diff --git a/README.md b/README.md index b57907b..4b8e620 100644 --- a/README.md +++ b/README.md @@ -406,17 +406,12 @@ Here are all the inputs available through `with`: | `extraHeaders` | A string of newline separated extra headers to include on every request. | | | | `exportEnv` | Whether or not export secrets as environment variables. | `true` | | | `exportToken` | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN). | `false` | | +| `outputToken` | Whether or not to set the `vault_token` output to contain the Vault token after authentication. | `false` | | | `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | | | `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | | | `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | | | `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | | -Here are outputs that are always available: - -| Output | Description | -|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------| -| `vault_token` | The Vault either used for authentication, or obtained via an auth method. | - ## Masking - Hiding Secrets from Logs This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs. diff --git a/dist/index.js b/dist/index.js index 60241da..b7d06d7 100644 --- a/dist/index.js +++ b/dist/index.js @@ -16448,6 +16448,7 @@ async function exportSecrets() { const vaultNamespace = core.getInput('namespace', { required: false }); const extraHeaders = parseHeadersInput('extraHeaders', { required: false }); const exportEnv = core.getInput('exportEnv', { required: false }) != 'false'; + const outputToken = (core.getInput('outputToken', { required: false }) || 'false').toLowerCase() != 'false'; const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false'; const secretsInput = core.getInput('secrets', { required: false }); @@ -16506,7 +16507,9 @@ async function exportSecrets() { const client = got.extend(defaultOptions); command.issue('add-mask', vaultToken); - core.setOutput('vault_token', `${vaultToken}`); + if (outputToken === true) { + core.setOutput('vault_token', `${vaultToken}`); + } if (exportToken === true) { core.exportVariable('VAULT_TOKEN', `${vaultToken}`); } diff --git a/src/action.js b/src/action.js index 9d198a1..6a9761a 100644 --- a/src/action.js +++ b/src/action.js @@ -12,6 +12,7 @@ async function exportSecrets() { const vaultNamespace = core.getInput('namespace', { required: false }); const extraHeaders = parseHeadersInput('extraHeaders', { required: false }); const exportEnv = core.getInput('exportEnv', { required: false }) != 'false'; + const outputToken = (core.getInput('outputToken', { required: false }) || 'false').toLowerCase() != 'false'; const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false'; const secretsInput = core.getInput('secrets', { required: false }); @@ -70,7 +71,9 @@ async function exportSecrets() { const client = got.extend(defaultOptions); command.issue('add-mask', vaultToken); - core.setOutput('vault_token', `${vaultToken}`); + if (outputToken === true) { + core.setOutput('vault_token', `${vaultToken}`); + } if (exportToken === true) { core.exportVariable('VAULT_TOKEN', `${vaultToken}`); } diff --git a/src/action.test.js b/src/action.test.js index 8036e89..1fb9ef6 100644 --- a/src/action.test.js +++ b/src/action.test.js @@ -184,6 +184,12 @@ describe('exportSecrets', () => { .mockReturnValueOnce(doExport); } + function mockOutputToken(doOutput) { + when(core.getInput) + .calledWith('outputToken', expect.anything()) + .mockReturnValueOnce(doOutput); + } + it('simple secret retrieval', async () => { mockInput('test key'); mockVaultData({ @@ -194,7 +200,6 @@ describe('exportSecrets', () => { expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.setOutput).toBeCalledWith('key', '1'); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }); it('intl secret retrieval', async () => { @@ -207,7 +212,6 @@ describe('exportSecrets', () => { expect(core.exportVariable).toBeCalledWith('测试', '1'); expect(core.setOutput).toBeCalledWith('测试', '1'); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }); it('mapped secret retrieval', async () => { @@ -220,7 +224,6 @@ describe('exportSecrets', () => { expect(core.exportVariable).toBeCalledWith('TEST_NAME', '1'); expect(core.setOutput).toBeCalledWith('TEST_NAME', '1'); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }); it('simple secret retrieval from K/V v1', async () => { @@ -238,7 +241,6 @@ describe('exportSecrets', () => { expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.setOutput).toBeCalledWith('key', '1'); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }); it('simple secret retrieval with extra headers', async () => { @@ -254,7 +256,6 @@ describe('exportSecrets', () => { expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.setOutput).toBeCalledWith('key', '1'); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }); it('nested secret retrieval', async () => { @@ -267,7 +268,6 @@ describe('exportSecrets', () => { expect(core.exportVariable).toBeCalledWith('KEY__VALUE', '1'); expect(core.setOutput).toBeCalledWith('key__value', '1'); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }); it('export Vault token', async () => { @@ -284,7 +284,6 @@ describe('exportSecrets', () => { expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE'); expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.setOutput).toBeCalledWith('key', '1'); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }); it('not export Vault token', async () => { @@ -300,7 +299,6 @@ describe('exportSecrets', () => { expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.setOutput).toBeCalledWith('key', '1'); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }); it('single-line secret gets masked', async () => { @@ -316,7 +314,6 @@ describe('exportSecrets', () => { expect(command.issue).toBeCalledWith('add-mask', 'secret'); expect(core.setOutput).toBeCalledWith('key', 'secret'); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }) it('multi-line secret gets masked for each line', async () => { @@ -338,7 +335,6 @@ with blank lines expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string'); expect(command.issue).toBeCalledWith('add-mask', 'with blank lines'); expect(core.setOutput).toBeCalledWith('key', multiLineString); - expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }) it('export only Vault token, no secrets', async () => { @@ -348,6 +344,14 @@ with blank lines expect(core.exportVariable).toBeCalledTimes(1); expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE'); + }) + + it('output only Vault token, no secrets', async () => { + mockOutputToken("true") + + await exportSecrets(); + + expect(core.setOutput).toBeCalledTimes(1); expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE'); }) });