[PM-24375] Convert base64 string for dotenv values to individual key-value pairs (#356)

* replace ENV-FILE secret with individual key-value pairs

* further adjustments

* further further adjustments

* Trying out shared action for setting up env file

* cleanup

* move setup-env-file action out of workflows directory

---------

Co-authored-by: Andy Pixley <[email protected]>

Author: jprusik

.github/actions/setup-env-file/action.yml

@@ -0,0 +1,132 @@
+name: Create Env File
+description: "Creates a .env file with necessary environment variables including secrets for the workflow."
+inputs:
+  AZURE_SUBSCRIPTION_ID:
+    description: "Azure Subscription ID for the service principal."
+    required: true
+  AZURE_TENANT_ID:
+    description: "Azure Tenant ID for the service principal."
+    required: true
+  AZURE_CLIENT_ID:
+    description: "Azure Client ID for the service principal."
+    required: true
+  BW_DB_PORT:
+    description: "Port for the Bitwarden database."
+    required: true
+  BW_DB_PROVIDER:
+    description: "Database provider for Bitwarden."
+    required: true
+  BW_DB_SERVER:
+    description: "Database server for Bitwarden."
+    required: true
+  BW_DOMAIN:
+    description: "Domain for Bitwarden."
+    required: true
+  BW_ENABLE_SSL:
+    description: "Enable SSL for Bitwarden."
+    required: true
+  BW_SSL_CERT:
+    description: "SSL certificate for Bitwarden."
+    required: true
+  BW_SSL_KEY:
+    description: "SSL key for Bitwarden."
+    required: true
+  CI:
+    description: "CI environment variable."
+    required: true
+  CLI_SERVE_HOST:
+    description: "Host for CLI serve."
+    required: true
+  CLI_SERVE_PORT:
+    description: "Port for CLI serve."
+    required: true
+  EXTENSION_BUILD_PATH:
+    description: "Path to extension build."
+    required: true
+  PAGES_HOST:
+    description: "Host for pages."
+    required: true
+  PAGES_HOST_INSECURE_PORT:
+    description: "Insecure port for pages host."
+    required: true
+  PAGES_HOST_PORT:
+    description: "Port for pages host."
+    required: true
+  VAULT_HOST_INSECURE_PORT:
+    description: "Insecure port for vault host."
+    required: true
+  VAULT_HOST_PORT:
+    description: "Port for vault host."
+    required: true
+  VAULT_HOST_URL:
+    description: "URL for vault host."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Log in to Azure
+      uses: bitwarden/gh-actions/azure-login@main
+      with:
+        subscription_id: ${{ inputs.AZURE_SUBSCRIPTION_ID }}
+        tenant_id: ${{ inputs.AZURE_TENANT_ID }}
+        client_id: ${{ inputs.AZURE_CLIENT_ID }}
+
+    - name: Get Azure Key Vault secrets
+      id: get-kv-secrets
+      uses: bitwarden/gh-actions/get-keyvault-secrets@main
+      with:
+        keyvault: gh-browser-interactions
+        secrets: "
+          BW-INSTALLATION-ID,
+          BW-INSTALLATION-KEY,
+          GENERATED-RSA-KEY-PAIR-PROTECTED-PRIVATE-KEY,
+          GENERATED-RSA-KEY-PAIR-PUBLIC-KEY,
+          PROTECTED-SYMMETRIC-KEY,
+          MASTER-PASSWORD-HASH,
+          KDF-ITERATIONS,
+          BW-DB-PASSWORD,
+          BW-DB-USERNAME,
+          BW-DB-DATABASE,
+          VAULT-EMAIL,
+          VAULT-PASSWORD,
+          PUBLIC-TEST-EMAIL"
+
+    - name: Log out from Azure
+      uses: bitwarden/gh-actions/azure-logout@main
+
+    - name: Create dotenv file
+      shell: bash
+      run: |
+        sudo setcap 'cap_net_bind_service=+ep' `which node`
+        > .env
+        echo "BW_DB_DATABASE=\"${{ steps.get-kv-secrets.outputs.BW-DB-DATABASE }}\"" >> .env
+        echo "BW_DB_PASSWORD=\"${{ steps.get-kv-secrets.outputs.BW-DB-PASSWORD }}\"" >> .env
+        echo "BW_DB_USERNAME=\"${{ steps.get-kv-secrets.outputs.BW-DB-USERNAME }}\"" >> .env
+        echo "BW_INSTALLATION_ID=\"${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-ID }}\"" >> .env
+        echo "BW_INSTALLATION_KEY=\"${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-KEY }}\"" >> .env
+        echo "GENERATED_RSA_KEY_PAIR_PROTECTED_PRIVATE_KEY=\"${{ steps.get-kv-secrets.outputs.GENERATED-RSA-KEY-PAIR-PROTECTED-PRIVATE-KEY }}\"" >> .env
+        echo "GENERATED_RSA_KEY_PAIR_PUBLIC_KEY=\"${{ steps.get-kv-secrets.outputs.GENERATED-RSA-KEY-PAIR-PUBLIC-KEY }}\"" >> .env
+        echo "KDF_ITERATIONS=${{ steps.get-kv-secrets.outputs.KDF-ITERATIONS }}" >> .env
+        echo "MASTER_PASSWORD_HASH=\"${{ steps.get-kv-secrets.outputs.MASTER-PASSWORD-HASH }}\"" >> .env
+        echo "PROTECTED_SYMMETRIC_KEY=\"${{ steps.get-kv-secrets.outputs.PROTECTED-SYMMETRIC-KEY }}\"" >> .env
+        echo "PUBLIC_TEST_EMAIL=\"${{ steps.get-kv-secrets.outputs.PUBLIC-TEST-EMAIL }}\"" >> .env
+        echo "VAULT_EMAIL=\"${{ steps.get-kv-secrets.outputs.VAULT-EMAIL }}\"" >> .env
+        echo "VAULT_PASSWORD=\"${{ steps.get-kv-secrets.outputs.VAULT-PASSWORD }}\"" >> .env
+        echo "BW_DB_PORT=${{ inputs.BW_DB_PORT }}" >> .env
+        echo "BW_DB_PROVIDER=\"${{ inputs.BW_DB_PROVIDER }}\"" >> .env
+        echo "BW_DB_SERVER=\"${{ inputs.BW_DB_SERVER }}\"" >> .env
+        echo "BW_DOMAIN=\"${{ inputs.BW_DOMAIN }}\"" >> .env
+        echo "BW_ENABLE_SSL=\"${{ inputs.BW_ENABLE_SSL }}\"" >> .env
+        echo "BW_SSL_CERT=\"${{ inputs.BW_SSL_CERT }}\"" >> .env
+        echo "BW_SSL_KEY=\"${{ inputs.BW_SSL_KEY }}\"" >> .env
+        echo "CI=${{ inputs.CI }}" >> .env
+        echo "CLI_SERVE_HOST=\"${{ inputs.CLI_SERVE_HOST }}\"" >> .env
+        echo "CLI_SERVE_PORT=${{ inputs.CLI_SERVE_PORT }}" >> .env
+        echo "EXTENSION_BUILD_PATH=\"${{ inputs.EXTENSION_BUILD_PATH }}\"" >> .env
+        echo "PAGES_HOST_INSECURE_PORT=${{ inputs.PAGES_HOST_INSECURE_PORT }}" >> .env
+        echo "PAGES_HOST_PORT=${{ inputs.PAGES_HOST_PORT }}" >> .env
+        echo "PAGES_HOST=\"${{ inputs.PAGES_HOST }}\"" >> .env
+        echo "VAULT_HOST_INSECURE_PORT=${{ inputs.VAULT_HOST_INSECURE_PORT }}" >> .env
+        echo "VAULT_HOST_PORT=${{ inputs.VAULT_HOST_PORT }}" >> .env
+        echo "VAULT_HOST_URL=\"${{ inputs.VAULT_HOST_URL }}\"" >> .env

.github/workflows/a11y-eval-all.yml

@@ -31,29 +31,29 @@ jobs:
           cache-dependency-path: "**/package-lock.json"
           node-version: "23"
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-browser-interactions
-          secrets: "ENV-FILE,BW-INSTALLATION-ID,BW-INSTALLATION-KEY"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
       - name: Create dotenv file
-        run: |
-          sudo setcap 'cap_net_bind_service=+ep' `which node`
-          echo "${{ steps.get-kv-secrets.outputs.ENV-FILE }}" | base64 --decode > .env
-          echo "BW_INSTALLATION_ID=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-ID }}" >> .env
-          echo "BW_INSTALLATION_KEY=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-KEY }}" >> .env
+        uses: ./.github/actions/setup-env-file
+        with:
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          BW_DB_PORT: ${{ vars.BW_DB_PORT }}
+          BW_DB_PROVIDER: ${{ vars.BW_DB_PROVIDER }}
+          BW_DB_SERVER: ${{ vars.BW_DB_SERVER }}
+          BW_DOMAIN: ${{ vars.BW_DOMAIN }}
+          BW_ENABLE_SSL: ${{ vars.BW_ENABLE_SSL }}
+          BW_SSL_CERT: ${{ vars.BW_SSL_CERT }}
+          BW_SSL_KEY: ${{ vars.BW_SSL_KEY }}
+          CI: true
+          CLI_SERVE_HOST: ${{ vars.CLI_SERVE_HOST }}
+          CLI_SERVE_PORT: ${{ vars.CLI_SERVE_PORT }}
+          EXTENSION_BUILD_PATH: ${{ vars.EXTENSION_BUILD_PATH }}
+          PAGES_HOST_INSECURE_PORT: ${{ vars.PAGES_HOST_INSECURE_PORT }}
+          PAGES_HOST_PORT: ${{ vars.PAGES_HOST_PORT }}
+          PAGES_HOST: ${{ vars.PAGES_HOST }}
+          VAULT_HOST_INSECURE_PORT: ${{ vars.VAULT_HOST_INSECURE_PORT }}
+          VAULT_HOST_PORT: ${{ vars.VAULT_HOST_PORT }}
+          VAULT_HOST_URL: ${{ vars.VAULT_HOST_URL }}
 
       - name: Create feature flags file
         run: echo "{\"flagValues\":${{ inputs.FEATURE_FLAGS }}}" > flags.json

.github/workflows/a11y-eval-browser.yml

@@ -31,29 +31,29 @@ jobs:
           cache-dependency-path: "**/package-lock.json"
           node-version: "23"
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-browser-interactions
-          secrets: "ENV-FILE,BW-INSTALLATION-ID,BW-INSTALLATION-KEY"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
       - name: Create dotenv file
-        run: |
-          sudo setcap 'cap_net_bind_service=+ep' `which node`
-          echo "${{ steps.get-kv-secrets.outputs.ENV-FILE }}" | base64 --decode > .env
-          echo "BW_INSTALLATION_ID=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-ID }}" >> .env
-          echo "BW_INSTALLATION_KEY=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-KEY }}" >> .env
+        uses: ./.github/actions/setup-env-file
+        with:
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          BW_DB_PORT: ${{ vars.BW_DB_PORT }}
+          BW_DB_PROVIDER: ${{ vars.BW_DB_PROVIDER }}
+          BW_DB_SERVER: ${{ vars.BW_DB_SERVER }}
+          BW_DOMAIN: ${{ vars.BW_DOMAIN }}
+          BW_ENABLE_SSL: ${{ vars.BW_ENABLE_SSL }}
+          BW_SSL_CERT: ${{ vars.BW_SSL_CERT }}
+          BW_SSL_KEY: ${{ vars.BW_SSL_KEY }}
+          CI: true
+          CLI_SERVE_HOST: ${{ vars.CLI_SERVE_HOST }}
+          CLI_SERVE_PORT: ${{ vars.CLI_SERVE_PORT }}
+          EXTENSION_BUILD_PATH: ${{ vars.EXTENSION_BUILD_PATH }}
+          PAGES_HOST_INSECURE_PORT: ${{ vars.PAGES_HOST_INSECURE_PORT }}
+          PAGES_HOST_PORT: ${{ vars.PAGES_HOST_PORT }}
+          PAGES_HOST: ${{ vars.PAGES_HOST }}
+          VAULT_HOST_INSECURE_PORT: ${{ vars.VAULT_HOST_INSECURE_PORT }}
+          VAULT_HOST_PORT: ${{ vars.VAULT_HOST_PORT }}
+          VAULT_HOST_URL: ${{ vars.VAULT_HOST_URL }}
 
       - name: Create feature flags file
         run: echo "{\"flagValues\":${{ inputs.FEATURE_FLAGS }}}" > flags.json

.github/workflows/a11y-eval-web.yml

@@ -27,29 +27,29 @@ jobs:
           cache-dependency-path: "**/package-lock.json"
           node-version: "23"
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-browser-interactions
-          secrets: "ENV-FILE,BW-INSTALLATION-ID,BW-INSTALLATION-KEY"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
       - name: Create dotenv file
-        run: |
-          sudo setcap 'cap_net_bind_service=+ep' `which node`
-          echo "${{ steps.get-kv-secrets.outputs.ENV-FILE }}" | base64 --decode > .env
-          echo "BW_INSTALLATION_ID=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-ID }}" >> .env
-          echo "BW_INSTALLATION_KEY=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-KEY }}" >> .env
+        uses: ./.github/actions/setup-env-file
+        with:
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          BW_DB_PORT: ${{ vars.BW_DB_PORT }}
+          BW_DB_PROVIDER: ${{ vars.BW_DB_PROVIDER }}
+          BW_DB_SERVER: ${{ vars.BW_DB_SERVER }}
+          BW_DOMAIN: ${{ vars.BW_DOMAIN }}
+          BW_ENABLE_SSL: ${{ vars.BW_ENABLE_SSL }}
+          BW_SSL_CERT: ${{ vars.BW_SSL_CERT }}
+          BW_SSL_KEY: ${{ vars.BW_SSL_KEY }}
+          CI: true
+          CLI_SERVE_HOST: ${{ vars.CLI_SERVE_HOST }}
+          CLI_SERVE_PORT: ${{ vars.CLI_SERVE_PORT }}
+          EXTENSION_BUILD_PATH: ${{ vars.EXTENSION_BUILD_PATH }}
+          PAGES_HOST_INSECURE_PORT: ${{ vars.PAGES_HOST_INSECURE_PORT }}
+          PAGES_HOST_PORT: ${{ vars.PAGES_HOST_PORT }}
+          PAGES_HOST: ${{ vars.PAGES_HOST }}
+          VAULT_HOST_INSECURE_PORT: ${{ vars.VAULT_HOST_INSECURE_PORT }}
+          VAULT_HOST_PORT: ${{ vars.VAULT_HOST_PORT }}
+          VAULT_HOST_URL: ${{ vars.VAULT_HOST_URL }}
 
       - name: Create feature flags file
         run: echo "{\"flagValues\":${{ inputs.FEATURE_FLAGS }}}" > flags.json

.github/workflows/test-all-custom-flags.yml

@@ -35,29 +35,29 @@ jobs:
           cache-dependency-path: "**/package-lock.json"
           node-version: "23"
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-browser-interactions
-          secrets: "ENV-FILE,BW-INSTALLATION-ID,BW-INSTALLATION-KEY"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
       - name: Create dotenv file
-        run: |
-          sudo setcap 'cap_net_bind_service=+ep' `which node`
-          echo "${{ steps.get-kv-secrets.outputs.ENV-FILE }}" | base64 --decode > .env
-          echo "BW_INSTALLATION_ID=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-ID }}" >> .env
-          echo "BW_INSTALLATION_KEY=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-KEY }}" >> .env
+        uses: ./.github/actions/setup-env-file
+        with:
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          BW_DB_PORT: ${{ vars.BW_DB_PORT }}
+          BW_DB_PROVIDER: ${{ vars.BW_DB_PROVIDER }}
+          BW_DB_SERVER: ${{ vars.BW_DB_SERVER }}
+          BW_DOMAIN: ${{ vars.BW_DOMAIN }}
+          BW_ENABLE_SSL: ${{ vars.BW_ENABLE_SSL }}
+          BW_SSL_CERT: ${{ vars.BW_SSL_CERT }}
+          BW_SSL_KEY: ${{ vars.BW_SSL_KEY }}
+          CI: true
+          CLI_SERVE_HOST: ${{ vars.CLI_SERVE_HOST }}
+          CLI_SERVE_PORT: ${{ vars.CLI_SERVE_PORT }}
+          EXTENSION_BUILD_PATH: ${{ vars.EXTENSION_BUILD_PATH }}
+          PAGES_HOST_INSECURE_PORT: ${{ vars.PAGES_HOST_INSECURE_PORT }}
+          PAGES_HOST_PORT: ${{ vars.PAGES_HOST_PORT }}
+          PAGES_HOST: ${{ vars.PAGES_HOST }}
+          VAULT_HOST_INSECURE_PORT: ${{ vars.VAULT_HOST_INSECURE_PORT }}
+          VAULT_HOST_PORT: ${{ vars.VAULT_HOST_PORT }}
+          VAULT_HOST_URL: ${{ vars.VAULT_HOST_URL }}
 
       - name: Create feature flags file
         run: echo "{\"flagValues\":${{ inputs.FEATURE_FLAGS || '{}' }}}" > flags.json

.github/workflows/test-all.yml

@@ -34,30 +34,29 @@ jobs:
           cache-dependency-path: "**/package-lock.json"
           node-version: "23"
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-browser-interactions
-          secrets: "ENV-FILE,BW-INSTALLATION-ID,BW-INSTALLATION-KEY"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
       - name: Create dotenv file
-        run: |
-          sudo setcap 'cap_net_bind_service=+ep' `which node`
-          echo "${{ steps.get-kv-secrets.outputs.ENV-FILE }}" | base64 --decode > .env
-          echo "BW_INSTALLATION_ID=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-ID }}" >> .env
-          echo "BW_INSTALLATION_KEY=${{ steps.get-kv-secrets.outputs.BW-INSTALLATION-KEY }}" >> .env
-          echo "REMOTE_VAULT_CONFIG_MATCH=${{ inputs.REMOTE_VAULT_CONFIG_MATCH || vars.BW_REMOTE_VAULT_CONFIG_MATCH }}" >> .env
+        uses: ./.github/actions/setup-env-file
+        with:
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          BW_DB_PORT: ${{ vars.BW_DB_PORT }}
+          BW_DB_PROVIDER: ${{ vars.BW_DB_PROVIDER }}
+          BW_DB_SERVER: ${{ vars.BW_DB_SERVER }}
+          BW_DOMAIN: ${{ vars.BW_DOMAIN }}
+          BW_ENABLE_SSL: ${{ vars.BW_ENABLE_SSL }}
+          BW_SSL_CERT: ${{ vars.BW_SSL_CERT }}
+          BW_SSL_KEY: ${{ vars.BW_SSL_KEY }}
+          CI: true
+          CLI_SERVE_HOST: ${{ vars.CLI_SERVE_HOST }}
+          CLI_SERVE_PORT: ${{ vars.CLI_SERVE_PORT }}
+          EXTENSION_BUILD_PATH: ${{ vars.EXTENSION_BUILD_PATH }}
+          PAGES_HOST_INSECURE_PORT: ${{ vars.PAGES_HOST_INSECURE_PORT }}
+          PAGES_HOST_PORT: ${{ vars.PAGES_HOST_PORT }}
+          PAGES_HOST: ${{ vars.PAGES_HOST }}
+          VAULT_HOST_INSECURE_PORT: ${{ vars.VAULT_HOST_INSECURE_PORT }}
+          VAULT_HOST_PORT: ${{ vars.VAULT_HOST_PORT }}
+          VAULT_HOST_URL: ${{ vars.VAULT_HOST_URL }}
 
       - name: Download extension artifact
         uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4