@vvolkgang (Member)

🎟️ Tracking

PM-28029

📔 Objective

Address SonarCube and zizmor findings, following similar work in bitwarden/android#6151

  • Removed unused dispatch-and-download action.
  • Removed secrets: inherit from _version.yml jobs.
  • Set default value for Patch version when repo doesn't have a tag.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@vvolkgang vvolkgang requested a review from a team as a code owner November 10, 2025 21:18
@vvolkgang vvolkgang enabled auto-merge (squash) November 10, 2025 21:18
claude bot commented Nov 10, 2025

Claude finished @vvolkgang's task.
Review Complete

  • Read repository guidelines
  • Review PR title and description
  • Analyze changed files
  • Perform comprehensive code review
  • Update comment with findings

Summary

This PR addresses security findings from SonarCloud and zizmor by removing an unused GitHub Action, eliminating unnecessary secret inheritance in version calculation jobs, and fixing a bash parameter expansion bug. The changes are minimal and security-focused.

Findings

Finding 1: The distinct_id input parameter descriptions at .github/workflows/_version.yml:20 and .github/workflows/_version.yml:43 still reference "dispatch-and-download.yml" which was deleted in this PR.

💭 These descriptions should be updated or the parameter should be evaluated for removal if no longer needed.

Suggested fix
# Either update the description:
distinct_id:
  description: "Unique ID for workflow dispatch tracking"

# Or if truly unused, consider removing the parameter entirely

Finding 2: The PR only removes secrets: inherit from the version job calls, but both ci-bwa.yml and ci-bwpm.yml still have secrets: inherit in their build-manual and build-public jobs (ci-bwa.yml:78, ci-bwa.yml:103; ci-bwpm.yml:81, ci-bwpm.yml:111).

⚠️ If the zizmor finding indicates that secrets should not be inherited when not explicitly needed, these remaining instances may also warrant review. The PR objective states "Removed secrets: inherit from _version.yml jobs" but doesn't clarify whether the other jobs legitimately need secrets.

Context

The _version.yml workflow only performs version calculations using git tags and environment variables - it doesn't need any repository secrets. However, the build jobs likely do need secrets for code signing, API tokens, etc.

Question for the author: Did the zizmor/SonarCloud finding specifically flag only the version job, or should the build jobs also be reviewed for whether they truly need all secrets?

Finding 3: The bash parameter expansion fix at .github/workflows/_version.yml:111 correctly adds a default value (${_PATCH_VERSION:-0}), preventing an undefined variable error when no tags exist and no patch override is provided.

👍 Good defensive programming - this handles the edge case properly.

PR Title and Description Quality

💭 The PR description is clear and concise. However, it could be improved by:

  1. Explaining why secrets: inherit was problematic for the version job specifically
  2. Clarifying whether the remaining secrets: inherit usage in build jobs was evaluated
  3. Including a link to the zizmor findings or explaining what security issue it identified

Suggested additions to PR description
## Security Context

The `_version.yml` workflow performs only version calculations using git operations and doesn't require access to repository secrets. The zizmor tool flagged this as a violation of the principle of least privilege - secrets should only be inherited by jobs that actually need them.

The build jobs (`build-manual` and `build-public`) still use `secrets: inherit` as they legitimately require secrets for code signing and distribution.

Good Practices Observed

  • Principle of least privilege applied to version calculation workflow
  • Defensive bash scripting with parameter defaults
  • Removal of unused code (dispatch-and-download action)

Action Items

  1. Required: Update or remove distinct_id parameter descriptions referencing the deleted dispatch-and-download.yml (.github/workflows/_version.yml:20, .github/workflows/_version.yml:43)
  2. Optional: Clarify in PR description whether build job secret inheritance was evaluated

github-actions bot (Contributor) commented Nov 10, 2025

Checkmarx One – Scan Summary & Details (scan 6ba76e38-66c1-4ebb-a6fa-b340fe7b3288)

Great job! No new security vulnerabilities introduced in this pull request

codecov bot commented Nov 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.04%. Comparing base (bdc2c53) to head (d89465a).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2124      +/-   ##
==========================================
- Coverage   85.38%   84.04%   -1.35%     
==========================================
  Files        1726     1982     +256     
  Lines      145621   161180   +15559     
==========================================
+ Hits       124343   135459   +11116     
- Misses      21278    25721    +4443     


LRNcardozoWDF previously approved these changes Nov 20, 2025
# Conflicts:
#	.github/actions/dispatch-and-download/action.yml
latest_tag_version=$(git tag -l --sort=-creatordate | grep "$APP_CODENAME" | head -n 1)
if [[ -z "$latest_tag_version" ]]; then
version_name="${current_year}.${current_month}.${_PATCH_VERSION}"
version_name="${current_year}.${current_month}.${_PATCH_VERSION:-0}"
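Review bot: `grep "$APP_CODENAME"` on the `latest_tag_version` line is an unanchored substring match, so any tag whose name merely contains the codename (for example a tag of a different app whose codename includes this one) would be selected as the latest tag and the version derived from it; consider anchoring the pattern with `^`/`$` (or a `git tag -l` glob) to the repository's actual tag naming convention. The `${_PATCH_VERSION:-0}` default is correct for the no-tag branch and also covers an exported but empty `_PATCH_VERSION`, since `:-` treats empty like unset; if an empty override should remain an error rather than silently become 0, `${_PATCH_VERSION-0}` keeps that distinction.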

👍 Good fix - the :-0 default prevents bash errors when _PATCH_VERSION is unset and no tags exist in the repository.
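The patch-version fallback discussed in Finding 3 and in the diff above, as an added example that is not code from the Bitwarden workflow: the tag-filter and version lines are reproduced in small functions so the pre-fix and post-fix behaviour can be run side by side under `set -u`. The tag names and the `latest_tag_for` / `version_name_before` / `version_name_after` helpers are constructed for this example, and the tag-found branch is a placeholder because the page only shows the no-tag case.

```shell
#!/bin/sh
# Added example, not code from the Bitwarden workflow: reproduces the
# patch-version fallback from _version.yml in small functions so the defect
# and the fix can be run side by side. `set -u` turns an unset expansion
# into a hard error, the failure the ${_PATCH_VERSION:-0} change guards against.
set -u

# Constructed tag list, newest first, standing in for the output of
# `git tag -l --sort=-creatordate` (names are made up for this example).
SAMPLE_TAGS=$(printf '%s\n' v2025.11.1-authenticator v2025.10.3-bwpm v2025.9.0-bwpm)

# latest_tag_for CODENAME TAGS: the workflow's filter, a substring grep for the
# codename keeping the first (newest) hit; prints nothing when nothing matches.
latest_tag_for() {
  printf '%s\n' "$2" | grep -- "$1" | head -n 1
}

# Before the fix. Args: YEAR MONTH CODENAME TAGS. With no matching tag and no
# exported _PATCH_VERSION this aborts under set -u ("unbound variable").
version_name_before() {
  latest=$(latest_tag_for "$3" "$4")
  if [ -z "$latest" ]; then
    printf '%s.%s.%s\n' "$1" "$2" "${_PATCH_VERSION}"
  else
    printf '%s\n' "$latest"   # placeholder branch; the page only shows the no-tag case
  fi
}

# After the fix: ${_PATCH_VERSION:-0} yields 0 when the variable is unset or
# empty, so a fresh repository still gets a well-formed YEAR.MONTH.0 version.
version_name_after() {
  latest=$(latest_tag_for "$3" "$4")
  if [ -z "$latest" ]; then
    printf '%s.%s.%s\n' "$1" "$2" "${_PATCH_VERSION:-0}"
  else
    printf '%s\n' "$latest"   # placeholder branch, as above
  fi
}

# Stand-alone demo: the first call aborts its subshell, the other two succeed.
(unset _PATCH_VERSION; version_name_before 2025 11 bwa "$SAMPLE_TAGS") \
  || echo "before the fix: aborted, no version name produced"
(unset _PATCH_VERSION; version_name_after 2025 11 bwa "$SAMPLE_TAGS")                   # 2025.11.0
(_PATCH_VERSION=4; export _PATCH_VERSION; version_name_after 2025 11 bwa "$SAMPLE_TAGS") # 2025.11.4
```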
