From 10306995e67407f956dedba9962add41403fcfef Mon Sep 17 00:00:00 2001
From: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Date: Wed, 2 Apr 2025 13:56:30 -0400
Subject: [PATCH] Add comments to build workflows to indicate their intended use (#14069)

* Added comments to build workflows.
* Updated comments and job names.
---
.github/workflows/build-browser-target.yml | 8 +++++++-
.github/workflows/build-browser.yml | 4 ++++
.github/workflows/build-cli-target.yml | 8 +++++++-
.github/workflows/build-cli.yml | 4 ++++
.github/workflows/build-desktop-target.yml | 9 ++++++++-
.github/workflows/build-desktop.yml | 4 ++++
.github/workflows/build-web-target.yml | 8 +++++++-
.github/workflows/build-web.yml | 4 ++++
8 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build-browser-target.yml b/.github/workflows/build-browser-target.yml
index 3334326920..b2e90605d6 100644
--- a/.github/workflows/build-browser-target.yml
+++ b/.github/workflows/build-browser-target.yml
@@ -1,3 +1,9 @@
+# This workflow is intended to be run when we need to build the client and produce artifacts that require secrets
+# when the PR source branch does not have access to secrets (e.g. a fork).
+# This workflow will run in the context of the target of the PR and have access to secrets.
+# This should only be done after reviewing the PR to ensure that no malicious code has been introduced,
+# as it could allow the code on the forked branch to have access to workflow secrets.
+
 name: Build Browser on PR Target

 on:
@@ -25,7 +31,7 @@ jobs:
 uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main

 run-workflow:
- name: Run Build Browser on PR Target
+ name: Build Browser
 needs: check-run
 if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
 uses: ./.github/workflows/build-browser.yml
diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml
index 4748a6a9f1..f7b8eeabef 100644
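Review bot: The new header comment in build-browser-target.yml says the target-context build should run "only after reviewing the PR", but it never says what binds the re-run to the code that was reviewed, and that is the usual failure mode of `pull_request_target` workflows. The only gates visible here are the `check-run` job and the `if:` on `run-workflow` (second hunk) that limits the job to fork PRs; whether the reusable build-browser.yml checks out `github.event.pull_request.head.sha` or the head branch name is outside this diff, and with the latter a re-run would build whatever the fork has pushed since the review, with secrets. I would extend the comment with `# Re-run only at the reviewed commit: the build must check out github.event.pull_request.head.sha, not the head branch, or commits pushed to the fork after review inherit the approval.` The `on:` block and the secret-consuming jobs continue outside the hunk.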
--- a/.github/workflows/build-browser.yml
+++ b/.github/workflows/build-browser.yml
@@ -1,3 +1,7 @@
+# This workflow will run in the context of the source of the PR.
+# On a PR from a fork, the workflow will not have access to secrets, and so any parts of the build that require secrets will not run.
+# If additional artifacts are needed, the failed "build-browser-target.yml" workflow held up by the check-run should be re-run.
+
 name: Build Browser

 on:
diff --git a/.github/workflows/build-cli-target.yml b/.github/workflows/build-cli-target.yml
index 81ec417868..589b0cc166 100644
--- a/.github/workflows/build-cli-target.yml
+++ b/.github/workflows/build-cli-target.yml
@@ -1,3 +1,9 @@
+# This workflow is intended to be run when we need to build the client and produce artifacts that require secrets
+# when the PR source branch does not have access to secrets (e.g. a fork).
+# This workflow will run in the context of the target of the PR and have access to secrets.
+# This should only be done after reviewing the PR to ensure that no malicious code has been introduced,
+# as it could allow the code on the forked branch to have access to workflow secrets.
+
 name: Build CLI on PR Target

 on:
@@ -25,7 +31,7 @@ jobs:
 uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main

 run-workflow:
- name: Run Build CLI on PR Target
+ name: Build CLI
 needs: check-run
 if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
 uses: ./.github/workflows/build-cli.yml
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 8599a699d9..a78d3bda5a 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
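Review bot: The third comment line added to build-browser.yml describes the safeguard passively — the failed workflow "held up by the check-run should be re-run" — without saying that the failure is deliberate or that the re-run is the act that hands the fork's code the repository secrets. Anyone with write access can press re-run, so the sentence should name who does it and what they are accepting: `# Fork PRs fail "Build Browser on PR Target" on purpose (its check-run job blocks it); a maintainer re-runs it only after reviewing the fork's code, because the re-run gives that code access to this repository's secrets.` That the failure is intentional is inferred from the existing wording; the check-run workflow itself is not in this diff. The `on:` block continues outside the hunk.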
@@ -1,3 +1,7 @@
+# This workflow will run in the context of the source of the PR.
+# On a PR from a fork, the workflow will not have access to secrets, and so any parts of the build that require secrets will not run.
+# If additional artifacts are needed, the failed "build-cli-target.yml" workflow held up by the check-run should be re-run.
+
 name: Build CLI

 on:
diff --git a/.github/workflows/build-desktop-target.yml b/.github/workflows/build-desktop-target.yml
index 8c26f99117..42ca2be137 100644
--- a/.github/workflows/build-desktop-target.yml
+++ b/.github/workflows/build-desktop-target.yml
@@ -1,3 +1,10 @@
+
+# This workflow is intended to be run when we need to build the client and produce artifacts that require secrets
+# when the PR source branch does not have access to secrets (e.g. a fork).
+# This workflow will run in the context of the target of the PR and have access to secrets.
+# This should only be done after reviewing the PR to ensure that no malicious code has been introduced,
+# as it could allow the code on the forked branch to have access to workflow secrets.
+
 name: Build Desktop on PR Target

 on:
@@ -24,7 +31,7 @@ jobs:
 uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main

 run-workflow:
- name: Run Build Desktop on PR Target
+ name: Build Desktop
 needs: check-run
 if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
 uses: ./.github/workflows/build-desktop.yml
diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml
index 72b60da97a..4c35eb4c42 100644
--- a/.github/workflows/build-desktop.yml
+++ b/.github/workflows/build-desktop.yml
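Review bot: The first added line of the build-desktop-target.yml hunk is an empty `+` line ahead of the comment, so that file now opens with a blank line and its header reads `@@ -1,3 +1,10 @@` where the three sibling target workflows are `+1,9`. Drop that leading line so the comment block starts at line 1 like the others; yamllint's empty-lines rule also rejects a leading blank by default. The comment text itself is identical to the other target workflows, which is good for grepping, so only the stray line needs to go.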
@@ -1,3 +1,7 @@
+# This workflow will run in the context of the source of the PR.
+# On a PR from a fork, the workflow will not have access to secrets, and so any parts of the build that require secrets will not run.
+# If additional artifacts are needed, the failed "build-desktop-target.yml" workflow held up by the check-run should be re-run.
+
 name: Build Desktop

 on:
diff --git a/.github/workflows/build-web-target.yml b/.github/workflows/build-web-target.yml
index fb7074292b..390b3c1c57 100644
--- a/.github/workflows/build-web-target.yml
+++ b/.github/workflows/build-web-target.yml
@@ -1,3 +1,9 @@
+# This workflow is intended to be run when we need to build the client and produce artifacts that require secrets
+# when the PR source branch does not have access to secrets (e.g. a fork).
+# This workflow will run in the context of the target of the PR and have access to secrets.
+# This should only be done after reviewing the PR to ensure that no malicious code has been introduced,
+# as it could allow the code on the forked branch to have access to workflow secrets.
+
 name: Build Web on PR Target

 on:
@@ -24,7 +30,7 @@ jobs:
 uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main

 run-workflow:
- name: Run Build Web on PR Target
+ name: Build Web
 needs: check-run
 if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
 uses: ./.github/workflows/build-web.yml
diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml
index a0d9026e47..f706bba610 100644
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -1,3 +1,7 @@
+# This workflow will run in the context of the source of the PR.
+# On a PR from a fork, the workflow will not have access to secrets, and so any parts of the build that require secrets will not run.
+# If additional artifacts are needed, the failed "build-web-target.yml" workflow held up by the check-run should be re-run.
+
 name: Build Web

 on:
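Review bot: The second comment line added to build-web-target.yml says the source branch lacks secrets "(e.g. a fork)", but the `run-workflow` job in the second hunk is guarded by `if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}`, so a fork PR is the only case this workflow actually handles and "e.g." invites readers to expect others. I would tie the comment to the guard: `# when the PR source branch does not have access to secrets (i.e. the PR comes from a fork; see the if: guard on run-workflow below).` The same wording is repeated in the other three target workflows and would want the same change. The `on:` block continues outside the hunk.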