Use Bitwarden Secrets in GitHub Actions

The Bitwarden sm-action repository contains the source code for the Secrets Manager GitHub Action.

Use the GitHub action, bitwarden/sm-action, to retrieve secrets from the Bitwarden Secrets Manager for use inside GitHub Actions.

The bitwarden/sm-action will add retrieved secrets as masked environment variables inside a given GitHub action.

Review GitHub's recommendations for security hardening GitHub Actions when using sensitive secrets.

Usage

To use the action, add a step to your GitHub workflow using the following syntax:

- name: Step name
  uses: bitwarden/sm-action@v1
  with:
    access_token: ${{ secrets.ACCESS_TOKEN }}
    secrets: |
      SECRET_ID > ENVIRONMENT_VARIABLE_NAME

Parameters

access_token

The service account access token for retrieving secrets.

Use GitHub's encrypted secrets to store and retrieve service account access tokens securely.
secrets

One or more secret Ids to retrieve and the corresponding GitHub environment variable name to set.

GitHub environment variables have stricter naming requirements than Bitwarden secrets.

So the bitwarden/sm-action requires specifying an environment variable name for each secret retrieved in the following format:
```
secrets: |
    SECRET_ID > ENVIRONMENT_VARIABLE_NAME
```
Example
```
    secrets: |
        00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
```
base_url

(Optional) For self-hosted bitwarden instances provide your https://your.domain.com

If this optional parameter is provided the parameters identity_url and api_url are not required.

The GitHub action will use BASE_URL/identity and BASE_URL/api for the identity and api endpoints.
identity_url

(Optional) For self-hosted bitwarden instances provide your https://your.domain.com/identity

The default value will use https://identity.bitwarden.com
api_url

(Optional) For self-hosted bitwarden instances provide your https://your.domain.com/api

The default value will use https://api.bitwarden.com

Examples

- name: Get Secrets
  uses: bitwarden/sm-action@v1
  with:
    access_token: ${{ secrets.ACCESS_TOKEN }}
    secrets: |
      00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
      bdbb16bc-0b9b-472e-99fa-af4101309076 > TEST_EXAMPLE_2

Environment variables created:

TEST_EXAMPLE: SECRET_VALUE_FOR_00000000-0000-0000-0000-000000000000
TEST_EXAMPLE_2: SECRET_VALUE_FOR_bdbb16bc-0b9b-472e-99fa-af4101309076

Example usage

- name: Get Secrets
  uses: bitwarden/sm-action@v1
  with:
    access_token: ${{ secrets.ACCESS_TOKEN }}
    secrets: |
      00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
- name: Use Secret
  run: example-command "$TEST_EXAMPLE"

Developing Bitwarden sm-action

Run Locally

Install the dependencies

$ npm install

Run formatter and lint

$ npm run prettier && npm run lint

Run the tests ✔️

$ npm test

Prepare Source for Distribution

GitHub recommends using a tool called @vercel/ncc to compile code and modules into one file used for distribution.

Package the TypeScript for distribution

$ npm run bundle

Name		Name	Last commit message	Last commit date
Latest commit History 78 Commits
.github		.github
.husky		.husky
__tests__		__tests__
dist		dist
src		src
.eslintignore		.eslintignore
.eslintrc.json		.eslintrc.json
.gitattributes		.gitattributes
.gitignore		.gitignore
.prettierignore		.prettierignore
.prettierrc.json		.prettierrc.json
LICENSE		LICENSE
README.md		README.md
action.yml		action.yml
jest.config.js		jest.config.js
pack.ps1		pack.ps1
package-lock.json		package-lock.json
package.json		package.json
tsconfig.eslint.json		tsconfig.eslint.json
tsconfig.json		tsconfig.json

License

bitwarden/sm-action

Folders and files

Latest commit

History

Repository files navigation

Use Bitwarden Secrets in GitHub Actions

Usage

Parameters

Examples

Example usage

Developing Bitwarden sm-action

Run Locally

Prepare Source for Distribution

About

Resources

License

Stars

Watchers

Forks

Languages