Merge remote-tracking branch 'origin/main' into feature/passkey-provider

.github/CODEOWNERS

@@ -38,10 +38,12 @@ libs/importer @bitwarden/team-tools-dev
 libs/tools @bitwarden/team-tools-dev
 
 ## Dirt (Data Insights & Reporting) team files ##
+apps/browser/src/dirt @bitwarden/team-data-insights-and-reporting-dev
 apps/web/src/app/dirt @bitwarden/team-data-insights-and-reporting-dev
 bitwarden_license/bit-common/src/dirt @bitwarden/team-data-insights-and-reporting-dev
 bitwarden_license/bit-web/src/app/dirt @bitwarden/team-data-insights-and-reporting-dev
 libs/dirt @bitwarden/team-data-insights-and-reporting-dev
+libs/common/src/dirt @bitwarden/team-data-insights-and-reporting-dev
 
 ## Localization/Crowdin (Platform and Tools team)
 apps/browser/src/_locales @bitwarden/team-tools-dev @bitwarden/team-platform-dev
@@ -96,7 +98,6 @@ libs/storage-core @bitwarden/team-platform-dev
 libs/logging @bitwarden/team-platform-dev
 libs/storage-test-utils @bitwarden/team-platform-dev
 libs/messaging @bitwarden/team-platform-dev
-libs/messaging-internal @bitwarden/team-platform-dev
 libs/serialization @bitwarden/team-platform-dev
 libs/guid @bitwarden/team-platform-dev
 libs/client-type @bitwarden/team-platform-dev
@@ -139,7 +140,7 @@ nx.json @bitwarden/team-platform-dev
 
 ## Autofill team files ##
 apps/browser/src/autofill @bitwarden/team-autofill-dev
-apps/desktop/src/autofill @bitwarden/team-autofill-dev
+apps/desktop/src/autofill @bitwarden/team-autofill-desktop-dev
 libs/common/src/autofill @bitwarden/team-autofill-dev
 apps/desktop/macos/autofill-extension @bitwarden/team-autofill-desktop-dev
 .github/workflows/test-browser-interactions.yml @bitwarden/team-autofill-dev
@@ -161,6 +162,7 @@ apps/desktop/desktop_native/core/src/ssh_agent @bitwarden/team-autofill-desktop-
 libs/components @bitwarden/team-ui-foundation
 libs/assets @bitwarden/team-ui-foundation
 libs/ui @bitwarden/team-ui-foundation
+libs/angular/src/scss @bitwarden/team-ui-foundation
 apps/browser/src/platform/popup/layout @bitwarden/team-ui-foundation
 apps/browser/src/popup/app-routing.animations.ts @bitwarden/team-ui-foundation
 apps/browser/src/popup/components/extension-anon-layout-wrapper @bitwarden/team-ui-foundation
@@ -203,11 +205,12 @@ apps/web/src/locales/en/messages.json
 .github/workflows/release-desktop.yml @bitwarden/dept-bre
 .github/workflows/release-web.yml @bitwarden/dept-bre
 
-## Docker files have shared ownership ##
-**/Dockerfile
-**/*.Dockerfile
-**/.dockerignore
-**/entrypoint.sh
+## Docker-related files
+**/Dockerfile @bitwarden/team-appsec @bitwarden/dept-bre
+**/*.Dockerfile @bitwarden/team-appsec @bitwarden/dept-bre
+**/*.dockerignore @bitwarden/team-appsec @bitwarden/dept-bre
+**/docker-compose.yml @bitwarden/team-appsec @bitwarden/dept-bre
+**/entrypoint.sh @bitwarden/team-appsec @bitwarden/dept-bre
 
 ## Overrides
 # For the time being platform owns tsconfig and jest config

.github/renovate.json5

@@ -106,7 +106,6 @@
         "@emotion/css",
         "@webcomponents/custom-elements",
         "bitwarden-russh",
-        "bytes",
         "concurrently",
         "cross-env",
         "del",

.github/workflows/alert-ddg-files-modified.yml

@@ -29,19 +29,56 @@ jobs:
             - 'apps/desktop/src/services/duckduckgo-message-handler.service.ts'
             - 'apps/desktop/src/services/encrypted-message-handler.service.ts'
 
+    - name: Remove past BIT status comments
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      with:
+        script: |
+          // Note: should match the first line of `message` in the communication steps
+          const workflowCommentTag = '<!-- comment_tag: ddg-test-warning -->';
+
+          const issueComments = await github.rest.issues.listComments({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+          });
+
+          for (const comment of issueComments.data || []) {
+            const shouldDeleteComment =
+              // Do not delete comments that were not automated
+              !!comment.performed_via_github_app &&
+
+              // Do not delete user comments
+              comment.user.type === 'Bot' &&
+
+              // Do not delete edited comments
+              comment.created_at === comment.updated_at &&
+
+              // Only delete comments from this workflow
+              comment.body.trim().startsWith(workflowCommentTag);
+
+            if (shouldDeleteComment) {
+              await github.rest.issues.deleteComment({
+                comment_id: comment.id,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+              });
+            }
+          }
+
     - name: Comment on PR if monitored files changed
       if: steps.changed-files.outputs.monitored == 'true'
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       with:
         script: |
           const changedFiles = `${{ steps.changed-files.outputs.monitored_files }}`.split(' ').filter(file => file.trim() !== '');
 
-          const message = `⚠️🦆 **DuckDuckGo Integration files have been modified in this PR:**
-          
+          const message = `<!-- comment_tag: ddg-test-warning -->
+          ⚠️🦆 **DuckDuckGo Integration files have been modified in this PR:**
+
           ${changedFiles.map(file => `- \`${file}\``).join('\n')}
-          
+
           Please run the DuckDuckGo native messaging test runner from this branch using [these instructions](https://contributing.bitwarden.com/getting-started/clients/desktop/native-messaging-test-runner) and ensure it functions properly.`;
-          
+
           github.rest.issues.createComment({
             issue_number: context.issue.number,
             owner: context.repo.owner,

.github/workflows/auto-reply-discussions.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: Get discussion label and template name
         id: discussion-label
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const discussion = context.payload.discussion;
@@ -29,7 +29,7 @@ jobs:
 
       - name: Get selected topic
         id: get_selected_topic
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           result-encoding: string
           script: |
@@ -45,7 +45,7 @@ jobs:
             }
 
       - name: Reply or close Discussion
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           TEMPLATE_NAME: ${{ steps.discussion-label.outputs.template_name }}
           TOPIC: ${{ steps.get_selected_topic.outputs.result }}

.github/workflows/build-desktop.yml

@@ -387,6 +387,15 @@ jobs:
           rustup target add aarch64-unknown-linux-musl
           node build.js --target=aarch64-unknown-linux-musl --release
 
+      - name: Check index.d.ts generated
+        if: github.event_name == 'pull_request' && steps.cache.outputs.cache-hit != 'true'
+        working-directory: apps/desktop/desktop_native
+        run: |
+          if ! git diff --quiet --name-only -- napi/index.d.ts; then
+            echo "NAPI index.d.ts doesn't match, make sure to regenerate it and commit it"
+            exit 1
+          fi
+
       - name: Build application
         run: npm run dist:lin:arm64
 

.github/workflows/build-web.yml

@@ -106,6 +106,10 @@ jobs:
           - artifact_name: selfhosted-COMMERCIAL
             image_name: web
             npm_command: dist:bit:selfhost
+          - artifact_name: selfhosted-DEV
+            image_name: web
+            npm_command: build:bit:selfhost:dev
+            git_metadata: true
           - artifact_name: cloud-QA
             image_name: web-qa-cloud
             npm_command: build:bit:qa
@@ -405,7 +409,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Trigger web vault deploy using GitHub Run ID
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
           script: |

.github/workflows/chromatic.yml

@@ -97,7 +97,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Publish to Chromatic
-        uses: chromaui/action@e8cc4c31775280b175a3c440076c00d19a9014d7 # v11.28.2
+        uses: chromaui/action@d0795df816d05c4a89c80295303970fddd247cce # v13.1.4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           projectToken: ${{ steps.get-kv-secrets.outputs.CHROMATIC-PROJECT-TOKEN }}

.github/workflows/lint.yml

@@ -49,6 +49,7 @@ jobs:
             ! -path "*/Cargo.toml" \
             ! -path "*/Cargo.lock" \
             ! -path "./apps/desktop/macos/*" \
+            ! -path "*/CLAUDE.md" \
             > tmp.txt
           diff <(sort .github/whitelist-capital-letters.txt) <(sort tmp.txt)
 

.github/workflows/nx.yml

@@ -0,0 +1,42 @@
+name: Experimental Nx CI
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  nx-experiment:
+    name: Run Nx Affected Tasks
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      
+      - name: Get Node Version
+        id: retrieve-node-version
+        working-directory: ./
+        run: |
+          NODE_NVMRC=$(cat .nvmrc)
+          NODE_VERSION=${NODE_NVMRC/v/''}
+          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Set up Node
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          cache: 'npm'
+          cache-dependency-path: '**/package-lock.json'
+          node-version: ${{ env._NODE_VERSION }}
+      
+      - name: Install dependencies
+        run: npm ci
+      
+      - name: Set Nx SHAs for affected detection
+        uses: nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 # v4.3.3
+      
+      - name: Run Nx affected tasks
+        continue-on-error: true
+        run: npx nx affected -t build lint test

.github/workflows/publish-cli.yml

@@ -183,6 +183,7 @@ jobs:
 
   npm:
     name: Publish NPM
+    environment: CLI - NPM
     runs-on: ubuntu-22.04
     needs: setup
     permissions:
@@ -195,23 +196,20 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Get Node version
+        id: retrieve-node-version
+        run: |
+          NODE_NVMRC=$(cat .nvmrc)
+          NODE_VERSION=${NODE_NVMRC/v/''}
+          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
+      - name: Set up Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "npm-api-key"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
+          node-version: ${{ steps.retrieve-node-version.outputs.node_version }}
+          npm-version: "11.5.1" # FIXME: npm 11.5.1 or later is required to publish w/ OIDC; move version management to somewhere maintainable by automation
+          registry-url: "https://registry.npmjs.org/"
 
       - name: Download and set up artifact
         run: |
@@ -219,19 +217,9 @@ jobs:
           wget https://github.com/bitwarden/clients/releases/download/cli-v${{ env._PKG_VERSION }}/bitwarden-cli-${{ env._PKG_VERSION }}-npm-build.zip
           unzip bitwarden-cli-${{ env._PKG_VERSION }}-npm-build.zip -d build
 
-      - name: Setup NPM
-        run: |
-          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
-        env:
-          NPM_TOKEN: ${{ steps.retrieve-secrets.outputs.npm-api-key }}
-
-      - name: Install Husky
-        run: npm install -g husky
-
       - name: Publish NPM
         if: ${{ inputs.publish_type != 'Dry Run' }}
-        run: npm publish --access public --regsitry=https://registry.npmjs.org/  --userconfig=./.npmrc
+        run: npm publish --access public
 
   update-deployment:
     name: Update Deployment Status

.github/workflows/publish-web.yml

@@ -179,7 +179,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Trigger self-host build
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
           script: |

.github/workflows/test-browser-interactions.yml

@@ -11,6 +11,7 @@ jobs:
   check-files:
     name: Check files
     runs-on: ubuntu-22.04
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     permissions:
       actions: write
       contents: read