name: Auth Warden description: Authenticate with Bitwarden and retrieve dynamic secrets author: Jamie Schouten inputs: email: description: "Bitwarden email" required: true password: description: "Bitwarden password" required: true server: description: "Bitwarden server" required: false default: ${{ vars.WARDEN_URL }} client-id: description: "Bitwarden client ID" required: true client-secret: description: "Bitwarden client secret" required: true secrets: description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')" required: true dot-env-path: description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV" required: true runs: using: "composite" steps: - name: Configure Bitwarden Server shell: sh run: bw config server "${{ inputs.server }}" - name: Unlock Vault shell: sh run: | bw login --apikey BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw) echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV env: BW_CLIENTID: "${{ inputs.client-id }}" BW_CLIENTSECRET: "${{ inputs.client-secret }}" - name: Retrieve Secrets shell: sh run: | echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//') ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//') if [ -z "$SECRET_ID" ] || [ -z "$ENV_VAR" ]; then continue fi echo "🔍 Retrieving secret" SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null) if [ -n "$SECRET_VALUE" ]; then if [ "$ENV_VAR" = "DOT_ENV" ]; then mkdir -p "$(dirname "${{ inputs.dot-env-path }}")" umask 077 printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}" echo "Stored $ENV_VAR file" else echo "Unsupported ENV_VAR: $ENV_VAR" exit 1 fi else echo "Failed to retrieve requested secret" exit 1 fi done