[Compliance] - PR Template Changes Required (#586)

Co-authored-by: compliance-pr-automation[bot] <1425255+compliance-pr-automation-bot[bot]@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -3,21 +3,29 @@ name: Bug report
 about: Create a report to help us improve
 title: "[BUG] "
 labels: bug
-assignees: RichiCoder1
 
 ---
 
-**Describe the bug**
+## Vault server version
+v0.0.0
+
+## vault-action version
+v0.0.0
+
+## Describe the bug
 A clear and concise description of what the bug is.
 
-**To Reproduce**
+## To Reproduce
 The yaml of the `vault-action` step, with any sensitive information masked or removed.
 
-**Expected behavior**
+## Expected behavior
 A clear and concise description of what you expected to happen.
 
-**Log Output**
-For the most verbose logs, [add a secret called `ACTIONS_STEP_DEBUG` with the value `true`](https://github.com/actions/toolkit/blob/main/docs/action-debugging.md). Then, re-run the workflow if possible and post the *raw logs* for the step here with any sensitive information masked or removed.
+## Log Output
+For the most verbose logs, add a secret called
+[`ACTIONS_STEP_DEBUG`](https://github.com/actions/toolkit/blob/main/docs/action-debugging.md)
+with the value `true`. Then, re-run the workflow if possible and post the *raw
+logs* for the step here with any sensitive information masked or removed.
 
-**Additional context**
+## Additional context
 Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -3,18 +3,17 @@ name: Feature request
 about: Suggest an idea for this project
 title: "[FEAT] "
 labels: enhancement
-assignees: RichiCoder1
 
 ---
 
-**Is your feature request related to a problem? Please describe.**
+## Is your feature request related to a problem? Please describe.
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 
-**Describe the solution you'd like**
+## Describe the solution you'd like
 A clear and concise description of what you want to happen.
 
-**Describe alternatives you've considered**
+## Describe alternatives you've considered
 A clear and concise description of any alternative solutions or features you've considered.
 
-**Additional context**
+## Additional context
 Add any other context or screenshots about the feature request here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,32 @@
+### Description
+<!--- Description of the change. For example: This PR updates ABC resource so that we can XYZ --->
+
+
+<!--- If your PR fully resolves and should automatically close the linked issue, use Closes. Otherwise, use Relates --->
+Relates OR Closes #0000
+
+
+### Checklist
+- [ ] Added [CHANGELOG](https://github.com/hashicorp/vault-action/blob/master/CHANGELOG.md) entry (only for user-facing changes)
+
+
+### Community Note
+
+* Please vote on this pull request by adding a 👍
+  [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/)
+  to the original pull request comment to help the community and maintainers
+  prioritize this request
+* Please do not leave "+1" comments, they generate extra noise for pull request
+  followers and do not help prioritize the request
+
+## PCI review checklist
+
+<!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
+
+- [ ] I have documented a clear reason for, and description of, the change I am making.
+
+- [ ] If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
+
+- [ ] If applicable, I've documented the impact of any changes to security controls.
+
+  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

.github/dependabot.yml

@@ -1,11 +1,14 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
 
 version: 2
 updates:
-  - package-ecosystem: "npm" # See documentation for possible values
+  - package-ecosystem: "npm"
     directory: "/" # Location of package manifests
+    open-pull-requests-limit: 0 # only require security updates and exclude version updates
     schedule:
-      interval: "daily"
+      interval: "weekly"
+    # For got, ignore all updates since it is now native ESM
+    # see https://github.com/hashicorp/vault-action/pull/457#issuecomment-1601445634
+    ignore:
+      - dependency-name: "got"

.github/workflows/actionlint.yaml

@@ -0,0 +1,22 @@
+name: Lint GitHub Actions Workflows
+on:
+  push:
+    paths:
+    - '.github/workflows/**'
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: "Lint workflow files"
+        uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint:latest
+        with:
+          # Ignore actionlint errors from strict typing for outputs that we use
+          # in our e2e tests.
+          # This error occurs because vault-action's outputs are dynamic but
+          # actionlint expects action.yml to define them.
+          args: >
+            -ignore "property \"othersecret\" is not defined in object type"
+            -ignore "property \"jsonstring\" is not defined in object type"
+            -ignore "property \"jsonstringmultiline\" is not defined in object type"

.github/workflows/build.yml

@@ -1,289 +1,287 @@
 on:
   push:
-    branches:
-      - main
-  pull_request_target:
-    types: [opened, reopened, synchronize]
   workflow_dispatch:
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - uses: actions/setup-node@v3
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@v1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: NPM Run Test
-      run: npm run test
+      - name: NPM Run Test
+        run: npm run test
 
   integrationOSS:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Run docker-compose
-      run: docker-compose up -d vault
+      - name: Run docker compose
+        run: docker compose up -d vault
 
-    - uses: actions/setup-node@v3
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@v1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: NPM Run test;integration:basic
-      run: npm run test:integration:basic
-      env:
-        VAULT_HOST: localhost
-        VAULT_PORT: 8200
-        CI: true
+      - name: NPM Run test;integration:basic
+        run: npm run test:integration:basic
+        env:
+          VAULT_HOST: localhost
+          VAULT_PORT: 8200
+          CI: true
 
   integrationEnterprise:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Run docker-compose
-      run: docker-compose up -d vault-enterprise
-      env:
-        VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
+      - name: Run docker compose
+        run: docker compose up -d vault-enterprise
+        env:
+          VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
 
-    - uses: actions/setup-node@v3
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@v1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: NPM Run test:integration:enterprise
-      run: npm run test:integration:enterprise
-      env:
-        VAULT_HOST: localhost
-        VAULT_PORT: 8200
-        CI: true
+      - name: NPM Run test:integration:enterprise
+        run: npm run test:integration:enterprise
+        env:
+          VAULT_HOST: localhost
+          VAULT_PORT: 8200
+          CI: true
 
   e2e:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Run docker-compose
-      run: docker-compose up -d vault
+      - name: Run docker compose
+        run: docker compose up -d vault
 
-    - uses: actions/setup-node@v3
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@v1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: Setup Vault
-      run: node ./integrationTests/e2e/setup.js
-      env:
-        VAULT_HOST: localhost
-        VAULT_PORT: 8200
+      - name: Setup Vault
+        run: node ./integrationTests/e2e/setup.js
+        env:
+          VAULT_HOST: localhost
+          VAULT_PORT: 8200
 
-    - name: Test Vault Action (default KV V2)
-      uses: ./
-      id: kv-secrets
-      with:
-        url: http://localhost:8200
-        token: testtoken
-        secrets: |
-          secret/data/test secret ;
-          secret/data/test secret | NAMED_SECRET ;
-          secret/data/nested/test otherSecret ;
+      - name: Test Vault Action (default KV V2)
+        uses: ./
+        id: kv-secrets
+        with:
+          url: http://localhost:8200
+          token: testtoken
+          secrets: |
+            secret/data/test secret ;
+            secret/data/test secret | NAMED_SECRET ;
+            secret/data/nested/test otherSecret ;
 
-    - name: Test Vault Action (default KV V1)
-      uses: ./
-      with:
-        url: http://localhost:8200
-        token: testtoken
-        secrets: |
-          my-secret/test altSecret ;
-          my-secret/test altSecret | NAMED_ALTSECRET ;
-          my-secret/nested/test otherAltSecret ;
+      - name: Test Vault Action (default KV V1)
+        uses: ./
+        with:
+          url: http://localhost:8200
+          token: testtoken
+          secrets: |
+            my-secret/test altSecret ;
+            my-secret/test altSecret | NAMED_ALTSECRET ;
+            my-secret/nested/test otherAltSecret ;
 
-    - name: Test Vault Action (cubbyhole)
-      uses: ./
-      with:
-        url: http://localhost:8200
-        token: testtoken
-        secrets: |
-          /cubbyhole/test foo ;
-          /cubbyhole/test zip | NAMED_CUBBYSECRET ;
+      - name: Test Vault Action (cubbyhole)
+        uses: ./
+        with:
+          url: http://localhost:8200
+          token: testtoken
+          secrets: |
+            /cubbyhole/test foo ;
+            /cubbyhole/test zip | NAMED_CUBBYSECRET ;
 
-    - name: Verify Vault Action Outputs
-      run: npm run test:e2e
-      env:
-        OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
+      # The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
+      # They should come before the Verify Vault Action Outputs step
+      - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
+        uses: ./
+        with:
+          url: http://localhost:8200/
+          token: testtoken
+          secrets: |
+            secret/data/test secret | SUBSEQUENT_TEST_SECRET;
+
+      - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
+        uses: ./
+        with:
+          url: http://localhost:8200/
+          token: testtoken
+          secrets: |
+            secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;
+
+      - name: Test JSON Secrets
+        uses: ./
+        with:
+          url: http://localhost:8200
+          token: testtoken
+          secrets: |
+            secret/data/test-json-data jsonData;
+            secret/data/test-json-string jsonString;
+            secret/data/test-json-string-multiline jsonStringMultiline;
+
+      - name: Verify Vault Action Outputs
+        run: npm run test:integration:e2e
+        env:
+          OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
 
   e2e-tls:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Run docker-compose
-      run: docker-compose up -d vault-tls
+      - name: Run docker compose
+        run: docker compose up -d vault-tls
 
-    - uses: actions/setup-node@v3
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@v1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: Setup Vault
-      run: node ./integrationTests/e2e-tls/setup.js
-      env:
-        VAULT_HOST: localhost
-        VAULT_PORT: 8200
-        VAULTCA: ${{ secrets.VAULTCA }}
-        VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
-        VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
+      - name: Setup Vault
+        run: node ./integrationTests/e2e-tls/setup.js
+        env:
+          VAULT_HOST: localhost
+          VAULT_PORT: 8200
+          VAULTCA: ${{ secrets.VAULTCA }}
+          VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
+          VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
 
-    - name: Test Vault Action (default KV V2)
-      uses: ./
-      id: kv-secrets
-      with:
-        url: https://localhost:8200
-        token: ${{ env.VAULT_TOKEN }}
-        caCertificate: ${{ secrets.VAULTCA }}
-        clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
-        clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
-        secrets: |
-          secret/data/test secret ;
-          secret/data/test secret | NAMED_SECRET ;
-          secret/data/nested/test otherSecret ;
+      - name: Test Vault Action (default KV V2)
+        uses: ./
+        id: kv-secrets-tls
+        with:
+          url: https://localhost:8200
+          token: ${{ env.VAULT_TOKEN }}
+          caCertificate: ${{ secrets.VAULTCA }}
+          clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+          clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+          secrets: |
+            secret/data/test secret ;
+            secret/data/test secret | NAMED_SECRET ;
+            secret/data/nested/test otherSecret ;
 
-    - name: Test Vault Action (tlsSkipVerify)
-      uses: ./
-      with:
-        url: https://localhost:8200
-        token: ${{ env.VAULT_TOKEN }}
-        tlsSkipVerify: true
-        clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
-        clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
-        secrets: |
-          secret/data/tlsSkipVerify skip ;
+      - name: Test Vault Action (tlsSkipVerify)
+        uses: ./
+        with:
+          url: https://localhost:8200
+          token: ${{ env.VAULT_TOKEN }}
+          tlsSkipVerify: true
+          clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+          clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+          secrets: |
+            secret/data/tlsSkipVerify skip ;
 
-    - name: Test Vault Action (default KV V1)
-      uses: ./
-      with:
-        url: https://localhost:8200
-        token: ${{ env.VAULT_TOKEN }}
-        caCertificate: ${{ secrets.VAULTCA }}
-        clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
-        clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
-        secrets: |
-          my-secret/test altSecret ;
-          my-secret/test altSecret | NAMED_ALTSECRET ;
-          my-secret/nested/test otherAltSecret ;
+      - name: Test Vault Action (default KV V1)
+        uses: ./
+        with:
+          url: https://localhost:8200
+          token: ${{ env.VAULT_TOKEN }}
+          caCertificate: ${{ secrets.VAULTCA }}
+          clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+          clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+          secrets: |
+            my-secret/test altSecret ;
+            my-secret/test altSecret | NAMED_ALTSECRET ;
+            my-secret/nested/test otherAltSecret ;
 
-    - name: Test Vault Action (cubbyhole)
-      uses: ./
-      with:
-        url: https://localhost:8200
-        token: ${{ env.VAULT_TOKEN }}
-        secrets: |
-          /cubbyhole/test foo ;
-          /cubbyhole/test zip | NAMED_CUBBYSECRET ;
-        caCertificate: ${{ secrets.VAULTCA }}
-        clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
-        clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+      - name: Test Vault Action (cubbyhole)
+        uses: ./
+        with:
+          url: https://localhost:8200
+          token: ${{ env.VAULT_TOKEN }}
+          secrets: |
+            /cubbyhole/test foo ;
+            /cubbyhole/test zip | NAMED_CUBBYSECRET ;
+          caCertificate: ${{ secrets.VAULTCA }}
+          clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+          clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
 
-    - name: Verify Vault Action Outputs
-      run: npm run test:e2e-tls
-      env:
-        OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
-
-# Removing publish step for now.
-#  publish:
-#    if: github.event_name	== 'push' && contains(github.ref, 'main')
-#    runs-on: ubuntu-latest
-#    needs: [build, integration, e2e]
-#    steps:
-#    - uses: actions/checkout@v1
-#    - uses: actions/setup-node@v3
-#      with:
-#        node-version: '16.14.0'
-#    - name: setup npm cache
-#      uses: actions/cache@v1
-#      with:
-#        path: ~/.npm
-#        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-#        restore-keys: |
-#          ${{ runner.os }}-node-
-#    - name: npm install
-#      run: npm ci
-#    - name: release
-#      if: success() && endsWith(github.ref, 'main')
-#      run: npx semantic-release
-#      env:
-#        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-#        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - name: Verify Vault Action Outputs
+        run: npm run test:integration:e2e-tls
+        env:
+          OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}

.github/workflows/jira.yaml

@@ -1,3 +1,4 @@
+name: JIRA Sync
 on:
   issues:
     types: [opened, closed, deleted, reopened]
@@ -5,68 +6,12 @@ on:
     types: [opened, closed, reopened]
   issue_comment: # Also triggers when commenting on a PR from the conversation view
     types: [created]
-
-name: Jira Sync
-
 jobs:
   sync:
-    runs-on: ubuntu-latest
-    name: Jira sync
-    steps:
-    - name: Login
-      uses: atlassian/gajira-login@v2.0.0
-      env:
-        JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
-        JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
-        JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
-
-    - name: Preprocess
-      if: github.event.action == 'opened' || github.event.action == 'created'
-      id: preprocess
-      run: |
-        if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
-          echo "::set-output name=type::PR"
-        else
-          echo "::set-output name=type::ISS"
-        fi
-
-    - name: Create ticket
-      if: github.event.action == 'opened'
-      uses: tomhjp/gh-action-jira-create@v0.2.0
-      with:
-        project: VAULT
-        issuetype: "GH Issue"
-        summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}"
-        description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_"
-        # customfield_10089 is Issue Link custom field
-        # customfield_10091 is team custom field
-        extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "foundations"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}'
-
-    - name: Search
-      if: github.event.action != 'opened'
-      id: search
-      uses: tomhjp/gh-action-jira-search@v0.2.1
-      with:
-        # cf[10089] is Issue Link custom field
-        jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
-
-    - name: Sync comment
-      if: github.event.action == 'created' && steps.search.outputs.issue
-      uses: tomhjp/gh-action-jira-comment@v0.2.0
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}"
-
-    - name: Close ticket
-      if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue
-      uses: atlassian/gajira-transition@v2.0.1
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        transition: Closed
-
-    - name: Reopen ticket
-      if: github.event.action == 'reopened' && steps.search.outputs.issue
-      uses: atlassian/gajira-transition@v2.0.1
-      with:
-        issue: ${{ steps.search.outputs.issue }}
-        transition: "Pending Triage"
+    uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main
+    secrets:
+      JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
+      JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
+      JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
+    with:
+      teams-array: '["ecosystem", "applications-eco"]'

.github/workflows/local-test.yaml

@@ -0,0 +1,73 @@
+# This is a sample workflow to help test contributions
+# Change the branch name, url and token to fit with your own environment
+
+# To run this locally with act use:
+#     act workflow_dispatch -j local-test
+#
+# If you have permissions, you can run this workflow via the GitHub UI.
+# Otherwise, use 'on: push' instead of 'on: workflow_dispatch'.
+
+# Don't forget to revert the file changes and invalidate any tokens that were
+# committed before opening a pull request.
+on: workflow_dispatch
+
+name: local-test
+
+jobs:
+  local-test:
+    name: local-test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+      with:
+        node-version: '20.9.0'
+
+    - name: NPM Install
+      run: npm ci
+
+    - name: NPM Build
+      run: npm run build
+
+    - name: Setup Vault
+      run: node ./integrationTests/e2e/setup.js
+      env:
+        VAULT_HOST: localhost
+        VAULT_PORT: 8200
+
+    - name: Import Secrets
+      id: import-secrets
+      # use the local changes
+      uses: ./
+      # run against a specific version of vault-action
+      # uses: hashicorp/vault-action@v2.1.2
+      with:
+        url: http://localhost:8200
+        method: token
+        token: testtoken
+        secrets: |
+          secret/data/test-json-string jsonString;
+          secret/data/test-json-data jsonData;
+
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      with:
+        github-token: "foobar"
+        script: |
+          const { JSONSTRING, JSONDATA } = process.env
+
+          console.log(`string ${JSONSTRING}`)
+          console.log(`data ${JSONDATA}`)
+          const str = JSONDATA
+
+          let valid = true
+          try {
+              JSON.parse(str)
+          } catch (e) {
+            valid = false
+          }
+          if (valid) {
+            console.log("valid json")
+          } else {
+            console.log("not valid json")
+          }

.gitignore

@@ -59,3 +59,6 @@ typings/
 
 # next.js build output
 .next
+
+# GoLand IDE project files
+.idea

CHANGELOG.md

@@ -1,5 +1,145 @@
 ## Unreleased
 
+## 3.4.0 (June 13, 2025)
+
+Bugs:
+
+* replace all dot chars during normalization (https://github.com/hashicorp/vault-action/pull/580)
+
+Improvements:
+
+* Prevent possible DoS via polynomial regex (https://github.com/hashicorp/vault-action/pull/583)
+
+## 3.3.0 (March 3, 2025)
+
+Features:
+* Wildcard secret imports can use `**` to retain case of exported env keys [GH-545](https://github.com/hashicorp/vault-action/pull/545)
+
+## 3.2.0 (March 3, 2025)
+
+Improvements:
+
+* Add retry for jwt auth login to fix intermittent login failures [GH-574](https://github.com/hashicorp/vault-action/pull/574)
+
+## 3.1.0 (January 9, 2025)
+
+Improvements:
+
+* fix wildcard handling when field contains dot [GH-542](https://github.com/hashicorp/vault-action/pull/542)
+* bump body-parser from 1.20.0 to 1.20.3
+* bump braces from 3.0.2 to 3.0.3
+* bump cross-spawn from 7.0.3 to 7.0.6
+* bump micromatch from 4.0.5 to 4.0.8
+
+Features:
+
+* `secretId` is no longer required for approle to support advanced use cases like machine login when `bind_secret_id` is false. [GH-522](https://github.com/hashicorp/vault-action/pull/522)
+* Use `pki` configuration to generate certificates from Vault [GH-564](https://github.com/hashicorp/vault-action/pull/564)
+
+## 3.0.0 (February 15, 2024)
+
+Improvements:
+
+* Bump node runtime from node16 to node20 [GH-529](https://github.com/hashicorp/vault-action/pull/529)
+
+## 2.8.1 (February 15, 2024)
+
+Bugs:
+
+* Revert [GH-509](https://github.com/hashicorp/vault-action/pull/509) which made a backwards incompatible bump of the node runtime from node16 to node20 [GH-527](https://github.com/hashicorp/vault-action/pull/527)
+
+## 2.8.0 (February 1, 2024)
+
+Features:
+
+* Add `ignoreNotFound` input (default: false) to prevent the action from failing when a secret does not exist [GH-518](https://github.com/hashicorp/vault-action/pull/518)
+
+Improvements:
+
+* bump jsrsasign from 10.8.6 to 11.0.0 [GH-513](https://github.com/hashicorp/vault-action/pull/513)
+* bump @actions/core from 1.10.0 to 1.10.1 [GH-489](https://github.com/hashicorp/vault-action/pull/489)
+* bump jest-when from 3.5.2 to 3.6.0 [GH-484](https://github.com/hashicorp/vault-action/pull/484)
+* bump jest from 29.5.0 to 29.7.0 [GH-490](https://github.com/hashicorp/vault-action/pull/490)
+* bump @vercel/ncc from 0.36.1 to 0.38.1 [GH-503](https://github.com/hashicorp/vault-action/pull/503)
+
+## 2.7.5 (January 30, 2024)
+
+Improvements:
+
+* Bump node runtime from node16 to node20 [GH-509](https://github.com/hashicorp/vault-action/pull/509)
+* Bump got from 11.8.5 to 11.8.6 [GH-492](https://github.com/hashicorp/vault-action/pull/492)
+
+## 2.7.4 (October 26, 2023)
+
+Features:
+
+* Add ability to specify a wildcard for the key name to get all keys in the path [GH-488](https://github.com/hashicorp/vault-action/pull/488)
+
+## 2.7.3 (July 13, 2023)
+
+Bugs:
+
+* Revert to the handling of secrets in JSON format since v2.1.2 [GH-478](https://github.com/hashicorp/vault-action/pull/478)
+
+## 2.7.2 (July 6, 2023)
+
+Bugs:
+
+* Fix a regression that broke support for secrets in JSON format [GH-473](https://github.com/hashicorp/vault-action/pull/473)
+
+## 2.7.1 (July 3, 2023)
+
+Bugs:
+
+* Revert [GH-466](https://github.com/hashicorp/vault-action/pull/466) which caused a regression in secrets stored as JSON strings [GH-471](https://github.com/hashicorp/vault-action/pull/471)
+
+## 2.7.0 (June 21, 2023)
+
+Bugs:
+
+* Fix a regression that broke support for secrets in JSON format [GH-466](https://github.com/hashicorp/vault-action/pull/466)
+
+Improvements:
+
+* Fix a warning about outputToken being an unexpected input [GH-461](https://github.com/hashicorp/vault-action/pull/461)
+
+## 2.6.0 (June 7, 2023)
+
+Features:
+
+* Add ability to set the `vault_token` output to contain the Vault token after authentication [GH-441](https://github.com/hashicorp/vault-action/pull/441)
+* Add support for userpass and ldap authentication methods [GH-440](https://github.com/hashicorp/vault-action/pull/440)
+* Define an output, `errorMessage`, for vault-action's error messages so subsequent steps can read the errors [GH-446](https://github.com/hashicorp/vault-action/pull/446)
+
+Bugs:
+
+* Handle undefined response in getSecrets error handler [GH-431](https://github.com/hashicorp/vault-action/pull/431)
+
+## 2.5.0 (Jan 26th, 2023)
+
+Features:
+
+* Adds ability to automatically decode secrets from base64, hex, and utf8 encodings. [GH-408](https://github.com/hashicorp/vault-action/pull/408)
+
+Improvements:
+
+* Improves error messages for Vault authentication failures [GH-409](https://github.com/hashicorp/vault-action/pull/409)
+* bump jest from 28.1.1 to 29.3.1 [GH-397](https://github.com/hashicorp/vault-action/pull/397)
+* bump @types/jest from 28.1.3 to 29.2.6 [GH-397](https://github.com/hashicorp/vault-action/pull/397), [GH-413](https://github.com/hashicorp/vault-action/pull/413)
+* bump jsrsasign from 10.5.27 to 10.6.1 [GH-401](https://github.com/hashicorp/vault-action/pull/401)
+* bump json5 from 2.2.1 to 2.2.3 [GH-404](https://github.com/hashicorp/vault-action/pull/404)
+* bump minimatch from 3.0.4 to 3.1.2 [GH-410](https://github.com/hashicorp/vault-action/pull/410)
+
+## 2.4.3 (Nov 8th, 2022)
+
+Improvements:
+
+* bump jest-when from 3.5.1 to 3.5.2 [GH-388](https://github.com/hashicorp/vault-action/pull/388)
+* bump semantic-release from 19.0.3 to 19.0.5 [GH-360](https://github.com/hashicorp/vault-action/pull/360)
+* bump jsrsasign from 10.5.25 to 10.5.27 [GH-358](https://github.com/hashicorp/vault-action/pull/358)
+* bump @actions/core from 1.9.0 to 1.10.0 [GH-371](https://github.com/hashicorp/vault-action/pull/371)
+* update runtime to node16 for action [GH-375](https://github.com/hashicorp/vault-action/pull/375)
+
 ## 2.4.2 (Aug 15, 2022)
 
 Bugs:
@@ -7,7 +147,7 @@ Bugs:
 * Errors due to replication delay for tokens will now be retried [GH-333](https://github.com/hashicorp/vault-action/pull/333)
 
 Improvements:
-* bump got from 11.5.1 to 11.8.5 [GH-344](https://github.com/hashicorp/vault-action/pull/344)  
+* bump got from 11.5.1 to 11.8.5 [GH-344](https://github.com/hashicorp/vault-action/pull/344)
 
 ## 2.4.1 (April 28th, 2022)
 
@@ -15,11 +155,11 @@ Improvements:
 * Make secrets parameter optional [GH-299](https://github.com/hashicorp/vault-action/pull/299)
 * auth/jwt: make "role" input optional [GH-291](https://github.com/hashicorp/vault-action/pull/291)
 * Write a better error message when secret not found [GH-306](https://github.com/hashicorp/vault-action/pull/306)
-* bump jest-when from 2.7.2 to 3.5.1 [GH-294](https://github.com/hashicorp/vault-action/pull/294)  
-* bump node-fetch from 2.6.1 to 2.6.7 [GH-308](https://github.com/hashicorp/vault-action/pull/308)  
-* bump @types/jest from 26.0.23 to 27.4.1 [GH-297](https://github.com/hashicorp/vault-action/pull/297)  
-* bump trim-off-newlines from 1.0.1 to 1.0.3 [GH-309](https://github.com/hashicorp/vault-action/pull/309)  
-* bump moment from 2.28.0 to 2.29.2 [GH-304](https://github.com/hashicorp/vault-action/pull/304)  
+* bump jest-when from 2.7.2 to 3.5.1 [GH-294](https://github.com/hashicorp/vault-action/pull/294)
+* bump node-fetch from 2.6.1 to 2.6.7 [GH-308](https://github.com/hashicorp/vault-action/pull/308)
+* bump @types/jest from 26.0.23 to 27.4.1 [GH-297](https://github.com/hashicorp/vault-action/pull/297)
+* bump trim-off-newlines from 1.0.1 to 1.0.3 [GH-309](https://github.com/hashicorp/vault-action/pull/309)
+* bump moment from 2.28.0 to 2.29.2 [GH-304](https://github.com/hashicorp/vault-action/pull/304)
 * bump @types/got from 9.6.11 to 9.6.12 [GH-266](https://github.com/hashicorp/vault-action/pull/266)
 
 ## 2.4.0 (October 21st, 2021)

CODEOWNERS

@@ -0,0 +1 @@
+* @hashicorp/vault-ecosystem

Makefile

@@ -0,0 +1,3 @@
+.PHONY: local-test
+local-test:
+	docker compose down;  docker compose up -d vault && act workflow_dispatch -j local-test -W .github/workflows/local-test.yaml

README.md

@@ -8,6 +8,9 @@
 
 A helper action for easily pulling secrets from HashiCorp Vault™.
 
+Note: The Vault Github Action is a read-only action, and in general
+is not meant to modify Vault’s state.
+
 <!-- TOC -->
 
 - [Vault GitHub Action](#vault-github-action)
@@ -19,11 +22,15 @@ A helper action for easily pulling secrets from HashiCorp Vault™.
     - [GitHub](#github)
     - [JWT with OIDC Provider](#jwt-with-oidc-provider)
     - [Kubernetes](#kubernetes)
+    - [Userpass](#userpass)
+    - [Ldap](#ldap)
     - [Other Auth Methods](#other-auth-methods)
+    - [Custom Path](#custom-path-name)
   - [Key Syntax](#key-syntax)
     - [Simple Key](#simple-key)
     - [Set Output Variable Name](#set-output-variable-name)
     - [Multiple Secrets](#multiple-secrets)
+    - [KV secrets engine version 2](#kv-secrets-engine-version-2)
   - [Other Secret Engines](#other-secret-engines)
   - [Adding Extra Headers](#adding-extra-headers)
   - [HashiCorp Cloud Platform or Vault Enterprise](#hashicorp-cloud-platform-or-vault-enterprise)
@@ -31,6 +38,7 @@ A helper action for easily pulling secrets from HashiCorp Vault™.
   - [Reference](#reference)
   - [Masking - Hiding Secrets from Logs](#masking---hiding-secrets-from-logs)
   - [Normalization](#normalization)
+  - [Contributing](#contributing)
 
 <!-- /TOC -->
 
@@ -38,23 +46,61 @@ A helper action for easily pulling secrets from HashiCorp Vault™.
 
 ```yaml
 jobs:
-    build:
-        # ...
-        steps:
-            # ...
-            - name: Import Secrets
-              uses: hashicorp/vault-action@v2.4.0
-              with:
-                url: https://vault.mycompany.com:8200
-                token: ${{ secrets.VAULT_TOKEN }}
-                caCertificate: ${{ secrets.VAULT_CA_CERT }}
-                secrets: |
-                    secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-                    secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
-                    secret/data/ci npm_token
-            # ...
+  build:
+    # ...
+    steps:
+      # ...
+      - name: Import Secrets
+        id: import-secrets
+        uses: hashicorp/vault-action@v2
+        with:
+          url: https://vault.mycompany.com:8200
+          token: ${{ secrets.VAULT_TOKEN }}
+          caCertificate: ${{ secrets.VAULT_CA_CERT }}
+          secrets: |
+            secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+            secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
+            secret/data/ci npm_token
+      # ...
 ```
 
+Retrieved secrets are available as environment variables or outputs for subsequent steps:
+
+```yaml
+#...
+- name: Step following 'Import Secrets'
+  run: |
+    ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
+    SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
+
+# ...
+```
+
+If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format.
+For example, a common pattern is to save all the secrets in a JSON file:
+
+```yaml
+#...
+- name: Step following 'Import Secrets'
+  run: |
+    touch secrets.json
+    echo '${{ toJson(steps.import-secrets.outputs) }}' >> secrets.json
+
+# ...
+```
+
+Which with our example would yield a file containing:
+
+```json
+{
+  "ACCESS_KEY_ID": "MY_KEY_ID",
+  "SECRET_ACCESS_KEY": "MY_SECRET_KEY",
+  "NPM_TOKEN": "MY_NPM_TOKEN"
+}
+```
+
+Note that all secrets are masked so programs need to read the file themselves otherwise all values will be replaced with a `***` placeholder.
+
 ## Authentication Methods
 
 Consider using a [Vault authentication method](https://www.vaultproject.io/docs/auth) such as the JWT auth method with
@@ -68,7 +114,7 @@ and Vault using the
 Each GitHub Actions workflow receives an auto-generated OIDC token with claims
 to establish the identity of the workflow.
 
-__Vault Configuration__
+**Vault Configuration**
 
 <details>
 <summary>Click to toggle instructions for configuring Vault.</summary>
@@ -79,7 +125,6 @@ Pass the following parameters to your auth method configuration:
 - `oidc_discovery_url`: `https://token.actions.githubusercontent.com`
 - `bound_issuer`: `https://token.actions.githubusercontent.com`
 
-
 Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) for the auth method.
 
 - `role_type`: `jwt`
@@ -95,12 +140,12 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
 
   - For wildcard (non-exact) matches, use `bound_claims`.
 
-     - `bound_claims_type`: `glob`
+    - `bound_claims_type`: `glob`
 
-     - `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
-       ```json
-       {"sub": "repo:<orgName>/*"}
-       ```
+    - `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
+      ```json
+      { "sub": "repo:<orgName>/*" }
+      ```
 
   - For exact matches, use `bound_subject`.
 
@@ -113,17 +158,17 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
 
 </details>
 
-__GitHub Actions Workflow__
+**GitHub Actions Workflow**
 
 In the GitHub Actions workflow, the workflow needs permissions to read contents
 and write the ID token.
 
 ```yaml
 jobs:
-    retrieve-secret:
-        permissions:
-            contents: read
-            id-token: write
+  retrieve-secret:
+    permissions:
+      contents: read
+      id-token: write
 ```
 
 In the action, provide the name of the Vault role you created to the `role` parameter.
@@ -221,16 +266,65 @@ with:
   kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token # default token path
 ```
 
+### Userpass
+
+The [Userpass auth method](https://developer.hashicorp.com/vault/docs/auth/userpass) allows
+your GitHub Actions workflow to authenticate to Vault with a username and password.
+Set the username and password as GitHub secrets and pass them to the
+`username` and `password` parameters.
+
+This is not the same as ldap or okta auth methods.
+
+```yaml
+with:
+  url: https://vault.mycompany.com:8200
+  caCertificate: ${{ secrets.VAULT_CA_CERT }}
+  method: userpass
+  username: ${{ secrets.VAULT_USERNAME }}
+  password: ${{ secrets.VAULT_PASSWORD }}
+```
+
+### Ldap
+
+The [LDAP auth method](https://developer.hashicorp.com/vault/docs/auth/ldap) allows
+your GitHub Actions workflow to authenticate to Vault with a username and password inturn verfied with ldap servers.
+Set the username and password as GitHub secrets and pass them to the
+`username` and `password` parameters.
+
+```yaml
+with:
+  url: https://vault.mycompany.com:8200
+  caCertificate: ${{ secrets.VAULT_CA_CERT }}
+  method: ldap
+  username: ${{ secrets.VAULT_USERNAME }}
+  password: ${{ secrets.VAULT_PASSWORD }}
+```
+
 ### Other Auth Methods
 
 If any other method is specified and you provide an `authPayload`, the action will
 attempt to `POST` to `auth/${method}/login` with the provided payload and parse out the client token.
 
+### Custom Path Name
+
+Auth methods at custom path names can be configured using the [`path`](#path) parameter
+
+```yaml
+with:
+  url: https://vault.mycompany.com:8200
+  caCertificate: ${{ secrets.VAULT_CA_CERT }}
+  path: my-custom-path
+  method: userpass
+  username: ${{ secrets.VAULT_USERNAME }}
+  password: ${{ secrets.VAULT_PASSWORD }}
+```
+
 ## Key Syntax
 
 The `secrets` parameter is a set of multiple secret requests separated by the `;` character.
 
 Each secret request consists of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name.
+Note that the selector is using [JSONata](https://docs.jsonata.org/overview.html) and certain characters in keys may need to be escaped.
 
 ```raw
 {{ Secret Path }} {{ Secret Key or Selector }} | {{ Env/Output Variable Name }}
@@ -242,7 +336,7 @@ To retrieve a key `npmToken` from path `secret/data/ci` that has value `somelong
 
 ```yaml
 with:
-    secrets: secret/data/ci npmToken
+  secrets: secret/data/ci npmToken
 ```
 
 `vault-action` will automatically normalize the given secret selector key, and set the follow as environment variables for the following steps in the current job:
@@ -255,12 +349,12 @@ You can also access the secret via outputs:
 
 ```yaml
 steps:
-    # ...
-    - name: Import Secrets
-      id: secrets
-      # Import config...
-    - name: Sensitive Operation
-      run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
+  # ...
+  - name: Import Secrets
+    id: secrets
+    # Import config...
+  - name: Sensitive Operation
+    run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
 ```
 
 _**Note:** If you'd like to only use outputs and disable automatic environment variables, you can set the `exportEnv` option to `false`._
@@ -271,7 +365,7 @@ However, if you want to set it to a specific name, say `NPM_TOKEN`, you could do
 
 ```yaml
 with:
-    secrets: secret/data/ci npmToken | NPM_TOKEN
+  secrets: secret/data/ci npmToken | NPM_TOKEN
 ```
 
 With that, `vault-action` will now use your requested name and output:
@@ -288,7 +382,6 @@ steps:
     # Import config...
   - name: Sensitive Operation
     run: "my-cli --token '${{ steps.secrets.outputs.NPM_TOKEN }}'"
-
 ```
 
 ### Multiple Secrets
@@ -297,25 +390,81 @@ This action can take multi-line input, so say you had your AWS keys stored in a
 
 ```yaml
 with:
-    secrets: |
-        secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-        secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
+  secrets: |
+    secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+    secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
 ```
 
+You can specify a wildcard \* for the key name to get all keys in the path. If you provide an output name with the wildcard, the name will be prepended to the key name:
+
+```yaml
+with:
+  secrets: |
+    secret/data/ci/aws * | MYAPP_ ;
+```
+
+When using the `exportEnv` option all exported keys will be normalized to uppercase. For example, the key `SecretKey` would be exported as `MYAPP_SECRETKEY`.
+You can disable uppercase normalization by specifying double asterisks `**` in the selector path:
+
+```yaml
+with:
+    secrets: |
+        secret/data/ci/aws ** | MYAPP_ ;
+```
+
+### KV secrets engine version 2
+
+When accessing secrets from the KV secrets engine version 2, Vault Action
+requires the full path to the secret. This is the same path that would be used
+in a Vault policy for the secret. You can find the full path to your secret by
+performing a `kv get` command like the following:
+
+```bash
+$ vault kv get secret/test
+== Secret Path ==
+secret/data/test
+
+...
+```
+
+Note that the full path is not `secret/test`, but `secret/data/test`.
+
+## PKI Certificate Requests
+
+You can use the `pki` option to generate a certificate and private key for a given role.
+
+````yaml
+with:
+    pki: |
+        pki/issue/rolename {"common_name": "role.mydomain.com", "ttl": "1h"} ;
+        pki/issue/otherrole {"common_name": "otherrole.mydomain.com", "ttl": "1h"} ;
+```
+
+Resulting in:
+
+```bash
+ROLENAME_CA=-----BEGIN CERTIFICATE-----...
+ROLENAME_CERT=-----BEGIN CERTIFICATE-----...
+ROLENAME_KEY=-----BEGIN RSA PRIVATE KEY-----...
+ROLENAME_CA_CHAIN=-----BEGIN CERTIFICATE-----...
+OTHERROLE_CA=-----BEGIN CERTIFICATE-----...
+OTHERROLE_CERT=-----BEGIN CERTIFICATE-----...
+OTHERROLE_KEY=-----BEGIN RSA PRIVATE KEY-----...
+OTHERROLE_CA_CHAIN=-----BEGIN CERTIFICATE-----...
+````
+
 ## Other Secret Engines
 
 Vault Action currently supports retrieving secrets from any engine where secrets
-are retrieved via `GET` requests.  This means secret engines such as PKI are currently
-not supported due to their requirement of sending parameters along with the request
-(such as `common_name`).
+are retrieved via `GET` requests, except for the PKI engine as noted above.
 
 For example, to request a secret from the `cubbyhole` secret engine:
 
 ```yaml
 with:
-    secrets: |
-        /cubbyhole/foo foo ;
-        /cubbyhole/foo zip | MY_KEY ;
+  secrets: |
+    /cubbyhole/foo foo ;
+    /cubbyhole/foo zip | MY_KEY ;
 ```
 
 Resulting in:
@@ -343,12 +492,12 @@ If you ever need to add extra headers to the vault request, say if you need to a
 
 ```yaml
 with:
-    secrets: |
-        secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-        secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
-    extraHeaders: |
-      X-Secure-Id: ${{ secrets.SECURE_ID }}
-      X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
+  secrets: |
+    secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+    secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
+  extraHeaders: |
+    X-Secure-Id: ${{ secrets.SECURE_ID }}
+    X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
 ```
 
 This will automatically add the `x-secure-id` and `x-secure-secret` headers to every request to Vault.
@@ -366,50 +515,216 @@ parameter specifying the namespace. In HCP Vault, the namespace defaults to `adm
 
 ```yaml
 steps:
-    # ...
-    - name: Import Secrets
-      uses: hashicorp/vault-action
-      with:
-        url: https://vault-enterprise.mycompany.com:8200
-        caCertificate: ${{ secrets.VAULT_CA_CERT }}
-        method: token
-        token: ${{ secrets.VAULT_TOKEN }}
-        namespace: admin
-        secrets: |
-            secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-            secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
-            secret/ci npm_token
+  # ...
+  - name: Import Secrets
+    uses: hashicorp/vault-action
+    with:
+      url: https://vault-enterprise.mycompany.com:8200
+      method: token
+      token: ${{ secrets.VAULT_TOKEN }}
+      namespace: admin
+      secrets: |
+        secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+        secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
+        secret/data/ci npm_token
+```
+
+Alternatively, you may need to authenticate to the root namespace and retrieve
+a secret from a different namespace. To do this, do not set the `namespace`
+parameter. Instead set the namespace in the secret path. For example, `<NAMESPACE>/secret/data/app`:
+
+```yaml
+steps:
+  # ...
+  - name: Import Secrets
+    uses: hashicorp/vault-action
+    with:
+      url: https://vault-enterprise.mycompany.com:8200
+      method: token
+      token: ${{ secrets.VAULT_TOKEN }}
+      secrets: |
+        namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+        namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
+        namespace-1/secret/data/ci npm_token
 ```
 
 ## Reference
 
 Here are all the inputs available through `with`:
 
-| Input               | Description                                                                                                                                          | Default | Required |
-| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- |
-| `url`               | The URL for the vault endpoint                                                                                                                       |         | ✔        |
-| `secrets`           | A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details |         |          |
-| `namespace`         | The Vault namespace from which to query secrets. Vault Enterprise only, unset by default                                                             |         |          |
-| `method`            | The method to use to authenticate with Vault.                                                                                                        | `token` |          |
-| `role`              | Vault role for specified auth method                                                                                                                 |         |          |
-| `path`              | Custom vault path, if the auth method was enabled at a different path                                                                                                |         |          |
-| `token`             | The Vault Token to be used to authenticate with Vault                                                                                                |         |          |
-| `roleId`            | The Role Id for App Role authentication                                                                                                              |         |          |
-| `secretId`          | The Secret Id for App Role authentication                                                                                                            |         |          |
-| `githubToken`       | The Github Token to be used to authenticate with Vault                                                                                               |         |          |
-| `jwtPrivateKey`     | Base64 encoded Private key to sign JWT                                                                                                               |         |          |
-| `jwtKeyPassword`    | Password for key stored in jwtPrivateKey (if needed)                                                                                                 |         |          |
-| `jwtGithubAudience` | Identifies the recipient ("aud" claim) that the JWT is intended for                                                                                   |`sigstore`|          |
-| `jwtTtl`            | Time in seconds, after which token expires                                                                                                           |         | 3600     |
-| `kubernetesTokenPath`         | The path to the service-account secret with the jwt token for kubernetes based authentication                                                                                               |`/var/run/secrets/kubernetes.io/serviceaccount/token`         |          |
-| `authPayload`       | The JSON payload to be sent to Vault when using a custom authentication method.                                                                      |         |          |
-| `extraHeaders`      | A string of newline separated extra headers to include on every request.                                                                             |         |          |
-| `exportEnv`         | Whether or not export secrets as environment variables.                                                                                              | `true`  |          |
-| `exportToken`       | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN).                                                                        | `false` |          |
-| `caCertificate`     | Base64 encoded CA certificate the server certificate was signed with.                                                                                |         |          |
-| `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled.                                                   |         |          |
-| `clientKey`         | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled.                                                           |         |          |
-| `tlsSkipVerify`     | When set to true, disables verification of server certificates when testing the action.                                                              | `false` |          |
+### `url`
+
+**Type: `string`**\
+**Required**
+
+The URL for the Vault endpoint.
+
+### `secrets`
+
+**Type: `string`**
+
+A semicolon-separated list of secrets to retrieve. These will automatically be
+converted to environmental variable keys. See [Key Syntax](#key-syntax) for
+more details.
+
+### `namespace`
+
+**Type: `string`**
+
+The Vault namespace from which to query secrets. Vault Enterprise only, unset by default.
+
+### `method`
+
+**Type: `string`**\
+**Default: `token`**
+
+The method to use to authenticate with Vault.
+
+### `role`
+
+**Type: `string`**
+
+Vault role for the specified auth method.
+
+### `path`
+
+**Type: `string`**
+
+The Vault path for the auth method.
+
+### `token`
+
+**Type: `string`**
+
+The Vault token to be used to authenticate with Vault.
+
+### `roleId`
+
+**Type: `string`**
+
+The role ID for App Role authentication.
+
+### `secretId`
+
+**Type: `string`**
+
+The secret ID for App Role authentication.
+
+### `githubToken`
+
+**Type: `string`**
+
+The Github Token to be used to authenticate with Vault.
+
+### `jwtPrivateKey`
+
+**Type: `string`**
+
+Base64 encoded private key to sign the JWT.
+
+### `jwtKeyPassword`
+
+**Type: `string`**
+
+Password for key stored in `jwtPrivateKey` (if needed).
+
+### `jwtGithubAudience`
+
+**Type: `string`**\
+**Default: `sigstore`**
+
+Identifies the recipient ("aud" claim) that the JWT is intended for.
+
+### `jwtTtl`
+
+**Type: `string`**\
+**Default: `3600`**
+
+Time in seconds, after which token expires.
+
+### `kubernetesTokenPath`
+
+**Type: `string`**\
+**Default: `/var/run/secrets/kubernetes.io/serviceaccount/token`**
+
+The path to the service-account secret with the jwt token for kubernetes based authentication.
+
+### `username`
+
+**Type: `string`**
+
+The username of the user to log in to Vault as. Available to both Userpass and LDAP auth methods.
+
+### `password`
+
+**Type: `string`**
+
+The password of the user to log in to Vault as. Available to both Userpass and LDAP auth methods.
+
+### `authPayload`
+
+**Type: `string`**
+
+The JSON payload to be sent to Vault when using a custom authentication method.
+
+### `extraHeaders`
+
+**Type: `string`**
+
+A string of newline separated extra headers to include on every request.
+
+### `exportEnv`
+
+**Type: `string`**\
+**Default: `true`**
+
+Whether or not to export secrets as environment variables.
+
+### `exportToken`
+
+**Type: `string`**\
+**Default: `false`**
+
+Whether or not export Vault token as environment variables (i.e VAULT_TOKEN).
+
+### `outputToken`
+
+**Type: `string`**\
+**Default: `false`**
+
+Whether or not to set the `vault_token` output to contain the Vault token after authentication.
+
+### `caCertificate`
+
+**Type: `string`**
+
+Base64 encoded CA certificate the server certificate was signed with. Defaults to CAs provided by Mozilla.
+
+### `clientCertificate`
+
+**Type: `string`**
+
+Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled.
+
+### `clientKey`
+
+**Type: `string`**
+
+Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled.
+
+### `tlsSkipVerify`
+
+**Type: `string`**\
+**Default: `false`**
+
+When set to true, disables verification of server certificates when testing the action.
+
+### `ignoreNotFound`
+
+**Type: `string`**\
+**Default: `false`**
+
+When set to true, prevents the action from failing when a secret does not exist.
 
 ## Masking - Hiding Secrets from Logs
 
@@ -419,3 +734,76 @@ This action uses GitHub Action's built-in masking, so all variables will automat
 ## Normalization
 
 To make it simpler to consume certain secrets as env vars, if no Env/Output Var Name is specified `vault-action` will replace and `.` chars with `__`, remove any other non-letter or number characters. If you're concerned about the result, it's recommended to provide an explicit Output Var Key.
+
+## Contributing
+
+If you wish to contribute to this project, the following dependencies are recommended for local development:
+
+- [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) to install dependencies, build project and run tests
+- [docker](https://docs.docker.com/get-docker/) to run the pre-configured vault containers for acceptance tests
+- [docker compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
+- [act](https://github.com/nektos/act) to run the vault-action locally
+
+### Build
+
+Use npm to install dependencies and build the project:
+
+```sh
+$ npm install && npm run build
+```
+
+### Vault test instance
+
+The Github Action needs access to a working Vault instance to function.
+Multiple docker configurations are available via the docker-compose.yml file to run containers compatible with the various acceptance test suites.
+
+```sh
+$ docker compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
+```
+
+Instead of using one of the dockerized instance, you can also use your own local or remote Vault instance by exporting these environment variables:
+
+```sh
+$ export VAULT_HOST=<YOUR VAULT CLUSTER LOCATION> # localhost if undefined
+$ export VAULT_PORT=<YOUR VAULT PORT> # 8200 if undefined
+$ export VAULT_TOKEN=<YOUR VAULT TOKEN> # testtoken if undefined
+```
+
+### Running unit tests
+
+Unit tests can be executed at any time with no dependencies or prior setup.
+
+```sh
+$ npm test
+```
+
+### Running acceptance tests
+
+With a succesful build to take your local changes into account and a working Vault instance configured, you can now run acceptance tests to validate if any regressions were introduced.
+
+```sh
+$ npm run test:integration:basic # Choose one of: basic, enterprise, e2e, e2e-tls
+```
+
+### Running the action locally
+
+You can use the [act](https://github.com/nektos/act) command to test your
+changes locally.
+
+Edit the ./.github/workflows/local-test.yaml file and add any steps necessary
+to test your changes. You may have to additionally edit the Vault url, token
+and secret path if you are not using one of the provided containerized
+instances. The `local-test` job will call the ./integrationTests/e2e/setup.js
+script to bootstrap your local Vault instance with secrets.
+
+Run your feature branch locally:
+
+```sh
+act workflow_dispatch -j local-test
+```
+
+Or use the provided make target which will also spin up a Vault container:
+
+```sh
+make local-test
+```

action.yml

@@ -1,4 +1,4 @@
-name: 'Vault Secrets'
+name: 'HashiCorp Vault'
 description: 'A Github Action that allows you to consume HashiCorp Vault™ secrets as secure environment variables'
 inputs:
   url:
@@ -7,6 +7,9 @@ inputs:
   secrets:
     description: 'A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details'
     required: false
+  pki:
+    description: 'A semicolon-separated list of certificates to generate. These will automatically be converted to environment variable keys. Cannot be used with "secrets". See README for more details'
+    required: false
   namespace:
     description: 'The Vault namespace from which to query secrets. Vault Enterprise only, unset by default'
     required: false
@@ -18,16 +21,16 @@ inputs:
     description: 'Vault role for specified auth method'
     required: false
   path:
-    description: 'Custom Vault path, if the auth method was mounted at a different path'
+    description: 'The Vault path for the auth method.'
     required: false
   token:
-    description: 'The Vault Token to be used to authenticate with Vault'
+    description: 'The Vault token to be used to authenticate with Vault'
     required: false
   roleId:
-    description: 'The Role Id for App Role authentication'
+    description: 'The role ID for App Role authentication'
     required: false
   secretId:
-    description: 'The Secret Id for App Role authentication'
+    description: 'The secret ID for App Role authentication'
     required: false
   githubToken:
     description: 'The Github Token to be used to authenticate with Vault'
@@ -36,6 +39,12 @@ inputs:
     description: 'The path to the Kubernetes service account secret'
     required: false
     default: '/var/run/secrets/kubernetes.io/serviceaccount/token'
+  username:
+    description: 'The username of the user to log in to Vault as. Available to both Userpass and LDAP auth methods'
+    required: false
+  password:
+    description: 'The password of the user to log in to Vault as. Available to both Userpass and LDAP auth methods'
+    required: false
   authPayload:
     description: 'The JSON payload to be sent to Vault when using a custom authentication method.'
     required: false
@@ -50,8 +59,12 @@ inputs:
     description: 'Whether or not export Vault token as environment variables.'
     default: 'false'
     required: false
+  outputToken:
+    description: 'Whether or not to set the `vault_token` output to contain the Vault token after authentication.'
+    default: 'false'
+    required: false
   caCertificate:
-    description: 'Base64 encoded CA certificate to verify the Vault server certificate.'
+    description: 'Base64 encoded CA certificate the server certificate was signed with. Defaults to CAs provided by Mozilla.'
     required: false
   clientCertificate:
     description: 'Base64 encoded client certificate for mTLS communication with the Vault server.'
@@ -76,8 +89,15 @@ inputs:
     description: 'Time in seconds, after which token expires'
     required: false
     default: 3600
+  secretEncodingType:
+    description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
+    required: false
+  ignoreNotFound:
+    description: 'Whether or not the action should exit successfully if some requested secrets were not found.'
+    required: false
+    default: 'false'
 runs:
-  using: 'node12'
+  using: 'node20'
   main: 'dist/index.js'
 branding:
   icon: 'unlock'

docker-compose.yml

@@ -2,7 +2,7 @@
 version: "3.0"
 services:
   vault:
-    image: vault:latest
+    image: hashicorp/vault:latest
     environment:
       VAULT_DEV_ROOT_TOKEN_ID: testtoken
     ports:
@@ -17,7 +17,7 @@ services:
       - 8200:8200
     privileged: true
   vault-tls:
-    image: vault:latest
+    image: hashicorp/vault:latest
     hostname: vault-tls
     environment:
       VAULT_CAPATH: /etc/vault/ca.crt

integrationTests/basic/approle_auth.test.js

@@ -0,0 +1,134 @@
+jest.mock('@actions/core');
+jest.mock('@actions/core/lib/command');
+const core = require('@actions/core');
+
+const got = require('got');
+const { when } = require('jest-when');
+
+const { exportSecrets } = require('../../src/action');
+
+const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
+const vaultToken = `${process.env.VAULT_TOKEN || 'testtoken'}`
+
+describe('authenticate with approle', () => {
+    let roleId;
+    let secretId;
+    beforeAll(async () => {
+        try {
+            // Verify Connection
+            await got(`${vaultUrl}/v1/secret/config`, {
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+            });
+
+            await got(`${vaultUrl}/v1/secret/data/approle-test`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    data: {
+                        secret: 'SUPERSECRET_WITH_APPROLE',
+                    },
+                },
+            });
+
+            // Enable approle
+            try {
+                await got(`${vaultUrl}/v1/sys/auth/approle`, {
+                    method: 'POST',
+                    headers: {
+                        'X-Vault-Token': vaultToken
+                    },
+                    json: {
+                        type: 'approle'
+                    },
+                });
+            } catch (error) {
+                const {response} = error;
+                if (response.statusCode === 400 && response.body.includes("path is already in use")) {
+                    // Approle might already be enabled from previous test runs
+                } else {
+                    throw error;
+                }
+            }
+
+            // Create policies
+            await got(`${vaultUrl}/v1/sys/policies/acl/test`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken
+                },
+                json: {
+                    "name":"test",
+                    "policy":"path \"auth/approle/*\" {\n    capabilities = [\"read\", \"list\"]\n}\npath \"auth/approle/role/my-role/role-id\"\n{\n    capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\npath \"auth/approle/role/my-role/secret-id\"\n{\n    capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\n\npath \"secret/data/*\" {\n    capabilities = [\"list\"]\n}\npath \"secret/metadata/*\" {\n    capabilities = [\"list\"]\n}\n\npath \"secret/data/approle-test\" {\n    capabilities = [\"read\", \"list\"]\n}\npath \"secret/metadata/approle-test\" {\n    capabilities = [\"read\", \"list\"]\n}\n"
+                },
+            });
+
+            // Create approle
+            await got(`${vaultUrl}/v1/auth/approle/role/my-role`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken
+                },
+                json: {
+                    policies: 'test'
+                },
+            });
+
+            // Get role-id
+            const roldIdResponse = await got(`${vaultUrl}/v1/auth/approle/role/my-role/role-id`, {
+                headers: {
+                    'X-Vault-Token': vaultToken
+                },
+                responseType: 'json',
+            });
+            roleId = roldIdResponse.body.data.role_id;
+
+            // Get secret-id
+            const secretIdResponse = await got(`${vaultUrl}/v1/auth/approle/role/my-role/secret-id`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken
+                },
+                responseType: 'json',
+            });
+            secretId = secretIdResponse.body.data.secret_id;
+        } catch(err) {
+            console.warn('Create approle', err.response.body);
+            throw err;
+        }
+    });
+
+    beforeEach(() => {
+        jest.resetAllMocks();
+
+        when(core.getInput)
+            .calledWith('method', expect.anything())
+            .mockReturnValueOnce('approle');
+        when(core.getInput)
+            .calledWith('roleId', expect.anything())
+            .mockReturnValueOnce(roleId);
+        when(core.getInput)
+            .calledWith('secretId', expect.anything())
+            .mockReturnValueOnce(secretId);
+        when(core.getInput)
+            .calledWith('url', expect.anything())
+            .mockReturnValueOnce(`${vaultUrl}`);
+    });
+
+    function mockInput(secrets) {
+        when(core.getInput)
+            .calledWith('secrets', expect.anything())
+            .mockReturnValueOnce(secrets);
+    }
+
+    it('authenticate with approle', async() => {
+        mockInput('secret/data/approle-test secret');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET_WITH_APPROLE');
+    })
+});

integrationTests/basic/integration.test.js

@@ -8,20 +8,21 @@ const { when } = require('jest-when');
 const { exportSecrets } = require('../../src/action');
 
 const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
+const vaultToken = `${process.env.VAULT_TOKEN || 'testtoken'}`
 
 describe('integration', () => {
     beforeAll(async () => {
         // Verify Connection
         await got(`${vaultUrl}/v1/secret/config`, {
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
         });
 
         await got(`${vaultUrl}/v1/secret/data/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 data: {
@@ -30,10 +31,26 @@ describe('integration', () => {
             },
         });
 
+        await got(`${vaultUrl}/v1/secret/data/test-with-dot-char`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': vaultToken,
+            },
+            body: `{"data":{"secret.foo":"SUPERSECRET"}}`
+        });
+
+        await got(`${vaultUrl}/v1/secret/data/test-with-multi-dot-chars`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': vaultToken,
+            },
+            body: `{"data":{"secret.foo.bar":"SUPERSECRET"}}`
+        });
+
         await got(`${vaultUrl}/v1/secret/data/nested/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 data: {
@@ -45,7 +62,7 @@ describe('integration', () => {
         await got(`${vaultUrl}/v1/secret/data/foobar`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 data: {
@@ -59,7 +76,7 @@ describe('integration', () => {
             await got(`${vaultUrl}/v1/sys/mounts/secret-kv1`, {
                 method: 'POST',
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                 },
                 json: {
                     type: 'kv'
@@ -77,7 +94,7 @@ describe('integration', () => {
         await got(`${vaultUrl}/v1/secret-kv1/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 secret: 'CUSTOMSECRET',
@@ -87,7 +104,7 @@ describe('integration', () => {
         await got(`${vaultUrl}/v1/secret-kv1/foobar`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 fookv1: 'bar',
@@ -97,12 +114,75 @@ describe('integration', () => {
         await got(`${vaultUrl}/v1/secret-kv1/nested/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 "other-Secret-dash": 'OTHERCUSTOMSECRET',
             },
         });
+
+        // Enable pki engine
+        try {
+            await got(`${vaultUrl}/v1/sys/mounts/pki`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    type: 'pki'
+                }
+            });
+        } catch (error) {
+            const {response} = error;
+            if (response.statusCode === 400 && response.body.includes("path is already in use")) {
+                // Engine might already be enabled from previous test runs
+            } else {
+                throw error;
+            }
+        }
+
+        // Configure Root CA
+        try {
+            await got(`${vaultUrl}/v1/pki/root/generate/internal`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    common_name: 'test',
+                    ttl: '24h',
+                },
+            });
+        } catch (error) {
+            const {response} = error;
+            if (response.statusCode === 400 && response.body.includes("already exists")) {
+                // Root CA might already be configured from previous test runs
+            } else {
+                throw error;
+            }
+        }
+
+        // Configure PKI Role
+        try {
+            await got(`${vaultUrl}/v1/pki/roles/Test`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    allowed_domains: ['test'],
+                    allow_bare_domains: true,
+                    max_ttl: '1h',
+                },
+            });
+        } catch (error) {
+            const {response} = error;
+            if (response.statusCode === 400 && response.body.includes("already exists")) {
+                // Role might already be configured from previous test runs
+            } else {
+                throw error;
+            }
+        }
     });
 
     beforeEach(() => {
@@ -114,7 +194,7 @@ describe('integration', () => {
 
         when(core.getInput)
             .calledWith('token', expect.anything())
-            .mockReturnValueOnce('testtoken');
+            .mockReturnValueOnce(vaultToken);
     });
 
     function mockInput(secrets) {
@@ -123,14 +203,55 @@ describe('integration', () => {
             .mockReturnValueOnce(secrets);
     }
 
+    function mockPkiInput(pki) {
+        when(core.getInput)
+            .calledWith('pki', expect.anything())
+            .mockReturnValueOnce(pki);
+    }
+
+    function mockIgnoreNotFound(shouldIgnore) {
+        when(core.getInput)
+            .calledWith('ignoreNotFound', expect.anything())
+            .mockReturnValueOnce(shouldIgnore);
+    }
+
+
     it('prints a nice error message when secret not found', async () => {
         mockInput(`secret/data/test secret ;
         secret/data/test secret | NAMED_SECRET ;
         secret/data/notFound kehe | NO_SIR ;`);
 
-        expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
+        await expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
     })
 
+    it('does not error when secret not found and ignoreNotFound is true', async () => {
+        mockInput(`secret/data/test secret ;
+        secret/data/test secret | NAMED_SECRET ;
+        secret/data/notFound kehe | NO_SIR ;`);
+
+        mockIgnoreNotFound("true");
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(2);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
+        expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
+    })
+
+    it('gets a pki certificate', async () => {
+        mockPkiInput('pki/issue/Test {"common_name":"test","ttl":"1h"}');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(4);
+
+        expect(core.exportVariable).toBeCalledWith('TEST_KEY', expect.anything());
+        expect(core.exportVariable).toBeCalledWith('TEST_CERT', expect.anything());
+        expect(core.exportVariable).toBeCalledWith('TEST_CA', expect.anything());
+        expect(core.exportVariable).toBeCalledWith('TEST_CA_CHAIN', expect.anything());
+    });
+
     it('get simple secret', async () => {
         mockInput('secret/data/test secret');
 
@@ -170,6 +291,46 @@ describe('integration', () => {
         expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERSUPERSECRET');
     });
 
+    it('get wildcard secrets with dot char', async () => {
+        mockInput(`secret/data/test-with-dot-char * ;`);
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(1);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET__FOO', 'SUPERSECRET');
+    });
+
+    it('get secrets with multiple dot chars', async () => {
+        mockInput(`secret/data/test-with-multi-dot-chars * ;`);
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(1);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET__FOO__BAR', 'SUPERSECRET');
+    });
+
+    it('get wildcard secrets', async () => {
+        mockInput(`secret/data/test * ;`);
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(1);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
+    });
+
+    it('get wildcard secrets with name prefix', async () => {
+        mockInput(`secret/data/test * | GROUP_ ;`);
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(1);
+
+        expect(core.exportVariable).toBeCalledWith('GROUP_SECRET', 'SUPERSECRET');
+    });
+
     it('leading slash kvv2', async () => {
         mockInput('/secret/data/foobar fookv2');
 
@@ -194,6 +355,34 @@ describe('integration', () => {
         expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERCUSTOMSECRET');
     });
 
+    it('get K/V v1 wildcard secrets', async () => {
+        mockInput(`secret-kv1/test * ;`);
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(1);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET');
+    });
+
+    it('get K/V v1 wildcard secrets with name prefix', async () => {
+        mockInput(`secret-kv1/test * | GROUP_ ;`);
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(1);
+
+        expect(core.exportVariable).toBeCalledWith('GROUP_SECRET', 'CUSTOMSECRET');
+    });
+
+    it('get wildcard nested secret from K/V v1', async () => {
+        mockInput('secret-kv1/nested/test *');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERCUSTOMSECRET');
+    });
+
     it('leading slash kvv1', async () => {
         mockInput('/secret-kv1/foobar fookv1');
 
@@ -207,7 +396,7 @@ describe('integration', () => {
             await got(`${vaultUrl}/v1/cubbyhole/test`, {
                 method: 'POST',
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                 },
                 json: {
                     foo: "bar",
@@ -224,6 +413,43 @@ describe('integration', () => {
             expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
         });
 
+        it('wildcard supports cubbyhole with uppercase transform', async () => {
+            mockInput('/cubbyhole/test *');
+
+            await exportSecrets();
+            
+            expect(core.exportVariable).toBeCalledTimes(2);
+
+            expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
+            expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
+        });
+
+        it('wildcard supports cubbyhole with no change in case', async () => {
+            mockInput('/cubbyhole/test **');
+
+            await exportSecrets();
+
+            expect(core.exportVariable).toBeCalledTimes(2);
+
+            expect(core.exportVariable).toBeCalledWith('foo', 'bar');
+            expect(core.exportVariable).toBeCalledWith('zip', 'zap');
+        });
+
+        it('wildcard supports cubbyhole with mixed case change', async () => {
+            mockInput(`
+            /cubbyhole/test * ;
+            /cubbyhole/test **`);
+
+            await exportSecrets();
+
+            expect(core.exportVariable).toBeCalledTimes(4);
+
+            expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
+            expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
+            expect(core.exportVariable).toBeCalledWith('foo', 'bar');
+            expect(core.exportVariable).toBeCalledWith('zip', 'zap');
+        });
+        
         it('caches responses', async () => {            
             mockInput(`
             /cubbyhole/test foo ;

integrationTests/basic/jwt_auth.test.js

@@ -14,6 +14,7 @@ const { when } = require('jest-when');
 const { exportSecrets } = require('../../src/action');
 
 const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
+const vaultToken = `${process.env.VAULT_TOKEN || 'testtoken'}`
 
 /**
  * Returns Github OIDC response mock
@@ -59,7 +60,7 @@ describe('jwt auth', () => {
         // Verify Connection
         await got(`${vaultUrl}/v1/secret/config`, {
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
         });
 
@@ -67,7 +68,7 @@ describe('jwt auth', () => {
             await got(`${vaultUrl}/v1/sys/auth/jwt`, {
                 method: 'POST',
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                 },
                 json: {
                     type: 'jwt'
@@ -85,7 +86,7 @@ describe('jwt auth', () => {
         await got(`${vaultUrl}/v1/sys/policy/reader`, {
             method: 'PUT',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 policy: `
@@ -96,10 +97,12 @@ describe('jwt auth', () => {
             }
         });
 
+        // write the jwt config, the jwt role will be written on a per-test
+        // basis since the audience may vary
         await got(`${vaultUrl}/v1/auth/jwt/config`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 jwt_validation_pubkeys: publicRsaKey,
@@ -107,26 +110,10 @@ describe('jwt auth', () => {
             }
         });
 
-        await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
-            method: 'POST',
-            headers: {
-                'X-Vault-Token': 'testtoken',
-            },
-            json: {
-                role_type: 'jwt',
-                bound_audiences: null,
-                bound_claims: {
-                    iss: 'vault-action'
-                },
-                user_claim: 'iss',
-                policies: ['reader']
-            }
-        });
-
         await got(`${vaultUrl}/v1/secret/data/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 data: {
@@ -137,6 +124,24 @@ describe('jwt auth', () => {
     });
 
     describe('authenticate with private key', () => {
+        beforeAll(async () => {
+            await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    role_type: 'jwt',
+                    bound_audiences: null,
+                    bound_claims: {
+                        iss: 'vault-action'
+                    },
+                    user_claim: 'iss',
+                    policies: ['reader']
+                }
+            });
+        });
+
         beforeEach(() => {
             jest.resetAllMocks();
 
@@ -169,14 +174,30 @@ describe('jwt auth', () => {
 
     describe('authenticate with Github OIDC', () => {
         beforeAll(async () => {
-            await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
+            await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
                 method: 'POST',
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                 },
                 json: {
                     role_type: 'jwt',
-                    bound_audiences: null,
+                    bound_audiences: 'https://github.com/hashicorp/vault-action',
+                    bound_claims: {
+                        iss: 'vault-action'
+                    },
+                    user_claim: 'iss',
+                    policies: ['reader']
+                }
+            });
+
+            await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    role_type: 'jwt',
+                    bound_audiences: 'sigstore',
                     bound_claims: {
                         iss: 'vault-action',
                         aud: 'sigstore',

integrationTests/basic/userpass_auth.test.js

@@ -0,0 +1,116 @@
+jest.mock('@actions/core');
+jest.mock('@actions/core/lib/command');
+const core = require('@actions/core');
+
+const got = require('got');
+const { when } = require('jest-when');
+
+const { exportSecrets } = require('../../src/action');
+
+const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
+const vaultToken = `${process.env.VAULT_TOKEN || 'testtoken'}`
+
+describe('authenticate with userpass', () => {
+    const username = `testUsername`;
+    const password = `testPassword`;
+    beforeAll(async () => {
+        try {
+            // Verify Connection
+            await got(`${vaultUrl}/v1/secret/config`, {
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+            });
+
+            await got(`${vaultUrl}/v1/secret/data/userpass-test`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    data: {
+                        secret: 'SUPERSECRET_WITH_USERPASS',
+                    },
+                },
+            });
+
+            // Enable userpass
+            try {
+                await got(`${vaultUrl}/v1/sys/auth/userpass`, {
+                    method: 'POST',
+                    headers: {
+                        'X-Vault-Token': vaultToken
+                    },
+                    json: {
+                        type: 'userpass'
+                    },
+                });
+            } catch (error) {
+                const {response} = error;
+                if (response.statusCode === 400 && response.body.includes("path is already in use")) {
+                    // Userpass might already be enabled from previous test runs
+                } else {
+                    throw error;
+                }
+            }
+
+            // Create policies
+            await got(`${vaultUrl}/v1/sys/policies/acl/userpass-test`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken
+                },
+                json: {
+                    "name":"userpass-test",
+                    "policy":`path \"auth/userpass/*\" {\n    capabilities = [\"read\", \"list\"]\n}\npath \"auth/userpass/users/${username}\"\n{\n    capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\n\npath \"secret/data/*\" {\n    capabilities = [\"list\"]\n}\npath \"secret/metadata/*\" {\n    capabilities = [\"list\"]\n}\n\npath \"secret/data/userpass-test\" {\n    capabilities = [\"read\", \"list\"]\n}\npath \"secret/metadata/userpass-test\" {\n    capabilities = [\"read\", \"list\"]\n}\n`
+                },
+            });
+
+            // Create user
+            await got(`${vaultUrl}/v1/auth/userpass/users/${username}`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken
+                },
+                json: {
+                    password: `${password}`,
+                    policies: 'userpass-test'
+                },
+            });
+        } catch(err) {
+            console.warn('Create user in userpass', err.response.body);
+            throw err;
+        }
+    });
+
+    beforeEach(() => {
+        jest.resetAllMocks();
+
+        when(core.getInput)
+            .calledWith('method', expect.anything())
+            .mockReturnValueOnce('userpass');
+        when(core.getInput)
+            .calledWith('username', expect.anything())
+            .mockReturnValueOnce(username);
+        when(core.getInput)
+            .calledWith('password', expect.anything())
+            .mockReturnValueOnce(password);
+        when(core.getInput)
+            .calledWith('url', expect.anything())
+            .mockReturnValueOnce(`${vaultUrl}`);
+    });
+
+    function mockInput(secrets) {
+        when(core.getInput)
+            .calledWith('secrets', expect.anything())
+            .mockReturnValueOnce(secrets);
+    }
+
+    it('authenticate with userpass', async() => {
+        mockInput('secret/data/userpass-test secret');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET_WITH_USERPASS');
+    })
+});

integrationTests/e2e/e2e.test.js

@@ -9,5 +9,9 @@ describe('e2e', () => {
         expect(process.env.OTHERALTSECRET).toBe("OTHERCUSTOMSECRET");
         expect(process.env.FOO).toBe("bar");
         expect(process.env.NAMED_CUBBYSECRET).toBe("zap");
+        expect(process.env.SUBSEQUENT_TEST_SECRET).toBe("SUBSEQUENT_TEST_SECRET");
+        expect(process.env.JSONSTRING).toBe('{"x":1,"y":"qux"}');
+        expect(process.env.JSONSTRINGMULTILINE).toBe('{"x": 1, "y": "q\\nux"}');
+        expect(process.env.JSONDATA).toBe('{"x":1,"y":"qux"}');
     });
 });

integrationTests/e2e/setup.js

@@ -1,20 +1,23 @@
 const got = require('got');
 
 const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
+const vaultToken = `${process.env.VAULT_TOKEN}` === undefined ? `${process.env.VAULT_TOKEN}` : "testtoken";
+
+const jsonStringMultiline = '{"x": 1, "y": "q\\nux"}';
 
 (async () => {
     try {
         // Verify Connection
         await got(`http://${vaultUrl}/v1/secret/config`, {
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
         });
 
         await got(`http://${vaultUrl}/v1/secret/data/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 data: {
@@ -26,7 +29,7 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
         await got(`http://${vaultUrl}/v1/secret/data/nested/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 data: {
@@ -35,10 +38,48 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
             }
         });
 
+        await got(`http://${vaultUrl}/v1/secret/data/test-json-string`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': vaultToken,
+            },
+            json: {
+                data: {
+                    // this is stored in Vault as a string
+                    jsonString: '{"x":1,"y":"qux"}',
+                },
+            },
+        });
+
+        await got(`http://${vaultUrl}/v1/secret/data/test-json-data`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': vaultToken,
+            },
+            json: {
+                data: {
+                    // this is stored in Vault as a map
+                    jsonData: {"x":1,"y":"qux"},
+                },
+            },
+        });
+
+        await got(`http://${vaultUrl}/v1/secret/data/test-json-string-multiline`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': vaultToken,
+            },
+            json: {
+                data: {
+                    jsonStringMultiline,
+                },
+            },
+        });
+
         await got(`http://${vaultUrl}/v1/sys/mounts/my-secret`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 type: 'kv'
@@ -48,7 +89,7 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
         await got(`http://${vaultUrl}/v1/my-secret/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 altSecret: 'CUSTOMSECRET',
@@ -58,7 +99,7 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
         await got(`http://${vaultUrl}/v1/my-secret/nested/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 otherAltSecret: 'OTHERCUSTOMSECRET',
@@ -68,13 +109,25 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
         await got(`http://${vaultUrl}/v1/cubbyhole/test`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             },
             json: {
                 foo: 'bar',
                 zip: 'zap',
             },
         });
+
+        await got(`http://${vaultUrl}/v1/secret/data/subsequent-test`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': vaultToken,
+            },
+            json: {
+                data: {
+                    secret: 'SUBSEQUENT_TEST_SECRET',
+                },
+            },
+        });
     } catch (error) {
         console.log(error);
         process.exit(1);

integrationTests/enterprise/enterprise.test.js

@@ -8,6 +8,7 @@ const { when } = require('jest-when');
 const { exportSecrets } = require('../../src/action');
 
 const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8201'}`;
+const vaultToken = `${process.env.VAULT_TOKEN || 'testtoken'}`
 
 describe('integration', () => {
     beforeAll(async () => {
@@ -15,7 +16,7 @@ describe('integration', () => {
             // Verify Connection
             await got(`${vaultUrl}/v1/secret/config`, {
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                 },
             });
 
@@ -48,7 +49,7 @@ describe('integration', () => {
 
         when(core.getInput)
             .calledWith('token', expect.anything())
-            .mockReturnValueOnce('testtoken');
+            .mockReturnValueOnce(vaultToken);
 
         when(core.getInput)
             .calledWith('namespace', expect.anything())
@@ -71,6 +72,22 @@ describe('integration', () => {
         expect(core.exportVariable).toBeCalledWith('TEST_KEY', 'SUPERSECRET_IN_NAMESPACE');
     });
 
+    it('get wildcard secrets', async () => {
+        mockInput('secret/data/test *');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET_IN_NAMESPACE');
+    });
+
+    it('get wildcard secrets with name prefix', async () => {
+        mockInput('secret/data/test * | GROUP_');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('GROUP_SECRET', 'SUPERSECRET_IN_NAMESPACE');
+    });
+
     it('get nested secret', async () => {
         mockInput('secret/data/nested/test otherSecret');
 
@@ -102,6 +119,22 @@ describe('integration', () => {
         expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET_IN_NAMESPACE');
     });
 
+    it('get wildcard secrets from K/V v1', async () => {
+        mockInput('my-secret/test *');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET_IN_NAMESPACE');
+    });
+
+    it('get wildcard secrets from K/V v1 with name prefix', async () => {
+        mockInput('my-secret/test * | GROUP_');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('GROUP_SECRET', 'CUSTOMSECRET_IN_NAMESPACE');
+    });
+
     it('get nested secret from K/V v1', async () => {
         mockInput('my-secret/nested/test otherSecret');
 
@@ -119,7 +152,7 @@ describe('authenticate with approle', () => {
             // Verify Connection
             await got(`${vaultUrl}/v1/secret/config`, {
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                 },
             });
 
@@ -137,7 +170,7 @@ describe('authenticate with approle', () => {
                 await got(`${vaultUrl}/v1/sys/auth/approle`, {
                     method: 'POST',
                     headers: {
-                        'X-Vault-Token': 'testtoken',
+                        'X-Vault-Token': vaultToken,
                         'X-Vault-Namespace': 'ns2',
                     },
                     json: {
@@ -157,7 +190,7 @@ describe('authenticate with approle', () => {
             await got(`${vaultUrl}/v1/sys/policies/acl/test`, {
                 method: 'POST',
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                     'X-Vault-Namespace': 'ns2',
                 },
                 json: {
@@ -170,7 +203,7 @@ describe('authenticate with approle', () => {
             await got(`${vaultUrl}/v1/auth/approle/role/my-role`, {
                 method: 'POST',
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                     'X-Vault-Namespace': 'ns2',
                 },
                 json: {
@@ -181,7 +214,7 @@ describe('authenticate with approle', () => {
             // Get role-id
             const roldIdResponse = await got(`${vaultUrl}/v1/auth/approle/role/my-role/role-id`, {
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                     'X-Vault-Namespace': 'ns2',
                 },
                 responseType: 'json',
@@ -192,7 +225,7 @@ describe('authenticate with approle', () => {
             const secretIdResponse = await got(`${vaultUrl}/v1/auth/approle/role/my-role/secret-id`, {
                 method: 'POST',
                 headers: {
-                    'X-Vault-Token': 'testtoken',
+                    'X-Vault-Token': vaultToken,
                     'X-Vault-Namespace': 'ns2',
                 },
                 responseType: 'json',
@@ -238,7 +271,7 @@ async function enableNamespace(name) {
         await got(`${vaultUrl}/v1/sys/namespaces/${name}`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
             }
         });
     } catch (error) {
@@ -256,7 +289,7 @@ async function enableEngine(path, namespace, version) {
         await got(`${vaultUrl}/v1/sys/mounts/${path}`, {
             method: 'POST',
             headers: {
-                'X-Vault-Token': 'testtoken',
+                'X-Vault-Token': vaultToken,
                 'X-Vault-Namespace': namespace,
             },
             json: { type: 'kv', config: {}, options: { version }, generate_signing_key: true },
@@ -277,7 +310,7 @@ async function writeSecret(engine, path, namespace, version, data) {
     await got(`${vaultUrl}/v1/${secretPath}`, {
         method: 'POST',
         headers: {
-            'X-Vault-Token': 'testtoken',
+            'X-Vault-Token': vaultToken,
             'X-Vault-Namespace': namespace,
         },
         json: secretPayload

package.json

@@ -8,23 +8,13 @@
         "test": "jest",
         "test:integration:basic": "jest -c integrationTests/basic/jest.config.js",
         "test:integration:enterprise": "jest -c integrationTests/enterprise/jest.config.js",
-        "test:e2e": "jest -c integrationTests/e2e/jest.config.js",
-        "test:e2e-tls": "jest -c integrationTests/e2e-tls/jest.config.js"
+        "test:integration:e2e": "jest -c integrationTests/e2e/jest.config.js",
+        "test:integration:e2e-tls": "jest -c integrationTests/e2e-tls/jest.config.js"
     },
     "files": [
         "src/**/*",
         "dist/**/*"
     ],
-    "release": {
-        "branch": "main",
-        "plugins": [
-            "@semantic-release/commit-analyzer",
-            "@semantic-release/release-notes-generator",
-            "@semantic-release/github",
-            "@semantic-release/npm"
-        ],
-        "ci": false
-    },
     "repository": {
         "type": "git",
         "url": "git+https://github.com/hashicorp/vault-action.git"
@@ -44,21 +34,18 @@
     },
     "homepage": "https://github.com/hashicorp/vault-action#readme",
     "dependencies": {
-        "got": "^11.8.5",
-        "jsonata": "^1.8.6",
-        "jsrsasign": "^10.5.25"
+        "got": "^11.8.6",
+        "jsonata": "^2.0.3",
+        "jsrsasign": "^11.1.0"
     },
     "peerDependencies": {
         "@actions/core": ">=1 <2"
     },
     "devDependencies": {
-        "@actions/core": "^1.9.0",
-        "@types/got": "^9.6.11",
-        "@types/jest": "^28.1.3",
-        "@zeit/ncc": "^0.22.3",
-        "jest": "^28.1.1",
-        "jest-when": "^3.5.1",
-        "mock-http-server": "^1.4.5",
-        "semantic-release": "^19.0.3"
+        "@actions/core": "^1.10.1",
+        "@vercel/ncc": "^0.38.1",
+        "jest": "^29.7.0",
+        "jest-when": "^3.6.0",
+        "mock-http-server": "^1.4.5"
     }
 }

src/action.js

@@ -3,20 +3,37 @@ const core = require('@actions/core');
 const command = require('@actions/core/lib/command');
 const got = require('got').default;
 const jsonata = require('jsonata');
-const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index');
+const { normalizeOutputKey } = require('./utils');
+const { WILDCARD, WILDCARD_UPPERCASE } = require('./constants');
 
-const AUTH_METHODS = ['approle', 'token', 'github', 'jwt', 'kubernetes'];
+const { auth: { retrieveToken }, secrets: { getSecrets }, pki: { getCertificates } } = require('./index');
+
+const AUTH_METHODS = ['approle', 'token', 'github', 'jwt', 'kubernetes', 'ldap', 'userpass'];
+const ENCODING_TYPES = ['base64', 'hex', 'utf8'];
 
 async function exportSecrets() {
     const vaultUrl = core.getInput('url', { required: true });
     const vaultNamespace = core.getInput('namespace', { required: false });
     const extraHeaders = parseHeadersInput('extraHeaders', { required: false });
     const exportEnv = core.getInput('exportEnv', { required: false }) != 'false';
+    const outputToken = (core.getInput('outputToken', { required: false }) || 'false').toLowerCase() != 'false';
     const exportToken = (core.getInput('exportToken', { required: false }) || 'false').toLowerCase() != 'false';
 
     const secretsInput = core.getInput('secrets', { required: false });
     const secretRequests = parseSecretsInput(secretsInput);
 
+    const pkiInput = core.getInput('pki', { required: false });
+    let pkiRequests = [];
+    if (pkiInput) {
+        if (secretsInput) {
+            throw Error('You cannot provide both "secrets" and "pki" inputs.');
+        }
+
+        pkiRequests = parsePkiInput(pkiInput);
+    }
+
+    const secretEncodingType = core.getInput('secretEncodingType', { required: false });
+
     const vaultMethod = (core.getInput('method', { required: false }) || 'token').toLowerCase();
     const authPayload = core.getInput('authPayload', { required: false });
     if (!AUTH_METHODS.includes(vaultMethod) && !authPayload) {
@@ -66,29 +83,44 @@ async function exportSecrets() {
     }
 
     const vaultToken = await retrieveToken(vaultMethod, got.extend(defaultOptions));
+    core.setSecret(vaultToken)
     defaultOptions.headers['X-Vault-Token'] = vaultToken;
     const client = got.extend(defaultOptions);
 
+    if (outputToken === true) {
+      core.setOutput('vault_token', `${vaultToken}`);
+    }
     if (exportToken === true) {
-        command.issue('add-mask', vaultToken);
         core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
     }
 
-    const requests = secretRequests.map(request => {
-        const { path, selector } = request;
-        return request;
-    });
+    let results = [];
+    if (pkiRequests.length > 0) {
+        results = await getCertificates(pkiRequests, client);
+    } else {
+        results = await getSecrets(secretRequests, client);
+    }
 
-    const results = await getSecrets(requests, client);
 
     for (const result of results) {
-        const { value, request, cachedResponse } = result;
+        // Output the result
+
+        var value = result.value;
+        const request = result.request;
+        const cachedResponse = result.cachedResponse;
+
         if (cachedResponse) {
             core.debug('ℹ using cached response');
         }
+
+        // if a secret is encoded, decode it
+        if (ENCODING_TYPES.includes(secretEncodingType)) {
+            value = Buffer.from(value, secretEncodingType).toString();
+        }
+
         for (const line of value.replace(/\r/g, '').split('\n')) {
             if (line.length > 0) {
-                command.issue('add-mask', line);
+                core.setSecret(line);
             }
         }
         if (exportEnv) {
@@ -99,13 +131,50 @@ async function exportSecrets() {
     }
 };
 
-/** @typedef {Object} SecretRequest 
+/** @typedef {Object} SecretRequest
  * @property {string} path
  * @property {string} envVarName
  * @property {string} outputVarName
  * @property {string} selector
 */
 
+/**
+ * Parses a pki input string into key paths and the request parameters.
+ * @param {string} pkiInput
+ */
+function parsePkiInput(pkiInput) {
+    if (!pkiInput) {
+        return []
+    }
+
+    const secrets = pkiInput
+        .split(';')
+        .filter(key => !!key)
+        .map(key => key.trim())
+        .filter(key => key.length !== 0);
+
+    return secrets.map(secret => {
+        const path = secret.substring(0, secret.indexOf(' '));
+        const parameters = secret.substring(secret.indexOf(' ') + 1);
+
+        core.debug(`ℹ Parsing PKI: ${path} with parameters: ${parameters}`);
+
+        if (!path || !parameters) {
+            throw Error(`You must provide a valid path and parameters. Input: "${secret}"`);
+        }
+
+        let outputVarName = path.split('/').pop();
+        let envVarName = normalizeOutputKey(outputVarName);
+
+        return { 
+            path, 
+            envVarName, 
+            outputVarName,
+            parameters: JSON.parse(parameters),
+        };
+    });
+}
+
 /**
  * Parses a secrets input string into key paths and their resulting environment variable name.
  * @param {string} secretsInput
@@ -152,7 +221,7 @@ function parseSecretsInput(secretsInput) {
         const selectorAst = jsonata(selectorQuoted).ast();
         const selector = selectorQuoted.replace(new RegExp('"', 'g'), '');
 
-        if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
+        if (selector !== WILDCARD && selector !== WILDCARD_UPPERCASE && (selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
             throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
         }
 
@@ -172,20 +241,6 @@ function parseSecretsInput(secretsInput) {
     return output;
 }
 
-/**
- * Replaces any dot chars to __ and removes non-ascii charts
- * @param {string} dataKey
- * @param {boolean=} isEnvVar
- */
-function normalizeOutputKey(dataKey, isEnvVar = false) {
-    let outputKey = dataKey
-        .replace('.', '__').replace(new RegExp('-', 'g'), '').replace(/[^\p{L}\p{N}_-]/gu, '');
-    if (isEnvVar) {
-        outputKey = outputKey.toUpperCase();
-    }
-    return outputKey;
-}
-
 /**
  * @param {string} inputKey
  * @param {any} inputOptions
@@ -214,6 +269,6 @@ function parseHeadersInput(inputKey, inputOptions) {
 module.exports = {
     exportSecrets,
     parseSecretsInput,
-    normalizeOutputKey,
-    parseHeadersInput
+    parseHeadersInput,
 };
+

src/action.test.js

@@ -184,6 +184,17 @@ describe('exportSecrets', () => {
             .mockReturnValueOnce(doExport);
     }
 
+    function mockOutputToken(doOutput) {
+      when(core.getInput)
+          .calledWith('outputToken', expect.anything())
+          .mockReturnValueOnce(doOutput);
+  }
+    function mockEncodeType(doEncode) {
+        when(core.getInput)
+            .calledWith('secretEncodingType', expect.anything())
+            .mockReturnValueOnce(doEncode);
+    }
+
     it('simple secret retrieval', async () => {
         mockInput('test key');
         mockVaultData({
@@ -196,6 +207,68 @@ describe('exportSecrets', () => {
         expect(core.setOutput).toBeCalledWith('key', '1');
     });
 
+    it('encoded secret retrieval', async () => {
+        mockInput('test key');
+        mockVaultData({
+            key: 'MQ=='
+        });
+        mockEncodeType('base64');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('KEY', '1');
+        expect(core.setOutput).toBeCalledWith('key', '1');
+    });
+
+    it('JSON data secret retrieval', async () => {
+        const jsonData = {"x":1,"y":2};
+
+        let result = JSON.stringify(jsonData);
+
+        mockInput('test key');
+        mockVaultData({
+            key: jsonData,
+        });
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('KEY', result);
+        expect(core.setOutput).toBeCalledWith('key', result);
+    });
+
+    it('JSON string secret retrieval', async () => {
+        const jsonString = '{"x":1,"y":2}';
+
+        mockInput('test key');
+        mockVaultData({
+            key: jsonString,
+        });
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('KEY', jsonString);
+        expect(core.setOutput).toBeCalledWith('key', jsonString);
+    });
+
+    it('multi-line JSON string secret retrieval', async () => {
+        const jsonString = `
+        {
+            "x":1,
+            "y":"bar"
+        }
+        `;
+
+        mockInput('test key');
+        mockVaultData({
+            key: jsonString,
+        });
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledWith('KEY', jsonString);
+        expect(core.setOutput).toBeCalledWith('key', jsonString);
+    });
+
     it('intl secret retrieval', async () => {
         mockInput('测试 测试');
         mockVaultData({
@@ -304,13 +377,36 @@ describe('exportSecrets', () => {
 
         await exportSecrets();
 
-        expect(command.issue).toBeCalledTimes(1);
+        expect(core.setSecret).toBeCalledTimes(2);
 
-        expect(command.issue).toBeCalledWith('add-mask', 'secret');
+        expect(core.setSecret).toBeCalledWith('secret');
         expect(core.setOutput).toBeCalledWith('key', 'secret');
     })
 
-    it('multi-line secret gets masked for each line', async () => {
+    it('multi-line secret', async () => {
+        const multiLineString = `ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU
+GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3
+Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA
+NrRFi9wrf+M7Q==`;
+
+        mockInput('test key');
+        mockVaultData({
+            key: multiLineString
+        });
+        mockExportToken("false")
+
+        await exportSecrets();
+
+        expect(core.setSecret).toBeCalledTimes(5); // 1 for each non-empty line + VAULT_TOKEN
+
+        expect(core.setSecret).toBeCalledWith("ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU");
+        expect(core.setSecret).toBeCalledWith("GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3");
+        expect(core.setSecret).toBeCalledWith("Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA");
+        expect(core.setSecret).toBeCalledWith("NrRFi9wrf+M7Q==");
+        expect(core.setOutput).toBeCalledWith('key', multiLineString);
+    })
+
+    it('multi-line secret gets masked for each non-empty line', async () => {
         const multiLineString = `a multi-line string
 
 with blank lines
@@ -324,10 +420,10 @@ with blank lines
 
         await exportSecrets();
 
-        expect(command.issue).toBeCalledTimes(2); // 1 for each non-empty line.
+        expect(core.setSecret).toBeCalledTimes(3); // 1 for each non-empty line.
 
-        expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
-        expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
+        expect(core.setSecret).toBeCalledWith('a multi-line string');
+        expect(core.setSecret).toBeCalledWith('with blank lines');
         expect(core.setOutput).toBeCalledWith('key', multiLineString);
     })
 
@@ -339,4 +435,13 @@ with blank lines
     expect(core.exportVariable).toBeCalledTimes(1);
     expect(core.exportVariable).toBeCalledWith('VAULT_TOKEN', 'EXAMPLE');
   })
+
+  it('output only Vault token, no secrets', async () => {
+    mockOutputToken("true")
+
+    await exportSecrets();
+
+    expect(core.setOutput).toBeCalledTimes(1);
+    expect(core.setOutput).toBeCalledWith('vault_token', 'EXAMPLE');
+  })
 });

src/auth.js

@@ -2,20 +2,24 @@
 const core = require('@actions/core');
 const rsasign = require('jsrsasign');
 const fs = require('fs');
+const { default: got } = require('got');
 
 const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token'
+const retries = 5
+const retries_delay = 3000
 /***
  * Authenticate with Vault and retrieve a Vault token that can be used for requests.
  * @param {string} method
  * @param {import('got').Got} client
  */
 async function retrieveToken(method, client) {
-    const path = core.getInput('path', { required: false }) || method;
+    let path = core.getInput('path', { required: false }) || method;
+    path = `v1/auth/${path}/login`
 
     switch (method) {
         case 'approle': {
             const vaultRoleId = core.getInput('roleId', { required: true });
-            const vaultSecretId = core.getInput('secretId', { required: true });
+            const vaultSecretId = core.getInput('secretId', { required: false });
             return await getClientToken(client, method, path, { role_id: vaultRoleId, secret_id: vaultSecretId });
         }
         case 'github': {
@@ -33,7 +37,10 @@ async function retrieveToken(method, client) {
             const githubAudience = core.getInput('jwtGithubAudience', { required: false });
 
             if (!privateKey) {
-                jwt = await core.getIDToken(githubAudience)
+                jwt = await retryAsyncFunction(retries, retries_delay, core.getIDToken, githubAudience)
+                  .then((result) => {
+                    return result;
+                });
             } else {
                 jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
             }
@@ -49,6 +56,13 @@ async function retrieveToken(method, client) {
             }
             return await getClientToken(client, method, path, { jwt: data, role: role })
         }
+        case 'userpass': 
+        case 'ldap': {
+            const username = core.getInput('username', { required: true });
+            const password = core.getInput('password', { required: true });
+            path = path + `/${username}`
+            return await getClientToken(client, method, path, { password: password })
+        }
 
         default: {
             if (!method || method === 'token') {
@@ -106,10 +120,19 @@ async function getClientToken(client, method, path, payload) {
         responseType,
     };
 
-    core.debug(`Retrieving Vault Token from v1/auth/${path}/login endpoint`);
+    core.debug(`Retrieving Vault Token from ${path} endpoint`);
 
     /** @type {import('got').Response<VaultLoginResponse>} */
-    const response = await client.post(`v1/auth/${path}/login`, options);
+    let response;
+    try {
+        response = await client.post(`${path}`, options);
+    } catch (err) {
+        if (err instanceof got.HTTPError) {
+            throw Error(`failed to retrieve vault token. code: ${err.code}, message: ${err.message}, vaultResponse: ${JSON.stringify(err.response.body)}`)
+        } else {
+            throw err
+        }
+    }
     if (response && response.body && response.body.auth && response.body.auth.client_token) {
         core.debug('✔ Vault Token successfully retrieved');
 
@@ -124,6 +147,30 @@ async function getClientToken(client, method, path, payload) {
     }
 }
 
+/***
+ * Generic function for retrying an async function
+ * @param {number} retries
+ * @param {number} delay
+ * @param {Function} func
+ * @param {any[]} args
+ */
+async function retryAsyncFunction(retries, delay, func, ...args) {
+  let attempt = 0;
+  while (attempt < retries) {
+    try {
+      const result = await func(...args);
+      return result;
+    } catch (error) {
+      attempt++;
+      if (attempt < retries) {
+        await new Promise(resolve => setTimeout(resolve, delay));
+      } else {
+        throw error;
+      }
+    }
+  }
+}
+
 /***
  * @typedef {Object} VaultLoginResponse
  * @property {{

src/auth.test.js

@@ -85,4 +85,23 @@ describe("test retrival for token", () => {
         const url = got.post.mock.calls[0][0]
         expect(url).toContain('differentK8sPath')
     })
+
+    it("test retrieval with jwt", async () => {
+        const method = "jwt"
+        const jwtToken = "someTestToken"
+        const testRole = "testRole"
+        const privateKeyRaw = ""
+
+        mockApiResponse()
+        mockInput("role", testRole)
+        mockInput("jwtPrivateKey", privateKeyRaw)
+        core.getIDToken = jest.fn()
+        core.getIDToken.mockReturnValueOnce(jwtToken)
+        const token = await retrieveToken(method, got)
+        expect(token).toEqual(testToken)
+        const payload = got.post.mock.calls[0][1].json
+        expect(payload).toEqual({ jwt: jwtToken,  role: testRole })
+        const url = got.post.mock.calls[0][0]
+        expect(url).toContain('jwt')
+  })
 })

src/constants.js

@@ -0,0 +1,7 @@
+const WILDCARD_UPPERCASE = '*';
+const WILDCARD = '**';
+
+module.exports = {
+    WILDCARD,
+    WILDCARD_UPPERCASE,
+};

src/entry.js

@@ -5,6 +5,7 @@ const { exportSecrets } = require('./action');
     try {
         await core.group('Get Vault Secrets', exportSecrets);
     } catch (error) {
+        core.setOutput("errorMessage", error.message);
         core.setFailed(error.message);
     }
 })();

src/index.js

@@ -1,7 +1,9 @@
 const auth = require('./auth');
 const secrets = require('./secrets');
+const pki = require('./pki');
 
 module.exports = {
     auth,
-    secrets
+    secrets,
+    pki
 };

src/pki.js

@@ -0,0 +1,76 @@
+const { normalizeOutputKey } = require('./utils');
+const core = require('@actions/core');
+
+/** A map of postfix values mapped to the key in the certificate response and a transformer function */
+const outputMap = {
+    cert: { key: 'certificate', tx: (v) => v },
+    key: { key: 'private_key', tx: (v) => v },
+    ca: { key: 'issuing_ca', tx: (v) => v },
+    ca_chain: { key: 'ca_chain', tx: (v) => v.join('\n') },
+};
+
+/**
+ * @typedef PkiRequest
+ * @type {object}
+ * @property {string} path - The path to the PKI endpoint
+ * @property {Record<string, any>} parameters - The parameters to send to the PKI endpoint
+ * @property {string} envVarName - The name of the environment variable to set
+ * @property {string} outputVarName - The name of the output variable to set
+ */
+
+/**
+ * @typedef {Object} PkiResponse
+ * @property {PkiRequest} request
+ * @property {string} value
+ * @property {boolean} cachedResponse
+ */
+
+/**
+ * Generate and return the certificates from the PKI engine
+ * @param {Array<PkiRequest>} pkiRequests
+ * @param {import('got').Got} client
+ * @return {Promise<Array<PkiResponse>>}
+ */
+async function getCertificates(pkiRequests, client) {
+    /** @type Array<PkiResponse> */
+    let results = [];
+
+    for (const pkiRequest of pkiRequests) {
+        const { path, parameters } = pkiRequest;
+
+        const requestPath = `v1/${path}`;
+        let body;
+        try {
+            const result = await client.post(requestPath, {
+                body: JSON.stringify(parameters),
+            });
+            body = result.body;
+        } catch (error) {
+            core.error(`✘ ${error.response?.body ?? error.message}`);
+            throw error;
+        }
+
+        body = JSON.parse(body);
+
+        core.info(`✔ Successfully generated certificate (serial number ${body.data.serial_number})`);
+
+        Object.entries(outputMap).forEach(([key, value]) => {
+            const val = value.tx(body.data[value.key]);
+            results.push({
+                request: {
+                    ...pkiRequest,
+                    envVarName: normalizeOutputKey(`${pkiRequest.envVarName}_${key}`, true),
+                    outputVarName: normalizeOutputKey(`${pkiRequest.outputVarName}_${key}`),
+                },
+                value: val,
+                cachedResponse: false,
+            });
+        });
+    }
+
+    return results;
+}
+
+module.exports = {
+    getCertificates,
+};

src/retries.test.js

@@ -66,4 +66,4 @@ describe('exportSecrets retries', () => {
             done();
         });
     });
-});
+});

src/secrets.js

@@ -1,5 +1,7 @@
 const jsonata = require("jsonata");
-
+const { WILDCARD, WILDCARD_UPPERCASE} = require("./constants");
+const { normalizeOutputKey } = require("./utils");
+const core = require('@actions/core');
 
 /**
  * @typedef {Object} SecretRequest
@@ -21,9 +23,11 @@ const jsonata = require("jsonata");
   * @param {import('got').Got} client
   * @return {Promise<SecretResponse<TRequest>[]>}
   */
-async function getSecrets(secretRequests, client) {
+async function getSecrets(secretRequests, client, ignoreNotFound) {
     const responseCache = new Map();
-    const results = [];
+    let results = [];
+    let upperCaseEnv = false;
+
     for (const secretRequest of secretRequests) {
         let { path, selector } = secretRequest;
 
@@ -40,42 +44,88 @@ async function getSecrets(secretRequests, client) {
                 responseCache.set(requestPath, body);
             } catch (error) {
                 const {response} = error;
-                if (response.statusCode === 404) {
-                    throw Error(`Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`)
+                if (response?.statusCode === 404) {
+                    notFoundMsg = `Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`;
+                    const ignoreNotFound = (core.getInput('ignoreNotFound', { required: false }) || 'false').toLowerCase() != 'false';
+                    if (ignoreNotFound) {
+                        core.error(`✘ ${notFoundMsg}`);
+                        continue;
+                    } else {
+                        throw Error(notFoundMsg)
+                    }
                 }
                 throw error
             }
         }
-        if (!selector.match(/.*[\.].*/)) {
-            selector = '"' + selector + '"'
-        }
-        selector = "data." + selector
-        body = JSON.parse(body)
-        if (body.data["data"] != undefined) {
-            selector = "data." + selector
-        }
 
-        const value = selectData(body, selector);
-        results.push({
-            request: secretRequest,
-            value,
-            cachedResponse
-        });
+        body = JSON.parse(body);
+
+        if (selector === WILDCARD || selector === WILDCARD_UPPERCASE) {
+            upperCaseEnv = selector === WILDCARD_UPPERCASE;
+            let keys = body.data;
+            if (body.data["data"] != undefined) {
+                keys = keys.data;
+            }
+
+            for (let key in keys) {
+                let newRequest = Object.assign({},secretRequest);
+                newRequest.selector = key;
+
+                if (secretRequest.selector === secretRequest.outputVarName) {
+                    newRequest.outputVarName = key;
+                    newRequest.envVarName = key;
+                } else {
+                    newRequest.outputVarName = secretRequest.outputVarName+key;
+                    newRequest.envVarName = secretRequest.envVarName+key;
+                }
+
+                newRequest.outputVarName = normalizeOutputKey(newRequest.outputVarName);
+                newRequest.envVarName = normalizeOutputKey(newRequest.envVarName, upperCaseEnv);
+
+                // JSONata field references containing reserved tokens should
+                // be enclosed in backticks
+                // https://docs.jsonata.org/simple#examples
+                if (key.includes(".")) {
+                    const backtick = '`';
+                    key = backtick.concat(key, backtick);
+                }
+                selector = key;
+
+                results = await selectAndAppendResults(
+                  selector,
+                  body,
+                  cachedResponse,
+                  newRequest,
+                  results
+                );
+            }
+        }
+        else {
+          results = await selectAndAppendResults(
+            selector,
+            body,
+            cachedResponse,
+            secretRequest,
+            results
+          );
+        }
     }
+
     return results;
 }
 
 /**
  * Uses a Jsonata selector retrieve a bit of data from the result
- * @param {object} data 
- * @param {string} selector 
+ * @param {object} data
+ * @param {string} selector
  */
-function selectData(data, selector) {
+async function selectData(data, selector) {
     const ata = jsonata(selector);
-    let result = JSON.stringify(ata.evaluate(data));
+    let result = JSON.stringify(await ata.evaluate(data));
+
     // Compat for custom engines
     if (!result && ((ata.ast().type === "path" && ata.ast()['steps'].length === 1) || ata.ast().type === "string") && selector !== 'data' && 'data' in data) {
-        result = JSON.stringify(jsonata(`data.${selector}`).evaluate(data));
+        result = JSON.stringify(await jsonata(`data.${selector}`).evaluate(data));
     } else if (!result) {
         throw Error(`Unable to retrieve result for ${selector}. No match data was found. Double check your Key or Selector.`);
     }
@@ -86,7 +136,44 @@ function selectData(data, selector) {
     return result;
 }
 
+/**
+ * Uses selectData with the selector to get the value and then appends it to the
+ * results. Returns a new array with all of the results.
+ * @param {string} selector
+ * @param {object} body
+ * @param {object} cachedResponse
+ * @param {TRequest} secretRequest
+ * @param {SecretResponse<TRequest>[]} results
+ * @return {Promise<SecretResponse<TRequest>[]>}
+ */
+const selectAndAppendResults = async (
+  selector,
+  body,
+  cachedResponse,
+  secretRequest,
+  results
+) => {
+  if (!selector.includes(".")) {
+    selector = '"' + selector + '"';
+  }
+  selector = "data." + selector;
+
+  if (body.data["data"] != undefined) {
+    selector = "data." + selector;
+  }
+
+  const value = await selectData(body, selector);
+  return [
+    ...results,
+    {
+      request: secretRequest,
+      value,
+      cachedResponse,
+    },
+  ];
+};
+
 module.exports = {
     getSecrets,
     selectData
-}
+}

src/utils.js

@@ -0,0 +1,19 @@
+/**
+ * Replaces any dot chars to __ and removes non-ascii charts
+ * @param {string} dataKey
+ * @param {boolean=} isEnvVar
+ */
+function normalizeOutputKey(dataKey, upperCase = false) {
+  let outputKey = dataKey
+    .replaceAll(".", "__")
+    .replace(new RegExp("-", "g"), "")
+    .replace(/[^\p{L}\p{N}_-]/gu, "");
+  if (upperCase) {
+    outputKey = outputKey.toUpperCase();
+  }
+  return outputKey;
+}
+
+module.exports = { 
+    normalizeOutputKey 
+};