Add support for universes regional secrets

This adds support for regional secrets, but it's intentionally undocumented. It also adds support for universes, which is documented.

.github/workflows/draft-release.yml

@@ -21,4 +21,4 @@ jobs:
       version_strategy: '${{ github.event.inputs.version_strategy }}'
     # secrets must be explicitly passed to reusable workflows https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow
     secrets:
-      ACTIONS_BOT_TOKEN: '${{ secrets.ACTIONS_BOT_TOKEN }}'
+      ACTIONS_BOT_TOKEN: '${{ secrets.ACTIONS_BOT_TOKEN }}'

.github/workflows/integration.yml

@@ -44,9 +44,10 @@ jobs:
         secrets: |-
           token:${{ vars.SECRET_NAME }}
           password:${{ vars.SECRET_VERSION_NAME }}
+          regional:${{ vars.REGIONAL_SECRET_NAME }}
 
     - name: 'outputs'
-      run: echo '${{ steps.secrets.outputs.token }}${{ steps.secrets.outputs.password }}'
+      run: echo '${{ steps.secrets.outputs.token }}${{ steps.secrets.outputs.password }}${{ steps.secrets-encoded.outputs.regional }}'
 
     - id: 'secrets-encoded'
       name: 'secrets-encoded'
@@ -56,6 +57,7 @@ jobs:
         secrets: |-
           token:${{ vars.SECRET_NAME }}
           password:${{ vars.SECRET_VERSION_NAME }}
+          regional:${{ vars.REGIONAL_SECRET_NAME }}
 
     - name: 'outputs-encoded'
-      run: echo '${{ steps.secrets-encoded.outputs.token }}${{ steps.secrets-encoded.outputs.password }}'
+      run: echo '${{ steps.secrets-encoded.outputs.token }}${{ steps.secrets-encoded.outputs.password }}${{ steps.secrets-encoded.outputs.regional }}'

.github/workflows/release.yml

@@ -8,6 +8,7 @@ on:
 
 jobs:
   release:
-    if: "startsWith(github.event.head_commit.message, 'Release: v')"
+    if: |-
+      ${{ startsWith(github.event.head_commit.message, 'Release: v') }}
     name: 'Release'
     uses: 'google-github-actions/.github/.github/workflows/release.yml@v0'

README.md

@@ -89,14 +89,6 @@ jobs:
     <project-id>/<secret-id>
     ```
 
--   <a name="region"></a><a href="#user-content-region"><code>region</code></a>: _(Optional)_ Region/location to fetch secrets from specific region. List of supported regions for Secret Manager can be [seen here](https://cloud.google.com/secret-manager/docs/locations).
-    ```yaml
-    region: us-west1
-    secrets: |-
-      output1:my-project/my-secret1
-      output2:my-project/my-secret2
-    ```
-
 -   <a name="min_mask_length"></a><a href="#user-content-min_mask_length"><code>min_mask_length</code></a>: _(Optional, default: `4`)_ Minimum line length for a secret to be masked. Extremely short secrets
     (e.g. `{` or `a`) can make GitHub Actions log output unreadable. This is
     especially important for multi-line secrets, since each line of the secret
@@ -111,6 +103,11 @@ jobs:
     available encoding types, please see the [Node.js Buffer and character
     encodings](https://nodejs.org/docs/latest/api/buffer.html#buffers-and-character-encodings).
 
+-   <a name="universe"></a><a href="#user-content-universe"><code>universe</code></a>: _(Optional, default: `googleapis.com`)_ The Google Cloud universe to use for constructing API endpoints. The
+    default universe is "googleapis.com", which corresponds to
+    https://cloud.google.com. Trusted Partner Cloud and Google Distributed
+    Hosted Cloud should set this to their universe address.
+
 
 <!-- END_AUTOGEN_INPUTS -->
 

action.yml

@@ -76,6 +76,15 @@ inputs:
     required: false
     default: 'utf8'
 
+  universe:
+    description: |-
+      The Google Cloud universe to use for constructing API endpoints. The
+      default universe is "googleapis.com", which corresponds to
+      https://cloud.google.com. Trusted Partner Cloud and Google Distributed
+      Hosted Cloud should set this to their universe address.
+    required: false
+    default: 'googleapis.com'
+
 outputs:
   secrets:
     description: |-