From 6f14b4d8da064320bffbc4c45cdf6c3db34ee4dd Mon Sep 17 00:00:00 2001 From: Iwan Huiting Date: Wed, 15 Apr 2026 15:21:06 +0200 Subject: [PATCH 1/4] Stop showing secret --- action.yml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/action.yml b/action.yml index 0402c72..ac9d773 100644 --- a/action.yml +++ b/action.yml @@ -24,8 +24,7 @@ inputs: required: true dot-env-path: description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV" - required: false - default: "" + required: true runs: using: "composite" @@ -55,22 +54,21 @@ runs: continue fi - echo "🔍 Retrieving secret: $SECRET_ID" + echo "🔍 Retrieving secret" SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null) if [ -n "$SECRET_VALUE" ]; then - if [ "$ENV_VAR" = "DOT_ENV" ] && [ -n "${{ inputs.dot-env-path }}" ]; then + if [ "$ENV_VAR" = "DOT_ENV" ]; then mkdir -p "$(dirname "${{ inputs.dot-env-path }}")" umask 077 printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}" - echo "Stored $SECRET_ID in $ENV_VAR file" + echo "Stored $ENV_VAR file" else - echo "$ENV_VAR<> $GITHUB_ENV - echo "$SECRET_VALUE" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - echo "Stored $SECRET_ID in $ENV_VAR" + echo "Unsupported ENV_VAR: $ENV_VAR" + exit 1 fi else - echo "Failed to retrieve secret: $SECRET_ID" + echo "Failed to retrieve requested secret" + exit 1 fi done From 098308b84c2f2b8aed69ab5295f41a826d506a91 Mon Sep 17 00:00:00 2001 From: Iwan Huiting Date: Wed, 15 Apr 2026 15:37:38 +0200 Subject: [PATCH 2/4] Stops bitwarden session from getting printed to logs --- action.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/action.yml b/action.yml index ac9d773..b51ae85 100644 --- a/action.yml +++ b/action.yml @@ -33,19 +33,15 @@ runs: shell: sh run: bw config server "${{ inputs.server }}" - - name: Unlock Vault + - name: Unlock vault and retrieve secrets shell: sh - run: | - bw login --apikey - BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw) - echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV env: BW_CLIENTID: "${{ inputs.client-id }}" BW_CLIENTSECRET: "${{ inputs.client-secret }}" - - - name: Retrieve Secrets - shell: sh run: | + bw login --apikey + BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw) + echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//') ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//') @@ -54,7 +50,7 @@ runs: continue fi - echo "🔍 Retrieving secret" + echo "🔍 Retrieving secret: $SECRET_ID" SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null) if [ -n "$SECRET_VALUE" ]; then From 344458686a15cef88abc66b9047c0ba41fdea0cd Mon Sep 17 00:00:00 2001 From: Iwan Huiting Date: Wed, 15 Apr 2026 15:47:55 +0200 Subject: [PATCH 3/4] Revert changes in logging --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index b51ae85..57b7030 100644 --- a/action.yml +++ b/action.yml @@ -64,7 +64,7 @@ runs: exit 1 fi else - echo "Failed to retrieve requested secret" + echo "Failed to retrieve secret: $SECRET_ID" exit 1 fi done From 68e05b9866cc79b81795bf40788dd3594988f71e Mon Sep 17 00:00:00 2001 From: Iwan Huiting Date: Wed, 15 Apr 2026 15:50:05 +0200 Subject: [PATCH 4/4] Fix logs back to original --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index b1329f4..fc8a262 100644 --- a/action.yml +++ b/action.yml @@ -55,7 +55,7 @@ runs: mkdir -p "$(dirname "${{ inputs.dot-env-path }}")" umask 077 printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}" - echo "Stored $ENV_VAR file" + echo "Stored $SECRET_ID in $ENV_VAR file" else echo "Unsupported ENV_VAR: $ENV_VAR" exit 1