warden/README.md
2025-08-05 15:23:10 +02:00


Auth Warden

A Gitea Action for authenticating with Bitwarden and retrieving dynamic secrets for use in CI/CD workflows.

Overview

Auth Warden provides a secure way to authenticate with a Bitwarden server and dynamically retrieve secrets stored as secure notes, making them available as environment variables in your Gitea Actions workflow.

Features

  • 🔐 Secure authentication with Bitwarden using API keys
  • 🌐 Support for custom Bitwarden servers
  • 📝 Retrieve secrets from Bitwarden secure notes
  • 🔄 Dynamic mapping of secrets to environment variables
  • 🛡️ Secure handling of sensitive data

Usage

- name: Retrieve secrets from Bitwarden
  uses: ./path/to/auth-warden
  with:
    email: ${{ secrets.BITWARDEN_EMAIL }}
    password: ${{ secrets.BITWARDEN_PASSWORD }}
    server: https://your-bitwarden-server.com
    client-id: ${{ secrets.BITWARDEN_CLIENT_ID }}
    client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }}
    secrets: |
      secret-id-1 > DATABASE_URL
      secret-id-2 > API_KEY
      secret-id-3 > WEBHOOK_SECRET

Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| email | Bitwarden account email | Yes | - |
| password | Bitwarden account password | Yes | - |
| server | Bitwarden server URL | No | ${{ vars.WARDEN_URL }} |
| client-id | Bitwarden API client ID | Yes | - |
| client-secret | Bitwarden API client secret | Yes | - |
| secrets | List of secret mappings (format: SECRET_ID > ENV_VAR) | Yes | - |

Secret Mapping Format

The secrets input expects a multiline string where each line contains a mapping in the format:

SECRET_ID > ENVIRONMENT_VARIABLE_NAME

  • SECRET_ID: The ID of the secure note in Bitwarden
  • ENVIRONMENT_VARIABLE_NAME: The name of the environment variable to create

Example:

secrets: |
  db-connection-string > DATABASE_URL
  stripe-api-key > STRIPE_API_KEY
  jwt-secret > JWT_SECRET

Prerequisites

  • Bitwarden CLI must be available in the runner environment
  • Valid Bitwarden account with API access configured
  • Secrets must be stored as secure notes in Bitwarden

Security Considerations

  • Store all sensitive inputs (email, password, client-id, client-secret) as Gitea repository secrets
  • Use organization or repository variables for the server URL if it's not sensitive
  • The action automatically handles session management and cleanup
  • Retrieved secrets are securely added to the Gitea Actions environment

Example Workflow

name: Deploy Application
on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Retrieve secrets
        uses: ./path/to/auth-warden
        with:
          email: ${{ secrets.BITWARDEN_EMAIL }}
          password: ${{ secrets.BITWARDEN_PASSWORD }}
          client-id: ${{ secrets.BITWARDEN_CLIENT_ID }}
          client-secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }}
          secrets: |
            database-url > DATABASE_URL
            api-key > API_KEY
      
      - name: Deploy
        run: |
          # Confirm the secrets arrived without echoing their values,
          # which would write them into the job log.
          test -n "$DATABASE_URL" && echo "DATABASE_URL is available"
          test -n "$API_KEY" && echo "API_KEY is available"
          # Your deployment commands here

Error Handling

The action will:

  • Continue processing other secrets if one fails to retrieve
  • Log which secrets were successfully retrieved
  • Log errors for failed secret retrievals
  • Not fail the entire workflow if individual secrets cannot be retrieved
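The following script is an added example and not the action's own code. It shows one way a runner step could implement the mapping format from "Secret Mapping Format" together with the per-secret error handling listed above: each line is validated, the note is fetched, the value is masked in the job log and appended to the step environment file, and a failure on one secret is logged and counted rather than aborting the run. Assumptions, labelled in the code: `fetch_secret` is a stand-in for the Bitwarden CLI call (for example `bw get notes "$id"`) that returns constructed sample values so the script runs offline; the runner honours the GitHub-style `GITHUB_ENV` file and the `::add-mask::` log command; and the short denylist of environment names is a choice made here, not a documented behaviour of the action.

```shell
#!/bin/sh
# Added example (not Auth Warden's code): mapping parser plus tolerant export.

# Constructed stand-in for the Bitwarden CLI. A real step would call
# `bw get notes "$1"` here; unknown ids fail like an unreadable note would.
fetch_secret() {
  case $1 in
    db-connection-string) printf '%s' 'postgres://app:constructed-pw@db:5432/app' ;;
    jwt-secret)           printf '%s\n%s' 'line-one-of-constructed-key' 'line-two' ;;
    *)                    return 1 ;;
  esac
}

# Validate one "SECRET_ID > ENV_VAR" line and print "SECRET_ID<TAB>ENV_VAR".
# Exit status: 1 blank line, 2 malformed line, 3 unacceptable variable name.
parse_mapping() {
  line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  [ -n "$line" ] || return 1
  case $line in *'>'*) ;; *) return 2 ;; esac
  id=${line%%>*};  id=$(printf '%s' "$id" | sed 's/[[:space:]]*$//')
  var=${line#*>};  var=$(printf '%s' "$var" | sed 's/^[[:space:]]*//')
  case $id in ''|*[[:space:]]*) return 2 ;; esac        # id is one token
  printf '%s' "$var" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$' || return 3
  # Assumption of this example: refuse names that would let a mapping
  # redirect the job's own environment rather than carry a secret.
  case $var in
    PATH|LD_PRELOAD|LD_LIBRARY_PATH|GITHUB_ENV|GITHUB_PATH|GITEA_ENV) return 3 ;;
  esac
  printf '%s\t%s\n' "$id" "$var"
}

# Fetch every mapping; log and count failures instead of aborting.
# After the call WARDEN_OK and WARDEN_FAILED hold the counts.
export_secrets() {
  mappings=$1; env_file=$2; tab=$(printf '\t')
  WARDEN_OK=0; WARDEN_FAILED=0
  while IFS= read -r raw; do
    pair=$(parse_mapping "$raw") || {
      rc=$?
      [ "$rc" -eq 1 ] && continue                      # blank line, skip
      echo "::error::invalid mapping line: $raw"
      WARDEN_FAILED=$((WARDEN_FAILED + 1)); continue
    }
    id=${pair%%"$tab"*}; var=${pair#*"$tab"}
    if value=$(fetch_secret "$id") && [ -n "$value" ]; then
      # Mask each line separately: add-mask matches exact strings, so a
      # multi-line note must be masked line by line.
      printf '%s\n' "$value" | while IFS= read -r l; do
        [ -n "$l" ] && echo "::add-mask::$l"
      done
      # Heredoc form of the env file so multi-line values survive intact.
      delim="WARDEN_EOF_$$"
      { printf '%s<<%s\n' "$var" "$delim"; printf '%s\n' "$value"; printf '%s\n' "$delim"; } >>"$env_file"
      echo "retrieved '$id' -> $var"
      WARDEN_OK=$((WARDEN_OK + 1))
    else
      echo "::warning::could not retrieve '$id' for $var; continuing"
      WARDEN_FAILED=$((WARDEN_FAILED + 1))
    fi
  done <<EOF
$mappings
EOF
}

# Constructed mapping list: two retrievable notes, one unknown id, one bad line.
SAMPLE_MAPPINGS='db-connection-string > DATABASE_URL
jwt-secret > JWT_SECRET
missing-note > API_KEY
not a valid mapping'

demo_env=$(mktemp)
export_secrets "$SAMPLE_MAPPINGS" "$demo_env"
echo "summary: $WARDEN_OK retrieved, $WARDEN_FAILED failed (env file: $demo_env)"
```

In a real step the `::add-mask::` and `::warning::` lines are consumed by the runner rather than shown, and `$demo_env` would be `"$GITHUB_ENV"`. Note that command substitution strips trailing newlines from a note's value, and that a value containing the delimiter line itself would break the heredoc form, so a random delimiter is preferable to the PID-based one used here.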

Author

Jamie Schouten

License

See repository license for details.