tests for disabled output-env-credentials

Author: lehmanmj

src/helpers.ts

@@ -54,7 +54,7 @@ export function exportCredentials(
 
   if (creds?.SessionToken) {
     core.setSecret(creds.SessionToken);
-  } 
+  }
 
   if (outputEnvCredentials) {
     if (creds?.AccessKeyId) {

test/cleanup.test.ts

@@ -45,4 +45,9 @@ describe('Configure AWS Credentials cleanup', {}, () => {
     cleanup();
     expect(core.setFailed).toHaveBeenCalled();
   });
+  it(`doesn't export credentials as empty env variables if asked not to`, {}, () => {
+    vi.spyOn(core, 'getInput').mockImplementation(mocks.getInput(mocks.NO_ENV_CREDS_INPUTS));
+    cleanup();
+    expect(core.exportVariable).toHaveBeenCalledTimes(0);
+  })
 });

test/helpers.test.ts

@@ -27,7 +27,7 @@ describe('Configure AWS Credentials helpers', {}, () => {
     vi.spyOn(core, 'setOutput').mockImplementation(() => {});
     vi.spyOn(core, 'setSecret').mockImplementation(() => {});
     vi.spyOn(core, 'exportVariable').mockImplementation(() => {});
-    helpers.exportCredentials({ AccessKeyId: 'test', SecretAccessKey: 'test', SessionToken: 'test', Expiration: new Date(8640000000000000) }, true);
+    helpers.exportCredentials({ AccessKeyId: 'test', SecretAccessKey: 'test', SessionToken: 'test', Expiration: new Date(8640000000000000) }, true, true);
     expect(core.setOutput).toHaveBeenCalledTimes(4);
     expect(core.setSecret).toHaveBeenCalledTimes(3);
     expect(core.exportVariable).toHaveBeenCalledTimes(3);
@@ -42,4 +42,15 @@ describe('Configure AWS Credentials helpers', {}, () => {
     expect(process.env.AWS_DEFAULT_REGION).toBeUndefined;
     process.env = env;
   });
+  it(`won't output credentials to env if told not to`, {}, () => {
+    vi.spyOn(core, 'setOutput').mockImplementation(() => {});
+    vi.spyOn(core, 'setSecret').mockImplementation(() => {});
+    vi.spyOn(core, 'exportVariable').mockImplementation(() => {});
+    helpers.exportCredentials({ AccessKeyId: 'test', SecretAccessKey: 'test', SessionToken: 'test', Expiration: new Date(8640000000000000) }, true, false);
+    helpers.unsetCredentials(false);
+    helpers.exportRegion('fake-test-region', false);
+    expect(core.setOutput).toHaveBeenCalledTimes(4);
+    expect(core.setSecret).toHaveBeenCalledTimes(3);
+    expect(core.exportVariable).toHaveBeenCalledTimes(0);
+  });
 });

test/index.test.ts

@@ -312,5 +312,26 @@ describe('Configure AWS Credentials', {}, () => {
       await run();
       expect(core.setFailed).not.toHaveBeenCalled();
     })
+    it('doesn\'t export credentials as environment variables if told not to', {}, async () => {
+      mockedSTSClient.on(AssumeRoleWithWebIdentityCommand).resolvesOnce(mocks.outputs.STS_CREDENTIALS);
+      vi.spyOn(core, 'getInput').mockImplementation(mocks.getInput(mocks.NO_ENV_CREDS_INPUTS));
+      vi.spyOn(core, 'getIDToken').mockResolvedValue('testoidctoken');
+      process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'fake-token';
+      await run();
+      expect(core.setSecret).toHaveBeenCalledTimes(3);
+      expect(core.exportVariable).toHaveBeenCalledTimes(0);
+      expect(core.setFailed).not.toHaveBeenCalled();
+    })
+    it('can export creds as step outputs without exporting as env variables', {}, async () => {
+      mockedSTSClient.on(AssumeRoleWithWebIdentityCommand).resolvesOnce(mocks.outputs.STS_CREDENTIALS);
+      vi.spyOn(core, 'getInput').mockImplementation(mocks.getInput(mocks.STEP_BUT_NO_ENV_INPUTS));
+      vi.spyOn(core, 'getIDToken').mockResolvedValue('testoidctoken');
+      process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'fake-token';
+      await run();
+      expect(core.setSecret).toHaveBeenCalledTimes(3);
+      expect(core.exportVariable).toHaveBeenCalledTimes(0);
+      expect(core.setOutput).toHaveBeenCalledTimes(4);
+      expect(core.setFailed).not.toHaveBeenCalled();
+    })
   });
 });

test/mockinputs.test.ts

@@ -31,6 +31,17 @@ const inputs = {
     'aws-region': 'fake-region-1',
     'use-existing-credentials': 'true',
     'role-to-assume': 'arn:aws:iam::111111111111:role/MY-ROLE',
+  },
+  NO_ENV_CREDS_INPUTS: {
+    'role-to-assume': 'arn:aws:iam::111111111111:role/MY-ROLE',
+    'aws-region': 'fake-region-1',
+    'output-env-credentials': 'false'
+  },
+  STEP_BUT_NO_ENV_INPUTS: {
+    'role-to-assume': 'arn:aws:iam::111111111111:role/MY-ROLE',
+    'aws-region': 'fake-region-1',
+    'output-env-credentials': 'false',
+    'output-credentials': 'true',
   }
 };