improvements: revise commit history and commit details UI

Use non root user for docs Dockerfile

backend/src/db/migrations/20250711005900_github-app-connection-to-environments.ts

@@ -0,0 +1,66 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { selectAllTableCols } from "@app/lib/knex";
+
+import { TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+export async function up(knex: Knex) {
+  const existingSuperAdminsWithGithubConnection = await knex(TableName.SuperAdmin)
+    .select(selectAllTableCols(TableName.SuperAdmin))
+    .whereNotNull(`${TableName.SuperAdmin}.encryptedGitHubAppConnectionClientId`);
+
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
+  const decryptor = kmsService.decryptWithRootKey();
+  const encryptor = kmsService.encryptWithRootKey();
+
+  const tasks = existingSuperAdminsWithGithubConnection.map(async (admin) => {
+    const overrides = (
+      admin.encryptedEnvOverrides ? JSON.parse(decryptor(Buffer.from(admin.encryptedEnvOverrides)).toString()) : {}
+    ) as Record<string, string>;
+
+    if (admin.encryptedGitHubAppConnectionClientId) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID = decryptor(
+        admin.encryptedGitHubAppConnectionClientId
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionClientSecret) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET = decryptor(
+        admin.encryptedGitHubAppConnectionClientSecret
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionPrivateKey) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY = decryptor(
+        admin.encryptedGitHubAppConnectionPrivateKey
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionSlug) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_SLUG = decryptor(admin.encryptedGitHubAppConnectionSlug).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionId) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_ID = decryptor(admin.encryptedGitHubAppConnectionId).toString();
+    }
+
+    const encryptedEnvOverrides = encryptor(Buffer.from(JSON.stringify(overrides)));
+
+    await knex(TableName.SuperAdmin).where({ id: admin.id }).update({
+      encryptedEnvOverrides
+    });
+  });
+
+  await Promise.all(tasks);
+}
+
+export async function down() {
+  // No down migration needed as this migration is only for data transformation
+  // and does not change the schema.
+}

backend/src/lib/api-docs/constants.ts

@@ -2472,6 +2472,9 @@ export const SecretSyncs = {
       projectName: "The name of the Cloudflare Pages project to sync secrets to.",
       environment: "The environment of the Cloudflare Pages project to sync secrets to."
     },
+    CLOUDFLARE_WORKERS: {
+      scriptId: "The ID of the Cloudflare Workers script to sync secrets to."
+    },
     ZABBIX: {
       scope: "The Zabbix scope that secrets should be synced to.",
       hostId: "The ID of the Zabbix host to sync secrets to.",

backend/src/server/routes/v1/app-connection-routers/cloudflare-connection-router.ts

@@ -50,4 +50,32 @@ export const registerCloudflareConnectionRouter = async (server: FastifyZodProvi
       return projects;
     }
   });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/cloudflare-workers-scripts`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const projects = await server.services.appConnection.cloudflare.listWorkersScripts(connectionId, req.permission);
+
+      return projects;
+    }
+  });
 };

backend/src/server/routes/v1/secret-sync-routers/cloudflare-workers-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  CloudflareWorkersSyncSchema,
+  CreateCloudflareWorkersSyncSchema,
+  UpdateCloudflareWorkersSyncSchema
+} from "@app/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerCloudflareWorkersSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.CloudflareWorkers,
+    server,
+    responseSchema: CloudflareWorkersSyncSchema,
+    createSchema: CreateCloudflareWorkersSyncSchema,
+    updateSchema: UpdateCloudflareWorkersSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -9,6 +9,7 @@ import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
 import { registerCloudflarePagesSyncRouter } from "./cloudflare-pages-sync-router";
+import { registerCloudflareWorkersSyncRouter } from "./cloudflare-workers-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
@@ -50,6 +51,8 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Flyio]: registerFlyioSyncRouter,
   [SecretSync.GitLab]: registerGitLabSyncRouter,
   [SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter,
+  [SecretSync.CloudflareWorkers]: registerCloudflareWorkersSyncRouter,
+
   [SecretSync.Zabbix]: registerZabbixSyncRouter,
   [SecretSync.Railway]: registerRailwaySyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -26,6 +26,10 @@ import {
   CloudflarePagesSyncListItemSchema,
   CloudflarePagesSyncSchema
 } from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
+import {
+  CloudflareWorkersSyncListItemSchema,
+  CloudflareWorkersSyncSchema
+} from "@app/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
 import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
@@ -65,6 +69,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   FlyioSyncSchema,
   GitLabSyncSchema,
   CloudflarePagesSyncSchema,
+  CloudflareWorkersSyncSchema,
+
   ZabbixSyncSchema,
   RailwaySyncSchema
 ]);
@@ -92,6 +98,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   FlyioSyncListItemSchema,
   GitLabSyncListItemSchema,
   CloudflarePagesSyncListItemSchema,
+  CloudflareWorkersSyncListItemSchema,
+
   ZabbixSyncListItemSchema,
   RailwaySyncListItemSchema
 ]);

backend/src/services/app-connection/cloudflare/cloudflare-connection-fns.ts

@@ -9,7 +9,8 @@ import { CloudflareConnectionMethod } from "./cloudflare-connection-enum";
 import {
   TCloudflareConnection,
   TCloudflareConnectionConfig,
-  TCloudflarePagesProject
+  TCloudflarePagesProject,
+  TCloudflareWorkersScript
 } from "./cloudflare-connection-types";
 
 export const getCloudflareConnectionListItem = () => {
@@ -43,6 +44,28 @@ export const listCloudflarePagesProjects = async (
   }));
 };
 
+export const listCloudflareWorkersScripts = async (
+  appConnection: TCloudflareConnection
+): Promise<TCloudflareWorkersScript[]> => {
+  const {
+    credentials: { apiToken, accountId }
+  } = appConnection;
+
+  const { data } = await request.get<{ result: { id: string }[] }>(
+    `${IntegrationUrls.CLOUDFLARE_API_URL}/client/v4/accounts/${accountId}/workers/scripts`,
+    {
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        Accept: "application/json"
+      }
+    }
+  );
+
+  return data.result.map((a) => ({
+    id: a.id
+  }));
+};
+
 export const validateCloudflareConnectionCredentials = async (config: TCloudflareConnectionConfig) => {
   const { apiToken, accountId } = config.credentials;
 

backend/src/services/app-connection/cloudflare/cloudflare-connection-service.ts

@@ -2,7 +2,7 @@ import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
 
 import { AppConnection } from "../app-connection-enums";
-import { listCloudflarePagesProjects } from "./cloudflare-connection-fns";
+import { listCloudflarePagesProjects, listCloudflareWorkersScripts } from "./cloudflare-connection-fns";
 import { TCloudflareConnection } from "./cloudflare-connection-types";
 
 type TGetAppConnectionFunc = (
@@ -19,12 +19,31 @@ export const cloudflareConnectionService = (getAppConnection: TGetAppConnectionF
 
       return projects;
     } catch (error) {
-      logger.error(error, "Failed to list Cloudflare Pages projects for Cloudflare connection");
+      logger.error(
+        error,
+        `Failed to list Cloudflare Pages projects for Cloudflare connection [connectionId=${connectionId}]`
+      );
+      return [];
+    }
+  };
+
+  const listWorkersScripts = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Cloudflare, connectionId, actor);
+    try {
+      const projects = await listCloudflareWorkersScripts(appConnection);
+
+      return projects;
+    } catch (error) {
+      logger.error(
+        error,
+        `Failed to list Cloudflare Workers scripts for Cloudflare connection [connectionId=${connectionId}]`
+      );
       return [];
     }
   };
 
   return {
-    listPagesProjects
+    listPagesProjects,
+    listWorkersScripts
   };
 };

backend/src/services/app-connection/cloudflare/cloudflare-connection-types.ts

@@ -28,3 +28,7 @@ export type TCloudflarePagesProject = {
   id: string;
   name: string;
 };
+
+export type TCloudflareWorkersScript = {
+  id: string;
+};

backend/src/services/app-connection/github/github-connection-fns.ts

@@ -7,7 +7,6 @@ import { request } from "@app/lib/config/request";
 import { BadRequestError, ForbiddenRequestError, InternalServerError } from "@app/lib/errors";
 import { getAppConnectionMethodName } from "@app/services/app-connection/app-connection-fns";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
-import { getInstanceIntegrationsConfig } from "@app/services/super-admin/super-admin-service";
 
 import { AppConnection } from "../app-connection-enums";
 import { GitHubConnectionMethod } from "./github-connection-enums";
@@ -15,14 +14,13 @@ import { TGitHubConnection, TGitHubConnectionConfig } from "./github-connection-
 
 export const getGitHubConnectionListItem = () => {
   const { INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITHUB_APP_SLUG } = getConfig();
-  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
 
   return {
     name: "GitHub" as const,
     app: AppConnection.GitHub as const,
     methods: Object.values(GitHubConnectionMethod) as [GitHubConnectionMethod.App, GitHubConnectionMethod.OAuth],
     oauthClientId: INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
-    appClientSlug: gitHubAppConnection.appSlug || INF_APP_CONNECTION_GITHUB_APP_SLUG
+    appClientSlug: INF_APP_CONNECTION_GITHUB_APP_SLUG
   };
 };
 
@@ -32,10 +30,9 @@ export const getGitHubClient = (appConnection: TGitHubConnection) => {
   const { method, credentials } = appConnection;
 
   let client: Octokit;
-  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
 
-  const appId = gitHubAppConnection.appId || appCfg.INF_APP_CONNECTION_GITHUB_APP_ID;
-  const appPrivateKey = gitHubAppConnection.privateKey || appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY;
+  const appId = appCfg.INF_APP_CONNECTION_GITHUB_APP_ID;
+  const appPrivateKey = appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY;
 
   switch (method) {
     case GitHubConnectionMethod.App:
@@ -157,8 +154,6 @@ type TokenRespData = {
 export const validateGitHubConnectionCredentials = async (config: TGitHubConnectionConfig) => {
   const { credentials, method } = config;
 
-  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
-
   const {
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET,
@@ -170,8 +165,8 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
   const { clientId, clientSecret } =
     method === GitHubConnectionMethod.App
       ? {
-          clientId: gitHubAppConnection.clientId || INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
-          clientSecret: gitHubAppConnection.clientSecret || INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET
+          clientId: INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
+          clientSecret: INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET
         }
       : // oauth
         {

backend/src/services/secret-sync/cloudflare-workers/cloudflare-workers-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const CLOUDFLARE_WORKERS_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Cloudflare Workers",
+  destination: SecretSync.CloudflareWorkers,
+  connection: AppConnection.Cloudflare,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/cloudflare-workers/cloudflare-workers-fns.ts

@@ -0,0 +1,121 @@
+import { request } from "@app/lib/config/request";
+import { applyJitter } from "@app/lib/dates";
+import { delay as delayMs } from "@app/lib/delay";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+import { TCloudflareWorkersSyncWithCredentials } from "./cloudflare-workers-types";
+
+const getSecretKeys = async (secretSync: TCloudflareWorkersSyncWithCredentials): Promise<string[]> => {
+  const {
+    destinationConfig,
+    connection: {
+      credentials: { apiToken, accountId }
+    }
+  } = secretSync;
+
+  const { data } = await request.get<{
+    result: Array<{ name: string }>;
+  }>(
+    `${IntegrationUrls.CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accountId}/workers/scripts/${destinationConfig.scriptId}/secrets`,
+    {
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        Accept: "application/json"
+      }
+    }
+  );
+
+  return data.result.map((s) => s.name);
+};
+
+export const CloudflareWorkersSyncFns = {
+  syncSecrets: async (secretSync: TCloudflareWorkersSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection: {
+        credentials: { apiToken, accountId }
+      },
+      destinationConfig: { scriptId }
+    } = secretSync;
+
+    const existingSecretNames = await getSecretKeys(secretSync);
+    const secretMapKeys = new Set(Object.keys(secretMap));
+
+    for await (const [key, val] of Object.entries(secretMap)) {
+      await delayMs(Math.max(0, applyJitter(100, 200)));
+      await request.put(
+        `${IntegrationUrls.CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accountId}/workers/scripts/${scriptId}/secrets`,
+        { name: key, text: val.value, type: "secret_text" },
+        {
+          headers: {
+            Authorization: `Bearer ${apiToken}`,
+            "Content-Type": "application/json"
+          }
+        }
+      );
+    }
+
+    if (!secretSync.syncOptions.disableSecretDeletion) {
+      const secretsToDelete = existingSecretNames.filter((existingKey) => {
+        const isManagedBySchema = matchesSchema(
+          existingKey,
+          secretSync.environment?.slug || "",
+          secretSync.syncOptions.keySchema
+        );
+        const isInNewSecretMap = secretMapKeys.has(existingKey);
+        return !isInNewSecretMap && isManagedBySchema;
+      });
+
+      for await (const key of secretsToDelete) {
+        await delayMs(Math.max(0, applyJitter(100, 200)));
+        await request.delete(
+          `${IntegrationUrls.CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accountId}/workers/scripts/${scriptId}/secrets/${key}`,
+          {
+            headers: {
+              Authorization: `Bearer ${apiToken}`
+            }
+          }
+        );
+      }
+    }
+  },
+
+  getSecrets: async (secretSync: TCloudflareWorkersSyncWithCredentials): Promise<TSecretMap> => {
+    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
+  },
+
+  removeSecrets: async (secretSync: TCloudflareWorkersSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection: {
+        credentials: { apiToken, accountId }
+      },
+      destinationConfig: { scriptId }
+    } = secretSync;
+
+    const existingSecretNames = await getSecretKeys(secretSync);
+    const secretMapToRemoveKeys = new Set(Object.keys(secretMap));
+
+    for await (const existingKey of existingSecretNames) {
+      const isManagedBySchema = matchesSchema(
+        existingKey,
+        secretSync.environment?.slug || "",
+        secretSync.syncOptions.keySchema
+      );
+      const isInSecretMapToRemove = secretMapToRemoveKeys.has(existingKey);
+
+      if (isInSecretMapToRemove && isManagedBySchema) {
+        await delayMs(Math.max(0, applyJitter(100, 200)));
+        await request.delete(
+          `${IntegrationUrls.CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accountId}/workers/scripts/${scriptId}/secrets/${existingKey}`,
+          {
+            headers: {
+              Authorization: `Bearer ${apiToken}`
+            }
+          }
+        );
+      }
+    }
+  }
+};

backend/src/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas.ts

@@ -0,0 +1,55 @@
+import RE2 from "re2";
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const CloudflareWorkersSyncDestinationConfigSchema = z.object({
+  scriptId: z
+    .string()
+    .min(1, "Script ID is required")
+    .max(64)
+    .refine((val) => {
+      const re2 = new RE2(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/);
+      return re2.test(val);
+    }, "Invalid script ID format")
+    .describe(SecretSyncs.DESTINATION_CONFIG.CLOUDFLARE_WORKERS.scriptId)
+});
+
+const CloudflareWorkersSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const CloudflareWorkersSyncSchema = BaseSecretSyncSchema(
+  SecretSync.CloudflareWorkers,
+  CloudflareWorkersSyncOptionsConfig
+).extend({
+  destination: z.literal(SecretSync.CloudflareWorkers),
+  destinationConfig: CloudflareWorkersSyncDestinationConfigSchema
+});
+
+export const CreateCloudflareWorkersSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.CloudflareWorkers,
+  CloudflareWorkersSyncOptionsConfig
+).extend({
+  destinationConfig: CloudflareWorkersSyncDestinationConfigSchema
+});
+
+export const UpdateCloudflareWorkersSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.CloudflareWorkers,
+  CloudflareWorkersSyncOptionsConfig
+).extend({
+  destinationConfig: CloudflareWorkersSyncDestinationConfigSchema.optional()
+});
+
+export const CloudflareWorkersSyncListItemSchema = z.object({
+  name: z.literal("Cloudflare Workers"),
+  connection: z.literal(AppConnection.Cloudflare),
+  destination: z.literal(SecretSync.CloudflareWorkers),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/cloudflare-workers/cloudflare-workers-types.ts

@@ -0,0 +1,19 @@
+import z from "zod";
+
+import { TCloudflareConnection } from "@app/services/app-connection/cloudflare/cloudflare-connection-types";
+
+import {
+  CloudflareWorkersSyncListItemSchema,
+  CloudflareWorkersSyncSchema,
+  CreateCloudflareWorkersSyncSchema
+} from "./cloudflare-workers-schemas";
+
+export type TCloudflareWorkersSyncListItem = z.infer<typeof CloudflareWorkersSyncListItemSchema>;
+
+export type TCloudflareWorkersSync = z.infer<typeof CloudflareWorkersSyncSchema>;
+
+export type TCloudflareWorkersSyncInput = z.infer<typeof CreateCloudflareWorkersSyncSchema>;
+
+export type TCloudflareWorkersSyncWithCredentials = TCloudflareWorkersSync & {
+  connection: TCloudflareConnection;
+};

backend/src/services/secret-sync/cloudflare-workers/index.ts

@@ -0,0 +1,4 @@
+export * from "./cloudflare-workers-constants";
+export * from "./cloudflare-workers-fns";
+export * from "./cloudflare-workers-schemas";
+export * from "./cloudflare-workers-types";

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -21,6 +21,8 @@ export enum SecretSync {
   Flyio = "flyio",
   GitLab = "gitlab",
   CloudflarePages = "cloudflare-pages",
+  CloudflareWorkers = "cloudflare-workers",
+
   Zabbix = "zabbix",
   Railway = "railway"
 }

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -31,6 +31,7 @@ import { AZURE_KEY_VAULT_SYNC_LIST_OPTION, azureKeyVaultSyncFactory } from "./az
 import { CAMUNDA_SYNC_LIST_OPTION, camundaSyncFactory } from "./camunda";
 import { CLOUDFLARE_PAGES_SYNC_LIST_OPTION } from "./cloudflare-pages/cloudflare-pages-constants";
 import { CloudflarePagesSyncFns } from "./cloudflare-pages/cloudflare-pages-fns";
+import { CLOUDFLARE_WORKERS_SYNC_LIST_OPTION, CloudflareWorkersSyncFns } from "./cloudflare-workers";
 import { FLYIO_SYNC_LIST_OPTION, FlyioSyncFns } from "./flyio";
 import { GCP_SYNC_LIST_OPTION } from "./gcp";
 import { GcpSyncFns } from "./gcp/gcp-sync-fns";
@@ -72,6 +73,8 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION,
   [SecretSync.GitLab]: GITLAB_SYNC_LIST_OPTION,
   [SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION,
+  [SecretSync.CloudflareWorkers]: CLOUDFLARE_WORKERS_SYNC_LIST_OPTION,
+
   [SecretSync.Zabbix]: ZABBIX_SYNC_LIST_OPTION,
   [SecretSync.Railway]: RAILWAY_SYNC_LIST_OPTION
 };
@@ -241,6 +244,8 @@ export const SecretSyncFns = {
         return GitLabSyncFns.syncSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
       case SecretSync.CloudflarePages:
         return CloudflarePagesSyncFns.syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.CloudflareWorkers:
+        return CloudflareWorkersSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Zabbix:
         return ZabbixSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Railway:
@@ -337,6 +342,9 @@ export const SecretSyncFns = {
       case SecretSync.CloudflarePages:
         secretMap = await CloudflarePagesSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.CloudflareWorkers:
+        secretMap = await CloudflareWorkersSyncFns.getSecrets(secretSync);
+        break;
       case SecretSync.Zabbix:
         secretMap = await ZabbixSyncFns.getSecrets(secretSync);
         break;
@@ -420,6 +428,8 @@ export const SecretSyncFns = {
         return GitLabSyncFns.removeSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
       case SecretSync.CloudflarePages:
         return CloudflarePagesSyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.CloudflareWorkers:
+        return CloudflareWorkersSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Zabbix:
         return ZabbixSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Railway:

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -24,6 +24,8 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.Flyio]: "Fly.io",
   [SecretSync.GitLab]: "GitLab",
   [SecretSync.CloudflarePages]: "Cloudflare Pages",
+  [SecretSync.CloudflareWorkers]: "Cloudflare Workers",
+
   [SecretSync.Zabbix]: "Zabbix",
   [SecretSync.Railway]: "Railway"
 };
@@ -51,6 +53,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.Flyio]: AppConnection.Flyio,
   [SecretSync.GitLab]: AppConnection.GitLab,
   [SecretSync.CloudflarePages]: AppConnection.Cloudflare,
+  [SecretSync.CloudflareWorkers]: AppConnection.Cloudflare,
+
   [SecretSync.Zabbix]: AppConnection.Zabbix,
   [SecretSync.Railway]: AppConnection.Railway
 };
@@ -78,6 +82,8 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
   [SecretSync.Flyio]: SecretSyncPlanType.Regular,
   [SecretSync.GitLab]: SecretSyncPlanType.Regular,
   [SecretSync.CloudflarePages]: SecretSyncPlanType.Regular,
+  [SecretSync.CloudflareWorkers]: SecretSyncPlanType.Regular,
+
   [SecretSync.Zabbix]: SecretSyncPlanType.Regular,
   [SecretSync.Railway]: SecretSyncPlanType.Regular
 };

backend/src/services/secret-sync/secret-sync-types.ts

@@ -78,6 +78,12 @@ import {
   TCloudflarePagesSyncListItem,
   TCloudflarePagesSyncWithCredentials
 } from "./cloudflare-pages/cloudflare-pages-types";
+import {
+  TCloudflareWorkersSync,
+  TCloudflareWorkersSyncInput,
+  TCloudflareWorkersSyncListItem,
+  TCloudflareWorkersSyncWithCredentials
+} from "./cloudflare-workers";
 import { TFlyioSync, TFlyioSyncInput, TFlyioSyncListItem, TFlyioSyncWithCredentials } from "./flyio/flyio-sync-types";
 import { TGcpSync, TGcpSyncInput, TGcpSyncListItem, TGcpSyncWithCredentials } from "./gcp";
 import { TGitLabSync, TGitLabSyncInput, TGitLabSyncListItem, TGitLabSyncWithCredentials } from "./gitlab";
@@ -144,6 +150,7 @@ export type TSecretSync =
   | TFlyioSync
   | TGitLabSync
   | TCloudflarePagesSync
+  | TCloudflareWorkersSync
   | TZabbixSync
   | TRailwaySync;
 
@@ -170,6 +177,7 @@ export type TSecretSyncWithCredentials =
   | TFlyioSyncWithCredentials
   | TGitLabSyncWithCredentials
   | TCloudflarePagesSyncWithCredentials
+  | TCloudflareWorkersSyncWithCredentials
   | TZabbixSyncWithCredentials
   | TRailwaySyncWithCredentials;
 
@@ -196,6 +204,7 @@ export type TSecretSyncInput =
   | TFlyioSyncInput
   | TGitLabSyncInput
   | TCloudflarePagesSyncInput
+  | TCloudflareWorkersSyncInput
   | TZabbixSyncInput
   | TRailwaySyncInput;
 
@@ -222,6 +231,7 @@ export type TSecretSyncListItem =
   | TFlyioSyncListItem
   | TGitLabSyncListItem
   | TCloudflarePagesSyncListItem
+  | TCloudflareWorkersSyncListItem
   | TZabbixSyncListItem
   | TRailwaySyncListItem;
 

docs/Dockerfile

@@ -19,13 +19,17 @@ FROM node:20-alpine
 
 WORKDIR /app
 
-RUN npm install -g mint@4.2.13
+RUN addgroup -g 1001 -S mintuser && \
+    adduser -S -D -H -u 1001 -s /sbin/nologin -G mintuser mintuser && \
+    npm install -g mint@4.2.13
 
-COPY . .
+COPY --chown=mintuser:mintuser . .
 
-COPY --from=builder /root/.mintlify /root/.mintlify
-COPY --from=builder /app/docs.json /app/docs.json
-COPY --from=builder /app/spec.json /app/spec.json
+COPY --from=builder --chown=mintuser:mintuser /root/.mintlify /home/mintuser/.mintlify
+COPY --from=builder --chown=mintuser:mintuser /app/docs.json /app/docs.json
+COPY --from=builder --chown=mintuser:mintuser /app/spec.json /app/spec.json
+
+USER mintuser
 
 EXPOSE 3000
 

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/cloudflare-workers"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/cloudflare-workers/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/cloudflare-workers/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/cloudflare-workers/sync-name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/cloudflare-workers"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/remove-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/cloudflare-workers/{syncId}/remove-secrets"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/sync-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/cloudflare-workers/{syncId}/sync-secrets"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/cloudflare-workers/{syncId}"
+---

docs/docs.json

@@ -514,6 +514,7 @@
                   "integrations/secret-syncs/azure-key-vault",
                   "integrations/secret-syncs/camunda",
                   "integrations/secret-syncs/cloudflare-pages",
+                  "integrations/secret-syncs/cloudflare-workers",
                   "integrations/secret-syncs/databricks",
                   "integrations/secret-syncs/flyio",
                   "integrations/secret-syncs/gcp-secret-manager",
@@ -1720,6 +1721,19 @@
                       "api-reference/endpoints/secret-syncs/cloudflare-pages/remove-secrets"
                     ]
                   },
+                  {
+                    "group": "Cloudflare Workers",
+                    "pages": [
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/list",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/get-by-id",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/get-by-name",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/create",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/update",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/delete",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/sync-secrets",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/remove-secrets"
+                    ]
+                  },
                   {
                     "group": "Databricks",
                     "pages": [

docs/integrations/app-connections/cloudflare.mdx

@@ -35,6 +35,17 @@ Infisical supports connecting to Cloudflare using API tokens and Account ID for
             - **Account** - **Cloudflare Pages** - **Edit**
             - **Account** - **Account Settings** - **Read**
 
+            Add these permissions to your API token and click **Continue to summary**, then **Create Token** to generate your API token.
+          </Accordion>
+          <Accordion title="Cloudflare Workers">
+            Use the following permissions to grant Infisical access to sync secrets to Cloudflare Workers:
+
+            ![Configure Token](/images/app-connections/cloudflare/cloudflare-workers-configure-permissions.png)
+
+            **Required Permissions:**
+            - **Account** - **Workers Scripts** - **Edit**
+            - **Account** - **Account Settings** - **Read**
+
             Add these permissions to your API token and click **Continue to summary**, then **Create Token** to generate your API token.
           </Accordion>
         </AccordionGroup>
@@ -44,7 +55,7 @@ Infisical supports connecting to Cloudflare using API tokens and Account ID for
   </Step>
   <Step title="Save Your API Token">
     After creation, copy and securely store your API token as it will not be shown again.
-    
+
     ![Generated API Token](/images/app-connections/cloudflare/cloudflare-generated-token.png)
 
     <Warning>

docs/integrations/secret-syncs/cloudflare-workers.mdx

@@ -0,0 +1,128 @@
+---
+title: "Cloudflare Workers Sync"
+description: "Learn how to configure a Cloudflare Workers Sync for Infisical."
+---
+
+**Prerequisites:**
+
+- Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
+- Create a [Cloudflare Connection](/integrations/app-connections/cloudflare)
+
+<Tabs>
+  <Tab title="Infisical UI">
+    1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
+    ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
+
+    2. Select the **Cloudflare Workers** option.
+    ![Select Cloudflare Workers](/images/secret-syncs/cloudflare-workers/select-cloudflare-workers-option.png)
+
+    3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
+    ![Configure Source](/images/secret-syncs/cloudflare-workers/cloudflare-workers-sync-source.png)
+
+      - **Environment**: The project environment to retrieve secrets from.
+      - **Secret Path**: The folder path to retrieve secrets from.
+
+      <Tip>
+        If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
+      </Tip>
+
+    4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
+    ![Configure Destination](/images/secret-syncs/cloudflare-workers/cloudflare-workers-sync-destination.png)
+
+      - **Cloudflare Connection**: The Cloudflare Connection to authenticate with.
+      - **Cloudflare Workers Script**: Choose the Cloudflare Workers script you want to sync secrets to.
+
+    5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
+    ![Configure Options](/images/secret-syncs/cloudflare-workers/cloudflare-workers-sync-options.png)
+
+      - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
+        - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
+      - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
+      - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
+      - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
+
+    6. Configure the **Details** of your Cloudflare Workers Sync, then click **Next**.
+    ![Configure Details](/images/secret-syncs/cloudflare-workers/cloudflare-workers-sync-details.png)
+
+      - **Name**: The name of your sync. Must be slug-friendly.
+      - **Description**: An optional description for your sync.
+
+    7. Review your Cloudflare Workers Sync configuration, then click **Create Sync**.
+    ![Confirm Configuration](/images/secret-syncs/cloudflare-workers/cloudflare-workers-sync-review.png)
+
+    8. If enabled, your Cloudflare Workers Sync will begin syncing your secrets to the destination endpoint.
+    ![Sync Secrets](/images/secret-syncs/cloudflare-workers/cloudflare-workers-sync-created.png)
+
+  </Tab>
+  <Tab title="API">
+    To create a **Cloudflare Workers Sync**, make an API request to the [Create Cloudflare Workers Sync](/api-reference/endpoints/secret-syncs/cloudflare-workers/create) API endpoint.
+
+    ### Sample request
+
+    ```bash Request
+    curl --request POST \
+      --url https://app.infisical.com/api/v1/secret-syncs/cloudflare-workers \
+      --header 'Content-Type: application/json' \
+      --data '{
+        "name": "my-cloudflare-workers-sync",
+        "projectId": "your-project-id",
+        "description": "an example sync",
+        "connectionId": "your-cloudflare-connection-id",
+        "environment": "production",
+        "secretPath": "/my-secrets",
+        "isEnabled": true,
+        "syncOptions": {
+          "initialSyncBehavior": "overwrite-destination"
+        },
+        "destinationConfig": {
+          "scriptId": "my-workers-script"
+        }
+      }'
+    ```
+
+    ### Sample response
+
+    ```bash Response
+    {
+      "secretSync": {
+        "id": "your-sync-id",
+        "name": "my-cloudflare-workers-sync",
+        "description": "an example sync",
+        "isEnabled": true,
+        "version": 1,
+        "folderId": "your-folder-id",
+        "connectionId": "your-cloudflare-connection-id",
+        "createdAt": "2024-05-01T12:00:00Z",
+        "updatedAt": "2024-05-01T12:00:00Z",
+        "syncStatus": "succeeded",
+        "lastSyncJobId": "123",
+        "lastSyncMessage": null,
+        "lastSyncedAt": "2024-05-01T12:00:00Z",
+        "syncOptions": {
+          "initialSyncBehavior": "overwrite-destination"
+        },
+        "projectId": "your-project-id",
+        "connection": {
+          "app": "cloudflare",
+          "name": "my-cloudflare-connection",
+          "id": "your-cloudflare-connection-id"
+        },
+        "environment": {
+          "slug": "production",
+          "name": "Production",
+          "id": "your-env-id"
+        },
+        "folder": {
+          "id": "your-folder-id",
+          "path": "/my-secrets"
+        },
+        "destination": "cloudflare-workers",
+        "destinationConfig": {
+          "scriptId": "my-workers-script"
+        }
+      }
+    }
+    ```
+
+  </Tab>
+</Tabs>

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflarePagesSyncFields.tsx

@@ -4,7 +4,7 @@ import { SingleValue } from "react-select";
 import { SecretSyncConnectionField } from "@app/components/secret-syncs/forms/SecretSyncConnectionField";
 import { FilterableSelect, FormControl, Select, SelectItem } from "@app/components/v2";
 import {
-  TCloudflareProject,
+  TCloudflarePagesProject,
   useCloudflareConnectionListPagesProjects
 } from "@app/hooks/api/appConnections/cloudflare";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
@@ -52,7 +52,7 @@ export const CloudflarePagesSyncFields = () => {
               isDisabled={!connectionId}
               value={projects ? (projects.find((project) => project.name === value) ?? []) : []}
               onChange={(option) => {
-                onChange((option as SingleValue<TCloudflareProject>)?.name ?? null);
+                onChange((option as SingleValue<TCloudflarePagesProject>)?.name ?? null);
               }}
               options={projects}
               placeholder="Select a project..."

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflareWorkersSyncFields.tsx

@@ -0,0 +1,59 @@
+import { Controller, useFormContext, useWatch } from "react-hook-form";
+import { SingleValue } from "react-select";
+
+import { SecretSyncConnectionField } from "@app/components/secret-syncs/forms/SecretSyncConnectionField";
+import { FilterableSelect, FormControl } from "@app/components/v2";
+import {
+  TCloudflareWorkersScript,
+  useCloudflareConnectionListWorkersScripts
+} from "@app/hooks/api/appConnections/cloudflare";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+import { TSecretSyncForm } from "../schemas";
+
+export const CloudflareWorkersSyncFields = () => {
+  const { control, setValue } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.CloudflareWorkers }
+  >();
+
+  const connectionId = useWatch({ name: "connection.id", control });
+
+  const { data: scripts = [], isPending: isScriptsPending } =
+    useCloudflareConnectionListWorkersScripts(connectionId, {
+      enabled: Boolean(connectionId)
+    });
+
+  return (
+    <>
+      <SecretSyncConnectionField
+        onChange={() => {
+          setValue("destinationConfig.scriptId", "");
+        }}
+      />
+      <Controller
+        name="destinationConfig.scriptId"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            errorText={error?.message}
+            isError={Boolean(error?.message)}
+            label="Worker Script"
+          >
+            <FilterableSelect
+              isLoading={isScriptsPending && Boolean(connectionId)}
+              isDisabled={!connectionId}
+              value={scripts?.find((script) => script.id === value) || []}
+              onChange={(option) => {
+                onChange((option as SingleValue<TCloudflareWorkersScript>)?.id ?? null);
+              }}
+              options={scripts}
+              placeholder="Select a worker script..."
+              getOptionLabel={(option) => option.id}
+              getOptionValue={(option) => option.id}
+            />
+          </FormControl>
+        )}
+      />
+    </>
+  );
+};

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/SecretSyncDestinationFields.tsx

@@ -11,6 +11,7 @@ import { AzureDevOpsSyncFields } from "./AzureDevOpsSyncFields";
 import { AzureKeyVaultSyncFields } from "./AzureKeyVaultSyncFields";
 import { CamundaSyncFields } from "./CamundaSyncFields";
 import { CloudflarePagesSyncFields } from "./CloudflarePagesSyncFields";
+import { CloudflareWorkersSyncFields } from "./CloudflareWorkersSyncFields";
 import { DatabricksSyncFields } from "./DatabricksSyncFields";
 import { FlyioSyncFields } from "./FlyioSyncFields";
 import { GcpSyncFields } from "./GcpSyncFields";
@@ -78,6 +79,8 @@ export const SecretSyncDestinationFields = () => {
       return <GitLabSyncFields />;
     case SecretSync.CloudflarePages:
       return <CloudflarePagesSyncFields />;
+    case SecretSync.CloudflareWorkers:
+      return <CloudflareWorkersSyncFields />;
     case SecretSync.Zabbix:
       return <ZabbixSyncFields />;
     case SecretSync.Railway:

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx

@@ -58,6 +58,7 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
     case SecretSync.Flyio:
     case SecretSync.GitLab:
     case SecretSync.CloudflarePages:
+    case SecretSync.CloudflareWorkers:
     case SecretSync.Zabbix:
     case SecretSync.Railway:
       AdditionalSyncOptionsFieldsComponent = null;

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/CloudflareWorkersReviewFields.tsx

@@ -0,0 +1,14 @@
+import { useFormContext } from "react-hook-form";
+
+import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
+import { GenericFieldLabel } from "@app/components/v2";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+export const CloudflareWorkersSyncReviewFields = () => {
+  const { watch } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.CloudflareWorkers }
+  >();
+  const scriptId = watch("destinationConfig.scriptId");
+
+  return <GenericFieldLabel label="Script">{scriptId}</GenericFieldLabel>;
+};

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx

@@ -20,6 +20,7 @@ import { AzureDevOpsSyncReviewFields } from "./AzureDevOpsSyncReviewFields";
 import { AzureKeyVaultSyncReviewFields } from "./AzureKeyVaultSyncReviewFields";
 import { CamundaSyncReviewFields } from "./CamundaSyncReviewFields";
 import { CloudflarePagesSyncReviewFields } from "./CloudflarePagesReviewFields";
+import { CloudflareWorkersSyncReviewFields } from "./CloudflareWorkersReviewFields";
 import { DatabricksSyncReviewFields } from "./DatabricksSyncReviewFields";
 import { FlyioSyncReviewFields } from "./FlyioSyncReviewFields";
 import { GcpSyncReviewFields } from "./GcpSyncReviewFields";
@@ -126,6 +127,9 @@ export const SecretSyncReviewFields = () => {
     case SecretSync.CloudflarePages:
       DestinationFieldsComponent = <CloudflarePagesSyncReviewFields />;
       break;
+    case SecretSync.CloudflareWorkers:
+      DestinationFieldsComponent = <CloudflareWorkersSyncReviewFields />;
+      break;
     case SecretSync.Zabbix:
       DestinationFieldsComponent = <ZabbixSyncReviewFields />;
       break;

frontend/src/components/secret-syncs/forms/schemas/cloudflare-workers-sync-destination-schema.ts

@@ -0,0 +1,18 @@
+import { z } from "zod";
+
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+export const CloudflareWorkersSyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.CloudflareWorkers),
+    destinationConfig: z.object({
+      scriptId: z
+        .string()
+        .trim()
+        .min(1, "Script ID is required")
+        .max(64)
+        .regex(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/, "Invalid script ID format")
+    })
+  })
+);

frontend/src/components/secret-syncs/forms/schemas/secret-sync-schema.ts

@@ -8,6 +8,7 @@ import { AzureDevOpsSyncDestinationSchema } from "./azure-devops-sync-destinatio
 import { AzureKeyVaultSyncDestinationSchema } from "./azure-key-vault-sync-destination-schema";
 import { CamundaSyncDestinationSchema } from "./camunda-sync-destination-schema";
 import { CloudflarePagesSyncDestinationSchema } from "./cloudflare-pages-sync-destination-schema";
+import { CloudflareWorkersSyncDestinationSchema } from "./cloudflare-workers-sync-destination-schema";
 import { DatabricksSyncDestinationSchema } from "./databricks-sync-destination-schema";
 import { FlyioSyncDestinationSchema } from "./flyio-sync-destination-schema";
 import { GcpSyncDestinationSchema } from "./gcp-sync-destination-schema";
@@ -48,6 +49,8 @@ const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   FlyioSyncDestinationSchema,
   GitlabSyncDestinationSchema,
   CloudflarePagesSyncDestinationSchema,
+  CloudflareWorkersSyncDestinationSchema,
+
   ZabbixSyncDestinationSchema,
   RailwaySyncDestinationSchema
 ]);

frontend/src/helpers/secretSyncs.ts

@@ -82,6 +82,10 @@ export const SECRET_SYNC_MAP: Record<SecretSync, { name: string; image: string }
     name: "Cloudflare Pages",
     image: "Cloudflare.png"
   },
+  [SecretSync.CloudflareWorkers]: {
+    name: "Cloudflare Workers",
+    image: "Cloudflare.png"
+  },
   [SecretSync.Zabbix]: {
     name: "Zabbix",
     image: "Zabbix.png"
@@ -115,6 +119,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.Flyio]: AppConnection.Flyio,
   [SecretSync.GitLab]: AppConnection.Gitlab,
   [SecretSync.CloudflarePages]: AppConnection.Cloudflare,
+  [SecretSync.CloudflareWorkers]: AppConnection.Cloudflare,
+
   [SecretSync.Zabbix]: AppConnection.Zabbix,
   [SecretSync.Railway]: AppConnection.Railway
 };

frontend/src/hooks/api/appConnections/cloudflare/queries.tsx

@@ -3,21 +3,23 @@ import { useQuery, UseQueryOptions } from "@tanstack/react-query";
 import { apiRequest } from "@app/config/request";
 
 import { appConnectionKeys } from "../queries";
-import { TCloudflareProject } from "./types";
+import { TCloudflarePagesProject, TCloudflareWorkersScript } from "./types";
 
 const cloudflareConnectionKeys = {
   all: [...appConnectionKeys.all, "cloudflare"] as const,
   listPagesProjects: (connectionId: string) =>
-    [...cloudflareConnectionKeys.all, "pages-projects", connectionId] as const
+    [...cloudflareConnectionKeys.all, "pages-projects", connectionId] as const,
+  listWorkersScripts: (connectionId: string) =>
+    [...cloudflareConnectionKeys.all, "workers-scripts", connectionId] as const
 };
 
 export const useCloudflareConnectionListPagesProjects = (
   connectionId: string,
   options?: Omit<
     UseQueryOptions<
-      TCloudflareProject[],
+      TCloudflarePagesProject[],
       unknown,
-      TCloudflareProject[],
+      TCloudflarePagesProject[],
       ReturnType<typeof cloudflareConnectionKeys.listPagesProjects>
     >,
     "queryKey" | "queryFn"
@@ -26,7 +28,7 @@ export const useCloudflareConnectionListPagesProjects = (
   return useQuery({
     queryKey: cloudflareConnectionKeys.listPagesProjects(connectionId),
     queryFn: async () => {
-      const { data } = await apiRequest.get<TCloudflareProject[]>(
+      const { data } = await apiRequest.get<TCloudflarePagesProject[]>(
         `/api/v1/app-connections/cloudflare/${connectionId}/cloudflare-pages-projects`
       );
 
@@ -35,3 +37,28 @@ export const useCloudflareConnectionListPagesProjects = (
     ...options
   });
 };
+
+export const useCloudflareConnectionListWorkersScripts = (
+  connectionId: string,
+  options?: Omit<
+    UseQueryOptions<
+      TCloudflareWorkersScript[],
+      unknown,
+      TCloudflareWorkersScript[],
+      ReturnType<typeof cloudflareConnectionKeys.listWorkersScripts>
+    >,
+    "queryKey" | "queryFn"
+  >
+) => {
+  return useQuery({
+    queryKey: cloudflareConnectionKeys.listWorkersScripts(connectionId),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TCloudflareWorkersScript[]>(
+        `/api/v1/app-connections/cloudflare/${connectionId}/cloudflare-workers-scripts`
+      );
+
+      return data;
+    },
+    ...options
+  });
+};

frontend/src/hooks/api/appConnections/cloudflare/types.ts

@@ -1,4 +1,8 @@
-export type TCloudflareProject = {
+export type TCloudflarePagesProject = {
   id: string;
   name: string;
 };
+
+export type TCloudflareWorkersScript = {
+  id: string;
+};

frontend/src/hooks/api/secretSyncs/enums.ts

@@ -21,6 +21,8 @@ export enum SecretSync {
   Flyio = "flyio",
   GitLab = "gitlab",
   CloudflarePages = "cloudflare-pages",
+  CloudflareWorkers = "cloudflare-workers",
+
   Zabbix = "zabbix",
   Railway = "railway"
 }

frontend/src/hooks/api/secretSyncs/types/cloudflare-workers-sync.ts

@@ -0,0 +1,15 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+import { TRootSecretSync } from "@app/hooks/api/secretSyncs/types/root-sync";
+
+export type TCloudflareWorkersSync = TRootSecretSync & {
+  destination: SecretSync.CloudflareWorkers;
+  destinationConfig: {
+    scriptId: string;
+  };
+  connection: {
+    app: AppConnection.Cloudflare;
+    name: string;
+    id: string;
+  };
+};

frontend/src/hooks/api/secretSyncs/types/index.ts

@@ -10,6 +10,7 @@ import { TAzureDevOpsSync } from "./azure-devops-sync";
 import { TAzureKeyVaultSync } from "./azure-key-vault-sync";
 import { TCamundaSync } from "./camunda-sync";
 import { TCloudflarePagesSync } from "./cloudflare-pages-sync";
+import { TCloudflareWorkersSync } from "./cloudflare-workers-sync";
 import { TDatabricksSync } from "./databricks-sync";
 import { TFlyioSync } from "./flyio-sync";
 import { TGcpSync } from "./gcp-sync";
@@ -56,6 +57,7 @@ export type TSecretSync =
   | TFlyioSync
   | TGitLabSync
   | TCloudflarePagesSync
+  | TCloudflareWorkersSync
   | TZabbixSync
   | TRailwaySync;
 

frontend/src/pages/admin/IntegrationsPage/components/GitHubAppConnectionForm.tsx

@@ -1,222 +0,0 @@
-import { useEffect } from "react";
-import { Controller, useForm } from "react-hook-form";
-import { FaGithub } from "react-icons/fa";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { z } from "zod";
-
-import { createNotification } from "@app/components/notifications";
-import {
-  Accordion,
-  AccordionContent,
-  AccordionItem,
-  AccordionTrigger,
-  Button,
-  FormControl,
-  Input,
-  TextArea
-} from "@app/components/v2";
-import { useToggle } from "@app/hooks";
-import { useUpdateServerConfig } from "@app/hooks/api";
-import { AdminIntegrationsConfig } from "@app/hooks/api/admin/types";
-
-const gitHubAppFormSchema = z.object({
-  clientId: z.string(),
-  clientSecret: z.string(),
-  appSlug: z.string(),
-  appId: z.string(),
-  privateKey: z.string()
-});
-
-type TGitHubAppConnectionForm = z.infer<typeof gitHubAppFormSchema>;
-
-type Props = {
-  adminIntegrationsConfig?: AdminIntegrationsConfig;
-};
-
-export const GitHubAppConnectionForm = ({ adminIntegrationsConfig }: Props) => {
-  const { mutateAsync: updateAdminServerConfig } = useUpdateServerConfig();
-  const [isGitHubAppClientSecretFocused, setIsGitHubAppClientSecretFocused] = useToggle();
-  const {
-    control,
-    handleSubmit,
-    setValue,
-    formState: { isSubmitting, isDirty }
-  } = useForm<TGitHubAppConnectionForm>({
-    resolver: zodResolver(gitHubAppFormSchema)
-  });
-
-  const onSubmit = async (data: TGitHubAppConnectionForm) => {
-    await updateAdminServerConfig({
-      gitHubAppConnectionClientId: data.clientId,
-      gitHubAppConnectionClientSecret: data.clientSecret,
-      gitHubAppConnectionSlug: data.appSlug,
-      gitHubAppConnectionId: data.appId,
-      gitHubAppConnectionPrivateKey: data.privateKey
-    });
-
-    createNotification({
-      text: "Updated GitHub app connection configuration. It can take up to 5 minutes to take effect.",
-      type: "success"
-    });
-  };
-
-  useEffect(() => {
-    if (adminIntegrationsConfig) {
-      setValue("clientId", adminIntegrationsConfig.gitHubAppConnection.clientId);
-      setValue("clientSecret", adminIntegrationsConfig.gitHubAppConnection.clientSecret);
-      setValue("appSlug", adminIntegrationsConfig.gitHubAppConnection.appSlug);
-      setValue("appId", adminIntegrationsConfig.gitHubAppConnection.appId);
-      setValue("privateKey", adminIntegrationsConfig.gitHubAppConnection.privateKey);
-    }
-  }, [adminIntegrationsConfig]);
-
-  return (
-    <form onSubmit={handleSubmit(onSubmit)}>
-      <Accordion type="single" collapsible className="w-full">
-        <AccordionItem value="github-app-integration" className="data-[state=open]:border-none">
-          <AccordionTrigger className="flex h-fit w-full justify-start rounded-md border border-mineshaft-500 bg-mineshaft-700 px-4 py-6 text-sm transition-colors data-[state=open]:rounded-b-none">
-            <div className="text-md group order-1 ml-3 flex items-center gap-2">
-              <FaGithub className="text-lg group-hover:text-primary-400" />
-              <div className="text-[15px] font-semibold">GitHub App</div>
-            </div>
-          </AccordionTrigger>
-          <AccordionContent childrenClassName="px-0 py-0">
-            <div className="flex w-full flex-col justify-start rounded-md rounded-t-none border border-t-0 border-mineshaft-500 bg-mineshaft-700 px-4 py-4">
-              <div className="mb-2 max-w-lg text-sm text-mineshaft-300">
-                Step 1: Create and configure GitHub App. Please refer to the documentation below for
-                more information.
-              </div>
-              <div className="mb-6">
-                <a
-                  href="https://infisical.com/docs/integrations/app-connections/github#self-hosted-instance"
-                  target="_blank"
-                  rel="noopener noreferrer"
-                >
-                  <Button colorSchema="secondary">Documentation</Button>
-                </a>
-              </div>
-              <div className="mb-4 max-w-lg text-sm text-mineshaft-300">
-                Step 2: Configure your instance-wide settings to enable GitHub App connections. Copy
-                the credentials from your GitHub App&apos;s settings page.
-              </div>
-              <Controller
-                control={control}
-                name="clientId"
-                render={({ field, fieldState: { error } }) => (
-                  <FormControl
-                    label="Client ID"
-                    className="w-96"
-                    isError={Boolean(error)}
-                    errorText={error?.message}
-                  >
-                    <Input
-                      {...field}
-                      value={field.value || ""}
-                      type="text"
-                      onChange={(e) => field.onChange(e.target.value)}
-                    />
-                  </FormControl>
-                )}
-              />
-              <Controller
-                control={control}
-                name="clientSecret"
-                render={({ field, fieldState: { error } }) => (
-                  <FormControl
-                    label="Client Secret"
-                    tooltipText="You can find your Client Secret in the GitHub App's settings under 'Client secrets'."
-                    className="w-96"
-                    isError={Boolean(error)}
-                    errorText={error?.message}
-                  >
-                    <Input
-                      {...field}
-                      value={field.value || ""}
-                      type={isGitHubAppClientSecretFocused ? "text" : "password"}
-                      onFocus={() => setIsGitHubAppClientSecretFocused.on()}
-                      onBlur={() => setIsGitHubAppClientSecretFocused.off()}
-                      onChange={(e) => field.onChange(e.target.value)}
-                    />
-                  </FormControl>
-                )}
-              />
-
-              <Controller
-                control={control}
-                name="appSlug"
-                render={({ field, fieldState: { error } }) => (
-                  <FormControl
-                    label="App Slug"
-                    tooltipText="The GitHub App slug from the app's URL (e.g., 'my-app' from github.com/apps/my-app)."
-                    className="w-96"
-                    isError={Boolean(error)}
-                    errorText={error?.message}
-                  >
-                    <Input
-                      {...field}
-                      value={field.value || ""}
-                      type="text"
-                      onChange={(e) => field.onChange(e.target.value)}
-                    />
-                  </FormControl>
-                )}
-              />
-
-              <Controller
-                control={control}
-                name="appId"
-                render={({ field, fieldState: { error } }) => (
-                  <FormControl
-                    label="App ID"
-                    tooltipText="The numeric App ID found in your GitHub App's settings."
-                    className="w-96"
-                    isError={Boolean(error)}
-                    errorText={error?.message}
-                  >
-                    <Input
-                      {...field}
-                      value={field.value || ""}
-                      type="text"
-                      onChange={(e) => field.onChange(e.target.value)}
-                    />
-                  </FormControl>
-                )}
-              />
-
-              <Controller
-                control={control}
-                name="privateKey"
-                render={({ field, fieldState: { error } }) => (
-                  <FormControl
-                    label="Private Key"
-                    tooltipText="The private key generated for your GitHub App (PEM format)."
-                    className="w-96"
-                    isError={Boolean(error)}
-                    errorText={error?.message}
-                  >
-                    <TextArea
-                      {...field}
-                      value={field.value || ""}
-                      className="min-h-32"
-                      onChange={(e) => field.onChange(e.target.value)}
-                    />
-                  </FormControl>
-                )}
-              />
-              <div>
-                <Button
-                  className="mt-2"
-                  type="submit"
-                  isLoading={isSubmitting}
-                  isDisabled={isSubmitting || !isDirty}
-                >
-                  Save
-                </Button>
-              </div>
-            </div>
-          </AccordionContent>
-        </AccordionItem>
-      </Accordion>
-    </form>
-  );
-};

frontend/src/pages/admin/IntegrationsPage/components/IntegrationsPageForm.tsx

@@ -5,23 +5,17 @@ import { ROUTE_PATHS } from "@app/const/routes";
 import { useGetAdminIntegrationsConfig } from "@app/hooks/api";
 import { AdminIntegrationsConfig } from "@app/hooks/api/admin/types";
 
-import { GitHubAppConnectionForm } from "./GitHubAppConnectionForm";
 import { MicrosoftTeamsIntegrationForm } from "./MicrosoftTeamsIntegrationForm";
 import { SlackIntegrationForm } from "./SlackIntegrationForm";
 
 enum IntegrationTabSections {
-  Workflow = "workflow",
-  AppConnections = "app-connections"
+  Workflow = "workflow"
 }
 
 interface WorkflowTabProps {
   adminIntegrationsConfig: AdminIntegrationsConfig;
 }
 
-interface AppConnectionsTabProps {
-  adminIntegrationsConfig: AdminIntegrationsConfig;
-}
-
 const WorkflowTab = ({ adminIntegrationsConfig }: WorkflowTabProps) => (
   <div className="flex flex-col gap-2">
     <SlackIntegrationForm adminIntegrationsConfig={adminIntegrationsConfig} />
@@ -29,12 +23,6 @@ const WorkflowTab = ({ adminIntegrationsConfig }: WorkflowTabProps) => (
   </div>
 );
 
-const AppConnectionsTab = ({ adminIntegrationsConfig }: AppConnectionsTabProps) => (
-  <div className="flex flex-col gap-2">
-    <GitHubAppConnectionForm adminIntegrationsConfig={adminIntegrationsConfig} />
-  </div>
-);
-
 export const IntegrationsPageForm = () => {
   const { data: adminIntegrationsConfig } = useGetAdminIntegrationsConfig();
 
@@ -59,11 +47,6 @@ export const IntegrationsPageForm = () => {
       key: IntegrationTabSections.Workflow,
       label: "Workflows",
       component: WorkflowTab
-    },
-    {
-      key: IntegrationTabSections.AppConnections,
-      label: "App Connections",
-      component: AppConnectionsTab
     }
   ];
 

frontend/src/pages/secret-manager/CommitDetailsPage/components/CommitDetailsTab/CommitDetailsTab.tsx

@@ -1,5 +1,5 @@
 import { useEffect, useState } from "react";
-import { faAngleDown } from "@fortawesome/free-solid-svg-icons";
+import { faAngleDown, faCodeCommit, faWarning } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { DropdownMenuItem } from "@radix-ui/react-dropdown-menu";
 import { useSearch } from "@tanstack/react-router";
@@ -7,12 +7,14 @@ import { useSearch } from "@tanstack/react-router";
 import { createNotification } from "@app/components/notifications";
 import { ProjectPermissionCan } from "@app/components/permissions";
 import {
+  Button,
+  ContentLoader,
   DeleteActionModal,
   DropdownMenu,
   DropdownMenuContent,
   DropdownMenuTrigger,
-  IconButton,
-  Spinner
+  EmptyState,
+  PageHeader
 } from "@app/components/v2";
 import { ROUTE_PATHS } from "@app/const/routes";
 import {
@@ -108,25 +110,25 @@ export const CommitDetailsTab = ({
   // If no commit is selected or data is loading, show appropriate message
   if (!selectedCommitId) {
     return (
-      <div className="flex h-64 items-center justify-center">
-        <p className="text-gray-400">Select a commit to view details</p>
-      </div>
+      <EmptyState className="mt-40" title="Select a commit to view details." icon={faCodeCommit}>
+        <Button className="mt-4" colorSchema="secondary" onClick={() => goBackToHistory()}>
+          Back to Commits
+        </Button>
+      </EmptyState>
     );
   }
 
   if (isLoading) {
-    return (
-      <div className="flex h-64 items-center justify-center">
-        <Spinner size="lg" />
-      </div>
-    );
+    return <ContentLoader />;
   }
 
   if (!commitDetails) {
     return (
-      <div className="flex h-64 items-center justify-center">
-        <p className="text-gray-400">No details found for this commit</p>
-      </div>
+      <EmptyState className="mt-40" title="No details found for this commit." icon={faCodeCommit}>
+        <Button className="mt-4" colorSchema="secondary" onClick={() => goBackToHistory()}>
+          Back to Commits
+        </Button>
+      </EmptyState>
     );
   }
 
@@ -138,9 +140,11 @@ export const CommitDetailsTab = ({
   } catch (error) {
     console.error("Failed to parse commit details:", error);
     return (
-      <div className="flex h-64 items-center justify-center">
-        <p className="text-gray-400">Error parsing commit details</p>
-      </div>
+      <EmptyState className="mt-40" title="Error parsing commit details." icon={faWarning}>
+        <Button className="mt-4" colorSchema="secondary" onClick={() => goBackToHistory()}>
+          Back to Commits
+        </Button>
+      </EmptyState>
     );
   }
 
@@ -223,13 +227,12 @@ export const CommitDetailsTab = ({
   // Render an item from the merged list
   const renderMergedItem = (item: MergedItem): JSX.Element => {
     return (
-      <div key={item.id} className="mb-2">
-        <SecretVersionDiffView
-          item={item}
-          isCollapsed={collapsedItems[item.id]}
-          onToggleCollapse={(id) => toggleItemCollapsed(id)}
-        />
-      </div>
+      <SecretVersionDiffView
+        key={item.id}
+        item={item}
+        isCollapsed={collapsedItems[item.id]}
+        onToggleCollapse={(id) => toggleItemCollapsed(id)}
+      />
     );
   };
 
@@ -240,114 +243,94 @@ export const CommitDetailsTab = ({
     "Unknown";
 
   return (
-    <div className="w-full">
-      <div>
-        <div className="flex justify-between pb-2">
-          <div className="w-5/6">
-            <div>
-              <div className="flex items-center">
-                <h1 className="mr-4 truncate text-3xl font-semibold text-white">
-                  {parsedCommitDetails.changes?.message || "No message"}
-                </h1>
-              </div>
-            </div>
-            <div className="font-small mb-4 mt-2 flex items-center text-sm">
-              <p>
-                <span> Commited by </span>
-                <b>{actorDisplay}</b>
-                <span> on </span>
-                <b>
-                  {formatDisplayDate(
-                    parsedCommitDetails.changes?.createdAt || new Date().toISOString()
-                  )}
-                </b>
-                {parsedCommitDetails.changes?.isLatest && (
-                  <span className="ml-1 italic text-gray-400">(Latest)</span>
-                )}
-              </p>
-            </div>
-          </div>
-          <div className="flex items-center justify-start">
-            <ProjectPermissionCan
-              I={ProjectPermissionCommitsActions.PerformRollback}
-              a={ProjectPermissionSub.Commits}
-            >
-              {(isAllowed) => (
-                <DropdownMenu>
-                  <DropdownMenuTrigger
-                    asChild
-                    disabled={!isAllowed}
-                    className={`${!isAllowed ? "cursor-not-allowed" : ""}`}
+    <>
+      <PageHeader
+        title={`${parsedCommitDetails.changes?.message}` || "No message"}
+        description={
+          <>
+            Commited by {actorDisplay} on{" "}
+            {formatDisplayDate(parsedCommitDetails.changes?.createdAt || new Date().toISOString())}
+            {parsedCommitDetails.changes?.isLatest && (
+              <span className="ml-1 text-mineshaft-400">(Latest)</span>
+            )}
+          </>
+        }
+      >
+        <ProjectPermissionCan
+          I={ProjectPermissionCommitsActions.PerformRollback}
+          a={ProjectPermissionSub.Commits}
+        >
+          {(isAllowed) => (
+            <DropdownMenu>
+              <DropdownMenuTrigger
+                asChild
+                disabled={!isAllowed}
+                className={`${!isAllowed ? "cursor-not-allowed" : ""}`}
+              >
+                <Button
+                  rightIcon={<FontAwesomeIcon className="ml-2" icon={faAngleDown} />}
+                  variant="solid"
+                  className="h-min"
+                  colorSchema="secondary"
+                >
+                  Restore Options
+                </Button>
+              </DropdownMenuTrigger>
+              <DropdownMenuContent align="end" sideOffset={2}>
+                {!parsedCommitDetails.changes.isLatest && (
+                  <DropdownMenuItem
+                    className="group cursor-pointer rounded-md px-3 py-3 transition-colors hover:bg-mineshaft-700"
+                    onClick={() => goToRollbackPreview()}
                   >
-                    <IconButton
-                      ariaLabel="commit-options"
-                      variant="outline_bg"
-                      className="h-10 rounded border border-mineshaft-600 bg-mineshaft-800 px-4 py-2 text-sm font-medium"
-                    >
-                      <p className="mr-2">Restore Options</p>
-                      <FontAwesomeIcon icon={faAngleDown} />
-                    </IconButton>
-                  </DropdownMenuTrigger>
-                  <DropdownMenuContent
-                    align="end"
-                    sideOffset={2}
-                    className="animate-in fade-in-50 zoom-in-95 min-w-[240px] rounded-md bg-mineshaft-800 p-1 shadow-lg"
-                    style={{ marginTop: "0" }}
-                  >
-                    {!parsedCommitDetails.changes.isLatest && (
-                      <DropdownMenuItem
-                        className="group cursor-pointer rounded-md px-3 py-3 transition-colors hover:bg-mineshaft-700"
-                        onClick={() => goToRollbackPreview()}
-                      >
-                        <div className="flex items-center space-x-3">
-                          <div className="flex flex-col">
-                            <span className="text-sm font-medium text-white">
-                              Roll back to this commit
-                            </span>
-                            <span className="max-w-[180px] whitespace-normal break-words text-xs leading-snug text-gray-400">
-                              Return this folder to its exact state at the time of this commit,
-                              discarding all other changes made after it
-                            </span>
-                          </div>
-                        </div>
-                      </DropdownMenuItem>
-                    )}
-
-                    <DropdownMenuItem
-                      className="group cursor-pointer rounded-md px-3 py-3 transition-colors hover:bg-mineshaft-700"
-                      onClick={() => handlePopUpOpen("revertChanges")}
-                    >
-                      <div className="flex items-center space-x-3">
-                        <div className="flex flex-col">
-                          <span className="text-sm font-medium text-white">Revert changes</span>
-                          <span className="max-w-[180px] whitespace-normal break-words text-xs leading-snug text-gray-400">
-                            Will restore to the previous version of affected resources
-                          </span>
-                        </div>
+                    <div className="flex items-center space-x-3">
+                      <div className="flex flex-col">
+                        <span className="text-sm font-medium text-white">
+                          Roll back to this commit
+                        </span>
+                        <span className="whitespace-normal break-words text-xs leading-snug text-gray-400">
+                          Return this folder to its exact state at the time of this commit,
+                          discarding all other changes made after it
+                        </span>
                       </div>
-                    </DropdownMenuItem>
-                  </DropdownMenuContent>
-                </DropdownMenu>
-              )}
-            </ProjectPermissionCan>
-          </div>
+                    </div>
+                  </DropdownMenuItem>
+                )}
+                <DropdownMenuItem
+                  className="group cursor-pointer rounded-md px-3 py-3 transition-colors hover:bg-mineshaft-700"
+                  onClick={() => handlePopUpOpen("revertChanges")}
+                >
+                  <div className="flex items-center space-x-3">
+                    <div className="flex flex-col">
+                      <span className="text-sm font-medium text-white">Revert changes</span>
+                      <span className="whitespace-normal break-words text-xs leading-snug text-gray-400">
+                        Will restore to the previous version of affected resources
+                      </span>
+                    </div>
+                  </div>
+                </DropdownMenuItem>
+              </DropdownMenuContent>
+            </DropdownMenu>
+          )}
+        </ProjectPermissionCan>
+      </PageHeader>
+      <div className="flex w-full flex-col rounded-lg border border-mineshaft-600 bg-mineshaft-900 pt-4">
+        <div className="mx-4 flex items-center justify-between border-b border-mineshaft-400 pb-4">
+          <h3 className="text-lg font-semibold text-mineshaft-100">Commit Changes</h3>
         </div>
-
-        <div className="py-2">
-          <div className="overflow-hidden">
-            <div className="space-y-2">
-              {sortedChangedItems.length > 0 ? (
-                sortedChangedItems.map((item) => renderMergedItem(item))
-              ) : (
-                <div className="flex h-32 items-center justify-center rounded-lg border border-mineshaft-600 bg-mineshaft-800">
-                  <p className="text-gray-400">No changed items found</p>
-                </div>
-              )}
-            </div>
+        <div className="flex flex-col overflow-hidden pl-4 pr-1">
+          <div className="thin-scrollbar overflow-y-scroll py-4">
+            {sortedChangedItems.length > 0 ? (
+              sortedChangedItems.map((item) => renderMergedItem(item))
+            ) : (
+              <EmptyState
+                title="No changes found."
+                className="h-full pb-0 pt-28"
+                icon={faCodeCommit}
+              />
+            )}
           </div>
         </div>
       </div>
-
       <DeleteActionModal
         isOpen={popUp.revertChanges.isOpen}
         deleteKey="revert"
@@ -357,6 +340,6 @@ export const CommitDetailsTab = ({
         onDeleteApproved={handleRevertChanges}
         buttonText="Yes, revert changes"
       />
-    </div>
+    </>
   );
 };

frontend/src/pages/secret-manager/CommitDetailsPage/components/SecretVersionDiffView/SecretVersionDiffView.tsx

@@ -225,15 +225,17 @@ const renderJsonWithDiffs = (
 
   const getLineClass = (different: boolean) => {
     if (!different) return "flex";
-    return isOldVersion ? "flex bg-red-950 text-red-300" : "flex bg-green-950 text-green-300";
+    return isOldVersion
+      ? "flex bg-red-500/50 rounded-sm text-red-300"
+      : "flex bg-green-500/50 rounded-sm text-green-300";
   };
 
-  const getHighlightClass = (different: boolean) => {
-    if (!different) return "";
-    return isOldVersion ? "bg-red-900 rounded px-1" : "bg-green-900 rounded px-1";
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const getHighlightClass = (_different: boolean) => {
+    return "";
   };
 
-  const prefix = isDifferent ? (isOldVersion ? "-" : "+") : " ";
+  const prefix = isDifferent ? (isOldVersion ? " -" : " +") : " ";
   const keyDisplay = keyName ? `"${keyName}": ` : "";
   const comma = !isLastItem ? "," : "";
 
@@ -320,7 +322,7 @@ const renderJsonWithDiffs = (
       <div key={reactKey}>
         <div className={getLineClass(isContainerAddedOrRemoved)}>
           <div className="w-4 flex-shrink-0">
-            {isContainerAddedOrRemoved ? (isOldVersion ? "-" : "+") : " "}
+            {isContainerAddedOrRemoved ? (isOldVersion ? " -" : " +") : " "}
           </div>
           <div>
             {indent}
@@ -625,12 +627,11 @@ export const SecretVersionDiffView = ({
   };
 
   return (
-    <div className="overflow-hidden rounded-lg border border-mineshaft-600 bg-mineshaft-800">
+    <div className="overflow-hidden border border-b-0 border-mineshaft-600 bg-mineshaft-800 first:rounded-t last:rounded-b last:border-b">
       {showHeader && renderHeader()}
-
       {!collapsed && (
-        <div className="border-t border-mineshaft-700 bg-mineshaft-900 px-6 py-4">
-          <div className="grid grid-cols-2 gap-4">
+        <div className="border-t border-mineshaft-700 bg-bunker-900 p-3 text-mineshaft-100">
+          <div className="grid grid-cols-2 gap-3">
             <div
               ref={oldContainerRef}
               className="thin-scrollbar max-h-96 overflow-auto whitespace-pre rounded border border-mineshaft-600 bg-mineshaft-900 p-4"

frontend/src/pages/secret-manager/CommitsPage/CommitsPage.tsx

@@ -52,7 +52,7 @@ export const CommitsPage = () => {
           title="Commits"
           description="Track, inspect, and restore your secrets and folders with confidence. View the complete history of changes made to your environment, examine specific modifications at each commit point, and preview the exact impact before rolling back to previous states."
         />
-        <NoticeBannerV2 title="" className="mb-2">
+        <NoticeBannerV2 title="Secret Snapshots Update" className="mb-2">
           <p className="my-1 text-sm text-mineshaft-300">
             Secret Snapshots have been officially renamed to Commits. Going forward, all secret
             changes will be tracked as Commits. If you made changes before this update, you can

frontend/src/pages/secret-manager/CommitsPage/components/CommitHistoryTab/CommitHistoryTab.tsx

@@ -2,13 +2,14 @@ import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import {
   faArrowDownWideShort,
   faArrowUpWideShort,
+  faCodeCommit,
   faCopy,
   faSearch
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { format, formatDistanceToNow } from "date-fns";
 
-import { Button, Input, Spinner } from "@app/components/v2";
+import { Button, ContentLoader, EmptyState, IconButton, Input } from "@app/components/v2";
 import { CopyButton } from "@app/components/v2/CopyButton";
 import { useGetFolderCommitHistory } from "@app/hooks/api/folderCommits";
 
@@ -40,58 +41,40 @@ const CommitItem = ({
   onSelectCommit: (commitId: string, tab: string) => void;
 }) => {
   return (
-    <div className="border-b border-zinc-800 last:border-b-0">
-      <div className="px-4 py-4 transition-colors duration-200 hover:bg-zinc-800">
-        <div className="flex flex-col sm:flex-row sm:justify-between">
-          <div className="w-5/6 flex-1">
-            <div className="flex items-center">
-              <Button
-                variant="link"
-                className="truncate text-left text-white hover:underline"
-                isFullWidth
-                onClick={(e) => {
-                  e.stopPropagation();
-                  onSelectCommit(commit.id, "tab-commit-details");
-                }}
-              >
-                {commit.message}
-              </Button>
-            </div>
-            <p className="text-white-400 mt-2 flex flex-wrap items-center gap-4 text-sm">
-              <span className="flex items-center text-mineshaft-300">
-                {commit.actorMetadata?.email || commit.actorMetadata?.name || commit.actorType}
-                <p className="ml-1 mr-1">committed</p>
-                <time dateTime={commit.createdAt}>{formatTimeAgo(commit.createdAt)}</time>
-              </span>
-            </p>
-          </div>
-          <div className="mt-2 flex w-1/6 items-center justify-end sm:mt-0">
-            <div className="flex items-center space-x-1">
-              <Button
-                variant="link"
-                className="text-white hover:underline"
-                onClick={(e) => {
-                  e.stopPropagation();
-                  onSelectCommit(commit.id, "tab-commit-details");
-                }}
-              >
-                <code className="text-white-400 px-3 py-1 font-mono text-sm">
-                  {commit.id?.substring(0, 11)}
-                </code>
-              </Button>
-              <CopyButton
-                value={commit.id}
-                name={commit.id}
-                size="sm"
-                variant="plain"
-                color="text-mineshaft-400"
-                icon={faCopy}
-              />
-            </div>
-          </div>
+    <button
+      type="button"
+      onClick={(e) => {
+        e.stopPropagation();
+        onSelectCommit(commit.id, "tab-commit-details");
+      }}
+      className="w-full border border-b-0 border-mineshaft-600 bg-mineshaft-800 first:rounded-t-md last:rounded-b-md last:border-b"
+    >
+      <div className="flex gap-2 px-4 py-3 transition-colors duration-200 hover:bg-zinc-800">
+        <div className="flex flex-1 flex-col items-start">
+          <span className="w-min whitespace-nowrap text-sm text-mineshaft-100">
+            {commit.message}
+          </span>
+          <p className="text-left text-xs text-mineshaft-300">
+            {commit.actorMetadata?.email || commit.actorMetadata?.name || commit.actorType}{" "}
+            committed <time dateTime={commit.createdAt}>{formatTimeAgo(commit.createdAt)}</time>
+          </p>
+        </div>
+
+        <div className="flex items-center space-x-2">
+          <code className="mt-0.5 font-mono text-xs text-mineshaft-400">
+            {commit.id?.substring(0, 11)}
+          </code>
+          <CopyButton
+            value={commit.id}
+            name={commit.id}
+            size="xs"
+            variant="plain"
+            color="text-mineshaft-400"
+            icon={faCopy}
+          />
         </div>
       </div>
-    </div>
+    </button>
   );
 };
 
@@ -108,24 +91,16 @@ const DateGroup = ({
   onSelectCommit: (commitId: string, tab: string) => void;
 }) => {
   return (
-    <div className="mb-8 last:mb-0 last:pb-2">
-      <div className="mb-4 flex items-center">
-        <div className="relative mr-3 flex h-6 w-6 items-center justify-center">
-          <div className="z-10 h-3 w-3 rounded-full border-2 border-mineshaft-600 bg-bunker-800" />
-          <div className="absolute left-0 right-0 top-1/2 h-0.5 -translate-y-1/2 bg-mineshaft-600" />
-        </div>
-        <h2 className="text-sm text-white">Commits on {date}</h2>
+    <div className="mt-4 first:mt-0">
+      <div className="mb-4 ml-[0.15rem] flex items-center">
+        <FontAwesomeIcon icon={faCodeCommit} className="text-mineshaft-400" />
+        <h2 className="ml-4 text-sm text-mineshaft-400">Commits on {date}</h2>
       </div>
-
       <div className="relative">
-        <div className="absolute bottom-0 left-3 top-0 w-0.5 bg-mineshaft-600" />
+        <div className="absolute bottom-0 left-3 top-0 w-[0.1rem] bg-mineshaft-500" />
         <div className="ml-10">
           {commits.map((commit) => (
-            <div key={commit.id} className="relative mb-3 pb-1">
-              <div className="overflow-hidden rounded-md border border-solid border-mineshaft-600">
-                <CommitItem commit={commit} onSelectCommit={onSelectCommit} />
-              </div>
-            </div>
+            <CommitItem key={commit.id} commit={commit} onSelectCommit={onSelectCommit} />
           ))}
         </div>
       </div>
@@ -150,7 +125,7 @@ export const CommitHistoryTab = ({
   const [offset, setOffset] = useState(0);
   const [allCommits, setAllCommits] = useState<Commit[]>([]);
   const debounceTimeoutRef = useRef<NodeJS.Timeout>();
-  const limit = 5;
+  const limit = 10;
 
   // Debounce search term
   useEffect(() => {
@@ -234,42 +209,37 @@ export const CommitHistoryTab = ({
   }, [hasMore, isFetching, limit]);
 
   return (
-    <div className="w-full">
+    <div className="mt-4 w-full rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <p className="mb-4 text-xl font-semibold text-mineshaft-100">Commit History</p>
       <div className="mb-4 flex flex-col sm:flex-row sm:justify-end">
         <div className="flex w-full flex-wrap items-center gap-2">
           <div className="relative flex-grow">
             <Input
+              leftIcon={<FontAwesomeIcon icon={faSearch} aria-hidden="true" />}
               placeholder="Search commits..."
-              className="h-10 w-full rounded-md border-transparent bg-zinc-800 pl-9 pr-3 text-sm text-white placeholder-gray-400 focus:border-gray-600 focus:ring-primary-500/20"
               onChange={(e) => handleSearch(e.target.value)}
               value={searchTerm}
               aria-label="Search commits"
             />
-            <div className="absolute left-3 top-1/2 -translate-y-1/2 transform text-gray-400">
-              <FontAwesomeIcon icon={faSearch} aria-hidden="true" />
-            </div>
           </div>
-          <Button
+          <IconButton
             variant="outline_bg"
-            size="md"
-            className="flex h-10 items-center justify-center gap-2 rounded-md bg-zinc-800 px-4 py-2 text-sm text-white transition-colors duration-200 hover:bg-zinc-700 focus:outline-none focus:ring-2 focus:ring-primary-500"
+            size="sm"
+            className="flex h-[2.4rem] items-center justify-center gap-2 rounded-md"
             onClick={handleSort}
-            aria-label={`Sort by date ${sortDirection === "desc" ? "ascending" : "descending"}`}
+            ariaLabel={`Sort by date ${sortDirection === "desc" ? "ascending" : "descending"}`}
           >
             <FontAwesomeIcon
               icon={sortDirection === "desc" ? faArrowDownWideShort : faArrowUpWideShort}
               aria-hidden="true"
             />
-          </Button>
+          </IconButton>
         </div>
       </div>
-
       {isLoading && offset === 0 ? (
-        <div className="flex h-64 items-center justify-center">
-          <Spinner size="lg" aria-label="Loading commits" />
-        </div>
+        <ContentLoader className="h-80" />
       ) : (
-        <div className="space-y-8">
+        <div className="">
           {Object.keys(groupedCommits).length > 0 ? (
             <>
               {Object.entries(groupedCommits).map(([date, dateCommits]) => (
@@ -282,34 +252,21 @@ export const CommitHistoryTab = ({
               ))}
             </>
           ) : (
-            <div className="text-white-400 flex min-h-40 flex-col items-center justify-center rounded-lg bg-zinc-900 py-8 text-center">
-              <FontAwesomeIcon
-                icon={faSearch}
-                className="text-white-500 mb-3 text-3xl"
-                aria-hidden="true"
-              />
-              <p>No matching commits found. Try a different search term.</p>
-            </div>
+            <EmptyState title="No commits found." icon={faCodeCommit} />
           )}
 
           {hasMore && (
             <div className="flex justify-center pb-2">
               <Button
                 variant="outline_bg"
-                size="md"
-                className="rounded-md bg-zinc-900 px-6 py-2 text-sm font-medium text-white transition-colors duration-200 hover:bg-zinc-800 focus:outline-none focus:ring-2 focus:ring-primary-500"
+                size="sm"
+                className="ml-10 mt-4 w-full"
                 onClick={loadMoreCommits}
                 disabled={isFetching}
+                isLoading={isFetching}
                 aria-label="Load more commits"
               >
-                {isFetching ? (
-                  <>
-                    <Spinner size="sm" className="mr-2" />
-                    Loading...
-                  </>
-                ) : (
-                  "Load more commits"
-                )}
+                Load More Commits
               </Button>
             </div>
           )}

frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/CloudflareWorkersSyncDestinationCol.tsx

@@ -0,0 +1,14 @@
+import { TCloudflareWorkersSync } from "@app/hooks/api/secretSyncs/types/cloudflare-workers-sync";
+
+import { getSecretSyncDestinationColValues } from "../helpers";
+import { SecretSyncTableCell } from "../SecretSyncTableCell";
+
+type Props = {
+  secretSync: TCloudflareWorkersSync;
+};
+
+export const CloudflareWorkersSyncDestinationCol = ({ secretSync }: Props) => {
+  const { primaryText, secondaryText } = getSecretSyncDestinationColValues(secretSync);
+
+  return <SecretSyncTableCell primaryText={primaryText} secondaryText={secondaryText} />;
+};

frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/SecretSyncDestinationCol.tsx

@@ -8,6 +8,7 @@ import { AzureDevOpsSyncDestinationCol } from "./AzureDevOpsSyncDestinationCol";
 import { AzureKeyVaultDestinationSyncCol } from "./AzureKeyVaultDestinationSyncCol";
 import { CamundaSyncDestinationCol } from "./CamundaSyncDestinationCol";
 import { CloudflarePagesSyncDestinationCol } from "./CloudflarePagesSyncDestinationCol";
+import { CloudflareWorkersSyncDestinationCol } from "./CloudflareWorkersSyncDestinationCol";
 import { DatabricksSyncDestinationCol } from "./DatabricksSyncDestinationCol";
 import { FlyioSyncDestinationCol } from "./FlyioSyncDestinationCol";
 import { GcpSyncDestinationCol } from "./GcpSyncDestinationCol";
@@ -75,6 +76,8 @@ export const SecretSyncDestinationCol = ({ secretSync }: Props) => {
       return <GitLabSyncDestinationCol secretSync={secretSync} />;
     case SecretSync.CloudflarePages:
       return <CloudflarePagesSyncDestinationCol secretSync={secretSync} />;
+    case SecretSync.CloudflareWorkers:
+      return <CloudflareWorkersSyncDestinationCol secretSync={secretSync} />;
     case SecretSync.Zabbix:
       return <ZabbixSyncDestinationCol secretSync={secretSync} />;
     case SecretSync.Railway:

frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/helpers/index.ts

@@ -145,6 +145,10 @@ export const getSecretSyncDestinationColValues = (secretSync: TSecretSync) => {
       primaryText = destinationConfig.projectName;
       secondaryText = destinationConfig.environment;
       break;
+    case SecretSync.CloudflareWorkers:
+      primaryText = destinationConfig.scriptId;
+      secondaryText = "Script ID";
+      break;
     case SecretSync.Zabbix:
       if (destinationConfig.scope === ZabbixSyncScope.Host) {
         primaryText = destinationConfig.hostName;

frontend/src/pages/secret-manager/SecretApprovalsPage/components/ApprovalPolicyList/components/AccessPolicyModal.tsx

@@ -21,6 +21,7 @@ import {
   Tag,
   Tooltip
 } from "@app/components/v2";
+import { SecretPathInput } from "@app/components/v2/SecretPathInput";
 import { useWorkspace } from "@app/context";
 import { getMemberLabel } from "@app/helpers/members";
 import { policyDetails } from "@app/helpers/policies";
@@ -203,6 +204,7 @@ const Form = ({
 
   const formUserBypassers = watch("userBypassers");
   const formGroupBypassers = watch("groupBypassers");
+  const formEnvironment = watch("environment")?.slug;
   const bypasserCount = (formUserBypassers || []).length + (formGroupBypassers || []).length;
 
   const handleCreatePolicy = async ({
@@ -474,7 +476,11 @@ const Form = ({
                 errorText={error?.message}
                 className="flex-1"
               >
-                <Input {...field} value={field.value || ""} />
+                <SecretPathInput
+                  {...field}
+                  value={field.value || ""}
+                  environment={formEnvironment}
+                />
               </FormControl>
             )}
           />

frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/CloudflareWorkersSyncDestinationSection.tsx

@@ -0,0 +1,14 @@
+import { GenericFieldLabel } from "@app/components/secret-syncs";
+import { TCloudflareWorkersSync } from "@app/hooks/api/secretSyncs/types/cloudflare-workers-sync";
+
+type Props = {
+  secretSync: TCloudflareWorkersSync;
+};
+
+export const CloudflareWorkersSyncDestinationSection = ({ secretSync }: Props) => {
+  const {
+    destinationConfig: { scriptId }
+  } = secretSync;
+
+  return <GenericFieldLabel label="Script ID">{scriptId}</GenericFieldLabel>;
+};

frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/SecretSyncDestinatonSection.tsx

@@ -19,6 +19,7 @@ import { AzureDevOpsSyncDestinationSection } from "./AzureDevOpsSyncDestinationS
 import { AzureKeyVaultSyncDestinationSection } from "./AzureKeyVaultSyncDestinationSection";
 import { CamundaSyncDestinationSection } from "./CamundaSyncDestinationSection";
 import { CloudflarePagesSyncDestinationSection } from "./CloudflarePagesSyncDestinationSection";
+import { CloudflareWorkersSyncDestinationSection } from "./CloudflareWorkersSyncDestinationSection";
 import { DatabricksSyncDestinationSection } from "./DatabricksSyncDestinationSection";
 import { FlyioSyncDestinationSection } from "./FlyioSyncDestinationSection";
 import { GcpSyncDestinationSection } from "./GcpSyncDestinationSection";
@@ -116,6 +117,9 @@ export const SecretSyncDestinationSection = ({ secretSync, onEditDestination }:
     case SecretSync.CloudflarePages:
       DestinationComponents = <CloudflarePagesSyncDestinationSection secretSync={secretSync} />;
       break;
+    case SecretSync.CloudflareWorkers:
+      DestinationComponents = <CloudflareWorkersSyncDestinationSection secretSync={secretSync} />;
+      break;
     case SecretSync.Zabbix:
       DestinationComponents = <ZabbixSyncDestinationSection secretSync={secretSync} />;
       break;

frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncOptionsSection/SecretSyncOptionsSection.tsx

@@ -60,6 +60,7 @@ export const SecretSyncOptionsSection = ({ secretSync, onEditOptions }: Props) =
     case SecretSync.Flyio:
     case SecretSync.GitLab:
     case SecretSync.CloudflarePages:
+    case SecretSync.CloudflareWorkers:
     case SecretSync.Zabbix:
     case SecretSync.Railway:
       AdditionalSyncOptionsComponent = null;