Merge pull request #118 from wcarlsen/main

volodymyrZotov · web-flow · commit 564bf5b01fef · 2025-09-08T14:09:57.000-05:00
feature: enable loading 1password secrets from file
diff --git a/.github/workflows/acceptance-test.yml b/.github/workflows/acceptance-test.yml
@@ -36,9 +36,9 @@ jobs:
         if: |
           github.event_name != 'repository_dispatch' &&
           (
-            github.ref == 'refs/heads/main' || 
+            github.ref == 'refs/heads/main' ||
             (
-              github.event_name == 'pull_request' && 
+              github.event_name == 'pull_request' &&
               github.event.pull_request.head.repo.full_name == github.repository
             )
           )
@@ -96,12 +96,14 @@ jobs:
           SECRET: ${{ inputs.secret }}
           SECRET_IN_SECTION: ${{ inputs.secret-in-section }}
           MULTILINE_SECRET: ${{ inputs.multiline-secret }}
+          OP_ENV_FILE: ./tests/.env.tpl
       - name: Assert test secret values [step output]
         if: ${{ !inputs.export-env }}
         env:
           SECRET: ${{ steps.load_secrets.outputs.SECRET }}
           SECRET_IN_SECTION: ${{ steps.load_secrets.outputs.SECRET_IN_SECTION }}
           MULTILINE_SECRET: ${{ steps.load_secrets.outputs.MULTILINE_SECRET }}
+          OP_ENV_FILE: ./tests/.env.tpl
         run: ./tests/assert-env-set.sh
       - name: Assert test secret values [exported env]
         if: ${{ inputs.export-env }}
diff --git a/README.md b/README.md
@@ -39,6 +39,7 @@ jobs:
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://app-cicd/hello-world/secret
+          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example
 
       - name: Print masked secret
         run: 'echo "Secret: ${{ steps.load_secrets.outputs.SECRET }}"'
@@ -63,6 +64,7 @@ jobs:
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           SECRET: op://app-cicd/hello-world/secret
+          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example
 
       - name: Print masked secret
         run: 'echo "Secret: $SECRET"'
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -43,6 +43,7 @@
 		"@1password/op-js": "^0.1.11",
 		"@actions/core": "^1.10.1",
 		"@actions/exec": "^1.1.1",
+		"dotenv": "^17.2.2",
 		"op-cli-installer": "github:1Password/op-cli-installer#e6c1c758bc3339e5fe9b06255728039f688f73fa"
 	},
 	"devDependencies": {
diff --git a/src/constants.ts b/src/constants.ts
@@ -2,5 +2,6 @@ export const envConnectHost = "OP_CONNECT_HOST";
 export const envConnectToken = "OP_CONNECT_TOKEN";
 export const envServiceAccountToken = "OP_SERVICE_ACCOUNT_TOKEN";
 export const envManagedVariables = "OP_MANAGED_VARIABLES";
+export const envFilePath = "OP_ENV_FILE";
 
 export const authErr = `Authentication error with environment variables: you must set either 1) ${envServiceAccountToken}, or 2) both ${envConnectHost} and ${envConnectToken}.`;
diff --git a/src/index.ts b/src/index.ts
@@ -1,7 +1,9 @@
 import * as core from "@actions/core";
 import { validateCli } from "@1password/op-js";
 import { installCliOnGithubActionRunner } from "op-cli-installer";
+import dotenv from "dotenv";
 import { loadSecrets, unsetPrevious, validateAuth } from "./utils";
+import { envFilePath } from "./constants";
 
 const loadSecretsAction = async () => {
 	try {
@@ -17,6 +19,13 @@ const loadSecretsAction = async () => {
 		// Validate that a proper authentication configuration is set for the CLI
 		validateAuth();
 
+		// Set environment variables from OP_ENV_FILE
+		const file = process.env[envFilePath];
+		if (file) {
+			core.info(`Loading environment variables from file: ${file}`);
+			dotenv.config({ path: file });
+		}
+
 		// Download and install the CLI
 		await installCLI();
 
diff --git a/tests/.env.tpl b/tests/.env.tpl
@@ -0,0 +1,3 @@
+FILE_SECRET=op://acceptance-tests/test-secret/password
+FILE_SECRET_IN_SECTION=op://acceptance-tests/test-secret/test-section/password
+FILE_MULTILINE_SECRET=op://acceptance-tests/multiline-secret/notesPlain
diff --git a/tests/assert-env-set.sh b/tests/assert-env-set.sh
@@ -9,11 +9,8 @@ assert_env_equals() {
   fi
 }
 
-assert_env_equals "SECRET" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
-
-assert_env_equals "SECRET_IN_SECTION" "RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
-
-assert_env_equals "MULTILINE_SECRET" "$(cat << EOF
+readonly SECRET="RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLCB0aGlzIGlzIGp1c3QgYSBkdW1teSBzZWNyZXQuIFBsZWFzZSBkb24ndCByZXBvcnQgaXQu"
+MULTILINE_SECRET="$(cat << EOF
 -----BEGIN PRIVATE KEY-----
 RGVhciBzZWN1cml0eSByZXNlYXJjaGVyLApXaGls
 ZSB3ZSBkZWVwbHkgYXBwcmVjaWF0ZSB5b3VyIHZp
@@ -28,3 +25,13 @@ IApTbyBwbGVhc2UgZG9uJ3QgcmVwb3J0IGl0IQo=
 -----END PRIVATE KEY-----
 EOF
 )"
+readonly MULTILINE_SECRET
+
+assert_env_equals "SECRET" "${SECRET}"
+assert_env_equals "FILE_SECRET" "${SECRET}"
+
+assert_env_equals "SECRET_IN_SECTION" "${SECRET}"
+assert_env_equals "FILE_SECRET_IN_SECTION" "${SECRET}"
+
+assert_env_equals "MULTILINE_SECRET" "${MULTILINE_SECRET}"
+assert_env_equals "FILE_MULTILINE_SECRET" "${MULTILINE_SECRET}"
diff --git a/tests/assert-env-unset.sh b/tests/assert-env-unset.sh
@@ -10,5 +10,10 @@ assert_env_unset() {
 }
 
 assert_env_unset "SECRET"
+assert_env_unset "FILE_SECRET"
+
 assert_env_unset "SECRET_IN_SECTION"
+assert_env_unset "FILE_SECRET_IN_SECTION"
+
 assert_env_unset "MULTILINE_SECRET"
+assert_env_unset "FILE_MULTILINE_SECRET"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+FILE_SECRET=op://acceptance-tests/test-secret/password`
	`2`	`+FILE_SECRET_IN_SECTION=op://acceptance-tests/test-secret/test-section/password`
	`3`	`+FILE_MULTILINE_SECRET=op://acceptance-tests/multiline-secret/notesPlain`