load-secrets-action

[Feature] load template file

Open · jamesarosen opened this issue 11 months ago · 1 comment

The load-secrets action lets me export secrets into my GitHub Actions environment:

- name: Load secrets
  id: op-load-secret
  uses: 1password/load-secrets-action@v2
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    FOO: op://MyVault/MyItem/Foo
    BAR: op://MyVault/MyItem/Bar
    BAZ: op://MyVault/MyItem/BaZ

This works, but it's duplicative with my .env.tpl file:

FOO = "op://MyVault/MyItem/Foo"
BAR = "op://MyVault/MyItem/Bar"
BAZ = "op://MyVault/MyItem/BaZ"

I process this file in local development with op run or op inject, e.g. op inject -i .env.tpl -o .env.

The first thing I tried was to load the .env.tpl file in a GitHub action and pipe it into $GITHUB_ENV:

- name: Install 1Password CLI
  uses: 1password/install-cli-action@v1

- name: Load Secrets
  run: op inject -i .env.tpl >> $GITHUB_ENV # <-- insecure; don't do this

This is a bad idea because those variables aren't marked as secrets. GitHub will log the values of FOO, BAR, and BAZ on every subsequent run step.

Perhaps something like

- name: Load secrets
  id: op-load-secret
  uses: 1password/load-secrets-action@v2
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    OP_ENV_FILE: "path/to/.env.tpl"

jamesarosen · Dec 31 '24 21:12

Hello @jamesarosen, thank you for your suggestion! We can definitely see the value in supporting this use case, and we appreciate you bringing it up. We'd love to see a contribution for this feature! If you're interested in implementing it, please feel free to open a pull request. We'd be happy to review and collaborate with you on it. In the meantime, as a potential workaround, you can make use of GitHub Actions' workflow command for masking values in logs. This should help mitigate your issue until there is a more permanent solution in place. For your use case, it can look like this:

# inject first: the template only holds op:// references, the secret values exist only after injection
op inject -i "path/to/.env.tpl" -o "$RUNNER_TEMP/.env"
while IFS= read -r line || [[ -n "$line" ]]; do
    value=${line#*=}; value=${value#"${value%%[![:space:]]*}"}   # the value is the part after the first '=', not the key
    value=${value#\"}; value=${value%\"}                          # drop the surrounding double quotes used in .env.tpl
    [ -n "$value" ] && echo "::add-mask::$value"                  # mask every non-empty value (the test is -n, not -z)
done < "$RUNNER_TEMP/.env"
cat "$RUNNER_TEMP/.env" >> "$GITHUB_ENV"

Thanks again for your input, and feel free to reach out if you have any more questions!

moward98 · Jan 03 '25 15:01
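The workaround above relies on getting two things right: masking happens on the resolved values (not on the op:// references in the template), and it happens before the lines reach $GITHUB_ENV. The following is an added example, not code from the issue or from the 1Password project, that packages that logic as reusable shell functions and also copes with the `KEY = "value"` layout of the .env.tpl shown in the issue (surrounding whitespace, single or double quotes, comment lines, empty values). The function names, the `$RUNNER_TEMP` usage and the sample file with placeholder secrets are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the 1Password project): mask every secret
# value produced by `op inject` before appending it to $GITHUB_ENV, so that later
# steps cannot print the values in clear text. POSIX sh compatible.
set -eu

# Parse one "KEY = value" line into the globals KEY and VALUE.
# Returns 1 (and leaves both empty) for blank lines, comments and lines without '='.
parse_env_line() {
    KEY=''; VALUE=''
    case $1 in ''|'#'*) return 1 ;; esac
    case $1 in *=*) ;; *) return 1 ;; esac
    KEY=${1%%=*}; VALUE=${1#*=}
    # trim leading and trailing whitespace on both sides
    KEY=${KEY#"${KEY%%[![:space:]]*}"};       KEY=${KEY%"${KEY##*[![:space:]]}"}
    VALUE=${VALUE#"${VALUE%%[![:space:]]*}"}; VALUE=${VALUE%"${VALUE##*[![:space:]]}"}
    # strip one layer of matching double or single quotes around the value
    case $VALUE in
        \"*\") VALUE=${VALUE#\"}; VALUE=${VALUE%\"} ;;
        \'*\') VALUE=${VALUE#\'}; VALUE=${VALUE%\'} ;;
    esac
    return 0
}

# Read an already-injected env file ($1), emit a ::add-mask:: workflow command on
# stdout for every non-empty value, and append normalized KEY=value lines to $2.
# Empty values are not masked: GitHub rejects masking an empty string.
mask_and_export() {
    infile=$1; envfile=$2
    while IFS= read -r line || [ -n "$line" ]; do
        parse_env_line "$line" || continue
        if [ -n "$VALUE" ]; then
            printf '::add-mask::%s\n' "$VALUE"
        fi
        printf '%s=%s\n' "$KEY" "$VALUE" >> "$envfile"
    done < "$infile"
}

# Stand-alone demo on a constructed file that imitates `op inject` output.
# The secret values here are placeholders, not real credentials.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '# generated by op inject' 'FOO = "s3cr3t-foo"' "BAR='s3cr3t-bar'" \
        'BAZ=plain' 'EMPTY=' > "$tmp/.env"
    : > "$tmp/github_env"
    mask_and_export "$tmp/.env" "$tmp/github_env"   # ::add-mask:: lines go to stdout
    cat "$tmp/github_env"                             # what would land in $GITHUB_ENV
    rm -rf "$tmp"
}
demo
```

In a workflow step the two calls are `op inject -i .env.tpl -o "$RUNNER_TEMP/.env"` followed by `mask_and_export "$RUNNER_TEMP/.env" "$GITHUB_ENV"`, after which the injected file should be deleted so the unmasked copy does not outlive the step. The runner only recognises `::add-mask::` when it is printed to the step's stdout, which is why the function writes masks to stdout and env lines to the file.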