split logic for connect and service_account flows

volodymyrZotov
2022-08-09 11:21:49 +03:00
parent da5dd0865d
commit 2faffa0507


@@ -2,23 +2,15 @@
# shellcheck disable=SC2046,SC2001,SC2086 # shellcheck disable=SC2046,SC2001,SC2086
set -e set -e
# Install op-cli readonly CONNECT="CONNECT"
if [[ "$OSTYPE" == "linux-gnu"* ]]; then readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT"
curl -sSfLo op.zip "https://bucket.agilebits.com/cli-private-beta/v2/op_linux_amd64_v2-alpha2.zip"
elif [[ "$OSTYPE" == "darwin"* ]]; then
curl -sSfLo op.zip "https://bucket.agilebits.com/cli-private-beta/v2/op_darwin_amd64_v2-alpha2.zip"
fi
unzip -od /usr/local/bin/ op.zip && rm op.zip
if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
echo "\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST must be set"
exit 1
fi
auth_type=$CONNECT
managed_variables_var="OP_MANAGED_VARIABLES" managed_variables_var="OP_MANAGED_VARIABLES"
IFS=',' read -r -a managed_variables <<< "$(printenv $managed_variables_var)" IFS=','
# Unset all secrets managed by 1Password if `unset-previous` is set. # Unset all secrets managed by 1Password if `unset-previous` is set.
unset_prev_secrets() {
if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
echo "Unsetting previous values..." echo "Unsetting previous values..."
@@ -34,9 +26,21 @@ if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
managed_variables=() managed_variables=()
fi fi
}
# Install op-cli
install_op_cli() {
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
curl -sSfLo op.zip "https://bucket.agilebits.com/cli-private-beta/v2/op_linux_amd64_v2-alpha2.zip"
elif [[ "$OSTYPE" == "darwin"* ]]; then
curl -sSfLo op.zip "https://bucket.agilebits.com/cli-private-beta/v2/op_darwin_amd64_v2-alpha2.zip"
fi
unzip -od /usr/local/bin/ op.zip && rm op.zip
}
# Iterate over environment varables to find 1Password references, load the secret values, # Iterate over environment varables to find 1Password references, load the secret values,
# and make them available as environment variables in the next steps. # and make them available as environment variables in the next steps.
extract_from_op_env() {
IFS=$'\n' IFS=$'\n'
for env_var in $(op env ls); do for env_var in $(op env ls); do
ref=$(printenv $env_var) ref=$(printenv $env_var)
@@ -75,8 +79,6 @@ for env_var in $(op env ls); do
echo "${random_heredoc_identifier}" echo "${random_heredoc_identifier}"
} >> $GITHUB_ENV } >> $GITHUB_ENV
managed_variables+=("$env_var")
else else
# Prepare the secret_value to be outputed properly (especially multiline secrets) # Prepare the secret_value to be outputed properly (especially multiline secrets)
secret_value=$(echo "$secret_value" | awk -v ORS='%0A' '1') secret_value=$(echo "$secret_value" | awk -v ORS='%0A' '1')
@@ -84,8 +86,33 @@ for env_var in $(op env ls); do
echo "::set-output name=$env_var::$secret_value" echo "::set-output name=$env_var::$secret_value"
fi fi
managed_variables+=("$env_var")
done done
unset IFS unset IFS
}
read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
if [ -z "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
echo "(\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST) or \$OP_SERVICE_ACCOUNT_TOKEN must be set"
exit 1
fi
auth_type=$SERVICE_ACCOUNT
fi
printf "Authenticated with %s \n" $auth_type
unset_prev_secrets
if [ "$auth_type" == "$SERVICE_ACCOUNT" ]; then
install_op_cli
extract_from_op_env
elif [ "$auth_type" == "$CONNECT" ]; then
echo "Fetch via connect"
fi
# Add extra env var that lists which secrets are managed by 1Password so that in a later step # Add extra env var that lists which secrets are managed by 1Password so that in a later step
# these can be unset again. # these can be unset again.
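Review bot: install_op_cli() extracts the downloaded op.zip straight into /usr/local/bin with no integrity check. The resulting `op` binary is then run by extract_from_op_env with OP_SERVICE_ACCOUNT_TOKEN in its environment, so a tampered or swapped archive would see every secret the job resolves. HTTPS authenticates only the bucket host, not the artifact, so I would pin a SHA-256 digest per platform archive and verify it before the unzip. The if/elif also has no else, so on any other OSTYPE nothing is downloaded and unzip runs on whatever op.zip already sits in the working directory; that case should fail explicitly. The sketch below uses a placeholder digest because the real values are not on this page.

```shell
install_op_cli() {
  # … unchanged: if/elif on $OSTYPE with the two curl downloads …
  else
    echo "Unsupported OSTYPE: $OSTYPE" >&2
    return 1
  fi
  # Placeholder digest: pin the published SHA-256 of the archive selected above.
  echo "<PINNED_SHA256_FOR_THIS_ARCHIVE>  op.zip" | shasum -a 256 -c - || {
    rm -f op.zip
    return 1
  }
  # … unchanged: unzip into /usr/local/bin and rm op.zip …
}
```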