Merge branch 'main' into SM-1571-DisableSMAdsForUsers

Author: cd-bitwarden

.github/CODEOWNERS

@@ -36,6 +36,7 @@ util/Setup/** @bitwarden/dept-bre @bitwarden/team-platform-dev
 
 # UIF
 src/Core/MailTemplates/Mjml @bitwarden/team-ui-foundation # Teams are expected to own sub-directories of this project
+src/Core/MailTemplates/Mjml/.mjmlconfig # This change allows teams to add components within their own subdirectories without requiring a code review from UIF.
 
 # Auth team
 **/Auth @bitwarden/team-auth-dev

.github/ISSUE_TEMPLATE/bw-unified.yml renamed to .github/ISSUE_TEMPLATE/bw-lite.yml

@@ -1,6 +1,6 @@
-name: Bitwarden Unified Deployment Bug Report
+name: Bitwarden lite Deployment Bug Report
 description: File a bug report
-labels: [bug, bw-unified-deploy]
+labels: [bug, bw-lite-deploy]
 body:
   - type: markdown
     attributes:
@@ -74,7 +74,7 @@ body:
     id: epic-label
     attributes:
       label: Issue-Link
-      description: Link to our pinned issue, tracking all Bitwarden Unified
+      description: Link to our pinned issue, tracking all Bitwarden lite
       value: |
         https://github.com/bitwarden/server/issues/2480
     validations:

.github/renovate.json5

@@ -42,7 +42,7 @@
       dependencyDashboardApproval: false,
     },
     {
-      matchSourceUrls: ["https://github.com/bitwarden/sdk-internal"],
+      matchPackageNames: ["https://github.com/bitwarden/sdk-internal.git"],
       groupName: "sdk-internal",
     },
     {
@@ -63,7 +63,6 @@
     },
     {
       matchPackageNames: [
-        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
         "DuoUniversal",
         "Fido2.AspNet",
         "Duende.IdentityServer",
@@ -90,11 +89,7 @@
         "Microsoft.AspNetCore.Mvc.Testing",
         "Newtonsoft.Json",
         "NSubstitute",
-        "Sentry.Serilog",
-        "Serilog.AspNetCore",
-        "Serilog.Extensions.Logging",
         "Serilog.Extensions.Logging.File",
-        "Serilog.Sinks.SyslogMessages",
         "Stripe.net",
         "Swashbuckle.AspNetCore",
         "Swashbuckle.AspNetCore.SwaggerGen",
@@ -141,6 +136,7 @@
         "AspNetCoreRateLimit",
         "AspNetCoreRateLimit.Redis",
         "Azure.Data.Tables",
+        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
         "Azure.Messaging.EventGrid",
         "Azure.Messaging.ServiceBus",
         "Azure.Storage.Blobs",

.github/workflows/build.yml

@@ -22,7 +22,7 @@ env:
 jobs:
   lint:
     name: Lint
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -38,14 +38,15 @@ jobs:
 
   build-artifacts:
     name: Build Docker images
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     needs:
       - lint
     outputs:
       has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
     permissions:
       security-events: write
       id-token: write
+    timeout-minutes: 45
     strategy:
       fail-fast: false
       matrix:
@@ -122,7 +123,7 @@ jobs:
         uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
 
       - name: Set up Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
@@ -159,7 +160,7 @@ jobs:
           ls -atlh ../../../
 
       - name: Upload project artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         if: ${{ matrix.dotnet }}
         with:
           name: ${{ matrix.project_name }}.zip
@@ -184,13 +185,6 @@ jobs:
       - name: Log in to ACR - production subscription
         run: az acr login -n bitwardenprod
 
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
       ########## Generate image tag and build Docker image ##########
       - name: Generate Docker image tag
         id: tag
@@ -249,8 +243,6 @@ jobs:
             linux/arm64
           push: true
           tags: ${{ steps.image-tags.outputs.tags }}
-          secrets: |
-            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 
       - name: Install Cosign
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
@@ -279,7 +271,7 @@ jobs:
           output-format: sarif
 
       - name: Upload Grype results to GitHub
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
           sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
@@ -290,7 +282,7 @@ jobs:
 
   upload:
     name: Upload
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     needs: build-artifacts
     permissions:
       id-token: write
@@ -364,7 +356,7 @@ jobs:
         if: |
           github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: docker-stub-US.zip
           path: docker-stub-US.zip
@@ -374,7 +366,7 @@ jobs:
         if: |
           github.event_name != 'pull_request'
           && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: docker-stub-EU.zip
           path: docker-stub-EU.zip
@@ -386,29 +378,29 @@ jobs:
           pwsh ./generate_openapi_files.ps1
 
       - name: Upload Public API Swagger artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: swagger.json
           path: api.public.json
           if-no-files-found: error
 
       - name: Upload Internal API Swagger artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: internal.json
           path: api.json
           if-no-files-found: error
 
       - name: Upload Identity Swagger artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: identity.json
           path: identity.json
           if-no-files-found: error
 
   build-mssqlmigratorutility:
     name: Build MSSQL migrator utility
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     needs:
       - lint
     defaults:
@@ -446,15 +438,15 @@ jobs:
 
       - name: Upload project artifact for Windows
         if: ${{ contains(matrix.target, 'win') == true }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: MsSqlMigratorUtility-${{ matrix.target }}
           path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe
           if-no-files-found: error
 
       - name: Upload project artifact
         if: ${{ contains(matrix.target, 'win') == false }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: MsSqlMigratorUtility-${{ matrix.target }}
           path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
@@ -465,7 +457,7 @@ jobs:
     if: |
       github.event_name != 'pull_request'
       && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     needs:
       - build-artifacts
     permissions:
@@ -478,25 +470,34 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
-      - name: Trigger self-host build
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: self-host
+
+      - name: Trigger Bitwarden lite build
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'bitwarden',
               repo: 'self-host',
-              workflow_id: 'build-unified.yml',
+              workflow_id: 'build-bitwarden-lite.yml',
               ref: 'main',
               inputs: {
                 server_branch: process.env.GITHUB_REF
@@ -519,20 +520,29 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: devops
+
       - name: Trigger k8s deploy
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'bitwarden',

.github/workflows/review-code.yml

@@ -15,6 +15,7 @@ jobs:
       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
     permissions:
+      actions: read
       contents: read
       id-token: write
       pull-requests: write

.github/workflows/test-database.yml

@@ -62,7 +62,7 @@ jobs:
           docker compose --profile mssql --profile postgres --profile mysql up -d
         shell: pwsh
 
-      - name: Add MariaDB for unified
+      - name: Add MariaDB for Bitwarden lite
         # Use a different port than MySQL
         run: |
           docker run --detach --name mariadb --env MARIADB_ROOT_PASSWORD=mariadb-password -p 4306:3306 mariadb:10
@@ -133,7 +133,7 @@ jobs:
           # Default Sqlite
           BW_TEST_DATABASES__3__TYPE: "Sqlite"
           BW_TEST_DATABASES__3__CONNECTIONSTRING: "Data Source=${{ runner.temp }}/test.db"
-          # Unified MariaDB
+          # Bitwarden lite MariaDB
           BW_TEST_DATABASES__4__TYPE: "MySql"
           BW_TEST_DATABASES__4__CONNECTIONSTRING: "server=localhost;port=4306;uid=root;pwd=mariadb-password;database=vault_dev;Allow User Variables=true"
         run: dotnet test --logger "trx;LogFileName=infrastructure-test-results.trx" /p:CoverletOutputFormatter="cobertura" --collect:"XPlat Code Coverage"
@@ -197,7 +197,7 @@ jobs:
         shell: pwsh
 
       - name: Upload DACPAC
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: sql.dacpac
           path: Sql.dacpac
@@ -223,7 +223,7 @@ jobs:
         shell: pwsh
 
       - name: Report validation results
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: report.xml
           path: |
@@ -262,3 +262,26 @@ jobs:
         working-directory: "dev"
         run: docker compose down
         shell: pwsh
+
+  validate-migration-naming:
+    name: Validate new migration naming and order
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Validate new migrations for pull request
+        if: github.event_name == 'pull_request'
+        run: |
+          git fetch origin main:main
+          pwsh dev/verify_migrations.ps1 -BaseRef main
+        shell: pwsh
+
+      - name: Validate new migrations for push
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: pwsh dev/verify_migrations.ps1 -BaseRef HEAD~1
+        shell: pwsh

Directory.Build.props

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
 
-    <Version>2025.11.0</Version>
+    <Version>2025.12.0</Version>
 
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>

bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs

@@ -35,8 +35,9 @@ public class ProviderService : IProviderService
 {
     private static readonly PlanType[] _resellerDisallowedOrganizationTypes = [
         PlanType.Free,
-        PlanType.FamiliesAnnually,
-        PlanType.FamiliesAnnually2019
+        PlanType.FamiliesAnnually2025,
+        PlanType.FamiliesAnnually2019,
+        PlanType.FamiliesAnnually
     ];
 
     private readonly IDataProtector _dataProtector;