vault-action/.github/workflows/build.yml

on:
  push:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
        with:
          node-version: "24.15.0"

      - name: Setup NPM Cache
        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

      - name: NPM Install
        run: npm ci

      - name: NPM Build
        run: npm run build

      - name: NPM Run Test
        run: npm run test

  integrationOSS:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run docker compose
        run: docker compose up -d --wait vault

      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
        with:
          node-version: "24.15.0"

      - name: Setup NPM Cache
        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

      - name: NPM Install
        run: npm ci

      - name: NPM Build
        run: npm run build

      - name: NPM Run test;integration:basic
        run: npm run test:integration:basic
        env:
          VAULT_HOST: 127.0.0.1
          VAULT_PORT: 8200
          CI: true

  integrationEnterprise:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run docker compose
        if: ${{ !env.ACT }}
        run: docker compose up -d --wait vault-enterprise
        env:
          VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}

      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
        with:
          node-version: "24.15.0"

      - name: Setup NPM Cache
        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

      - name: NPM Install
        run: npm ci

      - name: NPM Build
        run: npm run build

      - name: NPM Run test:integration:enterprise
        run: npm run test:integration:enterprise
        env:
          VAULT_HOST: 127.0.0.1
          VAULT_PORT: 8200
          CI: true

  e2e:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Run docker compose
        if: ${{ !env.ACT }}
        run: docker compose up -d --wait vault

      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
        with:
          node-version: "24.15.0"

      - name: Setup NPM Cache
        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

      - name: NPM Install
        run: npm ci

      - name: NPM Build
        run: npm run build

      - name: Setup Vault
        run: node ./integrationTests/e2e/setup.js
        env:
          VAULT_HOST: localhost
          VAULT_PORT: 8200

      - name: Test Vault Action (default KV V2)
        uses: ./
        id: kv-secrets
        with:
          url: http://localhost:8200
          token: testtoken
          secrets: |
            secret/data/test secret ;
            secret/data/test secret | NAMED_SECRET ;
            secret/data/nested/test otherSecret ;

      - name: Test Vault Action (default KV V1)
        uses: ./
        with:
          url: http://localhost:8200
          token: testtoken
          secrets: |
            my-secret/test altSecret ;
            my-secret/test altSecret | NAMED_ALTSECRET ;
            my-secret/nested/test otherAltSecret ;

      - name: Test Vault Action (cubbyhole)
        uses: ./
        with:
          url: http://localhost:8200
          token: testtoken
          secrets: |
            /cubbyhole/test foo ;
            /cubbyhole/test zip | NAMED_CUBBYSECRET ;

      # The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
      # They should come before the Verify Vault Action Outputs step
      - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
        uses: ./
        with:
          url: http://localhost:8200/
          token: testtoken
          secrets: |
            secret/data/test secret | SUBSEQUENT_TEST_SECRET;

      - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
        uses: ./
        with:
          url: http://localhost:8200/
          token: testtoken
          secrets: |
            secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;

      - name: Test JSON Secrets
        uses: ./
        with:
          url: http://localhost:8200
          token: testtoken
          secrets: |
            secret/data/test-json-data jsonData;
            secret/data/test-json-string jsonString;
            secret/data/test-json-string-multiline jsonStringMultiline;

      - name: Verify Vault Action Outputs
        run: npm run test:integration:e2e
        env:
          OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}

  e2e-tls:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Generate TLS Certificates
        if: ${{ !env.ACT }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_GET_RETRIES: 3
        run: |
          # Source the getGH function for authenticated GitHub downloads with retries
          source ./scripts/.functions
          getGH https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_amd64 /usr/local/bin/cfssl
          getGH https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_amd64 /usr/local/bin/cfssljson
          chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
          ./scripts/gen-tls-certs.sh
          cat .build/e2e-tls.env >> "$GITHUB_ENV"

      - name: Run docker compose
        if: ${{ !env.ACT }}
        run: docker compose up -d --wait vault-tls

      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
        with:
          node-version: "24.15.0"

      - name: Setup NPM Cache
        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

      - name: NPM Install
        run: npm ci

      - name: NPM Build
        run: npm run build

      - name: Setup Vault
        run: node ./integrationTests/e2e-tls/setup.js
        env:
          VAULT_HOST: localhost
          VAULT_PORT: 8200
          VAULTCA: ${{ env.VAULTCA }}
          VAULT_CLIENT_CERT: ${{ env.VAULT_CLIENT_CERT }}
          VAULT_CLIENT_KEY: ${{ env.VAULT_CLIENT_KEY }}

      - name: Test Vault Action (default KV V2)
        uses: ./
        id: kv-secrets-tls
        with:
          url: https://localhost:8200
          token: ${{ env.VAULT_TOKEN }}
          caCertificate: ${{ env.VAULTCA }}
          clientCertificate: ${{ env.VAULT_CLIENT_CERT }}
          clientKey: ${{ env.VAULT_CLIENT_KEY }}
          secrets: |
            secret/data/test secret ;
            secret/data/test secret | NAMED_SECRET ;
            secret/data/nested/test otherSecret ;

      - name: Test Vault Action (tlsSkipVerify)
        uses: ./
        with:
          url: https://localhost:8200
          token: ${{ env.VAULT_TOKEN }}
          tlsSkipVerify: true
          clientCertificate: ${{ env.VAULT_CLIENT_CERT }}
          clientKey: ${{ env.VAULT_CLIENT_KEY }}
          secrets: |
            secret/data/tlsSkipVerify skip ;

      - name: Test Vault Action (default KV V1)
        uses: ./
        with:
          url: https://localhost:8200
          token: ${{ env.VAULT_TOKEN }}
          caCertificate: ${{ env.VAULTCA }}
          clientCertificate: ${{ env.VAULT_CLIENT_CERT }}
          clientKey: ${{ env.VAULT_CLIENT_KEY }}
          secrets: |
            my-secret/test altSecret ;
            my-secret/test altSecret | NAMED_ALTSECRET ;
            my-secret/nested/test otherAltSecret ;

      - name: Test Vault Action (cubbyhole)
        uses: ./
        with:
          url: https://localhost:8200
          token: ${{ env.VAULT_TOKEN }}
          secrets: |
            /cubbyhole/test foo ;
            /cubbyhole/test zip | NAMED_CUBBYSECRET ;
          caCertificate: ${{ env.VAULTCA }}
          clientCertificate: ${{ env.VAULT_CLIENT_CERT }}
          clientKey: ${{ env.VAULT_CLIENT_KEY }}

      - name: Verify Vault Action Outputs
        run: npm run test:integration:e2e-tls
        env:
          OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}