Add encoding option

sethvargo · sethvargo · commit 6d8a2faa65a7 · 2024-05-31T15:47:04.000-04:00
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -17,7 +17,6 @@ concurrency:
 
 jobs:
   integration:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
     permissions:
       contents: 'read'
       id-token: 'write'
@@ -48,3 +47,15 @@ jobs:
 
     - name: 'outputs'
       run: echo '${{ steps.secrets.outputs.token }}${{ steps.secrets.outputs.password }}'
+
+    - id: 'secrets-encoded'
+      name: 'secrets-encoded'
+      uses: './'
+      with:
+        encoding: 'hex'
+        secrets: |-
+          token:${{ vars.SECRET_NAME }}
+          password:${{ vars.SECRET_VERSION_NAME }}
+
+    - name: 'outputs-encoded'
+      run: echo '${{ steps.secrets-encoded.outputs.token }}${{ steps.secrets-encoded.outputs.password }}'
diff --git a/README.md b/README.md
@@ -96,6 +96,13 @@ jobs:
 
 -   <a name="export_to_environment"></a><a href="#user-content-export_to_environment"><code>export_to_environment</code></a>: _(Optional)_ Make the fetched secrets additionally available as environment variables.
 
+-   <a name="encoding"></a><a href="#user-content-encoding"><code>encoding</code></a>: _(Optional, default: `utf8`)_ Encoding in which secrets will be exported into environment variables. For
+    secrets that cannot be represented in text, such as encryption key bytes,
+    choose an encoding that has a safe character set for environment variable
+    values like `base64` or `hex`. For more information about available
+    encoding types, please see the [Node.js Buffer and character
+    encodings](https://nodejs.org/docs/latest/api/buffer.html#buffers-and-character-encodings).
+
 
 <!-- END_AUTOGEN_INPUTS -->
 
diff --git a/action.yml b/action.yml
@@ -65,6 +65,17 @@ inputs:
     required: false
     default: false
 
+  encoding:
+    description: |-
+      Encoding in which secrets will be exported into environment variables. For
+      secrets that cannot be represented in text, such as encryption key bytes,
+      choose an encoding that has a safe character set for environment variable
+      values like `base64` or `hex`. For more information about available
+      encoding types, please see the [Node.js Buffer and character
+      encodings](https://nodejs.org/docs/latest/api/buffer.html#buffers-and-character-encodings).
+    required: false
+    default: 'utf8'
+
 outputs:
   secrets:
     description: |-
diff --git a/dist/index.js b/dist/index.js
diff --git a/src/client.ts b/src/client.ts
@@ -15,7 +15,7 @@
  */
 
 import { GoogleAuth } from 'google-auth-library';
-import { errorMessage, fromBase64 } from '@google-github-actions/actions-utils';
+import { errorMessage } from '@google-github-actions/actions-utils';
 import { HttpClient } from '@actions/http-client';
 
 // Do not listen to the linter - this can NOT be rewritten as an ES6 import statement.
@@ -77,7 +77,7 @@ export class Client {
    * @param ref String of the full secret reference.
    * @returns string secret contents.
    */
-  async accessSecret(ref: string): Promise<string> {
+  async accessSecret(ref: string, encoding: BufferEncoding): Promise<string> {
     if (!ref) {
       throw new Error(`Secret ref "${ref}" is empty!`);
     }
@@ -101,7 +101,9 @@ export class Client {
         throw new Error(`Secret "${ref}" returned no data!`);
       }
 
-      return fromBase64(b64data);
+      let str = b64data.replace(/-/g, '+').replace(/_/g, '/');
+      while (str.length % 4) str += '=';
+      return Buffer.from(str, 'base64').toString(encoding);
     } catch (err) {
       const msg = errorMessage(err);
       throw new Error(`Failed to access secret "${ref}": ${msg}`);
diff --git a/src/main.ts b/src/main.ts
@@ -20,20 +20,18 @@ import { errorMessage, parseBoolean } from '@google-github-actions/actions-utils
 import { Client } from './client';
 import { parseSecretsRefs } from './reference';
 
+type X = keyof BufferEncoding;
+
 /**
  * Executes the main action. It includes the main business logic and is the
  * primary entry point. It is documented inline.
  */
 async function run(): Promise<void> {
   try {
-    // Fetch the list of secrets provided by the user.
     const secretsInput = getInput('secrets', { required: true });
-
-    // Get the minimum mask length.
     const minMaskLength = parseInt(getInput('min_mask_length'));
-
-    // Get the setting for whether to export secrets as environment variables.
     const exportEnvironment = parseBoolean(getInput('export_to_environment'));
+    const encoding = (getInput('encoding') || 'utf8') as BufferEncoding;
 
     // Create an API client.
     const client = new Client();
@@ -43,7 +41,7 @@ async function run(): Promise<void> {
 
     // Access and export each secret.
     for (const ref of secretsRefs) {
-      const value = await client.accessSecret(ref.selfLink());
+      const value = await client.accessSecret(ref.selfLink(), encoding);
 
       // Split multiline secrets by line break and mask each line.
       // Read more here: https://github.com/actions/runner/issues/161
