@@ -772,6 +772,61 @@ $graph:
772772 from the input object, or if the value of the parameter in the input
773773 object is `null`. Default values are applied before evaluating expressions
774774 (e.g. dependent `valueFrom` fields).
775+ - name : secret
776+ type : ["null", boolean, string]
777+ doc : |
778+ Indicates this input parameter value is sensitive.
779+ Implementations should apply special handling to secret values
780+ to avoid displaying them in logs, including them in output, or
781+ otherwise making them visible or accessible in any way beyond
782+ what is required to make the value of the secret input
783+ parameter available to workflow processes that need it.
784+
785+ This feature is intended to provide a safer way to handle
786+ credentials such as passwords and API tokens.
787+
788+ Possible values of the `secret` field can be:
789+
790+ * null or not provided (default, the input parameter is not secret)
791+ * false (same as null)
792+ * true (parameter is secret)
793+ * a non-empty string (parameter is secret, and may be looked up in platform storage)
794+
795+ If the value of `secret` is a string, this is a lookup key to
796+ be used to fetch a secret value from the workflow platform
797+ secret store. This assumes a model where a non-sensitive
798+ lookup key is passed to the secret store and a sensitive
799+ string value (the password, API token, etc) is returned.
800+
801+ The format of this lookup key, as well as management, access
802+ permissions, and authentication for the secret store are
803+ implementation specific and out of scope for this document.
804+
805+ If the input parameter is a secret, the `type` of the input
806+ parameter must only consist of `string`, `array<string>`, or
807+ `null`.
808+
809+ If `secret` is a string and the platform supports looking up
810+ credentials, the input parameter is implicitly optional for
811+ the caller, and platform should look up the secret to fill in
812+ the input parameter value when not provided by the caller.
813+
814+ An explict value provided by the caller always takes
815+ precidence over looking up a value, i.e. checking the secret
816+ store must only happen if the caller did not provide an
817+ explicit value for this secret parameter, or the value is
818+ null.
819+
820+ If the platform does not support secrets lookup, a string
821+ value of `secret` is treated like boolean true, indicating the
822+ parameter is secret, but must be provided in the input
823+ document (unless marked as optional).
824+
825+ Failure to look up the secret (for example, due to denial of
826+ access) may yield a value of "null". Execution continues only
827+ if the parameter is optional (i.e. "null" is an accepted
828+ type). However implementations may, at user option, treat
829+ failure to look up a secret as a fatal error.
775830
776831
777832 - name : OutputParameter
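Review bot: The precedence rules for filling a string-valued `secret` never say how the secret store lookup interacts with `default`, which the unchanged context above says is "applied before evaluating expressions". The new text states "checking the secret store must only happen if the caller did not provide an explicit value for this secret parameter, or the value is null", but it does not say whether a `default` counts as a provided value or whether the store is consulted before or after the default is applied; spell out the order (caller value, secret store, `default`, or whichever is intended) so implementations do not silently differ. The two notions of optional also read as different conditions: "the input parameter is implicitly optional for the caller" versus "Execution continues only if the parameter is optional (i.e. "null" is an accepted type)", so a parameter whose `type` is plain `string` with a string `secret` is optional for the caller yet fails the workflow on lookup failure; if that is intended, say so explicitly, and if not, state that a string `secret` implicitly adds `null` to the accepted types. Finally, fix the typos in "An explict value provided by the caller always takes precidence" ("explicit", "precedence").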