68 lines
2.1 KiB
YAML
68 lines
2.1 KiB
YAML
name: Auth Warden
|
|
description: Authenticate with Bitwarden and retrieve dynamic secrets
|
|
author: Jamie Schouten
|
|
|
|
inputs:
|
|
password:
|
|
description: "Bitwarden password"
|
|
required: true
|
|
server:
|
|
description: "Bitwarden server"
|
|
required: false
|
|
default: ${{ vars.WARDEN_URL }}
|
|
client-id:
|
|
description: "Bitwarden client ID"
|
|
required: true
|
|
client-secret:
|
|
description: "Bitwarden client secret"
|
|
required: true
|
|
secrets:
|
|
description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
|
|
required: true
|
|
dot-env-path:
|
|
description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV"
|
|
required: true
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Configure Bitwarden Server
|
|
shell: sh
|
|
run: bw config server "${{ inputs.server }}"
|
|
|
|
- name: Unlock vault and retrieve secrets
|
|
shell: sh
|
|
env:
|
|
BW_CLIENTID: "${{ inputs.client-id }}"
|
|
BW_CLIENTSECRET: "${{ inputs.client-secret }}"
|
|
run: |
|
|
bw login --apikey
|
|
BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
|
|
|
|
echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do
|
|
SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//')
|
|
ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//')
|
|
|
|
if [ -z "$SECRET_ID" ] || [ -z "$ENV_VAR" ]; then
|
|
continue
|
|
fi
|
|
|
|
echo "🔍 Retrieving secret: $SECRET_ID"
|
|
SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
|
|
|
|
if [ -n "$SECRET_VALUE" ]; then
|
|
if [ "$ENV_VAR" = "DOT_ENV" ]; then
|
|
mkdir -p "$(dirname "${{ inputs.dot-env-path }}")"
|
|
umask 077
|
|
printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}"
|
|
echo "Stored $SECRET_ID in $ENV_VAR file"
|
|
else
|
|
echo "Unsupported ENV_VAR: $ENV_VAR"
|
|
exit 1
|
|
fi
|
|
else
|
|
echo "Failed to retrieve secret: $SECRET_ID"
|
|
exit 1
|
|
fi
|
|
done
|