feat: add secret parameter type for pipeline parameters(HEXA-1457 ) (#373)

DimitriKwihangana · yolanfery · blsqbot · web-flow · commit 0dfc82e21ad4 · 2026-04-23T10:05:59.000+02:00
* feat: add secret field in parameters of a pipeline * fix:type identity * add secret to schema * feat: add secret field type to pipeline parameters * Revert "chore(deps): update dependency python to 3.14 (#363)" This reverts commit 178b0a7. * fix: parameter typing for File (#371) * chore: release v2.19.4 (#370) * fix: type * fix: type test --------- Co-authored-by: blsqbot <83090543+blsqbot@users.noreply.github.com> --------- Co-authored-by: Yolan Fery <yolan@codethefuture.be> Co-authored-by: blsqbot <83090543+blsqbot@users.noreply.github.com>
diff --git a/.github/workflows/schema-compatibility-cron.yml b/.github/workflows/schema-compatibility-cron.yml
@@ -12,7 +12,7 @@ jobs:
 
       - uses: actions/setup-python@v6
         with:
-          python-version: "3.14"
+          python-version: "3.13"
 
       - run: pip install --upgrade openhexa.sdk
 
diff --git a/openhexa/graphql/graphql_client/enums.py b/openhexa/graphql/graphql_client/enums.py
@@ -571,6 +571,7 @@ class ParameterType(str, Enum):
     int = "int"
     postgresql = "postgresql"
     s3 = "s3"
+    secret = "secret"
     str = "str"
 
 
diff --git a/openhexa/graphql/schema.generated.graphql b/openhexa/graphql/schema.generated.graphql
@@ -3180,6 +3180,7 @@ enum ParameterType {
   int
   postgresql
   s3
+  secret
   str
 }
 
diff --git a/openhexa/sdk/__init__.py b/openhexa/sdk/__init__.py
@@ -3,7 +3,7 @@
 from .datasets import Dataset
 from .files import File
 from .pipelines import current_pipeline, current_run, parameter, pipeline
-from .pipelines.parameter import DHIS2Widget, IASOWidget
+from .pipelines.parameter import DHIS2Widget, IASOWidget, Secret
 from .utils import OpenHexaClient
 from .workspaces import workspace
 from .workspaces.connection import (
@@ -32,4 +32,5 @@
     "Dataset",
     "OpenHexaClient",
     "File",
+    "Secret",
 ]
diff --git a/openhexa/sdk/pipelines/parameter.py b/openhexa/sdk/pipelines/parameter.py
@@ -389,11 +389,77 @@ def validate(self, value: typing.Any | None) -> File:
             raise ParameterValueError(str(e))
 
 
+class Secret(str):
+    """Marker type for secret/password pipeline parameters.
+
+    Use as the ``type`` argument of the ``@parameter`` decorator to indicate that the parameter value is sensitive
+    and should be hidden in the OpenHEXA web interface. The pipeline function will receive the value as a plain
+    ``str`` at runtime.
+
+    Example::
+
+        @parameter("iaso_token", type=Secret, name="IASO token", required=True)
+        @pipeline("my-pipeline")
+        def my_pipeline(iaso_token: str):
+            ...
+    """
+
+    pass
+
+
+class SecretType(ParameterType):
+    """Type class for secret/password string parameters. Values are treated as plain strings at runtime."""
+
+    @property
+    def spec_type(self) -> str:
+        """Return a type string for the specs that are sent to the backend."""
+        return "secret"
+
+    @property
+    def expected_type(self) -> type:
+        """Returns the python type expected for values."""
+        return Secret
+
+    @property
+    def accepts_choices(self) -> bool:
+        """Secrets don't support choices."""
+        return False
+
+    @property
+    def accepts_multiple(self) -> bool:
+        """Secrets don't support multiple values."""
+        return False
+
+    @staticmethod
+    def normalize(value: typing.Any) -> Secret | None:
+        """Strip whitespace, convert empty strings to None, and wrap as Secret."""
+        if isinstance(value, str):
+            normalized_value = value.strip()
+        else:
+            normalized_value = value
+
+        if normalized_value == "":
+            return None
+
+        if isinstance(normalized_value, str):
+            return Secret(normalized_value)
+
+        return normalized_value
+
+    def validate_default(self, value: typing.Any | None):
+        """Validate the default value configured for this type."""
+        if value == "":
+            raise ParameterValueError("Empty values are not accepted.")
+
+        super().validate_default(value)
+
+
 TYPES_BY_PYTHON_TYPE = {
     "str": StringType,
     "bool": Boolean,
     "int": Integer,
     "float": Float,
+    "Secret": SecretType,
     "DHIS2Connection": DHIS2ConnectionType,
     "PostgreSQLConnection": PostgreSQLConnectionType,
     "IASOConnection": IASOConnectionType,
@@ -438,6 +504,7 @@ def __init__(
             | int
             | bool
             | float
+            | Secret
             | DHIS2Connection
             | IASOConnection
             | PostgreSQLConnection
@@ -622,6 +689,7 @@ def parameter(
         | int
         | bool
         | float
+        | Secret
         | DHIS2Connection
         | IASOConnection
         | PostgreSQLConnection
diff --git a/tests/test_parameter.py b/tests/test_parameter.py
@@ -32,6 +32,8 @@
     ParameterValueError,
     PostgreSQLConnectionType,
     S3ConnectionType,
+    Secret,
+    SecretType,
     StringType,
     parameter,
 )
@@ -92,6 +94,54 @@ def test_parameter_types_validate():
         boolean_parameter_type.validate(86)
 
 
+def test_secret_type_normalize():
+    """Check normalization for SecretType."""
+    secret_type = SecretType()
+    assert secret_type.normalize("my-token") == "my-token"
+    assert secret_type.normalize("  my-token  ") == "my-token"
+    assert secret_type.normalize("") is None
+    assert secret_type.normalize(" ") is None
+
+
+def test_secret_type_validate():
+    """Check validation for SecretType."""
+    secret_type = SecretType()
+    assert secret_type.validate(Secret("my-token")) == "my-token"
+    with pytest.raises(ParameterValueError):
+        secret_type.validate(123)
+
+
+def test_secret_type_does_not_accept_choices():
+    """Secret parameters don't support choices."""
+    with pytest.raises(InvalidParameterError):
+        Parameter("token", type=Secret, choices=["a", "b"])
+
+
+def test_secret_type_does_not_accept_multiple():
+    """Secret parameters don't support multiple values."""
+    with pytest.raises(InvalidParameterError):
+        Parameter("token", type=Secret, multiple=True)
+
+
+def test_secret_parameter_spec_type():
+    """Secret parameters serialize with spec_type 'secret'."""
+    p = Parameter("token", type=Secret)
+    assert p.to_dict()["type"] == "secret"
+
+
+def test_secret_parameter_validates_string():
+    """Secret parameters validate and return plain strings."""
+    p = Parameter("token", type=Secret)
+    assert p.validate("my-secret-token") == "my-secret-token"
+
+
+def test_secret_parameter_required():
+    """Secret parameters respect required constraint."""
+    p = Parameter("token", type=Secret, required=True)
+    with pytest.raises(ParameterValueError):
+        p.validate(None)
+
+
 def test_validate_postgres_connection():
     """Check PostgreSQL connection validation."""
     identifier = "polio-ff3a0d"

Original file line number	Diff line number	Diff line change
`@@ -3180,6 +3180,7 @@ enum ParameterType {`
`3180`	`3180`	`int`
`3181`	`3181`	`postgresql`
`3182`	`3182`	`s3`
	`3183`	`+ secret`
`3183`	`3184`	`str`
`3184`	`3185`	`}`
`3185`	`3186`