wesley/load-secrets-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use SDK with service account

Browse Source
This commit is contained in:
Jill Regan
2026-02-18 13:48:19 -05:00
parent 81bc2a50b4
commit 4a997a0402
5 changed files with 193 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
package-lock.json generated
View File

@@ -10,6 +10,7 @@
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@1password/op-js": "^0.1.11", "@1password/op-js": "^0.1.11",
"@1password/sdk": "^0.4.0",
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@actions/exec": "^1.1.1", "@actions/exec": "^1.1.1",
"@actions/tool-cache": "^2.0.2", "@actions/tool-cache": "^2.0.2",
@@ -72,6 +73,21 @@
"prettier": "^2.0.0 || ^3.0.0" "prettier": "^2.0.0 || ^3.0.0"
} }
}, },
"node_modules/@1password/sdk": {
"version": "0.4.0",
"resolved": "https://registry.npmjs.org/@1password/sdk/-/sdk-0.4.0.tgz",
"integrity": "sha512-RIypujc9R/UeUaobjyClTYokqRFpcaIkHq+EO/X9XoHId98Vg+SbjwGV+yygRC4MyHwYNo1KP1iEbZcqJ4ZTdw==",
"license": "MIT",
"dependencies": {
"@1password/sdk-core": "0.4.0"
}
},
"node_modules/@1password/sdk-core": {
"version": "0.4.0",
"resolved": "https://registry.npmjs.org/@1password/sdk-core/-/sdk-core-0.4.0.tgz",
"integrity": "sha512-vjeI1o4wiONY+t1naA4dtUp6HktdLH1D2S+tN1Lh4l41S9XIUHxrljov9B5u6G+VHr7f2MUoxmzXA9zT3aokQQ==",
"license": "MIT"
},
"node_modules/@actions/core": { "node_modules/@actions/core": {
"version": "1.11.1", "version": "1.11.1",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz", "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",

1
package.json
View File

@@ -41,6 +41,7 @@
"homepage": "https://github.com/1Password/load-secrets-action#readme", "homepage": "https://github.com/1Password/load-secrets-action#readme",
"dependencies": { "dependencies": {
"@1password/op-js": "^0.1.11", "@1password/op-js": "^0.1.11",
"@1password/sdk": "^0.4.0",
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@actions/exec": "^1.1.1", "@actions/exec": "^1.1.1",
"@actions/tool-cache": "^2.0.2", "@actions/tool-cache": "^2.0.2",

11
src/index.ts
View File

@@ -3,7 +3,7 @@ import * as core from "@actions/core";
import { validateCli } from "@1password/op-js"; import { validateCli } from "@1password/op-js";
import { installCliOnGithubActionRunner } from "./op-cli-installer"; import { installCliOnGithubActionRunner } from "./op-cli-installer";
import { loadSecrets, unsetPrevious, validateAuth } from "./utils"; import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
import { envFilePath } from "./constants"; import { envFilePath, envConnectHost, envConnectToken } from "./constants";
const loadSecretsAction = async () => { const loadSecretsAction = async () => {
try { try {
@@ -26,8 +26,13 @@ const loadSecretsAction = async () => {
dotenv.config({ path: file }); dotenv.config({ path: file });
} }
// Download and install the CLI
await installCLI(); const isConnect =
process.env[envConnectHost] && process.env[envConnectToken];
// If Connect is used, download and install the CLI
if (isConnect) {
await installCLI();
}
// Load secrets // Load secrets
await loadSecrets(shouldExportEnv); await loadSecrets(shouldExportEnv);

90
src/utils.test.ts
View File

@@ -1,6 +1,7 @@
import * as core from "@actions/core"; import * as core from "@actions/core";
import * as exec from "@actions/exec"; import * as exec from "@actions/exec";
import { read, setClientInfo } from "@1password/op-js"; import { read, setClientInfo } from "@1password/op-js";
import { createClient } from "@1password/sdk";
import { import {
extractSecret, extractSecret,
loadSecrets, loadSecrets,
@@ -22,6 +23,9 @@ jest.mock("@actions/exec", () => ({
})), })),
})); }));
jest.mock("@1password/op-js"); jest.mock("@1password/op-js");
jest.mock("@1password/sdk", () => ({
createClient: jest.fn(),
}));
beforeEach(() => { beforeEach(() => {
jest.clearAllMocks(); jest.clearAllMocks();
@@ -181,6 +185,92 @@ describe("loadSecrets", () => {
}); });
}); });
describe("loadSecrets when using Service Account", () => {
const mockResolve = jest.fn();
beforeEach(() => {
process.env[envConnectHost] = "";
process.env[envConnectToken] = "";
process.env[envServiceAccountToken] = "ops_token";
Object.keys(process.env).forEach((key) => {
if (
typeof process.env[key] === "string" &&
process.env[key]?.startsWith("op://")
) {
delete process.env[key];
}
});
process.env.MY_SECRET = "op://vault/item/field";
(createClient as jest.Mock).mockResolvedValue({
secrets: { resolve: mockResolve },
});
mockResolve.mockResolvedValue("resolved-secret-value");
});
it("does not call op env ls when using Service Account", async () => {
await loadSecrets(false);
expect(exec.getExecOutput).not.toHaveBeenCalled();
});
it("sets step output with resolved value when export-env is false", async () => {
await loadSecrets(false);
expect(core.setOutput).toHaveBeenCalledTimes(1);
expect(core.setOutput).toHaveBeenCalledWith("MY_SECRET", "resolved-secret-value");
});
it("masks secret with setSecret when export-env is false", async () => {
await loadSecrets(false);
expect(core.setSecret).toHaveBeenCalledTimes(1);
expect(core.setSecret).toHaveBeenCalledWith("resolved-secret-value");
});
it("does not call exportVariable when export-env is false", async () => {
await loadSecrets(false);
expect(core.exportVariable).not.toHaveBeenCalled();
});
it("exports env and sets OP_MANAGED_VARIABLES when export-env is true", async () => {
await loadSecrets(true);
expect(core.exportVariable).toHaveBeenCalledWith(
"MY_SECRET",
"resolved-secret-value",
);
expect(core.exportVariable).toHaveBeenCalledWith(
envManagedVariables,
"MY_SECRET",
);
});
it("does not set step output when export-env is true", async () => {
await loadSecrets(true);
expect(core.setOutput).not.toHaveBeenCalledWith("MY_SECRET", expect.anything());
});
it("masks secret with setSecret when export-env is true", async () => {
await loadSecrets(true);
expect(core.setSecret).toHaveBeenCalledTimes(1);
expect(core.setSecret).toHaveBeenCalledWith("resolved-secret-value");
});
it("returns early when no env vars have op:// refs", async () => {
Object.keys(process.env).forEach((key) => {
if (
typeof process.env[key] === "string" &&
process.env[key]?.startsWith("op://")
) {
delete process.env[key];
}
});
await loadSecrets(true);
expect(exec.getExecOutput).not.toHaveBeenCalled();
expect(core.exportVariable).not.toHaveBeenCalled();
});
});
describe("unsetPrevious", () => { describe("unsetPrevious", () => {
const testManagedEnv = "TEST_SECRET"; const testManagedEnv = "TEST_SECRET";
const testSecretValue = "MyS3cr#T"; const testSecretValue = "MyS3cr#T";

80
src/utils.ts
View File

@@ -1,6 +1,7 @@
import * as core from "@actions/core"; import * as core from "@actions/core";
import * as exec from "@actions/exec"; import * as exec from "@actions/exec";
import { read, setClientInfo, semverToInt } from "@1password/op-js"; import { read, setClientInfo, semverToInt } from "@1password/op-js";
import { createClient } from "@1password/sdk";
import { version } from "../package.json"; import { version } from "../package.json";
import { import {
authErr, authErr,
@@ -29,6 +30,30 @@ export const validateAuth = (): void => {
core.info(`Authenticated with ${authType}.`); core.info(`Authenticated with ${authType}.`);
}; };
export const getEnvVarNamesWithSecretRefs = (): string[] =>
Object.keys(process.env).filter(
(key) =>
typeof process.env[key] === "string" &&
process.env[key]?.startsWith("op://"),
);
const setResolvedSecret = (
envName: string,
secretValue: string,
shouldExportEnv: boolean,
): void => {
core.info(`Populating variable: ${envName}`);
if (shouldExportEnv) {
core.exportVariable(envName, secretValue);
} else {
core.setOutput(envName, secretValue);
}
if (secretValue) {
core.setSecret(secretValue);
}
};
export const extractSecret = ( export const extractSecret = (
envName: string, envName: string,
shouldExportEnv: boolean, shouldExportEnv: boolean,
@@ -57,8 +82,10 @@ export const extractSecret = (
} }
}; };
export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => { // Connect loads secrets via the 1Password CLI
// Pass User-Agent Information to the 1Password CLI const loadSecretsViaConnect = async (
shouldExportEnv: boolean,
): Promise<void> => {
setClientInfo({ setClientInfo({
name: "1Password GitHub Action", name: "1Password GitHub Action",
id: "GHA", id: "GHA",
@@ -83,6 +110,55 @@ export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
} }
}; };
// Service Account loads secrets via the 1Password SDK
const loadSecretsViaServiceAccount = async (
shouldExportEnv: boolean,
): Promise<void> => {
const envs = getEnvVarNamesWithSecretRefs();
if (envs.length === 0) {
return;
}
const token = process.env[envServiceAccountToken];
if (!token) {
throw new Error(authErr);
}
const client = await createClient({
auth: token,
integrationName: "1Password GitHub Action",
integrationVersion: version,
});
for (const envName of envs) {
const ref = process.env[envName];
if (!ref) {
continue;
}
// Resolve the secret value using the 1Password SDK
// and make it available either as step outputs or as environment variables
const secretValue = await client.secrets.resolve(ref);
setResolvedSecret(envName, secretValue, shouldExportEnv);
}
if (shouldExportEnv) {
core.exportVariable(envManagedVariables, envs.join());
}
};
export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
const isConnect =
process.env[envConnectHost] && process.env[envConnectToken];
if (isConnect) {
await loadSecretsViaConnect(shouldExportEnv);
return;
}
await loadSecretsViaServiceAccount(shouldExportEnv);
};
export const unsetPrevious = (): void => { export const unsetPrevious = (): void => {
if (process.env[envManagedVariables]) { if (process.env[envManagedVariables]) {
core.info("Unsetting previous values ..."); core.info("Unsetting previous values ...");