actions/warden
5
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: actions/warden:fix/changes-env-file-handling
Branches Tags
actions/warden:main actions/warden:fix/changes-env-file-handling
actions/warden:v1
..
compare: actions/warden:340763a47810e52c96abf82e3e23756d5a86f3e9
Branches Tags
actions/warden:main actions/warden:fix/changes-env-file-handling
actions/warden:v1

1 Commits
fix/changes-env-file-handling .. 340763a478

Author SHA1 Message Date
jamie 340763a478 Add readme 2025-08-05 15:23:10 +02:00
2 changed files with 56 additions and 28 deletions
Expand all files Collapse all files
README.md
+34 -4
View File
@@ -6,12 +6,21 @@ A Gitea Action for authenticating with Bitwarden and retrieving dynamic secrets
Auth Warden provides a secure way to authenticate with a Bitwarden server and dynamically retrieve secrets stored as secure notes, making them available as environment variables in your Gitea Actions workflow.
## Features
- 🔐 Secure authentication with Bitwarden using API keys
- 🌐 Support for custom Bitwarden servers
- 📝 Retrieve secrets from Bitwarden secure notes
- 🔄 Dynamic mapping of secrets to environment variables
- 🛡️ Secure handling of sensitive data
## Usage
```yaml
- name: Retrieve secrets from Bitwarden
uses: https://git.qlic.nl/actions/warden@v1
uses: ./path/to/auth-warden
with:
email: ${{ secrets.BITWARDEN_EMAIL }}
password: ${{ secrets.BITWARDEN_PASSWORD }}
server: https://your-bitwarden-server.com
client-id: ${{ secrets.BITWARDEN_CLIENT_ID }}
@@ -25,7 +34,8 @@ Auth Warden provides a secure way to authenticate with a Bitwarden server and dy
## Inputs
| Input | Description | Required | Default |
|-----------------|---------------------------------------------------------|----------|--------------------------|
|-------|-------------|----------|---------|
| `email` | Bitwarden account email | Yes | - |
| `password` | Bitwarden account password | Yes | - |
| `server` | Bitwarden server URL | No | `${{ vars.WARDEN_URL }}` |
| `client-id` | Bitwarden API client ID | Yes | - |
@@ -59,7 +69,10 @@ secrets: |
## Security Considerations
- Store all sensitive inputs (password, client-id, client-secret) as Gitea repository secrets
- Store all sensitive inputs (email, password, client-id, client-secret) as Gitea repository secrets
- Use organization or repository variables for the server URL if it's not sensitive
- The action automatically handles session management and cleanup
- Retrieved secrets are securely added to the Gitea Actions environment
## Example Workflow
@@ -74,8 +87,9 @@ jobs:
- uses: actions/checkout@v4
- name: Retrieve secrets
uses: https://git.qlic.nl/actions/warden@v1
uses: ./path/to/auth-warden
with:
email: ${{ secrets.BITWARDEN_EMAIL }}
password: ${{ secrets.BITWARDEN_PASSWORD }}
client-id: ${{ secrets.BITWARDEN_CLIENT_ID }}
client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }}
@@ -89,3 +103,19 @@ jobs:
echo "API Key is available as: $API_KEY"
# Your deployment commands here
```
## Error Handling
The action will:
- Continue processing other secrets if one fails to retrieve
- Log which secrets were successfully retrieved
- Log errors for failed secret retrievals
- Not fail the entire workflow if individual secrets cannot be retrieved
## Author
Jamie Schouten
## License
See repository license for details.
action.yml
+16 -18
View File
@@ -3,6 +3,9 @@ description: Authenticate with Bitwarden and retrieve dynamic secrets
author: Jamie Schouten
inputs:
email:
description: "Bitwarden email"
required: true
password:
description: "Bitwarden password"
required: true
@@ -19,9 +22,6 @@ inputs:
secrets:
description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
required: true
dot-env-path:
description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV"
required: true
runs:
using: "composite"
@@ -30,15 +30,19 @@ runs:
shell: sh
run: bw config server "${{ inputs.server }}"
- name: Unlock vault and retrieve secrets
- name: Unlock Vault
shell: sh
env:
BW_CLIENTID: "${{ inputs.client-id }}"
BW_CLIENTSECRET: "${{ inputs.client-secret }}"
run: |
bw login --apikey
BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV
env:
BW_CLIENTID: "${{ inputs.client-id }}"
BW_CLIENTSECRET: "${{ inputs.client-secret }}"
- name: Retrieve Secrets
shell: sh
run: |
echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do
SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//')
ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//')
@@ -51,17 +55,11 @@ runs:
SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
if [ -n "$SECRET_VALUE" ]; then
if [ "$ENV_VAR" = "DOT_ENV" ]; then
mkdir -p "$(dirname "${{ inputs.dot-env-path }}")"
umask 077
printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}"
echo "Stored $ENV_VAR file"
echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
echo "$SECRET_VALUE" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
echo "Stored $SECRET_ID in $ENV_VAR"
else
echo "Unsupported ENV_VAR: $ENV_VAR"
exit 1
fi
else
echo "Failed to retrieve requested secret"
exit 1
echo "Failed to retrieve secret: $SECRET_ID"
fi
done