Mirror the existing codecov.io upload to GitHub's new code coverage
feature (public preview, announced 2026-05-26) so coverage shows up
directly on pull requests. Merges per-project Cobertura files with
dotnet-coverage before upload.
* Remove BW-GHAPP tokens from repository-management workflow
- Remove all Azure Key Vault and BW-GHAPP token generation
- Use github.token instead of app token
- Use github-actions[bot] email instead of actions@github.com
- Create PR with version bump instead of pushing directly to main
- Update permissions (remove id-token, add pull-requests for bump_version)
- No GPG signing to remove (wasn't present)
* Fix template injection security issue
* Remove BW-GHAPP tokens from repository-management workflow
- Remove all Azure Key Vault and BW-GHAPP token generation
- Use github.token instead of app token
- Use github-actions[bot] email instead of actions@github.com
- Create PR with version bump instead of pushing directly to main
- Update permissions (remove id-token, add pull-requests for bump_version)
- Add 'version update' label to automated PRs
- Fix template injection security issue
The move_edd_db_scripts job in repository-management.yml had
permissions: {} while calling _move_edd_db_scripts.yml, which
declares pull-requests: write and contents: write at its top
level. GitHub Actions blocks permission escalation in reusable
workflow callers at startup, producing a startup_failure.
Additionally, _move_edd_db_scripts.yml was missing id-token: write
and actions: read from its own top-level permissions block, which
its jobs require.
Fixed by granting the caller job explicit permissions matching what
the reusable workflow needs, and adding the missing permissions to
the reusable workflow's top-level block.
* temporary change to test bre-1670
* removing temporary change
* replace pat token with built in github token
* sign commits with bot token
* replace pat token with app token
* fix api signing of git commits
* create new dockerfile for SeederApi
* troubleshoot cargo issues
* troubleshoot cargo issues
* Ensure Rustup run on build env for appropriate target
* Musl targets do not support cdylibs
* Ensure default triple set to target
* Set target triple rather than update default host
* Change build platforms per project
* Switch to debian since we can't use musl
* Debian build for seeder should work with arm targets
* Move app stage to distroless
* remove SeederApi from server publish section
* suppress unrelated warnings
* ruling out builds as error source
* override platforms for SeederApi
* troubleshoot matrix
* add extra step for evaluating platforms
* fix syntax error
* exclude unrelated error
* exclude unrelated error
* exclude unrelated error
* exclude unrelated error
* exclude unrelated error
* temporarily reduce number of builds
* exclude unrelated error
* remove temporary block on other builds
* remove unused builds from dockerfile
* add nginx location for seeder, wrap it behind an if check defaulting to false. This was discussed with Matt G, as this will enable QA usage of it without repetitive intervention with config files and reloading the nginx service etc. Handlebars will continuously overwrite the nginx conf file on update
* opted to remove conditional location to seederApi, instead include additional conf files in the same directory allowing for extensibility and not directly placing the non-prod seeder location in the config builder
---------
Co-authored-by: Matt Gibson <mgibson@bitwarden.com>
Co-authored-by: AJ Mabry <81774843+aj-bw@users.noreply.github.com>