As per the discussion in this thread on the mailing list, it would be useful for jobs to be able to declare that they are unable to complete without their secrets. This would allow srht to intelligently choose not to run the job when secrets are unavailable (such as a patch build to mailing list or a clone of someone else's repo).
The proposed implementation is an additional manifest field called
secrets-policy with a default value of
required. The possible values are:
required: this build needs secrets in order to run. If they are not available, do not run it.
optional: this build can run without its secrets. This is a declaration of intent by the designer of the CI that they expect the build to work without secrets.
On the mailing list, ~sircmpwn suggested a third
disabled state, but I didn't understand it. I thought it was better to open an issue with the specification that made sense to me as a starting point. I apologize if that's procedurally incorrect.