arazzo: 1.0.1
info:
  title: ZenML Provision Secret
  summary: Confirm the caller identity, create a scoped secret, and confirm it appears in the secret store.
  description: >-
    Provisions an encrypted secret in the ZenML secret store. The workflow reads
    the current authenticated user to anchor ownership context, creates the
    secret with the supplied scope and key/value pairs, and lists secrets to
    confirm the new secret is registered. Secret values are never returned by
    the listing endpoint, so only metadata is confirmed. Every step spells out
    its request inline, including the bearer Authorization header, so the flow
    can be read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: zenmlApi
  url: ../openapi/zenml-openapi.yml
  type: openapi
workflows:
- workflowId: provision-secret
  summary: Create a scoped secret and confirm it is registered in the secret store.
  description: >-
    Reads the current user, creates a secret with the supplied scope and
    values, and lists secrets to confirm registration.
  inputs:
    type: object
    required:
    - accessToken
    - secretName
    - values
    properties:
      accessToken:
        type: string
        description: ZenML JWT access token obtained from the login endpoint.
      secretName:
        type: string
        description: The name to register the secret under.
      scope:
        type: string
        description: The secret scope, either user or workspace.
      values:
        type: object
        description: Map of secret key to secret string value.
  steps:
  - stepId: whoami
    description: >-
      Read the current authenticated user to anchor ownership context for the
      secret being created.
    operationId: getCurrentUser
    parameters:
    - name: Authorization
      in: header
      value: Bearer $inputs.accessToken
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
  - stepId: createSecret
    description: >-
      Create the secret with the supplied name, scope, and key/value pairs.
    operationId: createSecret
    parameters:
    - name: Authorization
      in: header
      value: Bearer $inputs.accessToken
    requestBody:
      contentType: application/json
      payload:
        name: $inputs.secretName
        scope: $inputs.scope
        values: $inputs.values
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      secretId: $response.body#/id
      secretName: $response.body#/name
  - stepId: confirmSecret
    description: >-
      List secrets (metadata only) to confirm the new secret is registered.
    operationId: listSecrets
    parameters:
    - name: Authorization
      in: header
      value: Bearer $inputs.accessToken
    - name: page
      in: query
      value: 1
    - name: size
      in: query
      value: 100
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      total: $response.body#/total
  outputs:
    secretId: $steps.createSecret.outputs.secretId
    secretName: $steps.createSecret.outputs.secretName
    ownerId: $steps.whoami.outputs.userId