Merge branch 'main' into fix/changes-env-file-handling

Reviewed-on: #2

README.md

@@ -6,21 +6,12 @@ A Gitea Action for authenticating with Bitwarden and retrieving dynamic secrets
 
 Auth Warden provides a secure way to authenticate with a Bitwarden server and dynamically retrieve secrets stored as secure notes, making them available as environment variables in your Gitea Actions workflow.
 
-## Features
-
-- 🔐 Secure authentication with Bitwarden using API keys
-- 🌐 Support for custom Bitwarden servers
-- 📝 Retrieve secrets from Bitwarden secure notes
-- 🔄 Dynamic mapping of secrets to environment variables
-- 🛡️ Secure handling of sensitive data
-
 ## Usage
 
 ```yaml
 - name: Retrieve secrets from Bitwarden
-  uses: ./path/to/auth-warden
+  uses: https://git.qlic.nl/actions/warden@v1
   with:
-    email: ${{ secrets.BITWARDEN_EMAIL }}
     password: ${{ secrets.BITWARDEN_PASSWORD }}
     server: https://your-bitwarden-server.com
     client-id: ${{ secrets.BITWARDEN_CLIENT_ID }}
@@ -34,8 +25,7 @@ Auth Warden provides a secure way to authenticate with a Bitwarden server and dy
 ## Inputs
 
 | Input           | Description                                             | Required | Default                  |
-|-------|-------------|----------|---------|
+|-----------------|---------------------------------------------------------|----------|--------------------------|
-| `email` | Bitwarden account email | Yes | - |
 | `password`      | Bitwarden account password                              | Yes      | -                        |
 | `server`        | Bitwarden server URL                                    | No       | `${{ vars.WARDEN_URL }}` |
 | `client-id`     | Bitwarden API client ID                                 | Yes      | -                        |
@@ -69,10 +59,7 @@ secrets: |
 
 ## Security Considerations
 
-- Store all sensitive inputs (email, password, client-id, client-secret) as Gitea repository secrets
+- Store all sensitive inputs (password, client-id, client-secret) as Gitea repository secrets
-- Use organization or repository variables for the server URL if it's not sensitive
-- The action automatically handles session management and cleanup
-- Retrieved secrets are securely added to the Gitea Actions environment
 
 ## Example Workflow
 
@@ -87,9 +74,8 @@ jobs:
       - uses: actions/checkout@v4
       
       - name: Retrieve secrets
-        uses: ./path/to/auth-warden
+        uses: https://git.qlic.nl/actions/warden@v1
         with:
-          email: ${{ secrets.BITWARDEN_EMAIL }}
           password: ${{ secrets.BITWARDEN_PASSWORD }}
           client-id: ${{ secrets.BITWARDEN_CLIENT_ID }}
           client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }}
@@ -103,19 +89,3 @@ jobs:
           echo "API Key is available as: $API_KEY"
           # Your deployment commands here
 ```
-
-## Error Handling
-
-The action will:
-- Continue processing other secrets if one fails to retrieve
-- Log which secrets were successfully retrieved
-- Log errors for failed secret retrievals
-- Not fail the entire workflow if individual secrets cannot be retrieved
-
-## Author
-
-Jamie Schouten
-
-## License
-
-See repository license for details.

action.yml

@@ -3,9 +3,6 @@ description: Authenticate with Bitwarden and retrieve dynamic secrets
 author: Jamie Schouten
 
 inputs:
-  email:
-    description: "Bitwarden email"
-    required: true
   password:
     description: "Bitwarden password"
     required: true
@@ -22,6 +19,9 @@ inputs:
   secrets:
     description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
     required: true
+  dot-env-path:
+    description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV"
+    required: true
 
 runs:
   using: "composite"
@@ -30,19 +30,15 @@ runs:
       shell: sh
       run: bw config server "${{ inputs.server }}"
 
-    - name: Unlock Vault
+    - name: Unlock vault and retrieve secrets
       shell: sh
-      run: |
-         bw login --apikey
-         BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
-         echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV
       env:
         BW_CLIENTID: "${{ inputs.client-id }}"
         BW_CLIENTSECRET: "${{ inputs.client-secret }}"
-
-    - name: Retrieve Secrets
-      shell: sh
       run: |
+        bw login --apikey
+        BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
+
         echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do
           SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//')
           ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//')
@@ -55,11 +51,17 @@ runs:
           SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
 
           if [ -n "$SECRET_VALUE" ]; then
-            echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
+            if [ "$ENV_VAR" = "DOT_ENV" ]; then
-            echo "$SECRET_VALUE" >> $GITHUB_ENV
+              mkdir -p "$(dirname "${{ inputs.dot-env-path }}")"
-            echo "EOF" >> $GITHUB_ENV
+              umask 077
-            echo "Stored $SECRET_ID in $ENV_VAR"
+              printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}"
+              echo "Stored $ENV_VAR file"
             else
-            echo "Failed to retrieve secret: $SECRET_ID"
+              echo "Unsupported ENV_VAR: $ENV_VAR"
+              exit 1
+            fi
+          else
+            echo "Failed to retrieve requested secret"
+            exit 1
           fi
         done