diff --git a/README.md b/README.md
index 4735bbc..875cfff 100644
--- a/README.md
+++ b/README.md
@@ -480,6 +480,7 @@ Here are all the inputs available through `with`:
 | `extraHeaders` | A string of newline separated extra headers to include on every request. | | |
 | `exportEnv` | Whether or not export secrets as environment variables. | `true` | |
 | `exportToken` | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN). | `false` | |
+| `outputToken` | Whether or not to set the `vault_token` output to contain the Vault token after authentication. | `false` | |
 | `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | |
 | `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | |
 | `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
diff --git a/src/action.js b/src/action.js
index 836a11b..e193650 100644
--- a/src/action.js
+++ b/src/action.js
@@ -13,6 +13,7 @@ async function exportSecrets() {
 const vaultNamespace = core.getInput('namespace', { required: false });
 const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
 const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
+ const outputToken = (core.getInput('outputToken', { required: false }) || 'false').toLowerCase() != 'false';
 const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false';
 const secretsInput = core.getInput('secrets', { required: false });
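Review bot: The `outputToken` parse in `exportSecrets` fails open: with `!= 'false'`, any value other than the literal `false` (a typo, `no`, `0`) turns on publishing the Vault token as a step output. For an opt-in that exposes a credential, match the affirmative value instead, `const outputToken = (core.getInput('outputToken', { required: false }) || '').toLowerCase() === 'true';`. The neighbouring `exportToken` line has the same shape and would benefit from the same tightening. `action.yml` is not part of this diff, so it is worth confirming that the new input and the `vault_token` output are declared there.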
@@ -69,11 +70,14 @@ async function exportSecrets() {
 }
 const vaultToken = await retrieveToken(vaultMethod, got.extend(defaultOptions));
+ core.setSecret(vaultToken)
 defaultOptions.headers['X-Vault-Token'] = vaultToken;
 const client = got.extend(defaultOptions);
+ if (outputToken === true) {
+ core.setOutput('vault_token', `${vaultToken}`);
+ }
 if (exportToken === true) {
- command.issue('add-mask', vaultToken);
 core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
 }
@@ -103,7 +107,7 @@ async function exportSecrets() {
 for (const line of value.replace(/\r/g, '').split('\n')) {
 if (line.length > 0) {
- command.issue('add-mask', line);
+ core.setSecret(line);
 }
 }
 if (exportEnv) {
diff --git a/src/action.test.js b/src/action.test.js
index 45899bd..49c33cd 100644
--- a/src/action.test.js
+++ b/src/action.test.js
@@ -184,6 +184,11 @@ describe('exportSecrets', () => {
 .mockReturnValueOnce(doExport);
 }
+ function mockOutputToken(doOutput) {
+ when(core.getInput)
+ .calledWith('outputToken', expect.anything())
+ .mockReturnValueOnce(doOutput);
+ }
 function mockEncodeType(doEncode) {
 when(core.getInput)
 .calledWith('secretEncodingType', expect.anything())
@@ -323,9 +328,9 @@ describe('exportSecrets', () => {
 await exportSecrets();
- expect(command.issue).toBeCalledTimes(1);
+ expect(core.setSecret).toBeCalledTimes(2);
- expect(command.issue).toBeCalledWith('add-mask', 'secret');
+ expect(core.setSecret).toBeCalledWith('secret');
 expect(core.setOutput).toBeCalledWith('key', 'secret');
 })
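Review bot: The new `core.setOutput('vault_token', …)` branch makes the token readable by every later step in the job, while `core.setSecret` only redacts it from log output, so the exposure is wider than the masking suggests. I would say so at the call site, e.g. `// vault_token is visible to all subsequent steps in this job; setSecret only masks it in logs`, and have the README row for `outputToken` recommend a short-lived, narrowly scoped token when it is enabled. Two style points in the same hunk: `core.setSecret(vaultToken)` is missing its semicolon, and the template literal around `vaultToken` adds nothing if `retrieveToken` already returns a string. The body of `exportSecrets` starts and ends outside the hunk.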
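Review bot: `expect(core.setSecret).toBeCalledTimes(2)` in the hunk at -323 pins only the count; nothing in the test checks that the extra call is the Vault token being masked, which is the behaviour this commit adds. Adding `expect(core.setSecret).toBeCalledWith('EXAMPLE');` would pin it, assuming the mocked token in this suite is `EXAMPLE`, as the `VAULT_TOKEN` assertion further down suggests. The same applies to `toBeCalledTimes(3)` in the hunk at -343.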
@@ -343,10 +348,10 @@ with blank lines
 await exportSecrets();
- expect(command.issue).toBeCalledTimes(2); // 1 for each non-empty line.
+ expect(core.setSecret).toBeCalledTimes(3); // 1 for each non-empty line.
- expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
- expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
+ expect(core.setSecret).toBeCalledWith('a multi-line string');
+ expect(core.setSecret).toBeCalledWith('with blank lines');
 expect(core.setOutput).toBeCalledWith('key', multiLineString);
 })
@@ -358,4 +363,13 @@ with blank lines
 expect(core.exportVariable).toBeCalledTimes(1);
 expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
 })
+
+ it('output only Vault token, no secrets', async () => {
+ mockOutputToken("true")
+
+ await exportSecrets();
+
+ expect(core.setOutput).toBeCalledTimes(1);
+ expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
+ })
 });
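Review bot: The added test in the hunk at -358 covers only the enabled path; no test shows that `vault_token` stays unset when `outputToken` is `false` or omitted, which is the default that keeps the token out of step outputs. Nor does any test assert that the token is still passed to `core.setSecret` on that path. A companion test is sketched below; it assumes the suite's shared setup is enough to run `exportSecrets()`, as in the added test, and that the mocked token is `EXAMPLE`.

```javascript
it('does not output Vault token when outputToken is false', async () => {
    mockOutputToken("false")

    await exportSecrets();

    expect(core.setOutput).not.toBeCalledWith('vault_token', expect.anything());
    expect(core.setSecret).toBeCalledWith('EXAMPLE');
})
```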