Menú
MUST use when using the CLI, including debugging job failures and inspecting run history via `wmill job`.
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
MUST use when writing Bun/TypeScript scripts.
MUST use when writing Bun Native scripts. The script must start with //native to run on the native worker.
MUST use when writing Deno/TypeScript scripts.
MUST use when writing Python scripts.
MUST use when writing Ansible playbooks.
MUST use when creating raw apps.
| name | cli-commands |
| description | MUST use when using the CLI, including debugging job failures and inspecting run history via `wmill job`. |
The Windmill CLI (wmill) provides commands for managing scripts, flows, apps, and other resources.
--workspace <workspace:string> - Specify the target workspace. This overrides the default workspace.--debug --verbose - Show debug/verbose logs--show-diffs - Show diff informations when syncing (may show sensitive informations)--token <token:string> - Specify an API token. This will override any stored token.--base-url <baseUrl:string> - Specify the base URL of the API. If used, --token and --workspace are required and no local remote/workspace already set will be used.--config-dir <configDir:string> - Specify a custom config directory. Overrides WMILL_CONFIG_DIR environment variable and default ~/.config location.app related commands
Options:
--json - Output as JSON (for piping to jq)Subcommands:
app list - list all apps
--json - Output as JSON (for piping to jq)app get <path:string> - get an app's details
--json - Output as JSON (for piping to jq)app push [file_path:string] [remote_path:string] - push a local app. With no args, infers the app from the current directory and the remote path from its location relative to wmill.yaml.app dev [app_folder:string] - Start a development server for building apps with live reload and hot module replacement
--port <port:number> - Port to run the dev server on (will find next available port if occupied)--host <host:string> - Host to bind the dev server to--entry <entry:string> - Entry point file (default: index.ts for Svelte/Vue, index.tsx otherwise)--no-open - Don't automatically open the browserapp lint [app_folder:string] - Lint a raw app folder to validate structure and buildability
--fix - Attempt to fix common issues (not implemented yet)app new - create a new raw app from a template
--summary <summary:string> - App summary (short description). Skips the prompt when provided. Triggers non-interactive mode.--path <path:string> - App path (e.g., f/folder/my_app or u/username/my_app). Skips the prompt when provided. Triggers non-interactive mode.--framework <framework:string> - Framework template: react19 | react18 | svelte5 | vue. Skips the prompt when provided. Triggers non-interactive mode.--datatable <datatable:string> - Datatable to wire up. Without this flag in non-interactive mode, no datatable is configured.--schema <schema:string> - Schema to use with --datatable. Created (CREATE SCHEMA IF NOT EXISTS) if it doesn't already exist.--overwrite - Overwrite the target directory if it already exists, without prompting.--no-open-in-desktop - Do not prompt to open the new app in Claude Desktop.app generate-agents [app_folder:string] - regenerate AGENTS.md and DATATABLES.md from remote workspaceapp set-permissioned-as <path:string> <email:string> - Set the on_behalf_of_email for an app (requires admin or wm_deployers group)View audit logs (requires admin)
Subcommands:
audit list - List audit log entriesaudit get <id:string> - Get a specific audit log entry
--json - Output as JSON (for piping to jq)Show all available wmill.yaml configuration options
Options:
--json - Output as JSON for programmatic consumptionSubcommands:
config migrate - Migrate wmill.yaml from gitBranches/environments to workspaces formatdatatable related commands
Subcommands:
datatable list - list all datatables in the workspace
--json - Output as JSON (for piping to jq)datatable run <sql:string> - run a SQL query on a datatable
-n --name <name:string> - Datatable name (default: main)-s --silent - Output only the final result as JSON. Useful for scripting.datatable create [name:string] - register a datatable database in the workspace (default: instance-backed 'main') so scripts can use datatable://
--resource <resource:string> - Back the datatable with an existing postgresql resource path instead of the instance database--force - Allow adding to a workspace that already has datatables (fork metadata on existing ones is not preserved)datatable serve - Serve all datatables as a Postgres-wire endpoint (psql, DBeaver, pgAdmin); the client picks the datatable via the database name in its connection string
--port <port:number> - Port to listen on (default: first free port in 5433-5500)--host <host:string> - Bind address (default: 127.0.0.1)--password <password:string> - Password for Postgres clients (default: generate a random password at startup)datatable psql - Start a serve listener and launch psql connected to it
-n --name <name:string> - Datatable to connect psql to (default: main)--port <port:number> - Port the proxy listens on (default: first free port in 5433-5500)--host <host:string> - Bind address for the proxy (default: 127.0.0.1)--password <password:string> - Password for the temporary Postgres proxy (default: generate a random password at startup)workspace dependencies related commands
Alias: deps
Subcommands:
dependencies push <file_path:string> - Push workspace dependencies from a local fileWatch local file changes and live-reload the dev page for preview. Does NOT deploy to the remote workspace — use wmill sync push for that.
Options:
--includes <pattern...:string> - Filter paths given a glob pattern or path--proxy-port <port:number> - Port for a localhost reverse proxy to the remote Windmill server--path <path:string> - Watch a specific windmill path (e.g., u/admin/my_script or f/my_flow)--no-open - Do not open the browser automaticallySearch Windmill documentation.
Arguments: <query:string>
Options:
--json - Output results as JSON.ducklake related commands
Subcommands:
ducklake list - list all ducklakes in the workspace
--json - Output as JSON (for piping to jq)ducklake run <sql:string> - run a SQL query on a ducklake
-n --name <name:string> - Ducklake name (default: main)-s --silent - Output only the final result as JSON. Useful for scripting.flow related commands
Options:
--show-archived - Enable archived flows in output--json - Output as JSON (for piping to jq)Subcommands:
flow list - list all flows
--show-archived - Enable archived flows in output--json - Output as JSON (for piping to jq)flow get <path:string> - get a flow's details
--json - Output as JSON (for piping to jq)flow push <file_path:string> <remote_path:string> - push a local flow spec. This overrides any remote versions.
--message <message:string> - Deployment messageflow run <path:string> - run a flow by path.
-d --data <data:string> - Inputs specified as a JSON string or a file using @ or stdin using @-.-s --silent - Do not ouput anything other then the final output. Useful for scripting.flow preview <flow_path:string> - preview a local flow without deploying it. Runs the flow definition from local files and uses local PathScripts by default. Pass --step to run only one module in isolation (resolves nested steps inside branchone/branchall/forloopflow/whileloopflow plus the special preprocessor/failure modules; supported step types: rawscript, script, flow).
-d --data <data:string> - Inputs specified as a JSON string or a file using @ or stdin using @-.-s --silent - Do not output anything other then the final output. Useful for scripting.--remote - Use deployed workspace scripts for PathScript steps instead of local files.--step <step_id:string> - Run only the named step instead of the whole flow. Honors --data as the step's args and --remote / local-PathScript resolution the same way the full-flow preview does.flow new <flow_path:string> - create a new empty flow
--summary <summary:string> - flow summary--description <description:string> - flow descriptionflow bootstrap <flow_path:string> - create a new empty flow (alias for new)
--summary <summary:string> - flow summary--description <description:string> - flow descriptionflow history <path:string> - Show version history for a flow
--json - Output as JSON (for piping to jq)flow show-version <path:string> <version:string> - Show a specific version of a flow
--json - Output as JSON (for piping to jq)flow set-permissioned-as <path:string> <email:string> - Set the on_behalf_of_email for a flow (requires admin or wm_deployers group)folder related commands
Options:
--json - Output as JSON (for piping to jq)Subcommands:
folder list - list all folders
--json - Output as JSON (for piping to jq)folder get <name:string> - get a folder's details
--json - Output as JSON (for piping to jq)folder new <name:string> - create a new folder locally
--summary <summary:string> - folder summaryfolder push <name:string> - push a local folder to the remote by name. This overrides any remote versions.folder add-missing - create default folder.meta.yaml for all subdirectories of f/ that are missing one
-y, --yes - skip confirmation promptfolder show-rules <name:string> - Show default_permissioned_as rules for a folder. Use --test-path to see which rule matches a given item path.
--test-path <path:string> - Test which rule matches this item path (e.g. f/prod/jobs/my_script)--json - Output as JSONRegenerate stale local locks and script schemas and refresh wmill-lock.yaml content hashes (scripts, flows, apps). Writes local files only, not a deploy. Run it after edits that add or remove imports or change a script's arguments, so the lock, the auto-generated UI schema, and wmill-lock.yaml stay in sync.
Arguments: [folder:string]
Options:
--yes - Skip confirmation prompt--dry-run - Show what would be updated without making changes--lock-only - Re-generate only the lock files--schema-only - Re-generate only script schemas (skips flows and apps)--skip-scripts - Skip processing scripts--skip-flows - Skip processing flows--skip-apps - Skip processing apps--strict-folder-boundaries - Only update items inside the specified folder (requires folder argument)--parallel <n:number> - Number of items to process in parallel-i --includes <patterns:file[]> - Comma separated patterns to specify which files to include-e --excludes <patterns:file[]> - Comma separated patterns to specify which files to excludeSubcommands:
generate-metadata rehash [folder:string] - Refresh wmill-lock.yaml content hashes from the on-disk .lock and .script.yaml without re-resolving dependencies or hitting the backend. Use when those files are already correct and only the hashes need updating: bootstrapping missing entries or recovering from hash drift.
--skip-scripts - Skip processing scripts--skip-flows - Skip processing flows--skip-apps - Skip processing apps--parallel <n:number> - Number of items to process in parallel-i --includes <patterns:file[]> - Comma separated patterns to specify which files to include-e --excludes <patterns:file[]> - Comma separated patterns to specify which files to excludeManage git-sync settings between local wmill.yaml and Windmill backend
Subcommands:
gitsync-settings pull - Pull git-sync settings from Windmill backend to local wmill.yaml
--repository <repo:string> - Specify repository path (e.g., u/user/repo)--default - Write settings to top-level defaults instead of overrides--replace - Replace existing settings (non-interactive mode)--override - Add branch-specific override (non-interactive mode)--diff - Show differences without applying changes--json-output - Output in JSON format--with-backend-settings <json:string> - Use provided JSON settings instead of querying backend (for testing)--yes - Skip interactive prompts and use default behavior--promotion <branch:string> - Use promotionOverrides from the specified branch instead of regular overridesgitsync-settings push - Push git-sync settings from local wmill.yaml to Windmill backend
--repository <repo:string> - Specify repository path (e.g., u/user/repo)--diff - Show what would be pushed without applying changes--json-output - Output in JSON format--with-backend-settings <json:string> - Use provided JSON settings instead of querying backend (for testing)--yes - Skip interactive prompts and use default behavior--promotion <branch:string> - Use promotionOverrides from the specified branch instead of regular overridesManage workspace groups
Options:
--json - Output as JSON (for piping to jq)Subcommands:
group list - List all groups in the workspace
--json - Output as JSON (for piping to jq)group get <name:string> - Get group details and members
--json - Output as JSON (for piping to jq)group create <name:string> - Create a new group
--summary <summary:string> - Group summary/descriptiongroup delete <name:string> - Delete a groupgroup add-user <name:string> <username:string> - Add a user to a groupgroup remove-user <name:string> <username:string> - Remove a user from a groupHub related commands. EXPERIMENTAL. INTERNAL USE ONLY.
Subcommands:
hub pull - pull any supported definitions. EXPERIMENTAL.Bootstrap a windmill project with a wmill.yaml file
Options:
--use-default - Use default settings without checking backend--use-backend - Use backend git-sync settings if available--repository <repo:string> - Specify repository path (e.g., u/user/repo) when using backend settings--bind-profile - Automatically bind active workspace profile to current Git branch--no-bind-profile - Skip workspace profile binding promptsync local with a remote instance or the opposite (push or pull)
Subcommands:
instance add [instance_name:string] [remote:string] [token:string] - Add a new instanceinstance remove <instance:string:instance> - Remove an instanceinstance switch <instance:string:instance> - Switch the current instanceinstance pull - Pull instance settings, users, configs, instance groups and overwrite local
--yes - Pull without needing confirmation--dry-run - Perform a dry run without making changes--skip-users - Skip pulling users--skip-settings - Skip pulling settings--skip-configs - Skip pulling configs (worker groups)--skip-groups - Skip pulling instance groups--include-workspaces - Also pull workspaces--folder-per-instance - Create a folder per instance--instance <instance:string> - Name of the instance to pull from, override the active instance--prefix <prefix:string> - Prefix of the local workspaces to pull, used to create the folders when using --include-workspaces--prefix-settings - Store instance yamls inside prefixed folders when using --prefix and --folder-per-instanceinstance push - Push instance settings, users, configs, group and overwrite remote
--yes - Push without needing confirmation--dry-run - Perform a dry run without making changes--skip-users - Skip pushing users--skip-settings - Skip pushing settings--skip-configs - Skip pushing configs (worker groups)--skip-groups - Skip pushing instance groups--include-workspaces - Also push workspaces--folder-per-instance - Create a folder per instance--instance <instance:string> - Name of the instance to push to, override the active instance--prefix <prefix:string> - Prefix of the local workspaces folders to push--prefix-settings - Store instance yamls inside prefixed folders when using --prefix and --folder-per-instanceinstance whoami - Display information about the currently logged-in userinstance get-config - Dump the current instance config (global settings + worker configs) as YAML
-o, --output-file <file:string> - Write YAML to a file instead of stdout--show-secrets - Include sensitive fields (license key, JWT secret) without prompting--instance <instance:string> - Name of the instance, override the active instanceinstance connect-slack - Non-interactively connect Slack at the instance level using a pre-minted bot token (xoxb-...). Produces the same artifacts as the UI OAuth flow: global_settings 'slack' row + encrypted f/slack_bot/global_bot_token variable and resource in the admins workspace.
--bot-token <bot_token:string> - Slack bot token (xoxb-...)--team-id <team_id:string> - Slack team id--team-name <team_name:string> - Slack team name--instance <instance:string> - Instance profile to connect against (defaults to the active instance)Manage jobs (list, inspect, cancel)
Subcommands:
job list - List recent jobsjob get <id:string> - Get job details. For flows: shows step tree with sub-job IDs
--json - Output as JSON (for piping to jq)job result <id:string> - Get the result of a completed job (machine-friendly)job logs <id:string> - Get job logs. For flows: aggregates all step logsjob cancel <id:string> - Cancel a running or queued job
--reason <reason:string> - Reason for cancellationjob rerun <id:string> - Re-run a completed job with the same args. Prints the new job UUID on stdout.job restart <id:string> - Restart a completed flow at a given top-level step. Prints the new flow job UUID on stdout.
--step <stepId:string> - Top-level step id to restart the flow from--iteration <n:number> - For a top-level branchall or for-loop step, the iteration to restart atPull completed and queued jobs from workspace
Arguments: [workspace:string]
Options:
-c, --completed-output <file:string> - Completed jobs output file (default: completed_jobs.json)-q, --queued-output <file:string> - Queued jobs output file (default: queued_jobs.json)--skip-worker-check - Skip checking for active workers before exportSubcommands:
jobs pulljobs pushValidate Windmill flow, schedule, and trigger YAML files in a directory
Arguments: [directory:string]
Options:
--json - Output results in JSON format--fail-on-warn - Exit with code 1 when warnings are emitted--locks-required - Fail if scripts or flow inline scripts that need locks have no locks-w, --watch - Watch for file changes and re-lint automaticallyObject storage (S3) related commands. Operates on the workspace's default object storage; use --storage to target a configured secondary storage.
Alias: s3
Subcommands:
object-storage list - List configured object storages for the workspace (default + secondary).
--json - Output as JSON (for piping to jq)object-storage files [prefix:string] - List files in an object storage. Optionally filter by prefix.
--json - Output as JSON (for piping to jq)--max-keys <maxKeys:number> - Page size (default 100)--marker <marker:string> - Pagination marker from a previous response--storage <storage:string> - Secondary storage name (omit for the workspace default)object-storage upload <local_path:string> <file_key:string> - Upload a local file to object storage at the given file key.
--storage <storage:string> - Secondary storage name--content-type <contentType:string> - Content-Type header to set on the object--content-disposition <contentDisposition:string> - Content-Disposition header to set on the objectobject-storage download <file_key:string> [output_path:string] - Download an object to a local file (or stdout). Default output path is the basename of the file key in the current directory.
--storage <storage:string> - Secondary storage name--stdout - Write file contents to stdout instead of a fileobject-storage delete <file_key:string> - Delete an object from object storage. Prompts for confirmation unless --yes is set.
--storage <storage:string> - Secondary storage name--yes - Skip the confirmation promptobject-storage move <src_file_key:string> <dest_file_key:string> - Move an object within the same storage (rename or relocate by key).
--storage <storage:string> - Secondary storage nameobject-storage info <file_key:string> - Show metadata (size, mime, last-modified) for an object.
--json - Output as JSON (for piping to jq)--storage <storage:string> - Secondary storage nameobject-storage preview <file_key:string> - Preview the contents of an object (text/CSV). Use --bytes-from / --bytes-length to peek at a slice of binary files.
--storage <storage:string> - Secondary storage name--mime <mime:string> - Override the detected mime type (e.g. text/csv)--bytes-from <bytesFrom:number> - Start offset in bytes--bytes-length <bytesLength:number> - Number of bytes to read--csv-separator <csvSeparator:string> - CSV column separator (default ,)--csv-header - Treat the first CSV row as a headerinspect asset-driven pipelines (scripts marked // pipeline, wired by // on <spec> annotations)
Subcommands:
pipeline list - list pipeline folders in the workspace
--json - Output as JSON (for piping to jq)pipeline show <folder:string> - render a pipeline folder's DAG (sources, lineage, subscriptions) in the terminal
--json - Output the raw asset graph as JSONSync workspace protection rules between protection-rules.yaml and Windmill. The file is keyed by workspace name; keys must match wmill.yaml 'workspaces'.
Subcommands:
protection-rules pull [workspace:string] - Pull protection rules from Windmill into protection-rules.yaml for a workspace
--all - Pull every workspace defined in wmill.yaml--dry-run - Show what would change without writing the file--json-output - Output in JSON formatprotection-rules push [workspace:string] - Push protection rules from protection-rules.yaml to Windmill for a workspace (full reconcile: creates, updates, and deletes)
--all - Push every workspace defined in protection-rules.yaml--dry-run - Show what would change without applying--json-output - Output in JSON format--yes - Skip the confirmation prompt (including deletions)List all queues with their metrics
Arguments: [workspace:string] the optional workspace to filter by (default to all workspaces)
Options:
--instance [instance] - Name of the instance to push to, override the active instance--base-url [baseUrl] - If used with --token, will be used as the base url for the instanceRefresh wmill-managed project files (AGENTS.wmill.md, skills, tsconfig.wmill.json)
Subcommands:
refresh prompts - Refresh AGENTS.wmill.md and managed skills. User-owned AGENTS.md and CLAUDE.md are never overwritten unless you opt in.
--yes - Non-interactive: append the @AGENTS.wmill.md include to an existing AGENTS.md / CLAUDE.md without prompting. Without it, a non-interactive run leaves an unlinked file untouched.refresh tsconfig - Refresh the wmill-managed tsconfig.wmill.json (and Deno import map for Deno projects)
--yes - Non-interactive: wire an existing custom tsconfig.json/deno.json to the managed file without prompting (a previously-generated config is always migrated automatically).resource related commands
Options:
--json - Output as JSON (for piping to jq)Subcommands:
resource list - list all resources
--json - Output as JSON (for piping to jq)resource get <path:string> - get a resource's details
--json - Output as JSON (for piping to jq)resource new <path:string> - create a new resource locallyresource push <file_path:string> <remote_path:string> - push a local resource spec. This overrides any remote versions.resource type related commands
Options:
--json - Output as JSON (for piping to jq)Subcommands:
resource-type list - list all resource types
--schema - Show schema in the output--json - Output as JSON (for piping to jq)resource-type get <path:string> - get a resource type's details
--json - Output as JSON (for piping to jq)resource-type new <name:string> - create a new resource type locallyresource-type push <file_path:string> <name:string> - push a local resource spec. This overrides any remote versions.resource-type generate-namespace - Create a TypeScript definition file with the RT namespace generated from the resource typesschedule related commands
Options:
--json - Output as JSON (for piping to jq)Subcommands:
schedule list - list all schedules
--json - Output as JSON (for piping to jq)schedule get <path:string> - get a schedule's details
--json - Output as JSON (for piping to jq)schedule new <path:string> - create a new schedule locallyschedule push <file_path:string> <remote_path:string> - push a local schedule spec. This overrides any remote versions.schedule enable <path:string> - Enable a schedule
--force - Bypass the fork-conflict warning when the parent workspace has the same schedule (acknowledges that both crons will fire)schedule disable <path:string> - Disable a scheduleschedule set-permissioned-as <path:string> <email:string> - Set the email (run-as user) for a schedule (requires admin or wm_deployers group)script related commands
Options:
--show-archived - Show archived scripts instead of active ones--json - Output as JSON (for piping to jq)Subcommands:
script list - list all scripts
--show-archived - Show archived scripts instead of active ones--json - Output as JSON (for piping to jq)script push <path:file> - push a local script spec. This overrides any remote versions. Use the script file (.ts, .js, .py, .sh)
--message <message:string> - Deployment messagescript get <path:file> - get a script's details
--json - Output as JSON (for piping to jq)script show <path:file> - show a script's content (alias for get)script run <path:file> - run a script by path
-d --data <data:file> - Inputs specified as a JSON string or a file using @ or stdin using @-.-s --silent - Do not output anything other then the final output. Useful for scripting.script preview <path:file> - preview a local script without deploying it. Supports both regular and codebase scripts.
-d --data <data:file> - Inputs specified as a JSON string or a file using @ or stdin using @-.-s --silent - Do not output anything other than the final output. Useful for scripting.script new <path:file> <language:string> - create a new script
--summary <summary:string> - script summary--description <description:string> - script descriptionscript bootstrap <path:file> <language:string> - create a new script (alias for new)
--summary <summary:string> - script summary--description <description:string> - script descriptionscript set-permissioned-as <path:string> <email:string> - Set the on_behalf_of_email for a script (requires admin or wm_deployers group)script history <path:string> - show version history for a script
--json - Output as JSON (for piping to jq)sync local with a remote workspaces or the opposite (push or pull)
Subcommands:
sync pull - Pull any remote changes and apply them locally.
--yes - Pull without needing confirmation--dry-run - Show changes that would be pulled without actually pushing--plain-secrets - Pull secrets as plain text--json - Use JSON instead of YAML--skip-variables - Skip syncing variables (including secrets)--skip-secrets - Skip syncing only secrets variables--include-secrets - Include secrets in sync (overrides skipSecrets in wmill.yaml)--skip-resources - Skip syncing resources--skip-resource-types - Skip syncing resource types--skip-scripts - Skip syncing scripts--skip-flows - Skip syncing flows--skip-apps - Skip syncing apps--skip-folders - Skip syncing folders--skip-workspace-dependencies - Skip syncing workspace dependencies--skip-scripts-metadata - Skip syncing scripts metadata, focus solely on logic--include-schedules - Include syncing schedules--include-triggers - Include syncing triggers--include-users - Include syncing users--include-groups - Include syncing groups--include-settings - Include syncing workspace settings--include-key - Include workspace encryption key--skip-branch-validation - Skip git branch validation and prompts--json-output - Output results in JSON format-i --includes <patterns:file[]> - Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string). Overrides wmill.yaml includes-e --excludes <patterns:file[]> - Comma separated patterns to specify which file to NOT take into account. Overrides wmill.yaml excludes--extra-includes <patterns:file[]> - Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string). Useful to still take wmill.yaml into account and act as a second pattern to satisfy--repository <repo:string> - Specify repository path (e.g., u/user/repo) when multiple repositories exist--promotion <branch:string> - Use promotionOverrides from the specified branch instead of regular overrides--branch, --env <branch:string> - [Deprecated: use --workspace] Override the current git branch/environmentsync push - Push any local changes and apply them remotely.
--yes - Push without needing confirmation--dry-run - Show changes that would be pushed without actually pushing--plain-secrets - Push secrets as plain text--json - Use JSON instead of YAML--skip-variables - Skip syncing variables (including secrets)--skip-secrets - Skip syncing only secrets variables--include-secrets - Include secrets in sync (overrides skipSecrets in wmill.yaml)--skip-resources - Skip syncing resources--skip-resource-types - Skip syncing resource types--skip-scripts - Skip syncing scripts--skip-flows - Skip syncing flows--skip-apps - Skip syncing apps--skip-folders - Skip syncing folders--skip-workspace-dependencies - Skip syncing workspace dependencies--skip-scripts-metadata - Skip syncing scripts metadata, focus solely on logic--include-schedules - Include syncing schedules--include-triggers - Include syncing triggers--include-users - Include syncing users--include-groups - Include syncing groups--include-settings - Include syncing workspace settings--include-key - Include workspace encryption key--skip-reencrypt-on-key-change - When the pushed encryption key differs from the remote, do NOT re-encrypt existing remote secrets. Only safe if they are already encrypted with the new key (e.g. workspace/instance migration). Default is to re-encrypt.--skip-branch-validation - Skip git branch validation and prompts--json-output - Output results in JSON format-i --includes <patterns:file[]> - Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string)-e --excludes <patterns:file[]> - Comma separated patterns to specify which file to NOT take into account.--extra-includes <patterns:file[]> - Comma separated patterns to specify which file to take into account (among files that are compatible with windmill). Patterns can include * (any string until '/') and ** (any string). Useful to still take wmill.yaml into account and act as a second pattern to satisfy--message <message:string> - Include a message that will be added to all scripts/flows/apps updated during this push--parallel <number> - Number of changes to process in parallel--repository <repo:string> - Specify repository path (e.g., u/user/repo) when multiple repositories exist--branch, --env <branch:string> - [Deprecated: use --workspace] Override the current git branch/environment--lint - Run lint validation before pushing--locks-required - Fail if scripts or flow inline scripts that need locks have no locks--auto-metadata - Automatically regenerate stale metadata (locks and schemas) before pushing--accept-overriding-permissioned-as-with-self - Accept that items with a different permissioned_as will be updated with your own userManage API tokens
Options:
--json - Output as JSON (for piping to jq)Subcommands:
token list - List API tokens
--json - Output as JSON (for piping to jq)token create - Create a new API token
--label <label:string> - Token label--expiration <expiration:string> - Token expiration (ISO 8601 timestamp)token delete <token_prefix:string> - Delete a token by its prefixtrigger related commands
Options:
--json - Output as JSON (for piping to jq)Subcommands:
trigger list - list all triggers
--json - Output as JSON (for piping to jq)trigger get <path:string> - get a trigger's details
--json - Output as JSON (for piping to jq)--kind <kind:string> - Trigger kind (http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, azure, email). Recommended for faster lookuptrigger new <path:string> - create a new trigger locally
--kind <kind:string> - Trigger kind (required: http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, azure, email)trigger push <file_path:string> <remote_path:string> - push a local trigger spec. This overrides any remote versions.trigger set-permissioned-as <path:string> <email:string> - Set the email (run-as user) for a trigger (requires admin or wm_deployers group)
--kind <kind:string> - Trigger kind (required: http, websocket, kafka, nats, postgres, mqtt, sqs, gcp, azure, email)user related commands
Subcommands:
user add <email:string> [password:string] - Create a user
--superadmin - Specify to make the new user superadmin.--company <company:string> - Specify to set the company of the new user.--name <name:string> - Specify to set the name of the new user.user remove <email:string> - Delete a useruser create-token - Create a new API token for the authenticated user
--email <email:string> - Specify credentials to use for authentication. This will not be stored. It will only be used to exchange for a token with the API server, which will not be stored either.--password <password:string> - Specify credentials to use for authentication. This will not be stored. It will only be used to exchange for a token with the API server, which will not be stored either.variable related commands
Options:
--json - Output as JSON (for piping to jq)Subcommands:
variable list - list all variables
--json - Output as JSON (for piping to jq)variable get <path:string> - get a variable's details
--json - Output as JSON (for piping to jq)variable new <path:string> - create a new variable locallyvariable push <file_path:string> <remote_path:string> - Push a local variable spec. This overrides any remote versions.
--plain-secrets - Push secrets as plain textvariable add <value:string> <remote_path:string> - Create a new variable on the remote. This will update the variable if it already exists.
--yes - Skip confirmation prompt when updating an existing variable--secret - Mark the variable as secret (default when creating a new variable)--no-secret - Mark the variable as non-secret (when updating, the existing setting is preserved if neither --secret nor --no-secret is passed)--description <description:string> - Set the variable description (when updating, the existing description is preserved if not passed)--plain-secrets - Push secrets as plain text--public - Legacy option, use --no-secret insteadShow version information
display worker groups, pull and push worker groups configs
Subcommands:
worker-groups pull - Pull worker groups (similar to wmill instance pull --skip-users --skip-settings --skip-groups)
--instance - Name of the instance to push to, override the active instance--base-url - Base url to be passed to the instance settings instead of the local one--yes - Pull without needing confirmationworker-groups push - Push worker groups (similar to wmill instance push --skip-users --skip-settings --skip-groups)
--instance [instance] - Name of the instance to push to, override the active instance--base-url [baseUrl] - If used with --token, will be used as the base url for the instance--yes - Push without needing confirmationList all workers grouped by worker groups
Options:
--instance [instance] - Name of the instance to push to, override the active instance--base-url [baseUrl] - If used with --token, will be used as the base url for the instanceworkspace related commands
Alias: profile
Subcommands:
workspace switch <workspace_name:string:workspace> - Switch to another workspaceworkspace add [workspace_name:string] [workspace_id:string] [remote:string] - Add a workspace
-c --create - Create the workspace if it does not exist--create-workspace-name <workspace_name:string> - Specify the workspace name. Ignored if --create is not specified or the workspace already exists. Will default to the workspace id.--create-username <username:string> - Specify your own username in the newly created workspace. Ignored if --create is not specified, the workspace already exists or automatic username creation is enabled on the instance.workspace remove <workspace_name:string> - Remove a workspaceworkspace whoami - Show the currently active userworkspace list - List local workspace profilesworkspace list-remote - List workspaces on the remote server that you have access to
--as-superadmin - List ALL workspaces on the instance (requires the token to belong to a superadmin/devops user)workspace list-forks - List forked workspaces on the remote serverworkspace bind - Create or update a workspace entry in wmill.yaml from the active profile
--workspace <name:string> - Workspace name (default: current branch or workspaceId)--branch <branch:string> - Git branch to associate (default: workspace name)workspace unbind - Remove baseUrl and workspaceId from a workspace entry
--workspace <name:string> - Workspace to unbindworkspace fork [workspace_name:string] [workspace_id:string] - Create a forked workspace
--create-workspace-name <workspace_name:string> - Specify the workspace name. Ignored if --create is not specified or the workspace already exists. Will default to the workspace id.--color <color:string> - Workspace color (hex code, e.g. #ff0000)--datatable-behavior <behavior:string> - How to handle datatables: skip, schema_only, or schema_and_data (default: interactive prompt)--from-branch <branch:string> - Non-interactive override for the 'turn my current working branch into the fork' workflow: base the fork on (its bound workspace is the parent) and rename the current branch onto wm-fork//. Usually unneeded — from a working branch wmill workspace fork offers this interactively; from a base branch it creates a fresh fork branch.-y --yes - Skip interactive prompts (defaults datatable behavior to 'skip'). On a non-base branch, requires --from-branch since the base branch can't be prompted for.workspace delete-fork <fork_name:string> - Delete a forked workspace and git branch
-y --yes - Skip confirmation promptworkspace merge - Compare and deploy changes between a fork and its parent workspace
--direction <direction:string> - Deploy direction: to-parent or to-fork--all - Deploy all changed items including conflicts--skip-conflicts - Skip items modified in both workspaces--include <items:string> - Comma-separated kind:path items to include (e.g. script:f/test/main,flow:f/my/flow)--exclude <items:string> - Comma-separated kind:path items to exclude--preserve-on-behalf-of - Preserve original on_behalf_of/permissioned_as values-y --yes - Non-interactive mode (deploy without prompts)workspace connect-slack - Non-interactively connect Slack to the active workspace using a pre-minted bot token (xoxb-...). Produces the same artifacts as the UI OAuth flow: workspace_settings fields, g/slack group, f/slack_bot folder, and the encrypted bot token variable + resource at f/slack_bot/bot_token.
--bot-token <bot_token:string> - Slack bot token (xoxb-...)--team-id <team_id:string> - Slack team id--team-name <team_name:string> - Slack team nameworkspace disconnect-slack - Clear slack_team_id / slack_name on the active workspace (marks the workspace as disconnected). Does NOT remove the bot token variable/resource/folder/group — delete those from the local sync folder and run 'wmill sync push' to tear them down. Does NOT remove the workspace-level OAuth override — set slack_oauth_client_id/_secret to '' in settings.yaml and push.wmill object-storage (alias wmill s3) exposes the workspace's object storage (S3-compatible: AWS S3, MinIO, GCS, R2, Azure Blob) over the per-workspace /job_helpers/* endpoints.
file_key is the path inside the bucket (e.g. reports/2026-05/orders.csv), not a Windmill path. Do NOT pass u/... or f/... here — those are Windmill paths to scripts/flows/resources, unrelated to objects in the bucket.--storage <name> targets a secondary storage configured on the workspace. Omit it to use the workspace's default object storage. Use wmill object-storage list to discover configured storages.preview vs download: preview returns a peek (CSV first rows, text content, or a byte slice via --bytes-from/--bytes-length) without writing to disk. Use download when you want the full file on disk.wmill object-storage files [prefix] (alias ls) — paginated, use --marker to continue.wmill object-storage info <file_key> for size/mime/last-modified, wmill object-storage preview <file_key> for content peek.wmill object-storage upload <local_path> <file_key> — set --content-type if the receiver cares (e.g. text/csv).wmill object-storage download <file_key> [output_path] — --stdout to pipe.wmill object-storage move <src> <dest> (same storage), wmill object-storage delete <file_key> (interactive confirm unless --yes).