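---
# Composite action: logs in to Bitwarden with an API key, unlocks the vault and
# exports the requested secure-note contents as job environment variables.
#
# Security notes for maintainers:
#   - Inputs reach the shell only through `env:`. A ${{ }} expression inside a
#     `run:` script is pasted into the script text before the shell parses it,
#     so a quote or $( ) in an input value would change the script itself.
#   - The session key and every retrieved value are registered with
#     `::add-mask::` before being written to $GITHUB_ENV, because later steps
#     of the calling job inherit them and may echo them.
name: Auth Warden
description: Authenticate with Bitwarden and retrieve dynamic secrets
author: Jamie Schouten

inputs:
  email:
    # Declared as required, but no step in this file reads it; login uses the
    # API key (client-id / client-secret) and the master password only.
    description: 'Bitwarden email'
    required: true
  password:
    description: 'Bitwarden password'
    required: true
  server:
    description: 'Bitwarden server'
    required: false
    # NOTE(review): confirm the runner evaluates the `vars` context inside an
    # input default; if it does not, the configure step receives an empty
    # value and `bw` keeps its currently configured server.
    default: '${{ vars.WARDEN_URL }}'
  client-id:
    description: 'Bitwarden client id'
    required: true
  client-secret:
    description: 'Bitwarden client secret'
    required: true
  secrets:
    # Parsed below as one `SECRET_ID > ENV_VAR` pair per line.
    description: 'One or more secret Ids to retrieve and the corresponding Gitea environment variable name to set'
    required: true

runs:
  using: 'composite'
  steps:
    - name: Configure Bitwarden Server
      shell: sh
      env:
        BW_SERVER: '${{ inputs.server }}'
      run: |
        # An empty value expands to no argument at all; a non-empty value is
        # passed as exactly one quoted argument.
        bw config server ${BW_SERVER:+"$BW_SERVER"}

    - name: Unlock Vault
      shell: sh
      env:
        BW_CLIENTID: '${{ inputs.client-id }}'
        BW_CLIENTSECRET: '${{ inputs.client-secret }}'
        BW_PASSWORD: '${{ inputs.password }}'
      run: |
        bw login --apikey
        # --passwordenv makes bw read the master password from the
        # environment, keeping it out of the script text and off the
        # command line.
        session="$(bw unlock --passwordenv BW_PASSWORD --raw)"
        # Stop here rather than exporting an empty BW_SESSION that would make
        # every later retrieval fail with a less obvious message.
        if [ -z "$session" ]; then
          echo "❌ Failed to unlock vault" >&2
          exit 1
        fi
        echo "::add-mask::$session"
        echo "BW_SESSION=$session" >> "$GITHUB_ENV"

    - name: Retrieve Requested Secrets
      shell: bash
      env:
        REQUESTED_SECRETS: '${{ inputs.secrets }}'
      run: |
        # `|| [[ -n "$pair" ]]` keeps a final line that has no trailing newline.
        while IFS= read -r pair || [[ -n "$pair" ]]; do
          if [[ -z "$pair" ]]; then
            continue
          fi

          SECRET_ID=$(echo "$pair" | cut -d'>' -f1 | xargs)
          ENV_VAR=$(echo "$pair" | cut -d'>' -f2 | xargs)

          # The target must be a plain variable name: anything else written to
          # the env file could be read as a different assignment.
          if [[ -z "$SECRET_ID" || ! "$ENV_VAR" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
            echo "❌ Invalid secret pair format: $pair"
            continue
          fi

          echo "🔍 Retrieving secret: $SECRET_ID..."
          # bw reads the session key from the BW_SESSION environment variable
          # exported by the unlock step, so it is not repeated on the command
          # line where other processes on the runner could see it.
          SECRET_VALUE=$(bw get notes "$SECRET_ID" 2>/dev/null)

          if [[ -n "$SECRET_VALUE" ]]; then
            # Masks apply per line, so register each non-empty line of the note.
            while IFS= read -r value_line; do
              if [[ -n "$value_line" ]]; then
                echo "::add-mask::$value_line"
              fi
            done <<< "$SECRET_VALUE"

            # Delimiter form of the env file: a multi-line note stays one
            # value, and a line inside it that looks like NAME=value cannot
            # define another variable. The delimiter is random so the note
            # cannot contain it by accident.
            # NOTE(review): confirm the target runner accepts the
            # NAME<<DELIMITER form in $GITHUB_ENV.
            delimiter="bw_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
            {
              printf '%s<<%s\n' "$ENV_VAR" "$delimiter"
              printf '%s\n' "$SECRET_VALUE"
              printf '%s\n' "$delimiter"
            } >> "$GITHUB_ENV"
            echo "✅ Stored $SECRET_ID in $ENV_VAR"
          else
            # Best effort: a missing note is reported and the loop moves on.
            echo "❌ Failed to retrieve secret: $SECRET_ID"
          fi
        done <<< "$REQUESTED_SECRETS"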