npm - @firestartr/cli - Versions diffs - 1.51.1-snapshot-06 → 1.51.2 - Mend

@firestartr/cli 1.51.1-snapshot-06 → 1.51.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/build/index.js CHANGED Viewed

@@ -346931,6 +346931,7 @@ const DEFAULT_TIME_ZONE = 'Europe/Madrid';
 function validateCron(cronLine, tz = DEFAULT_TIME_ZONE) {
     try {
         const interval = cron_parser_dist.CronExpressionParser.parse(cronLine, {
+            // to enable the only minutes cron
             strict: false,
             tz,
         });
@@ -354780,24 +354781,24 @@ var libsodium_wrappers_default = /*#__PURE__*/__nccwpck_require__.n(libsodium_wr
-async function getRepoPublicKey(owner, repo) {
+async function getRepoPublicKey(owner, repo, section) {
     github_src_logger.info(`Retrieving public key for ${owner}/${repo}`);
     try {
         const octokit = await getOctokitForOrg(owner);
-        const { data } = await octokit.actions.getRepoPublicKey({
+        const { data } = await octokit[section].getRepoPublicKey({
             owner,
             repo,
         });
         return data;
     }
     catch (error) {
-        github_src_logger.error(`Error retrieving public key for ${owner}/${repo}: ${error}`);
+        github_src_logger.error(`Error retrieving public key (${section}) for ${owner}/${repo}: ${error}`);
         throw error;
     }
 }
-async function encryptRepoSecret(owner, repo, plaintextValue) {
+async function encryptRepoSecret(owner, repo, section, plaintextValue) {
     try {
-        const { key_id, key } = await getRepoPublicKey(owner, repo);
+        const { key_id, key } = await getRepoPublicKey(owner, repo, section);
         await (libsodium_wrappers_default()).ready;
         const publicKey = libsodium_wrappers_default().from_base64(key, (libsodium_wrappers_default()).base64_variants.ORIGINAL);
         const secretBytes = libsodium_wrappers_default().from_string(plaintextValue);
@@ -355661,6 +355662,10 @@ InitializerClaimRef.applicableKinds = [
 ];
+;// CONCATENATED MODULE: ../cdk8s_renderer/src/logger.ts
+/* harmony default export */ const cdk8s_renderer_src_logger = (catalog_common.logger);
 ;// CONCATENATED MODULE: ../cdk8s_renderer/src/refresolver/index.ts
 /**
  * renderedClaims is a map of rendered claims
@@ -355669,8 +355674,10 @@ InitializerClaimRef.applicableKinds = [
  * and the value is the rendered CR
  */
 let renderedClaims = {};
 function setRenderedClaim(claim, cr) {
     const claimKey = `${claim.kind}-${claim.name}`;
+    cdk8s_renderer_src_logger.silly(`Set rendered claim with key ${claimKey}`);
     if (renderedClaims[claimKey]) {
         throw new Error(`Claim ${claimKey} already rendered`);
     }
@@ -357181,10 +357188,6 @@ const NORMALIZERS = [
     RevisionNormalizer,
 ];
-;// CONCATENATED MODULE: ../cdk8s_renderer/src/logger.ts
-/* harmony default export */ const cdk8s_renderer_src_logger = (catalog_common.logger);
 ;// CONCATENATED MODULE: ../cdk8s_renderer/src/refsSorter/refsExtractor.ts
@@ -357972,6 +357975,9 @@ const external_node_child_process_namespaceObject = __WEBPACK_EXTERNAL_createReq
                                     type: 'boolean',
                                     description: 'If the webhook is active',
                                 },
+                                secretRef: {
+                                    $ref: 'firestartr.dev://github/GithubComponentClaimSecretRef',
+                                },
                                 events: {
                                     type: 'array',
                                     description: 'List of events that trigger the webhook (e.g., push, pull_request, issues)',
@@ -357980,7 +357986,7 @@ const external_node_child_process_namespaceObject = __WEBPACK_EXTERNAL_createReq
                                     },
                                 },
                             },
-                            required: ['url', 'contentType', 'events'],
+                            required: ['url', 'contentType', 'events', 'secretRef'],
                         },
                     },
                     required: ['orgName', 'webhook'],
@@ -358186,7 +358192,11 @@ const GithubSchemas = [
                                 schedule_timezone: {
                                     type: 'string',
                                 },
+                                policy: {
+                                    type: 'string',
+                                },
                             },
+                            additionalProperties: false,
                             required: ['enabled'],
                             oneOf: [
                                 {
@@ -360904,6 +360914,7 @@ const KINDS_CR_MAP = {
     user: 'FirestartrGithubMembership',
     repo: 'FirestartrGithubRepository',
     feat: 'FirestartrGithubRepositoryFeature',
+    secretsSection: 'FirestartrGithubRepositorySecretsSection',
 };
@@ -361724,6 +361735,7 @@ function toJson_FirestartrGithubOrgWebhookSpecWebhookSecretRef(obj) {
         return undefined;
     }
     const result = {
+        'kind': obj.kind,
         'name': obj.name,
         'key': obj.key,
     };
@@ -361772,6 +361784,17 @@ function toJson_FirestartrGithubOrgWebhookSpecWriteConnectionSecretToRefOutputs(
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
+/* eslint-enable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+/**
+ * The type of Kubernetes resource to reference.
+ *
+ * @schema FirestartrGithubOrgWebhookSpecWebhookSecretRefKind
+ */
+var FirestartrGithubOrgWebhookSpecWebhookSecretRefKind;
+(function (FirestartrGithubOrgWebhookSpecWebhookSecretRefKind) {
+    /** Secret */
+    FirestartrGithubOrgWebhookSpecWebhookSecretRefKind["SECRET"] = "Secret";
+})(FirestartrGithubOrgWebhookSpecWebhookSecretRefKind || (FirestartrGithubOrgWebhookSpecWebhookSecretRefKind = {}));
 /**
  * Converts an object of type 'FirestartrGithubOrgWebhookSpecContextBackendRef' to JSON representation.
  */
@@ -361900,7 +361923,6 @@ function toJson_FirestartrGithubRepositorySpec(obj) {
         'actions': toJson_FirestartrGithubRepositorySpecActions(obj.actions),
         'pages': toJson_FirestartrGithubRepositorySpecPages(obj.pages),
         'permissions': obj.permissions?.map(y => toJson_FirestartrGithubRepositorySpecPermissions(y)),
-        'secrets': toJson_FirestartrGithubRepositorySpecSecrets(obj.secrets),
         'vars': toJson_FirestartrGithubRepositorySpecVars(obj.vars),
         'branchProtections': obj.branchProtections?.map(y => toJson_FirestartrGithubRepositorySpecBranchProtections(y)),
         'writeConnectionSecretToRef': toJson_FirestartrGithubRepositorySpecWriteConnectionSecretToRef(obj.writeConnectionSecretToRef),
@@ -362012,22 +362034,6 @@ function toJson_FirestartrGithubRepositorySpecPermissions(obj) {
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
-/**
- * Converts an object of type 'FirestartrGithubRepositorySpecSecrets' to JSON representation.
- */
-/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrGithubRepositorySpecSecrets(obj) {
-    if (obj === undefined) {
-        return undefined;
-    }
-    const result = {
-        'actions': obj.actions?.map(y => toJson_FirestartrGithubRepositorySpecSecretsActions(y)),
-        'codespaces': obj.codespaces?.map(y => toJson_FirestartrGithubRepositorySpecSecretsCodespaces(y)),
-        'dependabot': obj.dependabot?.map(y => toJson_FirestartrGithubRepositorySpecSecretsDependabot(y)),
-    };
-    // filter undefined values
-    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
-}
 /**
  * Converts an object of type 'FirestartrGithubRepositorySpecVars' to JSON representation.
  */
@@ -362195,51 +362201,6 @@ function toJson_FirestartrGithubRepositorySpecPermissionsRef(obj) {
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
-/**
- * Converts an object of type 'FirestartrGithubRepositorySpecSecretsActions' to JSON representation.
- */
-/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrGithubRepositorySpecSecretsActions(obj) {
-    if (obj === undefined) {
-        return undefined;
-    }
-    const result = {
-        'name': obj.name,
-        'ref': toJson_FirestartrGithubRepositorySpecSecretsActionsRef(obj.ref),
-    };
-    // filter undefined values
-    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
-}
-/**
- * Converts an object of type 'FirestartrGithubRepositorySpecSecretsCodespaces' to JSON representation.
- */
-/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrGithubRepositorySpecSecretsCodespaces(obj) {
-    if (obj === undefined) {
-        return undefined;
-    }
-    const result = {
-        'name': obj.name,
-        'ref': toJson_FirestartrGithubRepositorySpecSecretsCodespacesRef(obj.ref),
-    };
-    // filter undefined values
-    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
-}
-/**
- * Converts an object of type 'FirestartrGithubRepositorySpecSecretsDependabot' to JSON representation.
- */
-/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrGithubRepositorySpecSecretsDependabot(obj) {
-    if (obj === undefined) {
-        return undefined;
-    }
-    const result = {
-        'name': obj.name,
-        'ref': toJson_FirestartrGithubRepositorySpecSecretsDependabotRef(obj.ref),
-    };
-    // filter undefined values
-    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
-}
 /**
  * Converts an object of type 'FirestartrGithubRepositorySpecVarsVariableItemSchema' to JSON representation.
  */
@@ -362316,54 +362277,6 @@ function toJson_FirestartrGithubRepositorySpecContextProviderRef(obj) {
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
-/**
- * Converts an object of type 'FirestartrGithubRepositorySpecSecretsActionsRef' to JSON representation.
- */
-/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrGithubRepositorySpecSecretsActionsRef(obj) {
-    if (obj === undefined) {
-        return undefined;
-    }
-    const result = {
-        'kind': obj.kind,
-        'name': obj.name,
-        'key': obj.key,
-    };
-    // filter undefined values
-    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
-}
-/**
- * Converts an object of type 'FirestartrGithubRepositorySpecSecretsCodespacesRef' to JSON representation.
- */
-/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrGithubRepositorySpecSecretsCodespacesRef(obj) {
-    if (obj === undefined) {
-        return undefined;
-    }
-    const result = {
-        'kind': obj.kind,
-        'name': obj.name,
-        'key': obj.key,
-    };
-    // filter undefined values
-    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
-}
-/**
- * Converts an object of type 'FirestartrGithubRepositorySpecSecretsDependabotRef' to JSON representation.
- */
-/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrGithubRepositorySpecSecretsDependabotRef(obj) {
-    if (obj === undefined) {
-        return undefined;
-    }
-    const result = {
-        'kind': obj.kind,
-        'name': obj.name,
-        'key': obj.key,
-    };
-    // filter undefined values
-    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
-}
 /**
  * Converts an object of type 'FirestartrGithubRepositorySpecVarsVariableItemSchemaRef' to JSON representation.
  */
@@ -362650,33 +362563,33 @@ var FirestartrGithubRepositoryFeatureSpecContextProviderRefKind;
     FirestartrGithubRepositoryFeatureSpecContextProviderRefKind["FIRESTARTR_PROVIDER_CONFIG"] = "FirestartrProviderConfig";
 })(FirestartrGithubRepositoryFeatureSpecContextProviderRefKind || (FirestartrGithubRepositoryFeatureSpecContextProviderRefKind = {}));
 /**
- * A resource to handle backend and provider configuration.
  *
- * @schema FirestartrProviderConfig
+ *
+ * @schema FirestartrGithubRepositorySecretsSection
  */
-class FirestartrProviderConfig extends lib.ApiObject {
+class FirestartrGithubRepositorySecretsSection extends lib.ApiObject {
     /**
-     * Renders a Kubernetes manifest for "FirestartrProviderConfig".
+     * Renders a Kubernetes manifest for "FirestartrGithubRepositorySecretsSection".
      *
      * This can be used to inline resource manifests inside other objects (e.g. as templates).
      *
      * @param props initialization props
      */
-    static manifest(props) {
+    static manifest(props = {}) {
         return {
-            ...FirestartrProviderConfig.GVK,
-            ...toJson_FirestartrProviderConfigProps(props),
+            ...FirestartrGithubRepositorySecretsSection.GVK,
+            ...toJson_FirestartrGithubRepositorySecretsSectionProps(props),
         };
     }
     /**
-     * Defines a "FirestartrProviderConfig" API object
+     * Defines a "FirestartrGithubRepositorySecretsSection" API object
      * @param scope the scope in which to define this object
      * @param id a scope-local name for the object
      * @param props initialization props
      */
-    constructor(scope, id, props) {
+    constructor(scope, id, props = {}) {
         super(scope, id, {
-            ...FirestartrProviderConfig.GVK,
+            ...FirestartrGithubRepositorySecretsSection.GVK,
             ...props,
         });
     }
@@ -362686,273 +362599,204 @@ class FirestartrProviderConfig extends lib.ApiObject {
     toJson() {
         const resolved = super.toJson();
         return {
-            ...FirestartrProviderConfig.GVK,
-            ...toJson_FirestartrProviderConfigProps(resolved),
+            ...FirestartrGithubRepositorySecretsSection.GVK,
+            ...toJson_FirestartrGithubRepositorySecretsSectionProps(resolved),
         };
     }
 }
 /**
- * Returns the apiVersion and kind for "FirestartrProviderConfig"
+ * Returns the apiVersion and kind for "FirestartrGithubRepositorySecretsSection"
  */
-FirestartrProviderConfig.GVK = {
+FirestartrGithubRepositorySecretsSection.GVK = {
     apiVersion: 'firestartr.dev/v1',
-    kind: 'FirestartrProviderConfig',
+    kind: 'FirestartrGithubRepositorySecretsSection',
 };
 /**
- * Converts an object of type 'FirestartrProviderConfigProps' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionProps' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrProviderConfigProps(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionProps(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
         'metadata': obj.metadata,
-        'spec': toJson_FirestartrProviderConfigSpec(obj.spec),
+        'spec': toJson_FirestartrGithubRepositorySecretsSectionSpec(obj.spec),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrProviderConfigSpec' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpec' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrProviderConfigSpec(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpec(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
-        'type': obj.type,
-        'source': obj.source,
-        'version': obj.version,
-        'config': obj.config,
-        'inline': obj.inline,
-        'env': obj.env,
-        'secrets': ((obj.secrets) === undefined) ? undefined : (Object.entries(obj.secrets).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: toJson_FirestartrProviderConfigSpecSecrets(i[1]) }), {})),
+        'firestartr': toJson_FirestartrGithubRepositorySecretsSectionSpecFirestartr(obj.firestartr),
+        'repositoryTarget': toJson_FirestartrGithubRepositorySecretsSectionSpecRepositoryTarget(obj.repositoryTarget),
+        'secrets': toJson_FirestartrGithubRepositorySecretsSectionSpecSecrets(obj.secrets),
+        'context': toJson_FirestartrGithubRepositorySecretsSectionSpecContext(obj.context),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrProviderConfigSpecSecrets' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecFirestartr' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrProviderConfigSpecSecrets(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecFirestartr(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
-        'secretRef': toJson_FirestartrProviderConfigSpecSecretsSecretRef(obj.secretRef),
+        'tfStateKey': obj.tfStateKey,
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrProviderConfigSpecSecretsSecretRef' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecRepositoryTarget' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrProviderConfigSpecSecretsSecretRef(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecRepositoryTarget(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
-        'name': obj.name,
-        'namespace': obj.namespace,
-        'key': obj.key,
+        'ref': toJson_FirestartrGithubRepositorySecretsSectionSpecRepositoryTargetRef(obj.ref),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
-/* eslint-enable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-/**
- * A workspace to handle Terraform code
- *
- * @schema FirestartrTerraformWorkspace
- */
-class FirestartrTerraformWorkspace extends lib.ApiObject {
-    /**
-     * Renders a Kubernetes manifest for "FirestartrTerraformWorkspace".
-     *
-     * This can be used to inline resource manifests inside other objects (e.g. as templates).
-     *
-     * @param props initialization props
-     */
-    static manifest(props) {
-        return {
-            ...FirestartrTerraformWorkspace.GVK,
-            ...toJson_FirestartrTerraformWorkspaceProps(props),
-        };
-    }
-    /**
-     * Defines a "FirestartrTerraformWorkspace" API object
-     * @param scope the scope in which to define this object
-     * @param id a scope-local name for the object
-     * @param props initialization props
-     */
-    constructor(scope, id, props) {
-        super(scope, id, {
-            ...FirestartrTerraformWorkspace.GVK,
-            ...props,
-        });
-    }
-    /**
-     * Renders the object to Kubernetes JSON.
-     */
-    toJson() {
-        const resolved = super.toJson();
-        return {
-            ...FirestartrTerraformWorkspace.GVK,
-            ...toJson_FirestartrTerraformWorkspaceProps(resolved),
-        };
-    }
-}
-/**
- * Returns the apiVersion and kind for "FirestartrTerraformWorkspace"
- */
-FirestartrTerraformWorkspace.GVK = {
-    apiVersion: 'firestartr.dev/v1',
-    kind: 'FirestartrTerraformWorkspace',
-};
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceProps' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecSecrets' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceProps(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecSecrets(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
-        'metadata': obj.metadata,
-        'spec': toJson_FirestartrTerraformWorkspaceSpec(obj.spec),
+        'actions': obj.actions?.map(y => toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsActions(y)),
+        'codespaces': obj.codespaces?.map(y => toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsCodespaces(y)),
+        'dependabot': obj.dependabot?.map(y => toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsDependabot(y)),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpec' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecContext' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpec(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecContext(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
-        'context': toJson_FirestartrTerraformWorkspaceSpecContext(obj.context),
-        'firestartr': toJson_FirestartrTerraformWorkspaceSpecFirestartr(obj.firestartr),
-        'module': obj.module,
-        'source': obj.source,
-        'values': obj.values,
-        'references': obj.references?.map(y => toJson_FirestartrTerraformWorkspaceSpecReferences(y)),
-        'writeConnectionSecretToRef': toJson_FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRef(obj.writeConnectionSecretToRef),
+        'provider': toJson_FirestartrGithubRepositorySecretsSectionSpecContextProvider(obj.provider),
+        'backend': toJson_FirestartrGithubRepositorySecretsSectionSpecContextBackend(obj.backend),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecContext' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecRepositoryTargetRef' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecContext(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecRepositoryTargetRef(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
-        'backend': toJson_FirestartrTerraformWorkspaceSpecContextBackend(obj.backend),
-        'providers': obj.providers?.map(y => toJson_FirestartrTerraformWorkspaceSpecContextProviders(y)),
+        'kind': obj.kind,
+        'name': obj.name,
+        'needsSecret': obj.needsSecret,
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecFirestartr' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecSecretsActions' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecFirestartr(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsActions(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
-        'tfStateKey': obj.tfStateKey,
+        'name': obj.name,
+        'ref': toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsActionsRef(obj.ref),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
-/* eslint-enable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-/**
- * @schema FirestartrTerraformWorkspaceSpecSource
- */
-var FirestartrTerraformWorkspaceSpecSource;
-(function (FirestartrTerraformWorkspaceSpecSource) {
-    /** Remote */
-    FirestartrTerraformWorkspaceSpecSource["REMOTE"] = "Remote";
-    /** Inline */
-    FirestartrTerraformWorkspaceSpecSource["INLINE"] = "Inline";
-})(FirestartrTerraformWorkspaceSpecSource || (FirestartrTerraformWorkspaceSpecSource = {}));
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecReferences' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecSecretsCodespaces' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecReferences(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsCodespaces(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
         'name': obj.name,
-        'ref': toJson_FirestartrTerraformWorkspaceSpecReferencesRef(obj.ref),
+        'ref': toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsCodespacesRef(obj.ref),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRef' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecSecretsDependabot' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRef(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsDependabot(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
         'name': obj.name,
-        'outputs': obj.outputs?.map(y => toJson_FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRefOutputs(y)),
+        'ref': toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsDependabotRef(obj.ref),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecContextBackend' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecContextProvider' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecContextBackend(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecContextProvider(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
-        'ref': toJson_FirestartrTerraformWorkspaceSpecContextBackendRef(obj.ref),
+        'ref': toJson_FirestartrGithubRepositorySecretsSectionSpecContextProviderRef(obj.ref),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecContextProviders' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecContextBackend' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecContextProviders(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecContextBackend(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
-        'ref': toJson_FirestartrTerraformWorkspaceSpecContextProvidersRef(obj.ref),
+        'ref': toJson_FirestartrGithubRepositorySecretsSectionSpecContextBackendRef(obj.ref),
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecReferencesRef' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecSecretsActionsRef' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecReferencesRef(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsActionsRef(obj) {
     if (obj === undefined) {
         return undefined;
     }
@@ -362965,39 +362809,42 @@ function toJson_FirestartrTerraformWorkspaceSpecReferencesRef(obj) {
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRefOutputs' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecSecretsCodespacesRef' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRefOutputs(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsCodespacesRef(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
+        'kind': obj.kind,
+        'name': obj.name,
         'key': obj.key,
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecContextBackendRef' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecSecretsDependabotRef' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecContextBackendRef(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecSecretsDependabotRef(obj) {
     if (obj === undefined) {
         return undefined;
     }
     const result = {
         'kind': obj.kind,
         'name': obj.name,
+        'key': obj.key,
     };
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
 /**
- * Converts an object of type 'FirestartrTerraformWorkspaceSpecContextProvidersRef' to JSON representation.
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecContextProviderRef' to JSON representation.
  */
 /* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
-function toJson_FirestartrTerraformWorkspaceSpecContextProvidersRef(obj) {
+function toJson_FirestartrGithubRepositorySecretsSectionSpecContextProviderRef(obj) {
     if (obj === undefined) {
         return undefined;
     }
@@ -363008,7 +362855,428 @@ function toJson_FirestartrTerraformWorkspaceSpecContextProvidersRef(obj) {
     // filter undefined values
     return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
 }
-/* eslint-enable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+/**
+ * Converts an object of type 'FirestartrGithubRepositorySecretsSectionSpecContextBackendRef' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrGithubRepositorySecretsSectionSpecContextBackendRef(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'kind': obj.kind,
+        'name': obj.name,
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/* eslint-enable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+/**
+ * The type of Kubernetes resource to reference.
+ *
+ * @schema FirestartrGithubRepositorySecretsSectionSpecSecretsActionsRefKind
+ */
+var FirestartrGithubRepositorySecretsSectionSpecSecretsActionsRefKind;
+(function (FirestartrGithubRepositorySecretsSectionSpecSecretsActionsRefKind) {
+    /** Secret */
+    FirestartrGithubRepositorySecretsSectionSpecSecretsActionsRefKind["SECRET"] = "Secret";
+})(FirestartrGithubRepositorySecretsSectionSpecSecretsActionsRefKind || (FirestartrGithubRepositorySecretsSectionSpecSecretsActionsRefKind = {}));
+/**
+ * The type of Kubernetes resource to reference.
+ *
+ * @schema FirestartrGithubRepositorySecretsSectionSpecSecretsCodespacesRefKind
+ */
+var FirestartrGithubRepositorySecretsSectionSpecSecretsCodespacesRefKind;
+(function (FirestartrGithubRepositorySecretsSectionSpecSecretsCodespacesRefKind) {
+    /** Secret */
+    FirestartrGithubRepositorySecretsSectionSpecSecretsCodespacesRefKind["SECRET"] = "Secret";
+})(FirestartrGithubRepositorySecretsSectionSpecSecretsCodespacesRefKind || (FirestartrGithubRepositorySecretsSectionSpecSecretsCodespacesRefKind = {}));
+/**
+ * The type of Kubernetes resource to reference.
+ *
+ * @schema FirestartrGithubRepositorySecretsSectionSpecSecretsDependabotRefKind
+ */
+var FirestartrGithubRepositorySecretsSectionSpecSecretsDependabotRefKind;
+(function (FirestartrGithubRepositorySecretsSectionSpecSecretsDependabotRefKind) {
+    /** Secret */
+    FirestartrGithubRepositorySecretsSectionSpecSecretsDependabotRefKind["SECRET"] = "Secret";
+})(FirestartrGithubRepositorySecretsSectionSpecSecretsDependabotRefKind || (FirestartrGithubRepositorySecretsSectionSpecSecretsDependabotRefKind = {}));
+/**
+ * @schema FirestartrGithubRepositorySecretsSectionSpecContextProviderRefKind
+ */
+var FirestartrGithubRepositorySecretsSectionSpecContextProviderRefKind;
+(function (FirestartrGithubRepositorySecretsSectionSpecContextProviderRefKind) {
+    /** FirestartrProviderConfig */
+    FirestartrGithubRepositorySecretsSectionSpecContextProviderRefKind["FIRESTARTR_PROVIDER_CONFIG"] = "FirestartrProviderConfig";
+})(FirestartrGithubRepositorySecretsSectionSpecContextProviderRefKind || (FirestartrGithubRepositorySecretsSectionSpecContextProviderRefKind = {}));
+/**
+ * @schema FirestartrGithubRepositorySecretsSectionSpecContextBackendRefKind
+ */
+var FirestartrGithubRepositorySecretsSectionSpecContextBackendRefKind;
+(function (FirestartrGithubRepositorySecretsSectionSpecContextBackendRefKind) {
+    /** FirestartrProviderConfig */
+    FirestartrGithubRepositorySecretsSectionSpecContextBackendRefKind["FIRESTARTR_PROVIDER_CONFIG"] = "FirestartrProviderConfig";
+})(FirestartrGithubRepositorySecretsSectionSpecContextBackendRefKind || (FirestartrGithubRepositorySecretsSectionSpecContextBackendRefKind = {}));
+/**
+ * A resource to handle backend and provider configuration.
+ *
+ * @schema FirestartrProviderConfig
+ */
+class FirestartrProviderConfig extends lib.ApiObject {
+    /**
+     * Renders a Kubernetes manifest for "FirestartrProviderConfig".
+     *
+     * This can be used to inline resource manifests inside other objects (e.g. as templates).
+     *
+     * @param props initialization props
+     */
+    static manifest(props) {
+        return {
+            ...FirestartrProviderConfig.GVK,
+            ...toJson_FirestartrProviderConfigProps(props),
+        };
+    }
+    /**
+     * Defines a "FirestartrProviderConfig" API object
+     * @param scope the scope in which to define this object
+     * @param id a scope-local name for the object
+     * @param props initialization props
+     */
+    constructor(scope, id, props) {
+        super(scope, id, {
+            ...FirestartrProviderConfig.GVK,
+            ...props,
+        });
+    }
+    /**
+     * Renders the object to Kubernetes JSON.
+     */
+    toJson() {
+        const resolved = super.toJson();
+        return {
+            ...FirestartrProviderConfig.GVK,
+            ...toJson_FirestartrProviderConfigProps(resolved),
+        };
+    }
+}
+/**
+ * Returns the apiVersion and kind for "FirestartrProviderConfig"
+ */
+FirestartrProviderConfig.GVK = {
+    apiVersion: 'firestartr.dev/v1',
+    kind: 'FirestartrProviderConfig',
+};
+/**
+ * Converts an object of type 'FirestartrProviderConfigProps' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrProviderConfigProps(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'metadata': obj.metadata,
+        'spec': toJson_FirestartrProviderConfigSpec(obj.spec),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrProviderConfigSpec' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrProviderConfigSpec(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'type': obj.type,
+        'source': obj.source,
+        'version': obj.version,
+        'config': obj.config,
+        'inline': obj.inline,
+        'env': obj.env,
+        'secrets': ((obj.secrets) === undefined) ? undefined : (Object.entries(obj.secrets).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: toJson_FirestartrProviderConfigSpecSecrets(i[1]) }), {})),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrProviderConfigSpecSecrets' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrProviderConfigSpecSecrets(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'secretRef': toJson_FirestartrProviderConfigSpecSecretsSecretRef(obj.secretRef),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrProviderConfigSpecSecretsSecretRef' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrProviderConfigSpecSecretsSecretRef(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'name': obj.name,
+        'namespace': obj.namespace,
+        'key': obj.key,
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/* eslint-enable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+/**
+ * A workspace to handle Terraform code
+ *
+ * @schema FirestartrTerraformWorkspace
+ */
+class FirestartrTerraformWorkspace extends lib.ApiObject {
+    /**
+     * Renders a Kubernetes manifest for "FirestartrTerraformWorkspace".
+     *
+     * This can be used to inline resource manifests inside other objects (e.g. as templates).
+     *
+     * @param props initialization props
+     */
+    static manifest(props) {
+        return {
+            ...FirestartrTerraformWorkspace.GVK,
+            ...toJson_FirestartrTerraformWorkspaceProps(props),
+        };
+    }
+    /**
+     * Defines a "FirestartrTerraformWorkspace" API object
+     * @param scope the scope in which to define this object
+     * @param id a scope-local name for the object
+     * @param props initialization props
+     */
+    constructor(scope, id, props) {
+        super(scope, id, {
+            ...FirestartrTerraformWorkspace.GVK,
+            ...props,
+        });
+    }
+    /**
+     * Renders the object to Kubernetes JSON.
+     */
+    toJson() {
+        const resolved = super.toJson();
+        return {
+            ...FirestartrTerraformWorkspace.GVK,
+            ...toJson_FirestartrTerraformWorkspaceProps(resolved),
+        };
+    }
+}
+/**
+ * Returns the apiVersion and kind for "FirestartrTerraformWorkspace"
+ */
+FirestartrTerraformWorkspace.GVK = {
+    apiVersion: 'firestartr.dev/v1',
+    kind: 'FirestartrTerraformWorkspace',
+};
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceProps' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceProps(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'metadata': obj.metadata,
+        'spec': toJson_FirestartrTerraformWorkspaceSpec(obj.spec),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpec' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpec(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'context': toJson_FirestartrTerraformWorkspaceSpecContext(obj.context),
+        'firestartr': toJson_FirestartrTerraformWorkspaceSpecFirestartr(obj.firestartr),
+        'module': obj.module,
+        'source': obj.source,
+        'values': obj.values,
+        'references': obj.references?.map(y => toJson_FirestartrTerraformWorkspaceSpecReferences(y)),
+        'writeConnectionSecretToRef': toJson_FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRef(obj.writeConnectionSecretToRef),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecContext' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecContext(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'backend': toJson_FirestartrTerraformWorkspaceSpecContextBackend(obj.backend),
+        'providers': obj.providers?.map(y => toJson_FirestartrTerraformWorkspaceSpecContextProviders(y)),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecFirestartr' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecFirestartr(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'tfStateKey': obj.tfStateKey,
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/* eslint-enable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+/**
+ * @schema FirestartrTerraformWorkspaceSpecSource
+ */
+var FirestartrTerraformWorkspaceSpecSource;
+(function (FirestartrTerraformWorkspaceSpecSource) {
+    /** Remote */
+    FirestartrTerraformWorkspaceSpecSource["REMOTE"] = "Remote";
+    /** Inline */
+    FirestartrTerraformWorkspaceSpecSource["INLINE"] = "Inline";
+})(FirestartrTerraformWorkspaceSpecSource || (FirestartrTerraformWorkspaceSpecSource = {}));
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecReferences' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecReferences(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'name': obj.name,
+        'ref': toJson_FirestartrTerraformWorkspaceSpecReferencesRef(obj.ref),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRef' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRef(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'name': obj.name,
+        'outputs': obj.outputs?.map(y => toJson_FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRefOutputs(y)),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecContextBackend' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecContextBackend(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'ref': toJson_FirestartrTerraformWorkspaceSpecContextBackendRef(obj.ref),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecContextProviders' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecContextProviders(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'ref': toJson_FirestartrTerraformWorkspaceSpecContextProvidersRef(obj.ref),
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecReferencesRef' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecReferencesRef(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'kind': obj.kind,
+        'name': obj.name,
+        'key': obj.key,
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRefOutputs' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecWriteConnectionSecretToRefOutputs(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'key': obj.key,
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecContextBackendRef' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecContextBackendRef(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'kind': obj.kind,
+        'name': obj.name,
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/**
+ * Converts an object of type 'FirestartrTerraformWorkspaceSpecContextProvidersRef' to JSON representation.
+ */
+/* eslint-disable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
+function toJson_FirestartrTerraformWorkspaceSpecContextProvidersRef(obj) {
+    if (obj === undefined) {
+        return undefined;
+    }
+    const result = {
+        'kind': obj.kind,
+        'name': obj.name,
+    };
+    // filter undefined values
+    return Object.entries(result).reduce((r, i) => (i[1] === undefined) ? r : ({ ...r, [i[0]]: i[1] }), {});
+}
+/* eslint-enable max-len, @stylistic/max-len, quote-props, @stylistic/quote-props */
 /**
  * @schema FirestartrTerraformWorkspaceSpecReferencesRefKind
  */
@@ -363691,12 +363959,104 @@ class FeatureRepoChart extends BaseGithubChart {
     }
 }
+;// CONCATENATED MODULE: ../cdk8s_renderer/src/charts/github/RepoSecretsSectionChart.ts
+class RepoSecretsSectionChart extends BaseGithubChart {
+    constructor(scope, chartId, firestartrId, claim, patches = [], cr = null) {
+        super(scope, chartId, firestartrId, claim, patches);
+        this.set('repoCr', cr);
+    }
+    template() {
+        const claim = this.get('claim');
+        const repositoryTarget = this.resolveRepositoryTarget();
+        const github = claim.providers?.github ?? {};
+        const cr = {
+            metadata: {
+                name: this.get('repoCr').metadata.name,
+                annotations: {
+                    'firestartr.dev/external-name': claim.name,
+                },
+            },
+            spec: {
+                context: this.get('repoCr').spec?.context,
+                org: claim.org,
+                repositoryTarget,
+                secrets: {
+                    actions: this.renderSecrets('actions', github),
+                    codespaces: this.renderSecrets('codespaces', github),
+                    dependabot: this.renderSecrets('dependabot', github),
+                },
+                firestartr: {
+                    tfStateKey: this.get('repoCr').spec.firestartr.tfStateKey,
+                },
+            },
+        };
+        const annotations = this.getAnnotationsFromRepo(this.get('repoCr'), [
+            'claim-ref',
+            'revision',
+            'sync-enabled',
+            'sync-period',
+        ]);
+        cr.metadata.annotations = {
+            ...cr.metadata.annotations,
+            ...annotations,
+        };
+        return cr;
+    }
+    getAnnotationsFromRepo(repoCr, inheritedAnnotations) {
+        const annotations = {};
+        for (const annotation of inheritedAnnotations) {
+            const fsAnnotation = `firestartr.dev/${annotation}`;
+            if (fsAnnotation in repoCr.metadata.annotations) {
+                annotations[fsAnnotation] = repoCr.metadata.annotations[fsAnnotation];
+            }
+        }
+        return annotations;
+    }
+    renderSecrets(section, githubProvider) {
+        const secrets = [];
+        if (githubProvider?.secrets?.[section]) {
+            const secretsSection = githubProvider.secrets[section];
+            for (const secret of secretsSection) {
+                const parts = secret.value.split(':');
+                secrets.push({
+                    name: secret.name,
+                    ref: {
+                        kind: 'Secret',
+                        name: parts[2],
+                        key: parts[3],
+                    },
+                });
+            }
+        }
+        return secrets;
+    }
+    gvk() {
+        return FirestartrGithubRepositorySecretsSection.GVK;
+    }
+    instanceApiObject(template) {
+        return new FirestartrGithubRepositorySecretsSection(this, `${template.metadata.name}-${template.spec.firestartr.tfStateKey}-secrets-section`, template);
+    }
+    resolveRepositoryTarget() {
+        const repositoryTarget = {
+            ref: {
+                kind: 'FirestartrGithubRepository',
+                name: this.get('repoCr').metadata.name,
+                needsSecret: false,
+            },
+        };
+        return repositoryTarget;
+    }
+}
 ;// CONCATENATED MODULE: ../cdk8s_renderer/src/charts/github/repositoryChart.ts
 class GithubRepositoryChart extends BaseGithubChart {
     template() {
         const claim = this.get('claim');
@@ -363739,7 +364099,6 @@ class GithubRepositoryChart extends BaseGithubChart {
                 actions,
                 permissions: this.createPermissions(claim),
                 vars: this.createVars(claim),
-                secrets: this.createRepoSecrets(claim),
                 pages: claim.providers.github.pages,
                 branchProtections: [],
                 writeConnectionSecretToRef: {
@@ -363762,6 +364121,7 @@ class GithubRepositoryChart extends BaseGithubChart {
     async render() {
         await super.render();
         await this.postRenderFeatures(this.get('rendered-cr'));
+        await this.postRenderSecretsSection(this.get('rendered-cr'));
         return this;
     }
     gvk() {
@@ -363783,6 +364143,20 @@ class GithubRepositoryChart extends BaseGithubChart {
         }
         this.set('features', features);
     }
+    async postRenderSecretsSection(cr) {
+        const areThereSecrets = this.get('claim').providers?.github?.secrets ?? false;
+        if (!areThereSecrets) {
+            return;
+        }
+        const secretsSectionChart = await (await new RepoSecretsSectionChart(this, 'secrets-section', cr.spec.firestartr.tfStateKey, this.get('claim'), [], cr).render()).postRenderer([]);
+        this.set('secrets_section', {
+            claim: {
+                kind: secretsSectionChart.kind,
+                name: secretsSectionChart.name,
+            },
+            chart: secretsSectionChart,
+        });
+    }
     instanceApiObject(template) {
         return new FirestartrGithubRepository(this, template.metadata.name, template);
     }
@@ -363826,27 +364200,6 @@ class GithubRepositoryChart extends BaseGithubChart {
         }
         return vars;
     }
-    /**
-     * @description This method creates the secrets data for the repository
-     * @param claim
-     * @returns RepoSecretsConfiguration
-     */
-    createRepoSecrets(claim) {
-        const repoSecrets = {};
-        const repoSecretsDefinitions = claim.providers?.github?.secrets;
-        if (repoSecretsDefinitions) {
-            if (repoSecretsDefinitions.actions) {
-                repoSecrets.actions = this.formatRepoSecrets(repoSecretsDefinitions.actions);
-            }
-            if (repoSecretsDefinitions.codespaces) {
-                repoSecrets.codespaces = this.formatRepoSecrets(repoSecretsDefinitions.codespaces);
-            }
-            if (repoSecretsDefinitions.dependabot) {
-                repoSecrets.dependabot = this.formatRepoSecrets(repoSecretsDefinitions.dependabot);
-            }
-        }
-        return repoSecrets;
-    }
     formatVars(blockDefinition) {
         return blockDefinition.map((varDef) => {
             if (isRepoSecretRef(varDef.value)) {
@@ -363868,26 +364221,11 @@ class GithubRepositoryChart extends BaseGithubChart {
             }
         });
     }
-    formatRepoSecrets(blockDefinition) {
-        return blockDefinition.map((secretDef) => {
-            if (isRepoSecretRef(secretDef.value)) {
-                const parts = secretDef.value.split(':');
-                return {
-                    name: secretDef.name,
-                    ref: {
-                        kind: 'Secret',
-                        name: parts[2],
-                        key: parts[3],
-                    },
-                };
-            }
-            else {
-                throw new Error(`RepoSecret value is not correct: ${secretDef.value}`);
-            }
-        });
-    }
     extraCharts() {
-        return this.get('features') || [];
+        const charts = [this.get('secrets_section') ?? undefined];
+        return charts
+            .concat(this.get('features') ?? [])
+            .filter((chart) => chart);
     }
 }
@@ -363910,10 +364248,7 @@ class GithubOrgWebhookChart extends BaseGithubChart {
                 webhook: {
                     url: claim.providers.github.webhook.url,
                     contentType: claim.providers.github.webhook.contentType,
-                    secretRef: {
-                        name: claim.providers.github.webhook.secretRef.name,
-                        key: claim.providers.github.webhook.secretRef.key,
-                    },
+                    secretRef: this.renderSecret(claim.providers.github.webhook.secretRef),
                     active: claim.providers.github.webhook.active,
                     events: claim.providers.github.webhook.events,
                 },
@@ -363924,6 +364259,17 @@ class GithubOrgWebhookChart extends BaseGithubChart {
             },
         };
     }
+    renderSecret(secret) {
+        const parts = secret.split(':');
+        if (parts.length < 4) {
+            throw `GithubOrgWebhookChart: invalid secretRef: ${secret}. Expected format: <provider>:<namespace>:<name>:<key>`;
+        }
+        return {
+            kind: 'Secret',
+            name: parts[2],
+            key: parts[3],
+        };
+    }
     gvk() {
         return FirestartrGithubOrgWebhook.GVK;
     }
@@ -364470,7 +364816,7 @@ class SecretsChart extends BaseSecretsChart {
     gvk() {
         return {
             kind: 'ExternalSecret/PushSecret',
-            apiVersion: 'external-secrets.io/v1',
+            apiVersion: 'external-secrets.io/v1alpha1',
         };
     }
     extraCharts() {
@@ -364478,7 +364824,8 @@ class SecretsChart extends BaseSecretsChart {
         const pushSecrets = this.get('pushSecrets');
         const kind = this.get('claim').kind;
         const name = this.get('claim').name;
-        const concatenated = externalSecrets
+        const concatenated = []
+            .concat(externalSecrets)
             .concat(pushSecrets)
             .filter((el) => el !== undefined);
         return concatenated.map((chart) => {
@@ -364553,7 +364900,7 @@ class SecretsChart extends BaseSecretsChart {
         }
         for (const pushSecret of pushSecretsFromClaim) {
             const k8sResource = {
-                apiVersion: 'external-secrets.io/v1',
+                apiVersion: 'external-secrets.io/v1alpha1',
                 kind: 'PushSecret',
                 metadata: {
                     name: catalog_common.generic.normalizeName(`${pushSecret.secretName}-${claim.name}`),
@@ -364832,7 +365179,7 @@ function validateClaimsSecretsRefs(ref, renderClaims) {
     if (!secrets) {
         return;
     }
-    for (const section of ['actions', 'codespaces', 'copilot']) {
+    for (const section of ['actions', 'codespaces', 'dependabot']) {
         const secretsSection = secrets[section];
         if (!secretsSection) {
             continue;
@@ -366046,12 +366393,7 @@ async function moveCRsAndClaims(crs, org, claimsPath, resourcesPath) {
     const importedResources = [];
     const failedImportedResources = [];
     for (const k of Object.keys(crs)) {
-        if (crs[k].kind === 'FirestartrGithubGroup' &&
-            crs[k].metadata.name === `${org}-all`) {
-            importer_src_logger.info(`⚡ SKIP IMPORT: CR is the all group, skipping import with kind: ${crs[k].kind} and name: ${crs[k].metadata.name}`);
-            continue;
-        }
-        else if (cdk8s_renderer.isCatalogEntity(crs[k])) {
+        if (cdk8s_renderer.isCatalogEntity(crs[k])) {
             importer_src_logger.info(`⚡ SKIP IMPORT: CR is a catalog entity, skipping import with kind: ${crs[k].kind} and name: ${crs[k].metadata.name}`);
             continue;
         }
@@ -366508,6 +366850,7 @@ const kindPluralMap = {
     githubmemberships: 'FirestartrGithubMembership',
     githubrepositories: 'FirestartrGithubRepository',
     githubrepositoryfeatures: 'FirestartrGithubRepositoryFeature',
+    githubrepositorysecretssections: 'FirestartrGithubRepositorySecretsSection',
     terraformmodules: 'FirestartrTerraformModule',
     githuborgwebhooks: 'FirestartrGithubOrgWebhook',
     terraformworkspaces: 'FirestartrTerraformWorkspace',
@@ -367122,6 +367465,28 @@ async function needsProvisioningOnCreate(cr) {
     operator_src_logger.debug(`Skipping the provisioning process for custom resource '${cr.kind}/${cr.metadata.name}' because its current state is not handled.`);
     return false;
 }
+async function updateSyncTransition(itemPath, reason, lastSyncTime, nextSyncTime, message, status) {
+    operator_src_logger.info(`The item at '${itemPath}' transitioned to a new SYNCHRONIZED condition of '${status}'. The reason for the change is '${reason}' with the message: '${message}'.`);
+    const k8sItem = await getItemByItemPath(itemPath);
+    if (!('status' in k8sItem))
+        k8sItem.status = {};
+    if (!('conditions' in k8sItem.status))
+        k8sItem.status.conditions = [];
+    let conditionObject = getRelevantCondition(k8sItem.status.conditions, 'SYNCHRONIZED');
+    conditionObject = {
+        ...conditionObject,
+        reason,
+        status,
+        message,
+        observedGeneration: k8sItem.metadata.generation,
+        lastSyncTime,
+        lastUpdateTime: new Date().toJSON(),
+        nextSyncTime,
+    };
+    k8sItem.status.conditions = updateConditionByType(k8sItem.status.conditions, 'SYNCHRONIZED', conditionObject);
+    const itemParameters = itemPath.split('/');
+    await writeStatus(itemParameters[1], itemParameters[0], k8sItem);
+}
 async function updateTransition(itemPath, reason, type, statusValue, message = '', updateStatusOnly = false) {
     operator_src_logger.info(`The item at '${itemPath}' transitioned to a new status of '${statusValue}' (type: '${type}'). The reason for the change is '${reason}' with the message: '${message}'. This was a status-only update: '${updateStatusOnly}'.`);
     const k8sItem = await getItemByItemPath(itemPath);
@@ -367182,12 +367547,144 @@ function updateConditionByType(conditionList, type, newCondition) {
     return conditionList;
 }
-;// CONCATENATED MODULE: ../operator/src/syncer.ts
+;// CONCATENATED MODULE: ../operator/src/syncCtl.ts
+// Machinery for syncing
-const syncWatchers = {};
-const FORCE_REVISION_TIME = 60 * 1000;
 const DEFAULT_REVISION_TIME = '1m';
+async function createWatcherForItem(itemPath, itemCR) {
+    const item = itemCR ?? (await getItemByItemPath(itemPath));
+    const syncStatus = await getSyncStatus(itemPath, item);
+    let nextTimeoutInMS = syncStatus.nextTimeoutInMS;
+    // we have lapsed last interval
+    // we calculate from the lastSyncTime
+    if (syncStatus.intervalLapsed) {
+        operator_src_logger.debug(`Next sync interval have been lapsed for ${itemPath}`);
+        if (syncStatus.syncMode === 'Period') {
+            operator_src_logger.debug(`Next sync interval have been lapsed for ${itemPath} the sync will start now`);
+            nextTimeoutInMS = -1;
+        }
+    }
+    const syncInfo = syncStatus.conditions?.[0] ?? null;
+    const watcher = {
+        itemPath,
+        lastRevision: setTimeout(() => {
+            operator_src_logger.debug(`Item ${itemPath} needs revision`);
+            watcher.needsRevision = true;
+            watcher.alreadyFired = true;
+        }, nextTimeoutInMS),
+        needsRevision: false,
+        nextSync: syncInfo ? syncInfo?.nextSyncTime : undefined,
+        syncMode: syncStatus.syncMode,
+        alreadyFired: false,
+    };
+    return watcher;
+}
+async function destroyWatcherForItem(watcher) {
+    clearTimeout(watcher.lastRevision);
+    operator_src_logger.debug(`Disabled SyncWatcher for ${watcher.itemPath}`);
+}
+async function getSyncSpecs(itemPath, itemCR) {
+    const item = itemCR ?? (await getItemByItemPath(itemPath));
+    return {
+        item,
+        syncable: helperIsSyncable(item),
+        period: item.metadata.annotations['firestartr.dev/sync-period'] ||
+            DEFAULT_REVISION_TIME,
+        schedule: item.metadata.annotations['firestartr.dev/sync-schedule'] || false,
+        scheduleTZ: item.metadata.annotations['firestartr.dev/sync-schedule-timezone'] ||
+            'Europe/Madrid',
+    };
+}
+async function getSyncStatus(itemPath, itemCR) {
+    const item = itemCR ?? (await getItemByItemPath(itemPath));
+    const syncCondition = getConditionByType(item.status?.conditions ?? [], 'SYNCHRONIZED');
+    // no sync condition present
+    if (!syncCondition) {
+        return {
+            syncStatusPresent: false,
+        };
+    }
+    else {
+        const nextSyncDate = new Date(syncCondition.nextSyncTime);
+        const isLapsed = Date.now() >= nextSyncDate.getTime();
+        const mode = !helperIsSyncable(item)
+            ? 'NotSyncable'
+            : (await getSyncSpecs(itemPath, item)).schedule
+                ? 'Scheduled'
+                : 'Period';
+        return {
+            itemPath,
+            syncMode: mode,
+            conditions: [syncCondition],
+            syncStatusPresent: true,
+            nextTimeoutInMS: isLapsed ? -1 : nextSyncDate.getTime() - Date.now(),
+            intervalLapsed: isLapsed,
+        };
+    }
+}
+async function setSyncStatus(itemPath, reason, status, message) {
+    const item = await getItemByItemPath(itemPath);
+    const machinery = assessSyncCalculationMachinery(item);
+    const syncStatus = await machinery(item, reason, status, message);
+    syncStatus.itemPath = itemPath;
+    syncStatus.syncStatusPresent = true;
+    operator_src_logger.info(`Setting sync status for ${itemPath}: ${JSON.stringify(syncStatus)}`);
+    const syncTransition = syncStatus.conditions[0];
+    await updateSyncTransition(itemPath, syncTransition.reason, syncTransition.lastSyncTime, syncTransition.nextSyncTime, syncTransition.message, syncTransition.status);
+    return syncStatus;
+}
+function assessSyncCalculationMachinery(item) {
+    if (!helperIsSyncable(item)) {
+        return processNotSyncable;
+    }
+    else if (item.metadata.annotations['firestartr.dev/sync-schedule'] ??
+        false) {
+        return processScheduledSync;
+    }
+    else {
+        return processPeriodSync;
+    }
+}
+function helperIsSyncable(item) {
+    return (item.metadata.annotations &&
+        item.metadata.annotations['firestartr.dev/sync-enabled'] &&
+        item.metadata.annotations['firestartr.dev/sync-enabled'] === 'true');
+}
+async function processNotSyncable(item, reason, status, message) {
+    return {
+        syncMode: 'NotSyncable',
+        conditions: [
+            {
+                reason,
+                type: 'SYNCHRONIZED',
+                message,
+                status,
+                lastSyncTime: new Date().toISOString(),
+                nextSyncTime: new Date().toISOString(),
+            },
+        ],
+    };
+}
+async function processPeriodSync(item, reason, status, message) {
+    const period = item.metadata.annotations['firestartr.dev/sync-period'];
+    const periodMS = helperCalculateRevisionTime(period);
+    return {
+        syncMode: 'Period',
+        conditions: [
+            {
+                reason,
+                type: 'SYNCHRONIZED',
+                message,
+                status,
+                lastSyncTime: new Date().toISOString(),
+                nextSyncTime: new Date(Date.now() + periodMS).toISOString(),
+            },
+        ],
+    };
+}
 function helperCalculateRevisionTime(period) {
     const [_, scalar, dimension] = period.split(/(\d+)/);
     const multiplier = dimension === 's'
@@ -367201,24 +367698,97 @@ function helperCalculateRevisionTime(period) {
                     : 1;
     return Number(scalar) * multiplier * 1000;
 }
+async function processScheduledSync(item, reason, status, message) {
+    const nextPeriod = catalog_common.cron.getCronNextInterval(item.metadata.annotations['firestartr.dev/sync-schedule'], item.metadata.annotations['firestartr.dev/sync-schedule-timezone'] ||
+        undefined);
+    const nextPeriodDate = new Date(nextPeriod);
+    return {
+        syncMode: 'Scheduled',
+        conditions: [
+            {
+                reason,
+                type: 'SYNCHRONIZED',
+                message,
+                status,
+                lastSyncTime: new Date().toISOString(),
+                nextSyncTime: nextPeriodDate.toISOString(),
+            },
+        ],
+    };
+}
+;// CONCATENATED MODULE: ../operator/src/syncer.debug.ts
+let running = false;
+let waitingF = null;
+async function syncerDebug(syncWatchers) {
+    if (running)
+        return waitUntilDone(syncWatchers);
+    running = true;
+    try {
+        await writeDownSyncer(syncWatchers);
+        running = false;
+    }
+    catch (err) {
+        operator_src_logger.error(`PANIC!!! sync debug could not be written ${err}`);
+        running = false;
+    }
+}
+async function waitUntilDone(syncWatchers) {
+    if (waitingF)
+        return;
+    waitingF = setTimeout(() => {
+        syncerDebug(syncWatchers).catch((err) => {
+            operator_src_logger.error(`Caught error: ${err}`);
+            throw `Caught error: ${err}`;
+        });
+        clearTimeout(waitingF);
+        waitingF = null;
+    }, 300);
+}
+async function writeDownSyncer(syncWatchers) {
+    let output = '';
+    for (const watcher of Object.values(syncWatchers)) {
+        output += `${watcher.itemPath} - (${watcher.syncMode}) - next: ${watcher.nextSync} \n`;
+    }
+    return new Promise((ok, ko) => {
+        external_fs_.writeFile('/tmp/syncs', output, (err) => {
+            if (err)
+                return ko(`Error writing the /tmp/syncs: ${err}`);
+            else
+                return ok();
+        });
+    });
+}
+;// CONCATENATED MODULE: ../operator/src/syncer.ts
+const syncWatchers = {};
+const FORCE_REVISION_TIME = (/* unused pure expression or super */ null && (60 * 1000));
 async function syncer(enqueue) {
-    // fork
-    void loop(enqueue);
-    return {
+    const api = {
         addItem(itemPath) {
             operator_src_logger.info(`Added item of path '${itemPath}' for synchronization`);
-            void itemIsSyncable(itemPath).then((itemSyncInfo) => {
+            getSyncSpecs(itemPath)
+                .then(async (itemSyncInfo) => {
                 if (!itemSyncInfo.syncable) {
                     return;
                 }
-                syncWatchers[itemPath] = {
-                    itemPath,
-                    lastRevision: setInterval(() => {
-                        syncWatchers[itemPath].needsRevision = true;
-                    }, helperCalculateRevisionTime(itemSyncInfo.period)),
-                    needsRevision: false,
-                };
+                const syncCtl = await getSyncStatus(itemPath, itemSyncInfo.item);
+                syncWatchers[itemPath] = await createWatcherForItem(itemPath, itemSyncInfo.item);
                 operator_src_logger.info(`Configured synchronization for item at path '${itemPath}'`);
+                operator_src_logger.debug(`Sync information for '${itemPath}': ${JSON.stringify({ ...itemSyncInfo, item: null }, null)}`);
+                syncerDebug(syncWatchers).catch((err) => {
+                    throw `Error syncer debug: ${err}`;
+                });
+            })
+                .catch((err) => {
+                operator_src_logger.error(`Error on sync [add item]: ${err}`);
+                throw `Error on sync [add item]: ${err}`;
             });
         },
         updateItem(itemPath) {
@@ -367227,27 +367797,27 @@ async function syncer(enqueue) {
             //  return
             //}
             operator_src_logger.debug(`Updated item of path '${itemPath}' during synchronization`);
-            void itemIsSyncable(itemPath).then((itemSyncInfo) => {
-                if (!itemSyncInfo.syncable) {
-                    if (syncWatchers[itemPath]) {
-                        clearInterval(syncWatchers[itemPath].lastRevision);
-                        delete syncWatchers[itemPath];
-                        operator_src_logger.info(`Removed item of path '${itemPath}' from synchronization`);
-                    }
+            return getSyncSpecs(itemPath)
+                .then(async (itemSyncInfo) => {
+                if (syncWatchers[itemPath]) {
+                    await destroyWatcherForItem(syncWatchers[itemPath]);
+                    delete syncWatchers[itemPath];
                 }
-                else {
-                    if (itemSyncInfo.syncable && syncWatchers[itemPath]) {
-                        clearInterval(syncWatchers[itemPath].lastRevision);
-                    }
-                    syncWatchers[itemPath] = {
-                        itemPath,
-                        lastRevision: setInterval(() => {
-                            syncWatchers[itemPath].needsRevision = true;
-                        }, helperCalculateRevisionTime(itemSyncInfo.period)),
-                        needsRevision: false,
-                    };
-                    operator_src_logger.debug(`Configured synchronization for item at path '${itemPath}' with watcher '${syncWatchers[itemPath]}'`);
+                // we need to check if the item is not syncable anymore
+                if (!itemSyncInfo.syncable) {
+                    operator_src_logger.info(`Removed item of path '${itemPath}' from synchronization`);
+                    return;
                 }
+                // if it is syncable we need to recalculate everything
+                syncWatchers[itemPath] = await createWatcherForItem(itemPath);
+                operator_src_logger.info(`Configured synchronization for item at path '${itemPath}' with watcher`);
+                syncerDebug(syncWatchers).catch((err) => {
+                    throw `Error syncer debug: ${err}`;
+                });
+            })
+                .catch((err) => {
+                operator_src_logger.error(`Error on sync [updateItem]: ${err}`);
+                throw `Error on sync [updateItem]: ${err}`;
             });
         },
         deleteItem(itemPath) {
@@ -367255,35 +367825,54 @@ async function syncer(enqueue) {
                 operator_src_logger.debug(`Ignored deletion attempt for item at path '${itemPath}' as it was not found during synchronization`);
                 return;
             }
-            operator_src_logger.debug(`Deleted item of path '${itemPath}' during synchronization`);
-            clearInterval(syncWatchers[itemPath].lastRevision);
-            delete syncWatchers[itemPath];
-            operator_src_logger.debug(`Successfully deleted item at path '${itemPath}' during synchronization`);
+            destroyWatcherForItem(syncWatchers[itemPath])
+                .then(() => {
+                operator_src_logger.debug(`Deleted item of path '${itemPath}' during synchronization`);
+                delete syncWatchers[itemPath];
+                syncerDebug(syncWatchers).catch((err) => {
+                    throw `Error syncer debug: ${err}`;
+                });
+            })
+                .catch((err) => {
+                operator_src_logger.error(`Error deleting item of path ${itemPath} for synchronization: ${err}`);
+                throw `Error deleting item of path ${itemPath} for synchronization: ${err}`;
+            });
         },
     };
+    // fork
+    void loop(enqueue, api);
+    return api;
 }
-async function loop(enqueueIfNeeded) {
+async function loop(enqueueIfNeeded, api) {
+    void loopKeeper(api);
     while (1) {
         await fWait();
         const needRevisionItems = Object.values(syncWatchers).filter((watcher) => watcher.needsRevision);
         for (const watcher of needRevisionItems) {
             const item = await getItemIfNeededSync(watcher);
+            operator_src_logger.debug(`Item needs revision ${watcher.itemPath}`);
             if (item !== null) {
                 enqueueIfNeeded(item);
-                watcher.needsRevision = false;
             }
+            watcher.needsRevision = false;
         }
     }
 }
-async function itemIsSyncable(itemPath) {
-    const item = await getItemByItemPath(itemPath);
-    return {
-        syncable: item.metadata.annotations &&
-            item.metadata.annotations['firestartr.dev/sync-enabled'] &&
-            item.metadata.annotations['firestartr.dev/sync-enabled'] === 'true',
-        period: item.metadata.annotations['firestartr.dev/sync-period'] ||
-            DEFAULT_REVISION_TIME,
-    };
+async function loopKeeper(api) {
+    try {
+        while (1) {
+            await fWait(5);
+            for (const watcher of Object.values(syncWatchers)) {
+                if (watcher.alreadyFired) {
+                    await api.updateItem(watcher.itemPath);
+                }
+            }
+        }
+    }
+    catch (err) {
+        operator_src_logger.error(`PANIC!: loopKeeper has failed: ${err}`);
+        process.exit(1);
+    }
 }
 async function getItemIfNeededSync(watcher) {
     const item = await getItemByItemPath(watcher.itemPath);
@@ -367293,13 +367882,7 @@ async function getItemIfNeededSync(watcher) {
     const isDeleting = item.status?.conditions?.find((condition) => condition.type === 'DELETING' && condition.status === 'True');
     if (isDeleting)
         return null;
-    const synchronizedCondition = item.status?.conditions?.find((condition) => condition.type === 'SYNCHRONIZED' && condition.status === 'True');
-    if (!synchronizedCondition)
-        return item;
-    const lastSync = new Date(synchronizedCondition.lastUpdateTime).getTime();
-    if (lastSync <= Date.now() - FORCE_REVISION_TIME)
-        return item;
-    return null;
+    return item;
 }
 function fWait(segs = 1) {
     return new Promise((ok) => {
@@ -367555,6 +368138,7 @@ var WorkStatus;
 const kindsWithFinalizer = [
     'FirestartrTerraformWorkspace',
     'FirestartrGithubGroup',
@@ -367562,6 +368146,7 @@ const kindsWithFinalizer = [
     'FirestartrGithubRepository',
     'FirestartrGithubRepositoryFeature',
     'FirestartrGithubOrgWebhook',
+    'FirestartrGithubRepositorySecretsSection',
 ];
 /**
  * Observe whenever a new item is added, modified or deleted in a given kind
@@ -367674,15 +368259,18 @@ function enqueue(pluralKind, workItem, queue, compute, syncCtl, retryCtl) {
         success: () => retryCtl.successReconciling(informer_itemPath(pluralKind, workItem.item)),
     };
     workItem.process = async function* (item, operation, handler) {
-        for await (const transition of compute(item, operation, handler)) {
-            yield transition;
-        }
-        if (operation === OperationType.RENAMED ||
+        const needsUpdateSyncConditions = operation === OperationType.RENAMED ||
             operation === OperationType.UPDATED ||
             operation === OperationType.SYNC ||
             operation === OperationType.CREATED ||
-            operation === OperationType.RETRY) {
-            syncCtl.updateItem(informer_itemPath(pluralKind, item));
+            operation === OperationType.RETRY;
+        await setSyncStatus(workItem.handler.itemPath(), operation, 'False', 'Sync process started');
+        for await (const transition of compute(item, operation, handler)) {
+            yield transition;
+        }
+        if (needsUpdateSyncConditions) {
+            await setSyncStatus(workItem.handler.itemPath(), operation, operation === OperationType.SYNC ? 'True' : 'False', 'Sync process finished');
+            void syncCtl.updateItem(informer_itemPath(pluralKind, item));
         }
         else {
             operator_src_logger.debug(`The informer received an item with an operation type of '${operation}', which is not a specific operation.`);
@@ -367724,6 +368312,7 @@ async function inform(pluralKind, item, op, lastWorkItem = null) {
                 item,
                 workStatus: WorkStatus.PENDING,
                 onDelete: function () { },
+                upsertTime: Date.now(),
             };
             return workItem;
         case 'onRename':
@@ -367734,6 +368323,7 @@ async function inform(pluralKind, item, op, lastWorkItem = null) {
                     item,
                     workStatus: WorkStatus.PENDING,
                     onDelete: function () { },
+                    upsertTime: Date.now(),
                 };
                 return workItem;
             }
@@ -367747,6 +368337,7 @@ async function inform(pluralKind, item, op, lastWorkItem = null) {
                 item,
                 workStatus: WorkStatus.PENDING,
                 onDelete: function () { },
+                upsertTime: Date.now(),
             };
             return workItem;
         case 'onAdd':
@@ -367756,6 +368347,7 @@ async function inform(pluralKind, item, op, lastWorkItem = null) {
                     item,
                     workStatus: WorkStatus.PENDING,
                     onDelete: function () { },
+                    upsertTime: Date.now(),
                 };
                 return workItem;
             }
@@ -367763,6 +368355,7 @@ async function inform(pluralKind, item, op, lastWorkItem = null) {
         case 'onMarkedToDeletion':
             if (workItem !== null && workItem.workStatus === WorkStatus.PENDING) {
                 workItem.operation = OperationType.MARKED_TO_DELETION;
+                workItem.upsertTime = Date.now();
                 return null;
             }
             else {
@@ -367771,6 +368364,7 @@ async function inform(pluralKind, item, op, lastWorkItem = null) {
                     item,
                     workStatus: WorkStatus.PENDING,
                     onDelete: function () { },
+                    upsertTime: Date.now(),
                 };
                 return workItem;
             }
@@ -367785,6 +368379,7 @@ async function inform(pluralKind, item, op, lastWorkItem = null) {
                     item,
                     workStatus: WorkStatus.PENDING,
                     onDelete: function () { },
+                    upsertTime: Date.now(),
                 };
                 return workItem;
             }
@@ -367904,11 +368499,89 @@ function dummy_fWait(ms) {
     });
 }
+;// CONCATENATED MODULE: ../operator/src/processItem.debug.ts
+function loopWorkItemDebug(queue) {
+    let running = false;
+    setInterval(() => {
+        if (running)
+            return;
+        running = true;
+        writeDownQueueStatus(queue)
+            .then(() => {
+            running = false;
+        })
+            .catch((err) => {
+            operator_src_logger.error(`PANIC cannot evaluate the queue for debug!!!: ${err}`);
+        });
+    }, 5 * 1000);
+}
+async function writeDownQueueStatus(queue) {
+    let output = '';
+    for (const workItem of queue) {
+        const item = workItem.item;
+        output += `${item.kind}/${item.metadata.name} - ${workItem.workStatus} - ${workItem.operation} - (upsert ${formatElapsedTimeWithDate(workItem.upsertTime)})\n`;
+    }
+    return new Promise((ok, ko) => {
+        external_fs_.writeFile('/tmp/queue', output, (err) => {
+            if (err)
+                ko(`Writing /tmp/queue: ${err}`);
+            else
+                ok();
+        });
+    });
+}
+function formatElapsedTimeWithDate(upsertTime) {
+    const now = new Date();
+    const diffMs = now.getTime() - upsertTime;
+    if (diffMs < 0) {
+        return 'Future time (Error)';
+    }
+    if (diffMs < 1000) {
+        return 'Just now';
+    }
+    const MS_PER_SECOND = 1000;
+    const MS_PER_MINUTE = 60 * MS_PER_SECOND;
+    const MS_PER_HOUR = 60 * MS_PER_MINUTE;
+    const MS_PER_DAY = 24 * MS_PER_HOUR;
+    const parts = [];
+    let remainingMs = diffMs;
+    // 1. Calculate Days
+    const days = Math.floor(remainingMs / MS_PER_DAY);
+    if (days > 0) {
+        parts.push(`${days} day${days !== 1 ? 's' : ''}`);
+        remainingMs %= MS_PER_DAY;
+    }
+    // 2. Calculate Hours
+    const hours = Math.floor(remainingMs / MS_PER_HOUR);
+    if (hours > 0) {
+        parts.push(`${hours} hour${hours !== 1 ? 's' : ''}`);
+        remainingMs %= MS_PER_HOUR;
+    }
+    // 3. Calculate Minutes
+    const minutes = Math.floor(remainingMs / MS_PER_MINUTE);
+    if (minutes > 0) {
+        parts.push(`${minutes} minute${minutes !== 1 ? 's' : ''}`);
+        remainingMs %= MS_PER_MINUTE;
+    }
+    // 4. Calculate Seconds (added logic for seconds)
+    const seconds = Math.floor(remainingMs / MS_PER_SECOND);
+    if (seconds > 0 && parts.length < 2) {
+        parts.push(`${seconds} second${seconds !== 1 ? 's' : ''}`);
+    }
+    if (parts.length === 0 && seconds > 0) {
+        return `${seconds} second${seconds !== 1 ? 's' : ''} ago`;
+    }
+    return `${parts.slice(0, 2).join(', ')} ago`;
+}
 ;// CONCATENATED MODULE: ../operator/src/processItem.ts
 const queue = [];
 const WEIGHTS = {
     RENAMED: 15,
@@ -368014,6 +368687,7 @@ async function processItem(workItem) {
  */
 async function processItem_loop() {
     const nextWorkItem = () => sortQueue(queue).find((w) => w.workStatus === WorkStatus.PENDING);
+    loopWorkItemDebug(queue);
     while (1) {
         const w = nextWorkItem();
         if (w) {
@@ -368047,9 +368721,18 @@ function createTimeout(w) {
  */
 function sortQueue(queue) {
     const sortedQueue = queue.sort((wa, wb) => {
-        const weightA = WEIGHTS[wa.operation]; // * KIND_WEIGHTS[wa.item.kind]
-        const weightB = WEIGHTS[wb.operation]; // * KIND_WEIGHTS[wb.item.kind]
-        return weightA > weightB ? -1 : weightB > weightA ? 1 : 0;
+        // --- PRIMARY SORT: By Weight (Descending) ---
+        const weightA = WEIGHTS[wa.operation];
+        const weightB = WEIGHTS[wb.operation];
+        // Check if weights are different
+        if (weightA !== weightB) {
+            // Sort in descending order (higher weight first)
+            // If weightA is larger, return -1 (a comes before b)
+            return weightB - weightA;
+        }
+        // --- SECONDARY SORT: By upsertTime (Ascending) ---
+        // If weights are equal, sort by the oldest upsertTime (ascending)
+        return wa.upsertTime - wb.upsertTime;
     });
     return sortedQueue;
 }
@@ -368180,28 +368863,21 @@ class Entity {
             throw new Error(ErrorMessage);
         }
         const { kind, name, needsSecret } = ref;
-        try {
-            if (!needsSecret) {
-                const cr = this.deps[`${kind}-${name}`].cr;
-                return (cr.metadata?.annotations?.[EXTERNAL_NAME_ANNOTATION] ||
-                    cr.metadata.name);
-            }
-            else {
-                if (!propertyRef) {
-                    const ErrorMessage = `resolveRef:
+        if (!needsSecret) {
+            const cr = this.deps[`${kind}-${name}`].cr;
+            return (cr.metadata?.annotations?.[EXTERNAL_NAME_ANNOTATION] || cr.metadata.name);
+        }
+        else {
+            if (!propertyRef) {
+                const ErrorMessage = `resolveRef:
-                  Entity with kind ${this.kind} ${this.metadata.name}
+                Entity with kind ${this.kind} ${this.metadata.name}
-                  needs a propertyRef to resolve the secret`;
-                    provisioner_src_logger.error(ErrorMessage);
-                    throw new Error(ErrorMessage);
-                }
-                return Buffer.from(this.deps[`${kind}-${name}`].secret.data[propertyRef], 'base64').toString('utf8');
+                needs a propertyRef to resolve the secret`;
+                provisioner_src_logger.error(ErrorMessage);
+                throw new Error(ErrorMessage);
             }
-        }
-        catch (error) {
-            const errorMsg = `Error resolving ref for ${kind}-${name}: ${error}`;
-            throw new Error(errorMsg);
+            return Buffer.from(this.deps[`${kind}-${name}`].secret.data[propertyRef], 'base64').toString('utf8');
         }
     }
     resolveSecretRef(ref) {
@@ -368492,100 +369168,6 @@ function provisionDefaultBranch(scope, fsGithubRepository, repo) {
     return branchDefault;
 }
-// EXTERNAL MODULE: ../provisioner/node_modules/@cdktf/provider-github/lib/actions-secret/index.js
-var actions_secret = __nccwpck_require__(89039);
-// EXTERNAL MODULE: ../provisioner/node_modules/@cdktf/provider-github/lib/codespaces-secret/index.js
-var codespaces_secret = __nccwpck_require__(80659);
-// EXTERNAL MODULE: ../provisioner/node_modules/@cdktf/provider-github/lib/dependabot-secret/index.js
-var dependabot_secret = __nccwpck_require__(16281);
-;// CONCATENATED MODULE: ../provisioner/src/entities/firestartrgithubrepository/helpers/RepositorySecret.ts
-async function provisionRepositorySecrets(scope, repo, fsGithubRepository) {
-    const sections = ['actions', 'codespaces', 'dependabot'];
-    if ('secrets' in fsGithubRepository.spec) {
-        const secrets = fsGithubRepository.spec.secrets;
-        for (const section of sections) {
-            if (section in secrets) {
-                for (const secret of secrets[section]) {
-                    await provisionRepositorySecret(scope, fsGithubRepository, section, secret.name, secret.ref, repo);
-                }
-            }
-        }
-    }
-    else {
-        provisioner_src_logger.info(`FirestartrGithubRepository ${fsGithubRepository.metadata.name} does not have a secrets section`);
-    }
-}
-async function provisionRepositorySecret(scope, repo, section, repoSecretName, secretRef, repoResource) {
-    provisioner_src_logger.info(`Provisioning repo secret ${repo.metadata.name}/${section}/${repoSecretName}`);
-    const secretClass = section === 'actions'
-        ? actions_secret/* ActionsSecret */.N
-        : section === 'codespaces'
-            ? codespaces_secret/* CodespacesSecret */.k
-            : section === 'dependabot'
-                ? dependabot_secret/* DependabotSecret */.c
-                : null;
-    if (secretClass) {
-        const fSecretCreation = process.env['AVOID_PROVIDER_SECRET_ENCRYPTION']
-            ? createUnencryptedSecret
-            : createEncryptedSecrect;
-        await fSecretCreation(scope, repo, secretRef, secretClass, section, repoSecretName, repoResource);
-        provisioner_src_logger.info(`RepoSecret provisioned ${section}-${repoSecretName.toLowerCase()}-secret`);
-    }
-}
-async function createEncryptedSecrect(scope, repo, secretRef, secretClass, section, repoSecretName, repoResource) {
-    const { key_id, encrypted_value } = await encryptSecret(repo, secretRef);
-    const resourceKey = `${section}-${repoSecretName.toLowerCase()}-secret`;
-    const plainTextSecret = repo.resolveSecretRef({
-        name: secretRef.name,
-        key: secretRef.key,
-    });
-    const sha256 = external_crypto_default().createHash('sha256')
-        .update(plainTextSecret)
-        .digest('hex');
-    const secretResourceName = `_${repoSecretName}-${sha256.slice(0, 12)}`;
-    const instanceLifecycle = {
-        ignoreChanges: ['encrypted_value'],
-    };
-    const sc = new secretClass(scope, secretResourceName, {
-        secretName: repoSecretName,
-        repository: repo.metadata.name,
-        encryptedValue: encrypted_value,
-        dependsOn: [repoResource],
-        lifecycle: instanceLifecycle,
-    });
-    repo.addResourceToStack(resourceKey, sc);
-}
-async function createUnencryptedSecret(scope, repo, secretRef, secretClass, section, repoSecretName, repoResource) {
-    const plainTextSecret = repo.resolveSecretRef({
-        name: secretRef.name,
-        key: secretRef.key,
-    });
-    const resourceKey = `${section}-${repoSecretName.toLowerCase()}-secret`;
-    const tfStateKey = `_${repo.getTfStateKey()}-${resourceKey}`;
-    const sc = new secretClass(scope, tfStateKey, {
-        secretName: repoSecretName,
-        plaintextValue: plainTextSecret,
-        repository: repo.metadata.name,
-        dependsOn: [repoResource],
-    });
-    provisioner_src_logger.info(tfStateKey);
-    repo.addResourceToStack(resourceKey, sc);
-}
-async function encryptSecret(repo, secretRef) {
-    const plainTextSecret = repo.resolveSecretRef({
-        name: secretRef.name,
-        key: secretRef.key,
-    });
-    const v = await github_0.encryption.encryptRepoSecret(process.env.ORG, repo.metadata.name, plainTextSecret);
-    return v;
-}
 // EXTERNAL MODULE: ../provisioner/node_modules/@cdktf/provider-github/lib/actions-variable/index.js
 var actions_variable = __nccwpck_require__(81133);
 ;// CONCATENATED MODULE: ../provisioner/src/entities/firestartrgithubrepository/helpers/RepositoryVariable.ts
@@ -368642,7 +369224,6 @@ async function provisionRepositoryVar(scope, repo, section, repoVarName, value,
 class FirestartrGithubRepository_FirestartrGithubRepository extends Entity {
     constructor(artifact, deps) {
         super(artifact, deps);
@@ -368657,7 +369238,6 @@ class FirestartrGithubRepository_FirestartrGithubRepository extends Entity {
         }
         provisionCodeowners(scope, this.mainResource, branchDefault, this);
         provisionPermissions(scope, this.mainResource, this);
-        await provisionRepositorySecrets(scope, this.mainResource, this);
         await provisionRepositoryVariables(scope, this.mainResource, this);
     }
     async orgHasOneOfThesePlans(org, plans) {
@@ -368889,6 +369469,121 @@ class FirestartrTerraformModuleEntity extends Entity {
     }
 }
+// EXTERNAL MODULE: ../provisioner/node_modules/@cdktf/provider-github/lib/actions-secret/index.js
+var actions_secret = __nccwpck_require__(89039);
+// EXTERNAL MODULE: ../provisioner/node_modules/@cdktf/provider-github/lib/codespaces-secret/index.js
+var codespaces_secret = __nccwpck_require__(80659);
+// EXTERNAL MODULE: ../provisioner/node_modules/@cdktf/provider-github/lib/dependabot-secret/index.js
+var dependabot_secret = __nccwpck_require__(16281);
+;// CONCATENATED MODULE: ../provisioner/src/entities/firestartrgithubrepositorysecretssection/helpers/RepositorySecret.ts
+async function provisionRepositorySecrets(scope, fsGithubRepositorySecretsSection, repo) {
+    const sections = [
+        'actions',
+        'codespaces',
+        'dependabot',
+    ];
+    if ('secrets' in fsGithubRepositorySecretsSection.spec) {
+        const secrets = fsGithubRepositorySecretsSection.spec.secrets;
+        for (const section of sections) {
+            if (section in secrets) {
+                for (const secret of secrets[section]) {
+                    await provisionRepositorySecret(scope, fsGithubRepositorySecretsSection, section, secret.name, secret.ref, repo);
+                }
+            }
+        }
+    }
+    else {
+        provisioner_src_logger.info(`FirestartrGithubRepository ${fsGithubRepositorySecretsSection.metadata.name} does not have a secrets section`);
+    }
+}
+async function provisionRepositorySecret(scope, rss, section, repoSecretName, secretRef, repoResource) {
+    provisioner_src_logger.info(`Provisioning repo secret ${rss.metadata.name}/${section}/${repoSecretName}`);
+    const secretClass = section === 'actions'
+        ? actions_secret/* ActionsSecret */.N
+        : section === 'codespaces'
+            ? codespaces_secret/* CodespacesSecret */.k
+            : section === 'dependabot'
+                ? dependabot_secret/* DependabotSecret */.c
+                : null;
+    if (secretClass) {
+        const fSecretCreation = process.env['AVOID_PROVIDER_SECRET_ENCRYPTION']
+            ? createUnencryptedSecret
+            : createEncryptedSecret;
+        await fSecretCreation(scope, rss, secretRef, secretClass, section, repoSecretName, repoResource);
+        provisioner_src_logger.info(`RepoSecret provisioned ${section}-${repoSecretName.toLowerCase()}-secret`);
+    }
+}
+async function createEncryptedSecret(scope, rss, secretRef, secretClass, section, repoSecretName, repo) {
+    const { key_id, encrypted_value } = await encryptSecret(rss, secretRef, section);
+    const resourceKey = `${section}-${repoSecretName.toLowerCase()}-secret`;
+    const plainTextSecret = rss.resolveSecretRef({
+        name: secretRef.name,
+        key: secretRef.key,
+    });
+    const sha256 = external_crypto_default().createHash('sha256')
+        .update(plainTextSecret)
+        .digest('hex');
+    const secretResourceName = `_${section}-${repoSecretName.toLowerCase()}-${sha256.slice(0, 12)}`;
+    const instanceLifecycle = {
+        ignoreChanges: ['encrypted_value'],
+    };
+    const sc = new secretClass(scope, secretResourceName, {
+        secretName: repoSecretName,
+        repository: repo,
+        encryptedValue: encrypted_value,
+        lifecycle: instanceLifecycle,
+    });
+    rss.addResourceToStack(resourceKey, sc);
+}
+async function createUnencryptedSecret(scope, rss, secretRef, secretClass, section, repoSecretName, repo) {
+    const plainTextSecret = rss.resolveSecretRef({
+        name: secretRef.name,
+        key: secretRef.key,
+    });
+    const resourceKey = `${section}-${repoSecretName.toLowerCase()}-secret`;
+    const tfStateKey = `_${rss.getTfStateKey()}-${resourceKey}`;
+    const sc = new secretClass(scope, tfStateKey, {
+        secretName: repoSecretName,
+        plaintextValue: plainTextSecret,
+        repository: repo,
+    });
+    provisioner_src_logger.info(tfStateKey);
+    rss.addResourceToStack(resourceKey, sc);
+}
+async function encryptSecret(rss, secretRef, section) {
+    const plainTextSecret = rss.resolveSecretRef({
+        name: secretRef.name,
+        key: secretRef.key,
+    });
+    const v = await github_0.encryption.encryptRepoSecret(process.env.ORG, rss.resolveRepoExternalName(), section, plainTextSecret);
+    return v;
+}
+;// CONCATENATED MODULE: ../provisioner/src/entities/firestartrgithubrepositorysecretssection/FirestartrGithubRepositorySecretsSection.ts
+class FirestartrGithubRepositorySecretsSection_FirestartrGithubRepositorySecretsSection extends Entity {
+    constructor(artifact, deps) {
+        super(artifact, deps);
+    }
+    async loadResources(data) {
+        const { scope } = data;
+        const repo = this.resolveRef(this.spec.repositoryTarget.ref);
+        await provisionRepositorySecrets(scope, this, repo);
+    }
+    resolveRepoExternalName() {
+        const cr = this.deps[`${this.spec.repositoryTarget.ref.kind}-${this.spec.repositoryTarget.ref.name}`].cr;
+        const repoName = cr.metadata.annotations['firestartr.dev/external-name'];
+        return repoName;
+    }
+}
 ;// CONCATENATED MODULE: ../provisioner/src/entities/index.ts
@@ -368896,6 +369591,7 @@ class FirestartrTerraformModuleEntity extends Entity {
 function getEntityInstance(entity, deps) {
     let instance = null;
     switch (entity.kind) {
@@ -368917,6 +369613,9 @@ function getEntityInstance(entity, deps) {
         case 'FirestartrGithubOrgWebhook':
             instance = new FirestartrGithubOrgWebhook_FirestartrGithubOrgWebhook(entity, deps);
             break;
+        case 'FirestartrGithubRepositorySecretsSection':
+            instance = new FirestartrGithubRepositorySecretsSection_FirestartrGithubRepositorySecretsSection(entity, deps);
+            break;
         default:
             break;
     }
@@ -369156,6 +369855,7 @@ function getStackByEntity(entity) {
         case 'FirestartrGithubMembership':
         case 'FirestartrGithubRepositoryFeature':
         case 'FirestartrGithubOrgWebhook':
+        case 'FirestartrGithubRepositorySecretsSection':
             return GithubStack;
         case 'FirestartrTerraformModule':
             return TerraformModuleStack;
@@ -369183,8 +369883,12 @@ function __calculateTFStatePath(entity) {
 async function runCDKTF(entityPath, action, depsPath, stream) {
+    const args = [action, '--log-level', 'DEBUG', '--auto-approve'];
+    if (process.env.IS_DEV_LOCAL_ENVIRONMENT) {
+        args.push('--app', 'node --loader ts-node/esm --experimental-specifier-resolution=node index.ts');
+    }
     return new Promise((ok, ko) => {
-        const cdktfProcess = (0,external_child_process_.spawn)('cdktf', [action, '--log-level', 'DEBUG', '--auto-approve'], {
+        const cdktfProcess = (0,external_child_process_.spawn)('cdktf', args, {
             stdio: ['inherit', 'pipe', 'pipe'],
             cwd: process.env.IS_DEV_LOCAL_ENVIRONMENT
                 ? '/library/packages/provisioner'
@@ -369907,6 +370611,30 @@ class github_orgWebhook_FirestartrGithubOrgWebhook extends Resource {
     }
 }
+;// CONCATENATED MODULE: ../provisioner/src/resources/github_repository_secrets_section/index.ts
+class github_repository_secrets_section_FirestartrGithubRepositorySecretsSection extends Resource {
+    static kind() {
+        return 'FirestartrGithubRepositorySecretsSection';
+    }
+    async preprocess() {
+        switch (this.get('operation')) {
+            case 'CREATE':
+                provisioner_src_logger.debug('Creating FirestartrGithubRepositorySecretsSection');
+                break;
+            case 'UPDATE':
+                provisioner_src_logger.debug('Updating FirestartrGithubRepositorySecretsSection');
+                break;
+            case 'DELETE':
+                provisioner_src_logger.debug('Deleting FirestartrGithubRepositorySecretsSection');
+                break;
+            default:
+                provisioner_src_logger.debug(`Unknown operation '${this.get('operation')}' for FirestartrGithubRepositorySecretsSection`);
+        }
+    }
+}
 ;// CONCATENATED MODULE: ../provisioner/src/resources/index.ts
@@ -369914,6 +370642,7 @@ class github_orgWebhook_FirestartrGithubOrgWebhook extends Resource {
 /* harmony default export */ const resources = ({
     FirestartrGithubRepositoryFeature: github_feature_FirestartrGithubRepositoryFeature,
     FirestartrGithubRepository: github_repository_FirestartrGithubRepository,
@@ -369921,6 +370650,7 @@ class github_orgWebhook_FirestartrGithubOrgWebhook extends Resource {
     FirestartrGithubGroup: github_group_FirestartrGithubGroup,
     FirestartrTerraformModule: FirestartrTerraformModule,
     FirestartrGithubOrgWebhook: github_orgWebhook_FirestartrGithubOrgWebhook,
+    FirestartrGithubRepositorySecretsSection: github_repository_secrets_section_FirestartrGithubRepositorySecretsSection,
 });
 ;// CONCATENATED MODULE: ../provisioner/init.ts
@@ -371814,13 +372544,6 @@ function isDestroyRetry(item) {
     return false;
 }
 async function* process_operation_sync(item, op, handler, syncPolicy, generalPolicy) {
-    yield {
-        item,
-        reason: op,
-        type: 'SYNCHRONIZED',
-        status: 'False',
-        message: 'Sync process started',
-    };
     if (!syncPolicy) {
         operator_src_logger.debug(`The Terraform processor is only observing item '${item.kind}/${item.metadata.name}' because no sync policy was found for operation '${op}'.`);
         yield* doPlanJSONFormat(item, op, handler);
@@ -373643,6 +374366,7 @@ function getProvisionImplementation(plural) {
         case 'githubrepositoryfeatures':
         case 'githubgroups':
         case 'githuborgwebhooks':
+        case 'githubrepositorysecretssections':
             implementation = processOperation;
             break;
     }