migrate to onepassword version 2.30.0

aerickson14 · aerickson14 · commit 86c1a704fd08 · 2024-10-16T09:56:31.000-06:00
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -16,7 +16,7 @@ jobs:
           npm install
       - run: |
           npm run all
-  test: # make sure the action works on a clean machine without building
+  test: # make sure the action works
     strategy:
       matrix:
         runs-on: [macos-latest, ubuntu-20.04, ubuntu-22.04, ubuntu-latest]
@@ -30,6 +30,10 @@ jobs:
       - name: Checkout Github
         uses: actions/checkout@v3
         if: ${{ !env.ACT }}
+      - name: Install dependencies
+        run: npm install
+      - name: Build Typescript
+        run: npm run all
       - name: Test Action
         uses: ./
         id: secrets
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.0.0
+
+- Migrated from 1Password CLI version 1.8.0 to 2.30.0
+
 ## 2.1.0
 
 - Support for multi word names. Resolves [#54](https://github.com/RobotsAndPencils/1password-action/issues/54)
diff --git a/__tests__/parsing.test.ts b/__tests__/parsing.test.ts
@@ -42,15 +42,19 @@ test('parses multiple unquoted, renamed items', async () => {
 })
 
 test('parses single unquoted multi word item', async () => {
-  const output = parseItemRequestsInput('GitHub Action Test Vault > Test Login Four Words')
+  const output = parseItemRequestsInput(
+    'GitHub Action Test Vault > Test Login Four Words'
+  )
   expect(output).toHaveLength(1)
   expect(output[0].vault).toBe('GitHub Action Test Vault')
   expect(output[0].name).toBe('Test Login Four Words')
   expect(output[0].outputName).toBe('test_login_four_words')
 })
 
 test('parses single unquoted multi word item separated by periods', async () => {
-  const output = parseItemRequestsInput('GitHub Action Test Vault > Test.Login.Four.Words')
+  const output = parseItemRequestsInput(
+    'GitHub Action Test Vault > Test.Login.Four.Words'
+  )
   expect(output).toHaveLength(1)
   expect(output[0].vault).toBe('GitHub Action Test Vault')
   expect(output[0].name).toBe('Test.Login.Four.Words')
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/1password.ts b/src/1password.ts
@@ -3,7 +3,7 @@ import {install} from './install'
 import * as tc from '@actions/tool-cache'
 import {execWithOutput} from './exec'
 
-const ONE_PASSWORD_VERSION = '1.8.0'
+const ONE_PASSWORD_VERSION = '2.30.0'
 
 export class OnePassword {
   onePasswordEnv: {[key: string]: string}
@@ -37,13 +37,18 @@ export class OnePassword {
       const output = await execWithOutput(
         'op',
         [
-          'signin',
+          'account',
+          'add',
+          '--address',
           signInAddress,
+          '--email',
           emailAddress,
+          '--secret-key',
           secretKey,
           '--raw',
           '--shorthand',
-          'github_action'
+          'github_action',
+          '--signin'
         ],
         {
           env,
@@ -67,23 +72,31 @@ export class OnePassword {
   async listItemsInVault(vault: string): Promise<string> {
     const env = this.onePasswordEnv
 
-    return await execWithOutput('op', ['list', 'items', '--vault', vault], {
-      env
-    })
+    return await execWithOutput(
+      'op',
+      ['item', 'list', '--vault', vault, '--format=json'],
+      {
+        env
+      }
+    )
   }
 
   async getItemInVault(vault: string, uuid: string): Promise<string> {
     const env = this.onePasswordEnv
-    return await execWithOutput('op', ['get', 'item', uuid, '--vault', vault], {
-      env
-    })
+    return await execWithOutput(
+      'op',
+      ['item', 'get', uuid, '--vault', vault, '--format=json'],
+      {
+        env
+      }
+    )
   }
 
   async getDocument(uuid: string, filename: string): Promise<void> {
     const env = this.onePasswordEnv
     await execWithOutput(
       'op',
-      ['get', 'document', uuid, '--output', filename],
+      ['document', 'get', uuid, '--output', filename],
       {
         env
       }
@@ -92,6 +105,6 @@ export class OnePassword {
 
   async signOut(): Promise<void> {
     const env = this.onePasswordEnv
-    await execWithOutput('op', ['signout', '--forget'], {env})
+    await execWithOutput('op', ['signout', '--account', 'github_action', '--forget'], {env})
   }
 }
diff --git a/src/install.ts b/src/install.ts
@@ -4,48 +4,24 @@ import {mv} from '@actions/io'
 import {chmod} from '@actions/io/lib/io-util'
 import * as tc from '@actions/tool-cache'
 import * as exec from '@actions/exec'
-import {execWithOutput} from './exec'
 
-const CERT_IDENTIFIER = 'Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)'
 const KEY_FINGERPRINT = '3FEF9748469ADBE15DA7CA80AC2D62742012EA22'
 
 export async function install(onePasswordVersion: string): Promise<void> {
   const platform = os.platform().toLowerCase()
 
-  let extension = 'zip'
+  let arch = 'amd64'
   if (platform === 'darwin') {
-    extension = 'pkg'
+    arch = 'arm64'
   }
-  const onePasswordUrl = `https://cache.agilebits.com/dist/1P/op/pkg/v${onePasswordVersion}/op_${platform}_amd64_v${onePasswordVersion}.${extension}`
-  const archive = await tc.downloadTool(onePasswordUrl)
+  const onePasswordUrl = `https://cache.agilebits.com/dist/1P/op2/pkg/v${onePasswordVersion}/op_${platform}_${arch}_v${onePasswordVersion}.zip`
   core.info(
     `Downloading ${onePasswordVersion} for ${platform} from ${onePasswordUrl}`
   )
+  const archive = await tc.downloadTool(onePasswordUrl)
+  const extracted = await tc.extractZip(archive)
 
-  let extracted: string
-  if (platform === 'darwin') {
-    const signatureCheck = await execWithOutput('pkgutil', [
-      '--check-signature',
-      archive
-    ])
-    if (signatureCheck.includes(CERT_IDENTIFIER) === false) {
-      throw new Error(
-        `Signature verification of the installer package downloaded from ${onePasswordUrl} failed.\nExpecting it to include ${CERT_IDENTIFIER}.\nReceived:\n${signatureCheck}`
-      )
-    } else {
-      core.info('Verified the code signature of the installer package.')
-    }
-
-    // Expanding the package manually to avoid needing an admin password for installation and to be able to put it into the tool cache.
-    const destination = 'op.unpkg'
-    await exec.exec('pkgutil', ['--expand', archive, destination])
-    await exec.exec(
-      `/bin/bash -c "cat ${destination}/Payload | gzip -d | cpio -id"`
-    )
-    extracted = '.'
-  } else {
-    extracted = await tc.extractZip(archive)
-
+  if (platform !== 'darwin') {
     await exec.exec('gpg', [
       '--keyserver',
       'keyserver.ubuntu.com',
diff --git a/src/main.ts b/src/main.ts
@@ -34,6 +34,7 @@ async function run(): Promise<void> {
   core.setSecret(secretKey)
 
   core.startGroup('Signing in to 1Password')
+
   try {
     await onePassword.signIn(
       signInAddress,
@@ -92,13 +93,12 @@ async function requestItems(
       core.info(
         `Getting items in 1Password Vault:${style.bold.open} ${itemRequest.vault}`
       )
-
       const itemsJSON = await onePassword.listItemsInVault(itemRequest.vault)
 
       const items: Item[] = JSON.parse(itemsJSON)
       const uuid = items
-        .filter(item => item.overview.title === itemRequest.name)
-        .map(item => item.uuid)[0]
+        .filter(item => item.title === itemRequest.name)
+        .map(item => item.id)[0]
 
       if (!uuid) {
         throw new Error(
@@ -110,14 +110,13 @@ async function requestItems(
       const itemJSON = await onePassword.getItemInVault(itemRequest.vault, uuid)
       const item: Item = JSON.parse(itemJSON)
 
-      switch (item.templateUuid) {
-        // Item
-        case '001': {
-          const username = (item.details.fields ?? []).filter(
-            field => field.designation === 'username'
+      switch (item.category) {
+        case 'LOGIN': {
+          const username = (item.fields ?? []).filter(
+            field => field.purpose === 'USERNAME'
           )[0].value
-          const password = (item.details.fields ?? []).filter(
-            field => field.designation === 'password'
+          const password = (item.fields ?? []).filter(
+            field => field.purpose === 'PASSWORD'
           )[0].value
 
           const usernameOutputName = `${itemRequest.outputName}_username`
@@ -128,12 +127,14 @@ async function requestItems(
 
           break
         }
-        // Password
-        case '005': {
-          const password = item.details.password
+        case 'PASSWORD': {
+          const password = (item.fields ?? []).filter(
+            field => field.purpose === 'PASSWORD'
+          )[0].value
+
           if (password === undefined) {
             throw new Error(
-              `${style.inverse.open}Expected string for property item.details.password, got undefined.`
+              `${style.inverse.open}Expected string for field password, got undefined.`
             )
           }
 
@@ -143,12 +144,11 @@ async function requestItems(
 
           break
         }
-        // Document
-        case '006': {
-          const filename = item.details.documentAttributes?.fileName
+        case 'DOCUMENT': {
+          const filename = (item.files ?? [])[0].name
           if (filename === undefined) {
             throw new Error(
-              `${style.inverse.open}Expected string for property document.details.documentAttributes?.filename, got undefined.`
+              `${style.inverse.open}Expected string for file name, got undefined.`
             )
           }
 
diff --git a/src/types.ts b/src/types.ts
