Update install-cli-action package

As ncc uses commonjs bundle type and we import `install-cli-action` which is also commonjs, we should not set `type: module` in the package.json so it doesn't break the load-secrets-action bundle. Therefore, we can safely remove it at all.

Revert package.json

.github/workflows/acceptance-test.yml

@@ -96,6 +96,8 @@ jobs:
           SECRET: ${{ inputs.secret }}
           SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
           MULTILINE_SECRET: ${{ inputs.multiline-secret }}
+      - name: Verify installed op cli version
+        run: ./tests/assert-cli-version.sh ${{ inputs.version }}
       - name: Assert test secret values [step output]
         if: ${{ !inputs.export-env }}
         env:

.github/workflows/ok-to-test.yml

@@ -15,7 +15,7 @@ jobs:
     if: ${{ github.event.issue.pull_request }}
     steps:
       - name: Slash Command Dispatch
-        uses: peter-evans/slash-command-dispatch@v4
+        uses: peter-evans/slash-command-dispatch@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -22,13 +22,13 @@ jobs:
         github.event_name == 'pull_request' && 
         github.event.pull_request.head.repo.full_name == github.repository
       )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
     secrets: inherit
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
-        auth: [connect, service-account]
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
+        auth: [ connect, service-account ]
         exclude:
           - os: macos-latest
             auth: connect
@@ -50,13 +50,13 @@ jobs:
         github.event_name == 'pull_request' && 
         github.event.pull_request.head.repo.full_name == github.repository
       )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
     secrets: inherit
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
-        auth: [connect, service-account]
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
+        auth: [ connect, service-account ]
         exclude:
           - os: macos-latest
             auth: connect
@@ -78,13 +78,13 @@ jobs:
         github.event_name == 'pull_request' && 
         github.event.pull_request.head.repo.full_name == github.repository
       )
-    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/windows-support2 #TODO: after merge, this to main, revert to consume yml file from main (delete '@vzt/windows-support2')
     secrets: inherit
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
-        auth: [connect, service-account]
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        version: [ latest, latest-beta, 2.30.0, 2.30.0-beta.03 ]
+        auth: [ connect, service-account ]
         exclude:
           - os: macos-latest
             auth: connect

README.md

@@ -23,40 +23,16 @@ Read more on the [1Password Developer Portal](https://developer.1password.com/do
 
 ## ✨ Quickstart
 
-### Export secrets as a step's output (recommended)
-
 ```yml
 on: push
 jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
 
       - name: Load secret
-        id: load_secrets
-        uses: 1password/load-secrets-action@v3
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://app-cicd/hello-world/secret
-
-      - name: Print masked secret
-        run: 'echo "Secret: ${{ steps.load_secrets.outputs.SECRET }}"'
-        # Prints: Secret: ***
-```
-
-### Export secrets as env variables
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Load secret
-        uses: 1password/load-secrets-action@v3
+        uses: 1password/load-secrets-action@v2
         with:
           # Export loaded secrets as environment variables
           export-env: true

action.yml

@@ -5,15 +5,15 @@ branding:
   icon: lock
   color: blue
 inputs:
+  version:
+    description: Version of the 1Password CLI to install
+    default: latest
   unset-previous:
     description: Whether to unset environment variables populated by 1Password in earlier job steps
     default: "false"
   export-env:
     description: Export the secrets as environment variables
-    default: "false"
-  version:
-    description: Specify which 1Password CLI version to install. Defaults to "latest".
-    default: "latest"
+    default: "true"
 runs:
   using: "node20"
   main: "dist/index.js"

config/jest.config.js

@@ -25,4 +25,4 @@ const jestConfig = {
 	verbose: true,
 };
 
-export default jestConfig;
+module.exports = jestConfig;

configure/dist/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "commonjs"
-}

dist/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "commonjs"
-}

install_cli.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+# Install op-cli
+install_op_cli() {
+  # Create a temporary directory where the CLI is installed
+  OP_INSTALL_DIR="$(mktemp -d)"
+  if [[ ! -d "$OP_INSTALL_DIR" ]]; then
+    echo "Install dir $OP_INSTALL_DIR not found"
+    exit 1
+  fi
+  echo "::debug::OP_INSTALL_DIR: ${OP_INSTALL_DIR}"
+
+  # Get the latest stable version of the CLI
+  CLI_VERSION="v$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')"
+
+  if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+    # Get runner's architecture
+    ARCH=$(uname -m)
+    if [[ "$(getconf LONG_BIT)" = 32 ]]; then
+      ARCH="386"
+    elif [[ "$ARCH" == "x86_64" ]]; then
+      ARCH="amd64"
+    elif [[ "$ARCH" == "aarch64" ]]; then
+      ARCH="arm64"
+    fi
+
+    if [[ "$ARCH" != "386" ]] && [[ "$ARCH" != "amd64" ]] && [[ "$ARCH" != "arm" ]] && [[ "$ARCH" != "arm64" ]]; then
+      echo "Unsupported architecture for the 1Password CLI: $ARCH."
+      exit 1
+    fi
+
+    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/${CLI_VERSION}/op_linux_${ARCH}_${CLI_VERSION}.zip"
+    unzip -od "$OP_INSTALL_DIR" op.zip && rm op.zip
+  elif [[ "$OSTYPE" == "darwin"* ]]; then
+    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/${CLI_VERSION}/op_apple_universal_${CLI_VERSION}.pkg"
+    pkgutil --expand op.pkg temp-pkg
+    tar -xvf temp-pkg/op.pkg/Payload -C "$OP_INSTALL_DIR"
+    rm -rf temp-pkg && rm op.pkg
+  else
+    echo "Operating system not supported yet for this GitHub Action: $OSTYPE."
+    exit 1
+  fi
+}
+
+install_op_cli

package.json

@@ -1,7 +1,8 @@
 {
 	"name": "load-secrets-action",
-	"version": "3.0.0",
+	"version": "2.0.0",
 	"description": "Load Secrets from 1Password",
+	"type": "commonjs",
 	"main": "dist/index.js",
 	"directories": {
 		"test": "tests"
@@ -9,7 +10,6 @@
 	"scripts": {
 		"build": "ncc build ./src/index.ts",
 		"build:configure": "ncc build ./configure/index.js -o ./configure/dist",
-		"build:all": "npm run build && npm run build:configure",
 		"format": "prettier --ignore-path ./config/.prettierignore",
 		"format:check": "npm run format -- --check ./",
 		"format:write": "npm run format -- --write ./",
@@ -40,10 +40,11 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
+		"@1password/install-cli-action": "github:1password/install-cli-action#vzt/export-install-function",
 		"@1password/op-js": "^0.1.11",
-		"@actions/core": "^1.10.1",
+		"@actions/core": "^1.11.1",
 		"@actions/exec": "^1.1.1",
-		"op-cli-installer": "github:1Password/op-cli-installer#e6c1c758bc3339e5fe9b06255728039f688f73fa"
+		"@actions/tool-cache": "^2.0.2"
 	},
 	"devDependencies": {
 		"@1password/eslint-config": "^4.3.1",

src/index.ts

@@ -1,6 +1,5 @@
 import * as core from "@actions/core";
 import { validateCli } from "@1password/op-js";
-import { installCliOnGithubActionRunner } from "op-cli-installer";
 import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
 
 const loadSecretsAction = async () => {
@@ -44,7 +43,10 @@ const installCLI = async (): Promise<void> => {
 	// If there's no CLI installed, then validateCli will throw an error, which we will use
 	// as an indicator that we need to execute the installation script.
 	await validateCli().catch(async () => {
-		await installCliOnGithubActionRunner();
+		// eslint-disable-next-line
+		const { install } = require("@1password/install-cli-action");
+		// eslint-disable-next-line @typescript-eslint/no-unsafe-call
+		await install();
 	});
 };
 

tests/assert-cli-version.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+OP_CLI_VERSION="$1"
+CLI_URL="https://app-updates.agilebits.com/product_history/CLI2"
+
+get_latest_cli_version() {
+    conditional_path="/beta/"
+    if [ "$1" == "non_beta" ]; then
+        conditional_path="!/beta/"
+    fi
+    # This long command parses the HTML page at "CLI_URL" and finds the latest CLI version
+    # based on the release channel we're looking for (stable or beta).
+    #
+    # The ideal call (i.e. 'curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/Y -s | jq -r .version')
+    # doesn't retrieve the latest CLI version on a channel basis.
+    # If the latest release is stable and we want the latest beta, this command will return the stable still.
+    OP_CLI_VERSION="$(curl -s $CLI_URL | awk -v RS='<h3>|</h3>' 'NR % 2 == 0 {gsub(/[[:blank:]]+/, ""); gsub(/<span[^>]*>|<\/span>|[\r\n]+/, ""); gsub(/&nbsp;.*$/, ""); if (!'"$1"' && '"$conditional_path"'){print; '"$1"'=1;}}')"
+}
+
+if [ "$OP_CLI_VERSION" == "latest" ]; then
+    get_latest_cli_version non_beta
+elif [ "$OP_CLI_VERSION" == "latest-beta" ]; then
+    get_latest_cli_version beta
+fi
+
+if [ "$(op --version)" != "$OP_CLI_VERSION" ]; then
+    echo -e "Expected CLI version to be:\n$OP_CLI_VERSION\nBut got:\n$(op --version)"
+    exit 1
+fi