wesley/load-secrets-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
52 Commits 18 Branches 22 Tags
1263fc888c1d7f9791ecce98aaa053fa52c9df49
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
volodymyrZotov 1263fc888c updated darwin op archive link
2022-08-10 16:57:06 +03:00
.github/workflows
added env variables to test secret section
2022-08-10 12:59:29 +03:00
configure
updated configure script
2022-08-10 10:23:14 +03:00
dist
Switch to node action
2021-09-01 18:20:57 +02:00
src
Adjust package dependencies and add newlines
2021-09-01 20:09:34 +02:00
tests
Add ShellCheck workflow
2021-05-20 17:13:25 +02:00
.gitignore
Adjust package dependencies and add newlines
2021-09-01 20:09:34 +02:00
action.yml
Enable using loaded secrets from step's output
2021-09-01 18:23:35 +02:00
entrypoint.sh
updated darwin op archive link
2022-08-10 16:57:06 +03:00
LICENSE
Add MIT license
2021-05-20 21:05:11 +02:00
package-lock.json
Switch to node action
2021-09-01 18:20:57 +02:00
package.json
Adjust package dependencies and add newlines
2021-09-01 20:09:34 +02:00
README.md
Add newline to trigger pipeline
2021-10-05 16:34:31 +02:00
tsconfig.json
Adjust package dependencies and add newlines
2021-09-01 20:09:34 +02:00

README.md

Load Secrets from 1Password - GitHub Action

This action loads secrets from 1Password Connect into GitHub Actions.

Specify right from your workflow YAML which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.

Prerequisites

Usage

There are two ways that secrets can be loaded:

Use secrets from the action's output

This approach enables the user to use the loaded secrets as an output from the step: steps.step-id.outputs.secret-name. You need to set an id for the step that uses this action to be able to access its outputs. More details about the metadata syntax here.

on: push
jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Load secret
        id: op-load-secret
        uses: 1password/load-secrets-action@v1
        env:
          OP_CONNECT_HOST: <Your Connect instance URL>
          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret

      - name: Print masked secret
        run: echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"
        # Prints: Secret: ***
Longer usage example 
on: push
name: Deploy app

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Configure 1Password Connect
        uses: 1password/load-secrets-action/configure@v1
        with:
          # Persist the 1Password Connect URL for next steps. You can also persist 
          # the Connect token using input `connect-token`, but keep in mind that 
          # every single step in the job would then be able to access the token.
          connect-host: https://1password.acme.com

      - name: Load Docker credentials
        id: load-docker-credentials
        uses: 1password/load-secrets-action@v1
        env:
          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
          DOCKERHUB_USERNAME: op://app-cicd/docker/username
          DOCKERHUB_TOKEN: op://app-cicd/docker/token

      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: acme/app:latest

Export secrets as environment variables

In this approach, the user can access the loaded secrets as environment variables. These environment variables are accessible at a job level.

on: push
jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Load secret
        uses: 1password/load-secrets-action@v1
        with:
          # Export loaded secrets as environment variables
          export-env: true
        env:
          OP_CONNECT_HOST: <Your Connect instance URL>
          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret

      - name: Print masked secret
        run: echo "Secret: $SECRET"
        # Prints: Secret: ***
Longer usage example 
on: push
name: Deploy app

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Configure 1Password Connect
        uses: 1password/load-secrets-action/configure@v1
        with:
          # Persist the 1Password Connect URL for next steps. You can also persist 
          # the Connect token using input `connect-token`, but keep in mind that 
          # every single step in the job would then be able to access the token.
          connect-host: https://1password.acme.com

      - name: Load Docker credentials
        uses: 1password/load-secrets-action@v1
        with:
          # Export loaded secrets as environment variables
          export-env: true
        env:
          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
          DOCKERHUB_USERNAME: op://app-cicd/docker/username
          DOCKERHUB_TOKEN: op://app-cicd/docker/token

      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ env.DOCKERHUB_USERNAME }}
          password: ${{ env.DOCKERHUB_TOKEN }}

      - name: Print environment variables with masked secrets
        run: printenv

      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: acme/app:latest

      - name: Load AWS credentials
        uses: 1password/load-secrets-action@v1
        with:
          # Export loaded secrets as environment variables
          export-env: true
          # Remove local copies of the Docker credentials, which are not needed anymore
          unset-previous: true
        env:
          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key

      - name: Deploy app
        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was 
        # done automatically by the step above
        run: ./deploy.sh

Action Inputs

Name Default Description
export-env false Export the loaded secrets as environment variables
unset-previous false Whether to unset environment variables populated by 1Password in earlier job steps

Secrets Reference Syntax

To specify which secret should be loaded into which environment variable, the action will look for op:// reference URIs in environment variables, and replace those with the actual secret values.

These reference URIs have the following syntax:

op://<vault>/<item>[/<section>]/<field>

So for example, the reference URI op://app-cicd/aws/secret-access-key would be interpreted as:

  • Vault: app-cicd
  • Item: aws
  • Section: default section
  • Field: secret-access-key

Masking

Similar to regular GitHub repository secrets, fields from 1Password will automatically be masked from the GitHub Actions logs too. So if one of these values accidentally gets printed, it'll get replaced with ***.

1Password Connect Configuration

To use the action, you need to have a 1Password Connect instance deployed somewhere. To configure the action with your Connect URL and a Connect token, you can set the OP_CONNECT_HOST and OP_CONNECT_TOKEN variables.

If you're using the load-secrets action more than once in a single job, you can use the configure action to avoid duplicate configuration:

on: push
jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Configure 1Password Connect
        uses: 1password/load-secrets-action/configure@v1
        with:
          connect-host: <Your Connect instance URL>
          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}

      - name: Load secret
        uses: 1password/load-secrets-action@v1
        env:
          SECRET: op://app-cicd/hello-world/secret

configure Action Inputs

Name Default Environment variable Description
connect-host OP_CONNECT_HOST Your 1Password Connect instance URL
connect-token OP_CONNECT_TOKEN Token to authenticate to your 1Password Connect instance

Supported Runners

You can run the action on Linux and macOS runners. Windows is currently not supported.

Security

1Password requests you practice responsible disclosure if you discover a vulnerability.

Please file requests via BugCrowd.

For information about security practices, please visit our Security homepage.

Getting help

If you find yourself stuck, visit our Support Page for help.

Description
Mirror of 1Password/load-secrets-action for local Gitea Actions use
Readme MIT 10 MiB
Languages
TypeScript 86.4%
Shell 7.7%
JavaScript 5.9%