Merge remote-tracking branch 'origin/main' into playwright

.github/CODEOWNERS

@@ -8,7 +8,9 @@
 apps/desktop/desktop_native @bitwarden/team-platform-dev
 apps/desktop/desktop_native/objc/src/native/autofill @bitwarden/team-autofill-desktop-dev
 apps/desktop/desktop_native/core/src/autofill @bitwarden/team-autofill-desktop-dev
+apps/desktop/desktop_native/macos_provider @bitwarden/team-autofill-desktop-dev
 apps/desktop/desktop_native/core/src/secure_memory @bitwarden/team-key-management-dev
+
 ## No ownership for Cargo.lock and Cargo.toml to allow dependency updates
 apps/desktop/desktop_native/Cargo.lock
 apps/desktop/desktop_native/Cargo.toml
@@ -73,6 +75,7 @@ bitwarden_license/bit-cli/src/admin-console @bitwarden/team-admin-console-dev
 libs/angular/src/admin-console @bitwarden/team-admin-console-dev
 libs/common/src/admin-console @bitwarden/team-admin-console-dev
 libs/admin-console @bitwarden/team-admin-console-dev
+libs/auto-confirm @bitwarden/team-admin-console-dev
 
 ## Billing team files ##
 apps/browser/src/billing @bitwarden/team-billing-dev
@@ -233,3 +236,4 @@ libs/pricing @bitwarden/team-billing-dev
 .claude/ @bitwarden/team-ai-sme
 .github/workflows/respond.yml @bitwarden/team-ai-sme
 .github/workflows/review-code.yml @bitwarden/team-ai-sme
+libs/subscription @bitwarden/team-billing-dev

.github/PULL_REQUEST_TEMPLATE.md

@@ -9,27 +9,3 @@
 ## 📸 Screenshots
 
 <!-- Required for any UI changes; delete if not applicable. Use fixed width images for better display. -->
-
-## ⏰ Reminders before review
-
-- Contributor guidelines followed
-- All formatters and local linters executed and passed
-- Written new unit and / or integration tests where applicable
-- Protected functional changes with optionality (feature flags)
-- Used internationalization (i18n) for all UI strings
-- CI builds passed
-- Communicated to DevOps any deployment requirements
-- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
-
-## 🦮 Reviewer guidelines
-
-<!-- Suggested interactions but feel free to use (or not) as you desire! -->
-
-- 👍 (`:+1:`) or similar for great changes
-- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
-- ❓ (`:question:`) for questions
-- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
-- 🎨 (`:art:`) for suggestions / improvements
-- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention
-- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt
-- ⛏ (`:pick:`) for minor or nitpick changes

.github/renovate.json5

@@ -3,6 +3,7 @@
   extends: ["github>bitwarden/renovate-config"], // Extends our default configuration for pinned dependencies
   enabledManagers: ["cargo", "github-actions", "npm"],
   packageRules: [
+    // ==================== Repo-Wide Update Behavior Rules ====================
     {
       // Group all Github Action minor updates together to reduce PR noise.
       groupName: "Minor github-actions updates",
@@ -16,13 +17,6 @@
       matchDepNames: ["rust"],
       commitMessageTopic: "Rust",
     },
-    {
-      // By default, we send patch updates to the Dependency Dashboard and do not generate a PR.
-      // We want to generate PRs for a select number of dependencies to ensure we stay up to date on these.
-      matchPackageNames: ["browserslist", "electron", "rxjs", "typescript", "webpack", "zone.js"],
-      matchUpdateTypes: ["patch"],
-      dependencyDashboardApproval: false,
-    },
     {
       // Disable major and minor updates for TypeScript and Zone.js because they are managed by Angular.
       matchPackageNames: ["typescript", "zone.js"],
@@ -44,6 +38,8 @@
       description: "Manually updated using ng update",
       enabled: false,
     },
+
+    // ==================== Team Ownership Rules ====================
     {
       matchPackageNames: ["buffer", "bufferutil", "core-js", "process", "url", "util"],
       description: "Admin Console owned dependencies",
@@ -79,28 +75,6 @@
       commitMessagePrefix: "[deps] Architecture:",
       reviewers: ["team:dept-architecture"],
     },
-    {
-      matchPackageNames: [
-        "@angular-eslint/schematics",
-        "@eslint/compat",
-        "@typescript-eslint/rule-tester",
-        "@typescript-eslint/utils",
-        "angular-eslint",
-        "eslint-config-prettier",
-        "eslint-import-resolver-typescript",
-        "eslint-plugin-import",
-        "eslint-plugin-rxjs-angular",
-        "eslint-plugin-rxjs",
-        "eslint-plugin-storybook",
-        "eslint-plugin-tailwindcss",
-        "eslint",
-        "husky",
-        "lint-staged",
-        "typescript-eslint",
-      ],
-      groupName: "Minor and patch linting updates",
-      matchUpdateTypes: ["minor", "patch"],
-    },
     {
       matchPackageNames: [
         "@emotion/css",
@@ -119,7 +93,7 @@
         "rimraf",
         "ssh-encoding",
         "ssh-key",
-        "@storybook/web-components-webpack5",
+        "@storybook/web-components-vite",
         "tabbable",
         "tldts",
         "wait-on",
@@ -154,11 +128,11 @@
         "@types/glob",
         "@types/lowdb",
         "@types/node",
-        "@types/node-forge",
         "@types/node-ipc",
         "@yao-pkg/pkg",
         "anyhow",
         "arboard",
+        "ashpd",
         "babel-loader",
         "base64-loader",
         "base64",
@@ -169,6 +143,7 @@
         "core-foundation",
         "copy-webpack-plugin",
         "css-loader",
+        "ctor",
         "dirs",
         "electron",
         "electron-builder",
@@ -184,6 +159,7 @@
         "html-webpack-injector",
         "html-webpack-plugin",
         "interprocess",
+        "itertools",
         "json5",
         "keytar",
         "libc",
@@ -192,12 +168,10 @@
         "napi",
         "napi-build",
         "napi-derive",
-        "node-forge",
         "node-ipc",
         "nx",
         "oo7",
         "oslog",
-        "parse5",
         "pin-project",
         "pkg",
         "postcss",
@@ -207,6 +181,7 @@
         "sass",
         "sass-loader",
         "scopeguard",
+        "secmem-proc",
         "security-framework",
         "security-framework-sys",
         "semver",
@@ -215,6 +190,9 @@
         "simplelog",
         "style-loader",
         "sysinfo",
+        "thiserror",
+        "tokio",
+        "tokio-util",
         "tracing",
         "tracing-subscriber",
         "ts-node",
@@ -236,61 +214,17 @@
         "windows-registry",
         "zbus",
         "zbus_polkit",
+        "zeroizing-alloc",
       ],
       description: "Platform owned dependencies",
       commitMessagePrefix: "[deps] Platform:",
       reviewers: ["team:team-platform-dev"],
     },
     {
-      // We need to group all napi-related packages together to avoid build errors caused by version incompatibilities.
-      groupName: "napi",
-      matchPackageNames: ["napi", "napi-build", "napi-derive"],
-    },
-    {
-      // We need to group all macOS/iOS binding-related packages together to avoid build errors caused by version incompatibilities.
-      groupName: "macOS/iOS bindings",
-      matchPackageNames: ["core-foundation", "security-framework", "security-framework-sys"],
-    },
-    {
-      // We need to group all zbus-related packages together to avoid build errors caused by version incompatibilities.
-      groupName: "zbus",
-      matchPackageNames: ["zbus", "zbus_polkit"],
-    },
-    {
-      // We need to group all windows-related packages together to avoid build errors caused by version incompatibilities.
-      groupName: "windows",
-      matchPackageNames: ["windows", "windows-core", "windows-future", "windows-registry"],
-    },
-    {
-      // We group all webpack build-related minor and patch updates together to reduce PR noise.
-      // We include patch updates here because we want PRs for webpack patch updates and it's in this group.
-      matchPackageNames: [
-        "@babel/core",
-        "@babel/preset-env",
-        "babel-loader",
-        "base64-loader",
-        "browserslist",
-        "copy-webpack-plugin",
-        "css-loader",
-        "html-loader",
-        "html-webpack-injector",
-        "html-webpack-plugin",
-        "mini-css-extract-plugin",
-        "postcss-loader",
-        "postcss",
-        "sass-loader",
-        "sass",
-        "style-loader",
-        "ts-loader",
-        "tsconfig-paths-webpack-plugin",
-        "webpack-cli",
-        "webpack-dev-server",
-        "webpack-node-externals",
-        "webpack",
-      ],
-      description: "webpack-related build dependencies",
-      groupName: "Minor and patch webpack updates",
-      matchUpdateTypes: ["minor", "patch"],
+      matchUpdateTypes: ["lockFileMaintenance"],
+      description: "Platform owns lock file maintenance",
+      commitMessagePrefix: "[deps] Platform:",
+      reviewers: ["team:team-platform-dev"],
     },
     {
       matchPackageNames: [
@@ -311,26 +245,24 @@
         "@compodoc/compodoc",
         "@ng-select/ng-select",
         "@storybook/addon-a11y",
-        "@storybook/addon-actions",
         "@storybook/addon-designs",
-        "@storybook/addon-essentials",
-        "@storybook/addon-interactions",
+        "@storybook/addon-docs",
         "@storybook/addon-links",
         "@storybook/test-runner",
         "@storybook/addon-themes",
         "@storybook/angular",
-        "@storybook/manager-api",
-        "@storybook/theming",
         "@types/react",
         "autoprefixer",
         "bootstrap",
         "chromatic",
         "ngx-toastr",
+        "path-browserify",
         "react",
         "react-dom",
         "remark-gfm",
         "storybook",
         "tailwindcss",
+        "vite-tsconfig-paths",
         "zone.js",
         "@tailwindcss/container-queries",
       ],
@@ -351,11 +283,6 @@
       commitMessagePrefix: "[deps] SM:",
       reviewers: ["team:team-secrets-manager-dev"],
     },
-    {
-      // We need to update several Jest-related packages together, for version compatibility.
-      groupName: "jest",
-      matchPackageNames: ["@types/jest", "jest", "ts-jest", "jest-preset-angular"],
-    },
     {
       matchPackageNames: [
         "@microsoft/signalr-protocol-msgpack",
@@ -363,6 +290,7 @@
         "@types/jsdom",
         "@types/papaparse",
         "@types/zxcvbn",
+        "aes-gcm",
         "async-trait",
         "clap",
         "jsdom",
@@ -370,6 +298,7 @@
         "oidc-client-ts",
         "papaparse",
         "utf-8-validate",
+        "verifysign",
         "zxcvbn",
       ],
       description: "Tools owned dependencies",
@@ -411,19 +340,209 @@
     },
     {
       matchPackageNames: [
+        "@types/node-forge",
         "aes",
         "big-integer",
         "cbc",
+        "chacha20poly1305",
+        "linux-keyutils",
+        "memsec",
+        "node-forge",
         "rsa",
         "russh-cryptovec",
         "sha2",
-        "memsec",
-        "linux-keyutils",
       ],
       description: "Key Management owned dependencies",
       commitMessagePrefix: "[deps] KM:",
       reviewers: ["team:team-key-management-dev"],
     },
+
+    // ==================== Grouping Rules ====================
+    // These come after any specific team assignment rules to ensure
+    // that grouping is not overridden by subsequent rule definitions.
+    {
+      matchPackageNames: [
+        "@angular-eslint/schematics",
+        "@eslint/compat",
+        "@typescript-eslint/rule-tester",
+        "@typescript-eslint/utils",
+        "angular-eslint",
+        "eslint-config-prettier",
+        "eslint-import-resolver-typescript",
+        "eslint-plugin-import",
+        "eslint-plugin-rxjs-angular",
+        "eslint-plugin-rxjs",
+        "eslint-plugin-storybook",
+        "eslint-plugin-tailwindcss",
+        "eslint",
+        "husky",
+        "lint-staged",
+        "typescript-eslint",
+      ],
+      groupName: "Minor and patch linting updates",
+      matchUpdateTypes: ["minor", "patch"],
+    },
+    {
+      // We need to group all napi-related packages together to avoid build errors caused by version incompatibilities.
+      groupName: "napi",
+      matchPackageNames: ["napi", "napi-build", "napi-derive"],
+    },
+    {
+      // We need to group all macOS/iOS binding-related packages together to avoid build errors caused by version incompatibilities.
+      groupName: "macOS/iOS bindings",
+      matchPackageNames: ["core-foundation", "security-framework", "security-framework-sys"],
+    },
+    {
+      // We need to group all zbus-related packages together to avoid build errors caused by version incompatibilities.
+      groupName: "zbus",
+      matchPackageNames: ["zbus", "zbus_polkit"],
+    },
+    {
+      // We need to group all windows-related packages together to avoid build errors caused by version incompatibilities.
+      groupName: "windows",
+      matchPackageNames: ["windows", "windows-core", "windows-future", "windows-registry"],
+    },
+    {
+      // We need to group all tokio-related packages together to avoid build errors caused by version incompatibilities.
+      groupName: "tokio",
+      matchPackageNames: ["bytes", "tokio", "tokio-util"],
+    },
+    {
+      // We group all webpack build-related minor and patch updates together to reduce PR noise.
+      // We include patch updates here because we want PRs for webpack patch updates and it's in this group.
+      matchPackageNames: [
+        "@babel/core",
+        "@babel/preset-env",
+        "babel-loader",
+        "base64-loader",
+        "browserslist",
+        "copy-webpack-plugin",
+        "css-loader",
+        "html-loader",
+        "html-webpack-injector",
+        "html-webpack-plugin",
+        "mini-css-extract-plugin",
+        "postcss-loader",
+        "postcss",
+        "sass-loader",
+        "sass",
+        "style-loader",
+        "ts-loader",
+        "tsconfig-paths-webpack-plugin",
+        "webpack-cli",
+        "webpack-dev-server",
+        "webpack-node-externals",
+        "webpack",
+      ],
+      description: "webpack-related build dependencies",
+      groupName: "Minor and patch webpack updates",
+      matchUpdateTypes: ["minor", "patch"],
+    },
+    {
+      // We need to update several Jest-related packages together, for version compatibility.
+      groupName: "jest",
+      matchPackageNames: ["@types/jest", "jest", "ts-jest", "jest-preset-angular"],
+    },
+
+    // ==================== Dashboard Rules ====================
+    {
+      // For the packages below, we have decided we will only be creating PRs
+      // for major updates, and sending minor (as well as patch) to the dashboard.
+      // This rule comes AFTER grouping rules so that groups are respected while still
+      // sending minor/patch updates to the dependency dashboard for approval.
+      matchPackageNames: [
+        "anyhow",
+        "arboard",
+        "ashpd",
+        "babel-loader",
+        "base64-loader",
+        "base64",
+        "bindgen",
+        "byteorder",
+        "bytes",
+        "core-foundation",
+        "copy-webpack-plugin",
+        "css-loader",
+        "ctor",
+        "dirs",
+        "electron-builder",
+        "electron-log",
+        "electron-reload",
+        "electron-store",
+        "electron-updater",
+        "embed_plist",
+        "futures",
+        "hex",
+        "homedir",
+        "html-loader",
+        "html-webpack-injector",
+        "html-webpack-plugin",
+        "interprocess",
+        "json5",
+        "keytar",
+        "libc",
+        "lowdb",
+        "mini-css-extract-plugin",
+        "napi",
+        "napi-build",
+        "napi-derive",
+        "node-ipc",
+        "nx",
+        "oo7",
+        "oslog",
+        "pin-project",
+        "pkg",
+        "postcss",
+        "postcss-loader",
+        "rand",
+        "sass",
+        "sass-loader",
+        "scopeguard",
+        "secmem-proc",
+        "security-framework",
+        "security-framework-sys",
+        "semver",
+        "serde",
+        "serde_json",
+        "simplelog",
+        "style-loader",
+        "sysinfo",
+        "thiserror",
+        "tokio",
+        "tokio-util",
+        "tracing",
+        "tracing-subscriber",
+        "ts-node",
+        "ts-loader",
+        "tsconfig-paths-webpack-plugin",
+        "type-fest",
+        "typenum",
+        "typescript-strict-plugin",
+        "uniffi",
+        "webpack-cli",
+        "webpack-dev-server",
+        "webpack-node-externals",
+        "widestring",
+        "windows",
+        "windows-core",
+        "windows-future",
+        "windows-registry",
+        "zbus",
+        "zbus_polkit",
+        "zeroizing-alloc",
+      ],
+      matchUpdateTypes: ["minor", "patch"],
+      dependencyDashboardApproval: true,
+    },
+    {
+      // By default, we send patch updates to the Dependency Dashboard and do not generate a PR.
+      // We want to generate PRs for a select number of dependencies to ensure we stay up to date on these.
+      matchPackageNames: ["browserslist", "electron", "rxjs", "typescript", "webpack", "zone.js"],
+      matchUpdateTypes: ["patch"],
+      dependencyDashboardApproval: false,
+    },
+
+    // ==================== Special Version Constraints ====================
     {
       // Any versions of lowdb above 1.0.0 are not compatible with CommonJS.
       matchPackageNames: ["lowdb"],

.github/whitelist-capital-letters.txt

@@ -19,8 +19,6 @@
 ./apps/cli/stores/chocolatey/tools/VERIFICATION.txt
 ./apps/browser/store/windows/AppxManifest.xml
 ./apps/browser/src/background/nativeMessaging.background.ts
-./apps/browser/src/models/browserComponentState.ts
-./apps/browser/src/models/browserGroupingsComponentState.ts
 ./apps/browser/src/models/biometricErrors.ts
 ./apps/browser/src/browser/safariApp.ts
 ./apps/browser/src/safari/desktop/ViewController.swift

.github/workflows/alert-ddg-files-modified.yml

@@ -14,7 +14,7 @@ jobs:
       pull-requests: write
     steps:
     - name: Checkout code
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         fetch-depth: 0
         persist-credentials: false

.github/workflows/auto-branch-updater.yml

@@ -30,7 +30,7 @@ jobs:
         run: echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
 
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: 'eu-web-${{ steps.setup.outputs.branch }}'
           fetch-depth: 0

.github/workflows/build-browser.yml

@@ -55,7 +55,7 @@ jobs:
       has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{  github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -94,7 +94,7 @@ jobs:
         working-directory: apps/browser
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{  github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -146,7 +146,7 @@ jobs:
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -193,7 +193,7 @@ jobs:
           zip -r browser-source.zip browser-source
 
       - name: Upload browser source
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ${{matrix.license_type.archive_name_prefix}}browser-source-${{ env._BUILD_NUMBER }}.zip
           path: browser-source.zip
@@ -254,7 +254,7 @@ jobs:
             artifact_name: "dist-opera-MV3"
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{  github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -272,7 +272,7 @@ jobs:
           npm --version
 
       - name: Download browser source
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: ${{matrix.license_type.source_archive_name_prefix}}browser-source-${{ env._BUILD_NUMBER }}.zip
 
@@ -336,7 +336,7 @@ jobs:
         working-directory: browser-source/apps/browser
 
       - name: Upload extension artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ${{ matrix.license_type.artifact_prefix }}${{ matrix.browser.artifact_name }}-${{ env._BUILD_NUMBER }}.zip
           path: browser-source/apps/browser/dist/${{matrix.license_type.archive_name_prefix}}${{ matrix.browser.archive_name }}
@@ -349,7 +349,7 @@ jobs:
 
       - name: Upload dev extension artifact
         if: ${{ matrix.browser.archive_name_dev != '' }}
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ${{ matrix.license_type.artifact_prefix }}${{ matrix.browser.artifact_name_dev }}-${{ env._BUILD_NUMBER }}.zip
           path: browser-source/apps/browser/dist/${{matrix.license_type.archive_name_prefix}}${{ matrix.browser.archive_name_dev }}
@@ -386,7 +386,7 @@ jobs:
       _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{  github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -523,7 +523,7 @@ jobs:
           ls -la
 
       - name: Upload Safari artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ${{matrix.license_type.archive_name_prefix}}dist-safari-${{ env._BUILD_NUMBER }}.zip
           path: apps/browser/dist/${{matrix.license_type.archive_name_prefix}}dist-safari.zip
@@ -542,7 +542,7 @@ jobs:
       - build-safari
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{  github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -565,7 +565,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Upload Sources
-        uses: crowdin/github-action@08713f00a50548bfe39b37e8f44afb53e7a802d4 # v2.12.0
+        uses: crowdin/github-action@60debf382ee245b21794321190ad0501db89d8c1 # v2.13.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/build-cli.yml

@@ -59,7 +59,7 @@ jobs:
       has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -114,7 +114,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -268,7 +268,7 @@ jobs:
           fi
 
       - name: Upload unix zip asset
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip
           path: apps/cli/dist/bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip
@@ -311,7 +311,7 @@ jobs:
       _WIN_PKG_VERSION: 3.5
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{  github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -482,7 +482,7 @@ jobs:
           }
 
       - name: Upload windows zip asset
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: bw${{ matrix.license_type.artifact_prefix }}-windows-${{ env._PACKAGE_VERSION }}.zip
           path: apps/cli/dist/bw${{ matrix.license_type.artifact_prefix }}-windows-${{ env._PACKAGE_VERSION }}.zip
@@ -490,7 +490,7 @@ jobs:
 
       - name: Upload Chocolatey asset
         if: matrix.license_type.build_prefix == 'bit'
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: bitwarden-cli.${{ env._PACKAGE_VERSION }}.nupkg
           path: apps/cli/dist/chocolatey/bitwarden-cli.${{ env._PACKAGE_VERSION }}.nupkg
@@ -503,7 +503,7 @@ jobs:
 
       - name: Upload NPM Build Directory asset
         if: matrix.license_type.build_prefix == 'bit'
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: bitwarden-cli-${{ env._PACKAGE_VERSION }}-npm-build.zip
           path: apps/cli/bitwarden-cli-${{ env._PACKAGE_VERSION }}-npm-build.zip
@@ -520,7 +520,7 @@ jobs:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{  github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -535,7 +535,7 @@ jobs:
           echo "BW Package Version: $_PACKAGE_VERSION"
 
       - name: Get bw linux cli
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: bw-linux-${{ env._PACKAGE_VERSION }}.zip
           path: apps/cli/dist/snap
@@ -572,7 +572,7 @@ jobs:
         run: sudo snap remove bw
 
       - name: Upload snap asset
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: bw_${{ env._PACKAGE_VERSION }}_amd64.snap
           path: apps/cli/dist/snap/bw_${{ env._PACKAGE_VERSION }}_amd64.snap

.github/workflows/build-web.yml

@@ -64,7 +64,7 @@ jobs:
       has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -112,7 +112,7 @@ jobs:
             npm_command: dist:bit:selfhost
           - artifact_name: selfhosted-DEV
             license_type: "commercial"
-            image_name: web
+            image_name: web-dev
             npm_command: build:bit:selfhost:dev
             git_metadata: true
           - artifact_name: cloud-QA
@@ -144,7 +144,7 @@ jobs:
       _VERSION: ${{ needs.setup.outputs.version }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -174,7 +174,7 @@ jobs:
           echo "server_ref=$SERVER_REF" >> "$GITHUB_OUTPUT"
 
       - name: Check out Server repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           path: server
           repository: bitwarden/server
@@ -204,7 +204,7 @@ jobs:
 
       ########## Set up Docker ##########
       - name: Set up Docker
-        uses: docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 # v4.5.0
+        uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 # v4.7.0
         with:
           daemon-config: |
             {
@@ -218,7 +218,7 @@ jobs:
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       ########## ACRs ##########
       - name: Log in to Azure
@@ -307,7 +307,7 @@ jobs:
           zip -r web-$_VERSION-${{ matrix.artifact_name }}.zip build
 
       - name: Upload ${{ matrix.artifact_name }} artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip
           path: apps/web/web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip
@@ -334,7 +334,7 @@ jobs:
       - name: Scan Docker image
         if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         id: container-scan
-        uses: anchore/scan-action@568b89d27fc18c60e56937bff480c91c772cd993 # v7.1.0
+        uses: anchore/scan-action@62b74fb7bb810d2c45b1865f47a77655621862a5 # v7.2.3
         with:
           image: ${{ steps.image-name.outputs.name }}
           fail-build: false
@@ -367,7 +367,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -390,7 +390,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Upload Sources
-        uses: crowdin/github-action@08713f00a50548bfe39b37e8f44afb53e7a802d4 # v2.12.0
+        uses: crowdin/github-action@60debf382ee245b21794321190ad0501db89d8c1 # v2.13.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/chromatic.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{  github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -65,7 +65,7 @@ jobs:
 
       - name: Cache NPM
         id: npm-cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: "~/.npm"
           key: ${{ runner.os }}-npm-chromatic-${{ hashFiles('**/package-lock.json') }}

.github/workflows/crowdin-pull.yml

@@ -49,7 +49,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
@@ -58,7 +58,7 @@ jobs:
           permission-pull-requests: write # for generating pull requests
 
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.app-token.outputs.token }}
           persist-credentials: false

.github/workflows/lint-crowdin-config.yml

@@ -22,7 +22,7 @@ jobs:
         ]
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 1
           persist-credentials: false
@@ -45,7 +45,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Lint ${{ matrix.app.name }} config
-        uses: crowdin/github-action@08713f00a50548bfe39b37e8f44afb53e7a802d4 # v2.12.0
+        uses: crowdin/github-action@60debf382ee245b21794321190ad0501db89d8c1 # v2.13.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_PROJECT_ID: ${{ matrix.app.project_id }}

.github/workflows/lint.yml

@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -52,6 +52,7 @@ jobs:
             ! -path "*/Cargo.lock" \
             ! -path "./apps/desktop/macos/*" \
             ! -path "*/CLAUDE.md" \
+            ! -path "*/SKILL.md" \
             > tmp.txt
           diff <(sort .github/whitelist-capital-letters.txt) <(sort tmp.txt)
 
@@ -94,18 +95,18 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable
         with:
           toolchain: stable
           components: rustfmt, clippy
 
       - name: Install Rust nightly
-        uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable
         with:
           toolchain: nightly
           components: rustfmt
@@ -114,7 +115,7 @@ jobs:
         run: rustup --version
 
       - name: Cache cargo registry
-        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
 
       - name: Run cargo fmt
         working-directory: ./apps/desktop/desktop_native
@@ -127,7 +128,7 @@ jobs:
           RUSTFLAGS: "-D warnings"
 
       - name: Install cargo-sort
-        run: cargo install cargo-sort --locked --git https://github.com/DevinR528/cargo-sort.git --rev f5047967021cbb1f822faddc355b3b07674305a1
+        run: cargo install cargo-sort --locked --git https://github.com/DevinR528/cargo-sort.git --rev ac6e328faf467a39e38ab48dc60dcf4f6a46d7a5 # v2.0.2
 
       - name: Cargo sort
         working-directory: ./apps/desktop/desktop_native
@@ -141,9 +142,9 @@ jobs:
         run: cargo +nightly udeps --workspace --all-features --all-targets
 
       - name: Install cargo-deny
-        uses: taiki-e/install-action@81ee1d48d9194cdcab880cbdc7d36e87d39874cb # v2.62.45
+        uses: taiki-e/install-action@2e9d707ef49c9b094d45955b60c7e5c0dfedeb14 # v2.66.5
         with:
-          tool: cargo-deny@0.18.5
+          tool: cargo-deny@0.18.6
 
       - name: Run cargo deny
         working-directory: ./apps/desktop/desktop_native

.github/workflows/locales-lint.yml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
       - name: Checkout base branch repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.base.sha }}
           path: base

.github/workflows/nx.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -36,7 +36,7 @@ jobs:
         run: npm ci
       
       - name: Set Nx SHAs for affected detection
-        uses: nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 # v4.3.3
+        uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4.4.0
       
       - name: Run Nx affected tasks
         continue-on-error: true

.github/workflows/publish-cli.yml

@@ -103,7 +103,7 @@ jobs:
       _PKG_VERSION: ${{ needs.setup.outputs.release_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -151,7 +151,7 @@ jobs:
       _PKG_VERSION: ${{ needs.setup.outputs.release_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -203,7 +203,7 @@ jobs:
       _PKG_VERSION: ${{ needs.setup.outputs.release_version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/publish-desktop.yml

@@ -204,7 +204,7 @@ jobs:
       _RELEASE_TAG: ${{ needs.setup.outputs.tag_name }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -258,7 +258,7 @@ jobs:
       _RELEASE_TAG: ${{ needs.setup.outputs.tag_name }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -315,7 +315,7 @@ jobs:
       _RELEASE_TAG: ${{ needs.setup.outputs.tag_name }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -331,7 +331,7 @@ jobs:
         run: wget "https://github.com/bitwarden/clients/releases/download/${_RELEASE_TAG}/macos-build-number.json"
 
       - name: Setup Ruby and Install Fastlane
-        uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+        uses: ruby/setup-ruby@708024e6c902387ab41de36e1669e43b5ee7085e # v1.283.0
         with:
           ruby-version: '3.4.7'
           bundler-cache: false

.github/workflows/publish-web.yml

@@ -28,7 +28,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -74,7 +74,7 @@ jobs:
           echo "Github Release Option: $_RELEASE_OPTION"
 
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -182,11 +182,13 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: self-host
 
       - name: Trigger Bitwarden lite build
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0

.github/workflows/release-browser.yml

@@ -28,7 +28,7 @@ jobs:
       release_version: ${{ steps.version.outputs.version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -61,7 +61,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/release-cli.yml

@@ -29,7 +29,7 @@ jobs:
       release_version: ${{ steps.version.outputs.version }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/release-desktop.yml

@@ -31,7 +31,7 @@ jobs:
       release_channel: ${{ steps.release_channel.outputs.channel }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -98,6 +98,14 @@ jobs:
         working-directory: apps/desktop/artifacts
         run: mv "Bitwarden-${PKG_VERSION}-universal.pkg" "Bitwarden-${PKG_VERSION}-universal.pkg.archive"
 
+      - name: Rename .tar.gz to include version
+        env:
+          PKG_VERSION: ${{ steps.version.outputs.version }}
+        working-directory: apps/desktop/artifacts
+        run: |
+          mv "bitwarden_desktop_x64.tar.gz" "bitwarden_${PKG_VERSION}_x64.tar.gz"
+          mv "bitwarden_desktop_arm64.tar.gz" "bitwarden_${PKG_VERSION}_arm64.tar.gz"
+
       - name: Create Release
         uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
         if: ${{ steps.release_channel.outputs.channel == 'latest' && github.event.inputs.release_type != 'Dry Run' }}

.github/workflows/release-web.yml

@@ -25,7 +25,7 @@ jobs:
       tag_version: ${{ steps.version.outputs.tag }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/repository-management.yml

@@ -29,7 +29,7 @@ on:
         default: false
       target_ref:
         default: "main"
-        description: "Branch/Tag to target for cut"
+        description: "Branch/Tag to target for cut (ignored if not cutting rc)"
         required: true
         type: string
       version_number_override:
@@ -71,6 +71,7 @@ jobs:
       version_web: ${{ steps.set-final-version-output.outputs.version_web }}
     permissions:
       id-token: write
+      contents: write
 
     steps:
       - name: Validate version input format
@@ -93,27 +94,47 @@ jobs:
           keyvault: gh-org-bitwarden
           secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
+      - name: Retrieve GPG secrets
+        id: retrieve-gpg-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"
+
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write # for committing and pushing to main (bypasses rulesets)
 
       - name: Check out branch
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
-          ref: main
+          ref: ${{ github.ref }}
           token: ${{ steps.app-token.outputs.token }}
           persist-credentials: true
 
       - name: Configure Git
         run: |
-          git config --local user.email "actions@github.com"
-          git config --local user.name "Github Actions"
+          git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
+          git config --local user.name "bitwarden-devops-bot"
+
+      - name: Setup GPG signing
+        env:
+          GPG_PRIVATE_KEY: ${{ steps.retrieve-gpg-secrets.outputs.github-gpg-private-key }}
+          GPG_PASSPHRASE: ${{ steps.retrieve-gpg-secrets.outputs.github-gpg-private-key-passphrase }}
+        run: |
+          echo "$GPG_PRIVATE_KEY" | gpg --import --batch
+          GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format=long | grep -o "rsa[0-9]\+/[A-F0-9]\+" | head -n1 | cut -d'/' -f2)
+          git config --local user.signingkey "$GPG_KEY_ID"
+          git config --local commit.gpgsign true
+          export GPG_TTY=$(tty)
+          echo "test" | gpg --clearsign --pinentry-mode=loopback --passphrase "$GPG_PASSPHRASE" > /dev/null 2>&1
 
       ########################
       # VERSION BUMP SECTION #
@@ -425,13 +446,15 @@ jobs:
             echo "No changes to commit!";
           fi
 
-      - name: Commit files
+      - name: Commit version bumps with GPG signature
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        run: git commit -m "Bumped client version(s)" -a
+        run: |
+          git commit -m "Bumped client version(s)" -a
 
-      - name: Push changes
+      - name: Push changes to main
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        run: git push
+        run: |
+          git push
 
   cut_branch:
     name: Cut branch
@@ -462,14 +485,15 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write # for creating and pushing new branch
 
       - name: Check out target ref
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ inputs.target_ref }}
           token: ${{ steps.app-token.outputs.token }}

.github/workflows/review-code.yml

@@ -2,7 +2,7 @@ name: Code Review
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened, ready_for_review]
+    types: [opened, synchronize, reopened]
 
 permissions: {}
 

.github/workflows/sdk-breaking-change-check.yml

@@ -53,7 +53,7 @@ jobs:
           secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
@@ -64,7 +64,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Check out clients repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/stale-bot.yml

@@ -15,7 +15,7 @@ jobs:
       pull-requests: write
     steps:
       - name: 'Run stale action'
-        uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
+        uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
         with:
           stale-issue-label: 'needs-reply'
           stale-pr-label: 'needs-changes'

.github/workflows/test-browser-interactions.yml

@@ -18,7 +18,7 @@ jobs:
       id-token: write
     steps:
     - name: Checkout code
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         fetch-depth: 0
         persist-credentials: false
@@ -75,7 +75,7 @@ jobs:
 
     - name: Trigger test-all workflow in browser-interactions-testing
       if: steps.changed-files.outputs.monitored == 'true'
-      uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+      uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
       with:
         token: ${{ steps.app-token.outputs.token }}
         repository: "bitwarden/browser-interactions-testing"

.github/workflows/test.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -62,7 +62,7 @@ jobs:
         run: npm test -- --coverage --maxWorkers=3
 
       - name: Report test results
-        uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2.1.1
+        uses: dorny/test-reporter@b082adf0eced0765477756c2a610396589b8c637 # v2.5.0
         if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results
@@ -71,10 +71,12 @@ jobs:
           fail-on-error: true
 
       - name: Upload results to codecov.io
-        uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        with:
+          report_type: test_results
 
       - name: Upload test coverage
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: jest-coverage
           path: ./coverage/lcov.info
@@ -103,7 +105,7 @@ jobs:
           sudo apt-get install -y gnome-keyring dbus-x11
 
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -111,7 +113,7 @@ jobs:
         working-directory: ./apps/desktop/desktop_native
         run: cargo build
 
-      - name: Test Ubuntu
+      - name: Linux unit tests
         if: ${{ matrix.os=='ubuntu-22.04' }}
         working-directory: ./apps/desktop/desktop_native
         run: |
@@ -120,35 +122,39 @@ jobs:
           mkdir -p ~/.local/share/keyrings
           eval "$(printf '\n' | gnome-keyring-daemon --unlock)"
           eval "$(printf '\n' | /usr/bin/gnome-keyring-daemon --start)"
-          cargo test -- --test-threads=1
+          cargo test --lib -- --test-threads=1
 
-      - name: Test macOS
+      - name: MacOS unit tests
         if: ${{ matrix.os=='macos-14' }}
         working-directory: ./apps/desktop/desktop_native
-        run: cargo test -- --test-threads=1
+        run: cargo test --lib -- --test-threads=1
 
-      - name: Test Windows
+      - name: Windows unit tests
         if: ${{ matrix.os=='windows-2022'}}
         working-directory: ./apps/desktop/desktop_native
-        run: cargo test --workspace --exclude=desktop_napi -- --test-threads=1
+        run: cargo test --lib --workspace --exclude=desktop_napi -- --test-threads=1
+
+      - name: Doc tests
+        working-directory: ./apps/desktop/desktop_native
+        run: cargo test --doc
 
   rust-coverage:
     name: Rust Coverage
     runs-on: macos-14
     steps:
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Install rust
-        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable
         with:
           toolchain: stable
           components: llvm-tools
 
       - name: Cache cargo registry
-        uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
         with:
           workspaces: "apps/desktop/desktop_native -> target"
 
@@ -160,7 +166,7 @@ jobs:
         run: cargo llvm-cov --all-features --lcov --output-path lcov.info --workspace --no-cfg-coverage
 
       - name: Upload test coverage
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: rust-coverage
           path: ./apps/desktop/desktop_native/lcov.info
@@ -173,24 +179,24 @@ jobs:
       - rust-coverage
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Download jest coverage
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: jest-coverage
           path: ./
 
       - name: Download rust coverage
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: rust-coverage
           path: ./apps/desktop/desktop_native
 
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           files: |
             ./lcov.info

.github/workflows/version-auto-bump.yml

@@ -31,7 +31,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Generate GH App token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
@@ -39,7 +39,7 @@ jobs:
           permission-contents: write # for committing and pushing to the current branch
 
       - name: Check out target ref
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: main
           token: ${{ steps.app-token.outputs.token }}