chore(main): release 1.311.0 (#3580)

* chore(main): release 1.311.0

* Apply automatic changes

---------

Co-authored-by: rubenfiszel <rubenfiszel@users.noreply.github.com>

.github/change-versions-mac.sh

@@ -16,6 +16,7 @@ sed -i '' -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/frontend/
 sed -i '' -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
 sed -i '' -e "/^windmill-api =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
 sed -i '' -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
+sed -i '' -e "/^ModuleVersion =/s/= .*/= '$VERSION'/" ${root_dirpath}/powershell-client/WindmillClient/WindmillClient.psd1
 # sed -i '' -e "/^wmill =/s/= .*/= \"\\^$VERSION\"/" python-client/wmill_pg/pyproject.toml
 sed -i '' -e "/^wmill =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
 sed -i '' -e "/^wmill_pg =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile

.github/change-versions.sh

@@ -16,6 +16,7 @@ sed -i -e "/\"version\": /s/: .*,/: \"$VERSION\",/" ${root_dirpath}/frontend/pac
 sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
 sed -i -e "/^windmill-api =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill/pyproject.toml
 sed -i -e "/^version =/s/= .*/= \"$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
+sed -i -e "/^ModuleVersion =/s/= .*/= '$VERSION'/" ${root_dirpath}/powershell-client/WindmillClient/WindmillClient.psd1
 # sed -i -e "/^wmill =/s/= .*/= \"\\^$VERSION\"/" ${root_dirpath}/python-client/wmill_pg/pyproject.toml
 sed -i -e "/^wmill =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile
 sed -i -e "/^wmill_pg =/s/= .*/= \">=$VERSION\"/" ${root_dirpath}/lsp/Pipfile

.github/workflows/benchmark.yml

@@ -34,27 +34,20 @@ jobs:
       - uses: denoland/setup-deno@v1
         with:
           deno-version: v1.x
-      - uses: actions/checkout@v4
-        with:
-          ref: benchmarks
       - name: benchmark
         timeout-minutes: 20
         run: deno run --unstable -A -r
           https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/benchmark_suite.ts
           -c
           https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/suite_config.json
-      - name: Push changes
-        run: |
-          pwd
-          git pull origin benchmarks
-          git add .
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-          git commit -m "Update benchmarks"
-          git push
+      - name: Save benchmark results
+        uses: actions/upload-artifact@v4
+        with:
+          name: benchmark_single
+          path: |
+            *.json
 
   benchmark_dedicated:
-    needs: benchmark_single
     runs-on: ubicloud-standard-8
     services:
       postgres:
@@ -82,24 +75,18 @@ jobs:
       - uses: denoland/setup-deno@v1
         with:
           deno-version: v1.x
-      - uses: actions/checkout@v4
-        with:
-          ref: benchmarks
       - name: benchmark
         timeout-minutes: 20
         run: deno run --unstable -A -r
           https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/benchmark_suite.ts
           --no-warm-up -c
           https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/suite_dedicated.json
-      - name: Push changes
-        run: |
-          pwd
-          git pull origin benchmarks
-          git add .
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-          git commit -m "Update benchmarks"
-          git push
+      - name: Save benchmark results
+        uses: actions/upload-artifact@v4
+        with:
+          name: benchmark_dedicated
+          path: |
+            *.json
 
   benchmark_4workers:
     runs-on: ubicloud-standard-8
@@ -162,9 +149,6 @@ jobs:
       - uses: denoland/setup-deno@v1
         with:
           deno-version: v1.x
-      - uses: actions/checkout@v4
-        with:
-          ref: benchmarks
       - name: benchmark
         timeout-minutes: 20
         run: deno run --unstable -A -r
@@ -172,15 +156,12 @@ jobs:
           -c
           https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/suite_config.json
           --workers 4
-      - name: Push changes
-        run: |
-          pwd
-          git pull origin benchmarks
-          git add .
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-          git commit -m "Update benchmarks"
-          git push
+      - name: Save benchmark results
+        uses: actions/upload-artifact@v4
+        with:
+          name: benchmark_4workers
+          path: |
+            *.json
 
   benchmark_8workers:
     runs-on: ubicloud-standard-8
@@ -286,9 +267,6 @@ jobs:
       - uses: denoland/setup-deno@v1
         with:
           deno-version: v1.x
-      - uses: actions/checkout@v4
-        with:
-          ref: benchmarks
       - name: benchmark
         timeout-minutes: 20
         run: deno run --unstable -A -r
@@ -296,10 +274,40 @@ jobs:
           -c
           https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/suite_config.json
           --workers 8
+      - name: Save benchmark results
+        uses: actions/upload-artifact@v4
+        with:
+          name: benchmark_8workers
+          path: |
+            *.json
+
+  benchmark_graphs:
+    runs-on: ubicloud
+    needs:
+      - benchmark_single
+      - benchmark_dedicated
+      - benchmark_4workers
+      - benchmark_8workers
+    steps:
+      - uses: denoland/setup-deno@v1
+        with:
+          deno-version: v1.x
+      - uses: actions/checkout@v4
+        with:
+          ref: benchmarks
+      - name: Download benchmark results
+        uses: actions/download-artifact@v4
+        with:
+          merge-multiple: true
+      - name: graphs
+        run: deno run --unstable -A -r
+          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/benchmark_graphs.ts
+          -c
+          https://raw.githubusercontent.com/windmill-labs/windmill/${GITHUB_REF##ref/head/}/benchmarks/graphs_config.json
       - name: Push changes
         run: |
+          ls -la
           pwd
-          git pull origin benchmarks
           git add .
           git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --local user.name "github-actions[bot]"

.github/workflows/build_ws.yml

@@ -7,15 +7,14 @@ name: Publish websocket multiplayer server
 on:
   workflow_dispatch:
 
-
 permissions:
   contents: read
   id-token: write
   packages: write
-  
+
 jobs:
   publish_multiplayer:
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-8
     steps:
       - uses: actions/checkout@v3
         with:
@@ -56,7 +55,7 @@ jobs:
 
   publish_privately:
     needs: [publish_multiplayer]
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-8
     steps:
       - uses: actions/checkout@v3
         with:
@@ -71,9 +70,8 @@ jobs:
           username: ${{ secrets.AWS_ACCESS_KEY_ID }}
           password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
-
       - name: Push image to ECR
         run: |
           docker buildx imagetools create \
             --tag ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

.github/workflows/docker-image.yml

@@ -8,15 +8,16 @@ on:
   push:
     branches: [main]
     tags: ["*"]
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - "Dockerfile"
 
 concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: write
-  id-token: write
-  packages: write
+permissions: write-all
 
 jobs:
   build:
@@ -136,7 +137,6 @@ jobs:
           push: true
           build-args: |
             features=enterprise,enterprise_saml,stripe,embedding,parquet,prometheus,openidconnect
-            nsjail=true
           tags: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:dev
             ${{ steps.meta-ee-public.outputs.tags }}
@@ -144,52 +144,68 @@ jobs:
             ${{ steps.meta-ee-public.outputs.labels }}
             org.opencontainers.image.licenses=Windmill-Enterprise-License
 
-  build_ee_reports_privately:
-    needs: [build_ee]
+  build_ee_312:
     runs-on: ubicloud
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
+
+      - name: Read EE repo commit hash
+        run: |
+          echo "ee_repo_ref=$(cat ./backend/ee-repo-ref.txt)" >> "$GITHUB_ENV"
+
+      - uses: actions/checkout@v3
+        with:
+          repository: windmill-labs/windmill-ee-private
+          path: ./windmill-ee-private
+          ref: ${{ env.ee_repo_ref }}
+          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
+          fetch-depth: 0
+
       # - name: Set up Docker Buildx
       #   uses: docker/setup-buildx-action@v2
-
       - uses: depot/setup-action@v1
 
       - name: Docker meta
-        id: meta-ee-public
+        id: meta-ee-public-py312
         uses: docker/metadata-action@v4
         with:
           images: |
-            ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}-ee-reports
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee-py312
+          flavor: |
+            latest=false
           tags: |
-            type=ref,event=branch
             type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-            type=sha,enable=true,priority=100,prefix=,suffix=,format=short
 
-      - name: Login to ECR
-        if: github.event_name != 'pull_request'
+      - name: Login to registry
         uses: docker/login-action@v2
         with:
-          registry: ${{ env.ECR_REGISTRY }}
-          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push publicly ee reports
+      - name: Substitute EE code
+        run: |
+          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
+
+      - name: Build and push publicly ee
         uses: depot/build-push-action@v1
         with:
           context: .
           platforms: linux/amd64
           push: true
-          file: "./docker/DockerfileReports"
+          build-args: |
+            features=enterprise,enterprise_saml,stripe,embedding,parquet,prometheus,openidconnect
+            PYTHON_IMAGE=python:3.12.2-slim-bookworm
           tags: |
-            ${{ steps.meta-ee-public.outputs.tags }}
+            ${{ steps.meta-ee-public-py312.outputs.tags }}
           labels: |
-            ${{ steps.meta-ee-public.outputs.labels }}
+            ${{ steps.meta-ee-public-py312.outputs.labels }}
             org.opencontainers.image.licenses=Windmill-Enterprise-License
-
   # disabled until we make it 100% reliable and add more meaningful tests
   # playwright:
   #   runs-on: [self-hosted, new]
@@ -311,54 +327,6 @@ jobs:
   #           ${{ steps.extract.outputs.destination }}/*
   #           ${{ steps.extract-ee.outputs.destination }}/*
 
-  publish_ecr_s3:
-    needs: [build_ee]
-    runs-on: ubicloud
-    if: github.event_name != 'pull_request'
-    env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Login to ECR
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
-        with:
-          registry: ${{ env.ECR_REGISTRY }}
-          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
-      - name: Push image to ECR
-        if: github.event_name != 'pull_request'
-        id: push_ecr
-        run: |
-          git_hash=$(git rev-parse --short "$GITHUB_SHA")
-          docker buildx imagetools create \
-            --tag ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${git_hash:0:7} \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:dev
-          echo "GIT_HASH=${git_hash:0:7}" >> "$GITHUB_OUTPUT"
-
-      - uses: shrink/actions-docker-extract@v3
-        if: github.event_name != 'pull_request'
-        id: extract
-        with:
-          image: |-
-            ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ steps.push_ecr.outputs.GIT_HASH }}
-          path: "/static_frontend/."
-
-      - uses: reggionick/s3-deploy@v3
-        if: github.event_name != 'pull_request'
-        with:
-          folder: ${{ steps.extract.outputs.destination }}
-          bucket: windmill-frontend
-          bucket-region: us-east-1
-
   run_integration_test:
     runs-on: ubicloud
     needs: [build_ee]
@@ -419,6 +387,190 @@ jobs:
           docker buildx imagetools create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:dev --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:latest
           docker buildx imagetools create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:dev --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:main
 
+  verify_ee_image_vulnerabilities:
+    runs-on: ubicloud
+    needs: [tag_latest_ee]
+    # if: ${{ startsWith(github.ref, 'refs/tags/') }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Analyze for critical and high CVEs
+        id: docker-scout-cves
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          only-severities: critical,high
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:main
+          sarif-file: sarif.output.json
+          summary: true
+          dockerhub-user: windmilllabs
+          dockerhub-password: ${{ secrets.DOCKER_PAT }}
+
+      - name: Upload SARIF result
+        id: upload-sarif
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif.output.json
+
+  # docker_scout_ee:
+  #   runs-on: ubicloud
+  #   needs: [tag_latest_ee]
+  #   steps:
+  #     - name: Docker Scout
+  #       id: docker-scout
+  #       uses: docker/scout-action@v1
+  #       with:
+  #         dockerhub-
+  #         command: cves,recommendations,compare
+  #         to-latest: true
+  #         ignore-base: true
+  #         ignore-unchanged: true
+  #         only-fixed: true
+
+  build_ee_nsjail:
+    needs: [build_ee]
+    runs-on: ubicloud
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # - name: Set up Docker Buildx
+      #   uses: docker/setup-buildx-action@v2
+
+      - uses: depot/setup-action@v1
+
+      - name: Docker meta
+        id: meta-ee-public
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee-nsjail
+          flavor: |
+            latest=false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,enable=true,priority=100,prefix=,suffix=,format=short
+
+      - name: Login to registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push publicly ee
+        uses: depot/build-push-action@v1
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          file: "./docker/DockerfileNsjail"
+          tags: |
+            ${{ steps.meta-ee-public.outputs.tags }}
+          labels: |
+            ${{ steps.meta-ee-public.outputs.labels }}
+            org.opencontainers.image.licenses=Windmill-Enterprise-License
+
+  build_ee_reports_privately:
+    needs: [build_ee_nsjail]
+    runs-on: ubicloud
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      # - name: Set up Docker Buildx
+      #   uses: docker/setup-buildx-action@v2
+
+      - uses: depot/setup-action@v1
+
+      - name: Docker meta
+        id: meta-ee-public
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}-ee-reports
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,enable=true,priority=100,prefix=,suffix=,format=short
+
+      - name: Login to ECR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.ECR_REGISTRY }}
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: Build and push publicly ee reports
+        uses: depot/build-push-action@v1
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          file: "./docker/DockerfileReports"
+          tags: |
+            ${{ steps.meta-ee-public.outputs.tags }}
+          labels: |
+            ${{ steps.meta-ee-public.outputs.labels }}
+            org.opencontainers.image.licenses=Windmill-Enterprise-License
+
+  publish_ecr_s3:
+    needs: [build_ee_nsjail]
+    runs-on: ubicloud
+    if: github.event_name != 'pull_request'
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to ECR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.ECR_REGISTRY }}
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: Push image to ECR
+        if: github.event_name != 'pull_request'
+        id: push_ecr
+        run: |
+          git_hash=$(git rev-parse --short "$GITHUB_SHA")
+          docker buildx imagetools create \
+            --tag ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${git_hash:0:7} \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee-nsjail:main
+          echo "GIT_HASH=${git_hash:0:7}" >> "$GITHUB_OUTPUT"
+
+      - uses: shrink/actions-docker-extract@v3
+        if: github.event_name != 'pull_request'
+        id: extract
+        with:
+          image: |-
+            ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}-ee:${{ steps.push_ecr.outputs.GIT_HASH }}
+          path: "/static_frontend/."
+
+      - uses: reggionick/s3-deploy@v3
+        if: github.event_name != 'pull_request'
+        with:
+          folder: ${{ steps.extract.outputs.destination }}
+          bucket: windmill-frontend
+          bucket-region: us-east-1
+
   build_ee_cuda:
     if: ${{ startsWith(github.ref, 'refs/tags/') }}
     needs: [build_ee]

.github/workflows/gallery_on_release.yml

@@ -0,0 +1,16 @@
+name: Publish powershell-client
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+jobs:
+  publish_gallery:
+    runs-on: ubicloud-standard-8
+    steps:
+      - uses: actions/checkout@v4
+      - run: . ./powershell-client/publish.ps1
+        shell: pwsh
+        env:
+          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}

.github/workflows/release-please.yml

@@ -6,7 +6,7 @@ name: release-please
 jobs:
   release-please:
     name: "Release please"
-    runs-on: ubicloud-standard-8
+    runs-on: ubicloud
     steps:
       - uses: GoogleCloudPlatform/release-please-action@v3
         with:

.github/workflows/sign-cla.yml

@@ -7,10 +7,13 @@ on:
 
 jobs:
   CLAssistant:
-    runs-on: ubuntu-latest
+    runs-on: ubicloud
     steps:
       - name: "CLA Assistant"
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        if:
+          (github.event.comment.body == 'recheck' || github.event.comment.body
+          == 'I have read the CLA Document and I hereby sign the CLA') ||
+          github.event_name == 'pull_request_target'
         # Beta Release
         uses: cla-assistant/github-action@v2.3.1
         env:

Dockerfile

@@ -1,30 +1,6 @@
 ARG DEBIAN_IMAGE=debian:bookworm-slim
 ARG RUST_IMAGE=rust:1.76-slim-bookworm
-ARG PYTHON_IMAGE=python:3.11.4-slim-bookworm
-
-FROM ${DEBIAN_IMAGE} as nsjail
-
-WORKDIR /nsjail
-
-ARG nsjail=""
-
-RUN  if [ "$nsjail" = "true" ]; then apt-get -y update \
-    && apt-get install -y \
-    bison=2:3.8.* \
-    flex=2.6.* \
-    g++=4:12.2.* \
-    gcc=4:12.2.* \
-    git=1:2.39.* \
-    libprotobuf-dev=3.21.* \
-    libnl-route-3-dev=3.7.* \
-    make=4.3-4.1 \
-    pkg-config=1.8.* \
-    protobuf-compiler=3.21.*; fi
-
-
-RUN if [ "$nsjail" = "true" ]; then git clone -b master --single-branch https://github.com/google/nsjail.git . \
-    && git checkout dccf911fd2659e7b08ce9507c25b2b38ec2c5800; fi
-RUN if [ "$nsjail" = "true" ]; then make; else touch nsjail; fi
+ARG PYTHON_IMAGE=python:3.11.8-slim-bookworm
 
 FROM ${RUST_IMAGE} AS rust_base
 
@@ -100,8 +76,8 @@ SHELL ["/bin/bash", "-c"]
 RUN apt update -y
 RUN apt install -y unzip curl
 
-RUN [ "$TARGETPLATFORM" == "linux/amd64" ] && curl -Lsf https://github.com/denoland/deno/releases/download/v1.41.0/deno-x86_64-unknown-linux-gnu.zip -o deno.zip || true
-RUN [ "$TARGETPLATFORM" == "linux/arm64" ] && curl -Lsf https://github.com/denoland/deno/releases/download/v1.41.0/deno-aarch64-unknown-linux-gnu.zip -o deno.zip || true
+RUN [ "$TARGETPLATFORM" == "linux/amd64" ] && curl -Lsf https://github.com/denoland/deno/releases/download/v1.42.0/deno-x86_64-unknown-linux-gnu.zip -o deno.zip || true
+RUN [ "$TARGETPLATFORM" == "linux/arm64" ] && curl -Lsf https://github.com/denoland/deno/releases/download/v1.42.0/deno-aarch64-unknown-linux-gnu.zip -o deno.zip || true
 
 
 RUN unzip deno.zip && rm deno.zip
@@ -111,8 +87,8 @@ FROM ${PYTHON_IMAGE}
 ARG TARGETPLATFORM
 ARG POWERSHELL_VERSION=7.3.5
 ARG POWERSHELL_DEB_VERSION=7.3.5-1
-ARG KUBECTL_VERSION=1.27.2
-ARG HELM_VERSION=3.12.0
+ARG KUBECTL_VERSION=1.28.7
+ARG HELM_VERSION=3.14.3
 ARG APP=/usr/src/app
 ARG WITH_POWERSHELL=true
 ARG WITH_KUBECTL=true
@@ -120,9 +96,10 @@ ARG WITH_HELM=true
 
 
 RUN apt-get update \
-    && apt-get install -y ca-certificates wget curl git jq libprotobuf-dev libnl-route-3-dev unzip build-essential unixodbc xmlsec1 \
+    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
     && rm -rf /var/lib/apt/lists/*
 
+
 RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
     if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
     dpkg --install 'pwsh.deb' && \
@@ -150,22 +127,6 @@ RUN if [ "$WITH_KUBECTL" = "true" ]; then \
     install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl; \
     else echo 'Building the image without kubectl'; fi
 
-RUN set -eux; \
-    arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
-    case "$arch" in \
-    'amd64') \
-    zip='awscli-exe-linux-x86_64.zip'; \
-    ;; \
-    'arm64') \
-    zip='awscli-exe-linux-aarch64.zip'; \
-    ;; \
-    *) echo >&2 "error: unsupported architecture '$arch' (likely packaging update needed)"; exit 1 ;; \
-    esac; \
-    apt-get update && apt install unzip && curl "https://awscli.amazonaws.com/$zip" -o "awscliv2.zip" && \
-    unzip awscliv2.zip && \
-    ./aws/install && rm awscliv2.zip
-
-
 
 RUN set -eux; \
     arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
@@ -186,14 +147,11 @@ RUN set -eux; \
 ENV PATH="${PATH}:/usr/local/go/bin"
 ENV GO_PATH=/usr/local/go/bin/go
 
-ARG nsjail=""
-
-RUN if [ "$nsjail" = "true" ]; then apt-get -y update \
-    && apt-get install -y \
-    curl nodejs npm; fi
+RUN curl -sL https://deb.nodesource.com/setup_20.x | bash - 
+RUN apt-get -y update && apt-get install -y curl nodejs awscli
 
 # go build is slower the first time it is ran, so we prewarm it in the build
-RUN mkdir -p /tmp/gobuildwarm && cd /tmp/gobuildwarm && go mod init gobuildwarm && printf "package foo\nimport (\"fmt\"\nwmill \"github.com/windmill-labs/windmill-go-client\")\nfunc main() { v := wmill.GetStatePath()\n fmt.Println(v) }" > warm.go && go mod tidy && go build -x && rm -rf /tmp/gobuildwarm
+RUN mkdir -p /tmp/gobuildwarm && cd /tmp/gobuildwarm && go mod init gobuildwarm && printf "package foo\nimport (\"fmt\")\nfunc main() { fmt.Println(42) }" > warm.go && go mod tidy && go build -x && rm -rf /tmp/gobuildwarm
 
 ENV TZ=Etc/UTC
 
@@ -205,9 +163,7 @@ COPY --from=builder /windmill/target/release/windmill ${APP}/windmill
 
 COPY --from=downloader --chmod=755 /deno /usr/bin/deno
 
-COPY --from=nsjail /nsjail/nsjail /bin/nsjail
-
-COPY --from=oven/bun:1.0.29 /usr/local/bin/bun /usr/bin/bun
+COPY --from=oven/bun:1.1.0 /usr/local/bin/bun /usr/bin/bun
 
 # add the docker client to call docker from a worker if enabled
 COPY --from=docker:dind /usr/local/bin/docker /usr/local/bin/

LICENSE

@@ -13,7 +13,7 @@ any snippets of code that require a positive license check to be activated.
 Those snippets and files are under a proprietary and commercial license. Private
 and public forks MUST not include any of the above proprietary and commercial
 code. Windmill Labs, Inc. provide tools to clean the codebase from those
-snippets upon demand. The files under python-client/ deno-client/ go-client/ are
+snippets upon demand. The files under python-client/ deno-client/ go-client/ powershell-client/ are
 Apache 2.0 Licensed.
 
 The openapi files, including the OpenFlow spec is Apache 2.0 Licensed.

README.md

@@ -353,6 +353,43 @@ you to have it being synced automatically everyday.
 | QUEUE_LIMIT_WAIT_RESULT   | None                   | The number of max jobs in the queue before rejecting immediately the request in 'run_wait_result' endpoint. Takes precedence on the query arg. If none is specified, there are no limit.           | Worker                |
 | DENO_AUTH_TOKENS          | None                   | Custom DENO_AUTH_TOKENS to pass to worker to allow the use of private modules                                                                                                                      | Worker                |
 
+## Run a local dev setup
+### only Frontend
+This will use the backend of <https://app.windmill.dev> but your own frontend
+with hot-code reloading.
+1. Install [caddy](https://caddyserver.com)
+2. Go to `frontend/`:
+   1. `npm install`, `npm run generate-backend-client` then `npm run dev`
+   2. In another shell `sudo caddy run --config CaddyfileRemote`
+3. Et voilà, windmill should be available at `http://localhost/`
+### Backend + Frontend
+See the [./frontend/README_DEV.md](./frontend/README_DEV.md) file for all
+running options.
+1. Create a Postgres Database for Windmill and create an admin role inside your
+   Postgres setup.
+   The easiest way to get a working db is to run
+	```
+   cargo install sqlx-cli
+   env DATABASE_URL=<YOUR_DATABASE_URL> sqlx migrate run
+	```
+   This will also avoid compile time issue with sqlx's `query!` macro
+2. Install [nsjail](https://github.com/google/nsjail) and have it accessible in
+   your PATH
+3. Install deno and python3, have the bins at `/usr/bin/deno` and
+   `/usr/local/bin/python3`
+4. Install [caddy](https://caddyserver.com)
+5. Install the [lld linker](https://lld.llvm.org/)
+6. Go to `frontend/`:
+   1. `npm install`, `npm run generate-backend-client` then `npm run dev`
+   2. You might need to set some extra heap space for the node runtime `export NODE_OPTIONS="--max-old-space-size=4096"`
+   3. In another shell `npm run build` otherwise the backend will not find the `frontend/build` folder and will not compile.
+   4. In another shell `sudo caddy run --config Caddyfile`
+7. Go to `backend/`:
+   `env DATABASE_URL=<DATABASE_URL_TO_YOUR_WINDMILL_DB> RUST_LOG=info cargo run`
+8. Et voilà, windmill should be available at `http://localhost/`
+
+
+
 ## Contributors
 
 <a href="https://github.com/windmill-labs/windmill/graphs/contributors">

backend/.sqlx/query-020d33ed5d47350b456783fd548422ea8dcf2d786d0e9fa849754db82c9fa378.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO script (workspace_id, hash, path, parent_hashes, summary, description, content, created_by, schema, is_template, extra_perms, lock, language, kind, tag, draft_only, envs, concurrent_limit, concurrency_time_window_s, cache_ttl, dedicated_worker, ws_error_handler_muted, priority, restart_unless_cancelled, delete_after_use, timeout, concurrency_key) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::text::json, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25, $26, $27)",
+  "query": "INSERT INTO script (workspace_id, hash, path, parent_hashes, summary, description, content, created_by, schema, is_template, extra_perms, lock, language, kind, tag, draft_only, envs, concurrent_limit, concurrency_time_window_s, cache_ttl, dedicated_worker, ws_error_handler_muted, priority, restart_unless_cancelled, delete_after_use, timeout, concurrency_key, visible_to_runner_only) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::text::json, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25, $26, $27, $28)",
   "describe": {
     "columns": [],
     "parameters": {
@@ -65,10 +65,11 @@
         "Bool",
         "Bool",
         "Int4",
-        "Varchar"
+        "Varchar",
+        "Bool"
       ]
     },
     "nullable": []
   },
-  "hash": "260feb784bb0b223bd9276d6a82bd26be90efb17a4323b9673e93ff88513942a"
+  "hash": "020d33ed5d47350b456783fd548422ea8dcf2d786d0e9fa849754db82c9fa378"
 }

backend/.sqlx/query-0c349ac832cbf055fce755c8e2081eacf2b836b0396ec48a6cc2405fb7aa76de.json

@@ -0,0 +1,14 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE queue SET suspend = suspend - 1 WHERE id = $1 AND suspend > 0",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Uuid"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "0c349ac832cbf055fce755c8e2081eacf2b836b0396ec48a6cc2405fb7aa76de"
+}

backend/.sqlx/query-1289e7278d2a289bfaa53f00e0b6dceb195df0fb43a8ac03bc8b35939fc941dd.json

@@ -27,11 +27,6 @@
         "ordinal": 4,
         "name": "premium",
         "type_info": "Bool"
-      },
-      {
-        "ordinal": 5,
-        "name": "is_overquota",
-        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -45,7 +40,6 @@
       false,
       false,
       false,
-      false,
       false
     ]
   },

backend/.sqlx/query-12a0fd7d8d99fb73b01bc24774fe9a8da57b5204bb6b1207aed47143c17a20bc.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT COUNT(id) FROM queue WHERE running = true AND workspace_id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "count",
+        "type_info": "Int8"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "12a0fd7d8d99fb73b01bc24774fe9a8da57b5204bb6b1207aed47143c17a20bc"
+}

backend/.sqlx/query-26e4ec75366d1e46a98710f29066b40e66a802f98eeabbb3ae5bebe3aeb6b3f8.json

@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM folder WHERE name = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "26e4ec75366d1e46a98710f29066b40e66a802f98eeabbb3ae5bebe3aeb6b3f8"
-}

backend/.sqlx/query-2e9b3e718440f3c5269e9217a13076c565f3add98b6768b5476bd3afed11ea31.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO usage (id, is_workspace, month_, usage)\n                    VALUES ($1, FALSE, EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date), 1)\n                    ON CONFLICT (id, is_workspace, month_) DO UPDATE SET usage = usage.usage + 1 \n                    RETURNING usage.usage",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "usage",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Varchar"
+      ]
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "2e9b3e718440f3c5269e9217a13076c565f3add98b6768b5476bd3afed11ea31"
+}

backend/.sqlx/query-35e6af0b203e3e4fac9020b037a3c41af92537c0fd5683227767f6a1bd17339f.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO flow (workspace_id, path, summary, description, value, edited_by, edited_at, schema, dependency_job, draft_only, tag, dedicated_worker) VALUES ($1, $2, $3, $4, $5, $6, now(), $7::text::json, NULL, $8, $9, $10)",
+  "query": "INSERT INTO flow (workspace_id, path, summary, description, value, edited_by, edited_at, schema, dependency_job, draft_only, tag, dedicated_worker, visible_to_runner_only) VALUES ($1, $2, $3, $4, $5, $6, now(), $7::text::json, NULL, $8, $9, $10, $11)",
   "describe": {
     "columns": [],
     "parameters": {
@@ -14,10 +14,11 @@
         "Text",
         "Bool",
         "Varchar",
+        "Bool",
         "Bool"
       ]
     },
     "nullable": []
   },
-  "hash": "c3da506f47dfb42434debf6e005319147c7513193e853c38cfb7c071d61a3d2e"
+  "hash": "35e6af0b203e3e4fac9020b037a3c41af92537c0fd5683227767f6a1bd17339f"
 }

backend/.sqlx/query-3901cce744c9b246b661c817e068bdb3b1ab504ff8070fcccf6c909ad75f1f6d.json

@@ -1,11 +1,16 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT COALESCE((SELECT MIN(started_at) as min_started_at\n            FROM queue\n            WHERE script_path = $1 AND job_kind != 'dependencies'  AND running = true AND workspace_id = $2 AND canceled = false\n            GROUP BY script_path), $3)",
+  "query": "SELECT COALESCE((SELECT MIN(started_at) as min_started_at\n            FROM queue\n            WHERE script_path = $1 AND job_kind != 'dependencies'  AND running = true AND workspace_id = $2 AND canceled = false\n            GROUP BY script_path), $3) as min_started_at, now() AS now",
   "describe": {
     "columns": [
       {
         "ordinal": 0,
-        "name": "coalesce",
+        "name": "min_started_at",
+        "type_info": "Timestamptz"
+      },
+      {
+        "ordinal": 1,
+        "name": "now",
         "type_info": "Timestamptz"
       }
     ],
@@ -17,8 +22,9 @@
       ]
     },
     "nullable": [
+      null,
       null
     ]
   },
-  "hash": "abc7c72dfe9b01cde6f5b206300ed33e3d15b16bce2510160166a66fb7598e61"
+  "hash": "3901cce744c9b246b661c817e068bdb3b1ab504ff8070fcccf6c909ad75f1f6d"
 }

backend/.sqlx/query-43b376a2eff086a32cd76e54361ce3631feee1565935d2a6ddbecc17950758d1.json

@@ -0,0 +1,17 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO workspace_settings\n                 (workspace_id, slack_team_id, slack_name, slack_email)\n                 VALUES ($1, $2, $3, $4) ON CONFLICT (workspace_id) DO UPDATE SET slack_team_id = $2, slack_name = $3, slack_email = $4",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "Varchar",
+        "Varchar"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "43b376a2eff086a32cd76e54361ce3631feee1565935d2a6ddbecc17950758d1"
+}

backend/.sqlx/query-4613382f7b031a2b667f86d9af995065a99a63c407fd58aa293fb269e032121d.json

@@ -0,0 +1,23 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT 1 FROM schedule WHERE path = $1 AND workspace_id = $2",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "?column?",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "4613382f7b031a2b667f86d9af995065a99a63c407fd58aa293fb269e032121d"
+}

backend/.sqlx/query-489a62b5943a7a21ce487aa7b72a63dfc6300dd93bc29f5ec4cb1bfc471ad0bf.json

@@ -0,0 +1,18 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO resource\n             (workspace_id, path, value, description, resource_type)\n             VALUES ($1, $2, $3, $4, $5) ON CONFLICT (workspace_id, path) DO UPDATE SET value = $3",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "Jsonb",
+        "Text",
+        "Varchar"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "489a62b5943a7a21ce487aa7b72a63dfc6300dd93bc29f5ec4cb1bfc471ad0bf"
+}

backend/.sqlx/query-52c8b4350235bdaab4df79e517d5e42a61a4e1e209d120b2c8bb31ebb7ce1e56.json

@@ -1,20 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO variable\n            (workspace_id, path, value, is_secret, description, account, is_oauth)\n            VALUES ($1, $2, $3, $4, $5, $6, $7)\n            ON CONFLICT (workspace_id, path) DO UPDATE SET value = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Bool",
-        "Varchar",
-        "Int4",
-        "Bool"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "52c8b4350235bdaab4df79e517d5e42a61a4e1e209d120b2c8bb31ebb7ce1e56"
-}

backend/.sqlx/query-55a2f170823f1d1abce76287d8817a6cf34de92b9b4079c00b75423a9ff835b9.json

@@ -0,0 +1,20 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO variable\n             (workspace_id, path, value, is_secret, description, account, is_oauth)\n             VALUES ($1, $2, $3, $4, $5, $6, $7)\n             ON CONFLICT (workspace_id, path) DO UPDATE SET value = $3",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "Varchar",
+        "Bool",
+        "Varchar",
+        "Int4",
+        "Bool"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "55a2f170823f1d1abce76287d8817a6cf34de92b9b4079c00b75423a9ff835b9"
+}

backend/.sqlx/query-55cb03040bc2a8c53dd7fbb42bbdcc40f463cbc52d94ed9315cf9a547d4c89f2.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT * FROM workspace_settings WHERE slack_team_id = $1",
+  "query": "SELECT * FROM workspace_settings WHERE slack_team_id = $1 AND slack_command_script IS NOT NULL",
   "describe": {
     "columns": [
       {
@@ -144,5 +144,5 @@
       true
     ]
   },
-  "hash": "5445083864b2b092b012e894bff7630a1d7b9deb8d33e9f909061f351f96844e"
+  "hash": "55cb03040bc2a8c53dd7fbb42bbdcc40f463cbc52d94ed9315cf9a547d4c89f2"
 }

backend/.sqlx/query-61e9662fe42506131222412ab3de48cf6485dea10aa3a2f97c0fd6322a0cb17f.json

@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "DELETE FROM schedule WHERE path = $1 AND workspace_id = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "61e9662fe42506131222412ab3de48cf6485dea10aa3a2f97c0fd6322a0cb17f"
-}

backend/.sqlx/query-621e9a2a53187dac3ebed62f0d645b692815f1594bf302dbebd5f80d5d22b98e.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO usage (id, is_workspace, month_, usage) \n                    VALUES ($1, $2, EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date), 0) \n                    ON CONFLICT (id, is_workspace, month_) DO UPDATE SET usage = usage.usage + 1 \n                    RETURNING usage.usage",
+  "query": "INSERT INTO usage (id, is_workspace, month_, usage)\n                    VALUES ($1, TRUE, EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date), 1)\n                    ON CONFLICT (id, is_workspace, month_) DO UPDATE SET usage = usage.usage + 1 \n                    RETURNING usage.usage",
   "describe": {
     "columns": [
       {
@@ -11,13 +11,12 @@
     ],
     "parameters": {
       "Left": [
-        "Varchar",
-        "Bool"
+        "Varchar"
       ]
     },
     "nullable": [
       false
     ]
   },
-  "hash": "bd086c56ad3a58163619122641b93b941ef75880eeeab0756d40f68f87760d5b"
+  "hash": "621e9a2a53187dac3ebed62f0d645b692815f1594bf302dbebd5f80d5d22b98e"
 }

backend/.sqlx/query-6e816fdba0d281d5147ddc5d4d438a3209b811324dba4ac661938e0523210682.json

@@ -1,28 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT premium, is_overquota FROM workspace WHERE id = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "premium",
-        "type_info": "Bool"
-      },
-      {
-        "ordinal": 1,
-        "name": "is_overquota",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      false,
-      false
-    ]
-  },
-  "hash": "6e816fdba0d281d5147ddc5d4d438a3209b811324dba4ac661938e0523210682"
-}

backend/.sqlx/query-73ca6ea13b362b2569ea115d28e4e255cd5e9b990ffa89998ef24871d3a9717c.json

@@ -0,0 +1,14 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE workspace_settings\n             SET slack_team_id = null, slack_name = null WHERE workspace_id = $1",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "73ca6ea13b362b2569ea115d28e4e255cd5e9b990ffa89998ef24871d3a9717c"
+}

backend/.sqlx/query-748904c35cdbb6c7b8a8e0024b341278bf2bb727f2fe0427847565fb9c774abc.json

@@ -0,0 +1,23 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "DELETE FROM folder WHERE name = $1 AND workspace_id = $2 RETURNING 1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "?column?",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "748904c35cdbb6c7b8a8e0024b341278bf2bb727f2fe0427847565fb9c774abc"
+}

backend/.sqlx/query-82b16e771b6e21c4587b5ebf059e312f43b3e5a48f7599133831dbd65886f5d8.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n    SELECT usage.usage FROM usage \n    WHERE is_workspace = true \n    AND month_ = EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date)\n    AND id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "usage",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "82b16e771b6e21c4587b5ebf059e312f43b3e5a48f7599133831dbd65886f5d8"
+}

backend/.sqlx/query-8d4235984f27d8b939ffd5c660d5b57dc38dd3b2643361ed3b7cdcd1534d2e21.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "DELETE FROM queue WHERE schedule_path = $1 AND running = false AND workspace_id = $2",
+  "query": "DELETE FROM queue WHERE schedule_path = $1 AND running = false AND workspace_id = $2 AND is_flow_step = false",
   "describe": {
     "columns": [],
     "parameters": {
@@ -11,5 +11,5 @@
     },
     "nullable": []
   },
-  "hash": "ade89de6e8527c543b182229f1febeb2513ad58b03ab526df148582264fb3a44"
+  "hash": "8d4235984f27d8b939ffd5c660d5b57dc38dd3b2643361ed3b7cdcd1534d2e21"
 }

backend/.sqlx/query-8f0031533f1bf407bd5d8af4d364eaf00d4c38ee7ba75141b40fc9fcd2ffc0b8.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO workspace SELECT $1, $2, owner, deleted, premium, is_overquota FROM workspace WHERE id = $3",
+  "query": "INSERT INTO workspace SELECT $1, $2, owner, deleted, premium FROM workspace WHERE id = $3",
   "describe": {
     "columns": [],
     "parameters": {
@@ -12,5 +12,5 @@
     },
     "nullable": []
   },
-  "hash": "6d89ac43c4ae3a17167a44c802df72bc506803b79fe93ab3b203fb0690b1bef1"
+  "hash": "8f0031533f1bf407bd5d8af4d364eaf00d4c38ee7ba75141b40fc9fcd2ffc0b8"
 }

backend/.sqlx/query-94ff696b4d3904e3823ef637fa8f1f0d0bdac01040c81b31514326417eb58cee.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT usage.usage + 1 FROM usage \n                            WHERE is_workspace IS FALSE AND\n                            month_ = EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date)\n                            AND id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "?column?",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "94ff696b4d3904e3823ef637fa8f1f0d0bdac01040c81b31514326417eb58cee"
+}

backend/.sqlx/query-95ebdfaf0510b9cad861568cd25d479759d4ea3c3ff4e136aad13a3521525372.json

@@ -1,18 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO folder\n                (workspace_id, name, display_name, owners, extra_perms)\n                VALUES ($1, $2, $3, $4, $5) ON CONFLICT DO NOTHING",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "VarcharArray",
-        "Jsonb"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "95ebdfaf0510b9cad861568cd25d479759d4ea3c3ff4e136aad13a3521525372"
-}

backend/.sqlx/query-a3ccf362b4f6df400b3c7a084795dbf541eb14c5c374656ffb96da7283a2a6f1.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT concurrency_key FROM script WHERE hash = $1",
+  "query": "SELECT concurrency_key FROM script WHERE hash = $1 AND workspace_id = $2",
   "describe": {
     "columns": [
       {
@@ -11,12 +11,13 @@
     ],
     "parameters": {
       "Left": [
-        "Int8"
+        "Int8",
+        "Text"
       ]
     },
     "nullable": [
       true
     ]
   },
-  "hash": "2719f910142b32476a16025bb9836b0cab019ba0a436b330ea3a53fba4725f73"
+  "hash": "a3ccf362b4f6df400b3c7a084795dbf541eb14c5c374656ffb96da7283a2a6f1"
 }

backend/.sqlx/query-a405e637f5f3b3203de6d65dfcb0ba1be406ee5167f7b8aa90213ef52c97441f.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT usage.usage + 1 FROM usage \n                        WHERE is_workspace IS TRUE AND\n                        month_ = EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date)\n                        AND id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "?column?",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "a405e637f5f3b3203de6d65dfcb0ba1be406ee5167f7b8aa90213ef52c97441f"
+}

backend/.sqlx/query-a4ae245dcf7e4b930cd45701db0b7c45f2a5797e8b6724bade5b964d4334c098.json

@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE queue SET suspend = suspend - 1 WHERE parent_job = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Uuid"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "a4ae245dcf7e4b930cd45701db0b7c45f2a5797e8b6724bade5b964d4334c098"
-}

backend/.sqlx/query-a875cb56485b812e9d4739afd0915067f7e5abe0ca0adf264b792fccf21e005b.json

@@ -0,0 +1,23 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT value->>'concurrency_key' FROM flow WHERE path = $1 AND workspace_id = $2",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "?column?",
+        "type_info": "Text"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "a875cb56485b812e9d4739afd0915067f7e5abe0ca0adf264b792fccf21e005b"
+}

backend/.sqlx/query-ae2f005af8ab4b035a907e0c8fc9a9d035f3eb1d9d833041969fce967daa91a4.json

@@ -0,0 +1,23 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT raw_flow->'modules'->$2::int->'retry' FROM queue WHERE id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "?column?",
+        "type_info": "Jsonb"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid",
+        "Int4"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "ae2f005af8ab4b035a907e0c8fc9a9d035f3eb1d9d833041969fce967daa91a4"
+}

backend/.sqlx/query-b8d97d300ffe6fae99f2396ae07cef03903752d17ce3fdadca47d86da75139aa.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT id FROM queue WHERE parent_job = $1 AND suspend > 0 ORDER by suspend",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id",
+        "type_info": "Uuid"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Uuid"
+      ]
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "b8d97d300ffe6fae99f2396ae07cef03903752d17ce3fdadca47d86da75139aa"
+}

backend/.sqlx/query-bf1d8e043338867e1da1ed236ff6c85a566d5fd58d4b0d5c3a10454513811ba3.json

@@ -1,14 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE workspace_settings\n            SET slack_team_id = null, slack_name = null WHERE workspace_id = $1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "bf1d8e043338867e1da1ed236ff6c85a566d5fd58d4b0d5c3a10454513811ba3"
-}

backend/.sqlx/query-ca3ba808e020c8c7a35eaef842b20cfeee64fd47ded72fce55cc75e0bbb291a8.json

@@ -0,0 +1,15 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO usage (id, is_workspace, month_, usage) \n                VALUES ($1, TRUE, EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date), $2) \n                ON CONFLICT (id, is_workspace, month_) DO UPDATE SET usage = usage.usage + $2",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Int4"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "ca3ba808e020c8c7a35eaef842b20cfeee64fd47ded72fce55cc75e0bbb291a8"
+}

backend/.sqlx/query-caeb49629b8673c1f1c84a6e40c3e2d2c3bc3fdbde530a0a6b6fd68a22b867c3.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE queue SET canceled = true,  canceled_by = $2, scheduled_for = now(), suspend = 0 WHERE scheduled_for < now() AND workspace_id = $1 AND schedule_path IS NULL RETURNING id, running, is_flow_step",
+  "query": "SELECT id, running, is_flow_step FROM queue WHERE scheduled_for < now() AND workspace_id = $1 AND schedule_path IS NULL",
   "describe": {
     "columns": [
       {
@@ -21,8 +21,7 @@
     ],
     "parameters": {
       "Left": [
-        "Text",
-        "Varchar"
+        "Text"
       ]
     },
     "nullable": [
@@ -31,5 +30,5 @@
       true
     ]
   },
-  "hash": "18699cb0eca25b6bde05d81571dfdea8cafd0043634f61b0f652a93767c9c30a"
+  "hash": "caeb49629b8673c1f1c84a6e40c3e2d2c3bc3fdbde530a0a6b6fd68a22b867c3"
 }

backend/.sqlx/query-d1ded8b38e50eb01fa5e5e122dae48ec21856a0041f4aeb244349ab7648d306f.json

@@ -0,0 +1,23 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "DELETE FROM schedule WHERE path = $1 AND workspace_id = $2 RETURNING 1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "?column?",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "d1ded8b38e50eb01fa5e5e122dae48ec21856a0041f4aeb244349ab7648d306f"
+}

backend/.sqlx/query-d4fb94ee8198592c24e85d29078feb5220ab367e339510ee0e83bb7b5abfd184.json

@@ -0,0 +1,23 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE queue SET canceled = true,  canceled_by = $1, scheduled_for = now(), suspend = 0 WHERE id = $2 RETURNING 1 as one",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "one",
+        "type_info": "Int4"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Uuid"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "d4fb94ee8198592c24e85d29078feb5220ab367e339510ee0e83bb7b5abfd184"
+}

backend/.sqlx/query-d5a8614286c170e0d175903cd1b53ff66b37ed8110a0b67aedb9f25e6a7383e1.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO completed_job AS cj\n                   ( workspace_id\n                   , id\n                   , parent_job\n                   , created_by\n                   , created_at\n                   , started_at\n                   , duration_ms\n                   , success\n                   , script_hash\n                   , script_path\n                   , args\n                   , result\n                   , raw_code\n                   , raw_lock\n                   , canceled\n                   , canceled_by\n                   , canceled_reason\n                   , job_kind\n                   , schedule_path\n                   , permissioned_as\n                   , flow_status\n                   , raw_flow\n                   , is_flow_step\n                   , is_skipped\n                   , language\n                   , email\n                   , visible_to_owner\n                   , mem_peak\n                   , tag\n                   , priority\n                )\n            VALUES ($1, $2, $3, $4, $5, COALESCE($6, now()), COALESCE($25, (EXTRACT('epoch' FROM (now())) - EXTRACT('epoch' FROM (COALESCE($6, now()))))*1000), $7, $8, $9,$10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $26, $27, $28, $29, $30)\n         ON CONFLICT (id) DO UPDATE SET success = $7, result = $11 RETURNING duration_ms",
+  "query": "INSERT INTO completed_job AS cj\n                   ( workspace_id\n                   , id\n                   , parent_job\n                   , created_by\n                   , created_at\n                   , started_at\n                   , duration_ms\n                   , success\n                   , script_hash\n                   , script_path\n                   , args\n                   , result\n                   , raw_code\n                   , raw_lock\n                   , canceled\n                   , canceled_by\n                   , canceled_reason\n                   , job_kind\n                   , schedule_path\n                   , permissioned_as\n                   , flow_status\n                   , raw_flow\n                   , is_flow_step\n                   , is_skipped\n                   , language\n                   , email\n                   , visible_to_owner\n                   , mem_peak\n                   , tag\n                   , priority\n                )\n            VALUES ($1, $2, $3, $4, $5, COALESCE($6, now()), (EXTRACT('epoch' FROM (now())) - EXTRACT('epoch' FROM (COALESCE($6, now()))))*1000, $7, $8, $9,$10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25, $26, $27, $28, $29)\n         ON CONFLICT (id) DO UPDATE SET success = $7, result = $11 RETURNING duration_ms",
   "describe": {
     "columns": [
       {
@@ -79,7 +79,6 @@
             }
           }
         },
-        "Numeric",
         "Varchar",
         "Bool",
         "Int4",
@@ -91,5 +90,5 @@
       false
     ]
   },
-  "hash": "2ade671449393541fa565088b21268dad137314d250f7ded502defb9a6de0b2f"
+  "hash": "d5a8614286c170e0d175903cd1b53ff66b37ed8110a0b67aedb9f25e6a7383e1"
 }

backend/.sqlx/query-d918e1d3a1ccc36ca8b4b25aeeec1cb55aadaf1e6609a1aad09b0515c93a667a.json

@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n        SELECT usage.usage + 1 FROM usage \n        WHERE is_workspace = false AND\n     month_ = EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date)\n     AND id = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "?column?",
-        "type_info": "Int4"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Text"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "d918e1d3a1ccc36ca8b4b25aeeec1cb55aadaf1e6609a1aad09b0515c93a667a"
-}

backend/.sqlx/query-e38240e6d50bfe60e1c2b649588eb41dcef121ed161db04b2568ac2d990aed7c.json

@@ -0,0 +1,15 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO usage (id, is_workspace, month_, usage) \n                VALUES ($1, FALSE, EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date), $2) \n                ON CONFLICT (id, is_workspace, month_) DO UPDATE SET usage = usage.usage + $2",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Int4"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "e38240e6d50bfe60e1c2b649588eb41dcef121ed161db04b2568ac2d990aed7c"
+}

backend/.sqlx/query-e7418515b88d14d1fd79078342963e11422eed9a60e0472c68971f4e8f8735d9.json

@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO usage (id, is_workspace, month_, usage) \n                VALUES ($1, $2, EXTRACT(YEAR FROM current_date) * 12 + EXTRACT(MONTH FROM current_date), 0) \n                ON CONFLICT (id, is_workspace, month_) DO UPDATE SET usage = usage.usage + $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Bool",
-        "Int4"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "e7418515b88d14d1fd79078342963e11422eed9a60e0472c68971f4e8f8735d9"
-}

backend/.sqlx/query-e7a1c2b5d79e72f557181782419a9d8d1a502796842f185374d2d0f69043086b.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT COUNT(id) FROM queue WHERE workspace_id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "count",
+        "type_info": "Int8"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "e7a1c2b5d79e72f557181782419a9d8d1a502796842f185374d2d0f69043086b"
+}

backend/.sqlx/query-ea8ebb8d972fe99c960b5a69f794ee2b57bfb1914bf370c5b10313e45fa9b65f.json

@@ -1,18 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO resource\n            (workspace_id, path, value, description, resource_type)\n            VALUES ($1, $2, $3, $4, $5) ON CONFLICT (workspace_id, path) DO UPDATE SET value = $3",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Jsonb",
-        "Text",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "ea8ebb8d972fe99c960b5a69f794ee2b57bfb1914bf370c5b10313e45fa9b65f"
-}

backend/.sqlx/query-eaa6e9dc4c0d3d6cc8152515019befa880bb3b69ff340d337edd14b65e74e2a3.json

@@ -1,17 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "INSERT INTO workspace_settings\n                (workspace_id, slack_team_id, slack_name, slack_email)\n                VALUES ($1, $2, $3, $4) ON CONFLICT (workspace_id) DO UPDATE SET slack_team_id = $2, slack_name = $3, slack_email = $4",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Varchar",
-        "Varchar",
-        "Varchar",
-        "Varchar"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "eaa6e9dc4c0d3d6cc8152515019befa880bb3b69ff340d337edd14b65e74e2a3"
-}

backend/.sqlx/query-f2aee3ae39c90e40dd1835befc339e5381cc9104933cf8e90d840a9bf638ff52.json

@@ -0,0 +1,18 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO folder\n                 (workspace_id, name, display_name, owners, extra_perms)\n                 VALUES ($1, $2, $3, $4, $5) ON CONFLICT DO NOTHING",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Varchar",
+        "Varchar",
+        "Varchar",
+        "VarcharArray",
+        "Jsonb"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "f2aee3ae39c90e40dd1835befc339e5381cc9104933cf8e90d840a9bf638ff52"
+}

backend/.sqlx/query-f516ca558816c2cbab3c8ae865ef8f764aa4686e7df9c53d30d49a3dbbf36af4.json

@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT SUM(duration_ms) as duration FROM completed_job WHERE id = ANY($1)",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "duration",
-        "type_info": "Numeric"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "UuidArray"
-      ]
-    },
-    "nullable": [
-      null
-    ]
-  },
-  "hash": "f516ca558816c2cbab3c8ae865ef8f764aa4686e7df9c53d30d49a3dbbf36af4"
-}

backend/.sqlx/query-f632ca2e17a3952fc45bd40a055a9442c35453dff95140d2f252c4fe6a14c6a4.json

@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n                SELECT EXISTS (SELECT 1 \n                FROM workspace_settings \n                WHERE workspace_id <> $1 \n                    AND slack_command_script IS NOT NULL\n                    AND slack_team_id IS NOT NULL \n                    AND slack_team_id = (SELECT slack_team_id FROM workspace_settings WHERE workspace_id = $1))\n            ",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "exists",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "f632ca2e17a3952fc45bd40a055a9442c35453dff95140d2f252c4fe6a14c6a4"
+}

backend/.sqlx/query-f6fd65fbe36502923ab4ccf1a22f748cb854e23049d0cf73a42229eccc88c4e6.json

@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE flow SET path = $1, summary = $2, description = $3, value = $4, edited_by = $5, edited_at = now(), schema = $6::text::json, dependency_job = NULL, draft_only = NULL, tag = $9, dedicated_worker = $10\n        WHERE path = $7 AND workspace_id = $8",
+  "query": "UPDATE flow SET path = $1, summary = $2, description = $3, value = $4, edited_by = $5, edited_at = now(), schema = $6::text::json, dependency_job = NULL, draft_only = NULL, tag = $9, dedicated_worker = $10, visible_to_runner_only = $11\n        WHERE path = $7 AND workspace_id = $8",
   "describe": {
     "columns": [],
     "parameters": {
@@ -14,10 +14,11 @@
         "Text",
         "Text",
         "Varchar",
+        "Bool",
         "Bool"
       ]
     },
     "nullable": []
   },
-  "hash": "de06474de29c6c2cadb99787f5d627678a5285011d7b1a516d4e240a5810ddba"
+  "hash": "f6fd65fbe36502923ab4ccf1a22f748cb854e23049d0cf73a42229eccc88c4e6"
 }

backend/.sqlx/query-f7f2598ac824e9b5719b96b1d1873ad728f7f786c7f447df6cac3e65d5a53bf1.json

@@ -27,11 +27,6 @@
         "ordinal": 4,
         "name": "premium",
         "type_info": "Bool"
-      },
-      {
-        "ordinal": 5,
-        "name": "is_overquota",
-        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -44,7 +39,6 @@
       false,
       false,
       false,
-      false,
       false
     ]
   },

backend/.sqlx/query-fa59674af1d1a4ceb696fc883005ef114772f7d2ee0f60cb1358cdb7f0b5cd0c.json

@@ -0,0 +1,23 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n             SELECT EXISTS (SELECT 1 \n             FROM workspace_settings \n             WHERE workspace_id <> $1 \n                 AND slack_command_script IS NOT NULL\n                 AND slack_team_id = $2\n                 AND (SELECT slack_command_script IS NOT NULL FROM workspace_settings WHERE workspace_id = $1))\n         ",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "exists",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      null
+    ]
+  },
+  "hash": "fa59674af1d1a4ceb696fc883005ef114772f7d2ee0f60cb1358cdb7f0b5cd0c"
+}

backend/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "windmill"
-version = "1.296.1"
+version = "1.311.0"
 authors.workspace = true
 edition.workspace = true
 
@@ -20,10 +20,11 @@ members = [
     "./parsers/windmill-parser-bash",
     "./parsers/windmill-parser-py",
     "./parsers/windmill-parser-py-imports",
+    "./parsers/windmill-sql-datatype-parser-wasm",
 ]
 
 [workspace.package]
-version = "1.296.1"
+version = "1.311.0"
 authors = ["Ruben Fiszel <ruben@windmill.dev>"]
 edition = "2021"
 
@@ -143,7 +144,6 @@ urlencoding = "^2"
 url = "^2"
 async-oauth2 = "^0"
 reqwest = { version = "^0.12", features = ["json", "stream"] }
-reqwest_11 = { package = "reqwest", version = "0.11" }
 time = "0.3.16"
 serde_urlencoded = "^0"
 tokio-tar = "^0"

backend/ee-repo-ref.txt

@@ -1 +1 @@
-721b9298e35b831b390b7311b791a5b526dee923
+66d9cbb158ab9a5869a45ba253bf57f2cbb5ecb6

backend/migrations/20240326122255_add_visible_to_runner_only.down.sql

@@ -0,0 +1 @@
+-- Add down migration script here

backend/migrations/20240326122255_add_visible_to_runner_only.up.sql

@@ -0,0 +1,3 @@
+-- Add up migration script here
+ALTER TABLE script ADD COLUMN visible_to_runner_only BOOLEAN;
+ALTER TABLE flow ADD COLUMN visible_to_runner_only BOOLEAN;

backend/migrations/20240328145425_remove_overquota.down.sql

@@ -0,0 +1 @@
+-- Add down migration script here

backend/migrations/20240328145425_remove_overquota.up.sql

@@ -0,0 +1,2 @@
+-- Add up migration script here
+alter table workspace drop column is_overquota;

backend/migrations/20240331125020_webhooks_audits.down.sql

@@ -0,0 +1 @@
+-- Add down migration script here

backend/migrations/20240331125020_webhooks_audits.up.sql

@@ -0,0 +1,4 @@
+-- Add up migration script here
+CREATE POLICY "webhook" ON audit FOR INSERT
+TO windmill_user
+WITH CHECK (((username)::text ~~ 'webhook-%'::text))

backend/migrations/20240403083110_remove_team_id_constraint.down.sql

@@ -0,0 +1 @@
+-- Add down migration script here

backend/migrations/20240403083110_remove_team_id_constraint.up.sql

@@ -0,0 +1,2 @@
+-- Add up migration script here
+ALTER TABLE public.workspace_settings DROP CONSTRAINT workspace_settings_slack_team_id_key

backend/migrations/20240408134243_longer_approvers.down.sql

@@ -0,0 +1 @@
+-- Add down migration script here

backend/migrations/20240408134243_longer_approvers.up.sql

@@ -0,0 +1,2 @@
+-- Add up migration script here
+ALTER TABLE resume_job ALTER COLUMN approver TYPE VARCHAR(1000);

backend/migrations/20240409181630_add_concurrency_key_to_flow.down.sql

@@ -0,0 +1,2 @@
+-- Add down migration script here
+ALTER TABLE flow DROP COLUMN concurrency_key;

backend/migrations/20240409181630_add_concurrency_key_to_flow.up.sql

@@ -0,0 +1,2 @@
+-- Add up migration script here
+ALTER TABLE flow ADD COLUMN concurrency_key VARCHAR(255);

backend/migrations/20240415144144_tighten_delete_permissions.down.sql

@@ -0,0 +1 @@
+-- Add down migration script here

backend/migrations/20240415144144_tighten_delete_permissions.up.sql

@@ -0,0 +1,228 @@
+
+DO
+$do$
+  DECLARE
+    i text;
+    arr text[] := array['resource', 'script', 'variable', 'schedule', 'flow', 'app', 'raw_app'];
+  BEGIN
+  FOREACH i IN ARRAY arr
+  LOOP
+    EXECUTE FORMAT(
+      $$
+        DROP POLICY IF EXISTS see_folder_extra_perms_user ON %1$I;
+        DROP POLICY IF EXISTS see_folder_extra_perms_user_delete ON %1$I;
+        DROP POLICY IF EXISTS see_extra_perms_user ON %1$I;
+        DROP POLICY IF EXISTS see_member ON %1$I;
+        DROP POLICY IF EXISTS see_own ON %1$I;
+        DROP POLICY IF EXISTS see_extra_perms_user_delete ON %1$I;
+        DROP POLICY IF EXISTS see_extra_perms_groups ON %1$I;
+        DROP POLICY IF EXISTS see_extra_perms_groups_delete ON %1$I;
+
+        -- New policies for select, insert, update
+        DROP POLICY IF EXISTS see_folder_extra_perms_user_select ON %1$I;
+        DROP POLICY IF EXISTS see_folder_extra_perms_user_insert ON %1$I;
+        DROP POLICY IF EXISTS see_folder_extra_perms_user_update ON %1$I;
+
+        DROP POLICY IF EXISTS see_own ON %1$I;
+        DROP POLICY IF EXISTS see_member ON %1$I;
+
+        DROP POLICY IF EXISTS see_extra_perms_user_select ON %1$I;
+        DROP POLICY IF EXISTS see_extra_perms_user_insert ON %1$I;
+        DROP POLICY IF EXISTS see_extra_perms_user_update ON %1$I;
+
+        DROP POLICY IF EXISTS see_extra_perms_groups_select ON %1$I;
+        DROP POLICY IF EXISTS see_extra_perms_groups_insert ON %1$I;
+        DROP POLICY IF EXISTS see_extra_perms_groups_update ON %1$I;
+
+
+        -- Folder permissions split into select, insert, and update
+        CREATE POLICY see_folder_extra_perms_user_select ON %1$I FOR SELECT TO windmill_user
+        USING (SPLIT_PART(%1$I.path, '/', 1) = 'f' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.folders_read'), ',')::text[]));
+
+        CREATE POLICY see_folder_extra_perms_user_insert ON %1$I FOR INSERT TO windmill_user
+        WITH CHECK (SPLIT_PART(%1$I.path, '/', 1) = 'f' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.folders_write'), ',')::text[]));
+
+        CREATE POLICY see_folder_extra_perms_user_update ON %1$I FOR UPDATE TO windmill_user
+        USING (SPLIT_PART(%1$I.path, '/', 1) = 'f' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.folders_write'), ',')::text[]));
+
+        CREATE POLICY see_folder_extra_perms_user_delete ON %1$I FOR UPDATE TO windmill_user
+        USING (SPLIT_PART(%1$I.path, '/', 1) = 'f' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.folders_write'), ',')::text[]));
+
+        CREATE POLICY see_own ON %1$I FOR ALL TO windmill_user
+        USING (SPLIT_PART(%1$I.path, '/', 1) = 'u' AND SPLIT_PART(%1$I.path, '/', 2) = current_setting('session.user'));
+
+
+        CREATE POLICY see_member ON %1$I FOR ALL TO windmill_user
+        USING (SPLIT_PART(%1$I.path, '/', 1) = 'g' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.groups'), ',')::text[]));
+
+
+
+        CREATE POLICY see_extra_perms_user_select ON %1$I FOR SELECT TO windmill_user
+        USING (extra_perms ? CONCAT('u/', current_setting('session.user')));
+
+        CREATE POLICY see_extra_perms_user_insert ON %1$I FOR INSERT TO windmill_user
+        WITH CHECK ((extra_perms ->> CONCAT('u/', current_setting('session.user')))::boolean);
+
+        CREATE POLICY see_extra_perms_user_update ON %1$I FOR UPDATE TO windmill_user
+        USING ((extra_perms ->> CONCAT('u/', current_setting('session.user')))::boolean);
+
+        CREATE POLICY see_extra_perms_user_delete ON %1$I FOR DELETE TO windmill_user
+        USING ((extra_perms ->> CONCAT('u/', current_setting('session.user')))::boolean);
+
+
+
+
+        CREATE POLICY see_extra_perms_groups_select ON %1$I FOR SELECT TO windmill_user
+        USING (extra_perms ?| regexp_split_to_array(current_setting('session.pgroups'), ',')::text[]);
+
+        CREATE POLICY see_extra_perms_groups_insert ON %1$I FOR INSERT TO windmill_user
+        WITH CHECK (exists(
+            SELECT key, value FROM jsonb_each_text(extra_perms) 
+            WHERE SPLIT_PART(key, '/', 1) = 'g' AND key = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])
+            AND value::boolean));
+
+        CREATE POLICY see_extra_perms_groups_update ON %1$I FOR UPDATE TO windmill_user
+        USING (exists(
+            SELECT key, value FROM jsonb_each_text(extra_perms) 
+            WHERE SPLIT_PART(key, '/', 1) = 'g' AND key = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])
+            AND value::boolean));
+
+        CREATE POLICY see_extra_perms_groups_delete ON %1$I FOR DELETE  TO windmill_user
+        USING (exists(
+            SELECT key, value FROM jsonb_each_text(extra_perms) 
+            WHERE SPLIT_PART(key, '/', 1) = 'g' AND key = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])
+            AND value::boolean));
+
+      $$,
+      i
+    );
+  END LOOP;
+  END
+$do$;
+
+DROP POLICY IF EXISTS see_extra_perms_user ON folder;
+DROP POLICY IF EXISTS see_extra_perms_user_select ON folder;
+DROP POLICY IF EXISTS see_extra_perms_user_insert ON folder;
+DROP POLICY IF EXISTS see_extra_perms_user_update ON folder;
+DROP POLICY IF EXISTS see_extra_perms_user_delete ON folder;
+
+DROP POLICY IF EXISTS see_extra_perms_groups ON folder;
+DROP POLICY IF EXISTS see_extra_perms_groups_select ON folder;
+DROP POLICY IF EXISTS see_extra_perms_groups_insert ON folder;
+DROP POLICY IF EXISTS see_extra_perms_groups_update ON folder;
+DROP POLICY IF EXISTS see_extra_perms_groups_delete ON folder;
+
+
+-- Existing CREATE POLICY statements updated to reflect policy splitting for 'folder' table
+CREATE POLICY see_extra_perms_user_select ON folder FOR SELECT TO windmill_user
+USING (extra_perms ? CONCAT('u/', current_setting('session.user')) OR CONCAT('u/', current_setting('session.user')) = ANY(owners));
+
+CREATE POLICY see_extra_perms_user_insert ON folder FOR INSERT TO windmill_user
+WITH CHECK ((CONCAT('u/', current_setting('session.user')) = ANY(owners)));
+
+CREATE POLICY see_extra_perms_user_update ON folder FOR UPDATE TO windmill_user
+USING ((CONCAT('u/', current_setting('session.user')) = ANY(owners)));
+
+CREATE POLICY see_extra_perms_user_delete ON folder FOR DELETE TO windmill_user
+USING ((CONCAT('u/', current_setting('session.user')) = ANY(owners)));
+
+CREATE POLICY see_extra_perms_groups_select ON folder FOR SELECT TO windmill_user
+USING (extra_perms ?| regexp_split_to_array(current_setting('session.pgroups'), ',')::text[] OR EXISTS (
+    SELECT o FROM unnest(owners) AS o
+    WHERE o = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])));
+
+CREATE POLICY see_extra_perms_groups_insert ON folder FOR INSERT TO windmill_user
+WITH CHECK (EXISTS (
+    SELECT o FROM unnest(owners) AS o
+    WHERE o = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])));
+
+
+CREATE POLICY see_extra_perms_groups_update ON folder FOR UPDATE TO windmill_user
+USING (EXISTS (
+    SELECT o FROM unnest(owners) AS o
+    WHERE o = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])));
+
+
+CREATE POLICY see_extra_perms_groups_delete ON folder FOR DELETE TO windmill_user
+USING (EXISTS (
+    SELECT o FROM unnest(owners) AS o
+    WHERE o = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])));
+
+
+-- DO
+-- $do$
+--   DECLARE
+--     i text;
+--     arr text[] := array['resource', 'script', 'variable', 'schedule', 'flow', 'app', 'raw_app'];
+--   BEGIN
+--   FOREACH i IN ARRAY arr
+--   LOOP
+--     EXECUTE FORMAT(
+--       $$
+
+
+--         CREATE POLICY see_folder_extra_perms_user ON %1$I FOR ALL TO windmill_user
+--         USING (SPLIT_PART(%1$I.path, '/', 1) = 'f' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.folders_read'), ',')::text[]))
+--         WITH CHECK (SPLIT_PART(%1$I.path, '/', 1) = 'f' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.folders_write'), ',')::text[]));
+
+--         CREATE POLICY see_folder_extra_perms_user_delete ON %1$I AS RESTRICTIVE FOR DELETE TO windmill_user
+--         USING (SPLIT_PART(%1$I.path, '/', 1) = 'f' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.folders_write'), ',')::text[]));
+
+--         CREATE POLICY see_own ON %1$I FOR ALL TO windmill_user
+--         USING (SPLIT_PART(%1$I.path, '/', 1) = 'u' AND SPLIT_PART(%1$I.path, '/', 2) = current_setting('session.user'));
+
+--         CREATE POLICY see_member ON %1$I FOR ALL TO windmill_user
+--         USING (SPLIT_PART(%1$I.path, '/', 1) = 'g' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.groups'), ',')::text[]));
+
+
+--         CREATE POLICY see_extra_perms_user ON %1$I FOR ALL TO windmill_user
+--         USING (extra_perms ? CONCAT('u/', current_setting('session.user')))
+--         WITH CHECK ((extra_perms ->> CONCAT('u/', current_setting('session.user')))::boolean);
+
+--         CREATE POLICY see_extra_perms_user_delete ON %1$I FOR DELETE TO windmill_user
+--         USING ((extra_perms ->> CONCAT('u/', current_setting('session.user')))::boolean);
+
+--         CREATE POLICY see_extra_perms_groups ON %1$I FOR ALL TO windmill_user
+--         USING (extra_perms ?| regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])
+--         WITH CHECK (exists(
+--             SELECT key, value FROM jsonb_each_text(extra_perms) 
+--             WHERE SPLIT_PART(key, '/', 1) = 'g' AND key = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])
+--             AND value::boolean));
+
+--         CREATE POLICY see_extra_perms_groups_delete ON %1$I FOR DELETE  TO windmill_user
+--         USING (exists(
+--             SELECT key, value FROM jsonb_each_text(extra_perms) 
+--             WHERE SPLIT_PART(key, '/', 1) = 'g' AND key = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])
+--             AND value::boolean));
+--       $$,
+--       i
+--     );
+--   END LOOP;
+--   END
+-- $do$;
+
+
+-- DROP POLICY see_extra_perms_user ON folder;
+-- DROP POLICY see_extra_perms_groups ON folder;
+
+-- CREATE POLICY see_extra_perms_user ON folder FOR ALL to windmill_user
+-- USING (extra_perms ? CONCAT('u/', current_setting('session.user')) or (CONCAT('u/', current_setting('session.user')) = ANY(owners)))
+-- WITH CHECK ((CONCAT('u/', current_setting('session.user')) = ANY(owners)));
+
+-- DROP POLICY IF EXISTS see_extra_perms_user_delete ON folder;
+-- CREATE POLICY see_extra_perms_user_delete ON folder AS RESTRICTIVE FOR DELETE to windmill_user
+-- USING ((CONCAT('u/', current_setting('session.user')) = ANY(owners)));
+
+-- CREATE POLICY see_extra_perms_groups ON folder FOR ALL to windmill_user
+-- USING (extra_perms ?| regexp_split_to_array(current_setting('session.pgroups'), ',')::text[] or (exists(
+--     SELECT o FROM unnest(owners) as o
+--     WHERE o = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[]))))
+-- WITH CHECK (exists(
+--     SELECT o FROM unnest(owners) as o
+--     WHERE o = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])));
+
+-- DROP POLICY IF EXISTS see_extra_perms_groups_delete ON folder;
+-- CREATE POLICY see_extra_perms_groups_delete ON folder AS RESTRICTIVE FOR DELETE to windmill_user
+-- USING (exists(
+--     SELECT o FROM unnest(owners) as o
+--     WHERE o = ANY(regexp_split_to_array(current_setting('session.pgroups'), ',')::text[])));

backend/migrations/20240416175148_tighten_delete_perms2.down.sql

@@ -0,0 +1 @@
+-- Add down migration script here

backend/migrations/20240416175148_tighten_delete_perms2.up.sql

@@ -0,0 +1,22 @@
+
+DO
+$do$
+  DECLARE
+    i text;
+    arr text[] := array['resource', 'script', 'variable', 'schedule', 'flow', 'app', 'raw_app'];
+  BEGIN
+  FOREACH i IN ARRAY arr
+  LOOP
+    EXECUTE FORMAT(
+      $$
+        DROP POLICY IF EXISTS see_folder_extra_perms_user_delete ON %1$I;
+
+        CREATE POLICY see_folder_extra_perms_user_delete ON %1$I FOR DELETE TO windmill_user
+        USING (SPLIT_PART(%1$I.path, '/', 1) = 'f' AND SPLIT_PART(%1$I.path, '/', 2) = any(regexp_split_to_array(current_setting('session.folders_write'), ',')::text[]));
+
+      $$,
+      i
+    );
+  END LOOP;
+  END
+$do$;-- Add up migration script here

backend/oauth_connect.json

@@ -141,5 +141,16 @@
     "scopes": [
       "com.intuit.quickbooks.accounting"
     ]
+  },
+  "visma": {
+    "auth_url": "https://connect.visma.com/connect/authorize",
+    "token_url": "https://connect.visma.com/connect/token",
+    "scopes": [
+      "offline_access",
+      "vismanet_erp_interactive_api:create",
+      "vismanet_erp_interactive_api:delete",
+      "vismanet_erp_interactive_api:read",
+      "vismanet_erp_interactive_api:update"
+    ]
   }
 }

backend/parsers/windmill-parser-py-imports/src/lib.rs

@@ -50,6 +50,7 @@ static PYTHON_IMPORTS_REPLACEMENT: phf::Map<&'static str, &'static str> = phf_ma
     "mysql" => "mysql-connector-python",
     "tenable" => "pytenable",
     "ns1" => "ns1-python",
+    "pymsql" => "PyMySQL",
 };
 
 fn replace_import(x: String) -> String {

backend/parsers/windmill-parser-sql/src/lib.rs

@@ -5,7 +5,7 @@ use regex::Regex;
 use serde_json::json;
 
 use std::collections::HashMap;
-use windmill_parser::{Arg, MainArgSignature, Typ};
+pub use windmill_parser::{Arg, MainArgSignature, Typ};
 
 pub fn parse_mysql_sig(code: &str) -> anyhow::Result<MainArgSignature> {
     let parsed = parse_mysql_file(&code)?;

backend/parsers/windmill-sql-datatype-parser-wasm/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "windmill-sql-datatype-parser-wasm"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+
+
+[lib]
+crate-type = ["cdylib"]
+name = "windmill_sql_datatype_parser_wasm"
+path = "./src/lib.rs"
+
+[dev-dependencies]
+wasm-bindgen-test.workspace = true
+
+[dependencies]
+windmill-parser.workspace = true
+windmill-parser-sql.workspace = true
+wasm-bindgen.workspace = true
+serde = { version = "1.0", features = ["derive"] }

backend/parsers/windmill-sql-datatype-parser-wasm/build.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -eou pipefail
+
+deno task wasmbuild --out ../../../cli/wasm/

backend/parsers/windmill-sql-datatype-parser-wasm/package-lock.json

@@ -0,0 +1,6 @@
+{
+  "name": "windmill-parser-wasm",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {}
+}

backend/parsers/windmill-sql-datatype-parser-wasm/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "windmill-sql-datatype-parser-wasm",
+  "version": "0.1.0"
+}

backend/parsers/windmill-sql-datatype-parser-wasm/src/lib.rs

@@ -0,0 +1,40 @@
+use wasm_bindgen::prelude::*;
+use windmill_parser_sql::Typ;
+
+fn to_str(typ: Typ) -> String {
+    match typ {
+        Typ::Str(_) => "str".to_string(),
+        Typ::Int => "int".to_string(),
+        Typ::Float => "float".to_string(),
+        Typ::Bool => "bool".to_string(),
+        Typ::List(t) => format!("list-{}", to_str(*t)),
+        Typ::Bytes => "bytes".to_string(),
+        Typ::Datetime => "datetime".to_string(),
+        _ => "unknown".to_string(),
+    }
+}
+
+#[wasm_bindgen]
+pub fn parse_sql(typ: &str) -> String {
+    to_str(windmill_parser_sql::parse_pg_typ(typ))
+}
+
+#[wasm_bindgen]
+pub fn parse_mysql(typ: &str) -> String {
+    to_str(windmill_parser_sql::parse_mysql_typ(typ))
+}
+
+#[wasm_bindgen]
+pub fn parse_bigquery(typ: &str) -> String {
+    to_str(windmill_parser_sql::parse_bigquery_typ(typ))
+}
+
+#[wasm_bindgen]
+pub fn parse_snowflake(typ: &str) -> String {
+    to_str(windmill_parser_sql::parse_snowflake_typ(typ))
+}
+
+#[wasm_bindgen]
+pub fn parse_mssql(typ: &str) -> String {
+    to_str(windmill_parser_sql::parse_mssql_typ(typ))
+}

backend/src/main.rs

@@ -19,8 +19,8 @@ use windmill_api::HTTP_CLIENT;
 use windmill_common::{
     global_settings::{
         BASE_URL_SETTING, BUNFIG_INSTALL_SCOPES_SETTING, CUSTOM_TAGS_SETTING,
-        DEFAULT_TAGS_PER_WORKSPACE_SETTING, DISABLE_STATS_SETTING, ENV_SETTINGS,
-        EXPOSE_DEBUG_METRICS_SETTING, EXPOSE_METRICS_SETTING, EXTRA_PIP_INDEX_URL_SETTING,
+        DEFAULT_TAGS_PER_WORKSPACE_SETTING, ENV_SETTINGS, EXPOSE_DEBUG_METRICS_SETTING,
+        EXPOSE_METRICS_SETTING, EXTRA_PIP_INDEX_URL_SETTING, HUB_BASE_URL_SETTING,
         JOB_DEFAULT_TIMEOUT_SECS_SETTING, KEEP_JOB_DIR_SETTING, LICENSE_KEY_SETTING,
         NPM_CONFIG_REGISTRY_SETTING, OAUTH_SETTING, PIP_INDEX_URL_SETTING,
         REQUEST_SIZE_LIMIT_SETTING, REQUIRE_PREEXISTING_USER_FOR_OAUTH_SETTING,
@@ -47,10 +47,10 @@ use windmill_worker::{
 use crate::monitor::{
     initial_load, load_keep_job_dir, load_require_preexisting_user, load_tag_per_workspace_enabled,
     monitor_db, monitor_pool, reload_base_url_setting, reload_bunfig_install_scopes_setting,
-    reload_extra_pip_index_url_setting, reload_job_default_timeout_setting, reload_license_key,
-    reload_npm_config_registry_setting, reload_pip_index_url_setting,
-    reload_retention_period_setting, reload_scim_token_setting, reload_server_config,
-    reload_worker_config,
+    reload_extra_pip_index_url_setting, reload_hub_base_url_setting,
+    reload_job_default_timeout_setting, reload_license_key, reload_npm_config_registry_setting,
+    reload_pip_index_url_setting, reload_retention_period_setting, reload_scim_token_setting,
+    reload_server_config, reload_worker_config,
 };
 
 #[cfg(feature = "parquet")]
@@ -498,7 +498,11 @@ Windmill Community Edition {GIT_VERSION}
                                                         tracing::error!(error = %e, "Could not send killpill to server");
                                                     }
                                                 },
-                                                DISABLE_STATS_SETTING => {},
+                                                HUB_BASE_URL_SETTING => {
+                                                    if let Err(e) = reload_hub_base_url_setting(&db, server_mode).await {
+                                                        tracing::error!(error = %e, "Could not reload hub base url setting");
+                                                    }
+                                                },
                                                 a @_ => {
                                                     tracing::info!("Unrecognized Global Setting Change Payload: {:?}", a);
                                                 }

backend/src/monitor.rs

@@ -14,6 +14,9 @@ use tokio::{
     join,
     sync::{mpsc, RwLock},
 };
+
+#[cfg(feature = "embedding")]
+use windmill_api::embeddings::update_embeddings_db;
 use windmill_api::{
     oauth2_ee::{build_oauth_clients, OAuthClient},
     DEFAULT_BODY_LIMIT, IS_SECURE, OAUTH_CLIENTS, REQUEST_SIZE_LIMIT, SAML_METADATA, SCIM_TOKEN,
@@ -24,8 +27,8 @@ use windmill_common::{
     global_settings::{
         BASE_URL_SETTING, BUNFIG_INSTALL_SCOPES_SETTING, DEFAULT_TAGS_PER_WORKSPACE_SETTING,
         EXPOSE_DEBUG_METRICS_SETTING, EXPOSE_METRICS_SETTING, EXTRA_PIP_INDEX_URL_SETTING,
-        JOB_DEFAULT_TIMEOUT_SECS_SETTING, KEEP_JOB_DIR_SETTING, LICENSE_KEY_SETTING,
-        NPM_CONFIG_REGISTRY_SETTING, OAUTH_SETTING, PIP_INDEX_URL_SETTING,
+        HUB_BASE_URL_SETTING, JOB_DEFAULT_TIMEOUT_SECS_SETTING, KEEP_JOB_DIR_SETTING,
+        LICENSE_KEY_SETTING, NPM_CONFIG_REGISTRY_SETTING, OAUTH_SETTING, PIP_INDEX_URL_SETTING,
         REQUEST_SIZE_LIMIT_SETTING, REQUIRE_PREEXISTING_USER_FOR_OAUTH_SETTING,
         RETENTION_PERIOD_SECS_SETTING, SAML_METADATA_SETTING, SCIM_TOKEN_SETTING,
     },
@@ -37,7 +40,7 @@ use windmill_common::{
         load_worker_config, reload_custom_tags_setting, DEFAULT_TAGS_PER_WORKSPACE, SERVER_CONFIG,
         WORKER_CONFIG,
     },
-    BASE_URL, DB, METRICS_DEBUG_ENABLED, METRICS_ENABLED,
+    BASE_URL, DB, DEFAULT_HUB_BASE_URL, HUB_BASE_URL, METRICS_DEBUG_ENABLED, METRICS_ENABLED,
 };
 use windmill_queue::cancel_job;
 use windmill_worker::{
@@ -136,6 +139,10 @@ pub async fn initial_load(
         tracing::error!("Error reloading base url: {:?}", e)
     }
 
+    if let Err(e) = reload_hub_base_url_setting(db, server_mode).await {
+        tracing::error!("Error reloading hub base url: {:?}", e)
+    }
+
     #[cfg(feature = "parquet")]
     if !_is_agent {
         reload_s3_cache_setting(&db).await;
@@ -920,7 +927,7 @@ async fn handle_zombie_flows(
         r#"
         SELECT *
         FROM queue
-        WHERE running = true AND suspend = 0 AND scheduled_for <= now() AND (job_kind = 'flow' OR job_kind = 'flowpreview')
+        WHERE running = true AND suspend = 0 AND suspend_until IS null AND scheduled_for <= now() AND (job_kind = 'flow' OR job_kind = 'flowpreview')
             AND last_ping IS NOT NULL AND last_ping < NOW() - ($1 || ' seconds')::interval 
         "#,
     ).bind(FLOW_ZOMBIE_TRANSITION_TIMEOUT.as_str())
@@ -1025,3 +1032,45 @@ async fn cancel_zombie_flow_job(
     ntx.commit().await?;
     Ok(())
 }
+
+pub async fn reload_hub_base_url_setting(db: &DB, server_mode: bool) -> error::Result<()> {
+    let hub_base_url = load_value_from_global_settings(db, HUB_BASE_URL_SETTING).await?;
+
+    let base_url = if let Some(q) = hub_base_url {
+        if let Ok(v) = serde_json::from_value::<String>(q.clone()) {
+            if v != "" {
+                v
+            } else {
+                DEFAULT_HUB_BASE_URL.to_string()
+            }
+        } else {
+            tracing::error!(
+                "Could not parse hub_base_url setting as a string, found: {:#?}",
+                &q
+            );
+            DEFAULT_HUB_BASE_URL.to_string()
+        }
+    } else {
+        DEFAULT_HUB_BASE_URL.to_string()
+    };
+
+    let mut l = HUB_BASE_URL.write().await;
+    if server_mode {
+        #[cfg(feature = "embedding")]
+        if *l != base_url {
+            let disable_embedding = std::env::var("DISABLE_EMBEDDING")
+                .ok()
+                .map(|x| x.parse::<bool>().unwrap_or(false))
+                .unwrap_or(false);
+            if !disable_embedding {
+                let db_clone = db.clone();
+                tokio::spawn(async move {
+                    update_embeddings_db(&db_clone).await;
+                });
+            }
+        }
+    }
+    *l = base_url;
+
+    Ok(())
+}

backend/tests/worker.rs

@@ -1079,7 +1079,8 @@ async fn test_deno_flow(db: Pool<Postgres>) {
                     mock: None,
                     timeout: None,
                     priority: None,
-                    delete_after_use: None
+                    delete_after_use: None,
+                    continue_on_error: None,
                 },
                 FlowModule {
                     id: "b".to_string(),
@@ -1116,6 +1117,7 @@ async fn test_deno_flow(db: Pool<Postgres>) {
                             timeout: None,
                             priority: None,
                             delete_after_use: None,
+                            continue_on_error: None,
                         }],
                     },
                     stop_after_if: Default::default(),
@@ -1128,6 +1130,7 @@ async fn test_deno_flow(db: Pool<Postgres>) {
                     timeout: None,
                     priority: None,
                     delete_after_use: None,
+                    continue_on_error: None,
                 },
             ],
             same_worker: false,
@@ -1229,6 +1232,7 @@ async fn test_deno_flow_same_worker(db: Pool<Postgres>) {
                     timeout: None,
                     priority: None,
                     delete_after_use: None,
+                    continue_on_error: None,
                 },
                 FlowModule {
                     id: "b".to_string(),
@@ -1276,6 +1280,7 @@ async fn test_deno_flow_same_worker(db: Pool<Postgres>) {
                                 timeout: None,
                                 priority: None,
                                 delete_after_use: None,
+                                continue_on_error: None,
                             },
                             FlowModule {
                                 id: "e".to_string(),
@@ -1308,7 +1313,9 @@ async fn test_deno_flow_same_worker(db: Pool<Postgres>) {
                                 mock: None,
                                 timeout: None,
                                 priority: None,
-                                delete_after_use: None
+                                delete_after_use: None,
+                                continue_on_error: None,
+
                             },
                         ],
                     },
@@ -1321,7 +1328,8 @@ async fn test_deno_flow_same_worker(db: Pool<Postgres>) {
                     mock: None,
                     timeout: None,
                     priority: None,
-                    delete_after_use: None
+                    delete_after_use: None,
+                    continue_on_error: None,
                 },
                 FlowModule {
                     id: "c".to_string(),
@@ -1362,6 +1370,7 @@ async fn test_deno_flow_same_worker(db: Pool<Postgres>) {
                     timeout: None,
                     priority: None,
                     delete_after_use: None,
+                    continue_on_error: None,
                 },
             ],
             same_worker: true,
@@ -2582,6 +2591,7 @@ async fn test_flow_lock_all(db: Pool<Postgres>) {
                     priority: None,
                     dedicated_worker: None,
                     timeout: None,
+                    visible_to_runner_only: None,
                 },
                 draft_only: None,
                 deployment_message: None,
@@ -3153,6 +3163,7 @@ async fn run_deployed_relative_imports(db: &Pool<Postgres>, script_content: Stri
             restart_unless_cancelled: None,
             deployment_message: None,
             concurrency_key: None,
+            visible_to_runner_only: None,
         },
     ).await.unwrap();
 

backend/windmill-api/Cargo.toml

@@ -39,7 +39,6 @@ tower-http.workspace = true
 hyper.workspace = true
 itertools.workspace = true
 reqwest.workspace = true
-reqwest_11.workspace = true
 serde.workspace = true
 sqlx.workspace = true
 async-oauth2.workspace = true

backend/windmill-api/build_openapi.sh

@@ -5,5 +5,7 @@ npx @redocly/openapi-cli@latest bundle openapi.yaml > openapi-bundled.yaml
 
 
 npx @redocly/openapi-cli@latest bundle openapi-bundled.yaml --ext yaml -d > openapi-deref.yaml
+npx @redocly/openapi-cli@latest bundle openapi-bundled.yaml --ext json > openapi-deref.json
+
 
 rm openapi-bundled.yaml

backend/windmill-api/openapi.yaml

@@ -1,7 +1,7 @@
 openapi: "3.0.3"
 
 info:
-  version: 1.296.1
+  version: 1.311.0
   title: Windmill API
 
   contact:
@@ -718,7 +718,6 @@ paths:
               schema:
                 type: string
 
-
     # pub use_ssl: Option<bool>,
     # #[serde(rename = "accountName")]
     # pub account_name: String,
@@ -1229,7 +1228,6 @@ paths:
               schema:
                 type: string
 
-
   /w/{workspace}/workspaces/change_workspace_id:
     post:
       summary: change workspace id
@@ -1957,6 +1955,22 @@ paths:
               schema:
                 $ref: "#/components/schemas/LargeFileStorage"
 
+  /w/{workspace}/workspaces/usage:
+    get:
+      summary: get usage
+      operationId: getWorkspaceUsage
+      tags:
+        - workspace
+      parameters:
+        - $ref: "#/components/parameters/WorkspaceId"
+      responses:
+        "200":
+          description: usage
+          content:
+            text/plain:
+              schema:
+                type: number
+
   /w/{workspace}/users/list:
     get:
       summary: list users
@@ -3876,6 +3890,7 @@ paths:
             type: integer
         - $ref: "#/components/parameters/ParentJob"
         - $ref: "#/components/parameters/WorkerTag"
+        - $ref: "#/components/parameters/CacheTtl"
         - $ref: "#/components/parameters/NewJobId"
         - name: invisible_to_owner
           description: make the run invisible to the the script owner (default false)
@@ -3939,6 +3954,7 @@ paths:
         - $ref: "#/components/parameters/ScriptPath"
         - $ref: "#/components/parameters/ParentJob"
         - $ref: "#/components/parameters/WorkerTag"
+        - $ref: "#/components/parameters/CacheTtl"
         - $ref: "#/components/parameters/NewJobId"
         - $ref: "#/components/parameters/IncludeHeader"
         - $ref: "#/components/parameters/QueueLimit"
@@ -3968,6 +3984,7 @@ paths:
         - $ref: "#/components/parameters/ScriptPath"
         - $ref: "#/components/parameters/ParentJob"
         - $ref: "#/components/parameters/WorkerTag"
+        - $ref: "#/components/parameters/CacheTtl"
         - $ref: "#/components/parameters/NewJobId"
         - $ref: "#/components/parameters/IncludeHeader"
         - $ref: "#/components/parameters/QueueLimit"
@@ -5025,6 +5042,7 @@ paths:
             type: integer
         - $ref: "#/components/parameters/ParentJob"
         - $ref: "#/components/parameters/WorkerTag"
+        - $ref: "#/components/parameters/CacheTtl"
         - $ref: "#/components/parameters/NewJobId"
         - $ref: "#/components/parameters/IncludeHeader"
         - name: invisible_to_owner
@@ -5216,6 +5234,8 @@ paths:
         - $ref: "#/components/parameters/ArgsFilter"
         - $ref: "#/components/parameters/ResultFilter"
         - $ref: "#/components/parameters/Tag"
+        - $ref: "#/components/parameters/Page"
+        - $ref: "#/components/parameters/PerPage"
         - name: all_workspaces
           description: get jobs from all workspaces (only valid if request come from the `admins` workspace)
           in: query
@@ -5318,6 +5338,8 @@ paths:
         - $ref: "#/components/parameters/ArgsFilter"
         - $ref: "#/components/parameters/ResultFilter"
         - $ref: "#/components/parameters/Tag"
+        - $ref: "#/components/parameters/Page"
+        - $ref: "#/components/parameters/PerPage"
         - name: is_skipped
           description: is the job skipped
           in: query
@@ -5367,6 +5389,8 @@ paths:
         - $ref: "#/components/parameters/ArgsFilter"
         - $ref: "#/components/parameters/Tag"
         - $ref: "#/components/parameters/ResultFilter"
+        - $ref: "#/components/parameters/Page"
+        - $ref: "#/components/parameters/PerPage"
         - name: is_skipped
           description: is the job skipped
           in: query
@@ -5510,6 +5534,26 @@ paths:
                   flow_status:
                     $ref: "#/components/schemas/WorkflowStatusRecord"
 
+  /w/{workspace}/jobs_u/get_log_file/{path}:
+    get:
+      summary: get log file from object store
+      operationId: getLogFileFromStore
+      tags:
+        - job
+      parameters:
+        - $ref: "#/components/parameters/WorkspaceId"
+        - name: path
+          in: path
+          required: true
+          schema:
+            type: string
+      responses:
+        "200":
+          description: job log
+          content:
+            text/plain:
+              type: string
+
   /w/{workspace}/jobs_u/get_flow_debug_info/{id}:
     get:
       summary: get flow debug info
@@ -6176,6 +6220,7 @@ paths:
         - $ref: "#/components/parameters/WorkspaceId"
         - $ref: "#/components/parameters/Page"
         - $ref: "#/components/parameters/PerPage"
+        - $ref: "#/components/parameters/ArgsFilter"
         - name: path
           description: filter by path
           in: query
@@ -7995,6 +8040,12 @@ components:
       in: query
       schema:
         type: string
+    CacheTtl:
+      name: cache_ttl
+      description: Override the cache time to live (in seconds). Can not be used to disable caching, only override with a new cache ttl
+      in: query
+      schema:
+        type: string
     NewJobId:
       name: job_id
       description:
@@ -8303,6 +8354,8 @@ components:
           type: integer
         delete_after_use:
           type: boolean
+        visible_to_runner_only:
+          type: boolean
       required:
         - hash
         - path
@@ -8389,6 +8442,8 @@ components:
           type: string
         concurrency_key:
           type: string
+        visible_to_runner_only:
+          type: boolean
       required:
         - path
         - summary
@@ -8707,15 +8762,21 @@ components:
         - tag
 
     Job:
-      allOf:
-        - oneOf:
+      oneOf:
+        - allOf:
             - $ref: "#/components/schemas/CompletedJob"
+            - type: object
+              properties:
+                type:
+                  type: string
+                  enum: [CompletedJob]
+        - allOf:
             - $ref: "#/components/schemas/QueuedJob"
-        - type: object
-          properties:
-            type:
-              type: string
-              enum: [CompletedJob, QueuedJob]
+            - type: object
+              properties:
+                type:
+                  type: string
+                  enum: [QueuedJob]
       discriminator:
         propertyName: type
 
@@ -9685,6 +9746,11 @@ components:
         - $ref: "../../openflow.openapi.yaml#/components/schemas/OpenFlow"
         - $ref: "#/components/schemas/FlowMetadata"
 
+    ExtraPerms:
+      type: object
+      additionalProperties:
+        type: boolean
+
     FlowMetadata:
       type: object
       properties:
@@ -9700,9 +9766,7 @@ components:
         archived:
           type: boolean
         extra_perms:
-          type: object
-        additionalProperties:
-          type: boolean
+          $ref: "#/components/schemas/ExtraPerms"
         starred:
           type: boolean
         draft_only:
@@ -9717,6 +9781,8 @@ components:
           type: boolean
         timeout:
           type: number
+        visible_to_runner_only:
+          type: boolean
       required:
         - path
         - edited_by
@@ -9741,6 +9807,8 @@ components:
               type: boolean
             timeout:
               type: number
+            visible_to_runner_only:
+              type: boolean
           required:
             - path
 
@@ -9872,7 +9940,8 @@ components:
         created_at:
           type: string
           format: date-time
-        value: {}
+        value:
+          type: object
         policy:
           $ref: "#/components/schemas/Policy"
         execution_mode:
@@ -10097,6 +10166,8 @@ components:
           type: string
         use_individual_branch:
           type: boolean
+        group_by_folder:
+          type: boolean
         exclude_types_override:
           type: array
           items:

backend/windmill-api/src/apps.rs

@@ -39,6 +39,7 @@ use windmill_common::{
         http_get_from_hub, not_found_if_none, paginate, query_elems_from_hub, Pagination, StripPath,
     },
     variables::build_crypt,
+    HUB_BASE_URL,
 };
 
 use windmill_git_sync::{handle_deployment_metadata, DeployedObject};
@@ -633,16 +634,12 @@ async fn create_app(
 async fn list_hub_apps(Extension(db): Extension<DB>) -> impl IntoResponse {
     let (status_code, headers, body) = query_elems_from_hub(
         &HTTP_CLIENT,
-        "https://hub.windmill.dev/searchUiData?approved=true",
+        &format!("{}/searchUiData?approved=true", *HUB_BASE_URL.read().await),
         None,
         &db,
     )
     .await?;
-    Ok::<_, Error>((
-        status_code,
-        headers,
-        body
-    ))
+    Ok::<_, Error>((status_code, headers, body))
 }
 
 pub async fn get_hub_app_by_id(
@@ -651,7 +648,7 @@ pub async fn get_hub_app_by_id(
 ) -> JsonResult<serde_json::Value> {
     let value = http_get_from_hub(
         &HTTP_CLIENT,
-        &format!("https://hub.windmill.dev/apps/{id}/json"),
+        &format!("{}/apps/{}/json", *HUB_BASE_URL.read().await, id),
         false,
         None,
         &db,

backend/windmill-api/src/db.rs

@@ -166,6 +166,7 @@ pub async fn migrate(db: &DB) -> Result<(), Error> {
             tracing::error!("Database had been applied more migrations than this container. 
             This usually mean than another container on a more recent version migrated the database and this one is on an earlier version.
             Please update the container to latest. Not critical, but may cause issues if migration introduced a breaking change. Version missing: {e}");
+            custom_migrator.unlock().await?;
             Ok(())
         }
         Err(err) => Err(err),

backend/windmill-api/src/embeddings.rs

@@ -1,21 +1,22 @@
 #[cfg(feature = "embedding")]
+use anyhow::{anyhow, Error, Result};
+#[cfg(feature = "embedding")]
 use std::{collections::HashMap, path::PathBuf, sync::Arc};
 #[cfg(feature = "embedding")]
-use anyhow::{anyhow, Error, Result};
+use windmill_common::DEFAULT_HUB_BASE_URL;
+#[cfg(feature = "embedding")]
+use windmill_common::HUB_BASE_URL;
 
 use axum::Router;
 
 #[cfg(feature = "embedding")]
 use axum::{
     extract::{Path, Query},
-    Json, 
+    Json,
 };
 
-
 #[cfg(feature = "embedding")]
-use axum::{
-    routing::get, Extension
-};
+use axum::routing::get;
 #[cfg(feature = "embedding")]
 use candle_core::{Device, Tensor};
 #[cfg(feature = "embedding")]
@@ -45,9 +46,14 @@ use windmill_common::utils::http_get_from_hub;
 use windmill_common::error::JsonResult;
 
 #[cfg(feature = "embedding")]
-
 use crate::{resources::ResourceType, HTTP_CLIENT};
 
+#[cfg(feature = "embedding")]
+lazy_static::lazy_static! {
+    pub static ref EMBEDDINGS_DB: Arc<RwLock<Option<EmbeddingsDb>>> = Arc::new(RwLock::new(None));
+    pub static ref MODEL_INSTANCE: Arc<RwLock<Option<Arc<ModelInstance>>>> = Arc::new(RwLock::new(None));
+}
+
 #[cfg(feature = "embedding")]
 #[derive(Deserialize)]
 struct HubScriptsQuery {
@@ -71,9 +77,8 @@ pub struct HubScriptResult {
 #[cfg(feature = "embedding")]
 async fn query_hub_scripts(
     Query(query): Query<HubScriptsQuery>,
-    Extension(embeddings_db): Extension<Arc<RwLock<Option<EmbeddingsDb>>>>,
 ) -> JsonResult<Vec<HubScriptResult>> {
-    let embeddings_db = embeddings_db.read().await;
+    let embeddings_db = EMBEDDINGS_DB.read().await;
 
     if let Some(embeddings_db) = embeddings_db.as_ref() {
         let results = embeddings_db
@@ -88,7 +93,6 @@ async fn query_hub_scripts(
     }
 }
 
-
 #[cfg(feature = "embedding")]
 #[derive(Deserialize)]
 struct ResourceTypesQuery {
@@ -106,9 +110,8 @@ pub struct ResourceTypeResult {
 async fn query_resource_types(
     Query(query): Query<ResourceTypesQuery>,
     Path(w_id): Path<String>,
-    Extension(embeddings_db): Extension<Arc<RwLock<Option<EmbeddingsDb>>>>,
 ) -> JsonResult<Vec<ResourceTypeResult>> {
-    let embeddings_db = embeddings_db.read().await;
+    let embeddings_db = EMBEDDINGS_DB.read().await;
 
     if let Some(embeddings_db) = embeddings_db.as_ref() {
         let results = embeddings_db
@@ -123,7 +126,6 @@ async fn query_resource_types(
     }
 }
 
-
 #[cfg(feature = "embedding")]
 #[derive(Deserialize, Debug, Clone)]
 struct HubScript {
@@ -292,24 +294,41 @@ impl EmbeddingsDb {
         self.db
             .create_collection("resource_types".to_string(), 384, Distance::Cosine)?;
 
-        let response = HTTP_CLIENT
-            .get("https://bucket.windmillhub.com/embeddings/scripts_embeddings.json")
-            .send()
-            .await;
-        let response =
-            if response.is_err() || response.as_ref().unwrap().error_for_status_ref().is_err() {
-                tracing::warn!("Failed to get scripts embeddings from bucket, trying hub...");
+        let hub_base_url = HUB_BASE_URL.read().await.clone();
+
+        let response = match hub_base_url.as_str() {
+            DEFAULT_HUB_BASE_URL => {
+                let response = HTTP_CLIENT
+                    .get("https://bucket.windmillhub.com/embeddings/scripts_embeddings.json")
+                    .send()
+                    .await;
+
+                if response.is_err() || response.as_ref().unwrap().error_for_status_ref().is_err() {
+                    tracing::warn!("Failed to get scripts embeddings from bucket, trying hub...");
+                    http_get_from_hub(
+                        &HTTP_CLIENT,
+                        &format!("{}/scripts/embeddings", hub_base_url),
+                        false,
+                        None,
+                        pg_db,
+                    )
+                    .await?
+                } else {
+                    response.unwrap()
+                }
+            }
+            _ => {
                 http_get_from_hub(
                     &HTTP_CLIENT,
-                    "https://hub.windmill.dev/scripts/embeddings",
+                    &format!("{}/scripts/embeddings", hub_base_url),
                     false,
                     None,
                     pg_db,
                 )
                 .await?
-            } else {
-                response.unwrap()
-            };
+            }
+        };
+
         if response.error_for_status_ref().is_err() {
             return Err(anyhow!(
                 "Failed to get scripts embeddings from hub with error code: {}",
@@ -338,25 +357,40 @@ impl EmbeddingsDb {
             self.db.insert_into_collection("scripts", embedding)?;
         }
 
-        let response = HTTP_CLIENT
-            .get("https://bucket.windmillhub.com/embeddings/resource_types_embeddings.json")
-            .send()
-            .await;
-        let response = if response.is_err()
-            || response.as_ref().unwrap().error_for_status_ref().is_err()
-        {
-            tracing::warn!("Failed to get resource types embeddings from bucket, trying hub...");
-            http_get_from_hub(
-                &HTTP_CLIENT,
-                "https://hub.windmill.dev/resource_types/embeddings",
-                false,
-                None,
-                pg_db,
-            )
-            .await?
-        } else {
-            response.unwrap()
+        let response = match hub_base_url.as_str() {
+            DEFAULT_HUB_BASE_URL => {
+                let response = HTTP_CLIENT
+                    .get("https://bucket.windmillhub.com/embeddings/resource_types_embeddings.json")
+                    .send()
+                    .await;
+                if response.is_err() || response.as_ref().unwrap().error_for_status_ref().is_err() {
+                    tracing::warn!(
+                        "Failed to get resource types embeddings from bucket, trying hub..."
+                    );
+                    http_get_from_hub(
+                        &HTTP_CLIENT,
+                        &format!("{}/resource_types/embeddings", hub_base_url),
+                        false,
+                        None,
+                        pg_db,
+                    )
+                    .await?
+                } else {
+                    response.unwrap()
+                }
+            }
+            _ => {
+                http_get_from_hub(
+                    &HTTP_CLIENT,
+                    &format!("{}/resource_types/embeddings", hub_base_url),
+                    false,
+                    None,
+                    pg_db,
+                )
+                .await?
+            }
         };
+
         if response.error_for_status_ref().is_err() {
             return Err(anyhow!(
                 "Failed to get resource types embeddings from hub with error code: {}",
@@ -554,9 +588,7 @@ fn normalize_l2(v: &Tensor) -> Result<Tensor> {
 }
 
 #[cfg(feature = "embedding")]
-pub fn load_embeddings_db(db: &Pool<Postgres>) -> Arc<RwLock<Option<EmbeddingsDb>>> {
-    let embeddings_db: Arc<RwLock<Option<EmbeddingsDb>>> = Arc::new(RwLock::new(None));
-
+pub fn load_embeddings_db(db: &Pool<Postgres>) -> () {
     let disable_embedding = std::env::var("DISABLE_EMBEDDING")
         .ok()
         .map(|x| x.parse::<bool>().unwrap_or(false))
@@ -564,24 +596,14 @@ pub fn load_embeddings_db(db: &Pool<Postgres>) -> Arc<RwLock<Option<EmbeddingsDb
 
     if !disable_embedding {
         let db_clone = db.clone();
-        let embeddings_clone: Arc<RwLock<Option<EmbeddingsDb>>> = embeddings_db.clone();
         tokio::spawn(async move {
             let model_instance = ModelInstance::new().await;
-
             if let Ok(model_instance) = model_instance {
-                let model_instance = Arc::new(model_instance);
+                let mut model_instance_lock = MODEL_INSTANCE.write().await;
+                *model_instance_lock = Some(Arc::new(model_instance));
+                drop(model_instance_lock);
                 loop {
-                    tracing::info!("Creating embeddings DB...");
-                    let new_embeddings_db =
-                        EmbeddingsDb::new(&db_clone, model_instance.clone()).await;
-                    if let Err(e) = new_embeddings_db.as_ref() {
-                        tracing::error!("Failed to create embeddings db: {}", e);
-                    } else {
-                        let mut embeddings_db = embeddings_clone.write().await;
-                        *embeddings_db = new_embeddings_db.ok();
-                        tracing::info!("Created embeddings DB");
-                    }
-
+                    update_embeddings_db(&db_clone).await;
                     tokio::time::sleep(std::time::Duration::from_secs(3600 * 24)).await;
                 }
             } else {
@@ -592,39 +614,41 @@ pub fn load_embeddings_db(db: &Pool<Postgres>) -> Arc<RwLock<Option<EmbeddingsDb
             }
         });
     }
-
-    embeddings_db
 }
 
 #[cfg(feature = "embedding")]
-pub fn workspaced_service(embeddings_db: Option<Arc<RwLock<Option<EmbeddingsDb>>>>) -> Router {
-    if let Some(embeddings_db) = embeddings_db {
-        Router::new()
-            .route("/query_resource_types", get(query_resource_types))
-            .layer(Extension(embeddings_db))
+pub async fn update_embeddings_db(db: &Pool<Postgres>) -> () {
+    if let Some(model_instance) = MODEL_INSTANCE.read().await.as_ref() {
+        tracing::info!("Creating embeddings DB...");
+        let new_embeddings_db = EmbeddingsDb::new(&db, model_instance.clone()).await;
+        if let Err(e) = new_embeddings_db.as_ref() {
+            tracing::error!("Failed to create embeddings db: {}", e);
+        } else {
+            let mut embeddings_db = EMBEDDINGS_DB.write().await;
+            *embeddings_db = new_embeddings_db.ok();
+            tracing::info!("Created embeddings DB");
+        }
     } else {
-        Router::new()
+        tracing::error!("Could not update embeddings DB, model instance not initialized");
     }
 }
 
 #[cfg(feature = "embedding")]
-pub fn global_service(embeddings_db: Option<Arc<RwLock<Option<EmbeddingsDb>>>>) -> Router {
-    if let Some(embeddings_db) = embeddings_db {
-        Router::new()
-            .route("/query_hub_scripts", get(query_hub_scripts))
-            .layer(Extension(embeddings_db))
-    } else {
-        Router::new()
-    }
+pub fn workspaced_service() -> Router {
+    Router::new().route("/query_resource_types", get(query_resource_types))
 }
 
-
-#[cfg(not(feature = "embedding"))]
-pub fn workspaced_service(_embeddings_db: Option<()>) -> Router {
-        Router::new()
+#[cfg(feature = "embedding")]
+pub fn global_service() -> Router {
+    Router::new().route("/query_hub_scripts", get(query_hub_scripts))
 }
 
 #[cfg(not(feature = "embedding"))]
-pub fn global_service(_embeddings_db: Option<()>) -> Router {
-        Router::new()
+pub fn workspaced_service() -> Router {
+    Router::new()
+}
+
+#[cfg(not(feature = "embedding"))]
+pub fn global_service() -> Router {
+    Router::new()
 }

backend/windmill-api/src/flows.rs

@@ -31,6 +31,7 @@ use sqlx::{FromRow, Postgres, Transaction};
 use windmill_audit::audit_ee::audit_log;
 use windmill_audit::ActionKind;
 use windmill_common::utils::query_elems_from_hub;
+use windmill_common::HUB_BASE_URL;
 use windmill_common::{
     db::UserDB,
     error::{self, to_anyhow, Error, JsonResult, Result},
@@ -167,7 +168,10 @@ async fn list_flows(
 async fn list_hub_flows(Extension(db): Extension<DB>) -> impl IntoResponse {
     let (status_code, headers, response) = query_elems_from_hub(
         &HTTP_CLIENT,
-        "https://hub.windmill.dev/searchFlowData?approved=true",
+        &format!(
+            "{}/searchFlowData?approved=true",
+            *HUB_BASE_URL.read().await
+        ),
         None,
         &db,
     )
@@ -199,7 +203,7 @@ pub async fn get_hub_flow_by_id(
 ) -> JsonResult<serde_json::Value> {
     let value = http_get_from_hub(
         &HTTP_CLIENT,
-        &format!("https://hub.windmill.dev/flows/{id}/json"),
+        &format!("{}/flows/{}/json", *HUB_BASE_URL.read().await, id),
         false,
         None,
         &db,
@@ -319,7 +323,7 @@ async fn create_flow(
 
     sqlx::query!(
         "INSERT INTO flow (workspace_id, path, summary, description, value, edited_by, edited_at, \
-         schema, dependency_job, draft_only, tag, dedicated_worker) VALUES ($1, $2, $3, $4, $5, $6, now(), $7::text::json, NULL, $8, $9, $10)",
+         schema, dependency_job, draft_only, tag, dedicated_worker, visible_to_runner_only) VALUES ($1, $2, $3, $4, $5, $6, now(), $7::text::json, NULL, $8, $9, $10, $11)",
         w_id,
         nf.path,
         nf.summary,
@@ -329,7 +333,8 @@ async fn create_flow(
         nf.schema.and_then(|x| serde_json::to_string(&x.0).ok()),
         nf.draft_only,
         nf.tag,
-        nf.dedicated_worker
+        nf.dedicated_worker,
+        nf.visible_to_runner_only.unwrap_or(false),
     )
     .execute(&mut tx)
     .await?;
@@ -485,7 +490,7 @@ async fn update_flow(
     let old_dep_job = not_found_if_none(old_dep_job, "Flow", flow_path)?;
     sqlx::query!(
         "UPDATE flow SET path = $1, summary = $2, description = $3, value = $4, edited_by = $5, \
-         edited_at = now(), schema = $6::text::json, dependency_job = NULL, draft_only = NULL, tag = $9, dedicated_worker = $10
+         edited_at = now(), schema = $6::text::json, dependency_job = NULL, draft_only = NULL, tag = $9, dedicated_worker = $10, visible_to_runner_only = $11
         WHERE path = $7 AND workspace_id = $8",
         nf.path,
         nf.summary,
@@ -496,7 +501,8 @@ async fn update_flow(
         flow_path,
         w_id,
         nf.tag,
-        nf.dedicated_worker
+        nf.dedicated_worker,
+        nf.visible_to_runner_only.unwrap_or(false),
     )
     .execute(&mut tx)
     .await?;
@@ -669,6 +675,8 @@ pub struct FlowWDraft {
     pub ws_error_handler_muted: Option<bool>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub dedicated_worker: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub visible_to_runner_only: Option<bool>,
 }
 
 async fn get_flow_by_path_w_draft(
@@ -680,7 +688,7 @@ async fn get_flow_by_path_w_draft(
     let mut tx = user_db.begin(&authed).await?;
 
     let flow_o = sqlx::query_as::<_, FlowWDraft>(
-        "SELECT flow.path, flow.summary, flow,description, flow.schema, flow.value, flow.extra_perms, flow.draft_only, flow.ws_error_handler_muted, flow.dedicated_worker, draft.value as draft, flow.tag
+        "SELECT flow.path, flow.summary, flow,description, flow.schema, flow.value, flow.extra_perms, flow.draft_only, flow.ws_error_handler_muted, flow.dedicated_worker, draft.value as draft, flow.tag, flow.visible_to_runner_only
          FROM flow
         LEFT JOIN draft ON 
         flow.path = draft.path AND draft.workspace_id = $2 AND draft.typ = 'flow' 
@@ -893,6 +901,7 @@ mod tests {
                     timeout: None,
                     priority: None,
                     delete_after_use: None,
+                    continue_on_error: None,
                 },
                 FlowModule {
                     id: "b".to_string(),
@@ -919,6 +928,7 @@ mod tests {
                     timeout: None,
                     priority: None,
                     delete_after_use: None,
+                    continue_on_error: None,
                 },
                 FlowModule {
                     id: "c".to_string(),
@@ -942,6 +952,7 @@ mod tests {
                     timeout: None,
                     priority: None,
                     delete_after_use: None,
+                    continue_on_error: None,
                 },
             ],
             failure_module: Some(FlowModule {
@@ -965,6 +976,7 @@ mod tests {
                 timeout: None,
                 priority: None,
                 delete_after_use: None,
+                continue_on_error: None,
             }),
             same_worker: false,
             concurrent_limit: None,
@@ -973,6 +985,7 @@ mod tests {
             cache_ttl: None,
             priority: None,
             early_return: None,
+            concurrency_key: None,
         };
         let expect = serde_json::json!({
           "modules": [

backend/windmill-api/src/folders.rs

@@ -478,13 +478,22 @@ async fn delete_folder(
 
     not_found_if_none(get_folderopt(&mut tx, &w_id, &name).await?, "Folder", &name)?;
 
-    sqlx::query!(
-        "DELETE FROM folder WHERE name = $1 AND workspace_id = $2",
+    let del = sqlx::query_scalar!(
+        "DELETE FROM folder WHERE name = $1 AND workspace_id = $2 RETURNING 1",
         name,
         w_id
     )
-    .execute(&mut *tx)
-    .await?;
+    .fetch_optional(&mut *tx)
+    .await?
+    .flatten();
+
+    if del.is_none() {
+        return Err(windmill_common::error::Error::NotAuthorized(format!(
+            "Not authorized to delete folder {}",
+            name
+        )));
+    }
+
     audit_log(
         &mut *tx,
         &authed.username,

backend/windmill-api/src/integration.rs

@@ -1,8 +1,6 @@
 use crate::{db::DB, HTTP_CLIENT};
-use axum::{
-     extract::Query, response::IntoResponse, routing::get, Extension, Router,
-};
-use windmill_common::{error::Error, utils::query_elems_from_hub};
+use axum::{extract::Query, response::IntoResponse, routing::get, Extension, Router};
+use windmill_common::{error::Error, utils::query_elems_from_hub, HUB_BASE_URL};
 
 pub fn global_service() -> Router {
     Router::new().route("/hub/list", get(list_hub_integrations))
@@ -24,14 +22,10 @@ async fn list_hub_integrations(
 
     let (status_code, headers, response) = query_elems_from_hub(
         &HTTP_CLIENT,
-        "https://hub.windmill.dev/integrations/list",
+        &format!("{}/integrations/list", *HUB_BASE_URL.read().await),
         Some(query_params),
         &db,
     )
     .await?;
-    Ok::<_, Error>((
-        status_code,
-        headers,
-        response
-    ))
+    Ok::<_, Error>((status_code, headers, response))
 }