Scoped token access (#441)

* feat: Always allow scoped access to vault token through outputs
* Make optional instead of always, in case of untrusted steps
---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Thomas <thomas.north@dazn.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This commit is contained in:
TomNorth 2023-05-19 19:11:33 +01:00 committed by GitHub
parent 72c092c8af
commit cd5a8995f3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 7 deletions


@ -184,6 +184,11 @@ describe('exportSecrets', () => {
.mockReturnValueOnce(doExport);
}
function mockOutputToken(doOutput) {
when(core.getInput)
.calledWith('outputToken', expect.anything())
.mockReturnValueOnce(doOutput);
}
function mockEncodeType(doEncode) {
when(core.getInput)
.calledWith('secretEncodingType', expect.anything())
@ -323,9 +328,9 @@ describe('exportSecrets', () => {
await exportSecrets();
expect(command.issue).toBeCalledTimes(1);
expect(core.setSecret).toBeCalledTimes(2);
expect(command.issue).toBeCalledWith('add-mask', 'secret');
expect(core.setSecret).toBeCalledWith('secret');
expect(core.setOutput).toBeCalledWith('key', 'secret');
})
@ -343,10 +348,10 @@ with blank lines
await exportSecrets();
expect(command.issue).toBeCalledTimes(2); // 1 for each non-empty line.
expect(core.setSecret).toBeCalledTimes(3); // 1 for each non-empty line.
expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
expect(core.setSecret).toBeCalledWith('a multi-line string');
expect(core.setSecret).toBeCalledWith('with blank lines');
expect(core.setOutput).toBeCalledWith('key', multiLineString);
})
@ -358,4 +363,13 @@ with blank lines
expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
})
it('output only Vault token, no secrets', async () => {
mockOutputToken("true")
await exportSecrets();
expect(core.setOutput).toBeCalledTimes(1);
expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
})
});
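Review bot: The new `output only Vault token, no secrets` case checks that the token reaches `core.setOutput` but never checks that it is registered as a secret first, even though the sibling cases above assert `core.setSecret`/`add-mask` for every value they export; a token emitted as a step output is at least as log-sensitive as those secrets. Add `expect(core.setSecret).toBeCalledWith('EXAMPLE');` before the setOutput assertion, assuming the implementation masks the token before outputting it (the implementation is outside this section, so that is inferred). A companion case using `mockOutputToken("false")` and asserting `expect(core.setOutput).not.toBeCalled();` would pin the opt-in default that the commit description relies on for untrusted steps.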