Merge branch 'km/new-pin-service-interface' of github.com:bitwarden/clients into km/new-pin-service-interface

Author: quexten

.github/CODEOWNERS

@@ -162,6 +162,7 @@ apps/desktop/desktop_native/core/src/ssh_agent @bitwarden/team-autofill-desktop-
 libs/components @bitwarden/team-ui-foundation
 libs/assets @bitwarden/team-ui-foundation
 libs/ui @bitwarden/team-ui-foundation
+libs/angular/src/scss @bitwarden/team-ui-foundation
 apps/browser/src/platform/popup/layout @bitwarden/team-ui-foundation
 apps/browser/src/popup/app-routing.animations.ts @bitwarden/team-ui-foundation
 apps/browser/src/popup/components/extension-anon-layout-wrapper @bitwarden/team-ui-foundation
@@ -204,10 +205,11 @@ apps/web/src/locales/en/messages.json
 .github/workflows/release-desktop.yml @bitwarden/dept-bre
 .github/workflows/release-web.yml @bitwarden/dept-bre
 
-## Docker files have shared ownership ##
+## Docker-related files
 **/Dockerfile @bitwarden/team-appsec @bitwarden/dept-bre
 **/*.Dockerfile @bitwarden/team-appsec @bitwarden/dept-bre
 **/*.dockerignore @bitwarden/team-appsec @bitwarden/dept-bre
+**/docker-compose.yml @bitwarden/team-appsec @bitwarden/dept-bre
 **/entrypoint.sh @bitwarden/team-appsec @bitwarden/dept-bre
 
 ## Overrides

.github/renovate.json5

@@ -147,6 +147,7 @@
         "@nx/eslint",
         "@nx/jest",
         "@nx/js",
+        "@nx/webpack",
         "@types/chrome",
         "@types/firefox-webext-browser",
         "@types/glob",

.github/workflows/alert-ddg-files-modified.yml

@@ -30,7 +30,7 @@ jobs:
             - 'apps/desktop/src/services/encrypted-message-handler.service.ts'
 
     - name: Remove past BIT status comments
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       with:
         script: |
           // Note: should match the first line of `message` in the communication steps
@@ -67,7 +67,7 @@ jobs:
 
     - name: Comment on PR if monitored files changed
       if: steps.changed-files.outputs.monitored == 'true'
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       with:
         script: |
           const changedFiles = `${{ steps.changed-files.outputs.monitored_files }}`.split(' ').filter(file => file.trim() !== '');

.github/workflows/auto-reply-discussions.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: Get discussion label and template name
         id: discussion-label
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const discussion = context.payload.discussion;
@@ -29,7 +29,7 @@ jobs:
 
       - name: Get selected topic
         id: get_selected_topic
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           result-encoding: string
           script: |
@@ -45,7 +45,7 @@ jobs:
             }
 
       - name: Reply or close Discussion
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           TEMPLATE_NAME: ${{ steps.discussion-label.outputs.template_name }}
           TOPIC: ${{ steps.get_selected_topic.outputs.result }}

.github/workflows/build-web.yml

@@ -409,7 +409,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Trigger web vault deploy using GitHub Run ID
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
           script: |

.github/workflows/lint.yml

@@ -49,6 +49,7 @@ jobs:
             ! -path "*/Cargo.toml" \
             ! -path "*/Cargo.lock" \
             ! -path "./apps/desktop/macos/*" \
+            ! -path "*/CLAUDE.md" \
             > tmp.txt
           diff <(sort .github/whitelist-capital-letters.txt) <(sort tmp.txt)
 

.github/workflows/nx.yml

@@ -38,4 +38,5 @@ jobs:
         uses: nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 # v4.3.3
 
       - name: Run Nx affected tasks
+        continue-on-error: true
         run: npx nx affected -t build lint test

.github/workflows/publish-web.yml

@@ -179,7 +179,7 @@ jobs:
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Trigger self-host build
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
           script: |

.github/workflows/review-code.yml

@@ -0,0 +1,109 @@
+name: Review code
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions: {}
+
+jobs:
+  review:
+    name: Review
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Check for Vault team changes
+        id: check_changes
+        run: |
+          # Ensure we have the base branch
+          git fetch origin ${{ github.base_ref }}
+
+          echo "Comparing changes between origin/${{ github.base_ref }} and HEAD"
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
+
+          if [ -z "$CHANGED_FILES" ]; then
+            echo "Zero files changed"
+            echo "vault_team_changes=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # Handle variations in spacing and multiple teams
+          VAULT_PATTERNS=$(grep -E "@bitwarden/team-vault-dev(\s|$)" .github/CODEOWNERS 2>/dev/null | awk '{print $1}')
+
+          if [ -z "$VAULT_PATTERNS" ]; then
+            echo "⚠️ No patterns found for @bitwarden/team-vault-dev in CODEOWNERS"
+            echo "vault_team_changes=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          vault_team_changes=false
+          for pattern in $VAULT_PATTERNS; do
+            echo "Checking pattern: $pattern"
+
+            # Handle **/directory patterns
+            if [[ "$pattern" == "**/"* ]]; then
+              # Remove the **/ prefix
+              dir_pattern="${pattern#\*\*/}"
+              # Check if any file contains this directory in its path
+              if echo "$CHANGED_FILES" | grep -qE "(^|/)${dir_pattern}(/|$)"; then
+                vault_team_changes=true
+                echo "✅ Found files matching pattern: $pattern"
+                echo "$CHANGED_FILES" | grep -E "(^|/)${dir_pattern}(/|$)" | sed 's/^/  - /'
+                break
+              fi
+            else
+              # Handle other patterns (shouldn't happen based on your CODEOWNERS)
+              if echo "$CHANGED_FILES" | grep -q "$pattern"; then
+                vault_team_changes=true
+                echo "✅ Found files matching pattern: $pattern"
+                echo "$CHANGED_FILES" | grep "$pattern" | sed 's/^/  - /'
+                break
+              fi
+            fi
+          done
+
+          echo "vault_team_changes=$vault_team_changes" >> $GITHUB_OUTPUT
+
+          if [ "$vault_team_changes" = "true" ]; then
+            echo ""
+            echo "✅ Vault team changes detected - proceeding with review"
+          else
+            echo ""
+            echo "❌  No Vault team changes detected - skipping review"
+          fi
+
+      - name: Review with Claude Code
+        if: steps.check_changes.outputs.vault_team_changes == 'true'
+        uses: anthropics/claude-code-action@a5528eec7426a4f0c9c1ac96018daa53ebd05bc4 # v1.0.7
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          track_progress: true
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+            TITLE: ${{ github.event.pull_request.title }}
+            BODY: ${{ github.event.pull_request.body }}
+            AUTHOR: ${{ github.event.pull_request.user.login }}
+
+            Please review this pull request with a focus on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Security implications
+            - Performance considerations
+
+            Note: The PR branch is already checked out in the current working directory.
+
+            Provide detailed feedback using inline comments for specific issues.
+
+          claude_args: |
+            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"

.github/workflows/test-browser-interactions.yml

@@ -11,6 +11,7 @@ jobs:
   check-files:
     name: Check files
     runs-on: ubuntu-22.04
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     permissions:
       actions: write
       contents: read