Bitwarden Secrets Manager GitHub Action

v2.0.0 Latest version


GitHub action for retrieving secrets from Bitwarden Secrets Manager

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Bitwarden Secrets Manager GitHub Action
  uses: bitwarden/sm-action@v2.0.0

Learn more about this action in bitwarden/sm-action


Use Bitwarden Secrets in GitHub Actions

The Bitwarden sm-action repository contains the source code for the Secrets Manager GitHub Action.

Use the GitHub action, bitwarden/sm-action, to retrieve secrets from the Bitwarden Secrets Manager for use inside GitHub Actions.

The bitwarden/sm-action will add retrieved secrets as masked environment variables inside a given GitHub action.

When working with sensitive secrets, review GitHub's recommendations for security hardening of GitHub Actions.

Usage

To use the action, add a step to your GitHub workflow using the following syntax:

- name: Step name
  uses: bitwarden/sm-action@v1
  with:
    access_token: ${{ secrets.ACCESS_TOKEN }}
    secrets: |
      SECRET_ID > ENVIRONMENT_VARIABLE_NAME

Parameters

  • access_token

    The machine account access token for retrieving secrets.

    Use GitHub's encrypted secrets to store and retrieve machine account access tokens securely.

  • secrets

    One or more secret IDs to retrieve, each with the corresponding GitHub environment variable name to set.

    GitHub environment variables have stricter naming requirements than Bitwarden secrets, so bitwarden/sm-action requires an environment variable name for each retrieved secret, in the following format:

    secrets: |
        SECRET_ID > ENVIRONMENT_VARIABLE_NAME
    

    Example

        secrets: |
            00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
    
  • base_url

    (Optional) For self-hosted Bitwarden instances, provide your base URL, e.g. https://your.domain.com

    If this optional parameter is provided, the identity_url and api_url parameters are not required.

    The GitHub action will use BASE_URL/identity and BASE_URL/api for the identity and api endpoints.

  • identity_url

    (Optional) For self-hosted Bitwarden instances, provide your identity URL, e.g. https://your.domain.com/identity

    The default value is https://identity.bitwarden.com

  • api_url

    (Optional) For self-hosted Bitwarden instances, provide your API URL, e.g. https://your.domain.com/api

    The default value is https://api.bitwarden.com
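
The `SECRET_ID > ENVIRONMENT_VARIABLE_NAME` format of the secrets parameter can be checked before a workflow change is merged. The TypeScript below is an added example, not code from bitwarden/sm-action: the function name lintSecretsInput and its rules (UUID-shaped IDs as in this page's examples, shell-style variable names, refusal of the GITHUB_ and RUNNER_ prefixes, unique names) are assumptions.

```typescript
// Added example: lint a `secrets` input block before the workflow is merged.
// Assumptions (not from the action's source): IDs are UUIDs, names match
// [A-Za-z_][A-Za-z0-9_]*, GITHUB_*/RUNNER_* are refused, names must be unique.
interface SecretMapping { id: string; envName: string; }
interface LintResult { mappings: SecretMapping[]; errors: string[]; }
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const ENV_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
const RESERVED_RE = /^(GITHUB|RUNNER)_/i; // prefixes GitHub reserves for default variables

function lintSecretsInput(input: string): LintResult {
  const mappings: SecretMapping[] = [];
  const errors: string[] = [];
  const seenNames: string[] = [];
  input.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (line === "") return; // blank lines in the YAML block scalar
    const where = "line " + (idx + 1);
    const parts = line.split(">");
    if (parts.length !== 2) {
      errors.push(where + ": expected SECRET_ID > ENVIRONMENT_VARIABLE_NAME");
      return;
    }
    const id = parts[0].trim();
    const envName = parts[1].trim();
    // Report the first failing rule for each line; only clean lines are kept.
    if (!UUID_RE.test(id)) {
      errors.push(where + ": secret ID is not a UUID");
    } else if (!ENV_NAME_RE.test(envName)) {
      errors.push(where + ": invalid environment variable name " + JSON.stringify(envName));
    } else if (RESERVED_RE.test(envName)) {
      errors.push(where + ": " + envName + " uses a prefix reserved for runner variables");
    } else if (seenNames.indexOf(envName) !== -1) {
      errors.push(where + ": " + envName + " is mapped more than once");
    } else {
      seenNames.push(envName);
      mappings.push({ id: id, envName: envName });
    }
  });
  return { mappings: mappings, errors: errors };
}

// Constructed sample input: one valid line followed by four rejected ones.
const SAMPLE_INPUT = [
  "00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE",
  "bdbb16bc-0b9b-472e-99fa-af4101309076 > TEST_EXAMPLE",
  "not-a-uuid > API_KEY",
  "00000000-0000-0000-0000-000000000000 > my-secret",
  "00000000-0000-0000-0000-000000000000 > GITHUB_TOKEN",
].join("\n");
console.log(lintSecretsInput(SAMPLE_INPUT).errors.join("\n"));
```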

Examples

- name: Get Secrets
  uses: bitwarden/sm-action@v1
  with:
    access_token: ${{ secrets.ACCESS_TOKEN }}
    secrets: |
      00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
      bdbb16bc-0b9b-472e-99fa-af4101309076 > TEST_EXAMPLE_2

Environment variables created:

TEST_EXAMPLE: SECRET_VALUE_FOR_00000000-0000-0000-0000-000000000000
TEST_EXAMPLE_2: SECRET_VALUE_FOR_bdbb16bc-0b9b-472e-99fa-af4101309076

Example usage

- name: Get Secrets
  uses: bitwarden/sm-action@v1
  with:
    access_token: ${{ secrets.ACCESS_TOKEN }}
    secrets: |
      00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
- name: Use Secret
  run: example-command "$TEST_EXAMPLE"

Developing Bitwarden sm-action

Run Locally

Install the dependencies

$ npm install

Run formatter and lint

$ npm run prettier && npm run lint

Run the tests ✔️

$ npm test

Prepare Source for Distribution

GitHub recommends using a tool called @vercel/ncc to compile code and modules into one file used for distribution.

  • Package the TypeScript for distribution
$ npm run bundle