diff --git a/README.md b/README.md index 66f8027..dfc17b3 100644 --- a/README.md +++ b/README.md @@ -1 +1,121 @@ -# Warden +# Auth Warden + +A Gitea Action for authenticating with Bitwarden and retrieving dynamic secrets for use in CI/CD workflows. + +## Overview + +Auth Warden provides a secure way to authenticate with a Bitwarden server and dynamically retrieve secrets stored as secure notes, making them available as environment variables in your Gitea Actions workflow. + +## Features + +- 🔐 Secure authentication with Bitwarden using API keys +- 🌐 Support for custom Bitwarden servers +- 📝 Retrieve secrets from Bitwarden secure notes +- 🔄 Dynamic mapping of secrets to environment variables +- 🛡️ Secure handling of sensitive data + +## Usage + +```yaml +- name: Retrieve secrets from Bitwarden + uses: ./path/to/auth-warden + with: + email: ${{ secrets.BITWARDEN_EMAIL }} + password: ${{ secrets.BITWARDEN_PASSWORD }} + server: https://your-bitwarden-server.com + client-id: ${{ secrets.BITWARDEN_CLIENT_ID }} + client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }} + secrets: | + secret-id-1 > DATABASE_URL + secret-id-2 > API_KEY + secret-id-3 > WEBHOOK_SECRET +``` + +## Inputs + +| Input | Description | Required | Default | +|-------|-------------|----------|---------| +| `email` | Bitwarden account email | Yes | - | +| `password` | Bitwarden account password | Yes | - | +| `server` | Bitwarden server URL | No | `${{ vars.WARDEN_URL }}` | +| `client-id` | Bitwarden API client ID | Yes | - | +| `client-secret` | Bitwarden API client secret | Yes | - | +| `secrets` | List of secret mappings (format: `SECRET_ID > ENV_VAR`) | Yes | - | + +## Secret Mapping Format + +The `secrets` input expects a multiline string where each line contains a mapping in the format: + +``` +SECRET_ID > ENVIRONMENT_VARIABLE_NAME +``` + +- `SECRET_ID`: The ID of the secure note in Bitwarden +- `ENVIRONMENT_VARIABLE_NAME`: The name of the environment variable to create + +Example: +```yaml +secrets: | + db-connection-string > DATABASE_URL + stripe-api-key > STRIPE_API_KEY + jwt-secret > JWT_SECRET +``` + +## Prerequisites + +- Bitwarden CLI must be available in the runner environment +- Valid Bitwarden account with API access configured +- Secrets must be stored as secure notes in Bitwarden + +## Security Considerations + +- Store all sensitive inputs (email, password, client-id, client-secret) as Gitea repository secrets +- Use organization or repository variables for the server URL if it's not sensitive +- The action automatically handles session management and cleanup +- Retrieved secrets are securely added to the Gitea Actions environment + +## Example Workflow + +```yaml +name: Deploy Application +on: [push] + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Retrieve secrets + uses: ./path/to/auth-warden + with: + email: ${{ secrets.BITWARDEN_EMAIL }} + password: ${{ secrets.BITWARDEN_PASSWORD }} + client-id: ${{ secrets.BITWARDEN_CLIENT_ID }} + client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }} + secrets: | + database-url > DATABASE_URL + api-key > API_KEY + + - name: Deploy + run: | + echo "Database URL is available as: $DATABASE_URL" + echo "API Key is available as: $API_KEY" + # Your deployment commands here +``` + +## Error Handling + +The action will: +- Continue processing other secrets if one fails to retrieve +- Log which secrets were successfully retrieved +- Log errors for failed secret retrievals +- Not fail the entire workflow if individual secrets cannot be retrieved + +## Author + +Jamie Schouten + +## License + +See repository license for details.