Decouple 1Password usage

README.md

@@ -29,9 +29,23 @@
 
 ## 🚀 Getting Started
 
-Several of these actions depend on the 1Password CLI being installed. Please use 1Password's [install-cli-action](https://github.com/1Password/install-cli-action) action to install the 1Password CLI or [load-secrets-action](https://github.com/1Password/load-secrets-action) to load secrets into the workflow's environment.
-
-Inputs prefixed with `op-` expect a 1Password item reference, for example `op://My Vault/My Item/field`. The action will use `op read` to fetch the value or file from 1Password at runtime.
+Most actions expect secrets to be provided directly via inputs. Use 1Password’s [load-secrets-action](https://github.com/1Password/load-secrets-action) to load secrets. Run it first and pass the resulting environment variables or file paths into the action inputs.
+
+Example using 1Password load-secrets-action:
+
+```yml
+- name: Load secrets from 1Password
+  id: op
+  uses: 1password/load-secrets-action@v3
+  env:
+    SLACK_TOKEN: op://GitHub Actions/Slack Token/token
+- name: Post to Slack
+  uses: shapehq/actions/post-slack-message@v1
+  with:
+    channel: "#builds"
+    message: "Build started"
+    slack-token: ${{ steps.op.outputs.SLACK_TOKEN }}
+```
 
 Click on any action name below to view detailed documentation, usage examples, and configuration options for that specific action.
 

build-and-upload-to-app-store-connect/README.md

@@ -9,11 +9,11 @@ As a side effect, the action will upload the dSYM files as an artifact to the jo
   with:
     scheme: Example
     configuration: Debug
-    op-app-store-connect-api-key-issuer-id-reference: op://GitHub Actions/Company App Store Connect API Key/Issuer ID
-    op-app-store-connect-api-key-id-reference: op://GitHub Actions/Company App Store Connect API Key/Key ID
-    op-app-store-connect-api-key-file-reference: op://GitHub Actions/Company App Store Connect API Key/AuthKey.p8
-    op-development-certificate-reference: op://GitHub Actions/Company Development Certificate/Certificate.p12
-    op-development-certificate-password-reference: op://GitHub Actions/Company Development Certificate/password
+    app-store-connect-api-key-issuer-id: ${{ secrets.ASC_KEY_ISSUER_ID }}
+    app-store-connect-api-key-id: ${{ secrets.ASC_KEY_ID }}
+    app-store-connect-api-key-base64: ${{ secrets.ASC_KEY_BASE64 }}
+    development-certificate-base64: ${{ secrets.DEVELOPMENT_CERTIFICATE_BASE64 }}
+    development-certificate-password: ${{ secrets.DEVELOPMENT_CERTIFICATE_PASSWORD }}
 ```
 
 You may use the `marketing-version` and `build-number` inputs to automatically set a version number and build number prior to building the project.
@@ -26,11 +26,11 @@ You may use the `marketing-version` and `build-number` inputs to automatically s
     configuration: Debug
     marketing-version: ${{ inputs.version_number }}
     build-number: ${{ github.run_number }}
-    op-app-store-connect-api-key-issuer-id-reference: op://GitHub Actions/Company App Store Connect API Key/Issuer ID
-    op-app-store-connect-api-key-id-reference: op://GitHub Actions/Company App Store Connect API Key/Key ID
-    op-app-store-connect-api-key-file-reference: op://GitHub Actions/Company App Store Connect API Key/AuthKey.p8
-    op-development-certificate-reference: op://GitHub Actions/Company Development Certificate/Certificate.p12
-    op-development-certificate-password-reference: op://GitHub Actions/Company Development Certificate/password
+    app-store-connect-api-key-issuer-id: ${{ secrets.ASC_KEY_ISSUER_ID }}
+    app-store-connect-api-key-id: ${{ secrets.ASC_KEY_ID }}
+    app-store-connect-api-key-base64: ${{ secrets.ASC_KEY_BASE64 }}
+    development-certificate-base64: ${{ secrets.DEVELOPMENT_CERTIFICATE_BASE64 }}
+    development-certificate-password: ${{ secrets.DEVELOPMENT_CERTIFICATE_PASSWORD }}
 ```
 
 The action supports the following inputs.
@@ -43,13 +43,15 @@ The action supports the following inputs.
 | marketing-version                                | No       |               | The marketing version number of the app, such as "1.0.0". This sets the MARKETING_VERSION in Xcode, determining the version displayed on the App Store.                                |
 | build-number                                     | No       |               | An incrementing number specifying the build version, which is used to uniquely identify an archive or build sent to the App Store Connect.                                             |
 | testflight-internal-testing-only                 | Yes      | false         | When enabled, the build cannot be distributed via external TestFlight or the App Store. Must be either "true" or "false".                                                              |
-| op-app-store-connect-api-key-issuer-id-reference | Yes      |               | A reference to the location in 1Password where the Issuer ID for the App Store Connect API key is stored. This ID is crucial for API interactions with App Store Connect.              |
-| op-app-store-connect-api-key-id-reference        | Yes      |               | A reference to the location in 1Password where the App Store Connect API Key ID is stored, used for authentication during API requests.                                                |
-| op-app-store-connect-api-key-file-reference      | Yes      |               | A reference to the 1Password field containing the AuthKey.p8 file, essential for establishing connections to App Store Connect.                                                        |
-| op-development-certificate-reference             | Yes      |               | Points to a field in 1Password where the development certificate and its corresponding private key (.p12 file) are stored, necessary for signing the app during the development phase. |
-| op-development-certificate-password-reference    | Yes      |               | Indicates the location in 1Password where the password for decrypting the development certificate (.p12 file) is kept.                                                                 |
+| app-store-connect-api-key-issuer-id              | Yes      |               | Issuer ID for the App Store Connect API key.                                                                                                                                            |
+| app-store-connect-api-key-id                     | Yes      |               | App Store Connect API Key ID.                                                                                                                                                            |
+| app-store-connect-api-key-base64                 | No       |               | Base64-encoded AuthKey.p8 file. Provide this or `app-store-connect-api-key-file`.                                                                                                        |
+| app-store-connect-api-key-file                   | No       |               | Path to an AuthKey.p8 file. Provide this or `app-store-connect-api-key-base64`.                                                                                                          |
+| development-certificate-base64                   | No       |               | Base64-encoded development certificate (.p12). Provide this or `development-certificate-file`.                                                                                          |
+| development-certificate-file                     | No       |               | Path to a development certificate (.p12). Provide this or `development-certificate-base64`.                                                                                             |
+| development-certificate-password                 | Yes      |               | Password for decrypting the development certificate (.p12 file).                                                                                                                         |
 | additional-archive-args                          | No       |               | Additional arguments passed to xcodebuild when archiving the app.                                                                                                                      |
 | additional-altool-args                           | No       |               | Additional arguments passed to altool when uploading the app.                                                                                                                          |
 | build-directory                                  | Yes      | .build        | Defines the directory where the build artifacts, like the final binary or intermediate files, will be stored.                                                                          |
 | dsyms-archive-name                               | Yes      | dSYMs         | Name of the uploaded archive containing the dSYMs.                                                                                                                                     |
-| pretty-xcodebuild-output                         | Yes      | true          | Whether to pipe xcodebuild output through [xcbeautify](https://github.com/cpisciotta/xcbeautify) for prettier formatting.                                                              |
+| pretty-xcodebuild-output                         | Yes      | true          | Whether to pipe xcodebuild output through [xcbeautify](https://github.com/cpisciotta/xcbeautify) for prettier formatting.                                                              |

build-and-upload-to-app-store-connect/action.yml

@@ -21,20 +21,26 @@ inputs:
     description: When enabled, the build cannot be distributed via external TestFlight or the App Store. Must be either "true" or "false".
     default: false
     required: true
-  op-app-store-connect-api-key-issuer-id-reference:
-    description: A reference to the location in 1Password where the Issuer ID for the App Store Connect API key is stored. This ID is crucial for API interactions with App Store Connect.
+  app-store-connect-api-key-issuer-id:
+    description: Issuer ID for the App Store Connect API key.
     required: true
-  op-app-store-connect-api-key-id-reference:
-    description: A reference to the location in 1Password where the App Store Connect API Key ID is stored, used for authentication during API requests.
+  app-store-connect-api-key-id:
+    description: App Store Connect API Key ID.
     required: true
-  op-app-store-connect-api-key-file-reference:
-    description: A reference to the 1Password field containing the AuthKey.p8 file, essential for establishing connections to App Store Connect.
-    required: true
-  op-development-certificate-reference:
-    description: Points to a field in 1Password where the development certificate and its corresponding private key (.p12 file) are stored, necessary for signing the app during the development phase.
-    required: true
-  op-development-certificate-password-reference:
-    description: Indicates the location in 1Password where the password for decrypting the development certificate (.p12 file) is kept.
+  app-store-connect-api-key-base64:
+    description: Base64-encoded AuthKey.p8 file.
+    required: false
+  app-store-connect-api-key-file:
+    description: Path to an AuthKey.p8 file.
+    required: false
+  development-certificate-base64:
+    description: Base64-encoded development certificate (.p12).
+    required: false
+  development-certificate-file:
+    description: Path to a development certificate (.p12).
+    required: false
+  development-certificate-password:
+    description: Password for decrypting the development certificate (.p12 file).
     required: true
   additional-archive-args:
     description: Additional arguments passed to xcodebuild when archiving the app.
@@ -61,15 +67,17 @@ runs:
       id: install-app-store-connect-api-key
       uses: shapehq/actions/install-asc-api-key@v1
       with:
-        op-asc-key-issuer-id-reference: ${{ inputs.op-app-store-connect-api-key-issuer-id-reference }}
-        op-asc-key-id-reference: ${{ inputs.op-app-store-connect-api-key-id-reference }}
-        op-asc-key-file-reference: ${{ inputs.op-app-store-connect-api-key-file-reference }}
+        asc-key-issuer-id: ${{ inputs.app-store-connect-api-key-issuer-id }}
+        asc-key-id: ${{ inputs.app-store-connect-api-key-id }}
+        asc-key-base64: ${{ inputs.app-store-connect-api-key-base64 }}
+        asc-key-file: ${{ inputs.app-store-connect-api-key-file }}
         output-asc-key-file-directory: ~/.private_keys
     - name: Install Development Certificate
       uses: shapehq/actions/install-certificate@v1
       with:
-        password-op-reference: ${{ inputs.op-development-certificate-password-reference }}
-        certificate-op-reference: ${{ inputs.op-development-certificate-reference }}
+        certificate-password: ${{ inputs.development-certificate-password }}
+        certificate-base64: ${{ inputs.development-certificate-base64 }}
+        certificate-file: ${{ inputs.development-certificate-file }}
     - name: Create Export Options Plist
       id: create-export-options-plist
       working-directory: ${{ inputs.working-directory }}

install-asc-api-key/README.md

@@ -7,21 +7,23 @@ Installs an App Store Connect API key file on the runner and outputs the issuer
   id: install-asc-api-key
   uses: shapehq/actions/install-asc-api-key@v1
   with:
-    op-asc-key-issuer-id-reference: op://My Vault/My App Store Connect API Key/Issuer ID
-    op-asc-key-id-reference: op://My Vault/My App Store Connect API Key/Key ID
-    op-asc-key-file-reference: op://My Vault/My App Store Connect API Key/AuthKey.p8
+    asc-key-issuer-id: ${{ secrets.ASC_KEY_ISSUER_ID }}
+    asc-key-id: ${{ secrets.ASC_KEY_ID }}
+    asc-key-base64: ${{ secrets.ASC_KEY_BASE64 }}
 ```
 
 You may optionally pass the `output-asc-key-file-directory` parameter to specify the directory in which to store the AuthKey file. This defaults to the current directory.
 
+If you already have the AuthKey file on disk, you can pass `asc-key-file` instead of `asc-key-base64`.
+
 ```yml
 - name: Install App Store Connect API Key
   id: install-asc-api-key
   uses: shapehq/actions/install-asc-api-key@v1
   with:
-    op-asc-key-issuer-id-reference: op://My Vault/My App Store Connect API Key/Issuer ID
-    op-asc-key-id-reference: op://My Vault/My App Store Connect API Key/Key ID
-    op-asc-key-file-reference: op://My Vault/My App Store Connect API Key/AuthKey.p8
+    asc-key-issuer-id: ${{ secrets.ASC_KEY_ISSUER_ID }}
+    asc-key-id: ${{ secrets.ASC_KEY_ID }}
+    asc-key-base64: ${{ secrets.ASC_KEY_BASE64 }}
     output-asc-key-file-directory: ./private_keys
 ```
 
@@ -43,4 +45,4 @@ The outputs can be used to access the API key. The following example shows how t
     ASC_API_KEY_ISSUER_ID: ${{ steps.install-asc-api-key.outputs.issuer-id }}
     ASC_API_KEY_ID: ${{ steps.install-asc-api-key.outputs.key-id }}
     ASC_API_KEY: ${{ steps.install-asc-api-key.outputs.key-file-path }}
-```
+```

install-asc-api-key/action.yml

@@ -1,11 +1,13 @@
 name: Install App Store Connect API Key
 inputs:
-  op-asc-key-issuer-id-reference:
+  asc-key-issuer-id:
     required: true
-  op-asc-key-id-reference:
-    required: true
-  op-asc-key-file-reference:
+  asc-key-id:
     required: true
+  asc-key-base64:
+    required: false
+  asc-key-file:
+    required: false
   output-asc-key-file-directory:
     required: false
     default: .
@@ -23,22 +25,32 @@ runs:
   steps:
     - id: read
       run: |
-        # Read issuer id
-        issuer_id=$(op read "${{ inputs.op-asc-key-issuer-id-reference }}")
+        set -euo pipefail
+        issuer_id="${{ inputs.asc-key-issuer-id }}"
+        key_id="${{ inputs.asc-key-id }}"
+        if [ -z "$issuer_id" ] || [ -z "$key_id" ]; then
+          echo "Error: asc-key-issuer-id and asc-key-id are required."
+          exit 1
+        fi
         echo "issuer_id=${issuer_id}" >> $GITHUB_OUTPUT
-
-        # Read key id
-        key_id=$(op read "${{ inputs.op-asc-key-id-reference }}")
         echo "key_id=${key_id}" >> $GITHUB_OUTPUT
 
         # Ensure output directory exists
         eval output_dir="${{ inputs.output-asc-key-file-directory }}"
         mkdir -p "$output_dir"
 
-        # Read key file
+        # Write key file
         key_filename="AuthKey_${key_id}.p8"
         key_file_path="${output_dir}/${key_filename}"
-        op read --out-file "${key_file_path}" "${{ inputs.op-asc-key-file-reference }}"
+        if [[ -n "${{ inputs.asc-key-base64 }}" ]]; then
+          printf '%s' "${{ inputs.asc-key-base64 }}" | openssl base64 -d -A -out "${key_file_path}"
+        elif [[ -n "${{ inputs.asc-key-file }}" ]]; then
+          eval asc_key_file="${{ inputs.asc-key-file }}"
+          cp "${asc_key_file}" "${key_file_path}"
+        else
+          echo "Error: Provide asc-key-base64 or asc-key-file."
+          exit 1
+        fi
         key_full_file_path=$(readlink -f $key_file_path)
         echo "key_filename=${key_filename}" >> $GITHUB_OUTPUT
         echo "key_file_path=${key_full_file_path}" >> $GITHUB_OUTPUT

install-certificate/README.md

@@ -6,20 +6,30 @@ Installs the specified certificate in the keychain.
 - name: Install Certificate
   uses: shapehq/actions/install-certificate@v1
   with:
-    password-op-reference: op://My Vault/My Certificate/password
-    certificate-op-reference: op://My Vault/My Certificate/Certificate.p12
+    certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
+    certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }}
 ```
 
 Note that you must supply a password. Empty passwords are not supported.
 
+You may supply a file path instead of base64:
+
+```yml
+- name: Install Certificate
+  uses: shapehq/actions/install-certificate@v1
+  with:
+    certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
+    certificate-file: ${{ env.CERTIFICATE_PATH }}
+```
+
 The action makes the keychain the default keychain on the system. You can disable this as shown below.
 
 ```yml
 - name: Install Certificate
   uses: shapehq/actions/install-certificate@v1
   with:
-    password-op-reference: op://My Vault/My Certificate/password
-    certificate-op-reference: op://My Vault/My Certificate/Certificate.p12
+    certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
+    certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }}
     set-default-keychain: false
 ```
 
@@ -29,8 +39,8 @@ You may optionally specify the name of the keychain to install the certificate a
 - name: Install Certificate
   uses: shapehq/actions/install-certificate@v1
   with:
-    password-op-reference: op://My Vault/My Certificate/password
-    certificate-op-reference: op://My Vault/My Certificate/Certificate.p12
+    certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
+    certificate-base64: ${{ secrets.CERTIFICATE_BASE64 }}
     keychain-name: signing.keychain
     keychain-password: h3ll0w0rld
 ```
@@ -47,13 +57,13 @@ The keychain will be created with a random password if no password is specified.
 - name: Install First Certificate
   uses: shapehq/actions/install-certificate@v1
   with:
-    password-op-reference: op://My Vault/First Certificate/password
-    certificate-op-reference: op://My Vault/First Certificate/Certificate.p12
+    certificate-password: ${{ secrets.FIRST_CERTIFICATE_PASSWORD }}
+    certificate-base64: ${{ secrets.FIRST_CERTIFICATE_BASE64 }}
     keychain-password: ${{ steps.generate-keychain-password.outputs.password }}
 - name: Install Second Certificate
   uses: shapehq/actions/install-certificate@v1
   with:
-    password-op-reference: op://My Vault/Second Certificate/password
-    certificate-op-reference: op://My Vault/Second Certificate/Certificate.p12
+    certificate-password: ${{ secrets.SECOND_CERTIFICATE_PASSWORD }}
+    certificate-base64: ${{ secrets.SECOND_CERTIFICATE_BASE64 }}
     keychain-password: ${{ steps.generate-keychain-password.outputs.password }}
-```
+```