Use alpha 5 version

As ncc uses commonjs bundle type and we import `install-cli-action` which is also commonjs, we should not set `type: module` in the package.json so it doesn't break the load-secrets-action bundle. Therefore, we can safely remove it at all.

Revert package.json

.github/workflows/acceptance-test.yml

@@ -15,17 +15,21 @@ on:
       export-env:
         required: true
         type: boolean
+      version:
+        required: false
+        type: string
+        default: "latest"
+      os:
+        required: true
+        type: string
+        default: "ubuntu-latest"
+      auth:
+        required: true
+        type: string
 
 jobs:
   acceptance-test:
-    strategy:
+    runs-on: ${{ inputs.os }}
-      matrix:
-        os: [ubuntu-latest, macos-latest]
-        auth: [connect, service-account]
-        exclude:
-          - os: macos-latest
-            auth: connect
-    runs-on: ${{ matrix.os }}
     steps:
       - name: Base checkout
         uses: actions/checkout@v4
@@ -50,32 +54,50 @@ jobs:
             github.event.client_payload.slash_command.args.named.sha
           )
       - name: Launch 1Password Connect instance
-        if: ${{ matrix.auth == 'connect' }}
+        if: ${{ inputs.auth == 'connect' }}
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
           docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
       - name: Configure Service account
-        if: ${{ matrix.auth == 'service-account' }}
+        if: ${{ inputs.auth == 'service-account' }}
         uses: ./configure
         with:
           service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Verify Service Account env var is set
+        if: ${{ inputs.auth == 'service-account' }}
+        shell: bash
+        run: |
+          if [ -z "${OP_SERVICE_ACCOUNT_TOKEN}" ]; then
+            echo "OP_SERVICE_ACCOUNT_TOKEN environment variable is not set" >&2
+            exit 1
+          fi
       - name: Configure 1Password Connect
-        if: ${{ matrix.auth == 'connect' }}
+        if: ${{ inputs.auth == 'connect' }}
         uses: ./configure # 1password/load-secrets-action/configure@<version>
         with:
           connect-host: http://localhost:8080
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+      - name: Verify Connect env vars are set
+        if: ${{ inputs.auth == 'connect' }}
+        run: |
+          if [ -z "$OP_CONNECT_HOST" ] || [ -z "$OP_CONNECT_TOKEN" ]; then
+            echo "OP_CONNECT_HOST or OP_CONNECT_TOKEN environment variables are not set" >&2
+            exit 1
+          fi
       - name: Load secrets
         id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
         with:
+          version: ${{ inputs.version }}
           export-env: ${{ inputs.export-env }}
         env:
           SECRET: ${{ inputs.secret }}
           SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
           MULTILINE_SECRET: ${{ inputs.multiline-secret }}
+      - name: Verify installed op cli version
+        run: ./tests/assert-cli-version.sh ${{ inputs.version }}
       - name: Assert test secret values [step output]
         if: ${{ !inputs.export-env }}
         env:

.github/workflows/test.yml

@@ -14,6 +14,7 @@ jobs:
           node-version: 20
       - run: npm ci
       - run: npm test
+
   test-with-output-secrets:
     if: |
       github.ref == 'refs/heads/main' ||
@@ -21,13 +22,27 @@ jobs:
         github.event_name == 'pull_request' && 
         github.event.pull_request.head.repo.full_name == github.repository
       )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
     secrets: inherit
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
+        auth: [ connect, service-account ]
+        exclude:
+          - os: macos-latest
+            auth: connect
+          - os: windows-latest
+            auth: connect
     with:
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      auth: ${{ matrix.auth }}
       secret: op://acceptance-tests/test-secret/password
       secret-in-section: op://acceptance-tests/test-secret/test-section/password
       multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
       export-env: false
+
   test-with-export-env:
     if: |
       github.ref == 'refs/heads/main' ||
@@ -35,13 +50,27 @@ jobs:
         github.event_name == 'pull_request' && 
         github.event.pull_request.head.repo.full_name == github.repository
       )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
     secrets: inherit
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
+        auth: [ connect, service-account ]
+        exclude:
+          - os: macos-latest
+            auth: connect
+          - os: windows-latest
+            auth: connect
     with:
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      auth: ${{ matrix.auth }}
       secret: op://acceptance-tests/test-secret/password
       secret-in-section: op://acceptance-tests/test-secret/test-section/password
       multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
       export-env: true
+
   test-references-with-ids:
     if: |
       github.ref == 'refs/heads/main' ||
@@ -49,9 +78,22 @@ jobs:
         github.event_name == 'pull_request' && 
         github.event.pull_request.head.repo.full_name == github.repository
       )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
     secrets: inherit
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
+        auth: [ connect, service-account ]
+        exclude:
+          - os: macos-latest
+            auth: connect
+          - os: windows-latest
+            auth: connect
     with:
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      auth: ${{ matrix.auth }}
       secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
       secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
       multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain

action.yml

@@ -5,6 +5,9 @@ branding:
   icon: lock
   color: blue
 inputs:
+  version:
+    description: Version of the 1Password CLI to install
+    default: latest
   unset-previous:
     description: Whether to unset environment variables populated by 1Password in earlier job steps
     default: "false"

config/jest.config.js

@@ -25,4 +25,4 @@ const jestConfig = {
 	verbose: true,
 };
 
-export default jestConfig;
+module.exports = jestConfig;

configure/action.yml

@@ -9,12 +9,5 @@ inputs:
   service-account-token:
     description: Your 1Password service account token
 runs:
-  using: composite
+  using: "node20"
-  steps:
+  main: "dist/index.js"
-    - shell: bash
-      env:
-        INPUT_CONNECT_HOST: ${{ inputs.connect-host }}
-        INPUT_CONNECT_TOKEN: ${{ inputs.connect-token }}
-        INPUT_SERVICE_ACCOUNT_TOKEN: ${{ inputs.service-account-token }}
-      run: |
-        ${{ github.action_path }}/entrypoint.sh

configure/entrypoint.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2086
-set -e
-
-# Capture Connect configuration in $GITHUB_ENV, giving (optional) inputs 
-# precendence over OP_CONNECT_* environment variables.
-
-OP_CONNECT_HOST="${INPUT_CONNECT_HOST:-$OP_CONNECT_HOST}"
-if [ -n "$OP_CONNECT_HOST" ]; then
-  echo "OP_CONNECT_HOST=$OP_CONNECT_HOST" >> $GITHUB_ENV
-fi
-
-OP_CONNECT_TOKEN="${INPUT_CONNECT_TOKEN:-$OP_CONNECT_TOKEN}"
-if [ -n "$OP_CONNECT_TOKEN" ]; then
-  echo "OP_CONNECT_TOKEN=$OP_CONNECT_TOKEN" >> $GITHUB_ENV
-fi
-
-OP_SERVICE_ACCOUNT_TOKEN="${INPUT_SERVICE_ACCOUNT_TOKEN:-$OP_SERVICE_ACCOUNT_TOKEN}"
-if [ -n "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
-  echo "OP_SERVICE_ACCOUNT_TOKEN=$OP_SERVICE_ACCOUNT_TOKEN" >> $GITHUB_ENV
-fi

configure/index.js

@@ -0,0 +1,27 @@
+const core = require("@actions/core");
+
+const configure = () => {
+	const OP_CONNECT_HOST =
+		core.getInput("connect-host", { required: false }) ||
+		process.env.OP_CONNECT_HOST;
+	const OP_CONNECT_TOKEN =
+		core.getInput("connect-token", { required: false }) ||
+		process.env.OP_CONNECT_TOKEN;
+	const OP_SERVICE_ACCOUNT_TOKEN =
+		core.getInput("service-account-token", { required: false }) ||
+		process.env.OP_SERVICE_ACCOUNT_TOKEN;
+
+	if (OP_CONNECT_HOST) {
+		core.exportVariable("OP_CONNECT_HOST", OP_CONNECT_HOST);
+	}
+
+	if (OP_CONNECT_TOKEN) {
+		core.exportVariable("OP_CONNECT_TOKEN", OP_CONNECT_TOKEN);
+	}
+
+	if (OP_SERVICE_ACCOUNT_TOKEN) {
+		core.exportVariable("OP_SERVICE_ACCOUNT_TOKEN", OP_SERVICE_ACCOUNT_TOKEN);
+	}
+};
+
+configure();

dist/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "module"
-}

package-lock.json

@@ -9,9 +9,10 @@
 			"version": "2.0.0",
 			"license": "MIT",
 			"dependencies": {
-				"@1password/op-js": "^0.1.11",
+				"@1password/op-js": "^0.1.14-alpha.5",
-				"@actions/core": "^1.10.1",
+				"@actions/core": "^1.11.1",
-				"@actions/exec": "^1.1.1"
+				"@actions/exec": "^1.1.1",
+				"@actions/tool-cache": "^2.0.2"
 			},
 			"devDependencies": {
 				"@1password/eslint-config": "^4.3.1",
@@ -26,6 +27,38 @@
 				"typescript": "^5.4.2"
 			}
 		},
+		"../op-js": {
+			"name": "@1password/op-js",
+			"version": "0.1.14-alpha.1",
+			"extraneous": true,
+			"license": "MIT",
+			"dependencies": {
+				"@actions/core": "^1.11.1",
+				"@actions/tool-cache": "^2.0.2",
+				"lookpath": "^1.2.2",
+				"semver": "^7.6.2"
+			},
+			"devDependencies": {
+				"@1password/eslint-config": "^4.3.0",
+				"@1password/prettier-config": "^1.1.3",
+				"@types/jest": "^29.5.12",
+				"@types/node": "^20.12.12",
+				"@types/semver": "^7.5.8",
+				"@typescript-eslint/eslint-plugin": "^7.9.0",
+				"esbuild": "^0.21.2",
+				"eslint": "^8.57.0",
+				"husky": "^9.0.11",
+				"jest": "^29.7.0",
+				"jest-environment-jsdom": "^29.6.2",
+				"joi": "^17.13.1",
+				"license-checker-rseidelsohn": "^4.3.0",
+				"lint-staged": "^15.2.2",
+				"prettier": "^3.2.5",
+				"prettier-plugin-organize-imports": "^3.2.4",
+				"ts-jest": "^29.1.2",
+				"typescript": "5.4.5"
+			}
+		},
 		"node_modules/@1password/eslint-config": {
 			"version": "4.3.1",
 			"resolved": "https://registry.npmjs.org/@1password/eslint-config/-/eslint-config-4.3.1.tgz",
@@ -51,11 +84,12 @@
 			}
 		},
 		"node_modules/@1password/op-js": {
-			"version": "0.1.13",
+			"version": "0.1.14-alpha.5",
-			"resolved": "https://registry.npmjs.org/@1password/op-js/-/op-js-0.1.13.tgz",
+			"resolved": "https://registry.npmjs.org/@1password/op-js/-/op-js-0.1.14-alpha.5.tgz",
-			"integrity": "sha512-ZZBLxVqywFdvIbLv2xWw2N1ImSi183rRKf90vV19KRMReNyLwuD0dv6IrKrIdrJU33IuV3Gz85Z4K2a1PJTBDg==",
+			"integrity": "sha512-G+psqF+8CEGAfUzHIk1Y8m6F8y6UAyyYk2pT8078hmvoKDmpEUZXCvA2X0QrVfZhTllvRPuKVI+GbCgy8l74Yw==",
-			"license": "MIT",
 			"dependencies": {
+				"@actions/core": "^1.11.1",
+				"@actions/tool-cache": "^2.0.2",
 				"lookpath": "^1.2.2",
 				"semver": "^7.6.2"
 			}
@@ -105,6 +139,26 @@
 			"integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==",
 			"license": "MIT"
 		},
+		"node_modules/@actions/tool-cache": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.2.tgz",
+			"integrity": "sha512-fBhNNOWxuoLxztQebpOaWu6WeVmuwa77Z+DxIZ1B+OYvGkGQon6kTVg6Z32Cb13WCuw0szqonK+hh03mJV7Z6w==",
+			"dependencies": {
+				"@actions/core": "^1.11.1",
+				"@actions/exec": "^1.0.0",
+				"@actions/http-client": "^2.0.1",
+				"@actions/io": "^1.1.1",
+				"semver": "^6.1.0"
+			}
+		},
+		"node_modules/@actions/tool-cache/node_modules/semver": {
+			"version": "6.3.1",
+			"resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+			"integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+			"bin": {
+				"semver": "bin/semver.js"
+			}
+		},
 		"node_modules/@ampproject/remapping": {
 			"version": "2.3.0",
 			"resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
@@ -1641,11 +1695,10 @@
 			}
 		},
 		"node_modules/acorn": {
-			"version": "8.14.0",
+			"version": "8.15.0",
-			"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.0.tgz",
+			"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
-			"integrity": "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==",
+			"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
 			"dev": true,
-			"license": "MIT",
 			"peer": true,
 			"bin": {
 				"acorn": "bin/acorn"
@@ -6030,10 +6083,9 @@
 			}
 		},
 		"node_modules/lookpath": {
-			"version": "1.2.2",
+			"version": "1.2.3",
-			"resolved": "https://registry.npmjs.org/lookpath/-/lookpath-1.2.2.tgz",
+			"resolved": "https://registry.npmjs.org/lookpath/-/lookpath-1.2.3.tgz",
-			"integrity": "sha512-k2Gmn8iV6qdME3ztZC2spubmQISimFOPLuQKiPaLcVdRz0IpdxrNClVepMlyTJlhodm/zG/VfbkWERm3kUIh+Q==",
+			"integrity": "sha512-kthRVhf4kH4+HW3anM4UBHxsw/XFESf13euCEldhXr6GpBdmBoa7rDd7WO5G0Mhd4G5XtKTcEy8OR0iRZXpS3Q==",
-			"license": "MIT",
 			"bin": {
 				"lookpath": "bin/lookpath.js"
 			},
@@ -6989,10 +7041,9 @@
 			}
 		},
 		"node_modules/semver": {
-			"version": "7.6.3",
+			"version": "7.7.2",
-			"resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
+			"resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
-			"integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
+			"integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
-			"license": "ISC",
 			"bin": {
 				"semver": "bin/semver.js"
 			},

package.json

@@ -2,13 +2,13 @@
 	"name": "load-secrets-action",
 	"version": "2.0.0",
 	"description": "Load Secrets from 1Password",
-	"type": "module",
 	"main": "dist/index.js",
 	"directories": {
 		"test": "tests"
 	},
 	"scripts": {
 		"build": "ncc build ./src/index.ts",
+		"build:configure": "ncc build ./configure/index.js -o ./configure/dist",
 		"format": "prettier --ignore-path ./config/.prettierignore",
 		"format:check": "npm run format -- --check ./",
 		"format:write": "npm run format -- --write ./",
@@ -39,9 +39,10 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
-		"@1password/op-js": "^0.1.11",
+		"@1password/op-js": "^0.1.14-alpha.5",
-		"@actions/core": "^1.10.1",
+		"@actions/core": "^1.11.1",
-		"@actions/exec": "^1.1.1"
+		"@actions/exec": "^1.1.1",
+		"@actions/tool-cache": "^2.0.2"
 	},
 	"devDependencies": {
 		"@1password/eslint-config": "^4.3.1",

src/index.ts

@@ -1,8 +1,5 @@
-import path from "path";
-import url from "url";
 import * as core from "@actions/core";
-import * as exec from "@actions/exec";
+import { validateCli, installCliOnGithubRunner } from "@1password/op-js";
-import { validateCli } from "@1password/op-js";
 import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
 
 const loadSecretsAction = async () => {
@@ -46,21 +43,7 @@ const installCLI = async (): Promise<void> => {
 	// If there's no CLI installed, then validateCli will throw an error, which we will use
 	// as an indicator that we need to execute the installation script.
 	await validateCli().catch(async () => {
-		const currentFile = url.fileURLToPath(import.meta.url);
+		await installCliOnGithubRunner();
-		const currentDir = path.dirname(currentFile);
-		const parentDir = path.resolve(currentDir, "..");
-
-		// Execute bash script
-		const cmdOut = await exec.getExecOutput(
-			`sh -c "` + parentDir + `/install_cli.sh"`,
-		);
-
-		// Add path to 1Password CLI to $PATH
-		const outArr = cmdOut.stdout.split("\n");
-		if (outArr[0] && process.env.PATH) {
-			const cliPath = outArr[0]?.replace(/^(::debug::OP_INSTALL_DIR: )/, "");
-			core.addPath(cliPath);
-		}
 	});
 };
 

tests/assert-cli-version.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+OP_CLI_VERSION="$1"
+CLI_URL="https://app-updates.agilebits.com/product_history/CLI2"
+
+get_latest_cli_version() {
+    conditional_path="/beta/"
+    if [ "$1" == "non_beta" ]; then
+        conditional_path="!/beta/"
+    fi
+    # This long command parses the HTML page at "CLI_URL" and finds the latest CLI version
+    # based on the release channel we're looking for (stable or beta).
+    #
+    # The ideal call (i.e. 'curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/Y -s | jq -r .version')
+    # doesn't retrieve the latest CLI version on a channel basis.
+    # If the latest release is stable and we want the latest beta, this command will return the stable still.
+    OP_CLI_VERSION="$(curl -s $CLI_URL | awk -v RS='<h3>|</h3>' 'NR % 2 == 0 {gsub(/[[:blank:]]+/, ""); gsub(/<span[^>]*>|<\/span>|[\r\n]+/, ""); gsub(/&nbsp;.*$/, ""); if (!'"$1"' && '"$conditional_path"'){print; '"$1"'=1;}}')"
+}
+
+if [ "$OP_CLI_VERSION" == "latest" ]; then
+    get_latest_cli_version non_beta
+elif [ "$OP_CLI_VERSION" == "latest-beta" ]; then
+    get_latest_cli_version beta
+fi
+
+if [ "$(op --version)" != "$OP_CLI_VERSION" ]; then
+    echo -e "Expected CLI version to be:\n$OP_CLI_VERSION\nBut got:\n$(op --version)"
+    exit 1
+fi