* export_datatable_schema
* Propose to fork the datatable on ws fork
* dump datatable
* Dockerfile
* Fix import_datatable_dump
* datatable schema fork works!
* Option to copy both schema and data
* Datatable fork behavior
* nit ui
* use psql instead
* remove fork_datatable route
* feat: add fork_pg_database and export_pg_schema routes with DB Manager UI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* style: pluralize "schema" to "schemas" in DB Manager export/import UI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add import mode select (schema only vs schema + data) to DB Manager import
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Select schema or schema+data when importing database
* fix: prepend $res: prefix to resource paths in DB Manager import/export
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* style: dynamic import button label based on selected mode
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* nits
* feat: add warning alert when schema+data import mode is selected
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* nit hide on cloud hosted
* refactor: remove fork_behavior from datatable settings
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: split CreateWorkspace into layout wrapper and CreateWorkspaceInner
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: instantiate CreateWorkspaceInner in globalForkModal
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* nit icons
* Data table fork UI
* feat: pass per-datatable fork behaviors from UI to backend during workspace fork
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix fork overwriting all datatables
* UI nits
* custom instance db refactor
* custom instance db wizard btn for all in dropdown
* nit
* Delete custom instance database button
* Disable forking for resource datatables
* Big import buttons when db empty
* Revert "Disable forking for resource datatables"
This reverts commit 9561cc8fd4.
* feat: add non_diffable flag to resource table
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add resource-type datatable fork with CREATE DATABASE
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: tag forked datatables with nonDiffable and forkedFrom
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: diff datatable and ducklake settings individually on workspace merge
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: skip non_diffable resources and datatables in workspace diff
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: default datatable fork behavior to keep_original
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: make grant permissions non-fatal in instance datatable fork
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: make datatable and ducklake diffs visible in workspace comparison
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: remove datatable fork logic from workspace fork route
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: correct ahead/behind logic for datatable and ducklake diffs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Revert "fix: correct ahead/behind logic for datatable and ducklake diffs"
This reverts commit 6b50884dc6.
* revert: remove datatable and ducklake settings diffing logic
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add datatable clone UI with step-by-step confirmation modal
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: extract datatable fork UI into ForkDatatableSection component
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nit
* fix: run datatable cloning before workspace fork creation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nit disable fork admins
* nit fix switching workspace prematurely
* fix: use source workspace for forkPgDatabase calls during fork
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: update forked workspace datatable settings after fork creation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add forked_from field to DataTable and set it for instance forks
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nit onFinish
* fix: add forked_from to DataTableSettings OpenAPI schema
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: track datatable table DDL changes in workspace_diff
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Revert "feat: track datatable table DDL changes in workspace_diff"
This reverts commit 7526dd68b9.
* feat: add get_datatable_full_schema endpoint and snapshot schema on fork
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix duplicate migration key
* fix: set forked_from on datatable config for both instance and resource types
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nits
* feat: drop forked databases on workspace deletion with confirmation UI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: extract drop_forked_datatable_databases from delete_workspace
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: cast pg char columns to text in FK schema query
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: show dbname instead of resource type in fork deletion modal
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* ui nit
* refactor: extract drop_custom_instance_database into windmill-common
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add datatable schema diff section to merge UI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* UI
* feat: add review drawer with YAML diff and SQL migration runner
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: use Monaco DiffEditor for YAML diff in review drawer
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nit
* Revert "refactor: use Monaco DiffEditor for YAML diff in review drawer"
This reverts commit a86008ba4c.
* Revert "feat: add review drawer with YAML diff and SQL migration runner"
This reverts commit 0a0deb5ddb.
* feat: add review drawer with DiffEditor and SQL migration runner
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* ui nits
* fix: show diff between forked_from schema and changed side
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: re-fetch target live schema after migration for correct baseline
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* revert
* nit auto next
* feat: add confirmation modal before deploying migration to parent
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: handle missing columns/foreignKeys in schema conversion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nits
* refactor: use temp file on disk for pg_dump instead of in-memory string
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Don't replace postgres dbname
* fix: add validation to drop_custom_instance_database and use source db for CREATE/DROP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: type DataTable.forked_from as DataTableForkedFrom struct
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: simplify fork_pg_database to take source + target_dbname
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* dead code
* feat: enforce schema_and_data admin-only and extract create_custom_instance_database
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: rename fork_pg_database to import_pg_database with source/target/override params
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nit
* refactor: remove original_dbname/original_resource from forked_from, resolve from parent
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nit
* fix: resolve forked dbname from fork workspace when dropping resource databases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nits
* fix: always clean up global_settings even if database doesn't exist
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: check datatable resource_type from config instead of URL prefix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: wrap PG default value expressions in braces to prevent CAST quoting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Revert "fix: wrap PG default value expressions in braces to prevent CAST quoting"
This reverts commit 77f5a2c4e8.
* refactor: reuse columnDefToTableEditorValuesColumn for default value handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: store raw API schema in forked_from to avoid double transformation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Revert "fix: store raw API schema in forked_from to avoid double transformation"
This reverts commit e326197a20.
* Revert "refactor: reuse columnDefToTableEditorValuesColumn for default value handling"
This reverts commit bd8f071d9f.
* fix: validate dbname with strict regex to prevent SQL injection
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix default value
* always validate dbname
* refactor: move get_datatable_full_schema structs and logic to query_builders.rs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: split import_pg_database into create_pg_database + import_pg_database
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: extract drop_forked_datatable_databases into its own route
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: require admin when using $res: resource paths in import_pg_database
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: use UserDB for $res: resource access and restrict dbname creation
- resolve_pg_source_checked uses UserDB (row-level security) for $res: paths
- transform_json_unchecked is now pub(crate) to prevent misuse
- Non-superadmins can only create databases with wm_fork_ prefix
- datatable:// remains accessible to everyone
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: refuse to drop forked databases unless name starts with wm_fork_
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: remove resolve_pg_source, use resolve_pg_source_checked everywhere
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Fix permissions
* sqlx prepare
* compilation nits
* sqlx prepare
* sqlx prepare
* wrong route syntax
* fix: allow workspace owner to edit datatable config for fork setup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Revert "fix: allow workspace owner to edit datatable config for fork setup"
This reverts commit ab683e637b.
* refactor: move datatable fork setup into create_workspace_fork backend
Instead of updating datatable settings from the frontend after fork
creation (which required admin/owner access), pass forked_datatables
info to create_workspace_fork and handle it atomically in the same
transaction. Removes applyPostForkDatatableUpdates from frontend.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: snapshot schema in backend during fork instead of frontend
The schema snapshot is now taken by the backend in apply_forked_datatable
via snapshot_datatable_schema, which connects to the parent workspace's
datatable and runs pg_get_full_schema. This removes the need for the
frontend to call getDatatableFullSchema and pass the schema through.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: use get_resource_value_interpolated_internal for $res: to resolve $var: references
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nit
* sqlx prepare
* fix: add permission check to drop_forked_datatable_databases, validate dbnames, restrict temp file perms
- drop_forked_datatable_databases: same permission as delete_workspace
(fork owner or super admin)
- validate_dbname on target_dbname_override and ForkedDatatableInfo.new_dbname
- Enforce wm_fork_ prefix on forked datatable new_dbname
- DumpFile: set /tmp/windmill/ to 0700 and create files with 0600
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nit CLI
* Rename to ws_specific
* sqlx prepare
* nit always validate dbname
* fix: include foreign keys in CREATE TABLE migration for added tables
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: detect nextval defaults and use SERIAL/BIGSERIAL types in CREATE TABLE
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Update frontend/src/lib/components/DBManagerDrawer.svelte
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* Update backend/windmill-common/src/lib.rs
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* Update backend/windmill-common/src/lib.rs
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* fix: sort foreign keys by constraint name for deterministic schema output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* sqlx prepare
* rename migration to update timestamp
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* feat: add R language support
Add R as a new supported scripting language in Windmill, following the
same pattern used for Ruby. Includes:
- Backend: ScriptLang::Rlang enum variant, DB migration, tree-sitter-r
parser crate with tests, WASM parser binding, R executor with NSJail
sandboxing, job dispatch and signature parsing
- Frontend: language picker, R icon, syntax highlighting, editor bar
insertions (Sys.getenv, get_variable, get_resource), schema inference,
init code template, BETA badge
- CLI: .r extension mapping, sync support, bootstrap template
R scripts use `main <- function(...)` syntax, jsonlite for JSON
serialization, and system curl for the Windmill client helper.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add R package resolution and installation
Parse library()/require() calls from R scripts to extract dependencies.
Resolve versions from CRAN, cache lockfiles in pip_resolution_cache,
and install packages to a shared R library cache. The run step sets
R_LIBS_USER so installed packages are available to the script.
- Parser: parse_r_requirements() extracts package names from AST
- Executor: resolve() generates lockfile, install() installs from CRAN
- Worker lockfiles: wire up R resolve for dependency jobs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add nsjail sandboxing for R resolve and install phases
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: fix R get_variable/get_resource and add sandbox annotation + e2e tests
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: fix R arg inference with JS fallback parser and get_variable/get_resource
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix flake
* nsjail
* nits
* fix: R install improvements - suppress verbose output, flat lockfile logging, Dockerfile R support, rlimits
- Suppress renv verbose output during resolve and install (controlled by #verbose annotation)
- Filter renv from install list (already loaded, causes noisy restart message)
- Log compact "resolved N packages" instead of full renv.lock JSON
- Add R (r-base, r-cran-renv) to DockerfileFull and DockerfileFullEe
- Use disable_rl for nsjail install config (R compiles from source)
- Reduce default concurrency from 20 to 5
- Add rlang to openflow.openapi.yaml
- Fix MainArgSignature (no_main_func -> auto_kind) after main merge
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* final
* fix: remove accidental R install from multiplayer Dockerfile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: remove R from Windows build and DockerfileExtra
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: rename R migration to avoid timestamp collision with trigger_filter_logic
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* all
* fix: R install improvements - suppress verbose output, flat lockfile logging, Dockerfile R support, rlimits
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: add clear error when Rscript binary is missing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: fix type errors in R fallback parser, use format! in wrap(), add R system prompts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: pyranota <pyra@duck.com>
* feat: add gateway reverse proxy for extra services
Add a lightweight Node.js gateway on port 3000 that routes requests
by URL prefix (/ws/*, /ws_mp/*, /ws_debug/*) to the correct backend
service, stripping the prefix before forwarding. This allows all
extra services to be accessed through a single port.
Also makes the multiplayer server more tolerant by generically
stripping /ws_mp/ prefix on HTTP requests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: enable gateway by default for extra services
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: add REMOTE_EXTRA env var for unified extra services proxy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: make gateway port configurable via PORT env var
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: simplify Caddyfile extra services routing
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(cli): add consistent get/list/new subcommands for all item types
Make the CLI consistent so every item type (script, flow, app, resource,
resource-type, variable, schedule, folder, trigger) supports get/list/new
subcommands, enabling the CLI to be used as a full API client in bash
scripts with jq piping.
- Add --json flag to all list commands for machine-readable output
- Register explicit "list" subcommand alongside default action
- Add "get <path> [--json]" subcommand to fetch single items from API
- Rename "bootstrap" to "new" for script/flow, keep "bootstrap" as alias
- Add "new" subcommand for resource, resource-type, variable, schedule,
folder, and trigger to create local template YAML files
- Update cli-commands skill documentation for wmill init
- Add integration tests for all new commands
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* all
* feat: install wmill CLI in Docker images and use it for bash variable/resource access
- Install windmill-cli via bun in all Dockerfiles that include bun
- DockerfileCli: switch from node:slim to oven/bun:slim
- CLI: auto-configure from WM_WORKSPACE/WM_TOKEN/BASE_INTERNAL_URL env vars
as last-resort fallback when no workspace is configured
- Frontend: replace curl-based bash snippets with wmill variable/resource get
- Add backend integration tests for wmill CLI in bash scripts
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(ci): install windmill-cli in backend test workflow
Ensures wmill is available on PATH for bash integration tests
that use `wmill variable get` and `wmill resource get`.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(cli): replace @std/* Deno dependencies with Node.js equivalents
Replace @std/log with a lightweight custom logger (core/log.ts),
@std/path with node:path, and @std/yaml with the yaml npm package.
Also fix process hang on exit, add --node option to install_dev.sh,
and add missing hasRequiredPermissions to NpmProvider.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* all
* all
* all
* refactor(cli): replace @ayonli/jsext and @std/encoding with lightweight alternatives
Replace @ayonli/jsext (8.4MB) with tar-stream (32kB) for tar creation,
replace @std/encoding with Node.js Buffer.toString("hex"), and fix
@windmill-labs/shared-utils to use direct npm instead of JSR mirror.
Also resolve merge conflicts in sync.ts and fix pre-existing type errors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(cli): use singleQuote YAML output and pass yamlOptions in gitsync pull
The yaml library defaults to double quotes, but the codebase (and tests)
expect single-quoted strings. Add singleQuote: true to yamlOptions and
pass yamlOptions to gitsync-settings pull writeFile calls.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* all
* all
* fix(cli): address code review feedback
- Install CLI from source in backend tests instead of npm
- Fix script bootstrap catch block to re-throw "File already exists"
- Add type-safe local variable after trigger kind validation
- Use created_by instead of policy.on_behalf_of for app get output
- Note --kind is recommended for faster trigger lookup in help text
- Document node symlink purpose in Dockerfiles
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(ci): use /usr/bin for wmill wrapper to ensure it's in PATH
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(ci): install wmill to ~/.local/bin to avoid permission issues
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* ci(backend): switch to Blacksmith runner and add cargo caching
- Switch from ubicloud-standard-16 to blacksmith-16vcpu-ubuntu-2404 for faster NVMe-backed builds
- Add stickydisk for cargo target directory (persistent NVMe cache across runs)
- Add cache for cargo registry and git dependencies
- Upgrade DuckDB FFI cache from actions/cache@v3 to useblacksmith/cache@v1
- Enable CARGO_INCREMENTAL=1 to benefit from persistent target cache
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix ci
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The .cargo/config.toml uses mold linker for x86_64-linux (all profiles).
Install mold+clang in the main Dockerfile. For RHEL images where mold
isn't available, override via env vars to use the default linker.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: kafka trigger kerberos/gssapi support
* chore: update ee-repo-ref to bb32d562120dc34bbd8d659d92a0d4b8824b8c4c
This commit updates the EE repository reference after PR #405 was merged in windmill-ee-private.
Previous ee-repo-ref: 128c6549d4557895a362fb720f56afa54d6f566b
New ee-repo-ref: bb32d562120dc34bbd8d659d92a0d4b8824b8c4c
Automated by sync-ee-ref workflow.
* adding kafka-gssapi to all_sqlx_features
* ee ref
* ee ref
---------
Co-authored-by: windmill-internal-app[bot] <windmill-internal-app[bot]@users.noreply.github.com>
Co-authored-by: Ruben Fiszel <ruben@windmill.dev>
* feat: mssql integrated auth (kerberos/ntlm)
* install krb5 headers
* also make it work for windows
---------
Co-authored-by: Ruben Fiszel <ruben@windmill.dev>
* feat: make nsjail available in all standard images (CE)
Include nsjail binary and runtime deps in the main Dockerfile and
DockerfileSlim so sandboxing is available out of the box. Flip
DISABLE_NSJAIL default to false so nsjail is enabled by default.
Remove DockerfileNsjail (now redundant) and the build_ee_nsjail CI job,
pointing publish_ecr_s3 at the base EE image instead. Add iptables to
DockerfileFullEe to preserve the functionality from the removed nsjail
image.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* revert: keep DISABLE_NSJAIL default as true
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: pin publish_ecr_s3 to exact commit hash
Add type=sha tag to build_ee so it pushes a commit-pinned image tag.
Restore git hash lookup in publish_ecr_s3 to reference the exact image
for that commit, avoiding race conditions with the mutable dev tag.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: publish_ecr_s3 depends on build_ee_full, uses release tag
Only publish to S3 on tag releases, extracting static frontend from the
ee-full image using the semver tag.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: remove stale windmill-ee-nsjail references, add nsjail to EE slim
The windmill-ee-nsjail image is no longer published since DockerfileNsjail
was deleted. Update all references to use the base EE image (which now
includes nsjail), remove redundant nsjail deps from DockerfileExtra, and
add nsjail build to DockerfileSlimEe for consistency with CE slim.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* test: add bun executor tests with minimal production code changes
- Add comprehensive bun job tests (bun_jobs.rs) covering:
  - Basic execution, error handling, annotation modes
  - Relative imports, deeply nested imports
  - Dedicated worker protocol for both Node.js and Bun runtimes
  - Builder tests for lockfile generation (import scanning)
- Minimize changes to bun_executor.rs by exposing:
  - RELATIVE_BUN_LOADER and RELATIVE_BUN_BUILDER constants
  - build_loader() function and LoaderMode enum
  - BUN_DEDICATED_WORKER_ARGS constant
  - generate_dedicated_worker_wrapper() function
- Tests call production code directly (build_loader) instead of
  duplicating script generation logic
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* nit
* fix: reuse BUN_PATH/NODE_BIN_PATH from windmill-worker, add node to CI
- Tests now use exported BUN_PATH and NODE_BIN_PATH constants instead
of duplicating env var logic
- Update backend-test.yml:
  - Upgrade bun to v1.3.8
  - Add setup-node action
  - Add NODE_BIN_PATH to cargo test command
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* add private repo test
* fix private repo test
* try fix again
* fix
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add cache-rt command and SYNC_CACHED_RT env variable for resource types
Add a new CLI command `cache-rt` that fetches resource types from the hub
and caches them locally. This command is run during Docker image build to
pre-populate the cache.
Add `SYNC_CACHED_RT` environment variable that, when set to true, syncs
cached resource types to the admins workspace's resource_type table on
server startup. The sync is incremental - it only updates resource types
that have changed.
Changes:
- Add HUB_RT_CACHE_DIR constant for resource type cache location
- Add cache-rt CLI command to fetch and cache resource types from hub
- Add sync_cached_resource_types() to sync cached types to database
- Update all Dockerfiles to run cache-rt during image build
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: parse schema string from hub into proper JSONB
The hub API returns schema as a JSON string that needs to be parsed
into a proper JSON value before inserting into the database.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
The nsjail debugger mode was failing with "chdir('/tmp'): No such file
or directory" because without a config file, nsjail uses minimal mounts
that don't include /tmp or other necessary directories.
Added nsjail.debug.config.proto with proper mounts:
- /bin, /lib, /lib64, /usr, /etc (system directories)
- /tmp as tmpfs (for script execution)
- /dev/null, /dev/random, /dev/urandom (device nodes)
- /root as tmpfs (for bun cache)
Also updated:
- entrypoint-extra.sh: Pass --nsjail-config when ENABLE_NSJAIL=true
- DockerfileExtra: Copy nsjail config, update ports to 3003
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Updates the debugger service to use port 3003 instead of 5679 across
all configuration files, documentation, and code references. This aligns
the debugger with the other windmill-extra services which use ports
3001 (LSP) and 3002 (Multiplayer).
Changes:
- docker-compose.yml: Update port exposure and add DEBUGGER_PORT env
- docker/entrypoint-extra.sh: Change default port from 5679 to 3003
- debugger/dap_debug_service.ts: Update default port in code and docs
- debugger/README.md: Update port documentation
- debugger/test_debug_service.ts: Update test URLs
- docker/test_windmill_extra.ts: Update test configuration
- .github/workflows/publish_extra.yml: Update test container ports
- frontend/src/lib/components/debug/*: Update frontend examples and defaults
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>