Point to the feature branch to run tests

Set `export-env` input to `false` by default

.github/workflows/acceptance-test.yml

@@ -0,0 +1,116 @@
+name: Acceptance test
+
+on:
+  workflow_call:
+    inputs:
+      secret:
+        required: true
+        type: string
+      secret-in-section:
+        required: true
+        type: string
+      multiline-secret:
+        required: true
+        type: string
+      export-env:
+        required: true
+        type: boolean
+      cli-version:
+        required: false
+        type: string
+        default: "latest"
+      os:
+        required: true
+        type: string
+        default: "ubuntu-latest"
+      auth:
+        required: true
+        type: string
+
+jobs:
+  acceptance-test:
+    runs-on: ${{ inputs.os }}
+    steps:
+      - name: Base checkout
+        uses: actions/checkout@v4
+        if: |
+          github.event_name != 'repository_dispatch' &&
+          (
+            github.ref == 'refs/heads/main' || 
+            (
+              github.event_name == 'pull_request' && 
+              github.event.pull_request.head.repo.full_name == github.repository
+            )
+          )
+      - name: Fork based /ok-to-test checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.client_payload.pull_request.head.sha }}
+        if: |
+          github.event_name == 'repository_dispatch' &&
+          github.event.client_payload.slash_command.args.named.sha != '' &&
+          contains(
+            github.event.client_payload.pull_request.head.sha,
+            github.event.client_payload.slash_command.args.named.sha
+          )
+      - name: Launch 1Password Connect instance
+        if: ${{ inputs.auth == 'connect' }}
+        env:
+          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+        run: |
+          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
+          docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ inputs.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Verify Service Account env var is set
+        if: ${{ inputs.auth == 'service-account' }}
+        shell: bash
+        run: |
+          if [ -z "${OP_SERVICE_ACCOUNT_TOKEN}" ]; then
+            echo "OP_SERVICE_ACCOUNT_TOKEN environment variable is not set" >&2
+            exit 1
+          fi
+      - name: Configure 1Password Connect
+        if: ${{ inputs.auth == 'connect' }}
+        uses: ./configure # 1password/load-secrets-action/configure@<version>
+        with:
+          connect-host: http://localhost:8080
+          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+      - name: Verify Connect env vars are set
+        if: ${{ inputs.auth == 'connect' }}
+        run: |
+          if [ -z "$OP_CONNECT_HOST" ] || [ -z "$OP_CONNECT_TOKEN" ]; then
+            echo "OP_CONNECT_HOST or OP_CONNECT_TOKEN environment variables are not set" >&2
+            exit 1
+          fi
+      - name: Load secrets
+        id: load_secrets
+        uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          cli-version: ${{ inputs.cli-version }}
+          export-env: ${{ inputs.export-env }}
+        env:
+          SECRET: ${{ inputs.secret }}
+          SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
+          MULTILINE_SECRET: ${{ inputs.multiline-secret }}
+      - name: Assert test secret values [step output]
+        if: ${{ !inputs.export-env }}
+        env:
+          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+        run: ./tests/assert-env-set.sh
+      - name: Assert test secret values [exported env]
+        if: ${{ inputs.export-env }}
+        run: ./tests/assert-env-set.sh
+      - name: Remove secrets [exported env]
+        if: ${{ inputs.export-env }}
+        uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          unset-previous: true
+      - name: Assert removed secrets [exported env]
+        if: ${{ inputs.export-env }}
+        run: ./tests/assert-env-unset.sh

.github/workflows/lint.yml

@@ -1,4 +1,7 @@
-on: pull_request
+on:
+  push:
+    branches: [main]
+  pull_request:
 name: Lint
 
 jobs:
@@ -11,3 +14,16 @@ jobs:
         with:
           ignore_paths: >-
             .husky
+      - name: Setup Node.js
+        id: setup-node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+      - name: Install Dependencies
+        id: install
+        run: npm ci
+      - name: Check formatting
+        run: npm run format:check
+      - name: Check lint
+        run: npm run lint

.github/workflows/ok-to-test.yml

@@ -0,0 +1,25 @@
+# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event
+name: Ok To Test
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  ok-to-test:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # For adding reactions to the pull request comments
+      contents: write # For executing the repository_dispatch event
+    # Only run for PRs, not issue comments
+    if: ${{ github.event.issue.pull_request }}
+    steps:
+      - name: Slash Command Dispatch
+        uses: peter-evans/slash-command-dispatch@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          reaction-token: ${{ secrets.GITHUB_TOKEN }}
+          issue-type: pull-request
+          commands: ok-to-test
+          # The repository permission level required by the user to dispatch commands. Only allows 1Password collaborators to run this.
+          permission: write

.github/workflows/pr-check-signed-commits.yml

@@ -0,0 +1,13 @@
+name: Check signed commits in PR
+on: pull_request_target
+
+jobs:
+  build:
+    name: Check signed commits in PR
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check signed commits in PR
+        uses: 1Password/check-signed-commits-action@v1

.github/workflows/test-fork.yml

@@ -0,0 +1,92 @@
+on:
+  repository_dispatch:
+    types: [ok-to-test-command]
+name: Run acceptance tests [fork]
+
+jobs:
+  test-with-output-secrets:
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: false
+  test-with-export-env:
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: true
+  test-references-with-ids:
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
+      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
+      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
+      export-env: false
+  update-checks:
+    # required permissions for updating the status of the pull request checks
+    permissions:
+      pull-requests: write
+      checks: write
+    runs-on: ubuntu-latest
+    if: ${{ always() }}
+    strategy:
+      matrix:
+        job-name:
+          [
+            test-with-output-secrets,
+            test-with-export-env,
+            test-references-with-ids,
+          ]
+    needs:
+      [test-with-output-secrets, test-with-export-env, test-references-with-ids]
+    steps:
+      - uses: actions/github-script@v6
+        env:
+          job: ${{ matrix.job-name }}
+          ref: ${{ github.event.client_payload.pull_request.head.sha }}
+          conclusion: ${{ needs[format('{0}', matrix.job-name )].result }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { data: checks } = await github.rest.checks.listForRef({
+              ...context.repo,
+              ref: process.env.ref
+            });
+
+            const check = checks.check_runs.filter(c => c.name === process.env.job);
+
+            const { data: result } = await github.rest.checks.update({
+              ...context.repo,
+              check_run_id: check[0].id,
+              status: 'completed',
+              conclusion: process.env.conclusion
+            });
+
+            return result;

.github/workflows/test.yml

@@ -1,136 +1,100 @@
-on: push
+on:
+  push:
+    branches: [main]
+  pull_request:
 name: Run acceptance tests
 
 jobs:
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      - run: npm ci
+      - run: npm test
+
   test-with-output-secrets:
+    if: |
+      github.ref == 'refs/heads/main' ||
+      (
+        github.event_name == 'pull_request' && 
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/rename-version-input # TODO: temporary point to this branch so tests can run with update input
+    secrets: inherit
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        cli-version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
         auth: [connect, service-account]
         exclude:
           - os: macos-latest
             auth: connect
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Launch 1Password Connect instance
-        if: ${{ matrix.auth == 'connect' }}
-        env:
-          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
-        run: |
-          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
-      - name: Configure Service account
-        if: ${{ matrix.auth == 'service-account' }}
-        uses: ./configure
-        with:
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      - name: Configure 1Password Connect
-        if: ${{ matrix.auth == 'connect' }}
-        uses: ./configure # 1password/load-secrets-action/configure@<version>
-        with:
-          connect-host: localhost:8080
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        with:
-          export-env: false
-        env:
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh
+          - os: windows-latest
+            auth: connect
+    with:
+      os: ${{ matrix.os }}
+      cli-version: ${{ matrix.cli-version }}
+      auth: ${{ matrix.auth }}
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: false
+
   test-with-export-env:
+    if: |
+      github.ref == 'refs/heads/main' ||
+      (
+        github.event_name == 'pull_request' && 
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/rename-version-input # TODO: temporary point to this branch so tests can run with update input
+    secrets: inherit
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        cli-version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
         auth: [connect, service-account]
         exclude:
           - os: macos-latest
             auth: connect
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Launch 1Password Connect instance
-        if: ${{ matrix.auth == 'connect' }}
-        env:
-          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
-        run: |
-          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
-      - name: Configure Service account
-        if: ${{ matrix.auth == 'service-account' }}
-        uses: ./configure
-        with:
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      - name: Configure 1Password Connect
-        if: ${{ matrix.auth == 'connect' }}
-        uses: ./configure # 1password/load-secrets-action/configure@<version>
-        with:
-          connect-host: http://localhost:8080
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        env:
-          SECRET: op://acceptance-tests/test-secret/password
-          SECRET_IN_SECTION: op://acceptance-tests/test-secret/test-section/password
-          MULTILINE_SECRET: op://acceptance-tests/multiline-secret/notesPlain
-      - name: Assert test secret values
-        run: ./tests/assert-env-set.sh
-      - name: Remove secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        with:
-          unset-previous: true
-      - name: Assert removed secrets
-        run: ./tests/assert-env-unset.sh
+          - os: windows-latest
+            auth: connect
+    with:
+      os: ${{ matrix.os }}
+      cli-version: ${{ matrix.cli-version }}
+      auth: ${{ matrix.auth }}
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: true
+
   test-references-with-ids:
+    if: |
+      github.ref == 'refs/heads/main' ||
+      (
+        github.event_name == 'pull_request' && 
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/rename-version-input # TODO: temporary point to this branch so tests can run with update input
+    secrets: inherit
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        cli-version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
         auth: [connect, service-account]
         exclude:
           - os: macos-latest
             auth: connect
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Launch 1Password Connect instance
-        if: ${{ matrix.auth == 'connect' }}
-        env:
-          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
-        run: |
-          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker-compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
-      - name: Configure Service account
-        if: ${{ matrix.auth == 'service-account' }}
-        uses: ./configure
-        with:
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      - name: Configure 1Password Connect
-        if: ${{ matrix.auth == 'connect' }}
-        uses: ./configure # 1password/load-secrets-action/configure@<version>
-        with:
-          connect-host: http://localhost:8080
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        with:
-          export-env: false
-        env:
-          SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
-          SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
-          MULTILINE_SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
-      - name: Assert test secret values
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh
+          - os: windows-latest
+            auth: connect
+    with:
+      os: ${{ matrix.os }}
+      cli-version: ${{ matrix.cli-version }}
+      auth: ${{ matrix.auth }}
+      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
+      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
+      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
+      export-env: false

CONTRIBUTING.md

@@ -0,0 +1,54 @@
+# Contributing
+
+Thank you for your interest in contributing to the 1Password load-secrets-action project 👋! Before you start, please take a moment to read through this guide to understand our contribution process.
+
+## Testing
+
+Unit tests can be run with `npm run test`.
+
+After following the steps below for signing commits, you can test against your PR with these steps:
+
+1. Create or use an existing repo to run the `load-secrets` GitHub Action.
+2. In a workflow yaml file that uses the GitHub Action, modify the `uses: 1Password/load-secrets-action` line to be
+
+   ```yaml
+   uses: 1Password/load-secrets-action@<branch-name>
+   ```
+
+   OR
+
+   ```yaml
+   uses: 1Password/load-secrets-action@<commit-hash>
+   ```
+
+3. Trigger the action, which now includes your changes.
+
+## Documentation Updates
+
+If applicable, update the [README.md](./README.md) to reflect any changes introduced by the new code.
+
+## Sign your commits
+
+To get your PR merged, we require you to sign your commits.
+
+### Sign commits with 1Password
+
+You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process.
+
+Learn how to use [1Password to sign your commits](https://developer.1password.com/docs/ssh/git-commit-signing/).
+
+### Sign commits with ssh-agent
+
+Follow the steps below to set up commit signing with `ssh-agent`:
+
+1. [Generate an SSH key and add it to ssh-agent](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent)
+2. [Add the SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)
+3. [Configure git to use your SSH key for commits signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key)
+
+### Sign commits with gpg
+
+Follow the steps below to set up commit signing with `gpg`:
+
+1. [Generate a GPG key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key)
+2. [Add the GPG key to your GitHub account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account)
+3. [Configure git to use your GPG key for commits signing](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-gpg-key)

README.md

@@ -23,16 +23,40 @@ Read more on the [1Password Developer Portal](https://developer.1password.com/do
 
 ## ✨ Quickstart
 
+### Export secrets as a step's output (recommended)
+
 ```yml
 on: push
 jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Load secret
-        uses: 1password/load-secrets-action@v1
+        id: load_secret
+        uses: 1password/load-secrets-action@v3
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          SECRET: op://app-cicd/hello-world/secret
+
+      - name: Print masked secret
+        run: 'echo "Secret: ${{ steps.load_secrets.outputs.SECRET }}"'
+        # Prints: Secret: ***
+```
+
+### Export secrets as env variables
+
+```yml
+on: push
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Load secret
+        uses: 1password/load-secrets-action@v3
         with:
           # Export loaded secrets as environment variables
           export-env: true
@@ -41,20 +65,18 @@ jobs:
           SECRET: op://app-cicd/hello-world/secret
 
       - name: Print masked secret
-        run: echo "Secret: $SECRET"
+        run: 'echo "Secret: $SECRET"'
         # Prints: Secret: ***
 ```
 
 ## 💙 Community & Support
 
 - File an [issue](https://github.com/1Password/load-secrets-action/issues) for bugs and feature requests.
-- Join the [Developer Slack workspace](https://join.slack.com/t/1password-devs/shared_invite/zt-1halo11ps-6o9pEv96xZ3LtX_VE0fJQA).
+- Join the [Developer Slack workspace](https://developer.1password.com/joinslack).
 - Subscribe to the [Developer Newsletter](https://1password.com/dev-subscribe/).
 
 ## 🔐 Security
 
 1Password requests you practice responsible disclosure if you discover a vulnerability.
 
-Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits).
-
-For information about security practices, please visit the [1Password Bug Bounty Program](https://bugcrowd.com/agilebits).
+Please file requests by sending an email to bugbounty@agilebits.com.

action.yml

@@ -10,7 +10,10 @@ inputs:
     default: "false"
   export-env:
     description: Export the secrets as environment variables
-    default: "true"
+    default: "false"
+  cli-version:
+    description: Specify which 1Password CLI version to install. Defaults to "latest".
+    default: "latest"
 runs:
-  using: "node16"
+  using: "node20"
   main: "dist/index.js"

config/jest.config.js

@@ -11,7 +11,16 @@ const jestConfig = {
 	testEnvironment: "node",
 	testRegex: "(/__tests__/.*|(\\.|/)test)\\.ts",
 	transform: {
-		".ts": ["ts-jest"],
+		".ts": [
+			"ts-jest",
+			{
+				// Note: We shouldn't need to include `isolatedModules` here because it's a deprecated config option in TS 5,
+				// but setting it to `true` fixes the `ESM syntax is not allowed in a CommonJS module when
+				// 'verbatimModuleSyntax' is enabled` error that we're seeing when running our Jest tests.
+				isolatedModules: true,
+				useESM: true,
+			},
+		],
 	},
 	verbose: true,
 };

configure/action.yml

@@ -9,12 +9,5 @@ inputs:
   service-account-token:
     description: Your 1Password service account token
 runs:
-  using: composite
-  steps:
-    - shell: bash
-      env:
-        INPUT_CONNECT_HOST: ${{ inputs.connect-host }}
-        INPUT_CONNECT_TOKEN: ${{ inputs.connect-token }}
-        INPUT_SERVICE_ACCOUNT_TOKEN: ${{ inputs.service-account-token }}
-      run: |
-        ${{ github.action_path }}/entrypoint.sh
+  using: "node20"
+  main: "dist/index.js"

configure/dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "commonjs"
+}

configure/entrypoint.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2086
-set -e
-
-# Capture Connect configuration in $GITHUB_ENV, giving (optional) inputs 
-# precendence over OP_CONNECT_* environment variables.
-
-OP_CONNECT_HOST="${INPUT_CONNECT_HOST:-$OP_CONNECT_HOST}"
-if [ -n "$OP_CONNECT_HOST" ]; then
-  echo "OP_CONNECT_HOST=$OP_CONNECT_HOST" >> $GITHUB_ENV
-fi
-
-OP_CONNECT_TOKEN="${INPUT_CONNECT_TOKEN:-$OP_CONNECT_TOKEN}"
-if [ -n "$OP_CONNECT_TOKEN" ]; then
-  echo "OP_CONNECT_TOKEN=$OP_CONNECT_TOKEN" >> $GITHUB_ENV
-fi
-
-OP_SERVICE_ACCOUNT_TOKEN="${INPUT_SERVICE_ACCOUNT_TOKEN:-$OP_SERVICE_ACCOUNT_TOKEN}"
-if [ -n "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
-  echo "OP_SERVICE_ACCOUNT_TOKEN=$OP_SERVICE_ACCOUNT_TOKEN" >> $GITHUB_ENV
-fi

configure/index.js

@@ -0,0 +1,27 @@
+const core = require("@actions/core");
+
+const configure = () => {
+	const OP_CONNECT_HOST =
+		core.getInput("connect-host", { required: false }) ||
+		process.env.OP_CONNECT_HOST;
+	const OP_CONNECT_TOKEN =
+		core.getInput("connect-token", { required: false }) ||
+		process.env.OP_CONNECT_TOKEN;
+	const OP_SERVICE_ACCOUNT_TOKEN =
+		core.getInput("service-account-token", { required: false }) ||
+		process.env.OP_SERVICE_ACCOUNT_TOKEN;
+
+	if (OP_CONNECT_HOST) {
+		core.exportVariable("OP_CONNECT_HOST", OP_CONNECT_HOST);
+	}
+
+	if (OP_CONNECT_TOKEN) {
+		core.exportVariable("OP_CONNECT_TOKEN", OP_CONNECT_TOKEN);
+	}
+
+	if (OP_SERVICE_ACCOUNT_TOKEN) {
+		core.exportVariable("OP_SERVICE_ACCOUNT_TOKEN", OP_SERVICE_ACCOUNT_TOKEN);
+	}
+};
+
+configure();

dist/package.json

@@ -1,3 +1,3 @@
 {
-  "type": "module"
+  "type": "commonjs"
 }

entrypoint.sh

@@ -1,172 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2046,SC2001,SC2086
-set -e
-
-# Pass User-Agent Inforomation to the 1Password CLI
-export OP_INTEGRATION_NAME="1Password GitHub Action"
-export OP_INTEGRATION_ID="GHA"
-export OP_INTEGRATION_BUILDNUMBER="1010001"
-
-readonly CONNECT="CONNECT"
-readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT"
-
-auth_type=$CONNECT
-managed_variables_var="OP_MANAGED_VARIABLES"
-IFS=','
-
-if [[ "$OP_CONNECT_HOST" != "http://"* ]] && [[ "$OP_CONNECT_HOST" != "https://"* ]]; then
-  export OP_CONNECT_HOST="http://"$OP_CONNECT_HOST
-fi
-
-# Unset all secrets managed by 1Password if `unset-previous` is set.
-unset_prev_secrets() {
-  if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
-    echo "Unsetting previous values..."
-
-    # Find environment variables that are managed by 1Password.
-    for env_var in "${managed_variables[@]}"; do
-      echo "Unsetting $env_var"
-      unset $env_var
-
-      echo "$env_var=" >> $GITHUB_ENV
-
-      # Keep the masks, just in case.
-    done
-
-    managed_variables=()
-  fi
-}
-
-# Install op-cli
-install_op_cli() {
-  # Create a temporary directory where the CLI is installed
-  OP_INSTALL_DIR="$(mktemp -d)"
-  if [[ ! -d "$OP_INSTALL_DIR" ]]; then
-    echo "Install dir $OP_INSTALL_DIR not found"
-    exit 1
-  fi
-  export OP_INSTALL_DIR
-  echo "::debug::OP_INSTALL_DIR: ${OP_INSTALL_DIR}"
-
-  # Get the latest stable version of the CLI
-  OP_CLI_VERSION="v$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | jq -r .version)"
-
-  if [[ "$OSTYPE" == "linux-gnu"* ]]; then
-    # Get runner's architecture
-    ARCH=$(uname -m)
-    if [[ "$(getconf LONG_BIT)" = 32 ]]; then
-      ARCH="386"
-    elif [[ "$ARCH" == "x86_64" ]]; then
-      ARCH="amd64"
-    elif [[ "$ARCH" == "aarch64" ]]; then
-      ARCH="arm64"
-    fi
-
-    if [[ "$ARCH" != "386" ]] && [[ "$ARCH" != "amd64" ]] && [[ "$ARCH" != "arm" ]] && [[ "$ARCH" != "arm64" ]]; then
-      echo "Unsupported architecture for the 1Password CLI: $ARCH."
-      exit 1
-    fi
-
-    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/${OP_CLI_VERSION}/op_linux_${ARCH}_${OP_CLI_VERSION}.zip"
-    unzip -od "$OP_INSTALL_DIR" op.zip && rm op.zip
-  elif [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/${OP_CLI_VERSION}/op_apple_universal_${OP_CLI_VERSION}.pkg"
-    pkgutil --expand op.pkg temp-pkg
-    tar -xvf temp-pkg/op.pkg/Payload -C "$OP_INSTALL_DIR"
-    rm -rf temp-pkg && rm op.pkg
-  else
-    echo "Operating system not supported yet for this GitHub Action: $OSTYPE."
-    exit 1
-  fi
-}
-
-# Uninstall op-cli
-uninstall_op_cli() {
-  if [[ -d "$OP_INSTALL_DIR" ]]; then
-    rm -fr "$OP_INSTALL_DIR"
-  fi
-}
-
-populating_secret() {
-  ref=$(printenv $1)
-
-  echo "Populating variable: $1"
-  secret_value=$("${OP_INSTALL_DIR}/op" read "$ref")
-
-  if [ -z "$secret_value" ]; then
-    echo "Could not find or access secret $ref"
-    exit 1
-  fi
-
-  # Register a mask for the secret to prevent accidental log exposure.
-  # To support multiline secrets, escape percent signs and add a mask per line.
-  escaped_mask_value=$(echo "$secret_value" | sed -e 's/%/%25/g')
-  IFS=$'\n'
-  for line in $escaped_mask_value; do
-    if [ "${#line}" -lt 3 ]; then
-      # To avoid false positives and unreadable logs, omit mask for lines that are too short.
-      continue
-    fi
-    echo "::add-mask::$line"
-  done
-  unset IFS
-
-  # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
-  # As the heredoc identifier, we'll use a randomly generated 64-character string,
-  # so that collisions are practically impossible.
-  # Read more: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings
-  delimiter="$(openssl rand -hex 32)"
-
-  if [ "$INPUT_EXPORT_ENV" == "true" ]; then
-    {
-      # Populate env var, using heredoc syntax with generated identifier
-      echo "$env_var<<${delimiter}"
-      echo "$secret_value"
-      echo "${delimiter}"
-    } >> $GITHUB_ENV
-    echo "GITHUB_ENV: $(cat $GITHUB_ENV)"
-
-  else
-    {
-      # Populate env var, using heredoc syntax with generated identifier
-      echo "$env_var<<${delimiter}"
-      echo "$secret_value"
-      echo "${delimiter}"
-    } >> $GITHUB_OUTPUT
-  fi
-
-  managed_variables+=("$env_var")
-}
-
-# Load environment variables using op cli. Iterate over them to find 1Password references, load the secret values,
-# and make them available as environment variables in the next steps.
-extract_secrets() {
-  IFS=$'\n'
-  for env_var in $("${OP_INSTALL_DIR}/op" env ls); do
-    populating_secret $env_var
-  done
-}
-
-read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
-
-if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
-  if [ -z "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
-    echo "(\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST) or \$OP_SERVICE_ACCOUNT_TOKEN must be set"
-    exit 1
-  fi
-
-  auth_type=$SERVICE_ACCOUNT
-fi
-
-printf "Authenticated with %s \n" $auth_type
-
-unset_prev_secrets
-install_op_cli
-extract_secrets
-uninstall_op_cli
-
-unset IFS
-# Add extra env var that lists which secrets are managed by 1Password so that in a later step
-# these can be unset again.
-managed_variables_str=$(IFS=','; echo "${managed_variables[*]}")
-echo "$managed_variables_var=$managed_variables_str" >> $GITHUB_ENV

package.json

@@ -1,14 +1,15 @@
 {
 	"name": "load-secrets-action",
-	"version": "1.2.0",
+	"version": "2.0.0",
 	"description": "Load Secrets from 1Password",
-	"type": "module",
 	"main": "dist/index.js",
 	"directories": {
 		"test": "tests"
 	},
 	"scripts": {
 		"build": "ncc build ./src/index.ts",
+		"build:configure": "ncc build ./configure/index.js -o ./configure/dist",
+		"build:all": "npm run build && npm run build:configure",
 		"format": "prettier --ignore-path ./config/.prettierignore",
 		"format:check": "npm run format -- --check ./",
 		"format:write": "npm run format -- --write ./",
@@ -39,22 +40,25 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
-		"@actions/core": "^1.10.0",
-		"@actions/exec": "^1.1.1"
+		"@1password/op-js": "^0.1.11",
+		"@actions/core": "^1.10.1",
+		"@actions/exec": "^1.1.1",
+		"op-cli-installer": "github:1Password/op-cli-installer#e6c1c758bc3339e5fe9b06255728039f688f73fa"
 	},
 	"devDependencies": {
-		"@1password/front-end-style": "^6.0.1",
-		"@types/jest": "^29.5.0",
-		"@types/node": "^18.15.10",
-		"@vercel/ncc": "^0.36.1",
-		"husky": "^8.0.3",
-		"jest": "^29.5.0",
-		"lint-staged": "^13.2.0",
-		"ts-jest": "^29.0.5",
-		"typescript": "^4.9.5"
+		"@1password/eslint-config": "^4.3.1",
+		"@1password/prettier-config": "^1.2.0",
+		"@types/jest": "^29.5.12",
+		"@types/node": "^20.11.30",
+		"@vercel/ncc": "^0.38.1",
+		"husky": "^9.0.11",
+		"jest": "^29.7.0",
+		"lint-staged": "^15.2.2",
+		"ts-jest": "^29.1.2",
+		"typescript": "^5.4.2"
 	},
 	"eslintConfig": {
-		"extends": "./node_modules/@1password/front-end-style/eslintrc.yml",
+		"extends": "@1password/eslint-config",
 		"ignorePatterns": [
 			"coverage/"
 		],
@@ -62,5 +66,5 @@
 			"project": "./tsconfig.json"
 		}
 	},
-	"prettier": "./node_modules/@1password/front-end-style/prettierrc.json"
+	"prettier": "@1password/prettier-config"
 }

src/constants.ts

@@ -0,0 +1,6 @@
+export const envConnectHost = "OP_CONNECT_HOST";
+export const envConnectToken = "OP_CONNECT_TOKEN";
+export const envServiceAccountToken = "OP_SERVICE_ACCOUNT_TOKEN";
+export const envManagedVariables = "OP_MANAGED_VARIABLES";
+
+export const authErr = `Authentication error with environment variables: you must set either 1) ${envServiceAccountToken}, or 2) both ${envConnectHost} and ${envConnectToken}.`;

src/index.ts

@@ -1,20 +1,27 @@
-import path from "path";
-import url from "url";
 import * as core from "@actions/core";
-import * as exec from "@actions/exec";
+import { validateCli } from "@1password/op-js";
+import { installCliOnGithubActionRunner } from "op-cli-installer";
+import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
 
-const run = async () => {
+const loadSecretsAction = async () => {
 	try {
-		const currentFile = url.fileURLToPath(import.meta.url);
-		const currentDir = path.dirname(currentFile);
-		const parentDir = path.resolve(currentDir, "..");
-
 		// Get action inputs
-		process.env.INPUT_UNSET_PREVIOUS = core.getInput("unset-previous");
-		process.env.INPUT_EXPORT_ENV = core.getInput("export-env");
+		const shouldUnsetPrevious = core.getBooleanInput("unset-previous");
+		const shouldExportEnv = core.getBooleanInput("export-env");
 
-		// Execute bash script
-		await exec.exec(`sh -c "` + parentDir + `/entrypoint.sh"`);
+		// Unset all secrets managed by 1Password if `unset-previous` is set.
+		if (shouldUnsetPrevious) {
+			unsetPrevious();
+		}
+
+		// Validate that a proper authentication configuration is set for the CLI
+		validateAuth();
+
+		// Download and install the CLI
+		await installCLI();
+
+		// Load secrets
+		await loadSecrets(shouldExportEnv);
 	} catch (error) {
 		// It's possible for the Error constructor to be modified to be anything
 		// in JavaScript, so the following code accounts for this possibility.
@@ -29,4 +36,18 @@ const run = async () => {
 	}
 };
 
-void run();
+// This function's name is an exception from the naming convention
+// since we refer to the 1Password CLI here.
+// eslint-disable-next-line @typescript-eslint/naming-convention
+const installCLI = async (): Promise<void> => {
+	// validateCli checks if there's an existing 1Password CLI installed on the runner.
+	// If there's no CLI installed, then validateCli will throw an error, which we will use
+	// as an indicator that we need to execute the installation script.
+	await validateCli().catch(async () => {
+		// defaults to `latest` if not provided
+		const cliVersion = core.getInput("cli-version");
+		await installCliOnGithubActionRunner(cliVersion);
+	});
+};
+
+void loadSecretsAction();

src/utils.test.ts

@@ -0,0 +1,164 @@
+import * as core from "@actions/core";
+import * as exec from "@actions/exec";
+import { read, setClientInfo } from "@1password/op-js";
+import {
+	extractSecret,
+	loadSecrets,
+	unsetPrevious,
+	validateAuth,
+} from "./utils";
+import {
+	authErr,
+	envConnectHost,
+	envConnectToken,
+	envManagedVariables,
+	envServiceAccountToken,
+} from "./constants";
+
+jest.mock("@actions/core");
+jest.mock("@actions/exec", () => ({
+	getExecOutput: jest.fn(() => ({
+		stdout: "MOCK_SECRET",
+	})),
+}));
+jest.mock("@1password/op-js");
+
+beforeEach(() => {
+	jest.clearAllMocks();
+});
+
+describe("validateAuth", () => {
+	const testConnectHost = "https://localhost:8000";
+	const testConnectToken = "token";
+	const testServiceAccountToken = "ops_token";
+
+	beforeEach(() => {
+		process.env[envConnectHost] = "";
+		process.env[envConnectToken] = "";
+		process.env[envServiceAccountToken] = "";
+	});
+
+	it("should throw an error when no config is provided", () => {
+		expect(validateAuth).toThrow(authErr);
+	});
+
+	it("should throw an error when partial Connect config is provided", () => {
+		process.env[envConnectHost] = testConnectHost;
+		expect(validateAuth).toThrow(authErr);
+	});
+
+	it("should be authenticated as a Connect client", () => {
+		process.env[envConnectHost] = testConnectHost;
+		process.env[envConnectToken] = testConnectToken;
+		expect(validateAuth).not.toThrow(authErr);
+		expect(core.info).toHaveBeenCalledWith("Authenticated with Connect.");
+	});
+
+	it("should be authenticated as a service account", () => {
+		process.env[envServiceAccountToken] = testServiceAccountToken;
+		expect(validateAuth).not.toThrow(authErr);
+		expect(core.info).toHaveBeenCalledWith(
+			"Authenticated with Service account.",
+		);
+	});
+
+	it("should prioritize Connect over service account if both are configured", () => {
+		process.env[envServiceAccountToken] = testServiceAccountToken;
+		process.env[envConnectHost] = testConnectHost;
+		process.env[envConnectToken] = testConnectToken;
+		expect(validateAuth).not.toThrow(authErr);
+		expect(core.warning).toHaveBeenCalled();
+		expect(core.info).toHaveBeenCalledWith("Authenticated with Connect.");
+	});
+});
+
+describe("extractSecret", () => {
+	const envTestSecretEnv = "TEST_SECRET";
+	const testSecretRef = "op://vault/item/secret";
+	const testSecretValue = "Secret1@3$";
+
+	read.parse = jest.fn().mockReturnValue(testSecretValue);
+
+	process.env[envTestSecretEnv] = testSecretRef;
+
+	it("should set secret as step output", () => {
+		extractSecret(envTestSecretEnv, false);
+		expect(core.exportVariable).not.toHaveBeenCalledWith(
+			envTestSecretEnv,
+			testSecretValue,
+		);
+		expect(core.setOutput).toHaveBeenCalledWith(
+			envTestSecretEnv,
+			testSecretValue,
+		);
+		expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
+	});
+
+	it("should set secret as environment variable", () => {
+		extractSecret(envTestSecretEnv, true);
+		expect(core.exportVariable).toHaveBeenCalledWith(
+			envTestSecretEnv,
+			testSecretValue,
+		);
+		expect(core.setOutput).not.toHaveBeenCalledWith(
+			envTestSecretEnv,
+			testSecretValue,
+		);
+		expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
+	});
+});
+
+describe("loadSecrets", () => {
+	it("sets the client info and gets the executed output", async () => {
+		await loadSecrets(true);
+
+		expect(setClientInfo).toHaveBeenCalledWith({
+			name: "1Password GitHub Action",
+			id: "GHA",
+		});
+		expect(exec.getExecOutput).toHaveBeenCalledWith('sh -c "op env ls"');
+		expect(core.exportVariable).toHaveBeenCalledWith(
+			"OP_MANAGED_VARIABLES",
+			"MOCK_SECRET",
+		);
+	});
+
+	it("return early if no env vars with secrets found", async () => {
+		(exec.getExecOutput as jest.Mock).mockReturnValueOnce({ stdout: "" });
+		await loadSecrets(true);
+
+		expect(exec.getExecOutput).toHaveBeenCalledWith('sh -c "op env ls"');
+		expect(core.exportVariable).not.toHaveBeenCalled();
+	});
+
+	describe("core.exportVariable", () => {
+		it("is called when shouldExportEnv is true", async () => {
+			await loadSecrets(true);
+
+			expect(core.exportVariable).toHaveBeenCalledTimes(1);
+		});
+
+		it("is not called when shouldExportEnv is false", async () => {
+			await loadSecrets(false);
+
+			expect(core.exportVariable).not.toHaveBeenCalled();
+		});
+	});
+});
+
+describe("unsetPrevious", () => {
+	const testManagedEnv = "TEST_SECRET";
+	const testSecretValue = "MyS3cr#T";
+
+	beforeEach(() => {
+		process.env[testManagedEnv] = testSecretValue;
+		process.env[envManagedVariables] = testManagedEnv;
+	});
+
+	it("should unset the environment variable if user wants it", () => {
+		unsetPrevious();
+		expect(core.info).toHaveBeenCalledWith("Unsetting previous values ...");
+		expect(core.info).toHaveBeenCalledWith("Unsetting TEST_SECRET");
+		expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
+	});
+});

src/utils.ts

@@ -0,0 +1,91 @@
+import * as core from "@actions/core";
+import * as exec from "@actions/exec";
+import { read, setClientInfo, semverToInt } from "@1password/op-js";
+import { version } from "../package.json";
+import {
+	authErr,
+	envConnectHost,
+	envConnectToken,
+	envServiceAccountToken,
+	envManagedVariables,
+} from "./constants";
+
+export const validateAuth = (): void => {
+	const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
+	const isServiceAccount = process.env[envServiceAccountToken];
+
+	if (isConnect && isServiceAccount) {
+		core.warning(
+			"WARNING: Both service account and Connect credentials are provided. Connect credentials will take priority.",
+		);
+	}
+
+	if (!isConnect && !isServiceAccount) {
+		throw new Error(authErr);
+	}
+
+	const authType = isConnect ? "Connect" : "Service account";
+
+	core.info(`Authenticated with ${authType}.`);
+};
+
+export const extractSecret = (
+	envName: string,
+	shouldExportEnv: boolean,
+): void => {
+	core.info(`Populating variable: ${envName}`);
+
+	const ref = process.env[envName];
+	if (!ref) {
+		return;
+	}
+
+	const secretValue = read.parse(ref);
+	if (!secretValue) {
+		return;
+	}
+
+	if (shouldExportEnv) {
+		core.exportVariable(envName, secretValue);
+	} else {
+		core.setOutput(envName, secretValue);
+	}
+	core.setSecret(secretValue);
+};
+
+export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
+	// Pass User-Agent Information to the 1Password CLI
+	setClientInfo({
+		name: "1Password GitHub Action",
+		id: "GHA",
+		build: semverToInt(version),
+	});
+
+	// Load secrets from environment variables using 1Password CLI.
+	// Iterate over them to find 1Password references, extract the secret values,
+	// and make them available in the next steps either as step outputs or as environment variables.
+	const res = await exec.getExecOutput(`sh -c "op env ls"`);
+
+	if (res.stdout === "") {
+		return;
+	}
+
+	const envs = res.stdout.replace(/\n+$/g, "").split(/\r?\n/);
+	for (const envName of envs) {
+		extractSecret(envName, shouldExportEnv);
+	}
+	if (shouldExportEnv) {
+		core.exportVariable(envManagedVariables, envs.join());
+	}
+};
+
+export const unsetPrevious = (): void => {
+	if (process.env[envManagedVariables]) {
+		core.info("Unsetting previous values ...");
+		const managedEnvs = process.env[envManagedVariables].split(",");
+		for (const envName of managedEnvs) {
+			core.info(`Unsetting ${envName}`);
+			core.exportVariable(envName, "");
+		}
+	}
+};

tsconfig.json

@@ -6,8 +6,6 @@
 		"esModuleInterop": true,
 		"exactOptionalPropertyTypes": true,
 		"forceConsistentCasingInFileNames": true,
-		"importsNotUsedAsValues": "error",
-		"isolatedModules": true,
 		"module": "esnext",
 		"moduleResolution": "node",
 		"noEmit": true,
@@ -17,9 +15,9 @@
 		"noUncheckedIndexedAccess": true,
 		"noUnusedLocals": true,
 		"noUnusedParameters": true,
-		"outDir": "./dist/",
-		"rootDir": "./src/",
+		"resolveJsonModule": true,
 		"strict": true,
-		"target": "es2022"
+		"target": "es2022",
+		"verbatimModuleSyntax": true
 	}
 }