Add tests

.github/workflows/e2e-tests.yml

@@ -262,8 +262,6 @@ jobs:
   test-workload-identity:
     name: Workload Identity (ubuntu-latest, export-env=${{ matrix.export-env }})
     runs-on: ubuntu-latest
-    # Workload Identity exchanges the GitHub OIDC token for 1Password access,
-    # so the job needs permission to request an OIDC token.
     permissions:
       id-token: write
       contents: read
@@ -290,8 +288,6 @@ jobs:
       - name: Build actions
         run: npm run build:all
 
-      # No ./configure step and no op:// references: Workload Identity authenticates
-      # via OIDC and loads all variables from the configured 1Password environment.
       - name: Load secrets
         id: load_secrets
         uses: ./

README.md

@@ -113,7 +113,9 @@ jobs:
           OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
 ```
 
-When Workload Identity is configured, secrets are loaded directly from your environment's variables. You don't need to specify individual `op://` secret references. If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
+Unlike the Service Account and Connect flows, you don't select secrets with individual `op://` references. Instead, **all variables defined in the configured 1Password environment are loaded** — each one is exported as an environment variable (or set as a step output). Scope your environment to only the variables you want available to the job.
+
+If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
 
 ## 💙 Community & Support
 

dist/index.js

@@ -38431,7 +38431,10 @@ var sdk = __nccwpck_require__(7837);
 
 
 
+// Names use the OIDC/SDK acronyms, which break strictCamelCase.
+// eslint-disable-next-line @typescript-eslint/naming-convention
 const getOIDCToken = async (audience) => getIDToken(audience);
+// eslint-disable-next-line @typescript-eslint/naming-convention
 const loadSecretsFromSDK = async (workloadId, environmentId, integrationKey, shouldExportEnv) => {
     // Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
     integrationKey = integrationKey.replace(/=+$/, "");
@@ -38487,7 +38490,7 @@ const loadSecretsAction = async () => {
         // are inline per-step and intentionally not persisted (persisting them would make
         // every later step re-load all variables). Nothing to auth or load, we're done.
         if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
-            info("No authentication configured; unset complete.");
+            info("No authentication configured; unset previously managed variables. No secrets were loaded.");
             return;
         }
         if (workloadConfig) {

src/index.ts

@@ -29,7 +29,9 @@ const loadSecretsAction = async () => {
 		// are inline per-step and intentionally not persisted (persisting them would make
 		// every later step re-load all variables). Nothing to auth or load, we're done.
 		if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
-			core.info("No authentication configured; unset complete.");
+			core.info(
+				"No authentication configured; unset previously managed variables. No secrets were loaded.",
+			);
 			return;
 		}
 

src/sdk-client.ts

@@ -16,14 +16,14 @@ export const loadSecretsFromSDK = async (
 	shouldExportEnv: boolean,
 ): Promise<void> => {
 	// Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
-	integrationKey = integrationKey.replace(/=+$/, "");
+	const customerManagedSecret = integrationKey.replace(/=+$/, "");
 
 	const client = await createClient({
 		integrationName: "1Password GitHub Action",
 		integrationVersion: version,
 		oidcFetcher: getOIDCToken,
 		workloadDetails: {
-			customerManagedSecret: integrationKey,
+			customerManagedSecret,
 			workloadUuid: workloadId,
 		},
 	});

src/utils.test.ts

@@ -285,4 +285,24 @@ describe("unsetPrevious", () => {
 		expect(core.info).toHaveBeenCalledWith("Unsetting TEST_SECRET");
 		expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
 	});
+
+	it("should unset every variable listed in OP_MANAGED_VARIABLES", () => {
+		process.env[envManagedVariables] = "TEST_SECRET,ANOTHER_TEST,SUPER_SECRET";
+
+		unsetPrevious();
+
+		expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
+		expect(core.exportVariable).toHaveBeenCalledWith("ANOTHER_TEST", "");
+		expect(core.exportVariable).toHaveBeenCalledWith("SUPER_SECRET", "");
+		expect(core.exportVariable).toHaveBeenCalledTimes(3);
+	});
+
+	it("should do nothing when no variables are managed", () => {
+		process.env[envManagedVariables] = "";
+
+		unsetPrevious();
+
+		expect(core.exportVariable).not.toHaveBeenCalled();
+		expect(core.info).not.toHaveBeenCalledWith("Unsetting previous values ...");
+	});
 });