feat: support action inputs as environment variables (#1338)

* support action inputs as environment variables * update dist * fix: update tsconfig for package step * fix: update environment variable setting method * fix: make biome happy --------- Co-authored-by: Michael Lehmann <lehmanmj@amazon.com>
2026-06-05 21:17:05 +00:00 · 2025-04-25 13:15:03 -07:00 · 2025-04-25 13:15:03 -07:00 · 2c168adcae
commit 2c168adcae
parent 4d5f2395c0
19 changed files with 100 additions and 197 deletions
--- a/dist/cleanup/CredentialsClient.d.ts
+++ b/dist/cleanup/CredentialsClient.d.ts
@ -1,14 +0,0 @@
-import { STSClient } from '@aws-sdk/client-sts';
-export interface CredentialsClientProps {
-    region?: string;
-    proxyServer?: string;
-}
-export declare class CredentialsClient {
-    region?: string;
-    private _stsClient?;
-    private readonly requestHandler?;
-    constructor(props: CredentialsClientProps);
-    get stsClient(): STSClient;
-    validateCredentials(expectedAccessKeyId?: string, roleChaining?: boolean): Promise<void>;
-    private loadCredentials;
-}
--- a/dist/cleanup/assumeRole.d.ts
+++ b/dist/cleanup/assumeRole.d.ts
@ -1,17 +0,0 @@
-import type { CredentialsClient } from './CredentialsClient';
-export interface assumeRoleParams {
-    credentialsClient: CredentialsClient;
-    roleToAssume: string;
-    roleDuration: number;
-    roleSessionName: string;
-    roleSkipSessionTagging?: boolean;
-    sourceAccountId?: string;
-    roleExternalId?: string;
-    webIdentityTokenFile?: string;
-    webIdentityToken?: string;
-    inlineSessionPolicy?: string;
-    managedSessionPolicies?: {
-        arn: string;
-    }[];
-}
-export declare function assumeRole(params: assumeRoleParams): Promise<import("@aws-sdk/client-sts").AssumeRoleCommandOutput>;
--- a/dist/cleanup/cleanup/index.d.ts
+++ b/dist/cleanup/cleanup/index.d.ts
@ -1,11 +0,0 @@
-/**
- * When the GitHub Actions job is done, clean up any environment variables that
- * may have been set by the configure-aws-credentials steps in the job.
- *
- * Environment variables are not intended to be shared across different jobs in
- * the same GitHub Actions workflow: GitHub Actions documentation states that
- * each job runs in a fresh instance.  However, doing our own cleanup will
- * give us additional assurance that these environment variables are not shared
- * with any other jobs.
- */
-export declare function cleanup(): void;
--- a/dist/cleanup/helpers.d.ts
+++ b/dist/cleanup/helpers.d.ts
@ -1,17 +0,0 @@
-import type { Credentials } from '@aws-sdk/client-sts';
-import type { CredentialsClient } from './CredentialsClient';
-export declare function exportCredentials(creds?: Partial<Credentials>, outputCredentials?: boolean): void;
-export declare function unsetCredentials(): void;
-export declare function exportRegion(region: string): void;
-export declare function exportAccountId(credentialsClient: CredentialsClient, maskAccountId?: boolean): Promise<string>;
-export declare function sanitizeGitHubVariables(name: string): string;
-export declare function defaultSleep(ms: number): Promise<unknown>;
-declare let sleep: typeof defaultSleep;
-export declare function withsleep(s: typeof sleep): void;
-export declare function reset(): void;
-export declare function verifyKeys(creds: Partial<Credentials> | undefined): boolean;
-export declare function retryAndBackoff<T>(fn: () => Promise<T>, isRetryable: boolean, maxRetries?: number, retries?: number, base?: number): Promise<T>;
-export declare function errorMessage(error: unknown): string;
-export declare function isDefined<T>(i: T | undefined | null): i is T;
-export declare function areCredentialsValid(credentialsClient: CredentialsClient): Promise<boolean>;
-export {};
--- a/dist/cleanup/index.d.ts
+++ b/dist/cleanup/index.d.ts
@ -1 +0,0 @@
-export declare function run(): Promise<void>;
--- a/dist/cleanup/index.js
+++ b/dist/cleanup/index.js
@ -46498,6 +46498,7 @@ var __importStar = (this && this.__importStar) || (function () {
    };
 })();
 Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.translateEnvVariables = translateEnvVariables;
 exports.exportCredentials = exportCredentials;
 exports.unsetCredentials = unsetCredentials;
 exports.exportRegion = exportRegion;
@ -46516,6 +46517,37 @@ const client_sts_1 = __nccwpck_require__(1695);
 const MAX_TAG_VALUE_LENGTH = 256;
 const SANITIZATION_CHARACTER = '_';
 const SPECIAL_CHARS_REGEX = /[!@#$%^&*()_+\-=[\]{};':"\\|,.<>/?]+/;
+function translateEnvVariables() {
+    const envVars = [
+        'AWS_REGION',
+        'ROLE_TO_ASSUME',
+        'AWS_ACCESS_KEY_ID',
+        'AWS_SECRET_ACCESS_KEY',
+        'AWS_SESSION_TOKEN',
+        'WEB_IDENTITY_TOKEN_FILE',
+        'ROLE_CHAINING',
+        'AUDIENCE',
+        'HTTP_PROXY',
+        'MASK_AWS_ACCOUNT_ID',
+        'ROLE_DURATION_SECONDS',
+        'ROLE_EXTERNAL_ID',
+        'ROLE_SESSION_NAME',
+        'ROLE_SKIP_SESSION_TAGGING',
+        'INLINE_SESSION_POLICY',
+        'MANAGED_SESSION_POLICIES',
+        'OUTPUT_CREDENTIALS',
+        'UNSET_CURRENT_CREDENTIALS',
+        'DISABLE_RETRY',
+        'RETRY_MAX_ATTEMPTS',
+        'SPECIAL_CHARACTERS_WORKAROUND',
+        'USE_EXISTING_CREDENTIALS',
+    ];
+    for (const envVar of envVars) {
+        if (process.env[envVar]) {
+            process.env[`INPUT_${envVar.replace(/_/g, '-')}`] = process.env[envVar];
+        }
+    }
+}
 // Configure the AWS CLI and AWS SDKs using environment variables and set them as secrets.
 // Setting the credentials as secrets masks them in Github Actions logs
 function exportCredentials(creds, outputCredentials) {
--- a/dist/cleanup/src/CredentialsClient.d.ts
+++ b/dist/cleanup/src/CredentialsClient.d.ts
@ -1,14 +0,0 @@
-import { STSClient } from '@aws-sdk/client-sts';
-export interface CredentialsClientProps {
-    region?: string;
-    proxyServer?: string;
-}
-export declare class CredentialsClient {
-    region?: string;
-    private _stsClient?;
-    private readonly requestHandler?;
-    constructor(props: CredentialsClientProps);
-    get stsClient(): STSClient;
-    validateCredentials(expectedAccessKeyId?: string, roleChaining?: boolean): Promise<void>;
-    private loadCredentials;
-}
--- a/dist/cleanup/src/assumeRole.d.ts
+++ b/dist/cleanup/src/assumeRole.d.ts
@ -1,17 +0,0 @@
-import type { CredentialsClient } from './CredentialsClient';
-export interface assumeRoleParams {
-    credentialsClient: CredentialsClient;
-    roleToAssume: string;
-    roleDuration: number;
-    roleSessionName: string;
-    roleSkipSessionTagging?: boolean;
-    sourceAccountId?: string;
-    roleExternalId?: string;
-    webIdentityTokenFile?: string;
-    webIdentityToken?: string;
-    inlineSessionPolicy?: string;
-    managedSessionPolicies?: {
-        arn: string;
-    }[];
-}
-export declare function assumeRole(params: assumeRoleParams): Promise<import("@aws-sdk/client-sts").AssumeRoleCommandOutput>;
--- a/dist/cleanup/src/cleanup/index.d.ts
+++ b/dist/cleanup/src/cleanup/index.d.ts
@ -1,11 +0,0 @@
-/**
- * When the GitHub Actions job is done, clean up any environment variables that
- * may have been set by the configure-aws-credentials steps in the job.
- *
- * Environment variables are not intended to be shared across different jobs in
- * the same GitHub Actions workflow: GitHub Actions documentation states that
- * each job runs in a fresh instance.  However, doing our own cleanup will
- * give us additional assurance that these environment variables are not shared
- * with any other jobs.
- */
-export declare function cleanup(): void;
--- a/dist/cleanup/src/helpers.d.ts
+++ b/dist/cleanup/src/helpers.d.ts
@ -1,16 +0,0 @@
-import type { Credentials } from '@aws-sdk/client-sts';
-import type { CredentialsClient } from './CredentialsClient';
-export declare function exportCredentials(creds?: Partial<Credentials>, outputCredentials?: boolean): void;
-export declare function unsetCredentials(): void;
-export declare function exportRegion(region: string): void;
-export declare function exportAccountId(credentialsClient: CredentialsClient, maskAccountId?: boolean): Promise<string>;
-export declare function sanitizeGitHubVariables(name: string): string;
-export declare function defaultSleep(ms: number): Promise<unknown>;
-declare let sleep: typeof defaultSleep;
-export declare function withsleep(s: typeof sleep): void;
-export declare function reset(): void;
-export declare function verifyKeys(creds: Partial<Credentials> | undefined): boolean;
-export declare function retryAndBackoff<T>(fn: () => Promise<T>, isRetryable: boolean, maxRetries?: number, retries?: number, base?: number): Promise<T>;
-export declare function errorMessage(error: unknown): string;
-export declare function isDefined<T>(i: T | undefined | null): i is T;
-export {};
--- a/dist/cleanup/src/index.d.ts
+++ b/dist/cleanup/src/index.d.ts
@ -1 +0,0 @@
-export declare function run(): Promise<void>;
--- a/dist/cleanup/test/cleanup.test.d.ts
+++ b/dist/cleanup/test/cleanup.test.d.ts
@ -1 +0,0 @@
-export {};
--- a/dist/cleanup/test/helpers.test.d.ts
+++ b/dist/cleanup/test/helpers.test.d.ts
@ -1 +0,0 @@
-export {};
--- a/dist/cleanup/test/index.test.d.ts
+++ b/dist/cleanup/test/index.test.d.ts
@ -1 +0,0 @@
-export {};
--- a/dist/cleanup/test/mockinputs.test.d.ts
+++ b/dist/cleanup/test/mockinputs.test.d.ts
@ -1,74 +0,0 @@
-import type * as core from '@actions/core';
-declare const _default: {
-    readonly outputs: {
-        STS_CREDENTIALS: {
-            Credentials: {
-                AccessKeyId: string;
-                SecretAccessKey: string;
-                SessionToken: string;
-                Expiration: Date;
-            };
-            AssumedRoleUser: {
-                Arn: string;
-                AssumedRoleId: string;
-            };
-        };
-        GET_CALLER_IDENTITY: {
-            Account: string;
-            Arn: string;
-        };
-        FAKE_STS_ACCESS_KEY_ID: string;
-        FAKE_STS_SECRET_ACCESS_KEY: string;
-        FAKE_STS_SESSION_TOKEN: string;
-        ODD_CHARACTER_CREDENTIALS: {
-            Credentials: {
-                AccessKeyId: string;
-                SecretAccessKey: string;
-                SessionToken: string;
-                Expiration: Date;
-            };
-            AssumedRoleUser: {
-                Arn: string;
-                AssumedRoleId: string;
-            };
-        };
-    };
-    readonly envs: {
-        GITHUB_REPOSITORY: string;
-        GITHUB_WORKFLOW: string;
-        GITHUB_ACTION: string;
-        GITHUB_ACTOR: string;
-        GITHUB_SHA: string;
-        GITHUB_WORKSPACE: string;
-        GITHUB_ACTIONS: string;
-    };
-    readonly GH_OIDC_INPUTS: {
-        'role-to-assume': string;
-        'aws-region': string;
-        'special-characters-workaround': string;
-    };
-    readonly IAM_USER_INPUTS: {
-        'aws-access-key-id': string;
-        'aws-secret-access-key': string;
-        'aws-region': string;
-    };
-    readonly IAM_ASSUMEROLE_INPUTS: {
-        'aws-access-key-id': string;
-        'aws-secret-access-key': string;
-        'role-to-assume': string;
-        'aws-region': string;
-    };
-    readonly WEBIDENTITY_TOKEN_FILE_INPUTS: {
-        'web-identity-token-file': string;
-        'role-to-assume': string;
-        'aws-region': string;
-    };
-    readonly EXISTING_ROLE_INPUTS: {
-        'role-to-assume': string;
-        'role-chaining': string;
-        'aws-region': string;
-    };
-    readonly getInput: (fakeEnv: Record<string, string>) => (name: string, options?: core.InputOptions) => string;
-    readonly getMultilineInput: (fakeEnv: Record<string, string[]>) => (name: string, options?: core.InputOptions) => string[];
-};
-export default _default;
--- a/dist/index.js
+++ b/dist/index.js
@ -263,6 +263,7 @@ var __importStar = (this && this.__importStar) || (function () {
    };
 })();
 Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.translateEnvVariables = translateEnvVariables;
 exports.exportCredentials = exportCredentials;
 exports.unsetCredentials = unsetCredentials;
 exports.exportRegion = exportRegion;
@ -281,6 +282,37 @@ const client_sts_1 = __nccwpck_require__(1695);
 const MAX_TAG_VALUE_LENGTH = 256;
 const SANITIZATION_CHARACTER = '_';
 const SPECIAL_CHARS_REGEX = /[!@#$%^&*()_+\-=[\]{};':"\\|,.<>/?]+/;
+function translateEnvVariables() {
+    const envVars = [
+        'AWS_REGION',
+        'ROLE_TO_ASSUME',
+        'AWS_ACCESS_KEY_ID',
+        'AWS_SECRET_ACCESS_KEY',
+        'AWS_SESSION_TOKEN',
+        'WEB_IDENTITY_TOKEN_FILE',
+        'ROLE_CHAINING',
+        'AUDIENCE',
+        'HTTP_PROXY',
+        'MASK_AWS_ACCOUNT_ID',
+        'ROLE_DURATION_SECONDS',
+        'ROLE_EXTERNAL_ID',
+        'ROLE_SESSION_NAME',
+        'ROLE_SKIP_SESSION_TAGGING',
+        'INLINE_SESSION_POLICY',
+        'MANAGED_SESSION_POLICIES',
+        'OUTPUT_CREDENTIALS',
+        'UNSET_CURRENT_CREDENTIALS',
+        'DISABLE_RETRY',
+        'RETRY_MAX_ATTEMPTS',
+        'SPECIAL_CHARACTERS_WORKAROUND',
+        'USE_EXISTING_CREDENTIALS',
+    ];
+    for (const envVar of envVars) {
+        if (process.env[envVar]) {
+            process.env[`INPUT_${envVar.replace(/_/g, '-')}`] = process.env[envVar];
+        }
+    }
+}
 // Configure the AWS CLI and AWS SDKs using environment variables and set them as secrets.
 // Setting the credentials as secrets masks them in Github Actions logs
 function exportCredentials(creds, outputCredentials) {
@ -469,6 +501,7 @@ const ROLE_SESSION_NAME = 'GitHubActions';
 const REGION_REGEX = /^[a-z0-9-]+$/g;
 async function run() {
    try {
+        (0, helpers_1.translateEnvVariables)();
        // Get inputs
        const AccessKeyId = core.getInput('aws-access-key-id', { required: false });
        const SecretAccessKey = core.getInput('aws-secret-access-key', {
--- a/src/helpers.ts
+++ b/src/helpers.ts
@ -7,6 +7,38 @@ const MAX_TAG_VALUE_LENGTH = 256;
 const SANITIZATION_CHARACTER = '_';
 const SPECIAL_CHARS_REGEX = /[!@#$%^&*()_+\-=[\]{};':"\\|,.<>/?]+/;

+export function translateEnvVariables() {
+  const envVars = [
+    'AWS_REGION',
+    'ROLE_TO_ASSUME',
+    'AWS_ACCESS_KEY_ID',
+    'AWS_SECRET_ACCESS_KEY',
+    'AWS_SESSION_TOKEN',
+    'WEB_IDENTITY_TOKEN_FILE',
+    'ROLE_CHAINING',
+    'AUDIENCE',
+    'HTTP_PROXY',
+    'MASK_AWS_ACCOUNT_ID',
+    'ROLE_DURATION_SECONDS',
+    'ROLE_EXTERNAL_ID',
+    'ROLE_SESSION_NAME',
+    'ROLE_SKIP_SESSION_TAGGING',
+    'INLINE_SESSION_POLICY',
+    'MANAGED_SESSION_POLICIES',
+    'OUTPUT_CREDENTIALS',
+    'UNSET_CURRENT_CREDENTIALS',
+    'DISABLE_RETRY',
+    'RETRY_MAX_ATTEMPTS',
+    'SPECIAL_CHARACTERS_WORKAROUND',
+    'USE_EXISTING_CREDENTIALS',
+  ];
+  for (const envVar of envVars) {
+    if (process.env[envVar]) {
+      process.env[`INPUT_${envVar.replace(/_/g, '-')}`] = process.env[envVar];
+    }
+  }
+}
+
 // Configure the AWS CLI and AWS SDKs using environment variables and set them as secrets.
 // Setting the credentials as secrets masks them in Github Actions logs
 export function exportCredentials(creds?: Partial<Credentials>, outputCredentials?: boolean) {
--- a/src/index.ts
+++ b/src/index.ts
@ -9,6 +9,7 @@ import {
  exportCredentials,
  exportRegion,
  retryAndBackoff,
+  translateEnvVariables,
  unsetCredentials,
  verifyKeys,
 } from './helpers';
@ -19,6 +20,7 @@ const REGION_REGEX = /^[a-z0-9-]+$/g;

 export async function run() {
  try {
+    translateEnvVariables();
    // Get inputs
    const AccessKeyId = core.getInput('aws-access-key-id', { required: false });
    const SecretAccessKey = core.getInput('aws-secret-access-key', {
--- a/tsconfig.json
+++ b/tsconfig.json
@ -13,7 +13,7 @@
    "module": "CommonJS",
    "resolveJsonModule": true,
    "outDir": "build",
-    "declaration": true,
+    "declaration": false,
    "newLine": "lf",
    "noEmitOnError": true,
    "sourceMap": true,
				`@ -1 +0,0 @@`
				`export declare function run(): Promise<void>;`