Merge branch 'main' into update-java-read-me

.github/CODEOWNERS

@@ -11,3 +11,8 @@
 # Secrets Manager team
 crates/bitwarden-sm @bitwarden/team-secrets-manager-dev
 crates/bws @bitwarden/team-secrets-manager-dev
+
+# BRE Automations
+crates/bws/Cargo.toml
+crates/bws/scripts/install.ps1
+crates/bws/scripts/install.sh

.github/workflows/build-cli-docker.yml

@@ -5,8 +5,6 @@ on:
   push:
     branches:
       - "main"
-      - "rc"
-      - "hotfix-rc"
   workflow_dispatch:
   pull_request:
 
@@ -22,15 +20,9 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Check Branch to Publish
-        env:
-          PUBLISH_BRANCHES: "master,rc,hotfix-rc"
         id: publish-branch-check
         run: |
-          REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
-
-          IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
-
-          if [[ "${publish_branches[*]}" =~ "${REF}" ]]; then
+          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
             echo "is_publish_branch=true" >> $GITHUB_ENV
           else
             echo "is_publish_branch=false" >> $GITHUB_ENV
@@ -77,10 +69,8 @@ jobs:
         run: |
           REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
           IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g")  # slash safe branch name
-          if [[ "${IMAGE_TAG}" == "master" ]]; then
+          if [[ "${IMAGE_TAG}" == "main" ]]; then
             IMAGE_TAG=dev
-          elif [[ ("${IMAGE_TAG}" == "rc") || ("${IMAGE_TAG}" == "hotfix-rc") ]]; then
-            IMAGE_TAG=rc
           fi
 
           echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
@@ -89,9 +79,8 @@ jobs:
         id: tag-list
         env:
           IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
-          IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }}
         run: |
-          if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "rc") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then
+          if [[ "${IMAGE_TAG}" == "dev" ]]; then
             echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG},bitwarden/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT
           else
             echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT
@@ -123,10 +112,7 @@ jobs:
     needs: build-docker
     steps:
       - name: Check if any job failed
-        if: |
-          github.ref == 'refs/heads/master'
-          || github.ref == 'refs/heads/rc'
-          || github.ref == 'refs/heads/hotfix-rc'
+        if: github.ref == 'refs/heads/main'
         env:
           BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }}
         run: |

.github/workflows/build-cli.yml

@@ -6,8 +6,6 @@ on:
   push:
     branches:
       - "main"
-      - "rc"
-      - "hotfix-rc"
   workflow_dispatch:
 
 defaults:
@@ -74,7 +72,7 @@ jobs:
       - name: Build
         env:
           TARGET: ${{ matrix.settings.target }}
-        run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }}
+        run: cargo build -p bws --release --target=${{ matrix.settings.target }}
 
       - name: Login to Azure
         if: ${{ needs.setup.outputs.sign == 'true' }}
@@ -132,8 +130,7 @@ jobs:
   build-macos:
     name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
     runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
-    needs:
-      - setup
+    needs: setup
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
     strategy:
@@ -164,7 +161,7 @@ jobs:
       - name: Build
         env:
           TARGET: ${{ matrix.settings.target }}
-        run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }}
+        run: cargo build -p bws --release --target=${{ matrix.settings.target }}
 
       - name: Login to Azure
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -242,8 +239,7 @@ jobs:
   build-linux:
     name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
     runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
-    needs:
-      - setup
+    needs: setup
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
     strategy:
@@ -271,7 +267,8 @@ jobs:
           toolchain: stable
           targets: ${{ matrix.settings.target }}
 
-      - uses: goto-bus-stop/setup-zig@7ab2955eb728f5440978d5824358023be3a2802d # v2.2.0
+      - name: Set up Zig
+        uses: goto-bus-stop/setup-zig@7ab2955eb728f5440978d5824358023be3a2802d # v2.2.0
         with:
           version: 0.12.0
 
@@ -286,7 +283,7 @@ jobs:
       - name: Build
         env:
           TARGET: ${{ matrix.settings.target }}
-        run: cargo zigbuild ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }}
+        run: cargo zigbuild -p bws --release --target=${{ matrix.settings.target }}
 
       - name: Zip linux
         run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws
@@ -325,7 +322,7 @@ jobs:
           unzip bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-x86_64-apple-darwin
           unzip bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-aarch64-apple-darwin
 
-      - name: lipo create universal package
+      - name: Create universal package with lipo
         run: |
           mkdir ./bws-macos-universal
 
@@ -375,7 +372,7 @@ jobs:
       - name: Sign binary
         env:
           MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
-        run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp  ./bws-aarch64-apple-darwin/bws
+        run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-macos-universal/bws
 
       - name: Notarize app
         env:
@@ -389,7 +386,7 @@ jobs:
           xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
 
           echo "Creating notarization archive"
-          zip -j ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws
+          zip -j ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws
 
           codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp  ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip
 
@@ -441,8 +438,7 @@ jobs:
   manpages:
     name: Generate manpages
     runs-on: ubuntu-22.04
-    needs:
-      - setup
+    needs: setup
     steps:
       - name: Checkout repo
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

.github/workflows/build-rust-crates.yml

@@ -7,8 +7,6 @@ on:
   push:
     branches:
       - "main"
-      - "rc"
-      - "hotfix-rc"
 
 env:
   CARGO_TERM_COLOR: always
@@ -17,7 +15,7 @@ jobs:
   build:
     name: Building ${{matrix.package}} for - ${{ matrix.os }}
 
-    runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
+    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
 
     strategy:
       fail-fast: false
@@ -42,7 +40,6 @@ jobs:
         uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable
         with:
           toolchain: stable
-          targets: ${{ matrix.settings.target }}
 
       - name: Cache cargo registry
         uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
@@ -61,9 +58,8 @@ jobs:
   release-dry-run:
     name: Release dry-run
     runs-on: ubuntu-latest
-    if: ${{ github.ref == 'refs/head/main' || github.ref == 'refs/head/rc' || github.ref == 'refs/head/hotfix-rc' }}
-    needs:
-      - build
+    if: ${{ github.ref == 'refs/head/main' }}
+    needs: build
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -72,7 +68,6 @@ jobs:
         uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable
         with:
           toolchain: stable
-          targets: ${{ matrix.settings.target }}
 
       - name: Cache cargo registry
         uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3

.github/workflows/build-rust-cross-platform.yml

@@ -26,6 +26,9 @@ jobs:
             target: x86_64-pc-windows-msvc
           - os: windows-2022
             target: x86_64-pc-windows-gnu
+          # caution: updating the linux runner OS version for GNU
+          #   targets will likely break libbitwarden_c for older OS versions.
+          #   prefer using oldest supported runner for for these targets
           - os: ubuntu-22.04
             target: x86_64-unknown-linux-gnu
           - os: ubuntu-22.04
@@ -57,16 +60,26 @@ jobs:
       - name: Add build architecture
         run: rustup target add ${{ matrix.settings.target }}
 
+      # Build Rust for musl
       - name: Build Rust for - ${{ matrix.settings.target }}
         if: ${{ contains(matrix.settings.target, 'musl') }}
         env:
           RUSTFLAGS: "-D warnings"
         run: cargo zigbuild -p bitwarden-c --target ${{ matrix.settings.target }} --release
 
+      # Build Rust for windows-gnu
       - name: Build Rust for - ${{ matrix.settings.target }}
-        if: ${{ !contains(matrix.settings.target, 'musl') }}
+        if: ${{ matrix.settings.target == 'x86_64-pc-windows-gnu' }}
         env:
           RUSTFLAGS: "-D warnings"
+        run: cargo build -p bitwarden-c --target ${{ matrix.settings.target }} --profile=release-windows
+
+      # Build Rust for !musl && !windows-gnu
+      - name: Build Rust for - ${{ matrix.settings.target }}
+        if: ${{ !contains(matrix.settings.target, 'musl') && matrix.settings.target != 'x86_64-pc-windows-gnu' }}
+        env:
+          RUSTFLAGS: "-D warnings"
+          MACOSX_DEPLOYMENT_TARGET: "10.14" # allows using new macos runner versions while still supporting older systems
         run: cargo build -p bitwarden-c --target ${{ matrix.settings.target }} --release
 
       - name: Upload Artifact
@@ -75,3 +88,4 @@ jobs:
           name: libbitwarden_c_files-${{ matrix.settings.target }}
           path: |
             target/${{ matrix.settings.target }}/release/*bitwarden_c*
+            target/${{ matrix.settings.target }}/release-windows/*bitwarden_c*

.github/workflows/build-swift.yml

@@ -61,11 +61,16 @@ jobs:
           # SHA Short
           echo "short-sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
+      - name: Zip BitwardenFFI.xcframework
+        run: |
+          mkdir artifacts
+          cp -rf languages/swift/BitwardenFFI.xcframework artifacts
+
       - name: Upload BitwardenFFI.xcframework artifact
         uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: BitwardenFFI-${{ env._VERSION }}-${{ steps.build.outputs.short-sha }}.xcframework
-          path: languages/swift/BitwardenFFI.xcframework
+          path: artifacts
           if-no-files-found: error
 
       - name: Upload BitwardenSdk sources

.github/workflows/publish-ruby.yml

@@ -18,31 +18,23 @@ permissions:
   id-token: write
 
 jobs:
-  setup:
-    name: Setup
+  publish_ruby:
+    name: Publish Ruby
     runs-on: ubuntu-22.04
     steps:
-      - name: Checkout repo
+      - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Branch check
-        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
+        if: ${{ inputs.release_type != 'Dry Run' }}
         run: |
-          if [[ "$GITHUB_REF" != "refs/heads/rc" ]] && [[ "$GITHUB_REF" != "refs/heads/hotfix-rc" ]]; then
+          if [[ "$GITHUB_REF" != "refs/heads/main" ]]; then
             echo "==================================="
-            echo "[!] Can only release from the 'rc' or 'hotfix-rc' branches"
+            echo "[!] Can only release from the 'main' branch"
             echo "==================================="
             exit 1
           fi
 
-  publish_ruby:
-    name: Publish Ruby
-    runs-on: ubuntu-22.04
-    needs: setup
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
       - name: Set up Ruby
         uses: ruby/setup-ruby@52753b7da854d5c07df37391a986c76ab4615999 # v1.191.0
         with:
@@ -54,7 +46,7 @@ jobs:
           workflow: generate_schemas.yml
           path: languages/ruby/bitwarden_sdk_secrets/lib
           workflow_conclusion: success
-          branch: ${{ github.event.inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
+          branch: main
           artifacts: schemas.rb
 
       - name: Download x86_64-apple-darwin artifact
@@ -63,15 +55,15 @@ jobs:
           workflow: build-rust-cross-platform.yml
           path: temp/macos-x64
           workflow_conclusion: success
-          branch: ${{ github.event.inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
+          branch: main
           artifacts: libbitwarden_c_files-x86_64-apple-darwin
 
       - name: Download aarch64-apple-darwin artifact
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           workflow: build-rust-cross-platform.yml
           workflow_conclusion: success
-          branch: ${{ github.event.inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
+          branch: main
           artifacts: libbitwarden_c_files-aarch64-apple-darwin
           path: temp/macos-arm64
 
@@ -80,7 +72,7 @@ jobs:
         with:
           workflow: build-rust-cross-platform.yml
           workflow_conclusion: success
-          branch: ${{ github.event.inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
+          branch: main
           artifacts: libbitwarden_c_files-x86_64-unknown-linux-gnu
           path: temp/linux-x64
 
@@ -89,7 +81,7 @@ jobs:
         with:
           workflow: build-rust-cross-platform.yml
           workflow_conclusion: success
-          branch: ${{ github.event.inputs.release_type == 'Dry Run' && 'main' ||  github.ref_name }}
+          branch: main
           artifacts: libbitwarden_c_files-x86_64-pc-windows-msvc
           path: temp/windows-x64
 
@@ -128,6 +120,7 @@ jobs:
         working-directory: languages/ruby/bitwarden_sdk_secrets
 
       - name: Push gem to Rubygems
+        if: ${{ inputs.release_type != 'Dry Run' }}
         run: |
           mkdir -p $HOME/.gem
           touch $HOME/.gem/credentials