Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Iwan
|
d48f432072 | ||
|
Iwan
|
098308b84c | ||
|
Iwan
|
6f14b4d8da | ||
 jamie
|
97a0d2b2f1 | ||
|
jamie
|
e39e5362c4 | ||
|
jamie
|
f9fa48b5a5 | ||
|
Iwan
|
afc56d6e1d | ||
|
Iwan
|
e398e9153b | ||
|
jamie
|
eb48951d7f
|
@@ -10,7 +10,7 @@ Auth Warden provides a secure way to authenticate with a Bitwarden server and dy
|
||||
|
||||
```yaml
|
||||
- name: Retrieve secrets from Bitwarden
|
||||
uses: ./path/to/auth-warden
|
||||
uses: https://git.qlic.nl/actions/warden@v1
|
||||
with:
|
||||
password: ${{ secrets.BITWARDEN_PASSWORD }}
|
||||
server: https://your-bitwarden-server.com
|
||||
@@ -59,10 +59,7 @@ secrets: |
|
||||
|
||||
## Security Considerations
|
||||
|
||||
- Store all sensitive inputs (email, password, client-id, client-secret) as Gitea repository secrets
|
||||
- Use organization or repository variables for the server URL if it's not sensitive
|
||||
- The action automatically handles session management and cleanup
|
||||
- Retrieved secrets are securely added to the Gitea Actions environment
|
||||
- Store all sensitive inputs (password, client-id, client-secret) as Gitea repository secrets
|
||||
|
||||
## Example Workflow
|
||||
|
||||
|
||||
+18
-13
@@ -19,6 +19,9 @@ inputs:
|
||||
secrets:
|
||||
description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
|
||||
required: true
|
||||
dot-env-path:
|
||||
description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV"
|
||||
required: true
|
||||
|
||||
runs:
|
||||
using: "composite"
|
||||
@@ -27,19 +30,15 @@ runs:
|
||||
shell: sh
|
||||
run: bw config server "${{ inputs.server }}"
|
||||
|
||||
- name: Unlock Vault
|
||||
- name: Unlock vault and retrieve secrets
|
||||
shell: sh
|
||||
run: |
|
||||
bw login --apikey
|
||||
BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
|
||||
echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV
|
||||
env:
|
||||
BW_CLIENTID: "${{ inputs.client-id }}"
|
||||
BW_CLIENTSECRET: "${{ inputs.client-secret }}"
|
||||
|
||||
- name: Retrieve Secrets
|
||||
shell: sh
|
||||
run: |
|
||||
bw login --apikey
|
||||
BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
|
||||
|
||||
echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do
|
||||
SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//')
|
||||
ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//')
|
||||
@@ -52,11 +51,17 @@ runs:
|
||||
SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
|
||||
|
||||
if [ -n "$SECRET_VALUE" ]; then
|
||||
echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
|
||||
echo "$SECRET_VALUE" >> $GITHUB_ENV
|
||||
echo "EOF" >> $GITHUB_ENV
|
||||
echo "Stored $SECRET_ID in $ENV_VAR"
|
||||
if [ "$ENV_VAR" = "DOT_ENV" ]; then
|
||||
mkdir -p "$(dirname "${{ inputs.dot-env-path }}")"
|
||||
umask 077
|
||||
printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}"
|
||||
echo "Stored $ENV_VAR file"
|
||||
else
|
||||
echo "Unsupported ENV_VAR: $ENV_VAR"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "Failed to retrieve secret: $SECRET_ID"
|
||||
echo "Failed to retrieve requested secret"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
Reference in New Issue
Block a user