improvement: disable tooltip hover content for env name tooltip

feat: added auto-bootstrap support to helm

.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml

@@ -51,11 +51,18 @@ jobs:
             --from-literal=ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 \
             --from-literal=SITE_URL=http://localhost:8080
 
+      - name: Create bootstrap secret
+        run: |
+          kubectl create secret generic infisical-bootstrap-credentials \
+            --namespace infisical-standalone-postgres \
+            --from-literal=INFISICAL_ADMIN_EMAIL=admin@example.com \
+            --from-literal=INFISICAL_ADMIN_PASSWORD=admin-password
+
       - name: Run chart-testing (install)
         run: |
           ct install \
             --config ct.yaml \
             --charts helm-charts/infisical-standalone-postgres \
             --helm-extra-args="--timeout=300s" \
-            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres" \
+            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres --set infisical.autoBootstrap.enabled=true" \
             --namespace infisical-standalone-postgres

.infisicalignore

@@ -45,3 +45,4 @@ cli/detect/config/gitleaks.toml:gcp-api-key:582
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:48
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:47
 backend/src/services/smtp/smtp-service.ts:generic-api-key:79
+frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflarePagesSyncFields.tsx:cloudflare-api-key:7

backend/e2e-test/mocks/queue.ts

@@ -26,6 +26,7 @@ export const mockQueue = (): TQueueServiceFactory => {
     getRepeatableJobs: async () => [],
     clearQueue: async () => {},
     stopJobById: async () => {},
+    stopJobByIdPg: async () => {},
     stopRepeatableJobByJobId: async () => true,
     stopRepeatableJobByKey: async () => true
   };

backend/src/@types/fastify.d.ts

@@ -10,8 +10,8 @@ import { TAuditLogServiceFactory, TCreateAuditLogDTO } from "@app/ee/services/au
 import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-types";
 import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-types";
 import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/certificate-est-service";
-import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
-import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-types";
+import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-types";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGithubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";

backend/src/db/instance.ts

@@ -50,6 +50,8 @@ export const initDbConnection = ({
           }
         : false
     },
+    // https://knexjs.org/guide/#pool
+    pool: { min: 0, max: 10 },
     migrations: {
       tableName: "infisical_migrations"
     }
@@ -70,7 +72,8 @@ export const initDbConnection = ({
       },
       migrations: {
         tableName: "infisical_migrations"
-      }
+      },
+      pool: { min: 0, max: 10 }
     });
   });
 

backend/src/db/migrations/20250620144939_add-instance-github-app-connection-credentials.ts

@@ -0,0 +1,91 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptedGithubAppConnectionClientIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientId"
+  );
+  const hasEncryptedGithubAppConnectionClientSecretColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientSecret"
+  );
+
+  const hasEncryptedGithubAppConnectionSlugColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionSlug"
+  );
+
+  const hasEncryptedGithubAppConnectionAppIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionId"
+  );
+
+  const hasEncryptedGithubAppConnectionAppPrivateKeyColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionPrivateKey"
+  );
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (!hasEncryptedGithubAppConnectionClientIdColumn) {
+      t.binary("encryptedGitHubAppConnectionClientId").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionClientSecretColumn) {
+      t.binary("encryptedGitHubAppConnectionClientSecret").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionSlugColumn) {
+      t.binary("encryptedGitHubAppConnectionSlug").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionAppIdColumn) {
+      t.binary("encryptedGitHubAppConnectionId").nullable();
+    }
+    if (!hasEncryptedGithubAppConnectionAppPrivateKeyColumn) {
+      t.binary("encryptedGitHubAppConnectionPrivateKey").nullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedGithubAppConnectionClientIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientId"
+  );
+  const hasEncryptedGithubAppConnectionClientSecretColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionClientSecret"
+  );
+
+  const hasEncryptedGithubAppConnectionSlugColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionSlug"
+  );
+
+  const hasEncryptedGithubAppConnectionAppIdColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionId"
+  );
+
+  const hasEncryptedGithubAppConnectionAppPrivateKeyColumn = await knex.schema.hasColumn(
+    TableName.SuperAdmin,
+    "encryptedGitHubAppConnectionPrivateKey"
+  );
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (hasEncryptedGithubAppConnectionClientIdColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionClientId");
+    }
+    if (hasEncryptedGithubAppConnectionClientSecretColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionClientSecret");
+    }
+    if (hasEncryptedGithubAppConnectionSlugColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionSlug");
+    }
+    if (hasEncryptedGithubAppConnectionAppIdColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionId");
+    }
+    if (hasEncryptedGithubAppConnectionAppPrivateKeyColumn) {
+      t.dropColumn("encryptedGitHubAppConnectionPrivateKey");
+    }
+  });
+}

backend/src/db/schemas/super-admin.ts

@@ -29,7 +29,12 @@ export const SuperAdminSchema = z.object({
   adminIdentityIds: z.string().array().nullable().optional(),
   encryptedMicrosoftTeamsAppId: zodBuffer.nullable().optional(),
   encryptedMicrosoftTeamsClientSecret: zodBuffer.nullable().optional(),
-  encryptedMicrosoftTeamsBotId: zodBuffer.nullable().optional()
+  encryptedMicrosoftTeamsBotId: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionClientId: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionClientSecret: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
+  encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -89,7 +89,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
     schema: {
       querystring: z.object({
         projectSlug: z.string().trim(),
-        authorProjectMembershipId: z.string().trim().optional(),
+        authorUserId: z.string().trim().optional(),
         envSlug: z.string().trim().optional()
       }),
       response: {
@@ -143,7 +143,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
     handler: async (req) => {
       const { requests } = await server.services.accessApprovalRequest.listApprovalRequests({
         projectSlug: req.query.projectSlug,
-        authorProjectMembershipId: req.query.authorProjectMembershipId,
+        authorUserId: req.query.authorUserId,
         envSlug: req.query.envSlug,
         actor: req.permission.type,
         actorId: req.permission.id,

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -30,6 +30,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         workspaceId: z.string().trim(),
         environment: z.string().trim().optional(),
         committer: z.string().trim().optional(),
+        search: z.string().trim().optional(),
         status: z.nativeEnum(RequestState).optional(),
         limit: z.coerce.number().default(20),
         offset: z.coerce.number().default(0)
@@ -66,13 +67,14 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 userId: z.string().nullable().optional()
               })
               .array()
-          }).array()
+          }).array(),
+          totalCount: z.number()
         })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const approvals = await server.services.secretApprovalRequest.getSecretApprovals({
+      const { approvals, totalCount } = await server.services.secretApprovalRequest.getSecretApprovals({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -80,7 +82,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         ...req.query,
         projectId: req.query.workspaceId
       });
-      return { approvals };
+      return { approvals, totalCount };
     }
   });
 

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -725,16 +725,17 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
         )
 
         .where(`${TableName.Environment}.projectId`, projectId)
-        .where(`${TableName.AccessApprovalPolicy}.deletedAt`, null)
         .select(selectAllTableCols(TableName.AccessApprovalRequest))
         .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
-        .select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"));
+        .select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"))
+        .select(db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"));
 
       const formattedRequests = sqlNestRelationships({
         data: accessRequests,
         key: "id",
         parentMapper: (doc) => ({
-          ...AccessApprovalRequestsSchema.parse(doc)
+          ...AccessApprovalRequestsSchema.parse(doc),
+          isPolicyDeleted: Boolean(doc.policyDeletedAt)
         }),
         childrenMapper: [
           {
@@ -751,7 +752,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
         (req) =>
           !req.privilegeId &&
           !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) &&
-          req.status === ApprovalStatus.PENDING
+          req.status === ApprovalStatus.PENDING &&
+          !req.isPolicyDeleted
       );
 
       // an approval is finalized if there are any rejections, a privilege ID is set or the number of approvals is equal to the number of approvals required.
@@ -759,7 +761,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
         (req) =>
           req.privilegeId ||
           req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) ||
-          req.status !== ApprovalStatus.PENDING
+          req.status !== ApprovalStatus.PENDING ||
+          req.isPolicyDeleted
       );
 
       return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -275,7 +275,7 @@ export const accessApprovalRequestServiceFactory = ({
 
   const listApprovalRequests: TAccessApprovalRequestServiceFactory["listApprovalRequests"] = async ({
     projectSlug,
-    authorProjectMembershipId,
+    authorUserId,
     envSlug,
     actor,
     actorOrgId,
@@ -300,8 +300,8 @@ export const accessApprovalRequestServiceFactory = ({
     const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
     let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
 
-    if (authorProjectMembershipId) {
-      requests = requests.filter((request) => request.requestedByUserId === actorId);
+    if (authorUserId) {
+      requests = requests.filter((request) => request.requestedByUserId === authorUserId);
     }
 
     if (envSlug) {

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -31,7 +31,7 @@ export type TCreateAccessApprovalRequestDTO = {
 
 export type TListApprovalRequestsDTO = {
   projectSlug: string;
-  authorProjectMembershipId?: string;
+  authorUserId?: string;
   envSlug?: string;
 } & Omit<TProjectPermission, "projectId">;
 

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts

@@ -3,9 +3,43 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { DynamicSecretLeasesSchema, TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { ormify, selectAllTableCols, TOrmify } from "@app/lib/knex";
 
-export type TDynamicSecretLeaseDALFactory = ReturnType<typeof dynamicSecretLeaseDALFactory>;
+export interface TDynamicSecretLeaseDALFactory extends Omit<TOrmify<TableName.DynamicSecretLease>, "findById"> {
+  countLeasesForDynamicSecret: (dynamicSecretId: string, tx?: Knex) => Promise<number>;
+  findById: (
+    id: string,
+    tx?: Knex
+  ) => Promise<
+    | {
+        dynamicSecret: {
+          id: string;
+          name: string;
+          version: number;
+          type: string;
+          defaultTTL: string;
+          maxTTL: string | null | undefined;
+          encryptedInput: Buffer;
+          folderId: string;
+          status: string | null | undefined;
+          statusDetails: string | null | undefined;
+          createdAt: Date;
+          updatedAt: Date;
+        };
+        version: number;
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        externalEntityId: string;
+        expireAt: Date;
+        dynamicSecretId: string;
+        status?: string | null | undefined;
+        config?: unknown;
+        statusDetails?: string | null | undefined;
+      }
+    | undefined
+  >;
+}
 
 export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
   const orm = ormify(db, TableName.DynamicSecretLease);

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts

@@ -21,7 +21,12 @@ type TDynamicSecretLeaseQueueServiceFactoryDep = {
   folderDAL: Pick<TSecretFolderDALFactory, "findById">;
 };
 
-export type TDynamicSecretLeaseQueueServiceFactory = ReturnType<typeof dynamicSecretLeaseQueueServiceFactory>;
+export type TDynamicSecretLeaseQueueServiceFactory = {
+  pruneDynamicSecret: (dynamicSecretCfgId: string) => Promise<void>;
+  setLeaseRevocation: (leaseId: string, expiryAt: Date) => Promise<void>;
+  unsetLeaseRevocation: (leaseId: string) => Promise<void>;
+  init: () => Promise<void>;
+};
 
 export const dynamicSecretLeaseQueueServiceFactory = ({
   queueService,
@@ -30,55 +35,48 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
   dynamicSecretLeaseDAL,
   kmsService,
   folderDAL
-}: TDynamicSecretLeaseQueueServiceFactoryDep) => {
+}: TDynamicSecretLeaseQueueServiceFactoryDep): TDynamicSecretLeaseQueueServiceFactory => {
   const pruneDynamicSecret = async (dynamicSecretCfgId: string) => {
-    await queueService.queue(
-      QueueName.DynamicSecretRevocation,
+    await queueService.queuePg<QueueName.DynamicSecretRevocation>(
       QueueJobs.DynamicSecretPruning,
       { dynamicSecretCfgId },
       {
-        jobId: dynamicSecretCfgId,
-        backoff: {
-          type: "exponential",
-          delay: 3000
-        },
-        removeOnFail: {
-          count: 3
-        },
-        removeOnComplete: true
+        singletonKey: dynamicSecretCfgId,
+        retryLimit: 3,
+        retryBackoff: true
       }
     );
   };
 
-  const setLeaseRevocation = async (leaseId: string, expiry: number) => {
-    await queueService.queue(
-      QueueName.DynamicSecretRevocation,
+  const setLeaseRevocation = async (leaseId: string, expiryAt: Date) => {
+    await queueService.queuePg<QueueName.DynamicSecretRevocation>(
       QueueJobs.DynamicSecretRevocation,
       { leaseId },
       {
-        jobId: leaseId,
-        backoff: {
-          type: "exponential",
-          delay: 3000
-        },
-        delay: expiry,
-        removeOnFail: {
-          count: 3
-        },
-        removeOnComplete: true
+        id: leaseId,
+        singletonKey: leaseId,
+        startAfter: expiryAt,
+        retryLimit: 3,
+        retryBackoff: true,
+        retentionDays: 2
       }
     );
   };
 
   const unsetLeaseRevocation = async (leaseId: string) => {
     await queueService.stopJobById(QueueName.DynamicSecretRevocation, leaseId);
+    await queueService.stopJobByIdPg(QueueName.DynamicSecretRevocation, leaseId);
   };
 
-  queueService.start(QueueName.DynamicSecretRevocation, async (job) => {
+  const $dynamicSecretQueueJob = async (
+    jobName: string,
+    jobId: string,
+    data: { leaseId: string } | { dynamicSecretCfgId: string }
+  ): Promise<void> => {
     try {
-      if (job.name === QueueJobs.DynamicSecretRevocation) {
-        const { leaseId } = job.data as { leaseId: string };
-        logger.info("Dynamic secret lease revocation started: ", leaseId, job.id);
+      if (jobName === QueueJobs.DynamicSecretRevocation) {
+        const { leaseId } = data as { leaseId: string };
+        logger.info("Dynamic secret lease revocation started: ", leaseId, jobId);
 
         const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
         if (!dynamicSecretLease) throw new DisableRotationErrors({ message: "Dynamic secret lease not found" });
@@ -107,9 +105,9 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
         return;
       }
 
-      if (job.name === QueueJobs.DynamicSecretPruning) {
-        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
-        logger.info("Dynamic secret pruning started: ", dynamicSecretCfgId, job.id);
+      if (jobName === QueueJobs.DynamicSecretPruning) {
+        const { dynamicSecretCfgId } = data as { dynamicSecretCfgId: string };
+        logger.info("Dynamic secret pruning started: ", dynamicSecretCfgId, jobId);
         const dynamicSecretCfg = await dynamicSecretDAL.findById(dynamicSecretCfgId);
         if (!dynamicSecretCfg) throw new DisableRotationErrors({ message: "Dynamic secret not found" });
         if ((dynamicSecretCfg.status as DynamicSecretStatus) !== DynamicSecretStatus.Deleting)
@@ -150,38 +148,68 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
 
         await dynamicSecretDAL.deleteById(dynamicSecretCfgId);
       }
-      logger.info("Finished dynamic secret job", job.id);
+      logger.info("Finished dynamic secret job", jobId);
     } catch (error) {
       logger.error(error);
 
-      if (job?.name === QueueJobs.DynamicSecretPruning) {
-        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
+      if (jobName === QueueJobs.DynamicSecretPruning) {
+        const { dynamicSecretCfgId } = data as { dynamicSecretCfgId: string };
         await dynamicSecretDAL.updateById(dynamicSecretCfgId, {
           status: DynamicSecretStatus.FailedDeletion,
           statusDetails: (error as Error)?.message?.slice(0, 255)
         });
       }
 
-      if (job?.name === QueueJobs.DynamicSecretRevocation) {
-        const { leaseId } = job.data as { leaseId: string };
+      if (jobName === QueueJobs.DynamicSecretRevocation) {
+        const { leaseId } = data as { leaseId: string };
         await dynamicSecretLeaseDAL.updateById(leaseId, {
           status: DynamicSecretStatus.FailedDeletion,
           statusDetails: (error as Error)?.message?.slice(0, 255)
         });
       }
       if (error instanceof DisableRotationErrors) {
-        if (job.id) {
-          await queueService.stopRepeatableJobByJobId(QueueName.DynamicSecretRevocation, job.id);
+        if (jobId) {
+          await queueService.stopRepeatableJobByJobId(QueueName.DynamicSecretRevocation, jobId);
+          await queueService.stopJobByIdPg(QueueName.DynamicSecretRevocation, jobId);
         }
       }
       // propogate to next part
       throw error;
     }
+  };
+
+  queueService.start(QueueName.DynamicSecretRevocation, async (job) => {
+    await $dynamicSecretQueueJob(job.name, job.id as string, job.data);
   });
 
+  const init = async () => {
+    await queueService.startPg<QueueName.DynamicSecretRevocation>(
+      QueueJobs.DynamicSecretRevocation,
+      async ([job]) => {
+        await $dynamicSecretQueueJob(job.name, job.id, job.data);
+      },
+      {
+        workerCount: 5,
+        pollingIntervalSeconds: 1
+      }
+    );
+
+    await queueService.startPg<QueueName.DynamicSecretRevocation>(
+      QueueJobs.DynamicSecretPruning,
+      async ([job]) => {
+        await $dynamicSecretQueueJob(job.name, job.id, job.data);
+      },
+      {
+        workerCount: 1,
+        pollingIntervalSeconds: 1
+      }
+    );
+  };
+
   return {
     pruneDynamicSecret,
     setLeaseRevocation,
-    unsetLeaseRevocation
+    unsetLeaseRevocation,
+    init
   };
 };

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -26,12 +26,8 @@ import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
 import { TDynamicSecretLeaseQueueServiceFactory } from "./dynamic-secret-lease-queue";
 import {
   DynamicSecretLeaseStatus,
-  TCreateDynamicSecretLeaseDTO,
-  TDeleteDynamicSecretLeaseDTO,
-  TDetailsDynamicSecretLeaseDTO,
   TDynamicSecretLeaseConfig,
-  TListDynamicSecretLeasesDTO,
-  TRenewDynamicSecretLeaseDTO
+  TDynamicSecretLeaseServiceFactory
 } from "./dynamic-secret-lease-types";
 
 type TDynamicSecretLeaseServiceFactoryDep = {
@@ -48,8 +44,6 @@ type TDynamicSecretLeaseServiceFactoryDep = {
   identityDAL: TIdentityDALFactory;
 };
 
-export type TDynamicSecretLeaseServiceFactory = ReturnType<typeof dynamicSecretLeaseServiceFactory>;
-
 export const dynamicSecretLeaseServiceFactory = ({
   dynamicSecretLeaseDAL,
   dynamicSecretProviders,
@@ -62,14 +56,14 @@ export const dynamicSecretLeaseServiceFactory = ({
   kmsService,
   userDAL,
   identityDAL
-}: TDynamicSecretLeaseServiceFactoryDep) => {
+}: TDynamicSecretLeaseServiceFactoryDep): TDynamicSecretLeaseServiceFactory => {
   const extractEmailUsername = (email: string) => {
     const regex = new RE2(/^([^@]+)/);
     const match = email.match(regex);
     return match ? match[1] : email;
   };
 
-  const create = async ({
+  const create: TDynamicSecretLeaseServiceFactory["create"] = async ({
     environmentSlug,
     path,
     name,
@@ -80,7 +74,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     actorAuthMethod,
     ttl,
     config
-  }: TCreateDynamicSecretLeaseDTO) => {
+  }) => {
     const appCfg = getConfig();
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -184,11 +178,11 @@ export const dynamicSecretLeaseServiceFactory = ({
       config
     });
 
-    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
+    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, expireAt);
     return { lease: dynamicSecretLease, dynamicSecret: dynamicSecretCfg, data };
   };
 
-  const renewLease = async ({
+  const renewLease: TDynamicSecretLeaseServiceFactory["renewLease"] = async ({
     ttl,
     actorAuthMethod,
     actorOrgId,
@@ -198,7 +192,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     path,
     environmentSlug,
     leaseId
-  }: TRenewDynamicSecretLeaseDTO) => {
+  }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
@@ -278,7 +272,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     );
 
     await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
-    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
+    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, expireAt);
     const updatedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
       expireAt,
       externalEntityId: entityId
@@ -286,7 +280,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     return updatedDynamicSecretLease;
   };
 
-  const revokeLease = async ({
+  const revokeLease: TDynamicSecretLeaseServiceFactory["revokeLease"] = async ({
     leaseId,
     environmentSlug,
     path,
@@ -296,7 +290,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     isForced
-  }: TDeleteDynamicSecretLeaseDTO) => {
+  }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
@@ -376,7 +370,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     return deletedDynamicSecretLease;
   };
 
-  const listLeases = async ({
+  const listLeases: TDynamicSecretLeaseServiceFactory["listLeases"] = async ({
     path,
     name,
     actor,
@@ -385,7 +379,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     actorOrgId,
     environmentSlug,
     actorAuthMethod
-  }: TListDynamicSecretLeasesDTO) => {
+  }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
@@ -424,7 +418,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     return dynamicSecretLeases;
   };
 
-  const getLeaseDetails = async ({
+  const getLeaseDetails: TDynamicSecretLeaseServiceFactory["getLeaseDetails"] = async ({
     projectSlug,
     actorOrgId,
     path,
@@ -433,7 +427,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     actorId,
     leaseId,
     actorAuthMethod
-  }: TDetailsDynamicSecretLeaseDTO) => {
+  }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-types.ts

@@ -1,4 +1,5 @@
-import { TProjectPermission } from "@app/lib/types";
+import { TDynamicSecretLeases } from "@app/db/schemas";
+import { TDynamicSecretWithMetadata, TProjectPermission } from "@app/lib/types";
 
 export enum DynamicSecretLeaseStatus {
   FailedDeletion = "Failed to delete"
@@ -48,3 +49,40 @@ export type TDynamicSecretKubernetesLeaseConfig = {
 };
 
 export type TDynamicSecretLeaseConfig = TDynamicSecretKubernetesLeaseConfig;
+
+export type TDynamicSecretLeaseServiceFactory = {
+  create: (arg: TCreateDynamicSecretLeaseDTO) => Promise<{
+    lease: TDynamicSecretLeases;
+    dynamicSecret: TDynamicSecretWithMetadata;
+    data: unknown;
+  }>;
+  listLeases: (arg: TListDynamicSecretLeasesDTO) => Promise<TDynamicSecretLeases[]>;
+  revokeLease: (arg: TDeleteDynamicSecretLeaseDTO) => Promise<TDynamicSecretLeases>;
+  renewLease: (arg: TRenewDynamicSecretLeaseDTO) => Promise<TDynamicSecretLeases>;
+  getLeaseDetails: (arg: TDetailsDynamicSecretLeaseDTO) => Promise<{
+    dynamicSecret: {
+      id: string;
+      name: string;
+      version: number;
+      type: string;
+      defaultTTL: string;
+      maxTTL: string | null | undefined;
+      encryptedInput: Buffer;
+      folderId: string;
+      status: string | null | undefined;
+      statusDetails: string | null | undefined;
+      createdAt: Date;
+      updatedAt: Date;
+    };
+    version: number;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    externalEntityId: string;
+    expireAt: Date;
+    dynamicSecretId: string;
+    status?: string | null | undefined;
+    config?: unknown;
+    statusDetails?: string | null | undefined;
+  }>;
+};

backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts

@@ -10,17 +10,35 @@ import {
   selectAllTableCols,
   sqlNestRelationships,
   TFindFilter,
-  TFindOpt
+  TFindOpt,
+  TOrmify
 } from "@app/lib/knex";
-import { OrderByDirection } from "@app/lib/types";
+import { OrderByDirection, TDynamicSecretWithMetadata } from "@app/lib/types";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
-export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory>;
+export interface TDynamicSecretDALFactory extends Omit<TOrmify<TableName.DynamicSecret>, "findOne"> {
+  findOne: (filter: TFindFilter<TDynamicSecrets>, tx?: Knex) => Promise<TDynamicSecretWithMetadata>;
+  listDynamicSecretsByFolderIds: (
+    arg: {
+      folderIds: string[];
+      search?: string | undefined;
+      limit?: number | undefined;
+      offset?: number | undefined;
+      orderBy?: SecretsOrderBy | undefined;
+      orderDirection?: OrderByDirection | undefined;
+    },
+    tx?: Knex
+  ) => Promise<Array<TDynamicSecretWithMetadata & { environment: string }>>;
+  findWithMetadata: (
+    filter: TFindFilter<TDynamicSecrets>,
+    arg?: TFindOpt<TDynamicSecrets>
+  ) => Promise<TDynamicSecretWithMetadata[]>;
+}
 
-export const dynamicSecretDALFactory = (db: TDbClient) => {
+export const dynamicSecretDALFactory = (db: TDbClient): TDynamicSecretDALFactory => {
   const orm = ormify(db, TableName.DynamicSecret);
 
-  const findOne = async (filter: TFindFilter<TDynamicSecrets>, tx?: Knex) => {
+  const findOne: TDynamicSecretDALFactory["findOne"] = async (filter, tx) => {
     const query = (tx || db.replicaNode())(TableName.DynamicSecret)
       .leftJoin(
         TableName.ResourceMetadata,
@@ -55,9 +73,9 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
     return docs[0];
   };
 
-  const findWithMetadata = async (
-    filter: TFindFilter<TDynamicSecrets>,
-    { offset, limit, sort, tx }: TFindOpt<TDynamicSecrets> = {}
+  const findWithMetadata: TDynamicSecretDALFactory["findWithMetadata"] = async (
+    filter,
+    { offset, limit, sort, tx } = {}
   ) => {
     const query = (tx || db.replicaNode())(TableName.DynamicSecret)
       .leftJoin(
@@ -101,23 +119,9 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
   };
 
   // find dynamic secrets for multiple environments (folder IDs are cross env, thus need to rank for pagination)
-  const listDynamicSecretsByFolderIds = async (
-    {
-      folderIds,
-      search,
-      limit,
-      offset = 0,
-      orderBy = SecretsOrderBy.Name,
-      orderDirection = OrderByDirection.ASC
-    }: {
-      folderIds: string[];
-      search?: string;
-      limit?: number;
-      offset?: number;
-      orderBy?: SecretsOrderBy;
-      orderDirection?: OrderByDirection;
-    },
-    tx?: Knex
+  const listDynamicSecretsByFolderIds: TDynamicSecretDALFactory["listDynamicSecretsByFolderIds"] = async (
+    { folderIds, search, limit, offset = 0, orderBy = SecretsOrderBy.Name, orderDirection = OrderByDirection.ASC },
+    tx
   ) => {
     try {
       const query = (tx || db.replicaNode())(TableName.DynamicSecret)

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -8,7 +8,7 @@ import {
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
+import { OrderByDirection } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -20,17 +20,7 @@ import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/
 import { TGatewayDALFactory } from "../gateway/gateway-dal";
 import { OrgPermissionGatewayActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
-import {
-  DynamicSecretStatus,
-  TCreateDynamicSecretDTO,
-  TDeleteDynamicSecretDTO,
-  TDetailsDynamicSecretDTO,
-  TGetDynamicSecretsCountDTO,
-  TListDynamicSecretsByFolderMappingsDTO,
-  TListDynamicSecretsDTO,
-  TListDynamicSecretsMultiEnvDTO,
-  TUpdateDynamicSecretDTO
-} from "./dynamic-secret-types";
+import { DynamicSecretStatus, TDynamicSecretServiceFactory } from "./dynamic-secret-types";
 import { AzureEntraIDProvider } from "./providers/azure-entra-id";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./providers/models";
 
@@ -51,8 +41,6 @@ type TDynamicSecretServiceFactoryDep = {
   resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
-export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
-
 export const dynamicSecretServiceFactory = ({
   dynamicSecretDAL,
   dynamicSecretLeaseDAL,
@@ -65,8 +53,8 @@ export const dynamicSecretServiceFactory = ({
   kmsService,
   gatewayDAL,
   resourceMetadataDAL
-}: TDynamicSecretServiceFactoryDep) => {
-  const create = async ({
+}: TDynamicSecretServiceFactoryDep): TDynamicSecretServiceFactory => {
+  const create: TDynamicSecretServiceFactory["create"] = async ({
     path,
     actor,
     name,
@@ -80,7 +68,7 @@ export const dynamicSecretServiceFactory = ({
     actorAuthMethod,
     metadata,
     usernameTemplate
-  }: TCreateDynamicSecretDTO) => {
+  }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
@@ -188,7 +176,7 @@ export const dynamicSecretServiceFactory = ({
     return dynamicSecretCfg;
   };
 
-  const updateByName = async ({
+  const updateByName: TDynamicSecretServiceFactory["updateByName"] = async ({
     name,
     maxTTL,
     defaultTTL,
@@ -203,7 +191,7 @@ export const dynamicSecretServiceFactory = ({
     actorAuthMethod,
     metadata,
     usernameTemplate
-  }: TUpdateDynamicSecretDTO) => {
+  }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
@@ -345,7 +333,7 @@ export const dynamicSecretServiceFactory = ({
     return updatedDynamicCfg;
   };
 
-  const deleteByName = async ({
+  const deleteByName: TDynamicSecretServiceFactory["deleteByName"] = async ({
     actorAuthMethod,
     actorOrgId,
     actorId,
@@ -355,7 +343,7 @@ export const dynamicSecretServiceFactory = ({
     path,
     environmentSlug,
     isForced
-  }: TDeleteDynamicSecretDTO) => {
+  }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
@@ -413,7 +401,7 @@ export const dynamicSecretServiceFactory = ({
     return deletedDynamicSecretCfg;
   };
 
-  const getDetails = async ({
+  const getDetails: TDynamicSecretServiceFactory["getDetails"] = async ({
     name,
     projectSlug,
     path,
@@ -422,7 +410,7 @@ export const dynamicSecretServiceFactory = ({
     actorOrgId,
     actorId,
     actor
-  }: TDetailsDynamicSecretDTO) => {
+  }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
@@ -480,7 +468,7 @@ export const dynamicSecretServiceFactory = ({
   };
 
   // get unique dynamic secret count across multiple envs
-  const getCountMultiEnv = async ({
+  const getCountMultiEnv: TDynamicSecretServiceFactory["getCountMultiEnv"] = async ({
     actorAuthMethod,
     actorOrgId,
     actorId,
@@ -490,7 +478,7 @@ export const dynamicSecretServiceFactory = ({
     environmentSlugs,
     search,
     isInternal
-  }: TListDynamicSecretsMultiEnvDTO) => {
+  }) => {
     if (!isInternal) {
       const { permission } = await permissionService.getProjectPermission({
         actor,
@@ -526,7 +514,7 @@ export const dynamicSecretServiceFactory = ({
   };
 
   // get dynamic secret count for a single env
-  const getDynamicSecretCount = async ({
+  const getDynamicSecretCount: TDynamicSecretServiceFactory["getDynamicSecretCount"] = async ({
     actorAuthMethod,
     actorOrgId,
     actorId,
@@ -535,7 +523,7 @@ export const dynamicSecretServiceFactory = ({
     environmentSlug,
     search,
     projectId
-  }: TGetDynamicSecretsCountDTO) => {
+  }) => {
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
@@ -561,7 +549,7 @@ export const dynamicSecretServiceFactory = ({
     return Number(dynamicSecretCfg[0]?.count ?? 0);
   };
 
-  const listDynamicSecretsByEnv = async ({
+  const listDynamicSecretsByEnv: TDynamicSecretServiceFactory["listDynamicSecretsByEnv"] = async ({
     actorAuthMethod,
     actorOrgId,
     actorId,
@@ -575,7 +563,7 @@ export const dynamicSecretServiceFactory = ({
     orderDirection = OrderByDirection.ASC,
     search,
     ...params
-  }: TListDynamicSecretsDTO) => {
+  }) => {
     let { projectId } = params;
 
     if (!projectId) {
@@ -619,9 +607,9 @@ export const dynamicSecretServiceFactory = ({
     });
   };
 
-  const listDynamicSecretsByFolderIds = async (
-    { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
-    actor: OrgServiceActor
+  const listDynamicSecretsByFolderIds: TDynamicSecretServiceFactory["listDynamicSecretsByFolderIds"] = async (
+    { folderMappings, filters, projectId },
+    actor
   ) => {
     const { permission } = await permissionService.getProjectPermission({
       actor: actor.type,
@@ -657,7 +645,7 @@ export const dynamicSecretServiceFactory = ({
   };
 
   // get dynamic secrets for multiple envs
-  const listDynamicSecretsByEnvs = async ({
+  const listDynamicSecretsByEnvs: TDynamicSecretServiceFactory["listDynamicSecretsByEnvs"] = async ({
     actorAuthMethod,
     actorOrgId,
     actorId,
@@ -667,7 +655,7 @@ export const dynamicSecretServiceFactory = ({
     projectId,
     isInternal,
     ...params
-  }: TListDynamicSecretsMultiEnvDTO) => {
+  }) => {
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
@@ -700,14 +688,10 @@ export const dynamicSecretServiceFactory = ({
     });
   };
 
-  const fetchAzureEntraIdUsers = async ({
+  const fetchAzureEntraIdUsers: TDynamicSecretServiceFactory["fetchAzureEntraIdUsers"] = async ({
     tenantId,
     applicationId,
     clientSecret
-  }: {
-    tenantId: string;
-    applicationId: string;
-    clientSecret: string;
   }) => {
     const azureEntraIdUsers = await AzureEntraIDProvider().fetchAzureEntraIdUsers(
       tenantId,

backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
-import { OrderByDirection, TProjectPermission } from "@app/lib/types";
+import { TDynamicSecrets } from "@app/db/schemas";
+import { OrderByDirection, OrgServiceActor, TDynamicSecretWithMetadata, TProjectPermission } from "@app/lib/types";
 import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
@@ -83,3 +84,27 @@ export type TListDynamicSecretsMultiEnvDTO = Omit<
 export type TGetDynamicSecretsCountDTO = Omit<TListDynamicSecretsDTO, "projectSlug" | "projectId"> & {
   projectId: string;
 };
+
+export type TDynamicSecretServiceFactory = {
+  create: (arg: TCreateDynamicSecretDTO) => Promise<TDynamicSecrets>;
+  updateByName: (arg: TUpdateDynamicSecretDTO) => Promise<TDynamicSecrets>;
+  deleteByName: (arg: TDeleteDynamicSecretDTO) => Promise<TDynamicSecrets>;
+  getDetails: (arg: TDetailsDynamicSecretDTO) => Promise<TDynamicSecretWithMetadata>;
+  listDynamicSecretsByEnv: (arg: TListDynamicSecretsDTO) => Promise<TDynamicSecretWithMetadata[]>;
+  listDynamicSecretsByEnvs: (
+    arg: TListDynamicSecretsMultiEnvDTO
+  ) => Promise<Array<TDynamicSecretWithMetadata & { environment: string }>>;
+  getDynamicSecretCount: (arg: TGetDynamicSecretsCountDTO) => Promise<number>;
+  getCountMultiEnv: (arg: TListDynamicSecretsMultiEnvDTO) => Promise<number>;
+  fetchAzureEntraIdUsers: (arg: { tenantId: string; applicationId: string; clientSecret: string }) => Promise<
+    {
+      name: string;
+      id: string;
+      email: string;
+    }[]
+  >;
+  listDynamicSecretsByFolderIds: (
+    arg: TListDynamicSecretsByFolderMappingsDTO,
+    actor: OrgServiceActor
+  ) => Promise<Array<TDynamicSecretWithMetadata & { environment: string; path: string }>>;
+};

backend/src/ee/services/dynamic-secret/providers/github.ts

@@ -0,0 +1,133 @@
+import axios from "axios";
+import * as jwt from "jsonwebtoken";
+
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { DynamicSecretGithubSchema, TDynamicProviderFns } from "./models";
+
+interface GitHubInstallationTokenResponse {
+  token: string;
+  expires_at: string; // ISO 8601 timestamp e.g., "2024-01-15T12:00:00Z"
+  permissions?: Record<string, string>;
+  repository_selection?: string;
+}
+
+interface TGithubProviderInputs {
+  appId: number;
+  installationId: number;
+  privateKey: string;
+}
+
+export const GithubProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretGithubSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const $generateGitHubInstallationAccessToken = async (
+    credentials: TGithubProviderInputs
+  ): Promise<GitHubInstallationTokenResponse> => {
+    const { appId, installationId, privateKey } = credentials;
+
+    const nowInSeconds = Math.floor(Date.now() / 1000);
+    const jwtPayload = {
+      iat: nowInSeconds - 5,
+      exp: nowInSeconds + 60,
+      iss: String(appId)
+    };
+
+    let appJwt: string;
+    try {
+      appJwt = jwt.sign(jwtPayload, privateKey, { algorithm: "RS256" });
+    } catch (error) {
+      let message = "Failed to sign JWT.";
+      if (error instanceof jwt.JsonWebTokenError) {
+        message += ` JsonWebTokenError: ${error.message}`;
+      }
+      throw new InternalServerError({
+        message
+      });
+    }
+
+    const tokenUrl = `${IntegrationUrls.GITHUB_API_URL}/app/installations/${String(installationId)}/access_tokens`;
+
+    try {
+      const response = await axios.post<GitHubInstallationTokenResponse>(tokenUrl, undefined, {
+        headers: {
+          Authorization: `Bearer ${appJwt}`,
+          Accept: "application/vnd.github.v3+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      });
+
+      if (response.status === 201 && response.data.token) {
+        return response.data; // Includes token, expires_at, permissions, repository_selection
+      }
+
+      throw new InternalServerError({
+        message: `GitHub API responded with unexpected status ${response.status}: ${JSON.stringify(response.data)}`
+      });
+    } catch (error) {
+      let message = "Failed to fetch GitHub installation access token.";
+      if (axios.isAxiosError(error) && error.response) {
+        const githubErrorMsg =
+          (error.response.data as { message?: string })?.message || JSON.stringify(error.response.data);
+        message += ` GitHub API Error: ${error.response.status} - ${githubErrorMsg}`;
+
+        // Classify as BadRequestError for auth-related issues (401, 403, 404) which might be due to user input
+        if ([401, 403, 404].includes(error.response.status)) {
+          throw new BadRequestError({ message });
+        }
+      }
+
+      throw new InternalServerError({ message });
+    }
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    await $generateGitHubInstallationAccessToken(providerInputs);
+    return true;
+  };
+
+  const create = async (data: { inputs: unknown }) => {
+    const { inputs } = data;
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
+    const entityId = alphaNumericNanoId(32);
+
+    return {
+      entityId,
+      data: {
+        TOKEN: ghTokenData.token,
+        EXPIRES_AT: ghTokenData.expires_at,
+        PERMISSIONS: ghTokenData.permissions,
+        REPOSITORY_SELECTION: ghTokenData.repository_selection
+      }
+    };
+  };
+
+  const revoke = async () => {
+    // GitHub installation tokens cannot be revoked.
+    throw new BadRequestError({
+      message:
+        "Github dynamic secret does not support revocation because GitHub itself cannot revoke installation tokens"
+    });
+  };
+
+  const renew = async () => {
+    // No renewal
+    throw new BadRequestError({ message: "Github dynamic secret does not support renewal" });
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -7,6 +7,7 @@ import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
 import { GcpIamProvider } from "./gcp-iam";
+import { GithubProvider } from "./github";
 import { KubernetesProvider } from "./kubernetes";
 import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
@@ -44,5 +45,6 @@ export const buildDynamicSecretProviders = ({
   [DynamicSecretProviders.SapAse]: SapAseProvider(),
   [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService }),
   [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService }),
-  [DynamicSecretProviders.GcpIam]: GcpIamProvider()
+  [DynamicSecretProviders.GcpIam]: GcpIamProvider(),
+  [DynamicSecretProviders.Github]: GithubProvider()
 });

backend/src/ee/services/dynamic-secret/providers/kubernetes.ts

@@ -52,9 +52,8 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
       gatewayId: string;
       targetHost: string;
       targetPort: number;
-      caCert?: string;
+      httpsAgent?: https.Agent;
       reviewTokenThroughGateway: boolean;
-      enableSsl: boolean;
     },
     gatewayCallback: (host: string, port: number, httpsAgent?: https.Agent) => Promise<T>
   ): Promise<T> => {
@@ -85,10 +84,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
           key: relayDetails.privateKey.toString()
         },
         // we always pass this, because its needed for both tcp and http protocol
-        httpsAgent: new https.Agent({
-          ca: inputs.caCert,
-          rejectUnauthorized: inputs.enableSsl
-        })
+        httpsAgent: inputs.httpsAgent
       }
     );
 
@@ -311,6 +307,14 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
     const k8sHost = `${url.protocol}//${url.hostname}`;
 
     try {
+      const httpsAgent =
+        providerInputs.ca && providerInputs.sslEnabled
+          ? new https.Agent({
+              ca: providerInputs.ca,
+              rejectUnauthorized: true
+            })
+          : undefined;
+
       if (providerInputs.gatewayId) {
         if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
           await $gatewayProxyWrapper(
@@ -318,8 +322,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
               gatewayId: providerInputs.gatewayId,
               targetHost: k8sHost,
               targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
-              caCert: providerInputs.ca,
+              httpsAgent,
               reviewTokenThroughGateway: true
             },
             providerInputs.credentialType === KubernetesCredentialType.Static
@@ -332,8 +335,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
               gatewayId: providerInputs.gatewayId,
               targetHost: k8sGatewayHost,
               targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
-              caCert: providerInputs.ca,
+              httpsAgent,
               reviewTokenThroughGateway: false
             },
             providerInputs.credentialType === KubernetesCredentialType.Static
@@ -342,9 +344,9 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
           );
         }
       } else if (providerInputs.credentialType === KubernetesCredentialType.Static) {
-        await serviceAccountStaticCallback(k8sHost, k8sPort);
+        await serviceAccountStaticCallback(k8sHost, k8sPort, httpsAgent);
       } else {
-        await serviceAccountDynamicCallback(k8sHost, k8sPort);
+        await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
       }
 
       return true;
@@ -546,6 +548,15 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
 
     try {
       let tokenData;
+
+      const httpsAgent =
+        providerInputs.ca && providerInputs.sslEnabled
+          ? new https.Agent({
+              ca: providerInputs.ca,
+              rejectUnauthorized: true
+            })
+          : undefined;
+
       if (providerInputs.gatewayId) {
         if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
           tokenData = await $gatewayProxyWrapper(
@@ -553,8 +564,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
               gatewayId: providerInputs.gatewayId,
               targetHost: k8sHost,
               targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
-              caCert: providerInputs.ca,
+              httpsAgent,
               reviewTokenThroughGateway: true
             },
             providerInputs.credentialType === KubernetesCredentialType.Static
@@ -567,8 +577,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
               gatewayId: providerInputs.gatewayId,
               targetHost: k8sGatewayHost,
               targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
-              caCert: providerInputs.ca,
+              httpsAgent,
               reviewTokenThroughGateway: false
             },
             providerInputs.credentialType === KubernetesCredentialType.Static
@@ -579,8 +588,8 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
       } else {
         tokenData =
           providerInputs.credentialType === KubernetesCredentialType.Static
-            ? await tokenRequestStaticCallback(k8sHost, k8sPort)
-            : await serviceAccountDynamicCallback(k8sHost, k8sPort);
+            ? await tokenRequestStaticCallback(k8sHost, k8sPort, httpsAgent)
+            : await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
       }
 
       return {
@@ -684,6 +693,14 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
       const k8sPort = url.port ? Number(url.port) : 443;
       const k8sHost = `${url.protocol}//${url.hostname}`;
 
+      const httpsAgent =
+        providerInputs.ca && providerInputs.sslEnabled
+          ? new https.Agent({
+              ca: providerInputs.ca,
+              rejectUnauthorized: true
+            })
+          : undefined;
+
       if (providerInputs.gatewayId) {
         if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
           await $gatewayProxyWrapper(
@@ -691,8 +708,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
               gatewayId: providerInputs.gatewayId,
               targetHost: k8sHost,
               targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
-              caCert: providerInputs.ca,
+              httpsAgent,
               reviewTokenThroughGateway: true
             },
             serviceAccountDynamicCallback
@@ -703,15 +719,14 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
               gatewayId: providerInputs.gatewayId,
               targetHost: k8sGatewayHost,
               targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
-              caCert: providerInputs.ca,
+              httpsAgent,
               reviewTokenThroughGateway: false
             },
             serviceAccountDynamicCallback
           );
         }
       } else {
-        await serviceAccountDynamicCallback(k8sHost, k8sPort);
+        await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
       }
     }
 

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -477,6 +477,23 @@ export const DynamicSecretGcpIamSchema = z.object({
   serviceAccountEmail: z.string().email().trim().min(1, "Service account email required").max(128)
 });
 
+export const DynamicSecretGithubSchema = z.object({
+  appId: z.number().min(1).describe("The ID of your GitHub App."),
+  installationId: z.number().min(1).describe("The ID of the GitHub App installation."),
+  privateKey: z
+    .string()
+    .trim()
+    .min(1)
+    .refine(
+      (val) =>
+        new RE2(
+          /^-----BEGIN(?:(?: RSA| PGP| ENCRYPTED)? PRIVATE KEY)-----\s*[\s\S]*?-----END(?:(?: RSA| PGP| ENCRYPTED)? PRIVATE KEY)-----$/
+        ).test(val),
+      "Invalid PEM format for private key"
+    )
+    .describe("The private key generated for your GitHub App.")
+});
+
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
   Cassandra = "cassandra",
@@ -495,7 +512,8 @@ export enum DynamicSecretProviders {
   SapAse = "sap-ase",
   Kubernetes = "kubernetes",
   Vertica = "vertica",
-  GcpIam = "gcp-iam"
+  GcpIam = "gcp-iam",
+  Github = "github"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -516,7 +534,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -24,6 +24,7 @@ type TFindQueryFilter = {
   committer?: string;
   limit?: number;
   offset?: number;
+  search?: string;
 };
 
 export const secretApprovalRequestDALFactory = (db: TDbClient) => {
@@ -314,7 +315,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
                   .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
                   .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
             )
-            .andWhere((bd) => void bd.where(`${TableName.SecretApprovalPolicy}.deletedAt`, null))
             .select("status", `${TableName.SecretApprovalRequest}.id`)
             .groupBy(`${TableName.SecretApprovalRequest}.id`, "status")
             .count("status")
@@ -340,13 +340,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
   };
 
   const findByProjectId = async (
-    { status, limit = 20, offset = 0, projectId, committer, environment, userId }: TFindQueryFilter,
+    { status, limit = 20, offset = 0, projectId, committer, environment, userId, search }: TFindQueryFilter,
     tx?: Knex
   ) => {
     try {
       // akhilmhdh: If ever u wanted a 1 to so many relationship connected with pagination
       // this is the place u wanna look at.
-      const query = (tx || db.replicaNode())(TableName.SecretApprovalRequest)
+      const innerQuery = (tx || db.replicaNode())(TableName.SecretApprovalRequest)
         .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
         .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
         .join(
@@ -435,7 +435,30 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
           db.ref("lastName").withSchema("committerUser").as("committerUserLastName")
         )
-        .orderBy("createdAt", "desc");
+        .distinctOn(`${TableName.SecretApprovalRequest}.id`)
+        .as("inner");
+
+      const query = (tx || db)
+        .select("*")
+        .select(db.raw("count(*) OVER() as total_count"))
+        .from(innerQuery)
+        .orderBy("createdAt", "desc") as typeof innerQuery;
+
+      if (search) {
+        void query.where((qb) => {
+          void qb
+            .whereRaw(`CONCAT_WS(' ', ??, ??) ilike ?`, [
+              db.ref("firstName").withSchema("committerUser"),
+              db.ref("lastName").withSchema("committerUser"),
+              `%${search}%`
+            ])
+            .orWhereRaw(`?? ilike ?`, [db.ref("username").withSchema("committerUser"), `%${search}%`])
+            .orWhereRaw(`?? ilike ?`, [db.ref("email").withSchema("committerUser"), `%${search}%`])
+            .orWhereILike(`${TableName.Environment}.name`, `%${search}%`)
+            .orWhereILike(`${TableName.Environment}.slug`, `%${search}%`)
+            .orWhereILike(`${TableName.SecretApprovalPolicy}.secretPath`, `%${search}%`);
+        });
+      }
 
       const docs = await (tx || db)
         .with("w", query)
@@ -443,6 +466,10 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         .from<Awaited<typeof query>[number]>("w")
         .where("w.rank", ">=", offset)
         .andWhere("w.rank", "<", offset + limit);
+
+      // @ts-expect-error knex does not infer
+      const totalCount = Number(docs[0]?.total_count || 0);
+
       const formattedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
@@ -504,23 +531,26 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           }
         ]
       });
-      return formattedDoc.map((el) => ({
-        ...el,
-        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
-      }));
+      return {
+        approvals: formattedDoc.map((el) => ({
+          ...el,
+          policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
+        })),
+        totalCount
+      };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindSAR" });
     }
   };
 
   const findByProjectIdBridgeSecretV2 = async (
-    { status, limit = 20, offset = 0, projectId, committer, environment, userId }: TFindQueryFilter,
+    { status, limit = 20, offset = 0, projectId, committer, environment, userId, search }: TFindQueryFilter,
     tx?: Knex
   ) => {
     try {
       // akhilmhdh: If ever u wanted a 1 to so many relationship connected with pagination
       // this is the place u wanna look at.
-      const query = (tx || db.replicaNode())(TableName.SecretApprovalRequest)
+      const innerQuery = (tx || db.replicaNode())(TableName.SecretApprovalRequest)
         .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
         .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
         .join(
@@ -609,14 +639,42 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
           db.ref("lastName").withSchema("committerUser").as("committerUserLastName")
         )
-        .orderBy("createdAt", "desc");
+        .distinctOn(`${TableName.SecretApprovalRequest}.id`)
+        .as("inner");
 
+      const query = (tx || db)
+        .select("*")
+        .select(db.raw("count(*) OVER() as total_count"))
+        .from(innerQuery)
+        .orderBy("createdAt", "desc") as typeof innerQuery;
+
+      if (search) {
+        void query.where((qb) => {
+          void qb
+            .whereRaw(`CONCAT_WS(' ', ??, ??) ilike ?`, [
+              db.ref("firstName").withSchema("committerUser"),
+              db.ref("lastName").withSchema("committerUser"),
+              `%${search}%`
+            ])
+            .orWhereRaw(`?? ilike ?`, [db.ref("username").withSchema("committerUser"), `%${search}%`])
+            .orWhereRaw(`?? ilike ?`, [db.ref("email").withSchema("committerUser"), `%${search}%`])
+            .orWhereILike(`${TableName.Environment}.name`, `%${search}%`)
+            .orWhereILike(`${TableName.Environment}.slug`, `%${search}%`)
+            .orWhereILike(`${TableName.SecretApprovalPolicy}.secretPath`, `%${search}%`);
+        });
+      }
+
+      const rankOffset = offset + 1;
       const docs = await (tx || db)
         .with("w", query)
         .select("*")
         .from<Awaited<typeof query>[number]>("w")
-        .where("w.rank", ">=", offset)
-        .andWhere("w.rank", "<", offset + limit);
+        .where("w.rank", ">=", rankOffset)
+        .andWhere("w.rank", "<", rankOffset + limit);
+
+      // @ts-expect-error knex does not infer
+      const totalCount = Number(docs[0]?.total_count || 0);
+
       const formattedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
@@ -682,10 +740,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           }
         ]
       });
-      return formattedDoc.map((el) => ({
-        ...el,
-        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
-      }));
+      return {
+        approvals: formattedDoc.map((el) => ({
+          ...el,
+          policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
+        })),
+        totalCount
+      };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindSAR" });
     }

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -194,7 +194,8 @@ export const secretApprovalRequestServiceFactory = ({
     environment,
     committer,
     limit,
-    offset
+    offset,
+    search
   }: TListApprovalsDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
@@ -208,6 +209,7 @@ export const secretApprovalRequestServiceFactory = ({
     });
 
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
+
     if (shouldUseSecretV2Bridge) {
       return secretApprovalRequestDAL.findByProjectIdBridgeSecretV2({
         projectId,
@@ -216,19 +218,21 @@ export const secretApprovalRequestServiceFactory = ({
         status,
         userId: actorId,
         limit,
-        offset
+        offset,
+        search
       });
     }
-    const approvals = await secretApprovalRequestDAL.findByProjectId({
+
+    return secretApprovalRequestDAL.findByProjectId({
       projectId,
       committer,
       environment,
       status,
       userId: actorId,
       limit,
-      offset
+      offset,
+      search
     });
-    return approvals;
   };
 
   const getSecretApprovalDetails = async ({

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -93,6 +93,7 @@ export type TListApprovalsDTO = {
   committer?: string;
   limit?: number;
   offset?: number;
+  search?: string;
 } & TProjectPermission;
 
 export type TSecretApprovalDetailsDTO = {

backend/src/keystore/keystore.ts

@@ -11,7 +11,8 @@ export const PgSqlLock = {
   OrgGatewayRootCaInit: (orgId: string) => pgAdvisoryLockHashText(`org-gateway-root-ca:${orgId}`),
   OrgGatewayCertExchange: (orgId: string) => pgAdvisoryLockHashText(`org-gateway-cert-exchange:${orgId}`),
   SecretRotationV2Creation: (folderId: string) => pgAdvisoryLockHashText(`secret-rotation-v2-creation:${folderId}`),
-  CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`)
+  CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`),
+  CreateFolder: (envId: string, projectId: string) => pgAdvisoryLockHashText(`create-folder:${envId}-${projectId}`)
 } as const;
 
 // all the key prefixes used must be set here to avoid conflict

backend/src/lib/api-docs/constants.ts

@@ -2401,6 +2401,10 @@ export const SecretSyncs = {
     },
     FLYIO: {
       appId: "The ID of the Fly.io app to sync secrets to."
+    },
+    CLOUDFLARE_PAGES: {
+      projectName: "The name of the Cloudflare Pages project to sync secrets to.",
+      environment: "The environment of the Cloudflare Pages project to sync secrets to."
     }
   }
 };

backend/src/lib/fn/time.ts

@@ -19,3 +19,5 @@ export const getMinExpiresIn = (exp1: string | number, exp2: string | number): s
 
   return ms1 <= ms2 ? exp1 : exp2;
 };
+
+export const convertMsToSecond = (time: number) => time / 1000;

backend/src/lib/types/index.ts

@@ -1,3 +1,4 @@
+import { TDynamicSecrets } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 
 export type TGenericPermission = {
@@ -84,3 +85,7 @@ export enum QueueWorkerProfile {
   Standard = "standard",
   SecretScanning = "secret-scanning"
 }
+
+export interface TDynamicSecretWithMetadata extends TDynamicSecrets {
+  metadata: { id: string; key: string; value: string }[];
+}

backend/src/queue/queue-service.ts

@@ -377,6 +377,7 @@ export type TQueueServiceFactory = {
   stopRepeatableJobByKey: <T extends QueueName>(name: T, repeatJobKey: string) => Promise<boolean>;
   clearQueue: (name: QueueName) => Promise<void>;
   stopJobById: <T extends QueueName>(name: T, jobId: string) => Promise<void | undefined>;
+  stopJobByIdPg: <T extends QueueName>(name: T, jobId: string) => Promise<void | undefined>;
   getRepeatableJobs: (
     name: QueueName,
     startOffset?: number,
@@ -542,6 +543,10 @@ export const queueServiceFactory = (
     return q.removeRepeatableByKey(repeatJobKey);
   };
 
+  const stopJobByIdPg: TQueueServiceFactory["stopJobByIdPg"] = async (name, jobId) => {
+    await pgBoss.deleteJob(name, jobId);
+  };
+
   const stopJobById: TQueueServiceFactory["stopJobById"] = async (name, jobId) => {
     const q = queueContainer[name];
     const job = await q.getJob(jobId);
@@ -568,6 +573,7 @@ export const queueServiceFactory = (
     stopRepeatableJobByKey,
     clearQueue,
     stopJobById,
+    stopJobByIdPg,
     getRepeatableJobs,
     startPg,
     queuePg,

backend/src/server/routes/index.ts

@@ -1903,6 +1903,7 @@ export const registerRoutes = async (
   await pkiSubscriberQueue.startDailyAutoRenewalJob();
   await kmsService.startService();
   await microsoftTeamsService.start();
+  await dynamicSecretQueueService.init();
 
   // inject all services
   server.decorate<FastifyZodProvider["services"]>("services", {
@@ -2020,10 +2021,16 @@ export const registerRoutes = async (
     if (licenseSyncJob) {
       cronJobs.push(licenseSyncJob);
     }
+
     const microsoftTeamsSyncJob = await microsoftTeamsService.initializeBackgroundSync();
     if (microsoftTeamsSyncJob) {
       cronJobs.push(microsoftTeamsSyncJob);
     }
+
+    const adminIntegrationsSyncJob = await superAdminService.initializeAdminIntegrationConfigSync();
+    if (adminIntegrationsSyncJob) {
+      cronJobs.push(adminIntegrationsSyncJob);
+    }
   }
 
   server.decorate<FastifyZodProvider["store"]>("store", {

backend/src/server/routes/v1/admin-router.ts

@@ -37,7 +37,12 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             encryptedSlackClientSecret: true,
             encryptedMicrosoftTeamsAppId: true,
             encryptedMicrosoftTeamsClientSecret: true,
-            encryptedMicrosoftTeamsBotId: true
+            encryptedMicrosoftTeamsBotId: true,
+            encryptedGitHubAppConnectionClientId: true,
+            encryptedGitHubAppConnectionClientSecret: true,
+            encryptedGitHubAppConnectionSlug: true,
+            encryptedGitHubAppConnectionId: true,
+            encryptedGitHubAppConnectionPrivateKey: true
           }).extend({
             isMigrationModeOn: z.boolean(),
             defaultAuthOrgSlug: z.string().nullable(),
@@ -87,6 +92,11 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
         microsoftTeamsAppId: z.string().optional(),
         microsoftTeamsClientSecret: z.string().optional(),
         microsoftTeamsBotId: z.string().optional(),
+        gitHubAppConnectionClientId: z.string().optional(),
+        gitHubAppConnectionClientSecret: z.string().optional(),
+        gitHubAppConnectionSlug: z.string().optional(),
+        gitHubAppConnectionId: z.string().optional(),
+        gitHubAppConnectionPrivateKey: z.string().optional(),
         authConsentContent: z
           .string()
           .trim()
@@ -348,6 +358,13 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             appId: z.string(),
             clientSecret: z.string(),
             botId: z.string()
+          }),
+          gitHubAppConnection: z.object({
+            clientId: z.string(),
+            clientSecret: z.string(),
+            appSlug: z.string(),
+            appId: z.string(),
+            privateKey: z.string()
           })
         })
       }

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -80,6 +80,10 @@ import {
   WindmillConnectionListItemSchema
 } from "@app/services/app-connection/windmill";
 import { AuthMode } from "@app/services/auth/auth-type";
+import {
+  CloudflareConnectionListItemSchema,
+  SanitizedCloudflareConnectionSchema
+} from "@app/services/app-connection/cloudflare/cloudflare-connection-schema";
 
 // can't use discriminated due to multiple schemas for certain apps
 const SanitizedAppConnectionSchema = z.union([
@@ -109,7 +113,8 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedOnePassConnectionSchema.options,
   ...SanitizedHerokuConnectionSchema.options,
   ...SanitizedRenderConnectionSchema.options,
-  ...SanitizedFlyioConnectionSchema.options
+  ...SanitizedFlyioConnectionSchema.options,
+  ...SanitizedCloudflareConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -139,7 +144,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   OnePassConnectionListItemSchema,
   HerokuConnectionListItemSchema,
   RenderConnectionListItemSchema,
-  FlyioConnectionListItemSchema
+  FlyioConnectionListItemSchema,
+  CloudflareConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/cloudflare-connection-router.ts

@@ -0,0 +1,53 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateCloudflareConnectionSchema,
+  SanitizedCloudflareConnectionSchema,
+  UpdateCloudflareConnectionSchema
+} from "@app/services/app-connection/cloudflare/cloudflare-connection-schema";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerCloudflareConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Cloudflare,
+    server,
+    sanitizedResponseSchema: SanitizedCloudflareConnectionSchema,
+    createSchema: CreateCloudflareConnectionSchema,
+    updateSchema: UpdateCloudflareConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/cloudflare-pages-projects`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const projects = await server.services.appConnection.cloudflare.listPagesProjects(connectionId, req.permission);
+
+      return projects;
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -27,6 +27,7 @@ import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
 import { registerVercelConnectionRouter } from "./vercel-connection-router";
 import { registerWindmillConnectionRouter } from "./windmill-connection-router";
+import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 
 export * from "./app-connection-router";
 
@@ -58,5 +59,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.OnePass]: registerOnePassConnectionRouter,
     [AppConnection.Heroku]: registerHerokuConnectionRouter,
     [AppConnection.Render]: registerRenderConnectionRouter,
-    [AppConnection.Flyio]: registerFlyioConnectionRouter
+    [AppConnection.Flyio]: registerFlyioConnectionRouter,
+    [AppConnection.Cloudflare]: registerCloudflareConnectionRouter
   };

backend/src/server/routes/v1/invite-org-router.ts

@@ -83,7 +83,7 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: smtpRateLimit({
         keyGenerator: (req) =>
-          (req.body as { membershipId?: string })?.membershipId?.trim().substring(0, 100) ?? req.realIp
+          (req.body as { membershipId?: string })?.membershipId?.trim().substring(0, 100) || req.realIp
       })
     },
     method: "POST",

backend/src/server/routes/v1/password-router.ts

@@ -81,7 +81,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
     url: "/email/password-reset",
     config: {
       rateLimit: smtpRateLimit({
-        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) ?? req.realIp
+        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) || req.realIp
       })
     },
     schema: {
@@ -107,7 +107,9 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/email/password-reset-verify",
     config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
+        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) || req.realIp
+      })
     },
     schema: {
       body: z.object({

backend/src/server/routes/v1/secret-sync-routers/cloudflare-pages-sync-router.ts

@@ -0,0 +1,16 @@
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+import {
+  CloudflarePagesSyncSchema,
+  CreateCloudflarePagesSyncSchema,
+  UpdateCloudflarePagesSyncSchema
+} from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
+
+export const registerCloudflarePagesSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.CloudflarePages,
+    server,
+    responseSchema: CloudflarePagesSyncSchema,
+    createSchema: CreateCloudflarePagesSyncSchema,
+    updateSchema: UpdateCloudflarePagesSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -8,6 +8,7 @@ import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configurati
 import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
+import { registerCloudflarePagesSyncRouter } from "./cloudflare-pages-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
@@ -43,5 +44,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.OnePass]: registerOnePassSyncRouter,
   [SecretSync.Heroku]: registerHerokuSyncRouter,
   [SecretSync.Render]: registerRenderSyncRouter,
-  [SecretSync.Flyio]: registerFlyioSyncRouter
+  [SecretSync.Flyio]: registerFlyioSyncRouter,
+  [SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -34,6 +34,10 @@ import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/se
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
 import { WindmillSyncListItemSchema, WindmillSyncSchema } from "@app/services/secret-sync/windmill";
+import {
+  CloudflarePagesSyncListItemSchema,
+  CloudflarePagesSyncSchema
+} from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
 
 const SecretSyncSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncSchema,
@@ -55,7 +59,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   OnePassSyncSchema,
   HerokuSyncSchema,
   RenderSyncSchema,
-  FlyioSyncSchema
+  FlyioSyncSchema,
+  CloudflarePagesSyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -78,7 +83,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   OnePassSyncListItemSchema,
   HerokuSyncListItemSchema,
   RenderSyncListItemSchema,
-  FlyioSyncListItemSchema
+  FlyioSyncListItemSchema,
+  CloudflarePagesSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v2/user-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { AuthTokenSessionsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
 import { ApiKeysSchema } from "@app/db/schemas/api-keys";
-import { authRateLimit, readLimit, smtpRateLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, smtpRateLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMethod, AuthMode, MfaMethod } from "@app/services/auth/auth-type";
 import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";
@@ -13,7 +13,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
     url: "/me/emails/code",
     config: {
       rateLimit: smtpRateLimit({
-        keyGenerator: (req) => (req.body as { username?: string })?.username?.trim().substring(0, 100) ?? req.realIp
+        keyGenerator: (req) => (req.body as { username?: string })?.username?.trim().substring(0, 100) || req.realIp
       })
     },
     schema: {
@@ -34,7 +34,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/me/emails/verify",
     config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
+        keyGenerator: (req) => (req.body as { username?: string })?.username?.trim().substring(0, 100) || req.realIp
+      })
     },
     schema: {
       body: z.object({

backend/src/server/routes/v3/secret-router.ts

@@ -4,7 +4,7 @@ import { z } from "zod";
 import { SecretApprovalRequestsSchema, SecretsSchema, SecretType, ServiceTokenScopes } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { secretsLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { BaseSecretNameSchema, SecretNameSchema } from "@app/server/lib/schemas";
@@ -12,7 +12,6 @@ import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
-import { ProjectFilterType } from "@app/services/project/project-types";
 import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations, SecretProtectionType } from "@app/services/secret/secret-types";
 import { SecretUpdateMode } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
@@ -286,22 +285,17 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           environment = scope[0].environment;
           workspaceId = req.auth.serviceToken.projectId;
         }
-      } else if (req.permission.type === ActorType.IDENTITY && req.query.workspaceSlug && !workspaceId) {
-        const workspace = await server.services.project.getAProject({
-          filter: {
-            type: ProjectFilterType.SLUG,
-            orgId: req.permission.orgId,
-            slug: req.query.workspaceSlug
-          },
+      } else {
+        const projectId = await server.services.project.extractProjectIdFromSlug({
+          projectSlug: req.query.workspaceSlug,
+          projectId: workspaceId,
           actorId: req.permission.id,
           actorAuthMethod: req.permission.authMethod,
           actor: req.permission.type,
           actorOrgId: req.permission.orgId
         });
 
-        if (!workspace) throw new NotFoundError({ message: `No project found with slug ${req.query.workspaceSlug}` });
-
-        workspaceId = workspace.id;
+        workspaceId = projectId;
       }
 
       if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
@@ -442,11 +436,23 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           environment = scope[0].environment;
           workspaceId = req.auth.serviceToken.projectId;
         }
+      } else {
+        const projectId = await server.services.project.extractProjectIdFromSlug({
+          projectSlug: workspaceSlug,
+          projectId: workspaceId,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actor: req.permission.type,
+          actorOrgId: req.permission.orgId
+        });
+
+        workspaceId = projectId;
       }
 
       if (!environment) throw new BadRequestError({ message: "Missing environment" });
-      if (!workspaceId && !workspaceSlug)
+      if (!workspaceId) {
         throw new BadRequestError({ message: "You must provide workspaceSlug or workspaceId" });
+      }
 
       const secret = await server.services.secret.getSecretByNameRaw({
         actorId: req.permission.id,
@@ -457,7 +463,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         environment,
         projectId: workspaceId,
         viewSecretValue: req.query.viewSecretValue,
-        projectSlug: workspaceSlug,
         path: secretPath,
         secretName: req.params.secretName,
         type: req.query.type,
@@ -518,7 +523,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretName: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName)
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.CREATE.workspaceId),
+        projectSlug: z.string().trim().optional().describe(RAW_SECRETS.CREATE.projectSlug),
         environment: z.string().trim().describe(RAW_SECRETS.CREATE.environment),
         secretPath: z
           .string()
@@ -558,13 +564,22 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const projectId = await server.services.project.extractProjectIdFromSlug({
+        projectSlug: req.body.projectSlug,
+        projectId: req.body.workspaceId,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId
+      });
+
       const secretOperation = await server.services.secret.createSecretRaw({
         actorId: req.permission.id,
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         environment: req.body.environment,
         actorAuthMethod: req.permission.authMethod,
-        projectId: req.body.workspaceId,
+        projectId,
         secretPath: req.body.secretPath,
         secretName: req.params.secretName,
         type: req.body.type,
@@ -582,7 +597,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       const { secret } = secretOperation;
       await server.services.auditLog.createAuditLog({
-        projectId: req.body.workspaceId,
+        projectId,
         ...req.auditLogInfo,
         event: {
           type: EventType.CREATE_SECRET,
@@ -602,7 +617,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
-          workspaceId: req.body.workspaceId,
+          workspaceId: projectId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
           channel: getUserAgentType(req.headers["user-agent"]),
@@ -633,7 +648,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretName: BaseSecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName)
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.workspaceId),
+        projectSlug: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.projectSlug),
         environment: z.string().trim().describe(RAW_SECRETS.UPDATE.environment),
         secretValue: z
           .string()
@@ -679,13 +695,22 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const projectId = await server.services.project.extractProjectIdFromSlug({
+        projectSlug: req.body.projectSlug,
+        projectId: req.body.workspaceId,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId
+      });
+
       const secretOperation = await server.services.secret.updateSecretRaw({
         actorId: req.permission.id,
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         environment: req.body.environment,
-        projectId: req.body.workspaceId,
+        projectId,
         secretPath: req.body.secretPath,
         secretName: req.params.secretName,
         type: req.body.type,
@@ -707,7 +732,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       const { secret } = secretOperation;
 
       await server.services.auditLog.createAuditLog({
-        projectId: req.body.workspaceId,
+        projectId,
         ...req.auditLogInfo,
         event: {
           type: EventType.UPDATE_SECRET,
@@ -727,7 +752,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
-          workspaceId: req.body.workspaceId,
+          workspaceId: projectId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
           channel: getUserAgentType(req.headers["user-agent"]),
@@ -757,7 +782,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretName: z.string().min(1).describe(RAW_SECRETS.DELETE.secretName)
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.DELETE.workspaceId),
+        projectSlug: z.string().trim().optional().describe(RAW_SECRETS.DELETE.projectSlug),
         environment: z.string().trim().describe(RAW_SECRETS.DELETE.environment),
         secretPath: z
           .string()
@@ -780,13 +806,22 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const projectId = await server.services.project.extractProjectIdFromSlug({
+        projectSlug: req.body.projectSlug,
+        projectId: req.body.workspaceId,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId
+      });
+
       const secretOperation = await server.services.secret.deleteSecretRaw({
         actorId: req.permission.id,
         actor: req.permission.type,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         environment: req.body.environment,
-        projectId: req.body.workspaceId,
+        projectId,
         secretPath: req.body.secretPath,
         secretName: req.params.secretName,
         type: req.body.type
@@ -798,7 +833,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       const { secret } = secretOperation;
 
       await server.services.auditLog.createAuditLog({
-        projectId: req.body.workspaceId,
+        projectId,
         ...req.auditLogInfo,
         event: {
           type: EventType.DELETE_SECRET,
@@ -817,7 +852,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
-          workspaceId: req.body.workspaceId,
+          workspaceId: projectId,
           environment: req.body.environment,
           secretPath: req.body.secretPath,
           channel: getUserAgentType(req.headers["user-agent"]),

backend/src/server/routes/v3/signup-router.ts

@@ -14,7 +14,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     config: {
       rateLimit: smtpRateLimit({
-        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) ?? req.realIp
+        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) || req.realIp
       })
     },
     schema: {
@@ -55,7 +55,9 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
     url: "/email/verify",
     method: "POST",
     config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
+        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) || req.realIp
+      })
     },
     schema: {
       body: z.object({

backend/src/services/app-connection/app-connection-enums.ts

@@ -25,7 +25,8 @@ export enum AppConnection {
   OnePass = "1password",
   Heroku = "heroku",
   Render = "render",
-  Flyio = "flyio"
+  Flyio = "flyio",
+  Cloudflare = "cloudflare"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -99,6 +99,11 @@ import {
   validateWindmillConnectionCredentials,
   WindmillConnectionMethod
 } from "./windmill";
+import {
+  getCloudflareConnectionListItem,
+  validateCloudflareConnectionCredentials
+} from "./cloudflare/cloudflare-connection-fns";
+import { CloudflareConnectionMethod } from "./cloudflare/cloudflare-connection-enum";
 
 export const listAppConnectionOptions = () => {
   return [
@@ -128,7 +133,8 @@ export const listAppConnectionOptions = () => {
     getOnePassConnectionListItem(),
     getHerokuConnectionListItem(),
     getRenderConnectionListItem(),
-    getFlyioConnectionListItem()
+    getFlyioConnectionListItem(),
+    getCloudflareConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -206,7 +212,8 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.OnePass]: validateOnePassConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Heroku]: validateHerokuConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Render]: validateRenderConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
   return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -241,6 +248,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case TerraformCloudConnectionMethod.ApiToken:
     case VercelConnectionMethod.ApiToken:
     case OnePassConnectionMethod.ApiToken:
+    case CloudflareConnectionMethod.APIToken:
       return "API Token";
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
@@ -318,7 +326,8 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.OnePass]: platformManagedCredentialsNotSupported,
   [AppConnection.Heroku]: platformManagedCredentialsNotSupported,
   [AppConnection.Render]: platformManagedCredentialsNotSupported,
-  [AppConnection.Flyio]: platformManagedCredentialsNotSupported
+  [AppConnection.Flyio]: platformManagedCredentialsNotSupported,
+  [AppConnection.Cloudflare]: platformManagedCredentialsNotSupported
 };
 
 export const enterpriseAppCheck = async (

backend/src/services/app-connection/app-connection-maps.ts

@@ -27,7 +27,8 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.OnePass]: "1Password",
   [AppConnection.Heroku]: "Heroku",
   [AppConnection.Render]: "Render",
-  [AppConnection.Flyio]: "Fly.io"
+  [AppConnection.Flyio]: "Fly.io",
+  [AppConnection.Cloudflare]: "Cloudflare"
 };
 
 export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@@ -57,5 +58,6 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.MySql]: AppConnectionPlanType.Regular,
   [AppConnection.Heroku]: AppConnectionPlanType.Regular,
   [AppConnection.Render]: AppConnectionPlanType.Regular,
-  [AppConnection.Flyio]: AppConnectionPlanType.Regular
+  [AppConnection.Flyio]: AppConnectionPlanType.Regular,
+  [AppConnection.Cloudflare]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -47,6 +47,8 @@ import { azureDevOpsConnectionService } from "./azure-devops/azure-devops-servic
 import { ValidateAzureKeyVaultConnectionCredentialsSchema } from "./azure-key-vault";
 import { ValidateCamundaConnectionCredentialsSchema } from "./camunda";
 import { camundaConnectionService } from "./camunda/camunda-connection-service";
+import { ValidateCloudflareConnectionCredentialsSchema } from "./cloudflare/cloudflare-connection-schema";
+import { cloudflareConnectionService } from "./cloudflare/cloudflare-connection-service";
 import { ValidateDatabricksConnectionCredentialsSchema } from "./databricks";
 import { databricksConnectionService } from "./databricks/databricks-connection-service";
 import { ValidateFlyioConnectionCredentialsSchema } from "./flyio";
@@ -113,7 +115,8 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.OnePass]: ValidateOnePassConnectionCredentialsSchema,
   [AppConnection.Heroku]: ValidateHerokuConnectionCredentialsSchema,
   [AppConnection.Render]: ValidateRenderConnectionCredentialsSchema,
-  [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema
+  [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema,
+  [AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
@@ -521,6 +524,7 @@ export const appConnectionServiceFactory = ({
     onepass: onePassConnectionService(connectAppConnectionById),
     heroku: herokuConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
     render: renderConnectionService(connectAppConnectionById),
+    cloudflare: cloudflareConnectionService(connectAppConnectionById),
     flyio: flyioConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -153,6 +153,12 @@ import {
   TWindmillConnectionConfig,
   TWindmillConnectionInput
 } from "./windmill";
+import {
+  TCloudflareConnection,
+  TCloudflareConnectionConfig,
+  TCloudflareConnectionInput,
+  TValidateCloudflareConnectionCredentialsSchema
+} from "./cloudflare/cloudflare-connection-types";
 
 export type TAppConnection = { id: string } & (
   | TAwsConnection
@@ -182,6 +188,7 @@ export type TAppConnection = { id: string } & (
   | THerokuConnection
   | TRenderConnection
   | TFlyioConnection
+  | TCloudflareConnection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -216,6 +223,7 @@ export type TAppConnectionInput = { id: string } & (
   | THerokuConnectionInput
   | TRenderConnectionInput
   | TFlyioConnectionInput
+  | TCloudflareConnectionInput
 );
 
 export type TSqlConnectionInput =
@@ -257,7 +265,8 @@ export type TAppConnectionConfig =
   | TOnePassConnectionConfig
   | THerokuConnectionConfig
   | TRenderConnectionConfig
-  | TFlyioConnectionConfig;
+  | TFlyioConnectionConfig
+  | TCloudflareConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
   | TValidateAwsConnectionCredentialsSchema
@@ -286,7 +295,8 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateOnePassConnectionCredentialsSchema
   | TValidateHerokuConnectionCredentialsSchema
   | TValidateRenderConnectionCredentialsSchema
-  | TValidateFlyioConnectionCredentialsSchema;
+  | TValidateFlyioConnectionCredentialsSchema
+  | TValidateCloudflareConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;

backend/src/services/app-connection/cloudflare/cloudflare-connection-enum.ts

@@ -0,0 +1,3 @@
+export enum CloudflareConnectionMethod {
+  APIToken = "api-token"
+}

backend/src/services/app-connection/cloudflare/cloudflare-connection-fns.ts

@@ -0,0 +1,75 @@
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { CloudflareConnectionMethod } from "./cloudflare-connection-enum";
+import {
+  TCloudflareConnection,
+  TCloudflareConnectionConfig,
+  TCloudflarePagesProject
+} from "./cloudflare-connection-types";
+
+export const getCloudflareConnectionListItem = () => {
+  return {
+    name: "Cloudflare" as const,
+    app: AppConnection.Cloudflare as const,
+    methods: Object.values(CloudflareConnectionMethod) as [CloudflareConnectionMethod.APIToken]
+  };
+};
+
+export const listCloudflarePagesProjects = async (
+  appConnection: TCloudflareConnection
+): Promise<TCloudflarePagesProject[]> => {
+  const {
+    credentials: { apiToken, accountId }
+  } = appConnection;
+
+  const { data } = await request.get<{ result: { name: string; id: string }[] }>(
+    `${IntegrationUrls.CLOUDFLARE_API_URL}/client/v4/accounts/${accountId}/pages/projects`,
+    {
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        Accept: "application/json"
+      }
+    }
+  );
+
+  return data.result.map((a) => ({
+    name: a.name,
+    id: a.id
+  }));
+};
+
+export const validateCloudflareConnectionCredentials = async (config: TCloudflareConnectionConfig) => {
+  const { apiToken, accountId } = config.credentials;
+
+  try {
+    const resp = await request.get(`${IntegrationUrls.CLOUDFLARE_API_URL}/client/v4/accounts/${accountId}`, {
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        Accept: "application/json"
+      }
+    });
+
+    if (resp.data === null) {
+      throw new BadRequestError({
+        message: "Unable to validate connection: Invalid API token provided."
+      });
+    }
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+        message: `Failed to validate credentials: ${error.response?.data?.errors?.[0]?.message || error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  return config.credentials;
+};

backend/src/services/app-connection/cloudflare/cloudflare-connection-schema.ts

@@ -0,0 +1,74 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { CloudflareConnectionMethod } from "./cloudflare-connection-enum";
+import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
+
+const accountIdCharacterValidator = characterValidator([
+  CharacterType.AlphaNumeric,
+  CharacterType.Underscore,
+  CharacterType.Hyphen
+]);
+
+export const CloudflareConnectionApiTokenCredentialsSchema = z.object({
+  accountId: z
+    .string()
+    .trim()
+    .min(1, "Account ID required")
+    .max(256, "Account ID cannot exceed 256 characters")
+    .refine(
+      (val) => accountIdCharacterValidator(val),
+      "Account ID can only contain alphanumeric characters, underscores, and hyphens"
+    ),
+  apiToken: z.string().trim().min(1, "API token required").max(256, "API token cannot exceed 256 characters")
+});
+
+const BaseCloudflareConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Cloudflare) });
+
+export const CloudflareConnectionSchema = BaseCloudflareConnectionSchema.extend({
+  method: z.literal(CloudflareConnectionMethod.APIToken),
+  credentials: CloudflareConnectionApiTokenCredentialsSchema
+});
+
+export const SanitizedCloudflareConnectionSchema = z.discriminatedUnion("method", [
+  BaseCloudflareConnectionSchema.extend({
+    method: z.literal(CloudflareConnectionMethod.APIToken),
+    credentials: CloudflareConnectionApiTokenCredentialsSchema.pick({ accountId: true })
+  })
+]);
+
+export const ValidateCloudflareConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(CloudflareConnectionMethod.APIToken)
+      .describe(AppConnections.CREATE(AppConnection.Cloudflare).method),
+    credentials: CloudflareConnectionApiTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Cloudflare).credentials
+    )
+  })
+]);
+
+export const CreateCloudflareConnectionSchema = ValidateCloudflareConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Cloudflare)
+);
+
+export const UpdateCloudflareConnectionSchema = z
+  .object({
+    credentials: CloudflareConnectionApiTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Cloudflare).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Cloudflare));
+
+export const CloudflareConnectionListItemSchema = z.object({
+  name: z.literal("Cloudflare"),
+  app: z.literal(AppConnection.Cloudflare),
+  methods: z.nativeEnum(CloudflareConnectionMethod).array()
+});

backend/src/services/app-connection/cloudflare/cloudflare-connection-service.ts

@@ -0,0 +1,30 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listCloudflarePagesProjects } from "./cloudflare-connection-fns";
+import { TCloudflareConnection } from "./cloudflare-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TCloudflareConnection>;
+
+export const cloudflareConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listPagesProjects = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Cloudflare, connectionId, actor);
+    try {
+      const projects = await listCloudflarePagesProjects(appConnection);
+
+      return projects;
+    } catch (error) {
+      logger.error(error, "Failed to list Cloudflare Pages projects for Cloudflare connection");
+      return [];
+    }
+  };
+
+  return {
+    listPagesProjects
+  };
+};

backend/src/services/app-connection/cloudflare/cloudflare-connection-types.ts

@@ -0,0 +1,30 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CloudflareConnectionSchema,
+  CreateCloudflareConnectionSchema,
+  ValidateCloudflareConnectionCredentialsSchema
+} from "./cloudflare-connection-schema";
+
+export type TCloudflareConnection = z.infer<typeof CloudflareConnectionSchema>;
+
+export type TCloudflareConnectionInput = z.infer<typeof CreateCloudflareConnectionSchema> & {
+  app: AppConnection.Cloudflare;
+};
+
+export type TValidateCloudflareConnectionCredentialsSchema = typeof ValidateCloudflareConnectionCredentialsSchema;
+
+export type TCloudflareConnectionConfig = DiscriminativePick<
+  TCloudflareConnectionInput,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
+
+export type TCloudflarePagesProject = {
+  id: string;
+  name: string;
+};

backend/src/services/app-connection/github/github-connection-fns.ts

@@ -7,6 +7,7 @@ import { request } from "@app/lib/config/request";
 import { BadRequestError, ForbiddenRequestError, InternalServerError } from "@app/lib/errors";
 import { getAppConnectionMethodName } from "@app/services/app-connection/app-connection-fns";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { getInstanceIntegrationsConfig } from "@app/services/super-admin/super-admin-service";
 
 import { AppConnection } from "../app-connection-enums";
 import { GitHubConnectionMethod } from "./github-connection-enums";
@@ -14,13 +15,14 @@ import { TGitHubConnection, TGitHubConnectionConfig } from "./github-connection-
 
 export const getGitHubConnectionListItem = () => {
   const { INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITHUB_APP_SLUG } = getConfig();
+  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
 
   return {
     name: "GitHub" as const,
     app: AppConnection.GitHub as const,
     methods: Object.values(GitHubConnectionMethod) as [GitHubConnectionMethod.App, GitHubConnectionMethod.OAuth],
     oauthClientId: INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
-    appClientSlug: INF_APP_CONNECTION_GITHUB_APP_SLUG
+    appClientSlug: gitHubAppConnection.appSlug || INF_APP_CONNECTION_GITHUB_APP_SLUG
   };
 };
 
@@ -30,23 +32,24 @@ export const getGitHubClient = (appConnection: TGitHubConnection) => {
   const { method, credentials } = appConnection;
 
   let client: Octokit;
+  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
+
+  const appId = gitHubAppConnection.appId || appCfg.INF_APP_CONNECTION_GITHUB_APP_ID;
+  const appPrivateKey = gitHubAppConnection.privateKey || appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY;
 
   switch (method) {
     case GitHubConnectionMethod.App:
-      if (!appCfg.INF_APP_CONNECTION_GITHUB_APP_ID || !appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY) {
+      if (!appId || !appPrivateKey) {
         throw new InternalServerError({
-          message: `GitHub ${getAppConnectionMethodName(method).replace(
-            "GitHub",
-            ""
-          )} environment variables have not been configured`
+          message: `GitHub ${getAppConnectionMethodName(method).replace("GitHub", "")} has not been configured`
         });
       }
 
       client = new Octokit({
         authStrategy: createAppAuth,
         auth: {
-          appId: appCfg.INF_APP_CONNECTION_GITHUB_APP_ID,
-          privateKey: appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY,
+          appId,
+          privateKey: appPrivateKey,
           installationId: credentials.installationId
         }
       });
@@ -154,6 +157,8 @@ type TokenRespData = {
 export const validateGitHubConnectionCredentials = async (config: TGitHubConnectionConfig) => {
   const { credentials, method } = config;
 
+  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
+
   const {
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET,
@@ -165,8 +170,8 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
   const { clientId, clientSecret } =
     method === GitHubConnectionMethod.App
       ? {
-          clientId: INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
-          clientSecret: INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET
+          clientId: gitHubAppConnection.clientId || INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
+          clientSecret: gitHubAppConnection.clientSecret || INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET
         }
       : // oauth
         {

backend/src/services/integration-auth/integration-list.ts

@@ -84,6 +84,8 @@ export enum IntegrationUrls {
   QOVERY_API_URL = "https://api.qovery.com",
   TERRAFORM_CLOUD_API_URL = "https://app.terraform.io",
   CLOUDFLARE_PAGES_API_URL = "https://api.cloudflare.com",
+  // eslint-disable-next-line @typescript-eslint/no-duplicate-enum-values
+  CLOUDFLARE_API_URL = "https://api.cloudflare.com",
   // eslint-disable-next-line
   CLOUDFLARE_WORKERS_API_URL = "https://api.cloudflare.com",
   BITBUCKET_API_URL = "https://api.bitbucket.org",

backend/src/services/project/project-service.ts

@@ -42,7 +42,7 @@ import { TProjectPermission } from "@app/lib/types";
 import { TQueueServiceFactory } from "@app/queue";
 import { TPkiSubscriberDALFactory } from "@app/services/pki-subscriber/pki-subscriber-dal";
 
-import { ActorType } from "../auth/auth-type";
+import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 import { TCertificateDALFactory } from "../certificate/certificate-dal";
 import { TCertificateAuthorityDALFactory } from "../certificate-authority/certificate-authority-dal";
 import { expandInternalCa } from "../certificate-authority/certificate-authority-fns";
@@ -82,6 +82,7 @@ import { assignWorkspaceKeysToMembers, bootstrapSshProject, createProjectKey } f
 import { TProjectQueueFactory } from "./project-queue";
 import { TProjectSshConfigDALFactory } from "./project-ssh-config-dal";
 import {
+  ProjectFilterType,
   TCreateProjectDTO,
   TDeleteProjectDTO,
   TDeleteProjectWorkflowIntegration,
@@ -866,6 +867,39 @@ export const projectServiceFactory = ({
     });
   };
 
+  const extractProjectIdFromSlug = async ({
+    projectSlug,
+    projectId,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: {
+    projectSlug?: string;
+    projectId?: string;
+    actorId: string;
+    actorAuthMethod: ActorAuthMethod;
+    actor: ActorType;
+    actorOrgId: string;
+  }) => {
+    if (projectId) return projectId;
+    if (!projectSlug) throw new BadRequestError({ message: "You must provide projectSlug or workspaceId" });
+    const project = await getAProject({
+      filter: {
+        type: ProjectFilterType.SLUG,
+        orgId: actorOrgId,
+        slug: projectSlug
+      },
+      actorId,
+      actorAuthMethod,
+      actor,
+      actorOrgId
+    });
+
+    if (!project) throw new NotFoundError({ message: `No project found with slug ${projectSlug}` });
+    return project.id;
+  };
+
   const getProjectUpgradeStatus = async ({
     projectId,
     actor,
@@ -2006,6 +2040,7 @@ export const projectServiceFactory = ({
     getProjectSshConfig,
     updateProjectSshConfig,
     requestProjectAccess,
-    searchProjects
+    searchProjects,
+    extractProjectIdFromSlug
   };
 };

backend/src/services/secret-folder/secret-folder-service.ts

@@ -6,6 +6,7 @@ import { ActionProjectType, TSecretFoldersInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
+import { PgSqlLock } from "@app/keystore/keystore";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { buildFolderPath } from "@app/services/secret-folder/secret-folder-fns";
@@ -83,36 +84,75 @@ export const secretFolderServiceFactory = ({
       // that is this request must be idempotent
       // so we do a tricky move. we try to find the to be created folder path if that is exactly match return that
       // else we get some path before that then we will start creating remaining folder
+      await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.CreateFolder(env.id, env.projectId)]);
+
       const pathWithFolder = path.join(secretPath, name);
       const parentFolder = await folderDAL.findClosestFolder(projectId, environment, pathWithFolder, tx);
-      // no folder found is not possible root should be their
+
       if (!parentFolder) {
         throw new NotFoundError({
-          message: `Folder with path '${pathWithFolder}' in environment with slug '${environment}' not found`
+          message: `Parent folder for path '${pathWithFolder}' not found`
         });
       }
-      // exact folder
-      if (parentFolder.path === pathWithFolder) return parentFolder;
 
-      let parentFolderId = parentFolder.id;
+      // check if the exact folder already exists
+      const existingFolder = await folderDAL.findOne(
+        {
+          envId: env.id,
+          parentId: parentFolder.id,
+          name,
+          isReserved: false
+        },
+        tx
+      );
+
+      if (existingFolder) {
+        return existingFolder;
+      }
+
+      // exact folder case
+      if (parentFolder.path === pathWithFolder) {
+        return parentFolder;
+      }
+
+      let currentParentId = parentFolder.id;
+
+      // build the full path we need by processing each segment
       if (parentFolder.path !== secretPath) {
-        // this is upsert folder in a path
-        // we are not taking snapshots of this because
-        // snapshot will be removed from automatic for all commits to user click or cron based
-        const missingSegment = secretPath.substring(parentFolder.path.length).split("/").filter(Boolean);
-        if (missingSegment.length) {
-          const newFolders: Array<TSecretFoldersInsert & { id: string }> = missingSegment.map((segment) => {
+        const missingSegments = secretPath.substring(parentFolder.path.length).split("/").filter(Boolean);
+
+        const newFolders: TSecretFoldersInsert[] = [];
+
+        // process each segment sequentially
+        for await (const segment of missingSegments) {
+          const existingSegment = await folderDAL.findOne(
+            {
+              name: segment,
+              parentId: currentParentId,
+              envId: env.id,
+              isReserved: false
+            },
+            tx
+          );
+
+          if (existingSegment) {
+            // use existing folder and update the path / parent
+            currentParentId = existingSegment.id;
+          } else {
             const newFolder = {
               name: segment,
-              parentId: parentFolderId,
+              parentId: currentParentId,
               id: uuidv4(),
               envId: env.id,
               version: 1
             };
-            parentFolderId = newFolder.id;
-            return newFolder;
-          });
-          parentFolderId = newFolders.at(-1)?.id as string;
+
+            currentParentId = newFolder.id;
+            newFolders.push(newFolder);
+          }
+        }
+
+        if (newFolders.length) {
           const docs = await folderDAL.insertMany(newFolders, tx);
           const folderVersions = await folderVersionDAL.insertMany(
             docs.map((doc) => ({
@@ -133,7 +173,7 @@ export const secretFolderServiceFactory = ({
                 }
               },
               message: "Folder created",
-              folderId: parentFolderId,
+              folderId: currentParentId,
               changes: folderVersions.map((fv) => ({
                 type: CommitType.ADD,
                 folderVersionId: fv.id
@@ -145,9 +185,10 @@ export const secretFolderServiceFactory = ({
       }
 
       const doc = await folderDAL.create(
-        { name, envId: env.id, version: 1, parentId: parentFolderId, description },
+        { name, envId: env.id, version: 1, parentId: currentParentId, description },
         tx
       );
+
       const folderVersion = await folderVersionDAL.create(
         {
           name: doc.name,
@@ -158,6 +199,7 @@ export const secretFolderServiceFactory = ({
         },
         tx
       );
+
       await folderCommitService.createCommit(
         {
           actor: {
@@ -167,7 +209,7 @@ export const secretFolderServiceFactory = ({
             }
           },
           message: "Folder created",
-          folderId: parentFolderId,
+          folderId: doc.id,
           changes: [
             {
               type: CommitType.ADD,
@@ -177,6 +219,7 @@ export const secretFolderServiceFactory = ({
         },
         tx
       );
+
       return doc;
     });
 

backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const CLOUDFLARE_PAGES_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Cloudflare Pages",
+  destination: SecretSync.CloudflarePages,
+  connection: AppConnection.Cloudflare,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-fns.ts

@@ -0,0 +1,138 @@
+import { request } from "@app/lib/config/request";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+import { TCloudflarePagesSyncWithCredentials } from "./cloudflare-pages-types";
+
+const getProjectEnvironmentSecrets = async (secretSync: TCloudflarePagesSyncWithCredentials) => {
+  const {
+    destinationConfig,
+    connection: {
+      credentials: { apiToken, accountId }
+    }
+  } = secretSync;
+
+  const secrets = (
+    await request.get<{
+      result: {
+        deployment_configs: Record<
+          string,
+          {
+            env_vars: Record<string, { type: "plain_text" | "secret_text"; value: string }>;
+          }
+        >;
+      };
+    }>(
+      `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects/${destinationConfig.projectName}`,
+      {
+        headers: {
+          Authorization: `Bearer ${apiToken}`,
+          Accept: "application/json"
+        }
+      }
+    )
+  ).data.result.deployment_configs[destinationConfig.environment].env_vars;
+
+  return Object.entries(secrets ?? {}).map(([key, envVar]) => ({
+    key,
+    value: envVar.value
+  }));
+};
+
+export const CloudflarePagesSyncFns = {
+  syncSecrets: async (secretSync: TCloudflarePagesSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      destinationConfig,
+      connection: {
+        credentials: { apiToken, accountId }
+      }
+    } = secretSync;
+
+    // Create/update secret entries
+    let secretEntries: [string, object | null][] = Object.entries(secretMap).map(([key, val]) => [
+      key,
+      { type: "secret_text", value: val.value }
+    ]);
+
+    // Handle deletions if not disabled
+    if (!secretSync.syncOptions.disableSecretDeletion) {
+      const existingSecrets = await getProjectEnvironmentSecrets(secretSync);
+      const toDeleteKeys = existingSecrets
+        .filter(
+          (secret) =>
+            matchesSchema(secret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema) &&
+            !secretMap[secret.key]
+        )
+        .map((secret) => secret.key);
+
+      const toDeleteEntries: [string, null][] = toDeleteKeys.map((key) => [key, null]);
+      secretEntries = [...secretEntries, ...toDeleteEntries];
+    }
+
+    const data = {
+      deployment_configs: {
+        [destinationConfig.environment]: {
+          env_vars: Object.fromEntries(secretEntries)
+        }
+      }
+    };
+
+    await request.patch(
+      `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects/${destinationConfig.projectName}`,
+      data,
+      {
+        headers: {
+          Authorization: `Bearer ${apiToken}`,
+          Accept: "application/json"
+        }
+      }
+    );
+  },
+
+  getSecrets: async (secretSync: TCloudflarePagesSyncWithCredentials): Promise<TSecretMap> => {
+    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
+  },
+
+  removeSecrets: async (secretSync: TCloudflarePagesSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      destinationConfig,
+      connection: {
+        credentials: { apiToken, accountId }
+      }
+    } = secretSync;
+
+    const secrets = await getProjectEnvironmentSecrets(secretSync);
+    const toDeleteKeys = secrets
+      .filter(
+        (secret) =>
+          matchesSchema(secret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema) &&
+          secret.key in secretMap
+      )
+      .map((secret) => secret.key);
+
+    if (toDeleteKeys.length === 0) return;
+
+    const secretEntries: [string, null][] = toDeleteKeys.map((key) => [key, null]);
+
+    const data = {
+      deployment_configs: {
+        [destinationConfig.environment]: {
+          env_vars: Object.fromEntries(secretEntries)
+        }
+      }
+    };
+
+    await request.patch(
+      `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects/${destinationConfig.projectName}`,
+      data,
+      {
+        headers: {
+          Authorization: `Bearer ${apiToken}`,
+          Accept: "application/json"
+        }
+      }
+    );
+  }
+};

backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-schema.ts

@@ -0,0 +1,53 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const CloudflarePagesSyncDestinationConfigSchema = z.object({
+  projectName: z
+    .string()
+    .min(1, "Project name is required")
+    .describe(SecretSyncs.DESTINATION_CONFIG.CLOUDFLARE_PAGES.projectName),
+  environment: z
+    .string()
+    .min(1, "Environment is required")
+    .describe(SecretSyncs.DESTINATION_CONFIG.CLOUDFLARE_PAGES.environment)
+});
+
+const CloudflarePagesSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const CloudflarePagesSyncSchema = BaseSecretSyncSchema(
+  SecretSync.CloudflarePages,
+  CloudflarePagesSyncOptionsConfig
+).extend({
+  destination: z.literal(SecretSync.CloudflarePages),
+  destinationConfig: CloudflarePagesSyncDestinationConfigSchema
+});
+
+export const CreateCloudflarePagesSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.CloudflarePages,
+  CloudflarePagesSyncOptionsConfig
+).extend({
+  destinationConfig: CloudflarePagesSyncDestinationConfigSchema
+});
+
+export const UpdateCloudflarePagesSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.CloudflarePages,
+  CloudflarePagesSyncOptionsConfig
+).extend({
+  destinationConfig: CloudflarePagesSyncDestinationConfigSchema.optional()
+});
+
+export const CloudflarePagesSyncListItemSchema = z.object({
+  name: z.literal("Cloudflare Pages"),
+  connection: z.literal(AppConnection.Cloudflare),
+  destination: z.literal(SecretSync.CloudflarePages),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-types.ts

@@ -0,0 +1,19 @@
+import z from "zod";
+
+import { TCloudflareConnection } from "@app/services/app-connection/cloudflare/cloudflare-connection-types";
+
+import {
+  CloudflarePagesSyncListItemSchema,
+  CloudflarePagesSyncSchema,
+  CreateCloudflarePagesSyncSchema
+} from "./cloudflare-pages-schema";
+
+export type TCloudflarePagesSyncListItem = z.infer<typeof CloudflarePagesSyncListItemSchema>;
+
+export type TCloudflarePagesSync = z.infer<typeof CloudflarePagesSyncSchema>;
+
+export type TCloudflarePagesSyncInput = z.infer<typeof CreateCloudflarePagesSyncSchema>;
+
+export type TCloudflarePagesSyncWithCredentials = TCloudflarePagesSync & {
+  connection: TCloudflareConnection;
+};

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -18,7 +18,8 @@ export enum SecretSync {
   OnePass = "1password",
   Heroku = "heroku",
   Render = "render",
-  Flyio = "flyio"
+  Flyio = "flyio",
+  CloudflarePages = "cloudflare-pages"
 }
 
 export enum SecretSyncInitialSyncBehavior {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -29,6 +29,8 @@ import { AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION, azureAppConfigurationSyncFact
 import { AZURE_DEVOPS_SYNC_LIST_OPTION, azureDevOpsSyncFactory } from "./azure-devops";
 import { AZURE_KEY_VAULT_SYNC_LIST_OPTION, azureKeyVaultSyncFactory } from "./azure-key-vault";
 import { CAMUNDA_SYNC_LIST_OPTION, camundaSyncFactory } from "./camunda";
+import { CLOUDFLARE_PAGES_SYNC_LIST_OPTION } from "./cloudflare-pages/cloudflare-pages-constants";
+import { CloudflarePagesSyncFns } from "./cloudflare-pages/cloudflare-pages-fns";
 import { FLYIO_SYNC_LIST_OPTION, FlyioSyncFns } from "./flyio";
 import { GCP_SYNC_LIST_OPTION } from "./gcp";
 import { GcpSyncFns } from "./gcp/gcp-sync-fns";
@@ -63,7 +65,8 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.OnePass]: ONEPASS_SYNC_LIST_OPTION,
   [SecretSync.Heroku]: HEROKU_SYNC_LIST_OPTION,
   [SecretSync.Render]: RENDER_SYNC_LIST_OPTION,
-  [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION
+  [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION,
+  [SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION
 };
 
 export const listSecretSyncOptions = () => {
@@ -227,6 +230,8 @@ export const SecretSyncFns = {
         return RenderSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Flyio:
         return FlyioSyncFns.syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.CloudflarePages:
+        return CloudflarePagesSyncFns.syncSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -313,6 +318,9 @@ export const SecretSyncFns = {
       case SecretSync.Flyio:
         secretMap = await FlyioSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.CloudflarePages:
+        secretMap = await CloudflarePagesSyncFns.getSecrets(secretSync);
+        break;
       default:
         throw new Error(
           `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -386,6 +394,8 @@ export const SecretSyncFns = {
         return RenderSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Flyio:
         return FlyioSyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.CloudflarePages:
+        return CloudflarePagesSyncFns.removeSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -21,7 +21,8 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.OnePass]: "1Password",
   [SecretSync.Heroku]: "Heroku",
   [SecretSync.Render]: "Render",
-  [SecretSync.Flyio]: "Fly.io"
+  [SecretSync.Flyio]: "Fly.io",
+  [SecretSync.CloudflarePages]: "Cloudflare Pages"
 };
 
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@@ -44,7 +45,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.OnePass]: AppConnection.OnePass,
   [SecretSync.Heroku]: AppConnection.Heroku,
   [SecretSync.Render]: AppConnection.Render,
-  [SecretSync.Flyio]: AppConnection.Flyio
+  [SecretSync.Flyio]: AppConnection.Flyio,
+  [SecretSync.CloudflarePages]: AppConnection.Cloudflare
 };
 
 export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
@@ -67,5 +69,6 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
   [SecretSync.OnePass]: SecretSyncPlanType.Regular,
   [SecretSync.Heroku]: SecretSyncPlanType.Regular,
   [SecretSync.Render]: SecretSyncPlanType.Regular,
-  [SecretSync.Flyio]: SecretSyncPlanType.Regular
+  [SecretSync.Flyio]: SecretSyncPlanType.Regular,
+  [SecretSync.CloudflarePages]: SecretSyncPlanType.Regular
 };

backend/src/services/secret-sync/secret-sync-types.ts

@@ -106,6 +106,12 @@ import {
   TTerraformCloudSyncWithCredentials
 } from "./terraform-cloud";
 import { TVercelSync, TVercelSyncInput, TVercelSyncListItem, TVercelSyncWithCredentials } from "./vercel";
+import {
+  TCloudflarePagesSync,
+  TCloudflarePagesSyncInput,
+  TCloudflarePagesSyncListItem,
+  TCloudflarePagesSyncWithCredentials
+} from "./cloudflare-pages/cloudflare-pages-types";
 
 export type TSecretSync =
   | TAwsParameterStoreSync
@@ -127,7 +133,8 @@ export type TSecretSync =
   | TOnePassSync
   | THerokuSync
   | TRenderSync
-  | TFlyioSync;
+  | TFlyioSync
+  | TCloudflarePagesSync;
 
 export type TSecretSyncWithCredentials =
   | TAwsParameterStoreSyncWithCredentials
@@ -149,7 +156,8 @@ export type TSecretSyncWithCredentials =
   | TOnePassSyncWithCredentials
   | THerokuSyncWithCredentials
   | TRenderSyncWithCredentials
-  | TFlyioSyncWithCredentials;
+  | TFlyioSyncWithCredentials
+  | TCloudflarePagesSyncWithCredentials;
 
 export type TSecretSyncInput =
   | TAwsParameterStoreSyncInput
@@ -171,7 +179,8 @@ export type TSecretSyncInput =
   | TOnePassSyncInput
   | THerokuSyncInput
   | TRenderSyncInput
-  | TFlyioSyncInput;
+  | TFlyioSyncInput
+  | TCloudflarePagesSyncInput;
 
 export type TSecretSyncListItem =
   | TAwsParameterStoreSyncListItem
@@ -193,7 +202,8 @@ export type TSecretSyncListItem =
   | TOnePassSyncListItem
   | THerokuSyncListItem
   | TRenderSyncListItem
-  | TFlyioSyncListItem;
+  | TFlyioSyncListItem
+  | TCloudflarePagesSyncListItem;
 
 export type TSyncOptionsConfig = {
   canImportSecrets: boolean;

backend/src/services/secret/secret-service.ts

@@ -1543,9 +1543,8 @@ export const secretServiceFactory = ({
     actor,
     environment,
     viewSecretValue,
-    projectId: workspaceId,
+    projectId,
     expandSecretReferences,
-    projectSlug,
     actorId,
     actorOrgId,
     actorAuthMethod,
@@ -1553,7 +1552,6 @@ export const secretServiceFactory = ({
     includeImports,
     version
   }: TGetASecretRawDTO) => {
-    const projectId = workspaceId || (await projectDAL.findProjectBySlug(projectSlug as string, actorOrgId)).id;
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     if (shouldUseSecretV2Bridge) {
       const secret = await secretV2BridgeService.getSecretByName({

backend/src/services/secret/secret-types.ts

@@ -229,8 +229,7 @@ export type TGetASecretRawDTO = {
   type: "shared" | "personal";
   includeImports?: boolean;
   version?: number;
-  projectSlug?: string;
-  projectId?: string;
+  projectId: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TGetASecretByIdRawDTO = {

backend/src/services/super-admin/super-admin-service.ts

@@ -1,4 +1,5 @@
 import bcrypt from "bcrypt";
+import { CronJob } from "cron";
 import jwt from "jsonwebtoken";
 
 import { IdentityAuthMethod, OrgMembershipRole, TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
@@ -8,6 +9,7 @@ import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { TIdentityDALFactory } from "@app/services/identity/identity-dal";
 
 import { TAuthLoginFactory } from "../auth/auth-login-service";
@@ -35,6 +37,7 @@ import {
   TAdminBootstrapInstanceDTO,
   TAdminGetIdentitiesDTO,
   TAdminGetUsersDTO,
+  TAdminIntegrationConfig,
   TAdminSignUpDTO,
   TGetOrganizationsDTO
 } from "./super-admin-types";
@@ -70,6 +73,31 @@ export let getServerCfg: () => Promise<
   }
 >;
 
+let adminIntegrationsConfig: TAdminIntegrationConfig = {
+  slack: {
+    clientSecret: "",
+    clientId: ""
+  },
+  microsoftTeams: {
+    appId: "",
+    clientSecret: "",
+    botId: ""
+  },
+  gitHubAppConnection: {
+    clientId: "",
+    clientSecret: "",
+    appSlug: "",
+    appId: "",
+    privateKey: ""
+  }
+};
+
+Object.freeze(adminIntegrationsConfig);
+
+export const getInstanceIntegrationsConfig = () => {
+  return adminIntegrationsConfig;
+};
+
 const ADMIN_CONFIG_KEY = "infisical-admin-cfg";
 const ADMIN_CONFIG_KEY_EXP = 60; // 60s
 export const ADMIN_CONFIG_DB_UUID = "00000000-0000-0000-0000-000000000000";
@@ -138,6 +166,74 @@ export const superAdminServiceFactory = ({
     return serverCfg;
   };
 
+  const getAdminIntegrationsConfig = async () => {
+    const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
+
+    if (!serverCfg) {
+      throw new NotFoundError({ name: "AdminConfig", message: "Admin config not found" });
+    }
+
+    const decrypt = kmsService.decryptWithRootKey();
+
+    const slackClientId = serverCfg.encryptedSlackClientId ? decrypt(serverCfg.encryptedSlackClientId).toString() : "";
+    const slackClientSecret = serverCfg.encryptedSlackClientSecret
+      ? decrypt(serverCfg.encryptedSlackClientSecret).toString()
+      : "";
+
+    const microsoftAppId = serverCfg.encryptedMicrosoftTeamsAppId
+      ? decrypt(serverCfg.encryptedMicrosoftTeamsAppId).toString()
+      : "";
+    const microsoftClientSecret = serverCfg.encryptedMicrosoftTeamsClientSecret
+      ? decrypt(serverCfg.encryptedMicrosoftTeamsClientSecret).toString()
+      : "";
+    const microsoftBotId = serverCfg.encryptedMicrosoftTeamsBotId
+      ? decrypt(serverCfg.encryptedMicrosoftTeamsBotId).toString()
+      : "";
+
+    const gitHubAppConnectionClientId = serverCfg.encryptedGitHubAppConnectionClientId
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionClientId).toString()
+      : "";
+    const gitHubAppConnectionClientSecret = serverCfg.encryptedGitHubAppConnectionClientSecret
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionClientSecret).toString()
+      : "";
+
+    const gitHubAppConnectionAppSlug = serverCfg.encryptedGitHubAppConnectionSlug
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionSlug).toString()
+      : "";
+
+    const gitHubAppConnectionAppId = serverCfg.encryptedGitHubAppConnectionId
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionId).toString()
+      : "";
+    const gitHubAppConnectionAppPrivateKey = serverCfg.encryptedGitHubAppConnectionPrivateKey
+      ? decrypt(serverCfg.encryptedGitHubAppConnectionPrivateKey).toString()
+      : "";
+
+    return {
+      slack: {
+        clientSecret: slackClientSecret,
+        clientId: slackClientId
+      },
+      microsoftTeams: {
+        appId: microsoftAppId,
+        clientSecret: microsoftClientSecret,
+        botId: microsoftBotId
+      },
+      gitHubAppConnection: {
+        clientId: gitHubAppConnectionClientId,
+        clientSecret: gitHubAppConnectionClientSecret,
+        appSlug: gitHubAppConnectionAppSlug,
+        appId: gitHubAppConnectionAppId,
+        privateKey: gitHubAppConnectionAppPrivateKey
+      }
+    };
+  };
+
+  const $syncAdminIntegrationConfig = async () => {
+    const config = await getAdminIntegrationsConfig();
+    Object.freeze(config);
+    adminIntegrationsConfig = config;
+  };
+
   const updateServerCfg = async (
     data: TSuperAdminUpdate & {
       slackClientId?: string;
@@ -145,6 +241,11 @@ export const superAdminServiceFactory = ({
       microsoftTeamsAppId?: string;
       microsoftTeamsClientSecret?: string;
       microsoftTeamsBotId?: string;
+      gitHubAppConnectionClientId?: string;
+      gitHubAppConnectionClientSecret?: string;
+      gitHubAppConnectionSlug?: string;
+      gitHubAppConnectionId?: string;
+      gitHubAppConnectionPrivateKey?: string;
     },
     userId: string
   ) => {
@@ -236,10 +337,51 @@ export const superAdminServiceFactory = ({
       updatedData.microsoftTeamsBotId = undefined;
       microsoftTeamsSettingsUpdated = true;
     }
+
+    let gitHubAppConnectionSettingsUpdated = false;
+    if (data.gitHubAppConnectionClientId !== undefined) {
+      const encryptedClientId = encryptWithRoot(Buffer.from(data.gitHubAppConnectionClientId));
+      updatedData.encryptedGitHubAppConnectionClientId = encryptedClientId;
+      updatedData.gitHubAppConnectionClientId = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
+    if (data.gitHubAppConnectionClientSecret !== undefined) {
+      const encryptedClientSecret = encryptWithRoot(Buffer.from(data.gitHubAppConnectionClientSecret));
+      updatedData.encryptedGitHubAppConnectionClientSecret = encryptedClientSecret;
+      updatedData.gitHubAppConnectionClientSecret = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
+    if (data.gitHubAppConnectionSlug !== undefined) {
+      const encryptedAppSlug = encryptWithRoot(Buffer.from(data.gitHubAppConnectionSlug));
+      updatedData.encryptedGitHubAppConnectionSlug = encryptedAppSlug;
+      updatedData.gitHubAppConnectionSlug = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
+    if (data.gitHubAppConnectionId !== undefined) {
+      const encryptedAppId = encryptWithRoot(Buffer.from(data.gitHubAppConnectionId));
+      updatedData.encryptedGitHubAppConnectionId = encryptedAppId;
+      updatedData.gitHubAppConnectionId = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
+    if (data.gitHubAppConnectionPrivateKey !== undefined) {
+      const encryptedAppPrivateKey = encryptWithRoot(Buffer.from(data.gitHubAppConnectionPrivateKey));
+      updatedData.encryptedGitHubAppConnectionPrivateKey = encryptedAppPrivateKey;
+      updatedData.gitHubAppConnectionPrivateKey = undefined;
+      gitHubAppConnectionSettingsUpdated = true;
+    }
+
     const updatedServerCfg = await serverCfgDAL.updateById(ADMIN_CONFIG_DB_UUID, updatedData);
 
     await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(updatedServerCfg));
 
+    if (gitHubAppConnectionSettingsUpdated) {
+      await $syncAdminIntegrationConfig();
+    }
+
     if (
       updatedServerCfg.encryptedMicrosoftTeamsAppId &&
       updatedServerCfg.encryptedMicrosoftTeamsClientSecret &&
@@ -593,43 +735,6 @@ export const superAdminServiceFactory = ({
     await userDAL.updateById(userId, { superAdmin: true });
   };
 
-  const getAdminIntegrationsConfig = async () => {
-    const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
-
-    if (!serverCfg) {
-      throw new NotFoundError({ name: "AdminConfig", message: "Admin config not found" });
-    }
-
-    const decrypt = kmsService.decryptWithRootKey();
-
-    const slackClientId = serverCfg.encryptedSlackClientId ? decrypt(serverCfg.encryptedSlackClientId).toString() : "";
-    const slackClientSecret = serverCfg.encryptedSlackClientSecret
-      ? decrypt(serverCfg.encryptedSlackClientSecret).toString()
-      : "";
-
-    const microsoftAppId = serverCfg.encryptedMicrosoftTeamsAppId
-      ? decrypt(serverCfg.encryptedMicrosoftTeamsAppId).toString()
-      : "";
-    const microsoftClientSecret = serverCfg.encryptedMicrosoftTeamsClientSecret
-      ? decrypt(serverCfg.encryptedMicrosoftTeamsClientSecret).toString()
-      : "";
-    const microsoftBotId = serverCfg.encryptedMicrosoftTeamsBotId
-      ? decrypt(serverCfg.encryptedMicrosoftTeamsBotId).toString()
-      : "";
-
-    return {
-      slack: {
-        clientSecret: slackClientSecret,
-        clientId: slackClientId
-      },
-      microsoftTeams: {
-        appId: microsoftAppId,
-        clientSecret: microsoftClientSecret,
-        botId: microsoftBotId
-      }
-    };
-  };
-
   const getConfiguredEncryptionStrategies = async () => {
     const appCfg = getConfig();
 
@@ -696,6 +801,19 @@ export const superAdminServiceFactory = ({
     return (await keyStore.getItem("invalidating-cache")) !== null;
   };
 
+  const initializeAdminIntegrationConfigSync = async () => {
+    logger.info("Setting up background sync process for admin integrations config");
+
+    // initial sync upon startup
+    await $syncAdminIntegrationConfig();
+
+    // sync admin integrations config every 5 minutes
+    const job = new CronJob("*/5 * * * *", $syncAdminIntegrationConfig);
+    job.start();
+
+    return job;
+  };
+
   return {
     initServerCfg,
     updateServerCfg,
@@ -714,6 +832,7 @@ export const superAdminServiceFactory = ({
     checkIfInvalidatingCache,
     getOrganizations,
     deleteOrganization,
-    deleteOrganizationMembership
+    deleteOrganizationMembership,
+    initializeAdminIntegrationConfigSync
   };
 };

backend/src/services/super-admin/super-admin-types.ts

@@ -55,3 +55,22 @@ export enum CacheType {
   ALL = "all",
   SECRETS = "secrets"
 }
+
+export type TAdminIntegrationConfig = {
+  slack: {
+    clientSecret: string;
+    clientId: string;
+  };
+  microsoftTeams: {
+    appId: string;
+    clientSecret: string;
+    botId: string;
+  };
+  gitHubAppConnection: {
+    clientId: string;
+    clientSecret: string;
+    appSlug: string;
+    appId: string;
+    privateKey: string;
+  };
+};

cli/go.mod

@@ -40,6 +40,9 @@ require (
 	golang.org/x/term v0.30.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/api v0.31.4
+	k8s.io/apimachinery v0.31.4
+	k8s.io/client-go v0.31.4
 )
 
 require (
@@ -70,16 +73,25 @@ require (
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/errors v0.20.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/strfmt v0.21.3 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -90,17 +102,23 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/muesli/mango v0.1.0 // indirect
 	github.com/muesli/mango-pflag v0.1.0 // indirect
 	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/onsi/ginkgo/v2 v2.22.2 // indirect
 	github.com/pelletier/go-toml v1.9.3 // indirect
@@ -117,6 +135,7 @@ require (
 	github.com/tetratelabs/wazero v1.9.0 // indirect
 	github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52 // indirect
 	github.com/wlynxg/anet v0.0.5 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	go.mongodb.org/mongo-driver v1.10.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
@@ -127,18 +146,26 @@ require (
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/mod v0.23.0 // indirect
-	golang.org/x/net v0.35.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
 	golang.org/x/tools v0.30.0 // indirect
 	google.golang.org/api v0.188.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b // indirect
 	google.golang.org/grpc v1.64.1 // indirect
-	google.golang.org/protobuf v1.36.1 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
 require (

cli/go.sum

@@ -134,6 +134,8 @@ github.com/denisbrodbeck/machineid v1.0.1 h1:geKr9qtkB876mXguW2X6TU4ZynleN6ezuMS
 github.com/denisbrodbeck/machineid v1.0.1/go.mod h1:dJUwb7PTidGDeYyUBmXZ2GphQBbjJCrnectwCyxcUSI=
 github.com/dvsekhvalnov/jose2go v1.6.0 h1:Y9gnSnP4qEI0+/uQkHvFXeD2PLPJeXEL+ySMEA2EjTY=
 github.com/dvsekhvalnov/jose2go v1.6.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -152,6 +154,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gitleaks/go-gitdiff v0.9.1 h1:ni6z6/3i9ODT685OLCTf+s/ERlWUNWQF4x1pvoNICw0=
 github.com/gitleaks/go-gitdiff v0.9.1/go.mod h1:pKz0X4YzCKZs30BL+weqBIG7mx0jl4tF1uXV9ZyNvrA=
@@ -165,8 +169,16 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02EmK8=
 github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
 github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
@@ -174,6 +186,7 @@ github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZ
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -211,6 +224,8 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
+github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -222,9 +237,12 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -298,7 +316,11 @@ github.com/infisical/infisical-kmip v0.3.5 h1:QM3s0e18B+mYv3a9HQNjNAlbwZJBzXq5BA
 github.com/infisical/infisical-kmip v0.3.5/go.mod h1:bO1M4YtKyutNg1bREPmlyZspC5duSR7hyQ3lPmLzrIs=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
@@ -308,6 +330,7 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -318,6 +341,8 @@ github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA=
 github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -346,8 +371,12 @@ github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/mtibben/percent v0.2.1 h1:5gssi8Nqo8QU/r2pynCm+hBQHpkB/uNK7BJCFogWdzs=
 github.com/mtibben/percent v0.2.1/go.mod h1:KG9uO+SZkUp+VkRHsCdYQV3XSZrrSpR3O9ibNBTZrns=
@@ -365,7 +394,8 @@ github.com/muesli/roff v0.1.0 h1:YD0lalCotmYuF5HhZliKWlIx7IEhiXeSfq7hNjFqGF8=
 github.com/muesli/roff v0.1.0/go.mod h1:pjAHQM9hdUUwm/krAfrLGgJkXJ+YuhtsfZ42kieB2Ig=
 github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo=
 github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
@@ -406,8 +436,8 @@ github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po=
 github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
@@ -467,6 +497,8 @@ github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52 h1:OvLBa8S
 github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52/go.mod h1:jMeV4Vpbi8osrE/pKUxRZkVaA0EX7NZN0A9/oRzgpgY=
 github.com/wlynxg/anet v0.0.5 h1:J3VJGi1gvo0JwZ/P1/Yc/8p63SoW98B5dHkYDmpgvvU=
 github.com/wlynxg/anet v0.0.5/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
 github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
@@ -596,8 +628,8 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -610,8 +642,8 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -693,8 +725,8 @@ golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -863,14 +895,17 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
-google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -890,6 +925,27 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+k8s.io/api v0.31.4 h1:I2QNzitPVsPeLQvexMEsj945QumYraqv9m74isPDKhM=
+k8s.io/api v0.31.4/go.mod h1:d+7vgXLvmcdT1BCo79VEgJxHHryww3V5np2OYTr6jdw=
+k8s.io/apimachinery v0.31.4 h1:8xjE2C4CzhYVm9DGf60yohpNUh5AEBnPxCryPBECmlM=
+k8s.io/apimachinery v0.31.4/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/client-go v0.31.4 h1:t4QEXt4jgHIkKKlx06+W3+1JOwAFU/2OPiOo7H92eRQ=
+k8s.io/client-go v0.31.4/go.mod h1:kvuMro4sFYIa8sulL5Gi5GFqUPvfH2O/dXuKstbaaeg=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

cli/packages/api/api.go

@@ -631,8 +631,8 @@ func CallGatewayHeartBeatV1(httpClient *resty.Client) error {
 	return nil
 }
 
-func CallBootstrapInstance(httpClient *resty.Client, request BootstrapInstanceRequest) (map[string]interface{}, error) {
-	var resBody map[string]interface{}
+func CallBootstrapInstance(httpClient *resty.Client, request BootstrapInstanceRequest) (BootstrapInstanceResponse, error) {
+	var resBody BootstrapInstanceResponse
 	response, err := httpClient.
 		R().
 		SetResult(&resBody).
@@ -641,11 +641,11 @@ func CallBootstrapInstance(httpClient *resty.Client, request BootstrapInstanceRe
 		Post(fmt.Sprintf("%v/v1/admin/bootstrap", request.Domain))
 
 	if err != nil {
-		return nil, NewGenericRequestError(operationCallBootstrapInstance, err)
+		return BootstrapInstanceResponse{}, NewGenericRequestError(operationCallBootstrapInstance, err)
 	}
 
 	if response.IsError() {
-		return nil, NewAPIErrorWithResponse(operationCallBootstrapInstance, response, nil)
+		return BootstrapInstanceResponse{}, NewAPIErrorWithResponse(operationCallBootstrapInstance, response, nil)
 	}
 
 	return resBody, nil

cli/packages/api/model.go

@@ -655,3 +655,35 @@ type BootstrapInstanceRequest struct {
 	Organization string `json:"organization"`
 	Domain       string `json:"domain"`
 }
+
+type BootstrapInstanceResponse struct {
+	Message      string                `json:"message"`
+	Identity     BootstrapIdentity     `json:"identity"`
+	Organization BootstrapOrganization `json:"organization"`
+	User         BootstrapUser         `json:"user"`
+}
+
+type BootstrapIdentity struct {
+	ID          string                       `json:"id"`
+	Name        string                       `json:"name"`
+	Credentials BootstrapIdentityCredentials `json:"credentials"`
+}
+
+type BootstrapIdentityCredentials struct {
+	Token string `json:"token"`
+}
+
+type BootstrapOrganization struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+	Slug string `json:"slug"`
+}
+
+type BootstrapUser struct {
+	ID         string `json:"id"`
+	Email      string `json:"email"`
+	FirstName  string `json:"firstName"`
+	LastName   string `json:"lastName"`
+	Username   string `json:"username"`
+	SuperAdmin bool   `json:"superAdmin"`
+}

cli/packages/cmd/bootstrap.go

@@ -4,16 +4,127 @@ Copyright (c) 2023 Infisical Inc.
 package cmd
 
 import (
+	"bytes"
+	"context"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
+	"text/template"
 
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 )
 
+// handleK8SecretOutput processes the k8-secret output type by creating a Kubernetes secret
+func handleK8SecretOutput(bootstrapResponse api.BootstrapInstanceResponse, k8SecretTemplate, k8SecretName, k8SecretNamespace string) error {
+	// Create in-cluster config
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return fmt.Errorf("failed to create in-cluster config: %v", err)
+	}
+
+	// Create Kubernetes client
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return fmt.Errorf("failed to create Kubernetes client: %v", err)
+	}
+
+	// Parse and execute the template to render the data/stringData section
+	tmpl, err := template.New("k8-secret-template").Funcs(template.FuncMap{
+		"encodeBase64": func(s string) string {
+			return base64.StdEncoding.EncodeToString([]byte(s))
+		},
+	}).Parse(k8SecretTemplate)
+
+	if err != nil {
+		return fmt.Errorf("failed to parse output template: %v", err)
+	}
+
+	var renderedDataSection bytes.Buffer
+	err = tmpl.Execute(&renderedDataSection, bootstrapResponse)
+	if err != nil {
+		return fmt.Errorf("failed to execute output template: %v", err)
+	}
+
+	// Parse the rendered template as JSON to validate it's valid
+	var dataSection map[string]interface{}
+	if err := json.Unmarshal(renderedDataSection.Bytes(), &dataSection); err != nil {
+		return fmt.Errorf("template output is not valid JSON: %v", err)
+	}
+
+	// Prepare the secret data and stringData maps
+	secretData := make(map[string][]byte)
+	secretStringData := make(map[string]string)
+
+	// Process the dataSection to separate data and stringData
+	if data, exists := dataSection["data"]; exists {
+		if dataMap, ok := data.(map[string]interface{}); ok {
+			for key, value := range dataMap {
+				if strValue, ok := value.(string); ok {
+					secretData[key] = []byte(strValue)
+				}
+			}
+		}
+	}
+
+	if stringData, exists := dataSection["stringData"]; exists {
+		if stringDataMap, ok := stringData.(map[string]interface{}); ok {
+			for key, value := range stringDataMap {
+				if strValue, ok := value.(string); ok {
+					secretStringData[key] = strValue
+				}
+			}
+		}
+	}
+
+	// Create the Kubernetes secret object
+	k8sSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      k8SecretName,
+			Namespace: k8SecretNamespace,
+		},
+		Type:       corev1.SecretTypeOpaque,
+		Data:       secretData,
+		StringData: secretStringData,
+	}
+
+	ctx := context.Background()
+	secretsClient := clientset.CoreV1().Secrets(k8SecretNamespace)
+
+	// Check if secret already exists
+	existingSecret, err := secretsClient.Get(ctx, k8SecretName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// Secret doesn't exist, create it
+			_, err = secretsClient.Create(ctx, k8sSecret, metav1.CreateOptions{})
+			if err != nil {
+				return fmt.Errorf("failed to create Kubernetes secret: %v", err)
+			}
+			log.Info().Msgf("Successfully created Kubernetes secret '%s' in namespace '%s'", k8SecretName, k8SecretNamespace)
+		} else {
+			return fmt.Errorf("failed to check if Kubernetes secret exists: %v", err)
+		}
+	} else {
+		// Secret exists, update it
+		k8sSecret.ObjectMeta.ResourceVersion = existingSecret.ObjectMeta.ResourceVersion
+		_, err = secretsClient.Update(ctx, k8sSecret, metav1.UpdateOptions{})
+		if err != nil {
+			return fmt.Errorf("failed to update Kubernetes secret: %v", err)
+		}
+		log.Info().Msgf("Successfully updated Kubernetes secret '%s' in namespace '%s'", k8SecretName, k8SecretNamespace)
+	}
+
+	return nil
+}
+
 var bootstrapCmd = &cobra.Command{
 	Use:                   "bootstrap",
 	Short:                 "Used to bootstrap your Infisical instance",
@@ -23,7 +134,7 @@ var bootstrapCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		email, _ := cmd.Flags().GetString("email")
 		if email == "" {
-			if envEmail, ok := os.LookupEnv("INFISICAL_ADMIN_EMAIL"); ok {
+			if envEmail, ok := os.LookupEnv(util.INFISICAL_BOOTSTRAP_EMAIL_NAME); ok {
 				email = envEmail
 			}
 		}
@@ -35,7 +146,7 @@ var bootstrapCmd = &cobra.Command{
 
 		password, _ := cmd.Flags().GetString("password")
 		if password == "" {
-			if envPassword, ok := os.LookupEnv("INFISICAL_ADMIN_PASSWORD"); ok {
+			if envPassword, ok := os.LookupEnv(util.INFISICAL_BOOTSTRAP_PASSWORD_NAME); ok {
 				password = envPassword
 			}
 		}
@@ -47,7 +158,7 @@ var bootstrapCmd = &cobra.Command{
 
 		organization, _ := cmd.Flags().GetString("organization")
 		if organization == "" {
-			if envOrganization, ok := os.LookupEnv("INFISICAL_ADMIN_ORGANIZATION"); ok {
+			if envOrganization, ok := os.LookupEnv(util.INFISICAL_BOOTSTRAP_ORGANIZATION_NAME); ok {
 				organization = envOrganization
 			}
 		}
@@ -69,11 +180,56 @@ var bootstrapCmd = &cobra.Command{
 			return
 		}
 
+		outputType, err := cmd.Flags().GetString("output")
+		if err != nil {
+			log.Error().Msgf("Failed to get output type: %v", err)
+			return
+		}
+
+		k8SecretTemplate, err := cmd.Flags().GetString("k8-secret-template")
+		if err != nil {
+			log.Error().Msgf("Failed to get k8-secret-template: %v", err)
+		}
+
+		k8SecretName, err := cmd.Flags().GetString("k8-secret-name")
+		if err != nil {
+			log.Error().Msgf("Failed to get k8-secret-name: %v", err)
+		}
+
+		k8SecretNamespace, err := cmd.Flags().GetString("k8-secret-namespace")
+		if err != nil {
+			log.Error().Msgf("Failed to get k8-secret-namespace: %v", err)
+		}
+
+		if outputType == "k8-secret" {
+			if k8SecretTemplate == "" {
+				log.Error().Msg("k8-secret-template is required when using k8-secret output type")
+				return
+			}
+
+			if k8SecretName == "" {
+				log.Error().Msg("k8-secret-name is required when using k8-secret output type")
+				return
+			}
+
+			if k8SecretNamespace == "" {
+				log.Error().Msg("k8-secret-namespace is required when using k8-secret output type")
+				return
+			}
+		}
+
 		httpClient, err := util.GetRestyClientWithCustomHeaders()
 		if err != nil {
 			log.Error().Msgf("Failed to get resty client with custom headers: %v", err)
 			return
 		}
+
+		ignoreIfBootstrapped, err := cmd.Flags().GetBool("ignore-if-bootstrapped")
+		if err != nil {
+			log.Error().Msgf("Failed to get ignore-if-bootstrapped flag: %v", err)
+			return
+		}
+
 		httpClient.SetHeader("Accept", "application/json")
 
 		bootstrapResponse, err := api.CallBootstrapInstance(httpClient, api.BootstrapInstanceRequest{
@@ -84,16 +240,26 @@ var bootstrapCmd = &cobra.Command{
 		})
 
 		if err != nil {
-			log.Error().Msgf("Failed to bootstrap instance: %v", err)
+			if !ignoreIfBootstrapped {
+				log.Error().Msgf("Failed to bootstrap instance: %v", err)
+			}
 			return
 		}
 
-		responseJSON, err := json.MarshalIndent(bootstrapResponse, "", "  ")
-		if err != nil {
-			log.Fatal().Msgf("Failed to convert response to JSON: %v", err)
-			return
+		if outputType == "k8-secret" {
+			if err := handleK8SecretOutput(bootstrapResponse, k8SecretTemplate, k8SecretName, k8SecretNamespace); err != nil {
+				log.Error().Msgf("Failed to handle k8-secret output: %v", err)
+				return
+			}
+		} else {
+			responseJSON, err := json.MarshalIndent(bootstrapResponse, "", "  ")
+			if err != nil {
+				log.Fatal().Msgf("Failed to convert response to JSON: %v", err)
+				return
+			}
+
+			fmt.Println(string(responseJSON))
 		}
-		fmt.Println(string(responseJSON))
 	},
 }
 
@@ -102,6 +268,10 @@ func init() {
 	bootstrapCmd.Flags().String("email", "", "The desired email address of the instance admin")
 	bootstrapCmd.Flags().String("password", "", "The desired password of the instance admin")
 	bootstrapCmd.Flags().String("organization", "", "The name of the organization to create for the instance")
-
+	bootstrapCmd.Flags().String("output", "", "The type of output to use for the bootstrap command (json or k8-secret)")
+	bootstrapCmd.Flags().Bool("ignore-if-bootstrapped", false, "Whether to continue on error if the instance has already been bootstrapped")
+	bootstrapCmd.Flags().String("k8-secret-template", "{\"data\":{\"token\":\"{{.Identity.Credentials.Token}}\"}}", "The template to use for rendering the Kubernetes secret (entire secret JSON)")
+	bootstrapCmd.Flags().String("k8-secret-namespace", "", "The namespace to create the Kubernetes secret in")
+	bootstrapCmd.Flags().String("k8-secret-name", "", "The name of the Kubernetes secret to create")
 	rootCmd.AddCommand(bootstrapCmd)
 }

cli/packages/util/constants.go

@@ -10,6 +10,10 @@ const (
 	INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN_NAME = "INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN"
 	INFISICAL_VAULT_FILE_PASSPHRASE_ENV_NAME   = "INFISICAL_VAULT_FILE_PASSPHRASE" // This works because we've forked the keyring package and added support for this env variable. This explains why you won't find any occurrences of it in the CLI codebase.
 
+	INFISICAL_BOOTSTRAP_EMAIL_NAME        = "INFISICAL_ADMIN_EMAIL"
+	INFISICAL_BOOTSTRAP_PASSWORD_NAME     = "INFISICAL_ADMIN_PASSWORD"
+	INFISICAL_BOOTSTRAP_ORGANIZATION_NAME = "INFISICAL_ADMIN_ORGANIZATION"
+
 	VAULT_BACKEND_AUTO_MODE = "auto"
 	VAULT_BACKEND_FILE_MODE = "file"
 
@@ -47,6 +51,11 @@ const (
 
 	INFISICAL_BACKUP_SECRET                = "infisical-backup-secrets" // akhilmhdh: @depreciated remove in version v0.30
 	INFISICAL_BACKUP_SECRET_ENCRYPTION_KEY = "infisical-backup-secret-encryption-key"
+
+	KUBERNETES_SERVICE_HOST_ENV_NAME        = "KUBERNETES_SERVICE_HOST"
+	KUBERNETES_SERVICE_PORT_HTTPS_ENV_NAME  = "KUBERNETES_SERVICE_PORT_HTTPS"
+	KUBERNETES_SERVICE_ACCOUNT_CA_CERT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH   = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 )
 
 var (

docs/api-reference/endpoints/app-connections/cloudflare/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/cloudflare/available"
+---

docs/api-reference/endpoints/app-connections/cloudflare/create.mdx

@@ -0,0 +1,10 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/cloudflare"
+---
+
+<Note>
+  Check out the configuration docs for [Cloudflare
+  Connections](/integrations/app-connections/cloudflare) to learn how to obtain
+  the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/cloudflare/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/cloudflare/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/cloudflare/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/cloudflare/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/cloudflare/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/cloudflare/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/cloudflare/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/cloudflare"
+---

docs/api-reference/endpoints/app-connections/cloudflare/update.mdx

@@ -0,0 +1,10 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/cloudflare/{connectionId}"
+---
+
+<Note>
+  Check out the configuration docs for [Cloudflare
+  Connections](/integrations/app-connections/cloudflare) to learn how to obtain
+  the required credentials.
+</Note>

docs/api-reference/endpoints/secret-syncs/cloudflare-pages/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/cloudflare-pages"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-pages/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/cloudflare-pages/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-pages/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/cloudflare-pages/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-pages/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/cloudflare-pages/sync-name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-pages/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/cloudflare-pages"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-pages/remove-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/cloudflare-pages/{syncId}/remove-secrets"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-pages/sync-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/cloudflare-pages/{syncId}/sync-secrets"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-pages/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/cloudflare-pages/{syncId}"
+---

docs/cli/commands/bootstrap.mdx

@@ -75,8 +75,90 @@ This flag is required.
 
 </Accordion>
 
+<Accordion title="--ignore-if-bootstrapped">
+  Whether to continue without error if the instance has already been bootstrapped. Useful for idempotent automation scripts.
+
+```bash
+# Example
+infisical bootstrap --ignore-if-bootstrapped
+```
+
+This flag is optional and defaults to `false`.
+
+</Accordion>
+
+<Accordion title="--output">
+  The type of output format for the bootstrap command. Supports `k8-secret` for Kubernetes secret integration. This flag is optional and defaults to "".
+
+```bash
+# Kubernetes secret output
+infisical bootstrap --output=k8-secret --k8-secret-template='{"data":{"token":"{{.Identity.Credentials.Token}}"}}' --k8-secret-name=infisical-bootstrap --k8-secret-namespace=default
+```
+
+When using `k8-secret`, the command will create or update a Kubernetes secret directly in your cluster. Note that this option requires the command to be executed from within a Kubernetes pod with appropriate service account permissions.
+
+</Accordion>
+
+<Accordion title="--k8-secret-template">
+  The template to use for rendering the Kubernetes secret data/stringData section. Required when using `--output=k8-secret`. The template uses Go template syntax and has access to the bootstrap response data.
+
+```bash
+# Example template that stores the token
+infisical bootstrap --k8-secret-template='{"data":{"token":"{{.Identity.Credentials.Token}}"}}'
+
+# Example template with multiple fields
+infisical bootstrap --k8-secret-template='{"stringData":{"token":"{{.Identity.Credentials.Token}}","org-id":"{{.Organization.ID}}","user-email":"{{.User.Email}}"}}'
+```
+
+Available template functions:
+
+- `encodeBase64`: Base64 encode a string
+
+Available data fields:
+
+- `.Identity.Credentials.Token`: The machine identity token
+- `.Identity.ID`: The identity ID
+- `.Identity.Name`: The identity name
+- `.Organization.ID`: The organization ID
+- `.Organization.Name`: The organization name
+- `.Organization.Slug`: The organization slug
+- `.User.Email`: The admin user email
+- `.User.ID`: The admin user ID
+- `.User.FirstName`: The admin user first name
+- `.User.LastName`: The admin user last name
+
+This flag is required when using `k8-secret` output.
+
+</Accordion>
+
+<Accordion title="--k8-secret-name">
+  The name of the Kubernetes secret to create or update. Required when using `--output=k8-secret`.
+
+```bash
+# Example
+infisical bootstrap --k8-secret-name=infisical-bootstrap-credentials
+```
+
+This flag is required when using `k8-secret` output.
+
+</Accordion>
+
+<Accordion title="--k8-secret-namespace">
+  The namespace where the Kubernetes secret should be created or updated. Required when using `--output=k8-secret`.
+
+```bash
+# Example
+infisical bootstrap --k8-secret-namespace=infisical-system
+```
+
+This flag is required when using `k8-secret` output.
+
+</Accordion>
+
 ## Response
 
+### JSON Output (Default)
+
 The command returns a JSON response with details about the created user, organization, and machine identity:
 
 ```json
@@ -105,6 +187,47 @@ The command returns a JSON response with details about the created user, organiz
 }
 ```
 
+### Kubernetes Secret Output
+
+When using `--output=k8-secret`, the command creates or updates a Kubernetes secret in your cluster and logs the operation result. This is particularly useful for automated bootstrapping scenarios such as Kubernetes Jobs, GitOps workflows, or when you need to immediately store the admin credentials for use by other applications in your cluster.
+
+## Kubernetes Integration
+
+### Prerequisites for k8-secret Output
+
+When running with `--output=k8-secret`, the command must be executed from within a Kubernetes pod with proper service account permissions. The command automatically:
+
+1. Reads the service account token from `/var/run/secrets/kubernetes.io/serviceaccount/token`
+2. Reads the CA certificate from `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`
+3. Gets the Kubernetes API server URL from environment variables (`KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT_HTTPS`)
+
+### Required RBAC Permissions
+
+Your service account needs the following permissions:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: infisical-bootstrap
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: infisical-bootstrap
+subjects:
+  - kind: ServiceAccount
+    name: your-service-account
+roleRef:
+  kind: Role
+  name: infisical-bootstrap
+  apiGroup: rbac.authorization.k8s.io
+```
+
 ## Usage with Automation
 
 For automation purposes, you can extract just the machine identity token from the response:
@@ -127,6 +250,8 @@ echo "Token has been captured and can be used for authentication"
 ## Notes
 
 - The bootstrap process can only be performed once on a fresh Infisical instance
-- All flags are required for the bootstrap process to complete successfully
+- All core flags (domain, email, password, organization) are required for the bootstrap process to complete successfully
 - Security controls prevent privilege escalation: instance admin identities cannot be managed by non-instance admin users and identities
 - The generated admin user account can be used to log in via the UI if needed
+- When using `k8-secret` output, the command must run within a Kubernetes pod with proper service account permissions
+- The `--ignore-if-bootstrapped` flag is useful for making bootstrap scripts idempotent

docs/documentation/guides/nextjs-vercel.mdx

@@ -127,8 +127,8 @@ Follow the instructions for your operating system to install the Infisical CLI.
 
    </Tab>
 	 <Tab title="Debian/Ubuntu">
-	 	Add Infisical repository 
-			
+	 	Add Infisical repository
+
 		```console
 		$ curl -1sLf \
 		'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' \
@@ -143,7 +143,7 @@ Follow the instructions for your operating system to install the Infisical CLI.
    </Tab>
 	<Tab title="Arch Linux">
 		Use the `yay` package manager to install from the [Arch User Repository](https://aur.archlinux.org/packages/infisical-bin)
-			
+
 		```console
 		$ yay -S infisical-bin
 		```
@@ -187,7 +187,7 @@ We'll now use the Infisical-Vercel integration send secrets from Infisical to Ve
 
 ### Infisical-Vercel integration
 
-To begin we have to import the Next.js app into Vercel as a project. [Follow these instructions](https://nextjs.org/learn/basics/deploying-nextjs-app/deploy) to deploy the Next.js app to Vercel.
+To begin we have to import the Next.js app into Vercel as a project. [Follow these instructions](https://vercel.com/docs/frameworks/nextjs) to deploy the Next.js app to Vercel.
 
 Next, navigate to your project's integrations tab in Infisical and press on the Vercel tile to grant Infisical access to your Vercel account.
 
@@ -237,7 +237,7 @@ At this stage, you know how to use the Infisical-Vercel integration to sync prod
     </Accordion>
     <Accordion title="Is opting out of end-to-end encryption for the Infisical-Vercel integration safe?">
         Yes. Your secrets are still encrypted at rest. To note, most secret managers actually don't support end-to-end encryption.
-        
+
         Check out the [security guide](/security/overview).
     </Accordion>
 </AccordionGroup>

docs/documentation/platform/dynamic-secrets/github.mdx

@@ -0,0 +1,112 @@
+---
+title: "GitHub"
+description: "Learn how to dynamically generate GitHub App tokens."
+---
+
+The Infisical GitHub dynamic secret allows you to generate short-lived tokens for a GitHub App on demand based on service account permissions.
+
+## Setup GitHub App
+
+<Steps>
+    <Step title="Create an application on GitHub">
+        Navigate to [GitHub App settings](https://github.com/settings/apps) and click **New GitHub App**.
+
+        ![integrations github app create](/images/integrations/github/app/self-hosted-github-app-create.png)
+
+        Give the application a name and a homepage URL. These values do not need to be anything specific.
+
+        Disable webhook by unchecking the Active checkbox.
+        ![integrations github app webhook](/images/integrations/github/app/self-hosted-github-app-webhook.png)
+
+        Configure the app's permissions to grant the necessary access for the dynamic secret's short-lived tokens based on your use case.
+
+        Create the GitHub Application.
+        ![integrations github app create confirm](/images/integrations/github/app/self-hosted-github-app-create-confirm.png)
+
+        <Note>
+            If you have a GitHub organization, you can create an application under it
+            in your organization Settings > Developer settings > GitHub Apps > New GitHub App.
+        </Note>
+    </Step>
+    <Step title="Save app credentials">
+        Copy the **App ID** and generate a new **Private Key** for your GitHub Application.
+        ![integrations github app create private key](/images/integrations/github/app/self-hosted-github-app-private-key.png)
+
+        Save these for later steps.
+    </Step>
+    <Step title="Install app">
+        Install your application to whichever repositories and organizations that you want the dynamic secret to access.
+        ![Install App](/images/platform/dynamic-secrets/github/install-app.png)
+
+        ![Install App](/images/platform/dynamic-secrets/github/install-app-modal.png)
+
+        Once you've installed the app, **copy the installation ID** from the URL and save it for later steps.
+        ![Install App](/images/platform/dynamic-secrets/github/installation.png)
+    </Step>
+</Steps>
+
+## Set up Dynamic Secrets with GitHub
+
+<Steps>
+  <Step title="Open Secret Overview Dashboard">
+	Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
+  </Step>
+  <Step title="Click on the 'Add Dynamic Secret' button">
+	![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+  </Step>
+  <Step title="Select 'GitHub'">
+	![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/github/modal.png)
+  </Step>
+  <Step title="Provide the inputs for dynamic secret parameters">
+    	<ParamField path="Secret Name" type="string" required>
+    		Name by which you want the secret to be referenced
+    	</ParamField>
+    	<ParamField path="App ID" type="string" required>
+       		The ID of the app created in earlier steps.
+    	</ParamField>
+    	<ParamField path="App Private Key PEM" type="string" required>
+       		The Private Key of the app created in earlier steps.
+    	</ParamField>
+    	<ParamField path="Installation ID" type="string" required>
+       		The ID of the installation from earlier steps.
+    	</ParamField>
+  </Step>
+  <Step title="Click `Submit`">
+      After submitting the form, you will see a dynamic secret created in the dashboard.
+  </Step>
+
+  <Step title="Generate dynamic secrets">
+    	Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
+    	To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
+    	Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+
+    	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
+    	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+
+    	When generating these secrets, the TTL will be fixed to 1 hour.
+
+    	![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+
+    	Once you click the `Submit` button, a new secret lease will be generated and the credentials from it will be shown to you.
+
+    	![Dynamic Secret Lease](/images/platform/dynamic-secrets/github/lease.png)
+  </Step>
+</Steps>
+
+## Audit or Revoke Leases
+
+Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.
+
+This will allow you to see the expiration time of the lease or delete a lease before its set time to live.
+
+![Lease Data](/images/platform/dynamic-secrets/lease-data.png)
+
+<Warning>
+    GitHub App tokens cannot be revoked. As such, revoking a token on Infisical does not invalidate the GitHub token; it remains active until it expires.
+</Warning>
+
+## Renew Leases
+
+<Note>
+    GitHub App tokens cannot be renewed because they are fixed to a lifetime of 1 hour.
+</Note>

docs/documentation/platform/pki/pki-issuer.mdx

@@ -49,11 +49,21 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
         ```
     </Step>
     <Step title="Install the Issuer Controller">
-        Install the Infisical PKI Issuer controller into your Kubernetes cluster by running the following command:
+        Install the Infisical PKI Issuer controller into your Kubernetes cluster using one of the following methods:
 
-        ```bash
-        kubectl apply -f https://raw.githubusercontent.com/Infisical/infisical-issuer/main/build/install.yaml
-        ```
+        <Tabs>
+            <Tab title="Helm">
+                ```bash
+                helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
+                helm install infisical-pki-issuer infisical-helm-charts/infisical-pki-issuer
+                ```
+            </Tab>
+            <Tab title="kubectl">
+                ```bash
+                kubectl apply -f https://raw.githubusercontent.com/Infisical/infisical-issuer/main/build/install.yaml
+                ```
+            </Tab>
+        </Tabs>
     </Step>
     <Step title="Create Kubernetes Secret for Infisical PKI Issuer">
         Start by creating a Kubernetes `Secret` containing the **Client Secret** from step 1. As mentioned previously, this will be used by the Infisical PKI issuer to authenticate with Infisical.