Add support for referencing secrets from 1Password

Author: SamyPesse

.changeset/open-coins-occur.md

@@ -0,0 +1,5 @@
+---
+'@gitbook/cli': minor
+---
+
+Add support for referencing secrets from 1Password using ${{ op://... }}.

bun.lock

@@ -566,6 +566,7 @@
         "gitbook": "./cli.js",
       },
       "dependencies": {
+        "@1password/op-js": "^0.1.13",
         "@gitbook/api": "*",
         "check-node-version": "^4.2.1",
         "chokidar": "^4.0.1",
@@ -622,6 +623,8 @@
     "@gitbook/openapi-parser": "^2.1.0",
   },
   "packages": {
+    "@1password/op-js": ["@1password/op-js@0.1.13", "", { "dependencies": { "lookpath": "^1.2.2", "semver": "^7.6.2" } }, "sha512-ZZBLxVqywFdvIbLv2xWw2N1ImSi183rRKf90vV19KRMReNyLwuD0dv6IrKrIdrJU33IuV3Gz85Z4K2a1PJTBDg=="],
+
     "@ampproject/remapping": ["@ampproject/remapping@2.3.0", "", { "dependencies": { "@jridgewell/gen-mapping": "^0.3.5", "@jridgewell/trace-mapping": "^0.3.24" } }, "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw=="],
 
     "@apidevtools/json-schema-ref-parser": ["@apidevtools/json-schema-ref-parser@11.7.2", "", { "dependencies": { "@jsdevtools/ono": "^7.1.3", "@types/json-schema": "^7.0.15", "js-yaml": "^4.1.0" } }, "sha512-4gY54eEGEstClvEkGnwVkTkrx0sqwemEFG5OSRRn3tD91XH0+Q8XIkYIfo7IwEWPpJZwILb9GUXeShtplRc/eA=="],
@@ -1792,6 +1795,8 @@
 
     "log-update": ["log-update@4.0.0", "", { "dependencies": { "ansi-escapes": "^4.3.0", "cli-cursor": "^3.1.0", "slice-ansi": "^4.0.0", "wrap-ansi": "^6.2.0" } }, "sha512-9fkkDevMefjg0mmzWFBW8YkFP91OrizzkW3diF7CpG+S2EYdy4+TVfGwz1zeF8x7hCx1ovSPTOE9Ngib74qqUg=="],
 
+    "lookpath": ["lookpath@1.2.3", "", { "bin": { "lookpath": "bin/lookpath.js" } }, "sha512-kthRVhf4kH4+HW3anM4UBHxsw/XFESf13euCEldhXr6GpBdmBoa7rDd7WO5G0Mhd4G5XtKTcEy8OR0iRZXpS3Q=="],
+
     "loose-envify": ["loose-envify@1.4.0", "", { "dependencies": { "js-tokens": "^3.0.0 || ^4.0.0" }, "bin": { "loose-envify": "cli.js" } }, "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q=="],
 
     "lower-case": ["lower-case@2.0.2", "", { "dependencies": { "tslib": "^2.0.3" } }, "sha512-7fm3l3NAF9WfN6W3JOmf5drwpVqX78JtoGJ3A6W0a6ZnldM41w2fV5D490psKFTpMds8TJse/eHLFFsNHHjHgg=="],

packages/cli/package.json

@@ -15,7 +15,8 @@
         "prompts": "^2.4.2",
         "zod": "^3.25.42",
         "chokidar": "^4.0.1",
-        "miniflare": "^3.20240925.0"
+        "miniflare": "^3.20240925.0",
+        "@1password/op-js": "^0.1.13"
     },
     "devDependencies": {
         "@gitbook/tsconfig": "*",

packages/cli/src/manifest.ts

@@ -2,6 +2,7 @@ import { z } from 'zod';
 import * as fs from 'fs';
 import * as yaml from 'js-yaml';
 import * as path from 'path';
+import * as op from "@1password/op-js";
 
 import * as api from '@gitbook/api';
 
@@ -215,7 +216,9 @@ async function validateIntegrationManifest(data: object): Promise<IntegrationMan
 function interpolateSecrets(secrets: { [key: string]: string }): { [key: string]: string } {
     return Object.keys(secrets).reduce(
         (acc, key) => {
-            acc[key] = secrets[key].replace(/\${{\s*env.([\S]+)\s*}}/g, (_, envVar) => {
+            acc[key] = secrets[key]
+                // Handle environment variables, defined as `${{ env.VAR }}`
+                .replace(/\${{\s*env.([\S]+)\s*}}/g, (_, envVar) => {
                 const secretEnvVar = process.env[envVar];
                 if (!secretEnvVar) {
                     throw new Error(
@@ -224,6 +227,12 @@ function interpolateSecrets(secrets: { [key: string]: string }): { [key: string]
                 }
 
                 return secretEnvVar;
+            })
+            
+            // Handle 1Password secrets, defined as `${{ op://<ref> }}`
+            .replace(/\${{\s*op:\/\/([\S]+)\s*}}/g, (_, ref) => {
+                const secret = op.read.parse(ref);
+                return secret;
             });
             return acc;
         },