actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-07 15:16:56 +00:00
Code Activity Actions

feature: add ignoreNotFound option (#518)

Browse source 
* add ignoreNotFound option

* update README
This commit is contained in:
John-Michael Faircloth 2024-02-01 08:42:56 -06:00 committed by GitHub
parent d523bb05b2
commit efab57ede0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 49 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -1,5 +1,9 @@
## Unreleased ## Unreleased
Features:
* Add `ignoreNotFound` input (default: false) to prevent the action from failing when a secret does not exist [GH-518](https://github.com/hashicorp/vault-action/pull/518)
## 2.7.5 (January 30, 2024) ## 2.7.5 (January 30, 2024)
Improvements: Improvements:

7
README.md
View file

@ -649,6 +649,13 @@ Base64 encoded client key the action uses to authenticate with Vault when mTLS i
When set to true, disables verification of server certificates when testing the action. When set to true, disables verification of server certificates when testing the action.
### `ignoreNotFound`
**Type: `string`**\
**Default: `false`**
When set to true, prevents the action from failing when a secret does not exist.
## Masking - Hiding Secrets from Logs ## Masking - Hiding Secrets from Logs
This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs. This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs.

4
action.yml
View file

@ -89,6 +89,10 @@ inputs:
secretEncodingType: secretEncodingType:
description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8' description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
required: false required: false
ignoreNotFound:
description: 'Whether or not the action should exit successfully if some requested secrets were not found.'
required: false
default: 'false'
runs: runs:
using: 'node20' using: 'node20'
main: 'dist/index.js' main: 'dist/index.js'

24
integrationTests/basic/integration.test.js
View file

@ -124,12 +124,34 @@ describe('integration', () => {
.mockReturnValueOnce(secrets); .mockReturnValueOnce(secrets);
} }
function mockIgnoreNotFound(shouldIgnore) {
when(core.getInput)
.calledWith('ignoreNotFound', expect.anything())
.mockReturnValueOnce(shouldIgnore);
}
it('prints a nice error message when secret not found', async () => { it('prints a nice error message when secret not found', async () => {
mockInput(`secret/data/test secret ; mockInput(`secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ; secret/data/test secret | NAMED_SECRET ;
secret/data/notFound kehe | NO_SIR ;`); secret/data/notFound kehe | NO_SIR ;`);
expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`)); await expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
})
it('does not error when secret not found and ignoreNotFound is true', async () => {
mockInput(`secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/notFound kehe | NO_SIR ;`);
mockIgnoreNotFound("true");
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(2);
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
}) })
it('get simple secret', async () => { it('get simple secret', async () => {

13
src/secrets.js
View file

@ -1,6 +1,8 @@
const jsonata = require("jsonata"); const jsonata = require("jsonata");
const { WILDCARD } = require("./constants"); const { WILDCARD } = require("./constants");
const { normalizeOutputKey } = require("./utils"); const { normalizeOutputKey } = require("./utils");
const core = require('@actions/core');
/** /**
* @typedef {Object} SecretRequest * @typedef {Object} SecretRequest
* @property {string} path * @property {string} path
@ -21,7 +23,7 @@ const { normalizeOutputKey } = require("./utils");
* @param {import('got').Got} client * @param {import('got').Got} client
* @return {Promise<SecretResponse<TRequest>[]>} * @return {Promise<SecretResponse<TRequest>[]>}
*/ */
async function getSecrets(secretRequests, client) { async function getSecrets(secretRequests, client, ignoreNotFound) {
const responseCache = new Map(); const responseCache = new Map();
let results = []; let results = [];
@ -42,7 +44,14 @@ async function getSecrets(secretRequests, client) {
} catch (error) { } catch (error) {
const {response} = error; const {response} = error;
if (response?.statusCode === 404) { if (response?.statusCode === 404) {
throw Error(`Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`) notFoundMsg = `Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`;
const ignoreNotFound = (core.getInput('ignoreNotFound', { required: false }) || 'false').toLowerCase() != 'false';
if (ignoreNotFound) {
core.error(`${notFoundMsg}`);
continue;
} else {
throw Error(notFoundMsg)
}
} }
throw error throw error
} }