Migrate to use 1Password SDK with Service Account

[JillRegan]

Overview

** This targets a feature branch

This PR migrates the action to use the 1Password SDK for Service Account authentication, while maintaining backward compatibility with the existing Connect-based authentication.

When using a Service Account token (OP_SERVICE_ACCOUNT_TOKEN), the action now uses the @1password/sdk package to resolve secrets directly, without requiring the 1Password CLI to be installed. The action automatically detects which authentication method to use:

• If OP_CONNECT_HOST and OP_CONNECT_TOKEN are set → uses Connect (existing behavior)
• Otherwise → uses Service Account with SDK (new behavior)

How to Test Manually

I tested this locally by:

1. Checking out this branch

npm install
npm run build
export OP_SERVICE_ACCOUNT_TOKEN="ops_your_token_here"

3. Create workflow file: .github/workflows/manual-test.yml and added the below

name: Test Locally

on: [push, workflow_dispatch]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install and build
        run: npm install && npm run build

      # TEST 1: Step outputs (export-env: false)
      - name: Test (outputs)
        id: load_secrets
        uses: ./
        env:
          MY_SECRET: op://<vault-name>/<item-name>/password
          NOTES: op://<vaultUUID>/<itemUUID>/notesPlain
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
        with:
          export-env: false
      - name: Assert outputs
        run: |
          [ -n "${{ steps.load_secrets.outputs.MY_SECRET }}" ] && [ -n "${{ steps.load_secrets.outputs.NOTES }}" ] || exit 1

      # TEST 2: OP_ENV_FILE + export-env true
      - name: Create env file
        run: |
          cat > my-secrets.env << 'EOF'
          MY_SECRET=op://<vault-name>/<item-name>/password
      - name: Load from OP_ENV_FILE
        uses: ./
        env:
          OP_ENV_FILE: my-secrets.env
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
        with:
          export-env: true
      - name: Assert env vars
        run: for v in MY_SECRET; do [ -n "${!v}" ] || exit 1; done

4. Ensure Docker is running and then run brew install act
5. Run act -j test -s OP_SERVICE_ACCOUNT_TOKEN="$OP_SERVICE_ACCOUNT_TOKEN"

[bertrmz]

This looks great! Just left a few small comments.

[bertrmz]

Tested successfully via act 🎉