From 753501cc91e6423fd0c89555a2b38abd51ef7d94 Mon Sep 17 00:00:00 2001 From: Rashmi Naidu Date: Thu, 16 Apr 2026 15:53:36 -0400 Subject: [PATCH 1/4] added fix for nextflow launch to include workspace secrets Signed-off-by: Rashmi Naidu --- .../src/main/groovy/nextflow/cli/CmdLaunch.groovy | 14 +++++++++++++- .../tower/plugin/launch/LaunchCommandImpl.groovy | 2 ++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/modules/nextflow/src/main/groovy/nextflow/cli/CmdLaunch.groovy b/modules/nextflow/src/main/groovy/nextflow/cli/CmdLaunch.groovy index da672a0006..520c89e33b 100644 --- a/modules/nextflow/src/main/groovy/nextflow/cli/CmdLaunch.groovy +++ b/modules/nextflow/src/main/groovy/nextflow/cli/CmdLaunch.groovy @@ -86,6 +86,12 @@ class CmdLaunch extends CmdBase implements UsageAware { @Parameter(names = ['-main-script'], description = 'The script file to be executed when launching a project directory or repository') String mainScript + @Parameter(names = ['-user-secret'], description = 'Specify a user secret name to use in the pipeline (can be specified multiple times)') + List userSecrets = [] + + @Parameter(names = ['-workspace-secret'], description = 'Specify a workspace secret name to use in the pipeline (can be specified multiple times)') + List workspaceSecrets = [] + /** * Defines the parameters to be passed to the pipeline script */ @@ -124,7 +130,9 @@ class CmdLaunch extends CmdBase implements UsageAware { stubRun: stubRun, mainScript: mainScript, params: params, - launcher: launcher + launcher: launcher, + userSecrets: userSecrets, + workspaceSecrets: workspaceSecrets ) // Execute launch @@ -156,6 +164,8 @@ class CmdLaunch extends CmdBase implements UsageAware { result << ' -latest Pull latest changes before run' result << ' -stub-run, -stub Execute the workflow replacing process scripts with command stubs' result << ' -main-script The script file to be executed when launching a project' + result << ' -user-secret User secret name to use in the pipeline (can be specified multiple times)' + result << ' -workspace-secret Workspace secret name to use in the pipeline (can be specified multiple times)' result << ' --= Set a parameter used by the pipeline' result << '' println result.join('\n').toString() @@ -191,5 +201,7 @@ class CmdLaunch extends CmdBase implements UsageAware { String mainScript Map params Launcher launcher + List userSecrets + List workspaceSecrets } } diff --git a/plugins/nf-tower/src/main/io/seqera/tower/plugin/launch/LaunchCommandImpl.groovy b/plugins/nf-tower/src/main/io/seqera/tower/plugin/launch/LaunchCommandImpl.groovy index 8921353a3d..e6f187b59d 100644 --- a/plugins/nf-tower/src/main/io/seqera/tower/plugin/launch/LaunchCommandImpl.groovy +++ b/plugins/nf-tower/src/main/io/seqera/tower/plugin/launch/LaunchCommandImpl.groovy @@ -229,6 +229,8 @@ class LaunchCommandImpl extends BaseCommandImpl implements CmdLaunch.LaunchComma if (paramsText) launch.paramsText = paramsText if (options.mainScript) launch.mainScript = options.mainScript if (options.entryName) launch.entryName = options.entryName + if (options.userSecrets) launch.userSecrets = options.userSecrets as Set + if (options.workspaceSecrets) launch.workspaceSecrets = options.workspaceSecrets as Set log.debug "Built launch request with ${launch.size()} parameters" return [launch: launch] From 5324df437694e6e3efe9dd6047604b9fbd7b1f7b Mon Sep 17 00:00:00 2001 From: Rashmi Naidu Date: Thu, 16 Apr 2026 16:04:27 -0400 Subject: [PATCH 2/4] add tests for user and workspace secrets in launch request Signed-off-by: Rashmi Naidu --- .../launch/LaunchCommandImplTest.groovy | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/plugins/nf-tower/src/test/io/seqera/tower/plugin/launch/LaunchCommandImplTest.groovy b/plugins/nf-tower/src/test/io/seqera/tower/plugin/launch/LaunchCommandImplTest.groovy index 044928c4d1..bca3ae0101 100644 --- a/plugins/nf-tower/src/test/io/seqera/tower/plugin/launch/LaunchCommandImplTest.groovy +++ b/plugins/nf-tower/src/test/io/seqera/tower/plugin/launch/LaunchCommandImplTest.groovy @@ -622,6 +622,44 @@ class LaunchCommandImplTest extends Specification { request.launch.configText == 'process.cpus = 8' } + def 'should include workspace and user secrets in launch request'() { + given: + def cmd = new LaunchCommandImpl() + def options = new CmdLaunch.LaunchOptions( + pipeline: 'nf-core/rnaseq', + userSecrets: ['MY_USER_SECRET'], + workspaceSecrets: ['DRAGEN_USERNAME', 'DRAGEN_PASSWORD'] + ) + def context = new LaunchCommandImpl.LaunchContext( + computeEnvId: 'ce-123', + workDir: 's3://bucket/work' + ) + + when: + def request = cmd.buildLaunchRequestPayload(options, context, 'https://github.com/nf-core/rnaseq', null, null) + + then: + request.launch.userSecrets == ['MY_USER_SECRET'] as Set + request.launch.workspaceSecrets == ['DRAGEN_USERNAME', 'DRAGEN_PASSWORD'] as Set + } + + def 'should not include secrets in launch request when none provided'() { + given: + def cmd = new LaunchCommandImpl() + def options = new CmdLaunch.LaunchOptions(pipeline: 'nf-core/rnaseq') + def context = new LaunchCommandImpl.LaunchContext( + computeEnvId: 'ce-123', + workDir: 's3://bucket/work' + ) + + when: + def request = cmd.buildLaunchRequestPayload(options, context, 'https://github.com/nf-core/rnaseq', null, null) + + then: + !request.launch.containsKey('userSecrets') + !request.launch.containsKey('workspaceSecrets') + } + // ===== Workflow Status Tests ===== def 'should get color for workflow status'() { From 388b1900ee2d01a7636dc5f0528af25ed196ac61 Mon Sep 17 00:00:00 2001 From: Christopher Hakkaart Date: Mon, 20 Apr 2026 15:05:48 +1200 Subject: [PATCH 3/4] Add minimal docs Signed-off-by: Christopher Hakkaart --- docs/migrations/26-04.md | 17 +++++++++++++++++ docs/reference/cli.md | 12 ++++++++++++ 2 files changed, 29 insertions(+) diff --git a/docs/migrations/26-04.md b/docs/migrations/26-04.md index 260daf878f..0fd7bb25ad 100644 --- a/docs/migrations/26-04.md +++ b/docs/migrations/26-04.md @@ -337,6 +337,23 @@ workflow RNASEQ { See the {ref}`cli-lint` command reference for details. +

New -user-secret and -workspace-secret options for launch command

+ +The `launch` command now has `-user-secret` and `-workspace-secret` options, which can be used to specify secrets for Seqera Platform pipeline runs. + +```bash +nextflow launch myorg/pipeline \ + -r main \ + -profile awsbatch \ + -workspace-secret DRAGEN_USERNAME \ + -workspace-secret DRAGEN_PASSWORD \ + -user-secret MY_USER_SECRET +``` + +Each option can be specified multiple times. + +See the {ref}`cli-launch` command reference for details. + ## Breaking changes - The {ref}`strict syntax parser ` is now enabled by default. The legacy parser can be enabled by setting the `NXF_SYNTAX_PARSER` environment variable to `v1`. diff --git a/docs/reference/cli.md b/docs/reference/cli.md index 44ac9e31a6..cd3d838099 100644 --- a/docs/reference/cli.md +++ b/docs/reference/cli.md @@ -832,9 +832,21 @@ The `launch` command launches a pipeline run in Seqera Platform. To log in and c `-stub-run, -stub` : Whether to replace scripts with command stubs when executing the run. +`-user-secret` +: :::{versionadded} 26.04.0 + ::: +: Name of user secret to use in the pipeline. +: Can be specified multiple times. + `-w, -work-dir` : The directory where intermediate result files are stored. +`-workspace-secret` +: :::{versionadded} 26.04.0 + ::: +: Name of workspace secret to use in the pipeline. +: Can be specified multiple times. + `-workspace` : The Seqera Platform workspace name. From 56470be5ddeee9fb611fed51637873435abd14bd Mon Sep 17 00:00:00 2001 From: Ben Sherman Date: Tue, 28 Apr 2026 07:42:10 -0500 Subject: [PATCH 4/4] update docs Signed-off-by: Ben Sherman --- docs/migrations/26-04.md | 17 ----------------- docs/reference/cli.md | 6 +++--- 2 files changed, 3 insertions(+), 20 deletions(-) diff --git a/docs/migrations/26-04.md b/docs/migrations/26-04.md index 0fd7bb25ad..260daf878f 100644 --- a/docs/migrations/26-04.md +++ b/docs/migrations/26-04.md @@ -337,23 +337,6 @@ workflow RNASEQ { See the {ref}`cli-lint` command reference for details. -

New -user-secret and -workspace-secret options for launch command

- -The `launch` command now has `-user-secret` and `-workspace-secret` options, which can be used to specify secrets for Seqera Platform pipeline runs. - -```bash -nextflow launch myorg/pipeline \ - -r main \ - -profile awsbatch \ - -workspace-secret DRAGEN_USERNAME \ - -workspace-secret DRAGEN_PASSWORD \ - -user-secret MY_USER_SECRET -``` - -Each option can be specified multiple times. - -See the {ref}`cli-launch` command reference for details. - ## Breaking changes - The {ref}`strict syntax parser ` is now enabled by default. The legacy parser can be enabled by setting the `NXF_SYNTAX_PARSER` environment variable to `v1`. diff --git a/docs/reference/cli.md b/docs/reference/cli.md index cd3d838099..40238c85ae 100644 --- a/docs/reference/cli.md +++ b/docs/reference/cli.md @@ -841,15 +841,15 @@ The `launch` command launches a pipeline run in Seqera Platform. To log in and c `-w, -work-dir` : The directory where intermediate result files are stored. +`-workspace` +: The Seqera Platform workspace name. + `-workspace-secret` : :::{versionadded} 26.04.0 ::: : Name of workspace secret to use in the pipeline. : Can be specified multiple times. -`-workspace` -: The Seqera Platform workspace name. - **Examples** Execute a pipeline in Seqera Platform.