warden/action.yml

name: Auth Warden
description: Authenticate with Bitwarden and retrieve dynamic secrets
author: Jamie Schouten

inputs:
  email:
    description: "Bitwarden email"
    required: true
  password:
    description: "Bitwarden password"
    required: true
  server:
    description: "Bitwarden server"
    required: false
    default: ${{ vars.WARDEN_URL }}
  client-id:
    description: "Bitwarden client ID"
    required: true
  client-secret:
    description: "Bitwarden client secret"
    required: true
  secrets:
    description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
    required: true

runs:
  using: "composite"
  steps:
    - name: Configure Bitwarden Server
      shell: sh
      run: bw config server "${{ inputs.server }}"

    - name: Unlock Vault
      shell: sh
      run: |
         bw login --apikey
         export BW_SESSION=$(bw unlock '${{ secrets.WARDEN_PASSWORD }}' --raw)
         echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV
      env:
        BW_CLIENTID: "${{ inputs.client-id }}"
        BW_CLIENTSECRET: "${{ inputs.client-secret }}"

    - name: Retrieve Secrets
      shell: bash
      run: |
        if [[ -z "$BW_SESSION" ]]; then
          echo "❌ BW_SESSION is not set. Please log in to Bitwarden first."
          exit 1
        fi

        echo "${{ inputs.secrets }}" | while IFS='>' read -r SECRET_ID ENV_VAR; do
          # Trim whitespace
          SECRET_ID=$(echo "$SECRET_ID" | xargs)
          ENV_VAR=$(echo "$ENV_VAR" | xargs)

          # Skip empty or invalid lines
          if [[ -z "$SECRET_ID" || -z "$ENV_VAR" ]]; then
            continue
          fi

          echo "🔍 Retrieving secret: $SECRET_ID"
          SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)

          if [[ -n "$SECRET_VALUE" ]]; then
            echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
            echo "$SECRET_VALUE" >> $GITHUB_ENV
            echo "EOF" >> $GITHUB_ENV
            echo "$ENV_VAR=$SECRET_VALUE" >> .kamal/secrets.staging
            echo "✅ Stored $SECRET_ID in $ENV_VAR"
          else
            echo "❌ Failed to retrieve secret: $SECRET_ID"
          fi
        done