From dd50781f5c9a40186ce4222952b315eb9fc76878 Mon Sep 17 00:00:00 2001
From: Andreas Coroiu <andreas.coroiu@gmail.com>
Date: Fri, 13 Dec 2024 11:16:07 +0100
Subject: [PATCH] feat: add conditional permission requirement to build jobs

---
 .github/workflows/build-browser.yml |  34 ++++++---
 .github/workflows/build-cli.yml     |  42 +++++++----
 .github/workflows/build-desktop.yml | 109 +++++++++++++++++-----------
 .github/workflows/build-web.yml     |  48 ++++++++----
 4 files changed, 151 insertions(+), 82 deletions(-)

diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml
index 56a980bf0f9..fad8698a3bd 100644
--- a/.github/workflows/build-browser.yml
+++ b/.github/workflows/build-browser.yml
@@ -38,14 +38,38 @@ defaults:
     shell: bash
 
 jobs:
+  check-secrets:
+    name: Check Secrets
+    runs-on: ubuntu-22.04
+    outputs:
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
+    steps:
+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
+  # Enforce permissions _if_ the workflow has access to secrets to avoid
+  # bots having unsupervised access to secrets.
+  check-run:
+    name: Check PR run
+    needs:
+      - check-secrets
+    if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
   setup:
     name: Setup
     runs-on: ubuntu-22.04
+    needs:
+      - check-secrets
     outputs:
       repo_url: ${{ steps.gen_vars.outputs.repo_url }}
       adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }}
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
-      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -69,14 +93,6 @@ jobs:
           NODE_VERSION=${NODE_NVMRC/v/''}
           echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
-      - name: Check secrets
-        id: check-secrets
-        env:
-          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-        run: |
-          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
-          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
-
 
   locales-test:
     name: Locales Test
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 35970a8b307..b634621c5e0 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -41,13 +41,35 @@ defaults:
     working-directory: apps/cli
 
 jobs:
+  check-secrets:
+    name: Check Secrets
+    runs-on: ubuntu-22.04
+    outputs:
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
+    steps:
+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
+  # Enforce permissions _if_ the workflow has access to secrets to avoid
+  # bots having unsupervised access to secrets.
+  check-run:
+    name: Check PR run
+    needs:
+      - check-secrets
+    if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
   setup:
     name: Setup
     runs-on: ubuntu-22.04
     outputs:
       package_version: ${{ steps.retrieve-package-version.outputs.package_version }}
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
-      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -68,14 +90,6 @@ jobs:
           NODE_VERSION=${NODE_NVMRC/v/''}
           echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
-      - name: Check secrets
-        id: check-secrets
-        env:
-          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-        run: |
-          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
-          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
-
   cli:
     name: CLI ${{ matrix.os.base }} - ${{ matrix.license_type.readable }}
     strategy:
@@ -92,6 +106,7 @@ jobs:
           ]
     runs-on: ${{ matrix.os.distro }}
     needs:
+      - check-secrets
       - setup
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -122,7 +137,7 @@ jobs:
         working-directory: ./
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -135,7 +150,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.` == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
@@ -192,6 +207,7 @@ jobs:
           ]
     runs-on: windows-2022
     needs:
+      - check-secrets
       - setup
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -277,7 +293,7 @@ jobs:
         working-directory: ./
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -290,7 +306,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml
index e35dee54e08..7ebabdd74a2 100644
--- a/.github/workflows/build-desktop.yml
+++ b/.github/workflows/build-desktop.yml
@@ -39,6 +39,29 @@ defaults:
     shell: bash
 
 jobs:
+  check-secrets:
+    name: Check Secrets
+    runs-on: ubuntu-22.04
+    outputs:
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
+    steps:
+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
+  # Enforce permissions _if_ the workflow has access to secrets to avoid
+  # bots having unsupervised access to secrets.
+  check-run:
+    name: Check PR run
+    needs:
+      - check-secrets
+    if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
   electron-verify:
     name: Verify Electron Version
     runs-on: ubuntu-22.04
@@ -70,7 +93,6 @@ jobs:
       rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }}
       hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }}
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
-      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     defaults:
       run:
         working-directory: apps/desktop
@@ -133,14 +155,6 @@ jobs:
           NODE_VERSION=${NODE_NVMRC/v/''}
           echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
-      - name: Check secrets
-        id: check-secrets
-        env:
-          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-        run: |
-          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
-          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
-
   linux:
     name: Linux Build
     # Note, before updating the ubuntu version of the workflow, ensure the snap base image
@@ -294,6 +308,7 @@ jobs:
     name: Windows Build
     runs-on: windows-2022
     needs:
+      - check-secrets
       - setup
     defaults:
       run:
@@ -336,14 +351,14 @@ jobs:
           rustup show
 
       - name: Login to Azure
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
           keyvault: "bitwarden-ci"
@@ -358,7 +373,7 @@ jobs:
         working-directory: ./
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -371,7 +386,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
@@ -396,12 +411,12 @@ jobs:
           npm run build
 
       - name: Pack
-        if: ${{ needs.setup.outputs.has_secrets == 'false' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'false' }}
         run: |
           npm run pack:win
 
       - name: Pack & Sign (dev)
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         env:
           ELECTRON_BUILDER_SIGN: 1
           SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }}
@@ -413,7 +428,7 @@ jobs:
           npm run pack:win
 
       - name: Rename appx files for store
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         run: |
           Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx" `
             -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx"
@@ -423,7 +438,7 @@ jobs:
             -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx"
 
       - name: Package for Chocolatey
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         run: |
           Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
           Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe `
@@ -435,7 +450,7 @@ jobs:
           choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey
 
       - name: Fix NSIS artifact names for auto-updater
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         run: |
           Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z `
             -NewName bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@@ -452,7 +467,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload installer exe artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe
@@ -460,7 +475,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload appx ia32 artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx
@@ -468,7 +483,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload store appx ia32 artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx
@@ -476,7 +491,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload NSIS ia32 artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@@ -484,7 +499,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload appx x64 artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx
@@ -492,7 +507,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload store appx x64 artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx
@@ -500,7 +515,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload NSIS x64 artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z
@@ -508,7 +523,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload appx ARM64 artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx
@@ -516,7 +531,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload store appx ARM64 artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx
@@ -524,7 +539,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload NSIS ARM64 artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z
@@ -532,7 +547,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload nupkg artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: bitwarden.${{ env._PACKAGE_VERSION }}.nupkg
@@ -540,7 +555,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload auto-update artifact
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: ${{ needs.setup.outputs.release_channel }}.yml
@@ -552,6 +567,7 @@ jobs:
     name: MacOS Build
     runs-on: macos-13
     needs:
+      - check-secrets
       - setup
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -603,13 +619,13 @@ jobs:
           key: ${{ runner.os }}-${{ github.run_id }}-safari-extension
 
       - name: Login to Azure
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
       - name: Download Provisioning Profiles secrets
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         env:
           ACCOUNT_NAME: bitwardenci
           CONTAINER_NAME: profiles
@@ -622,7 +638,7 @@ jobs:
             --output none
 
       - name: Get certificates
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         run: |
           mkdir -p $HOME/certificates
 
@@ -645,7 +661,7 @@ jobs:
             jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12
 
       - name: Set up keychain
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         env:
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
         run: |
@@ -675,7 +691,7 @@ jobs:
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
 
       - name: Set up provisioning profiles
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         run: |
           cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \
             $GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile
@@ -695,7 +711,7 @@ jobs:
         working-directory: ./
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -708,7 +724,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
@@ -734,8 +750,10 @@ jobs:
 
   browser-build:
     name: Browser Build
-    needs: setup
-    if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+    needs:
+      - check-secrets
+      - setup
+    if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
     uses: ./.github/workflows/build-browser.yml
     secrets: inherit
 
@@ -743,11 +761,12 @@ jobs:
   macos-package-github:
     name: MacOS Package GitHub Release Assets
     runs-on: macos-13
-    if: ${{ needs.setup.outputs.has_secrets == 'true' }}
     needs:
+      - check-secrets
       - browser-build
       - macos-build
       - setup
+    if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
@@ -985,11 +1004,12 @@ jobs:
   macos-package-mas:
     name: MacOS Package Prod Release Asset
     runs-on: macos-13
-    if: ${{ needs.setup.outputs.has_secrets == 'true' }}
     needs:
+      - check-secrets
+      - setup
       - browser-build
       - macos-build
-      - setup
+    if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
@@ -1253,11 +1273,12 @@ jobs:
   macos-package-dev:
     name: MacOS Package Dev Release Asset
     runs-on: macos-13
-    if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+    if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
     needs:
+      - check-secrets
+      - setup
       - browser-build
       - macos-build
-      - setup
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml
index 2360f876826..4987fc75fc4 100644
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -43,13 +43,35 @@ env:
   _AZ_REGISTRY: bitwardenprod.azurecr.io
 
 jobs:
+  check-secrets:
+    name: Check Secrets
+    runs-on: ubuntu-22.04
+    outputs:
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
+    steps:
+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
+  # Enforce permissions _if_ the workflow has access to secrets to avoid
+  # bots having unsupervised access to secrets.
+  check-run:
+    name: Check PR run
+    needs:
+      - check-secrets
+    if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
   setup:
     name: Setup
     runs-on: ubuntu-22.04
     outputs:
       version: ${{ steps.version.outputs.value }}
       node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
-      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -67,18 +89,11 @@ jobs:
           NODE_VERSION=${NODE_NVMRC/v/''}
           echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
-      - name: Check secrets
-        id: check-secrets
-        env:
-          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-        run: |
-          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
-          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
-
   build-artifacts:
     name: Build artifacts
     runs-on: ubuntu-22.04
     needs:
+      - check-secrets
       - setup
     env:
       _VERSION: ${{ needs.setup.outputs.version }}
@@ -133,7 +148,7 @@ jobs:
         run: npm ci
 
       - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
@@ -146,7 +161,7 @@ jobs:
           if_no_artifact_found: fail
 
       - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
         working-directory: ./
         run: |
           ls -l ../
@@ -180,6 +195,7 @@ jobs:
     name: Build Docker images
     runs-on: ubuntu-22.04
     needs:
+      - check-secrets
       - setup
       - build-artifacts
     strategy:
@@ -215,23 +231,23 @@ jobs:
 
       ########## ACRs ##########
       - name: Login to Prod Azure
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
           creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
 
       - name: Log into Prod container registry
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         run: az acr login -n bitwardenprod
 
       - name: Login to Azure - CI Subscription
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
       - name: Retrieve github PAT secrets
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         id: retrieve-secret-pat
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
@@ -279,7 +295,7 @@ jobs:
         run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
 
       - name: Build Docker image
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: apps/web