From 098308b84c2f2b8aed69ab5295f41a826d506a91 Mon Sep 17 00:00:00 2001
From: Iwan Huiting <iwan@qlic.nl>
Date: Wed, 15 Apr 2026 15:37:38 +0200
Subject: [PATCH] Stops bitwarden session from getting printed to logs

---
 action.yml | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/action.yml b/action.yml
index ac9d773..b51ae85 100644
--- a/action.yml
+++ b/action.yml
@@ -33,19 +33,15 @@ runs:
       shell: sh
       run: bw config server "${{ inputs.server }}"
 
-    - name: Unlock Vault
+    - name: Unlock vault and retrieve secrets
       shell: sh
-      run: |
-         bw login --apikey
-         BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
-         echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV
       env:
         BW_CLIENTID: "${{ inputs.client-id }}"
         BW_CLIENTSECRET: "${{ inputs.client-secret }}"
-
-    - name: Retrieve Secrets
-      shell: sh
       run: |
+        bw login --apikey
+        BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
+
         echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do
           SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//')
           ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//')
@@ -54,7 +50,7 @@ runs:
             continue
           fi
 
-          echo "🔍 Retrieving secret"
+          echo "🔍 Retrieving secret: $SECRET_ID"
           SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
 
           if [ -n "$SECRET_VALUE" ]; then