Point to the feature branch to run tests

Make latest build
Fix tests
2026-06-21 14:23:48 +00:00 · 2025-08-14 11:43:38 -05:00 · 2025-08-14 11:40:05 -05:00 · 2025-08-14 11:39:57 -05:00 · 2025-08-14 10:58:58 -05:00
56 changed files with 35520 additions and 43690 deletions
@@ -0,0 +1,116 @@
 name: Acceptance test
 on:
  workflow_call:
    inputs:
      secret:
        required: true
        type: string
      secret-in-section:
        required: true
        type: string
      multiline-secret:
        required: true
        type: string
      export-env:
        required: true
        type: boolean
      cli-version:
        required: false
        type: string
        default: "latest"
      os:
        required: true
        type: string
        default: "ubuntu-latest"
      auth:
        required: true
        type: string
 jobs:
  acceptance-test:
    runs-on: ${{ inputs.os }}
    steps:
      - name: Base checkout
        uses: actions/checkout@v4
        if: |
          github.event_name != 'repository_dispatch' &&
          (
            github.ref == 'refs/heads/main' || 
            (
              github.event_name == 'pull_request' && 
              github.event.pull_request.head.repo.full_name == github.repository
            )
          )
      - name: Fork based /ok-to-test checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.client_payload.pull_request.head.sha }}
        if: |
          github.event_name == 'repository_dispatch' &&
          github.event.client_payload.slash_command.args.named.sha != '' &&
          contains(
            github.event.client_payload.pull_request.head.sha,
            github.event.client_payload.slash_command.args.named.sha
          )
      - name: Launch 1Password Connect instance
        if: ${{ inputs.auth == 'connect' }}
        env:
          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
        run: |
          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
          docker compose -f tests/fixtures/docker-compose.yml up -d && sleep 10
      - name: Configure Service account
        if: ${{ inputs.auth == 'service-account' }}
        uses: ./configure
        with:
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
      - name: Verify Service Account env var is set
        if: ${{ inputs.auth == 'service-account' }}
        shell: bash
        run: |
          if [ -z "${OP_SERVICE_ACCOUNT_TOKEN}" ]; then
            echo "OP_SERVICE_ACCOUNT_TOKEN environment variable is not set" >&2
            exit 1
          fi
      - name: Configure 1Password Connect
        if: ${{ inputs.auth == 'connect' }}
        uses: ./configure # 1password/load-secrets-action/configure@<version>
        with:
          connect-host: http://localhost:8080
          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
      - name: Verify Connect env vars are set
        if: ${{ inputs.auth == 'connect' }}
        run: |
          if [ -z "$OP_CONNECT_HOST" ] || [ -z "$OP_CONNECT_TOKEN" ]; then
            echo "OP_CONNECT_HOST or OP_CONNECT_TOKEN environment variables are not set" >&2
            exit 1
          fi
      - name: Load secrets
        id: load_secrets
        uses: ./ # 1password/load-secrets-action@<version>
        with:
          cli-version: ${{ inputs.cli-version }}
          export-env: ${{ inputs.export-env }}
        env:
          SECRET: ${{ inputs.secret }}
          SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
          MULTILINE_SECRET: ${{ inputs.multiline-secret }}
      - name: Assert test secret values [step output]
        if: ${{ !inputs.export-env }}
        env:
          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
        run: ./tests/assert-env-set.sh
      - name: Assert test secret values [exported env]
        if: ${{ inputs.export-env }}
        run: ./tests/assert-env-set.sh
      - name: Remove secrets [exported env]
        if: ${{ inputs.export-env }}
        uses: ./ # 1password/load-secrets-action@<version>
        with:
          unset-previous: true
      - name: Assert removed secrets [exported env]
        if: ${{ inputs.export-env }}
        run: ./tests/assert-env-unset.sh
@@ -1,326 +0,0 @@
 name: E2E Tests
 on:
  # For local testing with: act push -W .github/workflows/e2e-tests.yml
  push:
    branches-ignore:
      - "**" # Never runs on GitHub, only locally with act
  # For test.yml to call this workflow
  workflow_call:
    inputs:
      ref:
        description: "Git ref to checkout"
        required: true
        type: string
    secrets:
      OP_CONNECT_CREDENTIALS:
        required: true
      OP_CONNECT_TOKEN:
        required: true
      OP_SERVICE_ACCOUNT_TOKEN:
        required: true
      OP_WORKLOAD_ID:
        required: true
      OP_ENVIRONMENT_ID:
        required: true
      OP_INTEGRATION_KEY:
        required: true
      VAULT:
        description: "1Password vault name or UUID"
        required: true
 jobs:
  test-service-account:
    name: Service Account (${{ matrix.os }}, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: true
      max-parallel: 4
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        version: [latest, 2.30.0]
        export-env: [true, false]
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref }}
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build actions
        run: npm run build:all
      - name: Generate .env.tpl
        shell: bash
        run: |
          echo "FILE_SECRET=op://${VAULT}/test-secret/password" > tests/.env.tpl
          echo "FILE_SECRET_IN_SECTION=op://${VAULT}/test-secret/test-section/password" >> tests/.env.tpl
          echo "FILE_MULTILINE_SECRET=op://${VAULT}/multiline-secret/notesPlain" >> tests/.env.tpl
          echo "FILE_WEBSITE=op://${VAULT}/test-secret/website" >> tests/.env.tpl
          echo "FILE_TEST_SSH_KEY=op://${VAULT}/test-ssh-key/private key" >> tests/.env.tpl
          echo "FILE_TEST_SSH_KEY_OPENSSH=op://${VAULT}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
        env:
          VAULT: ${{ secrets.VAULT }}
      - name: Configure Service account
        uses: ./configure
        with:
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
      - name: Load secrets
        id: load_secrets
        uses: ./
        with:
          version: ${{ matrix.version }}
          export-env: ${{ matrix.export-env }}
        env:
          SECRET: op://${{ secrets.VAULT }}/test-secret/password
          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
          WEBSITE: op://${{ secrets.VAULT }}/test-secret/website
          TEST_SSH_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
          TEST_SSH_KEY_OPENSSH: "op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh"
          OP_ENV_FILE: ./tests/.env.tpl
      - name: Assert test secret values [step output]
        if: ${{ !matrix.export-env }}
        shell: bash
        env:
          ASSERT_WEBSITE: "true"
          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
          WEBSITE: ${{ steps.load_secrets.outputs.WEBSITE }}
          FILE_WEBSITE: ${{ steps.load_secrets.outputs.FILE_WEBSITE }}
          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
        run: ./tests/assert-env-set.sh
      - name: Assert SSH key env vars [step output]
        if: ${{ !matrix.export-env }}
        shell: bash
        env:
          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
        run: ./tests/assert-ssh-keys-set.sh
      - name: Assert test secret values [exported env]
        if: ${{ matrix.export-env }}
        shell: bash
        env:
          ASSERT_WEBSITE: "true"
        run: ./tests/assert-env-set.sh
      - name: Assert SSH key env vars [exported env]
        if: ${{ matrix.export-env }}
        shell: bash
        run: ./tests/assert-ssh-keys-set.sh
      - name: Remove secrets [exported env]
        if: ${{ matrix.export-env }}
        uses: ./
        with:
          unset-previous: true
      - name: Assert removed secrets [exported env]
        if: ${{ matrix.export-env }}
        shell: bash
        run: ./tests/assert-env-unset.sh
  test-connect:
    name: Connect (ubuntu-latest, ${{ matrix.version }}, export-env=${{ matrix.export-env }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        version: [latest, 2.30.0]
        export-env: [true, false]
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref }}
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build actions
        run: npm run build:all
      - name: Generate .env.tpl
        run: |
          mkdir -p tests
          echo "FILE_SECRET=op://${VAULT}/test-secret/password" > tests/.env.tpl
          echo "FILE_SECRET_IN_SECTION=op://${VAULT}/test-secret/test-section/password" >> tests/.env.tpl
          echo "FILE_MULTILINE_SECRET=op://${VAULT}/multiline-secret/notesPlain" >> tests/.env.tpl
          echo "FILE_TEST_SSH_KEY=op://${VAULT}/test-ssh-key/private key" >> tests/.env.tpl
          echo "FILE_TEST_SSH_KEY_OPENSSH=op://${VAULT}/test-ssh-key/private key?ssh-format=openssh" >> tests/.env.tpl
        env:
          VAULT: ${{ secrets.VAULT }}
      - name: Launch 1Password Connect instance
        env:
          OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
        run: |
          echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
          docker compose -f tests/fixtures/docker-compose.yml up -d
          timeout 60 bash -c 'until curl -sf http://localhost:8080/health >/dev/null 2>&1; do sleep 2; done'
      - name: Configure 1Password Connect
        uses: ./configure
        with:
          connect-host: http://localhost:8080
          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
      - name: Load secrets
        id: load_secrets
        uses: ./
        with:
          version: ${{ matrix.version }}
          export-env: ${{ matrix.export-env }}
        env:
          SECRET: op://${{ secrets.VAULT }}/test-secret/password
          SECRET_IN_SECTION: op://${{ secrets.VAULT }}/test-secret/test-section/password
          MULTILINE_SECRET: op://${{ secrets.VAULT }}/multiline-secret/notesPlain
          TEST_SSH_KEY: op://${{ secrets.VAULT }}/test-ssh-key/private key
          TEST_SSH_KEY_OPENSSH: "op://${{ secrets.VAULT }}/test-ssh-key/private key?ssh-format=openssh"
          OP_ENV_FILE: ./tests/.env.tpl
      - name: Assert test secret values [step output]
        if: ${{ !matrix.export-env }}
        env:
          ASSERT_WEBSITE: "false"
          SECRET: ${{ steps.load_secrets.outputs.SECRET }}
          SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
          MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
          FILE_SECRET: ${{ steps.load_secrets.outputs.FILE_SECRET }}
          FILE_SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.FILE_SECRET_IN_SECTION }}
          FILE_MULTILINE_SECRET: ${{ steps.load_secrets.outputs.FILE_MULTILINE_SECRET }}
          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
        run: ./tests/assert-env-set.sh
      - name: Assert SSH key env vars [step output]
        if: ${{ !matrix.export-env }}
        env:
          TEST_SSH_KEY: ${{ steps.load_secrets.outputs.TEST_SSH_KEY }}
          FILE_TEST_SSH_KEY: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY }}
          TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.TEST_SSH_KEY_OPENSSH }}
          FILE_TEST_SSH_KEY_OPENSSH: ${{ steps.load_secrets.outputs.FILE_TEST_SSH_KEY_OPENSSH }}
        run: ./tests/assert-ssh-keys-set.sh
      - name: Assert test secret values [exported env]
        if: ${{ matrix.export-env }}
        env:
          ASSERT_WEBSITE: "false"
        run: ./tests/assert-env-set.sh
      - name: Assert SSH key env vars [exported env]
        if: ${{ matrix.export-env }}
        run: ./tests/assert-ssh-keys-set.sh
      - name: Remove secrets [exported env]
        if: ${{ matrix.export-env }}
        uses: ./
        with:
          unset-previous: true
      - name: Assert removed secrets [exported env]
        if: ${{ matrix.export-env }}
        run: ./tests/assert-env-unset.sh
  test-workload-identity:
    name: Workload Identity (ubuntu-latest, export-env=${{ matrix.export-env }})
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    strategy:
      fail-fast: true
      matrix:
        export-env: [true, false]
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref }}
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build actions
        run: npm run build:all
      - name: Load secrets
        id: load_secrets
        uses: ./
        with:
          export-env: ${{ matrix.export-env }}
        env:
          OP_WORKLOAD_ID: ${{ secrets.OP_WORKLOAD_ID }}
          OP_ENVIRONMENT_ID: ${{ secrets.OP_ENVIRONMENT_ID }}
          OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
      - name: Assert test secret values [step output]
        if: ${{ !matrix.export-env }}
        shell: bash
        env:
          ANOTHER_TEST: ${{ steps.load_secrets.outputs.ANOTHER_TEST }}
          SUPER_SECRET: ${{ steps.load_secrets.outputs.SUPER_SECRET }}
          TEST_SECRET: ${{ steps.load_secrets.outputs.TEST_SECRET }}
        run: ./tests/assert-workload-identity.sh
      - name: Assert test secret values [exported env]
        if: ${{ matrix.export-env }}
        shell: bash
        run: ./tests/assert-workload-identity.sh
      - name: Remove secrets [exported env]
        if: ${{ matrix.export-env }}
        uses: ./
        with:
          unset-previous: true
      - name: Assert removed secrets [exported env]
        if: ${{ matrix.export-env }}
        shell: bash
        run: |
          for var in ANOTHER_TEST SUPER_SECRET TEST_SECRET; do
            if [ -n "$(printenv "$var")" ]; then
              echo "Expected secret $var to be unset"
              exit 1
            fi
          done
@@ -1,36 +1,29 @@
 name: Lint and Test
 on:
  push:
    branches: [main]
  pull_request:
 name: Lint
 jobs:
-  lint-and-test:
+  lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v3
      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
+        uses: ludeeus/action-shellcheck@2.0.0
        with:
          ignore_paths: >-
            .husky
      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        id: setup-node
        uses: actions/setup-node@v4
        with:
-          node-version: 24
+          node-version: 20
          cache: npm
-
+      - name: Install Dependencies
-      - name: Install dependencies
+        id: install
        run: npm ci
      - name: Check formatting
        run: npm run format:check
      - name: Check lint
        run: npm run lint
      - name: Run unit tests
        run: npm test
@@ -1,4 +1,4 @@
-# Write comments "/ok-to-test sha=<hash>" on a pull request. This will emit a repository_dispatch event.
+# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event
 name: Ok To Test
 on:
@@ -15,7 +15,7 @@ jobs:
    if: ${{ github.event.issue.pull_request }}
    steps:
      - name: Slash Command Dispatch
-        uses: peter-evans/slash-command-dispatch@9bdcd7914ec1b75590b790b844aa3b8eee7c683a # v5
+        uses: peter-evans/slash-command-dispatch@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          reaction-token: ${{ secrets.GITHUB_TOKEN }}
@@ -10,4 +10,4 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check signed commits in PR
-        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+        uses: 1Password/check-signed-commits-action@v1
@@ -1,125 +0,0 @@
 name: E2E Tests
 on:
  push:
    branches: [main]
    paths-ignore: &ignore_paths
      - "docs/**"
      - "config/**"
      - "*.md"
      - ".gitignore"
      - "LICENSE"
  pull_request:
    paths-ignore: *ignore_paths
  repository_dispatch:
    types: [ok-to-test-command]
 concurrency:
  group: >-
    ${{ github.event_name == 'pull_request' &&
          format('e2e-{0}', github.event.pull_request.head.ref) ||
          format('e2e-{0}', github.ref) }}
  cancel-in-progress: true
 jobs:
  check-external-pr:
    runs-on: ubuntu-latest
    outputs:
      condition: ${{ steps.check.outputs.condition }}
      ref: ${{ steps.check.outputs.ref }}
    steps:
      - name: Check if PR is from external contributor
        id: check
        run: |
          echo "Event name: ${{ github.event_name }}"
          echo "Repository: ${{ github.repository }}"
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            # For pull_request events, check if PR is from external fork
            echo "PR head repo: ${{ github.event.pull_request.head.repo.full_name }}"
            if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
              echo "condition=skip" >> $GITHUB_OUTPUT
              echo "Setting condition=skip (Dependabot PR)"
            elif [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
              echo "condition=skip" >> $GITHUB_OUTPUT
              echo "Setting condition=skip (external fork PR creation)"
            else
              echo "condition=pr-creation-maintainer" >> $GITHUB_OUTPUT
              echo "Setting condition=pr-creation-maintainer (internal PR creation)"
              echo "ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
            fi
          elif [ "${{ github.event_name }}" == "repository_dispatch" ]; then
            # For repository_dispatch events (ok-to-test), check if sha matches
            SHA_PARAM="${{ github.event.client_payload.slash_command.args.named.sha }}"
            PR_HEAD_SHA="${{ github.event.client_payload.pull_request.head.sha }}"
            echo "Checking dispatch event conditions..."
            echo "SHA from command: $SHA_PARAM"
            echo "PR head SHA: $PR_HEAD_SHA"
            if [ -n "$SHA_PARAM" ] && [[ "$PR_HEAD_SHA" == *"$SHA_PARAM"* ]]; then
              echo "condition=dispatch-event" >> $GITHUB_OUTPUT
              echo "Setting condition=dispatch-event (sha matches)"
              echo "ref=$PR_HEAD_SHA" >> $GITHUB_OUTPUT
            else
              echo "condition=skip" >> $GITHUB_OUTPUT
              echo "Setting condition=skip (sha does not match or empty)"
            fi
          elif [ "${{ github.event_name }}" == "push" ] && [ "${REF_NAME}" == "main" ]; then
            echo "condition=push-to-main" >> $GITHUB_OUTPUT
            echo "Setting condition=push-to-main (push to main)"
            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
          else
            # Unknown event type
            echo "condition=skip" >> $GITHUB_OUTPUT
            echo "Setting condition=skip (unknown event type: ${{ github.event_name }})"
          fi
        env:
          REF_NAME: ${{ github.ref_name }}
  e2e:
    needs: check-external-pr
    if: |
      (needs.check-external-pr.outputs.condition == 'pr-creation-maintainer')
      ||
      (needs.check-external-pr.outputs.condition == 'dispatch-event')
      ||
      needs.check-external-pr.outputs.condition == 'push-to-main'
    uses: ./.github/workflows/e2e-tests.yml
    with:
      ref: ${{ needs.check-external-pr.outputs.ref }}
    secrets:
      OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
      OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
      OP_WORKLOAD_ID: ${{ secrets.OP_WORKLOAD_ID }}
      OP_ENVIRONMENT_ID: ${{ secrets.OP_ENVIRONMENT_ID }}
      OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
      VAULT: ${{ secrets.VAULT }}
  # Post comment on fork PRs after /ok-to-test
  comment-pr:
    needs: [check-external-pr, e2e]
    runs-on: ubuntu-latest
    if: always() && needs.check-external-pr.outputs.condition == 'dispatch-event'
    permissions:
      pull-requests: write
    steps:
      - name: Create URL to the run output
        id: vars
        run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
      - name: Create comment on PR
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
        with:
          issue-number: ${{ github.event.client_payload.pull_request.number }}
          body: |
            ${{
                needs.e2e.result == 'success' && '✅ E2E tests passed.' ||
                needs.e2e.result == 'failure' && '❌ E2E tests failed.' ||
                '⚠️ E2E tests completed.'
            }}
            [View test run output][1]
            [1]: ${{ steps.vars.outputs.run-url }}
@@ -0,0 +1,92 @@
 on:
  repository_dispatch:
    types: [ok-to-test-command]
 name: Run acceptance tests [fork]
 jobs:
  test-with-output-secrets:
    if: |
      github.event_name == 'repository_dispatch' &&
      github.event.client_payload.slash_command.args.named.sha != '' &&
      contains(
        github.event.client_payload.pull_request.head.sha,
        github.event.client_payload.slash_command.args.named.sha
      )
    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
    secrets: inherit
    with:
      secret: op://acceptance-tests/test-secret/password
      secret-in-section: op://acceptance-tests/test-secret/test-section/password
      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
      export-env: false
  test-with-export-env:
    if: |
      github.event_name == 'repository_dispatch' &&
      github.event.client_payload.slash_command.args.named.sha != '' &&
      contains(
        github.event.client_payload.pull_request.head.sha,
        github.event.client_payload.slash_command.args.named.sha
      )
    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
    secrets: inherit
    with:
      secret: op://acceptance-tests/test-secret/password
      secret-in-section: op://acceptance-tests/test-secret/test-section/password
      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
      export-env: true
  test-references-with-ids:
    if: |
      github.event_name == 'repository_dispatch' &&
      github.event.client_payload.slash_command.args.named.sha != '' &&
      contains(
        github.event.client_payload.pull_request.head.sha,
        github.event.client_payload.slash_command.args.named.sha
      )
    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@main
    secrets: inherit
    with:
      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
      export-env: false
  update-checks:
    # required permissions for updating the status of the pull request checks
    permissions:
      pull-requests: write
      checks: write
    runs-on: ubuntu-latest
    if: ${{ always() }}
    strategy:
      matrix:
        job-name:
          [
            test-with-output-secrets,
            test-with-export-env,
            test-references-with-ids,
          ]
    needs:
      [test-with-output-secrets, test-with-export-env, test-references-with-ids]
    steps:
      - uses: actions/github-script@v6
        env:
          job: ${{ matrix.job-name }}
          ref: ${{ github.event.client_payload.pull_request.head.sha }}
          conclusion: ${{ needs[format('{0}', matrix.job-name )].result }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const { data: checks } = await github.rest.checks.listForRef({
              ...context.repo,
              ref: process.env.ref
            });
            const check = checks.check_runs.filter(c => c.name === process.env.job);
            const { data: result } = await github.rest.checks.update({
              ...context.repo,
              check_run_id: check[0].id,
              status: 'completed',
              conclusion: process.env.conclusion
            });
            return result;
@@ -0,0 +1,100 @@
 on:
  push:
    branches: [main]
  pull_request:
 name: Run acceptance tests
 jobs:
  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 20
      - run: npm ci
      - run: npm test
  test-with-output-secrets:
    if: |
      github.ref == 'refs/heads/main' ||
      (
        github.event_name == 'pull_request' && 
        github.event.pull_request.head.repo.full_name == github.repository
      )
    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/rename-version-input # TODO: temporary point to this branch so tests can run with update input
    secrets: inherit
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        cli-version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
        auth: [connect, service-account]
        exclude:
          - os: macos-latest
            auth: connect
          - os: windows-latest
            auth: connect
    with:
      os: ${{ matrix.os }}
      cli-version: ${{ matrix.cli-version }}
      auth: ${{ matrix.auth }}
      secret: op://acceptance-tests/test-secret/password
      secret-in-section: op://acceptance-tests/test-secret/test-section/password
      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
      export-env: false
  test-with-export-env:
    if: |
      github.ref == 'refs/heads/main' ||
      (
        github.event_name == 'pull_request' && 
        github.event.pull_request.head.repo.full_name == github.repository
      )
    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/rename-version-input # TODO: temporary point to this branch so tests can run with update input
    secrets: inherit
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        cli-version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
        auth: [connect, service-account]
        exclude:
          - os: macos-latest
            auth: connect
          - os: windows-latest
            auth: connect
    with:
      os: ${{ matrix.os }}
      cli-version: ${{ matrix.cli-version }}
      auth: ${{ matrix.auth }}
      secret: op://acceptance-tests/test-secret/password
      secret-in-section: op://acceptance-tests/test-secret/test-section/password
      multiline-secret: op://acceptance-tests/multiline-secret/notesPlain
      export-env: true
  test-references-with-ids:
    if: |
      github.ref == 'refs/heads/main' ||
      (
        github.event_name == 'pull_request' && 
        github.event.pull_request.head.repo.full_name == github.repository
      )
    uses: 1password/load-secrets-action/.github/workflows/acceptance-test.yml@vzt/rename-version-input # TODO: temporary point to this branch so tests can run with update input
    secrets: inherit
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        cli-version: [latest, latest-beta, 2.30.0, 2.30.0-beta.03]
        auth: [connect, service-account]
        exclude:
          - os: macos-latest
            auth: connect
          - os: windows-latest
            auth: connect
    with:
      os: ${{ matrix.os }}
      cli-version: ${{ matrix.cli-version }}
      auth: ${{ matrix.auth }}
      secret: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
      secret-in-section: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/Section_tco6nsqycj6jcbyx63h5isxcny/doxu3mhkozcznnk5vjrkpdqayy
      multiline-secret: op://v5pz6venw4roosmkzdq2nhpv6u/ghtz3jvcc6dqmzc53d3r3eskge/notesPlain
      export-env: false
@@ -1,4 +1,2 @@
 coverage/
 node_modules/
 .idea/
 1password-credentials.json
@@ -17,8 +17,6 @@ Specify in your workflow YAML file which secrets from 1Password should be loaded
 Read more on the [1Password Developer Portal](https://developer.1password.com/docs/ci-cd/github-actions).
 _This project is licensed under [MIT](./LICENSE). Use of the 1Password APIs and services accessed through these tools is governed by the [1Password API Terms of Service](https://1password.com/legal/api-sdk-terms-of-service)._
 ## 🪄 See it in action!
 [![Using 1Password Service Accounts with GitHub Actions - showcase](https://img.youtube.com/vi/kVBl5iQYgSA/maxresdefault.jpg)](https://www.youtube.com/watch?v=kVBl5iQYgSA "Using 1Password Service Accounts with GitHub Actions")
@@ -36,12 +34,11 @@ jobs:
      - uses: actions/checkout@v4
      - name: Load secret
-        id: load_secrets
+        id: load_secret
-        uses: 1password/load-secrets-action@v4
+        uses: 1password/load-secrets-action@v3
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret
          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example
      - name: Print masked secret
        run: 'echo "Secret: ${{ steps.load_secrets.outputs.SECRET }}"'
@@ -59,64 +56,19 @@ jobs:
      - uses: actions/checkout@v4
      - name: Load secret
-        uses: 1password/load-secrets-action@v4
+        uses: 1password/load-secrets-action@v3
        with:
          # Export loaded secrets as environment variables
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret
          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example
      - name: Print masked secret
        run: 'echo "Secret: $SECRET"'
        # Prints: Secret: ***
 ```
 ### 🔑 SSH Key Format
 When loading SSH keys, you can specify the format using the `ssh-format` query parameter. This is useful when you need the private key in a specific format like OpenSSH.
 ```yml
 - name: Load SSH key
  uses: 1password/load-secrets-action@v4
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    # Load SSH private key in OpenSSH format
    SSH_PRIVATE_KEY: op://vault/item/private key?ssh-format=openssh
 ```
 For more details on secret reference syntax, see the [1Password CLI documentation](https://developer.1password.com/docs/cli/secret-reference-syntax/#ssh-format-parameter).
 ## 🧪 Workload Identity (private beta)
 > [!NOTE]
 > Workload Identity is in **private beta**. It's available to invited participants only. [Contact 1Password](https://developer.1password.com/joinslack) if you're interested in joining the beta.
 Instead of a Service Account token or Connect credentials, you can authenticate using Workload Identity, which exchanges your GitHub Actions OIDC token for short-lived 1Password access. To use it, set all three of the following environment variables (and do not set the Service Account token or the Connect variables):
 ```yml
 on: push
 jobs:
  hello-world:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required for the action to request a GitHub OIDC token
      contents: read
    steps:
      - name: Load secret
        id: load_secrets
        uses: 1password/load-secrets-action@v5beta
        env:
          OP_WORKLOAD_ID: ${{ vars.OP_WORKLOAD_ID }}
          OP_ENVIRONMENT_ID: ${{ vars.OP_ENVIRONMENT_ID }}
          OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}
 ```
 Unlike the Service Account and Connect flows, you don't select secrets with individual `op://` references. Instead, **all variables defined in the configured 1Password environment are loaded** and each one is exported as an environment variable (or set as a step output). Scope your environment to only the variables you want available to the job.
 If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
 ## 💙 Community & Support
 - File an [issue](https://github.com/1Password/load-secrets-action/issues) for bugs and feature requests.
@@ -11,9 +11,9 @@ inputs:
  export-env:
    description: Export the secrets as environment variables
    default: "false"
-  version:
+  cli-version:
    description: Specify which 1Password CLI version to install. Defaults to "latest".
    default: "latest"
 runs:
-  using: "node24"
+  using: "node20"
  main: "dist/index.js"
@@ -10,12 +10,6 @@ const jestConfig = {
 	rootDir: "../src/",
 	testEnvironment: "node",
 	testRegex: "(/__tests__/.*|(\\.|/)test)\\.ts",
 	moduleNameMapper: {
 		"^@actions/core$": "<rootDir>/__mocks__/actions-core.ts",
 		"^@actions/tool-cache$": "<rootDir>/__mocks__/actions-tool-cache.ts",
 		"^@actions/exec$": "<rootDir>/__mocks__/actions-exec.ts",
 		"^@1password/sdk$": "<rootDir>/__mocks__/1password-sdk.ts",
 	},
 	transform: {
 		".ts": [
 			"ts-jest",
@@ -31,4 +25,4 @@ const jestConfig = {
 	verbose: true,
 };
-module.exports = jestConfig;
+export default jestConfig;
@@ -9,5 +9,5 @@ inputs:
  service-account-token:
    description: Your 1Password service account token
 runs:
-  using: "node24"
+  using: "node20"
  main: "dist/index.js"
@@ -1,4 +1,4 @@
-import * as core from "@actions/core";
+const core = require("@actions/core");
 const configure = () => {
 	const OP_CONNECT_HOST =
@@ -1,32 +0,0 @@
 # Fork PR Testing Guide
 This document explains how testing works for external pull requests from forks.
 ## Overview
 The testing system consists of two main workflows:
 1. **E2E Tests** (`test-e2e.yml`) - Runs automatically for internal PRs, need manual trigger on external PRs.
 2. **Ok To Test** (`ok-to-test.yml`) - Dispatches `repository_dispatch` event when maintainer puts the `/ok-to-test sha=<commit hash>` comment in the forked PR thread.
 ## How It Works
 ### 1. PR is created by maintainer:
 For the PR created by maintainer `E2E Test` workflow starts automatically. The PR check will reflect the status of the job.
 ### 2. PR is created by external contributor:
 For the PR created by external contributor `E2E Test` workflow **won't** start automatically.
 Maintainer should make a sanity check of the changes and run it manually by:
 1. Putting a comment `/ok-to-test sha=<latest commit hash>` in the PR thread.
 2. `E2E Test` workflow starts.
 3. After `E2E Test` workflow finishes, a comment with a link to the workflow, along with its status will be posted in the PR.
 4. Maintainer can merge PR or request the changes based on the `E2E Test` results.
 ## Notes
 - Only users with **write** permissions can trigger the `/ok-to-test` command.
 - External PRs are automatically detected and prevented from running e2e tests automatically.
 - Running e2e test on the external PR is optional. Maintainer can merge PR without running it. Maintainer decides whether it's needed to run an E2E test.
@@ -1,46 +0,0 @@
 # Local Testing Guide
 This document explains how to run e2e tests locally using `act`.
 ## Prerequisites
 1. **Docker** installed and running
 2. **act** installed ([install guide](https://github.com/nektos/act#installation))
   ```bash
   brew install act  # macOS
   ```
 3. **1Password credentials** (see [Required Secrets](#required-secrets))
 4. Build action
 ## Required env variables
 | Secret                     | Description           |
 | -------------------------- | --------------------- |
 | `OP_SERVICE_ACCOUNT_TOKEN` | Service Account token |
 | `VAULT`                    | Vault name or UUID    |
 ## Building Before Testing
 If you've modified TypeScript code, rebuild before running E2E tests:
 ```bash
 npm run build
 ```
 ## Testing
 ### Run E2E tests using Service Account
 ```bash
 act push -W .github/workflows/e2e-tests.yml \
  -s OP_SERVICE_ACCOUNT_TOKEN="$OP_SERVICE_ACCOUNT_TOKEN" \
  -s VAULT="$VAULT" \
  -j test-service-account \
  --matrix os:ubuntu-latest
 ```
 ## Run unit tests
 ```bash
 npm test
 ```
@@ -1,20 +1,18 @@
 {
 	"name": "load-secrets-action",
-	"version": "5.0.0-beta.1",
+	"version": "2.0.0",
 	"lockfileVersion": 3,
 	"requires": true,
 	"packages": {
 		"": {
 			"name": "load-secrets-action",
-			"version": "5.0.0-beta.1",
+			"version": "2.0.0",
 			"license": "MIT",
 			"dependencies": {
 				"@1password/op-js": "^0.1.11",
-				"@1password/sdk": "0.5.0-beta.1",
+				"@actions/core": "^1.10.1",
-				"@actions/core": "^3.0.0",
+				"@actions/exec": "^1.1.1",
-				"@actions/exec": "^3.0.0",
+				"op-cli-installer": "github:1Password/op-cli-installer#e6c1c758bc3339e5fe9b06255728039f688f73fa"
 				"@actions/tool-cache": "^4.0.0",
 				"dotenv": "^17.2.2"
 			},
 			"devDependencies": {
 				"@1password/eslint-config": "^4.3.1",
@@ -73,65 +71,59 @@
 				"prettier": "^2.0.0 || ^3.0.0"
 			}
 		},
 		"node_modules/@1password/sdk": {
 			"version": "0.5.0-beta.1",
 			"resolved": "https://registry.npmjs.org/@1password/sdk/-/sdk-0.5.0-beta.1.tgz",
 			"integrity": "sha512-GY1kcn86qkb39jt20AyOftEu5Tw/Kyq4f84GOHXKRjur4TvqvzdhapynBBosRcBL+kBrc+E8cx7Tp7GEfqAomw==",
 			"license": "MIT",
 			"dependencies": {
 				"@1password/sdk-core": "0.5.0-beta.1"
 			}
 		},
 		"node_modules/@1password/sdk-core": {
 			"version": "0.5.0-beta.1",
 			"resolved": "https://registry.npmjs.org/@1password/sdk-core/-/sdk-core-0.5.0-beta.1.tgz",
 			"integrity": "sha512-61Q2n0kKYXBVAbW5ZVFqtbK1KX3lUfFi8wdsv+UjIVtbFd+X1GpFbLFs+nPtPgX+Z7oc2tTN/czK0S9Cz4oF/A==",
 			"license": "MIT"
 		},
 		"node_modules/@actions/core": {
-			"version": "3.0.0",
+			"version": "1.11.1",
-			"resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.0.tgz",
+			"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
-			"integrity": "sha512-zYt6cz+ivnTmiT/ksRVriMBOiuoUpDCJJlZ5KPl2/FRdvwU3f7MPh9qftvbkXJThragzUZieit2nyHUyw53Seg==",
+			"integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
 			"license": "MIT",
 			"dependencies": {
-				"@actions/exec": "^3.0.0",
+				"@actions/exec": "^1.1.1",
-				"@actions/http-client": "^4.0.0"
+				"@actions/http-client": "^2.0.1"
 			}
 		},
 		"node_modules/@actions/exec": {
-			"version": "3.0.0",
+			"version": "1.1.1",
-			"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
+			"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
-			"integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
+			"integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
 			"license": "MIT",
 			"dependencies": {
-				"@actions/io": "^3.0.2"
+				"@actions/io": "^1.0.1"
 			}
 		},
 		"node_modules/@actions/http-client": {
-			"version": "4.0.0",
+			"version": "2.2.3",
-			"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.0.tgz",
+			"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
-			"integrity": "sha512-QuwPsgVMsD6qaPD57GLZi9sqzAZCtiJT8kVBCDpLtxhL5MydQ4gS+DrejtZZPdIYyB1e95uCK9Luyds7ybHI3g==",
+			"integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
 			"license": "MIT",
 			"dependencies": {
 				"tunnel": "^0.0.6",
-				"undici": "^6.23.0"
+				"undici": "^5.25.4"
 			}
 		},
 		"node_modules/@actions/io": {
-			"version": "3.0.2",
+			"version": "1.1.3",
-			"resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
+			"resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
-			"integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw=="
+			"integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==",
 			"license": "MIT"
 		},
 		"node_modules/@actions/tool-cache": {
-			"version": "4.0.0",
+			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-4.0.0.tgz",
+			"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.2.tgz",
-			"integrity": "sha512-L8P9HbXvpvqjZDveb/fdsa55IVC0trfPgQ4ZwGo6r5af6YDVdM9vMGPZ7rgY2fAT9gGj4PSYd6bYlg3p3jD78A==",
+			"integrity": "sha512-fBhNNOWxuoLxztQebpOaWu6WeVmuwa77Z+DxIZ1B+OYvGkGQon6kTVg6Z32Cb13WCuw0szqonK+hh03mJV7Z6w==",
 			"license": "MIT",
 			"dependencies": {
-				"@actions/core": "^3.0.0",
+				"@actions/core": "^1.11.1",
-				"@actions/exec": "^3.0.0",
+				"@actions/exec": "^1.0.0",
-				"@actions/http-client": "^4.0.0",
+				"@actions/http-client": "^2.0.1",
-				"@actions/io": "^3.0.0",
+				"@actions/io": "^1.1.1",
-				"semver": "^7.7.3"
+				"semver": "^6.1.0"
 			}
 		},
 		"node_modules/@actions/tool-cache/node_modules/semver": {
 			"version": "6.3.1",
 			"resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
 			"integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
 			"bin": {
 				"semver": "bin/semver.js"
 			}
 		},
 		"node_modules/@ampproject/remapping": {
@@ -742,9 +734,9 @@
 			"peer": true
 		},
 		"node_modules/@eslint/eslintrc/node_modules/js-yaml": {
-			"version": "4.1.1",
+			"version": "4.1.0",
-			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-			"integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+			"integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
 			"dev": true,
 			"license": "MIT",
 			"peer": true,
@@ -766,6 +758,15 @@
 				"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
 			}
 		},
 		"node_modules/@fastify/busboy": {
 			"version": "2.1.1",
 			"resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
 			"integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
 			"license": "MIT",
 			"engines": {
 				"node": ">=14"
 			}
 		},
 		"node_modules/@humanwhocodes/config-array": {
 			"version": "0.13.0",
 			"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.13.0.tgz",
@@ -1572,6 +1573,32 @@
 				}
 			}
 		},
 		"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
 			"version": "2.0.2",
 			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
 			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
 			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"balanced-match": "^1.0.0"
 			}
 		},
 		"node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
 			"version": "9.0.3",
 			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
 			"integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
 			"dev": true,
 			"license": "ISC",
 			"dependencies": {
 				"brace-expansion": "^2.0.1"
 			},
 			"engines": {
 				"node": ">=16 || 14 >=14.17"
 			},
 			"funding": {
 				"url": "https://github.com/sponsors/isaacs"
 			}
 		},
 		"node_modules/@typescript-eslint/utils": {
 			"version": "6.21.0",
 			"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.21.0.tgz",
@@ -1660,10 +1687,11 @@
 			}
 		},
 		"node_modules/ajv": {
-			"version": "6.14.0",
+			"version": "6.12.6",
-			"resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
+			"resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-			"integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
+			"integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
 			"dev": true,
 			"license": "MIT",
 			"peer": true,
 			"dependencies": {
 				"fast-deep-equal": "^3.1.1",
@@ -2105,13 +2133,14 @@
 			"license": "MIT"
 		},
 		"node_modules/brace-expansion": {
-			"version": "2.0.2",
+			"version": "1.1.12",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
 			"dev": true,
 			"license": "MIT",
 			"dependencies": {
-				"balanced-match": "^1.0.0"
+				"balanced-match": "^1.0.0",
 				"concat-map": "0.0.1"
 			}
 		},
 		"node_modules/braces": {
@@ -2491,6 +2520,13 @@
 				"node": ">= 12.0.0"
 			}
 		},
 		"node_modules/concat-map": {
 			"version": "0.0.1",
 			"resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
 			"integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
 			"dev": true,
 			"license": "MIT"
 		},
 		"node_modules/convert-source-map": {
 			"version": "2.0.0",
 			"resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
@@ -2730,18 +2766,6 @@
 				"node": ">=6.0.0"
 			}
 		},
 		"node_modules/dotenv": {
 			"version": "17.2.2",
 			"resolved": "https://registry.npmjs.org/dotenv/-/dotenv-17.2.2.tgz",
 			"integrity": "sha512-Sf2LSQP+bOlhKWWyhFsn0UsfdK/kCWRv1iuA2gXAwt3dyNabr6QSj00I2V10pidqz69soatm9ZwZvpQMTIOd5Q==",
 			"license": "BSD-2-Clause",
 			"engines": {
 				"node": ">=12"
 			},
 			"funding": {
 				"url": "https://dotenvx.com"
 			}
 		},
 		"node_modules/dunder-proto": {
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
@@ -3433,9 +3457,9 @@
 			}
 		},
 		"node_modules/eslint/node_modules/js-yaml": {
-			"version": "4.1.1",
+			"version": "4.1.0",
-			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-			"integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+			"integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
 			"dev": true,
 			"license": "MIT",
 			"peer": true,
@@ -3714,6 +3738,29 @@
 				"minimatch": "^5.0.1"
 			}
 		},
 		"node_modules/filelist/node_modules/brace-expansion": {
 			"version": "2.0.2",
 			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
 			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
 			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"balanced-match": "^1.0.0"
 			}
 		},
 		"node_modules/filelist/node_modules/minimatch": {
 			"version": "5.1.6",
 			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
 			"integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
 			"dev": true,
 			"license": "ISC",
 			"dependencies": {
 				"brace-expansion": "^2.0.1"
 			},
 			"engines": {
 				"node": ">=10"
 			}
 		},
 		"node_modules/fill-range": {
 			"version": "7.1.1",
 			"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
@@ -3758,10 +3805,11 @@
 			}
 		},
 		"node_modules/flatted": {
-			"version": "3.4.2",
+			"version": "3.3.2",
-			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.2.tgz",
-			"integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+			"integrity": "sha512-AiwGJM8YcNOaobumgtng+6NHuOqC3A7MixFeDafM3X9cIUM+xUXoS5Vfgf+OihAYe20fxqNM9yPBXJzRtZ/4eA==",
 			"dev": true,
 			"license": "ISC",
 			"peer": true
 		},
 		"node_modules/for-each": {
@@ -5478,9 +5526,9 @@
 			"license": "MIT"
 		},
 		"node_modules/js-yaml": {
-			"version": "3.14.2",
+			"version": "3.14.1",
-			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
-			"integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
+			"integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
 			"dev": true,
 			"license": "MIT",
 			"dependencies": {
@@ -6135,19 +6183,16 @@
 			}
 		},
 		"node_modules/minimatch": {
-			"version": "9.0.9",
+			"version": "3.1.2",
-			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-			"integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
+			"integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
 			"dev": true,
 			"license": "ISC",
 			"dependencies": {
-				"brace-expansion": "^2.0.2"
+				"brace-expansion": "^1.1.7"
 			},
 			"engines": {
-				"node": ">=16 || 14 >=14.17"
+				"node": "*"
 			},
 			"funding": {
 				"url": "https://github.com/sponsors/isaacs"
 			}
 		},
 		"node_modules/minimist": {
@@ -6341,6 +6386,28 @@
 				"url": "https://github.com/sponsors/sindresorhus"
 			}
 		},
 		"node_modules/op-cli-installer": {
 			"version": "1.0.0",
 			"resolved": "git+ssh://git@github.com/1Password/op-cli-installer.git#e6c1c758bc3339e5fe9b06255728039f688f73fa",
 			"integrity": "sha512-ueyYQAgtbIHP2QWx9iCiztoPov01GdxPZNZ4+Qg3IaAyC4khMIk4/vYPagRhRKta+HI6fWV6jO3/ajBj27KBZA==",
 			"license": "MIT",
 			"dependencies": {
 				"@actions/core": "^1.11.1",
 				"@actions/tool-cache": "^2.0.2",
 				"semver": "^7.7.2"
 			}
 		},
 		"node_modules/op-cli-installer/node_modules/semver": {
 			"version": "7.7.2",
 			"resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
 			"integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
 			"bin": {
 				"semver": "bin/semver.js"
 			},
 			"engines": {
 				"node": ">=10"
 			}
 		},
 		"node_modules/optionator": {
 			"version": "0.9.4",
 			"resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz",
@@ -6965,9 +7032,9 @@
 			}
 		},
 		"node_modules/semver": {
-			"version": "7.7.4",
+			"version": "7.6.3",
-			"resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
+			"resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
-			"integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
+			"integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
 			"license": "ISC",
 			"bin": {
 				"semver": "bin/semver.js"
@@ -7834,11 +7901,15 @@
 			}
 		},
 		"node_modules/undici": {
-			"version": "6.24.1",
+			"version": "5.29.0",
-			"resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
+			"resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
-			"integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
+			"integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
 			"license": "MIT",
 			"dependencies": {
 				"@fastify/busboy": "^2.0.0"
 			},
 			"engines": {
-				"node": ">=18.17"
+				"node": ">=14.0"
 			}
 		},
 		"node_modules/undici-types": {
@@ -1,6 +1,6 @@
 {
 	"name": "load-secrets-action",
-	"version": "5.0.0-beta.1",
+	"version": "2.0.0",
 	"description": "Load Secrets from 1Password",
 	"main": "dist/index.js",
 	"directories": {
@@ -40,15 +40,10 @@
 	},
 	"homepage": "https://github.com/1Password/load-secrets-action#readme",
 	"dependencies": {
 		"@1password/sdk": "0.5.0-beta.1",
 		"@1password/op-js": "^0.1.11",
-		"@actions/core": "^3.0.0",
+		"@actions/core": "^1.10.1",
-		"@actions/exec": "^3.0.0",
+		"@actions/exec": "^1.1.1",
-		"@actions/tool-cache": "^4.0.0",
+		"op-cli-installer": "github:1Password/op-cli-installer#e6c1c758bc3339e5fe9b06255728039f688f73fa"
 		"dotenv": "^17.2.2"
 	},
 	"overrides": {
 		"minimatch": "^9.0.7"
 	},
 	"devDependencies": {
 		"@1password/eslint-config": "^4.3.1",
@@ -1 +0,0 @@
 export const createClient = jest.fn();
@@ -1,16 +0,0 @@
 module.exports = {
 	getInput: jest.fn(() => ""),
 	getBooleanInput: jest.fn(() => false),
 	setOutput: jest.fn(),
 	setSecret: jest.fn(),
 	exportVariable: jest.fn(),
 	setFailed: jest.fn(),
 	info: jest.fn(),
 	warning: jest.fn(),
 	error: jest.fn(),
 	debug: jest.fn(),
 	addPath: jest.fn(),
 	isDebug: jest.fn(() => false),
 	// eslint-disable-next-line @typescript-eslint/naming-convention
 	getIDToken: jest.fn().mockResolvedValue("mock-oidc-token"),
 };
@@ -1,5 +0,0 @@
 module.exports = {
 	getExecOutput: jest.fn(() => ({
 		stdout: "MOCK_SECRET",
 	})),
 };
@@ -1,10 +0,0 @@
 module.exports = {
 	downloadTool: jest.fn(),
 	extractTar: jest.fn(),
 	extractZip: jest.fn(),
 	cacheDir: jest.fn<Promise<string>, [string]>(async (dir) => {
 		await Promise.resolve();
 		return dir;
 	}),
 	find: jest.fn<string, [string, string?, string?]>(() => ""),
 };
@@ -2,9 +2,5 @@ export const envConnectHost = "OP_CONNECT_HOST";
 export const envConnectToken = "OP_CONNECT_TOKEN";
 export const envServiceAccountToken = "OP_SERVICE_ACCOUNT_TOKEN";
 export const envManagedVariables = "OP_MANAGED_VARIABLES";
 export const envFilePath = "OP_ENV_FILE";
 export const envWorkloadId = "OP_WORKLOAD_ID";
 export const envEnvironmentId = "OP_ENVIRONMENT_ID";
 export const envIntegrationKey = "OP_INTEGRATION_KEY";
 export const authErr = `Authentication error with environment variables: you must set either 1) ${envServiceAccountToken}, or 2) both ${envConnectHost} and ${envConnectToken}.`;
@@ -1,16 +1,7 @@
 import dotenv from "dotenv";
 import * as core from "@actions/core";
 import { validateCli } from "@1password/op-js";
-import { installCliOnGithubActionRunner } from "./op-cli-installer";
+import { installCliOnGithubActionRunner } from "op-cli-installer";
-import {
+import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
 	getWorkloadIdentityConfig,
 	hasCliAuth,
 	loadSecrets,
 	unsetPrevious,
 	validateAuth,
 } from "./utils";
 import { loadSecretsFromSDK } from "./sdk-client";
 import { envFilePath } from "./constants";
 const loadSecretsAction = async () => {
 	try {
@@ -23,42 +14,14 @@ const loadSecretsAction = async () => {
 			unsetPrevious();
 		}
 		const workloadConfig = getWorkloadIdentityConfig();
 		// `unset-previous` can run with no credentials present: Workload Identity creds
 		// are inline per-step and intentionally not persisted (persisting them would make
 		// every later step re-load all variables). Nothing to auth or load, we're done.
 		if (shouldUnsetPrevious && !workloadConfig && !hasCliAuth()) {
 			core.info(
 				"No authentication configured; unset previously managed variables. No secrets were loaded.",
 			);
 			return;
 		}
 		if (workloadConfig) {
 			await loadSecretsFromSDK(
 				workloadConfig.workloadId,
 				workloadConfig.environmentId,
 				workloadConfig.integrationKey,
 				shouldExportEnv,
 			);
 		} else {
 		// Validate that a proper authentication configuration is set for the CLI
 		validateAuth();
 			// Set environment variables from OP_ENV_FILE
 			const file = process.env[envFilePath];
 			if (file) {
 				core.info(`Loading environment variables from file: ${file}`);
 				dotenv.config({ path: file });
 			}
 		// Download and install the CLI
 		await installCLI();
 		// Load secrets
 		await loadSecrets(shouldExportEnv);
 		}
 	} catch (error) {
 		// It's possible for the Error constructor to be modified to be anything
 		// in JavaScript, so the following code accounts for this possibility.
@@ -81,7 +44,9 @@ const installCLI = async (): Promise<void> => {
 	// If there's no CLI installed, then validateCli will throw an error, which we will use
 	// as an indicator that we need to execute the installation script.
 	await validateCli().catch(async () => {
-		await installCliOnGithubActionRunner();
+		// defaults to `latest` if not provided
 		const cliVersion = core.getInput("cli-version");
 		await installCliOnGithubActionRunner(cliVersion);
 	});
 };
@@ -1,58 +0,0 @@
 import os from "os";
 import * as core from "@actions/core";
 import * as tc from "@actions/tool-cache";
 export type SupportedPlatform = Extract<
 	NodeJS.Platform,
 	"linux" | "darwin" | "win32"
 >;
 // maps OS architecture names to 1Password CLI installer architecture names
 export const archMap: Record<string, string> = {
 	ia32: "386",
 	x64: "amd64",
 	arm: "arm",
 	arm64: "arm64",
 };
 // Builds the download URL for the 1Password CLI based on the platform and version.
 export const cliUrlBuilder: Record<
 	SupportedPlatform,
 	(version: string, arch?: string) => string
 > = {
 	linux: (version, arch) =>
 		`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_linux_${arch}_${version}.zip`,
 	darwin: (version) =>
 		`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_apple_universal_${version}.pkg`,
 	win32: (version, arch) =>
 		`https://cache.agilebits.com/dist/1P/op2/pkg/${version}/op_windows_${arch}_${version}.zip`,
 };
 export class CliInstaller {
 	public readonly version: string;
 	public readonly arch: string;
 	public constructor(version: string) {
 		this.version = version;
 		this.arch = this.getArch();
 	}
 	public async install(url: string): Promise<void> {
 		console.info(`Downloading 1Password CLI from: ${url}`);
 		const downloadPath = await tc.downloadTool(url);
 		console.info("Installing 1Password CLI");
 		const extractedPath = await tc.extractZip(downloadPath);
 		core.addPath(extractedPath);
 		core.info("1Password CLI installed");
 	}
 	private getArch(): string {
 		const arch = archMap[os.arch()];
 		if (!arch) {
 			throw new Error("Unsupported architecture");
 		}
 		return arch;
 	}
 }
@@ -1 +0,0 @@
 export { type Installer, newCliInstaller } from "./installer";
@@ -1,43 +0,0 @@
 import os from "os";
 import { newCliInstaller } from "./installer";
 import { LinuxInstaller } from "./linux";
 import { MacOsInstaller } from "./macos";
 import { WindowsInstaller } from "./windows";
 afterEach(() => {
 	jest.restoreAllMocks();
 });
 describe("newCliInstaller", () => {
 	const version = "1.0.0";
 	afterEach(() => {
 		jest.resetAllMocks();
 	});
 	it("should return LinuxInstaller for linux platform", () => {
 		jest.spyOn(os, "platform").mockReturnValue("linux");
 		const installer = newCliInstaller(version);
 		expect(installer).toBeInstanceOf(LinuxInstaller);
 	});
 	it("should return MacOsInstaller for darwin platform", () => {
 		jest.spyOn(os, "platform").mockReturnValue("darwin");
 		const installer = newCliInstaller(version);
 		expect(installer).toBeInstanceOf(MacOsInstaller);
 	});
 	it("should return WindowsInstaller for win32 platform", () => {
 		jest.spyOn(os, "platform").mockReturnValue("win32");
 		const installer = newCliInstaller(version);
 		expect(installer).toBeInstanceOf(WindowsInstaller);
 	});
 	it("should throw error for unsupported platform", () => {
 		jest.spyOn(os, "platform").mockReturnValue("sunos");
 		expect(() => newCliInstaller(version)).toThrow(
 			"Unsupported platform: sunos",
 		);
 	});
 });
@@ -1,23 +0,0 @@
 import os from "os";
 import { LinuxInstaller } from "./linux";
 import { MacOsInstaller } from "./macos";
 import { WindowsInstaller } from "./windows";
 export interface Installer {
 	installCli(): Promise<void>;
 }
 export const newCliInstaller = (version: string): Installer => {
 	const platform = os.platform();
 	switch (platform) {
 		case "linux":
 			return new LinuxInstaller(version);
 		case "darwin":
 			return new MacOsInstaller(version);
 		case "win32":
 			return new WindowsInstaller(version);
 		default:
 			throw new Error(`Unsupported platform: ${platform}`);
 	}
 };
@@ -1,38 +0,0 @@
 import os from "os";
 import {
 	archMap,
 	CliInstaller,
 	cliUrlBuilder,
 	type SupportedPlatform,
 } from "./cli-installer";
 import { LinuxInstaller } from "./linux";
 afterEach(() => {
 	jest.restoreAllMocks();
 });
 describe("LinuxInstaller", () => {
 	const version = "1.2.3";
 	const arch: NodeJS.Architecture = "arm64";
 	it("should construct with given version and architecture", () => {
 		jest.spyOn(os, "arch").mockReturnValue(arch);
 		const installer = new LinuxInstaller(version);
 		expect(installer.version).toEqual(version);
 		expect(installer.arch).toEqual(archMap[arch]);
 	});
 	it("should call install with correct URL", async () => {
 		const installer = new LinuxInstaller(version);
 		const installMock = jest
 			.spyOn(CliInstaller.prototype, "install")
 			.mockResolvedValue();
 		await installer.installCli();
 		const builder = cliUrlBuilder["linux" as SupportedPlatform];
 		const url = builder(version, installer.arch);
 		expect(installMock).toHaveBeenCalledWith(url);
 	});
 });
@@ -1,19 +0,0 @@
 import {
 	CliInstaller,
 	cliUrlBuilder,
 	type SupportedPlatform,
 } from "./cli-installer";
 import type { Installer } from "./installer";
 export class LinuxInstaller extends CliInstaller implements Installer {
 	private readonly platform: SupportedPlatform = "linux"; // Node.js platform identifier for Linux
 	public constructor(version: string) {
 		super(version);
 	}
 	public async installCli(): Promise<void> {
 		const urlBuilder = cliUrlBuilder[this.platform];
 		await super.install(urlBuilder(this.version, this.arch));
 	}
 }
@@ -1,35 +0,0 @@
 import os from "os";
 import {
 	archMap,
 	cliUrlBuilder,
 	type SupportedPlatform,
 } from "./cli-installer";
 import { MacOsInstaller } from "./macos";
 afterEach(() => {
 	jest.restoreAllMocks();
 });
 describe("MacOsInstaller", () => {
 	const version = "1.2.3";
 	const arch: NodeJS.Architecture = "x64";
 	it("should construct with given version and architecture", () => {
 		jest.spyOn(os, "arch").mockReturnValue(arch);
 		const installer = new MacOsInstaller(version);
 		expect(installer.version).toEqual(version);
 		expect(installer.arch).toEqual(archMap[arch]);
 	});
 	it("should call install with correct URL", async () => {
 		const installer = new MacOsInstaller(version);
 		const installMock = jest.spyOn(installer, "install").mockResolvedValue();
 		await installer.installCli();
 		const builder = cliUrlBuilder["darwin" as SupportedPlatform];
 		const url = builder(version, installer.arch);
 		expect(installMock).toHaveBeenCalledWith(url);
 	});
 });
@@ -1,49 +0,0 @@
 import { execFile } from "child_process";
 import * as fs from "fs";
 import * as path from "path";
 import { promisify } from "util";
 import * as core from "@actions/core";
 import * as tc from "@actions/tool-cache";
 import {
 	CliInstaller,
 	cliUrlBuilder,
 	type SupportedPlatform,
 } from "./cli-installer";
 import { type Installer } from "./installer";
 const execFileAsync = promisify(execFile);
 export class MacOsInstaller extends CliInstaller implements Installer {
 	private readonly platform: SupportedPlatform = "darwin"; // Node.js platform identifier for macOS
 	public constructor(version: string) {
 		super(version);
 	}
 	public async installCli(): Promise<void> {
 		const urlBuilder = cliUrlBuilder[this.platform];
 		await this.install(urlBuilder(this.version));
 	}
 	// @actions/tool-cache package does not support .pkg files, so we need to handle the installation manually
 	public override async install(downloadUrl: string): Promise<void> {
 		console.info(`Downloading 1Password CLI from: ${downloadUrl}`);
 		const pkgPath = await tc.downloadTool(downloadUrl);
 		const pkgWithExtension = `${pkgPath}.pkg`;
 		fs.renameSync(pkgPath, pkgWithExtension);
 		const expandDir = "temp-pkg";
 		await execFileAsync("pkgutil", ["--expand", pkgWithExtension, expandDir]);
 		const payloadPath = path.join(expandDir, "op.pkg", "Payload");
 		console.info("Installing 1Password CLI");
 		const cliPath = await tc.extractTar(payloadPath);
 		core.addPath(cliPath);
 		fs.rmSync(expandDir, { recursive: true, force: true });
 		fs.rmSync(pkgPath, { force: true });
 		core.info("1Password CLI installed");
 	}
 }
@@ -1,60 +0,0 @@
 import fs from "fs";
 import os from "os";
 import * as core from "@actions/core";
 import * as tc from "@actions/tool-cache";
 import {
 	archMap,
 	cliUrlBuilder,
 	type SupportedPlatform,
 } from "./cli-installer";
 import { WindowsInstaller } from "./windows";
 jest.mock("fs");
 afterEach(() => {
 	jest.restoreAllMocks();
 });
 describe("WindowsInstaller", () => {
 	const version = "1.2.3";
 	const arch: NodeJS.Architecture = "x64";
 	it("should construct with given version and architecture", () => {
 		jest.spyOn(os, "arch").mockReturnValue(arch);
 		const installer = new WindowsInstaller(version);
 		expect(installer.version).toEqual(version);
 		expect(installer.arch).toEqual(archMap[arch]);
 	});
 	it("should call install with correct URL", async () => {
 		const installer = new WindowsInstaller(version);
 		const installMock = jest.spyOn(installer, "install").mockResolvedValue();
 		await installer.installCli();
 		const builder = cliUrlBuilder["win32" as SupportedPlatform];
 		const url = builder(version, installer.arch);
 		expect(installMock).toHaveBeenCalledWith(url);
 	});
 	it("should rename downloaded file with .zip extension before extracting", async () => {
 		const downloadPath = "/tmp/abc-123";
 		const extractedPath = "/tmp/extracted";
 		(tc.downloadTool as jest.Mock).mockResolvedValue(downloadPath);
 		(tc.extractZip as jest.Mock).mockResolvedValue(extractedPath);
 		const installer = new WindowsInstaller(version);
 		await installer.installCli();
 		expect(tc.downloadTool).toHaveBeenCalled();
 		expect(fs.renameSync).toHaveBeenCalledWith(
 			downloadPath,
 			`${downloadPath}.zip`,
 		);
 		expect(tc.extractZip).toHaveBeenCalledWith(`${downloadPath}.zip`);
 		expect(core.addPath).toHaveBeenCalledWith(extractedPath);
 	});
 });
@@ -1,37 +0,0 @@
 import * as fs from "fs";
 import * as core from "@actions/core";
 import * as tc from "@actions/tool-cache";
 import {
 	CliInstaller,
 	cliUrlBuilder,
 	type SupportedPlatform,
 } from "./cli-installer";
 import type { Installer } from "./installer";
 export class WindowsInstaller extends CliInstaller implements Installer {
 	private readonly platform: SupportedPlatform = "win32"; // Node.js platform identifier for Windows
 	public constructor(version: string) {
 		super(version);
 	}
 	public async installCli(): Promise<void> {
 		const urlBuilder = cliUrlBuilder[this.platform];
 		await this.install(urlBuilder(this.version, this.arch));
 	}
 	// Windows PowerShell's Expand-Archive requires files to have a .zip extension.
 	// tc.downloadTool saves to a UUID filename with no extension, so we rename it.
 	public override async install(url: string): Promise<void> {
 		console.info(`Downloading 1Password CLI from: ${url}`);
 		const downloadPath = await tc.downloadTool(url);
 		const zipPath = `${downloadPath}.zip`;
 		fs.renameSync(downloadPath, zipPath);
 		console.info("Installing 1Password CLI");
 		const extractedPath = await tc.extractZip(zipPath);
 		core.addPath(extractedPath);
 		core.info("1Password CLI installed");
 	}
 }
@@ -1,18 +0,0 @@
 import * as core from "@actions/core";
 import { ReleaseChannel, VersionResolver } from "../version";
 import { newCliInstaller } from "./cli-installer";
 // Installs the 1Password CLI on a GitHub Action runner.
 export const installCliOnGithubActionRunner = async (
 	version?: string,
 ): Promise<void> => {
 	// Get the version from parameter, if not passed - from the job input. Defaults to latest if no version is provided
 	const providedVersion =
 		version || core.getInput("version") || ReleaseChannel.latest;
 	const versionResolver = new VersionResolver(providedVersion);
 	await versionResolver.resolve();
 	const installer = newCliInstaller(versionResolver.get());
 	await installer.installCli();
 };
@@ -1,81 +0,0 @@
 import * as core from "@actions/core";
 import { newCliInstaller } from "./github-action/cli-installer";
 import {
 	installCliOnGithubActionRunner,
 	ReleaseChannel,
 	VersionResolver,
 } from "./index";
 jest.mock("./github-action/cli-installer", () => ({
 	newCliInstaller: jest.fn().mockImplementation((_resolved: string) => ({
 		installCli: jest.fn(),
 	})),
 }));
 beforeEach(() => {
 	jest.restoreAllMocks();
 });
 describe("installCliOnGithubActionRunner", () => {
 	it("should defaults to `latest` when nothing is passed", async () => {
 		jest.spyOn(core, "getInput").mockReturnValue("");
 		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
 		jest
 			.spyOn(VersionResolver.prototype, "get")
 			.mockReturnValue(ReleaseChannel.latest);
 		await installCliOnGithubActionRunner();
 		expect(newCliInstaller).toHaveBeenCalledWith(ReleaseChannel.latest);
 	});
 	it("should defaults to `latest` when undefined is passed", async () => {
 		jest.spyOn(core, "getInput").mockReturnValue("");
 		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
 		jest
 			.spyOn(VersionResolver.prototype, "get")
 			.mockReturnValue(ReleaseChannel.latest);
 		await installCliOnGithubActionRunner(undefined);
 		expect(newCliInstaller).toHaveBeenCalledWith(ReleaseChannel.latest);
 	});
 	it("should set provided explicit version", async () => {
 		const providedVersion = "1.2.3";
 		jest.spyOn(core, "getInput").mockReturnValue("");
 		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
 		jest
 			.spyOn(VersionResolver.prototype, "get")
 			.mockReturnValue(providedVersion);
 		await installCliOnGithubActionRunner(providedVersion);
 		expect(newCliInstaller).toHaveBeenCalledWith(providedVersion);
 	});
 	it("should set version provided as job input", async () => {
 		const providedVersion = "3.0.0";
 		jest.spyOn(core, "getInput").mockReturnValue(providedVersion);
 		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
 		jest
 			.spyOn(VersionResolver.prototype, "get")
 			.mockReturnValue(providedVersion);
 		await installCliOnGithubActionRunner();
 		expect(newCliInstaller).toHaveBeenCalledWith(providedVersion);
 	});
 	it("should throw error for invalid version", async () => {
 		const providedVersion = "invalid";
 		jest.spyOn(core, "getInput").mockReturnValue(providedVersion);
 		jest.spyOn(VersionResolver.prototype, "resolve").mockResolvedValue();
 		jest
 			.spyOn(VersionResolver.prototype, "get")
 			.mockReturnValue(providedVersion);
 		await expect(installCliOnGithubActionRunner()).rejects.toThrow();
 	});
 });
@@ -1,2 +0,0 @@
 export { installCliOnGithubActionRunner } from "./github-action";
 export { ReleaseChannel, VersionResolver } from "./version";
@@ -1,13 +0,0 @@
 export enum ReleaseChannel {
 	latest = "latest",
 	latestBeta = "latest-beta",
 }
 export interface VersionResponse {
 	// eslint disabled next line as CLI2 is expected in getting CLI versions response
 	/* eslint-disable-next-line @typescript-eslint/naming-convention */
 	CLI2: {
 		release: { version: string };
 		beta: { version: string };
 	};
 }
@@ -1,91 +0,0 @@
 import { ReleaseChannel } from "./constants";
 import { getLatestVersion } from "./helper";
 describe("getLatestVersion", () => {
 	beforeEach(() => {
 		jest.restoreAllMocks();
 	});
 	it("should return latest stable version", async () => {
 		const mockResponse = {
 			// eslint-disable-next-line @typescript-eslint/naming-convention
 			CLI2: {
 				release: { version: "2.31.0" },
 				beta: { version: "2.32.0-beta.01" },
 			},
 		};
 		jest.spyOn(global, "fetch").mockResolvedValueOnce({
 			// eslint-disable-next-line @typescript-eslint/require-await
 			json: async () => mockResponse,
 		} as Response);
 		const version = await getLatestVersion(ReleaseChannel.latest);
 		expect(version).toBe("2.31.0");
 	});
 	it("should return latest beta version", async () => {
 		const mockResponse = {
 			// eslint-disable-next-line @typescript-eslint/naming-convention
 			CLI2: {
 				release: { version: "2.31.0" },
 				beta: { version: "2.32.0-beta.01" },
 			},
 		};
 		jest.spyOn(global, "fetch").mockResolvedValueOnce({
 			// eslint-disable-next-line @typescript-eslint/require-await
 			json: async () => mockResponse,
 		} as Response);
 		const version = await getLatestVersion(ReleaseChannel.latestBeta);
 		expect(version).toBe("2.32.0-beta.01");
 	});
 	it("should throw if no CLI2 field", async () => {
 		jest.spyOn(global, "fetch").mockResolvedValueOnce({
 			// eslint-disable-next-line @typescript-eslint/require-await
 			json: async () => ({}),
 		} as Response);
 		await expect(getLatestVersion(ReleaseChannel.latest)).rejects.toThrow(
 			`No ${ReleaseChannel.latest} versions found`,
 		);
 	});
 	it("should throw if no stable version found", async () => {
 		const mockResponse = {
 			// eslint-disable-next-line @typescript-eslint/naming-convention
 			CLI2: {
 				beta: { version: "2.32.0-beta.01" },
 			},
 		};
 		jest.spyOn(global, "fetch").mockResolvedValueOnce({
 			// eslint-disable-next-line @typescript-eslint/require-await
 			json: async () => mockResponse,
 		} as Response);
 		await expect(getLatestVersion(ReleaseChannel.latest)).rejects.toThrow(
 			`No ${ReleaseChannel.latest} versions found`,
 		);
 	});
 	it("should throw if no beta version found", async () => {
 		const mockResponse = {
 			// eslint-disable-next-line @typescript-eslint/naming-convention
 			CLI2: {
 				release: { version: "2.32.0" },
 			},
 		};
 		jest.spyOn(global, "fetch").mockResolvedValueOnce({
 			// eslint-disable-next-line @typescript-eslint/require-await
 			json: async () => mockResponse,
 		} as Response);
 		await expect(getLatestVersion(ReleaseChannel.latestBeta)).rejects.toThrow(
 			`No ${ReleaseChannel.latestBeta} versions found`,
 		);
 	});
 });
@@ -1,23 +0,0 @@
 import * as core from "@actions/core";
 import { ReleaseChannel, type VersionResponse } from "./constants";
 // Returns the latest version of the 1Password CLI based on the specified channel.
 export const getLatestVersion = async (
 	channel: ReleaseChannel,
 ): Promise<string> => {
 	core.info(`Getting ${channel} version number`);
 	const res = await fetch("https://app-updates.agilebits.com/latest");
 	const json = (await res.json()) as VersionResponse;
 	const latestStable = json?.CLI2?.release?.version;
 	const latestBeta = json?.CLI2?.beta?.version;
 	const version =
 		channel === ReleaseChannel.latestBeta ? latestBeta : latestStable;
 	if (!version) {
 		core.error(`No ${channel} versions found`);
 		throw new Error(`No ${channel} versions found`);
 	}
 	return version;
 };
@@ -1,2 +0,0 @@
 export { VersionResolver } from "./version-resolver";
 export { ReleaseChannel } from "./constants";
@@ -1,45 +0,0 @@
 import { describe, expect, it } from "@jest/globals";
 import { validateVersion } from "./validate";
 describe("validateVersion", () => {
 	it('should not throw for "latest"', () => {
 		expect(() => validateVersion("latest")).not.toThrow();
 	});
 	it('should not throw for "latest-beta"', () => {
 		expect(() => validateVersion("latest-beta")).not.toThrow();
 	});
 	it('should not throw for valid semver version "2.18.0"', () => {
 		expect(() => validateVersion("2.18.0")).not.toThrow();
 	});
 	it('should throw for partial version "2"', () => {
 		expect(() => validateVersion("2")).toThrow();
 	});
 	it('should throw for partial version "2.1"', () => {
 		expect(() => validateVersion("2.1")).toThrow();
 	});
 	it('should not throw for valid beta "2.19.0-beta.01"', () => {
 		expect(() => validateVersion("2.19.0-beta.01")).not.toThrow();
 	});
 	it('should not throw for valid beta "2.19.3-beta.12"', () => {
 		expect(() => validateVersion("2.19.3-beta.12")).not.toThrow();
 	});
 	it('should not throw for coerced version "v2.19.0"', () => {
 		expect(() => validateVersion("v2.19.0")).not.toThrow();
 	});
 	it('should throw for invalid version "latest-abc"', () => {
 		expect(() => validateVersion("latest-abc")).toThrow();
 	});
 	it("should throw for empty string", () => {
 		expect(() => validateVersion("")).toThrow();
 	});
 });
@@ -1,23 +0,0 @@
 import semver from "semver";
 import { ReleaseChannel } from "./constants";
 // Validates if the provided version type is a valid enum value or a valid semver version.
 export const validateVersion = (input: string): void => {
 	if (Object.values(ReleaseChannel).includes(input as ReleaseChannel)) {
 		return;
 	}
 	// 1Password beta releases (aka 2.19.0-beta.01) are not semver compliant.
 	// According to semver, it should be "2.19.0-beta.1".
 	// That's why we need to normalize them before validating.
 	// Accepts valid semver versions like "2.18.0" or beta-releases like "2.19.0-beta.01"
 	// or versions with 'v' prefix like "v2.19.0"
 	const normalized = input.replace(/-beta\.0*(\d+)/, "-beta.$1");
 	const normInput = new semver.SemVer(normalized);
 	if (semver.valid(normInput)) {
 		return;
 	}
 	throw new Error(`Invalid version input: ${input}`);
 };
@@ -1,58 +0,0 @@
 import { expect } from "@jest/globals";
 import { ReleaseChannel } from "./constants";
 import { VersionResolver } from "./version-resolver";
 describe("VersionResolver", () => {
 	test("should throw error when invalid version provided", () => {
 		expect(() => new VersionResolver("vv")).toThrow();
 	});
 	test("should throw error when version is empty", () => {
 		expect(() => new VersionResolver("")).toThrow();
 	});
 	test("should throw error for major version only", () => {
 		expect(() => new VersionResolver("1")).toThrow();
 	});
 	test("should throw error for major and minor version only", () => {
 		expect(() => new VersionResolver("1.0")).toThrow();
 	});
 	test("should resolve latest stable version", async () => {
 		const versionResolver = new VersionResolver(ReleaseChannel.latest);
 		await versionResolver.resolve();
 		expect(versionResolver.get()).toBeDefined();
 	});
 	test("should resolve latest beta version", async () => {
 		const versionResolver = new VersionResolver(ReleaseChannel.latestBeta);
 		await versionResolver.resolve();
 		expect(versionResolver.get()).toBeDefined();
 	});
 	test("should resolve version without 'v' prefix", async () => {
 		const versionResolver = new VersionResolver("1.0.0");
 		await versionResolver.resolve();
 		expect(versionResolver.get()).toBe("v1.0.0");
 	});
 	test("should resolve version with 'v' prefix", async () => {
 		const versionResolver = new VersionResolver("v1.0.0");
 		await versionResolver.resolve();
 		expect(versionResolver.get()).toBe("v1.0.0");
 	});
 	test("should resolve beta version without 'v' prefix", async () => {
 		const versionResolver = new VersionResolver("2.19.0-beta.01");
 		await versionResolver.resolve();
 		expect(versionResolver.get()).toBe("v2.19.0-beta.01");
 	});
 	test("should resolve beta version with 'v' prefix", async () => {
 		const versionResolver = new VersionResolver("v2.19.0-beta.01");
 		await versionResolver.resolve();
 		expect(versionResolver.get()).toBe("v2.19.0-beta.01");
 	});
 });
@@ -1,45 +0,0 @@
 import * as core from "@actions/core";
 import { ReleaseChannel } from "./constants";
 import { getLatestVersion } from "./helper";
 import { validateVersion } from "./validate";
 export class VersionResolver {
 	private version: string;
 	public constructor(version: string) {
 		this.validate(version);
 		this.version = version;
 	}
 	public get(): string {
 		return this.version;
 	}
 	public async resolve(): Promise<void> {
 		core.info(`Resolving version: ${this.version}`);
 		if (!this.version) {
 			core.error("Version is not provided");
 			throw new Error("Version is not provided");
 		}
 		if (this.isReleaseChannel(this.version)) {
 			this.version = await getLatestVersion(this.version);
 		}
 		// add `v` prefix if not already present
 		this.version = this.version.startsWith("v")
 			? this.version
 			: `v${this.version}`;
 	}
 	private validate(version: string) {
 		core.info(`Validating version number: '${version}'`);
 		validateVersion(version);
 		core.info(`Version number '${version}' is valid`);
 	}
 	private isReleaseChannel(value: string): value is ReleaseChannel {
 		return Object.values(ReleaseChannel).includes(value as ReleaseChannel);
 	}
 }
@@ -1,114 +0,0 @@
 import * as core from "@actions/core";
 import { createClient } from "@1password/sdk";
 import { envManagedVariables } from "./constants";
 import { getOIDCToken, loadSecretsFromSDK } from "./sdk-client";
 jest.mock("@1password/sdk");
 const mockGetVariables = jest.fn();
 beforeEach(() => {
 	jest.clearAllMocks();
 	(createClient as jest.Mock).mockResolvedValue({
 		environments: {
 			getVariables: mockGetVariables,
 		},
 	});
 });
 describe("getOIDCToken", () => {
 	it("delegates to core.getIDToken", async () => {
 		(core.getIDToken as jest.Mock).mockResolvedValue("oidc-token");
 		await expect(getOIDCToken("test-audience")).resolves.toBe("oidc-token");
 		expect(core.getIDToken).toHaveBeenCalledWith("test-audience");
 	});
 });
 describe("loadSecretsFromSDK", () => {
 	const workloadId = "workload-uuid";
 	const environmentId = "environment-uuid";
 	const integrationKey = "integration-key";
 	const variables = [
 		{ name: "DOCKERHUB_USERNAME", value: "myuser" },
 		{ name: "DOCKERHUB_TOKEN", value: "mypassword" },
 	];
 	beforeEach(() => {
 		mockGetVariables.mockResolvedValue({ variables });
 	});
 	it("sets secrets as step outputs by default", async () => {
 		await loadSecretsFromSDK(workloadId, environmentId, integrationKey, false);
 		expect(core.setOutput).toHaveBeenCalledWith("DOCKERHUB_USERNAME", "myuser");
 		expect(core.setOutput).toHaveBeenCalledWith(
 			"DOCKERHUB_TOKEN",
 			"mypassword",
 		);
 		expect(core.exportVariable).not.toHaveBeenCalledWith(
 			"DOCKERHUB_USERNAME",
 			"myuser",
 		);
 		expect(core.setSecret).toHaveBeenCalledWith("myuser");
 		expect(core.setSecret).toHaveBeenCalledWith("mypassword");
 		expect(core.exportVariable).not.toHaveBeenCalledWith(
 			envManagedVariables,
 			expect.any(String),
 		);
 	});
 	it("exports secrets as environment variables when shouldExportEnv is true", async () => {
 		await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
 		expect(core.exportVariable).toHaveBeenCalledWith(
 			"DOCKERHUB_USERNAME",
 			"myuser",
 		);
 		expect(core.exportVariable).toHaveBeenCalledWith(
 			"DOCKERHUB_TOKEN",
 			"mypassword",
 		);
 		expect(core.setOutput).not.toHaveBeenCalled();
 		expect(core.exportVariable).toHaveBeenCalledWith(
 			envManagedVariables,
 			"DOCKERHUB_USERNAME,DOCKERHUB_TOKEN",
 		);
 	});
 	describe("when secret value is empty string", () => {
 		beforeEach(() => {
 			mockGetVariables.mockResolvedValue({
 				variables: [{ name: "EMPTY_SECRET", value: "" }],
 			});
 		});
 		it("sets empty string as step output", async () => {
 			await loadSecretsFromSDK(
 				workloadId,
 				environmentId,
 				integrationKey,
 				false,
 			);
 			expect(core.setOutput).toHaveBeenCalledWith("EMPTY_SECRET", "");
 			expect(core.setSecret).not.toHaveBeenCalledWith("");
 		});
 		it("sets empty string as environment variable", async () => {
 			await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
 			expect(core.exportVariable).toHaveBeenCalledWith("EMPTY_SECRET", "");
 			expect(core.setSecret).not.toHaveBeenCalledWith("");
 		});
 	});
 	it("does not export OP_MANAGED_VARIABLES when no variables are returned", async () => {
 		mockGetVariables.mockResolvedValue({ variables: [] });
 		await loadSecretsFromSDK(workloadId, environmentId, integrationKey, true);
 		expect(core.exportVariable).not.toHaveBeenCalled();
 	});
 });
@@ -1,52 +0,0 @@
 import * as core from "@actions/core";
 import { createClient } from "@1password/sdk";
 import { version } from "../package.json";
 import { envManagedVariables } from "./constants";
 // eslint-disable-next-line @typescript-eslint/naming-convention
 export const getOIDCToken = async (audience: string): Promise<string> =>
 	core.getIDToken(audience);
 // eslint-disable-next-line @typescript-eslint/naming-convention
 export const loadSecretsFromSDK = async (
 	workloadId: string,
 	environmentId: string,
 	integrationKey: string,
 	shouldExportEnv: boolean,
 ): Promise<void> => {
 	// Temporary fix: strip base64 padding from integrationKey — this will eventually be handled by the SDK core itself
 	const customerManagedSecret = integrationKey.replace(/=+$/, "");
 	core.setSecret(customerManagedSecret);
 	const client = await createClient({
 		integrationName: "1Password GitHub Action",
 		integrationVersion: version,
 		oidcFetcher: getOIDCToken,
 		workloadDetails: {
 			customerManagedSecret,
 			workloadUuid: workloadId,
 		},
 	});
 	core.info("Authenticated with Workload Identity.");
 	const { variables } = await client.environments.getVariables(environmentId);
 	const envNames: string[] = [];
 	for (const { name, value } of variables) {
 		core.info(`Populating variable: ${name}`);
 		if (shouldExportEnv) {
 			core.exportVariable(name, value);
 		} else {
 			core.setOutput(name, value);
 		}
 		if (value) {
 			core.setSecret(value);
 		}
 		envNames.push(name);
 	}
 	if (shouldExportEnv && envNames.length > 0) {
 		core.exportVariable(envManagedVariables, envNames.join());
 	}
 };
@@ -3,8 +3,6 @@ import * as exec from "@actions/exec";
 import { read, setClientInfo } from "@1password/op-js";
 import {
 	extractSecret,
 	getWorkloadIdentityConfig,
 	hasCliAuth,
 	loadSecrets,
 	unsetPrevious,
 	validateAuth,
@@ -13,13 +11,16 @@ import {
 	authErr,
 	envConnectHost,
 	envConnectToken,
 	envEnvironmentId,
 	envIntegrationKey,
 	envManagedVariables,
 	envServiceAccountToken,
 	envWorkloadId,
 } from "./constants";
 jest.mock("@actions/core");
 jest.mock("@actions/exec", () => ({
 	getExecOutput: jest.fn(() => ({
 		stdout: "MOCK_SECRET",
 	})),
 }));
 jest.mock("@1password/op-js");
 beforeEach(() => {
@@ -71,96 +72,6 @@ describe("validateAuth", () => {
 	});
 });
 describe("getWorkloadIdentityConfig", () => {
 	const testWorkloadId = "workload-id";
 	const testEnvironmentId = "environment-id";
 	const testIntegrationKey = "integration-key";
 	beforeEach(() => {
 		process.env[envWorkloadId] = "";
 		process.env[envEnvironmentId] = "";
 		process.env[envIntegrationKey] = "";
 		process.env[envConnectHost] = "";
 		process.env[envConnectToken] = "";
 		process.env[envServiceAccountToken] = "";
 	});
 	it("should return null when no variables are set", () => {
 		expect(getWorkloadIdentityConfig()).toBeNull();
 	});
 	it("should return the config when all variables are set", () => {
 		process.env[envWorkloadId] = testWorkloadId;
 		process.env[envEnvironmentId] = testEnvironmentId;
 		process.env[envIntegrationKey] = testIntegrationKey;
 		expect(getWorkloadIdentityConfig()).toEqual({
 			workloadId: testWorkloadId,
 			environmentId: testEnvironmentId,
 			integrationKey: testIntegrationKey,
 		});
 	});
 	it("should throw an error when only some variables are set", () => {
 		process.env[envWorkloadId] = testWorkloadId;
 		expect(getWorkloadIdentityConfig).toThrow(
 			/Incomplete Workload Identity configuration/,
 		);
 	});
 	it("should throw an error when combined with Connect credentials", () => {
 		process.env[envWorkloadId] = testWorkloadId;
 		process.env[envEnvironmentId] = testEnvironmentId;
 		process.env[envIntegrationKey] = testIntegrationKey;
 		process.env[envConnectHost] = "https://localhost:8000";
 		process.env[envConnectToken] = "token";
 		expect(getWorkloadIdentityConfig).toThrow(
 			/Conflicting authentication configuration/,
 		);
 	});
 	it("should throw an error when combined with a service account token", () => {
 		process.env[envWorkloadId] = testWorkloadId;
 		process.env[envEnvironmentId] = testEnvironmentId;
 		process.env[envIntegrationKey] = testIntegrationKey;
 		process.env[envServiceAccountToken] = "ops_token";
 		expect(getWorkloadIdentityConfig).toThrow(
 			/Conflicting authentication configuration/,
 		);
 	});
 });
 describe("hasCliAuth", () => {
 	beforeEach(() => {
 		process.env[envConnectHost] = "";
 		process.env[envConnectToken] = "";
 		process.env[envServiceAccountToken] = "";
 	});
 	it("returns false when no CLI auth is configured", () => {
 		expect(hasCliAuth()).toBe(false);
 	});
 	it("returns false when only the Connect host is set", () => {
 		process.env[envConnectHost] = "https://localhost:8000";
 		expect(hasCliAuth()).toBe(false);
 	});
 	it("returns true with both Connect host and token", () => {
 		process.env[envConnectHost] = "https://localhost:8000";
 		process.env[envConnectToken] = "token";
 		expect(hasCliAuth()).toBe(true);
 	});
 	it("returns true with a service account token", () => {
 		process.env[envServiceAccountToken] = "ops_token";
 		expect(hasCliAuth()).toBe(true);
 	});
 });
 describe("extractSecret", () => {
 	const envTestSecretEnv = "TEST_SECRET";
 	const testSecretRef = "op://vault/item/secret";
@@ -195,41 +106,6 @@ describe("extractSecret", () => {
 		);
 		expect(core.setSecret).toHaveBeenCalledWith(testSecretValue);
 	});
 	describe("when secret value is empty string", () => {
 		const emptySecretValue = "";
 		beforeEach(() => {
 			(read.parse as jest.Mock).mockReturnValue(emptySecretValue);
 		});
 		afterEach(() => {
 			(read.parse as jest.Mock).mockReturnValue(testSecretValue);
 		});
 		it("should set empty string as step output", () => {
 			extractSecret(envTestSecretEnv, false);
 			expect(core.setOutput).toHaveBeenCalledWith(
 				envTestSecretEnv,
 				emptySecretValue,
 			);
 			expect(core.exportVariable).not.toHaveBeenCalled();
 		});
 		it("should set empty string as environment variable", () => {
 			extractSecret(envTestSecretEnv, true);
 			expect(core.exportVariable).toHaveBeenCalledWith(
 				envTestSecretEnv,
 				emptySecretValue,
 			);
 			expect(core.setOutput).not.toHaveBeenCalled();
 		});
 		it("should not call setSecret for empty string", () => {
 			extractSecret(envTestSecretEnv, false);
 			expect(core.setSecret).not.toHaveBeenCalled();
 		});
 	});
 });
 describe("loadSecrets", () => {
@@ -285,24 +161,4 @@ describe("unsetPrevious", () => {
 		expect(core.info).toHaveBeenCalledWith("Unsetting TEST_SECRET");
 		expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
 	});
 	it("should unset every variable listed in OP_MANAGED_VARIABLES", () => {
 		process.env[envManagedVariables] = "TEST_SECRET,ANOTHER_TEST,SUPER_SECRET";
 		unsetPrevious();
 		expect(core.exportVariable).toHaveBeenCalledWith("TEST_SECRET", "");
 		expect(core.exportVariable).toHaveBeenCalledWith("ANOTHER_TEST", "");
 		expect(core.exportVariable).toHaveBeenCalledWith("SUPER_SECRET", "");
 		expect(core.exportVariable).toHaveBeenCalledTimes(3);
 	});
 	it("should do nothing when no variables are managed", () => {
 		process.env[envManagedVariables] = "";
 		unsetPrevious();
 		expect(core.exportVariable).not.toHaveBeenCalled();
 		expect(core.info).not.toHaveBeenCalledWith("Unsetting previous values ...");
 	});
 });
@@ -8,61 +8,8 @@ import {
 	envConnectToken,
 	envServiceAccountToken,
 	envManagedVariables,
 	envWorkloadId,
 	envEnvironmentId,
 	envIntegrationKey,
 } from "./constants";
 export interface WorkloadIdentityConfig {
 	workloadId: string;
 	environmentId: string;
 	integrationKey: string;
 }
 // Returns the Workload Identity configuration when all variables are set,
 // or null when none are set (so the CLI auth path can be used instead).
 // Throws if the configuration is only partially set, or if it is combined
 // with the CLI auth methods (Connect / service account).
 export const getWorkloadIdentityConfig = (): WorkloadIdentityConfig | null => {
 	const workloadId = process.env[envWorkloadId];
 	const environmentId = process.env[envEnvironmentId];
 	const integrationKey = process.env[envIntegrationKey];
 	// None set: fall back to the CLI auth path.
 	if (!workloadId && !environmentId && !integrationKey) {
 		return null;
 	}
 	// Some but not all set: configuration is incomplete.
 	if (!workloadId || !environmentId || !integrationKey) {
 		throw new Error(
 			`Incomplete Workload Identity configuration. To use Workload Identity, set all of ${envWorkloadId}, ${envEnvironmentId}, and ${envIntegrationKey}.`,
 		);
 	}
 	// Workload Identity is fully configured, so it must not be combined with the
 	// CLI auth methods (Connect / service account), which are mutually exclusive.
 	if (
 		process.env[envConnectHost] ||
 		process.env[envConnectToken] ||
 		process.env[envServiceAccountToken]
 	) {
 		throw new Error(
 			`Conflicting authentication configuration: Workload Identity cannot be combined with Connect (${envConnectHost}/${envConnectToken}) or a service account (${envServiceAccountToken}). Set only one authentication method.`,
 		);
 	}
 	return { workloadId, environmentId, integrationKey };
 };
 // Whether CLI authentication (1Password Connect or a service account) is
 // configured via environment variables.
 export const hasCliAuth = (): boolean =>
 	Boolean(
 		(process.env[envConnectHost] && process.env[envConnectToken]) ||
 			process.env[envServiceAccountToken],
 	);
 export const validateAuth = (): void => {
 	const isConnect = process.env[envConnectHost] && process.env[envConnectToken];
 	const isServiceAccount = process.env[envServiceAccountToken];
@@ -94,7 +41,7 @@ export const extractSecret = (
 	}
 	const secretValue = read.parse(ref);
-	if (secretValue === null || secretValue === undefined) {
+	if (!secretValue) {
 		return;
 	}
@@ -103,20 +50,15 @@ export const extractSecret = (
 	} else {
 		core.setOutput(envName, secretValue);
 	}
 	// Skip setSecret for empty strings to avoid the warning:
 	// "Can't add secret mask for empty string in ##[add-mask] command."
 	if (secretValue) {
 	core.setSecret(secretValue);
 	}
 };
 export const loadSecrets = async (shouldExportEnv: boolean): Promise<void> => {
-	// Strip any prerelease suffix; semverToInt only accepts MAJOR.MINOR.PATCH.
+	// Pass User-Agent Information to the 1Password CLI
 	const [releaseVersion] = version.split("-");
 	setClientInfo({
 		name: "1Password GitHub Action",
 		id: "GHA",
-		build: semverToInt(releaseVersion ?? version),
+		build: semverToInt(version),
 	});
 	// Load secrets from environment variables using 1Password CLI.
@@ -9,8 +9,11 @@ assert_env_equals() {
  fi
 }
-readonly SECRET="RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
+assert_env_equals "SECRET" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
-MULTILINE_SECRET="$(cat << EOF
+
 assert_env_equals "SECRET_IN_SECTION" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
 assert_env_equals "MULTILINE_SECRET" "$(cat << EOF
 -----BEGIN PRIVATE KEY-----
 RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLApXaGls
 ZSB3ZSBkZWVwbHkgYXBwcmVjaWF0ZSB5b3VyIHZp
@@ -25,20 +28,3 @@ IApTbyBwbGVhc2UgZG9uJ3QgcmVwb3J0IGl0IQo=
 -----END PRIVATE KEY-----
 EOF
 )"
 readonly MULTILINE_SECRET
 readonly WEBSITE="www.test.com"
 assert_env_equals "SECRET" "${SECRET}"
 assert_env_equals "FILE_SECRET" "${SECRET}"
 assert_env_equals "SECRET_IN_SECTION" "${SECRET}"
 assert_env_equals "FILE_SECRET_IN_SECTION" "${SECRET}"
 assert_env_equals "MULTILINE_SECRET" "${MULTILINE_SECRET}"
 assert_env_equals "FILE_MULTILINE_SECRET" "${MULTILINE_SECRET}"
 # WEBSITE/FILE_WEBSITE: required when ASSERT_WEBSITE=true (Service Account), skipped when false (Connect)
 if [ "${ASSERT_WEBSITE:-false}" = "true" ]; then
  assert_env_equals "WEBSITE" "${WEBSITE}"
  assert_env_equals "FILE_WEBSITE" "${WEBSITE}"
 fi
@@ -10,18 +10,5 @@ assert_env_unset() {
 }
 assert_env_unset "SECRET"
 assert_env_unset "FILE_SECRET"
 assert_env_unset "SECRET_IN_SECTION"
 assert_env_unset "FILE_SECRET_IN_SECTION"
 assert_env_unset "MULTILINE_SECRET"
 assert_env_unset "FILE_MULTILINE_SECRET"
 assert_env_unset "WEBSITE"
 assert_env_unset "FILE_WEBSITE"
 assert_env_unset "TEST_SSH_KEY"
 assert_env_unset "FILE_TEST_SSH_KEY"
 assert_env_unset "TEST_SSH_KEY_OPENSSH"
 assert_env_unset "FILE_TEST_SSH_KEY_OPENSSH"
@@ -1,26 +0,0 @@
 #!/bin/bash
 set -e
 assert_ssh_key_set() {
  local var="$1"
  local val
  val="$(printenv "$var" || true)"
  if [ -z "$val" ]; then
    echo "Expected $var to be set"
    exit 1
  fi
  [ "$val" = "***" ] && return 0
  local line
  line="$(echo "$val" | head -1)"
  if echo "$var" | grep -q "OPENSSH"; then
    echo "$line" | grep -q "OPENSSH" || { echo "Expected $var to start with -----BEGIN OPENSSH PRIVATE KEY-----"; exit 1; }
  else
    echo "$line" | grep -q "BEGIN.*PRIVATE KEY" || { echo "Expected $var to be a private key"; exit 1; }
  fi
  echo "$var OK"
 }
 assert_ssh_key_set "TEST_SSH_KEY"
 assert_ssh_key_set "TEST_SSH_KEY_OPENSSH"
 assert_ssh_key_set "FILE_TEST_SSH_KEY"
 assert_ssh_key_set "FILE_TEST_SSH_KEY_OPENSSH"
@@ -1,16 +0,0 @@
 #!/bin/bash
 # shellcheck disable=SC2086
 set -e
 # Asserts the secrets loaded via Workload Identity.
 assert_env_equals() {
  if [ "$(printenv $1)" != "$2" ]; then
    echo -e "Expected $1 to be set to:\n$2\nBut got:\n$(printenv $1)"
    exit 1
  fi
 }
 assert_env_equals "ANOTHER_TEST" "anothertest123"
 assert_env_equals "SUPER_SECRET" "supersecret"
 assert_env_equals "TEST_SECRET" "thisisatest"
Author	SHA1	Message	Date
Volodymyr Zotov	9fd72bcae7	Point to the feature branch to run tests	2025-08-14 11:43:38 -05:00
Volodymyr Zotov	4c8b833188	Make latest build	2025-08-14 11:40:05 -05:00
Volodymyr Zotov	b10aa9ed81	Fix tests	2025-08-14 11:39:57 -05:00
Volodymyr Zotov	b9110a4b5b	Rename `version` input to `cli-version`	2025-08-14 10:58:58 -05:00
		`@@ -1 +0,0 @@`
			`export { type Installer, newCliInstaller } from "./installer";`
		`@@ -1,2 +0,0 @@`
			`export { installCliOnGithubActionRunner } from "./github-action";`
			`export { ReleaseChannel, VersionResolver } from "./version";`
		`@@ -1,2 +0,0 @@`
			`export { VersionResolver } from "./version-resolver";`
			`export { ReleaseChannel } from "./constants";`