Update install-cli-action package

As ncc uses commonjs bundle type and we import `install-cli-action` which is also commonjs, we should not set `type: module` in the package.json so it doesn't break the load-secrets-action bundle. Therefore, we can safely remove it at all.

Revert package.json

.github/workflows/acceptance-test.yml

@@ -15,17 +15,21 @@ on:
       export-env:
         required: true
         type: boolean
+      version:
+        required: false
+        type: string
+        default: "latest"
+      os:
+        required: true
+        type: string
+        default: "ubuntu-latest"
+      auth:
+        required: true
+        type: string
 
 jobs:
   acceptance-test:
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest]
-        auth: [connect, service-account]
-        exclude:
-          - os: macos-latest
-            auth: connect
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ inputs.os }}
     steps:
       - name: Base checkout
         uses: actions/checkout@v4
@@ -50,32 +54,50 @@ jobs:
             github.event.client_payload.slash_command.args.named.sha
           )
       - name: Launch 1Password Connect instance
-        if: ${{ matrix.auth == 'connect' }}
+        if: ${{ inputs.auth == 'connect' }}
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
           docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
       - name: Configure Service account
-        if: ${{ matrix.auth == 'service-account' }}
+        if: ${{ inputs.auth == 'service-account' }}
         uses: ./configure
         with:
           service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Verify Service Account env var is set
+        if: ${{ inputs.auth == 'service-account' }}
+        shell: bash
+        run: |
+          if [ -z "${OP_SERVICE_ACCOUNT_TOKEN}" ]; then
+            echo "OP_SERVICE_ACCOUNT_TOKEN environment variable is not set" >&2
+            exit 1
+          fi
       - name: Configure 1Password Connect
-        if: ${{ matrix.auth == 'connect' }}
+        if: ${{ inputs.auth == 'connect' }}
         uses: ./configure # 1password/load-secrets-action/configure@<version>
         with:
           connect-host: http://localhost:8080
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+      - name: Verify Connect env vars are set
+        if: ${{ inputs.auth == 'connect' }}
+        run: |
+          if [ -z "$OP_CONNECT_HOST" ] || [ -z "$OP_CONNECT_TOKEN" ]; then
+            echo "OP_CONNECT_HOST or OP_CONNECT_TOKEN environment variables are not set" >&2
+            exit 1
+          fi
       - name: Load secrets
         id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
         with:
+          version: ${{ inputs.version }}
           export-env: ${{ inputs.export-env }}
         env:
           SECRET: ${{ inputs.secret }}
           SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
           MULTILINE_SECRET: ${{ inputs.multiline-secret }}
+      - name: Verify installed op cli version
+        run: ./tests/assert-cli-version.sh ${{ inputs.version }}
       - name: Assert test secret values [step output]
         if: ${{ !inputs.export-env }}
         env:

.github/workflows/test.yml

@@ -14,6 +14,7 @@ jobs:
           node-version: 20
       - run: npm ci
       - run: npm test
+
   test-with-output-secrets:
     if: |
       github.ref == 'refs/heads/main' ||
@@ -21,13 +22,27 @@ jobs:
         github.event_name == 'pull_request' && 
         github.event.pull_request.head.repo.full_name == github.repository
       )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
     secrets: inherit
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
+        auth: [ connect, service-account ]
+        exclude:
+          - os: macos-latest
+            auth: connect
+          - os: windows-latest
+            auth: connect
     with:
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      auth: ${{ matrix.auth }}
       secret: op://acceptance-tests/test-secret/password
       secret-in-section: op://acceptance-tests/test-secret/test-section/password
       multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
       export-env: false
+
   test-with-export-env:
     if: |
       github.ref == 'refs/heads/main' ||
@@ -35,13 +50,27 @@ jobs:
         github.event_name == 'pull_request' && 
         github.event.pull_request.head.repo.full_name == github.repository
       )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
     secrets: inherit
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
+        auth: [ connect, service-account ]
+        exclude:
+          - os: macos-latest
+            auth: connect
+          - os: windows-latest
+            auth: connect
     with:
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      auth: ${{ matrix.auth }}
       secret: op://acceptance-tests/test-secret/password
       secret-in-section: op://acceptance-tests/test-secret/test-section/password
       multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
       export-env: true
+
   test-references-with-ids:
     if: |
       github.ref == 'refs/heads/main' ||
@@ -49,9 +78,22 @@ jobs:
         github.event_name == 'pull_request' && 
         github.event.pull_request.head.repo.full_name == github.repository
       )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
     secrets: inherit
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
+        auth: [ connect, service-account ]
+        exclude:
+          - os: macos-latest
+            auth: connect
+          - os: windows-latest
+            auth: connect
     with:
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      auth: ${{ matrix.auth }}
       secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
       secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
       multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain

action.yml

@@ -5,6 +5,9 @@ branding:
   icon: lock
   color: blue
 inputs:
+  version:
+    description: Version of the 1Password CLI to install
+    default: latest
   unset-previous:
     description: Whether to unset environment variables populated by 1Password in earlier job steps
     default: "false"

config/jest.config.js

@@ -25,4 +25,4 @@ const jestConfig = {
 	verbose: true,
 };
 
-export default jestConfig;
+module.exports = jestConfig;

configure/action.yml

@@ -9,12 +9,5 @@ inputs:
   service-account-token:
     description: Your 1Password service account token
 runs:
-  using: composite
-  steps:
-    - shell: bash
-      env:
-        INPUT_CONNECT_HOST: ${{ inputs.connect-host }}
-        INPUT_CONNECT_TOKEN: ${{ inputs.connect-token }}
-        INPUT_SERVICE_ACCOUNT_TOKEN: ${{ inputs.service-account-token }}
-      run: |
-        ${{ github.action_path }}/entrypoint.sh
+  using: "node20"
+  main: "dist/index.js"

configure/entrypoint.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2086
-set -e
-
-# Capture Connect configuration in $GITHUB_ENV, giving (optional) inputs 
-# precendence over OP_CONNECT_* environment variables.
-
-OP_CONNECT_HOST="${INPUT_CONNECT_HOST:-$OP_CONNECT_HOST}"
-if [ -n "$OP_CONNECT_HOST" ]; then
-  echo "OP_CONNECT_HOST=$OP_CONNECT_HOST" >> $GITHUB_ENV
-fi
-
-OP_CONNECT_TOKEN="${INPUT_CONNECT_TOKEN:-$OP_CONNECT_TOKEN}"
-if [ -n "$OP_CONNECT_TOKEN" ]; then
-  echo "OP_CONNECT_TOKEN=$OP_CONNECT_TOKEN" >> $GITHUB_ENV
-fi
-
-OP_SERVICE_ACCOUNT_TOKEN="${INPUT_SERVICE_ACCOUNT_TOKEN:-$OP_SERVICE_ACCOUNT_TOKEN}"
-if [ -n "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
-  echo "OP_SERVICE_ACCOUNT_TOKEN=$OP_SERVICE_ACCOUNT_TOKEN" >> $GITHUB_ENV
-fi

configure/index.js

@@ -0,0 +1,27 @@
+const core = require("@actions/core");
+
+const configure = () => {
+	const OP_CONNECT_HOST =
+		core.getInput("connect-host", { required: false }) ||
+		process.env.OP_CONNECT_HOST;
+	const OP_CONNECT_TOKEN =
+		core.getInput("connect-token", { required: false }) ||
+		process.env.OP_CONNECT_TOKEN;
+	const OP_SERVICE_ACCOUNT_TOKEN =
+		core.getInput("service-account-token", { required: false }) ||
+		process.env.OP_SERVICE_ACCOUNT_TOKEN;
+
+	if (OP_CONNECT_HOST) {
+		core.exportVariable("OP_CONNECT_HOST", OP_CONNECT_HOST);
+	}
+
+	if (OP_CONNECT_TOKEN) {
+		core.exportVariable("OP_CONNECT_TOKEN", OP_CONNECT_TOKEN);
+	}
+
+	if (OP_SERVICE_ACCOUNT_TOKEN) {
+		core.exportVariable("OP_SERVICE_ACCOUNT_TOKEN", OP_SERVICE_ACCOUNT_TOKEN);
+	}
+};
+
+configure();

dist/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "module"
-}

package.json

@@ -2,13 +2,14 @@
 	"name": "load-secrets-action",
 	"version": "2.0.0",
 	"description": "Load Secrets from 1Password",
-	"type": "module",
+	"type": "commonjs",
 	"main": "dist/index.js",
 	"directories": {
 		"test": "tests"
 	},
 	"scripts": {
 		"build": "ncc build ./src/index.ts",
+		"build:configure": "ncc build ./configure/index.js -o ./configure/dist",
 		"format": "prettier --ignore-path ./config/.prettierignore",
 		"format:check": "npm run format -- --check ./",
 		"format:write": "npm run format -- --write ./",
@@ -39,9 +40,11 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
+		"@1password/install-cli-action": "github:1password/install-cli-action#vzt/export-install-function",
 		"@1password/op-js": "^0.1.11",
-		"@actions/core": "^1.10.1",
-		"@actions/exec": "^1.1.1"
+		"@actions/core": "^1.11.1",
+		"@actions/exec": "^1.1.1",
+		"@actions/tool-cache": "^2.0.2"
 	},
 	"devDependencies": {
 		"@1password/eslint-config": "^4.3.1",

src/index.ts

@@ -1,7 +1,4 @@
-import path from "path";
-import url from "url";
 import * as core from "@actions/core";
-import * as exec from "@actions/exec";
 import { validateCli } from "@1password/op-js";
 import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
 
@@ -46,21 +43,10 @@ const installCLI = async (): Promise<void> => {
 	// If there's no CLI installed, then validateCli will throw an error, which we will use
 	// as an indicator that we need to execute the installation script.
 	await validateCli().catch(async () => {
-		const currentFile = url.fileURLToPath(import.meta.url);
-		const currentDir = path.dirname(currentFile);
-		const parentDir = path.resolve(currentDir, "..");
-
-		// Execute bash script
-		const cmdOut = await exec.getExecOutput(
-			`sh -c "` + parentDir + `/install_cli.sh"`,
-		);
-
-		// Add path to 1Password CLI to $PATH
-		const outArr = cmdOut.stdout.split("\n");
-		if (outArr[0] && process.env.PATH) {
-			const cliPath = outArr[0]?.replace(/^(::debug::OP_INSTALL_DIR: )/, "");
-			core.addPath(cliPath);
-		}
+		// eslint-disable-next-line
+		const { install } = require("@1password/install-cli-action");
+		// eslint-disable-next-line @typescript-eslint/no-unsafe-call
+		await install();
 	});
 };
 

tests/assert-cli-version.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+OP_CLI_VERSION="$1"
+CLI_URL="https://app-updates.agilebits.com/product_history/CLI2"
+
+get_latest_cli_version() {
+    conditional_path="/beta/"
+    if [ "$1" == "non_beta" ]; then
+        conditional_path="!/beta/"
+    fi
+    # This long command parses the HTML page at "CLI_URL" and finds the latest CLI version
+    # based on the release channel we're looking for (stable or beta).
+    #
+    # The ideal call (i.e. 'curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/Y -s | jq -r .version')
+    # doesn't retrieve the latest CLI version on a channel basis.
+    # If the latest release is stable and we want the latest beta, this command will return the stable still.
+    OP_CLI_VERSION="$(curl -s $CLI_URL | awk -v RS='<h3>|</h3>' 'NR % 2 == 0 {gsub(/[[:blank:]]+/, ""); gsub(/<span[^>]*>|<\/span>|[\r\n]+/, ""); gsub(/&nbsp;.*$/, ""); if (!'"$1"' && '"$conditional_path"'){print; '"$1"'=1;}}')"
+}
+
+if [ "$OP_CLI_VERSION" == "latest" ]; then
+    get_latest_cli_version non_beta
+elif [ "$OP_CLI_VERSION" == "latest-beta" ]; then
+    get_latest_cli_version beta
+fi
+
+if [ "$(op --version)" != "$OP_CLI_VERSION" ]; then
+    echo -e "Expected CLI version to be:\n$OP_CLI_VERSION\nBut got:\n$(op --version)"
+    exit 1
+fi