mirror of
https://github.com/hashicorp/vault-action.git
synced 2025-11-07 15:16:56 +00:00
feat: Always allow scoped access to vault token through outputs
This commit is contained in:
Thomas
parent
ae2f303e37
commit
e92c0909f9
4 changed files with 1515 additions and 776 deletions
|
|
@ -411,6 +411,12 @@ Here are all the inputs available through `with`:
|
|||
| `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
|
||||
| `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | |
|
||||
|
||||
Here are outputs that are always available:
|
||||
|
||||
| Output | Description |
|
||||
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `vault_token` | The Vault either used for authentication, or obtained via an auth method. |
|
||||
|
||||
## Masking - Hiding Secrets from Logs
|
||||
|
||||
This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs.
|
||||
|
|
|
|||
2267
dist/index.js
vendored
2267
dist/index.js
vendored
File diff suppressed because one or more lines are too long
|
|
@ -69,8 +69,9 @@ async function exportSecrets() {
|
|||
defaultOptions.headers['X-Vault-Token'] = vaultToken;
|
||||
const client = got.extend(defaultOptions);
|
||||
|
||||
command.issue('add-mask', vaultToken);
|
||||
core.setOutput('vault_token', `${vaultToken}`);
|
||||
if (exportToken === true) {
|
||||
command.issue('add-mask', vaultToken);
|
||||
core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -194,6 +194,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('intl secret retrieval', async () => {
|
||||
|
|
@ -206,6 +207,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('测试', '1');
|
||||
expect(core.setOutput).toBeCalledWith('测试', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('mapped secret retrieval', async () => {
|
||||
|
|
@ -218,6 +220,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1');
|
||||
expect(core.setOutput).toBeCalledWith('TEST_NAME', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('simple secret retrieval from K/V v1', async () => {
|
||||
|
|
@ -235,6 +238,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('simple secret retrieval with extra headers', async () => {
|
||||
|
|
@ -250,6 +254,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('nested secret retrieval', async () => {
|
||||
|
|
@ -262,6 +267,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key__value', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('export Vault token', async () => {
|
||||
|
|
@ -278,6 +284,7 @@ describe('exportSecrets', () => {
|
|||
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('not export Vault token', async () => {
|
||||
|
|
@ -293,6 +300,7 @@ describe('exportSecrets', () => {
|
|||
|
||||
expect(core.exportVariable).toBeCalledWith('KEY', '1');
|
||||
expect(core.setOutput).toBeCalledWith('key', '1');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
});
|
||||
|
||||
it('single-line secret gets masked', async () => {
|
||||
|
|
@ -304,10 +312,11 @@ describe('exportSecrets', () => {
|
|||
|
||||
await exportSecrets();
|
||||
|
||||
expect(command.issue).toBeCalledTimes(1);
|
||||
expect(command.issue).toBeCalledTimes(2);
|
||||
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'secret');
|
||||
expect(core.setOutput).toBeCalledWith('key', 'secret');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('multi-line secret gets masked for each line', async () => {
|
||||
|
|
@ -324,11 +333,12 @@ with blank lines
|
|||
|
||||
await exportSecrets();
|
||||
|
||||
expect(command.issue).toBeCalledTimes(2); // 1 for each non-empty line.
|
||||
expect(command.issue).toBeCalledTimes(3); // 1 for each non-empty line.
|
||||
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
|
||||
expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
|
||||
expect(core.setOutput).toBeCalledWith('key', multiLineString);
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
|
||||
it('export only Vault token, no secrets', async () => {
|
||||
|
|
@ -338,5 +348,6 @@ with blank lines
|
|||
|
||||
expect(core.exportVariable).toBeCalledTimes(1);
|
||||
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
|
||||
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
|
||||
})
|
||||
});
|
||||
|
|
|
|||
Loading…
Reference in a new issue