bitwarden · addisonbeck · Oct 28, 2025 · Nov 5, 2025 · Nov 5, 2025 · addisonbeck
@@ -6,6 +6,20 @@
 
 <!-- Describe what the purpose of this PR is, for example what bug you're fixing or new feature you're adding. -->
 
+## 🚨 Breaking Changes
+
+<!-- Does this PR introduce any breaking changes? If so, please describe the impact and migration path for clients.
+
+If you're unsure, the automated TypeScript compatibility check will run when you open/update this PR and provide feedback.
+
+For breaking changes:
+1. Describe what changed in the client interface
+2. Explain why the change was necessary
+3. Provide migration steps for client developers
+4. Link to any paired client PRs if needed
+
+Otherwise, you can remove this section. -->
+
 ## ⏰ Reminders before review
 
 - Contributor guidelines followed

@@ -35,13 +35,15 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set version (PR)
         if: ${{ github.event_name == 'pull_request' }}
         env:
           PR_HEAD_REF: "${{ github.event.pull_request.head.ref }}"
         run: |
-          echo REF_NAME="$PR_HEAD_REF" >> $GITHUB_ENV
+          echo REF_NAME="${PR_HEAD_REF}" >> $GITHUB_ENV
           echo SHA="${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
 
       - name: Set env variables (Branch/Tag)
@@ -117,24 +119,55 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Retrieve github PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@30bf6253fa41bdc8d1501d202ad15287582246b4 # v2.0.3
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: bitwarden
+          repositories: sdk-internal
+          permission-actions: write
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Trigger WASM publish
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'bitwarden',
               repo: 'sdk-internal',
               workflow_id: 'publish-wasm-internal.yml',
               ref: 'main',
             })
+
+  trigger-breaking-change-check:
+    name: Trigger client breaking change checks
+    if: github.event_name == 'pull_request'
+    needs: build
+    permissions:
+      contents: write
+      actions: write
+      pull-requests: write
+      id-token: write
+    uses: ./.github/workflows/detect-breaking-changes.yml
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.number }}
+      pr_head_sha: ${{ github.event.pull_request.head.sha }}
+      pr_head_ref: ${{ github.event.pull_request.head.ref }}
+      build_run_id: ${{ github.run_id }}
+      client_repo: "bitwarden/clients"
+      client_event_type: "sdk-breaking-change-check"
+      client_label: "typescript"
+      client_workflow: "sdk-breaking-change-check.yml"