bitwarden_workflow_linter 0.8.0__tar.gz → 0.9.0__tar.gz

{bitwarden_workflow_linter-0.8.0 → bitwarden_workflow_linter-0.9.0}/.github/workflows/bwwl_operations.yml

@@ -12,7 +12,7 @@ on:
         required: false
         type: string
   schedule:
-  - cron: '0 0 1 * *'
+  - cron: '0 0 * * 1'
 
 jobs:
   actions-operation:
@@ -63,23 +63,21 @@ jobs:
         run: python -m pip install --upgrade bitwarden_workflow_linter
 
       - name: Create Branch
-        if: ${{ github.events_name == 'schedule' }} || ${{ inputs.operation == 'update' }}
-        id: create-branch
+        if: ${{ github.events_name == 'schedule' || inputs.operation == 'update' }}
         run: |
           NAME="update-actions-$(date +'%Y%m%d-%H%M%S')"
           git switch -c $NAME
-          echo "name=$NAME" >> $GITHUB_OUTPUT
+          echo "BRANCH_NAME=$NAME" >> $GITHUB_ENV
 
       - name: Create Branch
         if: ${{ inputs.operation == 'add' }}
-        id: create-branch
         run: |
-          NAME= "add-action-$_ACTION"
+          NAME="add-action-$_ACTION"
           git switch -c $NAME
-          echo "name=$NAME" >> $GITHUB_OUTPUT
+          echo "BRANCH_NAME=$NAME" >> $GITHUB_ENV
 
       - name: Run bwwl update
-        if: ${{ github.events_name == 'schedule' }} || ${{ inputs.operation == 'update' }}
+        if: ${{ github.events_name == 'schedule' || inputs.operation == 'update' }}
         run: bwwl actions update -o src/bitwarden_workflow_linter/default_actions.json
 
       - name: Run bwwl add
@@ -93,37 +91,33 @@ jobs:
             echo "new_changes=TRUE" >> $GITHUB_OUTPUT
           else
             echo "new_changes=FALSE" >> $GITHUB_OUTPUT
-            echo "No changes to commit!";
+            echo "No changes to commit!"
           fi
 
       - name: Commit changes
         if: ${{ steps.new-changes.outputs.new_changes == 'TRUE' }}
-        env:
-          _PR_BRANCH: ${{ steps.create-branch.outputs.name }}
         run: |
           git commit -m "Update approved actions" -a
-          git push origin "$_PR_BRANCH"
+          git push origin "${{ env.BRANCH_NAME }}"
 
       - name: Generate GH App token
         if: ${{ steps.new-changes.outputs.new_changes == 'TRUE' }}
         uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
         id: app-token
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_KEY }}
-          owner: ${{ github.repository_owner }}
+          app-id: ${{ secrets.BW_GHAPP_ID }}
+          private-key: ${{ secrets.BW_GHAPP_KEY }}
 
       - name: Create PR
         if: ${{ steps.new-changes.outputs.new_changes == 'TRUE' }}
         id: create-pr
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          _PR_BRANCH: ${{ steps.create-branch.outputs.name }}
-          _TITLE: "Update/Add bwwl approved actions"
+          TITLE: "Update/Add bwwl approved actions"
         run: |
-          PR_URL=$(gh pr create --title "$_TITLE" \
+          PR_URL=$(gh pr create --title "$TITLE" \
             --base "main" \
-            --head "$_PR_BRANCH" \
+            --head "${{ env.BRANCH_NAME }}" \
             --label "version:patch" \
             --label "automated pr" \
             --body "

{bitwarden_workflow_linter-0.8.0 → bitwarden_workflow_linter-0.9.0}/.github/workflows/ci.yml

@@ -7,6 +7,8 @@ on:
       - "tests/**"
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   test:
     name: CI workflow-linter (v2)
@@ -31,3 +33,15 @@ jobs:
 
       - name: Check type hinting
         run: pipenv run pytype src
+
+      - name: Test against example workflows
+        # run notes:
+        # - Changing directories will help catch any repo specific paths in the linter
+        #   that would not work in a different repository
+        # - Changing directories utilizes the default_settings.yaml rather than this repos
+        #   settings.yaml, which better simulates running from another repository
+        # - Using strict to ensure that our examples pass all checks including warnings
+        run: |
+          pipenv run pip install -e .
+          cd .github/workflows
+          pipenv run bwwl lint --strict -f ./examples

bitwarden_workflow_linter-0.9.0/.github/workflows/examples/ci.yaml

@@ -0,0 +1,52 @@
+# Workflow templates are based on starter workflows provided by github at
+# https://github.com/actions/starter-workflows/tree/main and customized to
+# represent common practices used on Bitwarden repositories.
+
+name: CI
+
+on:
+  workflow_dispatch:  # Allows you to run this workflow manually from the Actions tab
+  pull_request:  # When a pull request event occurs
+
+permissions:  # Sets permissions of the GITHUB_TOKEN
+  checks: write  # Permits an action to create a check run
+  contents: read  # For actions to fetch code and list commits
+  id-token: write  # Required to fetch an OpenID Connect (OIDC) token
+  pull-requests: write  # Permits an action to add a label to a pull request
+
+jobs:
+  version:
+    name: Calculate version
+    uses: ./.github/workflows/examples/example-references/_version.yml  # Path to an existing github action
+
+  test:
+    name: Run test
+    uses: ./.github/workflows/examples/example-references/_test.yml
+    with:  # Parameters specific to this action that need to be defined in order for the step to be completed
+      project-name: Billing.Test
+      project-path: ./test/Billing.Test
+
+  build:
+    name: Run build
+    needs:  # This job will not run until test and version jobs are complete
+      - test
+      - version
+    uses: ./.github/workflows/examples/example-references/_build.yml
+    with:
+      project-name: Billing
+      project-path: ./src/Billing
+      version: ${{ needs.version.outputs.version }}
+
+  build-push-docker:
+    name: Build Docker image
+    needs:
+      - test
+      - version
+      - build
+    uses: ./.github/workflows/examples/example-references/_docker.yml
+    with:
+      project-name: Billing
+      project-path: ./src/Billing
+      version: ${{ needs.version.outputs.version }}
+      image-name: billing-relay
+      push-docker-image: false

bitwarden_workflow_linter-0.9.0/.github/workflows/examples/example-references/_build.yml

@@ -0,0 +1,64 @@
+name: _build
+run-name: Build ${{ inputs.project-name }}
+
+on:
+  workflow_call:
+    inputs:
+      project-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+      version:
+        type: string
+        required: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up .NET
+        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+
+      - name: Cache NuGet packages
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Install dependencies
+        run: dotnet restore ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Build
+        run: dotnet build --verbosity minimal ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Publish
+        run: |
+          echo "Publish"
+          dotnet publish ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj \
+            -c Release --no-restore \
+            -o ./tmp/publish-${{ inputs.project-name }} -p:Version=${{ inputs.version }}
+
+      - name: Create artifact
+        run: |
+          cd ./tmp/publish-${{ inputs.project-name }}
+          zip -r ${{ inputs.project-name }}.zip .
+          mv ${{ inputs.project-name }}.zip ../../
+          pwd
+          ls -atlh ../../
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: ${{ inputs.project-name }}.zip
+          path: ./${{ inputs.project-name }}.zip
+          if-no-files-found: error

bitwarden_workflow_linter-0.9.0/.github/workflows/examples/example-references/_docker.yml

@@ -0,0 +1,83 @@
+name: _docker
+run-name: "Build ${{ inputs.project-name }} docker image and push ${{ inputs.push-docker-image }} to ACR"
+
+on:
+  workflow_call:
+    inputs:
+      project-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+      version:
+        type: string
+        required: false
+      push-docker-image:
+        type: boolean
+        required: false
+        default: false
+      image-name:
+        type: string
+        required: true
+
+jobs:
+  docker:
+    name: Docker
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Log in to Azure
+        if: ${{ inputs.push-docker-image }}
+        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.6.1
+        with:
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Log in to ACR
+        if: ${{ inputs.push-docker-image }}
+        run: az acr login -n bitwardenprod
+
+      - name: Generate Docker image tag
+        id: tag
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          IMAGE_TAG=$VERSION
+          # IMAGE_TAG=$(echo "${GITHUB_REF#refs/heads/}" | sed "s#/#-#g")  # slash safe branch name
+          # if [[ "$IMAGE_TAG" == "main" ]]; then
+          #   IMAGE_TAG=$VERSION
+          # fi
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Generate tag list
+        id: tag-list
+        env:
+          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
+          IMAGE_NAME: ${{ inputs.image-name }}
+        run: echo "tags=bitwardenprod.azurecr.io/${IMAGE_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+
+      - name: Get build artifact
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ inputs.project-name }}.zip
+
+      - name: Set up build artifact
+        run: |
+          mkdir -p ${{ inputs.project-path }}/obj/build-output/publish
+          unzip ${{ inputs.project-name }}.zip \
+            -d ${{ inputs.project-path }}/obj/build-output/publish
+
+      - name: Build Docker image
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        with:
+          context: ${{ inputs.project-path }}
+          file: ${{ inputs.project-path }}/Dockerfile
+          platforms: linux/amd64
+          push: ${{ inputs.push-docker-image }}
+          tags: ${{ steps.tag-list.outputs.tags }}
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false

bitwarden_workflow_linter-0.9.0/.github/workflows/examples/example-references/_test.yml

@@ -0,0 +1,75 @@
+name: _test
+run-name: Test ${{ inputs.project-name }}
+
+on:
+  workflow_call:
+    inputs:
+      project-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+
+jobs:
+  check-test-secrets:
+    name: Check for test secrets
+    runs-on: ubuntu-22.04
+    outputs:
+      available: ${{ steps.check-test-secrets.outputs.available }}
+    permissions:
+      contents: read
+
+    steps:
+      - name: Check
+        id: check-test-secrets
+        run: |
+          if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then
+            echo "available=true" >> $GITHUB_OUTPUT;
+          else
+            echo "available=false" >> $GITHUB_OUTPUT;
+          fi
+
+  testing:
+    name: Test
+    runs-on: ubuntu-22.04
+    needs: check-test-secrets
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up .NET
+        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+
+      - name: Cache NuGet packages
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Install dependencies
+        run: dotnet restore --locked-mode ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Build
+        run: dotnet build --verbosity minimal ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Test
+        run: dotnet test ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj --no-build --logger "trx;LogFileName=mothership-test-results.trx"
+
+      - name: Report test results
+        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }}
+        with:
+          name: Test Results
+          path: "**/*-test-results.trx"
+          reporter: dotnet-trx
+          fail-on-error: true

bitwarden_workflow_linter-0.9.0/.github/workflows/examples/example-references/_version.yml

@@ -0,0 +1,68 @@
+name: _version
+run-name: Calculate version
+
+on:
+  workflow_call:
+    inputs:
+      is-release:
+        type: boolean
+        default: false
+    outputs:
+      version:
+        description: "version to be built"
+        value: ${{ jobs.version.outputs.version }}
+
+jobs:
+  version:
+    name: Calculate version
+    runs-on: ubuntu-22.04
+    outputs:
+      version: ${{ steps.version.outputs.value }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Generate version
+        id: version
+        run: |
+          ls -la
+          git fetch --prune --tags
+
+          echo "Calculating next version..."
+
+          base_version=$(cat Directory.build.props |
+            grep -o "<BaseVersion>.*</BaseVersion>" |
+            grep -Eo "[0-9]+\.[0-9]+"
+          )
+          major_version=$(echo $base_version | grep -Eo "[0-9]+" | head -1)
+          minor_version=$(echo $base_version | grep -Eo "[0-9]+" | sed -n 2p)
+
+          latest_tag_version=$(git tag --sort=committerdate --list | tail -1)
+          echo "  latest_tag_version: $latest_tag_version"
+
+          major_latest_tag_version=$(echo $latest_tag_version | grep -Eo "[0-9]+" | head -1)
+          echo "  major_latest_tag_version: $major_latest_tag_version"
+
+          minor_latest_tag_version=$(echo $latest_tag_version | grep -Eo "[0-9]+" | sed -n 2p)
+          echo "  minor_latest_tag_version: $minor_latest_tag_version"
+
+          if [[ "$major_latest_tag_version" != "$major_version" ]] || \
+          [[ "$minor_latest_tag_version" != "$minor_version" ]]; then
+            patch_version="0"
+          else
+            patch_version=$((${latest_tag_version##*.} + 1))
+          fi
+
+          echo "  patch_version: $patch_version"
+
+          version_suffix=$patch_version
+
+          if [[ "${{ inputs.is-release }}" == "false" ]]; then
+            version_suffix=$version_suffix-${GITHUB_SHA:0:7}
+          fi
+
+          echo "  version: $base_version.$version_suffix"
+          echo "value=$base_version.$version_suffix" >> $GITHUB_OUTPUT
+          echo "Done"

bitwarden_workflow_linter-0.9.0/.github/workflows/examples/example.yaml

@@ -0,0 +1,100 @@
+# Workflow templates are based on starter workflows provided by github at
+# https://github.com/actions/starter-workflows/tree/main and customized to
+# represent common practices used on ACME repositories.
+
+# This imaginary workflow runs two steps and illustrates a number of options that we use throughout workflows in the Bitwarden repositories
+
+name: Build
+
+on:  # Describes when to run the workflow
+  # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
+
+  workflow_dispatch:  # When triggered manually
+
+  push:  # On push to the following branches. Temporarily add a development branch to prompt workflow runs for troubleshooting
+    branches: ["main", "rc", "hotfix-rc"]
+    paths-ignore:  # Updates to these directories or files will not trigger a workflow run
+      - ".github/workflows/**"
+
+  # Pull_request_target:  #We strongly discourage using this unless absolutely necessary as it requires access to certain Github secrets.
+  # If using this, include the .github/workflows/check-run.yml job and target only the main branch
+  # More info at https://github.blog/news-insights/product-news/github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks
+
+  pull_request:  # When a pull request event occurs
+    types: [opened, synchronize, unlabeled, labeled, unlabeled, reopened, edited]
+    branches: ["main"]  # Branches where a pull request will trigger the workflow
+
+
+  release:  # Runs your workflow when release activity in your repository occurs
+    types: [published, created]
+
+  merge_group:  # Runs required status checks on merge groups created by merge queue
+    types: [checks_requested]
+
+  repository_dispatch:  # Runs when a webook event triggers a workflow from outside of github
+    types: [contentful-publish]  # Optional, limit repository dispatch events to those in a specified list
+
+  workflow_call:  # Workflow can be called by another workflow
+
+env:  # Environment variables set for this step but not accessible by all workflows, steps or jobs.
+  _AZ_REGISTRY: "ACMEprod.azurecr.io"
+  INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
+
+jobs:  # A workflow run is made up of one or more jobs that can run sequentially or in parallel
+  first-job:
+    name: First Job Name
+    uses: ./.github/workflows/examples/example-references/_version.yml  # Path to an existing github action
+    if: github.event.pull_request.draft == false  # prevent part of a job from running on a draft PR
+    secrets: inherit  # When called by another workflow, pass all the calling workflow's secrets to the called workflow
+    # "secrets" is only available for a reusable workflow call with "uses"
+    strategy:  # Create multiple job runs for each of a set of variables
+      fail-fast: false  # If true, cancel entire run if any job in the matrix fails
+      matrix:  # Matrix of variables used to define multiple job runs
+        include:
+          - project_name: Admin
+            base_path: ./src
+            node: true  # Enables steps with if: ${{ matrix.node }}
+
+    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+    permissions:  # Sets permissions of the GITHUB_TOKEN
+      security-events: write  # Allow actions to upload results to Github
+      id-token: write  # Required to fetch an OpenID Connect (OIDC) token
+      contents: read  # For actions/checkout to fetch code
+      deployments: write  # Permits an action to create a new deployment
+      issues: write  # Permits an action to create a new issue
+      checks: write  # Permits an action to create a check run
+      actions: write  # Permits an action to cancel a workflow run
+      packages: read  # Permits an action to access packages on GitHub Packages
+      pull-requests: write  # Permits an action to add a label to a pull request
+
+  # steps: when a reusable workflow is called with "uses", "steps" is not available
+  second-job:
+    name: Second Job Name
+    runs-on: ubuntu-22.04  # The type of runner that the job will run on, not available if "uses" is used
+    defaults:
+      run:  # Set the default shell and working directory
+        shell: bash
+        working-directory: "home/WorkingDirectory"
+
+    needs:
+      - first-job  # This job will wait until first-job completes
+    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/setting-a-default-shell-and-working-directory
+    steps:
+      - name: Descriptive step name
+        # NOT RECOMMENDED if: always()  # run even if previous steps failed or the workflow is canceled, this can cause a workflow run to hang indefinitely
+        if: failure()  # run when any previous step of a job fails
+        # if: '!cancelled()'  # run even if previous steps failed
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2 Always pin a public action version to a full git SHA, followed by the version number in a comment.  Version pins are insecure and can introduce vulnerabilities into workflows.
+        with:  # Parameters specific to this action that need to be defined in order for the step to be completed
+          fetch-depth: 0  # Full git history for actions that rely on whether a change has occurred
+          ref: ${{ github.event.pull_request.head.sha }}
+          creds: ${{ secrets.SECRETS_OR_CREDENTIALS }}
+      - name: Another descriptive step name
+        # Run a script instead of an existing github action
+        run: |
+          whoami
+          dotnet --info
+          node --version
+          npm --version
+          echo "GitHub ref: $GITHUB_REF"
+          echo "GitHub event: $GITHUB_EVENT"

bitwarden_workflow_linter-0.9.0/.github/workflows/examples/scan.yaml

@@ -0,0 +1,126 @@
+# Workflow templates are based on starter workflows provided by github at
+# https://github.com/actions/starter-workflows/tree/main and customized to
+# represent common practices used on Bitwarden repositories.
+
+# The Scan Workflow enables you to trigger SAST and quality scans directly
+# From the GitHub workflow.
+
+name: Scan
+
+on:
+  # Controls when the workflow will run
+
+  # Can use other triggers such as multiple events, activity types and fiters:
+  # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#on
+  workflow_dispatch:  # When triggered manually
+
+  push:
+    # On push to the following branches.  Temporarily add a development
+    # branch to prompt workflow runs for troubleshooting
+    branches:
+      - "main"
+      - "rc"
+      - "hotfix-rc"
+  pull_request_target:
+    # When a pull request event occurs. Default is opened or reopened unless
+    # otherwise specified, as below:
+    types: [opened, synchronize]  # Options include labeled, unlabeled, reopened
+    branches: 'main'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in
+# parallel
+jobs:
+  # This workflow contains the jobs "check-run", "sast", and "quality"
+  # This job is relatively simple and just imports a previously written action
+  # to be used in this workflow
+  check-run:  # You set this value with the name of the job you're describing
+    name: Check PR run  # Human readable descriptor
+    # location and branch of bitwarden-owned action being used
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  sast:
+    # A more complex job that has multiple actions as steps described below
+    name: SAST scan
+    runs-on: ubuntu-22.04  # The type of runner that the job will run on
+    needs: check-run  # This job will wait until check-run completes
+    permissions:  # Sets permissions of the GITHUB_TOKEN
+      contents: read  # For actions/checkout to fetch code
+      pull-requests: write  # For github actions to upload feedback to PR
+      # For github/codeql-action/upload-sarif to upload SARIF results
+      security-events: write
+
+    # Steps represent a sequence of tasks executed as part of the job
+    steps:
+      - name: Check out repo
+        # Always pin a public action version to a full git SHA.
+        # Version pins are insecure and can introduce vulnerabilities
+        # into workflows.
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          # Parameters specific to this action that need to be defined
+          # in order for the step to be completed
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Scan with Checkmarx
+        if: github.event.pull_request.draft == false  # Prevent step from running on draft PR
+        uses: checkmarx/ast-github-action@f0869bd1a37fddc06499a096101e6c900e815d81  # 2.0.36
+        # Environment variables set for this step but not accessible by all
+        # workflows, steps or jobs
+        env:
+          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') \
+          && '--sast-incremental' || '' }}"
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: |
+            --report-format sarif \
+            --filter \
+            "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT"\
+            --output-path . ${{ env.INCREMENTAL }}
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd  # v3.27.0
+        with:
+          sarif_file: cx_result.sarif
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      # Set up whatever resources your environment will need
+      # to run workflows on your code
+      - name: Set up JDK 17
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b  # v4.5.0
+        with:
+          java-version: 17
+          distribution: "zulu"
+      # This step checks out a copy of your repository
+      - name: Set up .NET
+        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25  # v4.1.0
+      # Install a tool without a Github Action
+      - name: Install SonarCloud scanner
+        run: dotnet tool install dotnet-sonarscanner -g
+
+      - name: Scan with SonarCloud
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        # Additional scripts to run outside of a Github Action
+        run: |
+          dotnet-sonarscanner begin /k:" \
+          ${{ github.repository_owner }}_${{ github.event.repository.name }}" \
+          /d:sonar.test.inclusions=test/,bitwarden_license/test/ \
+          /d:sonar.exclusions=test/,bitwarden_license/test/ \
+          /o:"${{ github.repository_owner }}" \
+          /d:sonar.token="${{ secrets.SONAR_TOKEN }}" \
+          /d:sonar.host.url="https://sonarcloud.io"
+          dotnet build
+          dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"