feature: add ignoreNotFound option (#518)

* add ignoreNotFound option * update README
2025-11-06 23:06:54 +00:00 · 2024-02-01 08:42:56 -06:00 · 2024-02-01 08:42:56 -06:00 · efab57ede0
commit efab57ede0
parent d523bb05b2
5 changed files with 49 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,9 @@
 ## Unreleased

+Features:
+
+* Add `ignoreNotFound` input (default: false) to prevent the action from failing when a secret does not exist [GH-518](https://github.com/hashicorp/vault-action/pull/518)
+
 ## 2.7.5 (January 30, 2024)

 Improvements:
--- a/README.md
+++ b/README.md
@ -649,6 +649,13 @@ Base64 encoded client key the action uses to authenticate with Vault when mTLS i

 When set to true, disables verification of server certificates when testing the action.

+### `ignoreNotFound`
+
+**Type: `string`**\
+**Default: `false`**
+
+When set to true, prevents the action from failing when a secret does not exist.
+
 ## Masking - Hiding Secrets from Logs

 This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs.
--- a/action.yml
+++ b/action.yml
@ -89,6 +89,10 @@ inputs:
  secretEncodingType:
    description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
    required: false
+  ignoreNotFound:
+    description: 'Whether or not the action should exit successfully if some requested secrets were not found.'
+    required: false
+    default: 'false'
 runs:
  using: 'node20'
  main: 'dist/index.js'
--- a/integrationTests/basic/integration.test.js
+++ b/integrationTests/basic/integration.test.js
@ -124,12 +124,34 @@ describe('integration', () => {
            .mockReturnValueOnce(secrets);
    }

+    function mockIgnoreNotFound(shouldIgnore) {
+        when(core.getInput)
+            .calledWith('ignoreNotFound', expect.anything())
+            .mockReturnValueOnce(shouldIgnore);
+    }
+
+
    it('prints a nice error message when secret not found', async () => {
        mockInput(`secret/data/test secret ;
        secret/data/test secret | NAMED_SECRET ;
        secret/data/notFound kehe | NO_SIR ;`);

-        expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
+        await expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
+    })
+
+    it('does not error when secret not found and ignoreNotFound is true', async () => {
+        mockInput(`secret/data/test secret ;
+        secret/data/test secret | NAMED_SECRET ;
+        secret/data/notFound kehe | NO_SIR ;`);
+
+        mockIgnoreNotFound("true");
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(2);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
+        expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
    })

    it('get simple secret', async () => {
--- a/src/secrets.js
+++ b/src/secrets.js
@ -1,6 +1,8 @@
 const jsonata = require("jsonata");
 const { WILDCARD } = require("./constants");
 const { normalizeOutputKey } = require("./utils");
+const core = require('@actions/core');
+
 /**
 * @typedef {Object} SecretRequest
 * @property {string} path
@ -21,7 +23,7 @@ const { normalizeOutputKey } = require("./utils");
  * @param {import('got').Got} client
  * @return {Promise<SecretResponse<TRequest>[]>}
  */
-async function getSecrets(secretRequests, client) {
+async function getSecrets(secretRequests, client, ignoreNotFound) {
    const responseCache = new Map();
    let results = [];

@ -42,7 +44,14 @@ async function getSecrets(secretRequests, client) {
            } catch (error) {
                const {response} = error;
                if (response?.statusCode === 404) {
-                    throw Error(`Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`)
+                    notFoundMsg = `Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`;
+                    const ignoreNotFound = (core.getInput('ignoreNotFound', { required: false }) || 'false').toLowerCase() != 'false';
+                    if (ignoreNotFound) {
+                        core.error(`✘ ${notFoundMsg}`);
+                        continue;
+                    } else {
+                        throw Error(notFoundMsg)
+                    }
                }
                throw error
            }