Sync with upstream project

.github/CODEOWNERS

@@ -3,7 +3,3 @@
 # Sort lines alphabetically within these groups to avoid accidentally adding duplicates.
 #
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
-
-
-## Secrets Manager team files ##
-charts/sm-operator @bitwarden/team-secrets-manager-dev

.github/workflows/build.yml → .github/workflows/_build.yml

@@ -1,28 +1,20 @@
----
-name: Build
+name: _build
 
 on:
-  push:
-    branches-ignore:
-      - "gh-pages"
-    paths-ignore:
-      - ".github/workflows/**"
-  workflow_dispatch:
+  workflow_call:
+    inputs:
+      chart_name:
+        type: string
+        required: true
 
 jobs:
   build:
     name: Build Helm charts
     runs-on: ubuntu-22.04
     environment: Production
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - chart_name: self-host
-          - chart_name: sm-operator
     steps:
       - name: Checkout repo
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Helm
         uses: Azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
@@ -62,17 +54,17 @@ jobs:
             --key "DevOps Team" \
             --keyring private.gpg \
             --passphrase-file .passphrase \
-            charts/${{ matrix.chart_name }}
+            charts/${{ inputs.chart_name }}
           PKG_NAME=$(ls *.tgz)
           echo "name=$PKG_NAME" >> "$GITHUB_OUTPUT"
 
       - name: Verify Helm chart
         run: helm verify ${{ steps.helm_package.outputs.name }} --keyring public.gpg
 
       - name: Upload Helm chart artifact
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
-          name: ${{ matrix.chart_name }}
+          name: ${{ inputs.chart_name }}
           path: |
             ${{ steps.helm_package.outputs.name }}
             ${{ steps.helm_package.outputs.name }}.prov

.github/workflows/build-self-host.yml

@@ -0,0 +1,17 @@
+name: Build Self Host
+
+on:
+  push:
+    branches-ignore:
+      - "gh-pages"
+    paths-ignore:
+      - ".github/workflows/**"
+  workflow_dispatch:
+
+jobs:
+  build-self-host:
+    name: Build Self Host
+    uses: ./.github/workflows/_build.yml
+    with:
+      chart_name: self-host
+    secrets: inherit

.github/workflows/build-sm-operator.yml

@@ -0,0 +1,17 @@
+name: Build SM Operator
+
+on:
+  push:
+    branches-ignore:
+      - "gh-pages"
+    paths-ignore:
+      - ".github/workflows/**"
+  workflow_dispatch:
+
+jobs:
+  build-sm-operator:
+    name: Build SM Operator
+    uses: ./.github/workflows/_build.yml
+    with:
+      chart_name: sm-operator
+    secrets: inherit

.github/workflows/linter.yml

@@ -1,4 +1,3 @@
----
 name: Lint
 
 on:
@@ -18,7 +17,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -28,7 +27,7 @@ jobs:
           version: 'v3.13.1'
 
       - name: Set up Python
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.12'
           check-latest: true

.github/workflows/release.yml

@@ -1,4 +1,3 @@
----
 name: Release
 run-name: Release - ${{ inputs.release_mode }}
 
@@ -24,7 +23,7 @@ jobs:
       packages: write
     steps:
       - name: Checkout repo
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: main
@@ -42,7 +41,7 @@ jobs:
           secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"
 
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
         with:
           gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
           passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
@@ -59,12 +58,20 @@ jobs:
         with:
           version: v3.13.1
 
-      - name: Download Helm chart artifact
+      - name: Download Helm chart artifact - Self Host
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
           branch: main
           path: .cr-release-packages
-          workflow: build.yml
+          workflow: build-self-host.yml
+          workflow_conclusion: success
+
+      - name: Download Helm chart artifact - SM Operator
+        uses: bitwarden/gh-actions/download-artifacts@main
+        with:
+          branch: main
+          path: .cr-release-packages
+          workflow: build-sm-operator.yml
           workflow_conclusion: success
 
       - name: Release Helm chart

.github/workflows/scan.yml

@@ -0,0 +1,74 @@
+name: Scan
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+  pull_request_target:
+    types: [opened, synchronize]
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  sast:
+    name: SAST scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+      security-events: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Scan with Checkmarx
+        uses: checkmarx/ast-github-action@de327a92d7f419bfdc7c3e5535ad7b3bbce91677 # 2.0.38
+        env:
+          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: |
+            --report-format sarif \
+            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
+            --output-path . ${{ env.INCREMENTAL }}
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        with:
+          sarif_file: cx_result.sarif
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Scan with SonarCloud
+        uses: sonarsource/sonarcloud-github-action@02ef91109b2d589e757aefcfb2854c2783fd7b19 # v4.0.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=${{ github.repository_owner }}
+            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}

.github/workflows/tests.yml

@@ -1,4 +1,3 @@
----
 name: Tests
 
 on:
@@ -19,7 +18,7 @@ jobs:
     environment: Production
     steps:
       - name: Checkout repo
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -44,7 +43,7 @@ jobs:
         run: sudo apt install lynx
 
       - name: Set up Python
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.12'
           check-latest: true

.github/workflows/update-versions-self-host.yml

@@ -1,4 +1,3 @@
----
 name: Update Versions - Self Host
 
 on:
@@ -18,7 +17,7 @@ jobs:
       web_version_update: ${{ steps.web-update.outputs.update }}
     steps:
       - name: Checkout Branch
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: main
 
@@ -136,12 +135,12 @@ jobs:
             github-pat-bitwarden-devops-bot-repo-scope"
 
       - name: Checkout Branch
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: main
 
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
         with:
           gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
           passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}

.github/workflows/update-versions-sm-operator.yml

@@ -1,4 +1,3 @@
----
 name: Update Versions - SM Operator
 
 on:
@@ -16,7 +15,7 @@ jobs:
       operator_version_update: ${{ steps.operator-update.outputs.update }}
     steps:
       - name: Checkout Branch
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ env._BRANCH }}
 
@@ -59,7 +58,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout Branch
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ env._BRANCH }}
 
@@ -71,7 +70,7 @@ jobs:
           git push -u origin $PR_BRANCH
 
       - name: Checkout Update Versions Branch
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ env.PR_BRANCH }}
 

.github/workflows/version-bump-self-host.yml

@@ -1,4 +1,3 @@
----
 name: Version Bump - Self Host
 
 on:
@@ -25,7 +24,7 @@ jobs:
           version: ${{ inputs.version_number_override }}
 
       - name: Checkout Branch
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: main
 
@@ -44,7 +43,7 @@ jobs:
             github-pat-bitwarden-devops-bot-repo-scope"
 
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
         with:
           gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
           passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}

.github/workflows/version-bump-sm-operator.yml

@@ -1,4 +1,3 @@
----
 name: Version Bump - SM Operator
 
 on:
@@ -18,7 +17,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout Branch
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Login to Azure - CI Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -33,7 +32,7 @@ jobs:
           secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"
 
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
         with:
           gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
           passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}

charts/self-host/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: 2024.9.2
+appVersion: 2025.1.3
 description: A Helm chart for deploying a Bitwarden instance on Kubernetes
 home: https://github.com/bitwarden/helm-charts/tree/main/charts/self-host
 icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/icon-square.svg
 maintainers:
 - name: dept-devops
 name: self-host
 type: application
-version: 2024.10.0
+version: 2025.1.1

charts/self-host/templates/helpers.tpl

@@ -1,8 +1,8 @@
 {{- define "bitwarden.coreVersionDefault" -}}
-{{- "2024.9.2" -}}
+{{- "2025.1.3" -}}
 {{- end -}}
 {{- define "bitwarden.webVersionDefault" -}}
-{{- "2024.10.1" -}}
+{{- "2025.1.1" -}}
 {{- end -}}
 
 {{/*