A Forgejo Action that extracts secrets from Bitwarden and exposes them as environment variables in your Forgejo Actions workflow.

🔐 extract-bitwarden-env-action

This action lets you securely retrieve secrets stored in Bitwarden (via a machine access token) and make them available to subsequent workflow steps.


Features

  • 🔓 Retrieve secrets directly from Bitwarden
  • 🌍 Supports Bitwarden Cloud (US/EU) and self-hosted instances
  • 🔐 Secure authentication using a machine access token
  • 📦 Export secrets as environment variables
  • Simple integration into existing CI/CD workflows

Requirements

The Bitwarden CLI client must be installed on your runner first.

You can check (or use) my custom runner.


📥 Inputs

| Name | Required | Description |
|---|---|---|
| client_id | | Bitwarden client ID |
| client_secret | | Bitwarden client Secret |
| vault_id | | Bitwarden vault ID |
| server url | | Bitwarden server URL |
| password | | Bitwarden password |
| env_list | | List of environment variables to extract |

📤 Outputs

Each requested secret is exposed:

  • As an environment variable for subsequent steps
  • As a step output (steps.<id>.outputs.<VAR_NAME>)

Example:

${{ steps.extract.outputs.API_TOKEN }}

🚀 Usage Example

name: CI

on:
  push:
    branches: [ "main" ]

env:
  ENV_LIST: SECRET_USER_EMAIL,SECRET_USER_PASSWORD
  BITWARDEN_VAULT_ID: tools

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Extract env variables from Vault
        uses: https://forge.jeckel.fr/forgejo/extract-bitwarden-env-action@v1
        with:
          bitwarden_client_id: ${{ secrets.BITWARDEN_CLIENT_ID }}
          bitwarden_client_secret: ${{ secrets.BITWARDEN_CLIENT_SECRET }}
          bitwarden_server: ${{ secrets.BITWARDEN_SERVER }}
          bitwarden_password: ${{ secrets.BITWARDEN_PASSWORD }}
          bitwarden_vault_id: ${{ env.BITWARDEN_VAULT_ID }}
          env_list: ${{ env.ENV_LIST }}

      - name: Use secrets
        run: |
          echo "API Token is available"
          # Read the exported variable from the shell environment and print only its length, never the value
          echo "Database password length: ${#SECRET_USER_PASSWORD}"

🔐 Security Considerations

  • Never commit your Bitwarden sensitive data to source control.
  • Store the secrets and password in Forgejo repository or organization secrets.
  • Secrets are automatically masked in Forgejo Actions logs.
  • Follow the principle of least privilege when creating machine accounts in Bitwarden.
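
How a shell step can export one secret in the two forms listed under Outputs while keeping it masked in the log, shown as an added example that is not this action's own code. The helper names `valid_name` and `export_secret` are hypothetical, and the sketch assumes the runner honours the GitHub-Actions-compatible `GITHUB_ENV` and `GITHUB_OUTPUT` files and the `::add-mask::` log command.

```shell
# Added example, not the action's implementation. Helper names are hypothetical.

# Accept only conventional environment-variable names, so a crafted entry in
# env_list cannot smuggle extra lines into the env/output files.
valid_name() {
  case "$1" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# export_secret NAME VALUE
# Masks the value in the job log, then appends it to $GITHUB_ENV and
# $GITHUB_OUTPUT in heredoc form with a random delimiter, so a value that
# contains newlines cannot be parsed as additional NAME=value assignments.
export_secret() {
  valid_name "$1" || { echo "rejected variable name" >&2; return 1; }
  [ -n "$2" ] || { echo "empty value for $1" >&2; return 1; }

  # 128-bit random delimiter; refuse the (practically impossible) collision.
  _delim="EOF_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  case "$2" in
    *"$_delim"*) echo "delimiter collision" >&2; return 1 ;;
  esac

  # The mask command works per line, so register every non-empty line.
  printf '%s\n' "$2" | while IFS= read -r _line; do
    if [ -n "$_line" ]; then printf '::add-mask::%s\n' "$_line"; fi
  done

  # Same record to both files: environment for later steps, and step output.
  printf '%s<<%s\n%s\n%s\n' "$1" "$_delim" "$2" "$_delim" \
    | tee -a "$GITHUB_ENV" >>"$GITHUB_OUTPUT"
}
```

Later steps should read the value from the shell environment (`$SECRET_USER_PASSWORD`) rather than pasting it into a script through expression interpolation.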

🏷 Versioning

This project follows semantic versioning.

Use major version tags (e.g., @v1) in your workflows to receive backward-compatible updates.


📄 License

This project is released under the MIT License.


🤝 Contributing

Issues and pull requests are welcome.

If you'd like to propose improvements, bug fixes, or new features, feel free to open an issue or submit a PR.