actions/vault-action
2
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-12-18 08:58:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: actions:v2.7.3
Branches Tags
actions:main
actions:compliance/add-headers-batch-1
actions:docs/VAULT-36003/tcf
actions:fix-module-not-found
actions:update-jsonata
actions:fairclothjm/colpal/main
actions:test-multiline-stringify-check-2
actions:test-multiline-stringify-check
actions:v3
actions:v3.4.0
actions:v3.3.0
actions:v3.2.0
actions:v3.1.0
actions:v3.0.0
actions:v2.8.1
actions:v2
actions:v2.8.0
actions:v2.7.5
actions:v2.7.4
actions:v2.7.3
actions:v2.7.2
actions:v2.7.1
actions:v2.7.0
actions:v2.6.0
actions:v2.5.0
actions:v2.4.3
actions:v2.4.2
actions:v2.4.1
actions:v2.4.0
actions:v2.3.1
actions:v2.3.0
actions:v2.2.0
actions:v2.1.2
actions:v2.1.1
actions:v2.1.0
actions:v2.0.1
actions:v2.0.0
actions:v1.0.1
actions:v1.0.0
actions:v0.10.2
actions:v0.10.1
actions:v0.10.0
actions:v0.9.0
actions:v0.8.0
actions:v0.7.0
actions:v0.6.2
actions:v0.6.1
actions:v0.6.0
actions:v0.5.0
actions:v0.4.0
actions:v0.3.1
actions:v0.3.0
actions:v0.2.2
actions:v0.2.0
actions:v0.2.1
actions:v0.1.0
...
compare: actions:main
Branches Tags
actions:compliance/add-headers-batch-1
actions:main
actions:docs/VAULT-36003/tcf
actions:fix-module-not-found
actions:update-jsonata
actions:fairclothjm/colpal/main
actions:test-multiline-stringify-check-2
actions:test-multiline-stringify-check
actions:v3
actions:v3.4.0
actions:v3.3.0
actions:v3.2.0
actions:v3.1.0
actions:v3.0.0
actions:v2.8.1
actions:v2
actions:v2.8.0
actions:v2.7.5
actions:v2.7.4
actions:v2.7.3
actions:v2.7.2
actions:v2.7.1
actions:v2.7.0
actions:v2.6.0
actions:v2.5.0
actions:v2.4.3
actions:v2.4.2
actions:v2.4.1
actions:v2.4.0
actions:v2.3.1
actions:v2.3.0
actions:v2.2.0
actions:v2.1.2
actions:v2.1.1
actions:v2.1.0
actions:v2.0.1
actions:v2.0.0
actions:v1.0.1
actions:v1.0.0
actions:v0.10.2
actions:v0.10.1
actions:v0.10.0
actions:v0.9.0
actions:v0.8.0
actions:v0.7.0
actions:v0.6.2
actions:v0.6.1
actions:v0.6.0
actions:v0.5.0
actions:v0.4.0
actions:v0.3.1
actions:v0.3.0
actions:v0.2.2
actions:v0.2.0
actions:v0.2.1
actions:v0.1.0

46 commits
v2.7.3 ... main

Author SHA1 Message Date
compliance-pr-automation-bot[bot]
2c5827061f
[Compliance] - PR Template Changes Required (#586) 
Co-authored-by: compliance-pr-automation[bot] <1425255+compliance-pr-automation-bot[bot]@users.noreply.github.com>
 2025-07-28 16:10:23 -07:00
John-Michael Faircloth
4c06c5ccf5
Prepare for v3.4.0 release (#584) 
* Prepare for v3.4.0 release

* update dist
 2025-06-13 11:30:03 -05:00
dependabot[bot]
d07b4dc505
chore(deps): bump jsrsasign from 11.0.0 to 11.1.0 (#521) 
Bumps [jsrsasign](https://github.com/kjur/jsrsasign) from 11.0.0 to 11.1.0.
- [Release notes](https://github.com/kjur/jsrsasign/releases)
- [Changelog](https://github.com/kjur/jsrsasign/blob/master/ChangeLog.txt)
- [Commits](https://github.com/kjur/jsrsasign/compare/11.0.0...11.1.0)

---
updated-dependencies:
- dependency-name: jsrsasign
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-06-13 10:30:05 -05:00
John-Michael Faircloth
8ab17d80fa
Prevent possible DoS via polynomial regex (#583) 2025-06-13 09:17:23 -05:00
John-Michael Faircloth
b022ecdb0c
fix: replace all dot chars during normalization (#580) 
* fix: replace all dot chars during normalization

* changelog
 2025-05-14 09:32:58 -05:00
Tom Chwojko-Frank
4d5899dd0e
Adding codeowners file (#578) 2025-04-14 16:20:35 -07:00
Rory
7709c60978
feat: added double asterisk wildcard selector to prevent uppercasing of keys before exporting envs (#545) 
* feat: added double asterisk wildcard selector to prevent uppercasing of keys before exporting envs

* chore: update changelog

---------

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
 2025-03-03 15:31:00 -06:00
John-Michael Faircloth
4b1f32b395
Prepare for v3.2.0 release (#575) 
* Prepare for v3.2.0 release

* changelog update
 2025-03-03 14:18:41 -06:00
Andre Fuentes
5d06ce836f
Retry core.getIDToken for JWT Auth Method (#574) 
* adding generic async retry function and retry core.getIDToken

* adding test and build
 2025-03-03 12:02:57 -06:00
kpcraig
a1b77a0929
Prepare for v3.1.0 release (#571) 2025-01-09 13:09:19 -05:00
Dave Sewell
3b999aeea2
chore: Update dist/index for latest code (#568) 2024-12-20 17:41:11 -08:00
Dave Sewell
c46b8b8822
chore: Update docker compose command (#567) 2024-12-06 12:47:10 -05:00
Dave Sewell
33b70ff01a
feat: Add PKI capability (#564) 2024-12-05 12:22:45 -05:00
John-Michael Faircloth
8b7eaceb79
docs: add namespace example to readme (#562) 
* docs: add namespace example to readme

* fix integration test jwt audience
 2024-08-01 08:50:57 -05:00
John-Michael Faircloth
148ee648cc
chore: add details on kvv2 path (#554) 2024-05-22 15:22:30 -05:00
John-Michael Faircloth
0f302fb182
chore: bump and pin github actions (#552) 2024-05-14 16:12:19 -05:00
John-Michael Faircloth
47dbc643a8
fix wildcard handling when field contains dot (#542) 
* fix wildcard handling when field contains dot

* changelog
 2024-04-15 16:42:20 -05:00
John-Michael Faircloth
66531b2752
Revert convert to esm (#544) 
* Revert "update got dependency and convert to esm module (#533)"

This reverts commit 77efb36ae3.

* keep new local test file changes

* keep changes to PR template

* update changelog
 2024-04-15 16:39:55 -05:00
dependabot[bot]
ee41aa2fcf
chore(deps): bump jsonata from 2.0.3 to 2.0.4 (#531) 
* chore(deps): bump jsonata from 2.0.3 to 2.0.4

Bumps [jsonata](https://github.com/jsonata-js/jsonata) from 2.0.3 to 2.0.4.
- [Release notes](https://github.com/jsonata-js/jsonata/releases)
- [Changelog](https://github.com/jsonata-js/jsonata/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jsonata-js/jsonata/compare/v2.0.3...v2.0.4)

---
updated-dependencies:
- dependency-name: jsonata
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* changelog

* changelog++

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: JM Faircloth <jmfaircloth@hashicorp.com>
 2024-03-22 09:18:20 -05:00
John-Michael Faircloth
77efb36ae3
update got dependency and convert to esm module (#533) 
* update require got to import got

* convert remaining to esm

* wip: replace jest with vitest

* fix test imports and vitest config

* remove dist package.json

* fix import in ent test

* add dist

* move actions/core to prod dependency

* remove unused import that was breaking esm compilation

* simplify imports

* use module.createRequire to import jsonata

* add doc link comment

* add comments on import insanity

* add more comments

* update PR tempalte

* bump got and remove jest deps

* revert debug npm run command

* fix fs import

* simplify vitest config for each test suite
 2024-03-19 10:42:34 -05:00
John-Michael Faircloth
a727ce205a
approle: do not require secret_id (#522) 
* approle: support bind_secret_id

* add changelog
 2024-02-28 11:15:56 -06:00
John-Michael Faircloth
d1720f055e
fix changelog link (#530) 2024-02-15 11:55:33 -06:00
John-Michael Faircloth
92626383ce
Prepare for v3.0.0 release (#529) 2024-02-15 11:53:53 -06:00
John-Michael Faircloth
9c2d817b85
Fix changelog link (#528) 2024-02-15 11:42:04 -06:00
John-Michael Faircloth
b477844b5f
Prepare for v2.8.1 release (#527) 2024-02-15 11:38:07 -06:00
John-Michael Faircloth
9f522b8598
Update to v2.8.0 (#519) 2024-02-01 08:48:51 -06:00
John-Michael Faircloth
efab57ede0
feature: add ignoreNotFound option (#518) 
* add ignoreNotFound option

* update README
 2024-02-01 08:42:56 -06:00
dependabot[bot]
d523bb05b2
chore(deps-dev): bump @vercel/ncc from 0.36.1 to 0.38.1 (#503) 
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.36.1 to 0.38.1.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.36.1...0.38.1)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-01-31 15:52:19 -06:00
dependabot[bot]
11845b19f6
chore(deps-dev): bump jest from 29.5.0 to 29.7.0 (#490) 
Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) from 29.5.0 to 29.7.0.
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v29.7.0/packages/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-01-31 15:33:32 -06:00
dependabot[bot]
7a6258bb0b
chore(deps-dev): bump jest-when from 3.5.2 to 3.6.0 (#484) 
Bumps [jest-when](https://github.com/timkindberg/jest-when) from 3.5.2 to 3.6.0.
- [Release notes](https://github.com/timkindberg/jest-when/releases)
- [Commits](https://github.com/timkindberg/jest-when/compare/v3.5.2...v3.6.0)

---
updated-dependencies:
- dependency-name: jest-when
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-01-31 15:28:35 -06:00
dependabot[bot]
a0b66b1cc3
chore(deps-dev): bump @actions/core from 1.10.0 to 1.10.1 (#489) 
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.10.0 to 1.10.1.
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-01-31 15:26:53 -06:00
dependabot[bot]
c616aba63e
chore(deps): bump jsrsasign from 10.8.6 to 11.0.0 (#513) 
Bumps [jsrsasign](https://github.com/kjur/jsrsasign) from 10.8.6 to 11.0.0.
- [Release notes](https://github.com/kjur/jsrsasign/releases)
- [Changelog](https://github.com/kjur/jsrsasign/blob/master/ChangeLog.txt)
- [Commits](https://github.com/kjur/jsrsasign/compare/10.8.6...11.0.0)

---
updated-dependencies:
- dependency-name: jsrsasign
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-01-31 15:26:26 -06:00
John-Michael Faircloth
e3d5714d59
Update to v2.7.5 (#517) 2024-01-30 16:42:42 -06:00
Max Winslow
00bce0da9c
Add path parameter example (#511) 
* x

* Update README.md

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>

---------

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
 2024-01-03 14:11:01 -06:00
Jean-François Roche
6853090cd9
Use nodejs 20 (#509) 
Node 16 has reached its end of life

More details here: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/
 2023-12-22 09:34:55 -05:00
John-Michael Faircloth
45dc5344f1
Update README.md (#510) 2023-12-21 11:14:42 -06:00
Calvin Leung Huang
2fb925f14c
action: update marketplace name (#500) 2023-11-03 10:17:35 -07:00
Nicholas Farley
caba6efd0e
Bump got from 11.8.5 to 11.8.6 (#492) 
* Bump got from 11.8.5 to 11.8.6
* Revert changes to dist/index.js
 2023-11-01 10:27:02 -04:00
John-Michael Faircloth
affa6f04da
Update to v2.7.4 (#499) 2023-10-26 09:47:04 -05:00
John-Michael Faircloth
4727f0b168
chore: update readme reference for readability (#497) 2023-10-23 13:46:51 -05:00
Calvin Leung Huang
86c7f837eb
Revert "Update action.yml (#495)" (#496) 
This reverts commit 375956aa33.
 2023-09-26 14:35:18 -07:00
Calvin Leung Huang
375956aa33
Update action.yml (#495) 
Updates the Vault Secrets name to Vault in the GH Marketplace
 2023-09-26 14:15:43 -07:00
Calvin Leung Huang
1328cd9fa9
Revert "Update Vault Action name in package.json (#493)" (#494) 
This reverts commit d4437ee96c.
 2023-09-26 14:14:07 -07:00
Calvin Leung Huang
d4437ee96c
Update Vault Action name in package.json (#493) 2023-09-26 14:12:24 -07:00
Mike F
a5f6c67fe1
Update README.md (#491) 2023-09-15 16:09:04 -04:00
keattang
d9197ec2d2
Implemented wildcard selector (based on #238) (#488) 
* Initial check-in of wildcard to get all secrets in path (Issue#234)
* Fix wildcard for K/V v2 and Cubbyhole.  Add more tests
* Refactored out selectAndAppendResults
* Use selectAndAppendResults for wildcard
* Use normalizeOutputKey in action.js
* Refactored wildcard

---------

Co-authored-by: Scott Lemme <68233981+slemme1@users.noreply.github.com>
Co-authored-by: Lemme <slemme@massmutual.com>
 2023-09-15 08:56:07 -04:00
26 changed files with 3772 additions and 1983 deletions
Show stats Expand all files Collapse all files

22
.github/ISSUE_TEMPLATE/bug_report.md vendored
View file

@ -3,21 +3,29 @@ name: Bug report
about: Create a report to help us improve
title: "[BUG] "
labels: bug
assignees: RichiCoder1
---
**Describe the bug**
## Vault server version
v0.0.0
## vault-action version
v0.0.0
## Describe the bug
A clear and concise description of what the bug is.
**To Reproduce**
## To Reproduce
The yaml of the `vault-action` step, with any sensitive information masked or removed.
**Expected behavior**
## Expected behavior
A clear and concise description of what you expected to happen.
**Log Output**
For the most verbose logs, [add a secret called `ACTIONS_STEP_DEBUG` with the value `true`](https://github.com/actions/toolkit/blob/main/docs/action-debugging.md). Then, re-run the workflow if possible and post the *raw logs* for the step here with any sensitive information masked or removed.
## Log Output
For the most verbose logs, add a secret called
[`ACTIONS_STEP_DEBUG`](https://github.com/actions/toolkit/blob/main/docs/action-debugging.md)
with the value `true`. Then, re-run the workflow if possible and post the *raw
logs* for the step here with any sensitive information masked or removed.
**Additional context**
## Additional context
Add any other context about the problem here.

9
.github/ISSUE_TEMPLATE/feature_request.md vendored
View file

@ -3,18 +3,17 @@ name: Feature request
about: Suggest an idea for this project
title: "[FEAT] "
labels: enhancement
assignees: RichiCoder1
---
**Is your feature request related to a problem? Please describe.**
## Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
## Describe the solution you'd like
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
## Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
## Additional context
Add any other context or screenshots about the feature request here.

32
.github/PULL_REQUEST_TEMPLATE.md vendored Normal file
View file

@ -0,0 +1,32 @@
### Description
<!--- Description of the change. For example: This PR updates ABC resource so that we can XYZ --->
<!--- If your PR fully resolves and should automatically close the linked issue, use Closes. Otherwise, use Relates --->
Relates OR Closes #0000
### Checklist
- [ ] Added [CHANGELOG](https://github.com/hashicorp/vault-action/blob/master/CHANGELOG.md) entry (only for user-facing changes)
### Community Note
* Please vote on this pull request by adding a 👍
[reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/)
to the original pull request comment to help the community and maintainers
prioritize this request
* Please do not leave "+1" comments, they generate extra noise for pull request
followers and do not help prioritize the request
## PCI review checklist
<!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
- [ ] I have documented a clear reason for, and description of, the change I am making.
- [ ] If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
- [ ] If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

13
.github/dependabot.yml vendored
View file

@ -1,11 +1,14 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
# https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
version: 2
updates:
- package-ecosystem: "npm" # See documentation for possible values
- package-ecosystem: "npm"
directory: "/" # Location of package manifests
open-pull-requests-limit: 0 # only require security updates and exclude version updates
schedule:
interval: "daily"
interval: "weekly"
# For got, ignore all updates since it is now native ESM
# see https://github.com/hashicorp/vault-action/pull/457#issuecomment-1601445634
ignore:
- dependency-name: "got"

2
.github/workflows/actionlint.yaml vendored
View file

@ -8,7 +8,7 @@ jobs:
actionlint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: "Lint workflow files"
uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint:latest
with:

437
.github/workflows/build.yml vendored
View file

@ -6,283 +6,282 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
with:
node-version: '16.14.0'
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: NPM Run Test
run: npm run test
- name: NPM Run Test
run: npm run test
integrationOSS:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Run docker-compose
run: docker-compose up -d vault
- name: Run docker compose
run: docker compose up -d vault
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
with:
node-version: '16.14.0'
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: NPM Run test;integration:basic
run: npm run test:integration:basic
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true
- name: NPM Run test;integration:basic
run: npm run test:integration:basic
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true
integrationEnterprise:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Run docker-compose
run: docker-compose up -d vault-enterprise
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
- name: Run docker compose
run: docker compose up -d vault-enterprise
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
with:
node-version: '16.14.0'
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: NPM Run test:integration:enterprise
run: npm run test:integration:enterprise
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true
- name: NPM Run test:integration:enterprise
run: npm run test:integration:enterprise
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true
e2e:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Run docker-compose
run: docker-compose up -d vault
- name: Run docker compose
run: docker compose up -d vault
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
with:
node-version: '16.14.0'
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: Setup Vault
run: node ./integrationTests/e2e/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
- name: Setup Vault
run: node ./integrationTests/e2e/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets
with:
url: http://localhost:8200
token: testtoken
secrets: |
secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/nested/test otherSecret ;
- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets
with:
url: http://localhost:8200
token: testtoken
secrets: |
secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/nested/test otherSecret ;
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
my-secret/test altSecret ;
my-secret/test altSecret | NAMED_ALTSECRET ;
my-secret/nested/test otherAltSecret ;
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
my-secret/test altSecret ;
my-secret/test altSecret | NAMED_ALTSECRET ;
my-secret/nested/test otherAltSecret ;
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
# The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
# They should come before the Verify Vault Action Outputs step
- name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
uses: ./
with:
url: http://localhost:8200/
token: testtoken
secrets: |
secret/data/test secret | SUBSEQUENT_TEST_SECRET;
# The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
# They should come before the Verify Vault Action Outputs step
- name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
uses: ./
with:
url: http://localhost:8200/
token: testtoken
secrets: |
secret/data/test secret | SUBSEQUENT_TEST_SECRET;
- name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
uses: ./
with:
url: http://localhost:8200/
token: testtoken
secrets: |
secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;
- name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
uses: ./
with:
url: http://localhost:8200/
token: testtoken
secrets: |
secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;
- name: Test JSON Secrets
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
secret/data/test-json-data jsonData;
secret/data/test-json-string jsonString;
secret/data/test-json-string-multiline jsonStringMultiline;
- name: Verify Vault Action Outputs
run: npm run test:integration:e2e
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
- name: Test JSON Secrets
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
secret/data/test-json-data jsonData;
secret/data/test-json-string jsonString;
secret/data/test-json-string-multiline jsonStringMultiline;
- name: Verify Vault Action Outputs
run: npm run test:integration:e2e
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
e2e-tls:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Run docker-compose
run: docker-compose up -d vault-tls
- name: Run docker compose
run: docker compose up -d vault-tls
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
with:
node-version: '16.14.0'
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: Setup Vault
run: node ./integrationTests/e2e-tls/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
VAULTCA: ${{ secrets.VAULTCA }}
VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
- name: Setup Vault
run: node ./integrationTests/e2e-tls/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
VAULTCA: ${{ secrets.VAULTCA }}
VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets-tls
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/nested/test otherSecret ;
- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets-tls
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/nested/test otherSecret ;
- name: Test Vault Action (tlsSkipVerify)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
tlsSkipVerify: true
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
secret/data/tlsSkipVerify skip ;
- name: Test Vault Action (tlsSkipVerify)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
tlsSkipVerify: true
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
secret/data/tlsSkipVerify skip ;
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
my-secret/test altSecret ;
my-secret/test altSecret | NAMED_ALTSECRET ;
my-secret/nested/test otherAltSecret ;
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
my-secret/test altSecret ;
my-secret/test altSecret | NAMED_ALTSECRET ;
my-secret/nested/test otherAltSecret ;
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
- name: Verify Vault Action Outputs
run: npm run test:integration:e2e-tls
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}
- name: Verify Vault Action Outputs
run: npm run test:integration:e2e-tls
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}

36
.github/workflows/local-test.yaml vendored
View file

@ -18,11 +18,11 @@ jobs:
name: local-test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: '16.14.0'
node-version: '20.9.0'
- name: NPM Install
run: npm ci
@ -48,14 +48,26 @@ jobs:
token: testtoken
secrets: |
secret/data/test-json-string jsonString;
secret/data/test-json-data jsonData;
- name: Check Secrets
run: |
touch secrets.json
echo "${{ steps.import-secrets.outputs.jsonString }}" >> secrets.json
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: "foobar"
script: |
const { JSONSTRING, JSONDATA } = process.env
- name: Check json file format
run: |
echo
cat secrets.json
jq -c . < secrets.json
console.log(`string ${JSONSTRING}`)
console.log(`data ${JSONDATA}`)
const str = JSONDATA
let valid = true
try {
JSON.parse(str)
} catch (e) {
valid = false
}
if (valid) {
console.log("valid json")
} else {
console.log("not valid json")
}

75
CHANGELOG.md
View file

@ -1,6 +1,79 @@
## Unreleased
* Add changes here
## 3.4.0 (June 13, 2025)
Bugs:
* replace all dot chars during normalization (https://github.com/hashicorp/vault-action/pull/580)
Improvements:
* Prevent possible DoS via polynomial regex (https://github.com/hashicorp/vault-action/pull/583)
## 3.3.0 (March 3, 2025)
Features:
* Wildcard secret imports can use `**` to retain case of exported env keys [GH-545](https://github.com/hashicorp/vault-action/pull/545)
## 3.2.0 (March 3, 2025)
Improvements:
* Add retry for jwt auth login to fix intermittent login failures [GH-574](https://github.com/hashicorp/vault-action/pull/574)
## 3.1.0 (January 9, 2025)
Improvements:
* fix wildcard handling when field contains dot [GH-542](https://github.com/hashicorp/vault-action/pull/542)
* bump body-parser from 1.20.0 to 1.20.3
* bump braces from 3.0.2 to 3.0.3
* bump cross-spawn from 7.0.3 to 7.0.6
* bump micromatch from 4.0.5 to 4.0.8
Features:
* `secretId` is no longer required for approle to support advanced use cases like machine login when `bind_secret_id` is false. [GH-522](https://github.com/hashicorp/vault-action/pull/522)
* Use `pki` configuration to generate certificates from Vault [GH-564](https://github.com/hashicorp/vault-action/pull/564)
## 3.0.0 (February 15, 2024)
Improvements:
* Bump node runtime from node16 to node20 [GH-529](https://github.com/hashicorp/vault-action/pull/529)
## 2.8.1 (February 15, 2024)
Bugs:
* Revert [GH-509](https://github.com/hashicorp/vault-action/pull/509) which made a backwards incompatible bump of the node runtime from node16 to node20 [GH-527](https://github.com/hashicorp/vault-action/pull/527)
## 2.8.0 (February 1, 2024)
Features:
* Add `ignoreNotFound` input (default: false) to prevent the action from failing when a secret does not exist [GH-518](https://github.com/hashicorp/vault-action/pull/518)
Improvements:
* bump jsrsasign from 10.8.6 to 11.0.0 [GH-513](https://github.com/hashicorp/vault-action/pull/513)
* bump @actions/core from 1.10.0 to 1.10.1 [GH-489](https://github.com/hashicorp/vault-action/pull/489)
* bump jest-when from 3.5.2 to 3.6.0 [GH-484](https://github.com/hashicorp/vault-action/pull/484)
* bump jest from 29.5.0 to 29.7.0 [GH-490](https://github.com/hashicorp/vault-action/pull/490)
* bump @vercel/ncc from 0.36.1 to 0.38.1 [GH-503](https://github.com/hashicorp/vault-action/pull/503)
## 2.7.5 (January 30, 2024)
Improvements:
* Bump node runtime from node16 to node20 [GH-509](https://github.com/hashicorp/vault-action/pull/509)
* Bump got from 11.8.5 to 11.8.6 [GH-492](https://github.com/hashicorp/vault-action/pull/492)
## 2.7.4 (October 26, 2023)
Features:
* Add ability to specify a wildcard for the key name to get all keys in the path [GH-488](https://github.com/hashicorp/vault-action/pull/488)
## 2.7.3 (July 13, 2023)

1
CODEOWNERS Normal file
View file

@ -0,0 +1 @@
* @hashicorp/vault-ecosystem

2
Makefile
View file

@ -1,3 +1,3 @@
.PHONY: local-test
local-test:
docker compose down; docker-compose up -d vault && act workflow_dispatch -j local-test
docker compose down; docker compose up -d vault && act workflow_dispatch -j local-test -W .github/workflows/local-test.yaml

459
README.md
View file

@ -8,6 +8,9 @@
A helper action for easily pulling secrets from HashiCorp Vault™.
Note: The Vault Github Action is a read-only action, and in general
is not meant to modify Vaults state.
<!-- TOC -->
- [Vault GitHub Action](#vault-github-action)
@ -22,10 +25,12 @@ A helper action for easily pulling secrets from HashiCorp Vault™.
- [Userpass](#userpass)
- [Ldap](#ldap)
- [Other Auth Methods](#other-auth-methods)
- [Custom Path](#custom-path-name)
- [Key Syntax](#key-syntax)
- [Simple Key](#simple-key)
- [Set Output Variable Name](#set-output-variable-name)
- [Multiple Secrets](#multiple-secrets)
- [KV secrets engine version 2](#kv-secrets-engine-version-2)
- [Other Secret Engines](#other-secret-engines)
- [Adding Extra Headers](#adding-extra-headers)
- [HashiCorp Cloud Platform or Vault Enterprise](#hashicorp-cloud-platform-or-vault-enterprise)
@ -41,46 +46,51 @@ A helper action for easily pulling secrets from HashiCorp Vault™.
```yaml
jobs:
build:
# ...
steps:
# ...
- name: Import Secrets
id: import-secrets
uses: hashicorp/vault-action@v2
with:
url: https://vault.mycompany.com:8200
token: ${{ secrets.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULT_CA_CERT }}
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
secret/data/ci npm_token
# ...
build:
# ...
steps:
# ...
- name: Import Secrets
id: import-secrets
uses: hashicorp/vault-action@v2
with:
url: https://vault.mycompany.com:8200
token: ${{ secrets.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULT_CA_CERT }}
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
secret/data/ci npm_token
# ...
```
Retrieved secrets are available as environment variables or outputs for subsequent steps:
```yaml
#...
- name: Step following 'Import Secrets'
run: |
ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
# ...
- name: Step following 'Import Secrets'
run: |
ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
# ...
```
If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format.
If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format.
For example, a common pattern is to save all the secrets in a JSON file:
```yaml
#...
- name: Step following 'Import Secrets'
run: |
touch secrets.json
echo "${{ toJson(steps.import-secrets.outputs) }}" >> secrets.json
# ...
- name: Step following 'Import Secrets'
run: |
touch secrets.json
echo '${{ toJson(steps.import-secrets.outputs) }}' >> secrets.json
# ...
```
Which with our example would yield a file containing:
```json
{
"ACCESS_KEY_ID": "MY_KEY_ID",
@ -91,7 +101,6 @@ Which with our example would yield a file containing:
Note that all secrets are masked so programs need to read the file themselves otherwise all values will be replaced with a `***` placeholder.
## Authentication Methods
Consider using a [Vault authentication method](https://www.vaultproject.io/docs/auth) such as the JWT auth method with
@ -105,7 +114,7 @@ and Vault using the
Each GitHub Actions workflow receives an auto-generated OIDC token with claims
to establish the identity of the workflow.
__Vault Configuration__
**Vault Configuration**
<details>
<summary>Click to toggle instructions for configuring Vault.</summary>
@ -116,7 +125,6 @@ Pass the following parameters to your auth method configuration:
- `oidc_discovery_url`: `https://token.actions.githubusercontent.com`
- `bound_issuer`: `https://token.actions.githubusercontent.com`
Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) for the auth method.
- `role_type`: `jwt`
@ -132,12 +140,12 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
- For wildcard (non-exact) matches, use `bound_claims`.
- `bound_claims_type`: `glob`
- `bound_claims_type`: `glob`
- `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
```json
{"sub": "repo:<orgName>/*"}
```
- `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
```json
{ "sub": "repo:<orgName>/*" }
```
- For exact matches, use `bound_subject`.
@ -150,17 +158,17 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
</details>
__GitHub Actions Workflow__
**GitHub Actions Workflow**
In the GitHub Actions workflow, the workflow needs permissions to read contents
and write the ID token.
```yaml
jobs:
retrieve-secret:
permissions:
contents: read
id-token: write
retrieve-secret:
permissions:
contents: read
id-token: write
```
In the action, provide the name of the Vault role you created to the `role` parameter.
@ -297,11 +305,25 @@ with:
If any other method is specified and you provide an `authPayload`, the action will
attempt to `POST` to `auth/${method}/login` with the provided payload and parse out the client token.
### Custom Path Name
Auth methods at custom path names can be configured using the [`path`](#path) parameter
```yaml
with:
url: https://vault.mycompany.com:8200
caCertificate: ${{ secrets.VAULT_CA_CERT }}
path: my-custom-path
method: userpass
username: ${{ secrets.VAULT_USERNAME }}
password: ${{ secrets.VAULT_PASSWORD }}
```
## Key Syntax
The `secrets` parameter is a set of multiple secret requests separated by the `;` character.
Each secret request consists of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name.
Each secret request consists of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name.
Note that the selector is using [JSONata](https://docs.jsonata.org/overview.html) and certain characters in keys may need to be escaped.
```raw
@ -314,7 +336,7 @@ To retrieve a key `npmToken` from path `secret/data/ci` that has value `somelong
```yaml
with:
secrets: secret/data/ci npmToken
secrets: secret/data/ci npmToken
```
`vault-action` will automatically normalize the given secret selector key, and set the follow as environment variables for the following steps in the current job:
@ -327,12 +349,12 @@ You can also access the secret via outputs:
```yaml
steps:
# ...
- name: Import Secrets
id: secrets
# Import config...
- name: Sensitive Operation
run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
# ...
- name: Import Secrets
id: secrets
# Import config...
- name: Sensitive Operation
run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
```
_**Note:** If you'd like to only use outputs and disable automatic environment variables, you can set the `exportEnv` option to `false`._
@ -343,7 +365,7 @@ However, if you want to set it to a specific name, say `NPM_TOKEN`, you could do
```yaml
with:
secrets: secret/data/ci npmToken | NPM_TOKEN
secrets: secret/data/ci npmToken | NPM_TOKEN
```
With that, `vault-action` will now use your requested name and output:
@ -360,7 +382,6 @@ steps:
# Import config...
- name: Sensitive Operation
run: "my-cli --token '${{ steps.secrets.outputs.NPM_TOKEN }}'"
```
### Multiple Secrets
@ -369,25 +390,81 @@ This action can take multi-line input, so say you had your AWS keys stored in a
```yaml
with:
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
```
You can specify a wildcard \* for the key name to get all keys in the path. If you provide an output name with the wildcard, the name will be prepended to the key name:
```yaml
with:
secrets: |
secret/data/ci/aws * | MYAPP_ ;
```
When using the `exportEnv` option all exported keys will be normalized to uppercase. For example, the key `SecretKey` would be exported as `MYAPP_SECRETKEY`.
You can disable uppercase normalization by specifying double asterisks `**` in the selector path:
```yaml
with:
secrets: |
secret/data/ci/aws ** | MYAPP_ ;
```
### KV secrets engine version 2
When accessing secrets from the KV secrets engine version 2, Vault Action
requires the full path to the secret. This is the same path that would be used
in a Vault policy for the secret. You can find the full path to your secret by
performing a `kv get` command like the following:
```bash
$ vault kv get secret/test
== Secret Path ==
secret/data/test
...
```
Note that the full path is not `secret/test`, but `secret/data/test`.
## PKI Certificate Requests
You can use the `pki` option to generate a certificate and private key for a given role.
````yaml
with:
pki: |
pki/issue/rolename {"common_name": "role.mydomain.com", "ttl": "1h"} ;
pki/issue/otherrole {"common_name": "otherrole.mydomain.com", "ttl": "1h"} ;
```
Resulting in:
```bash
ROLENAME_CA=-----BEGIN CERTIFICATE-----...
ROLENAME_CERT=-----BEGIN CERTIFICATE-----...
ROLENAME_KEY=-----BEGIN RSA PRIVATE KEY-----...
ROLENAME_CA_CHAIN=-----BEGIN CERTIFICATE-----...
OTHERROLE_CA=-----BEGIN CERTIFICATE-----...
OTHERROLE_CERT=-----BEGIN CERTIFICATE-----...
OTHERROLE_KEY=-----BEGIN RSA PRIVATE KEY-----...
OTHERROLE_CA_CHAIN=-----BEGIN CERTIFICATE-----...
````
## Other Secret Engines
Vault Action currently supports retrieving secrets from any engine where secrets
are retrieved via `GET` requests. This means secret engines such as PKI are currently
not supported due to their requirement of sending parameters along with the request
(such as `common_name`).
are retrieved via `GET` requests, except for the PKI engine as noted above.
For example, to request a secret from the `cubbyhole` secret engine:
```yaml
with:
secrets: |
/cubbyhole/foo foo ;
/cubbyhole/foo zip | MY_KEY ;
secrets: |
/cubbyhole/foo foo ;
/cubbyhole/foo zip | MY_KEY ;
```
Resulting in:
@ -415,12 +492,12 @@ If you ever need to add extra headers to the vault request, say if you need to a
```yaml
with:
secrets: |
secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
extraHeaders: |
X-Secure-Id: ${{ secrets.SECURE_ID }}
X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
extraHeaders: |
X-Secure-Id: ${{ secrets.SECURE_ID }}
X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
```
This will automatically add the `x-secure-id` and `x-secure-secret` headers to every request to Vault.
@ -438,53 +515,216 @@ parameter specifying the namespace. In HCP Vault, the namespace defaults to `adm
```yaml
steps:
# ...
- name: Import Secrets
uses: hashicorp/vault-action
with:
url: https://vault-enterprise.mycompany.com:8200
caCertificate: ${{ secrets.VAULT_CA_CERT }}
method: token
token: ${{ secrets.VAULT_TOKEN }}
namespace: admin
secrets: |
secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
secret/ci npm_token
# ...
- name: Import Secrets
uses: hashicorp/vault-action
with:
url: https://vault-enterprise.mycompany.com:8200
method: token
token: ${{ secrets.VAULT_TOKEN }}
namespace: admin
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
secret/data/ci npm_token
```
Alternatively, you may need to authenticate to the root namespace and retrieve
a secret from a different namespace. To do this, do not set the `namespace`
parameter. Instead set the namespace in the secret path. For example, `<NAMESPACE>/secret/data/app`:
```yaml
steps:
# ...
- name: Import Secrets
uses: hashicorp/vault-action
with:
url: https://vault-enterprise.mycompany.com:8200
method: token
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
namespace-1/secret/data/ci npm_token
```
## Reference
Here are all the inputs available through `with`:
| Input | Description | Default | Required |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- |
| `url` | The URL for the vault endpoint | | ✔ |
| `secrets` | A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details | | |
| `namespace` | The Vault namespace from which to query secrets. Vault Enterprise only, unset by default | | |
| `method` | The method to use to authenticate with Vault. | `token` | |
| `role` | Vault role for specified auth method | | |
| `path` | Custom vault path, if the auth method was enabled at a different path | | |
| `token` | The Vault Token to be used to authenticate with Vault | | |
| `roleId` | The Role Id for App Role authentication | | |
| `secretId` | The Secret Id for App Role authentication | | |
| `githubToken` | The Github Token to be used to authenticate with Vault | | |
| `jwtPrivateKey` | Base64 encoded Private key to sign JWT | | |
| `jwtKeyPassword` | Password for key stored in jwtPrivateKey (if needed) | | |
| `jwtGithubAudience` | Identifies the recipient ("aud" claim) that the JWT is intended for |`sigstore`| |
| `jwtTtl` | Time in seconds, after which token expires | | 3600 |
| `kubernetesTokenPath` | The path to the service-account secret with the jwt token for kubernetes based authentication |`/var/run/secrets/kubernetes.io/serviceaccount/token` | |
| `username` | The username of the user to log in to Vault as. Available to both Userpass and LDAP auth methods | | |
| `password` | The password of the user to log in to Vault as. Available to both Userpass and LDAP auth methods | | |
| `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | |
| `extraHeaders` | A string of newline separated extra headers to include on every request. | | |
| `exportEnv` | Whether or not export secrets as environment variables. | `true` | |
| `exportToken` | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN). | `false` | |
| `outputToken` | Whether or not to set the `vault_token` output to contain the Vault token after authentication. | `false` | |
| `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | |
| `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | |
| `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
| `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | |
### `url`
**Type: `string`**\
**Required**
The URL for the Vault endpoint.
### `secrets`
**Type: `string`**
A semicolon-separated list of secrets to retrieve. These will automatically be
converted to environmental variable keys. See [Key Syntax](#key-syntax) for
more details.
### `namespace`
**Type: `string`**
The Vault namespace from which to query secrets. Vault Enterprise only, unset by default.
### `method`
**Type: `string`**\
**Default: `token`**
The method to use to authenticate with Vault.
### `role`
**Type: `string`**
Vault role for the specified auth method.
### `path`
**Type: `string`**
The Vault path for the auth method.
### `token`
**Type: `string`**
The Vault token to be used to authenticate with Vault.
### `roleId`
**Type: `string`**
The role ID for App Role authentication.
### `secretId`
**Type: `string`**
The secret ID for App Role authentication.
### `githubToken`
**Type: `string`**
The Github Token to be used to authenticate with Vault.
### `jwtPrivateKey`
**Type: `string`**
Base64 encoded private key to sign the JWT.
### `jwtKeyPassword`
**Type: `string`**
Password for key stored in `jwtPrivateKey` (if needed).
### `jwtGithubAudience`
**Type: `string`**\
**Default: `sigstore`**
Identifies the recipient ("aud" claim) that the JWT is intended for.
### `jwtTtl`
**Type: `string`**\
**Default: `3600`**
Time in seconds, after which token expires.
### `kubernetesTokenPath`
**Type: `string`**\
**Default: `/var/run/secrets/kubernetes.io/serviceaccount/token`**
The path to the service-account secret with the jwt token for kubernetes based authentication.
### `username`
**Type: `string`**
The username of the user to log in to Vault as. Available to both Userpass and LDAP auth methods.
### `password`
**Type: `string`**
The password of the user to log in to Vault as. Available to both Userpass and LDAP auth methods.
### `authPayload`
**Type: `string`**
The JSON payload to be sent to Vault when using a custom authentication method.
### `extraHeaders`
**Type: `string`**
A string of newline separated extra headers to include on every request.
### `exportEnv`
**Type: `string`**\
**Default: `true`**
Whether or not to export secrets as environment variables.
### `exportToken`
**Type: `string`**\
**Default: `false`**
Whether or not export Vault token as environment variables (i.e VAULT_TOKEN).
### `outputToken`
**Type: `string`**\
**Default: `false`**
Whether or not to set the `vault_token` output to contain the Vault token after authentication.
### `caCertificate`
**Type: `string`**
Base64 encoded CA certificate the server certificate was signed with. Defaults to CAs provided by Mozilla.
### `clientCertificate`
**Type: `string`**
Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled.
### `clientKey`
**Type: `string`**
Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled.
### `tlsSkipVerify`
**Type: `string`**\
**Default: `false`**
When set to true, disables verification of server certificates when testing the action.
### `ignoreNotFound`
**Type: `string`**\
**Default: `false`**
When set to true, prevents the action from failing when a secret does not exist.
## Masking - Hiding Secrets from Logs
@ -498,9 +738,10 @@ To make it simpler to consume certain secrets as env vars, if no Env/Output Var
## Contributing
If you wish to contribute to this project, the following dependencies are recommended for local development:
- [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) to install dependencies, build project and run tests
- [docker](https://docs.docker.com/get-docker/) to run the pre-configured vault containers for acceptance tests
- [docker-compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
- [docker compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
- [act](https://github.com/nektos/act) to run the vault-action locally
### Build
@ -513,11 +754,11 @@ $ npm install && npm run build
### Vault test instance
The Github Action needs access to a working Vault instance to function.
The Github Action needs access to a working Vault instance to function.
Multiple docker configurations are available via the docker-compose.yml file to run containers compatible with the various acceptance test suites.
```sh
$ docker-compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
$ docker compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
```
Instead of using one of the dockerized instance, you can also use your own local or remote Vault instance by exporting these environment variables:

21
action.yml
View file

@ -1,4 +1,4 @@
name: 'Vault Secrets'
name: 'HashiCorp Vault'
description: 'A Github Action that allows you to consume HashiCorp Vault™ secrets as secure environment variables'
inputs:
url:
@ -7,6 +7,9 @@ inputs:
secrets:
description: 'A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details'
required: false
pki:
description: 'A semicolon-separated list of certificates to generate. These will automatically be converted to environment variable keys. Cannot be used with "secrets". See README for more details'
required: false
namespace:
description: 'The Vault namespace from which to query secrets. Vault Enterprise only, unset by default'
required: false
@ -18,16 +21,16 @@ inputs:
description: 'Vault role for specified auth method'
required: false
path:
description: 'Custom Vault path, if the auth method was mounted at a different path'
description: 'The Vault path for the auth method.'
required: false
token:
description: 'The Vault Token to be used to authenticate with Vault'
description: 'The Vault token to be used to authenticate with Vault'
required: false
roleId:
description: 'The Role Id for App Role authentication'
description: 'The role ID for App Role authentication'
required: false
secretId:
description: 'The Secret Id for App Role authentication'
description: 'The secret ID for App Role authentication'
required: false
githubToken:
description: 'The Github Token to be used to authenticate with Vault'
@ -61,7 +64,7 @@ inputs:
default: 'false'
required: false
caCertificate:
description: 'Base64 encoded CA certificate to verify the Vault server certificate.'
description: 'Base64 encoded CA certificate the server certificate was signed with. Defaults to CAs provided by Mozilla.'
required: false
clientCertificate:
description: 'Base64 encoded client certificate for mTLS communication with the Vault server.'
@ -89,8 +92,12 @@ inputs:
secretEncodingType:
description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
required: false
ignoreNotFound:
description: 'Whether or not the action should exit successfully if some requested secrets were not found.'
required: false
default: 'false'
runs:
using: 'node16'
using: 'node20'
main: 'dist/index.js'
branding:
icon: 'unlock'

409
dist/index.js vendored
View file

File diff suppressed because one or more lines are too long

227
integrationTests/basic/integration.test.js
View file

@ -31,6 +31,22 @@ describe('integration', () => {
},
});
await got(`${vaultUrl}/v1/secret/data/test-with-dot-char`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
body: `{"data":{"secret.foo":"SUPERSECRET"}}`
});
await got(`${vaultUrl}/v1/secret/data/test-with-multi-dot-chars`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
body: `{"data":{"secret.foo.bar":"SUPERSECRET"}}`
});
await got(`${vaultUrl}/v1/secret/data/nested/test`, {
method: 'POST',
headers: {
@ -104,6 +120,69 @@ describe('integration', () => {
"other-Secret-dash": 'OTHERCUSTOMSECRET',
},
});
// Enable pki engine
try {
await got(`${vaultUrl}/v1/sys/mounts/pki`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
type: 'pki'
}
});
} catch (error) {
const {response} = error;
if (response.statusCode === 400 && response.body.includes("path is already in use")) {
// Engine might already be enabled from previous test runs
} else {
throw error;
}
}
// Configure Root CA
try {
await got(`${vaultUrl}/v1/pki/root/generate/internal`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
common_name: 'test',
ttl: '24h',
},
});
} catch (error) {
const {response} = error;
if (response.statusCode === 400 && response.body.includes("already exists")) {
// Root CA might already be configured from previous test runs
} else {
throw error;
}
}
// Configure PKI Role
try {
await got(`${vaultUrl}/v1/pki/roles/Test`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
allowed_domains: ['test'],
allow_bare_domains: true,
max_ttl: '1h',
},
});
} catch (error) {
const {response} = error;
if (response.statusCode === 400 && response.body.includes("already exists")) {
// Role might already be configured from previous test runs
} else {
throw error;
}
}
});
beforeEach(() => {
@ -124,14 +203,55 @@ describe('integration', () => {
.mockReturnValueOnce(secrets);
}
function mockPkiInput(pki) {
when(core.getInput)
.calledWith('pki', expect.anything())
.mockReturnValueOnce(pki);
}
function mockIgnoreNotFound(shouldIgnore) {
when(core.getInput)
.calledWith('ignoreNotFound', expect.anything())
.mockReturnValueOnce(shouldIgnore);
}
it('prints a nice error message when secret not found', async () => {
mockInput(`secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/notFound kehe | NO_SIR ;`);
expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
await expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
})
it('does not error when secret not found and ignoreNotFound is true', async () => {
mockInput(`secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/notFound kehe | NO_SIR ;`);
mockIgnoreNotFound("true");
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(2);
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
})
it('gets a pki certificate', async () => {
mockPkiInput('pki/issue/Test {"common_name":"test","ttl":"1h"}');
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(4);
expect(core.exportVariable).toBeCalledWith('TEST_KEY', expect.anything());
expect(core.exportVariable).toBeCalledWith('TEST_CERT', expect.anything());
expect(core.exportVariable).toBeCalledWith('TEST_CA', expect.anything());
expect(core.exportVariable).toBeCalledWith('TEST_CA_CHAIN', expect.anything());
});
it('get simple secret', async () => {
mockInput('secret/data/test secret');
@ -171,6 +291,46 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERSUPERSECRET');
});
it('get wildcard secrets with dot char', async () => {
mockInput(`secret/data/test-with-dot-char * ;`);
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('SECRET__FOO', 'SUPERSECRET');
});
it('get secrets with multiple dot chars', async () => {
mockInput(`secret/data/test-with-multi-dot-chars * ;`);
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('SECRET__FOO__BAR', 'SUPERSECRET');
});
it('get wildcard secrets', async () => {
mockInput(`secret/data/test * ;`);
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
});
it('get wildcard secrets with name prefix', async () => {
mockInput(`secret/data/test * | GROUP_ ;`);
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('GROUP_SECRET', 'SUPERSECRET');
});
it('leading slash kvv2', async () => {
mockInput('/secret/data/foobar fookv2');
@ -195,6 +355,34 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERCUSTOMSECRET');
});
it('get K/V v1 wildcard secrets', async () => {
mockInput(`secret-kv1/test * ;`);
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET');
});
it('get K/V v1 wildcard secrets with name prefix', async () => {
mockInput(`secret-kv1/test * | GROUP_ ;`);
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(1);
expect(core.exportVariable).toBeCalledWith('GROUP_SECRET', 'CUSTOMSECRET');
});
it('get wildcard nested secret from K/V v1', async () => {
mockInput('secret-kv1/nested/test *');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERCUSTOMSECRET');
});
it('leading slash kvv1', async () => {
mockInput('/secret-kv1/foobar fookv1');
@ -225,6 +413,43 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
});
it('wildcard supports cubbyhole with uppercase transform', async () => {
mockInput('/cubbyhole/test *');
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(2);
expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
});
it('wildcard supports cubbyhole with no change in case', async () => {
mockInput('/cubbyhole/test **');
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(2);
expect(core.exportVariable).toBeCalledWith('foo', 'bar');
expect(core.exportVariable).toBeCalledWith('zip', 'zap');
});
it('wildcard supports cubbyhole with mixed case change', async () => {
mockInput(`
/cubbyhole/test * ;
/cubbyhole/test **`);
await exportSecrets();
expect(core.exportVariable).toBeCalledTimes(4);
expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
expect(core.exportVariable).toBeCalledWith('foo', 'bar');
expect(core.exportVariable).toBeCalledWith('zip', 'zap');
});
it('caches responses', async () => {
mockInput(`
/cubbyhole/test foo ;

54
integrationTests/basic/jwt_auth.test.js
View file

@ -97,6 +97,8 @@ describe('jwt auth', () => {
}
});
// write the jwt config, the jwt role will be written on a per-test
// basis since the audience may vary
await got(`${vaultUrl}/v1/auth/jwt/config`, {
method: 'POST',
headers: {
@ -108,22 +110,6 @@ describe('jwt auth', () => {
}
});
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
role_type: 'jwt',
bound_audiences: null,
bound_claims: {
iss: 'vault-action'
},
user_claim: 'iss',
policies: ['reader']
}
});
await got(`${vaultUrl}/v1/secret/data/test`, {
method: 'POST',
headers: {
@ -138,6 +124,24 @@ describe('jwt auth', () => {
});
describe('authenticate with private key', () => {
beforeAll(async () => {
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
role_type: 'jwt',
bound_audiences: null,
bound_claims: {
iss: 'vault-action'
},
user_claim: 'iss',
policies: ['reader']
}
});
});
beforeEach(() => {
jest.resetAllMocks();
@ -170,6 +174,22 @@ describe('jwt auth', () => {
describe('authenticate with Github OIDC', () => {
beforeAll(async () => {
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
role_type: 'jwt',
bound_audiences: 'https://github.com/hashicorp/vault-action',
bound_claims: {
iss: 'vault-action'
},
user_claim: 'iss',
policies: ['reader']
}
});
await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
method: 'POST',
headers: {
@ -177,7 +197,7 @@ describe('jwt auth', () => {
},
json: {
role_type: 'jwt',
bound_audiences: null,
bound_audiences: 'sigstore',
bound_claims: {
iss: 'vault-action',
aud: 'sigstore',

32
integrationTests/enterprise/enterprise.test.js
View file

@ -72,6 +72,22 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('TEST_KEY', 'SUPERSECRET_IN_NAMESPACE');
});
it('get wildcard secrets', async () => {
mockInput('secret/data/test *');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET_IN_NAMESPACE');
});
it('get wildcard secrets with name prefix', async () => {
mockInput('secret/data/test * | GROUP_');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('GROUP_SECRET', 'SUPERSECRET_IN_NAMESPACE');
});
it('get nested secret', async () => {
mockInput('secret/data/nested/test otherSecret');
@ -103,6 +119,22 @@ describe('integration', () => {
expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET_IN_NAMESPACE');
});
it('get wildcard secrets from K/V v1', async () => {
mockInput('my-secret/test *');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('SECRET', 'CUSTOMSECRET_IN_NAMESPACE');
});
it('get wildcard secrets from K/V v1 with name prefix', async () => {
mockInput('my-secret/test * | GROUP_');
await exportSecrets();
expect(core.exportVariable).toBeCalledWith('GROUP_SECRET', 'CUSTOMSECRET_IN_NAMESPACE');
});
it('get nested secret from K/V v1', async () => {
mockInput('my-secret/nested/test otherSecret');

3548
package-lock.json generated
View file

File diff suppressed because it is too large Load diff

12
package.json
View file

@ -34,18 +34,18 @@
},
"homepage": "https://github.com/hashicorp/vault-action#readme",
"dependencies": {
"got": "^11.8.5",
"got": "^11.8.6",
"jsonata": "^2.0.3",
"jsrsasign": "^10.8.6"
"jsrsasign": "^11.1.0"
},
"peerDependencies": {
"@actions/core": ">=1 <2"
},
"devDependencies": {
"@actions/core": "^1.10.0",
"@vercel/ncc": "^0.36.1",
"jest": "^29.5.0",
"jest-when": "^3.5.2",
"@actions/core": "^1.10.1",
"@vercel/ncc": "^0.38.1",
"jest": "^29.7.0",
"jest-when": "^3.6.0",
"mock-http-server": "^1.4.5"
}
}

84
src/action.js
View file

@ -3,7 +3,10 @@ const core = require('@actions/core');
const command = require('@actions/core/lib/command');
const got = require('got').default;
const jsonata = require('jsonata');
const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index');
const { normalizeOutputKey } = require('./utils');
const { WILDCARD, WILDCARD_UPPERCASE } = require('./constants');
const { auth: { retrieveToken }, secrets: { getSecrets }, pki: { getCertificates } } = require('./index');
const AUTH_METHODS = ['approle', 'token', 'github', 'jwt', 'kubernetes', 'ldap', 'userpass'];
const ENCODING_TYPES = ['base64', 'hex', 'utf8'];
@ -19,6 +22,16 @@ async function exportSecrets() {
const secretsInput = core.getInput('secrets', { required: false });
const secretRequests = parseSecretsInput(secretsInput);
const pkiInput = core.getInput('pki', { required: false });
let pkiRequests = [];
if (pkiInput) {
if (secretsInput) {
throw Error('You cannot provide both "secrets" and "pki" inputs.');
}
pkiRequests = parsePkiInput(pkiInput);
}
const secretEncodingType = core.getInput('secretEncodingType', { required: false });
const vaultMethod = (core.getInput('method', { required: false }) || 'token').toLowerCase();
@ -81,12 +94,12 @@ async function exportSecrets() {
core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
}
const requests = secretRequests.map(request => {
const { path, selector } = request;
return request;
});
const results = await getSecrets(requests, client);
let results = [];
if (pkiRequests.length > 0) {
results = await getCertificates(pkiRequests, client);
} else {
results = await getSecrets(secretRequests, client);
}
for (const result of results) {
@ -125,6 +138,43 @@ async function exportSecrets() {
* @property {string} selector
*/
/**
* Parses a pki input string into key paths and the request parameters.
* @param {string} pkiInput
*/
function parsePkiInput(pkiInput) {
if (!pkiInput) {
return []
}
const secrets = pkiInput
.split(';')
.filter(key => !!key)
.map(key => key.trim())
.filter(key => key.length !== 0);
return secrets.map(secret => {
const path = secret.substring(0, secret.indexOf(' '));
const parameters = secret.substring(secret.indexOf(' ') + 1);
core.debug(` Parsing PKI: ${path} with parameters: ${parameters}`);
if (!path || !parameters) {
throw Error(`You must provide a valid path and parameters. Input: "${secret}"`);
}
let outputVarName = path.split('/').pop();
let envVarName = normalizeOutputKey(outputVarName);
return {
path,
envVarName,
outputVarName,
parameters: JSON.parse(parameters),
};
});
}
/**
* Parses a secrets input string into key paths and their resulting environment variable name.
* @param {string} secretsInput
@ -171,7 +221,7 @@ function parseSecretsInput(secretsInput) {
const selectorAst = jsonata(selectorQuoted).ast();
const selector = selectorQuoted.replace(new RegExp('"', 'g'), '');
if ((selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
if (selector !== WILDCARD && selector !== WILDCARD_UPPERCASE && (selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
}
@ -191,20 +241,6 @@ function parseSecretsInput(secretsInput) {
return output;
}
/**
* Replaces any dot chars to __ and removes non-ascii charts
* @param {string} dataKey
* @param {boolean=} isEnvVar
*/
function normalizeOutputKey(dataKey, isEnvVar = false) {
let outputKey = dataKey
.replace('.', '__').replace(new RegExp('-', 'g'), '').replace(/[^\p{L}\p{N}_-]/gu, '');
if (isEnvVar) {
outputKey = outputKey.toUpperCase();
}
return outputKey;
}
/**
* @param {string} inputKey
* @param {any} inputOptions
@ -233,6 +269,6 @@ function parseHeadersInput(inputKey, inputOptions) {
module.exports = {
exportSecrets,
parseSecretsInput,
normalizeOutputKey,
parseHeadersInput
parseHeadersInput,
};

33
src/auth.js
View file

@ -5,6 +5,8 @@ const fs = require('fs');
const { default: got } = require('got');
const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token'
const retries = 5
const retries_delay = 3000
/***
* Authenticate with Vault and retrieve a Vault token that can be used for requests.
* @param {string} method
@ -17,7 +19,7 @@ async function retrieveToken(method, client) {
switch (method) {
case 'approle': {
const vaultRoleId = core.getInput('roleId', { required: true });
const vaultSecretId = core.getInput('secretId', { required: true });
const vaultSecretId = core.getInput('secretId', { required: false });
return await getClientToken(client, method, path, { role_id: vaultRoleId, secret_id: vaultSecretId });
}
case 'github': {
@ -35,7 +37,10 @@ async function retrieveToken(method, client) {
const githubAudience = core.getInput('jwtGithubAudience', { required: false });
if (!privateKey) {
jwt = await core.getIDToken(githubAudience)
jwt = await retryAsyncFunction(retries, retries_delay, core.getIDToken, githubAudience)
.then((result) => {
return result;
});
} else {
jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
}
@ -142,6 +147,30 @@ async function getClientToken(client, method, path, payload) {
}
}
/***
* Generic function for retrying an async function
* @param {number} retries
* @param {number} delay
* @param {Function} func
* @param {any[]} args
*/
async function retryAsyncFunction(retries, delay, func, ...args) {
let attempt = 0;
while (attempt < retries) {
try {
const result = await func(...args);
return result;
} catch (error) {
attempt++;
if (attempt < retries) {
await new Promise(resolve => setTimeout(resolve, delay));
} else {
throw error;
}
}
}
}
/***
* @typedef {Object} VaultLoginResponse
* @property {{

19
src/auth.test.js
View file

@ -85,4 +85,23 @@ describe("test retrival for token", () => {
const url = got.post.mock.calls[0][0]
expect(url).toContain('differentK8sPath')
})
it("test retrieval with jwt", async () => {
const method = "jwt"
const jwtToken = "someTestToken"
const testRole = "testRole"
const privateKeyRaw = ""
mockApiResponse()
mockInput("role", testRole)
mockInput("jwtPrivateKey", privateKeyRaw)
core.getIDToken = jest.fn()
core.getIDToken.mockReturnValueOnce(jwtToken)
const token = await retrieveToken(method, got)
expect(token).toEqual(testToken)
const payload = got.post.mock.calls[0][1].json
expect(payload).toEqual({ jwt: jwtToken, role: testRole })
const url = got.post.mock.calls[0][0]
expect(url).toContain('jwt')
})
})

7
src/constants.js Normal file
View file

@ -0,0 +1,7 @@
const WILDCARD_UPPERCASE = '*';
const WILDCARD = '**';
module.exports = {
WILDCARD,
WILDCARD_UPPERCASE,
};

4
src/index.js
View file

@ -1,7 +1,9 @@
const auth = require('./auth');
const secrets = require('./secrets');
const pki = require('./pki');
module.exports = {
auth,
secrets
secrets,
pki
};

76
src/pki.js Normal file
View file

@ -0,0 +1,76 @@
const { normalizeOutputKey } = require('./utils');
const core = require('@actions/core');
/** A map of postfix values mapped to the key in the certificate response and a transformer function */
const outputMap = {
cert: { key: 'certificate', tx: (v) => v },
key: { key: 'private_key', tx: (v) => v },
ca: { key: 'issuing_ca', tx: (v) => v },
ca_chain: { key: 'ca_chain', tx: (v) => v.join('\n') },
};
/**
* @typedef PkiRequest
* @type {object}
* @property {string} path - The path to the PKI endpoint
* @property {Record<string, any>} parameters - The parameters to send to the PKI endpoint
* @property {string} envVarName - The name of the environment variable to set
* @property {string} outputVarName - The name of the output variable to set
*/
/**
* @typedef {Object} PkiResponse
* @property {PkiRequest} request
* @property {string} value
* @property {boolean} cachedResponse
*/
/**
* Generate and return the certificates from the PKI engine
* @param {Array<PkiRequest>} pkiRequests
* @param {import('got').Got} client
* @return {Promise<Array<PkiResponse>>}
*/
async function getCertificates(pkiRequests, client) {
/** @type Array<PkiResponse> */
let results = [];
for (const pkiRequest of pkiRequests) {
const { path, parameters } = pkiRequest;
const requestPath = `v1/${path}`;
let body;
try {
const result = await client.post(requestPath, {
body: JSON.stringify(parameters),
});
body = result.body;
} catch (error) {
core.error(`${error.response?.body ?? error.message}`);
throw error;
}
body = JSON.parse(body);
core.info(`✔ Successfully generated certificate (serial number ${body.data.serial_number})`);
Object.entries(outputMap).forEach(([key, value]) => {
const val = value.tx(body.data[value.key]);
results.push({
request: {
...pkiRequest,
envVarName: normalizeOutputKey(`${pkiRequest.envVarName}_${key}`, true),
outputVarName: normalizeOutputKey(`${pkiRequest.outputVarName}_${key}`),
},
value: val,
cachedResponse: false,
});
});
}
return results;
}
module.exports = {
getCertificates,
};

122
src/secrets.js
View file

@ -1,5 +1,7 @@
const jsonata = require("jsonata");
const { WILDCARD, WILDCARD_UPPERCASE} = require("./constants");
const { normalizeOutputKey } = require("./utils");
const core = require('@actions/core');
/**
* @typedef {Object} SecretRequest
@ -21,9 +23,11 @@ const jsonata = require("jsonata");
* @param {import('got').Got} client
* @return {Promise<SecretResponse<TRequest>[]>}
*/
async function getSecrets(secretRequests, client) {
async function getSecrets(secretRequests, client, ignoreNotFound) {
const responseCache = new Map();
const results = [];
let results = [];
let upperCaseEnv = false;
for (const secretRequest of secretRequests) {
let { path, selector } = secretRequest;
@ -41,27 +45,72 @@ async function getSecrets(secretRequests, client) {
} catch (error) {
const {response} = error;
if (response?.statusCode === 404) {
throw Error(`Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`)
notFoundMsg = `Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`;
const ignoreNotFound = (core.getInput('ignoreNotFound', { required: false }) || 'false').toLowerCase() != 'false';
if (ignoreNotFound) {
core.error(`${notFoundMsg}`);
continue;
} else {
throw Error(notFoundMsg)
}
}
throw error
}
}
if (!selector.match(/.*[\.].*/)) {
selector = '"' + selector + '"'
}
selector = "data." + selector
body = JSON.parse(body)
if (body.data["data"] != undefined) {
selector = "data." + selector
}
const value = await selectData(body, selector);
results.push({
request: secretRequest,
value,
cachedResponse
});
body = JSON.parse(body);
if (selector === WILDCARD || selector === WILDCARD_UPPERCASE) {
upperCaseEnv = selector === WILDCARD_UPPERCASE;
let keys = body.data;
if (body.data["data"] != undefined) {
keys = keys.data;
}
for (let key in keys) {
let newRequest = Object.assign({},secretRequest);
newRequest.selector = key;
if (secretRequest.selector === secretRequest.outputVarName) {
newRequest.outputVarName = key;
newRequest.envVarName = key;
} else {
newRequest.outputVarName = secretRequest.outputVarName+key;
newRequest.envVarName = secretRequest.envVarName+key;
}
newRequest.outputVarName = normalizeOutputKey(newRequest.outputVarName);
newRequest.envVarName = normalizeOutputKey(newRequest.envVarName, upperCaseEnv);
// JSONata field references containing reserved tokens should
// be enclosed in backticks
// https://docs.jsonata.org/simple#examples
if (key.includes(".")) {
const backtick = '`';
key = backtick.concat(key, backtick);
}
selector = key;
results = await selectAndAppendResults(
selector,
body,
cachedResponse,
newRequest,
results
);
}
}
else {
results = await selectAndAppendResults(
selector,
body,
cachedResponse,
secretRequest,
results
);
}
}
return results;
}
@ -87,6 +136,43 @@ async function selectData(data, selector) {
return result;
}
/**
* Uses selectData with the selector to get the value and then appends it to the
* results. Returns a new array with all of the results.
* @param {string} selector
* @param {object} body
* @param {object} cachedResponse
* @param {TRequest} secretRequest
* @param {SecretResponse<TRequest>[]} results
* @return {Promise<SecretResponse<TRequest>[]>}
*/
const selectAndAppendResults = async (
selector,
body,
cachedResponse,
secretRequest,
results
) => {
if (!selector.includes(".")) {
selector = '"' + selector + '"';
}
selector = "data." + selector;
if (body.data["data"] != undefined) {
selector = "data." + selector;
}
const value = await selectData(body, selector);
return [
...results,
{
request: secretRequest,
value,
cachedResponse,
},
];
};
module.exports = {
getSecrets,
selectData

19
src/utils.js Normal file
View file

@ -0,0 +1,19 @@
/**
* Replaces any dot chars to __ and removes non-ascii charts
* @param {string} dataKey
* @param {boolean=} isEnvVar
*/
function normalizeOutputKey(dataKey, upperCase = false) {
let outputKey = dataKey
.replaceAll(".", "__")
.replace(new RegExp("-", "g"), "")
.replace(/[^\p{L}\p{N}_-]/gu, "");
if (upperCase) {
outputKey = outputKey.toUpperCase();
}
return outputKey;
}
module.exports = {
normalizeOutputKey
};