From df5f6ffc1710a892626aacf636c161229439c2fb Mon Sep 17 00:00:00 2001
From: Michel Hiemstra <michel.hiemstra@stormzaak.nl>
Date: Thu, 9 Oct 2025 14:48:57 +0200
Subject: [PATCH 1/3] feat:  add http2 support for Vault communication

---
 README.md     | 43 ++++++++++++++++++++++++++++++++++++++++++-
 action.yml    |  4 ++++
 src/action.js |  5 +++++
 3 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b3939f5..ca9f9e8 100644
--- a/README.md
+++ b/README.md
@@ -25,20 +25,54 @@ is not meant to modify Vault’s state.
     - [Userpass](#userpass)
     - [Ldap](#ldap)
     - [Other Auth Methods](#other-auth-methods)
-    - [Custom Path](#custom-path-name)
+    - [Custom Path Name](#custom-path-name)
   - [Key Syntax](#key-syntax)
     - [Simple Key](#simple-key)
     - [Set Output Variable Name](#set-output-variable-name)
     - [Multiple Secrets](#multiple-secrets)
     - [KV secrets engine version 2](#kv-secrets-engine-version-2)
+  - [PKI Certificate Requests](#pki-certificate-requests)
   - [Other Secret Engines](#other-secret-engines)
   - [Adding Extra Headers](#adding-extra-headers)
   - [HashiCorp Cloud Platform or Vault Enterprise](#hashicorp-cloud-platform-or-vault-enterprise)
     - [Namespace](#namespace)
   - [Reference](#reference)
+    - [`url`](#url)
+    - [`secrets`](#secrets)
+    - [`namespace`](#namespace-1)
+    - [`method`](#method)
+    - [`role`](#role)
+    - [`path`](#path)
+    - [`token`](#token-1)
+    - [`roleId`](#roleid)
+    - [`secretId`](#secretid)
+    - [`githubToken`](#githubtoken)
+    - [`jwtPrivateKey`](#jwtprivatekey)
+    - [`jwtKeyPassword`](#jwtkeypassword)
+    - [`jwtGithubAudience`](#jwtgithubaudience)
+    - [`jwtTtl`](#jwtttl)
+    - [`kubernetesTokenPath`](#kubernetestokenpath)
+    - [`username`](#username)
+    - [`password`](#password)
+    - [`authPayload`](#authpayload)
+    - [`extraHeaders`](#extraheaders)
+    - [`http2`](#http2)
+    - [`exportEnv`](#exportenv)
+    - [`exportToken`](#exporttoken)
+    - [`outputToken`](#outputtoken)
+    - [`caCertificate`](#cacertificate)
+    - [`clientCertificate`](#clientcertificate)
+    - [`clientKey`](#clientkey)
+    - [`tlsSkipVerify`](#tlsskipverify)
+    - [`ignoreNotFound`](#ignorenotfound)
   - [Masking - Hiding Secrets from Logs](#masking---hiding-secrets-from-logs)
   - [Normalization](#normalization)
   - [Contributing](#contributing)
+    - [Build](#build)
+    - [Vault test instance](#vault-test-instance)
+    - [Running unit tests](#running-unit-tests)
+    - [Running acceptance tests](#running-acceptance-tests)
+    - [Running the action locally](#running-the-action-locally)
 
 <!-- /TOC -->
 
@@ -673,6 +707,13 @@ The JSON payload to be sent to Vault when using a custom authentication method.
 
 A string of newline separated extra headers to include on every request.
 
+### `http2`
+
+**Type: `string`**\
+**Default: `false`**
+
+Whether or not to use HTTP/2 when communicating with the Vault server.
+
 ### `exportEnv`
 
 **Type: `string`**\
diff --git a/action.yml b/action.yml
index 94c738a..fa3107a 100644
--- a/action.yml
+++ b/action.yml
@@ -51,6 +51,10 @@ inputs:
   extraHeaders:
     description: 'A string of newline separated extra headers to include on every request.'
     required: false
+  http2:
+    description: 'Whether or not to use HTTP/2 when communicating with the Vault server.'
+    default: 'false'
+    required: false
   exportEnv:
     description: 'Whether or not export secrets as environment variables.'
     default: 'true'
diff --git a/src/action.js b/src/action.js
index 3dcf1f4..9ae0fa8 100644
--- a/src/action.js
+++ b/src/action.js
@@ -54,6 +54,11 @@ async function exportSecrets() {
         }
     }
 
+    const http2 = (core.getInput('http2', { required: false }) || 'false').toLowerCase() != 'false';
+    if (http2 === true) {
+        defaultOptions.http2 = true;
+    }
+
     const tlsSkipVerify = (core.getInput('tlsSkipVerify', { required: false }) || 'false').toLowerCase() != 'false';
     if (tlsSkipVerify === true) {
         defaultOptions.https.rejectUnauthorized = false;

From c7074a41ca6ffa7e3563fc0e08e94641d526ebf0 Mon Sep 17 00:00:00 2001
From: Michel Hiemstra <michel.hiemstra@stormzaak.nl>
Date: Thu, 9 Oct 2025 14:50:05 +0200
Subject: [PATCH 2/3] chore: update to fix formatting

---
 README.md | 36 +-----------------------------------
 1 file changed, 1 insertion(+), 35 deletions(-)

diff --git a/README.md b/README.md
index ca9f9e8..4acf426 100644
--- a/README.md
+++ b/README.md
@@ -25,54 +25,20 @@ is not meant to modify Vault’s state.
     - [Userpass](#userpass)
     - [Ldap](#ldap)
     - [Other Auth Methods](#other-auth-methods)
-    - [Custom Path Name](#custom-path-name)
+    - [Custom Path](#custom-path-name)
   - [Key Syntax](#key-syntax)
     - [Simple Key](#simple-key)
     - [Set Output Variable Name](#set-output-variable-name)
     - [Multiple Secrets](#multiple-secrets)
     - [KV secrets engine version 2](#kv-secrets-engine-version-2)
-  - [PKI Certificate Requests](#pki-certificate-requests)
   - [Other Secret Engines](#other-secret-engines)
   - [Adding Extra Headers](#adding-extra-headers)
   - [HashiCorp Cloud Platform or Vault Enterprise](#hashicorp-cloud-platform-or-vault-enterprise)
     - [Namespace](#namespace)
   - [Reference](#reference)
-    - [`url`](#url)
-    - [`secrets`](#secrets)
-    - [`namespace`](#namespace-1)
-    - [`method`](#method)
-    - [`role`](#role)
-    - [`path`](#path)
-    - [`token`](#token-1)
-    - [`roleId`](#roleid)
-    - [`secretId`](#secretid)
-    - [`githubToken`](#githubtoken)
-    - [`jwtPrivateKey`](#jwtprivatekey)
-    - [`jwtKeyPassword`](#jwtkeypassword)
-    - [`jwtGithubAudience`](#jwtgithubaudience)
-    - [`jwtTtl`](#jwtttl)
-    - [`kubernetesTokenPath`](#kubernetestokenpath)
-    - [`username`](#username)
-    - [`password`](#password)
-    - [`authPayload`](#authpayload)
-    - [`extraHeaders`](#extraheaders)
-    - [`http2`](#http2)
-    - [`exportEnv`](#exportenv)
-    - [`exportToken`](#exporttoken)
-    - [`outputToken`](#outputtoken)
-    - [`caCertificate`](#cacertificate)
-    - [`clientCertificate`](#clientcertificate)
-    - [`clientKey`](#clientkey)
-    - [`tlsSkipVerify`](#tlsskipverify)
-    - [`ignoreNotFound`](#ignorenotfound)
   - [Masking - Hiding Secrets from Logs](#masking---hiding-secrets-from-logs)
   - [Normalization](#normalization)
   - [Contributing](#contributing)
-    - [Build](#build)
-    - [Vault test instance](#vault-test-instance)
-    - [Running unit tests](#running-unit-tests)
-    - [Running acceptance tests](#running-acceptance-tests)
-    - [Running the action locally](#running-the-action-locally)
 
 <!-- /TOC -->
 

From 5d6081151c6c719d2b227bbf6c8f49d7f5cdd9b1 Mon Sep 17 00:00:00 2001
From: Michel Hiemstra <michel.hiemstra@stormzaak.nl>
Date: Thu, 9 Oct 2025 14:57:56 +0200
Subject: [PATCH 3/3] chore: update CHANGELOG.md

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f246370..12b3db7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+Improvements:
+
+* Support for HTTP/2 via new `http2` input (default `false`) to opt in to HTTP/2 communication with Vault.
+
 ## 3.4.0 (June 13, 2025)
 
 Bugs: