `chart`, `values`, and `secrets`:
+
+```yaml
+releases:
+# *snip*
+- name: heapster
+  namespace: kube-system
+  chart: stable/heapster
+  version: 0.3.2
+  values:
+  - "./config/heapster/values.yaml"
+  - "./config/heapster/{{ .Environment.Name }}.yaml"
+  secrets:
+  - "./config/heapster/secrets.yaml"
+  - "./config/heapster/{{ .Environment.Name }}-secrets.yaml"
+
+- name: kubernetes-dashboard
+  namespace: kube-system
+  chart: stable/kubernetes-dashboard
+  version: 0.10.0
+  values:
+  - "./config/kubernetes-dashboard/values.yaml"
+  - "./config/kubernetes-dashboard/{{ .Environment.Name }}.yaml"
+  secrets:
+  - "./config/kubernetes-dashboard/secrets.yaml"
+  - "./config/kubernetes-dashboard/{{ .Environment.Name }}-secrets.yaml"
+```
+
+This is where Helmfile's advanced feature called Release Template comes handy.
+
+It allows you to abstract away the repetitions in releases into a template, which is then included and executed by using YAML anchor/alias:
+
+```yaml
+templates:
+  default:
+    chart: stable/{{`{{ .Release.Name }}`}}
+    namespace: kube-system
+    # This prevents helmfile exiting when it encounters a missing file
+    # Valid values are "Error", "Warn", "Info", "Debug". The default is "Error"
+    # Use "Debug" to make missing files errors invisible at the default log level(--log-level=INFO)
+    missingFileHandler: Warn
+    values:
+    - config/{{`{{ .Release.Name }}`}}/values.yaml
+    - config/{{`{{ .Release.Name }}`}}/{{`{{ .Environment.Name }}`}}.yaml
+    secrets:
+    - config/{{`{{ .Release.Name }}`}}/secrets.yaml
+    - config/{{`{{ .Release.Name }}`}}/{{`{{ .Environment.Name }}`}}-secrets.yaml
+
+releases:
+- name: heapster
+  version: 0.3.2
+  inherit:
+  - template: default
+    except:
+      - secrets
+- name: kubernetes-dashboard
+  version: 0.10.0
+  inherit:
+  - template: default
+```
+
+Release Templating supports the following parts of release definition:
+
+- basic fields: `name`, `namespace`, `chart`, `version`
+
+- boolean fields: `installed`, `wait`, `waitForJobs`, `verify` by the means of additional text
+  fields designed for templating only: `installedTemplate`, `waitTemplate`, `verifyTemplate`
+
+        # ...
+          installedTemplate: '{{`{{ eq .Release.Namespace "kube-system" }}`}}'
+          waitTemplate: '{{`{{ eq .Release.Labels.tag "safe" | not }}`}}'
+        # ...
+
+- `set` block values:
+
+        # ...
+          setTemplate:
+          - name: '{{`{{ .Release.Name }}`}}'
+            values: '{{`{{ .Release.Namespace }}`}}'
+        # ...
+
+- `values` and `secrets` file paths:
+
+        # ...
+          valuesTemplate:
+          - config/{{`{{ .Release.Name }}`}}/values.yaml
+          secrets:
+          - config/{{`{{ .Release.Name }}`}}/secrets.yaml
+        # ...
+
+- inline `values` map:
+
+        # ...
+          valuesTemplate:
+          - image:
+              tag: '{{`{{ .Release.Labels.tag }}`}}'
+        # ...
+
+Previously, we've been using YAML anchors for release template inheritance.
+It turned out not work well when you wanted to nest templates for complex use cases and/or you want a fine control over which fields to inherit or not.
+Thus we added a new way for inheritance, which uses the `inherit` field we introduced above.
+
+See [issue helmfile/helmfile#435](https://github.com/helmfile/helmfile/issues/435#issuecomment-1362177510) for more context.
+
+You might also find [issue roboll/helmfile#428](https://github.com/roboll/helmfile/issues/428) useful for more context on how we originally designed the release template and what it's supposed to solve.
+
+## Layering Release Values
+
+Please note, that it is not possible to layer `values` sections. If `values` is defined in the release and in the release template, only the `values` defined in the release will be considered. The same applies to `secrets` and `set`.
+
+## Layering State Files
+
+> See **Layering State Template Files** if you're layering templates.
+
+You may occasionally end up with many helmfiles that shares common parts like which repositories to use, and which release to be bundled by default.
+
+Use Layering to extract the common parts into a dedicated *library helmfile*s, so that each helmfile becomes DRY.
+
+Let's assume that your `helmfile.yaml` looks like:
+
+```yaml
+bases:
+- environments.yaml
+
+releases:
+- name: metricbeat
+  chart: stable/metricbeat
+- name: myapp
+  chart: mychart
+```
+
+Whereas `environments.yaml` contained well-known environments:
+
+```yaml
+environments:
+  development:
+  production:
+```
+
+At run time, `bases` in your `helmfile.yaml` are evaluated to produce:
+
+```yaml
+---
+# environments.yaml
+environments:
+  development:
+  production:
+---
+# helmfile.yaml
+releases:
+- name: myapp
+  chart: mychart
+- name: metricbeat
+  chart: stable/metricbeat
+```
+
+Finally the resulting YAML documents are merged in the order of occurrence,
+so that your `helmfile.yaml` becomes:
+
+```yaml
+environments:
+  development:
+  production:
+
+releases:
+- name: metricbeat
+  chart: stable/metricbeat
+- name: myapp
+  chart: mychart
+```
+
+Great!
+
+Now, repeat the above steps for each your `helmfile.yaml`, so that all your helmfiles becomes DRY.
+
+Please also see [the discussion in the issue 388](https://github.com/roboll/helmfile/issues/388#issuecomment-491710348) for more advanced layering examples.
+
+## Merging Arrays in Layers
+
+Helmfile doesn't merge arrays across layers. That is, the below example doesn't work as you might have expected:
+
+```yaml
+releases:
+- name: metricbeat
+  chart: stable/metricbeat
+---
+releases:
+- name: myapp
+  chart: mychart
+```
+
+Helmfile overrides the `releases` array with the latest layer so the resulting state file will be:
+
+```yaml
+releases:
+# metricbeat release disappeared! but that's how helmfile works
+- name: myapp
+  chart: mychart
+```
+
+A work-around is to treat the state file as a go template and use `readFile` template function to import the common part of your state file as a plain text:
+
+`common.yaml`:
+
+```yaml
+templates:
+  metricbeat: &metricbeat
+    name: metricbeat
+    chart: stable/metricbeat
+```
+
+`helmfile.yaml`:
+
+```yaml
+{{ readFile "common.yaml" }}
+
+releases:
+- <<: *metricbeat
+- name: myapp
+  chart: mychart
+```
+
+## Layering State Template Files
+
+Do you need to make your state file even more DRY?
+
+Turned out layering state files wasn't enough for you?
+
+Helmfile supports an advanced feature that allows you to compose state "template" files to generate the final state to be processed.
+
+In the following example `helmfile.yaml.gotmpl`, each `---` separated part of the file is a go template.
+
+`helmfile.yaml.gotmpl`:
+
+```yaml
+# Part 1: Reused Environment Values
+bases:
+  - myenv.yaml
+---
+# Part 2: Reused Defaults
+bases:
+  - mydefaults.yaml.gotmpl
+---
+# Part 3: Dynamic Releases
+releases:
+  - name: test1
+    chart: mychart-{{ .Values.myname }}
+    values:
+      - replicaCount: 1
+        image:
+          repository: "nginx"
+          tag: "latest"
+```
+
+Suppose the `myenv.yaml` and `test.env.yaml` loaded in the first part looks like:
+
+`myenv.yaml`:
+
+```yaml
+environments:
+  test:
+    values:
+      - test.env.yaml
+```
+
+`test.env.yaml`:
+
+```yaml
+kubeContext: test
+wait: false
+cvOnly: false
+myname: "dog"
+```
+
+Where the gotmpl file loaded in the second part looks like:
+
+`mydefaults.yaml.gotmpl`:
+
+```yaml
+helmDefaults:
+  kubeContext: {{ .Values.kubeContext }}
+  verify: false
+  {{ if .Values.wait }}
+  wait: true
+  {{ else }}
+  wait: false
+  {{ end }}
+  timeout: 600
+  recreatePods: false
+  force: true
+```
+
+Each go template is rendered in the context where `.Values` is inherited from the previous part.
+
+So in `mydefaults.yaml.gotmpl`, both `.Values.kubeContext` and `.Values.wait` are valid as they do exist in the environment values inherited from the previous part(=the first part) of your `helmfile.yaml.gotmpl`, and therefore the template is rendered to:
+
+```yaml
+helmDefaults:
+  kubeContext: test
+  verify: false
+  wait: false
+  timeout: 600
+  recreatePods: false
+  force: true
+```
+
+Similarly, the third part of the top-level `helmfile.yaml.gotmpl`, `.Values.myname` is valid as it is included in the environment values inherited from the previous parts:
+
+```yaml
+# Part 3: Dynamic Releases
+releases:
+  - name: test1
+    chart: mychart-{{ .Values.myname }}
+    values:
+      replicaCount: 1
+      image:
+        repository: "nginx"
+        tag: "latest"
+```
+
+hence rendered to:
+
+```yaml
+# Part 3: Dynamic Releases
+releases:
+  - name: test1
+    chart: mychart-dog
+    values:
+      replicaCount: 1
+      image:
+        repository: "nginx"
+        tag: "latest"
+```
+
+## Re-using environment state in sub-helmfiles
+
+Do you want to decouple the environment state loading from the sub-helmfiles and load it only once?
+
+This example shows how to do this:
+
+```yaml
+environments:
+  stage:
+    values:
+    - env/stage.yaml
+  prod:
+    values:
+    - env/prod.yaml
+---
+
+helmfiles:
+- path: releases/myrelease/helmfile.yaml
+  values:
+  - {{ toYaml .Values | nindent 4 }}
+  # pass the current state values to the sub-helmfile
+  # add other values to use overlay logic here
+```
+
+and `releases/myrelease/helmfile.yaml` is as DRY as
+
+```yaml
+releases:
+- name: mychart-{{ .Values.myrelease.myname }}
+  installed: {{ .Values | get "myrelease.enabled" false }}
+  chart: mychart
+  version: {{ .Values.myrelease.version }}
+  labels:
+    chart: mychart
+  values:
+  - values.yaml.gotmpl
+  # templated values would also inherit the values passed from upstream
+```
--- a/examples/README.md
+++ b/examples/README.md
@ -17,7 +17,7 @@ releases:
    # DB host, port, and connection opts for the environment
    values:
    - "deploy/environments/{{ env "RAILS_ENV" }}/values.yaml"
-    # DB username and password encrypted with helm-secrets(mozilla/sops)
+    # DB username and password encrypted with helm-secrets (getsops/sops)
    secrets:
    - "deploy/environments/{{ env "RAILS_ENV" }}/secrets.yaml"
 ```
@ -26,7 +26,7 @@ You would then start a database migration job by executing:

 ```console
 # Start a database migration for the prod environment
-$ RAILS_ENV=prod helmfile sync --selector job=dbmigrator
+$ RAILS_ENV=prod helmfile --selector job=dbmigrator sync

 # Tail log until you are satisfied
 $ kubectl logs -l job=dbmigrator
--- a/examples/charts/argocd-helmfile-deployment/Chart.yaml
+++ b/examples/charts/argocd-helmfile-deployment/Chart.yaml
@ -0,0 +1,11 @@
+apiVersion: v2
+name: argo-cd
+description: Kubernetes continuous deployment system
+type: application
+version: 3.2.0
+appVersion: "3.2.0"  # ArgoCD version
+
+dependencies:
+- name: argo-cd
+  version: 3.2.0
+  repository: https://argoproj.github.io/argo-helm
--- a/examples/charts/argocd-helmfile-deployment/README.md
+++ b/examples/charts/argocd-helmfile-deployment/README.md
@ -0,0 +1,136 @@
+# ArgoCD Deployment
+
+This example is intended to show how you can use Helmfile with ArgoCD in a private way. The example deployment demonstrates how to deploy ArgoCD with the helmfile plugin, and how to use helmfile within ArgoCD to connect to various private external systems.
+
+If you intend to follow this example, please pay close attention to the caveats. This chart will not work if you deploy it as-is, you will need to customise many parts of it to match the infrastructure of your organisation.
+
+## What is the point of this chart?
+
+There are many organisations out there which would like to widen Kubernetes adoption but struggle with the requirement to keep all data confidential and follow best practices. For example, one best practice is to to implement a CI/CD process for all deployments including Helm charts. As part of this process we may want to keep secrets in private Vault secret storage, use Helm charts from a private chart museum, customised Helm values from a private Git repository and docker images from a private docker repository. ArgoCD alone cannot do all of these things at once, but we can achieve this if we configure it with Helmfile.
+
+This example is intended to show how you COULD use ArgoCD together with Helmfile to implement a fully private CI/CD system. Your deployment may be a litte bit different, or very different to this example. It's intended only as an example.
+
+The helm chart in this repo can be deployed with Helmfile, if you follow the prerequisites. In order for the deployment to work correctly, you will need to follow the prerequisites and update all of the `values.yaml` file entries with a `# TODO` comment.
+
+# Deployment planning
+
+* Getting started: https://argoproj.github.io/argo-cd/getting_started/
+* Helm Chart: https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
+* SSO Setup: https://argoproj.github.io/argo-cd/operator-manual/user-management/microsoft/#azure-ad-app-registration-auth-using-oidc
+* RBAC: https://medium.com/dzerolabs/configuring-sso-with-azure-active-directory-on-argocd-d20be4ba753b
+* Vault
+* Private Chartmuseum (Harbor)
+
+What are the interactions between the different systems?
+
+* ArgoCD will run on Kubernetes. We must use a custom build of ArgoCD as the official build doesn't ship with the runtime binaries which we will need to execute Helmfile and interact with Vault.
+* ArgoCD interacts with AzureAD for SSO. ArgoCD has to be configured as an enterprise app in Azure AD for authorization and authentication by an administrator. We put the client ID and client secrets into Vault for safe keeping.
+* ArgoCD interacts with Vault in order to pull secrets for customising Helm deployments. Sometimes we need to inject secrets into the values.yaml file of a Helm deployment. ArgoCD will use an AppRole for authentication into Vault, and this is done once during the deployment. The ArgoCD Vault credentials are saved in Vault for safe keeping.
+* ArgoCD may need to interact with a private Git server. This is so that ArgoCD can access the `helmfile.yaml` files before executing Helmfile. Additional configuration files (like `conf.d` and other `values.yaml`) files can be kept in here.
+* ArgoCD will authenticate to a private chart museum. This is so that we can keep the private helm charts private.
+
+# Prerequisites
+
+## Docker image
+
+* Build the docker image from the `argocd.dockerfile` file in this folder.
+* Upload the image to your private docker registry and make a note of the registry URL and tag.
+* Customise the `values.yaml` file in this folder.
+  Replace `argo-cd.global.image.repository` for the docker registry URL of your private registry.
+  Replace `argo-cd.global.image.tag` for the tag which you used to upload your private docker image.
+
+## Configure Single Sign-On for ArgoCD
+
+* Log into AzureAD as an administrator.
+* Create a new App Registration in your tenant for ArgoCD.
+* Create a new Client ID and client secret.
+* Save the client ID and client secret into your vault server.
+  - Save the client ID and client secret into Vault. Suggested keys: `internal/argocd/auth#azure_oidc_client_id` and `internal/argocd/auth#azure_oidc_client_secret`.
+* Update `values.yaml` for your deployment
+  - Update `argo-cd.server.config.oidc.config` - replace `SOME_AZURE_AD_TENANT` for your actual plaintext AzureAD tenant ID.
+  - Update `argo-cd.server.config.oidc.config` - replace `SOME_AZURE_AD_UUID` for your actual plaintext AzureAD client app ID.
+  - Verify that the Vault path specified in `argo-cd.config.secret.extra.oidc.azure.clientSecret` is the correct path in Vault.
+* Customise the ingress objects in the source to match what your expected external URL will be. Update `values.yaml` to have the correct values for the hostname you plan to use.
+  - `argo-cd.config.server.(url|hostname)`
+    ```yaml
+    url: 'https://my.argocd.deployment.org' # TODO
+    hostname: my.argocd.deployment.org      # TODO
+    ```
+
+## Configure authentication from ArgoCD into Vault (or read next section on how to disable it)
+
+* Read the documentation from Hashicorp on AppRoles. Provision a new AppRole for ArgoCD with policies.
+  - In the example the authentication path in Vault is assumed to be `auth/approle/login`. If that's not the case then update line 123 in `values.yaml`.
+* Store the AppRole credentials for ArgoCD in Vault. We will use Helmfile to pull them from here when we launch the chart.
+  - Suggested paths: `internal/vault/argocd#role_id` and `internal/vault/argocd#secret_id`
+* Verify that the Vault paths in `values.yaml` are correct
+  - `argo-cd.config.secret.extra.vault_role_id`
+  - `argo-cd.config.secret.extra.vault_secret_id`
+* Replace `ROLE_ID` and `SECRET_ID` in `values.yaml` (line 124) with the actual plaintext values (values key `argocd.server.config.configManagementPlugins`). This is not 100% secure but was the only way that I could manage to get the rest of the deployment working. I advise you add `values.yaml` to `.gitignore` after doing this step.
+
+## Disable Vault (optional)
+
+If you are not going to use Vault, then you need to update the values to get your deployment to use Helmfile.
+* If you are not going to use Vault, then remove the line in `values.yaml` that starts with `export VAULT_TOKEN=...`.
+
+## Configure authentication from ArgoCD into private Git repository
+
+* Create a new API user in your Git system (username + password auth). ArgoCD will use these credentials to pull `values.yaml` and `helmfile.yaml` for your project.
+* Save the username and password into Vault
+  - Recommended keys: `internal/git/users/argocd#username` and `internal/git/users/argocd#password`
+* Verify that the Vault paths in `values.yaml` are correct
+  - `argo-cd.config.secret.extra.git_username`
+  - `argo-cd.config.secret.extra.git_password`
+* Update the settings in `values.yaml` for repositories - remove the example Git URLS and replace with actual Git URLs for your project.
+  - `https://my.git.server.org/my-team/my-repo-one.git`
+  - `https://my.git.server.org/my-team/my-repo-two.git`
+
+## Configure authentication from ArgoCD to your private Docker registry and Chartmuseum
+
+* This guide is written with Harbor in mind, which is both a docker registry and chart museum. If you have separate systems in place you might need to configure these things separately.
+* Create a new set of credentials for Harbor and save them into Vault.
+  - Suggested paths: `internal/harbor/users/argocd#username`, `internal/harbor/users/argocd#username`.
+* Verify that the Vault paths in `values.yaml` are correct
+  - `argo-cd.config.secret.extra.harbor_username`
+  - `argo-cd.config.secret.extra.harbor_password`
+* Change the Helm URL on line 95 in `values.yaml` for the actual URL of your Helm Chartmuseum deployment.
+  - `https://my.harbor.deployment.org/chartrepo/my-project`
+
+# Deploy ArgoCD for the first time
+
+Once you've completed the prerequisites you are ready to deploy ArgoCD for the first time. There is a helmfile that you can use to do this.
+
+Steps:
+
+* Auth to Vault and Kubernetes
+* Add ArgoCD Helm repo
+  - ```bash
+    helm repo add argo https://argoproj.github.io/argo-helm
+    helm install --name argocd --namespace argocd argo/argo-cd
+    ```
+* Download dependencies (`helmfile dep update`)
+* Deploy chart (`helmfile apply`)
+  - If everything worked correctly, then ArgoCD should have deployed using your customised docker image into your cluster.
+
+* If the ingress deployed correctly then we should be able to access the UI: https://my.argocd.deployment.org
+* Grab the admin password from `argocd-initial-admin-secret secret` and use it to log into the UI.
+```bash
+    echo "<password>" | base64 -d
+```
+* Verify that SSO works by signing on with AzureAD.
+* Verify that Helmfile appears in the list of configured plugins in the UI.
+
+# Configure ArgoCD apps for deployment with Helmfile
+
+* Log into ArgoCD in the UI and configure a new app.
+* Make sure that it's using the Helmfile plugin.
+* For the source, select one of the Git repos which you configured previously.
+* Make sure that your Helm repo (including `helmfile.yaml` is present in the Git repository).
+* ArgoCD will pull the project from your private Git server and read the `helmfile.yaml` file.
+* ArgoCD will also execute helmfile directly in the container using the files checked out from your project.
+* If you configured ArgoCD with logins for Vault and private Chartmuseums, these can be used in ArgoCD by Helmfile.
+* You can use the diff feature and resource views in ArgoCD when using Helmfile. Unfortunately you can no longer use the `values.yaml` editor in the UI. You can change `values.yaml` for deployments by creating `values.yaml` files and committing them to the folders in your project Git repo. You can also customise them using `!vault` tags.
+
+If you would like an example, this ArgoCD + helmfile deployment can itself be deployed by ArgoCD + helmfile (you may need to drop the pods after you do deploy this way). Any other projects - just structure them in the same way as this example.
+
+Be careful when reconfiguring a project which was previously deploy by ArgoCD with Helmfile. There are some differences around the way in which annotations are used.
--- a/examples/charts/argocd-helmfile-deployment/argocd.dockerfile
+++ b/examples/charts/argocd-helmfile-deployment/argocd.dockerfile
@ -0,0 +1,27 @@
+# Custom Dockerfile to install required helm plugins
+FROM argoproj/argocd:latest
+
+USER root
+# Download OS dependencies
+RUN apt-get update && \
+    apt-get install -y \
+        curl git wget unzip && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# Download helmfile
+RUN wget https://github.com/roboll/helmfile/releases/download/v0.138.7/helmfile_linux_amd64 && \
+    mv helmfile_linux_amd64 /usr/local/bin/helmfile && \
+    chmod a+x /usr/local/bin/helmfile
+
+# Download Vault
+RUN wget https://releases.hashicorp.com/vault/1.5.0/vault_1.5.0_linux_amd64.zip -O /tmp/vault.zip --quiet && \
+    unzip -p /tmp/vault.zip vault > /usr/local/bin/vault && \
+    chmod a+x /usr/local/bin/vault && \
+    rm /tmp/vault.zip
+
+USER argocd
+
+# Install helm-secrets plugin (as argocd user)
+RUN helm plugin install https://github.com/jkroepke/helm-secrets --version v3.6.0
+
+ENV HELM_PLUGINS="/home/argocd/.local/share/helm/plugins/"
--- a/examples/charts/argocd-helmfile-deployment/helmfile.yaml
+++ b/examples/charts/argocd-helmfile-deployment/helmfile.yaml
@ -0,0 +1,43 @@
+#   What is a helmfile? Read here...
+#   https://github.com/helmfile/helmfile
+
+# Before deployment, export the required env vars
+# export HELM_SECRETS_DRIVER=vault
+
+# Commands to deploy:
+# helmfile deps   # < download dependencies
+# helmfile template # < template stuff. You might have to be signed into vault
+# helmfile sync   # < deploy everything
+# helmfile apply  # < deploy diff only
+
+helmDefaults:
+  wait: true
+  timeout: 600
+  recreatePods: true
+  force: false
+
+commonLabels:
+  system: argocd
+
+releases:
+  - name: argocd                           # name of this release
+    namespace: argocd                      # target namespace
+    createNamespace: true                  # helm 3.2+ automatically create release namespace (default true)
+    labels:                                # Arbitrary key value pairs for filtering releases
+      env: prod
+    chart: "."                             # the chart being installed to create this release, referenced by `repository/chart` syntax
+    version: 3.2.2                         # the semver of the chart. range constraint is supported
+    missingFileHandler: Warn # set to either "Error" or "Warn". "Error" instructs helmfile to fail when unable to find a values or secrets file. When "Warn", it prints the file and continues.
+
+    # will attempt to decrypt secrets using helm-secrets plugin
+    secrets:
+      # {{ requiredEnv "HELM_SECRETS_DRIVER" }}
+      - values.yaml
+    verify: false
+    wait: true
+    timeout: 600
+    recreatePods: true
+    force: false
+    installed: true
+    atomic: true
+    cleanupOnFail: false
--- a/examples/charts/argocd-helmfile-deployment/templates/argocd-ingress.yaml
+++ b/examples/charts/argocd-helmfile-deployment/templates/argocd-ingress.yaml
@ -0,0 +1,26 @@
+kind: Ingress
+apiVersion: extensions/v1beta1
+metadata:
+  name: argocd-ingress
+  namespace: argocd
+  labels:
+    app: argocd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: ingress
+    app.kubernetes.io/name: argocd-ingress
+    app.kubernetes.io/part-of: argocd
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: {{ .Values.argo-cd.server.config.hostname }}
+spec:
+  tls:
+    - hosts:
+        - {{ .Values.argo-cd.server.config.hostname }}
+      secretName: argocd-secret
+  rules:
+    - host: {{ .Values.argo-cd.server.config.hostname }}
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: argocd-server
+              servicePort: http
--- a/examples/charts/argocd-helmfile-deployment/templates/dockerpullsecrets.yaml
+++ b/examples/charts/argocd-helmfile-deployment/templates/dockerpullsecrets.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: dockerpullsecrets
+stringData:
+  .dockerconfigjson: |
+    {
+      "auths" : {
+        "my.harbor.deployment.org" : {
+          {{ $authstring := (printf "%v:%v" .Values.secrets.harbor.username .Values.secrets.harbor.password ) }}
+          "auth": "{{ $authstring | b64enc }}"
+        }
+      }
+    }
--- a/examples/charts/argocd-helmfile-deployment/templates/git-secrets.yaml
+++ b/examples/charts/argocd-helmfile-deployment/templates/git-secrets.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: secret
+metadata:
+  name: argocd-git
+stringData:
+  username: "{{ .Values.secrets.git.username }}"
+  password: "{{ .Values.secrets.git.password }}"
--- a/examples/charts/argocd-helmfile-deployment/templates/harbor-secrets.yaml
+++ b/examples/charts/argocd-helmfile-deployment/templates/harbor-secrets.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: secret
+metadata:
+  name: argocd-harbor
+stringData:
+  username: "{{ .Values.secrets.harbor.username }}"
+  password: "{{ .Values.secrets.harbor.password }}"
--- a/examples/charts/argocd-helmfile-deployment/templates/vault-secrets.yaml
+++ b/examples/charts/argocd-helmfile-deployment/templates/vault-secrets.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: secret
+metadata:
+  name: argocd-vault
+stringData:
+  role_id: "{{ .Values.secrets.vault.role_id }}"
+  secret_id: "{{ .Values.secrets.vault.secret_id }}"
--- a/examples/charts/argocd-helmfile-deployment/values.yaml
+++ b/examples/charts/argocd-helmfile-deployment/values.yaml
@ -0,0 +1,154 @@
+# TODO - Any of the fields with TODO must be changed for the deployment to work.
+secrets:
+  harbor:
+    username: !vault internal/harbor/users/argocd#username # TODO
+    password: !vault internal/harbor/users/argocd#password # TODO
+  git:
+    username: !vault internal/git/users/argocd#username # TODO
+    password: !vault internal/git/users/argocd#password # TODO
+  vault:
+    role_id: !vault internal/vault/argocd#role_id       # TODO
+    secret_id: !vault internal/vault/argocd#secret_id   # TODO
+
+argo-cd:
+  global:
+    image:
+      repository: my.private.docker.registry.local/internal/argocd  # TODO
+      tag: 1.2.3   # TODO
+      imagePullPolicy: IfNotPresent
+    securityContext: {}
+    #  runAsUser: 999
+    #  runAsGroup: 999
+    #  fsGroup: 999
+    imagePullSecrets:
+      - name: dockerpullsecrets
+    hostAliases: []
+    # - ip: 10.20.30.40
+    #   hostnames:
+    #   - git.myhostname
+# set harbor creds in environment, set HELM_SECRET_DRIVER as well
+  server:
+    ## Argo server log format: text|json
+    logFormat: text
+    ## Argo server log level
+    logLevel: debug
+    env:
+      - name: "HELM_SECRETS_DRIVER"
+        value: "vault"
+      - name: "HARBOR_USERNAME"
+        valueFrom:
+          secretKeyRef:
+            name: argocd-harbor
+            key: username
+      - name: "HARBOR_PASSWORD"
+        valueFrom:
+          secretKeyRef:
+            name: argocd-harbor
+            key: password
+      # Unfortunately these envvars don't seem to be working correctly.
+      - name: "VAULT_APPROLE_ID"
+        valueFrom:
+          secretKeyRef:
+            name: argocd-vault
+            key: role_id
+      - name: "VAULT_APPROLE_SECRET"
+        valueFrom:
+          secretKeyRef:
+            name: argocd-vault
+            key: secret_id
+    config:
+      application.instanceLabelKey: argocd.argoproj.io/instance
+      # TODO - customise oidc.config - replace SOME_AZURE_AD_TENANT and SOME_AZURE_AD_UUID with the plaintext values
+      oidc.config: |
+        name: Azure
+        issuer: SOME_AZURE_AD_TENANT
+        clientID: SOME_AZURE_AD_UUID
+        clientSecret: $oidc.azure.clientSecret
+        requestedIDTokenClaims:
+          groups:
+            essential: true
+        requestedScopes:
+          - openid
+          - profile
+          - email
+      # TODO - customise repositories to include correct git URLs
+      repositories: |
+        - type: git
+          url: https://my.git.server.org/my-team/my-repo-one.git
+          usernameSecret:
+            key: username
+            name: argocd-git
+          passwordSecret:
+            key: password
+            name: argocd-git
+        - type: git
+          url: https://my.git.server.org/my-team/my-repo-two.git
+          usernameSecret:
+            name: argocd-git
+            key: username
+          passwordSecret:
+            name: argocd-git
+            key: password
+
+        - type: helm
+          url: https://my.harbor.deployment.org/chartrepo/my-project
+          usernameSecret:
+            name: argocd-harbor
+            key: username
+          passwordSecret:
+            name: argocd-harbor
+            key: password
+
+      url: 'https://my.argocd.deployment.org' # TODO
+      hostname: my.argocd.deployment.org      # TODO
+      configManagementPlugins: |
+        # If you just want to use helm-secrets this will work.
+        - name: helm-secrets
+          generate:                      # Command to generate manifests YAML
+            command: ["/bin/bash", "-c"]
+            args: ["echo \"$HELM_VALUES\" > ./values-local.yaml && helm secrets -d vault template $HELM_OPTS -n $ARGOCD_APP_NAMESPACE -f ./values-local.yaml $ARGOCD_APP_NAME . && rm ./values-local.yaml"]
+
+        # You can use helm-secrets via helmfile also.
+        - name: helmfile
+          init:
+            command: ["/bin/bash", "-c"]
+            args:
+              - >
+                helmfile repos ;
+                helm dependency update ;
+                true
+          generate:
+            command: ["/bin/bash", "-c"]
+            args:
+              - >
+                export VAULT_TOKEN=$(vault write auth/approle/login role_id=ROLE_ID secret_id=SECRET_ID | grep token | head -n 1 | tr -s ' ' | cut -d ' ' -f 2) &&
+                helmfile template --skip-deps
+    # ^^^ I am not sure why but I can't seem to get it working without hardcoding the secrets here :(
+    # TODO - replace ROLE_ID and SECRET_ID with the actual plaintext values
+
+    ## ArgoCD rbac config
+    ## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
+    rbacConfig:
+      policy.csv: |
+        p, role:org-admin, applications, *, */*, allow
+        p, role:org-admin, clusters, get, *, allow
+        p, role:org-admin, repositories, get, *, allow
+        p, role:org-admin, repositories, create, *, allow
+        p, role:org-admin, repositories, update, *, allow
+        p, role:org-admin, repositories, delete, *, allow
+        g, "OrgAdmin", role:org-admin
+        g, "ReadOnly", role:readonly
+      policy.default: 'role:readonly'
+      scopes: '[roles, email]'
+
+  ## Argo Configs
+  configs:
+    secret:
+      extra:
+        oidc.azure.clientSecret: !vault internal/argocd/auth#azure_oidc_client_secret # TODO
+        harbor_username: !vault internal/harbor/users/argocd#username # TODO
+        harbor_password: !vault internal/harbor/users/argocd#password # TODO
+        git_username: !vault internal/git/users/argocd#username # TODO
+        git_password: !vault internal/git/users/argocd#password # TODO
+        vault_role_id: !vault internal/vault/argocd#role_id     # TODO
+        vault_secret_id: !vault internal/vault/argocd#secret_id # TODO
--- a/examples/deployments/dev/helmfile.yaml
+++ b/examples/deployments/dev/helmfile.yaml
@ -1,4 +1,4 @@
-charts:
+releases:
  - name: dev-paths-example
    namespace: dev
    chart: ../../charts/paths-example/
--- a/examples/deployments/local/helmfile.yaml
+++ b/examples/deployments/local/helmfile.yaml
@ -1,4 +1,4 @@
-charts:
+releases:
  - name: local-paths-example
    namespace: local
    chart: ../../charts/paths-example/
--- a/examples/deployments/prod/helmfile.yaml
+++ b/examples/deployments/prod/helmfile.yaml
@ -1,4 +1,4 @@
-charts:
+releases:
  - name: prod-paths-example
    namespace: prod
    chart: ../../charts/paths-example/
--- a/examples/deployments/published/helmfile.yaml
+++ b/examples/deployments/published/helmfile.yaml
@ -1,4 +1,4 @@
-charts:
+releases:
  # Published chart example
  - name: grafana                         # helm release name
    namespace: grafana                    # target namespace
--- a/examples/remote/helmfile.yaml
+++ b/examples/remote/helmfile.yaml
@ -0,0 +1,10 @@
+helmfiles:
+- path: git::https://github.com/cloudposse/helmfiles.git@releases/echo-server/helmfile.yaml?ref=master
+  values:
+  - installed: true
+    stage: test
+    environment: test
+
+releases:
+- name: apache
+  chart: git::https://github.com/bitnami/charts.git@bitnami/apache?ref=master
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,326 @@
+module github.com/helmfile/helmfile
+
+go 1.24.6
+
+require (
+	dario.cat/mergo v1.0.2
+	github.com/Masterminds/semver/v3 v3.4.0
+	github.com/Masterminds/sprig/v3 v3.3.0
+	github.com/aws/aws-sdk-go-v2/config v1.31.15
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.88.7
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
+	github.com/go-test/deep v1.1.1
+	github.com/golang/mock v1.6.0
+	github.com/google/go-cmp v0.7.0
+	github.com/gosuri/uitable v0.0.4
+	github.com/hashicorp/go-getter v1.8.2
+	github.com/hashicorp/hcl/v2 v2.24.0
+	github.com/helmfile/chartify v0.25.0
+	github.com/helmfile/vals v0.42.4
+	github.com/spf13/cobra v1.10.1
+	github.com/spf13/pflag v1.0.10
+	github.com/stretchr/testify v1.11.1
+	github.com/tatsushid/go-prettytable v0.0.0-20141013043238-ed2d14c29939
+	github.com/tj/assert v0.0.3
+	github.com/variantdev/dag v1.1.0
+	github.com/zclconf/go-cty v1.17.0
+	github.com/zclconf/go-cty-yaml v1.1.0
+	go.szostok.io/version v1.2.0
+	go.uber.org/zap v1.27.0
+	go.yaml.in/yaml/v2 v2.4.3
+	go.yaml.in/yaml/v3 v3.0.4
+	golang.org/x/sync v0.17.0
+	golang.org/x/term v0.36.0
+	helm.sh/helm/v3 v3.19.0
+	k8s.io/apimachinery v0.34.1
+)
+
+require (
+	cloud.google.com/go v0.121.6 // indirect
+	cloud.google.com/go/iam v1.5.2 // indirect
+	cloud.google.com/go/storage v1.57.0 // indirect
+	filippo.io/age v1.2.1 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/a8m/envsubst v1.4.3 // indirect
+	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/fatih/color v1.18.0
+	github.com/fujiwara/tfstate-lookup v1.7.1 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/goware/prefixer v0.0.0-20160118172347-395022866408 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-slug v0.16.4 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
+	github.com/hashicorp/go-tfe v1.84.0 // indirect
+	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
+	github.com/hashicorp/jsonapi v1.4.3-0.20250220162346-81a76b606f3e // indirect
+	github.com/hashicorp/vault/api v1.22.0 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/itchyny/gojq v0.12.16 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/lib/pq v1.10.9 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/otiai10/copy v1.14.1
+	github.com/pkg/errors v0.9.1
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	golang.org/x/net v0.44.0 // indirect
+	golang.org/x/oauth2 v0.31.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/time v0.13.0 // indirect
+	google.golang.org/api v0.252.0 // indirect
+	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/grpc v1.75.1 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
+)
+
+require (
+	al.essio.dev/pkg/shellescape v1.6.0 // indirect
+	cel.dev/expr v0.24.0 // indirect
+	cloud.google.com/go/auth v0.17.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	cloud.google.com/go/kms v1.23.0 // indirect
+	cloud.google.com/go/longrunning v0.6.7 // indirect
+	cloud.google.com/go/monitoring v1.24.2 // indirect
+	cloud.google.com/go/secretmanager v1.15.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/1Password/connect-sdk-go v1.5.3 // indirect
+	github.com/1password/onepassword-sdk-go v0.3.1 // indirect
+	github.com/AlecAivazis/survey/v2 v2.3.6 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect
+	github.com/DopplerHQ/cli v0.5.11-0.20230908185655-7aef4713e1a4 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/ProtonMail/go-crypto v1.3.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/antchfx/jsonquery v1.3.6 // indirect
+	github.com/antchfx/xpath v1.3.5 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.39.4 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.19 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.45.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.39.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.65.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.29.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.9 // indirect
+	github.com/aws/smithy-go v1.23.1 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/chai2010/gettext-go v1.0.2 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
+	github.com/containerd/containerd v1.7.28 // indirect
+	github.com/containerd/errdefs v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/cyberark/conjur-api-go v0.13.7 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
+	github.com/extism/go-sdk v1.7.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/getsops/gopgagent v0.0.0-20241224165529-7044f28e491e // indirect
+	github.com/getsops/sops/v3 v3.11.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/analysis v0.24.0 // indirect
+	github.com/go-openapi/errors v0.22.3 // indirect
+	github.com/go-openapi/jsonpointer v0.22.1 // indirect
+	github.com/go-openapi/jsonreference v0.21.2 // indirect
+	github.com/go-openapi/loads v0.23.1 // indirect
+	github.com/go-openapi/runtime v0.29.0 // indirect
+	github.com/go-openapi/spec v0.22.0 // indirect
+	github.com/go-openapi/strfmt v0.24.0 // indirect
+	github.com/go-openapi/swag v0.24.1 // indirect
+	github.com/go-openapi/swag/cmdutils v0.24.0 // indirect
+	github.com/go-openapi/swag/conv v0.25.1 // indirect
+	github.com/go-openapi/swag/fileutils v0.25.1 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.1 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.1 // indirect
+	github.com/go-openapi/swag/loading v0.25.1 // indirect
+	github.com/go-openapi/swag/mangling v0.25.1 // indirect
+	github.com/go-openapi/swag/netutils v0.24.0 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.1 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.1 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.1 // indirect
+	github.com/go-openapi/validate v0.25.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-yaml v1.17.1 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/go-jsonnet v0.20.0 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.65 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
+	github.com/hashicorp/hcp-sdk-go v0.162.0 // indirect
+	github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f // indirect
+	github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca // indirect
+	github.com/itchyny/timefmt-go v0.1.6 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
+	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/muesli/termenv v0.15.1 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/otiai10/mint v1.6.3 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rubenv/sql-migrate v1.8.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
+	github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 // indirect
+	github.com/tetratelabs/wazero v1.9.0 // indirect
+	github.com/tidwall/gjson v1.18.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
+	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
+	github.com/urfave/cli v1.22.17 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	github.com/yandex-cloud/go-genproto v0.29.0 // indirect
+	github.com/yandex-cloud/go-sdk v0.22.0 // indirect
+	github.com/zalando/go-keyring v0.2.6 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	go.mongodb.org/mongo-driver v1.17.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/gookit/color.v1 v1.1.6 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.34.1 // indirect
+	k8s.io/apiextensions-apiserver v0.34.0 // indirect
+	k8s.io/cli-runtime v0.34.0 // indirect
+	k8s.io/client-go v0.34.1 // indirect
+	k8s.io/component-base v0.34.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/kubectl v0.34.0 // indirect
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
+	oras.land/oras-go/v2 v2.6.0 // indirect
+	sigs.k8s.io/kustomize/api v0.20.1 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+)
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,927 @@
+al.essio.dev/pkg/shellescape v1.6.0 h1:NxFcEqzFSEVCGN2yq7Huv/9hyCEGVa/TncnOOBBeXHA=
+al.essio.dev/pkg/shellescape v1.6.0/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
+cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
+cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
+cloud.google.com/go v0.121.6 h1:waZiuajrI28iAf40cWgycWNgaXPO06dupuS+sgibK6c=
+cloud.google.com/go v0.121.6/go.mod h1:coChdst4Ea5vUpiALcYKXEpR1S9ZgXbhEzzMcMR66vI=
+cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4=
+cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ=
+cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
+cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8=
+cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE=
+cloud.google.com/go/kms v1.23.0 h1:WaqAZsUptyHwOo9II8rFC1Kd2I+yvNsNP2IJ14H2sUw=
+cloud.google.com/go/kms v1.23.0/go.mod h1:rZ5kK0I7Kn9W4erhYVoIRPtpizjunlrfU4fUkumUp8g=
+cloud.google.com/go/logging v1.13.0 h1:7j0HgAp0B94o1YRDqiqm26w4q1rDMH7XNRU34lJXHYc=
+cloud.google.com/go/logging v1.13.0/go.mod h1:36CoKh6KA/M0PbhPKMq6/qety2DCAErbhXT62TuXALA=
+cloud.google.com/go/longrunning v0.6.7 h1:IGtfDWHhQCgCjwQjV9iiLnUta9LBCo8R9QmAFsS/PrE=
+cloud.google.com/go/longrunning v0.6.7/go.mod h1:EAFV3IZAKmM56TyiE6VAP3VoTzhZzySwI/YI1s/nRsY=
+cloud.google.com/go/monitoring v1.24.2 h1:5OTsoJ1dXYIiMiuL+sYscLc9BumrL3CarVLL7dd7lHM=
+cloud.google.com/go/monitoring v1.24.2/go.mod h1:x7yzPWcgDRnPEv3sI+jJGBkwl5qINf+6qY4eq0I9B4U=
+cloud.google.com/go/secretmanager v1.15.0 h1:RtkCMgTpaBMbzozcRUGfZe46jb9a3qh5EdEtVRUATF8=
+cloud.google.com/go/secretmanager v1.15.0/go.mod h1:1hQSAhKK7FldiYw//wbR/XPfPc08eQ81oBsnRUHEvUc=
+cloud.google.com/go/storage v1.57.0 h1:4g7NB7Ta7KetVbOMpCqy89C+Vg5VE8scqlSHUPm7Rds=
+cloud.google.com/go/storage v1.57.0/go.mod h1:329cwlpzALLgJuu8beyJ/uvQznDHpa2U5lGjWednkzg=
+cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4=
+cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
+filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
+filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/1Password/connect-sdk-go v1.5.3 h1:KyjJ+kCKj6BwB2Y8tPM1Ixg5uIS6HsB0uWA8U38p/Uk=
+github.com/1Password/connect-sdk-go v1.5.3/go.mod h1:5rSymY4oIYtS4G3t0oMkGAXBeoYiukV3vkqlnEjIDJs=
+github.com/1password/onepassword-sdk-go v0.3.1 h1:dz0LrYuIh/HrZ7rxr8NMymikNLBIXhyj4NBmo5Tdamc=
+github.com/1password/onepassword-sdk-go v0.3.1/go.mod h1:kssODrGGqHtniqPR91ZPoCMEo79mKulKat7RaD1bunk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AlecAivazis/survey/v2 v2.3.6 h1:NvTuVHISgTHEHeBFqt6BHOe4Ny/NwGZr7w+F8S9ziyw=
+github.com/AlecAivazis/survey/v2 v2.3.6/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 h1:5YTBM8QDVIBN3sxBil89WfdAAqDZbyJTgh688DSxX5w=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 h1:wL5IEG5zb7BVv1Kv0Xm92orq+5hB5Nipn3B5tn4Rqfk=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsIIvxVT+uE6yrNldntJKlLRgxGbZ85kgtz5SNBhMw=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 h1:/Zt+cDPnpC3OVDm/JKLOs7M2DKmLRIIp3XIx9pHHiig=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1/go.mod h1:Ng3urmn6dYe8gnbCMoHHVl5APYz2txho3koEkV2o2HA=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 h1:E4MgwLBGeVB5f2MdcIVD3ELVAWpr+WD6MUe1i+tM/PA=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0/go.mod h1:Y2b/1clN4zsAoUd/pgNAQHjLDnTis/6ROkUfyob6psM=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0 h1:/g8S6wk65vfC6m3FIxJ+i5QDyN9JWwXI8Hb0Img10hU=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0/go.mod h1:gpl+q95AzZlKVI3xSoseF9QPrypk0hQqBiJYeB/cR/I=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfgcSyHZXJI8J0IWE5MsCGlb2xp9fJiXyxWgmOFg4=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 h1:nVocQV40OQne5613EeLayJiRAJuKlBGy+m22qWG+WRg=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0/go.mod h1:7QJP7dr2wznCMeqIrhMgWGf7XpAQnVrJqDm9nvV3Cu4=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
+github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
+github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8=
+github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0=
+github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
+github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw=
+github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU=
+github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
+github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
+github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
+github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
+github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
+github.com/DopplerHQ/cli v0.5.11-0.20230908185655-7aef4713e1a4 h1:s7/zwMi5w+KnlumDVbX1+P6mNAk5o7Wvx0VmvrQ7Bm0=
+github.com/DopplerHQ/cli v0.5.11-0.20230908185655-7aef4713e1a4/go.mod h1:ipnA9Lpn5YM+FDSQZ7VWNjcuVurchInoGKm+v7O0sGs=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 h1:UQUsRi8WTzhZntp5313l+CHIAT95ojUI2lpP/ExlZa4=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0/go.mod h1:Cz6ft6Dkn3Et6l2v2a9/RpN7epQ1GtDlO6lj8bEcOvw=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 h1:owcC2UnmsZycprQ5RfRgjydWhuoxg71LUfyiQdijZuM=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0/go.mod h1:ZPpqegjbE99EPKsu3iUWV22A04wzGPcAY/ziSIQEEgs=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0 h1:4LP6hvB4I5ouTbGgWtixJhgED6xdf67twf9PoY96Tbg=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0/go.mod h1:jUZ5LYlw40WMd07qxcQJD5M40aUxrfwqQX1g7zxYnrQ=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 h1:Ron4zCA/yk6U7WOBXhTJcDpsUBG9npumK6xw2auFltQ=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0/go.mod h1:cSgYe11MCNYunTnRXrKiR/tHc0eoKjICUuWpNZoVCOo=
+github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
+github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
+github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
+github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
+github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
+github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM=
+github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
+github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
+github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
+github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
+github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw=
+github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
+github.com/a8m/envsubst v1.4.3 h1:kDF7paGK8QACWYaQo6KtyYBozY2jhQrTuNNuUxQkhJY=
+github.com/a8m/envsubst v1.4.3/go.mod h1:4jjHWQlZoaXPoLQUb7H2qT4iLkZDdmEQiOUogdUmqVU=
+github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
+github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/antchfx/jsonquery v1.3.6 h1:TaSfeAh7n6T11I74bsZ1FswreIfrbJ0X+OyLflx6mx4=
+github.com/antchfx/jsonquery v1.3.6/go.mod h1:fGzSGJn9Y826Qd3pC8Wx45avuUwpkePsACQJYy+58BU=
+github.com/antchfx/xpath v1.3.2/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
+github.com/antchfx/xpath v1.3.5 h1:PqbXLC3TkfeZyakF5eeh3NTWEbYl4VHNVeufANzDbKQ=
+github.com/antchfx/xpath v1.3.5/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
+github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
+github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
+github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de h1:FxWPpzIjnTlhPwqqXc4/vE0f7GvRjuAsbW+HOIe8KnA=
+github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de/go.mod h1:DCaWoUhZrYW9p1lxo/cm8EmUOOzAPSEZNGF2DK1dJgw=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
+github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
+github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ=
+github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk=
+github.com/aws/aws-sdk-go-v2 v1.39.4 h1:qTsQKcdQPHnfGYBBs+Btl8QwxJeoWcOcPcixK90mRhg=
+github.com/aws/aws-sdk-go-v2 v1.39.4/go.mod h1:yWSxrnioGUZ4WVv9TgMrNUeLV3PFESn/v+6T/Su8gnM=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2 h1:t9yYsydLYNBk9cJ73rgPhPWqOh/52fcWDQB5b1JsKSY=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2/go.mod h1:IusfVNTmiSN3t4rhxWFaBAqn+mcNdwKtPcV16eYdgko=
+github.com/aws/aws-sdk-go-v2/config v1.31.15 h1:gE3M4xuNXfC/9bG4hyowGm/35uQTi7bUKeYs5e/6uvU=
+github.com/aws/aws-sdk-go-v2/config v1.31.15/go.mod h1:HvnvGJoE2I95KAIW8kkWVPJ4XhdrlvwJpV6pEzFQa8o=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.19 h1:Jc1zzwkSY1QbkEcLujwqRTXOdvW8ppND3jRBb/VhBQc=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.19/go.mod h1:DIfQ9fAk5H0pGtnqfqkbSIzky82qYnGvh06ASQXXg6A=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11 h1:X7X4YKb+c0rkI6d4uJ5tEMxXgCZ+jZ/D6mvkno8c8Uw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11/go.mod h1:EqM6vPZQsZHYvC4Cai35UDg/f5NCEU+vp0WfbVqVcZc=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.9 h1:Z1897HnnfLLgbs3pcUv8xLvtbai9TEfPUZfA0BFw968=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.9/go.mod h1:8oVESJIPBYGWdZhaHcIvTm7BnI6hbsR3ggKn0uyRMhk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11 h1:7AANQZkF3ihM8fbdftpjhken0TP9sBzFbV/Ze/Y4HXA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11/go.mod h1:NTF4QCGkm6fzVwncpkFQqoquQyOolcyXfbpC98urj+c=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11 h1:ShdtWUZT37LCAA4Mw2kJAJtzaszfSHFb5n25sdcv4YE=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11/go.mod h1:7bUb2sSr2MZ3M/N+VyETLTQtInemHXb/Fl3s8CLzm0Y=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.11 h1:bKgSxk1TW//00PGQqYmrq83c+2myGidEclp+t9pPqVI=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.11/go.mod h1:vrPYCQ6rFHL8jzQA8ppu3gWX18zxjLIDGTeqDxkBmSI=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 h1:xtuxji5CS0JknaXoACOunXOYOQzgfTvGAc9s2QdCJA4=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2/go.mod h1:zxwi0DIR0rcRcgdbl7E2MSOvxDyyXGBlScvBkARFaLQ=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.2 h1:DGFpGybmutVsCuF6vSuLZ25Vh55E3VmsnJmFfjeBx4M=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.2/go.mod h1:hm/wU1HDvXCFEDzOLorQnZZ/CVvPXvWEmHMSmqgQRuA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11 h1:GpMf3z2KJa4RnJ0ew3Hac+hRFYLZ9DDjfgXjuW+pB54=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11/go.mod h1:6MZP3ZI4QQsgUCFTwMZA2V0sEriNQ8k2hmoHF3qjimQ=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.11 h1:weapBOuuFIBEQ9OX/NVW3tFQCvSutyjZYk/ga5jDLPo=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.11/go.mod h1:3C1gN4FmIVLwYSh8etngUS+f1viY6nLCDVtZmrFbDy0=
+github.com/aws/aws-sdk-go-v2/service/kms v1.45.6 h1:Br3kil4j7RPW+7LoLVkYt8SuhIWlg6ylmbmzXJ7PgXY=
+github.com/aws/aws-sdk-go-v2/service/kms v1.45.6/go.mod h1:FKXkHzw1fJZtg1P1qoAIiwen5thz/cDRTTDCIu8ljxc=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.88.7 h1:Wer3W0GuaedWT7dv/PiWNZGSQFSTcBY2rZpbiUp5xcA=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.88.7/go.mod h1:UHKgcRSx8PVtvsc1Poxb/Co3PD3wL7P+f49P0+cWtuY=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.39.6 h1:9PWl450XOG+m5lKv+qg5BXso1eLxpsZLqq7VPug5km0=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.39.6/go.mod h1:hwt7auGsDcaNQ8pzLgE2kCNyIWouYlAKSjuUu5Dqr7I=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.65.1 h1:TFg6XiS7EsHN0/jpV3eVNczZi/sPIVP5jxIs+euIESQ=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.65.1/go.mod h1:OIezd9K0sM/64DDP4kXx/i0NdgXu6R5KE6SCsIPJsjc=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.8 h1:M5nimZmugcZUO9wG7iVtROxPhiqyZX6ejS1lxlDPbTU=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.8/go.mod h1:mbef/pgKhtKRwrigPPs7SSSKZgytzP8PQ6P6JAAdqyM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3 h1:S5GuJZpYxE0lKeMHKn+BRTz6PTFpgThyJ+5mYfux7BM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3/go.mod h1:X4OF+BTd7HIb3L+tc4UlWHVrpgwZZIVENU15pRDVTI0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.9 h1:Ekml5vGg6sHSZLZJQJagefnVe6PmqC2oiRkBq4F7fU0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.9/go.mod h1:/e15V+o1zFHWdH3u7lpI3rVBcxszktIKuHKCY2/py+k=
+github.com/aws/smithy-go v1.23.1 h1:sLvcH6dfAFwGkHLZ7dGiYF7aK6mg4CgKA/iDKjLDt9M=
+github.com/aws/smithy-go v1.23.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
+github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
+github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
+github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
+github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70=
+github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
+github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
+github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
+github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls=
+github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
+github.com/containerd/containerd v1.7.28 h1:Nsgm1AtcmEh4AHAJ4gGlNSaKgXiNccU270Dnf81FQ3c=
+github.com/containerd/containerd v1.7.28/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
+github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
+github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4=
+github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
+github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
+github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
+github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/cyberark/conjur-api-go v0.13.7 h1:pyjdGKYLuMEdtFklin6c+TY8AvLKePw77rbQFwATMTI=
+github.com/cyberark/conjur-api-go v0.13.7/go.mod h1:xGi4RCulvsc+x/jYRrxUoEShznhlKP/4hJC/4+lueFg=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
+github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
+github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
+github.com/distribution/distribution/v3 v3.0.0 h1:q4R8wemdRQDClzoNNStftB2ZAfqOiN6UX90KJc4HjyM=
+github.com/distribution/distribution/v3 v3.0.0/go.mod h1:tRNuFoZsUdyRVegq8xGNeds4KLjwLCRin/tTo6i1DhU=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/cli v28.0.4+incompatible h1:pBJSJeNd9QeIWPjRcV91RVJihd/TXB77q1ef64XEu4A=
+github.com/docker/cli v28.0.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v28.0.4+incompatible h1:JNNkBctYKurkw6FrHfKqY0nKIDf5nrbxjVBtS+cdcok=
+github.com/docker/docker v28.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
+github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
+github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
+github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a h1:UwSIFv5g5lIvbGgtf3tVwC7Ky9rmMFBp0RMs+6f6YqE=
+github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a/go.mod h1:C8DzXehI4zAbrdlbtOByKX6pfivJTBiV9Jjqv56Yd9Q=
+github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
+github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
+github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
+github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
+github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
+github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
+github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
+github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
+github.com/extism/go-sdk v1.7.0 h1:yHbSa2JbcF60kjGsYiGEOcClfbknqCJchyh9TRibFWo=
+github.com/extism/go-sdk v1.7.0/go.mod h1:Dhuc1qcD0aqjdqJ3ZDyGdkZPEj/EHKVjbE4P+1XRMqc=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
+github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fujiwara/tfstate-lookup v1.7.1 h1:zuZj5tSHIkD5HJG2ZyPL1H3bmlb6sgj5M46YBhwnevw=
+github.com/fujiwara/tfstate-lookup v1.7.1/go.mod h1:D1/ehHmOvN06Hdpob66BUg6851257fxzNrpRilhnwxQ=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/getsops/gopgagent v0.0.0-20241224165529-7044f28e491e h1:y/1nzrdF+RPds4lfoEpNhjfmzlgZtPqyO3jMzrqDQws=
+github.com/getsops/gopgagent v0.0.0-20241224165529-7044f28e491e/go.mod h1:awFzISqLJoZLm+i9QQ4SgMNHDqljH6jWV0B36V5MrUM=
+github.com/getsops/sops/v3 v3.11.0 h1:HsJhfZDcLMBZSphnTXIcsS9oR5jJgzSivo0j9zf8KVY=
+github.com/getsops/sops/v3 v3.11.0/go.mod h1:KiyVXNRMIEPCSAiapB8e8u+AaQGFgLlWo4Sk9PNTso0=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
+github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
+github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
+github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-openapi/analysis v0.24.0 h1:vE/VFFkICKyYuTWYnplQ+aVr45vlG6NcZKC7BdIXhsA=
+github.com/go-openapi/analysis v0.24.0/go.mod h1:GLyoJA+bvmGGaHgpfeDh8ldpGo69fAJg7eeMDMRCIrw=
+github.com/go-openapi/errors v0.22.3 h1:k6Hxa5Jg1TUyZnOwV2Lh81j8ayNw5VVYLvKrp4zFKFs=
+github.com/go-openapi/errors v0.22.3/go.mod h1:+WvbaBBULWCOna//9B9TbLNGSFOfF8lY9dw4hGiEiKQ=
+github.com/go-openapi/jsonpointer v0.22.1 h1:sHYI1He3b9NqJ4wXLoJDKmUmHkWy/L7rtEo92JUxBNk=
+github.com/go-openapi/jsonpointer v0.22.1/go.mod h1:pQT9OsLkfz1yWoMgYFy4x3U5GY5nUlsOn1qSBH5MkCM=
+github.com/go-openapi/jsonreference v0.21.2 h1:Wxjda4M/BBQllegefXrY/9aq1fxBA8sI5M/lFU6tSWU=
+github.com/go-openapi/jsonreference v0.21.2/go.mod h1:pp3PEjIsJ9CZDGCNOyXIQxsNuroxm8FAJ/+quA0yKzQ=
+github.com/go-openapi/loads v0.23.1 h1:H8A0dX2KDHxDzc797h0+uiCZ5kwE2+VojaQVaTlXvS0=
+github.com/go-openapi/loads v0.23.1/go.mod h1:hZSXkyACCWzWPQqizAv/Ye0yhi2zzHwMmoXQ6YQml44=
+github.com/go-openapi/runtime v0.29.0 h1:Y7iDTFarS9XaFQ+fA+lBLngMwH6nYfqig1G+pHxMRO0=
+github.com/go-openapi/runtime v0.29.0/go.mod h1:52HOkEmLL/fE4Pg3Kf9nxc9fYQn0UsIWyGjGIJE9dkg=
+github.com/go-openapi/spec v0.22.0 h1:xT/EsX4frL3U09QviRIZXvkh80yibxQmtoEvyqug0Tw=
+github.com/go-openapi/spec v0.22.0/go.mod h1:K0FhKxkez8YNS94XzF8YKEMULbFrRw4m15i2YUht4L0=
+github.com/go-openapi/strfmt v0.24.0 h1:dDsopqbI3wrrlIzeXRbqMihRNnjzGC+ez4NQaAAJLuc=
+github.com/go-openapi/strfmt v0.24.0/go.mod h1:Lnn1Bk9rZjXxU9VMADbEEOo7D7CDyKGLsSKekhFr7s4=
+github.com/go-openapi/swag v0.24.1 h1:DPdYTZKo6AQCRqzwr/kGkxJzHhpKxZ9i/oX0zag+MF8=
+github.com/go-openapi/swag v0.24.1/go.mod h1:sm8I3lCPlspsBBwUm1t5oZeWZS0s7m/A+Psg0ooRU0A=
+github.com/go-openapi/swag/cmdutils v0.24.0 h1:KlRCffHwXFI6E5MV9n8o8zBRElpY4uK4yWyAMWETo9I=
+github.com/go-openapi/swag/cmdutils v0.24.0/go.mod h1:uxib2FAeQMByyHomTlsP8h1TtPd54Msu2ZDU/H5Vuf8=
+github.com/go-openapi/swag/conv v0.25.1 h1:+9o8YUg6QuqqBM5X6rYL/p1dpWeZRhoIt9x7CCP+he0=
+github.com/go-openapi/swag/conv v0.25.1/go.mod h1:Z1mFEGPfyIKPu0806khI3zF+/EUXde+fdeksUl2NiDs=
+github.com/go-openapi/swag/fileutils v0.25.1 h1:rSRXapjQequt7kqalKXdcpIegIShhTPXx7yw0kek2uU=
+github.com/go-openapi/swag/fileutils v0.25.1/go.mod h1:+NXtt5xNZZqmpIpjqcujqojGFek9/w55b3ecmOdtg8M=
+github.com/go-openapi/swag/jsonname v0.25.1 h1:Sgx+qbwa4ej6AomWC6pEfXrA6uP2RkaNjA9BR8a1RJU=
+github.com/go-openapi/swag/jsonname v0.25.1/go.mod h1:71Tekow6UOLBD3wS7XhdT98g5J5GR13NOTQ9/6Q11Zo=
+github.com/go-openapi/swag/jsonutils v0.25.1 h1:AihLHaD0brrkJoMqEZOBNzTLnk81Kg9cWr+SPtxtgl8=
+github.com/go-openapi/swag/jsonutils v0.25.1/go.mod h1:JpEkAjxQXpiaHmRO04N1zE4qbUEg3b7Udll7AMGTNOo=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.1 h1:DSQGcdB6G0N9c/KhtpYc71PzzGEIc/fZ1no35x4/XBY=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.1/go.mod h1:kjmweouyPwRUEYMSrbAidoLMGeJ5p6zdHi9BgZiqmsg=
+github.com/go-openapi/swag/loading v0.25.1 h1:6OruqzjWoJyanZOim58iG2vj934TysYVptyaoXS24kw=
+github.com/go-openapi/swag/loading v0.25.1/go.mod h1:xoIe2EG32NOYYbqxvXgPzne989bWvSNoWoyQVWEZicc=
+github.com/go-openapi/swag/mangling v0.25.1 h1:XzILnLzhZPZNtmxKaz/2xIGPQsBsvmCjrJOWGNz/ync=
+github.com/go-openapi/swag/mangling v0.25.1/go.mod h1:CdiMQ6pnfAgyQGSOIYnZkXvqhnnwOn997uXZMAd/7mQ=
+github.com/go-openapi/swag/netutils v0.24.0 h1:Bz02HRjYv8046Ycg/w80q3g9QCWeIqTvlyOjQPDjD8w=
+github.com/go-openapi/swag/netutils v0.24.0/go.mod h1:WRgiHcYTnx+IqfMCtu0hy9oOaPR0HnPbmArSRN1SkZM=
+github.com/go-openapi/swag/stringutils v0.25.1 h1:Xasqgjvk30eUe8VKdmyzKtjkVjeiXx1Iz0zDfMNpPbw=
+github.com/go-openapi/swag/stringutils v0.25.1/go.mod h1:JLdSAq5169HaiDUbTvArA2yQxmgn4D6h4A+4HqVvAYg=
+github.com/go-openapi/swag/typeutils v0.25.1 h1:rD/9HsEQieewNt6/k+JBwkxuAHktFtH3I3ysiFZqukA=
+github.com/go-openapi/swag/typeutils v0.25.1/go.mod h1:9McMC/oCdS4BKwk2shEB7x17P6HmMmA6dQRtAkSnNb8=
+github.com/go-openapi/swag/yamlutils v0.25.1 h1:mry5ez8joJwzvMbaTGLhw8pXUnhDK91oSJLDPF1bmGk=
+github.com/go-openapi/swag/yamlutils v0.25.1/go.mod h1:cm9ywbzncy3y6uPm/97ysW8+wZ09qsks+9RS8fLWKqg=
+github.com/go-openapi/validate v0.25.0 h1:JD9eGX81hDTjoY3WOzh6WqxVBVl7xjsLnvDo1GL5WPU=
+github.com/go-openapi/validate v0.25.0/go.mod h1:SUY7vKrN5FiwK6LyvSwKjDfLNirSfWwHNgxd2l29Mmw=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
+github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-yaml v1.17.1 h1:LI34wktB2xEE3ONG/2Ar54+/HJVBriAGJ55PHls4YuY=
+github.com/goccy/go-yaml v1.17.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
+github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
+github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-jsonnet v0.20.0 h1:WG4TTSARuV7bSm4PMB4ohjxe33IHT5WVTrJSU33uT4g=
+github.com/google/go-jsonnet v0.20.0/go.mod h1:VbgWF9JX7ztlv770x/TolZNGGFfiHEVx9G6ca2eUmeA=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=
+github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
+github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4=
+github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
+github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
+github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
+github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
+github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
+github.com/goware/prefixer v0.0.0-20160118172347-395022866408 h1:Y9iQJfEqnN3/Nce9cOegemcy/9Ai5k3huT6E80F3zaw=
+github.com/goware/prefixer v0.0.0-20160118172347-395022866408/go.mod h1:PE1ycukgRPJ7bJ9a1fdfQ9j8i/cEcRAoLZzbxYpNB/s=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.65 h1:81+kWbE1yErFBMjME0I5k3x3kojjKsWtPYHEAutoPow=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.65/go.mod h1:WtMzv9T++tfWVea+qB2MXoaqxw33S8bpJslzUike2mQ=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-getter v1.8.2 h1:CGCK+bZQLl44PYiwJweVzfpjg7bBwtuXu3AGcLiod2o=
+github.com/hashicorp/go-getter v1.8.2/go.mod h1:CUTt9x2bCtJ/sV8ihgrITL3IUE+0BE1j/e4n5P/GIM4=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
+github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 h1:U+kC2dOhMFQctRfhK0gRctKAPTloZdMU5ZJxaesJ/VM=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
+github.com/hashicorp/go-slug v0.16.4 h1:kI0mOUVjbBsyocwO29pZIQzzkBnfQNdU4eqlUpNdNVA=
+github.com/hashicorp/go-slug v0.16.4/go.mod h1:THWVTAXwJEinbsp4/bBRcmbaO5EYNLTqxbG4tZ3gCYQ=
+github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9dbT+Fw=
+github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
+github.com/hashicorp/go-tfe v1.84.0 h1:aq4zLtr0beMjoe1bjMPkv9tW4wWTix37SBX8ct8vJWw=
+github.com/hashicorp/go-tfe v1.84.0/go.mod h1:6dUFMBKh0jkxlRsrw7bYD2mby0efdwE4dtlAuTogIzA=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
+github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=
+github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
+github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
+github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
+github.com/hashicorp/golang-lru/v2 v2.0.5 h1:wW7h1TG88eUIJ2i69gaE3uNVtEPIagzhGvHgwfx2Vm4=
+github.com/hashicorp/golang-lru/v2 v2.0.5/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
+github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
+github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
+github.com/hashicorp/hcl/v2 v2.24.0 h1:2QJdZ454DSsYGoaE6QheQZjtKZSUs9Nh2izTWiwQxvE=
+github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGbkZpYAcqfM=
+github.com/hashicorp/hcp-sdk-go v0.162.0 h1:1agUnqQKSiig3Wcz1ht4Hko/ikfpxZ7+uy/2uX0QHaE=
+github.com/hashicorp/hcp-sdk-go v0.162.0/go.mod h1:v2vbpNIrmgUTelW4Z+ur+aQuSPxeaVK3xytFdpEXvSg=
+github.com/hashicorp/jsonapi v1.4.3-0.20250220162346-81a76b606f3e h1:xwy/1T0cxHWaLx2MM0g4BlaQc1BXn/9835mPrBqwSPU=
+github.com/hashicorp/jsonapi v1.4.3-0.20250220162346-81a76b606f3e/go.mod h1:kWfdn49yCjQvbpnvY1dxxAuAFzISwrrMDQOcu6NsFoM=
+github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
+github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/helmfile/chartify v0.25.0 h1:+stKeRpDRo2LVJkCc2G/HqYmYdGJ214f2pMTdIafW3w=
+github.com/helmfile/chartify v0.25.0/go.mod h1:8b44e/7P0nceSodE9C5e5F6DoyCkiqKf3PeVprcIkQ4=
+github.com/helmfile/vals v0.42.4 h1:K5rDqhyN7EG5BeU+MyY8u8yWVdBCzRXUtGu4JcZVqKk=
+github.com/helmfile/vals v0.42.4/go.mod h1:Dj1nuqfJ2whuZTe6sGrz1405vVpn16YNBxd6DdAaTc0=
+github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
+github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
+github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f h1:7LYC+Yfkj3CTRcShK0KOL/w6iTiKyqqBA9a41Wnggw8=
+github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f/go.mod h1:pFlLw2CfqZiIBOx6BuCeRLCrfxBJipTY0nIOF/VbGcI=
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
+github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca h1:T54Ema1DU8ngI+aef9ZhAhNGQhcRTrWxVeG07F+c/Rw=
+github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/itchyny/gojq v0.12.16 h1:yLfgLxhIr/6sJNVmYfQjTIv0jGctu6/DgDoivmxTr7g=
+github.com/itchyny/gojq v0.12.16/go.mod h1:6abHbdC2uB9ogMS38XsErnfqJ94UlngIJGlRAIj4jTM=
+github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q=
+github.com/itchyny/timefmt-go v0.1.6/go.mod h1:RRDZYC5s9ErkjQvTvvU7keJjxUYzIISJGxm9/mAERQg=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
+github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
+github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
+github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
+github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
+github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
+github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
+github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
+github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
+github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
+github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
+github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ=
+github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
+github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
+github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
+github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
+github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
+github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
+github.com/muesli/termenv v0.15.1 h1:UzuTb/+hhlBugQz28rpzey4ZuKcZ03MeKsoG7IJZIxs=
+github.com/muesli/termenv v0.15.1/go.mod h1:HeAQPTzpfs016yGtA4g00CsdYnVLJvxsS4ANqrZs2sQ=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
+github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
+github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/opencontainers/runc v1.2.6 h1:P7Hqg40bsMvQGCS4S7DJYhUZOISMLJOB2iGX5COWiPk=
+github.com/opencontainers/runc v1.2.6/go.mod h1:dOQeFo29xZKBNeRBI0B19mJtfHv68YgCTh1X+YphA+4=
+github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
+github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
+github.com/ory/dockertest/v3 v3.12.0 h1:3oV9d0sDzlSQfHtIaB5k6ghUCVMVLpAY8hwrqoCyRCw=
+github.com/ory/dockertest/v3 v3.12.0/go.mod h1:aKNDTva3cp8dwOWwb9cWuX84aH5akkxXRvO7KCwWVjE=
+github.com/otiai10/copy v1.14.1 h1:5/7E6qsUMBaH5AnQ0sSLzzTg1oTECmcCmT6lvF45Na8=
+github.com/otiai10/copy v1.14.1/go.mod h1:oQwrEDDOci3IM8dJF0d8+jnbfPDllW6vUjNc3DoZm9I=
+github.com/otiai10/mint v1.6.3 h1:87qsV/aw1F5as1eH1zS/yqHY85ANKVMgkDrf9rcxbQs=
+github.com/otiai10/mint v1.6.3/go.mod h1:MJm72SBthJjz8qhefc4z1PYEieWmy8Bku7CjcAqyUSM=
+github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
+github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
+github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho=
+github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U=
+github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc=
+github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ=
+github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
+github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
+github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/rubenv/sql-migrate v1.8.0 h1:dXnYiJk9k3wetp7GfQbKJcPHjVJL6YK19tKj8t2Ns0o=
+github.com/rubenv/sql-migrate v1.8.0/go.mod h1:F2bGFBwCU+pnmbtNYDeKvSuvL6lBVtXDXUUv5t+u1qw=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
+github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 h1:KhF0WejiUTDbL5X55nXowP7zNopwpowa6qaMAWyIE+0=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33/go.mod h1:792k1RTU+5JeMXm35/e2Wgp71qPH/DmDoZrRc+EFZDk=
+github.com/scylladb/termtables v0.0.0-20191203121021-c4c0b6d42ff4/go.mod h1:C1a7PQSMz9NShzorzCiG2fk9+xuCgLkPeCvMHYR2OWg=
+github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
+github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
+github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
+github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
+github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
+github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tatsushid/go-prettytable v0.0.0-20141013043238-ed2d14c29939 h1:BhIUXV2ySTLrKgh/Hnts+QTQlIbWtomXt3LMdzME0A0=
+github.com/tatsushid/go-prettytable v0.0.0-20141013043238-ed2d14c29939/go.mod h1:omGxs4/6hNjxPKUTjmaNkPzehSnNJOJN6pMEbrlYIT4=
+github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 h1:ZF+QBjOI+tILZjBaFj3HgFonKXUcwgJ4djLb6i42S3Q=
+github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834/go.mod h1:m9ymHTgNSEjuxvw8E7WWe4Pl4hZQHXONY8wE6dMLaRk=
+github.com/tetratelabs/wazero v1.9.0 h1:IcZ56OuxrtaEz8UYNRHBrUa9bYeX9oVY93KspZZBf/I=
+github.com/tetratelabs/wazero v1.9.0/go.mod h1:TSbcXCfFP0L2FGkRPxHphadXPjo1T6W+CseNNY7EkjM=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tj/assert v0.0.3 h1:Df/BlaZ20mq6kuai7f5z2TvPFiwC3xaWJSDQNiIS3Rk=
+github.com/tj/assert v0.0.3/go.mod h1:Ne6X72Q+TB1AteidzQncjw9PabbMp4PBMZ1k+vd1Pvk=
+github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
+github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
+github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg=
+github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
+github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
+github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/urfave/cli v1.22.17 h1:SYzXoiPfQjHBbkYxbew5prZHS1TOLT3ierW8SYLqtVQ=
+github.com/urfave/cli v1.22.17/go.mod h1:b0ht0aqgH/6pBYzzxURyrM4xXNgsoT/n2ZzwQiEhNVo=
+github.com/variantdev/dag v1.1.0 h1:xodYlSng33KWGvIGMpKUyLcIZRXKiNUx612mZJqYrDg=
+github.com/variantdev/dag v1.1.0/go.mod h1:pH1TQsNSLj2uxMo9NNl9zdGy01Wtn+/2MT96BrKmVyE=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
+github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
+github.com/yandex-cloud/go-genproto v0.29.0 h1:iCVJ8YKvC9XMcxbPQkV2pp60iNtNVnU4UMv1JIBmPuI=
+github.com/yandex-cloud/go-genproto v0.29.0/go.mod h1:0LDD/IZLIUIV4iPH+YcF+jysO3jkSvADFGm4dCAuwQo=
+github.com/yandex-cloud/go-sdk v0.22.0 h1:COUDkpFouZ1d6NfZyG4tPgFNAPZh2Oyje77efUrErQs=
+github.com/yandex-cloud/go-sdk v0.22.0/go.mod h1:9CPEoMSje/vw0LJKcJ950szZoX4W4IfLDm2Ah/xI6Bo=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
+github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
+github.com/zclconf/go-cty v1.17.0 h1:seZvECve6XX4tmnvRzWtJNHdscMtYEx5R7bnnVyd/d0=
+github.com/zclconf/go-cty v1.17.0/go.mod h1:wqFzcImaLTI6A5HfsRwB0nj5n0MRZFwmey8YoFPPs3U=
+github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
+github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
+github.com/zclconf/go-cty-yaml v1.1.0 h1:nP+jp0qPHv2IhUVqmQSzjvqAWcObN0KBkUl2rWBdig0=
+github.com/zclconf/go-cty-yaml v1.1.0/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
+go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGhfnFe5lwB0ic1JBVjzhk0w=
+go.opentelemetry.io/contrib/bridges/prometheus v0.57.0/go.mod h1:ppciCHRLsyCio54qbzQv0E4Jyth/fLWDTJYfvWpcSVk=
+go.opentelemetry.io/contrib/detectors/gcp v1.36.0 h1:F7q2tNlCaHY9nMKHR6XH9/qkp8FktLnIcy6jJNyOCQw=
+go.opentelemetry.io/contrib/detectors/gcp v1.36.0/go.mod h1:IbBN8uAIIx734PTonTPxAxnjc2pQTxWNkwfstZ+6H2k=
+go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4=
+go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0/go.mod h1:5KXybFvPGds3QinJWQT7pmXf+TN5YIa7CNYObWRkj50=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7ZSD+5yn+lo3sGV69nW04rRR0jhYnBwjuX3r0HvnK0=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0 h1:cMyu9O88joYEaI47CnQkxO1XZdpoTF9fEnW2duIddhw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0/go.mod h1:6Am3rn7P9TVVeXYG+wtcGE7IE1tsQ+bP3AuWcKt/gOI=
+go.opentelemetry.io/otel/exporters/prometheus v0.54.0 h1:rFwzp68QMgtzu9PgP3jm9XaMICI6TsofWWPcBDKwlsU=
+go.opentelemetry.io/otel/exporters/prometheus v0.54.0/go.mod h1:QyjcV9qDP6VeK5qPyKETvNjmaaEc7+gqjh4SS0ZYzDU=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 h1:CHXNXwfKWfzS65yrlB2PVds1IBZcdsX8Vepy9of0iRU=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0/go.mod h1:zKU4zUgKiaRxrdovSS2amdM5gOc59slmo/zJwGX+YBg=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0 h1:rixTyDGXFxRy1xzhKrotaHy3/KXdPhlWARrCgK+eqUY=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0/go.mod h1:dowW6UsM9MKbJq5JTz2AMVp3/5iW5I/TStsk8S+CfHw=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s=
+go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk=
+go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs=
+go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
+go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.szostok.io/version v1.2.0 h1:8eMMdfsonjbibwZRLJ8TnrErY8bThFTQsZYV16mcXms=
+go.szostok.io/version v1.2.0/go.mod h1:EiU0gPxaXb6MZ+apSN0WgDO6F4JXyC99k9PIXf2k2E8=
+go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
+go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
+golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
+golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI=
+golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/api v0.252.0 h1:xfKJeAJaMwb8OC9fesr369rjciQ704AjU/psjkKURSI=
+google.golang.org/api v0.252.0/go.mod h1:dnHOv81x5RAmumZ7BWLShB/u7JZNeyalImxHmtTHxqw=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
+google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c/go.mod h1:ea2MjsO70ssTfCjiwHgI0ZFqcw45Ksuk2ckf9G468GA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797 h1:CirRxTOwnRWVLKzDNrs0CXAaVozJoR4G9xvdRecrdpk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797/go.mod h1:HSkG/KdJWusxU1F6CNrwNDjBMgisKxGnc5dAZfT0mjQ=
+google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI=
+google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
+gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/gookit/color.v1 v1.1.6 h1:5fB10p6AUFjhd2ayq9JgmJWr9WlTrguFdw3qlYtKNHk=
+gopkg.in/gookit/color.v1 v1.1.6/go.mod h1:IcEkFGaveVShJ+j8ew+jwe9epHyGpJ9IrptHmW3laVY=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+helm.sh/helm/v3 v3.19.0 h1:krVyCGa8fa/wzTZgqw0DUiXuRT5BPdeqE/sQXujQ22k=
+helm.sh/helm/v3 v3.19.0/go.mod h1:Lk/SfzN0w3a3C3o+TdAKrLwJ0wcZ//t1/SDXAvfgDdc=
+k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
+k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
+k8s.io/apiextensions-apiserver v0.34.0 h1:B3hiB32jV7BcyKcMU5fDaDxk882YrJ1KU+ZSkA9Qxoc=
+k8s.io/apiextensions-apiserver v0.34.0/go.mod h1:hLI4GxE1BDBy9adJKxUxCEHBGZtGfIg98Q+JmTD7+g0=
+k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
+k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
+k8s.io/cli-runtime v0.34.0 h1:N2/rUlJg6TMEBgtQ3SDRJwa8XyKUizwjlOknT1mB2Cw=
+k8s.io/cli-runtime v0.34.0/go.mod h1:t/skRecS73Piv+J+FmWIQA2N2/rDjdYSQzEE67LUUs8=
+k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
+k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
+k8s.io/component-base v0.34.0 h1:bS8Ua3zlJzapklsB1dZgjEJuJEeHjj8yTu1gxE2zQX8=
+k8s.io/component-base v0.34.0/go.mod h1:RSCqUdvIjjrEm81epPcjQ/DS+49fADvGSCkIP3IC6vg=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
+k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
+k8s.io/kubectl v0.34.0 h1:NcXz4TPTaUwhiX4LU+6r6udrlm0NsVnSkP3R9t0dmxs=
+k8s.io/kubectl v0.34.0/go.mod h1:bmd0W5i+HuG7/p5sqicr0Li0rR2iIhXL0oUyLF3OjR4=
+k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
+k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
+oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I=
+sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM=
+sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78=
+sigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
--- a/hack/semtag
+++ b/hack/semtag
@ -0,0 +1,623 @@
+#!/usr/bin/env bash
+
+PROG=semtag
+PROG_VERSION="v0.1.0"
+
+SEMVER_REGEX="^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(\-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$"
+IDENTIFIER_REGEX="^\-([0-9A-Za-z-]+)\.([0-9A-Za-z-]+)*$"
+
+# Global variables
+FIRST_VERSION="v0.0.0"
+finalversion=$FIRST_VERSION
+lastversion=$FIRST_VERSION
+hasversiontag="false"
+scope="patch"
+displayonly="false"
+forcetag="false"
+forcedversion=
+versionname=
+identifier=
+
+HELP="\
+Usage:
+  $PROG
+  $PROG getlast
+  $PROG getfinal
+  $PROG (final|alpha|beta|candidate) [-s <scope> (major|minor|patch|auto) | -o]
+  $PROG --help
+  $PROG --version
+Options:
+  -s         The scope that must be increased, can be major, minor or patch.
+               The resulting version will match X.Y.Z(-PRERELEASE)(+BUILD)
+               where X, Y and Z are positive integers, PRERELEASE is an optionnal
+               string composed of alphanumeric characters describing if the build is
+               a release candidate, alpha or beta version, with a number.
+               BUILD is also an optional string composed of alphanumeric
+               characters and hyphens.
+               Setting the scope as 'auto', the script will chose the scope between
+               'minor' and 'patch', depending on the amount of lines added (<10% will
+               choose patch).
+  -v         Specifies manually the version to be tagged, must be a valid semantic version
+               in the format X.Y.Z where X, Y and Z are positive integers.
+  -o         Output the version only, shows the bumped version, but doesn't tag.
+  -f         Forces to tag, even if there are unstaged or uncommited changes.
+Commands:
+  --help     Print this help message.
+  --version  Prints the program's version.
+  get        Returns both current final version and last tagged version.
+  getlast    Returns the latest tagged version.
+  getfinal   Returns the latest tagged final version.
+  getcurrent Returns the current version, based on the latest one, if there are uncommited or
+               unstaged changes, they will be reflected in the version, adding the number of
+               pending commits, current branch and commit hash.
+  final      Tags the current build as a final version, this only can be done on the master branch.
+  candidate  Tags the current build as a release candidate, the tag will contain all
+               the commits from the last final version.
+  alpha      Tags the current build as an alpha version, the tag will contain all
+               the commits from the last final version.
+  beta       Tags the current build as a beta version, the tag will contain all
+               the commits from the last final version."
+
+# Commands and options
+ACTION="getlast"
+ACTION="$1"
+shift
+
+# We get the parameters
+while getopts "v:s:of" opt; do
+  case $opt in
+    v)
+      forcedversion="$OPTARG"
+      ;;
+    s)
+      scope="$OPTARG"
+      ;;
+    o)
+      displayonly="true"
+      ;;
+    f)
+      forcetag="true"
+      ;;
+    \?)
+      echo "Invalid option: -$OPTARG" >&2
+      exit 1
+      ;;
+    :)
+      echo "Option -$OPTARG requires an argument." >&2
+      exit 1
+      ;;
+  esac
+done
+
+# Gets a string with the version and returns an array of maximum size of 5 with all the parts of the sematinc version
+# $1 The string containing the version in semantic format
+# $2 The variable to store the result array:
+#      position 0: major number
+#      position 1: minor number
+#      position 2: patch number
+#      position 3: identifier (or prerelease identifier)
+#      position 4: build info
+function explode_version {
+  local __version=$1
+  local __result=$2
+  if [[ $__version =~ $SEMVER_REGEX ]] ; then
+    local __major=${BASH_REMATCH[1]}
+    local __minor=${BASH_REMATCH[2]}
+    local __patch=${BASH_REMATCH[3]}
+    local __prere=${BASH_REMATCH[4]}
+    local __build=${BASH_REMATCH[5]}
+    eval "$__result=(\"$__major\" \"$__minor\" \"$__patch\" \"$__prere\" \"$__build\")"
+  else
+    eval "$__result="
+  fi
+}
+
+# Compare two versions and returns -1, 0 or 1
+# $1 The first version to compare
+# $2 The second version to compare
+# $3 The variable where to store the result
+function compare_versions {
+  local __first
+  local __second
+  explode_version $1 __first
+  explode_version $2 __second
+  local lv=$3
+
+  # Compares MAJOR, MINOR and PATCH
+  for i in 0 1 2; do
+    local __numberfirst=${__first[$i]}
+    local __numbersecond=${__second[$i]}
+    case $(($__numberfirst - $__numbersecond)) in
+      0)
+        ;;
+      -[0-9]*)
+        eval "$lv=-1"
+        return 0
+        ;;
+      [0-9]*)
+        eval "$lv=1"
+        return 0
+        ;;
+    esac
+  done
+
+  # Identifiers should compare with the ASCII order.
+  local __identifierfirst=${__first[3]}
+  local __identifiersecond=${__second[3]}
+  if [[ -n "$__identifierfirst" ]] && [[ -n "$__identifiersecond" ]]; then
+    if [[ "$__identifierfirst" > "$__identifiersecond" ]]; then
+      eval "$lv=1"
+      return 0
+    elif [[ "$__identifierfirst" < "$__identifiersecond" ]]; then
+      eval "$lv=-1"
+      return 0
+    fi
+  elif [[ -z "$__identifierfirst" ]] && [[ -n "$__identifiersecond" ]]; then
+    eval "$lv=1"
+    return 0
+  elif [[ -n "$__identifierfirst" ]] && [[ -z "$__identifiersecond" ]]; then
+    eval "$lv=-1"
+    return 0
+  fi
+
+  eval "$lv=0"
+}
+
+# Returns the last version of two
+# $1 The first version to compare
+# $2 The second version to compare
+# $3 The variable where to store the last one
+function get_latest_of_two {
+  local __first=$1
+  local __second=$2
+  local __result
+  local __latest=$3
+  compare_versions $__first $__second __result
+  case $__result in
+    0)
+      eval "$__latest=$__second"
+      ;;
+    -1)
+      eval "$__latest=$__second"
+      ;;
+    1)
+      eval "$__latest=$__first"
+      ;;
+  esac
+}
+
+# Assigns a 2 size array with the identifier, having the identifier at pos 0, and the number in pos 1
+# $1 The identifier in the format -id.#
+# $2 The vferiable where to store the 2 size array
+function explode_identifier {
+  local __identifier=$1
+  local __result=$2
+  if [[ $__identifier =~ $IDENTIFIER_REGEX ]] ; then
+    local __id=${BASH_REMATCH[1]}
+    local __number=${BASH_REMATCH[2]}
+    if [[ -z "$__number" ]]; then
+      __number=1
+    fi
+    eval "$__result=(\"$__id\" \"$__number\")"
+  else
+    eval "$__result="
+  fi
+}
+
+# Gets a list of tags and assigns the base and latest versions
+# Receives an array with the tags containing the versions
+# Assigns to the global variables finalversion and lastversion the final version and the latest version
+function get_latest {
+  local __taglist=("$@")
+  local __tagsnumber=${#__taglist[@]}
+  local __current
+  case $__tagsnumber in
+    0)
+      finalversion=$FIRST_VERSION
+      lastversion=$FIRST_VERSION
+      ;;
+    1)
+      __current=${__taglist[0]}
+      explode_version $__current ver
+      if [ -n "$ver" ]; then
+        if [ -n "${ver[3]}" ]; then
+          finalversion=$FIRST_VERSION
+        else
+          finalversion=$__current
+        fi
+        lastversion=$__current
+      else
+        finalversion=$FIRST_VERSION
+        lastversion=$FIRST_VERSION
+      fi
+      ;;
+    *)
+      local __lastpos=$(($__tagsnumber-1))
+      for i in $(seq 0 $__lastpos)
+      do
+        __current=${__taglist[i]}
+        explode_version ${__taglist[i]} ver
+        if [ -n "$ver" ]; then
+          if [ -z "${ver[3]}" ]; then
+            get_latest_of_two $finalversion $__current finalversion
+            get_latest_of_two $lastversion $finalversion lastversion
+          else
+            get_latest_of_two $lastversion $__current lastversion
+          fi
+        fi
+      done
+      ;;
+  esac
+
+  if git rev-parse -q --verify "refs/tags/$lastversion" >/dev/null; then
+    hasversiontag="true"
+  else
+    hasversiontag="false"
+  fi
+}
+
+# Gets the next version given the provided scope
+# $1 The version that is going to be bumped
+# $2 The scope to bump
+# $3 The variable where to stoer the result
+function get_next_version {
+  local __exploded
+  local __fromversion=$1
+  local __scope=$2
+  local __result=$3
+  explode_version $__fromversion __exploded
+  case $__scope in
+    major)
+      __exploded[0]=$((${__exploded[0]}+1))
+      __exploded[1]=0
+      __exploded[2]=0
+    ;;
+    minor)
+      __exploded[1]=$((${__exploded[1]}+1))
+      __exploded[2]=0
+    ;;
+    patch)
+      __exploded[2]=$((${__exploded[2]}+1))
+    ;;
+  esac
+
+  eval "$__result=v${__exploded[0]}.${__exploded[1]}.${__exploded[2]}"
+}
+
+function bump_version {
+  ## First we try to get the next version based on the existing last one
+  if [ "$scope" == "auto" ]; then
+    get_scope_auto scope
+  fi
+
+  local __candidatefromlast=$FIRST_VERSION
+  local __explodedlast
+  explode_version $lastversion __explodedlast
+  if [[ -n "${__explodedlast[3]}" ]]; then
+    # Last version is not final
+    local __idlast
+    explode_identifier ${__explodedlast[3]} __idlast
+    
+    # We get the last, given the desired id based on the scope
+    __candidatefromlast="v${__explodedlast[0]}.${__explodedlast[1]}.${__explodedlast[2]}"
+    if [[ -n "$identifier" ]]; then
+      local __nextid="$identifier.1"
+      if [ "$identifier" == "${__idlast[0]}" ]; then
+        # We target the same identifier as the last so we increase one
+        __nextid="$identifier.$(( ${__idlast[1]}+1 ))"
+        __candidatefromlast="$__candidatefromlast-$__nextid"
+      else
+        # Different identifiers, we make sure we are assigning a higher identifier, if not, we increase the version
+        __candidatefromlast="$__candidatefromlast-$__nextid"
+        local __comparedwithlast
+        compare_versions $__candidatefromlast $lastversion __comparedwithlast
+        if [ "$__comparedwithlast" == -1 ]; then
+          get_next_version $__candidatefromlast $scope __candidatefromlast
+          __candidatefromlast="$__candidatefromlast-$__nextid"
+        fi
+      fi
+    fi
+  fi
+
+  # Then we try to get the version based on the latest final one
+  local __candidatefromfinal=$FIRST_VERSION
+  get_next_version $finalversion $scope __candidatefromfinal
+  if [[ -n "$identifier" ]]; then
+    __candidatefromfinal="$__candidatefromfinal-$identifier.1"
+  fi
+
+  # Finally we compare both candidates
+  local __resultversion
+  local __result
+  compare_versions $__candidatefromlast $__candidatefromfinal __result
+  case $__result in
+    0)
+      __resultversion=$__candidatefromlast
+      ;;
+    -1)
+      __resultversion="$__candidatefromfinal"
+      ;;
+    1)
+      __resultversion=$__candidatefromlast
+      ;;
+  esac
+
+  eval "$1=$__resultversion"
+}
+
+function increase_version {
+  local __version=
+
+  if [ -z $forcedversion ]; then
+    bump_version __version
+  else
+    if [[ $forcedversion =~ $SEMVER_REGEX ]] ; then
+      compare_versions $forcedversion $lastversion __result
+      if [ $__result -le 0 ]; then
+        echo "Version can't be lower than last version: $lastversion"
+        exit 1
+      fi
+    else
+      echo "Non valid version to bump"
+      exit 1
+    fi
+    __version=$forcedversion
+  fi
+
+  if [ "$displayonly" == "true" ]; then
+    echo "$__version"
+  else
+    if [ "$forcetag" == "false" ]; then
+      check_git_dirty_status
+    fi
+    local __commitlist
+    if [ "$finalversion" == "$FIRST_VERSION" ] || [ "$hasversiontag" != "true" ]; then
+      __commitlist="$(git log --pretty=oneline | cat)"
+    else
+      __commitlist="$(git log --pretty=oneline $finalversion... | cat)"
+    fi
+
+    # If we are forcing a bump, we add bump to the commit list
+    if [[ -z $__commitlist && "$forcetag" == "true" ]]; then
+      __commitlist="bump"
+    fi
+
+    if [[ -z $__commitlist ]]; then
+      echo "No commits since the last final version, not bumping version"
+    else
+      if [[ -z $versionname ]]; then
+        versionname=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+      fi
+      local __message="$versionname
+$__commitlist"
+
+      # We check we have info on the user
+      local __username=$(git config user.name)
+      if [ -z "$__username" ]; then
+        __username=$(id -u -n)
+        git config user.name $__username
+      fi
+      local __useremail=$(git config user.email)
+      if [ -z "$__useremail" ]; then
+        __useremail=$(hostname)
+        git config user.email "$__username@$__useremail"
+      fi
+
+      git tag -a $__version -m "$__message" 
+
+      # If we have a remote, we push there
+      local __remote=${SEMTAG_REMOTE:-$(git remote)}
+      if [[ -n $__remote ]]; then
+        git push $__remote $__version > /dev/null
+        if [ $? -eq 0 ]; then
+          echo "$__version"
+        else
+          echo "Error pushing the tag $__version to $__remote"
+          exit 1
+        fi
+      else
+        echo "$__version"
+      fi
+    fi
+  fi
+}
+
+function check_git_dirty_status {
+  local __repostatus=
+  get_work_tree_status __repostatus
+
+  if [ "$__repostatus" == "uncommitted" ]; then
+    echo "ERROR: You have uncommitted changes"
+    git status --porcelain
+    exit 1
+  fi
+
+  if [ "$__repostatus" == "unstaged" ]; then
+    echo "ERROR: You have unstaged changes"
+    git status --porcelain
+    exit 1
+  fi
+}
+
+# Get the total amount of lines of code in the repo
+function get_total_lines {
+  local __empty_id="$(git hash-object -t tree /dev/null)"
+  local __changes="$(git diff --numstat $__empty_id | cat)"
+  local __added_deleted=$1
+  get_changed_lines "$__changes" $__added_deleted
+}
+
+# Get the total amount of lines of code since the provided tag
+function get_sincetag_lines {
+  local __sincetag=$1
+  local __changes="$(git diff --numstat $__sincetag | cat)"
+  local __added_deleted=$2
+  get_changed_lines "$__changes" $__added_deleted
+}
+
+function get_changed_lines {
+  local __changes_numstat=$1
+  local __result=$2
+  IFS=$'\n' read -rd '' -a __changes_array <<<"$__changes_numstat"
+  local __diff_regex="^([0-9]+)[[:space:]]+([0-9]+)[[:space:]]+.+$"
+
+  local __total_added=0
+  local __total_deleted=0
+  for i in "${__changes_array[@]}"
+  do
+    if [[ $i =~ $__diff_regex ]] ; then
+      local __added=${BASH_REMATCH[1]}
+      local __deleted=${BASH_REMATCH[2]}
+      __total_added=$(( $__total_added+$__added ))
+      __total_deleted=$(( $__total_deleted+$__deleted ))
+    fi
+  done
+  eval "$2=( $__total_added $__total_deleted )"
+}
+
+function get_scope_auto {
+  local __verbose=$2
+  local __total=0
+  local __since=0
+  local __scope=
+
+  get_total_lines __total
+  get_sincetag_lines $finalversion __since
+
+  local __percentage=0
+  if [ "$__total" != "0" ]; then
+    local __percentage=$(( 100*$__since/$__total ))
+    if [ $__percentage -gt "10" ]; then
+      __scope="minor"
+    else
+      __scope="patch"
+    fi
+  fi
+
+  eval "$1=$__scope"
+  if [[ -n "$__verbose" ]]; then
+    echo "[Auto Scope] Percentage of lines changed: $__percentage"
+    echo "[Auto Scope] : $__scope"
+  fi
+}
+
+function get_work_tree_status {
+  # Update the index
+  git update-index -q --ignore-submodules --refresh > /dev/null
+  eval "$1="
+
+  if ! git diff-files --quiet --ignore-submodules -- > /dev/null
+  then
+    eval "$1=unstaged"
+  fi
+
+  if ! git diff-index --cached --quiet HEAD --ignore-submodules -- > /dev/null
+  then
+    eval "$1=uncommitted"
+  fi
+}
+
+function get_current {
+  if [ "$hasversiontag" == "true" ]; then
+    local __commitcount="$(git rev-list $lastversion.. --count)"
+  else
+    local __commitcount="$(git rev-list --count HEAD)"
+  fi
+  local __status=
+  get_work_tree_status __status
+  
+  if [ "$__commitcount" == "0" ] && [ -z "$__status" ]; then
+    eval "$1=$lastversion"
+  else
+    local __buildinfo="$(git rev-parse --short HEAD)"
+    local __currentbranch="$(git rev-parse --abbrev-ref HEAD)"
+    if [ "$__currentbranch" != "master" ]; then
+      __buildinfo="$__currentbranch.$__buildinfo"
+    fi
+
+    local __suffix=
+    if [ "$__commitcount" != "0" ]; then
+      if [ -n "$__suffix" ]; then
+        __suffix="$__suffix."
+      fi
+      __suffix="$__suffix$__commitcount"
+    fi
+    if [ -n "$__status" ]; then
+      if [ -n "$__suffix" ]; then
+        __suffix="$__suffix."
+      fi
+      __suffix="$__suffix$__status"
+    fi
+
+    __suffix="$__suffix+$__buildinfo"
+    if [ "$lastversion" == "$finalversion" ]; then
+      scope="patch"
+      identifier=
+      local __bumped=
+      bump_version __bumped
+      eval "$1=$__bumped-dev.$__suffix"
+    else
+      eval "$1=$lastversion.$__suffix"
+    fi
+  fi
+}
+
+function init {
+  git fetch > /dev/null
+  TAGS="$(git tag)"
+  IFS=$'\n' read -rd '' -a TAG_ARRAY <<<"$TAGS"
+
+  get_latest ${TAG_ARRAY[@]}
+  currentbranch="$(git rev-parse --abbrev-ref HEAD)"
+}
+
+case $ACTION in
+  --help)
+    echo -e "$HELP"
+    ;;
+  --version)
+    echo -e "${PROG}: $PROG_VERSION"
+    ;;
+  final)
+    init
+    diff=$(git diff master | cat)
+    if [ "$forcetag" == "false" ]; then
+      if [ -n "$diff" ]; then
+        echo "ERROR: Branch must be updated with master for final versions"
+        exit 1
+      fi
+    fi
+    increase_version
+    ;;
+  alpha|beta)
+    init
+    identifier="$ACTION"
+    increase_version
+    ;;
+  candidate)
+    init
+    identifier="rc"
+    increase_version
+    ;;
+  getlast)
+    init
+    echo "$lastversion"
+    ;;
+  getfinal)
+    init
+    echo "$finalversion"
+    ;;
+  getcurrent)
+    init
+    get_current current
+    echo "$current"
+    ;;
+  get)
+    init
+    echo "Current final version: $finalversion"
+    echo "Last tagged version:   $lastversion"
+    ;;
+  *)
+    echo "'$ACTION' is not a valid command, see --help for available commands."
+    ;;
+esac
--- a/helmexec/exec.go
+++ b/helmexec/exec.go
@ -1,159 +0,0 @@
-package helmexec
-
-import (
-	"io"
-	"strings"
-
-	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
-)
-
-const (
-	command = "helm"
-)
-
-type execer struct {
-	helmBinary  string
-	runner      Runner
-	logger      *zap.SugaredLogger
-	kubeContext string
-	extra       []string
-}
-
-func NewLogger(writer io.Writer, logLevel string) *zap.SugaredLogger {
-	var cfg zapcore.EncoderConfig
-	cfg.MessageKey = "message"
-	out := zapcore.AddSync(writer)
-	var level zapcore.Level
-	err := level.Set(logLevel)
-	if err != nil {
-		panic(err)
-	}
-	core := zapcore.NewCore(
-		zapcore.NewConsoleEncoder(cfg),
-		out,
-		level,
-	)
-	return zap.New(core).Sugar()
-}
-
-// New for running helm commands
-func New(logger *zap.SugaredLogger, kubeContext string) *execer {
-	return &execer{
-		helmBinary:  command,
-		logger:      logger,
-		kubeContext: kubeContext,
-		runner:      &ShellRunner{},
-	}
-}
-
-func (helm *execer) SetExtraArgs(args ...string) {
-	helm.extra = args
-}
-
-func (helm *execer) SetHelmBinary(bin string) {
-	helm.helmBinary = bin
-}
-
-func (helm *execer) AddRepo(name, repository, certfile, keyfile, username, password string) error {
-	var args []string
-	args = append(args, "repo", "add", name, repository)
-	if certfile != "" && keyfile != "" {
-		args = append(args, "--cert-file", certfile, "--key-file", keyfile)
-	}
-	if username != "" && password != "" {
-		args = append(args, "--username", username, "--password", password)
-	}
-	helm.logger.Infof("Adding repo %v %v", name, repository)
-	out, err := helm.exec(args...)
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) UpdateRepo() error {
-	helm.logger.Info("Updating repo")
-	out, err := helm.exec("repo", "update")
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) UpdateDeps(chart string) error {
-	helm.logger.Infof("Updating dependency %v", chart)
-	out, err := helm.exec("dependency", "update", chart)
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) SyncRelease(name, chart string, flags ...string) error {
-	helm.logger.Infof("Upgrading %v", chart)
-	out, err := helm.exec(append([]string{"upgrade", "--install", "--reset-values", name, chart}, flags...)...)
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) ReleaseStatus(name string) error {
-	helm.logger.Infof("Getting status %v", name)
-	out, err := helm.exec(append([]string{"status", name})...)
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) DecryptSecret(name string) (string, error) {
-	helm.logger.Infof("Decrypting secret %v", name)
-	out, err := helm.exec(append([]string{"secrets", "dec", name})...)
-	helm.write(out)
-	return name + ".dec", err
-}
-
-func (helm *execer) DiffRelease(name, chart string, flags ...string) error {
-	helm.logger.Infof("Comparing %v %v", name, chart)
-	out, err := helm.exec(append([]string{"diff", "upgrade", "--allow-unreleased", name, chart}, flags...)...)
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) Lint(chart string, flags ...string) error {
-	helm.logger.Infof("Linting %v", chart)
-	out, err := helm.exec(append([]string{"lint", chart}, flags...)...)
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) Fetch(chart string, flags ...string) error {
-	helm.logger.Infof("Fetching %v", chart)
-	out, err := helm.exec(append([]string{"fetch", chart}, flags...)...)
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) DeleteRelease(name string, flags ...string) error {
-	helm.logger.Infof("Deleting %v", name)
-	out, err := helm.exec(append([]string{"delete", name}, flags...)...)
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) TestRelease(name string, flags ...string) error {
-	helm.logger.Infof("Testing %v", name)
-	out, err := helm.exec(append([]string{"test", name}, flags...)...)
-	helm.write(out)
-	return err
-}
-
-func (helm *execer) exec(args ...string) ([]byte, error) {
-	cmdargs := args
-	if len(helm.extra) > 0 {
-		cmdargs = append(cmdargs, helm.extra...)
-	}
-	if helm.kubeContext != "" {
-		cmdargs = append(cmdargs, "--kube-context", helm.kubeContext)
-	}
-	helm.logger.Debugf("exec: %s %s", helm.helmBinary, strings.Join(cmdargs, " "))
-	return helm.runner.Execute(helm.helmBinary, cmdargs)
-}
-
-func (helm *execer) write(out []byte) {
-	if len(out) > 0 {
-		helm.logger.Infof("%s", out)
-	}
-}
--- a/helmexec/exec_test.go
+++ b/helmexec/exec_test.go
@ -1,355 +0,0 @@
-package helmexec
-
-import (
-	"bytes"
-	"os"
-	"reflect"
-	"testing"
-
-	"go.uber.org/zap"
-)
-
-// Mocking the command-line runner
-
-type mockRunner struct {
-	output []byte
-	err    error
-}
-
-func (mock *mockRunner) Execute(cmd string, args []string) ([]byte, error) {
-	return []byte{}, nil
-}
-
-func MockExecer(logger *zap.SugaredLogger, kubeContext string) *execer {
-	execer := New(logger, kubeContext)
-	execer.runner = &mockRunner{}
-	return execer
-}
-
-// Test methods
-
-func TestNewHelmExec(t *testing.T) {
-	buffer := bytes.NewBufferString("something")
-	logger := NewLogger(buffer, "debug")
-	helm := New(logger, "dev")
-	if helm.kubeContext != "dev" {
-		t.Error("helmexec.New() - kubeContext")
-	}
-	if buffer.String() != "something" {
-		t.Error("helmexec.New() - changed buffer")
-	}
-	if len(helm.extra) != 0 {
-		t.Error("helmexec.New() - extra args not empty")
-	}
-}
-
-func Test_SetExtraArgs(t *testing.T) {
-	helm := New(NewLogger(os.Stdout, "info"), "dev")
-	helm.SetExtraArgs()
-	if len(helm.extra) != 0 {
-		t.Error("helmexec.SetExtraArgs() - passing no arguments should not change extra field")
-	}
-	helm.SetExtraArgs("foo")
-	if !reflect.DeepEqual(helm.extra, []string{"foo"}) {
-		t.Error("helmexec.SetExtraArgs() - one extra argument missing")
-	}
-	helm.SetExtraArgs("alpha", "beta")
-	if !reflect.DeepEqual(helm.extra, []string{"alpha", "beta"}) {
-		t.Error("helmexec.SetExtraArgs() - two extra arguments missing (overwriting the previous value)")
-	}
-}
-
-func Test_SetHelmBinary(t *testing.T) {
-	helm := New(NewLogger(os.Stdout, "info"), "dev")
-	if helm.helmBinary != "helm" {
-		t.Error("helmexec.command - default command is not helm")
-	}
-	helm.SetHelmBinary("foo")
-	if helm.helmBinary != "foo" {
-		t.Errorf("helmexec.SetHelmBinary() - actual = %s expect = foo", helm.helmBinary)
-	}
-}
-
-func Test_AddRepo(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.AddRepo("myRepo", "https://repo.example.com/", "cert.pem", "key.pem", "", "")
-	expected := `Adding repo myRepo https://repo.example.com/
-exec: helm repo add myRepo https://repo.example.com/ --cert-file cert.pem --key-file key.pem --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.AddRepo()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-
-	buffer.Reset()
-	helm.AddRepo("myRepo", "https://repo.example.com/", "", "", "", "")
-	expected = `Adding repo myRepo https://repo.example.com/
-exec: helm repo add myRepo https://repo.example.com/ --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.AddRepo()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-
-	buffer.Reset()
-	helm.AddRepo("myRepo", "https://repo.example.com/", "", "", "example_user", "example_password")
-	expected = `Adding repo myRepo https://repo.example.com/
-exec: helm repo add myRepo https://repo.example.com/ --username example_user --password example_password --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.AddRepo()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_UpdateRepo(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.UpdateRepo()
-	expected := `Updating repo
-exec: helm repo update --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.UpdateRepo()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_SyncRelease(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.SyncRelease("release", "chart", "--timeout 10", "--wait")
-	expected := `Upgrading chart
-exec: helm upgrade --install --reset-values release chart --timeout 10 --wait --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.SyncRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-
-	buffer.Reset()
-	helm.SyncRelease("release", "chart")
-	expected = `Upgrading chart
-exec: helm upgrade --install --reset-values release chart --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.SyncRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_UpdateDeps(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.UpdateDeps("./chart/foo")
-	expected := `Updating dependency ./chart/foo
-exec: helm dependency update ./chart/foo --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.UpdateDeps()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-
-	buffer.Reset()
-	helm.SetExtraArgs("--verify")
-	helm.UpdateDeps("./chart/foo")
-	expected = `Updating dependency ./chart/foo
-exec: helm dependency update ./chart/foo --verify --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.AddRepo()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_DecryptSecret(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.DecryptSecret("secretName")
-	expected := `Decrypting secret secretName
-exec: helm secrets dec secretName --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.DecryptSecret()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_DiffRelease(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.DiffRelease("release", "chart", "--timeout 10", "--wait")
-	expected := `Comparing release chart
-exec: helm diff upgrade --allow-unreleased release chart --timeout 10 --wait --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.DiffRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-
-	buffer.Reset()
-	helm.DiffRelease("release", "chart")
-	expected = `Comparing release chart
-exec: helm diff upgrade --allow-unreleased release chart --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.DiffRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_DeleteRelease(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.DeleteRelease("release")
-	expected := `Deleting release
-exec: helm delete release --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.DeleteRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-func Test_DeleteRelease_Flags(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.DeleteRelease("release", "--purge")
-	expected := `Deleting release
-exec: helm delete release --purge --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.DeleteRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_TestRelease(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.TestRelease("release")
-	expected := `Testing release
-exec: helm test release --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.TestRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-func Test_TestRelease_Flags(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.TestRelease("release", "--cleanup", "--timeout", "60")
-	expected := `Testing release
-exec: helm test release --cleanup --timeout 60 --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.TestRelease()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_ReleaseStatus(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.ReleaseStatus("myRelease")
-	expected := `Getting status myRelease
-exec: helm status myRelease --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.ReleaseStatus()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_exec(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "")
-	helm.exec("version")
-	expected := "exec: helm version\n"
-	if buffer.String() != expected {
-		t.Errorf("helmexec.exec()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-
-	helm = MockExecer(logger, "dev")
-	ret, _ := helm.exec("diff")
-	if len(ret) != 0 {
-		t.Error("helmexec.exec() - expected empty return value")
-	}
-
-	buffer.Reset()
-	helm = MockExecer(logger, "dev")
-	helm.exec("diff", "release", "chart", "--timeout 10", "--wait")
-	expected = "exec: helm diff release chart --timeout 10 --wait --kube-context dev\n"
-	if buffer.String() != expected {
-		t.Errorf("helmexec.exec()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-
-	buffer.Reset()
-	helm.exec("version")
-	expected = "exec: helm version --kube-context dev\n"
-	if buffer.String() != expected {
-		t.Errorf("helmexec.exec()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-
-	buffer.Reset()
-	helm.SetExtraArgs("foo")
-	helm.exec("version")
-	expected = "exec: helm version foo --kube-context dev\n"
-	if buffer.String() != expected {
-		t.Errorf("helmexec.exec()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-
-	buffer.Reset()
-	helm = MockExecer(logger, "")
-	helm.SetHelmBinary("overwritten")
-	helm.exec("version")
-	expected = "exec: overwritten version\n"
-	if buffer.String() != expected {
-		t.Errorf("helmexec.exec()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_Lint(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.Lint("path/to/chart", "--values", "file.yml")
-	expected := `Linting path/to/chart
-exec: helm lint path/to/chart --values file.yml --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.Lint()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-func Test_Fetch(t *testing.T) {
-	var buffer bytes.Buffer
-	logger := NewLogger(&buffer, "debug")
-	helm := MockExecer(logger, "dev")
-	helm.Fetch("chart", "--version", "1.2.3", "--untar", "--untardir", "/tmp/dir")
-	expected := `Fetching chart
-exec: helm fetch chart --version 1.2.3 --untar --untardir /tmp/dir --kube-context dev
-`
-	if buffer.String() != expected {
-		t.Errorf("helmexec.Lint()\nactual = %v\nexpect = %v", buffer.String(), expected)
-	}
-}
-
-var logLevelTests = map[string]string{
-	"debug": `Adding repo myRepo https://repo.example.com/
-exec: helm repo add myRepo https://repo.example.com/ --username example_user --password example_password
-`,
-	"info": `Adding repo myRepo https://repo.example.com/
-`,
-	"warn": ``,
-}
-
-func Test_LogLevels(t *testing.T) {
-	var buffer bytes.Buffer
-	for logLevel, expected := range logLevelTests {
-		buffer.Reset()
-		logger := NewLogger(&buffer, logLevel)
-		helm := MockExecer(logger, "")
-		helm.AddRepo("myRepo", "https://repo.example.com/", "", "", "example_user", "example_password")
-		if buffer.String() != expected {
-			t.Errorf("helmexec.AddRepo()\nactual = %v\nexpect = %v", buffer.String(), expected)
-		}
-	}
-}
--- a/helmexec/helmexec.go
+++ b/helmexec/helmexec.go
@ -1,20 +0,0 @@
-package helmexec
-
-// Interface for executing helm commands
-type Interface interface {
-	SetExtraArgs(args ...string)
-	SetHelmBinary(bin string)
-
-	AddRepo(name, repository, certfile, keyfile, username, password string) error
-	UpdateRepo() error
-	UpdateDeps(chart string) error
-	SyncRelease(name, chart string, flags ...string) error
-	DiffRelease(name, chart string, flags ...string) error
-	Fetch(chart string, flags ...string) error
-	Lint(chart string, flags ...string) error
-	ReleaseStatus(name string) error
-	DeleteRelease(name string, flags ...string) error
-	TestRelease(name string, flags ...string) error
-
-	DecryptSecret(name string) (string, error)
-}
--- a/helmexec/runner.go
+++ b/helmexec/runner.go
@ -1,24 +0,0 @@
-package helmexec
-
-import (
-	"os/exec"
-)
-
-const (
-	tmpPrefix = "helmfile-"
-	tmpSuffix = "-exec"
-)
-
-// Runner interface for shell commands
-type Runner interface {
-	Execute(cmd string, args []string) ([]byte, error)
-}
-
-// ShellRunner implemention for shell commands
-type ShellRunner struct{}
-
-// Execute a shell command
-func (shell ShellRunner) Execute(cmd string, args []string) ([]byte, error) {
-	preparedCmd := exec.Command(cmd, args...)
-	return preparedCmd.CombinedOutput()
-}
--- a/logo/helmfile.ai
+++ b/logo/helmfile.ai
--- a/logo/helmfile.png
+++ b/logo/helmfile.png
--- a/main.go
+++ b/main.go
@ -1,571 +1,49 @@
 package main

 import (
-	"fmt"
-	"log"
 	"os"
 	"os/signal"
-	"path/filepath"
-	"sort"
 	"syscall"

-	"os/exec"
-
-	"github.com/roboll/helmfile/args"
-	"github.com/roboll/helmfile/helmexec"
-	"github.com/roboll/helmfile/state"
-	"github.com/urfave/cli"
-	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
+	"github.com/helmfile/helmfile/cmd"
+	"github.com/helmfile/helmfile/pkg/app"
+	"github.com/helmfile/helmfile/pkg/config"
+	"github.com/helmfile/helmfile/pkg/errors"
 )

-const (
-	DefaultHelmfile          = "helmfile.yaml"
-	DeprecatedHelmfile       = "charts.yaml"
-	DefaultHelmfileDirectory = "helmfile.d"
-)
-
-var Version string
-
-var logger *zap.SugaredLogger
-
-func configureLogging(c *cli.Context) error {
-	// Valid levels:
-	// https://github.com/uber-go/zap/blob/7e7e266a8dbce911a49554b945538c5b950196b8/zapcore/level.go#L126
-	logLevel := c.GlobalString("log-level")
-	if c.GlobalBool("quiet") {
-		logLevel = "warn"
-	}
-	var level zapcore.Level
-	err := level.Set(logLevel)
-	if err != nil {
-		return err
-	}
-	logger = helmexec.NewLogger(os.Stdout, logLevel)
-	if c.App.Metadata == nil {
-		// Auto-initialised in 1.19.0
-		// https://github.com/urfave/cli/blob/master/CHANGELOG.md#1190---2016-11-19
-		c.App.Metadata = make(map[string]interface{})
-	}
-	c.App.Metadata["logger"] = logger
-	return nil
-}
-
 func main() {
-
-	app := cli.NewApp()
-	app.Name = "helmfile"
-	app.Usage = ""
-	app.Version = Version
-	app.Flags = []cli.Flag{
-		cli.StringFlag{
-			Name:  "helm-binary, b",
-			Usage: "path to helm binary",
-		},
-		cli.StringFlag{
-			Name:  "file, f",
-			Usage: "load config from file or directory. defaults to `helmfile.yaml` or `helmfile.d`(means `helmfile.d/*.yaml`) in this preference",
-		},
-		cli.BoolFlag{
-			Name:  "quiet, q",
-			Usage: "Silence output. Equivalent to log-level warn",
-		},
-		cli.StringFlag{
-			Name:  "kube-context",
-			Usage: "Set kubectl context. Uses current context by default",
-		},
-		cli.StringFlag{
-			Name:  "log-level",
-			Usage: "Set log level, default info",
-		},
-		cli.StringFlag{
-			Name:  "namespace, n",
-			Usage: "Set namespace. Uses the namespace set in the context by default",
-		},
-		cli.StringSliceFlag{
-			Name: "selector, l",
-			Usage: `Only run using the releases that match labels. Labels can take the form of foo=bar or foo!=bar.
-	A release must match all labels in a group in order to be used. Multiple groups can be specified at once.
-	--selector tier=frontend,tier!=proxy --selector tier=backend. Will match all frontend, non-proxy releases AND all backend releases.
-	The name of a release can be used as a label. --selector name=myrelease`,
-		},
-	}
-
-	app.Before = configureLogging
-	app.Commands = []cli.Command{
-		{
-			Name:  "repos",
-			Usage: "sync repositories from state file (helm repo add && helm repo update)",
-			Flags: []cli.Flag{
-				cli.StringFlag{
-					Name:  "args",
-					Value: "",
-					Usage: "pass args to helm exec",
-				},
-			},
-			Action: func(c *cli.Context) error {
-				return eachDesiredStateDo(c, func(state *state.HelmState, helm helmexec.Interface) []error {
-					args := args.GetArgs(c.String("args"), state)
-					if len(args) > 0 {
-						helm.SetExtraArgs(args...)
-					}
-					if c.GlobalString("helm-binary") != "" {
-						helm.SetHelmBinary(c.GlobalString("helm-binary"))
-					}
-
-					return state.SyncRepos(helm)
-				})
-			},
-		},
-		{
-			Name:  "charts",
-			Usage: "sync releases from state file (helm upgrade --install)",
-			Flags: []cli.Flag{
-				cli.StringFlag{
-					Name:  "args",
-					Value: "",
-					Usage: "pass args to helm exec",
-				},
-				cli.StringSliceFlag{
-					Name:  "values",
-					Usage: "additional value files to be merged into the command",
-				},
-				cli.IntFlag{
-					Name:  "concurrency",
-					Value: 0,
-					Usage: "maximum number of concurrent helm processes to run, 0 is unlimited",
-				},
-			},
-			Action: func(c *cli.Context) error {
-				return eachDesiredStateDo(c, func(state *state.HelmState, helm helmexec.Interface) []error {
-					args := args.GetArgs(c.String("args"), state)
-					if len(args) > 0 {
-						helm.SetExtraArgs(args...)
-					}
-					if c.GlobalString("helm-binary") != "" {
-						helm.SetHelmBinary(c.GlobalString("helm-binary"))
-					}
-
-					values := c.StringSlice("values")
-					workers := c.Int("concurrency")
-
-					return state.SyncReleases(helm, values, workers)
-				})
-			},
-		},
-		{
-			Name:  "diff",
-			Usage: "diff releases from state file against env (helm diff)",
-			Flags: []cli.Flag{
-				cli.StringFlag{
-					Name:  "args",
-					Value: "",
-					Usage: "pass args to helm exec",
-				},
-				cli.StringSliceFlag{
-					Name:  "values",
-					Usage: "additional value files to be merged into the command",
-				},
-				cli.BoolFlag{
-					Name:  "sync-repos",
-					Usage: "enable a repo sync prior to diffing",
-				},
-				cli.BoolFlag{
-					Name:  "detailed-exitcode",
-					Usage: "return a non-zero exit code when there are changes",
-				},
-				cli.IntFlag{
-					Name:  "concurrency",
-					Value: 0,
-					Usage: "maximum number of concurrent helm processes to run, 0 is unlimited",
-				},
-			},
-			Action: func(c *cli.Context) error {
-				return eachDesiredStateDo(c, func(state *state.HelmState, helm helmexec.Interface) []error {
-					args := args.GetArgs(c.String("args"), state)
-					if len(args) > 0 {
-						helm.SetExtraArgs(args...)
-					}
-					if c.GlobalString("helm-binary") != "" {
-						helm.SetHelmBinary(c.GlobalString("helm-binary"))
-					}
-
-					if c.Bool("sync-repos") {
-						if errs := state.SyncRepos(helm); errs != nil && len(errs) > 0 {
-							return errs
-						}
-					}
-
-					values := c.StringSlice("values")
-					workers := c.Int("concurrency")
-					detailedExitCode := c.Bool("detailed-exitcode")
-
-					return state.DiffReleases(helm, values, workers, detailedExitCode)
-				})
-			},
-		},
-		{
-			Name:  "lint",
-			Usage: "lint charts from state file (helm lint)",
-			Flags: []cli.Flag{
-				cli.StringFlag{
-					Name:  "args",
-					Value: "",
-					Usage: "pass args to helm exec",
-				},
-				cli.StringSliceFlag{
-					Name:  "values",
-					Usage: "additional value files to be merged into the command",
-				},
-				cli.IntFlag{
-					Name:  "concurrency",
-					Value: 0,
-					Usage: "maximum number of concurrent helm processes to run, 0 is unlimited",
-				},
-			},
-			Action: func(c *cli.Context) error {
-				return eachDesiredStateDo(c, func(state *state.HelmState, helm helmexec.Interface) []error {
-					args := args.GetArgs(c.String("args"), state)
-					if len(args) > 0 {
-						helm.SetExtraArgs(args...)
-					}
-					if c.GlobalString("helm-binary") != "" {
-						helm.SetHelmBinary(c.GlobalString("helm-binary"))
-					}
-
-					values := c.StringSlice("values")
-					workers := c.Int("concurrency")
-
-					return state.LintReleases(helm, values, workers)
-				})
-			},
-		},
-		{
-			Name:  "sync",
-			Usage: "sync all resources from state file (repos, releases and chart deps)",
-			Flags: []cli.Flag{
-				cli.StringSliceFlag{
-					Name:  "values",
-					Usage: "additional value files to be merged into the command",
-				},
-				cli.IntFlag{
-					Name:  "concurrency",
-					Value: 0,
-					Usage: "maximum number of concurrent helm processes to run, 0 is unlimited",
-				},
-				cli.StringFlag{
-					Name:  "args",
-					Value: "",
-					Usage: "pass args to helm exec",
-				},
-			},
-			Action: func(c *cli.Context) error {
-				return eachDesiredStateDo(c, func(state *state.HelmState, helm helmexec.Interface) []error {
-					if errs := state.SyncRepos(helm); errs != nil && len(errs) > 0 {
-						return errs
-					}
-
-					if errs := state.UpdateDeps(helm); errs != nil && len(errs) > 0 {
-						return errs
-					}
-
-					args := args.GetArgs(c.String("args"), state)
-					if len(args) > 0 {
-						helm.SetExtraArgs(args...)
-					}
-					if c.GlobalString("helm-binary") != "" {
-						helm.SetHelmBinary(c.GlobalString("helm-binary"))
-					}
-
-					values := c.StringSlice("values")
-					workers := c.Int("concurrency")
-
-					return state.SyncReleases(helm, values, workers)
-				})
-			},
-		},
-		{
-			Name:  "status",
-			Usage: "retrieve status of releases in state file",
-			Flags: []cli.Flag{
-				cli.IntFlag{
-					Name:  "concurrency",
-					Value: 0,
-					Usage: "maximum number of concurrent helm processes to run, 0 is unlimited",
-				},
-				cli.StringFlag{
-					Name:  "args",
-					Value: "",
-					Usage: "pass args to helm exec",
-				},
-			},
-			Action: func(c *cli.Context) error {
-				return eachDesiredStateDo(c, func(state *state.HelmState, helm helmexec.Interface) []error {
-					workers := c.Int("concurrency")
-
-					args := args.GetArgs(c.String("args"), state)
-					if len(args) > 0 {
-						helm.SetExtraArgs(args...)
-					}
-					if c.GlobalString("helm-binary") != "" {
-						helm.SetHelmBinary(c.GlobalString("helm-binary"))
-					}
-
-					return state.ReleaseStatuses(helm, workers)
-				})
-			},
-		},
-		{
-			Name:  "delete",
-			Usage: "delete releases from state file (helm delete)",
-			Flags: []cli.Flag{
-				cli.StringFlag{
-					Name:  "args",
-					Value: "",
-					Usage: "pass args to helm exec",
-				},
-				cli.BoolFlag{
-					Name:  "purge",
-					Usage: "purge releases i.e. free release names and histories",
-				},
-			},
-			Action: func(c *cli.Context) error {
-				return eachDesiredStateDo(c, func(state *state.HelmState, helm helmexec.Interface) []error {
-					purge := c.Bool("purge")
-
-					args := args.GetArgs(c.String("args"), state)
-					if len(args) > 0 {
-						helm.SetExtraArgs(args...)
-					}
-
-					if c.GlobalString("helm-binary") != "" {
-						helm.SetHelmBinary(c.GlobalString("helm-binary"))
-					}
-
-					return state.DeleteReleases(helm, purge)
-				})
-			},
-		},
-		{
-			Name:  "test",
-			Usage: "test releases from state file (helm test)",
-			Flags: []cli.Flag{
-				cli.BoolFlag{
-					Name:  "cleanup",
-					Usage: "delete test pods upon completion",
-				},
-				cli.StringFlag{
-					Name:  "args",
-					Value: "",
-					Usage: "pass additional args to helm exec",
-				},
-				cli.IntFlag{
-					Name:  "timeout",
-					Value: 300,
-					Usage: "maximum time for tests to run before being considered failed",
-				},
-			},
-			Action: func(c *cli.Context) error {
-				return eachDesiredStateDo(c, func(state *state.HelmState, helm helmexec.Interface) []error {
-					cleanup := c.Bool("cleanup")
-					timeout := c.Int("timeout")
-
-					args := args.GetArgs(c.String("args"), state)
-					if len(args) > 0 {
-						helm.SetExtraArgs(args...)
-					}
-					if c.GlobalString("helm-binary") != "" {
-						helm.SetHelmBinary(c.GlobalString("helm-binary"))
-					}
-
-					return state.TestReleases(helm, cleanup, timeout)
-				})
-			},
-		},
-	}
-
-	err := app.Run(os.Args)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "%v\n", err)
-		os.Exit(3)
-	}
-}
-
-func eachDesiredStateDo(c *cli.Context, converge func(*state.HelmState, helmexec.Interface) []error) error {
-	fileOrDirPath := c.GlobalString("file")
-	desiredStateFiles, err := findDesiredStateFiles(fileOrDirPath)
-	if err != nil {
-		return err
-	}
-	allSelectorNotMatched := true
-	for _, f := range desiredStateFiles {
-		yamlBuf, err := state.RenderTemplateFileToBuffer(f)
-		if err != nil {
-			return err
-		}
-		state, helm, noReleases, err := loadDesiredStateFromFile(
-			yamlBuf.Bytes(),
-			f,
-			c.GlobalString("kube-context"),
-			c.GlobalString("namespace"),
-			c.GlobalStringSlice("selector"),
-			c.App.Metadata["logger"].(*zap.SugaredLogger),
-		)
-		if err != nil {
-			return err
-		}
-		allSelectorNotMatched = allSelectorNotMatched && noReleases
-		if noReleases {
-			continue
-		}
-		errs := converge(state, helm)
-		if err := clean(state, errs); err != nil {
-			return err
-		}
-	}
-	if allSelectorNotMatched {
-		logger.Error("specified selector did not match any releases in any helmfile")
-		os.Exit(2)
-	}
-	return nil
-}
-
-func findDesiredStateFiles(specifiedPath string) ([]string, error) {
-	var helmfileDir string
-	if specifiedPath != "" {
-		if fileExistsAt(specifiedPath) {
-			return []string{specifiedPath}, nil
-		} else if directoryExistsAt(specifiedPath) {
-			helmfileDir = specifiedPath
-		} else {
-			return []string{}, fmt.Errorf("specified state file %s is not found", specifiedPath)
-		}
-	} else {
-		var defaultFile string
-		if fileExistsAt(DefaultHelmfile) {
-			defaultFile = DefaultHelmfile
-		} else if fileExistsAt(DeprecatedHelmfile) {
-			log.Printf(
-				"warn: %s is being loaded: %s is deprecated in favor of %s. See https://github.com/roboll/helmfile/issues/25 for more information",
-				DeprecatedHelmfile,
-				DeprecatedHelmfile,
-				DefaultHelmfile,
-			)
-			defaultFile = DeprecatedHelmfile
-		}
-
-		if directoryExistsAt(DefaultHelmfileDirectory) {
-			if defaultFile != "" {
-				return []string{}, fmt.Errorf("configuration conlict error: you can have either %s or %s, but not both", defaultFile, DefaultHelmfileDirectory)
-			}
-
-			helmfileDir = DefaultHelmfileDirectory
-		} else if defaultFile != "" {
-			return []string{defaultFile}, nil
-		} else {
-			return []string{}, fmt.Errorf("no state file found. It must be named %s/*.yaml, %s, or %s, or otherwise specified with the --file flag", DefaultHelmfileDirectory, DefaultHelmfile, DeprecatedHelmfile)
-		}
-	}
-
-	files, err := filepath.Glob(filepath.Join(helmfileDir, "*.yaml"))
-	if err != nil {
-		return []string{}, err
-	}
-	sort.Slice(files, func(i, j int) bool {
-		return files[i] < files[j]
-	})
-	return files, nil
-}
-
-func fileExistsAt(path string) bool {
-	fileInfo, err := os.Stat(path)
-	return err == nil && fileInfo.Mode().IsRegular()
-}
-
-func directoryExistsAt(path string) bool {
-	fileInfo, err := os.Stat(path)
-	return err == nil && fileInfo.Mode().IsDir()
-}
-
-func loadDesiredStateFromFile(yaml []byte, file string, kubeContext, namespace string, labels []string, logger *zap.SugaredLogger) (*state.HelmState, helmexec.Interface, bool, error) {
-	st, err := state.CreateFromYaml(yaml, file, logger)
-	if err != nil {
-		return nil, nil, false, fmt.Errorf("failed to read %s: %v", file, err)
-	}
-
-	if st.Context != "" {
-		if kubeContext != "" {
-			log.Printf("err: Cannot use option --kube-context and set attribute context.")
-			os.Exit(1)
-		}
-
-		kubeContext = st.Context
-	}
-	if namespace != "" {
-		if st.Namespace != "" {
-			log.Printf("err: Cannot use option --namespace and set attribute namespace.")
-			os.Exit(1)
-		}
-		st.Namespace = namespace
-	}
-
-	if len(labels) > 0 {
-		err = st.FilterReleases(labels)
-		if err != nil {
-			log.Print(err)
-			return nil, nil, true, nil
-		}
-	}
-
-	releaseNameCounts := map[string]int{}
-	for _, r := range st.Releases {
-		releaseNameCounts[r.Name] += 1
-	}
-	for name, c := range releaseNameCounts {
-		if c > 1 {
-			return nil, nil, false, fmt.Errorf("duplicate release \"%s\" found: there were %d releases named \"%s\" matching specified selector", name, c, name)
-		}
-	}
-
+	var sig os.Signal
 	sigs := make(chan os.Signal, 1)
-	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		sig := <-sigs
+	errChan := make(chan error, 1)

-		errs := []error{fmt.Errorf("Received [%s] to shutdown ", sig)}
-		clean(st, errs)
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+
+	go func() {
+		globalConfig := new(config.GlobalOptions)
+		rootCmd, err := cmd.NewRootCmd(globalConfig)
+		if err != nil {
+			errChan <- err
+			return
+		}
+
+		errChan <- rootCmd.Execute()
 	}()

-	return st, helmexec.New(logger, kubeContext), len(st.Releases) == 0, nil
-}
+	select {
+	case sig = <-sigs:
+		if sig != nil {
+			app.Cancel()
+			app.CleanWaitGroup.Wait()

-func clean(st *state.HelmState, errs []error) error {
-	if errs == nil {
-		errs = []error{}
-	}
-
-	cleanErrs := st.Clean()
-	if cleanErrs != nil {
-		errs = append(errs, cleanErrs...)
-	}
-
-	if errs != nil && len(errs) > 0 {
-		for _, err := range errs {
-			switch e := err.(type) {
-			case *state.ReleaseError:
-				fmt.Printf("err: release \"%s\" in \"%s\" failed: %v\n", e.Name, st.FilePath, e)
-			default:
-				fmt.Printf("err: %v\n", e)
+			// See http://tldp.org/LDP/abs/html/exitcodes.html
+			switch sig {
+			case syscall.SIGINT:
+				os.Exit(130)
+			case syscall.SIGTERM:
+				os.Exit(143)
 			}
 		}
-		switch e := errs[0].(type) {
-		case *exec.ExitError:
-			// Propagate any non-zero exit status from the external command like `helm` that is failed under the hood
-			status := e.Sys().(syscall.WaitStatus)
-			os.Exit(status.ExitStatus())
-		default:
-			os.Exit(1)
-		}
+	case err := <-errChan:
+		errors.HandleExitCoder(err)
 	}
-	return nil
 }
--- a/main_test.go
+++ b/main_test.go
@ -1,26 +0,0 @@
-package main
-
-import "testing"
-
-// See https://github.com/roboll/helmfile/issues/193
-func TestReadFromYaml_DuplicateReleaseName(t *testing.T) {
-	yamlFile := "example/path/to/yaml/file"
-	yamlContent := []byte(`releases:
- name: myrelease1
-  chart: mychart1
-  labels:
-    stage: pre
-    foo: bar
- name: myrelease1
-  chart: mychart2
-  labels:
-    stage: post
-`)
-	_, _, _, err := loadDesiredStateFromFile(yamlContent, yamlFile, "default", "default", []string{}, logger)
-	if err == nil {
-		t.Error("error expected but not happened")
-	}
-	if err.Error() != "duplicate release \"myrelease1\" found: there were 2 releases named \"myrelease1\" matching specified selector" {
-		t.Errorf("unexpected error happened: %v", err)
-	}
-}
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -0,0 +1,57 @@
+# Test this locally with:
+#   $ docker run --rm -it -v $(pwd):$(pwd) --workdir $(pwd) python:3 bash
+#   # pip install -r docs/requirements.txt
+#   # mkdocs serve
+#   # mkdocs build
+#   $ ls -lah site/
+site_name: helmfile
+site_author: Helmfile Authors
+
+repo_name: helmfile/helmfile/
+repo_url: https://github.com/helmfile/helmfile/
+edit_uri: ''
+
+docs_dir: docs
+
+nav:
+  - Home: index.md
+  - Getting Started:
+    - Paths Overview: paths.md
+    - Templating Funcs: templating_funcs.md
+    - HCL Funcs: hcl_funcs.md
+    - Built-in Objects: builtin-objects.md
+  - Advanced Features:
+    - Best Practices Guide: writing-helmfile.md
+    - Advanced Features: advanced-features.md
+    - Secrets: remote-secrets.md
+    - Shared Configuration Across Teams: shared-configuration-across-teams.md
+  - Experimental Features: experimental-features.md
+  - About:
+    - Users: users.md
+    - License: license.md
+    - Contributing: contributing.md
+
+theme:
+  name: readthedocs
+  features:
+    - navigation.tabs
+  collapse_navigation: false
+  hljs_languages:
+    - yaml
+    - dockerfile
+
+markdown_extensions:
+  # meta, toc, table and fenced_code extensions are included by default
+  - extra
+  - admonition
+  - smarty
+  - sane_lists
+  - nl2br
+  - toc:
+      permalink: true
+
+plugins:
+  - search
+  - git-revision-date-localized:
+      type: date
+      fallback_to_build_date: true
--- a/pkg/app/app.go
+++ b/pkg/app/app.go
--- a/pkg/app/app_apply_hooks_test.go
+++ b/pkg/app/app_apply_hooks_test.go
@ -0,0 +1,455 @@
+package app
+
+import (
+	"sync"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/helmfile/vals"
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/zap"
+
+	"github.com/helmfile/helmfile/pkg/exectest"
+	"github.com/helmfile/helmfile/pkg/helmexec"
+)
+
+func TestApply_hooks(t *testing.T) {
+	type fields struct {
+		skipNeeds              bool
+		includeNeeds           bool
+		includeTransitiveNeeds bool
+	}
+
+	type testcase struct {
+		fields            fields
+		ns                string
+		concurrency       int
+		skipDiffOnInstall bool
+		error             string
+		files             map[string]string
+		selectors         []string
+		lists             map[exectest.ListKey]string
+		diffs             map[exectest.DiffKey]error
+		upgraded          []exectest.Release
+		deleted           []exectest.Release
+		log               string
+		logLevel          string
+	}
+
+	check := func(t *testing.T, tc testcase) {
+		t.Helper()
+
+		wantUpgrades := tc.upgraded
+		wantDeletes := tc.deleted
+
+		var helm = &exectest.Helm{
+			FailOnUnexpectedList: true,
+			FailOnUnexpectedDiff: true,
+			Lists:                tc.lists,
+			Diffs:                tc.diffs,
+			DiffMutex:            &sync.Mutex{},
+			ChartsMutex:          &sync.Mutex{},
+			ReleasesMutex:        &sync.Mutex{},
+			Helm3:                true,
+		}
+
+		bs := runWithLogCapture(t, tc.logLevel, func(t *testing.T, logger *zap.SugaredLogger) {
+			t.Helper()
+
+			valsRuntime, err := vals.New(vals.Options{CacheSize: 32})
+			if err != nil {
+				t.Errorf("unexpected error creating vals runtime: %v", err)
+			}
+
+			app := appWithFs(&App{
+				OverrideHelmBinary:  DefaultHelmBinary,
+				OverrideKubeContext: "default",
+				Env:                 "default",
+				Logger:              logger,
+				helms: map[helmKey]helmexec.Interface{
+					createHelmKey("helm", "default"): helm,
+				},
+				valsRuntime: valsRuntime,
+			}, tc.files)
+
+			if tc.ns != "" {
+				app.Namespace = tc.ns
+			}
+
+			if tc.selectors != nil {
+				app.Selectors = tc.selectors
+			}
+
+			syncErr := app.Apply(applyConfig{
+				// if we check log output, concurrency must be 1. otherwise the test becomes non-deterministic.
+				concurrency:            tc.concurrency,
+				logger:                 logger,
+				skipDiffOnInstall:      tc.skipDiffOnInstall,
+				skipNeeds:              tc.fields.skipNeeds,
+				includeNeeds:           tc.fields.includeNeeds,
+				includeTransitiveNeeds: tc.fields.includeTransitiveNeeds,
+			})
+
+			var gotErr string
+			if syncErr != nil {
+				gotErr = syncErr.Error()
+			}
+
+			if d := cmp.Diff(tc.error, gotErr); d != "" {
+				t.Fatalf("unexpected error: want (-), got (+): %s", d)
+			}
+
+			if len(wantUpgrades) > len(helm.Releases) {
+				t.Fatalf("insufficient number of upgrades: got %d, want %d", len(helm.Releases), len(wantUpgrades))
+			}
+
+			for relIdx := range wantUpgrades {
+				if wantUpgrades[relIdx].Name != helm.Releases[relIdx].Name {
+					t.Errorf("releases[%d].name: got %q, want %q", relIdx, helm.Releases[relIdx].Name, wantUpgrades[relIdx].Name)
+				}
+				for flagIdx := range wantUpgrades[relIdx].Flags {
+					if wantUpgrades[relIdx].Flags[flagIdx] != helm.Releases[relIdx].Flags[flagIdx] {
+						t.Errorf("releases[%d].flags[%d]: got %v, want %v", relIdx, flagIdx, helm.Releases[relIdx].Flags[flagIdx], wantUpgrades[relIdx].Flags[flagIdx])
+					}
+				}
+			}
+
+			if len(wantDeletes) > len(helm.Deleted) {
+				t.Fatalf("insufficient number of deletes: got %d, want %d", len(helm.Deleted), len(wantDeletes))
+			}
+
+			for relIdx := range wantDeletes {
+				if wantDeletes[relIdx].Name != helm.Deleted[relIdx].Name {
+					t.Errorf("releases[%d].name: got %q, want %q", relIdx, helm.Deleted[relIdx].Name, wantDeletes[relIdx].Name)
+				}
+				for flagIdx := range wantDeletes[relIdx].Flags {
+					if wantDeletes[relIdx].Flags[flagIdx] != helm.Deleted[relIdx].Flags[flagIdx] {
+						t.Errorf("releaes[%d].flags[%d]: got %v, want %v", relIdx, flagIdx, helm.Deleted[relIdx].Flags[flagIdx], wantDeletes[relIdx].Flags[flagIdx])
+					}
+				}
+			}
+		})
+
+		if tc.log != "" {
+			actual := bs.String()
+
+			assert.Equal(t, tc.log, actual)
+		} else {
+			assertLogEqualsToSnapshot(t, bs.String())
+		}
+	}
+
+	t.Run("apply release with preapply hook", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["preapply"]
+    command: echo
+    showlogs: true
+    args: ["foo"]
+`,
+			},
+			selectors: []string{"name=foo"},
+			upgraded: []exectest.Release{
+				{Name: "foo"},
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+			logLevel:    "info",
+		})
+	})
+
+	t.Run("apply release with preapply hook", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["prepare", "preapply", "presync"]
+    command: echo
+    showlogs: true
+    args: ["foo"]
+`,
+			},
+			selectors: []string{"name=foo"},
+			upgraded: []exectest.Release{
+				{Name: "foo"},
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+			logLevel:    "info",
+		})
+	})
+
+	t.Run("apply release with preapply hook", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["presync"]
+    command: echo
+    showlogs: true
+    args: ["foo"]
+`,
+			},
+			selectors: []string{"name=foo"},
+			upgraded: []exectest.Release{
+				{Name: "foo"},
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+			logLevel:    "info",
+		})
+	})
+
+	t.Run("hooks for no-diff release", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  # only prepare and cleanup are run
+  - events: ["prepare", "preapply", "presync", "cleanup"]
+    command: echo
+    showlogs: true
+    args: ["foo"]
+`,
+			},
+			selectors: []string{"app=test"},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: nil,
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+			logLevel:    "info",
+		})
+	})
+
+	t.Run("hooks are run on enabled release", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+values:
+- bar:
+    enabled: true
+
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["prepare", "preapply", "presync"]
+    command: echo
+    showlogs: true
+    args: ["foo"]
+- name: bar
+  condition: bar.enabled
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["prepare", "preapply", "presync"]
+    command: echo
+    showlogs: true
+    args: ["bar"]
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded: []exectest.Release{
+				{Name: "foo"},
+				{Name: "bar"},
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "bar", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+			logLevel:    "info",
+		})
+	})
+
+	t.Run("hooks are not run on disabled release", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+values:
+- bar:
+    enabled: false
+
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["prepare", "preapply", "presync"]
+    command: echo
+    showlogs: true
+    args: ["foo"]
+- name: bar
+  condition: bar.enabled
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["prepare", "preapply", "presync"]
+    command: echo
+    showlogs: true
+    args: ["bar"]
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded: []exectest.Release{
+				{Name: "foo"},
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+			logLevel:    "info",
+		})
+	})
+
+	t.Run("hooks are run on to-be-uninstalled release", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["prepare", "preapply", "presync"]
+    command: echo
+    showlogs: true
+    args: ["foo"]
+- name: bar
+  installed: false
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["prepare", "preapply", "presync"]
+    command: echo
+    showlogs: true
+    args: ["bar"]
+`,
+			},
+			selectors: []string{"app=test"},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^foo$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+foo 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^bar$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+bar 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			upgraded: []exectest.Release{
+				{Name: "foo"},
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+			logLevel:    "info",
+		})
+	})
+
+	t.Run("hooks are not run on alreadyd uninstalled release", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["prepare", "preapply", "presync"]
+    command: echo
+    showlogs: true
+    args: ["foo"]
+- name: bar
+  installed: false
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  hooks:
+  - events: ["prepare", "preapply", "presync"]
+    command: echo
+    showlogs: true
+    args: ["bar"]
+`,
+			},
+			selectors: []string{"app=test"},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^foo$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+foo 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^bar$", Flags: listFlags("default", "default")}: ``,
+			},
+			upgraded: []exectest.Release{
+				{Name: "foo"},
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+			logLevel:    "info",
+		})
+	})
+}
--- a/pkg/app/app_apply_nokubectx_test.go
+++ b/pkg/app/app_apply_nokubectx_test.go
@ -0,0 +1,499 @@
+package app
+
+import (
+	"sync"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/helmfile/vals"
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/zap"
+
+	"github.com/helmfile/helmfile/pkg/exectest"
+	"github.com/helmfile/helmfile/pkg/filesystem"
+	"github.com/helmfile/helmfile/pkg/helmexec"
+)
+
+func TestApply_3(t *testing.T) {
+	type fields struct {
+		skipNeeds              bool
+		includeNeeds           bool
+		includeTransitiveNeeds bool
+	}
+
+	type testcase struct {
+		fields            fields
+		ns                string
+		concurrency       int
+		skipDiffOnInstall bool
+		error             string
+		files             map[string]string
+		selectors         []string
+		lists             map[exectest.ListKey]string
+		diffs             map[exectest.DiffKey]error
+		upgraded          []exectest.Release
+		deleted           []exectest.Release
+		log               string
+	}
+
+	check := func(t *testing.T, tc testcase) {
+		t.Helper()
+
+		wantUpgrades := tc.upgraded
+		wantDeletes := tc.deleted
+
+		var helm = &exectest.Helm{
+			FailOnUnexpectedList: true,
+			FailOnUnexpectedDiff: true,
+			Lists:                tc.lists,
+			Diffs:                tc.diffs,
+			DiffMutex:            &sync.Mutex{},
+			ChartsMutex:          &sync.Mutex{},
+			ReleasesMutex:        &sync.Mutex{},
+			Helm3:                true,
+		}
+
+		bs := runWithLogCapture(t, "debug", func(t *testing.T, logger *zap.SugaredLogger) {
+			t.Helper()
+
+			valsRuntime, err := vals.New(vals.Options{CacheSize: 32})
+			if err != nil {
+				t.Errorf("unexpected error creating vals runtime: %v", err)
+			}
+
+			app := appWithFs(&App{
+				OverrideHelmBinary:  DefaultHelmBinary,
+				fs:                  filesystem.DefaultFileSystem(),
+				OverrideKubeContext: "",
+				Env:                 "default",
+				Logger:              logger,
+				helms: map[helmKey]helmexec.Interface{
+					createHelmKey("helm", ""): helm,
+				},
+				valsRuntime: valsRuntime,
+			}, tc.files)
+
+			if tc.ns != "" {
+				app.Namespace = tc.ns
+			}
+
+			if tc.selectors != nil {
+				app.Selectors = tc.selectors
+			}
+
+			syncErr := app.Apply(applyConfig{
+				// if we check log output, concurrency must be 1. otherwise the test becomes non-deterministic.
+				concurrency:            tc.concurrency,
+				logger:                 logger,
+				skipDiffOnInstall:      tc.skipDiffOnInstall,
+				skipNeeds:              tc.fields.skipNeeds,
+				includeNeeds:           tc.fields.includeNeeds,
+				includeTransitiveNeeds: tc.fields.includeTransitiveNeeds,
+			})
+
+			var gotErr string
+			if syncErr != nil {
+				gotErr = syncErr.Error()
+			}
+
+			if d := cmp.Diff(tc.error, gotErr); d != "" {
+				t.Fatalf("unexpected error: want (-), got (+): %s", d)
+			}
+
+			if len(wantUpgrades) > len(helm.Releases) {
+				t.Fatalf("insufficient number of upgrades: got %d, want %d", len(helm.Releases), len(wantUpgrades))
+			}
+
+			for relIdx := range wantUpgrades {
+				if wantUpgrades[relIdx].Name != helm.Releases[relIdx].Name {
+					t.Errorf("releases[%d].name: got %q, want %q", relIdx, helm.Releases[relIdx].Name, wantUpgrades[relIdx].Name)
+				}
+				for flagIdx := range wantUpgrades[relIdx].Flags {
+					if wantUpgrades[relIdx].Flags[flagIdx] != helm.Releases[relIdx].Flags[flagIdx] {
+						t.Errorf("releaes[%d].flags[%d]: got %v, want %v", relIdx, flagIdx, helm.Releases[relIdx].Flags[flagIdx], wantUpgrades[relIdx].Flags[flagIdx])
+					}
+				}
+			}
+
+			if len(wantDeletes) > len(helm.Deleted) {
+				t.Fatalf("insufficient number of deletes: got %d, want %d", len(helm.Deleted), len(wantDeletes))
+			}
+
+			for relIdx := range wantDeletes {
+				if wantDeletes[relIdx].Name != helm.Deleted[relIdx].Name {
+					t.Errorf("releases[%d].name: got %q, want %q", relIdx, helm.Deleted[relIdx].Name, wantDeletes[relIdx].Name)
+				}
+				for flagIdx := range wantDeletes[relIdx].Flags {
+					if wantDeletes[relIdx].Flags[flagIdx] != helm.Deleted[relIdx].Flags[flagIdx] {
+						t.Errorf("releaes[%d].flags[%d]: got %v, want %v", relIdx, flagIdx, helm.Deleted[relIdx].Flags[flagIdx], wantDeletes[relIdx].Flags[flagIdx])
+					}
+				}
+			}
+		})
+
+		if tc.log != "" {
+			actual := bs.String()
+
+			assert.Equal(t, tc.log, actual)
+		} else {
+			assertLogEqualsToSnapshot(t, bs.String())
+		}
+	}
+
+	t.Run("skip-needs=true", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds: true,
+			},
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded: []exectest.Release{
+				{Name: "external-secrets", Flags: []string{"--namespace", "default"}},
+				{Name: "my-release", Flags: []string{"--namespace", "default"}},
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}:       helmexec.ExitError{Code: 2},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^external-secrets$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=true with no diff on a release", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds: true,
+			},
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded: []exectest.Release{
+				{Name: "external-secrets", Flags: []string{"--namespace", "default"}},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^external-secrets$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+^external-secrets$ 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}:       nil,
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=false include-needs=true", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error: ``,
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded:  []exectest.Release{},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "kubernetes-external-secrets", Chart: "incubator/raw", Flags: "--namespace kube-system --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}:                helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}:                      helmexec.ExitError{Code: 2},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^kubernetes-external-secrets$", Flags: listFlags("kube-system", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+kubernetes-external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^external-secrets$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=false include-needs=true but no diff on needed release", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error: ``,
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded:  []exectest.Release{},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "kubernetes-external-secrets", Chart: "incubator/raw", Flags: "--namespace kube-system --reset-values --detailed-exitcode"}: nil,
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}:                helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}:                      helmexec.ExitError{Code: 2},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^external-secrets$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=false include-needs=true with installed but disabled release", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error: ``,
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+  installed: false
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded:  []exectest.Release{},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^kubernetes-external-secrets$", Flags: listFlags("kube-system", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+				kubernetes-external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^external-secrets$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}:       helmexec.ExitError{Code: 2},
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=false include-needs=true with not installed and disabled release", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error: ``,
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+  installed: false
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded:  []exectest.Release{},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^kubernetes-external-secrets$", Flags: listFlags("kube-system", "")}: ``,
+				{Filter: "^external-secrets$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--namespace default --reset-values --detailed-exitcode"}:       helmexec.ExitError{Code: 2},
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("bad --selector", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test_non_existent"},
+			upgraded:  []exectest.Release{},
+			error:     "err: no releases found that matches specified selector(app=test_non_existent) and environment(default), in any helmfile",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+}
--- a/pkg/app/app_apply_test.go
+++ b/pkg/app/app_apply_test.go
@ -0,0 +1,656 @@
+package app
+
+import (
+	"sync"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/helmfile/vals"
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/zap"
+
+	"github.com/helmfile/helmfile/pkg/exectest"
+	"github.com/helmfile/helmfile/pkg/filesystem"
+	"github.com/helmfile/helmfile/pkg/helmexec"
+)
+
+func TestApply_2(t *testing.T) {
+	type fields struct {
+		skipNeeds              bool
+		includeNeeds           bool
+		includeTransitiveNeeds bool
+	}
+
+	type testcase struct {
+		fields            fields
+		ns                string
+		concurrency       int
+		skipDiffOnInstall bool
+		error             string
+		files             map[string]string
+		selectors         []string
+		lists             map[exectest.ListKey]string
+		diffs             map[exectest.DiffKey]error
+		upgraded          []exectest.Release
+		deleted           []exectest.Release
+		log               string
+	}
+
+	check := func(t *testing.T, tc testcase) {
+		t.Helper()
+
+		wantUpgrades := tc.upgraded
+		wantDeletes := tc.deleted
+
+		var helm = &exectest.Helm{
+			FailOnUnexpectedList: true,
+			FailOnUnexpectedDiff: true,
+			Lists:                tc.lists,
+			Diffs:                tc.diffs,
+			DiffMutex:            &sync.Mutex{},
+			ChartsMutex:          &sync.Mutex{},
+			ReleasesMutex:        &sync.Mutex{},
+			Helm3:                true,
+		}
+
+		bs := runWithLogCapture(t, "debug", func(t *testing.T, logger *zap.SugaredLogger) {
+			t.Helper()
+
+			valsRuntime, err := vals.New(vals.Options{CacheSize: 32})
+			if err != nil {
+				t.Errorf("unexpected error creating vals runtime: %v", err)
+			}
+
+			app := appWithFs(&App{
+				OverrideHelmBinary:  DefaultHelmBinary,
+				fs:                  filesystem.DefaultFileSystem(),
+				OverrideKubeContext: "default",
+				Env:                 "default",
+				Logger:              logger,
+				helms: map[helmKey]helmexec.Interface{
+					createHelmKey("helm", "default"): helm,
+				},
+				valsRuntime: valsRuntime,
+			}, tc.files)
+
+			if tc.ns != "" {
+				app.Namespace = tc.ns
+			}
+
+			if tc.selectors != nil {
+				app.Selectors = tc.selectors
+			}
+
+			syncErr := app.Apply(applyConfig{
+				// if we check log output, concurrency must be 1. otherwise the test becomes non-deterministic.
+				concurrency:            tc.concurrency,
+				logger:                 logger,
+				skipDiffOnInstall:      tc.skipDiffOnInstall,
+				skipNeeds:              tc.fields.skipNeeds,
+				includeNeeds:           tc.fields.includeNeeds,
+				includeTransitiveNeeds: tc.fields.includeTransitiveNeeds,
+			})
+
+			var gotErr string
+			if syncErr != nil {
+				gotErr = syncErr.Error()
+			}
+
+			if d := cmp.Diff(tc.error, gotErr); d != "" {
+				t.Fatalf("unexpected error: want (-), got (+): %s", d)
+			}
+
+			if len(wantUpgrades) > len(helm.Releases) {
+				t.Fatalf("insufficient number of upgrades: got %d, want %d", len(helm.Releases), len(wantUpgrades))
+			}
+
+			for relIdx := range wantUpgrades {
+				if wantUpgrades[relIdx].Name != helm.Releases[relIdx].Name {
+					t.Errorf("releases[%d].name: got %q, want %q", relIdx, helm.Releases[relIdx].Name, wantUpgrades[relIdx].Name)
+				}
+				for flagIdx := range wantUpgrades[relIdx].Flags {
+					if wantUpgrades[relIdx].Flags[flagIdx] != helm.Releases[relIdx].Flags[flagIdx] {
+						t.Errorf("releases[%d].flags[%d]: got %v, want %v", relIdx, flagIdx, helm.Releases[relIdx].Flags[flagIdx], wantUpgrades[relIdx].Flags[flagIdx])
+					}
+				}
+			}
+
+			if len(wantDeletes) > len(helm.Deleted) {
+				t.Fatalf("insufficient number of deletes: got %d, want %d", len(helm.Deleted), len(wantDeletes))
+			}
+
+			for relIdx := range wantDeletes {
+				if wantDeletes[relIdx].Name != helm.Deleted[relIdx].Name {
+					t.Errorf("releases[%d].name: got %q, want %q", relIdx, helm.Deleted[relIdx].Name, wantDeletes[relIdx].Name)
+				}
+				for flagIdx := range wantDeletes[relIdx].Flags {
+					if wantDeletes[relIdx].Flags[flagIdx] != helm.Deleted[relIdx].Flags[flagIdx] {
+						t.Errorf("releaes[%d].flags[%d]: got %v, want %v", relIdx, flagIdx, helm.Deleted[relIdx].Flags[flagIdx], wantDeletes[relIdx].Flags[flagIdx])
+					}
+				}
+			}
+		})
+
+		if tc.log != "" {
+			actual := bs.String()
+
+			assert.Equal(t, tc.log, actual)
+		} else {
+			assertLogEqualsToSnapshot(t, bs.String())
+		}
+	}
+
+	t.Run("skip-needs=true", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds: true,
+			},
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded: []exectest.Release{
+				{Name: "external-secrets", Flags: []string{"--kube-context", "default", "--namespace", "default"}},
+				{Name: "my-release", Flags: []string{"--kube-context", "default", "--namespace", "default"}},
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}:       helmexec.ExitError{Code: 2},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^external-secrets$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=true with no diff on a release", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds: true,
+			},
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded: []exectest.Release{
+				{Name: "external-secrets", Flags: []string{"--kube-context", "default", "--namespace", "default"}},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^external-secrets$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+^external-secrets$ 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}:       nil,
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=false include-needs=true", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error: ``,
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded:  []exectest.Release{},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "kubernetes-external-secrets", Chart: "incubator/raw", Flags: "--kube-context default --namespace kube-system --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}:                helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}:                      helmexec.ExitError{Code: 2},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^kubernetes-external-secrets$", Flags: listFlags("kube-system", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+kubernetes-external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^external-secrets$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=false include-needs=true but no diff on needed release", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error: ``,
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded:  []exectest.Release{},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "kubernetes-external-secrets", Chart: "incubator/raw", Flags: "--kube-context default --namespace kube-system --reset-values --detailed-exitcode"}: nil,
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}:                helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}:                      helmexec.ExitError{Code: 2},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^external-secrets$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=false include-needs=true with installed but disabled release", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error: ``,
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+  installed: false
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded:  []exectest.Release{},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^kubernetes-external-secrets$", Flags: listFlags("kube-system", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+kubernetes-external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+				`,
+				{Filter: "^external-secrets$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}:       helmexec.ExitError{Code: 2},
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("skip-needs=false include-needs=true with not installed and disabled release", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error: ``,
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+  installed: false
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test"},
+			upgraded:  []exectest.Release{},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^kubernetes-external-secrets$", Flags: listFlags("kube-system", "default")}: ``,
+				{Filter: "^external-secrets$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+external-secrets 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+				{Filter: "^my-release$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+my-release 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "external-secrets", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "my-release", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}:       helmexec.ExitError{Code: 2},
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("include-transitive-needs=true", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:              false,
+				includeNeeds:           true,
+				includeTransitiveNeeds: true,
+			},
+			error: ``,
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: serviceA
+  chart: my/chart
+  needs:
+  - serviceB
+
+- name: serviceB
+  chart: my/chart
+  needs:
+  - serviceC
+
+- name: serviceC
+  chart: my/chart
+
+- name: serviceD
+  chart: my/chart
+`,
+			},
+			selectors: []string{"name=serviceA"},
+			upgraded:  []exectest.Release{},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "serviceA", Chart: "my/chart", Flags: "--kube-context default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "serviceB", Chart: "my/chart", Flags: "--kube-context default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+				{Name: "serviceC", Chart: "my/chart", Flags: "--kube-context default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^serviceA$", Flags: listFlags("", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+serviceA 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	chart-3.1.0	3.1.0      	default
+`,
+				{Filter: "^serviceB$", Flags: listFlags("", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+serviceB 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	chart-3.1.0	3.1.0      	default
+`,
+				{Filter: "^serviceC$", Flags: listFlags("", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+serviceC 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	chart-3.1.0	3.1.0      	default
+`,
+			},
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("bad --selector", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml.gotmpl": `
+{{ $mark := "a" }}
+
+releases:
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+`,
+			},
+			selectors: []string{"app=test_non_existent"},
+			upgraded:  []exectest.Release{},
+			error:     "err: no releases found that matches specified selector(app=test_non_existent) and environment(default), in any helmfile",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("deduplicate by --selector", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+    component: raw
+    index: '1'
+
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+    component: raw
+    index: '2'
+`,
+			},
+			selectors: []string{"index=1"},
+			upgraded:  []exectest.Release{},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^foo$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+foo 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+				`,
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("select non existent release with --allow-no-matching-release", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+
+- name: bar
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+`,
+			},
+			selectors: []string{"app=foo"},
+			upgraded:  []exectest.Release{},
+			error:     "err: no releases found that matches specified selector(app=foo) and environment(default), in any helmfile",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+
+	t.Run("select single release from helmfile with two duplicates", func(t *testing.T) {
+		check(t, testcase{
+			files: map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: foo
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+
+- name: bar
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: build
+
+- name: bar
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+`,
+			},
+			selectors: []string{"name=foo"},
+			upgraded:  []exectest.Release{},
+			diffs: map[exectest.DiffKey]error{
+				{Name: "foo", Chart: "incubator/raw", Flags: "--kube-context default --namespace default --reset-values --detailed-exitcode"}: helmexec.ExitError{Code: 2},
+			},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^foo$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+foo 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+				`,
+			},
+			error: "",
+			// as we check for log output, set concurrency to 1 to avoid non-deterministic test result
+			concurrency: 1,
+		})
+	})
+}
--- a/pkg/app/app_diff_test.go
+++ b/pkg/app/app_diff_test.go
@ -0,0 +1,442 @@
+package app
+
+import (
+	"sync"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/helmfile/vals"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+
+	"github.com/helmfile/helmfile/pkg/exectest"
+	"github.com/helmfile/helmfile/pkg/filesystem"
+	"github.com/helmfile/helmfile/pkg/helmexec"
+	"github.com/helmfile/helmfile/pkg/testhelper"
+)
+
+func TestDiffWithNeeds(t *testing.T) {
+	type fields struct {
+		skipNeeds              bool
+		includeNeeds           bool
+		includeTransitiveNeeds bool
+		noHooks                bool
+	}
+
+	type testcase struct {
+		fields    fields
+		ns        string
+		error     string
+		selectors []string
+		diffed    []exectest.Release
+	}
+
+	check := func(t *testing.T, tc testcase) {
+		t.Helper()
+
+		wantDiffs := tc.diffed
+
+		var helm = &exectest.Helm{
+			FailOnUnexpectedList: true,
+			FailOnUnexpectedDiff: true,
+			DiffMutex:            &sync.Mutex{},
+			ChartsMutex:          &sync.Mutex{},
+			ReleasesMutex:        &sync.Mutex{},
+			Helm3:                true,
+		}
+
+		bs := runWithLogCapture(t, "debug", func(t *testing.T, logger *zap.SugaredLogger) {
+			t.Helper()
+
+			valsRuntime, err := vals.New(vals.Options{CacheSize: 32})
+			if err != nil {
+				t.Errorf("unexpected error creating vals runtime: %v", err)
+			}
+
+			files := map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: logging
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+  needs:
+  - kube-system/logging
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+
+
+# Disabled releases are treated as missing
+- name: disabled
+  chart: incubator/raw
+  namespace: kube-system
+  installed: false
+
+- name: test2
+  chart: incubator/raw
+  needs:
+  - kube-system/disabled
+
+- name: test3
+  chart: incubator/raw
+  needs:
+  - test2
+`,
+			}
+
+			app := appWithFs(&App{
+				OverrideHelmBinary:  DefaultHelmBinary,
+				fs:                  filesystem.DefaultFileSystem(),
+				OverrideKubeContext: "default",
+				Env:                 "default",
+				Logger:              logger,
+				helms: map[helmKey]helmexec.Interface{
+					createHelmKey("helm", "default"): helm,
+				},
+				valsRuntime: valsRuntime,
+			}, files)
+
+			if tc.ns != "" {
+				app.Namespace = tc.ns
+			}
+
+			if tc.selectors != nil {
+				app.Selectors = tc.selectors
+			}
+
+			diffErr := app.Diff(applyConfig{
+				// if we check log output, concurrency must be 1. otherwise the test becomes non-deterministic.
+				concurrency:            1,
+				logger:                 logger,
+				skipNeeds:              tc.fields.skipNeeds,
+				includeNeeds:           tc.fields.includeNeeds,
+				includeTransitiveNeeds: tc.fields.includeTransitiveNeeds,
+				noHooks:                tc.fields.noHooks,
+			})
+
+			var gotErr string
+			if diffErr != nil {
+				gotErr = diffErr.Error()
+			}
+
+			if d := cmp.Diff(tc.error, gotErr); d != "" {
+				t.Fatalf("unexpected error: want (-), got (+): %s", d)
+			}
+
+			require.Equal(t, wantDiffs, helm.Diffed)
+		})
+
+		testhelper.RequireLog(t, "app_diff_test", bs)
+	}
+
+	t.Run("fail on unselected need by default", func(t *testing.T) {
+		check(t, testcase{
+			selectors: []string{"app=test"},
+			error:     `in ./helmfile.yaml: release "default/default/external-secrets" depends on "default/kube-system/kubernetes-external-secrets" which does not match the selectors. Please add a selector like "--selector name=kubernetes-external-secrets", or indicate whether to skip (--skip-needs) or include (--include-needs) these dependencies`,
+		})
+	})
+
+	t.Run("skip-needs", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds: true,
+			},
+			selectors: []string{"app=test"},
+			diffed: []exectest.Release{
+				{Name: "external-secrets", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values"}},
+				{Name: "my-release", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values"}},
+			},
+		})
+	})
+
+	t.Run("include-needs", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error:     ``,
+			selectors: []string{"app=test"},
+			diffed: []exectest.Release{
+				// TODO: Turned out we can't differentiate needs vs transitive needs in this case :thinking:
+				{Name: "logging", Flags: []string{"--kube-context", "default", "--namespace", "kube-system", "--reset-values"}},
+				{Name: "kubernetes-external-secrets", Flags: []string{"--kube-context", "default", "--namespace", "kube-system", "--reset-values"}},
+				{Name: "external-secrets", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values"}},
+				{Name: "my-release", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values"}},
+			},
+		})
+	})
+
+	t.Run("include-transitive-needs", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:              false,
+				includeTransitiveNeeds: true,
+			},
+			error:     ``,
+			selectors: []string{"app=test"},
+			diffed: []exectest.Release{
+				{Name: "logging", Flags: []string{"--kube-context", "default", "--namespace", "kube-system", "--reset-values"}},
+				{Name: "kubernetes-external-secrets", Flags: []string{"--kube-context", "default", "--namespace", "kube-system", "--reset-values"}},
+				{Name: "external-secrets", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values"}},
+				{Name: "my-release", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values"}},
+			},
+		})
+	})
+
+	t.Run("include-needs should not fail on disabled direct need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			selectors: []string{"name=test2"},
+			diffed: []exectest.Release{
+				{Name: "test2", Flags: []string{"--kube-context", "default", "--reset-values"}},
+			},
+		})
+	})
+
+	t.Run("include-needs should not fail on disabled transitive need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			selectors: []string{"name=test3"},
+			diffed: []exectest.Release{
+				{Name: "test2", Flags: []string{"--kube-context", "default", "--reset-values"}},
+				{Name: "test3", Flags: []string{"--kube-context", "default", "--reset-values"}},
+			},
+		})
+	})
+
+	t.Run("include-transitive-needs should not fail on disabled transitive need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:              false,
+				includeNeeds:           false,
+				includeTransitiveNeeds: true,
+			},
+			selectors: []string{"name=test3"},
+			diffed: []exectest.Release{
+				{Name: "test2", Flags: []string{"--kube-context", "default", "--reset-values"}},
+				{Name: "test3", Flags: []string{"--kube-context", "default", "--reset-values"}},
+			},
+		})
+	})
+
+	t.Run("include-needs with include-transitive-needs should not fail on disabled direct need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:              false,
+				includeNeeds:           true,
+				includeTransitiveNeeds: true,
+			},
+			selectors: []string{"name=test2"},
+			diffed: []exectest.Release{
+				{Name: "test2", Flags: []string{"--kube-context", "default", "--reset-values"}},
+			},
+		})
+	})
+
+	t.Run("include-needs with include-transitive-needs should not fail on disabled transitive need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:              false,
+				includeNeeds:           true,
+				includeTransitiveNeeds: true,
+			},
+			selectors: []string{"name=test3"},
+			diffed: []exectest.Release{
+				{Name: "test2", Flags: []string{"--kube-context", "default", "--reset-values"}},
+				{Name: "test3", Flags: []string{"--kube-context", "default", "--reset-values"}},
+			},
+		})
+	})
+
+	t.Run("no-hooks", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds: true,
+				noHooks:   true,
+			},
+			selectors: []string{"app=test"},
+			diffed: []exectest.Release{
+				{Name: "external-secrets", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values", "--no-hooks"}},
+				{Name: "my-release", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values", "--no-hooks"}},
+			},
+		})
+	})
+
+	t.Run("bad selector", func(t *testing.T) {
+		check(t, testcase{
+			selectors: []string{"app=test_non_existent"},
+			diffed:    nil,
+			error:     "err: no releases found that matches specified selector(app=test_non_existent) and environment(default), in any helmfile",
+		})
+	})
+}
+
+func TestDiffWithInstalled(t *testing.T) {
+	type testcase struct {
+		helmfile  string
+		ns        string
+		error     string
+		selectors []string
+		lists     map[exectest.ListKey]string
+		diffed    []exectest.Release
+	}
+
+	check := func(t *testing.T, tc testcase) {
+		t.Helper()
+
+		wantDiffs := tc.diffed
+
+		var helm = &exectest.Helm{
+			FailOnUnexpectedList: true,
+			FailOnUnexpectedDiff: true,
+			Lists:                tc.lists,
+			DiffMutex:            &sync.Mutex{},
+			ChartsMutex:          &sync.Mutex{},
+			ReleasesMutex:        &sync.Mutex{},
+			Helm3:                true,
+		}
+
+		bs := runWithLogCapture(t, "debug", func(t *testing.T, logger *zap.SugaredLogger) {
+			t.Helper()
+
+			valsRuntime, err := vals.New(vals.Options{CacheSize: 32})
+			if err != nil {
+				t.Errorf("unexpected error creating vals runtime: %v", err)
+			}
+
+			files := map[string]string{
+				"/path/to/helmfile.yaml": tc.helmfile,
+			}
+
+			app := appWithFs(&App{
+				OverrideHelmBinary:  DefaultHelmBinary,
+				fs:                  filesystem.DefaultFileSystem(),
+				OverrideKubeContext: "default",
+				Env:                 "default",
+				Logger:              logger,
+				helms: map[helmKey]helmexec.Interface{
+					createHelmKey("helm", "default"): helm,
+				},
+				valsRuntime: valsRuntime,
+			}, files)
+
+			if tc.ns != "" {
+				app.Namespace = tc.ns
+			}
+
+			if tc.selectors != nil {
+				app.Selectors = tc.selectors
+			}
+
+			diffErr := app.Diff(applyConfig{
+				// if we check log output, concurrency must be 1. otherwise the test becomes non-deterministic.
+				concurrency: 1,
+				logger:      logger,
+				skipNeeds:   true,
+			})
+
+			var gotErr string
+			if diffErr != nil {
+				gotErr = diffErr.Error()
+			}
+
+			if d := cmp.Diff(tc.error, gotErr); d != "" {
+				t.Fatalf("unexpected error: want (-), got (+): %s", d)
+			}
+
+			require.Equal(t, wantDiffs, helm.Diffed)
+		})
+
+		testhelper.RequireLog(t, "app_diff_test", bs)
+	}
+
+	t.Run("show diff on changed selected release", func(t *testing.T) {
+		check(t, testcase{
+			helmfile: `
+releases:
+- name: a
+  chart: incubator/raw
+  namespace: default
+- name: b
+  chart: incubator/raw
+  namespace: default
+`,
+			selectors: []string{"name=a"},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^a$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+foo 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			diffed: []exectest.Release{
+				{Name: "a", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values"}},
+			},
+		})
+	})
+
+	t.Run("shows no diff on already uninstalled selected release", func(t *testing.T) {
+		check(t, testcase{
+			helmfile: `
+releases:
+- name: a
+  chart: incubator/raw
+  installed: false
+  namespace: default
+- name: b
+  chart: incubator/raw
+  namespace: default
+`,
+			selectors: []string{"name=a"},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^a$", Flags: listFlags("default", "default")}: ``,
+			},
+		})
+	})
+
+	t.Run("show diff on changed selected release with reinstall", func(t *testing.T) {
+		check(t, testcase{
+			helmfile: `
+releases:
+- name: a
+  chart: incubator/raw
+  namespace: default
+  updateStrategy: reinstallIfForbidden
+- name: b
+  chart: incubator/raw
+  namespace: default
+`,
+			selectors: []string{"name=a"},
+			lists: map[exectest.ListKey]string{
+				{Filter: "^a$", Flags: listFlags("default", "default")}: `NAME	REVISION	UPDATED                 	STATUS  	CHART        	APP VERSION	NAMESPACE
+foo 	4       	Fri Nov  1 08:40:07 2019	DEPLOYED	raw-3.1.0	3.1.0      	default
+`,
+			},
+			diffed: []exectest.Release{
+				{Name: "a", Flags: []string{"--kube-context", "default", "--namespace", "default", "--reset-values"}},
+			},
+		})
+	})
+}
--- a/pkg/app/app_lint_test.go
+++ b/pkg/app/app_lint_test.go
@ -0,0 +1,306 @@
+package app
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/helmfile/vals"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+
+	"github.com/helmfile/helmfile/pkg/exectest"
+	ffs "github.com/helmfile/helmfile/pkg/filesystem"
+	"github.com/helmfile/helmfile/pkg/helmexec"
+)
+
+func TestLint(t *testing.T) {
+	type fields struct {
+		skipNeeds              bool
+		includeNeeds           bool
+		includeTransitiveNeeds bool
+	}
+
+	type testcase struct {
+		fields    fields
+		ns        string
+		error     string
+		selectors []string
+		linted    []exectest.Release
+	}
+
+	check := func(t *testing.T, tc testcase) {
+		t.Helper()
+
+		wantLints := tc.linted
+
+		var helm = &exectest.Helm{
+			FailOnUnexpectedList: true,
+			FailOnUnexpectedDiff: true,
+			DiffMutex:            &sync.Mutex{},
+			ChartsMutex:          &sync.Mutex{},
+			ReleasesMutex:        &sync.Mutex{},
+			Helm3:                true,
+		}
+
+		bs := runWithLogCapture(t, "debug", func(t *testing.T, logger *zap.SugaredLogger) {
+			t.Helper()
+
+			valsRuntime, err := vals.New(vals.Options{CacheSize: 32})
+			if err != nil {
+				t.Errorf("unexpected error creating vals runtime: %v", err)
+			}
+
+			files := map[string]string{
+				"/path/to/helmfile.yaml": `
+releases:
+- name: logging
+  chart: incubator/raw
+  namespace: kube-system
+
+- name: kubernetes-external-secrets
+  chart: incubator/raw
+  namespace: kube-system
+  needs:
+  - kube-system/logging
+
+- name: external-secrets
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - kube-system/kubernetes-external-secrets
+
+- name: my-release
+  chart: incubator/raw
+  namespace: default
+  labels:
+    app: test
+  needs:
+  - default/external-secrets
+
+
+# Disabled releases are treated as missing
+- name: disabled
+  chart: incubator/raw
+  namespace: kube-system
+  installed: false
+
+- name: test2
+  chart: incubator/raw
+  needs:
+  - kube-system/disabled
+
+- name: test3
+  chart: incubator/raw
+  needs:
+  - test2
+`,
+			}
+
+			app := appWithFs(&App{
+				OverrideHelmBinary:  DefaultHelmBinary,
+				fs:                  ffs.DefaultFileSystem(),
+				OverrideKubeContext: "default",
+				Env:                 "default",
+				Logger:              logger,
+				helms: map[helmKey]helmexec.Interface{
+					createHelmKey("helm", "default"): helm,
+				},
+				valsRuntime: valsRuntime,
+			}, files)
+
+			if tc.ns != "" {
+				app.Namespace = tc.ns
+			}
+
+			if tc.selectors != nil {
+				app.Selectors = tc.selectors
+			}
+
+			lintErr := app.Lint(applyConfig{
+				// if we check log output, concurrency must be 1. otherwise the test becomes non-deterministic.
+				concurrency:            1,
+				logger:                 logger,
+				skipNeeds:              tc.fields.skipNeeds,
+				includeNeeds:           tc.fields.includeNeeds,
+				includeTransitiveNeeds: tc.fields.includeTransitiveNeeds,
+			})
+
+			var gotErr string
+			if lintErr != nil {
+				gotErr = lintErr.Error()
+			}
+
+			if d := cmp.Diff(tc.error, gotErr); d != "" {
+				t.Fatalf("unexpected error: want (-), got (+): %s", d)
+			}
+
+			require.Equal(t, wantLints, helm.Linted)
+		})
+
+		testNameComponents := strings.Split(t.Name(), "/")
+		testBaseName := strings.ToLower(
+			strings.ReplaceAll(
+				testNameComponents[len(testNameComponents)-1],
+				" ",
+				"_",
+			),
+		)
+		wantLogFileDir := filepath.Join("testdata", "app_lint_test")
+		wantLogFile := filepath.Join(wantLogFileDir, testBaseName)
+		wantLogData, err := os.ReadFile(wantLogFile)
+		updateLogFile := err != nil
+		wantLog := string(wantLogData)
+		gotLog := bs.String()
+		if updateLogFile {
+			if err := os.MkdirAll(wantLogFileDir, 0755); err != nil {
+				t.Fatalf("unable to create directory %q: %v", wantLogFileDir, err)
+			}
+			if err := os.WriteFile(wantLogFile, bs.Bytes(), 0644); err != nil {
+				t.Fatalf("unable to update lint log snapshot: %v", err)
+			}
+		}
+
+		assert.Equal(t, wantLog, gotLog)
+	}
+
+	t.Run("fail on unselected need by default", func(t *testing.T) {
+		check(t, testcase{
+			selectors: []string{"app=test"},
+			error:     `in ./helmfile.yaml: release "default/default/external-secrets" depends on "default/kube-system/kubernetes-external-secrets" which does not match the selectors. Please add a selector like "--selector name=kubernetes-external-secrets", or indicate whether to skip (--skip-needs) or include (--include-needs) these dependencies`,
+		})
+	})
+
+	t.Run("skip-needs", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds: true,
+			},
+			selectors: []string{"app=test"},
+			linted: []exectest.Release{
+				{Name: "external-secrets", Flags: []string{"--namespace", "default"}},
+				{Name: "my-release", Flags: []string{"--namespace", "default"}},
+			},
+		})
+	})
+
+	t.Run("include-needs", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			error:     ``,
+			selectors: []string{"app=test"},
+			linted: []exectest.Release{
+				// TODO: Turned out we can't differentiate needs vs transitive needs in this case :thinking:
+				{Name: "logging", Flags: []string{"--namespace", "kube-system"}},
+				{Name: "kubernetes-external-secrets", Flags: []string{"--namespace", "kube-system"}},
+				{Name: "external-secrets", Flags: []string{"--namespace", "default"}},
+				{Name: "my-release", Flags: []string{"--namespace", "default"}},
+			},
+		})
+	})
+
+	t.Run("include-transitive-needs", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:              false,
+				includeTransitiveNeeds: true,
+			},
+			error:     ``,
+			selectors: []string{"app=test"},
+			linted: []exectest.Release{
+				{Name: "logging", Flags: []string{"--namespace", "kube-system"}},
+				{Name: "kubernetes-external-secrets", Flags: []string{"--namespace", "kube-system"}},
+				{Name: "external-secrets", Flags: []string{"--namespace", "default"}},
+				{Name: "my-release", Flags: []string{"--namespace", "default"}},
+			},
+		})
+	})
+
+	t.Run("include-needs should not fail on disabled direct need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			selectors: []string{"name=test2"},
+			linted: []exectest.Release{
+				{Name: "test2", Flags: []string{}},
+			},
+		})
+	})
+
+	t.Run("include-needs should not fail on disabled transitive need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:    false,
+				includeNeeds: true,
+			},
+			selectors: []string{"name=test3"},
+			linted: []exectest.Release{
+				{Name: "test2", Flags: []string{}},
+				{Name: "test3", Flags: []string{}},
+			},
+		})
+	})
+
+	t.Run("include-transitive-needs should not fail on disabled transitive need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:              false,
+				includeNeeds:           false,
+				includeTransitiveNeeds: true,
+			},
+			selectors: []string{"name=test3"},
+			linted: []exectest.Release{
+				{Name: "test2", Flags: []string{}},
+				{Name: "test3", Flags: []string{}},
+			},
+		})
+	})
+
+	t.Run("include-needs with include-transitive-needs should not fail on disabled direct need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:              false,
+				includeNeeds:           true,
+				includeTransitiveNeeds: true,
+			},
+			selectors: []string{"name=test2"},
+			linted: []exectest.Release{
+				{Name: "test2", Flags: []string{}},
+			},
+		})
+	})
+
+	t.Run("include-needs with include-transitive-needs should not fail on disabled transitive need", func(t *testing.T) {
+		check(t, testcase{
+			fields: fields{
+				skipNeeds:              false,
+				includeNeeds:           true,
+				includeTransitiveNeeds: true,
+			},
+			selectors: []string{"name=test3"},
+			linted: []exectest.Release{
+				{Name: "test2", Flags: []string{}},
+				{Name: "test3", Flags: []string{}},
+			},
+		})
+	})
+
+	t.Run("bad selector", func(t *testing.T) {
+		check(t, testcase{
+			selectors: []string{"app=test_non_existent"},
+			linted:    nil,
+			error:     "err: no releases found that matches specified selector(app=test_non_existent) and environment(default), in any helmfile",
+		})
+	})
+}
--- a/Show More
+++ b/Show More