Merge branch 'heads/main' into windmill-connection-and-sync

backend/src/lib/api-docs/constants.ts

@@ -1808,6 +1808,10 @@ export const AppConnections = {
     CAMUNDA: {
       clientId: "The client ID used to authenticate with Camunda.",
       clientSecret: "The client secret used to authenticate with Camunda."
+    },
+    WINDMILL: {
+      instanceUrl: "The Windmill instance URL to connect with (defaults to https://app.windmill.dev).",
+      accessToken: "The access token to use to connect with Windmill."
     }
   }
 };
@@ -1943,6 +1947,10 @@ export const SecretSyncs = {
       env: "The ID of the Vercel environment to sync secrets to.",
       branch: "The branch to sync preview secrets to.",
       teamId: "The ID of the Vercel team to sync secrets to."
+    },
+    WINDMILL: {
+      workspace: "The Windmill workspace to sync secrets to.",
+      path: "The Windmill workspace path to sync secrets to."
     }
   }
 };

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -37,6 +37,10 @@ import {
   TerraformCloudConnectionListItemSchema
 } from "@app/services/app-connection/terraform-cloud";
 import { SanitizedVercelConnectionSchema, VercelConnectionListItemSchema } from "@app/services/app-connection/vercel";
+import {
+  SanitizedWindmillConnectionSchema,
+  WindmillConnectionListItemSchema
+} from "@app/services/app-connection/windmill";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 // can't use discriminated due to multiple schemas for certain apps
@@ -53,6 +57,7 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedPostgresConnectionSchema.options,
   ...SanitizedMsSqlConnectionSchema.options,
   ...SanitizedCamundaConnectionSchema.options,
+  ...SanitizedWindmillConnectionSchema.options,
   ...SanitizedAuth0ConnectionSchema.options
 ]);
 
@@ -69,6 +74,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   PostgresConnectionListItemSchema,
   MsSqlConnectionListItemSchema,
   CamundaConnectionListItemSchema,
+  WindmillConnectionListItemSchema,
   Auth0ConnectionListItemSchema
 ]);
 

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -13,6 +13,7 @@ import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
 import { registerVercelConnectionRouter } from "./vercel-connection-router";
+import { registerWindmillConnectionRouter } from "./windmill-connection-router";
 
 export * from "./app-connection-router";
 
@@ -30,5 +31,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Postgres]: registerPostgresConnectionRouter,
     [AppConnection.MsSql]: registerMsSqlConnectionRouter,
     [AppConnection.Camunda]: registerCamundaConnectionRouter,
+    [AppConnection.Windmill]: registerWindmillConnectionRouter,
     [AppConnection.Auth0]: registerAuth0ConnectionRouter
   };

backend/src/server/routes/v1/app-connection-routers/windmill-connection-router.ts

@@ -0,0 +1,53 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateWindmillConnectionSchema,
+  SanitizedWindmillConnectionSchema,
+  UpdateWindmillConnectionSchema
+} from "@app/services/app-connection/windmill";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerWindmillConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Windmill,
+    server,
+    sanitizedResponseSchema: SanitizedWindmillConnectionSchema,
+    createSchema: CreateWindmillConnectionSchema,
+    updateSchema: UpdateWindmillConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/workspaces`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const workspaces = await server.services.appConnection.windmill.listWorkspaces(connectionId, req.permission);
+
+      return workspaces;
+    }
+  });
+};

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -11,6 +11,7 @@ import { registerGitHubSyncRouter } from "./github-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
 import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
 import { registerVercelSyncRouter } from "./vercel-sync-router";
+import { registerWindmillSyncRouter } from "./windmill-sync-router";
 
 export * from "./secret-sync-router";
 
@@ -25,5 +26,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Humanitec]: registerHumanitecSyncRouter,
   [SecretSync.TerraformCloud]: registerTerraformCloudSyncRouter,
   [SecretSync.Camunda]: registerCamundaSyncRouter,
-  [SecretSync.Vercel]: registerVercelSyncRouter
+  [SecretSync.Vercel]: registerVercelSyncRouter,
+  [SecretSync.Windmill]: registerWindmillSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -25,6 +25,7 @@ import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
+import { WindmillSyncListItemSchema, WindmillSyncSchema } from "@app/services/secret-sync/windmill";
 
 const SecretSyncSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncSchema,
@@ -37,7 +38,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   HumanitecSyncSchema,
   TerraformCloudSyncSchema,
   CamundaSyncSchema,
-  VercelSyncSchema
+  VercelSyncSchema,
+  WindmillSyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -51,7 +53,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   HumanitecSyncListItemSchema,
   TerraformCloudSyncListItemSchema,
   CamundaSyncListItemSchema,
-  VercelSyncListItemSchema
+  VercelSyncListItemSchema,
+  WindmillSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/secret-sync-routers/windmill-sync-router.ts

@@ -0,0 +1,17 @@
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  CreateWindmillSyncSchema,
+  UpdateWindmillSyncSchema,
+  WindmillSyncSchema
+} from "@app/services/secret-sync/windmill";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerWindmillSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Windmill,
+    server,
+    responseSchema: WindmillSyncSchema,
+    createSchema: CreateWindmillSyncSchema,
+    updateSchema: UpdateWindmillSyncSchema
+  });

backend/src/server/routes/v2/project-router.ts

@@ -29,8 +29,7 @@ import { SanitizedProjectSchema } from "../sanitizedSchemas";
 
 const projectWithEnv = SanitizedProjectSchema.extend({
   _id: z.string(),
-  environments: z.object({ name: z.string(), slug: z.string(), id: z.string() }).array(),
-  kmsSecretManagerKeyId: z.string().nullable().optional()
+  environments: z.object({ name: z.string(), slug: z.string(), id: z.string() }).array()
 });
 
 export const registerProjectRouter = async (server: FastifyZodProvider) => {

backend/src/services/app-connection/app-connection-enums.ts

@@ -11,6 +11,7 @@ export enum AppConnection {
   Postgres = "postgres",
   MsSql = "mssql",
   Camunda = "camunda",
+  Windmill = "windmill",
   Auth0 = "auth0"
 }
 

backend/src/services/app-connection/app-connection-fns.ts

@@ -50,6 +50,11 @@ import {
 } from "./terraform-cloud";
 import { VercelConnectionMethod } from "./vercel";
 import { getVercelConnectionListItem, validateVercelConnectionCredentials } from "./vercel/vercel-connection-fns";
+import {
+  getWindmillConnectionListItem,
+  validateWindmillConnectionCredentials,
+  WindmillConnectionMethod
+} from "./windmill";
 
 export const listAppConnectionOptions = () => {
   return [
@@ -65,6 +70,7 @@ export const listAppConnectionOptions = () => {
     getPostgresConnectionListItem(),
     getMsSqlConnectionListItem(),
     getCamundaConnectionListItem(),
+    getWindmillConnectionListItem(),
     getAuth0ConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
@@ -128,7 +134,8 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Camunda]: validateCamundaConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Vercel]: validateVercelConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.TerraformCloud]: validateTerraformCloudConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Auth0]: validateAuth0ConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Auth0]: validateAuth0ConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Windmill]: validateWindmillConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
   return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -159,6 +166,8 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
       return "Username & Password";
+    case WindmillConnectionMethod.AccessToken:
+      return "Access Token";
     case Auth0ConnectionMethod.ClientCredentials:
       return "Client Credentials";
     default:
@@ -204,5 +213,6 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.TerraformCloud]: platformManagedCredentialsNotSupported,
   [AppConnection.Camunda]: platformManagedCredentialsNotSupported,
   [AppConnection.Vercel]: platformManagedCredentialsNotSupported,
+  [AppConnection.Windmill]: platformManagedCredentialsNotSupported,
   [AppConnection.Auth0]: platformManagedCredentialsNotSupported
 };

backend/src/services/app-connection/app-connection-maps.ts

@@ -13,5 +13,6 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Postgres]: "PostgreSQL",
   [AppConnection.MsSql]: "Microsoft SQL Server",
   [AppConnection.Camunda]: "Camunda",
+  [AppConnection.Windmill]: "Windmill",
   [AppConnection.Auth0]: "Auth0"
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -49,6 +49,8 @@ import { ValidateTerraformCloudConnectionCredentialsSchema } from "./terraform-c
 import { terraformCloudConnectionService } from "./terraform-cloud/terraform-cloud-connection-service";
 import { ValidateVercelConnectionCredentialsSchema } from "./vercel";
 import { vercelConnectionService } from "./vercel/vercel-connection-service";
+import { ValidateWindmillConnectionCredentialsSchema } from "./windmill";
+import { windmillConnectionService } from "./windmill/windmill-connection-service";
 
 export type TAppConnectionServiceFactoryDep = {
   appConnectionDAL: TAppConnectionDALFactory;
@@ -71,6 +73,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Postgres]: ValidatePostgresConnectionCredentialsSchema,
   [AppConnection.MsSql]: ValidateMsSqlConnectionCredentialsSchema,
   [AppConnection.Camunda]: ValidateCamundaConnectionCredentialsSchema,
+  [AppConnection.Windmill]: ValidateWindmillConnectionCredentialsSchema,
   [AppConnection.Auth0]: ValidateAuth0ConnectionCredentialsSchema
 };
 
@@ -446,6 +449,7 @@ export const appConnectionServiceFactory = ({
     terraformCloud: terraformCloudConnectionService(connectAppConnectionById),
     camunda: camundaConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
     vercel: vercelConnectionService(connectAppConnectionById),
+    windmill: windmillConnectionService(connectAppConnectionById),
     auth0: auth0ConnectionService(connectAppConnectionById, appConnectionDAL, kmsService)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -75,6 +75,12 @@ import {
   TVercelConnectionConfig,
   TVercelConnectionInput
 } from "./vercel";
+import {
+  TValidateWindmillConnectionCredentialsSchema,
+  TWindmillConnection,
+  TWindmillConnectionConfig,
+  TWindmillConnectionInput
+} from "./windmill";
 
 export type TAppConnection = { id: string } & (
   | TAwsConnection
@@ -89,6 +95,7 @@ export type TAppConnection = { id: string } & (
   | TPostgresConnection
   | TMsSqlConnection
   | TCamundaConnection
+  | TWindmillConnection
   | TAuth0Connection
 );
 
@@ -109,6 +116,7 @@ export type TAppConnectionInput = { id: string } & (
   | TPostgresConnectionInput
   | TMsSqlConnectionInput
   | TCamundaConnectionInput
+  | TWindmillConnectionInput
   | TAuth0ConnectionInput
 );
 
@@ -132,9 +140,10 @@ export type TAppConnectionConfig =
   | TDatabricksConnectionConfig
   | THumanitecConnectionConfig
   | TTerraformCloudConnectionConfig
+  | TVercelConnectionConfig
   | TSqlConnectionConfig
   | TCamundaConnectionConfig
-  | TVercelConnectionConfig
+  | TWindmillConnectionConfig
   | TAuth0ConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
@@ -148,8 +157,9 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidatePostgresConnectionCredentialsSchema
   | TValidateMsSqlConnectionCredentialsSchema
   | TValidateCamundaConnectionCredentialsSchema
-  | TValidateVercelConnectionCredentialsSchema
   | TValidateTerraformCloudConnectionCredentialsSchema
+  | TValidateVercelConnectionCredentialsSchema
+  | TValidateWindmillConnectionCredentialsSchema
   | TValidateAuth0ConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {

backend/src/services/app-connection/terraform-cloud/terraform-cloud-connection-fns.ts

@@ -44,7 +44,7 @@ export const validateTerraformCloudConnectionCredentials = async (config: TTerra
       });
     }
     throw new BadRequestError({
-      message: "Unable to validate connection - verify credentials"
+      message: "Unable to validate connection: verify credentials"
     });
   }
 

backend/src/services/app-connection/windmill/index.ts

@@ -0,0 +1,4 @@
+export * from "./windmill-connection-enums";
+export * from "./windmill-connection-fns";
+export * from "./windmill-connection-schemas";
+export * from "./windmill-connection-types";

backend/src/services/app-connection/windmill/windmill-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum WindmillConnectionMethod {
+  AccessToken = "access-token"
+}

backend/src/services/app-connection/windmill/windmill-connection-fns.ts

@@ -0,0 +1,65 @@
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { WindmillConnectionMethod } from "./windmill-connection-enums";
+import { TWindmillConnection, TWindmillConnectionConfig, TWindmillWorkspace } from "./windmill-connection-types";
+
+export const getWindmillInstanceUrl = async (config: TWindmillConnectionConfig) => {
+  const instanceUrl = config.credentials.instanceUrl
+    ? removeTrailingSlash(config.credentials.instanceUrl)
+    : "https://app.windmill.dev";
+
+  await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+  return instanceUrl;
+};
+
+export const getWindmillConnectionListItem = () => {
+  return {
+    name: "Windmill" as const,
+    app: AppConnection.Windmill as const,
+    methods: Object.values(WindmillConnectionMethod) as [WindmillConnectionMethod.AccessToken]
+  };
+};
+
+export const validateWindmillConnectionCredentials = async (config: TWindmillConnectionConfig) => {
+  const instanceUrl = await getWindmillInstanceUrl(config);
+  const { accessToken } = config.credentials;
+
+  try {
+    await request.get(`${instanceUrl}/api/workspaces/list`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  return config.credentials;
+};
+
+export const listWindmillWorkspaces = async (appConnection: TWindmillConnection) => {
+  const instanceUrl = await getWindmillInstanceUrl(appConnection);
+  const { accessToken } = appConnection.credentials;
+
+  const resp = await request.get<TWindmillWorkspace[]>(`${instanceUrl}/api/workspaces/list`, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+
+  return resp.data.filter((workspace) => !workspace.deleted);
+};

backend/src/services/app-connection/windmill/windmill-connection-schemas.ts

@@ -0,0 +1,70 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { WindmillConnectionMethod } from "./windmill-connection-enums";
+
+export const WindmillConnectionAccessTokenCredentialsSchema = z.object({
+  accessToken: z
+    .string()
+    .trim()
+    .min(1, "Access Token required")
+    .describe(AppConnections.CREDENTIALS.WINDMILL.accessToken),
+  instanceUrl: z
+    .string()
+    .trim()
+    .url("Invalid Instance URL")
+    .optional()
+    .describe(AppConnections.CREDENTIALS.WINDMILL.instanceUrl)
+});
+
+const BaseWindmillConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Windmill) });
+
+export const WindmillConnectionSchema = BaseWindmillConnectionSchema.extend({
+  method: z.literal(WindmillConnectionMethod.AccessToken),
+  credentials: WindmillConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedWindmillConnectionSchema = z.discriminatedUnion("method", [
+  BaseWindmillConnectionSchema.extend({
+    method: z.literal(WindmillConnectionMethod.AccessToken),
+    credentials: WindmillConnectionAccessTokenCredentialsSchema.pick({
+      instanceUrl: true
+    })
+  })
+]);
+
+export const ValidateWindmillConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(WindmillConnectionMethod.AccessToken)
+      .describe(AppConnections.CREATE(AppConnection.Windmill).method),
+    credentials: WindmillConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Windmill).credentials
+    )
+  })
+]);
+
+export const CreateWindmillConnectionSchema = ValidateWindmillConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Windmill)
+);
+
+export const UpdateWindmillConnectionSchema = z
+  .object({
+    credentials: WindmillConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Windmill).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Windmill));
+
+export const WindmillConnectionListItemSchema = z.object({
+  name: z.literal("Windmill"),
+  app: z.literal(AppConnection.Windmill),
+  methods: z.nativeEnum(WindmillConnectionMethod).array()
+});

backend/src/services/app-connection/windmill/windmill-connection-service.ts

@@ -0,0 +1,28 @@
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listWindmillWorkspaces } from "./windmill-connection-fns";
+import { TWindmillConnection } from "./windmill-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TWindmillConnection>;
+
+export const windmillConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listWorkspaces = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Windmill, connectionId, actor);
+
+    try {
+      const workspaces = await listWindmillWorkspaces(appConnection);
+      return workspaces;
+    } catch (error) {
+      return [];
+    }
+  };
+
+  return {
+    listWorkspaces
+  };
+};

backend/src/services/app-connection/windmill/windmill-connection-types.ts

@@ -0,0 +1,27 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateWindmillConnectionSchema,
+  ValidateWindmillConnectionCredentialsSchema,
+  WindmillConnectionSchema
+} from "./windmill-connection-schemas";
+
+export type TWindmillConnection = z.infer<typeof WindmillConnectionSchema>;
+
+export type TWindmillConnectionInput = z.infer<typeof CreateWindmillConnectionSchema> & {
+  app: AppConnection.Windmill;
+};
+
+export type TValidateWindmillConnectionCredentialsSchema = typeof ValidateWindmillConnectionCredentialsSchema;
+
+export type TWindmillConnectionConfig = DiscriminativePick<
+  TWindmillConnectionInput,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
+
+export type TWindmillWorkspace = { id: string; name: string; deleted: boolean };

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -9,7 +9,8 @@ export enum SecretSync {
   Humanitec = "humanitec",
   TerraformCloud = "terraform-cloud",
   Camunda = "camunda",
-  Vercel = "vercel"
+  Vercel = "vercel",
+  Windmill = "windmill"
 }
 
 export enum SecretSyncInitialSyncBehavior {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -29,6 +29,7 @@ import { HUMANITEC_SYNC_LIST_OPTION } from "./humanitec";
 import { HumanitecSyncFns } from "./humanitec/humanitec-sync-fns";
 import { TERRAFORM_CLOUD_SYNC_LIST_OPTION, TerraformCloudSyncFns } from "./terraform-cloud";
 import { VERCEL_SYNC_LIST_OPTION, VercelSyncFns } from "./vercel";
+import { WINDMILL_SYNC_LIST_OPTION, WindmillSyncFns } from "./windmill";
 
 const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.AWSParameterStore]: AWS_PARAMETER_STORE_SYNC_LIST_OPTION,
@@ -41,7 +42,8 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.Humanitec]: HUMANITEC_SYNC_LIST_OPTION,
   [SecretSync.TerraformCloud]: TERRAFORM_CLOUD_SYNC_LIST_OPTION,
   [SecretSync.Camunda]: CAMUNDA_SYNC_LIST_OPTION,
-  [SecretSync.Vercel]: VERCEL_SYNC_LIST_OPTION
+  [SecretSync.Vercel]: VERCEL_SYNC_LIST_OPTION,
+  [SecretSync.Windmill]: WINDMILL_SYNC_LIST_OPTION
 };
 
 export const listSecretSyncOptions = () => {
@@ -136,6 +138,8 @@ export const SecretSyncFns = {
         }).syncSecrets(secretSync, secretMap);
       case SecretSync.Vercel:
         return VercelSyncFns.syncSecrets(secretSync, secretMap);
+      case SecretSync.Windmill:
+        return WindmillSyncFns.syncSecrets(secretSync, secretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -192,6 +196,9 @@ export const SecretSyncFns = {
       case SecretSync.Vercel:
         secretMap = await VercelSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.Windmill:
+        secretMap = await WindmillSyncFns.getSecrets(secretSync);
+        break;
       default:
         throw new Error(
           `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -243,6 +250,8 @@ export const SecretSyncFns = {
         }).removeSecrets(secretSync, secretMap);
       case SecretSync.Vercel:
         return VercelSyncFns.removeSecrets(secretSync, secretMap);
+      case SecretSync.Windmill:
+        return WindmillSyncFns.removeSecrets(secretSync, secretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -12,7 +12,8 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.Humanitec]: "Humanitec",
   [SecretSync.TerraformCloud]: "Terraform Cloud",
   [SecretSync.Camunda]: "Camunda",
-  [SecretSync.Vercel]: "Vercel"
+  [SecretSync.Vercel]: "Vercel",
+  [SecretSync.Windmill]: "Windmill"
 };
 
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@@ -26,5 +27,6 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.Humanitec]: AppConnection.Humanitec,
   [SecretSync.TerraformCloud]: AppConnection.TerraformCloud,
   [SecretSync.Camunda]: AppConnection.Camunda,
-  [SecretSync.Vercel]: AppConnection.Vercel
+  [SecretSync.Vercel]: AppConnection.Vercel,
+  [SecretSync.Windmill]: AppConnection.Windmill
 };

backend/src/services/secret-sync/secret-sync-queue.ts

@@ -76,6 +76,7 @@ type TSecretSyncQueueFactoryDep = {
     | "findBySecretKeys"
     | "bulkUpdate"
     | "deleteMany"
+    | "invalidateSecretCacheByProjectId"
   >;
   secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
   secretSyncDAL: Pick<TSecretSyncDALFactory, "findById" | "find" | "updateById" | "deleteById">;
@@ -382,6 +383,9 @@ export const secretSyncQueueFactory = ({
       });
     }
 
+    if (secretsToUpdate.length || secretsToCreate.length)
+      await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
+
     return importedSecretMap;
   };
 

backend/src/services/secret-sync/secret-sync-types.ts

@@ -29,6 +29,12 @@ import {
 } from "@app/services/secret-sync/github";
 import { TSecretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
 import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  TWindmillSync,
+  TWindmillSyncInput,
+  TWindmillSyncListItem,
+  TWindmillSyncWithCredentials
+} from "@app/services/secret-sync/windmill";
 
 import {
   TAwsParameterStoreSync,
@@ -74,7 +80,8 @@ export type TSecretSync =
   | THumanitecSync
   | TTerraformCloudSync
   | TCamundaSync
-  | TVercelSync;
+  | TVercelSync
+  | TWindmillSync;
 
 export type TSecretSyncWithCredentials =
   | TAwsParameterStoreSyncWithCredentials
@@ -87,7 +94,8 @@ export type TSecretSyncWithCredentials =
   | THumanitecSyncWithCredentials
   | TTerraformCloudSyncWithCredentials
   | TCamundaSyncWithCredentials
-  | TVercelSyncWithCredentials;
+  | TVercelSyncWithCredentials
+  | TWindmillSyncWithCredentials;
 
 export type TSecretSyncInput =
   | TAwsParameterStoreSyncInput
@@ -100,7 +108,8 @@ export type TSecretSyncInput =
   | THumanitecSyncInput
   | TTerraformCloudSyncInput
   | TCamundaSyncInput
-  | TVercelSyncInput;
+  | TVercelSyncInput
+  | TWindmillSyncInput;
 
 export type TSecretSyncListItem =
   | TAwsParameterStoreSyncListItem
@@ -113,7 +122,8 @@ export type TSecretSyncListItem =
   | THumanitecSyncListItem
   | TTerraformCloudSyncListItem
   | TCamundaSyncListItem
-  | TVercelSyncListItem;
+  | TVercelSyncListItem
+  | TWindmillSyncListItem;
 
 export type TSyncOptionsConfig = {
   canImportSecrets: boolean;

backend/src/services/secret-sync/windmill/index.ts

@@ -0,0 +1,4 @@
+export * from "./windmill-sync-constants";
+export * from "./windmill-sync-fns";
+export * from "./windmill-sync-schemas";
+export * from "./windmill-sync-types";

backend/src/services/secret-sync/windmill/windmill-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const WINDMILL_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Windmill",
+  destination: SecretSync.Windmill,
+  connection: AppConnection.Windmill,
+  canImportSecrets: true
+};

backend/src/services/secret-sync/windmill/windmill-sync-fns.ts

@@ -0,0 +1,241 @@
+import { request } from "@app/lib/config/request";
+import { getWindmillInstanceUrl } from "@app/services/app-connection/windmill";
+import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import {
+  TDeleteWindmillVariable,
+  TPostWindmillVariable,
+  TWindmillListVariables,
+  TWindmillListVariablesResponse,
+  TWindmillSyncWithCredentials,
+  TWindmillVariable
+} from "@app/services/secret-sync/windmill/windmill-sync-types";
+
+import { TSecretMap } from "../secret-sync-types";
+
+const PAGE_LIMIT = 100;
+
+const listWindmillVariables = async ({ instanceUrl, workspace, accessToken, path }: TWindmillListVariables) => {
+  const variables: Record<string, TWindmillVariable> = {};
+
+  // windmill paginates but doesn't return if there's more pages so we need to check if page size full
+  let page: number | null = 1;
+
+  while (page) {
+    // eslint-disable-next-line no-await-in-loop
+    const { data: variablesPage } = await request.get<TWindmillListVariablesResponse>(
+      `${instanceUrl}/api/w/${workspace}/variables/list`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        },
+        params: {
+          page,
+          limit: PAGE_LIMIT,
+          path_start: path
+        }
+      }
+    );
+
+    for (const variable of variablesPage) {
+      const variableName = variable.path.replace(path, "");
+
+      if (variable.is_secret) {
+        // eslint-disable-next-line no-await-in-loop
+        const { data: variableValue } = await request.get<string>(
+          `${instanceUrl}/api/w/${workspace}/variables/get_value/${variable.path}`,
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`
+            }
+          }
+        );
+
+        variables[variableName] = {
+          ...variable,
+          value: variableValue
+        };
+      } else {
+        variables[variableName] = variable;
+      }
+    }
+
+    if (variablesPage.length >= PAGE_LIMIT) {
+      page += 1;
+    } else {
+      page = null;
+    }
+  }
+
+  return variables;
+};
+
+const createWindmillVariable = async ({
+  path,
+  value,
+  instanceUrl,
+  accessToken,
+  workspace,
+  description
+}: TPostWindmillVariable) =>
+  request.post(
+    `${instanceUrl}/api/w/${workspace}/variables/create`,
+    {
+      path,
+      value,
+      is_secret: true,
+      description
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      }
+    }
+  );
+
+const updateWindmillVariable = async ({
+  path,
+  value,
+  instanceUrl,
+  accessToken,
+  workspace,
+  description
+}: TPostWindmillVariable) =>
+  request.post(
+    `${instanceUrl}/api/w/${workspace}/variables/update/${path}`,
+    {
+      value,
+      is_secret: true,
+      description
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      }
+    }
+  );
+
+const deleteWindmillVariable = async ({ path, instanceUrl, accessToken, workspace }: TDeleteWindmillVariable) =>
+  request.delete(`${instanceUrl}/api/w/${workspace}/variables/delete/${path}`, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+
+export const WindmillSyncFns = {
+  syncSecrets: async (secretSync: TWindmillSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection,
+      destinationConfig: { path },
+      syncOptions: { disableSecretDeletion }
+    } = secretSync;
+
+    // url needs to be lowercase
+    const workspace = secretSync.destinationConfig.workspace.toLowerCase();
+
+    const instanceUrl = await getWindmillInstanceUrl(connection);
+
+    const { accessToken } = connection.credentials;
+
+    const variables = await listWindmillVariables({ instanceUrl, accessToken, workspace, path });
+
+    for await (const entry of Object.entries(secretMap)) {
+      const [key, { value, comment = "" }] = entry;
+
+      try {
+        const payload = {
+          instanceUrl,
+          workspace,
+          path: path + key,
+          value,
+          accessToken,
+          description: comment
+        };
+        if (key in variables) {
+          if (variables[key].value !== value || variables[key].description !== comment)
+            await updateWindmillVariable(payload);
+        } else {
+          await createWindmillVariable(payload);
+        }
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+
+    if (disableSecretDeletion) return;
+
+    for await (const [key, variable] of Object.entries(variables)) {
+      if (!(key in secretMap)) {
+        try {
+          await deleteWindmillVariable({
+            instanceUrl,
+            workspace,
+            path: variable.path,
+            accessToken
+          });
+        } catch (error) {
+          throw new SecretSyncError({
+            error,
+            secretKey: key
+          });
+        }
+      }
+    }
+  },
+  removeSecrets: async (secretSync: TWindmillSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection,
+      destinationConfig: { path }
+    } = secretSync;
+
+    // url needs to be lowercase
+    const workspace = secretSync.destinationConfig.workspace.toLowerCase();
+
+    const instanceUrl = await getWindmillInstanceUrl(connection);
+
+    const { accessToken } = connection.credentials;
+
+    const variables = await listWindmillVariables({ instanceUrl, accessToken, workspace, path });
+
+    for await (const [key, variable] of Object.entries(variables)) {
+      if (key in secretMap) {
+        try {
+          await deleteWindmillVariable({
+            path: variable.path,
+            instanceUrl,
+            workspace,
+            accessToken
+          });
+        } catch (error) {
+          throw new SecretSyncError({
+            error,
+            secretKey: key
+          });
+        }
+      }
+    }
+  },
+  getSecrets: async (secretSync: TWindmillSyncWithCredentials) => {
+    const {
+      connection,
+      destinationConfig: { path }
+    } = secretSync;
+
+    // url needs to be lowercase
+    const workspace = secretSync.destinationConfig.workspace.toLowerCase();
+
+    const instanceUrl = await getWindmillInstanceUrl(connection);
+
+    const { accessToken } = connection.credentials;
+
+    const variables = await listWindmillVariables({ instanceUrl, accessToken, workspace, path });
+
+    return Object.fromEntries(
+      Object.entries(variables).map(([key, variable]) => [key, { value: variable.value ?? "" }])
+    );
+  }
+};

backend/src/services/secret-sync/windmill/windmill-sync-schemas.ts

@@ -0,0 +1,66 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const pathCharacterValidator = characterValidator([
+  CharacterType.AlphaNumeric,
+  CharacterType.Underscore,
+  CharacterType.Hyphen
+]);
+
+const WindmillSyncDestinationConfigSchema = z.object({
+  workspace: z.string().trim().min(1, "Workspace required").describe(SecretSyncs.DESTINATION_CONFIG.WINDMILL.workspace),
+  path: z
+    .string()
+    .trim()
+    .min(1, "Path required")
+    .refine(
+      (val) =>
+        (val.startsWith("u/") || val.startsWith("f/")) &&
+        val.endsWith("/") &&
+        val.split("/").length >= 3 &&
+        val
+          .split("/")
+          .slice(0, -1) // Remove last empty segment from trailing slash
+          .every((segment) => segment && pathCharacterValidator(segment)),
+      'Invalid path - must follow Windmill path format. ex: "f/folder/path/"'
+    )
+    .describe(SecretSyncs.DESTINATION_CONFIG.WINDMILL.path)
+});
+
+const WindmillSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+export const WindmillSyncSchema = BaseSecretSyncSchema(SecretSync.Windmill, WindmillSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Windmill),
+  destinationConfig: WindmillSyncDestinationConfigSchema
+});
+
+export const CreateWindmillSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Windmill,
+  WindmillSyncOptionsConfig
+).extend({
+  destinationConfig: WindmillSyncDestinationConfigSchema
+});
+
+export const UpdateWindmillSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Windmill,
+  WindmillSyncOptionsConfig
+).extend({
+  destinationConfig: WindmillSyncDestinationConfigSchema.optional()
+});
+
+export const WindmillSyncListItemSchema = z.object({
+  name: z.literal("Windmill"),
+  connection: z.literal(AppConnection.Windmill),
+  destination: z.literal(SecretSync.Windmill),
+  canImportSecrets: z.literal(true)
+});

backend/src/services/secret-sync/windmill/windmill-sync-types.ts

@@ -0,0 +1,39 @@
+import { z } from "zod";
+
+import { TWindmillConnection } from "@app/services/app-connection/windmill";
+
+import { CreateWindmillSyncSchema, WindmillSyncListItemSchema, WindmillSyncSchema } from "./windmill-sync-schemas";
+
+export type TWindmillSync = z.infer<typeof WindmillSyncSchema>;
+
+export type TWindmillSyncInput = z.infer<typeof CreateWindmillSyncSchema>;
+
+export type TWindmillSyncListItem = z.infer<typeof WindmillSyncListItemSchema>;
+
+export type TWindmillSyncWithCredentials = TWindmillSync & {
+  connection: TWindmillConnection;
+};
+
+export type TWindmillVariable = {
+  path: string;
+  value: string;
+  is_secret: boolean;
+  is_oauth: boolean;
+  description: string;
+};
+
+export type TWindmillListVariablesResponse = TWindmillVariable[];
+
+export type TWindmillListVariables = {
+  accessToken: string;
+  instanceUrl: string;
+  path: string;
+  workspace: string;
+  description?: string;
+};
+
+export type TPostWindmillVariable = TWindmillListVariables & {
+  value: string;
+};
+
+export type TDeleteWindmillVariable = TWindmillListVariables;

docs/api-reference/endpoints/app-connections/windmill/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/windmill/available"
+---

docs/api-reference/endpoints/app-connections/windmill/create.mdx

@@ -0,0 +1,9 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/windmill"
+---
+
+<Note>
+    Check out the configuration docs for [Windmill Connections](/integrations/app-connections/windmill) to learn how to obtain
+    the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/windmill/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/windmill/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/windmill/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/windmill/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/windmill/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/windmill/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/windmill/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/windmill"
+---

docs/api-reference/endpoints/app-connections/windmill/update.mdx

@@ -0,0 +1,9 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/windmill/{connectionId}"
+---
+
+<Note>
+    Check out the configuration docs for [Windmill Connections](/integrations/app-connections/windmill) to learn how to obtain
+    the required credentials.
+</Note>

docs/api-reference/endpoints/secret-syncs/windmill/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/windmill"
+---

docs/api-reference/endpoints/secret-syncs/windmill/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/windmill/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/windmill/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/windmill/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/windmill/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/windmill/sync-name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/windmill/import-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Import Secrets"
+openapi: "POST /api/v1/secret-syncs/windmill/{syncId}/import-secrets"
+---

docs/api-reference/endpoints/secret-syncs/windmill/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/windmill"
+---

docs/api-reference/endpoints/secret-syncs/windmill/remove-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/windmill/{syncId}/remove-secrets"
+---

docs/api-reference/endpoints/secret-syncs/windmill/sync-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/windmill/{syncId}/sync-secrets"
+---

docs/api-reference/endpoints/secret-syncs/windmill/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/windmill/{syncId}"
+---

docs/integrations/app-connections/windmill.mdx

@@ -0,0 +1,112 @@
+---
+title: "Windmill Connection"
+description: "Learn how to configure a Windmill Connection for Infisical."
+---
+
+Infisical supports connecting to Windmill using an **Access Token** to securely sync your secrets to Windmill.
+
+## Get a Windmill Access Token
+
+Ensure the user generating the access token has the required role and permissions based on your use-case:
+<Tabs>
+    <Tab title="Secret Sync">
+        <Note>
+            The user generating the access token should be at least a `Developer` in the configured workspace and have `write` permissions for the workspace path secrets will be synced to.
+        </Note>
+    </Tab>
+</Tabs>
+
+
+<Steps>
+    <Step title="Navigate to Account Settings">
+        In Windmill, click on your user in the sidebar and select **Account Settings**.
+        ![Windmill Account Settings](/images/app-connections/windmill/windmill-account-settings.png)
+    </Step>
+    <Step title="Access Token Section">
+        In the **Tokens** section on the drawer, click **Create token**.
+        ![Windmill Create Token](/images/app-connections/windmill/windmill-create-token.png)
+    </Step>
+    <Step title="Create Access Token">
+        Give your token a name and click **New token**.
+        <Note>
+            If you configure an expiry date for your access token, you must manually rotate to a new token before the expiration date to prevent service interruption.
+        </Note>
+        ![Windmill New Token](/images/app-connections/windmill/windmill-new-token.png)
+    </Step>
+    <Step title="Copy Access Token">
+        Copy your new access token and save it for the steps below.
+        ![Windmill Copy Token](/images/app-connections/windmill/windmill-copy-token.png)
+    </Step>
+</Steps>
+
+
+## Setup Windmill Connection in Infisical
+
+
+<Tabs>
+    <Tab title="Infisical UI">
+        <Steps>
+            <Step title="Navigate to App Connections">
+                In your Infisical dashboard, go to **Organization Settings** and select the **App Connections** tab.
+                ![App Connections Tab](/images/app-connections/general/add-connection.png)
+            </Step>
+            <Step title="Add Connection">
+                Click the **+ Add Connection** button and select the **Windmill Connection** option.
+                ![Select Windmill Connection](/images/app-connections/windmill/select-windmill-connection.png)
+            </Step>
+            <Step title="Configure Connection">
+                Configure your Windmill Connection using the access token generated in the steps above. Then click **Connect to Windmill**.
+                ![Windmill Configure Connection](/images/app-connections/windmill/create-windmill-access-token.png)
+
+                - **Name**: The name of the connection to be created. Must be slug-friendly.
+                - **Description**: An optional description to provide details about this connection.
+                - **Instance URL**: The URL of your Windmill instance. If you are not self-hosting Windmill you can leave this field blank.
+                - **Access Token**: The access token generated in the steps above.
+            </Step>
+            <Step title="Connection Created">
+                Your Windmill Connection is now available for use.
+                ![Windmill Connection Created](/images/app-connections/windmill/windmill-access-token-created.png)
+            </Step>
+        </Steps>
+    </Tab>
+    <Tab title="API">
+        To create a Windmill Connection, make an API request to the [Create Windmill
+        Connection](/api-reference/endpoints/app-connections/windmill/create) API endpoint.
+
+        ### Sample request
+
+        ```bash Request
+        curl    --request POST \
+                --url https://app.infisical.com/api/v1/app-connections/windmill \
+                --header 'Content-Type: application/json' \
+                --data '{
+                    "name": "my-windmill-connection",
+                    "method": "access-token",
+                    "credentials": {
+                        "token": "...",
+                        "instanceUrl": "https://app.windmill.dev"
+                    }
+                }'
+        ```
+
+        ### Sample response
+
+        ```bash Response
+        {
+            "appConnection": {
+                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "name": "my-windmill-connection",
+                "version": 123,
+                "orgId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "createdAt": "2025-04-01T05:31:56Z",
+                "updatedAt": "2025-04-01T05:31:56Z",
+                "app": "windmill",
+                "method": "access-token",
+                "credentials": {
+                    "instanceUrl": "https://app.windmill.dev"
+                }
+            }
+        }
+        ```
+    </Tab>
+</Tabs>

docs/integrations/secret-syncs/windmill.mdx

@@ -0,0 +1,147 @@
+---
+title: "Windmill Sync"
+description: "Learn how to configure a Windmill Sync for Infisical."
+---
+
+**Prerequisites:**
+
+        - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
+        - Create a [Windmill Connection](/integrations/app-connections/windmill) with the required **Secret Sync** permissions
+
+<Tabs>
+    <Tab title="Infisical UI">
+        1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
+        ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
+
+        2. Select the **Windmill** option.
+        ![Select Windmill](/images/secret-syncs/windmill/select-windmill-option.png)
+
+        3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
+        ![Configure Source](/images/secret-syncs/windmill/windmill-sync-source.png)
+
+            - **Environment**: The project environment to retrieve secrets from.
+            - **Secret Path**: The folder path to retrieve secrets from.
+
+        <Tip>
+            If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
+        </Tip>
+
+        4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
+        ![Configure Destination](/images/secret-syncs/windmill/windmill-sync-destination.png)
+
+            - **Windmill Connection**: The Windmill Connection to authenticate with.
+            - **Workspace**: The Windmill workspace to sync secrets to.
+            - **Path**: The workspace path to sync secrets to.
+
+            <Note>
+                Workspace path must conform to Windmill's [owner path convention](https://www.windmill.dev/docs/core_concepts/roles_and_permissions#path).
+            </Note>
+
+        5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
+        ![Configure Options](/images/secret-syncs/windmill/windmill-sync-options.png)
+
+            - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
+                - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
+                - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Windmill when keys conflict.
+                - **Import Secrets (Prioritize Windmill)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Windmill over Infisical when keys conflict.
+            - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
+            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
+
+        6. Configure the **Details** of your Windmill Sync, then click **Next**.
+        ![Configure Details](/images/secret-syncs/windmill/windmill-sync-details.png)
+
+            - **Name**: The name of your sync. Must be slug-friendly.
+            - **Description**: An optional description for your sync.
+
+        7. Review your Windmill Sync configuration, then click **Create Sync**.
+        ![Confirm Configuration](/images/secret-syncs/windmill/windmill-sync-review.png)
+
+        8. If enabled, your Windmill Sync will begin syncing your secrets to the destination endpoint.
+        ![Sync Secrets](/images/secret-syncs/windmill/windmill-sync-created.png)
+
+    </Tab>
+    <Tab title="API">
+        To create an **Windmill Sync**, make an API request to the [Create Windmill Sync](/api-reference/endpoints/secret-syncs/windmill/create) API endpoint.
+
+        ### Sample request
+
+        ```bash Request
+        curl    --request POST \
+        --url https://app.infisical.com/api/v1/secret-syncs/windmill \
+        --header 'Content-Type: application/json' \
+        --data '{
+            "name": "my-windmill-sync",
+            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "description": "an example sync",
+            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "environment": "dev",
+            "secretPath": "/my-secrets",
+            "isEnabled": true,
+            "syncOptions": {
+                "initialSyncBehavior": "overwrite-destination"
+            },
+            "destinationConfig": {
+                "workspace": "my-workspace",
+                "path": "f/folder/path/"
+            }
+        }'
+        ```
+
+        <Note>
+            Workspace path must conform to Windmill's [owner path convention](https://www.windmill.dev/docs/core_concepts/roles_and_permissions#path).
+        </Note>
+
+        ### Sample response
+
+        ```bash Response
+        {
+            "secretSync": {
+                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "name": "my-windmill-sync",
+                "description": "an example sync",
+                "isEnabled": true,
+                "version": 1,
+                "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "createdAt": "2023-11-07T05:31:56Z",
+                "updatedAt": "2023-11-07T05:31:56Z",
+                "syncStatus": "succeeded",
+                "lastSyncJobId": "123",
+                "lastSyncMessage": null,
+                "lastSyncedAt": "2023-11-07T05:31:56Z",
+                "importStatus": null,
+                "lastImportJobId": null,
+                "lastImportMessage": null,
+                "lastImportedAt": null,
+                "removeStatus": null,
+                "lastRemoveJobId": null,
+                "lastRemoveMessage": null,
+                "lastRemovedAt": null,
+                "syncOptions": {
+                    "initialSyncBehavior": "overwrite-destination"
+                },
+                "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connection": {
+                    "app": "windmill",
+                    "name": "my-windmill-connection",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "environment": {
+                    "slug": "dev",
+                    "name": "Development",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "folder": {
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "path": "/my-secrets"
+                },
+                "destination": "windmill",
+                "destinationConfig": {
+                    "workspace": "my-workspace",
+                    "path": "f/folder/path/"
+                }
+            }
+        }
+        ```
+    </Tab>
+</Tabs>

docs/mint.json

@@ -427,7 +427,8 @@
             "integrations/app-connections/mssql",
             "integrations/app-connections/postgres",
             "integrations/app-connections/terraform-cloud",
-            "integrations/app-connections/vercel"
+            "integrations/app-connections/vercel",
+            "integrations/app-connections/windmill"
           ]
         }
       ]
@@ -449,7 +450,8 @@
             "integrations/secret-syncs/github",
             "integrations/secret-syncs/humanitec",
             "integrations/secret-syncs/terraform-cloud",
-            "integrations/secret-syncs/vercel"
+            "integrations/secret-syncs/vercel",
+            "integrations/secret-syncs/windmill"
           ]
         }
       ]
@@ -1058,6 +1060,18 @@
                 "api-reference/endpoints/app-connections/vercel/update",
                 "api-reference/endpoints/app-connections/vercel/delete"
               ]
+            },
+            {
+              "group": "Windmill",
+              "pages": [
+                "api-reference/endpoints/app-connections/windmill/list",
+                "api-reference/endpoints/app-connections/windmill/available",
+                "api-reference/endpoints/app-connections/windmill/get-by-id",
+                "api-reference/endpoints/app-connections/windmill/get-by-name",
+                "api-reference/endpoints/app-connections/windmill/create",
+                "api-reference/endpoints/app-connections/windmill/update",
+                "api-reference/endpoints/app-connections/windmill/delete"
+              ]
             }
           ]
         },
@@ -1211,8 +1225,22 @@
                 "api-reference/endpoints/secret-syncs/vercel/update",
                 "api-reference/endpoints/secret-syncs/vercel/delete",
                 "api-reference/endpoints/secret-syncs/vercel/sync-secrets",
-                "api-reference/endpoints/secret-syncs/vercel/remove-secrets",
-                "api-reference/endpoints/secret-syncs/vercel/import-secrets"
+                "api-reference/endpoints/secret-syncs/vercel/import-secrets",
+                "api-reference/endpoints/secret-syncs/vercel/remove-secrets"
+              ]
+            },
+            {
+              "group": "Windmill",
+              "pages": [
+                "api-reference/endpoints/secret-syncs/windmill/list",
+                "api-reference/endpoints/secret-syncs/windmill/get-by-id",
+                "api-reference/endpoints/secret-syncs/windmill/get-by-name",
+                "api-reference/endpoints/secret-syncs/windmill/create",
+                "api-reference/endpoints/secret-syncs/windmill/update",
+                "api-reference/endpoints/secret-syncs/windmill/delete",
+                "api-reference/endpoints/secret-syncs/windmill/sync-secrets",
+                "api-reference/endpoints/secret-syncs/windmill/import-secrets",
+                "api-reference/endpoints/secret-syncs/windmill/remove-secrets"
               ]
             }
           ]

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/SecretSyncDestinationFields.tsx

@@ -14,6 +14,7 @@ import { GitHubSyncFields } from "./GitHubSyncFields";
 import { HumanitecSyncFields } from "./HumanitecSyncFields";
 import { TerraformCloudSyncFields } from "./TerraformCloudSyncFields";
 import { VercelSyncFields } from "./VercelSyncFields";
+import { WindmillSyncFields } from "./WindmillSyncFields";
 
 export const SecretSyncDestinationFields = () => {
   const { watch } = useFormContext<TSecretSyncForm>();
@@ -43,6 +44,8 @@ export const SecretSyncDestinationFields = () => {
       return <CamundaSyncFields />;
     case SecretSync.Vercel:
       return <VercelSyncFields />;
+    case SecretSync.Windmill:
+      return <WindmillSyncFields />;
     default:
       throw new Error(`Unhandled Destination Config Field: ${destination}`);
   }

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/WindmillSyncFields.tsx

@@ -0,0 +1,105 @@
+import { Controller, useFormContext, useWatch } from "react-hook-form";
+import { SingleValue } from "react-select";
+import { faCircleInfo } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { SecretSyncConnectionField } from "@app/components/secret-syncs/forms/SecretSyncConnectionField";
+import { FilterableSelect, FormControl, Input, Tooltip } from "@app/components/v2";
+import {
+  TWindmillWorkspace,
+  useWindmillConnectionListWorkspaces
+} from "@app/hooks/api/appConnections/windmill";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+import { TSecretSyncForm } from "../schemas";
+
+export const WindmillSyncFields = () => {
+  const { control, setValue } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.Windmill }
+  >();
+
+  const connectionId = useWatch({ name: "connection.id", control });
+
+  const { data: workspaces, isLoading: isWorkspacesLoading } = useWindmillConnectionListWorkspaces(
+    connectionId,
+    {
+      enabled: Boolean(connectionId)
+    }
+  );
+
+  return (
+    <>
+      <SecretSyncConnectionField
+        onChange={() => {
+          setValue("destinationConfig.workspace", "");
+        }}
+      />
+
+      <Controller
+        name="destinationConfig.workspace"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            isError={Boolean(error)}
+            errorText={error?.message}
+            label="Workspace"
+            helperText={
+              <Tooltip
+                className="max-w-md"
+                content="Ensure the workspace exists in the connection's Windmill instance URL."
+              >
+                <div>
+                  <span>Don&#39;t see the workspace you&#39;re looking for?</span>{" "}
+                  <FontAwesomeIcon icon={faCircleInfo} className="text-mineshaft-400" />
+                </div>
+              </Tooltip>
+            }
+          >
+            <FilterableSelect
+              menuPlacement="top"
+              isLoading={isWorkspacesLoading && Boolean(connectionId)}
+              isDisabled={!connectionId}
+              value={workspaces?.find((workspace) => workspace.name === value) ?? null}
+              onChange={(option) =>
+                onChange((option as SingleValue<TWindmillWorkspace>)?.name ?? null)
+              }
+              options={workspaces}
+              placeholder="Select a workspace..."
+              getOptionLabel={(option) => option.name}
+              getOptionValue={(option) => option.name}
+            />
+          </FormControl>
+        )}
+      />
+      <Controller
+        name="destinationConfig.path"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            tooltipClassName="max-w-sm"
+            tooltipText={
+              <>
+                The workspace path where secrets should be synced to. Path must follow Windmill{" "}
+                <a
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  href="https://www.windmill.dev/docs/core_concepts/roles_and_permissions#path"
+                >
+                  <span className="cursor-pointer underline decoration-primary underline-offset-2 hover:text-mineshaft-200">
+                    owner path convention
+                  </span>
+                  .
+                </a>
+              </>
+            }
+            isError={Boolean(error)}
+            errorText={error?.message}
+            label="Path"
+          >
+            <Input value={value} onChange={onChange} placeholder="f/folder-name/" />
+          </FormControl>
+        )}
+      />
+    </>
+  );
+};

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx

@@ -42,6 +42,7 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
     case SecretSync.TerraformCloud:
     case SecretSync.Camunda:
     case SecretSync.Vercel:
+    case SecretSync.Windmill:
       AdditionalSyncOptionsFieldsComponent = null;
       break;
     default:

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx

@@ -24,6 +24,7 @@ import { GitHubSyncReviewFields } from "./GitHubSyncReviewFields";
 import { HumanitecSyncReviewFields } from "./HumanitecSyncReviewFields";
 import { TerraformCloudSyncReviewFields } from "./TerraformCloudSyncReviewFields";
 import { VercelSyncReviewFields } from "./VercelSyncReviewFields";
+import { WindmillSyncReviewFields } from "./WindmillSyncReviewFields";
 
 export const SecretSyncReviewFields = () => {
   const { watch } = useFormContext<TSecretSyncForm>();
@@ -84,6 +85,9 @@ export const SecretSyncReviewFields = () => {
     case SecretSync.Vercel:
       DestinationFieldsComponent = <VercelSyncReviewFields />;
       break;
+    case SecretSync.Windmill:
+      DestinationFieldsComponent = <WindmillSyncReviewFields />;
+      break;
     default:
       throw new Error(`Unhandled Destination Review Fields: ${destination}`);
   }

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/WindmillSyncReviewFields.tsx

@@ -0,0 +1,18 @@
+import { useFormContext } from "react-hook-form";
+
+import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
+import { GenericFieldLabel } from "@app/components/v2";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+export const WindmillSyncReviewFields = () => {
+  const { watch } = useFormContext<TSecretSyncForm & { destination: SecretSync.Windmill }>();
+  const workspace = watch("destinationConfig.workspace");
+  const path = watch("destinationConfig.path");
+
+  return (
+    <>
+      <GenericFieldLabel label="Workspace">{workspace}</GenericFieldLabel>
+      <GenericFieldLabel label="Path">{path}</GenericFieldLabel>
+    </>
+  );
+};

frontend/src/components/secret-syncs/forms/schemas/secret-sync-schema.ts

@@ -1,17 +1,17 @@
 import { z } from "zod";
 
-import { AwsSecretsManagerSyncDestinationSchema } from "@app/components/secret-syncs/forms/schemas/aws-secrets-manager-sync-destination-schema";
-import { DatabricksSyncDestinationSchema } from "@app/components/secret-syncs/forms/schemas/databricks-sync-destination-schema";
-import { GitHubSyncDestinationSchema } from "@app/components/secret-syncs/forms/schemas/github-sync-destination-schema";
-
 import { AwsParameterStoreSyncDestinationSchema } from "./aws-parameter-store-sync-destination-schema";
+import { AwsSecretsManagerSyncDestinationSchema } from "./aws-secrets-manager-sync-destination-schema";
 import { AzureAppConfigurationSyncDestinationSchema } from "./azure-app-configuration-sync-destination-schema";
 import { AzureKeyVaultSyncDestinationSchema } from "./azure-key-vault-sync-destination-schema";
 import { CamundaSyncDestinationSchema } from "./camunda-sync-destination-schema";
+import { DatabricksSyncDestinationSchema } from "./databricks-sync-destination-schema";
 import { GcpSyncDestinationSchema } from "./gcp-sync-destination-schema";
+import { GitHubSyncDestinationSchema } from "./github-sync-destination-schema";
 import { HumanitecSyncDestinationSchema } from "./humanitec-sync-destination-schema";
 import { TerraformCloudSyncDestinationSchema } from "./terraform-cloud-destination-schema";
 import { VercelSyncDestinationSchema } from "./vercel-sync-destination-schema";
+import { WindmillSyncDestinationSchema } from "./windmill-sync-destination-schema";
 
 const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncDestinationSchema,
@@ -24,7 +24,8 @@ const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   HumanitecSyncDestinationSchema,
   TerraformCloudSyncDestinationSchema,
   CamundaSyncDestinationSchema,
-  VercelSyncDestinationSchema
+  VercelSyncDestinationSchema,
+  WindmillSyncDestinationSchema
 ]);
 
 export const SecretSyncFormSchema = SecretSyncUnionSchema;

frontend/src/components/secret-syncs/forms/schemas/windmill-sync-destination-schema.ts

@@ -0,0 +1,21 @@
+import { z } from "zod";
+
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+export const WindmillSyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.Windmill),
+    destinationConfig: z.object({
+      workspace: z.string().trim().min(1, "Workspace required"),
+      path: z
+        .string()
+        .trim()
+        .min(1, "Path required")
+        .regex(
+          /^([uf])\/([a-zA-Z0-9_-]+)(\/[a-zA-Z0-9_-]+)*\/$/,
+          'Invalid path - must follow Windmill path format. ex: "f/folder/path/"'
+        )
+    })
+  })
+);

frontend/src/helpers/appConnections.ts

@@ -16,7 +16,8 @@ import {
   PostgresConnectionMethod,
   TAppConnection,
   TerraformCloudConnectionMethod,
-  VercelConnectionMethod
+  VercelConnectionMethod,
+  WindmillConnectionMethod
 } from "@app/hooks/api/appConnections/types";
 
 export const APP_CONNECTION_MAP: Record<
@@ -41,6 +42,7 @@ export const APP_CONNECTION_MAP: Record<
   [AppConnection.Postgres]: { name: "PostgreSQL", image: "Postgres.png" },
   [AppConnection.MsSql]: { name: "Microsoft SQL Server", image: "MsSql.png" },
   [AppConnection.Camunda]: { name: "Camunda", image: "Camunda.png" },
+  [AppConnection.Windmill]: { name: "Windmill", image: "Windmill.png" },
   [AppConnection.Auth0]: { name: "Auth0", image: "Auth0.png", size: 40 }
 };
 
@@ -69,6 +71,8 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
       return { name: "Username & Password", icon: faLock };
+    case WindmillConnectionMethod.AccessToken:
+      return { name: "Access Token", icon: faKey };
     case Auth0ConnectionMethod.ClientCredentials:
       return { name: "Client Credentials", icon: faServer };
     default:

frontend/src/helpers/secretSyncs.ts

@@ -35,6 +35,10 @@ export const SECRET_SYNC_MAP: Record<SecretSync, { name: string; image: string }
   [SecretSync.Vercel]: {
     name: "Vercel",
     image: "Vercel.png"
+  },
+  [SecretSync.Windmill]: {
+    name: "Windmill",
+    image: "Windmill.png"
   }
 };
 
@@ -49,7 +53,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.Humanitec]: AppConnection.Humanitec,
   [SecretSync.TerraformCloud]: AppConnection.TerraformCloud,
   [SecretSync.Camunda]: AppConnection.Camunda,
-  [SecretSync.Vercel]: AppConnection.Vercel
+  [SecretSync.Vercel]: AppConnection.Vercel,
+  [SecretSync.Windmill]: AppConnection.Windmill
 };
 
 export const SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP: Record<

frontend/src/hooks/api/appConnections/enums.ts

@@ -11,5 +11,6 @@ export enum AppConnection {
   Postgres = "postgres",
   MsSql = "mssql",
   Camunda = "camunda",
+  Windmill = "windmill",
   Auth0 = "auth0"
 }

frontend/src/hooks/api/appConnections/types/app-options.ts

@@ -59,6 +59,10 @@ export type TCamundaConnectionOption = TAppConnectionOptionBase & {
   app: AppConnection.Camunda;
 };
 
+export type TWindmillConnectionOption = TAppConnectionOptionBase & {
+  app: AppConnection.Windmill;
+};
+
 export type TAuth0ConnectionOption = TAppConnectionOptionBase & {
   app: AppConnection.Auth0;
 };
@@ -76,6 +80,7 @@ export type TAppConnectionOption =
   | TPostgresConnectionOption
   | TMsSqlConnectionOption
   | TCamundaConnectionOption
+  | TWindmillConnectionOption
   | TAuth0ConnectionOption;
 
 export type TAppConnectionOptionMap = {
@@ -91,5 +96,6 @@ export type TAppConnectionOptionMap = {
   [AppConnection.Postgres]: TPostgresConnectionOption;
   [AppConnection.MsSql]: TMsSqlConnectionOption;
   [AppConnection.Camunda]: TCamundaConnectionOption;
+  [AppConnection.Windmill]: TWindmillConnectionOption;
   [AppConnection.Auth0]: TAuth0ConnectionOption;
 };

frontend/src/hooks/api/appConnections/types/index.ts

@@ -13,6 +13,7 @@ import { TMsSqlConnection } from "./mssql-connection";
 import { TPostgresConnection } from "./postgres-connection";
 import { TTerraformCloudConnection } from "./terraform-cloud-connection";
 import { TVercelConnection } from "./vercel-connection";
+import { TWindmillConnection } from "./windmill-connection";
 
 export * from "./auth0-connection";
 export * from "./aws-connection";
@@ -27,6 +28,7 @@ export * from "./mssql-connection";
 export * from "./postgres-connection";
 export * from "./terraform-cloud-connection";
 export * from "./vercel-connection";
+export * from "./windmill-connection";
 
 export type TAppConnection =
   | TAwsConnection
@@ -41,6 +43,7 @@ export type TAppConnection =
   | TPostgresConnection
   | TMsSqlConnection
   | TCamundaConnection
+  | TWindmillConnection
   | TAuth0Connection;
 
 export type TAvailableAppConnection = Pick<TAppConnection, "name" | "id">;
@@ -81,5 +84,6 @@ export type TAppConnectionMap = {
   [AppConnection.Postgres]: TPostgresConnection;
   [AppConnection.MsSql]: TMsSqlConnection;
   [AppConnection.Camunda]: TCamundaConnection;
+  [AppConnection.Windmill]: TWindmillConnection;
   [AppConnection.Auth0]: TAuth0Connection;
 };

frontend/src/hooks/api/appConnections/types/windmill-connection.ts

@@ -0,0 +1,14 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { TRootAppConnection } from "@app/hooks/api/appConnections/types/root-connection";
+
+export enum WindmillConnectionMethod {
+  AccessToken = "access-token"
+}
+
+export type TWindmillConnection = TRootAppConnection & { app: AppConnection.Windmill } & {
+  method: WindmillConnectionMethod.AccessToken;
+  credentials: {
+    accessToken: string;
+    instanceUrl?: string;
+  };
+};

frontend/src/hooks/api/appConnections/windmill/index.ts

@@ -0,0 +1,2 @@
+export * from "./queries";
+export * from "./types";

frontend/src/hooks/api/appConnections/windmill/queries.tsx

@@ -0,0 +1,37 @@
+import { useQuery, UseQueryOptions } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { appConnectionKeys } from "../queries";
+import { TWindmillWorkspace } from "./types";
+
+const windmillConnectionKeys = {
+  all: [...appConnectionKeys.all, "windmill"] as const,
+  listWorkspaces: (connectionId: string) =>
+    [...windmillConnectionKeys.all, "workspaces", connectionId] as const
+};
+
+export const useWindmillConnectionListWorkspaces = (
+  connectionId: string,
+  options?: Omit<
+    UseQueryOptions<
+      TWindmillWorkspace[],
+      unknown,
+      TWindmillWorkspace[],
+      ReturnType<typeof windmillConnectionKeys.listWorkspaces>
+    >,
+    "queryKey" | "queryFn"
+  >
+) => {
+  return useQuery({
+    queryKey: windmillConnectionKeys.listWorkspaces(connectionId),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TWindmillWorkspace[]>(
+        `/api/v1/app-connections/windmill/${connectionId}/workspaces`
+      );
+
+      return data;
+    },
+    ...options
+  });
+};

frontend/src/hooks/api/appConnections/windmill/types.ts

@@ -0,0 +1,4 @@
+export type TWindmillWorkspace = {
+  id: string;
+  name: string;
+};

frontend/src/hooks/api/secretSyncs/enums.ts

@@ -9,7 +9,8 @@ export enum SecretSync {
   Humanitec = "humanitec",
   TerraformCloud = "terraform-cloud",
   Camunda = "camunda",
-  Vercel = "vercel"
+  Vercel = "vercel",
+  Windmill = "windmill"
 }
 
 export enum SecretSyncStatus {

frontend/src/hooks/api/secretSyncs/types/index.ts

@@ -1,17 +1,18 @@
 import { SecretSync, SecretSyncImportBehavior } from "@app/hooks/api/secretSyncs";
-import { TAwsParameterStoreSync } from "@app/hooks/api/secretSyncs/types/aws-parameter-store-sync";
-import { TDatabricksSync } from "@app/hooks/api/secretSyncs/types/databricks-sync";
-import { TGitHubSync } from "@app/hooks/api/secretSyncs/types/github-sync";
 import { DiscriminativePick } from "@app/types";
 
+import { TAwsParameterStoreSync } from "./aws-parameter-store-sync";
 import { TAwsSecretsManagerSync } from "./aws-secrets-manager-sync";
 import { TAzureAppConfigurationSync } from "./azure-app-configuration-sync";
 import { TAzureKeyVaultSync } from "./azure-key-vault-sync";
 import { TCamundaSync } from "./camunda-sync";
+import { TDatabricksSync } from "./databricks-sync";
 import { TGcpSync } from "./gcp-sync";
+import { TGitHubSync } from "./github-sync";
 import { THumanitecSync } from "./humanitec-sync";
 import { TTerraformCloudSync } from "./terraform-cloud-sync";
 import { TVercelSync } from "./vercel-sync";
+import { TWindmillSync } from "./windmill-sync";
 
 export type TSecretSyncOption = {
   name: string;
@@ -30,7 +31,8 @@ export type TSecretSync =
   | THumanitecSync
   | TTerraformCloudSync
   | TCamundaSync
-  | TVercelSync;
+  | TVercelSync
+  | TWindmillSync;
 
 export type TListSecretSyncs = { secretSyncs: TSecretSync[] };
 

frontend/src/hooks/api/secretSyncs/types/windmill-sync.ts

@@ -0,0 +1,16 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+import { TRootSecretSync } from "@app/hooks/api/secretSyncs/types/root-sync";
+
+export type TWindmillSync = TRootSecretSync & {
+  destination: SecretSync.Windmill;
+  destinationConfig: {
+    workspace: string;
+    path: string;
+  };
+  connection: {
+    app: AppConnection.Windmill;
+    name: string;
+    id: string;
+  };
+};

frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AppConnectionForm.tsx

@@ -22,6 +22,7 @@ import { MsSqlConnectionForm } from "./MsSqlConnectionForm";
 import { PostgresConnectionForm } from "./PostgresConnectionForm";
 import { TerraformCloudConnectionForm } from "./TerraformCloudConnectionForm";
 import { VercelConnectionForm } from "./VercelConnectionForm";
+import { WindmillConnectionForm } from "./WindmillConnectionForm";
 
 type FormProps = {
   onComplete: (appConnection: TAppConnection) => void;
@@ -84,6 +85,8 @@ const CreateForm = ({ app, onComplete }: CreateFormProps) => {
       return <MsSqlConnectionForm onSubmit={onSubmit} />;
     case AppConnection.Camunda:
       return <CamundaConnectionForm onSubmit={onSubmit} />;
+    case AppConnection.Windmill:
+      return <WindmillConnectionForm onSubmit={onSubmit} />;
     case AppConnection.Auth0:
       return <Auth0ConnectionForm onSubmit={onSubmit} />;
     default:
@@ -146,6 +149,8 @@ const UpdateForm = ({ appConnection, onComplete }: UpdateFormProps) => {
       return <MsSqlConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
     case AppConnection.Camunda:
       return <CamundaConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
+    case AppConnection.Windmill:
+      return <WindmillConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
     case AppConnection.Auth0:
       return <Auth0ConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
     default:

frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/WindmillConnectionForm.tsx

@@ -0,0 +1,158 @@
+import { Controller, FormProvider, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import {
+  Button,
+  FormControl,
+  Input,
+  ModalClose,
+  SecretInput,
+  Select,
+  SelectItem
+} from "@app/components/v2";
+import { APP_CONNECTION_MAP, getAppConnectionMethodDetails } from "@app/helpers/appConnections";
+import { TWindmillConnection, WindmillConnectionMethod } from "@app/hooks/api/appConnections";
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+
+import {
+  genericAppConnectionFieldsSchema,
+  GenericAppConnectionsFields
+} from "./GenericAppConnectionFields";
+
+type Props = {
+  appConnection?: TWindmillConnection;
+  onSubmit: (formData: FormData) => void;
+};
+
+const rootSchema = genericAppConnectionFieldsSchema.extend({
+  app: z.literal(AppConnection.Windmill)
+});
+
+const formSchema = z.discriminatedUnion("method", [
+  rootSchema.extend({
+    method: z.literal(WindmillConnectionMethod.AccessToken),
+    credentials: z.object({
+      accessToken: z.string().trim().min(1, "Access Token required"),
+      instanceUrl: z
+        .string()
+        .trim()
+        .transform((value) => value || undefined)
+        .refine((value) => (!value ? true : z.string().url().safeParse(value).success), {
+          message: "Invalid instance URL"
+        })
+        .optional()
+    })
+  })
+]);
+
+type FormData = z.infer<typeof formSchema>;
+
+export const WindmillConnectionForm = ({ appConnection, onSubmit }: Props) => {
+  const isUpdate = Boolean(appConnection);
+
+  const form = useForm<FormData>({
+    resolver: zodResolver(formSchema),
+    defaultValues: appConnection ?? {
+      app: AppConnection.Windmill,
+      method: WindmillConnectionMethod.AccessToken
+    }
+  });
+
+  const {
+    handleSubmit,
+    control,
+    formState: { isSubmitting, isDirty }
+  } = form;
+
+  return (
+    <FormProvider {...form}>
+      <form onSubmit={handleSubmit(onSubmit)}>
+        {!isUpdate && <GenericAppConnectionsFields />}
+        <Controller
+          name="method"
+          control={control}
+          render={({ field: { value, onChange }, fieldState: { error } }) => (
+            <FormControl
+              tooltipText={`The method you would like to use to connect with ${
+                APP_CONNECTION_MAP[AppConnection.Windmill].name
+              }. This field cannot be changed after creation.`}
+              errorText={error?.message}
+              isError={Boolean(error?.message)}
+              label="Method"
+            >
+              <Select
+                isDisabled={isUpdate}
+                value={value}
+                onValueChange={(val) => onChange(val)}
+                className="w-full border border-mineshaft-500"
+                position="popper"
+                dropdownContainerClassName="max-w-none"
+              >
+                {Object.values(WindmillConnectionMethod).map((method) => {
+                  return (
+                    <SelectItem value={method} key={method}>
+                      {getAppConnectionMethodDetails(method).name}{" "}
+                    </SelectItem>
+                  );
+                })}
+              </Select>
+            </FormControl>
+          )}
+        />
+        <Controller
+          name="credentials.instanceUrl"
+          control={control}
+          shouldUnregister
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              errorText={error?.message}
+              isError={Boolean(error?.message)}
+              label="Instance URL"
+              isOptional
+              tooltipClassName="max-w-sm"
+              tooltipText="Will default to Windmill Cloud if not specified."
+            >
+              <Input {...field} placeholder="https://app.windmill.dev" />
+            </FormControl>
+          )}
+        />
+        <Controller
+          name="credentials.accessToken"
+          control={control}
+          shouldUnregister
+          render={({ field: { value, onChange }, fieldState: { error } }) => (
+            <FormControl
+              errorText={error?.message}
+              isError={Boolean(error?.message)}
+              label="Access Token"
+            >
+              <SecretInput
+                containerClassName="text-gray-400 group-focus-within:!border-primary-400/50 border border-mineshaft-500 bg-mineshaft-900 px-2.5 py-1.5"
+                value={value}
+                onChange={(e) => onChange(e.target.value)}
+              />
+            </FormControl>
+          )}
+        />
+        <div className="mt-8 flex items-center">
+          <Button
+            className="mr-4"
+            size="sm"
+            type="submit"
+            colorSchema="secondary"
+            isLoading={isSubmitting}
+            isDisabled={isSubmitting || !isDirty}
+          >
+            {isUpdate ? "Update Credentials" : "Connect to Windmill"}
+          </Button>
+          <ModalClose asChild>
+            <Button colorSchema="secondary" variant="plain">
+              Cancel
+            </Button>
+          </ModalClose>
+        </div>
+      </form>
+    </FormProvider>
+  );
+};

frontend/src/pages/organization/SettingsPage/components/OrgEncryptionTab/ExternalKmsItem.tsx

@@ -1,152 +0,0 @@
-import { faAws, faGoogle } from "@fortawesome/free-brands-svg-icons";
-import { faCheck, faCopy, faEllipsis } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-import { twMerge } from "tailwind-merge";
-
-import { createNotification } from "@app/components/notifications";
-import { OrgPermissionCan } from "@app/components/permissions/OrgPermissionCan";
-import {
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuItem,
-  DropdownMenuTrigger
-} from "@app/components/v2/Dropdown";
-import { IconButton } from "@app/components/v2/IconButton";
-import { Td, Tr } from "@app/components/v2/Table";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/context/OrgPermissionContext";
-import { useToggle } from "@app/hooks";
-import { ExternalKmsProvider, KmsListEntry } from "@app/hooks/api/kms/types";
-import { SubscriptionPlan } from "@app/hooks/api/types";
-import { UsePopUpState } from "@app/hooks/usePopUp";
-
-type Props = {
-  kms: KmsListEntry;
-  handlePopUpOpen: (
-    popUpName: keyof UsePopUpState<["editExternalKms", "removeExternalKms", "upgradePlan"]>,
-    data?: {
-      kmsId?: string;
-      name?: string;
-      provider?: string;
-    }
-  ) => void;
-  subscription: SubscriptionPlan;
-};
-
-export const ExternalKmsItem = ({ kms, handlePopUpOpen, subscription }: Props) => {
-  const [isKmsIdCopied, { timedToggle: toggleKmsIdCopied }] = useToggle(false);
-  const [isKmsAliasCopied, { timedToggle: toggleKmsAliasCopied }] = useToggle(false);
-
-  return (
-    <Tr key={kms.id}>
-      <Td className="flex max-w-xs items-center overflow-hidden text-ellipsis hover:overflow-auto hover:break-all">
-        {kms.externalKms.provider === ExternalKmsProvider.Aws && <FontAwesomeIcon icon={faAws} />}
-        {kms.externalKms.provider === ExternalKmsProvider.Gcp && (
-          <FontAwesomeIcon icon={faGoogle} />
-        )}
-        <div className="ml-2">{kms.externalKms.provider.toUpperCase()}</div>
-      </Td>
-      <Td>
-        <div className="group flex items-center gap-2">
-          {kms.name}
-          <IconButton
-            size="xs"
-            ariaLabel="copy icon"
-            colorSchema="secondary"
-            className="relative rounded-md opacity-0 group-hover:opacity-100"
-            onClick={() => {
-              if (isKmsAliasCopied) {
-                return;
-              }
-              navigator.clipboard.writeText(kms.name);
-              createNotification({
-                text: "KMS alias copied to clipboard",
-                type: "success"
-              });
-              toggleKmsAliasCopied(2000);
-            }}
-          >
-            <FontAwesomeIcon icon={isKmsAliasCopied ? faCheck : faCopy} />
-          </IconButton>
-        </div>
-      </Td>
-      <Td>
-        <div className="group flex items-center gap-2">
-          {kms.id}
-          <IconButton
-            size="xs"
-            ariaLabel="copy icon"
-            colorSchema="secondary"
-            className="relative rounded-md opacity-0 group-hover:opacity-100"
-            onClick={() => {
-              if (isKmsIdCopied) {
-                return;
-              }
-              navigator.clipboard.writeText(kms.id);
-              createNotification({
-                text: "KMS ID copied to clipboard",
-                type: "success"
-              });
-              toggleKmsIdCopied(2000);
-            }}
-          >
-            <FontAwesomeIcon icon={isKmsIdCopied ? faCheck : faCopy} />
-          </IconButton>
-        </div>
-      </Td>
-      <Td>
-        <DropdownMenu>
-          <DropdownMenuTrigger asChild className="rounded-lg">
-            <div className="flex justify-end hover:text-primary-400 data-[state=open]:text-primary-400">
-              <FontAwesomeIcon size="sm" icon={faEllipsis} />
-            </div>
-          </DropdownMenuTrigger>
-          <DropdownMenuContent align="start" className="p-1">
-            <OrgPermissionCan I={OrgPermissionActions.Edit} an={OrgPermissionSubjects.Kms}>
-              {(isAllowed) => (
-                <DropdownMenuItem
-                  disabled={!isAllowed}
-                  className={twMerge(
-                    !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
-                  )}
-                  onClick={(e) => {
-                    e.stopPropagation();
-                    if (subscription && !subscription?.externalKms) {
-                      handlePopUpOpen("upgradePlan");
-                      return;
-                    }
-
-                    handlePopUpOpen("editExternalKms", {
-                      kmsId: kms.id
-                    });
-                  }}
-                >
-                  Edit
-                </DropdownMenuItem>
-              )}
-            </OrgPermissionCan>
-            <OrgPermissionCan I={OrgPermissionActions.Delete} an={OrgPermissionSubjects.Kms}>
-              {(isAllowed) => (
-                <DropdownMenuItem
-                  disabled={!isAllowed}
-                  className={twMerge(
-                    !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
-                  )}
-                  onClick={(e) => {
-                    e.stopPropagation();
-                    handlePopUpOpen("removeExternalKms", {
-                      name: kms.name,
-                      kmsId: kms.id,
-                      provider: kms.externalKms.provider
-                    });
-                  }}
-                >
-                  Delete
-                </DropdownMenuItem>
-              )}
-            </OrgPermissionCan>
-          </DropdownMenuContent>
-        </DropdownMenu>
-      </Td>
-    </Tr>
-  );
-};

frontend/src/pages/organization/SettingsPage/components/OrgEncryptionTab/OrgEncryptionTab.tsx

@@ -1,5 +1,7 @@
-import { faLock, faPlus } from "@fortawesome/free-solid-svg-icons";
+import { faAws, faGoogle } from "@fortawesome/free-brands-svg-icons";
+import { faEllipsis, faLock, faPlus } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { twMerge } from "tailwind-merge";
 
 import { UpgradePlanModal } from "@app/components/license/UpgradePlanModal";
 import { createNotification } from "@app/components/notifications";
@@ -7,6 +9,10 @@ import { OrgPermissionCan } from "@app/components/permissions";
 import {
   Button,
   DeleteActionModal,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
   EmptyState,
   Table,
   TableContainer,
@@ -25,9 +31,9 @@ import {
 import { withPermission } from "@app/hoc";
 import { usePopUp } from "@app/hooks";
 import { useGetExternalKmsList, useRemoveExternalKms } from "@app/hooks/api";
+import { ExternalKmsProvider } from "@app/hooks/api/kms/types";
 
 import { AddExternalKmsForm } from "./AddExternalKmsForm";
-import { ExternalKmsItem } from "./ExternalKmsItem";
 import { UpdateExternalKmsForm } from "./UpdateExternalKmsForm";
 
 export const OrgEncryptionTab = withPermission(
@@ -96,7 +102,6 @@ export const OrgEncryptionTab = withPermission(
               <Tr>
                 <Td>Provider</Td>
                 <Td>Alias</Td>
-                <Td>ID</Td>
               </Tr>
             </THead>
             <TBody>
@@ -110,12 +115,78 @@ export const OrgEncryptionTab = withPermission(
               )}
               {!isExternalKmsListLoading &&
                 externalKmsList?.map((kms) => (
-                  <ExternalKmsItem
-                    key={kms.id}
-                    kms={kms}
-                    handlePopUpOpen={handlePopUpOpen}
-                    subscription={subscription}
-                  />
+                  <Tr key={kms.id}>
+                    <Td className="flex max-w-xs items-center overflow-hidden text-ellipsis hover:overflow-auto hover:break-all">
+                      {kms.externalKms.provider === ExternalKmsProvider.Aws && (
+                        <FontAwesomeIcon icon={faAws} />
+                      )}
+                      {kms.externalKms.provider === ExternalKmsProvider.Gcp && (
+                        <FontAwesomeIcon icon={faGoogle} />
+                      )}
+                      <div className="ml-2">{kms.externalKms.provider.toUpperCase()}</div>
+                    </Td>
+                    <Td>{kms.name}</Td>
+                    <Td>
+                      <DropdownMenu>
+                        <DropdownMenuTrigger asChild className="rounded-lg">
+                          <div className="flex justify-end hover:text-primary-400 data-[state=open]:text-primary-400">
+                            <FontAwesomeIcon size="sm" icon={faEllipsis} />
+                          </div>
+                        </DropdownMenuTrigger>
+                        <DropdownMenuContent align="start" className="p-1">
+                          <OrgPermissionCan
+                            I={OrgPermissionActions.Edit}
+                            an={OrgPermissionSubjects.Kms}
+                          >
+                            {(isAllowed) => (
+                              <DropdownMenuItem
+                                disabled={!isAllowed}
+                                className={twMerge(
+                                  !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
+                                )}
+                                onClick={(e) => {
+                                  e.stopPropagation();
+                                  if (subscription && !subscription?.externalKms) {
+                                    handlePopUpOpen("upgradePlan");
+                                    return;
+                                  }
+
+                                  handlePopUpOpen("editExternalKms", {
+                                    kmsId: kms.id
+                                  });
+                                }}
+                              >
+                                Edit
+                              </DropdownMenuItem>
+                            )}
+                          </OrgPermissionCan>
+                          <OrgPermissionCan
+                            I={OrgPermissionActions.Delete}
+                            an={OrgPermissionSubjects.Kms}
+                          >
+                            {(isAllowed) => (
+                              <DropdownMenuItem
+                                disabled={!isAllowed}
+                                className={twMerge(
+                                  !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
+                                )}
+                                onClick={(e) => {
+                                  e.stopPropagation();
+                                  handlePopUpOpen("removeExternalKms", {
+                                    name: kms.name,
+                                    kmsId: kms.id,
+                                    provider: kms.externalKms.provider
+                                  });
+                                }}
+                              >
+                                Delete
+                              </DropdownMenuItem>
+                            )}
+                          </OrgPermissionCan>
+                        </DropdownMenuContent>
+                      </DropdownMenu>
+                    </Td>
+                  </Tr>
                 ))}
             </TBody>
           </Table>

frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/SecretSyncDestinationCol.tsx

@@ -11,6 +11,7 @@ import { GitHubSyncDestinationCol } from "./GitHubSyncDestinationCol";
 import { HumanitecSyncDestinationCol } from "./HumanitecSyncDestinationCol";
 import { TerraformCloudSyncDestinationCol } from "./TerraformCloudSyncDestinationCol";
 import { VercelSyncDestinationCol } from "./VercelSyncDestinationCol";
+import { WindmillSyncDestinationCol } from "./WindmillSyncDestinationCol";
 
 type Props = {
   secretSync: TSecretSync;
@@ -40,6 +41,8 @@ export const SecretSyncDestinationCol = ({ secretSync }: Props) => {
       return <CamundaSyncDestinationCol secretSync={secretSync} />;
     case SecretSync.Vercel:
       return <VercelSyncDestinationCol secretSync={secretSync} />;
+    case SecretSync.Windmill:
+      return <WindmillSyncDestinationCol secretSync={secretSync} />;
     default:
       throw new Error(
         `Unhandled Secret Sync Destination Col: ${(secretSync as TSecretSync).destination}`

frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/WindmillSyncDestinationCol.tsx

@@ -0,0 +1,14 @@
+import { TWindmillSync } from "@app/hooks/api/secretSyncs/types/windmill-sync";
+
+import { getSecretSyncDestinationColValues } from "../helpers";
+import { SecretSyncTableCell } from "../SecretSyncTableCell";
+
+type Props = {
+  secretSync: TWindmillSync;
+};
+
+export const WindmillSyncDestinationCol = ({ secretSync }: Props) => {
+  const { primaryText, secondaryText } = getSecretSyncDestinationColValues(secretSync);
+
+  return <SecretSyncTableCell primaryText={primaryText} secondaryText={secondaryText} />;
+};

frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/helpers/index.ts

@@ -90,6 +90,10 @@ export const getSecretSyncDestinationColValues = (secretSync: TSecretSync) => {
       primaryText = destinationConfig.appName || destinationConfig.app;
       secondaryText = destinationConfig.env;
       break;
+    case SecretSync.Windmill:
+      primaryText = destinationConfig.workspace;
+      secondaryText = destinationConfig.path;
+      break;
     default:
       throw new Error(`Unhandled Destination Col Values ${destination}`);
   }

frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/SecretSyncDestinatonSection.tsx

@@ -9,18 +9,19 @@ import { ProjectPermissionSub } from "@app/context";
 import { ProjectPermissionSecretSyncActions } from "@app/context/ProjectPermissionContext/types";
 import { APP_CONNECTION_MAP } from "@app/helpers/appConnections";
 import { SecretSync, TSecretSync } from "@app/hooks/api/secretSyncs";
-import { AwsParameterStoreSyncDestinationSection } from "@app/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/AwsParameterStoreSyncDestinationSection";
-import { AwsSecretsManagerSyncDestinationSection } from "@app/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/AwsSecretsManagerSyncDestinationSection";
-import { DatabricksSyncDestinationSection } from "@app/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/DatabricksSyncDestinationSection";
-import { GitHubSyncDestinationSection } from "@app/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/GitHubSyncDestinationSection";
 
+import { AwsParameterStoreSyncDestinationSection } from "./AwsParameterStoreSyncDestinationSection";
+import { AwsSecretsManagerSyncDestinationSection } from "./AwsSecretsManagerSyncDestinationSection";
 import { AzureAppConfigurationSyncDestinationSection } from "./AzureAppConfigurationSyncDestinationSection";
 import { AzureKeyVaultSyncDestinationSection } from "./AzureKeyVaultSyncDestinationSection";
 import { CamundaSyncDestinationSection } from "./CamundaSyncDestinationSection";
+import { DatabricksSyncDestinationSection } from "./DatabricksSyncDestinationSection";
 import { GcpSyncDestinationSection } from "./GcpSyncDestinationSection";
+import { GitHubSyncDestinationSection } from "./GitHubSyncDestinationSection";
 import { HumanitecSyncDestinationSection } from "./HumanitecSyncDestinationSection";
 import { TerraformCloudSyncDestinationSection } from "./TerraformCloudSyncDestinationSection";
 import { VercelSyncDestinationSection } from "./VercelSyncDestinationSection";
+import { WindmillSyncDestinationSection } from "./WindmillSyncDestinationSection";
 
 type Props = {
   secretSync: TSecretSync;
@@ -69,6 +70,9 @@ export const SecretSyncDestinationSection = ({ secretSync, onEditDestination }:
     case SecretSync.Vercel:
       DestinationComponents = <VercelSyncDestinationSection secretSync={secretSync} />;
       break;
+    case SecretSync.Windmill:
+      DestinationComponents = <WindmillSyncDestinationSection secretSync={secretSync} />;
+      break;
     default:
       throw new Error(`Unhandled Destination Section components: ${destination}`);
   }

frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/WindmillSyncDestinationSection.tsx

@@ -0,0 +1,19 @@
+import { GenericFieldLabel } from "@app/components/secret-syncs";
+import { TWindmillSync } from "@app/hooks/api/secretSyncs/types/windmill-sync";
+
+type Props = {
+  secretSync: TWindmillSync;
+};
+
+export const WindmillSyncDestinationSection = ({ secretSync }: Props) => {
+  const {
+    destinationConfig: { path, workspace }
+  } = secretSync;
+
+  return (
+    <>
+      <GenericFieldLabel label="Workspace">{workspace}</GenericFieldLabel>
+      <GenericFieldLabel label="Path">{path}</GenericFieldLabel>
+    </>
+  );
+};

frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncOptionsSection/SecretSyncOptionsSection.tsx

@@ -51,6 +51,7 @@ export const SecretSyncOptionsSection = ({ secretSync, onEditOptions }: Props) =
     case SecretSync.TerraformCloud:
     case SecretSync.Camunda:
     case SecretSync.Vercel:
+    case SecretSync.Windmill:
       AdditionalSyncOptionsComponent = null;
       break;
     default: