Add tests
@@ -262,8 +262,6 @@ jobs:
|
||||
test-workload-identity:
|
||||
name: Workload Identity (ubuntu-latest, export-env=${{ matrix.export-env }})
|
||||
runs-on: ubuntu-latest
|
||||
# Workload Identity exchanges the GitHub OIDC token for 1Password access,
|
||||
# so the job needs permission to request an OIDC token.
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: read
|
||||
@@ -290,8 +288,6 @@ jobs:
|
||||
- name: Build actions
|
||||
run: npm run build:all
|
||||
|
||||
# No ./configure step and no op:// references: Workload Identity authenticates
|
||||
# via OIDC and loads all variables from the configured 1Password environment.
|
||||
- name: Load secrets
|
||||
id: load_secrets
|
||||
uses: ./
|
||||
|
||||
@@ -113,7 +113,9 @@ jobs:
|
||||
OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
|
||||
```
|
||||
|
||||
When Workload Identity is configured, secrets are loaded directly from your environment's variables. You don't need to specify individual `op://` secret references. If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
|
||||
Unlike the Service Account and Connect flows, you don't select secrets with individual `op://` references. Instead, **all variables defined in the configured 1Password environment are loaded** — each one is exported as an environment variable (or set as a step output). Scope your environment to only the variables you want available to the job.
|
||||
|
||||
If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
|
||||
|
||||
## 💙 Community & Support
|
||||
|
||||
|
||||
Vendored
+4
-1
@@ -38431,7 +38431,10 @@ var sdk = __nccwpck_require__(7837);
|
||||
|
||||
|
||||
|
||||
// Names use the OIDC/SDK acronyms, which break strictCamelCase.
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
const getOIDCToken = async (audience) => getIDToken(audience);
|
||||
// eslint-disable-next-line @typescript-eslint/naming-convention
|
||||
const loadSecretsFromSDK = async (workloadId, environmentId, integrationKey, shouldExportEnv) => {
|
||||
// Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
|
||||
integrationKey = integrationKey.replace(/=+$/, "");
|
||||
@@ -38487,7 +38490,7 @@ const loadSecretsAction = async () => {
|
||||
// are inline per-step and intentionally not persisted (persisting them would make
|
||||
// every later step re-load all variables). Nothing to auth or load, we're done.
|
||||
if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
|
||||
info("No authentication configured; unset complete.");
|
||||
info("No authentication configured; unset previously managed variables. No secrets were loaded.");
|
||||
return;
|
||||
}
|
||||
if (workloadConfig) {
|
||||
|
||||
+3
-1
@@ -29,7 +29,9 @@ const loadSecretsAction = async () => {
|
||||
// are inline per-step and intentionally not persisted (persisting them would make
|
||||
// every later step re-load all variables). Nothing to auth or load, we're done.
|
||||
if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
|
||||
core.info("No authentication configured; unset complete.");
|
||||
core.info(
|
||||
"No authentication configured; unset previously managed variables. No secrets were loaded.",
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
+2
-2
@@ -16,14 +16,14 @@ export const loadSecretsFromSDK = async (
|
||||
shouldExportEnv: boolean,
|
||||
): Promise<void> => {
|
||||
// Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
|
||||
integrationKey = integrationKey.replace(/=+$/, "");
|
||||
const customerManagedSecret = integrationKey.replace(/=+$/, "");
|
||||
|
||||
const client = await createClient({
|
||||
integrationName: "1Password GitHub Action",
|
||||
integrationVersion: version,
|
||||
oidcFetcher: getOIDCToken,
|
||||
workloadDetails: {
|
||||
customerManagedSecret: integrationKey,
|
||||
customerManagedSecret,
|
||||
workloadUuid: workloadId,
|
||||
},
|
||||
});
|
||||
|
||||
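Review bot: The padding-stripped `customerManagedSecret` is a new string that differs from the registered `OP_INTEGRATION_KEY` value whenever the key carried `=` padding, so log masking that matches the registered secret exactly would not redact it if it ever reached a log line or an error message. Consider registering the derived value right after it is computed with `core.setSecret(customerManagedSecret);`, assuming `@actions/core` is imported in this file (the import block is outside the hunk). The comment above the new line still says the padding is stripped "from integrationKey", which now reads as mutation of the parameter; `// Temporary fix: pass a padding-free copy of integrationKey until the SDK core handles base64 padding itself` would match the code. The function starts before and continues past the hunk.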
@@ -285,4 +285,24 @@ describe("unsetPrevious", () => {
|
||||
expect(core.info).toHaveBeenCalledWith("Unsetting TEST_SECRET");
|
||||
expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
|
||||
});
|
||||
|
||||
it("should unset every variable listed in OP_MANAGED_VARIABLES", () => {
|
||||
process.env[envManagedVariables] = "TEST_SECRET,ANOTHER_TEST,SUPER_SECRET";
|
||||
|
||||
unsetPrevious();
|
||||
|
||||
expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
|
||||
expect(core.exportVariable).toHaveBeenCalledWith("ANOTHER_TEST", "");
|
||||
expect(core.exportVariable).toHaveBeenCalledWith("SUPER_SECRET", "");
|
||||
expect(core.exportVariable).toHaveBeenCalledTimes(3);
|
||||
});
|
||||
|
||||
it("should do nothing when no variables are managed", () => {
|
||||
process.env[envManagedVariables] = "";
|
||||
|
||||
unsetPrevious();
|
||||
|
||||
expect(core.exportVariable).not.toHaveBeenCalled();
|
||||
expect(core.info).not.toHaveBeenCalledWith("Unsetting previous values ...");
|
||||
});
|
||||
});
|
||||
|
||||
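Review bot: The new `toHaveBeenCalledTimes(3)` and `.not.toHaveBeenCalled()` assertions count every call since the mock was last reset, so they only hold if the `core` mocks are cleared before each test; that setup is outside the hunk and should be confirmed. Both tests also assign `process.env[envManagedVariables]` and never restore it, which can leak into later tests in the same worker; an `afterEach(() => { delete process.env[envManagedVariables]; });` in this `describe` would contain it. Since this list decides which secret-bearing variables get cleared, a case with surrounding whitespace or a trailing comma in the list would be worth adding, so the parsing behaviour is pinned down. The `describe` block starts outside the hunk.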