feat: add binary secret value support via ValueEncoding enum

internal/graph/schema/secret.graphqls

@@ -228,6 +228,9 @@ input SecretValueInput {
 
 	"The secret value to set."
 	value: String!
+
+	"Encoding of the value. Defaults to PLAIN_TEXT. Use BASE64 for binary data (certificates, keystores, etc.)."
+	encoding: ValueEncoding = PLAIN_TEXT
 }
 
 input CreateSecretInput {
@@ -386,8 +389,11 @@ type SecretValue {
 	"The name of the secret value."
 	name: String!
 
-	"The secret value itself."
+	"The secret value itself. When encoding is BASE64, the value is Base64-encoded binary data."
 	value: String!
+
+	"Encoding of the value. PLAIN_TEXT for UTF-8 text, BASE64 for binary data."
+	encoding: ValueEncoding!
 }
 
 extend enum ActivityLogEntryResourceType {

internal/graph/schema/workloads.graphqls

@@ -435,6 +435,17 @@ enum EnvironmentWorkloadOrderField {
 	DEPLOYMENT_TIME
 }
 
+"""
+Encoding of a secret or config value.
+"""
+enum ValueEncoding {
+	"The value is plain text (UTF-8)."
+	PLAIN_TEXT
+
+	"The value is Base64-encoded binary data."
+	BASE64
+}
+
 """
 Input for filtering team workloads.
 """

internal/workload/secret/models.go

@@ -139,8 +139,9 @@ func secretFromAPIResponse(o *unstructured.Unstructured, environmentName string)
 }
 
 type SecretValue struct {
-	Name  string `json:"name"`
-	Value string `json:"value"`
+	Name     string        `json:"name"`
+	Value    string        `json:"value"`
+	Encoding ValueEncoding `json:"encoding"`
 }
 
 type DeleteSecretInput struct {
@@ -154,8 +155,9 @@ type DeleteSecretPayload struct {
 }
 
 type SecretValueInput struct {
-	Name  string `json:"name"`
-	Value string `json:"value"`
+	Name     string         `json:"name"`
+	Value    string         `json:"value"`
+	Encoding *ValueEncoding `json:"encoding"`
 }
 
 type AddSecretValueInput struct {
@@ -242,6 +244,44 @@ type ViewSecretValuesPayload struct {
 // IsActivityLogger implements the ActivityLogger interface.
 func (Secret) IsActivityLogger() {}
 
+type ValueEncoding string
+
+const (
+	ValueEncodingPlainText ValueEncoding = "PLAIN_TEXT"
+	ValueEncodingBase64    ValueEncoding = "BASE64"
+)
+
+func (e ValueEncoding) IsValid() bool {
+	switch e {
+	case ValueEncodingPlainText, ValueEncodingBase64:
+		return true
+	}
+	return false
+}
+
+func (e ValueEncoding) String() string {
+	return string(e)
+}
+
+func (e *ValueEncoding) UnmarshalGQL(v any) error {
+	str, ok := v.(string)
+	if !ok {
+		return fmt.Errorf("enums must be strings")
+	}
+
+	tmp := ValueEncoding(str)
+	if !tmp.IsValid() {
+		return fmt.Errorf("%s is not a valid ValueEncoding", str)
+	}
+
+	*e = tmp
+	return nil
+}
+
+func (e ValueEncoding) MarshalGQL(w io.Writer) {
+	fmt.Fprint(w, strconv.Quote(e.String()))
+}
+
 type TeamInventoryCountSecrets struct {
 	Total int `json:"total"`
 }