action.yml

@@ -33,13 +33,14 @@ runs:
     - name: Unlock Vault
       shell: sh
       run: |
-        bw login --apikey
+         bw login --apikey
-        echo "BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)" >> "$GITHUB_ENV"
+         export BW_SESSION=$(bw unlock '${{ secrets.WARDEN_PASSWORD }}' --raw)
+         echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV
       env:
         BW_CLIENTID: "${{ inputs.client-id }}"
         BW_CLIENTSECRET: "${{ inputs.client-secret }}"
 
-    - name: Retrieve Requested Secrets
+    - name: Retrieve Secrets
       shell: bash
       run: |
         if [[ -z "$BW_SESSION" ]]; then
@@ -58,10 +59,13 @@ runs:
           fi
 
           echo "🔍 Retrieving secret: $SECRET_ID"
-          SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" 2>/dev/null)
+          SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
 
           if [[ -n "$SECRET_VALUE" ]]; then
-            echo "$ENV_VAR=${SECRET_VALUE}" >> "$GITHUB_ENV"
+            echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
+            echo "$SECRET_VALUE" >> $GITHUB_ENV
+            echo "EOF" >> $GITHUB_ENV
+            echo "$ENV_VAR=$SECRET_VALUE" >> .kamal/secrets.staging
             echo "✅ Stored $SECRET_ID in $ENV_VAR"
           else
             echo "❌ Failed to retrieve secret: $SECRET_ID"