From afd797f2f36670312fc2b5d739d79669d8c54c73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20St=C3=B8vring?= Date: Mon, 19 Jan 2026 15:56:51 +0100 Subject: [PATCH 1/3] Decouples 1Password --- README.md | 21 ++++++++-- .../README.md | 34 ++++++++------- .../action.yml | 42 +++++++++++-------- install-asc-api-key/README.md | 16 +++---- install-asc-api-key/action.yml | 34 ++++++++++----- install-certificate/README.md | 32 +++++++++----- install-certificate/action.yml | 28 +++++++++---- install-ci-ssh-key/action.yml | 7 +++- install-provisioning-profile/README.md | 13 +++++- install-provisioning-profile/action.yml | 20 +++++++-- install-shipshape/README.md | 11 +---- install-shipshape/action.yml | 14 ++++--- install-ssh-key/README.md | 23 +++++++--- install-ssh-key/action.yml | 40 ++++++++++++------ jira-comment/README.md | 4 +- jira-comment/action.yml | 20 +++------ loco-translation-status-checker/README.md | 4 +- loco-translation-status-checker/action.yml | 9 ++-- loco-translation-status-poster/README.md | 6 +-- loco-translation-status-poster/action.yml | 14 +++---- post-slack-message/README.md | 21 +++------- post-slack-message/action.yml | 13 ++---- upload-apk-shipshape/README.md | 9 +++- upload-apk-shipshape/action.yml | 34 ++++++++++----- upload-artifact-firebase/README.md | 22 +++++----- upload-artifact-firebase/action.yml | 33 +++++++++------ 26 files changed, 319 insertions(+), 205 deletions(-) diff --git a/README.md b/README.md index 201e93be..0b6cdd12 100644 --- a/README.md +++ b/README.md 
@@ -29,9 +29,24 @@ ## 🚀 Getting Started -Several of these actions depend on the 1Password CLI being installed. Please use 1Password's [install-cli-action](https://github.com/1Password/install-cli-action) action to install the 1Password CLI or [load-secrets-action](https://github.com/1Password/load-secrets-action) to load secrets into the workflow's environment. - -Inputs prefixed with `op-` expect a 1Password item reference, for example `op://My Vault/My Item/field`. The action will use `op read` to fetch the value or file from 1Password at runtime. +Most actions expect secrets to be provided directly via inputs. If you use 1Password's load-secrets-action, run it before these actions and pass the resulting environment variables or file paths into the inputs. + +Example using 1Password load-secrets-action: + +```yml +- name: Load secrets from 1Password + id: op + uses: 1password/load-secrets-action@v3 + env: + SLACK_TOKEN: op://GitHub Actions/Slack Token/token + +- name: Post to Slack + uses: shapehq/actions/post-slack-message@v1 + with: + channel: "#builds" + message: "Build started" + slack-token: ${{ steps.op.outputs.SLACK_TOKEN }} +``` Click on any action name below to view detailed documentation, usage examples, and configuration options for that specific action. diff --git a/build-and-upload-to-app-store-connect/README.md b/build-and-upload-to-app-store-connect/README.md index 364e7db7..1623e14b 100644 --- a/build-and-upload-to-app-store-connect/README.md +++ b/build-and-upload-to-app-store-connect/README.md 
@@ -9,11 +9,11 @@ As a side effect, the action will upload the dSYM files as an artifact to the jo with: scheme: Example configuration: Debug - op-app-store-connect-api-key-issuer-id-reference: op://GitHub Actions/Company App Store Connect API Key/Issuer ID - op-app-store-connect-api-key-id-reference: op://GitHub Actions/Company App Store Connect API Key/Key ID - op-app-store-connect-api-key-file-reference: op://GitHub Actions/Company App Store Connect API Key/AuthKey.p8 - op-development-certificate-reference: op://GitHub Actions/Company Development Certificate/Certificate.p12 - op-development-certificate-password-reference: op://GitHub Actions/Company Development Certificate/password + app-store-connect-api-key-issuer-id: ${{ secrets.ASC_KEY_ISSUER_ID }} + app-store-connect-api-key-id: ${{ secrets.ASC_KEY_ID }} + app-store-connect-api-key-base64: ${{ secrets.ASC_KEY_BASE64 }} + development-certificate-base64: ${{ secrets.DEVELOPMENT_CERTIFICATE_BASE64 }} + development-certificate-password: ${{ secrets.DEVELOPMENT_CERTIFICATE_PASSWORD }} ``` You may use the `marketing-version` and `build-number` inputs to automatically set a version number and build number prior to building the project. 
@@ -26,11 +26,11 @@ You may use the `marketing-version` and `build-number` inputs to automatically s configuration: Debug marketing-version: ${{ inputs.version_number }} build-number: ${{ github.run_number }} - op-app-store-connect-api-key-issuer-id-reference: op://GitHub Actions/Company App Store Connect API Key/Issuer ID - op-app-store-connect-api-key-id-reference: op://GitHub Actions/Company App Store Connect API Key/Key ID - op-app-store-connect-api-key-file-reference: op://GitHub Actions/Company App Store Connect API Key/AuthKey.p8 - op-development-certificate-reference: op://GitHub Actions/Company Development Certificate/Certificate.p12 - op-development-certificate-password-reference: op://GitHub Actions/Company Development Certificate/password + app-store-connect-api-key-issuer-id: ${{ secrets.ASC_KEY_ISSUER_ID }} + app-store-connect-api-key-id: ${{ secrets.ASC_KEY_ID }} + app-store-connect-api-key-base64: ${{ secrets.ASC_KEY_BASE64 }} + development-certificate-base64: ${{ secrets.DEVELOPMENT_CERTIFICATE_BASE64 }} + development-certificate-password: ${{ secrets.DEVELOPMENT_CERTIFICATE_PASSWORD }} ``` The action supports the following inputs. 
@@ -43,13 +43,15 @@ The action supports the following inputs. | marketing-version | No | | The marketing version number of the app, such as "1.0.0". This sets the MARKETING_VERSION in Xcode, determining the version displayed on the App Store. | | build-number | No | | An incrementing number specifying the build version, which is used to uniquely identify an archive or build sent to the App Store Connect. | | testflight-internal-testing-only | Yes | false | When enabled, the build cannot be distributed via external TestFlight or the App Store. Must be either "true" or "false". | -| op-app-store-connect-api-key-issuer-id-reference | Yes | | A reference to the location in 1Password where the Issuer ID for the App Store Connect API key is stored. This ID is crucial for API interactions with App Store Connect. | -| op-app-store-connect-api-key-id-reference | Yes | | A reference to the location in 1Password where the App Store Connect API Key ID is stored, used for authentication during API requests. | -| op-app-store-connect-api-key-file-reference | Yes | | A reference to the 1Password field containing the AuthKey.p8 file, essential for establishing connections to App Store Connect. | -| op-development-certificate-reference | Yes | | Points to a field in 1Password where the development certificate and its corresponding private key (.p12 file) are stored, necessary for signing the app during the development phase. | -| op-development-certificate-password-reference | Yes | | Indicates the location in 1Password where the password for decrypting the development certificate (.p12 file) is kept. | +| app-store-connect-api-key-issuer-id | Yes | | Issuer ID for the App Store Connect API key. | +| app-store-connect-api-key-id | Yes | | App Store Connect API Key ID. | +| app-store-connect-api-key-base64 | No | | Base64-encoded AuthKey.p8 file. Provide this or `app-store-connect-api-key-file`. | +| app-store-connect-api-key-file | No | | Path to an AuthKey.p8 file. 
Provide this or `app-store-connect-api-key-base64`. | +| development-certificate-base64 | No | | Base64-encoded development certificate (.p12). Provide this or `development-certificate-file`. | +| development-certificate-file | No | | Path to a development certificate (.p12). Provide this or `development-certificate-base64`. | +| development-certificate-password | Yes | | Password for decrypting the development certificate (.p12 file). | | additional-archive-args | No | | Additional arguments passed to xcodebuild when archiving the app. | | additional-altool-args | No | | Additional arguments passed to altool when uploading the app. | | build-directory | Yes | .build | Defines the directory where the build artifacts, like the final binary or intermediate files, will be stored. | | dsyms-archive-name | Yes | dSYMs | Name of the uploaded archive containing the dSYMs. | -| pretty-xcodebuild-output | Yes | true | Whether to pipe xcodebuild output through [xcbeautify](https://github.com/cpisciotta/xcbeautify) for prettier formatting. | \ No newline at end of file +| pretty-xcodebuild-output | Yes | true | Whether to pipe xcodebuild output through [xcbeautify](https://github.com/cpisciotta/xcbeautify) for prettier formatting. | diff --git a/build-and-upload-to-app-store-connect/action.yml b/build-and-upload-to-app-store-connect/action.yml index 49f659d7..2c66effb 100644 --- a/build-and-upload-to-app-store-connect/action.yml +++ b/build-and-upload-to-app-store-connect/action.yml 
@@ -21,20 +21,26 @@ inputs: description: When enabled, the build cannot be distributed via external TestFlight or the App Store. Must be either "true" or "false". default: false required: true - op-app-store-connect-api-key-issuer-id-reference: - description: A reference to the location in 1Password where the Issuer ID for the App Store Connect API key is stored. This ID is crucial for API interactions with App Store Connect. + app-store-connect-api-key-issuer-id: + description: Issuer ID for the App Store Connect API key. required: true - op-app-store-connect-api-key-id-reference: - description: A reference to the location in 1Password where the App Store Connect API Key ID is stored, used for authentication during API requests. + app-store-connect-api-key-id: + description: App Store Connect API Key ID. required: true - op-app-store-connect-api-key-file-reference: - description: A reference to the 1Password field containing the AuthKey.p8 file, essential for establishing connections to App Store Connect. - required: true - op-development-certificate-reference: - description: Points to a field in 1Password where the development certificate and its corresponding private key (.p12 file) are stored, necessary for signing the app during the development phase. - required: true - op-development-certificate-password-reference: - description: Indicates the location in 1Password where the password for decrypting the development certificate (.p12 file) is kept. + app-store-connect-api-key-base64: + description: Base64-encoded AuthKey.p8 file. + required: false + app-store-connect-api-key-file: + description: Path to an AuthKey.p8 file. + required: false + development-certificate-base64: + description: Base64-encoded development certificate (.p12). + required: false + development-certificate-file: + description: Path to a development certificate (.p12). 
+ required: false + development-certificate-password: + description: Password for decrypting the development certificate (.p12 file). required: true additional-archive-args: description: Additional arguments passed to xcodebuild when archiving the app. @@ -61,15 +67,17 @@ runs: id: install-app-store-connect-api-key uses: shapehq/actions/install-asc-api-key@v1 with: - op-asc-key-issuer-id-reference: ${{ inputs.op-app-store-connect-api-key-issuer-id-reference }} - op-asc-key-id-reference: ${{ inputs.op-app-store-connect-api-key-id-reference }} - op-asc-key-file-reference: ${{ inputs.op-app-store-connect-api-key-file-reference }} + asc-key-issuer-id: ${{ inputs.app-store-connect-api-key-issuer-id }} + asc-key-id: ${{ inputs.app-store-connect-api-key-id }} + asc-key-base64: ${{ inputs.app-store-connect-api-key-base64 }} + asc-key-file: ${{ inputs.app-store-connect-api-key-file }} output-asc-key-file-directory: ~/.private_keys - name: Install Development Certificate uses: shapehq/actions/install-certificate@v1 with: - password-op-reference: ${{ inputs.op-development-certificate-password-reference }} - certificate-op-reference: ${{ inputs.op-development-certificate-reference }} + certificate-password: ${{ inputs.development-certificate-password }} + certificate-base64: ${{ inputs.development-certificate-base64 }} + certificate-file: ${{ inputs.development-certificate-file }} - name: Create Export Options Plist id: create-export-options-plist working-directory: ${{ inputs.working-directory }} diff --git a/install-asc-api-key/README.md b/install-asc-api-key/README.md index c667e76b..a70d6d6f 100644 --- a/install-asc-api-key/README.md +++ b/install-asc-api-key/README.md 
@@ -7,21 +7,23 @@ Installs an App Store Connect API key file on the runner and outputs the issuer id: install-asc-api-key uses: shapehq/actions/install-asc-api-key@v1 with: - op-asc-key-issuer-id-reference: op://My Vault/My App Store Connect API Key/Issuer ID - op-asc-key-id-reference: op://My Vault/My App Store Connect API Key/Key ID - op-asc-key-file-reference: op://My Vault/My App Store Connect API Key/AuthKey.p8 + asc-key-issuer-id: ${{ secrets.ASC_KEY_ISSUER_ID }} + asc-key-id: ${{ secrets.ASC_KEY_ID }} + asc-key-base64: ${{ secrets.ASC_KEY_BASE64 }} ``` You may optionally pass the `output-asc-key-file-directory` parameter to specify the directory in which to store the AuthKey file. This defaults to the current directory. +If you already have the AuthKey file on disk, you can pass `asc-key-file` instead of `asc-key-base64`. + ```yml - name: Install App Store Connect API Key id: install-asc-api-key uses: shapehq/actions/install-asc-api-key@v1 with: - op-asc-key-issuer-id-reference: op://My Vault/My App Store Connect API Key/Issuer ID - op-asc-key-id-reference: op://My Vault/My App Store Connect API Key/Key ID - op-asc-key-file-reference: op://My Vault/My App Store Connect API Key/AuthKey.p8 + asc-key-issuer-id: ${{ secrets.ASC_KEY_ISSUER_ID }} + asc-key-id: ${{ secrets.ASC_KEY_ID }} + asc-key-base64: ${{ secrets.ASC_KEY_BASE64 }} output-asc-key-file-directory: ./private_keys ``` @@ -43,4 +45,4 @@ The outputs can be used to access the API key. The following example shows how t ASC_API_KEY_ISSUER_ID: ${{ steps.install-asc-api-key.outputs.issuer-id }} ASC_API_KEY_ID: ${{ steps.install-asc-api-key.outputs.key-id }} ASC_API_KEY: ${{ steps.install-asc-api-key.outputs.key-file-path }} -``` \ No newline at end of file +``` diff --git a/install-asc-api-key/action.yml b/install-asc-api-key/action.yml index f2d67c23..3372ef4b 100644 --- a/install-asc-api-key/action.yml +++ b/install-asc-api-key/action.yml 
@@ -1,11 +1,13 @@ name: Install App Store Connect API Key inputs: - op-asc-key-issuer-id-reference: + asc-key-issuer-id: required: true - op-asc-key-id-reference: - required: true - op-asc-key-file-reference: + asc-key-id: required: true + asc-key-base64: + required: false + asc-key-file: + required: false output-asc-key-file-directory: required: false default: . @@ -23,22 +25,32 @@ runs: steps: - id: read run: | - # Read issuer id - issuer_id=$(op read "${{ inputs.op-asc-key-issuer-id-reference }}") + set -euo pipefail + issuer_id="${{ inputs.asc-key-issuer-id }}" + key_id="${{ inputs.asc-key-id }}" + if [ -z "$issuer_id" ] || [ -z "$key_id" ]; then + echo "Error: asc-key-issuer-id and asc-key-id are required." + exit 1 + fi echo "issuer_id=${issuer_id}" >> $GITHUB_OUTPUT - - # Read key id - key_id=$(op read "${{ inputs.op-asc-key-id-reference }}") echo "key_id=${key_id}" >> $GITHUB_OUTPUT # Ensure output directory exists eval output_dir="${{ inputs.output-asc-key-file-directory }}" mkdir -p "$output_dir" - # Read key file + # Write key file key_filename="AuthKey_${key_id}.p8" key_file_path="${output_dir}/${key_filename}" - op read --out-file "${key_file_path}" "${{ inputs.op-asc-key-file-reference }}" + if [[ -n "${{ inputs.asc-key-base64 }}" ]]; then + printf '%s' "${{ inputs.asc-key-base64 }}" | openssl base64 -d -A -out "${key_file_path}" + elif [[ -n "${{ inputs.asc-key-file }}" ]]; then + eval asc_key_file="${{ inputs.asc-key-file }}" + cp "${asc_key_file}" "${key_file_path}" + else + echo "Error: Provide asc-key-base64 or asc-key-file." + exit 1 + fi key_full_file_path=$(readlink -f $key_file_path) echo "key_filename=${key_filename}" >> $GITHUB_OUTPUT echo "key_file_path=${key_full_file_path}" >> $GITHUB_OUTPUT diff --git a/install-certificate/README.md b/install-certificate/README.md index 8792ae9f..2bcb2fc3 100644 --- a/install-certificate/README.md +++ b/install-certificate/README.md 
@@ -6,20 +6,30 @@ Installs the specified certificate in the keychain. - name: Install Certificate uses: shapehq/actions/install-certificate@v1 with: - password-op-reference: op://My Vault/My Certificate/password - certificate-op-reference: op://My Vault/My Certificate/Certificate.p12 + certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }} + certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }} ``` Note that you must supply a password. Empty passwords are not supported. +You may supply a file path instead of base64: + +```yml +- name: Install Certificate + uses: shapehq/actions/install-certificate@v1 + with: + certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }} + certificate-file: ${{ env.CERTIFICATE_PATH }} +``` + The action makes the keychain the default keychain on the system. You can disable this as shown below. ```yml - name: Install Certificate uses: shapehq/actions/install-certificate@v1 with: - password-op-reference: op://My Vault/My Certificate/password - certificate-op-reference: op://My Vault/My Certificate/Certificate.p12 + certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }} + certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }} set-default-keychain: false ``` @@ -29,8 +39,8 @@ You may optionally specify the name of the keychain to install the certificate a - name: Install Certificate uses: shapehq/actions/install-certificate@v1 with: - password-op-reference: op://My Vault/My Certificate/password - certificate-op-reference: op://My Vault/My Certificate/Certificate.p12 + certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }} + certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }} keychain-name: signing.keychain keychain-password: h3ll0w0rld ``` 
@@ -47,13 +57,13 @@ The keychain will be created with a random password if no password is specified. - name: Install First Certificate uses: shapehq/actions/install-certificate@v1 with: - password-op-reference: op://My Vault/First Certificate/password - certificate-op-reference: op://My Vault/First Certificate/Certificate.p12 + certificate-password: ${{ secrets.FIRST_CERTIFICATE_PASSWORD }} + certificate-base64: ${{ secrets.FIRST_CERTIFICATE_BASE64 }} keychain-password: ${{ steps.generate-keychain-password.outputs.password }} - name: Install Second Certificate uses: shapehq/actions/install-certificate@v1 with: - password-op-reference: op://My Vault/Second Certificate/password - certificate-op-reference: op://My Vault/Second Certificate/Certificate.p12 + certificate-password: ${{ secrets.SECOND_CERTIFICATE_PASSWORD }} + certificate-base64: ${{ secrets.SECOND_CERTIFICATE_BASE64 }} keychain-password: ${{ steps.generate-keychain-password.outputs.password }} -``` \ No newline at end of file +``` diff --git a/install-certificate/action.yml b/install-certificate/action.yml index eb1b28da..23d92f8a 100644 --- a/install-certificate/action.yml +++ b/install-certificate/action.yml @@ -2,12 +2,15 @@ name: Install Certificate description: Installs a certificate in the keychain. author: Simon B. Støvring inputs: - password-op-reference: - description: Reference to the password for the certificate in 1Password. - required: true - certificate-op-reference: - description: Reference to the certificate in 1Password. + certificate-password: + description: Password for the certificate. required: true + certificate-base64: + description: Base64-encoded certificate (.p12). + required: false + certificate-file: + description: Path to a certificate file (.p12). + required: false keychain-name: description: Name of the keychain to add the certificate to. The keychain will be created if it does not exist. required: false 
@@ -24,8 +27,9 @@ runs: steps: - name: Install Certificate run: | - CERTIFICATE_PASSWORD=$(op read "${{ inputs.password-op-reference }}") - CERTIFICATE_FILE_PATH=$(uuidgen).p12 + set -euo pipefail + CERTIFICATE_PASSWORD="${{ inputs.certificate-password }}" + CERTIFICATE_FILE_PATH=$(mktemp) INPUT_KEYCHAIN_PASSWORD_VALUE="${{ inputs.keychain-password }}" KEYCHAIN_PASSWORD="${INPUT_KEYCHAIN_PASSWORD_VALUE:-$(uuidgen)}" KEYCHAIN_NAME="${{ inputs.keychain-name }}" @@ -35,7 +39,15 @@ runs: echo "The password for the certificate cannot be empty." exit 1 fi - op read --out-file $CERTIFICATE_FILE_PATH "${{ inputs.certificate-op-reference }}" + if [[ -n "${{ inputs.certificate-base64 }}" ]]; then + printf '%s' "${{ inputs.certificate-base64 }}" | openssl base64 -d -A -out "$CERTIFICATE_FILE_PATH" + elif [[ -n "${{ inputs.certificate-file }}" ]]; then + eval certificate_file="${{ inputs.certificate-file }}" + cp "$certificate_file" "$CERTIFICATE_FILE_PATH" + else + echo "Error: Provide certificate-base64 or certificate-file." + exit 1 + fi if [ ! -f "$KEYCHAIN_DB_PATH" ]; then security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security list-keychains -d user -s $KEYCHAIN_DB_PATH $(security list-keychains -d user | sed s/\"//g) diff --git a/install-ci-ssh-key/action.yml b/install-ci-ssh-key/action.yml index 6a34ebd6..3b0c4051 100644 --- a/install-ci-ssh-key/action.yml +++ b/install-ci-ssh-key/action.yml @@ -9,8 +9,13 @@ inputs: runs: using: composite steps: + - name: Load CI SSH Key + id: ci-ssh-key + uses: 1password/load-secrets-action@v3 + env: + CI_SSH_KEY: op://GitHub Actions/CI SSH Private Key/ci-ssh-key - name: Install CI SSH Key uses: shapehq/actions/install-ssh-key@v1 with: - op-reference: op://GitHub Actions/CI SSH Private Key/ci-ssh-key + ssh-key: ${{ steps.ci-ssh-key.outputs.CI_SSH_KEY }} filename: ${{ inputs.filename }} diff --git a/install-provisioning-profile/README.md b/install-provisioning-profile/README.md index ff95c5af..0696c57d 100644 
--- a/install-provisioning-profile/README.md +++ b/install-provisioning-profile/README.md @@ -6,5 +6,14 @@ Installs a provisioning profile. - name: Install Provisioning Profile uses: shapehq/actions/install-provisioning-profile@v1 with: - op-reference: op://My Vault/My Provisioning Profile/profile.mobileprovision -``` \ No newline at end of file + provisioning-profile-base64: ${{ secrets.PROVISIONING_PROFILE_BASE64 }} +``` + +Alternatively, provide a file path to a provisioning profile: + +```yml +- name: Install Provisioning Profile + uses: shapehq/actions/install-provisioning-profile@v1 + with: + provisioning-profile-file: ${{ env.PROVISIONING_PROFILE_PATH }} +``` diff --git a/install-provisioning-profile/action.yml b/install-provisioning-profile/action.yml index a1d56db1..ba782478 100644 --- a/install-provisioning-profile/action.yml +++ b/install-provisioning-profile/action.yml 
@@ -2,16 +2,28 @@ name: Install Provisioning Profile description: Installs a provisioning profile author: Simon B. Støvring inputs: - op-reference: - description: Reference to the provisioning profile in 1Password. - required: true + provisioning-profile-base64: + description: Base64-encoded provisioning profile (.mobileprovision). + required: false + provisioning-profile-file: + description: Path to a provisioning profile file (.mobileprovision). + required: false runs: using: composite steps: - name: Install Provisioning Profile run: | + set -euo pipefail PROVISIONING_PROFILE_DIR=~/Library/MobileDevice/Provisioning\ Profiles PROVISIONING_PROFILE_FILE_PATH=$PROVISIONING_PROFILE_DIR/$(uuidgen).mobileprovision mkdir -p "${PROVISIONING_PROFILE_DIR}" - op read --out-file "${PROVISIONING_PROFILE_FILE_PATH}" "${{ inputs.op-reference }}" + if [[ -n "${{ inputs.provisioning-profile-base64 }}" ]]; then + printf '%s' "${{ inputs.provisioning-profile-base64 }}" | openssl base64 -d -A -out "${PROVISIONING_PROFILE_FILE_PATH}" + elif [[ -n "${{ inputs.provisioning-profile-file }}" ]]; then + eval provisioning_profile_file="${{ inputs.provisioning-profile-file }}" + cp "${provisioning_profile_file}" "${PROVISIONING_PROFILE_FILE_PATH}" + else + echo "Error: Provide provisioning-profile-base64 or provisioning-profile-file." + exit 1 + fi shell: bash diff --git a/install-shipshape/README.md b/install-shipshape/README.md index 4e0a61cc..b72d1e4a 100644 --- a/install-shipshape/README.md +++ b/install-shipshape/README.md 
@@ -5,13 +5,6 @@ Installs Shipshape and sets an activation code. ```yml - name: Install Shipshape uses: shapehq/actions/install-shipshape@v1 -``` - -You may optionally specify an activation code to be used by Shipshape. You will likely want to use the default activation code though. - -```yml -- name: Install CI SSH Key - uses: shapehq/actions/install-shipshape@v1 with: - op-reference: op://My Vault/My Shipshape Activation Code/password -``` \ No newline at end of file + activation-code: ${{ secrets.SHIPSHAPE_ACTIVATION_CODE }} +``` diff --git a/install-shipshape/action.yml b/install-shipshape/action.yml index 7d57e917..4add9dac 100644 --- a/install-shipshape/action.yml +++ b/install-shipshape/action.yml @@ -2,10 +2,9 @@ name: Install Shipshape description: Installs Shipshape and sets an activation code. author: Simon B. Støvring inputs: - op-reference: - description: Reference to the activation code in 1Password. - required: false - default: "op://GitHub Actions/CI Shipshape Activation Code/password" + activation-code: + description: Activation code for Shipshape. + required: true runs: using: composite steps: @@ -14,6 +13,11 @@ runs: shell: bash - name: Setup Shipshape Activation Code run: | - SHIPSHAPE_ACTIVATION_CODE=$(op read "${{ inputs.op-reference }}") + set -euo pipefail + SHIPSHAPE_ACTIVATION_CODE="${{ inputs.activation-code }}" + if [ -z "$SHIPSHAPE_ACTIVATION_CODE" ]; then + echo "Error: activation-code cannot be empty." + exit 1 + fi echo '{"ship_activation_code":"'${SHIPSHAPE_ACTIVATION_CODE}'"}' > ~/shape-dev.config shell: bash diff --git a/install-ssh-key/README.md b/install-ssh-key/README.md index 4b3bc672..55e1d0c6 100644 --- a/install-ssh-key/README.md +++ b/install-ssh-key/README.md 
@@ -6,17 +6,17 @@ Installs an SSH key or a [deploy key](https://docs.github.com/en/authentication/ - name: Install SSH Key uses: shapehq/actions/install-ssh-key@v1 with: - op-reference: op://My Vault/My SSH Key/ssh-key + ssh-key: ${{ secrets.SSH_KEY }} ``` -Set the `op-password-reference` input to install a password-protected SSH key. +Set the `ssh-key-password` input to install a password-protected SSH key. ```yml - name: Install SSH Key uses: shapehq/actions/install-ssh-key@v1 with: - op-reference: op://My Vault/My SSH Key/ssh-key - op-password-reference: op://My Vault/My SSH Key/password + ssh-key: ${{ secrets.SSH_KEY }} + ssh-key-password: ${{ secrets.SSH_KEY_PASSWORD }} ``` You may optionally specify the name of the file to store the SSH key in. Only do this if you are storing multiple SSH keys to avoid overriding an SSH key. @@ -25,14 +25,25 @@ You may optionally specify the name of the file to store the SSH key in. Only do - name: Install SSH Key uses: shapehq/actions/install-ssh-key@v1 with: - op-reference: op://My Vault/My SSH Key/ssh-key + ssh-key: ${{ secrets.SSH_KEY }} filename: my_ssh_key ``` +If you already have the key on disk, you may pass `ssh-key-file` instead: + +```yml +- name: Install SSH Key + uses: shapehq/actions/install-ssh-key@v1 + with: + ssh-key-file: ${{ env.SSH_KEY_PATH }} +``` + +If your key is base64-encoded, use `ssh-key-base64`. + Attempting to install multiple SSH keys with the same name will cause the SSH key to be overwritten. When installing multiple SSH keys, you may need to specify which SSH key to use when accessing a repository. For example, you may clone a repository using a specific SSH key by setting the `GIT_SSH_COMMAND` environment variable as shown below: ```bash GIT_SSH_COMMAND='ssh -i ~/.ssh/my_ssh_key’ git clone git@github.com:shapehq/example.git -``` \ No newline at end of file +``` diff --git a/install-ssh-key/action.yml b/install-ssh-key/action.yml index d5b46899..f6e896e8 100644 --- a/install-ssh-key/action.yml 
+++ b/install-ssh-key/action.yml @@ -1,22 +1,29 @@ -name: Install SSH Key with 1Password -description: Installs a SSH key read from 1Password +name: Install SSH Key +description: Installs an SSH key author: Simon B. Støvring inputs: - op-reference: - description: Reference to the SSH key in 1Password. - required: true + ssh-key: + description: SSH private key contents. + required: false + ssh-key-base64: + description: Base64-encoded SSH private key. + required: false + ssh-key-file: + description: Path to an SSH private key file. + required: false filename: description: Name of the file to store the key in. required: false default: id_rsa - op-password-reference: - description: Reference to the password for the SSH key in 1Password. + ssh-key-password: + description: Password for the SSH key. required: false runs: using: composite steps: - name: Install SSH Key run: | + set -euo pipefail # Helper function used to cause ssh-add to timeout instead of hanging indefinitely upon error. function timeout() { perl -e 'alarm shift; exec @ARGV' "$@" > /dev/null 2>&1 
@@ -35,17 +42,26 @@ runs: ssh-agent -a $SSH_AUTH_SOCK > /dev/null 2>&1 || true # Set password if needed. - if [[ -n "${{ inputs.op-password-reference }}" ]]; then - SSH_KEY_PASSWORD=$(op read "${{ inputs.op-password-reference }}") - fi + SSH_KEY_PASSWORD="${{ inputs.ssh-key-password }}" # Remove the SSH key if it exists. ssh-add -d "$SSH_KEY_PATH" &>/dev/null || true rm -f "$SSH_KEY_PATH" - # Load the SSH key from 1Password. + # Write the SSH key to disk. mkdir -p ~/.ssh - op read --out-file "$SSH_KEY_PATH" "${{ inputs.op-reference }}" + if [[ -n "${{ inputs.ssh-key-base64 }}" ]]; then + printf '%s' "${{ inputs.ssh-key-base64 }}" | openssl base64 -d -A -out "$SSH_KEY_PATH" + elif [[ -n "${{ inputs.ssh-key }}" ]]; then + printf '%s' "${{ inputs.ssh-key }}" > "$SSH_KEY_PATH" + elif [[ -n "${{ inputs.ssh-key-file }}" ]]; then + eval ssh_key_file="${{ inputs.ssh-key-file }}" + cp "$ssh_key_file" "$SSH_KEY_PATH" + else + echo "Error: Provide ssh-key, ssh-key-base64, or ssh-key-file." + exit 1 + fi + chmod 600 "$SSH_KEY_PATH" # Install the SSH key either without a password or with one. if [ -z "$SSH_KEY_PASSWORD" ]; then diff --git a/jira-comment/README.md b/jira-comment/README.md index 0d304f58..8afb666b 100644 --- a/jira-comment/README.md +++ b/jira-comment/README.md @@ -10,5 +10,5 @@ Adds comment to a Jira issue. issues: ${{ steps.changelog.outputs.issues }} jira-base-url: https://shapedk.atlassian.net jira-user-email: ci@shape.dk - op-jira-api-token-reference: op://My Vault/Shape CI Bot API Token for Jira credentials -``` \ No newline at end of file + jira-api-token: ${{ secrets.JIRA_API_TOKEN }} +``` diff --git a/jira-comment/action.yml b/jira-comment/action.yml index 5e331e95..87504e04 100644 --- a/jira-comment/action.yml +++ b/jira-comment/action.yml 
@@ -16,30 +16,20 @@ inputs: description: The Jira user who should post the comment. required: true default: ci@shape.dk - op-jira-api-token-reference: - description: 1Password reference to a Jira API token + jira-api-token: + description: Jira API token required: true runs: using: composite - steps: - - name: Install 1Password CLI - uses: 1password/install-cli-action@v2 - with: - version: 2.18.0 - - name: Jira API token - id: api-token - run: | - api_token=$(op read "${{ inputs.op-jira-api-token-reference }}") - echo "token=$api_token" >> $GITHUB_OUTPUT - shell: bash + steps: - name: Login to Jira uses: atlassian/gajira-login@v3 env: JIRA_BASE_URL: ${{ inputs.jira-base-url }} JIRA_USER_EMAIL: ${{ inputs.jira-user-email }} - JIRA_API_TOKEN: ${{ steps.api-token.outputs.token }} + JIRA_API_TOKEN: ${{ inputs.jira-api-token }} - name: Comment on issues uses: shapehq/gajira-comment@feature/multiple-issues with: issues: ${{ inputs.issues }} - comment: ${{ inputs.message }} \ No newline at end of file + comment: ${{ inputs.message }} diff --git a/loco-translation-status-checker/README.md b/loco-translation-status-checker/README.md index 8e0b5fcd..15a77471 100644 --- a/loco-translation-status-checker/README.md +++ b/loco-translation-status-checker/README.md @@ -6,5 +6,5 @@ Checks if there are missing translations in the Localize.biz project throws erro - name: Verify Loco Translations uses: shapehq/actions/loco-translation-status-checker@v1 with: - op-loco-api-key-reference: op://My Vault/My Loco API Key/key -``` \ No newline at end of file + loco-api-key: ${{ secrets.LOCO_API_KEY }} +``` diff --git a/loco-translation-status-checker/action.yml b/loco-translation-status-checker/action.yml index adb080e5..28ac77e1 100644 --- a/loco-translation-status-checker/action.yml +++ b/loco-translation-status-checker/action.yml 
@@ -1,14 +1,13 @@ name: Check Loco Translation Status inputs: - op-loco-api-key-reference: - description: Loco api key reference + loco-api-key: + description: Loco api key required: true runs: using: composite steps: - name: Check Status run: | - loco_api_key=$(op read "${{ inputs.op-loco-api-key-reference }}") cd "${{ github.action_path }}/LocoTranslationStatusChecker" - swift run LocoTranslationStatusChecker --loco-api-key "${loco_api_key}" - shell: bash \ No newline at end of file + swift run LocoTranslationStatusChecker --loco-api-key "${{ inputs.loco-api-key }}" + shell: bash diff --git a/loco-translation-status-poster/README.md b/loco-translation-status-poster/README.md index fc5d3a1a..09c2a861 100644 --- a/loco-translation-status-poster/README.md +++ b/loco-translation-status-poster/README.md @@ -7,6 +7,6 @@ Checks if there are missing translations in the Localize.biz project and posts w uses: shapehq/actions/loco-translation-status-poster@v1 with: channel: "#my-channel" - op-slack-token-reference: op://My Vault/My Slack Token/token - op-loco-api-key-reference: op://My Vault/My Loco API Key/key -``` \ No newline at end of file + slack-token: ${{ secrets.SLACK_TOKEN }} + loco-api-key: ${{ secrets.LOCO_API_KEY }} +``` diff --git a/loco-translation-status-poster/action.yml b/loco-translation-status-poster/action.yml index a07d04d2..9f53155f 100644 --- a/loco-translation-status-poster/action.yml +++ b/loco-translation-status-poster/action.yml 
@@ -3,21 +3,19 @@ inputs: channel: description: Slack channel to post message in required: true - op-slack-token-reference: - description: Slack access token reference + slack-token: + description: Slack access token required: true - op-loco-api-key-reference: - description: Loco api key reference + loco-api-key: + description: Loco api key required: true runs: using: composite steps: - name: Post Status run: | - slack_token=$(op read "${{ inputs.op-slack-token-reference }}") - loco_api_key=$(op read "${{ inputs.op-loco-api-key-reference }}") job_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" cd "${{ github.action_path }}/LocoTranslationStatusPoster" - swift run LocoTranslationStatusPoster --channel "${{ inputs.channel }}" --token "${slack_token}" --loco-api-key "${loco_api_key}" --workflow "${{ github.workflow }}" --started-by "${{ github.actor }}" --job-url "${job_url}" - shell: bash \ No newline at end of file + swift run LocoTranslationStatusPoster --channel "${{ inputs.channel }}" --token "${{ inputs.slack-token }}" --loco-api-key "${{ inputs.loco-api-key }}" --workflow "${{ github.workflow }}" --started-by "${{ github.actor }}" --job-url "${job_url}" + shell: bash diff --git a/post-slack-message/README.md b/post-slack-message/README.md index 67796c2b..1d8c181c 100644 --- a/post-slack-message/README.md +++ b/post-slack-message/README.md @@ -8,7 +8,7 @@ Posts a message to Slack. with: channel: "#my-channel" message: "Started a new build 🏃‍♀️" - op-slack-token-reference: op://My Vault/My Slack Token/token + slack-token: ${{ secrets.SLACK_TOKEN }} ``` The action will automatically add the following details to the Slack message: 
@@ -27,7 +27,7 @@ The details above can be omitted by setting the `add-workflow-info-fields` and ` with: channel: "#my-channel" message: "Started a new build 🏃‍♀️" - op-slack-token-reference: op://My Vault/My Slack Token/token + slack-token: ${{ secrets.SLACK_TOKEN }} add-workflow-info-fields: false add-view-logs-button: false ``` @@ -41,7 +41,7 @@ If you wish to only post to Slack if the jobs fails you can use the `failure()` with: channel: "#my-channel" message: "Failed building project 💥" - op-slack-token-reference: op://My Vault/My Slack Token/token + slack-token: ${{ secrets.SLACK_TOKEN }} ``` Similarly, you can have the action only post a message on success using the `success()` status check function: @@ -53,7 +53,7 @@ Similarly, you can have the action only post a message on success using the `suc with: channel: "#my-channel" message: "Successfully built project 🚀" - op-slack-token-reference: op://My Vault/My Slack Token/token + slack-token: ${{ secrets.SLACK_TOKEN }} ``` Custom fields and buttons can be added to the message as shown below. The fields and buttons must be JSON encoded as GitHub Actions inputs do not support arrays. @@ -66,16 +66,7 @@ Custom fields and buttons can be added to the message as shown below. The fields message: Hello world! fields: '[{"title": "Foo", "value": "Bar"}]' buttons: '[{"title": "Open Website", "url": "https://example.com"}]' - op-slack-token-reference: op://GitHub Actions/Slack Token/token + slack-token: ${{ secrets.SLACK_TOKEN }} ``` -You may use the Slack token residing in the shared GitHub Actions vault to post messages. - -```yml -- name: Post to Slack - uses: shapehq/actions/post-slack-message@v1 - with: - channel: "#my-channel" - message: "Hello world!" - op-slack-token-reference: op://GitHub Actions/Slack Token/token -``` \ No newline at end of file +Provide the Slack token via a secret or environment variable in your workflow. 
diff --git a/post-slack-message/action.yml b/post-slack-message/action.yml index e56c36da..1cbd811e 100644 --- a/post-slack-message/action.yml +++ b/post-slack-message/action.yml @@ -10,8 +10,8 @@ inputs: description: Runner to post required: true default: ${{ runner.name }} - op-slack-token-reference: - description: Slack access token reference + slack-token: + description: Slack access token required: true buttons: description: A JSON array of buttons @@ -32,13 +32,6 @@ inputs: runs: using: composite steps: - - name: Read Slack Token - id: read-token - run: | - TOKEN=$(op read "${{ inputs.op-slack-token-reference }}") - echo "::add-mask::$TOKEN" - echo "token=$TOKEN" >> "$GITHUB_OUTPUT" - shell: bash - name: Post to Slack uses: actions/github-script@v8 with: @@ -49,7 +42,7 @@ runs: const fields = '${{ inputs.fields }}' const addWorkflowInfoFields = ${{ inputs.add-workflow-info-fields }} const addViewLogsButton = ${{ inputs.add-view-logs-button }} - const accessToken = '${{ steps.read-token.outputs.token }}' + const accessToken = '${{ inputs.slack-token }}' if (!channel || channel.length == 0) { core.setFailed('Error: Channel must be specified and be non-empty.') diff --git a/upload-apk-shipshape/README.md b/upload-apk-shipshape/README.md index c0e67327..73bc2e36 100644 --- a/upload-apk-shipshape/README.md +++ b/upload-apk-shipshape/README.md 
@@ -14,6 +14,11 @@ The action has the following inputs: | distributionListDefinitions | The available distribution lists in JSON format. E.g. `{"Shape": ["a@shape.dk", "b@shape.dk"], "Client": ["a@example.com", "b@example.com"]}` | | distributionListTargets | The distribution lists that will receive the builds, comma-separated. Should be one or more of the keys in `distributionListDefinitions`. E.g. `Shape,Client`. | | releaseNotes | The release notes that are going to be shown in Shipshape for this build. | +| ssh-key | SSH private key contents used to access Shipshape. | +| ssh-key-base64 | Base64-encoded SSH private key. | +| ssh-key-file | Path to an SSH private key file. | +| ssh-key-password | Password for the SSH key, if needed. | +| shipshape-activation-code | Activation code for Shipshape. | Example: @@ -29,4 +34,6 @@ Example: distributionListDefinitions: ${{ vars.DISTRIBUTION_LISTS }} distributionListTargets: ${{ github.event.inputs.DISTRIBUTION_LISTS }} releaseNotes: ${{ github.event.inputs.RELEASE_NOTES }} -``` \ No newline at end of file + ssh-key: ${{ secrets.CI_SSH_KEY }} + shipshape-activation-code: ${{ secrets.SHIPSHAPE_ACTIVATION_CODE }} +``` diff --git a/upload-apk-shipshape/action.yml b/upload-apk-shipshape/action.yml index 40e38da5..b2aebdd5 100644 --- a/upload-apk-shipshape/action.yml +++ b/upload-apk-shipshape/action.yml 
@@ -35,23 +35,37 @@ inputs: description: 'Send Push' default: false required: false + ssh-key: + description: SSH private key contents for Shipshape access. + required: false + ssh-key-base64: + description: Base64-encoded SSH private key. + required: false + ssh-key-file: + description: Path to an SSH private key file. + required: false + ssh-key-password: + description: Password for the SSH key. + required: false + shipshape-activation-code: + description: Activation code for Shipshape. + required: true runs: using: composite steps: - - name: Check 1Password CLI Installed - shell: bash - run: op > /dev/null || echo "ONEPASSWORD_NOT_INSTALLED=true" >> $GITHUB_ENV - - - name: Install 1Password CLI - if: ${{ env.ONEPASSWORD_NOT_INSTALLED }} - uses: 1password/install-cli-action@v2 - - - name: Install CI SSH Key - uses: shapehq/actions/install-ci-ssh-key@v1 + - name: Install SSH Key + uses: shapehq/actions/install-ssh-key@v1 + with: + ssh-key: ${{ inputs.ssh-key }} + ssh-key-base64: ${{ inputs.ssh-key-base64 }} + ssh-key-file: ${{ inputs.ssh-key-file }} + ssh-key-password: ${{ inputs.ssh-key-password }} - name: Install Shipshape uses: shapehq/actions/install-shipshape@v1 + with: + activation-code: ${{ inputs.shipshape-activation-code }} - name: Create shape-app.config shell: bash diff --git a/upload-artifact-firebase/README.md b/upload-artifact-firebase/README.md index 379ed6c3..69b5fd2f 100644 --- a/upload-artifact-firebase/README.md +++ b/upload-artifact-firebase/README.md 
@@ -4,14 +4,16 @@ Uploads an APK to Firebase App Distribution. The action has the following inputs: -| Name | Required | Description | -| ------------------------------- | -------- | ------------------------------------------------------------------------------------ | -| `serviceCredentialsOpReference` | YES | 1Password reference to Google service account credentials json file (without quotes) | -| `appId` | YES | Firebase App ID | -| `apkPath` | YES | Path to the APK that will be uploaded | -| `releaseNotes` | NO | Release notes for this distribution | -| `groups` | NO | Comma separated list of Firebase tester group names | -| `testers` | NO | Comma separated email list of testers to invite | +| Name | Required | Description | +| --------------------------- | -------- | ----------------------------------------------------------------------------------------- | +| `serviceCredentialsJson` | NO | Google service account credentials JSON. Provide this or one of the alternatives below. | +| `serviceCredentialsBase64` | NO | Base64-encoded credentials JSON. Provide this or one of the alternatives above/below. | +| `serviceCredentialsFile` | NO | Path to a credentials JSON file. Provide this or one of the alternatives above. | +| `appId` | YES | Firebase App ID | +| `apkPath` | YES | Path to the APK that will be uploaded | +| `releaseNotes` | NO | Release notes for this distribution | +| `groups` | NO | Comma separated list of Firebase tester group names | +| `testers` | NO | Comma separated email list of testers to invite | and the following outputs: |Name|Description| 
@@ -26,10 +28,10 @@ Example: - name: Upload to Firebase distribution uses: shapehq/actions/upload-artifact-firebase@v1 with: - serviceCredentialsOpReference: op://1Password vault/1Password json key item/credentials-file-name.json + serviceCredentialsJson: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_JSON }} appId: 1:123456789012:android:1234567890abcdef1234567 apkPath: app/build/outputs/apk/inhouse/app-inhouse.apk releaseNotes: ${{ inputs.releaseNotes }} groups: ${{ inputs.groups }} testers: ${{ inputs.testers }} -``` \ No newline at end of file +``` diff --git a/upload-artifact-firebase/action.yml b/upload-artifact-firebase/action.yml index 1e23b71f..aa7f0bd7 100644 --- a/upload-artifact-firebase/action.yml +++ b/upload-artifact-firebase/action.yml @@ -3,9 +3,15 @@ description: "Uploads an APK to Firebase App Distribution" author: "Mikkel Schläger" inputs: - serviceCredentialsOpReference: - description: "1Password reference to Google service account credentials json file (without quotes)" - required: true + serviceCredentialsJson: + description: "Google service account credentials JSON" + required: false + serviceCredentialsBase64: + description: "Base64-encoded Google service account credentials JSON" + required: false + serviceCredentialsFile: + description: "Path to a Google service account credentials JSON file" + required: false appId: description: "Firebase App ID" 
@@ -47,18 +53,21 @@ runs: shell: bash run: npm install -g firebase-tools - - name: Load credentials - id: upload-artifact-firebase-credentials - uses: 1password/load-secrets-action@v3 - env: - SERVICE_ACCOUNT_CREDENTIALS: ${{ inputs.serviceCredentialsOpReference }} - - name: Write credentials file shell: bash - env: - SERVICE_ACCOUNT_CREDENTIALS: ${{ steps.upload-artifact-firebase-credentials.outputs.SERVICE_ACCOUNT_CREDENTIALS }} run: | - echo "$SERVICE_ACCOUNT_CREDENTIALS" > service-account.json + set -euo pipefail + if [[ -n "${{ inputs.serviceCredentialsBase64 }}" ]]; then + printf '%s' "${{ inputs.serviceCredentialsBase64 }}" | openssl base64 -d -A -out service-account.json + elif [[ -n "${{ inputs.serviceCredentialsJson }}" ]]; then + printf '%s' "${{ inputs.serviceCredentialsJson }}" > service-account.json + elif [[ -n "${{ inputs.serviceCredentialsFile }}" ]]; then + eval credentials_file="${{ inputs.serviceCredentialsFile }}" + cp "$credentials_file" service-account.json + else + echo "Error: Provide serviceCredentialsJson, serviceCredentialsBase64, or serviceCredentialsFile." + exit 1 + fi echo "GOOGLE_APPLICATION_CREDENTIALS=service-account.json" >> $GITHUB_ENV - name: "Distribute apk" From 9072229cd8b56720109dd85eca00c6405767a189 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20B=2E=20St=C3=B8vring?= Date: Mon, 19 Jan 2026 16:59:23 +0100 Subject: [PATCH 2/3] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 0b6cdd12..93f39bbb 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,6 @@ Example using 1Password load-secrets-action: uses: 1password/load-secrets-action@v3 env: SLACK_TOKEN: op://GitHub Actions/Slack Token/token - - name: Post to Slack uses: shapehq/actions/post-slack-message@v1 with: From b1a43a943802ac324483588b93669c814ed30518 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Simon=20St=C3=B8vring?= Date: Mon, 19 Jan 2026 17:01:57 +0100 Subject: [PATCH 3/3] Updates README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 93f39bbb..cd564327 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ ## 🚀 Getting Started -Most actions expect secrets to be provided directly via inputs. If you use 1Password's load-secrets-action, run it before these actions and pass the resulting environment variables or file paths into the inputs. +Most actions expect secrets to be provided directly via inputs. Use 1Password’s [load-secrets-action](https://github.com/1Password/load-secrets-action) to load secrets. Run it first and pass the resulting environment variables or file paths into the action inputs. Example using 1Password load-secrets-action:
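Review bot: In install-ssh-key/action.yml (hunk `@@ -35,17 +42,26 @@`), `eval ssh_key_file="${{ inputs.ssh-key-file }}"` sends the input through the shell a second time, so any `$(...)` or `;` in the supplied path runs as a command on the runner. If the goal is only `~` expansion, do it explicitly, for example `ssh_key_file="${SSH_KEY_FILE/#\~/$HOME}"`, with the input mapped through an `env:` block. The same applies to `${{ inputs.ssh-key }}`, `${{ inputs.ssh-key-base64 }}` and `${{ inputs.ssh-key-password }}`: they are substituted into the script text before bash parses it, so a value containing `"`, `$` or a backtick changes the script. Map each to an environment variable and reference `"$SSH_KEY"` and friends instead. The key file is also written before `chmod 600` runs, so setting `umask 077` ahead of the write would close that window.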
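Review bot: In jira-comment/action.yml (hunk `@@ -16,30 +16,20 @@`), the required input is renamed from `op-jira-api-token-reference` to `jira-api-token` with no migration note, while the README examples in this series keep pointing callers at `@v1`. A workflow that still passes the old input ends up with an empty `${{ inputs.jira-api-token }}` in `JIRA_API_TOKEN` and fails at the login step with no hint about the rename. Consider adding a short first step that fails with a message naming the new input when it is empty, and a line in the README about the rename. The description `Jira API token` could also say that the value is expected to come from a secret.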
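Review bot: In loco-translation-status-checker/action.yml (hunk `@@ -1,14 +1,13 @@`), the API key itself is now expanded into the script text by `--loco-api-key "${{ inputs.loco-api-key }}"`, where the removed line only expanded the 1Password reference. A value containing `"` or `$(` changes the command that bash runs. Add `env: LOCO_API_KEY: ${{ inputs.loco-api-key }}` to the step and pass `--loco-api-key "$LOCO_API_KEY"`, which keeps the shape of the removed `"${loco_api_key}"` usage.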
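Review bot: In loco-translation-status-poster/action.yml (hunk `@@ -3,21 +3,19 @@`), the `swift run LocoTranslationStatusPoster` line now templates two secrets, `--token "${{ inputs.slack-token }}"` and `--loco-api-key "${{ inputs.loco-api-key }}"`, directly into the script. Pass both through the step's `env:` block and reference shell variables on the command line, as the removed `"${slack_token}"` and `"${loco_api_key}"` did.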
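Review bot: In post-slack-message/action.yml (hunk `@@ -32,13 +32,6 @@`), removing the `Read Slack Token` step also removes `echo "::add-mask::$TOKEN"`, and nothing replaces it. A value passed from `secrets.*` is already masked by the runner, but the README now allows "a secret or environment variable", and a token that arrives from a plain environment variable or an unmasked step output can then show up in logs. Keep a small step that reads the input from `env:` and emits `::add-mask::` for it before the post step runs.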
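Review bot: In post-slack-message/action.yml (hunk `@@ -49,7 +42,7 @@`), `const accessToken = '${{ inputs.slack-token }}'` places the token inside a JavaScript string literal in the `actions/github-script` source, so a `'` or backslash in the value breaks or alters the script. Set `env: SLACK_TOKEN: ${{ inputs.slack-token }}` on the step and read `process.env.SLACK_TOKEN` in the script instead.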
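Review bot: In upload-apk-shipshape/action.yml (hunk `@@ -35,23 +35,37 @@`), the nested steps call `shapehq/actions/install-ssh-key@v1` and `shapehq/actions/install-shipshape@v1` with inputs (`ssh-key`, `ssh-key-base64`, `ssh-key-file`, `ssh-key-password`, `activation-code`) that this same patch series introduces, so the action only works once the `v1` tag includes this change and cannot be exercised from a branch beforehand. Worth calling out in the release notes. Separately, `ssh-key`, `ssh-key-base64` and `ssh-key-file` are all `required: false`, and when none is set the failure only surfaces inside the nested action; the descriptions should state that exactly one of the three must be provided.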
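Review bot: In upload-artifact-firebase/action.yml (hunk `@@ -47,18 +53,21 @@`), `printf '%s' "${{ inputs.serviceCredentialsJson }}" > service-account.json` expands the JSON into a double-quoted bash string, and service account JSON is full of `"` characters, so bash consumes the quotes and the file written is no longer valid JSON. The removed lines avoided this by passing the value through `env:` and writing `"$SERVICE_ACCOUNT_CREDENTIALS"`; keep that pattern for all three inputs. `eval credentials_file="${{ inputs.serviceCredentialsFile }}"` also executes anything embedded in the path, so replace it with an explicit `~` expansion on an environment variable. Since the file holds credentials, set `umask 077` before writing it.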