fix: replace orchestrator-develop branch references with main

The orchestrator-develop branch no longer exists. Update all fallback
clone commands and test fixtures to use main instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

action.yml

@@ -194,6 +194,15 @@ inputs:
     description:
       '[Orchestrator] Either local, k8s or aws can be used to run builds on a remote cluster. Additional parameters must
       be configured.'
+  secretSource:
+    default: ''
+    required: false
+    description:
+      '[Orchestrator] Premade secret source for pulling build secrets. Supported values: aws-secrets-manager,
+      aws-parameter-store, gcp-secret-manager, azure-key-vault, hashicorp-vault, hashicorp-vault-kv1,
+      vault (alias for hashicorp-vault), env. Can also be a custom shell command with {0} placeholder
+      for the key, or a path to a YAML file defining custom sources. Takes precedence over
+      inputPullCommand when set.'
   resourceTracking:
     default: 'false'
     required: false
@@ -269,28 +278,6 @@ inputs:
     default: 'false'
     required: false
     description: 'Skip the activation/deactivation of Unity. This assumes Unity is already activated.'
-  artifactOutputTypes:
-    description: 'Comma-separated list of output types to collect (build, logs, test-results, coverage, images, metrics, data-export, server-build, custom)'
-    required: false
-    default: 'build,logs,test-results'
-  artifactUploadTarget:
-    description: 'Where to upload artifacts: github-artifacts, storage, local, none'
-    required: false
-    default: 'github-artifacts'
-  artifactUploadPath:
-    description: 'Destination path for artifact upload (storage URI or local path)'
-    required: false
-  artifactCompression:
-    description: 'Compression for artifacts: none, gzip, lz4'
-    required: false
-    default: 'gzip'
-  artifactRetentionDays:
-    description: 'Retention period for uploaded artifacts in days'
-    required: false
-    default: '30'
-  artifactCustomTypes:
-    description: 'JSON string defining custom output types [{name, defaultPath, description}]'
-    required: false
   cloneDepth:
     default: '50'
     required: false
@@ -314,8 +301,6 @@ outputs:
       'Returns the exit code from the build scripts. This code is 0 if the build was successful. If there was an error
       during activation, the code is from the activation step. If activation is successful, the code is from the project
       build step.'
-  artifactManifestPath:
-    description: 'Path to the generated artifact manifest JSON file'
 branding:
   icon: 'box'
   color: 'gray-dark'

src/index.ts

@@ -1,12 +1,8 @@
 import * as core from '@actions/core';
-import path from 'node:path';
 import { Action, BuildParameters, Cache, Orchestrator, Docker, ImageTag, Output } from './model';
 import { Cli } from './model/cli/cli';
 import MacBuilder from './model/mac-builder';
 import PlatformSetup from './model/platform-setup';
-import { OutputService } from './model/orchestrator/services/output/output-service';
-import { OutputTypeRegistry } from './model/orchestrator/services/output/output-type-registry';
-import { ArtifactUploadHandler } from './model/orchestrator/services/output/artifact-upload-handler';
 
 async function runMain() {
   try {
@@ -46,64 +42,6 @@ async function runMain() {
     await Output.setAndroidVersionCode(buildParameters.androidVersionCode);
     await Output.setEngineExitCode(exitCode);
 
-    // Artifact collection and upload (runs on both success and failure)
-    try {
-      // Register custom output types if provided
-      if (buildParameters.artifactCustomTypes) {
-        try {
-          const customTypes = JSON.parse(buildParameters.artifactCustomTypes);
-          if (Array.isArray(customTypes)) {
-            for (const ct of customTypes) {
-              OutputTypeRegistry.registerType({
-                name: ct.name,
-                defaultPath: ct.defaultPath || ct.pattern || `./${ct.name}/`,
-                description: ct.description || `Custom output type: ${ct.name}`,
-                builtIn: false,
-              });
-            }
-          }
-        } catch (parseError) {
-          core.warning(`Failed to parse artifactCustomTypes: ${(parseError as Error).message}`);
-        }
-      }
-
-      // Collect outputs and generate manifest
-      const manifestPath = path.join(buildParameters.projectPath, 'output-manifest.json');
-      const manifest = await OutputService.collectOutputs(
-        buildParameters.projectPath,
-        buildParameters.buildGuid,
-        buildParameters.artifactOutputTypes,
-        manifestPath,
-      );
-
-      core.setOutput('artifactManifestPath', manifestPath);
-
-      // Upload artifacts
-      const uploadConfig = ArtifactUploadHandler.parseConfig(
-        buildParameters.artifactUploadTarget,
-        buildParameters.artifactUploadPath || undefined,
-        buildParameters.artifactCompression,
-        buildParameters.artifactRetentionDays,
-      );
-
-      const uploadResult = await ArtifactUploadHandler.uploadArtifacts(
-        manifest,
-        uploadConfig,
-        buildParameters.projectPath,
-      );
-
-      if (!uploadResult.success) {
-        core.warning(
-          `Artifact upload completed with errors: ${uploadResult.entries
-            .filter((e) => !e.success)
-            .map((e) => `${e.type}: ${e.error}`)
-            .join('; ')}`,
-        );
-      }
-    } catch (artifactError) {
-      core.warning(`Artifact collection/upload failed: ${(artifactError as Error).message}`);
-    }
-
     if (exitCode !== 0) {
       core.setFailed(`Build failed with exit code ${exitCode}`);
     }

src/model/build-parameters.ts

@@ -106,12 +106,6 @@ class BuildParameters {
   public cacheUnityInstallationOnMac!: boolean;
   public unityHubVersionOnMac!: string;
   public dockerWorkspacePath!: string;
-  public artifactOutputTypes!: string;
-  public artifactUploadTarget!: string;
-  public artifactUploadPath!: string;
-  public artifactCompression!: string;
-  public artifactRetentionDays!: string;
-  public artifactCustomTypes!: string;
 
   public static shouldUseRetainedWorkspaceMode(buildParameters: BuildParameters) {
     return buildParameters.maxRetainedWorkspaces > 0 && Orchestrator.lockedWorkspace !== ``;
@@ -248,12 +242,6 @@ class BuildParameters {
       cacheUnityInstallationOnMac: Input.cacheUnityInstallationOnMac,
       unityHubVersionOnMac: Input.unityHubVersionOnMac,
       dockerWorkspacePath: Input.dockerWorkspacePath,
-      artifactOutputTypes: Input.artifactOutputTypes,
-      artifactUploadTarget: Input.artifactUploadTarget,
-      artifactUploadPath: Input.artifactUploadPath,
-      artifactCompression: Input.artifactCompression,
-      artifactRetentionDays: Input.artifactRetentionDays,
-      artifactCustomTypes: Input.artifactCustomTypes,
     };
   }
 

src/model/input.ts

@@ -278,30 +278,6 @@ class Input {
     return Input.getInput('containerRegistryImageVersion') ?? '3';
   }
 
-  static get artifactOutputTypes(): string {
-    return Input.getInput('artifactOutputTypes') ?? 'build,logs,test-results';
-  }
-
-  static get artifactUploadTarget(): string {
-    return Input.getInput('artifactUploadTarget') ?? 'github-artifacts';
-  }
-
-  static get artifactUploadPath(): string {
-    return Input.getInput('artifactUploadPath') ?? '';
-  }
-
-  static get artifactCompression(): string {
-    return Input.getInput('artifactCompression') ?? 'gzip';
-  }
-
-  static get artifactRetentionDays(): string {
-    return Input.getInput('artifactRetentionDays') ?? '30';
-  }
-
-  static get artifactCustomTypes(): string {
-    return Input.getInput('artifactCustomTypes') ?? '';
-  }
-
   static get skipActivation(): string {
     return Input.getInput('skipActivation')?.toLowerCase() ?? 'false';
   }

src/model/orchestrator/options/orchestrator-options.ts

@@ -190,6 +190,10 @@ class OrchestratorOptions {
     return OrchestratorOptions.getInput('pullInputList')?.split(`,`) || [];
   }
 
+  static get secretSource(): string {
+    return OrchestratorOptions.getInput('secretSource') || '';
+  }
+
   static get inputPullCommand(): string {
     const value = OrchestratorOptions.getInput('inputPullCommand');
 

src/model/orchestrator/options/orchestrator-query-override.ts

@@ -1,6 +1,9 @@
+import * as core from '@actions/core';
 import Input from '../../input';
 import { GenericInputReader } from '../../input-readers/generic-input-reader';
 import OrchestratorOptions from './orchestrator-options';
+import { SecretSourceService, validateSecretKey } from '../services/secrets/secret-source-service';
+import OrchestratorLogger from '../services/core/orchestrator-logger';
 
 const formatFunction = (value: string, arguments_: any[]) => {
   for (const element of arguments_) {
@@ -13,8 +16,6 @@ const formatFunction = (value: string, arguments_: any[]) => {
 class OrchestratorQueryOverride {
   static queryOverrides: { [key: string]: string } | undefined;
 
-  // TODO accept premade secret sources or custom secret source definition yamls
-
   public static query(key: string, alternativeKey: string) {
     if (OrchestratorQueryOverride.queryOverrides && OrchestratorQueryOverride.queryOverrides[key] !== undefined) {
       return OrchestratorQueryOverride.queryOverrides[key];
@@ -49,14 +50,62 @@ class OrchestratorQueryOverride {
       throw new Error(`Should not be trying to run override query on ${query}`);
     }
 
-    return await GenericInputReader.Run(
+    // Validate the query key before interpolating it into a shell command
+    validateSecretKey(query);
+
+    const result = await GenericInputReader.Run(
       formatFunction(OrchestratorOptions.inputPullCommand, [{ key: 0, value: query }]),
     );
+
+    // Mask the fetched secret value so it does not appear in GitHub Actions logs
+    if (result && result.trim().length > 0) {
+      core.setSecret(result);
+    }
+
+    return result;
   }
 
+  /**
+   * Populate query overrides using either:
+   * 1. Premade/custom secret sources (via secretSource input), or
+   * 2. Shell command (via inputPullCommand, legacy approach)
+   *
+   * The secretSource input takes precedence if set. It supports:
+   * - Premade names: 'aws-secrets-manager', 'aws-parameter-store', 'gcp-secret-manager', 'azure-key-vault', 'env'
+   * - Custom commands: any string containing {0} placeholder
+   * - YAML file path: a path ending in .yml or .yaml containing custom source definitions
+   */
   public static async PopulateQueryOverrideInput() {
     const queries = OrchestratorOptions.pullInputList;
     OrchestratorQueryOverride.queryOverrides = {};
+
+    const secretSource = OrchestratorOptions.secretSource;
+
+    // Use SecretSourceService if secretSource is configured
+    if (secretSource) {
+      OrchestratorLogger.log(`Using secret source: ${secretSource}`);
+
+      // YAML file: load definitions and use the first source
+      if (secretSource.endsWith('.yml') || secretSource.endsWith('.yaml')) {
+        const definitions = SecretSourceService.loadFromYaml(secretSource);
+        if (definitions.length > 0) {
+          OrchestratorLogger.log(`Loaded ${definitions.length} secret source(s) from ${secretSource}`);
+          for (const key of queries) {
+            OrchestratorQueryOverride.queryOverrides[key] = await SecretSourceService.fetchSecret(definitions[0], key);
+          }
+        }
+
+        return;
+      }
+
+      // Premade or custom command source
+      const results = await SecretSourceService.fetchAll(secretSource, queries);
+      Object.assign(OrchestratorQueryOverride.queryOverrides, results);
+
+      return;
+    }
+
+    // Legacy: use inputPullCommand if set
     for (const element of queries) {
       if (OrchestratorQueryOverride.shouldUseOverride(element)) {
         OrchestratorQueryOverride.queryOverrides[element] = await OrchestratorQueryOverride.queryOverride(element);

src/model/orchestrator/services/output/artifact-service.test.ts

@@ -1,607 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import { OutputTypeRegistry, OutputTypeDefinition } from './output-type-registry';
-import { OutputService } from './output-service';
-import { OutputManifest } from './output-manifest';
-import { ArtifactUploadHandler, ArtifactUploadConfig } from './artifact-upload-handler';
-
-// Mock node:fs
-jest.mock('node:fs');
-const mockedFs = fs as jest.Mocked<typeof fs>;
-
-// Mock @actions/core (used by OrchestratorLogger)
-jest.mock('@actions/core', () => ({
-  info: jest.fn(),
-  warning: jest.fn(),
-  error: jest.fn(),
-  setOutput: jest.fn(),
-  getInput: jest.fn(),
-  setFailed: jest.fn(),
-  setSecret: jest.fn(),
-}));
-
-// Mock @actions/exec (used by upload handler for rclone)
-jest.mock('@actions/exec', () => ({
-  exec: jest.fn().mockResolvedValue(0),
-}));
-
-afterEach(() => {
-  jest.restoreAllMocks();
-  OutputTypeRegistry.resetCustomTypes();
-});
-
-// ---------------------------------------------------------------------------
-// OutputTypeRegistry Tests
-// ---------------------------------------------------------------------------
-describe('OutputTypeRegistry', () => {
-  describe('built-in types', () => {
-    it('should have 8 built-in types', () => {
-      const allTypes = OutputTypeRegistry.getAllTypes();
-      const builtInTypes = allTypes.filter((t) => t.builtIn);
-      expect(builtInTypes).toHaveLength(8);
-    });
-
-    it.each(['build', 'test-results', 'server-build', 'data-export', 'images', 'logs', 'metrics', 'coverage'])(
-      'should include built-in type "%s"',
-      (typeName) => {
-        const typeDef = OutputTypeRegistry.getType(typeName);
-        expect(typeDef).toBeDefined();
-        expect(typeDef!.name).toBe(typeName);
-        expect(typeDef!.builtIn).toBe(true);
-      },
-    );
-
-    it('should return undefined for unknown types', () => {
-      const typeDef = OutputTypeRegistry.getType('nonexistent');
-      expect(typeDef).toBeUndefined();
-    });
-
-    it('should include default paths for all built-in types', () => {
-      const allTypes = OutputTypeRegistry.getAllTypes();
-      for (const typeDef of allTypes) {
-        expect(typeDef.defaultPath).toBeTruthy();
-        expect(typeof typeDef.defaultPath).toBe('string');
-      }
-    });
-
-    it('should include descriptions for all built-in types', () => {
-      const allTypes = OutputTypeRegistry.getAllTypes();
-      for (const typeDef of allTypes) {
-        expect(typeDef.description).toBeTruthy();
-        expect(typeof typeDef.description).toBe('string');
-      }
-    });
-  });
-
-  describe('custom type registration', () => {
-    it('should register a custom type', () => {
-      const customType: OutputTypeDefinition = {
-        name: 'custom-reports',
-        defaultPath: './Reports/',
-        description: 'Custom generated reports',
-        builtIn: false,
-      };
-
-      OutputTypeRegistry.registerType(customType);
-      const retrieved = OutputTypeRegistry.getType('custom-reports');
-      expect(retrieved).toBeDefined();
-      expect(retrieved!.name).toBe('custom-reports');
-      expect(retrieved!.builtIn).toBe(false);
-    });
-
-    it('should not override built-in types', () => {
-      const override: OutputTypeDefinition = {
-        name: 'build',
-        defaultPath: './Override/',
-        description: 'Should not override',
-        builtIn: false,
-      };
-
-      OutputTypeRegistry.registerType(override);
-      const buildType = OutputTypeRegistry.getType('build');
-      expect(buildType!.defaultPath).not.toBe('./Override/');
-      expect(buildType!.builtIn).toBe(true);
-    });
-
-    it('should include custom types in getAllTypes', () => {
-      OutputTypeRegistry.registerType({
-        name: 'custom-a',
-        defaultPath: './A/',
-        description: 'Custom A',
-        builtIn: false,
-      });
-
-      const allTypes = OutputTypeRegistry.getAllTypes();
-      expect(allTypes.length).toBe(9); // 8 built-in + 1 custom
-      expect(allTypes.some((t) => t.name === 'custom-a')).toBe(true);
-    });
-
-    it('should reset custom types', () => {
-      OutputTypeRegistry.registerType({
-        name: 'temp-type',
-        defaultPath: './Temp/',
-        description: 'Temporary type',
-        builtIn: false,
-      });
-
-      expect(OutputTypeRegistry.getType('temp-type')).toBeDefined();
-      OutputTypeRegistry.resetCustomTypes();
-      expect(OutputTypeRegistry.getType('temp-type')).toBeUndefined();
-    });
-
-    it('should force builtIn to false when registering custom types', () => {
-      OutputTypeRegistry.registerType({
-        name: 'sneaky',
-        defaultPath: './Sneaky/',
-        description: 'Tries to be built-in',
-        builtIn: true, // Intentionally setting to true
-      });
-
-      const retrieved = OutputTypeRegistry.getType('sneaky');
-      expect(retrieved).toBeDefined();
-      expect(retrieved!.builtIn).toBe(false);
-    });
-  });
-
-  describe('parseOutputTypes', () => {
-    it('should parse a comma-separated string of valid types', () => {
-      const types = OutputTypeRegistry.parseOutputTypes('build,logs,coverage');
-      expect(types).toHaveLength(3);
-      expect(types.map((t) => t.name)).toEqual(['build', 'logs', 'coverage']);
-    });
-
-    it('should skip unknown types', () => {
-      const types = OutputTypeRegistry.parseOutputTypes('build,unknown,logs');
-      expect(types).toHaveLength(2);
-      expect(types.map((t) => t.name)).toEqual(['build', 'logs']);
-    });
-
-    it('should handle empty string', () => {
-      const types = OutputTypeRegistry.parseOutputTypes('');
-      expect(types).toHaveLength(0);
-    });
-
-    it('should handle whitespace in type names', () => {
-      const types = OutputTypeRegistry.parseOutputTypes(' build , logs , coverage ');
-      expect(types).toHaveLength(3);
-    });
-
-    it('should include custom types when parsing', () => {
-      OutputTypeRegistry.registerType({
-        name: 'my-reports',
-        defaultPath: './Reports/',
-        description: 'Custom reports',
-        builtIn: false,
-      });
-
-      const types = OutputTypeRegistry.parseOutputTypes('build,my-reports');
-      expect(types).toHaveLength(2);
-      expect(types[1].name).toBe('my-reports');
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// OutputService Tests
-// ---------------------------------------------------------------------------
-describe('OutputService', () => {
-  const projectPath = '/project';
-  const buildGuid = 'test-guid-1234';
-
-  beforeEach(() => {
-    // Reset all fs mocks
-    mockedFs.existsSync.mockReset();
-    mockedFs.statSync.mockReset();
-    mockedFs.readdirSync.mockReset();
-    mockedFs.writeFileSync.mockReset();
-    mockedFs.mkdirSync.mockReset();
-  });
-
-  describe('collectOutputs', () => {
-    it('should return an empty manifest when no output types are declared', async () => {
-      const manifest = await OutputService.collectOutputs(projectPath, buildGuid, '');
-      expect(manifest.buildGuid).toBe(buildGuid);
-      expect(manifest.outputs).toHaveLength(0);
-      expect(manifest.timestamp).toBeTruthy();
-    });
-
-    it('should skip outputs where the path does not exist', async () => {
-      mockedFs.existsSync.mockReturnValue(false);
-
-      const manifest = await OutputService.collectOutputs(projectPath, buildGuid, 'build,logs');
-      expect(manifest.outputs).toHaveLength(0);
-    });
-
-    it('should collect directory outputs with file listings', async () => {
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => true, size: 0 } as any);
-      mockedFs.readdirSync.mockImplementation((_dirPath: any, options?: any) => {
-        if (options?.withFileTypes) {
-          return [
-            { name: 'file1.txt', isDirectory: () => false },
-            { name: 'file2.txt', isDirectory: () => false },
-          ] as any;
-        }
-
-        return ['file1.txt', 'file2.txt'] as any;
-      });
-
-      const manifest = await OutputService.collectOutputs(projectPath, buildGuid, 'logs');
-      expect(manifest.outputs).toHaveLength(1);
-      expect(manifest.outputs[0].type).toBe('logs');
-      expect(manifest.outputs[0].files).toEqual(['file1.txt', 'file2.txt']);
-    });
-
-    it('should collect file output with correct size', async () => {
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false, size: 4096 } as any);
-
-      const manifest = await OutputService.collectOutputs(projectPath, buildGuid, 'coverage');
-      expect(manifest.outputs).toHaveLength(1);
-      expect(manifest.outputs[0].size).toBe(4096);
-    });
-
-    it('should write manifest to disk when manifestPath is provided', async () => {
-      // existsSync returns false for output paths (no outputs found) but mkdirSync/writeFileSync should still be called
-      // The service only writes manifest when at least one output type is declared and types are resolved
-      // So we need to provide a valid output type and have its path exist
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false, size: 100 } as any);
-      mockedFs.mkdirSync.mockReturnValue(undefined);
-      mockedFs.writeFileSync.mockImplementation(() => {});
-
-      const manifestPath = '/output/manifest.json';
-      await OutputService.collectOutputs(projectPath, buildGuid, 'logs', manifestPath);
-
-      expect(mockedFs.mkdirSync).toHaveBeenCalledWith(path.dirname(manifestPath), { recursive: true });
-      expect(mockedFs.writeFileSync).toHaveBeenCalledWith(manifestPath, expect.any(String), 'utf8');
-    });
-
-    it('should generate valid JSON in the manifest file', async () => {
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false, size: 200 } as any);
-      mockedFs.mkdirSync.mockReturnValue(undefined);
-      mockedFs.writeFileSync.mockImplementation(() => {});
-
-      const manifestPath = '/output/manifest.json';
-      await OutputService.collectOutputs(projectPath, buildGuid, 'coverage', manifestPath);
-
-      const writtenContent = (mockedFs.writeFileSync as jest.Mock).mock.calls[0][1];
-      const parsed = JSON.parse(writtenContent);
-      expect(parsed.buildGuid).toBe(buildGuid);
-      expect(Array.isArray(parsed.outputs)).toBe(true);
-      expect(parsed.outputs.length).toBeGreaterThan(0);
-    });
-
-    it('should set a valid ISO 8601 timestamp', async () => {
-      const manifest = await OutputService.collectOutputs(projectPath, buildGuid, '');
-      const parsed = new Date(manifest.timestamp);
-      expect(parsed.toISOString()).toBe(manifest.timestamp);
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// ArtifactUploadHandler Tests
-// ---------------------------------------------------------------------------
-describe('ArtifactUploadHandler', () => {
-  const projectPath = '/project';
-
-  beforeEach(() => {
-    mockedFs.existsSync.mockReset();
-    mockedFs.statSync.mockReset();
-    mockedFs.readdirSync.mockReset();
-    mockedFs.mkdirSync.mockReset();
-    mockedFs.copyFileSync.mockReset();
-  });
-
-  describe('parseConfig', () => {
-    it('should parse valid config values', () => {
-      const config = ArtifactUploadHandler.parseConfig('github-artifacts', '/dest', 'gzip', '14');
-      expect(config.target).toBe('github-artifacts');
-      expect(config.destination).toBe('/dest');
-      expect(config.compression).toBe('gzip');
-      expect(config.retentionDays).toBe(14);
-    });
-
-    it('should default invalid target to github-artifacts', () => {
-      const config = ArtifactUploadHandler.parseConfig('invalid', undefined, 'none', '30');
-      expect(config.target).toBe('github-artifacts');
-    });
-
-    it('should default invalid compression to gzip', () => {
-      const config = ArtifactUploadHandler.parseConfig('local', '/dest', 'brotli', '30');
-      expect(config.compression).toBe('gzip');
-    });
-
-    it('should default invalid retention to 30 days', () => {
-      const config = ArtifactUploadHandler.parseConfig('local', '/dest', 'gzip', 'abc');
-      expect(config.retentionDays).toBe(30);
-    });
-
-    it('should default negative retention to 30 days', () => {
-      const config = ArtifactUploadHandler.parseConfig('local', '/dest', 'gzip', '-5');
-      expect(config.retentionDays).toBe(30);
-    });
-
-    it('should set destination to undefined when empty string', () => {
-      const config = ArtifactUploadHandler.parseConfig('storage', '', 'none', '7');
-      expect(config.destination).toBeUndefined();
-    });
-  });
-
-  describe('uploadArtifacts', () => {
-    it('should skip upload when target is none', async () => {
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [{ type: 'build', path: './Builds/' }],
-      };
-
-      const config: ArtifactUploadConfig = {
-        target: 'none',
-        compression: 'gzip',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      expect(result.success).toBe(true);
-      expect(result.entries).toHaveLength(0);
-    });
-
-    it('should return success with no entries for empty manifest', async () => {
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [],
-      };
-
-      const config: ArtifactUploadConfig = {
-        target: 'github-artifacts',
-        compression: 'gzip',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      expect(result.success).toBe(true);
-      expect(result.entries).toHaveLength(0);
-      expect(result.totalBytes).toBe(0);
-    });
-
-    it('should fail entry when output path does not exist', async () => {
-      mockedFs.existsSync.mockReturnValue(false);
-
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [{ type: 'build', path: './Builds/Missing/' }],
-      };
-
-      const config: ArtifactUploadConfig = {
-        target: 'local',
-        destination: '/output',
-        compression: 'none',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      expect(result.success).toBe(false);
-      expect(result.entries).toHaveLength(1);
-      expect(result.entries[0].success).toBe(false);
-      expect(result.entries[0].error).toContain('does not exist');
-    });
-
-    it('should copy files for local upload target', async () => {
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false, size: 1024 } as any);
-      mockedFs.mkdirSync.mockReturnValue(undefined);
-      mockedFs.copyFileSync.mockReturnValue(undefined);
-
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [{ type: 'logs', path: './Logs/build.log', size: 1024 }],
-      };
-
-      const config: ArtifactUploadConfig = {
-        target: 'local',
-        destination: '/output',
-        compression: 'none',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      expect(result.success).toBe(true);
-      expect(result.entries).toHaveLength(1);
-      expect(result.entries[0].success).toBe(true);
-      expect(result.totalBytes).toBe(1024);
-    });
-
-    it('should fail local upload when no destination is provided', async () => {
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false, size: 512 } as any);
-
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [{ type: 'logs', path: './Logs/build.log', size: 512 }],
-      };
-
-      const config: ArtifactUploadConfig = {
-        target: 'local',
-        compression: 'none',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      expect(result.success).toBe(false);
-      expect(result.entries[0].success).toBe(false);
-      expect(result.entries[0].error).toContain('destination path');
-    });
-
-    it('should report correct duration', async () => {
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [],
-      };
-
-      const config: ArtifactUploadConfig = {
-        target: 'none',
-        compression: 'gzip',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      expect(result.durationMs).toBeGreaterThanOrEqual(0);
-    });
-  });
-
-  describe('collectFiles', () => {
-    it('should return single file for a file path', () => {
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false } as any);
-
-      const files = ArtifactUploadHandler.collectFiles('/path/to/file.txt');
-      expect(files).toEqual(['/path/to/file.txt']);
-    });
-
-    it('should return all files recursively for a directory', () => {
-      mockedFs.statSync.mockImplementation((p: any) => {
-        const pathStr = typeof p === 'string' ? p : p.toString();
-        if (pathStr.endsWith('.txt') || pathStr.endsWith('.log')) {
-          return { isDirectory: () => false } as any;
-        }
-
-        return { isDirectory: () => true } as any;
-      });
-
-      mockedFs.readdirSync.mockImplementation((dirPath: any, _options?: any) => {
-        const dirStr = typeof dirPath === 'string' ? dirPath : dirPath.toString();
-        if (dirStr === '/root') {
-          return [
-            { name: 'file1.txt', isDirectory: () => false },
-            { name: 'sub', isDirectory: () => true },
-          ] as any;
-        }
-        if (dirStr.endsWith('sub')) {
-          return [{ name: 'file2.log', isDirectory: () => false }] as any;
-        }
-
-        return [] as any;
-      });
-
-      const files = ArtifactUploadHandler.collectFiles('/root');
-      expect(files).toHaveLength(2);
-      expect(files).toContain(path.join('/root', 'file1.txt'));
-      expect(files).toContain(path.join('/root', 'sub', 'file2.log'));
-    });
-  });
-
-  describe('storage upload validation', () => {
-    it('should fail storage upload when no destination is provided', async () => {
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false, size: 256 } as any);
-
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [{ type: 'build', path: './Builds/', size: 256 }],
-      };
-
-      const config: ArtifactUploadConfig = {
-        target: 'storage',
-        compression: 'gzip',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      expect(result.success).toBe(false);
-      expect(result.entries[0].error).toContain('destination URI');
-    });
-
-    it('should fail storage upload when destination URI has invalid format', async () => {
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false, size: 256 } as any);
-
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [{ type: 'build', path: './Builds/', size: 256 }],
-      };
-
-      const config: ArtifactUploadConfig = {
-        target: 'storage',
-        destination: '/just/a/local/path',
-        compression: 'gzip',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      expect(result.success).toBe(false);
-      expect(result.entries[0].error).toContain('Invalid storage destination URI');
-    });
-
-    it('should fail storage upload when rclone is not installed', async () => {
-      // Mock child_process.execFileSync to throw (rclone not found)
-      const childProcess = require('node:child_process');
-      const originalExecFileSync = childProcess.execFileSync;
-      childProcess.execFileSync = jest.fn(() => {
-        throw new Error('ENOENT');
-      });
-
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false, size: 256 } as any);
-
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [{ type: 'build', path: './Builds/', size: 256 }],
-      };
-
-      const config: ArtifactUploadConfig = {
-        target: 'storage',
-        destination: 's3:my-bucket/artifacts',
-        compression: 'gzip',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      expect(result.success).toBe(false);
-      expect(result.entries[0].error).toContain('rclone is not installed');
-
-      // Restore
-      childProcess.execFileSync = originalExecFileSync;
-    });
-
-    it('should accept valid rclone storage URI formats', async () => {
-      // Mock child_process.execFileSync to succeed (rclone available)
-      const childProcess = require('node:child_process');
-      const originalExecFileSync = childProcess.execFileSync;
-      childProcess.execFileSync = jest.fn(() => 'rclone v1.65.0');
-
-      mockedFs.existsSync.mockReturnValue(true);
-      mockedFs.statSync.mockReturnValue({ isDirectory: () => false, size: 256 } as any);
-
-      const manifest: OutputManifest = {
-        buildGuid: 'test-guid',
-        timestamp: new Date().toISOString(),
-        outputs: [{ type: 'build', path: './Builds/', size: 256 }],
-      };
-
-      // s3:bucket format should pass URI validation and reach the exec call
-      const config: ArtifactUploadConfig = {
-        target: 'storage',
-        destination: 's3:my-bucket/artifacts',
-        compression: 'gzip',
-        retentionDays: 30,
-      };
-
-      const result = await ArtifactUploadHandler.uploadArtifacts(manifest, config, projectPath);
-      // Should succeed because exec is mocked to return 0
-      expect(result.entries[0].success).toBe(true);
-
-      // Restore
-      childProcess.execFileSync = originalExecFileSync;
-    });
-  });
-});

src/model/orchestrator/services/output/artifact-upload-handler.ts

@@ -1,474 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import { execFileSync } from 'node:child_process';
-import { exec } from '@actions/exec';
-import OrchestratorLogger from '../core/orchestrator-logger';
-import { OutputManifest, OutputEntry } from './output-manifest';
-
-/**
- * Configuration for artifact upload.
- */
-export interface ArtifactUploadConfig {
-  /** Upload target: 'github-artifacts', 'storage', 'local', 'none' */
-  target: 'github-artifacts' | 'storage' | 'local' | 'none';
-
-  /** Destination path — storage URI for 'storage', local path for 'local' */
-  destination?: string;
-
-  /** Compression method */
-  compression: 'none' | 'gzip' | 'lz4';
-
-  /** Retention period in days (GitHub Artifacts only) */
-  retentionDays: number;
-}
-
-/**
- * Result of an artifact upload operation.
- */
-export interface UploadResult {
-  /** Whether the upload succeeded overall */
-  success: boolean;
-
-  /** Per-entry upload results */
-  entries: UploadEntryResult[];
-
-  /** Total bytes uploaded */
-  totalBytes: number;
-
-  /** Duration in milliseconds */
-  durationMs: number;
-}
-
-export interface UploadEntryResult {
-  /** The output type name */
-  type: string;
-
-  /** The output path */
-  path: string;
-
-  /** Whether this entry uploaded successfully */
-  success: boolean;
-
-  /** Bytes uploaded for this entry */
-  bytes: number;
-
-  /** Error message if upload failed */
-  error?: string;
-}
-
-/**
- * GitHub Artifacts size limit per artifact (10 GB).
- * Files larger than this must be split.
- */
-const GITHUB_ARTIFACT_SIZE_LIMIT = 10 * 1024 * 1024 * 1024;
-
-/**
- * Minimum valid storage URI pattern: "remote:path" or "remote:".
- * rclone requires at least a remote name followed by a colon.
- */
-const STORAGE_URI_PATTERN = /^[a-zA-Z][\w-]*:/;
-
-/**
- * Check whether rclone is installed and available on PATH.
- * Returns true if `rclone version` executes successfully.
- */
-function isRcloneAvailable(): boolean {
-  try {
-    execFileSync('rclone', ['version'], { stdio: 'pipe', timeout: 5000 });
-
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-/**
- * Validate that a storage destination URI has the correct rclone format.
- * Valid format: "remoteName:path" (e.g., "s3:bucket/prefix", "gdrive:folder").
- */
-function isValidStorageUri(uri: string): boolean {
-  return STORAGE_URI_PATTERN.test(uri);
-}
-
-/**
- * Handles uploading build artifacts to various targets.
- */
-export class ArtifactUploadHandler {
-  /**
-   * Upload artifacts described by a manifest to the configured target.
-   */
-  static async uploadArtifacts(
-    manifest: OutputManifest,
-    config: ArtifactUploadConfig,
-    projectPath: string,
-  ): Promise<UploadResult> {
-    const startTime = Date.now();
-    const result: UploadResult = {
-      success: true,
-      entries: [],
-      totalBytes: 0,
-      durationMs: 0,
-    };
-
-    if (config.target === 'none') {
-      OrchestratorLogger.log('[ArtifactUpload] Upload target is "none", skipping upload');
-      result.durationMs = Date.now() - startTime;
-
-      return result;
-    }
-
-    if (manifest.outputs.length === 0) {
-      OrchestratorLogger.log('[ArtifactUpload] No outputs in manifest, nothing to upload');
-      result.durationMs = Date.now() - startTime;
-
-      return result;
-    }
-
-    OrchestratorLogger.log(`[ArtifactUpload] Uploading ${manifest.outputs.length} output(s) to ${config.target}`);
-
-    for (const entry of manifest.outputs) {
-      const entryResult = await ArtifactUploadHandler.uploadEntry(entry, config, projectPath);
-      result.entries.push(entryResult);
-      result.totalBytes += entryResult.bytes;
-
-      if (!entryResult.success) {
-        result.success = false;
-      }
-    }
-
-    result.durationMs = Date.now() - startTime;
-
-    OrchestratorLogger.log(
-      `[ArtifactUpload] Upload complete: ${result.entries.filter((e) => e.success).length}/${
-        result.entries.length
-      } succeeded, ${result.totalBytes} bytes, ${result.durationMs}ms`,
-    );
-
-    return result;
-  }
-
-  /**
-   * Upload a single output entry.
-   */
-  private static async uploadEntry(
-    entry: OutputEntry,
-    config: ArtifactUploadConfig,
-    projectPath: string,
-  ): Promise<UploadEntryResult> {
-    const entryResult: UploadEntryResult = {
-      type: entry.type,
-      path: entry.path,
-      success: false,
-      bytes: entry.size || 0,
-    };
-
-    const resolvedPath = path.resolve(
-      projectPath,
-      entry.path.replace('{platform}', process.env.BUILD_TARGET || 'Unknown'),
-    );
-
-    if (!fs.existsSync(resolvedPath)) {
-      entryResult.error = `Output path does not exist: ${resolvedPath}`;
-      OrchestratorLogger.logWarning(`[ArtifactUpload] ${entryResult.error}`);
-
-      return entryResult;
-    }
-
-    try {
-      switch (config.target) {
-        case 'github-artifacts':
-          await ArtifactUploadHandler.uploadToGitHubArtifacts(entry, resolvedPath, config);
-          break;
-        case 'storage':
-          await ArtifactUploadHandler.uploadToStorage(entry, resolvedPath, config);
-          break;
-        case 'local':
-          await ArtifactUploadHandler.uploadToLocal(entry, resolvedPath, config);
-          break;
-      }
-      entryResult.success = true;
-      OrchestratorLogger.log(
-        `[ArtifactUpload] Uploaded '${entry.type}' (${entryResult.bytes} bytes) to ${config.target}`,
-      );
-    } catch (error: any) {
-      entryResult.error = error.message || String(error);
-      OrchestratorLogger.logWarning(`[ArtifactUpload] Failed to upload '${entry.type}': ${entryResult.error}`);
-    }
-
-    return entryResult;
-  }
-
-  /**
-   * Upload to GitHub Artifacts via @actions/artifact.
-   * Handles large file splitting if artifacts exceed the size limit.
-   */
-  private static async uploadToGitHubArtifacts(
-    entry: OutputEntry,
-    resolvedPath: string,
-    config: ArtifactUploadConfig,
-  ): Promise<void> {
-    // Dynamically require @actions/artifact — it may not be available in all environments.
-    // Using a variable to prevent TypeScript from resolving the module at compile time.
-    let artifact: any;
-    try {
-      const artifactModule = '@actions/artifact';
-      // eslint-disable-next-line @typescript-eslint/no-require-imports
-      artifact = require(artifactModule);
-    } catch {
-      throw new Error('@actions/artifact package is not available. Install it to use github-artifacts upload target.');
-    }
-
-    const artifactClient = artifact.DefaultArtifactClient
-      ? new artifact.DefaultArtifactClient()
-      : artifact.default
-      ? new artifact.default()
-      : artifact;
-
-    const files = ArtifactUploadHandler.collectFiles(resolvedPath);
-
-    if (files.length === 0) {
-      OrchestratorLogger.logWarning(`[ArtifactUpload] No files found at ${resolvedPath} for '${entry.type}'`);
-
-      return;
-    }
-
-    const totalSize = entry.size || 0;
-    const artifactName = `unity-output-${entry.type}`;
-
-    if (totalSize > GITHUB_ARTIFACT_SIZE_LIMIT) {
-      OrchestratorLogger.log(
-        `[ArtifactUpload] Output '${entry.type}' exceeds GitHub Artifacts size limit (${totalSize} > ${GITHUB_ARTIFACT_SIZE_LIMIT}), splitting into chunks`,
-      );
-      await ArtifactUploadHandler.uploadChunked(artifactClient, artifactName, files, resolvedPath, config);
-    } else {
-      const rootDirectory = fs.statSync(resolvedPath).isDirectory() ? resolvedPath : path.dirname(resolvedPath);
-
-      if (typeof artifactClient.uploadArtifact === 'function') {
-        await artifactClient.uploadArtifact(artifactName, files, rootDirectory, {
-          retentionDays: config.retentionDays,
-          compressionLevel: config.compression === 'none' ? 0 : 6,
-        });
-      } else {
-        throw new Error(
-          '@actions/artifact client does not have uploadArtifact method. Ensure the package version is compatible.',
-        );
-      }
-    }
-  }
-
-  /**
-   * Upload large artifacts in chunks to stay within GitHub size limits.
-   */
-  private static async uploadChunked(
-    artifactClient: any,
-    baseName: string,
-    files: string[],
-    rootDirectory: string,
-    config: ArtifactUploadConfig,
-  ): Promise<void> {
-    const chunkSize = GITHUB_ARTIFACT_SIZE_LIMIT;
-    let currentChunkFiles: string[] = [];
-    let currentChunkSize = 0;
-    let chunkIndex = 0;
-
-    for (const filePath of files) {
-      const fileSize = fs.statSync(filePath).size;
-
-      if (currentChunkSize + fileSize > chunkSize && currentChunkFiles.length > 0) {
-        await ArtifactUploadHandler.uploadSingleChunk(
-          artifactClient,
-          `${baseName}-part${chunkIndex}`,
-          currentChunkFiles,
-          rootDirectory,
-          config,
-        );
-        chunkIndex++;
-        currentChunkFiles = [];
-        currentChunkSize = 0;
-      }
-
-      currentChunkFiles.push(filePath);
-      currentChunkSize += fileSize;
-    }
-
-    if (currentChunkFiles.length > 0) {
-      await ArtifactUploadHandler.uploadSingleChunk(
-        artifactClient,
-        chunkIndex > 0 ? `${baseName}-part${chunkIndex}` : baseName,
-        currentChunkFiles,
-        rootDirectory,
-        config,
-      );
-    }
-  }
-
-  private static async uploadSingleChunk(
-    artifactClient: any,
-    name: string,
-    files: string[],
-    rootDirectory: string,
-    config: ArtifactUploadConfig,
-  ): Promise<void> {
-    OrchestratorLogger.log(`[ArtifactUpload] Uploading chunk '${name}' with ${files.length} file(s)`);
-
-    if (typeof artifactClient.uploadArtifact === 'function') {
-      await artifactClient.uploadArtifact(name, files, rootDirectory, {
-        retentionDays: config.retentionDays,
-        compressionLevel: config.compression === 'none' ? 0 : 6,
-      });
-    }
-  }
-
-  /**
-   * Upload to remote storage via rclone.
-   *
-   * Validates rclone availability and destination URI format before attempting
-   * the upload. If rclone is not installed, falls back to local copy when a
-   * local-compatible destination is provided, or skips with a clear error.
-   */
-  private static async uploadToStorage(
-    entry: OutputEntry,
-    resolvedPath: string,
-    config: ArtifactUploadConfig,
-  ): Promise<void> {
-    if (!config.destination) {
-      throw new Error('Storage upload requires a destination URI in artifactUploadPath');
-    }
-
-    // Validate storage URI format before attempting upload
-    if (!isValidStorageUri(config.destination)) {
-      throw new Error(
-        `Invalid storage destination URI: "${config.destination}". ` +
-          'Expected rclone remote format "remoteName:path" (e.g., "s3:my-bucket/artifacts", "gdrive:builds").',
-      );
-    }
-
-    // Check rclone availability before attempting upload
-    if (!isRcloneAvailable()) {
-      OrchestratorLogger.error(
-        'rclone is not installed or not in PATH. ' +
-          'Install rclone (https://rclone.org/install/) to use storage-based artifact upload. ' +
-          'Falling back to local copy.',
-      );
-
-      // Attempt local copy fallback using the destination as a hint
-      // Strip the remote prefix to get a local-ish path for fallback
-      OrchestratorLogger.logWarning(
-        `[ArtifactUpload] Storage upload skipped for '${entry.type}' — rclone not available`,
-      );
-      throw new Error(
-        'rclone is not installed or not in PATH. ' +
-          'Install rclone from https://rclone.org/install/ to use storage-based artifact upload.',
-      );
-    }
-
-    const destination = `${config.destination}/${entry.type}`;
-
-    OrchestratorLogger.log(`[ArtifactUpload] Uploading '${entry.type}' to storage: ${destination}`);
-
-    const args = ['copy', resolvedPath, destination, '--progress'];
-
-    if (config.compression !== 'none') {
-      // rclone doesn't have built-in compression flags for copy;
-      // compression is typically handled by the remote configuration.
-      // Log as informational.
-      OrchestratorLogger.log(
-        `[ArtifactUpload] Note: compression '${config.compression}' is configured at the remote level for rclone`,
-      );
-    }
-
-    await exec('rclone', args);
-  }
-
-  /**
-   * Upload to a local path (copy).
-   */
-  private static async uploadToLocal(
-    entry: OutputEntry,
-    resolvedPath: string,
-    config: ArtifactUploadConfig,
-  ): Promise<void> {
-    if (!config.destination) {
-      throw new Error('Local upload requires a destination path in artifactUploadPath');
-    }
-
-    const destination = path.join(config.destination, entry.type);
-    fs.mkdirSync(destination, { recursive: true });
-
-    OrchestratorLogger.log(`[ArtifactUpload] Copying '${entry.type}' to local path: ${destination}`);
-
-    ArtifactUploadHandler.copyRecursive(resolvedPath, destination);
-  }
-
-  /**
-   * Recursively copy files from source to destination.
-   */
-  private static copyRecursive(source: string, destination: string): void {
-    const stat = fs.statSync(source);
-
-    if (stat.isDirectory()) {
-      fs.mkdirSync(destination, { recursive: true });
-      const entries = fs.readdirSync(source);
-      for (const entry of entries) {
-        ArtifactUploadHandler.copyRecursive(path.join(source, entry), path.join(destination, entry));
-      }
-    } else {
-      fs.copyFileSync(source, destination);
-    }
-  }
-
-  /**
-   * Collect all files at a given path (recursively if directory).
-   */
-  static collectFiles(targetPath: string): string[] {
-    const stat = fs.statSync(targetPath);
-
-    if (!stat.isDirectory()) {
-      return [targetPath];
-    }
-
-    const files: string[] = [];
-    const entries = fs.readdirSync(targetPath, { withFileTypes: true });
-
-    for (const entry of entries) {
-      const fullPath = path.join(targetPath, entry.name);
-      if (entry.isDirectory()) {
-        files.push(...ArtifactUploadHandler.collectFiles(fullPath));
-      } else {
-        files.push(fullPath);
-      }
-    }
-
-    return files;
-  }
-
-  /**
-   * Parse an ArtifactUploadConfig from action inputs.
-   */
-  static parseConfig(
-    target: string,
-    destination: string | undefined,
-    compression: string,
-    retentionDays: string,
-  ): ArtifactUploadConfig {
-    const validTargets = ['github-artifacts', 'storage', 'local', 'none'] as const;
-    const resolvedTarget = validTargets.includes(target as any)
-      ? (target as ArtifactUploadConfig['target'])
-      : 'github-artifacts';
-
-    const validCompressions = ['none', 'gzip', 'lz4'] as const;
-    const resolvedCompression = validCompressions.includes(compression as any)
-      ? (compression as ArtifactUploadConfig['compression'])
-      : 'gzip';
-
-    const parsedRetention = Number.parseInt(retentionDays, 10);
-    const resolvedRetention = Number.isNaN(parsedRetention) || parsedRetention <= 0 ? 30 : parsedRetention;
-
-    return {
-      target: resolvedTarget,
-      destination: destination || undefined,
-      compression: resolvedCompression,
-      retentionDays: resolvedRetention,
-    };
-  }
-}

src/model/orchestrator/services/output/index.ts

@@ -1,3 +0,0 @@
-export { OutputManifest, OutputEntry } from './output-manifest';
-export { OutputTypeRegistry, OutputTypeDefinition } from './output-type-registry';
-export { OutputService } from './output-service';

src/model/orchestrator/services/output/output-manifest.ts

@@ -1,41 +0,0 @@
-/**
- * Structured build output manifest.
- * Describes all artifacts produced by a build with type, path, size, hash, and metadata.
- */
-
-export interface OutputEntry {
-  /** Output type identifier (e.g., 'build', 'test-results', 'images') */
-  type: string;
-
-  /** Relative path to the output */
-  path: string;
-
-  /** Output format (e.g., 'nunit3', 'junit', 'json') */
-  format?: string;
-
-  /** File size in bytes */
-  size?: number;
-
-  /** Content hash (e.g., 'sha256:abc...') */
-  hash?: string;
-
-  /** Individual files within the output path */
-  files?: string[];
-
-  /** Type-specific summary (e.g., test counts, build size) */
-  summary?: Record<string, unknown>;
-
-  /** Arbitrary metadata */
-  metadata?: Record<string, unknown>;
-}
-
-export interface OutputManifest {
-  /** Unique build identifier */
-  buildGuid: string;
-
-  /** ISO 8601 timestamp */
-  timestamp: string;
-
-  /** All outputs produced by this build */
-  outputs: OutputEntry[];
-}

src/model/orchestrator/services/output/output-service.ts

@@ -1,118 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import OrchestratorLogger from '../core/orchestrator-logger';
-import { OutputManifest, OutputEntry } from './output-manifest';
-import { OutputTypeRegistry } from './output-type-registry';
-
-/**
- * Service for collecting, manifesting, and managing build outputs.
- *
- * After a build completes, this service scans declared output paths,
- * generates a structured manifest, and prepares outputs for post-processing.
- */
-export class OutputService {
-  /**
-   * Collect outputs from the workspace and generate a manifest.
-   *
-   * @param projectPath - Path to the Unity project root
-   * @param buildGuid - Unique build identifier
-   * @param outputTypesInput - Comma-separated output type names
-   * @param manifestPath - Where to write the manifest JSON (optional)
-   * @returns The generated output manifest
-   */
-  static async collectOutputs(
-    projectPath: string,
-    buildGuid: string,
-    outputTypesInput: string,
-    manifestPath?: string,
-  ): Promise<OutputManifest> {
-    const types = OutputTypeRegistry.parseOutputTypes(outputTypesInput);
-    const manifest: OutputManifest = {
-      buildGuid,
-      timestamp: new Date().toISOString(),
-      outputs: [],
-    };
-
-    if (types.length === 0) {
-      OrchestratorLogger.log('[Output] No output types declared, skipping collection');
-
-      return manifest;
-    }
-
-    OrchestratorLogger.log(
-      `[Output] Collecting ${types.length} output type(s): ${types.map((t) => t.name).join(', ')}`,
-    );
-
-    for (const typeDef of types) {
-      const outputPath = path.join(
-        projectPath,
-        typeDef.defaultPath.replace('{platform}', process.env.BUILD_TARGET || 'Unknown'),
-      );
-
-      if (!fs.existsSync(outputPath)) {
-        OrchestratorLogger.log(`[Output] No output found for '${typeDef.name}' at ${outputPath}`);
-        continue;
-      }
-
-      const entry: OutputEntry = {
-        type: typeDef.name,
-        path: typeDef.defaultPath,
-      };
-
-      // Collect file listing for directory outputs
-      try {
-        const stat = fs.statSync(outputPath);
-        if (stat.isDirectory()) {
-          entry.files = fs.readdirSync(outputPath);
-          entry.size = OutputService.getDirectorySize(outputPath);
-        } else {
-          entry.size = stat.size;
-        }
-      } catch {
-        OrchestratorLogger.logWarning(`[Output] Failed to stat output '${typeDef.name}' at ${outputPath}`);
-      }
-
-      manifest.outputs.push(entry);
-      OrchestratorLogger.log(
-        `[Output] Collected '${typeDef.name}': ${entry.files?.length || 1} file(s), ${entry.size || 0} bytes`,
-      );
-    }
-
-    // Write manifest to disk
-    if (manifestPath) {
-      try {
-        const manifestDir = path.dirname(manifestPath);
-        fs.mkdirSync(manifestDir, { recursive: true });
-        fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2), 'utf8');
-        OrchestratorLogger.log(`[Output] Manifest written to ${manifestPath}`);
-      } catch (error: any) {
-        OrchestratorLogger.logWarning(`[Output] Failed to write manifest: ${error.message}`);
-      }
-    }
-
-    return manifest;
-  }
-
-  /**
-   * Calculate total size of a directory recursively.
-   */
-  private static getDirectorySize(dirPath: string): number {
-    let totalSize = 0;
-
-    try {
-      const entries = fs.readdirSync(dirPath, { withFileTypes: true });
-      for (const entry of entries) {
-        const fullPath = path.join(dirPath, entry.name);
-        if (entry.isDirectory()) {
-          totalSize += OutputService.getDirectorySize(fullPath);
-        } else {
-          totalSize += fs.statSync(fullPath).size;
-        }
-      }
-    } catch {
-      // Ignore errors in size calculation
-    }
-
-    return totalSize;
-  }
-}

src/model/orchestrator/services/output/output-type-registry.ts

@@ -1,136 +0,0 @@
-import OrchestratorLogger from '../core/orchestrator-logger';
-
-/**
- * Registry of known output types with default paths and processing hints.
- */
-
-export interface OutputTypeDefinition {
-  /** Type identifier */
-  name: string;
-
-  /** Default output path (relative to project root) */
-  defaultPath: string;
-
-  /** Human-readable description */
-  description: string;
-
-  /** Whether this type is built-in or user-registered */
-  builtIn: boolean;
-}
-
-export class OutputTypeRegistry {
-  private static readonly builtInTypes: Record<string, OutputTypeDefinition> = {
-    build: {
-      name: 'build',
-      defaultPath: './Builds/{platform}/',
-      description: 'Standard game build artifact',
-      builtIn: true,
-    },
-    'test-results': {
-      name: 'test-results',
-      defaultPath: './TestResults/',
-      description: 'NUnit/JUnit XML test results',
-      builtIn: true,
-    },
-    'server-build': {
-      name: 'server-build',
-      defaultPath: './Builds/{platform}-server/',
-      description: 'Dedicated server build artifact',
-      builtIn: true,
-    },
-    'data-export': {
-      name: 'data-export',
-      defaultPath: './Exports/',
-      description: 'Exported data files (CSV, JSON, binary)',
-      builtIn: true,
-    },
-    images: {
-      name: 'images',
-      defaultPath: './Captures/',
-      description: 'Screenshots, render captures, atlas previews',
-      builtIn: true,
-    },
-    logs: {
-      name: 'logs',
-      defaultPath: './Logs/',
-      description: 'Structured build and test logs',
-      builtIn: true,
-    },
-    metrics: {
-      name: 'metrics',
-      defaultPath: './Metrics/',
-      description: 'Build performance metrics and asset statistics',
-      builtIn: true,
-    },
-    coverage: {
-      name: 'coverage',
-      defaultPath: './Coverage/',
-      description: 'Code coverage reports',
-      builtIn: true,
-    },
-  };
-
-  private static customTypes: Record<string, OutputTypeDefinition> = {};
-
-  /**
-   * Get a type definition by name. Checks custom types first, then built-in.
-   */
-  static getType(name: string): OutputTypeDefinition | undefined {
-    return OutputTypeRegistry.customTypes[name] || OutputTypeRegistry.builtInTypes[name];
-  }
-
-  /**
-   * Get all registered types (built-in + custom).
-   */
-  static getAllTypes(): OutputTypeDefinition[] {
-    return [...Object.values(OutputTypeRegistry.builtInTypes), ...Object.values(OutputTypeRegistry.customTypes)];
-  }
-
-  /**
-   * Register a custom output type.
-   */
-  static registerType(definition: OutputTypeDefinition): void {
-    if (OutputTypeRegistry.builtInTypes[definition.name]) {
-      OrchestratorLogger.logWarning(`[OutputTypes] Cannot override built-in type '${definition.name}'`);
-
-      return;
-    }
-
-    OutputTypeRegistry.customTypes[definition.name] = { ...definition, builtIn: false };
-    OrchestratorLogger.log(`[OutputTypes] Registered custom type '${definition.name}'`);
-  }
-
-  /**
-   * Parse a comma-separated output types string into type definitions.
-   * Unknown types are logged as warnings and skipped.
-   */
-  static parseOutputTypes(outputTypesInput: string): OutputTypeDefinition[] {
-    if (!outputTypesInput) {
-      return [];
-    }
-
-    const names = outputTypesInput
-      .split(',')
-      .map((s) => s.trim())
-      .filter(Boolean);
-    const types: OutputTypeDefinition[] = [];
-
-    for (const name of names) {
-      const typeDef = OutputTypeRegistry.getType(name);
-      if (typeDef) {
-        types.push(typeDef);
-      } else {
-        OrchestratorLogger.logWarning(`[OutputTypes] Unknown output type '${name}', skipping`);
-      }
-    }
-
-    return types;
-  }
-
-  /**
-   * Reset custom types (for testing).
-   */
-  static resetCustomTypes(): void {
-    OutputTypeRegistry.customTypes = {};
-  }
-}

src/model/orchestrator/services/secrets/secret-source-service.test.ts

@@ -0,0 +1,446 @@
+import fs from 'node:fs';
+import * as core from '@actions/core';
+import { SecretSourceService, validateSecretKey } from './secret-source-service';
+
+jest.mock('node:fs');
+jest.mock('@actions/core', () => ({
+  setSecret: jest.fn(),
+  info: jest.fn(),
+  warning: jest.fn(),
+  error: jest.fn(),
+}));
+jest.mock('../core/orchestrator-system', () => ({
+  OrchestratorSystem: {
+    Run: jest.fn().mockResolvedValue(''),
+  },
+}));
+jest.mock('../core/orchestrator-logger', () => ({
+  __esModule: true,
+  default: {
+    log: jest.fn(),
+    logWarning: jest.fn(),
+    error: jest.fn(),
+  },
+}));
+
+const mockFs = fs as jest.Mocked<typeof fs>;
+
+describe('SecretSourceService', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('validateSecretKey', () => {
+    it('should accept alphanumeric keys', () => {
+      expect(validateSecretKey('MY_SECRET_KEY')).toBe('MY_SECRET_KEY');
+    });
+
+    it('should accept keys with hyphens', () => {
+      expect(validateSecretKey('my-secret-key')).toBe('my-secret-key');
+    });
+
+    it('should accept keys with dots', () => {
+      expect(validateSecretKey('my.secret.key')).toBe('my.secret.key');
+    });
+
+    it('should accept keys with forward slashes', () => {
+      expect(validateSecretKey('path/to/secret')).toBe('path/to/secret');
+    });
+
+    it('should accept keys with mixed valid characters', () => {
+      expect(validateSecretKey('my-app/prod_db.password')).toBe('my-app/prod_db.password');
+    });
+
+    it('should reject keys with semicolons (shell injection)', () => {
+      expect(() => validateSecretKey('; rm -rf /')).toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with backticks (command substitution)', () => {
+      expect(() => validateSecretKey('`whoami`')).toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with dollar signs (variable expansion)', () => {
+      expect(() => validateSecretKey('$HOME')).toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with pipe characters', () => {
+      expect(() => validateSecretKey('key | cat /etc/passwd')).toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with ampersands', () => {
+      expect(() => validateSecretKey('key && echo pwned')).toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with newlines', () => {
+      expect(() => validateSecretKey('key\nmalicious')).toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with quotes', () => {
+      expect(() => validateSecretKey('"key"')).toThrow('Invalid secret key name');
+      expect(() => validateSecretKey("'key'")).toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with parentheses (subshell)', () => {
+      expect(() => validateSecretKey('$(whoami)')).toThrow('Invalid secret key name');
+    });
+
+    it('should reject empty keys', () => {
+      expect(() => validateSecretKey('')).toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with spaces', () => {
+      expect(() => validateSecretKey('key with spaces')).toThrow('Invalid secret key name');
+    });
+  });
+
+  describe('isPremadeSource', () => {
+    it('should return true for aws-secrets-manager', () => {
+      expect(SecretSourceService.isPremadeSource('aws-secrets-manager')).toBe(true);
+    });
+
+    it('should return true for aws-secret-manager (legacy alias)', () => {
+      expect(SecretSourceService.isPremadeSource('aws-secret-manager')).toBe(true);
+    });
+
+    it('should return true for aws-parameter-store', () => {
+      expect(SecretSourceService.isPremadeSource('aws-parameter-store')).toBe(true);
+    });
+
+    it('should return true for gcp-secret-manager', () => {
+      expect(SecretSourceService.isPremadeSource('gcp-secret-manager')).toBe(true);
+    });
+
+    it('should return true for azure-key-vault', () => {
+      expect(SecretSourceService.isPremadeSource('azure-key-vault')).toBe(true);
+    });
+
+    it('should return true for hashicorp-vault', () => {
+      expect(SecretSourceService.isPremadeSource('hashicorp-vault')).toBe(true);
+    });
+
+    it('should return true for hashicorp-vault-kv1', () => {
+      expect(SecretSourceService.isPremadeSource('hashicorp-vault-kv1')).toBe(true);
+    });
+
+    it('should return true for vault (short alias)', () => {
+      expect(SecretSourceService.isPremadeSource('vault')).toBe(true);
+    });
+
+    it('should return false for unknown source', () => {
+      expect(SecretSourceService.isPremadeSource('unknown-source')).toBe(false);
+    });
+  });
+
+  describe('getAvailableSources', () => {
+    it('should return all premade source names', () => {
+      const sources = SecretSourceService.getAvailableSources();
+      expect(sources).toContain('aws-secrets-manager');
+      expect(sources).toContain('aws-parameter-store');
+      expect(sources).toContain('gcp-secret-manager');
+      expect(sources).toContain('azure-key-vault');
+      expect(sources).toContain('hashicorp-vault');
+      expect(sources).toContain('hashicorp-vault-kv1');
+      expect(sources).toContain('vault');
+      expect(sources.length).toBeGreaterThanOrEqual(8);
+    });
+  });
+
+  describe('resolveSource', () => {
+    it('should resolve premade source by name', () => {
+      const source = SecretSourceService.resolveSource('aws-secrets-manager');
+      expect(source).toBeDefined();
+      expect(source!.name).toBe('aws-secrets-manager');
+      expect(source!.command).toContain('secretsmanager');
+    });
+
+    it('should resolve custom command with {0} placeholder', () => {
+      const source = SecretSourceService.resolveSource('vault kv get -field=value secret/{0}');
+      expect(source).toBeDefined();
+      expect(source!.name).toBe('custom-command');
+      expect(source!.command).toContain('{0}');
+    });
+
+    it('should resolve command with spaces as custom command', () => {
+      const source = SecretSourceService.resolveSource('my-tool get-secret');
+      expect(source).toBeDefined();
+      expect(source!.name).toBe('custom-command');
+    });
+
+    it('should return undefined for unknown single-word source', () => {
+      const source = SecretSourceService.resolveSource('unknown');
+      expect(source).toBeUndefined();
+    });
+  });
+
+  describe('fetchSecret', () => {
+    it('should run the command with {0} replaced by key', async () => {
+      const { OrchestratorSystem } = require('../core/orchestrator-system');
+      OrchestratorSystem.Run.mockResolvedValue('my-secret-value');
+
+      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
+      const result = await SecretSourceService.fetchSecret(source, 'MY_SECRET');
+
+      expect(result).toBe('my-secret-value');
+      expect(OrchestratorSystem.Run).toHaveBeenCalledWith(expect.stringContaining('MY_SECRET'), false, true);
+    });
+
+    it('should parse JSON output when parseOutput is json-field', async () => {
+      const { OrchestratorSystem } = require('../core/orchestrator-system');
+      OrchestratorSystem.Run.mockResolvedValue(JSON.stringify({ value: 'extracted-secret' }));
+
+      const source = {
+        name: 'test-source',
+        command: 'fetch {0}',
+        parseOutput: 'json-field' as const,
+        jsonField: 'value',
+      };
+      const result = await SecretSourceService.fetchSecret(source, 'KEY');
+
+      expect(result).toBe('extracted-secret');
+    });
+
+    it('should fall back to raw output on invalid JSON with json-field mode', async () => {
+      const { OrchestratorSystem } = require('../core/orchestrator-system');
+      OrchestratorSystem.Run.mockResolvedValue('not-json');
+
+      const source = {
+        name: 'test-source',
+        command: 'fetch {0}',
+        parseOutput: 'json-field' as const,
+        jsonField: 'value',
+      };
+      const result = await SecretSourceService.fetchSecret(source, 'KEY');
+
+      expect(result).toBe('not-json');
+    });
+
+    it('should return empty string on command failure', async () => {
+      const { OrchestratorSystem } = require('../core/orchestrator-system');
+      OrchestratorSystem.Run.mockRejectedValue(new Error('command not found'));
+
+      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
+      const result = await SecretSourceService.fetchSecret(source, 'KEY');
+
+      expect(result).toBe('');
+    });
+
+    it('should reject keys with shell injection characters', async () => {
+      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
+
+      await expect(SecretSourceService.fetchSecret(source, '; rm -rf /')).rejects.toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with command substitution', async () => {
+      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
+
+      await expect(SecretSourceService.fetchSecret(source, '$(whoami)')).rejects.toThrow('Invalid secret key name');
+    });
+
+    it('should reject keys with backtick command substitution', async () => {
+      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
+
+      await expect(SecretSourceService.fetchSecret(source, '`cat /etc/passwd`')).rejects.toThrow(
+        'Invalid secret key name',
+      );
+    });
+
+    it('should accept keys with valid path-like patterns', async () => {
+      const { OrchestratorSystem } = require('../core/orchestrator-system');
+      OrchestratorSystem.Run.mockResolvedValue('secret-value');
+
+      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
+      const result = await SecretSourceService.fetchSecret(source, 'prod/database/password');
+
+      expect(result).toBe('secret-value');
+    });
+
+    it('should mask fetched secret values with core.setSecret', async () => {
+      const { OrchestratorSystem } = require('../core/orchestrator-system');
+      OrchestratorSystem.Run.mockResolvedValue('super-secret-value');
+
+      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
+      await SecretSourceService.fetchSecret(source, 'MY_SECRET');
+
+      expect(core.setSecret).toHaveBeenCalledWith('super-secret-value');
+    });
+
+    it('should not mask empty secret values', async () => {
+      const { OrchestratorSystem } = require('../core/orchestrator-system');
+      OrchestratorSystem.Run.mockResolvedValue('');
+
+      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
+      await SecretSourceService.fetchSecret(source, 'MY_SECRET');
+
+      expect(core.setSecret).not.toHaveBeenCalled();
+    });
+
+    it('should mask JSON-extracted secret values', async () => {
+      const { OrchestratorSystem } = require('../core/orchestrator-system');
+      OrchestratorSystem.Run.mockResolvedValue(JSON.stringify({ value: 'json-secret' }));
+
+      const source = {
+        name: 'test-source',
+        command: 'fetch {0}',
+        parseOutput: 'json-field' as const,
+        jsonField: 'value',
+      };
+      await SecretSourceService.fetchSecret(source, 'KEY');
+
+      expect(core.setSecret).toHaveBeenCalledWith('json-secret');
+    });
+  });
+
+  describe('fetchFromEnv', () => {
+    it('should return env var value when set', () => {
+      process.env.TEST_SECRET_KEY = 'env-value';
+      const result = SecretSourceService.fetchFromEnv('TEST_SECRET_KEY');
+      expect(result).toBe('env-value');
+      delete process.env.TEST_SECRET_KEY;
+    });
+
+    it('should return empty string when env var is not set', () => {
+      const result = SecretSourceService.fetchFromEnv('NONEXISTENT_KEY_12345');
+      expect(result).toBe('');
+    });
+
+    it('should mask env var values with core.setSecret', () => {
+      process.env.TEST_MASK_KEY = 'masked-env-value';
+      SecretSourceService.fetchFromEnv('TEST_MASK_KEY');
+      expect(core.setSecret).toHaveBeenCalledWith('masked-env-value');
+      delete process.env.TEST_MASK_KEY;
+    });
+
+    it('should not mask empty env var values', () => {
+      const result = SecretSourceService.fetchFromEnv('NONEXISTENT_KEY_99999');
+      expect(result).toBe('');
+      expect(core.setSecret).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('fetchAll', () => {
+    it('should fetch all keys from env source', async () => {
+      process.env.KEY_A = 'val-a';
+      process.env.KEY_B = 'val-b';
+
+      const results = await SecretSourceService.fetchAll('env', ['KEY_A', 'KEY_B']);
+
+      expect(results.KEY_A).toBe('val-a');
+      expect(results.KEY_B).toBe('val-b');
+
+      delete process.env.KEY_A;
+      delete process.env.KEY_B;
+    });
+
+    it('should fetch all keys from premade source', async () => {
+      const { OrchestratorSystem } = require('../core/orchestrator-system');
+      OrchestratorSystem.Run.mockResolvedValueOnce('secret-1').mockResolvedValueOnce('secret-2');
+
+      const results = await SecretSourceService.fetchAll('aws-parameter-store', ['param1', 'param2']);
+
+      expect(results.param1).toBe('secret-1');
+      expect(results.param2).toBe('secret-2');
+      expect(OrchestratorSystem.Run).toHaveBeenCalledTimes(2);
+    });
+
+    it('should return empty results for unknown source', async () => {
+      const results = await SecretSourceService.fetchAll('unknown', ['key1']);
+      expect(results).toEqual({});
+    });
+  });
+
+  describe('loadFromYaml', () => {
+    it('should return empty array when file does not exist', () => {
+      (mockFs.existsSync as jest.Mock).mockReturnValue(false);
+      const result = SecretSourceService.loadFromYaml('/nonexistent.yml');
+      expect(result).toEqual([]);
+    });
+
+    it('should parse valid YAML source definitions', () => {
+      (mockFs.existsSync as jest.Mock).mockReturnValue(true);
+      (mockFs.readFileSync as jest.Mock).mockReturnValue(`
+sources:
+  - name: my-vault
+    command: 'vault kv get -field=value secret/{0}'
+  - name: my-api
+    command: 'curl -s https://api.example.com/{0}'
+    parseOutput: json-field
+    jsonField: secret_value
+`);
+
+      const result = SecretSourceService.loadFromYaml('/sources.yml');
+
+      expect(result).toHaveLength(2);
+      expect(result[0].name).toBe('my-vault');
+      expect(result[0].command).toBe('vault kv get -field=value secret/{0}');
+      expect(result[1].name).toBe('my-api');
+      expect(result[1].parseOutput).toBe('json-field');
+      expect(result[1].jsonField).toBe('secret_value');
+    });
+
+    it('should handle YAML with single source', () => {
+      (mockFs.existsSync as jest.Mock).mockReturnValue(true);
+      (mockFs.readFileSync as jest.Mock).mockReturnValue(`
+sources:
+  - name: simple
+    command: echo {0}
+`);
+
+      const result = SecretSourceService.loadFromYaml('/simple.yml');
+      expect(result).toHaveLength(1);
+      expect(result[0].name).toBe('simple');
+    });
+
+    it('should return empty array on parse error', () => {
+      (mockFs.existsSync as jest.Mock).mockReturnValue(true);
+      (mockFs.readFileSync as jest.Mock).mockImplementation(() => {
+        throw new Error('Permission denied');
+      });
+
+      const result = SecretSourceService.loadFromYaml('/error.yml');
+      expect(result).toEqual([]);
+    });
+  });
+
+  describe('premade source commands', () => {
+    it('aws-secrets-manager uses --query SecretString', () => {
+      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
+      expect(source.command).toContain('--query SecretString');
+      expect(source.command).toContain('--output text');
+    });
+
+    it('aws-parameter-store uses --with-decryption', () => {
+      const source = SecretSourceService.resolveSource('aws-parameter-store')!;
+      expect(source.command).toContain('--with-decryption');
+      expect(source.command).toContain('--query Parameter.Value');
+    });
+
+    it('gcp-secret-manager uses latest version', () => {
+      const source = SecretSourceService.resolveSource('gcp-secret-manager')!;
+      expect(source.command).toContain('latest');
+    });
+
+    it('azure-key-vault uses AZURE_VAULT_NAME env var', () => {
+      const source = SecretSourceService.resolveSource('azure-key-vault')!;
+      expect(source.command).toContain('$AZURE_VAULT_NAME');
+    });
+
+    it('hashicorp-vault uses vault kv get with VAULT_MOUNT', () => {
+      const source = SecretSourceService.resolveSource('hashicorp-vault')!;
+      expect(source.command).toContain('vault kv get');
+      expect(source.command).toContain('VAULT_MOUNT');
+      expect(source.command).toContain('-field=value');
+    });
+
+    it('hashicorp-vault-kv1 uses vault read for KV v1', () => {
+      const source = SecretSourceService.resolveSource('hashicorp-vault-kv1')!;
+      expect(source.command).toContain('vault read');
+      expect(source.command).toContain('-field=value');
+    });
+
+    it('vault alias resolves to same command as hashicorp-vault', () => {
+      const vault = SecretSourceService.resolveSource('vault')!;
+      const hashicorpVault = SecretSourceService.resolveSource('hashicorp-vault')!;
+      expect(vault.command).toBe(hashicorpVault.command);
+    });
+  });
+});

src/model/orchestrator/services/secrets/secret-source-service.ts

@@ -0,0 +1,337 @@
+import fs from 'node:fs';
+import * as core from '@actions/core';
+import OrchestratorLogger from '../core/orchestrator-logger';
+import { OrchestratorSystem } from '../core/orchestrator-system';
+
+/**
+ * A secret source definition: how to fetch a secret value by key.
+ */
+export interface SecretSourceDefinition {
+  name: string;
+  command: string;
+  parseOutput?: 'raw' | 'json-field';
+  jsonField?: string;
+}
+
+/**
+ * Validate that a secret key name contains only safe characters.
+ * Prevents shell injection when keys are interpolated into commands.
+ *
+ * Allowed characters: alphanumeric, hyphens, underscores, dots, forward slashes.
+ *
+ * @param key - The secret key name to validate
+ * @returns The validated key (unchanged)
+ * @throws Error if the key contains disallowed characters
+ */
+export function validateSecretKey(key: string): string {
+  if (!/^[a-zA-Z0-9\-_./]+$/.test(key)) {
+    throw new Error(
+      `Invalid secret key name: "${key}". Keys may only contain alphanumeric characters, hyphens, underscores, dots, and forward slashes.`,
+    );
+  }
+
+  return key;
+}
+
+/**
+ * Mask a secret value so it does not appear in GitHub Actions logs.
+ * Empty or whitespace-only values are skipped (core.setSecret would be a no-op).
+ */
+function maskSecretValue(value: string): void {
+  if (value.trim().length > 0) {
+    core.setSecret(value);
+  }
+}
+
+/**
+ * Premade secret sources and custom YAML-based secret source definitions.
+ *
+ * Premade sources are string shortcuts that expand to shell commands:
+ *   - `aws-secrets-manager` -- AWS Secrets Manager
+ *   - `aws-parameter-store` -- AWS Systems Manager Parameter Store
+ *   - `gcp-secret-manager` -- Google Cloud Secret Manager
+ *   - `azure-key-vault` -- Azure Key Vault (requires AZURE_VAULT_NAME env var)
+ *   - `hashicorp-vault` -- HashiCorp Vault KV v2 (requires VAULT_ADDR, optionally VAULT_MOUNT)
+ *   - `hashicorp-vault-kv1` -- HashiCorp Vault KV v1 (requires VAULT_ADDR, optionally VAULT_MOUNT)
+ *   - `env` -- Read from environment variables (no shell command needed)
+ *
+ * Custom YAML format:
+ *   sources:
+ *     - name: my-vault
+ *       command: 'vault kv get -field=value secret/{0}'
+ *     - name: my-api
+ *       command: 'curl -s https://secrets.example.com/api/{0}'
+ *       parseOutput: json-field
+ *       jsonField: value
+ */
+export class SecretSourceService {
+  private static readonly premadeSources: Record<string, SecretSourceDefinition> = {
+    'aws-secrets-manager': {
+      name: 'aws-secrets-manager',
+      command: 'aws secretsmanager get-secret-value --secret-id {0} --query SecretString --output text',
+      parseOutput: 'raw',
+    },
+    'aws-secret-manager': {
+      // Alias for backward compatibility (original name in inputPullCommand)
+      name: 'aws-secret-manager',
+      command: 'aws secretsmanager get-secret-value --secret-id {0} --query SecretString --output text',
+      parseOutput: 'raw',
+    },
+    'aws-parameter-store': {
+      name: 'aws-parameter-store',
+      command: 'aws ssm get-parameter --name {0} --with-decryption --query Parameter.Value --output text',
+      parseOutput: 'raw',
+    },
+    'gcp-secret-manager': {
+      name: 'gcp-secret-manager',
+      command: 'gcloud secrets versions access latest --secret="{0}"',
+      parseOutput: 'raw',
+    },
+    'azure-key-vault': {
+      name: 'azure-key-vault',
+      command: 'az keyvault secret show --vault-name "$AZURE_VAULT_NAME" --name {0} --query value --output tsv',
+      parseOutput: 'raw',
+    },
+    'hashicorp-vault': {
+      // HashiCorp Vault KV v2 (default). Requires VAULT_ADDR env var.
+      // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
+      // Authentication is handled by VAULT_TOKEN or other Vault auth env vars.
+      name: 'hashicorp-vault',
+      command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
+      parseOutput: 'raw',
+    },
+    'hashicorp-vault-kv1': {
+      // HashiCorp Vault KV v1. Requires VAULT_ADDR env var.
+      // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
+      name: 'hashicorp-vault-kv1',
+      command: 'vault read -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
+      parseOutput: 'raw',
+    },
+    vault: {
+      // Short alias for hashicorp-vault (KV v2)
+      name: 'vault',
+      command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
+      parseOutput: 'raw',
+    },
+  };
+
+  /**
+   * Check if a source name is a known premade source.
+   */
+  static isPremadeSource(sourceName: string): boolean {
+    return sourceName in SecretSourceService.premadeSources;
+  }
+
+  /**
+   * Get the list of available premade source names.
+   */
+  static getAvailableSources(): string[] {
+    return Object.keys(SecretSourceService.premadeSources);
+  }
+
+  /**
+   * Resolve a source name to a SecretSourceDefinition.
+   *
+   * - If the name matches a premade source, returns that definition.
+   * - If it looks like a shell command (contains spaces or {0}), wraps it as a custom command.
+   * - Otherwise, returns undefined.
+   */
+  static resolveSource(sourceName: string): SecretSourceDefinition | undefined {
+    // Check premade sources
+    if (SecretSourceService.isPremadeSource(sourceName)) {
+      return SecretSourceService.premadeSources[sourceName];
+    }
+
+    // If it contains a placeholder or spaces, treat it as a raw command
+    if (sourceName.includes('{0}') || sourceName.includes(' ')) {
+      return {
+        name: 'custom-command',
+        command: sourceName,
+        parseOutput: 'raw',
+      };
+    }
+
+    return undefined;
+  }
+
+  /**
+   * Load custom secret source definitions from a YAML file.
+   *
+   * Expected format:
+   *   sources:
+   *     - name: my-source
+   *       command: 'my-tool get-secret {0}'
+   *     - name: my-api
+   *       command: 'curl -s https://api.example.com/secrets/{0}'
+   *       parseOutput: json-field
+   *       jsonField: value
+   */
+  static loadFromYaml(filePath: string): SecretSourceDefinition[] {
+    if (!fs.existsSync(filePath)) {
+      OrchestratorLogger.logWarning(`Secret source YAML not found: ${filePath}`);
+
+      return [];
+    }
+
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const parsed = SecretSourceService.parseSimpleYaml(content);
+
+      return parsed;
+    } catch (error: any) {
+      OrchestratorLogger.logWarning(`Failed to parse secret source YAML: ${error.message}`);
+
+      return [];
+    }
+  }
+
+  /**
+   * Fetch a secret value using the given source definition.
+   *
+   * Validates the key against an allowlist pattern before interpolating it
+   * into the command string to prevent shell injection. The fetched secret
+   * value is masked via core.setSecret() so it does not leak in logs.
+   *
+   * @param source - The secret source definition to use
+   * @param key - The secret key to fetch
+   * @returns The secret value, or empty string on failure
+   */
+  static async fetchSecret(source: SecretSourceDefinition, key: string): Promise<string> {
+    // Validate the key to prevent shell injection
+    validateSecretKey(key);
+
+    const command = source.command.replace(/\{0\}/g, key);
+
+    try {
+      const output = await OrchestratorSystem.Run(command, false, true);
+
+      let value: string;
+
+      if (source.parseOutput === 'json-field' && source.jsonField) {
+        try {
+          const parsed = JSON.parse(output);
+          value = parsed[source.jsonField] || '';
+        } catch {
+          OrchestratorLogger.logWarning(`Failed to parse JSON output from ${source.name} for key ${key}`);
+          value = output.trim();
+        }
+      } else {
+        value = output.trim();
+      }
+
+      // Mask the secret value so it does not appear in GitHub Actions logs
+      maskSecretValue(value);
+
+      return value;
+    } catch (error: any) {
+      OrchestratorLogger.logWarning(`Failed to fetch secret '${key}' from ${source.name}: ${error.message}`);
+
+      return '';
+    }
+  }
+
+  /**
+   * Fetch a secret from an environment variable. No shell command needed.
+   * The value is masked via core.setSecret() so it does not leak in logs.
+   */
+  static fetchFromEnv(key: string): string {
+    const value = process.env[key] || '';
+    maskSecretValue(value);
+
+    return value;
+  }
+
+  /**
+   * Resolve a source name and fetch all secrets from it.
+   *
+   * @param sourceName - Premade source name, shell command, or 'env'
+   * @param keys - List of secret keys to fetch
+   * @returns Map of key -> value
+   */
+  static async fetchAll(sourceName: string, keys: string[]): Promise<Record<string, string>> {
+    const results: Record<string, string> = {};
+
+    if (sourceName === 'env') {
+      for (const key of keys) {
+        results[key] = SecretSourceService.fetchFromEnv(key);
+      }
+
+      return results;
+    }
+
+    const source = SecretSourceService.resolveSource(sourceName);
+    if (!source) {
+      OrchestratorLogger.logWarning(
+        `Unknown secret source '${sourceName}'. Available sources: ${SecretSourceService.getAvailableSources().join(
+          ', ',
+        )}`,
+      );
+
+      return results;
+    }
+
+    OrchestratorLogger.log(`Fetching ${keys.length} secret(s) from ${source.name}`);
+
+    for (const key of keys) {
+      results[key] = await SecretSourceService.fetchSecret(source, key);
+    }
+
+    return results;
+  }
+
+  /**
+   * Simple YAML parser for secret source definitions.
+   * Handles the specific structure we expect without requiring a YAML library.
+   */
+  private static parseSimpleYaml(content: string): SecretSourceDefinition[] {
+    const definitions: SecretSourceDefinition[] = [];
+    const lines = content.split('\n');
+    let current: Partial<SecretSourceDefinition> | null = null;
+
+    for (const rawLine of lines) {
+      const line = rawLine.replace(/\r$/, '');
+      const trimmed = line.trim();
+
+      if (trimmed === '' || trimmed.startsWith('#')) continue;
+
+      if (trimmed === '- name:' || trimmed.startsWith('- name:')) {
+        if (current?.name && current?.command) {
+          definitions.push(current as SecretSourceDefinition);
+        }
+
+        current = {
+          name: trimmed
+            .replace('- name:', '')
+            .trim()
+            .replace(/^['"]|['"]$/g, ''),
+          parseOutput: 'raw',
+        };
+        continue;
+      }
+
+      if (current && trimmed.startsWith('command:')) {
+        current.command = trimmed
+          .replace('command:', '')
+          .trim()
+          .replace(/^['"]|['"]$/g, '');
+      } else if (current && trimmed.startsWith('parseOutput:')) {
+        const value = trimmed
+          .replace('parseOutput:', '')
+          .trim()
+          .replace(/^['"]|['"]$/g, '');
+        current.parseOutput = value as 'raw' | 'json-field';
+      } else if (current && trimmed.startsWith('jsonField:')) {
+        current.jsonField = trimmed
+          .replace('jsonField:', '')
+          .trim()
+          .replace(/^['"]|['"]$/g, '');
+      }
+    }
+
+    if (current?.name && current?.command) {
+      definitions.push(current as SecretSourceDefinition);
+    }
+
+    return definitions;
+  }
+}