Release 1.3.2

Fix dependabot vulnerability

.github/workflows/test.yml

@@ -5,8 +5,8 @@ jobs:
   test-with-output-secrets:
     strategy:
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ubuntu-latest, macos-latest]
-        auth: [ connect, service-account ]
+        auth: [connect, service-account]
         exclude:
           - os: macos-latest
             auth: connect
@@ -49,8 +49,8 @@ jobs:
   test-with-export-env:
     strategy:
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ubuntu-latest, macos-latest]
-        auth: [ connect, service-account ]
+        auth: [connect, service-account]
         exclude:
           - os: macos-latest
             auth: connect
@@ -93,8 +93,8 @@ jobs:
   test-references-with-ids:
     strategy:
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ubuntu-latest, macos-latest]
-        auth: [ connect, service-account ]
+        auth: [connect, service-account]
         exclude:
           - os: macos-latest
             auth: connect

README.md

@@ -1,182 +1,27 @@
-# Load Secrets from 1Password - GitHub Action
+<!-- Image sourced from https://blog.1password.com/1password-service-accounts/ -->
+<img alt="" role="img" src="https://blog.1password.com/posts/2023/1password-service-accounts/header.png"/>
 
-This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://developer.1password.com/docs/connect) or a [Service Account <sup>[BETA]</sup>](https://developer.1password.com/docs/service-accounts).
+<div align="center">
+  <h1>Load Secrets from 1Password - GitHub Action</h1>
+  <p>Provide the secrets your GitHub runner needs from 1Password.</p>
+  <a href="https://developer.1password.com/docs/ci-cd/github-actions">
+    <img alt="Get started" src="https://user-images.githubusercontent.com/45081667/226940040-16d3684b-60f4-4d95-adb2-5757a8f1bc15.png" height="37"/>
+  </a>
+</div>
+
+---
+
+`load-secrets-action` loads secrets from 1Password into GitHub Actions using [Service Accounts](https://developer.1password.com/docs/service-accounts) or [1Password Connect](https://developer.1password.com/docs/connect).
 
 Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
 
 Read more on the [1Password Developer Portal](https://developer.1password.com/docs/ci-cd/github-actions).
 
-## Requirements
+## 🪄 See it in action!
 
-Before you get started, you'll need to:
+[![Using 1Password Service Accounts with GitHub Actions - showcase](https://img.youtube.com/vi/kVBl5iQYgSA/maxresdefault.jpg)](https://www.youtube.com/watch?v=kVBl5iQYgSA "Using 1Password Service Accounts with GitHub Actions")
 
-- [Deploy 1Password Connect](/docs/connect/get-started#step-2-deploy-1password-connect-server) in your infrastructure.
+## ✨ Quickstart
-- Set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to your Connect instance's credentials, so it'll be used to load secrets.
-
-_Supported runners_: You can run the action on Mac and Linux runners. Windows is currently not supported.
-
-## Usage
-
-You can configure the action to use your 1Password Connect instance.
-
-If you provide `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables, the Connect instance will be used to load secrets. Make sure [1Password Connect](https://support.1password.com/secrets-automation/#step-2-deploy-a-1password-connect-server) is deployed in your infrastructure.
-
-If you provide `OP_SERVICE_ACCOUNT_TOKEN` variable, the service account will be used to load secrets.
-
-**_Note_**: If all environment variables have been set, the Connect credentials will take precedence over the provided service account token. You must unset the Connect environment variables to ensure the action uses the service account token.
-
-There are two ways that secrets can be loaded:
-
-- [use the secrets from the action's ouput](#use-secrets-from-the-actions-output)
-- [export secrets as environment variables](#export-secrets-as-environment-variables)
-
-### Use secrets from the action's output
-
-This method allows for you to use the loaded secrets as an output from the step: `steps.step-id.outputs.secret-name`. You will need to set an id for the step that uses this action to be able to access its outputs. For more details, , see [`outputs.<output_id>`](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputsoutput_id).
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Load secret
-        id: op-load-secret
-        uses: 1password/load-secrets-action@v1
-        with:
-          export-env: false
-        env:
-          OP_CONNECT_HOST: <Your Connect instance URL>
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          SECRET: op://app-cicd/hello-world/secret
-
-      - name: Print masked secret
-        run: echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"
-        # Prints: Secret: ***
-```
-
-<details>
-<summary><b>Usage example with Service Accounts <sup>BETA</sup></b></summary>
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Load secret
-        id: op-load-secret
-        uses: 1password/load-secrets-action@v1
-        with:
-          export-env: false
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://app-cicd/hello-world/secret
-
-      - name: Print masked secret
-        run: echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"
-        # Prints: Secret: ***
-```
-
-</details>
-
-<details>
-<summary><b>Longer usage example</b></summary>
-
-```yml
-on: push
-name: Deploy app
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Connect URL for next steps. You can also persist
-          # the Connect token using input `connect-token`, but keep in mind that
-          # this will grant all steps of the job access to the token.
-          connect-host: https://1password.acme.com
-
-      - name: Load Docker credentials
-        id: load-docker-credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          export-env: false
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
-          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v3
-        with:
-          push: true
-          tags: acme/app:latest
-```
-
-</details>
-
-<details>
-<summary><b>Longer usage example with Service Accounts <sup>BETA</sup></b></summary>
-
-```yml
-on: push
-name: Deploy app
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Service Account token. This will grant
-          # all steps of the job access to the token.
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-
-      - name: Load Docker credentials
-        id: load-docker-credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          export-env: false
-        env:
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
-          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v3
-        with:
-          push: true
-          tags: acme/app:latest
-```
-
-</details>
-
-### Export secrets as environment variables
-
-This method, allows the action to access the loaded secrets as environment variables. These environment variables are accessible at a job level.
 
 ```yml
 on: push
@@ -196,242 +41,20 @@ jobs:
           SECRET: op://app-cicd/hello-world/secret
 
       - name: Print masked secret
-        run: echo "Secret: $SECRET"
+        run: 'echo "Secret: $SECRET"'
         # Prints: Secret: ***
 ```
 
-<details>
+## 💙 Community & Support
-<summary><b>Usage example with Service Accounts <sup>BETA</sup></b></summary>
 
-```yml
+- File an [issue](https://github.com/1Password/load-secrets-action/issues) for bugs and feature requests.
-on: push
+- Join the [Developer Slack workspace](https://join.slack.com/t/1password-devs/shared_invite/zt-1halo11ps-6o9pEv96xZ3LtX_VE0fJQA).
-jobs:
+- Subscribe to the [Developer Newsletter](https://1password.com/dev-subscribe/).
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
 
-      - name: Load secret
+## 🔐 Security
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          OP_CONNECT_HOST: <Your Connect instance URL>
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          SECRET: op://app-cicd/hello-world/secret
-
-      - name: Print masked secret
-        run: echo "Secret: $SECRET"
-        # Prints: Secret: ***
-```
-
-</details>
-
-<details>
-<summary><b>Longer usage example</b></summary>
-
-```yml
-on: push
-name: Deploy app
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Connect URL for next steps. You can also persist
-          # the Connect token using input `connect-token`, but keep in mind that
-          # this will grant all steps of the job access to the token.
-          connect-host: https://1password.acme.com
-
-      - name: Load Docker credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ env.DOCKERHUB_USERNAME }}
-          password: ${{ env.DOCKERHUB_TOKEN }}
-
-      - name: Print environment variables with masked secrets
-        run: printenv
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v3
-        with:
-          push: true
-          tags: acme/app:latest
-
-      - name: Load AWS credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-          # Remove local copies of the Docker credentials, which aren't needed anymore
-          unset-previous: true
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
-          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
-
-      - name: Deploy app
-        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set.
-        # This happened using secret references in the preceding lines.
-        run: ./deploy.sh
-```
-
-</details>
-
-<details>
-<summary><b>Longer usage example with Service Accounts <sup>BETA</sup></b></summary>
-
-```yml
-on: push
-name: Deploy app
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Service Account token. This will grant
-          # all steps of the job access to the token.
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-
-      - name: Load Docker credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ env.DOCKERHUB_USERNAME }}
-          password: ${{ env.DOCKERHUB_TOKEN }}
-
-      - name: Print environment variables with masked secrets
-        run: printenv
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v3
-        with:
-          push: true
-          tags: acme/app:latest
-
-      - name: Load AWS credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-          # Remove local copies of the Docker credentials, which aren't needed anymore
-          unset-previous: true
-        env:
-          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
-          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
-
-      - name: Deploy app
-        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set.
-        # This happened using secret references in the preceding lines.
-        run: ./deploy.sh
-```
-
-</details>
-
-## Action Inputs
-
-| Name             | Default | Description                                                                        |
-| ---------------- | ------- | ---------------------------------------------------------------------------------- |
-| `export-env`     | `true`  | Export the loaded secrets as environment variables                                 |
-| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps |
-
-## Secrets Reference Syntax
-
-To specify which secret should be loaded into which environment variable, the action will look for `op://` reference URIs in environment variables, and replace those with the actual secret values.
-
-These reference URIs have the following syntax:
-
-> `op://<vault>/<item>[/<section>]/<field>`
-
-So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be interpreted as:
-
-- **Vault:** `app-cicd`
-- **Item:** `aws`
-- **Section:** default section
-- **Field:** `secret-access-key`
-
-## Masking
-
-Similar to regular GitHub repository secrets, fields from 1Password will automatically be masked from the GitHub Actions logs too.
-So if one of these values accidentally gets printed, it'll get replaced with `***`.
-
-## 1Password Configuration
-
-To use the action with Connect, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere.
-To configure the action with your Connect host and token, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables.
-
-To configure the action with your service account token <sup>BETA</sup>, set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable.
-
-If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration:
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          connect-host: <Your Connect instance URL>
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secret
-        uses: 1password/load-secrets-action@v1
-        env:
-          SECRET: op://app-cicd/hello-world/secret
-```
-
-### `configure` Action Inputs
-
-| Name                    | Environment variable       | Description                                              |
-| ----------------------- | -------------------------- | -------------------------------------------------------- |
-| `connect-host`          | `OP_CONNECT_HOST`          | Your 1Password Connect instance URL                      |
-| `connect-token`         | `OP_CONNECT_TOKEN`         | Token to authenticate to your 1Password Connect instance |
-| `service-account-token` | `OP_SERVICE_ACCOUNT_TOKEN` | Your 1Password service account token                     |
-
-## Supported Runners
-
-You can run the action on Linux and macOS runners. Windows is currently not supported.
-
-## Security
 
 1Password requests you practice responsible disclosure if you discover a vulnerability.
 
-Please file requests through [BugCrowd](https://bugcrowd.com/agilebits).
+Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits).
 
-For information about our security practices, visit the [1Password Security homepage](https://1password.com/security).
+For information about security practices, please visit the [1Password Bug Bounty Program](https://bugcrowd.com/agilebits).
-
-## Getting help
-
-If you find yourself stuck, visit our [**Support Page**](https://support.1password.com/) for help.

entrypoint.sh

@@ -39,6 +39,7 @@ unset_prev_secrets() {
 
 # Install op-cli
 install_op_cli() {
+  # Create a temporary directory where the CLI is installed
   OP_INSTALL_DIR="$(mktemp -d)"
   if [[ ! -d "$OP_INSTALL_DIR" ]]; then
     echo "Install dir $OP_INSTALL_DIR not found"
@@ -46,14 +47,36 @@ install_op_cli() {
   fi
   export OP_INSTALL_DIR
   echo "::debug::OP_INSTALL_DIR: ${OP_INSTALL_DIR}"
+
+  # Get the latest stable version of the CLI
+  OP_CLI_VERSION="v$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')"
+
   if [[ "$OSTYPE" == "linux-gnu"* ]]; then
-    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_linux_amd64_v2.10.0-beta.02.zip"
+    # Get runner's architecture
+    ARCH=$(uname -m)
+    if [[ "$(getconf LONG_BIT)" = 32 ]]; then
+      ARCH="386"
+    elif [[ "$ARCH" == "x86_64" ]]; then
+      ARCH="amd64"
+    elif [[ "$ARCH" == "aarch64" ]]; then
+      ARCH="arm64"
+    fi
+
+    if [[ "$ARCH" != "386" ]] && [[ "$ARCH" != "amd64" ]] && [[ "$ARCH" != "arm" ]] && [[ "$ARCH" != "arm64" ]]; then
+      echo "Unsupported architecture for the 1Password CLI: $ARCH."
+      exit 1
+    fi
+
+    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/${OP_CLI_VERSION}/op_linux_${ARCH}_${OP_CLI_VERSION}.zip"
     unzip -od "$OP_INSTALL_DIR" op.zip && rm op.zip
   elif [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_apple_universal_v2.10.0-beta.02.pkg"
+    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/${OP_CLI_VERSION}/op_apple_universal_${OP_CLI_VERSION}.pkg"
     pkgutil --expand op.pkg temp-pkg
     tar -xvf temp-pkg/op.pkg/Payload -C "$OP_INSTALL_DIR"
     rm -rf temp-pkg && rm op.pkg
+  else
+    echo "Operating system not supported yet for this GitHub Action: $OSTYPE."
+    exit 1
   fi
 }
 
@@ -88,25 +111,28 @@ populating_secret() {
   done
   unset IFS
 
-  if [ "$INPUT_EXPORT_ENV" == "true" ]; then
+  # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
-    # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
+  # As the heredoc identifier, we'll use a randomly generated 64-character string,
-    # As the heredoc identifier, we'll use a randomly generated 64-character string,
+  # so that collisions are practically impossible.
-    # so that collisions are practically impossible.
+  # Read more: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings
-    random_heredoc_identifier=$(openssl rand -hex 32)
+  delimiter="$(openssl rand -hex 32)"
 
+  if [ "$INPUT_EXPORT_ENV" == "true" ]; then
     {
       # Populate env var, using heredoc syntax with generated identifier
-      echo "$env_var<<${random_heredoc_identifier}"
+      echo "$env_var<<${delimiter}"
       echo "$secret_value"
-      echo "${random_heredoc_identifier}"
+      echo "${delimiter}"
     } >> $GITHUB_ENV
     echo "GITHUB_ENV: $(cat $GITHUB_ENV)"
 
   else
-    # Prepare the secret_value to be outputed properly (especially multiline secrets)
+    {
-    secret_value=$(echo "$secret_value" | awk -v ORS='%0A' '1')
+      # Populate env var, using heredoc syntax with generated identifier
-
+      echo "$env_var<<${delimiter}"
-    echo "::set-output name=$env_var::$secret_value"
+      echo "$secret_value"
+      echo "${delimiter}"
+    } >> $GITHUB_OUTPUT
   fi
 
   managed_variables+=("$env_var")

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "load-secrets-action",
-	"version": "1.2.0",
+	"version": "1.3.2",
 	"description": "Load Secrets from 1Password",
 	"type": "module",
 	"main": "dist/index.js",
@@ -39,18 +39,18 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
-		"@actions/core": "^1.10.0",
+		"@actions/core": "^1.10.1",
 		"@actions/exec": "^1.1.1"
 	},
 	"devDependencies": {
 		"@1password/front-end-style": "^6.0.1",
-		"@types/jest": "^29.5.0",
+		"@types/jest": "^29.5.6",
-		"@types/node": "^18.15.10",
+		"@types/node": "^18.18.6",
 		"@vercel/ncc": "^0.36.1",
 		"husky": "^8.0.3",
-		"jest": "^29.5.0",
+		"jest": "^29.7.0",
-		"lint-staged": "^13.2.0",
+		"lint-staged": "^13.3.0",
-		"ts-jest": "^29.0.5",
+		"ts-jest": "^29.1.1",
 		"typescript": "^4.9.5"
 	},
 	"eslintConfig": {