Adapt action runtime for Gitea node20 runners

Bump Actions

.github/workflows/e2e-tests.yml

@@ -8,6 +8,11 @@ on:
 
   # For test.yml to call this workflow
   workflow_call:
+    inputs:
+      ref:
+        description: "Git ref to checkout"
+        required: true
+        type: string
     secrets:
       OP_CONNECT_CREDENTIALS:
         required: true
@@ -25,15 +30,29 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: true
+      max-parallel: 4
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
         version: [latest, 2.30.0]
         export-env: [true, false]
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          ref: ${{ inputs.ref }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build actions
+        run: npm run build:all
 
       - name: Generate .env.tpl
         shell: bash
@@ -41,6 +60,9 @@ jobs:
           echo "FILE_SECRET=op://${{ secrets.VAULT }}/test-secret/password" > tests/.env.tpl
           echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT }}/test-secret/test-section/password" >> tests/.env.tpl
           echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT }}/multiline-secret/notesPlain" >> tests/.env.tpl
+          echo "FILE_WEBSITE=op://${{ secrets.VAULT }}/test-secret/website" >> tests/.env.tpl
+          echo "FILE_TEST_SSH_KEY=op://${{ secrets.VAULT }}/test-ssh-key/private key" >> tests/.env.tpl
+          echo "FILE_TEST_SSH_KEY_OPENSSH=op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
 
       - name: Configure Service account
         uses: ./configure
@@ -57,25 +79,52 @@ jobs:
           SECRET: op://${{ secrets.VAULT }}/test-secret/password
           SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
           MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
+          WEBSITE: op://${{ secrets.VAULT }}/test-secret/website
+          TEST_SSH_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
+          TEST_SSH_KEY_OPENSSH: "op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh"
           OP_ENV_FILE: ./tests/.env.tpl
 
       - name: Assert test secret values [step output]
         if: ${{ !matrix.export-env }}
         shell: bash
         env:
+          ASSERT_WEBSITE: "true"
           SECRET: ${{ steps.load_secrets.outputs.SECRET }}
           SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
           MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
           FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
           FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
           FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
+          WEBSITE: ${{ steps.load_secrets.outputs.WEBSITE }}
+          FILE_WEBSITE: ${{ steps.load_secrets.outputs.FILE_WEBSITE }}
+          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
+          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
+          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
+          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
         run: ./tests/assert-env-set.sh
 
+      - name: Assert SSH key env vars [step output]
+        if: ${{ !matrix.export-env }}
+        shell: bash
+        env:
+          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
+          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
+          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
+          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
+        run: ./tests/assert-ssh-keys-set.sh
+
       - name: Assert test secret values [exported env]
         if: ${{ matrix.export-env }}
         shell: bash
+        env:
+          ASSERT_WEBSITE: "true"
         run: ./tests/assert-env-set.sh
 
+      - name: Assert SSH key env vars [exported env]
+        if: ${{ matrix.export-env }}
+        shell: bash
+        run: ./tests/assert-ssh-keys-set.sh
+
       - name: Remove secrets [exported env]
         if: ${{ matrix.export-env }}
         uses: ./
@@ -93,14 +142,26 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
         version: [latest, 2.30.0]
         export-env: [true, false]
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          ref: ${{ inputs.ref }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build actions
+        run: npm run build:all
 
       - name: Generate .env.tpl
         run: |
@@ -108,13 +169,16 @@ jobs:
           echo "FILE_SECRET=op://${{ secrets.VAULT }}/test-secret/password" > tests/.env.tpl
           echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT }}/test-secret/test-section/password" >> tests/.env.tpl
           echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT }}/multiline-secret/notesPlain" >> tests/.env.tpl
+          echo "FILE_TEST_SSH_KEY=op://${{ secrets.VAULT }}/test-ssh-key/private key" >> tests/.env.tpl
+          echo "FILE_TEST_SSH_KEY_OPENSSH=op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
 
       - name: Launch 1Password Connect instance
         env:
           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
         run: |
           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+          docker compose -f tests/fixtures/docker-compose.yml up -d
+          timeout 60 bash -c 'until curl -sf http://localhost:8080/health >/dev/null 2>&1; do sleep 2; done'
 
       - name: Configure 1Password Connect
         uses: ./configure
@@ -132,23 +196,45 @@ jobs:
           SECRET: op://${{ secrets.VAULT }}/test-secret/password
           SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
           MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
+          TEST_SSH_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
+          TEST_SSH_KEY_OPENSSH: "op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh"
           OP_ENV_FILE: ./tests/.env.tpl
 
       - name: Assert test secret values [step output]
         if: ${{ !matrix.export-env }}
         env:
+          ASSERT_WEBSITE: "false"
           SECRET: ${{ steps.load_secrets.outputs.SECRET }}
           SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
           MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
           FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
           FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
           FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
+          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
+          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
+          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
+          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
         run: ./tests/assert-env-set.sh
 
+      - name: Assert SSH key env vars [step output]
+        if: ${{ !matrix.export-env }}
+        env:
+          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
+          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
+          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
+          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
+        run: ./tests/assert-ssh-keys-set.sh
+
       - name: Assert test secret values [exported env]
         if: ${{ matrix.export-env }}
+        env:
+          ASSERT_WEBSITE: "false"
         run: ./tests/assert-env-set.sh
 
+      - name: Assert SSH key env vars [exported env]
+        if: ${{ matrix.export-env }}
+        run: ./tests/assert-ssh-keys-set.sh
+
       - name: Remove secrets [exported env]
         if: ${{ matrix.export-env }}
         uses: ./

.github/workflows/lint-and-test.yml

@@ -9,7 +9,7 @@ jobs:
   lint-and-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@2.0.0
@@ -18,9 +18,9 @@ jobs:
             .husky
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
-          node-version: 20
+          node-version: 24
           cache: npm
 
       - name: Install dependencies

.github/workflows/test-e2e.yml

@@ -26,6 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       condition: ${{ steps.check.outputs.condition }}
+      ref: ${{ steps.check.outputs.ref }}
     steps:
       - name: Check if PR is from external contributor
         id: check
@@ -45,6 +46,7 @@ jobs:
             else
               echo "condition=pr-creation-maintainer" >> $GITHUB_OUTPUT
               echo "Setting condition=pr-creation-maintainer (internal PR creation)"
+              echo "ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
             fi
           elif [ "${{ github.event_name }}" == "repository_dispatch" ]; then
             # For repository_dispatch events (ok-to-test), check if sha matches
@@ -58,6 +60,7 @@ jobs:
             if [ -n "$SHA_PARAM" ] && [[ "$PR_HEAD_SHA" == *"$SHA_PARAM"* ]]; then
               echo "condition=dispatch-event" >> $GITHUB_OUTPUT
               echo "Setting condition=dispatch-event (sha matches)"
+              echo "ref=$PR_HEAD_SHA" >> $GITHUB_OUTPUT
             else
               echo "condition=skip" >> $GITHUB_OUTPUT
               echo "Setting condition=skip (sha does not match or empty)"
@@ -65,6 +68,7 @@ jobs:
           elif [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref_name }}" == "main" ]; then
             echo "condition=push-to-main" >> $GITHUB_OUTPUT
             echo "Setting condition=push-to-main (push to main)"
+            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
           else
             # Unknown event type
             echo "condition=skip" >> $GITHUB_OUTPUT
@@ -80,6 +84,8 @@ jobs:
       ||
       needs.check-external-pr.outputs.condition == 'push-to-main'
     uses: ./.github/workflows/e2e-tests.yml
+    with:
+      ref: ${{ needs.check-external-pr.outputs.ref }}
     secrets:
       OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
       OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}

README.md

@@ -35,7 +35,7 @@ jobs:
 
       - name: Load secret
         id: load_secrets
-        uses: 1password/load-secrets-action@v3
+        uses: 1password/load-secrets-action@v4
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://app-cicd/hello-world/secret
@@ -57,7 +57,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Load secret
-        uses: 1password/load-secrets-action@v3
+        uses: 1password/load-secrets-action@v4
         with:
           # Export loaded secrets as environment variables
           export-env: true
@@ -71,6 +71,21 @@ jobs:
         # Prints: Secret: ***
 ```
 
+### 🔑 SSH Key Format
+
+When loading SSH keys, you can specify the format using the `ssh-format` query parameter. This is useful when you need the private key in a specific format like OpenSSH.
+
+```yml
+- name: Load SSH key
+  uses: 1password/load-secrets-action@v4
+  env:
+    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+    # Load SSH private key in OpenSSH format
+    SSH_PRIVATE_KEY: op://vault/item/private key?ssh-format=openssh
+```
+
+For more details on secret reference syntax, see the [1Password CLI documentation](https://developer.1password.com/docs/cli/secret-reference-syntax/#ssh-format-parameter).
+
 ## 💙 Community & Support
 
 - File an [issue](https://github.com/1Password/load-secrets-action/issues) for bugs and feature requests.

config/jest.config.js

@@ -10,6 +10,11 @@ const jestConfig = {
 	rootDir: "../src/",
 	testEnvironment: "node",
 	testRegex: "(/__tests__/.*|(\\.|/)test)\\.ts",
+	moduleNameMapper: {
+		"^@actions/core$": "<rootDir>/__mocks__/actions-core.ts",
+		"^@actions/tool-cache$": "<rootDir>/__mocks__/actions-tool-cache.ts",
+		"^@actions/exec$": "<rootDir>/__mocks__/actions-exec.ts",
+	},
 	transform: {
 		".ts": [
 			"ts-jest",
@@ -25,4 +30,4 @@ const jestConfig = {
 	verbose: true,
 };
 
-export default jestConfig;
+module.exports = jestConfig;

configure/index.js

@@ -1,4 +1,4 @@
-const core = require("@actions/core");
+import * as core from "@actions/core";
 
 const configure = () => {
 	const OP_CONNECT_HOST =

package-lock.json

@@ -1,18 +1,18 @@
 {
 	"name": "load-secrets-action",
-	"version": "3.1.0",
+	"version": "4.0.0",
 	"lockfileVersion": 3,
 	"requires": true,
 	"packages": {
 		"": {
 			"name": "load-secrets-action",
-			"version": "3.1.0",
+			"version": "4.0.0",
 			"license": "MIT",
 			"dependencies": {
 				"@1password/op-js": "^0.1.11",
-				"@actions/core": "^1.10.1",
-				"@actions/exec": "^1.1.1",
-				"@actions/tool-cache": "^2.0.2",
+				"@actions/core": "^3.0.0",
+				"@actions/exec": "^3.0.0",
+				"@actions/tool-cache": "^4.0.0",
 				"dotenv": "^17.2.2"
 			},
 			"devDependencies": {
@@ -73,58 +73,49 @@
 			}
 		},
 		"node_modules/@actions/core": {
-			"version": "1.11.1",
-			"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
-			"integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
+			"version": "3.0.0",
+			"resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.0.tgz",
+			"integrity": "sha512-zYt6cz+ivnTmiT/ksRVriMBOiuoUpDCJJlZ5KPl2/FRdvwU3f7MPh9qftvbkXJThragzUZieit2nyHUyw53Seg==",
 			"license": "MIT",
 			"dependencies": {
-				"@actions/exec": "^1.1.1",
-				"@actions/http-client": "^2.0.1"
+				"@actions/exec": "^3.0.0",
+				"@actions/http-client": "^4.0.0"
 			}
 		},
 		"node_modules/@actions/exec": {
-			"version": "1.1.1",
-			"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
-			"integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
-			"license": "MIT",
+			"version": "3.0.0",
+			"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
+			"integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
 			"dependencies": {
-				"@actions/io": "^1.0.1"
+				"@actions/io": "^3.0.2"
 			}
 		},
 		"node_modules/@actions/http-client": {
-			"version": "2.2.3",
-			"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
-			"integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
+			"version": "4.0.0",
+			"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.0.tgz",
+			"integrity": "sha512-QuwPsgVMsD6qaPD57GLZi9sqzAZCtiJT8kVBCDpLtxhL5MydQ4gS+DrejtZZPdIYyB1e95uCK9Luyds7ybHI3g==",
 			"license": "MIT",
 			"dependencies": {
 				"tunnel": "^0.0.6",
-				"undici": "^5.25.4"
+				"undici": "^6.23.0"
 			}
 		},
 		"node_modules/@actions/io": {
-			"version": "1.1.3",
-			"resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
-			"integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==",
-			"license": "MIT"
+			"version": "3.0.2",
+			"resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
+			"integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw=="
 		},
 		"node_modules/@actions/tool-cache": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.2.tgz",
-			"integrity": "sha512-fBhNNOWxuoLxztQebpOaWu6WeVmuwa77Z+DxIZ1B+OYvGkGQon6kTVg6Z32Cb13WCuw0szqonK+hh03mJV7Z6w==",
+			"version": "4.0.0",
+			"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-4.0.0.tgz",
+			"integrity": "sha512-L8P9HbXvpvqjZDveb/fdsa55IVC0trfPgQ4ZwGo6r5af6YDVdM9vMGPZ7rgY2fAT9gGj4PSYd6bYlg3p3jD78A==",
+			"license": "MIT",
 			"dependencies": {
-				"@actions/core": "^1.11.1",
-				"@actions/exec": "^1.0.0",
-				"@actions/http-client": "^2.0.1",
-				"@actions/io": "^1.1.1",
-				"semver": "^6.1.0"
-			}
-		},
-		"node_modules/@actions/tool-cache/node_modules/semver": {
-			"version": "6.3.1",
-			"resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
-			"integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
-			"bin": {
-				"semver": "bin/semver.js"
+				"@actions/core": "^3.0.0",
+				"@actions/exec": "^3.0.0",
+				"@actions/http-client": "^4.0.0",
+				"@actions/io": "^3.0.0",
+				"semver": "^7.7.3"
 			}
 		},
 		"node_modules/@ampproject/remapping": {
@@ -759,15 +750,6 @@
 				"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
 			}
 		},
-		"node_modules/@fastify/busboy": {
-			"version": "2.1.1",
-			"resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
-			"integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
-			"license": "MIT",
-			"engines": {
-				"node": ">=14"
-			}
-		},
 		"node_modules/@humanwhocodes/config-array": {
 			"version": "0.13.0",
 			"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.13.0.tgz",
@@ -1574,32 +1556,6 @@
 				}
 			}
 		},
-		"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
-			"dev": true,
-			"license": "MIT",
-			"dependencies": {
-				"balanced-match": "^1.0.0"
-			}
-		},
-		"node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-			"version": "9.0.3",
-			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
-			"integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
-			"dev": true,
-			"license": "ISC",
-			"dependencies": {
-				"brace-expansion": "^2.0.1"
-			},
-			"engines": {
-				"node": ">=16 || 14 >=14.17"
-			},
-			"funding": {
-				"url": "https://github.com/sponsors/isaacs"
-			}
-		},
 		"node_modules/@typescript-eslint/utils": {
 			"version": "6.21.0",
 			"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.21.0.tgz",
@@ -1688,11 +1644,10 @@
 			}
 		},
 		"node_modules/ajv": {
-			"version": "6.12.6",
-			"resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-			"integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
+			"version": "6.14.0",
+			"resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
+			"integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
 			"dev": true,
-			"license": "MIT",
 			"peer": true,
 			"dependencies": {
 				"fast-deep-equal": "^3.1.1",
@@ -2134,14 +2089,13 @@
 			"license": "MIT"
 		},
 		"node_modules/brace-expansion": {
-			"version": "1.1.12",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-			"integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
 			"dev": true,
 			"license": "MIT",
 			"dependencies": {
-				"balanced-match": "^1.0.0",
-				"concat-map": "0.0.1"
+				"balanced-match": "^1.0.0"
 			}
 		},
 		"node_modules/braces": {
@@ -2521,13 +2475,6 @@
 				"node": ">= 12.0.0"
 			}
 		},
-		"node_modules/concat-map": {
-			"version": "0.0.1",
-			"resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
-			"integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
-			"dev": true,
-			"license": "MIT"
-		},
 		"node_modules/convert-source-map": {
 			"version": "2.0.0",
 			"resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
@@ -3751,29 +3698,6 @@
 				"minimatch": "^5.0.1"
 			}
 		},
-		"node_modules/filelist/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
-			"dev": true,
-			"license": "MIT",
-			"dependencies": {
-				"balanced-match": "^1.0.0"
-			}
-		},
-		"node_modules/filelist/node_modules/minimatch": {
-			"version": "5.1.6",
-			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
-			"integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
-			"dev": true,
-			"license": "ISC",
-			"dependencies": {
-				"brace-expansion": "^2.0.1"
-			},
-			"engines": {
-				"node": ">=10"
-			}
-		},
 		"node_modules/fill-range": {
 			"version": "7.1.1",
 			"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
@@ -3818,11 +3742,10 @@
 			}
 		},
 		"node_modules/flatted": {
-			"version": "3.3.2",
-			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.2.tgz",
-			"integrity": "sha512-AiwGJM8YcNOaobumgtng+6NHuOqC3A7MixFeDafM3X9cIUM+xUXoS5Vfgf+OihAYe20fxqNM9yPBXJzRtZ/4eA==",
+			"version": "3.4.2",
+			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+			"integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
 			"dev": true,
-			"license": "ISC",
 			"peer": true
 		},
 		"node_modules/for-each": {
@@ -6196,16 +6119,19 @@
 			}
 		},
 		"node_modules/minimatch": {
-			"version": "3.1.2",
-			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-			"integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+			"version": "9.0.9",
+			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+			"integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
 			"dev": true,
 			"license": "ISC",
 			"dependencies": {
-				"brace-expansion": "^1.1.7"
+				"brace-expansion": "^2.0.2"
 			},
 			"engines": {
-				"node": "*"
+				"node": ">=16 || 14 >=14.17"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/isaacs"
 			}
 		},
 		"node_modules/minimist": {
@@ -7023,9 +6949,9 @@
 			}
 		},
 		"node_modules/semver": {
-			"version": "7.6.3",
-			"resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
-			"integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
+			"version": "7.7.4",
+			"resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
+			"integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
 			"license": "ISC",
 			"bin": {
 				"semver": "bin/semver.js"
@@ -7892,15 +7818,11 @@
 			}
 		},
 		"node_modules/undici": {
-			"version": "5.29.0",
-			"resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
-			"integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
-			"license": "MIT",
-			"dependencies": {
-				"@fastify/busboy": "^2.0.0"
-			},
+			"version": "6.24.1",
+			"resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
+			"integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
 			"engines": {
-				"node": ">=14.0"
+				"node": ">=18.17"
 			}
 		},
 		"node_modules/undici-types": {

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "load-secrets-action",
-	"version": "3.1.0",
+	"version": "4.0.0",
 	"description": "Load Secrets from 1Password",
 	"main": "dist/index.js",
 	"directories": {
@@ -41,11 +41,14 @@
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
 		"@1password/op-js": "^0.1.11",
-		"@actions/core": "^1.10.1",
-		"@actions/exec": "^1.1.1",
-		"@actions/tool-cache": "^2.0.2",
+		"@actions/core": "^3.0.0",
+		"@actions/exec": "^3.0.0",
+		"@actions/tool-cache": "^4.0.0",
 		"dotenv": "^17.2.2"
 	},
+	"overrides": {
+		"minimatch": "^9.0.7"
+	},
 	"devDependencies": {
 		"@1password/eslint-config": "^4.3.1",
 		"@1password/prettier-config": "^1.2.0",

src/__mocks__/actions-core.ts

@@ -0,0 +1,14 @@
+module.exports = {
+	getInput: jest.fn(() => ""),
+	getBooleanInput: jest.fn(() => false),
+	setOutput: jest.fn(),
+	setSecret: jest.fn(),
+	exportVariable: jest.fn(),
+	setFailed: jest.fn(),
+	info: jest.fn(),
+	warning: jest.fn(),
+	error: jest.fn(),
+	debug: jest.fn(),
+	addPath: jest.fn(),
+	isDebug: jest.fn(() => false),
+};

src/__mocks__/actions-exec.ts

@@ -0,0 +1,5 @@
+module.exports = {
+	getExecOutput: jest.fn(() => ({
+		stdout: "MOCK_SECRET",
+	})),
+};

src/__mocks__/actions-tool-cache.ts

@@ -0,0 +1,10 @@
+module.exports = {
+	downloadTool: jest.fn(),
+	extractTar: jest.fn(),
+	extractZip: jest.fn(),
+	cacheDir: jest.fn<Promise<string>, [string]>(async (dir) => {
+		await Promise.resolve();
+		return dir;
+	}),
+	find: jest.fn<string, [string, string?, string?]>(() => ""),
+};

src/utils.test.ts

@@ -15,12 +15,6 @@ import {
 	envServiceAccountToken,
 } from "./constants";
 
-jest.mock("@actions/core");
-jest.mock("@actions/exec", () => ({
-	getExecOutput: jest.fn(() => ({
-		stdout: "MOCK_SECRET",
-	})),
-}));
 jest.mock("@1password/op-js");
 
 beforeEach(() => {
@@ -106,6 +100,41 @@ describe("extractSecret", () => {
 		);
 		expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
 	});
+
+	describe("when secret value is empty string", () => {
+		const emptySecretValue = "";
+
+		beforeEach(() => {
+			(read.parse as jest.Mock).mockReturnValue(emptySecretValue);
+		});
+
+		afterEach(() => {
+			(read.parse as jest.Mock).mockReturnValue(testSecretValue);
+		});
+
+		it("should set empty string as step output", () => {
+			extractSecret(envTestSecretEnv, false);
+			expect(core.setOutput).toHaveBeenCalledWith(
+				envTestSecretEnv,
+				emptySecretValue,
+			);
+			expect(core.exportVariable).not.toHaveBeenCalled();
+		});
+
+		it("should set empty string as environment variable", () => {
+			extractSecret(envTestSecretEnv, true);
+			expect(core.exportVariable).toHaveBeenCalledWith(
+				envTestSecretEnv,
+				emptySecretValue,
+			);
+			expect(core.setOutput).not.toHaveBeenCalled();
+		});
+
+		it("should not call setSecret for empty string", () => {
+			extractSecret(envTestSecretEnv, false);
+			expect(core.setSecret).not.toHaveBeenCalled();
+		});
+	});
 });
 
 describe("loadSecrets", () => {

src/utils.ts

@@ -41,7 +41,7 @@ export const extractSecret = (
 	}
 
 	const secretValue = read.parse(ref);
-	if (!secretValue) {
+	if (secretValue === null || secretValue === undefined) {
 		return;
 	}
 
@@ -50,7 +50,11 @@ export const extractSecret = (
 	} else {
 		core.setOutput(envName, secretValue);
 	}
-	core.setSecret(secretValue);
+	// Skip setSecret for empty strings to avoid the warning:
+	// "Can't add secret mask for empty string in ##[add-mask] command."
+	if (secretValue) {
+		core.setSecret(secretValue);
+	}
 };
 
 export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {

tests/assert-env-set.sh

@@ -26,6 +26,7 @@ IApTbyBwbGVhc2UgZG9uJ3QgcmVwb3J0IGl0IQo=
 EOF
 )"
 readonly MULTILINE_SECRET
+readonly WEBSITE="www.test.com"
 
 assert_env_equals "SECRET" "${SECRET}"
 assert_env_equals "FILE_SECRET" "${SECRET}"
@@ -34,4 +35,10 @@ assert_env_equals "SECRET_IN_SECTION" "${SECRET}"
 assert_env_equals "FILE_SECRET_IN_SECTION" "${SECRET}"
 
 assert_env_equals "MULTILINE_SECRET" "${MULTILINE_SECRET}"
-assert_env_equals "FILE_MULTILINE_SECRET" "${MULTILINE_SECRET}"
+assert_env_equals "FILE_MULTILINE_SECRET" "${MULTILINE_SECRET}"
+
+# WEBSITE/FILE_WEBSITE: required when ASSERT_WEBSITE=true (Service Account), skipped when false (Connect)
+if [ "${ASSERT_WEBSITE:-false}" = "true" ]; then
+  assert_env_equals "WEBSITE" "${WEBSITE}"
+  assert_env_equals "FILE_WEBSITE" "${WEBSITE}"
+fi

tests/assert-env-unset.sh

@@ -17,3 +17,11 @@ assert_env_unset "FILE_SECRET_IN_SECTION"
 
 assert_env_unset "MULTILINE_SECRET"
 assert_env_unset "FILE_MULTILINE_SECRET"
+
+assert_env_unset "WEBSITE"
+assert_env_unset "FILE_WEBSITE"
+
+assert_env_unset "TEST_SSH_KEY"
+assert_env_unset "FILE_TEST_SSH_KEY"
+assert_env_unset "TEST_SSH_KEY_OPENSSH"
+assert_env_unset "FILE_TEST_SSH_KEY_OPENSSH"

tests/assert-ssh-keys-set.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+assert_ssh_key_set() {
+  local var="$1"
+  local val
+  val="$(printenv "$var" || true)"
+  if [ -z "$val" ]; then
+    echo "Expected $var to be set"
+    exit 1
+  fi
+  [ "$val" = "***" ] && return 0
+  local line
+  line="$(echo "$val" | head -1)"
+  if echo "$var" | grep -q "OPENSSH"; then
+    echo "$line" | grep -q "OPENSSH" || { echo "Expected $var to start with -----BEGIN OPENSSH PRIVATE KEY-----"; exit 1; }
+  else
+    echo "$line" | grep -q "BEGIN.*PRIVATE KEY" || { echo "Expected $var to be a private key"; exit 1; }
+  fi
+  echo "$var OK"
+}
+
+assert_ssh_key_set "TEST_SSH_KEY"
+assert_ssh_key_set "TEST_SSH_KEY_OPENSSH"
+assert_ssh_key_set "FILE_TEST_SSH_KEY"
+assert_ssh_key_set "FILE_TEST_SSH_KEY_OPENSSH"