
Commit a321dbb

PR to add "secret" field to input parameters.
1 parent 566f296 commit a321dbb

File tree

3 files changed

+64
-0
lines changed


CommandLineTool.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,10 @@ $graph:
5151
5252
## Changelog for v1.3.0-dev1
5353
54+
* Added `secret` option on [input parameters](#InputParameter)
55+
to request special handling of secrets such as passwords and
56+
API tokens.
57+
5458
See also the [CWL Workflow Description, v1.3.0-dev1 changelog](Workflow.html#Changelog).
5559
For other changes since CWL v1.0, see the
5660
[CWL Command Line Tool Description, v1.1 changelog](https://www.commonwl.org/v1.1/CommandLineTool.html#Changelog)
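Review bot: the changelog entry at lines 54-56 understates the normative content of the feature. Besides "special handling", the `secret` field (as documented in Process.yml in this same commit) restricts the parameter `type` to `string`, `array<string>` or `null`, and a string-valued `secret` makes the parameter implicitly optional and triggers a platform secret-store lookup. Both are behaviour changes a tool author can trip over, so the entry should name them, e.g. "Added `secret` option on input parameters (string/array<string>/null types only); a string value is a lookup key for a platform secret store."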

Process.yml

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -385,6 +385,61 @@ $graph:
385385
from the input object, or if the value of the parameter in the input
386386
object is `null`. Default values are applied before evaluating expressions
387387
(e.g. dependent `valueFrom` fields).
388+
- name: secret
389+
type: ["null", boolean, string]
390+
doc: |
391+
Indicates this input parameter value is sensitive.
392+
Implementations should apply special handling to secret values
393+
to avoid displaying them in logs, including them in output, or
394+
otherwise making them visible or accessible in any way beyond
395+
what is required to make the value of the secret input
396+
parameter available to workflow processes that need it.
397+
398+
This feature is intended to provide a safer way to handle
399+
credentials such as passwords and API tokens.
400+
401+
Possible values of the `secret` field can be:
402+
403+
* null or not provided (default, the input parameter is not secret)
404+
* false (same as null)
405+
* true (parameter is secret)
406+
* a non-empty string (parameter is secret, and may be looked up in platform storage)
407+
408+
If the value of `secret` is a string, this is a lookup key to
409+
be used to fetch a secret value from the workflow platform
410+
secret store. This assumes a model where a non-sensitive
411+
lookup key is passed to the secret store and a sensitive
412+
string value (the password, API token, etc) is returned.
413+
414+
The format of this lookup key, as well as management, access
415+
permissions, and authentication for the secret store are
416+
implementation specific and out of scope for this document.
417+
418+
If the input parameter is a secret, the `type` of the input
419+
parameter must only consist of `string`, `array<string>`, or
420+
`null`.
421+
422+
If `secret` is a string and the platform supports looking up
423+
credentials, the input parameter is implicitly optional for
424+
the caller, and platform should look up the secret to fill in
425+
the input parameter value when not provided by the caller.
426+
427+
An explict value provided by the caller always takes
428+
precidence over looking up a value, i.e. checking the secret
429+
store must only happen if the caller did not provide an
430+
explicit value for this secret parameter, or the value is
431+
null.
432+
433+
If the platform does not support secrets lookup, a string
434+
value of `secret` is treated like boolean true, indicating the
435+
parameter is secret, but must be provided in the input
436+
document (unless marked as optional).
437+
438+
Failure to look up the secret (for example, due to denial of
439+
access) may yield a value of "null". Execution continues only
440+
if the parameter is optional (i.e. "null" is an accepted
441+
type). However implementations may, at user option, treat
442+
failure to look up a secret as a fatal error.
388443
389444
390445
- name: OutputParameter
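Review bot: the optionality rules at lines 422-425 and 438-441 contradict each other. Line 423 says a string-valued `secret` makes the parameter "implicitly optional for the caller", but lines 439-441 say that on lookup failure "execution continues only if the parameter is optional (i.e. "null" is an accepted type)". Either "implicitly optional" means `null` is added to the declared type (then lookup failure can never be fatal by default, and line 435 "unless marked as optional" is redundant), or it only means the caller may omit the key in the input object while the declared type still governs. Please state which, since the two readings give different behaviour on a denied secret-store lookup. Two further points on the same hunk: (1) the interaction with `default` is unspecified. The context at lines 385-387 says defaults are applied before expression evaluation, and line 427-431 says lookup "must only happen if the caller did not provide an explicit value"; it is unclear whether a `default` counts as an explicit value that suppresses the lookup, and a plaintext `default` on a `secret` input defeats the purpose of the feature, so consider either forbidding `default` on secret inputs or defining its precedence. (2) Typos at lines 427-428: "explict" should be "explicit" and "precidence" should be "precedence".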

Workflow.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,11 @@ $graph:
4040
CWL group.
4141
4242
## Changelog
43+
44+
* Added `secret` option on [input parameters](#InputParameter)
45+
to request special handling of secrets such as passwords and
46+
API tokens.
47+
4348
See also the [CWL Command Line Tool Description, v1.3.0-dev1 changelog](CommandLineTool.html#Changelog).
4449
For other changes since CWL v1.0, see the
4550
[CWL Workflow Description, v1.1 changelog](https://www.commonwl.org/v1.1/Workflow.html#Changelog)
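Review bot: the heading at line 42 is "## Changelog" with no version, while the matching entry added to CommandLineTool.yml in this commit sits under "## Changelog for v1.3.0-dev1" and line 48 here already refers to the v1.3.0-dev1 changelog. Suggest "## Changelog for v1.3.0-dev1" so the two spec documents cross-link to the same heading text, and apply the same wording change to the entry at lines 44-46 as for the CommandLineTool.yml entry (mention the type restriction and the string-as-lookup-key behaviour).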
