From 33adce15773e4ee9e8989dcd4984a238df96a26f Mon Sep 17 00:00:00 2001
From: Michael Lehmann
Date: Thu, 5 Jun 2025 13:55:47 -0700
Subject: [PATCH] tests for disabled output-env-credentials
---
 src/helpers.ts | 2 +-
 test/cleanup.test.ts | 5 +++++
 test/helpers.test.ts | 13 ++++++++++++-
 test/index.test.ts | 21 +++++++++++++++++++++
 test/mockinputs.test.ts | 11 +++++++++++
 5 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/src/helpers.ts b/src/helpers.ts
index ba71b50..1c179d7 100644
--- a/src/helpers.ts
+++ b/src/helpers.ts
@@ -54,7 +54,7 @@ export function exportCredentials(
 if (creds?.SessionToken) {
 core.setSecret(creds.SessionToken);
- }
+ }
 if (outputEnvCredentials) {
 if (creds?.AccessKeyId) {
diff --git a/test/cleanup.test.ts b/test/cleanup.test.ts
index ee68ad3..29c19ec 100644
--- a/test/cleanup.test.ts
+++ b/test/cleanup.test.ts
@@ -45,4 +45,9 @@ describe('Configure AWS Credentials cleanup', {}, () => {
 cleanup();
 expect(core.setFailed).toHaveBeenCalled();
 });
+ it(`doesn't export credentials as empty env variables if asked not to`, {}, () => {
+ vi.spyOn(core, 'getInput').mockImplementation(mocks.getInput(mocks.NO_ENV_CREDS_INPUTS));
+ cleanup();
+ expect(core.exportVariable).toHaveBeenCalledTimes(0);
+ })
 });
diff --git a/test/helpers.test.ts b/test/helpers.test.ts
index 96cb6a7..0906acf 100644
--- a/test/helpers.test.ts
+++ b/test/helpers.test.ts
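Review bot: The test added to test/cleanup.test.ts can pass vacuously, because its only assertion is `expect(core.exportVariable).toHaveBeenCalledTimes(0)`, which also holds when `cleanup()` bails out early with an error. The preceding test in the same file shows `cleanup()` reporting failures through `core.setFailed`, so adding `expect(core.setFailed).not.toHaveBeenCalled();` after the `cleanup()` call would tie the zero count to the `'output-env-credentials': 'false'` path instead of to an error path. The spy on `core.exportVariable` is not installed inside the hunk, so this presumably relies on setup elsewhere in the file.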
@@ -27,7 +27,7 @@ describe('Configure AWS Credentials helpers', {}, () => {
 vi.spyOn(core, 'setOutput').mockImplementation(() => {});
 vi.spyOn(core, 'setSecret').mockImplementation(() => {});
 vi.spyOn(core, 'exportVariable').mockImplementation(() => {});
- helpers.exportCredentials({ AccessKeyId: 'test', SecretAccessKey: 'test', SessionToken: 'test', Expiration: new Date(8640000000000000) }, true);
+ helpers.exportCredentials({ AccessKeyId: 'test', SecretAccessKey: 'test', SessionToken: 'test', Expiration: new Date(8640000000000000) }, true, true);
 expect(core.setOutput).toHaveBeenCalledTimes(4);
 expect(core.setSecret).toHaveBeenCalledTimes(3);
 expect(core.exportVariable).toHaveBeenCalledTimes(3);
@@ -42,4 +42,15 @@ describe('Configure AWS Credentials helpers', {}, () => {
 expect(process.env.AWS_DEFAULT_REGION).toBeUndefined;
 process.env = env;
 });
+ it(`won't output credentials to env if told not to`, {}, () => {
+ vi.spyOn(core, 'setOutput').mockImplementation(() => {});
+ vi.spyOn(core, 'setSecret').mockImplementation(() => {});
+ vi.spyOn(core, 'exportVariable').mockImplementation(() => {});
+ helpers.exportCredentials({ AccessKeyId: 'test', SecretAccessKey: 'test', SessionToken: 'test', Expiration: new Date(8640000000000000) }, true, false);
+ helpers.unsetCredentials(false);
+ helpers.exportRegion('fake-test-region', false);
+ expect(core.setOutput).toHaveBeenCalledTimes(4);
+ expect(core.setSecret).toHaveBeenCalledTimes(3);
+ expect(core.exportVariable).toHaveBeenCalledTimes(0);
+ });
 });
diff --git a/test/index.test.ts b/test/index.test.ts
index a95443d..ca4e0b1 100644
--- a/test/index.test.ts
+++ b/test/index.test.ts
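Review bot: In the test added by the second hunk (`won't output credentials to env if told not to`), a single `expect(core.exportVariable).toHaveBeenCalledTimes(0)` covers `exportCredentials`, `unsetCredentials` and `exportRegion` together, so a failure would not say which helper wrote to the environment. The title also mentions only credentials although the region export is exercised too. Consider asserting the zero count after each call, or splitting into one `it` per helper, with a comment such as `// each helper must skip core.exportVariable when its env flag is false`. Separately, all three credential fields use the value `'test'`, so `toHaveBeenCalledTimes(3)` on `core.setSecret` cannot show that each distinct secret was masked; distinct fixture values with `toHaveBeenCalledWith` would.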
@@ -312,5 +312,26 @@ describe('Configure AWS Credentials', {}, () => {
 await run();
 expect(core.setFailed).not.toHaveBeenCalled();
 })
+ it('doesn\'t export credentials as environment variables if told not to', {}, async () => {
+ mockedSTSClient.on(AssumeRoleWithWebIdentityCommand).resolvesOnce(mocks.outputs.STS_CREDENTIALS);
+ vi.spyOn(core, 'getInput').mockImplementation(mocks.getInput(mocks.NO_ENV_CREDS_INPUTS));
+ vi.spyOn(core, 'getIDToken').mockResolvedValue('testoidctoken');
+ process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'fake-token';
+ await run();
+ expect(core.setSecret).toHaveBeenCalledTimes(3);
+ expect(core.exportVariable).toHaveBeenCalledTimes(0);
+ expect(core.setFailed).not.toHaveBeenCalled();
+ })
+ it('can export creds as step outputs without exporting as env variables', {}, async () => {
+ mockedSTSClient.on(AssumeRoleWithWebIdentityCommand).resolvesOnce(mocks.outputs.STS_CREDENTIALS);
+ vi.spyOn(core, 'getInput').mockImplementation(mocks.getInput(mocks.STEP_BUT_NO_ENV_INPUTS));
+ vi.spyOn(core, 'getIDToken').mockResolvedValue('testoidctoken');
+ process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'fake-token';
+ await run();
+ expect(core.setSecret).toHaveBeenCalledTimes(3);
+ expect(core.exportVariable).toHaveBeenCalledTimes(0);
+ expect(core.setOutput).toHaveBeenCalledTimes(4);
+ expect(core.setFailed).not.toHaveBeenCalled();
+ })
 });
 });
diff --git a/test/mockinputs.test.ts b/test/mockinputs.test.ts
index c5908a8..7fe72da 100644
--- a/test/mockinputs.test.ts
+++ b/test/mockinputs.test.ts
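Review bot: Both tests added to test/index.test.ts assign `process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'fake-token'` and nothing in the hunk removes it. Unless a `beforeEach`/`afterEach` outside the hunk resets `process.env`, later tests inherit an OIDC-enabled environment and their results become order-dependent. Using `vi.stubEnv('ACTIONS_ID_TOKEN_REQUEST_TOKEN', 'fake-token');` with `vi.unstubAllEnvs()` in teardown would keep the variable scoped to each test. The first test also makes no assertion about `core.setOutput`, so it does not show whether credentials stay out of step outputs when `output-credentials` is unset.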
@@ -31,6 +31,17 @@ const inputs = {
 'aws-region': 'fake-region-1',
 'use-existing-credentials': 'true',
 'role-to-assume': 'arn:aws:iam::111111111111:role/MY-ROLE',
+ },
+ NO_ENV_CREDS_INPUTS: {
+ 'role-to-assume': 'arn:aws:iam::111111111111:role/MY-ROLE',
+ 'aws-region': 'fake-region-1',
+ 'output-env-credentials': 'false'
+ },
+ STEP_BUT_NO_ENV_INPUTS: {
+ 'role-to-assume': 'arn:aws:iam::111111111111:role/MY-ROLE',
+ 'aws-region': 'fake-region-1',
+ 'output-env-credentials': 'false',
+ 'output-credentials': 'true',
 }
 };