Skip to content

Migrate to use 1Password SDK with Service Account#134

Merged
JillRegan merged 7 commits intofeature/migrate-to-sdkfrom
jill/use-sdk-for-service-account
Feb 20, 2026
Merged

Migrate to use 1Password SDK with Service Account#134
JillRegan merged 7 commits intofeature/migrate-to-sdkfrom
jill/use-sdk-for-service-account

Conversation

@JillRegan
Copy link

@JillRegan JillRegan commented Feb 18, 2026

Overview

** This targets a feature branch

This PR migrates the action to use the 1Password SDK for Service Account authentication, while maintaining backward compatibility with the existing Connect-based authentication.

When using a Service Account token (OP_SERVICE_ACCOUNT_TOKEN), the action now uses the @1password/sdk package to resolve secrets directly, without requiring the 1Password CLI to be installed. The action automatically detects which authentication method to use:

  • If OP_CONNECT_HOST and OP_CONNECT_TOKEN are set → uses Connect (existing behavior)
  • Otherwise → uses Service Account with SDK (new behavior)

How to Test Manually

I tested this locally by:

  1. Checking out this branch
npm install
npm run build
export OP_SERVICE_ACCOUNT_TOKEN="ops_your_token_here"
  1. Create workflow file: .github/workflows/manual-test.yml and added the below
name: Test Locally

on: [push, workflow_dispatch]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install and build
        run: npm install && npm run build

      # TEST 1: Step outputs (export-env: false)
      - name: Test (outputs)
        id: load_secrets
        uses: ./
        env:
          MY_SECRET: op://<vault-name>/<item-name>/password
          NOTES: op://<vaultUUID>/<itemUUID>/notesPlain
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
        with:
          export-env: false
      - name: Assert outputs
        run: |
          [ -n "${{ steps.load_secrets.outputs.MY_SECRET }}" ] && [ -n "${{ steps.load_secrets.outputs.NOTES }}" ] || exit 1

      # TEST 2: OP_ENV_FILE + export-env true
      - name: Create env file
        run: |
          cat > my-secrets.env << 'EOF'
          MY_SECRET=op://<vault-name>/<item-name>/password
      - name: Load from OP_ENV_FILE
        uses: ./
        env:
          OP_ENV_FILE: my-secrets.env
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
        with:
          export-env: true
      - name: Assert env vars
        run: for v in MY_SECRET; do [ -n "${!v}" ] || exit 1; done
  1. Ensure Docker is running and then run brew install act
  2. Run act -j test -s OP_SERVICE_ACCOUNT_TOKEN="$OP_SERVICE_ACCOUNT_TOKEN"

@JillRegan JillRegan changed the title [DRAFT] Migrate to use 1Password SDK with Service Account Migrate to use 1Password SDK with Service Account Feb 18, 2026
@JillRegan JillRegan marked this pull request as ready for review February 18, 2026 21:39
Copy link

@bertrmz bertrmz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! Just left a few small comments.

Copy link

@bertrmz bertrmz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested successfully via act 🎉

@JillRegan JillRegan merged commit 3f9ba48 into feature/migrate-to-sdk Feb 20, 2026
28 checks passed
@JillRegan JillRegan deleted the jill/use-sdk-for-service-account branch February 20, 2026 13:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants