Scoped token access (#441)

* feat: Always allow scoped access to vault token through outputs * Make optional instead of always, in case of untrusted steps --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Thomas <thomas.north@dazn.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-07 07:06:56 +00:00 · 2023-05-19 19:11:33 +01:00 · 2023-05-19 19:11:33 +01:00 · cd5a8995f3
commit cd5a8995f3
parent 72c092c8af
3 changed files with 26 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -480,6 +480,7 @@ Here are all the inputs available through `with`:
 | `extraHeaders`      | A string of newline separated extra headers to include on every request.                                                                             |         |          |
 | `exportEnv`         | Whether or not export secrets as environment variables.                                                                                              | `true`  |          |
 | `exportToken`       | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN).                                                                        | `false` |          |
+| `outputToken`       | Whether or not to set the `vault_token` output to contain the Vault token after authentication.                                                      | `false` |          |
 | `caCertificate`     | Base64 encoded CA certificate the server certificate was signed with.                                                                                |         |          |
 | `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled.                                                   |         |          |
 | `clientKey`         | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled.                                                           |         |          |
--- a/src/action.js
+++ b/src/action.js
@ -13,6 +13,7 @@ async function exportSecrets() {
    const vaultNamespace = core.getInput('namespace', { required: false });
    const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
    const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
+    const outputToken = (core.getInput('outputToken', { required: false }) || 'false').toLowerCase() != 'false';
    const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false';

    const secretsInput = core.getInput('secrets', { required: false });
@ -69,11 +70,14 @@ async function exportSecrets() {
    }

    const vaultToken = await retrieveToken(vaultMethod, got.extend(defaultOptions));
+    core.setSecret(vaultToken)
    defaultOptions.headers['X-Vault-Token'] = vaultToken;
    const client = got.extend(defaultOptions);

+    if (outputToken === true) {
+      core.setOutput('vault_token', `${vaultToken}`);
+    }
    if (exportToken === true) {
-        command.issue('add-mask', vaultToken);
        core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
    }

@ -103,7 +107,7 @@ async function exportSecrets() {

        for (const line of value.replace(/\r/g, '').split('\n')) {
            if (line.length > 0) {
-                command.issue('add-mask', line);
+                core.setSecret(line);
            }
        }
        if (exportEnv) {
--- a/src/action.test.js
+++ b/src/action.test.js
@ -184,6 +184,11 @@ describe('exportSecrets', () => {
            .mockReturnValueOnce(doExport);
    }

+    function mockOutputToken(doOutput) {
+      when(core.getInput)
+          .calledWith('outputToken', expect.anything())
+          .mockReturnValueOnce(doOutput);
+  }
    function mockEncodeType(doEncode) {
        when(core.getInput)
            .calledWith('secretEncodingType', expect.anything())
@ -323,9 +328,9 @@ describe('exportSecrets', () => {

        await exportSecrets();

-        expect(command.issue).toBeCalledTimes(1);
+        expect(core.setSecret).toBeCalledTimes(2);

-        expect(command.issue).toBeCalledWith('add-mask', 'secret');
+        expect(core.setSecret).toBeCalledWith('secret');
        expect(core.setOutput).toBeCalledWith('key', 'secret');
    })

@ -343,10 +348,10 @@ with blank lines

        await exportSecrets();

-        expect(command.issue).toBeCalledTimes(2); // 1 for each non-empty line.
+        expect(core.setSecret).toBeCalledTimes(3); // 1 for each non-empty line.

-        expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
-        expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
+        expect(core.setSecret).toBeCalledWith('a multi-line string');
+        expect(core.setSecret).toBeCalledWith('with blank lines');
        expect(core.setOutput).toBeCalledWith('key', multiLineString);
    })

@ -358,4 +363,13 @@ with blank lines
    expect(core.exportVariable).toBeCalledTimes(1);
    expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
  })
+
+  it('output only Vault token, no secrets', async () => {
+    mockOutputToken("true")
+
+    await exportSecrets();
+
+    expect(core.setOutput).toBeCalledTimes(1);
+    expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
+  })
 });