Release 1.3.2

Fix dependabot vulnerability

.github/workflows/lint.yml

@@ -5,6 +5,9 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
-      - name: ShellCheck
+      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@1.1.0
+        uses: ludeeus/action-shellcheck@2.0.0
+        with:
+          ignore_paths: >-
+            .husky

.github/workflows/test.yml

@@ -2,24 +2,40 @@ on: push
 name: Run acceptance tests
 
 jobs:
-  use-connect-without-export-env:
+  test-with-output-secrets:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        auth: [connect, service-account]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
           docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
         uses: ./configure # 1password/load-secrets-action/configure@<version>
         with:
-          connect-host: http://localhost:8080
+          connect-host: localhost:8080
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       - name: Load secrets
         id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          export-env: false
         env:
           SECRET: op://acceptance-tests/test-secret/password
           SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
@@ -30,17 +46,31 @@ jobs:
           SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
           MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
         run: ./tests/assert-env-set.sh
-  use-connect-with-export-env:
+  test-with-export-env:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        auth: [connect, service-account]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
           docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
         uses: ./configure # 1password/load-secrets-action/configure@<version>
         with:
           connect-host: http://localhost:8080
@@ -48,8 +78,6 @@ jobs:
       - name: Load secrets
         id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
-        with:
-          export-env: true
         env:
           SECRET: op://acceptance-tests/test-secret/password
           SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
@@ -62,77 +90,41 @@ jobs:
           unset-previous: true
       - name: Assert removed secrets
         run: ./tests/assert-env-unset.sh
-  use-connect-with-references-with-id:
+  test-references-with-ids:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        auth: [connect, service-account]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
           docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
         uses: ./configure # 1password/load-secrets-action/configure@<version>
         with:
           connect-host: http://localhost:8080
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
-          SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
-          MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh
-  use-service-account-without-export-env:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh
-  use-service-account-with-export-env:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
       - name: Load secrets
         id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
         with:
-          export-env: true
+          export-env: false
         env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        run: ./tests/assert-env-set.sh
-  use-service-account-with-references-with-id:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
           SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
           MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
@@ -142,21 +134,3 @@ jobs:
           SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
           MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
         run: ./tests/assert-env-set.sh
-  run-on-macos-12:
-    runs-on: macos-12
-    steps:
-      - uses: actions/checkout@v2
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh

.gitignore

@@ -1 +1,2 @@
+coverage/
 node_modules/

README.md

@@ -1,23 +1,27 @@
-# Load Secrets from 1Password - GitHub Action
+<!-- Image sourced from https://blog.1password.com/1password-service-accounts/ -->
+<img alt="" role="img" src="https://blog.1password.com/posts/2023/1password-service-accounts/header.png"/>
 
-This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://1password.com/secrets/).
+<div align="center">
+  <h1>Load Secrets from 1Password - GitHub Action</h1>
+  <p>Provide the secrets your GitHub runner needs from 1Password.</p>
+  <a href="https://developer.1password.com/docs/ci-cd/github-actions">
+    <img alt="Get started" src="https://user-images.githubusercontent.com/45081667/226940040-16d3684b-60f4-4d95-adb2-5757a8f1bc15.png" height="37"/>
+  </a>
+</div>
 
-Specify right from your workflow YAML which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
+---
 
-## Usage
+`load-secrets-action` loads secrets from 1Password into GitHub Actions using [Service Accounts](https://developer.1password.com/docs/service-accounts) or [1Password Connect](https://developer.1password.com/docs/connect).
 
-You can configure the action to use either 1Password Connect instance.
+Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
 
-If you provide `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables, the Connect instance will be used to load secrets. Make sure [1Password Connect](https://support.1password.com/secrets-automation/#step-2-deploy-a-1password-connect-server) is deployed in your infrastructure.
+Read more on the [1Password Developer Portal](https://developer.1password.com/docs/ci-cd/github-actions).
 
-There are two ways that secrets can be loaded:
+## 🪄 See it in action!
 
-- [use the secrets from the action's ouput](#use-secrets-from-the-actions-output)
+[![Using 1Password Service Accounts with GitHub Actions - showcase](https://img.youtube.com/vi/kVBl5iQYgSA/maxresdefault.jpg)](https://www.youtube.com/watch?v=kVBl5iQYgSA "Using 1Password Service Accounts with GitHub Actions")
-- [export secrets as environment variables](#export-secrets-as-environment-variables)
 
-### Use secrets from the action's output
+## ✨ Quickstart
-
-This method allows for you to use the loaded secrets as an output from the step: `steps.step-id.outputs.secret-name`. You will need to set an id for the step that uses this action to be able to access its outputs. For more details, , see [`outputs.<output_id>`](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputsoutput_id).
 
 ```yml
 on: push
@@ -25,230 +29,32 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Load secret
-        id: op-load-secret
         uses: 1password/load-secrets-action@v1
+        with:
+          # Export loaded secrets as environment variables
+          export-env: true
         env:
-          OP_CONNECT_HOST: <Your Connect instance URL>
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
           SECRET: op://app-cicd/hello-world/secret
 
       - name: Print masked secret
-        run: echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"
+        run: 'echo "Secret: $SECRET"'
         # Prints: Secret: ***
 ```
 
-<details>
+## 💙 Community & Support
-<summary><b>Longer usage example</b></summary>
 
-```yml
+- File an [issue](https://github.com/1Password/load-secrets-action/issues) for bugs and feature requests.
-on: push
+- Join the [Developer Slack workspace](https://join.slack.com/t/1password-devs/shared_invite/zt-1halo11ps-6o9pEv96xZ3LtX_VE0fJQA).
-name: Deploy app
+- Subscribe to the [Developer Newsletter](https://1password.com/dev-subscribe/).
 
-jobs:
+## 🔐 Security
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Connect URL for next steps. You can also persist
-          # the Connect token using input `connect-token`, but keep in mind that
-          # every single step in the job would then be able to access the token.
-          connect-host: https://1password.acme.com
-
-      - name: Load Docker credentials
-        id: load-docker-credentials
-        uses: 1password/load-secrets-action@v1
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
-          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          tags: acme/app:latest
-```
-
-</details>
-
-### Export secrets as environment variables
-
-This method, allows the action to access the loaded secrets as environment variables. These environment variables are accessible at a job level.
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Load secret
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          OP_CONNECT_HOST: <Your Connect instance URL>
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          SECRET: op://app-cicd/hello-world/secret
-
-      - name: Print masked secret
-        run: echo "Secret: $SECRET"
-        # Prints: Secret: ***
-```
-
-<details>
-<summary><b>Longer usage example</b></summary>
-
-```yml
-on: push
-name: Deploy app
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Connect URL for next steps. You can also persist
-          # the Connect token using input `connect-token`, but keep in mind that
-          # every single step in the job would then be able to access the token.
-          connect-host: https://1password.acme.com
-
-      - name: Load Docker credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ env.DOCKERHUB_USERNAME }}
-          password: ${{ env.DOCKERHUB_TOKEN }}
-
-      - name: Print environment variables with masked secrets
-        run: printenv
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          tags: acme/app:latest
-
-      - name: Load AWS credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-          # Remove local copies of the Docker credentials, which are not needed anymore
-          unset-previous: true
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
-          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
-
-      - name: Deploy app
-        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
-        # done automatically by the step above
-        run: ./deploy.sh
-```
-
-</details>
-
-## Action Inputs
-
-| Name             | Default | Description                                                                        |
-| ---------------- | ------- | ---------------------------------------------------------------------------------- |
-| `export-env`     | `false` | Export the loaded secrets as environment variables                                 |
-| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps |
-
-## Secrets Reference Syntax
-
-To specify which secret should be loaded into which environment variable, the action will look for `op://` reference URIs in environment variables, and replace those with the actual secret values.
-
-These reference URIs have the following syntax:
-
-> `op://<vault>/<item>[/<section>]/<field>`
-
-So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be interpreted as:
-
-- **Vault:** `app-cicd`
-- **Item:** `aws`
-- **Section:** default section
-- **Field:** `secret-access-key`
-
-## Masking
-
-Similar to regular GitHub repository secrets, fields from 1Password will automatically be masked from the GitHub Actions logs too.
-So if one of these values accidentally gets printed, it'll get replaced with `***`.
-
-## 1Password Configuration
-
-To use the action with Connect, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere.
-To configure the action with your Connect host and token, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables.  
-
-If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration:
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          connect-host: <Your Connect instance URL>
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secret
-        uses: 1password/load-secrets-action@v1
-        env:
-          SECRET: op://app-cicd/hello-world/secret
-```
-
-### `configure` Action Inputs
-
-| Name                    | Default | Environment variable       | Description                                              |
-| ----------------------- | ------- | -------------------------- | -------------------------------------------------------- |
-| `connect-host`          |         | `OP_CONNECT_HOST`          | Your 1Password Connect instance URL                      |
-| `connect-token`         |         | `OP_CONNECT_TOKEN`         | Token to authenticate to your 1Password Connect instance |
-
-## Supported Runners
-
-You can run the action on Linux and macOS runners. Windows is currently not supported.
-
-## Security
 
 1Password requests you practice responsible disclosure if you discover a vulnerability.
 
 Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits).
 
-For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).
+For information about security practices, please visit the [1Password Bug Bounty Program](https://bugcrowd.com/agilebits).
-
-## Getting help
-
-If you find yourself stuck, visit our [**Support Page**](https://support.1password.com/) for help.

action.yml

@@ -7,10 +7,10 @@ branding:
 inputs:
   unset-previous:
     description: Whether to unset environment variables populated by 1Password in earlier job steps
-    default: false
+    default: "false"
   export-env:
     description: Export the secrets as environment variables
-    default: false
+    default: "true"
 runs:
-  using: 'node16'
+  using: "node16"
-  main: 'dist/index.js'
+  main: "dist/index.js"

config/.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx lint-staged --config ./config/lint-staged.config.js

config/.husky/pre-push

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npm run validate

config/.prettierignore

@@ -0,0 +1,3 @@
+coverage/
+dist/
+node_modules/

config/jest.config.js

@@ -0,0 +1,19 @@
+const jestConfig = {
+	/**
+	 * Jest docs: "We recommend placing the extensions most commonly used in your project
+	 *             on the left, so if you are using TypeScript, you may want to consider
+	 *             moving 'ts' to the beginning of the array."
+	 *
+	 * https://jestjs.io/docs/configuration#modulefileextensions-arraystring
+	 */
+	moduleFileExtensions: ["ts", "js", "json"],
+	rootDir: "../src/",
+	testEnvironment: "node",
+	testRegex: "(/__tests__/.*|(\\.|/)test)\\.ts",
+	transform: {
+		".ts": ["ts-jest"],
+	},
+	verbose: true,
+};
+
+export default jestConfig;

config/lint-staged.config.js

@@ -0,0 +1,9 @@
+const lintStagedConfig = {
+	// run formatting and linting on all supported file types
+	"*.{js,json,md,ts,yaml,yml}": "npm run format:write",
+	"*.{js,ts}": ["npm run lint:fix"],
+	// run testing on all supported file types within the src/ directory
+	"src/**/*.{js,ts}": ["npm run test -- --findRelatedTests"],
+};
+
+export default lintStagedConfig;

dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

entrypoint.sh

@@ -2,6 +2,11 @@
 # shellcheck disable=SC2046,SC2001,SC2086
 set -e
 
+# Pass User-Agent Inforomation to the 1Password CLI
+export OP_INTEGRATION_NAME="1Password GitHub Action"
+export OP_INTEGRATION_ID="GHA"
+export OP_INTEGRATION_BUILDNUMBER="1010001"
+
 readonly CONNECT="CONNECT"
 readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT"
 
@@ -9,6 +14,10 @@ auth_type=$CONNECT
 managed_variables_var="OP_MANAGED_VARIABLES"
 IFS=','
 
+if [[ "$OP_CONNECT_HOST" != "http://"* ]] && [[ "$OP_CONNECT_HOST" != "https://"* ]]; then
+  export OP_CONNECT_HOST="http://"$OP_CONNECT_HOST
+fi
+
 # Unset all secrets managed by 1Password if `unset-previous` is set.
 unset_prev_secrets() {
   if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
@@ -30,12 +39,51 @@ unset_prev_secrets() {
 
 # Install op-cli
 install_op_cli() {
+  # Create a temporary directory where the CLI is installed
+  OP_INSTALL_DIR="$(mktemp -d)"
+  if [[ ! -d "$OP_INSTALL_DIR" ]]; then
+    echo "Install dir $OP_INSTALL_DIR not found"
+    exit 1
+  fi
+  export OP_INSTALL_DIR
+  echo "::debug::OP_INSTALL_DIR: ${OP_INSTALL_DIR}"
+
+  # Get the latest stable version of the CLI
+  OP_CLI_VERSION="v$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')"
+
   if [[ "$OSTYPE" == "linux-gnu"* ]]; then
-    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.7.1-beta.01/op_linux_amd64_v2.7.1-beta.01.zip"
+    # Get runner's architecture
-    unzip -od /usr/local/bin/ op.zip && rm op.zip
+    ARCH=$(uname -m)
+    if [[ "$(getconf LONG_BIT)" = 32 ]]; then
+      ARCH="386"
+    elif [[ "$ARCH" == "x86_64" ]]; then
+      ARCH="amd64"
+    elif [[ "$ARCH" == "aarch64" ]]; then
+      ARCH="arm64"
+    fi
+
+    if [[ "$ARCH" != "386" ]] && [[ "$ARCH" != "amd64" ]] && [[ "$ARCH" != "arm" ]] && [[ "$ARCH" != "arm64" ]]; then
+      echo "Unsupported architecture for the 1Password CLI: $ARCH."
+      exit 1
+    fi
+
+    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/${OP_CLI_VERSION}/op_linux_${ARCH}_${OP_CLI_VERSION}.zip"
+    unzip -od "$OP_INSTALL_DIR" op.zip && rm op.zip
   elif [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/v2.7.1-beta.01/op_apple_universal_v2.7.1-beta.01.pkg"
+    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/${OP_CLI_VERSION}/op_apple_universal_${OP_CLI_VERSION}.pkg"
-    sudo installer -pkg op.pkg -target /usr/local/bin/ && rm op.pkg
+    pkgutil --expand op.pkg temp-pkg
+    tar -xvf temp-pkg/op.pkg/Payload -C "$OP_INSTALL_DIR"
+    rm -rf temp-pkg && rm op.pkg
+  else
+    echo "Operating system not supported yet for this GitHub Action: $OSTYPE."
+    exit 1
+  fi
+}
+
+# Uninstall op-cli
+uninstall_op_cli() {
+  if [[ -d "$OP_INSTALL_DIR" ]]; then
+    rm -fr "$OP_INSTALL_DIR"
   fi
 }
 
@@ -43,7 +91,7 @@ populating_secret() {
   ref=$(printenv $1)
 
   echo "Populating variable: $1"
-  secret_value=$(op read $ref)
+  secret_value=$("${OP_INSTALL_DIR}/op" read "$ref")
 
   if [ -z "$secret_value" ]; then
     echo "Could not find or access secret $ref"
@@ -63,25 +111,28 @@ populating_secret() {
   done
   unset IFS
 
-  if [ "$INPUT_EXPORT_ENV" == "true" ]; then
+  # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
-    # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
+  # As the heredoc identifier, we'll use a randomly generated 64-character string,
-    # As the heredoc identifier, we'll use a randomly generated 64-character string,
+  # so that collisions are practically impossible.
-    # so that collisions are practically impossible.
+  # Read more: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings
-    random_heredoc_identifier=$(openssl rand -hex 16)
+  delimiter="$(openssl rand -hex 32)"
 
+  if [ "$INPUT_EXPORT_ENV" == "true" ]; then
     {
       # Populate env var, using heredoc syntax with generated identifier
-      echo "$env_var<<${random_heredoc_identifier}"
+      echo "$env_var<<${delimiter}"
       echo "$secret_value"
-      echo "${random_heredoc_identifier}"
+      echo "${delimiter}"
     } >> $GITHUB_ENV
     echo "GITHUB_ENV: $(cat $GITHUB_ENV)"
 
   else
-    # Prepare the secret_value to be outputed properly (especially multiline secrets)
+    {
-    secret_value=$(echo "$secret_value" | awk -v ORS='%0A' '1')
+      # Populate env var, using heredoc syntax with generated identifier
-
+      echo "$env_var<<${delimiter}"
-    echo "::set-output name=$env_var::$secret_value"
+      echo "$secret_value"
+      echo "${delimiter}"
+    } >> $GITHUB_OUTPUT
   fi
 
   managed_variables+=("$env_var")
@@ -91,7 +142,7 @@ populating_secret() {
 # and make them available as environment variables in the next steps.
 extract_secrets() {
   IFS=$'\n'
-  for env_var in $(op env ls); do
+  for env_var in $("${OP_INSTALL_DIR}/op" env ls); do
     populating_secret $env_var
   done
 }
@@ -112,6 +163,7 @@ printf "Authenticated with %s \n" $auth_type
 unset_prev_secrets
 install_op_cli
 extract_secrets
+uninstall_op_cli
 
 unset IFS
 # Add extra env var that lists which secrets are managed by 1Password so that in a later step

package.json

@@ -1,37 +1,66 @@
 {
-  "name": "load-secrets-action",
+	"name": "load-secrets-action",
-  "version": "1.1.0",
+	"version": "1.3.2",
-  "description": "Load Secrets from 1Password",
+	"description": "Load Secrets from 1Password",
-  "main": "dist/index.js",
+	"type": "module",
-  "directories": {
+	"main": "dist/index.js",
-    "test": "tests"
+	"directories": {
-  },
+		"test": "tests"
-  "scripts": {
+	},
-    "build": "ncc build src/index.ts"
+	"scripts": {
-  },
+		"build": "ncc build ./src/index.ts",
-  "repository": {
+		"format": "prettier --ignore-path ./config/.prettierignore",
-    "type": "git",
+		"format:check": "npm run format -- --check ./",
-    "url": "git+https://github.com/1Password/load-secrets-action.git"
+		"format:write": "npm run format -- --write ./",
-  },
+		"lint": "eslint ./",
-  "keywords": [
+		"lint:fix": "npm run lint -- --fix",
-    "actions",
+		"prepare": "husky install ./config/.husky",
-    "1password",
+		"test": "jest --config=./config/jest.config.js",
-    "load secrets",
+		"test:clearcache": "jest --clearCache",
-    "connect"
+		"test:coverage": "npm run test -- --coverage",
-  ],
+		"test:watch": "npm run test -- --watch",
-  "author": "1Password",
+		"typecheck": "tsc",
-  "license": "MIT",
+		"validate": "npm run format:check && npm run lint && npm run test:coverage && npm run typecheck && npm run build"
-  "bugs": {
+	},
-    "url": "https://github.com/1Password/load-secrets-action/issues"
+	"repository": {
-  },
+		"type": "git",
-  "homepage": "https://github.com/1Password/load-secrets-action#readme",
+		"url": "git+https://github.com/1Password/load-secrets-action.git"
-  "dependencies": {
+	},
-    "@actions/core": "^1.9.1",
+	"keywords": [
-    "@actions/exec": "^1.1.1"
+		"actions",
-  },
+		"1password",
-  "devDependencies": {
+		"load secrets",
-    "@types/node": "^18.7.14",
+		"connect"
-    "@vercel/ncc": "^0.34.0",
+	],
-    "typescript": "^4.8.2"
+	"author": "1Password",
-  }
+	"license": "MIT",
+	"bugs": {
+		"url": "https://github.com/1Password/load-secrets-action/issues"
+	},
+	"homepage": "https://github.com/1Password/load-secrets-action#readme",
+	"dependencies": {
+		"@actions/core": "^1.10.1",
+		"@actions/exec": "^1.1.1"
+	},
+	"devDependencies": {
+		"@1password/front-end-style": "^6.0.1",
+		"@types/jest": "^29.5.6",
+		"@types/node": "^18.18.6",
+		"@vercel/ncc": "^0.36.1",
+		"husky": "^8.0.3",
+		"jest": "^29.7.0",
+		"lint-staged": "^13.3.0",
+		"ts-jest": "^29.1.1",
+		"typescript": "^4.9.5"
+	},
+	"eslintConfig": {
+		"extends": "./node_modules/@1password/front-end-style/eslintrc.yml",
+		"ignorePatterns": [
+			"coverage/"
+		],
+		"parserOptions": {
+			"project": "./tsconfig.json"
+		}
+	},
+	"prettier": "./node_modules/@1password/front-end-style/prettierrc.json"
 }

src/index.ts

@@ -1,21 +1,32 @@
-import * as core from '@actions/core';
+import path from "path";
-import * as exec from '@actions/exec';
+import url from "url";
-import path from 'path';
+import * as core from "@actions/core";
+import * as exec from "@actions/exec";
 
-async function run(): Promise<void> {
+const run = async () => {
-  try {
+	try {
-    const parentDir = path.resolve(__dirname, '..');
+		const currentFile = url.fileURLToPath(import.meta.url);
-    
+		const currentDir = path.dirname(currentFile);
-    // Get action inputs
+		const parentDir = path.resolve(currentDir, "..");
-    process.env.INPUT_UNSET_PREVIOUS = core.getInput('unset-previous');
-    process.env.INPUT_EXPORT_ENV = core.getInput('export-env');
 
-    // Execute bash script
+		// Get action inputs
-    await exec.exec(`sh -c "` + parentDir + `/entrypoint.sh"`);
+		process.env.INPUT_UNSET_PREVIOUS = core.getInput("unset-previous");
+		process.env.INPUT_EXPORT_ENV = core.getInput("export-env");
 
-  } catch (error: any) {
+		// Execute bash script
-    core.setFailed(error.message);
+		await exec.exec(`sh -c "` + parentDir + `/entrypoint.sh"`);
-  }
+	} catch (error) {
-}
+		// It's possible for the Error constructor to be modified to be anything
+		// in JavaScript, so the following code accounts for this possibility.
+		// https://kentcdodds.com/blog/get-a-catch-block-error-message-with-typescript
+		let message = "Unknown Error";
+		if (error instanceof Error) {
+			message = error.message;
+		} else {
+			String(error);
+		}
+		core.setFailed(message);
+	}
+};
 
-run();
+void run();

tsconfig.json

@@ -1,13 +1,25 @@
 {
-    "compilerOptions": {
+	"compilerOptions": {
-        "target": "es6",
+		"allowJs": false,
-        "module": "commonjs",
+		"allowUnreachableCode": false,
-        "moduleResolution": "node",
+		"allowUnusedLabels": false,
-        "outDir": "./dist",
+		"esModuleInterop": true,
-        "rootDir": "./src",
+		"exactOptionalPropertyTypes": true,
-        "strict": true,
+		"forceConsistentCasingInFileNames": true,
-        "noImplicitAny": true,
+		"importsNotUsedAsValues": "error",
-        "esModuleInterop": true
+		"isolatedModules": true,
-    },
+		"module": "esnext",
-    "exclude": ["node_modules"]
+		"moduleResolution": "node",
+		"noEmit": true,
+		"noEmitOnError": true,
+		"noFallthroughCasesInSwitch": true,
+		"noImplicitReturns": true,
+		"noUncheckedIndexedAccess": true,
+		"noUnusedLocals": true,
+		"noUnusedParameters": true,
+		"outDir": "./dist/",
+		"rootDir": "./src/",
+		"strict": true,
+		"target": "es2022"
+	}
 }