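---
# Composite action: log in to Bitwarden with an API key, unlock the vault,
# publish the session key to later steps, then run retrieveSecrets.js.
name: Auth Warden
description: Authenticate with Bitwarden and retrieve dynamic secrets
author: Jamie Schouten

inputs:
  email:
    # NOTE(review): no step in this file reads this input; the login below
    # uses the API key pair (client-id / client-secret) only.
    description: 'Bitwarden email'
    required: true
  password:
    description: 'Bitwarden password'
    required: true
  server:
    description: 'Bitwarden server'
    required: false
    # NOTE(review): confirm the runner evaluates the `vars` context inside
    # action metadata defaults; if it does not, the step below sees an empty
    # or literal value instead of the intended URL.
    default: '${{ vars.WARDEN_URL }}'
  client-id:
    description: 'Bitwarden client id'
    required: true
  client-secret:
    description: 'Bitwarden client secret'
    required: true
  secrets:
    description: >-
      One or more secret Ids to retrieve and the corresponding Gitea
      environment variable name to set
    required: true

runs:
  using: 'composite'
  steps:
    - name: Configure Bitwarden Server
      shell: sh
      # Inputs are handed to the script through `env`, not through ${{ }}
      # text substitution: substituted text becomes part of the script source
      # and would be parsed by the shell, an environment variable is data.
      run: |
        # Skip the call when no server was supplied, so the CLI keeps its
        # current server setting.
        if [ -n "$BW_SERVER" ]; then
          bw config server "$BW_SERVER"
        fi
      env:
        BW_SERVER: ${{ inputs.server }}

    - name: Unlock Vault
      shell: sh
      run: |
        # Ensure Bitwarden is logged in (API key is read from BW_CLIENTID /
        # BW_CLIENTSECRET in the environment)
        if ! bw login --check; then
          bw login --apikey
        fi

        # Unlock the vault and store the session key. The master password is
        # read from the environment by the CLI itself, so it never appears in
        # the script text or on the command line.
        BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)

        # Verify if BW_SESSION is set correctly
        if [ -n "$BW_SESSION" ]; then
          # Register the session key as a masked value before it is written
          # anywhere, so the runner redacts it from subsequent log output.
          echo "::add-mask::$BW_SESSION"
          # Every later step of the calling job can read BW_SESSION from
          # here on; treat those steps as having vault access.
          echo "BW_SESSION=$BW_SESSION" >> "$GITHUB_ENV"
          export BW_SESSION
          echo "✅ Vault unlocked successfully!"
        else
          echo "❌ Failed to unlock Bitwarden vault"
          exit 1
        fi
      env:
        BW_CLIENTID: ${{ inputs.client-id }}
        BW_CLIENTSECRET: ${{ inputs.client-secret }}
        BW_PASSWORD: ${{ inputs.password }}

    - name: Setup Node.js
      # NOTE(review): a version tag is mutable; pinning this action to a full
      # commit SHA keeps the code that runs next to the unlocked vault fixed.
      uses: actions/setup-node@v4
      with:
        node-version: '20'

    - name: Retrieve Requested Secrets
      shell: sh
      # NOTE(review): this step names the script by a relative path and sets
      # no `env`, so it resolves retrieveSecrets.js against the step's working
      # directory and does not pass `inputs.secrets` explicitly. Confirm the
      # script that runs is the one shipped with this action (it executes with
      # BW_SESSION available) and how it receives the requested secret Ids.
      run: node retrieveSecrets.js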