Windmill

INFRA · APIS
Velocity 6.3

Open-source developer platform to build internal tools and workflows from scripts

Windmill hardens for untrusted multi-tenant workloads while sharpening local DX

workflow-automation · sandboxing · multi-tenant · kubernetes · observability · developer-experience
Current state
Windmill is a developer platform for running scripts, flows, and apps, and its recent releases split between enterprise-grade execution hardening and developer ergonomics. The standout is a daemonless, nsjail-sandboxed container runtime that runs arbitrary images without a Docker socket, isolated enough that Docker scripts are now allowed on Windmill Cloud. Around it sit incremental infra wins: smarter Kubernetes scale-in, inbound distributed tracing, remote SSH execution, and audit-log export.
Where it's heading
The direction is making Windmill safe and observable enough for large multi-tenant and regulated deployments: isolation that needs no privileged daemon, autoscaling that protects running jobs, end-to-end traces, and SIEM-ready audit logs. In parallel, the wmill dev live preview and editor integrations lower the friction of authoring locally. Enterprise hardening and self-serve DX are advancing together rather than one at the other's expense.
Prediction
Expect further isolation and observability work (more sandboxing options and broader tracing coverage), plus continued investment in the local-to-cloud authoring loop.

Recent moves

  1. 5d ago

    Kubernetes autoscaling scale-in prefers idle worker pods

    The Kubernetes autoscaler now annotates pods with a deletion cost so idle workers are scaled in before busy ones, protecting running jobs. An operational refinement that fits the push toward dependable large-scale deployments.

  2. 5d ago

    Run bash scripts on a remote SSH host

    Bash scripts can target a remote SSH host via a #ssh directive for jump or utility nodes where no worker fits, with full parity to local jobs. A niche but practical extension of where Windmill can execute code.

  3. 10d ago

    Jobs join the caller's inbound distributed trace

    With OTEL enabled, webhook- or REST-triggered jobs now nest under the caller's W3C trace, so an execution shows up as one end-to-end span instead of a disconnected one. Part of the broader observability build-out.

  4. 10d ago

    Sandboxed daemonless container runtime

    ⚡ SPARK

    A # sandbox annotation lets bash scripts run any container image, pulled with crane and chrooted inside the job's own nsjail with no Docker daemon. This is the load-bearing move that finally lets Docker scripts run on Windmill Cloud.

  5. 27d ago

    Export audit logs to object storage

    Audit logs can be continuously exported as newline-delimited JSON to instance object storage for SIEM forwarding and archival. A compliance capability that matters for the enterprise buyers Windmill is courting.

  6. 1mo ago

    S3Object input for native SQL scripts
