forked from hashicorp/vault-action
-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yml
104 lines (104 loc) · 4.08 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
name: 'HashiCorp Vault'
description: 'A Github Action that allows you to consume HashiCorp Vault™ secrets as secure environment variables'
inputs:
url:
description: 'The URL for the vault endpoint'
required: true
secrets:
description: 'A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details'
required: false
pki:
description: 'A semicolon-separated list of certificates to generate. These will automatically be converted to environment variable keys. Cannot be used with "secrets". See README for more details'
required: false
namespace:
description: 'The Vault namespace from which to query secrets. Vault Enterprise only, unset by default'
required: false
method:
description: 'The method to use to authenticate with Vault.'
default: 'token'
required: false
role:
description: 'Vault role for specified auth method'
required: false
path:
description: 'The Vault path for the auth method.'
required: false
token:
description: 'The Vault token to be used to authenticate with Vault'
required: false
roleId:
description: 'The role ID for App Role authentication'
required: false
secretId:
description: 'The secret ID for App Role authentication'
required: false
githubToken:
description: 'The Github Token to be used to authenticate with Vault'
required: false
kubernetesTokenPath:
description: 'The path to the Kubernetes service account secret'
required: false
default: '/var/run/secrets/kubernetes.io/serviceaccount/token'
username:
description: 'The username of the user to log in to Vault as. Available to both Userpass and LDAP auth methods'
required: false
password:
description: 'The password of the user to log in to Vault as. Available to both Userpass and LDAP auth methods'
required: false
authPayload:
description: 'The JSON payload to be sent to Vault when using a custom authentication method.'
required: false
extraHeaders:
description: 'A string of newline separated extra headers to include on every request.'
required: false
exportEnv:
description: 'Whether or not export secrets as environment variables.'
default: 'true'
required: false
exportToken:
description: 'Whether or not export Vault token as environment variables.'
default: 'false'
required: false
outputToken:
description: 'Whether or not to set the `vault_token` output to contain the Vault token after authentication.'
default: 'false'
required: false
caCertificate:
description: 'Base64 encoded CA certificate the server certificate was signed with. Defaults to CAs provided by Mozilla.'
required: false
clientCertificate:
description: 'Base64 encoded client certificate for mTLS communication with the Vault server.'
required: false
clientKey:
description: 'Base64 encoded client key for mTLS communication with the Vault server.'
required: false
tlsSkipVerify:
description: 'When set to true, disables verification of the Vault server certificate. Setting this to true in production is not recommended.'
required: false
default: 'false'
jwtPrivateKey:
description: 'Base64 encoded Private key to sign JWT'
required: false
jwtKeyPassword:
description: 'Password for key stored in jwtPrivateKey (if needed)'
required: false
jwtGithubAudience:
description: 'Identifies the recipient ("aud" claim) that the JWT is intended for'
required: false
jwtTtl:
description: 'Time in seconds, after which token expires'
required: false
default: 3600
secretEncodingType:
description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
required: false
ignoreNotFound:
description: 'Whether or not the action should exit successfully if some requested secrets were not found.'
required: false
default: 'false'
runs:
using: 'node20'
main: 'dist/index.js'
branding:
icon: 'unlock'
color: 'gray-dark'