feat(api): add credential_proxy to secrets, remove format from environment spec

stainless-app[bot] · stainless-app[bot] · commit 349a1bab3893 · 2026-05-08T10:58:45.000Z
diff --git a/.stats.yml b/.stats.yml
@@ -1,4 +1,4 @@
 configured_endpoints: 193
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod/gitpod-771a93472886d9a5ad2f4322a3585a6006eeea484e04d9e610a6b6f5afc12c7b.yml
-openapi_spec_hash: f44f26ac4d487d9831848a729032dc51
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod/gitpod-22142c64382973b366500f7fd197f8baa74d441cc7418b74306700c23031ff21.yml
+openapi_spec_hash: 2d481c6c65d22f4de3c52beb496cb0bd
 config_hash: a5dff404dcc41293fdc9d3a131a6f2e3
diff --git a/src/gitpod/resources/secrets.py b/src/gitpod/resources/secrets.py
@@ -56,6 +56,7 @@ def create(
         *,
         api_only: bool | Omit = omit,
         container_registry_basic_auth_host: str | Omit = omit,
+        credential_proxy: secret_create_params.CredentialProxy | Omit = omit,
         environment_variable: bool | Omit = omit,
         file_path: str | Omit = omit,
         name: str | Omit = omit,
@@ -122,6 +123,13 @@ def create(
           container_registry_basic_auth_host: secret will be mounted as a docker config in the environment VM, mount will have
               the docker registry host
 
+          credential_proxy: credential_proxy configures transparent credential injection when environments
+              materialize this secret. When set, the credential proxy intercepts HTTPS traffic
+              to the target hosts and replaces the dummy mounted value with the real value in
+              the specified HTTP header. The real secret value is never exposed in the
+              environment. This field is orthogonal to mount — a secret can be both mounted
+              and proxied at the same time.
+
           environment_variable: secret will be created as an Environment Variable with the same name as the
               secret
 
@@ -152,6 +160,7 @@ def create(
                 {
                     "api_only": api_only,
                     "container_registry_basic_auth_host": container_registry_basic_auth_host,
+                    "credential_proxy": credential_proxy,
                     "environment_variable": environment_variable,
                     "file_path": file_path,
                     "name": name,
@@ -432,6 +441,7 @@ async def create(
         *,
         api_only: bool | Omit = omit,
         container_registry_basic_auth_host: str | Omit = omit,
+        credential_proxy: secret_create_params.CredentialProxy | Omit = omit,
         environment_variable: bool | Omit = omit,
         file_path: str | Omit = omit,
         name: str | Omit = omit,
@@ -498,6 +508,13 @@ async def create(
           container_registry_basic_auth_host: secret will be mounted as a docker config in the environment VM, mount will have
               the docker registry host
 
+          credential_proxy: credential_proxy configures transparent credential injection when environments
+              materialize this secret. When set, the credential proxy intercepts HTTPS traffic
+              to the target hosts and replaces the dummy mounted value with the real value in
+              the specified HTTP header. The real secret value is never exposed in the
+              environment. This field is orthogonal to mount — a secret can be both mounted
+              and proxied at the same time.
+
           environment_variable: secret will be created as an Environment Variable with the same name as the
               secret
 
@@ -528,6 +545,7 @@ async def create(
                 {
                     "api_only": api_only,
                     "container_registry_basic_auth_host": container_registry_basic_auth_host,
+                    "credential_proxy": credential_proxy,
                     "environment_variable": environment_variable,
                     "file_path": file_path,
                     "name": name,
diff --git a/src/gitpod/types/environment_spec.py b/src/gitpod/types/environment_spec.py
@@ -144,12 +144,6 @@ class SecretCredentialProxy(BaseModel):
      as a git credential) and proxied at the same time.
     """
 
-    format: Optional[Literal["FORMAT_UNSPECIFIED", "FORMAT_PLAIN", "FORMAT_BASE64"]] = None
-    """format describes how the secret value is encoded.
-
-    The proxy uses this to decode the value before injecting it into the header.
-    """
-
     header: Optional[str] = None
     """header is the HTTP header name to inject (e.g. "Authorization")."""
 
diff --git a/src/gitpod/types/environment_spec_param.py b/src/gitpod/types/environment_spec_param.py
@@ -152,12 +152,6 @@ class SecretCredentialProxy(TypedDict, total=False):
      as a git credential) and proxied at the same time.
     """
 
-    format: Literal["FORMAT_UNSPECIFIED", "FORMAT_PLAIN", "FORMAT_BASE64"]
-    """format describes how the secret value is encoded.
-
-    The proxy uses this to decode the value before injecting it into the header.
-    """
-
     header: str
     """header is the HTTP header name to inject (e.g. "Authorization")."""
 
diff --git a/src/gitpod/types/secret.py b/src/gitpod/types/secret.py
@@ -1,6 +1,6 @@
 # File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
 
-from typing import Optional
+from typing import List, Optional
 from datetime import datetime
 
 from pydantic import Field as FieldInfo
@@ -9,7 +9,28 @@
 from .secret_scope import SecretScope
 from .shared.subject import Subject
 
-__all__ = ["Secret"]
+__all__ = ["Secret", "CredentialProxy"]
+
+
+class CredentialProxy(BaseModel):
+    """
+    credential_proxy configures transparent credential injection via the
+     credential proxy. When set, the credential proxy intercepts HTTPS
+     traffic to the target hosts and replaces the dummy mounted value with
+     the real value in the specified HTTP header. The real secret value is
+     never exposed in the environment.
+     This field is orthogonal to mount — a secret can be both mounted and
+     proxied at the same time.
+    """
+
+    header: Optional[str] = None
+    """header is the HTTP header name to inject (e.g. "Authorization")."""
+
+    target_hosts: Optional[List[str]] = FieldInfo(alias="targetHosts", default=None)
+    """
+    target_hosts lists the hostnames to intercept (for example "github.com" or
+    "\\**.github.com"). Wildcards are subdomain-only and do not match the apex domain.
+    """
 
 
 class Secret(BaseModel):
@@ -116,6 +137,16 @@ class Secret(BaseModel):
     creator: Optional[Subject] = None
     """creator is the identity of the creator of the secret"""
 
+    credential_proxy: Optional[CredentialProxy] = FieldInfo(alias="credentialProxy", default=None)
+    """
+    credential_proxy configures transparent credential injection via the credential
+    proxy. When set, the credential proxy intercepts HTTPS traffic to the target
+    hosts and replaces the dummy mounted value with the real value in the specified
+    HTTP header. The real secret value is never exposed in the environment. This
+    field is orthogonal to mount — a secret can be both mounted and proxied at the
+    same time.
+    """
+
     environment_variable: Optional[bool] = FieldInfo(alias="environmentVariable", default=None)
     """
     secret will be created as an Environment Variable with the same name as the
diff --git a/src/gitpod/types/secret_create_params.py b/src/gitpod/types/secret_create_params.py
@@ -4,10 +4,11 @@
 
 from typing_extensions import Annotated, TypedDict
 
+from .._types import SequenceNotStr
 from .._utils import PropertyInfo
 from .secret_scope_param import SecretScopeParam
 
-__all__ = ["SecretCreateParams"]
+__all__ = ["SecretCreateParams", "CredentialProxy"]
 
 
 class SecretCreateParams(TypedDict, total=False):
@@ -24,6 +25,16 @@ class SecretCreateParams(TypedDict, total=False):
     the docker registry host
     """
 
+    credential_proxy: Annotated[CredentialProxy, PropertyInfo(alias="credentialProxy")]
+    """
+    credential_proxy configures transparent credential injection when environments
+    materialize this secret. When set, the credential proxy intercepts HTTPS traffic
+    to the target hosts and replaces the dummy mounted value with the real value in
+    the specified HTTP header. The real secret value is never exposed in the
+    environment. This field is orthogonal to mount — a secret can be both mounted
+    and proxied at the same time.
+    """
+
     environment_variable: Annotated[bool, PropertyInfo(alias="environmentVariable")]
     """
     secret will be created as an Environment Variable with the same name as the
@@ -52,3 +63,24 @@ class SecretCreateParams(TypedDict, total=False):
 
     value: str
     """value is the plaintext value of the secret"""
+
+
+class CredentialProxy(TypedDict, total=False):
+    """
+    credential_proxy configures transparent credential injection when
+     environments materialize this secret. When set, the credential proxy
+     intercepts HTTPS traffic to the target hosts and replaces the dummy
+     mounted value with the real value in the specified HTTP header. The real
+     secret value is never exposed in the environment.
+     This field is orthogonal to mount — a secret can be both mounted and
+     proxied at the same time.
+    """
+
+    header: str
+    """header is the HTTP header name to inject (e.g. "Authorization")."""
+
+    target_hosts: Annotated[SequenceNotStr[str], PropertyInfo(alias="targetHosts")]
+    """
+    target_hosts lists the hostnames to intercept (for example "github.com" or
+    "\\**.github.com"). Wildcards are subdomain-only and do not match the apex domain.
+    """
diff --git a/tests/api_resources/test_environments.py b/tests/api_resources/test_environments.py
@@ -108,7 +108,6 @@ def test_method_create_with_all_params(self, client: Gitpod) -> None:
                         "api_only": True,
                         "container_registry_basic_auth_host": "containerRegistryBasicAuthHost",
                         "credential_proxy": {
-                            "format": "FORMAT_UNSPECIFIED",
                             "header": "header",
                             "target_hosts": ["string"],
                         },
@@ -487,7 +486,6 @@ def test_method_create_from_project_with_all_params(self, client: Gitpod) -> Non
                         "api_only": True,
                         "container_registry_basic_auth_host": "containerRegistryBasicAuthHost",
                         "credential_proxy": {
-                            "format": "FORMAT_UNSPECIFIED",
                             "header": "header",
                             "target_hosts": ["string"],
                         },
@@ -808,7 +806,6 @@ async def test_method_create_with_all_params(self, async_client: AsyncGitpod) ->
                         "api_only": True,
                         "container_registry_basic_auth_host": "containerRegistryBasicAuthHost",
                         "credential_proxy": {
-                            "format": "FORMAT_UNSPECIFIED",
                             "header": "header",
                             "target_hosts": ["string"],
                         },
@@ -1187,7 +1184,6 @@ async def test_method_create_from_project_with_all_params(self, async_client: As
                         "api_only": True,
                         "container_registry_basic_auth_host": "containerRegistryBasicAuthHost",
                         "credential_proxy": {
-                            "format": "FORMAT_UNSPECIFIED",
                             "header": "header",
                             "target_hosts": ["string"],
                         },
diff --git a/tests/api_resources/test_secrets.py b/tests/api_resources/test_secrets.py
@@ -34,6 +34,10 @@ def test_method_create_with_all_params(self, client: Gitpod) -> None:
         secret = client.secrets.create(
             api_only=True,
             container_registry_basic_auth_host="containerRegistryBasicAuthHost",
+            credential_proxy={
+                "header": "header",
+                "target_hosts": ["string"],
+            },
             environment_variable=True,
             file_path="filePath",
             name="DATABASE_URL",
@@ -247,6 +251,10 @@ async def test_method_create_with_all_params(self, async_client: AsyncGitpod) ->
         secret = await async_client.secrets.create(
             api_only=True,
             container_registry_basic_auth_host="containerRegistryBasicAuthHost",
+            credential_proxy={
+                "header": "header",
+                "target_hosts": ["string"],
+            },
             environment_variable=True,
             file_path="filePath",
             name="DATABASE_URL",
