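name: Auth Warden
description: Authenticate with Bitwarden and retrieve dynamic secrets
author: Jamie Schouten

# Composite action: logs in to the Bitwarden CLI (`bw`) with an API key, unlocks the
# vault with the master password, and copies the "notes" field of the requested items
# into environment variables via $GITHUB_ENV.
#
# Security notes for callers:
#   - Every value written to $GITHUB_ENV (the BW_SESSION key and each secret) is visible
#     to ALL later steps of the job, including third-party actions. Keep the job small.
#   - Values are registered with ::add-mask:: before they are exported so that an
#     accidental `echo` in a later step is redacted in the log.
#   - Inputs are handed to the shell through `env:` rather than expanded with ${{ }}
#     inside `run:`; an expression expanded inside the script body is spliced into the
#     shell source before it runs, so a value containing a quote or $(...) would be
#     executed (script injection). An environment variable is only ever data.

inputs:
  email:
    # NOTE(review): not referenced by any step below — `bw login --apikey` authenticates
    # with the client ID/secret only. Kept for interface compatibility.
    description: "Bitwarden email"
    required: true
  password:
    description: "Bitwarden master password (used to unlock the vault after API-key login)"
    required: true
  server:
    description: "Bitwarden server URL"
    required: false
    default: ${{ vars.WARDEN_URL }}
  client-id:
    description: "Bitwarden API client ID"
    required: true
  client-secret:
    description: "Bitwarden API client secret"
    required: true
  secrets:
    description: "List of secret IDs and corresponding environment variable names, one per line (format: 'SECRET_ID > ENV_VAR')"
    required: true

runs:
  using: "composite"
  steps:
    - name: Configure Bitwarden Server
      shell: sh
      env:
        BW_SERVER_URL: ${{ inputs.server }}
      run: |
        bw config server "$BW_SERVER_URL"

    - name: Unlock Vault
      shell: sh
      env:
        BW_CLIENTID: ${{ inputs.client-id }}
        BW_CLIENTSECRET: ${{ inputs.client-secret }}
        BW_PASSWORD: ${{ inputs.password }}
      run: |
        bw login --apikey
        # --passwordenv makes `bw` read the master password from the named variable, so
        # it never appears on a command line (and never has to be quoted into the script).
        BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
        if [ -z "$BW_SESSION" ]; then
          echo "::error::bw unlock returned an empty session key"
          exit 1
        fi
        # Mask the session key before exporting it; the key grants full read access to
        # the vault for the rest of the job. If no later step needs `bw`, consider
        # keeping the session local to this action instead of exporting it.
        echo "::add-mask::$BW_SESSION"
        echo "BW_SESSION=$BW_SESSION" >> "$GITHUB_ENV"

    - name: Retrieve Secrets
      shell: sh
      env:
        SECRETS_MAP: ${{ inputs.secrets }}
      run: |
        FAILED=0
        # The list is fed through a here-document rather than a pipe so the loop runs in
        # the current shell and FAILED survives past `done`.
        while IFS='>' read -r SECRET_ID ENV_VAR; do
          SECRET_ID=$(printf '%s' "$SECRET_ID" | sed 's/^ *//;s/ *$//')
          ENV_VAR=$(printf '%s' "$ENV_VAR" | sed 's/^ *//;s/ *$//')

          # Skip blank lines and lines without a `>` separator.
          if [ -z "$SECRET_ID" ] || [ -z "$ENV_VAR" ]; then
            continue
          fi

          # Only a well-formed identifier may be used as the target variable name: the
          # name is written verbatim into $GITHUB_ENV, so anything else (spaces, `=`, a
          # second `<<`) could define unintended variables in later steps.
          case "$ENV_VAR" in
            *[!A-Za-z0-9_]*|[0-9]*)
              echo "::error::Invalid environment variable name: $ENV_VAR"
              exit 1
              ;;
          esac

          echo "🔍 Retrieving secret: $SECRET_ID"
          # `|| SECRET_VALUE=""` keeps a failed lookup from aborting the step under `sh -e`
          # so every requested item is attempted and reported before the step fails.
          SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null) || SECRET_VALUE=""

          if [ -n "$SECRET_VALUE" ]; then
            # Register every line of the value with the runner's log masker BEFORE the
            # value is exported anywhere.
            printf '%s\n' "$SECRET_VALUE" | while IFS= read -r LINE; do
              if [ -n "$LINE" ]; then
                echo "::add-mask::$LINE"
              fi
            done
            # Use an unpredictable here-document delimiter: a fixed "EOF" is broken (and
            # allows extra variables to be injected) by a secret containing a line "EOF".
            DELIM="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
            {
              echo "$ENV_VAR<<$DELIM"
              echo "$SECRET_VALUE"
              echo "$DELIM"
            } >> "$GITHUB_ENV"
            echo "Stored $SECRET_ID in $ENV_VAR"
          else
            echo "::error::Failed to retrieve secret: $SECRET_ID"
            FAILED=1
          fi
        done <<SECRETS_LIST
        $SECRETS_MAP
        SECRETS_LIST

        # Fail the step rather than let later steps run with a silently-missing secret.
        if [ "$FAILED" -ne 0 ]; then
          exit 1
        fi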