Compare commits
3 Commits
jill/handl
...
jill/depre
| Author | SHA1 | Date | |
|---|---|---|---|
|
be2bd38fd6 | ||
|
|
9bdf6cdcfc | ||
|
|
85fc7ef953 |
56
.github/workflows/e2e-tests.yml
vendored
56
.github/workflows/e2e-tests.yml
vendored
@@ -29,13 +29,12 @@ on:
|
||||
|
||||
jobs:
|
||||
test-service-account:
|
||||
name: Service Account (${{ matrix.os }}, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
|
||||
name: Service Account (${{ matrix.os }}, export-env=${{ matrix.export-env }})
|
||||
runs-on: ${{ matrix.os }}
|
||||
strategy:
|
||||
fail-fast: true
|
||||
matrix:
|
||||
os: [ubuntu-latest, macos-latest, windows-latest]
|
||||
version: [latest, 2.30.0]
|
||||
export-env: [true, false]
|
||||
steps:
|
||||
- name: Checkout
|
||||
@@ -66,8 +65,6 @@ jobs:
|
||||
echo "SECRET_WITH_FILE=op://${{ secrets.VAULT }}/file-secret/test.txt" >> tests/.env.tpl
|
||||
echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT }}/file-secret/file section/test.txt" >> tests/.env.tpl
|
||||
echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT }}/double-section-secret/test-section/password" >> tests/.env.tpl
|
||||
echo "SSH_PRIVATE_KEY=op://${{ secrets.VAULT }}/test-ssh-key/private key" >> tests/.env.tpl
|
||||
echo "SSH_PRIVATE_KEY_OPENSSH=op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
|
||||
|
||||
- name: Generate .vaultId_env.tpl
|
||||
shell: bash
|
||||
@@ -78,8 +75,6 @@ jobs:
|
||||
echo "SECRET_WITH_FILE=op://${{ secrets.VAULT_ID }}/file-secret/test.txt" >> tests/.vaultId_env.tpl
|
||||
echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt" >> tests/.vaultId_env.tpl
|
||||
echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password" >> tests/.vaultId_env.tpl
|
||||
echo "SSH_PRIVATE_KEY=op://${{ secrets.VAULT_ID }}/test-ssh-key/private key" >> tests/.vaultId_env.tpl
|
||||
echo "SSH_PRIVATE_KEY_OPENSSH=op://${{ secrets.VAULT_ID }}/test-ssh-key/private key?ssh-format=openssh" >> tests/.vaultId_env.tpl
|
||||
|
||||
- name: Configure Service account
|
||||
uses: ./configure
|
||||
@@ -90,7 +85,6 @@ jobs:
|
||||
id: load_secrets
|
||||
uses: ./
|
||||
with:
|
||||
version: ${{ matrix.version }}
|
||||
export-env: ${{ matrix.export-env }}
|
||||
env:
|
||||
SECRET: op://${{ secrets.VAULT }}/test-secret/password
|
||||
@@ -99,8 +93,6 @@ jobs:
|
||||
SECRET_WITH_FILE: op://${{ secrets.VAULT }}/file-secret/test.txt
|
||||
SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT }}/file-secret/file section/test.txt
|
||||
DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT }}/double-section-secret/test-section/password
|
||||
SSH_PRIVATE_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
|
||||
SSH_PRIVATE_KEY_OPENSSH: op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh
|
||||
OP_ENV_FILE: ./tests/.env.tpl
|
||||
|
||||
- name: Assert test secret values [step output]
|
||||
@@ -116,8 +108,6 @@ jobs:
|
||||
SECRET_WITH_FILE: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE }}
|
||||
SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE_IN_SECTION }}
|
||||
DOUBLE_SECTION_SECRET: ${{ steps.load_secrets.outputs.DOUBLE_SECTION_SECRET }}
|
||||
SSH_PRIVATE_KEY: ${{ steps.load_secrets.outputs.SSH_PRIVATE_KEY }}
|
||||
SSH_PRIVATE_KEY_OPENSSH: ${{ steps.load_secrets.outputs.SSH_PRIVATE_KEY_OPENSSH }}
|
||||
run: ./tests/assert-env-set.sh
|
||||
|
||||
- name: Assert test secret values [exported env]
|
||||
@@ -125,19 +115,6 @@ jobs:
|
||||
shell: bash
|
||||
run: ./tests/assert-env-set.sh
|
||||
|
||||
- name: Assert SSH keys [step output]
|
||||
if: ${{ !matrix.export-env }}
|
||||
shell: bash
|
||||
env:
|
||||
SSH_PRIVATE_KEY: ${{ steps.load_secrets.outputs.SSH_PRIVATE_KEY }}
|
||||
SSH_PRIVATE_KEY_OPENSSH: ${{ steps.load_secrets.outputs.SSH_PRIVATE_KEY_OPENSSH }}
|
||||
run: ./tests/assert-ssh-keys.sh
|
||||
|
||||
- name: Assert SSH keys [exported env]
|
||||
if: ${{ matrix.export-env }}
|
||||
shell: bash
|
||||
run: ./tests/assert-ssh-keys.sh
|
||||
|
||||
- name: Remove secrets [exported env]
|
||||
if: ${{ matrix.export-env }}
|
||||
uses: ./
|
||||
@@ -168,7 +145,6 @@ jobs:
|
||||
id: load_secrets_by_vault_id
|
||||
uses: ./
|
||||
with:
|
||||
version: ${{ matrix.version }}
|
||||
export-env: ${{ matrix.export-env }}
|
||||
env:
|
||||
SECRET: op://${{ secrets.VAULT_ID }}/test-secret/password
|
||||
@@ -177,8 +153,6 @@ jobs:
|
||||
SECRET_WITH_FILE: op://${{ secrets.VAULT_ID }}/file-secret/test.txt
|
||||
SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt
|
||||
DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password
|
||||
SSH_PRIVATE_KEY: op://${{ secrets.VAULT_ID }}/test-ssh-key/private key
|
||||
SSH_PRIVATE_KEY_OPENSSH: op://${{ secrets.VAULT_ID }}/test-ssh-key/private key?ssh-format=openssh
|
||||
OP_ENV_FILE: ./tests/.vaultId_env.tpl
|
||||
|
||||
- name: Assert test secret values [vault by ID]
|
||||
@@ -194,18 +168,15 @@ jobs:
|
||||
SECRET_WITH_FILE: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE }}
|
||||
SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE_IN_SECTION }}
|
||||
DOUBLE_SECTION_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.DOUBLE_SECTION_SECRET }}
|
||||
SSH_PRIVATE_KEY: ${{ steps.load_secrets_by_vault_id.outputs.SSH_PRIVATE_KEY }}
|
||||
SSH_PRIVATE_KEY_OPENSSH: ${{ steps.load_secrets_by_vault_id.outputs.SSH_PRIVATE_KEY_OPENSSH }}
|
||||
run: ./tests/assert-env-set.sh
|
||||
|
||||
test-connect:
|
||||
name: Connect (ubuntu-latest, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
|
||||
name: Connect (ubuntu-latest, export-env=${{ matrix.export-env }})
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
fail-fast: true
|
||||
matrix:
|
||||
os: [ubuntu-latest, macos-latest, windows-latest]
|
||||
version: [latest, 2.30.0]
|
||||
export-env: [true, false]
|
||||
steps:
|
||||
- name: Checkout
|
||||
@@ -235,8 +206,6 @@ jobs:
|
||||
echo "SECRET_WITH_FILE=op://${{ secrets.VAULT }}/file-secret/test.txt" >> tests/.env.tpl
|
||||
echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT }}/file-secret/file section/test.txt" >> tests/.env.tpl
|
||||
echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT }}/double-section-secret/test-section/password" >> tests/.env.tpl
|
||||
echo "SSH_PRIVATE_KEY=op://${{ secrets.VAULT }}/test-ssh-key/private key" >> tests/.env.tpl
|
||||
echo "SSH_PRIVATE_KEY_OPENSSH=op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
|
||||
|
||||
- name: Generate .vaultId_env.tpl
|
||||
run: |
|
||||
@@ -246,8 +215,6 @@ jobs:
|
||||
echo "SECRET_WITH_FILE=op://${{ secrets.VAULT_ID }}/file-secret/test.txt" >> tests/.vaultId_env.tpl
|
||||
echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt" >> tests/.vaultId_env.tpl
|
||||
echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password" >> tests/.vaultId_env.tpl
|
||||
echo "SSH_PRIVATE_KEY=op://${{ secrets.VAULT_ID }}/test-ssh-key/private key" >> tests/.vaultId_env.tpl
|
||||
echo "SSH_PRIVATE_KEY_OPENSSH=op://${{ secrets.VAULT_ID }}/test-ssh-key/private key?ssh-format=openssh" >> tests/.vaultId_env.tpl
|
||||
|
||||
- name: Launch 1Password Connect instance
|
||||
env:
|
||||
@@ -266,7 +233,6 @@ jobs:
|
||||
id: load_secrets
|
||||
uses: ./
|
||||
with:
|
||||
version: ${{ matrix.version }}
|
||||
export-env: ${{ matrix.export-env }}
|
||||
env:
|
||||
SECRET: op://${{ secrets.VAULT }}/test-secret/password
|
||||
@@ -275,8 +241,6 @@ jobs:
|
||||
SECRET_WITH_FILE: op://${{ secrets.VAULT }}/file-secret/test.txt
|
||||
SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT }}/file-secret/file section/test.txt
|
||||
DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT }}/double-section-secret/test-section/password
|
||||
SSH_PRIVATE_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
|
||||
SSH_PRIVATE_KEY_OPENSSH: op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh
|
||||
OP_ENV_FILE: ./tests/.env.tpl
|
||||
|
||||
- name: Assert test secret values [step output]
|
||||
@@ -291,27 +255,12 @@ jobs:
|
||||
SECRET_WITH_FILE: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE }}
|
||||
SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE_IN_SECTION }}
|
||||
DOUBLE_SECTION_SECRET: ${{ steps.load_secrets.outputs.DOUBLE_SECTION_SECRET }}
|
||||
SSH_PRIVATE_KEY: ${{ steps.load_secrets.outputs.SSH_PRIVATE_KEY }}
|
||||
SSH_PRIVATE_KEY_OPENSSH: ${{ steps.load_secrets.outputs.SSH_PRIVATE_KEY_OPENSSH }}
|
||||
run: ./tests/assert-env-set.sh
|
||||
|
||||
- name: Assert test secret values [exported env]
|
||||
if: ${{ matrix.export-env }}
|
||||
run: ./tests/assert-env-set.sh
|
||||
|
||||
- name: Assert SSH keys [step output]
|
||||
if: ${{ !matrix.export-env }}
|
||||
shell: bash
|
||||
env:
|
||||
SSH_PRIVATE_KEY: ${{ steps.load_secrets.outputs.SSH_PRIVATE_KEY }}
|
||||
SSH_PRIVATE_KEY_OPENSSH: ${{ steps.load_secrets.outputs.SSH_PRIVATE_KEY_OPENSSH }}
|
||||
run: ./tests/assert-ssh-keys.sh
|
||||
|
||||
- name: Assert SSH keys [exported env]
|
||||
if: ${{ matrix.export-env }}
|
||||
shell: bash
|
||||
run: ./tests/assert-ssh-keys.sh
|
||||
|
||||
- name: Remove secrets [exported env]
|
||||
if: ${{ matrix.export-env }}
|
||||
uses: ./
|
||||
@@ -341,7 +290,6 @@ jobs:
|
||||
id: load_secrets_by_vault_id
|
||||
uses: ./
|
||||
with:
|
||||
version: ${{ matrix.version }}
|
||||
export-env: ${{ matrix.export-env }}
|
||||
env:
|
||||
SECRET: op://${{ secrets.VAULT_ID }}/test-secret/password
|
||||
|
||||
@@ -84,7 +84,7 @@ When loading SSH keys, you can specify the format using the `ssh-format` query p
|
||||
SSH_PRIVATE_KEY: op://vault/item/private key?ssh-format=openssh
|
||||
```
|
||||
|
||||
For more details on secret reference syntax, see the [1Password CLI documentation](https://developer.1password.com/docs/cli/secret-reference-syntax/#ssh-format-parameter).
|
||||
For more details on secret reference syntax, see the [1Password documentation](https://developer.1password.com/docs/cli/secret-reference-syntax/#ssh-format-parameter).
|
||||
|
||||
## 💙 Community & Support
|
||||
|
||||
|
||||
@@ -11,8 +11,9 @@ inputs:
|
||||
export-env:
|
||||
description: Export the secrets as environment variables
|
||||
default: "false"
|
||||
# Backward-compatible no-op input (intentionally ignored)
|
||||
version:
|
||||
description: Specify which 1Password CLI version to install. Defaults to "latest".
|
||||
description: "(Deprecated) No longer used. Kept for backwards compatibility."
|
||||
default: "latest"
|
||||
runs:
|
||||
using: "node20"
|
||||
|
||||
138
package-lock.json
generated
138
package-lock.json
generated
@@ -10,20 +10,17 @@
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@1password/connect": "^1.4.2",
|
||||
"@1password/op-js": "^0.1.11",
|
||||
"@1password/sdk": "^0.4.0",
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/exec": "^1.1.1",
|
||||
"@actions/tool-cache": "^2.0.2",
|
||||
"dotenv": "^17.2.2",
|
||||
"sshpk": "^1.18.0"
|
||||
"dotenv": "^17.2.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@1password/eslint-config": "^4.3.1",
|
||||
"@1password/prettier-config": "^1.2.0",
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/node": "^20.11.30",
|
||||
"@types/sshpk": "^1.17.4",
|
||||
"@vercel/ncc": "^0.38.1",
|
||||
"husky": "^9.0.11",
|
||||
"jest": "^29.7.0",
|
||||
@@ -69,16 +66,6 @@
|
||||
"typescript": "^5.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@1password/op-js": {
|
||||
"version": "0.1.13",
|
||||
"resolved": "https://registry.npmjs.org/@1password/op-js/-/op-js-0.1.13.tgz",
|
||||
"integrity": "sha512-ZZBLxVqywFdvIbLv2xWw2N1ImSi183rRKf90vV19KRMReNyLwuD0dv6IrKrIdrJU33IuV3Gz85Z4K2a1PJTBDg==",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"lookpath": "^1.2.2",
|
||||
"semver": "^7.6.2"
|
||||
}
|
||||
},
|
||||
"node_modules/@1password/prettier-config": {
|
||||
"version": "1.2.0",
|
||||
"resolved": "https://registry.npmjs.org/@1password/prettier-config/-/prettier-config-1.2.0.tgz",
|
||||
@@ -1304,15 +1291,6 @@
|
||||
"@sinonjs/commons": "^3.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@types/asn1": {
|
||||
"version": "0.2.4",
|
||||
"resolved": "https://registry.npmjs.org/@types/asn1/-/asn1-0.2.4.tgz",
|
||||
"integrity": "sha512-V91DSJ2l0h0gRhVP4oBfBzRBN9lAbPUkGDMCnwedqPKX2d84aAMc9CulOvxdw1f7DfEYx99afab+Rsm3e52jhA==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@types/node": "*"
|
||||
}
|
||||
},
|
||||
"node_modules/@types/babel__core": {
|
||||
"version": "7.20.5",
|
||||
"resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.20.5.tgz",
|
||||
@@ -1437,16 +1415,6 @@
|
||||
"dev": true,
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/@types/sshpk": {
|
||||
"version": "1.17.4",
|
||||
"resolved": "https://registry.npmjs.org/@types/sshpk/-/sshpk-1.17.4.tgz",
|
||||
"integrity": "sha512-5gI/7eJn6wmkuIuFY8JZJ1g5b30H9K5U5vKrvOuYu+hoZLb2xcVEgxhYZ2Vhbs0w/ACyzyfkJq0hQtBfSCugjw==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@types/asn1": "*",
|
||||
"@types/node": "*"
|
||||
}
|
||||
},
|
||||
"node_modules/@types/stack-utils": {
|
||||
"version": "2.0.3",
|
||||
"resolved": "https://registry.npmjs.org/@types/stack-utils/-/stack-utils-2.0.3.tgz",
|
||||
@@ -2001,22 +1969,6 @@
|
||||
"url": "https://github.com/sponsors/ljharb"
|
||||
}
|
||||
},
|
||||
"node_modules/asn1": {
|
||||
"version": "0.2.6",
|
||||
"resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz",
|
||||
"integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
|
||||
"dependencies": {
|
||||
"safer-buffer": "~2.1.0"
|
||||
}
|
||||
},
|
||||
"node_modules/assert-plus": {
|
||||
"version": "1.0.0",
|
||||
"resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz",
|
||||
"integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==",
|
||||
"engines": {
|
||||
"node": ">=0.8"
|
||||
}
|
||||
},
|
||||
"node_modules/ast-types-flow": {
|
||||
"version": "0.0.8",
|
||||
"resolved": "https://registry.npmjs.org/ast-types-flow/-/ast-types-flow-0.0.8.tgz",
|
||||
@@ -2217,14 +2169,6 @@
|
||||
"dev": true,
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/bcrypt-pbkdf": {
|
||||
"version": "1.0.2",
|
||||
"resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz",
|
||||
"integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==",
|
||||
"dependencies": {
|
||||
"tweetnacl": "^0.14.3"
|
||||
}
|
||||
},
|
||||
"node_modules/brace-expansion": {
|
||||
"version": "1.1.12",
|
||||
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
|
||||
@@ -2682,17 +2626,6 @@
|
||||
"dev": true,
|
||||
"license": "BSD-2-Clause"
|
||||
},
|
||||
"node_modules/dashdash": {
|
||||
"version": "1.14.1",
|
||||
"resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz",
|
||||
"integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==",
|
||||
"dependencies": {
|
||||
"assert-plus": "^1.0.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=0.10"
|
||||
}
|
||||
},
|
||||
"node_modules/data-view-buffer": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/data-view-buffer/-/data-view-buffer-1.0.1.tgz",
|
||||
@@ -2915,15 +2848,6 @@
|
||||
"node": ">= 0.4"
|
||||
}
|
||||
},
|
||||
"node_modules/ecc-jsbn": {
|
||||
"version": "0.1.2",
|
||||
"resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz",
|
||||
"integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==",
|
||||
"dependencies": {
|
||||
"jsbn": "~0.1.0",
|
||||
"safer-buffer": "^2.1.0"
|
||||
}
|
||||
},
|
||||
"node_modules/ejs": {
|
||||
"version": "3.1.10",
|
||||
"resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.10.tgz",
|
||||
@@ -4157,14 +4081,6 @@
|
||||
"url": "https://github.com/sponsors/ljharb"
|
||||
}
|
||||
},
|
||||
"node_modules/getpass": {
|
||||
"version": "0.1.7",
|
||||
"resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz",
|
||||
"integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==",
|
||||
"dependencies": {
|
||||
"assert-plus": "^1.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/glob": {
|
||||
"version": "7.2.3",
|
||||
"resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
|
||||
@@ -5717,11 +5633,6 @@
|
||||
"js-yaml": "bin/js-yaml.js"
|
||||
}
|
||||
},
|
||||
"node_modules/jsbn": {
|
||||
"version": "0.1.1",
|
||||
"resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz",
|
||||
"integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg=="
|
||||
},
|
||||
"node_modules/jsdoc-type-pratt-parser": {
|
||||
"version": "4.0.0",
|
||||
"resolved": "https://registry.npmjs.org/jsdoc-type-pratt-parser/-/jsdoc-type-pratt-parser-4.0.0.tgz",
|
||||
@@ -6239,18 +6150,6 @@
|
||||
"url": "https://github.com/chalk/strip-ansi?sponsor=1"
|
||||
}
|
||||
},
|
||||
"node_modules/lookpath": {
|
||||
"version": "1.2.2",
|
||||
"resolved": "https://registry.npmjs.org/lookpath/-/lookpath-1.2.2.tgz",
|
||||
"integrity": "sha512-k2Gmn8iV6qdME3ztZC2spubmQISimFOPLuQKiPaLcVdRz0IpdxrNClVepMlyTJlhodm/zG/VfbkWERm3kUIh+Q==",
|
||||
"license": "MIT",
|
||||
"bin": {
|
||||
"lookpath": "bin/lookpath.js"
|
||||
},
|
||||
"engines": {
|
||||
"npm": ">=6.13.4"
|
||||
}
|
||||
},
|
||||
"node_modules/loose-envify": {
|
||||
"version": "1.4.0",
|
||||
"resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz",
|
||||
@@ -7223,15 +7122,11 @@
|
||||
"url": "https://github.com/sponsors/ljharb"
|
||||
}
|
||||
},
|
||||
"node_modules/safer-buffer": {
|
||||
"version": "2.1.2",
|
||||
"resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
|
||||
"integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
|
||||
},
|
||||
"node_modules/semver": {
|
||||
"version": "7.6.3",
|
||||
"resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
|
||||
"integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
|
||||
"dev": true,
|
||||
"license": "ISC",
|
||||
"bin": {
|
||||
"semver": "bin/semver.js"
|
||||
@@ -7489,30 +7384,6 @@
|
||||
"dev": true,
|
||||
"license": "BSD-3-Clause"
|
||||
},
|
||||
"node_modules/sshpk": {
|
||||
"version": "1.18.0",
|
||||
"resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz",
|
||||
"integrity": "sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==",
|
||||
"dependencies": {
|
||||
"asn1": "~0.2.3",
|
||||
"assert-plus": "^1.0.0",
|
||||
"bcrypt-pbkdf": "^1.0.0",
|
||||
"dashdash": "^1.12.0",
|
||||
"ecc-jsbn": "~0.1.1",
|
||||
"getpass": "^0.1.1",
|
||||
"jsbn": "~0.1.0",
|
||||
"safer-buffer": "^2.0.2",
|
||||
"tweetnacl": "~0.14.0"
|
||||
},
|
||||
"bin": {
|
||||
"sshpk-conv": "bin/sshpk-conv",
|
||||
"sshpk-sign": "bin/sshpk-sign",
|
||||
"sshpk-verify": "bin/sshpk-verify"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=0.10.0"
|
||||
}
|
||||
},
|
||||
"node_modules/stack-utils": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/stack-utils/-/stack-utils-2.0.6.tgz",
|
||||
@@ -7981,11 +7852,6 @@
|
||||
"node": ">=0.6.11 <=0.7.0 || >=0.7.3"
|
||||
}
|
||||
},
|
||||
"node_modules/tweetnacl": {
|
||||
"version": "0.14.5",
|
||||
"resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz",
|
||||
"integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA=="
|
||||
},
|
||||
"node_modules/type-check": {
|
||||
"version": "0.4.0",
|
||||
"resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
|
||||
|
||||
@@ -40,21 +40,18 @@
|
||||
},
|
||||
"homepage": "https://github.com/1Password/load-secrets-action#readme",
|
||||
"dependencies": {
|
||||
"@1password/op-js": "^0.1.11",
|
||||
"@1password/sdk": "^0.4.0",
|
||||
"@1password/connect": "^1.4.2",
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/exec": "^1.1.1",
|
||||
"@actions/tool-cache": "^2.0.2",
|
||||
"dotenv": "^17.2.2",
|
||||
"sshpk": "^1.18.0"
|
||||
"dotenv": "^17.2.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@1password/eslint-config": "^4.3.1",
|
||||
"@1password/prettier-config": "^1.2.0",
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/node": "^20.11.30",
|
||||
"@types/sshpk": "^1.17.4",
|
||||
"@vercel/ncc": "^0.38.1",
|
||||
"husky": "^9.0.11",
|
||||
"jest": "^29.7.0",
|
||||
|
||||
@@ -14,7 +14,7 @@ const loadSecretsAction = async () => {
|
||||
unsetPrevious();
|
||||
}
|
||||
|
||||
// Validate that a proper authentication configuration is set for the CLI
|
||||
// Validate that a proper authentication configuration is set (Connect or service account)
|
||||
validateAuth();
|
||||
|
||||
// Set environment variables from OP_ENV_FILE
|
||||
|
||||
@@ -1,58 +0,0 @@
|
||||
import os from "os";
|
||||
|
||||
import * as core from "@actions/core";
|
||||
import * as tc from "@actions/tool-cache";
|
||||
|
||||
export type SupportedPlatform = Extract<
|
||||
NodeJS.Platform,
|
||||
"linux" | "darwin" | "win32"
|
||||
>;
|
||||
|
||||
// maps OS architecture names to 1Password CLI installer architecture names
|
||||
export const archMap: Record<string, string> = {
|
||||
ia32: "386",
|
||||
x64: "amd64",
|
||||
arm: "arm",
|
||||
arm64: "arm64",
|
||||
};
|
||||
|
||||
// Builds the download URL for the 1Password CLI based on the platform and version.
|
||||
export const cliUrlBuilder: Record<
|
||||
SupportedPlatform,
|
||||
(version: string, arch?: string) => string
|
||||
> = {
|
||||
linux: (version, arch) =>
|
||||
`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_linux_${arch}_${version}.zip`,
|
||||
darwin: (version) =>
|
||||
`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_apple_universal_${version}.pkg`,
|
||||
win32: (version, arch) =>
|
||||
`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_windows_${arch}_${version}.zip`,
|
||||
};
|
||||
|
||||
export class CliInstaller {
|
||||
public readonly version: string;
|
||||
public readonly arch: string;
|
||||
|
||||
public constructor(version: string) {
|
||||
this.version = version;
|
||||
this.arch = this.getArch();
|
||||
}
|
||||
|
||||
public async install(url: string): Promise<void> {
|
||||
console.info(`Downloading 1Password CLI from: ${url}`);
|
||||
const downloadPath = await tc.downloadTool(url);
|
||||
console.info("Installing 1Password CLI");
|
||||
const extractedPath = await tc.extractZip(downloadPath);
|
||||
core.addPath(extractedPath);
|
||||
core.info("1Password CLI installed");
|
||||
}
|
||||
|
||||
private getArch(): string {
|
||||
const arch = archMap[os.arch()];
|
||||
if (!arch) {
|
||||
throw new Error("Unsupported architecture");
|
||||
}
|
||||
|
||||
return arch;
|
||||
}
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
export { type Installer, newCliInstaller } from "./installer";
|
||||
@@ -1,43 +0,0 @@
|
||||
import os from "os";
|
||||
|
||||
import { newCliInstaller } from "./installer";
|
||||
import { LinuxInstaller } from "./linux";
|
||||
import { MacOsInstaller } from "./macos";
|
||||
import { WindowsInstaller } from "./windows";
|
||||
|
||||
afterEach(() => {
|
||||
jest.restoreAllMocks();
|
||||
});
|
||||
|
||||
describe("newCliInstaller", () => {
|
||||
const version = "1.0.0";
|
||||
|
||||
afterEach(() => {
|
||||
jest.resetAllMocks();
|
||||
});
|
||||
|
||||
it("should return LinuxInstaller for linux platform", () => {
|
||||
jest.spyOn(os, "platform").mockReturnValue("linux");
|
||||
const installer = newCliInstaller(version);
|
||||
expect(installer).toBeInstanceOf(LinuxInstaller);
|
||||
});
|
||||
|
||||
it("should return MacOsInstaller for darwin platform", () => {
|
||||
jest.spyOn(os, "platform").mockReturnValue("darwin");
|
||||
const installer = newCliInstaller(version);
|
||||
expect(installer).toBeInstanceOf(MacOsInstaller);
|
||||
});
|
||||
|
||||
it("should return WindowsInstaller for win32 platform", () => {
|
||||
jest.spyOn(os, "platform").mockReturnValue("win32");
|
||||
const installer = newCliInstaller(version);
|
||||
expect(installer).toBeInstanceOf(WindowsInstaller);
|
||||
});
|
||||
|
||||
it("should throw error for unsupported platform", () => {
|
||||
jest.spyOn(os, "platform").mockReturnValue("sunos");
|
||||
expect(() => newCliInstaller(version)).toThrow(
|
||||
"Unsupported platform: sunos",
|
||||
);
|
||||
});
|
||||
});
|
||||
@@ -1,23 +0,0 @@
|
||||
import os from "os";
|
||||
|
||||
import { LinuxInstaller } from "./linux";
|
||||
import { MacOsInstaller } from "./macos";
|
||||
import { WindowsInstaller } from "./windows";
|
||||
|
||||
export interface Installer {
|
||||
installCli(): Promise<void>;
|
||||
}
|
||||
|
||||
export const newCliInstaller = (version: string): Installer => {
|
||||
const platform = os.platform();
|
||||
switch (platform) {
|
||||
case "linux":
|
||||
return new LinuxInstaller(version);
|
||||
case "darwin":
|
||||
return new MacOsInstaller(version);
|
||||
case "win32":
|
||||
return new WindowsInstaller(version);
|
||||
default:
|
||||
throw new Error(`Unsupported platform: ${platform}`);
|
||||
}
|
||||
};
|
||||
@@ -1,38 +0,0 @@
|
||||
import os from "os";
|
||||
|
||||
import {
|
||||
archMap,
|
||||
CliInstaller,
|
||||
cliUrlBuilder,
|
||||
type SupportedPlatform,
|
||||
} from "./cli-installer";
|
||||
import { LinuxInstaller } from "./linux";
|
||||
|
||||
afterEach(() => {
|
||||
jest.restoreAllMocks();
|
||||
});
|
||||
|
||||
describe("LinuxInstaller", () => {
|
||||
const version = "1.2.3";
|
||||
const arch: NodeJS.Architecture = "arm64";
|
||||
|
||||
it("should construct with given version and architecture", () => {
|
||||
jest.spyOn(os, "arch").mockReturnValue(arch);
|
||||
const installer = new LinuxInstaller(version);
|
||||
expect(installer.version).toEqual(version);
|
||||
expect(installer.arch).toEqual(archMap[arch]);
|
||||
});
|
||||
|
||||
it("should call install with correct URL", async () => {
|
||||
const installer = new LinuxInstaller(version);
|
||||
const installMock = jest
|
||||
.spyOn(CliInstaller.prototype, "install")
|
||||
.mockResolvedValue();
|
||||
|
||||
await installer.installCli();
|
||||
|
||||
const builder = cliUrlBuilder["linux" as SupportedPlatform];
|
||||
const url = builder(version, installer.arch);
|
||||
expect(installMock).toHaveBeenCalledWith(url);
|
||||
});
|
||||
});
|
||||
@@ -1,19 +0,0 @@
|
||||
import {
|
||||
CliInstaller,
|
||||
cliUrlBuilder,
|
||||
type SupportedPlatform,
|
||||
} from "./cli-installer";
|
||||
import type { Installer } from "./installer";
|
||||
|
||||
export class LinuxInstaller extends CliInstaller implements Installer {
|
||||
private readonly platform: SupportedPlatform = "linux"; // Node.js platform identifier for Linux
|
||||
|
||||
public constructor(version: string) {
|
||||
super(version);
|
||||
}
|
||||
|
||||
public async installCli(): Promise<void> {
|
||||
const urlBuilder = cliUrlBuilder[this.platform];
|
||||
await super.install(urlBuilder(this.version, this.arch));
|
||||
}
|
||||
}
|
||||
@@ -1,35 +0,0 @@
|
||||
import os from "os";
|
||||
|
||||
import {
|
||||
archMap,
|
||||
cliUrlBuilder,
|
||||
type SupportedPlatform,
|
||||
} from "./cli-installer";
|
||||
import { MacOsInstaller } from "./macos";
|
||||
|
||||
afterEach(() => {
|
||||
jest.restoreAllMocks();
|
||||
});
|
||||
|
||||
describe("MacOsInstaller", () => {
|
||||
const version = "1.2.3";
|
||||
const arch: NodeJS.Architecture = "x64";
|
||||
|
||||
it("should construct with given version and architecture", () => {
|
||||
jest.spyOn(os, "arch").mockReturnValue(arch);
|
||||
const installer = new MacOsInstaller(version);
|
||||
expect(installer.version).toEqual(version);
|
||||
expect(installer.arch).toEqual(archMap[arch]);
|
||||
});
|
||||
|
||||
it("should call install with correct URL", async () => {
|
||||
const installer = new MacOsInstaller(version);
|
||||
const installMock = jest.spyOn(installer, "install").mockResolvedValue();
|
||||
|
||||
await installer.installCli();
|
||||
|
||||
const builder = cliUrlBuilder["darwin" as SupportedPlatform];
|
||||
const url = builder(version, installer.arch);
|
||||
expect(installMock).toHaveBeenCalledWith(url);
|
||||
});
|
||||
});
|
||||
@@ -1,49 +0,0 @@
|
||||
import { execFile } from "child_process";
|
||||
import * as fs from "fs";
|
||||
import * as path from "path";
|
||||
import { promisify } from "util";
|
||||
|
||||
import * as core from "@actions/core";
|
||||
import * as tc from "@actions/tool-cache";
|
||||
|
||||
import {
|
||||
CliInstaller,
|
||||
cliUrlBuilder,
|
||||
type SupportedPlatform,
|
||||
} from "./cli-installer";
|
||||
import { type Installer } from "./installer";
|
||||
|
||||
const execFileAsync = promisify(execFile);
|
||||
|
||||
export class MacOsInstaller extends CliInstaller implements Installer {
|
||||
private readonly platform: SupportedPlatform = "darwin"; // Node.js platform identifier for macOS
|
||||
|
||||
public constructor(version: string) {
|
||||
super(version);
|
||||
}
|
||||
|
||||
public async installCli(): Promise<void> {
|
||||
const urlBuilder = cliUrlBuilder[this.platform];
|
||||
await this.install(urlBuilder(this.version));
|
||||
}
|
||||
|
||||
// @actions/tool-cache package does not support .pkg files, so we need to handle the installation manually
|
||||
public override async install(downloadUrl: string): Promise<void> {
|
||||
console.info(`Downloading 1Password CLI from: ${downloadUrl}`);
|
||||
const pkgPath = await tc.downloadTool(downloadUrl);
|
||||
const pkgWithExtension = `${pkgPath}.pkg`;
|
||||
fs.renameSync(pkgPath, pkgWithExtension);
|
||||
|
||||
const expandDir = "temp-pkg";
|
||||
await execFileAsync("pkgutil", ["--expand", pkgWithExtension, expandDir]);
|
||||
const payloadPath = path.join(expandDir, "op.pkg", "Payload");
|
||||
console.info("Installing 1Password CLI");
|
||||
const cliPath = await tc.extractTar(payloadPath);
|
||||
core.addPath(cliPath);
|
||||
|
||||
fs.rmSync(expandDir, { recursive: true, force: true });
|
||||
fs.rmSync(pkgPath, { force: true });
|
||||
|
||||
core.info("1Password CLI installed");
|
||||
}
|
||||
}
|
||||
@@ -1,38 +0,0 @@
|
||||
import os from "os";
|
||||
|
||||
import {
|
||||
archMap,
|
||||
CliInstaller,
|
||||
cliUrlBuilder,
|
||||
type SupportedPlatform,
|
||||
} from "./cli-installer";
|
||||
import { WindowsInstaller } from "./windows";
|
||||
|
||||
afterEach(() => {
|
||||
jest.restoreAllMocks();
|
||||
});
|
||||
|
||||
describe("WindowsInstaller", () => {
|
||||
const version = "1.2.3";
|
||||
const arch: NodeJS.Architecture = "x64";
|
||||
|
||||
it("should construct with given version and architecture", () => {
|
||||
jest.spyOn(os, "arch").mockReturnValue(arch);
|
||||
const installer = new WindowsInstaller(version);
|
||||
expect(installer.version).toEqual(version);
|
||||
expect(installer.arch).toEqual(archMap[arch]);
|
||||
});
|
||||
|
||||
it("should call install with correct URL", async () => {
|
||||
const installer = new WindowsInstaller(version);
|
||||
const installMock = jest
|
||||
.spyOn(CliInstaller.prototype, "install")
|
||||
.mockResolvedValue();
|
||||
|
||||
await installer.installCli();
|
||||
|
||||
const builder = cliUrlBuilder["win32" as SupportedPlatform];
|
||||
const url = builder(version, installer.arch);
|
||||
expect(installMock).toHaveBeenCalledWith(url);
|
||||
});
|
||||
});
|
||||
@@ -1,19 +0,0 @@
|
||||
import {
|
||||
CliInstaller,
|
||||
cliUrlBuilder,
|
||||
type SupportedPlatform,
|
||||
} from "./cli-installer";
|
||||
import type { Installer } from "./installer";
|
||||
|
||||
export class WindowsInstaller extends CliInstaller implements Installer {
|
||||
private readonly platform: SupportedPlatform = "win32"; // Node.js platform identifier for Windows
|
||||
|
||||
public constructor(version: string) {
|
||||
super(version);
|
||||
}
|
||||
|
||||
public async installCli(): Promise<void> {
|
||||
const urlBuilder = cliUrlBuilder[this.platform];
|
||||
await super.install(urlBuilder(this.version, this.arch));
|
||||
}
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
import * as core from "@actions/core";
|
||||
|
||||
import { ReleaseChannel, VersionResolver } from "../version";
|
||||
|
||||
import { newCliInstaller } from "./cli-installer";
|
||||
|
||||
// Installs the 1Password CLI on a GitHub Action runner.
|
||||
export const installCliOnGithubActionRunner = async (
|
||||
version?: string,
|
||||
): Promise<void> => {
|
||||
// Get the version from parameter, if not passed - from the job input. Defaults to latest if no version is provided
|
||||
const providedVersion =
|
||||
version || core.getInput("version") || ReleaseChannel.latest;
|
||||
const versionResolver = new VersionResolver(providedVersion);
|
||||
await versionResolver.resolve();
|
||||
const installer = newCliInstaller(versionResolver.get());
|
||||
await installer.installCli();
|
||||
};
|
||||
@@ -1,81 +0,0 @@
|
||||
import * as core from "@actions/core";
|
||||
|
||||
import { newCliInstaller } from "./github-action/cli-installer";
|
||||
import {
|
||||
installCliOnGithubActionRunner,
|
||||
ReleaseChannel,
|
||||
VersionResolver,
|
||||
} from "./index";
|
||||
|
||||
jest.mock("./github-action/cli-installer", () => ({
|
||||
newCliInstaller: jest.fn().mockImplementation((_resolved: string) => ({
|
||||
installCli: jest.fn(),
|
||||
})),
|
||||
}));
|
||||
|
||||
beforeEach(() => {
|
||||
jest.restoreAllMocks();
|
||||
});
|
||||
|
||||
describe("installCliOnGithubActionRunner", () => {
|
||||
it("should defaults to `latest` when nothing is passed", async () => {
|
||||
jest.spyOn(core, "getInput").mockReturnValue("");
|
||||
jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
|
||||
jest
|
||||
.spyOn(VersionResolver.prototype, "get")
|
||||
.mockReturnValue(ReleaseChannel.latest);
|
||||
|
||||
await installCliOnGithubActionRunner();
|
||||
|
||||
expect(newCliInstaller).toHaveBeenCalledWith(ReleaseChannel.latest);
|
||||
});
|
||||
|
||||
it("should defaults to `latest` when undefined is passed", async () => {
|
||||
jest.spyOn(core, "getInput").mockReturnValue("");
|
||||
jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
|
||||
jest
|
||||
.spyOn(VersionResolver.prototype, "get")
|
||||
.mockReturnValue(ReleaseChannel.latest);
|
||||
|
||||
await installCliOnGithubActionRunner(undefined);
|
||||
|
||||
expect(newCliInstaller).toHaveBeenCalledWith(ReleaseChannel.latest);
|
||||
});
|
||||
|
||||
it("should set provided explicit version", async () => {
|
||||
const providedVersion = "1.2.3";
|
||||
jest.spyOn(core, "getInput").mockReturnValue("");
|
||||
jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
|
||||
jest
|
||||
.spyOn(VersionResolver.prototype, "get")
|
||||
.mockReturnValue(providedVersion);
|
||||
|
||||
await installCliOnGithubActionRunner(providedVersion);
|
||||
|
||||
expect(newCliInstaller).toHaveBeenCalledWith(providedVersion);
|
||||
});
|
||||
|
||||
it("should set version provided as job input", async () => {
|
||||
const providedVersion = "3.0.0";
|
||||
jest.spyOn(core, "getInput").mockReturnValue(providedVersion);
|
||||
jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
|
||||
jest
|
||||
.spyOn(VersionResolver.prototype, "get")
|
||||
.mockReturnValue(providedVersion);
|
||||
|
||||
await installCliOnGithubActionRunner();
|
||||
|
||||
expect(newCliInstaller).toHaveBeenCalledWith(providedVersion);
|
||||
});
|
||||
|
||||
it("should throw error for invalid version", async () => {
|
||||
const providedVersion = "invalid";
|
||||
jest.spyOn(core, "getInput").mockReturnValue(providedVersion);
|
||||
jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
|
||||
jest
|
||||
.spyOn(VersionResolver.prototype, "get")
|
||||
.mockReturnValue(providedVersion);
|
||||
|
||||
await expect(installCliOnGithubActionRunner()).rejects.toThrow();
|
||||
});
|
||||
});
|
||||
@@ -1,2 +0,0 @@
|
||||
export { installCliOnGithubActionRunner } from "./github-action";
|
||||
export { ReleaseChannel, VersionResolver } from "./version";
|
||||
@@ -1,13 +0,0 @@
|
||||
export enum ReleaseChannel {
|
||||
latest = "latest",
|
||||
latestBeta = "latest-beta",
|
||||
}
|
||||
|
||||
export interface VersionResponse {
|
||||
// eslint disabled next line as CLI2 is expected in getting CLI versions response
|
||||
/* eslint-disable-next-line @typescript-eslint/naming-convention */
|
||||
CLI2: {
|
||||
release: { version: string };
|
||||
beta: { version: string };
|
||||
};
|
||||
}
|
||||
@@ -1,91 +0,0 @@
|
||||
import { ReleaseChannel } from "./constants";
|
||||
import { getLatestVersion } from "./helper";
|
||||
|
||||
describe("getLatestVersion", () => {
|
||||
beforeEach(() => {
|
||||
jest.restoreAllMocks();
|
||||
});
|
||||
|
||||
it("should return latest stable version", async () => {
|
||||
const mockResponse = {
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
CLI2: {
|
||||
release: { version: "2.31.0" },
|
||||
beta: { version: "2.32.0-beta.01" },
|
||||
},
|
||||
};
|
||||
|
||||
jest.spyOn(global, "fetch").mockResolvedValueOnce({
|
||||
// eslint-disable-next-line @typescript-eslint/require-await
|
||||
json: async () => mockResponse,
|
||||
} as Response);
|
||||
|
||||
const version = await getLatestVersion(ReleaseChannel.latest);
|
||||
expect(version).toBe("2.31.0");
|
||||
});
|
||||
|
||||
it("should return latest beta version", async () => {
|
||||
const mockResponse = {
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
CLI2: {
|
||||
release: { version: "2.31.0" },
|
||||
beta: { version: "2.32.0-beta.01" },
|
||||
},
|
||||
};
|
||||
|
||||
jest.spyOn(global, "fetch").mockResolvedValueOnce({
|
||||
// eslint-disable-next-line @typescript-eslint/require-await
|
||||
json: async () => mockResponse,
|
||||
} as Response);
|
||||
|
||||
const version = await getLatestVersion(ReleaseChannel.latestBeta);
|
||||
expect(version).toBe("2.32.0-beta.01");
|
||||
});
|
||||
|
||||
it("should throw if no CLI2 field", async () => {
|
||||
jest.spyOn(global, "fetch").mockResolvedValueOnce({
|
||||
// eslint-disable-next-line @typescript-eslint/require-await
|
||||
json: async () => ({}),
|
||||
} as Response);
|
||||
|
||||
await expect(getLatestVersion(ReleaseChannel.latest)).rejects.toThrow(
|
||||
`No ${ReleaseChannel.latest} versions found`,
|
||||
);
|
||||
});
|
||||
|
||||
it("should throw if no stable version found", async () => {
|
||||
const mockResponse = {
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
CLI2: {
|
||||
beta: { version: "2.32.0-beta.01" },
|
||||
},
|
||||
};
|
||||
|
||||
jest.spyOn(global, "fetch").mockResolvedValueOnce({
|
||||
// eslint-disable-next-line @typescript-eslint/require-await
|
||||
json: async () => mockResponse,
|
||||
} as Response);
|
||||
|
||||
await expect(getLatestVersion(ReleaseChannel.latest)).rejects.toThrow(
|
||||
`No ${ReleaseChannel.latest} versions found`,
|
||||
);
|
||||
});
|
||||
|
||||
it("should throw if no beta version found", async () => {
|
||||
const mockResponse = {
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
CLI2: {
|
||||
release: { version: "2.32.0" },
|
||||
},
|
||||
};
|
||||
|
||||
jest.spyOn(global, "fetch").mockResolvedValueOnce({
|
||||
// eslint-disable-next-line @typescript-eslint/require-await
|
||||
json: async () => mockResponse,
|
||||
} as Response);
|
||||
|
||||
await expect(getLatestVersion(ReleaseChannel.latestBeta)).rejects.toThrow(
|
||||
`No ${ReleaseChannel.latestBeta} versions found`,
|
||||
);
|
||||
});
|
||||
});
|
||||
@@ -1,23 +0,0 @@
|
||||
import * as core from "@actions/core";
|
||||
|
||||
import { ReleaseChannel, type VersionResponse } from "./constants";
|
||||
|
||||
// Returns the latest version of the 1Password CLI based on the specified channel.
|
||||
export const getLatestVersion = async (
|
||||
channel: ReleaseChannel,
|
||||
): Promise<string> => {
|
||||
core.info(`Getting ${channel} version number`);
|
||||
const res = await fetch("https://app-updates.agilebits.com/latest");
|
||||
const json = (await res.json()) as VersionResponse;
|
||||
const latestStable = json?.CLI2?.release?.version;
|
||||
const latestBeta = json?.CLI2?.beta?.version;
|
||||
const version =
|
||||
channel === ReleaseChannel.latestBeta ? latestBeta : latestStable;
|
||||
|
||||
if (!version) {
|
||||
core.error(`No ${channel} versions found`);
|
||||
throw new Error(`No ${channel} versions found`);
|
||||
}
|
||||
|
||||
return version;
|
||||
};
|
||||
@@ -1,2 +0,0 @@
|
||||
export { VersionResolver } from "./version-resolver";
|
||||
export { ReleaseChannel } from "./constants";
|
||||
@@ -1,45 +0,0 @@
|
||||
import { describe, expect, it } from "@jest/globals";
|
||||
|
||||
import { validateVersion } from "./validate";
|
||||
|
||||
describe("validateVersion", () => {
|
||||
it('should not throw for "latest"', () => {
|
||||
expect(() => validateVersion("latest")).not.toThrow();
|
||||
});
|
||||
|
||||
it('should not throw for "latest-beta"', () => {
|
||||
expect(() => validateVersion("latest-beta")).not.toThrow();
|
||||
});
|
||||
|
||||
it('should not throw for valid semver version "2.18.0"', () => {
|
||||
expect(() => validateVersion("2.18.0")).not.toThrow();
|
||||
});
|
||||
|
||||
it('should throw for partial version "2"', () => {
|
||||
expect(() => validateVersion("2")).toThrow();
|
||||
});
|
||||
|
||||
it('should throw for partial version "2.1"', () => {
|
||||
expect(() => validateVersion("2.1")).toThrow();
|
||||
});
|
||||
|
||||
it('should not throw for valid beta "2.19.0-beta.01"', () => {
|
||||
expect(() => validateVersion("2.19.0-beta.01")).not.toThrow();
|
||||
});
|
||||
|
||||
it('should not throw for valid beta "2.19.3-beta.12"', () => {
|
||||
expect(() => validateVersion("2.19.3-beta.12")).not.toThrow();
|
||||
});
|
||||
|
||||
it('should not throw for coerced version "v2.19.0"', () => {
|
||||
expect(() => validateVersion("v2.19.0")).not.toThrow();
|
||||
});
|
||||
|
||||
it('should throw for invalid version "latest-abc"', () => {
|
||||
expect(() => validateVersion("latest-abc")).toThrow();
|
||||
});
|
||||
|
||||
it("should throw for empty string", () => {
|
||||
expect(() => validateVersion("")).toThrow();
|
||||
});
|
||||
});
|
||||
@@ -1,23 +0,0 @@
|
||||
import semver from "semver";
|
||||
|
||||
import { ReleaseChannel } from "./constants";
|
||||
|
||||
// Validates if the provided version type is a valid enum value or a valid semver version.
|
||||
export const validateVersion = (input: string): void => {
|
||||
if (Object.values(ReleaseChannel).includes(input as ReleaseChannel)) {
|
||||
return;
|
||||
}
|
||||
|
||||
// 1Password beta releases (aka 2.19.0-beta.01) are not semver compliant.
|
||||
// According to semver, it should be "2.19.0-beta.1".
|
||||
// That's why we need to normalize them before validating.
|
||||
// Accepts valid semver versions like "2.18.0" or beta-releases like "2.19.0-beta.01"
|
||||
// or versions with 'v' prefix like "v2.19.0"
|
||||
const normalized = input.replace(/-beta\.0*(\d+)/, "-beta.$1");
|
||||
const normInput = new semver.SemVer(normalized);
|
||||
if (semver.valid(normInput)) {
|
||||
return;
|
||||
}
|
||||
|
||||
throw new Error(`Invalid version input: ${input}`);
|
||||
};
|
||||
@@ -1,58 +0,0 @@
|
||||
import { expect } from "@jest/globals";
|
||||
|
||||
import { ReleaseChannel } from "./constants";
|
||||
import { VersionResolver } from "./version-resolver";
|
||||
|
||||
describe("VersionResolver", () => {
|
||||
test("should throw error when invalid version provided", () => {
|
||||
expect(() => new VersionResolver("vv")).toThrow();
|
||||
});
|
||||
|
||||
test("should throw error when version is empty", () => {
|
||||
expect(() => new VersionResolver("")).toThrow();
|
||||
});
|
||||
|
||||
test("should throw error for major version only", () => {
|
||||
expect(() => new VersionResolver("1")).toThrow();
|
||||
});
|
||||
|
||||
test("should throw error for major and minor version only", () => {
|
||||
expect(() => new VersionResolver("1.0")).toThrow();
|
||||
});
|
||||
|
||||
test("should resolve latest stable version", async () => {
|
||||
const versionResolver = new VersionResolver(ReleaseChannel.latest);
|
||||
await versionResolver.resolve();
|
||||
expect(versionResolver.get()).toBeDefined();
|
||||
});
|
||||
|
||||
test("should resolve latest beta version", async () => {
|
||||
const versionResolver = new VersionResolver(ReleaseChannel.latestBeta);
|
||||
await versionResolver.resolve();
|
||||
expect(versionResolver.get()).toBeDefined();
|
||||
});
|
||||
|
||||
test("should resolve version without 'v' prefix", async () => {
|
||||
const versionResolver = new VersionResolver("1.0.0");
|
||||
await versionResolver.resolve();
|
||||
expect(versionResolver.get()).toBe("v1.0.0");
|
||||
});
|
||||
|
||||
test("should resolve version with 'v' prefix", async () => {
|
||||
const versionResolver = new VersionResolver("v1.0.0");
|
||||
await versionResolver.resolve();
|
||||
expect(versionResolver.get()).toBe("v1.0.0");
|
||||
});
|
||||
|
||||
test("should resolve beta version without 'v' prefix", async () => {
|
||||
const versionResolver = new VersionResolver("2.19.0-beta.01");
|
||||
await versionResolver.resolve();
|
||||
expect(versionResolver.get()).toBe("v2.19.0-beta.01");
|
||||
});
|
||||
|
||||
test("should resolve beta version with 'v' prefix", async () => {
|
||||
const versionResolver = new VersionResolver("v2.19.0-beta.01");
|
||||
await versionResolver.resolve();
|
||||
expect(versionResolver.get()).toBe("v2.19.0-beta.01");
|
||||
});
|
||||
});
|
||||
@@ -1,45 +0,0 @@
|
||||
import * as core from "@actions/core";
|
||||
|
||||
import { ReleaseChannel } from "./constants";
|
||||
import { getLatestVersion } from "./helper";
|
||||
import { validateVersion } from "./validate";
|
||||
|
||||
export class VersionResolver {
|
||||
private version: string;
|
||||
|
||||
public constructor(version: string) {
|
||||
this.validate(version);
|
||||
this.version = version;
|
||||
}
|
||||
|
||||
public get(): string {
|
||||
return this.version;
|
||||
}
|
||||
|
||||
public async resolve(): Promise<void> {
|
||||
core.info(`Resolving version: ${this.version}`);
|
||||
if (!this.version) {
|
||||
core.error("Version is not provided");
|
||||
throw new Error("Version is not provided");
|
||||
}
|
||||
|
||||
if (this.isReleaseChannel(this.version)) {
|
||||
this.version = await getLatestVersion(this.version);
|
||||
}
|
||||
|
||||
// add `v` prefix if not already present
|
||||
this.version = this.version.startsWith("v")
|
||||
? this.version
|
||||
: `v${this.version}`;
|
||||
}
|
||||
|
||||
private validate(version: string) {
|
||||
core.info(`Validating version number: '${version}'`);
|
||||
validateVersion(version);
|
||||
core.info(`Version number '${version}' is valid`);
|
||||
}
|
||||
|
||||
private isReleaseChannel(value: string): value is ReleaseChannel {
|
||||
return Object.values(ReleaseChannel).includes(value as ReleaseChannel);
|
||||
}
|
||||
}
|
||||
@@ -1,10 +1,8 @@
|
||||
import * as core from "@actions/core";
|
||||
import * as exec from "@actions/exec";
|
||||
import { read } from "@1password/op-js";
|
||||
import { createClient, Secrets } from "@1password/sdk";
|
||||
import { OnePasswordConnect, FullItem } from "@1password/connect";
|
||||
import {
|
||||
extractSecret,
|
||||
loadSecrets,
|
||||
unsetPrevious,
|
||||
validateAuth,
|
||||
@@ -27,7 +25,6 @@ jest.mock("@actions/exec", () => ({
|
||||
stdout: "MOCK_SECRET",
|
||||
})),
|
||||
}));
|
||||
jest.mock("@1password/op-js");
|
||||
jest.mock("@1password/sdk", () => ({
|
||||
createClient: jest.fn(),
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
@@ -86,77 +83,6 @@ describe("validateAuth", () => {
|
||||
});
|
||||
});
|
||||
|
||||
describe("extractSecret", () => {
|
||||
const envTestSecretEnv = "TEST_SECRET";
|
||||
const testSecretRef = "op://vault/item/secret";
|
||||
const testSecretValue = "Secret1@3$";
|
||||
|
||||
read.parse = jest.fn().mockReturnValue(testSecretValue);
|
||||
|
||||
process.env[envTestSecretEnv] = testSecretRef;
|
||||
|
||||
it("should set secret as step output", () => {
|
||||
extractSecret(envTestSecretEnv, false);
|
||||
expect(core.exportVariable).not.toHaveBeenCalledWith(
|
||||
envTestSecretEnv,
|
||||
testSecretValue,
|
||||
);
|
||||
expect(core.setOutput).toHaveBeenCalledWith(
|
||||
envTestSecretEnv,
|
||||
testSecretValue,
|
||||
);
|
||||
expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
|
||||
});
|
||||
|
||||
it("should set secret as environment variable", () => {
|
||||
extractSecret(envTestSecretEnv, true);
|
||||
expect(core.exportVariable).toHaveBeenCalledWith(
|
||||
envTestSecretEnv,
|
||||
testSecretValue,
|
||||
);
|
||||
expect(core.setOutput).not.toHaveBeenCalledWith(
|
||||
envTestSecretEnv,
|
||||
testSecretValue,
|
||||
);
|
||||
expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
|
||||
});
|
||||
|
||||
describe("when secret value is empty string", () => {
|
||||
const emptySecretValue = "";
|
||||
|
||||
beforeEach(() => {
|
||||
(read.parse as jest.Mock).mockReturnValue(emptySecretValue);
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
(read.parse as jest.Mock).mockReturnValue(testSecretValue);
|
||||
});
|
||||
|
||||
it("should set empty string as step output", () => {
|
||||
extractSecret(envTestSecretEnv, false);
|
||||
expect(core.setOutput).toHaveBeenCalledWith(
|
||||
envTestSecretEnv,
|
||||
emptySecretValue,
|
||||
);
|
||||
expect(core.exportVariable).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it("should set empty string as environment variable", () => {
|
||||
extractSecret(envTestSecretEnv, true);
|
||||
expect(core.exportVariable).toHaveBeenCalledWith(
|
||||
envTestSecretEnv,
|
||||
emptySecretValue,
|
||||
);
|
||||
expect(core.setOutput).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it("should not call setSecret for empty string", () => {
|
||||
extractSecret(envTestSecretEnv, false);
|
||||
expect(core.setSecret).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe("loadSecrets when using Connect", () => {
|
||||
beforeEach(() => {
|
||||
process.env[envConnectHost] = "https://connect.example";
|
||||
@@ -413,11 +339,6 @@ describe("loadSecrets when using Service Account", () => {
|
||||
mockResolve.mockResolvedValue("resolved-secret-value");
|
||||
});
|
||||
|
||||
it("does not call op env ls when using Service Account", async () => {
|
||||
await loadSecrets(false);
|
||||
expect(exec.getExecOutput).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it("sets step output with resolved value when export-env is false", async () => {
|
||||
await loadSecrets(false);
|
||||
expect(core.setOutput).toHaveBeenCalledTimes(1);
|
||||
@@ -549,7 +470,7 @@ describe("loadSecrets when using Service Account", () => {
|
||||
|
||||
describe("secret reference validation", () => {
|
||||
it("fails with clear message when a secret reference is invalid", async () => {
|
||||
process.env.MY_SECRET = "op://x";
|
||||
process.env.MY_SECRET = "op://invalid/ref/form";
|
||||
(Secrets.validateSecretReference as jest.Mock).mockImplementationOnce(
|
||||
() => {
|
||||
throw new Error("invalid reference format");
|
||||
@@ -572,6 +493,7 @@ describe("loadSecrets when using Service Account", () => {
|
||||
}
|
||||
},
|
||||
);
|
||||
mockResolve.mockResolvedValue("value1");
|
||||
|
||||
await expect(loadSecrets(false)).rejects.toThrow(
|
||||
"Invalid secret reference(s): OTHER",
|
||||
@@ -835,21 +757,21 @@ describe("findMatchingFieldAndFile", () => {
|
||||
describe("findSectionIdsByQuery", () => {
|
||||
it("throws when sections is empty", () => {
|
||||
expect(() => findSectionIdsByQuery([], "section-1")).toThrow(
|
||||
/Item has no sections; cannot resolve section "section-1"/,
|
||||
/section section-1 could not be found/,
|
||||
);
|
||||
});
|
||||
|
||||
it("throws when sections is null/undefined", () => {
|
||||
expect(() =>
|
||||
findSectionIdsByQuery(undefined as unknown as FullItem["sections"], "x"),
|
||||
).toThrow(/Item has no sections; cannot resolve section "x"/);
|
||||
).toThrow(/could not be found/);
|
||||
});
|
||||
|
||||
it("throws when section query matches no section", () => {
|
||||
const sections = [{ id: "sec-1", label: "Other" }];
|
||||
expect(() =>
|
||||
findSectionIdsByQuery(sections as FullItem["sections"], "nonexistent"),
|
||||
).toThrow(/No section matching "nonexistent" found in specified item/);
|
||||
it("returns section id when section matches by id", () => {
|
||||
const sections = [{ id: "sec-1", label: "Section 1" }];
|
||||
expect(
|
||||
findSectionIdsByQuery(sections as FullItem["sections"], "sec-1"),
|
||||
).toEqual(["sec-1"]);
|
||||
});
|
||||
|
||||
it("returns section id when section matches by label", () => {
|
||||
@@ -863,7 +785,7 @@ describe("findSectionIdsByQuery", () => {
|
||||
const sections = [{ id: "sec-1", label: "Other" }];
|
||||
expect(() =>
|
||||
findSectionIdsByQuery(sections as FullItem["sections"], "nonexistent"),
|
||||
).toThrow(/No section matching "nonexistent" found in specified item/);
|
||||
).toThrow(/could not be found/);
|
||||
});
|
||||
|
||||
it("returns multiple ids when multiple sections match", () => {
|
||||
|
||||
155
src/utils.ts
155
src/utils.ts
@@ -1,6 +1,4 @@
|
||||
import * as core from "@actions/core";
|
||||
import sshpk from "sshpk";
|
||||
import { read } from "@1password/op-js";
|
||||
import { createClient, Secrets } from "@1password/sdk";
|
||||
import { OnePasswordConnect, FullItem, OPConnect } from "@1password/connect";
|
||||
import { version } from "../package.json";
|
||||
@@ -18,8 +16,6 @@ interface ParsedOpRef {
|
||||
item: string;
|
||||
section: string | undefined;
|
||||
field: string;
|
||||
|
||||
queryParams: string | undefined;
|
||||
}
|
||||
|
||||
export const parseOpRef = (ref: string): ParsedOpRef => {
|
||||
@@ -50,14 +46,11 @@ export const parseOpRef = (ref: string): ParsedOpRef => {
|
||||
throw new Error(`Invalid op reference: item is required`);
|
||||
}
|
||||
|
||||
// Last segment is the field; it may include a query string (e.g. "private key?ssh-format=openssh")
|
||||
const lastSegment = segments[segments.length - 1] ?? "";
|
||||
const [fieldPart, queryPart] = lastSegment.split("?");
|
||||
const field = fieldPart ?? "";
|
||||
// Last segment is always the field
|
||||
const field = segments[segments.length - 1] ?? "";
|
||||
if (!field) {
|
||||
throw new Error(`Invalid op reference: field is required`);
|
||||
}
|
||||
const queryParams = queryPart ?? undefined;
|
||||
|
||||
// Second to last segment is the section if it exists
|
||||
let section: string | undefined;
|
||||
@@ -75,7 +68,6 @@ export const parseOpRef = (ref: string): ParsedOpRef => {
|
||||
item,
|
||||
field,
|
||||
section,
|
||||
queryParams,
|
||||
};
|
||||
};
|
||||
// #endregion
|
||||
@@ -99,8 +91,30 @@ const getSecretFromConnectItem = async (
|
||||
return fieldValue;
|
||||
}
|
||||
|
||||
// If a file was found, get the content of the file (with retry on 503)
|
||||
if (fileId) {
|
||||
return getFileContentWithRetry(client, parsed.vault, parsed.item, fileId);
|
||||
const maxAttempts = 3;
|
||||
const retryDelayMs = 2000;
|
||||
for (let attempt = 1; attempt <= maxAttempts; attempt++) {
|
||||
try {
|
||||
const content = await client.getFileContent(
|
||||
parsed.vault,
|
||||
parsed.item,
|
||||
fileId,
|
||||
);
|
||||
return content;
|
||||
} catch (err) {
|
||||
const is503 =
|
||||
err &&
|
||||
typeof err === "object" &&
|
||||
(err as Record<string, unknown>).statusCode === 503;
|
||||
if (is503 && attempt < maxAttempts) {
|
||||
await new Promise((resolve) => setTimeout(resolve, retryDelayMs));
|
||||
continue;
|
||||
}
|
||||
throw err;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (parsed.section) {
|
||||
@@ -114,33 +128,6 @@ const getSecretFromConnectItem = async (
|
||||
);
|
||||
};
|
||||
|
||||
const getFileContentWithRetry = async (
|
||||
client: OPConnect,
|
||||
vaultId: string,
|
||||
itemId: string,
|
||||
fileId: string,
|
||||
): Promise<string> => {
|
||||
const maxAttempts = 3;
|
||||
const retryDelayMs = 2000;
|
||||
for (let attempt = 1; attempt <= maxAttempts; attempt++) {
|
||||
try {
|
||||
return await client.getFileContent(vaultId, itemId, fileId);
|
||||
} catch (err) {
|
||||
// Retry on 503 errors as this can happen on multiple secret fetches
|
||||
const is503 =
|
||||
err !== null &&
|
||||
typeof err === "object" &&
|
||||
(err as Record<string, unknown>).statusCode === 503;
|
||||
if (is503 && attempt < maxAttempts) {
|
||||
await new Promise((r) => setTimeout(r, retryDelayMs));
|
||||
continue;
|
||||
}
|
||||
throw err;
|
||||
}
|
||||
}
|
||||
return "";
|
||||
};
|
||||
|
||||
export const findSectionIdsByQuery = (
|
||||
sections: FullItem["sections"],
|
||||
sectionQuery: string | undefined,
|
||||
@@ -148,7 +135,7 @@ export const findSectionIdsByQuery = (
|
||||
// If no sections were returned with the item throw an error
|
||||
if (!sections || sections.length === 0) {
|
||||
throw new Error(
|
||||
`Item has no sections; cannot resolve section "${sectionQuery}"`,
|
||||
`section ${sectionQuery} could not be found in specified item`,
|
||||
);
|
||||
}
|
||||
|
||||
@@ -159,7 +146,7 @@ export const findSectionIdsByQuery = (
|
||||
// If no sections were found with the given query throw an error
|
||||
if (ids.length === 0) {
|
||||
throw new Error(
|
||||
`No section matching "${sectionQuery}" found in specified item`,
|
||||
`section ${sectionQuery} could not be found in specified item`,
|
||||
);
|
||||
}
|
||||
|
||||
@@ -263,32 +250,6 @@ const findSingleMatch = <T>(matches: T[]): T | undefined => {
|
||||
}
|
||||
return matches[0];
|
||||
};
|
||||
|
||||
const createConnectClient = (host: string, token: string): OPConnect => {
|
||||
try {
|
||||
return OnePasswordConnect({
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
serverURL: host,
|
||||
token,
|
||||
});
|
||||
} catch (err) {
|
||||
const message = err instanceof Error ? err.message : String(err);
|
||||
throw new Error(`Connect authentication failed: ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
const toOpenSSH = (value: string, _queryParams: string | undefined): string => {
|
||||
try {
|
||||
const key = sshpk.parsePrivateKey(value, "auto");
|
||||
return key.toString("openssh");
|
||||
} catch {
|
||||
core.warning(
|
||||
`Failed to parse private key to OpenSSH, returning original value`,
|
||||
);
|
||||
return value;
|
||||
}
|
||||
};
|
||||
// #endregion
|
||||
|
||||
// #region Shared helpers and auth
|
||||
@@ -300,7 +261,7 @@ export const getEnvVarNamesWithSecretRefs = (): string[] =>
|
||||
);
|
||||
|
||||
const validateSecretRefs = (envNames: string[]): void => {
|
||||
const invalid: { name: string; message: string }[] = [];
|
||||
const invalid: string[] = [];
|
||||
|
||||
for (const envName of envNames) {
|
||||
const ref = process.env[envName];
|
||||
@@ -310,18 +271,15 @@ const validateSecretRefs = (envNames: string[]): void => {
|
||||
|
||||
try {
|
||||
Secrets.validateSecretReference(ref);
|
||||
} catch (err) {
|
||||
const message = err instanceof Error ? err.message : String(err);
|
||||
invalid.push({ name: envName, message });
|
||||
} catch {
|
||||
invalid.push(envName);
|
||||
}
|
||||
}
|
||||
|
||||
// Throw an error if any secret references are invalid
|
||||
if (invalid.length > 0) {
|
||||
const details = invalid
|
||||
.map(({ name, message }) => `${name}: ${message}`)
|
||||
.join("; ");
|
||||
throw new Error(`Invalid secret reference(s): ${details}`);
|
||||
const names = invalid.join(", ");
|
||||
throw new Error(`Invalid secret reference(s): ${names}`);
|
||||
}
|
||||
};
|
||||
|
||||
@@ -361,23 +319,6 @@ export const validateAuth = (): void => {
|
||||
core.info(`Authenticated with ${authType}.`);
|
||||
};
|
||||
|
||||
export const extractSecret = (
|
||||
envName: string,
|
||||
shouldExportEnv: boolean,
|
||||
): void => {
|
||||
const ref = process.env[envName];
|
||||
if (!ref) {
|
||||
return;
|
||||
}
|
||||
|
||||
const secretValue = read.parse(ref);
|
||||
if (secretValue === null || secretValue === undefined) {
|
||||
return;
|
||||
}
|
||||
|
||||
setResolvedSecret(envName, secretValue, shouldExportEnv);
|
||||
};
|
||||
|
||||
export const unsetPrevious = (): void => {
|
||||
if (process.env[envManagedVariables]) {
|
||||
core.info("Unsetting previous values ...");
|
||||
@@ -393,10 +334,10 @@ const fetchVaultId = async (
|
||||
client: OPConnect,
|
||||
vaultQuery: string,
|
||||
ref: string,
|
||||
vaultIdCache: Map<string, string>,
|
||||
cache: Map<string, string>,
|
||||
): Promise<string> => {
|
||||
// Check if the vault ID is already cached to avoid unnecessary API calls
|
||||
const cached = vaultIdCache.get(vaultQuery);
|
||||
// Check if the vault ID is already cached
|
||||
const cached = cache.get(vaultQuery);
|
||||
if (cached !== undefined) {
|
||||
return cached;
|
||||
}
|
||||
@@ -408,7 +349,7 @@ const fetchVaultId = async (
|
||||
);
|
||||
}
|
||||
|
||||
vaultIdCache.set(vaultQuery, vault.id);
|
||||
cache.set(vaultQuery, vault.id);
|
||||
return vault.id;
|
||||
};
|
||||
// #endregion
|
||||
@@ -431,8 +372,20 @@ const loadSecretsViaConnect = async (
|
||||
throw new Error(authErr);
|
||||
}
|
||||
|
||||
const client = createConnectClient(host, token);
|
||||
const vaultIdCache = new Map<string, string>();
|
||||
// Authenticate with the Connect SDK
|
||||
let client;
|
||||
try {
|
||||
client = OnePasswordConnect({
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
serverURL: host,
|
||||
token,
|
||||
});
|
||||
} catch (err) {
|
||||
const message = err instanceof Error ? err.message : String(err);
|
||||
throw new Error(`Connect authentication failed: ${message}`);
|
||||
}
|
||||
|
||||
const vaultIdByQuery = new Map<string, string>();
|
||||
|
||||
for (const envName of envs) {
|
||||
const ref = process.env[envName];
|
||||
@@ -448,17 +401,13 @@ const loadSecretsViaConnect = async (
|
||||
client,
|
||||
parsed.vault,
|
||||
ref,
|
||||
vaultIdCache,
|
||||
vaultIdByQuery,
|
||||
);
|
||||
const item = await client.getItem(vaultId, parsed.item);
|
||||
|
||||
// Get the secret value from the item as Connect returns a full item object
|
||||
const secretValue = await getSecretFromConnectItem(client, item, parsed);
|
||||
let valueToSet = secretValue;
|
||||
if (parsed.queryParams?.includes("ssh-format=openssh")) {
|
||||
valueToSet = toOpenSSH(secretValue, parsed.queryParams);
|
||||
}
|
||||
setResolvedSecret(envName, valueToSet, shouldExportEnv);
|
||||
setResolvedSecret(envName, secretValue, shouldExportEnv);
|
||||
} catch (err) {
|
||||
const msg = err instanceof Error ? err.message : String(err);
|
||||
throw new Error(`Failed to load ref "${ref}": ${msg}`);
|
||||
|
||||
@@ -21,6 +21,3 @@ assert_env_unset "FILE_MULTILINE_SECRET"
|
||||
assert_env_unset "SECRET_WITH_FILE"
|
||||
assert_env_unset "SECRET_WITH_FILE_IN_SECTION"
|
||||
assert_env_unset "DOUBLE_SECTION_SECRET"
|
||||
|
||||
assert_env_unset "SSH_PRIVATE_KEY"
|
||||
assert_env_unset "SSH_PRIVATE_KEY_OPENSSH"
|
||||
|
||||
@@ -1,34 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
# SSH_PRIVATE_KEY: any private key format
|
||||
v="$(printenv SSH_PRIVATE_KEY)"
|
||||
if [ -z "$v" ]; then
|
||||
echo "SSH_PRIVATE_KEY is not set"
|
||||
exit 1
|
||||
fi
|
||||
if ! echo "$v" | head -1 | grep -qE -- '^-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'; then
|
||||
echo "SSH_PRIVATE_KEY does not start with a private key header"
|
||||
exit 1
|
||||
fi
|
||||
if ! echo "$v" | tail -1 | grep -qE -- '-----END (RSA |EC |OPENSSH )?PRIVATE KEY-----$'; then
|
||||
echo "SSH_PRIVATE_KEY does not end with a private key footer"
|
||||
exit 1
|
||||
fi
|
||||
echo "SSH_PRIVATE_KEY has valid key format"
|
||||
|
||||
# SSH_PRIVATE_KEY_OPENSSH: OpenSSH format only
|
||||
v="$(printenv SSH_PRIVATE_KEY_OPENSSH)"
|
||||
if [ -z "$v" ]; then
|
||||
echo "SSH_PRIVATE_KEY_OPENSSH is not set"
|
||||
exit 1
|
||||
fi
|
||||
if ! echo "$v" | head -1 | grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----'; then
|
||||
echo "SSH_PRIVATE_KEY_OPENSSH is not in OpenSSH format"
|
||||
exit 1
|
||||
fi
|
||||
if ! echo "$v" | tail -1 | grep -q -- '-----END OPENSSH PRIVATE KEY-----$'; then
|
||||
echo "SSH_PRIVATE_KEY_OPENSSH does not end with OpenSSH private key footer"
|
||||
exit 1
|
||||
fi
|
||||
echo "SSH_PRIVATE_KEY_OPENSSH has valid OpenSSH key format"
|
||||
Reference in New Issue
Block a user