Release 1.3.2

Fix dependabot vulnerability

.github/workflows/lint.yml

@@ -5,6 +5,9 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: ShellCheck
-        uses: ludeeus/action-shellcheck@1.1.0
+      - uses: actions/checkout@v3
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@2.0.0
+        with:
+          ignore_paths: >-
+            .husky

.github/workflows/test.yml

@@ -2,50 +2,135 @@ on: push
 name: Run acceptance tests
 
 jobs:
-  test:
-    runs-on: ubuntu-latest
+  test-with-output-secrets:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        auth: [connect, service-account]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
           docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
+        uses: ./configure # 1password/load-secrets-action/configure@<version>
+        with:
+          connect-host: localhost:8080
+          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+      - name: Load secrets
+        id: load_secrets
+        uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          export-env: false
+        env:
+          SECRET: op://acceptance-tests/test-secret/password
+          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
+          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
+      - name: Assert test secret values
+        env:
+          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+        run: ./tests/assert-env-set.sh
+  test-with-export-env:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        auth: [connect, service-account]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
+        env:
+          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+        run: |
+          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
+          docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
         uses: ./configure # 1password/load-secrets-action/configure@<version>
         with:
           connect-host: http://localhost:8080
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       - name: Load secrets
+        id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
         env:
-          SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
-          SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/test-section/password
-          UNMASKED_VALUE: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/test-section/username
-      - name: Load multiline secret
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
-      - name: Print environment variables with masked secrets
-        run: printenv
+          SECRET: op://acceptance-tests/test-secret/password
+          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
+          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
       - name: Assert test secret values
         run: ./tests/assert-env-set.sh
       - name: Remove secrets
         uses: ./ # 1password/load-secrets-action@<version>
         with:
           unset-previous: true
-      - name: Print environment variables with secrets removed
-        run: printenv
       - name: Assert removed secrets
         run: ./tests/assert-env-unset.sh
-      - name: Load secret again
+  test-references-with-ids:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        auth: [connect, service-account]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
+        env:
+          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+        run: |
+          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
+          docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
+        uses: ./configure # 1password/load-secrets-action/configure@<version>
+        with:
+          connect-host: http://localhost:8080
+          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+      - name: Load secrets
+        id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          export-env: false
         env:
           SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
-          SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/test-section/password
+          SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
           MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
-      - name: Print environment variables with masked secrets
-        run: printenv
-      - name: Assert test secret values again
+      - name: Assert test secret values
+        env:
+          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
         run: ./tests/assert-env-set.sh

.gitignore

@@ -0,0 +1,2 @@
+coverage/
+node_modules/

README.md

@@ -1,10 +1,27 @@
-# Load Secrets from 1Password - GitHub Action
+<!-- Image sourced from https://blog.1password.com/1password-service-accounts/ -->
+<img alt="" role="img" src="https://blog.1password.com/posts/2023/1password-service-accounts/header.png"/>
 
-The action to load secrets from [1Password Connect](https://1password.com/secrets/) into GitHub Actions.
+<div align="center">
+  <h1>Load Secrets from 1Password - GitHub Action</h1>
+  <p>Provide the secrets your GitHub runner needs from 1Password.</p>
+  <a href="https://developer.1password.com/docs/ci-cd/github-actions">
+    <img alt="Get started" src="https://user-images.githubusercontent.com/45081667/226940040-16d3684b-60f4-4d95-adb2-5757a8f1bc15.png" height="37"/>
+  </a>
+</div>
 
-Specify right from your workflow YAML which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
+---
 
-## Usage
+`load-secrets-action` loads secrets from 1Password into GitHub Actions using [Service Accounts](https://developer.1password.com/docs/service-accounts) or [1Password Connect](https://developer.1password.com/docs/connect).
+
+Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
+
+Read more on the [1Password Developer Portal](https://developer.1password.com/docs/ci-cd/github-actions).
+
+## 🪄 See it in action!
+
+[![Using 1Password Service Accounts with GitHub Actions - showcase](https://img.youtube.com/vi/kVBl5iQYgSA/maxresdefault.jpg)](https://www.youtube.com/watch?v=kVBl5iQYgSA "Using 1Password Service Accounts with GitHub Actions")
+
+## ✨ Quickstart
 
 ```yml
 on: push
@@ -12,141 +29,32 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Load secret
         uses: 1password/load-secrets-action@v1
+        with:
+          # Export loaded secrets as environment variables
+          export-env: true
         env:
-          OP_CONNECT_HOST: <Your Connect instance URL>
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://app-cicd/hello-world/secret
 
       - name: Print masked secret
-        run: echo "Secret: $SECRET"
+        run: 'echo "Secret: $SECRET"'
         # Prints: Secret: ***
 ```
-<details>
-<summary><b>Longer usage example</b></summary>
 
-```yml
-on: push
-name: Deploy app
+## 💙 Community & Support
 
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
+- File an [issue](https://github.com/1Password/load-secrets-action/issues) for bugs and feature requests.
+- Join the [Developer Slack workspace](https://join.slack.com/t/1password-devs/shared_invite/zt-1halo11ps-6o9pEv96xZ3LtX_VE0fJQA).
+- Subscribe to the [Developer Newsletter](https://1password.com/dev-subscribe/).
 
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          # Persist the 1Password Connect URL for next steps. You can also persist 
-          # the Connect token using input `connect-token`, but keep in mind that 
-          # every single step in the job would then be able to access the token.
-          connect-host: https://1password.acme.com
+## 🔐 Security
 
-      - name: Load Docker credentials
-        uses: 1password/load-secrets-action@v1
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          DOCKERHUB_USERNAME: op://app-cicd/docker/username
-          DOCKERHUB_TOKEN: op://app-cicd/docker/token
+1Password requests you practice responsible disclosure if you discover a vulnerability.
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ env.DOCKERHUB_USERNAME }}
-          password: ${{ env.DOCKERHUB_TOKEN }}
+Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits).
 
-      - name: Print environment variables with masked secrets
-        run: printenv
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          tags: acme/app:latest
-
-      - name: Load AWS credentials
-        uses: 1password/load-secrets-action@v1
-        with:
-          # Remove local copies of the Docker credentials, which are not needed anymore
-          unset-previous: true
-        env:
-          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
-          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
-
-      - name: Deploy app
-        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was 
-        # done automatically by the step above
-        run: ./deploy.sh
-```
-</details>
-
-## Action Inputs
-
-| Name | Default | Description |
-|---|---|---|
-| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps |
-
-## Secrets Reference Syntax
-
-To specify which secret should be loaded into which environment variable, the action will look for `op://` reference URIs in environment variables, and replace those with the actual secret values.
-
-These reference URIs have the following syntax:
-
-> `op://<vault>/<item>[/<section>]/<field>`
-
-So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be interpreted as:
-  * **Vault:** `app-cicd`
-  * **Item:** `aws`
-  * **Section:** default section
-  * **Field:** `secret-access-key`
-
-## Masking
-
-Similar to regular GitHub repository secrets, secret fields from 1Password will automatically be masked from the GitHub Actions logs too.
-A 1Password field is considered 'secret' when it's marked as concealed (which shows as `•••••••` in the 1Password GUI) or when it's a secure note.
-So if one of these values accidentally gets printed, it'll get replaced with `***`.
-
-This means that a username or port field for example will not get masked.
-
-## 1Password Connect Configuration
-
-To use the action, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere.
-To configure the action with your Connect URL and a Connect token, you can set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables.
-
-If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration:
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Configure 1Password Connect
-        uses: 1password/load-secrets-action/configure@v1
-        with:
-          connect-host: <Your Connect instance URL>
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-
-      - name: Load secret
-        uses: 1password/load-secrets-action@v1
-        env:
-          SECRET: op://app-cicd/hello-world/secret
-```
-
-### `configure` Action Inputs
-
-| Name | Default | Environment variable | Description |
-|---|---|---|---|
-| `connect-host` | | `OP_CONNECT_HOST` | Your 1Password Connect instance URL |
-| `connect-token` | | `OP_CONNECT_TOKEN` | Token to authenticate to your 1Password Connect instance |
-
-## Supported Runners
-
-You can run the action on Linux and macOS runners. Windows is currently not supported.
+For information about security practices, please visit the [1Password Bug Bounty Program](https://bugcrowd.com/agilebits).

action.yml

@@ -7,11 +7,10 @@ branding:
 inputs:
   unset-previous:
     description: Whether to unset environment variables populated by 1Password in earlier job steps
-    default: false
+    default: "false"
+  export-env:
+    description: Export the secrets as environment variables
+    default: "true"
 runs:
-  using: composite
-  steps: 
-    - run: |
-        export INPUT_UNSET_PREVIOUS=${{ inputs.unset-previous }}
-        ${{ github.action_path }}/entrypoint.sh
-      shell: bash
+  using: "node16"
+  main: "dist/index.js"

config/.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx lint-staged --config ./config/lint-staged.config.js

config/.husky/pre-push

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npm run validate

config/.prettierignore

@@ -0,0 +1,3 @@
+coverage/
+dist/
+node_modules/

config/jest.config.js

@@ -0,0 +1,19 @@
+const jestConfig = {
+	/**
+	 * Jest docs: "We recommend placing the extensions most commonly used in your project
+	 *             on the left, so if you are using TypeScript, you may want to consider
+	 *             moving 'ts' to the beginning of the array."
+	 *
+	 * https://jestjs.io/docs/configuration#modulefileextensions-arraystring
+	 */
+	moduleFileExtensions: ["ts", "js", "json"],
+	rootDir: "../src/",
+	testEnvironment: "node",
+	testRegex: "(/__tests__/.*|(\\.|/)test)\\.ts",
+	transform: {
+		".ts": ["ts-jest"],
+	},
+	verbose: true,
+};
+
+export default jestConfig;

config/lint-staged.config.js

@@ -0,0 +1,9 @@
+const lintStagedConfig = {
+	// run formatting and linting on all supported file types
+	"*.{js,json,md,ts,yaml,yml}": "npm run format:write",
+	"*.{js,ts}": ["npm run lint:fix"],
+	// run testing on all supported file types within the src/ directory
+	"src/**/*.{js,ts}": ["npm run test -- --findRelatedTests"],
+};
+
+export default lintStagedConfig;

configure/action.yml

@@ -1,16 +1,20 @@
-name: Configure 1Password Connect
-description: Persist 1Password Connect host and token for use in next steps.
+name: Configure 1Password Connect and service account
+description: Persist 1Password Connect host, token and service account for use in next steps.
 author: 1Password
 inputs:
   connect-host:
     description: Your 1Password Connect instance URL
   connect-token:
     description: Token to authenticate to your 1Password Connect instance
+  service-account-token:
+    description: Your 1Password service account token
 runs:
   using: composite
-  steps: 
-    - run: |
-        export INPUT_CONNECT_HOST=${{ inputs.connect-host }}
-        export INPUT_CONNECT_TOKEN=${{ inputs.connect-token }}
+  steps:
+    - shell: bash
+      env:
+        INPUT_CONNECT_HOST: ${{ inputs.connect-host }}
+        INPUT_CONNECT_TOKEN: ${{ inputs.connect-token }}
+        INPUT_SERVICE_ACCOUNT_TOKEN: ${{ inputs.service-account-token }}
+      run: |
         ${{ github.action_path }}/entrypoint.sh
-      shell: bash

configure/entrypoint.sh

@@ -14,3 +14,8 @@ OP_CONNECT_TOKEN="${INPUT_CONNECT_TOKEN:-$OP_CONNECT_TOKEN}"
 if [ -n "$OP_CONNECT_TOKEN" ]; then
   echo "OP_CONNECT_TOKEN=$OP_CONNECT_TOKEN" >> $GITHUB_ENV
 fi
+
+OP_SERVICE_ACCOUNT_TOKEN="${INPUT_SERVICE_ACCOUNT_TOKEN:-$OP_SERVICE_ACCOUNT_TOKEN}"
+if [ -n "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
+  echo "OP_SERVICE_ACCOUNT_TOKEN=$OP_SERVICE_ACCOUNT_TOKEN" >> $GITHUB_ENV
+fi

dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

entrypoint.sh

@@ -2,132 +2,170 @@
 # shellcheck disable=SC2046,SC2001,SC2086
 set -e
 
-if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
-  echo "\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST must be set"
-  exit 1
-fi
+# Pass User-Agent Inforomation to the 1Password CLI
+export OP_INTEGRATION_NAME="1Password GitHub Action"
+export OP_INTEGRATION_ID="GHA"
+export OP_INTEGRATION_BUILDNUMBER="1010001"
 
+readonly CONNECT="CONNECT"
+readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT"
+
+auth_type=$CONNECT
 managed_variables_var="OP_MANAGED_VARIABLES"
-IFS=',' read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
+IFS=','
+
+if [[ "$OP_CONNECT_HOST" != "http://"* ]] && [[ "$OP_CONNECT_HOST" != "https://"* ]]; then
+  export OP_CONNECT_HOST="http://"$OP_CONNECT_HOST
+fi
 
 # Unset all secrets managed by 1Password if `unset-previous` is set.
-if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
-  echo "Unsetting previous values..."
+unset_prev_secrets() {
+  if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
+    echo "Unsetting previous values..."
 
-  # Find environment variables that are managed by 1Password.
-  for env_var in "${managed_variables[@]}"; do
-    echo "Unsetting $env_var"
-    unset $env_var
+    # Find environment variables that are managed by 1Password.
+    for env_var in "${managed_variables[@]}"; do
+      echo "Unsetting $env_var"
+      unset $env_var
 
-    echo "$env_var=" >> $GITHUB_ENV
+      echo "$env_var=" >> $GITHUB_ENV
 
-    # Keep the masks, just in case.
-  done
+      # Keep the masks, just in case.
+    done
 
-  managed_variables=()
-fi
-
-# Iterate over environment varables to find 1Password references, load the secret values, 
-# and make them available as environment variables in the next steps.
-IFS=$'\n'
-for possible_ref in $(printenv | grep "=op://" | grep -v "^#"); do
-  env_var=$(echo "$possible_ref" | cut -d '=' -f1)
-  ref=$(printenv $env_var)
-
-  if [[ ! $ref == "op://"* ]]; then
-    echo "Not really a reference: $ref"
-    continue
+    managed_variables=()
   fi
+}
 
-  path=$(echo $ref | sed -e "s/^op:\/\///")
-  if [ $(echo "$path" | tr -cd '/' | wc -c) -lt 2 ]; then
-    echo "Expected path to be in format op://<vault>/<item>[/<section>]/<field>: $ref"
-    continue
+# Install op-cli
+install_op_cli() {
+  # Create a temporary directory where the CLI is installed
+  OP_INSTALL_DIR="$(mktemp -d)"
+  if [[ ! -d "$OP_INSTALL_DIR" ]]; then
+    echo "Install dir $OP_INSTALL_DIR not found"
+    exit 1
   fi
+  export OP_INSTALL_DIR
+  echo "::debug::OP_INSTALL_DIR: ${OP_INSTALL_DIR}"
 
-  echo "Populating variable: $env_var"
+  # Get the latest stable version of the CLI
+  OP_CLI_VERSION="v$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')"
 
-  vault=""
-  item=""
-  section=""
-  field=""
-  i=0
-  IFS="/"
-  for component in $path; do
-    ((i+=1))
-    case "$i" in
-      1) vault=$component ;;
-      2) item=$component ;;
-      3) section=$component ;;
-      4) field=$component ;;
-    esac
-  done
-  unset IFS
+  if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+    # Get runner's architecture
+    ARCH=$(uname -m)
+    if [[ "$(getconf LONG_BIT)" = 32 ]]; then
+      ARCH="386"
+    elif [[ "$ARCH" == "x86_64" ]]; then
+      ARCH="amd64"
+    elif [[ "$ARCH" == "aarch64" ]]; then
+      ARCH="arm64"
+    fi
 
-  # If field is not set, it may have wrongfully been interpreted as the section.
-  if [ -z "$field" ]; then
-    field="$section"
-    section=""
+    if [[ "$ARCH" != "386" ]] && [[ "$ARCH" != "amd64" ]] && [[ "$ARCH" != "arm" ]] && [[ "$ARCH" != "arm64" ]]; then
+      echo "Unsupported architecture for the 1Password CLI: $ARCH."
+      exit 1
+    fi
+
+    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/${OP_CLI_VERSION}/op_linux_${ARCH}_${OP_CLI_VERSION}.zip"
+    unzip -od "$OP_INSTALL_DIR" op.zip && rm op.zip
+  elif [[ "$OSTYPE" == "darwin"* ]]; then
+    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/${OP_CLI_VERSION}/op_apple_universal_${OP_CLI_VERSION}.pkg"
+    pkgutil --expand op.pkg temp-pkg
+    tar -xvf temp-pkg/op.pkg/Payload -C "$OP_INSTALL_DIR"
+    rm -rf temp-pkg && rm op.pkg
+  else
+    echo "Operating system not supported yet for this GitHub Action: $OSTYPE."
+    exit 1
   fi
+}
 
-  echo "Loading item $item from vault $vault..."
-  item_json=$(curl -sSf -H "Content-Type: application/json" -H "Authorization: Bearer $OP_CONNECT_TOKEN" "$OP_CONNECT_HOST/v1/vaults/$vault/items/$item")
-  jq_field_selector=".id == \"$field\" or .label == \"$field\""
-  jq_section_selector=".section == null"
-
-  # If the reference contains a section, edit the jq selector to take that into account.
-  if [ -n "$section" ]; then
-    echo "Looking for section: $section"
-    section_id=$(echo "$item_json" | jq -r ".sections[] | select(.id == \"$section\" or .label == \"$section\") | .id")
-    jq_section_selector=".section.id == \"$section_id\""
+# Uninstall op-cli
+uninstall_op_cli() {
+  if [[ -d "$OP_INSTALL_DIR" ]]; then
+    rm -fr "$OP_INSTALL_DIR"
   fi
+}
 
-  jq_secret_selector="$jq_section_selector and ($jq_field_selector)"
+populating_secret() {
+  ref=$(printenv $1)
 
-  echo "Looking for field: $field"
-  secret_field_json=$(echo "$item_json" | jq -r "first(.fields[] | select($jq_secret_selector))")
-
-  field_type=$(echo "$secret_field_json" | jq -r '.type')
-  field_purpose=$(echo "$secret_field_json" | jq -r '.purpose')
-  secret_value=$(echo "$secret_field_json" | jq -r '.value')
+  echo "Populating variable: $1"
+  secret_value=$("${OP_INSTALL_DIR}/op" read "$ref")
 
   if [ -z "$secret_value" ]; then
     echo "Could not find or access secret $ref"
     exit 1
   fi
 
-  # If the field is marked as concealed or is a note, register a mask
-  # for the secret to prevent accidental log exposure.
-  if [ "$field_type" == "CONCEALED" ] || [ "$field_purpose" == "NOTES" ]; then
-    # To support multiline secrets, escape percent signs and add a mask per line.
-    escaped_mask_value=$(echo "$secret_value" | sed -e 's/%/%25/g')
-    IFS=$'\n'
-    for line in $escaped_mask_value; do
-      if [ "${#line}" -lt 3 ]; then
-        # To avoid false positives and unreadable logs, omit mask for lines that are too short.
-        continue
-      fi
-      echo "::add-mask::$line"
-    done
-    unset IFS
-  fi
+  # Register a mask for the secret to prevent accidental log exposure.
+  # To support multiline secrets, escape percent signs and add a mask per line.
+  escaped_mask_value=$(echo "$secret_value" | sed -e 's/%/%25/g')
+  IFS=$'\n'
+  for line in $escaped_mask_value; do
+    if [ "${#line}" -lt 3 ]; then
+      # To avoid false positives and unreadable logs, omit mask for lines that are too short.
+      continue
+    fi
+    echo "::add-mask::$line"
+  done
+  unset IFS
 
   # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
   # As the heredoc identifier, we'll use a randomly generated 64-character string,
   # so that collisions are practically impossible.
-  random_heredoc_identifier=$(openssl rand -hex 16)
+  # Read more: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings
+  delimiter="$(openssl rand -hex 32)"
 
-  {
-    # Populate env var, using heredoc syntax with generated identifier
-    echo "$env_var<<${random_heredoc_identifier}"
-    echo "$secret_value"
-    echo "${random_heredoc_identifier}"
-  } >> $GITHUB_ENV
+  if [ "$INPUT_EXPORT_ENV" == "true" ]; then
+    {
+      # Populate env var, using heredoc syntax with generated identifier
+      echo "$env_var<<${delimiter}"
+      echo "$secret_value"
+      echo "${delimiter}"
+    } >> $GITHUB_ENV
+    echo "GITHUB_ENV: $(cat $GITHUB_ENV)"
+
+  else
+    {
+      # Populate env var, using heredoc syntax with generated identifier
+      echo "$env_var<<${delimiter}"
+      echo "$secret_value"
+      echo "${delimiter}"
+    } >> $GITHUB_OUTPUT
+  fi
 
   managed_variables+=("$env_var")
-done
-unset IFS
+}
 
+# Load environment variables using op cli. Iterate over them to find 1Password references, load the secret values,
+# and make them available as environment variables in the next steps.
+extract_secrets() {
+  IFS=$'\n'
+  for env_var in $("${OP_INSTALL_DIR}/op" env ls); do
+    populating_secret $env_var
+  done
+}
+
+read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
+
+if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
+  if [ -z "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
+    echo "(\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST) or \$OP_SERVICE_ACCOUNT_TOKEN must be set"
+    exit 1
+  fi
+
+  auth_type=$SERVICE_ACCOUNT
+fi
+
+printf "Authenticated with %s \n" $auth_type
+
+unset_prev_secrets
+install_op_cli
+extract_secrets
+uninstall_op_cli
+
+unset IFS
 # Add extra env var that lists which secrets are managed by 1Password so that in a later step
 # these can be unset again.
 managed_variables_str=$(IFS=','; echo "${managed_variables[*]}")

package.json

@@ -0,0 +1,66 @@
+{
+	"name": "load-secrets-action",
+	"version": "1.3.2",
+	"description": "Load Secrets from 1Password",
+	"type": "module",
+	"main": "dist/index.js",
+	"directories": {
+		"test": "tests"
+	},
+	"scripts": {
+		"build": "ncc build ./src/index.ts",
+		"format": "prettier --ignore-path ./config/.prettierignore",
+		"format:check": "npm run format -- --check ./",
+		"format:write": "npm run format -- --write ./",
+		"lint": "eslint ./",
+		"lint:fix": "npm run lint -- --fix",
+		"prepare": "husky install ./config/.husky",
+		"test": "jest --config=./config/jest.config.js",
+		"test:clearcache": "jest --clearCache",
+		"test:coverage": "npm run test -- --coverage",
+		"test:watch": "npm run test -- --watch",
+		"typecheck": "tsc",
+		"validate": "npm run format:check && npm run lint && npm run test:coverage && npm run typecheck && npm run build"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/1Password/load-secrets-action.git"
+	},
+	"keywords": [
+		"actions",
+		"1password",
+		"load secrets",
+		"connect"
+	],
+	"author": "1Password",
+	"license": "MIT",
+	"bugs": {
+		"url": "https://github.com/1Password/load-secrets-action/issues"
+	},
+	"homepage": "https://github.com/1Password/load-secrets-action#readme",
+	"dependencies": {
+		"@actions/core": "^1.10.1",
+		"@actions/exec": "^1.1.1"
+	},
+	"devDependencies": {
+		"@1password/front-end-style": "^6.0.1",
+		"@types/jest": "^29.5.6",
+		"@types/node": "^18.18.6",
+		"@vercel/ncc": "^0.36.1",
+		"husky": "^8.0.3",
+		"jest": "^29.7.0",
+		"lint-staged": "^13.3.0",
+		"ts-jest": "^29.1.1",
+		"typescript": "^4.9.5"
+	},
+	"eslintConfig": {
+		"extends": "./node_modules/@1password/front-end-style/eslintrc.yml",
+		"ignorePatterns": [
+			"coverage/"
+		],
+		"parserOptions": {
+			"project": "./tsconfig.json"
+		}
+	},
+	"prettier": "./node_modules/@1password/front-end-style/prettierrc.json"
+}

src/index.ts

@@ -0,0 +1,32 @@
+import path from "path";
+import url from "url";
+import * as core from "@actions/core";
+import * as exec from "@actions/exec";
+
+const run = async () => {
+	try {
+		const currentFile = url.fileURLToPath(import.meta.url);
+		const currentDir = path.dirname(currentFile);
+		const parentDir = path.resolve(currentDir, "..");
+
+		// Get action inputs
+		process.env.INPUT_UNSET_PREVIOUS = core.getInput("unset-previous");
+		process.env.INPUT_EXPORT_ENV = core.getInput("export-env");
+
+		// Execute bash script
+		await exec.exec(`sh -c "` + parentDir + `/entrypoint.sh"`);
+	} catch (error) {
+		// It's possible for the Error constructor to be modified to be anything
+		// in JavaScript, so the following code accounts for this possibility.
+		// https://kentcdodds.com/blog/get-a-catch-block-error-message-with-typescript
+		let message = "Unknown Error";
+		if (error instanceof Error) {
+			message = error.message;
+		} else {
+			String(error);
+		}
+		core.setFailed(message);
+	}
+};
+
+void run();

tsconfig.json

@@ -0,0 +1,25 @@
+{
+	"compilerOptions": {
+		"allowJs": false,
+		"allowUnreachableCode": false,
+		"allowUnusedLabels": false,
+		"esModuleInterop": true,
+		"exactOptionalPropertyTypes": true,
+		"forceConsistentCasingInFileNames": true,
+		"importsNotUsedAsValues": "error",
+		"isolatedModules": true,
+		"module": "esnext",
+		"moduleResolution": "node",
+		"noEmit": true,
+		"noEmitOnError": true,
+		"noFallthroughCasesInSwitch": true,
+		"noImplicitReturns": true,
+		"noUncheckedIndexedAccess": true,
+		"noUnusedLocals": true,
+		"noUnusedParameters": true,
+		"outDir": "./dist/",
+		"rootDir": "./src/",
+		"strict": true,
+		"target": "es2022"
+	}
+}