
[PM-15126] Third attempt: Remove reliance on secrets in build pipelines #13222

Merged
merged 23 commits into from
Feb 11, 2025

Conversation

coroiu (Contributor) commented Feb 3, 2025

This is a re-introduction of the original PR. The following is the original description:

📔 Objective

This PR changes how our CI workflows run so that they are able to run even without secrets. It also adds another set of workflows that can be manually triggered by Bitwarden employees to build contributor PRs with full access to secrets if needed.

  • build-<app>.yml workflows now run on pull_request instead of pull_request_target, which means that:
    • When the PR originates from within Bitwarden it should have full access to all secrets
    • When the PR originates from outside Bitwarden it won't have any access to secrets
    • Because "external PRs" no longer have access to secrets we can safely trigger these automatically
  • build-<app>-target.yml have been added to let Bitwarden employees manually trigger build-<app>.yml using pull_request_target which gives it access to all the secrets
    • These workflows are protected from running when triggered by a contributor
    • These workflows are skipped when the PR originates from within Bitwarden
    • These are very simple workflows which just trigger the regular build-<app>.yml but with full inherited secrets
  • A nice consequence of this is that the workflows now also function in forks, even without access to secrets
  • All executions of these workflows generate and upload artifacts (in forks too)
    • Artifacts which require secrets for things like signing will not be generated when no secrets are available

Here is an example of these workflows running in a fork: coroiu#1

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

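As an added example (not Bitwarden's actual workflow files), here is one way to express the split described above: a pull_request_target wrapper that only fires for fork PRs when a maintainer applies a label, and calls the regular build workflow with inherited secrets, while the regular workflow still runs on plain pull_request and skips signing when the secret is empty. File names, the label name, `SIGNING_KEY`, the `ref` input and the build/sign commands are assumptions.

```yaml
# Assumed file: .github/workflows/build-browser-target.yml
name: Build Browser (target)

on:
  pull_request_target:
    types: [labeled]   # never on push; a new push needs the label re-applied

jobs:
  build:
    # Skip same-repo PRs (they already get secrets via pull_request) and run
    # only when someone with triage rights applies the assumed label. The
    # head SHA passed down is the one present at labelling time, so the
    # maintainer reviews exactly the code that will run with secrets.
    if: >-
      github.event.pull_request.head.repo.full_name != github.repository &&
      github.event.label.name == 'build-with-secrets'
    uses: ./.github/workflows/build-browser.yml
    with:
      ref: ${{ github.event.pull_request.head.sha }}
    secrets: inherit

---
# Assumed file: .github/workflows/build-browser.yml
name: Build Browser

on:
  pull_request:      # fork PRs: no secrets, but the build and artifact still run
  workflow_call:
    inputs:
      ref:
        type: string
        required: false   # empty on pull_request runs; checkout then uses the PR ref

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}   # empty string when no secrets
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
      - run: npm ci && npm run build
      - name: Sign package
        if: env.SIGNING_KEY != ''   # signing artifacts only when secrets exist
        run: ./scripts/sign.sh
      - uses: actions/upload-artifact@v4
        with:
          name: browser-build
          path: dist/
```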

@coroiu requested a review from a team as a code owner February 3, 2025 15:03

coroiu (Contributor, Author) commented Feb 3, 2025

@justindbaur adding you as reviewer too because of how highly discussed this has been

github-actions bot (Contributor) commented Feb 3, 2025

Checkmarx One – Scan Summary & Details 79051f70-e87f-4c6f-8802-ad78d6f3c3e6

Great job, no security vulnerabilities found in this Pull Request

codecov bot commented Feb 3, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 35.20%. Comparing base (55c1dd9) to head (cadd475).
Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13222      +/-   ##
==========================================
- Coverage   35.21%   35.20%   -0.01%     
==========================================
  Files        3126     3126              
  Lines       92567    92567              
  Branches    16857    16857              
==========================================
- Hits        32597    32590       -7     
- Misses      57513    57520       +7     
  Partials     2457     2457              


@withinfocus (Contributor) commented

I'd say this is blocked from merging until bitwarden/renovate-config#18 is in.

@trmartin4 (Member) commented

@coroiu the blocking PR has been merged 🥳 .

@justindbaur (Member) left a comment

Just a question about passing inputs, otherwise everything looks good.

Review thread on .github/workflows/build-browser-target.yml (resolved):

pull_request_target are only intended to be used with contributor PRs and we cannot dispatch builds for these branches so there was no point having that option.
@coroiu coroiu requested a review from justindbaur February 10, 2025 14:06
@coroiu coroiu merged commit 4cb8e85 into main Feb 11, 2025
134 checks passed
@coroiu coroiu deleted the PM-15126-third-attempt branch February 11, 2025 10:14