name: Auth Warden
description: Authenticate with Bitwarden and retrieve dynamic secrets
author: Jamie Schouten

inputs:
  email:
    description: "Bitwarden email"
    required: true
  password:
    description: "Bitwarden password"
    required: true
  server:
    description: "Bitwarden server"
    required: false
    default: ${{ vars.WARDEN_URL }}
  client-id:
    description: "Bitwarden client ID"
    required: true
  client-secret:
    description: "Bitwarden client secret"
    required: true
  secrets:
    description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
    required: true

runs:
  using: "composite"
  steps:
    - name: Configure Bitwarden Server
      shell: sh
      run: bw config server ${{ inputs.server }}

    - name: Unlock Vault
      shell: sh
      run: |
        bw login --apikey
        echo "BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)" >> "$GITHUB_ENV"
      env:
        BW_CLIENTID: ${{ inputs.client-id }}
        BW_CLIENTSECRET: ${{ inputs.client-secret }}
    
    - name: Retrieve Requested Secrets
      shell: bash
      run: |
          if [[ -z "$BW_SESSION" ]]; then
            echo "❌ BW_SESSION is not set. Please log in to Bitwarden first."
            exit 1
          fi

          echo "${{ inputs.secrets }}" | while IFS='>' read -r SECRET_ID ENV_VAR; do

          SECRET_ID=$(echo "$SECRET_ID" | xargs)
          ENV_VAR=$(echo "$ENV_VAR" | xargs)

          # Skip empty or invalid lines
          if [[ -z "$SECRET_ID" || -z "$ENV_VAR" ]]; then
              continue
          fi

          echo "🔍 Retrieving secret: $SECRET_ID..."
          SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" 2>/dev/null)

          if [[ -n "$SECRET_VALUE" ]]; then
              echo "$ENV_VAR=$SECRET_VALUE" >> "$GITHUB_ENV"
              echo "✅ Stored $SECRET_ID in $ENV_VAR"
          else
              echo "❌ Failed to retrieve secret: $SECRET_ID"
          fi
      done