2025-12-16 07:58:27 +00:00
23 changed files with 1911 additions and 3229 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -8,6 +8,7 @@ Relates OR Closes #0000
 ### Checklist
 - [ ] Added [CHANGELOG](https://github.com/hashicorp/vault-action/blob/master/CHANGELOG.md) entry (only for user-facing changes)
 - [ ] Did not commit changes to `dist/index.js` (This is only done for releases by vault-action maintainers)
 ### Community Note
@ -18,15 +19,3 @@ Relates OR Closes #0000
  prioritize this request
 * Please do not leave "+1" comments, they generate extra noise for pull request
  followers and do not help prioritize the request
 ## PCI review checklist
 <!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
 - [ ] I have documented a clear reason for, and description of, the change I am making.
 - [ ] If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
 - [ ] If applicable, I've documented the impact of any changes to security controls.
  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,14 +1,11 @@
 # To get started with Dependabot version updates, you'll need to specify which
 # package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
-# https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 version: 2
 updates:
-  - package-ecosystem: "npm"
+  - package-ecosystem: "npm" # See documentation for possible values
    directory: "/" # Location of package manifests
    open-pull-requests-limit: 0 # only require security updates and exclude version updates
    schedule:
-      interval: "weekly"
+      interval: "daily"
    # For got, ignore all updates since it is now native ESM
    # see https://github.com/hashicorp/vault-action/pull/457#issuecomment-1601445634
    ignore:
      - dependency-name: "got"
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@ -8,7 +8,7 @@ jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - name: "Lint workflow files"
        uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint:latest
        with:
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -6,14 +6,14 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
-          node-version: "20.9.0"
+        node-version: '16.14.0'
    - name: Setup NPM Cache
-        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      with:
        path: ~/.npm
        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@ -33,17 +33,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - name: Run docker compose
+    - name: Run docker-compose
-        run: docker compose up -d vault
+      run: docker-compose up -d vault
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
-          node-version: "20.9.0"
+        node-version: '16.14.0'
    - name: Setup NPM Cache
-        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      with:
        path: ~/.npm
        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@ -67,19 +67,19 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - name: Run docker compose
+    - name: Run docker-compose
-        run: docker compose up -d vault-enterprise
+      run: docker-compose up -d vault-enterprise
      env:
        VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
-          node-version: "20.9.0"
+        node-version: '16.14.0'
    - name: Setup NPM Cache
-        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      with:
        path: ~/.npm
        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@ -103,17 +103,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - name: Run docker compose
+    - name: Run docker-compose
-        run: docker compose up -d vault
+      run: docker-compose up -d vault
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
-          node-version: "20.9.0"
+        node-version: '16.14.0'
    - name: Setup NPM Cache
-        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      with:
        path: ~/.npm
        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@ -195,21 +195,22 @@ jobs:
      env:
        OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
  e2e-tls:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - name: Run docker compose
+    - name: Run docker-compose
-        run: docker compose up -d vault-tls
+      run: docker-compose up -d vault-tls
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
-          node-version: "20.9.0"
+        node-version: '16.14.0'
    - name: Setup NPM Cache
-        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      with:
        path: ~/.npm
        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
--- a/.github/workflows/local-test.yaml
+++ b/.github/workflows/local-test.yaml
@ -18,11 +18,11 @@ jobs:
    name: local-test
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-    - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
-        node-version: '20.9.0'
+        node-version: '16.14.0'
    - name: NPM Install
      run: npm ci
@ -48,26 +48,14 @@ jobs:
        token: testtoken
        secrets: |
          secret/data/test-json-string jsonString;
          secret/data/test-json-data jsonData;
-    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+    - name: Check Secrets
-      with:
+      run: |
-        github-token: "foobar"
+        touch secrets.json
-        script: |
+        echo "${{ steps.import-secrets.outputs.jsonString }}" >> secrets.json
          const { JSONSTRING, JSONDATA } = process.env
-          console.log(`string ${JSONSTRING}`)
+    - name: Check json file format
-          console.log(`data ${JSONDATA}`)
+      run: |
-          const str = JSONDATA
+        echo
-
+        cat secrets.json
-          let valid = true
+        jq -c . < secrets.json
          try {
              JSON.parse(str)
          } catch (e) {
            valid = false
          }
          if (valid) {
            console.log("valid json")
          } else {
            console.log("not valid json")
          }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,67 +1,5 @@
 ## Unreleased
 ## 3.4.0 (June 13, 2025)
 Bugs:
 * replace all dot chars during normalization (https://github.com/hashicorp/vault-action/pull/580)
 Improvements:
 * Prevent possible DoS via polynomial regex (https://github.com/hashicorp/vault-action/pull/583)
 ## 3.3.0 (March 3, 2025)
 Features:
 * Wildcard secret imports can use `**` to retain case of exported env keys [GH-545](https://github.com/hashicorp/vault-action/pull/545)
 ## 3.2.0 (March 3, 2025)
 Improvements:
 * Add retry for jwt auth login to fix intermittent login failures [GH-574](https://github.com/hashicorp/vault-action/pull/574)
 ## 3.1.0 (January 9, 2025)
 Improvements:
 * fix wildcard handling when field contains dot [GH-542](https://github.com/hashicorp/vault-action/pull/542)
 * bump body-parser from 1.20.0 to 1.20.3
 * bump braces from 3.0.2 to 3.0.3
 * bump cross-spawn from 7.0.3 to 7.0.6
 * bump micromatch from 4.0.5 to 4.0.8
 Features:
 * `secretId` is no longer required for approle to support advanced use cases like machine login when `bind_secret_id` is false. [GH-522](https://github.com/hashicorp/vault-action/pull/522)
 * Use `pki` configuration to generate certificates from Vault [GH-564](https://github.com/hashicorp/vault-action/pull/564)
 ## 3.0.0 (February 15, 2024)
 Improvements:
 * Bump node runtime from node16 to node20 [GH-529](https://github.com/hashicorp/vault-action/pull/529)
 ## 2.8.1 (February 15, 2024)
 Bugs:
 * Revert [GH-509](https://github.com/hashicorp/vault-action/pull/509) which made a backwards incompatible bump of the node runtime from node16 to node20 [GH-527](https://github.com/hashicorp/vault-action/pull/527)
 ## 2.8.0 (February 1, 2024)
 Features:
 * Add `ignoreNotFound` input (default: false) to prevent the action from failing when a secret does not exist [GH-518](https://github.com/hashicorp/vault-action/pull/518)
 Improvements:
 * bump jsrsasign from 10.8.6 to 11.0.0 [GH-513](https://github.com/hashicorp/vault-action/pull/513)
 * bump @actions/core from 1.10.0 to 1.10.1 [GH-489](https://github.com/hashicorp/vault-action/pull/489)
 * bump jest-when from 3.5.2 to 3.6.0 [GH-484](https://github.com/hashicorp/vault-action/pull/484)
 * bump jest from 29.5.0 to 29.7.0 [GH-490](https://github.com/hashicorp/vault-action/pull/490)
 * bump @vercel/ncc from 0.36.1 to 0.38.1 [GH-503](https://github.com/hashicorp/vault-action/pull/503)
 ## 2.7.5 (January 30, 2024)
 Improvements:
--- a/1
+++ b/1
@ -1 +0,0 @@
 * @hashicorp/vault-ecosystem
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 .PHONY: local-test
 local-test:
-	docker compose down;  docker compose up -d vault && act workflow_dispatch -j local-test -W .github/workflows/local-test.yaml
+	docker compose down;  docker-compose up -d vault && act workflow_dispatch -j local-test
--- a/README.md
+++ b/README.md
@ -30,7 +30,6 @@ is not meant to modify Vault’s state.
    - [Simple Key](#simple-key)
    - [Set Output Variable Name](#set-output-variable-name)
    - [Multiple Secrets](#multiple-secrets)
    - [KV secrets engine version 2](#kv-secrets-engine-version-2)
  - [Other Secret Engines](#other-secret-engines)
  - [Adding Extra Headers](#adding-extra-headers)
  - [HashiCorp Cloud Platform or Vault Enterprise](#hashicorp-cloud-platform-or-vault-enterprise)
@ -65,32 +64,27 @@ jobs:
 ```
 Retrieved secrets are available as environment variables or outputs for subsequent steps:
 ```yaml
 #...
            - name: Step following 'Import Secrets'
              run: |
                ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
                SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
            # ...
 ```
 If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format. 
 For example, a common pattern is to save all the secrets in a JSON file:
 ```yaml
 #...
            - name: Step following 'Import Secrets'
              run: |
                touch secrets.json
                echo '${{ toJson(steps.import-secrets.outputs) }}' >> secrets.json
            # ...
 ```
 Which with our example would yield a file containing:
 ```json
 {
  "ACCESS_KEY_ID": "MY_KEY_ID",
@ -101,6 +95,7 @@ Which with our example would yield a file containing:
 Note that all secrets are masked so programs need to read the file themselves otherwise all values will be replaced with a `***` placeholder.
 ## Authentication Methods
 Consider using a [Vault authentication method](https://www.vaultproject.io/docs/auth) such as the JWT auth method with
@ -114,7 +109,7 @@ and Vault using the
 Each GitHub Actions workflow receives an auto-generated OIDC token with claims
 to establish the identity of the workflow.
-**Vault Configuration**
+__Vault Configuration__
 <details>
 <summary>Click to toggle instructions for configuring Vault.</summary>
@ -125,6 +120,7 @@ Pass the following parameters to your auth method configuration:
 - `oidc_discovery_url`: `https://token.actions.githubusercontent.com`
 - `bound_issuer`: `https://token.actions.githubusercontent.com`
 Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) for the auth method.
 - `role_type`: `jwt`
@ -158,7 +154,7 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
 </details>
-**GitHub Actions Workflow**
+__GitHub Actions Workflow__
 In the GitHub Actions workflow, the workflow needs permissions to read contents
 and write the ID token.
@ -382,6 +378,7 @@ steps:
    # Import config...
  - name: Sensitive Operation
    run: "my-cli --token '${{ steps.secrets.outputs.NPM_TOKEN }}'"
 ```
 ### Multiple Secrets
@ -394,8 +391,7 @@ with:
        secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
        secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
 ```
-
+You can specify a wildcard * for the key name to get all keys in the path.  If you provide an output name with the wildcard, the name will be prepended to the key name:
 You can specify a wildcard \* for the key name to get all keys in the path. If you provide an output name with the wildcard, the name will be prepended to the key name:
 ```yaml
 with:
@ -403,60 +399,12 @@ with:
        secret/data/ci/aws * | MYAPP_ ;
 ```
 When using the `exportEnv` option all exported keys will be normalized to uppercase. For example, the key `SecretKey` would be exported as `MYAPP_SECRETKEY`.
 You can disable uppercase normalization by specifying double asterisks `**` in the selector path:
 ```yaml
 with:
    secrets: |
        secret/data/ci/aws ** | MYAPP_ ;
 ```
 ### KV secrets engine version 2
 When accessing secrets from the KV secrets engine version 2, Vault Action
 requires the full path to the secret. This is the same path that would be used
 in a Vault policy for the secret. You can find the full path to your secret by
 performing a `kv get` command like the following:
 ```bash
 $ vault kv get secret/test
 == Secret Path ==
 secret/data/test
 ...
 ```
 Note that the full path is not `secret/test`, but `secret/data/test`.
 ## PKI Certificate Requests
 You can use the `pki` option to generate a certificate and private key for a given role.
 ````yaml
 with:
    pki: |
        pki/issue/rolename {"common_name": "role.mydomain.com", "ttl": "1h"} ;
        pki/issue/otherrole {"common_name": "otherrole.mydomain.com", "ttl": "1h"} ;
 ```
 Resulting in:
 ```bash
 ROLENAME_CA=-----BEGIN CERTIFICATE-----...
 ROLENAME_CERT=-----BEGIN CERTIFICATE-----...
 ROLENAME_KEY=-----BEGIN RSA PRIVATE KEY-----...
 ROLENAME_CA_CHAIN=-----BEGIN CERTIFICATE-----...
 OTHERROLE_CA=-----BEGIN CERTIFICATE-----...
 OTHERROLE_CERT=-----BEGIN CERTIFICATE-----...
 OTHERROLE_KEY=-----BEGIN RSA PRIVATE KEY-----...
 OTHERROLE_CA_CHAIN=-----BEGIN CERTIFICATE-----...
 ````
 ## Other Secret Engines
 Vault Action currently supports retrieving secrets from any engine where secrets
-are retrieved via `GET` requests, except for the PKI engine as noted above.
+are retrieved via `GET` requests.  This means secret engines such as PKI are currently
 not supported due to their requirement of sending parameters along with the request
 (such as `common_name`).
 For example, to request a secret from the `cubbyhole` secret engine:
@ -493,8 +441,8 @@ If you ever need to add extra headers to the vault request, say if you need to a
 ```yaml
 with:
    secrets: |
-    secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+        secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-    secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
+        secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
    extraHeaders: |
      X-Secure-Id: ${{ secrets.SECURE_ID }}
      X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
@ -520,32 +468,14 @@ steps:
      uses: hashicorp/vault-action
      with:
        url: https://vault-enterprise.mycompany.com:8200
        caCertificate: ${{ secrets.VAULT_CA_CERT }}
        method: token
        token: ${{ secrets.VAULT_TOKEN }}
        namespace: admin
        secrets: |
-        secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+            secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-        secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
+            secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
-        secret/data/ci npm_token
+            secret/ci npm_token
 ```
 Alternatively, you may need to authenticate to the root namespace and retrieve
 a secret from a different namespace. To do this, do not set the `namespace`
 parameter. Instead set the namespace in the secret path. For example, `<NAMESPACE>/secret/data/app`:
 ```yaml
 steps:
  # ...
  - name: Import Secrets
    uses: hashicorp/vault-action
    with:
      url: https://vault-enterprise.mycompany.com:8200
      method: token
      token: ${{ secrets.VAULT_TOKEN }}
      secrets: |
        namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
        namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
        namespace-1/secret/data/ci npm_token
 ```
 ## Reference
@ -719,13 +649,6 @@ Base64 encoded client key the action uses to authenticate with Vault when mTLS i
 When set to true, disables verification of server certificates when testing the action.
 ### `ignoreNotFound`
 **Type: `string`**\
 **Default: `false`**
 When set to true, prevents the action from failing when a secret does not exist.
 ## Masking - Hiding Secrets from Logs
 This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs.
@ -738,10 +661,9 @@ To make it simpler to consume certain secrets as env vars, if no Env/Output Var
 ## Contributing
 If you wish to contribute to this project, the following dependencies are recommended for local development:
 - [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) to install dependencies, build project and run tests
 - [docker](https://docs.docker.com/get-docker/) to run the pre-configured vault containers for acceptance tests
- [docker compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
+- [docker-compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
 - [act](https://github.com/nektos/act) to run the vault-action locally
 ### Build
@ -758,7 +680,7 @@ The Github Action needs access to a working Vault instance to function.
 Multiple docker configurations are available via the docker-compose.yml file to run containers compatible with the various acceptance test suites.
 ```sh
-$ docker compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
+$ docker-compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
 ```
 Instead of using one of the dockerized instance, you can also use your own local or remote Vault instance by exporting these environment variables:
--- a/action.yml
+++ b/action.yml
@ -7,9 +7,6 @@ inputs:
  secrets:
    description: 'A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details'
    required: false
  pki:
    description: 'A semicolon-separated list of certificates to generate. These will automatically be converted to environment variable keys. Cannot be used with "secrets". See README for more details'
    required: false
  namespace:
    description: 'The Vault namespace from which to query secrets. Vault Enterprise only, unset by default'
    required: false
@ -92,10 +89,6 @@ inputs:
  secretEncodingType:
    description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
    required: false
  ignoreNotFound:
    description: 'Whether or not the action should exit successfully if some requested secrets were not found.'
    required: false
    default: 'false'
 runs:
  using: 'node20'
  main: 'dist/index.js'
--- a/dist/index.js
+++ b/dist/index.js
--- a/integrationTests/basic/integration.test.js
+++ b/integrationTests/basic/integration.test.js
@ -31,22 +31,6 @@ describe('integration', () => {
            },
        });
        await got(`${vaultUrl}/v1/secret/data/test-with-dot-char`, {
            method: 'POST',
            headers: {
                'X-Vault-Token': vaultToken,
            },
            body: `{"data":{"secret.foo":"SUPERSECRET"}}`
        });
        await got(`${vaultUrl}/v1/secret/data/test-with-multi-dot-chars`, {
            method: 'POST',
            headers: {
                'X-Vault-Token': vaultToken,
            },
            body: `{"data":{"secret.foo.bar":"SUPERSECRET"}}`
        });
        await got(`${vaultUrl}/v1/secret/data/nested/test`, {
            method: 'POST',
            headers: {
@ -120,69 +104,6 @@ describe('integration', () => {
                "other-Secret-dash": 'OTHERCUSTOMSECRET',
            },
        });
        // Enable pki engine
        try {
            await got(`${vaultUrl}/v1/sys/mounts/pki`, {
                method: 'POST',
                headers: {
                    'X-Vault-Token': vaultToken,
                },
                json: {
                    type: 'pki'
                }
            });
        } catch (error) {
            const {response} = error;
            if (response.statusCode === 400 && response.body.includes("path is already in use")) {
                // Engine might already be enabled from previous test runs
            } else {
                throw error;
            }
        }
        // Configure Root CA
        try {
            await got(`${vaultUrl}/v1/pki/root/generate/internal`, {
                method: 'POST',
                headers: {
                    'X-Vault-Token': vaultToken,
                },
                json: {
                    common_name: 'test',
                    ttl: '24h',
                },
            });
        } catch (error) {
            const {response} = error;
            if (response.statusCode === 400 && response.body.includes("already exists")) {
                // Root CA might already be configured from previous test runs
            } else {
                throw error;
            }
        }
        // Configure PKI Role
        try {
            await got(`${vaultUrl}/v1/pki/roles/Test`, {
                method: 'POST',
                headers: {
                    'X-Vault-Token': vaultToken,
                },
                json: {
                    allowed_domains: ['test'],
                    allow_bare_domains: true,
                    max_ttl: '1h',
                },
            });
        } catch (error) {
            const {response} = error;
            if (response.statusCode === 400 && response.body.includes("already exists")) {
                // Role might already be configured from previous test runs
            } else {
                throw error;
            }
        }
    });
    beforeEach(() => {
@ -203,55 +124,14 @@ describe('integration', () => {
            .mockReturnValueOnce(secrets);
    }
    function mockPkiInput(pki) {
        when(core.getInput)
            .calledWith('pki', expect.anything())
            .mockReturnValueOnce(pki);
    }
    function mockIgnoreNotFound(shouldIgnore) {
        when(core.getInput)
            .calledWith('ignoreNotFound', expect.anything())
            .mockReturnValueOnce(shouldIgnore);
    }
    it('prints a nice error message when secret not found', async () => {
        mockInput(`secret/data/test secret ;
        secret/data/test secret | NAMED_SECRET ;
        secret/data/notFound kehe | NO_SIR ;`);
-        await expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
+        expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
    })
    it('does not error when secret not found and ignoreNotFound is true', async () => {
        mockInput(`secret/data/test secret ;
        secret/data/test secret | NAMED_SECRET ;
        secret/data/notFound kehe | NO_SIR ;`);
        mockIgnoreNotFound("true");
        await exportSecrets();
        expect(core.exportVariable).toBeCalledTimes(2);
        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
        expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
    })
    it('gets a pki certificate', async () => {
        mockPkiInput('pki/issue/Test {"common_name":"test","ttl":"1h"}');
        await exportSecrets();
        expect(core.exportVariable).toBeCalledTimes(4);
        expect(core.exportVariable).toBeCalledWith('TEST_KEY', expect.anything());
        expect(core.exportVariable).toBeCalledWith('TEST_CERT', expect.anything());
        expect(core.exportVariable).toBeCalledWith('TEST_CA', expect.anything());
        expect(core.exportVariable).toBeCalledWith('TEST_CA_CHAIN', expect.anything());
    });
    it('get simple secret', async () => {
        mockInput('secret/data/test secret');
@ -291,26 +171,6 @@ describe('integration', () => {
        expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERSUPERSECRET');
    });
    it('get wildcard secrets with dot char', async () => {
        mockInput(`secret/data/test-with-dot-char * ;`);
        await exportSecrets();
        expect(core.exportVariable).toBeCalledTimes(1);
        expect(core.exportVariable).toBeCalledWith('SECRET__FOO', 'SUPERSECRET');
    });
    it('get secrets with multiple dot chars', async () => {
        mockInput(`secret/data/test-with-multi-dot-chars * ;`);
        await exportSecrets();
        expect(core.exportVariable).toBeCalledTimes(1);
        expect(core.exportVariable).toBeCalledWith('SECRET__FOO__BAR', 'SUPERSECRET');
    });
    it('get wildcard secrets', async () => {
        mockInput(`secret/data/test * ;`);
@ -413,7 +273,7 @@ describe('integration', () => {
            expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
        });
-        it('wildcard supports cubbyhole with uppercase transform', async () => {
+        it('wildcard supports cubbyhole', async () => {            
            mockInput('/cubbyhole/test *');
            await exportSecrets();
@ -424,32 +284,6 @@ describe('integration', () => {
            expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
        });
        it('wildcard supports cubbyhole with no change in case', async () => {
            mockInput('/cubbyhole/test **');
            await exportSecrets();
            expect(core.exportVariable).toBeCalledTimes(2);
            expect(core.exportVariable).toBeCalledWith('foo', 'bar');
            expect(core.exportVariable).toBeCalledWith('zip', 'zap');
        });
        it('wildcard supports cubbyhole with mixed case change', async () => {
            mockInput(`
            /cubbyhole/test * ;
            /cubbyhole/test **`);
            await exportSecrets();
            expect(core.exportVariable).toBeCalledTimes(4);
            expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
            expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
            expect(core.exportVariable).toBeCalledWith('foo', 'bar');
            expect(core.exportVariable).toBeCalledWith('zip', 'zap');
        });
        it('caches responses', async () => {            
            mockInput(`
            /cubbyhole/test foo ;
--- a/integrationTests/basic/jwt_auth.test.js
+++ b/integrationTests/basic/jwt_auth.test.js
@ -97,8 +97,6 @@ describe('jwt auth', () => {
            }
        });
        // write the jwt config, the jwt role will be written on a per-test
        // basis since the audience may vary
        await got(`${vaultUrl}/v1/auth/jwt/config`, {
            method: 'POST',
            headers: {
@ -110,6 +108,22 @@ describe('jwt auth', () => {
            }
        });
        await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
            method: 'POST',
            headers: {
                'X-Vault-Token': vaultToken,
            },
            json: {
                role_type: 'jwt',
                bound_audiences: null,
                bound_claims: {
                    iss: 'vault-action'
                },
                user_claim: 'iss',
                policies: ['reader']
            }
        });
        await got(`${vaultUrl}/v1/secret/data/test`, {
            method: 'POST',
            headers: {
@ -124,24 +138,6 @@ describe('jwt auth', () => {
    });
    describe('authenticate with private key', () => {
        beforeAll(async () => {
            await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
                method: 'POST',
                headers: {
                    'X-Vault-Token': vaultToken,
                },
                json: {
                    role_type: 'jwt',
                    bound_audiences: null,
                    bound_claims: {
                        iss: 'vault-action'
                    },
                    user_claim: 'iss',
                    policies: ['reader']
                }
            });
        });
        beforeEach(() => {
            jest.resetAllMocks();
@ -174,22 +170,6 @@ describe('jwt auth', () => {
    describe('authenticate with Github OIDC', () => {
        beforeAll(async () => {
            await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
                method: 'POST',
                headers: {
                    'X-Vault-Token': vaultToken,
                },
                json: {
                    role_type: 'jwt',
                    bound_audiences: 'https://github.com/hashicorp/vault-action',
                    bound_claims: {
                        iss: 'vault-action'
                    },
                    user_claim: 'iss',
                    policies: ['reader']
                }
            });
            await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
                method: 'POST',
                headers: {
@ -197,7 +177,7 @@ describe('jwt auth', () => {
                },
                json: {
                    role_type: 'jwt',
-                    bound_audiences: 'sigstore',
+                    bound_audiences: null,
                    bound_claims: {
                        iss: 'vault-action',
                        aud: 'sigstore',
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -36,16 +36,16 @@
    "dependencies": {
        "got": "^11.8.6",
        "jsonata": "^2.0.3",
-        "jsrsasign": "^11.1.0"
+        "jsrsasign": "^10.8.6"
    },
    "peerDependencies": {
        "@actions/core": ">=1 <2"
    },
    "devDependencies": {
-        "@actions/core": "^1.10.1",
+        "@actions/core": "^1.10.0",
-        "@vercel/ncc": "^0.38.1",
+        "@vercel/ncc": "^0.36.1",
-        "jest": "^29.7.0",
+        "jest": "^29.5.0",
-        "jest-when": "^3.6.0",
+        "jest-when": "^3.5.2",
        "mock-http-server": "^1.4.5"
    }
 }
--- a/src/action.js
+++ b/src/action.js
@ -4,9 +4,9 @@ const command = require('@actions/core/lib/command');
 const got = require('got').default;
 const jsonata = require('jsonata');
 const { normalizeOutputKey } = require('./utils');
-const { WILDCARD, WILDCARD_UPPERCASE } = require('./constants');
+const { WILDCARD } = require('./constants');
-const { auth: { retrieveToken }, secrets: { getSecrets }, pki: { getCertificates } } = require('./index');
+const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index');
 const AUTH_METHODS = ['approle', 'token', 'github', 'jwt', 'kubernetes', 'ldap', 'userpass'];
 const ENCODING_TYPES = ['base64', 'hex', 'utf8'];
@ -22,16 +22,6 @@ async function exportSecrets() {
    const secretsInput = core.getInput('secrets', { required: false });
    const secretRequests = parseSecretsInput(secretsInput);
    const pkiInput = core.getInput('pki', { required: false });
    let pkiRequests = [];
    if (pkiInput) {
        if (secretsInput) {
            throw Error('You cannot provide both "secrets" and "pki" inputs.');
        }
        pkiRequests = parsePkiInput(pkiInput);
    }
    const secretEncodingType = core.getInput('secretEncodingType', { required: false });
    const vaultMethod = (core.getInput('method', { required: false }) || 'token').toLowerCase();
@ -94,12 +84,12 @@ async function exportSecrets() {
        core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
    }
-    let results = [];
+    const requests = secretRequests.map(request => {
-    if (pkiRequests.length > 0) {
+        const { path, selector } = request;
-        results = await getCertificates(pkiRequests, client);
+        return request;
-    } else {
+    });
-        results = await getSecrets(secretRequests, client);
+
-    }
+    const results = await getSecrets(requests, client);
    for (const result of results) {
@ -138,43 +128,6 @@ async function exportSecrets() {
 * @property {string} selector
 */
 /**
 * Parses a pki input string into key paths and the request parameters.
 * @param {string} pkiInput
 */
 function parsePkiInput(pkiInput) {
    if (!pkiInput) {
        return []
    }
    const secrets = pkiInput
        .split(';')
        .filter(key => !!key)
        .map(key => key.trim())
        .filter(key => key.length !== 0);
    return secrets.map(secret => {
        const path = secret.substring(0, secret.indexOf(' '));
        const parameters = secret.substring(secret.indexOf(' ') + 1);
        core.debug(`ℹ Parsing PKI: ${path} with parameters: ${parameters}`);
        if (!path || !parameters) {
            throw Error(`You must provide a valid path and parameters. Input: "${secret}"`);
        }
        let outputVarName = path.split('/').pop();
        let envVarName = normalizeOutputKey(outputVarName);
        return { 
            path, 
            envVarName, 
            outputVarName,
            parameters: JSON.parse(parameters),
        };
    });
 }
 /**
 * Parses a secrets input string into key paths and their resulting environment variable name.
 * @param {string} secretsInput
@ -221,7 +174,7 @@ function parseSecretsInput(secretsInput) {
        const selectorAst = jsonata(selectorQuoted).ast();
        const selector = selectorQuoted.replace(new RegExp('"', 'g'), '');
-        if (selector !== WILDCARD && selector !== WILDCARD_UPPERCASE && (selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
+        if (selector !== WILDCARD && (selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
            throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
        }
--- a/src/auth.js
+++ b/src/auth.js
@ -5,8 +5,6 @@ const fs = require('fs');
 const { default: got } = require('got');
 const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token'
 const retries = 5
 const retries_delay = 3000
 /***
 * Authenticate with Vault and retrieve a Vault token that can be used for requests.
 * @param {string} method
@ -19,7 +17,7 @@ async function retrieveToken(method, client) {
    switch (method) {
        case 'approle': {
            const vaultRoleId = core.getInput('roleId', { required: true });
-            const vaultSecretId = core.getInput('secretId', { required: false });
+            const vaultSecretId = core.getInput('secretId', { required: true });
            return await getClientToken(client, method, path, { role_id: vaultRoleId, secret_id: vaultSecretId });
        }
        case 'github': {
@ -37,10 +35,7 @@ async function retrieveToken(method, client) {
            const githubAudience = core.getInput('jwtGithubAudience', { required: false });
            if (!privateKey) {
-                jwt = await retryAsyncFunction(retries, retries_delay, core.getIDToken, githubAudience)
+                jwt = await core.getIDToken(githubAudience)
                  .then((result) => {
                    return result;
                });
            } else {
                jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
            }
@ -147,30 +142,6 @@ async function getClientToken(client, method, path, payload) {
    }
 }
 /***
 * Generic function for retrying an async function
 * @param {number} retries
 * @param {number} delay
 * @param {Function} func
 * @param {any[]} args
 */
 async function retryAsyncFunction(retries, delay, func, ...args) {
  let attempt = 0;
  while (attempt < retries) {
    try {
      const result = await func(...args);
      return result;
    } catch (error) {
      attempt++;
      if (attempt < retries) {
        await new Promise(resolve => setTimeout(resolve, delay));
      } else {
        throw error;
      }
    }
  }
 }
 /***
 * @typedef {Object} VaultLoginResponse
 * @property {{
--- a/src/auth.test.js
+++ b/src/auth.test.js
@ -85,23 +85,4 @@ describe("test retrival for token", () => {
        const url = got.post.mock.calls[0][0]
        expect(url).toContain('differentK8sPath')
    })
    it("test retrieval with jwt", async () => {
        const method = "jwt"
        const jwtToken = "someTestToken"
        const testRole = "testRole"
        const privateKeyRaw = ""
        mockApiResponse()
        mockInput("role", testRole)
        mockInput("jwtPrivateKey", privateKeyRaw)
        core.getIDToken = jest.fn()
        core.getIDToken.mockReturnValueOnce(jwtToken)
        const token = await retrieveToken(method, got)
        expect(token).toEqual(testToken)
        const payload = got.post.mock.calls[0][1].json
        expect(payload).toEqual({ jwt: jwtToken,  role: testRole })
        const url = got.post.mock.calls[0][0]
        expect(url).toContain('jwt')
  })
 })
--- a/src/constants.js
+++ b/src/constants.js
@ -1,7 +1,5 @@
-const WILDCARD_UPPERCASE = '*';
+const WILDCARD = '*';
 const WILDCARD = '**';
 module.exports = {
-    WILDCARD,
+    WILDCARD
    WILDCARD_UPPERCASE,
 };
--- a/src/index.js
+++ b/src/index.js
@ -1,9 +1,7 @@
 const auth = require('./auth');
 const secrets = require('./secrets');
 const pki = require('./pki');
 module.exports = {
    auth,
-    secrets,
+    secrets
    pki
 };
--- a/src/pki.js
+++ b/src/pki.js
@ -1,76 +0,0 @@
 const { normalizeOutputKey } = require('./utils');
 const core = require('@actions/core');
 /** A map of postfix values mapped to the key in the certificate response and a transformer function */
 const outputMap = {
    cert: { key: 'certificate', tx: (v) => v },
    key: { key: 'private_key', tx: (v) => v },
    ca: { key: 'issuing_ca', tx: (v) => v },
    ca_chain: { key: 'ca_chain', tx: (v) => v.join('\n') },
 };
 /**
 * @typedef PkiRequest
 * @type {object}
 * @property {string} path - The path to the PKI endpoint
 * @property {Record<string, any>} parameters - The parameters to send to the PKI endpoint
 * @property {string} envVarName - The name of the environment variable to set
 * @property {string} outputVarName - The name of the output variable to set
 */
 /**
 * @typedef {Object} PkiResponse
 * @property {PkiRequest} request
 * @property {string} value
 * @property {boolean} cachedResponse
 */
 /**
 * Generate and return the certificates from the PKI engine
 * @param {Array<PkiRequest>} pkiRequests
 * @param {import('got').Got} client
 * @return {Promise<Array<PkiResponse>>}
 */
 async function getCertificates(pkiRequests, client) {
    /** @type Array<PkiResponse> */
    let results = [];
    for (const pkiRequest of pkiRequests) {
        const { path, parameters } = pkiRequest;
        const requestPath = `v1/${path}`;
        let body;
        try {
            const result = await client.post(requestPath, {
                body: JSON.stringify(parameters),
            });
            body = result.body;
        } catch (error) {
            core.error(`✘ ${error.response?.body ?? error.message}`);
            throw error;
        }
        body = JSON.parse(body);
        core.info(`✔ Successfully generated certificate (serial number ${body.data.serial_number})`);
        Object.entries(outputMap).forEach(([key, value]) => {
            const val = value.tx(body.data[value.key]);
            results.push({
                request: {
                    ...pkiRequest,
                    envVarName: normalizeOutputKey(`${pkiRequest.envVarName}_${key}`, true),
                    outputVarName: normalizeOutputKey(`${pkiRequest.outputVarName}_${key}`),
                },
                value: val,
                cachedResponse: false,
            });
        });
    }
    return results;
 }
 module.exports = {
    getCertificates,
 };
--- a/src/secrets.js
+++ b/src/secrets.js
@ -1,8 +1,6 @@
 const jsonata = require("jsonata");
-const { WILDCARD, WILDCARD_UPPERCASE} = require("./constants");
+const { WILDCARD } = require("./constants");
 const { normalizeOutputKey } = require("./utils");
 const core = require('@actions/core');
 /**
 * @typedef {Object} SecretRequest
 * @property {string} path
@ -23,10 +21,9 @@ const core = require('@actions/core');
  * @param {import('got').Got} client
  * @return {Promise<SecretResponse<TRequest>[]>}
  */
-async function getSecrets(secretRequests, client, ignoreNotFound) {
+async function getSecrets(secretRequests, client) {
    const responseCache = new Map();
    let results = [];
    let upperCaseEnv = false;
    for (const secretRequest of secretRequests) {
        let { path, selector } = secretRequest;
@ -45,14 +42,7 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
            } catch (error) {
                const {response} = error;
                if (response?.statusCode === 404) {
-                    notFoundMsg = `Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`;
+                    throw Error(`Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`)
                    const ignoreNotFound = (core.getInput('ignoreNotFound', { required: false }) || 'false').toLowerCase() != 'false';
                    if (ignoreNotFound) {
                        core.error(`✘ ${notFoundMsg}`);
                        continue;
                    } else {
                        throw Error(notFoundMsg)
                    }
                }
                throw error
            }
@ -60,8 +50,7 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
        body = JSON.parse(body);
-        if (selector === WILDCARD || selector === WILDCARD_UPPERCASE) {
+        if (selector == WILDCARD) {                     
            upperCaseEnv = selector === WILDCARD_UPPERCASE;
            let keys = body.data;
            if (body.data["data"] != undefined) {
                keys = keys.data;
@ -74,21 +63,15 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
                if (secretRequest.selector === secretRequest.outputVarName) {
                    newRequest.outputVarName = key;
                    newRequest.envVarName = key;        		
-                } else {
+                }
                else {
                    newRequest.outputVarName = secretRequest.outputVarName+key;
                    newRequest.envVarName = secretRequest.envVarName+key;        		
                }
                newRequest.outputVarName = normalizeOutputKey(newRequest.outputVarName);
-                newRequest.envVarName = normalizeOutputKey(newRequest.envVarName, upperCaseEnv);
+                newRequest.envVarName = normalizeOutputKey(newRequest.envVarName,true);   
                // JSONata field references containing reserved tokens should
                // be enclosed in backticks
                // https://docs.jsonata.org/simple#examples
                if (key.includes(".")) {
                    const backtick = '`';
                    key = backtick.concat(key, backtick);
                }
                selector = key;
                results = await selectAndAppendResults(
@ -153,7 +136,7 @@ const selectAndAppendResults = async (
  secretRequest,
  results
 ) => {
-  if (!selector.includes(".")) {
+  if (!selector.match(/.*[\.].*/)) {
    selector = '"' + selector + '"';
  }
  selector = "data." + selector;
--- a/src/utils.js
+++ b/src/utils.js
@ -3,12 +3,12 @@
 * @param {string} dataKey
 * @param {boolean=} isEnvVar
 */
-function normalizeOutputKey(dataKey, upperCase = false) {
+function normalizeOutputKey(dataKey, isEnvVar = false) {
  let outputKey = dataKey
-    .replaceAll(".", "__")
+    .replace(".", "__")
    .replace(new RegExp("-", "g"), "")
    .replace(/[^\p{L}\p{N}_-]/gu, "");
-  if (upperCase) {
+  if (isEnvVar) {
    outputKey = outputKey.toUpperCase();
  }
  return outputKey;