[Compliance] - PR Template Changes Required (#586)

Co-authored-by: compliance-pr-automation[bot] <1425255+compliance-pr-automation-bot[bot]@users.noreply.github.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -8,7 +8,6 @@ Relates OR Closes #0000
 
 ### Checklist
 - [ ] Added [CHANGELOG](https://github.com/hashicorp/vault-action/blob/master/CHANGELOG.md) entry (only for user-facing changes)
-- [ ] Did not commit changes to `dist/index.js` (This is only done for releases by vault-action maintainers)
 
 
 ### Community Note
@@ -19,3 +18,15 @@ Relates OR Closes #0000
   prioritize this request
 * Please do not leave "+1" comments, they generate extra noise for pull request
   followers and do not help prioritize the request
+
+## PCI review checklist
+
+<!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
+
+- [ ] I have documented a clear reason for, and description of, the change I am making.
+
+- [ ] If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
+
+- [ ] If applicable, I've documented the impact of any changes to security controls.
+
+  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

.github/dependabot.yml

@@ -1,11 +1,14 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
 
 version: 2
 updates:
-  - package-ecosystem: "npm" # See documentation for possible values
+  - package-ecosystem: "npm"
     directory: "/" # Location of package manifests
+    open-pull-requests-limit: 0 # only require security updates and exclude version updates
     schedule:
-      interval: "daily"
+      interval: "weekly"
+    # For got, ignore all updates since it is now native ESM
+    # see https://github.com/hashicorp/vault-action/pull/457#issuecomment-1601445634
+    ignore:
+      - dependency-name: "got"

.github/workflows/actionlint.yaml

@@ -8,7 +8,7 @@ jobs:
   actionlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: "Lint workflow files"
         uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint:latest
         with:

.github/workflows/build.yml

@@ -6,283 +6,282 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: NPM Run Test
-      run: npm run test
+      - name: NPM Run Test
+        run: npm run test
 
   integrationOSS:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Run docker-compose
-      run: docker-compose up -d vault
+      - name: Run docker compose
+        run: docker compose up -d vault
 
-    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: NPM Run test;integration:basic
-      run: npm run test:integration:basic
-      env:
-        VAULT_HOST: localhost
-        VAULT_PORT: 8200
-        CI: true
+      - name: NPM Run test;integration:basic
+        run: npm run test:integration:basic
+        env:
+          VAULT_HOST: localhost
+          VAULT_PORT: 8200
+          CI: true
 
   integrationEnterprise:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Run docker-compose
-      run: docker-compose up -d vault-enterprise
-      env:
-        VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
+      - name: Run docker compose
+        run: docker compose up -d vault-enterprise
+        env:
+          VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
 
-    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: NPM Run test:integration:enterprise
-      run: npm run test:integration:enterprise
-      env:
-        VAULT_HOST: localhost
-        VAULT_PORT: 8200
-        CI: true
+      - name: NPM Run test:integration:enterprise
+        run: npm run test:integration:enterprise
+        env:
+          VAULT_HOST: localhost
+          VAULT_PORT: 8200
+          CI: true
 
   e2e:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Run docker-compose
-      run: docker-compose up -d vault
+      - name: Run docker compose
+        run: docker compose up -d vault
 
-    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: Setup Vault
-      run: node ./integrationTests/e2e/setup.js
-      env:
-        VAULT_HOST: localhost
-        VAULT_PORT: 8200
+      - name: Setup Vault
+        run: node ./integrationTests/e2e/setup.js
+        env:
+          VAULT_HOST: localhost
+          VAULT_PORT: 8200
 
-    - name: Test Vault Action (default KV V2)
-      uses: ./
-      id: kv-secrets
-      with:
-        url: http://localhost:8200
-        token: testtoken
-        secrets: |
-          secret/data/test secret ;
-          secret/data/test secret | NAMED_SECRET ;
-          secret/data/nested/test otherSecret ;
+      - name: Test Vault Action (default KV V2)
+        uses: ./
+        id: kv-secrets
+        with:
+          url: http://localhost:8200
+          token: testtoken
+          secrets: |
+            secret/data/test secret ;
+            secret/data/test secret | NAMED_SECRET ;
+            secret/data/nested/test otherSecret ;
 
-    - name: Test Vault Action (default KV V1)
-      uses: ./
-      with:
-        url: http://localhost:8200
-        token: testtoken
-        secrets: |
-          my-secret/test altSecret ;
-          my-secret/test altSecret | NAMED_ALTSECRET ;
-          my-secret/nested/test otherAltSecret ;
+      - name: Test Vault Action (default KV V1)
+        uses: ./
+        with:
+          url: http://localhost:8200
+          token: testtoken
+          secrets: |
+            my-secret/test altSecret ;
+            my-secret/test altSecret | NAMED_ALTSECRET ;
+            my-secret/nested/test otherAltSecret ;
 
-    - name: Test Vault Action (cubbyhole)
-      uses: ./
-      with:
-        url: http://localhost:8200
-        token: testtoken
-        secrets: |
-          /cubbyhole/test foo ;
-          /cubbyhole/test zip | NAMED_CUBBYSECRET ;
+      - name: Test Vault Action (cubbyhole)
+        uses: ./
+        with:
+          url: http://localhost:8200
+          token: testtoken
+          secrets: |
+            /cubbyhole/test foo ;
+            /cubbyhole/test zip | NAMED_CUBBYSECRET ;
 
-    # The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
-    # They should come before the Verify Vault Action Outputs step
-    - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
-      uses: ./
-      with:
-        url: http://localhost:8200/
-        token: testtoken
-        secrets: |
-          secret/data/test secret | SUBSEQUENT_TEST_SECRET;
+      # The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
+      # They should come before the Verify Vault Action Outputs step
+      - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
+        uses: ./
+        with:
+          url: http://localhost:8200/
+          token: testtoken
+          secrets: |
+            secret/data/test secret | SUBSEQUENT_TEST_SECRET;
 
-    - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
-      uses: ./
-      with:
-        url: http://localhost:8200/
-        token: testtoken
-        secrets: |
-          secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;
+      - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
+        uses: ./
+        with:
+          url: http://localhost:8200/
+          token: testtoken
+          secrets: |
+            secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;
 
-    - name: Test JSON Secrets
-      uses: ./
-      with:
-        url: http://localhost:8200
-        token: testtoken
-        secrets: |
-          secret/data/test-json-data jsonData;
-          secret/data/test-json-string jsonString;
-          secret/data/test-json-string-multiline jsonStringMultiline;
-
-    - name: Verify Vault Action Outputs
-      run: npm run test:integration:e2e
-      env:
-        OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
+      - name: Test JSON Secrets
+        uses: ./
+        with:
+          url: http://localhost:8200
+          token: testtoken
+          secrets: |
+            secret/data/test-json-data jsonData;
+            secret/data/test-json-string jsonString;
+            secret/data/test-json-string-multiline jsonStringMultiline;
 
+      - name: Verify Vault Action Outputs
+        run: npm run test:integration:e2e
+        env:
+          OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
 
   e2e-tls:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Run docker-compose
-      run: docker-compose up -d vault-tls
+      - name: Run docker compose
+        run: docker compose up -d vault-tls
 
-    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
-      with:
-        node-version: '16.14.0'
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "20.9.0"
 
-    - name: Setup NPM Cache
-      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-
+      - name: Setup NPM Cache
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
 
-    - name: NPM Install
-      run: npm ci
+      - name: NPM Install
+        run: npm ci
 
-    - name: NPM Build
-      run: npm run build
+      - name: NPM Build
+        run: npm run build
 
-    - name: Setup Vault
-      run: node ./integrationTests/e2e-tls/setup.js
-      env:
-        VAULT_HOST: localhost
-        VAULT_PORT: 8200
-        VAULTCA: ${{ secrets.VAULTCA }}
-        VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
-        VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
+      - name: Setup Vault
+        run: node ./integrationTests/e2e-tls/setup.js
+        env:
+          VAULT_HOST: localhost
+          VAULT_PORT: 8200
+          VAULTCA: ${{ secrets.VAULTCA }}
+          VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
+          VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
 
-    - name: Test Vault Action (default KV V2)
-      uses: ./
-      id: kv-secrets-tls
-      with:
-        url: https://localhost:8200
-        token: ${{ env.VAULT_TOKEN }}
-        caCertificate: ${{ secrets.VAULTCA }}
-        clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
-        clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
-        secrets: |
-          secret/data/test secret ;
-          secret/data/test secret | NAMED_SECRET ;
-          secret/data/nested/test otherSecret ;
+      - name: Test Vault Action (default KV V2)
+        uses: ./
+        id: kv-secrets-tls
+        with:
+          url: https://localhost:8200
+          token: ${{ env.VAULT_TOKEN }}
+          caCertificate: ${{ secrets.VAULTCA }}
+          clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+          clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+          secrets: |
+            secret/data/test secret ;
+            secret/data/test secret | NAMED_SECRET ;
+            secret/data/nested/test otherSecret ;
 
-    - name: Test Vault Action (tlsSkipVerify)
-      uses: ./
-      with:
-        url: https://localhost:8200
-        token: ${{ env.VAULT_TOKEN }}
-        tlsSkipVerify: true
-        clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
-        clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
-        secrets: |
-          secret/data/tlsSkipVerify skip ;
+      - name: Test Vault Action (tlsSkipVerify)
+        uses: ./
+        with:
+          url: https://localhost:8200
+          token: ${{ env.VAULT_TOKEN }}
+          tlsSkipVerify: true
+          clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+          clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+          secrets: |
+            secret/data/tlsSkipVerify skip ;
 
-    - name: Test Vault Action (default KV V1)
-      uses: ./
-      with:
-        url: https://localhost:8200
-        token: ${{ env.VAULT_TOKEN }}
-        caCertificate: ${{ secrets.VAULTCA }}
-        clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
-        clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
-        secrets: |
-          my-secret/test altSecret ;
-          my-secret/test altSecret | NAMED_ALTSECRET ;
-          my-secret/nested/test otherAltSecret ;
+      - name: Test Vault Action (default KV V1)
+        uses: ./
+        with:
+          url: https://localhost:8200
+          token: ${{ env.VAULT_TOKEN }}
+          caCertificate: ${{ secrets.VAULTCA }}
+          clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+          clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+          secrets: |
+            my-secret/test altSecret ;
+            my-secret/test altSecret | NAMED_ALTSECRET ;
+            my-secret/nested/test otherAltSecret ;
 
-    - name: Test Vault Action (cubbyhole)
-      uses: ./
-      with:
-        url: https://localhost:8200
-        token: ${{ env.VAULT_TOKEN }}
-        secrets: |
-          /cubbyhole/test foo ;
-          /cubbyhole/test zip | NAMED_CUBBYSECRET ;
-        caCertificate: ${{ secrets.VAULTCA }}
-        clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
-        clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+      - name: Test Vault Action (cubbyhole)
+        uses: ./
+        with:
+          url: https://localhost:8200
+          token: ${{ env.VAULT_TOKEN }}
+          secrets: |
+            /cubbyhole/test foo ;
+            /cubbyhole/test zip | NAMED_CUBBYSECRET ;
+          caCertificate: ${{ secrets.VAULTCA }}
+          clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+          clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
 
-    - name: Verify Vault Action Outputs
-      run: npm run test:integration:e2e-tls
-      env:
-        OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}
+      - name: Verify Vault Action Outputs
+        run: npm run test:integration:e2e-tls
+        env:
+          OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}

.github/workflows/local-test.yaml

@@ -18,11 +18,11 @@ jobs:
     name: local-test
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+    - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
       with:
-        node-version: '16.14.0'
+        node-version: '20.9.0'
 
     - name: NPM Install
       run: npm ci
@@ -48,14 +48,26 @@ jobs:
         token: testtoken
         secrets: |
           secret/data/test-json-string jsonString;
+          secret/data/test-json-data jsonData;
 
-    - name: Check Secrets
-      run: |
-        touch secrets.json
-        echo "${{ steps.import-secrets.outputs.jsonString }}" >> secrets.json
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      with:
+        github-token: "foobar"
+        script: |
+          const { JSONSTRING, JSONDATA } = process.env
 
-    - name: Check json file format
-      run: |
-        echo
-        cat secrets.json
-        jq -c . < secrets.json
+          console.log(`string ${JSONSTRING}`)
+          console.log(`data ${JSONDATA}`)
+          const str = JSONDATA
+
+          let valid = true
+          try {
+              JSON.parse(str)
+          } catch (e) {
+            valid = false
+          }
+          if (valid) {
+            console.log("valid json")
+          } else {
+            console.log("not valid json")
+          }

CHANGELOG.md

@@ -1,5 +1,67 @@
 ## Unreleased
 
+## 3.4.0 (June 13, 2025)
+
+Bugs:
+
+* replace all dot chars during normalization (https://github.com/hashicorp/vault-action/pull/580)
+
+Improvements:
+
+* Prevent possible DoS via polynomial regex (https://github.com/hashicorp/vault-action/pull/583)
+
+## 3.3.0 (March 3, 2025)
+
+Features:
+* Wildcard secret imports can use `**` to retain case of exported env keys [GH-545](https://github.com/hashicorp/vault-action/pull/545)
+
+## 3.2.0 (March 3, 2025)
+
+Improvements:
+
+* Add retry for jwt auth login to fix intermittent login failures [GH-574](https://github.com/hashicorp/vault-action/pull/574)
+
+## 3.1.0 (January 9, 2025)
+
+Improvements:
+
+* fix wildcard handling when field contains dot [GH-542](https://github.com/hashicorp/vault-action/pull/542)
+* bump body-parser from 1.20.0 to 1.20.3
+* bump braces from 3.0.2 to 3.0.3
+* bump cross-spawn from 7.0.3 to 7.0.6
+* bump micromatch from 4.0.5 to 4.0.8
+
+Features:
+
+* `secretId` is no longer required for approle to support advanced use cases like machine login when `bind_secret_id` is false. [GH-522](https://github.com/hashicorp/vault-action/pull/522)
+* Use `pki` configuration to generate certificates from Vault [GH-564](https://github.com/hashicorp/vault-action/pull/564)
+
+## 3.0.0 (February 15, 2024)
+
+Improvements:
+
+* Bump node runtime from node16 to node20 [GH-529](https://github.com/hashicorp/vault-action/pull/529)
+
+## 2.8.1 (February 15, 2024)
+
+Bugs:
+
+* Revert [GH-509](https://github.com/hashicorp/vault-action/pull/509) which made a backwards incompatible bump of the node runtime from node16 to node20 [GH-527](https://github.com/hashicorp/vault-action/pull/527)
+
+## 2.8.0 (February 1, 2024)
+
+Features:
+
+* Add `ignoreNotFound` input (default: false) to prevent the action from failing when a secret does not exist [GH-518](https://github.com/hashicorp/vault-action/pull/518)
+
+Improvements:
+
+* bump jsrsasign from 10.8.6 to 11.0.0 [GH-513](https://github.com/hashicorp/vault-action/pull/513)
+* bump @actions/core from 1.10.0 to 1.10.1 [GH-489](https://github.com/hashicorp/vault-action/pull/489)
+* bump jest-when from 3.5.2 to 3.6.0 [GH-484](https://github.com/hashicorp/vault-action/pull/484)
+* bump jest from 29.5.0 to 29.7.0 [GH-490](https://github.com/hashicorp/vault-action/pull/490)
+* bump @vercel/ncc from 0.36.1 to 0.38.1 [GH-503](https://github.com/hashicorp/vault-action/pull/503)
+
 ## 2.7.5 (January 30, 2024)
 
 Improvements:

CODEOWNERS

@@ -0,0 +1 @@
+* @hashicorp/vault-ecosystem

Makefile

@@ -1,3 +1,3 @@
 .PHONY: local-test
 local-test:
-	docker compose down;  docker-compose up -d vault && act workflow_dispatch -j local-test
+	docker compose down;  docker compose up -d vault && act workflow_dispatch -j local-test -W .github/workflows/local-test.yaml

README.md

@@ -30,6 +30,7 @@ is not meant to modify Vault’s state.
     - [Simple Key](#simple-key)
     - [Set Output Variable Name](#set-output-variable-name)
     - [Multiple Secrets](#multiple-secrets)
+    - [KV secrets engine version 2](#kv-secrets-engine-version-2)
   - [Other Secret Engines](#other-secret-engines)
   - [Adding Extra Headers](#adding-extra-headers)
   - [HashiCorp Cloud Platform or Vault Enterprise](#hashicorp-cloud-platform-or-vault-enterprise)
@@ -45,46 +46,51 @@ is not meant to modify Vault’s state.
 
 ```yaml
 jobs:
-    build:
-        # ...
-        steps:
-            # ...
-            - name: Import Secrets
-              id: import-secrets
-              uses: hashicorp/vault-action@v2
-              with:
-                url: https://vault.mycompany.com:8200
-                token: ${{ secrets.VAULT_TOKEN }}
-                caCertificate: ${{ secrets.VAULT_CA_CERT }}
-                secrets: |
-                    secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-                    secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
-                    secret/data/ci npm_token
-            # ...
+  build:
+    # ...
+    steps:
+      # ...
+      - name: Import Secrets
+        id: import-secrets
+        uses: hashicorp/vault-action@v2
+        with:
+          url: https://vault.mycompany.com:8200
+          token: ${{ secrets.VAULT_TOKEN }}
+          caCertificate: ${{ secrets.VAULT_CA_CERT }}
+          secrets: |
+            secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+            secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
+            secret/data/ci npm_token
+      # ...
 ```
 
 Retrieved secrets are available as environment variables or outputs for subsequent steps:
+
 ```yaml
 #...
-            - name: Step following 'Import Secrets'
-              run: |
-                ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
-                SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
-            # ...
+- name: Step following 'Import Secrets'
+  run: |
+    ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
+    SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
+
+# ...
 ```
 
-If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format. 
+If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format.
 For example, a common pattern is to save all the secrets in a JSON file:
+
 ```yaml
 #...
-            - name: Step following 'Import Secrets'
-              run: |
-                touch secrets.json
-                echo '${{ toJson(steps.import-secrets.outputs) }}' >> secrets.json
-            # ...
+- name: Step following 'Import Secrets'
+  run: |
+    touch secrets.json
+    echo '${{ toJson(steps.import-secrets.outputs) }}' >> secrets.json
+
+# ...
 ```
 
 Which with our example would yield a file containing:
+
 ```json
 {
   "ACCESS_KEY_ID": "MY_KEY_ID",
@@ -95,7 +101,6 @@ Which with our example would yield a file containing:
 
 Note that all secrets are masked so programs need to read the file themselves otherwise all values will be replaced with a `***` placeholder.
 
-
 ## Authentication Methods
 
 Consider using a [Vault authentication method](https://www.vaultproject.io/docs/auth) such as the JWT auth method with
@@ -109,7 +114,7 @@ and Vault using the
 Each GitHub Actions workflow receives an auto-generated OIDC token with claims
 to establish the identity of the workflow.
 
-__Vault Configuration__
+**Vault Configuration**
 
 <details>
 <summary>Click to toggle instructions for configuring Vault.</summary>
@@ -120,7 +125,6 @@ Pass the following parameters to your auth method configuration:
 - `oidc_discovery_url`: `https://token.actions.githubusercontent.com`
 - `bound_issuer`: `https://token.actions.githubusercontent.com`
 
-
 Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) for the auth method.
 
 - `role_type`: `jwt`
@@ -136,12 +140,12 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
 
   - For wildcard (non-exact) matches, use `bound_claims`.
 
-     - `bound_claims_type`: `glob`
+    - `bound_claims_type`: `glob`
 
-     - `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
-       ```json
-       {"sub": "repo:<orgName>/*"}
-       ```
+    - `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
+      ```json
+      { "sub": "repo:<orgName>/*" }
+      ```
 
   - For exact matches, use `bound_subject`.
 
@@ -154,17 +158,17 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
 
 </details>
 
-__GitHub Actions Workflow__
+**GitHub Actions Workflow**
 
 In the GitHub Actions workflow, the workflow needs permissions to read contents
 and write the ID token.
 
 ```yaml
 jobs:
-    retrieve-secret:
-        permissions:
-            contents: read
-            id-token: write
+  retrieve-secret:
+    permissions:
+      contents: read
+      id-token: write
 ```
 
 In the action, provide the name of the Vault role you created to the `role` parameter.
@@ -319,7 +323,7 @@ with:
 
 The `secrets` parameter is a set of multiple secret requests separated by the `;` character.
 
-Each secret request consists of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name. 
+Each secret request consists of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name.
 Note that the selector is using [JSONata](https://docs.jsonata.org/overview.html) and certain characters in keys may need to be escaped.
 
 ```raw
@@ -332,7 +336,7 @@ To retrieve a key `npmToken` from path `secret/data/ci` that has value `somelong
 
 ```yaml
 with:
-    secrets: secret/data/ci npmToken
+  secrets: secret/data/ci npmToken
 ```
 
 `vault-action` will automatically normalize the given secret selector key, and set the follow as environment variables for the following steps in the current job:
@@ -345,12 +349,12 @@ You can also access the secret via outputs:
 
 ```yaml
 steps:
-    # ...
-    - name: Import Secrets
-      id: secrets
-      # Import config...
-    - name: Sensitive Operation
-      run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
+  # ...
+  - name: Import Secrets
+    id: secrets
+    # Import config...
+  - name: Sensitive Operation
+    run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
 ```
 
 _**Note:** If you'd like to only use outputs and disable automatic environment variables, you can set the `exportEnv` option to `false`._
@@ -361,7 +365,7 @@ However, if you want to set it to a specific name, say `NPM_TOKEN`, you could do
 
 ```yaml
 with:
-    secrets: secret/data/ci npmToken | NPM_TOKEN
+  secrets: secret/data/ci npmToken | NPM_TOKEN
 ```
 
 With that, `vault-action` will now use your requested name and output:
@@ -378,7 +382,6 @@ steps:
     # Import config...
   - name: Sensitive Operation
     run: "my-cli --token '${{ steps.secrets.outputs.NPM_TOKEN }}'"
-
 ```
 
 ### Multiple Secrets
@@ -387,32 +390,81 @@ This action can take multi-line input, so say you had your AWS keys stored in a
 
 ```yaml
 with:
-    secrets: |
-        secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-        secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
+  secrets: |
+    secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+    secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
 ```
-You can specify a wildcard * for the key name to get all keys in the path.  If you provide an output name with the wildcard, the name will be prepended to the key name:
+
+You can specify a wildcard \* for the key name to get all keys in the path. If you provide an output name with the wildcard, the name will be prepended to the key name:
+
+```yaml
+with:
+  secrets: |
+    secret/data/ci/aws * | MYAPP_ ;
+```
+
+When using the `exportEnv` option all exported keys will be normalized to uppercase. For example, the key `SecretKey` would be exported as `MYAPP_SECRETKEY`.
+You can disable uppercase normalization by specifying double asterisks `**` in the selector path:
 
 ```yaml
 with:
     secrets: |
-        secret/data/ci/aws * | MYAPP_ ;
+        secret/data/ci/aws ** | MYAPP_ ;
 ```
 
+### KV secrets engine version 2
+
+When accessing secrets from the KV secrets engine version 2, Vault Action
+requires the full path to the secret. This is the same path that would be used
+in a Vault policy for the secret. You can find the full path to your secret by
+performing a `kv get` command like the following:
+
+```bash
+$ vault kv get secret/test
+== Secret Path ==
+secret/data/test
+
+...
+```
+
+Note that the full path is not `secret/test`, but `secret/data/test`.
+
+## PKI Certificate Requests
+
+You can use the `pki` option to generate a certificate and private key for a given role.
+
+````yaml
+with:
+    pki: |
+        pki/issue/rolename {"common_name": "role.mydomain.com", "ttl": "1h"} ;
+        pki/issue/otherrole {"common_name": "otherrole.mydomain.com", "ttl": "1h"} ;
+```
+
+Resulting in:
+
+```bash
+ROLENAME_CA=-----BEGIN CERTIFICATE-----...
+ROLENAME_CERT=-----BEGIN CERTIFICATE-----...
+ROLENAME_KEY=-----BEGIN RSA PRIVATE KEY-----...
+ROLENAME_CA_CHAIN=-----BEGIN CERTIFICATE-----...
+OTHERROLE_CA=-----BEGIN CERTIFICATE-----...
+OTHERROLE_CERT=-----BEGIN CERTIFICATE-----...
+OTHERROLE_KEY=-----BEGIN RSA PRIVATE KEY-----...
+OTHERROLE_CA_CHAIN=-----BEGIN CERTIFICATE-----...
+````
+
 ## Other Secret Engines
 
 Vault Action currently supports retrieving secrets from any engine where secrets
-are retrieved via `GET` requests.  This means secret engines such as PKI are currently
-not supported due to their requirement of sending parameters along with the request
-(such as `common_name`).
+are retrieved via `GET` requests, except for the PKI engine as noted above.
 
 For example, to request a secret from the `cubbyhole` secret engine:
 
 ```yaml
 with:
-    secrets: |
-        /cubbyhole/foo foo ;
-        /cubbyhole/foo zip | MY_KEY ;
+  secrets: |
+    /cubbyhole/foo foo ;
+    /cubbyhole/foo zip | MY_KEY ;
 ```
 
 Resulting in:
@@ -440,12 +492,12 @@ If you ever need to add extra headers to the vault request, say if you need to a
 
 ```yaml
 with:
-    secrets: |
-        secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-        secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
-    extraHeaders: |
-      X-Secure-Id: ${{ secrets.SECURE_ID }}
-      X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
+  secrets: |
+    secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+    secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
+  extraHeaders: |
+    X-Secure-Id: ${{ secrets.SECURE_ID }}
+    X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
 ```
 
 This will automatically add the `x-secure-id` and `x-secure-secret` headers to every request to Vault.
@@ -463,19 +515,37 @@ parameter specifying the namespace. In HCP Vault, the namespace defaults to `adm
 
 ```yaml
 steps:
-    # ...
-    - name: Import Secrets
-      uses: hashicorp/vault-action
-      with:
-        url: https://vault-enterprise.mycompany.com:8200
-        caCertificate: ${{ secrets.VAULT_CA_CERT }}
-        method: token
-        token: ${{ secrets.VAULT_TOKEN }}
-        namespace: admin
-        secrets: |
-            secret/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
-            secret/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
-            secret/ci npm_token
+  # ...
+  - name: Import Secrets
+    uses: hashicorp/vault-action
+    with:
+      url: https://vault-enterprise.mycompany.com:8200
+      method: token
+      token: ${{ secrets.VAULT_TOKEN }}
+      namespace: admin
+      secrets: |
+        secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+        secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
+        secret/data/ci npm_token
+```
+
+Alternatively, you may need to authenticate to the root namespace and retrieve
+a secret from a different namespace. To do this, do not set the `namespace`
+parameter. Instead set the namespace in the secret path. For example, `<NAMESPACE>/secret/data/app`:
+
+```yaml
+steps:
+  # ...
+  - name: Import Secrets
+    uses: hashicorp/vault-action
+    with:
+      url: https://vault-enterprise.mycompany.com:8200
+      method: token
+      token: ${{ secrets.VAULT_TOKEN }}
+      secrets: |
+        namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+        namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
+        namespace-1/secret/data/ci npm_token
 ```
 
 ## Reference
@@ -649,6 +719,13 @@ Base64 encoded client key the action uses to authenticate with Vault when mTLS i
 
 When set to true, disables verification of server certificates when testing the action.
 
+### `ignoreNotFound`
+
+**Type: `string`**\
+**Default: `false`**
+
+When set to true, prevents the action from failing when a secret does not exist.
+
 ## Masking - Hiding Secrets from Logs
 
 This action uses GitHub Action's built-in masking, so all variables will automatically be masked (aka hidden) if printed to the console or to logs.
@@ -661,9 +738,10 @@ To make it simpler to consume certain secrets as env vars, if no Env/Output Var
 ## Contributing
 
 If you wish to contribute to this project, the following dependencies are recommended for local development:
+
 - [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) to install dependencies, build project and run tests
 - [docker](https://docs.docker.com/get-docker/) to run the pre-configured vault containers for acceptance tests
-- [docker-compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
+- [docker compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
 - [act](https://github.com/nektos/act) to run the vault-action locally
 
 ### Build
@@ -676,11 +754,11 @@ $ npm install && npm run build
 
 ### Vault test instance
 
-The Github Action needs access to a working Vault instance to function. 
+The Github Action needs access to a working Vault instance to function.
 Multiple docker configurations are available via the docker-compose.yml file to run containers compatible with the various acceptance test suites.
 
 ```sh
-$ docker-compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
+$ docker compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
 ```
 
 Instead of using one of the dockerized instance, you can also use your own local or remote Vault instance by exporting these environment variables:

action.yml

@@ -7,6 +7,9 @@ inputs:
   secrets:
     description: 'A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details'
     required: false
+  pki:
+    description: 'A semicolon-separated list of certificates to generate. These will automatically be converted to environment variable keys. Cannot be used with "secrets". See README for more details'
+    required: false
   namespace:
     description: 'The Vault namespace from which to query secrets. Vault Enterprise only, unset by default'
     required: false
@@ -89,6 +92,10 @@ inputs:
   secretEncodingType:
     description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
     required: false
+  ignoreNotFound:
+    description: 'Whether or not the action should exit successfully if some requested secrets were not found.'
+    required: false
+    default: 'false'
 runs:
   using: 'node20'
   main: 'dist/index.js'

integrationTests/basic/integration.test.js

@@ -31,6 +31,22 @@ describe('integration', () => {
             },
         });
 
+        await got(`${vaultUrl}/v1/secret/data/test-with-dot-char`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': vaultToken,
+            },
+            body: `{"data":{"secret.foo":"SUPERSECRET"}}`
+        });
+
+        await got(`${vaultUrl}/v1/secret/data/test-with-multi-dot-chars`, {
+            method: 'POST',
+            headers: {
+                'X-Vault-Token': vaultToken,
+            },
+            body: `{"data":{"secret.foo.bar":"SUPERSECRET"}}`
+        });
+
         await got(`${vaultUrl}/v1/secret/data/nested/test`, {
             method: 'POST',
             headers: {
@@ -104,6 +120,69 @@ describe('integration', () => {
                 "other-Secret-dash": 'OTHERCUSTOMSECRET',
             },
         });
+
+        // Enable pki engine
+        try {
+            await got(`${vaultUrl}/v1/sys/mounts/pki`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    type: 'pki'
+                }
+            });
+        } catch (error) {
+            const {response} = error;
+            if (response.statusCode === 400 && response.body.includes("path is already in use")) {
+                // Engine might already be enabled from previous test runs
+            } else {
+                throw error;
+            }
+        }
+
+        // Configure Root CA
+        try {
+            await got(`${vaultUrl}/v1/pki/root/generate/internal`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    common_name: 'test',
+                    ttl: '24h',
+                },
+            });
+        } catch (error) {
+            const {response} = error;
+            if (response.statusCode === 400 && response.body.includes("already exists")) {
+                // Root CA might already be configured from previous test runs
+            } else {
+                throw error;
+            }
+        }
+
+        // Configure PKI Role
+        try {
+            await got(`${vaultUrl}/v1/pki/roles/Test`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    allowed_domains: ['test'],
+                    allow_bare_domains: true,
+                    max_ttl: '1h',
+                },
+            });
+        } catch (error) {
+            const {response} = error;
+            if (response.statusCode === 400 && response.body.includes("already exists")) {
+                // Role might already be configured from previous test runs
+            } else {
+                throw error;
+            }
+        }
     });
 
     beforeEach(() => {
@@ -124,14 +203,55 @@ describe('integration', () => {
             .mockReturnValueOnce(secrets);
     }
 
+    function mockPkiInput(pki) {
+        when(core.getInput)
+            .calledWith('pki', expect.anything())
+            .mockReturnValueOnce(pki);
+    }
+
+    function mockIgnoreNotFound(shouldIgnore) {
+        when(core.getInput)
+            .calledWith('ignoreNotFound', expect.anything())
+            .mockReturnValueOnce(shouldIgnore);
+    }
+
+
     it('prints a nice error message when secret not found', async () => {
         mockInput(`secret/data/test secret ;
         secret/data/test secret | NAMED_SECRET ;
         secret/data/notFound kehe | NO_SIR ;`);
 
-        expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
+        await expect(exportSecrets()).rejects.toEqual(Error(`Unable to retrieve result for "secret/data/notFound" because it was not found: {"errors":[]}`));
     })
 
+    it('does not error when secret not found and ignoreNotFound is true', async () => {
+        mockInput(`secret/data/test secret ;
+        secret/data/test secret | NAMED_SECRET ;
+        secret/data/notFound kehe | NO_SIR ;`);
+
+        mockIgnoreNotFound("true");
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(2);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET', 'SUPERSECRET');
+        expect(core.exportVariable).toBeCalledWith('NAMED_SECRET', 'SUPERSECRET');
+    })
+
+    it('gets a pki certificate', async () => {
+        mockPkiInput('pki/issue/Test {"common_name":"test","ttl":"1h"}');
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(4);
+
+        expect(core.exportVariable).toBeCalledWith('TEST_KEY', expect.anything());
+        expect(core.exportVariable).toBeCalledWith('TEST_CERT', expect.anything());
+        expect(core.exportVariable).toBeCalledWith('TEST_CA', expect.anything());
+        expect(core.exportVariable).toBeCalledWith('TEST_CA_CHAIN', expect.anything());
+    });
+
     it('get simple secret', async () => {
         mockInput('secret/data/test secret');
 
@@ -171,6 +291,26 @@ describe('integration', () => {
         expect(core.exportVariable).toBeCalledWith('OTHERSECRETDASH', 'OTHERSUPERSECRET');
     });
 
+    it('get wildcard secrets with dot char', async () => {
+        mockInput(`secret/data/test-with-dot-char * ;`);
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(1);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET__FOO', 'SUPERSECRET');
+    });
+
+    it('get secrets with multiple dot chars', async () => {
+        mockInput(`secret/data/test-with-multi-dot-chars * ;`);
+
+        await exportSecrets();
+
+        expect(core.exportVariable).toBeCalledTimes(1);
+
+        expect(core.exportVariable).toBeCalledWith('SECRET__FOO__BAR', 'SUPERSECRET');
+    });
+
     it('get wildcard secrets', async () => {
         mockInput(`secret/data/test * ;`);
 
@@ -273,7 +413,7 @@ describe('integration', () => {
             expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
         });
 
-        it('wildcard supports cubbyhole', async () => {            
+        it('wildcard supports cubbyhole with uppercase transform', async () => {
             mockInput('/cubbyhole/test *');
 
             await exportSecrets();
@@ -283,6 +423,32 @@ describe('integration', () => {
             expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
             expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
         });
+
+        it('wildcard supports cubbyhole with no change in case', async () => {
+            mockInput('/cubbyhole/test **');
+
+            await exportSecrets();
+
+            expect(core.exportVariable).toBeCalledTimes(2);
+
+            expect(core.exportVariable).toBeCalledWith('foo', 'bar');
+            expect(core.exportVariable).toBeCalledWith('zip', 'zap');
+        });
+
+        it('wildcard supports cubbyhole with mixed case change', async () => {
+            mockInput(`
+            /cubbyhole/test * ;
+            /cubbyhole/test **`);
+
+            await exportSecrets();
+
+            expect(core.exportVariable).toBeCalledTimes(4);
+
+            expect(core.exportVariable).toBeCalledWith('FOO', 'bar');
+            expect(core.exportVariable).toBeCalledWith('ZIP', 'zap');
+            expect(core.exportVariable).toBeCalledWith('foo', 'bar');
+            expect(core.exportVariable).toBeCalledWith('zip', 'zap');
+        });
         
         it('caches responses', async () => {            
             mockInput(`

integrationTests/basic/jwt_auth.test.js

@@ -97,6 +97,8 @@ describe('jwt auth', () => {
             }
         });
 
+        // write the jwt config, the jwt role will be written on a per-test
+        // basis since the audience may vary
         await got(`${vaultUrl}/v1/auth/jwt/config`, {
             method: 'POST',
             headers: {
@@ -108,22 +110,6 @@ describe('jwt auth', () => {
             }
         });
 
-        await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
-            method: 'POST',
-            headers: {
-                'X-Vault-Token': vaultToken,
-            },
-            json: {
-                role_type: 'jwt',
-                bound_audiences: null,
-                bound_claims: {
-                    iss: 'vault-action'
-                },
-                user_claim: 'iss',
-                policies: ['reader']
-            }
-        });
-
         await got(`${vaultUrl}/v1/secret/data/test`, {
             method: 'POST',
             headers: {
@@ -138,6 +124,24 @@ describe('jwt auth', () => {
     });
 
     describe('authenticate with private key', () => {
+        beforeAll(async () => {
+            await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    role_type: 'jwt',
+                    bound_audiences: null,
+                    bound_claims: {
+                        iss: 'vault-action'
+                    },
+                    user_claim: 'iss',
+                    policies: ['reader']
+                }
+            });
+        });
+
         beforeEach(() => {
             jest.resetAllMocks();
 
@@ -170,6 +174,22 @@ describe('jwt auth', () => {
 
     describe('authenticate with Github OIDC', () => {
         beforeAll(async () => {
+            await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
+                method: 'POST',
+                headers: {
+                    'X-Vault-Token': vaultToken,
+                },
+                json: {
+                    role_type: 'jwt',
+                    bound_audiences: 'https://github.com/hashicorp/vault-action',
+                    bound_claims: {
+                        iss: 'vault-action'
+                    },
+                    user_claim: 'iss',
+                    policies: ['reader']
+                }
+            });
+
             await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
                 method: 'POST',
                 headers: {
@@ -177,7 +197,7 @@ describe('jwt auth', () => {
                 },
                 json: {
                     role_type: 'jwt',
-                    bound_audiences: null,
+                    bound_audiences: 'sigstore',
                     bound_claims: {
                         iss: 'vault-action',
                         aud: 'sigstore',

package.json

@@ -36,16 +36,16 @@
     "dependencies": {
         "got": "^11.8.6",
         "jsonata": "^2.0.3",
-        "jsrsasign": "^10.8.6"
+        "jsrsasign": "^11.1.0"
     },
     "peerDependencies": {
         "@actions/core": ">=1 <2"
     },
     "devDependencies": {
-        "@actions/core": "^1.10.0",
-        "@vercel/ncc": "^0.36.1",
-        "jest": "^29.5.0",
-        "jest-when": "^3.5.2",
+        "@actions/core": "^1.10.1",
+        "@vercel/ncc": "^0.38.1",
+        "jest": "^29.7.0",
+        "jest-when": "^3.6.0",
         "mock-http-server": "^1.4.5"
     }
 }

src/action.js

@@ -4,9 +4,9 @@ const command = require('@actions/core/lib/command');
 const got = require('got').default;
 const jsonata = require('jsonata');
 const { normalizeOutputKey } = require('./utils');
-const { WILDCARD } = require('./constants');
+const { WILDCARD, WILDCARD_UPPERCASE } = require('./constants');
 
-const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index');
+const { auth: { retrieveToken }, secrets: { getSecrets }, pki: { getCertificates } } = require('./index');
 
 const AUTH_METHODS = ['approle', 'token', 'github', 'jwt', 'kubernetes', 'ldap', 'userpass'];
 const ENCODING_TYPES = ['base64', 'hex', 'utf8'];
@@ -22,6 +22,16 @@ async function exportSecrets() {
     const secretsInput = core.getInput('secrets', { required: false });
     const secretRequests = parseSecretsInput(secretsInput);
 
+    const pkiInput = core.getInput('pki', { required: false });
+    let pkiRequests = [];
+    if (pkiInput) {
+        if (secretsInput) {
+            throw Error('You cannot provide both "secrets" and "pki" inputs.');
+        }
+
+        pkiRequests = parsePkiInput(pkiInput);
+    }
+
     const secretEncodingType = core.getInput('secretEncodingType', { required: false });
 
     const vaultMethod = (core.getInput('method', { required: false }) || 'token').toLowerCase();
@@ -84,12 +94,12 @@ async function exportSecrets() {
         core.exportVariable('VAULT_TOKEN', `${vaultToken}`);
     }
 
-    const requests = secretRequests.map(request => {
-        const { path, selector } = request;
-        return request;
-    });
-
-    const results = await getSecrets(requests, client);
+    let results = [];
+    if (pkiRequests.length > 0) {
+        results = await getCertificates(pkiRequests, client);
+    } else {
+        results = await getSecrets(secretRequests, client);
+    }
 
 
     for (const result of results) {
@@ -128,6 +138,43 @@ async function exportSecrets() {
  * @property {string} selector
 */
 
+/**
+ * Parses a pki input string into key paths and the request parameters.
+ * @param {string} pkiInput
+ */
+function parsePkiInput(pkiInput) {
+    if (!pkiInput) {
+        return []
+    }
+
+    const secrets = pkiInput
+        .split(';')
+        .filter(key => !!key)
+        .map(key => key.trim())
+        .filter(key => key.length !== 0);
+
+    return secrets.map(secret => {
+        const path = secret.substring(0, secret.indexOf(' '));
+        const parameters = secret.substring(secret.indexOf(' ') + 1);
+
+        core.debug(`ℹ Parsing PKI: ${path} with parameters: ${parameters}`);
+
+        if (!path || !parameters) {
+            throw Error(`You must provide a valid path and parameters. Input: "${secret}"`);
+        }
+
+        let outputVarName = path.split('/').pop();
+        let envVarName = normalizeOutputKey(outputVarName);
+
+        return { 
+            path, 
+            envVarName, 
+            outputVarName,
+            parameters: JSON.parse(parameters),
+        };
+    });
+}
+
 /**
  * Parses a secrets input string into key paths and their resulting environment variable name.
  * @param {string} secretsInput
@@ -174,7 +221,7 @@ function parseSecretsInput(secretsInput) {
         const selectorAst = jsonata(selectorQuoted).ast();
         const selector = selectorQuoted.replace(new RegExp('"', 'g'), '');
 
-        if (selector !== WILDCARD && (selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
+        if (selector !== WILDCARD && selector !== WILDCARD_UPPERCASE && (selectorAst.type !== "path" || selectorAst.steps[0].stages) && selectorAst.type !== "string" && !outputVarName) {
             throw Error(`You must provide a name for the output key when using json selectors. Input: "${secret}"`);
         }
 

src/auth.js

@@ -5,6 +5,8 @@ const fs = require('fs');
 const { default: got } = require('got');
 
 const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token'
+const retries = 5
+const retries_delay = 3000
 /***
  * Authenticate with Vault and retrieve a Vault token that can be used for requests.
  * @param {string} method
@@ -17,7 +19,7 @@ async function retrieveToken(method, client) {
     switch (method) {
         case 'approle': {
             const vaultRoleId = core.getInput('roleId', { required: true });
-            const vaultSecretId = core.getInput('secretId', { required: true });
+            const vaultSecretId = core.getInput('secretId', { required: false });
             return await getClientToken(client, method, path, { role_id: vaultRoleId, secret_id: vaultSecretId });
         }
         case 'github': {
@@ -35,7 +37,10 @@ async function retrieveToken(method, client) {
             const githubAudience = core.getInput('jwtGithubAudience', { required: false });
 
             if (!privateKey) {
-                jwt = await core.getIDToken(githubAudience)
+                jwt = await retryAsyncFunction(retries, retries_delay, core.getIDToken, githubAudience)
+                  .then((result) => {
+                    return result;
+                });
             } else {
                 jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
             }
@@ -142,6 +147,30 @@ async function getClientToken(client, method, path, payload) {
     }
 }
 
+/***
+ * Generic function for retrying an async function
+ * @param {number} retries
+ * @param {number} delay
+ * @param {Function} func
+ * @param {any[]} args
+ */
+async function retryAsyncFunction(retries, delay, func, ...args) {
+  let attempt = 0;
+  while (attempt < retries) {
+    try {
+      const result = await func(...args);
+      return result;
+    } catch (error) {
+      attempt++;
+      if (attempt < retries) {
+        await new Promise(resolve => setTimeout(resolve, delay));
+      } else {
+        throw error;
+      }
+    }
+  }
+}
+
 /***
  * @typedef {Object} VaultLoginResponse
  * @property {{

src/auth.test.js

@@ -85,4 +85,23 @@ describe("test retrival for token", () => {
         const url = got.post.mock.calls[0][0]
         expect(url).toContain('differentK8sPath')
     })
+
+    it("test retrieval with jwt", async () => {
+        const method = "jwt"
+        const jwtToken = "someTestToken"
+        const testRole = "testRole"
+        const privateKeyRaw = ""
+
+        mockApiResponse()
+        mockInput("role", testRole)
+        mockInput("jwtPrivateKey", privateKeyRaw)
+        core.getIDToken = jest.fn()
+        core.getIDToken.mockReturnValueOnce(jwtToken)
+        const token = await retrieveToken(method, got)
+        expect(token).toEqual(testToken)
+        const payload = got.post.mock.calls[0][1].json
+        expect(payload).toEqual({ jwt: jwtToken,  role: testRole })
+        const url = got.post.mock.calls[0][0]
+        expect(url).toContain('jwt')
+  })
 })

src/constants.js

@@ -1,5 +1,7 @@
-const WILDCARD = '*';
+const WILDCARD_UPPERCASE = '*';
+const WILDCARD = '**';
 
 module.exports = {
-    WILDCARD
-};
+    WILDCARD,
+    WILDCARD_UPPERCASE,
+};

src/index.js

@@ -1,7 +1,9 @@
 const auth = require('./auth');
 const secrets = require('./secrets');
+const pki = require('./pki');
 
 module.exports = {
     auth,
-    secrets
+    secrets,
+    pki
 };

src/pki.js

@@ -0,0 +1,76 @@
+const { normalizeOutputKey } = require('./utils');
+const core = require('@actions/core');
+
+/** A map of postfix values mapped to the key in the certificate response and a transformer function */
+const outputMap = {
+    cert: { key: 'certificate', tx: (v) => v },
+    key: { key: 'private_key', tx: (v) => v },
+    ca: { key: 'issuing_ca', tx: (v) => v },
+    ca_chain: { key: 'ca_chain', tx: (v) => v.join('\n') },
+};
+
+/**
+ * @typedef PkiRequest
+ * @type {object}
+ * @property {string} path - The path to the PKI endpoint
+ * @property {Record<string, any>} parameters - The parameters to send to the PKI endpoint
+ * @property {string} envVarName - The name of the environment variable to set
+ * @property {string} outputVarName - The name of the output variable to set
+ */
+
+/**
+ * @typedef {Object} PkiResponse
+ * @property {PkiRequest} request
+ * @property {string} value
+ * @property {boolean} cachedResponse
+ */
+
+/**
+ * Generate and return the certificates from the PKI engine
+ * @param {Array<PkiRequest>} pkiRequests
+ * @param {import('got').Got} client
+ * @return {Promise<Array<PkiResponse>>}
+ */
+async function getCertificates(pkiRequests, client) {
+    /** @type Array<PkiResponse> */
+    let results = [];
+
+    for (const pkiRequest of pkiRequests) {
+        const { path, parameters } = pkiRequest;
+
+        const requestPath = `v1/${path}`;
+        let body;
+        try {
+            const result = await client.post(requestPath, {
+                body: JSON.stringify(parameters),
+            });
+            body = result.body;
+        } catch (error) {
+            core.error(`✘ ${error.response?.body ?? error.message}`);
+            throw error;
+        }
+
+        body = JSON.parse(body);
+
+        core.info(`✔ Successfully generated certificate (serial number ${body.data.serial_number})`);
+
+        Object.entries(outputMap).forEach(([key, value]) => {
+            const val = value.tx(body.data[value.key]);
+            results.push({
+                request: {
+                    ...pkiRequest,
+                    envVarName: normalizeOutputKey(`${pkiRequest.envVarName}_${key}`, true),
+                    outputVarName: normalizeOutputKey(`${pkiRequest.outputVarName}_${key}`),
+                },
+                value: val,
+                cachedResponse: false,
+            });
+        });
+    }
+
+    return results;
+}
+
+module.exports = {
+    getCertificates,
+};

src/secrets.js

@@ -1,6 +1,8 @@
 const jsonata = require("jsonata");
-const { WILDCARD } = require("./constants");
+const { WILDCARD, WILDCARD_UPPERCASE} = require("./constants");
 const { normalizeOutputKey } = require("./utils");
+const core = require('@actions/core');
+
 /**
  * @typedef {Object} SecretRequest
  * @property {string} path
@@ -21,9 +23,10 @@ const { normalizeOutputKey } = require("./utils");
   * @param {import('got').Got} client
   * @return {Promise<SecretResponse<TRequest>[]>}
   */
-async function getSecrets(secretRequests, client) {
+async function getSecrets(secretRequests, client, ignoreNotFound) {
     const responseCache = new Map();
     let results = [];
+    let upperCaseEnv = false;
 
     for (const secretRequest of secretRequests) {
         let { path, selector } = secretRequest;
@@ -42,7 +45,14 @@ async function getSecrets(secretRequests, client) {
             } catch (error) {
                 const {response} = error;
                 if (response?.statusCode === 404) {
-                    throw Error(`Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`)
+                    notFoundMsg = `Unable to retrieve result for "${path}" because it was not found: ${response.body.trim()}`;
+                    const ignoreNotFound = (core.getInput('ignoreNotFound', { required: false }) || 'false').toLowerCase() != 'false';
+                    if (ignoreNotFound) {
+                        core.error(`✘ ${notFoundMsg}`);
+                        continue;
+                    } else {
+                        throw Error(notFoundMsg)
+                    }
                 }
                 throw error
             }
@@ -50,7 +60,8 @@ async function getSecrets(secretRequests, client) {
 
         body = JSON.parse(body);
 
-        if (selector == WILDCARD) {                     
+        if (selector === WILDCARD || selector === WILDCARD_UPPERCASE) {
+            upperCaseEnv = selector === WILDCARD_UPPERCASE;
             let keys = body.data;
             if (body.data["data"] != undefined) {
                 keys = keys.data;
@@ -58,20 +69,26 @@ async function getSecrets(secretRequests, client) {
 
             for (let key in keys) {
                 let newRequest = Object.assign({},secretRequest);
-                newRequest.selector = key;                  
-                
+                newRequest.selector = key;
+
                 if (secretRequest.selector === secretRequest.outputVarName) {
                     newRequest.outputVarName = key;
-                    newRequest.envVarName = key;        		
-                }
-                else {
+                    newRequest.envVarName = key;
+                } else {
                     newRequest.outputVarName = secretRequest.outputVarName+key;
-                    newRequest.envVarName = secretRequest.envVarName+key;        		
+                    newRequest.envVarName = secretRequest.envVarName+key;
                 }
 
                 newRequest.outputVarName = normalizeOutputKey(newRequest.outputVarName);
-                newRequest.envVarName = normalizeOutputKey(newRequest.envVarName,true);   
+                newRequest.envVarName = normalizeOutputKey(newRequest.envVarName, upperCaseEnv);
 
+                // JSONata field references containing reserved tokens should
+                // be enclosed in backticks
+                // https://docs.jsonata.org/simple#examples
+                if (key.includes(".")) {
+                    const backtick = '`';
+                    key = backtick.concat(key, backtick);
+                }
                 selector = key;
 
                 results = await selectAndAppendResults(
@@ -85,13 +102,13 @@ async function getSecrets(secretRequests, client) {
         }
         else {
           results = await selectAndAppendResults(
-            selector, 
-            body, 
-            cachedResponse, 
-            secretRequest, 
+            selector,
+            body,
+            cachedResponse,
+            secretRequest,
             results
           );
-        }   
+        }
     }
 
     return results;
@@ -136,7 +153,7 @@ const selectAndAppendResults = async (
   secretRequest,
   results
 ) => {
-  if (!selector.match(/.*[\.].*/)) {
+  if (!selector.includes(".")) {
     selector = '"' + selector + '"';
   }
   selector = "data." + selector;

src/utils.js

@@ -3,12 +3,12 @@
  * @param {string} dataKey
  * @param {boolean=} isEnvVar
  */
-function normalizeOutputKey(dataKey, isEnvVar = false) {
+function normalizeOutputKey(dataKey, upperCase = false) {
   let outputKey = dataKey
-    .replace(".", "__")
+    .replaceAll(".", "__")
     .replace(new RegExp("-", "g"), "")
     .replace(/[^\p{L}\p{N}_-]/gu, "");
-  if (isEnvVar) {
+  if (upperCase) {
     outputKey = outputKey.toUpperCase();
   }
   return outputKey;