wesley/load-secrets-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: wesley:v1.1.0
Branches Tags
wesley:main wesley:feature/migrate-to-sdk wesley:jill/rebuild-dist wesley:jill/handle-open-ssh-keys wesley:jill/migrate-to-connect-sdk wesley:jill/deprecate-cli wesley:vzt/prepare-relese-v3.1.0 wesley:vzt/update-ok-to-test-workflow wesley:vzt/rename-version-input wesley:vzt/test-module-package wesley:vzt/windows-support2 wesley:vzt/windows-support3 wesley:v2-alpha wesley:ruetz-automate-releases wesley:releases/v1 wesley:eddy/cli-create-item-alternative wesley:lucy/update-readme wesley:feature/add-client
wesley:v4.0.0-gitea.1 wesley:v4-gitea wesley:v4 wesley:v4.0.0 wesley:v3 wesley:v3.2.1 wesley:v3.2.0 wesley:v3.1.0 wesley:v3.0.0 wesley:v2 wesley:v2.0.0 wesley:v1 wesley:v1.3.2 wesley:v1.3.1 wesley:v1.3.0 wesley:v1.2.0 wesley:v1.1.2 wesley:v1.1.1 wesley:v1.1.0 wesley:v1.0.2 wesley:v1.0.1 wesley:v1.0.0
..
compare: wesley:v1.2.0
Branches Tags
wesley:main wesley:feature/migrate-to-sdk wesley:jill/rebuild-dist wesley:jill/handle-open-ssh-keys wesley:jill/migrate-to-connect-sdk wesley:jill/deprecate-cli wesley:vzt/prepare-relese-v3.1.0 wesley:vzt/update-ok-to-test-workflow wesley:vzt/rename-version-input wesley:vzt/test-module-package wesley:vzt/windows-support2 wesley:vzt/windows-support3 wesley:v2-alpha wesley:ruetz-automate-releases wesley:releases/v1 wesley:eddy/cli-create-item-alternative wesley:lucy/update-readme wesley:feature/add-client
wesley:v4.0.0-gitea.1 wesley:v4-gitea wesley:v4 wesley:v4.0.0 wesley:v3 wesley:v3.2.1 wesley:v3.2.0 wesley:v3.1.0 wesley:v3.0.0 wesley:v2 wesley:v2.0.0 wesley:v1 wesley:v1.3.2 wesley:v1.3.1 wesley:v1.3.0 wesley:v1.2.0 wesley:v1.1.2 wesley:v1.1.1 wesley:v1.1.0 wesley:v1.0.2 wesley:v1.0.1 wesley:v1.0.0

10 Commits
v1.1.0 ... v1.2.0

Author SHA1 Message Date
Eduard Filip
0a7975f916 Ensure that the action is backwards-compatible (#25)
Some checks failed
Run acceptance tests / use-connect-without-export-env (push) Has been cancelled
Details
Run acceptance tests / use-connect-with-export-env (push) Has been cancelled
Details
Run acceptance tests / use-connect-with-references-with-id (push) Has been cancelled
Details
Run acceptance tests / use-service-account-without-export-env (push) Has been cancelled
Details
Run acceptance tests / use-service-account-with-export-env (push) Has been cancelled
Details
Run acceptance tests / use-service-account-with-references-with-id (push) Has been cancelled
Details
Run acceptance tests / run-on-macos-12 (push) Has been cancelled
Details 
Bring 2 changes that ensure that the GitHub Action is backwards compatible:

- Append `http://` if the prefix is not provided in the `OP_CONNECT_HOST` (this is caused by the fact that `curl` guesses the protocol if not provided (https://linux.die.net/man/1/curl), which we missed when switching to using the 1Password CLI as the backend of the action)
- Set the default of export-env to true, since that was the default behavior of the action until we added the possibility to export secrets as step's output.

Also, the documentation is adjusted to reflect these changes.
 2022-12-22 12:46:28 +02:00
volodymyrZotov
ffba2a6966 Merge pull request #21 from simonwhitaker/simon/quote-ref
Some checks failed
Run acceptance tests / use-connect-without-export-env (push) Has been cancelled
Details
Run acceptance tests / use-connect-with-export-env (push) Has been cancelled
Details
Run acceptance tests / use-connect-with-references-with-id (push) Has been cancelled
Details
Run acceptance tests / use-service-account-without-export-env (push) Has been cancelled
Details
Run acceptance tests / use-service-account-with-export-env (push) Has been cancelled
Details
Run acceptance tests / use-service-account-with-references-with-id (push) Has been cancelled
Details
Run acceptance tests / run-on-macos-12 (push) Has been cancelled
Details 
Quote $ref to avoid word splitting
 2022-12-16 16:44:11 +02:00
Simon Whitaker
2ee4979efa Quote $ref to avoid word splitting 2022-12-16 14:40:27 +00:00
Eduard Filip
7903600d82 Merge pull request #22 from 1Password/feat/user-agent-info
Some checks failed
Run acceptance tests / use-connect-without-export-env (push) Has been cancelled
Details
Run acceptance tests / use-connect-with-export-env (push) Has been cancelled
Details
Run acceptance tests / use-connect-with-references-with-id (push) Has been cancelled
Details
Run acceptance tests / use-service-account-without-export-env (push) Has been cancelled
Details
Run acceptance tests / use-service-account-with-export-env (push) Has been cancelled
Details
Run acceptance tests / use-service-account-with-references-with-id (push) Has been cancelled
Details
Run acceptance tests / run-on-macos-12 (push) Has been cancelled
Details 
Pass User-Agent Information to the 1Password CLI
 2022-12-14 17:19:34 +01:00
Eddy Filip
fbf9be8f55 Pass User-Agent Information to the 1Password CLI 2022-12-14 14:57:06 +02:00
Eddy Filip
5a04ae581c Update 1Password CLI to the latest version 2022-12-14 14:49:33 +02:00
Eduard Filip
747c0b5974 Merge pull request #19 from 1Password/ekmoore-readme-update 
Add link to README
 2022-12-07 07:40:25 +01:00
Erin Moore
c0fbfd88d3 Added link to developer.1password.com 
Added link to GitHub Actions article on https://developer.1password.com/ci-cd/github-actions
 2022-12-06 13:57:18 -05:00
Eduard Filip
3f3d1e45cb Merge pull request #18 from 1Password/eddy/rand-64 
Make openssl generate a 64-character string as mentioned in comment
 2022-10-17 19:03:05 +02:00
Eddy Filip
b73c8a7ca6 Make openssl generate a 64-character string as mentioned in comment 2022-10-17 18:22:43 +02:00
4 changed files with 45 additions and 13 deletions
Expand all files Collapse all files

16
.github/workflows/test.yml vendored
View File

@@ -15,11 +15,13 @@ jobs:
- name: Configure 1Password Connect - name: Configure 1Password Connect
uses: ./configure # 1password/load-secrets-action/configure@<version> uses: ./configure # 1password/load-secrets-action/configure@<version>
with: with:
connect-host: http://localhost:8080 connect-host: localhost:8080
connect-token: ${{ secrets.OP_CONNECT_TOKEN }} connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
- name: Load secrets - name: Load secrets
id: load_secrets id: load_secrets
uses: ./ # 1password/load-secrets-action@<version> uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
env: env:
SECRET: op://acceptance-tests/test-secret/password SECRET: op://acceptance-tests/test-secret/password
SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
@@ -48,8 +50,6 @@ jobs:
- name: Load secrets - name: Load secrets
id: load_secrets id: load_secrets
uses: ./ # 1password/load-secrets-action@<version> uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: true
env: env:
SECRET: op://acceptance-tests/test-secret/password SECRET: op://acceptance-tests/test-secret/password
SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
@@ -80,6 +80,8 @@ jobs:
- name: Load secrets - name: Load secrets
id: load_secrets id: load_secrets
uses: ./ # 1password/load-secrets-action@<version> uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
env: env:
SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
@@ -97,6 +99,8 @@ jobs:
- name: Load secrets - name: Load secrets
id: load_secrets id: load_secrets
uses: ./ # 1password/load-secrets-action@<version> uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
env: env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://acceptance-tests/test-secret/password SECRET: op://acceptance-tests/test-secret/password
@@ -115,8 +119,6 @@ jobs:
- name: Load secrets - name: Load secrets
id: load_secrets id: load_secrets
uses: ./ # 1password/load-secrets-action@<version> uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: true
env: env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://acceptance-tests/test-secret/password SECRET: op://acceptance-tests/test-secret/password
@@ -131,6 +133,8 @@ jobs:
- name: Load secrets - name: Load secrets
id: load_secrets id: load_secrets
uses: ./ # 1password/load-secrets-action@<version> uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
env: env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
@@ -149,6 +153,8 @@ jobs:
- name: Load secrets - name: Load secrets
id: load_secrets id: load_secrets
uses: ./ # 1password/load-secrets-action@<version> uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
env: env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://acceptance-tests/test-secret/password SECRET: op://acceptance-tests/test-secret/password

23
README.md
View File

@@ -2,11 +2,24 @@
This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://1password.com/secrets/). This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://1password.com/secrets/).
Specify right from your workflow YAML which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps. Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
Read more on the [1Password Developer Portal](https://developer.1password.com/ci-cd/github-actions).
## Requirements
Before you get started, you'll need to:
- [Deploy 1Password Connect](/docs/connect/get-started#step-2-deploy-1password-connect-server) in your infrastructure.
- Set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to your Connect instance's credentials, so it'll be used to load secrets.
_Supported runners_: You can run the action on Mac and Linux runners. Windows is currently not supported.
## Usage ## Usage
You can configure the action to use either 1Password Connect instance. You can configure the action to use your 1Password Connect instance.
If you provide `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables, the Connect instance will be used to load secrets. Make sure [1Password Connect](https://support.1password.com/secrets-automation/#step-2-deploy-a-1password-connect-server) is deployed in your infrastructure. If you provide `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables, the Connect instance will be used to load secrets. Make sure [1Password Connect](https://support.1password.com/secrets-automation/#step-2-deploy-a-1password-connect-server) is deployed in your infrastructure.
@@ -30,6 +43,8 @@ jobs:
- name: Load secret - name: Load secret
id: op-load-secret id: op-load-secret
uses: 1password/load-secrets-action@v1 uses: 1password/load-secrets-action@v1
with:
export-env: false
env: env:
OP_CONNECT_HOST: <Your Connect instance URL> OP_CONNECT_HOST: <Your Connect instance URL>
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
@@ -64,6 +79,8 @@ jobs:
- name: Load Docker credentials - name: Load Docker credentials
id: load-docker-credentials id: load-docker-credentials
uses: 1password/load-secrets-action@v1 uses: 1password/load-secrets-action@v1
with:
export-env: false
env: env:
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
DOCKERHUB_USERNAME: op://app-cicd/docker/username DOCKERHUB_USERNAME: op://app-cicd/docker/username
@@ -181,7 +198,7 @@ jobs:
| Name | Default | Description | | Name | Default | Description |
| ---------------- | ------- | ---------------------------------------------------------------------------------- | | ---------------- | ------- | ---------------------------------------------------------------------------------- |
| `export-env` | `false` | Export the loaded secrets as environment variables | | `export-env` | `true` | Export the loaded secrets as environment variables |
| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps | | `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps |
## Secrets Reference Syntax ## Secrets Reference Syntax

2
action.yml
View File

@@ -10,7 +10,7 @@ inputs:
default: false default: false
export-env: export-env:
description: Export the secrets as environment variables description: Export the secrets as environment variables
default: false default: true
runs: runs:
using: 'node16' using: 'node16'
main: 'dist/index.js' main: 'dist/index.js'

17
entrypoint.sh
View File

@@ -2,6 +2,11 @@
# shellcheck disable=SC2046,SC2001,SC2086 # shellcheck disable=SC2046,SC2001,SC2086
set -e set -e
# Pass User-Agent Inforomation to the 1Password CLI
export OP_INTEGRATION_NAME="1Password GitHub Action"
export OP_INTEGRATION_ID="GHA"
export OP_INTEGRATION_BUILDNUMBER="1010001"
readonly CONNECT="CONNECT" readonly CONNECT="CONNECT"
readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT" readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT"
@@ -9,6 +14,10 @@ auth_type=$CONNECT
managed_variables_var="OP_MANAGED_VARIABLES" managed_variables_var="OP_MANAGED_VARIABLES"
IFS=',' IFS=','
if [[ "$OP_CONNECT_HOST" != "http://"* ]] && [[ "$OP_CONNECT_HOST" != "https://"* ]]; then
export OP_CONNECT_HOST="http://"$OP_CONNECT_HOST
fi
# Unset all secrets managed by 1Password if `unset-previous` is set. # Unset all secrets managed by 1Password if `unset-previous` is set.
unset_prev_secrets() { unset_prev_secrets() {
if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
@@ -31,10 +40,10 @@ unset_prev_secrets() {
# Install op-cli # Install op-cli
install_op_cli() { install_op_cli() {
if [[ "$OSTYPE" == "linux-gnu"* ]]; then if [[ "$OSTYPE" == "linux-gnu"* ]]; then
curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.7.1-beta.01/op_linux_amd64_v2.7.1-beta.01.zip" curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_linux_amd64_v2.10.0-beta.02.zip"
unzip -od /usr/local/bin/ op.zip && rm op.zip unzip -od /usr/local/bin/ op.zip && rm op.zip
elif [[ "$OSTYPE" == "darwin"* ]]; then elif [[ "$OSTYPE" == "darwin"* ]]; then
curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/v2.7.1-beta.01/op_apple_universal_v2.7.1-beta.01.pkg" curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_apple_universal_v2.10.0-beta.02.pkg"
sudo installer -pkg op.pkg -target /usr/local/bin/ && rm op.pkg sudo installer -pkg op.pkg -target /usr/local/bin/ && rm op.pkg
fi fi
} }
@@ -43,7 +52,7 @@ populating_secret() {
ref=$(printenv $1) ref=$(printenv $1)
echo "Populating variable: $1" echo "Populating variable: $1"
secret_value=$(op read $ref) secret_value=$(op read "$ref")
if [ -z "$secret_value" ]; then if [ -z "$secret_value" ]; then
echo "Could not find or access secret $ref" echo "Could not find or access secret $ref"
@@ -67,7 +76,7 @@ populating_secret() {
# To support multiline secrets, we'll use the heredoc syntax to populate the environment variables. # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
# As the heredoc identifier, we'll use a randomly generated 64-character string, # As the heredoc identifier, we'll use a randomly generated 64-character string,
# so that collisions are practically impossible. # so that collisions are practically impossible.
random_heredoc_identifier=$(openssl rand -hex 16) random_heredoc_identifier=$(openssl rand -hex 32)
{ {
# Populate env var, using heredoc syntax with generated identifier # Populate env var, using heredoc syntax with generated identifier