Conflict resolution

.github/workflows/build-desktop.yml

@@ -444,7 +444,10 @@ jobs:
 
   macos-build:
     name: MacOS Build
-    runs-on: macos-13
+    # Note, this workflow is running on macOS 11 to maintain compatibility with macOS 10.15 Catalina, 
+    # as the newer versions will case the native modules to be incompatible with older macOS systems
+    # This version should stay pinned until we drop support for macOS 10.15, or we drop the native modules
+    runs-on: macos-11
     needs: setup
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -602,7 +605,10 @@ jobs:
 
   macos-package-github:
     name: MacOS Package GitHub Release Assets
-    runs-on: macos-13
+    # Note, this workflow is running on macOS 11 to maintain compatibility with macOS 10.15 Catalina, 
+    # as the newer versions will case the native modules to be incompatible with older macOS systems
+    # This version should stay pinned until we drop support for macOS 10.15, or we drop the native modules
+    runs-on: macos-11
     needs:
       - browser-build
       - macos-build
@@ -808,7 +814,10 @@ jobs:
 
   macos-package-mas:
     name: MacOS Package Prod Release Asset
-    runs-on: macos-13
+    # Note, this workflow is running on macOS 11 to maintain compatibility with macOS 10.15 Catalina, 
+    # as the newer versions will case the native modules to be incompatible with older macOS systems
+    # This version should stay pinned until we drop support for macOS 10.15, or we drop the native modules
+    runs-on: macos-11
     needs:
       - browser-build
       - macos-build
@@ -1006,7 +1015,10 @@ jobs:
   macos-package-dev:
     name: MacOS Package Dev Release Asset
     if: false  # We need to look into how code signing works for dev
-    runs-on: macos-13
+    # Note, this workflow is running on macOS 11 to maintain compatibility with macOS 10.15 Catalina, 
+    # as the newer versions will case the native modules to be incompatible with older macOS systems
+    # This version should stay pinned until we drop support for macOS 10.15, or we drop the native modules
+    runs-on: macos-11
     needs:
       - browser-build
       - macos-build

.github/workflows/build-web.yml

@@ -299,7 +299,7 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
-      - name: Trigger web vault deploy
+      - name: Trigger web vault deploy using GitHub Run ID
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
@@ -311,7 +311,7 @@ jobs:
               ref: 'main',
               inputs: {
                 'environment': 'USDEV',
-                'branch-or-tag': 'main'
+                'build-web-run-id': '${{ github.run_id }}'
               }
             })
 

.github/workflows/deploy-web.yml

@@ -27,6 +27,10 @@ on:
         description: "Debug mode"
         type: boolean
         default: true
+      build-web-run-id:
+        description: "Build-web workflow Run ID to use for artifact download"
+        type: string
+        required: false
 
   workflow_call:
     inputs:
@@ -46,6 +50,10 @@ on:
         description: "Debug mode"
         type: boolean
         default: true
+      build-web-run-id:
+        description: "Build-web workflow Run ID to use for artifact download"
+        type: string
+        required: false
 
 permissions:
   deployments: write
@@ -168,7 +176,20 @@ jobs:
     env:
       _ENVIRONMENT_ARTIFACT: ${{ needs.setup.outputs.environment-artifact }}
     steps:
+      - name: 'Download latest cloud asset using GitHub Run ID: ${{ inputs.build-web-run-id }}'
+        if: ${{ inputs.build-web-run-id }}
+        uses: bitwarden/gh-actions/download-artifacts@main
+        id: download-latest-artifacts
+        continue-on-error: true
+        with:
+          workflow: build-web.yml
+          path: apps/web
+          workflow_conclusion: success
+          run_id: ${{ inputs.build-web-run-id }}
+          artifacts: ${{ env._ENVIRONMENT_ARTIFACT }}
+
       - name: 'Download latest cloud asset from branch/tag: ${{ inputs.branch-or-tag }}'
+        if: ${{ !inputs.build-web-run-id }}
         uses: bitwarden/gh-actions/download-artifacts@main
         id: download-artifacts
         continue-on-error: true
@@ -249,7 +270,20 @@ jobs:
           keyvault: ${{ needs.setup.outputs.retrieve-secrets-keyvault }}
           secrets: "sa-bitwarden-web-vault-name,sp-bitwarden-web-vault-password,sp-bitwarden-web-vault-appid,sp-bitwarden-web-vault-tenant"
 
+      - name: 'Download latest cloud asset using GitHub Run ID: ${{ inputs.build-web-run-id }}'
+        if: ${{ inputs.build-web-run-id }}
+        uses: bitwarden/gh-actions/download-artifacts@main
+        id: download-latest-artifacts
+        continue-on-error: true
+        with:
+          workflow: build-web.yml
+          path: apps/web
+          workflow_conclusion: success
+          run_id: ${{ inputs.build-web-run-id }}
+          artifacts: ${{ env._ENVIRONMENT_ARTIFACT }}
+
       - name: 'Download cloud asset from branch/tag: ${{ inputs.branch-or-tag }}'
+        if: ${{ !inputs.build-web-run-id }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           workflow: build-web.yml

.github/workflows/release-desktop-beta.yml

@@ -393,7 +393,10 @@ jobs:
 
   macos-build:
     name: MacOS Build
-    runs-on: macos-13
+    # Note, this workflow is running on macOS 11 to maintain compatibility with macOS 10.15 Catalina, 
+    # as the newer versions will case the native modules to be incompatible with older macOS systems
+    # This version should stay pinned until we drop support for macOS 10.15, or we drop the native modules
+    runs-on: macos-11
     needs: setup
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.release-version }}
@@ -522,7 +525,10 @@ jobs:
 
   macos-package-github:
     name: MacOS Package GitHub Release Assets
-    runs-on: macos-13
+    # Note, this workflow is running on macOS 11 to maintain compatibility with macOS 10.15 Catalina, 
+    # as the newer versions will case the native modules to be incompatible with older macOS systems
+    # This version should stay pinned until we drop support for macOS 10.15, or we drop the native modules  
+    runs-on: macos-11
     needs:
       - setup
       - macos-build
@@ -732,7 +738,10 @@ jobs:
 
   macos-package-mas:
     name: MacOS Package Prod Release Asset
-    runs-on: macos-13
+    # Note, this workflow is running on macOS 11 to maintain compatibility with macOS 10.15 Catalina, 
+    # as the newer versions will case the native modules to be incompatible with older macOS systems
+    # This version should stay pinned until we drop support for macOS 10.15, or we drop the native modules    
+    runs-on: macos-11
     needs:
       - setup
       - macos-build

.github/workflows/release-web.yml

@@ -113,105 +113,12 @@ jobs:
       - name: Log out of Docker
         run: docker logout
 
-
-  ghpages-deploy:
-    name: Create Deploy PR for GitHub Pages
-    runs-on: ubuntu-22.04
-    needs: setup
-    env:
-      _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
-      _TAG_VERSION: ${{ needs.setup.outputs.tag_version }}
-      _BRANCH: "v${{ needs.setup.outputs.release_version }}-deploy"
-    steps:
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve bot secrets
-        id: retrieve-bot-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: bitwarden-ci
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
-      - name: Checkout GH pages repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          repository: bitwarden/web-vault-pages
-          path: ghpages-deployment
-          token: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
-
-      - name: Download latest cloud asset
-        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@main
-        with:
-          workflow: build-web.yml
-          path: assets
-          workflow_conclusion: success
-          branch: ${{ github.ref_name }}
-          artifacts: web-*-cloud-COMMERCIAL.zip
-
-      - name: Dry Run - Download latest cloud asset
-        if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@main
-        with:
-          workflow: build-web.yml
-          path: assets
-          workflow_conclusion: success
-          branch: main
-          artifacts: web-*-cloud-COMMERCIAL.zip
-
-      - name: Unzip build asset
-        working-directory: assets
-        run: unzip web-*-cloud-COMMERCIAL.zip
-
-      - name: Create new branch
-        run: |
-          cd ${{ github.workspace }}/ghpages-deployment
-          git config user.name = "GitHub Action Bot"
-          git config user.email = "<>"
-          git config --global url."https://github.com/".insteadOf ssh://git@github.com/
-          git config --global url."https://".insteadOf ssh://
-          git checkout -b ${_BRANCH}
-
-      - name: Copy build files
-        run: |
-          rm -rf ${{ github.workspace }}/ghpages-deployment/*
-          cp -Rf ${{ github.workspace }}/assets/build/* ghpages-deployment/
-
-      - name: Commit and push changes
-        working-directory: ghpages-deployment
-        run: |
-          git add .
-          git commit -m "Deploy Web v${_RELEASE_VERSION} to GitHub Pages"
-          git push --set-upstream origin ${_BRANCH} --force
-
-      - name: Create GitHub Pages Deploy PR
-        working-directory: ghpages-deployment
-        env:
-          GITHUB_TOKEN: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
-        run: |
-          if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
-            gh pr create --title "Deploy v${_RELEASE_VERSION} to GitHub Pages" \
-              --draft \
-              --body "Deploying v${_RELEASE_VERSION}" \
-              --base main \
-              --head "${_BRANCH}"
-          else
-            gh pr create --title "Deploy v${_RELEASE_VERSION} to GitHub Pages" \
-              --body "Deploying v${_RELEASE_VERSION}" \
-              --base main \
-              --head "${_BRANCH}"
-          fi
-
   release:
     name: Create GitHub Release
     runs-on: ubuntu-22.04
     needs:
       - setup
       - self-host
-      - ghpages-deploy
     steps:
       - name: Create GitHub deployment
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}

.github/workflows/scan.yml

@@ -10,8 +10,6 @@ on:
   pull_request_target:
     types: [opened, synchronize]
 
-permissions: read-all
-
 jobs:
   check-run:
     name: Check PR run
@@ -22,6 +20,8 @@ jobs:
     runs-on: ubuntu-22.04
     needs: check-run
     permissions:
+      contents: read
+      pull-requests: write
       security-events: write
 
     steps:
@@ -43,7 +43,7 @@ jobs:
           additional_params: --report-format sarif --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
         with:
           sarif_file: cx_result.sarif
 
@@ -51,6 +51,9 @@ jobs:
     name: Quality scan
     runs-on: ubuntu-22.04
     needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
       - name: Check out repo

.github/workflows/version-bump.yml

@@ -367,21 +367,27 @@ jobs:
         id: set-final-version-output
         run: |
           if [[ "${{ steps.bump-browser-version-override.outcome }}" = "success" ]]; then
-            echo "version=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
+            echo "version_browser=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
           elif [[ "${{ steps.bump-browser-version-automatic.outcome }}" = "success" ]]; then
-            echo "version=${{ steps.calculate-next-browser-version.outputs.version }}" >> $GITHUB_OUTPUT
-          elif [[ "${{ steps.bump-cli-version-override.outcome }}" = "success" ]]; then
-            echo "version=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
+            echo "version_browser=${{ steps.calculate-next-browser-version.outputs.version }}" >> $GITHUB_OUTPUT
+          fi
+
+          if [[ "${{ steps.bump-cli-version-override.outcome }}" = "success" ]]; then
+            echo "version_cli=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
           elif [[ "${{ steps.bump-cli-version-automatic.outcome }}" = "success" ]]; then
-            echo "version=${{ steps.calculate-next-cli-version.outputs.version }}" >> $GITHUB_OUTPUT
-          elif [[ "${{ steps.bump-desktop-version-override.outcome }}" = "success" ]]; then
-            echo "version=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
+            echo "version_cli=${{ steps.calculate-next-cli-version.outputs.version }}" >> $GITHUB_OUTPUT
+          fi
+
+          if [[ "${{ steps.bump-desktop-version-override.outcome }}" = "success" ]]; then
+            echo "version_desktop=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
           elif [[ "${{ steps.bump-desktop-version-automatic.outcome }}" = "success" ]]; then
-            echo "version=${{ steps.calculate-next-desktop-version.outputs.version }}" >> $GITHUB_OUTPUT
-          elif [[ "${{ steps.bump-web-version-override.outcome }}" = "success" ]]; then
-            echo "version=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
+            echo "version_desktop=${{ steps.calculate-next-desktop-version.outputs.version }}" >> $GITHUB_OUTPUT
+          fi
+
+          if [[ "${{ steps.bump-web-version-override.outcome }}" = "success" ]]; then
+            echo "version_web=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
           elif [[ "${{ steps.bump-web-version-automatic.outcome }}" = "success" ]]; then
-            echo "version=${{ steps.calculate-next-web-version.outputs.version }}" >> $GITHUB_OUTPUT
+            echo "version_web=${{ steps.calculate-next-web-version.outputs.version }}" >> $GITHUB_OUTPUT
           fi
 
       - name: Check if version changed