Expand Up @@ -4,6 +4,7 @@ on: push: branches: - main - release/* pull_request: workflow_dispatch: Expand Down Expand Up @@ -969,7 +970,7 @@ jobs: needs: changes # We always build the dylibs on Go changes to verify we're not merging unbuildable code, # but they need only be signed and uploaded on coder/coder main. if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main' if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/') runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }} steps: # Harden Runner doesn't work on macOS Expand Down Expand Up @@ -997,7 +998,7 @@ jobs: uses: ./.github/actions/setup-go - name: Install rcodesign if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }} if: ${{ github.repository_owner == 'coder' &&( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) }} run: | set -euo pipefail wget -O /tmp/rcodesign.tar.gz https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-macos-universal.tar.gz Expand All @@ -1008,7 +1009,7 @@ jobs: rm /tmp/rcodesign.tar.gz - name: Setup Apple Developer certificate and API key if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }} if: ${{ github.repository_owner == 'coder' &&( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) }} run: | set -euo pipefail touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8} Expand All @@ -1029,12 +1030,12 @@ jobs: make gen/mark-fresh make build/coder-dylib env: CODER_SIGN_DARWIN: ${{ github.ref == 'refs/heads/main' && '1' || '0' }} CODER_SIGN_DARWIN: ${{( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && '1' || '0' }} AC_CERTIFICATE_FILE: /tmp/apple_cert.p12 AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt - name: Upload build artifacts if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }} if: ${{ github.repository_owner == 'coder' &&( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dylibs Expand All @@ -1044,7 +1045,7 @@ jobs: retention-days: 7 - name: Delete Apple Developer certificate and API key if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }} if: ${{ github.repository_owner == 'coder' &&( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) }} run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8} check-build: Expand Down Expand Up @@ -1094,7 +1095,7 @@ jobs: needs: - changes - build-dylib if: github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork if:( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-22.04' }} permissions: # Necessary to push docker images to ghcr.io. Expand Down Expand Up @@ -1247,40 +1248,45 @@ jobs: id: build-docker env: CODER_IMAGE_BASE: ghcr.io/coder/coder-preview CODER_IMAGE_TAG_PREFIX: main DOCKER_CLI_EXPERIMENTAL: "enabled" run: | set -euxo pipefail # build Docker images for each architecture version="$(./scripts/version.sh)" tag="main- ${version//+/-}" tag="${version//+/-}" echo "tag=$tag" >> "$GITHUB_OUTPUT" # build images for each architecture # note: omitting the -j argument to avoid race conditions when pushing make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag # only push if we are on main branch if [ "${GITHUB_REF}" == "refs/heads/main" ]; then # only push if we are on main branch or release branch if [[ "${GITHUB_REF}" == "refs/heads/main"|| "${GITHUB_REF}" == refs/heads/release/* ] ]; then # build and push multi-arch manifest, this depends on the other images # being pushed so will automatically push them # note: omitting the -j argument to avoid race conditions when pushing make push/build/coder_"$version"_linux_{amd64,arm64,armv7}.tag # Define specific tags tags=("$tag" "main" "latest") tags=("$tag") if [ "${GITHUB_REF}" == "refs/heads/main" ]; then tags+=("main" "latest") elif [[ "${GITHUB_REF}" == refs/heads/release/* ]]; then tags+=("release-${GITHUB_REF#refs/heads/release/}") fi # Create and push a multi-arch manifest for each tag # we are adding `latest` tag and keeping `main` for backward # compatibality for t in "${tags[@]}"; do # shellcheck disable=SC2046 ./scripts/build_docker_multiarch.sh \ --push \ --target "ghcr.io/coder/coder-preview:$t" \ --version "$version" \ $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag) echo "Pushing multi-arch manifest for tag: $t" # shellcheck disable=SC2046 ./scripts/build_docker_multiarch.sh \ --push \ --target "ghcr.io/coder/coder-preview:$t" \ --version "$version" \ $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag) done fi Expand Down Expand Up @@ -1471,112 +1477,28 @@ jobs: ./build/*.deb retention-days: 7 # Deploy is handled in deploy.yaml so we can apply concurrency limits. deploy: name: "deploy" runs-on: ubuntu-latest timeout-minutes: 30 needs: - changes - build if: | github.ref == 'refs/heads/main'&& ! github.event.pull_request.head.repo.fork ( github.ref == 'refs/heads/main'|| startsWith( github.ref, 'refs/heads/release/')) && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork uses: ./.github/workflows/deploy.yaml with: image: ${{ needs.build.outputs.IMAGE }} permissions: contents: read id-token: write steps: - name: Harden Runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: egress-policy: audit - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Authenticate to Google Cloud uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 with: workload_identity_provider: ${{ vars.GCP_WORKLOAD_ID_PROVIDER }} service_account: ${{ vars.GCP_SERVICE_ACCOUNT }} - name: Set up Google Cloud SDK uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1 - name: Set up Flux CLI uses: fluxcd/flux2/action@6bf37f6a560fd84982d67f853162e4b3c2235edb # v2.6.4 with: # Keep this and the github action up to date with the version of flux installed in dogfood cluster version: "2.5.1" - name: Get Cluster Credentials uses: google-github-actions/get-gke-credentials@3da1e46a907576cefaa90c484278bb5b259dd395 # v3.0.0 with: cluster_name: dogfood-v2 location: us-central1-a project_id: coder-dogfood-v2 - name: Reconcile Flux run: | set -euxo pipefail flux --namespace flux-system reconcile source git flux-system flux --namespace flux-system reconcile source git coder-main flux --namespace flux-system reconcile kustomization flux-system flux --namespace flux-system reconcile kustomization coder flux --namespace flux-system reconcile source chart coder-coder flux --namespace flux-system reconcile source chart coder-coder-provisioner flux --namespace coder reconcile helmrelease coder flux --namespace coder reconcile helmrelease coder-provisioner # Just updating Flux is usually not enough. The Helm release may get # redeployed, but unless something causes the Deployment to update the # pods won't be recreated. It's important that the pods get recreated, # since we use `imagePullPolicy: Always` to ensure we're running the # latest image. - name: Rollout Deployment run: | set -euxo pipefail kubectl --namespace coder rollout restart deployment/coder kubectl --namespace coder rollout status deployment/coder kubectl --namespace coder rollout restart deployment/coder-provisioner kubectl --namespace coder rollout status deployment/coder-provisioner kubectl --namespace coder rollout restart deployment/coder-provisioner-tagged kubectl --namespace coder rollout status deployment/coder-provisioner-tagged deploy-wsproxies: runs-on: ubuntu-latest needs: build if: github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork steps: - name: Harden Runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: egress-policy: audit - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Setup flyctl uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # v1.5 - name: Deploy workspace proxies run: | flyctl deploy --image "$IMAGE" --app paris-coder --config ./.github/fly-wsproxies/paris-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_PARIS" --yes flyctl deploy --image "$IMAGE" --app sydney-coder --config ./.github/fly-wsproxies/sydney-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_SYDNEY" --yes flyctl deploy --image "$IMAGE" --app sao-paulo-coder --config ./.github/fly-wsproxies/sao-paulo-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_SAO_PAULO" --yes flyctl deploy --image "$IMAGE" --app jnb-coder --config ./.github/fly-wsproxies/jnb-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_JNB" --yes env: FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }} IMAGE: ${{ needs.build.outputs.IMAGE }} TOKEN_PARIS: ${{ secrets.FLY_PARIS_CODER_PROXY_SESSION_TOKEN }} TOKEN_SYDNEY: ${{ secrets.FLY_SYDNEY_CODER_PROXY_SESSION_TOKEN }} TOKEN_SAO_PAULO: ${{ secrets.FLY_SAO_PAULO_CODER_PROXY_SESSION_TOKEN }} TOKEN_JNB: ${{ secrets.FLY_JNB_CODER_PROXY_SESSION_TOKEN }} packages: write # to retag image as dogfood secrets: FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }} FLY_PARIS_CODER_PROXY_SESSION_TOKEN: ${{ secrets.FLY_PARIS_CODER_PROXY_SESSION_TOKEN }} FLY_SYDNEY_CODER_PROXY_SESSION_TOKEN: ${{ secrets.FLY_SYDNEY_CODER_PROXY_SESSION_TOKEN }} FLY_SAO_PAULO_CODER_PROXY_SESSION_TOKEN: ${{ secrets.FLY_SAO_PAULO_CODER_PROXY_SESSION_TOKEN }} FLY_JNB_CODER_PROXY_SESSION_TOKEN: ${{ secrets.FLY_JNB_CODER_PROXY_SESSION_TOKEN }} # sqlc-vet runs a postgres docker container, runs Coder migrations, and then # runs sqlc-vet to ensure all queries are valid. This catches any mistakes Expand Down