Add item create command workaround

This content will easily let the users know the alternate way in which they have to create items in GitHub pipelines.

.github/workflows/lint.yml

@@ -5,6 +5,9 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: ShellCheck
-        uses: ludeeus/action-shellcheck@1.1.0
+      - uses: actions/checkout@v3
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@2.0.0
+        with:
+          ignore_paths: >-
+            .husky

.github/workflows/test.yml

@@ -2,24 +2,40 @@ on: push
 name: Run acceptance tests
 
 jobs:
-  use-connect-without-export-env:
-    runs-on: ubuntu-latest
+  test-with-output-secrets:
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest ]
+        auth: [ connect, service-account ]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
           docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
         uses: ./configure # 1password/load-secrets-action/configure@<version>
         with:
-          connect-host: http://localhost:8080
+          connect-host: localhost:8080
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       - name: Load secrets
         id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          export-env: false
         env:
           SECRET: op://acceptance-tests/test-secret/password
           SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
@@ -30,17 +46,31 @@ jobs:
           SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
           MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
         run: ./tests/assert-env-set.sh
-  use-connect-with-export-env:
-    runs-on: ubuntu-latest
+  test-with-export-env:
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest ]
+        auth: [ connect, service-account ]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
           docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
         uses: ./configure # 1password/load-secrets-action/configure@<version>
         with:
           connect-host: http://localhost:8080
@@ -48,8 +78,6 @@ jobs:
       - name: Load secrets
         id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
-        with:
-          export-env: true
         env:
           SECRET: op://acceptance-tests/test-secret/password
           SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
@@ -62,77 +90,41 @@ jobs:
           unset-previous: true
       - name: Assert removed secrets
         run: ./tests/assert-env-unset.sh
-  use-connect-with-references-with-id:
-    runs-on: ubuntu-latest
+  test-references-with-ids:
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest ]
+        auth: [ connect, service-account ]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
           docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
         uses: ./configure # 1password/load-secrets-action/configure@<version>
         with:
           connect-host: http://localhost:8080
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
-          SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
-          MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh
-  use-service-account-without-export-env:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh
-  use-service-account-with-export-env:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
       - name: Load secrets
         id: load_secrets
         uses: ./ # 1password/load-secrets-action@<version>
         with:
-          export-env: true
+          export-env: false
         env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        run: ./tests/assert-env-set.sh
-  use-service-account-with-references-with-id:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
           SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
           MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
@@ -142,21 +134,3 @@ jobs:
           SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
           MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
         run: ./tests/assert-env-set.sh
-  run-on-macos-12:
-    runs-on: macos-12
-    steps:
-      - uses: actions/checkout@v2
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh

.gitignore

@@ -1 +1,2 @@
+coverage/
 node_modules/

README.md

@@ -1,11 +1,10 @@
 # Load Secrets from 1Password - GitHub Action
 
-This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://1password.com/secrets/).
+This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://developer.1password.com/docs/connect) or a [Service Account <sup>[BETA]</sup>](https://developer.1password.com/docs/service-accounts).
 
 Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
 
-Read more on the [1Password Developer Portal](https://developer.1password.com/ci-cd/github-actions).
-
+Read more on the [1Password Developer Portal](https://developer.1password.com/docs/ci-cd/github-actions).
 
 ## Requirements
 
@@ -16,13 +15,16 @@ Before you get started, you'll need to:
 
 _Supported runners_: You can run the action on Mac and Linux runners. Windows is currently not supported.
 
-
 ## Usage
 
 You can configure the action to use your 1Password Connect instance.
 
 If you provide `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables, the Connect instance will be used to load secrets. Make sure [1Password Connect](https://support.1password.com/secrets-automation/#step-2-deploy-a-1password-connect-server) is deployed in your infrastructure.
 
+If you provide `OP_SERVICE_ACCOUNT_TOKEN` variable, the service account will be used to load secrets.
+
+**_Note_**: If all environment variables have been set, the Connect credentials will take precedence over the provided service account token. You must unset the Connect environment variables to ensure the action uses the service account token.
+
 There are two ways that secrets can be loaded:
 
 - [use the secrets from the action's ouput](#use-secrets-from-the-actions-output)
@@ -38,11 +40,13 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Load secret
         id: op-load-secret
         uses: 1password/load-secrets-action@v1
+        with:
+          export-env: false
         env:
           OP_CONNECT_HOST: <Your Connect instance URL>
           OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
@@ -53,6 +57,33 @@ jobs:
         # Prints: Secret: ***
 ```
 
+<details>
+<summary><b>Usage example with Service Accounts <sup>BETA</sup></b></summary>
+
+```yml
+on: push
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Load secret
+        id: op-load-secret
+        uses: 1password/load-secrets-action@v1
+        with:
+          export-env: false
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          SECRET: op://app-cicd/hello-world/secret
+
+      - name: Print masked secret
+        run: echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"
+        # Prints: Secret: ***
+```
+
+</details>
+
 <details>
 <summary><b>Longer usage example</b></summary>
 
@@ -64,32 +95,78 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Configure 1Password Connect
         uses: 1password/load-secrets-action/configure@v1
         with:
           # Persist the 1Password Connect URL for next steps. You can also persist
           # the Connect token using input `connect-token`, but keep in mind that
-          # every single step in the job would then be able to access the token.
+          # this will grant all steps of the job access to the token.
           connect-host: https://1password.acme.com
 
       - name: Load Docker credentials
         id: load-docker-credentials
         uses: 1password/load-secrets-action@v1
+        with:
+          export-env: false
         env:
           OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
           DOCKERHUB_USERNAME: op://app-cicd/docker/username
           DOCKERHUB_TOKEN: op://app-cicd/docker/token
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
           password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          tags: acme/app:latest
+```
+
+</details>
+
+<details>
+<summary><b>Longer usage example with Service Accounts <sup>BETA</sup></b></summary>
+
+```yml
+on: push
+name: Deploy app
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Configure 1Password Connect
+        uses: 1password/load-secrets-action/configure@v1
+        with:
+          # Persist the 1Password Service Account token. This will grant
+          # all steps of the job access to the token.
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+
+      - name: Load Docker credentials
+        id: load-docker-credentials
+        uses: 1password/load-secrets-action@v1
+        with:
+          export-env: false
+        env:
+          DOCKERHUB_USERNAME: op://app-cicd/docker/username
+          DOCKERHUB_TOKEN: op://app-cicd/docker/token
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
+          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v3
         with:
           push: true
           tags: acme/app:latest
@@ -107,7 +184,32 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+
+      - name: Load secret
+        uses: 1password/load-secrets-action@v1
+        with:
+          # Export loaded secrets as environment variables
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          SECRET: op://app-cicd/hello-world/secret
+
+      - name: Print masked secret
+        run: echo "Secret: $SECRET"
+        # Prints: Secret: ***
+```
+
+<details>
+<summary><b>Usage example with Service Accounts <sup>BETA</sup></b></summary>
+
+```yml
+on: push
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
 
       - name: Load secret
         uses: 1password/load-secrets-action@v1
@@ -124,6 +226,8 @@ jobs:
         # Prints: Secret: ***
 ```
 
+</details>
+
 <details>
 <summary><b>Longer usage example</b></summary>
 
@@ -135,14 +239,14 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Configure 1Password Connect
         uses: 1password/load-secrets-action/configure@v1
         with:
           # Persist the 1Password Connect URL for next steps. You can also persist
           # the Connect token using input `connect-token`, but keep in mind that
-          # every single step in the job would then be able to access the token.
+          # this will grant all steps of the job access to the token.
           connect-host: https://1password.acme.com
 
       - name: Load Docker credentials
@@ -156,7 +260,7 @@ jobs:
           DOCKERHUB_TOKEN: op://app-cicd/docker/token
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ env.DOCKERHUB_USERNAME }}
           password: ${{ env.DOCKERHUB_TOKEN }}
@@ -165,7 +269,7 @@ jobs:
         run: printenv
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: true
           tags: acme/app:latest
@@ -175,7 +279,7 @@ jobs:
         with:
           # Export loaded secrets as environment variables
           export-env: true
-          # Remove local copies of the Docker credentials, which are not needed anymore
+          # Remove local copies of the Docker credentials, which aren't needed anymore
           unset-previous: true
         env:
           OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
@@ -183,8 +287,71 @@ jobs:
           AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
 
       - name: Deploy app
-        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
-        # done automatically by the step above
+        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set.
+        # This happened using secret references in the preceding lines.
+        run: ./deploy.sh
+```
+
+</details>
+
+<details>
+<summary><b>Longer usage example with Service Accounts <sup>BETA</sup></b></summary>
+
+```yml
+on: push
+name: Deploy app
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Configure 1Password Connect
+        uses: 1password/load-secrets-action/configure@v1
+        with:
+          # Persist the 1Password Service Account token. This will grant
+          # all steps of the job access to the token.
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+
+      - name: Load Docker credentials
+        uses: 1password/load-secrets-action@v1
+        with:
+          # Export loaded secrets as environment variables
+          export-env: true
+        env:
+          DOCKERHUB_USERNAME: op://app-cicd/docker/username
+          DOCKERHUB_TOKEN: op://app-cicd/docker/token
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_TOKEN }}
+
+      - name: Print environment variables with masked secrets
+        run: printenv
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          tags: acme/app:latest
+
+      - name: Load AWS credentials
+        uses: 1password/load-secrets-action@v1
+        with:
+          # Export loaded secrets as environment variables
+          export-env: true
+          # Remove local copies of the Docker credentials, which aren't needed anymore
+          unset-previous: true
+        env:
+          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
+          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
+
+      - name: Deploy app
+        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set.
+        # This happened using secret references in the preceding lines.
         run: ./deploy.sh
 ```
 
@@ -194,7 +361,7 @@ jobs:
 
 | Name             | Default | Description                                                                        |
 | ---------------- | ------- | ---------------------------------------------------------------------------------- |
-| `export-env`     | `false` | Export the loaded secrets as environment variables                                 |
+| `export-env`     | `true`  | Export the loaded secrets as environment variables                                 |
 | `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps |
 
 ## Secrets Reference Syntax
@@ -220,7 +387,9 @@ So if one of these values accidentally gets printed, it'll get replaced with `**
 ## 1Password Configuration
 
 To use the action with Connect, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere.
-To configure the action with your Connect host and token, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables.  
+To configure the action with your Connect host and token, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables.
+
+To configure the action with your service account token <sup>BETA</sup>, set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable.
 
 If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration:
 
@@ -230,7 +399,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Configure 1Password Connect
         uses: 1password/load-secrets-action/configure@v1
@@ -245,22 +414,54 @@ jobs:
 
 ### `configure` Action Inputs
 
-| Name                    | Default | Environment variable       | Description                                              |
-| ----------------------- | ------- | -------------------------- | -------------------------------------------------------- |
-| `connect-host`          |         | `OP_CONNECT_HOST`          | Your 1Password Connect instance URL                      |
-| `connect-token`         |         | `OP_CONNECT_TOKEN`         | Token to authenticate to your 1Password Connect instance |
+| Name                    | Environment variable       | Description                                              |
+| ----------------------- | -------------------------- | -------------------------------------------------------- |
+| `connect-host`          | `OP_CONNECT_HOST`          | Your 1Password Connect instance URL                      |
+| `connect-token`         | `OP_CONNECT_TOKEN`         | Token to authenticate to your 1Password Connect instance |
+| `service-account-token` | `OP_SERVICE_ACCOUNT_TOKEN` | Your 1Password service account token                     |
 
 ## Supported Runners
 
 You can run the action on Linux and macOS runners. Windows is currently not supported.
 
+## Warnings
+
+If you're using the CLI in your GitHub pipelines and you want to create items with it, the following command will fail:
+
+```
+op item create --category=login --title='My Example Item' --vault='Test' \
+                --url https://www.acme.com/login \
+                --generate-password=20,letters,digits \
+                username=jane@acme.com \
+                'Test Field 1=my test secret' \
+                'Test Section 1.Test Field2[text]=Jane Doe' \
+                'Test Section 1.Test Field3[date]=1995-02-23' \
+                'Test Section 2.Test Field4[text]='$myNotes
+```
+
+This is caused by the fact that the environment in these pipelines is in piped mode, which triggers the CLI's pipe detection to expect a piped input.
+To be able to create items in such environments, do the following steps:
+
+1. Get the template of the item category you want:
+
+   ```sh
+   op item template get --out-file=new-item.json <category>
+   ```
+
+2. Edit [the template](https://developer.1password.com/docs/cli/item-template-json) to add your information.
+3. Pipe the item content to the command:
+
+   ```sh
+   cat new-item.json | op item create --vault='Test'
+   ```
+
 ## Security
 
 1Password requests you practice responsible disclosure if you discover a vulnerability.
 
-Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits).
+Please file requests through [BugCrowd](https://bugcrowd.com/agilebits).
 
-For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).
+For information about our security practices, visit the [1Password Security homepage](https://1password.com/security).
 
 ## Getting help
 

action.yml

@@ -7,10 +7,10 @@ branding:
 inputs:
   unset-previous:
     description: Whether to unset environment variables populated by 1Password in earlier job steps
-    default: false
+    default: "false"
   export-env:
     description: Export the secrets as environment variables
-    default: false
+    default: "true"
 runs:
-  using: 'node16'
-  main: 'dist/index.js'
+  using: "node16"
+  main: "dist/index.js"

config/.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx lint-staged --config ./config/lint-staged.config.js

config/.husky/pre-push

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npm run validate

config/.prettierignore

@@ -0,0 +1,3 @@
+coverage/
+dist/
+node_modules/

config/jest.config.js

@@ -0,0 +1,19 @@
+const jestConfig = {
+	/**
+	 * Jest docs: "We recommend placing the extensions most commonly used in your project
+	 *             on the left, so if you are using TypeScript, you may want to consider
+	 *             moving 'ts' to the beginning of the array."
+	 *
+	 * https://jestjs.io/docs/configuration#modulefileextensions-arraystring
+	 */
+	moduleFileExtensions: ["ts", "js", "json"],
+	rootDir: "../src/",
+	testEnvironment: "node",
+	testRegex: "(/__tests__/.*|(\\.|/)test)\\.ts",
+	transform: {
+		".ts": ["ts-jest"],
+	},
+	verbose: true,
+};
+
+export default jestConfig;

config/lint-staged.config.js

@@ -0,0 +1,9 @@
+const lintStagedConfig = {
+	// run formatting and linting on all supported file types
+	"*.{js,json,md,ts,yaml,yml}": "npm run format:write",
+	"*.{js,ts}": ["npm run lint:fix"],
+	// run testing on all supported file types within the src/ directory
+	"src/**/*.{js,ts}": ["npm run test -- --findRelatedTests"],
+};
+
+export default lintStagedConfig;

dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

entrypoint.sh

@@ -14,6 +14,10 @@ auth_type=$CONNECT
 managed_variables_var="OP_MANAGED_VARIABLES"
 IFS=','
 
+if [[ "$OP_CONNECT_HOST" != "http://"* ]] && [[ "$OP_CONNECT_HOST" != "https://"* ]]; then
+  export OP_CONNECT_HOST="http://"$OP_CONNECT_HOST
+fi
+
 # Unset all secrets managed by 1Password if `unset-previous` is set.
 unset_prev_secrets() {
   if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
@@ -35,12 +39,28 @@ unset_prev_secrets() {
 
 # Install op-cli
 install_op_cli() {
+  OP_INSTALL_DIR="$(mktemp -d)"
+  if [[ ! -d "$OP_INSTALL_DIR" ]]; then
+    echo "Install dir $OP_INSTALL_DIR not found"
+    exit 1
+  fi
+  export OP_INSTALL_DIR
+  echo "::debug::OP_INSTALL_DIR: ${OP_INSTALL_DIR}"
   if [[ "$OSTYPE" == "linux-gnu"* ]]; then
     curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_linux_amd64_v2.10.0-beta.02.zip"
-    unzip -od /usr/local/bin/ op.zip && rm op.zip
+    unzip -od "$OP_INSTALL_DIR" op.zip && rm op.zip
   elif [[ "$OSTYPE" == "darwin"* ]]; then
     curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_apple_universal_v2.10.0-beta.02.pkg"
-    sudo installer -pkg op.pkg -target /usr/local/bin/ && rm op.pkg
+    pkgutil --expand op.pkg temp-pkg
+    tar -xvf temp-pkg/op.pkg/Payload -C "$OP_INSTALL_DIR"
+    rm -rf temp-pkg && rm op.pkg
+  fi
+}
+
+# Uninstall op-cli
+uninstall_op_cli() {
+  if [[ -d "$OP_INSTALL_DIR" ]]; then
+    rm -fr "$OP_INSTALL_DIR"
   fi
 }
 
@@ -48,7 +68,7 @@ populating_secret() {
   ref=$(printenv $1)
 
   echo "Populating variable: $1"
-  secret_value=$(op read "$ref")
+  secret_value=$("${OP_INSTALL_DIR}/op" read "$ref")
 
   if [ -z "$secret_value" ]; then
     echo "Could not find or access secret $ref"
@@ -96,7 +116,7 @@ populating_secret() {
 # and make them available as environment variables in the next steps.
 extract_secrets() {
   IFS=$'\n'
-  for env_var in $(op env ls); do
+  for env_var in $("${OP_INSTALL_DIR}/op" env ls); do
     populating_secret $env_var
   done
 }
@@ -117,6 +137,7 @@ printf "Authenticated with %s \n" $auth_type
 unset_prev_secrets
 install_op_cli
 extract_secrets
+uninstall_op_cli
 
 unset IFS
 # Add extra env var that lists which secrets are managed by 1Password so that in a later step

package.json

@@ -1,37 +1,66 @@
 {
-  "name": "load-secrets-action",
-  "version": "1.1.0",
-  "description": "Load Secrets from 1Password",
-  "main": "dist/index.js",
-  "directories": {
-    "test": "tests"
-  },
-  "scripts": {
-    "build": "ncc build src/index.ts"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/1Password/load-secrets-action.git"
-  },
-  "keywords": [
-    "actions",
-    "1password",
-    "load secrets",
-    "connect"
-  ],
-  "author": "1Password",
-  "license": "MIT",
-  "bugs": {
-    "url": "https://github.com/1Password/load-secrets-action/issues"
-  },
-  "homepage": "https://github.com/1Password/load-secrets-action#readme",
-  "dependencies": {
-    "@actions/core": "^1.9.1",
-    "@actions/exec": "^1.1.1"
-  },
-  "devDependencies": {
-    "@types/node": "^18.7.14",
-    "@vercel/ncc": "^0.34.0",
-    "typescript": "^4.8.2"
-  }
+	"name": "load-secrets-action",
+	"version": "1.2.0",
+	"description": "Load Secrets from 1Password",
+	"type": "module",
+	"main": "dist/index.js",
+	"directories": {
+		"test": "tests"
+	},
+	"scripts": {
+		"build": "ncc build ./src/index.ts",
+		"format": "prettier --ignore-path ./config/.prettierignore",
+		"format:check": "npm run format -- --check ./",
+		"format:write": "npm run format -- --write ./",
+		"lint": "eslint ./",
+		"lint:fix": "npm run lint -- --fix",
+		"prepare": "husky install ./config/.husky",
+		"test": "jest --config=./config/jest.config.js",
+		"test:clearcache": "jest --clearCache",
+		"test:coverage": "npm run test -- --coverage",
+		"test:watch": "npm run test -- --watch",
+		"typecheck": "tsc",
+		"validate": "npm run format:check && npm run lint && npm run test:coverage && npm run typecheck && npm run build"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/1Password/load-secrets-action.git"
+	},
+	"keywords": [
+		"actions",
+		"1password",
+		"load secrets",
+		"connect"
+	],
+	"author": "1Password",
+	"license": "MIT",
+	"bugs": {
+		"url": "https://github.com/1Password/load-secrets-action/issues"
+	},
+	"homepage": "https://github.com/1Password/load-secrets-action#readme",
+	"dependencies": {
+		"@actions/core": "^1.10.0",
+		"@actions/exec": "^1.1.1"
+	},
+	"devDependencies": {
+		"@1password/front-end-style": "^6.0.1",
+		"@types/jest": "^29.5.0",
+		"@types/node": "^18.15.10",
+		"@vercel/ncc": "^0.36.1",
+		"husky": "^8.0.3",
+		"jest": "^29.5.0",
+		"lint-staged": "^13.2.0",
+		"ts-jest": "^29.0.5",
+		"typescript": "^4.9.5"
+	},
+	"eslintConfig": {
+		"extends": "./node_modules/@1password/front-end-style/eslintrc.yml",
+		"ignorePatterns": [
+			"coverage/"
+		],
+		"parserOptions": {
+			"project": "./tsconfig.json"
+		}
+	},
+	"prettier": "./node_modules/@1password/front-end-style/prettierrc.json"
 }

src/index.ts

@@ -1,21 +1,32 @@
-import * as core from '@actions/core';
-import * as exec from '@actions/exec';
-import path from 'path';
+import path from "path";
+import url from "url";
+import * as core from "@actions/core";
+import * as exec from "@actions/exec";
 
-async function run(): Promise<void> {
-  try {
-    const parentDir = path.resolve(__dirname, '..');
-    
-    // Get action inputs
-    process.env.INPUT_UNSET_PREVIOUS = core.getInput('unset-previous');
-    process.env.INPUT_EXPORT_ENV = core.getInput('export-env');
+const run = async () => {
+	try {
+		const currentFile = url.fileURLToPath(import.meta.url);
+		const currentDir = path.dirname(currentFile);
+		const parentDir = path.resolve(currentDir, "..");
 
-    // Execute bash script
-    await exec.exec(`sh -c "` + parentDir + `/entrypoint.sh"`);
+		// Get action inputs
+		process.env.INPUT_UNSET_PREVIOUS = core.getInput("unset-previous");
+		process.env.INPUT_EXPORT_ENV = core.getInput("export-env");
 
-  } catch (error: any) {
-    core.setFailed(error.message);
-  }
-}
+		// Execute bash script
+		await exec.exec(`sh -c "` + parentDir + `/entrypoint.sh"`);
+	} catch (error) {
+		// It's possible for the Error constructor to be modified to be anything
+		// in JavaScript, so the following code accounts for this possibility.
+		// https://kentcdodds.com/blog/get-a-catch-block-error-message-with-typescript
+		let message = "Unknown Error";
+		if (error instanceof Error) {
+			message = error.message;
+		} else {
+			String(error);
+		}
+		core.setFailed(message);
+	}
+};
 
-run();
+void run();

tsconfig.json

@@ -1,13 +1,25 @@
 {
-    "compilerOptions": {
-        "target": "es6",
-        "module": "commonjs",
-        "moduleResolution": "node",
-        "outDir": "./dist",
-        "rootDir": "./src",
-        "strict": true,
-        "noImplicitAny": true,
-        "esModuleInterop": true
-    },
-    "exclude": ["node_modules"]
+	"compilerOptions": {
+		"allowJs": false,
+		"allowUnreachableCode": false,
+		"allowUnusedLabels": false,
+		"esModuleInterop": true,
+		"exactOptionalPropertyTypes": true,
+		"forceConsistentCasingInFileNames": true,
+		"importsNotUsedAsValues": "error",
+		"isolatedModules": true,
+		"module": "esnext",
+		"moduleResolution": "node",
+		"noEmit": true,
+		"noEmitOnError": true,
+		"noFallthroughCasesInSwitch": true,
+		"noImplicitReturns": true,
+		"noUncheckedIndexedAccess": true,
+		"noUnusedLocals": true,
+		"noUnusedParameters": true,
+		"outDir": "./dist/",
+		"rootDir": "./src/",
+		"strict": true,
+		"target": "es2022"
+	}
 }