Add json-secret-keys parameter for selective JSON key extraction

[jnewton03]

Summary

This PR adds a new optional json-secret-keys parameter that allows users to specify which keys from JSON secrets should be extracted as environment variables. This solves the over-masking problem where ALL values in JSON secrets get marked as secrets, making debugging nearly impossible.

Problem Description

When using parse-json-secrets: true, all JSON values are marked as secrets via core.setSecret(), causing over-masking where innocent values like usernames, hostnames, and API endpoints get redacted throughout GitHub Action logs.

Example: A JSON secret containing {"DOCKER_USERNAME": "liquibase", "DOCKER_PASSWORD": "secret123"} would mask the word "liquibase" everywhere in logs, making debugging very difficult.

Solution

The new json-secret-keys parameter allows selective extraction:

- name: Get secrets with selective key extraction
  uses: aws-actions/aws-secretsmanager-get-secrets@v2
  with:
    secret-ids: database/credentials
    parse-json-secrets: true
    json-secret-keys: |
      password
      api_key

This would only extract and mask the password and api_key values, leaving other non-sensitive values like username and host unmasked.

Key Features

• Backward Compatible: If json-secret-keys is not provided, all keys are extracted (existing behavior)
• Flexible: Supports both simple and nested JSON structures
• Cost-Effective: Maintains the cost benefit of storing multiple secrets in one JSON object
• Selective Masking: Only specified values are marked as secrets, reducing over-masking

Changes Made

• Added json-secret-keys input parameter to action.yml
• Modified injectSecret() function in utils.ts to support selective key filtering
• Updated index.ts to read and pass the new parameter
• Added comprehensive unit tests covering various scenarios
• Added integration tests for the new functionality
• Updated README.md with parameter documentation and usage examples

Testing

• ✅ All existing tests pass (maintaining backward compatibility)
• ✅ New unit tests cover selective key extraction scenarios
• ✅ Integration tests verify end-to-end functionality
• ✅ Test coverage maintained at 98.75% statements, 98.55% branches
• ✅ Linting passes without errors
• ✅ Build successfully updates dist/ directory

Examples

Before: All JSON values get masked, making debugging difficult

{
  "username": "admin",        // Gets masked everywhere
  "password": "secret123",    // Gets masked (correctly)
  "host": "db.example.com",   // Gets masked everywhere  
  "port": "5432"              // Gets masked everywhere
}

After: Only sensitive values get masked

json-secret-keys: |
  password

• ✅ Only password value gets masked
• ✅ username, host, port remain visible in logs for debugging

Fixes #263

🤖 Generated with Claude Code