actions/vault-action
2
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-12-16 16:08:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: actions:main
Branches Tags
actions:main
actions:compliance/add-headers-batch-1
actions:docs/VAULT-36003/tcf
actions:fix-module-not-found
actions:update-jsonata
actions:fairclothjm/colpal/main
actions:test-multiline-stringify-check-2
actions:test-multiline-stringify-check
actions:v3
actions:v3.4.0
actions:v3.3.0
actions:v3.2.0
actions:v3.1.0
actions:v3.0.0
actions:v2.8.1
actions:v2
actions:v2.8.0
actions:v2.7.5
actions:v2.7.4
actions:v2.7.3
actions:v2.7.2
actions:v2.7.1
actions:v2.7.0
actions:v2.6.0
actions:v2.5.0
actions:v2.4.3
actions:v2.4.2
actions:v2.4.1
actions:v2.4.0
actions:v2.3.1
actions:v2.3.0
actions:v2.2.0
actions:v2.1.2
actions:v2.1.1
actions:v2.1.0
actions:v2.0.1
actions:v2.0.0
actions:v1.0.1
actions:v1.0.0
actions:v0.10.2
actions:v0.10.1
actions:v0.10.0
actions:v0.9.0
actions:v0.8.0
actions:v0.7.0
actions:v0.6.2
actions:v0.6.1
actions:v0.6.0
actions:v0.5.0
actions:v0.4.0
actions:v0.3.1
actions:v0.3.0
actions:v0.2.2
actions:v0.2.0
actions:v0.2.1
actions:v0.1.0
..
compare: actions:v3.1.0
Branches Tags
actions:compliance/add-headers-batch-1
actions:main
actions:docs/VAULT-36003/tcf
actions:fix-module-not-found
actions:update-jsonata
actions:fairclothjm/colpal/main
actions:test-multiline-stringify-check-2
actions:test-multiline-stringify-check
actions:v3
actions:v3.4.0
actions:v3.3.0
actions:v3.2.0
actions:v3.1.0
actions:v3.0.0
actions:v2.8.1
actions:v2
actions:v2.8.0
actions:v2.7.5
actions:v2.7.4
actions:v2.7.3
actions:v2.7.2
actions:v2.7.1
actions:v2.7.0
actions:v2.6.0
actions:v2.5.0
actions:v2.4.3
actions:v2.4.2
actions:v2.4.1
actions:v2.4.0
actions:v2.3.1
actions:v2.3.0
actions:v2.2.0
actions:v2.1.2
actions:v2.1.1
actions:v2.1.0
actions:v2.0.1
actions:v2.0.0
actions:v1.0.1
actions:v1.0.0
actions:v0.10.2
actions:v0.10.1
actions:v0.10.0
actions:v0.9.0
actions:v0.8.0
actions:v0.7.0
actions:v0.6.2
actions:v0.6.1
actions:v0.6.0
actions:v0.5.0
actions:v0.4.0
actions:v0.3.1
actions:v0.3.0
actions:v0.2.2
actions:v0.2.0
actions:v0.2.1
actions:v0.1.0

No commits in common. "main" and "v3.1.0" have entirely different histories.
main ... v3.1.0

18 changed files with 61 additions and 240 deletions
Show stats Expand all files Collapse all files

12
.github/PULL_REQUEST_TEMPLATE.md vendored
View file

@ -18,15 +18,3 @@ Relates OR Closes #0000
prioritize this request
* Please do not leave "+1" comments, they generate extra noise for pull request
followers and do not help prioritize the request
## PCI review checklist
<!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
- [ ] I have documented a clear reason for, and description of, the change I am making.
- [ ] If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
- [ ] If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

13
.github/dependabot.yml vendored
View file

@ -1,14 +1,11 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
- package-ecosystem: "npm"
- package-ecosystem: "npm" # See documentation for possible values
directory: "/" # Location of package manifests
open-pull-requests-limit: 0 # only require security updates and exclude version updates
schedule:
interval: "weekly"
# For got, ignore all updates since it is now native ESM
# see https://github.com/hashicorp/vault-action/pull/457#issuecomment-1601445634
ignore:
- dependency-name: "got"
interval: "daily"

2
.github/workflows/actionlint.yaml vendored
View file

@ -8,7 +8,7 @@ jobs:
actionlint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: "Lint workflow files"
uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint:latest
with:

30
.github/workflows/build.yml vendored
View file

@ -6,14 +6,14 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@ -33,17 +33,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Run docker compose
run: docker compose up -d vault
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@ -67,19 +67,19 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Run docker compose
run: docker compose up -d vault-enterprise
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@ -103,17 +103,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Run docker compose
run: docker compose up -d vault
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@ -199,17 +199,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Run docker compose
run: docker compose up -d vault-tls
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

4
.github/workflows/local-test.yaml vendored
View file

@ -18,9 +18,9 @@ jobs:
name: local-test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '20.9.0'

23
CHANGELOG.md
View file

@ -1,26 +1,3 @@
## Unreleased
## 3.4.0 (June 13, 2025)
Bugs:
* replace all dot chars during normalization (https://github.com/hashicorp/vault-action/pull/580)
Improvements:
* Prevent possible DoS via polynomial regex (https://github.com/hashicorp/vault-action/pull/583)
## 3.3.0 (March 3, 2025)
Features:
* Wildcard secret imports can use `**` to retain case of exported env keys [GH-545](https://github.com/hashicorp/vault-action/pull/545)
## 3.2.0 (March 3, 2025)
Improvements:
* Add retry for jwt auth login to fix intermittent login failures [GH-574](https://github.com/hashicorp/vault-action/pull/574)
## 3.1.0 (January 9, 2025)
Improvements:

1
CODEOWNERS
View file

@ -1 +0,0 @@
* @hashicorp/vault-ecosystem

9
README.md
View file

@ -403,15 +403,6 @@ with:
secret/data/ci/aws * | MYAPP_ ;
```
When using the `exportEnv` option all exported keys will be normalized to uppercase. For example, the key `SecretKey` would be exported as `MYAPP_SECRETKEY`.
You can disable uppercase normalization by specifying double asterisks `**` in the selector path:
```yaml
with:
secrets: |
secret/data/ci/aws ** | MYAPP_ ;
```
### KV secrets engine version 2
When accessing secrets from the KV secrets engine version 2, Vault Action

66
dist/index.js vendored
View file

File diff suppressed because one or more lines are too long

46
integrationTests/basic/integration.test.js
View file

@ -39,14 +39,6 @@ describe('integration', () => {
body: `{"data":{"secret.foo":"SUPERSECRET"}}`
});
await got(`${vaultUrl}/v1/secret/data/test-with-multi-dot-chars`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
body: `{"data":{"secret.foo.bar":"SUPERSECRET"}}`
});
await got(`${vaultUrl}/v1/secret/data/nested/test`, {
method: 'POST',
headers: {
@ -301,16 +293,6 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('SECRET__FOO', 'SUPERSECRET');
});
it('get secrets with multiple dot chars', async () => {
mockInput(`secret/data/test-with-multi-dot-chars * ;`);
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('SECRET__FOO__BAR', 'SUPERSECRET');
});
it('get wildcard secrets', async () => {
mockInput(`secret/data/test * ;`);
@ -413,7 +395,7 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
});
it('wildcard supports cubbyhole with uppercase transform', async () => {
it('wildcard supports cubbyhole', async () => {
mockInput('/cubbyhole/test *');
await exportSecrets();
@ -423,32 +405,6 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
});
it('wildcard supports cubbyhole with no change in case', async () => {
mockInput('/cubbyhole/test **');
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(2);
expect(core.exportVariable).toBeCalledWith('foo', 'bar');
expect(core.exportVariable).toBeCalledWith('zip', 'zap');
});
it('wildcard supports cubbyhole with mixed case change', async () => {
mockInput(`
/cubbyhole/test * ;
/cubbyhole/test **`);
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(4);
expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
expect(core.exportVariable).toBeCalledWith('foo', 'bar');
expect(core.exportVariable).toBeCalledWith('zip', 'zap');
});
it('caches responses', async () => {
mockInput(`

15
package-lock.json generated
View file

@ -11,7 +11,7 @@
"dependencies": {
"got": "^11.8.6",
"jsonata": "^2.0.3",
"jsrsasign": "^11.1.0"
"jsrsasign": "^11.0.0"
},
"devDependencies": {
"@actions/core": "^1.10.1",
@ -3375,10 +3375,9 @@
}
},
"node_modules/jsrsasign": {
"version": "11.1.0",
"resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-11.1.0.tgz",
"integrity": "sha512-Ov74K9GihaK9/9WncTe1mPmvrO7Py665TUfUKvraXBpu+xcTWitrtuOwcjf4KMU9maPaYn0OuaWy0HOzy/GBXg==",
"license": "MIT",
"version": "11.0.0",
"resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-11.0.0.tgz",
"integrity": "sha512-BtRwVKS+5dsgPpAtzJcpo5OoWjSs1/zllSBG0+8o8/aV0Ki76m6iZwHnwnsqoTdhfFZDN1XIdcaZr5ZkP+H2gg==",
"funding": {
"url": "https://github.com/kjur/jsrsasign#donations"
}
@ -7226,9 +7225,9 @@
"integrity": "sha512-vfavX4/G/yrYxE+UrmT/oUJ3ph7KqUrb0R7b0LVRcntQwxw+Z5kA1pNUIQzX5hF04Oe1eKxyoIPsmXtc2LgJTQ=="
},
"jsrsasign": {
"version": "11.1.0",
"resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-11.1.0.tgz",
"integrity": "sha512-Ov74K9GihaK9/9WncTe1mPmvrO7Py665TUfUKvraXBpu+xcTWitrtuOwcjf4KMU9maPaYn0OuaWy0HOzy/GBXg=="
"version": "11.0.0",
"resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-11.0.0.tgz",
"integrity": "sha512-BtRwVKS+5dsgPpAtzJcpo5OoWjSs1/zllSBG0+8o8/aV0Ki76m6iZwHnwnsqoTdhfFZDN1XIdcaZr5ZkP+H2gg=="
},
"keyv": {
"version": "4.3.2",

2
package.json
View file

@ -36,7 +36,7 @@
"dependencies": {
"got": "^11.8.6",
"jsonata": "^2.0.3",
"jsrsasign": "^11.1.0"
"jsrsasign": "^11.0.0"
},
"peerDependencies": {
"@actions/core": ">=1 <2"

4
src/action.js
View file

@ -4,7 +4,7 @@ const command = require('@actions/core/lib/command');
const got = require('got').default;
const jsonata = require('jsonata');
const { normalizeOutputKey } = require('./utils');
const { WILDCARD, WILDCARD_UPPERCASE } = require('./constants');
const { WILDCARD } = require('./constants');
const { auth: { retrieveToken }, secrets: { getSecrets }, pki: { getCertificates } } = require('./index');
@ -221,7 +221,7 @@ function parseSecretsInput(secretsInput) {
const selectorAst = jsonata(selectorQuoted).ast();
const selector = selectorQuoted.replace(new RegExp('"', 'g'), '');
if (selector !== WILDCARD && selector !== WILDCARD_UPPERCASE && (selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
if (selector !== WILDCARD && (selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
}

31
src/auth.js
View file

@ -5,8 +5,6 @@ const fs = require('fs');
const { default: got } = require('got');
const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token'
const retries = 5
const retries_delay = 3000
/***
* Authenticate with Vault and retrieve a Vault token that can be used for requests.
* @param {string} method
@ -37,10 +35,7 @@ async function retrieveToken(method, client) {
const githubAudience = core.getInput('jwtGithubAudience', { required: false });
if (!privateKey) {
jwt = await retryAsyncFunction(retries, retries_delay, core.getIDToken, githubAudience)
.then((result) => {
return result;
});
jwt = await core.getIDToken(githubAudience)
} else {
jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
}
@ -147,30 +142,6 @@ async function getClientToken(client, method, path, payload) {
}
}
/***
* Generic function for retrying an async function
* @param {number} retries
* @param {number} delay
* @param {Function} func
* @param {any[]} args
*/
async function retryAsyncFunction(retries, delay, func, ...args) {
let attempt = 0;
while (attempt < retries) {
try {
const result = await func(...args);
return result;
} catch (error) {
attempt++;
if (attempt < retries) {
await new Promise(resolve => setTimeout(resolve, delay));
} else {
throw error;
}
}
}
}
/***
* @typedef {Object} VaultLoginResponse
* @property {{

19
src/auth.test.js
View file

@ -85,23 +85,4 @@ describe("test retrival for token", () => {
const url = got.post.mock.calls[0][0]
expect(url).toContain('differentK8sPath')
})
it("test retrieval with jwt", async () => {
const method = "jwt"
const jwtToken = "someTestToken"
const testRole = "testRole"
const privateKeyRaw = ""
mockApiResponse()
mockInput("role", testRole)
mockInput("jwtPrivateKey", privateKeyRaw)
core.getIDToken = jest.fn()
core.getIDToken.mockReturnValueOnce(jwtToken)
const token = await retrieveToken(method, got)
expect(token).toEqual(testToken)
const payload = got.post.mock.calls[0][1].json
expect(payload).toEqual({ jwt: jwtToken, role: testRole })
const url = got.post.mock.calls[0][0]
expect(url).toContain('jwt')
})
})

8
src/constants.js
View file

@ -1,7 +1,5 @@
const WILDCARD_UPPERCASE = '*';
const WILDCARD = '**';
const WILDCARD = '*';
module.exports = {
WILDCARD,
WILDCARD_UPPERCASE,
};
WILDCARD
};

10
src/secrets.js
View file

@ -1,5 +1,5 @@
const jsonata = require("jsonata");
const { WILDCARD, WILDCARD_UPPERCASE} = require("./constants");
const { WILDCARD } = require("./constants");
const { normalizeOutputKey } = require("./utils");
const core = require('@actions/core');
@ -26,7 +26,6 @@ const core = require('@actions/core');
async function getSecrets(secretRequests, client, ignoreNotFound) {
const responseCache = new Map();
let results = [];
let upperCaseEnv = false;
for (const secretRequest of secretRequests) {
let { path, selector } = secretRequest;
@ -60,8 +59,7 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
body = JSON.parse(body);
if (selector === WILDCARD || selector === WILDCARD_UPPERCASE) {
upperCaseEnv = selector === WILDCARD_UPPERCASE;
if (selector == WILDCARD) {
let keys = body.data;
if (body.data["data"] != undefined) {
keys = keys.data;
@ -80,7 +78,7 @@ async function getSecrets(secretRequests, client, ignoreNotFound) {
}
newRequest.outputVarName = normalizeOutputKey(newRequest.outputVarName);
newRequest.envVarName = normalizeOutputKey(newRequest.envVarName, upperCaseEnv);
newRequest.envVarName = normalizeOutputKey(newRequest.envVarName,true);
// JSONata field references containing reserved tokens should
// be enclosed in backticks
@ -153,7 +151,7 @@ const selectAndAppendResults = async (
secretRequest,
results
) => {
if (!selector.includes(".")) {
if (!selector.match(/.*[\.].*/)) {
selector = '"' + selector + '"';
}
selector = "data." + selector;

6
src/utils.js
View file

@ -3,12 +3,12 @@
* @param {string} dataKey
* @param {boolean=} isEnvVar
*/
function normalizeOutputKey(dataKey, upperCase = false) {
function normalizeOutputKey(dataKey, isEnvVar = false) {
let outputKey = dataKey
.replaceAll(".", "__")
.replace(".", "__")
.replace(new RegExp("-", "g"), "")
.replace(/[^\p{L}\p{N}_-]/gu, "");
if (upperCase) {
if (isEnvVar) {
outputKey = outputKey.toUpperCase();
}
return outputKey;