Commit26ca647

committed
Merge remote-tracking branch 'origin/main' into deploy-on-rancher
2 parentsb9edbcb +83f1d82 commit26ca647


683 files changed

+14961
-5337
lines changed


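--- a/.github/ISSUE_TEMPLATE/1-bug.yaml
+++ b/.github/ISSUE_TEMPLATE/1-bug.yaml
@@ -1,6 +1,6 @@
 name:"🐞 Bug"
 description:"File a bug report."
-title:"<title>"
+title:"bug:"
 labels:["needs-triage"]
 body:
 -type:checkboxes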

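--- a/.github/actions/setup-tf/action.yaml
+++ b/.github/actions/setup-tf/action.yaml
@@ -7,5 +7,5 @@ runs:
 -name:Install Terraform
 uses:hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd# v3.1.2
 with:
-terraform_version:1.10.5
+terraform_version:1.11.0
 terraform_wrapper:false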

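--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -37,7 +37,8 @@ updates:
 # Update our Dockerfile.
 -package-ecosystem:"docker"
 directories:
--"/dogfood/contents"
+-"/dogfood/coder"
+-"/dogfood/coder-envbuilder"
 -"/scripts"
 -"/examples/templates/docker/build"
 -"/examples/parameters/build"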

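--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -172,13 +172,13 @@ jobs:
 
 -name:Get golangci-lint cache dir
 run:|
-linter_ver=$(egrep -o 'GOLANGCI_LINT_VERSION=\S+' dogfood/contents/Dockerfile | cut -d '=' -f 2)
+linter_ver=$(egrep -o 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/Dockerfile | cut -d '=' -f 2)
 go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver
 dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }')
 echo "LINT_CACHE_DIR=$dir" >> $GITHUB_ENV
 
 -name:golangci-lint cache
-uses:actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f# v4.2.1
+uses:actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf# v4.2.2
 with:
 path:|
 ${{ env.LINT_CACHE_DIR }}
@@ -188,7 +188,7 @@ jobs:
 
 # Check for any typos
 -name:Check for typos
-uses:crate-ci/typos@212923e4ff05b7fc2294a204405eec047b807138# v1.29.9
+uses:crate-ci/typos@db35ee91e80fbb447f33b0e5fbddb24d2a1a884f# v1.29.10
 with:
 config:.github/workflows/typos.toml
 
@@ -1021,7 +1021,14 @@ jobs:
 if:github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
 runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-22.04' }}
 permissions:
-packages:write# Needed to push images to ghcr.io
+# Necessary to push docker images to ghcr.io.
+packages:write
+# Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+# Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
+# And for GitHub Actions attestation
+id-token:write
+# Required for GitHub Actions attestation
+attestations:write
 env:
 DOCKER_CLI_EXPERIMENTAL:"enabled"
 outputs:
@@ -1038,7 +1045,7 @@ jobs:
 fetch-depth:0
 
 -name:GHCR Login
-uses:docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567# v3.3.0
+uses:docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772# v3.4.0
 with:
 registry:ghcr.io
 username:${{ github.actor }}
@@ -1050,14 +1057,56 @@ jobs:
 -name:Setup Go
 uses:./.github/actions/setup-go
 
+# Necessary for signing Windows binaries.
+-name:Setup Java
+uses:actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12# v4.7.0
+with:
+distribution:"zulu"
+java-version:"11.0"
+
+-name:Install go-winres
+run:go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e# v0.3.3
+
 -name:Install nfpm
 run:go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1
 
 -name:Install zstd
 run:sudo apt-get install -y zstd
 
+-name:Install cosign
+uses:sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a# v3.8.1
+with:
+cosign-release:"v2.4.3"
+
+-name:Install syft
+uses:anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0# v0.18.0
+with:
+syft-version:"v1.20.0"
+
+-name:Setup Windows EV Signing Certificate
+run:|
+set -euo pipefail
+touch /tmp/ev_cert.pem
+chmod 600 /tmp/ev_cert.pem
+echo "$EV_SIGNING_CERT" > /tmp/ev_cert.pem
+wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign-6.0.jar
+env:
+EV_SIGNING_CERT:${{ secrets.EV_SIGNING_CERT }}
+
+# Setup GCloud for signing Windows binaries.
+-name:Authenticate to Google Cloud
+id:gcloud_auth
+uses:google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935# v2.1.8
+with:
+workload_identity_provider:${{ secrets.GCP_CODE_SIGNING_WORKLOAD_ID_PROVIDER }}
+service_account:${{ secrets.GCP_CODE_SIGNING_SERVICE_ACCOUNT }}
+token_format:"access_token"
+
+-name:Setup GCloud SDK
+uses:google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a# v2.1.4
+
 -name:Download dylibs
-uses:actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16# v4.1.8
+uses:actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806# v4.1.9
 with:
 name:dylibs
 path:./build
@@ -1082,6 +1131,18 @@ jobs:
 build/coder_linux_{amd64,arm64,armv7} \
 build/coder_"$version"_windows_amd64.zip \
 build/coder_"$version"_linux_amd64.{tar.gz,deb}
+env:
+# The Windows slim binary must be signed for Coder Desktop to accept
+# it. The darwin executables don't need to be signed, but the dylibs
+# do (see above).
+CODER_SIGN_WINDOWS:"1"
+CODER_WINDOWS_RESOURCES:"1"
+EV_KEY:${{ secrets.EV_KEY }}
+EV_KEYSTORE:${{ secrets.EV_KEYSTORE }}
+EV_TSA_URL:${{ secrets.EV_TSA_URL }}
+EV_CERTIFICATE_PATH:/tmp/ev_cert.pem
+GCLOUD_ACCESS_TOKEN:${{ steps.gcloud_auth.outputs.access_token }}
+JSIGN_PATH:/tmp/jsign-6.0.jar
 
 -name:Build Linux Docker images
 id:build-docker
@@ -1123,6 +1184,138 @@ jobs:
 done
 fi
 
+# GitHub attestation provides SLSA provenance for the Docker images, establishing a verifiable
+# record that these images were built in GitHub Actions with specific inputs and environment.
+# This complements our existing cosign attestations which focus on SBOMs.
+#
+# We attest each tag separately to ensure all tags have proper provenance records.
+# TODO: Consider refactoring these steps to use a matrix strategy or composite action to reduce duplication
+# while maintaining the required functionality for each tag.
+-name:GitHub Attestation for Docker image
+id:attest_main
+if:github.ref == 'refs/heads/main'
+continue-on-error:true
+uses:actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31# v2.2.1
+with:
+subject-name:"ghcr.io/coder/coder-preview:main"
+predicate-type:"https://slsa.dev/provenance/v1"
+predicate:|
+{
+"buildType": "https://github.com/actions/runner-images/",
+"builder": {
+"id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+},
+"invocation": {
+"configSource": {
+"uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
+"digest": {
+"sha1": "${{ github.sha }}"
+},
+"entryPoint": ".github/workflows/ci.yaml"
+},
+"environment": {
+"github_workflow": "${{ github.workflow }}",
+"github_run_id": "${{ github.run_id }}"
+}
+},
+"metadata": {
+"buildInvocationID": "${{ github.run_id }}",
+"completeness": {
+"environment": true,
+"materials":true
+}
+}
+}
+push-to-registry:true
+
+-name:GitHub Attestation for Docker image (latest tag)
+id:attest_latest
+if:github.ref == 'refs/heads/main'
+continue-on-error:true
+uses:actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31# v2.2.1
+with:
+subject-name:"ghcr.io/coder/coder-preview:latest"
+predicate-type:"https://slsa.dev/provenance/v1"
+predicate:|
+{
+"buildType": "https://github.com/actions/runner-images/",
+"builder": {
+"id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+},
+"invocation": {
+"configSource": {
+"uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
+"digest": {
+"sha1": "${{ github.sha }}"
+},
+"entryPoint": ".github/workflows/ci.yaml"
+},
+"environment": {
+"github_workflow": "${{ github.workflow }}",
+"github_run_id": "${{ github.run_id }}"
+}
+},
+"metadata": {
+"buildInvocationID": "${{ github.run_id }}",
+"completeness": {
+"environment": true,
+"materials":true
+}
+}
+}
+push-to-registry:true
+
+-name:GitHub Attestation for version-specific Docker image
+id:attest_version
+if:github.ref == 'refs/heads/main'
+continue-on-error:true
+uses:actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31# v2.2.1
+with:
+subject-name:"ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}"
+predicate-type:"https://slsa.dev/provenance/v1"
+predicate:|
+{
+"buildType": "https://github.com/actions/runner-images/",
+"builder": {
+"id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+},
+"invocation": {
+"configSource": {
+"uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
+"digest": {
+"sha1": "${{ github.sha }}"
+},
+"entryPoint": ".github/workflows/ci.yaml"
+},
+"environment": {
+"github_workflow": "${{ github.workflow }}",
+"github_run_id": "${{ github.run_id }}"
+}
+},
+"metadata": {
+"buildInvocationID": "${{ github.run_id }}",
+"completeness": {
+"environment": true,
+"materials":true
+}
+}
+}
+push-to-registry:true
+
+# Report attestation failures but don't fail the workflow
+-name:Check attestation status
+if:github.ref == 'refs/heads/main'
+run:|
+if [[ "${{ steps.attest_main.outcome }}" == "failure" ]]; then
+echo "::warning::GitHub attestation for main tag failed"
+fi
+if [[ "${{ steps.attest_latest.outcome }}" == "failure" ]]; then
+echo "::warning::GitHub attestation for latest tag failed"
+fi
+if [[ "${{ steps.attest_version.outcome }}" == "failure" ]]; then
+echo "::warning::GitHub attestation for version-specific tag failed"
+fi
+
 -name:Prune old images
 if:github.ref == 'refs/heads/main'
 uses:vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641# v0.6.0
@@ -1183,13 +1376,13 @@ jobs:
 uses:google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a# v2.1.4
 
 -name:Set up Flux CLI
-uses:fluxcd/flux2/action@af67405ee43a6cd66e0b73f4b3802e8583f9d961# v2.5.0
+uses:fluxcd/flux2/action@8d5f40dca5aa5d3c0fc3414457dda15a0ac92fa4# v2.5.1
 with:
 # Keep this and the github action up to date with the version of flux installed in dogfood cluster
-version:"2.2.1"
+version:"2.5.1"
 
 -name:Get Cluster Credentials
-uses:google-github-actions/get-gke-credentials@7a108e64ed8546fe38316b4086e91da13f4785e1# v2.3.1
+uses:google-github-actions/get-gke-credentials@d0cee45012069b163a631894b98904a9e6723729# v2.3.3
 with:
 cluster_name:dogfood-v2
 location:us-central1-a
@@ -1219,6 +1412,8 @@ jobs:
 kubectl --namespace coder rollout status deployment/coder
 kubectl --namespace coder rollout restart deployment/coder-provisioner
 kubectl --namespace coder rollout status deployment/coder-provisioner
+kubectl --namespace coder rollout restart deployment/coder-provisioner-tagged
+kubectl --namespace coder rollout status deployment/coder-provisioner-tagged
 
 deploy-wsproxies:
 runs-on:ubuntu-latest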
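Review bot: In the "Setup Windows EV Signing Certificate" step, `wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign-6.0.jar` fetches the jar that the build step is later pointed at through `JSIGN_PATH`, alongside the EV key material and `GCLOUD_ACCESS_TOKEN`, and nothing checks what was downloaded. Every action and Go tool added in this section is pinned to a commit SHA or a release version, so this is the one unpinned input on the signing path. Add a digest check directly after the download, e.g. `echo "<SHA256_OF_JSIGN_6.0_JAR>  /tmp/jsign-6.0.jar" | sha256sum -c -`, with the placeholder replaced by the digest of a release asset you have verified independently. Separately, the three `actions/attest` steps set `continue-on-error: true` and their hand-written predicate uses `builder` / `invocation` / `metadata.completeness` at the top level, which looks like the SLSA v0.2 layout under a `https://slsa.dev/provenance/v1` predicate type; a failed or mis-shaped attestation then surfaces only as a `::warning::`, so verifiers should treat a missing attestation as a failure.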

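--- a/.github/workflows/docker-base.yaml
+++ b/.github/workflows/docker-base.yaml
@@ -46,7 +46,7 @@ jobs:
 uses:actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683# v4.2.2
 
 -name:Docker login
-uses:docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567# v3.3.0
+uses:docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772# v3.4.0
 with:
 registry:ghcr.io
 username:${{ github.actor }}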

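--- a/.github/workflows/docs-ci.yaml
+++ b/.github/workflows/docs-ci.yaml
@@ -28,7 +28,7 @@ jobs:
 -name:Setup Node
 uses:./.github/actions/setup-node
 
--uses:tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8# v45.0.7
+-uses:tj-actions/changed-files@531f5f7d163941f0c1c04e0ff4d8bb243ac4366f# v45.0.7
 id:changed-files
 with:
 files:|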
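Review bot: The pin on `tj-actions/changed-files` moves from `dcc7a0c…` to `531f5f7…` while the trailing comment stays `# v45.0.7`, so the diff does not say which release the new commit belongs to. A hash that changes under an unchanged version label usually means either the tag was re-pointed upstream or one of the two pins was never on that tag. Before merging, resolve the new SHA against the upstream repository's tags and audit that commit, then correct the comment to the release it actually resolves to, e.g. `# <RESOLVED_TAG>`. The step's `with:` block continues outside the hunk.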
