name: Build on: push: branches: - main pull_request: branches: - main # Note: if: success() is used in several jobs - # this ensures that it only executes if all previous jobs succeeded. # if: steps.cache-yarn.outputs.cache-hit != 'true' # will skip running `yarn install` if it successfully fetched from cache jobs: prebuild: name: Pre-build checks runs-on: ubuntu-latest timeout-minutes: 15 steps: - name: Checkout repo uses: actions/checkout@v2 - name: Install Node.js v14 uses: actions/setup-node@v2 with: node-version: "14" - name: Install helm uses: azure/setup-helm@v1.1 # NOTE@jsjoeio # disabling this until we can audit the build process # and the usefulness of this step # See: https://github.com/coder/code-server/issues/4287 # - name: Fetch dependencies from cache # id: cache-yarn # uses: actions/cache@v2 # with: # path: "**/node_modules" # key: yarn-build-${{ hashFiles('**/yarn.lock') }} # restore-keys: | # yarn-build- - name: Install dependencies # if: steps.cache-yarn.outputs.cache-hit != 'true' run: yarn --frozen-lockfile - name: Run yarn fmt run: yarn fmt if: success() - name: Run yarn lint run: yarn lint if: success() audit-ci: name: Run audit-ci needs: prebuild runs-on: ubuntu-latest timeout-minutes: 15 steps: - name: Checkout repo uses: actions/checkout@v2 - name: Install Node.js v14 uses: actions/setup-node@v2 with: node-version: "14" - name: Fetch dependencies from cache id: cache-yarn uses: actions/cache@v2 with: path: "**/node_modules" key: yarn-build-${{ hashFiles('**/yarn.lock') }} restore-keys: | yarn-build- - name: Install dependencies if: steps.cache-yarn.outputs.cache-hit != 'true' run: yarn --frozen-lockfile - name: Audit for vulnerabilities run: yarn _audit if: success() build: name: Build needs: prebuild runs-on: ubuntu-latest timeout-minutes: 30 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} steps: - uses: actions/checkout@v2 with: fetch-depth: 0 - name: Install Node.js v14 uses: actions/setup-node@v2 with: node-version: "14" # TODO@Teffen investigate why this omits code-oss-dev/node_modules # - name: Fetch dependencies from cache # id: cache-yarn # uses: actions/cache@v2 # with: # path: | # "**/node_modules" # "**/vendor/modules" # "**/vendor/modules/code-oss-dev/node_modules" # key: yarn-build-${{ hashFiles('**/yarn.lock') }}-${{ hashFiles('**/vendor/yarn.lock') }} # restore-keys: | # yarn-build- - name: Install dependencies # if: steps.cache-yarn.outputs.cache-hit != 'true' run: yarn --frozen-lockfile - name: Build code-server run: yarn build # Parse the hash of the latest commit inside vendor/modules/code-oss-dev # use this to avoid rebuilding it if nothing changed # How it works: the `git log` command fetches the hash of the last commit # that changed a file inside `vendor/modules/code-oss-dev`. If a commit changes any file in there, # the hash returned will change, and we rebuild vscode. If the hash did not change, # (for example, a change to `src/` or `docs/`), we reuse the same build as last time. # This saves a lot of time in CI, as compiling VSCode can take anywhere from 5-10 minutes. - name: Get latest vendor/modules/code-oss-dev rev id: vscode-rev run: echo "::set-output name=rev::$(jq -r '.devDependencies["code-oss-dev"]' vendor/package.json | sed -r 's|.*#(.*)$|\1|')" - name: Attempt to fetch vscode build from cache id: cache-vscode uses: actions/cache@v2 with: path: | vendor/modules/code-oss-dev/.build vendor/modules/code-oss-dev/out-build vendor/modules/code-oss-dev/out-vscode-reh-web vendor/modules/code-oss-dev/out-vscode-reh-web-min key: vscode-reh-build-${{ steps.vscode-rev.outputs.rev }} - name: Build vscode if: steps.cache-vscode.outputs.cache-hit != 'true' run: yarn build:vscode # Our code imports code from VS Code's `out` directory meaning VS Code # must be built before running these tests. # TODO: Move to its own step? - name: Run code-server unit tests run: yarn test:unit if: success() - name: Upload coverage report to Codecov run: yarn coverage if: success() # The release package does not contain any native modules # and is neutral to architecture/os/libc version. - name: Create release package run: yarn release if: success() # https://github.com/actions/upload-artifact/issues/38 - name: Compress release package run: tar -czf package.tar.gz release - name: Upload npm package artifact uses: actions/upload-artifact@v2 with: name: npm-package path: ./package.tar.gz # TODO: cache building yarn --production # possibly 2m30s of savings(?) # this requires refactoring our release scripts package-linux-amd64: name: x86-64 Linux build needs: build runs-on: ubuntu-latest timeout-minutes: 15 container: "centos:7" steps: - uses: actions/checkout@v2 - name: Install Node.js v14 uses: actions/setup-node@v2 with: node-version: "14" - name: Install development tools run: | yum install -y epel-release centos-release-scl yum install -y devtoolset-9-{make,gcc,gcc-c++} jq rsync - name: Install nfpm and envsubst run: | curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1 curl -L https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst chmod +x envsubst mv envsubst ~/.local/bin echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install yarn run: npm install -g yarn - name: Download npm package uses: actions/download-artifact@v2 with: name: npm-package - name: Decompress npm package run: tar -xzf package.tar.gz # NOTE: && here is deliberate - GitHub puts each line in its own `.sh` # file when running inside a docker container. - name: Build standalone release run: source scl_source enable devtoolset-9 && yarn release:standalone - name: Sanity test standalone release run: yarn test:standalone-release - name: Build packages with nfpm run: yarn package - name: Upload release artifacts uses: actions/upload-artifact@v2 with: name: release-packages path: ./release-packages # NOTE@oxy: # We use Ubuntu 16.04 here, so that our build is more compatible # with older libc versions. We used to (Q1'20) use CentOS 7 here, # but it has a full update EOL of Q4'20 and a 'critical security' # update EOL of 2024. We're dropping full support a few years before # the final EOL, but I don't believe CentOS 7 has a large arm64 userbase. # It is not feasible to cross-compile with CentOS. # Cross-compile notes: To compile native dependencies for arm64, # we install the aarch64/armv7l cross toolchain and then set it as the default # compiler/linker/etc. with the AR/CC/CXX/LINK environment variables. # qemu-user-static on ubuntu-16.04 currently doesn't run Node correctly, # so we just build with "native"/x86_64 node, then download arm64/armv7l node # and then put it in our release. We can't smoke test the cross build this way, # but this means we don't need to maintain a self-hosted runner! # NOTE@jsjoeio: # We used to use 16.04 until GitHub deprecated it on September 20, 2021 # See here: https://github.com/actions/virtual-environments/pull/3862/files package-linux-cross: name: Linux cross-compile builds needs: build runs-on: ubuntu-18.04 timeout-minutes: 15 strategy: matrix: include: - prefix: aarch64-linux-gnu arch: arm64 - prefix: arm-linux-gnueabihf arch: armv7l env: AR: ${{ format('{0}-ar', matrix.prefix) }} CC: ${{ format('{0}-gcc', matrix.prefix) }} CXX: ${{ format('{0}-g++', matrix.prefix) }} LINK: ${{ format('{0}-g++', matrix.prefix) }} NPM_CONFIG_ARCH: ${{ matrix.arch }} NODE_VERSION: v14.17.4 steps: - uses: actions/checkout@v2 - name: Install Node.js v14 uses: actions/setup-node@v2 with: node-version: "14" - name: Install nfpm run: | curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1 echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install cross-compiler run: sudo apt update && sudo apt install $PACKAGE env: PACKAGE: ${{ format('g++-{0}', matrix.prefix) }} - name: Download npm package uses: actions/download-artifact@v2 with: name: npm-package - name: Decompress npm package run: tar -xzf package.tar.gz - name: Build standalone release run: yarn release:standalone - name: Replace node with cross-compile equivalent run: | wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz tar -xf node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}/bin/node --strip-components=2 mv ./node ./release-standalone/lib/node - name: Build packages with nfpm run: yarn package ${NPM_CONFIG_ARCH} - name: Upload release artifacts uses: actions/upload-artifact@v2 with: name: release-packages path: ./release-packages package-macos-amd64: name: x86-64 macOS build needs: build runs-on: macos-latest timeout-minutes: 15 steps: - uses: actions/checkout@v2 - name: Install Node.js v14 uses: actions/setup-node@v2 with: node-version: "14" - name: Install nfpm run: | curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1 echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Download npm package uses: actions/download-artifact@v2 with: name: npm-package - name: Decompress npm package run: tar -xzf package.tar.gz - name: Build standalone release run: yarn release:standalone - name: Sanity test standalone release run: yarn test:standalone-release - name: Build packages with nfpm run: yarn package - name: Upload release artifacts uses: actions/upload-artifact@v2 with: name: release-packages path: ./release-packages test-e2e: name: End-to-end tests needs: package-linux-amd64 runs-on: ubuntu-latest timeout-minutes: 15 env: # Since we build code-server we might as well run tests from the release # since VS Code will load faster due to the bundling. CODE_SERVER_TEST_ENTRY: "./release-packages/code-server-linux-amd64" steps: - uses: actions/checkout@v2 - name: Install Node.js v14 uses: actions/setup-node@v2 with: node-version: "14" - name: Fetch dependencies from cache id: cache-yarn uses: actions/cache@v2 with: path: "**/node_modules" key: yarn-build-${{ hashFiles('**/yarn.lock') }} restore-keys: | yarn-build- - name: Download release packages uses: actions/download-artifact@v2 with: name: release-packages path: ./release-packages - name: Untar code-server release run: | cd release-packages tar -xzf code-server*-linux-amd64.tar.gz mv code-server*-linux-amd64 code-server-linux-amd64 - name: Install dependencies if: steps.cache-yarn.outputs.cache-hit != 'true' run: yarn --frozen-lockfile - name: Install Playwright OS dependencies run: | ./test/node_modules/.bin/playwright install-deps ./test/node_modules/.bin/playwright install - name: Run end-to-end tests run: yarn test:e2e - name: Upload test artifacts if: always() uses: actions/upload-artifact@v2 with: name: failed-test-videos path: ./test/test-results - name: Remove release packages and test artifacts run: rm -rf ./release-packages ./test/test-results trivy-scan-repo: runs-on: ubuntu-20.04 steps: - name: Checkout code uses: actions/checkout@v2 - name: Run Trivy vulnerability scanner in repo mode #Commit SHA for v0.0.17 uses: aquasecurity/trivy-action@9c21d3ca2c14eb35419e2a8b66d1195946d579b8 with: scan-type: "fs" scan-ref: "." ignore-unfixed: true format: "template" template: "@/contrib/sarif.tpl" output: "trivy-repo-results.sarif" severity: "HIGH,CRITICAL" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: sarif_file: "trivy-repo-results.sarif"