actions/warden
5
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
098308b84c2f2b8aed69ab5295f41a826d506a91
warden/action.yml
T

71 lines
2.1 KiB
YAML
Raw Blame History

name: Auth Warden
description: Authenticate with Bitwarden and retrieve dynamic secrets
author: Jamie Schouten
inputs:
email:
description: "Bitwarden email"
required: true
password:
description: "Bitwarden password"
required: true
server:
description: "Bitwarden server"
required: false
default: ${{ vars.WARDEN_URL }}
client-id:
description: "Bitwarden client ID"
required: true
client-secret:
description: "Bitwarden client secret"
required: true
secrets:
description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
required: true
dot-env-path:
description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV"
required: true
runs:
using: "composite"
steps:
- name: Configure Bitwarden Server
shell: sh
run: bw config server "${{ inputs.server }}"
- name: Unlock vault and retrieve secrets
shell: sh
env:
BW_CLIENTID: "${{ inputs.client-id }}"
BW_CLIENTSECRET: "${{ inputs.client-secret }}"
run: |
bw login --apikey
BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do
SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//')
ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//')
if [ -z "$SECRET_ID" ] || [ -z "$ENV_VAR" ]; then
continue
fi
echo "🔍 Retrieving secret: $SECRET_ID"
SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
if [ -n "$SECRET_VALUE" ]; then
if [ "$ENV_VAR" = "DOT_ENV" ]; then
mkdir -p "$(dirname "${{ inputs.dot-env-path }}")"
umask 077
printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}"
echo "Stored $ENV_VAR file"
else
echo "Unsupported ENV_VAR: $ENV_VAR"
exit 1
fi
else
echo "Failed to retrieve requested secret"
exit 1
fi
done
Reference in New Issue View Git Blame Copy Permalink