Merge pull request #118 from wcarlsen/main

feature: enable loading 1password secrets from file

.github/workflows/acceptance-test.yml

@@ -36,9 +36,9 @@ jobs:
         if: |
           github.event_name != 'repository_dispatch' &&
           (
-            github.ref == 'refs/heads/main' || 
+            github.ref == 'refs/heads/main' ||
             (
-              github.event_name == 'pull_request' && 
+              github.event_name == 'pull_request' &&
               github.event.pull_request.head.repo.full_name == github.repository
             )
           )
@@ -96,12 +96,14 @@ jobs:
           SECRET: ${{ inputs.secret }}
           SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
           MULTILINE_SECRET: ${{ inputs.multiline-secret }}
+          OP_ENV_FILE: ./tests/.env.tpl
       - name: Assert test secret values [step output]
         if: ${{ !inputs.export-env }}
         env:
           SECRET: ${{ steps.load_secrets.outputs.SECRET }}
           SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
           MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+          OP_ENV_FILE: ./tests/.env.tpl
         run: ./tests/assert-env-set.sh
       - name: Assert test secret values [exported env]
         if: ${{ inputs.export-env }}

README.md

@@ -39,6 +39,7 @@ jobs:
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://app-cicd/hello-world/secret
+          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example
 
       - name: Print masked secret
         run: 'echo "Secret: ${{ steps.load_secrets.outputs.SECRET }}"'
@@ -63,6 +64,7 @@ jobs:
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://app-cicd/hello-world/secret
+          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example
 
       - name: Print masked secret
         run: 'echo "Secret: $SECRET"'

package-lock.json

@@ -12,6 +12,7 @@
 				"@1password/op-js": "^0.1.11",
 				"@actions/core": "^1.10.1",
 				"@actions/exec": "^1.1.1",
+				"dotenv": "^17.2.2",
 				"op-cli-installer": "github:1Password/op-cli-installer#e6c1c758bc3339e5fe9b06255728039f688f73fa"
 			},
 			"devDependencies": {
@@ -2766,6 +2767,18 @@
 				"node": ">=6.0.0"
 			}
 		},
+		"node_modules/dotenv": {
+			"version": "17.2.2",
+			"resolved": "https://registry.npmjs.org/dotenv/-/dotenv-17.2.2.tgz",
+			"integrity": "sha512-Sf2LSQP+bOlhKWWyhFsn0UsfdK/kCWRv1iuA2gXAwt3dyNabr6QSj00I2V10pidqz69soatm9ZwZvpQMTIOd5Q==",
+			"license": "BSD-2-Clause",
+			"engines": {
+				"node": ">=12"
+			},
+			"funding": {
+				"url": "https://dotenvx.com"
+			}
+		},
 		"node_modules/dunder-proto": {
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",

package.json

@@ -43,6 +43,7 @@
 		"@1password/op-js": "^0.1.11",
 		"@actions/core": "^1.10.1",
 		"@actions/exec": "^1.1.1",
+		"dotenv": "^17.2.2",
 		"op-cli-installer": "github:1Password/op-cli-installer#e6c1c758bc3339e5fe9b06255728039f688f73fa"
 	},
 	"devDependencies": {

src/constants.ts

@@ -2,5 +2,6 @@ export const envConnectHost = "OP_CONNECT_HOST";
 export const envConnectToken = "OP_CONNECT_TOKEN";
 export const envServiceAccountToken = "OP_SERVICE_ACCOUNT_TOKEN";
 export const envManagedVariables = "OP_MANAGED_VARIABLES";
+export const envFilePath = "OP_ENV_FILE";
 
 export const authErr = `Authentication error with environment variables: you must set either 1) ${envServiceAccountToken}, or 2) both ${envConnectHost} and ${envConnectToken}.`;

src/index.ts

@@ -1,7 +1,9 @@
 import * as core from "@actions/core";
 import { validateCli } from "@1password/op-js";
 import { installCliOnGithubActionRunner } from "op-cli-installer";
+import dotenv from "dotenv";
 import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
+import { envFilePath } from "./constants";
 
 const loadSecretsAction = async () => {
 	try {
@@ -17,6 +19,13 @@ const loadSecretsAction = async () => {
 		// Validate that a proper authentication configuration is set for the CLI
 		validateAuth();
 
+		// Set environment variables from OP_ENV_FILE
+		const file = process.env[envFilePath];
+		if (file) {
+			core.info(`Loading environment variables from file: ${file}`);
+			dotenv.config({ path: file });
+		}
+
 		// Download and install the CLI
 		await installCLI();
 

tests/.env.tpl

@@ -0,0 +1,3 @@
+FILE_SECRET=op://acceptance-tests/test-secret/password
+FILE_SECRET_IN_SECTION=op://acceptance-tests/test-secret/test-section/password
+FILE_MULTILINE_SECRET=op://acceptance-tests/multiline-secret/notesPlain

tests/assert-env-set.sh

@@ -9,11 +9,8 @@ assert_env_equals() {
   fi
 }
 
-assert_env_equals "SECRET" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
-
-assert_env_equals "SECRET_IN_SECTION" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
-
-assert_env_equals "MULTILINE_SECRET" "$(cat << EOF
+readonly SECRET="RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
+MULTILINE_SECRET="$(cat << EOF
 -----BEGIN PRIVATE KEY-----
 RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLApXaGls
 ZSB3ZSBkZWVwbHkgYXBwcmVjaWF0ZSB5b3VyIHZp
@@ -28,3 +25,13 @@ IApTbyBwbGVhc2UgZG9uJ3QgcmVwb3J0IGl0IQo=
 -----END PRIVATE KEY-----
 EOF
 )"
+readonly MULTILINE_SECRET
+
+assert_env_equals "SECRET" "${SECRET}"
+assert_env_equals "FILE_SECRET" "${SECRET}"
+
+assert_env_equals "SECRET_IN_SECTION" "${SECRET}"
+assert_env_equals "FILE_SECRET_IN_SECTION" "${SECRET}"
+
+assert_env_equals "MULTILINE_SECRET" "${MULTILINE_SECRET}"
+assert_env_equals "FILE_MULTILINE_SECRET" "${MULTILINE_SECRET}"

tests/assert-env-unset.sh

@@ -10,5 +10,10 @@ assert_env_unset() {
 }
 
 assert_env_unset "SECRET"
+assert_env_unset "FILE_SECRET"
+
 assert_env_unset "SECRET_IN_SECTION"
+assert_env_unset "FILE_SECRET_IN_SECTION"
+
 assert_env_unset "MULTILINE_SECRET"
+assert_env_unset "FILE_MULTILINE_SECRET"