feat: add support for secrets field in step configuration

Add the `secrets` field to the Step struct, allowing users to specify
Buildkite secrets that should be injected into step environments.

Supports both formats as documented by Buildkite:
- Array format: ["API_ACCESS_TOKEN", "DATABASE_PASSWORD"]
- Map format: {"MY_API_KEY": "API_ACCESS_TOKEN"}

Changes:
- Add Secrets field as interface{} to support both formats
- Add tests for secrets parsing (array and map formats)
- Add tests for secrets in nested steps within groups
- Add pipeline generation tests for both formats
- Add documentation with examples in README.md

Closes #113

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: 2 people

README.md

@@ -342,6 +342,67 @@ steps:
                 command: "echo deploy-bar"
 ```
 
+### `secrets` (optional)
+
+Add `secrets` to inject [Buildkite Secrets](https://buildkite.com/docs/pipelines/security/secrets/buildkite-secrets) into your command steps. Secrets can be specified in two formats:
+
+**Array format** - secret names are used as environment variable names:
+
+```yaml
+steps:
+  - label: "Deploy with secrets"
+    plugins:
+      - monorepo-diff#v1.6.2:
+          diff: "git diff --name-only HEAD~1"
+          watch:
+            - path: "service/"
+              config:
+                command: "deploy.sh"
+                secrets:
+                  - API_ACCESS_TOKEN
+                  - DATABASE_PASSWORD
+```
+
+**Map format** - specify custom environment variable names:
+
+```yaml
+steps:
+  - label: "Deploy with secrets"
+    plugins:
+      - monorepo-diff#v1.6.2:
+          diff: "git diff --name-only HEAD~1"
+          watch:
+            - path: "service/"
+              config:
+                command: "deploy.sh"
+                secrets:
+                  MY_API_KEY: api_access_token_secret
+                  DB_PASS: database_password_secret
+```
+
+Secrets also work within grouped steps:
+
+```yaml
+steps:
+  - label: "Deploy services"
+    plugins:
+      - monorepo-diff#v1.6.2:
+          diff: "git diff --name-only HEAD~1"
+          watch:
+            - path: "services/"
+              config:
+                group: "Deploy"
+                steps:
+                  - command: "deploy-uat.sh"
+                    label: "Deploy UAT"
+                    secrets:
+                      - UAT_DB_HOST
+                  - command: "deploy-prod.sh"
+                    label: "Deploy Prod"
+                    secrets:
+                      DB_HOST: prod_db_host_secret
+```
+
 ## Example
 
 ```yaml

pipeline_test.go

@@ -714,3 +714,114 @@ func TestGeneratePipelineWithStepKey(t *testing.T) {
 
 	assert.Equal(t, want, string(got))
 }
+
+func TestGeneratePipelineWithSecretsAsMap(t *testing.T) {
+	steps := []Step{
+		{
+			Command: "echo deploy",
+			Label:   "Deploy",
+			Secrets: map[string]interface{}{
+				"DATABRICKS_HOST":  "databricks_host_secret",
+				"DATABRICKS_TOKEN": "databricks_token_secret",
+			},
+		},
+	}
+
+	plugin := Plugin{Wait: false}
+
+	pipeline, _, err := generatePipeline(steps, plugin)
+	require.NoError(t, err)
+	defer func() {
+		if err = os.Remove(pipeline.Name()); err != nil {
+			t.Logf("Failed to remove temporary pipeline file: %v", err)
+		}
+	}()
+
+	got, err := os.ReadFile(pipeline.Name())
+	require.NoError(t, err)
+
+	// Check that the output contains the expected secrets (order may vary in maps)
+	assert.Contains(t, string(got), "label: Deploy")
+	assert.Contains(t, string(got), "command: echo deploy")
+	assert.Contains(t, string(got), "secrets:")
+	assert.Contains(t, string(got), "DATABRICKS_HOST: databricks_host_secret")
+	assert.Contains(t, string(got), "DATABRICKS_TOKEN: databricks_token_secret")
+}
+
+func TestGeneratePipelineWithSecretsAsArray(t *testing.T) {
+	steps := []Step{
+		{
+			Command: "echo deploy",
+			Label:   "Deploy",
+			Secrets: []interface{}{"API_ACCESS_TOKEN", "DATABASE_PASSWORD"},
+		},
+	}
+
+	want := `steps:
+    - label: Deploy
+      command: echo deploy
+      secrets:
+        - API_ACCESS_TOKEN
+        - DATABASE_PASSWORD
+`
+
+	plugin := Plugin{Wait: false}
+
+	pipeline, _, err := generatePipeline(steps, plugin)
+	require.NoError(t, err)
+	defer func() {
+		if err = os.Remove(pipeline.Name()); err != nil {
+			t.Logf("Failed to remove temporary pipeline file: %v", err)
+		}
+	}()
+
+	got, err := os.ReadFile(pipeline.Name())
+	require.NoError(t, err)
+
+	assert.Equal(t, want, string(got))
+}
+
+func TestGeneratePipelineWithSecretsInGroup(t *testing.T) {
+	steps := []Step{
+		{
+			Group: "deploy group",
+			Steps: []Step{
+				{
+					Command: "echo deploy uat",
+					Label:   "Deploy UAT",
+					Secrets: map[string]interface{}{
+						"DB_HOST": "uat_db_host",
+					},
+				},
+				{
+					Command: "echo deploy prod",
+					Label:   "Deploy Prod",
+					Secrets: []interface{}{"PROD_DB_HOST", "PROD_DB_PASS"},
+				},
+			},
+		},
+	}
+
+	plugin := Plugin{Wait: false}
+
+	pipeline, _, err := generatePipeline(steps, plugin)
+	require.NoError(t, err)
+	defer func() {
+		if err = os.Remove(pipeline.Name()); err != nil {
+			t.Logf("Failed to remove temporary pipeline file: %v", err)
+		}
+	}()
+
+	got, err := os.ReadFile(pipeline.Name())
+	require.NoError(t, err)
+
+	// Check structure and content (map order may vary)
+	assert.Contains(t, string(got), "group: deploy group")
+	assert.Contains(t, string(got), "label: Deploy UAT")
+	assert.Contains(t, string(got), "command: echo deploy uat")
+	assert.Contains(t, string(got), "DB_HOST: uat_db_host")
+	assert.Contains(t, string(got), "label: Deploy Prod")
+	assert.Contains(t, string(got), "command: echo deploy prod")
+	assert.Contains(t, string(got), "- PROD_DB_HOST")
+	assert.Contains(t, string(got), "- PROD_DB_PASS")
+}

plugin.go

@@ -95,6 +95,7 @@ type Step struct {
 	Notify    []StepNotify             `yaml:"notify,omitempty"`
 	DependsOn interface{}              `json:"depends_on" yaml:"depends_on,omitempty"`
 	Key       string                   `yaml:"key,omitempty"`
+	Secrets   interface{}              `json:"secrets,omitempty" yaml:"secrets,omitempty"`
 	Steps     []Step                   `yaml:"steps,omitempty"`
 }
 

plugin_test.go

@@ -1087,3 +1087,137 @@ func TestPluginEnvWithEqualsSignsAndSpacesInValues(t *testing.T) {
 	assert.Equal(t, "value with spaces", got.Env["SPACE_VALUE"])
 	assert.Equal(t, "\"--opt1=val1 --opt2=val2\"", got.Env["COMPLEX"])
 }
+
+func TestPluginShouldPreserveSecretsAsMap(t *testing.T) {
+	param := `[{
+		"github.com/buildkite-plugins/monorepo-diff-buildkite-plugin#commit": {
+			"watch": [
+				{
+					"path": "service/**/*",
+					"config": {
+						"command": "echo deploy",
+						"secrets": {
+							"DATABRICKS_HOST": "databricks_host_secret",
+							"DATABRICKS_TOKEN": "databricks_token_secret"
+						}
+					}
+				}
+			]
+		}
+	}]`
+
+	got, err := initializePlugin(param)
+	assert.NoError(t, err)
+
+	expected := Plugin{
+		Diff:          "git diff --name-only HEAD~1",
+		Wait:          false,
+		LogLevel:      "info",
+		Interpolation: true,
+		Watch: []WatchConfig{
+			{
+				Paths: []string{"service/**/*"},
+				Step: Step{
+					Command: "echo deploy",
+					Secrets: map[string]interface{}{
+						"DATABRICKS_HOST":  "databricks_host_secret",
+						"DATABRICKS_TOKEN": "databricks_token_secret",
+					},
+				},
+			},
+		},
+	}
+
+	if diff := cmp.Diff(expected, got); diff != "" {
+		t.Fatalf("plugin diff (-want +got):\n%s", diff)
+	}
+}
+
+func TestPluginShouldPreserveSecretsAsArray(t *testing.T) {
+	param := `[{
+		"github.com/buildkite-plugins/monorepo-diff-buildkite-plugin#commit": {
+			"watch": [
+				{
+					"path": "service/**/*",
+					"config": {
+						"command": "echo deploy",
+						"secrets": ["API_ACCESS_TOKEN", "DATABASE_PASSWORD"]
+					}
+				}
+			]
+		}
+	}]`
+
+	got, err := initializePlugin(param)
+	assert.NoError(t, err)
+
+	expected := Plugin{
+		Diff:          "git diff --name-only HEAD~1",
+		Wait:          false,
+		LogLevel:      "info",
+		Interpolation: true,
+		Watch: []WatchConfig{
+			{
+				Paths: []string{"service/**/*"},
+				Step: Step{
+					Command: "echo deploy",
+					Secrets: []interface{}{"API_ACCESS_TOKEN", "DATABASE_PASSWORD"},
+				},
+			},
+		},
+	}
+
+	if diff := cmp.Diff(expected, got); diff != "" {
+		t.Fatalf("plugin diff (-want +got):\n%s", diff)
+	}
+}
+
+func TestPluginShouldPreserveSecretsInNestedSteps(t *testing.T) {
+	param := `[{
+		"github.com/buildkite-plugins/monorepo-diff-buildkite-plugin#commit": {
+			"watch": [
+				{
+					"path": "service/**/*",
+					"config": {
+						"group": "deploy group",
+						"steps": [
+							{
+								"command": "echo deploy uat",
+								"label": "Deploy UAT",
+								"secrets": {
+									"DB_HOST": "uat_db_host"
+								}
+							},
+							{
+								"command": "echo deploy prod",
+								"label": "Deploy Prod",
+								"secrets": ["PROD_DB_HOST", "PROD_DB_PASS"]
+							}
+						]
+					}
+				}
+			]
+		}
+	}]`
+
+	got, err := initializePlugin(param)
+	assert.NoError(t, err)
+
+	assert.Equal(t, 1, len(got.Watch))
+	assert.Equal(t, "deploy group", got.Watch[0].Step.Group)
+	assert.Equal(t, 2, len(got.Watch[0].Step.Steps))
+
+	// Verify first nested step has secrets as map
+	firstStep := got.Watch[0].Step.Steps[0]
+	assert.Equal(t, "echo deploy uat", firstStep.Command)
+	secretsMap, ok := firstStep.Secrets.(map[string]interface{})
+	assert.True(t, ok, "first step secrets should be a map")
+	assert.Equal(t, "uat_db_host", secretsMap["DB_HOST"])
+
+	// Verify second nested step has secrets as array
+	secondStep := got.Watch[0].Step.Steps[1]
+	assert.Equal(t, "echo deploy prod", secondStep.Command)
+	secretsArray, ok := secondStep.Secrets.([]interface{})
+	assert.True(t, ok, "second step secrets should be an array")
+	assert.Equal(t, []interface{}{"PROD_DB_HOST", "PROD_DB_PASS"}, secretsArray)
+}