Merge branch 'main' into matt/PM-13104-remove-biometrics-integrity-ch…

…ecks

.github/actions/dispatch-and-download/action.yml

@@ -27,16 +27,17 @@ runs:
   using: "composite"
   steps:
     - name: Log inputs to job summary
+      shell: bash
       run: |
-        echo "<details><summary>Workflow Inputs</summary>" >> $GITHUB_STEP_SUMMARY
+        echo "<details><summary>Dispatch and Download Action Workflow Inputs</summary>" >> $GITHUB_STEP_SUMMARY
         echo "" >> $GITHUB_STEP_SUMMARY
         echo '```json' >> $GITHUB_STEP_SUMMARY
         echo '${{ toJson(inputs) }}' >> $GITHUB_STEP_SUMMARY
         echo '```' >> $GITHUB_STEP_SUMMARY
         echo "</details>" >> $GITHUB_STEP_SUMMARY
 
     - name: Dispatch an action and get the run ID and URL
-      uses: codex-/return-dispatch@bcb9c46cb8ee849d5e6cca0ba9c8529d620ae006 # v1.15.0
+      uses: codex-/return-dispatch@8e5959a15e0ef0a34b9569395f994e61fed5dd26 # v1.16.0
       id: return_dispatch
       with:
         token: ${{ inputs.token }}
@@ -53,6 +54,40 @@ runs:
       run: |
         echo ${{steps.return_dispatch.outputs.run_id}}
         echo ${{steps.return_dispatch.outputs.run_url}}
+    - name: Wait for workflow to finish
+      shell: bash
+      run: |
+        sleep 5
+
+        timeout="30" # in seconds
+        interval="10" # in seconds
+        counter=0
+        timeout_counter=0
+        url="https://api.github.com/repos/${{ inputs.owner }}/${{ inputs.repo }}/actions/runs/${{steps.return_dispatch.outputs.run_id}}"
+        while true; do
+          run_data=$(curl -s -H "Accept: application/vnd.github+json" -H "Authorization: token ${{ inputs.token }}" $url)
+          status=$(echo "$run_data" | jq -r '.status')
+
+          echo "Try -> $timeout_counter; status -> $status"
+          if [ "$status" = "completed" ]; then
+            conclusion=$(echo "$run_data" | jq -r '.conclusion')
+            if [ "$conclusion" != "success" ]; then
+              echo "::error::Dispatched workflow failed."
+              exit 1
+            else
+              echo "::debug::Dispatched workflow completed successfully!"
+              break
+            fi
+          fi
+
+          timeout_counter=$((timeout_counter + 1))
+          if [ $((timeout_counter * interval)) -ge $((timeout * 60)) ]; then
+            echo "::error::Timeout waiting for the Dispatched workflow to complete."
+            exit 1
+          fi
+
+          sleep $interval
+        done
 
     - name: Download all artifacts
       uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

.github/workflows/CI-main.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: 0
           filter: tree:0

.github/workflows/_version.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
     inputs:
       base_version_number:
-        description: "Base version number to use for version calculation"
+        description: "Base Version Number - Will be added to the calculated version number"
         type: number
         default: 0
       version_name:
@@ -31,7 +31,7 @@ jobs:
     steps:
       - name: Log inputs to job summary
         run: |
-          echo "<details><summary>Workflow Inputs</summary>" >> $GITHUB_STEP_SUMMARY
+          echo "<details><summary>Version Workflow Inputs</summary>" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo '```json' >> $GITHUB_STEP_SUMMARY
           echo '${{ toJson(inputs) }}' >> $GITHUB_STEP_SUMMARY
@@ -43,7 +43,7 @@ jobs:
 
       - name: Check out repository
         if: ${{ !inputs.skip_checkout || false }}
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: 0
 
@@ -80,7 +80,7 @@ jobs:
           latest_major_version=$(echo $latest_version | cut -d "." -f 1)
           latest_minor_version=$(echo $latest_version | cut -d "." -f 2)
           patch_version=0
-          if [[ ! -z "${{ inputs.version_name }}" ]]; then
+          if [[ ! -z "${{ inputs.patch_version }}" ]]; then
             patch_version=${{ inputs.patch_version }}
             echo "::warning::Patch Version Override applied: $patch_version"
           elif [[ "$current_year" == "$latest_major_version" && "$current_month" == "$latest_minor_version" ]]; then

.github/workflows/build.yml

@@ -6,7 +6,7 @@ on:
       build-variant:
         description: "Build Variant"
         required: true
-        default: "Production"
+        default: "Beta"
         type: choice
         options:
           - Beta
@@ -16,13 +16,21 @@ on:
         type: string
       build-number:
         description: "Version Number Override - e.g. '1021'"
-        type: number
+        type: string
       xcode-version:
         description: "Xcode Version Override - e.g. '15.2'"
         type: string
       compiler-flags:
         description: "Compiler Flags - e.g. 'DEBUG_MENU FEATURE2'"
         type: string
+        default: "DEBUG_MENU"
+      base_version_number:
+        description: "Base Version Number - Will be added to the calculated version number"
+        type: number
+        default: 2000
+      patch_version:
+        description: "Patch Version Override - e.g. '999'"
+        type: string
   workflow_call:
     inputs:
       build-variant:
@@ -40,7 +48,13 @@ on:
       compiler-flags:
         description: "Compiler Flags - e.g. 'DEBUG_MENU FEATURE2'"
         type: string
-
+      base_version_number:
+        description: "Base Version Number - Will be added to the calculated version number"
+        type: number
+        default: 2000
+      patch_version:
+        description: "Patch Version Override - e.g. '999'"
+        type: string
 env:
   BUILD_VARIANT: ${{ inputs.build-variant || 'Beta' }}
   XCODE_VERSION: ${{ inputs.xcode-version || '15.4' }}
@@ -54,62 +68,58 @@ jobs:
       MINT_LINK_PATH: .mint/bin
 
     steps:
+      - name: Log inputs to job summary
+        run: |
+          echo "<details><summary>Build Workflow Inputs</summary>" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo '```json' >> $GITHUB_STEP_SUMMARY
+          echo '${{ toJson(inputs) }}' >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          echo "</details>" >> $GITHUB_STEP_SUMMARY
+
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: 0
           filter: tree:0
 
-      - name: Calculate build version and number
-        id: calculate
+      - name: Calculate version
+        uses: bitwarden/ios/.github/actions/dispatch-and-download@main
+        id: dispatch-version
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          owner: bitwarden
+          repo: ios
+          ref: main
+          workflow: _version.yml
+          workflow_inputs: '{"base_version_number": "${{ inputs.base_version_number }}", "version_name": "${{ inputs.build-version }}", "version_number": "${{ inputs.build-number }}", "patch_version": "${{ inputs.patch_version }}"}'
+
+      - name: Read version info
+        id: version_info
         run: |
-          if [[ ! -z "${{ inputs.build-version }}" ]]; then
-            echo -e "\nApplying build version override"
-            next_version=${{ inputs.build-version }}
+          # test if dispatch-version was skipped. In that case, creates the same .json file expected by the Upload artifact step
+          if [ ! -f version-info/version_info.json ]; then
+            echo "::warning::version-version.json not found, was the previous step skipped? Creating a new file"
+            json='{
+              "version_number": "${{ inputs.build-number }}",
+              "version_name": "${{ inputs.build-version }}"
+            }'
+
+            # file will be used by the upload step
+            mkdir version-info
+            echo "$json" > version-info/version_info.json
           else
-            echo -e "\nCalculating next version..."
-            current_year=$(date +%Y)
-            current_month=$(date +%-m)
-
-            latest_tag_version=$(git tag --sort=committerdate --list | tail -1)
-            latest_version=${latest_tag_version:1}  # remove 'v' from tag version
-
-            latest_major_version=$(echo $latest_version | cut -d "." -f 1)
-            latest_minor_version=$(echo $latest_version | cut -d "." -f 2)
-            latest_patch_version=$(echo $latest_version | cut -d "." -f 3)
-
-            echo "  Current Year:         $current_year"
-            echo "  Current Month:        $current_month"
-            echo "  Latest Version:       $latest_version"
-            echo "  Latest Major Version: $latest_major_version"
-            echo "  Latest Minor Version: $latest_minor_version"
-            echo "  Latest Patch Version: $latest_patch_version"
-
-            if [[ "$current_year" == "$latest_major_version" && "$current_month" == "$latest_minor_version" ]]; then
-              next_version="${latest_major_version}.${latest_minor_version}.$(($latest_patch_version + 1))"
-            else
-              next_version="${current_year}.${current_month}.0"
-            fi
+              echo "::notice::version-version.json found!"
           fi
 
-          if [[ ! -z "${{ inputs.build-number }}" ]]; then
-            echo -e "\nApplying build number override"
-            next_number=${{ inputs.build-number }}
-          else
-            echo -e "\nCalculating build number..."
-            next_number=$(($GITHUB_RUN_NUMBER))
-          fi
-
-          echo -e "\n"
-          echo "version=$next_version" >> $GITHUB_OUTPUT
-          echo "build_number=$next_number" >> $GITHUB_OUTPUT
-
-      - name: Print values
-        run: |
-          echo "**Variant**: ${{ env.BUILD_VARIANT }}" | tee -a $GITHUB_STEP_SUMMARY
-          echo "**Version**: ${{ steps.calculate.outputs.version }}" | tee -a $GITHUB_STEP_SUMMARY
-          echo "**Number**: ${{ steps.calculate.outputs.build_number }}" | tee -a $GITHUB_STEP_SUMMARY
-          echo "**Xcode**: ${{ env.XCODE_VERSION }}" | tee -a $GITHUB_STEP_SUMMARY
+          content=$(cat version-info/version_info.json)
+          echo "version_name=$(echo $content | jq -r .version_name)" >> $GITHUB_OUTPUT
+          echo "version_number=$(echo $content | jq -r .version_number)" >> $GITHUB_OUTPUT
+      - name: Upload version info artifact
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: version-info
+          path: version-info/version_info.json
 
       - name: Set Xcode version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
@@ -280,7 +290,7 @@ jobs:
           plutil -replace aps-environment -string production Bitwarden/Application/Support/Bitwarden.entitlements
 
       - name: Configure Ruby
-        uses: ruby/setup-ruby@a6b46b8a08edb18935835849f2a17072d5cc8c73 # v1.192.0
+        uses: ruby/setup-ruby@c04af2bb7258bb6a03df1d3c1865998ac9390972 # v1.194.0
         with:
           bundler-cache: true
 
@@ -298,12 +308,9 @@ jobs:
           ./Scripts/select_variant.sh ${{ env.BUILD_VARIANT }} "${{ inputs.compiler-flags }}"
 
       - name: Update build version and number
-        env:
-          build_version: ${{ steps.calculate.outputs.version }}
-          build_number: ${{ steps.calculate.outputs.build_number }}
         run: |
-          yq -i '.settings.MARKETING_VERSION = "${{ env.build_version }}"' 'project.yml'
-          yq -i '.settings.CURRENT_PROJECT_VERSION = "${{ env.build_number }}"' 'project.yml'
+          yq -i '.settings.MARKETING_VERSION = "${{ steps.version_info.outputs.version_name }}"' 'project.yml'
+          yq -i '.settings.CURRENT_PROJECT_VERSION = "${{ steps.version_info.outputs.version_number }}"' 'project.yml'
 
       - name: Update CI build info
         run: |
@@ -322,7 +329,7 @@ jobs:
       - name: Upload IPA & dSYM files
         uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
-          name: Bitwarden iOS ${{ steps.calculate.outputs.version }} (${{ steps.calculate.outputs.build_number }}) ${{ env.BUILD_VARIANT }} ${{ env.XCODE_VERSION }}
+          name: Bitwarden iOS ${{ steps.version_info.outputs.version_name }} (${{ steps.version_info.outputs.version_number }}) ${{ env.BUILD_VARIANT }} ${{ env.XCODE_VERSION }}
           path: export
           if-no-files-found: error
 

.github/workflows/crowdin-pull.yml

@@ -9,12 +9,12 @@ on:
 jobs:
   crowdin-sync:
     name: Autosync
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       _CROWDIN_PROJECT_ID: "269690"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Login to Azure - CI Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -29,7 +29,7 @@ jobs:
           secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase"
 
       - name: Download translations
-        uses: crowdin/github-action@cf0ccf9a71f614e66e011d461ea11e5dbabb93ca # v2.1.2
+        uses: crowdin/github-action@95d6e895e871c3c7acf0cfb962f296baa41e63c6 # v2.2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/crowdin-push.yml

@@ -9,12 +9,12 @@ on:
 jobs:
   crowdin-push:
     name: Crowdin Push
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       _CROWDIN_PROJECT_ID: "269690"
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Log in to Azure
         uses: Azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
@@ -29,7 +29,7 @@ jobs:
           secrets: "crowdin-api-token"
 
       - name: Upload sources
-        uses: crowdin/github-action@cf0ccf9a71f614e66e011d461ea11e5dbabb93ca # v2.1.2
+        uses: crowdin/github-action@95d6e895e871c3c7acf0cfb962f296baa41e63c6 # v2.2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}

.github/workflows/scan.yml

@@ -17,7 +17,7 @@ jobs:
 
   sast:
     name: SAST scan
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: check-run
     permissions:
       contents: read
@@ -26,12 +26,12 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd # 2.0.33
+        uses: checkmarx/ast-github-action@ed196cdaec9cd1bc5aacac4ca2010dd773b20893 # 2.0.35
         env:
           INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
         with:
@@ -46,21 +46,21 @@ jobs:
             --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
         with:
           sarif_file: cx_result.sarif
 
   quality:
     name: Quality scan
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: check-run
     permissions:
       contents: read
       pull-requests: write
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: 0
           ref: ${{  github.event.pull_request.head.sha }}