Merge pull request #21 from simonwhitaker/simon/quote-ref

Quote $ref to avoid word splitting

README.md

@@ -1,38 +1,36 @@
 # Load Secrets from 1Password - GitHub Action
 
-`load-secrets-action` loads secrets from 1Password into GitHub Actions using [1Password Connect](https://developer.1password.com/docs/connect).
+This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://1password.com/secrets/).
 
 Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
 
+Read more on the [1Password Developer Portal](https://developer.1password.com/ci-cd/github-actions).
+
+
 ## Requirements
 
 Before you get started, you'll need to:
 
-- [Deploy 1Password Connect](https://developer.1password.com/docs/connect/get-started#step-2-deploy-1password-connect-server) in your infrastructure.
+- [Deploy 1Password Connect](/docs/connect/get-started#step-2-deploy-1password-connect-server) in your infrastructure.
 - Set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to your Connect instance's credentials, so it'll be used to load secrets.
 
-### Supported runners
+_Supported runners_: You can run the action on Mac and Linux runners. Windows is currently not supported.
 
-You can run the action on Mac and Linux runners. Windows is currently not supported.
-
-## 1Password configuration
-
-By default, you'll need to set the environment variables for your Connect instance in the step that uses `load-secrets-action`.
-
-If you're using the action more than once in a single job, [you can use the `configure` action](https://developer.1password.com/docs/connect/github-actions/#1password-configuration) to set the environment variables instead, so you don't have to set them separately in each `load-secrets-action` step.
 
 ## Usage
 
-You can load secrets using the action in two ways:
+You can configure the action to use your 1Password Connect instance.
 
-1. [Use secrets from the action's output](#use-secrets-from-the-actions-output)
-2. [Export secrets as environment variables](#export-secrets-as-environment-variables)
+If you provide `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables, the Connect instance will be used to load secrets. Make sure [1Password Connect](https://support.1password.com/secrets-automation/#step-2-deploy-a-1password-connect-server) is deployed in your infrastructure.
+
+There are two ways that secrets can be loaded:
+
+- [use the secrets from the action's ouput](#use-secrets-from-the-actions-output)
+- [export secrets as environment variables](#export-secrets-as-environment-variables)
 
 ### Use secrets from the action's output
 
-This method allows you to use the loaded secrets outputted by the step: `steps.step-id.outputs.secret-name`.
-
-You'll need to set an ID for the step to be able to access its outputs. For more information, see [`outputs.<output_id>`](https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#outputsoutput_id).
+This method allows for you to use the loaded secrets as an output from the step: `steps.step-id.outputs.secret-name`. You will need to set an id for the step that uses this action to be able to access its outputs. For more details, , see [`outputs.<output_id>`](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputsoutput_id).
 
 ```yml
 on: push
@@ -55,11 +53,53 @@ jobs:
         # Prints: Secret: ***
 ```
 
-[Read the full documentation for more usage examples.](https://developer.1password.com/docs/connect/github-actions/#use-secrets-from-the-actions-output)
+<details>
+<summary><b>Longer usage example</b></summary>
+
+```yml
+on: push
+name: Deploy app
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Configure 1Password Connect
+        uses: 1password/load-secrets-action/configure@v1
+        with:
+          # Persist the 1Password Connect URL for next steps. You can also persist
+          # the Connect token using input `connect-token`, but keep in mind that
+          # every single step in the job would then be able to access the token.
+          connect-host: https://1password.acme.com
+
+      - name: Load Docker credentials
+        id: load-docker-credentials
+        uses: 1password/load-secrets-action@v1
+        env:
+          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
+          DOCKERHUB_USERNAME: op://app-cicd/docker/username
+          DOCKERHUB_TOKEN: op://app-cicd/docker/token
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
+          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          tags: acme/app:latest
+```
+
+</details>
 
 ### Export secrets as environment variables
 
-This method allows the action to access the loaded secrets as environment variables. These environment variables are accessible at a job level.
+This method, allows the action to access the loaded secrets as environment variables. These environment variables are accessible at a job level.
 
 ```yml
 on: push
@@ -84,23 +124,144 @@ jobs:
         # Prints: Secret: ***
 ```
 
-[Read the full documentation for more usage examples.](https://developer.1password.com/docs/connect/github-actions/#export-secrets-as-environment-variables)
+<details>
+<summary><b>Longer usage example</b></summary>
+
+```yml
+on: push
+name: Deploy app
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Configure 1Password Connect
+        uses: 1password/load-secrets-action/configure@v1
+        with:
+          # Persist the 1Password Connect URL for next steps. You can also persist
+          # the Connect token using input `connect-token`, but keep in mind that
+          # every single step in the job would then be able to access the token.
+          connect-host: https://1password.acme.com
+
+      - name: Load Docker credentials
+        uses: 1password/load-secrets-action@v1
+        with:
+          # Export loaded secrets as environment variables
+          export-env: true
+        env:
+          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
+          DOCKERHUB_USERNAME: op://app-cicd/docker/username
+          DOCKERHUB_TOKEN: op://app-cicd/docker/token
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_TOKEN }}
+
+      - name: Print environment variables with masked secrets
+        run: printenv
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          tags: acme/app:latest
+
+      - name: Load AWS credentials
+        uses: 1password/load-secrets-action@v1
+        with:
+          # Export loaded secrets as environment variables
+          export-env: true
+          # Remove local copies of the Docker credentials, which are not needed anymore
+          unset-previous: true
+        env:
+          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
+          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
+          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
+
+      - name: Deploy app
+        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
+        # done automatically by the step above
+        run: ./deploy.sh
+```
+
+</details>
+
+## Action Inputs
+
+| Name             | Default | Description                                                                        |
+| ---------------- | ------- | ---------------------------------------------------------------------------------- |
+| `export-env`     | `false` | Export the loaded secrets as environment variables                                 |
+| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps |
+
+## Secrets Reference Syntax
+
+To specify which secret should be loaded into which environment variable, the action will look for `op://` reference URIs in environment variables, and replace those with the actual secret values.
+
+These reference URIs have the following syntax:
+
+> `op://<vault>/<item>[/<section>]/<field>`
+
+So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be interpreted as:
+
+- **Vault:** `app-cicd`
+- **Item:** `aws`
+- **Section:** default section
+- **Field:** `secret-access-key`
 
 ## Masking
 
-Similar to regular GitHub repository secrets, fields from 1Password will automatically be masked in GitHub Actions logs. If one of these values accidentally gets printed, it'll be replaced with `***`.
+Similar to regular GitHub repository secrets, fields from 1Password will automatically be masked from the GitHub Actions logs too.
+So if one of these values accidentally gets printed, it'll get replaced with `***`.
+
+## 1Password Configuration
+
+To use the action with Connect, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere.
+To configure the action with your Connect host and token, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables.  
+
+If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration:
+
+```yml
+on: push
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Configure 1Password Connect
+        uses: 1password/load-secrets-action/configure@v1
+        with:
+          connect-host: <Your Connect instance URL>
+          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+      - name: Load secret
+        uses: 1password/load-secrets-action@v1
+        env:
+          SECRET: op://app-cicd/hello-world/secret
+```
+
+### `configure` Action Inputs
+
+| Name                    | Default | Environment variable       | Description                                              |
+| ----------------------- | ------- | -------------------------- | -------------------------------------------------------- |
+| `connect-host`          |         | `OP_CONNECT_HOST`          | Your 1Password Connect instance URL                      |
+| `connect-token`         |         | `OP_CONNECT_TOKEN`         | Token to authenticate to your 1Password Connect instance |
+
+## Supported Runners
+
+You can run the action on Linux and macOS runners. Windows is currently not supported.
 
 ## Security
 
 1Password requests you practice responsible disclosure if you discover a vulnerability.
 
-Please file requests through [BugCrowd](https://bugcrowd.com/agilebits).
+Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits).
 
-[Learn more about our security practices.](https://bugcrowd.com/agilebits)
+For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).
 
-## Get help
-
-If you find yourself stuck, [contact 1Password support](https://support.1password.com/) for help.
-
-[Read the full documentation](https://developer.1password.com/docs/connect/github-actions/).
+## Getting help
 
+If you find yourself stuck, visit our [**Support Page**](https://support.1password.com/) for help.

entrypoint.sh

@@ -2,6 +2,11 @@
 # shellcheck disable=SC2046,SC2001,SC2086
 set -e
 
+# Pass User-Agent Inforomation to the 1Password CLI
+export OP_INTEGRATION_NAME="1Password GitHub Action"
+export OP_INTEGRATION_ID="GHA"
+export OP_INTEGRATION_BUILDNUMBER="1010001"
+
 readonly CONNECT="CONNECT"
 readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT"
 
@@ -31,10 +36,10 @@ unset_prev_secrets() {
 # Install op-cli
 install_op_cli() {
   if [[ "$OSTYPE" == "linux-gnu"* ]]; then
-    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.7.1-beta.01/op_linux_amd64_v2.7.1-beta.01.zip"
+    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_linux_amd64_v2.10.0-beta.02.zip"
     unzip -od /usr/local/bin/ op.zip && rm op.zip
   elif [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/v2.7.1-beta.01/op_apple_universal_v2.7.1-beta.01.pkg"
+    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_apple_universal_v2.10.0-beta.02.pkg"
     sudo installer -pkg op.pkg -target /usr/local/bin/ && rm op.pkg
   fi
 }
@@ -43,7 +48,7 @@ populating_secret() {
   ref=$(printenv $1)
 
   echo "Populating variable: $1"
-  secret_value=$(op read $ref)
+  secret_value=$(op read "$ref")
 
   if [ -z "$secret_value" ]; then
     echo "Could not find or access secret $ref"
@@ -67,7 +72,7 @@ populating_secret() {
     # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
     # As the heredoc identifier, we'll use a randomly generated 64-character string,
     # so that collisions are practically impossible.
-    random_heredoc_identifier=$(openssl rand -hex 16)
+    random_heredoc_identifier=$(openssl rand -hex 32)
 
     {
       # Populate env var, using heredoc syntax with generated identifier