Merge branch 'km/beeep/safe-password-protected-key-envelope' of github.com:bitwarden/sdk-internal into km/beeep/safe-password-protected-key-envelope

Author: quexten

.github/workflows/build-android.yml

@@ -71,9 +71,9 @@ jobs:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.ref }}
 
-      - name: Checkout repo (Push)
+      - name: Checkout repo (Push or manual run)
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        if: github.event_name == 'push'
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
         with:
           fetch-depth: 0
 

.github/workflows/scan.yml

@@ -26,100 +26,30 @@ jobs:
       contents: read
 
   sast:
-    name: SAST scan
-    runs-on: ubuntu-24.04
+    name: Checkmarx
+    uses: bitwarden/gh-actions/.github/workflows/_checkmarx.yml@main
     needs: check-run
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
     permissions:
       contents: read
       pull-requests: write
       security-events: write
       id-token: write
 
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{  github.event.pull_request.head.sha }}
-
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-org-bitwarden
-          secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@9fda4ab4c1b67c35de380552a972a82997d97731 # 2.0.42
-        env:
-          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
-        with:
-          project_name: ${{ github.repository }}
-          cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
-          base_uri: https://ast.checkmarx.net/
-          cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
-          cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
-          additional_params: |
-            --report-format sarif \
-            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
-            --output-path . ${{ env.INCREMENTAL }}
-
-      - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
-        with:
-          sarif_file: cx_result.sarif
-          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
-          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
-
   quality:
-    name: Quality scan
-    runs-on: ubuntu-24.04
+    name: Sonar
+    uses: bitwarden/gh-actions/.github/workflows/_sonar.yml@main
     needs: check-run
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
     permissions:
       contents: read
       pull-requests: write
       id-token: write
-
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          ref: ${{  github.event.pull_request.head.sha }}
-
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-org-bitwarden
-          secrets: "SONAR-TOKEN"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Scan with SonarCloud
-        uses: sonarsource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
-        env:
-          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
-        with:
-          args: >
-            -Dsonar.organization=${{ github.repository_owner }}
-            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
-            -Dsonar.exclusions=crates/bitwarden-uniffi/kotlin/**,crates/bitwarden-uniffi/swift/**
-            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+    with:
+      sonar-exclusions: "crates/bitwarden-uniffi/kotlin/**,crates/bitwarden-uniffi/swift/**"

Cargo.lock

@@ -23,6 +23,7 @@ bitwarden-api-api = { path = "crates/bitwarden-api-api", version = "=1.0.0" }
 bitwarden-api-identity = { path = "crates/bitwarden-api-identity", version = "=1.0.0" }
 bitwarden-auth = { path = "crates/bitwarden-auth", version = "=1.0.0" }
 bitwarden-cli = { path = "crates/bitwarden-cli", version = "=1.0.0" }
+bitwarden-collections = { path = "crates/bitwarden-collections", version = "=1.0.0" }
 bitwarden-core = { path = "crates/bitwarden-core", version = "=1.0.0" }
 bitwarden-crypto = { path = "crates/bitwarden-crypto", version = "=1.0.0" }
 bitwarden-error = { path = "crates/bitwarden-error", version = "=1.0.0" }

Cargo.toml

@@ -52,22 +52,20 @@ You can also browse the latest published documentation:
 The project is structured as a monorepo using cargo workspaces. Some of the more noteworthy crates
 are:
 
-- [`bitwarden-api-api`](./crates/bitwarden-api-api/): Auto-generated API bindings for the API
-  server.
-- [`bitwarden-api-identity`](./crates/bitwarden-api-identity/): Auto-generated API bindings for the
+- [`bitwarden-api-api`](./crates/bitwarden-api-api): Auto-generated API bindings for the API server.
+- [`bitwarden-api-identity`](./crates/bitwarden-api-identity): Auto-generated API bindings for the
   Identity server.
-- [`bitwarden-core`](./crates/bitwarden-core/): The core functionality consumed by the other crates.
-- [`bitwarden-crypto`](./crates/bitwarden-crypto/): Crypto library.
-- [`bitwarden-wasm-internal`](./crates/bitwarden-wasm-internal/): WASM bindings for the internal
-  SDK.
-- [`bitwarden-uniffi`](./crates/bitwarden-uniffi/): Mobile bindings for swift and kotlin using
+- [`bitwarden-core`](./crates/bitwarden-core): The core functionality consumed by the other crates.
+- [`bitwarden-crypto`](./crates/bitwarden-crypto): Crypto library.
+- [`bitwarden-wasm-internal`](./crates/bitwarden-wasm-internal): WASM bindings for the internal SDK.
+- [`bitwarden-uniffi`](./crates/bitwarden-uniffi): Mobile bindings for swift and kotlin using
   [UniFFI](https://github.com/mozilla/uniffi-rs/).
 
 ## API Bindings
 
-We autogenerate the server bindings using
-[openapi-generator](https://github.com/OpenAPITools/openapi-generator). To do this we first need to
-build the internal swagger documentation.
+We autogenerate the server bindings
+using[openapi-generator](https://github.com/OpenAPITools/openapi-generator). To do this, we first
+need to build the internal swagger documentation.
 
 ### Swagger generation
 
@@ -83,15 +81,16 @@ ASPNETCORE_ENVIRONMENT=development dotnet swagger tofile --output ../../identity
 
 ### OpenApi Generator
 
-To generate a new version of the bindings run the following script from the root of the SDK project.
+To generate a new version of the bindings, run the following script from the root of the SDK
+project.
 
 ```bash
 ./support/build-api.sh
 ```
 
-This project uses customized templates which lives in the `support/openapi-templates` directory.
-These templates resolves some outstanding issues we've experienced with the rust generator. But we
-strive towards modifying the templates as little as possible to ease future upgrades.
+This project uses customized templates that live in the `support/openapi-templates` directory. These
+templates resolve some outstanding issues we've experienced with the rust generator. But we strive
+towards modifying the templates as little as possible to ease future upgrades.
 
 ### Note
 
@@ -102,9 +101,9 @@ strive towards modifying the templates as little as possible to ease future upgr
 
 ## Developer tools
 
-This project recommends the use of certain developer tools, and also includes configurations for
-them to make developers lives easier. The use of these tools is optional and they might require a
-separate installation step.
+This project recommends the use of certain developer tools and includes configurations for them to
+make developers' lives easier. The use of these tools is optional, and they might require a separate
+installation step.
 
 The list of developer tools is:
 
@@ -122,11 +121,11 @@ The list of developer tools is:
 ## Formatting & Linting
 
 This repository uses various tools to check formatting and linting before it's merged. It's
-recommended to run the checks prior to submitting a PR.
+recommended to run the checks before submitting a PR.
 
 ### Installation
 
-Please see the [lint.yml](./.github/workflows/lint.yml) file for example installation commands &
+Please see the [lint.yml](./.github/workflows/lint.yml) file, for example, installation commands and
 versions. Here are the cli tools we use:
 
 - Nightly [cargo fmt](https://github.com/rust-lang/rustfmt) and