πŸ” GitHub Actions workflow that securely retrieves secrets, generates statistics from a Bitwarden vault.

bitwarden-labs/vault-stats-workflow

πŸ” Bitwarden Vault Stats Workflow

This repository contains a GitHub Actions workflow that securely retrieves secrets, generates statistics from a Bitwarden vault, and sends the results via Bitwarden Send.

πŸ” Generating Bitwarden Vault Stats ...

The workflow leverages the Bitwarden CLI tool for seamless interaction with the vault.

How Credentials Are Handled

Credentials such as EMAIL, MASTER_PASSWORD, and ORGANIZATION_ID are stored in Bitwarden and retrieved securely during the workflow using the bitwarden/sm-action@v2 action.

Bitwarden provides an integration with GitHub Actions to retrieve secrets from Bitwarden Secrets Manager and inject them into GitHub Actions workflows. The integration will inject retrieved secrets as masked environment variables inside an action.

The BW_ACCESS_TOKEN is stored securely in the repository's GitHub Secrets.

Runtime Handling

  • Secrets are never exposed in plaintext in the logs.
  • The workflow uses environment variables to pass sensitive data (e.g., BW_SESSION) between steps securely.
  • All vault interactions (e.g., logging in, unlocking, listing items, creating Sends) are handled via the Bitwarden CLI tool, which operates securely using the retrieved session token.

πŸ“ Example Output

In GitHub Actions Logs:

🔗 Bitwarden Send URL: https://vault.bitwarden.com/#/send/7R9Qv76scUWDarJfAT5kNg/mrFiqYnLGx0X3w-Xrv_JA

In Bitwarden Send:

Your vault has access to: 15 logins, 1 cards, 0 identities, and 2 secure notes.

📂 Repository Structure

.
├── .github/
│   └── workflows/
│       └── bitwarden-vault-stats.yml  # GitHub Actions workflow file
└── README.md                          # Documentation (this file)

📋 Workflow Steps

  1. 🔑 Get Bitwarden Secrets: Retrieves EMAIL, MASTER_PASSWORD, and ORGANIZATION_ID from Bitwarden Secrets Manager for a valid US account.
  2. ⚙️ Install Bitwarden CLI: Installs the Bitwarden CLI tool to interact with the vault.
  3. Log in and Unlock Vault: Logs into the vault and unlocks it using the Bitwarden CLI.
  4. 📊 Generate Vault Stats: Counts the total number of items for each type: Logins, Cards, Identities, and Secure Notes.
  5. 📤 Send Stats via Bitwarden Send: Sends the stats securely via Bitwarden Send, and outputs a shareable URL in the logs.
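
The data handling behind steps 3 to 5, as an added example that is not taken from the repository's workflow file: the session key is masked before it is exported to later steps, and the item JSON is reduced to counts before anything is put into a Send. The helper names, the sample items and the choice of Python are assumptions; the numeric codes are Bitwarden's item types as they appear in `bw list items` output.

```python
import json
from collections import Counter

# Hypothetical helper names for illustration; not from the repository.
# Bitwarden item "type" codes in `bw list items` JSON, in the order the
# README's example output reports them.
ITEM_TYPES = ((1, "logins"), (3, "cards"), (4, "identities"), (2, "secure notes"))


def export_session(session: str, env_file: str) -> str:
    """Mask the session key, then append it to the $GITHUB_ENV file.

    GitHub masks only values it already knows as secrets. BW_SESSION is
    produced at run time, so it is registered with ::add-mask:: first.
    """
    if not session or any(c in session for c in "\r\n"):
        # A newline would inject an extra variable into the env file.
        raise ValueError("session key must be a single non-empty line")
    mask_cmd = f"::add-mask::{session}"
    print(mask_cmd)  # workflow command, consumed by the runner
    with open(env_file, "a", encoding="utf-8") as fh:
        fh.write(f"BW_SESSION={session}\n")
    return mask_cmd


def vault_stats(items_json: str) -> str:
    """Reduce item JSON to per-type counts; names and fields are dropped."""
    items = json.loads(items_json)
    counts = Counter(i.get("type") for i in items if isinstance(i, dict))
    parts = [f"{counts[code]} {label}" for code, label in ITEM_TYPES]
    return ("Your vault has access to: " + ", ".join(parts[:-1])
            + f", and {parts[-1]}.")


# Constructed sample shaped like `bw list items` output (not real vault data).
SAMPLE = json.dumps([
    {"type": 1, "name": "example login"},
    {"type": 1, "name": "second login"},
    {"type": 2, "name": "example note"},
    {"type": 3, "name": "example card"},
])

if __name__ == "__main__":
    print(vault_stats(SAMPLE))
```

In a workflow step, `export_session` would be called with the output of the unlock command and the path in `$GITHUB_ENV`, and `vault_stats` with the JSON printed by `bw list items`.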

🖥️ Bitwarden CLI Tool

The Bitwarden CLI tool (bw) is the core component used in this workflow to:

  • Log in to Bitwarden.
  • Unlock the vault.
  • List and count items (Logins, Cards, Identities, Secure Notes).
  • Create secure, shareable Bitwarden Sends.

For more information about the Bitwarden CLI, visit the official documentation.

⚠️ Security Considerations

  • Keep BW_ACCESS_TOKEN secure: Store it in GitHub Secrets to prevent unauthorized access.
  • Sensitive data is passed securely through environment variables and never exposed in plaintext logs.
  • Bitwarden Send: Provides an additional layer of security by sharing the stats through a secure, time-limited URL.
