@@ -811,8 +811,7 @@ jobs:
811811needs :changes
812812# We always build the dylibs on PRs to verify we're not merging unbuildable code,
813813# but they need only be signed on main.
814- # TODO: Uncomment
815- # if: needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
814+ if :needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
816815runs-on :${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
817816steps :
818817 -name :Harden Runner
@@ -836,8 +835,7 @@ jobs:
836835uses :./.github/actions/setup-go
837836
838837 -name :Install rcodesign
839- # TODO: Uncomment
840- # if: github.ref == 'refs/heads/main'
838+ if :github.ref == 'refs/heads/main'
841839run :|
842840 set -euo pipefail
843841 wget -O /tmp/rcodesign.tar.gz https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-macos-universal.tar.gz
@@ -848,8 +846,7 @@ jobs:
848846 rm /tmp/rcodesign.tar.gz
849847
850848name :Setup Apple Developer certificate and API key
851- # TODO: Uncomment
852- # if: github.ref == 'refs/heads/main'
849+ if :github.ref == 'refs/heads/main'
853850run :|
854851 set -euo pipefail
855852 touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
@@ -870,9 +867,7 @@ jobs:
870867 make gen/mark-fresh
871868 make build/coder-dylib
872869env :
873- # TODO: Uncomment
874- # CODER_SIGN_DARWIN: ${{ github.ref == 'refs/heads/main' && '1' || '0' }}
875- CODER_SIGN_DARWIN :1
870+ CODER_SIGN_DARWIN :${{ github.ref == 'refs/heads/main' && '1' || '0' }}
876871AC_CERTIFICATE_FILE :/tmp/apple_cert.p12
877872AC_CERTIFICATE_PASSWORD_FILE :/tmp/apple_cert_password.txt
878873
@@ -886,8 +881,7 @@ jobs:
886881retention-days :7
887882
888883 -name :Delete Apple Developer certificate and API key
889- # TODO: Uncomment
890- # if: github.ref == 'refs/heads/main'
884+ if :github.ref == 'refs/heads/main'
891885run :rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
892886
893887build :
@@ -896,15 +890,14 @@ jobs:
896890needs :
897891 -changes
898892 -build-dylib
899- # TODO: Uncomment
900- # if: github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
893+ if :github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
901894runs-on :${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
902- #
903- #
904- #
905- #
906- #
907- #
895+ permissions :
896+ packages :write # Needed to push images to ghcr.io
897+ env :
898+ DOCKER_CLI_EXPERIMENTAL :" enabled"
899+ outputs :
900+ IMAGE :ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
908901steps :
909902 -name :Harden Runner
910903uses :step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -943,9 +936,9 @@ jobs:
943936
944937 -name :Insert dylibs
945938run :|
946-
947-
948-
939+ mv ./build/*amd64.dylib ./site/out/bin/coder-vpn-darwin-amd64.dylib
940+ mv ./build/*arm64.dylib ./site/out/bin/coder-vpn-darwin-arm64.dylib
941+ mv ./build/*arm64.h ./site/out/bin/coder-vpn-darwin-dylib.h
949942
950943name :Build
951944run :|
@@ -962,65 +955,63 @@ jobs:
962955 build/coder_"$version"_windows_amd64.zip \
963956 build/coder_"$version"_linux_amd64.{tar.gz,deb}
964957
965- # TODO: Uncomment
966- # - name: Build Linux Docker images
967- # id: build-docker
968- # env:
969- # CODER_IMAGE_BASE: ghcr.io/coder/coder-preview
970- # CODER_IMAGE_TAG_PREFIX: main
971- # DOCKER_CLI_EXPERIMENTAL: "enabled"
972- # run: |
973- # set -euxo pipefail
974-
975- # # build Docker images for each architecture
976- # version="$(./scripts/version.sh)"
977- # tag="main-$(echo "$version" | sed 's/+/-/g')"
978- # echo "tag=$tag" >> $GITHUB_OUTPUT
979-
980- # # build images for each architecture
981- # # note: omitting the -j argument to avoid race conditions when pushing
982- # make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
983-
984- # # only push if we are on main branch
985- # if [ "${{ github.ref }}" == "refs/heads/main" ]; then
986- # # build and push multi-arch manifest, this depends on the other images
987- # # being pushed so will automatically push them
988- # # note: omitting the -j argument to avoid race conditions when pushing
989- # make push/build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
990-
991- # # Define specific tags
992- # tags=("$tag" "main" "latest")
993-
994- # # Create and push a multi-arch manifest for each tag
995- # # we are adding `latest` tag and keeping `main` for backward
996- # # compatibality
997- # for t in "${tags[@]}"; do
998- # ./scripts/build_docker_multiarch.sh \
999- # --push \
1000- # --target "ghcr.io/coder/coder-preview:$t" \
1001- # --version $version \
1002- # $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
1003- # done
1004- # fi
1005-
1006- # - name: Prune old images
1007- # if: github.ref == 'refs/heads/main'
1008- # uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 # v0.6.0
1009- # with:
1010- # token: ${{ secrets.GITHUB_TOKEN }}
1011- # organization: coder
1012- # container: coder-preview
1013- # keep-younger-than: 7 # days
1014- # keep-tags: latest
1015- # keep-tags-regexes: ^pr
1016- # prune-tags-regexes: |
1017- # ^main-
1018- # ^v
1019- # prune-untagged: true
958+ name :Build Linux Docker images
959+ id :build-docker
960+ env :
961+ CODER_IMAGE_BASE :ghcr.io/coder/coder-preview
962+ CODER_IMAGE_TAG_PREFIX :main
963+ DOCKER_CLI_EXPERIMENTAL :" enabled"
964+ run :|
965+ set -euxo pipefail
966+
967+ # build Docker images for each architecture
968+ version="$(./scripts/version.sh)"
969+ tag="main-$(echo "$version" | sed 's/+/-/g')"
970+ echo "tag=$tag" >> $GITHUB_OUTPUT
971+
972+ # build images for each architecture
973+ # note: omitting the -j argument to avoid race conditions when pushing
974+ make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
975+
976+ # only push if we are on main branch
977+ if [ "${{ github.ref }}" == "refs/heads/main" ]; then
978+ # build and push multi-arch manifest, this depends on the other images
979+ # being pushed so will automatically push them
980+ # note: omitting the -j argument to avoid race conditions when pushing
981+ make push/build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
982+
983+ # Define specific tags
984+ tags=("$tag" "main" "latest")
985+
986+ # Create and push a multi-arch manifest for each tag
987+ # we are adding `latest` tag and keeping `main` for backward
988+ # compatibality
989+ for t in "${tags[@]}"; do
990+ ./scripts/build_docker_multiarch.sh \
991+ --push \
992+ --target "ghcr.io/coder/coder-preview:$t" \
993+ --version $version \
994+ $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
995+ done
996+ fi
997+
998+ name :Prune old images
999+ if :github.ref == 'refs/heads/main'
1000+ uses :vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 # v0.6.0
1001+ with :
1002+ token :${{ secrets.GITHUB_TOKEN }}
1003+ organization :coder
1004+ container :coder-preview
1005+ keep-younger-than :7 # days
1006+ keep-tags :latest
1007+ keep-tags-regexes :^pr
1008+ prune-tags-regexes :|
1009+ ^main-
1010+ ^v
1011+ prune-untagged :true
10201012
10211013 -name :Upload build artifacts
1022- # TODO: Uncomment
1023- # if: github.ref == 'refs/heads/main'
1014+ if :github.ref == 'refs/heads/main'
10241015uses :actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
10251016with :
10261017name :coder