gen ts types

* remove instrument from validate_cancel_build

* use type safe AllResources map - Action not showing omnisearch

* Stack support replicated services

* server docker nested tables

* fix container networks which use network of another container

* bump version

* add 'address' to ServerListItemInfo

* secrets list on variables page wraps

* fix user data script

* update default template user data

* improve sidebar layout styling

* fix network names shown on containers

* improve stack service / container page

* deleted resource log records Toml backup for later reference

* align all the tables

* add Url Builder type

.devcontainer/dev.compose.yaml

@@ -0,0 +1,33 @@
+services:
+  dev:
+    image: mcr.microsoft.com/devcontainers/rust:1-1-bullseye
+    volumes:
+      # Mount the root folder that contains .git
+      - ../:/workspace:cached
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /proc:/proc
+      - repos:/etc/komodo/repos
+      - stacks:/etc/komodo/stacks
+    command: sleep infinity
+    ports:
+      - "9121:9121"
+    environment:
+      KOMODO_FIRST_SERVER: http://localhost:8120
+      KOMODO_DATABASE_ADDRESS: db
+      KOMODO_ENABLE_NEW_USERS: true
+      KOMODO_LOCAL_AUTH: true
+      KOMODO_JWT_SECRET: a_random_secret
+    links:
+      - db
+    # ...
+
+  db:
+    extends:
+      file: ../test.compose.yaml
+      service: ferretdb
+
+volumes:
+  data:
+  repo-cache:
+  repos:
+  stacks:

.devcontainer/devcontainer.json

@@ -0,0 +1,46 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/rust
+{
+	"name": "Komodo",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	//"image": "mcr.microsoft.com/devcontainers/rust:1-1-bullseye",
+	"dockerComposeFile": ["dev.compose.yaml"],
+	"workspaceFolder": "/workspace",
+  	"service": "dev",
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	"features": {
+		"ghcr.io/devcontainers/features/node:1": {
+			"version": "18.18.0"
+		},
+		"ghcr.io/devcontainers-community/features/deno:1": {
+
+		}
+	},
+
+	// Use 'mounts' to make the cargo cache persistent in a Docker Volume.
+	"mounts": [
+		{
+			"source": "devcontainer-cargo-cache-${devcontainerId}",
+			"target": "/usr/local/cargo",
+			"type": "volume"
+		}
+	],
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	"forwardPorts": [
+		9121
+	],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	"postCreateCommand": "./.devcontainer/postCreate.sh",
+
+	"runServices": [
+		"db"
+	]
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	// "remoteUser": "root"
+}

.devcontainer/postCreate.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cargo install typeshare-cli

.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+    "recommendations": [
+        "rust-lang.rust-analyzer",
+        "tamasfe.even-better-toml",
+        "vadimcn.vscode-lldb",
+        "denoland.vscode-deno"
+    ]
+}

.vscode/tasks.json

@@ -0,0 +1,179 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Run Core",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Core",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Periphery",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Periphery",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Backend",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery"
+            ],
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build TS Client Types",
+            "type": "process",
+            "command": "node",
+            "args": [
+                "./client/core/ts/generate_types.mjs"
+            ],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init TS Client",
+            "type": "shell",
+            "command": "yarn && yarn build && yarn link",
+            "options": {
+                "cwd": "${workspaceFolder}/client/core/ts",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend Client",
+            "type": "shell",
+            "command": "yarn link komodo_client && yarn install",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend",
+            "dependsOn": [
+                "Build TS Client Types",
+                "Init TS Client",
+                "Init Frontend Client"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Build Frontend",
+            "type": "shell",
+            "command": "yarn build",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Prepare Frontend For Run",
+            "type": "shell",
+            "command": "cp -r ./client/core/ts/dist/. frontend/public/client/.",
+            "options": {
+                "cwd": "${workspaceFolder}",
+            },
+            "dependsOn": [
+                "Build TS Client Types",
+                "Build Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Frontend",
+            "type": "shell",
+            "command": "yarn dev",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "dependsOn": ["Prepare Frontend For Run"],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init",
+            "dependsOn": [
+                "Build Backend",
+                "Init Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Komodo",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery",
+                "Run Frontend"
+            ],
+            "problemMatcher": []
+        },
+    ]
+  }

Cargo.toml

@@ -9,7 +9,7 @@ members = [
 ]
 
 [workspace.package]
-version = "1.15.9"
+version = "1.16.6"
 edition = "2021"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"
@@ -32,7 +32,7 @@ git = { path = "lib/git" }
 
 # MOGH
 run_command = { version = "0.0.6", features = ["async_tokio"] }
-serror = { version = "0.4.6", default-features = false }
+serror = { version = "0.4.7", default-features = false }
 slack = { version = "0.2.0", package = "slack_client_rs" }
 derive_default_builder = "0.1.8"
 derive_empty_traits = "0.1.0"
@@ -64,13 +64,13 @@ tokio-tungstenite = "0.24.0"
 ordered_hash_map = { version = "0.4.0", features = ["serde"] }
 serde = { version = "1.0.210", features = ["derive"] }
 strum = { version = "0.26.3", features = ["derive"] }
-serde_json = "1.0.128"
+serde_json = "1.0.132"
 serde_yaml = "0.9.34"
 toml = "0.8.19"
 
 # ERROR
-anyhow = "1.0.89"
-thiserror = "1.0.64"
+anyhow = "1.0.91"
+thiserror = "1.0.65"
 
 # LOGGING
 opentelemetry_sdk = { version = "0.25.0", features = ["rt-tokio"] }
@@ -104,14 +104,15 @@ bollard = "0.17.1"
 sysinfo = "0.32.0"
 
 # CLOUD
-aws-config = "1.5.8"
-aws-sdk-ec2 = "1.77.0"
+aws-config = "1.5.9"
+aws-sdk-ec2 = "1.83.0"
 
 # MISC
 derive_builder = "0.20.2"
-typeshare = "1.0.3"
+typeshare = "1.0.4"
 octorust = "0.7.0"
 dashmap = "6.1.0"
+wildcard = "0.2.0"
 colored = "2.1.0"
-regex = "1.11.0"
+regex = "1.11.1"
 bson = "2.13.0"

bin/cli/src/exec.rs

@@ -1,13 +1,21 @@
 use std::time::Duration;
 
 use colored::Colorize;
-use komodo_client::api::execute::Execution;
+use komodo_client::{
+  api::execute::{BatchExecutionResponse, Execution},
+  entities::update::Update,
+};
 
 use crate::{
   helpers::wait_for_enter,
   state::{cli_args, komodo_client},
 };
 
+pub enum ExecutionResult {
+  Single(Update),
+  Batch(BatchExecutionResponse),
+}
+
 pub async fn run(execution: Execution) -> anyhow::Result<()> {
   if matches!(execution, Execution::None(_)) {
     println!("Got 'none' execution. Doing nothing...");
@@ -21,18 +29,33 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
     Execution::None(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::RunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::RunProcedure(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchRunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::RunBuild(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchRunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::CancelBuild(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
     Execution::Deploy(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchDeploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::StartDeployment(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -51,15 +74,27 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
     Execution::DestroyDeployment(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchDestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::CloneRepo(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchCloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::PullRepo(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchPullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::BuildRepo(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchBuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::CancelRepoBuild(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -135,9 +170,15 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
     Execution::DeployStack(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchDeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::DeployStackIfChanged(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchDeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::StartStack(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -156,6 +197,9 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
     Execution::DestroyStack(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
+    Execution::BatchDestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
     Execution::Sleep(data) => {
       println!("{}: {data:?}", "Data".dimmed())
     }
@@ -168,141 +212,234 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
   info!("Running Execution...");
 
   let res = match execution {
-    Execution::RunProcedure(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RunBuild(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CancelBuild(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::Deploy(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DestroyDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CloneRepo(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PullRepo(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::BuildRepo(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CancelRepoBuild(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DestroyContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeleteNetwork(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneNetworks(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeleteImage(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneImages(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeleteVolume(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneVolumes(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneDockerBuilders(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneBuildx(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneSystem(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RunSync(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CommitSync(request) => {
-      komodo_client().write(request).await
-    }
-    Execution::DeployStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeployStackIfChanged(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DestroyStack(request) => {
-      komodo_client().execute(request).await
-    }
+    Execution::RunAction(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchRunAction(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::RunProcedure(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchRunProcedure(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::RunBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchRunBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::CancelBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::Deploy(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchDeploy(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::StartDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::RestartDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PauseDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::UnpauseDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::StopDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::DestroyDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchDestroyDeployment(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::CloneRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchCloneRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::PullRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchPullRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::BuildRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchBuildRepo(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::CancelRepoBuild(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::StartContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::RestartContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PauseContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::UnpauseContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::StopContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::DestroyContainer(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::StartAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::RestartAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PauseAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::UnpauseAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::StopAllContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PruneContainers(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::DeleteNetwork(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PruneNetworks(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::DeleteImage(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PruneImages(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::DeleteVolume(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PruneVolumes(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PruneDockerBuilders(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PruneBuildx(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PruneSystem(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::RunSync(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::CommitSync(request) => komodo_client()
+      .write(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::DeployStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchDeployStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::DeployStackIfChanged(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchDeployStackIfChanged(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
+    Execution::StartStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::RestartStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::PauseStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::UnpauseStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::StopStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::DestroyStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u)),
+    Execution::BatchDestroyStack(request) => komodo_client()
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Batch(u)),
     Execution::Sleep(request) => {
       let duration =
         Duration::from_millis(request.duration_ms as u64);
@@ -314,7 +451,12 @@ pub async fn run(execution: Execution) -> anyhow::Result<()> {
   };
 
   match res {
-    Ok(update) => println!("\n{}: {update:#?}", "SUCCESS".green()),
+    Ok(ExecutionResult::Single(update)) => {
+      println!("\n{}: {update:#?}", "SUCCESS".green())
+    }
+    Ok(ExecutionResult::Batch(update)) => {
+      println!("\n{}: {update:#?}", "SUCCESS".green())
+    }
     Err(e) => println!("{}\n\n{e:#?}", "ERROR".red()),
   }
 

bin/cli/src/state.rs

@@ -40,7 +40,9 @@ pub fn komodo_client() -> &'static KomodoClient {
           creds
         }
       };
-    futures::executor::block_on(KomodoClient::new(url, key, secret))
-      .expect("failed to initialize Komodo client")
+    futures::executor::block_on(
+      KomodoClient::new(url, key, secret).with_healthcheck(),
+    )
+    .expect("failed to initialize Komodo client")
   })
 }

bin/core/Cargo.toml

@@ -19,6 +19,7 @@ komodo_client = { workspace = true, features = ["mongo"] }
 periphery_client.workspace = true
 environment_file.workspace = true
 formatting.workspace = true
+command.workspace = true
 logger.workspace = true
 git.workspace = true
 # mogh
@@ -47,13 +48,14 @@ serde_json.workspace = true
 serde_yaml.workspace = true
 typeshare.workspace = true
 octorust.workspace = true
+wildcard.workspace = true
 dashmap.workspace = true
 tracing.workspace = true
 reqwest.workspace = true
 futures.workspace = true
 nom_pem.workspace = true
-anyhow.workspace = true
 dotenvy.workspace = true
+anyhow.workspace = true
 bcrypt.workspace = true
 base64.workspace = true
 tokio.workspace = true

bin/core/alpine.Dockerfile

@@ -4,7 +4,7 @@
 ## and may negatively affect runtime performance.
 
 # Build Core
-FROM rust:1.81.0-alpine AS core-builder
+FROM rust:1.82.0-alpine AS core-builder
 WORKDIR /builder
 RUN apk update && apk --no-cache add musl-dev openssl-dev openssl-libs-static
 COPY . .
@@ -23,7 +23,7 @@ FROM alpine:3.20
 
 # Install Deps
 RUN apk update && apk add --no-cache --virtual .build-deps \
-	openssl ca-certificates git git-lfs
+	openssl ca-certificates git git-lfs curl
 
 # Setup an application directory
 WORKDIR /app
@@ -32,6 +32,13 @@ WORKDIR /app
 COPY ./config/core.config.toml /config/config.toml
 COPY --from=core-builder /builder/target/release/core /app
 COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+	cd /action-cache && \
+	deno install jsr:@std/yaml jsr:@std/toml
 
 # Hint at the port
 EXPOSE 9120 

bin/core/debian.Dockerfile

@@ -1,5 +1,5 @@
 # Build Core
-FROM rust:1.81.0-bullseye AS core-builder
+FROM rust:1.82.0-bullseye AS core-builder
 WORKDIR /builder
 COPY . .
 RUN cargo build -p komodo_core --release
@@ -27,6 +27,13 @@ WORKDIR /app
 COPY ./config/core.config.toml /config/config.toml
 COPY --from=core-builder /builder/target/release/core /app
 COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+	cd /action-cache && \
+	deno install jsr:@std/yaml jsr:@std/toml
 
 # Hint at the port
 EXPOSE 9120

bin/core/src/alert/mod.rs

@@ -201,6 +201,9 @@ fn resource_link(
     ResourceTargetVariant::Procedure => {
       format!("/procedures/{id}")
     }
+    ResourceTargetVariant::Action => {
+      format!("/actions/{id}")
+    }
     ResourceTargetVariant::ServerTemplate => {
       format!("/server-templates/{id}")
     }

bin/core/src/api/execute/action.rs

@@ -0,0 +1,323 @@
+use std::{
+  collections::HashSet,
+  path::{Path, PathBuf},
+  str::FromStr,
+  sync::OnceLock,
+};
+
+use anyhow::Context;
+use command::run_komodo_command;
+use komodo_client::{
+  api::{
+    execute::{BatchExecutionResponse, BatchRunAction, RunAction},
+    user::{CreateApiKey, CreateApiKeyResponse, DeleteApiKey},
+  },
+  entities::{
+    action::Action,
+    config::core::CoreConfig,
+    permission::PermissionLevel,
+    update::Update,
+    user::{action_user, User},
+  },
+};
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
+use resolver_api::Resolve;
+use tokio::fs;
+
+use crate::{
+  api::execute::ExecuteRequest,
+  config::core_config,
+  helpers::{
+    interpolate::{
+      add_interp_update_log,
+      interpolate_variables_secrets_into_string,
+    },
+    query::get_variables_and_secrets,
+    random_string,
+    update::update_update,
+  },
+  resource::{self, refresh_action_state_cache},
+  state::{action_states, db_client, State},
+};
+
+impl super::BatchExecute for BatchRunAction {
+  type Resource = Action;
+  fn single_request(action: String) -> ExecuteRequest {
+    ExecuteRequest::RunAction(RunAction { action })
+  }
+}
+
+impl Resolve<BatchRunAction, (User, Update)> for State {
+  #[instrument(name = "BatchRunAction", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchRunAction { pattern }: BatchRunAction,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchRunAction>(&pattern, &user).await
+  }
+}
+
+impl Resolve<RunAction, (User, Update)> for State {
+  #[instrument(name = "RunAction", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+  async fn resolve(
+    &self,
+    RunAction { action }: RunAction,
+    (user, mut update): (User, Update),
+  ) -> anyhow::Result<Update> {
+    let mut action = resource::get_check_permissions::<Action>(
+      &action,
+      &user,
+      PermissionLevel::Execute,
+    )
+    .await?;
+
+    // get the action state for the action (or insert default).
+    let action_state = action_states()
+      .action
+      .get_or_insert_default(&action.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure action not already busy before updating.
+    let _action_guard =
+      action_state.update(|state| state.running = true)?;
+
+    update_update(update.clone()).await?;
+
+    let CreateApiKeyResponse { key, secret } = State
+      .resolve(
+        CreateApiKey {
+          name: update.id.clone(),
+          expires: 0,
+        },
+        action_user().to_owned(),
+      )
+      .await?;
+
+    let contents = &mut action.config.file_contents;
+
+    // Wrap the file contents in the execution context.
+    *contents = full_contents(contents, &key, &secret);
+
+    let replacers =
+      interpolate(contents, &mut update, key.clone(), secret.clone())
+        .await?
+        .into_iter()
+        .collect::<Vec<_>>();
+
+    let file = format!("{}.ts", random_string(10));
+    let path = core_config().action_directory.join(&file);
+
+    if let Some(parent) = path.parent() {
+      let _ = fs::create_dir_all(parent).await;
+    }
+
+    fs::write(&path, contents).await.with_context(|| {
+      format!("Failed to write action file to {path:?}")
+    })?;
+
+    let mut res = run_komodo_command(
+      // Keep this stage name as is, the UI will find the latest update log by matching the stage name
+      "Execute Action",
+      None,
+      format!("deno run --allow-all {}", path.display()),
+      false,
+    )
+    .await;
+
+    res.stdout = svi::replace_in_string(&res.stdout, &replacers)
+      .replace(&key, "<ACTION_API_KEY>");
+    res.stderr = svi::replace_in_string(&res.stderr, &replacers)
+      .replace(&secret, "<ACTION_API_SECRET>");
+
+    cleanup_run(file + ".js", &path).await;
+
+    if let Err(e) = State
+      .resolve(DeleteApiKey { key }, action_user().to_owned())
+      .await
+    {
+      warn!(
+        "Failed to delete API key after action execution | {e:#}"
+      );
+    };
+
+    update.logs.push(res);
+    update.finalize();
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with update_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db_client().updates,
+        &update.id,
+        mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_action_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+async fn interpolate(
+  contents: &mut String,
+  update: &mut Update,
+  key: String,
+  secret: String,
+) -> anyhow::Result<HashSet<(String, String)>> {
+  let mut vars_and_secrets = get_variables_and_secrets().await?;
+
+  vars_and_secrets
+    .secrets
+    .insert(String::from("ACTION_API_KEY"), key);
+  vars_and_secrets
+    .secrets
+    .insert(String::from("ACTION_API_SECRET"), secret);
+
+  let mut global_replacers = HashSet::new();
+  let mut secret_replacers = HashSet::new();
+
+  interpolate_variables_secrets_into_string(
+    &vars_and_secrets,
+    contents,
+    &mut global_replacers,
+    &mut secret_replacers,
+  )?;
+
+  add_interp_update_log(update, &global_replacers, &secret_replacers);
+
+  Ok(secret_replacers)
+}
+
+fn full_contents(contents: &str, key: &str, secret: &str) -> String {
+  let CoreConfig {
+    port, ssl_enabled, ..
+  } = core_config();
+  let protocol = if *ssl_enabled { "https" } else { "http" };
+  let base_url = format!("{protocol}://localhost:{port}");
+  format!(
+    "import {{ KomodoClient }} from '{base_url}/client/lib.js';
+import * as __YAML__ from 'jsr:@std/yaml';
+import * as __TOML__ from 'jsr:@std/toml';
+
+const YAML = {{
+  stringify: __YAML__.stringify,
+  parse: __YAML__.parse,
+  parseAll: __YAML__.parseAll,
+  parseDockerCompose: __YAML__.parse,
+}}
+
+const TOML = {{
+  stringify: __TOML__.stringify,
+  parse: __TOML__.parse,
+  parseResourceToml: __TOML__.parse,
+  parseCargoToml: __TOML__.parse,
+}}
+
+const komodo = KomodoClient('{base_url}', {{
+  type: 'api-key',
+  params: {{ key: '{key}', secret: '{secret}' }}
+}});
+
+async function main() {{{contents}}}
+
+main().catch(error => {{
+  console.error('🚨 Action exited early with errors 🚨')
+  if (error.status !== undefined && error.result !== undefined) {{
+    console.error('Status:', error.status);
+    console.error(JSON.stringify(error.result, null, 2));
+  }} else {{
+    console.error(JSON.stringify(error, null, 2));
+  }}
+  Deno.exit(1)
+}}).then(() => console.log('🦎 Action completed successfully 🦎'));"
+  )
+}
+
+/// Cleans up file at given path.
+/// ALSO if $DENO_DIR is set,
+/// will clean up the generated file matching "file"
+async fn cleanup_run(file: String, path: &Path) {
+  if let Err(e) = fs::remove_file(path).await {
+    warn!(
+      "Failed to delete action file after action execution | {e:#}"
+    );
+  }
+  // If $DENO_DIR is set (will be in container),
+  // will clean up the generated file matching "file" (NOT under path)
+  let Some(deno_dir) = deno_dir() else {
+    return;
+  };
+  delete_file(deno_dir.join("gen/file"), file).await;
+}
+
+fn deno_dir() -> Option<&'static Path> {
+  static DENO_DIR: OnceLock<Option<PathBuf>> = OnceLock::new();
+  DENO_DIR
+    .get_or_init(|| {
+      let deno_dir = std::env::var("DENO_DIR").ok()?;
+      PathBuf::from_str(&deno_dir).ok()
+    })
+    .as_deref()
+}
+
+/// file is just the terminating file path,
+/// it may be nested multiple folder under path,
+/// this will find the nested file and delete it.
+/// Assumes the file is only there once.
+fn delete_file(
+  dir: PathBuf,
+  file: String,
+) -> std::pin::Pin<Box<dyn std::future::Future<Output = bool> + Send>>
+{
+  Box::pin(async move {
+    let Ok(mut dir) = fs::read_dir(dir).await else {
+      return false;
+    };
+    // Collect the nested folders for recursing
+    // only after checking all the files in directory.
+    let mut folders = Vec::<PathBuf>::new();
+
+    while let Ok(Some(entry)) = dir.next_entry().await {
+      let Ok(meta) = entry.metadata().await else {
+        continue;
+      };
+      if meta.is_file() {
+        let Ok(name) = entry.file_name().into_string() else {
+          continue;
+        };
+        if name == file {
+          if let Err(e) = fs::remove_file(entry.path()).await {
+            warn!(
+            "Failed to clean up generated file after action execution | {e:#}"
+          );
+          };
+          return true;
+        }
+      } else {
+        folders.push(entry.path());
+      }
+    }
+
+    if folders.len() == 1 {
+      // unwrap ok, folders definitely is not empty
+      let folder = folders.pop().unwrap();
+      delete_file(folder, file).await
+    } else {
+      // Check folders with file.clone
+      for folder in folders {
+        if delete_file(folder, file.clone()).await {
+          return true;
+        }
+      }
+      false
+    }
+  })
+}

bin/core/src/api/execute/build.rs

@@ -4,7 +4,10 @@ use anyhow::{anyhow, Context};
 use formatting::format_serror;
 use futures::future::join_all;
 use komodo_client::{
-  api::execute::{CancelBuild, Deploy, RunBuild},
+  api::execute::{
+    BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
+    RunBuild,
+  },
   entities::{
     alert::{Alert, AlertData, SeverityLevel},
     all_logs_success,
@@ -51,6 +54,24 @@ use crate::{
 
 use super::ExecuteRequest;
 
+impl super::BatchExecute for BatchRunBuild {
+  type Resource = Build;
+  fn single_request(build: String) -> ExecuteRequest {
+    ExecuteRequest::RunBuild(RunBuild { build })
+  }
+}
+
+impl Resolve<BatchRunBuild, (User, Update)> for State {
+  #[instrument(name = "BatchRunBuild", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchRunBuild { pattern }: BatchRunBuild,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchRunBuild>(&pattern, &user).await
+  }
+}
+
 impl Resolve<RunBuild, (User, Update)> for State {
   #[instrument(name = "RunBuild", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -438,7 +459,6 @@ async fn handle_early_return(
   Ok(update)
 }
 
-#[instrument(skip_all)]
 pub async fn validate_cancel_build(
   request: &ExecuteRequest,
 ) -> anyhow::Result<()> {

bin/core/src/api/execute/deployment.rs

@@ -37,6 +37,30 @@ use crate::{
   state::{action_states, State},
 };
 
+use super::ExecuteRequest;
+
+impl super::BatchExecute for BatchDeploy {
+  type Resource = Deployment;
+  fn single_request(deployment: String) -> ExecuteRequest {
+    ExecuteRequest::Deploy(Deploy {
+      deployment,
+      stop_signal: None,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<BatchDeploy, (User, Update)> for State {
+  #[instrument(name = "BatchDeploy", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchDeploy { pattern }: BatchDeploy,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDeploy>(&pattern, &user).await
+  }
+}
+
 async fn setup_deployment_execution(
   deployment: &str,
   user: &User,

bin/core/src/api/execute/mod.rs

@@ -2,13 +2,16 @@ use std::time::Instant;
 
 use anyhow::{anyhow, Context};
 use axum::{middleware, routing::post, Extension, Router};
+use axum_extra::{headers::ContentType, TypedHeader};
 use derive_variants::{EnumVariants, ExtractVariant};
 use formatting::format_serror;
+use futures::future::join_all;
 use komodo_client::{
   api::execute::*,
   entities::{
     update::{Log, Update},
     user::User,
+    Operation,
   },
 };
 use mungos::by_id::find_one_by_id;
@@ -21,9 +24,11 @@ use uuid::Uuid;
 use crate::{
   auth::auth_request,
   helpers::update::{init_execution_update, update_update},
+  resource::{list_full_for_user_using_pattern, KomodoResource},
   state::{db_client, State},
 };
 
+mod action;
 mod build;
 mod deployment;
 mod procedure;
@@ -67,6 +72,7 @@ pub enum ExecuteRequest {
 
   // ==== DEPLOYMENT ====
   Deploy(Deploy),
+  BatchDeploy(BatchDeploy),
   StartDeployment(StartDeployment),
   RestartDeployment(RestartDeployment),
   PauseDeployment(PauseDeployment),
@@ -76,26 +82,38 @@ pub enum ExecuteRequest {
 
   // ==== STACK ====
   DeployStack(DeployStack),
+  BatchDeployStack(BatchDeployStack),
   DeployStackIfChanged(DeployStackIfChanged),
+  BatchDeployStackIfChanged(BatchDeployStackIfChanged),
   StartStack(StartStack),
   RestartStack(RestartStack),
   StopStack(StopStack),
   PauseStack(PauseStack),
   UnpauseStack(UnpauseStack),
   DestroyStack(DestroyStack),
+  BatchDestroyStack(BatchDestroyStack),
 
   // ==== BUILD ====
   RunBuild(RunBuild),
+  BatchRunBuild(BatchRunBuild),
   CancelBuild(CancelBuild),
 
   // ==== REPO ====
   CloneRepo(CloneRepo),
+  BatchCloneRepo(BatchCloneRepo),
   PullRepo(PullRepo),
+  BatchPullRepo(BatchPullRepo),
   BuildRepo(BuildRepo),
+  BatchBuildRepo(BatchBuildRepo),
   CancelRepoBuild(CancelRepoBuild),
 
   // ==== PROCEDURE ====
   RunProcedure(RunProcedure),
+  BatchRunProcedure(BatchRunProcedure),
+
+  // ==== ACTION ====
+  RunAction(RunAction),
+  BatchRunAction(BatchRunAction),
 
   // ==== SERVER TEMPLATE ====
   LaunchServer(LaunchServer),
@@ -113,7 +131,25 @@ pub fn router() -> Router {
 async fn handler(
   Extension(user): Extension<User>,
   Json(request): Json<ExecuteRequest>,
-) -> serror::Result<Json<Update>> {
+) -> serror::Result<(TypedHeader<ContentType>, String)> {
+  let res = match inner_handler(request, user).await? {
+    ExecutionResult::Single(update) => serde_json::to_string(&update)
+      .context("Failed to serialize Update")?,
+    ExecutionResult::Batch(res) => res,
+  };
+  Ok((TypedHeader(ContentType::json()), res))
+}
+
+enum ExecutionResult {
+  Single(Update),
+  /// The batch contents will be pre serialized here
+  Batch(String),
+}
+
+async fn inner_handler(
+  request: ExecuteRequest,
+  user: User,
+) -> anyhow::Result<ExecutionResult> {
   let req_id = Uuid::new_v4();
 
   // need to validate no cancel is active before any update is created.
@@ -121,6 +157,17 @@ async fn handler(
 
   let update = init_execution_update(&request, &user).await?;
 
+  // This will be the case for the Batch exections,
+  // they don't have their own updates.
+  // The batch calls also call "inner_handler" themselves,
+  // and in their case will spawn tasks, so that isn't necessary
+  // here either.
+  if update.operation == Operation::None {
+    return Ok(ExecutionResult::Batch(
+      task(req_id, request, user, update).await?,
+    ));
+  }
+
   let handle =
     tokio::spawn(task(req_id, request, user, update.clone()));
 
@@ -156,7 +203,7 @@ async fn handler(
     }
   });
 
-  Ok(Json(update))
+  Ok(ExecutionResult::Single(update))
 }
 
 #[instrument(
@@ -196,3 +243,40 @@ async fn task(
 
   res
 }
+
+trait BatchExecute {
+  type Resource: KomodoResource;
+  fn single_request(name: String) -> ExecuteRequest;
+}
+
+async fn batch_execute<E: BatchExecute>(
+  pattern: &str,
+  user: &User,
+) -> anyhow::Result<BatchExecutionResponse> {
+  let resources = list_full_for_user_using_pattern::<E::Resource>(
+    &pattern,
+    Default::default(),
+    &user,
+    &[],
+  )
+  .await?;
+  let futures = resources.into_iter().map(|resource| {
+    let user = user.clone();
+    async move {
+      inner_handler(E::single_request(resource.name.clone()), user)
+        .await
+        .map(|r| {
+          let ExecutionResult::Single(update) = r else {
+            unreachable!()
+          };
+          update
+        })
+        .map_err(|e| BatchExecutionResponseItemErr {
+          name: resource.name,
+          error: e.into(),
+        })
+        .into()
+    }
+  });
+  Ok(join_all(futures).await)
+}

bin/core/src/api/execute/procedure.rs

@@ -2,7 +2,9 @@ use std::pin::Pin;
 
 use formatting::{bold, colored, format_serror, muted, Color};
 use komodo_client::{
-  api::execute::RunProcedure,
+  api::execute::{
+    BatchExecutionResponse, BatchRunProcedure, RunProcedure,
+  },
   entities::{
     permission::PermissionLevel, procedure::Procedure,
     update::Update, user::User,
@@ -18,6 +20,26 @@ use crate::{
   state::{action_states, db_client, State},
 };
 
+use super::ExecuteRequest;
+
+impl super::BatchExecute for BatchRunProcedure {
+  type Resource = Procedure;
+  fn single_request(procedure: String) -> ExecuteRequest {
+    ExecuteRequest::RunProcedure(RunProcedure { procedure })
+  }
+}
+
+impl Resolve<BatchRunProcedure, (User, Update)> for State {
+  #[instrument(name = "BatchRunProcedure", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchRunProcedure { pattern }: BatchRunProcedure,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchRunProcedure>(&pattern, &user).await
+  }
+}
+
 impl Resolve<RunProcedure, (User, Update)> for State {
   #[instrument(name = "RunProcedure", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(

bin/core/src/api/execute/repo.rs

@@ -3,7 +3,7 @@ use std::{collections::HashSet, future::IntoFuture, time::Duration};
 use anyhow::{anyhow, Context};
 use formatting::format_serror;
 use komodo_client::{
-  api::execute::*,
+  api::{execute::*, write::RefreshRepoCache},
   entities::{
     alert::{Alert, AlertData, SeverityLevel},
     builder::{Builder, BuilderConfig},
@@ -47,6 +47,24 @@ use crate::{
 
 use super::ExecuteRequest;
 
+impl super::BatchExecute for BatchCloneRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<BatchCloneRepo, (User, Update)> for State {
+  #[instrument(name = "BatchCloneRepo", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchCloneRepo { pattern }: BatchCloneRepo,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchCloneRepo>(&pattern, &user).await
+  }
+}
+
 impl Resolve<CloneRepo, (User, Update)> for State {
   #[instrument(name = "CloneRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -123,10 +141,39 @@ impl Resolve<CloneRepo, (User, Update)> for State {
       update_last_pulled_time(&repo.name).await;
     }
 
+    if let Err(e) = State
+      .resolve(RefreshRepoCache { repo: repo.id }, user)
+      .await
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
     handle_server_update_return(update).await
   }
 }
 
+impl super::BatchExecute for BatchPullRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<BatchPullRepo, (User, Update)> for State {
+  #[instrument(name = "BatchPullRepo", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchPullRepo { pattern }: BatchPullRepo,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchPullRepo>(&pattern, &user).await
+  }
+}
+
 impl Resolve<PullRepo, (User, Update)> for State {
   #[instrument(name = "PullRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -207,6 +254,17 @@ impl Resolve<PullRepo, (User, Update)> for State {
       update_last_pulled_time(&repo.name).await;
     }
 
+    if let Err(e) = State
+      .resolve(RefreshRepoCache { repo: repo.id }, user)
+      .await
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
     handle_server_update_return(update).await
   }
 }
@@ -249,6 +307,24 @@ async fn update_last_pulled_time(repo_name: &str) {
   }
 }
 
+impl super::BatchExecute for BatchBuildRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<BatchBuildRepo, (User, Update)> for State {
+  #[instrument(name = "BatchBuildRepo", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchBuildRepo { pattern }: BatchBuildRepo,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchBuildRepo>(&pattern, &user).await
+  }
+}
+
 impl Resolve<BuildRepo, (User, Update)> for State {
   #[instrument(name = "BuildRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(

bin/core/src/api/execute/stack.rs

@@ -36,6 +36,29 @@ use crate::{
   state::{action_states, db_client, State},
 };
 
+use super::ExecuteRequest;
+
+impl super::BatchExecute for BatchDeployStack {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::DeployStack(DeployStack {
+      stack,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<BatchDeployStack, (User, Update)> for State {
+  #[instrument(name = "BatchDeployStack", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchDeployStack { pattern }: BatchDeployStack,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDeployStack>(&pattern, &user).await
+  }
+}
+
 impl Resolve<DeployStack, (User, Update)> for State {
   #[instrument(name = "DeployStack", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(
@@ -246,6 +269,28 @@ impl Resolve<DeployStack, (User, Update)> for State {
   }
 }
 
+impl super::BatchExecute for BatchDeployStackIfChanged {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::DeployStackIfChanged(DeployStackIfChanged {
+      stack,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<BatchDeployStackIfChanged, (User, Update)> for State {
+  #[instrument(name = "BatchDeployStackIfChanged", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchDeployStackIfChanged { pattern }: BatchDeployStackIfChanged,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDeployStackIfChanged>(&pattern, &user)
+      .await
+  }
+}
+
 impl Resolve<DeployStackIfChanged, (User, Update)> for State {
   async fn resolve(
     &self,
@@ -418,6 +463,28 @@ impl Resolve<StopStack, (User, Update)> for State {
   }
 }
 
+impl super::BatchExecute for BatchDestroyStack {
+  type Resource = Stack;
+  fn single_request(stack: String) -> ExecuteRequest {
+    ExecuteRequest::DestroyStack(DestroyStack {
+      stack,
+      remove_orphans: false,
+      stop_time: None,
+    })
+  }
+}
+
+impl Resolve<BatchDestroyStack, (User, Update)> for State {
+  #[instrument(name = "BatchDestroyStack", skip(self, user), fields(user_id = user.id))]
+  async fn resolve(
+    &self,
+    BatchDestroyStack { pattern }: BatchDestroyStack,
+    (user, _): (User, Update),
+  ) -> anyhow::Result<BatchExecutionResponse> {
+    super::batch_execute::<BatchDestroyStack>(&pattern, &user).await
+  }
+}
+
 impl Resolve<DestroyStack, (User, Update)> for State {
   #[instrument(name = "DestroyStack", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
   async fn resolve(

bin/core/src/api/execute/sync.rs

@@ -6,6 +6,7 @@ use komodo_client::{
   api::{execute::RunSync, write::RefreshResourceSyncPending},
   entities::{
     self,
+    action::Action,
     alerter::Alerter,
     build::Build,
     builder::Builder,
@@ -126,6 +127,10 @@ impl Resolve<RunSync, (User, Update)> for State {
                 .procedures
                 .get(&name_or_id)
                 .map(|p| p.name.clone()),
+              ResourceTargetVariant::Action => all_resources
+                .actions
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
               ResourceTargetVariant::Repo => all_resources
                 .repos
                 .get(&name_or_id)
@@ -270,6 +275,17 @@ impl Resolve<RunSync, (User, Update)> for State {
       &sync.config.match_tags,
     )
     .await?;
+    let (actions_to_create, actions_to_update, actions_to_delete) =
+      get_updates_for_execution::<Action>(
+        resources.actions,
+        delete,
+        &all_resources,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?;
     let (builders_to_create, builders_to_update, builders_to_delete) =
       get_updates_for_execution::<Builder>(
         resources.builders,
@@ -388,6 +404,9 @@ impl Resolve<RunSync, (User, Update)> for State {
       && procedures_to_create.is_empty()
       && procedures_to_update.is_empty()
       && procedures_to_delete.is_empty()
+      && actions_to_create.is_empty()
+      && actions_to_update.is_empty()
+      && actions_to_delete.is_empty()
       && user_groups_to_create.is_empty()
       && user_groups_to_update.is_empty()
       && user_groups_to_delete.is_empty()
@@ -464,6 +483,15 @@ impl Resolve<RunSync, (User, Update)> for State {
       )
       .await,
     );
+    maybe_extend(
+      &mut update.logs,
+      Action::execute_sync_updates(
+        actions_to_create,
+        actions_to_update,
+        actions_to_delete,
+      )
+      .await,
+    );
 
     // Dependent on server
     maybe_extend(

bin/core/src/api/read/action.rs

@@ -0,0 +1,132 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    action::{
+      Action, ActionActionState, ActionListItem, ActionState,
+    },
+    permission::PermissionLevel,
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{
+  helpers::query::get_all_tags,
+  resource,
+  state::{action_state_cache, action_states, State},
+};
+
+impl Resolve<GetAction, User> for State {
+  async fn resolve(
+    &self,
+    GetAction { action }: GetAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    resource::get_check_permissions::<Action>(
+      &action,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await
+  }
+}
+
+impl Resolve<ListActions, User> for State {
+  async fn resolve(
+    &self,
+    ListActions { query }: ListActions,
+    user: User,
+  ) -> anyhow::Result<Vec<ActionListItem>> {
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_for_user::<Action>(query, &user, &all_tags).await
+  }
+}
+
+impl Resolve<ListFullActions, User> for State {
+  async fn resolve(
+    &self,
+    ListFullActions { query }: ListFullActions,
+    user: User,
+  ) -> anyhow::Result<ListFullActionsResponse> {
+    let all_tags = if query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    resource::list_full_for_user::<Action>(query, &user, &all_tags)
+      .await
+  }
+}
+
+impl Resolve<GetActionActionState, User> for State {
+  async fn resolve(
+    &self,
+    GetActionActionState { action }: GetActionActionState,
+    user: User,
+  ) -> anyhow::Result<ActionActionState> {
+    let action = resource::get_check_permissions::<Action>(
+      &action,
+      &user,
+      PermissionLevel::Read,
+    )
+    .await?;
+    let action_state = action_states()
+      .action
+      .get(&action.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<GetActionsSummary, User> for State {
+  async fn resolve(
+    &self,
+    GetActionsSummary {}: GetActionsSummary,
+    user: User,
+  ) -> anyhow::Result<GetActionsSummaryResponse> {
+    let actions = resource::list_full_for_user::<Action>(
+      Default::default(),
+      &user,
+      &[],
+    )
+    .await
+    .context("failed to get actions from db")?;
+
+    let mut res = GetActionsSummaryResponse::default();
+
+    let cache = action_state_cache();
+    let action_states = action_states();
+
+    for action in actions {
+      res.total += 1;
+
+      match (
+        cache.get(&action.id).await.unwrap_or_default(),
+        action_states
+          .action
+          .get(&action.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.running => {
+          res.running += 1;
+        }
+        (ActionState::Ok, _) => res.ok += 1,
+        (ActionState::Failed, _) => res.failed += 1,
+        (ActionState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the running state, since that comes from action states
+        (ActionState::Running, _) => unreachable!(),
+      }
+    }
+
+    Ok(res)
+  }
+}

bin/core/src/api/read/alert.rs

@@ -3,7 +3,10 @@ use komodo_client::{
   api::read::{
     GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
   },
-  entities::{deployment::Deployment, server::Server, user::User},
+  entities::{
+    deployment::Deployment, server::Server, stack::Stack,
+    sync::ResourceSync, user::User,
+  },
 };
 use mungos::{
   by_id::find_one_by_id,
@@ -30,12 +33,18 @@ impl Resolve<ListAlerts, User> for State {
     if !user.admin && !core_config().transparent_mode {
       let server_ids =
         get_resource_ids_for_user::<Server>(&user).await?;
+      let stack_ids =
+        get_resource_ids_for_user::<Stack>(&user).await?;
       let deployment_ids =
         get_resource_ids_for_user::<Deployment>(&user).await?;
+      let sync_ids =
+        get_resource_ids_for_user::<ResourceSync>(&user).await?;
       query.extend(doc! {
         "$or": [
           { "target.type": "Server", "target.id": { "$in": &server_ids } },
+          { "target.type": "Stack", "target.id": { "$in": &stack_ids } },
           { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
+          { "target.type": "ResourceSync", "target.id": { "$in": &sync_ids } },
         ]
       });
     }

bin/core/src/api/read/alerter.rs

@@ -69,15 +69,16 @@ impl Resolve<GetAlertersSummary, User> for State {
     GetAlertersSummary {}: GetAlertersSummary,
     user: User,
   ) -> anyhow::Result<GetAlertersSummaryResponse> {
-    let query =
-      match resource::get_resource_ids_for_user::<Alerter>(&user)
-        .await?
-      {
-        Some(ids) => doc! {
-          "_id": { "$in": ids }
-        },
-        None => Document::new(),
-      };
+    let query = match resource::get_resource_object_ids_for_user::<
+      Alerter,
+    >(&user)
+    .await?
+    {
+      Some(ids) => doc! {
+        "_id": { "$in": ids }
+      },
+      None => Document::new(),
+    };
     let total = db_client()
       .alerters
       .count_documents(query)

bin/core/src/api/read/builder.rs

@@ -69,15 +69,16 @@ impl Resolve<GetBuildersSummary, User> for State {
     GetBuildersSummary {}: GetBuildersSummary,
     user: User,
   ) -> anyhow::Result<GetBuildersSummaryResponse> {
-    let query =
-      match resource::get_resource_ids_for_user::<Builder>(&user)
-        .await?
-      {
-        Some(ids) => doc! {
-          "_id": { "$in": ids }
-        },
-        None => Document::new(),
-      };
+    let query = match resource::get_resource_object_ids_for_user::<
+      Builder,
+    >(&user)
+    .await?
+    {
+      Some(ids) => doc! {
+        "_id": { "$in": ids }
+      },
+      None => Document::new(),
+    };
     let total = db_client()
       .builders
       .count_documents(query)

bin/core/src/api/read/mod.rs

@@ -29,6 +29,7 @@ use crate::{
   resource, state::State,
 };
 
+mod action;
 mod alert;
 mod alerter;
 mod build;
@@ -88,6 +89,13 @@ enum ReadRequest {
   ListProcedures(ListProcedures),
   ListFullProcedures(ListFullProcedures),
 
+  // ==== ACTION ====
+  GetActionsSummary(GetActionsSummary),
+  GetAction(GetAction),
+  GetActionActionState(GetActionActionState),
+  ListActions(ListActions),
+  ListFullActions(ListFullActions),
+
   // ==== SERVER TEMPLATE ====
   GetServerTemplate(GetServerTemplate),
   GetServerTemplatesSummary(GetServerTemplatesSummary),
@@ -331,6 +339,7 @@ impl Resolve<ListSecrets, User> for State {
         ResourceTarget::Server(id) => Some(id),
         ResourceTarget::Builder(id) => {
           match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => None,
             BuilderConfig::Server(config) => Some(config.server_id),
             BuilderConfig::Aws(config) => {
               secrets.extend(config.secrets);
@@ -379,6 +388,7 @@ impl Resolve<ListGitProvidersFromConfig, User> for State {
         }
         ResourceTarget::Builder(id) => {
           match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
             BuilderConfig::Server(config) => {
               merge_git_providers_for_server(
                 &mut providers,
@@ -477,6 +487,7 @@ impl Resolve<ListDockerRegistriesFromConfig, User> for State {
         }
         ResourceTarget::Builder(id) => {
           match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
             BuilderConfig::Server(config) => {
               merge_docker_registries_for_server(
                 &mut registries,

bin/core/src/api/read/server_template.rs

@@ -71,7 +71,7 @@ impl Resolve<GetServerTemplatesSummary, User> for State {
     GetServerTemplatesSummary {}: GetServerTemplatesSummary,
     user: User,
   ) -> anyhow::Result<GetServerTemplatesSummaryResponse> {
-    let query = match resource::get_resource_ids_for_user::<
+    let query = match resource::get_resource_object_ids_for_user::<
       ServerTemplate,
     >(&user)
     .await?

bin/core/src/api/read/toml.rs

@@ -1,27 +1,16 @@
-use std::collections::HashMap;
-
 use anyhow::Context;
 use komodo_client::{
   api::read::{
     ExportAllResourcesToToml, ExportAllResourcesToTomlResponse,
     ExportResourcesToToml, ExportResourcesToTomlResponse,
-    GetUserGroup, ListUserTargetPermissions,
+    ListUserGroups,
   },
   entities::{
-    alerter::Alerter,
-    build::Build,
-    builder::Builder,
-    deployment::Deployment,
-    permission::{PermissionLevel, UserTarget},
-    procedure::Procedure,
-    repo::Repo,
-    resource::ResourceQuery,
-    server::Server,
-    server_template::ServerTemplate,
-    stack::Stack,
-    sync::ResourceSync,
-    toml::{PermissionToml, ResourcesToml, UserGroupToml},
-    user::User,
+    action::Action, alerter::Alerter, build::Build, builder::Builder,
+    deployment::Deployment, permission::PermissionLevel,
+    procedure::Procedure, repo::Repo, resource::ResourceQuery,
+    server::Server, server_template::ServerTemplate, stack::Stack,
+    sync::ResourceSync, toml::ResourcesToml, user::User,
     ResourceTarget,
   },
 };
@@ -36,6 +25,7 @@ use crate::{
   state::{db_client, State},
   sync::{
     toml::{convert_resource, ToToml, TOML_PRETTY_OPTIONS},
+    user_groups::convert_user_groups,
     AllResourcesById,
   },
 };
@@ -134,6 +124,16 @@ impl Resolve<ExportAllResourcesToToml, User> for State {
       .into_iter()
       .map(|resource| ResourceTarget::Procedure(resource.id)),
     );
+    targets.extend(
+      resource::list_for_user::<Action>(
+        ResourceQuery::builder().tags(tags.clone()).build(),
+        &user,
+        &all_tags,
+      )
+      .await?
+      .into_iter()
+      .map(|resource| ResourceTarget::Action(resource.id)),
+    );
     targets.extend(
       resource::list_for_user::<ServerTemplate>(
         ResourceQuery::builder().tags(tags.clone()).build(),
@@ -349,6 +349,21 @@ impl Resolve<ExportResourcesToToml, User> for State {
             &id_to_tags,
           ));
         }
+        ResourceTarget::Action(id) => {
+          let mut action = resource::get_check_permissions::<Action>(
+            &id,
+            &user,
+            PermissionLevel::Read,
+          )
+          .await?;
+          Action::replace_ids(&mut action, &all);
+          res.actions.push(convert_resource::<Action>(
+            action,
+            false,
+            vec![],
+            &id_to_tags,
+          ));
+        }
         ResourceTarget::System(_) => continue,
       };
     }
@@ -385,122 +400,17 @@ async fn add_user_groups(
   all: &AllResourcesById,
   user: &User,
 ) -> anyhow::Result<()> {
-  let db = db_client();
-
-  let usernames = find_collect(&db.users, None, None)
+  let user_groups = State
+    .resolve(ListUserGroups {}, user.clone())
     .await?
     .into_iter()
-    .map(|user| (user.id, user.username))
-    .collect::<HashMap<_, _>>();
-
-  for user_group in user_groups {
-    let ug = State
-      .resolve(GetUserGroup { user_group }, user.clone())
-      .await?;
-    // this method is admin only, but we already know user can see user group if above does not return Err
-    let permissions = State
-      .resolve(
-        ListUserTargetPermissions {
-          user_target: UserTarget::UserGroup(ug.id),
-        },
-        User {
-          admin: true,
-          ..Default::default()
-        },
-      )
-      .await?
-      .into_iter()
-      .map(|mut permission| {
-        match &mut permission.resource_target {
-          ResourceTarget::Build(id) => {
-            *id = all
-              .builds
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Builder(id) => {
-            *id = all
-              .builders
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Deployment(id) => {
-            *id = all
-              .deployments
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Server(id) => {
-            *id = all
-              .servers
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Repo(id) => {
-            *id = all
-              .repos
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Alerter(id) => {
-            *id = all
-              .alerters
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Procedure(id) => {
-            *id = all
-              .procedures
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::ServerTemplate(id) => {
-            *id = all
-              .templates
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::ResourceSync(id) => {
-            *id = all
-              .syncs
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Stack(id) => {
-            *id = all
-              .stacks
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::System(_) => {}
-        }
-        PermissionToml {
-          target: permission.resource_target,
-          level: permission.level,
-        }
-      })
-      .collect();
-    res.user_groups.push(UserGroupToml {
-      name: ug.name,
-      users: ug
-        .users
-        .into_iter()
-        .filter_map(|user_id| usernames.get(&user_id).cloned())
-        .collect(),
-      all: ug.all,
-      permissions,
+    .filter(|ug| {
+      user_groups.contains(&ug.name) || user_groups.contains(&ug.id)
     });
-  }
+  let mut ug = Vec::with_capacity(user_groups.size_hint().0);
+  convert_user_groups(user_groups, all, &mut ug).await?;
+  res.user_groups = ug.into_iter().map(|ug| ug.1).collect();
+
   Ok(())
 }
 
@@ -557,6 +467,14 @@ fn serialize_resources_toml(
     Procedure::push_to_toml_string(procedure, &mut toml)?;
   }
 
+  for action in resources.actions {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[action]]\n");
+    Action::push_to_toml_string(action, &mut toml)?;
+  }
+
   for alerter in resources.alerters {
     if !toml.is_empty() {
       toml.push_str("\n\n##\n\n");

bin/core/src/api/read/update.rs

@@ -4,6 +4,7 @@ use anyhow::{anyhow, Context};
 use komodo_client::{
   api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
   entities::{
+    action::Action,
     alerter::Alerter,
     build::Build,
     builder::Builder,
@@ -104,6 +105,16 @@ impl Resolve<ListUpdates, User> for State {
           })
           .unwrap_or_else(|| doc! { "target.type": "Procedure" });
 
+      let action_query =
+        resource::get_resource_ids_for_user::<Action>(&user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "Action", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "Action" });
+
       let builder_query =
         resource::get_resource_ids_for_user::<Builder>(&user)
           .await?
@@ -124,27 +135,27 @@ impl Resolve<ListUpdates, User> for State {
           })
           .unwrap_or_else(|| doc! { "target.type": "Alerter" });
 
-      let server_template_query = resource::get_resource_ids_for_user::<ServerTemplate>(
-        &user,
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "ServerTemplate", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "ServerTemplate" });
+      let server_template_query =
+        resource::get_resource_ids_for_user::<ServerTemplate>(&user)
+          .await?
+          .map(|ids| {
+            doc! {
+              "target.type": "ServerTemplate", "target.id": { "$in": ids }
+            }
+          })
+          .unwrap_or_else(|| doc! { "target.type": "ServerTemplate" });
 
-      let resource_sync_query = resource::get_resource_ids_for_user::<ResourceSync>(
-        &user,
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "ResourceSync", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
+      let resource_sync_query =
+        resource::get_resource_ids_for_user::<ResourceSync>(
+          &user,
+        )
+        .await?
+        .map(|ids| {
+          doc! {
+            "target.type": "ResourceSync", "target.id": { "$in": ids }
+          }
+        })
+        .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
 
       let mut query = query.unwrap_or_default();
       query.extend(doc! {
@@ -155,6 +166,7 @@ impl Resolve<ListUpdates, User> for State {
           build_query,
           repo_query,
           procedure_query,
+          action_query,
           alerter_query,
           builder_query,
           server_template_query,
@@ -292,6 +304,14 @@ impl Resolve<GetUpdate, User> for State {
         )
         .await?;
       }
+      ResourceTarget::Action(id) => {
+        resource::get_check_permissions::<Action>(
+          id,
+          &user,
+          PermissionLevel::Read,
+        )
+        .await?;
+      }
       ResourceTarget::ServerTemplate(id) => {
         resource::get_check_permissions::<ServerTemplate>(
           id,

bin/core/src/api/read/user.rs

@@ -6,7 +6,7 @@ use komodo_client::{
     ListApiKeysForServiceUserResponse, ListApiKeysResponse,
     ListUsers, ListUsersResponse,
   },
-  entities::user::{User, UserConfig},
+  entities::user::{admin_service_user, User, UserConfig},
 };
 use mungos::{
   by_id::find_one_by_id,
@@ -26,6 +26,13 @@ impl Resolve<GetUsername, User> for State {
     GetUsername { user_id }: GetUsername,
     _: User,
   ) -> anyhow::Result<GetUsernameResponse> {
+    if let Some(user) = admin_service_user(&user_id) {
+      return Ok(GetUsernameResponse {
+        username: user.username,
+        avatar: None,
+      });
+    }
+
     let user = find_one_by_id(&db_client().users, &user_id)
       .await
       .context("failed at mongo query for user")?

bin/core/src/api/write/action.rs

@@ -0,0 +1,71 @@
+use komodo_client::{
+  api::write::*,
+  entities::{
+    action::Action, permission::PermissionLevel, update::Update,
+    user::User,
+  },
+};
+use resolver_api::Resolve;
+
+use crate::{resource, state::State};
+
+impl Resolve<CreateAction, User> for State {
+  #[instrument(name = "CreateAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    CreateAction { name, config }: CreateAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    resource::create::<Action>(&name, config, &user).await
+  }
+}
+
+impl Resolve<CopyAction, User> for State {
+  #[instrument(name = "CopyAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    CopyAction { name, id }: CopyAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    let Action { config, .. } = resource::get_check_permissions::<
+      Action,
+    >(
+      &id, &user, PermissionLevel::Write
+    )
+    .await?;
+    resource::create::<Action>(&name, config.into(), &user).await
+  }
+}
+
+impl Resolve<UpdateAction, User> for State {
+  #[instrument(name = "UpdateAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    UpdateAction { id, config }: UpdateAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    resource::update::<Action>(&id, config, &user).await
+  }
+}
+
+impl Resolve<RenameAction, User> for State {
+  #[instrument(name = "RenameAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameAction { id, name }: RenameAction,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Action>(&id, &name, &user).await
+  }
+}
+
+impl Resolve<DeleteAction, User> for State {
+  #[instrument(name = "DeleteAction", skip(self, user))]
+  async fn resolve(
+    &self,
+    DeleteAction { id }: DeleteAction,
+    user: User,
+  ) -> anyhow::Result<Action> {
+    resource::delete::<Action>(&id, &user).await
+  }
+}

bin/core/src/api/write/alerter.rs

@@ -1,9 +1,8 @@
 use komodo_client::{
-  api::write::{
-    CopyAlerter, CreateAlerter, DeleteAlerter, UpdateAlerter,
-  },
+  api::write::*,
   entities::{
-    alerter::Alerter, permission::PermissionLevel, user::User,
+    alerter::Alerter, permission::PermissionLevel, update::Update,
+    user::User,
   },
 };
 use resolver_api::Resolve;
@@ -59,3 +58,14 @@ impl Resolve<UpdateAlerter, User> for State {
     resource::update::<Alerter>(&id, config, &user).await
   }
 }
+
+impl Resolve<RenameAlerter, User> for State {
+  #[instrument(name = "RenameAlerter", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameAlerter { id, name }: RenameAlerter,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Alerter>(&id, &name, &user).await
+  }
+}

bin/core/src/api/write/build.rs

@@ -6,6 +6,7 @@ use komodo_client::{
     build::{Build, BuildInfo, PartialBuildConfig},
     config::core::CoreConfig,
     permission::PermissionLevel,
+    update::Update,
     user::User,
     CloneArgs, NoData,
   },
@@ -77,6 +78,17 @@ impl Resolve<UpdateBuild, User> for State {
   }
 }
 
+impl Resolve<RenameBuild, User> for State {
+  #[instrument(name = "RenameBuild", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameBuild { id, name }: RenameBuild,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Build>(&id, &name, &user).await
+  }
+}
+
 impl Resolve<RefreshBuildCache, User> for State {
   #[instrument(
     name = "RefreshBuildCache",

bin/core/src/api/write/builder.rs

@@ -1,7 +1,8 @@
 use komodo_client::{
   api::write::*,
   entities::{
-    builder::Builder, permission::PermissionLevel, user::User,
+    builder::Builder, permission::PermissionLevel, update::Update,
+    user::User,
   },
 };
 use resolver_api::Resolve;
@@ -57,3 +58,14 @@ impl Resolve<UpdateBuilder, User> for State {
     resource::update::<Builder>(&id, config, &user).await
   }
 }
+
+impl Resolve<RenameBuilder, User> for State {
+  #[instrument(name = "RenameBuilder", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameBuilder { id, name }: RenameBuilder,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Builder>(&id, &name, &user).await
+  }
+}

bin/core/src/api/write/deployment.rs

@@ -108,7 +108,7 @@ impl Resolve<RenameDeployment, User> for State {
 
     if container_state == DeploymentState::Unknown {
       return Err(anyhow!(
-        "cannot rename deployment when container status is unknown"
+        "Cannot rename Deployment when container status is unknown"
       ));
     }
 
@@ -124,7 +124,7 @@ impl Resolve<RenameDeployment, User> for State {
       None,
     )
     .await
-    .context("failed to update deployment name on db")?;
+    .context("Failed to update Deployment name on db")?;
 
     if container_state != DeploymentState::NotDeployed {
       let server =
@@ -135,20 +135,19 @@ impl Resolve<RenameDeployment, User> for State {
           new_name: name.clone(),
         })
         .await
-        .context("failed to rename container on server")?;
+        .context("Failed to rename container on server")?;
       update.logs.push(log);
     }
 
     update.push_simple_log(
-      "rename deployment",
+      "Rename Deployment",
       format!(
-        "renamed deployment from {} to {}",
+        "Renamed Deployment from {} to {}",
         deployment.name, name
       ),
     );
     update.finalize();
-
-    add_update(update.clone()).await?;
+    update.id = add_update(update.clone()).await?;
 
     Ok(update)
   }

bin/core/src/api/write/description.rs

@@ -2,7 +2,7 @@ use anyhow::anyhow;
 use komodo_client::{
   api::write::{UpdateDescription, UpdateDescriptionResponse},
   entities::{
-    alerter::Alerter, build::Build, builder::Builder,
+    action::Action, alerter::Alerter, build::Build, builder::Builder,
     deployment::Deployment, procedure::Procedure, repo::Repo,
     server::Server, server_template::ServerTemplate, stack::Stack,
     sync::ResourceSync, user::User, ResourceTarget,
@@ -84,6 +84,14 @@ impl Resolve<UpdateDescription, User> for State {
         )
         .await?;
       }
+      ResourceTarget::Action(id) => {
+        resource::update_description::<Action>(
+          &id,
+          &description,
+          &user,
+        )
+        .await?;
+      }
       ResourceTarget::ServerTemplate(id) => {
         resource::update_description::<ServerTemplate>(
           &id,

bin/core/src/api/write/mod.rs

@@ -13,6 +13,7 @@ use uuid::Uuid;
 
 use crate::{auth::auth_request, state::State};
 
+mod action;
 mod alerter;
 mod build;
 mod builder;
@@ -88,6 +89,7 @@ pub enum WriteRequest {
   CopyBuild(CopyBuild),
   DeleteBuild(DeleteBuild),
   UpdateBuild(UpdateBuild),
+  RenameBuild(RenameBuild),
   RefreshBuildCache(RefreshBuildCache),
   CreateBuildWebhook(CreateBuildWebhook),
   DeleteBuildWebhook(DeleteBuildWebhook),
@@ -97,18 +99,21 @@ pub enum WriteRequest {
   CopyBuilder(CopyBuilder),
   DeleteBuilder(DeleteBuilder),
   UpdateBuilder(UpdateBuilder),
+  RenameBuilder(RenameBuilder),
 
   // ==== SERVER TEMPLATE ====
   CreateServerTemplate(CreateServerTemplate),
   CopyServerTemplate(CopyServerTemplate),
   DeleteServerTemplate(DeleteServerTemplate),
   UpdateServerTemplate(UpdateServerTemplate),
+  RenameServerTemplate(RenameServerTemplate),
 
   // ==== REPO ====
   CreateRepo(CreateRepo),
   CopyRepo(CopyRepo),
   DeleteRepo(DeleteRepo),
   UpdateRepo(UpdateRepo),
+  RenameRepo(RenameRepo),
   RefreshRepoCache(RefreshRepoCache),
   CreateRepoWebhook(CreateRepoWebhook),
   DeleteRepoWebhook(DeleteRepoWebhook),
@@ -118,18 +123,28 @@ pub enum WriteRequest {
   CopyAlerter(CopyAlerter),
   DeleteAlerter(DeleteAlerter),
   UpdateAlerter(UpdateAlerter),
+  RenameAlerter(RenameAlerter),
 
   // ==== PROCEDURE ====
   CreateProcedure(CreateProcedure),
   CopyProcedure(CopyProcedure),
   DeleteProcedure(DeleteProcedure),
   UpdateProcedure(UpdateProcedure),
+  RenameProcedure(RenameProcedure),
+
+  // ==== ACTION ====
+  CreateAction(CreateAction),
+  CopyAction(CopyAction),
+  DeleteAction(DeleteAction),
+  UpdateAction(UpdateAction),
+  RenameAction(RenameAction),
 
   // ==== SYNC ====
   CreateResourceSync(CreateResourceSync),
   CopyResourceSync(CopyResourceSync),
   DeleteResourceSync(DeleteResourceSync),
   UpdateResourceSync(UpdateResourceSync),
+  RenameResourceSync(RenameResourceSync),
   WriteSyncFileContents(WriteSyncFileContents),
   CommitSync(CommitSync),
   RefreshResourceSyncPending(RefreshResourceSyncPending),

bin/core/src/api/write/permissions.rs

@@ -387,6 +387,20 @@ async fn extract_resource_target_with_validation(
         .id;
       Ok((ResourceTargetVariant::Procedure, id))
     }
+    ResourceTarget::Action(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .actions
+        .find_one(filter)
+        .await
+        .context("failed to query db for actions")?
+        .context("no matching action found")?
+        .id;
+      Ok((ResourceTargetVariant::Action, id))
+    }
     ResourceTarget::ServerTemplate(ident) => {
       let filter = match ObjectId::from_str(ident) {
         Ok(id) => doc! { "_id": id },

bin/core/src/api/write/procedure.rs

@@ -1,7 +1,8 @@
 use komodo_client::{
   api::write::*,
   entities::{
-    permission::PermissionLevel, procedure::Procedure, user::User,
+    permission::PermissionLevel, procedure::Procedure,
+    update::Update, user::User,
   },
 };
 use resolver_api::Resolve;
@@ -48,6 +49,17 @@ impl Resolve<UpdateProcedure, User> for State {
   }
 }
 
+impl Resolve<RenameProcedure, User> for State {
+  #[instrument(name = "RenameProcedure", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameProcedure { id, name }: RenameProcedure,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<Procedure>(&id, &name, &user).await
+  }
+}
+
 impl Resolve<DeleteProcedure, User> for State {
   #[instrument(name = "DeleteProcedure", skip(self, user))]
   async fn resolve(

bin/core/src/api/write/repo.rs

@@ -1,27 +1,36 @@
 use anyhow::{anyhow, Context};
+use formatting::format_serror;
 use git::GitRes;
 use komodo_client::{
   api::write::*,
   entities::{
     config::core::CoreConfig,
+    komodo_timestamp,
     permission::PermissionLevel,
     repo::{PartialRepoConfig, Repo, RepoInfo},
+    server::Server,
+    to_komodo_name,
+    update::{Log, Update},
     user::User,
-    CloneArgs, NoData,
+    CloneArgs, NoData, Operation,
   },
 };
 use mongo_indexed::doc;
-use mungos::mongodb::bson::to_document;
+use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
 use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
 };
+use periphery_client::api;
 use resolver_api::Resolve;
 
 use crate::{
   config::core_config,
-  helpers::git_token,
+  helpers::{
+    git_token, periphery_client,
+    update::{add_update, make_update},
+  },
   resource,
-  state::{db_client, github_client, State},
+  state::{action_states, db_client, github_client, State},
 };
 
 impl Resolve<CreateRepo, User> for State {
@@ -75,6 +84,81 @@ impl Resolve<UpdateRepo, User> for State {
   }
 }
 
+impl Resolve<RenameRepo, User> for State {
+  #[instrument(name = "RenameRepo", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameRepo { id, name }: RenameRepo,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    let repo = resource::get_check_permissions::<Repo>(
+      &id,
+      &user,
+      PermissionLevel::Write,
+    )
+    .await?;
+
+    if repo.config.server_id.is_empty()
+      || !repo.config.path.is_empty()
+    {
+      return resource::rename::<Repo>(&repo.id, &name, &user).await;
+    }
+
+    // get the action state for the repo (or insert default).
+    let action_state =
+      action_states().repo.get_or_insert_default(&repo.id).await;
+
+    // Will check to ensure repo not already busy before updating, and return Err if so.
+    // The returned guard will set the action state back to default when dropped.
+    let _action_guard =
+      action_state.update(|state| state.renaming = true)?;
+
+    let name = to_komodo_name(&name);
+
+    let mut update = make_update(&repo, Operation::RenameRepo, &user);
+
+    update_one_by_id(
+      &db_client().repos,
+      &repo.id,
+      mungos::update::Update::Set(
+        doc! { "name": &name, "updated_at": komodo_timestamp() },
+      ),
+      None,
+    )
+    .await
+    .context("Failed to update Repo name on db")?;
+
+    let server =
+      resource::get::<Server>(&repo.config.server_id).await?;
+
+    let log = match periphery_client(&server)?
+      .request(api::git::RenameRepo {
+        curr_name: to_komodo_name(&repo.name),
+        new_name: name.clone(),
+      })
+      .await
+      .context("Failed to rename Repo directory on Server")
+    {
+      Ok(log) => log,
+      Err(e) => Log::error(
+        "Rename Repo directory failure",
+        format_serror(&e.into()),
+      ),
+    };
+
+    update.logs.push(log);
+
+    update.push_simple_log(
+      "Rename Repo",
+      format!("Renamed Repo from {} to {}", repo.name, name),
+    );
+    update.finalize();
+    update.id = add_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
 impl Resolve<RefreshRepoCache, User> for State {
   #[instrument(
     name = "RefreshRepoCache",

bin/core/src/api/write/server.rs

@@ -1,9 +1,7 @@
-use anyhow::Context;
 use formatting::format_serror;
 use komodo_client::{
   api::write::*,
   entities::{
-    komodo_timestamp,
     permission::PermissionLevel,
     server::Server,
     update::{Update, UpdateStatus},
@@ -11,7 +9,6 @@ use komodo_client::{
     Operation,
   },
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::doc};
 use periphery_client::api;
 use resolver_api::Resolve;
 
@@ -21,7 +18,7 @@ use crate::{
     update::{add_update, make_update, update_update},
   },
   resource,
-  state::{db_client, State},
+  state::State,
 };
 
 impl Resolve<CreateServer, User> for State {
@@ -64,25 +61,7 @@ impl Resolve<RenameServer, User> for State {
     RenameServer { id, name }: RenameServer,
     user: User,
   ) -> anyhow::Result<Update> {
-    let server = resource::get_check_permissions::<Server>(
-      &id,
-      &user,
-      PermissionLevel::Write,
-    )
-    .await?;
-    let mut update =
-      make_update(&server, Operation::RenameServer, &user);
-
-    update_one_by_id(&db_client().servers, &id, mungos::update::Update::Set(doc! { "name": &name, "updated_at": komodo_timestamp() }), None)
-      .await
-      .context("failed to update server on db. this name may already be taken.")?;
-    update.push_simple_log(
-      "rename server",
-      format!("renamed server {id} from {} to {name}", server.name),
-    );
-    update.finalize();
-    update.id = add_update(update.clone()).await?;
-    Ok(update)
+    resource::rename::<Server>(&id, &name, &user).await
   }
 }
 

bin/core/src/api/write/server_template.rs

@@ -1,11 +1,11 @@
 use komodo_client::{
   api::write::{
     CopyServerTemplate, CreateServerTemplate, DeleteServerTemplate,
-    UpdateServerTemplate,
+    RenameServerTemplate, UpdateServerTemplate,
   },
   entities::{
     permission::PermissionLevel, server_template::ServerTemplate,
-    user::User,
+    update::Update, user::User,
   },
 };
 use resolver_api::Resolve;
@@ -63,3 +63,14 @@ impl Resolve<UpdateServerTemplate, User> for State {
     resource::update::<ServerTemplate>(&id, config, &user).await
   }
 }
+
+impl Resolve<RenameServerTemplate, User> for State {
+  #[instrument(name = "RenameServerTemplate", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameServerTemplate { id, name }: RenameServerTemplate,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<ServerTemplate>(&id, &name, &user).await
+  }
+}

bin/core/src/api/write/stack.rs

@@ -4,7 +4,6 @@ use komodo_client::{
   api::write::*,
   entities::{
     config::core::CoreConfig,
-    komodo_timestamp,
     permission::PermissionLevel,
     server::ServerState,
     stack::{PartialStackConfig, Stack, StackInfo},
@@ -13,10 +12,7 @@ use komodo_client::{
     FileContents, NoData, Operation,
   },
 };
-use mungos::{
-  by_id::update_one_by_id,
-  mongodb::bson::{doc, to_document},
-};
+use mungos::mongodb::bson::{doc, to_document};
 use octorust::types::{
   ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
 };
@@ -100,36 +96,7 @@ impl Resolve<RenameStack, User> for State {
     RenameStack { id, name }: RenameStack,
     user: User,
   ) -> anyhow::Result<Update> {
-    let stack = resource::get_check_permissions::<Stack>(
-      &id,
-      &user,
-      PermissionLevel::Write,
-    )
-    .await?;
-
-    let mut update =
-      make_update(&stack, Operation::RenameStack, &user);
-
-    update_one_by_id(
-      &db_client().stacks,
-      &stack.id,
-      mungos::update::Update::Set(
-        doc! { "name": &name, "updated_at": komodo_timestamp() },
-      ),
-      None,
-    )
-    .await
-    .context("failed to update stack name on db")?;
-
-    update.push_simple_log(
-      "rename stack",
-      format!("renamed stack from {} to {}", stack.name, name),
-    );
-    update.finalize();
-
-    add_update(update.clone()).await?;
-
-    Ok(update)
+    resource::rename::<Stack>(&id, &name, &user).await
   }
 }
 

bin/core/src/api/write/sync.rs

@@ -6,6 +6,7 @@ use komodo_client::{
   api::{read::ExportAllResourcesToToml, write::*},
   entities::{
     self,
+    action::Action,
     alert::{Alert, AlertData, SeverityLevel},
     alerter::Alerter,
     all_logs_success,
@@ -106,6 +107,17 @@ impl Resolve<UpdateResourceSync, User> for State {
   }
 }
 
+impl Resolve<RenameResourceSync, User> for State {
+  #[instrument(name = "RenameResourceSync", skip(self, user))]
+  async fn resolve(
+    &self,
+    RenameResourceSync { id, name }: RenameResourceSync,
+    user: User,
+  ) -> anyhow::Result<Update> {
+    resource::rename::<ResourceSync>(&id, &name, &user).await
+  }
+}
+
 impl Resolve<WriteSyncFileContents, User> for State {
   async fn resolve(
     &self,
@@ -535,6 +547,17 @@ impl Resolve<RefreshResourceSyncPending, User> for State {
           &mut diffs,
         )
         .await?;
+        push_updates_for_view::<Action>(
+          resources.actions,
+          delete,
+          &all_resources,
+          None,
+          None,
+          &id_to_tags,
+          &sync.config.match_tags,
+          &mut diffs,
+        )
+        .await?;
         push_updates_for_view::<Builder>(
           resources.builders,
           delete,
@@ -584,8 +607,7 @@ impl Resolve<RefreshResourceSyncPending, User> for State {
       let variable_updates = if sync.config.match_tags.is_empty() {
         crate::sync::variables::get_updates_for_view(
           &resources.variables,
-          // Delete doesn't work with variables when match tags are set
-          sync.config.match_tags.is_empty() && delete,
+          delete,
         )
         .await?
       } else {
@@ -595,8 +617,7 @@ impl Resolve<RefreshResourceSyncPending, User> for State {
       let user_group_updates = if sync.config.match_tags.is_empty() {
         crate::sync::user_groups::get_updates_for_view(
           resources.user_groups,
-          // Delete doesn't work with user groups when match tags are set
-          sync.config.match_tags.is_empty() && delete,
+          delete,
           &all_resources,
         )
         .await?

bin/core/src/api/write/tag.rs

@@ -7,7 +7,7 @@ use komodo_client::{
     UpdateTagsOnResourceResponse,
   },
   entities::{
-    alerter::Alerter, build::Build, builder::Builder,
+    action::Action, alerter::Alerter, build::Build, builder::Builder,
     deployment::Deployment, permission::PermissionLevel,
     procedure::Procedure, repo::Repo, server::Server,
     server_template::ServerTemplate, stack::Stack,
@@ -182,6 +182,15 @@ impl Resolve<UpdateTagsOnResource, User> for State {
         .await?;
         resource::update_tags::<Procedure>(&id, tags, user).await?
       }
+      ResourceTarget::Action(id) => {
+        resource::get_check_permissions::<Action>(
+          &id,
+          &user,
+          PermissionLevel::Write,
+        )
+        .await?;
+        resource::update_tags::<Action>(&id, tags, user).await?
+      }
       ResourceTarget::ServerTemplate(id) => {
         resource::get_check_permissions::<ServerTemplate>(
           &id,

bin/core/src/api/write/variable.rs

@@ -81,7 +81,7 @@ impl Resolve<UpdateVariableValue, User> for State {
     let variable = get_variable(&name).await?;
 
     if value == variable.value {
-      return Err(anyhow!("no change"));
+      return Ok(variable);
     }
 
     db_client()

bin/core/src/config.rs

@@ -150,6 +150,9 @@ pub fn core_config() -> &'static CoreConfig {
       repo_directory: env
         .komodo_repo_directory
         .unwrap_or(config.repo_directory),
+      action_directory: env
+        .komodo_action_directory
+        .unwrap_or(config.action_directory),
       resource_poll_interval: env
         .komodo_resource_poll_interval
         .unwrap_or(config.resource_poll_interval),

bin/core/src/db.rs

@@ -1,4 +1,5 @@
 use komodo_client::entities::{
+  action::Action,
   alert::Alert,
   alerter::Alerter,
   api_key::ApiKey,
@@ -47,6 +48,7 @@ pub struct DbClient {
   pub builders: Collection<Builder>,
   pub repos: Collection<Repo>,
   pub procedures: Collection<Procedure>,
+  pub actions: Collection<Action>,
   pub alerters: Collection<Alerter>,
   pub server_templates: Collection<ServerTemplate>,
   pub resource_syncs: Collection<ResourceSync>,
@@ -115,6 +117,7 @@ impl DbClient {
       repos: resource_collection(&db, "Repo").await?,
       alerters: resource_collection(&db, "Alerter").await?,
       procedures: resource_collection(&db, "Procedure").await?,
+      actions: resource_collection(&db, "Action").await?,
       server_templates: resource_collection(&db, "ServerTemplate")
         .await?,
       resource_syncs: resource_collection(&db, "ResourceSync")

bin/core/src/helpers/action_state.rs

@@ -4,7 +4,8 @@ use anyhow::anyhow;
 use komodo_client::{
   busy::Busy,
   entities::{
-    build::BuildActionState, deployment::DeploymentActionState,
+    action::ActionActionState, build::BuildActionState,
+    deployment::DeploymentActionState,
     procedure::ProcedureActionState, repo::RepoActionState,
     server::ServerActionState, stack::StackActionState,
     sync::ResourceSyncActionState,
@@ -22,6 +23,7 @@ pub struct ActionStates {
   pub repo: Cache<String, Arc<ActionState<RepoActionState>>>,
   pub procedure:
     Cache<String, Arc<ActionState<ProcedureActionState>>>,
+  pub action: Cache<String, Arc<ActionState<ActionActionState>>>,
   pub resource_sync:
     Cache<String, Arc<ActionState<ResourceSyncActionState>>>,
   pub stack: Cache<String, Arc<ActionState<StackActionState>>>,

bin/core/src/helpers/builder.rs

@@ -42,9 +42,32 @@ pub async fn get_builder_periphery(
   update: &mut Update,
 ) -> anyhow::Result<(PeripheryClient, BuildCleanupData)> {
   match builder.config {
+    BuilderConfig::Url(config) => {
+      if config.address.is_empty() {
+        return Err(anyhow!("Builder has not yet configured an address"));
+      }
+      let periphery = PeripheryClient::new(
+        config.address,
+        if config.passkey.is_empty() {
+          core_config().passkey.clone()
+        } else {
+          config.passkey
+        },
+      );
+      periphery
+        .health_check()
+        .await
+        .context("Url Builder failed health check")?;
+      Ok((
+        periphery,
+        BuildCleanupData::Server {
+          repo_name: resource_name,
+        },
+      ))
+    }
     BuilderConfig::Server(config) => {
       if config.server_id.is_empty() {
-        return Err(anyhow!("builder has not configured a server"));
+        return Err(anyhow!("Builder has not configured a server"));
       }
       let server = resource::get::<Server>(&config.server_id).await?;
       let periphery = periphery_client(&server)?;

bin/core/src/helpers/mod.rs

@@ -1,4 +1,4 @@
-use std::{str::FromStr, time::Duration};
+use std::str::FromStr;
 
 use anyhow::{anyhow, Context};
 use futures::future::join_all;
@@ -54,10 +54,6 @@ pub fn empty_or_only_spaces(word: &str) -> bool {
   true
 }
 
-pub fn random_duration(min_ms: u64, max_ms: u64) -> Duration {
-  Duration::from_millis(thread_rng().gen_range(min_ms..max_ms))
-}
-
 pub fn random_string(length: usize) -> String {
   thread_rng()
     .sample_iter(&Alphanumeric)

bin/core/src/helpers/procedure.rs

@@ -4,9 +4,14 @@ use anyhow::{anyhow, Context};
 use formatting::{bold, colored, format_serror, muted, Color};
 use futures::future::join_all;
 use komodo_client::{
-  api::execute::Execution,
+  api::execute::*,
   entities::{
+    action::Action,
+    build::Build,
+    deployment::Deployment,
     procedure::Procedure,
+    repo::Repo,
+    stack::Stack,
     update::{Log, Update},
     user::procedure_user,
   },
@@ -17,6 +22,7 @@ use tokio::sync::Mutex;
 
 use crate::{
   api::execute::ExecuteRequest,
+  resource::{list_full_for_user_using_pattern, KomodoResource},
   state::{db_client, State},
 };
 
@@ -79,11 +85,94 @@ pub async fn execute_procedure(
 #[allow(dependency_on_unit_never_type_fallback)]
 #[instrument(skip(update))]
 async fn execute_stage(
-  executions: Vec<Execution>,
+  _executions: Vec<Execution>,
   parent_id: &str,
   parent_name: &str,
   update: &Mutex<Update>,
 ) -> anyhow::Result<()> {
+  let mut executions = Vec::with_capacity(_executions.capacity());
+  for execution in _executions {
+    match execution {
+      Execution::BatchRunAction(exec) => {
+        extend_batch_exection::<BatchRunAction>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchRunProcedure(exec) => {
+        extend_batch_exection::<BatchRunProcedure>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchRunBuild(exec) => {
+        extend_batch_exection::<BatchRunBuild>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchCloneRepo(exec) => {
+        extend_batch_exection::<BatchCloneRepo>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchPullRepo(exec) => {
+        extend_batch_exection::<BatchPullRepo>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchBuildRepo(exec) => {
+        extend_batch_exection::<BatchBuildRepo>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDeploy(exec) => {
+        extend_batch_exection::<BatchDeploy>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDestroyDeployment(exec) => {
+        extend_batch_exection::<BatchDestroyDeployment>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDeployStack(exec) => {
+        extend_batch_exection::<BatchDeployStack>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDeployStackIfChanged(exec) => {
+        extend_batch_exection::<BatchDeployStackIfChanged>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      Execution::BatchDestroyStack(exec) => {
+        extend_batch_exection::<BatchDestroyStack>(
+          &exec.pattern,
+          &mut executions,
+        )
+        .await?;
+      }
+      execution => executions.push(execution),
+    }
+  }
   let futures = executions.into_iter().map(|execution| async move {
     let now = Instant::now();
     add_line_to_update(
@@ -146,6 +235,34 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchRunProcedure(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchRunProcedure not implemented correctly"
+      ));
+    }
+    Execution::RunAction(req) => {
+      let req = ExecuteRequest::RunAction(req);
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::RunAction(req) = req else {
+        unreachable!()
+      };
+      let update_id = update.id.clone();
+      handle_resolve_result(
+        State
+          .resolve(req, (user, update))
+          .await
+          .context("Failed at RunAction"),
+        &update_id,
+      )
+      .await?
+    }
+    Execution::BatchRunAction(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchRunAction not implemented correctly"
+      ));
+    }
     Execution::RunBuild(req) => {
       let req = ExecuteRequest::RunBuild(req);
       let update = init_execution_update(&req, &user).await?;
@@ -162,6 +279,12 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchRunBuild(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchRunBuild not implemented correctly"
+      ));
+    }
     Execution::CancelBuild(req) => {
       let req = ExecuteRequest::CancelBuild(req);
       let update = init_execution_update(&req, &user).await?;
@@ -194,6 +317,12 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchDeploy(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDeploy not implemented correctly"
+      ));
+    }
     Execution::StartDeployment(req) => {
       let req = ExecuteRequest::StartDeployment(req);
       let update = init_execution_update(&req, &user).await?;
@@ -290,6 +419,12 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchDestroyDeployment(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDestroyDeployment not implemented correctly"
+      ));
+    }
     Execution::CloneRepo(req) => {
       let req = ExecuteRequest::CloneRepo(req);
       let update = init_execution_update(&req, &user).await?;
@@ -306,6 +441,12 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchCloneRepo(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchCloneRepo not implemented correctly"
+      ));
+    }
     Execution::PullRepo(req) => {
       let req = ExecuteRequest::PullRepo(req);
       let update = init_execution_update(&req, &user).await?;
@@ -322,6 +463,12 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchPullRepo(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchPullRepo not implemented correctly"
+      ));
+    }
     Execution::BuildRepo(req) => {
       let req = ExecuteRequest::BuildRepo(req);
       let update = init_execution_update(&req, &user).await?;
@@ -338,6 +485,12 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchBuildRepo(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchBuildRepo not implemented correctly"
+      ));
+    }
     Execution::CancelRepoBuild(req) => {
       let req = ExecuteRequest::CancelRepoBuild(req);
       let update = init_execution_update(&req, &user).await?;
@@ -727,6 +880,12 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchDeployStack(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDeployStack not implemented correctly"
+      ));
+    }
     Execution::DeployStackIfChanged(req) => {
       let req = ExecuteRequest::DeployStackIfChanged(req);
       let update = init_execution_update(&req, &user).await?;
@@ -743,6 +902,12 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchDeployStackIfChanged(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDeployStackIfChanged not implemented correctly"
+      ));
+    }
     Execution::StartStack(req) => {
       let req = ExecuteRequest::StartStack(req);
       let update = init_execution_update(&req, &user).await?;
@@ -839,6 +1004,12 @@ async fn execute_execution(
       )
       .await?
     }
+    Execution::BatchDestroyStack(_) => {
+      // All batch executions must be expanded in `execute_stage`
+      return Err(anyhow!(
+        "Batch method BatchDestroyStack not implemented correctly"
+      ));
+    }
     Execution::Sleep(req) => {
       let duration = Duration::from_millis(req.duration_ms as u64);
       tokio::time::sleep(duration).await;
@@ -896,3 +1067,120 @@ async fn add_line_to_update(update: &Mutex<Update>, line: &str) {
     error!("Failed to update an update during procedure | {e:#}");
   };
 }
+
+async fn extend_batch_exection<E: ExtendBatch>(
+  pattern: &str,
+  executions: &mut Vec<Execution>,
+) -> anyhow::Result<()> {
+  let more = list_full_for_user_using_pattern::<E::Resource>(
+    pattern,
+    Default::default(),
+    procedure_user(),
+    &[],
+  )
+  .await?
+  .into_iter()
+  .map(|resource| E::single_execution(resource.name));
+  executions.extend(more);
+  Ok(())
+}
+
+trait ExtendBatch {
+  type Resource: KomodoResource;
+  fn single_execution(name: String) -> Execution;
+}
+
+impl ExtendBatch for BatchRunProcedure {
+  type Resource = Procedure;
+  fn single_execution(procedure: String) -> Execution {
+    Execution::RunProcedure(RunProcedure { procedure })
+  }
+}
+
+impl ExtendBatch for BatchRunAction {
+  type Resource = Action;
+  fn single_execution(action: String) -> Execution {
+    Execution::RunAction(RunAction { action })
+  }
+}
+
+impl ExtendBatch for BatchRunBuild {
+  type Resource = Build;
+  fn single_execution(build: String) -> Execution {
+    Execution::RunBuild(RunBuild { build })
+  }
+}
+
+impl ExtendBatch for BatchCloneRepo {
+  type Resource = Repo;
+  fn single_execution(repo: String) -> Execution {
+    Execution::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl ExtendBatch for BatchPullRepo {
+  type Resource = Repo;
+  fn single_execution(repo: String) -> Execution {
+    Execution::PullRepo(PullRepo { repo })
+  }
+}
+
+impl ExtendBatch for BatchBuildRepo {
+  type Resource = Repo;
+  fn single_execution(repo: String) -> Execution {
+    Execution::BuildRepo(BuildRepo { repo })
+  }
+}
+
+impl ExtendBatch for BatchDeploy {
+  type Resource = Deployment;
+  fn single_execution(deployment: String) -> Execution {
+    Execution::Deploy(Deploy {
+      deployment,
+      stop_signal: None,
+      stop_time: None,
+    })
+  }
+}
+
+impl ExtendBatch for BatchDestroyDeployment {
+  type Resource = Deployment;
+  fn single_execution(deployment: String) -> Execution {
+    Execution::DestroyDeployment(DestroyDeployment {
+      deployment,
+      signal: None,
+      time: None,
+    })
+  }
+}
+
+impl ExtendBatch for BatchDeployStack {
+  type Resource = Stack;
+  fn single_execution(stack: String) -> Execution {
+    Execution::DeployStack(DeployStack {
+      stack,
+      stop_time: None,
+    })
+  }
+}
+
+impl ExtendBatch for BatchDeployStackIfChanged {
+  type Resource = Stack;
+  fn single_execution(stack: String) -> Execution {
+    Execution::DeployStackIfChanged(DeployStackIfChanged {
+      stack,
+      stop_time: None,
+    })
+  }
+}
+
+impl ExtendBatch for BatchDestroyStack {
+  type Resource = Stack;
+  fn single_execution(stack: String) -> Execution {
+    Execution::DestroyStack(DestroyStack {
+      stack,
+      remove_orphans: false,
+      stop_time: None,
+    })
+  }
+}

bin/core/src/helpers/query.rs

@@ -2,6 +2,7 @@ use std::{collections::HashMap, str::FromStr};
 
 use anyhow::{anyhow, Context};
 use komodo_client::entities::{
+  action::Action,
   alerter::Alerter,
   build::Build,
   builder::Builder,
@@ -117,7 +118,7 @@ pub fn get_stack_state_from_containers(
   if containers.is_empty() {
     return StackState::Down;
   }
-  if services.len() != containers.len() {
+  if services.len() > containers.len() {
     return StackState::Unhealthy;
   }
   let running = containers.iter().all(|container| {
@@ -291,6 +292,9 @@ pub async fn get_user_permission_on_target(
     ResourceTarget::Procedure(id) => {
       get_user_permission_on_resource::<Procedure>(user, id).await
     }
+    ResourceTarget::Action(id) => {
+      get_user_permission_on_resource::<Action>(user, id).await
+    }
     ResourceTarget::ServerTemplate(id) => {
       get_user_permission_on_resource::<ServerTemplate>(user, id)
         .await

bin/core/src/helpers/update.rs

@@ -1,5 +1,6 @@
 use anyhow::Context;
 use komodo_client::entities::{
+  action::Action,
   build::Build,
   deployment::Deployment,
   komodo_timestamp,
@@ -260,6 +261,9 @@ pub async fn init_execution_update(
         resource::get::<Deployment>(&data.deployment).await?.id,
       ),
     ),
+    ExecuteRequest::BatchDeploy(_data) => {
+      return Ok(Default::default())
+    }
     ExecuteRequest::StartDeployment(data) => (
       Operation::StartDeployment,
       ResourceTarget::Deployment(
@@ -304,6 +308,9 @@ pub async fn init_execution_update(
         resource::get::<Build>(&data.build).await?.id,
       ),
     ),
+    ExecuteRequest::BatchRunBuild(_data) => {
+      return Ok(Default::default())
+    }
     ExecuteRequest::CancelBuild(data) => (
       Operation::CancelBuild,
       ResourceTarget::Build(
@@ -318,18 +325,27 @@ pub async fn init_execution_update(
         resource::get::<Repo>(&data.repo).await?.id,
       ),
     ),
+    ExecuteRequest::BatchCloneRepo(_data) => {
+      return Ok(Default::default())
+    }
     ExecuteRequest::PullRepo(data) => (
       Operation::PullRepo,
       ResourceTarget::Repo(
         resource::get::<Repo>(&data.repo).await?.id,
       ),
     ),
+    ExecuteRequest::BatchPullRepo(_data) => {
+      return Ok(Default::default())
+    }
     ExecuteRequest::BuildRepo(data) => (
       Operation::BuildRepo,
       ResourceTarget::Repo(
         resource::get::<Repo>(&data.repo).await?.id,
       ),
     ),
+    ExecuteRequest::BatchBuildRepo(_data) => {
+      return Ok(Default::default())
+    }
     ExecuteRequest::CancelRepoBuild(data) => (
       Operation::CancelRepoBuild,
       ResourceTarget::Repo(
@@ -344,6 +360,20 @@ pub async fn init_execution_update(
         resource::get::<Procedure>(&data.procedure).await?.id,
       ),
     ),
+    ExecuteRequest::BatchRunProcedure(_) => {
+      return Ok(Default::default())
+    }
+
+    // Action
+    ExecuteRequest::RunAction(data) => (
+      Operation::RunAction,
+      ResourceTarget::Action(
+        resource::get::<Action>(&data.action).await?.id,
+      ),
+    ),
+    ExecuteRequest::BatchRunAction(_) => {
+      return Ok(Default::default())
+    }
 
     // Server template
     ExecuteRequest::LaunchServer(data) => (
@@ -370,12 +400,18 @@ pub async fn init_execution_update(
         resource::get::<Stack>(&data.stack).await?.id,
       ),
     ),
+    ExecuteRequest::BatchDeployStack(_data) => {
+      return Ok(Default::default())
+    }
     ExecuteRequest::DeployStackIfChanged(data) => (
       Operation::DeployStack,
       ResourceTarget::Stack(
         resource::get::<Stack>(&data.stack).await?.id,
       ),
     ),
+    ExecuteRequest::BatchDeployStackIfChanged(_data) => {
+      return Ok(Default::default())
+    }
     ExecuteRequest::StartStack(data) => (
       if data.service.is_some() {
         Operation::StartStackService
@@ -432,6 +468,9 @@ pub async fn init_execution_update(
         resource::get::<Stack>(&data.stack).await?.id,
       ),
     ),
+    ExecuteRequest::BatchDestroyStack(_data) => {
+      return Ok(Default::default())
+    }
   };
   let mut update = make_update(target, operation, user);
   update.in_progress();

bin/core/src/listener/github/build.rs

@@ -1,66 +0,0 @@
-use std::sync::OnceLock;
-
-use anyhow::anyhow;
-use axum::http::HeaderMap;
-use komodo_client::{
-  api::execute::RunBuild,
-  entities::{build::Build, user::git_webhook_user},
-};
-use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCode;
-
-use crate::{
-  api::execute::ExecuteRequest,
-  helpers::update::init_execution_update, resource, state::State,
-};
-
-use super::{extract_branch, verify_gh_signature, ListenerLockCache};
-
-fn build_locks() -> &'static ListenerLockCache {
-  static BUILD_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
-  BUILD_LOCKS.get_or_init(Default::default)
-}
-
-pub async fn auth_build_webhook(
-  build_id: &str,
-  headers: HeaderMap,
-  body: &str,
-) -> serror::Result<Build> {
-  let build = resource::get::<Build>(build_id)
-    .await
-    .status_code(StatusCode::NOT_FOUND)?;
-  verify_gh_signature(headers, body, &build.config.webhook_secret)
-    .await
-    .status_code(StatusCode::UNAUTHORIZED)?;
-  Ok(build)
-}
-
-pub async fn handle_build_webhook(
-  build: Build,
-  body: String,
-) -> anyhow::Result<()> {
-  // Acquire and hold lock to make a task queue for
-  // subsequent listener calls on same resource.
-  // It would fail if we let it go through from action state busy.
-  let lock = build_locks().get_or_insert_default(&build.id).await;
-  let _lock = lock.lock().await;
-
-  if !build.config.webhook_enabled {
-    return Err(anyhow!("build does not have webhook enabled"));
-  }
-
-  let request_branch = extract_branch(&body)?;
-  if request_branch != build.config.branch {
-    return Err(anyhow!("request branch does not match expected"));
-  }
-
-  let user = git_webhook_user().to_owned();
-  let req = ExecuteRequest::RunBuild(RunBuild { build: build.id });
-  let update = init_execution_update(&req, &user).await?;
-  let ExecuteRequest::RunBuild(req) = req else {
-    unreachable!()
-  };
-  State.resolve(req, (user, update)).await?;
-  Ok(())
-}

bin/core/src/listener/github/mod.rs

@@ -1,278 +0,0 @@
-use std::sync::Arc;
-
-use anyhow::{anyhow, Context};
-use axum::{extract::Path, http::HeaderMap, routing::post, Router};
-use hex::ToHex;
-use hmac::{Hmac, Mac};
-use serde::Deserialize;
-use sha2::Sha256;
-use tokio::sync::Mutex;
-use tracing::Instrument;
-
-use crate::{
-  config::core_config,
-  helpers::{cache::Cache, random_duration},
-};
-
-mod build;
-mod procedure;
-mod repo;
-mod stack;
-mod sync;
-
-type HmacSha256 = Hmac<Sha256>;
-
-#[derive(Deserialize)]
-struct Id {
-  id: String,
-}
-
-#[derive(Deserialize)]
-struct IdBranch {
-  id: String,
-  branch: Option<String>,
-}
-
-pub fn router() -> Router {
-  Router::new()
-		.route(
-			"/build/:id",
-			post(
-				|Path(Id { id }), headers: HeaderMap, body: String| async move {
-          let build = build::auth_build_webhook(&id, headers, &body).await?;
-					tokio::spawn(async move {
-            let span = info_span!("build_webhook", id);
-            async {
-              let res = build::handle_build_webhook(build, body).await;
-              if let Err(e) = res {
-                warn!("failed to run build webook for build {id} | {e:#}");
-              }
-            }
-              .instrument(span)
-              .await
-					});
-          serror::Result::Ok(())
-				},
-			),
-		)
-		.route(
-			"/repo/:id/clone", 
-			post(
-				|Path(Id { id }), headers: HeaderMap, body: String| async move {
-          let repo = repo::auth_repo_webhook(&id, headers, &body).await?;
-					tokio::spawn(async move {
-						let span = info_span!("repo_clone_webhook", id);
-            async {
-              let res = repo::handle_repo_clone_webhook(repo, body).await;
-              if let Err(e) = res {
-                warn!("failed to run repo clone webook for repo {id} | {e:#}");
-              }
-            }
-              .instrument(span)
-              .await
-					});
-          serror::Result::Ok(())
-				},
-			)
-		)
-		.route(
-			"/repo/:id/pull", 
-			post(
-				|Path(Id { id }), headers: HeaderMap, body: String| async move {
-          let repo = repo::auth_repo_webhook(&id, headers, &body).await?;
-					tokio::spawn(async move {
-            let span = info_span!("repo_pull_webhook", id);
-            async {
-              let res = repo::handle_repo_pull_webhook(repo, body).await;
-              if let Err(e) = res {
-                warn!("failed to run repo pull webook for repo {id} | {e:#}");
-              }
-            }
-              .instrument(span)
-              .await
-					});
-          serror::Result::Ok(())
-				},
-			)
-		)
-		.route(
-			"/repo/:id/build", 
-			post(
-				|Path(Id { id }), headers: HeaderMap, body: String| async move {
-          let repo = repo::auth_repo_webhook(&id, headers, &body).await?;
-					tokio::spawn(async move {
-            let span = info_span!("repo_build_webhook", id);
-            async {
-              let res = repo::handle_repo_build_webhook(repo, body).await;
-              if let Err(e) = res {
-                warn!("failed to run repo build webook for repo {id} | {e:#}");
-              }
-            }
-              .instrument(span)
-              .await
-					});
-          serror::Result::Ok(())
-				},
-			)
-		)
-    .route(
-			"/stack/:id/refresh", 
-			post(
-				|Path(Id { id }), headers: HeaderMap, body: String| async move {
-          let stack = stack::auth_stack_webhook(&id, headers, &body).await?;
-					tokio::spawn(async move {
-						let span = info_span!("stack_clone_webhook", id);
-            async {
-              let res = stack::handle_stack_refresh_webhook(stack, body).await;
-              if let Err(e) = res {
-                warn!("failed to run stack clone webook for stack {id} | {e:#}");
-              }
-            }
-              .instrument(span)
-              .await
-					});
-          serror::Result::Ok(())
-				},
-			)
-		)
-		.route(
-			"/stack/:id/deploy", 
-			post(
-				|Path(Id { id }), headers: HeaderMap, body: String| async move {
-          let stack = stack::auth_stack_webhook(&id, headers, &body).await?;
-					tokio::spawn(async move {
-            let span = info_span!("stack_pull_webhook", id);
-            async {
-              let res = stack::handle_stack_deploy_webhook(stack, body).await;
-              if let Err(e) = res {
-                warn!("failed to run stack pull webook for stack {id} | {e:#}");
-              }
-            }
-              .instrument(span)
-              .await
-					});
-          serror::Result::Ok(())
-				},
-			)
-		)
-    .route(
-			"/procedure/:id/:branch", 
-			post(
-				|Path(IdBranch { id, branch }), headers: HeaderMap, body: String| async move {
-          let procedure = procedure::auth_procedure_webhook(&id, headers, &body).await?;
-					tokio::spawn(async move {
-            let span = info_span!("procedure_webhook", id, branch);
-            async {
-              let res = procedure::handle_procedure_webhook(
-                procedure,
-                branch.unwrap_or_else(|| String::from("main")),
-                body
-              ).await;
-              if let Err(e) = res {
-                warn!("failed to run procedure webook for procedure {id} | {e:#}");
-              }
-            }
-              .instrument(span)
-              .await
-					});
-          serror::Result::Ok(())
-				},
-			)
-		)
-    .route(
-			"/sync/:id/refresh", 
-			post(
-				|Path(Id { id }), headers: HeaderMap, body: String| async move {
-          let sync = sync::auth_sync_webhook(&id, headers, &body).await?;
-					tokio::spawn(async move {
-            let span = info_span!("sync_refresh_webhook", id);
-            async {
-              let res = sync::handle_sync_refresh_webhook(
-                sync,
-                body
-              ).await;
-              if let Err(e) = res {
-                warn!("failed to run sync webook for sync {id} | {e:#}");
-              }
-            }
-              .instrument(span)
-              .await
-					});
-          serror::Result::Ok(())
-				},
-			)
-		)
-    .route(
-			"/sync/:id/sync", 
-			post(
-				|Path(Id { id }), headers: HeaderMap, body: String| async move {
-          let sync = sync::auth_sync_webhook(&id, headers, &body).await?;
-					tokio::spawn(async move {
-            let span = info_span!("sync_execute_webhook", id);
-            async {
-              let res = sync::handle_sync_execute_webhook(
-                sync,
-                body
-              ).await;
-              if let Err(e) = res {
-                warn!("failed to run sync webook for sync {id} | {e:#}");
-              }
-            }
-              .instrument(span)
-              .await
-					});
-          serror::Result::Ok(())
-				},
-			)
-		)
-}
-
-#[instrument(skip_all)]
-async fn verify_gh_signature(
-  headers: HeaderMap,
-  body: &str,
-  custom_secret: &str,
-) -> anyhow::Result<()> {
-  // wait random amount of time
-  tokio::time::sleep(random_duration(0, 500)).await;
-
-  let signature = headers.get("x-hub-signature-256");
-  if signature.is_none() {
-    return Err(anyhow!("no signature in headers"));
-  }
-  let signature = signature.unwrap().to_str();
-  if signature.is_err() {
-    return Err(anyhow!("failed to unwrap signature"));
-  }
-  let signature = signature.unwrap().replace("sha256=", "");
-  let secret_bytes = if custom_secret.is_empty() {
-    core_config().webhook_secret.as_bytes()
-  } else {
-    custom_secret.as_bytes()
-  };
-  let mut mac = HmacSha256::new_from_slice(secret_bytes)
-    .expect("github webhook | failed to create hmac sha256");
-  mac.update(body.as_bytes());
-  let expected = mac.finalize().into_bytes().encode_hex::<String>();
-  if signature == expected {
-    Ok(())
-  } else {
-    Err(anyhow!("signature does not equal expected"))
-  }
-}
-
-#[derive(Deserialize)]
-struct GithubWebhookBody {
-  #[serde(rename = "ref")]
-  branch: String,
-}
-
-fn extract_branch(body: &str) -> anyhow::Result<String> {
-  let branch = serde_json::from_str::<GithubWebhookBody>(body)
-    .context("failed to parse github request body")?
-    .branch
-    .replace("refs/heads/", "");
-  Ok(branch)
-}
-
-type ListenerLockCache = Cache<String, Arc<Mutex<()>>>;

bin/core/src/listener/github/procedure.rs

@@ -1,74 +0,0 @@
-use std::sync::OnceLock;
-
-use anyhow::anyhow;
-use axum::http::HeaderMap;
-use komodo_client::{
-  api::execute::RunProcedure,
-  entities::{procedure::Procedure, user::git_webhook_user},
-};
-use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCode;
-
-use crate::{
-  api::execute::ExecuteRequest,
-  helpers::update::init_execution_update, resource, state::State,
-};
-
-use super::{extract_branch, verify_gh_signature, ListenerLockCache};
-
-fn procedure_locks() -> &'static ListenerLockCache {
-  static BUILD_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
-  BUILD_LOCKS.get_or_init(Default::default)
-}
-
-pub async fn auth_procedure_webhook(
-  procedure_id: &str,
-  headers: HeaderMap,
-  body: &str,
-) -> serror::Result<Procedure> {
-  let procedure = resource::get::<Procedure>(procedure_id)
-    .await
-    .status_code(StatusCode::NOT_FOUND)?;
-  verify_gh_signature(
-    headers,
-    body,
-    &procedure.config.webhook_secret,
-  )
-  .await
-  .status_code(StatusCode::UNAUTHORIZED)?;
-  Ok(procedure)
-}
-
-pub async fn handle_procedure_webhook(
-  procedure: Procedure,
-  target_branch: String,
-  body: String,
-) -> anyhow::Result<()> {
-  // Acquire and hold lock to make a task queue for
-  // subsequent listener calls on same resource.
-  // It would fail if we let it go through from action state busy.
-  let lock =
-    procedure_locks().get_or_insert_default(&procedure.id).await;
-  let _lock = lock.lock().await;
-
-  if !procedure.config.webhook_enabled {
-    return Err(anyhow!("procedure does not have webhook enabled"));
-  }
-
-  let request_branch = extract_branch(&body)?;
-  if request_branch != target_branch {
-    return Err(anyhow!("request branch does not match expected"));
-  }
-
-  let user = git_webhook_user().to_owned();
-  let req = ExecuteRequest::RunProcedure(RunProcedure {
-    procedure: procedure.id,
-  });
-  let update = init_execution_update(&req, &user).await?;
-  let ExecuteRequest::RunProcedure(req) = req else {
-    unreachable!()
-  };
-  State.resolve(req, (user, update)).await?;
-  Ok(())
-}

bin/core/src/listener/github/repo.rs

@@ -1,133 +0,0 @@
-use std::sync::OnceLock;
-
-use anyhow::anyhow;
-use axum::http::HeaderMap;
-use komodo_client::{
-  api::execute::{BuildRepo, CloneRepo, PullRepo},
-  entities::{repo::Repo, user::git_webhook_user},
-};
-use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCode;
-
-use crate::{
-  helpers::update::init_execution_update, resource, state::State,
-};
-
-use super::{extract_branch, verify_gh_signature, ListenerLockCache};
-
-fn repo_locks() -> &'static ListenerLockCache {
-  static REPO_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
-  REPO_LOCKS.get_or_init(Default::default)
-}
-
-pub async fn auth_repo_webhook(
-  repo_id: &str,
-  headers: HeaderMap,
-  body: &str,
-) -> serror::Result<Repo> {
-  let repo = resource::get::<Repo>(repo_id)
-    .await
-    .status_code(StatusCode::NOT_FOUND)?;
-  verify_gh_signature(headers, body, &repo.config.webhook_secret)
-    .await
-    .status_code(StatusCode::UNAUTHORIZED)?;
-  Ok(repo)
-}
-
-pub async fn handle_repo_clone_webhook(
-  repo: Repo,
-  body: String,
-) -> anyhow::Result<()> {
-  // Acquire and hold lock to make a task queue for
-  // subsequent listener calls on same resource.
-  // It would fail if we let it go through from action state busy.
-  let lock = repo_locks().get_or_insert_default(&repo.id).await;
-  let _lock = lock.lock().await;
-
-  if !repo.config.webhook_enabled {
-    return Err(anyhow!("repo does not have webhook enabled"));
-  }
-
-  let request_branch = extract_branch(&body)?;
-  if request_branch != repo.config.branch {
-    return Err(anyhow!("request branch does not match expected"));
-  }
-
-  let user = git_webhook_user().to_owned();
-  let req =
-    crate::api::execute::ExecuteRequest::CloneRepo(CloneRepo {
-      repo: repo.id,
-    });
-  let update = init_execution_update(&req, &user).await?;
-  let crate::api::execute::ExecuteRequest::CloneRepo(req) = req
-  else {
-    unreachable!()
-  };
-  State.resolve(req, (user, update)).await?;
-  Ok(())
-}
-
-pub async fn handle_repo_pull_webhook(
-  repo: Repo,
-  body: String,
-) -> anyhow::Result<()> {
-  // Acquire and hold lock to make a task queue for
-  // subsequent listener calls on same resource.
-  // It would fail if we let it go through from action state busy.
-  let lock = repo_locks().get_or_insert_default(&repo.id).await;
-  let _lock = lock.lock().await;
-
-  if !repo.config.webhook_enabled {
-    return Err(anyhow!("repo does not have webhook enabled"));
-  }
-
-  let request_branch = extract_branch(&body)?;
-  if request_branch != repo.config.branch {
-    return Err(anyhow!("request branch does not match expected"));
-  }
-
-  let user = git_webhook_user().to_owned();
-  let req = crate::api::execute::ExecuteRequest::PullRepo(PullRepo {
-    repo: repo.id,
-  });
-  let update = init_execution_update(&req, &user).await?;
-  let crate::api::execute::ExecuteRequest::PullRepo(req) = req else {
-    unreachable!()
-  };
-  State.resolve(req, (user, update)).await?;
-  Ok(())
-}
-
-pub async fn handle_repo_build_webhook(
-  repo: Repo,
-  body: String,
-) -> anyhow::Result<()> {
-  // Acquire and hold lock to make a task queue for
-  // subsequent listener calls on same resource.
-  // It would fail if we let it go through from action state busy.
-  let lock = repo_locks().get_or_insert_default(&repo.id).await;
-  let _lock = lock.lock().await;
-
-  if !repo.config.webhook_enabled {
-    return Err(anyhow!("repo does not have webhook enabled"));
-  }
-
-  let request_branch = extract_branch(&body)?;
-  if request_branch != repo.config.branch {
-    return Err(anyhow!("request branch does not match expected"));
-  }
-
-  let user = git_webhook_user().to_owned();
-  let req =
-    crate::api::execute::ExecuteRequest::BuildRepo(BuildRepo {
-      repo: repo.id,
-    });
-  let update = init_execution_update(&req, &user).await?;
-  let crate::api::execute::ExecuteRequest::BuildRepo(req) = req
-  else {
-    unreachable!()
-  };
-  State.resolve(req, (user, update)).await?;
-  Ok(())
-}

bin/core/src/listener/github/stack.rs

@@ -1,112 +0,0 @@
-use std::sync::OnceLock;
-
-use anyhow::anyhow;
-use axum::http::HeaderMap;
-use komodo_client::{
-  api::{
-    execute::{DeployStack, DeployStackIfChanged},
-    write::RefreshStackCache,
-  },
-  entities::{stack::Stack, user::git_webhook_user},
-};
-use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCode;
-
-use crate::{
-  api::execute::ExecuteRequest,
-  helpers::update::init_execution_update, resource, state::State,
-};
-
-use super::{extract_branch, verify_gh_signature, ListenerLockCache};
-
-fn stack_locks() -> &'static ListenerLockCache {
-  static STACK_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
-  STACK_LOCKS.get_or_init(Default::default)
-}
-
-pub async fn auth_stack_webhook(
-  stack_id: &str,
-  headers: HeaderMap,
-  body: &str,
-) -> serror::Result<Stack> {
-  let stack = resource::get::<Stack>(stack_id)
-    .await
-    .status_code(StatusCode::NOT_FOUND)?;
-  verify_gh_signature(headers, body, &stack.config.webhook_secret)
-    .await
-    .status_code(StatusCode::UNAUTHORIZED)?;
-  Ok(stack)
-}
-
-pub async fn handle_stack_refresh_webhook(
-  stack: Stack,
-  body: String,
-) -> anyhow::Result<()> {
-  // Acquire and hold lock to make a task queue for
-  // subsequent listener calls on same resource.
-  // It would fail if we let it go through, from "action state busy".
-  let lock = stack_locks().get_or_insert_default(&stack.id).await;
-  let _lock = lock.lock().await;
-
-  if !stack.config.webhook_enabled {
-    return Err(anyhow!("stack does not have webhook enabled"));
-  }
-
-  let request_branch = extract_branch(&body)?;
-  if request_branch != stack.config.branch {
-    return Err(anyhow!("request branch does not match expected"));
-  }
-
-  let user = git_webhook_user().to_owned();
-  State
-    .resolve(RefreshStackCache { stack: stack.id }, user)
-    .await?;
-  Ok(())
-}
-
-pub async fn handle_stack_deploy_webhook(
-  stack: Stack,
-  body: String,
-) -> anyhow::Result<()> {
-  // Acquire and hold lock to make a task queue for
-  // subsequent listener calls on same resource.
-  // It would fail if we let it go through from action state busy.
-  let lock = stack_locks().get_or_insert_default(&stack.id).await;
-  let _lock = lock.lock().await;
-
-  if !stack.config.webhook_enabled {
-    return Err(anyhow!("stack does not have webhook enabled"));
-  }
-
-  let request_branch = extract_branch(&body)?;
-  if request_branch != stack.config.branch {
-    return Err(anyhow!("request branch does not match expected"));
-  }
-
-  let user = git_webhook_user().to_owned();
-  if stack.config.webhook_force_deploy {
-    let req = ExecuteRequest::DeployStack(DeployStack {
-      stack: stack.id,
-      stop_time: None,
-    });
-    let update = init_execution_update(&req, &user).await?;
-    let ExecuteRequest::DeployStack(req) = req else {
-      unreachable!()
-    };
-    State.resolve(req, (user, update)).await?;
-  } else {
-    let req =
-      ExecuteRequest::DeployStackIfChanged(DeployStackIfChanged {
-        stack: stack.id,
-        stop_time: None,
-      });
-    let update = init_execution_update(&req, &user).await?;
-    let ExecuteRequest::DeployStackIfChanged(req) = req else {
-      unreachable!()
-    };
-    State.resolve(req, (user, update)).await?;
-  }
-
-  Ok(())
-}

bin/core/src/listener/github/sync.rs

@@ -1,96 +0,0 @@
-use std::sync::OnceLock;
-
-use anyhow::anyhow;
-use axum::http::HeaderMap;
-use komodo_client::{
-  api::{execute::RunSync, write::RefreshResourceSyncPending},
-  entities::{sync::ResourceSync, user::git_webhook_user},
-};
-use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCode;
-
-use crate::{
-  api::execute::ExecuteRequest,
-  helpers::update::init_execution_update, resource, state::State,
-};
-
-use super::{extract_branch, verify_gh_signature, ListenerLockCache};
-
-fn sync_locks() -> &'static ListenerLockCache {
-  static SYNC_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
-  SYNC_LOCKS.get_or_init(Default::default)
-}
-
-pub async fn auth_sync_webhook(
-  sync_id: &str,
-  headers: HeaderMap,
-  body: &str,
-) -> serror::Result<ResourceSync> {
-  let sync = resource::get::<ResourceSync>(sync_id)
-    .await
-    .status_code(StatusCode::NOT_FOUND)?;
-  verify_gh_signature(headers, body, &sync.config.webhook_secret)
-    .await
-    .status_code(StatusCode::UNAUTHORIZED)?;
-  Ok(sync)
-}
-
-pub async fn handle_sync_refresh_webhook(
-  sync: ResourceSync,
-  body: String,
-) -> anyhow::Result<()> {
-  // Acquire and hold lock to make a task queue for
-  // subsequent listener calls on same resource.
-  // It would fail if we let it go through from action state busy.
-  let lock = sync_locks().get_or_insert_default(&sync.id).await;
-  let _lock = lock.lock().await;
-
-  if !sync.config.webhook_enabled {
-    return Err(anyhow!("sync does not have webhook enabled"));
-  }
-
-  let request_branch = extract_branch(&body)?;
-  if request_branch != sync.config.branch {
-    return Err(anyhow!("request branch does not match expected"));
-  }
-
-  let user = git_webhook_user().to_owned();
-  State
-    .resolve(RefreshResourceSyncPending { sync: sync.id }, user)
-    .await?;
-  Ok(())
-}
-
-pub async fn handle_sync_execute_webhook(
-  sync: ResourceSync,
-  body: String,
-) -> anyhow::Result<()> {
-  // Acquire and hold lock to make a task queue for
-  // subsequent listener calls on same resource.
-  // It would fail if we let it go through from action state busy.
-  let lock = sync_locks().get_or_insert_default(&sync.id).await;
-  let _lock = lock.lock().await;
-
-  if !sync.config.webhook_enabled {
-    return Err(anyhow!("sync does not have webhook enabled"));
-  }
-
-  let request_branch = extract_branch(&body)?;
-  if request_branch != sync.config.branch {
-    return Err(anyhow!("request branch does not match expected"));
-  }
-
-  let user = git_webhook_user().to_owned();
-  let req = ExecuteRequest::RunSync(RunSync {
-    sync: sync.id,
-    resource_type: None,
-    resources: None,
-  });
-  let update = init_execution_update(&req, &user).await?;
-  let ExecuteRequest::RunSync(req) = req else {
-    unreachable!()
-  };
-  State.resolve(req, (user, update)).await?;
-  Ok(())
-}

bin/core/src/listener/integrations/github.rs

@@ -0,0 +1,71 @@
+use anyhow::{anyhow, Context};
+use axum::http::HeaderMap;
+use hex::ToHex;
+use hmac::{Hmac, Mac};
+use serde::Deserialize;
+use sha2::Sha256;
+
+use crate::{
+  config::core_config,
+  listener::{VerifyBranch, VerifySecret},
+};
+
+type HmacSha256 = Hmac<Sha256>;
+
+/// Listener implementation for Github type API, including Gitea
+pub struct Github;
+
+impl VerifySecret for Github {
+  #[instrument("VerifyGithubSecret", skip_all)]
+  fn verify_secret(
+    headers: HeaderMap,
+    body: &str,
+    custom_secret: &str,
+  ) -> anyhow::Result<()> {
+    let signature = headers
+      .get("x-hub-signature-256")
+      .context("No github signature in headers")?;
+    let signature = signature
+      .to_str()
+      .context("Failed to get signature as string")?;
+    let signature =
+      signature.strip_prefix("sha256=").unwrap_or(signature);
+    let secret_bytes = if custom_secret.is_empty() {
+      core_config().webhook_secret.as_bytes()
+    } else {
+      custom_secret.as_bytes()
+    };
+    let mut mac = HmacSha256::new_from_slice(secret_bytes)
+      .context("Failed to create hmac sha256 from secret")?;
+    mac.update(body.as_bytes());
+    let expected = mac.finalize().into_bytes().encode_hex::<String>();
+    if signature == expected {
+      Ok(())
+    } else {
+      Err(anyhow!("Signature does not equal expected"))
+    }
+  }
+}
+
+#[derive(Deserialize)]
+struct GithubWebhookBody {
+  #[serde(rename = "ref")]
+  branch: String,
+}
+
+impl VerifyBranch for Github {
+  fn verify_branch(
+    body: &str,
+    expected_branch: &str,
+  ) -> anyhow::Result<()> {
+    let branch = serde_json::from_str::<GithubWebhookBody>(body)
+      .context("Failed to parse github request body")?
+      .branch
+      .replace("refs/heads/", "");
+    if branch == expected_branch {
+      Ok(())
+    } else {
+      Err(anyhow!("request branch does not match expected"))
+    }
+  }
+}

bin/core/src/listener/integrations/gitlab.rs

@@ -0,0 +1,58 @@
+use anyhow::{anyhow, Context};
+use serde::Deserialize;
+
+use crate::{
+  config::core_config,
+  listener::{VerifyBranch, VerifySecret},
+};
+
+/// Listener implementation for Gitlab type API
+pub struct Gitlab;
+
+impl VerifySecret for Gitlab {
+  #[instrument("VerifyGitlabSecret", skip_all)]
+  fn verify_secret(
+    headers: axum::http::HeaderMap,
+    _body: &str,
+    custom_secret: &str,
+  ) -> anyhow::Result<()> {
+    let token = headers
+      .get("x-gitlab-token")
+      .context("No gitlab token in headers")?;
+    let token =
+      token.to_str().context("Failed to get token as string")?;
+    let secret = if custom_secret.is_empty() {
+      core_config().webhook_secret.as_str()
+    } else {
+      custom_secret
+    };
+    if token == secret {
+      Ok(())
+    } else {
+      Err(anyhow!("Webhook secret does not match expected."))
+    }
+  }
+}
+
+#[derive(Deserialize)]
+struct GitlabWebhookBody {
+  #[serde(rename = "ref")]
+  branch: String,
+}
+
+impl VerifyBranch for Gitlab {
+  fn verify_branch(
+    body: &str,
+    expected_branch: &str,
+  ) -> anyhow::Result<()> {
+    let branch = serde_json::from_str::<GitlabWebhookBody>(body)
+      .context("Failed to parse gitlab request body")?
+      .branch
+      .replace("refs/heads/", "");
+    if branch == expected_branch {
+      Ok(())
+    } else {
+      Err(anyhow!("request branch does not match expected"))
+    }
+  }
+}

bin/core/src/listener/integrations/mod.rs

@@ -0,0 +1,2 @@
+pub mod github;
+pub mod gitlab;

bin/core/src/listener/mod.rs

@@ -1,7 +1,52 @@
-use axum::Router;
+use std::sync::Arc;
 
-mod github;
+use axum::{http::HeaderMap, Router};
+use komodo_client::entities::resource::Resource;
+use tokio::sync::Mutex;
+
+use crate::{helpers::cache::Cache, resource::KomodoResource};
+
+mod integrations;
+mod resources;
+mod router;
+
+use integrations::*;
 
 pub fn router() -> Router {
-  Router::new().nest("/github", github::router())
+  Router::new()
+    .nest("/github", router::router::<github::Github>())
+    .nest("/gitlab", router::router::<gitlab::Gitlab>())
 }
+
+type ListenerLockCache = Cache<String, Arc<Mutex<()>>>;
+
+/// Implemented for all resources which can recieve webhook.
+trait CustomSecret: KomodoResource {
+  fn custom_secret(
+    resource: &Resource<Self::Config, Self::Info>,
+  ) -> &str;
+}
+
+/// Implemented on the integration struct, eg [integrations::github::Github]
+trait VerifySecret {
+  fn verify_secret(
+    headers: HeaderMap,
+    body: &str,
+    custom_secret: &str,
+  ) -> anyhow::Result<()>;
+}
+
+/// Implemented on the integration struct, eg [integrations::github::Github]
+trait VerifyBranch {
+  /// Returns Err if the branch extracted from request
+  /// body does not match the expected branch.
+  fn verify_branch(
+    body: &str,
+    expected_branch: &str,
+  ) -> anyhow::Result<()>;
+}
+
+/// For Procedures and Actions, incoming webhook
+/// can be triggered by any branch by using `__ANY__`
+/// as the branch in the webhook URL.
+const ANY_BRANCH: &str = "__ANY__";

bin/core/src/listener/resources.rs

@@ -0,0 +1,486 @@
+use std::sync::OnceLock;
+
+use anyhow::anyhow;
+use komodo_client::{
+  api::{
+    execute::*,
+    write::{RefreshResourceSyncPending, RefreshStackCache},
+  },
+  entities::{
+    action::Action, build::Build, procedure::Procedure, repo::Repo,
+    stack::Stack, sync::ResourceSync, user::git_webhook_user,
+  },
+};
+use resolver_api::Resolve;
+use serde::Deserialize;
+
+use crate::{
+  api::execute::ExecuteRequest,
+  helpers::update::init_execution_update, state::State,
+};
+
+use super::{ListenerLockCache, ANY_BRANCH};
+
+// =======
+//  BUILD
+// =======
+
+impl super::CustomSecret for Build {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn build_locks() -> &'static ListenerLockCache {
+  static BUILD_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  BUILD_LOCKS.get_or_init(Default::default)
+}
+
+pub async fn handle_build_webhook<B: super::VerifyBranch>(
+  build: Build,
+  body: String,
+) -> anyhow::Result<()> {
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock = build_locks().get_or_insert_default(&build.id).await;
+  let _lock = lock.lock().await;
+
+  if !build.config.webhook_enabled {
+    return Err(anyhow!("build does not have webhook enabled"));
+  }
+
+  B::verify_branch(&body, &build.config.branch)?;
+
+  let user = git_webhook_user().to_owned();
+  let req = ExecuteRequest::RunBuild(RunBuild { build: build.id });
+  let update = init_execution_update(&req, &user).await?;
+  let ExecuteRequest::RunBuild(req) = req else {
+    unreachable!()
+  };
+  State.resolve(req, (user, update)).await?;
+  Ok(())
+}
+
+// ======
+//  REPO
+// ======
+
+impl super::CustomSecret for Repo {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn repo_locks() -> &'static ListenerLockCache {
+  static REPO_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  REPO_LOCKS.get_or_init(Default::default)
+}
+
+pub trait RepoExecution {
+  async fn resolve(repo: Repo) -> anyhow::Result<()>;
+}
+
+impl RepoExecution for CloneRepo {
+  async fn resolve(repo: Repo) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    let req =
+      crate::api::execute::ExecuteRequest::CloneRepo(CloneRepo {
+        repo: repo.id,
+      });
+    let update = init_execution_update(&req, &user).await?;
+    let crate::api::execute::ExecuteRequest::CloneRepo(req) = req
+    else {
+      unreachable!()
+    };
+    State.resolve(req, (user, update)).await?;
+    Ok(())
+  }
+}
+
+impl RepoExecution for PullRepo {
+  async fn resolve(repo: Repo) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    let req =
+      crate::api::execute::ExecuteRequest::PullRepo(PullRepo {
+        repo: repo.id,
+      });
+    let update = init_execution_update(&req, &user).await?;
+    let crate::api::execute::ExecuteRequest::PullRepo(req) = req
+    else {
+      unreachable!()
+    };
+    State.resolve(req, (user, update)).await?;
+    Ok(())
+  }
+}
+
+impl RepoExecution for BuildRepo {
+  async fn resolve(repo: Repo) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    let req =
+      crate::api::execute::ExecuteRequest::BuildRepo(BuildRepo {
+        repo: repo.id,
+      });
+    let update = init_execution_update(&req, &user).await?;
+    let crate::api::execute::ExecuteRequest::BuildRepo(req) = req
+    else {
+      unreachable!()
+    };
+    State.resolve(req, (user, update)).await?;
+    Ok(())
+  }
+}
+
+#[derive(Deserialize)]
+pub struct RepoWebhookPath {
+  pub option: RepoWebhookOption,
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum RepoWebhookOption {
+  Clone,
+  Pull,
+  Build,
+}
+
+pub async fn handle_repo_webhook<B: super::VerifyBranch>(
+  option: RepoWebhookOption,
+  repo: Repo,
+  body: String,
+) -> anyhow::Result<()> {
+  match option {
+    RepoWebhookOption::Clone => {
+      handle_repo_webhook_inner::<B, CloneRepo>(repo, body).await
+    }
+    RepoWebhookOption::Pull => {
+      handle_repo_webhook_inner::<B, PullRepo>(repo, body).await
+    }
+    RepoWebhookOption::Build => {
+      handle_repo_webhook_inner::<B, BuildRepo>(repo, body).await
+    }
+  }
+}
+
+async fn handle_repo_webhook_inner<
+  B: super::VerifyBranch,
+  E: RepoExecution,
+>(
+  repo: Repo,
+  body: String,
+) -> anyhow::Result<()> {
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock = repo_locks().get_or_insert_default(&repo.id).await;
+  let _lock = lock.lock().await;
+
+  if !repo.config.webhook_enabled {
+    return Err(anyhow!("repo does not have webhook enabled"));
+  }
+
+  B::verify_branch(&body, &repo.config.branch)?;
+
+  E::resolve(repo).await
+}
+
+// =======
+//  STACK
+// =======
+
+impl super::CustomSecret for Stack {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn stack_locks() -> &'static ListenerLockCache {
+  static STACK_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  STACK_LOCKS.get_or_init(Default::default)
+}
+
+pub trait StackExecution {
+  async fn resolve(stack: Stack) -> anyhow::Result<()>;
+}
+
+impl StackExecution for RefreshStackCache {
+  async fn resolve(stack: Stack) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    State
+      .resolve(RefreshStackCache { stack: stack.id }, user)
+      .await?;
+    Ok(())
+  }
+}
+
+impl StackExecution for DeployStack {
+  async fn resolve(stack: Stack) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    if stack.config.webhook_force_deploy {
+      let req = ExecuteRequest::DeployStack(DeployStack {
+        stack: stack.id,
+        stop_time: None,
+      });
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::DeployStack(req) = req else {
+        unreachable!()
+      };
+      State.resolve(req, (user, update)).await?;
+    } else {
+      let req =
+        ExecuteRequest::DeployStackIfChanged(DeployStackIfChanged {
+          stack: stack.id,
+          stop_time: None,
+        });
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::DeployStackIfChanged(req) = req else {
+        unreachable!()
+      };
+      State.resolve(req, (user, update)).await?;
+    }
+
+    Ok(())
+  }
+}
+
+#[derive(Deserialize)]
+pub struct StackWebhookPath {
+  pub option: StackWebhookOption,
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum StackWebhookOption {
+  Refresh,
+  Deploy,
+}
+
+pub async fn handle_stack_webhook<B: super::VerifyBranch>(
+  option: StackWebhookOption,
+  stack: Stack,
+  body: String,
+) -> anyhow::Result<()> {
+  match option {
+    StackWebhookOption::Refresh => {
+      handle_stack_webhook_inner::<B, RefreshStackCache>(stack, body)
+        .await
+    }
+    StackWebhookOption::Deploy => {
+      handle_stack_webhook_inner::<B, DeployStack>(stack, body).await
+    }
+  }
+}
+
+pub async fn handle_stack_webhook_inner<
+  B: super::VerifyBranch,
+  E: StackExecution,
+>(
+  stack: Stack,
+  body: String,
+) -> anyhow::Result<()> {
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through, from "action state busy".
+  let lock = stack_locks().get_or_insert_default(&stack.id).await;
+  let _lock = lock.lock().await;
+
+  if !stack.config.webhook_enabled {
+    return Err(anyhow!("stack does not have webhook enabled"));
+  }
+
+  B::verify_branch(&body, &stack.config.branch)?;
+
+  E::resolve(stack).await
+}
+
+// ======
+//  SYNC
+// ======
+
+impl super::CustomSecret for ResourceSync {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn sync_locks() -> &'static ListenerLockCache {
+  static SYNC_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  SYNC_LOCKS.get_or_init(Default::default)
+}
+
+pub trait SyncExecution {
+  async fn resolve(sync: ResourceSync) -> anyhow::Result<()>;
+}
+
+impl SyncExecution for RefreshResourceSyncPending {
+  async fn resolve(sync: ResourceSync) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    State
+      .resolve(RefreshResourceSyncPending { sync: sync.id }, user)
+      .await?;
+    Ok(())
+  }
+}
+
+impl SyncExecution for RunSync {
+  async fn resolve(sync: ResourceSync) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    let req = ExecuteRequest::RunSync(RunSync {
+      sync: sync.id,
+      resource_type: None,
+      resources: None,
+    });
+    let update = init_execution_update(&req, &user).await?;
+    let ExecuteRequest::RunSync(req) = req else {
+      unreachable!()
+    };
+    State.resolve(req, (user, update)).await?;
+    Ok(())
+  }
+}
+
+#[derive(Deserialize)]
+pub struct SyncWebhookPath {
+  pub option: SyncWebhookOption,
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum SyncWebhookOption {
+  Refresh,
+  Sync,
+}
+
+pub async fn handle_sync_webhook<B: super::VerifyBranch>(
+  option: SyncWebhookOption,
+  sync: ResourceSync,
+  body: String,
+) -> anyhow::Result<()> {
+  match option {
+    SyncWebhookOption::Refresh => {
+      handle_sync_webhook_inner::<B, RefreshResourceSyncPending>(
+        sync, body,
+      )
+      .await
+    }
+    SyncWebhookOption::Sync => {
+      handle_sync_webhook_inner::<B, RunSync>(sync, body).await
+    }
+  }
+}
+
+async fn handle_sync_webhook_inner<
+  B: super::VerifyBranch,
+  E: SyncExecution,
+>(
+  sync: ResourceSync,
+  body: String,
+) -> anyhow::Result<()> {
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock = sync_locks().get_or_insert_default(&sync.id).await;
+  let _lock = lock.lock().await;
+
+  if !sync.config.webhook_enabled {
+    return Err(anyhow!("sync does not have webhook enabled"));
+  }
+
+  B::verify_branch(&body, &sync.config.branch)?;
+
+  E::resolve(sync).await
+}
+
+// ===========
+//  PROCEDURE
+// ===========
+
+impl super::CustomSecret for Procedure {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn procedure_locks() -> &'static ListenerLockCache {
+  static PROCEDURE_LOCKS: OnceLock<ListenerLockCache> =
+    OnceLock::new();
+  PROCEDURE_LOCKS.get_or_init(Default::default)
+}
+
+pub async fn handle_procedure_webhook<B: super::VerifyBranch>(
+  procedure: Procedure,
+  target_branch: String,
+  body: String,
+) -> anyhow::Result<()> {
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock =
+    procedure_locks().get_or_insert_default(&procedure.id).await;
+  let _lock = lock.lock().await;
+
+  if !procedure.config.webhook_enabled {
+    return Err(anyhow!("procedure does not have webhook enabled"));
+  }
+
+  if target_branch != ANY_BRANCH {
+    B::verify_branch(&body, &target_branch)?;
+  }
+
+  let user = git_webhook_user().to_owned();
+  let req = ExecuteRequest::RunProcedure(RunProcedure {
+    procedure: procedure.id,
+  });
+  let update = init_execution_update(&req, &user).await?;
+  let ExecuteRequest::RunProcedure(req) = req else {
+    unreachable!()
+  };
+  State.resolve(req, (user, update)).await?;
+  Ok(())
+}
+
+// ========
+//  ACTION
+// ========
+
+impl super::CustomSecret for Action {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn action_locks() -> &'static ListenerLockCache {
+  static ACTION_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  ACTION_LOCKS.get_or_init(Default::default)
+}
+
+pub async fn handle_action_webhook<B: super::VerifyBranch>(
+  action: Action,
+  target_branch: String,
+  body: String,
+) -> anyhow::Result<()> {
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock = action_locks().get_or_insert_default(&action.id).await;
+  let _lock = lock.lock().await;
+
+  if !action.config.webhook_enabled {
+    return Err(anyhow!("action does not have webhook enabled"));
+  }
+
+  if target_branch != ANY_BRANCH {
+    B::verify_branch(&body, &target_branch)?;
+  }
+
+  let user = git_webhook_user().to_owned();
+  let req =
+    ExecuteRequest::RunAction(RunAction { action: action.id });
+  let update = init_execution_update(&req, &user).await?;
+  let ExecuteRequest::RunAction(req) = req else {
+    unreachable!()
+  };
+  State.resolve(req, (user, update)).await?;
+  Ok(())
+}

bin/core/src/listener/router.rs

@@ -0,0 +1,208 @@
+use axum::{extract::Path, http::HeaderMap, routing::post, Router};
+use komodo_client::entities::{
+  action::Action, build::Build, procedure::Procedure, repo::Repo,
+  resource::Resource, stack::Stack, sync::ResourceSync,
+};
+use serde::Deserialize;
+use tracing::Instrument;
+
+use crate::resource::KomodoResource;
+
+use super::{
+  resources::{
+    handle_action_webhook, handle_build_webhook,
+    handle_procedure_webhook, handle_repo_webhook,
+    handle_stack_webhook, handle_sync_webhook, RepoWebhookPath,
+    StackWebhookPath, SyncWebhookPath,
+  },
+  CustomSecret, VerifyBranch, VerifySecret,
+};
+
+#[derive(Deserialize)]
+struct Id {
+  id: String,
+}
+
+#[derive(Deserialize)]
+struct Branch {
+  #[serde(default = "default_branch")]
+  branch: String,
+}
+
+fn default_branch() -> String {
+  String::from("main")
+}
+
+pub fn router<P: VerifySecret + VerifyBranch>() -> Router {
+  Router::new()
+  .route(
+    "/build/:id",
+    post(
+      |Path(Id { id }), headers: HeaderMap, body: String| async move {
+        let build =
+          auth_webhook::<P, Build>(&id, headers, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("BuildWebhook", id);
+          async {
+            let res = handle_build_webhook::<P>(
+              build, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for build {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        serror::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/repo/:id/:option",
+    post(
+      |Path(Id { id }), Path(RepoWebhookPath { option }), headers: HeaderMap, body: String| async move {
+        let repo =
+          auth_webhook::<P, Repo>(&id, headers, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("RepoWebhook", id);
+          async {
+            let res = handle_repo_webhook::<P>(
+              option, repo, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for repo {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        serror::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/stack/:id/:option",
+    post(
+      |Path(Id { id }), Path(StackWebhookPath { option }), headers: HeaderMap, body: String| async move {
+        let stack =
+          auth_webhook::<P, Stack>(&id, headers, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("StackWebhook", id);
+          async {
+            let res = handle_stack_webhook::<P>(
+              option, stack, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for stack {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        serror::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/sync/:id/:option",
+    post(
+      |Path(Id { id }), Path(SyncWebhookPath { option }), headers: HeaderMap, body: String| async move {
+        let sync =
+          auth_webhook::<P, ResourceSync>(&id, headers, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("ResourceSyncWebhook", id);
+          async {
+            let res = handle_sync_webhook::<P>(
+              option, sync, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for resource sync {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        serror::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/procedure/:id/:branch",
+    post(
+      |Path(Id { id }), Path(Branch { branch }), headers: HeaderMap, body: String| async move {
+        let procedure =
+          auth_webhook::<P, Procedure>(&id, headers, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("ProcedureWebhook", id);
+          async {
+            let res = handle_procedure_webhook::<P>(
+              procedure, branch, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for procedure {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        serror::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/action/:id/:branch",
+    post(
+      |Path(Id { id }), Path(Branch { branch }), headers: HeaderMap, body: String| async move {
+        let action =
+          auth_webhook::<P, Action>(&id, headers, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("ActionWebhook", id);
+          async {
+            let res = handle_action_webhook::<P>(
+              action, branch, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for action {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        serror::Result::Ok(())
+      },
+    ),
+  )
+}
+
+async fn auth_webhook<P, R>(
+  id: &str,
+  headers: HeaderMap,
+  body: &str,
+) -> serror::Result<Resource<R::Config, R::Info>>
+where
+  P: VerifySecret,
+  R: KomodoResource + CustomSecret,
+{
+  let resource = crate::resource::get::<R>(id).await?;
+  P::verify_secret(headers, body, R::custom_secret(&resource))?;
+  Ok(resource)
+}

bin/core/src/main.rs

@@ -26,6 +26,7 @@ mod resource;
 mod stack;
 mod state;
 mod sync;
+mod ts_client;
 mod ws;
 
 async fn app() -> anyhow::Result<()> {
@@ -57,6 +58,7 @@ async fn app() -> anyhow::Result<()> {
   resource::spawn_build_state_refresh_loop();
   resource::spawn_repo_state_refresh_loop();
   resource::spawn_procedure_state_refresh_loop();
+  resource::spawn_action_state_refresh_loop();
   resource::spawn_resource_sync_state_refresh_loop();
   helpers::prune::spawn_prune_loop();
 
@@ -75,6 +77,7 @@ async fn app() -> anyhow::Result<()> {
     .nest("/execute", api::execute::router())
     .nest("/listener", listener::router())
     .nest("/ws", ws::router())
+    .nest("/client", ts_client::router())
     .nest_service("/", serve_dir)
     .fallback_service(frontend_index)
     .layer(cors()?)

bin/core/src/monitor/alert/server.rs

@@ -316,8 +316,8 @@ pub async fn alert_servers(
           Some(mut alert),
           _,
         ) => {
-          // Disk is persistent, update alert if health changes regardless of direction
-          if health.level != alert.level {
+          // modify alert level only if it has increased
+          if health.level < alert.level {
             let disk =
               server_status.stats.as_ref().and_then(|stats| {
                 stats.disks.iter().find(|disk| disk.mount == *path)

bin/core/src/resource/action.rs

@@ -0,0 +1,219 @@
+use std::time::Duration;
+
+use anyhow::Context;
+use komodo_client::entities::{
+  action::{
+    Action, ActionConfig, ActionConfigDiff, ActionInfo,
+    ActionListItem, ActionListItemInfo, ActionQuerySpecifics,
+    ActionState, PartialActionConfig,
+  },
+  resource::Resource,
+  update::Update,
+  user::User,
+  Operation, ResourceTargetVariant,
+};
+use mungos::{
+  find::find_collect,
+  mongodb::{bson::doc, options::FindOneOptions, Collection},
+};
+
+use crate::state::{action_state_cache, action_states, db_client};
+
+impl super::KomodoResource for Action {
+  type Config = ActionConfig;
+  type PartialConfig = PartialActionConfig;
+  type ConfigDiff = ActionConfigDiff;
+  type Info = ActionInfo;
+  type ListItem = ActionListItem;
+  type QuerySpecifics = ActionQuerySpecifics;
+
+  fn resource_type() -> ResourceTargetVariant {
+    ResourceTargetVariant::Action
+  }
+
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
+    &db_client().actions
+  }
+
+  async fn to_list_item(
+    action: Resource<Self::Config, Self::Info>,
+  ) -> Self::ListItem {
+    let state = get_action_state(&action.id).await;
+    ActionListItem {
+      name: action.name,
+      id: action.id,
+      tags: action.tags,
+      resource_type: ResourceTargetVariant::Action,
+      info: ActionListItemInfo {
+        state,
+        last_run_at: action.info.last_run_at,
+      },
+    }
+  }
+
+  async fn busy(id: &String) -> anyhow::Result<bool> {
+    action_states()
+      .action
+      .get(id)
+      .await
+      .unwrap_or_default()
+      .busy()
+  }
+
+  // CREATE
+
+  fn create_operation() -> Operation {
+    Operation::CreateAction
+  }
+
+  fn user_can_create(user: &User) -> bool {
+    user.admin
+  }
+
+  async fn validate_create_config(
+    config: &mut Self::PartialConfig,
+    _user: &User,
+  ) -> anyhow::Result<()> {
+    if config.file_contents.is_none() {
+      config.file_contents =
+        Some(DEFAULT_ACTION_FILE_CONTENTS.to_string());
+    }
+    Ok(())
+  }
+
+  async fn post_create(
+    _created: &Resource<Self::Config, Self::Info>,
+    _update: &mut Update,
+  ) -> anyhow::Result<()> {
+    refresh_action_state_cache().await;
+    Ok(())
+  }
+
+  // UPDATE
+
+  fn update_operation() -> Operation {
+    Operation::UpdateAction
+  }
+
+  async fn validate_update_config(
+    _id: &str,
+    _config: &mut Self::PartialConfig,
+    _user: &User,
+  ) -> anyhow::Result<()> {
+    Ok(())
+  }
+
+  async fn post_update(
+    updated: &Self,
+    update: &mut Update,
+  ) -> anyhow::Result<()> {
+    Self::post_create(updated, update).await
+  }
+
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameAction
+  }
+
+  // DELETE
+
+  fn delete_operation() -> Operation {
+    Operation::DeleteAction
+  }
+
+  async fn pre_delete(
+    _resource: &Resource<Self::Config, Self::Info>,
+    _update: &mut Update,
+  ) -> anyhow::Result<()> {
+    Ok(())
+  }
+
+  async fn post_delete(
+    _resource: &Resource<Self::Config, Self::Info>,
+    _update: &mut Update,
+  ) -> anyhow::Result<()> {
+    Ok(())
+  }
+}
+
+pub fn spawn_action_state_refresh_loop() {
+  tokio::spawn(async move {
+    loop {
+      refresh_action_state_cache().await;
+      tokio::time::sleep(Duration::from_secs(60)).await;
+    }
+  });
+}
+
+pub async fn refresh_action_state_cache() {
+  let _ = async {
+    let actions = find_collect(&db_client().actions, None, None)
+      .await
+      .context("Failed to get Actions from db")?;
+    let cache = action_state_cache();
+    for action in actions {
+      let state = get_action_state_from_db(&action.id).await;
+      cache.insert(action.id, state).await;
+    }
+    anyhow::Ok(())
+  }
+  .await
+  .inspect_err(|e| {
+    error!("Failed to refresh Action state cache | {e:#}")
+  });
+}
+
+async fn get_action_state(id: &String) -> ActionState {
+  if action_states()
+    .action
+    .get(id)
+    .await
+    .map(|s| s.get().map(|s| s.running))
+    .transpose()
+    .ok()
+    .flatten()
+    .unwrap_or_default()
+  {
+    return ActionState::Running;
+  }
+  action_state_cache().get(id).await.unwrap_or_default()
+}
+
+async fn get_action_state_from_db(id: &str) -> ActionState {
+  async {
+    let state = db_client()
+      .updates
+      .find_one(doc! {
+        "target.type": "Action",
+        "target.id": id,
+        "operation": "RunAction"
+      })
+      .with_options(
+        FindOneOptions::builder()
+          .sort(doc! { "start_ts": -1 })
+          .build(),
+      )
+      .await?
+      .map(|u| {
+        if u.success {
+          ActionState::Ok
+        } else {
+          ActionState::Failed
+        }
+      })
+      .unwrap_or(ActionState::Ok);
+    anyhow::Ok(state)
+  }
+  .await
+  .inspect_err(|e| {
+    warn!("Failed to get Action state for {id} | {e:#}")
+  })
+  .unwrap_or(ActionState::Unknown)
+}
+
+const DEFAULT_ACTION_FILE_CONTENTS: &str =
+  "// Run actions using the pre initialized 'komodo' client.
+const version: Types.GetVersionResponse = await komodo.read('GetVersion', {});
+console.log('🦎 Komodo version:', version.version, '🦎\\n');";

bin/core/src/resource/alerter.rs

@@ -25,8 +25,8 @@ impl super::KomodoResource for Alerter {
     ResourceTargetVariant::Alerter
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().alerters
   }
 
@@ -94,6 +94,12 @@ impl super::KomodoResource for Alerter {
     Ok(())
   }
 
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameAlerter
+  }
+
   // DELETE
 
   fn delete_operation() -> Operation {

bin/core/src/resource/build.rs

@@ -38,8 +38,8 @@ impl super::KomodoResource for Build {
     ResourceTargetVariant::Build
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().builds
   }
 
@@ -118,11 +118,16 @@ impl super::KomodoResource for Build {
   }
 
   async fn post_update(
-    _updated: &Self,
-    _update: &mut Update,
+    updated: &Self,
+    update: &mut Update,
   ) -> anyhow::Result<()> {
-    refresh_build_state_cache().await;
-    Ok(())
+    Self::post_create(updated, update).await
+  }
+
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameBuild
   }
 
   // DELETE

bin/core/src/resource/builder.rs

@@ -31,8 +31,8 @@ impl super::KomodoResource for Builder {
     ResourceTargetVariant::Builder
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().builders
   }
 
@@ -40,6 +40,9 @@ impl super::KomodoResource for Builder {
     builder: Resource<Self::Config, Self::Info>,
   ) -> Self::ListItem {
     let (builder_type, instance_type) = match builder.config {
+      BuilderConfig::Url(_) => {
+        (BuilderConfigVariant::Url.to_string(), None)
+      }
       BuilderConfig::Server(config) => (
         BuilderConfigVariant::Server.to_string(),
         Some(config.server_id),
@@ -118,6 +121,12 @@ impl super::KomodoResource for Builder {
     Ok(())
   }
 
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameBuilder
+  }
+
   // DELETE
 
   fn delete_operation() -> Operation {
@@ -128,17 +137,22 @@ impl super::KomodoResource for Builder {
     resource: &Resource<Self::Config, Self::Info>,
     _update: &mut Update,
   ) -> anyhow::Result<()> {
-    // remove the builder from any attached builds
     db_client()
       .builds
       .update_many(
-        doc! { "config.builder.params.builder_id": &resource.id },
-        mungos::update::Update::Set(
-          doc! { "config.builder.params.builder_id": "" },
-        ),
+        doc! { "config.builder_id": &resource.id },
+        mungos::update::Update::Set(doc! { "config.builder_id": "" }),
       )
       .await
       .context("failed to update_many builds on database")?;
+    db_client()
+      .repos
+      .update_many(
+        doc! { "config.builder_id": &resource.id },
+        mungos::update::Update::Set(doc! { "config.builder_id": "" }),
+      )
+      .await
+      .context("failed to update_many repos on database")?;
     Ok(())
   }
 

bin/core/src/resource/deployment.rs

@@ -26,7 +26,6 @@ use crate::{
     query::get_deployment_state,
   },
   monitor::update_cache_for_server,
-  resource,
   state::{action_states, db_client, deployment_status_cache},
 };
 
@@ -44,8 +43,8 @@ impl super::KomodoResource for Deployment {
     ResourceTargetVariant::Deployment
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().deployments
   }
 
@@ -132,11 +131,21 @@ impl super::KomodoResource for Deployment {
     created: &Resource<Self::Config, Self::Info>,
     _update: &mut Update,
   ) -> anyhow::Result<()> {
-    if !created.config.server_id.is_empty() {
-      let server =
-        resource::get::<Server>(&created.config.server_id).await?;
-      update_cache_for_server(&server).await;
+    if created.config.server_id.is_empty() {
+      return Ok(());
     }
+    let Ok(server) = super::get::<Server>(&created.config.server_id)
+      .await
+      .inspect_err(|e| {
+        warn!(
+          "Failed to get Server for Deployment {} | {e:#}",
+          created.name
+        )
+      })
+    else {
+      return Ok(());
+    };
+    update_cache_for_server(&server).await;
     Ok(())
   }
 
@@ -156,14 +165,15 @@ impl super::KomodoResource for Deployment {
 
   async fn post_update(
     updated: &Self,
-    _update: &mut Update,
+    update: &mut Update,
   ) -> anyhow::Result<()> {
-    if !updated.config.server_id.is_empty() {
-      let server =
-        resource::get::<Server>(&updated.config.server_id).await?;
-      update_cache_for_server(&server).await;
-    }
-    Ok(())
+    Self::post_create(updated, update).await
+  }
+
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameDeployment
   }
 
   // DELETE

bin/core/src/resource/mod.rs

@@ -7,7 +7,7 @@ use anyhow::{anyhow, Context};
 use formatting::format_serror;
 use futures::{future::join_all, FutureExt};
 use komodo_client::{
-  api::write::CreateTag,
+  api::{read::ExportResourcesToToml, write::CreateTag},
   entities::{
     komodo_timestamp,
     permission::PermissionLevel,
@@ -18,6 +18,7 @@ use komodo_client::{
     user::{system_user, User},
     Operation, ResourceTarget, ResourceTargetVariant,
   },
+  parsers::parse_string_list,
 };
 use mungos::{
   by_id::{delete_one_by_id, update_one_by_id},
@@ -45,6 +46,7 @@ use crate::{
   state::{db_client, State},
 };
 
+mod action;
 mod alerter;
 mod build;
 mod builder;
@@ -57,6 +59,9 @@ mod server_template;
 mod stack;
 mod sync;
 
+pub use action::{
+  refresh_action_state_cache, spawn_action_state_refresh_loop,
+};
 pub use build::{
   refresh_build_state_cache, spawn_build_state_refresh_loop,
 };
@@ -106,8 +111,7 @@ pub trait KomodoResource {
 
   fn resource_type() -> ResourceTargetVariant;
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>>;
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>;
 
   async fn to_list_item(
     resource: Resource<Self::Config, Self::Info>,
@@ -165,6 +169,12 @@ pub trait KomodoResource {
     update: &mut Update,
   ) -> anyhow::Result<()>;
 
+  // =======
+  // RENAME
+  // =======
+
+  fn rename_operation() -> Operation;
+
   // =======
   // DELETE
   // =======
@@ -195,7 +205,6 @@ pub async fn get<T: KomodoResource>(
   id_or_name: &str,
 ) -> anyhow::Result<Resource<T::Config, T::Info>> {
   T::coll()
-    .await
     .find_one(id_or_name_filter(id_or_name))
     .await
     .context("failed to query db for resource")?
@@ -234,77 +243,6 @@ pub async fn get_check_permissions<T: KomodoResource>(
   }
 }
 
-// ======
-// LIST
-// ======
-
-/// Returns None if still no need to filter by resource id (eg transparent mode, group membership with all access).
-#[instrument(level = "debug")]
-pub async fn get_resource_ids_for_user<T: KomodoResource>(
-  user: &User,
-) -> anyhow::Result<Option<Vec<ObjectId>>> {
-  // Check admin or transparent mode
-  if user.admin || core_config().transparent_mode {
-    return Ok(None);
-  }
-
-  let resource_type = T::resource_type();
-
-  // Check user 'all' on variant
-  if let Some(level) = user.all.get(&resource_type).cloned() {
-    if level > PermissionLevel::None {
-      return Ok(None);
-    }
-  }
-
-  // Check user groups 'all' on variant
-  let groups = get_user_user_groups(&user.id).await?;
-  for group in &groups {
-    if let Some(level) = group.all.get(&resource_type).cloned() {
-      if level > PermissionLevel::None {
-        return Ok(None);
-      }
-    }
-  }
-
-  let (base, perms) = tokio::try_join!(
-    // Get any resources with non-none base permission,
-    find_collect(
-      T::coll().await,
-      doc! { "base_permission": { "$ne": "None" } },
-      None,
-    )
-    .map(|res| res.with_context(|| format!(
-      "failed to query {resource_type} on db"
-    ))),
-    // And any ids using the permissions table
-    find_collect(
-      &db_client().permissions,
-      doc! {
-        "$or": user_target_query(&user.id, &groups)?,
-        "resource_target.type": resource_type.as_ref(),
-        "level": { "$in": ["Read", "Execute", "Write"] }
-      },
-      None,
-    )
-    .map(|res| res.context("failed to query permissions on db"))
-  )?;
-
-  // Add specific ids
-  let ids = perms
-    .into_iter()
-    .map(|p| p.resource_target.extract_variant_id().1.to_string())
-    // Chain in the ones with non-None base permissions
-    .chain(base.into_iter().map(|res| res.id))
-    // collect into hashset first to remove any duplicates
-    .collect::<HashSet<_>>()
-    .into_iter()
-    .flat_map(|id| ObjectId::from_str(&id))
-    .collect::<HashSet<_>>();
-
-  Ok(Some(ids.into_iter().collect()))
-}
-
 #[instrument(level = "debug")]
 pub async fn get_user_permission_on_resource<T: KomodoResource>(
   user: &User,
@@ -378,6 +316,89 @@ pub async fn get_user_permission_on_resource<T: KomodoResource>(
   Ok(permission)
 }
 
+// ======
+// LIST
+// ======
+
+/// Returns None if still no need to filter by resource id (eg transparent mode, group membership with all access).
+#[instrument(level = "debug")]
+pub async fn get_resource_object_ids_for_user<T: KomodoResource>(
+  user: &User,
+) -> anyhow::Result<Option<Vec<ObjectId>>> {
+  get_resource_ids_for_user::<T>(user).await.map(|ids| {
+    ids.map(|ids| {
+      ids
+        .into_iter()
+        .flat_map(|id| ObjectId::from_str(&id))
+        .collect()
+    })
+  })
+}
+
+/// Returns None if still no need to filter by resource id (eg transparent mode, group membership with all access).
+#[instrument(level = "debug")]
+pub async fn get_resource_ids_for_user<T: KomodoResource>(
+  user: &User,
+) -> anyhow::Result<Option<Vec<String>>> {
+  // Check admin or transparent mode
+  if user.admin || core_config().transparent_mode {
+    return Ok(None);
+  }
+
+  let resource_type = T::resource_type();
+
+  // Check user 'all' on variant
+  if let Some(level) = user.all.get(&resource_type).cloned() {
+    if level > PermissionLevel::None {
+      return Ok(None);
+    }
+  }
+
+  // Check user groups 'all' on variant
+  let groups = get_user_user_groups(&user.id).await?;
+  for group in &groups {
+    if let Some(level) = group.all.get(&resource_type).cloned() {
+      if level > PermissionLevel::None {
+        return Ok(None);
+      }
+    }
+  }
+
+  let (base, perms) = tokio::try_join!(
+    // Get any resources with non-none base permission,
+    find_collect(
+      T::coll(),
+      doc! { "base_permission": { "$exists": true, "$ne": "None" } },
+      None,
+    )
+    .map(|res| res.with_context(|| format!(
+      "failed to query {resource_type} on db"
+    ))),
+    // And any ids using the permissions table
+    find_collect(
+      &db_client().permissions,
+      doc! {
+        "$or": user_target_query(&user.id, &groups)?,
+        "resource_target.type": resource_type.as_ref(),
+        "level": { "$exists": true, "$ne": "None" }
+      },
+      None,
+    )
+    .map(|res| res.context("failed to query permissions on db"))
+  )?;
+
+  // Add specific ids
+  let ids = perms
+    .into_iter()
+    .map(|p| p.resource_target.extract_variant_id().1.to_string())
+    // Chain in the ones with non-None base permissions
+    .chain(base.into_iter().map(|res| res.id))
+    // collect into hashset first to remove any duplicates
+    .collect::<HashSet<_>>();
+
+  Ok(Some(ids.into_iter().collect()))
+}
+
 #[instrument(level = "debug")]
 pub async fn list_for_user<T: KomodoResource>(
   mut query: ResourceQuery<T::QuerySpecifics>,
@@ -390,6 +411,23 @@ pub async fn list_for_user<T: KomodoResource>(
   list_for_user_using_document::<T>(filters, user).await
 }
 
+#[instrument(level = "debug")]
+pub async fn list_for_user_using_pattern<T: KomodoResource>(
+  pattern: &str,
+  query: ResourceQuery<T::QuerySpecifics>,
+  user: &User,
+  all_tags: &[Tag],
+) -> anyhow::Result<Vec<T::ListItem>> {
+  let list = list_full_for_user_using_pattern::<T>(
+    pattern, query, user, all_tags,
+  )
+  .await?
+  .into_iter()
+  .map(|resource| T::to_list_item(resource));
+  Ok(join_all(list).await)
+}
+
+#[instrument(level = "debug")]
 pub async fn list_for_user_using_document<T: KomodoResource>(
   filters: Document,
   user: &User,
@@ -401,6 +439,55 @@ pub async fn list_for_user_using_document<T: KomodoResource>(
   Ok(join_all(list).await)
 }
 
+/// Lists full resource matching wildcard syntax,
+/// or regex if wrapped with "\\"
+///
+/// ## Example
+/// ```
+/// let items = list_full_for_user_using_match_string::<Build>("foo-*", Default::default(), user, all_tags).await?;
+/// let items = list_full_for_user_using_match_string::<Build>("\\^foo-.*$\\", Default::default(), user, all_tags).await?;
+/// ```
+#[instrument(level = "debug")]
+pub async fn list_full_for_user_using_pattern<T: KomodoResource>(
+  pattern: &str,
+  query: ResourceQuery<T::QuerySpecifics>,
+  user: &User,
+  all_tags: &[Tag],
+) -> anyhow::Result<Vec<Resource<T::Config, T::Info>>> {
+  let resources =
+    list_full_for_user::<T>(query, user, all_tags).await?;
+
+  let patterns = parse_string_list(pattern);
+  let mut names = HashSet::<String>::new();
+
+  for pattern in patterns {
+    if pattern.starts_with('\\') && pattern.ends_with('\\') {
+      let regex = regex::Regex::new(&pattern[1..(pattern.len() - 1)])
+        .context("Regex matching string invalid")?;
+      for resource in &resources {
+        if regex.is_match(&resource.name) {
+          names.insert(resource.name.clone());
+        }
+      }
+    } else {
+      let wildcard = wildcard::Wildcard::new(pattern.as_bytes())
+        .context("Wildcard matching string invalid")?;
+      for resource in &resources {
+        if wildcard.is_match(resource.name.as_bytes()) {
+          names.insert(resource.name.clone());
+        }
+      }
+    };
+  }
+
+  Ok(
+    resources
+      .into_iter()
+      .filter(|resource| names.contains(resource.name.as_str()))
+      .collect(),
+  )
+}
+
 #[instrument(level = "debug")]
 pub async fn list_full_for_user<T: KomodoResource>(
   mut query: ResourceQuery<T::QuerySpecifics>,
@@ -418,11 +505,13 @@ pub async fn list_full_for_user_using_document<T: KomodoResource>(
   mut filters: Document,
   user: &User,
 ) -> anyhow::Result<Vec<Resource<T::Config, T::Info>>> {
-  if let Some(ids) = get_resource_ids_for_user::<T>(user).await? {
+  if let Some(ids) =
+    get_resource_object_ids_for_user::<T>(user).await?
+  {
     filters.insert("_id", doc! { "$in": ids });
   }
   find_collect(
-    T::coll().await,
+    T::coll(),
     filters,
     FindOptions::builder().sort(doc! { "name": 1 }).build(),
   )
@@ -445,7 +534,7 @@ pub async fn get_id_to_resource_map<T: KomodoResource>(
   id_to_tags: &HashMap<String, Tag>,
   match_tags: &[String],
 ) -> anyhow::Result<IdResourceMap<T>> {
-  let res = find_collect(T::coll().await, None, None)
+  let res = find_collect(T::coll(), None, None)
     .await
     .with_context(|| {
       format!("failed to pull {}s from mongo", T::resource_type())
@@ -537,7 +626,6 @@ pub async fn create<T: KomodoResource>(
   };
 
   let resource_id = T::coll()
-    .await
     .insert_one(&resource)
     .await
     .with_context(|| {
@@ -605,7 +693,7 @@ pub async fn update<T: KomodoResource>(
   let diff = resource.config.partial_diff(config);
 
   if diff.is_none() {
-    return Err(anyhow!("update has no changes"));
+    return Ok(resource);
   }
 
   let mut diff_log = String::from("diff");
@@ -626,14 +714,9 @@ pub async fn update<T: KomodoResource>(
 
   let update_doc = flatten_document(doc! { "config": config_doc });
 
-  update_one_by_id(
-    T::coll().await,
-    &id,
-    doc! { "$set": update_doc },
-    None,
-  )
-  .await
-  .context("failed to update resource on database")?;
+  update_one_by_id(T::coll(), &id, doc! { "$set": update_doc }, None)
+    .await
+    .context("failed to update resource on database")?;
 
   let mut update = make_update(
     resource_target::<T>(id),
@@ -673,6 +756,7 @@ fn resource_target<T: KomodoResource>(id: String) -> ResourceTarget {
       ResourceTarget::ResourceSync(id)
     }
     ResourceTargetVariant::Stack => ResourceTarget::Stack(id),
+    ResourceTargetVariant::Action => ResourceTarget::Action(id),
   }
 }
 
@@ -688,7 +772,6 @@ pub async fn update_description<T: KomodoResource>(
   )
   .await?;
   T::coll()
-    .await
     .update_one(
       id_or_name_filter(id_or_name),
       doc! { "$set": { "description": description } },
@@ -722,7 +805,6 @@ pub async fn update_tags<T: KomodoResource>(
     .flatten()
     .collect::<Vec<_>>();
   T::coll()
-    .await
     .update_one(
       id_or_name_filter(id_or_name),
       doc! { "$set": { "tags": tags } },
@@ -735,13 +817,67 @@ pub async fn remove_tag_from_all<T: KomodoResource>(
   tag_id: &str,
 ) -> anyhow::Result<()> {
   T::coll()
-    .await
     .update_many(doc! {}, doc! { "$pull": { "tags": tag_id } })
     .await
     .context("failed to remove tag from resources")?;
   Ok(())
 }
 
+// =======
+// RENAME
+// =======
+
+pub async fn rename<T: KomodoResource>(
+  id_or_name: &str,
+  name: &str,
+  user: &User,
+) -> anyhow::Result<Update> {
+  let resource = get_check_permissions::<T>(
+    id_or_name,
+    user,
+    PermissionLevel::Write,
+  )
+  .await?;
+
+  let mut update = make_update(
+    resource_target::<T>(resource.id.clone()),
+    T::rename_operation(),
+    user,
+  );
+
+  let name = to_komodo_name(name);
+
+  update_one_by_id(
+    T::coll(),
+    &resource.id,
+    mungos::update::Update::Set(
+      doc! { "name": &name, "updated_at": komodo_timestamp() },
+    ),
+    None,
+  )
+  .await
+  .with_context(|| {
+    format!(
+      "Failed to update {ty} on db. This name may already be taken.",
+      ty = T::resource_type()
+    )
+  })?;
+
+  update.push_simple_log(
+    &format!("Rename {}", T::resource_type()),
+    format!(
+      "Renamed {ty} {id} from {prev_name} to {name}",
+      ty = T::resource_type(),
+      id = resource.id,
+      prev_name = resource.name
+    ),
+  );
+
+  update.finalize();
+  update.id = add_update(update.clone()).await?;
+  Ok(update)
+}
+
 // =======
 // DELETE
 // =======
@@ -762,6 +898,16 @@ pub async fn delete<T: KomodoResource>(
   }
 
   let target = resource_target::<T>(resource.id.clone());
+  let toml = State
+    .resolve(
+      ExportResourcesToToml {
+        targets: vec![target.clone()],
+        ..Default::default()
+      },
+      user.clone(),
+    )
+    .await?
+    .toml;
 
   let mut update =
     make_update(target.clone(), T::delete_operation(), user);
@@ -771,16 +917,17 @@ pub async fn delete<T: KomodoResource>(
   delete_all_permissions_on_resource(target.clone()).await;
   remove_from_recently_viewed(target.clone()).await;
 
-  delete_one_by_id(T::coll().await, &resource.id, None)
+  delete_one_by_id(T::coll(), &resource.id, None)
     .await
     .with_context(|| {
-      format!("failed to delete {} from database", T::resource_type())
+      format!("Failed to delete {} from database", T::resource_type())
     })?;
 
   update.push_simple_log(
-    &format!("delete {}", T::resource_type()),
-    format!("deleted {} {}", T::resource_type(), resource.name),
+    &format!("Delete {}", T::resource_type()),
+    format!("Deleted {} {}", T::resource_type(), resource.name),
   );
+  update.push_simple_log("Deleted Toml", toml);
 
   if let Err(e) = T::post_delete(&resource, &mut update).await {
     update.push_error_log("post delete", format_serror(&e.into()));
@@ -846,6 +993,7 @@ where
     ResourceTarget::Build(id) => ("recents.Build", id),
     ResourceTarget::Repo(id) => ("recents.Repo", id),
     ResourceTarget::Procedure(id) => ("recents.Procedure", id),
+    ResourceTarget::Action(id) => ("recents.Action", id),
     ResourceTarget::Stack(id) => ("recents.Stack", id),
     ResourceTarget::Builder(id) => ("recents.Builder", id),
     ResourceTarget::Alerter(id) => ("recents.Alerter", id),

bin/core/src/resource/procedure.rs

@@ -4,6 +4,7 @@ use anyhow::{anyhow, Context};
 use komodo_client::{
   api::execute::Execution,
   entities::{
+    action::Action,
     build::Build,
     deployment::Deployment,
     permission::PermissionLevel,
@@ -44,8 +45,8 @@ impl super::KomodoResource for Procedure {
     ResourceTargetVariant::Procedure
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().procedures
   }
 
@@ -114,11 +115,16 @@ impl super::KomodoResource for Procedure {
   }
 
   async fn post_update(
-    _updated: &Self,
-    _update: &mut Update,
+    updated: &Self,
+    update: &mut Update,
   ) -> anyhow::Result<()> {
-    refresh_procedure_state_cache().await;
-    Ok(())
+    Self::post_create(updated, update).await
+  }
+
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameProcedure
   }
 
   // DELETE
@@ -172,6 +178,29 @@ async fn validate_config(
           }
           params.procedure = procedure.id;
         }
+        Execution::BatchRunProcedure(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
+        Execution::RunAction(params) => {
+          let action = super::get_check_permissions::<Action>(
+            &params.action,
+            user,
+            PermissionLevel::Execute,
+          )
+          .await?;
+          params.action = action.id;
+        }
+        Execution::BatchRunAction(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::RunBuild(params) => {
           let build = super::get_check_permissions::<Build>(
             &params.build,
@@ -181,6 +210,13 @@ async fn validate_config(
           .await?;
           params.build = build.id;
         }
+        Execution::BatchRunBuild(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::CancelBuild(params) => {
           let build = super::get_check_permissions::<Build>(
             &params.build,
@@ -200,6 +236,13 @@ async fn validate_config(
             .await?;
           params.deployment = deployment.id;
         }
+        Execution::BatchDeploy(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::StartDeployment(params) => {
           let deployment =
             super::get_check_permissions::<Deployment>(
@@ -260,6 +303,13 @@ async fn validate_config(
             .await?;
           params.deployment = deployment.id;
         }
+        Execution::BatchDestroyDeployment(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::CloneRepo(params) => {
           let repo = super::get_check_permissions::<Repo>(
             &params.repo,
@@ -269,6 +319,13 @@ async fn validate_config(
           .await?;
           params.repo = repo.id;
         }
+        Execution::BatchCloneRepo(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::PullRepo(params) => {
           let repo = super::get_check_permissions::<Repo>(
             &params.repo,
@@ -278,6 +335,13 @@ async fn validate_config(
           .await?;
           params.repo = repo.id;
         }
+        Execution::BatchPullRepo(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::BuildRepo(params) => {
           let repo = super::get_check_permissions::<Repo>(
             &params.repo,
@@ -287,6 +351,13 @@ async fn validate_config(
           .await?;
           params.repo = repo.id;
         }
+        Execution::BatchBuildRepo(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::CancelRepoBuild(params) => {
           let repo = super::get_check_permissions::<Repo>(
             &params.repo,
@@ -513,6 +584,13 @@ async fn validate_config(
           .await?;
           params.stack = stack.id;
         }
+        Execution::BatchDeployStack(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::DeployStackIfChanged(params) => {
           let stack = super::get_check_permissions::<Stack>(
             &params.stack,
@@ -522,6 +600,13 @@ async fn validate_config(
           .await?;
           params.stack = stack.id;
         }
+        Execution::BatchDeployStackIfChanged(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::StartStack(params) => {
           let stack = super::get_check_permissions::<Stack>(
             &params.stack,
@@ -576,6 +661,13 @@ async fn validate_config(
           .await?;
           params.stack = stack.id;
         }
+        Execution::BatchDestroyStack(_params) => {
+          if !user.admin {
+            return Err(anyhow!(
+              "Non admin user cannot configure Batch executions"
+            ));
+          }
+        }
         Execution::Sleep(_) => {}
       }
     }
@@ -598,7 +690,7 @@ pub async fn refresh_procedure_state_cache() {
     let procedures =
       find_collect(&db_client().procedures, None, None)
         .await
-        .context("failed to get procedures from db")?;
+        .context("Failed to get Procedures from db")?;
     let cache = procedure_state_cache();
     for procedure in procedures {
       let state = get_procedure_state_from_db(&procedure.id).await;
@@ -608,7 +700,7 @@ pub async fn refresh_procedure_state_cache() {
   }
   .await
   .inspect_err(|e| {
-    error!("failed to refresh build state cache | {e:#}")
+    error!("Failed to refresh Procedure state cache | {e:#}")
   });
 }
 
@@ -655,7 +747,7 @@ async fn get_procedure_state_from_db(id: &str) -> ProcedureState {
   }
   .await
   .inspect_err(|e| {
-    warn!("failed to get procedure state for {id} | {e:#}")
+    warn!("Failed to get Procedure state for {id} | {e:#}")
   })
   .unwrap_or(ProcedureState::Unknown)
 }

bin/core/src/resource/repo.rs

@@ -11,6 +11,7 @@ use komodo_client::entities::{
   },
   resource::Resource,
   server::Server,
+  to_komodo_name,
   update::Update,
   user::User,
   Operation, ResourceTargetVariant,
@@ -43,8 +44,8 @@ impl super::KomodoResource for Repo {
     ResourceTargetVariant::Repo
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().repos
   }
 
@@ -132,6 +133,12 @@ impl super::KomodoResource for Repo {
     Ok(())
   }
 
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameRepo
+  }
+
   // DELETE
 
   fn delete_operation() -> Operation {
@@ -158,7 +165,11 @@ impl super::KomodoResource for Repo {
 
     match periphery
       .request(DeleteRepo {
-        name: repo.name.clone(),
+        name: if repo.config.path.is_empty() {
+          to_komodo_name(&repo.name)
+        } else {
+          repo.config.path.clone()
+        },
       })
       .await
     {

bin/core/src/resource/server.rs

@@ -30,8 +30,8 @@ impl super::KomodoResource for Server {
     ResourceTargetVariant::Server
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().servers
   }
 
@@ -47,6 +47,7 @@ impl super::KomodoResource for Server {
       info: ServerListItemInfo {
         state: status.map(|s| s.state).unwrap_or_default(),
         region: server.config.region,
+        address: server.config.address,
         send_unreachable_alerts: server
           .config
           .send_unreachable_alerts,
@@ -115,6 +116,12 @@ impl super::KomodoResource for Server {
     Ok(())
   }
 
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameServer
+  }
+
   // DELETE
 
   fn delete_operation() -> Operation {

bin/core/src/resource/server_template.rs

@@ -29,8 +29,8 @@ impl super::KomodoResource for ServerTemplate {
     ResourceTargetVariant::ServerTemplate
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().server_templates
   }
 
@@ -117,6 +117,12 @@ impl super::KomodoResource for ServerTemplate {
     Ok(())
   }
 
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameServerTemplate
+  }
+
   // DELETE
 
   fn delete_operation() -> Operation {

bin/core/src/resource/stack.rs

@@ -44,8 +44,8 @@ impl super::KomodoResource for Stack {
     ResourceTargetVariant::Stack
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().stacks
   }
 
@@ -172,7 +172,7 @@ impl super::KomodoResource for Stack {
       .await
       .inspect_err(|e| {
         warn!(
-          "Failed to get server for stack {} | {e:#}",
+          "Failed to get Server for Stack {} | {e:#}",
           created.name
         )
       })
@@ -204,6 +204,12 @@ impl super::KomodoResource for Stack {
     Self::post_create(updated, update).await
   }
 
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameStack
+  }
+
   // DELETE
 
   fn delete_operation() -> Operation {

bin/core/src/resource/sync.rs

@@ -41,8 +41,8 @@ impl super::KomodoResource for ResourceSync {
     ResourceTargetVariant::ResourceSync
   }
 
-  async fn coll(
-  ) -> &'static Collection<Resource<Self::Config, Self::Info>> {
+  fn coll() -> &'static Collection<Resource<Self::Config, Self::Info>>
+  {
     &db_client().resource_syncs
   }
 
@@ -117,6 +117,7 @@ impl super::KomodoResource for ResourceSync {
         format_serror(&e.context("The sync pending cache has failed to refresh. This is likely due to a misconfiguration of the sync").into())
       );
     };
+    refresh_resource_sync_state_cache().await;
     Ok(())
   }
 
@@ -141,6 +142,12 @@ impl super::KomodoResource for ResourceSync {
     Self::post_create(updated, update).await
   }
 
+  // RENAME
+
+  fn rename_operation() -> Operation {
+    Operation::RenameResourceSync
+  }
+
   // DELETE
 
   fn delete_operation() -> Operation {

bin/core/src/stack/services.rs

@@ -1,6 +1,9 @@
 use anyhow::Context;
 use komodo_client::entities::{
-  stack::{ComposeFile, ComposeService, Stack, StackServiceNames},
+  stack::{
+    ComposeFile, ComposeService, ComposeServiceDeploy, Stack,
+    StackServiceNames,
+  },
   FileContents,
 };
 
@@ -69,16 +72,40 @@ pub fn extract_services_into_res(
   let compose = serde_yaml::from_str::<ComposeFile>(compose_contents)
     .context("failed to parse service names from compose contents")?;
 
-  let services = compose.services.into_iter().map(
-    |(service_name, ComposeService { container_name, .. })| {
-      StackServiceNames {
-        container_name: container_name.unwrap_or_else(|| {
-          format!("{project_name}-{service_name}")
-        }),
-        service_name,
-      }
+  let mut services = Vec::with_capacity(compose.services.capacity());
+
+  for (
+    service_name,
+    ComposeService {
+      container_name,
+      deploy,
+      ..
     },
-  );
+  ) in compose.services
+  {
+    match deploy {
+      Some(ComposeServiceDeploy {
+        replicas: Some(replicas),
+      }) if replicas > 1 => {
+        for i in 1..1 + replicas {
+          services.push(StackServiceNames {
+            container_name: format!(
+              "{project_name}-{service_name}-{i}"
+            ),
+            service_name: format!("{service_name}-{i}"),
+          });
+        }
+      }
+      _ => {
+        services.push(StackServiceNames {
+          container_name: container_name.unwrap_or_else(|| {
+            format!("{project_name}-{service_name}")
+          }),
+          service_name,
+        });
+      }
+    }
+  }
 
   res.extend(services);
 

bin/core/src/state.rs

@@ -5,6 +5,7 @@ use std::{
 
 use anyhow::Context;
 use komodo_client::entities::{
+  action::ActionState,
   build::BuildState,
   config::core::{CoreConfig, GithubWebhookAppConfig},
   deployment::DeploymentState,
@@ -191,6 +192,14 @@ pub fn procedure_state_cache() -> &'static ProcedureStateCache {
   PROCEDURE_STATE_CACHE.get_or_init(Default::default)
 }
 
+pub type ActionStateCache = Cache<String, ActionState>;
+
+pub fn action_state_cache() -> &'static ActionStateCache {
+  static ACTION_STATE_CACHE: OnceLock<ActionStateCache> =
+    OnceLock::new();
+  ACTION_STATE_CACHE.get_or_init(Default::default)
+}
+
 pub type ResourceSyncStateCache = Cache<String, ResourceSyncState>;
 
 pub fn resource_sync_state_cache() -> &'static ResourceSyncStateCache

bin/core/src/sync/execute.rs

@@ -32,7 +32,7 @@ pub async fn get_updates_for_execution<
   id_to_tags: &HashMap<String, Tag>,
   match_tags: &[String],
 ) -> anyhow::Result<UpdatesResult<Resource::PartialConfig>> {
-  let map = find_collect(Resource::coll().await, None, None)
+  let map = find_collect(Resource::coll(), None, None)
     .await
     .context("failed to get resources from db")?
     .into_iter()

bin/core/src/sync/file.rs

@@ -262,6 +262,9 @@ pub fn extend_resources(
   resources
     .procedures
     .extend(filter_by_tag(more.procedures, match_tags));
+  resources
+    .actions
+    .extend(filter_by_tag(more.actions, match_tags));
   resources
     .alerters
     .extend(filter_by_tag(more.alerters, match_tags));

bin/core/src/sync/mod.rs

@@ -1,7 +1,7 @@
 use std::{collections::HashMap, str::FromStr};
 
 use komodo_client::entities::{
-  alerter::Alerter, build::Build, builder::Builder,
+  action::Action, alerter::Alerter, build::Build, builder::Builder,
   deployment::Deployment, procedure::Procedure, repo::Repo,
   server::Server, server_template::ServerTemplate, stack::Stack,
   sync::ResourceSync, tag::Tag, toml::ResourceToml, ResourceTarget,
@@ -147,6 +147,7 @@ pub struct AllResourcesById {
   pub builds: HashMap<String, Build>,
   pub repos: HashMap<String, Repo>,
   pub procedures: HashMap<String, Procedure>,
+  pub actions: HashMap<String, Action>,
   pub builders: HashMap<String, Builder>,
   pub alerters: HashMap<String, Alerter>,
   pub templates: HashMap<String, ServerTemplate>,
@@ -181,6 +182,10 @@ impl AllResourcesById {
           id_to_tags, match_tags,
         )
         .await?,
+      actions: crate::resource::get_id_to_resource_map::<Action>(
+        id_to_tags, match_tags,
+      )
+      .await?,
       builders: crate::resource::get_id_to_resource_map::<Builder>(
         id_to_tags, match_tags,
       )

bin/core/src/sync/resources.rs

@@ -4,6 +4,7 @@ use formatting::{bold, colored, muted, Color};
 use komodo_client::{
   api::execute::Execution,
   entities::{
+    action::Action,
     alerter::Alerter,
     build::Build,
     builder::{Builder, BuilderConfig},
@@ -233,6 +234,22 @@ impl ResourceSyncTrait for ServerTemplate {
 
 impl ExecuteResourceSync for ServerTemplate {}
 
+impl ResourceSyncTrait for Action {
+  fn resource_target(id: String) -> ResourceTarget {
+    ResourceTarget::Action(id)
+  }
+
+  fn get_diff(
+    original: Self::Config,
+    update: Self::PartialConfig,
+    _resources: &AllResourcesById,
+  ) -> anyhow::Result<Self::ConfigDiff> {
+    Ok(original.partial_diff(update))
+  }
+}
+
+impl ExecuteResourceSync for Action {}
+
 impl ResourceSyncTrait for ResourceSync {
   fn resource_target(id: String) -> ResourceTarget {
     ResourceTarget::ResourceSync(id)
@@ -343,6 +360,15 @@ impl ResourceSyncTrait for Procedure {
               .map(|p| p.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchRunProcedure(_config) => {}
+          Execution::RunAction(config) => {
+            config.action = resources
+              .actions
+              .get(&config.action)
+              .map(|p| p.name.clone())
+              .unwrap_or_default();
+          }
+          Execution::BatchRunAction(_config) => {}
           Execution::RunBuild(config) => {
             config.build = resources
               .builds
@@ -350,6 +376,7 @@ impl ResourceSyncTrait for Procedure {
               .map(|b| b.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchRunBuild(_config) => {}
           Execution::CancelBuild(config) => {
             config.build = resources
               .builds
@@ -364,6 +391,7 @@ impl ResourceSyncTrait for Procedure {
               .map(|d| d.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchDeploy(_config) => {}
           Execution::StartDeployment(config) => {
             config.deployment = resources
               .deployments
@@ -406,6 +434,7 @@ impl ResourceSyncTrait for Procedure {
               .map(|d| d.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchDestroyDeployment(_config) => {}
           Execution::CloneRepo(config) => {
             config.repo = resources
               .repos
@@ -413,6 +442,7 @@ impl ResourceSyncTrait for Procedure {
               .map(|d| d.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchCloneRepo(_config) => {}
           Execution::PullRepo(config) => {
             config.repo = resources
               .repos
@@ -420,6 +450,7 @@ impl ResourceSyncTrait for Procedure {
               .map(|d| d.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchPullRepo(_config) => {}
           Execution::BuildRepo(config) => {
             config.repo = resources
               .repos
@@ -427,6 +458,7 @@ impl ResourceSyncTrait for Procedure {
               .map(|d| d.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchBuildRepo(_config) => {}
           Execution::CancelRepoBuild(config) => {
             config.repo = resources
               .repos
@@ -602,6 +634,7 @@ impl ResourceSyncTrait for Procedure {
               .map(|s| s.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchDeployStack(_config) => {}
           Execution::DeployStackIfChanged(config) => {
             config.stack = resources
               .stacks
@@ -609,6 +642,7 @@ impl ResourceSyncTrait for Procedure {
               .map(|s| s.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchDeployStackIfChanged(_config) => {}
           Execution::StartStack(config) => {
             config.stack = resources
               .stacks
@@ -651,6 +685,7 @@ impl ResourceSyncTrait for Procedure {
               .map(|s| s.name.clone())
               .unwrap_or_default();
           }
+          Execution::BatchDestroyStack(_config) => {}
           Execution::Sleep(_) => {}
         }
       }

bin/core/src/sync/toml.rs

@@ -4,6 +4,7 @@ use anyhow::Context;
 use komodo_client::{
   api::execute::Execution,
   entities::{
+    action::Action,
     alerter::Alerter,
     build::Build,
     builder::{Builder, BuilderConfig, PartialBuilderConfig},
@@ -164,6 +165,7 @@ pub fn convert_resource<R: KomodoResource>(
 impl ToToml for Alerter {}
 impl ToToml for Server {}
 impl ToToml for ResourceSync {}
+impl ToToml for Action {}
 
 impl ToToml for Stack {
   fn replace_ids(
@@ -388,6 +390,7 @@ impl ToToml for Builder {
     let empty_params = match resource.config {
       PartialBuilderConfig::Aws(config) => config.is_none(),
       PartialBuilderConfig::Server(config) => config.is_none(),
+      PartialBuilderConfig::Url(config) => config.is_none(),
     };
     if empty_params {
       // toml_pretty will remove empty map
@@ -412,6 +415,15 @@ impl ToToml for Procedure {
               .map(|r| &r.name)
               .unwrap_or(&String::new()),
           ),
+          Execution::BatchRunProcedure(_exec) => {}
+          Execution::RunAction(exec) => exec.action.clone_from(
+            all
+              .actions
+              .get(&exec.action)
+              .map(|r| &r.name)
+              .unwrap_or(&String::new()),
+          ),
+          Execution::BatchRunAction(_exec) => {}
           Execution::RunBuild(exec) => exec.build.clone_from(
             all
               .builds
@@ -419,6 +431,7 @@ impl ToToml for Procedure {
               .map(|r| &r.name)
               .unwrap_or(&String::new()),
           ),
+          Execution::BatchRunBuild(_exec) => {}
           Execution::CancelBuild(exec) => exec.build.clone_from(
             all
               .builds
@@ -433,6 +446,7 @@ impl ToToml for Procedure {
               .map(|r| &r.name)
               .unwrap_or(&String::new()),
           ),
+          Execution::BatchDeploy(_exec) => {}
           Execution::StartDeployment(exec) => {
             exec.deployment.clone_from(
               all
@@ -487,6 +501,7 @@ impl ToToml for Procedure {
                 .unwrap_or(&String::new()),
             )
           }
+          Execution::BatchDestroyDeployment(_exec) => {}
           Execution::CloneRepo(exec) => exec.repo.clone_from(
             all
               .repos
@@ -494,6 +509,7 @@ impl ToToml for Procedure {
               .map(|r| &r.name)
               .unwrap_or(&String::new()),
           ),
+          Execution::BatchCloneRepo(_exec) => {}
           Execution::PullRepo(exec) => exec.repo.clone_from(
             all
               .repos
@@ -501,6 +517,7 @@ impl ToToml for Procedure {
               .map(|r| &r.name)
               .unwrap_or(&String::new()),
           ),
+          Execution::BatchPullRepo(_exec) => {}
           Execution::BuildRepo(exec) => exec.repo.clone_from(
             all
               .repos
@@ -508,6 +525,7 @@ impl ToToml for Procedure {
               .map(|r| &r.name)
               .unwrap_or(&String::new()),
           ),
+          Execution::BatchBuildRepo(_exec) => {}
           Execution::CancelRepoBuild(exec) => exec.repo.clone_from(
             all
               .repos
@@ -701,6 +719,7 @@ impl ToToml for Procedure {
               .map(|r| &r.name)
               .unwrap_or(&String::new()),
           ),
+          Execution::BatchDeployStack(_exec) => {}
           Execution::DeployStackIfChanged(exec) => {
             exec.stack.clone_from(
               all
@@ -710,6 +729,7 @@ impl ToToml for Procedure {
                 .unwrap_or(&String::new()),
             )
           }
+          Execution::BatchDeployStackIfChanged(_exec) => {}
           Execution::StartStack(exec) => exec.stack.clone_from(
             all
               .stacks
@@ -752,6 +772,7 @@ impl ToToml for Procedure {
               .map(|r| &r.name)
               .unwrap_or(&String::new()),
           ),
+          Execution::BatchDestroyStack(_exec) => {}
           Execution::Sleep(_) | Execution::None(_) => {}
         }
       }

bin/core/src/sync/user_groups.rs

@@ -15,7 +15,8 @@ use komodo_client::{
     sync::DiffData,
     toml::{PermissionToml, UserGroupToml},
     update::Log,
-    user::sync_user,
+    user::{sync_user, User},
+    user_group::UserGroup,
     ResourceTarget, ResourceTargetVariant,
   },
 };
@@ -43,17 +44,21 @@ pub async fn get_updates_for_view(
   delete: bool,
   all_resources: &AllResourcesById,
 ) -> anyhow::Result<Vec<DiffData>> {
-  let map = find_collect(&db_client().user_groups, None, None)
+  let _curr = find_collect(&db_client().user_groups, None, None)
     .await
-    .context("failed to query db for UserGroups")?
+    .context("failed to query db for UserGroups")?;
+  let mut curr = Vec::with_capacity(_curr.capacity());
+  convert_user_groups(_curr.into_iter(), all_resources, &mut curr)
+    .await?;
+  let map = curr
     .into_iter()
-    .map(|ug| (ug.name.clone(), ug))
+    .map(|ug| (ug.1.name.clone(), ug))
     .collect::<HashMap<_, _>>();
 
   let mut diffs = Vec::<DiffData>::new();
 
   if delete {
-    for user_group in map.values() {
+    for (_id, user_group) in map.values() {
       if !user_groups.iter().any(|ug| ug.name == user_group.name) {
         diffs.push(DiffData::Delete {
           current: format!(
@@ -66,13 +71,6 @@ pub async fn get_updates_for_view(
     }
   }
 
-  let id_to_user = find_collect(&db_client().users, None, None)
-    .await
-    .context("failed to query db for Users")?
-    .into_iter()
-    .map(|user| (user.id.clone(), user))
-    .collect::<HashMap<_, _>>();
-
   for mut user_group in user_groups {
     user_group
       .permissions
@@ -90,7 +88,10 @@ pub async fn get_updates_for_view(
       )
     })?;
 
-    let original = match map.get(&user_group.name).cloned() {
+    let (_original_id, original) = match map
+      .get(&user_group.name)
+      .cloned()
+    {
       Some(original) => original,
       None => {
         diffs.push(DiffData::Create {
@@ -104,121 +105,16 @@ pub async fn get_updates_for_view(
         continue;
       }
     };
-
-    let mut original_users = original
-      .users
-      .clone()
-      .into_iter()
-      .filter_map(|user_id| {
-        id_to_user.get(&user_id).map(|u| u.username.clone())
-      })
-      .collect::<Vec<_>>();
-
-    let mut original_permissions = State
-      .resolve(
-        ListUserTargetPermissions {
-          user_target: UserTarget::UserGroup(original.id.clone()),
-        },
-        sync_user().to_owned(),
-      )
-      .await
-      .context("failed to query for existing UserGroup permissions")?
-      .into_iter()
-      .filter(|p| p.level > PermissionLevel::None)
-      .map(|mut p| {
-        // replace the ids with names
-        match &mut p.resource_target {
-          ResourceTarget::System(_) => {}
-          ResourceTarget::Build(id) => {
-            *id = all_resources
-              .builds
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Builder(id) => {
-            *id = all_resources
-              .builders
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Deployment(id) => {
-            *id = all_resources
-              .deployments
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Server(id) => {
-            *id = all_resources
-              .servers
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Repo(id) => {
-            *id = all_resources
-              .repos
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Alerter(id) => {
-            *id = all_resources
-              .alerters
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Procedure(id) => {
-            *id = all_resources
-              .procedures
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::ServerTemplate(id) => {
-            *id = all_resources
-              .templates
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::ResourceSync(id) => {
-            *id = all_resources
-              .syncs
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Stack(id) => {
-            *id = all_resources
-              .stacks
-              .get(id)
-              .map(|b| b.name.clone())
-              .unwrap_or_default()
-          }
-        }
-        PermissionToml {
-          target: p.resource_target,
-          level: p.level,
-        }
-      })
-      .collect::<Vec<_>>();
-
-    original_users.sort();
     user_group.users.sort();
 
     let all_diff = diff_group_all(&original.all, &user_group.all);
 
     user_group.permissions.sort_by(sort_permissions);
-    original_permissions.sort_by(sort_permissions);
 
-    let update_users = user_group.users != original_users;
+    let update_users = user_group.users != original.users;
     let update_all = !all_diff.is_empty();
     let update_permissions =
-      user_group.permissions != original_permissions;
+      user_group.permissions != original.permissions;
 
     // only add log after diff detected
     if update_users || update_all || update_permissions {
@@ -379,6 +275,13 @@ pub async fn get_updates_for_execution(
               .map(|b| b.name.clone())
               .unwrap_or_default()
           }
+          ResourceTarget::Action(id) => {
+            *id = all_resources
+              .actions
+              .get(id)
+              .map(|b| b.name.clone())
+              .unwrap_or_default()
+          }
           ResourceTarget::ServerTemplate(id) => {
             *id = all_resources
               .templates
@@ -820,6 +723,17 @@ async fn expand_user_group_permissions(
             });
           expanded.extend(permissions);
         }
+        ResourceTargetVariant::Action => {
+          let permissions = all_resources
+            .actions
+            .values()
+            .filter(|resource| regex.is_match(&resource.name))
+            .map(|resource| PermissionToml {
+              target: ResourceTarget::Action(resource.name.clone()),
+              level: permission.level,
+            });
+          expanded.extend(permissions);
+        }
         ResourceTargetVariant::ServerTemplate => {
           let permissions = all_resources
             .templates
@@ -900,3 +814,139 @@ fn diff_group_all(
 
   to_update
 }
+
+pub async fn convert_user_groups(
+  user_groups: impl Iterator<Item = UserGroup>,
+  all: &AllResourcesById,
+  res: &mut Vec<(String, UserGroupToml)>,
+) -> anyhow::Result<()> {
+  let db = db_client();
+
+  let usernames = find_collect(&db.users, None, None)
+    .await?
+    .into_iter()
+    .map(|user| (user.id, user.username))
+    .collect::<HashMap<_, _>>();
+
+  for user_group in user_groups {
+    // this method is admin only, but we already know user can see user group if above does not return Err
+    let mut permissions = State
+      .resolve(
+        ListUserTargetPermissions {
+          user_target: UserTarget::UserGroup(user_group.id.clone()),
+        },
+        User {
+          admin: true,
+          ..Default::default()
+        },
+      )
+      .await?
+      .into_iter()
+      .map(|mut permission| {
+        match &mut permission.resource_target {
+          ResourceTarget::Build(id) => {
+            *id = all
+              .builds
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Builder(id) => {
+            *id = all
+              .builders
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Deployment(id) => {
+            *id = all
+              .deployments
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Server(id) => {
+            *id = all
+              .servers
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Repo(id) => {
+            *id = all
+              .repos
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Alerter(id) => {
+            *id = all
+              .alerters
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Procedure(id) => {
+            *id = all
+              .procedures
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Action(id) => {
+            *id = all
+              .actions
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::ServerTemplate(id) => {
+            *id = all
+              .templates
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::ResourceSync(id) => {
+            *id = all
+              .syncs
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::Stack(id) => {
+            *id = all
+              .stacks
+              .get(id)
+              .map(|r| r.name.clone())
+              .unwrap_or_default()
+          }
+          ResourceTarget::System(_) => {}
+        }
+        PermissionToml {
+          target: permission.resource_target,
+          level: permission.level,
+        }
+      })
+      .collect::<Vec<_>>();
+    let mut users = user_group
+      .users
+      .into_iter()
+      .filter_map(|user_id| usernames.get(&user_id).cloned())
+      .collect::<Vec<_>>();
+
+    permissions.sort_by(sort_permissions);
+    users.sort();
+
+    res.push((
+      user_group.id,
+      UserGroupToml {
+        name: user_group.name,
+        users,
+        all: user_group.all,
+        permissions,
+      },
+    ));
+  }
+  Ok(())
+}

bin/core/src/sync/view.rs

@@ -22,7 +22,7 @@ pub async fn push_updates_for_view<Resource: ResourceSyncTrait>(
   match_tags: &[String],
   diffs: &mut Vec<ResourceDiff>,
 ) -> anyhow::Result<()> {
-  let current_map = find_collect(Resource::coll().await, None, None)
+  let current_map = find_collect(Resource::coll(), None, None)
     .await
     .context("failed to get resources from db")?
     .into_iter()

bin/core/src/ts_client.rs

@@ -0,0 +1,64 @@
+use anyhow::{anyhow, Context};
+use axum::{
+  extract::Path,
+  http::{HeaderMap, HeaderValue},
+  routing::get,
+  Router,
+};
+use reqwest::StatusCode;
+use serde::Deserialize;
+use serror::AddStatusCodeError;
+use tokio::fs;
+
+use crate::config::core_config;
+
+pub fn router() -> Router {
+  Router::new().route("/:path", get(serve_client_file))
+}
+
+const ALLOWED_FILES: &[&str] = &[
+  "lib.js",
+  "lib.d.ts",
+  "types.js",
+  "types.d.ts",
+  "responses.js",
+  "responses.d.ts",
+];
+
+#[derive(Deserialize)]
+struct FilePath {
+  path: String,
+}
+
+async fn serve_client_file(
+  Path(FilePath { path }): Path<FilePath>,
+) -> serror::Result<(HeaderMap, String)> {
+  if !ALLOWED_FILES.contains(&path.as_str()) {
+    return Err(
+      anyhow!("File {path} not found.")
+        .status_code(StatusCode::NOT_FOUND),
+    );
+  }
+
+  let contents = fs::read_to_string(format!(
+    "{}/client/{path}",
+    core_config().frontend_path
+  ))
+  .await
+  .with_context(|| format!("Failed to read file: {path}"))?;
+
+  let mut headers = HeaderMap::new();
+
+  if path.ends_with(".js") {
+    headers.insert(
+      "X-TypeScript-Types",
+      HeaderValue::from_str(&format!(
+        "/client/{}",
+        path.replace(".js", ".d.ts")
+      ))
+      .context("?? Invalid Header Value")?,
+    );
+  }
+
+  Ok((headers, contents))
+}

bin/core/src/ws.rs

@@ -1,4 +1,4 @@
-use anyhow::{anyhow, Context};
+use anyhow::anyhow;
 use axum::{
   extract::{
     ws::{Message, WebSocket},
@@ -15,7 +15,6 @@ use komodo_client::{
   },
   ws::WsLoginMessage,
 };
-use mungos::by_id::find_one_by_id;
 use serde_json::json;
 use serror::serialize_error;
 use tokio::select;
@@ -23,11 +22,10 @@ use tokio_util::sync::CancellationToken;
 
 use crate::{
   auth::{auth_api_key_check_enabled, auth_jwt_check_enabled},
-  db::DbClient,
   helpers::{
-    channel::update_channel, query::get_user_permission_on_target,
+    channel::update_channel,
+    query::{get_user, get_user_permission_on_target},
   },
-  state::db_client,
 };
 
 pub fn router() -> Router {
@@ -51,7 +49,6 @@ async fn ws_handler(ws: WebSocketUpgrade) -> impl IntoResponse {
     let cancel_clone = cancel.clone();
 
     tokio::spawn(async move {
-      let db_client = db_client();
       loop {
         // poll for updates off the receiver / await cancel.
         let update = select! {
@@ -61,7 +58,7 @@ async fn ws_handler(ws: WebSocketUpgrade) -> impl IntoResponse {
 
         // before sending every update, verify user is still valid.
         // kill the connection is user if found to be invalid.
-        let user = check_user_valid(db_client, &user.id).await;
+        let user = check_user_valid(&user.id).await;
         let user = match user {
           Err(e) => {
             let _ = ws_sender
@@ -183,15 +180,9 @@ enum LoginMessage {
   Err(String),
 }
 
-#[instrument(level = "debug", skip(db_client))]
-async fn check_user_valid(
-  db_client: &DbClient,
-  user_id: &str,
-) -> anyhow::Result<User> {
-  let user = find_one_by_id(&db_client.users, user_id)
-    .await
-    .context("failed to query mongo for users")?
-    .context("user not found")?;
+#[instrument(level = "debug")]
+async fn check_user_valid(user_id: &str) -> anyhow::Result<User> {
+  let user = get_user(user_id).await?;
   if !user.enabled {
     return Err(anyhow!("user not enabled"));
   }

bin/periphery/alpine.Dockerfile

@@ -4,7 +4,7 @@
 ## and may negatively affect runtime performance.
 
 # Build Periphery
-FROM rust:1.81.0-alpine AS builder
+FROM rust:1.82.0-alpine AS builder
 WORKDIR /builder
 COPY . .
 RUN apk update && apk --no-cache add musl-dev openssl-dev openssl-libs-static

bin/periphery/debian.Dockerfile

@@ -1,5 +1,5 @@
 # Build Periphery
-FROM rust:1.81.0-bullseye AS builder
+FROM rust:1.82.0-bullseye AS builder
 WORKDIR /builder
 COPY . .
 RUN cargo build -p komodo_periphery --release

bin/periphery/src/api/build.rs

@@ -1,12 +1,15 @@
 use anyhow::{anyhow, Context};
 use command::run_komodo_command;
 use formatting::format_serror;
-use komodo_client::entities::{
-  build::{Build, BuildConfig},
-  environment_vars_from_str, get_image_name, optional_string,
-  to_komodo_name,
-  update::Log,
-  EnvironmentVar, Version,
+use komodo_client::{
+  entities::{
+    build::{Build, BuildConfig},
+    environment_vars_from_str, get_image_name, optional_string,
+    to_komodo_name,
+    update::Log,
+    EnvironmentVar, Version,
+  },
+  parsers::QUOTE_PATTERN,
 };
 use periphery_client::api::build::{
   self, PruneBuilders, PruneBuildx,
@@ -101,8 +104,9 @@ impl Resolve<build::Build> for State {
 
     let secret_args = environment_vars_from_str(secret_args)
       .context("Invalid secret_args")?;
-    let _secret_args =
+    let command_secret_args =
       parse_secret_args(&secret_args, *skip_secret_interp)?;
+
     let labels = parse_labels(
       &environment_vars_from_str(labels).context("Invalid labels")?,
     );
@@ -118,7 +122,7 @@ impl Resolve<build::Build> for State {
 
     // Construct command
     let command = format!(
-      "docker{buildx} build{build_args}{_secret_args}{extra_args}{labels}{image_tags} -f {dockerfile_path} .{push_command}",
+      "docker{buildx} build{build_args}{command_secret_args}{extra_args}{labels}{image_tags} -f {dockerfile_path} .{push_command}",
     );
 
     if *skip_secret_interp {
@@ -126,6 +130,7 @@ impl Resolve<build::Build> for State {
         "docker build",
         build_dir.as_ref(),
         command,
+        false,
       )
       .await;
       logs.push(build_log);
@@ -146,6 +151,7 @@ impl Resolve<build::Build> for State {
         "docker build",
         build_dir.as_ref(),
         command,
+        false,
       )
       .await;
       build_log.command =
@@ -188,7 +194,16 @@ fn image_tags(
 fn parse_build_args(build_args: &[EnvironmentVar]) -> String {
   build_args
     .iter()
-    .map(|p| format!(" --build-arg {}=\"{}\"", p.variable, p.value))
+    .map(|p| {
+      if p.value.starts_with(QUOTE_PATTERN)
+        && p.value.ends_with(QUOTE_PATTERN)
+      {
+        // If the value already wrapped in quotes, don't wrap it again
+        format!(" --build-arg {}={}", p.variable, p.value)
+      } else {
+        format!(" --build-arg {}=\"{}\"", p.variable, p.value)
+      }
+    })
     .collect::<Vec<_>>()
     .join("")
 }
@@ -244,7 +259,10 @@ impl Resolve<PruneBuilders> for State {
     _: (),
   ) -> anyhow::Result<Log> {
     let command = String::from("docker builder prune -a -f");
-    Ok(run_komodo_command("prune builders", None, command).await)
+    Ok(
+      run_komodo_command("prune builders", None, command, false)
+        .await,
+    )
   }
 }
 
@@ -258,6 +276,6 @@ impl Resolve<PruneBuildx> for State {
     _: (),
   ) -> anyhow::Result<Log> {
     let command = String::from("docker buildx prune -a -f");
-    Ok(run_komodo_command("prune buildx", None, command).await)
+    Ok(run_komodo_command("prune buildx", None, command, false).await)
   }
 }

bin/periphery/src/api/compose.rs

@@ -35,6 +35,7 @@ impl Resolve<ListComposeProjects, ()> for State {
       "list projects",
       None,
       format!("{docker_compose} ls --all --format json"),
+      false,
     )
     .await;
 
@@ -104,7 +105,9 @@ impl Resolve<GetComposeServiceLog> for State {
     let command = format!(
       "{docker_compose} -p {project} logs {service} --tail {tail}{timestamps}"
     );
-    Ok(run_komodo_command("get stack log", None, command).await)
+    Ok(
+      run_komodo_command("get stack log", None, command, false).await,
+    )
   }
 }
 
@@ -131,7 +134,10 @@ impl Resolve<GetComposeServiceLogSearch> for State {
     let timestamps =
       timestamps.then_some(" --timestamps").unwrap_or_default();
     let command = format!("{docker_compose} -p {project} logs {service} --tail 5000{timestamps} 2>&1 | {grep}");
-    Ok(run_komodo_command("get stack log grep", None, command).await)
+    Ok(
+      run_komodo_command("get stack log grep", None, command, false)
+        .await,
+    )
   }
 }
 
@@ -378,6 +384,7 @@ impl Resolve<ComposeExecution> for State {
       "compose command",
       None,
       format!("{docker_compose} -p {project} {command}"),
+      false,
     )
     .await;
     Ok(log)

bin/periphery/src/api/container.rs

@@ -53,7 +53,10 @@ impl Resolve<GetContainerLog> for State {
       timestamps.then_some(" --timestamps").unwrap_or_default();
     let command =
       format!("docker logs {name} --tail {tail}{timestamps}");
-    Ok(run_komodo_command("get container log", None, command).await)
+    Ok(
+      run_komodo_command("get container log", None, command, false)
+        .await,
+    )
   }
 }
 
@@ -83,8 +86,13 @@ impl Resolve<GetContainerLogSearch> for State {
       "docker logs {name} --tail 5000{timestamps} 2>&1 | {grep}"
     );
     Ok(
-      run_komodo_command("get container log grep", None, command)
-        .await,
+      run_komodo_command(
+        "get container log grep",
+        None,
+        command,
+        false,
+      )
+      .await,
     )
   }
 }
@@ -142,6 +150,7 @@ impl Resolve<StartContainer> for State {
         "docker start",
         None,
         format!("docker start {name}"),
+        false,
       )
       .await,
     )
@@ -162,6 +171,7 @@ impl Resolve<RestartContainer> for State {
         "docker restart",
         None,
         format!("docker restart {name}"),
+        false,
       )
       .await,
     )
@@ -182,6 +192,7 @@ impl Resolve<PauseContainer> for State {
         "docker pause",
         None,
         format!("docker pause {name}"),
+        false,
       )
       .await,
     )
@@ -200,6 +211,7 @@ impl Resolve<UnpauseContainer> for State {
         "docker unpause",
         None,
         format!("docker unpause {name}"),
+        false,
       )
       .await,
     )
@@ -216,11 +228,12 @@ impl Resolve<StopContainer> for State {
     _: (),
   ) -> anyhow::Result<Log> {
     let command = stop_container_command(&name, signal, time);
-    let log = run_komodo_command("docker stop", None, command).await;
+    let log =
+      run_komodo_command("docker stop", None, command, false).await;
     if log.stderr.contains("unknown flag: --signal") {
       let command = stop_container_command(&name, None, time);
       let mut log =
-        run_komodo_command("docker stop", None, command).await;
+        run_komodo_command("docker stop", None, command, false).await;
       log.stderr = format!(
         "old docker version: unable to use --signal flag{}",
         if !log.stderr.is_empty() {
@@ -248,15 +261,19 @@ impl Resolve<RemoveContainer> for State {
     let stop_command = stop_container_command(&name, signal, time);
     let command =
       format!("{stop_command} && docker container rm {name}");
-    let log =
-      run_komodo_command("docker stop and remove", None, command)
-        .await;
+    let log = run_komodo_command(
+      "docker stop and remove",
+      None,
+      command,
+      false,
+    )
+    .await;
     if log.stderr.contains("unknown flag: --signal") {
       let stop_command = stop_container_command(&name, None, time);
       let command =
         format!("{stop_command} && docker container rm {name}");
       let mut log =
-        run_komodo_command("docker stop", None, command).await;
+        run_komodo_command("docker stop", None, command, false).await;
       log.stderr = format!(
         "old docker version: unable to use --signal flag{}",
         if !log.stderr.is_empty() {
@@ -286,7 +303,9 @@ impl Resolve<RenameContainer> for State {
   ) -> anyhow::Result<Log> {
     let new = to_komodo_name(&new_name);
     let command = format!("docker rename {curr_name} {new}");
-    Ok(run_komodo_command("docker rename", None, command).await)
+    Ok(
+      run_komodo_command("docker rename", None, command, false).await,
+    )
   }
 }
 
@@ -300,7 +319,10 @@ impl Resolve<PruneContainers> for State {
     _: (),
   ) -> anyhow::Result<Log> {
     let command = String::from("docker container prune -f");
-    Ok(run_komodo_command("prune containers", None, command).await)
+    Ok(
+      run_komodo_command("prune containers", None, command, false)
+        .await,
+    )
   }
 }
 
@@ -324,7 +346,8 @@ impl Resolve<StartAllContainers> for State {
         }
         let command = format!("docker start {name}");
         Some(async move {
-          run_komodo_command(&command.clone(), None, command).await
+          run_komodo_command(&command.clone(), None, command, false)
+            .await
         })
       },
     );
@@ -352,7 +375,8 @@ impl Resolve<RestartAllContainers> for State {
         }
         let command = format!("docker restart {name}");
         Some(async move {
-          run_komodo_command(&command.clone(), None, command).await
+          run_komodo_command(&command.clone(), None, command, false)
+            .await
         })
       },
     );
@@ -380,7 +404,8 @@ impl Resolve<PauseAllContainers> for State {
         }
         let command = format!("docker pause {name}");
         Some(async move {
-          run_komodo_command(&command.clone(), None, command).await
+          run_komodo_command(&command.clone(), None, command, false)
+            .await
         })
       },
     );
@@ -408,7 +433,8 @@ impl Resolve<UnpauseAllContainers> for State {
         }
         let command = format!("docker unpause {name}");
         Some(async move {
-          run_komodo_command(&command.clone(), None, command).await
+          run_komodo_command(&command.clone(), None, command, false)
+            .await
         })
       },
     );
@@ -439,6 +465,7 @@ impl Resolve<StopAllContainers> for State {
             &format!("docker stop {name}"),
             None,
             stop_container_command(name, None, None),
+            false,
           )
           .await
         })

bin/periphery/src/api/deploy.rs

@@ -1,14 +1,17 @@
 use anyhow::Context;
 use command::run_komodo_command;
 use formatting::format_serror;
-use komodo_client::entities::{
-  deployment::{
-    conversions_from_str, extract_registry_domain, Conversion,
-    Deployment, DeploymentConfig, DeploymentImage, RestartMode,
+use komodo_client::{
+  entities::{
+    deployment::{
+      conversions_from_str, extract_registry_domain, Conversion,
+      Deployment, DeploymentConfig, DeploymentImage, RestartMode,
+    },
+    environment_vars_from_str, to_komodo_name,
+    update::Log,
+    EnvironmentVar,
   },
-  environment_vars_from_str, to_komodo_name,
-  update::Log,
-  EnvironmentVar,
+  parsers::QUOTE_PATTERN,
 };
 use periphery_client::api::container::{Deploy, RemoveContainer};
 use resolver_api::Resolve;
@@ -87,7 +90,7 @@ impl Resolve<Deploy> for State {
     debug!("docker run command: {command}");
 
     if deployment.config.skip_secret_interp {
-      Ok(run_komodo_command("docker run", None, command).await)
+      Ok(run_komodo_command("docker run", None, command, false).await)
     } else {
       let command = svi::interpolate_variables(
         &command,
@@ -108,7 +111,7 @@ impl Resolve<Deploy> for State {
 
       replacers.extend(core_replacers);
       let mut log =
-        run_komodo_command("docker run", None, command).await;
+        run_komodo_command("docker run", None, command, false).await;
       log.command = svi::replace_in_string(&log.command, &replacers);
       log.stdout = svi::replace_in_string(&log.stdout, &replacers);
       log.stderr = svi::replace_in_string(&log.stderr, &replacers);
@@ -175,7 +178,16 @@ fn parse_conversions(
 fn parse_environment(environment: &[EnvironmentVar]) -> String {
   environment
     .iter()
-    .map(|p| format!(" --env {}=\"{}\"", p.variable, p.value))
+    .map(|p| {
+      if p.value.starts_with(QUOTE_PATTERN)
+        && p.value.ends_with(QUOTE_PATTERN)
+      {
+        // If the value already wrapped in quotes, don't wrap it again
+        format!(" --env {}={}", p.variable, p.value)
+      } else {
+        format!(" --env {}=\"{}\"", p.variable, p.value)
+      }
+    })
     .collect::<Vec<_>>()
     .join("")
 }

bin/periphery/src/api/git.rs

@@ -1,13 +1,12 @@
 use anyhow::{anyhow, Context};
 use git::GitRes;
-use komodo_client::entities::{
-  to_komodo_name, update::Log, CloneArgs, LatestCommit,
-};
+use komodo_client::entities::{update::Log, CloneArgs, LatestCommit};
 use periphery_client::api::git::{
   CloneRepo, DeleteRepo, GetLatestCommit, PullOrCloneRepo, PullRepo,
-  RepoActionResponse,
+  RenameRepo, RepoActionResponse,
 };
 use resolver_api::Resolve;
+use tokio::fs;
 
 use crate::{config::periphery_config, State};
 
@@ -207,6 +206,31 @@ impl Resolve<PullOrCloneRepo> for State {
 
 //
 
+impl Resolve<RenameRepo> for State {
+  #[instrument(name = "RenameRepo", skip(self))]
+  async fn resolve(
+    &self,
+    RenameRepo {
+      curr_name,
+      new_name,
+    }: RenameRepo,
+    _: (),
+  ) -> anyhow::Result<Log> {
+    let renamed = fs::rename(
+      periphery_config().repo_dir.join(&curr_name),
+      periphery_config().repo_dir.join(&new_name),
+    )
+    .await;
+    let msg = match renamed {
+      Ok(_) => String::from("Renamed Repo directory on Server"),
+      Err(_) => format!("No Repo cloned at {curr_name} to rename"),
+    };
+    Ok(Log::simple("Rename Repo on Server", msg))
+  }
+}
+
+//
+
 impl Resolve<DeleteRepo> for State {
   #[instrument(name = "DeleteRepo", skip(self))]
   async fn resolve(
@@ -214,14 +238,15 @@ impl Resolve<DeleteRepo> for State {
     DeleteRepo { name }: DeleteRepo,
     _: (),
   ) -> anyhow::Result<Log> {
-    let name = to_komodo_name(&name);
-    let deleted = std::fs::remove_dir_all(
-      periphery_config().repo_dir.join(&name),
-    );
+    // If using custom clone path, it will be passed by core instead of name.
+    // So the join will resolve to just the absolute path.
+    let deleted =
+      fs::remove_dir_all(periphery_config().repo_dir.join(&name))
+        .await;
     let msg = match deleted {
-      Ok(_) => format!("deleted repo {name}"),
-      Err(_) => format!("no repo at {name} to delete"),
+      Ok(_) => format!("Deleted Repo {name}"),
+      Err(_) => format!("No Repo at {name} to delete"),
     };
-    Ok(Log::simple("delete repo", msg))
+    Ok(Log::simple("Delete Repo on Host", msg))
   }
 }

bin/periphery/src/api/image.rs

@@ -44,7 +44,7 @@ impl Resolve<DeleteImage> for State {
     _: (),
   ) -> anyhow::Result<Log> {
     let command = format!("docker image rm {name}");
-    Ok(run_komodo_command("delete image", None, command).await)
+    Ok(run_komodo_command("delete image", None, command, false).await)
   }
 }
 
@@ -58,6 +58,6 @@ impl Resolve<PruneImages> for State {
     _: (),
   ) -> anyhow::Result<Log> {
     let command = String::from("docker image prune -a -f");
-    Ok(run_komodo_command("prune images", None, command).await)
+    Ok(run_komodo_command("prune images", None, command, false).await)
   }
 }

bin/periphery/src/api/mod.rs

@@ -66,6 +66,7 @@ pub enum PeripheryRequest {
   // Repo (Write)
   CloneRepo(CloneRepo),
   PullRepo(PullRepo),
+  RenameRepo(RenameRepo),
   DeleteRepo(DeleteRepo),
 
   // Build
@@ -256,7 +257,7 @@ impl Resolve<RunCommand> for State {
       } else {
         format!("cd {path} && {command}")
       };
-      run_komodo_command("run command", None, command).await
+      run_komodo_command("run command", None, command, false).await
     })
     .await
     .context("failure in spawned task")
@@ -271,6 +272,6 @@ impl Resolve<PruneSystem> for State {
     _: (),
   ) -> anyhow::Result<Log> {
     let command = String::from("docker system prune -a -f --volumes");
-    Ok(run_komodo_command("prune system", None, command).await)
+    Ok(run_komodo_command("prune system", None, command, false).await)
   }
 }