Update install-cli-action import

Use install function from install-cli-action
2026-06-21 14:23:48 +00:00 · 2025-07-25 13:40:53 -05:00 · 2025-07-25 13:11:13 -05:00
60 changed files with 46566 additions and 55124 deletions
@@ -0,0 +1,96 @@
+name: Acceptance test
+
+on:
+  workflow_call:
+    inputs:
+      secret:
+        required: true
+        type: string
+      secret-in-section:
+        required: true
+        type: string
+      multiline-secret:
+        required: true
+        type: string
+      export-env:
+        required: true
+        type: boolean
+
+jobs:
+  acceptance-test:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        auth: [connect, service-account]
+        exclude:
+          - os: macos-latest
+            auth: connect
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Base checkout
+        uses: actions/checkout@v4
+        if: |
+          github.event_name != 'repository_dispatch' &&
+          (
+            github.ref == 'refs/heads/main' || 
+            (
+              github.event_name == 'pull_request' && 
+              github.event.pull_request.head.repo.full_name == github.repository
+            )
+          )
+      - name: Fork based /ok-to-test checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.client_payload.pull_request.head.sha }}
+        if: |
+          github.event_name == 'repository_dispatch' &&
+          github.event.client_payload.slash_command.args.named.sha != '' &&
+          contains(
+            github.event.client_payload.pull_request.head.sha,
+            github.event.client_payload.slash_command.args.named.sha
+          )
+      - name: Launch 1Password Connect instance
+        if: ${{ matrix.auth == 'connect' }}
+        env:
+          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+        run: |
+          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
+          docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
+      - name: Configure Service account
+        if: ${{ matrix.auth == 'service-account' }}
+        uses: ./configure
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Configure 1Password Connect
+        if: ${{ matrix.auth == 'connect' }}
+        uses: ./configure # 1password/load-secrets-action/configure@<version>
+        with:
+          connect-host: http://localhost:8080
+          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
+      - name: Load secrets
+        id: load_secrets
+        uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          export-env: ${{ inputs.export-env }}
+        env:
+          SECRET: ${{ inputs.secret }}
+          SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
+          MULTILINE_SECRET: ${{ inputs.multiline-secret }}
+      - name: Assert test secret values [step output]
+        if: ${{ !inputs.export-env }}
+        env:
+          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+        run: ./tests/assert-env-set.sh
+      - name: Assert test secret values [exported env]
+        if: ${{ inputs.export-env }}
+        run: ./tests/assert-env-set.sh
+      - name: Remove secrets [exported env]
+        if: ${{ inputs.export-env }}
+        uses: ./ # 1password/load-secrets-action@<version>
+        with:
+          unset-previous: true
+      - name: Assert removed secrets [exported env]
+        if: ${{ inputs.export-env }}
+        run: ./tests/assert-env-unset.sh
@@ -1,326 +0,0 @@
-name: E2E Tests
-
-on:
-  # For local testing with: act push -W .github/workflows/e2e-tests.yml
-  push:
-    branches-ignore:
-      - "**" # Never runs on GitHub, only locally with act
-
-  # For test.yml to call this workflow
-  workflow_call:
-    inputs:
-      ref:
-        description: "Git ref to checkout"
-        required: true
-        type: string
-    secrets:
-      OP_CONNECT_CREDENTIALS:
-        required: true
-      OP_CONNECT_TOKEN:
-        required: true
-      OP_SERVICE_ACCOUNT_TOKEN:
-        required: true
-      OP_WORKLOAD_ID:
-        required: true
-      OP_ENVIRONMENT_ID:
-        required: true
-      OP_INTEGRATION_KEY:
-        required: true
-      VAULT:
-        description: "1Password vault name or UUID"
-        required: true
-
-jobs:
-  test-service-account:
-    name: Service Account (${{ matrix.os }}, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: true
-      max-parallel: 4
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        version: [latest, 2.30.0]
-        export-env: [true, false]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-          ref: ${{ inputs.ref }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build actions
-        run: npm run build:all
-
-      - name: Generate .env.tpl
-        shell: bash
-        run: |
-          echo "FILE_SECRET=op://${VAULT}/test-secret/password" > tests/.env.tpl
-          echo "FILE_SECRET_IN_SECTION=op://${VAULT}/test-secret/test-section/password" >> tests/.env.tpl
-          echo "FILE_MULTILINE_SECRET=op://${VAULT}/multiline-secret/notesPlain" >> tests/.env.tpl
-          echo "FILE_WEBSITE=op://${VAULT}/test-secret/website" >> tests/.env.tpl
-          echo "FILE_TEST_SSH_KEY=op://${VAULT}/test-ssh-key/private key" >> tests/.env.tpl
-          echo "FILE_TEST_SSH_KEY_OPENSSH=op://${VAULT}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
-
-        env:
-          VAULT: ${{ secrets.VAULT }}
-      - name: Configure Service account
-        uses: ./configure
-        with:
-          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-
-      - name: Load secrets
-        id: load_secrets
-        uses: ./
-        with:
-          version: ${{ matrix.version }}
-          export-env: ${{ matrix.export-env }}
-        env:
-          SECRET: op://${{ secrets.VAULT }}/test-secret/password
-          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
-          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
-          WEBSITE: op://${{ secrets.VAULT }}/test-secret/website
-          TEST_SSH_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
-          TEST_SSH_KEY_OPENSSH: "op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh"
-          OP_ENV_FILE: ./tests/.env.tpl
-
-      - name: Assert test secret values [step output]
-        if: ${{ !matrix.export-env }}
-        shell: bash
-        env:
-          ASSERT_WEBSITE: "true"
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
-          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
-          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
-          WEBSITE: ${{ steps.load_secrets.outputs.WEBSITE }}
-          FILE_WEBSITE: ${{ steps.load_secrets.outputs.FILE_WEBSITE }}
-          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
-          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
-          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
-          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
-        run: ./tests/assert-env-set.sh
-
-      - name: Assert SSH key env vars [step output]
-        if: ${{ !matrix.export-env }}
-        shell: bash
-        env:
-          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
-          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
-          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
-          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
-        run: ./tests/assert-ssh-keys-set.sh
-
-      - name: Assert test secret values [exported env]
-        if: ${{ matrix.export-env }}
-        shell: bash
-        env:
-          ASSERT_WEBSITE: "true"
-        run: ./tests/assert-env-set.sh
-
-      - name: Assert SSH key env vars [exported env]
-        if: ${{ matrix.export-env }}
-        shell: bash
-        run: ./tests/assert-ssh-keys-set.sh
-
-      - name: Remove secrets [exported env]
-        if: ${{ matrix.export-env }}
-        uses: ./
-        with:
-          unset-previous: true
-
-      - name: Assert removed secrets [exported env]
-        if: ${{ matrix.export-env }}
-        shell: bash
-        run: ./tests/assert-env-unset.sh
-
-  test-connect:
-    name: Connect (ubuntu-latest, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-      matrix:
-        version: [latest, 2.30.0]
-        export-env: [true, false]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-          ref: ${{ inputs.ref }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build actions
-        run: npm run build:all
-
-      - name: Generate .env.tpl
-        run: |
-          mkdir -p tests
-          echo "FILE_SECRET=op://${VAULT}/test-secret/password" > tests/.env.tpl
-          echo "FILE_SECRET_IN_SECTION=op://${VAULT}/test-secret/test-section/password" >> tests/.env.tpl
-          echo "FILE_MULTILINE_SECRET=op://${VAULT}/multiline-secret/notesPlain" >> tests/.env.tpl
-          echo "FILE_TEST_SSH_KEY=op://${VAULT}/test-ssh-key/private key" >> tests/.env.tpl
-          echo "FILE_TEST_SSH_KEY_OPENSSH=op://${VAULT}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
-
-        env:
-          VAULT: ${{ secrets.VAULT }}
-      - name: Launch 1Password Connect instance
-        env:
-          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
-        run: |
-          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker compose -f tests/fixtures/docker-compose.yml up -d
-          timeout 60 bash -c 'until curl -sf http://localhost:8080/health >/dev/null 2>&1; do sleep 2; done'
-
-      - name: Configure 1Password Connect
-        uses: ./configure
-        with:
-          connect-host: http://localhost:8080
-          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
-
-      - name: Load secrets
-        id: load_secrets
-        uses: ./
-        with:
-          version: ${{ matrix.version }}
-          export-env: ${{ matrix.export-env }}
-        env:
-          SECRET: op://${{ secrets.VAULT }}/test-secret/password
-          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
-          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
-          TEST_SSH_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
-          TEST_SSH_KEY_OPENSSH: "op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh"
-          OP_ENV_FILE: ./tests/.env.tpl
-
-      - name: Assert test secret values [step output]
-        if: ${{ !matrix.export-env }}
-        env:
-          ASSERT_WEBSITE: "false"
-          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
-          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
-          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
-          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
-          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
-          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
-          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
-          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
-          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
-          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
-        run: ./tests/assert-env-set.sh
-
-      - name: Assert SSH key env vars [step output]
-        if: ${{ !matrix.export-env }}
-        env:
-          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
-          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
-          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
-          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
-        run: ./tests/assert-ssh-keys-set.sh
-
-      - name: Assert test secret values [exported env]
-        if: ${{ matrix.export-env }}
-        env:
-          ASSERT_WEBSITE: "false"
-        run: ./tests/assert-env-set.sh
-
-      - name: Assert SSH key env vars [exported env]
-        if: ${{ matrix.export-env }}
-        run: ./tests/assert-ssh-keys-set.sh
-
-      - name: Remove secrets [exported env]
-        if: ${{ matrix.export-env }}
-        uses: ./
-        with:
-          unset-previous: true
-
-      - name: Assert removed secrets [exported env]
-        if: ${{ matrix.export-env }}
-        run: ./tests/assert-env-unset.sh
-
-  test-workload-identity:
-    name: Workload Identity (ubuntu-latest, export-env=${{ matrix.export-env }})
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-    strategy:
-      fail-fast: true
-      matrix:
-        export-env: [true, false]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-          ref: ${{ inputs.ref }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build actions
-        run: npm run build:all
-
-      - name: Load secrets
-        id: load_secrets
-        uses: ./
-        with:
-          export-env: ${{ matrix.export-env }}
-        env:
-          OP_WORKLOAD_ID: ${{ secrets.OP_WORKLOAD_ID }}
-          OP_ENVIRONMENT_ID: ${{ secrets.OP_ENVIRONMENT_ID }}
-          OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
-
-      - name: Assert test secret values [step output]
-        if: ${{ !matrix.export-env }}
-        shell: bash
-        env:
-          ANOTHER_TEST: ${{ steps.load_secrets.outputs.ANOTHER_TEST }}
-          SUPER_SECRET: ${{ steps.load_secrets.outputs.SUPER_SECRET }}
-          TEST_SECRET: ${{ steps.load_secrets.outputs.TEST_SECRET }}
-        run: ./tests/assert-workload-identity.sh
-
-      - name: Assert test secret values [exported env]
-        if: ${{ matrix.export-env }}
-        shell: bash
-        run: ./tests/assert-workload-identity.sh
-
-      - name: Remove secrets [exported env]
-        if: ${{ matrix.export-env }}
-        uses: ./
-        with:
-          unset-previous: true
-
-      - name: Assert removed secrets [exported env]
-        if: ${{ matrix.export-env }}
-        shell: bash
-        run: |
-          for var in ANOTHER_TEST SUPER_SECRET TEST_SECRET; do
-            if [ -n "$(printenv "$var")" ]; then
-              echo "Expected secret $var to be unset"
-              exit 1
-            fi
-          done
@@ -1,36 +1,29 @@
-name: Lint and Test
-
 on:
  push:
    branches: [main]
  pull_request:
+name: Lint

 jobs:
-  lint-and-test:
+  lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
-
+      - uses: actions/checkout@v3
      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
+        uses: ludeeus/action-shellcheck@2.0.0
        with:
          ignore_paths: >-
            .husky
-
      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        id: setup-node
+        uses: actions/setup-node@v4
        with:
-          node-version: 24
+          node-version: 20
          cache: npm
-
-      - name: Install dependencies
+      - name: Install Dependencies
+        id: install
        run: npm ci
-
      - name: Check formatting
        run: npm run format:check
-
      - name: Check lint
        run: npm run lint
-
-      - name: Run unit tests
-        run: npm test
@@ -1,4 +1,4 @@
-# Write comments "/ok-to-test sha=<hash>" on a pull request. This will emit a repository_dispatch event.
+# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event
 name: Ok To Test

 on:
@@ -15,7 +15,7 @@ jobs:
    if: ${{ github.event.issue.pull_request }}
    steps:
      - name: Slash Command Dispatch
-        uses: peter-evans/slash-command-dispatch@9bdcd7914ec1b75590b790b844aa3b8eee7c683a # v5
+        uses: peter-evans/slash-command-dispatch@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          reaction-token: ${{ secrets.GITHUB_TOKEN }}
@@ -10,4 +10,4 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check signed commits in PR
-        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+        uses: 1Password/check-signed-commits-action@v1
@@ -1,125 +0,0 @@
-name: E2E Tests
-
-on:
-  push:
-    branches: [main]
-    paths-ignore: &ignore_paths
-      - "docs/**"
-      - "config/**"
-      - "*.md"
-      - ".gitignore"
-      - "LICENSE"
-  pull_request:
-    paths-ignore: *ignore_paths
-  repository_dispatch:
-    types: [ok-to-test-command]
-
-concurrency:
-  group: >-
-    ${{ github.event_name == 'pull_request' &&
-          format('e2e-{0}', github.event.pull_request.head.ref) ||
-          format('e2e-{0}', github.ref) }}
-  cancel-in-progress: true
-
-jobs:
-  check-external-pr:
-    runs-on: ubuntu-latest
-    outputs:
-      condition: ${{ steps.check.outputs.condition }}
-      ref: ${{ steps.check.outputs.ref }}
-    steps:
-      - name: Check if PR is from external contributor
-        id: check
-        run: |
-          echo "Event name: ${{ github.event_name }}"
-          echo "Repository: ${{ github.repository }}"
-
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
-            # For pull_request events, check if PR is from external fork
-            echo "PR head repo: ${{ github.event.pull_request.head.repo.full_name }}"
-            if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
-              echo "condition=skip" >> $GITHUB_OUTPUT
-              echo "Setting condition=skip (Dependabot PR)"
-            elif [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
-              echo "condition=skip" >> $GITHUB_OUTPUT
-              echo "Setting condition=skip (external fork PR creation)"
-            else
-              echo "condition=pr-creation-maintainer" >> $GITHUB_OUTPUT
-              echo "Setting condition=pr-creation-maintainer (internal PR creation)"
-              echo "ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
-            fi
-          elif [ "${{ github.event_name }}" == "repository_dispatch" ]; then
-            # For repository_dispatch events (ok-to-test), check if sha matches
-            SHA_PARAM="${{ github.event.client_payload.slash_command.args.named.sha }}"
-            PR_HEAD_SHA="${{ github.event.client_payload.pull_request.head.sha }}"
-
-            echo "Checking dispatch event conditions..."
-            echo "SHA from command: $SHA_PARAM"
-            echo "PR head SHA: $PR_HEAD_SHA"
-
-            if [ -n "$SHA_PARAM" ] && [[ "$PR_HEAD_SHA" == *"$SHA_PARAM"* ]]; then
-              echo "condition=dispatch-event" >> $GITHUB_OUTPUT
-              echo "Setting condition=dispatch-event (sha matches)"
-              echo "ref=$PR_HEAD_SHA" >> $GITHUB_OUTPUT
-            else
-              echo "condition=skip" >> $GITHUB_OUTPUT
-              echo "Setting condition=skip (sha does not match or empty)"
-            fi
-          elif [ "${{ github.event_name }}" == "push" ] && [ "${REF_NAME}" == "main" ]; then
-            echo "condition=push-to-main" >> $GITHUB_OUTPUT
-            echo "Setting condition=push-to-main (push to main)"
-            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
-          else
-            # Unknown event type
-            echo "condition=skip" >> $GITHUB_OUTPUT
-            echo "Setting condition=skip (unknown event type: ${{ github.event_name }})"
-          fi
-
-        env:
-          REF_NAME: ${{ github.ref_name }}
-  e2e:
-    needs: check-external-pr
-    if: |
-      (needs.check-external-pr.outputs.condition == 'pr-creation-maintainer')
-      ||
-      (needs.check-external-pr.outputs.condition == 'dispatch-event')
-      ||
-      needs.check-external-pr.outputs.condition == 'push-to-main'
-    uses: ./.github/workflows/e2e-tests.yml
-    with:
-      ref: ${{ needs.check-external-pr.outputs.ref }}
-    secrets:
-      OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
-      OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
-      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      OP_WORKLOAD_ID: ${{ secrets.OP_WORKLOAD_ID }}
-      OP_ENVIRONMENT_ID: ${{ secrets.OP_ENVIRONMENT_ID }}
-      OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
-      VAULT: ${{ secrets.VAULT }}
-
-  # Post comment on fork PRs after /ok-to-test
-  comment-pr:
-    needs: [check-external-pr, e2e]
-    runs-on: ubuntu-latest
-    if: always() && needs.check-external-pr.outputs.condition == 'dispatch-event'
-    permissions:
-      pull-requests: write
-    steps:
-      - name: Create URL to the run output
-        id: vars
-        run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
-
-      - name: Create comment on PR
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
-        with:
-          issue-number: ${{ github.event.client_payload.pull_request.number }}
-          body: |
-            ${{
-                needs.e2e.result == 'success' && '✅ E2E tests passed.' ||
-                needs.e2e.result == 'failure' && '❌ E2E tests failed.' ||
-                '⚠️ E2E tests completed.'
-            }}
-
-            [View test run output][1]
-
-            [1]: ${{ steps.vars.outputs.run-url }}
@@ -0,0 +1,92 @@
+on:
+  repository_dispatch:
+    types: [ok-to-test-command]
+name: Run acceptance tests [fork]
+
+jobs:
+  test-with-output-secrets:
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: false
+  test-with-export-env:
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: true
+  test-references-with-ids:
+    if: |
+      github.event_name == 'repository_dispatch' &&
+      github.event.client_payload.slash_command.args.named.sha != '' &&
+      contains(
+        github.event.client_payload.pull_request.head.sha,
+        github.event.client_payload.slash_command.args.named.sha
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
+      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
+      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
+      export-env: false
+  update-checks:
+    # required permissions for updating the status of the pull request checks
+    permissions:
+      pull-requests: write
+      checks: write
+    runs-on: ubuntu-latest
+    if: ${{ always() }}
+    strategy:
+      matrix:
+        job-name:
+          [
+            test-with-output-secrets,
+            test-with-export-env,
+            test-references-with-ids,
+          ]
+    needs:
+      [test-with-output-secrets, test-with-export-env, test-references-with-ids]
+    steps:
+      - uses: actions/github-script@v6
+        env:
+          job: ${{ matrix.job-name }}
+          ref: ${{ github.event.client_payload.pull_request.head.sha }}
+          conclusion: ${{ needs[format('{0}', matrix.job-name )].result }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { data: checks } = await github.rest.checks.listForRef({
+              ...context.repo,
+              ref: process.env.ref
+            });
+
+            const check = checks.check_runs.filter(c => c.name === process.env.job);
+
+            const { data: result } = await github.rest.checks.update({
+              ...context.repo,
+              check_run_id: check[0].id,
+              status: 'completed',
+              conclusion: process.env.conclusion
+            });
+
+            return result;
@@ -0,0 +1,58 @@
+on:
+  push:
+    branches: [main]
+  pull_request:
+name: Run acceptance tests
+
+jobs:
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      - run: npm ci
+      - run: npm test
+  test-with-output-secrets:
+    if: |
+      github.ref == 'refs/heads/main' ||
+      (
+        github.event_name == 'pull_request' && 
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: false
+  test-with-export-env:
+    if: |
+      github.ref == 'refs/heads/main' ||
+      (
+        github.event_name == 'pull_request' && 
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://acceptance-tests/test-secret/password
+      secret-in-section: op://acceptance-tests/test-secret/test-section/password
+      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
+      export-env: true
+  test-references-with-ids:
+    if: |
+      github.ref == 'refs/heads/main' ||
+      (
+        github.event_name == 'pull_request' && 
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
+    secrets: inherit
+    with:
+      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
+      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
+      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
+      export-env: false
@@ -1,4 +1,2 @@
 coverage/
 node_modules/
-.idea/
-1password-credentials.json
@@ -17,106 +17,34 @@ Specify in your workflow YAML file which secrets from 1Password should be loaded

 Read more on the [1Password Developer Portal](https://developer.1password.com/docs/ci-cd/github-actions).

-_This project is licensed under [MIT](./LICENSE). Use of the 1Password APIs and services accessed through these tools is governed by the [1Password API Terms of Service](https://1password.com/legal/api-sdk-terms-of-service)._
-
 ## 🪄 See it in action!

 [![Using 1Password Service Accounts with GitHub Actions - showcase](https://img.youtube.com/vi/kVBl5iQYgSA/maxresdefault.jpg)](https://www.youtube.com/watch?v=kVBl5iQYgSA "Using 1Password Service Accounts with GitHub Actions")

 ## ✨ Quickstart

-### Export secrets as a step's output (recommended)
-
 ```yml
 on: push
 jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3

      - name: Load secret
-        id: load_secrets
-        uses: 1password/load-secrets-action@v4
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          SECRET: op://app-cicd/hello-world/secret
-          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example
-
-      - name: Print masked secret
-        run: 'echo "Secret: ${{ steps.load_secrets.outputs.SECRET }}"'
-        # Prints: Secret: ***
-```
-
-### Export secrets as env variables
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Load secret
-        uses: 1password/load-secrets-action@v4
+        uses: 1password/load-secrets-action@v2
        with:
          # Export loaded secrets as environment variables
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret
-          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example

      - name: Print masked secret
        run: 'echo "Secret: $SECRET"'
        # Prints: Secret: ***
 ```

-### 🔑 SSH Key Format
-
-When loading SSH keys, you can specify the format using the `ssh-format` query parameter. This is useful when you need the private key in a specific format like OpenSSH.
-
-```yml
- name: Load SSH key
-  uses: 1password/load-secrets-action@v4
-  env:
-    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-    # Load SSH private key in OpenSSH format
-    SSH_PRIVATE_KEY: op://vault/item/private key?ssh-format=openssh
-```
-
-For more details on secret reference syntax, see the [1Password CLI documentation](https://developer.1password.com/docs/cli/secret-reference-syntax/#ssh-format-parameter).
-
-## 🧪 Workload Identity (private beta)
-
-> [!NOTE]
-> Workload Identity is in **private beta**. It's available to invited participants only. [Contact 1Password](https://developer.1password.com/joinslack) if you're interested in joining the beta.
-
-Instead of a Service Account token or Connect credentials, you can authenticate using Workload Identity, which exchanges your GitHub Actions OIDC token for short-lived 1Password access. To use it, set all three of the following environment variables (and do not set the Service Account token or the Connect variables):
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write # required for the action to request a GitHub OIDC token
-      contents: read
-    steps:
-      - name: Load secret
-        id: load_secrets
-        uses: 1password/load-secrets-action@v5beta
-        env:
-          OP_WORKLOAD_ID: ${{ vars.OP_WORKLOAD_ID }}
-          OP_ENVIRONMENT_ID: ${{ vars.OP_ENVIRONMENT_ID }}
-          OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
-```
-
-Unlike the Service Account and Connect flows, you don't select secrets with individual `op://` references. Instead, **all variables defined in the configured 1Password environment are loaded** and each one is exported as an environment variable (or set as a step output). Scope your environment to only the variables you want available to the job.
-
-If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
-
 ## 💙 Community & Support

 - File an [issue](https://github.com/1Password/load-secrets-action/issues) for bugs and feature requests.
@@ -10,10 +10,7 @@ inputs:
    default: "false"
  export-env:
    description: Export the secrets as environment variables
-    default: "false"
-  version:
-    description: Specify which 1Password CLI version to install. Defaults to "latest".
-    default: "latest"
+    default: "true"
 runs:
-  using: "node24"
+  using: "node20"
  main: "dist/index.js"
@@ -10,12 +10,6 @@ const jestConfig = {
 	rootDir: "../src/",
 	testEnvironment: "node",
 	testRegex: "(/__tests__/.*|(\\.|/)test)\\.ts",
-	moduleNameMapper: {
-		"^@actions/core$": "<rootDir>/__mocks__/actions-core.ts",
-		"^@actions/tool-cache$": "<rootDir>/__mocks__/actions-tool-cache.ts",
-		"^@actions/exec$": "<rootDir>/__mocks__/actions-exec.ts",
-		"^@1password/sdk$": "<rootDir>/__mocks__/1password-sdk.ts",
-	},
 	transform: {
 		".ts": [
 			"ts-jest",
@@ -31,4 +25,4 @@ const jestConfig = {
 	verbose: true,
 };

-module.exports = jestConfig;
+export default jestConfig;
@@ -9,5 +9,12 @@ inputs:
  service-account-token:
    description: Your 1Password service account token
 runs:
-  using: "node24"
-  main: "dist/index.js"
+  using: composite
+  steps:
+    - shell: bash
+      env:
+        INPUT_CONNECT_HOST: ${{ inputs.connect-host }}
+        INPUT_CONNECT_TOKEN: ${{ inputs.connect-token }}
+        INPUT_SERVICE_ACCOUNT_TOKEN: ${{ inputs.service-account-token }}
+      run: |
+        ${{ github.action_path }}/entrypoint.sh
@@ -1,3 +0,0 @@
-{
-  "type": "commonjs"
-}
@@ -0,0 +1,21 @@
+#!/bin/bash
+# shellcheck disable=SC2086
+set -e
+
+# Capture Connect configuration in $GITHUB_ENV, giving (optional) inputs 
+# precendence over OP_CONNECT_* environment variables.
+
+OP_CONNECT_HOST="${INPUT_CONNECT_HOST:-$OP_CONNECT_HOST}"
+if [ -n "$OP_CONNECT_HOST" ]; then
+  echo "OP_CONNECT_HOST=$OP_CONNECT_HOST" >> $GITHUB_ENV
+fi
+
+OP_CONNECT_TOKEN="${INPUT_CONNECT_TOKEN:-$OP_CONNECT_TOKEN}"
+if [ -n "$OP_CONNECT_TOKEN" ]; then
+  echo "OP_CONNECT_TOKEN=$OP_CONNECT_TOKEN" >> $GITHUB_ENV
+fi
+
+OP_SERVICE_ACCOUNT_TOKEN="${INPUT_SERVICE_ACCOUNT_TOKEN:-$OP_SERVICE_ACCOUNT_TOKEN}"
+if [ -n "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
+  echo "OP_SERVICE_ACCOUNT_TOKEN=$OP_SERVICE_ACCOUNT_TOKEN" >> $GITHUB_ENV
+fi
@@ -1,27 +0,0 @@
-import * as core from "@actions/core";
-
-const configure = () => {
-	const OP_CONNECT_HOST =
-		core.getInput("connect-host", { required: false }) ||
-		process.env.OP_CONNECT_HOST;
-	const OP_CONNECT_TOKEN =
-		core.getInput("connect-token", { required: false }) ||
-		process.env.OP_CONNECT_TOKEN;
-	const OP_SERVICE_ACCOUNT_TOKEN =
-		core.getInput("service-account-token", { required: false }) ||
-		process.env.OP_SERVICE_ACCOUNT_TOKEN;
-
-	if (OP_CONNECT_HOST) {
-		core.exportVariable("OP_CONNECT_HOST", OP_CONNECT_HOST);
-	}
-
-	if (OP_CONNECT_TOKEN) {
-		core.exportVariable("OP_CONNECT_TOKEN", OP_CONNECT_TOKEN);
-	}
-
-	if (OP_SERVICE_ACCOUNT_TOKEN) {
-		core.exportVariable("OP_SERVICE_ACCOUNT_TOKEN", OP_SERVICE_ACCOUNT_TOKEN);
-	}
-};
-
-configure();
@@ -1,3 +1,3 @@
 {
-  "type": "commonjs"
+  "type": "module"
 }
@@ -1,32 +0,0 @@
-# Fork PR Testing Guide
-
-This document explains how testing works for external pull requests from forks.
-
-## Overview
-
-The testing system consists of two main workflows:
-
-1. **E2E Tests** (`test-e2e.yml`) - Runs automatically for internal PRs, need manual trigger on external PRs.
-2. **Ok To Test** (`ok-to-test.yml`) - Dispatches `repository_dispatch` event when maintainer puts the `/ok-to-test sha=<commit hash>` comment in the forked PR thread.
-
-## How It Works
-
-### 1. PR is created by maintainer:
-
-For the PR created by maintainer `E2E Test` workflow starts automatically. The PR check will reflect the status of the job.
-
-### 2. PR is created by external contributor:
-
-For the PR created by external contributor `E2E Test` workflow **won't** start automatically.
-Maintainer should make a sanity check of the changes and run it manually by:
-
-1. Putting a comment `/ok-to-test sha=<latest commit hash>` in the PR thread.
-2. `E2E Test` workflow starts.
-3. After `E2E Test` workflow finishes, a comment with a link to the workflow, along with its status will be posted in the PR.
-4. Maintainer can merge PR or request the changes based on the `E2E Test` results.
-
-## Notes
-
- Only users with **write** permissions can trigger the `/ok-to-test` command.
- External PRs are automatically detected and prevented from running e2e tests automatically.
- Running e2e test on the external PR is optional. Maintainer can merge PR without running it. Maintainer decides whether it's needed to run an E2E test.
@@ -1,46 +0,0 @@
-# Local Testing Guide
-
-This document explains how to run e2e tests locally using `act`.
-
-## Prerequisites
-
-1. **Docker** installed and running
-2. **act** installed ([install guide](https://github.com/nektos/act#installation))
-   ```bash
-   brew install act  # macOS
-   ```
-3. **1Password credentials** (see [Required Secrets](#required-secrets))
-4. Build action
-
-## Required env variables
-
-| Secret                     | Description           |
-| -------------------------- | --------------------- |
-| `OP_SERVICE_ACCOUNT_TOKEN` | Service Account token |
-| `VAULT`                    | Vault name or UUID    |
-
-## Building Before Testing
-
-If you've modified TypeScript code, rebuild before running E2E tests:
-
-```bash
-npm run build
-```
-
-## Testing
-
-### Run E2E tests using Service Account
-
-```bash
-act push -W .github/workflows/e2e-tests.yml \
-  -s OP_SERVICE_ACCOUNT_TOKEN="$OP_SERVICE_ACCOUNT_TOKEN" \
-  -s VAULT="$VAULT" \
-  -j test-service-account \
-  --matrix os:ubuntu-latest
-```
-
-## Run unit tests
-
-```bash
-npm test
-```
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+# Install op-cli
+install_op_cli() {
+  # Create a temporary directory where the CLI is installed
+  OP_INSTALL_DIR="$(mktemp -d)"
+  if [[ ! -d "$OP_INSTALL_DIR" ]]; then
+    echo "Install dir $OP_INSTALL_DIR not found"
+    exit 1
+  fi
+  echo "::debug::OP_INSTALL_DIR: ${OP_INSTALL_DIR}"
+
+  # Get the latest stable version of the CLI
+  CLI_VERSION="v$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')"
+
+  if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+    # Get runner's architecture
+    ARCH=$(uname -m)
+    if [[ "$(getconf LONG_BIT)" = 32 ]]; then
+      ARCH="386"
+    elif [[ "$ARCH" == "x86_64" ]]; then
+      ARCH="amd64"
+    elif [[ "$ARCH" == "aarch64" ]]; then
+      ARCH="arm64"
+    fi
+
+    if [[ "$ARCH" != "386" ]] && [[ "$ARCH" != "amd64" ]] && [[ "$ARCH" != "arm" ]] && [[ "$ARCH" != "arm64" ]]; then
+      echo "Unsupported architecture for the 1Password CLI: $ARCH."
+      exit 1
+    fi
+
+    curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/${CLI_VERSION}/op_linux_${ARCH}_${CLI_VERSION}.zip"
+    unzip -od "$OP_INSTALL_DIR" op.zip && rm op.zip
+  elif [[ "$OSTYPE" == "darwin"* ]]; then
+    curl -sSfLo op.pkg "https://cache.agilebits.com/dist/1P/op2/pkg/${CLI_VERSION}/op_apple_universal_${CLI_VERSION}.pkg"
+    pkgutil --expand op.pkg temp-pkg
+    tar -xvf temp-pkg/op.pkg/Payload -C "$OP_INSTALL_DIR"
+    rm -rf temp-pkg && rm op.pkg
+  else
+    echo "Operating system not supported yet for this GitHub Action: $OSTYPE."
+    exit 1
+  fi
+}
+
+install_op_cli
@@ -1,15 +1,14 @@
 {
 	"name": "load-secrets-action",
-	"version": "5.0.0-beta.1",
+	"version": "2.0.0",
 	"description": "Load Secrets from 1Password",
+	"type": "module",
 	"main": "dist/index.js",
 	"directories": {
 		"test": "tests"
 	},
 	"scripts": {
 		"build": "ncc build ./src/index.ts",
-		"build:configure": "ncc build ./configure/index.js -o ./configure/dist",
-		"build:all": "npm run build && npm run build:configure",
 		"format": "prettier --ignore-path ./config/.prettierignore",
 		"format:check": "npm run format -- --check ./",
 		"format:write": "npm run format -- --write ./",
@@ -40,15 +39,10 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
-		"@1password/sdk": "0.5.0-beta.1",
+		"@1password/install-cli-action": "github:1password/install-cli-action#vzt/export-install-function",
 		"@1password/op-js": "^0.1.11",
-		"@actions/core": "^3.0.0",
-		"@actions/exec": "^3.0.0",
-		"@actions/tool-cache": "^4.0.0",
-		"dotenv": "^17.2.2"
-	},
-	"overrides": {
-		"minimatch": "^9.0.7"
+		"@actions/core": "^1.10.1",
+		"@actions/exec": "^1.1.1"
 	},
 	"devDependencies": {
 		"@1password/eslint-config": "^4.3.1",
@@ -1 +0,0 @@
-export const createClient = jest.fn();
@@ -1,16 +0,0 @@
-module.exports = {
-	getInput: jest.fn(() => ""),
-	getBooleanInput: jest.fn(() => false),
-	setOutput: jest.fn(),
-	setSecret: jest.fn(),
-	exportVariable: jest.fn(),
-	setFailed: jest.fn(),
-	info: jest.fn(),
-	warning: jest.fn(),
-	error: jest.fn(),
-	debug: jest.fn(),
-	addPath: jest.fn(),
-	isDebug: jest.fn(() => false),
-	// eslint-disable-next-line @typescript-eslint/naming-convention
-	getIDToken: jest.fn().mockResolvedValue("mock-oidc-token"),
-};
@@ -1,5 +0,0 @@
-module.exports = {
-	getExecOutput: jest.fn(() => ({
-		stdout: "MOCK_SECRET",
-	})),
-};
@@ -1,10 +0,0 @@
-module.exports = {
-	downloadTool: jest.fn(),
-	extractTar: jest.fn(),
-	extractZip: jest.fn(),
-	cacheDir: jest.fn<Promise<string>, [string]>(async (dir) => {
-		await Promise.resolve();
-		return dir;
-	}),
-	find: jest.fn<string, [string, string?, string?]>(() => ""),
-};
@@ -2,9 +2,5 @@ export const envConnectHost = "OP_CONNECT_HOST";
 export const envConnectToken = "OP_CONNECT_TOKEN";
 export const envServiceAccountToken = "OP_SERVICE_ACCOUNT_TOKEN";
 export const envManagedVariables = "OP_MANAGED_VARIABLES";
-export const envFilePath = "OP_ENV_FILE";
-export const envWorkloadId = "OP_WORKLOAD_ID";
-export const envEnvironmentId = "OP_ENVIRONMENT_ID";
-export const envIntegrationKey = "OP_INTEGRATION_KEY";

 export const authErr = `Authentication error with environment variables: you must set either 1) ${envServiceAccountToken}, or 2) both ${envConnectHost} and ${envConnectToken}.`;
@@ -1,16 +1,7 @@
-import dotenv from "dotenv";
 import * as core from "@actions/core";
 import { validateCli } from "@1password/op-js";
-import { installCliOnGithubActionRunner } from "./op-cli-installer";
-import {
-	getWorkloadIdentityConfig,
-	hasCliAuth,
-	loadSecrets,
-	unsetPrevious,
-	validateAuth,
-} from "./utils";
-import { loadSecretsFromSDK } from "./sdk-client";
-import { envFilePath } from "./constants";
+import { install } from "@1password/install-cli-action";
+import { loadSecrets, unsetPrevious, validateAuth } from "./utils";

 const loadSecretsAction = async () => {
 	try {
@@ -23,42 +14,14 @@ const loadSecretsAction = async () => {
 			unsetPrevious();
 		}

-		const workloadConfig = getWorkloadIdentityConfig();
+		// Validate that a proper authentication configuration is set for the CLI
+		validateAuth();

-		// `unset-previous` can run with no credentials present: Workload Identity creds
-		// are inline per-step and intentionally not persisted (persisting them would make
-		// every later step re-load all variables). Nothing to auth or load, we're done.
-		if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
-			core.info(
-				"No authentication configured; unset previously managed variables. No secrets were loaded.",
-			);
-			return;
-		}
+		// Download and install the CLI
+		await installCLI();

-		if (workloadConfig) {
-			await loadSecretsFromSDK(
-				workloadConfig.workloadId,
-				workloadConfig.environmentId,
-				workloadConfig.integrationKey,
-				shouldExportEnv,
-			);
-		} else {
-			// Validate that a proper authentication configuration is set for the CLI
-			validateAuth();
-
-			// Set environment variables from OP_ENV_FILE
-			const file = process.env[envFilePath];
-			if (file) {
-				core.info(`Loading environment variables from file: ${file}`);
-				dotenv.config({ path: file });
-			}
-
-			// Download and install the CLI
-			await installCLI();
-
-			// Load secrets
-			await loadSecrets(shouldExportEnv);
-		}
+		// Load secrets
+		await loadSecrets(shouldExportEnv);
 	} catch (error) {
 		// It's possible for the Error constructor to be modified to be anything
 		// in JavaScript, so the following code accounts for this possibility.
@@ -81,7 +44,7 @@ const installCLI = async (): Promise<void> => {
 	// If there's no CLI installed, then validateCli will throw an error, which we will use
 	// as an indicator that we need to execute the installation script.
 	await validateCli().catch(async () => {
-		await installCliOnGithubActionRunner();
+		await install()
 	});
 };

@@ -1,58 +0,0 @@
-import os from "os";
-
-import * as core from "@actions/core";
-import * as tc from "@actions/tool-cache";
-
-export type SupportedPlatform = Extract<
-	NodeJS.Platform,
-	"linux" | "darwin" | "win32"
->;
-
-// maps OS architecture names to 1Password CLI installer architecture names
-export const archMap: Record<string, string> = {
-	ia32: "386",
-	x64: "amd64",
-	arm: "arm",
-	arm64: "arm64",
-};
-
-// Builds the download URL for the 1Password CLI based on the platform and version.
-export const cliUrlBuilder: Record<
-	SupportedPlatform,
-	(version: string, arch?: string) => string
-> = {
-	linux: (version, arch) =>
-		`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_linux_${arch}_${version}.zip`,
-	darwin: (version) =>
-		`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_apple_universal_${version}.pkg`,
-	win32: (version, arch) =>
-		`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_windows_${arch}_${version}.zip`,
-};
-
-export class CliInstaller {
-	public readonly version: string;
-	public readonly arch: string;
-
-	public constructor(version: string) {
-		this.version = version;
-		this.arch = this.getArch();
-	}
-
-	public async install(url: string): Promise<void> {
-		console.info(`Downloading 1Password CLI from: ${url}`);
-		const downloadPath = await tc.downloadTool(url);
-		console.info("Installing 1Password CLI");
-		const extractedPath = await tc.extractZip(downloadPath);
-		core.addPath(extractedPath);
-		core.info("1Password CLI installed");
-	}
-
-	private getArch(): string {
-		const arch = archMap[os.arch()];
-		if (!arch) {
-			throw new Error("Unsupported architecture");
-		}
-
-		return arch;
-	}
-}
@@ -1 +0,0 @@
-export { type Installer, newCliInstaller } from "./installer";
@@ -1,43 +0,0 @@
-import os from "os";
-
-import { newCliInstaller } from "./installer";
-import { LinuxInstaller } from "./linux";
-import { MacOsInstaller } from "./macos";
-import { WindowsInstaller } from "./windows";
-
-afterEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("newCliInstaller", () => {
-	const version = "1.0.0";
-
-	afterEach(() => {
-		jest.resetAllMocks();
-	});
-
-	it("should return LinuxInstaller for linux platform", () => {
-		jest.spyOn(os, "platform").mockReturnValue("linux");
-		const installer = newCliInstaller(version);
-		expect(installer).toBeInstanceOf(LinuxInstaller);
-	});
-
-	it("should return MacOsInstaller for darwin platform", () => {
-		jest.spyOn(os, "platform").mockReturnValue("darwin");
-		const installer = newCliInstaller(version);
-		expect(installer).toBeInstanceOf(MacOsInstaller);
-	});
-
-	it("should return WindowsInstaller for win32 platform", () => {
-		jest.spyOn(os, "platform").mockReturnValue("win32");
-		const installer = newCliInstaller(version);
-		expect(installer).toBeInstanceOf(WindowsInstaller);
-	});
-
-	it("should throw error for unsupported platform", () => {
-		jest.spyOn(os, "platform").mockReturnValue("sunos");
-		expect(() => newCliInstaller(version)).toThrow(
-			"Unsupported platform: sunos",
-		);
-	});
-});
@@ -1,23 +0,0 @@
-import os from "os";
-
-import { LinuxInstaller } from "./linux";
-import { MacOsInstaller } from "./macos";
-import { WindowsInstaller } from "./windows";
-
-export interface Installer {
-	installCli(): Promise<void>;
-}
-
-export const newCliInstaller = (version: string): Installer => {
-	const platform = os.platform();
-	switch (platform) {
-		case "linux":
-			return new LinuxInstaller(version);
-		case "darwin":
-			return new MacOsInstaller(version);
-		case "win32":
-			return new WindowsInstaller(version);
-		default:
-			throw new Error(`Unsupported platform: ${platform}`);
-	}
-};
@@ -1,38 +0,0 @@
-import os from "os";
-
-import {
-	archMap,
-	CliInstaller,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import { LinuxInstaller } from "./linux";
-
-afterEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("LinuxInstaller", () => {
-	const version = "1.2.3";
-	const arch: NodeJS.Architecture = "arm64";
-
-	it("should construct with given version and architecture", () => {
-		jest.spyOn(os, "arch").mockReturnValue(arch);
-		const installer = new LinuxInstaller(version);
-		expect(installer.version).toEqual(version);
-		expect(installer.arch).toEqual(archMap[arch]);
-	});
-
-	it("should call install with correct URL", async () => {
-		const installer = new LinuxInstaller(version);
-		const installMock = jest
-			.spyOn(CliInstaller.prototype, "install")
-			.mockResolvedValue();
-
-		await installer.installCli();
-
-		const builder = cliUrlBuilder["linux" as SupportedPlatform];
-		const url = builder(version, installer.arch);
-		expect(installMock).toHaveBeenCalledWith(url);
-	});
-});
@@ -1,19 +0,0 @@
-import {
-	CliInstaller,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import type { Installer } from "./installer";
-
-export class LinuxInstaller extends CliInstaller implements Installer {
-	private readonly platform: SupportedPlatform = "linux"; // Node.js platform identifier for Linux
-
-	public constructor(version: string) {
-		super(version);
-	}
-
-	public async installCli(): Promise<void> {
-		const urlBuilder = cliUrlBuilder[this.platform];
-		await super.install(urlBuilder(this.version, this.arch));
-	}
-}
@@ -1,35 +0,0 @@
-import os from "os";
-
-import {
-	archMap,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import { MacOsInstaller } from "./macos";
-
-afterEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("MacOsInstaller", () => {
-	const version = "1.2.3";
-	const arch: NodeJS.Architecture = "x64";
-
-	it("should construct with given version and architecture", () => {
-		jest.spyOn(os, "arch").mockReturnValue(arch);
-		const installer = new MacOsInstaller(version);
-		expect(installer.version).toEqual(version);
-		expect(installer.arch).toEqual(archMap[arch]);
-	});
-
-	it("should call install with correct URL", async () => {
-		const installer = new MacOsInstaller(version);
-		const installMock = jest.spyOn(installer, "install").mockResolvedValue();
-
-		await installer.installCli();
-
-		const builder = cliUrlBuilder["darwin" as SupportedPlatform];
-		const url = builder(version, installer.arch);
-		expect(installMock).toHaveBeenCalledWith(url);
-	});
-});
@@ -1,49 +0,0 @@
-import { execFile } from "child_process";
-import * as fs from "fs";
-import * as path from "path";
-import { promisify } from "util";
-
-import * as core from "@actions/core";
-import * as tc from "@actions/tool-cache";
-
-import {
-	CliInstaller,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import { type Installer } from "./installer";
-
-const execFileAsync = promisify(execFile);
-
-export class MacOsInstaller extends CliInstaller implements Installer {
-	private readonly platform: SupportedPlatform = "darwin"; // Node.js platform identifier for macOS
-
-	public constructor(version: string) {
-		super(version);
-	}
-
-	public async installCli(): Promise<void> {
-		const urlBuilder = cliUrlBuilder[this.platform];
-		await this.install(urlBuilder(this.version));
-	}
-
-	// @actions/tool-cache package does not support .pkg files, so we need to handle the installation manually
-	public override async install(downloadUrl: string): Promise<void> {
-		console.info(`Downloading 1Password CLI from: ${downloadUrl}`);
-		const pkgPath = await tc.downloadTool(downloadUrl);
-		const pkgWithExtension = `${pkgPath}.pkg`;
-		fs.renameSync(pkgPath, pkgWithExtension);
-
-		const expandDir = "temp-pkg";
-		await execFileAsync("pkgutil", ["--expand", pkgWithExtension, expandDir]);
-		const payloadPath = path.join(expandDir, "op.pkg", "Payload");
-		console.info("Installing 1Password CLI");
-		const cliPath = await tc.extractTar(payloadPath);
-		core.addPath(cliPath);
-
-		fs.rmSync(expandDir, { recursive: true, force: true });
-		fs.rmSync(pkgPath, { force: true });
-
-		core.info("1Password CLI installed");
-	}
-}
@@ -1,60 +0,0 @@
-import fs from "fs";
-import os from "os";
-
-import * as core from "@actions/core";
-import * as tc from "@actions/tool-cache";
-
-import {
-	archMap,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import { WindowsInstaller } from "./windows";
-
-jest.mock("fs");
-
-afterEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("WindowsInstaller", () => {
-	const version = "1.2.3";
-	const arch: NodeJS.Architecture = "x64";
-
-	it("should construct with given version and architecture", () => {
-		jest.spyOn(os, "arch").mockReturnValue(arch);
-		const installer = new WindowsInstaller(version);
-		expect(installer.version).toEqual(version);
-		expect(installer.arch).toEqual(archMap[arch]);
-	});
-
-	it("should call install with correct URL", async () => {
-		const installer = new WindowsInstaller(version);
-		const installMock = jest.spyOn(installer, "install").mockResolvedValue();
-
-		await installer.installCli();
-
-		const builder = cliUrlBuilder["win32" as SupportedPlatform];
-		const url = builder(version, installer.arch);
-		expect(installMock).toHaveBeenCalledWith(url);
-	});
-
-	it("should rename downloaded file with .zip extension before extracting", async () => {
-		const downloadPath = "/tmp/abc-123";
-		const extractedPath = "/tmp/extracted";
-
-		(tc.downloadTool as jest.Mock).mockResolvedValue(downloadPath);
-		(tc.extractZip as jest.Mock).mockResolvedValue(extractedPath);
-
-		const installer = new WindowsInstaller(version);
-		await installer.installCli();
-
-		expect(tc.downloadTool).toHaveBeenCalled();
-		expect(fs.renameSync).toHaveBeenCalledWith(
-			downloadPath,
-			`${downloadPath}.zip`,
-		);
-		expect(tc.extractZip).toHaveBeenCalledWith(`${downloadPath}.zip`);
-		expect(core.addPath).toHaveBeenCalledWith(extractedPath);
-	});
-});
@@ -1,37 +0,0 @@
-import * as fs from "fs";
-
-import * as core from "@actions/core";
-import * as tc from "@actions/tool-cache";
-
-import {
-	CliInstaller,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import type { Installer } from "./installer";
-
-export class WindowsInstaller extends CliInstaller implements Installer {
-	private readonly platform: SupportedPlatform = "win32"; // Node.js platform identifier for Windows
-
-	public constructor(version: string) {
-		super(version);
-	}
-
-	public async installCli(): Promise<void> {
-		const urlBuilder = cliUrlBuilder[this.platform];
-		await this.install(urlBuilder(this.version, this.arch));
-	}
-
-	// Windows PowerShell's Expand-Archive requires files to have a .zip extension.
-	// tc.downloadTool saves to a UUID filename with no extension, so we rename it.
-	public override async install(url: string): Promise<void> {
-		console.info(`Downloading 1Password CLI from: ${url}`);
-		const downloadPath = await tc.downloadTool(url);
-		const zipPath = `${downloadPath}.zip`;
-		fs.renameSync(downloadPath, zipPath);
-		console.info("Installing 1Password CLI");
-		const extractedPath = await tc.extractZip(zipPath);
-		core.addPath(extractedPath);
-		core.info("1Password CLI installed");
-	}
-}
@@ -1,18 +0,0 @@
-import * as core from "@actions/core";
-
-import { ReleaseChannel, VersionResolver } from "../version";
-
-import { newCliInstaller } from "./cli-installer";
-
-// Installs the 1Password CLI on a GitHub Action runner.
-export const installCliOnGithubActionRunner = async (
-	version?: string,
-): Promise<void> => {
-	// Get the version from parameter, if not passed - from the job input. Defaults to latest if no version is provided
-	const providedVersion =
-		version || core.getInput("version") || ReleaseChannel.latest;
-	const versionResolver = new VersionResolver(providedVersion);
-	await versionResolver.resolve();
-	const installer = newCliInstaller(versionResolver.get());
-	await installer.installCli();
-};
@@ -1,81 +0,0 @@
-import * as core from "@actions/core";
-
-import { newCliInstaller } from "./github-action/cli-installer";
-import {
-	installCliOnGithubActionRunner,
-	ReleaseChannel,
-	VersionResolver,
-} from "./index";
-
-jest.mock("./github-action/cli-installer", () => ({
-	newCliInstaller: jest.fn().mockImplementation((_resolved: string) => ({
-		installCli: jest.fn(),
-	})),
-}));
-
-beforeEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("installCliOnGithubActionRunner", () => {
-	it("should defaults to `latest` when nothing is passed", async () => {
-		jest.spyOn(core, "getInput").mockReturnValue("");
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(ReleaseChannel.latest);
-
-		await installCliOnGithubActionRunner();
-
-		expect(newCliInstaller).toHaveBeenCalledWith(ReleaseChannel.latest);
-	});
-
-	it("should defaults to `latest` when undefined is passed", async () => {
-		jest.spyOn(core, "getInput").mockReturnValue("");
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(ReleaseChannel.latest);
-
-		await installCliOnGithubActionRunner(undefined);
-
-		expect(newCliInstaller).toHaveBeenCalledWith(ReleaseChannel.latest);
-	});
-
-	it("should set provided explicit version", async () => {
-		const providedVersion = "1.2.3";
-		jest.spyOn(core, "getInput").mockReturnValue("");
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(providedVersion);
-
-		await installCliOnGithubActionRunner(providedVersion);
-
-		expect(newCliInstaller).toHaveBeenCalledWith(providedVersion);
-	});
-
-	it("should set version provided as job input", async () => {
-		const providedVersion = "3.0.0";
-		jest.spyOn(core, "getInput").mockReturnValue(providedVersion);
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(providedVersion);
-
-		await installCliOnGithubActionRunner();
-
-		expect(newCliInstaller).toHaveBeenCalledWith(providedVersion);
-	});
-
-	it("should throw error for invalid version", async () => {
-		const providedVersion = "invalid";
-		jest.spyOn(core, "getInput").mockReturnValue(providedVersion);
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(providedVersion);
-
-		await expect(installCliOnGithubActionRunner()).rejects.toThrow();
-	});
-});
@@ -1,2 +0,0 @@
-export { installCliOnGithubActionRunner } from "./github-action";
-export { ReleaseChannel, VersionResolver } from "./version";
@@ -1,13 +0,0 @@
-export enum ReleaseChannel {
-	latest = "latest",
-	latestBeta = "latest-beta",
-}
-
-export interface VersionResponse {
-	// eslint disabled next line as CLI2 is expected in getting CLI versions response
-	/* eslint-disable-next-line @typescript-eslint/naming-convention */
-	CLI2: {
-		release: { version: string };
-		beta: { version: string };
-	};
-}
@@ -1,91 +0,0 @@
-import { ReleaseChannel } from "./constants";
-import { getLatestVersion } from "./helper";
-
-describe("getLatestVersion", () => {
-	beforeEach(() => {
-		jest.restoreAllMocks();
-	});
-
-	it("should return latest stable version", async () => {
-		const mockResponse = {
-			// eslint-disable-next-line @typescript-eslint/naming-convention
-			CLI2: {
-				release: { version: "2.31.0" },
-				beta: { version: "2.32.0-beta.01" },
-			},
-		};
-
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => mockResponse,
-		} as Response);
-
-		const version = await getLatestVersion(ReleaseChannel.latest);
-		expect(version).toBe("2.31.0");
-	});
-
-	it("should return latest beta version", async () => {
-		const mockResponse = {
-			// eslint-disable-next-line @typescript-eslint/naming-convention
-			CLI2: {
-				release: { version: "2.31.0" },
-				beta: { version: "2.32.0-beta.01" },
-			},
-		};
-
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => mockResponse,
-		} as Response);
-
-		const version = await getLatestVersion(ReleaseChannel.latestBeta);
-		expect(version).toBe("2.32.0-beta.01");
-	});
-
-	it("should throw if no CLI2 field", async () => {
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => ({}),
-		} as Response);
-
-		await expect(getLatestVersion(ReleaseChannel.latest)).rejects.toThrow(
-			`No ${ReleaseChannel.latest} versions found`,
-		);
-	});
-
-	it("should throw if no stable version found", async () => {
-		const mockResponse = {
-			// eslint-disable-next-line @typescript-eslint/naming-convention
-			CLI2: {
-				beta: { version: "2.32.0-beta.01" },
-			},
-		};
-
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => mockResponse,
-		} as Response);
-
-		await expect(getLatestVersion(ReleaseChannel.latest)).rejects.toThrow(
-			`No ${ReleaseChannel.latest} versions found`,
-		);
-	});
-
-	it("should throw if no beta version found", async () => {
-		const mockResponse = {
-			// eslint-disable-next-line @typescript-eslint/naming-convention
-			CLI2: {
-				release: { version: "2.32.0" },
-			},
-		};
-
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => mockResponse,
-		} as Response);
-
-		await expect(getLatestVersion(ReleaseChannel.latestBeta)).rejects.toThrow(
-			`No ${ReleaseChannel.latestBeta} versions found`,
-		);
-	});
-});
@@ -1,23 +0,0 @@
-import * as core from "@actions/core";
-
-import { ReleaseChannel, type VersionResponse } from "./constants";
-
-// Returns the latest version of the 1Password CLI based on the specified channel.
-export const getLatestVersion = async (
-	channel: ReleaseChannel,
-): Promise<string> => {
-	core.info(`Getting ${channel} version number`);
-	const res = await fetch("https://app-updates.agilebits.com/latest");
-	const json = (await res.json()) as VersionResponse;
-	const latestStable = json?.CLI2?.release?.version;
-	const latestBeta = json?.CLI2?.beta?.version;
-	const version =
-		channel === ReleaseChannel.latestBeta ? latestBeta : latestStable;
-
-	if (!version) {
-		core.error(`No ${channel} versions found`);
-		throw new Error(`No ${channel} versions found`);
-	}
-
-	return version;
-};
@@ -1,2 +0,0 @@
-export { VersionResolver } from "./version-resolver";
-export { ReleaseChannel } from "./constants";
@@ -1,45 +0,0 @@
-import { describe, expect, it } from "@jest/globals";
-
-import { validateVersion } from "./validate";
-
-describe("validateVersion", () => {
-	it('should not throw for "latest"', () => {
-		expect(() => validateVersion("latest")).not.toThrow();
-	});
-
-	it('should not throw for "latest-beta"', () => {
-		expect(() => validateVersion("latest-beta")).not.toThrow();
-	});
-
-	it('should not throw for valid semver version "2.18.0"', () => {
-		expect(() => validateVersion("2.18.0")).not.toThrow();
-	});
-
-	it('should throw for partial version "2"', () => {
-		expect(() => validateVersion("2")).toThrow();
-	});
-
-	it('should throw for partial version "2.1"', () => {
-		expect(() => validateVersion("2.1")).toThrow();
-	});
-
-	it('should not throw for valid beta "2.19.0-beta.01"', () => {
-		expect(() => validateVersion("2.19.0-beta.01")).not.toThrow();
-	});
-
-	it('should not throw for valid beta "2.19.3-beta.12"', () => {
-		expect(() => validateVersion("2.19.3-beta.12")).not.toThrow();
-	});
-
-	it('should not throw for coerced version "v2.19.0"', () => {
-		expect(() => validateVersion("v2.19.0")).not.toThrow();
-	});
-
-	it('should throw for invalid version "latest-abc"', () => {
-		expect(() => validateVersion("latest-abc")).toThrow();
-	});
-
-	it("should throw for empty string", () => {
-		expect(() => validateVersion("")).toThrow();
-	});
-});
@@ -1,23 +0,0 @@
-import semver from "semver";
-
-import { ReleaseChannel } from "./constants";
-
-// Validates if the provided version type is a valid enum value or a valid semver version.
-export const validateVersion = (input: string): void => {
-	if (Object.values(ReleaseChannel).includes(input as ReleaseChannel)) {
-		return;
-	}
-
-	// 1Password beta releases (aka 2.19.0-beta.01) are not semver compliant.
-	// According to semver, it should be "2.19.0-beta.1".
-	// That's why we need to normalize them before validating.
-	// Accepts valid semver versions like "2.18.0" or beta-releases like "2.19.0-beta.01"
-	// or versions with 'v' prefix like "v2.19.0"
-	const normalized = input.replace(/-beta\.0*(\d+)/, "-beta.$1");
-	const normInput = new semver.SemVer(normalized);
-	if (semver.valid(normInput)) {
-		return;
-	}
-
-	throw new Error(`Invalid version input: ${input}`);
-};
@@ -1,58 +0,0 @@
-import { expect } from "@jest/globals";
-
-import { ReleaseChannel } from "./constants";
-import { VersionResolver } from "./version-resolver";
-
-describe("VersionResolver", () => {
-	test("should throw error when invalid version provided", () => {
-		expect(() => new VersionResolver("vv")).toThrow();
-	});
-
-	test("should throw error when version is empty", () => {
-		expect(() => new VersionResolver("")).toThrow();
-	});
-
-	test("should throw error for major version only", () => {
-		expect(() => new VersionResolver("1")).toThrow();
-	});
-
-	test("should throw error for major and minor version only", () => {
-		expect(() => new VersionResolver("1.0")).toThrow();
-	});
-
-	test("should resolve latest stable version", async () => {
-		const versionResolver = new VersionResolver(ReleaseChannel.latest);
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBeDefined();
-	});
-
-	test("should resolve latest beta version", async () => {
-		const versionResolver = new VersionResolver(ReleaseChannel.latestBeta);
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBeDefined();
-	});
-
-	test("should resolve version without 'v' prefix", async () => {
-		const versionResolver = new VersionResolver("1.0.0");
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBe("v1.0.0");
-	});
-
-	test("should resolve version with 'v' prefix", async () => {
-		const versionResolver = new VersionResolver("v1.0.0");
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBe("v1.0.0");
-	});
-
-	test("should resolve beta version without 'v' prefix", async () => {
-		const versionResolver = new VersionResolver("2.19.0-beta.01");
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBe("v2.19.0-beta.01");
-	});
-
-	test("should resolve beta version with 'v' prefix", async () => {
-		const versionResolver = new VersionResolver("v2.19.0-beta.01");
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBe("v2.19.0-beta.01");
-	});
-});
@@ -1,45 +0,0 @@
-import * as core from "@actions/core";
-
-import { ReleaseChannel } from "./constants";
-import { getLatestVersion } from "./helper";
-import { validateVersion } from "./validate";
-
-export class VersionResolver {
-	private version: string;
-
-	public constructor(version: string) {
-		this.validate(version);
-		this.version = version;
-	}
-
-	public get(): string {
-		return this.version;
-	}
-
-	public async resolve(): Promise<void> {
-		core.info(`Resolving version: ${this.version}`);
-		if (!this.version) {
-			core.error("Version is not provided");
-			throw new Error("Version is not provided");
-		}
-
-		if (this.isReleaseChannel(this.version)) {
-			this.version = await getLatestVersion(this.version);
-		}
-
-		// add `v` prefix if not already present
-		this.version = this.version.startsWith("v")
-			? this.version
-			: `v${this.version}`;
-	}
-
-	private validate(version: string) {
-		core.info(`Validating version number: '${version}'`);
-		validateVersion(version);
-		core.info(`Version number '${version}' is valid`);
-	}
-
-	private isReleaseChannel(value: string): value is ReleaseChannel {
-		return Object.values(ReleaseChannel).includes(value as ReleaseChannel);
-	}
-}
@@ -1,114 +0,0 @@
-import * as core from "@actions/core";
-import { createClient } from "@1password/sdk";
-import { envManagedVariables } from "./constants";
-import { getOIDCToken, loadSecretsFromSDK } from "./sdk-client";
-
-jest.mock("@1password/sdk");
-
-const mockGetVariables = jest.fn();
-
-beforeEach(() => {
-	jest.clearAllMocks();
-	(createClient as jest.Mock).mockResolvedValue({
-		environments: {
-			getVariables: mockGetVariables,
-		},
-	});
-});
-
-describe("getOIDCToken", () => {
-	it("delegates to core.getIDToken", async () => {
-		(core.getIDToken as jest.Mock).mockResolvedValue("oidc-token");
-
-		await expect(getOIDCToken("test-audience")).resolves.toBe("oidc-token");
-		expect(core.getIDToken).toHaveBeenCalledWith("test-audience");
-	});
-});
-
-describe("loadSecretsFromSDK", () => {
-	const workloadId = "workload-uuid";
-	const environmentId = "environment-uuid";
-	const integrationKey = "integration-key";
-
-	const variables = [
-		{ name: "DOCKERHUB_USERNAME", value: "myuser" },
-		{ name: "DOCKERHUB_TOKEN", value: "mypassword" },
-	];
-
-	beforeEach(() => {
-		mockGetVariables.mockResolvedValue({ variables });
-	});
-
-	it("sets secrets as step outputs by default", async () => {
-		await loadSecretsFromSDK(workloadId, environmentId, integrationKey, false);
-
-		expect(core.setOutput).toHaveBeenCalledWith("DOCKERHUB_USERNAME", "myuser");
-		expect(core.setOutput).toHaveBeenCalledWith(
-			"DOCKERHUB_TOKEN",
-			"mypassword",
-		);
-		expect(core.exportVariable).not.toHaveBeenCalledWith(
-			"DOCKERHUB_USERNAME",
-			"myuser",
-		);
-		expect(core.setSecret).toHaveBeenCalledWith("myuser");
-		expect(core.setSecret).toHaveBeenCalledWith("mypassword");
-		expect(core.exportVariable).not.toHaveBeenCalledWith(
-			envManagedVariables,
-			expect.any(String),
-		);
-	});
-
-	it("exports secrets as environment variables when shouldExportEnv is true", async () => {
-		await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
-
-		expect(core.exportVariable).toHaveBeenCalledWith(
-			"DOCKERHUB_USERNAME",
-			"myuser",
-		);
-		expect(core.exportVariable).toHaveBeenCalledWith(
-			"DOCKERHUB_TOKEN",
-			"mypassword",
-		);
-		expect(core.setOutput).not.toHaveBeenCalled();
-		expect(core.exportVariable).toHaveBeenCalledWith(
-			envManagedVariables,
-			"DOCKERHUB_USERNAME,DOCKERHUB_TOKEN",
-		);
-	});
-
-	describe("when secret value is empty string", () => {
-		beforeEach(() => {
-			mockGetVariables.mockResolvedValue({
-				variables: [{ name: "EMPTY_SECRET", value: "" }],
-			});
-		});
-
-		it("sets empty string as step output", async () => {
-			await loadSecretsFromSDK(
-				workloadId,
-				environmentId,
-				integrationKey,
-				false,
-			);
-
-			expect(core.setOutput).toHaveBeenCalledWith("EMPTY_SECRET", "");
-			expect(core.setSecret).not.toHaveBeenCalledWith("");
-		});
-
-		it("sets empty string as environment variable", async () => {
-			await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
-
-			expect(core.exportVariable).toHaveBeenCalledWith("EMPTY_SECRET", "");
-			expect(core.setSecret).not.toHaveBeenCalledWith("");
-		});
-	});
-
-	it("does not export OP_MANAGED_VARIABLES when no variables are returned", async () => {
-		mockGetVariables.mockResolvedValue({ variables: [] });
-
-		await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
-
-		expect(core.exportVariable).not.toHaveBeenCalled();
-	});
-});
@@ -1,52 +0,0 @@
-import * as core from "@actions/core";
-import { createClient } from "@1password/sdk";
-import { version } from "../package.json";
-import { envManagedVariables } from "./constants";
-
-// eslint-disable-next-line @typescript-eslint/naming-convention
-export const getOIDCToken = async (audience: string): Promise<string> =>
-	core.getIDToken(audience);
-
-// eslint-disable-next-line @typescript-eslint/naming-convention
-export const loadSecretsFromSDK = async (
-	workloadId: string,
-	environmentId: string,
-	integrationKey: string,
-	shouldExportEnv: boolean,
-): Promise<void> => {
-	// Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
-	const customerManagedSecret = integrationKey.replace(/=+$/, "");
-	core.setSecret(customerManagedSecret);
-
-	const client = await createClient({
-		integrationName: "1Password GitHub Action",
-		integrationVersion: version,
-		oidcFetcher: getOIDCToken,
-		workloadDetails: {
-			customerManagedSecret,
-			workloadUuid: workloadId,
-		},
-	});
-
-	core.info("Authenticated with Workload Identity.");
-
-	const { variables } = await client.environments.getVariables(environmentId);
-
-	const envNames: string[] = [];
-	for (const { name, value } of variables) {
-		core.info(`Populating variable: ${name}`);
-		if (shouldExportEnv) {
-			core.exportVariable(name, value);
-		} else {
-			core.setOutput(name, value);
-		}
-		if (value) {
-			core.setSecret(value);
-		}
-		envNames.push(name);
-	}
-
-	if (shouldExportEnv && envNames.length > 0) {
-		core.exportVariable(envManagedVariables, envNames.join());
-	}
-};
@@ -3,8 +3,6 @@ import * as exec from "@actions/exec";
 import { read, setClientInfo } from "@1password/op-js";
 import {
 	extractSecret,
-	getWorkloadIdentityConfig,
-	hasCliAuth,
 	loadSecrets,
 	unsetPrevious,
 	validateAuth,
@@ -13,13 +11,16 @@ import {
 	authErr,
 	envConnectHost,
 	envConnectToken,
-	envEnvironmentId,
-	envIntegrationKey,
 	envManagedVariables,
 	envServiceAccountToken,
-	envWorkloadId,
 } from "./constants";

+jest.mock("@actions/core");
+jest.mock("@actions/exec", () => ({
+	getExecOutput: jest.fn(() => ({
+		stdout: "MOCK_SECRET",
+	})),
+}));
 jest.mock("@1password/op-js");

 beforeEach(() => {
@@ -71,96 +72,6 @@ describe("validateAuth", () => {
 	});
 });

-describe("getWorkloadIdentityConfig", () => {
-	const testWorkloadId = "workload-id";
-	const testEnvironmentId = "environment-id";
-	const testIntegrationKey = "integration-key";
-
-	beforeEach(() => {
-		process.env[envWorkloadId] = "";
-		process.env[envEnvironmentId] = "";
-		process.env[envIntegrationKey] = "";
-		process.env[envConnectHost] = "";
-		process.env[envConnectToken] = "";
-		process.env[envServiceAccountToken] = "";
-	});
-
-	it("should return null when no variables are set", () => {
-		expect(getWorkloadIdentityConfig()).toBeNull();
-	});
-
-	it("should return the config when all variables are set", () => {
-		process.env[envWorkloadId] = testWorkloadId;
-		process.env[envEnvironmentId] = testEnvironmentId;
-		process.env[envIntegrationKey] = testIntegrationKey;
-
-		expect(getWorkloadIdentityConfig()).toEqual({
-			workloadId: testWorkloadId,
-			environmentId: testEnvironmentId,
-			integrationKey: testIntegrationKey,
-		});
-	});
-
-	it("should throw an error when only some variables are set", () => {
-		process.env[envWorkloadId] = testWorkloadId;
-
-		expect(getWorkloadIdentityConfig).toThrow(
-			/Incomplete Workload Identity configuration/,
-		);
-	});
-
-	it("should throw an error when combined with Connect credentials", () => {
-		process.env[envWorkloadId] = testWorkloadId;
-		process.env[envEnvironmentId] = testEnvironmentId;
-		process.env[envIntegrationKey] = testIntegrationKey;
-		process.env[envConnectHost] = "https://localhost:8000";
-		process.env[envConnectToken] = "token";
-
-		expect(getWorkloadIdentityConfig).toThrow(
-			/Conflicting authentication configuration/,
-		);
-	});
-
-	it("should throw an error when combined with a service account token", () => {
-		process.env[envWorkloadId] = testWorkloadId;
-		process.env[envEnvironmentId] = testEnvironmentId;
-		process.env[envIntegrationKey] = testIntegrationKey;
-		process.env[envServiceAccountToken] = "ops_token";
-
-		expect(getWorkloadIdentityConfig).toThrow(
-			/Conflicting authentication configuration/,
-		);
-	});
-});
-
-describe("hasCliAuth", () => {
-	beforeEach(() => {
-		process.env[envConnectHost] = "";
-		process.env[envConnectToken] = "";
-		process.env[envServiceAccountToken] = "";
-	});
-
-	it("returns false when no CLI auth is configured", () => {
-		expect(hasCliAuth()).toBe(false);
-	});
-
-	it("returns false when only the Connect host is set", () => {
-		process.env[envConnectHost] = "https://localhost:8000";
-		expect(hasCliAuth()).toBe(false);
-	});
-
-	it("returns true with both Connect host and token", () => {
-		process.env[envConnectHost] = "https://localhost:8000";
-		process.env[envConnectToken] = "token";
-		expect(hasCliAuth()).toBe(true);
-	});
-
-	it("returns true with a service account token", () => {
-		process.env[envServiceAccountToken] = "ops_token";
-		expect(hasCliAuth()).toBe(true);
-	});
-});
-
 describe("extractSecret", () => {
 	const envTestSecretEnv = "TEST_SECRET";
 	const testSecretRef = "op://vault/item/secret";
@@ -195,41 +106,6 @@ describe("extractSecret", () => {
 		);
 		expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
 	});
-
-	describe("when secret value is empty string", () => {
-		const emptySecretValue = "";
-
-		beforeEach(() => {
-			(read.parse as jest.Mock).mockReturnValue(emptySecretValue);
-		});
-
-		afterEach(() => {
-			(read.parse as jest.Mock).mockReturnValue(testSecretValue);
-		});
-
-		it("should set empty string as step output", () => {
-			extractSecret(envTestSecretEnv, false);
-			expect(core.setOutput).toHaveBeenCalledWith(
-				envTestSecretEnv,
-				emptySecretValue,
-			);
-			expect(core.exportVariable).not.toHaveBeenCalled();
-		});
-
-		it("should set empty string as environment variable", () => {
-			extractSecret(envTestSecretEnv, true);
-			expect(core.exportVariable).toHaveBeenCalledWith(
-				envTestSecretEnv,
-				emptySecretValue,
-			);
-			expect(core.setOutput).not.toHaveBeenCalled();
-		});
-
-		it("should not call setSecret for empty string", () => {
-			extractSecret(envTestSecretEnv, false);
-			expect(core.setSecret).not.toHaveBeenCalled();
-		});
-	});
 });

 describe("loadSecrets", () => {
@@ -285,24 +161,4 @@ describe("unsetPrevious", () => {
 		expect(core.info).toHaveBeenCalledWith("Unsetting TEST_SECRET");
 		expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
 	});
-
-	it("should unset every variable listed in OP_MANAGED_VARIABLES", () => {
-		process.env[envManagedVariables] = "TEST_SECRET,ANOTHER_TEST,SUPER_SECRET";
-
-		unsetPrevious();
-
-		expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
-		expect(core.exportVariable).toHaveBeenCalledWith("ANOTHER_TEST", "");
-		expect(core.exportVariable).toHaveBeenCalledWith("SUPER_SECRET", "");
-		expect(core.exportVariable).toHaveBeenCalledTimes(3);
-	});
-
-	it("should do nothing when no variables are managed", () => {
-		process.env[envManagedVariables] = "";
-
-		unsetPrevious();
-
-		expect(core.exportVariable).not.toHaveBeenCalled();
-		expect(core.info).not.toHaveBeenCalledWith("Unsetting previous values ...");
-	});
 });
@@ -8,61 +8,8 @@ import {
 	envConnectToken,
 	envServiceAccountToken,
 	envManagedVariables,
-	envWorkloadId,
-	envEnvironmentId,
-	envIntegrationKey,
 } from "./constants";

-export interface WorkloadIdentityConfig {
-	workloadId: string;
-	environmentId: string;
-	integrationKey: string;
-}
-
-// Returns the Workload Identity configuration when all variables are set,
-// or null when none are set (so the CLI auth path can be used instead).
-// Throws if the configuration is only partially set, or if it is combined
-// with the CLI auth methods (Connect / service account).
-export const getWorkloadIdentityConfig = (): WorkloadIdentityConfig | null => {
-	const workloadId = process.env[envWorkloadId];
-	const environmentId = process.env[envEnvironmentId];
-	const integrationKey = process.env[envIntegrationKey];
-
-	// None set: fall back to the CLI auth path.
-	if (!workloadId && !environmentId && !integrationKey) {
-		return null;
-	}
-
-	// Some but not all set: configuration is incomplete.
-	if (!workloadId || !environmentId || !integrationKey) {
-		throw new Error(
-			`Incomplete Workload Identity configuration. To use Workload Identity, set all of ${envWorkloadId}, ${envEnvironmentId}, and ${envIntegrationKey}.`,
-		);
-	}
-
-	// Workload Identity is fully configured, so it must not be combined with the
-	// CLI auth methods (Connect / service account), which are mutually exclusive.
-	if (
-		process.env[envConnectHost] ||
-		process.env[envConnectToken] ||
-		process.env[envServiceAccountToken]
-	) {
-		throw new Error(
-			`Conflicting authentication configuration: Workload Identity cannot be combined with Connect (${envConnectHost}/${envConnectToken}) or a service account (${envServiceAccountToken}). Set only one authentication method.`,
-		);
-	}
-
-	return { workloadId, environmentId, integrationKey };
-};
-
-// Whether CLI authentication (1Password Connect or a service account) is
-// configured via environment variables.
-export const hasCliAuth = (): boolean =>
-	Boolean(
-		(process.env[envConnectHost] && process.env[envConnectToken]) ||
-			process.env[envServiceAccountToken],
-	);
-
 export const validateAuth = (): void => {
 	const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
 	const isServiceAccount = process.env[envServiceAccountToken];
@@ -94,7 +41,7 @@ export const extractSecret = (
 	}

 	const secretValue = read.parse(ref);
-	if (secretValue === null || secretValue === undefined) {
+	if (!secretValue) {
 		return;
 	}

@@ -103,20 +50,15 @@ export const extractSecret = (
 	} else {
 		core.setOutput(envName, secretValue);
 	}
-	// Skip setSecret for empty strings to avoid the warning:
-	// "Can't add secret mask for empty string in ##[add-mask] command."
-	if (secretValue) {
-		core.setSecret(secretValue);
-	}
+	core.setSecret(secretValue);
 };

 export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
-	// Strip any prerelease suffix; semverToInt only accepts MAJOR.MINOR.PATCH.
-	const [releaseVersion] = version.split("-");
+	// Pass User-Agent Information to the 1Password CLI
 	setClientInfo({
 		name: "1Password GitHub Action",
 		id: "GHA",
-		build: semverToInt(releaseVersion ?? version),
+		build: semverToInt(version),
 	});

 	// Load secrets from environment variables using 1Password CLI.
@@ -9,8 +9,11 @@ assert_env_equals() {
  fi
 }

-readonly SECRET="RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
-MULTILINE_SECRET="$(cat << EOF
+assert_env_equals "SECRET" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
+
+assert_env_equals "SECRET_IN_SECTION" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
+
+assert_env_equals "MULTILINE_SECRET" "$(cat << EOF
 -----BEGIN PRIVATE KEY-----
 RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLApXaGls
 ZSB3ZSBkZWVwbHkgYXBwcmVjaWF0ZSB5b3VyIHZp
@@ -25,20 +28,3 @@ IApTbyBwbGVhc2UgZG9uJ3QgcmVwb3J0IGl0IQo=
 -----END PRIVATE KEY-----
 EOF
 )"
-readonly MULTILINE_SECRET
-readonly WEBSITE="www.test.com"
-
-assert_env_equals "SECRET" "${SECRET}"
-assert_env_equals "FILE_SECRET" "${SECRET}"
-
-assert_env_equals "SECRET_IN_SECTION" "${SECRET}"
-assert_env_equals "FILE_SECRET_IN_SECTION" "${SECRET}"
-
-assert_env_equals "MULTILINE_SECRET" "${MULTILINE_SECRET}"
-assert_env_equals "FILE_MULTILINE_SECRET" "${MULTILINE_SECRET}"
-
-# WEBSITE/FILE_WEBSITE: required when ASSERT_WEBSITE=true (Service Account), skipped when false (Connect)
-if [ "${ASSERT_WEBSITE:-false}" = "true" ]; then
-  assert_env_equals "WEBSITE" "${WEBSITE}"
-  assert_env_equals "FILE_WEBSITE" "${WEBSITE}"
-fi
@@ -10,18 +10,5 @@ assert_env_unset() {
 }

 assert_env_unset "SECRET"
-assert_env_unset "FILE_SECRET"
-
 assert_env_unset "SECRET_IN_SECTION"
-assert_env_unset "FILE_SECRET_IN_SECTION"
-
 assert_env_unset "MULTILINE_SECRET"
-assert_env_unset "FILE_MULTILINE_SECRET"
-
-assert_env_unset "WEBSITE"
-assert_env_unset "FILE_WEBSITE"
-
-assert_env_unset "TEST_SSH_KEY"
-assert_env_unset "FILE_TEST_SSH_KEY"
-assert_env_unset "TEST_SSH_KEY_OPENSSH"
-assert_env_unset "FILE_TEST_SSH_KEY_OPENSSH"
@@ -1,26 +0,0 @@
-#!/bin/bash
-set -e
-
-assert_ssh_key_set() {
-  local var="$1"
-  local val
-  val="$(printenv "$var" || true)"
-  if [ -z "$val" ]; then
-    echo "Expected $var to be set"
-    exit 1
-  fi
-  [ "$val" = "***" ] && return 0
-  local line
-  line="$(echo "$val" | head -1)"
-  if echo "$var" | grep -q "OPENSSH"; then
-    echo "$line" | grep -q "OPENSSH" || { echo "Expected $var to start with -----BEGIN OPENSSH PRIVATE KEY-----"; exit 1; }
-  else
-    echo "$line" | grep -q "BEGIN.*PRIVATE KEY" || { echo "Expected $var to be a private key"; exit 1; }
-  fi
-  echo "$var OK"
-}
-
-assert_ssh_key_set "TEST_SSH_KEY"
-assert_ssh_key_set "TEST_SSH_KEY_OPENSSH"
-assert_ssh_key_set "FILE_TEST_SSH_KEY"
-assert_ssh_key_set "FILE_TEST_SSH_KEY_OPENSSH"
@@ -1,16 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2086
-set -e
-
-# Asserts the secrets loaded via Workload Identity.
-
-assert_env_equals() {
-  if [ "$(printenv $1)" != "$2" ]; then
-    echo -e "Expected $1 to be set to:\n$2\nBut got:\n$(printenv $1)"
-    exit 1
-  fi
-}
-
-assert_env_equals "ANOTHER_TEST" "anothertest123"
-assert_env_equals "SUPER_SECRET" "supersecret"
-assert_env_equals "TEST_SECRET" "thisisatest"
Author	SHA1	Message	Date
Volodymyr Zotov	e34c300a89	Update `install-cli-action` import	2025-07-25 13:40:53 -05:00
Volodymyr Zotov	37a38cf129	Use `install` function from `install-cli-action`	2025-07-25 13:11:13 -05:00
				`@@ -1 +0,0 @@`
				`export { type Installer, newCliInstaller } from "./installer";`