From 420c239c7217052dd269861701a682465d55930d Mon Sep 17 00:00:00 2001 From: Jill Regan Date: Wed, 17 Jun 2026 08:43:31 -0400 Subject: [PATCH] Rebuild --- README.md | 4 ++-- dist/index.js | 5 ++--- src/sdk-client.ts | 1 - 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 39406f8..a064b64 100644 --- a/README.md +++ b/README.md @@ -93,7 +93,7 @@ For more details on secret reference syntax, see the [1Password CLI documentatio > [!NOTE] > Workload Identity is in **private beta**. It's available to invited participants only. [Contact 1Password](https://developer.1password.com/joinslack) if you're interested in joining the beta. -Instead of a Service Account token or Connect credentials, you can authenticate using Workload Identity, which exchanges your GitHub Actions OIDC token for short-lived 1Password access — no long-lived secret to store. To use it, set all three of the following environment variables (and do not set `OP_SERVICE_ACCOUNT_TOKEN` or the Connect variables): +Instead of a Service Account token or Connect credentials, you can authenticate using Workload Identity, which exchanges your GitHub Actions OIDC token for short-lived 1Password access. To use it, set all three of the following environment variables (and do not set the Service Account token or the Connect variables): ```yml on: push @@ -113,7 +113,7 @@ jobs: OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }} ``` -Unlike the Service Account and Connect flows, you don't select secrets with individual `op://` references. Instead, **all variables defined in the configured 1Password environment are loaded** — each one is exported as an environment variable (or set as a step output). Scope your environment to only the variables you want available to the job. +Unlike the Service Account and Connect flows, you don't select secrets with individual `op://` references. Instead, **all variables defined in the configured 1Password environment are loaded** and each one is exported as an environment variable (or set as a step output). Scope your environment to only the variables you want available to the job. If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error. diff --git a/dist/index.js b/dist/index.js index d11ecc2..8cff6a0 100644 --- a/dist/index.js +++ b/dist/index.js @@ -38431,19 +38431,18 @@ var sdk = __nccwpck_require__(7837); -// Names use the OIDC/SDK acronyms, which break strictCamelCase. // eslint-disable-next-line @typescript-eslint/naming-convention const getOIDCToken = async (audience) => getIDToken(audience); // eslint-disable-next-line @typescript-eslint/naming-convention const loadSecretsFromSDK = async (workloadId, environmentId, integrationKey, shouldExportEnv) => { // Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself - integrationKey = integrationKey.replace(/=+$/, ""); + const customerManagedSecret = integrationKey.replace(/=+$/, ""); const client = await (0,sdk.createClient)({ integrationName: "1Password GitHub Action", integrationVersion: package_namespaceObject.rE, oidcFetcher: getOIDCToken, workloadDetails: { - customerManagedSecret: integrationKey, + customerManagedSecret, workloadUuid: workloadId, }, }); diff --git a/src/sdk-client.ts b/src/sdk-client.ts index 9d8607b..99def28 100644 --- a/src/sdk-client.ts +++ b/src/sdk-client.ts @@ -3,7 +3,6 @@ import { createClient } from "@1password/sdk"; import { version } from "../package.json"; import { envManagedVariables } from "./constants"; -// Names use the OIDC/SDK acronyms, which break strictCamelCase. // eslint-disable-next-line @typescript-eslint/naming-convention export const getOIDCToken = async (audience: string): Promise => core.getIDToken(audience);