444 lines
14 KiB
YAML
444 lines
14 KiB
YAML
name: Build
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
|
|
# Note: if: success() is used in several jobs -
|
|
# this ensures that it only executes if all previous jobs succeeded.
|
|
|
|
# if: steps.cache-yarn.outputs.cache-hit != 'true'
|
|
# will skip running `yarn install` if it successfully fetched from cache
|
|
|
|
jobs:
|
|
prebuild:
|
|
name: Pre-build checks
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
steps:
|
|
- name: Checkout repo
|
|
uses: actions/checkout@v2
|
|
|
|
- name: Install Node.js v14
|
|
uses: actions/setup-node@v2
|
|
with:
|
|
node-version: "14"
|
|
|
|
- name: Install helm
|
|
uses: azure/setup-helm@v1.1
|
|
|
|
# NOTE@jsjoeio
|
|
# disabling this until we can audit the build process
|
|
# and the usefulness of this step
|
|
# See: https://github.com/cdr/code-server/issues/4287
|
|
# - name: Fetch dependencies from cache
|
|
# id: cache-yarn
|
|
# uses: actions/cache@v2
|
|
# with:
|
|
# path: "**/node_modules"
|
|
# key: yarn-build-${{ hashFiles('**/yarn.lock') }}
|
|
# restore-keys: |
|
|
# yarn-build-
|
|
|
|
- name: Install dependencies
|
|
# if: steps.cache-yarn.outputs.cache-hit != 'true'
|
|
run: yarn --frozen-lockfile
|
|
|
|
- name: Run yarn fmt
|
|
run: yarn fmt
|
|
if: success()
|
|
|
|
- name: Run yarn lint
|
|
run: yarn lint
|
|
if: success()
|
|
|
|
audit-ci:
|
|
name: Run audit-ci
|
|
needs: prebuild
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
steps:
|
|
- name: Checkout repo
|
|
uses: actions/checkout@v2
|
|
|
|
- name: Install Node.js v14
|
|
uses: actions/setup-node@v2
|
|
with:
|
|
node-version: "14"
|
|
|
|
- name: Fetch dependencies from cache
|
|
id: cache-yarn
|
|
uses: actions/cache@v2
|
|
with:
|
|
path: "**/node_modules"
|
|
key: yarn-build-${{ hashFiles('**/yarn.lock') }}
|
|
restore-keys: |
|
|
yarn-build-
|
|
|
|
- name: Install dependencies
|
|
if: steps.cache-yarn.outputs.cache-hit != 'true'
|
|
run: yarn --frozen-lockfile
|
|
|
|
- name: Audit for vulnerabilities
|
|
run: yarn _audit
|
|
if: success()
|
|
|
|
build:
|
|
name: Build
|
|
needs: prebuild
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
env:
|
|
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Install Node.js v14
|
|
uses: actions/setup-node@v2
|
|
with:
|
|
node-version: "14"
|
|
|
|
# TODO@Teffen investigate why this omits code-oss-dev/node_modules
|
|
# - name: Fetch dependencies from cache
|
|
# id: cache-yarn
|
|
# uses: actions/cache@v2
|
|
# with:
|
|
# path: |
|
|
# "**/node_modules"
|
|
# "**/vendor/modules"
|
|
# "**/vendor/modules/code-oss-dev/node_modules"
|
|
# key: yarn-build-${{ hashFiles('**/yarn.lock') }}-${{ hashFiles('**/vendor/yarn.lock') }}
|
|
# restore-keys: |
|
|
# yarn-build-
|
|
|
|
- name: Install dependencies
|
|
# if: steps.cache-yarn.outputs.cache-hit != 'true'
|
|
run: yarn --frozen-lockfile
|
|
|
|
- name: Build code-server
|
|
run: yarn build
|
|
|
|
# Parse the hash of the latest commit inside vendor/modules/code-oss-dev
|
|
# use this to avoid rebuilding it if nothing changed
|
|
# How it works: the `git log` command fetches the hash of the last commit
|
|
# that changed a file inside `vendor/modules/code-oss-dev`. If a commit changes any file in there,
|
|
# the hash returned will change, and we rebuild vscode. If the hash did not change,
|
|
# (for example, a change to `src/` or `docs/`), we reuse the same build as last time.
|
|
# This saves a lot of time in CI, as compiling VSCode can take anywhere from 5-10 minutes.
|
|
- name: Get latest vendor/modules/code-oss-dev rev
|
|
id: vscode-rev
|
|
run: echo "::set-output name=rev::$(jq -r '.devDependencies["code-oss-dev"]' vendor/package.json | sed -r 's|.*#(.*)$|\1|')"
|
|
|
|
- name: Attempt to fetch vscode build from cache
|
|
id: cache-vscode
|
|
uses: actions/cache@v2
|
|
with:
|
|
path: |
|
|
vendor/modules/code-oss-dev/.build
|
|
vendor/modules/code-oss-dev/out-build
|
|
vendor/modules/code-oss-dev/out-vscode-reh-web
|
|
vendor/modules/code-oss-dev/out-vscode-reh-web-min
|
|
key: vscode-reh-build-${{ steps.vscode-rev.outputs.rev }}
|
|
|
|
- name: Build vscode
|
|
if: steps.cache-vscode.outputs.cache-hit != 'true'
|
|
run: yarn build:vscode
|
|
|
|
# Our code imports code from VS Code's `out` directory meaning VS Code
|
|
# must be built before running these tests.
|
|
# TODO: Move to its own step?
|
|
- name: Run code-server unit tests
|
|
run: yarn test:unit
|
|
if: success()
|
|
|
|
- name: Upload coverage report to Codecov
|
|
run: yarn coverage
|
|
if: success()
|
|
|
|
# The release package does not contain any native modules
|
|
# and is neutral to architecture/os/libc version.
|
|
- name: Create release package
|
|
run: yarn release
|
|
if: success()
|
|
|
|
# https://github.com/actions/upload-artifact/issues/38
|
|
- name: Compress release package
|
|
run: tar -czf package.tar.gz release
|
|
|
|
- name: Upload npm package artifact
|
|
uses: actions/upload-artifact@v2
|
|
with:
|
|
name: npm-package
|
|
path: ./package.tar.gz
|
|
|
|
# TODO: cache building yarn --production
|
|
# possibly 2m30s of savings(?)
|
|
# this requires refactoring our release scripts
|
|
package-linux-amd64:
|
|
name: x86-64 Linux build
|
|
needs: build
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
container: "centos:7"
|
|
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
|
|
- name: Install Node.js v14
|
|
uses: actions/setup-node@v2
|
|
with:
|
|
node-version: "14"
|
|
|
|
- name: Install development tools
|
|
run: |
|
|
yum install -y epel-release centos-release-scl
|
|
yum install -y devtoolset-9-{make,gcc,gcc-c++} jq rsync
|
|
|
|
- name: Install nfpm and envsubst
|
|
run: |
|
|
curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1
|
|
curl -L https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst
|
|
chmod +x envsubst
|
|
mv envsubst ~/.local/bin
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
- name: Install yarn
|
|
run: npm install -g yarn
|
|
|
|
- name: Download npm package
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: npm-package
|
|
|
|
- name: Decompress npm package
|
|
run: tar -xzf package.tar.gz
|
|
|
|
# NOTE: && here is deliberate - GitHub puts each line in its own `.sh`
|
|
# file when running inside a docker container.
|
|
- name: Build standalone release
|
|
run: source scl_source enable devtoolset-9 && yarn release:standalone
|
|
|
|
- name: Sanity test standalone release
|
|
run: yarn test:standalone-release
|
|
|
|
- name: Build packages with nfpm
|
|
run: yarn package
|
|
|
|
- name: Upload release artifacts
|
|
uses: actions/upload-artifact@v2
|
|
with:
|
|
name: release-packages
|
|
path: ./release-packages
|
|
|
|
# NOTE@oxy:
|
|
# We use Ubuntu 16.04 here, so that our build is more compatible
|
|
# with older libc versions. We used to (Q1'20) use CentOS 7 here,
|
|
# but it has a full update EOL of Q4'20 and a 'critical security'
|
|
# update EOL of 2024. We're dropping full support a few years before
|
|
# the final EOL, but I don't believe CentOS 7 has a large arm64 userbase.
|
|
# It is not feasible to cross-compile with CentOS.
|
|
|
|
# Cross-compile notes: To compile native dependencies for arm64,
|
|
# we install the aarch64/armv7l cross toolchain and then set it as the default
|
|
# compiler/linker/etc. with the AR/CC/CXX/LINK environment variables.
|
|
# qemu-user-static on ubuntu-16.04 currently doesn't run Node correctly,
|
|
# so we just build with "native"/x86_64 node, then download arm64/armv7l node
|
|
# and then put it in our release. We can't smoke test the cross build this way,
|
|
# but this means we don't need to maintain a self-hosted runner!
|
|
|
|
# NOTE@jsjoeio:
|
|
# We used to use 16.04 until GitHub deprecated it on September 20, 2021
|
|
# See here: https://github.com/actions/virtual-environments/pull/3862/files
|
|
package-linux-cross:
|
|
name: Linux cross-compile builds
|
|
needs: build
|
|
runs-on: ubuntu-18.04
|
|
timeout-minutes: 15
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- prefix: aarch64-linux-gnu
|
|
arch: arm64
|
|
- prefix: arm-linux-gnueabihf
|
|
arch: armv7l
|
|
|
|
env:
|
|
AR: ${{ format('{0}-ar', matrix.prefix) }}
|
|
CC: ${{ format('{0}-gcc', matrix.prefix) }}
|
|
CXX: ${{ format('{0}-g++', matrix.prefix) }}
|
|
LINK: ${{ format('{0}-g++', matrix.prefix) }}
|
|
NPM_CONFIG_ARCH: ${{ matrix.arch }}
|
|
NODE_VERSION: v14.17.4
|
|
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
|
|
- name: Install Node.js v14
|
|
uses: actions/setup-node@v2
|
|
with:
|
|
node-version: "14"
|
|
|
|
- name: Install nfpm
|
|
run: |
|
|
curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
- name: Install cross-compiler
|
|
run: sudo apt update && sudo apt install $PACKAGE
|
|
env:
|
|
PACKAGE: ${{ format('g++-{0}', matrix.prefix) }}
|
|
|
|
- name: Download npm package
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: npm-package
|
|
|
|
- name: Decompress npm package
|
|
run: tar -xzf package.tar.gz
|
|
|
|
- name: Build standalone release
|
|
run: yarn release:standalone
|
|
|
|
- name: Replace node with cross-compile equivalent
|
|
run: |
|
|
wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz
|
|
tar -xf node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}/bin/node --strip-components=2
|
|
mv ./node ./release-standalone/lib/node
|
|
|
|
- name: Build packages with nfpm
|
|
run: yarn package ${NPM_CONFIG_ARCH}
|
|
|
|
- name: Upload release artifacts
|
|
uses: actions/upload-artifact@v2
|
|
with:
|
|
name: release-packages
|
|
path: ./release-packages
|
|
|
|
package-macos-amd64:
|
|
name: x86-64 macOS build
|
|
needs: build
|
|
runs-on: macos-latest
|
|
timeout-minutes: 15
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
|
|
- name: Install Node.js v14
|
|
uses: actions/setup-node@v2
|
|
with:
|
|
node-version: "14"
|
|
|
|
- name: Install nfpm
|
|
run: |
|
|
curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
- name: Download npm package
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: npm-package
|
|
|
|
- name: Decompress npm package
|
|
run: tar -xzf package.tar.gz
|
|
|
|
- name: Build standalone release
|
|
run: yarn release:standalone
|
|
|
|
- name: Sanity test standalone release
|
|
run: yarn test:standalone-release
|
|
|
|
- name: Build packages with nfpm
|
|
run: yarn package
|
|
|
|
- name: Upload release artifacts
|
|
uses: actions/upload-artifact@v2
|
|
with:
|
|
name: release-packages
|
|
path: ./release-packages
|
|
|
|
test-e2e:
|
|
name: End-to-end tests
|
|
needs: package-linux-amd64
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
env:
|
|
# Since we build code-server we might as well run tests from the release
|
|
# since VS Code will load faster due to the bundling.
|
|
CODE_SERVER_TEST_ENTRY: "./release-packages/code-server-linux-amd64"
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
|
|
- name: Install Node.js v14
|
|
uses: actions/setup-node@v2
|
|
with:
|
|
node-version: "14"
|
|
|
|
- name: Fetch dependencies from cache
|
|
id: cache-yarn
|
|
uses: actions/cache@v2
|
|
with:
|
|
path: "**/node_modules"
|
|
key: yarn-build-${{ hashFiles('**/yarn.lock') }}
|
|
restore-keys: |
|
|
yarn-build-
|
|
|
|
- name: Download release packages
|
|
uses: actions/download-artifact@v2
|
|
with:
|
|
name: release-packages
|
|
path: ./release-packages
|
|
|
|
- name: Untar code-server release
|
|
run: |
|
|
cd release-packages
|
|
tar -xzf code-server*-linux-amd64.tar.gz
|
|
mv code-server*-linux-amd64 code-server-linux-amd64
|
|
|
|
- name: Install dependencies
|
|
if: steps.cache-yarn.outputs.cache-hit != 'true'
|
|
run: yarn --frozen-lockfile
|
|
|
|
- name: Install Playwright OS dependencies
|
|
run: |
|
|
./test/node_modules/.bin/playwright install-deps
|
|
./test/node_modules/.bin/playwright install
|
|
|
|
- name: Run end-to-end tests
|
|
run: yarn test:e2e
|
|
|
|
- name: Upload test artifacts
|
|
if: always()
|
|
uses: actions/upload-artifact@v2
|
|
with:
|
|
name: failed-test-videos
|
|
path: ./test/test-results
|
|
|
|
- name: Remove release packages and test artifacts
|
|
run: rm -rf ./release-packages ./test/test-results
|
|
|
|
trivy-scan-repo:
|
|
runs-on: ubuntu-20.04
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v2
|
|
- name: Run Trivy vulnerability scanner in repo mode
|
|
#Commit SHA for v0.0.17
|
|
uses: aquasecurity/trivy-action@8f4c7160b470bafe4299efdc1c8a1fb495f8325a
|
|
with:
|
|
scan-type: "fs"
|
|
scan-ref: "."
|
|
ignore-unfixed: true
|
|
format: "template"
|
|
template: "@/contrib/sarif.tpl"
|
|
output: "trivy-repo-results.sarif"
|
|
severity: "HIGH,CRITICAL"
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v1
|
|
with:
|
|
sarif_file: "trivy-repo-results.sarif"
|