Add text about checking correctness for secrets.

common-workflow-language · May 17, 2024 · 2a3029b · 2a3029b
1 parent f9a3879
commit 2a3029b
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/Process.yml b/Process.yml
@@ -828,6 +828,13 @@ $graph:
         type).  However implementations may, at user option, treat
         failure to look up a secret as a fatal error.
 
+        Workflow engines should verify that, when a secret is passed
+        through multiple levels (e.g. from a parent workflow to a
+        sub-workflow to a command line tool), it is secret at every
+        level, for example through a check that secret inputs are only
+        be passed to workflow steps where the inputs are also marked
+        as secret, or that secret inputs to a workflow step are
+        themselves secret at the parent workflow level.
 
 - name: OutputParameter
   type: record