Sensitive outputs can only be given to sensitive inputs

Problem

Users need a way to declare inputs and outputs that are "sensitive", in other words, likely contain a secret.

The GitLab steps team and step authors can use the sensitive metadata to mask output to prevent secrets being leaked.

Proposal

• In a step specification, an output can be marked as sensitive. Defaults to non-sensitive.
• In a step specification, an input can be marked as sensitive. Defaults to non-sensitive.
• Error when inputs not declared sensitive attempt to derive value using sensitive outputs.
• The epic Handling sensitive values (&14416) states: Any value derived from a sensitive value will also be marked sensitive. This is out-of-scope of this issue, as it conflicts with the above proposed item.
• Delegate outputs are sensitive if output delegated to is sensitive.

Example

Step inputs can be annotated as sensitive, which allows them to handle sensitive values. If a sensitive value is given to a non-sensitive input it will be an error. This guarantees the step knows which incoming values are sensitive so it can act accordingly.

use_creds/step.yml

spec:
  inputs:
    wrapped_creds:
      type: string
      sensitive: true
    not_for_creds:
      type: string
---

.gitlab-ci.yml

...
  - name: use_creds
    step: ./use_creds
    inputs:
      wrapped_creds: | # This is OK
        BEGIN
        ${{ steps.gen_creds.outputs.creds }}
        END
      not_for_creds: | # This produces an error
        BEGIN
        ${{ steps.gen_creds.outputs.creds }}
        END

Reference

• Terraform sensitive variables

Outstanding questions

• Whether or not values should be declared or derived as sensitive, or some combination of both.