fix syntax error

make version backwards compatiable
Remove all reference to CLI
2026-06-21 14:23:48 +00:00 · 2026-02-20 19:04:29 -05:00 · 2026-02-20 18:59:19 -05:00 · 2026-02-20 18:49:05 -05:00 · 2026-02-20 18:19:18 -05:00 · 2026-02-20 18:06:37 -05:00
52 changed files with 33547 additions and 41834 deletions
@@ -20,38 +20,33 @@ on:
        required: true
      OP_SERVICE_ACCOUNT_TOKEN:
        required: true
-      OP_WORKLOAD_ID:
-        required: true
-      OP_ENVIRONMENT_ID:
-        required: true
-      OP_INTEGRATION_KEY:
-        required: true
      VAULT:
-        description: "1Password vault name or UUID"
+        description: "1Password vault name"
+        required: true
+      VAULT_ID:
+        description: "1Password vault UUID"
        required: true

 jobs:
  test-service-account:
-    name: Service Account (${{ matrix.os }}, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
+    name: Service Account (${{ matrix.os }}, export-env=${{ matrix.export-env }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: true
-      max-parallel: 4
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
-        version: [latest, 2.30.0]
        export-env: [true, false]
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref }}

      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
-          node-version: 24
+          node-version: 20
          cache: npm

      - name: Install dependencies
@@ -63,15 +58,24 @@ jobs:
      - name: Generate .env.tpl
        shell: bash
        run: |
-          echo "FILE_SECRET=op://${VAULT}/test-secret/password" > tests/.env.tpl
-          echo "FILE_SECRET_IN_SECTION=op://${VAULT}/test-secret/test-section/password" >> tests/.env.tpl
-          echo "FILE_MULTILINE_SECRET=op://${VAULT}/multiline-secret/notesPlain" >> tests/.env.tpl
-          echo "FILE_WEBSITE=op://${VAULT}/test-secret/website" >> tests/.env.tpl
-          echo "FILE_TEST_SSH_KEY=op://${VAULT}/test-ssh-key/private key" >> tests/.env.tpl
-          echo "FILE_TEST_SSH_KEY_OPENSSH=op://${VAULT}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
+          mkdir -p tests
+          echo "FILE_SECRET=op://${{ secrets.VAULT }}/test-secret/password" > tests/.env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT }}/test-secret/test-section/password" >> tests/.env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT }}/multiline-secret/notesPlain" >> tests/.env.tpl
+          echo "SECRET_WITH_FILE=op://${{ secrets.VAULT }}/file-secret/test.txt" >> tests/.env.tpl
+          echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT }}/file-secret/file section/test.txt" >> tests/.env.tpl
+          echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT }}/double-section-secret/test-section/password" >> tests/.env.tpl
+
+      - name: Generate .vaultId_env.tpl
+        shell: bash
+        run: |
+          echo "FILE_SECRET=op://${{ secrets.VAULT_ID }}/test-secret/password" > tests/.vaultId_env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT_ID }}/test-secret/test-section/password" >> tests/.vaultId_env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT_ID }}/multiline-secret/notesPlain" >> tests/.vaultId_env.tpl
+          echo "SECRET_WITH_FILE=op://${{ secrets.VAULT_ID }}/file-secret/test.txt" >> tests/.vaultId_env.tpl
+          echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt" >> tests/.vaultId_env.tpl
+          echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password" >> tests/.vaultId_env.tpl

-        env:
-          VAULT: ${{ secrets.VAULT }}
      - name: Configure Service account
        uses: ./configure
        with:
@@ -81,58 +85,36 @@ jobs:
        id: load_secrets
        uses: ./
        with:
-          version: ${{ matrix.version }}
          export-env: ${{ matrix.export-env }}
        env:
          SECRET: op://${{ secrets.VAULT }}/test-secret/password
          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
-          WEBSITE: op://${{ secrets.VAULT }}/test-secret/website
-          TEST_SSH_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
-          TEST_SSH_KEY_OPENSSH: "op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh"
+          SECRET_WITH_FILE: op://${{ secrets.VAULT }}/file-secret/test.txt
+          SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT }}/file-secret/file section/test.txt
+          DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT }}/double-section-secret/test-section/password
          OP_ENV_FILE: ./tests/.env.tpl

      - name: Assert test secret values [step output]
        if: ${{ !matrix.export-env }}
        shell: bash
        env:
-          ASSERT_WEBSITE: "true"
          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
-          WEBSITE: ${{ steps.load_secrets.outputs.WEBSITE }}
-          FILE_WEBSITE: ${{ steps.load_secrets.outputs.FILE_WEBSITE }}
-          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
-          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
-          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
-          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
+          SECRET_WITH_FILE: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE }}
+          SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE_IN_SECTION }}
+          DOUBLE_SECTION_SECRET: ${{ steps.load_secrets.outputs.DOUBLE_SECTION_SECRET }}
        run: ./tests/assert-env-set.sh

-      - name: Assert SSH key env vars [step output]
-        if: ${{ !matrix.export-env }}
-        shell: bash
-        env:
-          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
-          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
-          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
-          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
-        run: ./tests/assert-ssh-keys-set.sh
-
      - name: Assert test secret values [exported env]
        if: ${{ matrix.export-env }}
        shell: bash
-        env:
-          ASSERT_WEBSITE: "true"
        run: ./tests/assert-env-set.sh

-      - name: Assert SSH key env vars [exported env]
-        if: ${{ matrix.export-env }}
-        shell: bash
-        run: ./tests/assert-ssh-keys-set.sh
-
      - name: Remove secrets [exported env]
        if: ${{ matrix.export-env }}
        uses: ./
@@ -144,25 +126,69 @@ jobs:
        shell: bash
        run: ./tests/assert-env-unset.sh

+      - name: Load secrets (invalid ref - expect failure)
+        id: load_invalid
+        continue-on-error: true
+        uses: ./
+        env:
+          BAD_REF: "op://x"
+        with:
+          export-env: true
+
+      - name: Assert invalid ref failed
+        shell: bash
+        run: ./tests/assert-invalid-ref-failed.sh
+        env:
+          STEP_OUTCOME: ${{ steps.load_invalid.outcome }}
+
+      - name: Load secrets by vault ID
+        id: load_secrets_by_vault_id
+        uses: ./
+        with:
+          export-env: ${{ matrix.export-env }}
+        env:
+          SECRET: op://${{ secrets.VAULT_ID }}/test-secret/password
+          SECRET_IN_SECTION: op://${{ secrets.VAULT_ID }}/test-secret/test-section/password
+          MULTILINE_SECRET: op://${{ secrets.VAULT_ID }}/multiline-secret/notesPlain
+          SECRET_WITH_FILE: op://${{ secrets.VAULT_ID }}/file-secret/test.txt
+          SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt
+          DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password
+          OP_ENV_FILE: ./tests/.vaultId_env.tpl
+
+      - name: Assert test secret values [vault by ID]
+        if: ${{ !matrix.export-env }}
+        shell: bash
+        env:
+          SECRET: ${{ steps.load_secrets_by_vault_id.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.MULTILINE_SECRET }}
+          FILE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.FILE_SECRET }}
+          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.FILE_SECRET_IN_SECTION }}
+          FILE_MULTILINE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.FILE_MULTILINE_SECRET }}
+          SECRET_WITH_FILE: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE }}
+          SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE_IN_SECTION }}
+          DOUBLE_SECTION_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.DOUBLE_SECTION_SECRET }}
+        run: ./tests/assert-env-set.sh
+
  test-connect:
-    name: Connect (ubuntu-latest, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
+    name: Connect (ubuntu-latest, export-env=${{ matrix.export-env }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
-        version: [latest, 2.30.0]
+        os: [ubuntu-latest, macos-latest, windows-latest]
        export-env: [true, false]
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref }}

      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
-          node-version: 24
+          node-version: 20
          cache: npm

      - name: Install dependencies
@@ -174,21 +200,28 @@ jobs:
      - name: Generate .env.tpl
        run: |
          mkdir -p tests
-          echo "FILE_SECRET=op://${VAULT}/test-secret/password" > tests/.env.tpl
-          echo "FILE_SECRET_IN_SECTION=op://${VAULT}/test-secret/test-section/password" >> tests/.env.tpl
-          echo "FILE_MULTILINE_SECRET=op://${VAULT}/multiline-secret/notesPlain" >> tests/.env.tpl
-          echo "FILE_TEST_SSH_KEY=op://${VAULT}/test-ssh-key/private key" >> tests/.env.tpl
-          echo "FILE_TEST_SSH_KEY_OPENSSH=op://${VAULT}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
+          echo "FILE_SECRET=op://${{ secrets.VAULT }}/test-secret/password" > tests/.env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT }}/test-secret/test-section/password" >> tests/.env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT }}/multiline-secret/notesPlain" >> tests/.env.tpl
+          echo "SECRET_WITH_FILE=op://${{ secrets.VAULT }}/file-secret/test.txt" >> tests/.env.tpl
+          echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT }}/file-secret/file section/test.txt" >> tests/.env.tpl
+          echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT }}/double-section-secret/test-section/password" >> tests/.env.tpl
+
+      - name: Generate .vaultId_env.tpl
+        run: |
+          echo "FILE_SECRET=op://${{ secrets.VAULT_ID }}/test-secret/password" > tests/.vaultId_env.tpl
+          echo "FILE_SECRET_IN_SECTION=op://${{ secrets.VAULT_ID }}/test-secret/test-section/password" >> tests/.vaultId_env.tpl
+          echo "FILE_MULTILINE_SECRET=op://${{ secrets.VAULT_ID }}/multiline-secret/notesPlain" >> tests/.vaultId_env.tpl
+          echo "SECRET_WITH_FILE=op://${{ secrets.VAULT_ID }}/file-secret/test.txt" >> tests/.vaultId_env.tpl
+          echo "SECRET_WITH_FILE_IN_SECTION=op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt" >> tests/.vaultId_env.tpl
+          echo "DOUBLE_SECTION_SECRET=op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password" >> tests/.vaultId_env.tpl

-        env:
-          VAULT: ${{ secrets.VAULT }}
      - name: Launch 1Password Connect instance
        env:
          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
        run: |
          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
-          docker compose -f tests/fixtures/docker-compose.yml up -d
-          timeout 60 bash -c 'until curl -sf http://localhost:8080/health >/dev/null 2>&1; do sleep 2; done'
+          docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 30

      - name: Configure 1Password Connect
        uses: ./configure
@@ -200,51 +233,34 @@ jobs:
        id: load_secrets
        uses: ./
        with:
-          version: ${{ matrix.version }}
          export-env: ${{ matrix.export-env }}
        env:
          SECRET: op://${{ secrets.VAULT }}/test-secret/password
          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
-          TEST_SSH_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
-          TEST_SSH_KEY_OPENSSH: "op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh"
+          SECRET_WITH_FILE: op://${{ secrets.VAULT }}/file-secret/test.txt
+          SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT }}/file-secret/file section/test.txt
+          DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT }}/double-section-secret/test-section/password
          OP_ENV_FILE: ./tests/.env.tpl

      - name: Assert test secret values [step output]
        if: ${{ !matrix.export-env }}
        env:
-          ASSERT_WEBSITE: "false"
          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
-          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
-          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
-          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
-          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
+          SECRET_WITH_FILE: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE }}
+          SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_WITH_FILE_IN_SECTION }}
+          DOUBLE_SECTION_SECRET: ${{ steps.load_secrets.outputs.DOUBLE_SECTION_SECRET }}
        run: ./tests/assert-env-set.sh

-      - name: Assert SSH key env vars [step output]
-        if: ${{ !matrix.export-env }}
-        env:
-          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
-          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
-          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
-          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
-        run: ./tests/assert-ssh-keys-set.sh
-
      - name: Assert test secret values [exported env]
        if: ${{ matrix.export-env }}
-        env:
-          ASSERT_WEBSITE: "false"
        run: ./tests/assert-env-set.sh

-      - name: Assert SSH key env vars [exported env]
-        if: ${{ matrix.export-env }}
-        run: ./tests/assert-ssh-keys-set.sh
-
      - name: Remove secrets [exported env]
        if: ${{ matrix.export-env }}
        uses: ./
@@ -255,72 +271,46 @@ jobs:
        if: ${{ matrix.export-env }}
        run: ./tests/assert-env-unset.sh

-  test-workload-identity:
-    name: Workload Identity (ubuntu-latest, export-env=${{ matrix.export-env }})
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-    strategy:
-      fail-fast: true
-      matrix:
-        export-env: [true, false]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
+      - name: Load secrets (invalid ref - expect failure)
+        id: load_invalid
+        continue-on-error: true
+        uses: ./
+        env:
+          BAD_REF: "op://x"
        with:
-          fetch-depth: 0
-          ref: ${{ inputs.ref }}
+          export-env: true

-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24
-          cache: npm
+      - name: Assert invalid ref failed
+        shell: bash
+        run: ./tests/assert-invalid-ref-failed.sh
+        env:
+          STEP_OUTCOME: ${{ steps.load_invalid.outcome }}

-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build actions
-        run: npm run build:all
-
-      - name: Load secrets
-        id: load_secrets
+      - name: Load secrets by vault ID
+        id: load_secrets_by_vault_id
        uses: ./
        with:
          export-env: ${{ matrix.export-env }}
        env:
-          OP_WORKLOAD_ID: ${{ secrets.OP_WORKLOAD_ID }}
-          OP_ENVIRONMENT_ID: ${{ secrets.OP_ENVIRONMENT_ID }}
-          OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
+          SECRET: op://${{ secrets.VAULT_ID }}/test-secret/password
+          SECRET_IN_SECTION: op://${{ secrets.VAULT_ID }}/test-secret/test-section/password
+          MULTILINE_SECRET: op://${{ secrets.VAULT_ID }}/multiline-secret/notesPlain
+          SECRET_WITH_FILE: op://${{ secrets.VAULT_ID }}/file-secret/test.txt
+          SECRET_WITH_FILE_IN_SECTION: op://${{ secrets.VAULT_ID }}/file-secret/file section/test.txt
+          DOUBLE_SECTION_SECRET: op://${{ secrets.VAULT_ID }}/double-section-secret/test-section/password
+          OP_ENV_FILE: ./tests/.vaultId_env.tpl

-      - name: Assert test secret values [step output]
+      - name: Assert test secret values [vault by ID]
        if: ${{ !matrix.export-env }}
        shell: bash
        env:
-          ANOTHER_TEST: ${{ steps.load_secrets.outputs.ANOTHER_TEST }}
-          SUPER_SECRET: ${{ steps.load_secrets.outputs.SUPER_SECRET }}
-          TEST_SECRET: ${{ steps.load_secrets.outputs.TEST_SECRET }}
-        run: ./tests/assert-workload-identity.sh
-
-      - name: Assert test secret values [exported env]
-        if: ${{ matrix.export-env }}
-        shell: bash
-        run: ./tests/assert-workload-identity.sh
-
-      - name: Remove secrets [exported env]
-        if: ${{ matrix.export-env }}
-        uses: ./
-        with:
-          unset-previous: true
-
-      - name: Assert removed secrets [exported env]
-        if: ${{ matrix.export-env }}
-        shell: bash
-        run: |
-          for var in ANOTHER_TEST SUPER_SECRET TEST_SECRET; do
-            if [ -n "$(printenv "$var")" ]; then
-              echo "Expected secret $var to be unset"
-              exit 1
-            fi
-          done
+          SECRET: ${{ steps.load_secrets_by_vault_id.outputs.SECRET }}
+          SECRET_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_IN_SECTION }}
+          MULTILINE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.MULTILINE_SECRET }}
+          FILE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.FILE_SECRET }}
+          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.FILE_SECRET_IN_SECTION }}
+          FILE_MULTILINE_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.FILE_MULTILINE_SECRET }}
+          SECRET_WITH_FILE: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE }}
+          SECRET_WITH_FILE_IN_SECTION: ${{ steps.load_secrets_by_vault_id.outputs.SECRET_WITH_FILE_IN_SECTION }}
+          DOUBLE_SECTION_SECRET: ${{ steps.load_secrets_by_vault_id.outputs.DOUBLE_SECTION_SECRET }}
+        run: ./tests/assert-env-set.sh
@@ -9,18 +9,18 @@ jobs:
  lint-and-test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5

      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
+        uses: ludeeus/action-shellcheck@2.0.0
        with:
          ignore_paths: >-
            .husky

      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
-          node-version: 24
+          node-version: 20
          cache: npm

      - name: Install dependencies
@@ -15,7 +15,7 @@ jobs:
    if: ${{ github.event.issue.pull_request }}
    steps:
      - name: Slash Command Dispatch
-        uses: peter-evans/slash-command-dispatch@9bdcd7914ec1b75590b790b844aa3b8eee7c683a # v5
+        uses: peter-evans/slash-command-dispatch@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          reaction-token: ${{ secrets.GITHUB_TOKEN }}
@@ -10,4 +10,4 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check signed commits in PR
-        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+        uses: 1Password/check-signed-commits-action@v1
@@ -65,7 +65,7 @@ jobs:
              echo "condition=skip" >> $GITHUB_OUTPUT
              echo "Setting condition=skip (sha does not match or empty)"
            fi
-          elif [ "${{ github.event_name }}" == "push" ] && [ "${REF_NAME}" == "main" ]; then
+          elif [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref_name }}" == "main" ]; then
            echo "condition=push-to-main" >> $GITHUB_OUTPUT
            echo "Setting condition=push-to-main (push to main)"
            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
@@ -75,8 +75,6 @@ jobs:
            echo "Setting condition=skip (unknown event type: ${{ github.event_name }})"
          fi

-        env:
-          REF_NAME: ${{ github.ref_name }}
  e2e:
    needs: check-external-pr
    if: |
@@ -92,10 +90,8 @@ jobs:
      OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
      OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-      OP_WORKLOAD_ID: ${{ secrets.OP_WORKLOAD_ID }}
-      OP_ENVIRONMENT_ID: ${{ secrets.OP_ENVIRONMENT_ID }}
-      OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
      VAULT: ${{ secrets.VAULT }}
+      VAULT_ID: ${{ secrets.VAULT_ID }}

  # Post comment on fork PRs after /ok-to-test
  comment-pr:
@@ -110,7 +106,7 @@ jobs:
        run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT

      - name: Create comment on PR
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
+        uses: peter-evans/create-or-update-comment@v5
        with:
          issue-number: ${{ github.event.client_payload.pull_request.number }}
          body: |
@@ -17,8 +17,6 @@ Specify in your workflow YAML file which secrets from 1Password should be loaded

 Read more on the [1Password Developer Portal](https://developer.1password.com/docs/ci-cd/github-actions).

-_This project is licensed under [MIT](./LICENSE). Use of the 1Password APIs and services accessed through these tools is governed by the [1Password API Terms of Service](https://1password.com/legal/api-sdk-terms-of-service)._
-
 ## 🪄 See it in action!

 [![Using 1Password Service Accounts with GitHub Actions - showcase](https://img.youtube.com/vi/kVBl5iQYgSA/maxresdefault.jpg)](https://www.youtube.com/watch?v=kVBl5iQYgSA "Using 1Password Service Accounts with GitHub Actions")
@@ -37,7 +35,7 @@ jobs:

      - name: Load secret
        id: load_secrets
-        uses: 1password/load-secrets-action@v4
+        uses: 1password/load-secrets-action@v3
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret
@@ -59,7 +57,7 @@ jobs:
      - uses: actions/checkout@v4

      - name: Load secret
-        uses: 1password/load-secrets-action@v4
+        uses: 1password/load-secrets-action@v3
        with:
          # Export loaded secrets as environment variables
          export-env: true
@@ -79,43 +77,14 @@ When loading SSH keys, you can specify the format using the `ssh-format` query p

 ```yml
 - name: Load SSH key
-  uses: 1password/load-secrets-action@v4
+  uses: 1password/load-secrets-action@v3
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    # Load SSH private key in OpenSSH format
    SSH_PRIVATE_KEY: op://vault/item/private key?ssh-format=openssh
 ```

-For more details on secret reference syntax, see the [1Password CLI documentation](https://developer.1password.com/docs/cli/secret-reference-syntax/#ssh-format-parameter).
-
-## 🧪 Workload Identity (private beta)
-
-> [!NOTE]
-> Workload Identity is in **private beta**. It's available to invited participants only. [Contact 1Password](https://developer.1password.com/joinslack) if you're interested in joining the beta.
-
-Instead of a Service Account token or Connect credentials, you can authenticate using Workload Identity, which exchanges your GitHub Actions OIDC token for short-lived 1Password access. To use it, set all three of the following environment variables (and do not set the Service Account token or the Connect variables):
-
-```yml
-on: push
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write # required for the action to request a GitHub OIDC token
-      contents: read
-    steps:
-      - name: Load secret
-        id: load_secrets
-        uses: 1password/load-secrets-action@v5beta
-        env:
-          OP_WORKLOAD_ID: ${{ vars.OP_WORKLOAD_ID }}
-          OP_ENVIRONMENT_ID: ${{ vars.OP_ENVIRONMENT_ID }}
-          OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
-```
-
-Unlike the Service Account and Connect flows, you don't select secrets with individual `op://` references. Instead, **all variables defined in the configured 1Password environment are loaded** and each one is exported as an environment variable (or set as a step output). Scope your environment to only the variables you want available to the job.
-
-If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
+For more details on secret reference syntax, see the [1Password documentation](https://developer.1password.com/docs/cli/secret-reference-syntax/#ssh-format-parameter).

 ## 💙 Community & Support

@@ -11,9 +11,10 @@ inputs:
  export-env:
    description: Export the secrets as environment variables
    default: "false"
+    # Backward-compatible no-op input (intentionally ignored)
  version:
-    description: Specify which 1Password CLI version to install. Defaults to "latest".
+    description: "(Deprecated) No longer used. Kept for backwards compatibility."
    default: "latest"
 runs:
-  using: "node24"
+  using: "node20"
  main: "dist/index.js"
@@ -10,12 +10,6 @@ const jestConfig = {
 	rootDir: "../src/",
 	testEnvironment: "node",
 	testRegex: "(/__tests__/.*|(\\.|/)test)\\.ts",
-	moduleNameMapper: {
-		"^@actions/core$": "<rootDir>/__mocks__/actions-core.ts",
-		"^@actions/tool-cache$": "<rootDir>/__mocks__/actions-tool-cache.ts",
-		"^@actions/exec$": "<rootDir>/__mocks__/actions-exec.ts",
-		"^@1password/sdk$": "<rootDir>/__mocks__/1password-sdk.ts",
-	},
 	transform: {
 		".ts": [
 			"ts-jest",
@@ -31,4 +25,4 @@ const jestConfig = {
 	verbose: true,
 };

-module.exports = jestConfig;
+export default jestConfig;
@@ -9,5 +9,5 @@ inputs:
  service-account-token:
    description: Your 1Password service account token
 runs:
-  using: "node24"
+  using: "node20"
  main: "dist/index.js"
@@ -1,4 +1,4 @@
-import * as core from "@actions/core";
+const core = require("@actions/core");

 const configure = () => {
 	const OP_CONNECT_HOST =
@@ -17,7 +17,8 @@ This document explains how to run e2e tests locally using `act`.
 | Secret                     | Description           |
 | -------------------------- | --------------------- |
 | `OP_SERVICE_ACCOUNT_TOKEN` | Service Account token |
-| `VAULT`                    | Vault name or UUID    |
+| `VAULT`                    | Vault name            |
+| `VAULT_ID`                 | Vault UUID            |

 ## Building Before Testing

@@ -1,19 +1,19 @@
 {
 	"name": "load-secrets-action",
-	"version": "5.0.0-beta.1",
+	"version": "3.1.0",
 	"lockfileVersion": 3,
 	"requires": true,
 	"packages": {
 		"": {
 			"name": "load-secrets-action",
-			"version": "5.0.0-beta.1",
+			"version": "3.1.0",
 			"license": "MIT",
 			"dependencies": {
-				"@1password/op-js": "^0.1.11",
-				"@1password/sdk": "0.5.0-beta.1",
-				"@actions/core": "^3.0.0",
-				"@actions/exec": "^3.0.0",
-				"@actions/tool-cache": "^4.0.0",
+				"@1password/connect": "^1.4.2",
+				"@1password/sdk": "^0.4.0",
+				"@actions/core": "^1.10.1",
+				"@actions/exec": "^1.1.1",
+				"@actions/tool-cache": "^2.0.2",
 				"dotenv": "^17.2.2"
 			},
 			"devDependencies": {
@@ -29,6 +29,19 @@
 				"typescript": "^5.4.2"
 			}
 		},
+		"node_modules/@1password/connect": {
+			"version": "1.4.2",
+			"resolved": "https://registry.npmjs.org/@1password/connect/-/connect-1.4.2.tgz",
+			"integrity": "sha512-CxcDQIr76nloWwGWRrmz/U7DuU65WKrN/yarq45LrC3L6b/pC7bZyskvougadG32fRwBieLJX143lTI8T1bAtQ==",
+			"license": "MIT",
+			"dependencies": {
+				"axios": "^1.10.0",
+				"debug": "^4.4.1",
+				"lodash.clonedeep": "^4.5.0",
+				"slugify": "^1.6.6",
+				"uuid": "^9.0.1"
+			}
+		},
 		"node_modules/@1password/eslint-config": {
 			"version": "4.3.1",
 			"resolved": "https://registry.npmjs.org/@1password/eslint-config/-/eslint-config-4.3.1.tgz",
@@ -53,16 +66,6 @@
 				"typescript": "^5.0.0"
 			}
 		},
-		"node_modules/@1password/op-js": {
-			"version": "0.1.13",
-			"resolved": "https://registry.npmjs.org/@1password/op-js/-/op-js-0.1.13.tgz",
-			"integrity": "sha512-ZZBLxVqywFdvIbLv2xWw2N1ImSi183rRKf90vV19KRMReNyLwuD0dv6IrKrIdrJU33IuV3Gz85Z4K2a1PJTBDg==",
-			"license": "MIT",
-			"dependencies": {
-				"lookpath": "^1.2.2",
-				"semver": "^7.6.2"
-			}
-		},
 		"node_modules/@1password/prettier-config": {
 			"version": "1.2.0",
 			"resolved": "https://registry.npmjs.org/@1password/prettier-config/-/prettier-config-1.2.0.tgz",
@@ -74,64 +77,73 @@
 			}
 		},
 		"node_modules/@1password/sdk": {
-			"version": "0.5.0-beta.1",
-			"resolved": "https://registry.npmjs.org/@1password/sdk/-/sdk-0.5.0-beta.1.tgz",
-			"integrity": "sha512-GY1kcn86qkb39jt20AyOftEu5Tw/Kyq4f84GOHXKRjur4TvqvzdhapynBBosRcBL+kBrc+E8cx7Tp7GEfqAomw==",
+			"version": "0.4.0",
+			"resolved": "https://registry.npmjs.org/@1password/sdk/-/sdk-0.4.0.tgz",
+			"integrity": "sha512-RIypujc9R/UeUaobjyClTYokqRFpcaIkHq+EO/X9XoHId98Vg+SbjwGV+yygRC4MyHwYNo1KP1iEbZcqJ4ZTdw==",
 			"license": "MIT",
 			"dependencies": {
-				"@1password/sdk-core": "0.5.0-beta.1"
+				"@1password/sdk-core": "0.4.0"
 			}
 		},
 		"node_modules/@1password/sdk-core": {
-			"version": "0.5.0-beta.1",
-			"resolved": "https://registry.npmjs.org/@1password/sdk-core/-/sdk-core-0.5.0-beta.1.tgz",
-			"integrity": "sha512-61Q2n0kKYXBVAbW5ZVFqtbK1KX3lUfFi8wdsv+UjIVtbFd+X1GpFbLFs+nPtPgX+Z7oc2tTN/czK0S9Cz4oF/A==",
+			"version": "0.4.0",
+			"resolved": "https://registry.npmjs.org/@1password/sdk-core/-/sdk-core-0.4.0.tgz",
+			"integrity": "sha512-vjeI1o4wiONY+t1naA4dtUp6HktdLH1D2S+tN1Lh4l41S9XIUHxrljov9B5u6G+VHr7f2MUoxmzXA9zT3aokQQ==",
 			"license": "MIT"
 		},
 		"node_modules/@actions/core": {
-			"version": "3.0.0",
-			"resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.0.tgz",
-			"integrity": "sha512-zYt6cz+ivnTmiT/ksRVriMBOiuoUpDCJJlZ5KPl2/FRdvwU3f7MPh9qftvbkXJThragzUZieit2nyHUyw53Seg==",
+			"version": "1.11.1",
+			"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
+			"integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
 			"license": "MIT",
 			"dependencies": {
-				"@actions/exec": "^3.0.0",
-				"@actions/http-client": "^4.0.0"
+				"@actions/exec": "^1.1.1",
+				"@actions/http-client": "^2.0.1"
 			}
 		},
 		"node_modules/@actions/exec": {
-			"version": "3.0.0",
-			"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
-			"integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
+			"version": "1.1.1",
+			"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
+			"integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+			"license": "MIT",
 			"dependencies": {
-				"@actions/io": "^3.0.2"
+				"@actions/io": "^1.0.1"
 			}
 		},
 		"node_modules/@actions/http-client": {
-			"version": "4.0.0",
-			"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.0.tgz",
-			"integrity": "sha512-QuwPsgVMsD6qaPD57GLZi9sqzAZCtiJT8kVBCDpLtxhL5MydQ4gS+DrejtZZPdIYyB1e95uCK9Luyds7ybHI3g==",
+			"version": "2.2.3",
+			"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
+			"integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
 			"license": "MIT",
 			"dependencies": {
 				"tunnel": "^0.0.6",
-				"undici": "^6.23.0"
+				"undici": "^5.25.4"
 			}
 		},
 		"node_modules/@actions/io": {
-			"version": "3.0.2",
-			"resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
-			"integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw=="
+			"version": "1.1.3",
+			"resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
+			"integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==",
+			"license": "MIT"
 		},
 		"node_modules/@actions/tool-cache": {
-			"version": "4.0.0",
-			"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-4.0.0.tgz",
-			"integrity": "sha512-L8P9HbXvpvqjZDveb/fdsa55IVC0trfPgQ4ZwGo6r5af6YDVdM9vMGPZ7rgY2fAT9gGj4PSYd6bYlg3p3jD78A==",
-			"license": "MIT",
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.2.tgz",
+			"integrity": "sha512-fBhNNOWxuoLxztQebpOaWu6WeVmuwa77Z+DxIZ1B+OYvGkGQon6kTVg6Z32Cb13WCuw0szqonK+hh03mJV7Z6w==",
 			"dependencies": {
-				"@actions/core": "^3.0.0",
-				"@actions/exec": "^3.0.0",
-				"@actions/http-client": "^4.0.0",
-				"@actions/io": "^3.0.0",
-				"semver": "^7.7.3"
+				"@actions/core": "^1.11.1",
+				"@actions/exec": "^1.0.0",
+				"@actions/http-client": "^2.0.1",
+				"@actions/io": "^1.1.1",
+				"semver": "^6.1.0"
+			}
+		},
+		"node_modules/@actions/tool-cache/node_modules/semver": {
+			"version": "6.3.1",
+			"resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+			"integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+			"bin": {
+				"semver": "bin/semver.js"
 			}
 		},
 		"node_modules/@ampproject/remapping": {
@@ -766,6 +778,15 @@
 				"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
 			}
 		},
+		"node_modules/@fastify/busboy": {
+			"version": "2.1.1",
+			"resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
+			"integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=14"
+			}
+		},
 		"node_modules/@humanwhocodes/config-array": {
 			"version": "0.13.0",
 			"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.13.0.tgz",
@@ -1572,6 +1593,32 @@
 				}
 			}
 		},
+		"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"balanced-match": "^1.0.0"
+			}
+		},
+		"node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
+			"version": "9.0.3",
+			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
+			"integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"brace-expansion": "^2.0.1"
+			},
+			"engines": {
+				"node": ">=16 || 14 >=14.17"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/isaacs"
+			}
+		},
 		"node_modules/@typescript-eslint/utils": {
 			"version": "6.21.0",
 			"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.21.0.tgz",
@@ -1660,10 +1707,11 @@
 			}
 		},
 		"node_modules/ajv": {
-			"version": "6.14.0",
-			"resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
-			"integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
+			"version": "6.12.6",
+			"resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
+			"integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
 			"dev": true,
+			"license": "MIT",
 			"peer": true,
 			"dependencies": {
 				"fast-deep-equal": "^3.1.1",
@@ -1935,6 +1983,12 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/asynckit": {
+			"version": "0.4.0",
+			"resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
+			"integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==",
+			"license": "MIT"
+		},
 		"node_modules/available-typed-arrays": {
 			"version": "1.0.7",
 			"resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.7.tgz",
@@ -1961,6 +2015,17 @@
 				"node": ">=4"
 			}
 		},
+		"node_modules/axios": {
+			"version": "1.13.5",
+			"resolved": "https://registry.npmjs.org/axios/-/axios-1.13.5.tgz",
+			"integrity": "sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==",
+			"license": "MIT",
+			"dependencies": {
+				"follow-redirects": "^1.15.11",
+				"form-data": "^4.0.5",
+				"proxy-from-env": "^1.1.0"
+			}
+		},
 		"node_modules/axobject-query": {
 			"version": "4.1.0",
 			"resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-4.1.0.tgz",
@@ -2105,13 +2170,14 @@
 			"license": "MIT"
 		},
 		"node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "1.1.12",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+			"integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
 			"dev": true,
 			"license": "MIT",
 			"dependencies": {
-				"balanced-match": "^1.0.0"
+				"balanced-match": "^1.0.0",
+				"concat-map": "0.0.1"
 			}
 		},
 		"node_modules/braces": {
@@ -2226,7 +2292,6 @@
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.1.tgz",
 			"integrity": "sha512-BhYE+WDaywFg2TBWYNXAE+8B1ATnThNBqXHP5nQu0jWJdVvY2hvkpyB3qOmtmDePiS5/BDQ8wASEWGMWRG148g==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"es-errors": "^1.3.0",
@@ -2471,6 +2536,18 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/combined-stream": {
+			"version": "1.0.8",
+			"resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
+			"integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+			"license": "MIT",
+			"dependencies": {
+				"delayed-stream": "~1.0.0"
+			},
+			"engines": {
+				"node": ">= 0.8"
+			}
+		},
 		"node_modules/commander": {
 			"version": "12.1.0",
 			"resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz",
@@ -2491,6 +2568,13 @@
 				"node": ">= 12.0.0"
 			}
 		},
+		"node_modules/concat-map": {
+			"version": "0.0.1",
+			"resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+			"integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/convert-source-map": {
 			"version": "2.0.0",
 			"resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
@@ -2597,10 +2681,9 @@
 			}
 		},
 		"node_modules/debug": {
-			"version": "4.4.0",
-			"resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
-			"integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
-			"dev": true,
+			"version": "4.4.3",
+			"resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+			"integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
 			"license": "MIT",
 			"dependencies": {
 				"ms": "^2.1.3"
@@ -2683,6 +2766,15 @@
 				"url": "https://github.com/sponsors/ljharb"
 			}
 		},
+		"node_modules/delayed-stream": {
+			"version": "1.0.0",
+			"resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
+			"integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=0.4.0"
+			}
+		},
 		"node_modules/detect-newline": {
 			"version": "3.1.0",
 			"resolved": "https://registry.npmjs.org/detect-newline/-/detect-newline-3.1.0.tgz",
@@ -2746,7 +2838,6 @@
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
 			"integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"call-bind-apply-helpers": "^1.0.1",
@@ -2890,7 +2981,6 @@
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
 			"integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -2900,7 +2990,6 @@
 			"version": "1.3.0",
 			"resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
 			"integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -2937,7 +3026,6 @@
 			"version": "1.0.0",
 			"resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.0.0.tgz",
 			"integrity": "sha512-MZ4iQ6JwHOBQjahnjwaC1ZtIBH+2ohjamzAO3oaHcXYup7qxjF2fixyH+Q71voWHeOkI2q/TnJao/KfXYIZWbw==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"es-errors": "^1.3.0"
@@ -2947,15 +3035,15 @@
 			}
 		},
 		"node_modules/es-set-tostringtag": {
-			"version": "2.0.3",
-			"resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.0.3.tgz",
-			"integrity": "sha512-3T8uNMC3OQTHkFUsFq8r/BwAXLHvU/9O9mE0fBc/MY5iq/8H7ncvO947LmYA6ldWw9Uh8Yhf25zu6n7nML5QWQ==",
-			"dev": true,
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+			"integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
 			"license": "MIT",
 			"dependencies": {
-				"get-intrinsic": "^1.2.4",
+				"es-errors": "^1.3.0",
+				"get-intrinsic": "^1.2.6",
 				"has-tostringtag": "^1.0.2",
-				"hasown": "^2.0.1"
+				"hasown": "^2.0.2"
 			},
 			"engines": {
 				"node": ">= 0.4"
@@ -3714,6 +3802,29 @@
 				"minimatch": "^5.0.1"
 			}
 		},
+		"node_modules/filelist/node_modules/brace-expansion": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"balanced-match": "^1.0.0"
+			}
+		},
+		"node_modules/filelist/node_modules/minimatch": {
+			"version": "5.1.6",
+			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
+			"integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"brace-expansion": "^2.0.1"
+			},
+			"engines": {
+				"node": ">=10"
+			}
+		},
 		"node_modules/fill-range": {
 			"version": "7.1.1",
 			"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
@@ -3758,12 +3869,33 @@
 			}
 		},
 		"node_modules/flatted": {
-			"version": "3.4.2",
-			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
-			"integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+			"version": "3.3.2",
+			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.2.tgz",
+			"integrity": "sha512-AiwGJM8YcNOaobumgtng+6NHuOqC3A7MixFeDafM3X9cIUM+xUXoS5Vfgf+OihAYe20fxqNM9yPBXJzRtZ/4eA==",
 			"dev": true,
+			"license": "ISC",
 			"peer": true
 		},
+		"node_modules/follow-redirects": {
+			"version": "1.15.11",
+			"resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
+			"integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+			"funding": [
+				{
+					"type": "individual",
+					"url": "https://github.com/sponsors/RubenVerborgh"
+				}
+			],
+			"license": "MIT",
+			"engines": {
+				"node": ">=4.0"
+			},
+			"peerDependenciesMeta": {
+				"debug": {
+					"optional": true
+				}
+			}
+		},
 		"node_modules/for-each": {
 			"version": "0.3.3",
 			"resolved": "https://registry.npmjs.org/for-each/-/for-each-0.3.3.tgz",
@@ -3774,6 +3906,22 @@
 				"is-callable": "^1.1.3"
 			}
 		},
+		"node_modules/form-data": {
+			"version": "4.0.5",
+			"resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+			"integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+			"license": "MIT",
+			"dependencies": {
+				"asynckit": "^0.4.0",
+				"combined-stream": "^1.0.8",
+				"es-set-tostringtag": "^2.1.0",
+				"hasown": "^2.0.2",
+				"mime-types": "^2.1.12"
+			},
+			"engines": {
+				"node": ">= 6"
+			}
+		},
 		"node_modules/fs.realpath": {
 			"version": "1.0.0",
 			"resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
@@ -3800,7 +3948,6 @@
 			"version": "1.1.2",
 			"resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
 			"integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
-			"dev": true,
 			"license": "MIT",
 			"funding": {
 				"url": "https://github.com/sponsors/ljharb"
@@ -3873,7 +4020,6 @@
 			"version": "1.2.6",
 			"resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.6.tgz",
 			"integrity": "sha512-qxsEs+9A+u85HhllWJJFicJfPDhRmjzoYdl64aMWW9yRIJmSyxdn8IEkuIM530/7T+lv0TIHd8L6Q/ra0tEoeA==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"call-bind-apply-helpers": "^1.0.1",
@@ -4030,7 +4176,6 @@
 			"version": "1.2.0",
 			"resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
 			"integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -4116,7 +4261,6 @@
 			"version": "1.1.0",
 			"resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
 			"integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -4129,7 +4273,6 @@
 			"version": "1.0.2",
 			"resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
 			"integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"has-symbols": "^1.0.3"
@@ -4145,7 +4288,6 @@
 			"version": "2.0.2",
 			"resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
 			"integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
-			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"function-bind": "^1.1.2"
@@ -5876,6 +6018,12 @@
 				"node": ">=8"
 			}
 		},
+		"node_modules/lodash.clonedeep": {
+			"version": "4.5.0",
+			"resolved": "https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz",
+			"integrity": "sha512-H5ZhCF25riFd9uB5UCkVKo61m3S/xZk1x4wA6yp/L3RFP6Z/eHH1ymQcGLo7J3GMPfm0V/7m1tryHuGVxpqEBQ==",
+			"license": "MIT"
+		},
 		"node_modules/lodash.memoize": {
 			"version": "4.1.2",
 			"resolved": "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-4.1.2.tgz",
@@ -6002,18 +6150,6 @@
 				"url": "https://github.com/chalk/strip-ansi?sponsor=1"
 			}
 		},
-		"node_modules/lookpath": {
-			"version": "1.2.2",
-			"resolved": "https://registry.npmjs.org/lookpath/-/lookpath-1.2.2.tgz",
-			"integrity": "sha512-k2Gmn8iV6qdME3ztZC2spubmQISimFOPLuQKiPaLcVdRz0IpdxrNClVepMlyTJlhodm/zG/VfbkWERm3kUIh+Q==",
-			"license": "MIT",
-			"bin": {
-				"lookpath": "bin/lookpath.js"
-			},
-			"engines": {
-				"npm": ">=6.13.4"
-			}
-		},
 		"node_modules/loose-envify": {
 			"version": "1.4.0",
 			"resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz",
@@ -6074,7 +6210,6 @@
 			"version": "1.0.0",
 			"resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.0.0.tgz",
 			"integrity": "sha512-4MqMiKP90ybymYvsut0CH2g4XWbfLtmlCkXmtmdcDCxNB+mQcu1w/1+L/VD7vi/PSv7X2JYV7SCcR+jiPXnQtA==",
-			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">= 0.4"
@@ -6111,6 +6246,27 @@
 				"node": ">=8.6"
 			}
 		},
+		"node_modules/mime-db": {
+			"version": "1.52.0",
+			"resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+			"integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+			"license": "MIT",
+			"engines": {
+				"node": ">= 0.6"
+			}
+		},
+		"node_modules/mime-types": {
+			"version": "2.1.35",
+			"resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+			"integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+			"license": "MIT",
+			"dependencies": {
+				"mime-db": "1.52.0"
+			},
+			"engines": {
+				"node": ">= 0.6"
+			}
+		},
 		"node_modules/mimic-fn": {
 			"version": "2.1.0",
 			"resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-2.1.0.tgz",
@@ -6135,19 +6291,16 @@
 			}
 		},
 		"node_modules/minimatch": {
-			"version": "9.0.9",
-			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
-			"integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
+			"version": "3.1.2",
+			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+			"integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
 			"dev": true,
 			"license": "ISC",
 			"dependencies": {
-				"brace-expansion": "^2.0.2"
+				"brace-expansion": "^1.1.7"
 			},
 			"engines": {
-				"node": ">=16 || 14 >=14.17"
-			},
-			"funding": {
-				"url": "https://github.com/sponsors/isaacs"
+				"node": "*"
 			}
 		},
 		"node_modules/minimist": {
@@ -6164,7 +6317,6 @@
 			"version": "2.1.3",
 			"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
 			"integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-			"dev": true,
 			"license": "MIT"
 		},
 		"node_modules/natural-compare": {
@@ -6650,6 +6802,12 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/proxy-from-env": {
+			"version": "1.1.0",
+			"resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
+			"integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==",
+			"license": "MIT"
+		},
 		"node_modules/punycode": {
 			"version": "2.3.1",
 			"resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
@@ -6965,9 +7123,10 @@
 			}
 		},
 		"node_modules/semver": {
-			"version": "7.7.4",
-			"resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
-			"integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
+			"version": "7.6.3",
+			"resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
+			"integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
+			"dev": true,
 			"license": "ISC",
 			"bin": {
 				"semver": "bin/semver.js"
@@ -7163,6 +7322,15 @@
 				"url": "https://github.com/chalk/ansi-styles?sponsor=1"
 			}
 		},
+		"node_modules/slugify": {
+			"version": "1.6.6",
+			"resolved": "https://registry.npmjs.org/slugify/-/slugify-1.6.6.tgz",
+			"integrity": "sha512-h+z7HKHYXj6wJU+AnS/+IH8Uh9fdcX1Lrhg1/VMdf9PwoBQXFcXiAdsy2tSK0P6gKwJLXp02r90ahUCqHk9rrw==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=8.0.0"
+			}
+		},
 		"node_modules/source-map": {
 			"version": "0.6.1",
 			"resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
@@ -7834,11 +8002,15 @@
 			}
 		},
 		"node_modules/undici": {
-			"version": "6.24.1",
-			"resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
-			"integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
+			"version": "5.29.0",
+			"resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
+			"integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
+			"license": "MIT",
+			"dependencies": {
+				"@fastify/busboy": "^2.0.0"
+			},
 			"engines": {
-				"node": ">=18.17"
+				"node": ">=14.0"
 			}
 		},
 		"node_modules/undici-types": {
@@ -7890,6 +8062,19 @@
 				"punycode": "^2.1.0"
 			}
 		},
+		"node_modules/uuid": {
+			"version": "9.0.1",
+			"resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
+			"integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+			"funding": [
+				"https://github.com/sponsors/broofa",
+				"https://github.com/sponsors/ctavan"
+			],
+			"license": "MIT",
+			"bin": {
+				"uuid": "dist/bin/uuid"
+			}
+		},
 		"node_modules/v8-to-istanbul": {
 			"version": "9.3.0",
 			"resolved": "https://registry.npmjs.org/v8-to-istanbul/-/v8-to-istanbul-9.3.0.tgz",
@@ -1,6 +1,6 @@
 {
 	"name": "load-secrets-action",
-	"version": "5.0.0-beta.1",
+	"version": "3.1.0",
 	"description": "Load Secrets from 1Password",
 	"main": "dist/index.js",
 	"directories": {
@@ -40,16 +40,13 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
-		"@1password/sdk": "0.5.0-beta.1",
-		"@1password/op-js": "^0.1.11",
-		"@actions/core": "^3.0.0",
-		"@actions/exec": "^3.0.0",
-		"@actions/tool-cache": "^4.0.0",
+		"@1password/sdk": "^0.4.0",
+		"@1password/connect": "^1.4.2",
+		"@actions/core": "^1.10.1",
+		"@actions/exec": "^1.1.1",
+		"@actions/tool-cache": "^2.0.2",
 		"dotenv": "^17.2.2"
 	},
-	"overrides": {
-		"minimatch": "^9.0.7"
-	},
 	"devDependencies": {
 		"@1password/eslint-config": "^4.3.1",
 		"@1password/prettier-config": "^1.2.0",
@@ -1 +0,0 @@
-export const createClient = jest.fn();
@@ -1,16 +0,0 @@
-module.exports = {
-	getInput: jest.fn(() => ""),
-	getBooleanInput: jest.fn(() => false),
-	setOutput: jest.fn(),
-	setSecret: jest.fn(),
-	exportVariable: jest.fn(),
-	setFailed: jest.fn(),
-	info: jest.fn(),
-	warning: jest.fn(),
-	error: jest.fn(),
-	debug: jest.fn(),
-	addPath: jest.fn(),
-	isDebug: jest.fn(() => false),
-	// eslint-disable-next-line @typescript-eslint/naming-convention
-	getIDToken: jest.fn().mockResolvedValue("mock-oidc-token"),
-};
@@ -1,5 +0,0 @@
-module.exports = {
-	getExecOutput: jest.fn(() => ({
-		stdout: "MOCK_SECRET",
-	})),
-};
@@ -1,10 +0,0 @@
-module.exports = {
-	downloadTool: jest.fn(),
-	extractTar: jest.fn(),
-	extractZip: jest.fn(),
-	cacheDir: jest.fn<Promise<string>, [string]>(async (dir) => {
-		await Promise.resolve();
-		return dir;
-	}),
-	find: jest.fn<string, [string, string?, string?]>(() => ""),
-};
@@ -3,8 +3,5 @@ export const envConnectToken = "OP_CONNECT_TOKEN";
 export const envServiceAccountToken = "OP_SERVICE_ACCOUNT_TOKEN";
 export const envManagedVariables = "OP_MANAGED_VARIABLES";
 export const envFilePath = "OP_ENV_FILE";
-export const envWorkloadId = "OP_WORKLOAD_ID";
-export const envEnvironmentId = "OP_ENVIRONMENT_ID";
-export const envIntegrationKey = "OP_INTEGRATION_KEY";

 export const authErr = `Authentication error with environment variables: you must set either 1) ${envServiceAccountToken}, or 2) both ${envConnectHost} and ${envConnectToken}.`;
@@ -1,15 +1,6 @@
 import dotenv from "dotenv";
 import * as core from "@actions/core";
-import { validateCli } from "@1password/op-js";
-import { installCliOnGithubActionRunner } from "./op-cli-installer";
-import {
-	getWorkloadIdentityConfig,
-	hasCliAuth,
-	loadSecrets,
-	unsetPrevious,
-	validateAuth,
-} from "./utils";
-import { loadSecretsFromSDK } from "./sdk-client";
+import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
 import { envFilePath } from "./constants";

 const loadSecretsAction = async () => {
@@ -23,42 +14,18 @@ const loadSecretsAction = async () => {
 			unsetPrevious();
 		}

-		const workloadConfig = getWorkloadIdentityConfig();
+		// Validate that a proper authentication configuration is set (Connect or service account)
+		validateAuth();

-		// `unset-previous` can run with no credentials present: Workload Identity creds
-		// are inline per-step and intentionally not persisted (persisting them would make
-		// every later step re-load all variables). Nothing to auth or load, we're done.
-		if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
-			core.info(
-				"No authentication configured; unset previously managed variables. No secrets were loaded.",
-			);
-			return;
+		// Set environment variables from OP_ENV_FILE
+		const file = process.env[envFilePath];
+		if (file) {
+			core.info(`Loading environment variables from file: ${file}`);
+			dotenv.config({ path: file });
 		}

-		if (workloadConfig) {
-			await loadSecretsFromSDK(
-				workloadConfig.workloadId,
-				workloadConfig.environmentId,
-				workloadConfig.integrationKey,
-				shouldExportEnv,
-			);
-		} else {
-			// Validate that a proper authentication configuration is set for the CLI
-			validateAuth();
-
-			// Set environment variables from OP_ENV_FILE
-			const file = process.env[envFilePath];
-			if (file) {
-				core.info(`Loading environment variables from file: ${file}`);
-				dotenv.config({ path: file });
-			}
-
-			// Download and install the CLI
-			await installCLI();
-
-			// Load secrets
-			await loadSecrets(shouldExportEnv);
-		}
+		// Load secrets
+		await loadSecrets(shouldExportEnv);
 	} catch (error) {
 		// It's possible for the Error constructor to be modified to be anything
 		// in JavaScript, so the following code accounts for this possibility.
@@ -67,22 +34,10 @@ const loadSecretsAction = async () => {
 		if (error instanceof Error) {
 			message = error.message;
 		} else {
-			String(error);
+			message = String(error);
 		}
 		core.setFailed(message);
 	}
 };

-// This function's name is an exception from the naming convention
-// since we refer to the 1Password CLI here.
-// eslint-disable-next-line @typescript-eslint/naming-convention
-const installCLI = async (): Promise<void> => {
-	// validateCli checks if there's an existing 1Password CLI installed on the runner.
-	// If there's no CLI installed, then validateCli will throw an error, which we will use
-	// as an indicator that we need to execute the installation script.
-	await validateCli().catch(async () => {
-		await installCliOnGithubActionRunner();
-	});
-};
-
 void loadSecretsAction();
@@ -1,58 +0,0 @@
-import os from "os";
-
-import * as core from "@actions/core";
-import * as tc from "@actions/tool-cache";
-
-export type SupportedPlatform = Extract<
-	NodeJS.Platform,
-	"linux" | "darwin" | "win32"
->;
-
-// maps OS architecture names to 1Password CLI installer architecture names
-export const archMap: Record<string, string> = {
-	ia32: "386",
-	x64: "amd64",
-	arm: "arm",
-	arm64: "arm64",
-};
-
-// Builds the download URL for the 1Password CLI based on the platform and version.
-export const cliUrlBuilder: Record<
-	SupportedPlatform,
-	(version: string, arch?: string) => string
-> = {
-	linux: (version, arch) =>
-		`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_linux_${arch}_${version}.zip`,
-	darwin: (version) =>
-		`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_apple_universal_${version}.pkg`,
-	win32: (version, arch) =>
-		`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_windows_${arch}_${version}.zip`,
-};
-
-export class CliInstaller {
-	public readonly version: string;
-	public readonly arch: string;
-
-	public constructor(version: string) {
-		this.version = version;
-		this.arch = this.getArch();
-	}
-
-	public async install(url: string): Promise<void> {
-		console.info(`Downloading 1Password CLI from: ${url}`);
-		const downloadPath = await tc.downloadTool(url);
-		console.info("Installing 1Password CLI");
-		const extractedPath = await tc.extractZip(downloadPath);
-		core.addPath(extractedPath);
-		core.info("1Password CLI installed");
-	}
-
-	private getArch(): string {
-		const arch = archMap[os.arch()];
-		if (!arch) {
-			throw new Error("Unsupported architecture");
-		}
-
-		return arch;
-	}
-}
@@ -1 +0,0 @@
-export { type Installer, newCliInstaller } from "./installer";
@@ -1,43 +0,0 @@
-import os from "os";
-
-import { newCliInstaller } from "./installer";
-import { LinuxInstaller } from "./linux";
-import { MacOsInstaller } from "./macos";
-import { WindowsInstaller } from "./windows";
-
-afterEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("newCliInstaller", () => {
-	const version = "1.0.0";
-
-	afterEach(() => {
-		jest.resetAllMocks();
-	});
-
-	it("should return LinuxInstaller for linux platform", () => {
-		jest.spyOn(os, "platform").mockReturnValue("linux");
-		const installer = newCliInstaller(version);
-		expect(installer).toBeInstanceOf(LinuxInstaller);
-	});
-
-	it("should return MacOsInstaller for darwin platform", () => {
-		jest.spyOn(os, "platform").mockReturnValue("darwin");
-		const installer = newCliInstaller(version);
-		expect(installer).toBeInstanceOf(MacOsInstaller);
-	});
-
-	it("should return WindowsInstaller for win32 platform", () => {
-		jest.spyOn(os, "platform").mockReturnValue("win32");
-		const installer = newCliInstaller(version);
-		expect(installer).toBeInstanceOf(WindowsInstaller);
-	});
-
-	it("should throw error for unsupported platform", () => {
-		jest.spyOn(os, "platform").mockReturnValue("sunos");
-		expect(() => newCliInstaller(version)).toThrow(
-			"Unsupported platform: sunos",
-		);
-	});
-});
@@ -1,23 +0,0 @@
-import os from "os";
-
-import { LinuxInstaller } from "./linux";
-import { MacOsInstaller } from "./macos";
-import { WindowsInstaller } from "./windows";
-
-export interface Installer {
-	installCli(): Promise<void>;
-}
-
-export const newCliInstaller = (version: string): Installer => {
-	const platform = os.platform();
-	switch (platform) {
-		case "linux":
-			return new LinuxInstaller(version);
-		case "darwin":
-			return new MacOsInstaller(version);
-		case "win32":
-			return new WindowsInstaller(version);
-		default:
-			throw new Error(`Unsupported platform: ${platform}`);
-	}
-};
@@ -1,38 +0,0 @@
-import os from "os";
-
-import {
-	archMap,
-	CliInstaller,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import { LinuxInstaller } from "./linux";
-
-afterEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("LinuxInstaller", () => {
-	const version = "1.2.3";
-	const arch: NodeJS.Architecture = "arm64";
-
-	it("should construct with given version and architecture", () => {
-		jest.spyOn(os, "arch").mockReturnValue(arch);
-		const installer = new LinuxInstaller(version);
-		expect(installer.version).toEqual(version);
-		expect(installer.arch).toEqual(archMap[arch]);
-	});
-
-	it("should call install with correct URL", async () => {
-		const installer = new LinuxInstaller(version);
-		const installMock = jest
-			.spyOn(CliInstaller.prototype, "install")
-			.mockResolvedValue();
-
-		await installer.installCli();
-
-		const builder = cliUrlBuilder["linux" as SupportedPlatform];
-		const url = builder(version, installer.arch);
-		expect(installMock).toHaveBeenCalledWith(url);
-	});
-});
@@ -1,19 +0,0 @@
-import {
-	CliInstaller,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import type { Installer } from "./installer";
-
-export class LinuxInstaller extends CliInstaller implements Installer {
-	private readonly platform: SupportedPlatform = "linux"; // Node.js platform identifier for Linux
-
-	public constructor(version: string) {
-		super(version);
-	}
-
-	public async installCli(): Promise<void> {
-		const urlBuilder = cliUrlBuilder[this.platform];
-		await super.install(urlBuilder(this.version, this.arch));
-	}
-}
@@ -1,35 +0,0 @@
-import os from "os";
-
-import {
-	archMap,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import { MacOsInstaller } from "./macos";
-
-afterEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("MacOsInstaller", () => {
-	const version = "1.2.3";
-	const arch: NodeJS.Architecture = "x64";
-
-	it("should construct with given version and architecture", () => {
-		jest.spyOn(os, "arch").mockReturnValue(arch);
-		const installer = new MacOsInstaller(version);
-		expect(installer.version).toEqual(version);
-		expect(installer.arch).toEqual(archMap[arch]);
-	});
-
-	it("should call install with correct URL", async () => {
-		const installer = new MacOsInstaller(version);
-		const installMock = jest.spyOn(installer, "install").mockResolvedValue();
-
-		await installer.installCli();
-
-		const builder = cliUrlBuilder["darwin" as SupportedPlatform];
-		const url = builder(version, installer.arch);
-		expect(installMock).toHaveBeenCalledWith(url);
-	});
-});
@@ -1,49 +0,0 @@
-import { execFile } from "child_process";
-import * as fs from "fs";
-import * as path from "path";
-import { promisify } from "util";
-
-import * as core from "@actions/core";
-import * as tc from "@actions/tool-cache";
-
-import {
-	CliInstaller,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import { type Installer } from "./installer";
-
-const execFileAsync = promisify(execFile);
-
-export class MacOsInstaller extends CliInstaller implements Installer {
-	private readonly platform: SupportedPlatform = "darwin"; // Node.js platform identifier for macOS
-
-	public constructor(version: string) {
-		super(version);
-	}
-
-	public async installCli(): Promise<void> {
-		const urlBuilder = cliUrlBuilder[this.platform];
-		await this.install(urlBuilder(this.version));
-	}
-
-	// @actions/tool-cache package does not support .pkg files, so we need to handle the installation manually
-	public override async install(downloadUrl: string): Promise<void> {
-		console.info(`Downloading 1Password CLI from: ${downloadUrl}`);
-		const pkgPath = await tc.downloadTool(downloadUrl);
-		const pkgWithExtension = `${pkgPath}.pkg`;
-		fs.renameSync(pkgPath, pkgWithExtension);
-
-		const expandDir = "temp-pkg";
-		await execFileAsync("pkgutil", ["--expand", pkgWithExtension, expandDir]);
-		const payloadPath = path.join(expandDir, "op.pkg", "Payload");
-		console.info("Installing 1Password CLI");
-		const cliPath = await tc.extractTar(payloadPath);
-		core.addPath(cliPath);
-
-		fs.rmSync(expandDir, { recursive: true, force: true });
-		fs.rmSync(pkgPath, { force: true });
-
-		core.info("1Password CLI installed");
-	}
-}
@@ -1,60 +0,0 @@
-import fs from "fs";
-import os from "os";
-
-import * as core from "@actions/core";
-import * as tc from "@actions/tool-cache";
-
-import {
-	archMap,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import { WindowsInstaller } from "./windows";
-
-jest.mock("fs");
-
-afterEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("WindowsInstaller", () => {
-	const version = "1.2.3";
-	const arch: NodeJS.Architecture = "x64";
-
-	it("should construct with given version and architecture", () => {
-		jest.spyOn(os, "arch").mockReturnValue(arch);
-		const installer = new WindowsInstaller(version);
-		expect(installer.version).toEqual(version);
-		expect(installer.arch).toEqual(archMap[arch]);
-	});
-
-	it("should call install with correct URL", async () => {
-		const installer = new WindowsInstaller(version);
-		const installMock = jest.spyOn(installer, "install").mockResolvedValue();
-
-		await installer.installCli();
-
-		const builder = cliUrlBuilder["win32" as SupportedPlatform];
-		const url = builder(version, installer.arch);
-		expect(installMock).toHaveBeenCalledWith(url);
-	});
-
-	it("should rename downloaded file with .zip extension before extracting", async () => {
-		const downloadPath = "/tmp/abc-123";
-		const extractedPath = "/tmp/extracted";
-
-		(tc.downloadTool as jest.Mock).mockResolvedValue(downloadPath);
-		(tc.extractZip as jest.Mock).mockResolvedValue(extractedPath);
-
-		const installer = new WindowsInstaller(version);
-		await installer.installCli();
-
-		expect(tc.downloadTool).toHaveBeenCalled();
-		expect(fs.renameSync).toHaveBeenCalledWith(
-			downloadPath,
-			`${downloadPath}.zip`,
-		);
-		expect(tc.extractZip).toHaveBeenCalledWith(`${downloadPath}.zip`);
-		expect(core.addPath).toHaveBeenCalledWith(extractedPath);
-	});
-});
@@ -1,37 +0,0 @@
-import * as fs from "fs";
-
-import * as core from "@actions/core";
-import * as tc from "@actions/tool-cache";
-
-import {
-	CliInstaller,
-	cliUrlBuilder,
-	type SupportedPlatform,
-} from "./cli-installer";
-import type { Installer } from "./installer";
-
-export class WindowsInstaller extends CliInstaller implements Installer {
-	private readonly platform: SupportedPlatform = "win32"; // Node.js platform identifier for Windows
-
-	public constructor(version: string) {
-		super(version);
-	}
-
-	public async installCli(): Promise<void> {
-		const urlBuilder = cliUrlBuilder[this.platform];
-		await this.install(urlBuilder(this.version, this.arch));
-	}
-
-	// Windows PowerShell's Expand-Archive requires files to have a .zip extension.
-	// tc.downloadTool saves to a UUID filename with no extension, so we rename it.
-	public override async install(url: string): Promise<void> {
-		console.info(`Downloading 1Password CLI from: ${url}`);
-		const downloadPath = await tc.downloadTool(url);
-		const zipPath = `${downloadPath}.zip`;
-		fs.renameSync(downloadPath, zipPath);
-		console.info("Installing 1Password CLI");
-		const extractedPath = await tc.extractZip(zipPath);
-		core.addPath(extractedPath);
-		core.info("1Password CLI installed");
-	}
-}
@@ -1,18 +0,0 @@
-import * as core from "@actions/core";
-
-import { ReleaseChannel, VersionResolver } from "../version";
-
-import { newCliInstaller } from "./cli-installer";
-
-// Installs the 1Password CLI on a GitHub Action runner.
-export const installCliOnGithubActionRunner = async (
-	version?: string,
-): Promise<void> => {
-	// Get the version from parameter, if not passed - from the job input. Defaults to latest if no version is provided
-	const providedVersion =
-		version || core.getInput("version") || ReleaseChannel.latest;
-	const versionResolver = new VersionResolver(providedVersion);
-	await versionResolver.resolve();
-	const installer = newCliInstaller(versionResolver.get());
-	await installer.installCli();
-};
@@ -1,81 +0,0 @@
-import * as core from "@actions/core";
-
-import { newCliInstaller } from "./github-action/cli-installer";
-import {
-	installCliOnGithubActionRunner,
-	ReleaseChannel,
-	VersionResolver,
-} from "./index";
-
-jest.mock("./github-action/cli-installer", () => ({
-	newCliInstaller: jest.fn().mockImplementation((_resolved: string) => ({
-		installCli: jest.fn(),
-	})),
-}));
-
-beforeEach(() => {
-	jest.restoreAllMocks();
-});
-
-describe("installCliOnGithubActionRunner", () => {
-	it("should defaults to `latest` when nothing is passed", async () => {
-		jest.spyOn(core, "getInput").mockReturnValue("");
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(ReleaseChannel.latest);
-
-		await installCliOnGithubActionRunner();
-
-		expect(newCliInstaller).toHaveBeenCalledWith(ReleaseChannel.latest);
-	});
-
-	it("should defaults to `latest` when undefined is passed", async () => {
-		jest.spyOn(core, "getInput").mockReturnValue("");
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(ReleaseChannel.latest);
-
-		await installCliOnGithubActionRunner(undefined);
-
-		expect(newCliInstaller).toHaveBeenCalledWith(ReleaseChannel.latest);
-	});
-
-	it("should set provided explicit version", async () => {
-		const providedVersion = "1.2.3";
-		jest.spyOn(core, "getInput").mockReturnValue("");
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(providedVersion);
-
-		await installCliOnGithubActionRunner(providedVersion);
-
-		expect(newCliInstaller).toHaveBeenCalledWith(providedVersion);
-	});
-
-	it("should set version provided as job input", async () => {
-		const providedVersion = "3.0.0";
-		jest.spyOn(core, "getInput").mockReturnValue(providedVersion);
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(providedVersion);
-
-		await installCliOnGithubActionRunner();
-
-		expect(newCliInstaller).toHaveBeenCalledWith(providedVersion);
-	});
-
-	it("should throw error for invalid version", async () => {
-		const providedVersion = "invalid";
-		jest.spyOn(core, "getInput").mockReturnValue(providedVersion);
-		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
-		jest
-			.spyOn(VersionResolver.prototype, "get")
-			.mockReturnValue(providedVersion);
-
-		await expect(installCliOnGithubActionRunner()).rejects.toThrow();
-	});
-});
@@ -1,2 +0,0 @@
-export { installCliOnGithubActionRunner } from "./github-action";
-export { ReleaseChannel, VersionResolver } from "./version";
@@ -1,13 +0,0 @@
-export enum ReleaseChannel {
-	latest = "latest",
-	latestBeta = "latest-beta",
-}
-
-export interface VersionResponse {
-	// eslint disabled next line as CLI2 is expected in getting CLI versions response
-	/* eslint-disable-next-line @typescript-eslint/naming-convention */
-	CLI2: {
-		release: { version: string };
-		beta: { version: string };
-	};
-}
@@ -1,91 +0,0 @@
-import { ReleaseChannel } from "./constants";
-import { getLatestVersion } from "./helper";
-
-describe("getLatestVersion", () => {
-	beforeEach(() => {
-		jest.restoreAllMocks();
-	});
-
-	it("should return latest stable version", async () => {
-		const mockResponse = {
-			// eslint-disable-next-line @typescript-eslint/naming-convention
-			CLI2: {
-				release: { version: "2.31.0" },
-				beta: { version: "2.32.0-beta.01" },
-			},
-		};
-
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => mockResponse,
-		} as Response);
-
-		const version = await getLatestVersion(ReleaseChannel.latest);
-		expect(version).toBe("2.31.0");
-	});
-
-	it("should return latest beta version", async () => {
-		const mockResponse = {
-			// eslint-disable-next-line @typescript-eslint/naming-convention
-			CLI2: {
-				release: { version: "2.31.0" },
-				beta: { version: "2.32.0-beta.01" },
-			},
-		};
-
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => mockResponse,
-		} as Response);
-
-		const version = await getLatestVersion(ReleaseChannel.latestBeta);
-		expect(version).toBe("2.32.0-beta.01");
-	});
-
-	it("should throw if no CLI2 field", async () => {
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => ({}),
-		} as Response);
-
-		await expect(getLatestVersion(ReleaseChannel.latest)).rejects.toThrow(
-			`No ${ReleaseChannel.latest} versions found`,
-		);
-	});
-
-	it("should throw if no stable version found", async () => {
-		const mockResponse = {
-			// eslint-disable-next-line @typescript-eslint/naming-convention
-			CLI2: {
-				beta: { version: "2.32.0-beta.01" },
-			},
-		};
-
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => mockResponse,
-		} as Response);
-
-		await expect(getLatestVersion(ReleaseChannel.latest)).rejects.toThrow(
-			`No ${ReleaseChannel.latest} versions found`,
-		);
-	});
-
-	it("should throw if no beta version found", async () => {
-		const mockResponse = {
-			// eslint-disable-next-line @typescript-eslint/naming-convention
-			CLI2: {
-				release: { version: "2.32.0" },
-			},
-		};
-
-		jest.spyOn(global, "fetch").mockResolvedValueOnce({
-			// eslint-disable-next-line @typescript-eslint/require-await
-			json: async () => mockResponse,
-		} as Response);
-
-		await expect(getLatestVersion(ReleaseChannel.latestBeta)).rejects.toThrow(
-			`No ${ReleaseChannel.latestBeta} versions found`,
-		);
-	});
-});
@@ -1,23 +0,0 @@
-import * as core from "@actions/core";
-
-import { ReleaseChannel, type VersionResponse } from "./constants";
-
-// Returns the latest version of the 1Password CLI based on the specified channel.
-export const getLatestVersion = async (
-	channel: ReleaseChannel,
-): Promise<string> => {
-	core.info(`Getting ${channel} version number`);
-	const res = await fetch("https://app-updates.agilebits.com/latest");
-	const json = (await res.json()) as VersionResponse;
-	const latestStable = json?.CLI2?.release?.version;
-	const latestBeta = json?.CLI2?.beta?.version;
-	const version =
-		channel === ReleaseChannel.latestBeta ? latestBeta : latestStable;
-
-	if (!version) {
-		core.error(`No ${channel} versions found`);
-		throw new Error(`No ${channel} versions found`);
-	}
-
-	return version;
-};
@@ -1,2 +0,0 @@
-export { VersionResolver } from "./version-resolver";
-export { ReleaseChannel } from "./constants";
@@ -1,45 +0,0 @@
-import { describe, expect, it } from "@jest/globals";
-
-import { validateVersion } from "./validate";
-
-describe("validateVersion", () => {
-	it('should not throw for "latest"', () => {
-		expect(() => validateVersion("latest")).not.toThrow();
-	});
-
-	it('should not throw for "latest-beta"', () => {
-		expect(() => validateVersion("latest-beta")).not.toThrow();
-	});
-
-	it('should not throw for valid semver version "2.18.0"', () => {
-		expect(() => validateVersion("2.18.0")).not.toThrow();
-	});
-
-	it('should throw for partial version "2"', () => {
-		expect(() => validateVersion("2")).toThrow();
-	});
-
-	it('should throw for partial version "2.1"', () => {
-		expect(() => validateVersion("2.1")).toThrow();
-	});
-
-	it('should not throw for valid beta "2.19.0-beta.01"', () => {
-		expect(() => validateVersion("2.19.0-beta.01")).not.toThrow();
-	});
-
-	it('should not throw for valid beta "2.19.3-beta.12"', () => {
-		expect(() => validateVersion("2.19.3-beta.12")).not.toThrow();
-	});
-
-	it('should not throw for coerced version "v2.19.0"', () => {
-		expect(() => validateVersion("v2.19.0")).not.toThrow();
-	});
-
-	it('should throw for invalid version "latest-abc"', () => {
-		expect(() => validateVersion("latest-abc")).toThrow();
-	});
-
-	it("should throw for empty string", () => {
-		expect(() => validateVersion("")).toThrow();
-	});
-});
@@ -1,23 +0,0 @@
-import semver from "semver";
-
-import { ReleaseChannel } from "./constants";
-
-// Validates if the provided version type is a valid enum value or a valid semver version.
-export const validateVersion = (input: string): void => {
-	if (Object.values(ReleaseChannel).includes(input as ReleaseChannel)) {
-		return;
-	}
-
-	// 1Password beta releases (aka 2.19.0-beta.01) are not semver compliant.
-	// According to semver, it should be "2.19.0-beta.1".
-	// That's why we need to normalize them before validating.
-	// Accepts valid semver versions like "2.18.0" or beta-releases like "2.19.0-beta.01"
-	// or versions with 'v' prefix like "v2.19.0"
-	const normalized = input.replace(/-beta\.0*(\d+)/, "-beta.$1");
-	const normInput = new semver.SemVer(normalized);
-	if (semver.valid(normInput)) {
-		return;
-	}
-
-	throw new Error(`Invalid version input: ${input}`);
-};
@@ -1,58 +0,0 @@
-import { expect } from "@jest/globals";
-
-import { ReleaseChannel } from "./constants";
-import { VersionResolver } from "./version-resolver";
-
-describe("VersionResolver", () => {
-	test("should throw error when invalid version provided", () => {
-		expect(() => new VersionResolver("vv")).toThrow();
-	});
-
-	test("should throw error when version is empty", () => {
-		expect(() => new VersionResolver("")).toThrow();
-	});
-
-	test("should throw error for major version only", () => {
-		expect(() => new VersionResolver("1")).toThrow();
-	});
-
-	test("should throw error for major and minor version only", () => {
-		expect(() => new VersionResolver("1.0")).toThrow();
-	});
-
-	test("should resolve latest stable version", async () => {
-		const versionResolver = new VersionResolver(ReleaseChannel.latest);
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBeDefined();
-	});
-
-	test("should resolve latest beta version", async () => {
-		const versionResolver = new VersionResolver(ReleaseChannel.latestBeta);
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBeDefined();
-	});
-
-	test("should resolve version without 'v' prefix", async () => {
-		const versionResolver = new VersionResolver("1.0.0");
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBe("v1.0.0");
-	});
-
-	test("should resolve version with 'v' prefix", async () => {
-		const versionResolver = new VersionResolver("v1.0.0");
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBe("v1.0.0");
-	});
-
-	test("should resolve beta version without 'v' prefix", async () => {
-		const versionResolver = new VersionResolver("2.19.0-beta.01");
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBe("v2.19.0-beta.01");
-	});
-
-	test("should resolve beta version with 'v' prefix", async () => {
-		const versionResolver = new VersionResolver("v2.19.0-beta.01");
-		await versionResolver.resolve();
-		expect(versionResolver.get()).toBe("v2.19.0-beta.01");
-	});
-});
@@ -1,45 +0,0 @@
-import * as core from "@actions/core";
-
-import { ReleaseChannel } from "./constants";
-import { getLatestVersion } from "./helper";
-import { validateVersion } from "./validate";
-
-export class VersionResolver {
-	private version: string;
-
-	public constructor(version: string) {
-		this.validate(version);
-		this.version = version;
-	}
-
-	public get(): string {
-		return this.version;
-	}
-
-	public async resolve(): Promise<void> {
-		core.info(`Resolving version: ${this.version}`);
-		if (!this.version) {
-			core.error("Version is not provided");
-			throw new Error("Version is not provided");
-		}
-
-		if (this.isReleaseChannel(this.version)) {
-			this.version = await getLatestVersion(this.version);
-		}
-
-		// add `v` prefix if not already present
-		this.version = this.version.startsWith("v")
-			? this.version
-			: `v${this.version}`;
-	}
-
-	private validate(version: string) {
-		core.info(`Validating version number: '${version}'`);
-		validateVersion(version);
-		core.info(`Version number '${version}' is valid`);
-	}
-
-	private isReleaseChannel(value: string): value is ReleaseChannel {
-		return Object.values(ReleaseChannel).includes(value as ReleaseChannel);
-	}
-}
@@ -1,114 +0,0 @@
-import * as core from "@actions/core";
-import { createClient } from "@1password/sdk";
-import { envManagedVariables } from "./constants";
-import { getOIDCToken, loadSecretsFromSDK } from "./sdk-client";
-
-jest.mock("@1password/sdk");
-
-const mockGetVariables = jest.fn();
-
-beforeEach(() => {
-	jest.clearAllMocks();
-	(createClient as jest.Mock).mockResolvedValue({
-		environments: {
-			getVariables: mockGetVariables,
-		},
-	});
-});
-
-describe("getOIDCToken", () => {
-	it("delegates to core.getIDToken", async () => {
-		(core.getIDToken as jest.Mock).mockResolvedValue("oidc-token");
-
-		await expect(getOIDCToken("test-audience")).resolves.toBe("oidc-token");
-		expect(core.getIDToken).toHaveBeenCalledWith("test-audience");
-	});
-});
-
-describe("loadSecretsFromSDK", () => {
-	const workloadId = "workload-uuid";
-	const environmentId = "environment-uuid";
-	const integrationKey = "integration-key";
-
-	const variables = [
-		{ name: "DOCKERHUB_USERNAME", value: "myuser" },
-		{ name: "DOCKERHUB_TOKEN", value: "mypassword" },
-	];
-
-	beforeEach(() => {
-		mockGetVariables.mockResolvedValue({ variables });
-	});
-
-	it("sets secrets as step outputs by default", async () => {
-		await loadSecretsFromSDK(workloadId, environmentId, integrationKey, false);
-
-		expect(core.setOutput).toHaveBeenCalledWith("DOCKERHUB_USERNAME", "myuser");
-		expect(core.setOutput).toHaveBeenCalledWith(
-			"DOCKERHUB_TOKEN",
-			"mypassword",
-		);
-		expect(core.exportVariable).not.toHaveBeenCalledWith(
-			"DOCKERHUB_USERNAME",
-			"myuser",
-		);
-		expect(core.setSecret).toHaveBeenCalledWith("myuser");
-		expect(core.setSecret).toHaveBeenCalledWith("mypassword");
-		expect(core.exportVariable).not.toHaveBeenCalledWith(
-			envManagedVariables,
-			expect.any(String),
-		);
-	});
-
-	it("exports secrets as environment variables when shouldExportEnv is true", async () => {
-		await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
-
-		expect(core.exportVariable).toHaveBeenCalledWith(
-			"DOCKERHUB_USERNAME",
-			"myuser",
-		);
-		expect(core.exportVariable).toHaveBeenCalledWith(
-			"DOCKERHUB_TOKEN",
-			"mypassword",
-		);
-		expect(core.setOutput).not.toHaveBeenCalled();
-		expect(core.exportVariable).toHaveBeenCalledWith(
-			envManagedVariables,
-			"DOCKERHUB_USERNAME,DOCKERHUB_TOKEN",
-		);
-	});
-
-	describe("when secret value is empty string", () => {
-		beforeEach(() => {
-			mockGetVariables.mockResolvedValue({
-				variables: [{ name: "EMPTY_SECRET", value: "" }],
-			});
-		});
-
-		it("sets empty string as step output", async () => {
-			await loadSecretsFromSDK(
-				workloadId,
-				environmentId,
-				integrationKey,
-				false,
-			);
-
-			expect(core.setOutput).toHaveBeenCalledWith("EMPTY_SECRET", "");
-			expect(core.setSecret).not.toHaveBeenCalledWith("");
-		});
-
-		it("sets empty string as environment variable", async () => {
-			await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
-
-			expect(core.exportVariable).toHaveBeenCalledWith("EMPTY_SECRET", "");
-			expect(core.setSecret).not.toHaveBeenCalledWith("");
-		});
-	});
-
-	it("does not export OP_MANAGED_VARIABLES when no variables are returned", async () => {
-		mockGetVariables.mockResolvedValue({ variables: [] });
-
-		await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
-
-		expect(core.exportVariable).not.toHaveBeenCalled();
-	});
-});
@@ -1,52 +0,0 @@
-import * as core from "@actions/core";
-import { createClient } from "@1password/sdk";
-import { version } from "../package.json";
-import { envManagedVariables } from "./constants";
-
-// eslint-disable-next-line @typescript-eslint/naming-convention
-export const getOIDCToken = async (audience: string): Promise<string> =>
-	core.getIDToken(audience);
-
-// eslint-disable-next-line @typescript-eslint/naming-convention
-export const loadSecretsFromSDK = async (
-	workloadId: string,
-	environmentId: string,
-	integrationKey: string,
-	shouldExportEnv: boolean,
-): Promise<void> => {
-	// Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
-	const customerManagedSecret = integrationKey.replace(/=+$/, "");
-	core.setSecret(customerManagedSecret);
-
-	const client = await createClient({
-		integrationName: "1Password GitHub Action",
-		integrationVersion: version,
-		oidcFetcher: getOIDCToken,
-		workloadDetails: {
-			customerManagedSecret,
-			workloadUuid: workloadId,
-		},
-	});
-
-	core.info("Authenticated with Workload Identity.");
-
-	const { variables } = await client.environments.getVariables(environmentId);
-
-	const envNames: string[] = [];
-	for (const { name, value } of variables) {
-		core.info(`Populating variable: ${name}`);
-		if (shouldExportEnv) {
-			core.exportVariable(name, value);
-		} else {
-			core.setOutput(name, value);
-		}
-		if (value) {
-			core.setSecret(value);
-		}
-		envNames.push(name);
-	}
-
-	if (shouldExportEnv && envNames.length > 0) {
-		core.exportVariable(envManagedVariables, envNames.join());
-	}
-};
@@ -1,6 +1,6 @@
 import * as core from "@actions/core";
-import * as exec from "@actions/exec";
-import { read, setClientInfo, semverToInt } from "@1password/op-js";
+import { createClient, Secrets } from "@1password/sdk";
+import { OnePasswordConnect, FullItem, OPConnect } from "@1password/connect";
 import { version } from "../package.json";
 import {
 	authErr,
@@ -8,61 +8,298 @@ import {
 	envConnectToken,
 	envServiceAccountToken,
 	envManagedVariables,
-	envWorkloadId,
-	envEnvironmentId,
-	envIntegrationKey,
 } from "./constants";

-export interface WorkloadIdentityConfig {
-	workloadId: string;
-	environmentId: string;
-	integrationKey: string;
+// #region Op ref parsing
+interface ParsedOpRef {
+	vault: string;
+	item: string;
+	section: string | undefined;
+	field: string;
 }

-// Returns the Workload Identity configuration when all variables are set,
-// or null when none are set (so the CLI auth path can be used instead).
-// Throws if the configuration is only partially set, or if it is combined
-// with the CLI auth methods (Connect / service account).
-export const getWorkloadIdentityConfig = (): WorkloadIdentityConfig | null => {
-	const workloadId = process.env[envWorkloadId];
-	const environmentId = process.env[envEnvironmentId];
-	const integrationKey = process.env[envIntegrationKey];
-
-	// None set: fall back to the CLI auth path.
-	if (!workloadId && !environmentId && !integrationKey) {
-		return null;
+export const parseOpRef = (ref: string): ParsedOpRef => {
+	// Safety check: refs are validated by validateSecretRefs before this runs
+	// this guards against parseOpRef being called directly with invalid input
+	if (!ref.startsWith("op://")) {
+		throw new Error(`Invalid op reference: ${ref}`);
 	}

-	// Some but not all set: configuration is incomplete.
-	if (!workloadId || !environmentId || !integrationKey) {
+	const segments = ref
+		.slice("op://".length)
+		.split("/")
+		.map((s) => decodeURIComponent(s));
+
+	if (segments.length < 3 || segments.length > 4) {
 		throw new Error(
-			`Incomplete Workload Identity configuration. To use Workload Identity, set all of ${envWorkloadId}, ${envEnvironmentId}, and ${envIntegrationKey}.`,
+			`Invalid op reference: use op://<vault>/<item>/<field> or op://<vault>/<item>/<section>/<field>. Got: ${ref}`,
 		);
 	}

-	// Workload Identity is fully configured, so it must not be combined with the
-	// CLI auth methods (Connect / service account), which are mutually exclusive.
-	if (
-		process.env[envConnectHost] ||
-		process.env[envConnectToken] ||
-		process.env[envServiceAccountToken]
-	) {
+	const vault = segments[0] ?? "";
+	if (!vault) {
+		throw new Error(`Invalid op reference: vault is required`);
+	}
+
+	const item = segments[1] ?? "";
+	if (!item) {
+		throw new Error(`Invalid op reference: item is required`);
+	}
+
+	// Last segment is always the field
+	const field = segments[segments.length - 1] ?? "";
+	if (!field) {
+		throw new Error(`Invalid op reference: field is required`);
+	}
+
+	// Second to last segment is the section if it exists
+	let section: string | undefined;
+	if (segments.length === 4) {
+		section = segments[2];
+		if (!section) {
+			throw new Error(
+				`Invalid op reference: section is required when using 4 path segments`,
+			);
+		}
+	}
+
+	return {
+		vault,
+		item,
+		field,
+		section,
+	};
+};
+// #endregion
+
+// #region Connect item resolution
+const getSecretFromConnectItem = async (
+	client: OPConnect,
+	item: FullItem,
+	parsed: ParsedOpRef,
+): Promise<string> => {
+	const sectionIds = parsed.section
+		? findSectionIdsByQuery(item.sections, parsed.section)
+		: [];
+	const { fieldValue, fileId } = findMatchingFieldAndFile(
+		item,
+		parsed.field,
+		sectionIds,
+	);
+
+	if (fieldValue !== undefined) {
+		return fieldValue;
+	}
+
+	// If a file was found, get the content of the file (with retry on 503)
+	if (fileId) {
+		const maxAttempts = 3;
+		const retryDelayMs = 2000;
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+			try {
+				const content = await client.getFileContent(
+					parsed.vault,
+					parsed.item,
+					fileId,
+				);
+				return content;
+			} catch (err) {
+				const is503 =
+					err &&
+					typeof err === "object" &&
+					(err as Record<string, unknown>).statusCode === 503;
+				if (is503 && attempt < maxAttempts) {
+					await new Promise((resolve) => setTimeout(resolve, retryDelayMs));
+					continue;
+				}
+				throw err;
+			}
+		}
+	}
+
+	if (parsed.section) {
 		throw new Error(
-			`Conflicting authentication configuration: Workload Identity cannot be combined with Connect (${envConnectHost}/${envConnectToken}) or a service account (${envServiceAccountToken}). Set only one authentication method.`,
+			`could not find field or file ${parsed.field} in section ${parsed.section} on item ${parsed.item} in vault ${parsed.vault}`,
 		);
 	}

-	return { workloadId, environmentId, integrationKey };
+	throw new Error(
+		`could not find field or file ${parsed.field} on item ${parsed.item} in vault ${parsed.vault}`,
+	);
 };

-// Whether CLI authentication (1Password Connect or a service account) is
-// configured via environment variables.
-export const hasCliAuth = (): boolean =>
-	Boolean(
-		(process.env[envConnectHost] && process.env[envConnectToken]) ||
-			process.env[envServiceAccountToken],
+export const findSectionIdsByQuery = (
+	sections: FullItem["sections"],
+	sectionQuery: string | undefined,
+): string[] => {
+	// If no sections were returned with the item throw an error
+	if (!sections || sections.length === 0) {
+		throw new Error(
+			`section ${sectionQuery} could not be found in specified item`,
+		);
+	}
+
+	const ids = sections
+		.filter((s) => s.id === sectionQuery || s.label === sectionQuery)
+		.flatMap((s) => (s.id ? [s.id] : []));
+
+	// If no sections were found with the given query throw an error
+	if (ids.length === 0) {
+		throw new Error(
+			`section ${sectionQuery} could not be found in specified item`,
+		);
+	}
+
+	return ids;
+};
+
+export const findMatchingFieldAndFile = (
+	item: FullItem,
+	fieldOrFileQuery: string,
+	sectionIds: string[],
+): { fieldValue?: string; fileId?: string } => {
+	// Get the fields/files from the item and check if the ref has a section filter
+	const fields = item.fields ?? [];
+	const files = item.files ?? [];
+	const sectionFilter = sectionIds.length > 0;
+
+	const fieldMatchesQuery = (f: (typeof fields)[0]) =>
+		f.id === fieldOrFileQuery || f.label === fieldOrFileQuery;
+	const fileMatchesQuery = (f: (typeof files)[0]) =>
+		f.id === fieldOrFileQuery || f.name === fieldOrFileQuery;
+
+	let matchedField: (typeof fields)[0] | undefined;
+	let matchedFile: (typeof files)[0] | undefined;
+
+	if (sectionFilter) {
+		// If the ref has a section filter only accept matches inside the referenced sections
+		const matchingFields = fields.filter((f) => {
+			const sectionId = f.section?.id;
+			const inRefSections =
+				sectionId !== null &&
+				sectionId !== undefined &&
+				sectionIds.includes(sectionId);
+			return fieldMatchesQuery(f) && inRefSections;
+		});
+		matchedField = findSingleMatch(matchingFields);
+
+		const matchingFiles = files.filter((f) => {
+			const sectionId = f.section?.id;
+			const inRefSections =
+				sectionId !== null &&
+				sectionId !== undefined &&
+				sectionIds.includes(sectionId);
+			return fileMatchesQuery(f) && inRefSections;
+		});
+		matchedFile = findSingleMatch(matchingFiles);
+	} else {
+		// If the ref has no section filter search for matches with no section
+		const matchingFields = fields.filter((f) => {
+			const hasNoSection =
+				f.section?.id === null || f.section?.id === undefined;
+			return fieldMatchesQuery(f) && hasNoSection;
+		});
+		matchedField = findSingleMatch(matchingFields);
+
+		// If no matches were found with no section, search for matches in any section
+		if (!matchedField) {
+			const matchingFieldsInAnySection = fields.filter(fieldMatchesQuery);
+			matchedField = findSingleMatch(matchingFieldsInAnySection);
+		}
+
+		const matchingFiles = files.filter((f) => {
+			const hasNoSection =
+				f.section?.id === null || f.section?.id === undefined;
+			return fileMatchesQuery(f) && hasNoSection;
+		});
+		matchedFile = findSingleMatch(matchingFiles);
+
+		if (!matchedFile) {
+			const matchingFilesInAnySection = files.filter(fileMatchesQuery);
+			matchedFile = findSingleMatch(matchingFilesInAnySection);
+		}
+	}
+
+	if (matchedField && matchedFile) {
+		throw new Error(
+			`Both a field and a file match "${fieldOrFileQuery}". Rename one or use the ID in your op:// reference.`,
+		);
+	}
+
+	if (matchedField) {
+		if (matchedField.value === undefined || matchedField.value === null) {
+			throw new Error(
+				`field ${fieldOrFileQuery} has no value in specified item`,
+			);
+		}
+		return { fieldValue: matchedField.value };
+	}
+
+	if (matchedFile?.id) {
+		return { fileId: matchedFile.id };
+	}
+
+	return {};
+};
+
+const findSingleMatch = <T>(matches: T[]): T | undefined => {
+	if (matches.length > 1) {
+		throw new Error(
+			"Multiple matches found. Rename one or use an ID in your op:// reference.",
+		);
+	}
+	return matches[0];
+};
+// #endregion
+
+// #region Shared helpers and auth
+export const getEnvVarNamesWithSecretRefs = (): string[] =>
+	Object.keys(process.env).filter(
+		(key) =>
+			typeof process.env[key] === "string" &&
+			process.env[key]?.startsWith("op://"),
 	);

+const validateSecretRefs = (envNames: string[]): void => {
+	const invalid: string[] = [];
+
+	for (const envName of envNames) {
+		const ref = process.env[envName];
+		if (!ref) {
+			continue;
+		}
+
+		try {
+			Secrets.validateSecretReference(ref);
+		} catch {
+			invalid.push(envName);
+		}
+	}
+
+	// Throw an error if any secret references are invalid
+	if (invalid.length > 0) {
+		const names = invalid.join(", ");
+		throw new Error(`Invalid secret reference(s): ${names}`);
+	}
+};
+
+const setResolvedSecret = (
+	envName: string,
+	secretValue: string,
+	shouldExportEnv: boolean,
+): void => {
+	core.info(`Populating variable: ${envName}`);
+
+	if (shouldExportEnv) {
+		core.exportVariable(envName, secretValue);
+	} else {
+		core.setOutput(envName, secretValue);
+	}
+	if (secretValue) {
+		core.setSecret(secretValue);
+	}
+};
+
 export const validateAuth = (): void => {
 	const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
 	const isServiceAccount = process.env[envServiceAccountToken];
@@ -82,61 +319,6 @@ export const validateAuth = (): void => {
 	core.info(`Authenticated with ${authType}.`);
 };

-export const extractSecret = (
-	envName: string,
-	shouldExportEnv: boolean,
-): void => {
-	core.info(`Populating variable: ${envName}`);
-
-	const ref = process.env[envName];
-	if (!ref) {
-		return;
-	}
-
-	const secretValue = read.parse(ref);
-	if (secretValue === null || secretValue === undefined) {
-		return;
-	}
-
-	if (shouldExportEnv) {
-		core.exportVariable(envName, secretValue);
-	} else {
-		core.setOutput(envName, secretValue);
-	}
-	// Skip setSecret for empty strings to avoid the warning:
-	// "Can't add secret mask for empty string in ##[add-mask] command."
-	if (secretValue) {
-		core.setSecret(secretValue);
-	}
-};
-
-export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
-	// Strip any prerelease suffix; semverToInt only accepts MAJOR.MINOR.PATCH.
-	const [releaseVersion] = version.split("-");
-	setClientInfo({
-		name: "1Password GitHub Action",
-		id: "GHA",
-		build: semverToInt(releaseVersion ?? version),
-	});
-
-	// Load secrets from environment variables using 1Password CLI.
-	// Iterate over them to find 1Password references, extract the secret values,
-	// and make them available in the next steps either as step outputs or as environment variables.
-	const res = await exec.getExecOutput(`sh -c "op env ls"`);
-
-	if (res.stdout === "") {
-		return;
-	}
-
-	const envs = res.stdout.replace(/\n+$/g, "").split(/\r?\n/);
-	for (const envName of envs) {
-		extractSecret(envName, shouldExportEnv);
-	}
-	if (shouldExportEnv) {
-		core.exportVariable(envManagedVariables, envs.join());
-	}
-};
-
 export const unsetPrevious = (): void => {
 	if (process.env[envManagedVariables]) {
 		core.info("Unsetting previous values ...");
@@ -147,3 +329,150 @@ export const unsetPrevious = (): void => {
 		}
 	}
 };
+
+const fetchVaultId = async (
+	client: OPConnect,
+	vaultQuery: string,
+	ref: string,
+	cache: Map<string, string>,
+): Promise<string> => {
+	// Check if the vault ID is already cached
+	const cached = cache.get(vaultQuery);
+	if (cached !== undefined) {
+		return cached;
+	}
+
+	const vault = await client.getVault(vaultQuery);
+	if (!vault.id) {
+		throw new Error(
+			`Could not find valid vault "${vaultQuery}" for ref "${ref}"`,
+		);
+	}
+
+	cache.set(vaultQuery, vault.id);
+	return vault.id;
+};
+// #endregion
+
+// #region Load secrets
+// Connect loads secrets via the Connect JS SDK
+const loadSecretsViaConnect = async (
+	shouldExportEnv: boolean,
+): Promise<void> => {
+	const envs = getEnvVarNamesWithSecretRefs();
+	if (envs.length === 0) {
+		return;
+	}
+
+	validateSecretRefs(envs);
+
+	const host = process.env[envConnectHost];
+	const token = process.env[envConnectToken];
+	if (!host || !token) {
+		throw new Error(authErr);
+	}
+
+	// Authenticate with the Connect SDK
+	let client;
+	try {
+		client = OnePasswordConnect({
+			// eslint-disable-next-line @typescript-eslint/naming-convention
+			serverURL: host,
+			token,
+		});
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		throw new Error(`Connect authentication failed: ${message}`);
+	}
+
+	const vaultIdByQuery = new Map<string, string>();
+
+	for (const envName of envs) {
+		const ref = process.env[envName];
+		if (!ref) {
+			continue;
+		}
+
+		try {
+			// Parse the op ref and get the item from the Connect SDK
+			const parsed = parseOpRef(ref);
+
+			const vaultId = await fetchVaultId(
+				client,
+				parsed.vault,
+				ref,
+				vaultIdByQuery,
+			);
+			const item = await client.getItem(vaultId, parsed.item);
+
+			// Get the secret value from the item as Connect returns a full item object
+			const secretValue = await getSecretFromConnectItem(client, item, parsed);
+			setResolvedSecret(envName, secretValue, shouldExportEnv);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			throw new Error(`Failed to load ref "${ref}": ${msg}`);
+		}
+	}
+
+	if (shouldExportEnv) {
+		core.exportVariable(envManagedVariables, envs.join());
+	}
+};
+
+// Service Account loads secrets via the 1Password SDK
+const loadSecretsViaServiceAccount = async (
+	shouldExportEnv: boolean,
+): Promise<void> => {
+	const envs = getEnvVarNamesWithSecretRefs();
+	if (envs.length === 0) {
+		return;
+	}
+
+	validateSecretRefs(envs);
+
+	const token = process.env[envServiceAccountToken];
+	if (!token) {
+		throw new Error(authErr);
+	}
+
+	// Authenticate with the 1Password SDK
+	let client;
+	try {
+		client = await createClient({
+			auth: token,
+			integrationName: "1Password GitHub Action",
+			integrationVersion: version,
+		});
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		throw new Error(`Service account authentication failed: ${message}`);
+	}
+
+	for (const envName of envs) {
+		const ref = process.env[envName];
+		if (!ref) {
+			continue;
+		}
+
+		// Resolve the secret value using the 1Password SDK
+		// and make it available either as step outputs or as environment variables
+		const secretValue = await client.secrets.resolve(ref);
+		setResolvedSecret(envName, secretValue, shouldExportEnv);
+	}
+
+	if (shouldExportEnv) {
+		core.exportVariable(envManagedVariables, envs.join());
+	}
+};
+
+export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
+	const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
+
+	if (isConnect) {
+		await loadSecretsViaConnect(shouldExportEnv);
+		return;
+	}
+
+	await loadSecretsViaServiceAccount(shouldExportEnv);
+};
+// #endregion
@@ -10,6 +10,9 @@ assert_env_equals() {
 }

 readonly SECRET="RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
+readonly FILE_SECRET_CONTENT="This is a test"
+readonly DOUBLE_SECTION_SECRET_CONTENT="test-password"
+
 MULTILINE_SECRET="$(cat << EOF
 -----BEGIN PRIVATE KEY-----
 RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLApXaGls
@@ -26,7 +29,6 @@ IApTbyBwbGVhc2UgZG9uJ3QgcmVwb3J0IGl0IQo=
 EOF
 )"
 readonly MULTILINE_SECRET
-readonly WEBSITE="www.test.com"

 assert_env_equals "SECRET" "${SECRET}"
 assert_env_equals "FILE_SECRET" "${SECRET}"
@@ -37,8 +39,7 @@ assert_env_equals "FILE_SECRET_IN_SECTION" "${SECRET}"
 assert_env_equals "MULTILINE_SECRET" "${MULTILINE_SECRET}"
 assert_env_equals "FILE_MULTILINE_SECRET" "${MULTILINE_SECRET}"

-# WEBSITE/FILE_WEBSITE: required when ASSERT_WEBSITE=true (Service Account), skipped when false (Connect)
-if [ "${ASSERT_WEBSITE:-false}" = "true" ]; then
-  assert_env_equals "WEBSITE" "${WEBSITE}"
-  assert_env_equals "FILE_WEBSITE" "${WEBSITE}"
-fi
+assert_env_equals "SECRET_WITH_FILE" "${FILE_SECRET_CONTENT}"
+assert_env_equals "SECRET_WITH_FILE_IN_SECTION" "${FILE_SECRET_CONTENT}"
+
+assert_env_equals "DOUBLE_SECTION_SECRET" "${DOUBLE_SECTION_SECRET_CONTENT}"
@@ -18,10 +18,6 @@ assert_env_unset "FILE_SECRET_IN_SECTION"
 assert_env_unset "MULTILINE_SECRET"
 assert_env_unset "FILE_MULTILINE_SECRET"

-assert_env_unset "WEBSITE"
-assert_env_unset "FILE_WEBSITE"
-
-assert_env_unset "TEST_SSH_KEY"
-assert_env_unset "FILE_TEST_SSH_KEY"
-assert_env_unset "TEST_SSH_KEY_OPENSSH"
-assert_env_unset "FILE_TEST_SSH_KEY_OPENSSH"
+assert_env_unset "SECRET_WITH_FILE"
+assert_env_unset "SECRET_WITH_FILE_IN_SECTION"
+assert_env_unset "DOUBLE_SECTION_SECRET"
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+if [ "$STEP_OUTCOME" != "failure" ]; then
+  echo "Expected action to fail on invalid ref, got: $STEP_OUTCOME"
+  exit 1
+fi
+echo "Action correctly failed on invalid ref"
@@ -1,26 +0,0 @@
-#!/bin/bash
-set -e
-
-assert_ssh_key_set() {
-  local var="$1"
-  local val
-  val="$(printenv "$var" || true)"
-  if [ -z "$val" ]; then
-    echo "Expected $var to be set"
-    exit 1
-  fi
-  [ "$val" = "***" ] && return 0
-  local line
-  line="$(echo "$val" | head -1)"
-  if echo "$var" | grep -q "OPENSSH"; then
-    echo "$line" | grep -q "OPENSSH" || { echo "Expected $var to start with -----BEGIN OPENSSH PRIVATE KEY-----"; exit 1; }
-  else
-    echo "$line" | grep -q "BEGIN.*PRIVATE KEY" || { echo "Expected $var to be a private key"; exit 1; }
-  fi
-  echo "$var OK"
-}
-
-assert_ssh_key_set "TEST_SSH_KEY"
-assert_ssh_key_set "TEST_SSH_KEY_OPENSSH"
-assert_ssh_key_set "FILE_TEST_SSH_KEY"
-assert_ssh_key_set "FILE_TEST_SSH_KEY_OPENSSH"
@@ -1,16 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2086
-set -e
-
-# Asserts the secrets loaded via Workload Identity.
-
-assert_env_equals() {
-  if [ "$(printenv $1)" != "$2" ]; then
-    echo -e "Expected $1 to be set to:\n$2\nBut got:\n$(printenv $1)"
-    exit 1
-  fi
-}
-
-assert_env_equals "ANOTHER_TEST" "anothertest123"
-assert_env_equals "SUPER_SECRET" "supersecret"
-assert_env_equals "TEST_SECRET" "thisisatest"
Author	SHA1	Message	Date
Jill Regan	be2bd38fd6	fix syntax error	2026-02-20 19:04:29 -05:00
Jill Regan	9bdf6cdcfc	make version backwards compatiable	2026-02-20 18:59:19 -05:00
Jill Regan	85fc7ef953	Remove all reference to CLI	2026-02-20 18:49:05 -05:00
Jill Regan	5523b3fd67	Remove error handeling	2026-02-20 18:19:18 -05:00
Jill Regan	44ef890925	Fix syntax error	2026-02-20 18:06:37 -05:00
Jill Regan	d7959a3396	Add retry	2026-02-20 18:03:59 -05:00
Jill Regan	ba2e69a32e	Increase startup	2026-02-20 18:00:12 -05:00
Jill Regan	e5946f890f	Add more robust logging	2026-02-20 17:56:04 -05:00
Jill Regan	6afd0621a7	Test to see why get file content failed	2026-02-20 17:53:22 -05:00
Jill Regan	72c110fb96	Try mroe logging	2026-02-20 17:50:24 -05:00
Jill Regan	b590204659	Try nested error logging	2026-02-20 17:47:00 -05:00
Jill Regan	6490b7af0e	Increase tiemout	2026-02-20 17:43:00 -05:00
Jill Regan	676313036e	Add error handeling	2026-02-20 17:14:24 -05:00
Jill Regan	43c1f24739	Add more e2e tests	2026-02-20 17:00:26 -05:00
Jill Regan	3c643fe809	Code clean up and add tests	2026-02-20 15:59:25 -05:00
Jill Regan	41f600a118	Fix service account tests	2026-02-20 11:19:53 -05:00
Jill Regan	a03b151beb	Fix test order	2026-02-20 11:11:29 -05:00
Jill Regan	9ef8ce29fa	Add missing vault id	2026-02-20 10:47:11 -05:00
Jill Regan	cc33b584d1	Update formatting	2026-02-20 10:44:46 -05:00
Jill Regan	21385b0c31	Add e2e test	2026-02-20 10:43:17 -05:00
Jill Regan	2a0e01171e	Add query for vault id first	2026-02-20 09:35:27 -05:00
Jill Regan	8f91e40957	Test with error message descontruction	2026-02-20 09:29:15 -05:00
Jill Regan	d4fc305bfa	Assign error message to string	2026-02-20 09:26:38 -05:00
Jill Regan	cb3e4f29eb	Fix error message	2026-02-20 09:12:10 -05:00
Jill Regan	f4ee2a9d76	remove unused import	2026-02-20 09:07:45 -05:00
Jill Regan	59b7671409	Fix linting errors	2026-02-20 09:04:02 -05:00
Jill Regan	d7da1c3ae2	Fix merge confict	2026-02-20 08:41:37 -05:00
Jill Regan	ffffc2db51	Migrate connect to use SDK	2026-02-20 08:24:08 -05:00
				`@@ -1 +0,0 @@`
				`export { type Installer, newCliInstaller } from "./installer";`