From 860c5ff00e429b35c5d7adc1c93aee197b44f9f1 Mon Sep 17 00:00:00 2001
From: Floris van der Grinten
Date: Wed, 26 May 2021 13:13:03 +0200
Subject: [PATCH] Remove use of undocumented API in unset mechanism

---
 .github/workflows/test.yml | 3 +++
 entrypoint.sh | 27 +++++++++++++++++----------
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a5f7e71..27f8794 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,6 +22,9 @@ jobs:
         env:
           SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
           SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/test-section/password
+      - name: Load multiline secret
+        uses: ./ # 1password/load-secrets-action@
+        env:
           MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
       - name: Print environment variables with masked secrets
         run: printenv
diff --git a/entrypoint.sh b/entrypoint.sh
index 66b4d81..ca4c538 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,22 +2,20 @@
 # shellcheck disable=SC2046,SC2001,SC2086
 set -e
-managed_by_statement="Managed by 1Password"
-
 if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
   echo "\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST must be set"
   exit 1
 fi
+managed_variables_var="OP_MANAGED_VARIABLES"
+IFS=',' read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
+
 # Unset all secrets managed by 1Password if `unset-previous` is set.
 if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
   echo "Unsetting previous values..."
-  # Iterate over 'Managed by 1Password' comments in environment.
-  printenv | grep "$managed_by_statement" | while read -r comment; do
-    # Extract env var name and heredoc identifier from comment.
-    env_var=$(echo "$comment" | sed -e "s/.*$managed_by_statement: \(.*\)=.*/\1/")
-
+  # Find environment variables that are managed by 1Password.
+  for env_var in "${managed_variables[@]}"; do
     echo "Unsetting $env_var"
     unset $env_var
@@ -25,11 +23,14 @@ if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
     # Keep the masks, just in case.
   done
+
+  managed_variables=()
 fi
 # Iterate over environment varables to find 1Password references, load the secret values,
 # and make them available as environment variables in the next steps.
-printenv | grep "=op://" | grep -v "^#" | while read -r possible_ref; do
+IFS=$'\n'
+for possible_ref in $(printenv | grep "=op://" | grep -v "^#"); do
   env_var=$(echo "$possible_ref" | cut -d '=' -f1)
   ref=$(printenv $env_var)
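Review bot: `unset $env_var` now takes its names from OP_MANAGED_VARIABLES, a plain environment variable that any earlier step in the job (not only a previous run of this action) can write, and each entry reaches `unset` neither validated nor quoted. An entry that is not a shell identifier would make `unset` fail and, with `set -e` in effect, abort the whole action, while word-splitting on the unquoted name lets one list entry expand into several `unset` arguments. Guard each entry before unsetting, e.g. `[[ "$env_var" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue` followed by `unset -v "$env_var"`. The line that reads the list also deserves a comment noting that `printenv` exits non-zero when the variable is absent and that this is harmless only because the status is swallowed inside the here-string and `read` still sees an empty line. The `for` loop body continues past the end of this hunk.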
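Review bot: The replacement `for possible_ref in $(printenv | grep "=op://" | grep -v "^#")` is still subject to pathname expansion, because the script sets `IFS=$'\n'` but never `set -f`, so a `KEY=op://...` line whose text contains `*`, `?` or `[` can be rewritten by a matching filename in the working directory before it is parsed; the newline-only IFS also now stays in effect for every command in the loop body, not just for the split. Presumably the pipeline was dropped so that the `managed_variables+=(...)` append survives the loop (a `while` stage in a pipeline runs in a subshell); process substitution gives that without either side effect: `while IFS= read -r possible_ref; do` ... `done < <(printenv | grep "=op://" | grep -v "^#")`, after which the `IFS=$'\n'` and later `unset IFS` lines are no longer needed. The loop body continues past the end of this hunk.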
@@ -104,11 +105,17 @@ printenv | grep "=op://" | grep -v "^#" | while read -r possible_ref; do
   random_heredoc_identifier=$(openssl rand -hex 16)
   {
-    # Add 'Managed by 1Password' comment, so in a later step it the secret can be unset again.
-    echo "# $managed_by_statement: $env_var=$ref"
     # Populate env var, using heredoc syntax with generated identifier
     echo "$env_var<<${random_heredoc_identifier}"
     echo "$secret_value"
     echo "${random_heredoc_identifier}"
   } >> $GITHUB_ENV
+
+  managed_variables+=("$env_var")
 done
+unset IFS
+
+# Add extra env var that lists which secrets are managed by 1Password so that in a later step
+# these can be unset again.
+managed_variables_str=$(IFS=','; echo "${managed_variables[*]}")
+echo "$managed_variables_var=$managed_variables_str" >> $GITHUB_ENV
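Review bot: `managed_variables+=("$env_var")` appends without a membership check, and because the list read back from OP_MANAGED_VARIABLES at the top of the script is carried forward whenever `unset-previous` is not set, every run that loads the same reference again adds the same name once more; the duplicate `unset` calls are harmless, but the list grows on every invocation in a long job. A one-line guard using the same join idiom as the final write avoids it: `[[ ",$(IFS=','; echo "${managed_variables[*]}")," == *",$env_var,"* ]] || managed_variables+=("$env_var")`. The comment above the final `echo` should also state the contract the next run relies on, e.g. `# Comma-separated list of variable names (shell identifiers, so no escaping is needed); written even when empty so a stale list from an earlier run is cleared.` The loop whose `done` closes here starts outside this hunk.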