
# Integration test for the azure-login, azure-logout and get-keyvault-secrets
# actions. It logs in to Azure, reads two known test secrets from Key Vault,
# logs out again, and compares the values with the expected ones below.
name: Test Azure Login and Get Key Vault Action

on:
  pull_request:
    # Only run for pull requests that touch the actions under test or this
    # workflow file itself.
    paths:
      - 'azure-login/**'
      - 'azure-logout/**'
      - 'get-keyvault-secrets/**'
      - '.github/workflows/test-get-secrets.yml'
  push:
    branches:
      - 'main'
  workflow_dispatch:

# Workflow-wide token scope, applied to every job below.
permissions:
  contents: read
  # Lets jobs request a GitHub OIDC token. Presumably this is what
  # ./azure-login exchanges for an Azure session, since no client secret is
  # passed to it -- confirm against the action.
  id-token: write

# Expected values of the Key Vault test secrets. These are fixtures, not
# credentials; the verify steps compare the fetched secrets against them.
env:
  _TEST_SECRET_VALUE_1: 'Test Value 1'
  _TEST_SECRET_VALUE_2: 'Test Value 2'
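jobs:
  # Fetches both test secrets in one call and checks each returned value.
  test-repo-secrets:
    name: Test Get Secrets
    runs-on: ubuntu-24.04
    steps:
      - name: Check out repo
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          # Do not leave the job token in .git/config. No step visible in this
          # workflow runs an authenticated git command -- confirm the local
          # actions do not either.
          persist-credentials: false

      - name: Log in to Azure
        uses: ./azure-login # Use the local action for testing
        with:
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Verify Azure Login
        id: verify-login
        run: |
          az account show --query name --output tsv

      # NOTE(review): this step is referenced by the mutable branch ref `main`,
      # not by a commit SHA or the local path. The job runs whatever that
      # branch holds at run time while it has `id-token: write` and a live
      # Azure session, and a pull request that changes get-keyvault-secrets/
      # is not exercised by this step.
      - name: Get KV Secrets
        id: get-kv-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main # TODO: Use ./get-keyvault-secrets for testing of local action changes
        with:
          keyvault: gh-gh-actions
          secrets: "test-secret-1,test-secret-2"

      - name: Log out from Azure
        id: azure-logout
        uses: ./azure-logout # Use the local action for testing

      - name: Verify Logged Out
        id: verify-logout
        # An `a && (msg && exit 1) || ok` chain cannot fail here: `exit 1` only
        # leaves the subshell, its non-zero status then triggers the `||`
        # branch, and the step succeeds even when a session is still active.
        # An explicit `if` makes a surviving login fail the step.
        run: |
          if az account show --query name --output tsv; then
            echo "Unexpectedly returned account name instead of being logged out"
            exit 1
          fi
          echo "Successfully logged out of Azure"

      - name: Verify test secret value
        # Fetched secret values are handed to the script through step-level
        # environment variables rather than `${{ }}` interpolation, so they are
        # compared as data and never become part of the script text. The
        # variables exist only for this step.
        env:
          _ACTUAL_SECRET_VALUE_1: ${{ steps.get-kv-secrets.outputs.test-secret-1 }}
          _ACTUAL_SECRET_VALUE_2: ${{ steps.get-kv-secrets.outputs.test-secret-2 }}
        run: |
          if [[ "$_ACTUAL_SECRET_VALUE_1" != "$_TEST_SECRET_VALUE_1" ]]; then
            echo "test-secret-1 value is not as expected"
            exit 1
          fi
          if [[ "$_ACTUAL_SECRET_VALUE_2" != "$_TEST_SECRET_VALUE_2" ]]; then
            echo "test-secret-2 value is not as expected"
            exit 1
          fi
          echo "Test secret values checks successful!"

      # Guards against the action exporting secrets into the job environment:
      # grep exit 0 = a match (fail), 1 = no match (pass), anything else is a
      # grep error and is propagated.
      - name: Check environment
        run: |
          exit_code=0
          env | grep -q "test-secret" || exit_code=$?
          if [ $exit_code -eq 0 ]; then
            echo "Found test secrets in environment"
            exit 1
          elif [ $exit_code -eq 1 ]; then
            echo "Correctly found no secrets found in environment"
          else
            exit $exit_code
          fi

  # Same check, one secret per matrix entry, to cover single-secret requests
  # and dynamic output lookup by key.
  test-repo-secrets-matrix:
    name: Test Get Secrets - Matrix
    strategy:
      fail-fast: false
      matrix:
        include:
          # secret_value is the literal text of a shell variable reference; it
          # is expanded by bash in the verify step, not by the expression
          # engine.
          - secret_key: test-secret-1
            secret_value: $_TEST_SECRET_VALUE_1
          - secret_key: test-secret-2
            secret_value: $_TEST_SECRET_VALUE_2
    runs-on: ubuntu-24.04
    steps:
      - name: Check out repo
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          # Do not leave the job token in .git/config. No step visible in this
          # workflow runs an authenticated git command -- confirm the local
          # actions do not either.
          persist-credentials: false

      - name: Log in to Azure
        uses: ./azure-login # Use the local action for testing
        with:
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      # NOTE(review): referenced by the mutable branch ref `main`; the job
      # runs whatever that branch holds at run time while it has
      # `id-token: write` and a live Azure session.
      - name: Get KV Secrets
        id: get-kv-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main # TODO: Use ./get-keyvault-secrets for testing of local action changes
        with:
          keyvault: gh-gh-actions
          secrets: "${{ matrix.secret_key }}"

      - name: Log out from Azure
        id: azure-logout
        uses: ./azure-logout # Use the local action for testing

      - name: Verify test secret value
        # The fetched value goes through an environment variable so it is never
        # spliced into the script text. The matrix values stay interpolated:
        # they are constants defined in this file, and secret_value has to
        # reach bash as text so that "$_TEST_SECRET_VALUE_N" is expanded.
        env:
          _ACTUAL_SECRET_VALUE: ${{ steps.get-kv-secrets.outputs[matrix.secret_key] }}
        run: |
          if [[ "$_ACTUAL_SECRET_VALUE" != "${{ matrix.secret_value }}" ]]; then
            echo "${{ matrix.secret_key }} value is not as expected"
            exit 1
          fi
          echo "Test secret values checks successful!"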