diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 2bfafb6..c531d1e 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -262,8 +262,6 @@ jobs:
 test-workload-identity:
 name: Workload Identity (ubuntu-latest, export-env=${{ matrix.export-env }})
 runs-on: ubuntu-latest
- # Workload Identity exchanges the GitHub OIDC token for 1Password access,
- # so the job needs permission to request an OIDC token.
 permissions:
 id-token: write
 contents: read
@@ -290,8 +288,6 @@ jobs:
 - name: Build actions
 run: npm run build:all
- # No ./configure step and no op:// references: Workload Identity authenticates
- # via OIDC and loads all variables from the configured 1Password environment.
 - name: Load secrets
 id: load_secrets
 uses: ./
diff --git a/README.md b/README.md
index 44c8d91..39406f8 100644
--- a/README.md
+++ b/README.md
@@ -113,7 +113,9 @@ jobs:
 OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
 ```
-When Workload Identity is configured, secrets are loaded directly from your environment's variables. You don't need to specify individual `op://` secret references. If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
+Unlike the Service Account and Connect flows, you don't select secrets with individual `op://` references. Instead, **all variables defined in the configured 1Password environment are loaded** — each one is exported as an environment variable (or set as a step output). Scope your environment to only the variables you want available to the job.
+
+If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
 ## 💙 Community & Support
diff --git a/dist/index.js b/dist/index.js
index 163ce73..d11ecc2 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -38431,7 +38431,10 @@ var sdk = __nccwpck_require__(7837);
+// Names use the OIDC/SDK acronyms, which break strictCamelCase.
+// eslint-disable-next-line @typescript-eslint/naming-convention
 const getOIDCToken = async (audience) => getIDToken(audience);
+// eslint-disable-next-line @typescript-eslint/naming-convention
 const loadSecretsFromSDK = async (workloadId, environmentId, integrationKey, shouldExportEnv) => {
 // Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
 integrationKey = integrationKey.replace(/=+$/, "");
@@ -38487,7 +38490,7 @@ const loadSecretsAction = async () => {
 // are inline per-step and intentionally not persisted (persisting them would make
 // every later step re-load all variables). Nothing to auth or load, we're done.
 if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
- info("No authentication configured; unset complete.");
+ info("No authentication configured; unset previously managed variables. No secrets were loaded.");
 return;
 }
 if (workloadConfig) {
diff --git a/src/index.ts b/src/index.ts
index 89a49ca..bd64646 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -29,7 +29,9 @@ const loadSecretsAction = async () => {
 // are inline per-step and intentionally not persisted (persisting them would make
 // every later step re-load all variables). Nothing to auth or load, we're done.
 if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
- core.info("No authentication configured; unset complete.");
+ core.info(
+ "No authentication configured; unset previously managed variables. No secrets were loaded.",
+ );
 return;
 }
diff --git a/src/sdk-client.ts b/src/sdk-client.ts
index 95a5486..9d8607b 100644
--- a/src/sdk-client.ts
+++ b/src/sdk-client.ts
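Review bot: The new `core.info(...)` text in src/index.ts states that previously managed variables were unset, but this branch is reached whenever `shouldUnsetPrevious` is true, including when OP_MANAGED_VARIABLES is empty, where the sibling test "should do nothing when no variables are managed" shows unsetPrevious exports nothing and logs nothing; the log line can therefore report an unset that never happened. A wording that holds in both cases keeps the job log honest as an audit trail, e.g. `"No authentication configured; nothing to load. Any previously managed variables have been unset."`. The same string appears in the dist/index.js bundle and needs a rebuild to stay in sync. loadSecretsAction starts and ends outside the hunk.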
@@ -16,14 +16,14 @@ export const loadSecretsFromSDK = async (
 shouldExportEnv: boolean,
 ): Promise => {
 // Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
- integrationKey = integrationKey.replace(/=+$/, "");
+ const customerManagedSecret = integrationKey.replace(/=+$/, "");
 const client = await createClient({
 integrationName: "1Password GitHub Action",
 integrationVersion: version,
 oidcFetcher: getOIDCToken,
 workloadDetails: {
- customerManagedSecret: integrationKey,
+ customerManagedSecret,
 workloadUuid: workloadId,
 },
 });
diff --git a/src/utils.test.ts b/src/utils.test.ts
index 9e92ab2..0f6b5ef 100644
--- a/src/utils.test.ts
+++ b/src/utils.test.ts
@@ -285,4 +285,24 @@ describe("unsetPrevious", () => {
 expect(core.info).toHaveBeenCalledWith("Unsetting TEST_SECRET");
 expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
 });
+
+ it("should unset every variable listed in OP_MANAGED_VARIABLES", () => {
+ process.env[envManagedVariables] = "TEST_SECRET,ANOTHER_TEST,SUPER_SECRET";
+
+ unsetPrevious();
+
+ expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
+ expect(core.exportVariable).toHaveBeenCalledWith("ANOTHER_TEST", "");
+ expect(core.exportVariable).toHaveBeenCalledWith("SUPER_SECRET", "");
+ expect(core.exportVariable).toHaveBeenCalledTimes(3);
+ });
+
+ it("should do nothing when no variables are managed", () => {
+ process.env[envManagedVariables] = "";
+
+ unsetPrevious();
+
+ expect(core.exportVariable).not.toHaveBeenCalled();
+ expect(core.info).not.toHaveBeenCalledWith("Unsetting previous values ...");
+ });
 });
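Review bot: `customerManagedSecret` is a derived copy of a credential that no longer equals the value the runner knows as a secret (the README shows it arriving via `${{ secrets.OP_INTEGRATION_KEY }}`), so the runner's automatic log masking may not cover the padding-stripped form if it ever reaches a log line or an error message from the SDK. If `@actions/core` is available in this module, registering it right after the `replace` with `core.setSecret(customerManagedSecret);` closes that gap cheaply. The `integrationKey` parameter also stays in scope unchanged, so any later use in the body (outside this hunk) would silently hand the padded form to the SDK again; a short comment on the new `const`, such as `// only this stripped form may be passed on; do not use integrationKey below`, makes the intent explicit. loadSecretsFromSDK's signature and body continue outside the hunk.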
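Review bot: The new "should do nothing when no variables are managed" case only exercises an empty string, while the variable being entirely absent (`delete process.env[envManagedVariables]`) and a list with stray separators or spaces (`"A,,B"`, `"A, B"`) are left untested; if unsetPrevious splits on "," without trimming or filtering, the latter would call `core.exportVariable("", "")` or export a name with a leading space, which the existing assertions would not catch. Suggest adding `it("should do nothing when OP_MANAGED_VARIABLES is unset", ...)` using the delete, and one malformed-list case that asserts the exact names passed to `core.exportVariable`. Both new tests presumably rely on a `beforeEach` outside the hunk to reset the mocks and env between cases. The enclosing describe block starts outside the hunk.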