elastic · chrisnavar · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025
@@ -0,0 +1,30 @@
+name: Run Unit Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+      - name: Find and test all packages
+        run: |
+          find . -type f -name package.json -not -path "*/dist/*" -print0 | while IFS= read -r -d '' file; do
+            dir=$(dirname "$file")
+            echo "Testing in $dir"
+            cd "$dir" || continue
+            if [ -f package.json ] && grep -q '"test"' package.json; then
+              npm install
+              npm test
+            else
+              echo "No test script found in $dir, skipping..."
+            fi
+            cd - > /dev/null || exit 1
+          done
@@ -5,7 +5,7 @@ on:
     branches:
       - main
     paths:
-      - './*/action.yml'
+      - './fetch-github-token/**'
       - '.github/workflows/test-fetch_token.yaml'
 
 jobs:

@@ -1,13 +1,20 @@
 # <!--name-->Get Ephemeral GitHub Token from CI Vault<!--/name-->
+
+[![usages](https://img.shields.io/badge/usages-white?logo=githubactions&logoColor=blue)](https://github.com/search?q=elastic%2Foblt-actions%2Ffetch-github-token-js+%28path%3A.github%2Fworkflows+OR+path%3A**%2Faction.yml+OR+path%3A**%2Faction.yaml%29&type=code)
+[![test-fetch-github-token-js](https://github.com/elastic/ci-gh-actions/actions/workflows/test-fetch-github-token-js.yml/badge.svg?branch=main)](https://github.com/elastic/ci-gh-actions/actions/workflows/fetch-github-token-js.yml)
+
+> **Note:** Some sections of this documentation are automatically generated with the retrieved content from 'action.yml'. Please do not manually edit content between HTML comment markers.
+
 <!--description-->
 Fetch an ephemeral GitHub token from Vault using OIDC authentication
 <!--/description-->
 ## Inputs
 <!--inputs-->
-| Name             | Description                                      | Required | Default |
-|------------------|--------------------------------------------------|----------|---------|
-| `vault-instance` | Vault instance to connect to (ci-prod or ci-dev) | `true`   | ` `     |
-| `vault-role`     | Vault role to assume for GitHub token retrieval  | `false`  | ` `     |
+| Name                | Description                                                                                                                        | Required | Default |
+|---------------------|------------------------------------------------------------------------------------------------------------------------------------|----------|---------|
+| `vault-instance`    | Vault instance to connect to (ci-prod or ci-dev)                                                                                   | `true`   | ` `     |
+| `vault-role`        | Vault role to assume for GitHub token retrieval. If not provided, it will be generated based on the workflow ref of the GH Action. | `false`  | ` `     |
+| `skip-token-revoke` | If true, skip revoking the GitHub token on exit                                                                                    | `false`  | `false` |
 <!--/inputs-->
 ## Outputs
 <!--outputs-->
@@ -19,10 +26,9 @@ Fetch an ephemeral GitHub token from Vault using OIDC authentication
 <!--usage action="elastic/ci-gh-actions**" version="env:VERSION"-->
 ```yaml
 permissions:
-  contents: read
   id-token: write
 steps:
-  - uses: elastic/ci-gh-actions/fetch-github-token@v1
+  - uses: elastic/ci-gh-actions/fetch-github-token-js@v1
     id: fetch-token
     with:
       vault-instance: "ci-prod"

@@ -1,89 +1,21 @@
 name: Get Ephemeral GitHub Token from CI Vault
 description: 'Fetch an ephemeral GitHub token from Vault using OIDC authentication'
-
 inputs:
   vault-instance:
     description: 'Vault instance to connect to (ci-prod or ci-dev)'
     required: true
   vault-role:
-    description: 'Vault role to assume for GitHub token retrieval'
+    description: 'Vault role to assume for GitHub token retrieval. If not provided, it will be generated based on the workflow ref of the GH Action.'
     required: false
     default: ''
-  # skip-token-revoke:
-  #   description: 'Revoke the Vault token on exit'
-  #   default: false
+  skip-token-revoke:
+    description: 'If true, skip revoking the GitHub token on exit'
+    required: false
+    default: 'false'
 outputs:
   token:
     description: GitHub App installation access token.
-    value: ${{ steps.vault-action.outputs.token }}
-
 runs:
-  using: "composite"
-  steps:
-    - name: Set Vault Address
-      shell: bash
-      id: vault-address
-      env:
-        VAULT_INSTANCE: ${{ inputs.vault-instance }}
-      run: |
-        set -euo pipefail
-
-        if [[ "$VAULT_INSTANCE" == "ci-dev" ]]; then
-          echo "url=https://vault-ci.dev.elastic.dev" >> "$GITHUB_OUTPUT"
-          echo "Vault address set to CI-DEV."
-        elif [[ "$VAULT_INSTANCE" == "ci-prod" ]]; then
-          echo "url=https://vault-ci-prod.elastic.dev" >> "$GITHUB_OUTPUT"
-          echo "Vault address set to CI-PROD."
-        else
-          echo "::error title=Input Validation Failed::Invalid vault instance: $VAULT_INSTANCE. Must be 'ci-dev' or 'ci-prod'."
-          exit 1
-        fi
-
-    - name: Retrieve GitHub Workflow Ref and generate Vault Role name (vault-role input overrides this if provided)
-      shell: bash
-      id: vault-role
-      if: ${{ inputs.vault-role == '' }}
-      run: |
-        set -euo pipefail
-
-        echo "Workflow ref: $GITHUB_WORKFLOW_REF"
-        WORKFLOW_REF_BASE="${GITHUB_WORKFLOW_REF%@*}"
-        echo "Workflow ref base for role generation: $WORKFLOW_REF_BASE"
-        # Generate role name using SHA-256 hash of workflow ref base
-        WORKFLOW_HASH=$(echo -n "$WORKFLOW_REF_BASE" | sha256sum | cut -c1-12)
-        VAULT_ROLE="token-policy-$WORKFLOW_HASH"
-        echo "Generated role name: $VAULT_ROLE"
-        echo "role=$VAULT_ROLE" >> "$GITHUB_OUTPUT"
-
-    - name: "Diagnostic: Log Final Vault Parameters"
-      shell: bash
-      env:
-        VAULT_ADDR: ${{ steps.vault-address.outputs.url }}
-        VAULT_ROLE: ${{ inputs.vault-role == '' && steps.vault-role.outputs.role || inputs.vault-role }}
-      run: |
-        echo "--- Vault Action Input Parameters ---"
-        echo "VAULT_ADDR (URL): $VAULT_ADDR"
-        echo "VAULT_ROLE: $VAULT_ROLE"
-        echo "Vault Secrets Path Expected: github/token/$VAULT_ROLE"
-        echo "-------------------------------------"
-
-    - name: Use Vault Action to login and retrieve Ephemeral GitHub Token
-      id: vault-action
-      env:
-        VAULT_ROLE: ${{ inputs.vault-role == '' && steps.vault-role.outputs.role || inputs.vault-role }}
-      uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
-      with:
-        url: ${{ steps.vault-address.outputs.url }}
-        role: ${{ env.VAULT_ROLE }}
-        path: github-oidc
-        method: jwt
-        jwtGithubAudience: vault
-        exportEnv: false
-        secrets: |
-          github/token/${{ env.VAULT_ROLE }} token
-
-    - name: Token status check
-      shell: bash
-      run: gh auth status
-      env:
-        GH_TOKEN: ${{ steps.vault-action.outputs.token }}
+  using: 'node24'
+  main: 'dist/main.js'
+  post: 'dist/revoke.js'