ci: install client deps with --no-frozen-lockfile explicitly

pnpm ignores the npm_config_frozen_lockfile env var, so the previous fix did not take effect and CI still ran a frozen install. Add an explicit 'pnpm install --no-frozen-lockfile' step before 'make build-all' to reconcile the lockfile (missing pnpmfileChecksum for configDependencies); the subsequent frozen install in 'make client-deps' then succeeds.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.github/DISCUSSION_TEMPLATE/ideas.yaml

@@ -3,13 +3,13 @@ body:
     attributes:
       value: |
         # Welcome!
-        
+
         Thanks for suggesting an idea for Portainer!
 
         Before opening a new idea or feature request, make sure that we do not have any duplicates already open. You can ensure this by [searching this discussion category](https://github.com/orgs/portainer/discussions/categories/ideas). If there is a duplicate, please add a comment to the existing idea instead.
 
         Also, be sure to check our [knowledge base](https://portal.portainer.io/knowledge) and [documentation](https://docs.portainer.io) as they may point you toward a solution.
-        
+
         **DO NOT FILE DUPLICATE REQUESTS.**
 
   - type: textarea

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -94,9 +94,11 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.42.0'
         - '2.41.1'
         - '2.41.0'
         - '2.40.0'
+        - '2.39.3'
         - '2.39.2'
         - '2.39.1'
         - '2.39.0'

.github/workflows/build-image.yml

@@ -0,0 +1,86 @@
+name: Build image
+
+on:
+  push:
+    branches: [develop]
+    tags: ['v*']
+  workflow_dispatch: {}
+
+env:
+  IMAGE: ghcr.io/vvzvlad/portainer-ce
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Resolve version
+        id: ver
+        run: echo "version=$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"
+
+      - name: Install client dependencies
+        # CI forces pnpm into --frozen-lockfile, which fails with
+        # ERR_PNPM_LOCKFILE_CONFIG_MISMATCH because the committed lockfile lacks
+        # the pnpmfileChecksum for the configDependencies in package.json.
+        # Reconcile the lockfile explicitly; the later frozen install in
+        # `make client-deps` then finds a matching lockfile. pnpm ignores the
+        # npm_config_frozen_lockfile env var, so an explicit flag is required.
+        run: pnpm install --no-frozen-lockfile
+
+      - name: Build client and server
+        env:
+          SKIP_GO_GET: "true"
+          CONTAINER_IMAGE_TAG: ${{ steps.ver.outputs.version }}
+          BUILDNUMBER: ${{ github.run_number }}
+          # Pin the embedded commit to the full SHA so it matches the image
+          # GIT_COMMIT build-arg and does not depend on the shallow checkout.
+          GIT_COMMIT_HASH: ${{ github.sha }}
+        # ENV=production selects webpack/webpack.production.js (minified bundle),
+        # matching the official CE image; the Makefile default is development.
+        run: make build-all ENV=production
+
+      - name: Ensure storybook directory exists
+        # make build-all does not produce dist/storybook, but alpine.Dockerfile
+        # has `COPY dist/storybook* /storybook/`; without a match the docker build fails.
+        run: mkdir -p dist/storybook
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push image (linux/amd64, alpine base)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: build/linux/alpine.Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ${{ env.IMAGE }}:${{ steps.ver.outputs.version }}
+            ${{ env.IMAGE }}:latest
+          build-args: |
+            GIT_COMMIT=${{ github.sha }}

.gitignore

@@ -4,6 +4,7 @@ dist
 portainer-checksum.txt
 api/cmd/portainer/portainer*
 storybook-static
+debug-storybook.log
 .tmp
 **/.vscode/settings.json
 **/.vscode/tasks.json

.golangci-forward.yaml

@@ -1,4 +1,4 @@
-version: "2"
+version: '2'
 linters:
   default: none
   enable:

.golangci.yaml

@@ -1,10 +1,11 @@
-version: "2"
+version: '2'
 
 run:
   allow-parallel-runners: true
 linters:
   default: none
   enable:
+    - gocritic
     - bodyclose
     - copyloopvar
     - depguard
@@ -31,7 +32,7 @@ linters:
     - exptostd
   settings:
     staticcheck:
-      checks: ["all", "-ST1003", "-ST1005", "-ST1016", "-SA1019", "-QF1003"]
+      checks: ['all', '-ST1003', '-ST1005', '-ST1016', '-SA1019', '-QF1003']
     depguard:
       rules:
         main:
@@ -76,6 +77,13 @@ linters:
               desc: use github.com/Masterminds/semver/v3
             - pkg: github.com/hashicorp/go-version
               desc: use github.com/Masterminds/semver/v3
+    gocritic:
+      disable-all: true
+      enabled-checks:
+        - ruleguard
+      settings:
+        ruleguard:
+          rules: './analysis/ssrf.go,./analysis/git.go'
     forbidigo:
       forbid:
         - pattern: ^tls\.Config$
@@ -83,9 +91,11 @@ linters:
         - pattern: ^tls\.Config\.(InsecureSkipVerify|MinVersion|MaxVersion|CipherSuites|CurvePreferences)$
           msg: Do not set this field directly, use crypto.CreateTLSConfiguration() instead
         - pattern: ^object\.(Commit|Tag)\.Verify$
-          msg: "Not allowed because of FIPS mode"
+          msg: 'Not allowed because of FIPS mode'
         - pattern: ^(types\.SystemContext\.)?(DockerDaemonInsecureSkipTLSVerify|DockerInsecureSkipTLSVerify|OCIInsecureSkipTLSVerify)$
-          msg: "Not allowed because of FIPS mode"
+          msg: 'Not allowed because of FIPS mode'
+        - pattern: ^git\.PlainClone(Context|WithOptions)?$
+          msg: Use git.CloneContext with NewNoSymlinkFS to prevent symlink traversal attacks
       analyze-types: true
   exclusions:
     generated: lax
@@ -93,6 +103,14 @@ linters:
       - comments
       - common-false-positives
       - legacy
+    rules:
+      - path: pkg/libhttp/ssrf
+        linters:
+          - gocritic
+        text: ruleguard
+      - path: pkg/libhttp/ssrf/builder\.go
+        linters:
+          - forbidigo
     paths:
       - third_party$
       - builtin$

.prettierignore

@@ -1,3 +1,5 @@
 dist
 api/datastore/test_data
-coverage
+coverage
+
+pnpm-lock.yaml

CODE_OF_CONDUCT.md

@@ -8,19 +8,19 @@ In the interest of fostering an open and welcoming environment, we as contributo
 
 Examples of behavior that contributes to creating a positive environment include:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a professional setting
+- The use of sexualized language or imagery and unwelcome sexual attention or advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic address, without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
 
 ## Our Responsibilities
 
@@ -34,7 +34,7 @@ This Code of Conduct applies both within project spaces and in public spaces whe
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at anthony.lapenna@portainer.io. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contribute@portainer.io. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
 
 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
 

CONTRIBUTING.md

@@ -147,7 +147,9 @@ When adding a new route to an existing handler use the following as a template (
 // @router /{id} [get]
 ```
 
-explanation about each line can be found (here)[https://github.com/swaggo/swag#api-operation]
+explanation about each line can be found [here](https://github.com/swaggo/swag#api-operation)
+
+After changing these annotations, regenerate the TypeScript API client and types — see [Generating API types](./README.md#generating-api-types).
 
 ## Licensing
 

Makefile

@@ -6,6 +6,7 @@ TAG=local
 SWAG=go run github.com/swaggo/swag/cmd/swag@v1.16.6
 GOTESTSUM_VERSION?=v1.13.0
 GOTESTSUM=go run gotest.tools/gotestsum@$(GOTESTSUM_VERSION)
+GOLANGCI_LINT_VERSION := $(shell cat $(shell git rev-parse --show-toplevel)/.golangci-version)
 
 # Don't change anything below this line unless you know what you're doing
 .DEFAULT_GOAL := help
@@ -90,13 +91,25 @@ format-server: ## Format server code
 	go fmt ./...
 
 ##@ Lint
-.PHONY: lint lint-client lint-server
+.PHONY: lint lint-client lint-server check-lint-version
 lint: lint-client lint-server ## Lint all code
 
 lint-client: ## Lint client code
 	pnpm run lint
 
-lint-server: tidy ## Lint server code
+check-lint-version:
+	@installed=v$$(golangci-lint --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1); \
+	if [ "$$installed" = "v" ]; then \
+		echo "ERROR: golangci-lint not found, need $(GOLANGCI_LINT_VERSION)"; \
+		echo "Install: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)"; \
+		exit 1; \
+	elif [ "$$installed" != "$(GOLANGCI_LINT_VERSION)" ]; then \
+		echo "ERROR: golangci-lint $$installed installed, need $(GOLANGCI_LINT_VERSION)"; \
+		echo "Install: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)"; \
+		exit 1; \
+	fi
+
+lint-server: tidy check-lint-version ## Lint server code
 	golangci-lint run --timeout=10m -c .golangci.yaml
 	golangci-lint run --timeout=10m --new-from-rev=HEAD~ -c .golangci-forward.yaml
 
@@ -109,7 +122,7 @@ dev-extension: build-server build-client ## Run the extension in development mod
 .PHONY: docs-build docs-validate docs-clean docs-validate-clean
 docs-build: init-dist ## Build docs
 	go mod download
-	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./
+	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./ --overridesFile .swaggo
 
 docs-validate: docs-build ## Validate docs
 	pnpm swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
@@ -121,6 +134,10 @@ docs-serve: docs-build ## Serve docs locally with Swagger UI on port 8080
 		-e SWAGGER_JSON=/foo/swagger.yaml \
 		-v $(PWD)/dist/docs:/foo \
 		swaggerapi/swagger-ui
+		
+.PHONY: generate-api
+generate-api: docs-validate ## Generate API client and types from OpenAPI spec
+	pnpm generate-api
 
 ##@ Helpers
 .PHONY: help

README.md

@@ -44,6 +44,32 @@ You can join the Portainer Community by visiting [https://www.portainer.io/join-
 - Want to report a bug or request a feature? Please open [an issue](https://github.com/portainer/portainer/issues/new).
 - Want to help us build **_portainer_**? Follow our [contribution guidelines](https://docs.portainer.io/contribute/contribute) to build it locally and make a pull request.
 
+## Generating API types
+
+The frontend consumes a TypeScript API client (SDK functions and request/response types) that is generated from the Go API's Swagger annotations. Regenerate it after any API change — a new endpoint, a changed request/response shape, or a removed endpoint:
+
+```bash
+make generate-api
+```
+
+This runs the following pipeline:
+
+```
+Go Swagger annotations
+  → dist/docs/swagger.yaml       (make docs-build, via swaggo/swag)
+  → dist/docs/openapi.yaml       (swagger2openapi + validation)
+  → app/react/portainer/generated-api/portainer/   (hey-api/openapi-ts)
+```
+
+The generator is configured in [`openapi-ts.config.ts`](./openapi-ts.config.ts), which controls the output path, plugins, and tag filters (for example, `deprecated` endpoints and `edge_agent`-tagged routes are excluded).
+
+The generated files live in `app/react/portainer/generated-api/portainer/` and must **not** be edited by hand — your changes would be overwritten on the next run. Import the generated SDK functions and types instead of writing direct HTTP calls:
+
+- `@api/sdk.gen` — SDK functions
+- `@api/types.gen` — request/response types
+
+See [Adding api docs](./CONTRIBUTING.md#adding-api-docs) for how to annotate handlers so they are picked up by the generator.
+
 ## Security
 
 For information about reporting security vulnerabilities, please see our [Security Policy](SECURITY.md).

analysis/git.go

@@ -0,0 +1,18 @@
+//go:build ignore
+
+package gorules
+
+import "github.com/quasilyte/go-ruleguard/dsl"
+
+// inMemoryCloneWithWorktree flags git clone calls that use memory.NewStorage() as
+// the storer while also writing files to a real worktree. This holds all git objects
+// in heap for the duration of the clone, which is unbounded for user-supplied repos.
+func inMemoryCloneWithWorktree(m dsl.Matcher) {
+	m.Match(`git.CloneContext($_, memory.NewStorage(), $wt, $_)`).
+		Where(m["wt"].Text != "nil").
+		Report(`git.CloneContext with memory.NewStorage() holds all git objects in heap; use gogitfs.NewStorage with a filesystem storer instead`)
+
+	m.Match(`git.Clone(memory.NewStorage(), $wt, $_)`).
+		Where(m["wt"].Text != "nil").
+		Report(`git.Clone with memory.NewStorage() holds all git objects in heap; use gogitfs.NewStorage with a filesystem storer instead`)
+}

analysis/ssrf.go

@@ -0,0 +1,75 @@
+//go:build ignore
+
+package gorules
+
+import "github.com/quasilyte/go-ruleguard/dsl"
+
+// unwrappedHTTPTransport flags any bare http.Transport composite literal.
+// All transports must be created via ssrf.NewTransport or ssrf.NewInternalTransport,
+// which clone http.DefaultTransport and handle SSRF protection internally.
+func unwrappedHTTPTransport(m dsl.Matcher) {
+	m.Match(`$f(&http.Transport{$*_})`).
+		Report(`$f receives a bare *http.Transport; use ssrf.NewTransport(tlsConfig) or ssrf.NewInternalTransport(tlsConfig) instead`)
+
+	m.Match(`$_ := &http.Transport{$*_}`).
+		Report(`bare *http.Transport variable; use ssrf.NewTransport(tlsConfig) or ssrf.NewInternalTransport(tlsConfig) instead`)
+
+	m.Match(`$_.Transport = &http.Transport{$*_}`).
+		Report(`bare *http.Transport field assignment; use ssrf.NewTransport(tlsConfig) or ssrf.NewInternalTransport(tlsConfig) instead`)
+}
+
+// helmGetterTransport flags getter.WithTransport calls that receive a bare *http.Transport.
+// Helm v4 installs its own transport and bypasses http.DefaultTransport, so the transport
+// passed here must be created via ssrf.NewTransport.
+func helmGetterTransport(m dsl.Matcher) {
+	m.Match(`getter.WithTransport(&http.Transport{$*_})`).
+		Report(`getter.WithTransport called with a bare *http.Transport; use ssrf.NewTransport(tlsConfig) as Helm v4 bypasses http.DefaultTransport`)
+}
+
+// cloneDefaultTransport flags direct clones of *http.Transport outside main.go.
+// The one legitimate clone is in main.go where http.DefaultTransport is globally
+// wrapped with SSRF protection at server startup.
+func cloneDefaultTransport(m dsl.Matcher) {
+	m.Match(`$_.(*http.Transport).Clone()`).
+		Where(!m.File().Name.Matches(`^main\.go$`)).
+		Report(`cloning *http.Transport directly is forbidden; use ssrf.NewTransport(tlsConfig) or ssrf.NewInternalTransport(tlsConfig) instead`)
+}
+
+// internalTransportMisuse flags calls to NewInternalTransport outside the proxy
+// factory files where Chisel-tunnel and in-cluster K8s destinations are valid exemptions.
+func internalTransportMisuse(m dsl.Matcher) {
+	m.Match(`ssrf.NewInternalTransport($*_)`).
+		Where(
+			!(m.File().PkgPath.Matches(`proxy/factory`) &&
+				m.File().Name.Matches(`^(docker|agent|local_transport|edge_transport|docker_unix|docker_windows)\.go$`))).
+		Report(`NewInternalTransport bypasses SSRF validation; only valid in the proxy factory files for local sockets and internally-routed endpoints`)
+}
+
+// dialerOverride flags direct assignments to any of the dialer fields on a transport.
+// The only valid assignments are in docker_unix.go and docker_windows.go where a
+// custom dialer is required for unix sockets and named pipes.
+func dialerOverride(m dsl.Matcher) {
+	m.Match(`$_.DialContext = $*_`).
+		Where(
+			!(m.File().PkgPath.Matches(`proxy/factory`) &&
+				m.File().Name.Matches(`^(docker_unix|docker_windows)\.go$`))).
+		Report(`direct DialContext assignment replaces the transport dialer; use ssrf.NewTransport or ssrf.NewInternalTransport instead`)
+
+	m.Match(`$_.Dial = $*_`).
+		Where(
+			!(m.File().PkgPath.Matches(`proxy/factory`) &&
+				m.File().Name.Matches(`^(docker_unix|docker_windows)\.go$`))).
+		Report(`direct Dial assignment replaces the transport dialer; use ssrf.NewTransport or ssrf.NewInternalTransport instead`)
+
+	m.Match(`$_.DialTLSContext = $*_`).
+		Where(
+			!(m.File().PkgPath.Matches(`proxy/factory`) &&
+				m.File().Name.Matches(`^(docker_unix|docker_windows)\.go$`))).
+		Report(`direct DialTLSContext assignment replaces the transport dialer; use ssrf.NewTransport or ssrf.NewInternalTransport instead`)
+
+	m.Match(`$_.DialTLS = $*_`).
+		Where(
+			!(m.File().PkgPath.Matches(`proxy/factory`) &&
+				m.File().Name.Matches(`^(docker_unix|docker_windows)\.go$`))).
+		Report(`direct DialTLS assignment replaces the transport dialer; use ssrf.NewTransport or ssrf.NewInternalTransport instead`)
+}

analysis/tools.go

@@ -0,0 +1,5 @@
+//go:build tools
+
+package gorules
+
+import _ "github.com/quasilyte/go-ruleguard/dsl"

api/.swaggo

@@ -0,0 +1 @@
+replace k8s.io/apimachinery/pkg/apis/meta/v1.Duration string

api/agent/version.go

@@ -1,6 +1,7 @@
 package agent
 
 import (
+	"context"
 	"crypto/tls"
 	"errors"
 	"fmt"
@@ -11,6 +12,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/url"
+	"github.com/portainer/portainer/pkg/libhttp/ssrf"
 
 	"github.com/rs/zerolog/log"
 )
@@ -19,10 +21,14 @@ import (
 //
 // it sends a ping to the agent and parses the version and platform from the headers
 func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (portainer.AgentPlatform, string, error) { //nolint:forbidigo
+	if err := ssrf.CheckURL(context.Background(), endpointUrl); err != nil {
+		return 0, "", err
+	}
+
 	httpCli := &http.Client{Timeout: 3 * time.Second}
 
 	if tlsConfig != nil {
-		httpCli.Transport = &http.Transport{TLSClientConfig: tlsConfig}
+		httpCli.Transport = ssrf.NewTransport(tlsConfig)
 	}
 
 	parsedURL, err := url.ParseURL(endpointUrl + "/ping")

api/api.md

@@ -53,7 +53,7 @@ To do so, use the `/endpoints/{id}/docker` endpoint. Note that this endpoint is
 # Private Registry
 
 When using a private registry, include a Base64-encoded JSON string in the request header. The header parameter name is `X-Registry-Auth` and the value should encode the following structure: ‘{"registryId":\<registryId\>}’ where `<registryId>` is the ID of the registry where the repository was created.
- 
+
 Example encoded value:
 
 ```

api/chisel/service.go

@@ -306,6 +306,10 @@ func (service *Service) snapshotAndLog(endpointID portainer.EndpointID, tunnelPo
 			Err(err).
 			Msg("unable to snapshot Edge environment")
 
+		if service.dataStore.IsErrObjectNotFound(err) {
+			service.close(endpointID)
+		}
+
 		return false
 	}
 

api/chisel/service_test.go

@@ -187,6 +187,24 @@ func TestCheckTunnelsKeepsHasSnapshotFalseOnSnapshotFailure(t *testing.T) {
 	require.False(t, s.activeTunnels[endpoint.ID].HasSnapshot, "HasSnapshot must stay false after failure")
 }
 
+func TestCheckTunnelsClosesStaleEntryForDeletedEndpoint(t *testing.T) {
+	t.Parallel()
+
+	_, store := datastore.MustNewTestStore(t, false, true)
+
+	// Endpoint is not created in the store, simulates deletion while tunnel stays open.
+	s := NewService(store, nil, nil)
+	s.activeTunnels[1] = &portainer.TunnelDetails{
+		Status:       portainer.EdgeAgentManagementRequired,
+		Port:         50010,
+		LastActivity: time.Now(),
+	}
+
+	s.checkTunnels()
+
+	require.Nil(t, s.activeTunnels[1], "stale tunnel for deleted endpoint must be removed immediately")
+}
+
 func TestCheckTunnelsClosesIdleTunnelAndSnapshots(t *testing.T) {
 	t.Parallel()
 

api/chisel/tunnel.go

@@ -82,17 +82,24 @@ func (s *Service) Open(endpoint *portainer.Endpoint) error {
 	return nil
 }
 
-// close removes the tunnel from the map so the agent will close it
+// close removes the tunnel from the map so the agent will close it.
+// The lock is released before cleaning up the chisel user and proxy to avoid
+// blocking Config/Open callers while DeleteUser interacts with chisel internals.
 func (s *Service) close(endpointID portainer.EndpointID) {
 	s.mu.Lock()
-	defer s.mu.Unlock()
 
 	tun, ok := s.activeTunnels[endpointID]
 	if !ok {
+		s.mu.Unlock()
 		return
 	}
 
-	if len(tun.Credentials) > 0 && s.chiselServer != nil {
+	delete(s.activeTunnels, endpointID)
+	cache.Del(endpointID)
+
+	s.mu.Unlock()
+
+	if s.chiselServer != nil {
 		user, _, _ := strings.Cut(tun.Credentials, ":")
 		s.chiselServer.DeleteUser(user)
 	}
@@ -100,10 +107,6 @@ func (s *Service) close(endpointID portainer.EndpointID) {
 	if s.ProxyManager != nil {
 		s.ProxyManager.DeleteEndpointProxy(endpointID)
 	}
-
-	delete(s.activeTunnels, endpointID)
-
-	cache.Del(endpointID)
 }
 
 // Config returns the tunnel details needed for the agent to connect

api/cli/cli.go

@@ -56,6 +56,8 @@ func CLIFlags() *portainer.CLIFlags {
 		TrustedOrigins:            kingpin.Flag("trusted-origins", "List of trusted origins for CSRF protection. Separate multiple origins with a comma.").Envar(portainer.TrustedOriginsEnvVar).String(),
 		CSP:                       kingpin.Flag("csp", "Content Security Policy (CSP) header").Envar(portainer.CSPEnvVar).Default("true").Bool(),
 		CompactDB:                 kingpin.Flag("compact-db", "Enable database compaction on startup").Envar(portainer.CompactDBEnvVar).Default("false").Bool(),
+		NoSetupToken:              kingpin.Flag("no-setup-token", "Disable the setup token requirement for admin initialization and restore on an uninitialized instance").Envar(portainer.NoSetupTokenEnvVar).Bool(),
+		SetupToken:                kingpin.Flag("setup-token", "Set a custom setup token for admin initialization and restore on an uninitialized instance (overrides auto-generation)").Envar(portainer.SetupTokenEnvVar).String(),
 	}
 }
 

api/cmd/portainer/main.go

@@ -4,6 +4,7 @@ import (
 	"cmp"
 	"context"
 	"crypto/sha256"
+	nethttp "net/http"
 	"os"
 	"path"
 	"strings"
@@ -29,6 +30,7 @@ import (
 	"github.com/portainer/portainer/api/http"
 	"github.com/portainer/portainer/api/http/proxy"
 	kubeproxy "github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
+	"github.com/portainer/portainer/api/http/security/setuptoken"
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/internal/edge/edgestacks"
 	"github.com/portainer/portainer/api/internal/endpointutils"
@@ -51,10 +53,15 @@ import (
 	"github.com/portainer/portainer/pkg/featureflags"
 	"github.com/portainer/portainer/pkg/fips"
 	"github.com/portainer/portainer/pkg/libhelm"
+	"github.com/portainer/portainer/pkg/libhttp/ssrf"
 	"github.com/portainer/portainer/pkg/libstack/compose"
 	libswarm "github.com/portainer/portainer/pkg/libstack/swarm"
 	"github.com/portainer/portainer/pkg/validate"
 
+	gogitclient "github.com/go-git/go-git/v5/plumbing/transport/client"
+	gogitraw "github.com/go-git/go-git/v5/plumbing/transport/git"
+	gogithttp "github.com/go-git/go-git/v5/plumbing/transport/http"
+	gogitssh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/google/uuid"
 	"github.com/rs/zerolog/log"
 )
@@ -225,6 +232,32 @@ func initSnapshotService(
 	return snapshotService, nil
 }
 
+func resolveSetupToken(tx dataservices.DataStoreTx, providedToken string) (string, error) {
+	admins, err := tx.User().UsersByRole(portainer.AdministratorRole)
+	if err != nil {
+		return "", err
+	}
+	if len(admins) > 0 {
+		return "", nil
+	}
+
+	if providedToken != "" {
+		log.Info().Msg("using custom setup token; admin initialization and backup restore require this token in the X-Setup-Token header")
+		return providedToken, nil
+	}
+
+	token, err := setuptoken.Generate()
+	if err != nil {
+		return "", err
+	}
+
+	log.Info().
+		Str("setup_token", token).
+		Msg("no administrator account configured; admin initialization and backup restore require this setup token in the X-Setup-Token header. Start with --no-setup-token to disable.")
+
+	return token, nil
+}
+
 func initStatus(instanceID string) *portainer.Status {
 	return &portainer.Status{
 		Version:    portainer.APIVersion,
@@ -374,6 +407,19 @@ func buildServer(flags *portainer.CLIFlags, shutdownCtx context.Context, shutdow
 		log.Fatal().Msg("The database schema version does not align with the server version. Please consider reverting to the previous server version or addressing the database migration issue.")
 	}
 
+	if err := ssrf.Configure(dataStore.AllowList()); err != nil {
+		log.Fatal().Err(err).Msg("failed initializing ssrf service")
+	}
+
+	if !ssrf.WrapDefaultTransport() {
+		log.Fatal().Msg("failed to wrap default HTTP transport with SSRF protection")
+	}
+
+	gogithttp.DefaultClient = gogithttp.NewClient(&nethttp.Client{Transport: nethttp.DefaultTransport})
+	gogitclient.InstallProtocol("git", git.NewSSRFGitTransport(gogitraw.DefaultClient))
+	gogitclient.InstallProtocol("ssh", git.NewSSRFGitTransport(gogitssh.DefaultClient))
+	gogitclient.InstallProtocol("file", nil)
+
 	instanceID, err := dataStore.Version().InstanceID()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed getting instance id")
@@ -510,6 +556,17 @@ func buildServer(flags *portainer.CLIFlags, shutdownCtx context.Context, shutdow
 		}
 	}
 
+	setupToken := ""
+	if adminPasswordHash == "" && !*flags.NoSetupToken {
+		if err := dataStore.ViewTx(func(tx dataservices.DataStoreTx) error {
+			var txErr error
+			setupToken, txErr = resolveSetupToken(tx, *flags.SetupToken)
+			return txErr
+		}); err != nil {
+			log.Fatal().Err(err).Msg("failed initializing setup token")
+		}
+	}
+
 	if err := reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService); err != nil {
 		log.Fatal().Err(err).Msg("failed starting tunnel server")
 	}
@@ -601,6 +658,7 @@ func buildServer(flags *portainer.CLIFlags, shutdownCtx context.Context, shutdow
 		PlatformService:             platformService,
 		PullLimitCheckDisabled:      *flags.PullLimitCheckDisabled,
 		TrustedOrigins:              trustedOrigins,
+		SetupToken:                  setupToken,
 	}
 }
 

api/cmd/portainer/main_test.go

@@ -12,6 +12,44 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func Test_resolveSetupToken(t *testing.T) {
+	t.Parallel()
+
+	t.Run("admin already exists — returns empty token", func(t *testing.T) {
+		admin := portainer.User{Role: portainer.AdministratorRole}
+		store := testhelpers.NewDatastore(testhelpers.WithUsers([]portainer.User{admin}))
+		token, err := resolveSetupToken(store, "")
+		require.NoError(t, err)
+		assert.Empty(t, token)
+	})
+
+	t.Run("no admin — generates a 64-char hex token", func(t *testing.T) {
+		store := testhelpers.NewDatastore(testhelpers.WithUsers([]portainer.User{}))
+		token, err := resolveSetupToken(store, "")
+		require.NoError(t, err)
+		assert.Len(t, token, 64)
+
+		token2, err := resolveSetupToken(store, "")
+		require.NoError(t, err)
+		assert.NotEqual(t, token, token2)
+	})
+
+	t.Run("no admin — uses provided token", func(t *testing.T) {
+		store := testhelpers.NewDatastore(testhelpers.WithUsers([]portainer.User{}))
+		token, err := resolveSetupToken(store, "mysecrettoken")
+		require.NoError(t, err)
+		assert.Equal(t, "mysecrettoken", token)
+	})
+
+	t.Run("admin already exists — ignores provided token", func(t *testing.T) {
+		admin := portainer.User{Role: portainer.AdministratorRole}
+		store := testhelpers.NewDatastore(testhelpers.WithUsers([]portainer.User{admin}))
+		token, err := resolveSetupToken(store, "mysecrettoken")
+		require.NoError(t, err)
+		assert.Empty(t, token)
+	})
+}
+
 const secretFileName = "secret.txt"
 
 func createPasswordFile(t *testing.T, secretPath, password string) string {

api/connection.go

@@ -46,7 +46,7 @@ type Connection interface {
 
 	IsEncryptedStore() bool
 	NeedsEncryptionMigration() (bool, error)
-	SetEncrypted(encrypted bool)
+	SetEncrypted(encrypted bool) error
 
 	BackupMetadata() (map[string]any, error)
 	RestoreMetadata(s map[string]any) error

api/crypto/nonce.go

@@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"errors"
 	"io"
+	"slices"
 )
 
 type Nonce struct {
@@ -45,7 +46,7 @@ func (n *Nonce) Value() []byte {
 
 func (n *Nonce) Increment() error {
 	// Start incrementing from the least significant byte
-	for i := len(n.val) - 1; i >= 0; i-- {
+	for i := range slices.Backward(n.val) {
 		// Increment the current byte
 		n.val[i]++
 

api/database/boltdb/db.go

@@ -1,6 +1,8 @@
 package boltdb
 
 import (
+	"crypto/aes"
+	"crypto/cipher"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -40,6 +42,8 @@ type DbConnection struct {
 	isEncrypted     bool
 	Compact         bool
 
+	gcm cipher.AEAD
+
 	*bolt.DB
 }
 
@@ -75,8 +79,28 @@ func (connection *DbConnection) GetDatabaseFileSize() (int64, error) {
 	return file.Size(), nil
 }
 
-func (connection *DbConnection) SetEncrypted(flag bool) {
+func (connection *DbConnection) SetEncrypted(flag bool) error {
 	connection.isEncrypted = flag
+
+	if !flag || connection.EncryptionKey == nil {
+		connection.gcm = nil
+
+		return nil
+	}
+
+	block, err := aes.NewCipher(connection.EncryptionKey)
+	if err != nil {
+		return fmt.Errorf("creating AES cipher for database encryption: %w", err)
+	}
+
+	gcm, err := cipher.NewGCMWithRandomNonce(block)
+	if err != nil {
+		return fmt.Errorf("creating GCM cipher for database encryption: %w", err)
+	}
+
+	connection.gcm = gcm
+
+	return nil
 }
 
 // Return true if the database is encrypted
@@ -100,7 +124,9 @@ func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {
 
 	// If we have a loaded encryption key, always set encrypted
 	if connection.EncryptionKey != nil {
-		connection.SetEncrypted(true)
+		if err := connection.SetEncrypted(true); err != nil {
+			return false, err
+		}
 	}
 
 	// Check for portainer.db

api/database/boltdb/db_test.go

@@ -131,7 +131,7 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 			}
 
 			if tc.key {
-				connection.EncryptionKey = []byte("secret")
+				connection.EncryptionKey = secretToEncryptionKey("secret")
 			}
 
 			result, err := connection.NeedsEncryptionMigration()
@@ -142,6 +142,57 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 	}
 }
 
+func TestSetEncrypted_InvalidKeyReturnsError(t *testing.T) {
+	t.Parallel()
+
+	conn := DbConnection{EncryptionKey: []byte("bad")}
+	err := conn.SetEncrypted(true)
+	require.Error(t, err)
+	require.Nil(t, conn.gcm)
+}
+
+func TestSetEncrypted_NilKeyDoesNotSetGCM(t *testing.T) {
+	t.Parallel()
+
+	conn := DbConnection{}
+	err := conn.SetEncrypted(true)
+	require.NoError(t, err)
+	require.Nil(t, conn.gcm)
+}
+
+func TestSetEncrypted_EnableThenDisableStopsEncryption(t *testing.T) {
+	t.Parallel()
+
+	key := secretToEncryptionKey(passphrase)
+	conn := DbConnection{EncryptionKey: key}
+
+	err := conn.SetEncrypted(true)
+	require.NoError(t, err)
+	require.NotNil(t, conn.gcm)
+
+	err = conn.SetEncrypted(false)
+	require.NoError(t, err)
+	require.Nil(t, conn.gcm)
+
+	// MarshalObject must return plaintext after encryption is disabled
+	data, err := conn.MarshalObject("hello")
+	require.NoError(t, err)
+	require.Equal(t, "hello", string(data))
+}
+
+func TestNeedsEncryptionMigration_InvalidKeyError(t *testing.T) {
+	t.Parallel()
+
+	conn := DbConnection{
+		Path:          t.TempDir(),
+		EncryptionKey: []byte("bad"),
+	}
+
+	result, err := conn.NeedsEncryptionMigration()
+	require.Error(t, err)
+	require.False(t, result)
+}
+
 func TestDBCompaction(t *testing.T) {
 	t.Parallel()
 	db := &DbConnection{Path: t.TempDir()}

api/database/boltdb/json.go

@@ -2,7 +2,6 @@ package boltdb
 
 import (
 	"bytes"
-	"crypto/aes"
 	"crypto/cipher"
 
 	"github.com/pkg/errors"
@@ -28,18 +27,18 @@ func (connection *DbConnection) MarshalObject(object any) ([]byte, error) {
 		}
 	}
 
-	if connection.getEncryptionKey() == nil {
+	if connection.gcm == nil {
 		return buf.Bytes(), nil
 	}
 
-	return encrypt(buf.Bytes(), connection.getEncryptionKey())
+	return encrypt(buf.Bytes(), connection.gcm), nil
 }
 
 // UnmarshalObject decodes an object from binary data
 func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
 	var err error
-	if connection.getEncryptionKey() != nil {
-		data, err = decrypt(data, connection.getEncryptionKey())
+	if connection.gcm != nil {
+		data, err = decrypt(data, connection.gcm)
 		if err != nil {
 			return errors.Wrap(err, "Failed decrypting object")
 		}
@@ -59,48 +58,23 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
 	return err
 }
 
-// mmm, don't have a KMS .... aes GCM seems the most likely from
-// https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a#symmetric-encryption
-
-func encrypt(plaintext []byte, passphrase []byte) (encrypted []byte, err error) {
-	block, err := aes.NewCipher(passphrase)
-	if err != nil {
-		return encrypted, err
-	}
-
-	// NewGCMWithRandomNonce in go 1.24 handles setting up the nonce and adding it to the encrypted output
-	gcm, err := cipher.NewGCMWithRandomNonce(block)
-	if err != nil {
-		return encrypted, err
-	}
-
-	return gcm.Seal(nil, nil, plaintext, nil), nil
+func encrypt(plaintext []byte, gcm cipher.AEAD) []byte {
+	return gcm.Seal(nil, nil, plaintext, nil)
 }
 
-func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err error) {
+func decrypt(encrypted []byte, gcm cipher.AEAD) ([]byte, error) {
 	if string(encrypted) == "false" {
 		return []byte("false"), nil
 	}
 
-	block, err := aes.NewCipher(passphrase)
-	if err != nil {
-		return encrypted, errors.Wrap(err, "Error creating cypher block")
-	}
-
-	// NewGCMWithRandomNonce in go 1.24 handles reading the nonce from the encrypted input for us
-	gcm, err := cipher.NewGCMWithRandomNonce(block)
-	if err != nil {
-		return encrypted, errors.Wrap(err, "Error creating GCM")
-	}
-
-	if len(encrypted) < gcm.NonceSize() {
+	if len(encrypted) < gcm.Overhead() {
 		return encrypted, errEncryptedStringTooShort
 	}
 
-	plaintextByte, err = gcm.Open(nil, nil, encrypted, nil)
+	plaintextByte, err := gcm.Open(nil, nil, encrypted, nil)
 	if err != nil {
 		return encrypted, errors.Wrap(err, "Error decrypting text")
 	}
 
-	return plaintextByte, err
+	return plaintextByte, nil
 }

api/database/boltdb/json_test.go

@@ -170,7 +170,10 @@ func Test_ObjectMarshallingEncrypted(t *testing.T) {
 	}
 
 	key := secretToEncryptionKey(passphrase)
-	conn := DbConnection{EncryptionKey: key, isEncrypted: true}
+	conn := DbConnection{EncryptionKey: key}
+	err := conn.SetEncrypted(true)
+	require.NoError(t, err)
+
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
 
@@ -232,13 +235,16 @@ func Test_NonceSources(t *testing.T) {
 		return plaintext, err
 	}
 
-	encryptNewFn := encrypt
-	decryptNewFn := decrypt
-
 	passphrase := make([]byte, 32)
 	_, err := io.ReadFull(rand.Reader, passphrase)
 	require.NoError(t, err)
 
+	block, err := aes.NewCipher(passphrase)
+	require.NoError(t, err)
+
+	gcm, err := cipher.NewGCMWithRandomNonce(block)
+	require.NoError(t, err)
+
 	junk := make([]byte, 1024)
 	_, err = io.ReadFull(rand.Reader, junk)
 	require.NoError(t, err)
@@ -263,13 +269,12 @@ func Test_NonceSources(t *testing.T) {
 		enc, err = encryptOldFn(plain, passphrase)
 		require.NoError(t, err)
 
-		dec, err = decryptNewFn(enc, passphrase)
+		dec, err = decrypt(enc, gcm)
 		require.NoError(t, err)
 
 		require.Equal(t, plain, dec)
 
-		enc, err = encryptNewFn(plain, passphrase)
-		require.NoError(t, err)
+		enc = encrypt(plain, gcm)
 
 		dec, err = decryptOldFn(enc, passphrase)
 		require.NoError(t, err)
@@ -277,3 +282,110 @@ func Test_NonceSources(t *testing.T) {
 		require.Equal(t, plain, dec)
 	}
 }
+
+func TestDecrypt_FalseStringBypassesDecryption(t *testing.T) {
+	t.Parallel()
+
+	key := secretToEncryptionKey(passphrase)
+	block, err := aes.NewCipher(key)
+	require.NoError(t, err)
+
+	gcm, err := cipher.NewGCMWithRandomNonce(block)
+	require.NoError(t, err)
+
+	result, err := decrypt([]byte("false"), gcm)
+	require.NoError(t, err)
+	require.Equal(t, []byte("false"), result)
+}
+
+func TestDecrypt_ShortDataReturnsError(t *testing.T) {
+	t.Parallel()
+
+	key := secretToEncryptionKey(passphrase)
+	block, err := aes.NewCipher(key)
+	require.NoError(t, err)
+
+	gcm, err := cipher.NewGCMWithRandomNonce(block)
+	require.NoError(t, err)
+
+	short := []byte("short")
+	result, err := decrypt(short, gcm)
+	require.ErrorIs(t, err, errEncryptedStringTooShort)
+	require.Equal(t, short, result)
+}
+
+func TestDecrypt_CorruptDataReturnsError(t *testing.T) {
+	t.Parallel()
+
+	key := secretToEncryptionKey(passphrase)
+	block, err := aes.NewCipher(key)
+	require.NoError(t, err)
+
+	gcm, err := cipher.NewGCMWithRandomNonce(block)
+	require.NoError(t, err)
+
+	// 30 bytes passes the length check but fails authentication
+	corrupted := make([]byte, 30)
+	_, err = io.ReadFull(rand.Reader, corrupted)
+	require.NoError(t, err)
+
+	result, err := decrypt(corrupted, gcm)
+	require.Error(t, err)
+	require.Equal(t, corrupted, result)
+}
+
+// BenchmarkEncryptCachedCipher measures the new approach: cipher created once and reused.
+func BenchmarkEncryptCachedCipher(b *testing.B) {
+	key := secretToEncryptionKey(passphrase)
+	conn := DbConnection{EncryptionKey: key}
+	err := conn.SetEncrypted(true)
+	require.NoError(b, err)
+
+	data := []byte(jsonobject)
+
+	b.ResetTimer()
+
+	for b.Loop() {
+		_ = encrypt(data, conn.gcm)
+	}
+}
+
+// BenchmarkEncryptPerCallCipher measures the old approach: cipher created on every call.
+func BenchmarkEncryptPerCallCipher(b *testing.B) {
+	key := secretToEncryptionKey(passphrase)
+	data := []byte(jsonobject)
+
+	b.ResetTimer()
+
+	for b.Loop() {
+		block, err := aes.NewCipher(key)
+		if err != nil {
+			b.Fatal(err)
+		}
+
+		gcm, err := cipher.NewGCMWithRandomNonce(block)
+		if err != nil {
+			b.Fatal(err)
+		}
+
+		_ = gcm.Seal(nil, nil, data, nil)
+	}
+}
+
+// BenchmarkEncryptCachedCipherParallel verifies the cached cipher is safe for concurrent use.
+func BenchmarkEncryptCachedCipherParallel(b *testing.B) {
+	key := secretToEncryptionKey(passphrase)
+	conn := DbConnection{EncryptionKey: key}
+	err := conn.SetEncrypted(true)
+	require.NoError(b, err)
+
+	data := []byte(jsonobject)
+
+	b.ResetTimer()
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = encrypt(data, conn.gcm)
+		}
+	})
+}

api/database/boltdb/tx.go

@@ -40,10 +40,10 @@ func (tx *DbTransaction) GetRawBytes(bucketName string, key []byte) ([]byte, err
 		return nil, fmt.Errorf("%w (bucket=%s, key=%s)", dserrors.ErrObjectNotFound, bucketName, keyToString(key))
 	}
 
-	if tx.conn.getEncryptionKey() != nil {
+	if tx.conn.gcm != nil {
 		var err error
 
-		if value, err = decrypt(value, tx.conn.getEncryptionKey()); err != nil {
+		if value, err = decrypt(value, tx.conn.gcm); err != nil {
 			return value, errors.Wrap(err, "Failed decrypting object")
 		}
 	}

api/database/boltdb/tx_test.go

@@ -2,6 +2,7 @@ package boltdb
 
 import (
 	"errors"
+	"strconv"
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
@@ -23,10 +24,10 @@ func TestTxs(t *testing.T) {
 
 	err := conn.Open()
 	require.NoError(t, err)
-	defer func() {
+	t.Cleanup(func() {
 		err := conn.Close()
 		require.NoError(t, err)
-	}()
+	})
 
 	// Error propagation
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
@@ -103,3 +104,57 @@ func TestTxs(t *testing.T) {
 	})
 	require.Error(t, err)
 }
+
+func BenchmarkGetAll(b *testing.B) {
+	const endpointBucket = "endpoints"
+	const n = 10000
+
+	conn := DbConnection{Path: b.TempDir()}
+
+	err := conn.Open()
+	require.NoError(b, err)
+	b.Cleanup(func() {
+		err := conn.Close()
+		require.NoError(b, err)
+	})
+
+	err = conn.UpdateTx(func(tx portainer.Transaction) error {
+		if err := tx.SetServiceName(endpointBucket); err != nil {
+			return err
+		}
+
+		for i := 1; i <= n; i++ {
+			ep := portainer.Endpoint{
+				ID:              portainer.EndpointID(i),
+				Name:            "env-" + strconv.Itoa(i),
+				Type:            portainer.DockerEnvironment,
+				URL:             "tcp://192.168.1." + strconv.Itoa(i%254+1) + ":2375",
+				PublicURL:       "https://env-" + strconv.Itoa(i) + ".example.com",
+				GroupID:         portainer.EndpointGroupID(i%10 + 1),
+				TagIDs:          []portainer.TagID{portainer.TagID(i%5 + 1), portainer.TagID(i%3 + 1)},
+				LastCheckInDate: int64(i) * 1000,
+				EdgeID:          "edge-" + strconv.Itoa(i),
+			}
+
+			if err := tx.CreateObjectWithId(endpointBucket, i, &ep); err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+	require.NoError(b, err)
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for b.Loop() {
+		var collection []portainer.Endpoint
+
+		if err := conn.ViewTx(func(tx portainer.Transaction) error {
+			return tx.GetAll(endpointBucket, new(portainer.Endpoint), dataservices.AppendFn(&collection))
+		}); err != nil {
+			b.Fatal(err)
+		}
+	}
+}

api/dataservices/allowlist/allowlist.go

@@ -0,0 +1,131 @@
+package allowlist
+
+import (
+	"fmt"
+
+	lru "github.com/hashicorp/golang-lru"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/pkg/libhttp/ssrf"
+)
+
+const (
+	BucketName = "allowlist"
+)
+
+type Service struct {
+	baseService dataservices.BaseDataService[portainer.AllowList, portainer.AllowListKey]
+	cache       *lru.Cache
+}
+
+func (service *Service) BucketName() string {
+	return service.baseService.BucketName()
+}
+
+func NewService(connection portainer.Connection) (*Service, error) {
+	err := connection.SetServiceName(BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	service := &Service{
+		baseService: dataservices.BaseDataService[portainer.AllowList, portainer.AllowListKey]{
+			Bucket:     BucketName,
+			Connection: connection,
+		},
+	}
+
+	err = service.populateCache()
+
+	return service, err
+}
+
+func (service *Service) populateCache() error {
+	allowListKeys := []portainer.AllowListKey{portainer.AllowListSSRF}
+	cache, err := lru.New(len(allowListKeys))
+	if err != nil {
+		return err
+	}
+
+	for _, k := range allowListKeys {
+		allowList, err := service.baseService.Read(k)
+		if dataservices.IsErrObjectNotFound(err) {
+			allowList = &portainer.AllowList{
+				ID:      k,
+				Mode:    portainer.SSRFModeOff,
+				Entries: []string{},
+			}
+		} else if err != nil {
+			return err
+		}
+
+		parsedAllowList := ssrf.ParseAllowedHosts(allowList.Entries)
+		parsedAllowList.Mode = allowList.Mode
+
+		cache.Add(k, &parsedAllowList)
+	}
+
+	service.cache = cache
+
+	return nil
+}
+
+func (service *Service) Tx(tx portainer.Transaction) *ServiceTx {
+	return &ServiceTx{
+		baseService: service.baseService.Tx(tx),
+		cache:       service.cache,
+	}
+}
+
+func (service *Service) Read(id portainer.AllowListKey) (*portainer.AllowList, error) {
+	var result *portainer.AllowList
+	if err := service.baseService.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		result, err = service.Tx(tx).Read(id)
+		return err
+	}); err != nil {
+		return nil, err
+	}
+
+	return result, nil
+}
+
+func (service *Service) ReadAll() ([]portainer.AllowList, error) {
+	var result []portainer.AllowList
+	if err := service.baseService.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		result, err = service.Tx(tx).ReadAll()
+		return err
+	}); err != nil {
+		return nil, err
+	}
+
+	return result, nil
+}
+
+func (service *Service) ReadParsed(id portainer.AllowListKey) (*portainer.ParsedAllowList, error) {
+	allowListAny, ok := service.cache.Get(id)
+	if ok {
+		allowList, ok := allowListAny.(*portainer.ParsedAllowList)
+		if !ok {
+			return nil, fmt.Errorf("expected ParsedAllowList in cache but got %T", allowListAny)
+		}
+
+		return allowList, nil
+	}
+
+	var result *portainer.ParsedAllowList
+	err := service.baseService.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		result, err = service.Tx(tx).ReadParsed(id)
+		return err
+	})
+
+	return result, err
+}
+
+func (service *Service) Update(id portainer.AllowListKey, allowList *portainer.AllowList) error {
+	return service.baseService.Connection.UpdateTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).Update(id, allowList)
+	})
+}

api/dataservices/allowlist/allowlist_test.go

@@ -0,0 +1,89 @@
+package allowlist_test
+
+import (
+	"net"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAllowListReadEmpty(t *testing.T) {
+	t.Parallel()
+	_, ds := datastore.MustNewTestStore(t, false, false)
+	got, err := ds.AllowList().Read(portainer.AllowListSSRF)
+	expected := &portainer.AllowList{
+		ID:      portainer.AllowListSSRF,
+		Mode:    portainer.SSRFModeOff,
+		Entries: []string{},
+	}
+	require.NoError(t, err)
+	require.Equal(t, expected, got)
+}
+
+func TestAllowListUpdate(t *testing.T) {
+	t.Parallel()
+	_, ds := datastore.MustNewTestStore(t, false, false)
+
+	expected := &portainer.AllowList{
+		ID:      portainer.AllowListSSRF,
+		Mode:    portainer.SSRFModeEnforce,
+		Entries: []string{"example.com", "10.0.0.0/8"},
+	}
+
+	require.NoError(t, ds.AllowList().Update(portainer.AllowListSSRF, expected))
+
+	got, err := ds.AllowList().Read(portainer.AllowListSSRF)
+	require.NoError(t, err)
+	require.Equal(t, expected, got)
+}
+
+func TestAllowListReadAllEmpty(t *testing.T) {
+	t.Parallel()
+	_, ds := datastore.MustNewTestStore(t, false, false)
+
+	got, err := ds.AllowList().ReadAll()
+	require.NoError(t, err)
+	require.Equal(t, []portainer.AllowList{}, got)
+}
+
+func TestAllowListReadAllAfterUpdate(t *testing.T) {
+	t.Parallel()
+	_, ds := datastore.MustNewTestStore(t, false, false)
+
+	expected := portainer.AllowList{
+		ID:      portainer.AllowListSSRF,
+		Mode:    portainer.SSRFModeEnforce,
+		Entries: []string{"example.com", "10.0.0.0/8"},
+	}
+
+	require.NoError(t, ds.AllowList().Update(portainer.AllowListSSRF, &expected))
+
+	got, err := ds.AllowList().ReadAll()
+	require.NoError(t, err)
+	require.Equal(t, []portainer.AllowList{expected}, got)
+}
+
+func TestAllowListReadParsedAfterUpdate(t *testing.T) {
+	t.Parallel()
+	_, ds := datastore.MustNewTestStore(t, false, false)
+
+	require.NoError(t, ds.AllowList().Update(portainer.AllowListSSRF, &portainer.AllowList{
+		ID:      portainer.AllowListSSRF,
+		Mode:    portainer.SSRFModeEnforce,
+		Entries: []string{"example.com"},
+	}))
+
+	expected := &portainer.ParsedAllowList{
+		Mode: portainer.SSRFModeEnforce,
+		Nets: []*net.IPNet{},
+		Hosts: map[string]bool{
+			"example.com": true,
+		},
+	}
+
+	got, err := ds.AllowList().ReadParsed(portainer.AllowListSSRF)
+	require.NoError(t, err)
+	require.Equal(t, expected, got)
+}

api/dataservices/allowlist/tx.go

@@ -0,0 +1,77 @@
+package allowlist
+
+import (
+	"fmt"
+
+	lru "github.com/hashicorp/golang-lru"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/pkg/libhttp/ssrf"
+)
+
+type ServiceTx struct {
+	baseService dataservices.BaseDataServiceTx[portainer.AllowList, portainer.AllowListKey]
+	cache       *lru.Cache
+}
+
+func (service *ServiceTx) BucketName() string {
+	return service.baseService.BucketName()
+}
+
+func (service *ServiceTx) ReadParsed(id portainer.AllowListKey) (*portainer.ParsedAllowList, error) {
+	allowListAny, ok := service.cache.Get(id)
+	if ok {
+		allowList, ok := allowListAny.(*portainer.ParsedAllowList)
+		if !ok {
+			return nil, fmt.Errorf("expected ParsedAllowList in cache but got %T", allowListAny)
+		}
+
+		return allowList, nil
+	}
+
+	allowList, err := service.Read(id)
+	if err != nil {
+		return nil, err
+	}
+
+	parsed := ssrf.ParseAllowedHosts(allowList.Entries)
+	parsed.Mode = allowList.Mode
+	service.cache.Add(id, &parsed)
+
+	return &parsed, nil
+}
+
+func (service *ServiceTx) Read(id portainer.AllowListKey) (*portainer.AllowList, error) {
+	allowList, err := service.baseService.Read(id)
+	if dataservices.IsErrObjectNotFound(err) {
+		allowList = &portainer.AllowList{
+			ID:      id,
+			Mode:    portainer.SSRFModeOff,
+			Entries: []string{},
+		}
+	} else if err != nil {
+		return nil, err
+	}
+
+	return allowList, nil
+}
+
+func (service *ServiceTx) ReadAll() ([]portainer.AllowList, error) {
+	allowLists, err := service.baseService.ReadAll()
+	if err != nil && !dataservices.IsErrObjectNotFound(err) {
+		return nil, err
+	}
+
+	return allowLists, nil
+}
+
+func (service *ServiceTx) Update(id portainer.AllowListKey, allowList *portainer.AllowList) error {
+	if err := service.baseService.Update(id, allowList); err != nil {
+		return err
+	}
+
+	parsed := ssrf.ParseAllowedHosts(allowList.Entries)
+	parsed.Mode = allowList.Mode
+	service.cache.Add(id, &parsed)
+	return nil
+}

api/dataservices/allowlist/tx_test.go

@@ -0,0 +1,92 @@
+package allowlist_test
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAllowListReadTx(t *testing.T) {
+	t.Parallel()
+	_, ds := datastore.MustNewTestStore(t, false, false)
+
+	var got *portainer.AllowList
+	require.NoError(t, ds.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		got, err = tx.AllowList().Read(portainer.AllowListSSRF)
+		return err
+	}))
+
+	expected := &portainer.AllowList{
+		ID:      portainer.AllowListSSRF,
+		Mode:    portainer.SSRFModeOff,
+		Entries: []string{},
+	}
+
+	require.Equal(t, expected, got)
+}
+
+func TestAllowListReadAllEmptyTx(t *testing.T) {
+	t.Parallel()
+	_, ds := datastore.MustNewTestStore(t, false, false)
+
+	var got []portainer.AllowList
+	require.NoError(t, ds.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		got, err = tx.AllowList().ReadAll()
+		return err
+	}))
+
+	require.Equal(t, []portainer.AllowList{}, got)
+}
+
+func TestAllowListReadAllAfterUpdateTx(t *testing.T) {
+	t.Parallel()
+	_, ds := datastore.MustNewTestStore(t, false, false)
+
+	expected := portainer.AllowList{
+		ID:      portainer.AllowListSSRF,
+		Mode:    portainer.SSRFModeEnforce,
+		Entries: []string{"example.com"},
+	}
+
+	require.NoError(t, ds.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		return tx.AllowList().Update(portainer.AllowListSSRF, &expected)
+	}))
+
+	var got []portainer.AllowList
+	require.NoError(t, ds.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		got, err = tx.AllowList().ReadAll()
+		return err
+	}))
+
+	require.Equal(t, []portainer.AllowList{expected}, got)
+}
+
+func TestAllowListUpdateTx(t *testing.T) {
+	t.Parallel()
+	_, ds := datastore.MustNewTestStore(t, false, false)
+
+	expected := &portainer.AllowList{
+		ID:      portainer.AllowListSSRF,
+		Mode:    portainer.SSRFModeEnforce,
+		Entries: []string{"example.com"},
+	}
+
+	require.NoError(t, ds.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		return tx.AllowList().Update(portainer.AllowListSSRF, expected)
+	}))
+
+	var got *portainer.AllowList
+	require.NoError(t, ds.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		got, err = tx.AllowList().Read(portainer.AllowListSSRF)
+		return err
+	}))
+
+	require.Equal(t, expected, got)
+}

api/dataservices/apikeyrepository/apikeyrepository.go

@@ -2,13 +2,10 @@ package apikeyrepository
 
 import (
 	"errors"
-	"fmt"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	dserrors "github.com/portainer/portainer/api/dataservices/errors"
-
-	"github.com/rs/zerolog/log"
 )
 
 // BucketName represents the name of the bucket where this service stores data.
@@ -40,19 +37,10 @@ func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.APIKey{},
-		func(obj any) (any, error) {
-			record, ok := obj.(*portainer.APIKey)
-			if !ok {
-				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to APIKey object")
-				return nil, fmt.Errorf("failed to convert to APIKey object: %s", obj)
-			}
-
-			if record.UserID == userID {
-				result = append(result, *record)
-			}
-
-			return &portainer.APIKey{}, nil
-		})
+		dataservices.FilterFn(&result, func(record portainer.APIKey) bool {
+			return record.UserID == userID
+		}),
+	)
 
 	return result, err
 }
@@ -60,27 +48,18 @@ func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer
 // GetAPIKeyByDigest returns the API key for the associated digest.
 // Note: there is a 1-to-1 mapping of api-key and digest
 func (service *Service) GetAPIKeyByDigest(digest string) (*portainer.APIKey, error) {
-	var k *portainer.APIKey
-	stop := errors.New("ok")
+	var found portainer.APIKey
+
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.APIKey{},
-		func(obj any) (any, error) {
-			key, ok := obj.(*portainer.APIKey)
-			if !ok {
-				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to APIKey object")
-				return nil, fmt.Errorf("failed to convert to APIKey object: %s", obj)
-			}
-			if key.Digest == digest {
-				k = key
-				return nil, stop
-			}
+		dataservices.FirstFn(&found, func(key portainer.APIKey) bool {
+			return key.Digest == digest
+		}),
+	)
 
-			return &portainer.APIKey{}, nil
-		})
-
-	if errors.Is(err, stop) {
-		return k, nil
+	if errors.Is(err, dataservices.ErrStop) {
+		return &found, nil
 	}
 
 	if err == nil {

api/dataservices/edgestack/tx.go

@@ -1,11 +1,8 @@
 package edgestack
 
 import (
-	"fmt"
-
 	portainer "github.com/portainer/portainer/api"
-
-	"github.com/rs/zerolog/log"
+	"github.com/portainer/portainer/api/dataservices"
 )
 
 type ServiceTx struct {
@@ -24,17 +21,8 @@ func (service ServiceTx) EdgeStacks() ([]portainer.EdgeStack, error) {
 	err := service.tx.GetAll(
 		BucketName,
 		&portainer.EdgeStack{},
-		func(obj any) (any, error) {
-			stack, ok := obj.(*portainer.EdgeStack)
-			if !ok {
-				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to EdgeStack object")
-				return nil, fmt.Errorf("failed to convert to EdgeStack object: %s", obj)
-			}
-
-			stacks = append(stacks, *stack)
-
-			return &portainer.EdgeStack{}, nil
-		})
+		dataservices.AppendFn(&stacks),
+	)
 
 	return stacks, err
 }

api/dataservices/edgestackstatus/edgestackstatus.go

@@ -1,6 +1,8 @@
 package edgestackstatus
 
 import (
+	"encoding/binary"
+
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 )
@@ -85,5 +87,9 @@ func (s *Service) Clear(edgeStackID portainer.EdgeStackID, relatedEnvironmentsID
 }
 
 func (s *Service) key(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) []byte {
-	return append(s.conn.ConvertToKey(int(edgeStackID)), s.conn.ConvertToKey(int(endpointID))...)
+	k := make([]byte, 16)
+	binary.BigEndian.PutUint64(k[:8], uint64(edgeStackID))
+	binary.BigEndian.PutUint64(k[8:], uint64(endpointID))
+
+	return k
 }

api/dataservices/helpers.go

@@ -27,7 +27,10 @@ func AppendFn[T any](collection *[]T) func(obj any) (any, error) {
 
 		*collection = append(*collection, *element)
 
-		return new(T), nil
+		var zero T
+		*element = zero
+
+		return element, nil
 	}
 }
 
@@ -44,7 +47,10 @@ func FilterFn[T any](collection *[]T, predicate func(T) bool) func(obj any) (any
 			*collection = append(*collection, *element)
 		}
 
-		return new(T), nil
+		var zero T
+		*element = zero
+
+		return element, nil
 	}
 }
 
@@ -60,9 +66,12 @@ func FirstFn[T any](element *T, predicate func(T) bool) func(obj any) (any, erro
 
 		if predicate(*e) {
 			*element = *e
-			return new(T), ErrStop
+			return e, ErrStop
 		}
 
-		return new(T), nil
+		var zero T
+		*e = zero
+
+		return e, nil
 	}
 }

api/dataservices/interface.go

@@ -8,6 +8,7 @@ import (
 type (
 	DataStoreTx interface {
 		IsErrObjectNotFound(err error) bool
+		AllowList() AllowListService
 		CustomTemplate() CustomTemplateService
 		EdgeGroup() EdgeGroupService
 		EdgeJob() EdgeJobService
@@ -24,6 +25,7 @@ type (
 		Settings() SettingsService
 		Snapshot() SnapshotService
 		SSLSettings() SSLSettingsService
+		Source() SourceService
 		Stack() StackService
 		Tag() TagService
 		TeamMembership() TeamMembershipService
@@ -32,6 +34,7 @@ type (
 		User() UserService
 		Version() VersionService
 		Webhook() WebhookService
+		Workflow() WorkflowService
 		PendingActions() PendingActionsService
 	}
 
@@ -51,6 +54,15 @@ type (
 		DataStoreTx
 	}
 
+	// AllowListService represents a service for managing the URL allow list
+	AllowListService interface {
+		Read(id portainer.AllowListKey) (*portainer.AllowList, error)
+		ReadAll() ([]portainer.AllowList, error)
+		ReadParsed(id portainer.AllowListKey) (*portainer.ParsedAllowList, error)
+		Update(id portainer.AllowListKey, allowList *portainer.AllowList) error
+		BucketName() string
+	}
+
 	// CustomTemplateService represents a service to manage custom templates
 	CustomTemplateService interface {
 		BaseCRUD[portainer.CustomTemplate, portainer.CustomTemplateID]
@@ -183,6 +195,11 @@ type (
 		BucketName() string
 	}
 
+	// SourceService represents a service for managing GitOps source data
+	SourceService interface {
+		BaseCRUD[portainer.Source, portainer.SourceID]
+	}
+
 	// StackService represents a service for managing stack data
 	StackService interface {
 		BaseCRUD[portainer.Stack, portainer.StackID]
@@ -245,4 +262,9 @@ type (
 		WebhookByResourceID(resourceID string) (*portainer.Webhook, error)
 		WebhookByToken(token string) (*portainer.Webhook, error)
 	}
+
+	// WorkflowService represents a service for managing GitOps workflow data
+	WorkflowService interface {
+		BaseCRUD[portainer.Workflow, portainer.WorkflowID]
+	}
 )

api/dataservices/resourcecontrol/resourcecontrol.go

@@ -2,13 +2,10 @@ package resourcecontrol
 
 import (
 	"errors"
-	"fmt"
 	"slices"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-
-	"github.com/rs/zerolog/log"
 )
 
 // BucketName represents the name of the bucket where this service stores data.
@@ -48,35 +45,26 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 // to the main ResourceID or in SubResourceIDs. It also performs a check on the resource type. Return nil
 // if no ResourceControl was found.
 func (service *Service) ResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
-	var resourceControl *portainer.ResourceControl
-	stop := errors.New("ok")
+	var found portainer.ResourceControl
+
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.ResourceControl{},
-		func(obj any) (any, error) {
-			rc, ok := obj.(*portainer.ResourceControl)
-			if !ok {
-				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to ResourceControl object")
-				return nil, fmt.Errorf("failed to convert to ResourceControl object: %s", obj)
-			}
+		dataservices.FirstFn(&found, func(rc portainer.ResourceControl) bool {
+			return (rc.ResourceID == resourceID && rc.Type == resourceType) ||
+				slices.Contains(rc.SubResourceIDs, resourceID)
+		}),
+	)
 
-			if rc.ResourceID == resourceID && rc.Type == resourceType {
-				resourceControl = rc
-				return nil, stop
-			}
-
-			if slices.Contains(rc.SubResourceIDs, resourceID) {
-				resourceControl = rc
-				return nil, stop
-			}
-
-			return &portainer.ResourceControl{}, nil
-		})
-	if errors.Is(err, stop) {
-		return resourceControl, nil
+	if errors.Is(err, dataservices.ErrStop) {
+		return &found, nil
 	}
 
-	return nil, err
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, nil
 }
 
 // CreateResourceControl creates a new ResourceControl object

api/dataservices/resourcecontrol/tx.go

@@ -2,13 +2,10 @@ package resourcecontrol
 
 import (
 	"errors"
-	"fmt"
 	"slices"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-
-	"github.com/rs/zerolog/log"
 )
 
 type ServiceTx struct {
@@ -19,35 +16,26 @@ type ServiceTx struct {
 // to the main ResourceID or in SubResourceIDs. It also performs a check on the resource type. Return nil
 // if no ResourceControl was found.
 func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
-	var resourceControl *portainer.ResourceControl
-	stop := errors.New("ok")
+	var found portainer.ResourceControl
+
 	err := service.Tx.GetAll(
 		BucketName,
 		&portainer.ResourceControl{},
-		func(obj any) (any, error) {
-			rc, ok := obj.(*portainer.ResourceControl)
-			if !ok {
-				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to ResourceControl object")
-				return nil, fmt.Errorf("failed to convert to ResourceControl object: %s", obj)
-			}
+		dataservices.FirstFn(&found, func(rc portainer.ResourceControl) bool {
+			return (rc.ResourceID == resourceID && rc.Type == resourceType) ||
+				slices.Contains(rc.SubResourceIDs, resourceID)
+		}),
+	)
 
-			if rc.ResourceID == resourceID && rc.Type == resourceType {
-				resourceControl = rc
-				return nil, stop
-			}
-
-			if slices.Contains(rc.SubResourceIDs, resourceID) {
-				resourceControl = rc
-				return nil, stop
-			}
-
-			return &portainer.ResourceControl{}, nil
-		})
-	if errors.Is(err, stop) {
-		return resourceControl, nil
+	if errors.Is(err, dataservices.ErrStop) {
+		return &found, nil
 	}
 
-	return nil, err
+	if err != nil {
+		return nil, err
+	}
+
+	return nil, nil
 }
 
 // CreateResourceControl creates a new ResourceControl object

api/dataservices/source/source.go

@@ -0,0 +1,50 @@
+package source
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+// BucketName represents the name of the bucket where this service stores data.
+const BucketName = "sources"
+
+// Service represents a service for managing GitOps source data.
+type Service struct {
+	dataservices.BaseDataService[portainer.Source, portainer.SourceID]
+}
+
+// NewService creates a new instance of a service.
+func NewService(connection portainer.Connection) (*Service, error) {
+	err := connection.SetServiceName(BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		BaseDataService: dataservices.BaseDataService[portainer.Source, portainer.SourceID]{
+			Bucket:     BucketName,
+			Connection: connection,
+		},
+	}, nil
+}
+
+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[portainer.Source, portainer.SourceID]{
+			Bucket:     BucketName,
+			Connection: service.Connection,
+			Tx:         tx,
+		},
+	}
+}
+
+// Create creates a new source.
+func (service *Service) Create(source *portainer.Source) error {
+	return service.Connection.CreateObject(
+		BucketName,
+		func(id uint64) (int, any) {
+			source.ID = portainer.SourceID(id)
+			return int(source.ID), source
+		},
+	)
+}

api/dataservices/source/tx.go

@@ -0,0 +1,21 @@
+package source
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+type ServiceTx struct {
+	dataservices.BaseDataServiceTx[portainer.Source, portainer.SourceID]
+}
+
+// Create creates a new source.
+func (service ServiceTx) Create(source *portainer.Source) error {
+	return service.Tx.CreateObject(
+		BucketName,
+		func(id uint64) (int, any) {
+			source.ID = portainer.SourceID(id)
+			return int(source.ID), source
+		},
+	)
+}

api/dataservices/stack/stack.go

@@ -7,6 +7,8 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	dserrors "github.com/portainer/portainer/api/dataservices/errors"
+
+	"github.com/rs/zerolog/log"
 )
 
 // BucketName represents the name of the bucket where this service stores data.
@@ -81,9 +83,21 @@ func (service *Service) GetNextIdentifier() int {
 
 // CreateStack creates a new stack.
 func (service *Service) Create(stack *portainer.Stack) error {
+	if stack.GitConfig != nil {
+		log.Warn().Int("stackID", int(stack.ID)).Str("url", stack.GitConfig.URL).Msg("stack persisted with non-nil GitConfig; GitConfig is deprecated, use WorkflowID/Source instead")
+	}
+
 	return service.Connection.CreateObjectWithId(BucketName, int(stack.ID), stack)
 }
 
+func (service *Service) Update(ID portainer.StackID, stack *portainer.Stack) error {
+	if stack.GitConfig != nil {
+		log.Warn().Int("stackID", int(ID)).Str("url", stack.GitConfig.URL).Msg("stack persisted with non-nil GitConfig; GitConfig is deprecated, use WorkflowID/Source instead")
+	}
+
+	return service.BaseDataService.Update(ID, stack)
+}
+
 // StackByWebhookID returns a pointer to a stack object by webhook ID.
 // It returns nil, errors.ErrObjectNotFound if there's no stack associated with the webhook ID.
 func (service *Service) StackByWebhookID(id string) (*portainer.Stack, error) {
@@ -116,7 +130,7 @@ func (service *Service) RefreshableStacks() ([]portainer.Stack, error) {
 		BucketName,
 		&portainer.Stack{},
 		dataservices.FilterFn(&stacks, func(e portainer.Stack) bool {
-			return e.AutoUpdate != nil && e.AutoUpdate.Interval != ""
+			return e.WorkflowID != 0 && e.AutoUpdate != nil && e.AutoUpdate.Interval != ""
 		}),
 	)
 }

api/dataservices/stack/tests/stack_test.go

@@ -93,14 +93,15 @@ func Test_RefreshableStacks(t *testing.T) {
 
 	staticStack := portainer.Stack{ID: 1}
 	stackWithWebhook := portainer.Stack{ID: 2, AutoUpdate: &portainer.AutoUpdateSettings{Webhook: "webhook"}}
-	refreshableStack := portainer.Stack{ID: 3, AutoUpdate: &portainer.AutoUpdateSettings{Interval: "1m"}}
+	intervalNoWorkflow := portainer.Stack{ID: 3, AutoUpdate: &portainer.AutoUpdateSettings{Interval: "1m"}}
+	refreshableStack := portainer.Stack{ID: 4, WorkflowID: 1, AutoUpdate: &portainer.AutoUpdateSettings{Interval: "1m"}}
 
-	for _, stack := range []*portainer.Stack{&staticStack, &stackWithWebhook, &refreshableStack} {
+	for _, stack := range []*portainer.Stack{&staticStack, &stackWithWebhook, &intervalNoWorkflow, &refreshableStack} {
 		err := store.Stack().Create(stack)
 		require.NoError(t, err)
 	}
 
 	stacks, err := store.Stack().RefreshableStacks()
 	require.NoError(t, err)
-	assert.ElementsMatch(t, []portainer.Stack{refreshableStack}, stacks)
+	require.ElementsMatch(t, []portainer.Stack{refreshableStack}, stacks)
 }

api/dataservices/stack/tx.go

@@ -7,6 +7,8 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	dserrors "github.com/portainer/portainer/api/dataservices/errors"
+
+	"github.com/rs/zerolog/log"
 )
 
 type ServiceTx struct {
@@ -56,9 +58,21 @@ func (service ServiceTx) GetNextIdentifier() int {
 
 // CreateStack creates a new stack.
 func (service ServiceTx) Create(stack *portainer.Stack) error {
+	if stack.GitConfig != nil {
+		log.Warn().Int("stackID", int(stack.ID)).Str("url", stack.GitConfig.URL).Msg("stack persisted with non-nil GitConfig; GitConfig is deprecated, use WorkflowID/Source instead")
+	}
+
 	return service.Tx.CreateObjectWithId(BucketName, int(stack.ID), stack)
 }
 
+func (service ServiceTx) Update(ID portainer.StackID, stack *portainer.Stack) error {
+	if stack.GitConfig != nil {
+		log.Warn().Int("stackID", int(ID)).Str("url", stack.GitConfig.URL).Msg("stack persisted with non-nil GitConfig; GitConfig is deprecated, use WorkflowID/Source instead")
+	}
+
+	return service.BaseDataServiceTx.Update(ID, stack)
+}
+
 // StackByWebhookID returns a pointer to a stack object by webhook ID.
 // It returns nil, errors.ErrObjectNotFound if there's no stack associated with the webhook ID.
 func (service ServiceTx) StackByWebhookID(id string) (*portainer.Stack, error) {
@@ -92,7 +106,7 @@ func (service ServiceTx) RefreshableStacks() ([]portainer.Stack, error) {
 		BucketName,
 		&portainer.Stack{},
 		dataservices.FilterFn(&stacks, func(e portainer.Stack) bool {
-			return e.AutoUpdate != nil && e.AutoUpdate.Interval != ""
+			return e.WorkflowID != 0 && e.AutoUpdate != nil && e.AutoUpdate.Interval != ""
 		}),
 	)
 }

api/dataservices/workflow/service.go

@@ -0,0 +1,46 @@
+package workflow
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+const BucketName = "workflows"
+
+type Service struct {
+	dataservices.BaseDataService[portainer.Workflow, portainer.WorkflowID]
+}
+
+func NewService(connection portainer.Connection) (*Service, error) {
+	err := connection.SetServiceName(BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		BaseDataService: dataservices.BaseDataService[portainer.Workflow, portainer.WorkflowID]{
+			Bucket:     BucketName,
+			Connection: connection,
+		},
+	}, nil
+}
+
+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[portainer.Workflow, portainer.WorkflowID]{
+			Bucket:     BucketName,
+			Connection: service.Connection,
+			Tx:         tx,
+		},
+	}
+}
+
+func (service *Service) Create(workflow *portainer.Workflow) error {
+	return service.Connection.CreateObject(
+		BucketName,
+		func(id uint64) (int, any) {
+			workflow.ID = portainer.WorkflowID(id)
+			return int(workflow.ID), workflow
+		},
+	)
+}

api/dataservices/workflow/tx.go

@@ -0,0 +1,20 @@
+package workflow
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+type ServiceTx struct {
+	dataservices.BaseDataServiceTx[portainer.Workflow, portainer.WorkflowID]
+}
+
+func (service ServiceTx) Create(workflow *portainer.Workflow) error {
+	return service.Tx.CreateObject(
+		BucketName,
+		func(id uint64) (int, any) {
+			workflow.ID = portainer.WorkflowID(id)
+			return int(workflow.ID), workflow
+		},
+	)
+}

api/datastore/backup_test.go

@@ -130,7 +130,8 @@ func TestBackupDBFileUsesCorrectPath(t *testing.T) {
 	_, store := MustNewTestStore(t, true, false)
 
 	t.Run("backs up unencrypted db when encrypted flag is false", func(t *testing.T) {
-		store.connection.SetEncrypted(false)
+		err := store.connection.SetEncrypted(false)
+		require.NoError(t, err)
 
 		backupFilename, err := store.backupDBFile("")
 		require.NoError(t, err)

api/datastore/datastore.go

@@ -35,7 +35,9 @@ func (store *Store) Open() (newStore bool, err error) {
 		// NeedsEncryptionMigration() sets encrypted=true as a side effect when a key exists.
 		// We need to set it back to false so GetDatabaseFilePath() returns the path to the
 		// actual unencrypted file (portainer.db) that we want to back up.
-		store.connection.SetEncrypted(false)
+		if err := store.connection.SetEncrypted(false); err != nil {
+			return false, err
+		}
 
 		// Use backupDBFile directly since connection isn't open yet
 		// and we don't want to trigger the close/open cycle of Backup()
@@ -124,7 +126,10 @@ func (store *Store) Rollback(force bool) error {
 }
 
 func (store *Store) encryptDB() error {
-	store.connection.SetEncrypted(false)
+	if err := store.connection.SetEncrypted(false); err != nil {
+		return err
+	}
+
 	if err := store.connection.Open(); err != nil {
 		return err
 	}

api/datastore/datastore_test.go

@@ -72,12 +72,16 @@ func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, n
 		TLSConfig: portainer.TLSConfiguration{
 			TLS: false,
 		},
-		UserAccessPolicies: portainer.UserAccessPolicies{},
-		TeamAccessPolicies: portainer.TeamAccessPolicies{},
-		TagIDs:             []portainer.TagID{},
-		Status:             portainer.EndpointStatusUp,
-		Snapshots:          []portainer.DockerSnapshot{},
-		Kubernetes:         portainer.KubernetesDefault(),
+		TagIDs:    nil,
+		Status:    portainer.EndpointStatusUp,
+		Snapshots: nil,
+		Kubernetes: portainer.KubernetesData{
+			Configuration: portainer.KubernetesConfiguration{
+				UseLoadBalancer:          false,
+				UseServerMetrics:         false,
+				EnableResourceOverCommit: true,
+			},
+		},
 	}
 
 	if TLS {

api/datastore/migrate_data.go

@@ -88,6 +88,9 @@ func (store *Store) newMigratorParameters(version *models.Version, flags *portai
 		EdgeGroupService:        store.EdgeGroupService,
 		TunnelServerService:     store.TunnelServerService,
 		PendingActionsService:   store.PendingActionsService,
+		CustomTemplateService:   store.CustomTemplateService,
+		SourceService:           store.SourceService,
+		WorkflowService:         store.WorkflowService,
 	}
 }
 

api/datastore/migrator/migrate_2_43_0.go

@@ -0,0 +1,250 @@
+package migrator
+
+import (
+	"fmt"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices/stack"
+	gittypes "github.com/portainer/portainer/api/git/types"
+
+	"github.com/rs/zerolog/log"
+)
+
+type legacyRepoConfig struct {
+	URL            string
+	ReferenceName  string
+	ConfigFilePath string
+	Authentication *legacyGitAuthentication
+	ConfigHash     string
+	TLSSkipVerify  bool
+}
+
+type legacyGitAuthentication struct {
+	Username          string
+	Password          string
+	Provider          int `json:",omitempty"`
+	AuthorizationType int `json:",omitempty"`
+}
+
+func (lrc *legacyRepoConfig) toRepoConfig() *gittypes.RepoConfig {
+	if lrc == nil {
+		return nil
+	}
+
+	cfg := &gittypes.RepoConfig{
+		URL:            lrc.URL,
+		ReferenceName:  lrc.ReferenceName,
+		ConfigFilePath: lrc.ConfigFilePath,
+		ConfigHash:     lrc.ConfigHash,
+		TLSSkipVerify:  lrc.TLSSkipVerify,
+	}
+
+	if lrc.Authentication != nil {
+		cfg.Authentication = &gittypes.GitAuthentication{
+			Username:          lrc.Authentication.Username,
+			Password:          lrc.Authentication.Password,
+			Provider:          gittypes.GitProvider(lrc.Authentication.Provider),
+			AuthorizationType: gittypes.GitCredentialAuthType(lrc.Authentication.AuthorizationType),
+		}
+	}
+
+	return cfg
+}
+
+type legacyStack struct {
+	ID         int               `json:"Id"`
+	GitConfig  *legacyRepoConfig `json:"GitConfig"`
+	WorkflowID *int
+}
+
+// sourceDedupeKey is the identity used to detect duplicate Sources during migration.
+// Two stacks sharing the same URL and credentials must reuse the same Source record.
+type sourceDedupeKey struct {
+	url      string
+	username string
+	password string
+}
+
+func gitSourceKey(cfg *gittypes.RepoConfig) sourceDedupeKey {
+	key := sourceDedupeKey{url: cfg.URL}
+	if cfg.Authentication != nil {
+		key.username = cfg.Authentication.Username
+		key.password = cfg.Authentication.Password
+	}
+
+	return key
+}
+
+func (m *Migrator) migrateGitConfigToSources_2_43_0() error {
+	log.Info().Msg("migrating git-backed stacks to Source+Workflow records")
+
+	var legacyStacks []legacyStack
+
+	err := m.stackService.Connection.GetAll(
+		stack.BucketName,
+		new(legacyStack),
+		func(obj any) (any, error) {
+			s, ok := obj.(*legacyStack)
+			if !ok {
+				return nil, fmt.Errorf("unexpected type reading stack bucket: %T", obj)
+			}
+
+			legacyStacks = append(legacyStacks, *s)
+
+			return new(legacyStack), nil
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	existingSources, err := m.sourceService.ReadAll()
+	if err != nil {
+		return err
+	}
+
+	sourcesByKey := make(map[sourceDedupeKey]portainer.SourceID, len(existingSources))
+	for _, src := range existingSources {
+		if src.Git != nil {
+			sourcesByKey[gitSourceKey(src.Git)] = src.ID
+		}
+	}
+
+	for _, ls := range legacyStacks {
+		if ls.GitConfig == nil || (ls.WorkflowID != nil && *ls.WorkflowID != 0) {
+			continue
+		}
+
+		cfg := ls.GitConfig.toRepoConfig()
+		cfg.URL = gittypes.SanitizeURL(cfg.URL)
+		key := gitSourceKey(cfg)
+
+		var newSrcID portainer.SourceID
+
+		if err := m.stackService.Connection.UpdateTx(func(tx portainer.Transaction) error {
+			srcID, exists := sourcesByKey[key]
+
+			if !exists {
+				src := &portainer.Source{
+					Name: gittypes.RepoName(cfg.URL),
+					Type: portainer.SourceTypeGit,
+					Git:  cfg,
+				}
+				if err := m.sourceService.Tx(tx).Create(src); err != nil {
+					return fmt.Errorf("failed to create source for stack %d: %w", ls.ID, err)
+				}
+				srcID = src.ID
+				newSrcID = src.ID
+			}
+
+			liveStack, err := m.stackService.Tx(tx).Read(portainer.StackID(ls.ID))
+			if err != nil {
+				return fmt.Errorf("failed to read stack %d: %w", ls.ID, err)
+			}
+
+			wf := &portainer.Workflow{
+				Name: liveStack.Name,
+				Artifacts: []portainer.Artifact{{
+					StackID: portainer.StackID(ls.ID),
+					Files: []portainer.ArtifactFile{{
+						SourceID: srcID,
+						Path:     cfg.ConfigFilePath,
+						Ref:      cfg.ReferenceName,
+						Hash:     cfg.ConfigHash,
+					}},
+				}},
+			}
+			if err := m.workflowService.Tx(tx).Create(wf); err != nil {
+				return fmt.Errorf("failed to create workflow for stack %d: %w", ls.ID, err)
+			}
+
+			liveStack.WorkflowID = wf.ID
+			liveStack.GitConfig = nil
+
+			return m.stackService.Tx(tx).Update(portainer.StackID(ls.ID), liveStack)
+		}); err != nil {
+			return fmt.Errorf("failed to migrate stack %d: %w", ls.ID, err)
+		}
+
+		if newSrcID != 0 {
+			sourcesByKey[key] = newSrcID
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) migrateCustomTemplateGitConfigToSources_2_43_0() error {
+	log.Info().Msg("migrating git-backed custom templates to Source records")
+
+	templates, err := m.customTemplateService.ReadAll()
+	if err != nil {
+		return err
+	}
+
+	existingSources, err := m.sourceService.ReadAll()
+	if err != nil {
+		return err
+	}
+
+	sourcesByKey := make(map[sourceDedupeKey]portainer.SourceID, len(existingSources))
+	for _, src := range existingSources {
+		if src.Git != nil {
+			sourcesByKey[gitSourceKey(src.Git)] = src.ID
+		}
+	}
+
+	for i := range templates {
+		t := &templates[i]
+		if t.GitConfig == nil || t.Artifact != nil {
+			continue
+		}
+
+		cfg := &gittypes.RepoConfig{
+			URL:            gittypes.SanitizeURL(t.GitConfig.URL),
+			Authentication: t.GitConfig.Authentication,
+			TLSSkipVerify:  t.GitConfig.TLSSkipVerify,
+		}
+
+		key := gitSourceKey(cfg)
+
+		var newSrcID portainer.SourceID
+
+		if err := m.stackService.Connection.UpdateTx(func(tx portainer.Transaction) error {
+			srcID, exists := sourcesByKey[key]
+
+			if !exists {
+				src := &portainer.Source{
+					Name: gittypes.RepoName(cfg.URL),
+					Type: portainer.SourceTypeGit,
+					Git:  cfg,
+				}
+				if err := m.sourceService.Tx(tx).Create(src); err != nil {
+					return fmt.Errorf("failed to create source for custom template %d: %w", t.ID, err)
+				}
+				srcID = src.ID
+				newSrcID = src.ID
+			}
+
+			t.Artifact = &portainer.Artifact{
+				Files: []portainer.ArtifactFile{{
+					SourceID: srcID,
+					Path:     t.GitConfig.ConfigFilePath,
+					Ref:      t.GitConfig.ReferenceName,
+					Hash:     t.GitConfig.ConfigHash,
+				}},
+			}
+			t.GitConfig = nil
+
+			return m.customTemplateService.Tx(tx).Update(t.ID, t)
+		}); err != nil {
+			return fmt.Errorf("failed to migrate custom template %d: %w", t.ID, err)
+		}
+
+		if newSrcID != 0 {
+			sourcesByKey[key] = newSrcID
+		}
+	}
+
+	return nil
+}

api/datastore/migrator/migrate_2_43_0_test.go

@@ -0,0 +1,462 @@
+package migrator
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/dataservices/customtemplate"
+	"github.com/portainer/portainer/api/dataservices/source"
+	"github.com/portainer/portainer/api/dataservices/stack"
+	"github.com/portainer/portainer/api/dataservices/workflow"
+	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/portainer/portainer/api/logs"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestMigrateGitConfigToSources_2_43_0_GitStackMigrated(t *testing.T) {
+	t.Parallel()
+
+	conn := &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+	defer logs.CloseAndLogErr(conn)
+
+	stackSvc, err := stack.NewService(conn)
+	require.NoError(t, err)
+	sourceSvc, err := source.NewService(conn)
+	require.NoError(t, err)
+	workflowSvc, err := workflow.NewService(conn)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{
+		StackService:    stackSvc,
+		SourceService:   sourceSvc,
+		WorkflowService: workflowSvc,
+	})
+
+	gitStack := &portainer.Stack{
+		ID:   1,
+		Name: "git-stack",
+		GitConfig: &gittypes.RepoConfig{
+			URL:           "https://github.com/example/repo",
+			ReferenceName: "refs/heads/main",
+			ConfigHash:    "abc123",
+		},
+	}
+	err = conn.CreateObjectWithId(stack.BucketName, int(gitStack.ID), gitStack)
+	require.NoError(t, err)
+
+	err = m.migrateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	migrated, err := stackSvc.Read(gitStack.ID)
+	require.NoError(t, err)
+	require.NotZero(t, migrated.WorkflowID)
+	require.Nil(t, migrated.GitConfig)
+
+	wf, err := workflowSvc.Read(migrated.WorkflowID)
+	require.NoError(t, err)
+	require.Len(t, wf.Artifacts, 1)
+	require.Len(t, wf.Artifacts[0].Files, 1)
+
+	src, err := sourceSvc.Read(wf.Artifacts[0].Files[0].SourceID)
+	require.NoError(t, err)
+	require.Equal(t, portainer.SourceTypeGit, src.Type)
+	require.Equal(t, gitStack.GitConfig.URL, src.Git.URL)
+	require.Equal(t, gitStack.GitConfig.ReferenceName, src.Git.ReferenceName)
+}
+
+func TestMigrateGitConfigToSources_2_43_0_NonGitStackUntouched(t *testing.T) {
+	t.Parallel()
+
+	conn := &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+	defer logs.CloseAndLogErr(conn)
+
+	stackSvc, err := stack.NewService(conn)
+	require.NoError(t, err)
+	sourceSvc, err := source.NewService(conn)
+	require.NoError(t, err)
+	workflowSvc, err := workflow.NewService(conn)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{
+		StackService:    stackSvc,
+		SourceService:   sourceSvc,
+		WorkflowService: workflowSvc,
+	})
+
+	plainStack := &portainer.Stack{
+		ID:   1,
+		Name: "plain-stack",
+	}
+	err = conn.CreateObjectWithId(stack.BucketName, int(plainStack.ID), plainStack)
+	require.NoError(t, err)
+
+	err = m.migrateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	result, err := stackSvc.Read(plainStack.ID)
+	require.NoError(t, err)
+	require.Zero(t, result.WorkflowID)
+	require.Nil(t, result.GitConfig)
+
+	sources, err := sourceSvc.ReadAll()
+	require.NoError(t, err)
+	require.Empty(t, sources)
+
+	workflows, err := workflowSvc.ReadAll()
+	require.NoError(t, err)
+	require.Empty(t, workflows)
+}
+
+func TestMigrateGitConfigToSources_2_43_0_DuplicateSourcesDeduped(t *testing.T) {
+	t.Parallel()
+
+	conn := &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+	defer logs.CloseAndLogErr(conn)
+
+	stackSvc, err := stack.NewService(conn)
+	require.NoError(t, err)
+	sourceSvc, err := source.NewService(conn)
+	require.NoError(t, err)
+	workflowSvc, err := workflow.NewService(conn)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{
+		StackService:    stackSvc,
+		SourceService:   sourceSvc,
+		WorkflowService: workflowSvc,
+	})
+
+	sharedURL := "https://github.com/example/shared-repo"
+
+	stack1 := &portainer.Stack{
+		ID:   1,
+		Name: "stack-a",
+		GitConfig: &gittypes.RepoConfig{
+			URL:           sharedURL,
+			ReferenceName: "refs/heads/main",
+		},
+	}
+	stack2 := &portainer.Stack{
+		ID:   2,
+		Name: "stack-b",
+		GitConfig: &gittypes.RepoConfig{
+			URL:           sharedURL,
+			ReferenceName: "refs/heads/develop",
+		},
+	}
+	err = conn.CreateObjectWithId(stack.BucketName, int(stack1.ID), stack1)
+	require.NoError(t, err)
+	err = conn.CreateObjectWithId(stack.BucketName, int(stack2.ID), stack2)
+	require.NoError(t, err)
+
+	err = m.migrateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	sources, err := sourceSvc.ReadAll()
+	require.NoError(t, err)
+	require.Len(t, sources, 1, "two stacks with the same URL must share one Source")
+
+	workflows, err := workflowSvc.ReadAll()
+	require.NoError(t, err)
+	require.Len(t, workflows, 2, "each stack must get its own Workflow")
+
+	sharedSourceID := sources[0].ID
+	for _, wf := range workflows {
+		require.Len(t, wf.Artifacts, 1)
+		require.Len(t, wf.Artifacts[0].Files, 1)
+		require.Equal(t, sharedSourceID, wf.Artifacts[0].Files[0].SourceID)
+	}
+}
+
+func TestMigrateGitConfigToSources_2_43_0_Idempotent(t *testing.T) {
+	t.Parallel()
+
+	conn := &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+	defer logs.CloseAndLogErr(conn)
+
+	stackSvc, err := stack.NewService(conn)
+	require.NoError(t, err)
+	sourceSvc, err := source.NewService(conn)
+	require.NoError(t, err)
+	workflowSvc, err := workflow.NewService(conn)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{
+		StackService:    stackSvc,
+		SourceService:   sourceSvc,
+		WorkflowService: workflowSvc,
+	})
+
+	gitStack := &portainer.Stack{
+		ID:   1,
+		Name: "git-stack",
+		GitConfig: &gittypes.RepoConfig{
+			URL: "https://github.com/example/repo",
+		},
+	}
+	err = conn.CreateObjectWithId(stack.BucketName, int(gitStack.ID), gitStack)
+	require.NoError(t, err)
+
+	err = m.migrateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	// Second run must not create duplicate Source/Workflow records
+	err = m.migrateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	sources, err := sourceSvc.ReadAll()
+	require.NoError(t, err)
+	require.Len(t, sources, 1)
+
+	workflows, err := workflowSvc.ReadAll()
+	require.NoError(t, err)
+	require.Len(t, workflows, 1)
+}
+
+func TestMigrateCustomTemplateGitConfigToSources_2_43_0_GitTemplateMigrated(t *testing.T) {
+	t.Parallel()
+
+	conn := &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+	defer logs.CloseAndLogErr(conn)
+
+	stackSvc, err := stack.NewService(conn)
+	require.NoError(t, err)
+	sourceSvc, err := source.NewService(conn)
+	require.NoError(t, err)
+	customTemplateSvc, err := customtemplate.NewService(conn)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{
+		StackService:          stackSvc,
+		SourceService:         sourceSvc,
+		CustomTemplateService: customTemplateSvc,
+	})
+
+	tmpl := &portainer.CustomTemplate{
+		ID: 1,
+		GitConfig: &gittypes.RepoConfig{
+			URL:            "https://github.com/example/repo",
+			ReferenceName:  "refs/heads/main",
+			ConfigFilePath: "docker-compose.yml",
+			ConfigHash:     "abc123",
+		},
+	}
+	err = conn.CreateObjectWithId(customtemplate.BucketName, int(tmpl.ID), tmpl)
+	require.NoError(t, err)
+
+	err = m.migrateCustomTemplateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	migrated, err := customTemplateSvc.Read(tmpl.ID)
+	require.NoError(t, err)
+	require.NotNil(t, migrated.Artifact)
+	require.Nil(t, migrated.GitConfig)
+	require.Len(t, migrated.Artifact.Files, 1)
+	require.Equal(t, "refs/heads/main", migrated.Artifact.Files[0].Ref)
+	require.Equal(t, "docker-compose.yml", migrated.Artifact.Files[0].Path)
+	require.Equal(t, "abc123", migrated.Artifact.Files[0].Hash)
+
+	src, err := sourceSvc.Read(migrated.Artifact.Files[0].SourceID)
+	require.NoError(t, err)
+	require.Equal(t, portainer.SourceTypeGit, src.Type)
+	require.Equal(t, "https://github.com/example/repo", src.Git.URL)
+}
+
+func TestMigrateCustomTemplateGitConfigToSources_2_43_0_NonGitTemplateUntouched(t *testing.T) {
+	t.Parallel()
+
+	conn := &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+	defer logs.CloseAndLogErr(conn)
+
+	stackSvc, err := stack.NewService(conn)
+	require.NoError(t, err)
+	sourceSvc, err := source.NewService(conn)
+	require.NoError(t, err)
+	customTemplateSvc, err := customtemplate.NewService(conn)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{
+		StackService:          stackSvc,
+		SourceService:         sourceSvc,
+		CustomTemplateService: customTemplateSvc,
+	})
+
+	tmpl := &portainer.CustomTemplate{ID: 1, Title: "plain-template"}
+	err = conn.CreateObjectWithId(customtemplate.BucketName, int(tmpl.ID), tmpl)
+	require.NoError(t, err)
+
+	err = m.migrateCustomTemplateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	result, err := customTemplateSvc.Read(tmpl.ID)
+	require.NoError(t, err)
+	require.Nil(t, result.Artifact)
+	require.Nil(t, result.GitConfig)
+
+	sources, err := sourceSvc.ReadAll()
+	require.NoError(t, err)
+	require.Empty(t, sources)
+}
+
+func TestMigrateCustomTemplateGitConfigToSources_2_43_0_AlreadyMigratedSkipped(t *testing.T) {
+	t.Parallel()
+
+	conn := &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+	defer logs.CloseAndLogErr(conn)
+
+	stackSvc, err := stack.NewService(conn)
+	require.NoError(t, err)
+	sourceSvc, err := source.NewService(conn)
+	require.NoError(t, err)
+	customTemplateSvc, err := customtemplate.NewService(conn)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{
+		StackService:          stackSvc,
+		SourceService:         sourceSvc,
+		CustomTemplateService: customTemplateSvc,
+	})
+
+	// Template already has Artifact set (already migrated)
+	srcID := portainer.SourceID(99)
+	tmpl := &portainer.CustomTemplate{
+		ID: 1,
+		GitConfig: &gittypes.RepoConfig{
+			URL: "https://github.com/example/repo",
+		},
+		Artifact: &portainer.Artifact{
+			Files: []portainer.ArtifactFile{{SourceID: srcID}},
+		},
+	}
+	err = conn.CreateObjectWithId(customtemplate.BucketName, int(tmpl.ID), tmpl)
+	require.NoError(t, err)
+
+	err = m.migrateCustomTemplateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	sources, err := sourceSvc.ReadAll()
+	require.NoError(t, err)
+	require.Empty(t, sources, "no new sources should be created for already-migrated templates")
+}
+
+func TestMigrateCustomTemplateGitConfigToSources_2_43_0_DuplicateSourcesDeduped(t *testing.T) {
+	t.Parallel()
+
+	conn := &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+	defer logs.CloseAndLogErr(conn)
+
+	stackSvc, err := stack.NewService(conn)
+	require.NoError(t, err)
+	sourceSvc, err := source.NewService(conn)
+	require.NoError(t, err)
+	customTemplateSvc, err := customtemplate.NewService(conn)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{
+		StackService:          stackSvc,
+		SourceService:         sourceSvc,
+		CustomTemplateService: customTemplateSvc,
+	})
+
+	sharedURL := "https://github.com/example/shared-repo"
+
+	tmpl1 := &portainer.CustomTemplate{
+		ID:    1,
+		Title: "template-a",
+		GitConfig: &gittypes.RepoConfig{
+			URL:           sharedURL,
+			ReferenceName: "refs/heads/main",
+		},
+	}
+	tmpl2 := &portainer.CustomTemplate{
+		ID:    2,
+		Title: "template-b",
+		GitConfig: &gittypes.RepoConfig{
+			URL:           sharedURL,
+			ReferenceName: "refs/heads/develop",
+		},
+	}
+	err = conn.CreateObjectWithId(customtemplate.BucketName, int(tmpl1.ID), tmpl1)
+	require.NoError(t, err)
+	err = conn.CreateObjectWithId(customtemplate.BucketName, int(tmpl2.ID), tmpl2)
+	require.NoError(t, err)
+
+	err = m.migrateCustomTemplateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	sources, err := sourceSvc.ReadAll()
+	require.NoError(t, err)
+	require.Len(t, sources, 1, "two templates with the same URL must share one Source")
+
+	sharedSrcID := sources[0].ID
+
+	migrated1, err := customTemplateSvc.Read(tmpl1.ID)
+	require.NoError(t, err)
+	require.NotNil(t, migrated1.Artifact)
+	require.Equal(t, sharedSrcID, migrated1.Artifact.Files[0].SourceID)
+
+	migrated2, err := customTemplateSvc.Read(tmpl2.ID)
+	require.NoError(t, err)
+	require.NotNil(t, migrated2.Artifact)
+	require.Equal(t, sharedSrcID, migrated2.Artifact.Files[0].SourceID)
+}
+
+func TestMigrateCustomTemplateGitConfigToSources_2_43_0_Idempotent(t *testing.T) {
+	t.Parallel()
+
+	conn := &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+	defer logs.CloseAndLogErr(conn)
+
+	stackSvc, err := stack.NewService(conn)
+	require.NoError(t, err)
+	sourceSvc, err := source.NewService(conn)
+	require.NoError(t, err)
+	customTemplateSvc, err := customtemplate.NewService(conn)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{
+		StackService:          stackSvc,
+		SourceService:         sourceSvc,
+		CustomTemplateService: customTemplateSvc,
+	})
+
+	tmpl := &portainer.CustomTemplate{
+		ID: 1,
+		GitConfig: &gittypes.RepoConfig{
+			URL: "https://github.com/example/repo",
+		},
+	}
+	err = conn.CreateObjectWithId(customtemplate.BucketName, int(tmpl.ID), tmpl)
+	require.NoError(t, err)
+
+	err = m.migrateCustomTemplateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	// Second run must not create duplicate Source records
+	err = m.migrateCustomTemplateGitConfigToSources_2_43_0()
+	require.NoError(t, err)
+
+	sources, err := sourceSvc.ReadAll()
+	require.NoError(t, err)
+	require.Len(t, sources, 1)
+}

api/datastore/migrator/migrator.go

@@ -5,6 +5,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
+	"github.com/portainer/portainer/api/dataservices/customtemplate"
 	"github.com/portainer/portainer/api/dataservices/dockerhub"
 	"github.com/portainer/portainer/api/dataservices/edgegroup"
 	"github.com/portainer/portainer/api/dataservices/edgejob"
@@ -21,12 +22,14 @@ import (
 	"github.com/portainer/portainer/api/dataservices/schedule"
 	"github.com/portainer/portainer/api/dataservices/settings"
 	"github.com/portainer/portainer/api/dataservices/snapshot"
+	"github.com/portainer/portainer/api/dataservices/source"
 	"github.com/portainer/portainer/api/dataservices/stack"
 	"github.com/portainer/portainer/api/dataservices/tag"
 	"github.com/portainer/portainer/api/dataservices/teammembership"
 	"github.com/portainer/portainer/api/dataservices/tunnelserver"
 	"github.com/portainer/portainer/api/dataservices/user"
 	"github.com/portainer/portainer/api/dataservices/version"
+	"github.com/portainer/portainer/api/dataservices/workflow"
 	"github.com/portainer/portainer/api/internal/authorization"
 
 	"github.com/Masterminds/semver/v3"
@@ -64,6 +67,9 @@ type (
 		edgeGroupService        *edgegroup.Service
 		TunnelServerService     *tunnelserver.Service
 		pendingActionsService   *pendingactions.Service
+		customTemplateService   *customtemplate.Service
+		sourceService           *source.Service
+		workflowService         *workflow.Service
 	}
 
 	// MigratorParameters represents the required parameters to create a new Migrator instance.
@@ -94,6 +100,9 @@ type (
 		EdgeGroupService        *edgegroup.Service
 		TunnelServerService     *tunnelserver.Service
 		PendingActionsService   *pendingactions.Service
+		CustomTemplateService   *customtemplate.Service
+		SourceService           *source.Service
+		WorkflowService         *workflow.Service
 	}
 )
 
@@ -126,6 +135,9 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		edgeGroupService:        parameters.EdgeGroupService,
 		TunnelServerService:     parameters.TunnelServerService,
 		pendingActionsService:   parameters.PendingActionsService,
+		customTemplateService:   parameters.CustomTemplateService,
+		sourceService:           parameters.SourceService,
+		workflowService:         parameters.WorkflowService,
 	}
 
 	migrator.initMigrations()
@@ -260,6 +272,11 @@ func (m *Migrator) initMigrations() {
 
 	m.addMigrations("2.40.0", m.migrateRegistryAccessSASecrets_2_40_0)
 
+	m.addMigrations("2.43.0",
+		m.migrateGitConfigToSources_2_43_0,
+		m.migrateCustomTemplateGitConfigToSources_2_43_0,
+	)
+
 	// WARNING: do not change migrations that have already been released!
 
 	// Add new migrations above...

api/datastore/services.go

@@ -7,6 +7,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/dataservices/allowlist"
 	"github.com/portainer/portainer/api/dataservices/apikeyrepository"
 	"github.com/portainer/portainer/api/dataservices/customtemplate"
 	"github.com/portainer/portainer/api/dataservices/dockerhub"
@@ -26,6 +27,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/schedule"
 	"github.com/portainer/portainer/api/dataservices/settings"
 	"github.com/portainer/portainer/api/dataservices/snapshot"
+	"github.com/portainer/portainer/api/dataservices/source"
 	"github.com/portainer/portainer/api/dataservices/ssl"
 	"github.com/portainer/portainer/api/dataservices/stack"
 	"github.com/portainer/portainer/api/dataservices/tag"
@@ -35,6 +37,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/user"
 	"github.com/portainer/portainer/api/dataservices/version"
 	"github.com/portainer/portainer/api/dataservices/webhook"
+	"github.com/portainer/portainer/api/dataservices/workflow"
 
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
@@ -49,6 +52,7 @@ type Store struct {
 	connection portainer.Connection
 
 	fileService               portainer.FileService
+	AllowListService          *allowlist.Service
 	CustomTemplateService     *customtemplate.Service
 	DockerHubService          *dockerhub.Service
 	EdgeGroupService          *edgegroup.Service
@@ -67,6 +71,7 @@ type Store struct {
 	ScheduleService           *schedule.Service
 	SettingsService           *settings.Service
 	SnapshotService           *snapshot.Service
+	SourceService             *source.Service
 	SSLSettingsService        *ssl.Service
 	StackService              *stack.Service
 	TagService                *tag.Service
@@ -76,10 +81,17 @@ type Store struct {
 	UserService               *user.Service
 	VersionService            *version.Service
 	WebhookService            *webhook.Service
+	WorkflowService           *workflow.Service
 	PendingActionsService     *pendingactions.Service
 }
 
 func (store *Store) initServices() error {
+	allowListService, err := allowlist.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.AllowListService = allowListService
+
 	authorizationsetService, err := role.NewService(store.connection)
 	if err != nil {
 		return err
@@ -179,6 +191,12 @@ func (store *Store) initServices() error {
 	}
 	store.SnapshotService = snapshotService
 
+	sourceService, err := source.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.SourceService = sourceService
+
 	sslSettingsService, err := ssl.NewService(store.connection)
 	if err != nil {
 		return err
@@ -239,6 +257,12 @@ func (store *Store) initServices() error {
 	}
 	store.WebhookService = webhookService
 
+	workflowService, err := workflow.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.WorkflowService = workflowService
+
 	scheduleService, err := schedule.NewService(store.connection)
 	if err != nil {
 		return err
@@ -259,6 +283,11 @@ func (store *Store) PendingActions() dataservices.PendingActionsService {
 	return store.PendingActionsService
 }
 
+// AllowList gives access to the AllowList data management layer
+func (store *Store) AllowList() dataservices.AllowListService {
+	return store.AllowListService
+}
+
 // CustomTemplate gives access to the CustomTemplate data management layer
 func (store *Store) CustomTemplate() dataservices.CustomTemplateService {
 	return store.CustomTemplateService
@@ -332,6 +361,11 @@ func (store *Store) Snapshot() dataservices.SnapshotService {
 	return store.SnapshotService
 }
 
+// Source gives access to the Source data management layer
+func (store *Store) Source() dataservices.SourceService {
+	return store.SourceService
+}
+
 // SSLSettings gives access to the SSL Settings data management layer
 func (store *Store) SSLSettings() dataservices.SSLSettingsService {
 	return store.SSLSettingsService
@@ -377,6 +411,11 @@ func (store *Store) Webhook() dataservices.WebhookService {
 	return store.WebhookService
 }
 
+// Workflow gives access to the Workflow data management layer
+func (store *Store) Workflow() dataservices.WorkflowService {
+	return store.WorkflowService
+}
+
 type storeExport struct {
 	CustomTemplate     []portainer.CustomTemplate     `json:"customtemplates,omitempty"`
 	EdgeGroup          []portainer.EdgeGroup          `json:"edgegroups,omitempty"`
@@ -394,6 +433,7 @@ type storeExport struct {
 	Settings           portainer.Settings             `json:"settings,omitzero"`
 	Snapshot           []portainer.Snapshot           `json:"snapshots,omitempty"`
 	SSLSettings        portainer.SSLSettings          `json:"ssl,omitzero"`
+	Source             []portainer.Source             `json:"sources,omitempty"`
 	Stack              []portainer.Stack              `json:"stacks,omitempty"`
 	Tag                []portainer.Tag                `json:"tags,omitempty"`
 	TeamMembership     []portainer.TeamMembership     `json:"team_membership,omitempty"`
@@ -402,6 +442,7 @@ type storeExport struct {
 	User               []portainer.User               `json:"users,omitempty"`
 	Version            models.Version                 `json:"version,omitzero"`
 	Webhook            []portainer.Webhook            `json:"webhooks,omitempty"`
+	Workflow           []portainer.Workflow           `json:"workflows,omitempty"`
 	Metadata           map[string]any                 `json:"metadata,omitempty"`
 }
 
@@ -536,6 +577,14 @@ func (store *Store) Export(filename string) (err error) {
 		backup.SSLSettings = *settings
 	}
 
+	if s, err := store.Source().ReadAll(); err != nil {
+		if !store.IsErrObjectNotFound(err) {
+			log.Error().Err(err).Msg("exporting Sources")
+		}
+	} else {
+		backup.Source = s
+	}
+
 	if t, err := store.Stack().ReadAll(); err != nil {
 		if !store.IsErrObjectNotFound(err) {
 			log.Error().Err(err).Msg("exporting Stacks")
@@ -592,6 +641,14 @@ func (store *Store) Export(filename string) (err error) {
 		backup.Webhook = webhooks
 	}
 
+	if w, err := store.Workflow().ReadAll(); err != nil {
+		if !store.IsErrObjectNotFound(err) {
+			log.Error().Err(err).Msg("exporting Workflows")
+		}
+	} else {
+		backup.Workflow = w
+	}
+
 	if version, err := store.Version().Version(); err != nil {
 		if !store.IsErrObjectNotFound(err) {
 			log.Error().Err(err).Msg("exporting Version")
@@ -610,7 +667,7 @@ func (store *Store) Export(filename string) (err error) {
 		return err
 	}
 
-	return os.WriteFile(filename, b, 0600)
+	return os.WriteFile(filename, b, 0o600)
 }
 
 func (store *Store) Import(filename string) (err error) {
@@ -710,6 +767,18 @@ func (store *Store) Import(filename string) (err error) {
 		}
 	}
 
+	for _, v := range backup.Source {
+		if err := store.Source().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the source in the database")
+		}
+	}
+
+	for _, v := range backup.Workflow {
+		if err := store.Workflow().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the workflow in the database")
+		}
+	}
+
 	for _, v := range backup.Stack {
 		if err := store.Stack().Update(v.ID, &v); err != nil {
 			log.Warn().Err(err).Msg("failed to update the stack in the database")

api/datastore/services_tx.go

@@ -14,6 +14,10 @@ func (tx *StoreTx) IsErrObjectNotFound(err error) bool {
 	return tx.store.IsErrObjectNotFound(err)
 }
 
+func (tx *StoreTx) AllowList() dataservices.AllowListService {
+	return tx.store.AllowListService.Tx(tx.tx)
+}
+
 func (tx *StoreTx) CustomTemplate() dataservices.CustomTemplateService {
 	return tx.store.CustomTemplateService.Tx(tx.tx)
 }
@@ -74,6 +78,10 @@ func (tx *StoreTx) Snapshot() dataservices.SnapshotService {
 	return tx.store.SnapshotService.Tx(tx.tx)
 }
 
+func (tx *StoreTx) Source() dataservices.SourceService {
+	return tx.store.SourceService.Tx(tx.tx)
+}
+
 func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService {
 	return tx.store.SSLSettingsService.Tx(tx.tx)
 }
@@ -102,3 +110,7 @@ func (tx *StoreTx) User() dataservices.UserService {
 
 func (tx *StoreTx) Version() dataservices.VersionService { return nil }
 func (tx *StoreTx) Webhook() dataservices.WebhookService { return nil }
+
+func (tx *StoreTx) Workflow() dataservices.WorkflowService {
+	return tx.store.WorkflowService.Tx(tx.tx)
+}

api/datastore/test_data/output_24_to_latest.json

@@ -1,4 +1,5 @@
 {
+  "allowlist": null,
   "api_key": null,
   "customtemplates": null,
   "dockerhub": [
@@ -33,11 +34,7 @@
   ],
   "endpoints": [
     {
-      "Agent": {
-        "Version": ""
-      },
-      "AuthorizedTeams": null,
-      "AuthorizedUsers": null,
+      "Agent": {},
       "AzureCredentials": {
         "ApplicationID": "",
         "AuthenticationKey": "",
@@ -53,7 +50,6 @@
       },
       "EdgeCheckinInterval": 0,
       "EdgeKey": "",
-      "Gpus": [],
       "GroupId": 1,
       "Heartbeat": false,
       "Id": 1,
@@ -62,10 +58,8 @@
           "AllowNoneIngressClass": false,
           "EnableResourceOverCommit": false,
           "IngressAvailabilityPerNamespace": true,
-          "IngressClasses": null,
           "ResourceOverCommitPercentage": 0,
           "RestrictDefaultNamespace": false,
-          "StorageClasses": null,
           "UseLoadBalancer": false,
           "UseServerMetrics": false
         },
@@ -73,8 +67,7 @@
           "IsServerIngressClassDetected": false,
           "IsServerMetricsDetected": false,
           "IsServerStorageDetected": false
-        },
-        "Snapshots": []
+        }
       },
       "LastCheckInDate": 0,
       "Name": "local",
@@ -96,18 +89,13 @@
         "allowVolumeBrowserForRegularUsers": false,
         "enableHostManagementFeatures": false
       },
-      "Snapshots": [],
       "Status": 1,
       "TLSConfig": {
         "TLS": false,
         "TLSSkipVerify": false
       },
-      "TagIds": [],
-      "Tags": null,
-      "TeamAccessPolicies": {},
       "Type": 1,
-      "URL": "unix:///var/run/docker.sock",
-      "UserAccessPolicies": {}
+      "URL": "unix:///var/run/docker.sock"
     }
   ],
   "extension": null,
@@ -616,7 +604,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.42.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.43.0",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -669,8 +657,6 @@
         "ContainerCount": 0,
         "DiagnosticsData": {},
         "DockerSnapshotRaw": {
-          "Containers": null,
-          "Images": null,
           "Info": {
             "Architecture": "",
             "CDISpecDirs": null,
@@ -746,7 +732,6 @@
             "SystemTime": "",
             "Warnings": null
           },
-          "Networks": null,
           "Version": {
             "ApiVersion": "",
             "Arch": "",
@@ -765,12 +750,10 @@
         },
         "DockerVersion": "20.10.13",
         "GpuUseAll": false,
-        "GpuUseList": null,
         "HealthyContainerCount": 0,
         "ImageCount": 9,
         "IsPodman": false,
         "NodeCount": 0,
-        "PerformanceMetrics": null,
         "RunningContainerCount": 5,
         "ServiceCount": 0,
         "StackCount": 2,
@@ -786,6 +769,7 @@
       "Kubernetes": null
     }
   ],
+  "sources": null,
   "ssl": {
     "certPath": "",
     "httpEnabled": true,
@@ -937,7 +921,8 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.42.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.43.0\",\"MigratorCount\":2,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
-  "webhooks": null
+  "webhooks": null,
+  "workflows": null
 }

api/docker/client/client.go

@@ -11,6 +11,8 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/pkg/libhttp/ssrf"
+
 	"github.com/rs/zerolog/log"
 
 	"github.com/docker/docker/api/types/image"
@@ -88,7 +90,7 @@ func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*cli
 		client.WithHTTPClient(httpCli),
 	}
 
-	if nnTransport, ok := httpCli.Transport.(*NodeNameTransport); ok && nnTransport.TLSClientConfig != nil {
+	if endpoint.TLSConfig.TLS {
 		opts = append(opts, client.WithScheme("https"))
 	}
 
@@ -122,7 +124,7 @@ func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatu
 		client.WithHTTPHeaders(headers),
 	}
 
-	if nnTransport, ok := httpCli.Transport.(*NodeNameTransport); ok && nnTransport.TLSClientConfig != nil {
+	if endpoint.TLSConfig.TLS {
 		opts = append(opts, client.WithScheme("https"))
 	}
 
@@ -184,17 +186,20 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)
 }
 
 func httpClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*http.Client, error) {
-	transport := &NodeNameTransport{
-		Transport: &http.Transport{},
-	}
-
+	var transport *NodeNameTransport
 	if endpoint.TLSConfig.TLS {
 		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
 		if err != nil {
 			return nil, err
 		}
 
-		transport.TLSClientConfig = tlsConfig
+		transport = &NodeNameTransport{
+			Transport: ssrf.NewTransport(tlsConfig),
+		}
+	} else {
+		transport = &NodeNameTransport{
+			Transport: ssrf.NewTransport(nil),
+		}
 	}
 
 	clientTimeout := defaultDockerRequestTimeout

api/docker/images/digest.go

@@ -5,9 +5,10 @@ import (
 	"strings"
 	"time"
 
-	dockerclient "github.com/portainer/portainer/api/docker/client"
+	portainer "github.com/portainer/portainer/api"
 
 	"github.com/docker/docker/api/types/image"
+	dockerclient "github.com/docker/docker/client"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
@@ -15,28 +16,33 @@ import (
 	imagetypes "go.podman.io/image/v5/types"
 )
 
-// Options holds docker registry object options
-type Options struct {
-	Auth    imagetypes.DockerAuthConfig
-	Timeout time.Duration
+const digestFetchTimeout = 5 * time.Second
+
+// ClientFactory creates Docker clients for a given environment.
+type ClientFactory interface {
+	CreateClient(endpoint *portainer.Endpoint, nodeName string, timeout *time.Duration) (*dockerclient.Client, error)
+}
+
+// RegistryAuthProvider looks up registry credentials for an image.
+type RegistryAuthProvider interface {
+	RegistryAuth(image Image) (string, string, error)
 }
 
 type DigestClient struct {
-	clientFactory  *dockerclient.ClientFactory
-	opts           Options
+	clientFactory  ClientFactory
 	sysCtx         *imagetypes.SystemContext
-	registryClient *RegistryClient
+	registryClient RegistryAuthProvider
 }
 
-func NewClientWithRegistry(registryClient *RegistryClient, clientFactory *dockerclient.ClientFactory) *DigestClient {
+func NewClientWithRegistry(registryClient RegistryAuthProvider, clientFactory ClientFactory) *DigestClient {
 	return &DigestClient{
 		clientFactory:  clientFactory,
 		registryClient: registryClient,
 	}
 }
 
-func (c *DigestClient) RemoteDigest(image Image) (digest.Digest, error) {
-	ctx, cancel := c.timeoutContext()
+func (c *DigestClient) RemoteDigest(ctx context.Context, image Image) (digest.Digest, error) {
+	ctx, cancel := context.WithTimeout(ctx, digestFetchTimeout)
 	defer cancel()
 
 	// Docker references with both a tag and digest are currently not supported
@@ -170,14 +176,3 @@ func ParseRepoTag(repoTag string) *Image {
 
 	return &image
 }
-
-func (c *DigestClient) timeoutContext() (context.Context, context.CancelFunc) {
-	ctx := context.Background()
-	var cancel context.CancelFunc = func() {}
-
-	if c.opts.Timeout > 0 {
-		ctx, cancel = context.WithTimeout(ctx, c.opts.Timeout)
-	}
-
-	return ctx, cancel
-}

api/docker/images/registry.go

@@ -24,14 +24,22 @@ func NewRegistryClient(dataStore dataservices.DataStore) *RegistryClient {
 }
 
 func (c *RegistryClient) RegistryAuth(image Image) (string, string, error) {
-	registries, err := c.dataStore.Registry().ReadAll()
+	registry, err := cachedRegistry(image.Opts.Name)
 	if err != nil {
-		return "", "", err
-	}
+		var registries []portainer.Registry
+		err = c.dataStore.ViewTx(func(tx dataservices.DataStoreTx) error {
+			var err error
+			registries, err = tx.Registry().ReadAll()
+			return err
+		})
+		if err != nil {
+			return "", "", err
+		}
 
-	registry, err := findBestMatchRegistry(image.Opts.Name, registries)
-	if err != nil {
-		return "", "", err
+		registry, err = findBestMatchRegistry(image.Opts.Name, registries)
+		if err != nil {
+			return "", "", err
+		}
 	}
 
 	if !registry.Authentication {
@@ -54,14 +62,22 @@ func (c *RegistryClient) CertainRegistryAuth(registry *portainer.Registry) (stri
 }
 
 func (c *RegistryClient) EncodedRegistryAuth(image Image) (string, error) {
-	registries, err := c.dataStore.Registry().ReadAll()
+	registry, err := cachedRegistry(image.Opts.Name)
 	if err != nil {
-		return "", err
-	}
+		var registries []portainer.Registry
+		err = c.dataStore.ViewTx(func(tx dataservices.DataStoreTx) error {
+			var err error
+			registries, err = tx.Registry().ReadAll()
+			return err
+		})
+		if err != nil {
+			return "", err
+		}
 
-	registry, err := findBestMatchRegistry(image.Opts.Name, registries)
-	if err != nil {
-		return "", err
+		registry, err = findBestMatchRegistry(image.Opts.Name, registries)
+		if err != nil {
+			return "", err
+		}
 	}
 
 	if !registry.Authentication {
@@ -121,7 +137,7 @@ func findBestMatchRegistry(repository string, registries []portainer.Registry) (
 		return nil, errors.New("no registries matched")
 	}
 
-	registriesCache.Set(repository, match, 0)
+	registriesCache.Set(repository, *match, 0)
 
 	return match, nil
 }

api/docker/images/registry_test.go

@@ -57,6 +57,21 @@ func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
 	})
 }
 
+func TestFindBestMatchRegistryCachesResult(t *testing.T) {
+	t.Parallel()
+
+	repository := "caching-test/nginx:latest"
+	registries := []portainer.Registry{createNewRegistry("docker.io", "", true)}
+
+	r, err := findBestMatchRegistry(repository, registries)
+	require.NoError(t, err)
+
+	cached, err := cachedRegistry(repository)
+	require.NoError(t, err)
+	require.Equal(t, r.URL, cached.URL)
+	require.Equal(t, r.Authentication, cached.Authentication)
+}
+
 func createNewRegistry(domain, username string, auth bool) portainer.Registry {
 	registry := portainer.Registry{
 		URL:            domain,

api/docker/images/status.go

@@ -16,6 +16,7 @@ import (
 	"github.com/patrickmn/go-cache"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
+	"golang.org/x/sync/errgroup"
 )
 
 // Status constants
@@ -28,6 +29,11 @@ const (
 	Error      = Status("error")
 )
 
+const (
+	errorStatusCacheTTL       = 5 * time.Minute
+	maxConcurrentStatusChecks = 8
+)
+
 var (
 	statusCache       = cache.New(24*time.Hour, 24*time.Hour)
 	remoteDigestCache = cache.New(5*time.Second, 5*time.Second)
@@ -46,13 +52,17 @@ func (c *DigestClient) ContainersImageStatus(ctx context.Context, containers []t
 	}
 
 	statuses := make([]Status, len(containers))
-	for i, ct := range containers {
+
+	g, ctx := errgroup.WithContext(ctx)
+	g.SetLimit(maxConcurrentStatusChecks)
+
+	containerStatus := func(ct types.Container) Status {
 		var nodeName string
 		if swarmNodeId := ct.Labels[consts.SwarmNodeIDLabel]; swarmNodeId != "" {
 			if swarmNodeName, ok := swarmID2NameCache.Get(swarmNodeId); ok {
 				nodeName, _ = swarmNodeName.(string)
 			} else {
-				node, _, err := cli.NodeInspectWithRaw(ctx, ct.Labels[consts.SwarmNodeIDLabel])
+				node, _, err := cli.NodeInspectWithRaw(ctx, swarmNodeId)
 				if err != nil {
 					return Error
 				}
@@ -64,23 +74,26 @@ func (c *DigestClient) ContainersImageStatus(ctx context.Context, containers []t
 
 		s, err := c.ContainerImageStatus(ctx, ct.ID, endpoint, nodeName)
 		if err != nil {
-			statuses[i] = Error
 			log.Warn().Str("containerId", ct.ID).Err(err).Msg("error when fetching image status for container")
-
-			continue
+			return Error
 		}
 
-		statuses[i] = s
-
-		if s == Outdated || s == Processing {
-			break
-		}
+		return s
 	}
 
-	return FigureOut(statuses)
+	for i, ct := range containers {
+		g.Go(func() error {
+			statuses[i] = containerStatus(ct)
+			return nil
+		})
+	}
+
+	_ = g.Wait()
+
+	return AggregateImageStatus(statuses)
 }
 
-func FigureOut(statuses []Status) Status {
+func AggregateImageStatus(statuses []Status) Status {
 	if allMatch(statuses, Skipped) {
 		return Skipped
 	}
@@ -141,7 +154,7 @@ func (c *DigestClient) ContainerImageStatus(ctx context.Context, containerID str
 		images = append(images, ParseRepoTags(imageInspect.RepoTags)...)
 	}
 
-	s, err := c.checkStatus(images, digs)
+	s, err := c.checkStatus(ctx, images, digs)
 	if err != nil {
 		log.Debug().Str("image", container.Image).Err(err).Msg("fetching a certain image status")
 		return Error, err
@@ -191,7 +204,7 @@ func (c *DigestClient) ServiceImageStatus(ctx context.Context, serviceID string,
 	return c.ContainersImageStatus(ctx, nonExistedOrStoppedContainers, endpoint), nil
 }
 
-func (c *DigestClient) checkStatus(images []*Image, digests []digest.Digest) (Status, error) {
+func (c *DigestClient) checkStatus(ctx context.Context, images []*Image, digests []digest.Digest) (Status, error) {
 	if digests == nil {
 		digests = make([]digest.Digest, 0)
 	}
@@ -216,7 +229,7 @@ func (c *DigestClient) checkStatus(images []*Image, digests []digest.Digest) (St
 			remoteDigest, _ = rd.(digest.Digest)
 		}
 		if remoteDigest == "" {
-			remoteDigest, err = c.RemoteDigest(*img)
+			remoteDigest, err = c.RemoteDigest(ctx, *img)
 			if err != nil {
 				log.Error().Str("image", img.String()).Msg("error when fetch remote digest for image")
 				return Error, err
@@ -263,6 +276,10 @@ func CacheResourceImageStatus(resourceID string, status Status) {
 	statusCache.Set(resourceID, status, 0)
 }
 
+func CacheErrorImageStatus(resourceID string) {
+	statusCache.Set(resourceID, Error, errorStatusCacheTTL)
+}
+
 func CachedImageDigest(resourceID string) (Status, error) {
 	if s, ok := statusCache.Get(resourceID); ok {
 		return s.(Status), nil

api/docker/images/status_test.go

@@ -0,0 +1,63 @@
+package images
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestAggregateImageStatus(t *testing.T) {
+	t.Parallel()
+
+	f := func(statuses []Status, expected Status) {
+		t.Helper()
+		require.Equal(t, expected, AggregateImageStatus(statuses))
+	}
+
+	f([]Status{Skipped, Skipped, Skipped}, Skipped)
+	f([]Status{Preparing, Preparing}, Preparing)
+	f([]Status{Updated, Outdated, Processing, Error}, Outdated)
+	f([]Status{Updated, Processing, Error}, Processing)
+	f([]Status{Updated, Error}, Error)
+	f([]Status{Updated, Updated}, Updated)
+	f([]Status{}, Updated)
+	f([]Status{Updated, Skipped}, Updated)
+}
+
+func TestCachedResourceImageStatusMiss(t *testing.T) {
+	t.Parallel()
+
+	_, err := CachedResourceImageStatus("status-test-miss-key")
+	require.Error(t, err)
+}
+
+func TestCachedResourceImageStatusHitAndEvict(t *testing.T) {
+	t.Parallel()
+
+	key := "status-test-hit-evict-key"
+
+	CacheResourceImageStatus(key, Updated)
+
+	s, err := CachedResourceImageStatus(key)
+	require.NoError(t, err)
+	require.Equal(t, Updated, s)
+
+	EvictImageStatus(key)
+
+	_, err = CachedResourceImageStatus(key)
+	require.Error(t, err)
+}
+
+func TestCacheErrorImageStatus(t *testing.T) {
+	t.Parallel()
+
+	key := "status-test-error-key"
+
+	CacheErrorImageStatus(key)
+
+	s, err := CachedResourceImageStatus(key)
+	require.NoError(t, err)
+	require.Equal(t, Error, s)
+
+	EvictImageStatus(key)
+}

api/exec/common.go

@@ -38,7 +38,7 @@ func fetchEndpointProxy(proxyManager *proxy.Manager, endpoint *portainer.Endpoin
 
 // portainerRegistriesToAuthConfigs converts registries to Docker auth configs.
 // Callers must ensure ECR tokens are valid before calling this function (e.g. via
-// registryutils.ValidateRegistriesECRTokens with a real DataStoreTx). This function
+// registryutils.RefreshAndPersistECRTokens with a real DataStoreTx). This function
 // intentionally performs no DB writes to avoid write-lock contention when called inside
 // an active BoltDB write transaction.
 func portainerRegistriesToAuthConfigs(registries []portainer.Registry) []types.AuthConfig {

api/filesystem/filesystem.go

@@ -89,7 +89,7 @@ func JoinPaths(trustedRoot string, untrustedPaths ...string) string {
 		trustedRoot = "."
 	}
 
-	p := filepath.Join(trustedRoot, filepath.Join(append([]string{"/"}, untrustedPaths...)...)) //nolint:forbidigo
+	p := filepath.Join(trustedRoot, filepath.Join(append([]string{"/"}, untrustedPaths...)...))
 
 	// avoid setting a volume name from the untrusted paths
 	vnp := filepath.VolumeName(p)

api/filesystem/serialize.go

@@ -15,7 +15,7 @@ type DirEntry struct {
 	Name        string
 	Content     string
 	IsFile      bool
-	Permissions os.FileMode
+	Permissions os.FileMode `swaggertype:"integer"`
 }
 
 // FilterDirForEntryFile filers the given dirEntries, returns entries of the entryFile and .env file

api/git/azure.go

@@ -14,12 +14,13 @@ import (
 	"github.com/portainer/portainer/api/crypto"
 	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/logs"
-	"github.com/rs/zerolog/log"
+	"github.com/portainer/portainer/pkg/libhttp/ssrf"
 
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/plumbing/filemode"
 	githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
 )
 
@@ -64,15 +65,10 @@ func NewAzureClient() *azureClient {
 }
 
 func newHttpClientForAzure(insecureSkipVerify bool) *http.Client {
-	httpsCli := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: crypto.CreateTLSConfiguration(insecureSkipVerify),
-			Proxy:           http.ProxyFromEnvironment,
-		},
-		Timeout: 300 * time.Second,
+	return &http.Client{
+		Transport: ssrf.NewTransport(crypto.CreateTLSConfiguration(insecureSkipVerify)),
+		Timeout:   300 * time.Second,
 	}
-
-	return httpsCli
 }
 
 func (a *azureClient) Download(ctx context.Context, destination string, opt *git.CloneOptions) error {

api/git/git.go

@@ -3,6 +3,7 @@ package git
 import (
 	"context"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/portainer/portainer/api/filesystem"
@@ -47,11 +48,19 @@ func NewGitClient(preserveGitDir bool) *gitClient {
 }
 
 func (c *gitClient) Download(ctx context.Context, dst string, opt *git.CloneOptions) error {
+	resolved, err := filepath.EvalSymlinks(dst)
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
+		return errors.Wrap(err, "failed to resolve destination path")
+	}
+	if err == nil {
+		dst = resolved
+	}
+
 	wt := NewNoSymlinkFS(osfs.New(dst))
 	dot := osfs.New(filesystem.JoinPaths(dst, ".git"))
 	storer := gogitfs.NewStorage(dot, cache.NewObjectLRU(0))
 
-	_, err := git.CloneContext(ctx, storer, wt, opt)
+	_, err = git.CloneContext(ctx, storer, wt, opt)
 	if err != nil {
 		if err.Error() == "authentication required" {
 			return gittypes.ErrAuthenticationFailure
@@ -77,7 +86,7 @@ func (c *gitClient) LatestCommitID(ctx context.Context, repositoryUrl, reference
 		URLs: []string{repositoryUrl},
 	})
 
-	refs, err := remote.List(opt)
+	refs, err := remote.ListContext(ctx, opt)
 	if err != nil {
 		if err.Error() == "authentication required" {
 			return "", gittypes.ErrAuthenticationFailure
@@ -109,7 +118,7 @@ func (c *gitClient) ListRefs(ctx context.Context, repositoryUrl string, opt *git
 		URLs: []string{repositoryUrl},
 	})
 
-	refs, err := rem.List(opt)
+	refs, err := rem.ListContext(ctx, opt)
 	if err != nil {
 		return nil, checkGitError(err)
 	}

api/git/git_test.go

@@ -99,6 +99,19 @@ func Test_ClonePublicRepository_NoGitDirectory(t *testing.T) {
 	assert.NoDirExists(t, filesystem.JoinPaths(dir, ".git"))
 }
 
+func Test_ClonePublicRepository_NonExistentDst(t *testing.T) {
+	t.Parallel()
+	service := Service{git: NewGitClient(false)}
+	repositoryURL := setup(t)
+	referenceName := "refs/heads/main"
+
+	dir := filesystem.JoinPaths(t.TempDir(), "sub", "dir")
+	err := service.CloneRepository(t.Context(), dir, repositoryURL, referenceName, "", "", false)
+	require.NoError(t, err)
+	assert.DirExists(t, dir)
+	assert.NoDirExists(t, filesystem.JoinPaths(dir, ".git"))
+}
+
 func Test_latestCommitID(t *testing.T) {
 	t.Parallel()
 	service := Service{git: NewGitClient(true)} // no need for http client since the test access the repo via file system.
@@ -262,6 +275,7 @@ func createBareRepoWithSymlink(t *testing.T) string {
 }
 
 func Test_Download_RejectsSymlink(t *testing.T) {
+	t.Parallel()
 	client := NewGitClient(false)
 	repoURL := createBareRepoWithSymlink(t)
 

api/git/ssrf_transport.go

@@ -0,0 +1,53 @@
+package git
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"strconv"
+
+	"github.com/portainer/portainer/pkg/libhttp/ssrf"
+
+	gittransport "github.com/go-git/go-git/v5/plumbing/transport"
+)
+
+const gitDefaultPort = 9418
+
+// ssrfGitTransport wraps a git:// transport and validates the resolved IP
+// against the SSRF policy before establishing connections.
+type ssrfGitTransport struct {
+	inner gittransport.Transport
+}
+
+// NewSSRFGitTransport wraps inner and blocks connections to private IP ranges
+// according to the active SSRF policy.
+func NewSSRFGitTransport(inner gittransport.Transport) gittransport.Transport {
+	return &ssrfGitTransport{inner: inner}
+}
+
+func (t *ssrfGitTransport) NewUploadPackSession(ep *gittransport.Endpoint, auth gittransport.AuthMethod) (gittransport.UploadPackSession, error) {
+	if err := checkEndpointSSRF(ep); err != nil {
+		return nil, err
+	}
+
+	return t.inner.NewUploadPackSession(ep, auth)
+}
+
+func (t *ssrfGitTransport) NewReceivePackSession(ep *gittransport.Endpoint, auth gittransport.AuthMethod) (gittransport.ReceivePackSession, error) {
+	if err := checkEndpointSSRF(ep); err != nil {
+		return nil, err
+	}
+
+	return t.inner.NewReceivePackSession(ep, auth)
+}
+
+func checkEndpointSSRF(ep *gittransport.Endpoint) error {
+	port := ep.Port
+	if port <= 0 {
+		port = gitDefaultPort
+	}
+
+	rawURL := fmt.Sprintf("git://%s/", net.JoinHostPort(ep.Host, strconv.Itoa(port)))
+
+	return ssrf.CheckURL(context.Background(), rawURL)
+}

api/git/types/types.go

@@ -1,6 +1,7 @@
 package gittypes
 
 import (
+	"cmp"
 	"errors"
 	"net/url"
 	"path"
@@ -27,7 +28,7 @@ type RepoConfig struct {
 	// NOTE: For stacks, this mirrors Stack.EntryPoint and the two are kept in sync by stackUpdateGit.
 	ConfigFilePath string `example:"docker-compose.yml"`
 	// Git credentials
-	Authentication *GitAuthentication
+	Authentication *GitAuthentication `json:",omitempty"`
 	// Repository hash
 	ConfigHash string `example:"bc4c183d756879ea4d173315338110b31004b8e0"`
 	// TLSSkipVerify skips SSL verification when cloning the Git repository
@@ -40,6 +41,24 @@ func RepoName(rawURL string) string {
 	return strings.TrimSuffix(path.Base(rawURL), ".git")
 }
 
+// NormalizeURL returns a canonical form of rawURL for deduplication purposes:
+// scheme and host are lowercased, embedded credentials are removed, trailing
+// slashes and the .git suffix are stripped from the path. If the scheme is
+// absent it defaults to https.
+func NormalizeURL(rawURL string) (string, error) {
+	u, err := url.Parse(rawURL)
+	if err != nil {
+		return "", err
+	}
+
+	u.Scheme = strings.ToLower(cmp.Or(u.Scheme, "https"))
+	u.Host = strings.ToLower(u.Host)
+	u.User = nil
+	u.Path = strings.TrimSuffix(strings.TrimRight(u.Path, "/"), ".git")
+
+	return u.String(), nil
+}
+
 // SanitizeURL strips any userinfo (username/password) embedded in rawURL,
 // returning a URL safe to store or return to clients.
 func SanitizeURL(rawURL string) string {
@@ -53,13 +72,28 @@ func SanitizeURL(rawURL string) string {
 	return u.String()
 }
 
+// SanitizeRepoConfig returns a copy of gc with the URL sanitized and password cleared,
+// safe to return to clients.
+func SanitizeRepoConfig(gc *RepoConfig) *RepoConfig {
+	if gc == nil {
+		return nil
+	}
+
+	result := *gc
+	result.URL = SanitizeURL(result.URL)
+
+	if result.Authentication != nil && result.Authentication.Password != "" {
+		auth := *result.Authentication
+		auth.Password = ""
+		result.Authentication = &auth
+	}
+
+	return &result
+}
+
 type GitAuthentication struct {
 	Username          string
 	Password          string
 	Provider          GitProvider           `json:",omitempty"`
 	AuthorizationType GitCredentialAuthType `json:",omitempty"`
-	// Git credentials identifier when the value is not 0
-	// When the value is 0, Username and Password are set without using saved credential
-	// This is introduced since 2.15.0
-	GitCredentialID int `example:"0"`
 }

api/git/types/types_test.go

@@ -0,0 +1,26 @@
+package gittypes
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNormalizeURL(t *testing.T) {
+	t.Parallel()
+
+	f := func(input, expected string) {
+		t.Helper()
+		got, err := NormalizeURL(input)
+		require.NoError(t, err)
+		require.Equal(t, expected, got)
+	}
+
+	f("https://github.com/org/repo.git", "https://github.com/org/repo")
+	f("https://github.com/org/repo/", "https://github.com/org/repo")
+	f("https://github.com/org/repo.git/", "https://github.com/org/repo")
+	f("HTTPS://github.com/org/repo", "https://github.com/org/repo")
+	f("https://GitHub.COM/org/repo", "https://github.com/org/repo")
+	f("https://user:pass@github.com/org/repo.git", "https://github.com/org/repo")
+	f("https://github.com/org/repo", "https://github.com/org/repo")
+}

api/git/update/update.go

@@ -2,7 +2,9 @@ package update
 
 import (
 	"context"
+	"os"
 	"strings"
+	"time"
 
 	"github.com/pkg/errors"
 
@@ -27,15 +29,21 @@ func UpdateGitObject(ctx context.Context, gitService portainer.GitService, objId
 
 	username, password := git.GetCredentials(gitConfig.Authentication)
 
+	fetchCtx, cancel := context.WithTimeout(ctx, time.Minute)
 	newHash, err := gitService.LatestCommitID(
-		ctx,
+		fetchCtx,
 		gitConfig.URL,
 		gitConfig.ReferenceName,
 		username,
 		password,
 		gitConfig.TLSSkipVerify,
 	)
+	cancel()
 	if err != nil {
+		if fetchCtx.Err() == context.DeadlineExceeded {
+			log.Error().Str("object", objId).Msg("git fetch timed out after 1 minute")
+		}
+
 		return false, "", errors.WithMessagef(err, "failed to fetch latest commit id of %v", objId)
 	}
 
@@ -71,6 +79,11 @@ func UpdateGitObject(ctx context.Context, gitService portainer.GitService, objId
 	}
 
 	if err := cloneGitRepository(ctx, gitService, cloneParams); err != nil {
+		if enableVersionFolder {
+			if removeErr := os.RemoveAll(toDir); removeErr != nil {
+				log.Warn().Err(removeErr).Str("dir", toDir).Msg("failed to remove partial clone directory")
+			}
+		}
 		return false, "", errors.WithMessagef(err, "failed to do a fresh clone of %v", objId)
 	}
 

api/gitops/sources/repo_config.go

@@ -0,0 +1,55 @@
+package sources
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/portainer/portainer/pkg/fips"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+)
+
+// RepoConfigInput holds the raw payload fields needed to resolve a git RepoConfig.
+// Set SourceID to resolve URL/auth from a stored source; otherwise provide the inline fields.
+type RepoConfigInput struct {
+	SourceID                 portainer.SourceID
+	ReferenceName            string
+	ConfigFilePath           string
+	RepositoryURL            string
+	TLSSkipVerify            bool
+	RepositoryAuthentication bool
+	Username                 string
+	Password                 string
+	Provider                 gittypes.GitProvider
+	AuthorizationType        gittypes.GitCredentialAuthType
+}
+
+// ResolveRepoConfig builds a RepoConfig from either a SourceID or inline URL/auth fields.
+func ResolveRepoConfig(tx gitSourceStore, input RepoConfigInput) (gittypes.RepoConfig, *httperror.HandlerError) {
+	cfg := gittypes.RepoConfig{
+		ReferenceName:  input.ReferenceName,
+		ConfigFilePath: input.ConfigFilePath,
+	}
+
+	if input.SourceID != 0 {
+		src, httpErr := ValidateGitSourceAccess(tx, input.SourceID)
+		if httpErr != nil {
+			return gittypes.RepoConfig{}, httpErr
+		}
+		cfg.URL = src.Git.URL
+		cfg.Authentication = src.Git.Authentication
+		cfg.TLSSkipVerify = src.Git.TLSSkipVerify
+	} else {
+		cfg.URL = input.RepositoryURL
+		cfg.TLSSkipVerify = input.TLSSkipVerify
+		if input.RepositoryAuthentication {
+			cfg.Authentication = &gittypes.GitAuthentication{
+				Username:          input.Username,
+				Password:          input.Password,
+				Provider:          input.Provider,
+				AuthorizationType: input.AuthorizationType,
+			}
+		}
+	}
+
+	cfg.TLSSkipVerify = cfg.TLSSkipVerify && fips.CanTLSSkipVerify()
+	return cfg, nil
+}

api/gitops/sources/repo_config_test.go

@@ -0,0 +1,70 @@
+package sources
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/portainer/portainer/pkg/fips"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func init() {
+	fips.InitFIPS(false)
+}
+
+func TestResolveRepoConfig_WithSourceID_ReturnsSourceConfig(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	src := &portainer.Source{
+		Type: portainer.SourceTypeGit,
+		Git: &gittypes.RepoConfig{
+			URL:           "https://github.com/org/repo",
+			TLSSkipVerify: true,
+			Authentication: &gittypes.GitAuthentication{
+				Username: "user",
+				Password: "token",
+			},
+		},
+	}
+	require.NoError(t, store.Source().Create(src))
+
+	cfg, httpErr := ResolveRepoConfig(store, RepoConfigInput{
+		SourceID:       src.ID,
+		ReferenceName:  "refs/heads/main",
+		ConfigFilePath: "docker-compose.yml",
+		RepositoryURL:  "https://ignored.example.com",
+	})
+
+	require.Nil(t, httpErr)
+	assert.Equal(t, src.Git.URL, cfg.URL)
+	assert.Equal(t, src.Git.Authentication, cfg.Authentication)
+	assert.Equal(t, src.Git.TLSSkipVerify, cfg.TLSSkipVerify)
+	assert.Equal(t, "refs/heads/main", cfg.ReferenceName)
+	assert.Equal(t, "docker-compose.yml", cfg.ConfigFilePath)
+}
+
+func TestResolveRepoConfig_WithInlineURL_ReturnsInlineConfig(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	cfg, httpErr := ResolveRepoConfig(store, RepoConfigInput{
+		ReferenceName:            "refs/heads/main",
+		ConfigFilePath:           "docker-compose.yml",
+		RepositoryURL:            "https://github.com/org/repo",
+		TLSSkipVerify:            true,
+		RepositoryAuthentication: true,
+		Username:                 "user",
+		Password:                 "pass",
+	})
+
+	require.Nil(t, httpErr)
+	assert.Equal(t, "https://github.com/org/repo", cfg.URL)
+	assert.True(t, cfg.TLSSkipVerify)
+	require.NotNil(t, cfg.Authentication)
+	assert.Equal(t, "user", cfg.Authentication.Username)
+	assert.Equal(t, "pass", cfg.Authentication.Password)
+}

api/gitops/sources/source_access.go

@@ -0,0 +1,38 @@
+package sources
+
+import (
+	"fmt"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+)
+
+// gitSourceStore is the minimal intersection of CE and EE DataStoreTx that these functions need.
+// Both EE and CE DataStoreTx satisfy it, even though they are incompatible as full interface types.
+type gitSourceStore interface {
+	Source() dataservices.SourceService
+	IsErrObjectNotFound(err error) bool
+}
+
+// ValidateGitSourceAccess checks that the given Source exists and is a git Source, and returns it.
+// TODO(BE-12905): enforce per-user access policies once Source ownership is introduced.
+func ValidateGitSourceAccess(tx gitSourceStore, sourceID portainer.SourceID) (*portainer.Source, *httperror.HandlerError) {
+	src, err := tx.Source().Read(sourceID)
+	if err != nil {
+		if tx.IsErrObjectNotFound(err) {
+			return nil, httperror.NotFound("Source not found", err)
+		}
+		return nil, httperror.InternalServerError("Unable to read source", err)
+	}
+
+	if src.Type != portainer.SourceTypeGit {
+		return nil, httperror.BadRequest(fmt.Sprintf("source %d is not a git source", sourceID), nil)
+	}
+
+	if src.Git == nil {
+		return nil, httperror.BadRequest("Source has no git configuration", nil)
+	}
+
+	return src, nil
+}

api/gitops/sources/source_access_test.go

@@ -0,0 +1,49 @@
+package sources
+
+import (
+	"net/http"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateSourceForStack_ValidGitSource_ReturnsNil(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	src := &portainer.Source{
+		Type: portainer.SourceTypeGit,
+		Git:  &gittypes.RepoConfig{URL: "https://github.com/org/repo"},
+	}
+	require.NoError(t, store.Source().Create(src))
+
+	_, httpErr := ValidateGitSourceAccess(store, src.ID)
+	assert.Nil(t, httpErr)
+}
+
+func TestValidateSourceForStack_SourceNotFound_Returns404(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	_, httpErr := ValidateGitSourceAccess(store, portainer.SourceID(999))
+	require.NotNil(t, httpErr)
+	assert.Equal(t, http.StatusNotFound, httpErr.StatusCode)
+}
+
+func TestValidateSourceForStack_NonGitSource_Returns400(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	src := &portainer.Source{
+		Type: portainer.SourceType(99), // not a git source
+	}
+	require.NoError(t, store.Source().Create(src))
+
+	_, httpErr := ValidateGitSourceAccess(store, src.ID)
+	require.NotNil(t, httpErr)
+	assert.Equal(t, http.StatusBadRequest, httpErr.StatusCode)
+}

api/gitops/workflows/fetch.go

@@ -14,93 +14,190 @@ import (
 // FetchWorkflows returns all GitOps workflows visible to the given user.
 func FetchWorkflows(
 	ctx context.Context,
-	dataStore dataservices.DataStore,
+	tx dataservices.DataStoreTx,
 	gitService portainer.GitService,
 	k8sFactory *cli.ClientFactory,
 	sc *security.RestrictedRequestContext,
 	endpointIDSet set.Set[portainer.EndpointID],
 ) ([]Workflow, error) {
-	var entries []portainer.Stack
-	var endpointMap map[portainer.EndpointID]portainer.Endpoint
+	gitConfigs := map[portainer.StackID]*gittypes.RepoConfig{}
 
-	err := dataStore.ViewTx(func(tx dataservices.DataStoreTx) error {
-		stacks, err := tx.Stack().ReadAll(func(s portainer.Stack) bool {
-			return s.GitConfig != nil && (len(endpointIDSet) == 0 || endpointIDSet.Contains(s.EndpointID))
-		})
-		if err != nil {
-			return err
-		}
-
-		endpointMap, err = buildEndpointMap(tx, stacks)
-		if err != nil {
-			return err
-		}
-
-		stacks, err = filterDockerStacksByAccess(tx, stacks, sc)
-		if err != nil {
-			return err
-		}
-
-		for i := range stacks {
-			s := stacks[i]
-
-			if ep, ok := endpointMap[s.EndpointID]; ok && !EndpointMatchesStackType(ep, s.Type) {
-				continue
-			}
-			entries = append(entries, s)
-		}
-
-		return nil
+	stacks, err := tx.Stack().ReadAll(func(s portainer.Stack) bool {
+		return s.WorkflowID != 0 && (len(endpointIDSet) == 0 || endpointIDSet.Contains(s.EndpointID))
 	})
 	if err != nil {
 		return nil, err
 	}
 
+	endpointMap, err := buildEndpointMap(tx, stacks)
+	if err != nil {
+		return nil, err
+	}
+
+	stacks, err = filterDockerStacksByAccess(tx, stacks, sc)
+	if err != nil {
+		return nil, err
+	}
+
+	// First pass: filter by endpoint/stack-type match and collect workflow IDs.
+	preFiltered := make([]portainer.Stack, 0, len(stacks))
+	workflowIDSet := make(set.Set[portainer.WorkflowID], len(stacks))
+	for _, stack := range stacks {
+		if ep, ok := endpointMap[stack.EndpointID]; ok && !EndpointMatchesStackType(ep, stack.Type) {
+			continue
+		}
+		preFiltered = append(preFiltered, stack)
+		workflowIDSet.Add(stack.WorkflowID)
+	}
+
+	workflowMap, sourceMap, err := LoadWorkflowAndSourceMaps(tx, workflowIDSet)
+	if err != nil {
+		return nil, err
+	}
+
+	// Second pass: build filtered list using in-memory lookups.
+	var filtered []portainer.Stack
+	for _, stack := range preFiltered {
+		wf := workflowMap[stack.WorkflowID]
+
+	outer:
+		for _, as := range wf.Artifacts {
+			if as.StackID != stack.ID {
+				continue
+			}
+
+			for _, f := range as.Files {
+				src := sourceMap[f.SourceID]
+				if src.Type == portainer.SourceTypeGit {
+					gitConfigs[stack.ID] = MergeSourceAndFile(&src, &f)
+					break outer
+				}
+			}
+		}
+
+		filtered = append(filtered, stack)
+	}
+	stacks = filtered
+
 	accessMap, err := buildEndpointAccessMap(k8sFactory, sc, endpointMap)
 	if err != nil {
 		return nil, err
 	}
 
-	entries, err = filterK8SStacks(entries, endpointMap, k8sFactory, accessMap)
+	stacks, err = filterK8SStacks(stacks, endpointMap, k8sFactory, accessMap)
 	if err != nil {
 		return nil, err
 	}
 
-	items := make([]Workflow, 0, len(entries))
-	for _, s := range entries {
-		gitEntries := []GitEntries{
-			{Name: s.GitConfig.ConfigFilePath, IsFile: true},
-		}
-		for _, additionalPath := range s.AdditionalFiles {
-			gitEntries = append(gitEntries, GitEntries{Name: additionalPath, IsFile: true})
-		}
-
-		source, artifact := computePhases(ctx, gitService, s.GitConfig, gitEntries)
-		items = append(items, MapStackToWorkflow(s, s.GitConfig, source, artifact))
+	items := make([]Workflow, 0, len(stacks))
+	for _, stack := range stacks {
+		gitConfig := gitConfigs[stack.ID]
+		source, artifact := ComputeGitPhasesForConfig(ctx, gitService, gitConfig)
+		items = append(items, MapStackToWorkflow(stack, gitConfig, source, artifact))
 	}
 
 	return items, nil
 }
 
-func computePhases(ctx context.Context, gitSvc portainer.GitService, cfg *gittypes.RepoConfig, gitEntries []GitEntries) (source, artifact WorkflowPhaseStatus) {
-	if gitSvc == nil || cfg == nil {
-		return WorkflowPhaseStatus{Status: StatusUnknown}, WorkflowPhaseStatus{Status: StatusUnknown}
-	}
-
-	username, password := gitCredentials(cfg)
-	return ComputeGitPhases(ctx, cfg.ReferenceName, gitEntries,
-		func(ctx context.Context) ([]string, error) {
-			return gitSvc.ListRefs(ctx, cfg.URL, username, password, false, cfg.TLSSkipVerify)
-		},
-		func(ctx context.Context, exts []string, dirOnly bool) ([]string, error) {
-			return gitSvc.ListFiles(ctx, cfg.URL, cfg.ReferenceName, username, password, dirOnly, false, exts, cfg.TLSSkipVerify)
-		},
-	)
+// SourceStats holds aggregated statistics for a GitOps source.
+type SourceStats struct {
+	WorkflowCount int
+	EndpointIDs   set.Set[portainer.EndpointID]
+	LastSync      int64
 }
 
-func gitCredentials(cfg *gittypes.RepoConfig) (username, password string) {
-	if cfg.Authentication != nil {
-		return cfg.Authentication.Username, cfg.Authentication.Password
+// FetchSourceStats returns all sources and per-source stats for sources accessible to the given user.
+// It applies the same access control as FetchWorkflows but skips git phase checks.
+func FetchSourceStats(
+	tx dataservices.DataStoreTx,
+	k8sFactory *cli.ClientFactory,
+	sc *security.RestrictedRequestContext,
+) ([]portainer.Source, map[portainer.SourceID]SourceStats, error) {
+	sources, err := tx.Source().ReadAll()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	allStacks, err := tx.Stack().ReadAll(func(s portainer.Stack) bool { return s.WorkflowID != 0 })
+	if err != nil {
+		return nil, nil, err
+	}
+
+	endpointMap, err := buildEndpointMap(tx, allStacks)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	allStacks, err = filterDockerStacksByAccess(tx, allStacks, sc)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	workflowIDSet := make(set.Set[portainer.WorkflowID], len(allStacks))
+	preFiltered := make([]portainer.Stack, 0, len(allStacks))
+	for _, stack := range allStacks {
+		if ep, ok := endpointMap[stack.EndpointID]; ok && !EndpointMatchesStackType(ep, stack.Type) {
+			continue
+		}
+		preFiltered = append(preFiltered, stack)
+		workflowIDSet.Add(stack.WorkflowID)
+	}
+
+	wfMap, err := LoadWorkflowMap(tx, workflowIDSet)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	wfSources := make(map[portainer.WorkflowID][]portainer.SourceID, len(wfMap))
+	for id, wf := range wfMap {
+		for _, as := range wf.Artifacts {
+			for _, f := range as.Files {
+				wfSources[id] = append(wfSources[id], f.SourceID)
+			}
+		}
+	}
+
+	stackSourceIDs := make(map[portainer.StackID][]portainer.SourceID)
+	for _, stack := range preFiltered {
+		if srcIDs := wfSources[stack.WorkflowID]; len(srcIDs) > 0 {
+			stackSourceIDs[stack.ID] = srcIDs
+		}
+	}
+
+	accessMap, err := buildEndpointAccessMap(k8sFactory, sc, endpointMap)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	stacks, err := filterK8SStacks(preFiltered, endpointMap, k8sFactory, accessMap)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	stats := make(map[portainer.SourceID]SourceStats)
+
+	for _, stack := range stacks {
+		var epIDs []portainer.EndpointID
+		if stack.EndpointID != 0 {
+			epIDs = []portainer.EndpointID{stack.EndpointID}
+		}
+		addSourceStats(stats, stackSourceIDs[stack.ID], epIDs, StackLastSyncDate(stack))
+	}
+
+	return sources, stats, nil
+}
+
+func addSourceStats(result map[portainer.SourceID]SourceStats, srcIDs []portainer.SourceID, epIDs []portainer.EndpointID, lastSync int64) {
+	for _, srcID := range srcIDs {
+		st := result[srcID]
+		if st.EndpointIDs == nil {
+			st.EndpointIDs = make(set.Set[portainer.EndpointID])
+		}
+		st.WorkflowCount++
+		for _, epID := range epIDs {
+			st.EndpointIDs.Add(epID)
+		}
+		st.LastSync = max(lastSync, st.LastSync)
+		result[srcID] = st
 	}
-	return "", ""
 }

api/gitops/workflows/fetch_test.go

@@ -0,0 +1,282 @@
+package workflows
+
+import (
+	"strconv"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/datastore"
+	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/set"
+
+	"github.com/stretchr/testify/require"
+)
+
+func adminContext() *security.RestrictedRequestContext {
+	return &security.RestrictedRequestContext{IsAdmin: true, UserID: 1}
+}
+
+func mustCreateGitWorkflow(t *testing.T, tx dataservices.DataStoreTx, stack *portainer.Stack) {
+	t.Helper()
+
+	cfg := stack.GitConfig
+
+	src := &portainer.Source{Type: portainer.SourceTypeGit, Git: cfg}
+	require.NoError(t, tx.Source().Create(src))
+
+	wf := &portainer.Workflow{Artifacts: []portainer.Artifact{{
+		StackID: stack.ID,
+		Files:   []portainer.ArtifactFile{{SourceID: src.ID}},
+	}}}
+	require.NoError(t, tx.Workflow().Create(wf))
+
+	stack.WorkflowID = wf.ID
+	stack.GitConfig = nil
+
+	require.NoError(t, tx.Stack().Create(stack))
+}
+
+func TestAddSourceStats_NoOp(t *testing.T) {
+	t.Parallel()
+
+	result := make(map[portainer.SourceID]SourceStats)
+	addSourceStats(result, nil, nil, 0)
+
+	require.Empty(t, result)
+}
+
+func TestAddSourceStats_AccumulatesWorkflowCount(t *testing.T) {
+	t.Parallel()
+
+	result := make(map[portainer.SourceID]SourceStats)
+	addSourceStats(result, []portainer.SourceID{1}, nil, 0)
+	addSourceStats(result, []portainer.SourceID{1}, nil, 0)
+
+	require.Equal(t, 2, result[1].WorkflowCount)
+}
+
+func TestAddSourceStats_CollectsUniqueEndpointIDs(t *testing.T) {
+	t.Parallel()
+
+	result := make(map[portainer.SourceID]SourceStats)
+	addSourceStats(result, []portainer.SourceID{1}, []portainer.EndpointID{10, 20}, 0)
+	addSourceStats(result, []portainer.SourceID{1}, []portainer.EndpointID{20, 30}, 0)
+
+	require.Len(t, result[1].EndpointIDs, 3)
+	require.True(t, result[1].EndpointIDs[10])
+	require.True(t, result[1].EndpointIDs[20])
+	require.True(t, result[1].EndpointIDs[30])
+}
+
+func TestAddSourceStats_MaxLastSync(t *testing.T) {
+	t.Parallel()
+
+	result := make(map[portainer.SourceID]SourceStats)
+	addSourceStats(result, []portainer.SourceID{1}, nil, 100)
+	addSourceStats(result, []portainer.SourceID{1}, nil, 500)
+	addSourceStats(result, []portainer.SourceID{1}, nil, 200)
+
+	require.Equal(t, int64(500), result[1].LastSync)
+}
+
+func TestAddSourceStats_MultipleSourceIDs(t *testing.T) {
+	t.Parallel()
+
+	result := make(map[portainer.SourceID]SourceStats)
+	addSourceStats(result, []portainer.SourceID{1, 2}, []portainer.EndpointID{10}, 100)
+
+	require.Equal(t, 1, result[1].WorkflowCount)
+	require.Equal(t, 1, result[2].WorkflowCount)
+	require.True(t, result[1].EndpointIDs[10])
+	require.True(t, result[2].EndpointIDs[10])
+}
+
+func TestFetchWorkflows_ReturnsOnlyGitopsStacks(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, true)
+
+	require.NoError(t, store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		mustCreateGitWorkflow(t, tx, &portainer.Stack{
+			ID:        1,
+			Name:      "gitops-stack",
+			GitConfig: &gittypes.RepoConfig{URL: "https://github.com/x/repo"},
+		})
+		require.NoError(t, tx.Stack().Create(&portainer.Stack{ID: 2, Name: "plain-stack"}))
+
+		return tx.User().Create(&portainer.User{ID: 1, Role: portainer.AdministratorRole})
+	}))
+
+	var items []Workflow
+	require.NoError(t, store.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		items, err = FetchWorkflows(t.Context(), tx, nil, nil, adminContext(), nil)
+		return err
+	}))
+	require.Len(t, items, 1)
+	require.Equal(t, "gitops-stack", items[0].Name)
+}
+
+func TestFetchWorkflows_FiltersByEndpointID(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, true)
+
+	require.NoError(t, store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		for i := 1; i <= 3; i++ {
+			mustCreateGitWorkflow(t, tx, &portainer.Stack{
+				ID:         portainer.StackID(i),
+				Name:       "stack-" + strconv.Itoa(i),
+				EndpointID: portainer.EndpointID(i),
+				GitConfig:  &gittypes.RepoConfig{URL: "https://github.com/x/" + strconv.Itoa(i)},
+			})
+		}
+
+		return tx.User().Create(&portainer.User{ID: 1, Role: portainer.AdministratorRole})
+	}))
+
+	var items []Workflow
+	require.NoError(t, store.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		items, err = FetchWorkflows(t.Context(), tx, nil, nil, adminContext(), set.ToSet([]portainer.EndpointID{1, 2}))
+		return err
+	}))
+	require.Len(t, items, 2)
+
+	names := []string{items[0].Name, items[1].Name}
+	require.Contains(t, names, "stack-1")
+	require.Contains(t, names, "stack-2")
+}
+
+func TestFetchWorkflows_EmptyWhenNoGitopsStacks(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, true)
+
+	require.NoError(t, store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		require.NoError(t, tx.Stack().Create(&portainer.Stack{ID: 1, Name: "plain-1"}))
+		require.NoError(t, tx.Stack().Create(&portainer.Stack{ID: 2, Name: "plain-2"}))
+
+		return tx.User().Create(&portainer.User{ID: 1, Role: portainer.AdministratorRole})
+	}))
+
+	var items []Workflow
+	require.NoError(t, store.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		items, err = FetchWorkflows(t.Context(), tx, nil, nil, adminContext(), nil)
+		return err
+	}))
+	require.Empty(t, items)
+}
+
+func TestFetchWorkflows_NilEndpointSetReturnsAll(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, true)
+
+	require.NoError(t, store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		for i := 1; i <= 3; i++ {
+			mustCreateGitWorkflow(t, tx, &portainer.Stack{
+				ID:         portainer.StackID(i),
+				Name:       "stack-" + strconv.Itoa(i),
+				EndpointID: portainer.EndpointID(i),
+				GitConfig:  &gittypes.RepoConfig{URL: "https://github.com/x/" + strconv.Itoa(i)},
+			})
+		}
+
+		return tx.User().Create(&portainer.User{ID: 1, Role: portainer.AdministratorRole})
+	}))
+
+	var items []Workflow
+	require.NoError(t, store.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		items, err = FetchWorkflows(t.Context(), tx, nil, nil, adminContext(), nil)
+		return err
+	}))
+	require.Len(t, items, 3)
+}
+
+func TestFetchSourceStats_ReturnsAllSources(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, true)
+
+	require.NoError(t, store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		require.NoError(t, tx.Source().Create(&portainer.Source{Name: "source-1", Type: portainer.SourceTypeGit}))
+		require.NoError(t, tx.Source().Create(&portainer.Source{Name: "source-2", Type: portainer.SourceTypeGit}))
+
+		return tx.User().Create(&portainer.User{ID: 1, Role: portainer.AdministratorRole})
+	}))
+
+	var sources []portainer.Source
+	require.NoError(t, store.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		sources, _, err = FetchSourceStats(tx, nil, adminContext())
+
+		return err
+	}))
+
+	require.Len(t, sources, 2)
+}
+
+func TestFetchSourceStats_TracksWorkflowCountAndEndpoints(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, true)
+
+	var srcID portainer.SourceID
+
+	require.NoError(t, store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		src := &portainer.Source{Name: "shared", Type: portainer.SourceTypeGit}
+		require.NoError(t, tx.Source().Create(src))
+		srcID = src.ID
+
+		for i := 1; i <= 2; i++ {
+			wf := &portainer.Workflow{Artifacts: []portainer.Artifact{{Files: []portainer.ArtifactFile{{SourceID: srcID}}}}}
+			require.NoError(t, tx.Workflow().Create(wf))
+			require.NoError(t, tx.Stack().Create(&portainer.Stack{
+				ID:         portainer.StackID(i),
+				Name:       "stack-" + strconv.Itoa(i),
+				EndpointID: portainer.EndpointID(i),
+				WorkflowID: wf.ID,
+			}))
+		}
+
+		return tx.User().Create(&portainer.User{ID: 1, Role: portainer.AdministratorRole})
+	}))
+
+	var stats map[portainer.SourceID]SourceStats
+	require.NoError(t, store.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		_, stats, err = FetchSourceStats(tx, nil, adminContext())
+
+		return err
+	}))
+
+	st := stats[srcID]
+	require.Equal(t, 2, st.WorkflowCount)
+	require.Len(t, st.EndpointIDs, 2)
+}
+
+func TestFetchSourceStats_UnusedSourceHasZeroStats(t *testing.T) {
+	t.Parallel()
+	_, store := datastore.MustNewTestStore(t, false, true)
+
+	var unusedID portainer.SourceID
+
+	require.NoError(t, store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		src := &portainer.Source{Name: "unused", Type: portainer.SourceTypeGit}
+		require.NoError(t, tx.Source().Create(src))
+		unusedID = src.ID
+
+		return tx.User().Create(&portainer.User{ID: 1, Role: portainer.AdministratorRole})
+	}))
+
+	var stats map[portainer.SourceID]SourceStats
+	require.NoError(t, store.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		_, stats, err = FetchSourceStats(tx, nil, adminContext())
+
+		return err
+	}))
+
+	st := stats[unusedID]
+	require.Zero(t, st.WorkflowCount)
+	require.Empty(t, st.EndpointIDs)
+}

api/gitops/workflows/filter.go

@@ -16,6 +16,8 @@ import (
 	"github.com/portainer/portainer/api/set"
 	"github.com/portainer/portainer/api/slicesx"
 	"github.com/portainer/portainer/api/stacks/stackutils"
+
+	"github.com/rs/zerolog/log"
 )
 
 func EndpointMatchesStackType(ep portainer.Endpoint, stackType portainer.StackType) bool {
@@ -115,7 +117,8 @@ func buildEndpointAccessMap(k8sFactory *cli.ClientFactory, sc *security.Restrict
 
 		access, err := resolveKubeAccess(k8sFactory, sc, &ep)
 		if err != nil {
-			return nil, err
+			log.Warn().Err(err).Str("context", "buildEndpointAccessMap").Int("endpoint_id", int(epID)).Msg("Failed to resolve kube access for endpoint, skipping")
+			continue
 		}
 
 		result[epID] = access
@@ -148,7 +151,8 @@ func filterK8SStacks(items []portainer.Stack, endpointMap map[portainer.Endpoint
 
 		kcl, err := k8sFactory.GetPrivilegedKubeClient(&ep)
 		if err != nil {
-			return nil, err
+			log.Warn().Err(err).Str("context", "filterK8SStacks").Int("endpoint_id", int(envID)).Msg("Failed to get kube client for endpoint, skipping")
+			continue
 		}
 
 		access := accessMap[envID]
@@ -157,7 +161,8 @@ func filterK8SStacks(items []portainer.Stack, endpointMap map[portainer.Endpoint
 
 		apps, err := kcl.GetApplications("", "")
 		if err != nil {
-			return nil, err
+			log.Warn().Err(err).Str("context", "filterK8SStacks").Int("endpoint_id", int(envID)).Msg("Failed to get kube applications for endpoint, skipping")
+			continue
 		}
 
 		for _, s := range stacks {

api/gitops/workflows/git_phases.go

@@ -5,6 +5,9 @@ import (
 	"fmt"
 	"path"
 	"slices"
+
+	portainer "github.com/portainer/portainer/api"
+	gittypes "github.com/portainer/portainer/api/git/types"
 )
 
 // ListRefsFunc lists all git refs for a repository.
@@ -19,6 +22,30 @@ type GitEntries struct {
 	IsFile bool
 }
 
+// ComputeGitPhasesForConfig computes source and artifact phases from a RepoConfig and a GitService.
+func ComputeGitPhasesForConfig(ctx context.Context, gitSvc portainer.GitService, cfg *gittypes.RepoConfig) (source, artifact WorkflowPhaseStatus) {
+	if gitSvc == nil || cfg == nil {
+		return WorkflowPhaseStatus{Status: StatusUnknown}, WorkflowPhaseStatus{Status: StatusUnknown}
+	}
+
+	username, password := gitCredentials(cfg)
+	return ComputeGitPhases(ctx, cfg.ReferenceName, []GitEntries{{Name: cfg.ConfigFilePath, IsFile: true}},
+		func(ctx context.Context) ([]string, error) {
+			return gitSvc.ListRefs(ctx, cfg.URL, username, password, false, cfg.TLSSkipVerify)
+		},
+		func(ctx context.Context, exts []string, dirOnly bool) ([]string, error) {
+			return gitSvc.ListFiles(ctx, cfg.URL, cfg.ReferenceName, username, password, dirOnly, false, exts, cfg.TLSSkipVerify)
+		},
+	)
+}
+
+func gitCredentials(cfg *gittypes.RepoConfig) (username, password string) {
+	if cfg.Authentication != nil {
+		return cfg.Authentication.Username, cfg.Authentication.Password
+	}
+	return "", ""
+}
+
 // ComputeGitPhases checks source (ref reachability) and artifact (config file presence).
 // If source fails, artifact is returned as unknown without making a network call.
 func ComputeGitPhases(ctx context.Context, referenceName string, configFilePath []GitEntries, listRefs ListRefsFunc, listFiles ListFilesFunc) (source, artifact WorkflowPhaseStatus) {

api/gitops/workflows/git_phases_test.go

@@ -34,7 +34,7 @@ func TestComputeGitPhases(t *testing.T) {
 		expectedArtifact Status
 	}{
 		{
-			name:             "listRefs errors → source error, artifact unknown",
+			name:             "listRefs errors: source error, artifact unknown",
 			referenceName:    "refs/heads/main",
 			configFilePath:   []GitEntries{{Name: "docker-compose.yml", IsFile: true}},
 			listRefs:         errRefs,
@@ -43,7 +43,7 @@ func TestComputeGitPhases(t *testing.T) {
 			expectedArtifact: StatusUnknown,
 		},
 		{
-			name:           "ref not in list → source error, artifact unknown",
+			name:           "ref not in list: source error, artifact unknown",
 			referenceName:  "refs/heads/missing",
 			configFilePath: []GitEntries{{Name: "docker-compose.yml", IsFile: true}},
 			listRefs: func(_ context.Context) ([]string, error) {
@@ -54,7 +54,7 @@ func TestComputeGitPhases(t *testing.T) {
 			expectedArtifact: StatusUnknown,
 		},
 		{
-			name:             "empty configFilePath → artifact error",
+			name:             "empty configFilePath: artifact error",
 			referenceName:    "refs/heads/main",
 			configFilePath:   []GitEntries{},
 			listRefs:         okRefs,
@@ -63,7 +63,7 @@ func TestComputeGitPhases(t *testing.T) {
 			expectedArtifact: StatusError,
 		},
 		{
-			name:             "listFiles errors → artifact error",
+			name:             "listFiles errors: artifact error",
 			referenceName:    "refs/heads/main",
 			configFilePath:   []GitEntries{{Name: "docker-compose.yml", IsFile: true}},
 			listRefs:         okRefs,
@@ -72,7 +72,7 @@ func TestComputeGitPhases(t *testing.T) {
 			expectedArtifact: StatusError,
 		},
 		{
-			name:           "file not in list → artifact error",
+			name:           "file not in list: artifact error",
 			referenceName:  "refs/heads/main",
 			configFilePath: []GitEntries{{Name: "docker-compose.yml", IsFile: true}},
 			listRefs:       okRefs,
@@ -92,7 +92,7 @@ func TestComputeGitPhases(t *testing.T) {
 			expectedArtifact: StatusHealthy,
 		},
 		{
-			name:             "empty referenceName → source healthy (default HEAD)",
+			name:             "empty referenceName: source healthy (default HEAD)",
 			referenceName:    "",
 			configFilePath:   []GitEntries{{Name: "docker-compose.yml", IsFile: true}},
 			listRefs:         okRefs,

api/gitops/workflows/mapping.go

@@ -1,6 +1,8 @@
 package workflows
 
 import (
+	"slices"
+
 	portainer "github.com/portainer/portainer/api"
 	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/set"
@@ -27,7 +29,7 @@ func MapStackToWorkflow(s portainer.Stack, gitConfig *gittypes.RepoConfig, sourc
 			Namespace:  s.Namespace,
 		},
 		CreationDate: s.CreationDate,
-		LastSyncDate: stackLastSyncDate(s),
+		LastSyncDate: StackLastSyncDate(s),
 	}
 }
 
@@ -60,10 +62,10 @@ func MapEdgeStackToWorkflow(es portainer.EdgeStack, gitConfig *gittypes.RepoConf
 	}
 }
 
-func stackLastSyncDate(s portainer.Stack) int64 {
-	for i := len(s.DeploymentStatus) - 1; i >= 0; i-- {
-		if s.DeploymentStatus[i].Status == portainer.StackStatusActive {
-			return s.DeploymentStatus[i].Time
+func StackLastSyncDate(s portainer.Stack) int64 {
+	for _, ds := range slices.Backward(s.DeploymentStatus) {
+		if ds.Status == portainer.StackStatusActive {
+			return ds.Time
 		}
 	}
 	return 0
@@ -84,9 +86,9 @@ func edgeStackLastSyncDate(statuses []portainer.EdgeStackStatusForEnv) int64 {
 }
 
 func endpointLastSyncDate(epStatus portainer.EdgeStackStatusForEnv) int64 {
-	for i := len(epStatus.Status) - 1; i >= 0; i-- {
-		if isEdgeStackHealthyStatus(epStatus.Status[i].Type) {
-			return epStatus.Status[i].Time
+	for _, s := range slices.Backward(epStatus.Status) {
+		if isEdgeStackHealthyStatus(s.Type) {
+			return s.Time
 		}
 	}
 	return 0
@@ -120,7 +122,6 @@ func resolveEdgeGroupEndpoints(groups []portainer.EdgeGroupID, groupEndpoints ma
 	for _, gid := range groups {
 		for _, epID := range groupEndpoints[gid] {
 			seen.Add(epID)
-
 		}
 	}
 	return seen.Keys()

api/gitops/workflows/mapping_test.go

@@ -4,7 +4,10 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	gittypes "github.com/portainer/portainer/api/git/types"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestStackLastSyncDate(t *testing.T) {
@@ -12,7 +15,7 @@ func TestStackLastSyncDate(t *testing.T) {
 
 	t.Run("no deployment status", func(t *testing.T) {
 		t.Parallel()
-		assert.Equal(t, int64(0), stackLastSyncDate(portainer.Stack{}))
+		assert.Equal(t, int64(0), StackLastSyncDate(portainer.Stack{}))
 	})
 
 	t.Run("no active entry", func(t *testing.T) {
@@ -20,7 +23,7 @@ func TestStackLastSyncDate(t *testing.T) {
 		s := portainer.Stack{DeploymentStatus: []portainer.StackDeploymentStatus{
 			{Status: portainer.StackStatusDeploying, Time: 100},
 		}}
-		assert.Equal(t, int64(0), stackLastSyncDate(s))
+		assert.Equal(t, int64(0), StackLastSyncDate(s))
 	})
 
 	t.Run("last entry is active", func(t *testing.T) {
@@ -29,7 +32,7 @@ func TestStackLastSyncDate(t *testing.T) {
 			{Status: portainer.StackStatusDeploying, Time: 50},
 			{Status: portainer.StackStatusActive, Time: 100},
 		}}
-		assert.Equal(t, int64(100), stackLastSyncDate(s))
+		assert.Equal(t, int64(100), StackLastSyncDate(s))
 	})
 
 	t.Run("active followed by non-active returns the active time", func(t *testing.T) {
@@ -38,7 +41,7 @@ func TestStackLastSyncDate(t *testing.T) {
 			{Status: portainer.StackStatusActive, Time: 100},
 			{Status: portainer.StackStatusDeploying, Time: 200},
 		}}
-		assert.Equal(t, int64(100), stackLastSyncDate(s))
+		assert.Equal(t, int64(100), StackLastSyncDate(s))
 	})
 }
 
@@ -147,3 +150,118 @@ func TestEdgeStackTargetStatuses(t *testing.T) {
 		assert.Equal(t, StatusError, result[portainer.EdgeGroupID(20)])
 	})
 }
+
+func TestMapEdgeStackToWorkflow_DockerPlatform(t *testing.T) {
+	t.Parallel()
+
+	es := portainer.EdgeStack{
+		ID:             1,
+		Name:           "docker-edge",
+		DeploymentType: portainer.EdgeStackDeploymentCompose,
+		EdgeGroups:     []portainer.EdgeGroupID{1},
+		CreationDate:   1587399600,
+	}
+	cfg := &gittypes.RepoConfig{URL: "https://github.com/x/repo"}
+
+	w := MapEdgeStackToWorkflow(es, cfg, nil, map[portainer.EdgeGroupID][]portainer.EndpointID{1: {10}}, WorkflowPhaseStatus{Status: StatusHealthy}, WorkflowPhaseStatus{Status: StatusHealthy})
+
+	require.Equal(t, int(es.ID), w.ID)
+	require.Equal(t, es.Name, w.Name)
+	require.Equal(t, TypeEdgeStack, w.Type)
+	require.Equal(t, DeploymentPlatformDockerStandalone, w.Platform)
+	require.Equal(t, es.CreationDate, w.CreationDate)
+	require.Equal(t, cfg, w.GitConfig)
+	require.Equal(t, []portainer.EdgeGroupID{1}, w.Target.EdgeGroupIDs)
+}
+
+func TestMapEdgeStackToWorkflow_KubernetesPlatform(t *testing.T) {
+	t.Parallel()
+
+	es := portainer.EdgeStack{
+		ID:             2,
+		Name:           "kube-edge",
+		DeploymentType: portainer.EdgeStackDeploymentKubernetes,
+		EdgeGroups:     []portainer.EdgeGroupID{1},
+	}
+
+	w := MapEdgeStackToWorkflow(es, nil, nil, map[portainer.EdgeGroupID][]portainer.EndpointID{}, WorkflowPhaseStatus{Status: StatusUnknown}, WorkflowPhaseStatus{Status: StatusUnknown})
+
+	require.Equal(t, DeploymentPlatformKubernetes, w.Platform)
+}
+
+func TestMapEdgeStackToWorkflow_GroupStatusesAndResolvedEndpoints(t *testing.T) {
+	t.Parallel()
+
+	statuses := []portainer.EdgeStackStatusForEnv{
+		{EndpointID: 10, Status: []portainer.EdgeStackDeploymentStatus{{Type: portainer.EdgeStackStatusRunning}}},
+		{EndpointID: 20, Status: []portainer.EdgeStackDeploymentStatus{{Type: portainer.EdgeStackStatusError, Error: "boom"}}},
+	}
+	groupEndpoints := map[portainer.EdgeGroupID][]portainer.EndpointID{
+		1: {10},
+		2: {20},
+	}
+	es := portainer.EdgeStack{
+		ID:         3,
+		Name:       "multi-group",
+		EdgeGroups: []portainer.EdgeGroupID{1, 2},
+	}
+
+	w := MapEdgeStackToWorkflow(es, nil, statuses, groupEndpoints, WorkflowPhaseStatus{Status: StatusUnknown}, WorkflowPhaseStatus{Status: StatusUnknown})
+
+	require.Equal(t, StatusHealthy, w.Target.GroupStatus[1])
+	require.Equal(t, StatusError, w.Target.GroupStatus[2])
+	require.Len(t, w.Target.ResolvedEndpointIDs, 2)
+}
+
+func TestPlatformFromStackType(t *testing.T) {
+	t.Parallel()
+
+	require.Equal(t, DeploymentPlatformKubernetes, platformFromStackType(portainer.KubernetesStack))
+	require.Equal(t, DeploymentPlatformDockerSwarm, platformFromStackType(portainer.DockerSwarmStack))
+	require.Equal(t, DeploymentPlatformDockerStandalone, platformFromStackType(portainer.DockerComposeStack))
+	require.Equal(t, DeploymentPlatformDockerStandalone, platformFromStackType(portainer.StackType(99)))
+}
+
+func TestResolveEdgeGroupEndpoints_Empty(t *testing.T) {
+	t.Parallel()
+
+	result := resolveEdgeGroupEndpoints(nil, map[portainer.EdgeGroupID][]portainer.EndpointID{})
+	require.Empty(t, result)
+}
+
+func TestResolveEdgeGroupEndpoints_DeduplicatesAcrossGroups(t *testing.T) {
+	t.Parallel()
+
+	groupEndpoints := map[portainer.EdgeGroupID][]portainer.EndpointID{
+		1: {10, 20},
+		2: {20, 30},
+	}
+
+	result := resolveEdgeGroupEndpoints([]portainer.EdgeGroupID{1, 2}, groupEndpoints)
+
+	require.Len(t, result, 3)
+}
+
+func TestIsEdgeStackHealthyStatus(t *testing.T) {
+	t.Parallel()
+
+	healthyTypes := []portainer.EdgeStackStatusType{
+		portainer.EdgeStackStatusRunning,
+		portainer.EdgeStackStatusRolledBack,
+		portainer.EdgeStackStatusCompleted,
+		portainer.EdgeStackStatusRemoved,
+		portainer.EdgeStackStatusRemoteUpdateSuccess,
+	}
+	for _, typ := range healthyTypes {
+		require.True(t, isEdgeStackHealthyStatus(typ))
+	}
+
+	unhealthyTypes := []portainer.EdgeStackStatusType{
+		portainer.EdgeStackStatusError,
+		portainer.EdgeStackStatusDeploying,
+		portainer.EdgeStackStatusPending,
+	}
+	for _, typ := range unhealthyTypes {
+		require.False(t, isEdgeStackHealthyStatus(typ))
+	}
+}

api/gitops/workflows/source_artifact.go

@@ -0,0 +1,397 @@
+package workflows
+
+import (
+	"fmt"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/portainer/portainer/api/set"
+)
+
+// gitSourceStore is the minimal intersection of CE and EE DataStoreTx that these functions need.
+// Both EE and CE DataStoreTx satisfy it, even though they are incompatible as full interface types.
+type gitSourceStore interface {
+	Workflow() dataservices.WorkflowService
+	Source() dataservices.SourceService
+}
+
+// GitSourceAndArtifactForStack returns the git Source and the ArtifactFile matching stackID
+// from the workflow identified by workflowID.
+// Source carries the shared fields (URL, auth, TLS); ArtifactFile carries the file-specific fields (ref, path, hash).
+// Returns nil, nil, nil when workflowID is 0 or no matching entry is found.
+func GitSourceAndArtifactForStack(tx gitSourceStore, workflowID portainer.WorkflowID, stackID portainer.StackID) (*portainer.Source, *portainer.ArtifactFile, error) {
+	if workflowID == 0 {
+		return nil, nil, nil
+	}
+
+	wf, err := tx.Workflow().Read(workflowID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	sourceMap, err := loadWorkflowSources(tx, wf)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for i, as := range wf.Artifacts {
+		if as.StackID != stackID {
+			continue
+		}
+
+		for j, file := range as.Files {
+			src, ok := sourceMap[file.SourceID]
+			if !ok {
+				continue
+			}
+
+			if src.Type == portainer.SourceTypeGit {
+				return &src, &wf.Artifacts[i].Files[j], nil
+			}
+		}
+	}
+
+	return nil, nil, nil
+}
+
+// GitSourceAndArtifactForEdgeStack returns the git Source and the ArtifactFile matching edgeStackID.
+// Returns nil, nil, nil when workflowID is 0 or no matching entry is found.
+func GitSourceAndArtifactForEdgeStack(tx gitSourceStore, workflowID portainer.WorkflowID, edgeStackID portainer.EdgeStackID) (*portainer.Source, *portainer.ArtifactFile, error) {
+	if workflowID == 0 {
+		return nil, nil, nil
+	}
+
+	wf, err := tx.Workflow().Read(workflowID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	sourceMap, err := loadWorkflowSources(tx, wf)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for i, as := range wf.Artifacts {
+		if as.EdgeStackID != edgeStackID {
+			continue
+		}
+
+		for j, file := range as.Files {
+			src, ok := sourceMap[file.SourceID]
+			if !ok {
+				continue
+			}
+
+			if src.Type == portainer.SourceTypeGit {
+				return &src, &wf.Artifacts[i].Files[j], nil
+			}
+		}
+	}
+
+	return nil, nil, nil
+}
+
+// MergeSourceAndFile builds a RepoConfig by combining shared fields from src (URL, auth, TLS)
+// with file-specific fields from file (ref, path, hash).
+func MergeSourceAndFile(src *portainer.Source, file *portainer.ArtifactFile) *gittypes.RepoConfig {
+	if src == nil || src.Git == nil {
+		return nil
+	}
+
+	cfg := &gittypes.RepoConfig{
+		URL:            src.Git.URL,
+		Authentication: src.Git.Authentication,
+		TLSSkipVerify:  src.Git.TLSSkipVerify,
+	}
+
+	if file != nil {
+		cfg.ReferenceName = file.Ref
+		cfg.ConfigFilePath = file.Path
+		cfg.ConfigHash = file.Hash
+	}
+
+	return cfg
+}
+
+// UpdateArtifactFileForStack finds the ArtifactFile matching stackID and sourceID in the workflow
+// and applies fn to it, then persists the updated Workflow.
+// A no-op if no matching artifact or file is found.
+func UpdateArtifactFileForStack(tx gitSourceStore, workflowID portainer.WorkflowID, stackID portainer.StackID, sourceID portainer.SourceID, fn func(*portainer.ArtifactFile)) error {
+	wf, err := tx.Workflow().Read(workflowID)
+	if err != nil {
+		return err
+	}
+
+	for i, as := range wf.Artifacts {
+		if as.StackID != stackID {
+			continue
+		}
+
+		for j, file := range as.Files {
+			if file.SourceID == sourceID {
+				fn(&wf.Artifacts[i].Files[j])
+
+				return tx.Workflow().Update(workflowID, wf)
+			}
+		}
+	}
+
+	return nil
+}
+
+// UpdateArtifactFileForEdgeStack finds the ArtifactFile matching edgeStackID and sourceID in the workflow
+// and applies fn to it, then persists the updated Workflow.
+// A no-op if no matching artifact or file is found.
+func UpdateArtifactFileForEdgeStack(tx gitSourceStore, workflowID portainer.WorkflowID, edgeStackID portainer.EdgeStackID, sourceID portainer.SourceID, fn func(*portainer.ArtifactFile)) error {
+	wf, err := tx.Workflow().Read(workflowID)
+	if err != nil {
+		return err
+	}
+
+	for i, as := range wf.Artifacts {
+		if as.EdgeStackID != edgeStackID {
+			continue
+		}
+
+		for j, file := range as.Files {
+			if file.SourceID == sourceID {
+				fn(&wf.Artifacts[i].Files[j])
+
+				return tx.Workflow().Update(workflowID, wf)
+			}
+		}
+	}
+
+	return nil
+}
+
+// FindOrCreateGitSource returns an existing Source whose URL and authentication match cfg,
+// or creates a new one. Only URL, authentication, and TLSSkipVerify are stored on the Source;
+// per-stack fields (ReferenceName, ConfigFilePath, ConfigHash) belong in the Artifact.
+func FindOrCreateGitSource(tx gitSourceStore, src *portainer.Source) (*portainer.Source, error) {
+	src.Git.URL = gittypes.SanitizeURL(src.Git.URL)
+
+	existing, err := tx.Source().ReadAll(func(s portainer.Source) bool {
+		return s.Type == portainer.SourceTypeGit &&
+			s.Git != nil &&
+			s.Git.URL == src.Git.URL &&
+			gitAuthMatches(s.Git.Authentication, src.Git.Authentication)
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if len(existing) > 0 {
+		return &existing[0], nil
+	}
+
+	toCreate := &portainer.Source{
+		Name: src.Name,
+		Type: portainer.SourceTypeGit,
+		Git: &gittypes.RepoConfig{
+			URL:            src.Git.URL,
+			Authentication: src.Git.Authentication,
+			TLSSkipVerify:  src.Git.TLSSkipVerify,
+		},
+	}
+
+	if err := tx.Source().Create(toCreate); err != nil {
+		return nil, err
+	}
+
+	return toCreate, nil
+}
+
+// SaveWorkflowGitConfig persists URL/auth/TLS on the Source and ref/path/hash on the Artifact
+// matched by matchArtifact. When the URL changes, an existing or new Source is located via
+// FindOrCreateGitSource and the Workflow's SourceID is updated atomically alongside the Artifact fields.
+func SaveWorkflowGitConfig(tx gitSourceStore, workflowID portainer.WorkflowID, matchArtifact func(portainer.Artifact) bool, oldSourceID portainer.SourceID, cfg *gittypes.RepoConfig) error {
+	src, err := tx.Source().Read(oldSourceID)
+	if err != nil {
+		return fmt.Errorf("failed to read source: %w", err)
+	}
+
+	if src.Git == nil {
+		return fmt.Errorf("source %d has no git configuration", oldSourceID)
+	}
+
+	newSourceID := oldSourceID
+
+	if cfg.URL != src.Git.URL {
+		newSrc, err := FindOrCreateGitSource(tx, &portainer.Source{
+			Name: gittypes.RepoName(cfg.URL),
+			Type: portainer.SourceTypeGit,
+			Git:  cfg,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to find or create source: %w", err)
+		}
+
+		newSourceID = newSrc.ID
+	} else {
+		src.Git.Authentication = cfg.Authentication
+		src.Git.TLSSkipVerify = cfg.TLSSkipVerify
+
+		if err := tx.Source().Update(src.ID, src); err != nil {
+			return fmt.Errorf("failed to update source: %w", err)
+		}
+	}
+
+	return SaveWorkflowArtifact(tx, workflowID, matchArtifact, oldSourceID, portainer.ArtifactFile{
+		SourceID: newSourceID,
+		Ref:      cfg.ReferenceName,
+		Path:     cfg.ConfigFilePath,
+		Hash:     cfg.ConfigHash,
+	})
+}
+
+// SaveWorkflowArtifact replaces the ArtifactFile referencing oldSourceID on the Artifact matched by
+// matchArtifact with update (its SourceID may repoint the Artifact to a different Source). It does not
+// modify any Source's git config — the caller is responsible for ensuring update.SourceID
+// references a valid existing Source.
+func SaveWorkflowArtifact(tx gitSourceStore, workflowID portainer.WorkflowID, matchArtifact func(portainer.Artifact) bool, oldSourceID portainer.SourceID, update portainer.ArtifactFile) error {
+	wf, err := tx.Workflow().Read(workflowID)
+	if err != nil {
+		return fmt.Errorf("failed to read workflow: %w", err)
+	}
+
+	for i, as := range wf.Artifacts {
+		if !matchArtifact(as) {
+			continue
+		}
+
+		for j, file := range as.Files {
+			if file.SourceID != oldSourceID {
+				continue
+			}
+
+			f := &wf.Artifacts[i].Files[j]
+			f.SourceID = update.SourceID
+			f.Ref = update.Ref
+			f.Path = update.Path
+			f.Hash = update.Hash
+
+			break
+		}
+
+		break
+	}
+
+	return tx.Workflow().Update(workflowID, wf)
+}
+
+// LoadWorkflowMap fetches workflows by their IDs and returns them keyed by ID.
+func LoadWorkflowMap(tx gitSourceStore, ids set.Set[portainer.WorkflowID]) (map[portainer.WorkflowID]portainer.Workflow, error) {
+	result := make(map[portainer.WorkflowID]portainer.Workflow, len(ids))
+	for id := range ids {
+		wf, err := tx.Workflow().Read(id)
+		if err != nil {
+			return nil, err
+		}
+		result[id] = *wf
+	}
+
+	return result, nil
+}
+
+// LoadWorkflowAndSourceMaps fetches workflows by their IDs and the sources they reference,
+// collecting source IDs in a single pass over the workflows.
+func LoadWorkflowAndSourceMaps(tx gitSourceStore, ids set.Set[portainer.WorkflowID]) (map[portainer.WorkflowID]portainer.Workflow, map[portainer.SourceID]portainer.Source, error) {
+	wfMap := make(map[portainer.WorkflowID]portainer.Workflow, len(ids))
+	sourceIDs := make(set.Set[portainer.SourceID])
+	for id := range ids {
+		wf, err := tx.Workflow().Read(id)
+		if err != nil {
+			return nil, nil, err
+		}
+		wfMap[id] = *wf
+		for _, as := range wf.Artifacts {
+			for _, f := range as.Files {
+				sourceIDs.Add(f.SourceID)
+			}
+		}
+	}
+
+	srcMap, err := LoadSourceMap(tx, sourceIDs)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return wfMap, srcMap, nil
+}
+
+// loadWorkflowSources collects all unique SourceIDs referenced by wf and returns them as a map.
+// This avoids reading the same Source record more than once when files share a SourceID.
+func loadWorkflowSources(tx gitSourceStore, wf *portainer.Workflow) (map[portainer.SourceID]portainer.Source, error) {
+	ids := make(set.Set[portainer.SourceID])
+	for _, as := range wf.Artifacts {
+		for _, f := range as.Files {
+			ids.Add(f.SourceID)
+		}
+	}
+
+	return LoadSourceMap(tx, ids)
+}
+
+// LoadSourceMap fetches sources by their IDs and returns them keyed by ID.
+func LoadSourceMap(tx gitSourceStore, ids set.Set[portainer.SourceID]) (map[portainer.SourceID]portainer.Source, error) {
+	result := make(map[portainer.SourceID]portainer.Source, len(ids))
+	for id := range ids {
+		src, err := tx.Source().Read(id)
+		if err != nil {
+			return nil, err
+		}
+		result[id] = *src
+	}
+
+	return result, nil
+}
+
+func gitAuthMatches(a, b *gittypes.GitAuthentication) bool {
+	if a == nil && b == nil {
+		return true
+	}
+
+	if a == nil || b == nil {
+		return false
+	}
+
+	return a.Username == b.Username && a.Password == b.Password
+}
+
+// ValidateUniqueSource validates there are no other sources with the same URL and credentials.
+// Pass empty strings for username and password when the source has no authentication.
+func ValidateUniqueSource(tx gitSourceStore, url, username, password string, sourceID portainer.SourceID) (bool, error) {
+	normalizedURL, err := gittypes.NormalizeURL(gittypes.SanitizeURL(url))
+	if err != nil {
+		return false, err
+	}
+
+	existing, err := tx.Source().ReadAll(func(s portainer.Source) bool {
+		if s.ID == sourceID || s.Type != portainer.SourceTypeGit || s.Git == nil {
+			return false
+		}
+
+		normalized, err := gittypes.NormalizeURL(gittypes.SanitizeURL(s.Git.URL))
+		if err != nil || normalized != normalizedURL {
+			return false
+		}
+
+		existingUsername, existingPassword := gitAuthCredentials(s.Git.Authentication)
+		return existingUsername == username && existingPassword == password
+	})
+
+	if err != nil {
+		return false, err
+	}
+
+	return len(existing) == 0, nil
+}
+
+func gitAuthCredentials(auth *gittypes.GitAuthentication) (username, password string) {
+	if auth == nil {
+		return "", ""
+	}
+	return auth.Username, auth.Password
+}

api/gitops/workflows/status_test.go

@@ -111,12 +111,12 @@ func TestDeriveEdgeStackTargetState(t *testing.T) {
 	}{
 		{"empty", nil, StatusUnknown},
 		{"all per-env status slices empty", []portainer.EdgeStackStatusForEnv{{EndpointID: 1}}, StatusUnknown},
-		{"running → healthy", []portainer.EdgeStackStatusForEnv{ep(1, portainer.EdgeStackStatusRunning)}, StatusHealthy},
-		{"deploying → syncing", []portainer.EdgeStackStatusForEnv{ep(1, portainer.EdgeStackStatusDeploying)}, StatusSyncing},
-		{"paused deploying → paused", []portainer.EdgeStackStatusForEnv{ep(1, portainer.EdgeStackStatusPausedDeploying)}, StatusPaused},
+		{"running: healthy", []portainer.EdgeStackStatusForEnv{ep(1, portainer.EdgeStackStatusRunning)}, StatusHealthy},
+		{"deploying: syncing", []portainer.EdgeStackStatusForEnv{ep(1, portainer.EdgeStackStatusDeploying)}, StatusSyncing},
+		{"paused deploying: paused", []portainer.EdgeStackStatusForEnv{ep(1, portainer.EdgeStackStatusPausedDeploying)}, StatusPaused},
 		{"error short-circuits", []portainer.EdgeStackStatusForEnv{ep(1, portainer.EdgeStackStatusError)}, StatusError},
 		{
-			"error + running → error (short-circuit, order matters)",
+			"error + running gives error (short-circuit, order matters)",
 			[]portainer.EdgeStackStatusForEnv{
 				ep(1, portainer.EdgeStackStatusError),
 				ep(2, portainer.EdgeStackStatusRunning),

api/gitops/workflows/types.go

@@ -79,14 +79,14 @@ type WorkflowStatusObject struct {
 }
 
 type Workflow struct {
-	ID           int                           `json:"id"`
-	Name         string                        `json:"name"`
-	Type         Type                          `json:"type"`
-	Platform     DeploymentPlatform            `json:"platform"`
-	Status       WorkflowStatusObject          `json:"status"`
+	ID           int                           `json:"id" validate:"required"`
+	Name         string                        `json:"name" validate:"required"`
+	Type         Type                          `json:"type" validate:"required"`
+	Platform     DeploymentPlatform            `json:"platform" validate:"required"`
+	Status       WorkflowStatusObject          `json:"status" validate:"required"`
 	GitConfig    *gittypes.RepoConfig          `json:"gitConfig,omitempty"`
 	AutoUpdate   *portainer.AutoUpdateSettings `json:"autoUpdate,omitempty"`
-	Target       Target                        `json:"target"`
+	Target       Target                        `json:"target" validate:"required"`
 	CreationDate int64                         `json:"creationDate"`
 	LastSyncDate int64                         `json:"lastSyncDate"`
 }

api/http/client/client.go

@@ -11,6 +11,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/pkg/libhttp/ssrf"
 
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
@@ -114,18 +115,19 @@ func Get(url string, timeout int) ([]byte, error) {
 // using the specified host and optional TLS configuration.
 // It uses a new Http.Client for each operation.
 func ExecutePingOperation(host string, tlsConfiguration portainer.TLSConfiguration) (bool, error) {
-	transport := &http.Transport{}
-
 	scheme := "http"
 
+	var transport *http.Transport
 	if tlsConfiguration.TLS {
 		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(tlsConfiguration)
 		if err != nil {
 			return false, err
 		}
 
-		transport.TLSClientConfig = tlsConfig
 		scheme = "https"
+		transport = ssrf.NewTransport(tlsConfig)
+	} else {
+		transport = ssrf.NewTransport(nil)
 	}
 
 	client := &http.Client{

api/http/handler/backup/handler.go

@@ -22,6 +22,7 @@ type Handler struct {
 	filestorePath   string
 	shutdownTrigger context.CancelFunc
 	adminMonitor    *adminmonitor.Monitor
+	SetupToken      string
 }
 
 // NewHandler creates an new instance of backup handler

api/http/handler/backup/restore.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/pkg/errors"
 	operations "github.com/portainer/portainer/api/backup"
+	"github.com/portainer/portainer/api/http/security/setuptoken"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 )
@@ -20,15 +21,21 @@ type restorePayload struct {
 // @id Restore
 // @summary Triggers a system restore using provided backup file
 // @description Triggers a system restore using provided backup file
-// @description **Access policy**: public
+// @description **Access policy**: public (requires the X-Setup-Token header on an uninitialized instance unless --no-setup-token is set)
 // @tags backup
 // @accept json
+// @param X-Setup-Token header string false "Setup token (required when instance is uninitialized and --no-setup-token is not set)"
 // @param restorePayload body restorePayload true "Restore request payload"
 // @success 200 "Success"
 // @failure 400 "Invalid request"
+// @failure 403 "Access denied - invalid or missing setup token"
 // @failure 500 "Server error"
 // @router /restore [post]
 func (h *Handler) restore(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if err := setuptoken.Validate(r, h.SetupToken); err != nil {
+		return err
+	}
+
 	initialized, err := h.adminMonitor.WasInitialized()
 	if err != nil {
 		return httperror.InternalServerError("Failed to check system initialization", err)

api/http/handler/backup/restore_test.go

@@ -14,6 +14,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/adminmonitor"
 	"github.com/portainer/portainer/api/http/offlinegate"
+	"github.com/portainer/portainer/api/http/security/setuptoken"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 
 	"github.com/stretchr/testify/assert"
@@ -126,6 +127,45 @@ func backup(t *testing.T, h *Handler, password string) []byte {
 	return archive
 }
 
+func Test_restore_setupTokenGate(t *testing.T) {
+	t.Parallel()
+	datastore := testhelpers.NewDatastore(
+		testhelpers.WithUsers([]portainer.User{}),
+		testhelpers.WithEdgeJobs([]portainer.EdgeJob{}),
+	)
+	adminMonitor := adminmonitor.New(time.Hour, datastore)
+	h := NewHandler(
+		testhelpers.NewTestRequestBouncer(),
+		datastore,
+		offlinegate.NewOfflineGate(),
+		prepareFilestorePath(t),
+		func() {},
+		adminMonitor,
+	)
+	h.SetupToken = "secret-token"
+
+	t.Run("403 without token header", func(t *testing.T) {
+		err := h.restore(httptest.NewRecorder(), prepareMultipartRequest(t, "", []byte("x")))
+		require.Error(t, err)
+		assert.Equal(t, http.StatusForbidden, err.StatusCode)
+	})
+
+	t.Run("403 with wrong token", func(t *testing.T) {
+		r := prepareMultipartRequest(t, "", []byte("x"))
+		r.Header.Set(setuptoken.HeaderName, "wrong")
+		err := h.restore(httptest.NewRecorder(), r)
+		require.Error(t, err)
+		assert.Equal(t, http.StatusForbidden, err.StatusCode)
+	})
+
+	t.Run("passes gate with correct token", func(t *testing.T) {
+		archive := backup(t, h, "")
+		r := prepareMultipartRequest(t, "", archive)
+		r.Header.Set(setuptoken.HeaderName, "secret-token")
+		require.Nil(t, h.restore(httptest.NewRecorder(), r))
+	})
+}
+
 func prepareMultipartRequest(t *testing.T, password string, file []byte) *http.Request {
 	var body bytes.Buffer
 

api/http/handler/customtemplates/customtemplate_create.go

@@ -5,18 +5,21 @@ import (
 	"errors"
 	"net/http"
 	"os"
-	"regexp"
 	"strconv"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/portainer/portainer/api/gitops/sources"
+	"github.com/portainer/portainer/api/gitops/workflows"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/stacks/stackutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/libhttp/ssrf"
 	"github.com/portainer/portainer/pkg/validate"
 
 	"github.com/rs/zerolog/log"
@@ -41,30 +44,39 @@ func (handler *Handler) customTemplateCreate(w http.ResponseWriter, r *http.Requ
 
 	customTemplate.CreatedByUserID = tokenData.ID
 
-	customTemplates, err := handler.DataStore.CustomTemplate().ReadAll()
+	err = handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		return createCustomTemplateTx(tx, customTemplate, tokenData.ID)
+	})
+
+	return response.TxResponse(w, customTemplate, err)
+}
+
+func createCustomTemplateTx(tx dataservices.DataStoreTx, customTemplate *portainer.CustomTemplate, userID portainer.UserID) error {
+	existingTemplates, err := tx.CustomTemplate().ReadAll()
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve custom templates from the database", err)
 	}
 
-	for _, existingTemplate := range customTemplates {
-		if existingTemplate.Title == customTemplate.Title {
+	for _, existing := range existingTemplates {
+		if existing.Title == customTemplate.Title {
 			return httperror.InternalServerError("Template name must be unique", errors.New("Template name must be unique"))
 		}
 	}
 
-	if err := handler.DataStore.CustomTemplate().Create(customTemplate); err != nil {
+	if err := tx.CustomTemplate().Create(customTemplate); err != nil {
 		return httperror.InternalServerError("Unable to create custom template", err)
 	}
 
-	resourceControl := authorization.NewPrivateResourceControl(strconv.Itoa(int(customTemplate.ID)), portainer.CustomTemplateResourceControl, tokenData.ID)
+	resourceControl := authorization.NewPrivateResourceControl(strconv.Itoa(int(customTemplate.ID)), portainer.CustomTemplateResourceControl, userID)
 
-	if err := handler.DataStore.ResourceControl().Create(resourceControl); err != nil {
+	if err := tx.ResourceControl().Create(resourceControl); err != nil {
 		return httperror.InternalServerError("Unable to persist resource control inside the database", err)
 	}
 
 	customTemplate.ResourceControl = resourceControl
+	populateGitConfig(tx, customTemplate)
 
-	return response.JSON(w, customTemplate)
+	return nil
 }
 
 func (handler *Handler) createCustomTemplate(method string, r *http.Request) (*portainer.CustomTemplate, error) {
@@ -122,19 +134,11 @@ func (payload *customTemplateFromFileContentPayload) Validate(r *http.Request) e
 	if payload.Type != portainer.KubernetesStack && payload.Type != portainer.DockerSwarmStack && payload.Type != portainer.DockerComposeStack {
 		return errors.New("Invalid custom template type")
 	}
-	if !isValidNote(payload.Note) {
+	if !IsValidNote(payload.Note) {
 		return errors.New("Invalid note. <img> tag is not supported")
 	}
 
-	return validateVariablesDefinitions(payload.Variables)
-}
-
-func isValidNote(note string) bool {
-	if len(note) == 0 {
-		return true
-	}
-	match, _ := regexp.MatchString("<img", note)
-	return !match
+	return ValidateVariablesDefinitions(payload.Variables)
 }
 
 // @id CustomTemplateCreateString
@@ -200,21 +204,24 @@ type customTemplateFromGitRepositoryPayload struct {
 	// * 3 - kubernetes
 	Type portainer.StackType `example:"1" enums:"1,2" validate:"required"`
 
-	// URL of a Git repository hosting the Stack file
-	RepositoryURL string `example:"https://github.com/openfaas/faas" validate:"required"`
+	// SourceID references an existing Source for git credentials/URL.
+	// When set, the inline URL and authentication fields are ignored.
+	SourceID portainer.SourceID `example:"1" validate:"required"`
+	// Deprecated: use SourceID instead. URL of a Git repository hosting the Stack file.
+	RepositoryURL string `example:"https://github.com/openfaas/faas"`
 	// Reference name of a Git repository hosting the Stack file
 	RepositoryReferenceName string `example:"refs/heads/master"`
-	// Use basic authentication to clone the Git repository
+	// Deprecated: use SourceID instead. Use basic authentication to clone the Git repository.
 	RepositoryAuthentication bool `example:"true"`
-	// Username used in basic authentication. Required when RepositoryAuthentication is true.
+	// Deprecated: use SourceID instead. Username used in basic authentication. Required when RepositoryAuthentication is true.
 	RepositoryUsername string `example:"myGitUsername"`
-	// Password used in basic authentication. Required when RepositoryAuthentication is true.
+	// Deprecated: use SourceID instead. Password used in basic authentication. Required when RepositoryAuthentication is true.
 	RepositoryPassword string `example:"myGitPassword"`
 	// Path to the Stack file inside the Git repository
 	ComposeFilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
 	// Definitions of variables in the stack file
 	Variables []portainer.CustomTemplateVariableDefinition
-	// TLSSkipVerify skips SSL verification when cloning the Git repository
+	// Deprecated: use SourceID instead. TLSSkipVerify skips SSL verification when cloning the Git repository.
 	TLSSkipVerify bool `example:"false"`
 	// IsComposeFormat indicates if the Kubernetes template is created from a Docker Compose file
 	IsComposeFormat bool `example:"false"`
@@ -229,11 +236,13 @@ func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request)
 	if len(payload.Description) == 0 {
 		return errors.New("Invalid custom template description")
 	}
-	if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
-		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
-	}
-	if payload.RepositoryAuthentication && (len(payload.RepositoryUsername) == 0 || len(payload.RepositoryPassword) == 0) {
-		return errors.New("Invalid repository credentials. Username and password must be specified when authentication is enabled")
+	if payload.SourceID == 0 {
+		if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
+			return errors.New("Invalid repository URL. Must correspond to a valid URL format")
+		}
+		if payload.RepositoryAuthentication && (len(payload.RepositoryUsername) == 0 || len(payload.RepositoryPassword) == 0) {
+			return errors.New("Invalid repository credentials. Username and password must be specified when authentication is enabled")
+		}
 	}
 	if len(payload.ComposeFilePathInRepository) == 0 {
 		payload.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
@@ -246,11 +255,11 @@ func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request)
 	if payload.Type != portainer.DockerSwarmStack && payload.Type != portainer.DockerComposeStack && payload.Type != portainer.KubernetesStack {
 		return errors.New("Invalid custom template type")
 	}
-	if !isValidNote(payload.Note) {
+	if !IsValidNote(payload.Note) {
 		return errors.New("Invalid note. <img> tag is not supported")
 	}
 
-	return validateVariablesDefinitions(payload.Variables)
+	return ValidateVariablesDefinitions(payload.Variables)
 }
 
 // @id CustomTemplateCreateRepository
@@ -293,28 +302,54 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
 	projectPath := getProjectPath()
 	customTemplate.ProjectPath = projectPath
 
-	gitConfig := &gittypes.RepoConfig{
-		URL:            payload.RepositoryURL,
-		ReferenceName:  payload.RepositoryReferenceName,
-		ConfigFilePath: payload.ComposeFilePathInRepository,
-		TLSSkipVerify:  payload.TLSSkipVerify,
+	gitConfig, httpErr := sources.ResolveRepoConfig(handler.DataStore, sources.RepoConfigInput{
+		SourceID:                 payload.SourceID,
+		ReferenceName:            payload.RepositoryReferenceName,
+		ConfigFilePath:           payload.ComposeFilePathInRepository,
+		RepositoryURL:            payload.RepositoryURL,
+		TLSSkipVerify:            payload.TLSSkipVerify,
+		RepositoryAuthentication: payload.RepositoryAuthentication,
+		Username:                 payload.RepositoryUsername,
+		Password:                 payload.RepositoryPassword,
+	})
+	if httpErr != nil {
+		return nil, httpErr
 	}
 
-	if payload.RepositoryAuthentication {
-		gitConfig.Authentication = &gittypes.GitAuthentication{
-			Username: payload.RepositoryUsername,
-			Password: payload.RepositoryPassword,
-		}
+	if err := ssrf.CheckURL(r.Context(), gitConfig.URL); err != nil {
+		return nil, err
 	}
 
-	commitHash, err := stackutils.DownloadGitRepository(context.TODO(), *gitConfig, handler.GitService, getProjectPath)
+	commitHash, err := stackutils.DownloadGitRepository(context.TODO(), gitConfig, handler.GitService, getProjectPath)
 	if err != nil {
 		return nil, err
 	}
 
-	gitConfig.ConfigHash = commitHash
-	customTemplate.GitConfig = gitConfig
+	sourceID := payload.SourceID
+	if sourceID == 0 {
+		src, err := workflows.FindOrCreateGitSource(handler.DataStore, &portainer.Source{
+			Name: gittypes.RepoName(gitConfig.URL),
+			Type: portainer.SourceTypeGit,
+			Git: &gittypes.RepoConfig{
+				URL:            gitConfig.URL,
+				Authentication: gitConfig.Authentication,
+				TLSSkipVerify:  gitConfig.TLSSkipVerify,
+			},
+		})
+		if err != nil {
+			return nil, err
+		}
+		sourceID = src.ID
+	}
 
+	customTemplate.Artifact = &portainer.Artifact{
+		Files: []portainer.ArtifactFile{{
+			SourceID: sourceID,
+			Path:     gitConfig.ConfigFilePath,
+			Ref:      gitConfig.ReferenceName,
+			Hash:     commitHash,
+		}},
+	}
 	isValidProject := true
 	defer func() {
 		if !isValidProject {
@@ -390,7 +425,7 @@ func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) er
 	payload.Logo = logo
 
 	note, _ := request.RetrieveMultiPartFormValue(r, "Note", true)
-	if !isValidNote(note) {
+	if !IsValidNote(note) {
 		return errors.New("Invalid note. <img> tag is not supported")
 	}
 	payload.Note = note
@@ -422,7 +457,7 @@ func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) er
 		if err := json.Unmarshal([]byte(varsString), &payload.Variables); err != nil {
 			return errors.New("Invalid variables. Ensure that the variables are valid JSON")
 		}
-		if err := validateVariablesDefinitions(payload.Variables); err != nil {
+		if err := ValidateVariablesDefinitions(payload.Variables); err != nil {
 			return err
 		}
 	}

api/http/handler/customtemplates/customtemplate_delete.go

@@ -51,6 +51,7 @@ func (handler *Handler) customTemplateDelete(w http.ResponseWriter, r *http.Requ
 		return httperror.InternalServerError("Unable to retrieve a resource control associated to the custom template", err)
 	}
 
+	customTemplate.ResourceControl = resourceControl
 	access := userCanEditTemplate(customTemplate, securityContext)
 	if !access {
 		return httperror.Forbidden("Access denied to resource", httperrors.ErrResourceAccessDenied)

api/http/handler/customtemplates/customtemplate_delete_test.go

@@ -0,0 +1,296 @@
+package customtemplates
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/http/security"
+
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCustomTemplateDelete_NotFound(t *testing.T) {
+	t.Parallel()
+
+	handler, _, _ := newTestHandler(t)
+
+	r := httptest.NewRequest(http.MethodDelete, "/custom_templates/99", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "99"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 1, IsAdmin: true}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateDelete(rr, r)
+	require.NotNil(t, herr)
+	require.Equal(t, http.StatusNotFound, herr.StatusCode)
+}
+
+func TestCustomTemplateDelete_Forbidden(t *testing.T) {
+	t.Parallel()
+
+	handler, store, _ := newTestHandler(t)
+
+	err := store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		err := tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:              1,
+			CreatedByUserID: 1,
+		})
+		require.NoError(t, err)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	// User 2 did not create this template and is not an admin
+	r := httptest.NewRequest(http.MethodDelete, "/custom_templates/1", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "1"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 2}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateDelete(rr, r)
+	require.NotNil(t, herr)
+	require.Equal(t, http.StatusForbidden, herr.StatusCode)
+}
+
+func TestCustomTemplateDelete_CreatorDeniedWhenAdminOnly(t *testing.T) {
+	t.Parallel()
+
+	handler, store, _ := newTestHandler(t)
+
+	err := store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		err := tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:              1,
+			CreatedByUserID: 2,
+		})
+		require.NoError(t, err)
+
+		err = tx.ResourceControl().Create(&portainer.ResourceControl{
+			ID:                 1,
+			ResourceID:         "1",
+			Type:               portainer.CustomTemplateResourceControl,
+			AdministratorsOnly: true,
+		})
+		require.NoError(t, err)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	// User 2 created the template but an admin later changed it to admins-only
+	r := httptest.NewRequest(http.MethodDelete, "/custom_templates/1", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "1"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 2}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateDelete(rr, r)
+	require.NotNil(t, herr)
+	require.Equal(t, http.StatusForbidden, herr.StatusCode)
+}
+
+func TestCustomTemplateDelete_CreatorDeniedWithoutResourceControl(t *testing.T) {
+	t.Parallel()
+
+	handler, store, _ := newTestHandler(t)
+
+	err := store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		return tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:              1,
+			CreatedByUserID: 2,
+		})
+	})
+	require.NoError(t, err)
+
+	// User 2 created this template but there is no resource control
+	r := httptest.NewRequest(http.MethodDelete, "/custom_templates/1", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "1"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 2}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateDelete(rr, r)
+	require.NotNil(t, herr)
+	require.Equal(t, http.StatusForbidden, herr.StatusCode)
+}
+
+func TestCustomTemplateDelete_Success(t *testing.T) {
+	t.Parallel()
+
+	handler, store, _ := newTestHandler(t)
+
+	err := store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		err := tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:              1,
+			CreatedByUserID: 2,
+		})
+		require.NoError(t, err)
+
+		err = tx.ResourceControl().Create(&portainer.ResourceControl{
+			ID:           1,
+			ResourceID:   "1",
+			Type:         portainer.CustomTemplateResourceControl,
+			UserAccesses: []portainer.UserResourceAccess{{UserID: 2}},
+		})
+		require.NoError(t, err)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	r := httptest.NewRequest(http.MethodDelete, "/custom_templates/1", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "1"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 2}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateDelete(rr, r)
+	require.Nil(t, herr)
+	require.Equal(t, http.StatusNoContent, rr.Code)
+
+	err = store.ViewTx(func(tx dataservices.DataStoreTx) error {
+		_, err := tx.CustomTemplate().Read(1)
+		require.True(t, tx.IsErrObjectNotFound(err))
+
+		return nil
+	})
+	require.NoError(t, err)
+}
+
+func TestCustomTemplateDelete_AdminCanDeleteAdminOnly(t *testing.T) {
+	t.Parallel()
+
+	handler, store, _ := newTestHandler(t)
+
+	err := store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		err := tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:              1,
+			CreatedByUserID: 2,
+		})
+		require.NoError(t, err)
+
+		err = tx.ResourceControl().Create(&portainer.ResourceControl{
+			ID:                 1,
+			ResourceID:         "1",
+			Type:               portainer.CustomTemplateResourceControl,
+			AdministratorsOnly: true,
+		})
+		require.NoError(t, err)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	r := httptest.NewRequest(http.MethodDelete, "/custom_templates/1", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "1"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 1, IsAdmin: true}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateDelete(rr, r)
+	require.Nil(t, herr)
+	require.Equal(t, http.StatusNoContent, rr.Code)
+}
+
+func TestCustomTemplateDelete_PublicTemplateAllowsAnyUser(t *testing.T) {
+	t.Parallel()
+
+	handler, store, _ := newTestHandler(t)
+
+	err := store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		err := tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:              1,
+			CreatedByUserID: 1,
+		})
+		require.NoError(t, err)
+
+		err = tx.ResourceControl().Create(&portainer.ResourceControl{
+			ID:         1,
+			ResourceID: "1",
+			Type:       portainer.CustomTemplateResourceControl,
+			Public:     true,
+		})
+		require.NoError(t, err)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	// User 2 is not the creator but the template is public
+	r := httptest.NewRequest(http.MethodDelete, "/custom_templates/1", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "1"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 2}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateDelete(rr, r)
+	require.Nil(t, herr)
+	require.Equal(t, http.StatusNoContent, rr.Code)
+}
+
+func TestCustomTemplateDelete_NonCreatorForbiddenWithPrivateRC(t *testing.T) {
+	t.Parallel()
+
+	handler, store, _ := newTestHandler(t)
+
+	err := store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		err := tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:              1,
+			CreatedByUserID: 1,
+		})
+		require.NoError(t, err)
+
+		err = tx.ResourceControl().Create(&portainer.ResourceControl{
+			ID:           1,
+			ResourceID:   "1",
+			Type:         portainer.CustomTemplateResourceControl,
+			UserAccesses: []portainer.UserResourceAccess{{UserID: 1}},
+		})
+		require.NoError(t, err)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	// User 2 is not the creator and the template has a private resource control
+	r := httptest.NewRequest(http.MethodDelete, "/custom_templates/1", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "1"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 2}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateDelete(rr, r)
+	require.NotNil(t, herr)
+	require.Equal(t, http.StatusForbidden, herr.StatusCode)
+}
+
+func TestCustomTemplateDelete_CreatorDeniedWithoutAccess(t *testing.T) {
+	t.Parallel()
+
+	handler, store, _ := newTestHandler(t)
+
+	err := store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		err := tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:              1,
+			CreatedByUserID: 2,
+		})
+		require.NoError(t, err)
+
+		// RC exists but only grants access to user 3, not the creator (user 2)
+		err = tx.ResourceControl().Create(&portainer.ResourceControl{
+			ID:           1,
+			ResourceID:   "1",
+			Type:         portainer.CustomTemplateResourceControl,
+			UserAccesses: []portainer.UserResourceAccess{{UserID: 3}},
+		})
+		require.NoError(t, err)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	r := httptest.NewRequest(http.MethodDelete, "/custom_templates/1", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "1"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 2}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateDelete(rr, r)
+	require.NotNil(t, herr)
+	require.Equal(t, http.StatusForbidden, herr.StatusCode)
+}

api/http/handler/customtemplates/customtemplate_file.go

@@ -59,12 +59,11 @@ func (handler *Handler) customTemplateFile(w http.ResponseWriter, r *http.Reques
 			return httperror.InternalServerError("Unable to retrieve user info from request context", err)
 		}
 
+		customTemplate.ResourceControl = resourceControl
 		canEdit := userCanEditTemplate(customTemplate, securityContext)
 		hasAccess := false
 
 		if resourceControl != nil {
-			customTemplate.ResourceControl = resourceControl
-
 			teamIDs := slicesx.Map(securityContext.UserMemberships, func(m portainer.TeamMembership) portainer.TeamID {
 				return m.TeamID
 			})
@@ -82,8 +81,8 @@ func (handler *Handler) customTemplateFile(w http.ResponseWriter, r *http.Reques
 	}
 
 	entryPath := customTemplate.EntryPoint
-	if customTemplate.GitConfig != nil {
-		entryPath = customTemplate.GitConfig.ConfigFilePath
+	if customTemplate.Artifact != nil && len(customTemplate.Artifact.Files) > 0 {
+		entryPath = customTemplate.Artifact.Files[0].Path
 	}
 	fileContent, err := handler.FileService.GetFileContent(customTemplate.ProjectPath, entryPath)
 	if err != nil {

api/http/handler/customtemplates/customtemplate_file_test.go

@@ -5,11 +5,13 @@ import (
 	"net/http/httptest"
 	"testing"
 
-	"github.com/gorilla/mux"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+
+	"github.com/gorilla/mux"
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/require"
 )
@@ -33,7 +35,8 @@ func TestCustomTemplateFile(t *testing.T) {
 		require.NoError(t, err)
 		require.NoError(t, tx.CustomTemplate().Create(&portainer.CustomTemplate{ID: 2, EntryPoint: templateEntrypoint, ProjectPath: path}))
 
-		require.NoError(t, tx.ResourceControl().Create(&portainer.ResourceControl{ID: 1, ResourceID: "2", Type: portainer.CustomTemplateResourceControl,
+		require.NoError(t, tx.ResourceControl().Create(&portainer.ResourceControl{
+			ID: 1, ResourceID: "2", Type: portainer.CustomTemplateResourceControl,
 			UserAccesses: []portainer.UserResourceAccess{{UserID: 2}},
 			TeamAccesses: []portainer.TeamResourceAccess{{TeamID: 1}},
 		}))
@@ -59,6 +62,7 @@ func TestCustomTemplateFile(t *testing.T) {
 		rr, r := test("1", &security.RestrictedRequestContext{UserID: 1, IsAdmin: true})
 		require.Nil(t, r)
 		require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
 		var res struct{ FileContent string }
 		require.NoError(t, json.NewDecoder(rr.Body).Decode(&res))
 		require.Equal(t, templateContent, res.FileContent)
@@ -74,6 +78,7 @@ func TestCustomTemplateFile(t *testing.T) {
 		rr, r := test("2", &security.RestrictedRequestContext{UserID: 2})
 		require.Nil(t, r)
 		require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
 		var res struct{ FileContent string }
 		require.NoError(t, json.NewDecoder(rr.Body).Decode(&res))
 		require.Equal(t, templateContent, res.FileContent)
@@ -83,6 +88,7 @@ func TestCustomTemplateFile(t *testing.T) {
 		rr, r := test("2", &security.RestrictedRequestContext{UserID: 3, UserMemberships: []portainer.TeamMembership{{ID: 1, UserID: 3, TeamID: 1}}})
 		require.Nil(t, r)
 		require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
 		var res struct{ FileContent string }
 		require.NoError(t, json.NewDecoder(rr.Body).Decode(&res))
 		require.Equal(t, templateContent, res.FileContent)
@@ -94,3 +100,85 @@ func TestCustomTemplateFile(t *testing.T) {
 		require.Equal(t, http.StatusForbidden, r.StatusCode)
 	})
 }
+
+func TestCustomTemplateFile_CreatorDeniedWhenAdminOnly(t *testing.T) {
+	t.Parallel()
+
+	handler, store, fs := newTestHandler(t)
+
+	err := store.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		path, err := fs.StoreCustomTemplateFileFromBytes("5", "entrypoint", []byte("content"))
+		require.NoError(t, err)
+
+		err = tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:              5,
+			EntryPoint:      "entrypoint",
+			ProjectPath:     path,
+			CreatedByUserID: 2,
+		})
+		require.NoError(t, err)
+
+		err = tx.ResourceControl().Create(&portainer.ResourceControl{
+			ID:                 5,
+			ResourceID:         "5",
+			Type:               portainer.CustomTemplateResourceControl,
+			AdministratorsOnly: true,
+		})
+		require.NoError(t, err)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	r := httptest.NewRequest(http.MethodGet, "/custom_templates/5/file", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "5"})
+	r = r.WithContext(security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 2}))
+	rr := httptest.NewRecorder()
+
+	herr := handler.customTemplateFile(rr, r)
+	require.NotNil(t, herr)
+	require.Equal(t, http.StatusForbidden, herr.StatusCode)
+}
+
+func TestCustomTemplateFile_GitTemplate(t *testing.T) {
+	t.Parallel()
+
+	handler, ds, fs := newTestHandler(t)
+
+	templateContent := "git template content"
+	configFilePath := "docker-compose.yml"
+
+	require.NoError(t, ds.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		src := &portainer.Source{
+			Type: portainer.SourceTypeGit,
+			Git:  &gittypes.RepoConfig{URL: "https://github.com/example/repo"},
+		}
+		err := tx.Source().Create(src)
+		require.NoError(t, err)
+
+		path, err := fs.StoreCustomTemplateFileFromBytes("10", configFilePath, []byte(templateContent))
+		require.NoError(t, err)
+
+		return tx.CustomTemplate().Create(&portainer.CustomTemplate{
+			ID:          10,
+			EntryPoint:  "should-not-be-used.yml",
+			ProjectPath: path,
+			Artifact: &portainer.Artifact{
+				Files: []portainer.ArtifactFile{{Path: configFilePath, SourceID: src.ID}},
+			},
+		})
+	}))
+
+	r := httptest.NewRequest(http.MethodGet, "/custom_templates/10/file", nil)
+	r = mux.SetURLVars(r, map[string]string{"id": "10"})
+	ctx := security.StoreRestrictedRequestContext(r, &security.RestrictedRequestContext{UserID: 1, IsAdmin: true})
+	r = r.WithContext(ctx)
+	rr := httptest.NewRecorder()
+	herr := handler.customTemplateFile(rr, r)
+	require.Nil(t, herr)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var res struct{ FileContent string }
+	require.NoError(t, json.NewDecoder(rr.Body).Decode(&res))
+	require.Equal(t, templateContent, res.FileContent)
+}