Merge branch 'main' into jmccannon/ac/pm-32073-bulk-org-ability

# Conflicts:
#	src/Core/Services/Implementations/FeatureRoutedCacheService.cs

Author: jrmccannon

.github/workflows/_move_edd_db_scripts.yml

@@ -20,27 +20,9 @@ jobs:
       copy_edd_scripts: ${{ steps.check-script-existence.outputs.copy_edd_scripts }}
 
     steps:
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
       - name: Check out branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
           persist-credentials: false
 
       - name: Get script prefix
@@ -64,14 +46,46 @@ jobs:
       contents: write
       pull-requests: write
       id-token: write
-      actions: read
     if: ${{ needs.setup.outputs.copy_edd_scripts == 'true' }}
     steps:
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Retrieve Slack secrets
+        id: retrieve-slack
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "devops-alerts-slack-webhook-url"
+
+      - name: Retrieve secrets
+        id: retrieve-secret
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: app-token
+        with:
+          app-id: ${{ steps.retrieve-secret.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.retrieve-secret.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: true
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Generate branch name
         id: branch_name
@@ -82,7 +96,9 @@ jobs:
       - name: "Create branch"
         env:
           BRANCH: ${{ steps.branch_name.outputs.branch_name }}
-        run: git switch -c "$BRANCH"
+        run: |
+          git switch -c "$BRANCH"
+          git push -u origin "$BRANCH"
 
       - name: Move scripts and finalization database schema
         id: move-files
@@ -134,58 +150,32 @@ jobs:
           done
 
           echo "moved_files=$moved_files" >> "$GITHUB_OUTPUT"
-
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-gpg-private-key,
-            github-gpg-private-key-passphrase,
-            devops-alerts-slack-webhook-url"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Import GPG keys
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
-        with:
-          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
-          passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-
-      - name: Commit and push changes
+      
+      - name: Check for changes
         id: commit
-        env:
-          BRANCH_NAME: ${{ steps.branch_name.outputs.branch_name }}
         run: |
-          git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
-          git config --local user.name "bitwarden-devops-bot"
           if [ -n "$(git status --porcelain)" ]; then
-            git add .
-            git commit -m "Move EDD database scripts" -a
-            git push -u origin "${BRANCH_NAME}"
             echo "pr_needed=true" >> "$GITHUB_OUTPUT"
           else
-            echo "No changes to commit!";
             echo "pr_needed=false" >> "$GITHUB_OUTPUT"
-            echo "### :mega: No changes to commit! PR was ommited." >> "$GITHUB_STEP_SUMMARY"
+            echo "No changes to commit!"
+            echo "### :mega: No changes to commit! PR was omitted." >> "$GITHUB_STEP_SUMMARY"
           fi
 
+      - name: Commit and push changes
+        if: ${{ steps.commit.outputs.pr_needed == 'true' }}
+        uses: bitwarden/gh-actions/api-commit@main
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          branch: ${{ steps.branch_name.outputs.branch_name }}
+          message: "Move EDD database scripts"
+
       - name: Create PR for ${{ steps.branch_name.outputs.branch_name }}
         if: ${{ steps.commit.outputs.pr_needed == 'true' }}
         id: create-pr
         env:
           BRANCH: ${{ steps.branch_name.outputs.branch_name }}
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           MOVED_FILES: ${{ steps.move-files.outputs.moved_files }}
           TITLE: "Move EDD database scripts"
         run: |
@@ -205,7 +195,7 @@ jobs:
         if: ${{ steps.commit.outputs.pr_needed == 'true' }}
         uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
         env:
-          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
+          SLACK_WEBHOOK_URL: ${{ steps.retrieve-slack.outputs.devops-alerts-slack-webhook-url }}
         with:
           message: "Created PR for moving EDD database scripts: ${{ steps.create-pr.outputs.pr_url }}"
           status: ${{ job.status }}

.github/workflows/build.yml

@@ -480,9 +480,7 @@ jobs:
 
   bitwarden-lite-build:
     name: Trigger Bitwarden lite build
-    if: |
-      github.event_name != 'pull_request'
-      && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
+    if: github.event_name != 'pull_request'
     runs-on: ubuntu-22.04
     needs: build-artifacts
     permissions:

.github/workflows/cleanup-rc-branch.yml

@@ -21,20 +21,28 @@ jobs:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve bot secrets
-        id: retrieve-bot-secrets
+        id: retrieve-secret
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: bitwarden-ci
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: app-token
+        with:
+          app-id: ${{ steps.retrieve-secret.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.retrieve-secret.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: main
-          token: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          token: ${{ steps.app-token.outputs.token }}
           persist-credentials: false
           fetch-depth: 0
 

src/Api/AdminConsole/Authorization/NoopAuthorizeAttribute.cs

@@ -0,0 +1,13 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Api.AdminConsole.Authorization;
+
+/// <summary>
+/// A no-op attribute which documents an intentional choice to not use
+/// <see cref="AuthorizeAttribute{T}"/> - for example, because you are manually handling
+/// authorization in imperative code, or the endpoint does not require authorization.
+/// Unlike <see cref="AllowAnonymousAttribute"/>, this does not bypass the class-level <see cref="AuthorizeAttribute"/>;
+/// it indicates that no <b>additional</b> authorization is needed.
+/// </summary>
+[AttributeUsage(AttributeTargets.Method)]
+public class NoopAuthorizeAttribute : Attribute;

src/Api/AdminConsole/Controllers/BaseAdminConsoleController.cs

@@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Utilities.v2;
 using Bit.Core.AdminConsole.Utilities.v2.Results;
 using Bit.Core.Models.Api;
+using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 
 namespace Bit.Api.AdminConsole.Controllers;
@@ -11,16 +12,29 @@ protected static IResult Handle(CommandResult commandResult) =>
         commandResult.Match<IResult>(
             error => error switch
             {
-                BadRequestError badRequest => TypedResults.BadRequest(new ErrorResponseModel(badRequest.Message)),
-                NotFoundError notFound => TypedResults.NotFound(new ErrorResponseModel(notFound.Message)),
-                InternalError internalError => TypedResults.Json(
-                    new ErrorResponseModel(internalError.Message),
-                    statusCode: StatusCodes.Status500InternalServerError),
-                _ => TypedResults.Json(
-                    new ErrorResponseModel(error.Message),
-                    statusCode: StatusCodes.Status500InternalServerError
-                )
+                BadRequestError badRequest => Error.BadRequest(badRequest.Message),
+                NotFoundError notFound => Error.NotFound(notFound.Message),
+                InternalError internalError => Error.InternalError(internalError.Message),
+                _ => Error.InternalError(error.Message)
             },
             _ => TypedResults.NoContent()
         );
+
+    protected static class Error
+    {
+        public static NotFound<ErrorResponseModel> NotFound(string message = "Resource not found.") =>
+            TypedResults.NotFound(new ErrorResponseModel(message));
+
+        public static UnauthorizedHttpResult Unauthorized() =>
+            TypedResults.Unauthorized();
+
+        public static BadRequest<ErrorResponseModel> BadRequest(string message) =>
+            TypedResults.BadRequest(new ErrorResponseModel(message));
+
+        public static JsonHttpResult<ErrorResponseModel> InternalError(
+            string message = "Something went wrong with your request. Please contact support for assistance.") =>
+            TypedResults.Json(
+                new ErrorResponseModel(message),
+                statusCode: StatusCodes.Status500InternalServerError);
+    }
 }