Use alpha 5 version

As ncc uses commonjs bundle type and we import `install-cli-action` which is also commonjs, we should not set `type: module` in the package.json so it doesn't break the load-secrets-action bundle. Therefore, we can safely remove it at all.

Revert package.json

.github/workflows/acceptance-test.yml

@@ -0,0 +1,118 @@
+name: Acceptance test
+
+on:
+  workflow_call:
+    inputs:
+      secret:
+        required: true
+        type: string
+      secret-in-section:
+        required: true
+        type: string
+      multiline-secret:
+        required: true
+        type: string
+      export-env:
+        required: true
+        type: boolean
+      version:
+        required: false
+        type: string
+        default: "latest"
+      os:
+        required: true
+        type: string
+        default: "ubuntu-latest"
+      auth:
+        required: true
+        type: string
+
+jobs:
+  acceptance-test:
+    runs-on: ${{ inputs.os }}
+    steps:
+      - name: Base checkout
+        uses: actions/checkout@v4
+        if: |
+          github.event_name != 'repository_dispatch' &&
+          (
+            github.ref == 'refs/heads/main' || 
+            (
+              github.event_name == 'pull_request' && 
+              github.event.pull_request.head.repo.full_name == github.repository
+            )
+          )
+      - name: Fork based /ok-to-test checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.client_payload.pull_request.head.sha }}
+        if: |
+          github.event_name == 'repository_dispatch' &&
+          github.event.client_payload.slash_command.args.named.sha != '' &&
+          contains(
+            github.event.client_payload.pull_request.head.sha,
+            github.event.client_payload.slash_command.args.named.sha
+          )
+      - name: Launch 1Password Connect instance
+        if: ${{ inputs.auth == 'connect' }}
+        env:
+          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+        run: |
+          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
+          docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ inputs.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Verify Service Account env var is set
+        if: ${{ inputs.auth == 'service-account' }}
+        shell: bash
+        run: |
+          if [ -z "${OP_SERVICE_ACCOUNT_TOKEN}" ]; then
+            echo "OP_SERVICE_ACCOUNT_TOKEN environment variable is not set" >&2
+            exit 1
+          fi
+      - name: Configure 1Password Connect
+        if: ${{ inputs.auth == 'connect' }}
+        uses: ./configure # 1password/load-secrets-action/configure@<version>
+        with:
+          connect-host: http://localhost:8080
+          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+      - name: Verify Connect env vars are set
+        if: ${{ inputs.auth == 'connect' }}
+        run: |
+          if [ -z "$OP_CONNECT_HOST" ] || [ -z "$OP_CONNECT_TOKEN" ]; then
+            echo "OP_CONNECT_HOST or OP_CONNECT_TOKEN environment variables are not set" >&2
+            exit 1
+          fi
+      - name: Load secrets
+        id: load_secrets
+        uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          version: ${{ inputs.version }}
+          export-env: ${{ inputs.export-env }}
+        env:
+          SECRET: ${{ inputs.secret }}
+          SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
+          MULTILINE_SECRET: ${{ inputs.multiline-secret }}
+      - name: Verify installed op cli version
+        run: ./tests/assert-cli-version.sh ${{ inputs.version }}
+      - name: Assert test secret values [step output]
+        if: ${{ !inputs.export-env }}
+        env:
+          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+        run: ./tests/assert-env-set.sh
+      - name: Assert test secret values [exported env]
+        if: ${{ inputs.export-env }}
+        run: ./tests/assert-env-set.sh
+      - name: Remove secrets [exported env]
+        if: ${{ inputs.export-env }}
+        uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          unset-previous: true
+      - name: Assert removed secrets [exported env]
+        if: ${{ inputs.export-env }}
+        run: ./tests/assert-env-unset.sh

.github/workflows/lint.yml

@@ -1,4 +1,7 @@
-on: pull_request
+on:
+  push:
+    branches: [main]
+  pull_request:
 name: Lint
 
 jobs:
@@ -11,3 +14,16 @@ jobs:
         with:
           ignore_paths: >-
             .husky
+      - name: Setup Node.js
+        id: setup-node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+      - name: Install Dependencies
+        id: install
+        run: npm ci
+      - name: Check formatting
+        run: npm run format:check
+      - name: Check lint
+        run: npm run lint

.github/workflows/ok-to-test.yml

@@ -0,0 +1,25 @@
+# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event
+name: Ok To Test
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  ok-to-test:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # For adding reactions to the pull request comments
+      contents: write # For executing the repository_dispatch event
+    # Only run for PRs, not issue comments
+    if: ${{ github.event.issue.pull_request }}
+    steps:
+      - name: Slash Command Dispatch
+        uses: peter-evans/slash-command-dispatch@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          reaction-token: ${{ secrets.GITHUB_TOKEN }}
+          issue-type: pull-request
+          commands: ok-to-test
+          # The repository permission level required by the user to dispatch commands. Only allows 1Password collaborators to run this.
+          permission: write

.github/workflows/pr-check-signed-commits.yml

@@ -0,0 +1,13 @@
+name: Check signed commits in PR
+on: pull_request_target
+
+jobs:
+  build:
+    name: Check signed commits in PR
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check signed commits in PR
+        uses: 1Password/check-signed-commits-action@v1

.github/workflows/test-fork.yml

@@ -0,0 +1,92 @@
+on:
+  repository_dispatch:
+    types: [ok-to-test-command]
+name: Run acceptance tests [fork]
+
+jobs:
+  test-with-output-secrets:
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: false
+  test-with-export-env:
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: true
+  test-references-with-ids:
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
+      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
+      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
+      export-env: false
+  update-checks:
+    # required permissions for updating the status of the pull request checks
+    permissions:
+      pull-requests: write
+      checks: write
+    runs-on: ubuntu-latest
+    if: ${{ always() }}
+    strategy:
+      matrix:
+        job-name:
+          [
+            test-with-output-secrets,
+            test-with-export-env,
+            test-references-with-ids,
+          ]
+    needs:
+      [test-with-output-secrets, test-with-export-env, test-references-with-ids]
+    steps:
+      - uses: actions/github-script@v6
+        env:
+          job: ${{ matrix.job-name }}
+          ref: ${{ github.event.client_payload.pull_request.head.sha }}
+          conclusion: ${{ needs[format('{0}', matrix.job-name )].result }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { data: checks } = await github.rest.checks.listForRef({
+              ...context.repo,
+              ref: process.env.ref
+            });
+
+            const check = checks.check_runs.filter(c => c.name === process.env.job);
+
+            const { data: result } = await github.rest.checks.update({
+              ...context.repo,
+              check_run_id: check[0].id,
+              status: 'completed',
+              conclusion: process.env.conclusion
+            });
+
+            return result;

.github/workflows/test.yml

@@ -1,136 +1,100 @@
-on: push
+on:
+  push:
+    branches: [main]
+  pull_request:
 name: Run acceptance tests
 
 jobs:
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      - run: npm ci
+      - run: npm test
+
   test-with-output-secrets:
+    if: |
+      github.ref == 'refs/heads/main' ||
+      (
+        github.event_name == 'pull_request' && 
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
+    secrets: inherit
     strategy:
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
         auth: [ connect, service-account ]
         exclude:
           - os: macos-latest
             auth: connect
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Launch 1Password Connect instance
-        if: ${{ matrix.auth == 'connect' }}
-        env:
-          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
-        run: |
-          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
-      - name: Configure Service account
-        if: ${{ matrix.auth == 'service-account' }}
-        uses: ./configure
-        with:
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      - name: Configure 1Password Connect
-        if: ${{ matrix.auth == 'connect' }}
-        uses: ./configure # 1password/load-secrets-action/configure@<version>
-        with:
-          connect-host: localhost:8080
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
+          - os: windows-latest
+            auth: connect
     with:
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      auth: ${{ matrix.auth }}
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
       export-env: false
-        env:
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh
+
   test-with-export-env:
+    if: |
+      github.ref == 'refs/heads/main' ||
+      (
+        github.event_name == 'pull_request' && 
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
+    secrets: inherit
     strategy:
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
         auth: [ connect, service-account ]
         exclude:
           - os: macos-latest
             auth: connect
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Launch 1Password Connect instance
-        if: ${{ matrix.auth == 'connect' }}
-        env:
-          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
-        run: |
-          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
-      - name: Configure Service account
-        if: ${{ matrix.auth == 'service-account' }}
-        uses: ./configure
+          - os: windows-latest
+            auth: connect
     with:
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      - name: Configure 1Password Connect
-        if: ${{ matrix.auth == 'connect' }}
-        uses: ./configure # 1password/load-secrets-action/configure@<version>
-        with:
-          connect-host: http://localhost:8080
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        run: ./tests/assert-env-set.sh
-      - name: Remove secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        with:
-          unset-previous: true
-      - name: Assert removed secrets
-        run: ./tests/assert-env-unset.sh
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      auth: ${{ matrix.auth }}
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: true
+
   test-references-with-ids:
+    if: |
+      github.ref == 'refs/heads/main' ||
+      (
+        github.event_name == 'pull_request' && 
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
+    secrets: inherit
     strategy:
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
         auth: [ connect, service-account ]
         exclude:
           - os: macos-latest
             auth: connect
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Launch 1Password Connect instance
-        if: ${{ matrix.auth == 'connect' }}
-        env:
-          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
-        run: |
-          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
-      - name: Configure Service account
-        if: ${{ matrix.auth == 'service-account' }}
-        uses: ./configure
-        with:
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      - name: Configure 1Password Connect
-        if: ${{ matrix.auth == 'connect' }}
-        uses: ./configure # 1password/load-secrets-action/configure@<version>
-        with:
-          connect-host: http://localhost:8080
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
+          - os: windows-latest
+            auth: connect
     with:
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      auth: ${{ matrix.auth }}
+      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
+      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
+      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
       export-env: false
-        env:
-          SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
-          SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
-          MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh

CONTRIBUTING.md

@@ -0,0 +1,54 @@
+# Contributing
+
+Thank you for your interest in contributing to the 1Password load-secrets-action project 👋! Before you start, please take a moment to read through this guide to understand our contribution process.
+
+## Testing
+
+Unit tests can be run with `npm run test`.
+
+After following the steps below for signing commits, you can test against your PR with these steps:
+
+1. Create or use an existing repo to run the `load-secrets` GitHub Action.
+2. In a workflow yaml file that uses the GitHub Action, modify the `uses: 1Password/load-secrets-action` line to be
+
+   ```yaml
+   uses: 1Password/load-secrets-action@<branch-name>
+   ```
+
+   OR
+
+   ```yaml
+   uses: 1Password/load-secrets-action@<commit-hash>
+   ```
+
+3. Trigger the action, which now includes your changes.
+
+## Documentation Updates
+
+If applicable, update the [README.md](./README.md) to reflect any changes introduced by the new code.
+
+## Sign your commits
+
+To get your PR merged, we require you to sign your commits.
+
+### Sign commits with 1Password
+
+You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process.
+
+Learn how to use [1Password to sign your commits](https://developer.1password.com/docs/ssh/git-commit-signing/).
+
+### Sign commits with ssh-agent
+
+Follow the steps below to set up commit signing with `ssh-agent`:
+
+1. [Generate an SSH key and add it to ssh-agent](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent)
+2. [Add the SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)
+3. [Configure git to use your SSH key for commits signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key)
+
+### Sign commits with gpg
+
+Follow the steps below to set up commit signing with `gpg`:
+
+1. [Generate a GPG key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key)
+2. [Add the GPG key to your GitHub account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account)
+3. [Configure git to use your GPG key for commits signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-gpg-key)

README.md

@@ -1,38 +1,27 @@
-# Load Secrets from 1Password - GitHub Action
+<!-- Image sourced from https://blog.1password.com/1password-service-accounts/ -->
+<img alt="" role="img" src="https://blog.1password.com/posts/2023/1password-service-accounts/header.png"/>
 
-This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://developer.1password.com/docs/connect) or a [Service Account <sup>[BETA]</sup>](https://developer.1password.com/docs/service-accounts).
+<div align="center">
+  <h1>Load Secrets from 1Password - GitHub Action</h1>
+  <p>Provide the secrets your GitHub runner needs from 1Password.</p>
+  <a href="https://developer.1password.com/docs/ci-cd/github-actions">
+    <img alt="Get started" src="https://user-images.githubusercontent.com/45081667/226940040-16d3684b-60f4-4d95-adb2-5757a8f1bc15.png" height="37"/>
+  </a>
+</div>
+
+---
+
+`load-secrets-action` loads secrets from 1Password into GitHub Actions using [Service Accounts](https://developer.1password.com/docs/service-accounts) or [1Password Connect](https://developer.1password.com/docs/connect).
 
 Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
 
 Read more on the [1Password Developer Portal](https://developer.1password.com/docs/ci-cd/github-actions).
 
-## Requirements
+## 🪄 See it in action!
 
-Before you get started, you'll need to:
+[![Using 1Password Service Accounts with GitHub Actions - showcase](https://img.youtube.com/vi/kVBl5iQYgSA/maxresdefault.jpg)](https://www.youtube.com/watch?v=kVBl5iQYgSA "Using 1Password Service Accounts with GitHub Actions")
 
-- [Deploy 1Password Connect](/docs/connect/get-started#step-2-deploy-1password-connect-server) in your infrastructure.
-- Set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to your Connect instance's credentials, so it'll be used to load secrets.
-
-_Supported runners_: You can run the action on Mac and Linux runners. Windows is currently not supported.
-
-## Usage
-
-You can configure the action to use your 1Password Connect instance.
-
-If you provide `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables, the Connect instance will be used to load secrets. Make sure [1Password Connect](https://support.1password.com/secrets-automation/#step-2-deploy-a-1password-connect-server) is deployed in your infrastructure.
-
-If you provide `OP_SERVICE_ACCOUNT_TOKEN` variable, the service account will be used to load secrets.
-
-**_Note_**: If all environment variables have been set, the Connect credentials will take precedence over the provided service account token. You must unset the Connect environment variables to ensure the action uses the service account token.
-
-There are two ways that secrets can be loaded:
-
-- [use the secrets from the action's ouput](#use-secrets-from-the-actions-output)
-- [export secrets as environment variables](#export-secrets-as-environment-variables)
-
-### Use secrets from the action's output
-
-This method allows for you to use the loaded secrets as an output from the step: `steps.step-id.outputs.secret-name`. You will need to set an id for the step that uses this action to be able to access its outputs. For more details, , see [`outputs.<output_id>`](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputsoutput_id).
+## ✨ Quickstart
 
 ```yml
 on: push
@@ -43,151 +32,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - name: Load secret
-        id: op-load-secret
-        uses: 1password/load-secrets-action@v1
-        with:
-          export-env: false
-        env:
-          OP_CONNECT_HOST: <Your Connect instance URL>
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          SECRET: op://app-cicd/hello-world/secret
-
-      - name: Print masked secret
-        run: echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"
-        # Prints: Secret: ***
-```
-
-<details>
-<summary><b>Usage example with Service Accounts <sup>BETA</sup></b></summary>
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Load secret
-        id: op-load-secret
-        uses: 1password/load-secrets-action@v1
-        with:
-          export-env: false
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://app-cicd/hello-world/secret
-
-      - name: Print masked secret
-        run: echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"
-        # Prints: Secret: ***
-```
-
-</details>
-
-<details>
-<summary><b>Longer usage example</b></summary>
-
-```yml
-on: push
-name: Deploy app
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Connect URL for next steps. You can also persist
-          # the Connect token using input `connect-token`, but keep in mind that
-          # this will grant all steps of the job access to the token.
-          connect-host: https://1password.acme.com
-
-      - name: Load Docker credentials
-        id: load-docker-credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          export-env: false
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
-          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v3
-        with:
-          push: true
-          tags: acme/app:latest
-```
-
-</details>
-
-<details>
-<summary><b>Longer usage example with Service Accounts <sup>BETA</sup></b></summary>
-
-```yml
-on: push
-name: Deploy app
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Service Account token. This will grant
-          # all steps of the job access to the token.
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-
-      - name: Load Docker credentials
-        id: load-docker-credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          export-env: false
-        env:
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
-          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v3
-        with:
-          push: true
-          tags: acme/app:latest
-```
-
-</details>
-
-### Export secrets as environment variables
-
-This method, allows the action to access the loaded secrets as environment variables. These environment variables are accessible at a job level.
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Load secret
-        uses: 1password/load-secrets-action@v1
+        uses: 1password/load-secrets-action@v2
         with:
           # Export loaded secrets as environment variables
           export-env: true
@@ -196,273 +41,18 @@ jobs:
           SECRET: op://app-cicd/hello-world/secret
 
       - name: Print masked secret
-        run: echo "Secret: $SECRET"
+        run: 'echo "Secret: $SECRET"'
         # Prints: Secret: ***
 ```
 
-<details>
-<summary><b>Usage example with Service Accounts <sup>BETA</sup></b></summary>
+## 💙 Community & Support
 
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
+- File an [issue](https://github.com/1Password/load-secrets-action/issues) for bugs and feature requests.
+- Join the [Developer Slack workspace](https://developer.1password.com/joinslack).
+- Subscribe to the [Developer Newsletter](https://1password.com/dev-subscribe/).
 
-      - name: Load secret
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          OP_CONNECT_HOST: <Your Connect instance URL>
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          SECRET: op://app-cicd/hello-world/secret
-
-      - name: Print masked secret
-        run: echo "Secret: $SECRET"
-        # Prints: Secret: ***
-```
-
-</details>
-
-<details>
-<summary><b>Longer usage example</b></summary>
-
-```yml
-on: push
-name: Deploy app
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Connect URL for next steps. You can also persist
-          # the Connect token using input `connect-token`, but keep in mind that
-          # this will grant all steps of the job access to the token.
-          connect-host: https://1password.acme.com
-
-      - name: Load Docker credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ env.DOCKERHUB_USERNAME }}
-          password: ${{ env.DOCKERHUB_TOKEN }}
-
-      - name: Print environment variables with masked secrets
-        run: printenv
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v3
-        with:
-          push: true
-          tags: acme/app:latest
-
-      - name: Load AWS credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-          # Remove local copies of the Docker credentials, which aren't needed anymore
-          unset-previous: true
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
-          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
-
-      - name: Deploy app
-        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set.
-        # This happened using secret references in the preceding lines.
-        run: ./deploy.sh
-```
-
-</details>
-
-<details>
-<summary><b>Longer usage example with Service Accounts <sup>BETA</sup></b></summary>
-
-```yml
-on: push
-name: Deploy app
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Service Account token. This will grant
-          # all steps of the job access to the token.
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-
-      - name: Load Docker credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ env.DOCKERHUB_USERNAME }}
-          password: ${{ env.DOCKERHUB_TOKEN }}
-
-      - name: Print environment variables with masked secrets
-        run: printenv
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v3
-        with:
-          push: true
-          tags: acme/app:latest
-
-      - name: Load AWS credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-          # Remove local copies of the Docker credentials, which aren't needed anymore
-          unset-previous: true
-        env:
-          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
-          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
-
-      - name: Deploy app
-        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set.
-        # This happened using secret references in the preceding lines.
-        run: ./deploy.sh
-```
-
-</details>
-
-## Action Inputs
-
-| Name             | Default | Description                                                                        |
-| ---------------- | ------- | ---------------------------------------------------------------------------------- |
-| `export-env`     | `true`  | Export the loaded secrets as environment variables                                 |
-| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps |
-
-## Secrets Reference Syntax
-
-To specify which secret should be loaded into which environment variable, the action will look for `op://` reference URIs in environment variables, and replace those with the actual secret values.
-
-These reference URIs have the following syntax:
-
-> `op://<vault>/<item>[/<section>]/<field>`
-
-So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be interpreted as:
-
-- **Vault:** `app-cicd`
-- **Item:** `aws`
-- **Section:** default section
-- **Field:** `secret-access-key`
-
-## Masking
-
-Similar to regular GitHub repository secrets, fields from 1Password will automatically be masked from the GitHub Actions logs too.
-So if one of these values accidentally gets printed, it'll get replaced with `***`.
-
-## 1Password Configuration
-
-To use the action with Connect, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere.
-To configure the action with your Connect host and token, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables.
-
-To configure the action with your service account token <sup>BETA</sup>, set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable.
-
-If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration:
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          connect-host: <Your Connect instance URL>
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secret
-        uses: 1password/load-secrets-action@v1
-        env:
-          SECRET: op://app-cicd/hello-world/secret
-```
-
-### `configure` Action Inputs
-
-| Name                    | Environment variable       | Description                                              |
-| ----------------------- | -------------------------- | -------------------------------------------------------- |
-| `connect-host`          | `OP_CONNECT_HOST`          | Your 1Password Connect instance URL                      |
-| `connect-token`         | `OP_CONNECT_TOKEN`         | Token to authenticate to your 1Password Connect instance |
-| `service-account-token` | `OP_SERVICE_ACCOUNT_TOKEN` | Your 1Password service account token                     |
-
-## Supported Runners
-
-You can run the action on Linux and macOS runners. Windows is currently not supported.
-
-## Warnings
-
-If you're using the CLI in your GitHub pipelines and you want to create items with it, the following command will fail:
-
-```
-op item create --category=login --title='My Example Item' --vault='Test' \
-                --url https://www.acme.com/login \
-                --generate-password=20,letters,digits \
-                username=jane@acme.com \
-                'Test Field 1=my test secret' \
-                'Test Section 1.Test Field2[text]=Jane Doe' \
-                'Test Section 1.Test Field3[date]=1995-02-23' \
-                'Test Section 2.Test Field4[text]='$myNotes
-```
-
-This is caused by the fact that the environment in these pipelines is in piped mode, which triggers the CLI's pipe detection to expect a piped input.
-To be able to create items in such environments, do the following steps:
-
-1. Get the template of the item category you want:
-
-   ```sh
-   op item template get --out-file=new-item.json <category>
-   ```
-
-2. Edit [the template](https://developer.1password.com/docs/cli/item-template-json) to add your information.
-3. Pipe the item content to the command:
-
-   ```sh
-   cat new-item.json | op item create --vault='Test'
-   ```
-
-## Security
+## 🔐 Security
 
 1Password requests you practice responsible disclosure if you discover a vulnerability.
 
-Please file requests through [BugCrowd](https://bugcrowd.com/agilebits).
-
-For information about our security practices, visit the [1Password Security homepage](https://1password.com/security).
-
-## Getting help
-
-If you find yourself stuck, visit our [**Support Page**](https://support.1password.com/) for help.
+Please file requests by sending an email to bugbounty@agilebits.com.

action.yml

@@ -5,6 +5,9 @@ branding:
   icon: lock
   color: blue
 inputs:
+  version:
+    description: Version of the 1Password CLI to install
+    default: latest
   unset-previous:
     description: Whether to unset environment variables populated by 1Password in earlier job steps
     default: "false"
@@ -12,5 +15,5 @@ inputs:
     description: Export the secrets as environment variables
     default: "true"
 runs:
-  using: "node16"
+  using: "node20"
   main: "dist/index.js"

config/jest.config.js

@@ -11,9 +11,18 @@ const jestConfig = {
 	testEnvironment: "node",
 	testRegex: "(/__tests__/.*|(\\.|/)test)\\.ts",
 	transform: {
-		".ts": ["ts-jest"],
+		".ts": [
+			"ts-jest",
+			{
+				// Note: We shouldn't need to include `isolatedModules` here because it's a deprecated config option in TS 5,
+				// but setting it to `true` fixes the `ESM syntax is not allowed in a CommonJS module when
+				// 'verbatimModuleSyntax' is enabled` error that we're seeing when running our Jest tests.
+				isolatedModules: true,
+				useESM: true,
+			},
+		],
 	},
 	verbose: true,
 };
 
-export default jestConfig;
+module.exports = jestConfig;

configure/action.yml

@@ -9,12 +9,5 @@ inputs:
   service-account-token:
     description: Your 1Password service account token
 runs:
-  using: composite
-  steps:
-    - shell: bash
-      env:
-        INPUT_CONNECT_HOST: ${{ inputs.connect-host }}
-        INPUT_CONNECT_TOKEN: ${{ inputs.connect-token }}
-        INPUT_SERVICE_ACCOUNT_TOKEN: ${{ inputs.service-account-token }}
-      run: |
-        ${{ github.action_path }}/entrypoint.sh
+  using: "node20"
+  main: "dist/index.js"

configure/entrypoint.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2086
-set -e
-
-# Capture Connect configuration in $GITHUB_ENV, giving (optional) inputs 
-# precendence over OP_CONNECT_* environment variables.
-
-OP_CONNECT_HOST="${INPUT_CONNECT_HOST:-$OP_CONNECT_HOST}"
-if [ -n "$OP_CONNECT_HOST" ]; then
-  echo "OP_CONNECT_HOST=$OP_CONNECT_HOST" >> $GITHUB_ENV
-fi
-
-OP_CONNECT_TOKEN="${INPUT_CONNECT_TOKEN:-$OP_CONNECT_TOKEN}"
-if [ -n "$OP_CONNECT_TOKEN" ]; then
-  echo "OP_CONNECT_TOKEN=$OP_CONNECT_TOKEN" >> $GITHUB_ENV
-fi
-
-OP_SERVICE_ACCOUNT_TOKEN="${INPUT_SERVICE_ACCOUNT_TOKEN:-$OP_SERVICE_ACCOUNT_TOKEN}"
-if [ -n "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
-  echo "OP_SERVICE_ACCOUNT_TOKEN=$OP_SERVICE_ACCOUNT_TOKEN" >> $GITHUB_ENV
-fi

configure/index.js

@@ -0,0 +1,27 @@
+const core = require("@actions/core");
+
+const configure = () => {
+	const OP_CONNECT_HOST =
+		core.getInput("connect-host", { required: false }) ||
+		process.env.OP_CONNECT_HOST;
+	const OP_CONNECT_TOKEN =
+		core.getInput("connect-token", { required: false }) ||
+		process.env.OP_CONNECT_TOKEN;
+	const OP_SERVICE_ACCOUNT_TOKEN =
+		core.getInput("service-account-token", { required: false }) ||
+		process.env.OP_SERVICE_ACCOUNT_TOKEN;
+
+	if (OP_CONNECT_HOST) {
+		core.exportVariable("OP_CONNECT_HOST", OP_CONNECT_HOST);
+	}
+
+	if (OP_CONNECT_TOKEN) {
+		core.exportVariable("OP_CONNECT_TOKEN", OP_CONNECT_TOKEN);
+	}
+
+	if (OP_SERVICE_ACCOUNT_TOKEN) {
+		core.exportVariable("OP_SERVICE_ACCOUNT_TOKEN", OP_SERVICE_ACCOUNT_TOKEN);
+	}
+};
+
+configure();

dist/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "module"
-}

entrypoint.sh

@@ -1,146 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2046,SC2001,SC2086
-set -e
-
-# Pass User-Agent Inforomation to the 1Password CLI
-export OP_INTEGRATION_NAME="1Password GitHub Action"
-export OP_INTEGRATION_ID="GHA"
-export OP_INTEGRATION_BUILDNUMBER="1010001"
-
-readonly CONNECT="CONNECT"
-readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT"
-
-auth_type=$CONNECT
-managed_variables_var="OP_MANAGED_VARIABLES"
-IFS=','
-
-if [[ "$OP_CONNECT_HOST" != "http://"* ]] && [[ "$OP_CONNECT_HOST" != "https://"* ]]; then
-  export OP_CONNECT_HOST="http://"$OP_CONNECT_HOST
-fi
-
-# Unset all secrets managed by 1Password if `unset-previous` is set.
-unset_prev_secrets() {
-  if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
-    echo "Unsetting previous values..."
-
-    # Find environment variables that are managed by 1Password.
-    for env_var in "${managed_variables[@]}"; do
-      echo "Unsetting $env_var"
-      unset $env_var
-
-      echo "$env_var=" >> $GITHUB_ENV
-
-      # Keep the masks, just in case.
-    done
-
-    managed_variables=()
-  fi
-}
-
-# Install op-cli
-install_op_cli() {
-  OP_INSTALL_DIR="$(mktemp -d)"
-  if [[ ! -d "$OP_INSTALL_DIR" ]]; then
-    echo "Install dir $OP_INSTALL_DIR not found"
-    exit 1
-  fi
-  export OP_INSTALL_DIR
-  echo "::debug::OP_INSTALL_DIR: ${OP_INSTALL_DIR}"
-  if [[ "$OSTYPE" == "linux-gnu"* ]]; then
-    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_linux_amd64_v2.10.0-beta.02.zip"
-    unzip -od "$OP_INSTALL_DIR" op.zip && rm op.zip
-  elif [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_apple_universal_v2.10.0-beta.02.pkg"
-    pkgutil --expand op.pkg temp-pkg
-    tar -xvf temp-pkg/op.pkg/Payload -C "$OP_INSTALL_DIR"
-    rm -rf temp-pkg && rm op.pkg
-  fi
-}
-
-# Uninstall op-cli
-uninstall_op_cli() {
-  if [[ -d "$OP_INSTALL_DIR" ]]; then
-    rm -fr "$OP_INSTALL_DIR"
-  fi
-}
-
-populating_secret() {
-  ref=$(printenv $1)
-
-  echo "Populating variable: $1"
-  secret_value=$("${OP_INSTALL_DIR}/op" read "$ref")
-
-  if [ -z "$secret_value" ]; then
-    echo "Could not find or access secret $ref"
-    exit 1
-  fi
-
-  # Register a mask for the secret to prevent accidental log exposure.
-  # To support multiline secrets, escape percent signs and add a mask per line.
-  escaped_mask_value=$(echo "$secret_value" | sed -e 's/%/%25/g')
-  IFS=$'\n'
-  for line in $escaped_mask_value; do
-    if [ "${#line}" -lt 3 ]; then
-      # To avoid false positives and unreadable logs, omit mask for lines that are too short.
-      continue
-    fi
-    echo "::add-mask::$line"
-  done
-  unset IFS
-
-  if [ "$INPUT_EXPORT_ENV" == "true" ]; then
-    # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
-    # As the heredoc identifier, we'll use a randomly generated 64-character string,
-    # so that collisions are practically impossible.
-    random_heredoc_identifier=$(openssl rand -hex 32)
-
-    {
-      # Populate env var, using heredoc syntax with generated identifier
-      echo "$env_var<<${random_heredoc_identifier}"
-      echo "$secret_value"
-      echo "${random_heredoc_identifier}"
-    } >> $GITHUB_ENV
-    echo "GITHUB_ENV: $(cat $GITHUB_ENV)"
-
-  else
-    # Prepare the secret_value to be outputed properly (especially multiline secrets)
-    secret_value=$(echo "$secret_value" | awk -v ORS='%0A' '1')
-
-    echo "::set-output name=$env_var::$secret_value"
-  fi
-
-  managed_variables+=("$env_var")
-}
-
-# Load environment variables using op cli. Iterate over them to find 1Password references, load the secret values,
-# and make them available as environment variables in the next steps.
-extract_secrets() {
-  IFS=$'\n'
-  for env_var in $("${OP_INSTALL_DIR}/op" env ls); do
-    populating_secret $env_var
-  done
-}
-
-read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
-
-if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
-  if [ -z "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
-    echo "(\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST) or \$OP_SERVICE_ACCOUNT_TOKEN must be set"
-    exit 1
-  fi
-
-  auth_type=$SERVICE_ACCOUNT
-fi
-
-printf "Authenticated with %s \n" $auth_type
-
-unset_prev_secrets
-install_op_cli
-extract_secrets
-uninstall_op_cli
-
-unset IFS
-# Add extra env var that lists which secrets are managed by 1Password so that in a later step
-# these can be unset again.
-managed_variables_str=$(IFS=','; echo "${managed_variables[*]}")
-echo "$managed_variables_var=$managed_variables_str" >> $GITHUB_ENV

install_cli.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+# Install op-cli
+install_op_cli() {
+  # Create a temporary directory where the CLI is installed
+  OP_INSTALL_DIR="$(mktemp -d)"
+  if [[ ! -d "$OP_INSTALL_DIR" ]]; then
+    echo "Install dir $OP_INSTALL_DIR not found"
+    exit 1
+  fi
+  echo "::debug::OP_INSTALL_DIR: ${OP_INSTALL_DIR}"
+
+  # Get the latest stable version of the CLI
+  CLI_VERSION="v$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')"
+
+  if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+    # Get runner's architecture
+    ARCH=$(uname -m)
+    if [[ "$(getconf LONG_BIT)" = 32 ]]; then
+      ARCH="386"
+    elif [[ "$ARCH" == "x86_64" ]]; then
+      ARCH="amd64"
+    elif [[ "$ARCH" == "aarch64" ]]; then
+      ARCH="arm64"
+    fi
+
+    if [[ "$ARCH" != "386" ]] && [[ "$ARCH" != "amd64" ]] && [[ "$ARCH" != "arm" ]] && [[ "$ARCH" != "arm64" ]]; then
+      echo "Unsupported architecture for the 1Password CLI: $ARCH."
+      exit 1
+    fi
+
+    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/${CLI_VERSION}/op_linux_${ARCH}_${CLI_VERSION}.zip"
+    unzip -od "$OP_INSTALL_DIR" op.zip && rm op.zip
+  elif [[ "$OSTYPE" == "darwin"* ]]; then
+    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/${CLI_VERSION}/op_apple_universal_${CLI_VERSION}.pkg"
+    pkgutil --expand op.pkg temp-pkg
+    tar -xvf temp-pkg/op.pkg/Payload -C "$OP_INSTALL_DIR"
+    rm -rf temp-pkg && rm op.pkg
+  else
+    echo "Operating system not supported yet for this GitHub Action: $OSTYPE."
+    exit 1
+  fi
+}
+
+install_op_cli

package.json

@@ -1,14 +1,14 @@
 {
 	"name": "load-secrets-action",
-	"version": "1.2.0",
+	"version": "2.0.0",
 	"description": "Load Secrets from 1Password",
-	"type": "module",
 	"main": "dist/index.js",
 	"directories": {
 		"test": "tests"
 	},
 	"scripts": {
 		"build": "ncc build ./src/index.ts",
+		"build:configure": "ncc build ./configure/index.js -o ./configure/dist",
 		"format": "prettier --ignore-path ./config/.prettierignore",
 		"format:check": "npm run format -- --check ./",
 		"format:write": "npm run format -- --write ./",
@@ -39,22 +39,25 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
-		"@actions/core": "^1.10.0",
-		"@actions/exec": "^1.1.1"
+		"@1password/op-js": "^0.1.14-alpha.5",
+		"@actions/core": "^1.11.1",
+		"@actions/exec": "^1.1.1",
+		"@actions/tool-cache": "^2.0.2"
 	},
 	"devDependencies": {
-		"@1password/front-end-style": "^6.0.1",
-		"@types/jest": "^29.5.0",
-		"@types/node": "^18.15.10",
-		"@vercel/ncc": "^0.36.1",
-		"husky": "^8.0.3",
-		"jest": "^29.5.0",
-		"lint-staged": "^13.2.0",
-		"ts-jest": "^29.0.5",
-		"typescript": "^4.9.5"
+		"@1password/eslint-config": "^4.3.1",
+		"@1password/prettier-config": "^1.2.0",
+		"@types/jest": "^29.5.12",
+		"@types/node": "^20.11.30",
+		"@vercel/ncc": "^0.38.1",
+		"husky": "^9.0.11",
+		"jest": "^29.7.0",
+		"lint-staged": "^15.2.2",
+		"ts-jest": "^29.1.2",
+		"typescript": "^5.4.2"
 	},
 	"eslintConfig": {
-		"extends": "./node_modules/@1password/front-end-style/eslintrc.yml",
+		"extends": "@1password/eslint-config",
 		"ignorePatterns": [
 			"coverage/"
 		],
@@ -62,5 +65,5 @@
 			"project": "./tsconfig.json"
 		}
 	},
-	"prettier": "./node_modules/@1password/front-end-style/prettierrc.json"
+	"prettier": "@1password/prettier-config"
 }

src/constants.ts

@@ -0,0 +1,6 @@
+export const envConnectHost = "OP_CONNECT_HOST";
+export const envConnectToken = "OP_CONNECT_TOKEN";
+export const envServiceAccountToken = "OP_SERVICE_ACCOUNT_TOKEN";
+export const envManagedVariables = "OP_MANAGED_VARIABLES";
+
+export const authErr = `Authentication error with environment variables: you must set either 1) ${envServiceAccountToken}, or 2) both ${envConnectHost} and ${envConnectToken}.`;

src/index.ts

@@ -1,20 +1,26 @@
-import path from "path";
-import url from "url";
 import * as core from "@actions/core";
-import * as exec from "@actions/exec";
+import { validateCli, installCliOnGithubRunner } from "@1password/op-js";
+import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
 
-const run = async () => {
+const loadSecretsAction = async () => {
 	try {
-		const currentFile = url.fileURLToPath(import.meta.url);
-		const currentDir = path.dirname(currentFile);
-		const parentDir = path.resolve(currentDir, "..");
-
 		// Get action inputs
-		process.env.INPUT_UNSET_PREVIOUS = core.getInput("unset-previous");
-		process.env.INPUT_EXPORT_ENV = core.getInput("export-env");
+		const shouldUnsetPrevious = core.getBooleanInput("unset-previous");
+		const shouldExportEnv = core.getBooleanInput("export-env");
 
-		// Execute bash script
-		await exec.exec(`sh -c "` + parentDir + `/entrypoint.sh"`);
+		// Unset all secrets managed by 1Password if `unset-previous` is set.
+		if (shouldUnsetPrevious) {
+			unsetPrevious();
+		}
+
+		// Validate that a proper authentication configuration is set for the CLI
+		validateAuth();
+
+		// Download and install the CLI
+		await installCLI();
+
+		// Load secrets
+		await loadSecrets(shouldExportEnv);
 	} catch (error) {
 		// It's possible for the Error constructor to be modified to be anything
 		// in JavaScript, so the following code accounts for this possibility.
@@ -29,4 +35,16 @@ const run = async () => {
 	}
 };
 
-void run();
+// This function's name is an exception from the naming convention
+// since we refer to the 1Password CLI here.
+// eslint-disable-next-line @typescript-eslint/naming-convention
+const installCLI = async (): Promise<void> => {
+	// validateCli checks if there's an existing 1Password CLI installed on the runner.
+	// If there's no CLI installed, then validateCli will throw an error, which we will use
+	// as an indicator that we need to execute the installation script.
+	await validateCli().catch(async () => {
+		await installCliOnGithubRunner();
+	});
+};
+
+void loadSecretsAction();

src/utils.test.ts

@@ -0,0 +1,164 @@
+import * as core from "@actions/core";
+import * as exec from "@actions/exec";
+import { read, setClientInfo } from "@1password/op-js";
+import {
+	extractSecret,
+	loadSecrets,
+	unsetPrevious,
+	validateAuth,
+} from "./utils";
+import {
+	authErr,
+	envConnectHost,
+	envConnectToken,
+	envManagedVariables,
+	envServiceAccountToken,
+} from "./constants";
+
+jest.mock("@actions/core");
+jest.mock("@actions/exec", () => ({
+	getExecOutput: jest.fn(() => ({
+		stdout: "MOCK_SECRET",
+	})),
+}));
+jest.mock("@1password/op-js");
+
+beforeEach(() => {
+	jest.clearAllMocks();
+});
+
+describe("validateAuth", () => {
+	const testConnectHost = "https://localhost:8000";
+	const testConnectToken = "token";
+	const testServiceAccountToken = "ops_token";
+
+	beforeEach(() => {
+		process.env[envConnectHost] = "";
+		process.env[envConnectToken] = "";
+		process.env[envServiceAccountToken] = "";
+	});
+
+	it("should throw an error when no config is provided", () => {
+		expect(validateAuth).toThrow(authErr);
+	});
+
+	it("should throw an error when partial Connect config is provided", () => {
+		process.env[envConnectHost] = testConnectHost;
+		expect(validateAuth).toThrow(authErr);
+	});
+
+	it("should be authenticated as a Connect client", () => {
+		process.env[envConnectHost] = testConnectHost;
+		process.env[envConnectToken] = testConnectToken;
+		expect(validateAuth).not.toThrow(authErr);
+		expect(core.info).toHaveBeenCalledWith("Authenticated with Connect.");
+	});
+
+	it("should be authenticated as a service account", () => {
+		process.env[envServiceAccountToken] = testServiceAccountToken;
+		expect(validateAuth).not.toThrow(authErr);
+		expect(core.info).toHaveBeenCalledWith(
+			"Authenticated with Service account.",
+		);
+	});
+
+	it("should prioritize Connect over service account if both are configured", () => {
+		process.env[envServiceAccountToken] = testServiceAccountToken;
+		process.env[envConnectHost] = testConnectHost;
+		process.env[envConnectToken] = testConnectToken;
+		expect(validateAuth).not.toThrow(authErr);
+		expect(core.warning).toHaveBeenCalled();
+		expect(core.info).toHaveBeenCalledWith("Authenticated with Connect.");
+	});
+});
+
+describe("extractSecret", () => {
+	const envTestSecretEnv = "TEST_SECRET";
+	const testSecretRef = "op://vault/item/secret";
+	const testSecretValue = "Secret1@3$";
+
+	read.parse = jest.fn().mockReturnValue(testSecretValue);
+
+	process.env[envTestSecretEnv] = testSecretRef;
+
+	it("should set secret as step output", () => {
+		extractSecret(envTestSecretEnv, false);
+		expect(core.exportVariable).not.toHaveBeenCalledWith(
+			envTestSecretEnv,
+			testSecretValue,
+		);
+		expect(core.setOutput).toHaveBeenCalledWith(
+			envTestSecretEnv,
+			testSecretValue,
+		);
+		expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
+	});
+
+	it("should set secret as environment variable", () => {
+		extractSecret(envTestSecretEnv, true);
+		expect(core.exportVariable).toHaveBeenCalledWith(
+			envTestSecretEnv,
+			testSecretValue,
+		);
+		expect(core.setOutput).not.toHaveBeenCalledWith(
+			envTestSecretEnv,
+			testSecretValue,
+		);
+		expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
+	});
+});
+
+describe("loadSecrets", () => {
+	it("sets the client info and gets the executed output", async () => {
+		await loadSecrets(true);
+
+		expect(setClientInfo).toHaveBeenCalledWith({
+			name: "1Password GitHub Action",
+			id: "GHA",
+		});
+		expect(exec.getExecOutput).toHaveBeenCalledWith('sh -c "op env ls"');
+		expect(core.exportVariable).toHaveBeenCalledWith(
+			"OP_MANAGED_VARIABLES",
+			"MOCK_SECRET",
+		);
+	});
+
+	it("return early if no env vars with secrets found", async () => {
+		(exec.getExecOutput as jest.Mock).mockReturnValueOnce({ stdout: "" });
+		await loadSecrets(true);
+
+		expect(exec.getExecOutput).toHaveBeenCalledWith('sh -c "op env ls"');
+		expect(core.exportVariable).not.toHaveBeenCalled();
+	});
+
+	describe("core.exportVariable", () => {
+		it("is called when shouldExportEnv is true", async () => {
+			await loadSecrets(true);
+
+			expect(core.exportVariable).toHaveBeenCalledTimes(1);
+		});
+
+		it("is not called when shouldExportEnv is false", async () => {
+			await loadSecrets(false);
+
+			expect(core.exportVariable).not.toHaveBeenCalled();
+		});
+	});
+});
+
+describe("unsetPrevious", () => {
+	const testManagedEnv = "TEST_SECRET";
+	const testSecretValue = "MyS3cr#T";
+
+	beforeEach(() => {
+		process.env[testManagedEnv] = testSecretValue;
+		process.env[envManagedVariables] = testManagedEnv;
+	});
+
+	it("should unset the environment variable if user wants it", () => {
+		unsetPrevious();
+		expect(core.info).toHaveBeenCalledWith("Unsetting previous values ...");
+		expect(core.info).toHaveBeenCalledWith("Unsetting TEST_SECRET");
+		expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
+	});
+});

src/utils.ts

@@ -0,0 +1,91 @@
+import * as core from "@actions/core";
+import * as exec from "@actions/exec";
+import { read, setClientInfo, semverToInt } from "@1password/op-js";
+import { version } from "../package.json";
+import {
+	authErr,
+	envConnectHost,
+	envConnectToken,
+	envServiceAccountToken,
+	envManagedVariables,
+} from "./constants";
+
+export const validateAuth = (): void => {
+	const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
+	const isServiceAccount = process.env[envServiceAccountToken];
+
+	if (isConnect && isServiceAccount) {
+		core.warning(
+			"WARNING: Both service account and Connect credentials are provided. Connect credentials will take priority.",
+		);
+	}
+
+	if (!isConnect && !isServiceAccount) {
+		throw new Error(authErr);
+	}
+
+	const authType = isConnect ? "Connect" : "Service account";
+
+	core.info(`Authenticated with ${authType}.`);
+};
+
+export const extractSecret = (
+	envName: string,
+	shouldExportEnv: boolean,
+): void => {
+	core.info(`Populating variable: ${envName}`);
+
+	const ref = process.env[envName];
+	if (!ref) {
+		return;
+	}
+
+	const secretValue = read.parse(ref);
+	if (!secretValue) {
+		return;
+	}
+
+	if (shouldExportEnv) {
+		core.exportVariable(envName, secretValue);
+	} else {
+		core.setOutput(envName, secretValue);
+	}
+	core.setSecret(secretValue);
+};
+
+export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
+	// Pass User-Agent Information to the 1Password CLI
+	setClientInfo({
+		name: "1Password GitHub Action",
+		id: "GHA",
+		build: semverToInt(version),
+	});
+
+	// Load secrets from environment variables using 1Password CLI.
+	// Iterate over them to find 1Password references, extract the secret values,
+	// and make them available in the next steps either as step outputs or as environment variables.
+	const res = await exec.getExecOutput(`sh -c "op env ls"`);
+
+	if (res.stdout === "") {
+		return;
+	}
+
+	const envs = res.stdout.replace(/\n+$/g, "").split(/\r?\n/);
+	for (const envName of envs) {
+		extractSecret(envName, shouldExportEnv);
+	}
+	if (shouldExportEnv) {
+		core.exportVariable(envManagedVariables, envs.join());
+	}
+};
+
+export const unsetPrevious = (): void => {
+	if (process.env[envManagedVariables]) {
+		core.info("Unsetting previous values ...");
+		const managedEnvs = process.env[envManagedVariables].split(",");
+		for (const envName of managedEnvs) {
+			core.info(`Unsetting ${envName}`);
+			core.exportVariable(envName, "");
+		}
+	}
+};

tests/assert-cli-version.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+OP_CLI_VERSION="$1"
+CLI_URL="https://app-updates.agilebits.com/product_history/CLI2"
+
+get_latest_cli_version() {
+    conditional_path="/beta/"
+    if [ "$1" == "non_beta" ]; then
+        conditional_path="!/beta/"
+    fi
+    # This long command parses the HTML page at "CLI_URL" and finds the latest CLI version
+    # based on the release channel we're looking for (stable or beta).
+    #
+    # The ideal call (i.e. 'curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/Y -s | jq -r .version')
+    # doesn't retrieve the latest CLI version on a channel basis.
+    # If the latest release is stable and we want the latest beta, this command will return the stable still.
+    OP_CLI_VERSION="$(curl -s $CLI_URL | awk -v RS='<h3>|</h3>' 'NR % 2 == 0 {gsub(/[[:blank:]]+/, ""); gsub(/<span[^>]*>|<\/span>|[\r\n]+/, ""); gsub(/&nbsp;.*$/, ""); if (!'"$1"' && '"$conditional_path"'){print; '"$1"'=1;}}')"
+}
+
+if [ "$OP_CLI_VERSION" == "latest" ]; then
+    get_latest_cli_version non_beta
+elif [ "$OP_CLI_VERSION" == "latest-beta" ]; then
+    get_latest_cli_version beta
+fi
+
+if [ "$(op --version)" != "$OP_CLI_VERSION" ]; then
+    echo -e "Expected CLI version to be:\n$OP_CLI_VERSION\nBut got:\n$(op --version)"
+    exit 1
+fi

tsconfig.json

@@ -6,8 +6,6 @@
 		"esModuleInterop": true,
 		"exactOptionalPropertyTypes": true,
 		"forceConsistentCasingInFileNames": true,
-		"importsNotUsedAsValues": "error",
-		"isolatedModules": true,
 		"module": "esnext",
 		"moduleResolution": "node",
 		"noEmit": true,
@@ -17,9 +15,9 @@
 		"noUncheckedIndexedAccess": true,
 		"noUnusedLocals": true,
 		"noUnusedParameters": true,
-		"outDir": "./dist/",
-		"rootDir": "./src/",
+		"resolveJsonModule": true,
 		"strict": true,
-		"target": "es2022"
+		"target": "es2022",
+		"verbatimModuleSyntax": true
 	}
 }