From fc7983c704e6690b0b158fb648d4ed63044aeaf1 Mon Sep 17 00:00:00 2001 From: Johan Rooijakkers Date: Wed, 26 Feb 2025 14:14:30 +0100 Subject: [PATCH] add secrets
---
 action.yml | 46 +++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 39 insertions(+), 7 deletions(-)
diff --git a/action.yml b/action.yml
index 21b4f4d..ef81d84 100644
--- a/action.yml
+++ b/action.yml
@@ -1,23 +1,55 @@ name: Auth Warden -description: Authenticate with Bitwarden +description: Authenticate with Bitwarden and retrieve dynamic secrets author: Jamie Schouten + inputs: email: - description: 'email' + description: 'Bitwarden email' required: true password: - description: 'password' + description: 'Bitwarden password' required: true server: description: 'Bitwarden server' required: false - default: ${{ vars.WARDEN_URL }} + default: ${{ vars.WARDEN_URL }} + secrets: + description: "One or more secret Ids to retrieve and the corresponding GitHub environment variable name to set" + required: true runs: using: "composite" steps: - - name: Auth Warden + - name: Configure Bitwarden Server + shell: sh + run: bw config server ${{ inputs.server }} + + - name: Unlock Vault shell: sh run: | - bw config server ${{ inputs.server }} - export BW_SESSION=$(bw login '${{ inputs.email }}' '${{ inputs.password }}' --raw) + bw login --apikey + export BW_SESSION=$(bw unlock '${{ secrets.WARDEN_PASSWORD }}' --raw) + env: + BW_CLIENTID: ${{ secrets.WARDEN_CLIENT_ID }} + BW_CLIENTSECRET: ${{ secrets.WARDEN_CLIENT_SECRET }} + + - name: Retrieve Requested Secrets + shell: sh + run: | + IFS=',' read -r -a secret_pairs <<< "${{ inputs.secrets }}" + for pair in "${secret_pairs[@]}"; do + SECRET_ID=$(echo "$pair" | cut -d'=' -f1) + ENV_VAR=$(echo "$pair" | cut -d'=' -f2) + + echo "Retrieving secret: $SECRET_ID..." + SECRET_VALUE=$(bw get item "$SECRET_ID" --session "$BW_SESSION") + + if [ -n "$SECRET_VALUE" ]; then + echo "$ENV_VAR=$SECRET_VALUE" >> $GITHUB_ENV + echo "✅ Stored $SECRET_ID in $ENV_VAR" + else + echo "❌ Failed to retrieve secret: $SECRET_ID" + fi + done + env: + BW_SESSION: ${{ env.BW_SESSION }}
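Review bot: The `export BW_SESSION=...` in the new `Unlock Vault` step does not survive the step boundary, so `${{ env.BW_SESSION }}` in the `env:` of `Retrieve Requested Secrets` resolves to an empty string and every `bw get item ... --session "$BW_SESSION"` call runs unauthenticated; the session key has to be appended to `$GITHUB_ENV` (and masked with `::add-mask::`) rather than exported. The retrieve script also relies on bash-only constructs (`read -r -a`, `<<<`, `"${secret_pairs[@]}"`) under `shell: sh`, which fails to parse on runners where `sh` is dash, so both new steps should declare `shell: bash`. Passing the master password as a positional argument to `bw unlock` exposes it in process listings, and splicing `${{ inputs.secrets }}` straight into the script text is a script-injection vector; supply both through `env:` and reference them as shell variables, e.g. `bw unlock --passwordenv BW_PASSWORD --raw`. The values written to `$GITHUB_ENV` are never masked, `$GITHUB_ENV` is unquoted, and `bw get item` returns the item's JSON rather than a single field, which is probably not what the caller wants in an environment variable — worth confirming against the intended use. Finally, `inputs.email` and `inputs.password` stay `required: true` but are no longer read by any step, and I believe the `secrets` context is not exposed inside a composite action, so the `secrets.WARDEN_*` references likely need to become inputs.
```yaml
      - name: Unlock Vault
        shell: bash
        env:
          BW_CLIENTID: ${{ secrets.WARDEN_CLIENT_ID }}
          BW_CLIENTSECRET: ${{ secrets.WARDEN_CLIENT_SECRET }}
          BW_PASSWORD: ${{ secrets.WARDEN_PASSWORD }}
        run: |
          bw login --apikey
          session="$(bw unlock --passwordenv BW_PASSWORD --raw)"
          echo "::add-mask::$session"
          echo "BW_SESSION=$session" >> "$GITHUB_ENV"

      - name: Retrieve Requested Secrets
        shell: bash
        env:
          REQUESTED_SECRETS: ${{ inputs.secrets }}
        run: |
          IFS=',' read -r -a secret_pairs <<< "$REQUESTED_SECRETS"
          for pair in "${secret_pairs[@]}"; do
            # … unchanged: SECRET_ID / ENV_VAR split and bw get item call …
            if [ -n "$SECRET_VALUE" ]; then
              echo "::add-mask::$SECRET_VALUE"
              echo "$ENV_VAR=$SECRET_VALUE" >> "$GITHUB_ENV"
            # … unchanged: success / failure messages, fi, done …
```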