Merge branch 'main' into renovate/anchore-scan-action-7.x

.claude/CLAUDE.md

@@ -0,0 +1,9 @@
+# Bitwarden Key Connector
+
+## References
+
+- [Architectural Decision Records (ADRs)](https://contributing.bitwarden.com/architecture/adr/)
+- [Contributing Guidelines](https://contributing.bitwarden.com/contributing/)
+- [Code Style](https://contributing.bitwarden.com/contributing/code-style/)
+- [Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/)
+- [Security Definitions](https://contributing.bitwarden.com/architecture/security/definitions)

.claude/prompts/review-code.md

@@ -0,0 +1,27 @@
+Please review this pull request with a focus on:
+
+- Code quality and best practices
+- Potential bugs or issues
+- Security implications
+- Performance considerations
+
+Note: The PR branch is already checked out in the current working directory.
+
+Provide a comprehensive review including:
+
+- Summary of changes since last review
+- Critical issues found (be thorough)
+- Suggested improvements (be thorough)
+- Good practices observed (be concise - list only the most notable items without elaboration)
+- Action items for the author
+- Leverage collapsible <details> sections where appropriate for lengthy explanations or code
+  snippets to enhance human readability
+
+When reviewing subsequent commits:
+
+- Track status of previously identified issues (fixed/unfixed/reopened)
+- Identify NEW problems introduced since last review
+- Note if fixes introduced new issues
+
+IMPORTANT: Be comprehensive about issues and improvements. For good practices, be brief - just note
+what was done well without explaining why or praising excessively.

.github/CODEOWNERS

@@ -25,3 +25,8 @@ Directory.Build.props
 .github/workflows/build.yml @bitwarden/dept-bre @bitwarden/team-key-management-dev
 .github/workflows/release.yml @bitwarden/dept-bre @bitwarden/team-key-management-dev
 .github/workflows/version-bump.yml @bitwarden/dept-bre @bitwarden/team-key-management-dev
+
+# Claude related files
+.claude/ @bitwarden/team-ai-sme
+.github/workflows/respond.yml @bitwarden/team-ai-sme
+.github/workflows/review-code.yml @bitwarden/team-ai-sme

.github/renovate.json

@@ -1,23 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>bitwarden/renovate-config"],
-  "enabledManagers": ["dockerfile", "github-actions", "nuget"],
-  "packageRules": [
-    {
-      "groupName": "dockerfile minor",
-      "matchManagers": ["dockerfile"],
-      "matchUpdateTypes": ["minor", "patch"]
-    },
-    {
-      "groupName": "gh minor",
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"]
-    },
-    {
-      "groupName": "nuget minor",
-      "matchManagers": ["nuget"],
-      "matchUpdateTypes": ["minor", "patch"]
-    }
-  ],
-  "ignoreDeps": ["dotnet-sdk"]
-}

.github/renovate.json5

@@ -0,0 +1,55 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: ["github>bitwarden/renovate-config"],
+  enabledManagers: ["dockerfile", "github-actions", "nuget"],
+  packageRules: [
+    {
+      groupName: "dockerfile minor",
+      matchManagers: ["dockerfile"],
+      matchUpdateTypes: ["minor", "patch"]
+    },
+    {
+      groupName: "gh minor",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["minor", "patch"]
+    },
+    // nuget groups
+    {
+      groupName: "Entity Framework Core",
+      matchPackageNames: ["/\\.EntityFrameworkCore\\./", "/^dotnet-ef/"],
+      matchUpdateTypes: ["minor", "patch"]
+    },
+    {
+      groupName: "Testing",
+      matchPackageNames: [
+        "coverlet.collector",
+        "Microsoft.NET.Test.Sdk",
+        "NSubstitute",
+        "xunit",
+        "xunit.runner.visualstudio"
+      ],
+      matchUpdateTypes: ["minor", "patch"]
+    },
+    {
+      groupName: "Serilog",
+      matchPackageNames: ["/^Serilog\\./"],
+      matchUpdateTypes: ["minor", "patch"]
+    },
+    {
+      groupName: "nuget minor",
+      matchManagers: ["nuget"],
+      matchUpdateTypes: ["minor", "patch"]
+    },
+    // Ignore major updates that require newer .NET SDK versions
+    {
+      matchPackageNames: [
+        "/\\.EntityFrameworkCore\\./",
+        "/^dotnet-ef/",
+        "/^Serilog\\./"
+      ],
+      matchUpdateTypes: ["major"],
+      enabled: false
+    }
+  ],
+  ignoreDeps: ["dotnet-sdk"]
+}

.github/workflows/build.yml

@@ -116,7 +116,7 @@ jobs:
 
       - name: Install Cosign
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Sign image with Cosign
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
@@ -130,7 +130,6 @@ jobs:
             images+=("${tag}@${DIGEST}")
           done
           cosign sign --yes "${images[@]}"
-          echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
 
       - name: Scan Docker image
         id: container-scan

.github/workflows/publish.yml

@@ -56,7 +56,7 @@ jobs:
       packages: write
     steps:
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
@@ -75,13 +75,5 @@ jobs:
         if: ${{ inputs.publish_type != 'Dry Run' }}
         run: docker push "ghcr.io/bitwarden/key-connector:latest"
 
-      - name: Verify the signed image with Cosign
-        if: ${{ inputs.publish_type != 'Dry Run' }}
-        run: |
-          cosign verify \
-            --certificate-identity-regexp="https://github\.com/bitwarden/key-connector/.*" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            "ghcr.io/bitwarden/key-connector:latest"
-
       - name: Log out of Docker
         run: docker logout ghcr.io

.github/workflows/respond.yml

@@ -0,0 +1,28 @@
+name: Respond
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+permissions: {}
+
+jobs:
+  respond:
+    name: Respond
+    uses: bitwarden/gh-actions/.github/workflows/_respond.yml@main
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+    permissions:
+      actions: read
+      contents: write
+      id-token: write
+      issues: write
+      pull-requests: write

.github/workflows/review-code.yml

@@ -0,0 +1,20 @@
+name: Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions: {}
+
+jobs:
+  review:
+    name: Review
+    uses: bitwarden/gh-actions/.github/workflows/_review-code.yml@main
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write