Merge branch 'main' into vzt/prepare-relese-v3.1.0

# Conflicts:
#	.github/workflows/ok-to-test.yml
#	.gitignore
#	dist/index.js
#	package-lock.json
#	package.json
#	src/index.ts

.github/workflows/e2e-tests.yml

@@ -0,0 +1,160 @@
+name: E2E Tests
+
+on:
+  # For local testing with: act push -W .github/workflows/e2e-tests.yml
+  push:
+    branches-ignore:
+      - "**" # Never runs on GitHub, only locally with act
+
+  # For test.yml to call this workflow
+  workflow_call:
+    secrets:
+      OP_CONNECT_CREDENTIALS:
+        required: true
+      OP_CONNECT_TOKEN:
+        required: true
+      OP_SERVICE_ACCOUNT_TOKEN:
+        required: true
+      VAULT:
+        description: "1Password vault name or UUID"
+        required: true
+
+jobs:
+  test-service-account:
+    name: Service Account (${{ matrix.os }}, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: true
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        version: [latest, 2.30.0]
+        export-env: [true, false]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Generate .env.tpl
+        shell: bash
+        run: |
+          echo "FILE_SECRET=op://${{ secrets.VAULT }}/test-secret/password" > tests/.env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT }}/test-secret/test-section/password" >> tests/.env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT }}/multiline-secret/notesPlain" >> tests/.env.tpl
+
+      - name: Configure Service account
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+
+      - name: Load secrets
+        id: load_secrets
+        uses: ./
+        with:
+          version: ${{ matrix.version }}
+          export-env: ${{ matrix.export-env }}
+        env:
+          SECRET: op://${{ secrets.VAULT }}/test-secret/password
+          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
+          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
+          OP_ENV_FILE: ./tests/.env.tpl
+
+      - name: Assert test secret values [step output]
+        if: ${{ !matrix.export-env }}
+        shell: bash
+        env:
+          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
+          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
+          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
+        run: ./tests/assert-env-set.sh
+
+      - name: Assert test secret values [exported env]
+        if: ${{ matrix.export-env }}
+        shell: bash
+        run: ./tests/assert-env-set.sh
+
+      - name: Remove secrets [exported env]
+        if: ${{ matrix.export-env }}
+        uses: ./
+        with:
+          unset-previous: true
+
+      - name: Assert removed secrets [exported env]
+        if: ${{ matrix.export-env }}
+        shell: bash
+        run: ./tests/assert-env-unset.sh
+
+  test-connect:
+    name: Connect (ubuntu-latest, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        version: [latest, 2.30.0]
+        export-env: [true, false]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Generate .env.tpl
+        run: |
+          mkdir -p tests
+          echo "FILE_SECRET=op://${{ secrets.VAULT }}/test-secret/password" > tests/.env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT }}/test-secret/test-section/password" >> tests/.env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT }}/multiline-secret/notesPlain" >> tests/.env.tpl
+
+      - name: Launch 1Password Connect instance
+        env:
+          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+        run: |
+          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
+          docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+
+      - name: Configure 1Password Connect
+        uses: ./configure
+        with:
+          connect-host: http://localhost:8080
+          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+
+      - name: Load secrets
+        id: load_secrets
+        uses: ./
+        with:
+          version: ${{ matrix.version }}
+          export-env: ${{ matrix.export-env }}
+        env:
+          SECRET: op://${{ secrets.VAULT }}/test-secret/password
+          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
+          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
+          OP_ENV_FILE: ./tests/.env.tpl
+
+      - name: Assert test secret values [step output]
+        if: ${{ !matrix.export-env }}
+        env:
+          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
+          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
+          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
+        run: ./tests/assert-env-set.sh
+
+      - name: Assert test secret values [exported env]
+        if: ${{ matrix.export-env }}
+        run: ./tests/assert-env-set.sh
+
+      - name: Remove secrets [exported env]
+        if: ${{ matrix.export-env }}
+        uses: ./
+        with:
+          unset-previous: true
+
+      - name: Assert removed secrets [exported env]
+        if: ${{ matrix.export-env }}
+        run: ./tests/assert-env-unset.sh

.github/workflows/lint-and-test.yml

@@ -0,0 +1,36 @@
+name: Lint and Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@2.0.0
+        with:
+          ignore_paths: >-
+            .husky
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Check formatting
+        run: npm run format:check
+
+      - name: Check lint
+        run: npm run lint
+
+      - name: Run unit tests
+        run: npm test

.github/workflows/ok-to-test.yml

@@ -1,4 +1,4 @@
-# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event
+# Write comments "/ok-to-test sha=<hash>" on a pull request. This will emit a repository_dispatch event.
 name: Ok To Test
 
 on:
@@ -15,7 +15,7 @@ jobs:
     if: ${{ github.event.issue.pull_request }}
     steps:
       - name: Slash Command Dispatch
-        uses: peter-evans/slash-command-dispatch@v3
+        uses: peter-evans/slash-command-dispatch@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test-e2e.yml

@@ -0,0 +1,114 @@
+name: E2E Tests
+
+on:
+  push:
+    branches: [main]
+    paths-ignore: &ignore_paths
+      - "docs/**"
+      - "config/**"
+      - "*.md"
+      - ".gitignore"
+      - "LICENSE"
+  pull_request:
+    paths-ignore: *ignore_paths
+  repository_dispatch:
+    types: [ok-to-test-command]
+
+concurrency:
+  group: >-
+    ${{ github.event_name == 'pull_request' &&
+          format('e2e-{0}', github.event.pull_request.head.ref) ||
+          format('e2e-{0}', github.ref) }}
+  cancel-in-progress: true
+
+jobs:
+  check-external-pr:
+    runs-on: ubuntu-latest
+    outputs:
+      condition: ${{ steps.check.outputs.condition }}
+    steps:
+      - name: Check if PR is from external contributor
+        id: check
+        run: |
+          echo "Event name: ${{ github.event_name }}"
+          echo "Repository: ${{ github.repository }}"
+
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            # For pull_request events, check if PR is from external fork
+            echo "PR head repo: ${{ github.event.pull_request.head.repo.full_name }}"
+            if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
+              echo "condition=skip" >> $GITHUB_OUTPUT
+              echo "Setting condition=skip (Dependabot PR)"
+            elif [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+              echo "condition=skip" >> $GITHUB_OUTPUT
+              echo "Setting condition=skip (external fork PR creation)"
+            else
+              echo "condition=pr-creation-maintainer" >> $GITHUB_OUTPUT
+              echo "Setting condition=pr-creation-maintainer (internal PR creation)"
+            fi
+          elif [ "${{ github.event_name }}" == "repository_dispatch" ]; then
+            # For repository_dispatch events (ok-to-test), check if sha matches
+            SHA_PARAM="${{ github.event.client_payload.slash_command.args.named.sha }}"
+            PR_HEAD_SHA="${{ github.event.client_payload.pull_request.head.sha }}"
+
+            echo "Checking dispatch event conditions..."
+            echo "SHA from command: $SHA_PARAM"
+            echo "PR head SHA: $PR_HEAD_SHA"
+
+            if [ -n "$SHA_PARAM" ] && [[ "$PR_HEAD_SHA" == *"$SHA_PARAM"* ]]; then
+              echo "condition=dispatch-event" >> $GITHUB_OUTPUT
+              echo "Setting condition=dispatch-event (sha matches)"
+            else
+              echo "condition=skip" >> $GITHUB_OUTPUT
+              echo "Setting condition=skip (sha does not match or empty)"
+            fi
+          elif [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref_name }}" == "main" ]; then
+            echo "condition=push-to-main" >> $GITHUB_OUTPUT
+            echo "Setting condition=push-to-main (push to main)"
+          else
+            # Unknown event type
+            echo "condition=skip" >> $GITHUB_OUTPUT
+            echo "Setting condition=skip (unknown event type: ${{ github.event_name }})"
+          fi
+
+  e2e:
+    needs: check-external-pr
+    if: |
+      (needs.check-external-pr.outputs.condition == 'pr-creation-maintainer')
+      ||
+      (needs.check-external-pr.outputs.condition == 'dispatch-event')
+      ||
+      needs.check-external-pr.outputs.condition == 'push-to-main'
+    uses: ./.github/workflows/e2e-tests.yml
+    secrets:
+      OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+      OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
+      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      VAULT: ${{ secrets.VAULT }}
+
+  # Post comment on fork PRs after /ok-to-test
+  comment-pr:
+    needs: [check-external-pr, e2e]
+    runs-on: ubuntu-latest
+    if: always() && needs.check-external-pr.outputs.condition == 'dispatch-event'
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Create URL to the run output
+        id: vars
+        run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
+
+      - name: Create comment on PR
+        uses: peter-evans/create-or-update-comment@v5
+        with:
+          issue-number: ${{ github.event.client_payload.pull_request.number }}
+          body: |
+            ${{
+                needs.e2e.result == 'success' && '✅ E2E tests passed.' ||
+                needs.e2e.result == 'failure' && '❌ E2E tests failed.' ||
+                '⚠️ E2E tests completed.'
+            }}
+
+            [View test run output][1]
+
+            [1]: ${{ steps.vars.outputs.run-url }}