# Auth Warden

A Gitea Action for authenticating with Bitwarden and retrieving dynamic secrets for use in CI/CD workflows.

## Overview

Auth Warden provides a secure way to authenticate with a Bitwarden server and dynamically retrieve secrets stored as secure notes, making them available as environment variables in your Gitea Actions workflow.

## Usage

```yaml
- name: Retrieve secrets from Bitwarden
  uses: https://git.qlic.nl/actions/warden@v1
  with:
    password: ${{ secrets.BITWARDEN_PASSWORD }}
    server: https://your-bitwarden-server.com
    client-id: ${{ secrets.BITWARDEN_CLIENT_ID }}
    client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }}
    secrets: |
      secret-id-1 > DATABASE_URL
      secret-id-2 > API_KEY
      secret-id-3 > WEBHOOK_SECRET
```

## Inputs

| Input           | Description                                             | Required | Default                  |
|-----------------|---------------------------------------------------------|----------|--------------------------|
| `password`      | Bitwarden account password                              | Yes      | -                        |
| `server`        | Bitwarden server URL                                    | No       | `${{ vars.WARDEN_URL }}` |
| `client-id`     | Bitwarden API client ID                                 | Yes      | -                        |
| `client-secret` | Bitwarden API client secret                             | Yes      | -                        |
| `secrets`       | List of secret mappings (format: `SECRET_ID > ENV_VAR`) | Yes      | -                        |

## Secret Mapping Format

The `secrets` input expects a multiline string where each line contains a mapping in the format:

```
SECRET_ID > ENVIRONMENT_VARIABLE_NAME
```

- `SECRET_ID`: The ID of the secure note in Bitwarden
- `ENVIRONMENT_VARIABLE_NAME`: The name of the environment variable to create

Example:

```yaml
secrets: |
  db-connection-string > DATABASE_URL
  stripe-api-key > STRIPE_API_KEY
  jwt-secret > JWT_SECRET
```

## Prerequisites

- Bitwarden CLI must be available in the runner environment
- Valid Bitwarden account with API access configured
- Secrets must be stored as secure notes in Bitwarden

## Security Considerations

- Store all sensitive inputs (password, client-id, client-secret) as Gitea repository secrets

## Example Workflow

```yaml
name: Deploy Application
on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Retrieve secrets
        uses: https://git.qlic.nl/actions/warden@v1
        with:
          password: ${{ secrets.BITWARDEN_PASSWORD }}
          client-id: ${{ secrets.BITWARDEN_CLIENT_ID }}
          client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }}
          secrets: |
            database-url > DATABASE_URL
            api-key > API_KEY

      - name: Deploy
        run: |
          echo "Database URL is available as: $DATABASE_URL"
          echo "API Key is available as: $API_KEY"
          # Your deployment commands here
```
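
The `SECRET_ID > ENV_VAR` lines described under Secret Mapping Format can be checked before a job uses them. The following is an added example, not the action's own code: a strict parser that rejects malformed lines, invalid or duplicate variable names, and names that would change how later steps run. The function name `parse_secret_mappings`, the name pattern and the reserved-name list are assumptions made for this example; the action itself may accept more.

```python
import re

# Assumption: target names must be portable shell identifiers; the action's
# own parser may accept more than this.
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Assumption: names a vault entry should never overwrite, because they change
# how later steps locate or load programs.
RESERVED = {"PATH", "HOME", "SHELL", "IFS", "LD_PRELOAD", "LD_LIBRARY_PATH"}


def parse_secret_mappings(text):
    """Parse `SECRET_ID > ENV_VAR` lines into (secret_id, env_var) pairs.

    Blank lines are skipped. Any malformed line raises ValueError naming the
    line number, so a typo fails the job instead of silently dropping a secret.
    """
    pairs, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        left, sep, right = line.partition(">")
        secret_id, env_var = left.strip(), right.strip()
        if not sep or not secret_id:
            raise ValueError(f"line {lineno}: expected 'SECRET_ID > ENV_VAR'")
        if not ENV_NAME.fullmatch(env_var):
            raise ValueError(f"line {lineno}: invalid variable name {env_var!r}")
        if env_var in RESERVED:
            raise ValueError(f"line {lineno}: {env_var} is reserved")
        if env_var in seen:
            raise ValueError(
                f"line {lineno}: {env_var} already mapped on line {seen[env_var]}")
        seen[env_var] = lineno
        pairs.append((secret_id, env_var))
    return pairs


# Constructed sample input, mirroring the mapping example in this README.
SAMPLE = """
db-connection-string > DATABASE_URL
stripe-api-key > STRIPE_API_KEY
jwt-secret > JWT_SECRET
"""

if __name__ == "__main__":
    for secret_id, env_var in parse_secret_mappings(SAMPLE):
        # Print only the mapping, never a secret value.
        print(f"{secret_id} -> {env_var}")
```
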