bitwarden
diff --git a/‎.cargo/config.toml‎
Lines changed: 1 addition & 1 deletion b/‎.cargo/config.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 14 additions & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎.github/renovate.json‎
Lines changed: 10 additions & 0 deletions b/‎.github/renovate.json‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/workflows/build-android.yml‎
Lines changed: 7 additions & 3 deletions b/‎.github/workflows/build-android.yml‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎.github/workflows/build-rust-crates.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/build-rust-crates.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/build-swift.yml‎
Lines changed: 6 additions & 2 deletions b/‎.github/workflows/build-swift.yml‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎.github/workflows/build-wasm-internal.yml‎
Lines changed: 40 additions & 10 deletions b/‎.github/workflows/build-wasm-internal.yml‎
Lines changed: 40 additions & 10 deletions
diff --git a/‎.github/workflows/check-powerset.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/check-powerset.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/cloc.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/cloc.yml‎
Lines changed: 2 additions & 0 deletions
@@ -6,7 +6,7 @@ rustflags = ["--cfg", "aes_armv8"]
 
 [target.wasm32-unknown-unknown]
 rustflags = ['--cfg', 'getrandom_backend="wasm_js"']
-runner = 'wasm-bindgen-test-runner'
+runner = 'cargo run -p wasm-bindgen-cli-runner --bin wasm-bindgen-test-runner'
 
 # Enable support for 16k pages on Android, JNA is using these same flags
 # https://android-developers.googleblog.com/2024/08/adding-16-kb-page-size-to-android.html
 
@@ -6,6 +6,20 @@
 
 <!-- Describe what the purpose of this PR is, for example what bug you're fixing or new feature you're adding. -->
 
+## 🚨 Breaking Changes
+
+<!-- Does this PR introduce any breaking changes? If so, please describe the impact and migration path for clients.
+
+If you're unsure, the automated TypeScript compatibility check will run when you open/update this PR and provide feedback.
+
+For breaking changes:
+1. Describe what changed in the client interface
+2. Explain why the change was necessary
+3. Provide migration steps for client developers
+4. Link to any paired client PRs if needed
+
+Otherwise, you can remove this section. -->
+
 ## ⏰ Reminders before review
 
 - Contributor guidelines followed
 
@@ -15,12 +15,22 @@
     "go": "1.21"
   },
   "packageRules": [
+    {
+      "groupName": "rust",
+      "matchManagers": ["custom.regex", "dockerfile"],
+      "matchDepNames": ["rust"]
+    },
     {
       "matchManagers": ["cargo"],
       "matchUpdateTypes": ["minor", "patch"],
       "groupName": "pyo3 non-major",
       "matchPackageNames": ["/pyo3*/"]
     },
+    {
+      "matchManagers": ["cargo"],
+      "groupName": "wasm-bindgen group",
+      "matchPackageNames": ["/wasm-bindgen*/"]
+    },
     {
       "groupName": "dockerfile minor",
       "matchManagers": ["dockerfile"],
 
@@ -34,6 +34,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
@@ -54,7 +56,7 @@ jobs:
         run: cross build -p bitwarden-uniffi --release --target=${{ matrix.settings.target }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: android-${{ matrix.settings.target }}
           path: ./target/${{ matrix.settings.target }}/release/libbitwarden_uniffi.so
@@ -78,12 +80,14 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.ref }}
+          persist-credentials: false
 
       - name: Checkout repo (Push or manual run)
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
@@ -102,7 +106,7 @@ jobs:
           java-version: 17
 
       - name: Download Artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 
       - name: Move artifacts
         working-directory: crates/bitwarden-uniffi/kotlin/sdk/src/main/jniLibs
@@ -118,7 +122,7 @@ jobs:
         run: ./build-schemas.sh
 
       - name: Setup gradle
-        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
 
       - name: Test build demo app
         working-directory: crates/bitwarden-uniffi/kotlin
 
@@ -38,6 +38,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
@@ -60,6 +62,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
 
@@ -20,6 +20,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Get Package Version
         id: retrieve-version
@@ -38,6 +40,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
@@ -81,14 +85,14 @@ jobs:
           cp -rf crates/bitwarden-uniffi/swift/BitwardenFFI.xcframework artifacts
 
       - name: Upload BitwardenFFI.xcframework artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: BitwardenFFI-${{ env._VERSION }}-${{ steps.build.outputs.short-sha }}.xcframework
           path: artifacts
           if-no-files-found: error
 
       - name: Upload BitwardenSdk sources
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: BitwardenSdk-${{ env._VERSION }}-${{ steps.build.outputs.short-sha }}-sources
           path: crates/bitwarden-uniffi/swift/Sources/BitwardenSdk
 
@@ -9,6 +9,8 @@ on:
       - "hotfix-rc"
   workflow_dispatch:
 
+permissions: {}
+
 defaults:
   run:
     shell: bash
@@ -35,13 +37,15 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set version (PR)
         if: ${{ github.event_name == 'pull_request' }}
         env:
           PR_HEAD_REF: "${{ github.event.pull_request.head.ref }}"
         run: |
-          echo REF_NAME="$PR_HEAD_REF" >> $GITHUB_ENV
+          echo REF_NAME="${PR_HEAD_REF}" >> $GITHUB_ENV
           echo SHA="${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
 
       - name: Set env variables (Branch/Tag)
@@ -89,14 +93,11 @@ jobs:
         with:
           key: wasm-cargo-cache
 
-      - name: Install wasm-bindgen-cli
-        run: cargo install wasm-bindgen-cli --version 0.2.105 --locked
-
       - name: Build
         run: ./build.sh -r ${{ matrix.license_type.build_flags }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: ${{ matrix.license_type.artifact_name }}
           path: ${{ github.workspace }}/crates/bitwarden-wasm-internal/${{ matrix.license_type.npm_folder }}/*
@@ -117,24 +118,53 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Retrieve github PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@30bf6253fa41bdc8d1501d202ad15287582246b4 # v2.0.3
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: bitwarden
+          repositories: sdk-internal
+          permission-actions: write
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Trigger WASM publish
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'bitwarden',
               repo: 'sdk-internal',
               workflow_id: 'publish-wasm-internal.yml',
               ref: 'main',
             })
+
+  trigger-breaking-change-check:
+    name: Trigger client breaking change checks
+    if: github.event_name == 'pull_request'
+    needs: build
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    uses: ./.github/workflows/detect-breaking-changes.yml
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.number }}
+      pr_head_sha: ${{ github.event.pull_request.head.sha }}
+      pr_head_ref: ${{ github.event.pull_request.head.ref }}
+      build_run_id: ${{ github.run_id }}
+      client_repo: "bitwarden/clients"
+      client_label: "typescript"
+      client_workflow: "sdk-breaking-change-check.yml"
@@ -26,6 +26,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install rust
         uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
 
@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set up cloc
         run: |