`POST /api/workspace/repo_sync/pull` — clone/pull repo + apply YAML files to DB with last-write-wins. Returns parse outcomes + the sync event id/timestamp.
const url = 'https://example.com/api/workspace/repo_sync/pull';const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"selected_sops_paths":["example"]}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/api/workspace/repo_sync/pull \ --header 'Content-Type: application/json' \ --data '{ "selected_sops_paths": [ "example" ] }'ADR 0023 v4 S2d — ?import_secrets=false skips vault writes for
secrets/*.sops.yaml files (the wizard preview pass). The default
is ON.
Parameters
Section titled “Parameters”Query Parameters
Section titled “Query Parameters”ADR 0023 v4 S2d — when false, SOPS secrets are scanned + decrypted (so the preview is accurate) but not written to vault. Default: true.
Request Bodyrequired
Section titled “Request Bodyrequired”object
Repo-relative SOPS file paths selected in the preview step. Omitted means “all”; empty means “none”.
Examplegenerated
{ "selected_sops_paths": [ "example" ]}Responses
Section titled “Responses”What a pull returns to the HTTP caller.
object
The commit sha the pull operated against (the new HEAD).
ADR 0057 — a shared db namespace (db/namespace.yaml + db/migrations/)
carried in the synced repo and applied this pull. None when the repo ships
none — the UI can hide the section.
object
Migration names actually applied to the schema this run.
Per-step failures (resource/namespace resolution, a bad migration, apply).
One migration (or resolution step) that failed during a namespace import.
object
The namespace handle from the manifest.
The namespace row id (nil if resolution failed before creation).
Migration names recorded into db_namespace_migrations.
The resolved schema name (the manifest’s schema, else the handle).
Sync-event shape with event_id + timestamp.
object
The git commit sha the sync attempt operated against — None when no commit was made (push with no diff).
repo_sync_push_completed / repo_sync_pull_completed.
RFC3339 timestamp (UTC). The string form keeps the wire format language-agnostic; the web client parses it back to a Date.
The number of repo-side files parsed (every YAML the scanner
found under workflows/ / scripts/ / apps/).
One row per entity the pull touched (created / updated / skipped / failed). The order matches the audit log writes.
One row per entity affected by a pull.
object
Set for skipped / failed rows; absent for the happy path.
Closed catalogue of sync targets a log row can reference.
ADR 0023 v4 S2d — summary of secrets/*.sops.yaml discovery +
decrypt. None when the workspace has no SOPS key bootstrapped
yet AND the repo carried no secrets — the UI can hide the
section in that case.
object
Number of files that decrypted successfully with the workspace age key.
Number of secrets/*.sops.yaml files the scanner found.
Per-file failure list — path + one-line reason.
One SOPS-file failure entry — path inside the repo + a one-line safe-to-display reason.
object
One-line reason — safe to surface to the UI.
Path inside the repo (e.g. secrets/foo.sops.yaml).
True if the import-flow caller set import_secrets=false.
Mirrored back so the UI can re-render the toggle without a
follow-up GET. Defaults to true (the wizard ships with the
toggle ON).
Number of vault writes that completed (subset of decrypted when
the import_secrets toggle is off, equal to decrypted when on).
Example
{ "outcomes": [ { "target_kind": "workflow" } ]}