migrate to onepassword version 2.30.0

.github/workflows/test.yml

@@ -16,7 +16,7 @@ jobs:
           npm install
       - run: |
           npm run all
-  test: # make sure the action works on a clean machine without building
+  test: # make sure the action works
     strategy:
       matrix:
         runs-on: [macos-latest, ubuntu-20.04, ubuntu-22.04, ubuntu-latest]
@@ -30,6 +30,10 @@ jobs:
       - name: Checkout Github
         uses: actions/checkout@v3
         if: ${{ !env.ACT }}
+      - name: Install dependencies
+        run: npm install
+      - name: Build Typescript
+        run: npm run all
       - name: Test Action
         uses: ./
         id: secrets

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.0.0
+
+- Migrated from 1Password CLI version 1.8.0 to 2.30.0
+
 ## 2.1.0
 
 - Support for multi word names. Resolves [#54](https://github.com/RobotsAndPencils/1password-action/issues/54)

__tests__/parsing.test.ts

@@ -42,15 +42,19 @@ test('parses multiple unquoted, renamed items', async () => {
 })
 
 test('parses single unquoted multi word item', async () => {
-  const output = parseItemRequestsInput('GitHub Action Test Vault > Test Login Four Words')
+  const output = parseItemRequestsInput(
+    'GitHub Action Test Vault > Test Login Four Words'
+  )
   expect(output).toHaveLength(1)
   expect(output[0].vault).toBe('GitHub Action Test Vault')
   expect(output[0].name).toBe('Test Login Four Words')
   expect(output[0].outputName).toBe('test_login_four_words')
 })
 
 test('parses single unquoted multi word item separated by periods', async () => {
-  const output = parseItemRequestsInput('GitHub Action Test Vault > Test.Login.Four.Words')
+  const output = parseItemRequestsInput(
+    'GitHub Action Test Vault > Test.Login.Four.Words'
+  )
   expect(output).toHaveLength(1)
   expect(output[0].vault).toBe('GitHub Action Test Vault')
   expect(output[0].name).toBe('Test.Login.Four.Words')

src/1password.ts

@@ -3,7 +3,7 @@ import {install} from './install'
 import * as tc from '@actions/tool-cache'
 import {execWithOutput} from './exec'
 
-const ONE_PASSWORD_VERSION = '1.8.0'
+const ONE_PASSWORD_VERSION = '2.30.0'
 
 export class OnePassword {
   onePasswordEnv: {[key: string]: string}
@@ -37,13 +37,18 @@ export class OnePassword {
       const output = await execWithOutput(
         'op',
         [
-          'signin',
+          'account',
+          'add',
+          '--address',
           signInAddress,
+          '--email',
           emailAddress,
+          '--secret-key',
           secretKey,
           '--raw',
           '--shorthand',
-          'github_action'
+          'github_action',
+          '--signin'
         ],
         {
           env,
@@ -67,23 +72,31 @@ export class OnePassword {
   async listItemsInVault(vault: string): Promise<string> {
     const env = this.onePasswordEnv
 
-    return await execWithOutput('op', ['list', 'items', '--vault', vault], {
-      env
-    })
+    return await execWithOutput(
+      'op',
+      ['item', 'list', '--vault', vault, '--format=json'],
+      {
+        env
+      }
+    )
   }
 
   async getItemInVault(vault: string, uuid: string): Promise<string> {
     const env = this.onePasswordEnv
-    return await execWithOutput('op', ['get', 'item', uuid, '--vault', vault], {
-      env
-    })
+    return await execWithOutput(
+      'op',
+      ['item', 'get', uuid, '--vault', vault, '--format=json'],
+      {
+        env
+      }
+    )
   }
 
   async getDocument(uuid: string, filename: string): Promise<void> {
     const env = this.onePasswordEnv
     await execWithOutput(
       'op',
-      ['get', 'document', uuid, '--output', filename],
+      ['document', 'get', uuid, '--output', filename],
       {
         env
       }
@@ -92,6 +105,6 @@ export class OnePassword {
 
   async signOut(): Promise<void> {
     const env = this.onePasswordEnv
-    await execWithOutput('op', ['signout', '--forget'], {env})
+    await execWithOutput('op', ['signout', '--account', 'github_action', '--forget'], {env})
   }
 }

src/install.ts

@@ -4,48 +4,24 @@ import {mv} from '@actions/io'
 import {chmod} from '@actions/io/lib/io-util'
 import * as tc from '@actions/tool-cache'
 import * as exec from '@actions/exec'
-import {execWithOutput} from './exec'
 
-const CERT_IDENTIFIER = 'Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)'
 const KEY_FINGERPRINT = '3FEF9748469ADBE15DA7CA80AC2D62742012EA22'
 
 export async function install(onePasswordVersion: string): Promise<void> {
   const platform = os.platform().toLowerCase()
 
-  let extension = 'zip'
+  let arch = 'amd64'
   if (platform === 'darwin') {
-    extension = 'pkg'
+    arch = 'arm64'
   }
-  const onePasswordUrl = `https://cache.agilebits.com/dist/1P/op/pkg/v${onePasswordVersion}/op_${platform}_amd64_v${onePasswordVersion}.${extension}`
-  const archive = await tc.downloadTool(onePasswordUrl)
+  const onePasswordUrl = `https://cache.agilebits.com/dist/1P/op2/pkg/v${onePasswordVersion}/op_${platform}_${arch}_v${onePasswordVersion}.zip`
   core.info(
     `Downloading ${onePasswordVersion} for ${platform} from ${onePasswordUrl}`
   )
+  const archive = await tc.downloadTool(onePasswordUrl)
+  const extracted = await tc.extractZip(archive)
 
-  let extracted: string
-  if (platform === 'darwin') {
-    const signatureCheck = await execWithOutput('pkgutil', [
-      '--check-signature',
-      archive
-    ])
-    if (signatureCheck.includes(CERT_IDENTIFIER) === false) {
-      throw new Error(
-        `Signature verification of the installer package downloaded from ${onePasswordUrl} failed.\nExpecting it to include ${CERT_IDENTIFIER}.\nReceived:\n${signatureCheck}`
-      )
-    } else {
-      core.info('Verified the code signature of the installer package.')
-    }
-
-    // Expanding the package manually to avoid needing an admin password for installation and to be able to put it into the tool cache.
-    const destination = 'op.unpkg'
-    await exec.exec('pkgutil', ['--expand', archive, destination])
-    await exec.exec(
-      `/bin/bash -c "cat ${destination}/Payload | gzip -d | cpio -id"`
-    )
-    extracted = '.'
-  } else {
-    extracted = await tc.extractZip(archive)
-
+  if (platform !== 'darwin') {
     await exec.exec('gpg', [
       '--keyserver',
       'keyserver.ubuntu.com',