Merge branch 'main' into PM-27628-conditional-send-export

Author: bmbitwarden

.github/workflows/build-browser.yml

@@ -341,7 +341,7 @@ jobs:
 
   build-safari:
     name: Build Safari - ${{ matrix.license_type.readable }}
-    runs-on: macos-13
+    runs-on: macos-15
     permissions:
       contents: read
       id-token: write

.github/workflows/build-cli.yml

@@ -93,8 +93,8 @@ jobs:
           [
             { base: "linux", distro: "ubuntu-22.04", target_suffix: "" },
             { base: "linux", distro: "ubuntu-22.04-arm", target_suffix: "-arm64" },
-            { base: "mac", distro: "macos-13", target_suffix: "" },
-            { base: "mac", distro: "macos-14", target_suffix: "-arm64" }
+            { base: "mac", distro: "macos-15-intel", target_suffix: "" },
+            { base: "mac", distro: "macos-15", target_suffix: "-arm64" }
           ]
         license_type:
           [

.github/workflows/build-desktop.yml

@@ -725,6 +725,7 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Set up Node
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
@@ -826,22 +827,22 @@ jobs:
       - name: Rename appx files for store
         if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         run: |
-          Copy-Item "./dist/Bitwarden-Beta-${{ env._PACKAGE_VERSION }}-ia32.appx" `
-            -Destination "./dist/Bitwarden-Beta-${{ env._PACKAGE_VERSION }}-ia32-store.appx"
-          Copy-Item "./dist/Bitwarden-Beta-${{ env._PACKAGE_VERSION }}-x64.appx" `
-            -Destination "./dist/Bitwarden-Beta-${{ env._PACKAGE_VERSION }}-x64-store.appx"
-          Copy-Item "./dist/Bitwarden-Beta-${{ env._PACKAGE_VERSION }}-arm64.appx" `
-            -Destination "./dist/Bitwarden-Beta-${{ env._PACKAGE_VERSION }}-arm64-store.appx"
+          Copy-Item "./dist/Bitwarden-Beta-$env:_PACKAGE_VERSION-ia32.appx" `
+            -Destination "./dist/Bitwarden-Beta-$env:_PACKAGE_VERSION-ia32-store.appx"
+          Copy-Item "./dist/Bitwarden-Beta-$env:_PACKAGE_VERSION-x64.appx" `
+            -Destination "./dist/Bitwarden-Beta-$env:_PACKAGE_VERSION-x64-store.appx"
+          Copy-Item "./dist/Bitwarden-Beta-$env:_PACKAGE_VERSION-arm64.appx" `
+            -Destination "./dist/Bitwarden-Beta-$env:_PACKAGE_VERSION-arm64-store.appx"
 
       - name: Fix NSIS artifact names for auto-updater
         if: ${{ needs.setup.outputs.has_secrets == 'true' }}
         run: |
-          Rename-Item -Path .\dist\nsis-web\Bitwarden-Beta-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z `
-            -NewName bitwarden-beta-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
-          Rename-Item -Path .\dist\nsis-web\Bitwarden-Beta-${{ env._PACKAGE_VERSION }}-x64.nsis.7z `
-            -NewName bitwarden-beta-${{ env._PACKAGE_VERSION }}-x64.nsis.7z
-          Rename-Item -Path .\dist\nsis-web\Bitwarden-Beta-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z `
-            -NewName bitwarden-beta-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z
+          Rename-Item -Path .\dist\nsis-web\Bitwarden-Beta-$env:_PACKAGE_VERSION-ia32.nsis.7z `
+            -NewName bitwarden-beta-$env:_PACKAGE_VERSION-ia32.nsis.7z
+          Rename-Item -Path .\dist\nsis-web\Bitwarden-Beta-$env:_PACKAGE_VERSION-x64.nsis.7z `
+            -NewName bitwarden-beta-$env:_PACKAGE_VERSION-x64.nsis.7z
+          Rename-Item -Path .\dist\nsis-web\Bitwarden-Beta-$env:_PACKAGE_VERSION-arm64.nsis.7z `
+            -NewName bitwarden-beta-$env:_PACKAGE_VERSION-arm64.nsis.7z
 
       - name: Upload portable exe artifact
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
@@ -940,7 +941,7 @@ jobs:
 
   macos-build:
     name: MacOS Build
-    runs-on: macos-13
+    runs-on: macos-15
     needs:
       - setup
     permissions:
@@ -966,7 +967,12 @@ jobs:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
           node-version: ${{ env._NODE_VERSION }}
-
+      
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: '3.12'
+      
       - name: Set up Node-gyp
         run: python3 -m pip install setuptools
 
@@ -1162,7 +1168,7 @@ jobs:
 
   macos-package-github:
     name: MacOS Package GitHub Release Assets
-    runs-on: macos-13
+    runs-on: macos-15
     if: ${{ needs.setup.outputs.has_secrets == 'true' }}
     needs:
       - browser-build
@@ -1191,7 +1197,12 @@ jobs:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
           node-version: ${{ env._NODE_VERSION }}
-
+      
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: '3.12'
+      
       - name: Set up Node-gyp
         run: python3 -m pip install setuptools
 
@@ -1422,7 +1433,7 @@ jobs:
 
   macos-package-mas:
     name: MacOS Package Prod Release Asset
-    runs-on: macos-13
+    runs-on: macos-15
     if: ${{ needs.setup.outputs.has_secrets == 'true' }}
     needs:
       - browser-build
@@ -1451,7 +1462,12 @@ jobs:
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
           node-version: ${{ env._NODE_VERSION }}
-
+      
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: '3.12'
+          
       - name: Set up Node-gyp
         run: python3 -m pip install setuptools
 

.github/workflows/deploy-web.yml

@@ -54,8 +54,7 @@ on:
         type: string
         required: false
 
-permissions:
-  deployments: write
+permissions: {}
 
 jobs:
   setup:
@@ -373,10 +372,16 @@ jobs:
 
       - name: Login to Azure
         uses: bitwarden/gh-actions/azure-login@main
+        env:
+          # The following 2 values are ignored in Zizmor, because they have to be dynamically mapped from secrets
+          # The only way around this is to create separate steps per environment with static secret references, which is not maintainable
+          SUBSCRIPTION_ID: ${{ secrets[ needs.setup.outputs.azure_login_subscription_id_key_name ] }} # zizmor: ignore[overprovisioned-secrets]
+          CLIENT_ID: ${{ secrets[ needs.setup.outputs.azure_login_client_key_name ] }} # zizmor: ignore[overprovisioned-secrets]
+          TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
         with:
-          subscription_id: ${{ secrets[needs.setup.outputs.azure_login_subscription_id_key_name] }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets[needs.setup.outputs.azure_login_client_key_name] }}
+          subscription_id: ${{ env.SUBSCRIPTION_ID }}
+          tenant_id: ${{ env.TENANT_ID }}
+          client_id: ${{ env.CLIENT_ID }}
 
       - name: Retrieve Storage Account name
         id: retrieve-secrets-azcopy

.github/workflows/sdk-breaking-change-check.yml

@@ -1,10 +1,26 @@
 # This workflow runs TypeScript compatibility checks when the SDK is updated.
-# Triggered automatically by the SDK repository via repository_dispatch when SDK PRs are created/updated.
+# Triggered automatically by the SDK repository via workflow_dispatch when SDK PRs are created/updated.
 name: SDK Breaking Change Check
-run-name: "SDK breaking change check (${{ github.event.client_payload.sdk_version }})"
+run-name: "SDK breaking change check (${{ github.event.inputs.sdk_version }})"
 on:
-  repository_dispatch:
-    types: [sdk-breaking-change-check]
+  workflow_dispatch:
+    inputs:
+      sdk_version:
+        description: "SDK version being tested"
+        required: true
+        type: string
+      source_repo:
+        description: "Source repository"
+        required: true
+        type: string
+      artifacts_run_id:
+        description: "Artifacts run ID"
+        required: true
+        type: string
+      artifact_name:
+        description: "Artifact name"
+        required: true
+        type: string
 
 permissions:
   contents: read
@@ -17,12 +33,11 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 15
     env:
-      _SOURCE_REPO: ${{ github.event.client_payload.source_repo }}
-      _SDK_VERSION: ${{ github.event.client_payload.sdk_version }}
-      _ARTIFACTS_RUN_ID: ${{ github.event.client_payload.artifacts_info.run_id }}
-      _ARTIFACT_NAME: ${{ github.event.client_payload.artifacts_info.artifact_name }}
-      _CLIENT_LABEL: ${{ github.event.client_payload.client_label }}
-
+      _SOURCE_REPO: ${{ github.event.inputs.source_repo }}
+      _SDK_VERSION: ${{ github.event.inputs.sdk_version }}
+      _ARTIFACTS_RUN_ID: ${{ github.event.inputs.artifacts_run_id }}
+      _ARTIFACT_NAME: ${{ github.event.inputs.artifact_name }}
+      
     steps:
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -45,21 +60,7 @@ jobs:
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
-      - name: Validate inputs
-        run: |
-          echo "🔍 Validating required client_payload fields..."
-
-          if [ -z "${_SOURCE_REPO}" ] || [ -z "${_SDK_VERSION}" ] || [ -z "${_ARTIFACTS_RUN_ID}" ] || [ -z "${_ARTIFACT_NAME}" ]; then
-            echo "::error::Missing required client_payload fields"
-            echo "SOURCE_REPO: ${_SOURCE_REPO}"
-            echo "SDK_VERSION: ${_SDK_VERSION}"
-            echo "ARTIFACTS_RUN_ID: ${_ARTIFACTS_RUN_ID}"
-            echo "ARTIFACT_NAME: ${_ARTIFACT_NAME}"
-            echo "CLIENT_LABEL: ${_CLIENT_LABEL}"
-            exit 1
-          fi
 
-          echo "✅ All required payload fields are present"
       - name: Check out clients repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
@@ -134,34 +135,30 @@ jobs:
       - name: Run TypeScript compatibility check
         run: |
 
-          echo "🔍 Running TypeScript type checking for ${_CLIENT_LABEL} client with SDK version: ${_SDK_VERSION}"
+          echo "🔍 Running TypeScript type checking with SDK version: ${_SDK_VERSION}"
           echo "🎯 Type checking command: npm run test:types"
 
           # Add GitHub Step Summary output
-          {
-            echo "## 📊 TypeScript Compatibility Check (${_CLIENT_LABEL})"
-            echo "- **Client**: ${_CLIENT_LABEL}"
-            echo "- **SDK Version**: ${_SDK_VERSION}"
-            echo "- **Source Repository**: ${_SOURCE_REPO}"
-            echo "- **Artifacts Run ID**: ${_ARTIFACTS_RUN_ID}"
-            echo ""
-          } >> "$GITHUB_STEP_SUMMARY"
-
-
+          echo "## 📊 TypeScript Compatibility Check" >> $GITHUB_STEP_SUMMARY
+          echo "- **SDK Version**: ${_SDK_VERSION}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Source Repository**: ${_SOURCE_REPO}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Artifacts Run ID**: ${_ARTIFACTS_RUN_ID}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          
           TYPE_CHECK_START=$(date +%s)
 
           # Run type check with timeout - exit code determines gh run watch result
           if timeout 10m npm run test:types; then
             TYPE_CHECK_END=$(date +%s)
             TYPE_CHECK_DURATION=$((TYPE_CHECK_END - TYPE_CHECK_START))
-            echo "✅ TypeScript compilation successful for ${_CLIENT_LABEL} client (${TYPE_CHECK_DURATION}s)"
-            echo "✅ **Result**: TypeScript compilation successful" >> "$GITHUB_STEP_SUMMARY"
-            echo "No breaking changes detected in ${_CLIENT_LABEL} client for SDK version ${_SDK_VERSION}" >> "$GITHUB_STEP_SUMMARY"
+            echo "✅ TypeScript compilation successful (${TYPE_CHECK_DURATION}s)"
+            echo "✅ **Result**: TypeScript compilation successful" >> $GITHUB_STEP_SUMMARY
+            echo "No breaking changes detected for SDK version ${_SDK_VERSION}" >> $GITHUB_STEP_SUMMARY
           else
             TYPE_CHECK_END=$(date +%s)
             TYPE_CHECK_DURATION=$((TYPE_CHECK_END - TYPE_CHECK_START))
-            echo "❌ TypeScript compilation failed for ${_CLIENT_LABEL} client after ${TYPE_CHECK_DURATION}s - breaking changes detected"
-            echo "❌ **Result**: TypeScript compilation failed" >> "$GITHUB_STEP_SUMMARY"
-            echo "Breaking changes detected in ${_CLIENT_LABEL} client for SDK version ${_SDK_VERSION}" >> "$GITHUB_STEP_SUMMARY"
+            echo "❌ TypeScript compilation failed after ${TYPE_CHECK_DURATION}s - breaking changes detected"
+            echo "❌ **Result**: TypeScript compilation failed" >> $GITHUB_STEP_SUMMARY
+            echo "Breaking changes detected for SDK version ${_SDK_VERSION}" >> $GITHUB_STEP_SUMMARY
             exit 1
-          fi
+          fi

apps/browser/src/_locales/ar/messages.json

@@ -1523,12 +1523,6 @@
   "enableAutoBiometricsPrompt": {
     "message": "اسأل عن القياسات الحيوية عند الإطلاق"
   },
-  "premiumRequired": {
-    "message": "حساب البريميوم مطلوب"
-  },
-  "premiumRequiredDesc": {
-    "message": "هذه المِيزة متاحة فقط للعضوية المميزة."
-  },
   "authenticationTimeout": {
     "message": "مهلة المصادقة"
   },
@@ -1641,6 +1635,9 @@
   "selfHostedEnvFormInvalid": {
     "message": "يجب عليك إضافة رابط الخادم الأساسي أو على الأقل بيئة مخصصة."
   },
+  "selfHostedEnvMustUseHttps": {
+    "message": "URLs must use HTTPS."
+  },
   "customEnvironment": {
     "message": "بيئة مخصصة"
   },
@@ -4977,6 +4974,16 @@
       }
     }
   },
+  "defaultLabelWithValue": {
+    "message": "Default ( $VALUE$ )",
+    "description": "A label that indicates the default value for a field with the current default value in parentheses.",
+    "placeholders": {
+      "value": {
+        "content": "$1",
+        "example": "Base domain"
+      }
+    }
+  },
   "showMatchDetection": {
     "message": "Show match detection $WEBSITE$",
     "placeholders": {
@@ -5769,6 +5776,30 @@
   "atRiskLoginsSecured": {
     "message": "Great job securing your at-risk logins!"
   },
+  "upgradeNow": {
+    "message": "Upgrade now"
+  },
+  "builtInAuthenticator": {
+    "message": "Built-in authenticator"
+  },
+  "secureFileStorage": {
+    "message": "Secure file storage"
+  },
+  "emergencyAccess": {
+    "message": "Emergency access"
+  },
+  "breachMonitoring": {
+    "message": "Breach monitoring"
+  },
+  "andMoreFeatures": {
+    "message": "And more!"
+  },
+  "planDescPremium": {
+    "message": "Complete online security"
+  },
+  "upgradeToPremium": {
+    "message": "Upgrade to Premium"
+  },
   "settingDisabledByPolicy": {
     "message": "This setting is disabled by your organization's policy.",
     "description": "This hint text is displayed when a user setting is disabled due to an organization policy."