go-vela · ecrupper · Nov 6, 2025 · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026
@@ -253,6 +253,18 @@ func UpdateSettings(c *gin.Context) {
 		l.Infof("platform admin: updating max dashboard repos to: %d", input.GetMaxDashboardRepos())
 	}
 
+	if input.EnableOrgSecrets != nil {
+		_s.SetEnableOrgSecrets(input.GetEnableOrgSecrets())
+	}
+
+	if input.EnableRepoSecrets != nil {
+		_s.SetEnableRepoSecrets(input.GetEnableRepoSecrets())
+	}
+
+	if input.EnableSharedSecrets != nil {
+		_s.SetEnableSharedSecrets(input.GetEnableSharedSecrets())
+	}
+
 	_s.SetUpdatedBy(u.GetName())
 
 	// send API call to update the settings

@@ -12,17 +12,20 @@ import (
 //
 // swagger:model Platform
 type Platform struct {
-	ID                *int32 `json:"id"`
-	*Compiler         `json:"compiler,omitempty"            yaml:"compiler,omitempty"`
-	*Queue            `json:"queue,omitempty"               yaml:"queue,omitempty"`
-	*SCM              `json:"scm,omitempty"                 yaml:"scm,omitempty"`
-	RepoAllowlist     *[]string `json:"repo_allowlist,omitempty"      yaml:"repo_allowlist,omitempty"`
-	ScheduleAllowlist *[]string `json:"schedule_allowlist,omitempty"  yaml:"schedule_allowlist,omitempty"`
-	MaxDashboardRepos *int32    `json:"max_dashboard_repos,omitempty" yaml:"max_dashboard_repos,omitempty"`
-	QueueRestartLimit *int32    `json:"queue_restart_limit,omitempty" yaml:"queue_restart_limit,omitempty"`
-	CreatedAt         *int64    `json:"created_at,omitempty"          yaml:"created_at,omitempty"`
-	UpdatedAt         *int64    `json:"updated_at,omitempty"          yaml:"updated_at,omitempty"`
-	UpdatedBy         *string   `json:"updated_by,omitempty"          yaml:"updated_by,omitempty"`
+	ID                  *int32 `json:"id"`
+	*Compiler           `json:"compiler,omitempty"              yaml:"compiler,omitempty"`
+	*Queue              `json:"queue,omitempty"                 yaml:"queue,omitempty"`
+	*SCM                `json:"scm,omitempty"                   yaml:"scm,omitempty"`
+	RepoAllowlist       *[]string `json:"repo_allowlist,omitempty"        yaml:"repo_allowlist,omitempty"`
+	ScheduleAllowlist   *[]string `json:"schedule_allowlist,omitempty"    yaml:"schedule_allowlist,omitempty"`
+	MaxDashboardRepos   *int32    `json:"max_dashboard_repos,omitempty"   yaml:"max_dashboard_repos,omitempty"`
+	QueueRestartLimit   *int32    `json:"queue_restart_limit,omitempty"   yaml:"queue_restart_limit,omitempty"`
+	EnableRepoSecrets   *bool     `json:"enable_repo_secrets,omitempty"   yaml:"enable_repo_secrets,omitempty"`
+	EnableOrgSecrets    *bool     `json:"enable_org_secrets,omitempty"    yaml:"enable_org_secrets,omitempty"`
+	EnableSharedSecrets *bool     `json:"enable_shared_secrets,omitempty" yaml:"enable_shared_secrets,omitempty"`
+	CreatedAt           *int64    `json:"created_at,omitempty"            yaml:"created_at,omitempty"`
+	UpdatedAt           *int64    `json:"updated_at,omitempty"            yaml:"updated_at,omitempty"`
+	UpdatedBy           *string   `json:"updated_by,omitempty"            yaml:"updated_by,omitempty"`
 }
 
 // FromCLICommand returns a new Platform record from a cli command.
@@ -41,6 +44,15 @@ func FromCLICommand(c *cli.Command) *Platform {
 	// set queue restart limit
 	ps.SetQueueRestartLimit(c.Int32("queue-restart-limit"))
 
+	// set enable repo secrets
+	ps.SetEnableRepoSecrets(c.Bool("vela-enable-repo-secrets"))
+
+	// set enable org secrets
+	ps.SetEnableOrgSecrets(c.Bool("vela-enable-org-secrets"))
+
+	// set enable shared secrets
+	ps.SetEnableSharedSecrets(c.Bool("vela-enable-shared-secrets"))
+
 	return ps
 }
 
@@ -148,6 +160,45 @@ func (ps *Platform) GetQueueRestartLimit() int32 {
 	return *ps.QueueRestartLimit
 }
 
+// GetEnableRepoSecrets returns the EnableRepoSecrets field.
+//
+// When the provided Platform type is nil, or the field within
+// the type is nil, it returns the zero value for the field.
+func (ps *Platform) GetEnableRepoSecrets() bool {
+	// return zero value if Platform type or EnableRepoSecrets field is nil
+	if ps == nil || ps.EnableRepoSecrets == nil {
+		return false
+	}
+
+	return *ps.EnableRepoSecrets
+}
+
+// GetEnableOrgSecrets returns the EnableOrgSecrets field.
+//
+// When the provided Platform type is nil, or the field within
+// the type is nil, it returns the zero value for the field.
+func (ps *Platform) GetEnableOrgSecrets() bool {
+	// return zero value if Platform type or EnableOrgSecrets field is nil
+	if ps == nil || ps.EnableOrgSecrets == nil {
+		return false
+	}
+
+	return *ps.EnableOrgSecrets
+}
+
+// GetEnableSharedSecrets returns the EnableSharedSecrets field.
+//
+// When the provided Platform type is nil, or the field within
+// the type is nil, it returns the zero value for the field.
+func (ps *Platform) GetEnableSharedSecrets() bool {
+	// return zero value if Platform type or EnableSharedSecrets field is nil
+	if ps == nil || ps.EnableSharedSecrets == nil {
+		return false
+	}
+
+	return *ps.EnableSharedSecrets
+}
+
 // GetCreatedAt returns the CreatedAt field.
 //
 // When the provided Platform type is nil, or the field within
@@ -291,6 +342,45 @@ func (ps *Platform) SetQueueRestartLimit(v int32) {
 	ps.QueueRestartLimit = &v
 }
 
+// SetEnableRepoSecrets sets the EnableRepoSecrets field.
+//
+// When the provided Platform type is nil, it
+// will set nothing and immediately return.
+func (ps *Platform) SetEnableRepoSecrets(v bool) {
+	// return if Platform type is nil
+	if ps == nil {
+		return
+	}
+
+	ps.EnableRepoSecrets = &v
+}
+
+// SetEnableOrgSecrets sets the EnableOrgSecrets field.
+//
+// When the provided Platform type is nil, it
+// will set nothing and immediately return.
+func (ps *Platform) SetEnableOrgSecrets(v bool) {
+	// return if Platform type is nil
+	if ps == nil {
+		return
+	}
+
+	ps.EnableOrgSecrets = &v
+}
+
+// SetEnableSharedSecrets sets the EnableSharedSecrets field.
+//
+// When the provided Platform type is nil, it
+// will set nothing and immediately return.
+func (ps *Platform) SetEnableSharedSecrets(v bool) {
+	// return if Platform type is nil
+	if ps == nil {
+		return
+	}
+
+	ps.EnableSharedSecrets = &v
+}
+
 // SetCreatedAt sets the CreatedAt field.
 //
 // When the provided Platform type is nil, it
@@ -348,6 +438,9 @@ func (ps *Platform) FromSettings(_ps *Platform) {
 	ps.SetScheduleAllowlist(_ps.GetScheduleAllowlist())
 	ps.SetMaxDashboardRepos(_ps.GetMaxDashboardRepos())
 	ps.SetQueueRestartLimit(_ps.GetQueueRestartLimit())
+	ps.SetEnableRepoSecrets(_ps.GetEnableRepoSecrets())
+	ps.SetEnableOrgSecrets(_ps.GetEnableOrgSecrets())
+	ps.SetEnableSharedSecrets(_ps.GetEnableSharedSecrets())
 
 	ps.SetCreatedAt(_ps.GetCreatedAt())
 	ps.SetUpdatedAt(_ps.GetUpdatedAt())
@@ -369,6 +462,9 @@ func (ps *Platform) String() string {
   ScheduleAllowlist: %v,
   MaxDashboardRepos: %d,
   QueueRestartLimit: %d,
+  EnableRepoSecrets: %t,
+  EnableOrgSecrets: %t,
+  EnableSharedSecrets: %t,
   CreatedAt: %d,
   UpdatedAt: %d,
   UpdatedBy: %s,
@@ -381,6 +477,9 @@ func (ps *Platform) String() string {
 		ps.GetScheduleAllowlist(),
 		ps.GetMaxDashboardRepos(),
 		ps.GetQueueRestartLimit(),
+		ps.GetEnableRepoSecrets(),
+		ps.GetEnableOrgSecrets(),
+		ps.GetEnableSharedSecrets(),
 		ps.GetCreatedAt(),
 		ps.GetUpdatedAt(),
 		ps.GetUpdatedBy(),
@@ -399,6 +498,9 @@ func PlatformMockEmpty() Platform {
 	ps.SetScheduleAllowlist([]string{})
 	ps.SetMaxDashboardRepos(0)
 	ps.SetQueueRestartLimit(0)
+	ps.SetEnableRepoSecrets(false)
+	ps.SetEnableOrgSecrets(false)
+	ps.SetEnableSharedSecrets(false)
 
 	return ps
 }
@@ -55,6 +55,18 @@ func TestTypes_Platform_Getters(t *testing.T) {
 		if test.platform.GetQueueRestartLimit() != test.want.GetQueueRestartLimit() {
 			t.Errorf("GetQueueRestartLimit is %v, want %v", test.platform.GetQueueRestartLimit(), test.want.GetQueueRestartLimit())
 		}
+
+		if test.platform.GetEnableRepoSecrets() != test.want.GetEnableRepoSecrets() {
+			t.Errorf("GetEnableRepoSecrets is %v, want %v", test.platform.GetEnableRepoSecrets(), test.want.GetEnableRepoSecrets())
+		}
+
+		if test.platform.GetEnableOrgSecrets() != test.want.GetEnableOrgSecrets() {
+			t.Errorf("GetEnableOrgSecrets is %v, want %v", test.platform.GetEnableOrgSecrets(), test.want.GetEnableOrgSecrets())
+		}
+
+		if test.platform.GetEnableSharedSecrets() != test.want.GetEnableSharedSecrets() {
+			t.Errorf("GetEnableSharedSecrets is %v, want %v", test.platform.GetEnableSharedSecrets(), test.want.GetEnableSharedSecrets())
+		}
 	}
 }
 
@@ -120,6 +132,24 @@ func TestTypes_Platform_Setters(t *testing.T) {
 		if test.platform.GetQueueRestartLimit() != test.want.GetQueueRestartLimit() {
 			t.Errorf("SetQueueRestartLimit is %v, want %v", test.platform.GetQueueRestartLimit(), test.want.GetQueueRestartLimit())
 		}
+
+		test.platform.SetEnableRepoSecrets(test.want.GetEnableRepoSecrets())
+
+		if test.platform.GetEnableRepoSecrets() != test.want.GetEnableRepoSecrets() {
+			t.Errorf("SetEnableRepoSecrets is %v, want %v", test.platform.GetEnableRepoSecrets(), test.want.GetEnableRepoSecrets())
+		}
+
+		test.platform.SetEnableOrgSecrets(test.want.GetEnableOrgSecrets())
+
+		if test.platform.GetEnableOrgSecrets() != test.want.GetEnableOrgSecrets() {
+			t.Errorf("SetEnableOrgSecrets is %v, want %v", test.platform.GetEnableOrgSecrets(), test.want.GetEnableOrgSecrets())
+		}
+
+		test.platform.SetEnableSharedSecrets(test.want.GetEnableSharedSecrets())
+
+		if test.platform.GetEnableSharedSecrets() != test.want.GetEnableSharedSecrets() {
+			t.Errorf("SetEnableSharedSecrets is %v, want %v", test.platform.GetEnableSharedSecrets(), test.want.GetEnableSharedSecrets())
+		}
 	}
 }
 
@@ -136,6 +166,9 @@ func TestTypes_Platform_Update(t *testing.T) {
 	sUpdate.SetScheduleAllowlist([]string{"bar"})
 	sUpdate.SetMaxDashboardRepos(20)
 	sUpdate.SetQueueRestartLimit(60)
+	sUpdate.SetEnableRepoSecrets(true)
+	sUpdate.SetEnableOrgSecrets(true)
+	sUpdate.SetEnableSharedSecrets(true)
 
 	// setup tests
 	tests := []struct {
@@ -178,6 +211,9 @@ func TestTypes_Platform_String(t *testing.T) {
   ScheduleAllowlist: %v,
   MaxDashboardRepos: %d,
   QueueRestartLimit: %d,
+  EnableRepoSecrets: %t,
+  EnableOrgSecrets: %t,
+  EnableSharedSecrets: %t,
   CreatedAt: %d,
   UpdatedAt: %d,
   UpdatedBy: %s,
@@ -190,6 +226,9 @@ func TestTypes_Platform_String(t *testing.T) {
 		s.GetScheduleAllowlist(),
 		s.GetMaxDashboardRepos(),
 		s.GetQueueRestartLimit(),
+		s.GetEnableRepoSecrets(),
+		s.GetEnableOrgSecrets(),
+		s.GetEnableSharedSecrets(),
 		s.GetCreatedAt(),
 		s.GetUpdatedAt(),
 		s.GetUpdatedBy(),
@@ -216,6 +255,9 @@ func testPlatformSettings() *Platform {
 	s.SetScheduleAllowlist([]string{"*"})
 	s.SetMaxDashboardRepos(10)
 	s.SetQueueRestartLimit(30)
+	s.SetEnableRepoSecrets(false)
+	s.SetEnableOrgSecrets(false)
+	s.SetEnableSharedSecrets(false)
 
 	// setup types
 	// setup compiler

@@ -133,6 +133,24 @@ var Flags = []cli.Flag{
 		Sources: cli.EnvVars("VELA_ENABLE_SECURE_COOKIE"),
 		Value:   true,
 	},
+	&cli.BoolFlag{
+		Name:    "vela-enable-repo-secrets",
+		Usage:   "determines whether or not repo level secrets are enabled",
+		Sources: cli.EnvVars("VELA_ENABLE_REPO_SECRETS"),
+		Value:   true,
+	},
+	&cli.BoolFlag{
+		Name:    "vela-enable-org-secrets",
+		Usage:   "determines whether or not org level secrets are enabled",
+		Sources: cli.EnvVars("VELA_ENABLE_ORG_SECRETS"),
+		Value:   true,
+	},
+	&cli.BoolFlag{
+		Name:    "vela-enable-shared-secrets",
+		Usage:   "determines whether or not shared secrets are enabled",
+		Sources: cli.EnvVars("VELA_ENABLE_SHARED_SECRETS"),
+		Value:   true,
+	},
 	&cli.Int32Flag{
 		Name:    "default-build-limit",
 		Usage:   "override default build limit",

@@ -25,6 +25,9 @@ func TestSettings_Engine_CreateSettings(t *testing.T) {
 	_settings.SetScheduleAllowlist([]string{"*"})
 	_settings.SetMaxDashboardRepos(10)
 	_settings.SetQueueRestartLimit(30)
+	_settings.SetEnableRepoSecrets(true)
+	_settings.SetEnableOrgSecrets(true)
+	_settings.SetEnableSharedSecrets(true)
 	_settings.SetCreatedAt(1)
 	_settings.SetUpdatedAt(1)
 	_settings.SetUpdatedBy("")
@@ -37,9 +40,9 @@ func TestSettings_Engine_CreateSettings(t *testing.T) {
 	_rows := sqlmock.NewRows([]string{"id"}).AddRow(1)
 
 	// ensure the mock expects the query
-	_mock.ExpectQuery(`INSERT INTO "settings" ("compiler","queue","scm","repo_allowlist","schedule_allowlist","max_dashboard_repos","queue_restart_limit","created_at","updated_at","updated_by","id") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11) RETURNING "id"`).
+	_mock.ExpectQuery(`INSERT INTO "settings" ("compiler","queue","scm","repo_allowlist","schedule_allowlist","max_dashboard_repos","queue_restart_limit","enable_repo_secrets","enable_org_secrets","enable_shared_secrets","created_at","updated_at","updated_by","id") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14) RETURNING "id"`).
 		WithArgs(`{"clone_image":{"String":"target/vela-git-slim:latest","Valid":true},"template_depth":{"Int64":10,"Valid":true},"starlark_exec_limit":{"Int64":100,"Valid":true}}`,
-			`{"routes":["vela"]}`, `{"repo_role_map":{"admin":"admin","triage":"read"},"org_role_map":{"admin":"admin","member":"read"},"team_role_map":{"admin":"admin"}}`, `{"octocat/hello-world"}`, `{"*"}`, 10, 30, 1, 1, ``, 1).
+			`{"routes":["vela"]}`, `{"repo_role_map":{"admin":"admin","triage":"read"},"org_role_map":{"admin":"admin","member":"read"},"team_role_map":{"admin":"admin"}}`, `{"octocat/hello-world"}`, `{"*"}`, 10, 30, true, true, true, 1, 1, ``, 1).
 		WillReturnRows(_rows)
 
 	_sqlite := testSqlite(t)

@@ -14,17 +14,20 @@ const (
 CREATE TABLE
 IF NOT EXISTS
 settings (
-	id                  SERIAL PRIMARY KEY,
-	compiler            JSON DEFAULT NULL,
-	queue               JSON DEFAULT NULL,
-	scm 			    JSON DEFAULT NULL,
-	repo_allowlist      VARCHAR(1000),
-	schedule_allowlist  VARCHAR(1000),
-	max_dashboard_repos INTEGER,
-	queue_restart_limit INTEGER,
-	created_at          BIGINT,
-	updated_at          BIGINT,
-	updated_by          VARCHAR(250)
+	id                    SERIAL PRIMARY KEY,
+	compiler              JSON DEFAULT NULL,
+	queue                 JSON DEFAULT NULL,
+	scm 			      JSON DEFAULT NULL,
+	repo_allowlist        VARCHAR(1000),
+	schedule_allowlist    VARCHAR(1000),
+	max_dashboard_repos   INTEGER,
+	queue_restart_limit   INTEGER,
+	enable_repo_secrets   BOOLEAN,
+	enable_org_secrets    BOOLEAN,
+	enable_shared_secrets BOOLEAN,
+	created_at            BIGINT,
+	updated_at            BIGINT,
+	updated_by            VARCHAR(250)
 );
 `
 
@@ -41,6 +44,9 @@ settings (
 	schedule_allowlist      VARCHAR(1000),
 	max_dashboard_repos     INTEGER,
 	queue_restart_limit     INTEGER,
+	enable_repo_secrets     BOOLEAN,
+	enable_org_secrets      BOOLEAN,
+	enable_shared_secrets   BOOLEAN,
 	created_at              INTEGER,
 	updated_at              INTEGER,
 	updated_by              TEXT

@@ -27,6 +27,9 @@ func TestSettings_Engine_UpdateSettings(t *testing.T) {
 	_settings.SetScheduleAllowlist([]string{"*"})
 	_settings.SetMaxDashboardRepos(10)
 	_settings.SetQueueRestartLimit(30)
+	_settings.SetEnableRepoSecrets(true)
+	_settings.SetEnableOrgSecrets(true)
+	_settings.SetEnableSharedSecrets(true)
 	_settings.SetCreatedAt(1)
 	_settings.SetUpdatedAt(1)
 	_settings.SetUpdatedBy("octocat")
@@ -36,9 +39,9 @@ func TestSettings_Engine_UpdateSettings(t *testing.T) {
 	defer func() { _sql, _ := _postgres.client.DB(); _sql.Close() }()
 
 	// ensure the mock expects the query
-	_mock.ExpectExec(`UPDATE "settings" SET "compiler"=$1,"queue"=$2,"scm"=$3,"repo_allowlist"=$4,"schedule_allowlist"=$5,"max_dashboard_repos"=$6,"queue_restart_limit"=$7,"created_at"=$8,"updated_at"=$9,"updated_by"=$10 WHERE "id" = $11`).
+	_mock.ExpectExec(`UPDATE "settings" SET "compiler"=$1,"queue"=$2,"scm"=$3,"repo_allowlist"=$4,"schedule_allowlist"=$5,"max_dashboard_repos"=$6,"queue_restart_limit"=$7,"enable_repo_secrets"=$8,"enable_org_secrets"=$9,"enable_shared_secrets"=$10,"created_at"=$11,"updated_at"=$12,"updated_by"=$13 WHERE "id" = $14`).
 		WithArgs(`{"clone_image":{"String":"target/vela-git-slim:latest","Valid":true},"template_depth":{"Int64":10,"Valid":true},"starlark_exec_limit":{"Int64":100,"Valid":true}}`,
-			`{"routes":["vela","large"]}`, `{"repo_role_map":{"admin":"admin","triage":"read"},"org_role_map":{"admin":"admin","member":"read"},"team_role_map":{"admin":"admin"}}`, `{"octocat/hello-world"}`, `{"*"}`, 10, 30, 1, testutils.AnyArgument{}, "octocat", 1).
+			`{"routes":["vela","large"]}`, `{"repo_role_map":{"admin":"admin","triage":"read"},"org_role_map":{"admin":"admin","member":"read"},"team_role_map":{"admin":"admin"}}`, `{"octocat/hello-world"}`, `{"*"}`, 10, 30, true, true, true, 1, testutils.AnyArgument{}, "octocat", 1).
 		WillReturnResult(sqlmock.NewResult(1, 1))
 
 	_sqlite := testSqlite(t)