build: implement SDK breaking change detection (#538)

## 🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-22218
bitwarden/clients#17314
bitwarden/clients#17075

## 📔 Objective

Implement automated SDK breaking change detection that provides
immediate feedback when SDK PRs introduce TypeScript compilation issues
for client applications. This system catches breaking changes at SDK
development time rather than during client integration.

Previously, breaking changes in the SDK weren't discovered until someone
tried to update the SDK version in client repositories, making fixes
difficult and disruptive.

This PR implements a cross-repository workflow system that:

1. Triggers when SDK PRs have successful WASM artifacts built
2. Downloads and tests the new SDK artifacts against the typechecker in
`clients`
3. Provides immediate feedback via PR comments and labels

This was designed to be modular: hopefully we can just "slot in" mobile
with any appropriate available job in those repos.

## Screenshots

An example failure comment. It links to [this
run](https://github.com/bitwarden/clients/actions/runs/19080851865). I
created a breaking change on purpose and then reverted it.
<img width="1970" height="882" alt="Screenshot 2025-11-04 at 3 03 36 PM"
src="https://github.com/user-attachments/assets/b3653da7-7325-4939-a1ca-d2107686a431"
/>

The comment when no breaking changes are detected. 
<img width="1996" height="880" alt="Screenshot 2025-11-04 at 4 22 17 PM"
src="https://github.com/user-attachments/assets/562c78d9-ad5f-448a-be94-f69ba82ca978"
/>


## ⏰ Reminders before review

- [x] Contributor guidelines followed
- [x] All formatters and local linters executed and passed
- [x] Written new unit and / or integration tests where applicable
- [x] Protected functional changes with optionality (feature flags)
- [x] Used internationalization (i18n) for all UI strings
- [x] CI builds passed
- [x] Communicated to DevOps any deployment requirements
- [x] Updated any necessary documentation (Confluence, contributing
docs) or informed the documentation team

## 🦮 Reviewer guidelines

<!-- Suggested interactions but feel free to use (or not) as you desire!
-->

- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry
that's not quite a confirmed
  issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or
concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or
indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes


[PM-22218]:
https://bitwarden.atlassian.net/browse/PM-22218?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Author: addisonbeck

.github/PULL_REQUEST_TEMPLATE.md

@@ -6,6 +6,20 @@
 
 <!-- Describe what the purpose of this PR is, for example what bug you're fixing or new feature you're adding. -->
 
+## 🚨 Breaking Changes
+
+<!-- Does this PR introduce any breaking changes? If so, please describe the impact and migration path for clients.
+
+If you're unsure, the automated TypeScript compatibility check will run when you open/update this PR and provide feedback.
+
+For breaking changes:
+1. Describe what changed in the client interface
+2. Explain why the change was necessary
+3. Provide migration steps for client developers
+4. Link to any paired client PRs if needed
+
+Otherwise, you can remove this section. -->
+
 ## ⏰ Reminders before review
 
 - Contributor guidelines followed

.github/workflows/build-wasm-internal.yml

@@ -43,7 +43,7 @@ jobs:
         env:
           PR_HEAD_REF: "${{ github.event.pull_request.head.ref }}"
         run: |
-          echo REF_NAME="$PR_HEAD_REF" >> $GITHUB_ENV
+          echo REF_NAME="${PR_HEAD_REF}" >> $GITHUB_ENV
           echo SHA="${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
 
       - name: Set env variables (Branch/Tag)
@@ -119,24 +119,53 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Retrieve github PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@30bf6253fa41bdc8d1501d202ad15287582246b4 # v2.0.3
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: bitwarden
+          repositories: sdk-internal
+          permission-actions: write
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Trigger WASM publish
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'bitwarden',
               repo: 'sdk-internal',
               workflow_id: 'publish-wasm-internal.yml',
               ref: 'main',
             })
+
+  trigger-breaking-change-check:
+    name: Trigger client breaking change checks
+    if: github.event_name == 'pull_request'
+    needs: build
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    uses: ./.github/workflows/detect-breaking-changes.yml
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.number }}
+      pr_head_sha: ${{ github.event.pull_request.head.sha }}
+      pr_head_ref: ${{ github.event.pull_request.head.ref }}
+      build_run_id: ${{ github.run_id }}
+      client_repo: "bitwarden/clients"
+      client_label: "typescript"
+      client_workflow: "sdk-breaking-change-check.yml"