wesley/load-secrets-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: wesley:v1.2.0
Branches Tags
wesley:main wesley:feature/migrate-to-sdk wesley:jill/rebuild-dist wesley:jill/handle-open-ssh-keys wesley:jill/migrate-to-connect-sdk wesley:jill/deprecate-cli wesley:vzt/prepare-relese-v3.1.0 wesley:vzt/update-ok-to-test-workflow wesley:vzt/rename-version-input wesley:vzt/test-module-package wesley:vzt/windows-support2 wesley:vzt/windows-support3 wesley:v2-alpha wesley:ruetz-automate-releases wesley:releases/v1 wesley:eddy/cli-create-item-alternative wesley:lucy/update-readme wesley:feature/add-client
wesley:v4.0.0-gitea.1 wesley:v4-gitea wesley:v4 wesley:v4.0.0 wesley:v3 wesley:v3.2.1 wesley:v3.2.0 wesley:v3.1.0 wesley:v3.0.0 wesley:v2 wesley:v2.0.0 wesley:v1 wesley:v1.3.2 wesley:v1.3.1 wesley:v1.3.0 wesley:v1.2.0 wesley:v1.1.2 wesley:v1.1.1 wesley:v1.1.0 wesley:v1.0.2 wesley:v1.0.1 wesley:v1.0.0
..
compare: wesley:feature/add-client
Branches Tags
wesley:main wesley:feature/migrate-to-sdk wesley:jill/rebuild-dist wesley:jill/handle-open-ssh-keys wesley:jill/migrate-to-connect-sdk wesley:jill/deprecate-cli wesley:vzt/prepare-relese-v3.1.0 wesley:vzt/update-ok-to-test-workflow wesley:vzt/rename-version-input wesley:vzt/test-module-package wesley:vzt/windows-support2 wesley:vzt/windows-support3 wesley:v2-alpha wesley:ruetz-automate-releases wesley:releases/v1 wesley:eddy/cli-create-item-alternative wesley:lucy/update-readme wesley:feature/add-client
wesley:v4.0.0-gitea.1 wesley:v4-gitea wesley:v4 wesley:v4.0.0 wesley:v3 wesley:v3.2.1 wesley:v3.2.0 wesley:v3.1.0 wesley:v3.0.0 wesley:v2 wesley:v2.0.0 wesley:v1 wesley:v1.3.2 wesley:v1.3.1 wesley:v1.3.0 wesley:v1.2.0 wesley:v1.1.2 wesley:v1.1.1 wesley:v1.1.0 wesley:v1.0.2 wesley:v1.0.1 wesley:v1.0.0

3 Commits
v1.2.0 ... feature/ad

Author SHA1 Message Date
Eddy Filip
cb23d65d8d Add missing config for tests
Some checks failed
Run acceptance tests / test (push) Has been cancelled
Details
Run acceptance tests / test-user (push) Has been cancelled
Details
2021-08-03 19:23:44 +02:00
Eddy Filip
adde26c41b Fix lint 2021-08-03 19:18:04 +02:00
Eddy Filip
6bfaeeb67d Enable the user to use the GitHub Action without Connect 2021-08-03 19:11:41 +02:00
12 changed files with 172 additions and 2553 deletions
Expand all files Collapse all files

173
.github/workflows/test.yml vendored
View File

@@ -2,37 +2,7 @@ on: push
name: Run acceptance tests
jobs:
use-connect-without-export-env:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Launch 1Password Connect instance
env:
OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
run: |
echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
- name: Configure 1Password Connect
uses: ./configure # 1password/load-secrets-action/configure@<version>
with:
connect-host: localhost:8080
connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
- name: Load secrets
id: load_secrets
uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
env:
SECRET: op://acceptance-tests/test-secret/password
SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
- name: Assert test secret values
env:
SECRET: ${{ steps.load_secrets.outputs.SECRET }}
SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
run: ./tests/assert-env-set.sh
use-connect-with-export-env:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
@@ -45,124 +15,81 @@ jobs:
- name: Configure 1Password Connect
uses: ./configure # 1password/load-secrets-action/configure@<version>
with:
use-connect: yes
connect-host: http://localhost:8080
connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
- name: Load secrets
id: load_secrets
uses: ./ # 1password/load-secrets-action@<version>
env:
SECRET: op://acceptance-tests/test-secret/password
SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/test-section/password
UNMASKED_VALUE: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/test-section/username
- name: Load multiline secret
uses: ./ # 1password/load-secrets-action@<version>
env:
MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
- name: Print environment variables with masked secrets
run: printenv
- name: Assert test secret values
run: ./tests/assert-env-set.sh
- name: Remove secrets
uses: ./ # 1password/load-secrets-action@<version>
with:
unset-previous: true
- name: Print environment variables with secrets removed
run: printenv
- name: Assert removed secrets
run: ./tests/assert-env-unset.sh
use-connect-with-references-with-id:
- name: Load secrets by vault and item titles
uses: ./ # 1password/load-secrets-action@<version>
env:
SECRET: op://acceptance-tests/test-secret/password
SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
- name: Print environment variables with masked secrets
run: printenv
- name: Assert test secret values again
run: ./tests/assert-env-set.sh
test-user:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Launch 1Password Connect instance
env:
OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
run: |
echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
- name: Configure 1Password Connect
- name: Configure 1Password with a user
uses: ./configure # 1password/load-secrets-action/configure@<version>
with:
connect-host: http://localhost:8080
connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
user-domain: ${{ secrets.USER_DOMAIN }}
user-email: ${{ secrets.USER_EMAIL }}
user-key: ${{ secrets.USER_KEY }}
user-pwd: ${{ secrets.USER_PWD }}
- name: Load secrets
id: load_secrets
uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
env:
SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
SECRET: op://p4a7xwirm3lcwtu6okulbhym5i/mybhbbwhewncjb67cy4v7hjpgi/password
SECRET_IN_SECTION: op://p4a7xwirm3lcwtu6okulbhym5i/mybhbbwhewncjb67cy4v7hjpgi/test-section/password
UNMASKED_VALUE: op://p4a7xwirm3lcwtu6okulbhym5i/mybhbbwhewncjb67cy4v7hjpgi/test-section/username
- name: Load multiline secret
uses: ./ # 1password/load-secrets-action@<version>
env:
MULTILINE_SECRET: op://p4a7xwirm3lcwtu6okulbhym5i/bcshnrykfwf5i5zm7nkqy63dca/notesPlain
- name: Print environment variables with masked secrets
run: printenv
- name: Assert test secret values
env:
SECRET: ${{ steps.load_secrets.outputs.SECRET }}
SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
run: ./tests/assert-env-set.sh
use-service-account-without-export-env:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Load secrets
id: load_secrets
- name: Remove secrets
uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
unset-previous: true
- name: Print environment variables with secrets removed
run: printenv
- name: Assert removed secrets
run: ./tests/assert-env-unset.sh
- name: Load secrets by vault and item titles
uses: ./ # 1password/load-secrets-action@<version>
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://acceptance-tests/test-secret/password
SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
- name: Assert test secret values
env:
SECRET: ${{ steps.load_secrets.outputs.SECRET }}
SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
run: ./tests/assert-env-set.sh
use-service-account-with-export-env:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Load secrets
id: load_secrets
uses: ./ # 1password/load-secrets-action@<version>
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://acceptance-tests/test-secret/password
SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
- name: Assert test secret values
run: ./tests/assert-env-set.sh
use-service-account-with-references-with-id:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Load secrets
id: load_secrets
uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
- name: Assert test secret values
env:
SECRET: ${{ steps.load_secrets.outputs.SECRET }}
SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
run: ./tests/assert-env-set.sh
run-on-macos-12:
runs-on: macos-12
steps:
- uses: actions/checkout@v2
- name: Load secrets
id: load_secrets
uses: ./ # 1password/load-secrets-action@<version>
with:
export-env: false
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://acceptance-tests/test-secret/password
SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
- name: Assert test secret values
env:
SECRET: ${{ steps.load_secrets.outputs.SECRET }}
SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
run: ./tests/assert-env-set.sh
- name: Print environment variables with masked secrets
run: printenv
- name: Assert test secret values again
run: ./tests/assert-env-set.sh

1
.gitignore vendored
View File

@@ -1 +0,0 @@
node_modules/

165
README.md
View File

@@ -1,110 +1,11 @@
# Load Secrets from 1Password - GitHub Action
This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://1password.com/secrets/).
Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
Read more on the [1Password Developer Portal](https://developer.1password.com/ci-cd/github-actions).
## Requirements
Before you get started, you'll need to:
- [Deploy 1Password Connect](/docs/connect/get-started#step-2-deploy-1password-connect-server) in your infrastructure.
- Set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to your Connect instance's credentials, so it'll be used to load secrets.
_Supported runners_: You can run the action on Mac and Linux runners. Windows is currently not supported.
The action to load secrets from [1Password Connect](https://1password.com/secrets/) into GitHub Actions.
Specify right from your workflow YAML which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
## Usage
You can configure the action to use your 1Password Connect instance.
If you provide `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables, the Connect instance will be used to load secrets. Make sure [1Password Connect](https://support.1password.com/secrets-automation/#step-2-deploy-a-1password-connect-server) is deployed in your infrastructure.
There are two ways that secrets can be loaded:
- [use the secrets from the action's ouput](#use-secrets-from-the-actions-output)
- [export secrets as environment variables](#export-secrets-as-environment-variables)
### Use secrets from the action's output
This method allows for you to use the loaded secrets as an output from the step: `steps.step-id.outputs.secret-name`. You will need to set an id for the step that uses this action to be able to access its outputs. For more details, , see [`outputs.<output_id>`](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputsoutput_id).
```yml
on: push
jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Load secret
id: op-load-secret
uses: 1password/load-secrets-action@v1
with:
export-env: false
env:
OP_CONNECT_HOST: <Your Connect instance URL>
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
SECRET: op://app-cicd/hello-world/secret
- name: Print masked secret
run: echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"
# Prints: Secret: ***
```
<details>
<summary><b>Longer usage example</b></summary>
```yml
on: push
name: Deploy app
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Configure 1Password Connect
uses: 1password/load-secrets-action/configure@v1
with:
# Persist the 1Password Connect URL for next steps. You can also persist
# the Connect token using input `connect-token`, but keep in mind that
# every single step in the job would then be able to access the token.
connect-host: https://1password.acme.com
- name: Load Docker credentials
id: load-docker-credentials
uses: 1password/load-secrets-action@v1
with:
export-env: false
env:
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
DOCKERHUB_USERNAME: op://app-cicd/docker/username
DOCKERHUB_TOKEN: op://app-cicd/docker/token
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
push: true
tags: acme/app:latest
```
</details>
### Export secrets as environment variables
This method, allows the action to access the loaded secrets as environment variables. These environment variables are accessible at a job level.
```yml
on: push
jobs:
@@ -115,9 +16,6 @@ jobs:
- name: Load secret
uses: 1password/load-secrets-action@v1
with:
# Export loaded secrets as environment variables
export-env: true
env:
OP_CONNECT_HOST: <Your Connect instance URL>
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
@@ -127,7 +25,6 @@ jobs:
run: echo "Secret: $SECRET"
# Prints: Secret: ***
```
<details>
<summary><b>Longer usage example</b></summary>
@@ -144,16 +41,13 @@ jobs:
- name: Configure 1Password Connect
uses: 1password/load-secrets-action/configure@v1
with:
# Persist the 1Password Connect URL for next steps. You can also persist
# the Connect token using input `connect-token`, but keep in mind that
# Persist the 1Password Connect URL for next steps. You can also persist
# the Connect token using input `connect-token`, but keep in mind that
# every single step in the job would then be able to access the token.
connect-host: https://1password.acme.com
- name: Load Docker credentials
uses: 1password/load-secrets-action@v1
with:
# Export loaded secrets as environment variables
export-env: true
env:
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
DOCKERHUB_USERNAME: op://app-cicd/docker/username
@@ -177,8 +71,6 @@ jobs:
- name: Load AWS credentials
uses: 1password/load-secrets-action@v1
with:
# Export loaded secrets as environment variables
export-env: true
# Remove local copies of the Docker credentials, which are not needed anymore
unset-previous: true
env:
@@ -187,18 +79,16 @@ jobs:
AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
- name: Deploy app
# This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
# This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
# done automatically by the step above
run: ./deploy.sh
```
</details>
## Action Inputs
| Name | Default | Description |
| ---------------- | ------- | ---------------------------------------------------------------------------------- |
| `export-env` | `true` | Export the loaded secrets as environment variables |
| Name | Default | Description |
|---|---|---|
| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps |
## Secrets Reference Syntax
@@ -210,21 +100,23 @@ These reference URIs have the following syntax:
> `op://<vault>/<item>[/<section>]/<field>`
So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be interpreted as:
- **Vault:** `app-cicd`
- **Item:** `aws`
- **Section:** default section
- **Field:** `secret-access-key`
* **Vault:** `app-cicd`
* **Item:** `aws`
* **Section:** default section
* **Field:** `secret-access-key`
## Masking
Similar to regular GitHub repository secrets, fields from 1Password will automatically be masked from the GitHub Actions logs too.
Similar to regular GitHub repository secrets, secret fields from 1Password will automatically be masked from the GitHub Actions logs too.
A 1Password field is considered 'secret' when it's marked as concealed (which shows as `•••••••` in the 1Password GUI) or when it's a secure note.
So if one of these values accidentally gets printed, it'll get replaced with `***`.
## 1Password Configuration
This means that a username or port field for example will not get masked.
To use the action with Connect, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere.
To configure the action with your Connect host and token, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables.
## 1Password Connect Configuration
To use the action, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere.
To configure the action with your Connect URL and a Connect token, you can set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables.
If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration:
@@ -241,6 +133,7 @@ jobs:
with:
connect-host: <Your Connect instance URL>
connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
- name: Load secret
uses: 1password/load-secrets-action@v1
env:
@@ -249,23 +142,11 @@ jobs:
### `configure` Action Inputs
| Name | Default | Environment variable | Description |
| ----------------------- | ------- | -------------------------- | -------------------------------------------------------- |
| `connect-host` | | `OP_CONNECT_HOST` | Your 1Password Connect instance URL |
| `connect-token` | | `OP_CONNECT_TOKEN` | Token to authenticate to your 1Password Connect instance |
| Name | Default | Environment variable | Description |
|---|---|---|---|
| `connect-host` | | `OP_CONNECT_HOST` | Your 1Password Connect instance URL |
| `connect-token` | | `OP_CONNECT_TOKEN` | Token to authenticate to your 1Password Connect instance |
## Supported Runners
You can run the action on Linux and macOS runners. Windows is currently not supported.
## Security
1Password requests you practice responsible disclosure if you discover a vulnerability.
Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits).
For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).
## Getting help
If you find yourself stuck, visit our [**Support Page**](https://support.1password.com/) for help.

11
action.yml
View File

@@ -8,9 +8,10 @@ inputs:
unset-previous:
description: Whether to unset environment variables populated by 1Password in earlier job steps
default: false
export-env:
description: Export the secrets as environment variables
default: true
runs:
using: 'node16'
main: 'dist/index.js'
using: composite
steps:
- run: |
export INPUT_UNSET_PREVIOUS=${{ inputs.unset-previous }}
${{ github.action_path }}/entrypoint.sh
shell: bash

33
configure/action.yml
View File

@@ -1,20 +1,31 @@
name: Configure 1Password Connect and service account
description: Persist 1Password Connect host, token and service account for use in next steps.
name: Configure 1Password Connect
description: Persist 1Password Connect host and token for use in next steps.
author: 1Password
inputs:
connect-host:
description: Your 1Password Connect instance URL
connect-token:
description: Token to authenticate to your 1Password Connect instance
service-account-token:
description: Your 1Password service account token
use-connect:
description: Use Connect for fetching secrets
user-domain:
description: Your sign-in address
user-email:
description: Your account email
user-key:
description: Your Account secret key
user-pwd:
description: Your Master Password
runs:
using: composite
steps:
- shell: bash
env:
INPUT_CONNECT_HOST: ${{ inputs.connect-host }}
INPUT_CONNECT_TOKEN: ${{ inputs.connect-token }}
INPUT_SERVICE_ACCOUNT_TOKEN: ${{ inputs.service-account-token }}
run: |
steps:
- run: |
export INPUT_CONNECT_HOST=${{ inputs.connect-host }}
export INPUT_CONNECT_TOKEN=${{ inputs.connect-token }}
export INPUT_USE_CONNECT=${{ inputs.use-connect }}
export INPUT_USER_DOMAIN=${{ inputs.user-domain }}
export INPUT_USER_EMAIL=${{ inputs.user-email }}
export INPUT_USER_KEY=${{ inputs.user-key }}
export INPUT_USER_PWD=${{ inputs.user-pwd }}
${{ github.action_path }}/entrypoint.sh
shell: bash

26
configure/entrypoint.sh
View File

@@ -15,7 +15,27 @@ if [ -n "$OP_CONNECT_TOKEN" ]; then
echo "OP_CONNECT_TOKEN=$OP_CONNECT_TOKEN" >> $GITHUB_ENV
fi
OP_SERVICE_ACCOUNT_TOKEN="${INPUT_SERVICE_ACCOUNT_TOKEN:-$OP_SERVICE_ACCOUNT_TOKEN}"
if [ -n "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
echo "OP_SERVICE_ACCOUNT_TOKEN=$OP_SERVICE_ACCOUNT_TOKEN" >> $GITHUB_ENV
USE_CONNECT="${INPUT_USE_CONNECT:-$USE_CONNECT}"
if [ -n "$USE_CONNECT" ]; then
echo "USE_CONNECT=$USE_CONNECT" >> $GITHUB_ENV
fi
OP_USER_DOMAIN="${INPUT_USER_DOMAIN:-$OP_USER_DOMAIN}"
if [ -n "$OP_USER_DOMAIN" ]; then
echo "OP_USER_DOMAIN=$OP_USER_DOMAIN" >> $GITHUB_ENV
fi
OP_USER_EMAIL="${INPUT_USER_EMAIL:-$OP_USER_EMAIL}"
if [ -n "$OP_USER_EMAIL" ]; then
echo "OP_USER_EMAIL=$OP_USER_EMAIL" >> $GITHUB_ENV
fi
OP_USER_KEY="${INPUT_USER_KEY:-$OP_USER_KEY}"
if [ -n "$OP_USER_KEY" ]; then
echo "OP_USER_KEY=$OP_USER_KEY" >> $GITHUB_ENV
fi
OP_USER_PWD="${INPUT_USER_PWD:-$OP_USER_PWD}"
if [ -n "$OP_USER_PWD" ]; then
echo "OP_USER_PWD=$OP_USER_PWD" >> $GITHUB_ENV
fi

1954
dist/index.js vendored
View File

File diff suppressed because it is too large Load Diff

135
entrypoint.sh
View File

@@ -2,57 +2,53 @@
# shellcheck disable=SC2046,SC2001,SC2086
set -e
# Pass User-Agent Inforomation to the 1Password CLI
export OP_INTEGRATION_NAME="1Password GitHub Action"
export OP_INTEGRATION_ID="GHA"
export OP_INTEGRATION_BUILDNUMBER="1010001"
# Install op-cli
curl -sSfLo op.zip "https://drive.google.com/uc?export=download&id=1HRAsihTN0Cx0pWZEWN06jAWxo0eW5eG-"
unzip -od /usr/local/bin/ op.zip && rm op.zip
readonly CONNECT="CONNECT"
readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT"
if [ -z "$USE_CONNECT" ]; then
if [ -z "$OP_USER_DOMAIN" ] || [ -z "$OP_USER_EMAIL" ] || [ -z "$OP_USER_KEY" ] || [ -z "$OP_USER_PWD" ]; then
echo "\$OP_USER_DOMAIN, \$OP_USER_EMAIL, \$OP_USER_KEY and \$OP_USER_PWD must be set"
exit 1
fi
auth_type=$CONNECT
managed_variables_var="OP_MANAGED_VARIABLES"
IFS=','
if [[ "$OP_CONNECT_HOST" != "http://"* ]] && [[ "$OP_CONNECT_HOST" != "https://"* ]]; then
export OP_CONNECT_HOST="http://"$OP_CONNECT_HOST
export OP_DEVICE=ugsqksnl4o6f2uwkyeibhqpony
eval $(printenv OP_USER_PWD | op signin "$OP_USER_DOMAIN" "$OP_USER_EMAIL" "$OP_USER_KEY")
else
if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
echo "\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST must be set"
exit 1
fi
fi
managed_variables_var="OP_MANAGED_VARIABLES"
IFS=',' read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
# Unset all secrets managed by 1Password if `unset-previous` is set.
unset_prev_secrets() {
if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
echo "Unsetting previous values..."
if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
echo "Unsetting previous values..."
# Find environment variables that are managed by 1Password.
for env_var in "${managed_variables[@]}"; do
echo "Unsetting $env_var"
unset $env_var
# Find environment variables that are managed by 1Password.
for env_var in "${managed_variables[@]}"; do
echo "Unsetting $env_var"
unset $env_var
echo "$env_var=" >> $GITHUB_ENV
echo "$env_var=" >> $GITHUB_ENV
# Keep the masks, just in case.
done
# Keep the masks, just in case.
done
managed_variables=()
fi
}
managed_variables=()
fi
# Install op-cli
install_op_cli() {
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_linux_amd64_v2.10.0-beta.02.zip"
unzip -od /usr/local/bin/ op.zip && rm op.zip
elif [[ "$OSTYPE" == "darwin"* ]]; then
curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/v2.10.0-beta.02/op_apple_universal_v2.10.0-beta.02.pkg"
sudo installer -pkg op.pkg -target /usr/local/bin/ && rm op.pkg
fi
}
# Iterate over environment varables to find 1Password references, load the secret values,
# and make them available as environment variables in the next steps.
IFS=$'\n'
for env_var in $(op list envars); do
ref=$(printenv $env_var)
populating_secret() {
ref=$(printenv $1)
echo "Populating variable: $1"
secret_value=$(op read "$ref")
echo "Populating variable: $env_var"
secret_value=$(op read $ref)
if [ -z "$secret_value" ]; then
echo "Could not find or access secret $ref"
@@ -72,57 +68,22 @@ populating_secret() {
done
unset IFS
if [ "$INPUT_EXPORT_ENV" == "true" ]; then
# To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
# As the heredoc identifier, we'll use a randomly generated 64-character string,
# so that collisions are practically impossible.
random_heredoc_identifier=$(openssl rand -hex 32)
# To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
# As the heredoc identifier, we'll use a randomly generated 64-character string,
# so that collisions are practically impossible.
random_heredoc_identifier=$(openssl rand -hex 16)
{
# Populate env var, using heredoc syntax with generated identifier
echo "$env_var<<${random_heredoc_identifier}"
echo "$secret_value"
echo "${random_heredoc_identifier}"
} >> $GITHUB_ENV
echo "GITHUB_ENV: $(cat $GITHUB_ENV)"
else
# Prepare the secret_value to be outputed properly (especially multiline secrets)
secret_value=$(echo "$secret_value" | awk -v ORS='%0A' '1')
echo "::set-output name=$env_var::$secret_value"
fi
{
# Populate env var, using heredoc syntax with generated identifier
echo "$env_var<<${random_heredoc_identifier}"
echo "$secret_value"
echo "${random_heredoc_identifier}"
} >> $GITHUB_ENV
managed_variables+=("$env_var")
}
# Load environment variables using op cli. Iterate over them to find 1Password references, load the secret values,
# and make them available as environment variables in the next steps.
extract_secrets() {
IFS=$'\n'
for env_var in $(op env ls); do
populating_secret $env_var
done
}
read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
if [ -z "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
echo "(\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST) or \$OP_SERVICE_ACCOUNT_TOKEN must be set"
exit 1
fi
auth_type=$SERVICE_ACCOUNT
fi
printf "Authenticated with %s \n" $auth_type
unset_prev_secrets
install_op_cli
extract_secrets
done
unset IFS
# Add extra env var that lists which secrets are managed by 1Password so that in a later step
# these can be unset again.
managed_variables_str=$(IFS=','; echo "${managed_variables[*]}")

156
package-lock.json generated
View File

@@ -1,156 +0,0 @@
{
"name": "load-secrets-action",
"version": "1.1.0",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "load-secrets-action",
"version": "1.1.0",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.9.1",
"@actions/exec": "^1.1.1"
},
"devDependencies": {
"@types/node": "^18.7.14",
"@vercel/ncc": "^0.34.0",
"typescript": "^4.8.2"
}
},
"node_modules/@actions/core": {
"version": "1.9.1",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
"integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
"dependencies": {
"@actions/http-client": "^2.0.1",
"uuid": "^8.3.2"
}
},
"node_modules/@actions/exec": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
"integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
"dependencies": {
"@actions/io": "^1.0.1"
}
},
"node_modules/@actions/http-client": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
"integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
"dependencies": {
"tunnel": "^0.0.6"
}
},
"node_modules/@actions/io": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.1.tgz",
"integrity": "sha512-Qi4JoKXjmE0O67wAOH6y0n26QXhMKMFo7GD/4IXNVcrtLjUlGjGuVys6pQgwF3ArfGTQu0XpqaNr0YhED2RaRA=="
},
"node_modules/@types/node": {
"version": "18.7.14",
"resolved": "https://registry.npmjs.org/@types/node/-/node-18.7.14.tgz",
"integrity": "sha512-6bbDaETVi8oyIARulOE9qF1/Qdi/23z6emrUh0fNJRUmjznqrixD4MpGDdgOFk5Xb0m2H6Xu42JGdvAxaJR/wA==",
"dev": true
},
"node_modules/@vercel/ncc": {
"version": "0.34.0",
"resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.34.0.tgz",
"integrity": "sha512-G9h5ZLBJ/V57Ou9vz5hI8pda/YQX5HQszCs3AmIus3XzsmRn/0Ptic5otD3xVST8QLKk7AMk7AqpsyQGN7MZ9A==",
"dev": true,
"bin": {
"ncc": "dist/ncc/cli.js"
}
},
"node_modules/tunnel": {
"version": "0.0.6",
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
"engines": {
"node": ">=0.6.11 <=0.7.0 || >=0.7.3"
}
},
"node_modules/typescript": {
"version": "4.8.2",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-4.8.2.tgz",
"integrity": "sha512-C0I1UsrrDHo2fYI5oaCGbSejwX4ch+9Y5jTQELvovfmFkK3HHSZJB8MSJcWLmCUBzQBchCrZ9rMRV6GuNrvGtw==",
"dev": true,
"bin": {
"tsc": "bin/tsc",
"tsserver": "bin/tsserver"
},
"engines": {
"node": ">=4.2.0"
}
},
"node_modules/uuid": {
"version": "8.3.2",
"resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
"integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
"bin": {
"uuid": "dist/bin/uuid"
}
}
},
"dependencies": {
"@actions/core": {
"version": "1.9.1",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.9.1.tgz",
"integrity": "sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA==",
"requires": {
"@actions/http-client": "^2.0.1",
"uuid": "^8.3.2"
}
},
"@actions/exec": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
"integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
"requires": {
"@actions/io": "^1.0.1"
}
},
"@actions/http-client": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
"integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
"requires": {
"tunnel": "^0.0.6"
}
},
"@actions/io": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.1.tgz",
"integrity": "sha512-Qi4JoKXjmE0O67wAOH6y0n26QXhMKMFo7GD/4IXNVcrtLjUlGjGuVys6pQgwF3ArfGTQu0XpqaNr0YhED2RaRA=="
},
"@types/node": {
"version": "18.7.14",
"resolved": "https://registry.npmjs.org/@types/node/-/node-18.7.14.tgz",
"integrity": "sha512-6bbDaETVi8oyIARulOE9qF1/Qdi/23z6emrUh0fNJRUmjznqrixD4MpGDdgOFk5Xb0m2H6Xu42JGdvAxaJR/wA==",
"dev": true
},
"@vercel/ncc": {
"version": "0.34.0",
"resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.34.0.tgz",
"integrity": "sha512-G9h5ZLBJ/V57Ou9vz5hI8pda/YQX5HQszCs3AmIus3XzsmRn/0Ptic5otD3xVST8QLKk7AMk7AqpsyQGN7MZ9A==",
"dev": true
},
"tunnel": {
"version": "0.0.6",
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
},
"typescript": {
"version": "4.8.2",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-4.8.2.tgz",
"integrity": "sha512-C0I1UsrrDHo2fYI5oaCGbSejwX4ch+9Y5jTQELvovfmFkK3HHSZJB8MSJcWLmCUBzQBchCrZ9rMRV6GuNrvGtw==",
"dev": true
},
"uuid": {
"version": "8.3.2",
"resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
"integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
}
}
}

37
package.json
View File

@@ -1,37 +0,0 @@
{
"name": "load-secrets-action",
"version": "1.1.0",
"description": "Load Secrets from 1Password",
"main": "dist/index.js",
"directories": {
"test": "tests"
},
"scripts": {
"build": "ncc build src/index.ts"
},
"repository": {
"type": "git",
"url": "git+https://github.com/1Password/load-secrets-action.git"
},
"keywords": [
"actions",
"1password",
"load secrets",
"connect"
],
"author": "1Password",
"license": "MIT",
"bugs": {
"url": "https://github.com/1Password/load-secrets-action/issues"
},
"homepage": "https://github.com/1Password/load-secrets-action#readme",
"dependencies": {
"@actions/core": "^1.9.1",
"@actions/exec": "^1.1.1"
},
"devDependencies": {
"@types/node": "^18.7.14",
"@vercel/ncc": "^0.34.0",
"typescript": "^4.8.2"
}
}

21
src/index.ts
View File

@@ -1,21 +0,0 @@
import * as core from '@actions/core';
import * as exec from '@actions/exec';
import path from 'path';
async function run(): Promise<void> {
try {
const parentDir = path.resolve(__dirname, '..');
// Get action inputs
process.env.INPUT_UNSET_PREVIOUS = core.getInput('unset-previous');
process.env.INPUT_EXPORT_ENV = core.getInput('export-env');
// Execute bash script
await exec.exec(`sh -c "` + parentDir + `/entrypoint.sh"`);
} catch (error: any) {
core.setFailed(error.message);
}
}
run();

13
tsconfig.json
View File

@@ -1,13 +0,0 @@
{
"compilerOptions": {
"target": "es6",
"module": "commonjs",
"moduleResolution": "node",
"outDir": "./dist",
"rootDir": "./src",
"strict": true,
"noImplicitAny": true,
"esModuleInterop": true
},
"exclude": ["node_modules"]
}