action.yml

@@ -1,23 +1,65 @@
 name: Auth Warden
-description: Authenticate with Bitwarden
+description: Authenticate with Bitwarden and retrieve dynamic secrets
 author: Jamie Schouten
+
 inputs:
   email:
-    description: 'email'
+    description: "Bitwarden email"
     required: true
   password:
-    description: 'password'
+    description: "Bitwarden password"
     required: true
   server:
-    description: 'Bitwarden server'
+    description: "Bitwarden server"
     required: false
-    default: ${{ vars.WARDEN_URL  }}
+    default: ${{ vars.WARDEN_URL }}
+  client-id:
+    description: "Bitwarden client ID"
+    required: true
+  client-secret:
+    description: "Bitwarden client secret"
+    required: true
+  secrets:
+    description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
+    required: true
 
 runs:
   using: "composite"
   steps:
-    - name: Auth Warden
+    - name: Configure Bitwarden Server
+      shell: sh
+      run: bw config server "${{ inputs.server }}"
+
+    - name: Unlock Vault
       shell: sh
       run: |
-        bw config server ${{ inputs.server }}
+         bw login --apikey
-        export BW_SESSION=$(bw login '${{ inputs.email }}' '${{ inputs.password }}' --raw)
+         BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
+         echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV
+      env:
+        BW_CLIENTID: "${{ inputs.client-id }}"
+        BW_CLIENTSECRET: "${{ inputs.client-secret }}"
+
+    - name: Retrieve Secrets
+      shell: sh
+      run: |
+        echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do
+          SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//')
+          ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//')
+
+          if [ -z "$SECRET_ID" ] || [ -z "$ENV_VAR" ]; then
+            continue
+          fi
+
+          echo "🔍 Retrieving secret: $SECRET_ID"
+          SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
+
+          if [ -n "$SECRET_VALUE" ]; then
+            echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
+            echo "$SECRET_VALUE" >> $GITHUB_ENV
+            echo "EOF" >> $GITHUB_ENV
+            echo "Stored $SECRET_ID in $ENV_VAR"
+          else
+            echo "Failed to retrieve secret: $SECRET_ID"
+          fi
+        done