fix syntax error

Migrate to use  1Password SDK with Service Account

.github/workflows/acceptance-test.yml

@@ -1,116 +0,0 @@
-name: Acceptance test
-
-on:
-  workflow_call:
-    inputs:
-      secret:
-        required: true
-        type: string
-      secret-in-section:
-        required: true
-        type: string
-      multiline-secret:
-        required: true
-        type: string
-      export-env:
-        required: true
-        type: boolean
-      version:
-        required: false
-        type: string
-        default: "latest"
-      os:
-        required: true
-        type: string
-        default: "ubuntu-latest"
-      auth:
-        required: true
-        type: string
-
-jobs:
-  acceptance-test:
-    runs-on: ${{ inputs.os }}
-    steps:
-      - name: Base checkout
-        uses: actions/checkout@v4
-        if: |
-          github.event_name != 'repository_dispatch' &&
-          (
-            github.ref == 'refs/heads/main' || 
-            (
-              github.event_name == 'pull_request' && 
-              github.event.pull_request.head.repo.full_name == github.repository
-            )
-          )
-      - name: Fork based /ok-to-test checkout
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.client_payload.pull_request.head.sha }}
-        if: |
-          github.event_name == 'repository_dispatch' &&
-          github.event.client_payload.slash_command.args.named.sha != '' &&
-          contains(
-            github.event.client_payload.pull_request.head.sha,
-            github.event.client_payload.slash_command.args.named.sha
-          )
-      - name: Launch 1Password Connect instance
-        if: ${{ inputs.auth == 'connect' }}
-        env:
-          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
-        run: |
-          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
-      - name: Configure Service account
-        if: ${{ inputs.auth == 'service-account' }}
-        uses: ./configure
-        with:
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      - name: Verify Service Account env var is set
-        if: ${{ inputs.auth == 'service-account' }}
-        shell: bash
-        run: |
-          if [ -z "${OP_SERVICE_ACCOUNT_TOKEN}" ]; then
-            echo "OP_SERVICE_ACCOUNT_TOKEN environment variable is not set" >&2
-            exit 1
-          fi
-      - name: Configure 1Password Connect
-        if: ${{ inputs.auth == 'connect' }}
-        uses: ./configure # 1password/load-secrets-action/configure@<version>
-        with:
-          connect-host: http://localhost:8080
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-      - name: Verify Connect env vars are set
-        if: ${{ inputs.auth == 'connect' }}
-        run: |
-          if [ -z "$OP_CONNECT_HOST" ] || [ -z "$OP_CONNECT_TOKEN" ]; then
-            echo "OP_CONNECT_HOST or OP_CONNECT_TOKEN environment variables are not set" >&2
-            exit 1
-          fi
-      - name: Load secrets
-        id: load_secrets
-        uses: ./ # 1password/load-secrets-action@<version>
-        with:
-          version: ${{ inputs.version }}
-          export-env: ${{ inputs.export-env }}
-        env:
-          SECRET: ${{ inputs.secret }}
-          SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
-          MULTILINE_SECRET: ${{ inputs.multiline-secret }}
-      - name: Assert test secret values [step output]
-        if: ${{ !inputs.export-env }}
-        env:
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-        run: ./tests/assert-env-set.sh
-      - name: Assert test secret values [exported env]
-        if: ${{ inputs.export-env }}
-        run: ./tests/assert-env-set.sh
-      - name: Remove secrets [exported env]
-        if: ${{ inputs.export-env }}
-        uses: ./ # 1password/load-secrets-action@<version>
-        with:
-          unset-previous: true
-      - name: Assert removed secrets [exported env]
-        if: ${{ inputs.export-env }}
-        run: ./tests/assert-env-unset.sh

.github/workflows/e2e-tests.yml

@@ -0,0 +1,316 @@
+name: E2E Tests
+
+on:
+  # For local testing with: act push -W .github/workflows/e2e-tests.yml
+  push:
+    branches-ignore:
+      - "**" # Never runs on GitHub, only locally with act
+
+  # For test.yml to call this workflow
+  workflow_call:
+    inputs:
+      ref:
+        description: "Git ref to checkout"
+        required: true
+        type: string
+    secrets:
+      OP_CONNECT_CREDENTIALS:
+        required: true
+      OP_CONNECT_TOKEN:
+        required: true
+      OP_SERVICE_ACCOUNT_TOKEN:
+        required: true
+      VAULT:
+        description: "1Password vault name"
+        required: true
+      VAULT_ID:
+        description: "1Password vault UUID"
+        required: true
+
+jobs:
+  test-service-account:
+    name: Service Account (${{ matrix.os }}, export-env=${{ matrix.export-env }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: true
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        export-env: [true, false]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.ref }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build actions
+        run: npm run build:all
+
+      - name: Generate .env.tpl
+        shell: bash
+        run: |
+          mkdir -p tests
+          echo "FILE_SECRET=op://${{ secrets.VAULT }}/test-secret/password" > tests/.env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT }}/test-secret/test-section/password" >> tests/.env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT }}/multiline-secret/notesPlain" >> tests/.env.tpl
+          echo "SECRET_WITH_FILE=op://${{ secrets.VAULT }}/file-secret/test.txt" >> tests/.env.tpl
+          echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT }}/file-secret/file section/test.txt" >> tests/.env.tpl
+          echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT }}/double-section-secret/test-section/password" >> tests/.env.tpl
+
+      - name: Generate .vaultId_env.tpl
+        shell: bash
+        run: |
+          echo "FILE_SECRET=op://${{ secrets.VAULT_ID }}/test-secret/password" > tests/.vaultId_env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT_ID }}/test-secret/test-section/password" >> tests/.vaultId_env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT_ID }}/multiline-secret/notesPlain" >> tests/.vaultId_env.tpl
+          echo "SECRET_WITH_FILE=op://${{ secrets.VAULT_ID }}/file-secret/test.txt" >> tests/.vaultId_env.tpl
+          echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt" >> tests/.vaultId_env.tpl
+          echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password" >> tests/.vaultId_env.tpl
+
+      - name: Configure Service account
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+
+      - name: Load secrets
+        id: load_secrets
+        uses: ./
+        with:
+          export-env: ${{ matrix.export-env }}
+        env:
+          SECRET: op://${{ secrets.VAULT }}/test-secret/password
+          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
+          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
+          SECRET_WITH_FILE: op://${{ secrets.VAULT }}/file-secret/test.txt
+          SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT }}/file-secret/file section/test.txt
+          DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT }}/double-section-secret/test-section/password
+          OP_ENV_FILE: ./tests/.env.tpl
+
+      - name: Assert test secret values [step output]
+        if: ${{ !matrix.export-env }}
+        shell: bash
+        env:
+          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
+          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
+          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
+          SECRET_WITH_FILE: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE }}
+          SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE_IN_SECTION }}
+          DOUBLE_SECTION_SECRET: ${{ steps.load_secrets.outputs.DOUBLE_SECTION_SECRET }}
+        run: ./tests/assert-env-set.sh
+
+      - name: Assert test secret values [exported env]
+        if: ${{ matrix.export-env }}
+        shell: bash
+        run: ./tests/assert-env-set.sh
+
+      - name: Remove secrets [exported env]
+        if: ${{ matrix.export-env }}
+        uses: ./
+        with:
+          unset-previous: true
+
+      - name: Assert removed secrets [exported env]
+        if: ${{ matrix.export-env }}
+        shell: bash
+        run: ./tests/assert-env-unset.sh
+
+      - name: Load secrets (invalid ref - expect failure)
+        id: load_invalid
+        continue-on-error: true
+        uses: ./
+        env:
+          BAD_REF: "op://x"
+        with:
+          export-env: true
+
+      - name: Assert invalid ref failed
+        shell: bash
+        run: ./tests/assert-invalid-ref-failed.sh
+        env:
+          STEP_OUTCOME: ${{ steps.load_invalid.outcome }}
+
+      - name: Load secrets by vault ID
+        id: load_secrets_by_vault_id
+        uses: ./
+        with:
+          export-env: ${{ matrix.export-env }}
+        env:
+          SECRET: op://${{ secrets.VAULT_ID }}/test-secret/password
+          SECRET_IN_SECTION: op://${{ secrets.VAULT_ID }}/test-secret/test-section/password
+          MULTILINE_SECRET: op://${{ secrets.VAULT_ID }}/multiline-secret/notesPlain
+          SECRET_WITH_FILE: op://${{ secrets.VAULT_ID }}/file-secret/test.txt
+          SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt
+          DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password
+          OP_ENV_FILE: ./tests/.vaultId_env.tpl
+
+      - name: Assert test secret values [vault by ID]
+        if: ${{ !matrix.export-env }}
+        shell: bash
+        env:
+          SECRET: ${{ steps.load_secrets_by_vault_id.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.MULTILINE_SECRET }}
+          FILE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.FILE_SECRET }}
+          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.FILE_SECRET_IN_SECTION }}
+          FILE_MULTILINE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.FILE_MULTILINE_SECRET }}
+          SECRET_WITH_FILE: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE }}
+          SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE_IN_SECTION }}
+          DOUBLE_SECTION_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.DOUBLE_SECTION_SECRET }}
+        run: ./tests/assert-env-set.sh
+
+  test-connect:
+    name: Connect (ubuntu-latest, export-env=${{ matrix.export-env }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        export-env: [true, false]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.ref }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build actions
+        run: npm run build:all
+
+      - name: Generate .env.tpl
+        run: |
+          mkdir -p tests
+          echo "FILE_SECRET=op://${{ secrets.VAULT }}/test-secret/password" > tests/.env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT }}/test-secret/test-section/password" >> tests/.env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT }}/multiline-secret/notesPlain" >> tests/.env.tpl
+          echo "SECRET_WITH_FILE=op://${{ secrets.VAULT }}/file-secret/test.txt" >> tests/.env.tpl
+          echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT }}/file-secret/file section/test.txt" >> tests/.env.tpl
+          echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT }}/double-section-secret/test-section/password" >> tests/.env.tpl
+
+      - name: Generate .vaultId_env.tpl
+        run: |
+          echo "FILE_SECRET=op://${{ secrets.VAULT_ID }}/test-secret/password" > tests/.vaultId_env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT_ID }}/test-secret/test-section/password" >> tests/.vaultId_env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT_ID }}/multiline-secret/notesPlain" >> tests/.vaultId_env.tpl
+          echo "SECRET_WITH_FILE=op://${{ secrets.VAULT_ID }}/file-secret/test.txt" >> tests/.vaultId_env.tpl
+          echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt" >> tests/.vaultId_env.tpl
+          echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password" >> tests/.vaultId_env.tpl
+
+      - name: Launch 1Password Connect instance
+        env:
+          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+        run: |
+          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
+          docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 30
+
+      - name: Configure 1Password Connect
+        uses: ./configure
+        with:
+          connect-host: http://localhost:8080
+          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+
+      - name: Load secrets
+        id: load_secrets
+        uses: ./
+        with:
+          export-env: ${{ matrix.export-env }}
+        env:
+          SECRET: op://${{ secrets.VAULT }}/test-secret/password
+          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
+          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
+          SECRET_WITH_FILE: op://${{ secrets.VAULT }}/file-secret/test.txt
+          SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT }}/file-secret/file section/test.txt
+          DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT }}/double-section-secret/test-section/password
+          OP_ENV_FILE: ./tests/.env.tpl
+
+      - name: Assert test secret values [step output]
+        if: ${{ !matrix.export-env }}
+        env:
+          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
+          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
+          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
+          SECRET_WITH_FILE: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE }}
+          SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE_IN_SECTION }}
+          DOUBLE_SECTION_SECRET: ${{ steps.load_secrets.outputs.DOUBLE_SECTION_SECRET }}
+        run: ./tests/assert-env-set.sh
+
+      - name: Assert test secret values [exported env]
+        if: ${{ matrix.export-env }}
+        run: ./tests/assert-env-set.sh
+
+      - name: Remove secrets [exported env]
+        if: ${{ matrix.export-env }}
+        uses: ./
+        with:
+          unset-previous: true
+
+      - name: Assert removed secrets [exported env]
+        if: ${{ matrix.export-env }}
+        run: ./tests/assert-env-unset.sh
+
+      - name: Load secrets (invalid ref - expect failure)
+        id: load_invalid
+        continue-on-error: true
+        uses: ./
+        env:
+          BAD_REF: "op://x"
+        with:
+          export-env: true
+
+      - name: Assert invalid ref failed
+        shell: bash
+        run: ./tests/assert-invalid-ref-failed.sh
+        env:
+          STEP_OUTCOME: ${{ steps.load_invalid.outcome }}
+
+      - name: Load secrets by vault ID
+        id: load_secrets_by_vault_id
+        uses: ./
+        with:
+          export-env: ${{ matrix.export-env }}
+        env:
+          SECRET: op://${{ secrets.VAULT_ID }}/test-secret/password
+          SECRET_IN_SECTION: op://${{ secrets.VAULT_ID }}/test-secret/test-section/password
+          MULTILINE_SECRET: op://${{ secrets.VAULT_ID }}/multiline-secret/notesPlain
+          SECRET_WITH_FILE: op://${{ secrets.VAULT_ID }}/file-secret/test.txt
+          SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt
+          DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password
+          OP_ENV_FILE: ./tests/.vaultId_env.tpl
+
+      - name: Assert test secret values [vault by ID]
+        if: ${{ !matrix.export-env }}
+        shell: bash
+        env:
+          SECRET: ${{ steps.load_secrets_by_vault_id.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.MULTILINE_SECRET }}
+          FILE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.FILE_SECRET }}
+          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.FILE_SECRET_IN_SECTION }}
+          FILE_MULTILINE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.FILE_MULTILINE_SECRET }}
+          SECRET_WITH_FILE: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE }}
+          SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE_IN_SECTION }}
+          DOUBLE_SECTION_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.DOUBLE_SECTION_SECRET }}
+        run: ./tests/assert-env-set.sh

.github/workflows/lint-and-test.yml

@@ -1,29 +1,36 @@
+name: Lint and Test
+
 on:
   push:
     branches: [main]
   pull_request:
-name: Lint
 
 jobs:
-  lint:
+  lint-and-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
+
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@2.0.0
         with:
           ignore_paths: >-
             .husky
+
       - name: Setup Node.js
-        id: setup-node
         uses: actions/setup-node@v4
         with:
           node-version: 20
           cache: npm
-      - name: Install Dependencies
+
-        id: install
+      - name: Install dependencies
         run: npm ci
+
       - name: Check formatting
         run: npm run format:check
+
       - name: Check lint
         run: npm run lint
+
+      - name: Run unit tests
+        run: npm test

.github/workflows/ok-to-test.yml

@@ -1,4 +1,4 @@
-# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event
+# Write comments "/ok-to-test sha=<hash>" on a pull request. This will emit a repository_dispatch event.
 name: Ok To Test
 
 on:
@@ -15,7 +15,7 @@ jobs:
     if: ${{ github.event.issue.pull_request }}
     steps:
       - name: Slash Command Dispatch
-        uses: peter-evans/slash-command-dispatch@v3
+        uses: peter-evans/slash-command-dispatch@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test-e2e.yml

@@ -0,0 +1,121 @@
+name: E2E Tests
+
+on:
+  push:
+    branches: [main]
+    paths-ignore: &ignore_paths
+      - "docs/**"
+      - "config/**"
+      - "*.md"
+      - ".gitignore"
+      - "LICENSE"
+  pull_request:
+    paths-ignore: *ignore_paths
+  repository_dispatch:
+    types: [ok-to-test-command]
+
+concurrency:
+  group: >-
+    ${{ github.event_name == 'pull_request' &&
+          format('e2e-{0}', github.event.pull_request.head.ref) ||
+          format('e2e-{0}', github.ref) }}
+  cancel-in-progress: true
+
+jobs:
+  check-external-pr:
+    runs-on: ubuntu-latest
+    outputs:
+      condition: ${{ steps.check.outputs.condition }}
+      ref: ${{ steps.check.outputs.ref }}
+    steps:
+      - name: Check if PR is from external contributor
+        id: check
+        run: |
+          echo "Event name: ${{ github.event_name }}"
+          echo "Repository: ${{ github.repository }}"
+
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            # For pull_request events, check if PR is from external fork
+            echo "PR head repo: ${{ github.event.pull_request.head.repo.full_name }}"
+            if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
+              echo "condition=skip" >> $GITHUB_OUTPUT
+              echo "Setting condition=skip (Dependabot PR)"
+            elif [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+              echo "condition=skip" >> $GITHUB_OUTPUT
+              echo "Setting condition=skip (external fork PR creation)"
+            else
+              echo "condition=pr-creation-maintainer" >> $GITHUB_OUTPUT
+              echo "Setting condition=pr-creation-maintainer (internal PR creation)"
+              echo "ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
+            fi
+          elif [ "${{ github.event_name }}" == "repository_dispatch" ]; then
+            # For repository_dispatch events (ok-to-test), check if sha matches
+            SHA_PARAM="${{ github.event.client_payload.slash_command.args.named.sha }}"
+            PR_HEAD_SHA="${{ github.event.client_payload.pull_request.head.sha }}"
+
+            echo "Checking dispatch event conditions..."
+            echo "SHA from command: $SHA_PARAM"
+            echo "PR head SHA: $PR_HEAD_SHA"
+
+            if [ -n "$SHA_PARAM" ] && [[ "$PR_HEAD_SHA" == *"$SHA_PARAM"* ]]; then
+              echo "condition=dispatch-event" >> $GITHUB_OUTPUT
+              echo "Setting condition=dispatch-event (sha matches)"
+              echo "ref=$PR_HEAD_SHA" >> $GITHUB_OUTPUT
+            else
+              echo "condition=skip" >> $GITHUB_OUTPUT
+              echo "Setting condition=skip (sha does not match or empty)"
+            fi
+          elif [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref_name }}" == "main" ]; then
+            echo "condition=push-to-main" >> $GITHUB_OUTPUT
+            echo "Setting condition=push-to-main (push to main)"
+            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
+          else
+            # Unknown event type
+            echo "condition=skip" >> $GITHUB_OUTPUT
+            echo "Setting condition=skip (unknown event type: ${{ github.event_name }})"
+          fi
+
+  e2e:
+    needs: check-external-pr
+    if: |
+      (needs.check-external-pr.outputs.condition == 'pr-creation-maintainer')
+      ||
+      (needs.check-external-pr.outputs.condition == 'dispatch-event')
+      ||
+      needs.check-external-pr.outputs.condition == 'push-to-main'
+    uses: ./.github/workflows/e2e-tests.yml
+    with:
+      ref: ${{ needs.check-external-pr.outputs.ref }}
+    secrets:
+      OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+      OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
+      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      VAULT: ${{ secrets.VAULT }}
+      VAULT_ID: ${{ secrets.VAULT_ID }}
+
+  # Post comment on fork PRs after /ok-to-test
+  comment-pr:
+    needs: [check-external-pr, e2e]
+    runs-on: ubuntu-latest
+    if: always() && needs.check-external-pr.outputs.condition == 'dispatch-event'
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Create URL to the run output
+        id: vars
+        run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
+
+      - name: Create comment on PR
+        uses: peter-evans/create-or-update-comment@v5
+        with:
+          issue-number: ${{ github.event.client_payload.pull_request.number }}
+          body: |
+            ${{
+                needs.e2e.result == 'success' && '✅ E2E tests passed.' ||
+                needs.e2e.result == 'failure' && '❌ E2E tests failed.' ||
+                '⚠️ E2E tests completed.'
+            }}
+
+            [View test run output][1]
+
+            [1]: ${{ steps.vars.outputs.run-url }}

.github/workflows/test-fork.yml

@@ -1,92 +0,0 @@
-on:
-  repository_dispatch:
-    types: [ok-to-test-command]
-name: Run acceptance tests [fork]
-
-jobs:
-  test-with-output-secrets:
-    if: |
-      github.event_name == 'repository_dispatch' &&
-      github.event.client_payload.slash_command.args.named.sha != '' &&
-      contains(
-        github.event.client_payload.pull_request.head.sha,
-        github.event.client_payload.slash_command.args.named.sha
-      )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
-    secrets: inherit
-    with:
-      secret: op://acceptance-tests/test-secret/password
-      secret-in-section: op://acceptance-tests/test-secret/test-section/password
-      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
-      export-env: false
-  test-with-export-env:
-    if: |
-      github.event_name == 'repository_dispatch' &&
-      github.event.client_payload.slash_command.args.named.sha != '' &&
-      contains(
-        github.event.client_payload.pull_request.head.sha,
-        github.event.client_payload.slash_command.args.named.sha
-      )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
-    secrets: inherit
-    with:
-      secret: op://acceptance-tests/test-secret/password
-      secret-in-section: op://acceptance-tests/test-secret/test-section/password
-      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
-      export-env: true
-  test-references-with-ids:
-    if: |
-      github.event_name == 'repository_dispatch' &&
-      github.event.client_payload.slash_command.args.named.sha != '' &&
-      contains(
-        github.event.client_payload.pull_request.head.sha,
-        github.event.client_payload.slash_command.args.named.sha
-      )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
-    secrets: inherit
-    with:
-      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
-      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
-      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
-      export-env: false
-  update-checks:
-    # required permissions for updating the status of the pull request checks
-    permissions:
-      pull-requests: write
-      checks: write
-    runs-on: ubuntu-latest
-    if: ${{ always() }}
-    strategy:
-      matrix:
-        job-name:
-          [
-            test-with-output-secrets,
-            test-with-export-env,
-            test-references-with-ids,
-          ]
-    needs:
-      [test-with-output-secrets, test-with-export-env, test-references-with-ids]
-    steps:
-      - uses: actions/github-script@v6
-        env:
-          job: ${{ matrix.job-name }}
-          ref: ${{ github.event.client_payload.pull_request.head.sha }}
-          conclusion: ${{ needs[format('{0}', matrix.job-name )].result }}
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const { data: checks } = await github.rest.checks.listForRef({
-              ...context.repo,
-              ref: process.env.ref
-            });
-
-            const check = checks.check_runs.filter(c => c.name === process.env.job);
-
-            const { data: result } = await github.rest.checks.update({
-              ...context.repo,
-              check_run_id: check[0].id,
-              status: 'completed',
-              conclusion: process.env.conclusion
-            });
-
-            return result;

.github/workflows/test.yml

@@ -1,100 +0,0 @@
-on:
-  push:
-    branches: [main]
-  pull_request:
-name: Run acceptance tests
-
-jobs:
-  unit-tests:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
-        with:
-          node-version: 20
-      - run: npm ci
-      - run: npm test
-
-  test-with-output-secrets:
-    if: |
-      github.ref == 'refs/heads/main' ||
-      (
-        github.event_name == 'pull_request' && 
-        github.event.pull_request.head.repo.full_name == github.repository
-      )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
-    secrets: inherit
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
-        auth: [connect, service-account]
-        exclude:
-          - os: macos-latest
-            auth: connect
-          - os: windows-latest
-            auth: connect
-    with:
-      os: ${{ matrix.os }}
-      version: ${{ matrix.version }}
-      auth: ${{ matrix.auth }}
-      secret: op://acceptance-tests/test-secret/password
-      secret-in-section: op://acceptance-tests/test-secret/test-section/password
-      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
-      export-env: false
-
-  test-with-export-env:
-    if: |
-      github.ref == 'refs/heads/main' ||
-      (
-        github.event_name == 'pull_request' && 
-        github.event.pull_request.head.repo.full_name == github.repository
-      )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
-    secrets: inherit
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
-        auth: [connect, service-account]
-        exclude:
-          - os: macos-latest
-            auth: connect
-          - os: windows-latest
-            auth: connect
-    with:
-      os: ${{ matrix.os }}
-      version: ${{ matrix.version }}
-      auth: ${{ matrix.auth }}
-      secret: op://acceptance-tests/test-secret/password
-      secret-in-section: op://acceptance-tests/test-secret/test-section/password
-      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
-      export-env: true
-
-  test-references-with-ids:
-    if: |
-      github.ref == 'refs/heads/main' ||
-      (
-        github.event_name == 'pull_request' && 
-        github.event.pull_request.head.repo.full_name == github.repository
-      )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
-    secrets: inherit
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
-        auth: [connect, service-account]
-        exclude:
-          - os: macos-latest
-            auth: connect
-          - os: windows-latest
-            auth: connect
-    with:
-      os: ${{ matrix.os }}
-      version: ${{ matrix.version }}
-      auth: ${{ matrix.auth }}
-      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
-      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
-      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
-      export-env: false

.gitignore

@@ -1,2 +1,4 @@
 coverage/
 node_modules/
+.idea/
+1password-credentials.json

README.md

@@ -39,6 +39,7 @@ jobs:
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://app-cicd/hello-world/secret
+          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example
 
       - name: Print masked secret
         run: 'echo "Secret: ${{ steps.load_secrets.outputs.SECRET }}"'
@@ -63,12 +64,28 @@ jobs:
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://app-cicd/hello-world/secret
+          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example
 
       - name: Print masked secret
         run: 'echo "Secret: $SECRET"'
         # Prints: Secret: ***
 ```
 
+### 🔑 SSH Key Format
+
+When loading SSH keys, you can specify the format using the `ssh-format` query parameter. This is useful when you need the private key in a specific format like OpenSSH.
+
+```yml
+- name: Load SSH key
+  uses: 1password/load-secrets-action@v3
+  env:
+    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+    # Load SSH private key in OpenSSH format
+    SSH_PRIVATE_KEY: op://vault/item/private key?ssh-format=openssh
+```
+
+For more details on secret reference syntax, see the [1Password documentation](https://developer.1password.com/docs/cli/secret-reference-syntax/#ssh-format-parameter).
+
 ## 💙 Community & Support
 
 - File an [issue](https://github.com/1Password/load-secrets-action/issues) for bugs and feature requests.

action.yml

@@ -11,8 +11,9 @@ inputs:
   export-env:
     description: Export the secrets as environment variables
     default: "false"
+    # Backward-compatible no-op input (intentionally ignored)
   version:
-    description: Specify which 1Password CLI version to install. Defaults to "latest".
+    description: "(Deprecated) No longer used. Kept for backwards compatibility."
     default: "latest"
 runs:
   using: "node20"

docs/fork-pr-testing.md

@@ -0,0 +1,32 @@
+# Fork PR Testing Guide
+
+This document explains how testing works for external pull requests from forks.
+
+## Overview
+
+The testing system consists of two main workflows:
+
+1. **E2E Tests** (`test-e2e.yml`) - Runs automatically for internal PRs, need manual trigger on external PRs.
+2. **Ok To Test** (`ok-to-test.yml`) - Dispatches `repository_dispatch` event when maintainer puts the `/ok-to-test sha=<commit hash>` comment in the forked PR thread.
+
+## How It Works
+
+### 1. PR is created by maintainer:
+
+For the PR created by maintainer `E2E Test` workflow starts automatically. The PR check will reflect the status of the job.
+
+### 2. PR is created by external contributor:
+
+For the PR created by external contributor `E2E Test` workflow **won't** start automatically.
+Maintainer should make a sanity check of the changes and run it manually by:
+
+1. Putting a comment `/ok-to-test sha=<latest commit hash>` in the PR thread.
+2. `E2E Test` workflow starts.
+3. After `E2E Test` workflow finishes, a comment with a link to the workflow, along with its status will be posted in the PR.
+4. Maintainer can merge PR or request the changes based on the `E2E Test` results.
+
+## Notes
+
+- Only users with **write** permissions can trigger the `/ok-to-test` command.
+- External PRs are automatically detected and prevented from running e2e tests automatically.
+- Running e2e test on the external PR is optional. Maintainer can merge PR without running it. Maintainer decides whether it's needed to run an E2E test.

docs/local-testing.md

@@ -0,0 +1,47 @@
+# Local Testing Guide
+
+This document explains how to run e2e tests locally using `act`.
+
+## Prerequisites
+
+1. **Docker** installed and running
+2. **act** installed ([install guide](https://github.com/nektos/act#installation))
+   ```bash
+   brew install act  # macOS
+   ```
+3. **1Password credentials** (see [Required Secrets](#required-secrets))
+4. Build action
+
+## Required env variables
+
+| Secret                     | Description           |
+| -------------------------- | --------------------- |
+| `OP_SERVICE_ACCOUNT_TOKEN` | Service Account token |
+| `VAULT`                    | Vault name            |
+| `VAULT_ID`                 | Vault UUID            |
+
+## Building Before Testing
+
+If you've modified TypeScript code, rebuild before running E2E tests:
+
+```bash
+npm run build
+```
+
+## Testing
+
+### Run E2E tests using Service Account
+
+```bash
+act push -W .github/workflows/e2e-tests.yml \
+  -s OP_SERVICE_ACCOUNT_TOKEN="$OP_SERVICE_ACCOUNT_TOKEN" \
+  -s VAULT="$VAULT" \
+  -j test-service-account \
+  --matrix os:ubuntu-latest
+```
+
+## Run unit tests
+
+```bash
+npm test
+```

package-lock.json

@@ -1,18 +1,20 @@
 {
 	"name": "load-secrets-action",
-	"version": "3.0.0",
+	"version": "3.1.0",
 	"lockfileVersion": 3,
 	"requires": true,
 	"packages": {
 		"": {
 			"name": "load-secrets-action",
-			"version": "3.0.0",
+			"version": "3.1.0",
 			"license": "MIT",
 			"dependencies": {
-				"@1password/op-js": "^0.1.11",
+				"@1password/connect": "^1.4.2",
+				"@1password/sdk": "^0.4.0",
 				"@actions/core": "^1.10.1",
 				"@actions/exec": "^1.1.1",
-				"op-cli-installer": "github:1Password/op-cli-installer#e6c1c758bc3339e5fe9b06255728039f688f73fa"
+				"@actions/tool-cache": "^2.0.2",
+				"dotenv": "^17.2.2"
 			},
 			"devDependencies": {
 				"@1password/eslint-config": "^4.3.1",
@@ -27,6 +29,19 @@
 				"typescript": "^5.4.2"
 			}
 		},
+		"node_modules/@1password/connect": {
+			"version": "1.4.2",
+			"resolved": "https://registry.npmjs.org/@1password/connect/-/connect-1.4.2.tgz",
+			"integrity": "sha512-CxcDQIr76nloWwGWRrmz/U7DuU65WKrN/yarq45LrC3L6b/pC7bZyskvougadG32fRwBieLJX143lTI8T1bAtQ==",
+			"license": "MIT",
+			"dependencies": {
+				"axios": "^1.10.0",
+				"debug": "^4.4.1",
+				"lodash.clonedeep": "^4.5.0",
+				"slugify": "^1.6.6",
+				"uuid": "^9.0.1"
+			}
+		},
 		"node_modules/@1password/eslint-config": {
 			"version": "4.3.1",
 			"resolved": "https://registry.npmjs.org/@1password/eslint-config/-/eslint-config-4.3.1.tgz",
@@ -51,16 +66,6 @@
 				"typescript": "^5.0.0"
 			}
 		},
-		"node_modules/@1password/op-js": {
-			"version": "0.1.13",
-			"resolved": "https://registry.npmjs.org/@1password/op-js/-/op-js-0.1.13.tgz",
-			"integrity": "sha512-ZZBLxVqywFdvIbLv2xWw2N1ImSi183rRKf90vV19KRMReNyLwuD0dv6IrKrIdrJU33IuV3Gz85Z4K2a1PJTBDg==",
-			"license": "MIT",
-			"dependencies": {
-				"lookpath": "^1.2.2",
-				"semver": "^7.6.2"
-			}
-		},
 		"node_modules/@1password/prettier-config": {
 			"version": "1.2.0",
 			"resolved": "https://registry.npmjs.org/@1password/prettier-config/-/prettier-config-1.2.0.tgz",
@@ -71,6 +76,21 @@
 				"prettier": "^2.0.0 || ^3.0.0"
 			}
 		},
+		"node_modules/@1password/sdk": {
+			"version": "0.4.0",
+			"resolved": "https://registry.npmjs.org/@1password/sdk/-/sdk-0.4.0.tgz",
+			"integrity": "sha512-RIypujc9R/UeUaobjyClTYokqRFpcaIkHq+EO/X9XoHId98Vg+SbjwGV+yygRC4MyHwYNo1KP1iEbZcqJ4ZTdw==",
+			"license": "MIT",
+			"dependencies": {
+				"@1password/sdk-core": "0.4.0"
+			}
+		},
+		"node_modules/@1password/sdk-core": {
+			"version": "0.4.0",
+			"resolved": "https://registry.npmjs.org/@1password/sdk-core/-/sdk-core-0.4.0.tgz",
+			"integrity": "sha512-vjeI1o4wiONY+t1naA4dtUp6HktdLH1D2S+tN1Lh4l41S9XIUHxrljov9B5u6G+VHr7f2MUoxmzXA9zT3aokQQ==",
+			"license": "MIT"
+		},
 		"node_modules/@actions/core": {
 			"version": "1.11.1",
 			"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
@@ -734,9 +754,9 @@
 			"peer": true
 		},
 		"node_modules/@eslint/eslintrc/node_modules/js-yaml": {
-			"version": "4.1.0",
+			"version": "4.1.1",
-			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
+			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
-			"integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+			"integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
 			"dev": true,
 			"license": "MIT",
 			"peer": true,
@@ -1963,6 +1983,12 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/asynckit": {
+			"version": "0.4.0",
+			"resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
+			"integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==",
+			"license": "MIT"
+		},
 		"node_modules/available-typed-arrays": {
 			"version": "1.0.7",
 			"resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.7.tgz",
@@ -1989,6 +2015,17 @@
 				"node": ">=4"
 			}
 		},
+		"node_modules/axios": {
+			"version": "1.13.5",
+			"resolved": "https://registry.npmjs.org/axios/-/axios-1.13.5.tgz",
+			"integrity": "sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==",
+			"license": "MIT",
+			"dependencies": {
+				"follow-redirects": "^1.15.11",
+				"form-data": "^4.0.5",
+				"proxy-from-env": "^1.1.0"
+			}
+		},
 		"node_modules/axobject-query": {
 			"version": "4.1.0",
 			"resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-4.1.0.tgz",
@@ -2255,7 +2292,6 @@
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.1.tgz",
 			"integrity": "sha512-BhYE+WDaywFg2TBWYNXAE+8B1ATnThNBqXHP5nQu0jWJdVvY2hvkpyB3qOmtmDePiS5/BDQ8wASEWGMWRG148g==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"es-errors": "^1.3.0",
@@ -2500,6 +2536,18 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/combined-stream": {
+			"version": "1.0.8",
+			"resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
+			"integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+			"license": "MIT",
+			"dependencies": {
+				"delayed-stream": "~1.0.0"
+			},
+			"engines": {
+				"node": ">= 0.8"
+			}
+		},
 		"node_modules/commander": {
 			"version": "12.1.0",
 			"resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz",
@@ -2633,10 +2681,9 @@
 			}
 		},
 		"node_modules/debug": {
-			"version": "4.4.0",
+			"version": "4.4.3",
-			"resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
+			"resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-			"integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
+			"integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"ms": "^2.1.3"
@@ -2719,6 +2766,15 @@
 				"url": "https://github.com/sponsors/ljharb"
 			}
 		},
+		"node_modules/delayed-stream": {
+			"version": "1.0.0",
+			"resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
+			"integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=0.4.0"
+			}
+		},
 		"node_modules/detect-newline": {
 			"version": "3.1.0",
 			"resolved": "https://registry.npmjs.org/detect-newline/-/detect-newline-3.1.0.tgz",
@@ -2766,11 +2822,22 @@
 				"node": ">=6.0.0"
 			}
 		},
+		"node_modules/dotenv": {
+			"version": "17.2.2",
+			"resolved": "https://registry.npmjs.org/dotenv/-/dotenv-17.2.2.tgz",
+			"integrity": "sha512-Sf2LSQP+bOlhKWWyhFsn0UsfdK/kCWRv1iuA2gXAwt3dyNabr6QSj00I2V10pidqz69soatm9ZwZvpQMTIOd5Q==",
+			"license": "BSD-2-Clause",
+			"engines": {
+				"node": ">=12"
+			},
+			"funding": {
+				"url": "https://dotenvx.com"
+			}
+		},
 		"node_modules/dunder-proto": {
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
 			"integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"call-bind-apply-helpers": "^1.0.1",
@@ -2914,7 +2981,6 @@
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
 			"integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -2924,7 +2990,6 @@
 			"version": "1.3.0",
 			"resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
 			"integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -2961,7 +3026,6 @@
 			"version": "1.0.0",
 			"resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.0.0.tgz",
 			"integrity": "sha512-MZ4iQ6JwHOBQjahnjwaC1ZtIBH+2ohjamzAO3oaHcXYup7qxjF2fixyH+Q71voWHeOkI2q/TnJao/KfXYIZWbw==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"es-errors": "^1.3.0"
@@ -2971,15 +3035,15 @@
 			}
 		},
 		"node_modules/es-set-tostringtag": {
-			"version": "2.0.3",
+			"version": "2.1.0",
-			"resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.0.3.tgz",
+			"resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
-			"integrity": "sha512-3T8uNMC3OQTHkFUsFq8r/BwAXLHvU/9O9mE0fBc/MY5iq/8H7ncvO947LmYA6ldWw9Uh8Yhf25zu6n7nML5QWQ==",
+			"integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
-				"get-intrinsic": "^1.2.4",
+				"es-errors": "^1.3.0",
+				"get-intrinsic": "^1.2.6",
 				"has-tostringtag": "^1.0.2",
-				"hasown": "^2.0.1"
+				"hasown": "^2.0.2"
 			},
 			"engines": {
 				"node": ">= 0.4"
@@ -3457,9 +3521,9 @@
 			}
 		},
 		"node_modules/eslint/node_modules/js-yaml": {
-			"version": "4.1.0",
+			"version": "4.1.1",
-			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
+			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
-			"integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+			"integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
 			"dev": true,
 			"license": "MIT",
 			"peer": true,
@@ -3812,6 +3876,26 @@
 			"license": "ISC",
 			"peer": true
 		},
+		"node_modules/follow-redirects": {
+			"version": "1.15.11",
+			"resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
+			"integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+			"funding": [
+				{
+					"type": "individual",
+					"url": "https://github.com/sponsors/RubenVerborgh"
+				}
+			],
+			"license": "MIT",
+			"engines": {
+				"node": ">=4.0"
+			},
+			"peerDependenciesMeta": {
+				"debug": {
+					"optional": true
+				}
+			}
+		},
 		"node_modules/for-each": {
 			"version": "0.3.3",
 			"resolved": "https://registry.npmjs.org/for-each/-/for-each-0.3.3.tgz",
@@ -3822,6 +3906,22 @@
 				"is-callable": "^1.1.3"
 			}
 		},
+		"node_modules/form-data": {
+			"version": "4.0.5",
+			"resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+			"integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+			"license": "MIT",
+			"dependencies": {
+				"asynckit": "^0.4.0",
+				"combined-stream": "^1.0.8",
+				"es-set-tostringtag": "^2.1.0",
+				"hasown": "^2.0.2",
+				"mime-types": "^2.1.12"
+			},
+			"engines": {
+				"node": ">= 6"
+			}
+		},
 		"node_modules/fs.realpath": {
 			"version": "1.0.0",
 			"resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
@@ -3848,7 +3948,6 @@
 			"version": "1.1.2",
 			"resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
 			"integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
-			"dev": true,
 			"license": "MIT",
 			"funding": {
 				"url": "https://github.com/sponsors/ljharb"
@@ -3921,7 +4020,6 @@
 			"version": "1.2.6",
 			"resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.6.tgz",
 			"integrity": "sha512-qxsEs+9A+u85HhllWJJFicJfPDhRmjzoYdl64aMWW9yRIJmSyxdn8IEkuIM530/7T+lv0TIHd8L6Q/ra0tEoeA==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"call-bind-apply-helpers": "^1.0.1",
@@ -4078,7 +4176,6 @@
 			"version": "1.2.0",
 			"resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
 			"integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -4164,7 +4261,6 @@
 			"version": "1.1.0",
 			"resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
 			"integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -4177,7 +4273,6 @@
 			"version": "1.0.2",
 			"resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
 			"integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"has-symbols": "^1.0.3"
@@ -4193,7 +4288,6 @@
 			"version": "2.0.2",
 			"resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
 			"integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"function-bind": "^1.1.2"
@@ -5526,9 +5620,9 @@
 			"license": "MIT"
 		},
 		"node_modules/js-yaml": {
-			"version": "3.14.1",
+			"version": "3.14.2",
-			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
+			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
-			"integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+			"integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
 			"dev": true,
 			"license": "MIT",
 			"dependencies": {
@@ -5924,6 +6018,12 @@
 				"node": ">=8"
 			}
 		},
+		"node_modules/lodash.clonedeep": {
+			"version": "4.5.0",
+			"resolved": "https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz",
+			"integrity": "sha512-H5ZhCF25riFd9uB5UCkVKo61m3S/xZk1x4wA6yp/L3RFP6Z/eHH1ymQcGLo7J3GMPfm0V/7m1tryHuGVxpqEBQ==",
+			"license": "MIT"
+		},
 		"node_modules/lodash.memoize": {
 			"version": "4.1.2",
 			"resolved": "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-4.1.2.tgz",
@@ -6050,18 +6150,6 @@
 				"url": "https://github.com/chalk/strip-ansi?sponsor=1"
 			}
 		},
-		"node_modules/lookpath": {
-			"version": "1.2.2",
-			"resolved": "https://registry.npmjs.org/lookpath/-/lookpath-1.2.2.tgz",
-			"integrity": "sha512-k2Gmn8iV6qdME3ztZC2spubmQISimFOPLuQKiPaLcVdRz0IpdxrNClVepMlyTJlhodm/zG/VfbkWERm3kUIh+Q==",
-			"license": "MIT",
-			"bin": {
-				"lookpath": "bin/lookpath.js"
-			},
-			"engines": {
-				"npm": ">=6.13.4"
-			}
-		},
 		"node_modules/loose-envify": {
 			"version": "1.4.0",
 			"resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz",
@@ -6122,7 +6210,6 @@
 			"version": "1.0.0",
 			"resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.0.0.tgz",
 			"integrity": "sha512-4MqMiKP90ybymYvsut0CH2g4XWbfLtmlCkXmtmdcDCxNB+mQcu1w/1+L/VD7vi/PSv7X2JYV7SCcR+jiPXnQtA==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -6159,6 +6246,27 @@
 				"node": ">=8.6"
 			}
 		},
+		"node_modules/mime-db": {
+			"version": "1.52.0",
+			"resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+			"integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+			"license": "MIT",
+			"engines": {
+				"node": ">= 0.6"
+			}
+		},
+		"node_modules/mime-types": {
+			"version": "2.1.35",
+			"resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+			"integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+			"license": "MIT",
+			"dependencies": {
+				"mime-db": "1.52.0"
+			},
+			"engines": {
+				"node": ">= 0.6"
+			}
+		},
 		"node_modules/mimic-fn": {
 			"version": "2.1.0",
 			"resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-2.1.0.tgz",
@@ -6209,7 +6317,6 @@
 			"version": "2.1.3",
 			"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
 			"integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-			"dev": true,
 			"license": "MIT"
 		},
 		"node_modules/natural-compare": {
@@ -6386,28 +6493,6 @@
 				"url": "https://github.com/sponsors/sindresorhus"
 			}
 		},
-		"node_modules/op-cli-installer": {
-			"version": "1.0.0",
-			"resolved": "git+ssh://git@github.com/1Password/op-cli-installer.git#e6c1c758bc3339e5fe9b06255728039f688f73fa",
-			"integrity": "sha512-ueyYQAgtbIHP2QWx9iCiztoPov01GdxPZNZ4+Qg3IaAyC4khMIk4/vYPagRhRKta+HI6fWV6jO3/ajBj27KBZA==",
-			"license": "MIT",
-			"dependencies": {
-				"@actions/core": "^1.11.1",
-				"@actions/tool-cache": "^2.0.2",
-				"semver": "^7.7.2"
-			}
-		},
-		"node_modules/op-cli-installer/node_modules/semver": {
-			"version": "7.7.2",
-			"resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
-			"integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
-			"bin": {
-				"semver": "bin/semver.js"
-			},
-			"engines": {
-				"node": ">=10"
-			}
-		},
 		"node_modules/optionator": {
 			"version": "0.9.4",
 			"resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz",
@@ -6717,6 +6802,12 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/proxy-from-env": {
+			"version": "1.1.0",
+			"resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
+			"integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==",
+			"license": "MIT"
+		},
 		"node_modules/punycode": {
 			"version": "2.3.1",
 			"resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
@@ -7035,6 +7126,7 @@
 			"version": "7.6.3",
 			"resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
 			"integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
+			"dev": true,
 			"license": "ISC",
 			"bin": {
 				"semver": "bin/semver.js"
@@ -7230,6 +7322,15 @@
 				"url": "https://github.com/chalk/ansi-styles?sponsor=1"
 			}
 		},
+		"node_modules/slugify": {
+			"version": "1.6.6",
+			"resolved": "https://registry.npmjs.org/slugify/-/slugify-1.6.6.tgz",
+			"integrity": "sha512-h+z7HKHYXj6wJU+AnS/+IH8Uh9fdcX1Lrhg1/VMdf9PwoBQXFcXiAdsy2tSK0P6gKwJLXp02r90ahUCqHk9rrw==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=8.0.0"
+			}
+		},
 		"node_modules/source-map": {
 			"version": "0.6.1",
 			"resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
@@ -7961,6 +8062,19 @@
 				"punycode": "^2.1.0"
 			}
 		},
+		"node_modules/uuid": {
+			"version": "9.0.1",
+			"resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
+			"integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+			"funding": [
+				"https://github.com/sponsors/broofa",
+				"https://github.com/sponsors/ctavan"
+			],
+			"license": "MIT",
+			"bin": {
+				"uuid": "dist/bin/uuid"
+			}
+		},
 		"node_modules/v8-to-istanbul": {
 			"version": "9.3.0",
 			"resolved": "https://registry.npmjs.org/v8-to-istanbul/-/v8-to-istanbul-9.3.0.tgz",

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "load-secrets-action",
-	"version": "3.0.0",
+	"version": "3.1.0",
 	"description": "Load Secrets from 1Password",
 	"main": "dist/index.js",
 	"directories": {
@@ -40,10 +40,12 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
-		"@1password/op-js": "^0.1.11",
+		"@1password/sdk": "^0.4.0",
+		"@1password/connect": "^1.4.2",
 		"@actions/core": "^1.10.1",
 		"@actions/exec": "^1.1.1",
-		"op-cli-installer": "github:1Password/op-cli-installer#e6c1c758bc3339e5fe9b06255728039f688f73fa"
+		"@actions/tool-cache": "^2.0.2",
+		"dotenv": "^17.2.2"
 	},
 	"devDependencies": {
 		"@1password/eslint-config": "^4.3.1",

src/constants.ts

@@ -2,5 +2,6 @@ export const envConnectHost = "OP_CONNECT_HOST";
 export const envConnectToken = "OP_CONNECT_TOKEN";
 export const envServiceAccountToken = "OP_SERVICE_ACCOUNT_TOKEN";
 export const envManagedVariables = "OP_MANAGED_VARIABLES";
+export const envFilePath = "OP_ENV_FILE";
 
 export const authErr = `Authentication error with environment variables: you must set either 1) ${envServiceAccountToken}, or 2) both ${envConnectHost} and ${envConnectToken}.`;

src/index.ts

@@ -1,7 +1,7 @@
+import dotenv from "dotenv";
 import * as core from "@actions/core";
-import { validateCli } from "@1password/op-js";
-import { installCliOnGithubActionRunner } from "op-cli-installer";
 import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
+import { envFilePath } from "./constants";
 
 const loadSecretsAction = async () => {
 	try {
@@ -14,11 +14,15 @@ const loadSecretsAction = async () => {
 			unsetPrevious();
 		}
 
-		// Validate that a proper authentication configuration is set for the CLI
+		// Validate that a proper authentication configuration is set (Connect or service account)
 		validateAuth();
 
-		// Download and install the CLI
+		// Set environment variables from OP_ENV_FILE
-		await installCLI();
+		const file = process.env[envFilePath];
+		if (file) {
+			core.info(`Loading environment variables from file: ${file}`);
+			dotenv.config({ path: file });
+		}
 
 		// Load secrets
 		await loadSecrets(shouldExportEnv);
@@ -30,22 +34,10 @@ const loadSecretsAction = async () => {
 		if (error instanceof Error) {
 			message = error.message;
 		} else {
-			String(error);
+			message = String(error);
 		}
 		core.setFailed(message);
 	}
 };
 
-// This function's name is an exception from the naming convention
-// since we refer to the 1Password CLI here.
-// eslint-disable-next-line @typescript-eslint/naming-convention
-const installCLI = async (): Promise<void> => {
-	// validateCli checks if there's an existing 1Password CLI installed on the runner.
-	// If there's no CLI installed, then validateCli will throw an error, which we will use
-	// as an indicator that we need to execute the installation script.
-	await validateCli().catch(async () => {
-		await installCliOnGithubActionRunner();
-	});
-};
-
 void loadSecretsAction();

src/utils.test.ts

@@ -1,11 +1,15 @@
 import * as core from "@actions/core";
 import * as exec from "@actions/exec";
-import { read, setClientInfo } from "@1password/op-js";
+import { createClient, Secrets } from "@1password/sdk";
+import { OnePasswordConnect, FullItem } from "@1password/connect";
 import {
-	extractSecret,
 	loadSecrets,
 	unsetPrevious,
 	validateAuth,
+	findMatchingFieldAndFile,
+	findSectionIdsByQuery,
+	parseOpRef,
+	getEnvVarNamesWithSecretRefs,
 } from "./utils";
 import {
 	authErr,
@@ -21,7 +25,14 @@ jest.mock("@actions/exec", () => ({
 		stdout: "MOCK_SECRET",
 	})),
 }));
-jest.mock("@1password/op-js");
+jest.mock("@1password/sdk", () => ({
+	createClient: jest.fn(),
+	// eslint-disable-next-line @typescript-eslint/naming-convention
+	Secrets: {
+		validateSecretReference: jest.fn(),
+	},
+}));
+jest.mock("@1password/connect");
 
 beforeEach(() => {
 	jest.clearAllMocks();
@@ -72,70 +83,227 @@ describe("validateAuth", () => {
 	});
 });
 
-describe("extractSecret", () => {
+describe("loadSecrets when using Connect", () => {
-	const envTestSecretEnv = "TEST_SECRET";
+	beforeEach(() => {
-	const testSecretRef = "op://vault/item/secret";
+		process.env[envConnectHost] = "https://connect.example";
-	const testSecretValue = "Secret1@3$";
+		process.env[envConnectToken] = "test-token";
+		process.env[envServiceAccountToken] = "";
 
-	read.parse = jest.fn().mockReturnValue(testSecretValue);
+		Object.keys(process.env).forEach((key) => {
+			if (
+				typeof process.env[key] === "string" &&
+				process.env[key]?.startsWith("op://")
+			) {
+				delete process.env[key];
+			}
+		});
+		process.env.MY_SECRET = "op://vault/item/field";
 
-	process.env[envTestSecretEnv] = testSecretRef;
+		(OnePasswordConnect as jest.Mock).mockReturnValue({
-
+			getVault: jest.fn().mockResolvedValue({ id: "vault-id-123" }),
-	it("should set secret as step output", () => {
+			getItem: jest.fn().mockResolvedValue({
-		extractSecret(envTestSecretEnv, false);
+				fields: [
-		expect(core.exportVariable).not.toHaveBeenCalledWith(
+					{ label: "field", value: "resolved-via-connect", section: undefined },
-			envTestSecretEnv,
+				],
-			testSecretValue,
+				sections: [],
-		);
+			}),
-		expect(core.setOutput).toHaveBeenCalledWith(
+		});
-			envTestSecretEnv,
-			testSecretValue,
-		);
-		expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
 	});
 
-	it("should set secret as environment variable", () => {
+	it("resolves ref via Connect SDK and exports secret", async () => {
-		extractSecret(envTestSecretEnv, true);
-		expect(core.exportVariable).toHaveBeenCalledWith(
-			envTestSecretEnv,
-			testSecretValue,
-		);
-		expect(core.setOutput).not.toHaveBeenCalledWith(
-			envTestSecretEnv,
-			testSecretValue,
-		);
-		expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
-	});
-});
-
-describe("loadSecrets", () => {
-	it("sets the client info and gets the executed output", async () => {
 		await loadSecrets(true);
 
-		expect(setClientInfo).toHaveBeenCalledWith({
-			name: "1Password GitHub Action",
-			id: "GHA",
-		});
-		expect(exec.getExecOutput).toHaveBeenCalledWith('sh -c "op env ls"');
 		expect(core.exportVariable).toHaveBeenCalledWith(
-			"OP_MANAGED_VARIABLES",
+			"MY_SECRET",
-			"MOCK_SECRET",
+			"resolved-via-connect",
+		);
+		expect(core.exportVariable).toHaveBeenCalledWith(
+			envManagedVariables,
+			"MY_SECRET",
 		);
 	});
 
 	it("return early if no env vars with secrets found", async () => {
-		(exec.getExecOutput as jest.Mock).mockReturnValueOnce({ stdout: "" });
+		delete process.env.MY_SECRET;
 		await loadSecrets(true);
 
-		expect(exec.getExecOutput).toHaveBeenCalledWith('sh -c "op env ls"');
 		expect(core.exportVariable).not.toHaveBeenCalled();
 	});
 
+	it("sets step output when shouldExportEnv is false", async () => {
+		await loadSecrets(false);
+
+		expect(core.setOutput).toHaveBeenCalledWith(
+			"MY_SECRET",
+			"resolved-via-connect",
+		);
+		expect(core.exportVariable).not.toHaveBeenCalled();
+	});
+
+	it("masks resolved secret with setSecret", async () => {
+		await loadSecrets(true);
+
+		expect(core.setSecret).toHaveBeenCalledWith("resolved-via-connect");
+	});
+
+	it("calls getVault with vault segment from ref", async () => {
+		process.env.MY_SECRET = "op://my-vault-name/my-item/field";
+		const mockGetVault = jest.fn().mockResolvedValue({ id: "vault-uuid" });
+		const mockGetItem = jest.fn().mockResolvedValue({
+			fields: [{ label: "field", value: "secret-value", section: undefined }],
+			sections: [],
+		});
+		(OnePasswordConnect as jest.Mock).mockReturnValue({
+			getVault: mockGetVault,
+			getItem: mockGetItem,
+		});
+
+		await loadSecrets(false);
+
+		expect(mockGetVault).toHaveBeenCalledWith("my-vault-name");
+	});
+
+	it("throws when getVault returns vault without id", async () => {
+		const mockGetVault = jest.fn().mockResolvedValue({});
+		(OnePasswordConnect as jest.Mock).mockReturnValue({
+			getVault: mockGetVault,
+			getItem: jest.fn(),
+		});
+
+		await expect(loadSecrets(true)).rejects.toThrow(
+			/Could not find valid vault "vault" for ref "op:\/\/vault\/item\/field"/,
+		);
+		expect(mockGetVault).toHaveBeenCalledWith("vault");
+	});
+
+	it("resolves vault by name and uses returned id for getItem", async () => {
+		process.env.MY_SECRET = "op://My Vault/My Item/field";
+		const mockGetVault = jest
+			.fn()
+			.mockResolvedValue({ id: "uuid-for-my-vault" });
+		const mockGetItem = jest.fn().mockResolvedValue({
+			fields: [
+				{
+					label: "field",
+					value: "secret-from-named-vault",
+					section: undefined,
+				},
+			],
+			sections: [],
+		});
+		(OnePasswordConnect as jest.Mock).mockReturnValue({
+			getVault: mockGetVault,
+			getItem: mockGetItem,
+		});
+
+		await loadSecrets(true);
+
+		expect(mockGetVault).toHaveBeenCalledWith("My Vault");
+		expect(mockGetItem).toHaveBeenCalledWith("uuid-for-my-vault", "My Item");
+		expect(core.exportVariable).toHaveBeenCalledWith(
+			"MY_SECRET",
+			"secret-from-named-vault",
+		);
+	});
+
+	it("calls getItem with vault id from getVault, not ref vault segment", async () => {
+		const mockGetVault = jest
+			.fn()
+			.mockResolvedValue({ id: "resolved-vault-id" });
+		const mockGetItem = jest.fn().mockResolvedValue({
+			fields: [
+				{ label: "field", value: "resolved-via-connect", section: undefined },
+			],
+			sections: [],
+		});
+		(OnePasswordConnect as jest.Mock).mockReturnValue({
+			getVault: mockGetVault,
+			getItem: mockGetItem,
+		});
+
+		await loadSecrets(true);
+
+		expect(mockGetVault).toHaveBeenCalledWith("vault");
+		expect(mockGetItem).toHaveBeenCalledWith("resolved-vault-id", "item");
+	});
+
+	it("rejects when getItem fails", async () => {
+		const mockGetVault = jest.fn().mockResolvedValue({ id: "vault-id-123" });
+		const mockGetItem = jest
+			.fn()
+			.mockRejectedValue(new Error("Item not found"));
+		(OnePasswordConnect as jest.Mock).mockReturnValue({
+			getVault: mockGetVault,
+			getItem: mockGetItem,
+		});
+
+		await expect(loadSecrets(true)).rejects.toThrow("Item not found");
+	});
+
+	it("resolves refs in different vaults using each vault id", async () => {
+		delete process.env.MY_SECRET;
+		process.env.SECRET_A = "op://vault-a/item1/field1";
+		process.env.SECRET_B = "op://vault-b/item2/field2";
+		const mockGetVault = jest
+			.fn()
+			.mockImplementation(async (vaultName: string) =>
+				Promise.resolve({
+					id: vaultName === "vault-a" ? "id-a" : "id-b",
+				}),
+			);
+		const mockGetItem = jest
+			.fn()
+			.mockResolvedValueOnce({
+				fields: [{ label: "field1", value: "value-a", section: undefined }],
+				sections: [],
+			})
+			.mockResolvedValueOnce({
+				fields: [{ label: "field2", value: "value-b", section: undefined }],
+				sections: [],
+			});
+		(OnePasswordConnect as jest.Mock).mockReturnValue({
+			getVault: mockGetVault,
+			getItem: mockGetItem,
+		});
+
+		await loadSecrets(true);
+
+		expect(mockGetVault).toHaveBeenCalledWith("vault-a");
+		expect(mockGetVault).toHaveBeenCalledWith("vault-b");
+		expect(mockGetItem).toHaveBeenNthCalledWith(1, "id-a", "item1");
+		expect(mockGetItem).toHaveBeenNthCalledWith(2, "id-b", "item2");
+		expect(core.exportVariable).toHaveBeenCalledWith("SECRET_A", "value-a");
+		expect(core.exportVariable).toHaveBeenCalledWith("SECRET_B", "value-b");
+	});
+
+	it("throws on invalid ref before calling Connect", async () => {
+		delete process.env.MY_SECRET;
+		process.env.BAD_REF = "op://x";
+		const mockGetVault = jest.fn();
+		const mockGetItem = jest.fn();
+		(OnePasswordConnect as jest.Mock).mockReturnValue({
+			getVault: mockGetVault,
+			getItem: mockGetItem,
+		});
+
+		await expect(loadSecrets(true)).rejects.toThrow(/invalid|reference/i);
+		expect(mockGetVault).not.toHaveBeenCalled();
+		expect(mockGetItem).not.toHaveBeenCalled();
+	});
+
 	describe("core.exportVariable", () => {
 		it("is called when shouldExportEnv is true", async () => {
 			await loadSecrets(true);
 
-			expect(core.exportVariable).toHaveBeenCalledTimes(1);
+			expect(core.exportVariable).toHaveBeenCalledTimes(2);
+			expect(core.exportVariable).toHaveBeenCalledWith(
+				"MY_SECRET",
+				"resolved-via-connect",
+			);
+			expect(core.exportVariable).toHaveBeenCalledWith(
+				envManagedVariables,
+				"MY_SECRET",
+			);
 		});
 
 		it("is not called when shouldExportEnv is false", async () => {
@@ -146,6 +314,195 @@ describe("loadSecrets", () => {
 	});
 });
 
+describe("loadSecrets when using Service Account", () => {
+	const mockResolve = jest.fn();
+
+	beforeEach(() => {
+		process.env[envConnectHost] = "";
+		process.env[envConnectToken] = "";
+		process.env[envServiceAccountToken] = "ops_token";
+
+		Object.keys(process.env).forEach((key) => {
+			if (
+				typeof process.env[key] === "string" &&
+				process.env[key]?.startsWith("op://")
+			) {
+				delete process.env[key];
+			}
+		});
+		process.env.MY_SECRET = "op://vault/item/field";
+
+		(createClient as jest.Mock).mockResolvedValue({
+			secrets: { resolve: mockResolve },
+		});
+
+		mockResolve.mockResolvedValue("resolved-secret-value");
+	});
+
+	it("sets step output with resolved value when export-env is false", async () => {
+		await loadSecrets(false);
+		expect(core.setOutput).toHaveBeenCalledTimes(1);
+		expect(core.setOutput).toHaveBeenCalledWith(
+			"MY_SECRET",
+			"resolved-secret-value",
+		);
+	});
+
+	it("masks secret with setSecret when export-env is false", async () => {
+		await loadSecrets(false);
+		expect(core.setSecret).toHaveBeenCalledTimes(1);
+		expect(core.setSecret).toHaveBeenCalledWith("resolved-secret-value");
+	});
+
+	it("does not call exportVariable when export-env is false", async () => {
+		await loadSecrets(false);
+		expect(core.exportVariable).not.toHaveBeenCalled();
+	});
+
+	it("exports env and sets OP_MANAGED_VARIABLES when export-env is true", async () => {
+		await loadSecrets(true);
+		expect(core.exportVariable).toHaveBeenCalledWith(
+			"MY_SECRET",
+			"resolved-secret-value",
+		);
+		expect(core.exportVariable).toHaveBeenCalledWith(
+			envManagedVariables,
+			"MY_SECRET",
+		);
+	});
+
+	it("does not set step output when export-env is true", async () => {
+		await loadSecrets(true);
+		expect(core.setOutput).not.toHaveBeenCalledWith(
+			"MY_SECRET",
+			expect.anything(),
+		);
+	});
+
+	it("masks secret with setSecret when export-env is true", async () => {
+		await loadSecrets(true);
+		expect(core.setSecret).toHaveBeenCalledTimes(1);
+		expect(core.setSecret).toHaveBeenCalledWith("resolved-secret-value");
+	});
+
+	it("returns early when no env vars have op:// refs", async () => {
+		Object.keys(process.env).forEach((key) => {
+			if (
+				typeof process.env[key] === "string" &&
+				process.env[key]?.startsWith("op://")
+			) {
+				delete process.env[key];
+			}
+		});
+		await loadSecrets(true);
+		expect(exec.getExecOutput).not.toHaveBeenCalled();
+		expect(core.exportVariable).not.toHaveBeenCalled();
+	});
+
+	it("wraps createClient errors with a descriptive message", async () => {
+		(createClient as jest.Mock).mockRejectedValue(
+			new Error("invalid token format"),
+		);
+		await expect(loadSecrets(false)).rejects.toThrow(
+			"Service account authentication failed: invalid token format",
+		);
+	});
+
+	describe("multiple refs", () => {
+		const ref1 = "op://vault/item/field";
+		const ref2 = "op://vault/other/item";
+		const ref3 = "op://vault/file/secret";
+
+		beforeEach(() => {
+			process.env.MY_SECRET = ref1;
+			process.env.ANOTHER_SECRET = ref2;
+			process.env.FILE_SECRET = ref3;
+
+			mockResolve
+				.mockResolvedValueOnce("value1")
+				.mockResolvedValueOnce("value2")
+				.mockResolvedValueOnce("value3");
+		});
+
+		it("resolves each ref and sets step output for each when export-env is false", async () => {
+			await loadSecrets(false);
+
+			expect(mockResolve).toHaveBeenCalledTimes(3);
+			expect(mockResolve).toHaveBeenCalledWith(ref1);
+			expect(mockResolve).toHaveBeenCalledWith(ref2);
+			expect(mockResolve).toHaveBeenCalledWith(ref3);
+
+			expect(core.setOutput).toHaveBeenCalledTimes(3);
+			expect(core.setOutput).toHaveBeenCalledWith("MY_SECRET", "value1");
+			expect(core.setOutput).toHaveBeenCalledWith("ANOTHER_SECRET", "value2");
+			expect(core.setOutput).toHaveBeenCalledWith("FILE_SECRET", "value3");
+
+			expect(core.setSecret).toHaveBeenCalledTimes(3);
+		});
+
+		it("resolves each ref and exports each and sets OP_MANAGED_VARIABLES when export-env is true", async () => {
+			await loadSecrets(true);
+
+			expect(mockResolve).toHaveBeenCalledTimes(3);
+
+			expect(core.exportVariable).toHaveBeenCalledWith("MY_SECRET", "value1");
+			expect(core.exportVariable).toHaveBeenCalledWith(
+				"ANOTHER_SECRET",
+				"value2",
+			);
+			expect(core.exportVariable).toHaveBeenCalledWith("FILE_SECRET", "value3");
+
+			const exportVariableCalls = (core.exportVariable as jest.Mock).mock
+				.calls as [string, string][];
+			const managedVarsCall = exportVariableCalls.find(
+				([name]) => name === envManagedVariables,
+			);
+			expect(managedVarsCall).toBeDefined();
+			const managedList = (managedVarsCall as [string, string])[1].split(",");
+			expect(managedList).toContain("MY_SECRET");
+			expect(managedList).toContain("ANOTHER_SECRET");
+			expect(managedList).toContain("FILE_SECRET");
+			expect(managedList).toHaveLength(3);
+
+			expect(core.setSecret).toHaveBeenCalledTimes(3);
+		});
+	});
+
+	describe("secret reference validation", () => {
+		it("fails with clear message when a secret reference is invalid", async () => {
+			process.env.MY_SECRET = "op://invalid/ref/form";
+			(Secrets.validateSecretReference as jest.Mock).mockImplementationOnce(
+				() => {
+					throw new Error("invalid reference format");
+				},
+			);
+
+			await expect(loadSecrets(true)).rejects.toThrow(
+				"Invalid secret reference(s): MY_SECRET",
+			);
+			expect(mockResolve).not.toHaveBeenCalled();
+		});
+
+		it("validates all refs before resolving any secrets", async () => {
+			process.env.MY_SECRET = "op://vault/item/field";
+			process.env.OTHER = "op://vault/other/item";
+			(Secrets.validateSecretReference as jest.Mock).mockImplementation(
+				(ref: string) => {
+					if (ref === "op://vault/other/item") {
+						throw new Error("invalid");
+					}
+				},
+			);
+			mockResolve.mockResolvedValue("value1");
+
+			await expect(loadSecrets(false)).rejects.toThrow(
+				"Invalid secret reference(s): OTHER",
+			);
+			expect(mockResolve).not.toHaveBeenCalled();
+		});
+	});
+});
+
 describe("unsetPrevious", () => {
 	const testManagedEnv = "TEST_SECRET";
 	const testSecretValue = "MyS3cr#T";
@@ -162,3 +519,360 @@ describe("unsetPrevious", () => {
 		expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
 	});
 });
+
+describe("findMatchingFieldAndFile", () => {
+	interface TestField {
+		id?: string;
+		label?: string;
+		value?: string | null;
+		section?: { id: string } | null | undefined;
+	}
+	interface TestFile {
+		id?: string;
+		name?: string;
+		section?: { id: string } | null | undefined;
+	}
+
+	const item = (opts: { fields?: TestField[]; files?: TestFile[] }): FullItem =>
+		({
+			fields: opts.fields ?? [],
+			files: opts.files ?? [],
+			sections: [],
+		}) as unknown as FullItem;
+
+	const find = (
+		opts: { fields?: TestField[]; files?: TestFile[] },
+		sectionIds: string[] = [],
+	) => findMatchingFieldAndFile(item(opts), "password", sectionIds);
+
+	describe("when section filter is used (sectionIds.length > 0)", () => {
+		it.each<{
+			name: string;
+			itemOpts: { fields?: TestField[]; files?: TestFile[] };
+			expected: { fieldValue?: string; fileId?: string };
+		}>([
+			{
+				name: "returns field value when one field matches query and is in ref sections",
+				itemOpts: {
+					fields: [
+						{
+							id: "f1",
+							label: "password",
+							value: "secret123",
+							section: { id: "section-1" },
+						},
+					],
+				},
+				expected: { fieldValue: "secret123" },
+			},
+			{
+				name: "returns file id when one file matches query and is in ref sections",
+				itemOpts: {
+					files: [
+						{
+							id: "file-uuid",
+							name: "password",
+							section: { id: "section-1" },
+						},
+					],
+				},
+				expected: { fileId: "file-uuid" },
+			},
+			{
+				name: "returns empty object when no field or file matches",
+				itemOpts: {
+					fields: [
+						{ label: "other", value: "x", section: { id: "section-1" } },
+					],
+					files: [],
+				},
+				expected: {},
+			},
+			{
+				name: "returns field value when field matches by id",
+				itemOpts: {
+					fields: [
+						{
+							id: "password",
+							label: "Password Label",
+							value: "secret-by-id",
+							section: { id: "section-1" },
+						},
+					],
+				},
+				expected: { fieldValue: "secret-by-id" },
+			},
+		])("$name", ({ itemOpts, expected }) => {
+			expect(find(itemOpts, ["section-1"])).toEqual(expected);
+		});
+
+		it.each<{
+			name: string;
+			itemOpts: { fields?: TestField[]; files?: TestFile[] };
+			error: RegExp;
+		}>([
+			{
+				name: "throws when multiple fields match",
+				itemOpts: {
+					fields: [
+						{ label: "password", value: "a", section: { id: "section-1" } },
+						{ label: "password", value: "b", section: { id: "section-1" } },
+					],
+				},
+				error: /Multiple matches/,
+			},
+			{
+				name: "throws when multiple files match",
+				itemOpts: {
+					files: [
+						{ id: "id1", name: "password", section: { id: "section-1" } },
+						{ id: "id2", name: "password", section: { id: "section-1" } },
+					],
+				},
+				error: /Multiple matches/,
+			},
+			{
+				name: "throws when both a field and a file match",
+				itemOpts: {
+					fields: [
+						{ label: "password", value: "v", section: { id: "section-1" } },
+					],
+					files: [
+						{ id: "fid", name: "password", section: { id: "section-1" } },
+					],
+				},
+				error: /Both a field and a file match/,
+			},
+			{
+				name: "throws when field has no value",
+				itemOpts: {
+					fields: [
+						{ label: "password", value: null, section: { id: "section-1" } },
+					],
+				},
+				error: /has no value/,
+			},
+		])("$name", ({ itemOpts, error }) => {
+			expect(() => find(itemOpts, ["section-1"])).toThrow(error);
+		});
+	});
+
+	describe("when no section filter (sectionIds.length === 0)", () => {
+		const sectionIds: string[] = [];
+
+		it.each<{
+			name: string;
+			itemOpts: { fields?: TestField[]; files?: TestFile[] };
+			expected: { fieldValue?: string; fileId?: string };
+		}>([
+			{
+				name: "returns field value when one field has no section and matches query",
+				itemOpts: {
+					fields: [{ label: "password", value: "secret", section: undefined }],
+				},
+				expected: { fieldValue: "secret" },
+			},
+			{
+				name: "returns file id when one file has no section and matches query",
+				itemOpts: {
+					files: [{ id: "file-id", name: "password", section: undefined }],
+				},
+				expected: { fileId: "file-id" },
+			},
+			{
+				name: "returns field value from fallback (any section) when no field with no section matches",
+				itemOpts: {
+					fields: [
+						{ label: "other", value: "x", section: undefined },
+						{
+							label: "password",
+							value: "from-any-section",
+							section: { id: "sec" },
+						},
+					],
+				},
+				expected: { fieldValue: "from-any-section" },
+			},
+			{
+				name: "returns file id from fallback (any section) when no file with no section matches",
+				itemOpts: {
+					files: [
+						{ id: "other", name: "x", section: undefined },
+						{ id: "file-any", name: "password", section: { id: "sec" } },
+					],
+				},
+				expected: { fileId: "file-any" },
+			},
+			{
+				name: "returns empty object when no match",
+				itemOpts: {
+					fields: [{ label: "other", value: "x", section: undefined }],
+					files: [],
+				},
+				expected: {},
+			},
+		])("$name", ({ itemOpts, expected }) => {
+			expect(find(itemOpts, sectionIds)).toEqual(expected);
+		});
+
+		it.each<{
+			name: string;
+			itemOpts: { fields?: TestField[]; files?: TestFile[] };
+			error: RegExp;
+		}>([
+			{
+				name: "throws when multiple fields with no section match",
+				itemOpts: {
+					fields: [
+						{ label: "password", value: "a", section: undefined },
+						{ label: "password", value: "b", section: undefined },
+					],
+				},
+				error: /Multiple matches/,
+			},
+			{
+				name: "throws when multiple files with no section match",
+				itemOpts: {
+					files: [
+						{ id: "1", name: "password", section: undefined },
+						{ id: "2", name: "password", section: undefined },
+					],
+				},
+				error: /Multiple matches/,
+			},
+			{
+				name: "throws when both field and file match",
+				itemOpts: {
+					fields: [{ label: "password", value: "value", section: undefined }],
+					files: [{ id: "fid", name: "password", section: undefined }],
+				},
+				error: /Both a field and a file match/,
+			},
+		])("$name", ({ itemOpts, error }) => {
+			expect(() => find(itemOpts, sectionIds)).toThrow(error);
+		});
+	});
+});
+
+describe("findSectionIdsByQuery", () => {
+	it("throws when sections is empty", () => {
+		expect(() => findSectionIdsByQuery([], "section-1")).toThrow(
+			/section section-1 could not be found/,
+		);
+	});
+
+	it("throws when sections is null/undefined", () => {
+		expect(() =>
+			findSectionIdsByQuery(undefined as unknown as FullItem["sections"], "x"),
+		).toThrow(/could not be found/);
+	});
+
+	it("returns section id when section matches by id", () => {
+		const sections = [{ id: "sec-1", label: "Section 1" }];
+		expect(
+			findSectionIdsByQuery(sections as FullItem["sections"], "sec-1"),
+		).toEqual(["sec-1"]);
+	});
+
+	it("returns section id when section matches by label", () => {
+		const sections = [{ id: "sec-1", label: "My Section" }];
+		expect(
+			findSectionIdsByQuery(sections as FullItem["sections"], "My Section"),
+		).toEqual(["sec-1"]);
+	});
+
+	it("throws when section query matches no section", () => {
+		const sections = [{ id: "sec-1", label: "Other" }];
+		expect(() =>
+			findSectionIdsByQuery(sections as FullItem["sections"], "nonexistent"),
+		).toThrow(/could not be found/);
+	});
+
+	it("returns multiple ids when multiple sections match", () => {
+		const sections = [
+			{ id: "sec-1", label: "A" },
+			{ id: "sec-2", label: "A" },
+		];
+		expect(
+			findSectionIdsByQuery(sections as FullItem["sections"], "A"),
+		).toEqual(["sec-1", "sec-2"]);
+	});
+});
+
+describe("parseOpRef", () => {
+	it("parses 3-segment ref (vault/item/field)", () => {
+		expect(parseOpRef("op://vault/item/field")).toEqual({
+			vault: "vault",
+			item: "item",
+			field: "field",
+			section: undefined,
+		});
+	});
+
+	it("parses 4-segment ref (vault/item/section/field)", () => {
+		expect(parseOpRef("op://vault/item/MySection/password")).toEqual({
+			vault: "vault",
+			item: "item",
+			section: "MySection",
+			field: "password",
+		});
+	});
+
+	it("decodes URI-encoded segments", () => {
+		expect(parseOpRef("op://my%20vault/my%20item/field")).toEqual({
+			vault: "my vault",
+			item: "my item",
+			field: "field",
+			section: undefined,
+		});
+	});
+
+	it("throws when ref does not start with op://", () => {
+		expect(() => parseOpRef("invalid-ref")).toThrow(
+			/Invalid op reference: invalid-ref/,
+		);
+	});
+
+	it("throws when segment count is invalid", () => {
+		expect(() => parseOpRef("op://vault/item")).toThrow(
+			/use op:\/\/<vault>\/<item>\/<field>/,
+		);
+		expect(() => parseOpRef("op://a/b/c/d/e")).toThrow(
+			/use op:\/\/<vault>\/<item>\/<field>/,
+		);
+	});
+
+	it("throws when vault or item or field is empty", () => {
+		expect(() => parseOpRef("op:///item/field")).toThrow(/vault is required/);
+		expect(() => parseOpRef("op://vault//field")).toThrow(/item is required/);
+		expect(() => parseOpRef("op://vault/item/")).toThrow(/field is required/);
+	});
+
+	it("throws when 4-segment ref has empty section", () => {
+		expect(() => parseOpRef("op://vault/item//field")).toThrow(
+			/section is required when using 4 path segments/,
+		);
+	});
+
+	it("throws when last segment is empty (trailing slash)", () => {
+		expect(() => parseOpRef("op://vault/item/field/")).toThrow(
+			/field is required/,
+		);
+	});
+});
+
+describe("getEnvVarNamesWithSecretRefs", () => {
+	it("returns only env var names whose value is a string starting with op://", () => {
+		process.env.OP_REF = "op://vault/item/field";
+		process.env.NOT_OP_REF = "https://example.com";
+		process.env.EMPTY_REF = "";
+		process.env.OP_REF_OTHER = "op://other/vault/item/secret";
+
+		const result = getEnvVarNamesWithSecretRefs();
+
+		expect(result).toContain("OP_REF");
+		expect(result).toContain("OP_REF_OTHER");
+		expect(result).not.toContain("NOT_OP_REF");
+		expect(result).not.toContain("EMPTY_REF");
+	});
+});

src/utils.ts

@@ -1,6 +1,6 @@
 import * as core from "@actions/core";
-import * as exec from "@actions/exec";
+import { createClient, Secrets } from "@1password/sdk";
-import { read, setClientInfo, semverToInt } from "@1password/op-js";
+import { OnePasswordConnect, FullItem, OPConnect } from "@1password/connect";
 import { version } from "../package.json";
 import {
 	authErr,
@@ -10,6 +10,296 @@ import {
 	envManagedVariables,
 } from "./constants";
 
+// #region Op ref parsing
+interface ParsedOpRef {
+	vault: string;
+	item: string;
+	section: string | undefined;
+	field: string;
+}
+
+export const parseOpRef = (ref: string): ParsedOpRef => {
+	// Safety check: refs are validated by validateSecretRefs before this runs
+	// this guards against parseOpRef being called directly with invalid input
+	if (!ref.startsWith("op://")) {
+		throw new Error(`Invalid op reference: ${ref}`);
+	}
+
+	const segments = ref
+		.slice("op://".length)
+		.split("/")
+		.map((s) => decodeURIComponent(s));
+
+	if (segments.length < 3 || segments.length > 4) {
+		throw new Error(
+			`Invalid op reference: use op://<vault>/<item>/<field> or op://<vault>/<item>/<section>/<field>. Got: ${ref}`,
+		);
+	}
+
+	const vault = segments[0] ?? "";
+	if (!vault) {
+		throw new Error(`Invalid op reference: vault is required`);
+	}
+
+	const item = segments[1] ?? "";
+	if (!item) {
+		throw new Error(`Invalid op reference: item is required`);
+	}
+
+	// Last segment is always the field
+	const field = segments[segments.length - 1] ?? "";
+	if (!field) {
+		throw new Error(`Invalid op reference: field is required`);
+	}
+
+	// Second to last segment is the section if it exists
+	let section: string | undefined;
+	if (segments.length === 4) {
+		section = segments[2];
+		if (!section) {
+			throw new Error(
+				`Invalid op reference: section is required when using 4 path segments`,
+			);
+		}
+	}
+
+	return {
+		vault,
+		item,
+		field,
+		section,
+	};
+};
+// #endregion
+
+// #region Connect item resolution
+const getSecretFromConnectItem = async (
+	client: OPConnect,
+	item: FullItem,
+	parsed: ParsedOpRef,
+): Promise<string> => {
+	const sectionIds = parsed.section
+		? findSectionIdsByQuery(item.sections, parsed.section)
+		: [];
+	const { fieldValue, fileId } = findMatchingFieldAndFile(
+		item,
+		parsed.field,
+		sectionIds,
+	);
+
+	if (fieldValue !== undefined) {
+		return fieldValue;
+	}
+
+	// If a file was found, get the content of the file (with retry on 503)
+	if (fileId) {
+		const maxAttempts = 3;
+		const retryDelayMs = 2000;
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+			try {
+				const content = await client.getFileContent(
+					parsed.vault,
+					parsed.item,
+					fileId,
+				);
+				return content;
+			} catch (err) {
+				const is503 =
+					err &&
+					typeof err === "object" &&
+					(err as Record<string, unknown>).statusCode === 503;
+				if (is503 && attempt < maxAttempts) {
+					await new Promise((resolve) => setTimeout(resolve, retryDelayMs));
+					continue;
+				}
+				throw err;
+			}
+		}
+	}
+
+	if (parsed.section) {
+		throw new Error(
+			`could not find field or file ${parsed.field} in section ${parsed.section} on item ${parsed.item} in vault ${parsed.vault}`,
+		);
+	}
+
+	throw new Error(
+		`could not find field or file ${parsed.field} on item ${parsed.item} in vault ${parsed.vault}`,
+	);
+};
+
+export const findSectionIdsByQuery = (
+	sections: FullItem["sections"],
+	sectionQuery: string | undefined,
+): string[] => {
+	// If no sections were returned with the item throw an error
+	if (!sections || sections.length === 0) {
+		throw new Error(
+			`section ${sectionQuery} could not be found in specified item`,
+		);
+	}
+
+	const ids = sections
+		.filter((s) => s.id === sectionQuery || s.label === sectionQuery)
+		.flatMap((s) => (s.id ? [s.id] : []));
+
+	// If no sections were found with the given query throw an error
+	if (ids.length === 0) {
+		throw new Error(
+			`section ${sectionQuery} could not be found in specified item`,
+		);
+	}
+
+	return ids;
+};
+
+export const findMatchingFieldAndFile = (
+	item: FullItem,
+	fieldOrFileQuery: string,
+	sectionIds: string[],
+): { fieldValue?: string; fileId?: string } => {
+	// Get the fields/files from the item and check if the ref has a section filter
+	const fields = item.fields ?? [];
+	const files = item.files ?? [];
+	const sectionFilter = sectionIds.length > 0;
+
+	const fieldMatchesQuery = (f: (typeof fields)[0]) =>
+		f.id === fieldOrFileQuery || f.label === fieldOrFileQuery;
+	const fileMatchesQuery = (f: (typeof files)[0]) =>
+		f.id === fieldOrFileQuery || f.name === fieldOrFileQuery;
+
+	let matchedField: (typeof fields)[0] | undefined;
+	let matchedFile: (typeof files)[0] | undefined;
+
+	if (sectionFilter) {
+		// If the ref has a section filter only accept matches inside the referenced sections
+		const matchingFields = fields.filter((f) => {
+			const sectionId = f.section?.id;
+			const inRefSections =
+				sectionId !== null &&
+				sectionId !== undefined &&
+				sectionIds.includes(sectionId);
+			return fieldMatchesQuery(f) && inRefSections;
+		});
+		matchedField = findSingleMatch(matchingFields);
+
+		const matchingFiles = files.filter((f) => {
+			const sectionId = f.section?.id;
+			const inRefSections =
+				sectionId !== null &&
+				sectionId !== undefined &&
+				sectionIds.includes(sectionId);
+			return fileMatchesQuery(f) && inRefSections;
+		});
+		matchedFile = findSingleMatch(matchingFiles);
+	} else {
+		// If the ref has no section filter search for matches with no section
+		const matchingFields = fields.filter((f) => {
+			const hasNoSection =
+				f.section?.id === null || f.section?.id === undefined;
+			return fieldMatchesQuery(f) && hasNoSection;
+		});
+		matchedField = findSingleMatch(matchingFields);
+
+		// If no matches were found with no section, search for matches in any section
+		if (!matchedField) {
+			const matchingFieldsInAnySection = fields.filter(fieldMatchesQuery);
+			matchedField = findSingleMatch(matchingFieldsInAnySection);
+		}
+
+		const matchingFiles = files.filter((f) => {
+			const hasNoSection =
+				f.section?.id === null || f.section?.id === undefined;
+			return fileMatchesQuery(f) && hasNoSection;
+		});
+		matchedFile = findSingleMatch(matchingFiles);
+
+		if (!matchedFile) {
+			const matchingFilesInAnySection = files.filter(fileMatchesQuery);
+			matchedFile = findSingleMatch(matchingFilesInAnySection);
+		}
+	}
+
+	if (matchedField && matchedFile) {
+		throw new Error(
+			`Both a field and a file match "${fieldOrFileQuery}". Rename one or use the ID in your op:// reference.`,
+		);
+	}
+
+	if (matchedField) {
+		if (matchedField.value === undefined || matchedField.value === null) {
+			throw new Error(
+				`field ${fieldOrFileQuery} has no value in specified item`,
+			);
+		}
+		return { fieldValue: matchedField.value };
+	}
+
+	if (matchedFile?.id) {
+		return { fileId: matchedFile.id };
+	}
+
+	return {};
+};
+
+const findSingleMatch = <T>(matches: T[]): T | undefined => {
+	if (matches.length > 1) {
+		throw new Error(
+			"Multiple matches found. Rename one or use an ID in your op:// reference.",
+		);
+	}
+	return matches[0];
+};
+// #endregion
+
+// #region Shared helpers and auth
+export const getEnvVarNamesWithSecretRefs = (): string[] =>
+	Object.keys(process.env).filter(
+		(key) =>
+			typeof process.env[key] === "string" &&
+			process.env[key]?.startsWith("op://"),
+	);
+
+const validateSecretRefs = (envNames: string[]): void => {
+	const invalid: string[] = [];
+
+	for (const envName of envNames) {
+		const ref = process.env[envName];
+		if (!ref) {
+			continue;
+		}
+
+		try {
+			Secrets.validateSecretReference(ref);
+		} catch {
+			invalid.push(envName);
+		}
+	}
+
+	// Throw an error if any secret references are invalid
+	if (invalid.length > 0) {
+		const names = invalid.join(", ");
+		throw new Error(`Invalid secret reference(s): ${names}`);
+	}
+};
+
+const setResolvedSecret = (
+	envName: string,
+	secretValue: string,
+	shouldExportEnv: boolean,
+): void => {
+	core.info(`Populating variable: ${envName}`);
+
+	if (shouldExportEnv) {
+		core.exportVariable(envName, secretValue);
+	} else {
+		core.setOutput(envName, secretValue);
+	}
+	if (secretValue) {
+		core.setSecret(secretValue);
+	}
+};
+
 export const validateAuth = (): void => {
 	const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
 	const isServiceAccount = process.env[envServiceAccountToken];
@@ -29,56 +319,6 @@ export const validateAuth = (): void => {
 	core.info(`Authenticated with ${authType}.`);
 };
 
-export const extractSecret = (
-	envName: string,
-	shouldExportEnv: boolean,
-): void => {
-	core.info(`Populating variable: ${envName}`);
-
-	const ref = process.env[envName];
-	if (!ref) {
-		return;
-	}
-
-	const secretValue = read.parse(ref);
-	if (!secretValue) {
-		return;
-	}
-
-	if (shouldExportEnv) {
-		core.exportVariable(envName, secretValue);
-	} else {
-		core.setOutput(envName, secretValue);
-	}
-	core.setSecret(secretValue);
-};
-
-export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
-	// Pass User-Agent Information to the 1Password CLI
-	setClientInfo({
-		name: "1Password GitHub Action",
-		id: "GHA",
-		build: semverToInt(version),
-	});
-
-	// Load secrets from environment variables using 1Password CLI.
-	// Iterate over them to find 1Password references, extract the secret values,
-	// and make them available in the next steps either as step outputs or as environment variables.
-	const res = await exec.getExecOutput(`sh -c "op env ls"`);
-
-	if (res.stdout === "") {
-		return;
-	}
-
-	const envs = res.stdout.replace(/\n+$/g, "").split(/\r?\n/);
-	for (const envName of envs) {
-		extractSecret(envName, shouldExportEnv);
-	}
-	if (shouldExportEnv) {
-		core.exportVariable(envManagedVariables, envs.join());
-	}
-};
-
 export const unsetPrevious = (): void => {
 	if (process.env[envManagedVariables]) {
 		core.info("Unsetting previous values ...");
@@ -89,3 +329,150 @@ export const unsetPrevious = (): void => {
 		}
 	}
 };
+
+const fetchVaultId = async (
+	client: OPConnect,
+	vaultQuery: string,
+	ref: string,
+	cache: Map<string, string>,
+): Promise<string> => {
+	// Check if the vault ID is already cached
+	const cached = cache.get(vaultQuery);
+	if (cached !== undefined) {
+		return cached;
+	}
+
+	const vault = await client.getVault(vaultQuery);
+	if (!vault.id) {
+		throw new Error(
+			`Could not find valid vault "${vaultQuery}" for ref "${ref}"`,
+		);
+	}
+
+	cache.set(vaultQuery, vault.id);
+	return vault.id;
+};
+// #endregion
+
+// #region Load secrets
+// Connect loads secrets via the Connect JS SDK
+const loadSecretsViaConnect = async (
+	shouldExportEnv: boolean,
+): Promise<void> => {
+	const envs = getEnvVarNamesWithSecretRefs();
+	if (envs.length === 0) {
+		return;
+	}
+
+	validateSecretRefs(envs);
+
+	const host = process.env[envConnectHost];
+	const token = process.env[envConnectToken];
+	if (!host || !token) {
+		throw new Error(authErr);
+	}
+
+	// Authenticate with the Connect SDK
+	let client;
+	try {
+		client = OnePasswordConnect({
+			// eslint-disable-next-line @typescript-eslint/naming-convention
+			serverURL: host,
+			token,
+		});
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		throw new Error(`Connect authentication failed: ${message}`);
+	}
+
+	const vaultIdByQuery = new Map<string, string>();
+
+	for (const envName of envs) {
+		const ref = process.env[envName];
+		if (!ref) {
+			continue;
+		}
+
+		try {
+			// Parse the op ref and get the item from the Connect SDK
+			const parsed = parseOpRef(ref);
+
+			const vaultId = await fetchVaultId(
+				client,
+				parsed.vault,
+				ref,
+				vaultIdByQuery,
+			);
+			const item = await client.getItem(vaultId, parsed.item);
+
+			// Get the secret value from the item as Connect returns a full item object
+			const secretValue = await getSecretFromConnectItem(client, item, parsed);
+			setResolvedSecret(envName, secretValue, shouldExportEnv);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			throw new Error(`Failed to load ref "${ref}": ${msg}`);
+		}
+	}
+
+	if (shouldExportEnv) {
+		core.exportVariable(envManagedVariables, envs.join());
+	}
+};
+
+// Service Account loads secrets via the 1Password SDK
+const loadSecretsViaServiceAccount = async (
+	shouldExportEnv: boolean,
+): Promise<void> => {
+	const envs = getEnvVarNamesWithSecretRefs();
+	if (envs.length === 0) {
+		return;
+	}
+
+	validateSecretRefs(envs);
+
+	const token = process.env[envServiceAccountToken];
+	if (!token) {
+		throw new Error(authErr);
+	}
+
+	// Authenticate with the 1Password SDK
+	let client;
+	try {
+		client = await createClient({
+			auth: token,
+			integrationName: "1Password GitHub Action",
+			integrationVersion: version,
+		});
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		throw new Error(`Service account authentication failed: ${message}`);
+	}
+
+	for (const envName of envs) {
+		const ref = process.env[envName];
+		if (!ref) {
+			continue;
+		}
+
+		// Resolve the secret value using the 1Password SDK
+		// and make it available either as step outputs or as environment variables
+		const secretValue = await client.secrets.resolve(ref);
+		setResolvedSecret(envName, secretValue, shouldExportEnv);
+	}
+
+	if (shouldExportEnv) {
+		core.exportVariable(envManagedVariables, envs.join());
+	}
+};
+
+export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
+	const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
+
+	if (isConnect) {
+		await loadSecretsViaConnect(shouldExportEnv);
+		return;
+	}
+
+	await loadSecretsViaServiceAccount(shouldExportEnv);
+};
+// #endregion

tests/assert-env-set.sh

@@ -9,11 +9,11 @@ assert_env_equals() {
   fi
 }
 
-assert_env_equals "SECRET" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
+readonly SECRET="RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
+readonly FILE_SECRET_CONTENT="This is a test"
+readonly DOUBLE_SECTION_SECRET_CONTENT="test-password"
 
-assert_env_equals "SECRET_IN_SECTION" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
+MULTILINE_SECRET="$(cat << EOF
-
-assert_env_equals "MULTILINE_SECRET" "$(cat << EOF
 -----BEGIN PRIVATE KEY-----
 RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLApXaGls
 ZSB3ZSBkZWVwbHkgYXBwcmVjaWF0ZSB5b3VyIHZp
@@ -28,3 +28,18 @@ IApTbyBwbGVhc2UgZG9uJ3QgcmVwb3J0IGl0IQo=
 -----END PRIVATE KEY-----
 EOF
 )"
+readonly MULTILINE_SECRET
+
+assert_env_equals "SECRET" "${SECRET}"
+assert_env_equals "FILE_SECRET" "${SECRET}"
+
+assert_env_equals "SECRET_IN_SECTION" "${SECRET}"
+assert_env_equals "FILE_SECRET_IN_SECTION" "${SECRET}"
+
+assert_env_equals "MULTILINE_SECRET" "${MULTILINE_SECRET}"
+assert_env_equals "FILE_MULTILINE_SECRET" "${MULTILINE_SECRET}"
+
+assert_env_equals "SECRET_WITH_FILE" "${FILE_SECRET_CONTENT}"
+assert_env_equals "SECRET_WITH_FILE_IN_SECTION" "${FILE_SECRET_CONTENT}"
+
+assert_env_equals "DOUBLE_SECTION_SECRET" "${DOUBLE_SECTION_SECRET_CONTENT}"

tests/assert-env-unset.sh

@@ -10,5 +10,14 @@ assert_env_unset() {
 }
 
 assert_env_unset "SECRET"
+assert_env_unset "FILE_SECRET"
+
 assert_env_unset "SECRET_IN_SECTION"
+assert_env_unset "FILE_SECRET_IN_SECTION"
+
 assert_env_unset "MULTILINE_SECRET"
+assert_env_unset "FILE_MULTILINE_SECRET"
+
+assert_env_unset "SECRET_WITH_FILE"
+assert_env_unset "SECRET_WITH_FILE_IN_SECTION"
+assert_env_unset "DOUBLE_SECTION_SECRET"

tests/assert-invalid-ref-failed.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+if [ "$STEP_OUTCOME" != "failure" ]; then
+  echo "Expected action to fail on invalid ref, got: $STEP_OUTCOME"
+  exit 1
+fi
+echo "Action correctly failed on invalid ref"