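---
# Composite action: log in to Bitwarden with an API key, unlock the vault with
# the master password, and export the notes field of selected vault items as
# environment variables for later steps (written to $GITHUB_ENV, which the
# Gitea runner also provides).
name: Auth Warden
description: Authenticate with Bitwarden and retrieve dynamic secrets
author: Jamie Schouten

inputs:
  email:
    # NOTE(review): declared required but not referenced by any step below;
    # `bw login --apikey` authenticates with BW_CLIENTID/BW_CLIENTSECRET only.
    # Kept so existing callers that pass it keep working.
    description: 'Bitwarden email'
    required: true
  password:
    description: 'Bitwarden master password (used to unlock the vault)'
    required: true
  server:
    description: 'Bitwarden server URL'
    required: false
    default: ${{ vars.WARDEN_URL }}
  client-id:
    description: 'Bitwarden API client id'
    required: true
  client-secret:
    description: 'Bitwarden API client secret'
    required: true
  secrets:
    description: >-
      One or more secret Ids to retrieve and the corresponding Gitea
      environment variable name to set, as comma-separated ITEM_ID=ENV_NAME
      pairs. The notes field of each item is exported under ENV_NAME.
    required: true

runs:
  using: "composite"
  steps:
    # Inputs are handed to the scripts through `env:` instead of being spliced
    # into the script text with ${{ }}. A ${{ }} expansion is substituted into
    # the shell source before it runs, so an input containing quotes or $(...)
    # would be executed as shell, and the master password would also show up
    # in the process argument list.
    - name: Configure Bitwarden Server
      shell: sh
      run: |
        set -eu
        if [ -z "$WARDEN_SERVER" ]; then
          # No server given and vars.WARDEN_URL is unset: leave the CLI's
          # current configuration untouched.
          echo "No Bitwarden server configured; using the CLI default"
        else
          bw config server "$WARDEN_SERVER"
        fi
      env:
        WARDEN_SERVER: ${{ inputs.server }}

    - name: Unlock Vault
      shell: sh
      run: |
        set -eu
        # Log in only when the CLI has no existing session for this profile.
        if ! bw login --check; then
          bw login --apikey
        fi

        # --passwordenv reads the master password from the named variable so
        # it never appears in argv; --raw prints only the session key.
        BW_SESSION=$(bw unlock --passwordenv WARDEN_PASSWORD --raw)

        if [ -z "$BW_SESSION" ]; then
          echo "❌ Failed to unlock Bitwarden vault"
          exit 1
        fi

        # The session key unlocks the whole vault: redact it from step logs
        # before persisting it for the following steps.
        echo "::add-mask::$BW_SESSION"
        printf '%s\n' "BW_SESSION=$BW_SESSION" >> "$GITHUB_ENV"
        echo "✅ Vault unlocked successfully!"
      env:
        BW_CLIENTID: ${{ inputs.client-id }}
        BW_CLIENTSECRET: ${{ inputs.client-secret }}
        WARDEN_PASSWORD: ${{ inputs.password }}

    - name: Retrieve Requested Secrets
      shell: sh
      run: |
        set -eu
        failed=0

        # Split the comma-separated pairs. Field splitting only applies to an
        # unquoted expansion, so $WARDEN_SECRETS must stay unquoted here
        # (a quoted string would arrive as a single positional parameter).
        OLDIFS="$IFS"
        IFS=","
        set -- $WARDEN_SECRETS
        IFS="$OLDIFS"

        for pair in "$@"; do
          # Split on the first '=' only, so a name or value containing '='
          # is not truncated.
          SECRET_ID="${pair%%=*}"
          ENV_VAR="${pair#*=}"

          # The target name is caller-controlled; accept only a valid
          # identifier so a malformed pair cannot inject an arbitrary line
          # (for example a second NAME=VALUE) into $GITHUB_ENV.
          case "$ENV_VAR" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
              echo "❌ Invalid environment variable name in pair: $pair"
              failed=1
              continue
              ;;
          esac

          echo "Retrieving secret: $SECRET_ID..."
          # A failed lookup is reported below rather than aborting via set -e.
          SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION") || SECRET_VALUE=""

          if [ -z "$SECRET_VALUE" ]; then
            echo "❌ Failed to retrieve secret: $SECRET_ID"
            failed=1
            continue
          fi

          # Mask every line of the value so it is redacted from step logs.
          printf '%s\n' "$SECRET_VALUE" | while IFS= read -r line; do
            if [ -n "$line" ]; then
              echo "::add-mask::$line"
            fi
          done

          # Notes can span several lines; only the heredoc form of
          # $GITHUB_ENV preserves them. A random delimiter keeps the value
          # from terminating the heredoc early.
          delim="bw_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
          {
            printf '%s\n' "$ENV_VAR<<$delim"
            printf '%s\n' "$SECRET_VALUE"
            printf '%s\n' "$delim"
          } >> "$GITHUB_ENV"
          echo "✅ Stored $SECRET_ID in $ENV_VAR"
        done

        # Fail the step when any requested secret could not be exported,
        # instead of letting later steps run with a missing variable.
        if [ "$failed" -ne 0 ]; then
          echo "❌ One or more secrets could not be retrieved"
          exit 1
        fi
      env:
        WARDEN_SECRETS: ${{ inputs.secrets }}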