Merge pull request #854 from erhancagirici/ec-xpv2

add v2 apis
use correct namespace from MR in MultiNamespacedResolution
2025-07-22 17:33:02 +03:00 · 2025-07-22 16:59:23 +03:00 · 2025-07-22 13:16:29 +03:00 · 2025-07-22 13:15:24 +03:00 · 2025-07-22 13:12:11 +03:00 · 2025-07-22 13:12:01 +03:00
162 changed files with 13946 additions and 8079 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -1,35 +1,32 @@
 <!--
-Thank you for helping to improve Crossplane!
+Thank you for helping to improve Crossplane! Please read the contribution docs
-
+(linked below) if this is your first Crossplane pull request.
 Please read through https://git.io/fj2m9 if this is your first time opening a
 Crossplane pull request. Find us in https://slack.crossplane.io/messages/dev if
 you need any help contributing.
 -->
 ### Description of your changes
 <!--
-Briefly describe what this pull request does. Be sure to direct your reviewers'
+Briefly describe what this pull request does, and how it is covered by tests.
-attention to anything that needs special consideration.
+Be proactive - direct your reviewers' attention to anything that needs special
-
+consideration.
 We love pull requests that resolve an open Crossplane issue. If yours does, you
 can uncomment the below line to indicate which issue your PR fixes, for example
 "Fixes #500":
 We love pull requests that fix an open issue. If yours does, use the below line
 to indicate which issue it fixes, for example "Fixes #500".
 -->
 Fixes # 
-I have:
+I have: <!--You MUST either [x] check or [ ] ~strike through~ every item.-->
 - [ ] Read and followed Crossplane's [contribution process].
- [ ] Run `make reviewable test` to ensure this PR is ready for review.
+- [ ] Run `earthly +reviewable` to ensure this PR is ready for review.
 - [ ] Added or updated unit tests.
 - [ ] Linked a PR or a [docs tracking issue] to [document this change].
 - [ ] Added `backport release-x.y` labels to auto-backport this PR.
-### How has this code been tested
+Need help with this checklist? See the [cheat sheet].
-<!--
+[contribution process]: https://github.com/crossplane/crossplane/tree/main/contributing
-Before reviewers can be confident in the correctness of this pull request, it
+[docs tracking issue]: https://github.com/crossplane/docs/issues/new
-needs to tested and shown to be correct. Briefly describe the testing that has
+[document this change]: https://docs.crossplane.io/contribute/contribute
-already been done or which is planned for this change.
+[cheat sheet]: https://github.com/crossplane/crossplane/tree/main/contributing#checklist-cheat-sheet
 -->
 [contribution process]: https://git.io/fj2m9
--- a/.github/renovate-entrypoint.sh
+++ b/.github/renovate-entrypoint.sh
@ -0,0 +1,7 @@
 #!/bin/sh
 curl -fsSLo /usr/local/bin/earthly https://github.com/earthly/earthly/releases/latest/download/earthly-linux-amd64
 chmod +x /usr/local/bin/earthly
 /usr/local/bin/earthly bootstrap
 renovate
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@ -1,63 +1,211 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
-    "config:base",
+    "config:recommended",
-    "helpers:pinGitHubActionDigests"
+    "helpers:pinGitHubActionDigests",
    ":semanticCommits"
  ],
-// We only want renovate to rebase PRs when they have conflicts,
+  // We only want renovate to rebase PRs when they have conflicts, default
-// default "auto" mode is not required.
+  // "auto" mode is not required.
  "rebaseWhen": "conflicted",
  // The maximum number of PRs to be created in parallel
  "prConcurrentLimit": 5,
-  "postUpdateOptions": ["gomodTidy"],
+  // The branches renovate should target
-// By default renovate will auto detect whether semantic commits have been used
+  // PLEASE UPDATE THIS WHEN RELEASING.
-// in the recent history and comply with that, we explicitly disable it
+  "baseBranches": [
-  "semanticCommits": "disabled",
+    'main',
    'release-1.18',
    'release-1.19',
    'release-1.20',
  ],
  "ignorePaths": [
    "design/**",
    // We test upgrades, so leave it on an older version on purpose.
    "test/e2e/manifests/pkg/provider/provider-initial.yaml",
  ],
  "postUpdateOptions": [
    "gomodTidy"
  ],
  // All PRs should have a label
-  "labels": ["automated"],
+  "labels": [
-  "regexManagers": [
+    "automated"
  ],
  "customManagers": [
    {
-      "description": "Bump Go version ued in workflows",
+      "customType": "regex",
-      "fileMatch": ["^\\.github\\/workflows\\/[^/]+\\.ya?ml$"],
+      "description": "Bump Earthly version in GitHub workflows",
      "fileMatch": [
        "^\\.github\\/workflows\\/[^/]+\\.ya?ml$"
      ],
      "matchStrings": [
-        "GO_VERSION: '(?<currentValue>.*?)'\\n"
+        "EARTHLY_VERSION: '(?<currentValue>.*?)'\\n"
      ],
      "datasourceTemplate": "github-releases",
      "depNameTemplate": "earthly/earthly",
      "extractVersionTemplate": "^v(?<version>.*)$"
    },
    {
      "customType": "regex",
      "description": "Bump Go version in Earthfile",
      "fileMatch": [
        "^Earthfile$"
      ],
      "matchStrings": [
        "ARG --global GO_VERSION=(?<currentValue>.*?)\\n"
      ],
      "datasourceTemplate": "golang-version",
      "depNameTemplate": "golang"
-    }, {
+    },
-      "description": "Bump golangci-lint version in workflows and the Makefile",
+    {
-      "fileMatch": ["^\\.github\\/workflows\\/[^/]+\\.ya?ml$","^Makefile$"],
+      "customType": "regex",
      "description": "Bump golangci-lint version in the Earthfile",
      "fileMatch": [
        "^Earthfile$"
      ],
      "matchStrings": [
-        "GOLANGCI_VERSION: 'v(?<currentValue>.*?)'\\n",
+        "ARG GOLANGCI_LINT_VERSION=(?<currentValue>.*?)\\n"
-        "GOLANGCILINT_VERSION = (?<currentValue>.*?)\\n"
+      ],
      "datasourceTemplate": "github-releases",
      "depNameTemplate": "golangci/golangci-lint"
    },
    {
      "customType": "regex",
      "description": "Bump codeql version in the Earthfile",
      "fileMatch": [
        "^Earthfile$"
      ],
      "datasourceTemplate": "github-tags",
      "depNameTemplate": "golangci/golangci-lint",
      "extractVersionTemplate": "^v(?<version>.*)$"
    }, {
      "description": "Bump Go required version in workflows and the Makefile",
      "fileMatch": ["^\\.github\\/workflows\\/[^/]+\\.ya?ml$", "^Makefile$"],
      "matchStrings": [
-        "GO_REQUIRED_VERSION = (?<currentValue>.*?)\\n",
+        "ARG CODEQL_VERSION=(?<currentValue>.*?)\\n"
      ],
-      "datasourceTemplate": "golang-version",
+      "datasourceTemplate": "github-releases",
-      "depNameTemplate": "golang",
+      "depNameTemplate": "github/codeql-action",
-      "versioningTemplate": "loose",
+      "extractVersionTemplate": "^codeql-bundle-(?<version>.*)$"
-      "extractVersionTemplate": "^(?<version>\\d+\\.\\d+)"
+    },
    }
  ],
  // Renovate doesn't have native Earthfile support, but because Earthfile
  // syntax is a superset of Dockerfile syntax this works to update FROM images.
  // https://github.com/renovatebot/renovate/issues/15975
  "dockerfile": {
    "fileMatch": [
      "(^|/)Earthfile$"
    ]
  },
  // PackageRules disabled below should be enabled in case of vulnerabilities
  "vulnerabilityAlerts": {
    "enabled": true
  },
  "osvVulnerabilityAlerts": true,
  // Renovate evaluates all packageRules in order, so low priority rules should
  // be at the beginning, high priority at the end
  "packageRules": [
    {
-      "description": "Only get docker image updates every 2 weeks to reduce noise",
+      "description": "Generate code after upgrading go dependencies (main)",
-      "matchDatasources": ["docker"],
+      "matchDatasources": [
-      "schedule": ["every 2 week on monday"],
+        "go"
-      "enabled": true,
+      ],
-    }, {
+      // Currently we only have an Earthfile on main and some release branches, so we ignore the ones we know don't have it.
      matchBaseBranches: [
        '!/release-1\.16/',
      ],
      postUpgradeTasks: {
        // Post-upgrade tasks that are executed before a commit is made by Renovate.
        "commands": [
          "earthly --strict +go-generate",
        ],
        fileFilters: [
          "**/*"
        ],
        executionMode: "update",
      },
    },
    {
      "description": "Generate code after upgrading go dependencies (release branch)",
      "matchDatasources": [
        "go"
      ],
      // Currently we only have an Earthfile on main and some release branches, so we only run this on older release branches.
      matchBaseBranches: [
        'release-1.16',
      ],
      postUpgradeTasks: {
        // Post-upgrade tasks that are executed before a commit is made by Renovate.
        "commands": [
          "make go.generate",
        ],
        fileFilters: [
          "**/*"
        ],
        executionMode: "update",
      },
    },
    {
      "description": "Lint code after upgrading golangci-lint (main)",
      "matchDepNames": [
        "golangci/golangci-lint"
      ],
      // Currently we only have an Earthfile on main and some release branches, so we ignore the ones we know don't have it.
      matchBaseBranches: [
        '!/release-1\.16/',
      ],
      postUpgradeTasks: {
        // Post-upgrade tasks that are executed before a commit is made by Renovate.
        "commands": [
          "earthly --strict +go-lint",
        ],
        fileFilters: [
          "**/*"
        ],
        executionMode: "update",
      },
    },
    {
      "description": "Lint code after upgrading golangci-lint (release branch)",
      "matchDepNames": [
        "golangci/golangci-lint"
      ],
      // Currently we only have an Earthfile on main and some release branches, so we only run this on older release branches.
      matchBaseBranches: [
        'release-1.16',
      ],
      postUpgradeTasks: {
        // Post-upgrade tasks that are executed before a commit is made by Renovate.
        "commands": [
          "make go.lint",
        ],
        fileFilters: [
          "**/*"
        ],
        executionMode: "update",
      },
    },
    {
      "description": "Ignore non-security related updates to release branches",
      matchBaseBranches: [
        "/^release-.*/"
      ],
      enabled: false,
    },
    {
      "description": "Still update Docker images on release branches though",
      "matchDatasources": [
        "docker"
      ],
      matchBaseBranches: [
        "/^release-.*/"
      ],
      enabled: true,
    },
    {
      "description": "Only get Docker image updates every 2 weeks to reduce noise",
      "matchDatasources": [
        "docker"
      ],
      "schedule": [
        "every 2 week on monday"
      ],
      enabled: true,
    },
    {
      "description": "Ignore k8s.io/client-go older versions, they switched to semantic version and old tags are still available in the repo",
      "matchDatasources": [
        "go"
@ -65,32 +213,35 @@
      "matchDepNames": [
        "k8s.io/client-go"
      ],
-      "allowedVersions": "<1.0"
+      "allowedVersions": "<1.0",
-    }, {
+    },
-      "description": "Only get dependency digest updates every month to reduce noise",
+    {
      "description": "Ignore k8s dependencies, should be updated on crossplane-runtime",
      "matchDatasources": [
        "go"
      ],
      "matchPackagePrefixes": [
        "k8s.io",
        "sigs.k8s.io"
      ],
      "enabled": false,
    },
    {
      "description": "Only get dependency digest updates every month to reduce noise, except crossplane-runtime",
      "excludePackageNames": [
        "github.com/crossplane/crossplane-runtime"
      ],
      "matchDatasources": [
        "go"
      ],
      "matchUpdateTypes": [
        "digest",
      ],
-      "extends": ["schedule:monthly"],
+      "extends": [
-    }, {
+        "schedule:monthly"
      "description": "Single PR for all kubernetes dependency updates, as they usually are all linked",
      "matchDatasources": [
        "go"
      ],
-      "groupName": "kubernetes deps",
+    },
-      "matchUpdateTypes": [
+    {
        "major",
        "minor",
        "patch"
      ],
      "matchPackagePrefixes": [
        "k8s.io",
        "sigs.k8s.io"
      ]
    }, {
      "description": "Ignore oss-fuzz, it's not using tags, we'll stick to master",
      "matchDepTypes": [
        "action"
@ -99,6 +250,13 @@
        "google/oss-fuzz"
      ],
      "enabled": false
    },
    {
      "description": "Group all go version updates",
      "matchDatasources": [
        "golang-version"
      ],
      "groupName": "golang version",
    }
-  ]
+  ],
 }
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -1,38 +0,0 @@
 # Configuration for probot-stale - https://github.com/probot/stale
 # Number of days of inactivity before an Issue or Pull Request becomes stale
 daysUntilStale: 90
 # Number of days of inactivity before a stale Issue or Pull Request is closed.
 # Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
 daysUntilClose: 7
 # Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
 exemptLabels:
  - security
 # Set to true to ignore issues in a project (defaults to false)
 exemptProjects: false
 # Set to true to ignore issues in a milestone (defaults to false)
 exemptMilestones: false
 # Label to use when marking as stale
 staleLabel: wontfix
 # Comment to post when marking as stale. Set to `false` to disable
 markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
 # Comment to post when closing a stale Issue or Pull Request.
 closeComment: >
  This issue has been automatically closed due to inactivity. Please re-open
  if this still requires investigation.
 # Limit the number of actions per hour, from 1-30. Default is 30
 limitPerRun: 30
 # Limit to only `issues` or `pulls`
 only: issues
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -22,12 +22,12 @@ jobs:
    if: github.event.pull_request.merged
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0
      - name: Open Backport PR
-        uses: zeebe-io/backport-action@bd68141f079bd036e45ea8149bc9d174d5a04703 # v1.4.0
+        uses: zeebe-io/backport-action@ef20d86abccbac3ee3a73cb2efbdc06344c390e5 # v2.5.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -3,15 +3,22 @@ name: CI
 on:
  push:
    branches:
-      - master
+      - main
      - release-*
  pull_request: {}
  workflow_dispatch: {}
 env:
  # Common versions
-  GO_VERSION: '1.21.3'
+  EARTHLY_VERSION: '0.8.15'
-  GOLANGCI_VERSION: 'v1.54.2'
+
  # Force Earthly to use color output
  FORCE_COLOR: "1"
  # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
  # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
  # credentials have been provided before trying to run steps that need them.
  DOCKER_USR: ${{ secrets.DOCKER_USR }}
 jobs:
  check-diff:
@ -19,209 +26,220 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
-          submodules: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}
-      - name: Setup Go
+      - name: Login to DockerHub
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.DOCKER_USR != ''
        with:
-          go-version: ${{ env.GO_VERSION }}
+          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}
-      - name: Find the Go Build Cache
+      - name: Login to GitHub Container Registry
-        id: go
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        run: echo "::set-output name=cache::$(make go.cachedir)"
      - name: Cache the Go Build Cache
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
        with:
-          path: ${{ steps.go.outputs.cache }}
+          registry: ghcr.io
-          key: ${{ runner.os }}-build-check-diff-${{ hashFiles('**/go.sum') }}
+          username: ${{ github.actor }}
-          restore-keys: ${{ runner.os }}-build-check-diff-
+          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Cache Go Dependencies
+      - name: Configure Earthly to Push Cache to GitHub Container Registry 
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
+        if: github.ref == 'refs/heads/main'
        run: |
          echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
          echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV
      - name: Generate Files
        run: earthly --strict --remote-cache ghcr.io/crossplane/crossplane-runtime-earthly-cache:${{ github.job }} +generate
      - name: Count Changed Files
        id: changed_files
        run: echo "count=$(git status --porcelain | wc -l)" >> $GITHUB_OUTPUT
      - name: Fail if Files Changed
        if: steps.changed_files.outputs.count != 0
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
        with:
-          path: .work/pkg
+          script: core.setFailed('Found changed files after running earthly +generate.')
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-
      - name: Vendor Dependencies
        run: make vendor vendor.check
      - name: Check Diff
        run: make check-diff
  detect-noop:
    runs-on: ubuntu-22.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
          concurrent_skipping: false
  lint:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
-          submodules: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}
-      - name: Setup Go
+      - name: Login to DockerHub
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.DOCKER_USR != ''
        with:
-          go-version: ${{ env.GO_VERSION }}
+          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}
-      - name: Find the Go Build Cache
+      - name: Login to GitHub Container Registry
-        id: go
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        run: echo "::set-output name=cache::$(make go.cachedir)"
      - name: Cache the Go Build Cache
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
        with:
-          path: ${{ steps.go.outputs.cache }}
+          registry: ghcr.io
-          key: ${{ runner.os }}-build-lint-${{ hashFiles('**/go.sum') }}
+          username: ${{ github.actor }}
-          restore-keys: ${{ runner.os }}-build-lint-
+          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Cache Go Dependencies
+      - name: Configure Earthly to Push Cache to GitHub Container Registry 
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
+        if: github.ref == 'refs/heads/main'
-        with:
+        run: |
-          path: .work/pkg
+          echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
+          echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV
          restore-keys: ${{ runner.os }}-pkg-
      - name: Vendor Dependencies
        run: make vendor vendor.check
      # We could run 'make lint' to ensure our desired Go version, but we prefer
      # this action because it leaves 'annotations' (i.e. it comments on PRs to
      # point out linter violations).
      - name: Lint
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3
+        run: earthly --strict --remote-cache ghcr.io/crossplane/crossplane-runtime-earthly-cache:${{ github.job }} +lint
        with:
          version: ${{ env.GOLANGCI_VERSION }}
          skip-cache: true # We do our own caching.
  codeql:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
-          submodules: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}
-      - name: Setup Go
+      - name: Login to DockerHub
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.DOCKER_USR != ''
        with:
-          go-version: ${{ env.GO_VERSION }}
+          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}
-      - name: Find the Go Build Cache
+      - name: Login to GitHub Container Registry
-        id: go
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        run: echo "::set-output name=cache::$(make go.cachedir)"
      - name: Cache the Go Build Cache
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
        with:
-          path: ${{ steps.go.outputs.cache }}
+          registry: ghcr.io
-          key: ${{ runner.os }}-build-check-diff-${{ hashFiles('**/go.sum') }}
+          username: ${{ github.actor }}
-          restore-keys: ${{ runner.os }}-build-check-diff-
+          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Cache Go Dependencies
+      - name: Configure Earthly to Push Cache to GitHub Container Registry 
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
+        if: github.ref == 'refs/heads/main'
        run: |
          echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
          echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV
      - name: Run CodeQL
        run: earthly --strict --remote-cache ghcr.io/crossplane/crossplane-runtime-earthly-cache:${{ github.job }} +ci-codeql
      - name: Upload CodeQL Results to GitHub
        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
        with:
-          path: .work/pkg
+          sarif_file: '_output/codeql/go.sarif'
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-
      - name: Vendor Dependencies
        run: make vendor vendor.check
      - name: Initialize CodeQL
        uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2
        with:
          languages: go
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2
  trivy-scan-fs:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          submodules: true
      - name: Run Trivy vulnerability scanner in fs mode
-        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          skip-dirs: design
          scan-ref: '.'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
          format: sarif
          output: 'trivy-results.sarif'
      - name: Upload Trivy Results to GitHub
        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
        with:
          sarif_file: 'trivy-results.sarif'
  unit-tests:
    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
-          submodules: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}
-      - name: Fetch History
+      - name: Login to DockerHub
-        run: git fetch --prune --unshallow
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
-
+        if: env.DOCKER_USR != ''
      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}
-      - name: Find the Go Build Cache
+      - name: Login to GitHub Container Registry
-        id: go
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        run: echo "::set-output name=cache::$(make go.cachedir)"
      - name: Cache the Go Build Cache
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
        with:
-          path: ${{ steps.go.outputs.cache }}
+          registry: ghcr.io
-          key: ${{ runner.os }}-build-unit-tests-${{ hashFiles('**/go.sum') }}
+          username: ${{ github.actor }}
-          restore-keys: ${{ runner.os }}-build-unit-tests-
+          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Cache Go Dependencies
+      - name: Configure Earthly to Push Cache to GitHub Container Registry 
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
+        if: github.ref == 'refs/heads/main'
-        with:
+        run: |
-          path: .work/pkg
+          echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
+          echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV
          restore-keys: ${{ runner.os }}-pkg-
      - name: Vendor Dependencies
        run: make vendor vendor.check
      - name: Run Unit Tests
-        run: make -j2 test
+        run: earthly --strict --remote-cache ghcr.io/crossplane/crossplane-runtime-earthly-cache:${{ github.job }} +test
      - name: Publish Unit Test Coverage
-        uses: codecov/codecov-action@c4cf8a4f03f0ac8585acb7c1b7ce3460ec15782f # v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
        with:
          flags: unittests
-          file: _output/tests/linux_amd64/coverage.txt
+          file: _output/tests/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}
  protobuf-schemas:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: Setup Buf
        uses: bufbuild/buf-setup-action@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Lint Protocol Buffers
        uses: bufbuild/buf-lint-action@v1
        with:
          input: apis
      # buf-breaking-action doesn't support branches
      # https://github.com/bufbuild/buf-push-action/issues/34
      - name: Detect Breaking Changes in Protocol Buffers
        uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1
        # We want to run this for the main branch, and PRs against main.
        if: ${{ github.ref == 'refs/heads/main' || github.base_ref == 'main' }}
        with:
          input: apis
          against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=main,subdir=apis"
      - name: Push Protocol Buffers to Buf Schema Registry
        if: ${{ github.repository == 'crossplane/crossplane-runtime' && github.ref == 'refs/heads/main' }}
        uses: bufbuild/buf-push-action@v1
        with:
          input: apis
          buf_token: ${{ secrets.BUF_TOKEN }}
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@ -19,7 +19,7 @@ jobs:
        allow-edits: "false"
        permission-level: write
    - name: Handle Command
-      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
      env:
        POINTS: ${{ steps.command.outputs.command-arguments }}
      with:
@ -80,12 +80,32 @@ jobs:
        permission-level: write
    - name: Checkout
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      with:
        fetch-depth: 0
    - name: Open Backport PR
-      uses: zeebe-io/backport-action@bd68141f079bd036e45ea8149bc9d174d5a04703 # v1.4.0
+      uses: zeebe-io/backport-action@ef20d86abccbac3ee3a73cb2efbdc06344c390e5 # v2.5.0
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        github_workspace: ${{ github.workspace }}
  fresh:
    runs-on: ubuntu-22.04
    if: startsWith(github.event.comment.body, '/fresh')
    steps:
      - name: Extract Command
        id: command
        uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88 # v2
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          command: fresh
          reaction: "true"
          reaction-type: "eyes"
          allow-edits: "false"
          permission-level: read
      - name: Handle Command
        uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          labels: stale
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@ -1,48 +0,0 @@
 name: Promote
 on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Release version (e.g. v0.1.0)'
        required: true
      channel:
        description: 'Release channel'
        required: true
        default: 'alpha'
 env:
  # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
  # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
  # credentials have been provided before trying to run steps that need them.
  DOCKER_USR: ${{ secrets.DOCKER_USR }}
  AWS_USR: ${{ secrets.AWS_USR }}
 jobs:
  promote-artifacts:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          submodules: true
      - name: Fetch History
        run: git fetch --prune --unshallow
      - name: Login to Docker
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}
      - name: Promote Artifacts in S3 and Docker Hub
        if: env.AWS_USR != '' && env.DOCKER_USR != ''
        run: make -j2 promote BRANCH_NAME=${GITHUB_REF##*/}
        env:
          VERSION: ${{ github.event.inputs.version }}
          CHANNEL: ${{ github.event.inputs.channel }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@ -0,0 +1,54 @@
 name: Renovate
 on:
  # Allows manual/automated trigger for debugging purposes
  workflow_dispatch:
    inputs:
      logLevel:
        description: "Renovate's log level"
        required: true
        default: "info"
        type: string
  schedule:
    - cron: '0 8 * * *'
 env:
  # Common versions
  EARTHLY_VERSION: '0.8.15'
  LOG_LEVEL: "info"
 jobs:
  renovate:
    runs-on: ubuntu-latest
    if: |
      !github.event.repository.fork &&
      !github.event.pull_request.head.repo.fork
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Don't waste time starting Renovate if JSON is invalid
      - name: Validate Renovate JSON
        run:  npx --yes --package renovate -- renovate-config-validator
      - name: Get token
        id: get-github-app-token
        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
        with:
          app-id: ${{ secrets.RENOVATE_GITHUB_APP_ID }}
          private-key: ${{ secrets.RENOVATE_GITHUB_APP_PRIVATE_KEY }}
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@0984fb80fc633b17e57f3e8b6c007fe0dc3e0d62 # v40.3.6
        env:
          RENOVATE_REPOSITORIES: ${{ github.repository }}
          # Use GitHub API to create commits
          RENOVATE_PLATFORM_COMMIT: "true"
          LOG_LEVEL: ${{ github.event.inputs.logLevel || env.LOG_LEVEL }}
          RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^earthly .+"]'
        with:
          configurationFile: .github/renovate.json5
          token: '${{ steps.get-github-app-token.outputs.token }}'
          mount-docker-socket: true
          docker-user: root
          docker-cmd-file: .github/renovate-entrypoint.sh
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -0,0 +1,47 @@
 name: Stale Issues and PRs
 on:
  schedule:
    # Process new stale issues once a day. Folks can /fresh for a fast un-stale
    # per the commands workflow. Run at 1:15 mostly as a somewhat unique time to
    # help correlate any issues with this workflow.
    - cron: '15 1 * * *'
  workflow_dispatch: {}
 permissions:
  issues: write
  pull-requests: write
 jobs:
  stale:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
        with:
          # This action uses ~2 operations per stale issue per run to determine
          # whether it's still stale. It also uses 2-3 operations to mark an issue
          # stale or not. During steady state (no issues to mark stale, check, or
          # close) we seem to use less than 10 operations with ~150 issues and PRs
          # open.
          #
          # Our hourly rate-limit budget for all workflows that use GITHUB_TOKEN
          # is 1,000 requests per the below docs.
          # https://docs.github.com/en/rest/overview/resources-in-the-rest-api#requests-from-github-actions
          operations-per-run: 100
          days-before-stale: 90
          days-before-close: 14
          stale-issue-label: stale
          exempt-issue-labels: exempt-from-stale
          stale-issue-message: >
            Crossplane does not currently have enough maintainers to address every
            issue and pull request. This issue has been automatically marked as
            `stale` because it has had no activity in the last 90 days. It will be
            closed in 14 days if no further activity occurs. Leaving a comment
            **starting with** `/fresh` will mark this issue as not stale.
          stale-pr-label: stale
          exempt-pr-labels: exempt-from-stale
          stale-pr-message:
            Crossplane does not currently have enough maintainers to address every
            issue and pull request. This pull request has been automatically
            marked as `stale` because it has had no activity in the last 90 days.
            It will be closed in 14 days if no further activity occurs.
            Adding a comment **starting with** `/fresh` will mark this PR as not stale.
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@ -16,7 +16,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: Create Tag
        uses: negz/create-tag@39bae1e0932567a58c20dea5a1a0d18358503320 # v1
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +0,0 @@
 [submodule "build"]
 	path = build
 	url = https://github.com/upbound/build
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,211 +1,265 @@
-run:
+version: "2"
  timeout: 10m
  skip-files:
  - "zz_generated\\..+\\.go$"
 output:
-  # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
+  formats:
-  format: colored-line-number
+    text:
      path: stderr
-linters-settings:
+linters:
  default: all
  disable:
    # These are linters we'd like to enable, but that will be labor intensive to
    # make existing code compliant.
    - wrapcheck
    - varnamelen
    - testpackage
    - paralleltest
    - nilnil
    - funcorder
    # Below are linters that lint for things we don't value. Each entry below
    # this line must have a comment explaining the rationale.
    # These linters add whitespace in an attempt to make code more readable.
    # This isn't a widely accepted Go best practice, and would be laborious to
    # apply to existing code.
    - wsl
    - nlreturn
    # Warns about uses of fmt.Sprintf that are less performant than alternatives
    # such as string concatenation. We value readability more than performance
    # unless performance is measured to be an issue.
    - perfsprint
    # This linter:
    #
    # 1. Requires errors.Is/errors.As to test equality.
    # 2. Requires all errors be wrapped with fmt.Errorf specifically.
    # 3. Disallows errors.New inline - requires package level errors.
    #
    # 1 is covered by other linters. 2 is covered by wrapcheck, which can also
    # handle our use of crossplane-runtime's errors package. 3 is more strict
    # than we need. Not every error needs to be tested for equality.
    - err113
    # These linters duplicate gocognit, but calculate complexity differently.
    - gocyclo
    - cyclop
    - nestif
    - funlen
    - maintidx
    # Enforces max line length. It's not idiomatic to enforce a strict limit on
    # line length in Go. We'd prefer to lint for things that often cause long
    # lines, like functions with too many parameters or long parameter names
    # that duplicate their types.
    - lll
    # Warns about struct instantiations that don't specify every field. Could be
    # useful in theory to catch fields that are accidentally omitted. Seems like
    # it would have many more false positives than useful catches, though.
    - exhaustruct
    # Warns about TODO comments. The rationale being they should be issues
    # instead. We're okay with using TODO to track minor cleanups for next time
    # we touch a particular file.
    - godox
    # Warns about duplicated code blocks within the same file. Could be useful
    # to prompt folks to think about whether code should be broken out into a
    # function, but generally we're less worried about DRY and fine with a
    # little copying. We don't want to give folks the impression that we require
    # every duplicated code block to be factored out into a function.
    - dupl
    # Warns about returning interfaces rather than concrete types. We do think
    # it's best to avoid returning interfaces where possible. However, at the
    # time of writing enabling this linter would only catch the (many) cases
    # where we must return an interface.
    - ireturn
    # Warns about returning named variables. We do think it's best to avoid
    # returning named variables where possible. However, at the time of writing
    # enabling this linter would only catch the (many) cases where returning
    # named variables is useful to document what the variables are. For example
    # we believe it makes sense to return (ready bool) rather than just (bool)
    # to communicate what the bool means.
    - nonamedreturns
    # Warns about using magic numbers. We do think it's best to avoid magic
    # numbers, but we should not be strict about it.
    - mnd
    # Warns about if err := Foo(); err != nil style error checks. Seems to go
    # against idiomatic Go programming, which encourages this approach - e.g.
    # to scope errors.
    - noinlineerr
  settings:
    depguard:
      rules:
        no_third_party_test_libraries:
          list-mode: lax
          files:
            - $test
          deny:
            - pkg: github.com/stretchr/testify
              desc: See https://go.dev/wiki/TestComments#assert-libraries
            - pkg: github.com/onsi/ginkgo
              desc: See https://go.dev/wiki/TestComments#assert-libraries
            - pkg: github.com/onsi/gomega
              desc: See https://go.dev/wiki/TestComments#assert-libraries
    dupl:
      threshold: 100
    errcheck:
    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
    # default is false: such cases aren't reported by default.
      check-type-assertions: false
    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
    # default is false: such cases aren't reported by default.
      check-blank: false
-
+    goconst:
-    # [deprecated] comma-separated list of pairs of the form pkg:regex
+      min-len: 3
-    # the regex is used to ignore names within pkg. (default "fmt:.*").
+      min-occurrences: 5
-    # see https://github.com/kisielk/errcheck#the-deprecated-method for details
+    gocritic:
-    ignore: fmt:.*,io/ioutil:^Read.*
+      enabled-tags:
-
+        - performance
      settings:
        captLocal:
          paramsOnly: true
        rangeValCopy:
          sizeThreshold: 32
    govet:
-    # report about shadowed variables
+      disable:
-    check-shadowing: false
+        - shadow
    interfacebloat:
      max: 5
    lll:
      tab-width: 1
    nakedret:
      max-func-lines: 30
    nolintlint:
      require-explanation: true
      require-specific: true
    prealloc:
      simple: true
      range-loops: true
      for-loops: false
    tagliatelle:
      case:
        rules:
          json: goCamel
    unparam:
      check-exported: false
    unused:
      exported-fields-are-used: true
  exclusions:
    generated: lax
    rules:
      - linters:
          - containedctx
          - errcheck
          - forcetypeassert
          - gochecknoglobals
          - gochecknoinits
          - gocognit
          - gosec
          - scopelint
          - unparam
          - embeddedstructfieldcheck
        path: _test(ing)?\.go
-  gofmt:
+      - linters:
-    # simplify code: gofmt with `-s` option, true by default
+          - gocritic
-    simplify: true
+        path: _test\.go
        text: (unnamedResult|exitAfterDefer)
      # It's idiomatic to register Kubernetes types with a package scoped
      # SchemeBuilder using an init function.
      - linters:
          - gochecknoglobals
          - gochecknoinits
        path: apis/
      # These are performance optimisations rather than style issues per se.
      # They warn when function arguments or range values copy a lot of memory
      # rather than using a pointer.
      - linters:
          - gocritic
        text: '(hugeParam|rangeValCopy):'
      # This "TestMain should call os.Exit to set exit code" warning is not clever
      # enough to notice that we call a helper method that calls os.Exit.
      - linters:
          - staticcheck
        text: 'SA3000:'
      # This is a "potential hardcoded credentials" warning. It's triggered by
      # any variable with 'secret' in the same, and thus hits a lot of false
      # positives in Kubernetes land where a Secret is an object type.
      - linters:
          - gosec
        text: 'G101:'
      # This is an 'errors unhandled' warning that duplicates errcheck.
      - linters:
          - gosec
        text: 'G104:'
      # This is about implicit memory aliasing in a range loop.
      # This is a false positive with Go v1.22 and above.
      - linters:
          - gosec
        text: 'G601:'
      # Some k8s dependencies do not have JSON tags on all fields in structs.
      - linters:
          - musttag
        path: k8s.io/
      # Various fields related to native patch and transform Composition are
      # deprecated, but we can't drop support from Crossplane 1.x. We ignore the
      # warnings globally instead of suppressing them with comments everywhere.
      - linters:
          - staticcheck
        text: 'SA1019: .+ is deprecated: Use Composition Functions instead.'
      # Some shared structs in apis/common/v1 are moved to
      # apis/common. To preserve a backward-compatible directory structure
      # package had to be named common, which we suppress.
      - linters:
          - revive
        text: "var-naming: avoid meaningless package names"
        path: apis/common
    paths:
      - zz_generated\..+\.go$
      - .+\.pb.go$
      - third_party$
      - builtin$
      - examples$
 issues:
  max-issues-per-linter: 0
  max-same-issues: 0
  new: false
 formatters:
  enable:
    - gci
    - gofmt
    - gofumpt
    - goimports
  settings:
    gci:
    custom-order: true
      sections:
        - standard
        - default
        - prefix(github.com/crossplane/crossplane-runtime)
        - blank
        - dot
-
+      custom-order: true
-  gocyclo:
+    gofmt:
-    # minimal code complexity to report, 30 by default (but we recommend 10-20)
+      simplify: true
-    min-complexity: 10
+  exclusions:
-
+    generated: lax
-  maligned:
+    paths:
-    # print struct with more effective memory layout or not, false by default
+      - zz_generated\..+\.go$
-    suggest-new: true
+      - .+\.pb.go$
-
+      - third_party$
-  dupl:
+      - builtin$
-    # tokens count to trigger issue, 150 by default
+      - examples$
    threshold: 100
  goconst:
    # minimal length of string constant, 3 by default
    min-len: 3
    # minimal occurrences count to trigger, 3 by default
    min-occurrences: 5
  lll:
    # tab width in spaces. Default to 1.
    tab-width: 1
  unused:
    # treat code as a program (not a library) and report unused exported identifiers; default is false.
    # XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
    # if it's called for subdir of a project it can't find funcs usages. All text editor integrations
    # with golangci-lint call it on a directory with the changed file.
    check-exported: false
  unparam:
    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
    # with golangci-lint call it on a directory with the changed file.
    check-exported: false
  nakedret:
    # make an issue if func has more lines of code than this setting and it has naked returns; default is 30
    max-func-lines: 30
  prealloc:
    # XXX: we don't recommend using this linter before doing performance profiling.
    # For most programs usage of prealloc will be a premature optimization.
    # Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
    # True by default.
    simple: true
    range-loops: true # Report preallocation suggestions on range loops, true by default
    for-loops: false # Report preallocation suggestions on for loops, false by default
  gocritic:
    # Enable multiple checks by tags, run `GL_DEBUG=gocritic golangci-lint` run to see all tags and checks.
    # Empty list by default. See https://github.com/go-critic/go-critic#usage -> section "Tags".
    enabled-tags:
      - performance
    settings: # settings passed to gocritic
      captLocal: # must be valid enabled check name
        paramsOnly: true
      rangeValCopy:
        sizeThreshold: 32
  nolintlint:
    require-explanation: true
    require-specific: true
 linters:
  enable:
    - megacheck
    - govet
    - gocyclo
    - gocritic
    - goconst
    - gci
    - gofmt  # We enable this as well as goimports for its simplify mode.
    - prealloc
    - revive
    - unconvert
    - misspell
    - nakedret
    - nolintlint
  disable:
    # These linters are all deprecated as of golangci-lint v1.49.0. We disable
    # them explicitly to avoid the linter logging deprecation warnings.
    - deadcode
    - varcheck
    - scopelint
    - structcheck
    - interfacer
  presets:
    - bugs
    - unused
  fast: false
 issues:
  # Excluding configuration per-path and per-linter
  exclude-rules:
    # Exclude some linters from running on tests files.
    - path: _test(ing)?\.go
      linters:
        - gocyclo
        - errcheck
        - dupl
        - gosec
        - scopelint
        - unparam
        - contextcheck
        - errchkjson
    # Ease some gocritic warnings on test files.
    - path: _test\.go
      text: "(unnamedResult|exitAfterDefer)"
      linters:
        - gocritic
    # These are performance optimisations rather than style issues per se.
    # They warn when function arguments or range values copy a lot of memory
    # rather than using a pointer.
    - text: "(hugeParam|rangeValCopy):"
      linters:
      - gocritic
    # This "TestMain should call os.Exit to set exit code" warning is not clever
    # enough to notice that we call a helper method that calls os.Exit.
    - text: "SA3000:"
      linters:
      - staticcheck
    - text: "k8s.io/api/core/v1"
      linters:
      - goimports
    # This is a "potential hardcoded credentials" warning. It's triggered by
    # any variable with 'secret' in the same, and thus hits a lot of false
    # positives in Kubernetes land where a Secret is an object type.
    - text: "G101:"
      linters:
      - gosec
      - gas
    # This is an 'errors unhandled' warning that duplicates errcheck.
    - text: "G104:"
      linters:
      - gosec
      - gas
  # Independently from option `exclude` we use default exclude patterns,
  # it can be disabled by this option. To list all
  # excluded by default patterns execute `golangci-lint run --help`.
  # Default value for this option is true.
  exclude-use-default: false
  # Show only new issues: if there are unstaged changes or untracked files,
  # only those changes are analyzed, else only changes in HEAD~ are analyzed.
  # It's a super-useful option for integration of golangci-lint into existing
  # large codebase. It's not practical to fix all existing issues at the moment
  # of integration: much better don't allow issues in new code.
  # Default is false.
  new: false
  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
  max-per-linter: 0
  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
  max-same-issues: 0
--- a/2
+++ b/2
@ -22,7 +22,7 @@
 # See also OWNERS.md for governance details
 # Fallback owners
-*                                   @crossplane/crossplane-maintainers @crossplane/crossplane-reviewers
+*                                   @crossplane/crossplane-maintainers
 # Governance owners - steering committee
 /README.md                           @crossplane/steering-committee
--- a/153
+++ b/153
@ -0,0 +1,153 @@
 # See https://docs.earthly.dev/docs/earthfile/features
 VERSION --try --raw-output 0.8
 PROJECT crossplane/crossplane-runtime
 ARG --global GO_VERSION=1.24.4
 # reviewable checks that a branch is ready for review. Run it before opening a
 # pull request. It will catch a lot of the things our CI workflow will catch.
 reviewable:
  WAIT
    BUILD +generate
  END
  BUILD +lint
  BUILD +test
 # test runs unit tests.
 test:
  BUILD +go-test
 # lint runs linters.
 lint:
  BUILD +go-lint
 # build builds Crossplane for your native OS and architecture.
 build:
  BUILD +go-build
 # multiplatform-build builds Crossplane for all supported OS and architectures.
 multiplatform-build:
  BUILD +go-multiplatform-build
 # generate runs code generation. To keep builds fast, it doesn't run as part of
 # the build target. It's important to run it explicitly when code needs to be
 # generated, for example when you update an API type.
 generate:
  BUILD +go-modules-tidy
  BUILD +go-generate
 # go-modules downloads Crossplane's go modules. It's the base target of most Go
 # related target (go-build, etc).
 go-modules:
  ARG NATIVEPLATFORM
  FROM --platform=${NATIVEPLATFORM} golang:${GO_VERSION}
  WORKDIR /crossplane
  CACHE --id go-build --sharing shared /root/.cache/go-build
  COPY go.mod go.sum ./
  RUN go mod download
  SAVE ARTIFACT go.mod AS LOCAL go.mod
  SAVE ARTIFACT go.sum AS LOCAL go.sum
 # go-modules-tidy tidies and verifies go.mod and go.sum.
 go-modules-tidy:
  FROM +go-modules
  CACHE --id go-build --sharing shared /root/.cache/go-build
  COPY --dir apis/ pkg/ .
  RUN go mod tidy
  RUN go mod verify
  SAVE ARTIFACT go.mod AS LOCAL go.mod
  SAVE ARTIFACT go.sum AS LOCAL go.sum
 # go-generate runs Go code generation.
 go-generate:
  FROM +go-modules
  CACHE --id go-build --sharing shared /root/.cache/go-build
  COPY --dir apis/ hack/ .
  RUN go generate -tags 'generate' ./apis/...
  SAVE ARTIFACT apis/ AS LOCAL apis
 # go-build builds Crossplane binaries for your native OS and architecture.
 go-build:
  ARG TARGETARCH
  ARG TARGETOS
  ARG GOARCH=${TARGETARCH}
  ARG GOOS=${TARGETOS}
  ARG CGO_ENABLED=0
  FROM +go-modules
  CACHE --id go-build --sharing shared /root/.cache/go-build
  COPY --dir apis/ pkg/ .
  RUN go build ./...
 # go-multiplatform-build builds Crossplane binaries for all supported OS
 # and architectures.
 go-multiplatform-build:
  BUILD \
    --platform=linux/amd64 \
    --platform=linux/arm64 \
    --platform=linux/arm \
    --platform=linux/ppc64le \
    --platform=darwin/arm64 \
    --platform=darwin/amd64 \
    --platform=windows/amd64 \
    +go-build
 # go-test runs Go unit tests.
 go-test:
  FROM +go-modules
  CACHE --id go-build --sharing shared /root/.cache/go-build
  COPY --dir apis/ pkg/ .
  RUN go test -covermode=count -coverprofile=coverage.txt ./...
  SAVE ARTIFACT coverage.txt AS LOCAL _output/tests/coverage.txt
 # go-lint lints Go code.
 go-lint:
  ARG GOLANGCI_LINT_VERSION=v2.2.1
  FROM +go-modules
  # This cache is private because golangci-lint doesn't support concurrent runs.
  CACHE --id go-lint --sharing private /root/.cache/golangci-lint
  CACHE --id go-build --sharing shared /root/.cache/go-build
  RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
  COPY .golangci.yml .
  COPY --dir apis/ pkg/ .
  RUN golangci-lint run --fix
  SAVE ARTIFACT apis AS LOCAL apis
  SAVE ARTIFACT pkg AS LOCAL pkg
 # Targets below this point are intended only for use in GitHub Actions CI. They
 # may not work outside of that environment. For example they may depend on
 # secrets that are only availble in the CI environment. Targets below this point
 # must be prefixed with ci-.
 # TODO(negz): Is there a better way to determine the Crossplane version?
 # This versioning approach maintains compatibility with the build submodule. See
 # https://github.com/crossplane/build/blob/231258/makelib/common.mk#L205. This
 # approach is problematic in Earthly because computing it inside a containerized
 # target requires copying the entire git repository into the container. Doing so
 # would invalidate all dependent target caches any time any file in git changed.
 # ci-codeql-setup sets up CodeQL for the ci-codeql target.
 ci-codeql-setup:
  ARG CODEQL_VERSION=v2.20.5
  FROM curlimages/curl:8.8.0
  RUN curl -fsSL https://github.com/github/codeql-action/releases/download/codeql-bundle-${CODEQL_VERSION}/codeql-bundle-linux64.tar.gz|tar zx
  SAVE ARTIFACT codeql
 # ci-codeql is used by CI to build Crossplane with CodeQL scanning enabled.
 ci-codeql:
  ARG CGO_ENABLED=0
  ARG TARGETOS
  ARG TARGETARCH
  # Using a static CROSSPLANE_VERSION allows Earthly to cache E2E runs as long
  # as no code changed. If the version contains a git commit (the default) the
  # build layer cache is invalidated on every commit.
  FROM +go-modules --CROSSPLANE_VERSION=v0.0.0-codeql
  IF [ "${TARGETARCH}" = "arm64" ] && [ "${TARGETOS}" = "linux" ]
    RUN --no-cache echo "CodeQL doesn't support Linux on Apple Silicon" && false
  END
  COPY --dir +ci-codeql-setup/codeql /codeql
  CACHE --id go-build --sharing shared /root/.cache/go-build
  COPY --dir apis/ pkg/ .
  RUN /codeql/codeql database create /codeqldb --language=go
  RUN /codeql/codeql database analyze /codeqldb --threads=0 --format=sarif-latest --output=go.sarif --sarif-add-baseline-file-info
  SAVE ARTIFACT go.sarif AS LOCAL _output/codeql/go.sarif
--- a/95
+++ b/95
@ -1,95 +0,0 @@
 # ====================================================================================
 # Setup Project
 PROJECT_NAME := crossplane-runtime
 PROJECT_REPO := github.com/crossplane/$(PROJECT_NAME)
 PLATFORMS ?= linux_amd64 linux_arm64
 # -include will silently skip missing files, which allows us
 # to load those files with a target in the Makefile. If only
 # "include" was used, the make command would fail and refuse
 # to run a target until the include commands succeeded.
 -include build/makelib/common.mk
 # ====================================================================================
 # Setup Images
 # even though this repo doesn't build images (note the no-op img.build target below),
 # some of the init is needed for the cross build container, e.g. setting BUILD_REGISTRY
 -include build/makelib/image.mk
 img.build:
 # ====================================================================================
 # Setup Go
 # Set a sane default so that the nprocs calculation below is less noisy on the initial
 # loading of this file
 NPROCS ?= 1
 # each of our test suites starts a kube-apiserver and running many test suites in
 # parallel can lead to high CPU utilization. by default we reduce the parallelism
 # to half the number of CPU cores.
 GO_TEST_PARALLEL := $(shell echo $$(( $(NPROCS) / 2 )))
 GO_LDFLAGS += -X $(GO_PROJECT)/pkg/version.Version=$(VERSION)
 GO_SUBDIRS += pkg apis
 GO111MODULE = on
 GOLANGCILINT_VERSION = 1.54.2
 -include build/makelib/golang.mk
 # ====================================================================================
 # Targets
 # run `make help` to see the targets and options
 # We want submodules to be set up the first time `make` is run.
 # We manage the build/ folder and its Makefiles as a submodule.
 # The first time `make` is run, the includes of build/*.mk files will
 # all fail, and this target will be run. The next time, the default as defined
 # by the includes will be run instead.
 fallthrough: submodules
 	@echo Initial setup complete. Running make again . . .
 	@make
 # NOTE(hasheddan): the build submodule currently overrides XDG_CACHE_HOME in
 # order to force the Helm 3 to use the .work/helm directory. This causes Go on
 # Linux machines to use that directory as the build cache as well. We should
 # adjust this behavior in the build submodule because it is also causing Linux
 # users to duplicate their build cache, but for now we just make it easier to
 # identify its location in CI so that we cache between builds.
 go.cachedir:
 	@go env GOCACHE
 # Generate a coverage report for cobertura applying exclusions on
 # - generated file
 cobertura:
 	@cat $(GO_TEST_OUTPUT)/coverage.txt | \
 		grep -v zz_generated.deepcopy | \
 		$(GOCOVER_COBERTURA) > $(GO_TEST_OUTPUT)/cobertura-coverage.xml
 # Update the submodules, such as the common build scripts.
 submodules:
 	@git submodule sync
 	@git submodule update --init --recursive
 .PHONY: cobertura reviewable submodules fallthrough
 # ====================================================================================
 # Special Targets
 define CROSSPLANE_RUNTIME_HELP
 Crossplane Runtime Targets:
    cobertura          Generate a coverage report for cobertura applying exclusions on generated files.
    reviewable         Ensure a PR is ready for review.
    submodules         Update the submodules, such as the common build scripts.
 endef
 export CROSSPLANE_RUNTIME_HELP
 crossplane-runtime.help:
 	@echo "$$CROSSPLANE_RUNTIME_HELP"
 help-special: crossplane-runtime.help
 .PHONY: crossplane-runtime.help help-special
--- a/OWNERS.md
+++ b/OWNERS.md
@ -5,7 +5,7 @@ Each repository in the [Crossplane organization](https://github.com/crossplane/)
 will list their repository maintainers and reviewers in their own `OWNERS.md`
 file.
-Please see [GOVERNANCE.md](https://github.com/crossplane/crossplane/blob/masterGOVERNANCE.md)
+Please see [GOVERNANCE.md](https://github.com/crossplane/crossplane/blob/main/GOVERNANCE.md)
 for governance guidelines and responsibilities for maintainers, and reviewers.
 See [CODEOWNERS](CODEOWNERS) for automatic PR assignment.
@ -14,17 +14,15 @@ See [CODEOWNERS](CODEOWNERS) for automatic PR assignment.
 ## Maintainers
 * Nic Cope <negz@upbound.io> ([negz](https://github.com/negz))
 * Daniel Mangum <dan@upbound.io> ([hasheddan](https://github.com/hasheddan))
 * Muvaffak Onus <monus@upbound.io> ([muvaf](https://github.com/muvaf))
 * Hasan Turken <hasan@upbound.io> ([turkenh](https://github.com/turkenh))
 * Bob Haddleton <bob.haddleton@nokia.com> ([bobh66](https://github.com/bobh66))
 * Philippe Scorsolini <philippe.scorsolini@upbound.io> ([phisco](https://github.com/phisco))
 ## Reviewers
 * Bob Haddleton <bob.haddleton@nokia.com> ([bobh66](https://github.com/bobh66))
 * Yury Tsarev <yury@upbound.io> ([ytsarev](https://github.com/ytsarev))
 * Ezgi Demirel <ezgi@upbound.io> ([ezgidemirel](https://github.com/ezgidemirel))
 * Max Blatt ([MisterMX](https://github.com/MisterMX))
 * Philippe Scorsolini <philippe.scorsolini@upbound.io> ([phisco](https://github.com/phisco))
 ## Emeritus maintainers
--- a/README.md
+++ b/README.md
@ -47,15 +47,15 @@ crossplane-runtime is under the Apache 2.0 license.
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fcrossplane%2Fcrossplane-runtime.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fcrossplane%2Fcrossplane-runtime?ref=badge_large)
-[developer guide]: https://github.com/crossplane/crossplane/tree/master/contributing
+[developer guide]: https://github.com/crossplane/crossplane/tree/main/contributing
 [API documentation]: https://godoc.org/github.com/crossplane/crossplane-runtime
-[contributing]: https://github.com/crossplane/crossplane/blob/master/CONTRIBUTING.md
+[contributing]: https://github.com/crossplane/crossplane/blob/main/CONTRIBUTING.md
 [issue]: https://github.com/crossplane/crossplane-runtime/issues
 [slack channel]: https://slack.crossplane.io
 [crossplane-dev]: https://groups.google.com/forum/#!forum/crossplane-dev
 [@crossplane_io]: https://twitter.com/crossplane_io
 [info@crossplane.io]: mailto:info@crossplane.io
-[roadmap]: https://github.com/crossplane/crossplane/blob/master/ROADMAP.md
+[roadmap]: https://github.com/crossplane/crossplane/blob/main/ROADMAP.md
-[governance]: https://github.com/crossplane/crossplane/blob/master/GOVERNANCE.md
+[governance]: https://github.com/crossplane/crossplane/blob/main/GOVERNANCE.md
-[ownership]: https://github.com/crossplane/crossplane/blob/master/OWNERS.md
+[ownership]: https://github.com/crossplane/crossplane/blob/main/OWNERS.md
-[code of conduct]: https://github.com/crossplane/crossplane/blob/master/CODE_OF_CONDUCT.md
+[code of conduct]: https://github.com/crossplane/crossplane/blob/main/CODE_OF_CONDUCT.md
--- a/RELEASE.md
+++ b/RELEASE.md
@ -12,9 +12,9 @@ In order to cut a new patch release from an existing release branch `release-X.Y
 In order to cut a new minor release, follow these steps:
- Create a new release branch `release-X.Y` from `master`, using the [GitHub UI][create-branch].
+- Create a new release branch `release-X.Y` from `main`, using the [GitHub UI][create-branch].
- Create and merge an empty commit to the `master` branch, if required to have it at least one commit ahead of the release branch.
+- Create and merge an empty commit to the `main` branch, if required to have it at least one commit ahead of the release branch.
- Run the [Tag workflow][tag-workflow] on the `master` branch with the release candidate tag for the next release, so `vX.<Y+1>.0-rc.0`.
+- Run the [Tag workflow][tag-workflow] on the `main` branch with the release candidate tag for the next release, so `vX.<Y+1>.0-rc.0`.
 - Run the [Tag workflow][tag-workflow] on the `release-X.Y` branch with the proper release version, `vX.Y.0`. Message suggested, but not required: `Release vX.Y.0`.
 - Draft the [new release notes], and share them with the rest of the team to ensure that all the required information is included.
 - Publish the above release notes.
--- a/SECURITY.md
+++ b/SECURITY.md
@ -3,5 +3,5 @@
 ## Reporting a Vulnerability
 Instructions for reporting a vulnerability can be found on the
-[crossplane repository](https://github.com/crossplane/crossplane/blob/master/SECURITY.md).
+[crossplane repository](https://github.com/crossplane/crossplane/blob/main/SECURITY.md).
--- a/apis/apis.go
+++ b/apis/apis.go
@ -35,13 +35,12 @@ limitations under the License.
 // (or protoc) to invoke them.
 //go:generate go install google.golang.org/protobuf/cmd/protoc-gen-go google.golang.org/grpc/cmd/protoc-gen-go-grpc
-//go:generate go run github.com/bufbuild/buf/cmd/buf generate
+//go:generate go run github.com/bufbuild/buf/cmd/buf@v1.36.0 generate
 // Package apis contains Kubernetes API groups
 package apis
 import (
 	_ "github.com/bufbuild/buf/cmd/buf"                 //nolint:typecheck
 	_ "google.golang.org/grpc/cmd/protoc-gen-go-grpc"   //nolint:typecheck
 	_ "google.golang.org/protobuf/cmd/protoc-gen-go"    //nolint:typecheck
 	_ "sigs.k8s.io/controller-tools/cmd/controller-gen" //nolint:typecheck
--- a/apis/buf.yaml
+++ b/apis/buf.yaml
@ -0,0 +1,9 @@
 version: v1
 name: buf.build/crossplane/crossplane-runtime
 breaking:
  use:
    - FILE
 lint:
  use:
    - DEFAULT
  allow_comment_ignores: true
--- a/apis/changelogs/proto/v1alpha1/changelog.pb.go
+++ b/apis/changelogs/proto/v1alpha1/changelog.pb.go
@ -0,0 +1,453 @@
 //
 //Copyright 2024 The Crossplane Authors.
 //Licensed under the Apache License, Version 2.0 (the "License");
 //you may not use this file except in compliance with the License.
 //You may obtain a copy of the License at
 //http://www.apache.org/licenses/LICENSE-2.0
 //Unless required by applicable law or agreed to in writing, software
 //distributed under the License is distributed on an "AS IS" BASIS,
 //WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 //See the License for the specific language governing permissions and
 //limitations under the License.
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.5
 // 	protoc        (unknown)
 // source: changelogs/proto/v1alpha1/changelog.proto
 // buf:lint:ignore PACKAGE_DIRECTORY_MATCH
 package v1alpha1
 import (
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	structpb "google.golang.org/protobuf/types/known/structpb"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
 	unsafe "unsafe"
 )
 const (
 	// Verify that this generated code is sufficiently up-to-date.
 	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
 	// Verify that runtime/protoimpl is sufficiently up-to-date.
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )
 // OperationType represents the type of operation that was performed on a
 // resource.
 type OperationType int32
 const (
 	OperationType_OPERATION_TYPE_UNSPECIFIED OperationType = 0
 	OperationType_OPERATION_TYPE_CREATE      OperationType = 1
 	OperationType_OPERATION_TYPE_UPDATE      OperationType = 2
 	OperationType_OPERATION_TYPE_DELETE      OperationType = 3
 )
 // Enum value maps for OperationType.
 var (
 	OperationType_name = map[int32]string{
 		0: "OPERATION_TYPE_UNSPECIFIED",
 		1: "OPERATION_TYPE_CREATE",
 		2: "OPERATION_TYPE_UPDATE",
 		3: "OPERATION_TYPE_DELETE",
 	}
 	OperationType_value = map[string]int32{
 		"OPERATION_TYPE_UNSPECIFIED": 0,
 		"OPERATION_TYPE_CREATE":      1,
 		"OPERATION_TYPE_UPDATE":      2,
 		"OPERATION_TYPE_DELETE":      3,
 	}
 )
 func (x OperationType) Enum() *OperationType {
 	p := new(OperationType)
 	*p = x
 	return p
 }
 func (x OperationType) String() string {
 	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
 }
 func (OperationType) Descriptor() protoreflect.EnumDescriptor {
 	return file_changelogs_proto_v1alpha1_changelog_proto_enumTypes[0].Descriptor()
 }
 func (OperationType) Type() protoreflect.EnumType {
 	return &file_changelogs_proto_v1alpha1_changelog_proto_enumTypes[0]
 }
 func (x OperationType) Number() protoreflect.EnumNumber {
 	return protoreflect.EnumNumber(x)
 }
 // Deprecated: Use OperationType.Descriptor instead.
 func (OperationType) EnumDescriptor() ([]byte, []int) {
 	return file_changelogs_proto_v1alpha1_changelog_proto_rawDescGZIP(), []int{0}
 }
 // SendChangeLogRequest represents a request to send a single change log entry.
 type SendChangeLogRequest struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The change log entry to send as part of this request.
 	Entry         *ChangeLogEntry `protobuf:"bytes,1,opt,name=entry,proto3" json:"entry,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *SendChangeLogRequest) Reset() {
 	*x = SendChangeLogRequest{}
 	mi := &file_changelogs_proto_v1alpha1_changelog_proto_msgTypes[0]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 func (x *SendChangeLogRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SendChangeLogRequest) ProtoMessage() {}
 func (x *SendChangeLogRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_changelogs_proto_v1alpha1_changelog_proto_msgTypes[0]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SendChangeLogRequest.ProtoReflect.Descriptor instead.
 func (*SendChangeLogRequest) Descriptor() ([]byte, []int) {
 	return file_changelogs_proto_v1alpha1_changelog_proto_rawDescGZIP(), []int{0}
 }
 func (x *SendChangeLogRequest) GetEntry() *ChangeLogEntry {
 	if x != nil {
 		return x.Entry
 	}
 	return nil
 }
 // ChangeLogEntry represents a single change log entry, with detailed information
 // about the resource that was changed.
 type ChangeLogEntry struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The timestamp at which the change occurred.
 	Timestamp *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=timestamp,proto3" json:"timestamp,omitempty"`
 	// The name and version of the provider that is making the change to the
 	// resource.
 	Provider string `protobuf:"bytes,2,opt,name=provider,proto3" json:"provider,omitempty"`
 	// The API version of the resource that was changed, e.g. Group/Version.
 	ApiVersion string `protobuf:"bytes,3,opt,name=api_version,json=apiVersion,proto3" json:"api_version,omitempty"`
 	// The kind of the resource that was changed.
 	Kind string `protobuf:"bytes,4,opt,name=kind,proto3" json:"kind,omitempty"`
 	// The name of the resource that was changed.
 	Name string `protobuf:"bytes,5,opt,name=name,proto3" json:"name,omitempty"`
 	// The external name of the resource that was changed.
 	ExternalName string `protobuf:"bytes,6,opt,name=external_name,json=externalName,proto3" json:"external_name,omitempty"`
 	// The type of operation that was performed on the resource, e.g. Create,
 	// Update, or Delete.
 	Operation OperationType `protobuf:"varint,7,opt,name=operation,proto3,enum=changelogs.proto.v1alpha1.OperationType" json:"operation,omitempty"`
 	// A full snapshot of the resource's state, as observed directly before the
 	// resource was changed.
 	Snapshot *structpb.Struct `protobuf:"bytes,8,opt,name=snapshot,proto3" json:"snapshot,omitempty"`
 	// An optional error message that describes any error encountered while
 	// performing the operation on the resource.
 	ErrorMessage *string `protobuf:"bytes,9,opt,name=error_message,json=errorMessage,proto3,oneof" json:"error_message,omitempty"`
 	// An optional additional details that can be provided for further context
 	// about the change.
 	AdditionalDetails map[string]string `protobuf:"bytes,10,rep,name=additional_details,json=additionalDetails,proto3" json:"additional_details,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	unknownFields     protoimpl.UnknownFields
 	sizeCache         protoimpl.SizeCache
 }
 func (x *ChangeLogEntry) Reset() {
 	*x = ChangeLogEntry{}
 	mi := &file_changelogs_proto_v1alpha1_changelog_proto_msgTypes[1]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 func (x *ChangeLogEntry) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*ChangeLogEntry) ProtoMessage() {}
 func (x *ChangeLogEntry) ProtoReflect() protoreflect.Message {
 	mi := &file_changelogs_proto_v1alpha1_changelog_proto_msgTypes[1]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use ChangeLogEntry.ProtoReflect.Descriptor instead.
 func (*ChangeLogEntry) Descriptor() ([]byte, []int) {
 	return file_changelogs_proto_v1alpha1_changelog_proto_rawDescGZIP(), []int{1}
 }
 func (x *ChangeLogEntry) GetTimestamp() *timestamppb.Timestamp {
 	if x != nil {
 		return x.Timestamp
 	}
 	return nil
 }
 func (x *ChangeLogEntry) GetProvider() string {
 	if x != nil {
 		return x.Provider
 	}
 	return ""
 }
 func (x *ChangeLogEntry) GetApiVersion() string {
 	if x != nil {
 		return x.ApiVersion
 	}
 	return ""
 }
 func (x *ChangeLogEntry) GetKind() string {
 	if x != nil {
 		return x.Kind
 	}
 	return ""
 }
 func (x *ChangeLogEntry) GetName() string {
 	if x != nil {
 		return x.Name
 	}
 	return ""
 }
 func (x *ChangeLogEntry) GetExternalName() string {
 	if x != nil {
 		return x.ExternalName
 	}
 	return ""
 }
 func (x *ChangeLogEntry) GetOperation() OperationType {
 	if x != nil {
 		return x.Operation
 	}
 	return OperationType_OPERATION_TYPE_UNSPECIFIED
 }
 func (x *ChangeLogEntry) GetSnapshot() *structpb.Struct {
 	if x != nil {
 		return x.Snapshot
 	}
 	return nil
 }
 func (x *ChangeLogEntry) GetErrorMessage() string {
 	if x != nil && x.ErrorMessage != nil {
 		return *x.ErrorMessage
 	}
 	return ""
 }
 func (x *ChangeLogEntry) GetAdditionalDetails() map[string]string {
 	if x != nil {
 		return x.AdditionalDetails
 	}
 	return nil
 }
 // SendChangeLogResponse is the response returned by the ChangeLogService after
 // a change log entry is sent. Currently, this is an empty message as the only
 // useful information expected to sent back at this time will be through errors.
 type SendChangeLogResponse struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *SendChangeLogResponse) Reset() {
 	*x = SendChangeLogResponse{}
 	mi := &file_changelogs_proto_v1alpha1_changelog_proto_msgTypes[2]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 func (x *SendChangeLogResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*SendChangeLogResponse) ProtoMessage() {}
 func (x *SendChangeLogResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_changelogs_proto_v1alpha1_changelog_proto_msgTypes[2]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use SendChangeLogResponse.ProtoReflect.Descriptor instead.
 func (*SendChangeLogResponse) Descriptor() ([]byte, []int) {
 	return file_changelogs_proto_v1alpha1_changelog_proto_rawDescGZIP(), []int{2}
 }
 var File_changelogs_proto_v1alpha1_changelog_proto protoreflect.FileDescriptor
 var file_changelogs_proto_v1alpha1_changelog_proto_rawDesc = string([]byte{
 	0x0a, 0x29, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x6c, 0x6f, 0x67, 0x73, 0x2f, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x68, 0x61, 0x6e,
 	0x67, 0x65, 0x6c, 0x6f, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x19, 0x63, 0x68, 0x61,
 	0x6e, 0x67, 0x65, 0x6c, 0x6f, 0x67, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x57, 0x0a, 0x14, 0x53, 0x65, 0x6e, 0x64, 0x43, 0x68, 0x61,
 	0x6e, 0x67, 0x65, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3f, 0x0a,
 	0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x63,
 	0x68, 0x61, 0x6e, 0x67, 0x65, 0x6c, 0x6f, 0x67, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e,
 	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x4c,
 	0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0xc4,
 	0x04, 0x0a, 0x0e, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72,
 	0x79, 0x12, 0x38, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
 	0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x1a, 0x0a, 0x08, 0x70,
 	0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70,
 	0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x70, 0x69, 0x5f, 0x76,
 	0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x70,
 	0x69, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64,
 	0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04,
 	0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65,
 	0x12, 0x23, 0x0a, 0x0d, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x6e, 0x61, 0x6d,
 	0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61,
 	0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x46, 0x0a, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69,
 	0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x67,
 	0x65, 0x6c, 0x6f, 0x67, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x31, 0x61, 0x6c,
 	0x70, 0x68, 0x61, 0x31, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x79,
 	0x70, 0x65, 0x52, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x33, 0x0a,
 	0x08, 0x73, 0x6e, 0x61, 0x70, 0x73, 0x68, 0x6f, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32,
 	0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
 	0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x08, 0x73, 0x6e, 0x61, 0x70, 0x73, 0x68,
 	0x6f, 0x74, 0x12, 0x28, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73,
 	0x61, 0x67, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0c, 0x65, 0x72, 0x72,
 	0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x88, 0x01, 0x01, 0x12, 0x6f, 0x0a, 0x12,
 	0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x64, 0x65, 0x74, 0x61, 0x69,
 	0x6c, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x40, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x67,
 	0x65, 0x6c, 0x6f, 0x67, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x31, 0x61, 0x6c,
 	0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x4c, 0x6f, 0x67, 0x45, 0x6e,
 	0x74, 0x72, 0x79, 0x2e, 0x41, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x44, 0x65,
 	0x74, 0x61, 0x69, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x11, 0x61, 0x64, 0x64, 0x69,
 	0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x1a, 0x44, 0x0a,
 	0x16, 0x41, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x44, 0x65, 0x74, 0x61, 0x69,
 	0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c,
 	0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a,
 	0x02, 0x38, 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65,
 	0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x17, 0x0a, 0x15, 0x53, 0x65, 0x6e, 0x64, 0x43, 0x68, 0x61,
 	0x6e, 0x67, 0x65, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2a, 0x80,
 	0x01, 0x0a, 0x0d, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65,
 	0x12, 0x1e, 0x0a, 0x1a, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59,
 	0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00,
 	0x12, 0x19, 0x0a, 0x15, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59,
 	0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x4f,
 	0x50, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50,
 	0x44, 0x41, 0x54, 0x45, 0x10, 0x02, 0x12, 0x19, 0x0a, 0x15, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54,
 	0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x44, 0x45, 0x4c, 0x45, 0x54, 0x45, 0x10,
 	0x03, 0x32, 0x88, 0x01, 0x0a, 0x10, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x4c, 0x6f, 0x67, 0x53,
 	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x74, 0x0a, 0x0d, 0x53, 0x65, 0x6e, 0x64, 0x43, 0x68,
 	0x61, 0x6e, 0x67, 0x65, 0x4c, 0x6f, 0x67, 0x12, 0x2f, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65,
 	0x6c, 0x6f, 0x67, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
 	0x68, 0x61, 0x31, 0x2e, 0x53, 0x65, 0x6e, 0x64, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x4c, 0x6f,
 	0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x67,
 	0x65, 0x6c, 0x6f, 0x67, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x31, 0x61, 0x6c,
 	0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x65, 0x6e, 0x64, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x4c,
 	0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x49, 0x5a, 0x47,
 	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6f, 0x73, 0x73,
 	0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x63, 0x72, 0x6f, 0x73, 0x73, 0x70, 0x6c, 0x61, 0x6e, 0x65,
 	0x2d, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x63, 0x68,
 	0x61, 0x6e, 0x67, 0x65, 0x6c, 0x6f, 0x67, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x76,
 	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 })
 var (
 	file_changelogs_proto_v1alpha1_changelog_proto_rawDescOnce sync.Once
 	file_changelogs_proto_v1alpha1_changelog_proto_rawDescData []byte
 )
 func file_changelogs_proto_v1alpha1_changelog_proto_rawDescGZIP() []byte {
 	file_changelogs_proto_v1alpha1_changelog_proto_rawDescOnce.Do(func() {
 		file_changelogs_proto_v1alpha1_changelog_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_changelogs_proto_v1alpha1_changelog_proto_rawDesc), len(file_changelogs_proto_v1alpha1_changelog_proto_rawDesc)))
 	})
 	return file_changelogs_proto_v1alpha1_changelog_proto_rawDescData
 }
 var file_changelogs_proto_v1alpha1_changelog_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
 var file_changelogs_proto_v1alpha1_changelog_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
 var file_changelogs_proto_v1alpha1_changelog_proto_goTypes = []any{
 	(OperationType)(0),            // 0: changelogs.proto.v1alpha1.OperationType
 	(*SendChangeLogRequest)(nil),  // 1: changelogs.proto.v1alpha1.SendChangeLogRequest
 	(*ChangeLogEntry)(nil),        // 2: changelogs.proto.v1alpha1.ChangeLogEntry
 	(*SendChangeLogResponse)(nil), // 3: changelogs.proto.v1alpha1.SendChangeLogResponse
 	nil,                           // 4: changelogs.proto.v1alpha1.ChangeLogEntry.AdditionalDetailsEntry
 	(*timestamppb.Timestamp)(nil), // 5: google.protobuf.Timestamp
 	(*structpb.Struct)(nil),       // 6: google.protobuf.Struct
 }
 var file_changelogs_proto_v1alpha1_changelog_proto_depIdxs = []int32{
 	2, // 0: changelogs.proto.v1alpha1.SendChangeLogRequest.entry:type_name -> changelogs.proto.v1alpha1.ChangeLogEntry
 	5, // 1: changelogs.proto.v1alpha1.ChangeLogEntry.timestamp:type_name -> google.protobuf.Timestamp
 	0, // 2: changelogs.proto.v1alpha1.ChangeLogEntry.operation:type_name -> changelogs.proto.v1alpha1.OperationType
 	6, // 3: changelogs.proto.v1alpha1.ChangeLogEntry.snapshot:type_name -> google.protobuf.Struct
 	4, // 4: changelogs.proto.v1alpha1.ChangeLogEntry.additional_details:type_name -> changelogs.proto.v1alpha1.ChangeLogEntry.AdditionalDetailsEntry
 	1, // 5: changelogs.proto.v1alpha1.ChangeLogService.SendChangeLog:input_type -> changelogs.proto.v1alpha1.SendChangeLogRequest
 	3, // 6: changelogs.proto.v1alpha1.ChangeLogService.SendChangeLog:output_type -> changelogs.proto.v1alpha1.SendChangeLogResponse
 	6, // [6:7] is the sub-list for method output_type
 	5, // [5:6] is the sub-list for method input_type
 	5, // [5:5] is the sub-list for extension type_name
 	5, // [5:5] is the sub-list for extension extendee
 	0, // [0:5] is the sub-list for field type_name
 }
 func init() { file_changelogs_proto_v1alpha1_changelog_proto_init() }
 func file_changelogs_proto_v1alpha1_changelog_proto_init() {
 	if File_changelogs_proto_v1alpha1_changelog_proto != nil {
 		return
 	}
 	file_changelogs_proto_v1alpha1_changelog_proto_msgTypes[1].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_changelogs_proto_v1alpha1_changelog_proto_rawDesc), len(file_changelogs_proto_v1alpha1_changelog_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   4,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
 		GoTypes:           file_changelogs_proto_v1alpha1_changelog_proto_goTypes,
 		DependencyIndexes: file_changelogs_proto_v1alpha1_changelog_proto_depIdxs,
 		EnumInfos:         file_changelogs_proto_v1alpha1_changelog_proto_enumTypes,
 		MessageInfos:      file_changelogs_proto_v1alpha1_changelog_proto_msgTypes,
 	}.Build()
 	File_changelogs_proto_v1alpha1_changelog_proto = out.File
 	file_changelogs_proto_v1alpha1_changelog_proto_goTypes = nil
 	file_changelogs_proto_v1alpha1_changelog_proto_depIdxs = nil
 }
--- a/apis/changelogs/proto/v1alpha1/changelog.proto
+++ b/apis/changelogs/proto/v1alpha1/changelog.proto
@ -0,0 +1,88 @@
 /*
 Copyright 2024 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 syntax = "proto3";
 import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
 // buf:lint:ignore PACKAGE_DIRECTORY_MATCH
 package changelogs.proto.v1alpha1;
 option go_package = "github.com/crossplane/crossplane-runtime/apis/changelogs/proto/v1alpha1";
 // ChangeLogService is a service that provides the ability to send change log
 // entries.
 service ChangeLogService {
  // SendChangeLog sends a change log entry to the change log service.
  rpc SendChangeLog (SendChangeLogRequest) returns (SendChangeLogResponse) {}
 }
 // SendChangeLogRequest represents a request to send a single change log entry.
 message SendChangeLogRequest {
  // The change log entry to send as part of this request.
  ChangeLogEntry entry = 1;
 }
 // ChangeLogEntry represents a single change log entry, with detailed information
 // about the resource that was changed.
 message ChangeLogEntry {
  // The timestamp at which the change occurred.
  google.protobuf.Timestamp timestamp = 1;
  // The name and version of the provider that is making the change to the
  // resource.
  string provider = 2;
  // The API version of the resource that was changed, e.g. Group/Version.
  string api_version = 3;
  // The kind of the resource that was changed.
  string kind = 4;
  // The name of the resource that was changed.
  string name = 5;
  // The external name of the resource that was changed.
  string external_name = 6;
  // The type of operation that was performed on the resource, e.g. Create,
  // Update, or Delete.
  OperationType operation = 7;
  // A full snapshot of the resource's state, as observed directly before the
  // resource was changed.
  google.protobuf.Struct snapshot = 8;
  // An optional error message that describes any error encountered while
  // performing the operation on the resource.
  optional string error_message = 9;
  // An optional additional details that can be provided for further context
  // about the change.
  map<string, string> additional_details = 10;
 }
 // OperationType represents the type of operation that was performed on a
 // resource.
 enum OperationType {
  OPERATION_TYPE_UNSPECIFIED = 0;
  OPERATION_TYPE_CREATE = 1;
  OPERATION_TYPE_UPDATE = 2;
  OPERATION_TYPE_DELETE = 3;
 }
 // SendChangeLogResponse is the response returned by the ChangeLogService after
 // a change log entry is sent. Currently, this is an empty message as the only
 // useful information expected to sent back at this time will be through errors.
 message SendChangeLogResponse {}
--- a/apis/changelogs/proto/v1alpha1/changelog_grpc.pb.go
+++ b/apis/changelogs/proto/v1alpha1/changelog_grpc.pb.go
@ -0,0 +1,125 @@
 //
 //Copyright 2024 The Crossplane Authors.
 //Licensed under the Apache License, Version 2.0 (the "License");
 //you may not use this file except in compliance with the License.
 //You may obtain a copy of the License at
 //http://www.apache.org/licenses/LICENSE-2.0
 //Unless required by applicable law or agreed to in writing, software
 //distributed under the License is distributed on an "AS IS" BASIS,
 //WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 //See the License for the specific language governing permissions and
 //limitations under the License.
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.3.0
 // - protoc             (unknown)
 // source: changelogs/proto/v1alpha1/changelog.proto
 // buf:lint:ignore PACKAGE_DIRECTORY_MATCH
 package v1alpha1
 import (
 	context "context"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
 )
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 const (
 	ChangeLogService_SendChangeLog_FullMethodName = "/changelogs.proto.v1alpha1.ChangeLogService/SendChangeLog"
 )
 // ChangeLogServiceClient is the client API for ChangeLogService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type ChangeLogServiceClient interface {
 	// SendChangeLog sends a change log entry to the change log service.
 	SendChangeLog(ctx context.Context, in *SendChangeLogRequest, opts ...grpc.CallOption) (*SendChangeLogResponse, error)
 }
 type changeLogServiceClient struct {
 	cc grpc.ClientConnInterface
 }
 func NewChangeLogServiceClient(cc grpc.ClientConnInterface) ChangeLogServiceClient {
 	return &changeLogServiceClient{cc}
 }
 func (c *changeLogServiceClient) SendChangeLog(ctx context.Context, in *SendChangeLogRequest, opts ...grpc.CallOption) (*SendChangeLogResponse, error) {
 	out := new(SendChangeLogResponse)
 	err := c.cc.Invoke(ctx, ChangeLogService_SendChangeLog_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 // ChangeLogServiceServer is the server API for ChangeLogService service.
 // All implementations must embed UnimplementedChangeLogServiceServer
 // for forward compatibility
 type ChangeLogServiceServer interface {
 	// SendChangeLog sends a change log entry to the change log service.
 	SendChangeLog(context.Context, *SendChangeLogRequest) (*SendChangeLogResponse, error)
 	mustEmbedUnimplementedChangeLogServiceServer()
 }
 // UnimplementedChangeLogServiceServer must be embedded to have forward compatible implementations.
 type UnimplementedChangeLogServiceServer struct {
 }
 func (UnimplementedChangeLogServiceServer) SendChangeLog(context.Context, *SendChangeLogRequest) (*SendChangeLogResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SendChangeLog not implemented")
 }
 func (UnimplementedChangeLogServiceServer) mustEmbedUnimplementedChangeLogServiceServer() {}
 // UnsafeChangeLogServiceServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to ChangeLogServiceServer will
 // result in compilation errors.
 type UnsafeChangeLogServiceServer interface {
 	mustEmbedUnimplementedChangeLogServiceServer()
 }
 func RegisterChangeLogServiceServer(s grpc.ServiceRegistrar, srv ChangeLogServiceServer) {
 	s.RegisterService(&ChangeLogService_ServiceDesc, srv)
 }
 func _ChangeLogService_SendChangeLog_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(SendChangeLogRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(ChangeLogServiceServer).SendChangeLog(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: ChangeLogService_SendChangeLog_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(ChangeLogServiceServer).SendChangeLog(ctx, req.(*SendChangeLogRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 // ChangeLogService_ServiceDesc is the grpc.ServiceDesc for ChangeLogService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
 var ChangeLogService_ServiceDesc = grpc.ServiceDesc{
 	ServiceName: "changelogs.proto.v1alpha1.ChangeLogService",
 	HandlerType: (*ChangeLogServiceServer)(nil),
 	Methods: []grpc.MethodDesc{
 		{
 			MethodName: "SendChangeLog",
 			Handler:    _ChangeLogService_SendChangeLog_Handler,
 		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "changelogs/proto/v1alpha1/changelog.proto",
 }
--- a/apis/common/condition.go
+++ b/apis/common/condition.go
@ -0,0 +1,307 @@
 /*
 Copyright 2019 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package common
 import (
 	"sort"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 // A ConditionType represents a condition a resource could be in.
 type ConditionType string
 // Condition types.
 const (
 	// TypeReady resources are believed to be ready to handle work.
 	TypeReady ConditionType = "Ready"
 	// TypeSynced resources are believed to be in sync with the
 	// Kubernetes resources that manage their lifecycle.
 	TypeSynced ConditionType = "Synced"
 	// TypeHealthy resources are believed to be in a healthy state and to have all
 	// of their child resources in a healthy state. For example, a claim is
 	// healthy when the claim is synced and the underlying composite resource is
 	// both synced and healthy. A composite resource is healthy when the composite
 	// resource is synced and all composed resources are synced and, if
 	// applicable, healthy (e.g., the composed resource is a composite resource).
 	// TODO: This condition is not yet implemented. It is currently just reserved
 	// as a system condition. See the tracking issue for more details
 	// https://github.com/crossplane/crossplane/issues/5643.
 	TypeHealthy ConditionType = "Healthy"
 )
 // A ConditionReason represents the reason a resource is in a condition.
 type ConditionReason string
 // Reasons a resource is or is not ready.
 const (
 	ReasonAvailable   ConditionReason = "Available"
 	ReasonUnavailable ConditionReason = "Unavailable"
 	ReasonCreating    ConditionReason = "Creating"
 	ReasonDeleting    ConditionReason = "Deleting"
 )
 // Reasons a resource is or is not synced.
 const (
 	ReasonReconcileSuccess ConditionReason = "ReconcileSuccess"
 	ReasonReconcileError   ConditionReason = "ReconcileError"
 	ReasonReconcilePaused  ConditionReason = "ReconcilePaused"
 )
 // See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
 // A Condition that may apply to a resource.
 type Condition struct { //nolint:recvcheck // False positive - only has non-pointer methods AFAICT.
 	// Type of this condition. At most one of each condition type may apply to
 	// a resource at any point in time.
 	Type ConditionType `json:"type"`
 	// Status of this condition; is it currently True, False, or Unknown?
 	Status corev1.ConditionStatus `json:"status"`
 	// LastTransitionTime is the last time this condition transitioned from one
 	// status to another.
 	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
 	// A Reason for this condition's last transition from one status to another.
 	Reason ConditionReason `json:"reason"`
 	// A Message containing details about this condition's last transition from
 	// one status to another, if any.
 	// +optional
 	Message string `json:"message,omitempty"`
 	// ObservedGeneration represents the .metadata.generation that the condition was set based upon.
 	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
 	// with respect to the current state of the instance.
 	// +optional
 	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 }
 // Equal returns true if the condition is identical to the supplied condition,
 // ignoring the LastTransitionTime.
 func (c Condition) Equal(other Condition) bool {
 	return c.Type == other.Type &&
 		c.Status == other.Status &&
 		c.Reason == other.Reason &&
 		c.Message == other.Message &&
 		c.ObservedGeneration == other.ObservedGeneration
 }
 // WithMessage returns a condition by adding the provided message to existing
 // condition.
 func (c Condition) WithMessage(msg string) Condition {
 	c.Message = msg
 	return c
 }
 // WithObservedGeneration returns a condition by adding the provided observed generation
 // to existing condition.
 func (c Condition) WithObservedGeneration(gen int64) Condition {
 	c.ObservedGeneration = gen
 	return c
 }
 // IsSystemConditionType returns true if the condition is owned by the
 // Crossplane system (e.g, Ready, Synced, Healthy).
 func IsSystemConditionType(t ConditionType) bool {
 	switch t {
 	case TypeReady, TypeSynced, TypeHealthy:
 		return true
 	}
 	return false
 }
 // NOTE(negz): Conditions are implemented as a slice rather than a map to comply
 // with Kubernetes API conventions. Ideally we'd comply by using a map that
 // marshalled to a JSON array, but doing so confuses the CRD schema generator.
 // https://github.com/kubernetes/community/blob/9bf8cd/contributors/devel/sig-architecture/api-conventions.md#lists-of-named-subobjects-preferred-over-maps
 // NOTE(negz): Do not manipulate Conditions directly. Use the Set method.
 // A ConditionedStatus reflects the observed status of a resource. Only
 // one condition of each type may exist.
 type ConditionedStatus struct {
 	// Conditions of the resource.
 	// +listType=map
 	// +listMapKey=type
 	// +optional
 	Conditions []Condition `json:"conditions,omitempty"`
 }
 // NewConditionedStatus returns a stat with the supplied conditions set.
 func NewConditionedStatus(c ...Condition) *ConditionedStatus {
 	s := &ConditionedStatus{}
 	s.SetConditions(c...)
 	return s
 }
 // GetCondition returns the condition for the given ConditionType if exists,
 // otherwise returns nil.
 func (s *ConditionedStatus) GetCondition(ct ConditionType) Condition {
 	for _, c := range s.Conditions {
 		if c.Type == ct {
 			return c
 		}
 	}
 	return Condition{Type: ct, Status: corev1.ConditionUnknown}
 }
 // SetConditions sets the supplied conditions, replacing any existing conditions
 // of the same type. This is a no-op if all supplied conditions are identical,
 // ignoring the last transition time, to those already set.
 func (s *ConditionedStatus) SetConditions(c ...Condition) {
 	for _, cond := range c {
 		exists := false
 		for i, existing := range s.Conditions {
 			if existing.Type != cond.Type {
 				continue
 			}
 			if existing.Equal(cond) {
 				exists = true
 				continue
 			}
 			s.Conditions[i] = cond
 			exists = true
 		}
 		if !exists {
 			s.Conditions = append(s.Conditions, cond)
 		}
 	}
 }
 // Equal returns true if the status is identical to the supplied status,
 // ignoring the LastTransitionTimes and order of statuses.
 func (s *ConditionedStatus) Equal(other *ConditionedStatus) bool {
 	if s == nil || other == nil {
 		return s == nil && other == nil
 	}
 	if len(other.Conditions) != len(s.Conditions) {
 		return false
 	}
 	sc := make([]Condition, len(s.Conditions))
 	copy(sc, s.Conditions)
 	oc := make([]Condition, len(other.Conditions))
 	copy(oc, other.Conditions)
 	// We should not have more than one condition of each type.
 	sort.Slice(sc, func(i, j int) bool { return sc[i].Type < sc[j].Type })
 	sort.Slice(oc, func(i, j int) bool { return oc[i].Type < oc[j].Type })
 	for i := range sc {
 		if !sc[i].Equal(oc[i]) {
 			return false
 		}
 	}
 	return true
 }
 // Creating returns a condition that indicates the resource is currently
 // being created.
 func Creating() Condition {
 	return Condition{
 		Type:               TypeReady,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonCreating,
 	}
 }
 // Deleting returns a condition that indicates the resource is currently
 // being deleted.
 func Deleting() Condition {
 	return Condition{
 		Type:               TypeReady,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonDeleting,
 	}
 }
 // Available returns a condition that indicates the resource is
 // currently observed to be available for use.
 func Available() Condition {
 	return Condition{
 		Type:               TypeReady,
 		Status:             corev1.ConditionTrue,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonAvailable,
 	}
 }
 // Unavailable returns a condition that indicates the resource is not
 // currently available for use. Unavailable should be set only when Crossplane
 // expects the resource to be available but knows it is not, for example
 // because its API reports it is unhealthy.
 func Unavailable() Condition {
 	return Condition{
 		Type:               TypeReady,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonUnavailable,
 	}
 }
 // ReconcileSuccess returns a condition indicating that Crossplane successfully
 // completed the most recent reconciliation of the resource.
 func ReconcileSuccess() Condition {
 	return Condition{
 		Type:               TypeSynced,
 		Status:             corev1.ConditionTrue,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonReconcileSuccess,
 	}
 }
 // ReconcileError returns a condition indicating that Crossplane encountered an
 // error while reconciling the resource. This could mean Crossplane was
 // unable to update the resource to reflect its desired state, or that
 // Crossplane was unable to determine the current actual state of the resource.
 func ReconcileError(err error) Condition {
 	return Condition{
 		Type:               TypeSynced,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonReconcileError,
 		Message:            err.Error(),
 	}
 }
 // ReconcilePaused returns a condition that indicates reconciliation on
 // the managed resource is paused via the pause annotation.
 func ReconcilePaused() Condition {
 	return Condition{
 		Type:               TypeSynced,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonReconcilePaused,
 	}
 }
--- a/apis/common/v1/condition_test.go
+++ b/apis/common/v1/condition_test.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package v1
+package common
 import (
 	"testing"
@ -32,6 +32,25 @@ func TestConditionEqual(t *testing.T) {
 		b    Condition
 		want bool
 	}{
 		"Identical": {
 			a: Condition{
 				Type:               TypeReady,
 				Status:             corev1.ConditionTrue,
 				LastTransitionTime: metav1.Now(),
 				Reason:             ReasonCreating,
 				Message:            "UnitTest",
 				ObservedGeneration: 1,
 			},
 			b: Condition{
 				Type:               TypeReady,
 				Status:             corev1.ConditionTrue,
 				LastTransitionTime: metav1.Now(),
 				Reason:             ReasonCreating,
 				Message:            "UnitTest",
 				ObservedGeneration: 1,
 			},
 			want: true,
 		},
 		"IdenticalIgnoringTimestamp": {
 			a:    Condition{Type: TypeReady, LastTransitionTime: metav1.Now()},
 			b:    Condition{Type: TypeReady, LastTransitionTime: metav1.Now()},
@ -57,6 +76,11 @@ func TestConditionEqual(t *testing.T) {
 			b:    Condition{Message: "uncool"},
 			want: false,
 		},
 		"DifferentObservedGeneration": {
 			a:    Condition{ObservedGeneration: 1},
 			b:    Condition{},
 			want: false,
 		},
 		"CheckReconcilePaused": {
 			a: ReconcilePaused(),
 			b: Condition{
@ -139,6 +163,11 @@ func TestSetConditions(t *testing.T) {
 			c:    []Condition{Available()},
 			want: NewConditionedStatus(Available()),
 		},
 		"ObservedGenerationIsUpdated": {
 			cs:   NewConditionedStatus(Available().WithObservedGeneration(1)),
 			c:    []Condition{Available().WithObservedGeneration(2)},
 			want: NewConditionedStatus(Available().WithObservedGeneration(2)),
 		},
 		"TypeIsDifferent": {
 			cs:   NewConditionedStatus(Creating()),
 			c:    []Condition{Available()},
@ -228,3 +257,64 @@ func TestConditionWithMessage(t *testing.T) {
 		})
 	}
 }
 func TestConditionWithObservedGeneration(t *testing.T) {
 	cases := map[string]struct {
 		c                  Condition
 		observedGeneration int64
 		want               Condition
 	}{
 		"Added": {
 			c:                  Condition{Type: TypeReady, Reason: ReasonUnavailable},
 			observedGeneration: 10,
 			want:               Condition{Type: TypeReady, Reason: ReasonUnavailable, ObservedGeneration: 10},
 		},
 		"Changed": {
 			c:                  Condition{Type: TypeReady, Reason: ReasonUnavailable, ObservedGeneration: 3},
 			observedGeneration: 10,
 			want:               Condition{Type: TypeReady, Reason: ReasonUnavailable, ObservedGeneration: 10},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			got := tc.c.WithObservedGeneration(tc.observedGeneration)
 			if diff := cmp.Diff(tc.want, got); diff != "" {
 				t.Errorf("a.Equal(b): -want, +got:\n%s", diff)
 			}
 		})
 	}
 }
 func TestIsSystemConditionType(t *testing.T) {
 	cases := map[string]struct {
 		c    Condition
 		want bool
 	}{
 		"SystemReady": {
 			c:    Condition{Type: ConditionType("Ready")},
 			want: true,
 		},
 		"SystemSynced": {
 			c:    Condition{Type: ConditionType("Synced")},
 			want: true,
 		},
 		"SystemHealthy": {
 			c:    Condition{Type: ConditionType("Healthy")},
 			want: true,
 		},
 		"Custom": {
 			c:    Condition{Type: ConditionType("Custom")},
 			want: false,
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			if diff := cmp.Diff(tc.want, IsSystemConditionType(tc.c.Type)); diff != "" {
 				t.Errorf("IsSystemConditionType(tc.c.Type): -want, +got:\n%s", diff)
 			}
 		})
 	}
 }
--- a/apis/common/doc.go
+++ b/apis/common/doc.go
@ -0,0 +1,3 @@
 // Package common contains core API types used by most Crossplane resources.
 // +kubebuilder:object:generate=true
 package common
--- a/apis/common/merge.go
+++ b/apis/common/merge.go
@ -0,0 +1,54 @@
 /*
 Copyright 2021 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package common
 import (
 	"dario.cat/mergo"
 )
 // MergeOptions Specifies merge options on a field path.
 type MergeOptions struct { // TODO(aru): add more options that control merging behavior
 	// Specifies that already existing values in a merged map should be preserved
 	// +optional
 	KeepMapValues *bool `json:"keepMapValues,omitempty"`
 	// Specifies that already existing elements in a merged slice should be preserved
 	// +optional
 	AppendSlice *bool `json:"appendSlice,omitempty"`
 }
 // MergoConfiguration the default behavior is to replace maps and slices.
 func (mo *MergeOptions) MergoConfiguration() []func(*mergo.Config) {
 	config := []func(*mergo.Config){mergo.WithOverride}
 	if mo == nil {
 		return config
 	}
 	if mo.KeepMapValues != nil && *mo.KeepMapValues {
 		config = config[:0]
 	}
 	if mo.AppendSlice != nil && *mo.AppendSlice {
 		config = append(config, mergo.WithAppendSlice)
 	}
 	return config
 }
 // IsAppendSlice returns true if mo.AppendSlice is set to true.
 func (mo *MergeOptions) IsAppendSlice() bool {
 	return mo != nil && mo.AppendSlice != nil && *mo.AppendSlice
 }
--- a/apis/common/v1/merge_test.go
+++ b/apis/common/v1/merge_test.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package v1
+package common
 import (
 	"reflect"
@ -33,12 +33,15 @@ func (arr mergoOptArr) names() []string {
 	for i, opt := range arr {
 		names[i] = runtime.FuncForPC(reflect.ValueOf(opt).Pointer()).Name()
 	}
 	sort.Strings(names)
 	return names
 }
 func TestMergoConfiguration(t *testing.T) {
 	valTrue := true
 	tests := map[string]struct {
 		mo   *MergeOptions
 		want mergoOptArr
@ -84,7 +87,6 @@ func TestMergoConfiguration(t *testing.T) {
 			if diff := cmp.Diff(tc.want.names(), mergoOptArr(tc.mo.MergoConfiguration()).names()); diff != "" {
 				t.Errorf("\nmo.MergoConfiguration(): -want, +got:\n %s", diff)
 			}
 		})
 	}
 }
--- a/apis/common/observation.go
+++ b/apis/common/observation.go
@ -0,0 +1,37 @@
 /*
 Copyright 2024 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package common
 // ObservedStatus contains the recent reconciliation stats.
 type ObservedStatus struct {
 	// ObservedGeneration is the latest metadata.generation
 	// which resulted in either a ready state, or stalled due to error
 	// it can not recover from without human intervention.
 	// +optional
 	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 }
 // SetObservedGeneration sets the generation of the main resource
 // during the last reconciliation.
 func (s *ObservedStatus) SetObservedGeneration(generation int64) {
 	s.ObservedGeneration = generation
 }
 // GetObservedGeneration returns the last observed generation of the main resource.
 func (s *ObservedStatus) GetObservedGeneration() int64 {
 	return s.ObservedGeneration
 }
--- a/apis/common/policies.go
+++ b/apis/common/policies.go
@ -0,0 +1,120 @@
 /*
 Copyright 2019 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package common
 // ManagementPolicies determine how should Crossplane controllers manage an
 // external resource through an array of ManagementActions.
 type ManagementPolicies []ManagementAction
 // A ManagementAction represents an action that the Crossplane controllers
 // can take on an external resource.
 // +kubebuilder:validation:Enum=Observe;Create;Update;Delete;LateInitialize;*
 type ManagementAction string
 const (
 	// ManagementActionObserve means that the managed resource status.atProvider
 	// will be updated with the external resource state.
 	ManagementActionObserve ManagementAction = "Observe"
 	// ManagementActionCreate means that the external resource will be created
 	// using the managed resource spec.initProvider and spec.forProvider.
 	ManagementActionCreate ManagementAction = "Create"
 	// ManagementActionUpdate means that the external resource will be updated
 	// using the managed resource spec.forProvider.
 	ManagementActionUpdate ManagementAction = "Update"
 	// ManagementActionDelete means that the external resource will be deleted
 	// when the managed resource is deleted.
 	ManagementActionDelete ManagementAction = "Delete"
 	// ManagementActionLateInitialize means that unspecified fields of the managed
 	// resource spec.forProvider will be updated with the external resource state.
 	ManagementActionLateInitialize ManagementAction = "LateInitialize"
 	// ManagementActionAll means that all of the above actions will be taken
 	// by the Crossplane controllers.
 	ManagementActionAll ManagementAction = "*"
 )
 // A DeletionPolicy determines what should happen to the underlying external
 // resource when a managed resource is deleted.
 // +kubebuilder:validation:Enum=Orphan;Delete
 type DeletionPolicy string
 const (
 	// DeletionOrphan means the external resource will be orphaned when its
 	// managed resource is deleted.
 	DeletionOrphan DeletionPolicy = "Orphan"
 	// DeletionDelete means both the  external resource will be deleted when its
 	// managed resource is deleted.
 	DeletionDelete DeletionPolicy = "Delete"
 )
 // A CompositeDeletePolicy determines how the composite resource should be deleted
 // when the corresponding claim is deleted.
 // +kubebuilder:validation:Enum=Background;Foreground
 type CompositeDeletePolicy string
 const (
 	// CompositeDeleteBackground means the composite resource will be deleted using
 	// the Background Propagation Policy when the claim is deleted.
 	CompositeDeleteBackground CompositeDeletePolicy = "Background"
 	// CompositeDeleteForeground means the composite resource will be deleted using
 	// the Foreground Propagation Policy when the claim is deleted.
 	CompositeDeleteForeground CompositeDeletePolicy = "Foreground"
 )
 // An UpdatePolicy determines how something should be updated - either
 // automatically (without human intervention) or manually.
 // +kubebuilder:validation:Enum=Automatic;Manual
 type UpdatePolicy string
 const (
 	// UpdateAutomatic means the resource should be updated automatically,
 	// without any human intervention.
 	UpdateAutomatic UpdatePolicy = "Automatic"
 	// UpdateManual means the resource requires human intervention to
 	// update.
 	UpdateManual UpdatePolicy = "Manual"
 )
 // ResolvePolicy is a type for resolve policy.
 type ResolvePolicy string
 // ResolutionPolicy is a type for resolution policy.
 type ResolutionPolicy string
 const (
 	// ResolvePolicyAlways is a resolve option.
 	// When the ResolvePolicy is set to ResolvePolicyAlways the reference will
 	// be tried to resolve for every reconcile loop.
 	ResolvePolicyAlways ResolvePolicy = "Always"
 	// ResolutionPolicyRequired is a resolution option.
 	// When the ResolutionPolicy is set to ResolutionPolicyRequired the execution
 	// could not continue even if the reference cannot be resolved.
 	ResolutionPolicyRequired ResolutionPolicy = "Required"
 	// ResolutionPolicyOptional is a resolution option.
 	// When the ReferenceResolutionPolicy is set to ReferencePolicyOptional the
 	// execution could continue even if the reference cannot be resolved.
 	ResolutionPolicyOptional ResolutionPolicy = "Optional"
 )
--- a/apis/common/resource.go
+++ b/apis/common/resource.go
@ -0,0 +1,328 @@
 /*
 Copyright 2019 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package common
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 )
 const (
 	// ResourceCredentialsSecretEndpointKey is the key inside a connection secret for the connection endpoint.
 	ResourceCredentialsSecretEndpointKey = "endpoint"
 	// ResourceCredentialsSecretPortKey is the key inside a connection secret for the connection port.
 	ResourceCredentialsSecretPortKey = "port"
 	// ResourceCredentialsSecretUserKey is the key inside a connection secret for the connection user.
 	ResourceCredentialsSecretUserKey = "username"
 	// ResourceCredentialsSecretPasswordKey is the key inside a connection secret for the connection password.
 	ResourceCredentialsSecretPasswordKey = "password"
 	// ResourceCredentialsSecretCAKey is the key inside a connection secret for the server CA certificate.
 	ResourceCredentialsSecretCAKey = "clusterCA"
 	// ResourceCredentialsSecretClientCertKey is the key inside a connection secret for the client certificate.
 	ResourceCredentialsSecretClientCertKey = "clientCert"
 	// ResourceCredentialsSecretClientKeyKey is the key inside a connection secret for the client key.
 	ResourceCredentialsSecretClientKeyKey = "clientKey"
 	// ResourceCredentialsSecretTokenKey is the key inside a connection secret for the bearer token value.
 	ResourceCredentialsSecretTokenKey = "token"
 	// ResourceCredentialsSecretKubeconfigKey is the key inside a connection secret for the raw kubeconfig yaml.
 	ResourceCredentialsSecretKubeconfigKey = "kubeconfig"
 )
 // LabelKeyProviderKind is added to ProviderConfigUsages to relate them to their
 // ProviderConfig.
 const LabelKeyProviderKind = "crossplane.io/provider-config-kind"
 // LabelKeyProviderName is added to ProviderConfigUsages to relate them to their
 // ProviderConfig.
 const LabelKeyProviderName = "crossplane.io/provider-config"
 // NOTE(negz): The below secret references differ from ObjectReference and
 // LocalObjectReference in that they include only the fields Crossplane needs to
 // reference a secret, and make those fields required. This reduces ambiguity in
 // the API for resource authors.
 // A LocalSecretReference is a reference to a secret in the same namespace as
 // the referencer.
 type LocalSecretReference struct {
 	// Name of the secret.
 	Name string `json:"name"`
 }
 // A SecretReference is a reference to a secret in an arbitrary namespace.
 type SecretReference struct {
 	// Name of the secret.
 	Name string `json:"name"`
 	// Namespace of the secret.
 	Namespace string `json:"namespace"`
 }
 // A SecretKeySelector is a reference to a secret key in an arbitrary namespace.
 type SecretKeySelector struct {
 	SecretReference `json:",inline"`
 	// The key to select.
 	Key string `json:"key"`
 }
 // A LocalSecretKeySelector is a reference to a secret key
 // in the same namespace with the referencing object.
 type LocalSecretKeySelector struct {
 	LocalSecretReference `json:",inline"`
 	Key string `json:"key"`
 }
 // ToSecretKeySelector is a convenience method for converting the
 // LocalSecretKeySelector to a SecretKeySelector with the given namespace.
 func (ls *LocalSecretKeySelector) ToSecretKeySelector(namespace string) *SecretKeySelector {
 	return &SecretKeySelector{
 		SecretReference: SecretReference{
 			Name:      ls.Name,
 			Namespace: namespace,
 		},
 		Key: ls.Key,
 	}
 }
 // Policy represents the Resolve and Resolution policies of Reference instance.
 type Policy struct {
 	// Resolve specifies when this reference should be resolved. The default
 	// is 'IfNotPresent', which will attempt to resolve the reference only when
 	// the corresponding field is not present. Use 'Always' to resolve the
 	// reference on every reconcile.
 	// +optional
 	// +kubebuilder:validation:Enum=Always;IfNotPresent
 	Resolve *ResolvePolicy `json:"resolve,omitempty"`
 	// Resolution specifies whether resolution of this reference is required.
 	// The default is 'Required', which means the reconcile will fail if the
 	// reference cannot be resolved. 'Optional' means this reference will be
 	// a no-op if it cannot be resolved.
 	// +optional
 	// +kubebuilder:default=Required
 	// +kubebuilder:validation:Enum=Required;Optional
 	Resolution *ResolutionPolicy `json:"resolution,omitempty"`
 }
 // IsResolutionPolicyOptional checks whether the resolution policy of relevant reference is Optional.
 func (p *Policy) IsResolutionPolicyOptional() bool {
 	if p == nil || p.Resolution == nil {
 		return false
 	}
 	return *p.Resolution == ResolutionPolicyOptional
 }
 // IsResolvePolicyAlways checks whether the resolution policy of relevant reference is Always.
 func (p *Policy) IsResolvePolicyAlways() bool {
 	if p == nil || p.Resolve == nil {
 		return false
 	}
 	return *p.Resolve == ResolvePolicyAlways
 }
 // A Reference to a named object.
 type Reference struct {
 	// Name of the referenced object.
 	Name string `json:"name"`
 	// Policies for referencing.
 	// +optional
 	Policy *Policy `json:"policy,omitempty"`
 }
 // A NamespacedReference to a named object.
 type NamespacedReference struct {
 	// Name of the referenced object.
 	Name string `json:"name"`
 	// Namespace of the referenced object
 	// +optional
 	Namespace string `json:"namespace,omitempty"`
 	// Policies for referencing.
 	// +optional
 	Policy *Policy `json:"policy,omitempty"`
 }
 // A TypedReference refers to an object by Name, Kind, and APIVersion. It is
 // commonly used to reference cluster-scoped objects or objects where the
 // namespace is already known.
 type TypedReference struct {
 	// APIVersion of the referenced object.
 	APIVersion string `json:"apiVersion"`
 	// Kind of the referenced object.
 	Kind string `json:"kind"`
 	// Name of the referenced object.
 	Name string `json:"name"`
 	// UID of the referenced object.
 	// +optional
 	UID types.UID `json:"uid,omitempty"`
 }
 // A Selector selects an object.
 type Selector struct {
 	// MatchLabels ensures an object with matching labels is selected.
 	MatchLabels map[string]string `json:"matchLabels,omitempty"`
 	// MatchControllerRef ensures an object with the same controller reference
 	// as the selecting object is selected.
 	MatchControllerRef *bool `json:"matchControllerRef,omitempty"`
 	// Policies for selection.
 	// +optional
 	Policy *Policy `json:"policy,omitempty"`
 }
 // NamespacedSelector selects a namespaced object.
 type NamespacedSelector struct {
 	// MatchLabels ensures an object with matching labels is selected.
 	MatchLabels map[string]string `json:"matchLabels,omitempty"`
 	// MatchControllerRef ensures an object with the same controller reference
 	// as the selecting object is selected.
 	MatchControllerRef *bool `json:"matchControllerRef,omitempty"`
 	// Policies for selection.
 	// +optional
 	Policy *Policy `json:"policy,omitempty"`
 	// Namespace for the selector
 	// +optional
 	Namespace string `json:"namespace,omitempty"`
 }
 // ProviderConfigReference is a typed reference to a ProviderConfig
 // object, with a known api group.
 type ProviderConfigReference struct {
 	// Kind of the referenced object.
 	Kind string `json:"kind"`
 	// Name of the referenced object.
 	Name string `json:"name"`
 }
 // SetGroupVersionKind sets the Kind and APIVersion of a TypedReference.
 func (obj *TypedReference) SetGroupVersionKind(gvk schema.GroupVersionKind) {
 	obj.APIVersion, obj.Kind = gvk.ToAPIVersionAndKind()
 }
 // GroupVersionKind gets the GroupVersionKind of a TypedReference.
 func (obj *TypedReference) GroupVersionKind() schema.GroupVersionKind {
 	return schema.FromAPIVersionAndKind(obj.APIVersion, obj.Kind)
 }
 // GetObjectKind get the ObjectKind of a TypedReference.
 func (obj *TypedReference) GetObjectKind() schema.ObjectKind { return obj }
 // ResourceStatus represents the observed state of a managed resource.
 type ResourceStatus struct {
 	ConditionedStatus `json:",inline"`
 	ObservedStatus    `json:",inline"`
 }
 // A CredentialsSource is a source from which provider credentials may be
 // acquired.
 type CredentialsSource string
 const (
 	// CredentialsSourceNone indicates that a provider does not require
 	// credentials.
 	CredentialsSourceNone CredentialsSource = "None"
 	// CredentialsSourceSecret indicates that a provider should acquire
 	// credentials from a secret.
 	CredentialsSourceSecret CredentialsSource = "Secret"
 	// CredentialsSourceInjectedIdentity indicates that a provider should use
 	// credentials via its (pod's) identity; i.e. via IRSA for AWS,
 	// Workload Identity for GCP, Pod Identity for Azure, or in-cluster
 	// authentication for the Kubernetes API.
 	CredentialsSourceInjectedIdentity CredentialsSource = "InjectedIdentity"
 	// CredentialsSourceEnvironment indicates that a provider should acquire
 	// credentials from an environment variable.
 	CredentialsSourceEnvironment CredentialsSource = "Environment"
 	// CredentialsSourceFilesystem indicates that a provider should acquire
 	// credentials from the filesystem.
 	CredentialsSourceFilesystem CredentialsSource = "Filesystem"
 )
 // CommonCredentialSelectors provides common selectors for extracting
 // credentials.
 //
 //nolint:revive // preserve backward-compatibility
 type CommonCredentialSelectors struct {
 	// Fs is a reference to a filesystem location that contains credentials that
 	// must be used to connect to the provider.
 	// +optional
 	Fs *FsSelector `json:"fs,omitempty"`
 	// Env is a reference to an environment variable that contains credentials
 	// that must be used to connect to the provider.
 	// +optional
 	Env *EnvSelector `json:"env,omitempty"`
 	// A SecretRef is a reference to a secret key that contains the credentials
 	// that must be used to connect to the provider.
 	// +optional
 	SecretRef *SecretKeySelector `json:"secretRef,omitempty"`
 }
 // EnvSelector selects an environment variable.
 type EnvSelector struct {
 	// Name is the name of an environment variable.
 	Name string `json:"name"`
 }
 // FsSelector selects a filesystem location.
 type FsSelector struct {
 	// Path is a filesystem path.
 	Path string `json:"path"`
 }
 // A ProviderConfigStatus defines the observed status of a ProviderConfig.
 type ProviderConfigStatus struct {
 	ConditionedStatus `json:",inline"`
 	// Users of this provider configuration.
 	Users int64 `json:"users,omitempty"`
 }
 // A ProviderConfigUsage is a record that a particular managed resource is using
 // a particular provider configuration.
 type ProviderConfigUsage struct {
 	// ProviderConfigReference to the provider config being used.
 	ProviderConfigReference Reference `json:"providerConfigRef"`
 	// ResourceReference to the managed resource using the provider config.
 	ResourceReference TypedReference `json:"resourceRef"`
 }
 // A TypedProviderConfigUsage is a record that a particular managed resource is using
 // a particular provider configuration.
 type TypedProviderConfigUsage struct {
 	// ProviderConfigReference to the provider config being used.
 	ProviderConfigReference ProviderConfigReference `json:"providerConfigRef"`
 	// ResourceReference to the managed resource using the provider config.
 	ResourceReference TypedReference `json:"resourceRef"`
 }
--- a/apis/common/v1/condition.go
+++ b/apis/common/v1/condition.go
@ -17,79 +17,60 @@ limitations under the License.
 package v1
 import (
-	"sort"
+	"github.com/crossplane/crossplane-runtime/apis/common"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 // A ConditionType represents a condition a resource could be in.
-type ConditionType string
+type ConditionType = common.ConditionType
 // Condition types.
 const (
 	// TypeReady resources are believed to be ready to handle work.
-	TypeReady ConditionType = "Ready"
+	TypeReady ConditionType = common.TypeReady
 	// TypeSynced resources are believed to be in sync with the
 	// Kubernetes resources that manage their lifecycle.
-	TypeSynced ConditionType = "Synced"
+	TypeSynced ConditionType = common.TypeSynced
 	// TypeHealthy resources are believed to be in a healthy state and to have all
 	// of their child resources in a healthy state. For example, a claim is
 	// healthy when the claim is synced and the underlying composite resource is
 	// both synced and healthy. A composite resource is healthy when the composite
 	// resource is synced and all composed resources are synced and, if
 	// applicable, healthy (e.g., the composed resource is a composite resource).
 	// TODO: This condition is not yet implemented. It is currently just reserved
 	// as a system condition. See the tracking issue for more details
 	// https://github.com/crossplane/crossplane/issues/5643.
 	TypeHealthy ConditionType = common.TypeHealthy
 )
 // A ConditionReason represents the reason a resource is in a condition.
-type ConditionReason string
+type ConditionReason = common.ConditionReason
 // Reasons a resource is or is not ready.
 const (
-	ReasonAvailable   ConditionReason = "Available"
+	ReasonAvailable   = common.ReasonAvailable
-	ReasonUnavailable ConditionReason = "Unavailable"
+	ReasonUnavailable = common.ReasonUnavailable
-	ReasonCreating    ConditionReason = "Creating"
+	ReasonCreating    = common.ReasonCreating
-	ReasonDeleting    ConditionReason = "Deleting"
+	ReasonDeleting    = common.ReasonDeleting
 )
 // Reasons a resource is or is not synced.
 const (
-	ReasonReconcileSuccess ConditionReason = "ReconcileSuccess"
+	ReasonReconcileSuccess = common.ReasonReconcileSuccess
-	ReasonReconcileError   ConditionReason = "ReconcileError"
+	ReasonReconcileError   = common.ReasonReconcileError
-	ReasonReconcilePaused  ConditionReason = "ReconcilePaused"
+	ReasonReconcilePaused  = common.ReasonReconcilePaused
 )
 // See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
 // A Condition that may apply to a resource.
-type Condition struct {
+type Condition = common.Condition
 	// Type of this condition. At most one of each condition type may apply to
 	// a resource at any point in time.
 	Type ConditionType `json:"type"`
-	// Status of this condition; is it currently True, False, or Unknown?
+// IsSystemConditionType returns true if the condition is owned by the
-	Status corev1.ConditionStatus `json:"status"`
+// Crossplane system (e.g, Ready, Synced, Healthy).
-
+func IsSystemConditionType(t ConditionType) bool {
-	// LastTransitionTime is the last time this condition transitioned from one
+	return common.IsSystemConditionType(t)
 	// status to another.
 	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
 	// A Reason for this condition's last transition from one status to another.
 	Reason ConditionReason `json:"reason"`
 	// A Message containing details about this condition's last transition from
 	// one status to another, if any.
 	// +optional
 	Message string `json:"message,omitempty"`
 }
 // Equal returns true if the condition is identical to the supplied condition,
 // ignoring the LastTransitionTime.
 func (c Condition) Equal(other Condition) bool {
 	return c.Type == other.Type &&
 		c.Status == other.Status &&
 		c.Reason == other.Reason &&
 		c.Message == other.Message
 }
 // WithMessage returns a condition by adding the provided message to existing
 // condition.
 func (c Condition) WithMessage(msg string) Condition {
 	c.Message = msg
 	return c
 }
 // NOTE(negz): Conditions are implemented as a slice rather than a map to comply
@ -101,119 +82,29 @@ func (c Condition) WithMessage(msg string) Condition {
 // A ConditionedStatus reflects the observed status of a resource. Only
 // one condition of each type may exist.
-type ConditionedStatus struct {
+type ConditionedStatus = common.ConditionedStatus
 	// Conditions of the resource.
 	// +listType=map
 	// +listMapKey=type
 	// +optional
 	Conditions []Condition `json:"conditions,omitempty"`
 }
 // NewConditionedStatus returns a stat with the supplied conditions set.
 func NewConditionedStatus(c ...Condition) *ConditionedStatus {
-	s := &ConditionedStatus{}
+	return common.NewConditionedStatus(c...)
 	s.SetConditions(c...)
 	return s
 }
 // GetCondition returns the condition for the given ConditionType if exists,
 // otherwise returns nil
 func (s *ConditionedStatus) GetCondition(ct ConditionType) Condition {
 	for _, c := range s.Conditions {
 		if c.Type == ct {
 			return c
 		}
 	}
 	return Condition{Type: ct, Status: corev1.ConditionUnknown}
 }
 // SetConditions sets the supplied conditions, replacing any existing conditions
 // of the same type. This is a no-op if all supplied conditions are identical,
 // ignoring the last transition time, to those already set.
 func (s *ConditionedStatus) SetConditions(c ...Condition) {
 	for _, new := range c {
 		exists := false
 		for i, existing := range s.Conditions {
 			if existing.Type != new.Type {
 				continue
 			}
 			if existing.Equal(new) {
 				exists = true
 				continue
 			}
 			s.Conditions[i] = new
 			exists = true
 		}
 		if !exists {
 			s.Conditions = append(s.Conditions, new)
 		}
 	}
 }
 // Equal returns true if the status is identical to the supplied status,
 // ignoring the LastTransitionTimes and order of statuses.
 func (s *ConditionedStatus) Equal(other *ConditionedStatus) bool {
 	if s == nil || other == nil {
 		return s == nil && other == nil
 	}
 	if len(other.Conditions) != len(s.Conditions) {
 		return false
 	}
 	sc := make([]Condition, len(s.Conditions))
 	copy(sc, s.Conditions)
 	oc := make([]Condition, len(other.Conditions))
 	copy(oc, other.Conditions)
 	// We should not have more than one condition of each type.
 	sort.Slice(sc, func(i, j int) bool { return sc[i].Type < sc[j].Type })
 	sort.Slice(oc, func(i, j int) bool { return oc[i].Type < oc[j].Type })
 	for i := range sc {
 		if !sc[i].Equal(oc[i]) {
 			return false
 		}
 	}
 	return true
 }
 // Creating returns a condition that indicates the resource is currently
 // being created.
 func Creating() Condition {
-	return Condition{
+	return common.Creating()
 		Type:               TypeReady,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonCreating,
 	}
 }
 // Deleting returns a condition that indicates the resource is currently
 // being deleted.
 func Deleting() Condition {
-	return Condition{
+	return common.Deleting()
 		Type:               TypeReady,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonDeleting,
 	}
 }
 // Available returns a condition that indicates the resource is
 // currently observed to be available for use.
 func Available() Condition {
-	return Condition{
+	return common.Available()
 		Type:               TypeReady,
 		Status:             corev1.ConditionTrue,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonAvailable,
 	}
 }
 // Unavailable returns a condition that indicates the resource is not
@ -221,23 +112,13 @@ func Available() Condition {
 // expects the resource to be available but knows it is not, for example
 // because its API reports it is unhealthy.
 func Unavailable() Condition {
-	return Condition{
+	return common.Unavailable()
 		Type:               TypeReady,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonUnavailable,
 	}
 }
 // ReconcileSuccess returns a condition indicating that Crossplane successfully
 // completed the most recent reconciliation of the resource.
 func ReconcileSuccess() Condition {
-	return Condition{
+	return common.ReconcileSuccess()
 		Type:               TypeSynced,
 		Status:             corev1.ConditionTrue,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonReconcileSuccess,
 	}
 }
 // ReconcileError returns a condition indicating that Crossplane encountered an
@ -245,22 +126,11 @@ func ReconcileSuccess() Condition {
 // unable to update the resource to reflect its desired state, or that
 // Crossplane was unable to determine the current actual state of the resource.
 func ReconcileError(err error) Condition {
-	return Condition{
+	return common.ReconcileError(err)
 		Type:               TypeSynced,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonReconcileError,
 		Message:            err.Error(),
 	}
 }
 // ReconcilePaused returns a condition that indicates reconciliation on
 // the managed resource is paused via the pause annotation.
 func ReconcilePaused() Condition {
-	return Condition{
+	return common.ReconcilePaused()
 		Type:               TypeSynced,
 		Status:             corev1.ConditionFalse,
 		LastTransitionTime: metav1.Now(),
 		Reason:             ReasonReconcilePaused,
 	}
 }
--- a/apis/common/v1/connection_details.go
+++ b/apis/common/v1/connection_details.go
@ -1,165 +0,0 @@
 /*
 Copyright 2019 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package v1
 import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 const (
 	// LabelKeyOwnerUID is the UID of the owner resource of a connection secret.
 	// Kubernetes provides owner/controller references to track ownership of
 	// resources including secrets, however, this would only work for in cluster
 	// k8s secrets. We opted to use a label for this purpose to be consistent
 	// across Secret Store implementations and expect all to support
 	// setting/getting labels.
 	LabelKeyOwnerUID = "secret.crossplane.io/owner-uid"
 )
 // PublishConnectionDetailsTo represents configuration of a connection secret.
 type PublishConnectionDetailsTo struct {
 	// Name is the name of the connection secret.
 	Name string `json:"name"`
 	// Metadata is the metadata for connection secret.
 	// +optional
 	Metadata *ConnectionSecretMetadata `json:"metadata,omitempty"`
 	// SecretStoreConfigRef specifies which secret store config should be used
 	// for this ConnectionSecret.
 	// +optional
 	// +kubebuilder:default={"name": "default"}
 	SecretStoreConfigRef *Reference `json:"configRef,omitempty"`
 }
 // ConnectionSecretMetadata represents metadata of a connection secret.
 // Labels are used to track ownership of connection secrets and has to be
 // supported for any secret store implementation.
 type ConnectionSecretMetadata struct {
 	// Labels are the labels/tags to be added to connection secret.
 	// - For Kubernetes secrets, this will be used as "metadata.labels".
 	// - It is up to Secret Store implementation for others store types.
 	// +optional
 	Labels map[string]string `json:"labels,omitempty"`
 	// Annotations are the annotations to be added to connection secret.
 	// - For Kubernetes secrets, this will be used as "metadata.annotations".
 	// - It is up to Secret Store implementation for others store types.
 	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`
 	// Type is the SecretType for the connection secret.
 	// - Only valid for Kubernetes Secret Stores.
 	// +optional
 	Type *corev1.SecretType `json:"type,omitempty"`
 }
 // SetOwnerUID sets owner object uid label.
 func (in *ConnectionSecretMetadata) SetOwnerUID(uid types.UID) {
 	if in.Labels == nil {
 		in.Labels = map[string]string{}
 	}
 	in.Labels[LabelKeyOwnerUID] = string(uid)
 }
 // GetOwnerUID gets owner object uid.
 func (in *ConnectionSecretMetadata) GetOwnerUID() string {
 	if u, ok := in.Labels[LabelKeyOwnerUID]; ok {
 		return u
 	}
 	return ""
 }
 // SecretStoreType represents a secret store type.
 // +kubebuilder:validation:Enum=Kubernetes;Vault;Plugin
 type SecretStoreType string
 const (
 	// SecretStoreKubernetes indicates that secret store type is
 	// Kubernetes. In other words, connection secrets will be stored as K8s
 	// Secrets.
 	SecretStoreKubernetes SecretStoreType = "Kubernetes"
 	// SecretStorePlugin indicates that secret store type is Plugin and will be used with external secret stores.
 	SecretStorePlugin SecretStoreType = "Plugin"
 )
 // SecretStoreConfig represents configuration of a Secret Store.
 type SecretStoreConfig struct {
 	// Type configures which secret store to be used. Only the configuration
 	// block for this store will be used and others will be ignored if provided.
 	// Default is Kubernetes.
 	// +optional
 	// +kubebuilder:default=Kubernetes
 	Type *SecretStoreType `json:"type,omitempty"`
 	// DefaultScope used for scoping secrets for "cluster-scoped" resources.
 	// If store type is "Kubernetes", this would mean the default namespace to
 	// store connection secrets for cluster scoped resources.
 	// In case of "Vault", this would be used as the default parent path.
 	// Typically, should be set as Crossplane installation namespace.
 	DefaultScope string `json:"defaultScope"`
 	// Kubernetes configures a Kubernetes secret store.
 	// If the "type" is "Kubernetes" but no config provided, in cluster config
 	// will be used.
 	// +optional
 	Kubernetes *KubernetesSecretStoreConfig `json:"kubernetes,omitempty"`
 	// Plugin configures External secret store as a plugin.
 	// +optional
 	Plugin *PluginStoreConfig `json:"plugin,omitempty"`
 }
 // PluginStoreConfig represents configuration of an External Secret Store.
 type PluginStoreConfig struct {
 	// Endpoint is the endpoint of the gRPC server.
 	Endpoint string `json:"endpoint,omitempty"`
 	// ConfigRef contains store config reference info.
 	ConfigRef Config `json:"configRef,omitempty"`
 }
 // Config contains store config reference info.
 type Config struct {
 	// APIVersion of the referenced config.
 	APIVersion string `json:"apiVersion"`
 	// Kind of the referenced config.
 	Kind string `json:"kind"`
 	// Name of the referenced config.
 	Name string `json:"name"`
 }
 // KubernetesAuthConfig required to authenticate to a K8s API. It expects
 // a "kubeconfig" file to be provided.
 type KubernetesAuthConfig struct {
 	// Source of the credentials.
 	// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
 	Source CredentialsSource `json:"source"`
 	// CommonCredentialSelectors provides common selectors for extracting
 	// credentials.
 	CommonCredentialSelectors `json:",inline"`
 }
 // KubernetesSecretStoreConfig represents the required configuration
 // for a Kubernetes secret store.
 type KubernetesSecretStoreConfig struct {
 	// Credentials used to connect to the Kubernetes API.
 	Auth KubernetesAuthConfig `json:"auth"`
 	// TODO(turkenh): Support additional identities like
 	// https://github.com/crossplane-contrib/provider-kubernetes/blob/4d722ef914e6964e80e190317daca9872ae98738/apis/v1alpha1/types.go#L34
 }
--- a/apis/common/v1/merge.go
+++ b/apis/common/v1/merge.go
@ -17,36 +17,8 @@ limitations under the License.
 package v1
 import (
-	"dario.cat/mergo"
+	"github.com/crossplane/crossplane-runtime/apis/common"
 )
-// MergeOptions Specifies merge options on a field path
+// MergeOptions Specifies merge options on a field path.
-type MergeOptions struct { // TODO(aru): add more options that control merging behavior
+type MergeOptions = common.MergeOptions
 	// Specifies that already existing values in a merged map should be preserved
 	// +optional
 	KeepMapValues *bool `json:"keepMapValues,omitempty"`
 	// Specifies that already existing elements in a merged slice should be preserved
 	// +optional
 	AppendSlice *bool `json:"appendSlice,omitempty"`
 }
 // MergoConfiguration the default behavior is to replace maps and slices
 func (mo *MergeOptions) MergoConfiguration() []func(*mergo.Config) {
 	config := []func(*mergo.Config){mergo.WithOverride}
 	if mo == nil {
 		return config
 	}
 	if mo.KeepMapValues != nil && *mo.KeepMapValues {
 		config = config[:0]
 	}
 	if mo.AppendSlice != nil && *mo.AppendSlice {
 		config = append(config, mergo.WithAppendSlice)
 	}
 	return config
 }
 // IsAppendSlice returns true if mo.AppendSlice is set to true
 func (mo *MergeOptions) IsAppendSlice() bool {
 	return mo != nil && mo.AppendSlice != nil && *mo.AppendSlice
 }
--- a/apis/common/v1/observation.go
+++ b/apis/common/v1/observation.go
@ -0,0 +1,24 @@
 /*
 Copyright 2024 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package v1
 import (
 	"github.com/crossplane/crossplane-runtime/apis/common"
 )
 // ObservedStatus contains the recent reconciliation stats.
 type ObservedStatus = common.ObservedStatus
--- a/apis/common/v1/policies.go
+++ b/apis/common/v1/policies.go
@ -16,39 +16,42 @@ limitations under the License.
 package v1
 import (
 	"github.com/crossplane/crossplane-runtime/apis/common"
 )
 // ManagementPolicies determine how should Crossplane controllers manage an
 // external resource through an array of ManagementActions.
-type ManagementPolicies []ManagementAction
+type ManagementPolicies = common.ManagementPolicies
 // A ManagementAction represents an action that the Crossplane controllers
 // can take on an external resource.
-// +kubebuilder:validation:Enum=Observe;Create;Update;Delete;LateInitialize;*
+type ManagementAction = common.ManagementAction
 type ManagementAction string
 const (
 	// ManagementActionObserve means that the managed resource status.atProvider
 	// will be updated with the external resource state.
-	ManagementActionObserve ManagementAction = "Observe"
+	ManagementActionObserve = common.ManagementActionObserve
 	// ManagementActionCreate means that the external resource will be created
 	// using the managed resource spec.initProvider and spec.forProvider.
-	ManagementActionCreate ManagementAction = "Create"
+	ManagementActionCreate = common.ManagementActionCreate
 	// ManagementActionUpdate means that the external resource will be updated
 	// using the managed resource spec.forProvider.
-	ManagementActionUpdate ManagementAction = "Update"
+	ManagementActionUpdate = common.ManagementActionUpdate
 	// ManagementActionDelete means that the external resource will be deleted
 	// when the managed resource is deleted.
-	ManagementActionDelete ManagementAction = "Delete"
+	ManagementActionDelete = common.ManagementActionDelete
 	// ManagementActionLateInitialize means that unspecified fields of the managed
 	// resource spec.forProvider will be updated with the external resource state.
-	ManagementActionLateInitialize ManagementAction = "LateInitialize"
+	ManagementActionLateInitialize = common.ManagementActionLateInitialize
 	// ManagementActionAll means that all of the above actions will be taken
 	// by the Crossplane controllers.
-	ManagementActionAll ManagementAction = "*"
+	ManagementActionAll = common.ManagementActionAll
 )
 // A DeletionPolicy determines what should happen to the underlying external
@ -68,53 +71,51 @@ const (
 // A CompositeDeletePolicy determines how the composite resource should be deleted
 // when the corresponding claim is deleted.
-// +kubebuilder:validation:Enum=Background;Foreground
+type CompositeDeletePolicy = common.CompositeDeletePolicy
 type CompositeDeletePolicy string
 const (
 	// CompositeDeleteBackground means the composite resource will be deleted using
 	// the Background Propagation Policy when the claim is deleted.
-	CompositeDeleteBackground CompositeDeletePolicy = "Background"
+	CompositeDeleteBackground = common.CompositeDeleteBackground
 	// CompositeDeleteForeground means the composite resource will be deleted using
 	// the Foreground Propagation Policy when the claim is deleted.
-	CompositeDeleteForeground CompositeDeletePolicy = "Foreground"
+	CompositeDeleteForeground = common.CompositeDeleteForeground
 )
 // An UpdatePolicy determines how something should be updated - either
 // automatically (without human intervention) or manually.
-// +kubebuilder:validation:Enum=Automatic;Manual
+type UpdatePolicy = common.UpdatePolicy
 type UpdatePolicy string
 const (
 	// UpdateAutomatic means the resource should be updated automatically,
 	// without any human intervention.
-	UpdateAutomatic UpdatePolicy = "Automatic"
+	UpdateAutomatic = common.UpdateAutomatic
 	// UpdateManual means the resource requires human intervention to
 	// update.
-	UpdateManual UpdatePolicy = "Manual"
+	UpdateManual = common.UpdateManual
 )
 // ResolvePolicy is a type for resolve policy.
-type ResolvePolicy string
+type ResolvePolicy = common.ResolvePolicy
 // ResolutionPolicy is a type for resolution policy.
-type ResolutionPolicy string
+type ResolutionPolicy = common.ResolutionPolicy
 const (
 	// ResolvePolicyAlways is a resolve option.
 	// When the ResolvePolicy is set to ResolvePolicyAlways the reference will
 	// be tried to resolve for every reconcile loop.
-	ResolvePolicyAlways ResolvePolicy = "Always"
+	ResolvePolicyAlways = common.ResolvePolicyAlways
 	// ResolutionPolicyRequired is a resolution option.
 	// When the ResolutionPolicy is set to ResolutionPolicyRequired the execution
 	// could not continue even if the reference cannot be resolved.
-	ResolutionPolicyRequired ResolutionPolicy = "Required"
+	ResolutionPolicyRequired = common.ResolutionPolicyRequired
 	// ResolutionPolicyOptional is a resolution option.
 	// When the ReferenceResolutionPolicy is set to ReferencePolicyOptional the
 	// execution could continue even if the reference cannot be resolved.
-	ResolutionPolicyOptional ResolutionPolicy = "Optional"
+	ResolutionPolicyOptional = common.ResolutionPolicyOptional
 )
--- a/apis/common/v1/resource.go
+++ b/apis/common/v1/resource.go
@ -18,34 +18,38 @@ package v1
 import (
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
+
-	"k8s.io/apimachinery/pkg/types"
+	"github.com/crossplane/crossplane-runtime/apis/common"
 )
 const (
-	// ResourceCredentialsSecretEndpointKey is the key inside a connection secret for the connection endpoint
+	// ResourceCredentialsSecretEndpointKey is the key inside a connection secret for the connection endpoint.
 	ResourceCredentialsSecretEndpointKey = "endpoint"
-	// ResourceCredentialsSecretPortKey is the key inside a connection secret for the connection port
+	// ResourceCredentialsSecretPortKey is the key inside a connection secret for the connection port.
 	ResourceCredentialsSecretPortKey = "port"
-	// ResourceCredentialsSecretUserKey is the key inside a connection secret for the connection user
+	// ResourceCredentialsSecretUserKey is the key inside a connection secret for the connection user.
 	ResourceCredentialsSecretUserKey = "username"
-	// ResourceCredentialsSecretPasswordKey is the key inside a connection secret for the connection password
+	// ResourceCredentialsSecretPasswordKey is the key inside a connection secret for the connection password.
 	ResourceCredentialsSecretPasswordKey = "password"
-	// ResourceCredentialsSecretCAKey is the key inside a connection secret for the server CA certificate
+	// ResourceCredentialsSecretCAKey is the key inside a connection secret for the server CA certificate.
 	ResourceCredentialsSecretCAKey = "clusterCA"
-	// ResourceCredentialsSecretClientCertKey is the key inside a connection secret for the client certificate
+	// ResourceCredentialsSecretClientCertKey is the key inside a connection secret for the client certificate.
 	ResourceCredentialsSecretClientCertKey = "clientCert"
-	// ResourceCredentialsSecretClientKeyKey is the key inside a connection secret for the client key
+	// ResourceCredentialsSecretClientKeyKey is the key inside a connection secret for the client key.
 	ResourceCredentialsSecretClientKeyKey = "clientKey"
-	// ResourceCredentialsSecretTokenKey is the key inside a connection secret for the bearer token value
+	// ResourceCredentialsSecretTokenKey is the key inside a connection secret for the bearer token value.
 	ResourceCredentialsSecretTokenKey = "token"
-	// ResourceCredentialsSecretKubeconfigKey is the key inside a connection secret for the raw kubeconfig yaml
+	// ResourceCredentialsSecretKubeconfigKey is the key inside a connection secret for the raw kubeconfig yaml.
 	ResourceCredentialsSecretKubeconfigKey = "kubeconfig"
 )
 // LabelKeyProviderKind is added to ProviderConfigUsages to relate them to their
 // ProviderConfig.
 const LabelKeyProviderKind = common.LabelKeyProviderKind
 // LabelKeyProviderName is added to ProviderConfigUsages to relate them to their
 // ProviderConfig.
-const LabelKeyProviderName = "crossplane.io/provider-config"
+const LabelKeyProviderName = common.LabelKeyProviderName
 // NOTE(negz): The below secret references differ from ObjectReference and
 // LocalObjectReference in that they include only the fields Crossplane needs to
@ -54,118 +58,41 @@ const LabelKeyProviderName = "crossplane.io/provider-config"
 // A LocalSecretReference is a reference to a secret in the same namespace as
 // the referencer.
-type LocalSecretReference struct {
+type LocalSecretReference = common.LocalSecretReference
 	// Name of the secret.
 	Name string `json:"name"`
 }
 // A SecretReference is a reference to a secret in an arbitrary namespace.
-type SecretReference struct {
+type SecretReference = common.SecretReference
 	// Name of the secret.
 	Name string `json:"name"`
 	// Namespace of the secret.
 	Namespace string `json:"namespace"`
 }
 // A SecretKeySelector is a reference to a secret key in an arbitrary namespace.
-type SecretKeySelector struct {
+type SecretKeySelector = common.SecretKeySelector
 	SecretReference `json:",inline"`
-	// The key to select.
+// A LocalSecretKeySelector is a reference to a secret key
-	Key string `json:"key"`
+// in the same namespace with the referencing object.
-}
+type LocalSecretKeySelector = common.LocalSecretKeySelector
 // Policy represents the Resolve and Resolution policies of Reference instance.
-type Policy struct {
+type Policy = common.Policy
 	// Resolve specifies when this reference should be resolved. The default
 	// is 'IfNotPresent', which will attempt to resolve the reference only when
 	// the corresponding field is not present. Use 'Always' to resolve the
 	// reference on every reconcile.
 	// +optional
 	// +kubebuilder:validation:Enum=Always;IfNotPresent
 	Resolve *ResolvePolicy `json:"resolve,omitempty"`
 	// Resolution specifies whether resolution of this reference is required.
 	// The default is 'Required', which means the reconcile will fail if the
 	// reference cannot be resolved. 'Optional' means this reference will be
 	// a no-op if it cannot be resolved.
 	// +optional
 	// +kubebuilder:default=Required
 	// +kubebuilder:validation:Enum=Required;Optional
 	Resolution *ResolutionPolicy `json:"resolution,omitempty"`
 }
 // IsResolutionPolicyOptional checks whether the resolution policy of relevant reference is Optional.
 func (p *Policy) IsResolutionPolicyOptional() bool {
 	if p == nil || p.Resolution == nil {
 		return false
 	}
 	return *p.Resolution == ResolutionPolicyOptional
 }
 // IsResolvePolicyAlways checks whether the resolution policy of relevant reference is Always.
 func (p *Policy) IsResolvePolicyAlways() bool {
 	if p == nil || p.Resolve == nil {
 		return false
 	}
 	return *p.Resolve == ResolvePolicyAlways
 }
 // A Reference to a named object.
-type Reference struct {
+type Reference = common.Reference
 	// Name of the referenced object.
 	Name string `json:"name"`
-	// Policies for referencing.
+// A NamespacedReference to a named object.
-	// +optional
+type NamespacedReference = common.NamespacedReference
 	Policy *Policy `json:"policy,omitempty"`
 }
 // A TypedReference refers to an object by Name, Kind, and APIVersion. It is
 // commonly used to reference cluster-scoped objects or objects where the
 // namespace is already known.
-type TypedReference struct {
+type TypedReference = common.TypedReference
 	// APIVersion of the referenced object.
 	APIVersion string `json:"apiVersion"`
 	// Kind of the referenced object.
 	Kind string `json:"kind"`
 	// Name of the referenced object.
 	Name string `json:"name"`
 	// UID of the referenced object.
 	// +optional
 	UID types.UID `json:"uid,omitempty"`
 }
 // A Selector selects an object.
-type Selector struct {
+type Selector = common.Selector
 	// MatchLabels ensures an object with matching labels is selected.
 	MatchLabels map[string]string `json:"matchLabels,omitempty"`
-	// MatchControllerRef ensures an object with the same controller reference
+// NamespacedSelector selects a namespaced object.
-	// as the selecting object is selected.
+type NamespacedSelector = common.NamespacedSelector
 	MatchControllerRef *bool `json:"matchControllerRef,omitempty"`
-	// Policies for selection.
+// ProviderConfigReference is a typed reference to a ProviderConfig
-	// +optional
+// object, with a known api group.
-	Policy *Policy `json:"policy,omitempty"`
+type ProviderConfigReference = common.ProviderConfigReference
 }
 // SetGroupVersionKind sets the Kind and APIVersion of a TypedReference.
 func (obj *TypedReference) SetGroupVersionKind(gvk schema.GroupVersionKind) {
 	obj.APIVersion, obj.Kind = gvk.ToAPIVersionAndKind()
 }
 // GroupVersionKind gets the GroupVersionKind of a TypedReference.
 func (obj *TypedReference) GroupVersionKind() schema.GroupVersionKind {
 	return schema.FromAPIVersionAndKind(obj.APIVersion, obj.Kind)
 }
 // GetObjectKind get the ObjectKind of a TypedReference.
 func (obj *TypedReference) GetObjectKind() schema.ObjectKind { return obj }
 // TODO(negz): Rename Resource* to Managed* to clarify that they enable the
 // resource.Managed interface.
@ -176,21 +103,9 @@ type ResourceSpec struct {
 	// Secret to which any connection details for this managed resource should
 	// be written. Connection details frequently include the endpoint, username,
 	// and password required to connect to the managed resource.
 	// This field is planned to be replaced in a future release in favor of
 	// PublishConnectionDetailsTo. Currently, both could be set independently
 	// and connection details would be published to both without affecting
 	// each other.
 	// +optional
 	WriteConnectionSecretToReference *SecretReference `json:"writeConnectionSecretToRef,omitempty"`
 	// PublishConnectionDetailsTo specifies the connection secret config which
 	// contains a name, metadata and a reference to secret store config to
 	// which any connection details for this managed resource should be written.
 	// Connection details frequently include the endpoint, username,
 	// and password required to connect to the managed resource.
 	// +optional
 	PublishConnectionDetailsTo *PublishConnectionDetailsTo `json:"publishConnectionDetailsTo,omitempty"`
 	// ProviderConfigReference specifies how the provider that will be used to
 	// create, observe, update, and delete this managed resource should be
 	// configured.
@ -226,84 +141,53 @@ type ResourceSpec struct {
 // ResourceStatus represents the observed state of a managed resource.
 type ResourceStatus struct {
 	ConditionedStatus `json:",inline"`
 	ObservedStatus    `json:",inline"`
 }
 // A CredentialsSource is a source from which provider credentials may be
 // acquired.
-type CredentialsSource string
+type CredentialsSource = common.CredentialsSource
 const (
 	// CredentialsSourceNone indicates that a provider does not require
 	// credentials.
-	CredentialsSourceNone CredentialsSource = "None"
+	CredentialsSourceNone = common.CredentialsSourceNone
 	// CredentialsSourceSecret indicates that a provider should acquire
 	// credentials from a secret.
-	CredentialsSourceSecret CredentialsSource = "Secret"
+	CredentialsSourceSecret = common.CredentialsSourceSecret
 	// CredentialsSourceInjectedIdentity indicates that a provider should use
 	// credentials via its (pod's) identity; i.e. via IRSA for AWS,
 	// Workload Identity for GCP, Pod Identity for Azure, or in-cluster
 	// authentication for the Kubernetes API.
-	CredentialsSourceInjectedIdentity CredentialsSource = "InjectedIdentity"
+	CredentialsSourceInjectedIdentity = common.CredentialsSourceInjectedIdentity
 	// CredentialsSourceEnvironment indicates that a provider should acquire
 	// credentials from an environment variable.
-	CredentialsSourceEnvironment CredentialsSource = "Environment"
+	CredentialsSourceEnvironment = common.CredentialsSourceEnvironment
 	// CredentialsSourceFilesystem indicates that a provider should acquire
 	// credentials from the filesystem.
-	CredentialsSourceFilesystem CredentialsSource = "Filesystem"
+	CredentialsSourceFilesystem = common.CredentialsSourceFilesystem
 )
 // CommonCredentialSelectors provides common selectors for extracting
 // credentials.
-type CommonCredentialSelectors struct {
+type CommonCredentialSelectors = common.CommonCredentialSelectors
 	// Fs is a reference to a filesystem location that contains credentials that
 	// must be used to connect to the provider.
 	// +optional
 	Fs *FsSelector `json:"fs,omitempty"`
 	// Env is a reference to an environment variable that contains credentials
 	// that must be used to connect to the provider.
 	// +optional
 	Env *EnvSelector `json:"env,omitempty"`
 	// A SecretRef is a reference to a secret key that contains the credentials
 	// that must be used to connect to the provider.
 	// +optional
 	SecretRef *SecretKeySelector `json:"secretRef,omitempty"`
 }
 // EnvSelector selects an environment variable.
-type EnvSelector struct {
+type EnvSelector = common.EnvSelector
 	// Name is the name of an environment variable.
 	Name string `json:"name"`
 }
 // FsSelector selects a filesystem location.
-type FsSelector struct {
+type FsSelector = common.FsSelector
 	// Path is a filesystem path.
 	Path string `json:"path"`
 }
 // A ProviderConfigStatus defines the observed status of a ProviderConfig.
-type ProviderConfigStatus struct {
+type ProviderConfigStatus = common.ProviderConfigStatus
 	ConditionedStatus `json:",inline"`
 	// Users of this provider configuration.
 	Users int64 `json:"users,omitempty"`
 }
 // A ProviderConfigUsage is a record that a particular managed resource is using
 // a particular provider configuration.
-type ProviderConfigUsage struct {
+type ProviderConfigUsage = common.ProviderConfigUsage
 	// ProviderConfigReference to the provider config being used.
 	ProviderConfigReference Reference `json:"providerConfigRef"`
 	// ResourceReference to the managed resource using the provider config.
 	ResourceReference TypedReference `json:"resourceRef"`
 }
 // A TargetSpec defines the common fields of objects used for exposing
 // infrastructure to workloads that can be scheduled to.
--- a/apis/common/v1/zz_generated.deepcopy.go
+++ b/apis/common/v1/zz_generated.deepcopy.go
@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 /*
-Copyright 2019 The Crossplane Authors.
+Copyright 2025 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -24,363 +24,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CommonCredentialSelectors) DeepCopyInto(out *CommonCredentialSelectors) {
 	*out = *in
 	if in.Fs != nil {
 		in, out := &in.Fs, &out.Fs
 		*out = new(FsSelector)
 		**out = **in
 	}
 	if in.Env != nil {
 		in, out := &in.Env, &out.Env
 		*out = new(EnvSelector)
 		**out = **in
 	}
 	if in.SecretRef != nil {
 		in, out := &in.SecretRef, &out.SecretRef
 		*out = new(SecretKeySelector)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonCredentialSelectors.
 func (in *CommonCredentialSelectors) DeepCopy() *CommonCredentialSelectors {
 	if in == nil {
 		return nil
 	}
 	out := new(CommonCredentialSelectors)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Condition) DeepCopyInto(out *Condition) {
 	*out = *in
 	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
 func (in *Condition) DeepCopy() *Condition {
 	if in == nil {
 		return nil
 	}
 	out := new(Condition)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionedStatus) DeepCopyInto(out *ConditionedStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
 		*out = make([]Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionedStatus.
 func (in *ConditionedStatus) DeepCopy() *ConditionedStatus {
 	if in == nil {
 		return nil
 	}
 	out := new(ConditionedStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Config) DeepCopyInto(out *Config) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Config.
 func (in *Config) DeepCopy() *Config {
 	if in == nil {
 		return nil
 	}
 	out := new(Config)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectionSecretMetadata) DeepCopyInto(out *ConnectionSecretMetadata) {
 	*out = *in
 	if in.Labels != nil {
 		in, out := &in.Labels, &out.Labels
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
 	if in.Annotations != nil {
 		in, out := &in.Annotations, &out.Annotations
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
 	if in.Type != nil {
 		in, out := &in.Type, &out.Type
 		*out = new(corev1.SecretType)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionSecretMetadata.
 func (in *ConnectionSecretMetadata) DeepCopy() *ConnectionSecretMetadata {
 	if in == nil {
 		return nil
 	}
 	out := new(ConnectionSecretMetadata)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvSelector) DeepCopyInto(out *EnvSelector) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvSelector.
 func (in *EnvSelector) DeepCopy() *EnvSelector {
 	if in == nil {
 		return nil
 	}
 	out := new(EnvSelector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FsSelector) DeepCopyInto(out *FsSelector) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FsSelector.
 func (in *FsSelector) DeepCopy() *FsSelector {
 	if in == nil {
 		return nil
 	}
 	out := new(FsSelector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KubernetesAuthConfig) DeepCopyInto(out *KubernetesAuthConfig) {
 	*out = *in
 	in.CommonCredentialSelectors.DeepCopyInto(&out.CommonCredentialSelectors)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesAuthConfig.
 func (in *KubernetesAuthConfig) DeepCopy() *KubernetesAuthConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(KubernetesAuthConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KubernetesSecretStoreConfig) DeepCopyInto(out *KubernetesSecretStoreConfig) {
 	*out = *in
 	in.Auth.DeepCopyInto(&out.Auth)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesSecretStoreConfig.
 func (in *KubernetesSecretStoreConfig) DeepCopy() *KubernetesSecretStoreConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(KubernetesSecretStoreConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LocalSecretReference) DeepCopyInto(out *LocalSecretReference) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalSecretReference.
 func (in *LocalSecretReference) DeepCopy() *LocalSecretReference {
 	if in == nil {
 		return nil
 	}
 	out := new(LocalSecretReference)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in ManagementPolicies) DeepCopyInto(out *ManagementPolicies) {
 	{
 		in := &in
 		*out = make(ManagementPolicies, len(*in))
 		copy(*out, *in)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagementPolicies.
 func (in ManagementPolicies) DeepCopy() ManagementPolicies {
 	if in == nil {
 		return nil
 	}
 	out := new(ManagementPolicies)
 	in.DeepCopyInto(out)
 	return *out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MergeOptions) DeepCopyInto(out *MergeOptions) {
 	*out = *in
 	if in.KeepMapValues != nil {
 		in, out := &in.KeepMapValues, &out.KeepMapValues
 		*out = new(bool)
 		**out = **in
 	}
 	if in.AppendSlice != nil {
 		in, out := &in.AppendSlice, &out.AppendSlice
 		*out = new(bool)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MergeOptions.
 func (in *MergeOptions) DeepCopy() *MergeOptions {
 	if in == nil {
 		return nil
 	}
 	out := new(MergeOptions)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PluginStoreConfig) DeepCopyInto(out *PluginStoreConfig) {
 	*out = *in
 	out.ConfigRef = in.ConfigRef
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PluginStoreConfig.
 func (in *PluginStoreConfig) DeepCopy() *PluginStoreConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(PluginStoreConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Policy) DeepCopyInto(out *Policy) {
 	*out = *in
 	if in.Resolve != nil {
 		in, out := &in.Resolve, &out.Resolve
 		*out = new(ResolvePolicy)
 		**out = **in
 	}
 	if in.Resolution != nil {
 		in, out := &in.Resolution, &out.Resolution
 		*out = new(ResolutionPolicy)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
 func (in *Policy) DeepCopy() *Policy {
 	if in == nil {
 		return nil
 	}
 	out := new(Policy)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderConfigStatus) DeepCopyInto(out *ProviderConfigStatus) {
 	*out = *in
 	in.ConditionedStatus.DeepCopyInto(&out.ConditionedStatus)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfigStatus.
 func (in *ProviderConfigStatus) DeepCopy() *ProviderConfigStatus {
 	if in == nil {
 		return nil
 	}
 	out := new(ProviderConfigStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderConfigUsage) DeepCopyInto(out *ProviderConfigUsage) {
 	*out = *in
 	in.ProviderConfigReference.DeepCopyInto(&out.ProviderConfigReference)
 	out.ResourceReference = in.ResourceReference
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfigUsage.
 func (in *ProviderConfigUsage) DeepCopy() *ProviderConfigUsage {
 	if in == nil {
 		return nil
 	}
 	out := new(ProviderConfigUsage)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PublishConnectionDetailsTo) DeepCopyInto(out *PublishConnectionDetailsTo) {
 	*out = *in
 	if in.Metadata != nil {
 		in, out := &in.Metadata, &out.Metadata
 		*out = new(ConnectionSecretMetadata)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.SecretStoreConfigRef != nil {
 		in, out := &in.SecretStoreConfigRef, &out.SecretStoreConfigRef
 		*out = new(Reference)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublishConnectionDetailsTo.
 func (in *PublishConnectionDetailsTo) DeepCopy() *PublishConnectionDetailsTo {
 	if in == nil {
 		return nil
 	}
 	out := new(PublishConnectionDetailsTo)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Reference) DeepCopyInto(out *Reference) {
 	*out = *in
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(Policy)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Reference.
 func (in *Reference) DeepCopy() *Reference {
 	if in == nil {
 		return nil
 	}
 	out := new(Reference)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceSpec) DeepCopyInto(out *ResourceSpec) {
 	*out = *in
@ -389,11 +32,6 @@ func (in *ResourceSpec) DeepCopyInto(out *ResourceSpec) {
 		*out = new(SecretReference)
 		**out = **in
 	}
 	if in.PublishConnectionDetailsTo != nil {
 		in, out := &in.PublishConnectionDetailsTo, &out.PublishConnectionDetailsTo
 		*out = new(PublishConnectionDetailsTo)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.ProviderConfigReference != nil {
 		in, out := &in.ProviderConfigReference, &out.ProviderConfigReference
 		*out = new(Reference)
@ -420,6 +58,7 @@ func (in *ResourceSpec) DeepCopy() *ResourceSpec {
 func (in *ResourceStatus) DeepCopyInto(out *ResourceStatus) {
 	*out = *in
 	in.ConditionedStatus.DeepCopyInto(&out.ConditionedStatus)
 	in.ObservedStatus.DeepCopyInto(&out.ObservedStatus)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceStatus.
@ -432,99 +71,6 @@ func (in *ResourceStatus) DeepCopy() *ResourceStatus {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) {
 	*out = *in
 	out.SecretReference = in.SecretReference
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector.
 func (in *SecretKeySelector) DeepCopy() *SecretKeySelector {
 	if in == nil {
 		return nil
 	}
 	out := new(SecretKeySelector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecretReference) DeepCopyInto(out *SecretReference) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretReference.
 func (in *SecretReference) DeepCopy() *SecretReference {
 	if in == nil {
 		return nil
 	}
 	out := new(SecretReference)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecretStoreConfig) DeepCopyInto(out *SecretStoreConfig) {
 	*out = *in
 	if in.Type != nil {
 		in, out := &in.Type, &out.Type
 		*out = new(SecretStoreType)
 		**out = **in
 	}
 	if in.Kubernetes != nil {
 		in, out := &in.Kubernetes, &out.Kubernetes
 		*out = new(KubernetesSecretStoreConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Plugin != nil {
 		in, out := &in.Plugin, &out.Plugin
 		*out = new(PluginStoreConfig)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreConfig.
 func (in *SecretStoreConfig) DeepCopy() *SecretStoreConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(SecretStoreConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Selector) DeepCopyInto(out *Selector) {
 	*out = *in
 	if in.MatchLabels != nil {
 		in, out := &in.MatchLabels, &out.MatchLabels
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
 	if in.MatchControllerRef != nil {
 		in, out := &in.MatchControllerRef, &out.MatchControllerRef
 		*out = new(bool)
 		**out = **in
 	}
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(Policy)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Selector.
 func (in *Selector) DeepCopy() *Selector {
 	if in == nil {
 		return nil
 	}
 	out := new(Selector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetSpec) DeepCopyInto(out *TargetSpec) {
 	*out = *in
@ -565,18 +111,3 @@ func (in *TargetStatus) DeepCopy() *TargetStatus {
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TypedReference) DeepCopyInto(out *TypedReference) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TypedReference.
 func (in *TypedReference) DeepCopy() *TypedReference {
 	if in == nil {
 		return nil
 	}
 	out := new(TypedReference)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/apis/common/v2/doc.go
+++ b/apis/common/v2/doc.go
@ -0,0 +1,19 @@
 /*
 Copyright 2019 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package v2 contains core API types used by most Crossplane resources.
 // +kubebuilder:object:generate=true
 package v2
--- a/apis/common/v2/resource.go
+++ b/apis/common/v2/resource.go
@ -0,0 +1,51 @@
 /*
 Copyright 2019 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package v2
 import (
 	"github.com/crossplane/crossplane-runtime/apis/common"
 )
 // A ManagedResourceSpec defines the desired state of a managed resource.
 type ManagedResourceSpec struct {
 	// WriteConnectionSecretToReference specifies the namespace and name of a
 	// Secret to which any connection details for this managed resource should
 	// be written. Connection details frequently include the endpoint, username,
 	// and password required to connect to the managed resource.
 	// +optional
 	WriteConnectionSecretToReference *common.LocalSecretReference `json:"writeConnectionSecretToRef,omitempty"`
 	// ProviderConfigReference specifies how the provider that will be used to
 	// create, observe, update, and delete this managed resource should be
 	// configured.
 	// +kubebuilder:default={"kind": "ClusterProviderConfig", "name": "default"}
 	ProviderConfigReference *common.ProviderConfigReference `json:"providerConfigRef,omitempty"`
 	// THIS IS A BETA FIELD. It is on by default but can be opted out
 	// through a Crossplane feature flag.
 	// ManagementPolicies specify the array of actions Crossplane is allowed to
 	// take on the managed and external resources.
 	// See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223
 	// and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md
 	// +optional
 	// +kubebuilder:default={"*"}
 	ManagementPolicies common.ManagementPolicies `json:"managementPolicies,omitempty"`
 }
 // A TypedProviderConfigUsage is a record that a particular managed resource is using
 // a particular provider configuration.
 type TypedProviderConfigUsage = common.TypedProviderConfigUsage
--- a/apis/common/v2/zz_generated.deepcopy.go
+++ b/apis/common/v2/zz_generated.deepcopy.go
@ -0,0 +1,55 @@
 //go:build !ignore_autogenerated
 /*
 Copyright 2025 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by controller-gen. DO NOT EDIT.
 package v2
 import (
 	"github.com/crossplane/crossplane-runtime/apis/common"
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ManagedResourceSpec) DeepCopyInto(out *ManagedResourceSpec) {
 	*out = *in
 	if in.WriteConnectionSecretToReference != nil {
 		in, out := &in.WriteConnectionSecretToReference, &out.WriteConnectionSecretToReference
 		*out = new(common.LocalSecretReference)
 		**out = **in
 	}
 	if in.ProviderConfigReference != nil {
 		in, out := &in.ProviderConfigReference, &out.ProviderConfigReference
 		*out = new(common.ProviderConfigReference)
 		**out = **in
 	}
 	if in.ManagementPolicies != nil {
 		in, out := &in.ManagementPolicies, &out.ManagementPolicies
 		*out = make(common.ManagementPolicies, len(*in))
 		copy(*out, *in)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagedResourceSpec.
 func (in *ManagedResourceSpec) DeepCopy() *ManagedResourceSpec {
 	if in == nil {
 		return nil
 	}
 	out := new(ManagedResourceSpec)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/apis/common/zz_generated.deepcopy.go
+++ b/apis/common/zz_generated.deepcopy.go
@ -0,0 +1,468 @@
 //go:build !ignore_autogenerated
 /*
 Copyright 2025 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by controller-gen. DO NOT EDIT.
 package common
 import ()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CommonCredentialSelectors) DeepCopyInto(out *CommonCredentialSelectors) {
 	*out = *in
 	if in.Fs != nil {
 		in, out := &in.Fs, &out.Fs
 		*out = new(FsSelector)
 		**out = **in
 	}
 	if in.Env != nil {
 		in, out := &in.Env, &out.Env
 		*out = new(EnvSelector)
 		**out = **in
 	}
 	if in.SecretRef != nil {
 		in, out := &in.SecretRef, &out.SecretRef
 		*out = new(SecretKeySelector)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonCredentialSelectors.
 func (in *CommonCredentialSelectors) DeepCopy() *CommonCredentialSelectors {
 	if in == nil {
 		return nil
 	}
 	out := new(CommonCredentialSelectors)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Condition) DeepCopyInto(out *Condition) {
 	*out = *in
 	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
 func (in *Condition) DeepCopy() *Condition {
 	if in == nil {
 		return nil
 	}
 	out := new(Condition)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionedStatus) DeepCopyInto(out *ConditionedStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
 		*out = make([]Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionedStatus.
 func (in *ConditionedStatus) DeepCopy() *ConditionedStatus {
 	if in == nil {
 		return nil
 	}
 	out := new(ConditionedStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvSelector) DeepCopyInto(out *EnvSelector) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvSelector.
 func (in *EnvSelector) DeepCopy() *EnvSelector {
 	if in == nil {
 		return nil
 	}
 	out := new(EnvSelector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FsSelector) DeepCopyInto(out *FsSelector) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FsSelector.
 func (in *FsSelector) DeepCopy() *FsSelector {
 	if in == nil {
 		return nil
 	}
 	out := new(FsSelector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LocalSecretKeySelector) DeepCopyInto(out *LocalSecretKeySelector) {
 	*out = *in
 	out.LocalSecretReference = in.LocalSecretReference
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalSecretKeySelector.
 func (in *LocalSecretKeySelector) DeepCopy() *LocalSecretKeySelector {
 	if in == nil {
 		return nil
 	}
 	out := new(LocalSecretKeySelector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LocalSecretReference) DeepCopyInto(out *LocalSecretReference) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalSecretReference.
 func (in *LocalSecretReference) DeepCopy() *LocalSecretReference {
 	if in == nil {
 		return nil
 	}
 	out := new(LocalSecretReference)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in ManagementPolicies) DeepCopyInto(out *ManagementPolicies) {
 	{
 		in := &in
 		*out = make(ManagementPolicies, len(*in))
 		copy(*out, *in)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagementPolicies.
 func (in ManagementPolicies) DeepCopy() ManagementPolicies {
 	if in == nil {
 		return nil
 	}
 	out := new(ManagementPolicies)
 	in.DeepCopyInto(out)
 	return *out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MergeOptions) DeepCopyInto(out *MergeOptions) {
 	*out = *in
 	if in.KeepMapValues != nil {
 		in, out := &in.KeepMapValues, &out.KeepMapValues
 		*out = new(bool)
 		**out = **in
 	}
 	if in.AppendSlice != nil {
 		in, out := &in.AppendSlice, &out.AppendSlice
 		*out = new(bool)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MergeOptions.
 func (in *MergeOptions) DeepCopy() *MergeOptions {
 	if in == nil {
 		return nil
 	}
 	out := new(MergeOptions)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NamespacedReference) DeepCopyInto(out *NamespacedReference) {
 	*out = *in
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(Policy)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedReference.
 func (in *NamespacedReference) DeepCopy() *NamespacedReference {
 	if in == nil {
 		return nil
 	}
 	out := new(NamespacedReference)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NamespacedSelector) DeepCopyInto(out *NamespacedSelector) {
 	*out = *in
 	if in.MatchLabels != nil {
 		in, out := &in.MatchLabels, &out.MatchLabels
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
 	if in.MatchControllerRef != nil {
 		in, out := &in.MatchControllerRef, &out.MatchControllerRef
 		*out = new(bool)
 		**out = **in
 	}
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(Policy)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedSelector.
 func (in *NamespacedSelector) DeepCopy() *NamespacedSelector {
 	if in == nil {
 		return nil
 	}
 	out := new(NamespacedSelector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ObservedStatus) DeepCopyInto(out *ObservedStatus) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObservedStatus.
 func (in *ObservedStatus) DeepCopy() *ObservedStatus {
 	if in == nil {
 		return nil
 	}
 	out := new(ObservedStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Policy) DeepCopyInto(out *Policy) {
 	*out = *in
 	if in.Resolve != nil {
 		in, out := &in.Resolve, &out.Resolve
 		*out = new(ResolvePolicy)
 		**out = **in
 	}
 	if in.Resolution != nil {
 		in, out := &in.Resolution, &out.Resolution
 		*out = new(ResolutionPolicy)
 		**out = **in
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
 func (in *Policy) DeepCopy() *Policy {
 	if in == nil {
 		return nil
 	}
 	out := new(Policy)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderConfigReference) DeepCopyInto(out *ProviderConfigReference) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfigReference.
 func (in *ProviderConfigReference) DeepCopy() *ProviderConfigReference {
 	if in == nil {
 		return nil
 	}
 	out := new(ProviderConfigReference)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderConfigStatus) DeepCopyInto(out *ProviderConfigStatus) {
 	*out = *in
 	in.ConditionedStatus.DeepCopyInto(&out.ConditionedStatus)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfigStatus.
 func (in *ProviderConfigStatus) DeepCopy() *ProviderConfigStatus {
 	if in == nil {
 		return nil
 	}
 	out := new(ProviderConfigStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderConfigUsage) DeepCopyInto(out *ProviderConfigUsage) {
 	*out = *in
 	in.ProviderConfigReference.DeepCopyInto(&out.ProviderConfigReference)
 	out.ResourceReference = in.ResourceReference
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfigUsage.
 func (in *ProviderConfigUsage) DeepCopy() *ProviderConfigUsage {
 	if in == nil {
 		return nil
 	}
 	out := new(ProviderConfigUsage)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Reference) DeepCopyInto(out *Reference) {
 	*out = *in
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(Policy)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Reference.
 func (in *Reference) DeepCopy() *Reference {
 	if in == nil {
 		return nil
 	}
 	out := new(Reference)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceStatus) DeepCopyInto(out *ResourceStatus) {
 	*out = *in
 	in.ConditionedStatus.DeepCopyInto(&out.ConditionedStatus)
 	out.ObservedStatus = in.ObservedStatus
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceStatus.
 func (in *ResourceStatus) DeepCopy() *ResourceStatus {
 	if in == nil {
 		return nil
 	}
 	out := new(ResourceStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) {
 	*out = *in
 	out.SecretReference = in.SecretReference
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector.
 func (in *SecretKeySelector) DeepCopy() *SecretKeySelector {
 	if in == nil {
 		return nil
 	}
 	out := new(SecretKeySelector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecretReference) DeepCopyInto(out *SecretReference) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretReference.
 func (in *SecretReference) DeepCopy() *SecretReference {
 	if in == nil {
 		return nil
 	}
 	out := new(SecretReference)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Selector) DeepCopyInto(out *Selector) {
 	*out = *in
 	if in.MatchLabels != nil {
 		in, out := &in.MatchLabels, &out.MatchLabels
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
 	if in.MatchControllerRef != nil {
 		in, out := &in.MatchControllerRef, &out.MatchControllerRef
 		*out = new(bool)
 		**out = **in
 	}
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(Policy)
 		(*in).DeepCopyInto(*out)
 	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Selector.
 func (in *Selector) DeepCopy() *Selector {
 	if in == nil {
 		return nil
 	}
 	out := new(Selector)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TypedProviderConfigUsage) DeepCopyInto(out *TypedProviderConfigUsage) {
 	*out = *in
 	out.ProviderConfigReference = in.ProviderConfigReference
 	out.ResourceReference = in.ResourceReference
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TypedProviderConfigUsage.
 func (in *TypedProviderConfigUsage) DeepCopy() *TypedProviderConfigUsage {
 	if in == nil {
 		return nil
 	}
 	out := new(TypedProviderConfigUsage)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TypedReference) DeepCopyInto(out *TypedReference) {
 	*out = *in
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TypedReference.
 func (in *TypedReference) DeepCopy() *TypedReference {
 	if in == nil {
 		return nil
 	}
 	out := new(TypedReference)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/apis/proto/v1alpha1/ess.pb.go
+++ b/apis/proto/v1alpha1/ess.pb.go
@ -12,10 +12,12 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.36.5
 // 	protoc        (unknown)
 // source: proto/v1alpha1/ess.proto
 // buf:lint:ignore PACKAGE_DIRECTORY_MATCH
 package v1alpha1
 import (
@ -23,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
 	unsafe "unsafe"
 )
 const (
@ -34,23 +37,20 @@ const (
 // ConfigReference is used to refer a StoreConfig object.
 type ConfigReference struct {
-	state         protoimpl.MessageState
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	ApiVersion    string                 `protobuf:"bytes,1,opt,name=api_version,json=apiVersion,proto3" json:"api_version,omitempty"`
 	Kind          string                 `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"`
 	Name          string                 `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *ConfigReference) Reset() {
 	*x = ConfigReference{}
 	if protoimpl.UnsafeEnabled {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[0]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 }
 func (x *ConfigReference) String() string {
 	return protoimpl.X.MessageStringOf(x)
@ -60,7 +60,7 @@ func (*ConfigReference) ProtoMessage() {}
 func (x *ConfigReference) ProtoReflect() protoreflect.Message {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -98,23 +98,20 @@ func (x *ConfigReference) GetName() string {
 // Secret defines the structure of a secret.
 type Secret struct {
-	state         protoimpl.MessageState
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	ScopedName    string                 `protobuf:"bytes,1,opt,name=scoped_name,json=scopedName,proto3" json:"scoped_name,omitempty"`
-	Metadata   map[string]string `protobuf:"bytes,2,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Metadata      map[string]string      `protobuf:"bytes,2,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
-	Data       map[string][]byte `protobuf:"bytes,3,rep,name=data,proto3" json:"data,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Data          map[string][]byte      `protobuf:"bytes,3,rep,name=data,proto3" json:"data,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *Secret) Reset() {
 	*x = Secret{}
 	if protoimpl.UnsafeEnabled {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[1]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 }
 func (x *Secret) String() string {
 	return protoimpl.X.MessageStringOf(x)
@ -124,7 +121,7 @@ func (*Secret) ProtoMessage() {}
 func (x *Secret) ProtoReflect() protoreflect.Message {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -162,22 +159,19 @@ func (x *Secret) GetData() map[string][]byte {
 // GetSecretRequest requests secret from the secret store.
 type GetSecretRequest struct {
-	state         protoimpl.MessageState
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Config        *ConfigReference       `protobuf:"bytes,1,opt,name=config,proto3" json:"config,omitempty"`
 	Secret        *Secret                `protobuf:"bytes,2,opt,name=secret,proto3" json:"secret,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *GetSecretRequest) Reset() {
 	*x = GetSecretRequest{}
 	if protoimpl.UnsafeEnabled {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[2]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 }
 func (x *GetSecretRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
@ -187,7 +181,7 @@ func (*GetSecretRequest) ProtoMessage() {}
 func (x *GetSecretRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -218,21 +212,18 @@ func (x *GetSecretRequest) GetSecret() *Secret {
 // GetSecretResponse returns the secret from the secret store.
 type GetSecretResponse struct {
-	state         protoimpl.MessageState
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Secret        *Secret                `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *GetSecretResponse) Reset() {
 	*x = GetSecretResponse{}
 	if protoimpl.UnsafeEnabled {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[3]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 }
 func (x *GetSecretResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
@ -242,7 +233,7 @@ func (*GetSecretResponse) ProtoMessage() {}
 func (x *GetSecretResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -266,22 +257,19 @@ func (x *GetSecretResponse) GetSecret() *Secret {
 // ApplySecretRequest applies the secret data update to the secret store.
 type ApplySecretRequest struct {
-	state         protoimpl.MessageState
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Config        *ConfigReference       `protobuf:"bytes,1,opt,name=config,proto3" json:"config,omitempty"`
 	Secret        *Secret                `protobuf:"bytes,2,opt,name=secret,proto3" json:"secret,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *ApplySecretRequest) Reset() {
 	*x = ApplySecretRequest{}
 	if protoimpl.UnsafeEnabled {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[4]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 }
 func (x *ApplySecretRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
@ -291,7 +279,7 @@ func (*ApplySecretRequest) ProtoMessage() {}
 func (x *ApplySecretRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -322,21 +310,18 @@ func (x *ApplySecretRequest) GetSecret() *Secret {
 // ApplySecretResponse returns if the secret is changed or not.
 type ApplySecretResponse struct {
-	state         protoimpl.MessageState
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Changed       bool                   `protobuf:"varint,1,opt,name=changed,proto3" json:"changed,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *ApplySecretResponse) Reset() {
 	*x = ApplySecretResponse{}
 	if protoimpl.UnsafeEnabled {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[5]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 }
 func (x *ApplySecretResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
@ -346,7 +331,7 @@ func (*ApplySecretResponse) ProtoMessage() {}
 func (x *ApplySecretResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -370,22 +355,19 @@ func (x *ApplySecretResponse) GetChanged() bool {
 // DeleteKeysRequest deletes the secret from the secret store.
 type DeleteKeysRequest struct {
-	state         protoimpl.MessageState
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Config        *ConfigReference       `protobuf:"bytes,1,opt,name=config,proto3" json:"config,omitempty"`
 	Secret        *Secret                `protobuf:"bytes,2,opt,name=secret,proto3" json:"secret,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *DeleteKeysRequest) Reset() {
 	*x = DeleteKeysRequest{}
 	if protoimpl.UnsafeEnabled {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[6]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 }
 func (x *DeleteKeysRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
@ -395,7 +377,7 @@ func (*DeleteKeysRequest) ProtoMessage() {}
 func (x *DeleteKeysRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -426,19 +408,17 @@ func (x *DeleteKeysRequest) GetSecret() *Secret {
 // DeleteKeysResponse is returned if the secret is deleted.
 type DeleteKeysResponse struct {
-	state         protoimpl.MessageState
+	state         protoimpl.MessageState `protogen:"open.v1"`
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 func (x *DeleteKeysResponse) Reset() {
 	*x = DeleteKeysResponse{}
 	if protoimpl.UnsafeEnabled {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[7]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 }
 func (x *DeleteKeysResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
@ -448,7 +428,7 @@ func (*DeleteKeysResponse) ProtoMessage() {}
 func (x *DeleteKeysResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_proto_v1alpha1_ess_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@ -465,7 +445,7 @@ func (*DeleteKeysResponse) Descriptor() ([]byte, []int) {
 var File_proto_v1alpha1_ess_proto protoreflect.FileDescriptor
-var file_proto_v1alpha1_ess_proto_rawDesc = []byte{
+var file_proto_v1alpha1_ess_proto_rawDesc = string([]byte{
 	0x0a, 0x18, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
 	0x2f, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x12, 0x65, 0x73, 0x73, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, 0x5a,
@ -552,22 +532,22 @@ var file_proto_v1alpha1_ess_proto_rawDesc = []byte{
 	0x73, 0x73, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2d, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x2f,
 	0x61, 0x70, 0x69, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70,
 	0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 var (
 	file_proto_v1alpha1_ess_proto_rawDescOnce sync.Once
-	file_proto_v1alpha1_ess_proto_rawDescData = file_proto_v1alpha1_ess_proto_rawDesc
+	file_proto_v1alpha1_ess_proto_rawDescData []byte
 )
 func file_proto_v1alpha1_ess_proto_rawDescGZIP() []byte {
 	file_proto_v1alpha1_ess_proto_rawDescOnce.Do(func() {
-		file_proto_v1alpha1_ess_proto_rawDescData = protoimpl.X.CompressGZIP(file_proto_v1alpha1_ess_proto_rawDescData)
+		file_proto_v1alpha1_ess_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_proto_v1alpha1_ess_proto_rawDesc), len(file_proto_v1alpha1_ess_proto_rawDesc)))
 	})
 	return file_proto_v1alpha1_ess_proto_rawDescData
 }
 var file_proto_v1alpha1_ess_proto_msgTypes = make([]protoimpl.MessageInfo, 10)
-var file_proto_v1alpha1_ess_proto_goTypes = []interface{}{
+var file_proto_v1alpha1_ess_proto_goTypes = []any{
 	(*ConfigReference)(nil),     // 0: ess.proto.v1alpha1.ConfigReference
 	(*Secret)(nil),              // 1: ess.proto.v1alpha1.Secret
 	(*GetSecretRequest)(nil),    // 2: ess.proto.v1alpha1.GetSecretRequest
@ -607,109 +587,11 @@ func file_proto_v1alpha1_ess_proto_init() {
 	if File_proto_v1alpha1_ess_proto != nil {
 		return
 	}
 	if !protoimpl.UnsafeEnabled {
 		file_proto_v1alpha1_ess_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*ConfigReference); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_proto_v1alpha1_ess_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*Secret); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_proto_v1alpha1_ess_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*GetSecretRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_proto_v1alpha1_ess_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*GetSecretResponse); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_proto_v1alpha1_ess_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*ApplySecretRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_proto_v1alpha1_ess_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*ApplySecretResponse); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_proto_v1alpha1_ess_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*DeleteKeysRequest); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 		file_proto_v1alpha1_ess_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*DeleteKeysResponse); i {
 			case 0:
 				return &v.state
 			case 1:
 				return &v.sizeCache
 			case 2:
 				return &v.unknownFields
 			default:
 				return nil
 			}
 		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_proto_v1alpha1_ess_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_v1alpha1_ess_proto_rawDesc), len(file_proto_v1alpha1_ess_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   10,
 			NumExtensions: 0,
@ -720,7 +602,6 @@ func file_proto_v1alpha1_ess_proto_init() {
 		MessageInfos:      file_proto_v1alpha1_ess_proto_msgTypes,
 	}.Build()
 	File_proto_v1alpha1_ess_proto = out.File
 	file_proto_v1alpha1_ess_proto_rawDesc = nil
 	file_proto_v1alpha1_ess_proto_goTypes = nil
 	file_proto_v1alpha1_ess_proto_depIdxs = nil
 }
--- a/apis/proto/v1alpha1/ess.proto
+++ b/apis/proto/v1alpha1/ess.proto
@ -13,6 +13,7 @@ limitations under the License.
 syntax = "proto3";
 // buf:lint:ignore PACKAGE_DIRECTORY_MATCH
 package ess.proto.v1alpha1;
 option go_package = "github.com/crossplane/crossplane-runtime/apis/proto/v1alpha1";
--- a/apis/proto/v1alpha1/ess_grpc.pb.go
+++ b/apis/proto/v1alpha1/ess_grpc.pb.go
@ -16,6 +16,8 @@
 // - protoc             (unknown)
 // source: proto/v1alpha1/ess.proto
 // buf:lint:ignore PACKAGE_DIRECTORY_MATCH
 package v1alpha1
 import (
--- a/1
+++ b/1
@ -1 +0,0 @@
 Subproject commit 7da2fdeb3dc1ebbce8210a58616debe34ef0fd97
--- a/go.mod
+++ b/go.mod
@ -1,124 +1,84 @@
 module github.com/crossplane/crossplane-runtime
-go 1.20
+go 1.24.0
 require (
-	dario.cat/mergo v1.0.0
+	dario.cat/mergo v1.0.1
-	github.com/bufbuild/buf v1.27.1
+	github.com/evanphx/json-patch v5.9.11+incompatible
-	github.com/go-logr/logr v1.2.4
+	github.com/go-logr/logr v1.4.2
-	github.com/google/go-cmp v0.6.0
+	github.com/google/go-cmp v0.7.0
-	github.com/spf13/afero v1.10.0
+	github.com/prometheus/client_golang v1.22.0
-	golang.org/x/time v0.3.0
+	github.com/spf13/afero v1.11.0
-	google.golang.org/grpc v1.59.0
+	golang.org/x/time v0.9.0
 	google.golang.org/grpc v1.68.1
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0
-	google.golang.org/protobuf v1.31.0
+	google.golang.org/protobuf v1.36.5
-	k8s.io/api v0.28.3
+	k8s.io/api v0.33.0
-	k8s.io/apiextensions-apiserver v0.28.3
+	k8s.io/apiextensions-apiserver v0.33.0
-	k8s.io/apimachinery v0.28.3
+	k8s.io/apimachinery v0.33.0
-	k8s.io/client-go v0.28.3
+	k8s.io/client-go v0.33.0
-	sigs.k8s.io/controller-runtime v0.16.3
+	k8s.io/component-base v0.33.0
-	sigs.k8s.io/controller-tools v0.13.0
+	k8s.io/klog/v2 v2.130.1
-	sigs.k8s.io/yaml v1.3.0
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
 	sigs.k8s.io/controller-runtime v0.19.0
 	sigs.k8s.io/controller-tools v0.18.0
 	sigs.k8s.io/yaml v1.4.0
 )
 require (
 	connectrpc.com/connect v1.11.1 // indirect
 	connectrpc.com/otelconnect v0.6.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bufbuild/protocompile v0.6.0 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.5.0 // indirect
 	github.com/docker/cli v24.0.6+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v24.0.6+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
-	github.com/fatih/color v1.15.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
-	github.com/felixge/fgprof v0.9.3 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-chi/chi/v5 v5.0.10 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gobuffalo/flect v1.0.2 // indirect
+	github.com/gobuffalo/flect v1.0.3 // indirect
 	github.com/gofrs/uuid/v5 v5.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-containerregistry v0.16.1 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
 	github.com/google/uuid v1.3.1 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jdx/go-netrc v1.0.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.1 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pkg/profile v1.7.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/client_golang v1.16.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/rs/cors v1.10.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	go.opentelemetry.io/otel v1.33.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
+	go.opentelemetry.io/otel/trace v1.33.0 // indirect
-	github.com/spf13/cobra v1.7.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/mod v0.24.0 // indirect
-	github.com/tetratelabs/wazero v1.5.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
-	github.com/vbatts/tar-split v0.11.5 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
-	go.opentelemetry.io/otel v1.19.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
-	go.opentelemetry.io/otel/metric v1.19.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.19.0 // indirect
+	golang.org/x/term v0.31.0 // indirect
-	go.opentelemetry.io/otel/trace v1.19.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
-	go.uber.org/atomic v1.11.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
 	golang.org/x/mod v0.13.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.11.0 // indirect
 	golang.org/x/sync v0.4.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/tools v0.14.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/component-base v0.28.3 // indirect
+	k8s.io/code-generator v0.33.0 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
+	k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7 // indirect
-	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
-	k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,716 +1,249 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
 cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
 cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
 cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
 cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
 cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
 cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
 cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
 cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
 cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
 cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
 cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
 cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
 cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
 connectrpc.com/connect v1.11.1 h1:dqRwblixqkVh+OFBOOL1yIf1jS/yP0MSJLijRj29bFg=
 connectrpc.com/connect v1.11.1/go.mod h1:3AGaO6RRGMx5IKFfqbe3hvK1NqLosFNP2BxDYTPmNPo=
 connectrpc.com/otelconnect v0.6.0 h1:VJAdQL9+sgdUw9+7+J+jq8pQo/h1S7tSFv2+vDcR7bU=
 connectrpc.com/otelconnect v0.6.0/go.mod h1:jdcs0uiwXQVmSMgTJ2dAaWR5VbpNd7QKNkuoH7n86RA=
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bufbuild/buf v1.27.1 h1:r8nmR+QLdpzgMr/F6+ua0awewMKGVf3uHsW0/UoUeME=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
-github.com/bufbuild/buf v1.27.1/go.mod h1:BTXcNcZU8rvEZv2MdmVGpEyNgrXQ2UYO9u8H8yLmOdM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/bufbuild/protocompile v0.6.0 h1:Uu7WiSQ6Yj9DbkdnOe7U4mNKp58y9WDMKDn28/ZlunY=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/bufbuild/protocompile v0.6.0/go.mod h1:YNP35qEYoYGme7QMtz5SBCoN4kL4g12jTtjuzRNdjpE=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/cli v24.0.6+incompatible h1:fF+XCQCgJjjQNIMjzaSmiKJSCcfcXb3TWTcc7GAneOY=
 github.com/docker/cli v24.0.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE=
 github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
 github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
-github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
+github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
-github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
 github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
-github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
-github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
+github.com/gobuffalo/flect v1.0.3 h1:xeWBM2nui+qnVvNM4S3foBhCAL2XgPU+a7FdpelbTq4=
-github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gobuffalo/flect v1.0.3/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ=
 github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
-github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 h1:pUa4ghanp6q4IJHwE9RwLgmVFfReJN+KbQ8ExNEUUoQ=
 github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jdx/go-netrc v1.0.0 h1:QbLMLyCZGj0NA8glAhxUpf1zDg6cxnWgMBbjq40W0gQ=
 github.com/jdx/go-netrc v1.0.0/go.mod h1:Gh9eFQJnoTNIRHXl2j5bJXA1u84hQWJWgGh569zF3v8=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jhump/protoreflect v1.15.3 h1:6SFRuqU45u9hIZPJAoZ8c28T3nK64BNdp9w6jFonzls=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.1 h1:NE3C767s2ak2bweCZo3+rdP4U/HoyVXLv/X9f2gPS5g=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.17.1/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
+github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
+github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rs/cors v1.10.1 h1:L0uuZVXIKlI1SShY2nhFfo44TYvDPQ1w4oFkUJNfhyo=
 github.com/rs/cors v1.10.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
-github.com/spf13/afero v1.10.0 h1:EaGW2JJh15aKOejeuJ+wpFSHnbd7GE6Wvp3TsNhb6LY=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/tetratelabs/wazero v1.5.0 h1:Yz3fZHivfDiZFUXnWMPUoiW7s8tC1sjdBtlJn08qYa0=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tetratelabs/wazero v1.5.0/go.mod h1:0U0G41+ochRKoPKCJlh0jMg1CHkyfK8kDqiirMmKY8A=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
-github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs=
 go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY=
 go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE=
 go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8=
 go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o=
 go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A=
 go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k=
 go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg=
 go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
-go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
 golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
 golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
 golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
 golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
 golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
 golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
 golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw=
 google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
 google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
 google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
 google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
 google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 h1:rNBFJjBCOgVr9pWD7rs/knKL4FRTKgpZmsRfV214zcA=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0/go.mod h1:Dk1tviKTvMCz5tvh7t+fh94dhmQVHuCt2OzJB3CTW9Y=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
+k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/apiextensions-apiserver v0.33.0 h1:d2qpYL7Mngbsc1taA4IjJPRJ9ilnsXIrndH+r9IimOs=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/apiextensions-apiserver v0.33.0/go.mod h1:VeJ8u9dEEN+tbETo+lFkwaaZPg6uFKLGj5vyNEwwSzc=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+k8s.io/client-go v0.33.0 h1:UASR0sAYVUzs2kYuKn/ZakZlcs2bEHaizrrHUZg0G98=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+k8s.io/client-go v0.33.0/go.mod h1:kGkd+l/gNGg8GYWAPr0xF1rRKvVWvzh9vmZAMXtaKOg=
-k8s.io/api v0.28.3 h1:Gj1HtbSdB4P08C8rs9AR94MfSGpRhJgsS+GF9V26xMM=
+k8s.io/code-generator v0.33.0 h1:B212FVl6EFqNmlgdOZYWNi77yBv+ed3QgQsMR8YQCw4=
-k8s.io/api v0.28.3/go.mod h1:MRCV/jr1dW87/qJnZ57U5Pak65LGmQVkKTzf3AtKFHc=
+k8s.io/code-generator v0.33.0/go.mod h1:KnJRokGxjvbBQkSJkbVuBbu6z4B0rC7ynkpY5Aw6m9o=
-k8s.io/apiextensions-apiserver v0.28.3 h1:Od7DEnhXHnHPZG+W9I97/fSQkVpVPQx2diy+2EtmY08=
+k8s.io/component-base v0.33.0 h1:Ot4PyJI+0JAD9covDhwLp9UNkUja209OzsJ4FzScBNk=
-k8s.io/apiextensions-apiserver v0.28.3/go.mod h1:NE1XJZ4On0hS11aWWJUTNkmVB03j9LM7gJSisbRt8Lc=
+k8s.io/component-base v0.33.0/go.mod h1:aXYZLbw3kihdkOPMDhWbjGCO6sg+luw554KP51t8qCU=
-k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A=
+k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7 h1:2OX19X59HxDprNCVrWi6jb7LW1PoqTlYqEq5H2oetog=
-k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8=
+k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
-k8s.io/client-go v0.28.3 h1:2OqNb72ZuTZPKCl+4gTKvqao0AMOl9f3o2ijbAj3LI4=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
-k8s.io/client-go v0.28.3/go.mod h1:LTykbBp9gsA7SwqirlCXBWtK0guzfhpoW4qSm7i9dxo=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
-k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
-k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
-k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
+sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
-k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
+sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
-k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU=
+sigs.k8s.io/controller-tools v0.18.0 h1:rGxGZCZTV2wJreeRgqVoWab/mfcumTMmSwKzoM9xrsE=
-k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-tools v0.18.0/go.mod h1:gLKoiGBriyNh+x1rWtUQnakUYEujErjXs9pf+x/8n1U=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
-sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/controller-tools v0.13.0 h1:NfrvuZ4bxyolhDBt/rCZhDnx3M2hzlhgo5n3Iv2RykI=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
-sigs.k8s.io/controller-tools v0.13.0/go.mod h1:5vw3En2NazbejQGCeWKRrE7q4P+CW8/klfVqP8QZkgA=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
--- a/hack/boilerplate.go.txt
+++ b/hack/boilerplate.go.txt
@ -1,5 +1,5 @@
 /*
-Copyright 2019 The Crossplane Authors.
+Copyright 2025 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
--- a/hack/linter-violation.tmpl
+++ b/hack/linter-violation.tmpl
@ -1,3 +1,3 @@
 `{{violation.rule}}`: {{violation.message}}
-Refer to Crossplane's [coding style documentation](https://github.com/crossplane/crossplane/blob/master/CONTRIBUTING.md#coding-style-and-linting) for more information.
+Refer to Crossplane's [coding style documentation](https://github.com/crossplane/crossplane/blob/main/CONTRIBUTING.md#coding-style-and-linting) for more information.
--- a/pkg/certificates/certificates.go
+++ b/pkg/certificates/certificates.go
@ -36,12 +36,14 @@ const (
 func LoadMTLSConfig(caPath, certPath, keyPath string, isServer bool) (*tls.Config, error) {
 	tlsCertFilePath := filepath.Clean(certPath)
 	tlsKeyFilePath := filepath.Clean(keyPath)
 	certificate, err := tls.LoadX509KeyPair(tlsCertFilePath, tlsKeyFilePath)
 	if err != nil {
 		return nil, errors.Wrap(err, errLoadCert)
 	}
 	caCertFilePath := filepath.Clean(caPath)
 	ca, err := os.ReadFile(caCertFilePath)
 	if err != nil {
 		return nil, errors.Wrap(err, errLoadCA)
--- a/pkg/certificates/certificates_test.go
+++ b/pkg/certificates/certificates_test.go
@ -27,10 +27,12 @@ func TestLoad(t *testing.T) {
 		certsFolderPath         string
 		requireClientValidation bool
 	}
 	type want struct {
 		err error
 		out *tls.Config
 	}
 	cases := map[string]struct {
 		reason string
 		args
@ -92,16 +94,16 @@ func TestLoad(t *testing.T) {
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
-			certsFolderPath := tc.args.certsFolderPath
+			certsFolderPath := tc.certsFolderPath
-			requireClient := tc.args.requireClientValidation
+			requireClient := tc.requireClientValidation
 			cfg, err := LoadMTLSConfig(filepath.Join(certsFolderPath, caCertFileName), filepath.Join(certsFolderPath, tlsCertFileName), filepath.Join(certsFolderPath, tlsKeyFileName), requireClient)
-			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
+			if diff := cmp.Diff(tc.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nLoad(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			if requireClient {
-				if diff := cmp.Diff(tc.want.out.ClientAuth, cfg.ClientAuth); diff != "" {
+				if diff := cmp.Diff(tc.out.ClientAuth, cfg.ClientAuth); diff != "" {
 					t.Errorf("\n%s\nLoad(...): -want, +got:\n%s", tc.reason, diff)
 				}
 			}
--- a/pkg/conditions/manager.go
+++ b/pkg/conditions/manager.go
@ -0,0 +1,73 @@
 /*
 Copyright 2025 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package conditions enables consistent interactions with an object's status conditions.
 package conditions
 import (
 	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 )
 // ObjectWithConditions is the interface definition that allows.
 type ObjectWithConditions interface {
 	resource.Object
 	resource.Conditioned
 }
 // Manager is an interface for a stateless factory-like object that produces ConditionSet objects.
 type Manager interface {
 	// For returns an implementation of a ConditionSet to operate on a specific ObjectWithConditions.
 	For(o ObjectWithConditions) ConditionSet
 }
 // ConditionSet holds operations for interacting with an object's conditions.
 type ConditionSet interface {
 	// MarkConditions adds or updates the conditions onto the managed resource object. Unlike a "Set" method, this also
 	// can add contextual updates to the condition such as propagating the correct observedGeneration to the conditions
 	// being changed.
 	MarkConditions(condition ...xpv1.Condition)
 }
 // ObservedGenerationPropagationManager is the top level factor for producing a ConditionSet
 // on behalf of a ObjectWithConditions resource, the ConditionSet is only currently concerned with
 // propagating observedGeneration to conditions that are being updated.
 // observedGenerationPropagationManager implements Manager.
 type ObservedGenerationPropagationManager struct{}
 // For implements Manager.For.
 func (m ObservedGenerationPropagationManager) For(o ObjectWithConditions) ConditionSet {
 	return &observedGenerationPropagationConditionSet{o: o}
 }
 // observedGenerationPropagationConditionSet propagates the meta.generation of the given object
 // to the observedGeneration of any condition being set via the `MarkConditions` method.
 type observedGenerationPropagationConditionSet struct {
 	o ObjectWithConditions
 }
 // MarkConditions implements ConditionSet.MarkConditions.
 func (c *observedGenerationPropagationConditionSet) MarkConditions(condition ...xpv1.Condition) {
 	if c == nil || c.o == nil {
 		return
 	}
 	// Foreach condition we have been sent to mark, update the observed generation.
 	for i := range condition {
 		condition[i].ObservedGeneration = c.o.GetGeneration()
 	}
 	c.o.SetConditions(condition...)
 }
--- a/pkg/conditions/manager_test.go
+++ b/pkg/conditions/manager_test.go
@ -0,0 +1,135 @@
 /*
 Copyright 2025 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 	http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package conditions
 import (
 	"reflect"
 	"testing"
 	"time"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/resource/fake"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 )
 // Check that conditionsImpl implements ConditionManager.
 var _ Manager = (*ObservedGenerationPropagationManager)(nil)
 // Check that conditionSet implements ConditionSet.
 var _ ConditionSet = (*observedGenerationPropagationConditionSet)(nil)
 func TestOGConditionSetMark(t *testing.T) {
 	manager := new(ObservedGenerationPropagationManager)
 	tests := map[string]struct {
 		reason string
 		start  []xpv1.Condition
 		mark   []xpv1.Condition
 		want   []xpv1.Condition
 	}{
 		"ProvideNoConditions": {
 			reason: "If updating a resource without conditions with no new conditions, conditions should remain empty.",
 			start:  nil,
 			mark:   nil,
 			want:   nil,
 		},
 		"EmptyAppendCondition": {
 			reason: "If starting with a resource without conditions, and we mark a condition, it should propagate to conditions with the correct generation.",
 			start:  nil,
 			mark:   []xpv1.Condition{xpv1.ReconcileSuccess()},
 			want:   []xpv1.Condition{xpv1.ReconcileSuccess().WithObservedGeneration(42)},
 		},
 		"ExistingMarkNothing": {
 			reason: "If the resource has a condition and we update nothing, nothing should change.",
 			start:  []xpv1.Condition{xpv1.Available().WithObservedGeneration(1)},
 			mark:   nil,
 			want:   []xpv1.Condition{xpv1.Available().WithObservedGeneration(1)},
 		},
 		"ExistingUpdated": {
 			reason: "If a resource starts with a condition, and we update it, we should see the observedGeneration be updated",
 			start:  []xpv1.Condition{xpv1.ReconcileSuccess().WithObservedGeneration(1)},
 			mark:   []xpv1.Condition{xpv1.ReconcileSuccess()},
 			want:   []xpv1.Condition{xpv1.ReconcileSuccess().WithObservedGeneration(42)},
 		},
 		"ExistingAppended": {
 			reason: "If a resource has an existing condition and we make another condition, the new condition should merge into the conditions list.",
 			start:  []xpv1.Condition{xpv1.Available().WithObservedGeneration(1)},
 			mark:   []xpv1.Condition{xpv1.ReconcileSuccess()},
 			want:   []xpv1.Condition{xpv1.Available().WithObservedGeneration(1), xpv1.ReconcileSuccess().WithObservedGeneration(42)},
 		},
 	}
 	for name, tt := range tests {
 		t.Run(name, func(t *testing.T) {
 			ut := newManaged(42, tt.start...)
 			c := manager.For(ut)
 			c.MarkConditions(tt.mark...)
 			if diff := cmp.Diff(tt.want, ut.Conditions, test.EquateConditions(), cmpopts.EquateApproxTime(1*time.Second)); diff != "" {
 				t.Errorf("\nReason: %s\n-want, +got:\n%s", tt.reason, diff)
 			}
 		})
 	}
 	t.Run("ManageNilObject", func(t *testing.T) {
 		c := manager.For(nil)
 		if c == nil {
 			t.Errorf("manager.For(nil) = %v, want non-nil", c)
 		}
 		// Test that Marking on a Manager that has a nil object does not end up panicking.
 		c.MarkConditions(xpv1.ReconcileSuccess())
 		// Success!
 	})
 }
 func TestOGManagerFor(t *testing.T) {
 	tests := map[string]struct {
 		reason string
 		o      ObjectWithConditions
 		want   ConditionSet
 	}{
 		"NilObject": {
 			reason: "Even if an object is nil, the manager should return a non-nil ConditionSet",
 			want:   &observedGenerationPropagationConditionSet{},
 		},
 		"Object": {
 			reason: "Object propagates into manager.",
 			o:      &fake.Managed{},
 			want: &observedGenerationPropagationConditionSet{
 				o: &fake.Managed{},
 			},
 		},
 	}
 	for name, tt := range tests {
 		t.Run(name, func(t *testing.T) {
 			m := &ObservedGenerationPropagationManager{}
 			if got := m.For(tt.o); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("\nReason: %s\nFor() = %v, want %v", tt.reason, got, tt.want)
 			}
 		})
 	}
 }
 func newManaged(generation int64, conditions ...xpv1.Condition) *fake.Managed {
 	mg := &fake.Managed{}
 	mg.Generation = generation
 	mg.SetConditions(conditions...)
 	return mg
 }
--- a/pkg/connection/fake/mocks.go
+++ b/pkg/connection/fake/mocks.go
@ -1,81 +0,0 @@
 /*
 Copyright 2022 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package fake implements a fake secret store.
 package fake
 import (
 	"context"
 	"encoding/json"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store"
 )
 // SecretStore is a fake SecretStore
 type SecretStore struct {
 	ReadKeyValuesFn   func(ctx context.Context, n store.ScopedName, s *store.Secret) error
 	WriteKeyValuesFn  func(ctx context.Context, s *store.Secret, wo ...store.WriteOption) (bool, error)
 	DeleteKeyValuesFn func(ctx context.Context, s *store.Secret, do ...store.DeleteOption) error
 }
 // ReadKeyValues reads key values.
 func (ss *SecretStore) ReadKeyValues(ctx context.Context, n store.ScopedName, s *store.Secret) error {
 	return ss.ReadKeyValuesFn(ctx, n, s)
 }
 // WriteKeyValues writes key values.
 func (ss *SecretStore) WriteKeyValues(ctx context.Context, s *store.Secret, wo ...store.WriteOption) (bool, error) {
 	return ss.WriteKeyValuesFn(ctx, s, wo...)
 }
 // DeleteKeyValues deletes key values.
 func (ss *SecretStore) DeleteKeyValues(ctx context.Context, s *store.Secret, do ...store.DeleteOption) error {
 	return ss.DeleteKeyValuesFn(ctx, s, do...)
 }
 // StoreConfig is a mock implementation of the StoreConfig interface.
 type StoreConfig struct { //nolint:musttag // This is a fake implementation to be used in unit tests only.
 	metav1.ObjectMeta
 	Config v1.SecretStoreConfig
 	v1.ConditionedStatus
 }
 // GetStoreConfig returns SecretStoreConfig
 func (s *StoreConfig) GetStoreConfig() v1.SecretStoreConfig {
 	return s.Config
 }
 // GetObjectKind returns schema.ObjectKind.
 func (s *StoreConfig) GetObjectKind() schema.ObjectKind {
 	return schema.EmptyObjectKind
 }
 // DeepCopyObject returns a copy of the object as runtime.Object
 func (s *StoreConfig) DeepCopyObject() runtime.Object {
 	out := &StoreConfig{}
 	j, err := json.Marshal(s)
 	if err != nil {
 		panic(err)
 	}
 	_ = json.Unmarshal(j, out)
 	return out
 }
--- a/pkg/connection/interfaces.go
+++ b/pkg/connection/interfaces.go
@ -1,39 +0,0 @@
 /*
 Copyright 2022 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package connection
 import (
 	"context"
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store"
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 )
 // A StoreConfig configures a connection store.
 type StoreConfig interface {
 	resource.Object
 	GetStoreConfig() v1.SecretStoreConfig
 }
 // A Store stores sensitive key values in Secret.
 type Store interface {
 	ReadKeyValues(ctx context.Context, n store.ScopedName, s *store.Secret) error
 	WriteKeyValues(ctx context.Context, s *store.Secret, wo ...store.WriteOption) (changed bool, err error)
 	DeleteKeyValues(ctx context.Context, s *store.Secret, do ...store.DeleteOption) error
 }
--- a/pkg/connection/manager.go
+++ b/pkg/connection/manager.go
@ -1,220 +0,0 @@
 /*
 Copyright 2022 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package connection provides utilities for working with connection details.
 package connection
 import (
 	"context"
 	"crypto/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 	"github.com/crossplane/crossplane-runtime/pkg/reconciler/managed"
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 )
 // Error strings.
 const (
 	errConnectStore    = "cannot connect to secret store"
 	errWriteStore      = "cannot write to secret store"
 	errReadStore       = "cannot read from secret store"
 	errDeleteFromStore = "cannot delete from secret store"
 	errGetStoreConfig  = "cannot get store config"
 	errSecretConflict  = "cannot establish control of existing connection secret"
 	errFmtNotOwnedBy = "existing secret is not owned by UID %q"
 )
 // StoreBuilderFn is a function that builds and returns a Store with a given
 // store config.
 type StoreBuilderFn func(ctx context.Context, local client.Client, tcfg *tls.Config, cfg v1.SecretStoreConfig) (Store, error)
 // A DetailsManagerOption configures a DetailsManager.
 type DetailsManagerOption func(*DetailsManager)
 // WithStoreBuilder configures the StoreBuilder to use.
 func WithStoreBuilder(sb StoreBuilderFn) DetailsManagerOption {
 	return func(m *DetailsManager) {
 		m.storeBuilder = sb
 	}
 }
 // WithTLSConfig configures the TLS config to use.
 func WithTLSConfig(tcfg *tls.Config) DetailsManagerOption {
 	return func(m *DetailsManager) {
 		m.tcfg = tcfg
 	}
 }
 // DetailsManager is a connection details manager that satisfies the required
 // interfaces to work with connection details by managing interaction with
 // different store implementations.
 type DetailsManager struct {
 	client       client.Client
 	newConfig    func() StoreConfig
 	storeBuilder StoreBuilderFn
 	tcfg         *tls.Config
 }
 // NewDetailsManager returns a new connection DetailsManager.
 func NewDetailsManager(c client.Client, of schema.GroupVersionKind, o ...DetailsManagerOption) *DetailsManager {
 	nc := func() StoreConfig {
 		return resource.MustCreateObject(of, c.Scheme()).(StoreConfig)
 	}
 	// Panic early if we've been asked to reconcile a resource kind that has not
 	// been registered with our controller manager's scheme.
 	_ = nc()
 	m := &DetailsManager{
 		client:       c,
 		newConfig:    nc,
 		storeBuilder: RuntimeStoreBuilder,
 	}
 	for _, mo := range o {
 		mo(m)
 	}
 	return m
 }
 // PublishConnection publishes the supplied ConnectionDetails to a secret on
 // the configured connection Store.
 func (m *DetailsManager) PublishConnection(ctx context.Context, so resource.ConnectionSecretOwner, conn managed.ConnectionDetails) (bool, error) {
 	// This resource does not want to expose a connection secret.
 	p := so.GetPublishConnectionDetailsTo()
 	if p == nil {
 		return false, nil
 	}
 	ss, err := m.connectStore(ctx, p)
 	if err != nil {
 		return false, errors.Wrap(err, errConnectStore)
 	}
 	changed, err := ss.WriteKeyValues(ctx, store.NewSecret(so, store.KeyValues(conn)), SecretToWriteMustBeOwnedBy(so))
 	return changed, errors.Wrap(err, errWriteStore)
 }
 // UnpublishConnection deletes connection details secret to the configured
 // connection Store.
 func (m *DetailsManager) UnpublishConnection(ctx context.Context, so resource.ConnectionSecretOwner, conn managed.ConnectionDetails) error {
 	// This resource didn't expose a connection secret.
 	p := so.GetPublishConnectionDetailsTo()
 	if p == nil {
 		return nil
 	}
 	ss, err := m.connectStore(ctx, p)
 	if err != nil {
 		return errors.Wrap(err, errConnectStore)
 	}
 	return errors.Wrap(ss.DeleteKeyValues(ctx, store.NewSecret(so, store.KeyValues(conn)), SecretToDeleteMustBeOwnedBy(so)), errDeleteFromStore)
 }
 // FetchConnection fetches connection details of a given ConnectionSecretOwner.
 func (m *DetailsManager) FetchConnection(ctx context.Context, so resource.ConnectionSecretOwner) (managed.ConnectionDetails, error) {
 	// This resource does not want to expose a connection secret.
 	p := so.GetPublishConnectionDetailsTo()
 	if p == nil {
 		return nil, nil
 	}
 	ss, err := m.connectStore(ctx, p)
 	if err != nil {
 		return nil, errors.Wrap(err, errConnectStore)
 	}
 	s := &store.Secret{}
 	return managed.ConnectionDetails(s.Data), errors.Wrap(ss.ReadKeyValues(ctx, store.ScopedName{Name: p.Name, Scope: so.GetNamespace()}, s), errReadStore)
 }
 // PropagateConnection propagate connection details from one resource to another.
 func (m *DetailsManager) PropagateConnection(ctx context.Context, to resource.LocalConnectionSecretOwner, from resource.ConnectionSecretOwner) (propagated bool, err error) {
 	// Either from does not expose a connection secret, or to does not want one.
 	if from.GetPublishConnectionDetailsTo() == nil || to.GetPublishConnectionDetailsTo() == nil {
 		return false, nil
 	}
 	ssFrom, err := m.connectStore(ctx, from.GetPublishConnectionDetailsTo())
 	if err != nil {
 		return false, errors.Wrap(err, errConnectStore)
 	}
 	sFrom := &store.Secret{}
 	if err = ssFrom.ReadKeyValues(ctx, store.ScopedName{
 		Name:  from.GetPublishConnectionDetailsTo().Name,
 		Scope: from.GetNamespace(),
 	}, sFrom); err != nil {
 		return false, errors.Wrap(err, errReadStore)
 	}
 	// Make sure 'from' is the controller of the connection secret it references
 	// before we propagate it. This ensures a resource cannot use Crossplane to
 	// circumvent RBAC by propagating a secret it does not own.
 	if sFrom.GetOwner() != string(from.GetUID()) {
 		return false, errors.New(errSecretConflict)
 	}
 	ssTo, err := m.connectStore(ctx, to.GetPublishConnectionDetailsTo())
 	if err != nil {
 		return false, errors.Wrap(err, errConnectStore)
 	}
 	changed, err := ssTo.WriteKeyValues(ctx, store.NewSecret(to, sFrom.Data), SecretToWriteMustBeOwnedBy(to))
 	return changed, errors.Wrap(err, errWriteStore)
 }
 func (m *DetailsManager) connectStore(ctx context.Context, p *v1.PublishConnectionDetailsTo) (Store, error) {
 	sc := m.newConfig()
 	if err := m.client.Get(ctx, types.NamespacedName{Name: p.SecretStoreConfigRef.Name}, sc); err != nil {
 		return nil, errors.Wrap(err, errGetStoreConfig)
 	}
 	return m.storeBuilder(ctx, m.client, m.tcfg, sc.GetStoreConfig())
 }
 // SecretToWriteMustBeOwnedBy requires that the current object is a
 // connection secret that is owned by an object with the supplied UID.
 func SecretToWriteMustBeOwnedBy(so metav1.Object) store.WriteOption {
 	return func(_ context.Context, current, _ *store.Secret) error {
 		return secretMustBeOwnedBy(so, current)
 	}
 }
 // SecretToDeleteMustBeOwnedBy requires that the current secret is owned by
 // an object with the supplied UID.
 func SecretToDeleteMustBeOwnedBy(so metav1.Object) store.DeleteOption {
 	return func(_ context.Context, secret *store.Secret) error {
 		return secretMustBeOwnedBy(so, secret)
 	}
 }
 func secretMustBeOwnedBy(so metav1.Object, secret *store.Secret) error {
 	if secret.Metadata == nil || secret.Metadata.GetOwnerUID() != string(so.GetUID()) {
 		return errors.Errorf(errFmtNotOwnedBy, string(so.GetUID()))
 	}
 	return nil
 }
--- a/pkg/connection/manager_test.go
+++ b/pkg/connection/manager_test.go
--- a/pkg/connection/store/kubernetes/store.go
+++ b/pkg/connection/store/kubernetes/store.go
@ -1,256 +0,0 @@
 /*
 Copyright 2022 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package kubernetes implements a secret store backed by Kubernetes Secrets.
 package kubernetes
 import (
 	"context"
 	"crypto/tls"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 )
 // Error strings.
 const (
 	errGetSecret    = "cannot get secret"
 	errDeleteSecret = "cannot delete secret"
 	errUpdateSecret = "cannot update secret"
 	errApplySecret  = "cannot apply secret"
 	errExtractKubernetesAuthCreds = "cannot extract kubernetes auth credentials"
 	errBuildRestConfig            = "cannot build rest config kubeconfig"
 	errBuildClient                = "cannot build Kubernetes client"
 )
 // SecretStore is a Kubernetes Secret Store.
 type SecretStore struct {
 	client resource.ClientApplicator
 	defaultNamespace string
 }
 // NewSecretStore returns a new Kubernetes SecretStore.
 func NewSecretStore(ctx context.Context, local client.Client, _ *tls.Config, cfg v1.SecretStoreConfig) (*SecretStore, error) {
 	kube, err := buildClient(ctx, local, cfg)
 	if err != nil {
 		return nil, errors.Wrap(err, errBuildClient)
 	}
 	return &SecretStore{
 		client: resource.ClientApplicator{
 			Client:     kube,
 			Applicator: resource.NewApplicatorWithRetry(resource.NewAPIPatchingApplicator(kube), resource.IsAPIErrorWrapped, nil),
 		},
 		defaultNamespace: cfg.DefaultScope,
 	}, nil
 }
 func buildClient(ctx context.Context, local client.Client, cfg v1.SecretStoreConfig) (client.Client, error) {
 	if cfg.Kubernetes == nil {
 		// No KubernetesSecretStoreConfig provided, local API Server will be
 		// used as Secret Store.
 		return local, nil
 	}
 	// Configure client for an external API server with a given Kubeconfig.
 	kfg, err := resource.CommonCredentialExtractor(ctx, cfg.Kubernetes.Auth.Source, local, cfg.Kubernetes.Auth.CommonCredentialSelectors)
 	if err != nil {
 		return nil, errors.Wrap(err, errExtractKubernetesAuthCreds)
 	}
 	config, err := clientcmd.RESTConfigFromKubeConfig(kfg)
 	if err != nil {
 		return nil, errors.Wrap(err, errBuildRestConfig)
 	}
 	return client.New(config, client.Options{})
 }
 // ReadKeyValues reads and returns key value pairs for a given Kubernetes Secret.
 func (ss *SecretStore) ReadKeyValues(ctx context.Context, n store.ScopedName, s *store.Secret) error {
 	ks := &corev1.Secret{}
 	if err := ss.client.Get(ctx, types.NamespacedName{Name: n.Name, Namespace: ss.namespaceForSecret(n)}, ks); resource.IgnoreNotFound(err) != nil {
 		return errors.Wrap(err, errGetSecret)
 	}
 	s.Data = ks.Data
 	s.Metadata = &v1.ConnectionSecretMetadata{
 		Labels:      ks.Labels,
 		Annotations: ks.Annotations,
 		Type:        &ks.Type,
 	}
 	return nil
 }
 // WriteKeyValues writes key value pairs to a given Kubernetes Secret.
 func (ss *SecretStore) WriteKeyValues(ctx context.Context, s *store.Secret, wo ...store.WriteOption) (bool, error) {
 	ks := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      s.Name,
 			Namespace: ss.namespaceForSecret(s.ScopedName),
 		},
 		Type: resource.SecretTypeConnection,
 		Data: s.Data,
 	}
 	if s.Metadata != nil {
 		ks.Labels = s.Metadata.Labels
 		ks.Annotations = s.Metadata.Annotations
 		if s.Metadata.Type != nil {
 			ks.Type = *s.Metadata.Type
 		}
 	}
 	ao := applyOptions(wo...)
 	ao = append(ao, resource.AllowUpdateIf(func(current, desired runtime.Object) bool {
 		// We consider the update to be a no-op and don't allow it if the
 		// current and existing secret data are identical.
 		return !cmp.Equal(current.(*corev1.Secret).Data, desired.(*corev1.Secret).Data, cmpopts.EquateEmpty())
 	}))
 	err := ss.client.Apply(ctx, ks, ao...)
 	if resource.IsNotAllowed(err) {
 		// The update was not allowed because it was a no-op.
 		return false, nil
 	}
 	if err != nil {
 		return false, errors.Wrap(err, errApplySecret)
 	}
 	return true, nil
 }
 // DeleteKeyValues delete key value pairs from a given Kubernetes Secret.
 // If no kv specified, the whole secret instance is deleted.
 // If kv specified, those would be deleted and secret instance will be deleted
 // only if there is no data left.
 func (ss *SecretStore) DeleteKeyValues(ctx context.Context, s *store.Secret, do ...store.DeleteOption) error {
 	// NOTE(turkenh): DeleteKeyValues method wouldn't need to do anything if we
 	// have used owner references similar to existing implementation. However,
 	// this wouldn't work if the K8s API is not the same as where ConnectionSecretOwner
 	// object lives, i.e. a remote cluster.
 	// Considering there is not much additional value with deletion via garbage
 	// collection in this specific case other than one less API call during
 	// deletion, I opted for unifying both instead of adding conditional logic
 	// like add owner references if not remote and not call delete etc.
 	ks := &corev1.Secret{}
 	err := ss.client.Get(ctx, types.NamespacedName{Name: s.Name, Namespace: ss.namespaceForSecret(s.ScopedName)}, ks)
 	if kerrors.IsNotFound(err) {
 		// Secret already deleted, nothing to do.
 		return nil
 	}
 	if err != nil {
 		return errors.Wrap(err, errGetSecret)
 	}
 	for _, o := range do {
 		if err = o(ctx, s); err != nil {
 			return err
 		}
 	}
 	// Delete all supplied keys from secret data
 	for k := range s.Data {
 		delete(ks.Data, k)
 	}
 	if len(s.Data) == 0 || len(ks.Data) == 0 {
 		// Secret is deleted only if:
 		// - No kv to delete specified as input
 		// - No data left in the secret
 		return errors.Wrapf(ss.client.Delete(ctx, ks), errDeleteSecret)
 	}
 	// If there are still keys left, update the secret with the remaining.
 	return errors.Wrapf(ss.client.Update(ctx, ks), errUpdateSecret)
 }
 func (ss *SecretStore) namespaceForSecret(n store.ScopedName) string {
 	if n.Scope == "" {
 		return ss.defaultNamespace
 	}
 	return n.Scope
 }
 func applyOptions(wo ...store.WriteOption) []resource.ApplyOption {
 	ao := make([]resource.ApplyOption, len(wo))
 	for i := range wo {
 		o := wo[i]
 		ao[i] = func(ctx context.Context, current, desired runtime.Object) error {
 			currentSecret := current.(*corev1.Secret)
 			desiredSecret := desired.(*corev1.Secret)
 			cs := &store.Secret{
 				ScopedName: store.ScopedName{
 					Name:  currentSecret.Name,
 					Scope: currentSecret.Namespace,
 				},
 				Metadata: &v1.ConnectionSecretMetadata{
 					Labels:      currentSecret.Labels,
 					Annotations: currentSecret.Annotations,
 					Type:        &currentSecret.Type,
 				},
 				Data: currentSecret.Data,
 			}
 			// NOTE(turkenh): With External Secret Stores, we are using a special label/tag with key
 			// "secret.crossplane.io/owner-uid" to track the owner of the connection secret. However, different from
 			// other Secret Store implementations, Kubernetes Store uses metadata.OwnerReferences for this purpose and
 			// we don't want it to appear in the labels of the secret additionally.
 			// Here we are adding the owner label to the internal representation of the current secret as part of
 			// converting store.WriteOption's to k8s resource.ApplyOption's, so that our generic store.WriteOptions
 			// checking secret owner could work as expected.
 			// Fixes: https://github.com/crossplane/crossplane/issues/3520
 			if len(currentSecret.GetOwnerReferences()) > 0 {
 				cs.Metadata.SetOwnerUID(currentSecret.GetOwnerReferences()[0].UID)
 			}
 			ds := &store.Secret{
 				ScopedName: store.ScopedName{
 					Name:  desiredSecret.Name,
 					Scope: desiredSecret.Namespace,
 				},
 				Metadata: &v1.ConnectionSecretMetadata{
 					Labels:      desiredSecret.Labels,
 					Annotations: desiredSecret.Annotations,
 					Type:        &desiredSecret.Type,
 				},
 				Data: desiredSecret.Data,
 			}
 			if err := o(ctx, cs, ds); err != nil {
 				return err
 			}
 			desiredSecret.Data = ds.Data
 			desiredSecret.Labels = ds.Metadata.Labels
 			desiredSecret.Annotations = ds.Metadata.Annotations
 			if ds.Metadata.Type != nil {
 				desiredSecret.Type = *ds.Metadata.Type
 			}
 			return nil
 		}
 	}
 	return ao
 }
--- a/pkg/connection/store/kubernetes/store_test.go
+++ b/pkg/connection/store/kubernetes/store_test.go
@ -1,897 +0,0 @@
 /*
 Copyright 2022 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package kubernetes
 import (
 	"context"
 	"testing"
 	"github.com/google/go-cmp/cmp"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 )
 var (
 	errBoom = errors.New("boom")
 	fakeSecretName      = "fake"
 	fakeSecretNamespace = "fake-namespace"
 	fakeOwnerID         = "00000000-0000-0000-0000-000000000000"
 	storeTypeKubernetes = v1.SecretStoreKubernetes
 )
 func fakeKV() map[string][]byte {
 	return map[string][]byte{
 		"key1": []byte("value1"),
 		"key2": []byte("value2"),
 		"key3": []byte("value3"),
 	}
 }
 func fakeLabels() map[string]string {
 	return map[string]string{
 		"environment": "unit-test",
 		"reason":      "testing",
 	}
 }
 func fakeAnnotations() map[string]string {
 	return map[string]string{
 		"some-annotation-key": "some-annotation-value",
 	}
 }
 func TestSecretStoreReadKeyValues(t *testing.T) {
 	type args struct {
 		client resource.ClientApplicator
 		n      store.ScopedName
 	}
 	type want struct {
 		result store.KeyValues
 		err    error
 	}
 	cases := map[string]struct {
 		reason string
 		args
 		want
 	}{
 		"CannotGetSecret": {
 			reason: "Should return a proper error if cannot get the secret",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(errBoom),
 					},
 				},
 				n: store.ScopedName{
 					Name: fakeSecretName,
 				},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errGetSecret),
 			},
 		},
 		"SuccessfulRead": {
 			reason: "Should return all key values after a success read",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: func(ctx context.Context, key client.ObjectKey, obj client.Object) error {
 							if key.Name != fakeSecretName || key.Namespace != fakeSecretNamespace {
 								return errors.New("unexpected secret name or namespace to get the secret")
 							}
 							*obj.(*corev1.Secret) = corev1.Secret{
 								Data: fakeKV(),
 							}
 							return nil
 						},
 					},
 				},
 				n: store.ScopedName{
 					Name:  fakeSecretName,
 					Scope: fakeSecretNamespace,
 				},
 			},
 			want: want{
 				result: store.KeyValues(fakeKV()),
 			},
 		},
 		"SecretNotFound": {
 			reason: "Should return nil as an error if secret is not found",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(kerrors.NewNotFound(schema.GroupResource{}, "")),
 					},
 				},
 			},
 			want: want{
 				err: nil,
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			ss := &SecretStore{
 				client: tc.args.client,
 			}
 			s := &store.Secret{}
 			s.ScopedName = tc.args.n
 			err := ss.ReadKeyValues(context.Background(), tc.args.n, s)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nss.ReadKeyValues(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.result, s.Data); diff != "" {
 				t.Errorf("\n%s\nss.ReadKeyValues(...): -want, +got:\n%s", tc.reason, diff)
 			}
 		})
 	}
 }
 func TestSecretStoreWriteKeyValues(t *testing.T) {
 	secretTypeOpaque := corev1.SecretTypeOpaque
 	type args struct {
 		client           resource.ClientApplicator
 		defaultNamespace string
 		secret           *store.Secret
 		wo []store.WriteOption
 	}
 	type want struct {
 		changed bool
 		err     error
 	}
 	cases := map[string]struct {
 		reason string
 		args
 		want
 	}{
 		"ApplyFailed": {
 			reason: "Should return a proper error when cannot apply.",
 			args: args{
 				client: resource.ClientApplicator{
 					Applicator: resource.ApplyFn(func(ctx context.Context, obj client.Object, option ...resource.ApplyOption) error {
 						return errBoom
 					}),
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Data: store.KeyValues(fakeKV()),
 				},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errApplySecret),
 			},
 		},
 		"FailedWriteOption": {
 			reason: "Should return a proper error if supplied write option fails",
 			args: args{
 				client: resource.ClientApplicator{
 					Applicator: resource.ApplyFn(func(ctx context.Context, obj client.Object, option ...resource.ApplyOption) error {
 						for _, fn := range option {
 							if err := fn(ctx, fakeConnectionSecret(withData(fakeKV())), obj); err != nil {
 								return err
 							}
 						}
 						return nil
 					}),
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Data: store.KeyValues(fakeKV()),
 				},
 				wo: []store.WriteOption{
 					func(ctx context.Context, current, desired *store.Secret) error {
 						return errBoom
 					},
 				},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errApplySecret),
 			},
 		},
 		"SuccessfulWriteOption": {
 			reason: "Should return a proper error if supplied write option fails",
 			args: args{
 				client: resource.ClientApplicator{
 					Applicator: resource.ApplyFn(func(ctx context.Context, obj client.Object, option ...resource.ApplyOption) error {
 						for _, fn := range option {
 							if err := fn(ctx, fakeConnectionSecret(withData(fakeKV())), obj); err != nil {
 								return err
 							}
 						}
 						return nil
 					}),
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Data: store.KeyValues(fakeKV()),
 				},
 				wo: []store.WriteOption{
 					func(ctx context.Context, current, desired *store.Secret) error {
 						desired.Data["customkey"] = []byte("customval")
 						desired.Metadata = &v1.ConnectionSecretMetadata{
 							Labels: map[string]string{
 								"foo": "baz",
 							},
 						}
 						return nil
 					},
 				},
 			},
 			want: want{
 				changed: true,
 			},
 		},
 		"SecretAlreadyUpToDate": {
 			reason: "Should not change secret if already up to date.",
 			args: args{
 				client: resource.ClientApplicator{
 					Applicator: resource.ApplyFn(func(ctx context.Context, obj client.Object, option ...resource.ApplyOption) error {
 						for _, fn := range option {
 							if err := fn(ctx, fakeConnectionSecret(withData(fakeKV())), obj); err != nil {
 								return err
 							}
 						}
 						return nil
 					}),
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Data: store.KeyValues(fakeKV()),
 				},
 			},
 		},
 		"SecretUpdatedWithNewValue": {
 			reason: "Should update value for an existing key if changed.",
 			args: args{
 				client: resource.ClientApplicator{
 					Applicator: resource.ApplyFn(func(ctx context.Context, obj client.Object, option ...resource.ApplyOption) error {
 						if diff := cmp.Diff(fakeConnectionSecret(withData(map[string][]byte{
 							"existing-key": []byte("new-value"),
 						})), obj.(*corev1.Secret)); diff != "" {
 							t.Errorf("r: -want, +got:\n%s", diff)
 						}
 						for _, fn := range option {
 							if err := fn(ctx, fakeConnectionSecret(withData(map[string][]byte{
 								"existing-key": []byte("old-value"),
 							})), obj); err != nil {
 								return err
 							}
 						}
 						return nil
 					}),
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Data: store.KeyValues(map[string][]byte{
 						"existing-key": []byte("new-value"),
 					}),
 				},
 			},
 			want: want{
 				changed: true,
 			},
 		},
 		"SecretHasExpectedOwner": {
 			reason: "Should correctly check the owner of the secret.",
 			args: args{
 				client: resource.ClientApplicator{
 					Applicator: resource.ApplyFn(func(ctx context.Context, obj client.Object, option ...resource.ApplyOption) error {
 						if diff := cmp.Diff(fakeConnectionSecret(withData(map[string][]byte{
 							"existing-key": []byte("new-value"),
 						})), obj.(*corev1.Secret)); diff != "" {
 							t.Errorf("r: -want, +got:\n%s", diff)
 						}
 						for _, fn := range option {
 							if err := fn(ctx, fakeConnectionSecret(withData(map[string][]byte{
 								"existing-key": []byte("old-value"),
 							}), withOwnerID(fakeOwnerID)), obj); err != nil {
 								return err
 							}
 						}
 						return nil
 					}),
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Data: store.KeyValues(map[string][]byte{
 						"existing-key": []byte("new-value"),
 					}),
 				},
 				wo: []store.WriteOption{func(ctx context.Context, current, desired *store.Secret) error {
 					if current.Metadata == nil || current.Metadata.GetOwnerUID() != fakeOwnerID {
 						return errors.Errorf("secret not owned by %s", fakeOwnerID)
 					}
 					return nil
 				}},
 			},
 			want: want{
 				changed: true,
 			},
 		},
 		"SecretUpdatedWithNewKey": {
 			reason: "Should update existing secret additively if a new key added",
 			args: args{
 				client: resource.ClientApplicator{
 					Applicator: resource.ApplyFn(func(ctx context.Context, obj client.Object, option ...resource.ApplyOption) error {
 						if diff := cmp.Diff(fakeConnectionSecret(withData(map[string][]byte{
 							"new-key": []byte("new-value"),
 						})), obj.(*corev1.Secret)); diff != "" {
 							t.Errorf("r: -want, +got:\n%s", diff)
 						}
 						for _, fn := range option {
 							if err := fn(ctx, fakeConnectionSecret(withData(map[string][]byte{
 								"existing-key": []byte("existing-value"),
 							})), obj); err != nil {
 								return err
 							}
 						}
 						return nil
 					}),
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Data: store.KeyValues(map[string][]byte{
 						"new-key": []byte("new-value"),
 					}),
 				},
 			},
 			want: want{
 				changed: true,
 			},
 		},
 		"SecretCreatedWithData": {
 			reason: "Should create a secret with all key values with default type.",
 			args: args{
 				client: resource.ClientApplicator{
 					Applicator: resource.ApplyFn(func(ctx context.Context, obj client.Object, option ...resource.ApplyOption) error {
 						if diff := cmp.Diff(fakeConnectionSecret(withData(fakeKV())), obj.(*corev1.Secret)); diff != "" {
 							t.Errorf("r: -want, +got:\n%s", diff)
 						}
 						for _, fn := range option {
 							if err := fn(ctx, &corev1.Secret{}, obj); err != nil {
 								return err
 							}
 						}
 						return nil
 					}),
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Data: store.KeyValues(fakeKV()),
 				},
 			},
 			want: want{
 				changed: true,
 			},
 		},
 		"SecretCreatedWithDataAndMetadata": {
 			reason: "Should create a secret with all key values and provided metadata data.",
 			args: args{
 				client: resource.ClientApplicator{
 					Applicator: resource.ApplyFn(func(ctx context.Context, obj client.Object, option ...resource.ApplyOption) error {
 						if diff := cmp.Diff(fakeConnectionSecret(
 							withData(fakeKV()),
 							withType(corev1.SecretTypeOpaque),
 							withLabels(fakeLabels()),
 							withAnnotations(fakeAnnotations())), obj.(*corev1.Secret)); diff != "" {
 							t.Errorf("r: -want, +got:\n%s", diff)
 						}
 						for _, fn := range option {
 							if err := fn(ctx, &corev1.Secret{}, obj); err != nil {
 								return err
 							}
 						}
 						return nil
 					}),
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Metadata: &v1.ConnectionSecretMetadata{
 						Labels: map[string]string{
 							"environment": "unit-test",
 							"reason":      "testing",
 						},
 						Annotations: map[string]string{
 							"some-annotation-key": "some-annotation-value",
 						},
 						Type: &secretTypeOpaque,
 					},
 					Data: store.KeyValues(fakeKV()),
 				},
 			},
 			want: want{
 				changed: true,
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			ss := &SecretStore{
 				client:           tc.args.client,
 				defaultNamespace: tc.args.defaultNamespace,
 			}
 			changed, err := ss.WriteKeyValues(context.Background(), tc.args.secret, tc.args.wo...)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nss.WriteKeyValues(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.changed, changed); diff != "" {
 				t.Errorf("\n%s\nss.WriteKeyValues(...): -want changed, +got changed:\n%s", tc.reason, diff)
 			}
 		})
 	}
 }
 func TestSecretStoreDeleteKeyValues(t *testing.T) {
 	type args struct {
 		client           resource.ClientApplicator
 		defaultNamespace string
 		secret           *store.Secret
 		do []store.DeleteOption
 	}
 	type want struct {
 		err error
 	}
 	cases := map[string]struct {
 		reason string
 		args
 		want
 	}{
 		"CannotGetSecret": {
 			reason: "Should return a proper error when it fails to get secret.",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(errBoom),
 					},
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 				},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errGetSecret),
 			},
 		},
 		"SecretUpdatedWithRemainingKeys": {
 			reason: "Should remove supplied keys from secret and update with remaining.",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 							*obj.(*corev1.Secret) = *fakeConnectionSecret(withData(fakeKV()))
 							return nil
 						}),
 						MockUpdate: func(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error {
 							if diff := cmp.Diff(fakeConnectionSecret(withData(map[string][]byte{"key3": []byte("value3")})), obj.(*corev1.Secret)); diff != "" {
 								t.Errorf("r: -want, +got:\n%s", diff)
 							}
 							return nil
 						},
 					},
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 					Data: store.KeyValues(map[string][]byte{
 						"key1": []byte("value1"),
 						"key2": []byte("value2"),
 					}),
 				},
 			},
 			want: want{
 				err: nil,
 			},
 		},
 		"CannotDeleteSecret": {
 			reason: "Should return a proper error when it fails to delete secret.",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 							*obj.(*corev1.Secret) = *fakeConnectionSecret()
 							return nil
 						}),
 						MockDelete: test.NewMockDeleteFn(errBoom),
 					},
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 				},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errDeleteSecret),
 			},
 		},
 		"SecretAlreadyDeleted": {
 			reason: "Should not return error if secret already deleted.",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 							return kerrors.NewNotFound(schema.GroupResource{}, "")
 						}),
 					},
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 				},
 			},
 			want: want{
 				err: nil,
 			},
 		},
 		"FailedDeleteOption": {
 			reason: "Should return a proper error if provided delete option fails.",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 							*obj.(*corev1.Secret) = *fakeConnectionSecret(withData(fakeKV()))
 							return nil
 						}),
 						MockDelete: func(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error {
 							return nil
 						},
 					},
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 				},
 				do: []store.DeleteOption{
 					func(ctx context.Context, secret *store.Secret) error {
 						return errBoom
 					},
 				},
 			},
 			want: want{
 				err: errBoom,
 			},
 		},
 		"SecretDeletedNoKVSupplied": {
 			reason: "Should delete the whole secret if no kv supplied as parameter.",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 							*obj.(*corev1.Secret) = *fakeConnectionSecret(withData(fakeKV()))
 							return nil
 						}),
 						MockDelete: func(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error {
 							return nil
 						},
 					},
 				},
 				secret: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  fakeSecretName,
 						Scope: fakeSecretNamespace,
 					},
 				},
 				do: []store.DeleteOption{
 					func(ctx context.Context, secret *store.Secret) error {
 						return nil
 					},
 				},
 			},
 			want: want{
 				err: nil,
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			ss := &SecretStore{
 				client:           tc.args.client,
 				defaultNamespace: tc.args.defaultNamespace,
 			}
 			err := ss.DeleteKeyValues(context.Background(), tc.args.secret, tc.args.do...)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nss.DeleteKeyValues(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 		})
 	}
 }
 func TestNewSecretStore(t *testing.T) {
 	type args struct {
 		client resource.ClientApplicator
 		cfg    v1.SecretStoreConfig
 	}
 	type want struct {
 		err error
 	}
 	cases := map[string]struct {
 		reason string
 		args
 		want
 	}{
 		"SuccessfulLocal": {
 			reason: "Should return no error after successfully building local Kubernetes secret store",
 			args: args{
 				client: resource.ClientApplicator{},
 				cfg: v1.SecretStoreConfig{
 					Type:         &storeTypeKubernetes,
 					DefaultScope: "test-ns",
 				},
 			},
 			want: want{
 				err: nil,
 			},
 		},
 		"NoSecretWithRemoteKubeconfig": {
 			reason: "Should fail properly if configured kubeconfig secret does not exist",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 							return kerrors.NewNotFound(schema.GroupResource{}, "kube-conn")
 						}),
 					},
 				},
 				cfg: v1.SecretStoreConfig{
 					Type:         &storeTypeKubernetes,
 					DefaultScope: "test-ns",
 					Kubernetes: &v1.KubernetesSecretStoreConfig{
 						Auth: v1.KubernetesAuthConfig{
 							Source: v1.CredentialsSourceSecret,
 							CommonCredentialSelectors: v1.CommonCredentialSelectors{
 								SecretRef: &v1.SecretKeySelector{
 									SecretReference: v1.SecretReference{
 										Name:      "kube-conn",
 										Namespace: "test-ns",
 									},
 									Key: "kubeconfig",
 								},
 							},
 						},
 					},
 				},
 			},
 			want: want{
 				err: errors.Wrap(errors.Wrap(errors.Wrap(kerrors.NewNotFound(schema.GroupResource{}, "kube-conn"), "cannot get credentials secret"), errExtractKubernetesAuthCreds), errBuildClient),
 			},
 		},
 		"InvalidRestConfigForRemote": {
 			reason: "Should fetch the configured kubeconfig and fail if it is not valid",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 							*obj.(*corev1.Secret) = corev1.Secret{
 								ObjectMeta: metav1.ObjectMeta{
 									Name:      "kube-conn",
 									Namespace: "test-ns",
 								},
 								Data: map[string][]byte{
 									"kubeconfig": []byte(`
 apiVersion: v1
 kind: Config
 malformed
 `),
 								},
 							}
 							return nil
 						}),
 					},
 				},
 				cfg: v1.SecretStoreConfig{
 					Type:         &storeTypeKubernetes,
 					DefaultScope: "test-ns",
 					Kubernetes: &v1.KubernetesSecretStoreConfig{
 						Auth: v1.KubernetesAuthConfig{
 							Source: v1.CredentialsSourceSecret,
 							CommonCredentialSelectors: v1.CommonCredentialSelectors{
 								SecretRef: &v1.SecretKeySelector{
 									SecretReference: v1.SecretReference{
 										Name:      "kube-conn",
 										Namespace: "test-ns",
 									},
 									Key: "kubeconfig",
 								},
 							},
 						},
 					},
 				},
 			},
 			want: want{
 				err: errors.Wrap(errors.Wrap(errors.New("yaml: line 5: could not find expected ':'"), errBuildRestConfig), errBuildClient),
 			},
 		},
 		"InvalidKubeconfigForRemote": {
 			reason: "Should fetch the configured kubeconfig and fail if it is not valid",
 			args: args{
 				client: resource.ClientApplicator{
 					Client: &test.MockClient{
 						MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 							*obj.(*corev1.Secret) = corev1.Secret{
 								ObjectMeta: metav1.ObjectMeta{
 									Name:      "kube-conn",
 									Namespace: "test-ns",
 								},
 								Data: map[string][]byte{
 									"kubeconfig": []byte(`
 apiVersion: v1
 clusters:
 - cluster:
    certificate-authority-data: TEST
    server: https://127.0.0.1:64695
  name: kind-kind
 contexts:
 - context:
    cluster: kind-kind
    namespace: crossplane-system
    user: kind-kind
  name: kind-kind
 current-context: kind-kind
 kind: Config
 users:
 - name: kind-kind
  user: {}
 `),
 								},
 							}
 							return nil
 						}),
 					},
 				},
 				cfg: v1.SecretStoreConfig{
 					Type:         &storeTypeKubernetes,
 					DefaultScope: "test-ns",
 					Kubernetes: &v1.KubernetesSecretStoreConfig{
 						Auth: v1.KubernetesAuthConfig{
 							Source: v1.CredentialsSourceSecret,
 							CommonCredentialSelectors: v1.CommonCredentialSelectors{
 								SecretRef: &v1.SecretKeySelector{
 									SecretReference: v1.SecretReference{
 										Name:      "kube-conn",
 										Namespace: "test-ns",
 									},
 									Key: "kubeconfig",
 								},
 							},
 						},
 					},
 				},
 			},
 			want: want{
 				err: errors.Wrap(errors.New("unable to load root certificates: unable to parse bytes as PEM block"), errBuildClient),
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			_, err := NewSecretStore(context.Background(), tc.args.client, nil, tc.args.cfg)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nNewSecretStore(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 		})
 	}
 }
 type secretOption func(*corev1.Secret)
 func withType(t corev1.SecretType) secretOption {
 	return func(s *corev1.Secret) {
 		s.Type = t
 	}
 }
 func withData(d map[string][]byte) secretOption {
 	return func(s *corev1.Secret) {
 		s.Data = d
 	}
 }
 func withLabels(l map[string]string) secretOption {
 	return func(s *corev1.Secret) {
 		s.Labels = l
 	}
 }
 func withAnnotations(a map[string]string) secretOption {
 	return func(s *corev1.Secret) {
 		s.Annotations = a
 	}
 }
 func withOwnerID(id string) secretOption {
 	return func(s *corev1.Secret) {
 		s.SetOwnerReferences([]metav1.OwnerReference{
 			{
 				UID: types.UID(id),
 			},
 		})
 	}
 }
 func fakeConnectionSecret(opts ...secretOption) *corev1.Secret {
 	s := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fakeSecretName,
 			Namespace: fakeSecretNamespace,
 		},
 		Type: resource.SecretTypeConnection,
 	}
 	for _, o := range opts {
 		o(s)
 	}
 	return s
 }
--- a/pkg/connection/store/plugin/fake/mocks.go
+++ b/pkg/connection/store/plugin/fake/mocks.go
@ -1,46 +0,0 @@
 /*
 Copyright 2023 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package fake is a fake ExternalSecretStorePluginServiceClient.
 package fake
 import (
 	"context"
 	"google.golang.org/grpc"
 	ess "github.com/crossplane/crossplane-runtime/apis/proto/v1alpha1"
 )
 // ExternalSecretStorePluginServiceClient is a fake ExternalSecretStorePluginServiceClient.
 type ExternalSecretStorePluginServiceClient struct {
 	GetSecretFn   func(context.Context, *ess.GetSecretRequest, ...grpc.CallOption) (*ess.GetSecretResponse, error)
 	ApplySecretFn func(context.Context, *ess.ApplySecretRequest, ...grpc.CallOption) (*ess.ApplySecretResponse, error)
 	DeleteKeysFn  func(context.Context, *ess.DeleteKeysRequest, ...grpc.CallOption) (*ess.DeleteKeysResponse, error)
 	*ess.UnimplementedExternalSecretStorePluginServiceServer
 }
 // GetSecret returns the secret.
 func (e *ExternalSecretStorePluginServiceClient) GetSecret(ctx context.Context, req *ess.GetSecretRequest, _ ...grpc.CallOption) (*ess.GetSecretResponse, error) {
 	return e.GetSecretFn(ctx, req)
 }
 // ApplySecret applies the secret.
 func (e *ExternalSecretStorePluginServiceClient) ApplySecret(ctx context.Context, req *ess.ApplySecretRequest, _ ...grpc.CallOption) (*ess.ApplySecretResponse, error) {
 	return e.ApplySecretFn(ctx, req)
 }
 // DeleteKeys deletes the secret keys.
 func (e *ExternalSecretStorePluginServiceClient) DeleteKeys(ctx context.Context, req *ess.DeleteKeysRequest, _ ...grpc.CallOption) (*ess.DeleteKeysResponse, error) {
 	return e.DeleteKeysFn(ctx, req)
 }
--- a/pkg/connection/store/plugin/store.go
+++ b/pkg/connection/store/plugin/store.go
@ -1,136 +0,0 @@
 /*
 Copyright 2023 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package plugin implements a gRPC client for external secret store plugins.
 package plugin
 import (
 	"context"
 	"crypto/tls"
 	"path/filepath"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	essproto "github.com/crossplane/crossplane-runtime/apis/proto/v1alpha1"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 )
 // Error strings.
 const (
 	errGet    = "cannot get secret"
 	errApply  = "cannot apply secret"
 	errDelete = "cannot delete secret"
 	errFmtCannotDial = "cannot dial to the endpoint: %s"
 )
 // SecretStore is an External Secret Store.
 type SecretStore struct {
 	client     essproto.ExternalSecretStorePluginServiceClient
 	kubeClient client.Client
 	config     *v1.Config
 	defaultScope string
 }
 // NewSecretStore returns a new External SecretStore.
 func NewSecretStore(_ context.Context, kube client.Client, tcfg *tls.Config, cfg v1.SecretStoreConfig) (*SecretStore, error) {
 	creds := credentials.NewTLS(tcfg)
 	conn, err := grpc.Dial(cfg.Plugin.Endpoint, grpc.WithTransportCredentials(creds))
 	if err != nil {
 		return nil, errors.Wrapf(err, errFmtCannotDial, cfg.Plugin.Endpoint)
 	}
 	return &SecretStore{
 		kubeClient:   kube,
 		client:       essproto.NewExternalSecretStorePluginServiceClient(conn),
 		config:       &cfg.Plugin.ConfigRef,
 		defaultScope: cfg.DefaultScope,
 	}, nil
 }
 // ReadKeyValues reads and returns key value pairs for a given Secret.
 func (ss *SecretStore) ReadKeyValues(ctx context.Context, n store.ScopedName, s *store.Secret) error {
 	resp, err := ss.client.GetSecret(ctx, &essproto.GetSecretRequest{Secret: &essproto.Secret{ScopedName: ss.getScopedName(n)}, Config: ss.getConfigReference()})
 	if err != nil {
 		return errors.Wrap(err, errGet)
 	}
 	s.ScopedName = n
 	s.Data = make(map[string][]byte, len(resp.Secret.Data))
 	for d := range resp.Secret.Data {
 		s.Data[d] = resp.Secret.Data[d]
 	}
 	if resp.Secret != nil && len(resp.Secret.Metadata) != 0 {
 		s.Metadata = new(v1.ConnectionSecretMetadata)
 		s.Metadata.Labels = make(map[string]string, len(resp.Secret.Metadata))
 		for k, v := range resp.Secret.Metadata {
 			s.Metadata.Labels[k] = v
 		}
 	}
 	return nil
 }
 // WriteKeyValues writes key value pairs to a given Secret.
 func (ss *SecretStore) WriteKeyValues(ctx context.Context, s *store.Secret, _ ...store.WriteOption) (changed bool, err error) {
 	sec := &essproto.Secret{}
 	sec.ScopedName = ss.getScopedName(s.ScopedName)
 	sec.Data = make(map[string][]byte, len(s.Data))
 	for k, v := range s.Data {
 		sec.Data[k] = v
 	}
 	if s.Metadata != nil && len(s.Metadata.Labels) != 0 {
 		sec.Metadata = make(map[string]string, len(s.Metadata.Labels))
 		for k, v := range s.Metadata.Labels {
 			sec.Metadata[k] = v
 		}
 	}
 	resp, err := ss.client.ApplySecret(ctx, &essproto.ApplySecretRequest{Secret: sec, Config: ss.getConfigReference()})
 	if err != nil {
 		return false, errors.Wrap(err, errApply)
 	}
 	return resp.Changed, nil
 }
 // DeleteKeyValues delete key value pairs from a given Secret.
 func (ss *SecretStore) DeleteKeyValues(ctx context.Context, s *store.Secret, _ ...store.DeleteOption) error {
 	_, err := ss.client.DeleteKeys(ctx, &essproto.DeleteKeysRequest{Secret: &essproto.Secret{ScopedName: ss.getScopedName(s.ScopedName)}, Config: ss.getConfigReference()})
 	return errors.Wrap(err, errDelete)
 }
 func (ss *SecretStore) getConfigReference() *essproto.ConfigReference {
 	return &essproto.ConfigReference{
 		ApiVersion: ss.config.APIVersion,
 		Kind:       ss.config.Kind,
 		Name:       ss.config.Name,
 	}
 }
 func (ss *SecretStore) getScopedName(n store.ScopedName) string {
 	if n.Scope == "" {
 		n.Scope = ss.defaultScope
 	}
 	return filepath.Join(n.Scope, n.Name)
 }
--- a/pkg/connection/store/plugin/store_test.go
+++ b/pkg/connection/store/plugin/store_test.go
@ -1,280 +0,0 @@
 /*
 Copyright 2023 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package plugin
 import (
 	"context"
 	"path/filepath"
 	"testing"
 	"github.com/google/go-cmp/cmp"
 	"google.golang.org/grpc"
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	ess "github.com/crossplane/crossplane-runtime/apis/proto/v1alpha1"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store/plugin/fake"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 )
 const (
 	parentPath = "crossplane-system"
 	secretName = "ess-test-secret"
 )
 var (
 	errBoom = errors.New("boom")
 )
 func TestReadKeyValues(t *testing.T) {
 	type args struct {
 		sn     store.ScopedName
 		client ess.ExternalSecretStorePluginServiceClient
 	}
 	type want struct {
 		out *store.Secret
 		err error
 	}
 	cases := map[string]struct {
 		reason string
 		args
 		want
 	}{
 		"ErrorWhileGetting": {
 			reason: "Should return a proper error if secret cannot be obtained",
 			args: args{
 				client: &fake.ExternalSecretStorePluginServiceClient{
 					GetSecretFn: func(ctx context.Context, req *ess.GetSecretRequest, opts ...grpc.CallOption) (*ess.GetSecretResponse, error) {
 						return nil, errBoom
 					},
 				},
 			},
 			want: want{
 				out: &store.Secret{},
 				err: errors.Wrap(errBoom, errGet),
 			},
 		},
 		"SuccessfulGet": {
 			reason: "Should return key values from a secret with scope",
 			args: args{
 				sn: store.ScopedName{
 					Name:  secretName,
 					Scope: parentPath,
 				},
 				client: &fake.ExternalSecretStorePluginServiceClient{
 					GetSecretFn: func(ctx context.Context, req *ess.GetSecretRequest, opts ...grpc.CallOption) (*ess.GetSecretResponse, error) {
 						if diff := cmp.Diff(filepath.Join(parentPath, secretName), req.Secret.ScopedName); diff != "" {
 							t.Errorf("r: -want, +got:\n%s", diff)
 						}
 						sec := &ess.Secret{
 							ScopedName: req.Secret.ScopedName,
 							Data: map[string][]byte{
 								"data1": []byte("val1"),
 								"data2": []byte("val2"),
 							},
 							Metadata: map[string]string{
 								"meta1": "val1",
 								"meta2": "val2",
 							},
 						}
 						res := &ess.GetSecretResponse{
 							Secret: sec,
 						}
 						return res, nil
 					},
 				},
 			},
 			want: want{
 				out: &store.Secret{
 					ScopedName: store.ScopedName{
 						Name:  secretName,
 						Scope: parentPath,
 					},
 					Data: map[string][]byte{
 						"data1": []byte("val1"),
 						"data2": []byte("val2"),
 					},
 					Metadata: &v1.ConnectionSecretMetadata{
 						Labels: map[string]string{
 							"meta1": "val1",
 							"meta2": "val2",
 						},
 					},
 				},
 				err: nil,
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			ctx := context.Background()
 			ss := &SecretStore{
 				client: tc.args.client,
 				config: &v1.Config{
 					APIVersion: "v1alpha1",
 					Kind:       "VaultConfig",
 					Name:       "ess-test",
 				},
 			}
 			s := &store.Secret{}
 			err := ss.ReadKeyValues(ctx, tc.args.sn, s)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nss.ReadKeyValues(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.out, s); diff != "" {
 				t.Errorf("\n%s\nss.ReadKeyValues(...): -want, +got:\n%s", tc.reason, diff)
 			}
 		})
 	}
 }
 func TestWriteKeyValues(t *testing.T) {
 	type args struct {
 		client ess.ExternalSecretStorePluginServiceClient
 	}
 	type want struct {
 		isChanged bool
 		err       error
 	}
 	cases := map[string]struct {
 		reason string
 		args
 		want
 	}{
 		"ErrorWhileWriting": {
 			reason: "Should return a proper error if secret cannot be applied",
 			args: args{
 				client: &fake.ExternalSecretStorePluginServiceClient{
 					ApplySecretFn: func(ctx context.Context, req *ess.ApplySecretRequest, opts ...grpc.CallOption) (*ess.ApplySecretResponse, error) {
 						return nil, errBoom
 					},
 				},
 			},
 			want: want{
 				isChanged: false,
 				err:       errors.Wrap(errBoom, errApply),
 			},
 		},
 		"SuccessfulWrite": {
 			reason: "Should return isChanged true",
 			args: args{
 				client: &fake.ExternalSecretStorePluginServiceClient{
 					ApplySecretFn: func(ctx context.Context, req *ess.ApplySecretRequest, opts ...grpc.CallOption) (*ess.ApplySecretResponse, error) {
 						resp := &ess.ApplySecretResponse{
 							Changed: true,
 						}
 						return resp, nil
 					},
 				},
 			},
 			want: want{
 				isChanged: true,
 				err:       nil,
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			ctx := context.Background()
 			ss := &SecretStore{
 				client: tc.args.client,
 				config: &v1.Config{
 					APIVersion: "v1alpha1",
 					Kind:       "VaultConfig",
 					Name:       "ess-test",
 				},
 			}
 			s := &store.Secret{}
 			isChanged, err := ss.WriteKeyValues(ctx, s)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nss.WriteKeyValues(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.isChanged, isChanged); diff != "" {
 				t.Errorf("\n%s\nss.WriteKeyValues(...): -want, +got:\n%s", tc.reason, diff)
 			}
 		})
 	}
 }
 func TestDeleteKeyValues(t *testing.T) {
 	type args struct {
 		client ess.ExternalSecretStorePluginServiceClient
 	}
 	type want struct {
 		err error
 	}
 	cases := map[string]struct {
 		reason string
 		args
 		want
 	}{
 		"ErrorWhileDeleting": {
 			reason: "Should return a proper error if key values cannot be deleted",
 			args: args{
 				client: &fake.ExternalSecretStorePluginServiceClient{
 					DeleteKeysFn: func(ctx context.Context, req *ess.DeleteKeysRequest, opts ...grpc.CallOption) (*ess.DeleteKeysResponse, error) {
 						return nil, errBoom
 					}},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errDelete),
 			},
 		},
 		"SuccessfulDelete": {
 			reason: "Should not return error",
 			args: args{
 				client: &fake.ExternalSecretStorePluginServiceClient{
 					DeleteKeysFn: func(ctx context.Context, req *ess.DeleteKeysRequest, opts ...grpc.CallOption) (*ess.DeleteKeysResponse, error) {
 						return nil, nil
 					},
 				},
 			},
 			want: want{
 				err: nil,
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			ctx := context.Background()
 			ss := &SecretStore{
 				client: tc.args.client,
 				config: &v1.Config{
 					APIVersion: "v1alpha1",
 					Kind:       "VaultConfig",
 					Name:       "ess-test",
 				},
 			}
 			s := &store.Secret{}
 			err := ss.DeleteKeyValues(ctx, s)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nss.DeletKeyValues(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 		})
 	}
 }
--- a/pkg/connection/store/store.go
+++ b/pkg/connection/store/store.go
@ -1,92 +0,0 @@
 /*
 Copyright 2022 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package store implements secret stores.
 package store
 import (
 	"context"
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 )
 // SecretOwner owns a Secret.
 type SecretOwner interface {
 	resource.Object
 	resource.ConnectionDetailsPublisherTo
 }
 // KeyValues is a map with sensitive values.
 type KeyValues map[string][]byte
 // ScopedName is scoped name of a secret.
 type ScopedName struct {
 	Name  string
 	Scope string
 }
 // A Secret is an entity representing a set of sensitive Key Values.
 type Secret struct {
 	ScopedName
 	Metadata *v1.ConnectionSecretMetadata
 	Data     KeyValues
 }
 // NewSecret returns a new Secret owned by supplied SecretOwner and with
 // supplied data.
 func NewSecret(so SecretOwner, data KeyValues) *Secret {
 	if so.GetPublishConnectionDetailsTo() == nil {
 		return nil
 	}
 	p := so.GetPublishConnectionDetailsTo()
 	if p.Metadata == nil {
 		p.Metadata = &v1.ConnectionSecretMetadata{}
 	}
 	p.Metadata.SetOwnerUID(so.GetUID())
 	return &Secret{
 		ScopedName: ScopedName{
 			Name:  p.Name,
 			Scope: so.GetNamespace(),
 		},
 		Metadata: p.Metadata,
 		Data:     data,
 	}
 }
 // GetOwner returns the UID of the owner of secret.
 func (s *Secret) GetOwner() string {
 	if s.Metadata == nil {
 		return ""
 	}
 	return s.Metadata.GetOwnerUID()
 }
 // GetLabels returns the labels of the secret.
 func (s *Secret) GetLabels() map[string]string {
 	if s.Metadata == nil {
 		return nil
 	}
 	return s.Metadata.Labels
 }
 // A WriteOption is called before writing the desired secret over the
 // current object.
 type WriteOption func(ctx context.Context, current, desired *Secret) error
 // An DeleteOption is called before deleting the secret.
 type DeleteOption func(ctx context.Context, secret *Secret) error
--- a/pkg/connection/stores.go
+++ b/pkg/connection/stores.go
@ -1,47 +0,0 @@
 /*
 Copyright 2022 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package connection
 import (
 	"context"
 	"crypto/tls"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store/kubernetes"
 	"github.com/crossplane/crossplane-runtime/pkg/connection/store/plugin"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 )
 const (
 	errFmtUnknownSecretStore = "unknown secret store type: %q"
 )
 // RuntimeStoreBuilder builds and returns a Store for any supported Store type
 // in a given config.
 //
 // All in-tree connection Store implementations needs to be registered here.
 func RuntimeStoreBuilder(ctx context.Context, local client.Client, tcfg *tls.Config, cfg v1.SecretStoreConfig) (Store, error) {
 	switch *cfg.Type {
 	case v1.SecretStoreKubernetes:
 		return kubernetes.NewSecretStore(ctx, local, nil, cfg)
 	case v1.SecretStorePlugin:
 		return plugin.NewSecretStore(ctx, local, tcfg, cfg)
 	}
 	return nil, errors.Errorf(errFmtUnknownSecretStore, *cfg.Type)
 }
--- a/pkg/controller/cache.go
+++ b/pkg/controller/cache.go
@ -1,287 +0,0 @@
 /*
 Copyright 2023 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package controller
 import (
 	"context"
 	"strings"
 	"sync"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	controllerruntime "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 )
 // GVKRoutedCache is a cache that routes requests by GVK to other caches.
 type GVKRoutedCache struct {
 	scheme *runtime.Scheme
 	fallback cache.Cache
 	lock      sync.RWMutex
 	delegates map[schema.GroupVersionKind]cache.Cache
 }
 // NewGVKRoutedCache returns a new routed cache.
 func NewGVKRoutedCache(scheme *runtime.Scheme, fallback cache.Cache) *GVKRoutedCache {
 	return &GVKRoutedCache{
 		scheme:    scheme,
 		fallback:  fallback,
 		delegates: make(map[schema.GroupVersionKind]cache.Cache),
 	}
 }
 var _ cache.Cache = &GVKRoutedCache{}
 // AddDelegate adds a delegated cache for a given GVK.
 func (c *GVKRoutedCache) AddDelegate(gvk schema.GroupVersionKind, delegate cache.Cache) {
 	c.lock.Lock()
 	defer c.lock.Unlock()
 	c.delegates[gvk] = delegate
 }
 // RemoveDelegate removes a delegated cache for a given GVK.
 func (c *GVKRoutedCache) RemoveDelegate(gvk schema.GroupVersionKind) {
 	c.lock.Lock()
 	defer c.lock.Unlock()
 	delete(c.delegates, gvk)
 }
 // Get retrieves an object for a given ObjectKey backed by a cache.
 func (c *GVKRoutedCache) Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error {
 	gvk, err := apiutil.GVKForObject(obj, c.scheme)
 	if err != nil {
 		return errors.Errorf("failed to get GVK for type %T: %w", obj, err)
 	}
 	c.lock.RLock()
 	delegate, ok := c.delegates[gvk]
 	c.lock.RUnlock()
 	if ok {
 		return delegate.Get(ctx, key, obj, opts...)
 	}
 	return c.fallback.Get(ctx, key, obj, opts...)
 }
 // List lists objects for a given ObjectList backed by a cache.
 func (c *GVKRoutedCache) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
 	gvk, err := apiutil.GVKForObject(list, c.scheme)
 	if err != nil {
 		return errors.Errorf("failed to get GVK for type %T: %w", list, err)
 	}
 	if !strings.HasSuffix(gvk.Kind, "List") {
 		// following controller-runtime here which does not support non
 		// <Kind>List types.
 		return errors.Errorf("non-list type %T (kind %q) passed as output", list, gvk)
 	}
 	gvk.Kind = strings.TrimSuffix(gvk.Kind, "List")
 	c.lock.RLock()
 	delegate, ok := c.delegates[gvk]
 	c.lock.RUnlock()
 	if ok {
 		return delegate.List(ctx, list, opts...)
 	}
 	return c.fallback.List(ctx, list, opts...)
 }
 // GetInformer returns an informer for the given object.
 func (c *GVKRoutedCache) GetInformer(ctx context.Context, obj client.Object, opts ...cache.InformerGetOption) (cache.Informer, error) {
 	gvk, err := apiutil.GVKForObject(obj, c.scheme)
 	if err != nil {
 		return nil, errors.Errorf("failed to get GVK for type %T: %w", obj, err)
 	}
 	c.lock.RLock()
 	delegate, ok := c.delegates[gvk]
 	c.lock.RUnlock()
 	if ok {
 		return delegate.GetInformer(ctx, obj, opts...)
 	}
 	return c.fallback.GetInformer(ctx, obj, opts...)
 }
 // GetInformerForKind returns an informer for the given GVK.
 func (c *GVKRoutedCache) GetInformerForKind(ctx context.Context, gvk schema.GroupVersionKind, opts ...cache.InformerGetOption) (cache.Informer, error) {
 	c.lock.RLock()
 	delegate, ok := c.delegates[gvk]
 	c.lock.RUnlock()
 	if ok {
 		return delegate.GetInformerForKind(ctx, gvk, opts...)
 	}
 	return c.fallback.GetInformerForKind(ctx, gvk, opts...)
 }
 // Start for a GVKRoutedCache is a no-op. Start must be called for each delegate.
 func (c *GVKRoutedCache) Start(_ context.Context) error {
 	return nil
 }
 // WaitForCacheSync for a GVKRoutedCache waits for all delegates to sync, and
 // returns false if any of them fails to sync.
 func (c *GVKRoutedCache) WaitForCacheSync(ctx context.Context) bool {
 	c.lock.RLock()
 	syncedCh := make(chan bool, len(c.delegates)+1)
 	cas := make([]cache.Cache, 0, len(c.delegates))
 	for _, ca := range c.delegates {
 		cas = append(cas, ca)
 	}
 	cas = append(cas, c.fallback)
 	c.lock.RUnlock()
 	var wg sync.WaitGroup
 	ctx, cancelFn := context.WithCancel(ctx)
 	for _, ca := range cas {
 		wg.Add(1)
 		go func(ca cache.Cache) {
 			defer wg.Done()
 			synced := ca.WaitForCacheSync(ctx)
 			if !synced {
 				// first unsynced cache breaks the whole wait
 				cancelFn()
 			}
 			syncedCh <- synced
 		}(ca)
 	}
 	wg.Wait()
 	close(syncedCh)
 	cancelFn()
 	// any not synced?
 	for synced := range syncedCh {
 		if !synced {
 			return false
 		}
 	}
 	return true
 }
 // IndexField adds an index with the given field name on the given object type
 // by using the given function to extract the value for that field.
 func (c *GVKRoutedCache) IndexField(ctx context.Context, obj client.Object, field string, extractValue client.IndexerFunc) error {
 	gvk, err := apiutil.GVKForObject(obj, c.scheme)
 	if err != nil {
 		return errors.Errorf("failed to get GVK for type %T: %w", obj, err)
 	}
 	c.lock.RLock()
 	delegate, ok := c.delegates[gvk]
 	c.lock.RUnlock()
 	if ok {
 		return delegate.IndexField(ctx, obj, field, extractValue)
 	}
 	return c.fallback.IndexField(ctx, obj, field, extractValue)
 }
 // cachedRoutedClient wraps a client and routes read requests by GVK to a cache.
 type cachedRoutedClient struct {
 	client.Client
 	scheme *runtime.Scheme
 	cache  *GVKRoutedCache
 }
 func (c *cachedRoutedClient) Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error {
 	gvk, err := apiutil.GVKForObject(obj, c.scheme)
 	if err != nil {
 		return errors.Errorf("failed to get GVK for type %T: %w", obj, err)
 	}
 	c.cache.lock.RLock()
 	delegate, ok := c.cache.delegates[gvk]
 	c.cache.lock.RUnlock()
 	if ok {
 		return delegate.Get(ctx, key, obj, opts...)
 	}
 	return c.Client.Get(ctx, key, obj, opts...)
 }
 func (c *cachedRoutedClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
 	gvk, err := apiutil.GVKForObject(list, c.scheme)
 	if err != nil {
 		return errors.Errorf("failed to get GVK for type %T: %w", list, err)
 	}
 	if !strings.HasSuffix(gvk.Kind, "List") {
 		// following controller-runtime here which does not support non
 		// <Kind>List types.
 		return errors.Errorf("non-list type %T (kind %q) passed as output", list, gvk)
 	}
 	gvk.Kind = strings.TrimSuffix(gvk.Kind, "List")
 	c.cache.lock.RLock()
 	delegate, ok := c.cache.delegates[gvk]
 	c.cache.lock.RUnlock()
 	if ok {
 		return delegate.List(ctx, list, opts...)
 	}
 	return c.Client.List(ctx, list, opts...)
 }
 // WithGVKRoutedCache returns a manager backed by a GVKRoutedCache. The client
 // returned by the manager will route read requests to cached GVKs.
 func WithGVKRoutedCache(c *GVKRoutedCache, mgr controllerruntime.Manager) controllerruntime.Manager {
 	return &routedManager{
 		Manager: mgr,
 		client: &cachedRoutedClient{
 			Client: mgr.GetClient(),
 			scheme: mgr.GetScheme(),
 			cache:  c,
 		},
 		cache: c,
 	}
 }
 type routedManager struct {
 	controllerruntime.Manager
 	client client.Client
 	cache  cache.Cache
 }
 func (m *routedManager) GetClient() client.Client {
 	return m.client
 }
 func (m *routedManager) GetCache() cache.Cache {
 	return m.cache
 }
--- a/pkg/controller/engine.go
+++ b/pkg/controller/engine.go
@ -1,283 +0,0 @@
 /*
 Copyright 2020 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package controller provides utilties for working with controllers.
 package controller
 import (
 	"context"
 	"sync"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 )
 // Error strings
 const (
 	errCreateCache      = "cannot create new cache"
 	errCreateController = "cannot create new controller"
 	errCrashCache       = "cache error"
 	errCrashController  = "controller error"
 	errWatch            = "cannot setup watch"
 )
 // A NewCacheFn creates a new controller-runtime cache.
 type NewCacheFn func(cfg *rest.Config, o cache.Options) (cache.Cache, error)
 // A NewControllerFn creates a new controller-runtime controller.
 type NewControllerFn func(name string, m manager.Manager, o controller.Options) (controller.Controller, error)
 // The default new cache and new controller functions.
 var (
 	DefaultNewCacheFn      NewCacheFn      = cache.New
 	DefaultNewControllerFn NewControllerFn = controller.NewUnmanaged
 )
 // An Engine manages the lifecycles of controller-runtime controllers (and their
 // caches). The lifecycles of the controllers are not coupled to lifecycle of
 // the engine, nor to the lifecycle of the controller manager it uses.
 type Engine struct {
 	mgr manager.Manager
 	started map[string]context.CancelFunc
 	errors  map[string]error
 	mx      sync.RWMutex
 	newCache NewCacheFn
 	newCtrl  NewControllerFn
 }
 // An EngineOption configures an Engine.
 type EngineOption func(*Engine)
 // WithNewCacheFn may be used to configure a different cache implementation.
 // DefaultNewCacheFn is used by default.
 func WithNewCacheFn(fn NewCacheFn) EngineOption {
 	return func(e *Engine) {
 		e.newCache = fn
 	}
 }
 // WithNewControllerFn may be used to configure a different controller
 // implementation. DefaultNewControllerFn is used by default.
 func WithNewControllerFn(fn NewControllerFn) EngineOption {
 	return func(e *Engine) {
 		e.newCtrl = fn
 	}
 }
 // NewEngine produces a new Engine.
 func NewEngine(mgr manager.Manager, o ...EngineOption) *Engine {
 	e := &Engine{
 		mgr: mgr,
 		started: make(map[string]context.CancelFunc),
 		errors:  make(map[string]error),
 		newCache: DefaultNewCacheFn,
 		newCtrl:  DefaultNewControllerFn,
 	}
 	for _, eo := range o {
 		eo(e)
 	}
 	return e
 }
 // IsRunning indicates whether the named controller is running - i.e. whether it
 // has been started and does not appear to have crashed.
 func (e *Engine) IsRunning(name string) bool {
 	e.mx.RLock()
 	defer e.mx.RUnlock()
 	_, running := e.started[name]
 	return running
 }
 // Err returns any error encountered by the named controller. The returned error
 // is always nil if the named controller is running.
 func (e *Engine) Err(name string) error {
 	e.mx.RLock()
 	defer e.mx.RUnlock()
 	return e.errors[name]
 }
 // Stop the named controller.
 func (e *Engine) Stop(name string) {
 	e.done(name, nil)
 }
 func (e *Engine) done(name string, err error) {
 	e.mx.Lock()
 	defer e.mx.Unlock()
 	stop, ok := e.started[name]
 	if ok {
 		stop()
 		delete(e.started, name)
 	}
 	// Don't overwrite the first error if done is called multiple times.
 	if e.errors[name] != nil {
 		return
 	}
 	e.errors[name] = err
 }
 // Watch an object.
 type Watch struct {
 	// one of the two:
 	kind         client.Object
 	customSource source.Source
 	handler    handler.EventHandler
 	predicates []predicate.Predicate
 }
 // For returns a Watch for the supplied kind of object. Events will be handled
 // by the supplied EventHandler, and may be filtered by the supplied predicates.
 func For(kind client.Object, h handler.EventHandler, p ...predicate.Predicate) Watch {
 	return Watch{kind: kind, handler: h, predicates: p}
 }
 // TriggeredBy returns a custom watch for secondary resources triggering the
 // controller. source.Kind can be used to create a source for a secondary cache.
 // Events will be handled by the supplied EventHandler, and may be filtered by
 // the supplied predicates.
 func TriggeredBy(source source.Source, h handler.EventHandler, p ...predicate.Predicate) Watch {
 	return Watch{customSource: source, handler: h, predicates: p}
 }
 // Start the named controller. Each controller is started with its own cache
 // whose lifecycle is coupled to the controller. The controller is started with
 // the supplied options, and configured with the supplied watches. Start does
 // not block.
 func (e *Engine) Start(name string, o controller.Options, w ...Watch) error {
 	c, err := e.Create(name, o, w...)
 	if err != nil {
 		return err
 	}
 	return c.Start(context.Background())
 }
 // NamedController is a controller that's not yet started. It gives access to
 // the underlying cache, which may be used e.g. to add indexes.
 type NamedController interface {
 	Start(ctx context.Context) error
 	GetCache() cache.Cache
 }
 type namedController struct {
 	name string
 	e    *Engine
 	ca   cache.Cache
 	ctrl controller.Controller
 }
 // Create the named controller. Each controller gets its own cache
 // whose lifecycle is coupled to the controller. The controller is created with
 // the supplied options, and configured with the supplied watches. It is not
 // started yet.
 func (e *Engine) Create(name string, o controller.Options, w ...Watch) (NamedController, error) {
 	// Each controller gets its own cache for the GVKs it owns. This cache is
 	// wrapped by a GVKRoutedCache that routes requests to other GVKs to the
 	// manager's cache. This way we can share informers for composed resources
 	// (that's where this is primarily used) with other controllers, but get
 	// control about the lifecycle of the owned GVKs' informers.
 	ca, err := e.newCache(e.mgr.GetConfig(), cache.Options{Scheme: e.mgr.GetScheme(), Mapper: e.mgr.GetRESTMapper()})
 	if err != nil {
 		return nil, errors.Wrap(err, errCreateCache)
 	}
 	// Wrap the existing manager to use our cache for the GVKs of this controller.
 	rc := NewGVKRoutedCache(e.mgr.GetScheme(), e.mgr.GetCache())
 	rm := &routedManager{
 		Manager: e.mgr,
 		client: &cachedRoutedClient{
 			Client: e.mgr.GetClient(),
 			scheme: e.mgr.GetScheme(),
 			cache:  rc,
 		},
 		cache: rc,
 	}
 	ctrl, err := e.newCtrl(name, rm, o)
 	if err != nil {
 		return nil, errors.Wrap(err, errCreateController)
 	}
 	for _, wt := range w {
 		if wt.customSource != nil {
 			if err := ctrl.Watch(wt.customSource, wt.handler, wt.predicates...); err != nil {
 				return nil, errors.Wrap(err, errWatch)
 			}
 			continue
 		}
 		// route cache and client (read) requests to our cache for this GVK.
 		gvk, err := apiutil.GVKForObject(wt.kind, e.mgr.GetScheme())
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to get GVK for type %T", wt.kind)
 		}
 		rc.AddDelegate(gvk, ca)
 		if err := ctrl.Watch(source.Kind(ca, wt.kind), wt.handler, wt.predicates...); err != nil {
 			return nil, errors.Wrap(err, errWatch)
 		}
 	}
 	return &namedController{name: name, e: e, ca: ca, ctrl: ctrl}, nil
 }
 // Start the named controller. Start does not block.
 func (c *namedController) Start(ctx context.Context) error {
 	if c.e.IsRunning(c.name) {
 		return nil
 	}
 	ctx, stop := context.WithCancel(ctx)
 	c.e.mx.Lock()
 	c.e.started[c.name] = stop
 	c.e.errors[c.name] = nil
 	c.e.mx.Unlock()
 	go func() {
 		<-c.e.mgr.Elected()
 		c.e.done(c.name, errors.Wrap(c.ca.Start(ctx), errCrashCache))
 	}()
 	go func() {
 		<-c.e.mgr.Elected()
 		c.e.done(c.name, errors.Wrap(c.ctrl.Start(ctx), errCrashController))
 	}()
 	return nil
 }
 // GetCache returns the cache used by the named controller.
 func (c *namedController) GetCache() cache.Cache {
 	return c.ca
 }
--- a/pkg/controller/engine_test.go
+++ b/pkg/controller/engine_test.go
@ -1,219 +0,0 @@
 /*
 Copyright 2020 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package controller
 import (
 	"context"
 	"testing"
 	"time"
 	"github.com/google/go-cmp/cmp"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 	"github.com/crossplane/crossplane-runtime/pkg/resource/fake"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 )
 type MockCache struct {
 	cache.Cache
 	MockStart func(stop context.Context) error
 }
 func (c *MockCache) Start(stop context.Context) error {
 	return c.MockStart(stop)
 }
 type MockController struct {
 	controller.Controller
 	MockStart func(stop context.Context) error
 	MockWatch func(s source.Source, h handler.EventHandler, p ...predicate.Predicate) error
 }
 func (c *MockController) Start(stop context.Context) error {
 	return c.MockStart(stop)
 }
 func (c *MockController) Watch(s source.Source, h handler.EventHandler, p ...predicate.Predicate) error {
 	return c.MockWatch(s, h, p...)
 }
 func TestEngine(t *testing.T) {
 	errBoom := errors.New("boom")
 	type args struct {
 		name string
 		o    controller.Options
 		w    []Watch
 	}
 	type want struct {
 		err   error
 		crash error
 	}
 	cases := map[string]struct {
 		reason string
 		e      *Engine
 		args   args
 		want   want
 	}{
 		"NewCacheError": {
 			reason: "Errors creating a new cache should be returned",
 			e: NewEngine(&fake.Manager{},
 				WithNewCacheFn(func(*rest.Config, cache.Options) (cache.Cache, error) { return nil, errBoom }),
 			),
 			args: args{
 				name: "coolcontroller",
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errCreateCache),
 			},
 		},
 		"NewControllerError": {
 			reason: "Errors creating a new controller should be returned",
 			e: NewEngine(
 				&fake.Manager{
 					Scheme: runtime.NewScheme(),
 					Cache:  &MockCache{},
 				},
 				WithNewCacheFn(func(*rest.Config, cache.Options) (cache.Cache, error) { return nil, nil }),
 				WithNewControllerFn(func(string, manager.Manager, controller.Options) (controller.Controller, error) { return nil, errBoom }),
 			),
 			args: args{
 				name: "coolcontroller",
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errCreateController),
 			},
 		},
 		"WatchError": {
 			reason: "Errors adding a watch should be returned",
 			e: NewEngine(
 				&fake.Manager{
 					Scheme: runtime.NewScheme(),
 					Cache:  &MockCache{},
 				},
 				WithNewCacheFn(func(*rest.Config, cache.Options) (cache.Cache, error) { return nil, nil }),
 				WithNewControllerFn(func(string, manager.Manager, controller.Options) (controller.Controller, error) {
 					c := &MockController{MockWatch: func(source.Source, handler.EventHandler, ...predicate.Predicate) error { return errBoom }}
 					return c, nil
 				}),
 			),
 			args: args{
 				name: "coolcontroller",
 				w: []Watch{For(&unstructured.Unstructured{
 					Object: map[string]interface{}{"apiVersion": "example.org/v1", "kind": "Thing"},
 				}, nil)},
 			},
 			want: want{
 				err: errors.Wrap(errBoom, errWatch),
 			},
 		},
 		"SchemeError": {
 			reason: "Passing an object of unknown GVK",
 			e: NewEngine(
 				&fake.Manager{
 					Scheme: runtime.NewScheme(),
 					Cache:  &MockCache{},
 				},
 				WithNewCacheFn(func(*rest.Config, cache.Options) (cache.Cache, error) { return nil, nil }),
 				WithNewControllerFn(func(string, manager.Manager, controller.Options) (controller.Controller, error) {
 					c := &MockController{MockWatch: func(source.Source, handler.EventHandler, ...predicate.Predicate) error { return errBoom }}
 					return c, nil
 				}),
 			),
 			args: args{
 				name: "coolcontroller",
 				w:    []Watch{For(&unstructured.Unstructured{}, nil)},
 			},
 			want: want{
 				err: errors.Wrap(runtime.NewMissingKindErr("unstructured object has no kind"), "failed to get GVK for type *unstructured.Unstructured"),
 			},
 		},
 		"CacheCrashError": {
 			reason: "Errors starting or running a cache should be returned",
 			e: NewEngine(&fake.Manager{},
 				WithNewCacheFn(func(*rest.Config, cache.Options) (cache.Cache, error) {
 					c := &MockCache{MockStart: func(stop context.Context) error { return errBoom }}
 					return c, nil
 				}),
 				WithNewControllerFn(func(string, manager.Manager, controller.Options) (controller.Controller, error) {
 					c := &MockController{MockStart: func(stop context.Context) error {
 						return nil
 					}}
 					return c, nil
 				}),
 			),
 			args: args{
 				name: "coolcontroller",
 			},
 			want: want{
 				crash: errors.Wrap(errBoom, errCrashCache),
 			},
 		},
 		"ControllerCrashError": {
 			reason: "Errors starting or running a controller should be returned",
 			e: NewEngine(&fake.Manager{},
 				WithNewCacheFn(func(*rest.Config, cache.Options) (cache.Cache, error) {
 					c := &MockCache{MockStart: func(stop context.Context) error {
 						return nil
 					}}
 					return c, nil
 				}),
 				WithNewControllerFn(func(string, manager.Manager, controller.Options) (controller.Controller, error) {
 					c := &MockController{MockStart: func(stop context.Context) error {
 						return errBoom
 					}}
 					return c, nil
 				}),
 			),
 			args: args{
 				name: "coolcontroller",
 			},
 			want: want{
 				crash: errors.Wrap(errBoom, errCrashController),
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			err := tc.e.Start(tc.args.name, tc.args.o, tc.args.w...)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\ne.Start(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			// Give the goroutines a little time to return an error. If this
 			// becomes flaky or time consuming we could use a ticker instead.
 			time.Sleep(100 * time.Millisecond)
 			tc.e.Stop(tc.args.name)
 			if diff := cmp.Diff(tc.want.crash, tc.e.Err(tc.args.name), test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\ne.Err(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 		})
 	}
 }
--- a/pkg/controller/gate.go
+++ b/pkg/controller/gate.go
@ -0,0 +1,15 @@
 package controller
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 // A Gate is an interface to allow reconcilers to delay a callback until a set of GVKs are set to true inside the gate.
 type Gate interface {
 	// Register to call a callback function when all given GVKs are marked true. If the callback is unblocked, the
 	// registration is removed.
 	Register(callback func(), gvks ...schema.GroupVersionKind)
 	// Set marks the associated condition to the given value. If the condition is already set as
 	// that value, then this is a no-op. Returns true if there was an update detected.
 	Set(gvk schema.GroupVersionKind, ready bool) bool
 }
--- a/pkg/controller/options.go
+++ b/pkg/controller/options.go
@ -14,18 +14,20 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package controller configures controller options.
 package controller
 import (
 	"crypto/tls"
 	"time"
 	"k8s.io/client-go/util/workqueue"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"github.com/crossplane/crossplane-runtime/pkg/feature"
 	"github.com/crossplane/crossplane-runtime/pkg/logging"
 	"github.com/crossplane/crossplane-runtime/pkg/ratelimiter"
 	"github.com/crossplane/crossplane-runtime/pkg/reconciler/managed"
 	"github.com/crossplane/crossplane-runtime/pkg/statemetrics"
 )
 // DefaultOptions returns a functional set of options with conservative
@ -47,7 +49,7 @@ type Options struct {
 	// The GlobalRateLimiter used by this controller manager. The rate of
 	// reconciles across all controllers will be subject to this limit.
-	GlobalRateLimiter workqueue.RateLimiter
+	GlobalRateLimiter ratelimiter.RateLimiter
 	// PollInterval at which each controller should speculatively poll to
 	// determine whether it has work to do.
@ -61,6 +63,15 @@ type Options struct {
 	// ESSOptions for External Secret Stores.
 	ESSOptions *ESSOptions
 	// MetricOptions for recording metrics.
 	MetricOptions *MetricOptions
 	// ChangeLogOptions for recording change logs.
 	ChangeLogOptions *ChangeLogOptions
 	// Gate implements a gated function callback pattern.
 	Gate Gate
 }
 // ForControllerRuntime extracts options for controller-runtime.
@ -79,3 +90,21 @@ type ESSOptions struct {
 	TLSConfig     *tls.Config
 	TLSSecretName *string
 }
 // MetricOptions for recording metrics.
 type MetricOptions struct {
 	// PollStateMetricInterval at which each controller should record state
 	PollStateMetricInterval time.Duration
 	// MetricsRecorder to use for recording metrics.
 	MRMetrics managed.MetricRecorder
 	// MRStateMetrics to use for recording state metrics.
 	MRStateMetrics *statemetrics.MRStateMetrics
 }
 // ChangeLogOptions for recording changes to managed resources into the change
 // logs.
 type ChangeLogOptions struct {
 	ChangeLogger managed.ChangeLogger
 }
--- a/pkg/errors/errors.go
+++ b/pkg/errors/errors.go
@ -85,6 +85,7 @@ func WithMessage(err error, message string) error {
 	if err == nil {
 		return nil
 	}
 	return fmt.Errorf("%s: %w", message, err)
 }
@ -94,6 +95,7 @@ func WithMessagef(err error, format string, args ...any) error {
 	if err == nil {
 		return nil
 	}
 	return fmt.Errorf("%s: %w", fmt.Sprintf(format, args...), err)
 }
@ -102,7 +104,7 @@ func Wrap(err error, message string) error {
 	return WithMessage(err, message)
 }
-// Wrapf is an alias for WithMessagef
+// Wrapf is an alias for WithMessagef.
 func Wrapf(err error, format string, args ...any) error {
 	return WithMessagef(err, format, args...)
 }
@ -116,11 +118,11 @@ func Cause(err error) error {
 	}
 	for err != nil {
 		//nolint:errorlint // We actually do want to check the outermost error.
 		w, ok := err.(wrapped)
 		if !ok {
 			return err
 		}
 		err = w.Unwrap()
 	}
@ -147,6 +149,7 @@ func Join(errs ...error) MultiError {
 	if err == nil {
 		return nil
 	}
 	return multiError{aggregate: err}
 }
@ -157,6 +160,7 @@ type multiError struct {
 func (m multiError) Error() string {
 	return m.aggregate.Error()
 }
 func (m multiError) Unwrap() []error {
 	return m.aggregate.Errors()
 }
--- a/pkg/errors/errors_test.go
+++ b/pkg/errors/errors_test.go
@ -29,6 +29,7 @@ func TestWrap(t *testing.T) {
 		err     error
 		message string
 	}
 	cases := map[string]struct {
 		args args
 		want error
@ -65,6 +66,7 @@ func TestWrapf(t *testing.T) {
 		message string
 		args    []any
 	}
 	cases := map[string]struct {
 		args args
 		want error
--- a/pkg/errors/reconcile.go
+++ b/pkg/errors/reconcile.go
@ -30,6 +30,7 @@ func SilentlyRequeueOnConflict(result reconcile.Result, err error) (reconcile.Re
 	if kerrors.IsConflict(Cause(err)) {
 		return reconcile.Result{Requeue: true}, nil
 	}
 	return result, err
 }
--- a/pkg/errors/reconcile_test.go
+++ b/pkg/errors/reconcile_test.go
@ -33,10 +33,12 @@ func TestSilentlyRequeueOnConflict(t *testing.T) {
 		result reconcile.Result
 		err    error
 	}
 	type want struct {
 		result reconcile.Result
 		err    error
 	}
 	tests := []struct {
 		reason string
 		args   args
@ -91,6 +93,7 @@ func TestSilentlyRequeueOnConflict(t *testing.T) {
 			if diff := cmp.Diff(tt.want.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nIgnoreConflict(...): -want error, +got error:\n%s", tt.reason, diff)
 			}
 			if diff := cmp.Diff(tt.want.result, got); diff != "" {
 				t.Errorf("\n%s\nIgnoreConflict(...): -want result, +got result:\n%s", tt.reason, diff)
 			}
--- a/pkg/event/event.go
+++ b/pkg/event/event.go
@ -27,7 +27,7 @@ type Type string
 // Event types. See below for valid types.
 // https://godoc.org/k8s.io/client-go/tools/record#EventRecorder
-var (
+const (
 	TypeNormal  Type = "Normal"
 	TypeWarning Type = "Warning"
 )
@ -52,6 +52,7 @@ func Normal(r Reason, message string, keysAndValues ...string) Event {
 		Annotations: map[string]string{},
 	}
 	sliceMap(keysAndValues, e.Annotations)
 	return e
 }
@ -64,6 +65,7 @@ func Warning(r Reason, err error, keysAndValues ...string) Event {
 		Annotations: map[string]string{},
 	}
 	sliceMap(keysAndValues, e.Annotations)
 	return e
 }
@ -77,17 +79,27 @@ type Recorder interface {
 type APIRecorder struct {
 	kube        record.EventRecorder
 	annotations map[string]string
 	filterFns   []FilterFn
 }
 // FilterFn is a function used to filter events.
 // It should return false when events should not be sent.
 type FilterFn func(obj runtime.Object, e Event) bool
 // NewAPIRecorder returns an APIRecorder that records Kubernetes events to an
 // APIServer using the supplied EventRecorder.
-func NewAPIRecorder(r record.EventRecorder) *APIRecorder {
+func NewAPIRecorder(r record.EventRecorder, fns ...FilterFn) *APIRecorder {
-	return &APIRecorder{kube: r, annotations: map[string]string{}}
+	return &APIRecorder{kube: r, annotations: map[string]string{}, filterFns: fns}
 }
 // Event records the supplied event.
 func (r *APIRecorder) Event(obj runtime.Object, e Event) {
-	r.kube.AnnotatedEventf(obj, r.annotations, string(e.Type), string(e.Reason), e.Message)
+	for _, filter := range r.filterFns {
 		if filter(obj, e) {
 			return
 		}
 	}
 	r.kube.AnnotatedEventf(obj, r.annotations, string(e.Type), string(e.Reason), "%s", e.Message)
 }
 // WithAnnotations returns a new *APIRecorder that includes the supplied
@ -97,7 +109,9 @@ func (r *APIRecorder) WithAnnotations(keysAndValues ...string) Recorder {
 	for k, v := range r.annotations {
 		ar.annotations[k] = v
 	}
 	sliceMap(keysAndValues, ar.annotations)
 	return ar
 }
--- a/pkg/event/event_test.go
+++ b/pkg/event/event_test.go
@ -24,11 +24,11 @@ import (
 )
 func TestSliceMap(t *testing.T) {
 	type args struct {
 		from []string
 		to   map[string]string
 	}
 	cases := map[string]struct {
 		reason string
 		args   args
@ -86,5 +86,4 @@ func TestSliceMap(t *testing.T) {
 			}
 		})
 	}
 }
--- a/pkg/feature/feature.go
+++ b/pkg/feature/feature.go
@ -33,9 +33,11 @@ type Flags struct {
 // Enable a feature flag.
 func (fs *Flags) Enable(f Flag) {
 	fs.m.Lock()
 	if fs.enabled == nil {
 		fs.enabled = make(map[Flag]bool)
 	}
 	fs.enabled[f] = true
 	fs.m.Unlock()
 }
@ -45,7 +47,9 @@ func (fs *Flags) Enabled(f Flag) bool {
 	if fs == nil {
 		return false
 	}
 	fs.m.RLock()
 	defer fs.m.RUnlock()
 	return fs.enabled[f]
 }
--- a/pkg/feature/features.go
+++ b/pkg/feature/features.go
@ -20,3 +20,8 @@ package feature
 // Management Policies. See the below design for more details.
 // https://github.com/crossplane/crossplane/pull/3531
 const EnableBetaManagementPolicies Flag = "EnableBetaManagementPolicies"
 // EnableAlphaChangeLogs enables alpha support for capturing change logs during
 // reconciliation. See the following design for more details:
 // https://github.com/crossplane/crossplane/pull/5822
 const EnableAlphaChangeLogs Flag = "EnableAlphaChangeLogs"
--- a/pkg/fieldpath/fieldpath.go
+++ b/pkg/fieldpath/fieldpath.go
@ -82,6 +82,7 @@ func (sg Segments) String() string {
 				b.WriteString(fmt.Sprintf("[%s]", s.Field))
 				continue
 			}
 			b.WriteString(fmt.Sprintf(".%s", s.Field))
 		case SegmentIndex:
 			b.WriteString(fmt.Sprintf("[%d]", s.Index))
@ -120,6 +121,7 @@ func Parse(path string) (Segments, error) {
 	go l.run()
 	segments := make(Segments, 0, 1)
 	for i := range l.items {
 		switch i.typ { //nolint:exhaustive // We're only worried about names, not separators.
 		case itemField:
@ -130,6 +132,7 @@ func Parse(path string) (Segments, error) {
 			return nil, errors.Errorf("%s at position %d", i.val, i.pos)
 		}
 	}
 	return segments, nil
 }
@ -174,6 +177,7 @@ func (l *lexer) run() {
 	for state := lexField; state != nil; {
 		state = state(l)
 	}
 	close(l.items)
 }
@ -182,7 +186,9 @@ func (l *lexer) emit(t itemType) {
 	if l.pos <= l.start {
 		return
 	}
 	l.items <- item{typ: t, pos: l.start, val: l.input[l.start:l.pos]}
 	l.start = l.pos
 }
@ -202,12 +208,14 @@ func lexField(l *lexer) stateFn {
 		case leftBracket:
 			l.pos += i
 			l.emit(itemField)
 			return lexLeftBracket
 		// A period indicates the end of the field name.
 		case period:
 			l.pos += i
 			l.emit(itemField)
 			return lexPeriod
 		}
 	}
@ -216,6 +224,7 @@ func lexField(l *lexer) stateFn {
 	l.pos = len(l.input)
 	l.emit(itemField)
 	l.emit(itemEOL)
 	return nil
 }
@ -234,6 +243,7 @@ func lexPeriod(l *lexer) stateFn {
 	if r == period {
 		return l.errorf(l.pos, "unexpected %q", period)
 	}
 	if r == leftBracket {
 		return l.errorf(l.pos, "unexpected %q", leftBracket)
 	}
@ -249,6 +259,7 @@ func lexLeftBracket(l *lexer) stateFn {
 	l.pos += utf8.RuneLen(leftBracket)
 	l.emit(itemLeftBracket)
 	return lexFieldOrIndex
 }
@ -272,11 +283,13 @@ func lexFieldOrIndex(l *lexer) stateFn {
 	// Periods are not considered field separators when we're inside brackets.
 	l.pos += rbi
 	l.emit(itemFieldOrIndex)
 	return lexRightBracket
 }
 func lexRightBracket(l *lexer) stateFn {
 	l.pos += utf8.RuneLen(rightBracket)
 	l.emit(itemRightBracket)
 	return lexField
 }
--- a/pkg/fieldpath/fieldpath_test.go
+++ b/pkg/fieldpath/fieldpath_test.go
@ -72,7 +72,6 @@ func TestSegments(t *testing.T) {
 			if diff := cmp.Diff(tc.want, tc.s.String()); diff != "" {
 				t.Errorf("s.String(): -want, +got:\n %s", diff)
 			}
 		})
 	}
 }
@ -300,6 +299,7 @@ func TestParse(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\nParse(%s): %s: -want error, +got error:\n%s", tc.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.s, got); diff != "" {
 				t.Errorf("\nParse(%s): %s: -want, +got:\n%s", tc.path, tc.reason, diff)
 			}
--- a/pkg/fieldpath/merge.go
+++ b/pkg/fieldpath/merge.go
@ -30,7 +30,7 @@ const (
 )
 // MergeValue of the receiver p at the specified field path with the supplied
-// value according to supplied merge options
+// value according to supplied merge options.
 func (p *Paved) MergeValue(path string, value any, mo *xpv1.MergeOptions) error {
 	dst, err := p.GetValue(path)
 	if IsNotFound(err) || mo == nil {
@ -57,6 +57,7 @@ func merge(dst, src any, mergeOptions *xpv1.MergeOptions) (any, error) {
 	// because mergo currently supports merging only maps or structs,
 	// we wrap the argument to be passed to mergo.Merge in a map.
 	const keyArg = "arg"
 	argWrap := func(arg any) map[string]any {
 		return map[string]any{
 			keyArg: arg,
@ -77,6 +78,7 @@ func merge(dst, src any, mergeOptions *xpv1.MergeOptions) (any, error) {
 	if err := mergo.Merge(&mDst, argWrap(src), mergeOptions.MergoConfiguration()...); err != nil {
 		return nil, errors.Wrap(err, errInvalidMerge)
 	}
 	return mDst[keyArg], nil
 }
@ -85,16 +87,19 @@ func removeSourceDuplicates(dst, src any) any {
 	if sliceDst.Kind() == reflect.Ptr {
 		sliceDst = sliceDst.Elem()
 	}
 	if sliceSrc.Kind() == reflect.Ptr {
 		sliceSrc = sliceSrc.Elem()
 	}
 	if sliceDst.Kind() != reflect.Slice || sliceSrc.Kind() != reflect.Slice {
 		return src
 	}
 	result := reflect.New(sliceSrc.Type()).Elem() // we will not modify src
-	for i := 0; i < sliceSrc.Len(); i++ {
+	for i := range sliceSrc.Len() {
 		itemSrc := sliceSrc.Index(i)
 		found := false
 		for j := 0; j < sliceDst.Len() && !found; j++ {
 			// if src item is found in the dst array
@ -102,10 +107,12 @@ func removeSourceDuplicates(dst, src any) any {
 				found = true
 			}
 		}
 		if !found {
 			// then put src item into result
 			result = reflect.Append(result, itemSrc)
 		}
 	}
 	return result.Interface()
 }
--- a/pkg/fieldpath/merge_test.go
+++ b/pkg/fieldpath/merge_test.go
@ -36,6 +36,7 @@ func TestMergeValue(t *testing.T) {
 		valSrc2  = "e1-from-source-2"
 		valDst   = "e1-from-destination"
 	)
 	formatArr := func(arr []string) string {
 		return fmt.Sprintf(`{"%s": ["%s"]}`, pathTest, strings.Join(arr, `", "`))
 	}
@ -59,15 +60,18 @@ func TestMergeValue(t *testing.T) {
 	type fields struct {
 		object map[string]any
 	}
 	type args struct {
 		path  string
 		value any
 		mo    *xpv1.MergeOptions
 	}
 	type want struct {
 		serialized string
 		err        error
 	}
 	tests := map[string]struct {
 		reason string
 		fields fields
@ -199,11 +203,13 @@ func TestMergeValue(t *testing.T) {
 			p := &Paved{
 				object: tc.fields.object,
 			}
 			err := p.MergeValue(tc.args.path, tc.args.value, tc.args.mo)
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.MergeValue(%s, %v): %s: -want error, +got error:\n%s",
 					tc.args.path, tc.args.value, tc.reason, diff)
 			}
 			if diff := cmp.Diff(want, p.object); diff != "" {
 				t.Fatalf("\np.MergeValue(%s, %v): %s: -want, +got:\n%s",
 					tc.args.path, tc.args.value, tc.reason, diff)
--- a/pkg/fieldpath/paved.go
+++ b/pkg/fieldpath/paved.go
@ -28,11 +28,11 @@ import (
 // DefaultMaxFieldPathIndex is the max allowed index in a field path.
 const DefaultMaxFieldPathIndex = 1024
-type errNotFound struct {
+type notFoundError struct {
 	error
 }
-func (e errNotFound) IsNotFound() bool {
+func (e notFoundError) IsNotFound() bool {
 	return true
 }
@ -41,9 +41,10 @@ func (e errNotFound) IsNotFound() bool {
 // index was out of bounds in an array.
 func IsNotFound(err error) bool {
 	cause := errors.Cause(err)
-	_, ok := cause.(interface { //nolint: errorlint // Skip errorlint for interface type
+	_, ok := cause.(interface {
 		IsNotFound() bool
 	})
 	return ok
 }
@ -75,9 +76,9 @@ func Pave(object map[string]any, opts ...PavedOption) *Paved {
 }
 // WithMaxFieldPathIndex returns a PavedOption that sets the max allowed index for field paths, 0 means no limit.
-func WithMaxFieldPathIndex(max uint) PavedOption {
+func WithMaxFieldPathIndex(maxIndex uint) PavedOption {
 	return func(paved *Paved) {
-		paved.maxFieldPathIndex = max
+		paved.maxFieldPathIndex = maxIndex
 	}
 }
@ -100,6 +101,7 @@ func (p *Paved) UnstructuredContent() map[string]any {
 	if p.object == nil {
 		return make(map[string]any)
 	}
 	return p.object
 }
@ -115,32 +117,41 @@ func (p *Paved) getValue(s Segments) (any, error) {
 func getValueFromInterface(it any, s Segments) (any, error) {
 	for i, current := range s {
 		final := i == len(s)-1
 		switch current.Type {
 		case SegmentIndex:
 			array, ok := it.([]any)
 			if !ok {
 				return nil, errors.Errorf("%s: not an array", s[:i])
 			}
-			if int(current.Index) >= len(array) {
+
-				return nil, errNotFound{errors.Errorf("%s: no such element", s[:i+1])}
+			if current.Index >= uint(len(array)) {
 				return nil, notFoundError{errors.Errorf("%s: no such element", s[:i+1])}
 			}
 			if final {
 				return array[current.Index], nil
 			}
 			it = array[current.Index]
 		case SegmentField:
-			object, ok := it.(map[string]any)
+			switch object := it.(type) {
-			if !ok {
+			case map[string]any:
 				return nil, errors.Errorf("%s: not an object", s[:i])
 			}
 				v, ok := object[current.Field]
 				if !ok {
-				return nil, errNotFound{errors.Errorf("%s: no such field", s[:i+1])}
+					return nil, notFoundError{errors.Errorf("%s: no such field", s[:i+1])}
 				}
 				if final {
 					return v, nil
 				}
 				it = object[current.Field]
 			case nil:
 				return nil, notFoundError{errors.Errorf("%s: expected map, got nil", s[:i])}
 			default:
 				return nil, errors.Errorf("%s: not an object", s[:i])
 			}
 		}
 	}
@ -156,28 +167,33 @@ func getValueFromInterface(it any, s Segments) (any, error) {
 //
 // For a Paved object with the following data: []byte(`{"spec":{"containers":[{"name":"cool", "image": "latest", "args": ["start", "now", "debug"]}]}}`),
 // ExpandWildcards("spec.containers[*].args[*]") returns:
-// []string{"spec.containers[0].args[0]", "spec.containers[0].args[1]", "spec.containers[0].args[2]"},
+// []string{"spec.containers[0].args[0]", "spec.containers[0].args[1]", "spec.containers[0].args[2]"},.
 func (p *Paved) ExpandWildcards(path string) ([]string, error) {
 	segments, err := Parse(path)
 	if err != nil {
 		return nil, errors.Wrapf(err, "cannot parse path %q", path)
 	}
 	segmentsArray, err := expandWildcards(p.object, segments)
 	if err != nil {
 		return nil, errors.Wrapf(err, "cannot expand wildcards for segments: %q", segments)
 	}
 	paths := make([]string, len(segmentsArray))
 	for i, s := range segmentsArray {
 		paths[i] = s.String()
 	}
 	return paths, nil
 }
-func expandWildcards(data any, segments Segments) ([]Segments, error) { //nolint:gocyclo // See note below.
+func expandWildcards(data any, segments Segments) ([]Segments, error) { //nolint:gocognit // See note below.
 	// Even complexity turns out to be high, it is mostly because we have duplicate
 	// logic for arrays and maps and a couple of error handling.
 	var res []Segments
 	it := data
 	for i, current := range segments {
 		// wildcards are regular fields with "*" as string
 		if current.Type == SegmentField && current.Field == wildcard {
@ -187,10 +203,12 @@ func expandWildcards(data any, segments Segments) ([]Segments, error) { //nolint
 					expanded := make(Segments, len(segments))
 					copy(expanded, segments)
 					expanded = append(append(expanded[:i], FieldOrIndex(strconv.Itoa(ix))), expanded[i+1:]...)
 					r, err := expandWildcards(data, expanded)
 					if err != nil {
 						return nil, errors.Wrapf(err, "%q: cannot expand wildcards", expanded)
 					}
 					res = append(res, r...)
 				}
 			case map[string]any:
@ -198,26 +216,35 @@ func expandWildcards(data any, segments Segments) ([]Segments, error) { //nolint
 					expanded := make(Segments, len(segments))
 					copy(expanded, segments)
 					expanded = append(append(expanded[:i], Field(k)), expanded[i+1:]...)
 					r, err := expandWildcards(data, expanded)
 					if err != nil {
 						return nil, errors.Wrapf(err, "%q: cannot expand wildcards", expanded)
 					}
 					res = append(res, r...)
 				}
 			case nil:
 				return nil, notFoundError{errors.Errorf("wildcard field %q is not found in the path", segments[:i])}
 			default:
 				return nil, errors.Errorf("%q: unexpected wildcard usage", segments[:i])
 			}
 			return res, nil
 		}
 		var err error
 		it, err = getValueFromInterface(data, segments[:i+1])
 		if IsNotFound(err) {
 			return nil, nil
 		}
 		if err != nil {
 			return nil, err
 		}
 	}
 	return append(res, segments), nil
 }
@ -237,10 +264,12 @@ func (p *Paved) GetValueInto(path string, out any) error {
 	if err != nil {
 		return err
 	}
 	js, err := json.Marshal(val)
 	if err != nil {
 		return errors.Wrap(err, "cannot marshal value to JSON")
 	}
 	return errors.Wrap(json.Unmarshal(js, out), "cannot unmarshal value from JSON")
 }
@ -255,6 +284,7 @@ func (p *Paved) GetString(path string) (string, error) {
 	if !ok {
 		return "", errors.Errorf("%s: not a string", path)
 	}
 	return s, nil
 }
@ -276,6 +306,7 @@ func (p *Paved) GetStringArray(path string) ([]string, error) {
 		if !ok {
 			return nil, errors.Errorf("%s: not an array of strings", path)
 		}
 		sa[i] = s
 	}
@ -300,8 +331,8 @@ func (p *Paved) GetStringObject(path string) (map[string]string, error) {
 		if !ok {
 			return nil, errors.Errorf("%s: not an object with string field values", path)
 		}
 		so[k] = s
 		so[k] = s
 	}
 	return so, nil
@ -318,6 +349,7 @@ func (p *Paved) GetBool(path string) (bool, error) {
 	if !ok {
 		return false, errors.Errorf("%s: not a bool", path)
 	}
 	return b, nil
 }
@ -332,6 +364,7 @@ func (p *Paved) GetInteger(path string) (int64, error) {
 	if !ok {
 		return 0, errors.Errorf("%s: not a (int64) number", path)
 	}
 	return f, nil
 }
@ -350,6 +383,7 @@ func (p *Paved) setValue(s Segments, value any) error {
 	}
 	var in any = p.object
 	for i, current := range s {
 		final := i == len(s)-1
@ -389,13 +423,16 @@ func (p *Paved) setValue(s Segments, value any) error {
 func toValidJSON(value any) (any, error) {
 	var v any
 	j, err := json.Marshal(value)
 	if err != nil {
 		return nil, errors.Wrap(err, "cannot marshal value to JSON")
 	}
 	if err := json.Unmarshal(j, &v); err != nil {
 		return nil, errors.Wrap(err, "cannot unmarshal value from JSON")
 	}
 	return v, nil
 }
@ -409,6 +446,7 @@ func prepareElement(array []any, current, next Segment) {
 		case SegmentField:
 			array[current.Index] = make(map[string]any)
 		}
 		return
 	}
@ -423,11 +461,11 @@ func prepareElement(array []any, current, next Segment) {
 		return
 	}
-	if int(next.Index) < len(na) {
+	if next.Index < uint(len(na)) {
 		return
 	}
-	array[current.Index] = append(na, make([]any, int(next.Index)-len(na)+1)...)
+	array[current.Index] = append(na, make([]any, next.Index-uint(len(na))+1)...)
 }
 func prepareField(object map[string]any, current, next Segment) {
@ -440,6 +478,7 @@ func prepareField(object map[string]any, current, next Segment) {
 		case SegmentField:
 			object[current.Field] = make(map[string]any)
 		}
 		return
 	}
@ -454,11 +493,11 @@ func prepareField(object map[string]any, current, next Segment) {
 		return
 	}
-	if int(next.Index) < len(na) {
+	if next.Index < uint(len(na)) {
 		return
 	}
-	object[current.Field] = append(na, make([]any, int(next.Index)-len(na)+1)...)
+	object[current.Field] = append(na, make([]any, next.Index-uint(len(na))+1)...)
 }
 // SetValue at the supplied field path.
@ -467,6 +506,7 @@ func (p *Paved) SetValue(path string, value any) error {
 	if err != nil {
 		return errors.Wrapf(err, "cannot parse path %q", path)
 	}
 	return p.setValue(segments, value)
 }
@ -474,11 +514,13 @@ func (p *Paved) validateSegments(s Segments) error {
 	if !p.maxFieldPathIndexEnabled() {
 		return nil
 	}
 	for _, segment := range s {
 		if segment.Type == SegmentIndex && segment.Index > p.maxFieldPathIndex {
 			return errors.Errorf("index %v is greater than max allowed index %d", segment.Index, p.maxFieldPathIndex)
 		}
 	}
 	return nil
 }
@ -507,10 +549,11 @@ func (p *Paved) DeleteField(path string) error {
 	if err != nil {
 		return errors.Wrapf(err, "cannot parse path %q", path)
 	}
 	return p.delete(segments)
 }
-func (p *Paved) delete(segments Segments) error { //nolint:gocyclo // See note below.
+func (p *Paved) delete(segments Segments) error { //nolint:gocognit // See note below.
 	// NOTE(muvaf): I could not reduce the cyclomatic complexity
 	// more than that without disturbing the reading flow.
 	if len(segments) == 1 {
@ -518,10 +561,14 @@ func (p *Paved) delete(segments Segments) error { //nolint:gocyclo // See note b
 		if err != nil {
 			return errors.Wrapf(err, "cannot delete %s", segments)
 		}
-		p.object = o.(map[string]any)
+
 		p.object = o.(map[string]any) //nolint:forcetypeassert // We're deleting from the root of the paved object, which is always a map[string]any.
 		return nil
 	}
 	var in any = p.object
 	for i, current := range segments {
 		// beforeLast is true for the element before the last one because
 		// slices cannot be changed in place and Go does not allow
@ -531,6 +578,7 @@ func (p *Paved) delete(segments Segments) error { //nolint:gocyclo // See note b
 		// until the element before the last one as opposed to
 		// Set/Get functions in this file.
 		beforeLast := i == len(segments)-2
 		switch current.Type {
 		case SegmentIndex:
 			array, ok := in.([]any)
@ -539,7 +587,7 @@ func (p *Paved) delete(segments Segments) error { //nolint:gocyclo // See note b
 			}
 			// It doesn't exist anyway.
-			if len(array) <= int(current.Index) {
+			if uint(len(array)) <= current.Index {
 				return nil
 			}
@ -548,7 +596,9 @@ func (p *Paved) delete(segments Segments) error { //nolint:gocyclo // See note b
 				if err != nil {
 					return errors.Wrapf(err, "cannot delete %s", segments)
 				}
 				array[current.Index] = o
 				return nil
 			}
@ -569,13 +619,16 @@ func (p *Paved) delete(segments Segments) error { //nolint:gocyclo // See note b
 				if err != nil {
 					return errors.Wrapf(err, "cannot delete %s", segments)
 				}
 				object[current.Field] = o
 				return nil
 			}
 			in = object[current.Field]
 		}
 	}
 	return nil
 }
@ -589,20 +642,26 @@ func deleteField(obj any, s Segment) (any, error) {
 		if !ok {
 			return nil, errors.New("not an array")
 		}
-		if len(array) == 0 || len(array) <= int(s.Index) {
+
 		if len(array) == 0 || uint(len(array)) <= s.Index {
 			return array, nil
 		}
-		for i := int(s.Index); i < len(array)-1; i++ {
+
 		for i := s.Index; i < uint(len(array))-1; i++ {
 			array[i] = array[i+1]
 		}
 		return array[:len(array)-1], nil
 	case SegmentField:
 		object, ok := obj.(map[string]any)
 		if !ok {
 			return nil, errors.New("not an object")
 		}
 		delete(object, s.Field)
 		return object, nil
 	}
 	return nil, nil
 }
--- a/pkg/fieldpath/paved_test.go
+++ b/pkg/fieldpath/paved_test.go
@ -38,12 +38,12 @@ func TestIsNotFound(t *testing.T) {
 	}{
 		"NotFound": {
 			reason: "An error with method `IsNotFound() bool` should be considered a not found error.",
-			err:    errNotFound{errors.New("boom")},
+			err:    notFoundError{errors.New("boom")},
 			want:   true,
 		},
 		"WrapsNotFound": {
 			reason: "An error that wraps an error with method `IsNotFound() bool` should be considered a not found error.",
-			err:    errors.Wrap(errNotFound{errors.New("boom")}, "because reasons"),
+			err:    errors.Wrap(notFoundError{errors.New("boom")}, "because reasons"),
 			want:   true,
 		},
 		"SomethingElse": {
@ -68,6 +68,7 @@ func TestGetValue(t *testing.T) {
 		value any
 		err   error
 	}
 	cases := map[string]struct {
 		reason string
 		path   string
@ -127,7 +128,7 @@ func TestGetValue(t *testing.T) {
 			path:   "metadata.name",
 			data:   []byte(`{"metadata":{"nope":"cool"}}`),
 			want: want{
-				err: errNotFound{errors.New("metadata.name: no such field")},
+				err: notFoundError{errors.New("metadata.name: no such field")},
 			},
 		},
 		"InsufficientContainers": {
@ -135,7 +136,7 @@ func TestGetValue(t *testing.T) {
 			path:   "spec.containers[1].name",
 			data:   []byte(`{"spec":{"containers":[{"name":"cool"}]}}`),
 			want: want{
-				err: errNotFound{errors.New("spec.containers[1]: no such element")},
+				err: notFoundError{errors.New("spec.containers[1]: no such element")},
 			},
 		},
 		"NotAnArray": {
@ -161,6 +162,14 @@ func TestGetValue(t *testing.T) {
 				err: errors.Wrap(errors.New("unexpected ']' at position 5"), "cannot parse path \"spec[]\""),
 			},
 		},
 		"NilParent": {
 			reason: "Request for a path with a nil parent value",
 			path:   "spec.containers[*].name",
 			data:   []byte(`{"spec":{"containers": null}}`),
 			want: want{
 				err: notFoundError{errors.Errorf("%s: expected map, got nil", "spec.containers")},
 			},
 		},
 	}
 	for name, tc := range cases {
@ -173,6 +182,7 @@ func TestGetValue(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.GetValue(%s): %s: -want error, +got error:\n%s", tc.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.value, got); diff != "" {
 				t.Errorf("\np.GetValue(%s): %s: -want, +got:\n%s", tc.path, tc.reason, diff)
 			}
@ -193,10 +203,12 @@ func TestGetValueInto(t *testing.T) {
 		path string
 		out  any
 	}
 	type want struct {
 		out any
 		err error
 	}
 	cases := map[string]struct {
 		reason string
 		data   []byte
@ -234,7 +246,7 @@ func TestGetValueInto(t *testing.T) {
 			},
 			want: want{
 				out: &Struct{},
-				err: errNotFound{errors.New("s: no such field")},
+				err: notFoundError{errors.New("s: no such field")},
 			},
 		},
 	}
@ -249,6 +261,7 @@ func TestGetValueInto(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.GetValueInto(%s): %s: -want error, +got error:\n%s", tc.args.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.out, tc.args.out); diff != "" {
 				t.Errorf("\np.GetValueInto(%s): %s: -want, +got:\n%s", tc.args.path, tc.reason, diff)
 			}
@ -261,6 +274,7 @@ func TestGetString(t *testing.T) {
 		value string
 		err   error
 	}
 	cases := map[string]struct {
 		reason string
 		path   string
@ -302,6 +316,7 @@ func TestGetString(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.GetString(%s): %s: -want error, +got error:\n%s", tc.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.value, got); diff != "" {
 				t.Errorf("\np.GetString(%s): %s: -want, +got:\n%s", tc.path, tc.reason, diff)
 			}
@ -314,6 +329,7 @@ func TestGetStringArray(t *testing.T) {
 		value []string
 		err   error
 	}
 	cases := map[string]struct {
 		reason string
 		path   string
@ -363,6 +379,7 @@ func TestGetStringArray(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.GetStringArray(%s): %s: -want error, +got error:\n%s", tc.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.value, got); diff != "" {
 				t.Errorf("\np.GetStringArray(%s): %s: -want, +got:\n%s", tc.path, tc.reason, diff)
 			}
@ -375,6 +392,7 @@ func TestGetStringObject(t *testing.T) {
 		value map[string]string
 		err   error
 	}
 	cases := map[string]struct {
 		reason string
 		path   string
@ -424,6 +442,7 @@ func TestGetStringObject(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.GetStringObject(%s): %s: -want error, +got error:\n%s", tc.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.value, got); diff != "" {
 				t.Errorf("\np.GetStringObject(%s): %s: -want, +got:\n%s", tc.path, tc.reason, diff)
 			}
@ -436,6 +455,7 @@ func TestGetBool(t *testing.T) {
 		value bool
 		err   error
 	}
 	cases := map[string]struct {
 		reason string
 		path   string
@ -477,6 +497,7 @@ func TestGetBool(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.GetBool(%s): %s: -want error, +got error:\n%s", tc.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.value, got); diff != "" {
 				t.Errorf("\np.GetBool(%s): %s: -want, +got:\n%s", tc.path, tc.reason, diff)
 			}
@ -489,6 +510,7 @@ func TestGetInteger(t *testing.T) {
 		value int64
 		err   error
 	}
 	cases := map[string]struct {
 		reason string
 		path   string
@ -530,6 +552,7 @@ func TestGetInteger(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.GetNumber(%s): %s: -want error, +got error:\n%s", tc.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.value, got); diff != "" {
 				t.Errorf("\np.GetNumber(%s): %s: -want, +got:\n%s", tc.path, tc.reason, diff)
 			}
@ -543,10 +566,12 @@ func TestSetValue(t *testing.T) {
 		value any
 		opts  []PavedOption
 	}
 	type want struct {
 		object map[string]any
 		err    error
 	}
 	cases := map[string]struct {
 		reason string
 		data   []byte
@ -695,7 +720,8 @@ func TestSetValue(t *testing.T) {
 			},
 			want: want{
 				object: map[string]any{
-					"data": []any{"a"}},
+					"data": []any{"a"},
 				},
 				err: errors.Errorf("index %v is greater than max allowed index %v",
 					DefaultMaxFieldPathIndex+1, DefaultMaxFieldPathIndex),
 			},
@ -715,7 +741,8 @@ func TestSetValue(t *testing.T) {
 						res[0] = "a"
 						res[DefaultMaxFieldPathIndex+1] = "c"
 						return res
-					}()},
+					}(),
 				},
 			},
 		},
 		"MapStringString": {
@ -804,6 +831,7 @@ func TestSetValue(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.SetValue(%s, %v): %s: -want error, +got error:\n%s", tc.args.path, tc.args.value, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.object, p.object); diff != "" {
 				t.Fatalf("\np.SetValue(%s, %v): %s: -want, +got:\n%s", tc.args.path, tc.args.value, tc.reason, diff)
 			}
@ -816,6 +844,7 @@ func TestExpandWildcards(t *testing.T) {
 		expanded []string
 		err      error
 	}
 	cases := map[string]struct {
 		reason string
 		path   string
@ -949,6 +978,14 @@ func TestExpandWildcards(t *testing.T) {
 				err: errors.Wrap(errors.New("unexpected ']' at position 5"), "cannot parse path \"spec[]\""),
 			},
 		},
 		"NilValue": {
 			reason: "Requesting a wildcard for an object that has nil value",
 			path:   "spec.containers[*].name",
 			data:   []byte(`{"spec":{"containers": null}}`),
 			want: want{
 				err: errors.Wrapf(notFoundError{errors.Errorf("wildcard field %q is not found in the path", "spec.containers")}, "cannot expand wildcards for segments: %q", "spec.containers[*].name"),
 			},
 		},
 	}
 	for name, tc := range cases {
@ -961,6 +998,7 @@ func TestExpandWildcards(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.ExpandWildcards(%s): %s: -want error, +got error:\n%s", tc.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.expanded, got, cmpopts.SortSlices(func(x, y string) bool {
 				return x < y
 			})); diff != "" {
@ -974,10 +1012,12 @@ func TestDeleteField(t *testing.T) {
 	type args struct {
 		path string
 	}
 	type want struct {
 		object map[string]any
 		err    error
 	}
 	cases := map[string]struct {
 		reason string
 		data   []byte
@ -1249,6 +1289,7 @@ func TestDeleteField(t *testing.T) {
 			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
 				t.Fatalf("\np.DeleteField(%s): %s: -want error, +got error:\n%s", tc.args.path, tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.object, p.object); diff != "" {
 				t.Fatalf("\np.DeleteField(%s): %s: -want, +got:\n%s", tc.args.path, tc.reason, diff)
 			}
--- a/pkg/gate/gate.go
+++ b/pkg/gate/gate.go
@ -0,0 +1,106 @@
 /*
 Copyright 2025 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Package gate contains a gated function callback registration implementation.
 package gate
 import (
 	"slices"
 	"sync"
 )
 // Gate implements a gated function callback registration with comparable conditions.
 type Gate[T comparable] struct {
 	mux       sync.RWMutex
 	satisfied map[T]bool
 	fns       []gated[T]
 }
 // gated is an internal tracking resource.
 type gated[T comparable] struct {
 	// fn is the function callback we will invoke when all the dependent conditions are true.
 	fn func()
 	// depends is the list of conditions this gated function is waiting on. This is an AND.
 	depends []T
 	// released means the gated function has been invoked and we can garbage collect this gated function.
 	released bool
 }
 // Register a callback function that will be called when all the provided dependent conditions are true.
 // After all conditions are true, the callback function is removed from the registration and will not be called again.
 // Thread Safe.
 func (g *Gate[T]) Register(fn func(), depends ...T) {
 	g.mux.Lock()
 	g.fns = append(g.fns, gated[T]{fn: fn, depends: depends})
 	g.mux.Unlock()
 	g.process()
 }
 // Set marks the associated condition to the given value. If the condition is already set as that value, then this is a
 // no-op. Returns true if there was an update detected. Thread safe.
 func (g *Gate[T]) Set(condition T, value bool) bool {
 	g.mux.Lock()
 	if g.satisfied == nil {
 		g.satisfied = make(map[T]bool)
 	}
 	old, found := g.satisfied[condition]
 	updated := false
 	if !found || old != value {
 		updated = true
 		g.satisfied[condition] = value
 	}
 	// process() would also like to lock the mux, so we must unlock here directly and not use defer.
 	g.mux.Unlock()
 	if updated {
 		g.process()
 	}
 	return updated
 }
 func (g *Gate[T]) process() {
 	g.mux.Lock()
 	defer g.mux.Unlock()
 	for i := range g.fns {
 		// release controls if we should release the function.
 		release := true
 		for _, dep := range g.fns[i].depends {
 			if !g.satisfied[dep] {
 				release = false
 			}
 		}
 		if release {
 			fn := g.fns[i].fn
 			// mark the function released so we can garbage collect after we are done with the loop.
 			g.fns[i].released = true
 			// Need to capture a copy of fn or else we would be accessing a deleted member when the go routine runs.
 			go fn()
 		}
 	}
 	// garbage collect released functions.
 	g.fns = slices.DeleteFunc(g.fns, func(a gated[T]) bool {
 		return a.released
 	})
 }
--- a/pkg/gate/gate_test.go
+++ b/pkg/gate/gate_test.go
@ -0,0 +1,299 @@
 /*
 Copyright 2025 The Crossplane Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package gate_test
 import (
 	"sync"
 	"testing"
 	"time"
 	"github.com/google/go-cmp/cmp"
 	"github.com/crossplane/crossplane-runtime/pkg/gate"
 )
 func TestGateRegister(t *testing.T) {
 	type args struct {
 		depends []string
 	}
 	type want struct {
 		called bool
 	}
 	cases := map[string]struct {
 		reason string
 		args   args
 		want   want
 	}{
 		"NoDependencies": {
 			reason: "Should immediately call function when no dependencies are required",
 			args: args{
 				depends: []string{},
 			},
 			want: want{
 				called: true,
 			},
 		},
 		"SingleDependency": {
 			reason: "Should not call function when dependency is not met",
 			args: args{
 				depends: []string{"condition1"},
 			},
 			want: want{
 				called: false,
 			},
 		},
 		"MultipleDependencies": {
 			reason: "Should not call function when multiple dependencies are not met",
 			args: args{
 				depends: []string{"condition1", "condition2"},
 			},
 			want: want{
 				called: false,
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			g := new(gate.Gate[string])
 			called := false
 			g.Register(func() {
 				called = true
 			}, tc.args.depends...)
 			// Give some time for goroutine to execute
 			time.Sleep(10 * time.Millisecond)
 			if diff := cmp.Diff(tc.want.called, called); diff != "" {
 				t.Errorf("\n%s\nRegister(...): -want called, +got called:\n%s", tc.reason, diff)
 			}
 		})
 	}
 }
 func TestGateIntegration(t *testing.T) {
 	type want struct {
 		called bool
 	}
 	cases := map[string]struct {
 		reason string
 		setup  func(g *gate.Gate[string]) chan bool
 		want   want
 	}{
 		"SingleDependencyMet": {
 			reason: "Should call function when single dependency is met",
 			setup: func(g *gate.Gate[string]) chan bool {
 				called := make(chan bool, 1)
 				g.Register(func() {
 					called <- true
 				}, "condition1")
 				// Set condition to true (will be initialized as false first)
 				g.Set("condition1", true)
 				return called
 			},
 			want: want{
 				called: true,
 			},
 		},
 		"MultipleDependenciesMet": {
 			reason: "Should call function when all dependencies are met",
 			setup: func(g *gate.Gate[string]) chan bool {
 				called := make(chan bool, 1)
 				g.Register(func() {
 					called <- true
 				}, "condition1", "condition2")
 				// Set both conditions to true
 				g.Set("condition1", true)
 				g.Set("condition2", true)
 				return called
 			},
 			want: want{
 				called: true,
 			},
 		},
 		"PartialDependenciesMet": {
 			reason: "Should not call function when only some dependencies are met",
 			setup: func(g *gate.Gate[string]) chan bool {
 				called := make(chan bool, 1)
 				g.Register(func() {
 					called <- true
 				}, "condition1", "condition2")
 				// Set only one condition to true
 				g.Set("condition1", true)
 				return called
 			},
 			want: want{
 				called: false,
 			},
 		},
 		"DependenciesAlreadyMet": {
 			reason: "Should call function when dependencies are already met",
 			setup: func(g *gate.Gate[string]) chan bool {
 				called := make(chan bool, 1)
 				g.Set("condition1", true)
 				g.Set("condition2", true)
 				g.Register(func() {
 					called <- true
 				}, "condition1", "condition2")
 				return called
 			},
 			want: want{
 				called: true,
 			},
 		},
 		"DependencySetThenUnset": {
 			reason: "Should call function when dependency is met, even if unset later",
 			setup: func(g *gate.Gate[string]) chan bool {
 				called := make(chan bool, 1)
 				g.Register(func() {
 					called <- true
 				}, "condition1")
 				// Set condition to true then false (function already called when true)
 				g.Set("condition1", true)
 				g.Set("condition1", false)
 				return called
 			},
 			want: want{
 				called: true,
 			},
 		},
 		"FunctionCalledOnlyOnce": {
 			reason: "Should call function only once even if conditions change after",
 			setup: func(g *gate.Gate[string]) chan bool {
 				called := make(chan bool, 2) // Buffer for potential multiple calls
 				g.Register(func() {
 					called <- true
 				}, "condition1")
 				// Set condition multiple times
 				g.Set("condition1", true)
 				g.Set("condition1", false)
 				g.Set("condition1", true)
 				return called
 			},
 			want: want{
 				called: true,
 			},
 		},
 	}
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			g := new(gate.Gate[string])
 			callChannel := tc.setup(g)
 			var got bool
 			select {
 			case got = <-callChannel:
 			case <-time.After(100 * time.Millisecond):
 				got = false
 			}
 			if diff := cmp.Diff(tc.want.called, got); diff != "" {
 				t.Errorf("\n%s\nIntegration test: -want called, +got called:\n%s", tc.reason, diff)
 			}
 			// For the "only once" test, ensure no additional calls
 			if name == "FunctionCalledOnlyOnce" && tc.want.called {
 				select {
 				case <-callChannel:
 					t.Errorf("\n%s\nFunction was called more than once", tc.reason)
 				case <-time.After(50 * time.Millisecond):
 					// Good - no additional calls
 				}
 			}
 		})
 	}
 }
 func TestGateConcurrency(t *testing.T) {
 	g := new(gate.Gate[string])
 	const numGoroutines = 100
 	var wg sync.WaitGroup
 	callCount := make(chan struct{}, numGoroutines)
 	// Register functions concurrently
 	for range numGoroutines {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
 			g.Register(func() {
 				callCount <- struct{}{}
 			}, "shared-condition")
 		}()
 	}
 	// Wait for all registrations
 	wg.Wait()
 	// Set condition to true once
 	g.Set("shared-condition", true)
 	// Give some time for goroutines to execute
 	time.Sleep(100 * time.Millisecond)
 	// Count how many functions were called
 	close(callCount)
 	count := 0
 	for range callCount {
 		count++
 	}
 	if count != numGoroutines {
 		t.Errorf("Expected %d function calls, got %d", numGoroutines, count)
 	}
 }
 func TestGateTypeSafety(t *testing.T) {
 	intGate := new(gate.Gate[int])
 	called := false
 	intGate.Register(func() {
 		called = true
 	}, 1, 2, 3)
 	intGate.Set(1, true)
 	intGate.Set(2, true)
 	intGate.Set(3, true)
 	// Give some time for goroutine to execute
 	time.Sleep(10 * time.Millisecond)
 	if !called {
 		t.Error("Function should have been called when all int conditions were met")
 	}
 }
--- a/pkg/logging/klog.go
+++ b/pkg/logging/klog.go
@ -0,0 +1,62 @@
 // Copyright 2024 Upbound Inc.
 // All rights reserved
 package logging
 import (
 	"flag"
 	"os"
 	"strings"
 	"github.com/go-logr/logr"
 	"k8s.io/klog/v2"
 )
 // SetFilteredKlogLogger sets log as the logger backend of klog, but filtering
 // aggressively to avoid noise.
 func SetFilteredKlogLogger(log logr.Logger) {
 	// initialize klog at verbosity level 3, dropping everything higher.
 	fs := flag.NewFlagSet(os.Args[0], flag.ExitOnError)
 	klog.InitFlags(fs)
 	fs.Parse([]string{"--v=3"}) //nolint:errcheck // we couldn't do anything here anyway
 	klogr := logr.New(&requestThrottlingFilter{log.GetSink()})
 	klog.SetLogger(klogr)
 }
 // requestThrottlingFilter drops everything that is not a client-go throttling
 // message, compare:
 // https://github.com/kubernetes/client-go/blob/8c4efe8d079e405329f314fb789a41ac6af101dc/rest/request.go#L621
 type requestThrottlingFilter struct {
 	logr.LogSink
 }
 func (l *requestThrottlingFilter) Info(level int, msg string, keysAndValues ...interface{}) {
 	if !strings.Contains(msg, "Waited for ") || !strings.Contains(msg, "  request: ") {
 		return
 	}
 	l.LogSink.Info(l.klogToLogrLevel(level), msg, keysAndValues...)
 }
 func (l *requestThrottlingFilter) Enabled(level int) bool {
 	return l.LogSink.Enabled(l.klogToLogrLevel(level))
 }
 func (l *requestThrottlingFilter) klogToLogrLevel(klogLvl int) int {
 	// we want a default klog level of 3 for info, 4 for debug, corresponding to
 	// logr levels of 0 and 1.
 	if klogLvl >= 3 {
 		return klogLvl - 3
 	}
 	return 0
 }
 func (l *requestThrottlingFilter) WithCallDepth(depth int) logr.LogSink {
 	if delegate, ok := l.LogSink.(logr.CallDepthLogSink); ok {
 		return &requestThrottlingFilter{LogSink: delegate.WithCallDepth(depth)}
 	}
 	return l
 }
--- a/pkg/meta/meta.go
+++ b/pkg/meta/meta.go
@ -70,6 +70,7 @@ const (
 // See https://github.com/crossplane/crossplane-runtime/issues/49
 func ReferenceTo(o metav1.Object, of schema.GroupVersionKind) *corev1.ObjectReference {
 	v, k := of.ToAPIVersionAndKind()
 	return &corev1.ObjectReference{
 		APIVersion: v,
 		Kind:       k,
@ -83,6 +84,7 @@ func ReferenceTo(o metav1.Object, of schema.GroupVersionKind) *corev1.ObjectRefe
 // presumed to be of the supplied group, version, and kind.
 func TypedReferenceTo(o metav1.Object, of schema.GroupVersionKind) *xpv1.TypedReference {
 	v, k := of.ToAPIVersionAndKind()
 	return &xpv1.TypedReference{
 		APIVersion: v,
 		Kind:       k,
@ -108,6 +110,7 @@ func AsController(r *xpv1.TypedReference) metav1.OwnerReference {
 	ref := AsOwner(r)
 	ref.Controller = &t
 	ref.BlockOwnerDeletion = &t
 	return ref
 }
@ -139,9 +142,11 @@ func AddOwnerReference(o metav1.Object, r metav1.OwnerReference) {
 		if refs[i].UID == r.UID {
 			refs[i] = r
 			o.SetOwnerReferences(refs)
 			return
 		}
 	}
 	o.SetOwnerReferences(append(refs, r))
 }
@ -154,6 +159,7 @@ func AddControllerReference(o metav1.Object, r metav1.OwnerReference) error {
 	}
 	AddOwnerReference(o, r)
 	return nil
 }
@ -165,6 +171,7 @@ func AddFinalizer(o metav1.Object, finalizer string) {
 			return
 		}
 	}
 	o.SetFinalizers(append(f, finalizer))
 }
@ -176,6 +183,7 @@ func RemoveFinalizer(o metav1.Object, finalizer string) {
 			f = append(f[:i], f[i+1:]...)
 		}
 	}
 	o.SetFinalizers(f)
 }
@ -187,6 +195,7 @@ func FinalizerExists(o metav1.Object, finalizer string) bool {
 			return true
 		}
 	}
 	return false
 }
@ -197,9 +206,11 @@ func AddLabels(o metav1.Object, labels map[string]string) {
 		o.SetLabels(labels)
 		return
 	}
 	for k, v := range labels {
 		l[k] = v
 	}
 	o.SetLabels(l)
 }
@ -209,9 +220,11 @@ func RemoveLabels(o metav1.Object, labels ...string) {
 	if l == nil {
 		return
 	}
 	for _, k := range labels {
 		delete(l, k)
 	}
 	o.SetLabels(l)
 }
@ -222,9 +235,11 @@ func AddAnnotations(o metav1.Object, annotations map[string]string) {
 		o.SetAnnotations(annotations)
 		return
 	}
 	for k, v := range annotations {
 		a[k] = v
 	}
 	o.SetAnnotations(a)
 }
@ -234,9 +249,11 @@ func RemoveAnnotations(o metav1.Object, annotations ...string) {
 	if a == nil {
 		return
 	}
 	for _, k := range annotations {
 		delete(a, k)
 	}
 	o.SetAnnotations(a)
 }
@ -267,10 +284,12 @@ func SetExternalName(o metav1.Object, name string) {
 // was most recently pending creation.
 func GetExternalCreatePending(o metav1.Object) time.Time {
 	a := o.GetAnnotations()[AnnotationKeyExternalCreatePending]
 	t, err := time.Parse(time.RFC3339, a)
 	if err != nil {
 		return time.Time{}
 	}
 	return t
 }
@ -284,10 +303,12 @@ func SetExternalCreatePending(o metav1.Object, t time.Time) {
 // was most recently created.
 func GetExternalCreateSucceeded(o metav1.Object) time.Time {
 	a := o.GetAnnotations()[AnnotationKeyExternalCreateSucceeded]
 	t, err := time.Parse(time.RFC3339, a)
 	if err != nil {
 		return time.Time{}
 	}
 	return t
 }
@ -301,10 +322,12 @@ func SetExternalCreateSucceeded(o metav1.Object, t time.Time) {
 // recently failed to create.
 func GetExternalCreateFailed(o metav1.Object) time.Time {
 	a := o.GetAnnotations()[AnnotationKeyExternalCreateFailed]
 	t, err := time.Parse(time.RFC3339, a)
 	if err != nil {
 		return time.Time{}
 	}
 	return t
 }
@ -344,6 +367,7 @@ func ExternalCreateSucceededDuring(o metav1.Object, d time.Duration) bool {
 	if t.IsZero() {
 		return false
 	}
 	return time.Since(t) < d
 }
--- a/pkg/meta/meta_test.go
+++ b/pkg/meta/meta_test.go
@ -46,6 +46,7 @@ func TestReferenceTo(t *testing.T) {
 		o  metav1.Object
 		of schema.GroupVersionKind
 	}
 	tests := map[string]struct {
 		args
 		want *corev1.ObjectReference
@ -77,7 +78,7 @@ func TestReferenceTo(t *testing.T) {
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			got := ReferenceTo(tc.args.o, tc.args.of)
+			got := ReferenceTo(tc.o, tc.of)
 			if diff := cmp.Diff(tc.want, got); diff != "" {
 				t.Errorf("ReferenceTo(): -want, +got:\n%s", diff)
 			}
@ -90,6 +91,7 @@ func TestTypedReferenceTo(t *testing.T) {
 		o  metav1.Object
 		of schema.GroupVersionKind
 	}
 	tests := map[string]struct {
 		args
 		want *xpv1.TypedReference
@ -120,7 +122,7 @@ func TestTypedReferenceTo(t *testing.T) {
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			got := TypedReferenceTo(tc.args.o, tc.args.of)
+			got := TypedReferenceTo(tc.o, tc.of)
 			if diff := cmp.Diff(tc.want, got); diff != "" {
 				t.Errorf("TypedReferenceTo(): -want, +got:\n%s", diff)
 			}
@ -825,6 +827,7 @@ func TestWasDeleted(t *testing.T) {
 		})
 	}
 }
 func TestWasCreated(t *testing.T) {
 	now := metav1.Now()
 	zero := metav1.Time{}
@ -894,6 +897,7 @@ func TestSetExternalName(t *testing.T) {
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			SetExternalName(tc.o, tc.name)
 			if diff := cmp.Diff(tc.want, tc.o); diff != "" {
 				t.Errorf("SetExternalName(...): -want, +got:\n%s", diff)
 			}
@ -946,6 +950,7 @@ func TestSetExternalCreatePending(t *testing.T) {
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			SetExternalCreatePending(tc.o, tc.t)
 			if diff := cmp.Diff(tc.want, tc.o); diff != "" {
 				t.Errorf("SetExternalCreatePending(...): -want, +got:\n%s", diff)
 			}
@ -998,6 +1003,7 @@ func TestSetExternalCreateSucceeded(t *testing.T) {
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			SetExternalCreateSucceeded(tc.o, tc.t)
 			if diff := cmp.Diff(tc.want, tc.o); diff != "" {
 				t.Errorf("SetExternalCreateSucceeded(...): -want, +got:\n%s", diff)
 			}
@ -1050,6 +1056,7 @@ func TestSetExternalCreateFailed(t *testing.T) {
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			SetExternalCreateFailed(tc.o, tc.t)
 			if diff := cmp.Diff(tc.want, tc.o); diff != "" {
 				t.Errorf("SetExternalCreateFailed(...): -want, +got:\n%s", diff)
 			}
@ -1111,7 +1118,6 @@ func TestExternalCreateSucceededDuring(t *testing.T) {
 }
 func TestExternalCreateIncomplete(t *testing.T) {
 	now := time.Now().Format(time.RFC3339)
 	earlier := time.Now().Add(-1 * time.Second).Format(time.RFC3339)
 	evenEarlier := time.Now().Add(-1 * time.Minute).Format(time.RFC3339)
--- a/pkg/parser/fsreader.go
+++ b/pkg/parser/fsreader.go
@ -51,34 +51,36 @@ type FilterFn func(path string, info os.FileInfo) (bool, error)
 // SkipPath skips files at a certain path.
 func SkipPath(pattern string) FilterFn {
-	return func(path string, info os.FileInfo) (bool, error) {
+	return func(path string, _ os.FileInfo) (bool, error) {
 		return filepath.Match(pattern, path)
 	}
 }
 // SkipDirs skips directories.
 func SkipDirs() FilterFn {
-	return func(path string, info os.FileInfo) (bool, error) {
+	return func(_ string, info os.FileInfo) (bool, error) {
 		if info.IsDir() {
 			return true, nil
 		}
 		return false, nil
 	}
 }
 // SkipEmpty skips empty files.
 func SkipEmpty() FilterFn {
-	return func(path string, info os.FileInfo) (bool, error) {
+	return func(_ string, info os.FileInfo) (bool, error) {
 		return info.Size() == 0, nil
 	}
 }
 // SkipNotYAML skips files that do not have YAML extension.
 func SkipNotYAML() FilterFn {
-	return func(path string, info os.FileInfo) (bool, error) {
+	return func(path string, _ os.FileInfo) (bool, error) {
 		if filepath.Ext(path) != ".yaml" && filepath.Ext(path) != ".yml" {
 			return true, nil
 		}
 		return false, nil
 	}
 }
@ -92,18 +94,23 @@ func NewFsReadCloser(fs afero.Fs, dir string, fns ...FilterFn) (*FsReadCloser, e
 		if err != nil {
 			return err
 		}
 		for _, fn := range fns {
 			filter, err := fn(path, info)
 			if err != nil {
 				return err
 			}
 			if filter {
 				return nil
 			}
 		}
 		paths = append(paths, path)
 		return nil
 	})
 	return &FsReadCloser{
 		fs:         fs,
 		dir:        dir,
@ -121,24 +128,31 @@ func (r *FsReadCloser) Read(p []byte) (n int, err error) {
 		r.position = 0
 		r.wroteBreak = false
 		n = copy(p, "\n---\n")
 		return n, nil
 	}
 	if r.index == len(r.paths) {
 		return 0, io.EOF
 	}
 	if r.writeBreak {
 		n = copy(p, "\n...\n")
 		r.writeBreak = false
 		r.wroteBreak = true
 		return n, nil
 	}
 	b, err := afero.ReadFile(r.fs, r.paths[r.index])
 	n = copy(p, b[r.position:])
 	r.position += n
 	if errors.Is(err, io.EOF) || n == 0 {
 		r.writeBreak = true
 		err = nil
 	}
 	return n, err
 }
@ -155,6 +169,7 @@ func (r *FsReadCloser) Annotate() any {
 	if index == len(r.paths) {
 		index--
 	}
 	return FsReadCloserAnnotation{
 		path:     r.paths[index],
 		position: r.position,
--- a/pkg/parser/fuzz_test.go
+++ b/pkg/parser/fuzz_test.go
@ -10,7 +10,7 @@ import (
 )
 func FuzzParse(f *testing.F) {
-	f.Fuzz(func(t *testing.T, data []byte) {
+	f.Fuzz(func(_ *testing.T, data []byte) {
 		objScheme := runtime.NewScheme()
 		metaScheme := runtime.NewScheme()
 		p := New(metaScheme, objScheme)
--- a/pkg/parser/linter.go
+++ b/pkg/parser/linter.go
@ -32,7 +32,7 @@ const (
 // A Linter lints packages.
 type Linter interface {
-	Lint(Lintable) error
+	Lint(l Lintable) error
 }
 // PackageLinterFn lints an entire package. If function applies a check for
@ -78,6 +78,7 @@ func (l *PackageLinter) Lint(pkg Lintable) error {
 			return err
 		}
 	}
 	for _, o := range pkg.GetMeta() {
 		for _, fn := range l.perMeta {
 			if err := fn(o); err != nil {
@ -85,6 +86,7 @@ func (l *PackageLinter) Lint(pkg Lintable) error {
 			}
 		}
 	}
 	for _, o := range pkg.GetObjects() {
 		for _, fn := range l.perObject {
 			if err := fn(o); err != nil {
@ -92,6 +94,7 @@ func (l *PackageLinter) Lint(pkg Lintable) error {
 			}
 		}
 	}
 	return nil
 }
@ -100,16 +103,20 @@ func (l *PackageLinter) Lint(pkg Lintable) error {
 func Or(linters ...ObjectLinterFn) ObjectLinterFn {
 	return func(o runtime.Object) error {
 		var errs []string
 		for _, l := range linters {
 			if l == nil {
 				return errors.New(errNilLinterFn)
 			}
 			err := l(o)
 			if err == nil {
 				return nil
 			}
 			errs = append(errs, err.Error())
 		}
 		return errors.Errorf(errOrFmt, strings.Join(errs, ", "))
 	}
 }
--- a/pkg/parser/linter_test.go
+++ b/pkg/parser/linter_test.go
@ -31,16 +31,16 @@ var _ Linter = &PackageLinter{}
 var (
 	errBoom = errors.New("boom")
-	pkgPass = func(lin Lintable) error {
+	pkgPass = func(_ Lintable) error {
 		return nil
 	}
-	pkgFail = func(lin Lintable) error {
+	pkgFail = func(_ Lintable) error {
 		return errBoom
 	}
-	objPass = func(o runtime.Object) error {
+	objPass = func(_ runtime.Object) error {
 		return nil
 	}
-	objFail = func(o runtime.Object) error {
+	objFail = func(_ runtime.Object) error {
 		return errBoom
 	}
 )
@ -119,7 +119,6 @@ func TestLinter(t *testing.T) {
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			err := tc.args.linter.Lint(tc.args.pkg)
 			if diff := cmp.Diff(tc.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nl.Lint(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
@ -175,7 +174,6 @@ func TestOr(t *testing.T) {
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			err := Or(tc.args.one, tc.args.two)(crd)
 			if diff := cmp.Diff(tc.err, err, test.EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nOr(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
--- a/pkg/parser/parser.go
+++ b/pkg/parser/parser.go
@ -79,7 +79,7 @@ func (p *Package) GetObjects() []runtime.Object {
 // Parser is a package parser.
 type Parser interface {
-	Parse(context.Context, io.ReadCloser) (*Package, error)
+	Parse(ctx context.Context, rc io.ReadCloser) (*Package, error)
 }
 // PackageParser is a Parser implementation for parsing packages.
@ -105,21 +105,27 @@ func (p *PackageParser) Parse(_ context.Context, reader io.ReadCloser) (*Package
 	if reader == nil {
 		return pkg, nil
 	}
 	defer func() { _ = reader.Close() }()
 	yr := yaml.NewYAMLReader(bufio.NewReader(reader))
 	dm := json.NewSerializerWithOptions(json.DefaultMetaFactory, p.metaScheme, p.metaScheme, json.SerializerOptions{Yaml: true})
 	do := json.NewSerializerWithOptions(json.DefaultMetaFactory, p.objScheme, p.objScheme, json.SerializerOptions{Yaml: true})
 	for {
 		content, err := yr.Read()
 		if err != nil && !errors.Is(err, io.EOF) {
 			return pkg, err
 		}
 		if errors.Is(err, io.EOF) {
 			break
 		}
 		if isEmptyYAML(content) {
 			continue
 		}
 		m, _, err := dm.Decode(content, nil, nil)
 		if err != nil {
 			// NOTE(hasheddan): we only try to decode with object scheme if the
@ -127,15 +133,20 @@ func (p *PackageParser) Parse(_ context.Context, reader io.ReadCloser) (*Package
 			if !runtime.IsNotRegisteredError(err) {
 				return pkg, annotateErr(err, reader)
 			}
 			o, _, err := do.Decode(content, nil, nil)
 			if err != nil {
 				return pkg, annotateErr(err, reader)
 			}
 			pkg.objects = append(pkg.objects, o)
 			continue
 		}
 		pkg.meta = append(pkg.meta, m)
 	}
 	return pkg, nil
 }
@ -151,6 +162,7 @@ func isEmptyYAML(y []byte) bool {
 			return false
 		}
 	}
 	return true
 }
@ -159,6 +171,7 @@ func annotateErr(err error, reader io.ReadCloser) error {
 	if anno, ok := reader.(AnnotatedReadCloser); ok {
 		return errors.Wrapf(err, "%+v", anno.Annotate())
 	}
 	return err
 }
@ -168,7 +181,7 @@ type BackendOption func(Backend)
 // Backend provides a source for a parser.
 type Backend interface {
-	Init(context.Context, ...BackendOption) (io.ReadCloser, error)
+	Init(ctx context.Context, o ...BackendOption) (io.ReadCloser, error)
 }
 // PodLogBackend is a parser backend that uses Kubernetes pod logs as source.
@ -184,6 +197,7 @@ func NewPodLogBackend(bo ...BackendOption) *PodLogBackend {
 	for _, o := range bo {
 		o(p)
 	}
 	return p
 }
@ -192,11 +206,14 @@ func (p *PodLogBackend) Init(ctx context.Context, bo ...BackendOption) (io.ReadC
 	for _, o := range bo {
 		o(p)
 	}
 	logs := p.client.CoreV1().Pods(p.namespace).GetLogs(p.name, &corev1.PodLogOptions{})
 	reader, err := logs.Stream(ctx)
 	if err != nil {
 		return nil, err
 	}
 	return reader, nil
 }
@ -207,6 +224,7 @@ func PodName(name string) BackendOption {
 		if !ok {
 			return
 		}
 		pl.name = name
 	}
 }
@ -218,6 +236,7 @@ func PodNamespace(namespace string) BackendOption {
 		if !ok {
 			return
 		}
 		pl.namespace = namespace
 	}
 }
@ -229,6 +248,7 @@ func PodClient(client kubernetes.Interface) BackendOption {
 		if !ok {
 			return
 		}
 		pl.client = client
 	}
 }
@ -261,6 +281,7 @@ func NewFsBackend(fs afero.Fs, bo ...BackendOption) *FsBackend {
 	for _, o := range bo {
 		o(f)
 	}
 	return f
 }
@ -269,6 +290,7 @@ func (p *FsBackend) Init(_ context.Context, bo ...BackendOption) (io.ReadCloser,
 	for _, o := range bo {
 		o(p)
 	}
 	return NewFsReadCloser(p.fs, p.dir, p.skips...)
 }
@ -279,6 +301,7 @@ func FsDir(dir string) BackendOption {
 		if !ok {
 			return
 		}
 		f.dir = dir
 	}
 }
@ -290,6 +313,7 @@ func FsFilters(skips ...FilterFn) BackendOption {
 		if !ok {
 			return
 		}
 		f.skips = skips
 	}
 }
@ -311,5 +335,6 @@ func (p *EchoBackend) Init(_ context.Context, bo ...BackendOption) (io.ReadClose
 	for _, o := range bo {
 		o(p)
 	}
 	return io.NopCloser(strings.NewReader(p.echo)), nil
 }
--- a/pkg/parser/parser_test.go
+++ b/pkg/parser/parser_test.go
@ -195,18 +195,22 @@ func TestParser(t *testing.T) {
 			if err != nil {
 				t.Errorf("backend.Init(...): unexpected error: %s", err)
 			}
 			pkg, err := tc.parser.Parse(context.TODO(), r)
 			if err != nil && !tc.wantErr {
 				t.Errorf("parser.Parse(...): unexpected error: %s", err)
 			}
 			if tc.wantErr {
 				return
 			}
 			if diff := cmp.Diff(tc.pkg.GetObjects(), pkg.GetObjects(), cmpopts.SortSlices(func(i, j runtime.Object) bool {
 				return i.GetObjectKind().GroupVersionKind().String() > j.GetObjectKind().GroupVersionKind().String()
 			})); diff != "" {
 				t.Errorf("Objects: -want, +got:\n%s", diff)
 			}
 			if diff := cmp.Diff(tc.pkg.GetMeta(), pkg.GetMeta(), cmpopts.SortSlices(func(i, j runtime.Object) bool {
 				return i.GetObjectKind().GroupVersionKind().String() > j.GetObjectKind().GroupVersionKind().String()
 			})); diff != "" {
@ -220,9 +224,11 @@ func TestCleanYAML(t *testing.T) {
 	type args struct {
 		in []byte
 	}
 	type want struct {
 		out bool
 	}
 	cases := map[string]struct {
 		reason string
 		args   args
--- a/pkg/password/password.go
+++ b/pkg/password/password.go
@ -32,6 +32,8 @@ type Settings struct {
 }
 // Default password generation settings.
 //
 //nolint:gochecknoglobals // We treat this as a constant.
 var Default = Settings{
 	CharacterSet: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
 	Length:       27,
@ -46,12 +48,14 @@ func Generate() (string, error) {
 // Generate a password.
 func (s Settings) Generate() (string, error) {
 	pw := make([]byte, s.Length)
-	for i := 0; i < s.Length; i++ {
+	for i := range s.Length {
 		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(s.CharacterSet))))
 		if err != nil {
 			return "", err
 		}
 		pw[i] = s.CharacterSet[n.Int64()]
 	}
 	return string(pw), nil
 }
--- a/pkg/password/password_test.go
+++ b/pkg/password/password_test.go
@ -8,12 +8,13 @@ import (
 func TestGenerate(t *testing.T) {
 	// ¯\_(ツ)_/¯
 	want := "aaa"
 	got, err := Settings{CharacterSet: "a", Length: 3}.Generate()
 	if diff := cmp.Diff(want, got); diff != "" {
 		t.Errorf("Generate(): -want, +got:\n%s", diff)
 	}
 	if err != nil {
 		t.Errorf("Generate: %s\n", err)
 	}
--- a/pkg/ratelimiter/default.go
+++ b/pkg/ratelimiter/default.go
@ -23,21 +23,24 @@ import (
 	"golang.org/x/time/rate"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/workqueue"
-	"sigs.k8s.io/controller-runtime/pkg/ratelimiter"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 // NewGlobal returns a token bucket rate limiter meant for limiting the number
 // of average total requeues per second for all controllers registered with a
 // controller manager. The bucket size (i.e. allowed burst) is rps * 10.
-func NewGlobal(rps int) *workqueue.BucketRateLimiter {
+func NewGlobal(rps int) *BucketRateLimiter {
-	return &workqueue.BucketRateLimiter{Limiter: rate.NewLimiter(rate.Limit(rps), rps*10)}
+	return &workqueue.TypedBucketRateLimiter[string]{Limiter: rate.NewLimiter(rate.Limit(rps), rps*10)}
 }
 // ControllerRateLimiter to work with [sigs.k8s.io/controller-runtime/pkg/controller.Options].
 type ControllerRateLimiter = workqueue.TypedRateLimiter[reconcile.Request]
 // NewController returns a rate limiter that takes the maximum delay between the
 // passed rate limiter and a per-item exponential backoff limiter. The
 // exponential backoff limiter has a base delay of 1s and a maximum of 60s.
-func NewController() ratelimiter.RateLimiter {
+func NewController() ControllerRateLimiter {
-	return workqueue.NewItemExponentialFailureRateLimiter(1*time.Second, 60*time.Second)
+	return workqueue.NewTypedItemExponentialFailureRateLimiter[reconcile.Request](1*time.Second, 60*time.Second)
 }
 // LimitRESTConfig returns a copy of the supplied REST config with rate limits
@ -49,5 +52,6 @@ func LimitRESTConfig(cfg *rest.Config, rps int) *rest.Config {
 	out := rest.CopyConfig(cfg)
 	out.QPS = float32(rps * 5)
 	out.Burst = rps * 10
 	return out
 }
--- a/Show More
+++ b/Show More
		`@ -1 +0,0 @@`
			`Subproject commit 7da2fdeb3dc1ebbce8210a58616debe34ef0fd97`
`@ -1,3 +1,3 @@`
	`{{violation.rule}}`: {{violation.message}}	`{{violation.rule}}`: {{violation.message}}

	`Refer to Crossplane's [coding style documentation](https://github.com/crossplane/crossplane/blob/master/CONTRIBUTING.md#coding-style-and-linting) for more information.`	`Refer to Crossplane's [coding style documentation](https://github.com/crossplane/crossplane/blob/main/CONTRIBUTING.md#coding-style-and-linting) for more information.`