The Bitwarden sm-action repository contains the source code for the Secrets Manager GitHub Action.
Use the GitHub Action, bitwarden/sm-action, to retrieve secrets from the Bitwarden Secrets Manager for use inside GitHub Actions.
The bitwarden/sm-action will add retrieved secrets as masked environment variables inside a given GitHub Action.
Review GitHub's recommendations for security hardening GitHub Actions when using sensitive secrets.
To use the action, add a step to your GitHub workflow using the following syntax:

- name: Step name
  uses: bitwarden/sm-action@v3
  with:
    access_token: ${{ secrets.SM_ACCESS_TOKEN }}
    secrets: |
      SECRET_ID > ENVIRONMENT_VARIABLE_NAME

The action sets step outputs for each secret retrieved, allowing you to access secrets in subsequent steps:
- name: Get Secrets
  id: secrets
  uses: bitwarden/sm-action@v3
  with:
    access_token: ${{ secrets.SM_ACCESS_TOKEN }}
    secrets: |
      00000000-0000-0000-0000-000000000000 > DATABASE_PASSWORD
      bdbb16bc-0b9b-472e-99fa-af4101309076 > API_KEY
- name: Use secrets in another step
  run: |
    echo "Database password: ${{ steps.secrets.outputs.DATABASE_PASSWORD }}"
    echo "API key: ${{ steps.secrets.outputs.API_KEY }}"
    # These values will be automatically masked in GitHub Actions logs

The action accepts the following inputs:

- access_token: The machine account access token for retrieving secrets.
  Use GitHub's encrypted secrets to store and retrieve machine account access tokens securely.
- secrets: One or more secret Ids to retrieve and the corresponding GitHub environment variable name to set.
  GitHub environment variables have stricter naming requirements than Bitwarden secrets,
  so bitwarden/sm-action requires specifying an environment variable name for each secret retrieved, in the following format:

    secrets: |
      SECRET_ID > ENVIRONMENT_VARIABLE_NAME

  Example:

    secrets: |
      00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
- cloud_region: (Optional) For usage with the cloud-hosted services on either https://vault.bitwarden.com or https://vault.bitwarden.eu.
  The default value is us, which is the region for https://vault.bitwarden.com. To use https://vault.bitwarden.eu, set the value to eu.
- base_url: (Optional) For self-hosted Bitwarden instances, provide your https://your.domain.com.
  If this optional parameter is provided, the parameters identity_url and api_url are not required.
  The GitHub action will use BASE_URL/identity and BASE_URL/api for the identity and api endpoints.
- identity_url: (Optional) For self-hosted Bitwarden instances, provide your https://your.domain.com/identity.
  Depending on the cloud_region setting, the default value will use https://identity.bitwarden.com for us (default) or https://identity.bitwarden.eu for eu.
- api_url: (Optional) For self-hosted Bitwarden instances, provide your https://your.domain.com/api.
  Depending on the cloud_region setting, the default value will use https://api.bitwarden.com for us (default) or https://api.bitwarden.eu for eu.
- set_env: (Optional) Set to true to set the retrieved secrets as environment variables in the GitHub action. The default value is true.
  If set to false, the secrets will not be set as environment variables, but will still be available in the GitHub Action output.
  Example:

    - name: Get Secrets
      uses: bitwarden/sm-action@v3
      id: get_secrets # set an ID so we can access the output
      with:
        access_token: ${{ secrets.SM_ACCESS_TOKEN }}
        secrets: |
          00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
        set_env: false # don't set TEST_EXAMPLE as an environment variable
    - name: Use Secret
      run: |
        echo "Accessing secret via output."
        echo "Secret from GITHUB_OUTPUT - ${{ steps.get_secrets.outputs.TEST_EXAMPLE }}"
        echo "Attempting to access TEST_EXAMPLE as an environment variable."
        echo "This will fail because the environment variable is not set."
        echo "TEST_EXAMPLE environment variable should be empty - $TEST_EXAMPLE"
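As an added example (not the sm-action project's own code), the following Rust parses the secrets input format described above, enforces GitHub's documented environment-variable naming rules, and renders the GITHUB_ENV and GITHUB_OUTPUT entries while honouring set_env. The naming rules, the fixed heredoc delimiter and the `values` lookup closure are assumptions made for illustration, not the action's implementation.

```rust
// Added example, not the sm-action project's own code: parse the `secrets`
// input, validate each line, and render the heredoc entries the action would
// append to $GITHUB_ENV (only when set_env is true) and to $GITHUB_OUTPUT.

// Format check only: 8-4-4-4-12 hex groups, like the README's example ids.
fn is_uuid(s: &str) -> bool {
    s.len() == 36
        && s.char_indices().all(|(i, c)| match i {
            8 | 13 | 18 | 23 => c == '-',
            _ => c.is_ascii_hexdigit(),
        })
}

// GitHub's documented rules (assumed here): [A-Za-z0-9_] only, no leading
// digit, and the GITHUB_ prefix is reserved for the runner.
fn is_valid_env_name(name: &str) -> bool {
    let lead_ok = name.chars().next().map_or(false, |c| c.is_ascii_alphabetic() || c == '_');
    lead_ok
        && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
        && !name.to_ascii_uppercase().starts_with("GITHUB_")
}

/// Parse "SECRET_ID > ENV_NAME" lines; blank lines are skipped, anything else fails.
pub fn parse_secrets(input: &str) -> Result<Vec<(String, String)>, String> {
    let mut pairs = Vec::new();
    for (n, raw) in input.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() { continue; }
        let (id, name) = line.split_once('>').ok_or(format!("line {}: missing '>'", n + 1))?;
        let (id, name) = (id.trim(), name.trim());
        if !is_uuid(id) { return Err(format!("line {}: '{id}' is not a secret id", n + 1)); }
        if !is_valid_env_name(name) { return Err(format!("line {}: bad env name '{name}'", n + 1)); }
        pairs.push((id.to_string(), name.to_string()));
    }
    Ok(pairs)
}

/// Render GITHUB_ENV / GITHUB_OUTPUT lines in GitHub's heredoc form so a value that
/// contains newlines cannot define a second variable. `values` looks a secret up by id
/// (stubbed in tests); the fixed delimiter is a simplification of a random one.
pub fn render_entries(pairs: &[(String, String)], values: &dyn Fn(&str) -> String, set_env: bool) -> (String, String) {
    let (mut env, mut output) = (String::new(), String::new());
    for (id, name) in pairs {
        let entry = format!("{name}<<SM_ACTION_EOF\n{}\nSM_ACTION_EOF\n", values(id));
        output.push_str(&entry);
        if set_env { env.push_str(&entry); }
    }
    (env, output)
}
```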
Example: retrieving two secrets as environment variables.

- name: Get Secrets
  uses: bitwarden/sm-action@v3
  with:
    access_token: ${{ secrets.SM_ACCESS_TOKEN }}
    secrets: |
      00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
      bdbb16bc-0b9b-472e-99fa-af4101309076 > TEST_EXAMPLE_2

Environment variables created:

TEST_EXAMPLE=SECRET_VALUE_FOR_00000000-0000-0000-0000-000000000000
TEST_EXAMPLE_2=SECRET_VALUE_FOR_bdbb16bc-0b9b-472e-99fa-af4101309076

Example: using the EU cloud region and consuming the secret in a later step.

- name: Get Secrets
  uses: bitwarden/sm-action@v3
  with:
    access_token: ${{ secrets.SM_ACCESS_TOKEN }}
    cloud_region: eu
    secrets: |
      00000000-0000-0000-0000-000000000000 > TEST_EXAMPLE
- name: Use Secret
  run: example-command "$TEST_EXAMPLE"

To build the Bitwarden sm-action locally, you will need to have NodeJS and Rust installed.
Set the required environment variables for the Action:

export INPUT_ACCESS_TOKEN="<your_access_token>"
export INPUT_CLOUD_REGION=us # or eu; setting this will mean ignoring SM_BASE_URL, SM_API_URL, and SM_IDENTITY_URL
export INPUT_BASE_URL=https://your.domain.com # optional; only needed for self-hosted
export INPUT_API_URL=https://your.domain.com/api # optional; only needed for self-hosted; ignored if SM_BASE_URL is set
export INPUT_IDENTITY_URL=https://your.domain.com/identity # optional; only needed for self-hosted; ignored if SM_BASE_URL is set
export INPUT_SET_ENV=true # set to false to disable setting environment variables and only use ${{ github.output }}
export GITHUB_ENV=/tmp/sm-action.env # must be set to any file for local testing
export GITHUB_OUTPUT=/tmp/sm-action.out # must be set to any file for local testing
export INPUT_SECRETS='4994471d-0b20-4c3c-8040-f65c42d4f80f > FAKE_SECRET_1
dfc20e02-fb1a-4d63-8a7e-d02acce1feb4 > FAKE_SECRET_2'

Build and run the action locally using the following command:

node index.js # or just `cargo run`, to skip the JS wrapper

Run the tests ✔️

cargo test
cargo run -- --version # ensures the binary compiles and runs