mirror of
https://github.com/hashicorp/vault-action.git
synced 2025-11-10 00:26:55 +00:00
Make optional instead of always, in case of untrusted steps
This commit is contained in:
Thomas
Tom North
parent
5ecb000964
commit
c2f2763a3d
2 changed files with 13 additions and 16 deletions
|
|
@ -447,12 +447,6 @@ Here are all the inputs available through `with`:
|
|||
| `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
|
||||
| `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | |
|
||||
|
||||
Here are outputs that are always available:
|
||||
|
||||
| Output | Description |
|
||||
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `vault_token` | The Vault either used for authentication, or obtained via an auth method. |
|
||||
|
||||
## Masking - Hiding Secrets from Logs
|
||||
|
||||
This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs.
|
||||
|
|
|
|||
|
|
@ -194,6 +194,11 @@ describe('exportSecrets', () => {
|
|||
.calledWith('secretEncodingType', expect.anything())
|
||||
.mockReturnValueOnce(doEncode);
|
||||
}
|
||||
function mockOutputToken(doOutput) {
|
||||
when(core.getInput)
|
||||
.calledWith('outputToken', expect.anything())
|
||||
.mockReturnValueOnce(doOutput);
|
||||
}
|
||||
|
||||
it('simple secret retrieval', async () => {
|
||||
mockInput('test key');
|
||||
|
|
@ -205,7 +210,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('encoded secret retrieval', async () => {
|
||||
|
|
@ -231,7 +235,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('测试', '1');
|
||||
expect(core.setOutput).toBeCalledWith('测试', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('mapped secret retrieval', async () => {
|
||||
|
|
@ -244,7 +247,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1');
|
||||
expect(core.setOutput).toBeCalledWith('TEST_NAME', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('simple secret retrieval from K/V v1', async () => {
|
||||
|
|
@ -262,7 +264,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('simple secret retrieval with extra headers', async () => {
|
||||
|
|
@ -278,7 +279,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('nested secret retrieval', async () => {
|
||||
|
|
@ -291,7 +291,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key__value', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('export Vault token', async () => {
|
||||
|
|
@ -308,7 +307,6 @@ describe('exportSecrets', () => {
|
|||
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('not export Vault token', async () => {
|
||||
|
|
@ -324,7 +322,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('single-line secret gets masked', async () => {
|
||||
|
|
@ -340,7 +337,6 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'secret');
|
||||
expect(core.setOutput).toBeCalledWith('key', 'secret');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('multi-line secret gets masked for each line', async () => {
|
||||
|
|
@ -362,7 +358,6 @@ with blank lines
|
|||
expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
|
||||
expect(core.setOutput).toBeCalledWith('key', multiLineString);
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('export only Vault token, no secrets', async () => {
|
||||
|
|
@ -372,6 +367,14 @@ with blank lines
|
|||
|
||||
expect(core.exportVariable).toBeCalledTimes(1);
|
||||
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('output only Vault token, no secrets', async () => {
|
||||
mockOutputToken("true")
|
||||
|
||||
await exportSecrets();
|
||||
|
||||
expect(core.setOutput).toBeCalledTimes(1);
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue