# Auth Warden A Gitea Action for authenticating with Bitwarden and retrieving dynamic secrets for use in CI/CD workflows. ## Overview Auth Warden provides a secure way to authenticate with a Bitwarden server and dynamically retrieve secrets stored as secure notes, making them available as environment variables in your Gitea Actions workflow. ## Features - 🔐 Secure authentication with Bitwarden using API keys - 🌐 Support for custom Bitwarden servers - 📝 Retrieve secrets from Bitwarden secure notes - 🔄 Dynamic mapping of secrets to environment variables - 🛡️ Secure handling of sensitive data ## Usage ```yaml - name: Retrieve secrets from Bitwarden uses: ./path/to/auth-warden with: email: ${{ secrets.BITWARDEN_EMAIL }} password: ${{ secrets.BITWARDEN_PASSWORD }} server: https://your-bitwarden-server.com client-id: ${{ secrets.BITWARDEN_CLIENT_ID }} client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }} secrets: | secret-id-1 > DATABASE_URL secret-id-2 > API_KEY secret-id-3 > WEBHOOK_SECRET ``` ## Inputs | Input | Description | Required | Default | |-------|-------------|----------|---------| | `email` | Bitwarden account email | Yes | - | | `password` | Bitwarden account password | Yes | - | | `server` | Bitwarden server URL | No | `${{ vars.WARDEN_URL }}` | | `client-id` | Bitwarden API client ID | Yes | - | | `client-secret` | Bitwarden API client secret | Yes | - | | `secrets` | List of secret mappings (format: `SECRET_ID > ENV_VAR`) | Yes | - | ## Secret Mapping Format The `secrets` input expects a multiline string where each line contains a mapping in the format: ``` SECRET_ID > ENVIRONMENT_VARIABLE_NAME ``` - `SECRET_ID`: The ID of the secure note in Bitwarden - `ENVIRONMENT_VARIABLE_NAME`: The name of the environment variable to create Example: ```yaml secrets: | db-connection-string > DATABASE_URL stripe-api-key > STRIPE_API_KEY jwt-secret > JWT_SECRET ``` ## Prerequisites - Bitwarden CLI must be available in the runner environment - Valid Bitwarden account with API access configured - Secrets must be stored as secure notes in Bitwarden ## Security Considerations - Store all sensitive inputs (email, password, client-id, client-secret) as Gitea repository secrets - Use organization or repository variables for the server URL if it's not sensitive - The action automatically handles session management and cleanup - Retrieved secrets are securely added to the Gitea Actions environment ## Example Workflow ```yaml name: Deploy Application on: [push] jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Retrieve secrets uses: ./path/to/auth-warden with: email: ${{ secrets.BITWARDEN_EMAIL }} password: ${{ secrets.BITWARDEN_PASSWORD }} client-id: ${{ secrets.BITWARDEN_CLIENT_ID }} client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }} secrets: | database-url > DATABASE_URL api-key > API_KEY - name: Deploy run: | echo "Database URL is available as: $DATABASE_URL" echo "API Key is available as: $API_KEY" # Your deployment commands here ``` ## Error Handling The action will: - Continue processing other secrets if one fails to retrieve - Log which secrets were successfully retrieved - Log errors for failed secret retrievals - Not fail the entire workflow if individual secrets cannot be retrieved ## Author Jamie Schouten ## License See repository license for details.