
[Code Quality] Add secrets field to workflow schema with proper validation #13694

@github-actions

Description

The secrets field is used in the workflow compiler but is NOT defined in the schema, allowing undocumented and unvalidated usage. This was identified during schema consistency analysis (Discussion #13673).

Current Status:

  • ✅ Used in compiler: pkg/workflow/compiler_jobs.go:387 - configMap["secrets"]
  • ✅ Has struct field: pkg/workflow/frontmatter_types.go:493 - fc.Secrets
  • ❌ NOT in schema: pkg/parser/schemas/main_workflow_schema.json
  • ❌ NOT documented

Impact

HIGH - Workflows can use undocumented/unvalidated secrets field, leading to:

  • No type checking
  • No validation
  • Confusing for users (not in docs)
  • Potential security implications

Suggested Changes

1. Add Schema Definition (30 minutes)

Add to pkg/parser/schemas/main_workflow_schema.json:

"secrets": {
  "type": "object",
  "description": "Secret values passed to workflow execution. Keys are secret names, values can be strings or objects with 'value' and 'description' properties.",
  "additionalProperties": {
    "oneOf": [
      { "type": "string" },
      {
        "type": "object",
        "properties": {
          "value": { "type": "string" },
          "description": { "type": "string" }
        },
        "required": ["value"],
        "additionalProperties": false
      }
    ]
  },
  "examples": [
    {
      "API_TOKEN": "value from secrets context",
      "DATABASE_URL": {
        "value": "${{ secrets.DB_URL }}",
        "description": "Production database connection string"
      }
    }
  ]
}

2. Add Documentation (30 minutes)

Update docs/src/content/docs/reference/frontmatter.md with:

  • Description of secrets field
  • Usage examples
  • Security best practices
  • How secrets are passed to agent execution

3. Add Test Cases (1 hour)

// In pkg/parser/ tests
package parser

import "testing"

func TestSecretsFieldValidation(t *testing.T) {
    tests := []struct {
        name      string
        secrets   map[string]any
        shouldErr bool
    }{
        {
            name:    "valid string secret",
            secrets: map[string]any{"API_KEY": "test"},
        },
        {
            name: "valid object secret",
            secrets: map[string]any{
                "DB": map[string]any{
                    "value":       "connection-string",
                    "description": "Database",
                },
            },
        },
        {
            name:      "invalid type",
            secrets:   map[string]any{"KEY": []int{1, 2, 3}},
            shouldErr: true,
        },
    }
    for _, tt := range tests {
        t.Run(tt.name, func(t *testing.T) {
            // validateSecretsField is a placeholder name for whatever entry
            // point pkg/parser exposes for validating the secrets field.
            err := validateSecretsField(tt.secrets)
            if (err != nil) != tt.shouldErr {
                t.Fatalf("got err=%v, want shouldErr=%v", err, tt.shouldErr)
            }
        })
    }
}
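A reference validator for the value shapes the proposed schema and the test table above describe (a plain string, or an object with a required string value and an optional string description), added here as an example rather than code from the project; the name ValidateSecrets and the rejection of unknown keys in the object form are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ValidateSecrets checks a frontmatter "secrets" map against the shapes the
// proposed schema allows: a plain string, or an object with a required string
// "value" and an optional string "description". Unknown keys in the object
// form are rejected (an assumption; the issue's sketch does not say).
func ValidateSecrets(secrets map[string]any) error {
	var errs []string
	for name, raw := range secrets {
		switch v := raw.(type) {
		case string:
			// Plain form, e.g. "${{ secrets.API_TOKEN }}": nothing more to check.
		case map[string]any:
			if val, ok := v["value"]; !ok {
				errs = append(errs, "secrets."+name+": object form requires a 'value' key")
			} else if _, isStr := val.(string); !isStr {
				errs = append(errs, fmt.Sprintf("secrets.%s.value: want string, got %T", name, val))
			}
			if d, ok := v["description"]; ok {
				if _, isStr := d.(string); !isStr {
					errs = append(errs, fmt.Sprintf("secrets.%s.description: want string, got %T", name, d))
				}
			}
			for k := range v {
				if k != "value" && k != "description" {
					errs = append(errs, fmt.Sprintf("secrets.%s: unknown key %q", name, k))
				}
			}
		default:
			errs = append(errs, fmt.Sprintf("secrets.%s: want string or object, got %T", name, raw))
		}
	}
	if len(errs) == 0 {
		return nil
	}
	sort.Strings(errs) // map iteration order is random; keep the report stable
	return fmt.Errorf("invalid secrets field:\n  %s", strings.Join(errs, "\n  "))
}

func main() {
	// Constructed sample mirroring the issue's "invalid type" test case.
	fmt.Println(ValidateSecrets(map[string]any{"KEY": []int{1, 2, 3}}))
}
```

All problems are collected into one error so a user fixing a workflow sees every offending key in a single pass.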

Files Affected

  • pkg/parser/schemas/main_workflow_schema.json (schema definition)
  • docs/src/content/docs/reference/frontmatter.md (documentation)
  • pkg/parser/*_test.go (validation tests)
  • pkg/workflow/compiler_jobs.go (existing usage)
  • pkg/workflow/frontmatter_types.go (existing struct)

Success Criteria

  • secrets field added to schema with proper type definition
  • Schema validation catches invalid secret configurations
  • Documentation includes examples and security guidance
  • Test cases cover common usage patterns
  • All existing code using secrets continues to work

Source

Extracted from Schema Consistency Analysis discussion #13673

Priority: High - Missing validation for security-sensitive field

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 18, 2026, 9:13 AM UTC
