1Password/load-secrets-action
1
0
Fork 0
mirror of https://github.com/1Password/load-secrets-action.git synced 2026-06-21 22:29:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix unset previous behaviour

Browse Source
This commit is contained in:
Jill Regan
2026-06-16 18:07:51 -04:00
parent 46d02bc827
commit c407d64237
7 changed files with 67 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/e2e-tests.yml
+4
View File
@@ -33,6 +33,8 @@ on:
jobs:
test-service-account:
name: Service Account (${{ matrix.os }}, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
# TODO: remove before merge temporarily disabled to avoid rate limiting while iterating on Workload Identity
if: false
runs-on: ${{ matrix.os }}
strategy:
fail-fast: true
@@ -146,6 +148,8 @@ jobs:
test-connect:
name: Connect (ubuntu-latest, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
# TODO: remove before merge temporarily disabled to avoid rate limiting while iterating on Workload Identity
if: false
runs-on: ubuntu-latest
strategy:
fail-fast: true
dist/index.js
Vendored
+11
View File
@@ -38353,6 +38353,10 @@ const getWorkloadIdentityConfig = () => {
}
return { workloadId, environmentId, integrationKey };
};
// Whether CLI authentication (1Password Connect or a service account) is
// configured via environment variables.
const hasCliAuth = () => Boolean((process.env[envConnectHost] && process.env[envConnectToken]) ||
process.env[envServiceAccountToken]);
const validateAuth = () => {
const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
const isServiceAccount = process.env[envServiceAccountToken];
@@ -38479,6 +38483,13 @@ const loadSecretsAction = async () => {
unsetPrevious();
}
const workloadConfig = getWorkloadIdentityConfig();
// `unset-previous` can run with no credentials present: Workload Identity creds
// are inline per-step and intentionally not persisted (persisting them would make
// every later step re-load all variables). Nothing to auth or load, we're done.
if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
info("No authentication configured; unset complete.");
return;
}
if (workloadConfig) {
await loadSecretsFromSDK(workloadConfig.workloadId, workloadConfig.environmentId, workloadConfig.integrationKey, shouldExportEnv);
}
src/index.ts
+9
View File
@@ -4,6 +4,7 @@ import { validateCli } from "@1password/op-js";
import { installCliOnGithubActionRunner } from "./op-cli-installer";
import {
getWorkloadIdentityConfig,
hasCliAuth,
loadSecrets,
unsetPrevious,
validateAuth,
@@ -24,6 +25,14 @@ const loadSecretsAction = async () => {
const workloadConfig = getWorkloadIdentityConfig();
// `unset-previous` can run with no credentials present: Workload Identity creds
// are inline per-step and intentionally not persisted (persisting them would make
// every later step re-load all variables). Nothing to auth or load, we're done.
if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
core.info("No authentication configured; unset complete.");
return;
}
if (workloadConfig) {
await loadSecretsFromSDK(
workloadConfig.workloadId,
src/sdk-client.test.ts
+5 -28
View File
@@ -40,17 +40,9 @@ describe("loadSecretsFromSDK", () => {
});
it("sets secrets as step outputs by default", async () => {
await loadSecretsFromSDK(
workloadId,
environmentId,
integrationKey,
false,
);
await loadSecretsFromSDK(workloadId, environmentId, integrationKey, false);
expect(core.setOutput).toHaveBeenCalledWith(
"DOCKERHUB_USERNAME",
"myuser",
);
expect(core.setOutput).toHaveBeenCalledWith("DOCKERHUB_USERNAME", "myuser");
expect(core.setOutput).toHaveBeenCalledWith(
"DOCKERHUB_TOKEN",
"mypassword",
@@ -68,12 +60,7 @@ describe("loadSecretsFromSDK", () => {
});
it("exports secrets as environment variables when shouldExportEnv is true", async () => {
await loadSecretsFromSDK(
workloadId,
environmentId,
integrationKey,
true,
);
await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
expect(core.exportVariable).toHaveBeenCalledWith(
"DOCKERHUB_USERNAME",
@@ -110,12 +97,7 @@ describe("loadSecretsFromSDK", () => {
});
it("sets empty string as environment variable", async () => {
await loadSecretsFromSDK(
workloadId,
environmentId,
integrationKey,
true,
);
await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
expect(core.exportVariable).toHaveBeenCalledWith("EMPTY_SECRET", "");
expect(core.setSecret).not.toHaveBeenCalled();
@@ -125,12 +107,7 @@ describe("loadSecretsFromSDK", () => {
it("does not export OP_MANAGED_VARIABLES when no variables are returned", async () => {
mockGetVariables.mockResolvedValue({ variables: [] });
await loadSecretsFromSDK(
workloadId,
environmentId,
integrationKey,
true,
);
await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
expect(core.exportVariable).not.toHaveBeenCalled();
});
src/sdk-client.ts
+1 -2
View File
@@ -12,7 +12,6 @@ export const loadSecretsFromSDK = async (
integrationKey: string,
shouldExportEnv: boolean,
): Promise<void> => {
// Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
integrationKey = integrationKey.replace(/=+$/, "");
@@ -26,7 +25,7 @@ export const loadSecretsFromSDK = async (
},
});
core.info("Authenticated with Workload Identity.");
core.info("Authenticated with Workload Identity.");
const { variables } = await client.environments.getVariables(environmentId);
src/utils.test.ts
+29
View File
@@ -4,6 +4,7 @@ import { read, setClientInfo } from "@1password/op-js";
import {
extractSecret,
getWorkloadIdentityConfig,
hasCliAuth,
loadSecrets,
unsetPrevious,
validateAuth,
@@ -132,6 +133,34 @@ describe("getWorkloadIdentityConfig", () => {
});
});
describe("hasCliAuth", () => {
beforeEach(() => {
process.env[envConnectHost] = "";
process.env[envConnectToken] = "";
process.env[envServiceAccountToken] = "";
});
it("returns false when no CLI auth is configured", () => {
expect(hasCliAuth()).toBe(false);
});
it("returns false when only the Connect host is set", () => {
process.env[envConnectHost] = "https://localhost:8000";
expect(hasCliAuth()).toBe(false);
});
it("returns true with both Connect host and token", () => {
process.env[envConnectHost] = "https://localhost:8000";
process.env[envConnectToken] = "token";
expect(hasCliAuth()).toBe(true);
});
it("returns true with a service account token", () => {
process.env[envServiceAccountToken] = "ops_token";
expect(hasCliAuth()).toBe(true);
});
});
describe("extractSecret", () => {
const envTestSecretEnv = "TEST_SECRET";
const testSecretRef = "op://vault/item/secret";
src/utils.ts
+8
View File
@@ -55,6 +55,14 @@ export const getWorkloadIdentityConfig = (): WorkloadIdentityConfig | null => {
return { workloadId, environmentId, integrationKey };
};
// Whether CLI authentication (1Password Connect or a service account) is
// configured via environment variables.
export const hasCliAuth = (): boolean =>
Boolean(
(process.env[envConnectHost] && process.env[envConnectToken]) ||
process.env[envServiceAccountToken],
);
export const validateAuth = (): void => {
const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
const isServiceAccount = process.env[envServiceAccountToken];