warden/action.yml

name: Auth Warden
description: Authenticate with Bitwarden and retrieve dynamic secrets
author: Jamie Schouten

inputs:
  email:
    description: "Bitwarden email"
    required: true
  password:
    description: "Bitwarden password"
    required: true
  server:
    description: "Bitwarden server"
    required: false
    default: ${{ vars.WARDEN_URL }}
  client-id:
    description: "Bitwarden client ID"
    required: true
  client-secret:
    description: "Bitwarden client secret"
    required: true
  secrets:
    description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
    required: true

runs:
  using: "composite"
  steps:
    - name: Configure Bitwarden Server
      shell: sh
      run: bw config server ${{ inputs.server }}

    - name: Unlock Vault
      shell: sh
      run: |
        bw login --apikey
        echo "BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)" >> "$GITHUB_ENV"
      env:
        BW_CLIENTID: ${{ inputs.client-id }}
        BW_CLIENTSECRET: ${{ inputs.client-secret }}
    
    - name: Retrieve Requested Secrets
      shell: bash
      run: |
          if [[ -z "$BW_SESSION" ]]; then
            echo "❌ BW_SESSION is not set. Please log in to Bitwarden first."
            exit 1
          fi

          echo "${{ inputs.secrets }}" | while IFS='>' read -r SECRET_ID ENV_VAR; do
              # Trim whitespace
              SECRET_ID=$(echo "$SECRET_ID" | xargs)
              ENV_VAR=$(echo "$ENV_VAR" | xargs)

              # Validate input format
              if [[ -z "$SECRET_ID" || -z "$ENV_VAR" ]]; then
                  echo "❌ Invalid secret pair format: $SECRET_ID > $ENV_VAR"
                  continue
              fi

              echo "🔍 Retrieving secret: $SECRET_ID..."
              
              # Fetch secret from Bitwarden
              SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" 2>/dev/null)

              if [[ -n "$SECRET_VALUE" ]]; then
                  echo "$ENV_VAR=$SECRET_VALUE" >> "$GITHUB_ENV"
                  echo "✅ Stored $SECRET_ID in $ENV_VAR"
              else
                  echo "❌ Failed to retrieve secret: $SECRET_ID"
              fi
          done