actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-10 16:46:56 +00:00
Code Activity Actions

feat: Always allow scoped access to vault token through outputs

Browse source
This commit is contained in:
Thomas 2022-08-03 15:02:46 +01:00 committed by Tom North
parent fc1e2ce126
commit 5ecb000964
3 changed files with 17 additions and 19198 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -447,6 +447,12 @@ Here are all the inputs available through `with`:
| `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | | | `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
| `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | | | `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | |
Here are outputs that are always available:
| Output | Description |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| `vault_token` | The Vault either used for authentication, or obtained via an auth method. |
## Masking - Hiding Secrets from Logs ## Masking - Hiding Secrets from Logs
This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs. This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs.

19198
dist/index.js vendored
View file

File diff suppressed because one or more lines are too long

11
src/action.test.js
View file

@ -205,6 +205,7 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('encoded secret retrieval', async () => { it('encoded secret retrieval', async () => {
@ -230,6 +231,7 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('测试', '1'); expect(core.exportVariable).toBeCalledWith('测试', '1');
expect(core.setOutput).toBeCalledWith('测试', '1'); expect(core.setOutput).toBeCalledWith('测试', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('mapped secret retrieval', async () => { it('mapped secret retrieval', async () => {
@ -242,6 +244,7 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1'); expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1');
expect(core.setOutput).toBeCalledWith('TEST_NAME', '1'); expect(core.setOutput).toBeCalledWith('TEST_NAME', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('simple secret retrieval from K/V v1', async () => { it('simple secret retrieval from K/V v1', async () => {
@ -259,6 +262,7 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('simple secret retrieval with extra headers', async () => { it('simple secret retrieval with extra headers', async () => {
@ -274,6 +278,7 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('nested secret retrieval', async () => { it('nested secret retrieval', async () => {
@ -286,6 +291,7 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1'); expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1');
expect(core.setOutput).toBeCalledWith('key__value', '1'); expect(core.setOutput).toBeCalledWith('key__value', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('export Vault token', async () => { it('export Vault token', async () => {
@ -302,6 +308,7 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE'); expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('not export Vault token', async () => { it('not export Vault token', async () => {
@ -317,6 +324,7 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}); });
it('single-line secret gets masked', async () => { it('single-line secret gets masked', async () => {
@ -332,6 +340,7 @@ describe('exportSecrets', () => {
expect(command.issue).toBeCalledWith('add-mask', 'secret'); expect(command.issue).toBeCalledWith('add-mask', 'secret');
expect(core.setOutput).toBeCalledWith('key', 'secret'); expect(core.setOutput).toBeCalledWith('key', 'secret');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}) })
it('multi-line secret gets masked for each line', async () => { it('multi-line secret gets masked for each line', async () => {
@ -353,6 +362,7 @@ with blank lines
expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string'); expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
expect(command.issue).toBeCalledWith('add-mask', 'with blank lines'); expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
expect(core.setOutput).toBeCalledWith('key', multiLineString); expect(core.setOutput).toBeCalledWith('key', multiLineString);
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}) })
it('export only Vault token, no secrets', async () => { it('export only Vault token, no secrets', async () => {
@ -362,6 +372,7 @@ with blank lines
expect(core.exportVariable).toBeCalledTimes(1); expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE'); expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
}) })
it('output only Vault token, no secrets', async () => { it('output only Vault token, no secrets', async () => {