Merge branch 'main' into km/beeep/fido2-deps

2026-02-24 08:33:29 +00:00 · 2024-12-19 10:54:53 -08:00
parent 6055da1fc3 0f9e18b828
commit 22b9bd5d94
560 changed files with 28337 additions and 7230 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -105,7 +105,8 @@ apps/desktop/macos/autofill-extension @bitwarden/team-autofill-dev
 # DuckDuckGo integration
 apps/desktop/native-messaging-test-runner @bitwarden/team-autofill-dev
 apps/desktop/src/services/duckduckgo-message-handler.service.ts @bitwarden/team-autofill-dev
-
+# SSH Agent
+apps/desktop/desktop_native/core/src/ssh_agent @bitwarden/team-autofill-dev @bitwarden/wg-ssh-keys

 ## Component Library ##
 .storybook @bitwarden/team-design-system
@@ -138,9 +139,6 @@ apps/cli/src/locales/en/messages.json
 apps/desktop/src/locales/en/messages.json
 apps/web/src/locales/en/messages.json

-## Ssh agent temporary co-codeowner
-apps/desktop/desktop_native/core/src/ssh_agent @bitwarden/team-platform-dev @bitwarden/wg-ssh-keys
-
 ## BRE team owns these workflows ##
 .github/workflows/brew-bump-desktop.yml @bitwarden/dept-bre
 .github/workflows/deploy-web.yml @bitwarden/dept-bre
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -174,6 +174,9 @@ jobs:
  build-containers:
    name: Build Docker images
    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
+      id-token: write
    needs:
      - setup
      - build-artifacts
@@ -270,6 +273,7 @@ jobs:
        run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT

      - name: Build Docker image
+        id: build-docker
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          context: apps/web
@@ -279,11 +283,40 @@ jobs:
          tags: ${{ steps.image-name.outputs.name }}
          secrets: |
            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
+      
+      - name: Install Cosign
+        if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Sign image with Cosign
+        if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
+        env:
+          DIGEST: ${{ steps.build-docker.outputs.digest }}
+          TAGS: ${{ steps.image-name.outputs.name }}
+        run: |
+          IFS="," read -a tags <<< "${TAGS}"
+          images=""
+          for tag in "${tags[@]}"; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+
+      - name: Scan Docker image
+        id: container-scan
+        uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
+        with:
+          image: ${{ steps.image-name.outputs.name }}
+          fail-build: false
+          output-format: sarif
+
+      - name: Upload Grype results to GitHub
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        with:
+          sarif_file: ${{ steps.container-scan.outputs.sarif }}

      - name: Log out of Docker
        run: docker logout

-
  crowdin-push:
    name: Crowdin Push
    if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'