feat: secrets input accepts a map; log per-call API response time (#16)

* feat: secrets input accepts a map; log per-call API timing

Three changes from the latest deploy run feedback.

1. Map-shaped `secrets` input
   Mirror the `tags` refactor: accept a YAML block mapping (the canonical
   workflow form) or a JSON object string, instead of multi-line
   `KEY=VALUE` lines. Same key validation as before — must start with a
   letter or underscore, alphanumeric + underscores only — and secret
   values can still contain any characters. Each value is added to the
   runner's secret-mask list before any API call.

2. Per-call API response time
   Every Spice Cloud Management API call now logs
   `<METHOD> <path> → <status> <statusText> (<durationMs>ms)` so the
   user can see each request's latency inline. Network failures log
   `<METHOD> <path> → network error in <durationMs>ms: <message>`.
   Removed the redundant pre-call path logs in deploy.ts that the
   timing line now covers.

3. Branch missing from step summary
   The list-deployments endpoint sometimes returns Deployment objects
   without `branch` even when the create request set it. The summary
   now falls back to the `branch` and `commit-sha` inputs we sent so
   the right values surface even when the API echoes them inconsistently.

Tests: 107 passing (up from 101). New cases cover the YAML and JSON
secret forms (incl. quote-stripping, special characters in values, and
JSON validation) and the post-rebuild `dist/` round-trip.

* chore: bump version to 1.1.0 for release

- package.json: 1.0.0 → 1.1.0.
- CHANGELOG.md: collapse the [Unreleased] block into a [1.1.0] section
  dated 2026-05-03, with explicit Breaking changes / Added / Changed /
  Fixed buckets. Added an empty [Unreleased] header for future entries.

The release rolls up everything since v1.0.0:

- Breaking: secrets input switched from KEY=VALUE to YAML/JSON map
  (matches `tags`); tag-value validation tightened to alphanumeric +
  `_@-` only.
- Added: `org`, `flight-url`, `dataset-ready-timeout-seconds` inputs;
  `datasets` output; auto-captured `repository` tag; per-call
  `<METHOD> <path> → <status> (<ms>ms)` API timing in logs.
- Changed: action runtime bumped from Node 20 to Node 24.
- Fixed: app-url URL pattern, SQL probe gRPC connection, api-key field
  names, step-summary branch fallback, punycode deprecation warning,
  action.yml `${{ … }}` example evaluation bug.

* Revert "chore: bump version to 1.1.0 for release"

This reverts commit 57ecfd2.

* fix: address PR review comments

- src/main.ts: Use a length-aware fallback (deployment.branch?.length
  ? deployment.branch : inputs.branch ?? "") so the step summary still
  falls back when the API returns an empty string, while documenting
  why we treat empty-string as equivalent to missing here.
- src/secrets.ts: Stop calling `.trim()` on secret values. Strip only
  the leading whitespace separator after `:` and a matching pair of
  outer quotes; trailing whitespace and inner whitespace are preserved
  verbatim. Also pass the un-trimmed raw input to parseBlockMap so a
  trailing space on the last line isn't lost. Whitespace-significant
  values still need quoting to make the boundaries explicit.
- src/api.ts: Move the timing log to AFTER the response body is read
  so the duration reflects true end-to-end request latency, not just
  time-to-first-byte. Body-read errors retry on the next attempt and
  fail with a clear `Failed to read response body for …` message on
  exhaustion.

New tests cover trailing whitespace preserved in unquoted secret
values, leading whitespace preserved inside quoted secret values, and
multiple-spaces-after-colon handling.

Author: lukekim

CHANGELOG.md

@@ -6,6 +6,13 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+### Changed
+- `secrets` input now accepts the same YAML block mapping or JSON object form as `tags`, instead of multi-line `KEY=VALUE` lines. Existing key validation is unchanged (must start with a letter or underscore, alphanumeric + underscores only); values can contain any characters and are added to the runner's secret-mask list. Update your workflows to swap `=` for `:` between key and value.
+- Every Spice Cloud Management API call now logs `<METHOD> <path> → <status> <statusText> (<durationMs>ms)` so you can see latency for each request inline in the action logs. Network failures log `<METHOD> <path> → network error in <durationMs>ms: <message>`. Removed the redundant pre-call path logs in `deploy.ts` since the timing line covers them.
+
+### Fixed
+- The step-summary "Branch" cell was empty when the management API's list-deployments response omitted the `branch` field even though the create request set it. The summary now falls back to the `branch` and `commit-sha` inputs we sent so the right values surface even when the API echoes them inconsistently.
+
 ### Added
 - New `org` input. The action now constructs the `app-url` output as `https://spice.ai/<org>/<app-name>` (the canonical Spice Cloud portal URL pattern). When `org` is unset, it falls back to the owner part of `GITHUB_REPOSITORY`, which matches the Spice org slug for personal orgs and orgs created from a connected GitHub organization.
 - New `flight-url` input. The action now passes a regional Apache Arrow Flight gRPC endpoint to the `@spiceai/spice` SDK so the SQL probe uses gRPC instead of falling through to localhost. When `flight-url` is unset, it's derived from the resolved app's region as `<region>-prod-aws-flight.spiceai.io:443` (mirrors the data hostname with `-data` swapped for `-flight`). A `grpc+tls://` / `grpc://` scheme prefix on the input is stripped automatically.

README.md

@@ -92,7 +92,7 @@ Grant exactly the scopes for the features you use. The "All-in" row at the botto
 | `commit-sha`            | no | `${{ github.sha }}` | Commit SHA attributed to the deployment. |
 | `commit-message`        | no | head-commit message | Commit message attributed to the deployment. |
 | `debug`                 | no | `false` | Enable runtime debug mode for this deployment. |
-| `secrets`               | no | — | Multi-line `KEY=VALUE` app secrets to upsert before deploy. Values are masked. |
+| `secrets`               | no | — | YAML or JSON map of app secrets to upsert before deploy. Values are masked in logs. |
 | `wait-for-completion`   | no | `true` | Poll the deployment until it finishes. |
 | `timeout-seconds`       | no | `600` | Max wait when `wait-for-completion` is true. |
 | `poll-interval-seconds` | no | `10` | Seconds between status polls. |
@@ -159,8 +159,8 @@ Grant exactly the scopes for the features you use. The "All-in" row at the botto
     client-secret: ${{ secrets.SPICE_CLIENT_SECRET }}
     app-name:      analytics
     secrets: |
-      OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
-      PG_PASSWORD=${{ secrets.PG_PASSWORD }}
+      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+      PG_PASSWORD: ${{ secrets.PG_PASSWORD }}
     test-sql: SELECT count(*) FROM taxi_trips
 ```
 

__tests__/deploy.test.ts

@@ -128,7 +128,7 @@ describe("runDeploy", () => {
 
     await runDeploy(api, {
       ...baseInputs,
-      secretsRaw: "OPENAI=sk-1\nPG_PASS=hunter2",
+      secretsRaw: "OPENAI: sk-1\nPG_PASS: hunter2",
     });
 
     expect(upsertSecret).toHaveBeenNthCalledWith(1, 42, "OPENAI", "sk-1");

__tests__/secrets.test.ts

@@ -11,44 +11,98 @@ describe("parseSecrets", () => {
     expect(parseSecrets(undefined)).toEqual([]);
     expect(parseSecrets("")).toEqual([]);
     expect(parseSecrets("\n  \n")).toEqual([]);
+    expect(parseSecrets("{}")).toEqual([]);
   });
 
-  it("parses KEY=VALUE pairs across lines", () => {
-    const result = parseSecrets("FOO=bar\nBAZ=qux quux\n");
-    expect(result).toEqual([
-      { name: "FOO", value: "bar" },
-      { name: "BAZ", value: "qux quux" },
-    ]);
-  });
+  describe("YAML block-map form", () => {
+    it("parses KEY: VALUE lines", () => {
+      expect(parseSecrets("FOO: bar\nBAZ: qux\n")).toEqual([
+        { name: "FOO", value: "bar" },
+        { name: "BAZ", value: "qux" },
+      ]);
+    });
 
-  it("preserves '=' inside the value", () => {
-    expect(parseSecrets("URL=https://x.com?a=1&b=2")).toEqual([
-      { name: "URL", value: "https://x.com?a=1&b=2" },
-    ]);
-  });
+    it("preserves any character (incl. ':' '=' '/') inside the value", () => {
+      // Splits on the first ':' only. Values are otherwise unrestricted.
+      expect(parseSecrets("URL: https://x.com:8080?a=1&b=2!@#$%^&*()")).toEqual([
+        { name: "URL", value: "https://x.com:8080?a=1&b=2!@#$%^&*()" },
+      ]);
+    });
 
-  it("ignores blank lines and comments", () => {
-    const result = parseSecrets("\n# a comment\nFOO=bar\n   # indented comment\nBAZ=qux\n");
-    expect(result).toEqual([
-      { name: "FOO", value: "bar" },
-      { name: "BAZ", value: "qux" },
-    ]);
-  });
+    it("strips matching single or double quotes around values", () => {
+      expect(parseSecrets("A: \"with spaces and : colons\"\nB: 'special !@#$ chars'")).toEqual([
+        { name: "A", value: "with spaces and : colons" },
+        { name: "B", value: "special !@#$ chars" },
+      ]);
+    });
 
-  it("rejects lines without '='", () => {
-    expect(() => parseSecrets("FOO\nBAR=baz")).toThrow(/missing "="/);
-  });
+    it("preserves trailing whitespace in unquoted values (don't auto-trim secrets)", () => {
+      // The leading separator after `:` is stripped, but trailing whitespace
+      // is preserved verbatim. Whitespace-significant secret values should
+      // be quoted to make the boundaries explicit.
+      const result = parseSecrets("KEY: trailing-space ");
+      expect(result).toEqual([{ name: "KEY", value: "trailing-space " }]);
+    });
 
-  it("rejects names that don't match the API pattern", () => {
-    expect(() => parseSecrets("1FOO=x")).toThrow(/must start with a letter or underscore/);
-    expect(() => parseSecrets("FOO-BAR=x")).toThrow(/letters, numbers, and underscores/);
-  });
+    it("preserves leading whitespace inside quoted values", () => {
+      expect(parseSecrets('KEY: "  inner-leading"')).toEqual([
+        { name: "KEY", value: "  inner-leading" },
+      ]);
+    });
+
+    it("strips multiple spaces between ':' and a quoted value", () => {
+      expect(parseSecrets('KEY:    "value"')).toEqual([{ name: "KEY", value: "value" }]);
+    });
+
+    it("ignores blank lines and #-comment lines", () => {
+      expect(parseSecrets("\n# header\nFOO: bar\n  # indented\nBAZ: qux")).toEqual([
+        { name: "FOO", value: "bar" },
+        { name: "BAZ", value: "qux" },
+      ]);
+    });
 
-  it("rejects duplicate names", () => {
-    expect(() => parseSecrets("FOO=a\nFOO=b")).toThrow(/duplicate secret "FOO"/);
+    it("rejects lines without ':'", () => {
+      expect(() => parseSecrets("FOO\nBAR: baz")).toThrow(/expected "KEY: VALUE"/);
+    });
+
+    it("rejects names that don't match the API pattern", () => {
+      expect(() => parseSecrets("1FOO: x")).toThrow(/start with a letter or underscore/);
+      expect(() => parseSecrets("FOO-BAR: x")).toThrow(/letters, numbers, and underscores/);
+    });
+
+    it("rejects duplicate names", () => {
+      expect(() => parseSecrets("FOO: a\nFOO: b")).toThrow(/duplicate secret "FOO"/);
+    });
+
+    it("allows empty values without crashing", () => {
+      expect(parseSecrets("EMPTY: ")).toEqual([{ name: "EMPTY", value: "" }]);
+    });
   });
 
-  it("allows empty values without crashing", () => {
-    expect(parseSecrets("EMPTY=")).toEqual([{ name: "EMPTY", value: "" }]);
+  describe("JSON object form", () => {
+    it("parses a JSON object", () => {
+      expect(parseSecrets('{"FOO":"bar","BAZ":"qux"}')).toEqual([
+        { name: "FOO", value: "bar" },
+        { name: "BAZ", value: "qux" },
+      ]);
+    });
+
+    it("preserves any string value", () => {
+      expect(parseSecrets('{"URL":"https://x.com:8080?a=1&b=2!@#"}')).toEqual([
+        { name: "URL", value: "https://x.com:8080?a=1&b=2!@#" },
+      ]);
+    });
+
+    it("rejects malformed JSON that begins with {", () => {
+      expect(() => parseSecrets("{ not json")).toThrow(/not valid JSON/);
+    });
+
+    it("rejects non-string JSON values", () => {
+      expect(() => parseSecrets('{"REPLICAS":3}')).toThrow(/must be a string/);
+    });
+
+    it("rejects JSON keys that don't match the API pattern", () => {
+      expect(() => parseSecrets('{"1FOO":"x"}')).toThrow(/start with a letter or underscore/);
+    });
   });
 });

action.yml

@@ -97,13 +97,20 @@ inputs:
     default: "false"
   secrets:
     description: |
-      Newline-separated `KEY=VALUE` pairs to upsert as app secrets before deploy.
-      Lines starting with `#` are comments. Values are masked in logs.
+      App secrets to upsert before deploy, as a YAML or JSON map. Values are
+      added to the runner's secret-mask list so they don't appear in logs.
 
-      Example:
+      YAML form (recommended):
         secrets: |
-          OPENAI_API_KEY=<openai-api-key>
-          PG_PASSWORD=<pg-password>
+          OPENAI_API_KEY: <openai-api-key>
+          PG_PASSWORD: <pg-password>
+
+      JSON form:
+        secrets: '{"OPENAI_API_KEY":"<openai-api-key>","PG_PASSWORD":"<pg-password>"}'
+
+      Lines beginning with `#` are treated as comments. Secret values can
+      contain any characters; only the secret name is constrained (must
+      start with a letter or underscore, alphanumeric + underscores only).
     required: false
   wait-for-completion:
     description: Poll the deployment until it succeeds or fails.

dist/index.js

@@ -33,8 +33,8 @@ jobs:
             team: data-platform
             commit: ${{ github.sha }}
           secrets: |
-            OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
-            PG_PASSWORD=${{ secrets.PG_PASSWORD }}
+            OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+            PG_PASSWORD: ${{ secrets.PG_PASSWORD }}
           test-sql:        SELECT count(*) AS n FROM taxi_trips
           test-nsql:       Show me revenue by month for the last 6 months
           test-chat:       "Summarize today's top 3 trips"

dist/index.js.map

@@ -97,6 +97,7 @@ export class SpiceApiClient {
       };
       if (body !== undefined) headers["Content-Type"] = "application/json";
 
+      const startMs = Date.now();
       let res: Response;
       try {
         res = await this.fetchImpl(url, {
@@ -105,7 +106,9 @@ export class SpiceApiClient {
           body: body === undefined ? undefined : JSON.stringify(body),
         });
       } catch (err) {
+        const durationMs = Date.now() - startMs;
         lastError = err as Error;
+        core.info(`${method} ${path} → network error in ${durationMs}ms: ${lastError.message}`);
         if (attempt < this.maxAttempts) {
           await this.sleep(this.backoff(attempt));
           continue;
@@ -117,21 +120,44 @@ export class SpiceApiClient {
         );
       }
 
+      // Read the body before logging so the timing covers true end-to-end
+      // request latency (request send → response headers → full body received),
+      // not just time-to-first-byte. 204 No Content has no body to read.
+      let bodyText = "";
+      let bodyError: Error | undefined;
+      if (res.status !== 204) {
+        try {
+          bodyText = await res.text();
+        } catch (err) {
+          bodyError = err as Error;
+        }
+      }
+      const durationMs = Date.now() - startMs;
+      core.info(`${method} ${path} → ${res.status} ${res.statusText} (${durationMs}ms)`);
+
       if (res.status === 204) {
         return undefined as T;
       }
 
+      if (bodyError) {
+        if (attempt < this.maxAttempts) {
+          await this.sleep(this.backoff(attempt));
+          continue;
+        }
+        throw new SpiceApiError(
+          `Failed to read response body for ${method} ${path}: ${bodyError.message}`,
+          res.status,
+          url,
+        );
+      }
+
       if (res.ok) {
-        if (res.status === 202 || res.status === 201 || res.status === 200) {
-          const text = await res.text();
-          if (!text) return undefined as T;
-          try {
-            return JSON.parse(text) as T;
-          } catch {
-            return text as unknown as T;
-          }
+        if (!bodyText) return undefined as T;
+        try {
+          return JSON.parse(bodyText) as T;
+        } catch {
+          return bodyText as unknown as T;
         }
-        return (await res.json()) as T;
       }
 
       if (RETRYABLE_STATUSES.has(res.status) && attempt < this.maxAttempts) {
@@ -143,7 +169,7 @@ export class SpiceApiClient {
         continue;
       }
 
-      const errorBody = await readErrorBody(res);
+      const errorBody = parseErrorBody(bodyText);
       throw new SpiceApiError(
         formatApiError(method, path, res, errorBody),
         res.status,
@@ -170,8 +196,7 @@ export class SpiceApiClient {
   }
 }
 
-async function readErrorBody(res: Response): Promise<ApiErrorBody | string | undefined> {
-  const text = await res.text().catch(() => "");
+function parseErrorBody(text: string): ApiErrorBody | string | undefined {
   if (!text) return undefined;
   try {
     return JSON.parse(text) as ApiErrorBody;

examples/full.yml

@@ -51,7 +51,6 @@ export async function runDeploy(
 
   const body = buildDeploymentBody(inputs);
   core.startGroup("Trigger deployment");
-  core.info(`POST /v1/apps/${app.id}/deployments`);
   core.info(`Payload: ${JSON.stringify(body)}`);
   const deployment = await api.createDeployment(app.id, body);
   core.info(`Deployment created (id=${deployment.id}, status=${deployment.status}).`);
@@ -162,7 +161,7 @@ async function maybeUpdateAppMetadata(
   const merged = { ...(app.tags ?? {}), ...tags };
   const update: UpdateAppBody = { tags: merged };
   core.startGroup("Update app tags");
-  core.info(`PUT /v1/apps/${app.id} tags=${JSON.stringify(merged)}`);
+  core.info(`Tags: ${JSON.stringify(merged)}`);
   await api.updateApp(app.id, update);
   core.endGroup();
 }
@@ -192,7 +191,7 @@ async function maybeUpsertSecrets(
 
   core.startGroup(`Upsert ${secrets.length} secret(s)`);
   for (const secret of secrets) {
-    core.info(`POST /v1/apps/${app.id}/secrets — ${secret.name}`);
+    core.info(`Secret: ${secret.name}`);
     await api.upsertSecret(app.id, secret.name, secret.value);
   }
   core.endGroup();