
Commit 26ca647

committed
Merge remote-tracking branch 'origin/main' into deploy-on-rancher
2 parents b9edbcb + 83f1d82 commit 26ca647


683 files changed

+14961
-5337
lines changed



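--- a/.github/ISSUE_TEMPLATE/1-bug.yaml
+++ b/.github/ISSUE_TEMPLATE/1-bug.yaml
@@ -1,6 +1,6 @@
 name: "🐞 Bug"
 description: "File a bug report."
-title: "<title>"
+title: "bug: "
 labels: ["needs-triage"]
 body:
 - type: checkboxes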

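--- a/.github/actions/setup-tf/action.yaml
+++ b/.github/actions/setup-tf/action.yaml
@@ -7,5 +7,5 @@ runs:
 - name: Install Terraform
 uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 with:
-terraform_version: 1.10.5
+terraform_version: 1.11.0
 terraform_wrapper: false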

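--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -37,7 +37,8 @@ updates:
 # Update our Dockerfile.
 - package-ecosystem: "docker"
 directories:
-- "/dogfood/contents"
+- "/dogfood/coder"
+- "/dogfood/coder-envbuilder"
 - "/scripts"
 - "/examples/templates/docker/build"
 - "/examples/parameters/build"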

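--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -172,13 +172,13 @@ jobs:
 
 - name: Get golangci-lint cache dir
 run: |
-linter_ver=$(egrep -o 'GOLANGCI_LINT_VERSION=\S+' dogfood/contents/Dockerfile | cut -d '=' -f 2)
+linter_ver=$(egrep -o 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/Dockerfile | cut -d '=' -f 2)
 go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver
 dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }')
 echo "LINT_CACHE_DIR=$dir" >> $GITHUB_ENV
 
 - name: golangci-lint cache
-uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
 with:
 path: |
 ${{ env.LINT_CACHE_DIR }}
@@ -188,7 +188,7 @@ jobs:
 
 # Check for any typos
 - name: Check for typos
-uses: crate-ci/typos@212923e4ff05b7fc2294a204405eec047b807138 # v1.29.9
+uses: crate-ci/typos@db35ee91e80fbb447f33b0e5fbddb24d2a1a884f # v1.29.10
 with:
 config: .github/workflows/typos.toml
 
@@ -1021,7 +1021,14 @@ jobs:
 if: github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
 runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-22.04' }}
 permissions:
-packages: write # Needed to push images to ghcr.io
+# Necessary to push docker images to ghcr.io.
+packages: write
+# Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+# Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
+# And for GitHub Actions attestation
+id-token: write
+# Required for GitHub Actions attestation
+attestations: write
 env:
 DOCKER_CLI_EXPERIMENTAL: "enabled"
 outputs:
@@ -1038,7 +1045,7 @@ jobs:
 fetch-depth: 0
 
 - name: GHCR Login
-uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -1050,14 +1057,56 @@ jobs:
 - name: Setup Go
 uses: ./.github/actions/setup-go
 
+# Necessary for signing Windows binaries.
+- name: Setup Java
+uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+with:
+distribution: "zulu"
+java-version: "11.0"
+
+- name: Install go-winres
+run: go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
+
 - name: Install nfpm
 run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1
 
 - name: Install zstd
 run: sudo apt-get install -y zstd
 
+- name: Install cosign
+uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+with:
+cosign-release: "v2.4.3"
+
+- name: Install syft
+uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+with:
+syft-version: "v1.20.0"
+
+- name: Setup Windows EV Signing Certificate
+run: |
+set -euo pipefail
+touch /tmp/ev_cert.pem
+chmod 600 /tmp/ev_cert.pem
+echo "$EV_SIGNING_CERT" > /tmp/ev_cert.pem
+wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign-6.0.jar
+env:
+EV_SIGNING_CERT: ${{ secrets.EV_SIGNING_CERT }}
+
+# Setup GCloud for signing Windows binaries.
+- name: Authenticate to Google Cloud
+id: gcloud_auth
+uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
+with:
+workload_identity_provider: ${{ secrets.GCP_CODE_SIGNING_WORKLOAD_ID_PROVIDER }}
+service_account: ${{ secrets.GCP_CODE_SIGNING_SERVICE_ACCOUNT }}
+token_format: "access_token"
+
+- name: Setup GCloud SDK
+uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+
 - name: Download dylibs
-uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
 with:
 name: dylibs
 path: ./build
@@ -1082,6 +1131,18 @@ jobs:
 build/coder_linux_{amd64,arm64,armv7} \
 build/coder_"$version"_windows_amd64.zip \
 build/coder_"$version"_linux_amd64.{tar.gz,deb}
+env:
+# The Windows slim binary must be signed for Coder Desktop to accept
+# it. The darwin executables don't need to be signed, but the dylibs
+# do (see above).
+CODER_SIGN_WINDOWS: "1"
+CODER_WINDOWS_RESOURCES: "1"
+EV_KEY: ${{ secrets.EV_KEY }}
+EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }}
+EV_TSA_URL: ${{ secrets.EV_TSA_URL }}
+EV_CERTIFICATE_PATH: /tmp/ev_cert.pem
+GCLOUD_ACCESS_TOKEN: ${{ steps.gcloud_auth.outputs.access_token }}
+JSIGN_PATH: /tmp/jsign-6.0.jar
 
 - name: Build Linux Docker images
 id: build-docker
@@ -1123,6 +1184,138 @@ jobs:
 done
 fi
 
+# GitHub attestation provides SLSA provenance for the Docker images, establishing a verifiable
+# record that these images were built in GitHub Actions with specific inputs and environment.
+# This complements our existing cosign attestations which focus on SBOMs.
+#
+# We attest each tag separately to ensure all tags have proper provenance records.
+# TODO: Consider refactoring these steps to use a matrix strategy or composite action to reduce duplication
+# while maintaining the required functionality for each tag.
+- name: GitHub Attestation for Docker image
+id: attest_main
+if: github.ref == 'refs/heads/main'
+continue-on-error: true
+uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.2.1
+with:
+subject-name: "ghcr.io/coder/coder-preview:main"
+predicate-type: "https://slsa.dev/provenance/v1"
+predicate: |
+{
+"buildType": "https://github.com/actions/runner-images/",
+"builder": {
+"id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+},
+"invocation": {
+"configSource": {
+"uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
+"digest": {
+"sha1": "${{ github.sha }}"
+},
+"entryPoint": ".github/workflows/ci.yaml"
+},
+"environment": {
+"github_workflow": "${{ github.workflow }}",
+"github_run_id": "${{ github.run_id }}"
+}
+},
+"metadata": {
+"buildInvocationID": "${{ github.run_id }}",
+"completeness": {
+"environment": true,
+"materials": true
+}
+}
+}
+push-to-registry: true
+
+- name: GitHub Attestation for Docker image (latest tag)
+id: attest_latest
+if: github.ref == 'refs/heads/main'
+continue-on-error: true
+uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.2.1
+with:
+subject-name: "ghcr.io/coder/coder-preview:latest"
+predicate-type: "https://slsa.dev/provenance/v1"
+predicate: |
+{
+"buildType": "https://github.com/actions/runner-images/",
+"builder": {
+"id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+},
+"invocation": {
+"configSource": {
+"uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
+"digest": {
+"sha1": "${{ github.sha }}"
+},
+"entryPoint": ".github/workflows/ci.yaml"
+},
+"environment": {
+"github_workflow": "${{ github.workflow }}",
+"github_run_id": "${{ github.run_id }}"
+}
+},
+"metadata": {
+"buildInvocationID": "${{ github.run_id }}",
+"completeness": {
+"environment": true,
+"materials": true
+}
+}
+}
+push-to-registry: true
+
+- name: GitHub Attestation for version-specific Docker image
+id: attest_version
+if: github.ref == 'refs/heads/main'
+continue-on-error: true
+uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.2.1
+with:
+subject-name: "ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}"
+predicate-type: "https://slsa.dev/provenance/v1"
+predicate: |
+{
+"buildType": "https://github.com/actions/runner-images/",
+"builder": {
+"id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+},
+"invocation": {
+"configSource": {
+"uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
+"digest": {
+"sha1": "${{ github.sha }}"
+},
+"entryPoint": ".github/workflows/ci.yaml"
+},
+"environment": {
+"github_workflow": "${{ github.workflow }}",
+"github_run_id": "${{ github.run_id }}"
+}
+},
+"metadata": {
+"buildInvocationID": "${{ github.run_id }}",
+"completeness": {
+"environment": true,
+"materials": true
+}
+}
+}
+push-to-registry: true
+
+# Report attestation failures but don't fail the workflow
+- name: Check attestation status
+if: github.ref == 'refs/heads/main'
+run: |
+if [[ "${{ steps.attest_main.outcome }}" == "failure" ]]; then
+echo "::warning::GitHub attestation for main tag failed"
+fi
+if [[ "${{ steps.attest_latest.outcome }}" == "failure" ]]; then
+echo "::warning::GitHub attestation for latest tag failed"
+fi
+if [[ "${{ steps.attest_version.outcome }}" == "failure" ]]; then
+echo "::warning::GitHub attestation for version-specific tag failed"
+fi
+
 - name: Prune old images
 if: github.ref == 'refs/heads/main'
 uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 # v0.6.0
@@ -1183,13 +1376,13 @@ jobs:
 uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
 
 - name: Set up Flux CLI
-uses: fluxcd/flux2/action@af67405ee43a6cd66e0b73f4b3802e8583f9d961 # v2.5.0
+uses: fluxcd/flux2/action@8d5f40dca5aa5d3c0fc3414457dda15a0ac92fa4 # v2.5.1
 with:
 # Keep this and the github action up to date with the version of flux installed in dogfood cluster
-version: "2.2.1"
+version: "2.5.1"
 
 - name: Get Cluster Credentials
-uses: google-github-actions/get-gke-credentials@7a108e64ed8546fe38316b4086e91da13f4785e1 # v2.3.1
+uses: google-github-actions/get-gke-credentials@d0cee45012069b163a631894b98904a9e6723729 # v2.3.3
 with:
 cluster_name: dogfood-v2
 location: us-central1-a
@@ -1219,6 +1412,8 @@ jobs:
 kubectl --namespace coder rollout status deployment/coder
 kubectl --namespace coder rollout restart deployment/coder-provisioner
 kubectl --namespace coder rollout status deployment/coder-provisioner
+kubectl --namespace coder rollout restart deployment/coder-provisioner-tagged
+kubectl --namespace coder rollout status deployment/coder-provisioner-tagged
 
 deploy-wsproxies:
 runs-on: ubuntu-latest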
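Review bot: The jsign jar fetched in the new "Setup Windows EV Signing Certificate" step (`wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign-6.0.jar`) is downloaded with no integrity check, yet it is the tool the later Build step hands the EV key, keystore and GCP access token via `JSIGN_PATH`, and it is the only input on the signing path in this job that is not pinned to a commit SHA. Record the release's digest in the workflow and verify it right after the download, e.g. `echo "<JSIGN_6_0_SHA256>  /tmp/jsign-6.0.jar" | sha256sum -c -` (placeholder to be replaced with the published checksum), so a tampered or swapped artifact fails the job before any signing happens. Separately, the hand-written SLSA predicate in the three attestation steps asserts `"completeness": {"materials": true}` while listing no materials at all, which overstates what the provenance covers; either drop that claim or have the platform generate the provenance instead of a self-asserted predicate. The job these hunks belong to starts before the first hunk and its remaining steps continue past the last one.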

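--- a/.github/workflows/docker-base.yaml
+++ b/.github/workflows/docker-base.yaml
@@ -46,7 +46,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Docker login
-uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}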

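--- a/.github/workflows/docs-ci.yaml
+++ b/.github/workflows/docs-ci.yaml
@@ -28,7 +28,7 @@ jobs:
 - name: Setup Node
 uses: ./.github/actions/setup-node
 
-- uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8 # v45.0.7
+- uses: tj-actions/changed-files@531f5f7d163941f0c1c04e0ff4d8bb243ac4366f # v45.0.7
 id: changed-files
 with:
 files: |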
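Review bot: The `tj-actions/changed-files` pin moves from `dcc7a0cb…` to `531f5f7d…` while the trailing comment still reads `# v45.0.7`, so the hunk leaves no record of why the same version is being re-pinned to a different commit. A SHA that changes under an unchanged version label is exactly the case a reviewer should resolve explicitly: confirm in the action's upstream repository which commit the `v45.0.7` tag currently points at, and either update the label to the actual release or note the reason inline, e.g. `# v45.0.7 (re-pinned; see upstream tag)`. Without that, the next reader cannot tell a deliberate re-pin from a stale comment.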
