chore: prettierignore updates and setup-helm upgrade (#5721)

* chore: update prettierignore

* chore: upgrade setup-helm 3.4

.github/CODEOWNERS

@@ -1,4 +1,4 @@
-* @coder/code-server-reviewers
+* @coder/code-server
 
 ci/helm-chart/ @Matthew-Beckett @alexgorbatchev
 

.github/PULL_REQUEST_TEMPLATE/release_template.md

@@ -12,5 +12,6 @@ Follow "Publishing a release" steps in `ci/README.md`
 
 <!-- Note some of these steps below are redundant since they're listed in the "Publishing a release" docs -->
 
-- [ ] publish release and merge PR
-- [ ] update the AUR package
+- [ ] update `CHANGELOG.md`
+- [ ] manually run "Draft release" workflow after merging this PR
+- [ ] merge PR opened in [code-server-aur](https://github.com/coder/code-server-aur)

.github/workflows/build.yaml

@@ -0,0 +1,425 @@
+name: Build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+# Note: if: success() is used in several jobs -
+# this ensures that it only executes if all previous jobs succeeded.
+
+# if: steps.cache-node-modules.outputs.cache-hit != 'true'
+# will skip running `yarn install` if it successfully fetched from cache
+
+jobs:
+  prettier:
+    name: Format with Prettier
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Run prettier with actionsx/prettier
+        uses: actionsx/prettier@v2
+        with:
+          args: --check --loglevel=warn .
+
+  doctoc:
+    name: Doctoc markdown files
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v26.1
+        with:
+          files: |
+            docs/**
+
+      - name: Install Node.js v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+          cache: "yarn"
+
+      - name: Install doctoc
+        run: yarn global add doctoc@2.2.1
+
+      - name: Run doctoc
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: yarn doctoc
+
+  lint-helm:
+    name: Lint Helm chart
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v26.1
+        with:
+          files: |
+            ci/helm-chart/**
+
+      - name: Install helm
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: azure/setup-helm@v3.4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install helm kubeval plugin
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: helm plugin install https://github.com/instrumenta/helm-kubeval
+
+      - name: Lint Helm chart
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: helm kubeval ci/helm-chart
+
+  lint-ts:
+    name: Lint TypeScript files
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v26.1
+        with:
+          files: |
+            **/*.ts
+            **/*.js
+          files_ignore: |
+            lib/vscode/**
+
+      - name: Install Node.js v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        if: steps.changed-files.outputs.any_changed == 'true'
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Install dependencies
+        if: steps.changed-files.outputs.any_changed == 'true' && steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Lint TypeScript files
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: yarn lint:ts
+
+  build:
+    name: Build code-server
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - name: Install quilt
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: quilt
+          version: 1.0
+
+      - name: Patch Code
+        run: quilt push -a
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: yarn --frozen-lockfile
+
+      - name: Build code-server
+        run: yarn build
+
+      # Get Code's git hash.  When this changes it means the content is
+      # different and we need to rebuild.
+      - name: Get latest lib/vscode rev
+        id: vscode-rev
+        run: echo "::set-output name=rev::$(git rev-parse HEAD:./lib/vscode)"
+
+      - name: Get version
+        id: version
+        run: echo "::set-output name=version::$(jq -r .version package.json)"
+
+      # We need to rebuild when we have a new version of Code, when any of
+      # the patches changed, or when the code-server version changes (since
+      # it gets embedded into the code).  Use VSCODE_CACHE_VERSION to
+      # force a rebuild.
+      - name: Fetch prebuilt Code package from cache
+        id: cache-vscode
+        uses: actions/cache@v3
+        with:
+          path: lib/vscode-reh-web-*
+          key: vscode-reh-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ steps.version.outputs.version }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
+
+      - name: Build vscode
+        if: steps.cache-vscode.outputs.cache-hit != 'true'
+        run: yarn build:vscode
+
+      # Our code imports code from VS Code's `out` directory meaning VS Code
+      # must be built before running these tests.
+      # TODO: Move to its own step?
+      - name: Run code-server unit tests
+        run: yarn test:unit
+        if: success()
+
+      - name: Upload coverage report to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+        if: success()
+
+      # The release package does not contain any native modules
+      # and is neutral to architecture/os/libc version.
+      - name: Create release package
+        run: yarn release
+        if: success()
+
+      # https://github.com/actions/upload-artifact/issues/38
+      - name: Compress release package
+        run: tar -czf package.tar.gz release
+
+      - name: Upload npm package artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: npm-package
+          path: ./package.tar.gz
+
+  npm:
+    name: Publish npm package
+    # the npm-package gets uploaded as an artifact in Build
+    # so we need that to complete before this runs
+    needs: build
+    # This environment "npm" requires someone from
+    # coder/code-server-reviewers to approve the PR before this job runs.
+    environment: npm
+    # Only run if PR comes from base repo or event is not a PR
+    # Reason: forks cannot access secrets and this will always fail
+    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Download artifact
+        uses: actions/download-artifact@v3
+        id: download
+        with:
+          name: "npm-package"
+          path: release-npm-package
+
+      - name: Run ./ci/steps/publish-npm.sh
+        run: yarn publish:npm
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # NOTE@jsjoeio
+          # NPM_ENVIRONMENT intentionally not set here.
+          # Instead, itis determined in publish-npm.sh script
+          # using GITHUB environment variables
+
+      - name: Comment npm information
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          GITHUB_TOKEN: ${{ github.token }}
+          header: npm-dev-build
+          message: |
+            ✨ code-server dev build published to npm for PR #${{ github.event.number }}!
+            * _Last publish status_: success
+            * _Commit_: ${{ github.event.pull_request.head.sha }}
+
+            To install in a local project, run:
+            ```shell-session
+            npm install @coder/code-server-pr@${{ github.event.number }}
+            ```
+
+            To install globally, run:
+            ```shell-session
+            npm install -g @coder/code-server-pr@${{ github.event.number }}
+            ```
+
+  test-e2e:
+    name: Run e2e tests
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Download npm package
+        uses: actions/download-artifact@v3
+        with:
+          name: npm-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      - name: Install release package dependencies
+        run: cd release && yarn install
+
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Install Playwright OS dependencies
+        run: |
+          ./test/node_modules/.bin/playwright install-deps
+          ./test/node_modules/.bin/playwright install
+
+      - name: Run end-to-end tests
+        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e --global-timeout 840000
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos
+          path: ./test/test-results
+
+      - name: Remove release packages and test artifacts
+        run: rm -rf ./release ./test/test-results
+
+  test-e2e-proxy:
+    name: Run e2e tests behind proxy
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 25
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Download npm package
+        uses: actions/download-artifact@v3
+        with:
+          name: npm-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      - name: Install release package dependencies
+        run: cd release && yarn install
+
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Install Playwright OS dependencies
+        run: |
+          ./test/node_modules/.bin/playwright install-deps
+          ./test/node_modules/.bin/playwright install
+
+      - name: Cache Caddy
+        uses: actions/cache@v2
+        id: caddy-cache
+        with:
+          path: |
+            ~/.cache/caddy
+          key: cache-caddy-2.5.2
+
+      - name: Install Caddy
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        if: steps.caddy-cache.outputs.cache-hit != 'true'
+        run: |
+          gh release download v2.5.2 --repo caddyserver/caddy --pattern "caddy_2.5.2_linux_amd64.tar.gz"
+          mkdir -p ~/.cache/caddy 
+          tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy
+
+      - name: Start Caddy
+        run: sudo ~/.cache/caddy/caddy start --config ./ci/Caddyfile
+
+      - name: Run end-to-end tests
+        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e:proxy --global-timeout 840000
+
+      - name: Stop Caddy
+        if: always()
+        run: sudo ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos-proxy
+          path: ./test/test-results
+
+      - name: Remove release packages and test artifacts
+        run: rm -rf ./release ./test/test-results

.github/workflows/ci.yaml

@@ -1,625 +0,0 @@
-name: Build
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-
-# Cancel in-progress runs for pull requests when developers push
-# additional changes, and serialize builds in branches.
-# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-# Note: if: success() is used in several jobs -
-# this ensures that it only executes if all previous jobs succeeded.
-
-# if: steps.cache-yarn.outputs.cache-hit != 'true'
-# will skip running `yarn install` if it successfully fetched from cache
-
-jobs:
-  prebuild:
-    name: Pre-build checks
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          submodules: true
-
-      - name: Install Node.js v16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-
-      - name: Install helm
-        uses: azure/setup-helm@v3.3
-
-      - name: Fetch dependencies from cache
-        id: cache-yarn
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: yarn --frozen-lockfile
-
-      - name: Run yarn fmt
-        run: yarn fmt
-        if: success()
-
-      - name: Run yarn lint
-        run: yarn lint
-        if: success()
-
-  audit-ci:
-    name: Run audit-ci
-    needs: prebuild
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          submodules: true
-
-      - name: Install Node.js v16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-
-      - name: Fetch dependencies from cache
-        id: cache-yarn
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: yarn --frozen-lockfile
-
-      - name: Audit for vulnerabilities
-        run: yarn _audit
-        if: success()
-
-  build:
-    name: Build
-    needs: prebuild
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    env:
-      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          submodules: true
-
-      - name: Install quilt
-        run: sudo apt update && sudo apt install quilt
-
-      - name: Patch Code
-        run: quilt push -a
-
-      - name: Install Node.js v16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-
-      - name: Fetch dependencies from cache
-        id: cache-yarn
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: yarn --frozen-lockfile
-
-      - name: Build code-server
-        run: yarn build
-
-      # Get Code's git hash.  When this changes it means the content is
-      # different and we need to rebuild.
-      - name: Get latest lib/vscode rev
-        id: vscode-rev
-        run: echo "::set-output name=rev::$(git rev-parse HEAD:./lib/vscode)"
-
-      - name: Get version
-        id: version
-        run: echo "::set-output name=version::$(jq -r .version package.json)"
-
-      # We need to rebuild when we have a new version of Code, when any of
-      # the patches changed, or when the code-server version changes (since
-      # it gets embedded into the code).  Use VSCODE_CACHE_VERSION to
-      # force a rebuild.
-      - name: Fetch prebuilt Code package from cache
-        id: cache-vscode
-        uses: actions/cache@v3
-        with:
-          path: lib/vscode-reh-web-*
-          key: vscode-reh-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ steps.version.outputs.version }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
-
-      - name: Build vscode
-        if: steps.cache-vscode.outputs.cache-hit != 'true'
-        run: yarn build:vscode
-
-      # Our code imports code from VS Code's `out` directory meaning VS Code
-      # must be built before running these tests.
-      # TODO: Move to its own step?
-      - name: Run code-server unit tests
-        run: yarn test:unit
-        if: success()
-
-      - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v3
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-        if: success()
-
-      # The release package does not contain any native modules
-      # and is neutral to architecture/os/libc version.
-      - name: Create release package
-        run: yarn release
-        if: success()
-
-      # https://github.com/actions/upload-artifact/issues/38
-      - name: Compress release package
-        run: tar -czf package.tar.gz release
-
-      - name: Upload npm package artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: npm-package
-          path: ./package.tar.gz
-
-  npm:
-    # the npm-package gets uploaded as an artifact in Build
-    # so we need that to complete before this runs
-    needs: build
-    # This environment "npm" requires someone from
-    # coder/code-server-reviewers to approve the PR before this job runs.
-    environment: npm
-    # Only run if PR comes from base repo or event is not a PR
-    # Reason: forks cannot access secrets and this will always fail
-    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Download artifact
-        uses: actions/download-artifact@v3
-        id: download
-        with:
-          name: "npm-package"
-          path: release-npm-package
-
-      - name: Run ./ci/steps/publish-npm.sh
-        run: yarn publish:npm
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          # NOTE@jsjoeio
-          # NPM_ENVIRONMENT intentionally not set here.
-          # Instead, itis determined in publish-npm.sh script
-          # using GITHUB environment variables
-
-      - name: Comment npm information
-        uses: marocchino/sticky-pull-request-comment@v2
-        with:
-          GITHUB_TOKEN: ${{ github.token }}
-          header: npm-dev-build
-          message: |
-            ✨ code-server dev build published to npm for PR #${{ github.event.number }}!
-            * _Last publish status_: success
-            * _Commit_: ${{ github.event.pull_request.head.sha }}
-
-            To install in a local project, run:
-            ```shell-session
-            npm install @coder/code-server-pr@${{ github.event.number }}
-            ```
-
-            To install globally, run:
-            ```shell-session
-            npm install -g @coder/code-server-pr@${{ github.event.number }}
-            ```
-
-  # TODO: cache building yarn --production
-  # possibly 2m30s of savings(?)
-  # this requires refactoring our release scripts
-  package-linux-amd64:
-    name: x86-64 Linux build
-    needs: build
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    container: "centos:7"
-
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Install Node.js v16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-
-      - name: Install development tools
-        run: |
-          yum install -y epel-release centos-release-scl
-          yum install -y devtoolset-9-{make,gcc,gcc-c++} jq rsync python3
-
-      - name: Install nfpm and envsubst
-        run: |
-          mkdir -p ~/.local/bin
-          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
-          curl -sSfL https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst
-          chmod +x envsubst
-          mv envsubst ~/.local/bin
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Install yarn
-        run: npm install -g yarn
-
-      - name: Download npm package
-        uses: actions/download-artifact@v3
-        with:
-          name: npm-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      # NOTE: && here is deliberate - GitHub puts each line in its own `.sh`
-      # file when running inside a docker container.
-      - name: Build standalone release
-        run: source scl_source enable devtoolset-9 && yarn release:standalone
-
-      - name: Install test dependencies
-        run: SKIP_SUBMODULE_DEPS=1 yarn install
-
-      - name: Run integration tests on standalone release
-        run: yarn test:integration
-
-      - name: Build packages with nfpm
-        run: yarn package
-
-      - name: Upload release artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: release-packages
-          path: ./release-packages
-
-  # NOTE@oxy:
-  # We use Ubuntu 16.04 here, so that our build is more compatible
-  # with older libc versions. We used to (Q1'20) use CentOS 7 here,
-  # but it has a full update EOL of Q4'20 and a 'critical security'
-  # update EOL of 2024. We're dropping full support a few years before
-  # the final EOL, but I don't believe CentOS 7 has a large arm64 userbase.
-  # It is not feasible to cross-compile with CentOS.
-
-  # Cross-compile notes: To compile native dependencies for arm64,
-  # we install the aarch64/armv7l cross toolchain and then set it as the default
-  # compiler/linker/etc. with the AR/CC/CXX/LINK environment variables.
-  # qemu-user-static on ubuntu-16.04 currently doesn't run Node correctly,
-  # so we just build with "native"/x86_64 node, then download arm64/armv7l node
-  # and then put it in our release. We can't smoke test the cross build this way,
-  # but this means we don't need to maintain a self-hosted runner!
-
-  # NOTE@jsjoeio:
-  # We used to use 16.04 until GitHub deprecated it on September 20, 2021
-  # See here: https://github.com/actions/virtual-environments/pull/3862/files
-  package-linux-cross:
-    name: Linux cross-compile builds
-    needs: build
-    runs-on: ubuntu-18.04
-    timeout-minutes: 15
-    strategy:
-      matrix:
-        include:
-          - prefix: aarch64-linux-gnu
-            arch: arm64
-          - prefix: arm-linux-gnueabihf
-            arch: armv7l
-
-    env:
-      AR: ${{ format('{0}-ar', matrix.prefix) }}
-      CC: ${{ format('{0}-gcc', matrix.prefix) }}
-      CXX: ${{ format('{0}-g++', matrix.prefix) }}
-      LINK: ${{ format('{0}-g++', matrix.prefix) }}
-      NPM_CONFIG_ARCH: ${{ matrix.arch }}
-      NODE_VERSION: v16.13.0
-
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Install Node.js v16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-
-      - name: Install nfpm
-        run: |
-          mkdir -p ~/.local/bin
-          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Install cross-compiler
-        run: sudo apt update && sudo apt install $PACKAGE
-        env:
-          PACKAGE: ${{ format('g++-{0}', matrix.prefix) }}
-
-      - name: Download npm package
-        uses: actions/download-artifact@v3
-        with:
-          name: npm-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      - name: Build standalone release
-        run: yarn release:standalone
-
-      - name: Replace node with cross-compile equivalent
-        run: |
-          wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz
-          tar -xf node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}/bin/node --strip-components=2
-          mv ./node ./release-standalone/lib/node
-
-      - name: Build packages with nfpm
-        run: yarn package ${NPM_CONFIG_ARCH}
-
-      - name: Upload release artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: release-packages
-          path: ./release-packages
-
-  package-macos-amd64:
-    name: x86-64 macOS build
-    needs: build
-    runs-on: macos-latest
-    timeout-minutes: 15
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Install Node.js v16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-
-      - name: Install nfpm
-        run: |
-          mkdir -p ~/.local/bin
-          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Download npm package
-        uses: actions/download-artifact@v3
-        with:
-          name: npm-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      - name: Build standalone release
-        run: yarn release:standalone
-
-      - name: Install test dependencies
-        run: SKIP_SUBMODULE_DEPS=1 yarn install
-
-      - name: Run integration tests on standalone release
-        run: yarn test:integration
-
-      - name: Build packages with nfpm
-        run: yarn package
-
-      - name: Upload release artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: release-packages
-          path: ./release-packages
-
-  test-e2e:
-    name: End-to-end tests
-    needs: package-linux-amd64
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    env:
-      # Since we build code-server we might as well run tests from the release
-      # since VS Code will load faster due to the bundling.
-      CODE_SERVER_TEST_ENTRY: "./release-packages/code-server-linux-amd64"
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Install Node.js v16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-
-      - name: Fetch dependencies from cache
-        id: cache-yarn
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Download release packages
-        uses: actions/download-artifact@v3
-        with:
-          name: release-packages
-          path: ./release-packages
-
-      - name: Untar code-server release
-        run: |
-          cd release-packages
-          tar -xzf code-server*-linux-amd64.tar.gz
-          mv code-server*-linux-amd64 code-server-linux-amd64
-
-      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
-
-      - name: Install Playwright OS dependencies
-        run: |
-          ./test/node_modules/.bin/playwright install-deps
-          ./test/node_modules/.bin/playwright install
-
-      - name: Run end-to-end tests
-        run: yarn test:e2e --global-timeout 840000
-
-      - name: Upload test artifacts
-        if: always()
-        uses: actions/upload-artifact@v3
-        with:
-          name: failed-test-videos
-          path: ./test/test-results
-
-      - name: Remove release packages and test artifacts
-        run: rm -rf ./release-packages ./test/test-results
-
-  test-e2e-proxy:
-    name: End-to-end tests behind proxy
-    needs: package-linux-amd64
-    runs-on: ubuntu-latest
-    timeout-minutes: 25
-    env:
-      # Since we build code-server we might as well run tests from the release
-      # since VS Code will load faster due to the bundling.
-      CODE_SERVER_TEST_ENTRY: "./release-packages/code-server-linux-amd64"
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Install Node.js v16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-
-      - name: Fetch dependencies from cache
-        id: cache-yarn
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Download release packages
-        uses: actions/download-artifact@v3
-        with:
-          name: release-packages
-          path: ./release-packages
-
-      - name: Untar code-server release
-        run: |
-          cd release-packages
-          tar -xzf code-server*-linux-amd64.tar.gz
-          mv code-server*-linux-amd64 code-server-linux-amd64
-
-      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
-
-      - name: Install Playwright OS dependencies
-        run: |
-          ./test/node_modules/.bin/playwright install-deps
-          ./test/node_modules/.bin/playwright install
-
-      - name: Cache Caddy
-        uses: actions/cache@v2
-        id: caddy-cache
-        with:
-          path: |
-            ~/.cache/caddy
-          key: cache-caddy-2.5.2
-
-      - name: Install Caddy
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        if: steps.caddy-cache.outputs.cache-hit != 'true'
-        run: |
-          gh release download v2.5.2 --repo caddyserver/caddy --pattern "caddy_2.5.2_linux_amd64.tar.gz"
-          mkdir -p ~/.cache/caddy 
-          tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy
-
-      - name: Start Caddy
-        run: sudo ~/.cache/caddy/caddy start --config ./ci/Caddyfile
-
-      - name: Run end-to-end tests
-        run: yarn test:e2e:proxy
-
-      - name: Stop Caddy
-        if: always()
-        run: sudo ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
-
-      - name: Upload test artifacts
-        if: always()
-        uses: actions/upload-artifact@v3
-        with:
-          name: failed-test-videos-proxy
-          path: ./test/test-results
-
-      - name: Remove release packages and test artifacts
-        run: rm -rf ./release-packages ./test/test-results
-
-  trivy-scan-repo:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@12814ff8bcb32c97f4d963e6e7903674b1692fa0
-        with:
-          scan-type: "fs"
-          scan-ref: "."
-          ignore-unfixed: true
-          format: "template"
-          template: "@/contrib/sarif.tpl"
-          output: "trivy-repo-results.sarif"
-          severity: "HIGH,CRITICAL"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: "trivy-repo-results.sarif"

.github/workflows/codeql-analysis.yml

@@ -1,47 +0,0 @@
-name: "Code Scanning"
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [main]
-  schedule:
-    # Runs every Monday morning PST
-    - cron: "17 15 * * 1"
-
-# Cancel in-progress runs for pull requests when developers push
-# additional changes, and serialize builds in branches.
-# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-permissions:
-  contents: read
-
-jobs:
-  analyze:
-    permissions:
-      actions: read # for github/codeql-action/init to get workflow details
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/autobuild to send a status report
-    name: Analyze
-    runs-on: ubuntu-20.04
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
-        with:
-          config-file: ./.github/codeql-config.yml
-          languages: javascript
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2

.github/workflows/docker.yaml

@@ -1,60 +0,0 @@
-name: Publish on Docker
-
-on:
-  # Shows the manual trigger in GitHub UI
-  # helpful as a back-up in case the GitHub Actions Workflow fails
-  workflow_dispatch:
-
-  release:
-    types:
-      - released
-
-# Cancel in-progress runs for pull requests when developers push
-# additional changes, and serialize builds in branches.
-# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-jobs:
-  docker-images:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Login to GHCR
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Get version
-        id: version
-        run: echo "::set-output name=version::$(jq -r .version package.json)"
-
-      - name: Download release artifacts
-        uses: robinraju/release-downloader@v1.4
-        with:
-          repository: "coder/code-server"
-          tag: v${{ steps.version.outputs.version }}
-          fileName: "*.deb"
-          out-file-path: "release-packages"
-
-      - name: Publish to Docker
-        run: yarn publish:docker
-        env:
-          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/installer.yaml

@@ -6,11 +6,13 @@ on:
       - main
     paths:
       - "install.sh"
+      - ".github/workflows/installer.yaml"
   pull_request:
     branches:
       - main
     paths:
       - "install.sh"
+      - ".github/workflows/installer.yaml"
 
 # Cancel in-progress runs for pull requests when developers push
 # additional changes, and serialize builds in branches.
@@ -33,8 +35,8 @@ jobs:
       - name: Install code-server
         run: ./install.sh
 
-      - name: Test code-server
-        run: CODE_SERVER_PATH="code-server" yarn test:integration
+      - name: Test code-server was installed globally
+        run: code-server --help
 
   alpine:
     name: Test installer on Alpine
@@ -54,6 +56,11 @@ jobs:
       - name: Test standalone to a non-existent prefix
         run: su coder -c "./install.sh --method standalone --prefix /tmp/does/not/yet/exist"
 
+      # We do not actually have Alpine standalone builds so running code-server
+      # will not work.
+      - name: Test code-server was installed to prefix
+        run: test -f /tmp/does/not/yet/exist/bin/code-server
+
   macos:
     name: Test installer on macOS
     runs-on: macos-latest
@@ -65,5 +72,5 @@ jobs:
       - name: Install code-server
         run: ./install.sh
 
-      - name: Test code-server
-        run: CODE_SERVER_PATH="code-server" yarn test:integration
+      - name: Test code-server was installed globally
+        run: code-server --help

.github/workflows/npm-brew.yaml

@@ -1,69 +0,0 @@
-name: Publish on npm and brew
-
-on:
-  # Shows the manual trigger in GitHub UI
-  # helpful as a back-up in case the GitHub Actions Workflow fails
-  workflow_dispatch:
-
-  release:
-    types: [released]
-
-# Cancel in-progress runs for pull requests when developers push
-# additional changes, and serialize builds in branches.
-# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-jobs:
-  # NOTE: this job requires curl, jq and yarn
-  # All of them are included in ubuntu-latest.
-  npm:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Get version
-        id: version
-        run: echo "::set-output name=version::$(jq -r .version package.json)"
-
-      - name: Download artifact
-        uses: dawidd6/action-download-artifact@v2
-        id: download
-        with:
-          branch: release/v${{ steps.version.outputs.version }}
-          workflow: ci.yaml
-          workflow_conclusion: completed
-          name: "npm-package"
-          path: release-npm-package
-
-      - name: Publish npm package and tag with "latest"
-        run: yarn publish:npm
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_ENVIRONMENT: "production"
-
-  homebrew:
-    needs: npm
-    runs-on: ubuntu-latest
-    steps:
-      # Ensure things are up to date
-      # Suggested by homebrew maintainers
-      # https://github.com/Homebrew/discussions/discussions/1532#discussioncomment-782633
-      - name: Set up Homebrew
-        id: set-up-homebrew
-        uses: Homebrew/actions/setup-homebrew@master
-
-      - name: Checkout code-server
-        uses: actions/checkout@v3
-
-      - name: Configure git
-        run: |
-          git config --global user.name cdrci
-          git config --global user.email opensource@coder.com
-
-      - name: Bump code-server homebrew version
-        env:
-          HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
-        run: ./ci/steps/brew-bump.sh

.github/workflows/publish.yaml

@@ -0,0 +1,161 @@
+name: Publish code-server
+
+on:
+  # Shows the manual trigger in GitHub UI
+  # helpful as a back-up in case the GitHub Actions Workflow fails
+  workflow_dispatch:
+
+  release:
+    types: [released]
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  # NOTE: this job requires curl, jq and yarn
+  # All of them are included in ubuntu-latest.
+  npm:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code-server
+        uses: actions/checkout@v3
+
+      - name: Get version
+        id: version
+        run: echo "::set-output name=version::$(jq -r .version package.json)"
+
+      - name: Download artifact
+        uses: dawidd6/action-download-artifact@v2
+        id: download
+        with:
+          branch: release/v${{ steps.version.outputs.version }}
+          workflow: build.yaml
+          workflow_conclusion: completed
+          name: "npm-package"
+          path: release-npm-package
+
+      - name: Publish npm package and tag with "latest"
+        run: yarn publish:npm
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_ENVIRONMENT: "production"
+
+  homebrew:
+    needs: npm
+    runs-on: ubuntu-latest
+    steps:
+      # Ensure things are up to date
+      # Suggested by homebrew maintainers
+      # https://github.com/Homebrew/discussions/discussions/1532#discussioncomment-782633
+      - name: Set up Homebrew
+        id: set-up-homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+
+      - name: Checkout code-server
+        uses: actions/checkout@v3
+
+      - name: Configure git
+        run: |
+          git config --global user.name cdrci
+          git config --global user.email opensource@coder.com
+
+      - name: Bump code-server homebrew version
+        env:
+          HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
+        run: ./ci/steps/brew-bump.sh
+
+  aur:
+    needs: npm
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    env:
+      GH_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
+    steps:
+      # We need to checkout code-server so we can get the version
+      - name: Checkout code-server
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          path: "./code-server"
+
+      - name: Get code-server version
+        id: version
+        run: |
+          pushd code-server
+          echo "::set-output name=version::$(jq -r .version package.json)"
+          popd
+
+      - name: Checkout code-server-aur repo
+        uses: actions/checkout@v3
+        with:
+          repository: "cdrci/code-server-aur"
+          token: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
+          ref: "master"
+
+      - name: Configure git
+        run: |
+          git config --global user.name cdrci
+          git config --global user.email opensource@coder.com
+
+      - name: Validate package
+        uses: hapakaien/archlinux-package-action@v2
+        with:
+          pkgver: ${{ steps.version.outputs.version }}
+          updpkgsums: true
+          srcinfo: true
+
+      - name: Open PR
+        # We need to git push -u otherwise gh will prompt
+        # asking where to push the branch.
+        run: |
+          git checkout -b update-version-${{ steps.version.outputs.version }}
+          git add . 
+          git commit -m "chore: updating version to ${{ steps.version.outputs.version }}"
+          git push -u origin $(git branch --show)
+          gh pr create --repo coder/code-server-aur --title "chore: bump version to ${{ steps.version.outputs.version }}" --body "PR opened by @$GITHUB_ACTOR" --assignee $GITHUB_ACTOR
+  docker:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code-server
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get version
+        id: version
+        run: echo "::set-output name=version::$(jq -r .version package.json)"
+
+      - name: Download release artifacts
+        uses: robinraju/release-downloader@v1.5
+        with:
+          repository: "coder/code-server"
+          tag: v${{ steps.version.outputs.version }}
+          fileName: "*.deb"
+          out-file-path: "release-packages"
+
+      - name: Publish to Docker
+        run: yarn publish:docker
+        env:
+          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/release.yaml

@@ -0,0 +1,251 @@
+name: Draft release
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write # For creating releases.
+  discussions: write #  For creating a discussion.
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  # TODO: cache building yarn --production
+  # possibly 2m30s of savings(?)
+  # this requires refactoring our release scripts
+  package-linux-amd64:
+    name: x86-64 Linux build
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    container: "centos:7"
+    env:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Install development tools
+        run: |
+          yum install -y epel-release centos-release-scl make
+          yum install -y devtoolset-9-{make,gcc,gcc-c++} jq rsync python3
+
+      - name: Install nfpm and envsubst
+        run: |
+          mkdir -p ~/.local/bin
+          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
+          curl -sSfL https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst
+          chmod +x envsubst
+          mv envsubst ~/.local/bin
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Install yarn
+        run: npm install -g yarn
+
+      - name: Download artifacts
+        uses: dawidd6/action-download-artifact@v2
+        id: download
+        with:
+          branch: ${{ github.ref }}
+          workflow: build.yaml
+          workflow_conclusion: completed
+          check_artifacts: true
+          name: npm-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      # NOTE: && here is deliberate - GitHub puts each line in its own `.sh`
+      # file when running inside a docker container.
+      - name: Build standalone release
+        run: source scl_source enable devtoolset-9 && yarn release:standalone
+
+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Install test dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Run integration tests on standalone release
+        run: yarn test:integration
+
+      - name: Upload coverage report to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+        if: success()
+
+      - name: Build packages with nfpm
+        run: yarn package
+
+      - uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          discussion_category_name: "📣 Announcements"
+          files: ./release-packages/*
+
+  # NOTE@oxy:
+  # We use Ubuntu 16.04 here, so that our build is more compatible
+  # with older libc versions. We used to (Q1'20) use CentOS 7 here,
+  # but it has a full update EOL of Q4'20 and a 'critical security'
+  # update EOL of 2024. We're dropping full support a few years before
+  # the final EOL, but I don't believe CentOS 7 has a large arm64 userbase.
+  # It is not feasible to cross-compile with CentOS.
+
+  # Cross-compile notes: To compile native dependencies for arm64,
+  # we install the aarch64/armv7l cross toolchain and then set it as the default
+  # compiler/linker/etc. with the AR/CC/CXX/LINK environment variables.
+  # qemu-user-static on ubuntu-16.04 currently doesn't run Node correctly,
+  # so we just build with "native"/x86_64 node, then download arm64/armv7l node
+  # and then put it in our release. We can't smoke test the cross build this way,
+  # but this means we don't need to maintain a self-hosted runner!
+
+  # NOTE@jsjoeio:
+  # We used to use 16.04 until GitHub deprecated it on September 20, 2021
+  # See here: https://github.com/actions/virtual-environments/pull/3862/files
+  package-linux-cross:
+    name: Linux cross-compile builds
+    runs-on: ubuntu-18.04
+    timeout-minutes: 15
+    strategy:
+      matrix:
+        include:
+          - prefix: aarch64-linux-gnu
+            arch: arm64
+          - prefix: arm-linux-gnueabihf
+            arch: armv7l
+
+    env:
+      AR: ${{ format('{0}-ar', matrix.prefix) }}
+      CC: ${{ format('{0}-gcc', matrix.prefix) }}
+      CXX: ${{ format('{0}-g++', matrix.prefix) }}
+      LINK: ${{ format('{0}-g++', matrix.prefix) }}
+      NPM_CONFIG_ARCH: ${{ matrix.arch }}
+      NODE_VERSION: v16.13.0
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Install nfpm
+        run: |
+          mkdir -p ~/.local/bin
+          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Install cross-compiler
+        run: sudo apt update && sudo apt install $PACKAGE
+        env:
+          PACKAGE: ${{ format('g++-{0}', matrix.prefix) }}
+
+      - name: Download artifacts
+        uses: dawidd6/action-download-artifact@v2
+        id: download
+        with:
+          branch: ${{ github.ref }}
+          workflow: build.yaml
+          workflow_conclusion: completed
+          check_artifacts: true
+          name: npm-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      - name: Build standalone release
+        run: yarn release:standalone
+
+      - name: Replace node with cross-compile equivalent
+        run: |
+          wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz
+          tar -xf node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}/bin/node --strip-components=2
+          mv ./node ./release-standalone/lib/node
+
+      - name: Build packages with nfpm
+        run: yarn package ${NPM_CONFIG_ARCH}
+
+      - uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          discussion_category_name: "📣 Announcements"
+          files: ./release-packages/*
+
+  package-macos-amd64:
+    name: x86-64 macOS build
+    runs-on: macos-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Install nfpm
+        run: |
+          mkdir -p ~/.local/bin
+          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Download artifacts
+        uses: dawidd6/action-download-artifact@v2
+        id: download
+        with:
+          branch: ${{ github.ref }}
+          workflow: build.yaml
+          workflow_conclusion: completed
+          check_artifacts: true
+          name: npm-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      - name: Build standalone release
+        run: yarn release:standalone
+
+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Install test dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn install
+
+      - name: Run native module tests on standalone release
+        run: yarn test:native
+
+      - name: Build packages with nfpm
+        run: yarn package
+
+      - uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          discussion_category_name: "📣 Announcements"
+          files: ./release-packages/*

.github/workflows/scripts.yaml

@@ -51,3 +51,17 @@ jobs:
 
       - name: Run script unit tests
         run: ./ci/dev/test-scripts.sh
+
+  lint:
+    name: Lint shell files
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install lint utilities
+        run: sudo apt install shellcheck
+
+      - name: Lint shell files
+        run: ./ci/dev/lint-scripts.sh

.github/workflows/security.yaml

@@ -0,0 +1,106 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "package.json"
+  pull_request:
+    paths:
+      - "package.json"
+  schedule:
+    # Runs every Monday morning PST
+    - cron: "17 15 * * 1"
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  audit-ci:
+    name: Audit node modules
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        id: cache-yarn
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Install dependencies
+        if: steps.cache-yarn.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Audit for vulnerabilities
+        run: yarn _audit
+        if: success()
+
+  trivy-scan-repo:
+    name: Scan repo with Trivy
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@e55de85beea5fcec743de6bb6bc56943a0af3c33
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          ignore-unfixed: true
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-repo-results.sarif"
+          severity: "HIGH,CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-repo-results.sarif"
+
+  codeql-analyze:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/autobuild to send a status report
+    name: Analyze with CodeQL
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          config-file: ./.github/codeql-config.yml
+          languages: javascript
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/trivy-docker.yaml

@@ -51,7 +51,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@12814ff8bcb32c97f4d963e6e7903674b1692fa0
+        uses: aquasecurity/trivy-action@e55de85beea5fcec743de6bb6bc56943a0af3c33
         with:
           image-ref: "docker.io/codercom/code-server:latest"
           ignore-unfixed: true

.prettierignore

@@ -1 +1,8 @@
-lib/vscode
+lib/vscode
+lib/vscode-reh-web-linux-x64
+release-standalone
+release
+helm-chart
+test/scripts
+test/e2e/extensions/test-extension
+.pc

.stylelintrc.yaml

@@ -1,2 +0,0 @@
-extends:
-  - stylelint-config-recommended

CHANGELOG.md

@@ -20,6 +20,104 @@ Code v99.99.999
 
 -->
 
+## [4.8.1](https://github.com/coder/code-server/releases/tag/v4.8.1) - 2022-10-28
+
+Code v1.72.1
+
+### Fixed
+
+- Fixed CSP error introduced in 4.8.0 that caused issues with webviews and most
+  extensions.
+
+## [4.8.0](https://github.com/coder/code-server/releases/tag/v4.8.0) - 2022-10-24
+
+Code v1.72.1
+
+### Added
+
+- Support for the Ports panel which leverages code-server's built-in proxy. It
+  also uses `VSCODE_PROXY_URI` where `{{port}}` is replace when forwarding a port.
+  Example: `VSCODE_PROXY_URI=https://{{port}}.kyle.dev` would forward an
+  application running on localhost:3000 to https://3000.kyle.dev
+- Support for `--disable-workspace-trust` CLI flag
+- Support for `--goto` flag to open file @ line:column
+- Added Ubuntu-based images for Docker releases. If you run into issues with
+  `PATH` being overwritten in Docker please try the Ubuntu image as this is a
+  problem in the Debian base image.
+
+### Changed
+
+- Updated Code to 1.72.1
+
+### Fixed
+
+- Enabled `BROWSER` environment variable
+- Patched `asExternalUri` to work so now extensions run inside code-server can use it
+
+## [4.7.1](https://github.com/coder/code-server/releases/tag/v4.7.1) - 2022-09-30
+
+Code v1.71.2
+
+### Changed
+
+- Updated Code to 1.71.2
+
+### Fixed
+
+- Fixed install script not upgrading code-server when already installed on RPM-based machines
+- Fixed install script failing to gain root permissions on FreeBSD
+
+## [4.7.0](https://github.com/coder/code-server/releases/tag/v4.7.0) - 2022-09-09
+
+Code v1.71.0
+
+### Changed
+
+- Updated Code to 1.71.0
+
+### Removed
+
+- Dropped heartbeat patch because it was implemented upstream
+
+### Fixed
+
+- Add flags --unsafe-perm --legacy-peer-deps in `npm-postinstsall.sh` which ensures installing with npm works correctly
+
+## [4.6.1](https://github.com/coder/code-server/releases/tag/v4.6.1) - 2022-09-31
+
+Code v1.70.2
+
+### Changed
+
+- Updated Code to 1.70.2
+- Updated `argon2` to 0.29.0 which should fix issues on FreeBSD
+- Updated docs to suggest using `npm` instead of `yarn`
+
+### Removed
+
+- Dropped database migration patch affected to 4.0.2 versions and earlier.
+
+### Fixed
+
+- Fixed preservation of `process.execArgv` which means you can pass `--prof` to profile code-server
+
+## [4.6.0](https://github.com/coder/code-server/releases/tag/v4.6.0) - 2022-08-17
+
+Code v1.70.1
+
+### Changed
+
+- Updated Code to 1.70.1.
+
+### Added
+
+- Added a heartbeat to sockets. This should prevent them from getting closed by
+  reverse proxy timeouts when idle like NGINX's default 60-second timeout.
+
+### Fixed
+
+- Fixed logout option appearing even when authentication is disabled.
+
 ## [4.5.2](https://github.com/coder/code-server/releases/tag/v4.5.2) - 2022-08-15
 
 Code v1.68.1

ci/build/build-release.sh

@@ -18,6 +18,8 @@ main() {
   VSCODE_SRC_PATH="lib/vscode"
   VSCODE_OUT_PATH="$RELEASE_PATH/lib/vscode"
 
+  create_shrinkwraps
+
   mkdir -p "$RELEASE_PATH"
 
   bundle_code_server
@@ -55,15 +57,6 @@ bundle_code_server() {
 EOF
   ) > "$RELEASE_PATH/package.json"
   rsync yarn.lock "$RELEASE_PATH"
-
-  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we seed
-  # an npm-shrinkwrap file from our yarn lockfile and the current node-modules installed.
-  synp --source-file yarn.lock
-  npm shrinkwrap
-  # HACK@edvincent: The shrinkwrap file will contain the devDependencies, which by default
-  # are installed if present in a lockfile. To avoid every user having to specify --production
-  # to skip them, we carefully remove them from the shrinkwrap file.
-  json -f npm-shrinkwrap.json -I -e "Object.keys(this.dependencies).forEach(dependency => { if (this.dependencies[dependency].dev) { delete this.dependencies[dependency] } } )"
   mv npm-shrinkwrap.json "$RELEASE_PATH"
 
   rsync ci/build/npm-postinstall.sh "$RELEASE_PATH/postinstall.sh"
@@ -105,11 +98,44 @@ bundle_vscode() {
     "$VSCODE_SRC_PATH/package.json" > "$VSCODE_OUT_PATH/package.json"
 
   rsync "$VSCODE_SRC_PATH/remote/yarn.lock" "$VSCODE_OUT_PATH/yarn.lock"
+  mv "$VSCODE_SRC_PATH/remote/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/npm-shrinkwrap.json"
 
   # Include global extension dependencies as well.
   rsync "$VSCODE_SRC_PATH/extensions/package.json" "$VSCODE_OUT_PATH/extensions/package.json"
   rsync "$VSCODE_SRC_PATH/extensions/yarn.lock" "$VSCODE_OUT_PATH/extensions/yarn.lock"
+  mv "$VSCODE_SRC_PATH/extensions/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/extensions/npm-shrinkwrap.json"
   rsync "$VSCODE_SRC_PATH/extensions/postinstall.mjs" "$VSCODE_OUT_PATH/extensions/postinstall.mjs"
 }
 
+create_shrinkwraps() {
+  # yarn.lock or package-lock.json files (used to ensure deterministic versions of dependencies) are
+  # not packaged when publishing to the NPM registry.
+  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we create
+  # an npm-shrinkwrap.json file from the currently installed node_modules. This ensures the versions used
+  # from development (that the yarn.lock guarantees) are also the ones installed by end-users.
+  # These will include devDependencies, but those will be ignored when installing globally (for code-server), and
+  # because we use --omit=dev when installing vscode.
+
+  # We first generate the shrinkwrap file for code-server itself - which is the current directory
+  create_shrinkwrap_keeping_yarn_lock
+
+  # Then the shrinkwrap files for the bundled VSCode
+  pushd "$VSCODE_SRC_PATH/remote/"
+  create_shrinkwrap_keeping_yarn_lock
+  popd
+
+  pushd "$VSCODE_SRC_PATH/extensions/"
+  create_shrinkwrap_keeping_yarn_lock
+  popd
+}
+
+create_shrinkwrap_keeping_yarn_lock() {
+  # HACK@edvincent: Generating a shrinkwrap alters the yarn.lock which we don't want (with NPM URLs rather than the Yarn URLs)
+  # But to generate a valid shrinkwrap, it has to exist... So we copy it to then restore it
+  cp yarn.lock yarn.lock.temp
+  npm shrinkwrap
+  cp yarn.lock.temp yarn.lock
+  rm yarn.lock.temp
+}
+
 main "$@"

ci/build/build-standalone-release.sh

@@ -24,11 +24,8 @@ main() {
   rsync ./ci/build/code-server.sh "$RELEASE_PATH/bin/code-server"
   rsync "$node_path" "$RELEASE_PATH/lib/node"
 
-  ln -s "./bin/code-server" "$RELEASE_PATH/code-server"
-  ln -s "./lib/node" "$RELEASE_PATH/node"
-
   pushd "$RELEASE_PATH"
-  yarn --production --frozen-lockfile
+  npm install --unsafe-perm --omit=dev
   popd
 }
 

ci/build/build-vscode.sh

@@ -23,6 +23,9 @@ copy-bin-script() {
   # shellcheck disable=SC2016
   sed -i.bak 's/^ROOT=\(.*\)$/VSROOT=\1\nROOT="$(dirname "$(dirname "$VSROOT")")"/g' "$dest"
   sed -i.bak 's/ROOT\/out/VSROOT\/out/g' "$dest"
+  # We do not want expansion here; this text should make it to the file as-is.
+  # shellcheck disable=SC2016
+  sed -i.bak 's/$ROOT\/node/${NODE_EXEC_PATH:-$ROOT\/lib\/node}/g' "$dest"
 
   # Fix Node path on Windows.
   sed -i.bak 's/^set ROOT_DIR=\(.*\)$/set ROOT_DIR=%~dp0..\\..\\..\\..\r\nset VSROOT_DIR=\1/g' "$dest"
@@ -79,7 +82,10 @@ main() {
     "newsletterSignupUrl": "https://www.research.net/r/vsc-newsletter",
     "linkProtectionTrustedDomains": [
       "https://open-vsx.org"
-    ]
+    ],
+    "aiConfig": {
+      "ariaKey": "code-server"
+    }
   }
 EOF
   ) > product.json

ci/build/code-server.sh

@@ -11,14 +11,6 @@ _realpath() {
   cd "$(dirname "$script")"
 
   while [ -L "$(basename "$script")" ]; do
-    if [ -L "./node" ] && [ -L "./code-server" ] \
-      && [ -f "package.json" ] \
-      && cat package.json | grep -q '^  "name": "code-server",$'; then
-      echo "***** Please use the script in bin/code-server instead!" >&2
-      echo "***** This script will soon be removed!" >&2
-      echo "***** See the release notes at https://github.com/coder/code-server/releases/tag/v3.4.0" >&2
-    fi
-
     script="$(readlink "$(basename "$script")")"
     cd "$(dirname "$script")"
   done

ci/build/npm-postinstall.sh

@@ -110,7 +110,7 @@ main() {
     echo "Failed to download cloud agent; --link will not work"
   fi
 
-  if ! vscode_yarn; then
+  if ! vscode_install; then
     echo "You may not have the required dependencies to build the native modules."
     echo "Please see https://github.com/coder/code-server/blob/main/docs/npm.md"
     exit 1
@@ -123,17 +123,47 @@ main() {
   fi
 }
 
-vscode_yarn() {
+install_with_yarn_or_npm() {
+  # NOTE@edvincent: We want to keep using the package manager that the end-user was using to install the package.
+  # This also ensures that when *we* run `yarn` in the development process, the yarn.lock file is used.
+  case "${npm_config_user_agent-}" in
+    yarn*)
+      if [ -f "yarn.lock" ]; then
+        yarn --production --frozen-lockfile --no-default-rc
+      else
+        echo "yarn.lock file not present, not running in development mode. use npm to install code-server!"
+        exit 1
+      fi
+      ;;
+    npm*)
+      if [ -f "yarn.lock" ]; then
+        echo "yarn.lock file present, running in development mode. use yarn to install code-server!"
+        exit 1
+      else
+        # HACK: NPM's use of semver doesn't like resolving some peerDependencies that vscode (upstream) brings in the form of pre-releases.
+        # The legacy behavior doesn't complain about pre-releases being used, falling back to that for now.
+        # See https://github.com//pull/5071
+        npm install --unsafe-perm --legacy-peer-deps --omit=dev
+      fi
+      ;;
+    *)
+      echo "Could not determine which package manager is being used to install code-server"
+      exit 1
+      ;;
+  esac
+}
+
+vscode_install() {
   echo 'Installing Code dependencies...'
   cd lib/vscode
-  yarn --production --frozen-lockfile --no-default-rc
+  install_with_yarn_or_npm
 
   symlink_asar
   symlink_bin_script remote-cli code code-server
   symlink_bin_script helpers browser browser .sh
 
   cd extensions
-  yarn --production --frozen-lockfile
+  install_with_yarn_or_npm
 }
 
 main "$@"

ci/build/release-github-assets.sh

@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Downloads the release artifacts from CI for the current
-# commit and then uploads them to the release with the version
-# in package.json.
-# You will need $GITHUB_TOKEN set.
-
-main() {
-  cd "$(dirname "$0")/../.."
-  source ./ci/lib.sh
-  source ./ci/steps/steps-lib.sh
-
-  # NOTE@jsjoeio - only needed if we use the download_artifact
-  # because we talk to the GitHub API.
-  # Needed to use GitHub API
-  if ! is_env_var_set "GITHUB_TOKEN"; then
-    echo "GITHUB_TOKEN is not set. Cannot download npm release-packages without GitHub credentials."
-    exit 1
-  fi
-
-  download_artifact release-packages ./release-packages
-  local assets=(./release-packages/code-server*"$VERSION"*{.tar.gz,.deb,.rpm})
-
-  EDITOR=true gh release upload "v$VERSION" "${assets[@]}" --clobber
-}
-
-main "$@"

ci/build/release-github-draft.sh

@@ -1,50 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Creates a draft release with the template for the version in package.json
-
-main() {
-  cd "$(dirname "$0")/../.."
-  source ./ci/lib.sh
-
-  gh release create "v$VERSION" \
-    --notes-file - \
-    --target "$(git rev-parse HEAD)" \
-    --draft << EOF
-v$VERSION
-
-VS Code v$(vscode_version)
-
-Upgrading is as easy as installing the new version over the old one. code-server
-maintains all user data in \`~/.local/share/code-server\` so that it is preserved in between
-installations.
-
-## New Features
-
-⭐ Summarize new features here with references to issues
-
-  - item
-
-## Bug Fixes
-
-⭐ Summarize bug fixes here with references to issues
-
-  - item
-
-## Documentation
-
-⭐ Summarize doc changes here with references to issues
-
-  - item
-
-## Development
-
-⭐ Summarize development/testing changes here with references to issues
-
-  - item
-
-Cheers! 🍻
-EOF
-}
-
-main "$@"

ci/build/release-prep.sh

@@ -9,6 +9,9 @@
 
 set -euo pipefail
 
+CHECKMARK="\xE2\x9C\x94"
+DASH="-"
+
 main() {
   if [ "${DRY_RUN-}" = 1 ]; then
     echo "Performing a dry run..."
@@ -76,11 +79,12 @@ main() {
   CODE_SERVER_CURRENT_VERSION=$(node -pe "require('./package.json').version")
   # Ask which version we should update to
   # In the future, we'll automate this and determine the latest version automatically
-  echo "Current version: ${CODE_SERVER_CURRENT_VERSION}"
+  echo -e "$DASH Current version: ${CODE_SERVER_CURRENT_VERSION}"
   # The $'\n' adds a line break. See: https://stackoverflow.com/a/39581815/3015595
-  read -r -p "What version of code-server do you want to update to?"$'\n' CODE_SERVER_VERSION_TO_UPDATE
+  CODE_SERVER_VERSION_TO_UPDATE=$(git rev-parse --abbrev-ref HEAD | perl -pe '($_)=/([0-9]+([.][0-9]+)+)/')
+  echo -e "$CHECKMARK Version in branch name"
+  echo -e "$CHECKMARK Updating to: $CODE_SERVER_VERSION_TO_UPDATE"
 
-  echo -e "Great! We'll prep a PR for updating to $CODE_SERVER_VERSION_TO_UPDATE\n"
   $CMD rg -g '!yarn.lock' -g '!*.svg' -g '!CHANGELOG.md' -g '!lib/vscode/**' --files-with-matches --fixed-strings "${CODE_SERVER_CURRENT_VERSION}" | $CMD xargs sd "$CODE_SERVER_CURRENT_VERSION" "$CODE_SERVER_VERSION_TO_UPDATE"
 
   $CMD git commit --no-verify -am "chore(release): bump version to $CODE_SERVER_VERSION_TO_UPDATE"
@@ -90,7 +94,7 @@ main() {
 
   echo -e "\nOpening a draft PR on GitHub"
   # To read about these flags, visit the docs: https://cli.github.com/manual/gh_pr_create
-  $CMD gh pr create --base main --title "release: $CODE_SERVER_VERSION_TO_UPDATE" --body "$RELEASE_TEMPLATE_STRING" --reviewer @coder/code-server-reviewers --repo coder/code-server --draft --assignee "@me"
+  $CMD gh pr create --base main --title "release: $CODE_SERVER_VERSION_TO_UPDATE" --body "$RELEASE_TEMPLATE_STRING" --reviewer @coder/code-server --repo coder/code-server --draft --assignee "@me"
 
   # Open PR in browser
   $CMD gh pr view --web

ci/dev/doctoc.sh

@@ -4,24 +4,6 @@ set -euo pipefail
 main() {
   cd "$(dirname "$0")/../.."
 
-  local prettierExts
-  prettierExts=(
-    "*.js"
-    "*.ts"
-    "*.tsx"
-    "*.html"
-    "*.json"
-    "*.css"
-    "*.md"
-    "*.toml"
-    "*.yaml"
-    "*.yml"
-    "*.sh"
-  )
-  prettier --write --loglevel=warn $(
-    git ls-files "${prettierExts[@]}" | grep -v "lib/vscode" | grep -v 'helm-chart'
-  )
-
   doctoc --title '# FAQ' docs/FAQ.md > /dev/null
   doctoc --title '# Setup Guide' docs/guide.md > /dev/null
   doctoc --title '# Install' docs/install.md > /dev/null
@@ -32,12 +14,11 @@ main() {
   doctoc --title '# iPad' docs/ipad.md > /dev/null
   doctoc --title '# Termux' docs/termux.md > /dev/null
 
-  # TODO: replace with a method that generates fewer false positives.
   if [[ ${CI-} && $(git ls-files --other --modified --exclude-standard) ]]; then
     echo "Files need generation or are formatted incorrectly:"
     git -c color.ui=always status | grep --color=no '\[31m'
     echo "Please run the following locally:"
-    echo "  yarn fmt"
+    echo "  yarn doctoc"
     exit 1
   fi
 }

ci/dev/lint-scripts.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+main() {
+  cd "$(dirname "$0")/../.."
+  shellcheck -e SC2046,SC2164,SC2154,SC1091,SC1090,SC2002 $(git ls-files '*.sh' | grep -v 'lib/vscode')
+}
+
+main "$@"

ci/dev/lint.sh

@@ -1,18 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-main() {
-  cd "$(dirname "$0")/../.."
-
-  eslint --max-warnings=0 --fix $(git ls-files "*.ts" "*.tsx" "*.js" | grep -v "lib/vscode")
-  stylelint $(git ls-files "*.css" | grep -v "lib/vscode")
-  tsc --noEmit --skipLibCheck
-  shellcheck -e SC2046,SC2164,SC2154,SC1091,SC1090,SC2002 $(git ls-files "*.sh" | grep -v "lib/vscode")
-  if command -v helm && helm kubeval --help > /dev/null; then
-    helm kubeval ci/helm-chart
-  fi
-
-  cd "$OLDPWD"
-}
-
-main "$@"

ci/dev/test-native.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+help() {
+  echo >&2 "  You can build the standalone release with 'yarn release:standalone'"
+  echo >&2 "  Or you can pass in a custom path."
+  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' yarn test:integration"
+}
+
+# Make sure a code-server release works. You can pass in the path otherwise it
+# will look for release-standalone in the current directory.
+#
+# This is to make sure we don't have Node version errors or any other
+# compilation-related errors.
+main() {
+  cd "$(dirname "$0")/../.."
+
+  source ./ci/lib.sh
+
+  local path="$RELEASE_PATH-standalone/bin/code-server"
+  if [[ ! ${CODE_SERVER_PATH-} ]]; then
+    echo "Set CODE_SERVER_PATH to test another build of code-server"
+  else
+    path="$CODE_SERVER_PATH"
+  fi
+
+  echo "Running tests with code-server binary: '$path'"
+
+  if [[ ! -f $path ]]; then
+    echo >&2 "No code-server build detected"
+    echo >&2 "Looked in $path"
+    help
+    exit 1
+  fi
+
+  CODE_SERVER_PATH="$path" ./test/node_modules/.bin/jest "$@" --coverage=false --testRegex "./test/integration/help.test.ts"
+}
+
+main "$@"

ci/helm-chart/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.1.0
+version: 3.3.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.5.2
+appVersion: 4.8.1

ci/helm-chart/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: codercom/code-server
-  tag: '4.5.2'
+  tag: '4.8.1'
   pullPolicy: Always
 
 # Specifies one or more secrets to be used when pulling images from a

ci/lib.sh

@@ -44,47 +44,6 @@ arch() {
   echo "$cpu"
 }
 
-# Grabs the most recent ci.yaml github workflow run that was triggered from the
-# pull request of the release branch for this version (regardless of whether
-# that run succeeded or failed). The release branch name must be in semver
-# format with a v prepended.
-# This will contain the artifacts we want.
-# https://developer.github.com/v3/actions/workflow-runs/#list-workflow-runs
-get_artifacts_url() {
-  local artifacts_url
-  local version_branch="release/v$VERSION"
-  local workflow_runs_url="repos/:owner/:repo/actions/workflows/ci.yaml/runs?event=pull_request&branch=$version_branch"
-  artifacts_url=$(gh api "$workflow_runs_url" | jq -r ".workflow_runs[] | select(.head_branch == \"$version_branch\") | .artifacts_url" | head -n 1)
-  if [[ -z "$artifacts_url" ]]; then
-    echo >&2 "ERROR: artifacts_url came back empty"
-    echo >&2 "We looked for a successful run triggered by a pull_request with for code-server version: $VERSION and a branch named $version_branch"
-    echo >&2 "URL used for gh API call: $workflow_runs_url"
-    exit 1
-  fi
-
-  echo "$artifacts_url"
-}
-
-# Grabs the artifact's download url.
-# https://developer.github.com/v3/actions/artifacts/#list-workflow-run-artifacts
-get_artifact_url() {
-  local artifact_name="$1"
-  gh api "$(get_artifacts_url)" | jq -r ".artifacts[] | select(.name == \"$artifact_name\") | .archive_download_url" | head -n 1
-}
-
-# Uses the above two functions to download a artifact into a directory.
-download_artifact() {
-  local artifact_name="$1"
-  local dst="$2"
-
-  local tmp_file
-  tmp_file="$(mktemp)"
-
-  gh api "$(get_artifact_url "$artifact_name")" > "$tmp_file"
-  unzip -q -o "$tmp_file" -d "$dst"
-  rm "$tmp_file"
-}
-
 rsync() {
   command rsync -a --del "$@"
 }

ci/release-image/Dockerfile

@@ -1,12 +1,13 @@
 # syntax=docker/dockerfile:experimental
 
+ARG BASE=debian:11
 FROM scratch AS packages
 COPY release-packages/code-server*.deb /tmp/
 
-FROM debian:11
+FROM $BASE
 
 RUN apt-get update \
- && apt-get install -y \
+  && apt-get install -y \
     curl \
     dumb-init \
     zsh \
@@ -29,15 +30,15 @@ RUN sed -i "s/# en_US.UTF-8/en_US.UTF-8/" /etc/locale.gen \
   && locale-gen
 ENV LANG=en_US.UTF-8
 
-RUN adduser --gecos '' --disabled-password coder && \
-  echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
+RUN adduser --gecos '' --disabled-password coder \
+  && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
 
-RUN ARCH="$(dpkg --print-architecture)" && \
-    curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - && \
-    chown root:root /usr/local/bin/fixuid && \
-    chmod 4755 /usr/local/bin/fixuid && \
-    mkdir -p /etc/fixuid && \
-    printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
+RUN ARCH="$(dpkg --print-architecture)" \
+  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
+  && chown root:root /usr/local/bin/fixuid \
+  && chmod 4755 /usr/local/bin/fixuid \
+  && mkdir -p /etc/fixuid \
+  && printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
 
 COPY ci/release-image/entrypoint.sh /usr/bin/entrypoint.sh
 RUN --mount=from=packages,src=/tmp,dst=/tmp/packages dpkg -i /tmp/packages/code-server*$(dpkg --print-architecture).deb

ci/release-image/docker-bake.hcl

@@ -6,17 +6,63 @@ variable "VERSION" {
     default = "latest"
 }
 
-group "default" {
-    targets = ["code-server"]
+variable "DOCKER_REGISTRY" {
+    default = "docker.io/codercom/code-server"
 }
 
-target "code-server" {
-    dockerfile = "ci/release-image/Dockerfile"
-    tags = [
-        "docker.io/codercom/code-server:latest",
-        notequal("latest",VERSION) ? "docker.io/codercom/code-server:${VERSION}" : "",
-        "ghcr.io/coder/code-server:latest",
-        notequal("latest",VERSION) ? "ghcr.io/coder/code-server:${VERSION}" : "",
+variable "GITHUB_REGISTRY" {
+    default = "ghcr.io/coder/code-server"
+}
+
+group "default" {
+    targets = [
+        "code-server-debian-11", 
+        "code-server-ubuntu-focal",
     ]
+}
+
+function "prepend_hyphen_if_not_null" {
+    params = [tag]
+    result = notequal("","${tag}") ? "-${tag}" : "${tag}"
+}
+
+# use empty tag (tag="") to generate default tags
+function "gen_tags" {
+    params = [registry, tag]
+    result = notequal("","${registry}") ? [
+        notequal("", "${tag}") ? "${registry}:${tag}" : "${registry}:latest",
+        notequal("latest",VERSION) ? "${registry}:${VERSION}${prepend_hyphen_if_not_null(tag)}" : "",
+    ] : []
+}
+
+# helper function to generate tags for docker registry and github registry.
+# set (DOCKER|GITHUB)_REGISTRY="" to disable corresponding registry
+function "gen_tags_for_docker_and_ghcr" {
+    params = [tag]
+    result = concat(
+        gen_tags("${DOCKER_REGISTRY}", "${tag}"),
+        gen_tags("${GITHUB_REGISTRY}", "${tag}"),
+    )
+}
+
+target "code-server-debian-11" {
+    dockerfile = "ci/release-image/Dockerfile"
+    tags = concat(
+        gen_tags_for_docker_and_ghcr(""),
+        gen_tags_for_docker_and_ghcr("debian"),
+        gen_tags_for_docker_and_ghcr("bullseye"),
+    )
+    platforms = ["linux/amd64", "linux/arm64"]
+}
+
+target "code-server-ubuntu-focal" {
+    dockerfile = "ci/release-image/Dockerfile"
+    tags = concat(
+        gen_tags_for_docker_and_ghcr("ubuntu"),
+        gen_tags_for_docker_and_ghcr("focal"),
+    )
+    args = {
+        BASE = "ubuntu:focal"
+    }
     platforms = ["linux/amd64", "linux/arm64"]
 }

ci/steps/publish-npm.sh

@@ -65,7 +65,8 @@ main() {
   # "production" - this means we tag with `latest` (default), allowing
   # a developer to install this version with `yarn add code-server@latest`
   if ! is_env_var_set "NPM_ENVIRONMENT"; then
-    echo "NPM_ENVIRONMENT is not set. Determining in script based on GITHUB environment variables."
+    echo "NPM_ENVIRONMENT is not set."
+    echo "Determining in script based on GITHUB environment variables."
 
     if [[ "$GITHUB_EVENT_NAME" == 'push' && "$GITHUB_REF" == 'refs/heads/main' ]]; then
       NPM_ENVIRONMENT="staging"
@@ -73,7 +74,6 @@ main() {
       NPM_ENVIRONMENT="development"
     fi
 
-    echo "Using npm environment: $NPM_ENVIRONMENT"
   fi
 
   # NOTE@jsjoeio - this script assumes we have the artifact downloaded on disk
@@ -96,9 +96,6 @@ main() {
     NPM_TAG="latest"
   else
     COMMIT_SHA="$GITHUB_SHA"
-    echo "Not a production environment"
-    echo "Found environment: $NPM_ENVIRONMENT"
-    echo "Manually bumping npm version..."
 
     if [[ "$NPM_ENVIRONMENT" == "staging" ]]; then
       NPM_VERSION="$VERSION-beta-$COMMIT_SHA"
@@ -117,8 +114,10 @@ main() {
       NPM_TAG="$PR_NUMBER"
     fi
 
-    echo "using tag: $NPM_TAG"
-    echo "using package name: $PACKAGE_NAME"
+    echo "- tag: $NPM_TAG"
+    echo "- version: $NPM_VERSION"
+    echo "- package name: $PACKAGE_NAME"
+    echo "- npm environment: $NPM_ENVIRONMENT"
 
     # We modify the version in the package.json
     # to be the current version + the PR number + commit SHA
@@ -140,13 +139,13 @@ main() {
     popd
   fi
 
+  # NOTE@jsjoeio
   # We need to make sure we haven't already published the version.
-  # This is because npm view won't exit with non-zero so we have
-  # to check the output.
+  # If we get error, continue with script because we want to publish
+  # If version is valid, we check if we're publishing the same one
   local hasVersion
-  hasVersion=$(npm view "code-server@$NPM_VERSION" version)
-  if [[ $hasVersion == "$NPM_VERSION" ]]; then
-    echo "$NPM_VERSION is already published"
+  if hasVersion=$(npm view "$PACKAGE_NAME@$NPM_VERSION" version 2> /dev/null) && [[ $hasVersion == "$NPM_VERSION" ]]; then
+    echo "$NPM_VERSION is already published under $PACKAGE_NAME"
     return
   fi
 

docs/CODE_OF_CONDUCT.md

@@ -1,5 +1,18 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+# Contributor Covenant Code of Conduct
+
+- [Contributor Covenant Code of Conduct](#contributor-covenant-code-of-conduct)
+  - [Our Pledge](#our-pledge)
+  - [Our Standards](#our-standards)
+  - [Our Responsibilities](#our-responsibilities)
+  - [Scope](#scope)
+  - [Enforcement](#enforcement)
+  - [Attribution](#attribution)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->
 
 # Contributor Covenant Code of Conduct
 

docs/CONTRIBUTING.md

@@ -1,3 +1,4 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Contributing
@@ -24,6 +25,7 @@
   - [Currently Known Issues](#currently-known-issues)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->
 
 - [Detailed CI and build process docs](../ci)
 
@@ -111,6 +113,15 @@ re-apply the patches.
 6. Commit the updated submodule and patches to `code-server`.
 7. Open a PR.
 
+Tip: if you're certain all patches are applied correctly and you simply need to
+refresh, you can use this trick:
+
+```shell
+while quilt push; do quilt refresh; done
+```
+
+[Source](https://raphaelhertzog.com/2012/08/08/how-to-use-quilt-to-manage-patches-in-debian-packages/)
+
 ### Patching Code
 
 0. You can go through the patch stack with `quilt push` and `quilt pop`.
@@ -141,7 +152,7 @@ Run your build:
 
 ```shell
 cd release
-yarn --production # Skip if you used KEEP_MODULES=1
+npm install --omit=dev # Skip if you used KEEP_MODULES=1
 # Runs the built JavaScript with Node.
 node .
 ```

docs/FAQ.md

@@ -1,3 +1,4 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # FAQ
@@ -33,6 +34,7 @@
 - [How do I change the port?](#how-do-i-change-the-port)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->
 
 ## Questions?
 

docs/MAINTAINING.md

@@ -1,3 +1,4 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Maintaining
@@ -8,7 +9,6 @@
 - [Workflow](#workflow)
   - [Milestones](#milestones)
   - [Triage](#triage)
-  - [Project boards](#project-boards)
 - [Versioning](#versioning)
 - [Pull requests](#pull-requests)
   - [Merge strategies](#merge-strategies)
@@ -25,6 +25,7 @@
   - [Troubleshooting](#troubleshooting)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->
 
 This document is meant to serve current and future maintainers of code-server,
 as well as share our workflow for maintaining the project.
@@ -42,7 +43,7 @@ Occasionally, other Coder employees may step in time to time to assist with code
 
 To onboard a new maintainer to the project, please make sure to do the following:
 
-- [ ] Add to [coder/code-server-reviewers](https://github.com/orgs/coder/teams/code-server-reviewers)
+- [ ] Add to [coder/code-server](https://github.com/orgs/coder/teams/code-server)
 - [ ] Add as Admin under [Repository Settings > Access](https://github.com/coder/code-server/settings/access)
 - [ ] Add to [npm Coder org](https://www.npmjs.com/org/coder)
 - [ ] Add as [AUR maintainer](https://aur.archlinux.org/packages/code-server/) (talk to Colin)
@@ -72,7 +73,7 @@ Here are the milestones we use and how we use them:
 - "On Deck" -> Work under consideration for upcoming milestones.
 - "Backlog Candidates" -> Work that is not yet accepted for the backlog. We wait
   for the community to weigh in.
-- "<0.0.0>" -> Work to be done for a specific version.
+- "<Month>" -> Work to be done for said month.
 
 With this flow, any un-assigned issues are essentially in triage state. Once
 triaged, issues are either "Backlog" or "Backlog Candidates". They will
@@ -91,19 +92,6 @@ We use the following process for triaging GitHub issues:
    2. If not urgent, add to "Backlog"
    3. Otherwise, add to "Backlog Candidate" for future consideration
 
-### Project boards
-
-We use project boards for projects or goals that span multiple milestones.
-
-Think of this as a place to put miscellaneous things (like testing, clean up
-stuff, etc). As a maintainer, random tasks may come up here and there. The
-project boards give you places to add temporary notes before opening a new
-issue. Given that our release milestones function off of issues, we believe
-tasks should have dedicated issues.
-
-Project boards also give us a way to separate the issue triage from
-bigger-picture, long-term work.
-
 ## Versioning
 
 `<major.minor.patch>`
@@ -151,43 +139,19 @@ changelog](https://github.com/emacs-mirror/emacs/blob/master/etc/NEWS).
 
 ## Releases
 
-With each release, we rotate the role of release manager to ensure every
-maintainer goes through the process. This helps us keep documentation up-to-date
-and encourages us to continually review and improve the flow.
-
-If you're the current release manager, follow these steps:
-
-1. Create a [release issue](../.github/ISSUE_TEMPLATE/release.md)
-1. Fill out checklist
-1. Publish the release
-1. After release is published, close release milestone
-
 ### Publishing a release
 
 1. Create a new branch called `release/v0.0.0` (replace 0s with actual version aka v4.5.0)
    1. If you don't do this, the `npm-brew` GitHub workflow will fail. It looks for the release artifacts under the branch pattern.
-1. Run `yarn release:prep` and type in the new version (e.g., `3.8.1`)
-1. GitHub Actions will generate the `npm-package`, `release-packages` and
-   `release-images` artifacts. You do not have to wait for this step to complete
-   before proceeding.
-1. Run `yarn release:github-draft` to create a GitHub draft release from the
-   template with the updated version. Make sure to update the `CHANGELOG.md`.
+1. Run `yarn release:prep`
 1. Bump chart version in `Chart.yaml`.
-1. Summarize the major changes in the release notes and link to the relevant
-   issues.
-1. Change the @ to target the version branch. Example: `v3.9.0 @ Target: release/v3.9.0`
-1. Wait for the `npm-package`, `release-packages` and `release-images` artifacts
-   to build.
-1. Run `yarn release:github-assets` to download the `release-packages` artifact.
-   They will upload them to the draft release.
-1. Run some basic sanity tests on one of the released packages (pay special
-   attention to making sure the terminal works).
-1. Publish the release and merge the PR. CI will automatically grab the
+1. Summarize the major changes in the `CHANGELOG.md`
+1. Download CI artifacts and make sure code-server works locally.
+1. Merge PR and wait for CI build on `main` to finish.
+1. Go to GitHub Actions > Draft release > Run workflow off `main`. CI will automatically upload the artifacts to the release.
+1. Add the release notes from the `CHANGELOG.md` and publish release. CI will automatically grab the
    artifacts, publish the NPM package from `npm-package`, and publish the Docker
    Hub image from `release-images`.
-1. Update the AUR package. Instructions for updating the AUR package are at
-   [coder/code-server-aur](https://github.com/coder/code-server-aur).
-1. Wait for the npm package to be published.
 
 #### AUR
 

docs/SECURITY.md

@@ -16,10 +16,10 @@ We use the following tools to help us stay on top of vulnerability mitigation.
   - [trivy](https://github.com/aquasecurity/trivy)
     - Comprehensive vulnerability scanner that runs on PRs into the default
       branch and scans both our container image and repository code (see
-      `trivy-scan-repo` and `trivy-scan-image` jobs in `ci.yaml`)
+      `trivy-scan-repo` and `trivy-scan-image` jobs in `build.yaml`)
 - [`audit-ci`](https://github.com/IBM/audit-ci)
   - Audits npm and Yarn dependencies in CI (see `Audit for vulnerabilities` step
-    in `ci.yaml`) on PRs into the default branch and fails CI if moderate or
+    in `build.yaml`) on PRs into the default branch and fails CI if moderate or
     higher vulnerabilities (see the `audit.sh` script) are present.
 
 ## Supported Versions

docs/android.md

@@ -3,7 +3,7 @@
 1. Install UserLAnd from [Google Play](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US&gl=US)
 2. Install an Ubuntu VM
 3. Start app
-4. Install Node.js, `curl` and `yarn` using `sudo apt install nodejs npm yarn curl -y`
+4. Install Node.js and `curl` using `sudo apt install nodejs npm curl -y`
 5. Install `nvm`:
 
 ```shell
@@ -18,6 +18,6 @@ nvm install 16
 nvm use 16
 ```
 
-8. Install code-server globally on device with: `npm i -g code-server`
+8. Install code-server globally on device with: `npm install --global code-server --unsafe-perm`
 9. Run code-server with `code-server`
 10. Access on localhost:8080 in your browser

docs/collaboration.md

@@ -60,6 +60,6 @@ As `code-server` is based on VS Code, you can follow the steps described on Duck
    code-server --enable-proposed-api genuitecllc.codetogether
    ```
 
-   Another option would be to add a value in code-server's [config file](https://coder.com/docs/code-server/v4.5.2/FAQ#how-does-the-config-file-work).
+   Another option would be to add a value in code-server's [config file](https://coder.com/docs/code-server/latest/FAQ#how-does-the-config-file-work).
 
 3. Refresh code-server and navigate to the CodeTogether icon in the sidebar to host or join a coding session.

docs/guide.md

@@ -1,3 +1,4 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Setup Guide
@@ -22,6 +23,7 @@
   - [Option 2: ngrok tunnel](#option-2-ngrok-tunnel)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->
 
 This article will walk you through exposing code-server securely once you've
 completed the [installation process](install.md).
@@ -89,11 +91,10 @@ we recommend using another method, such as [Let's Encrypt](#let-encrypt) instead
    using [mutagen](https://mutagen.io/documentation/introduction/installation)
    to do so. Once you've installed mutagen, you can port forward as follows:
 
-   ```console
+   ```shell
    # This is the same as the above SSH command, but it runs in the background
    # continuously. Be sure to add `mutagen daemon start` to your ~/.bashrc to
    # start the mutagen daemon when you open a shell.
-   
    mutagen forward create --name=code-server tcp:127.0.0.1:8080 < instance-ip > :tcp:127.0.0.1:8080
    ```
 
@@ -417,20 +418,20 @@ sudo passwd {user} # replace user with your code-server user
 
 [![Cloudflared](https://img.shields.io/badge/Cloudflared-E4863B?style=for-the-badge&logo=cloudflare&logoColor=ffffff)](https://github.com/cloudflare/cloudflared)
 
-1.  Install [cloudflared](https://github.com/cloudflare/cloudflared#installing-cloudflared) on your local computer
-2.  Then go to `~/.ssh/config` and add the following:
+1.  Install [cloudflared](https://github.com/cloudflare/cloudflared#installing-cloudflared) on your local computer and remote server
+2.  Then go to `~/.ssh/config` and add the following on your local computer:
 
 ```shell
 Host *.trycloudflare.com
 HostName %h
-User root
+User user
 Port 22
 ProxyCommand "cloudflared location" access ssh --hostname %h
 ```
 
 3. Run `cloudflared tunnel --url ssh://localhost:22` on the remote server
 
-4. Finally on VS Code or any IDE that supports SSH, run `ssh coder@https://your-link.trycloudflare.com` or `ssh coder@your-link.trycloudflare.com`
+4. Finally on VS Code or any IDE that supports SSH, run `ssh user@https://your-link.trycloudflare.com` or `ssh user@your-link.trycloudflare.com`
 
 ### Option 2: ngrok tunnel
 

docs/helm.md

@@ -1,6 +1,6 @@
 # code-server Helm Chart
 
-[![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square)](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) [![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![AppVersion: 4.5.2](https://img.shields.io/badge/AppVersion-4.5.2-informational?style=flat-square)](https://img.shields.io/badge/AppVersion-4.5.2-informational?style=flat-square)
+[![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square)](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) [![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![AppVersion: 4.8.0](https://img.shields.io/badge/AppVersion-4.8.0-informational?style=flat-square)](https://img.shields.io/badge/AppVersion-4.8.0-informational?style=flat-square)
 
 [code-server](https://github.com/coder/code-server) code-server is VS Code running
 on a remote server, accessible through the browser.
@@ -73,7 +73,7 @@ and their default values.
 | hostnameOverride                            | string | `""`                     |
 | image.pullPolicy                            | string | `"Always"`               |
 | image.repository                            | string | `"codercom/code-server"` |
-| image.tag                                   | string | `"4.5.2"`                |
+| image.tag                                   | string | `"4.8.0"`                |
 | imagePullSecrets                            | list   | `[]`                     |
 | ingress.enabled                             | bool   | `false`                  |
 | nameOverride                                | string | `""`                     |

docs/install.md

@@ -1,10 +1,11 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Install
 
 - [install.sh](#installsh)
   - [Detection reference](#detection-reference)
-- [yarn, npm](#yarn-npm)
+- [npm](#npm)
 - [Standalone releases](#standalone-releases)
 - [Debian, Ubuntu](#debian-ubuntu)
 - [Fedora, CentOS, RHEL, SUSE](#fedora-centos-rhel-suse)
@@ -20,10 +21,11 @@
 - [Uninstall](#uninstall)
   - [install.sh](#installsh-1)
   - [Homebrew](#homebrew)
-  - [yarn, npm](#yarn-npm-1)
+  - [npm](#npm-1)
   - [Debian, Ubuntu](#debian-ubuntu-1)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->
 
 This document demonstrates how to install `code-server` on various distros and
 operating systems.
@@ -88,17 +90,16 @@ _exact_ same commands presented in the rest of this document.
 
   - Ensure that you add `~/.local/bin` to your `$PATH` to run code-server.
 
-- For FreeBSD, code-server will install the [npm package](#yarn-npm) with `yarn`
-  or `npm`.
+- For FreeBSD, code-server will install the [npm package](#npm) with `npm`
 
 - If you're installing code-server onto architecture with no releases,
-  code-server will install the [npm package](#yarn-npm) with `yarn` or `npm`
+  code-server will install the [npm package](#npm) with `npm`
   - We currently offer releases for amd64 and arm64.
-  - The [npm package](#yarn-npm) builds the native modules on post-install.
+  - The [npm package](#npm) builds the native modules on post-install.
 
-## yarn, npm
+## npm
 
-We recommend installing with `yarn` or `npm` when:
+We recommend installing with `npm` when:
 
 1. You aren't using a machine with `amd64` or `arm64`.
 1. You are installing code-server on Windows
@@ -108,9 +109,9 @@ We recommend installing with `yarn` or `npm` when:
    [#1430](https://github.com/coder/code-server/issues/1430#issuecomment-629883198)
    for more information.
 
-Installing code-server with `yarn` or `npm` builds native modules on install.
+Installing code-server with `npm` builds native modules on install.
 
-This process requires C dependencies; see our guide on [installing with yarn and npm][./npm.md](./npm.md) for more information.
+This process requires C dependencies; see our guide on [installing with npm](./npm.md) for more information.
 
 ## Standalone releases
 
@@ -118,7 +119,7 @@ We publish self-contained `.tar.gz` archives for every release on
 [GitHub](https://github.com/coder/code-server/releases). The archives bundle the
 node binary and node modules.
 
-We create the standalone releases using the [npm package](#yarn-npm), and we
+We create the standalone releases using the [npm package](#npm), and we
 then create the remaining releases using the standalone version.
 
 The only requirement to use the standalone release is `glibc` >= 2.17 and
@@ -152,11 +153,11 @@ code-server
 ## Debian, Ubuntu
 
 > The standalone arm64 .deb does not support Ubuntu 16.04 or earlier. Please
-> upgrade or [build with yarn](#yarn-npm).
+> upgrade or [build with npm](#npm).
 
 ```bash
-curl -fOL https://github.com/coder/code-server/releases/download/v$VERSION/code-server_$VERSION_amd64.deb
-sudo dpkg -i code-server_$VERSION_amd64.deb
+curl -fOL https://github.com/coder/code-server/releases/download/v$VERSION/code-server_${VERSION}_amd64.deb
+sudo dpkg -i code-server_${VERSION}_amd64.deb
 sudo systemctl enable --now code-server@$USER
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
@@ -164,7 +165,7 @@ sudo systemctl enable --now code-server@$USER
 ## Fedora, CentOS, RHEL, SUSE
 
 > The standalone arm64 .rpm does not support CentOS 7. Please upgrade or [build
-> with yarn](#yarn-npm).
+> with npm](#npm).
 
 ```bash
 curl -fOL https://github.com/coder/code-server/releases/download/v$VERSION/code-server-$VERSION-amd64.rpm
@@ -295,14 +296,13 @@ You can install code-server using the [Helm package manager](https://coder.com/d
 
 ## Windows
 
-We currently [do not publish Windows releases](https://github.com/coder/code-server/issues/1397). We recommend installing code-server onto Windows with [`yarn` or `npm`](#yarn-npm).
+We currently [do not publish Windows releases](https://github.com/coder/code-server/issues/1397). We recommend installing code-server onto Windows with [`npm`](#npm).
 
 > Note: You will also need to [build coder/cloud-agent manually](https://github.com/coder/cloud-agent/issues/17) if you would like to use `code-server --link` on Windows.
 
 ## Raspberry Pi
 
-We recommend installing code-server onto Raspberry Pi with [`yarn` or
-`npm`](#yarn-npm).
+We recommend installing code-server onto Raspberry Pi with [`npm`](#npm).
 
 If you see an error related to `node-gyp` during installation, See [#5174](https://github.com/coder/code-server/issues/5174) for more information.
 
@@ -346,18 +346,12 @@ brew remove code-server
 brew uninstall code-server
 ```
 
-### yarn, npm
+### npm
 
 To remove the code-server global module, run:
 
 ```shell
-yarn global remove code-server
-```
-
-or
-
-```shell
-npm uninstall -g code-server
+npm uninstall --global code-server
 ```
 
 ### Debian, Ubuntu

docs/ipad.md

@@ -1,3 +1,4 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # iPad
@@ -13,6 +14,7 @@
   - [Sharing a self-signed certificate with an iPad](#sharing-a-self-signed-certificate-with-an-ipad)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->
 
 Once you've installed code-server, you can access it from an iPad.
 

docs/manifest.json

@@ -1,5 +1,5 @@
 {
-  "versions": ["v4.5.2"],
+  "versions": ["v4.8.0"],
   "routes": [
     {
       "title": "Home",
@@ -21,7 +21,7 @@
       "children": [
         {
           "title": "npm",
-          "description": "How to install code-server using npm or yarn",
+          "description": "How to install code-server using npm",
           "path": "./npm.md"
         },
         {

docs/npm.md

@@ -1,3 +1,4 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # npm Install Requirements
@@ -15,11 +16,17 @@
   - [Debugging install issues with npm](#debugging-install-issues-with-npm)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->
 
 If you're installing code-server via `npm`, you'll need to install additional
 dependencies required to build the native modules used by VS Code. This article
 includes installing instructions based on your operating system.
 
+> **WARNING**: Do not use `yarn` to install code-server. Unlike `npm`, it does not respect
+> lockfiles for distributed applications. It will instead use the latest version
+> available at installation time - which might not be the one used for a given
+> code-server release, and [might lead to unexpected behavior](https://github.com/coder/code-server/issues/4927).
+
 ## Node.js version
 
 We use the same major version of Node.js shipped with Code's remote, which is
@@ -72,7 +79,7 @@ Proceed to [installing](#installing)
 ## FreeBSD
 
 ```sh
-pkg install -y git python npm-node16 yarn-node16 pkgconf
+pkg install -y git python npm-node16 pkgconf
 pkg install -y libinotify
 ```
 
@@ -85,8 +92,7 @@ Installing code-server requires all of the [prerequisites for VS Code developmen
 Next, install code-server with:
 
 ```bash
-yarn global add code-server
-# Or: npm install -g code-server
+npm install --global code-server --unsafe-perm
 code-server
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
@@ -96,8 +102,7 @@ A `postinstall.sh` script will attempt to run. Select your terminal (e.g., Git b
 If the `code-server` command is not found, you'll need to [add a directory to your PATH](https://www.architectryan.com/2018/03/17/add-to-the-path-on-windows-10/). To find the directory, use the following command:
 
 ```shell
-yarn global bin
-# Or: npm config get prefix
+npm config get prefix
 ```
 
 For help and additional troubleshooting, see [#1397](https://github.com/coder/code-server/issues/1397).
@@ -107,8 +112,7 @@ For help and additional troubleshooting, see [#1397](https://github.com/coder/co
 After adding the dependencies for your OS, install the code-server package globally:
 
 ```bash
-yarn global add code-server
-# Or: npm install -g code-server
+npm install --global code-server --unsafe-perm
 code-server
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
@@ -122,7 +126,7 @@ page](https://github.com/coder/code-server/discussions).
 
 Occasionally, you may run into issues with Node.js.
 
-If you install code-server using `yarn` or `npm`, and you upgrade your Node.js
+If you install code-server using `npm`, and you upgrade your Node.js
 version, you may need to reinstall code-server to recompile native modules.
 Sometimes, you can get around this by navigating into code-server's `lib/vscode`
 directory and running `npm rebuild` to recompile the modules.
@@ -136,12 +140,12 @@ A step-by-step example of how you might do this is:
 
 ### Debugging install issues with npm
 
-`yarn` suppresses logs when running `yarn global add`, so to debug installation issues, install with `npm` instead:
+To debug installation issues, install with `npm`:
 
 ```shell
 # Uninstall
-npm uninstall -g --unsafe-perm code-server > /dev/null 2>&1
+npm uninstall --global --unsafe-perm code-server > /dev/null 2>&1
 
 # Install with logging
-npm install --loglevel verbose -g --unsafe-perm code-server
+npm install --loglevel verbose --global --unsafe-perm code-server
 ```

docs/termux.md

@@ -1,9 +1,10 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Termux
 
 - [Install](#install)
-- [Yarn Installation](#yarn-installation)
+- [NPM Installation](#npm-installation)
 - [Upgrade](#upgrade)
 - [Known Issues](#known-issues)
   - [Git won't work in `/sdcard`](#git-wont-work-in-sdcard)
@@ -14,6 +15,7 @@
   - [Working with PRoot](#working-with-proot)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->
 
 ## Install
 
@@ -66,7 +68,7 @@ curl -fsSL https://code-server.dev/install.sh | sh
 > Consider using a new user instead of root, read [here](https://www.howtogeek.com/124950/htg-explains-why-you-shouldnt-log-into-your-linux-system-as-root/) why using root is not recommended.\
 > Learn how to add a user [here](#create-a-new-user).
 
-## Yarn Installation
+## NPM Installation
 
 1. Get [Termux](https://f-droid.org/en/packages/com.termux/) from **F-Droid**.
 
@@ -93,7 +95,6 @@ pkg install -y \
   binutils \
   pkg-config \
   python3 \
-  yarn \
   nodejs-lts
 npm config set python python3
 node -v
@@ -101,11 +102,7 @@ node -v
 
 you will get node version `v16.15.0`
 
-5. Now install code-server
-
-```sh
-yarn global add code-server
-```
+5. Now install code-server following our guide on [installing with npm](./npm.md)
 
 6. Congratulation code-server is installed on your device using the following command.
 
@@ -116,7 +113,7 @@ code-server --auth none
 7. If already installed then use the following command for upgradation.
 
 ```
-yarn upgrade code-server
+npm update --global code-server --unsafe-perm
 ```
 
 ## Upgrade

flake.lock

@@ -0,0 +1,41 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1660639432,
+        "narHash": "sha256-2WDiboOCfB0LhvnDVMXOAr8ZLDfm3WdO54CkoDPwN1A=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "6c6409e965a6c883677be7b9d87a95fab6c3472e",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,25 @@
+{
+  description = "code-server";
+
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem
+      (system:
+        let pkgs = nixpkgs.legacyPackages.${system};
+            nodejs = pkgs.nodejs-16_x;
+            yarn' = pkgs.yarn.override { inherit nodejs; };
+        in {
+          devShells.default = pkgs.mkShell {
+            nativeBuildInputs = with pkgs; [
+              nodejs yarn' python pkg-config git rsync jq moreutils
+            ];
+            buildInputs = with pkgs; (lib.optionals (!stdenv.isDarwin) [ libsecret ]
+                          ++ (with xorg; [ libX11 libxkbfile ])
+                          ++ lib.optionals stdenv.isDarwin [
+                            AppKit Cocoa CoreServices Security cctools xcbuild
+                          ]);
+          };
+        }
+      );
+}

install.sh

@@ -364,7 +364,7 @@ install_rpm() {
 
   fetch "https://github.com/coder/code-server/releases/download/v$VERSION/code-server-$VERSION-$ARCH.rpm" \
     "$CACHE_DIR/code-server-$VERSION-$ARCH.rpm"
-  sudo_sh_c rpm -i "$CACHE_DIR/code-server-$VERSION-$ARCH.rpm"
+  sudo_sh_c rpm -U "$CACHE_DIR/code-server-$VERSION-$ARCH.rpm"
 
   echo_systemd_postinstall rpm
 }
@@ -553,15 +553,17 @@ sh_c() {
 sudo_sh_c() {
   if [ "$(id -u)" = 0 ]; then
     sh_c "$@"
+  elif command_exists doas; then
+    sh_c "doas $*"
   elif command_exists sudo; then
     sh_c "sudo $*"
   elif command_exists su; then
-    sh_c "su - -c '$*'"
+    sh_c "su root -c '$*'"
   else
     echoh
     echoerr "This script needs to run the following command as root."
     echoerr "  $*"
-    echoerr "Please install sudo or su."
+    echoerr "Please install doas, sudo, or su."
     exit 1
   fi
 }

package.json

@@ -1,7 +1,7 @@
 {
   "name": "code-server",
   "license": "MIT",
-  "version": "4.5.2",
+  "version": "4.8.1",
   "description": "Run VS Code on a remote server.",
   "homepage": "https://github.com/coder/code-server",
   "bugs": {
@@ -12,23 +12,25 @@
     "clean": "./ci/build/clean.sh",
     "build": "./ci/build/build-code-server.sh",
     "build:vscode": "./ci/build/build-vscode.sh",
+    "doctoc": "./ci/dev/doctoc.sh",
     "release": "./ci/build/build-release.sh",
     "release:standalone": "./ci/build/build-standalone-release.sh",
-    "release:github-draft": "./ci/build/release-github-draft.sh",
-    "release:github-assets": "./ci/build/release-github-assets.sh",
     "release:prep": "./ci/build/release-prep.sh",
     "test:e2e": "VSCODE_IPC_HOOK_CLI= ./ci/dev/test-e2e.sh",
     "test:e2e:proxy": "USE_PROXY=1 ./ci/dev/test-e2e.sh",
     "test:unit": "./ci/dev/test-unit.sh --forceExit --detectOpenHandles",
     "test:integration": "./ci/dev/test-integration.sh",
+    "test:native": "./ci/dev/test-native.sh",
     "test:scripts": "./ci/dev/test-scripts.sh",
     "package": "./ci/build/build-packages.sh",
+    "prettier": "prettier --write --loglevel=warn --cache .",
     "postinstall": "./ci/dev/postinstall.sh",
     "publish:npm": "./ci/steps/publish-npm.sh",
     "publish:docker": "./ci/steps/docker-buildx-push.sh",
     "_audit": "./ci/dev/audit.sh",
-    "fmt": "./ci/dev/fmt.sh",
-    "lint": "./ci/dev/lint.sh",
+    "fmt": "yarn prettier && ./ci/dev/doctoc.sh",
+    "lint:scripts": "./ci/dev/lint-scripts.sh",
+    "lint:ts": "eslint --max-warnings=0 --fix $(git ls-files '*.ts' '*.js' | grep -v 'lib/vscode')",
     "test": "echo 'Run yarn test:unit or yarn test:e2e' && exit 1",
     "ci": "./ci/dev/ci.sh",
     "watch": "VSCODE_DEV=1 VSCODE_IPC_HOOK_CLI= NODE_OPTIONS='--max_old_space_size=32384 --trace-warnings' ts-node ./ci/dev/watch.ts",
@@ -50,28 +52,23 @@
     "@types/split2": "^3.2.0",
     "@types/trusted-types": "^2.0.2",
     "@types/ws": "^8.5.3",
-    "@typescript-eslint/eslint-plugin": "^5.23.0",
-    "@typescript-eslint/parser": "^5.23.0",
+    "@typescript-eslint/eslint-plugin": "^5.41.0",
+    "@typescript-eslint/parser": "^5.41.0",
     "audit-ci": "^6.0.0",
-    "doctoc": "^2.0.0",
-    "eslint": "^7.7.0",
-    "eslint-config-prettier": "^8.1.0",
-    "eslint-import-resolver-typescript": "^2.5.0",
-    "eslint-plugin-import": "^2.18.2",
-    "eslint-plugin-prettier": "^4.0.0",
-    "json": "^11.0.0",
-    "prettier": "^2.2.1",
-    "prettier-plugin-sh": "^0.12.0",
-    "shellcheck": "^1.0.0",
-    "stylelint": "^13.0.0",
-    "stylelint-config-recommended": "^5.0.0",
-    "synp": "^1.9.10",
+    "doctoc": "2.2.1",
+    "eslint": "^8.26.0",
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-import-resolver-typescript": "^3.5.2",
+    "eslint-plugin-import": "^2.26.0",
+    "eslint-plugin-prettier": "^4.2.1",
+    "prettier": "2.7.1",
+    "prettier-plugin-sh": "^0.12.8",
     "ts-node": "^10.0.0",
     "typescript": "^4.6.2"
   },
   "resolutions": {
     "ansi-regex": "^5.0.1",
-    "normalize-package-data": "^4.0.0",
+    "normalize-package-data": "^5.0.0",
     "doctoc/underscore": "^1.13.1",
     "doctoc/**/trim": "^1.0.0",
     "postcss": "^8.2.1",
@@ -80,7 +77,7 @@
     "vfile-message": "^2.0.2",
     "tar": "^6.1.9",
     "path-parse": "^1.0.7",
-    "vm2": "^3.9.6",
+    "vm2": "^3.9.11",
     "follow-redirects": "^1.14.8",
     "node-fetch": "^2.6.7",
     "nanoid": "^3.1.31",
@@ -89,8 +86,8 @@
     "@types/node": "^16.0.0"
   },
   "dependencies": {
-    "@coder/logger": "1.1.16",
-    "argon2": "^0.28.0",
+    "@coder/logger": "^3.0.0",
+    "argon2": "0.29.0",
     "compression": "^1.7.4",
     "cookie-parser": "^1.4.5",
     "env-paths": "^2.2.0",
@@ -108,8 +105,7 @@
     "semver": "^7.1.3",
     "split2": "^4.0.0",
     "ws": "^8.0.0",
-    "xdg-basedir": "^4.0.0",
-    "yarn": "^1.22.4"
+    "xdg-basedir": "^4.0.0"
   },
   "bin": {
     "code-server": "out/node/entry.js"

patches/base-path.diff

@@ -104,7 +104,7 @@ Index: code-server/lib/vscode/src/vs/platform/remote/browser/browserSocketFactor
  	connect(host: string, port: number, path: string, query: string, debugLabel: string, callback: IConnectCallback): void {
  		const webSocketSchema = (/^https:/.test(window.location.href) ? 'wss' : 'ws');
 +		path = (window.location.pathname + "/" + path).replace(/\/\/+/g, "/")
- 		const socket = this._webSocketFactory.create(`${webSocketSchema}://${/:/.test(host) ? `[${host}]` : host}:${port}${path}?${query}&skipWebSocketFrames=false`, debugLabel);
+ 		const socket = this._webSocketFactory.create(`${webSocketSchema}://${(/:/.test(host) && !/\[/.test(host)) ? `[${host}]` : host}:${port}${path}?${query}&skipWebSocketFrames=false`, debugLabel);
  		const errorListener = socket.onError((err) => callback(err, undefined));
  		socket.onOpen(() => {
 @@ -282,6 +283,3 @@ export class BrowserSocketFactory implem
@@ -262,7 +262,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 +++ code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
-@@ -485,6 +485,7 @@ function doCreateUri(path: string, query
+@@ -489,6 +489,7 @@ function doCreateUri(path: string, query
  		});
  	}
  
@@ -270,7 +270,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  	return URI.parse(window.location.href).with({ path, query });
  }
  
-@@ -496,7 +497,7 @@ function doCreateUri(path: string, query
+@@ -500,7 +501,7 @@ function doCreateUri(path: string, query
  	if (!configElement || !configElementAttribute) {
  		throw new Error('Missing web configuration element');
  	}

patches/cli-window-open.diff

@@ -13,62 +13,15 @@ To test:
 The file or directory should only open from the instance attached to that
 terminal.
 
-Index: code-server/lib/vscode/src/vs/server/node/remoteTerminalChannel.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/server/node/remoteTerminalChannel.ts
-+++ code-server/lib/vscode/src/vs/server/node/remoteTerminalChannel.ts
-@@ -89,7 +89,7 @@ export class RemoteTerminalChannel exten
- 		uriTransformer: IURITransformer;
- 	}>();
- 
--	private readonly _onExecuteCommand = this._register(new Emitter<{ reqId: number; commandId: string; commandArgs: any[] }>());
-+	private readonly _onExecuteCommand = this._register(new Emitter<{ reqId: number; terminalId: number; commandId: string; commandArgs: any[] }>());
- 	readonly onExecuteCommand = this._onExecuteCommand.event;
- 
- 	constructor(
-@@ -241,20 +241,20 @@ export class RemoteTerminalChannel exten
- 		const ipcHandlePath = createRandomIPCHandle();
- 		env.VSCODE_IPC_HOOK_CLI = ipcHandlePath;
- 		const commandsExecuter: ICommandsExecuter = {
--			executeCommand: <T>(id: string, ...args: any[]): Promise<T> => this._executeCommand(id, args, uriTransformer)
-+			executeCommand: <T>(commandId: string, ...args: any[]): Promise<T> => this._executeCommand(terminalId, commandId, args, uriTransformer)
- 		};
- 		const cliServer = new CLIServerBase(commandsExecuter, this._logService, ipcHandlePath);
- 
--		const id = await this._ptyService.createProcess(shellLaunchConfig, initialCwd, args.cols, args.rows, args.unicodeVersion, env, baseEnv, args.options, args.shouldPersistTerminal, args.workspaceId, args.workspaceName);
--		this._ptyService.onProcessExit(e => e.id === id && cliServer.dispose());
-+		const terminalId = await this._ptyService.createProcess(shellLaunchConfig, initialCwd, args.cols, args.rows, args.unicodeVersion, env, baseEnv, args.options, args.shouldPersistTerminal, args.workspaceId, args.workspaceName);
-+		this._ptyService.onProcessExit(e => e.id === terminalId && cliServer.dispose());
- 
- 		return {
--			persistentTerminalId: id,
-+			persistentTerminalId: terminalId,
- 			resolvedShellLaunchConfig: shellLaunchConfig
- 		};
- 	}
- 
--	private _executeCommand<T>(commandId: string, commandArgs: any[], uriTransformer: IURITransformer): Promise<T> {
-+	private _executeCommand<T>(terminalId: number, commandId: string, commandArgs: any[], uriTransformer: IURITransformer): Promise<T> {
- 		let resolve!: (data: any) => void;
- 		let reject!: (err: any) => void;
- 		const result = new Promise<T>((_resolve, _reject) => {
-@@ -277,6 +277,7 @@ export class RemoteTerminalChannel exten
- 		});
- 		this._onExecuteCommand.fire({
- 			reqId,
-+			terminalId,
- 			commandId,
- 			commandArgs: serializedCommandArgs
- 		});
 Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
-@@ -94,10 +94,14 @@ class RemoteTerminalBackend extends Base
- 		this._remoteTerminalChannel.onExecuteCommand(async e => {
+@@ -100,10 +100,14 @@ class RemoteTerminalBackend extends Base
+ 			}
  			const reqId = e.reqId;
  			const commandId = e.commandId;
-+			const terminalId = e.terminalId;
++			const terminalId = e.persistentProcessId;
  			if (!allowedCommands.includes(commandId)) {
  				this._remoteTerminalChannel.sendCommandResult(reqId, true, 'Invalid remote cli command: ' + commandId);
  				return;
@@ -79,18 +32,3 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTe
  			const commandArgs = e.commandArgs.map(arg => revive(arg));
  			try {
  				const result = await this._commandService.executeCommand(e.commandId, ...commandArgs);
-Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/common/remoteTerminalChannel.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/workbench/contrib/terminal/common/remoteTerminalChannel.ts
-+++ code-server/lib/vscode/src/vs/workbench/contrib/terminal/common/remoteTerminalChannel.ts
-@@ -88,8 +88,8 @@ export class RemoteTerminalChannelClient
- 	get onProcessOrphanQuestion(): Event<{ id: number }> {
- 		return this._channel.listen<{ id: number }>('$onProcessOrphanQuestion');
- 	}
--	get onExecuteCommand(): Event<{ reqId: number; commandId: string; commandArgs: any[] }> {
--		return this._channel.listen<{ reqId: number; commandId: string; commandArgs: any[] }>('$onExecuteCommand');
-+	get onExecuteCommand(): Event<{ reqId: number; terminalId: number; commandId: string; commandArgs: any[] }> {
-+		return this._channel.listen<{ reqId: number; terminalId: number; commandId: string; commandArgs: any[] }>('$onExecuteCommand');
- 	}
- 	get onDidRequestDetach(): Event<{ requestId: number; workspaceId: string; instanceId: number }> {
- 		return this._channel.listen<{ requestId: number; workspaceId: string; instanceId: number }>('$onDidRequestDetach');

patches/connection-type.diff

@@ -1,26 +0,0 @@
-Add connection type to web sockets
-
-This allows the backend to distinguish them.  In our case we use them to count a
-single "open" of Code so we need to be able to distinguish between web sockets
-from two instances and two web sockets used in a single instance.
-
-To test this,
-1. Run code-server
-2. Open Network tab in Browser DevTools and filter for websocket requests
-3. You should see the `type=<connection-type>` in the request url
-
-
-Index: code-server/lib/vscode/src/vs/platform/remote/common/remoteAgentConnection.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/platform/remote/common/remoteAgentConnection.ts
-+++ code-server/lib/vscode/src/vs/platform/remote/common/remoteAgentConnection.ts
-@@ -233,7 +233,8 @@ async function connectToRemoteExtensionH
- 
- 	let socket: ISocket;
- 	try {
--		socket = await createSocket(options.logService, options.socketFactory, options.host, options.port, getRemoteServerRootPath(options), `reconnectionToken=${options.reconnectionToken}&reconnection=${options.reconnectionProtocol ? 'true' : 'false'}`, `renderer-${connectionTypeToString(connectionType)}-${options.reconnectionToken}`, timeoutCancellationToken);
-+
-+		socket = await createSocket(options.logService, options.socketFactory, options.host, options.port, getRemoteServerRootPath(options), `type=${connectionTypeToString(connectionType)}&reconnectionToken=${options.reconnectionToken}&reconnection=${options.reconnectionProtocol ? 'true' : 'false'}`, `renderer-${connectionTypeToString(connectionType)}-${options.reconnectionToken}`, timeoutCancellationToken);
- 	} catch (error) {
- 		options.logService.error(`${logPrefix} socketFactory.connect() failed or timed out. Error:`);
- 		options.logService.error(error);

patches/disable-builtin-ext-update.diff

@@ -18,7 +18,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
  			if (!this.local.preRelease && this.gallery.properties.isPreReleaseVersion) {
  				return false;
  			}
-@@ -1122,6 +1126,10 @@ export class ExtensionsWorkbenchService
+@@ -1234,6 +1238,10 @@ export class ExtensionsWorkbenchService 
  				// Skip if check updates only for builtin extensions and current extension is not builtin.
  				continue;
  			}

patches/disable-downloads.diff

@@ -12,7 +12,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -267,6 +267,11 @@ export interface IWorkbenchConstructionO
+@@ -271,6 +271,11 @@ export interface IWorkbenchConstructionO
  	 */
  	readonly userDataPath?: string
  
@@ -66,7 +66,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -95,6 +96,7 @@ export interface ServerParsedArgs {
+@@ -94,6 +95,7 @@ export interface ServerParsedArgs {
  	/* ----- code-server ----- */
  	'disable-update-check'?: boolean;
  	'auth'?: string
@@ -84,8 +84,8 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
  			userDataPath: this._environmentService.userDataPath,
 +			isEnabledFileDownloads: !this._environmentService.args['disable-file-downloads'],
  			_wrapWebWorkerExtHostInIframe,
- 			developmentOptions: {
- 				enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined,
+ 			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined, logLevel: this._logService.getLevel() },
+ 			settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
 Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/contextkeys.ts
@@ -93,16 +93,16 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 @@ -7,12 +7,11 @@ import { Event } from 'vs/base/common/ev
  import { Disposable } from 'vs/base/common/lifecycle';
  import { IContextKeyService, IContextKey } from 'vs/platform/contextkey/common/contextkey';
- import { InputFocusedContext, IsMacContext, IsLinuxContext, IsWindowsContext, IsWebContext, IsMacNativeContext, IsDevelopmentContext, IsIOSContext, ProductQualityContext } from 'vs/platform/contextkey/common/contextkeys';
--import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, MultipleEditorGroupsContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, EditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext } from 'vs/workbench/common/contextkeys';
-+import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, MultipleEditorGroupsContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, EditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, IsEnabledFileDownloads } from 'vs/workbench/common/contextkeys';
+ import { InputFocusedContext, IsMacContext, IsLinuxContext, IsWindowsContext, IsWebContext, IsMacNativeContext, IsDevelopmentContext, IsIOSContext, ProductQualityContext, IsMobileContext } from 'vs/platform/contextkey/common/contextkeys';
+-import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, MultipleEditorGroupsContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, EditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext } from 'vs/workbench/common/contextkeys';
++import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, MultipleEditorGroupsContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, EditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, IsEnabledFileDownloads } from 'vs/workbench/common/contextkeys';
  import { TEXT_DIFF_EDITOR_ID, EditorInputCapabilities, SIDE_BY_SIDE_EDITOR_ID, DEFAULT_EDITOR_ASSOCIATION } from 'vs/workbench/common/editor';
  import { trackFocus, addDisposableListener, EventType } from 'vs/base/browser/dom';
  import { preferredSideBySideGroupDirection, GroupDirection, IEditorGroupsService } from 'vs/workbench/services/editor/common/editorGroupsService';
  import { IConfigurationService } from 'vs/platform/configuration/common/configuration';
 -import { IWorkbenchEnvironmentService } from 'vs/workbench/services/environment/common/environmentService';
  import { IEditorService } from 'vs/workbench/services/editor/common/editorService';
- import { WorkbenchState, IWorkspaceContextService } from 'vs/platform/workspace/common/workspace';
+ import { WorkbenchState, IWorkspaceContextService, isTemporaryWorkspace } from 'vs/platform/workspace/common/workspace';
  import { IWorkbenchLayoutService, Parts, positionToString } from 'vs/workbench/services/layout/browser/layoutService';
 @@ -25,6 +24,7 @@ import { IPaneCompositePartService } fro
  import { Schemas } from 'vs/base/common/network';
@@ -112,7 +112,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
  
  export class WorkbenchContextKeysHandler extends Disposable {
  	private inputFocusedContext: IContextKey<boolean>;
-@@ -76,7 +76,7 @@ export class WorkbenchContextKeysHandler
+@@ -77,7 +77,7 @@ export class WorkbenchContextKeysHandler
  		@IContextKeyService private readonly contextKeyService: IContextKeyService,
  		@IWorkspaceContextService private readonly contextService: IWorkspaceContextService,
  		@IConfigurationService private readonly configurationService: IConfigurationService,
@@ -121,7 +121,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
  		@IProductService private readonly productService: IProductService,
  		@IEditorService private readonly editorService: IEditorService,
  		@IEditorResolverService private readonly editorResolverService: IEditorResolverService,
-@@ -199,6 +199,9 @@ export class WorkbenchContextKeysHandler
+@@ -202,6 +202,9 @@ export class WorkbenchContextKeysHandler
  		this.auxiliaryBarVisibleContext = AuxiliaryBarVisibleContext.bindTo(this.contextKeyService);
  		this.auxiliaryBarVisibleContext.set(this.layoutService.isVisible(Parts.AUXILIARYBAR_PART));
  
@@ -172,7 +172,7 @@ Index: code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/common/contextkeys.ts
 +++ code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
-@@ -30,6 +30,8 @@ export const IsFullscreenContext = new R
+@@ -32,6 +32,8 @@ export const IsFullscreenContext = new R
  
  export const HasWebFileSystemAccess = new RawContextKey<boolean>('hasWebFileSystemAccess', false, true); // Support for FileSystemAccess web APIs (https://wicg.github.io/file-system-access)
  

patches/display-language.diff

@@ -19,7 +19,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/serverServices.ts
 +++ code-server/lib/vscode/src/vs/server/node/serverServices.ts
-@@ -212,6 +212,9 @@ export async function setupServerService
+@@ -209,6 +209,9 @@ export async function setupServerService
  		const channel = new ExtensionManagementChannel(extensionManagementService, (ctx: RemoteAgentConnectionContext) => getUriTransformer(ctx.remoteAuthority));
  		socketServer.registerChannel('extensions', channel);
  
@@ -39,11 +39,11 @@ Index: code-server/lib/vscode/src/vs/base/common/platform.ts
   *--------------------------------------------------------------------------------------------*/
 -import * as nls from 'vs/nls';
 -
- const LANGUAGE_DEFAULT = 'en';
+ export const LANGUAGE_DEFAULT = 'en';
  
  let _isWindows = false;
-@@ -81,17 +79,19 @@ if (typeof navigator === 'object' && !is
- 	_isLinux = _userAgent.indexOf('Linux') >= 0;
+@@ -83,17 +81,19 @@ if (typeof navigator === 'object' && !is
+ 	_isMobile = _userAgent?.indexOf('Mobi') >= 0;
  	_isWeb = true;
  
 -	const configuredLocale = nls.getConfiguredDefaultLocale(
@@ -216,7 +216,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
  
  		const workbenchWebConfiguration = {
  			remoteAuthority,
-@@ -339,6 +342,7 @@ export class WebClientServer {
+@@ -336,6 +339,7 @@ export class WebClientServer {
  			WORKBENCH_NLS_BASE_URL: vscodeBase + (nlsBaseUrl ? `${nlsBaseUrl}${!nlsBaseUrl.endsWith('/') ? '/' : ''}${this._productService.commit}/${this._productService.version}/` : ''),
  			BASE: base,
  			VS_BASE: vscodeBase,
@@ -236,7 +236,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -97,6 +98,7 @@ export interface ServerParsedArgs {
+@@ -96,6 +97,7 @@ export interface ServerParsedArgs {
  	'disable-update-check'?: boolean;
  	'auth'?: string
  	'disable-file-downloads'?: boolean;
@@ -248,7 +248,7 @@ Index: code-server/lib/vscode/src/vs/workbench/workbench.web.main.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/workbench.web.main.ts
 +++ code-server/lib/vscode/src/vs/workbench/workbench.web.main.ts
-@@ -122,8 +122,9 @@ import 'vs/workbench/contrib/logs/browse
+@@ -123,8 +123,9 @@ import 'vs/workbench/contrib/logs/browse
  // Explorer
  import 'vs/workbench/contrib/files/browser/files.web.contribution';
  
@@ -314,19 +314,3 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/localization/electron-san
  		await this.jsonEditingService.write(this.environmentService.argvResource, [{ path: ['locale'], value: locale }], true);
  		return true;
  	}
-Index: code-server/lib/vscode/src/vs/base/node/languagePacks.js
-===================================================================
---- code-server.orig/lib/vscode/src/vs/base/node/languagePacks.js
-+++ code-server/lib/vscode/src/vs/base/node/languagePacks.js
-@@ -73,7 +73,10 @@
- 		function getLanguagePackConfigurations(userDataPath) {
- 			const configFile = path.join(userDataPath, 'languagepacks.json');
- 			try {
--				return nodeRequire(configFile);
-+				// This must not use Node's require otherwise it will be cached forever.
-+				// Code can get away with this since the process actually restarts but
-+				// that is not currently the case with code-server.
-+				return JSON.parse(fs.readFileSync(configFile, "utf8"));
- 			} catch (err) {
- 				// Do nothing. If we can't read the file we have no
- 				// language pack config.

patches/exec-argv.diff

@@ -0,0 +1,24 @@
+Preserve process.execArgv
+
+This ensures flags like `--prof` are passed down to the code-server process so
+we can profile everything.
+
+To test this:
+1. run `./lib/node --prof .` 
+2. in another terminal, run `ps -ejww`
+
+You should see `--prof` next to every code-server process. 
+
+Index: code-server/lib/vscode/src/vs/server/node/extensionHostConnection.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/server/node/extensionHostConnection.ts
++++ code-server/lib/vscode/src/vs/server/node/extensionHostConnection.ts
+@@ -228,7 +228,7 @@ export class ExtensionHostConnection {
+ 
+ 	public async start(startParams: IRemoteExtensionHostStartParams): Promise<void> {
+ 		try {
+-			let execArgv: string[] = [];
++			let execArgv: string[] = process.execArgv ? process.execArgv.filter(a => !/^--inspect(-brk)?=/.test(a)) : [];
+ 			if (startParams.port && !(<any>process).pkg) {
+ 				execArgv = [`--inspect${startParams.break ? '-brk' : ''}=${startParams.port}`];
+ 			}

patches/heartbeat.diff

@@ -1,37 +0,0 @@
-Add a heartbeat to web socket connections
-
-This prevents them from being killed when they are idle.  To test run behind
-NGINX, make sure the sockets are idle (check dev tools), then wait 60+ seconds.
-
-Index: code-server/lib/vscode/src/vs/base/parts/ipc/common/ipc.net.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/base/parts/ipc/common/ipc.net.ts
-+++ code-server/lib/vscode/src/vs/base/parts/ipc/common/ipc.net.ts
-@@ -7,6 +7,7 @@ import { VSBuffer } from 'vs/base/common
- import { Emitter, Event } from 'vs/base/common/event';
- import { Disposable, dispose, IDisposable } from 'vs/base/common/lifecycle';
- import { IIPCLogger, IMessagePassingProtocol, IPCClient } from 'vs/base/parts/ipc/common/ipc';
-+import { isWeb } from 'vs/base/common/platform';
- 
- export const enum SocketDiagnosticsEventType {
- 	Created = 'created',
-@@ -828,6 +829,19 @@ export class PersistentProtocol implemen
- 		this._socketDisposables.push(this._socketWriter);
- 		this._socketReader = new ProtocolReader(this._socket);
- 		this._socketDisposables.push(this._socketReader);
-+		// Send empty messages to keep the socket alive.  We only need this on the
-+		// web where sockets can be killed by reverse proxies for inactivity.
-+		if (isWeb) {
-+			const timer = setInterval(() => {
-+				const msg = new ProtocolMessage(ProtocolMessageType.None, 0, 0, getEmptyBuffer());
-+				this._socketWriter.write(msg);
-+			}, 45000); // NGINX has a 60 second default timeout so try 45 seconds.
-+			this._socketDisposables.push({
-+				dispose: () => {
-+					clearInterval(timer);
-+				},
-+			});
-+		}
- 		this._socketDisposables.push(this._socketReader.onMessage(msg => this._receiveMessage(msg)));
- 		this._socketDisposables.push(this._socket.onClose((e) => this._onSocketClose.fire(e)));
- 		if (initialChunk) {

patches/insecure-notification.diff

@@ -27,7 +27,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
  	) {
  		super();
  	}
-@@ -42,5 +45,32 @@ export class CodeServerClient extends Di
+@@ -42,5 +45,31 @@ export class CodeServerClient extends Di
  				}
  			});
  		}
@@ -49,7 +49,6 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
 +							class: undefined,
 +							enabled: true,
 +							checked: true,
-+							dispose: () => undefined,
 +							run: () => {
 +								return Promise.resolve();
 +							},

patches/integration.diff

@@ -221,12 +221,13 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench-dev.html
  
  		<!-- Disable pinch zooming -->
  		<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no">
-@@ -26,8 +27,9 @@
+@@ -26,9 +27,9 @@
  		<meta id="vscode-workbench-builtin-extensions" data-settings="{{WORKBENCH_BUILTIN_EXTENSIONS}}">
  
  		<!-- Workbench Icon/Manifest/CSS -->
 -		<link rel="icon" href="{{WORKBENCH_WEB_BASE_URL}}/resources/server/favicon.ico" type="image/x-icon" />
 -		<link rel="manifest" href="{{WORKBENCH_WEB_BASE_URL}}/resources/server/manifest.json" crossorigin="use-credentials" />
+-
 +		<link rel="icon" href="/_static/src/browser/media/favicon-dark-support.svg" />
 +		<link rel="alternate icon" href="/_static/src/browser/media/favicon.ico" type="image/x-icon" />
 +		<link rel="manifest" href="/manifest.json" crossorigin="use-credentials" />

patches/local-storage.diff

@@ -26,13 +26,13 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
  			webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
 +			userDataPath: this._environmentService.userDataPath,
  			_wrapWebWorkerExtHostInIframe,
- 			developmentOptions: {
- 				enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined,
+ 			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined, logLevel: this._logService.getLevel() },
+ 			settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
 Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -262,6 +262,11 @@ export interface IWorkbenchConstructionO
+@@ -266,6 +266,11 @@ export interface IWorkbenchConstructionO
  	 */
  	readonly configurationDefaults?: Record<string, any>;
  

patches/log-level.diff

@@ -1,21 +0,0 @@
-Propagate the log level to the client
-
-This can be tested by using `--log trace`.  You should see plenty of debug and
-trace logs in the console.
-
-Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
-+++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -304,7 +304,10 @@ export class WebClientServer {
- 			remoteAuthority,
- 			webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
- 			_wrapWebWorkerExtHostInIframe,
--			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined },
-+			developmentOptions: {
-+				enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined,
-+				logLevel: this._logService.getLevel(),
-+			},
- 			settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
- 			enableWorkspaceTrust: !this._environmentService.args['disable-workspace-trust'],
- 			folderUri: resolveWorkspaceURI(this._environmentService.args['default-folder']),

patches/logout.diff

@@ -28,7 +28,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -93,6 +94,7 @@ export const serverOptions: OptionDescri
+@@ -92,6 +93,7 @@ export const serverOptions: OptionDescri
  export interface ServerParsedArgs {
  	/* ----- code-server ----- */
  	'disable-update-check'?: boolean;
@@ -68,7 +68,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
  	constructor (
  		@ILogService private logService: ILogService,
  		@INotificationService private notificationService: INotificationService,
-@@ -82,6 +86,10 @@ export class CodeServerClient extends Di
+@@ -81,6 +85,10 @@ export class CodeServerClient extends Di
  		if (this.productService.updateEndpoint) {
  			this.checkUpdates(this.productService.updateEndpoint)
  		}
@@ -79,7 +79,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
  	}
  
  	private checkUpdates(updateEndpoint: string) {
-@@ -133,4 +141,25 @@ export class CodeServerClient extends Di
+@@ -132,4 +140,25 @@ export class CodeServerClient extends Di
  
  		updateLoop();
  	}

patches/marketplace.diff

@@ -19,22 +19,23 @@ Index: code-server/lib/vscode/src/vs/platform/product/common/product.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/product/common/product.ts
 +++ code-server/lib/vscode/src/vs/platform/product/common/product.ts
-@@ -45,7 +45,14 @@ else if (typeof require?.__$__nodeRequir
+@@ -53,6 +53,16 @@ else if (typeof require?.__$__nodeRequir
+ 			version: pkg.version
+ 		});
  	}
- 
- 	Object.assign(product, {
--		version: pkg.version
-+		version: pkg.version,
++
++	Object.assign(product, {
 +		extensionsGallery: env.EXTENSIONS_GALLERY ? JSON.parse(env.EXTENSIONS_GALLERY) : (product.extensionsGallery || {
 +			serviceUrl: "https://open-vsx.org/vscode/gallery",
 +			itemUrl: "https://open-vsx.org/vscode/item",
 +			resourceUrlTemplate: "https://open-vsx.org/vscode/asset/{publisher}/{name}/{version}/Microsoft.VisualStudio.Code.WebResources/{path}",
 +			controlUrl: "",
 +			recommendationsUrl: "",
-+		}),
- 	});
++		})
++	});
  }
  
+ // Web environment or unknown
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts

patches/parent-origin.diff

@@ -1,24 +0,0 @@
-Remove parentOriginHash checko
-
-This fixes webviews from not working properly due to a change upstream.
-Upstream added a check to ensure parent authority is encoded into the webview
-origin. Since our webview origin is the parent authority, we can bypass this
-check.
-
-Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
-===================================================================
---- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
-+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
-@@ -317,6 +317,12 @@ const hostMessaging = new class HostMess
- 		const id = searchParams.get('id');
- 
- 		const hostname = location.hostname;
-+
-+		// It is safe to run if we are on the same host.
-+		const parent = new URL(parentOrigin)
-+		if (parent.hostname == location.hostname) {
-+			return start(parentOrigin)
-+		}
- 
- 		if (!crypto.subtle) {
- 			// cannot validate, not running in a secure context

patches/proposed-api.diff

@@ -9,7 +9,7 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/abstra
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/abstractExtensionService.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/extensions/common/abstractExtensionService.ts
-@@ -1460,7 +1460,7 @@ class ProposedApiController {
+@@ -1462,7 +1462,7 @@ class ProposedApiController {
  
  		this._envEnabledExtensions = new Set((_environmentService.extensionEnabledProposedApi ?? []).map(id => ExtensionIdentifier.toKey(id)));
  

patches/proxy-uri.diff

@@ -10,6 +10,22 @@ extensions, use --extensions-dir, or symlink it).
 
 This has e2e tests.
 
+For the `asExternalUri` changes, you'll need to test manually by:
+1. running code-server with the test extension
+2. Command Palette > code-server: asExternalUri test
+3. input a url like http://localhost:3000
+4. it should show a notification and show output as <code-server>/proxy/3000
+
+Do the same thing but set `VSCODE_PROXY_URI: "https://{{port}}-main-workspace-name-user-name.coder.com"`
+and the output should replace `{{port}}` with port used in input url.
+
+This also enables the forwared ports view panel by default.
+
+Lastly, it adds a tunnelProvider so that ports are forwarded using code-server's
+built-in proxy. You can test this by starting a server i.e. `python3 -m
+http.server` and it should show a notification and show up in the ports panel
+using the /proxy/port.
+
 Index: code-server/lib/vscode/src/vs/base/common/product.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/product.ts
@@ -35,19 +51,19 @@ Index: code-server/lib/vscode/src/vs/platform/remote/browser/remoteAuthorityReso
  import { getRemoteServerRootPath, parseAuthorityWithOptionalPort } from 'vs/platform/remote/common/remoteHosts';
  
  export class RemoteAuthorityResolverService extends Disposable implements IRemoteAuthorityResolverService {
-@@ -22,7 +22,7 @@ export class RemoteAuthorityResolverServ
- 	private readonly _connectionToken: string | undefined;
+@@ -23,7 +23,7 @@ export class RemoteAuthorityResolverServ
+ 	private readonly _connectionToken: Promise<string> | string | undefined;
  	private readonly _connectionTokens: Map<string, string>;
  
--	constructor(@IProductService productService: IProductService, connectionToken: string | undefined, resourceUriProvider: ((uri: URI) => URI) | undefined) {
-+	constructor(@IProductService productService: IProductService, connectionToken: string | undefined, resourceUriProvider: ((uri: URI) => URI) | undefined, private readonly proxyEndpointTemplate?: string) {
+-	constructor(@IProductService productService: IProductService, connectionToken: Promise<string> | string | undefined, resourceUriProvider: ((uri: URI) => URI) | undefined) {
++	constructor(@IProductService productService: IProductService, connectionToken: Promise<string> | string | undefined, resourceUriProvider: ((uri: URI) => URI) | undefined, private readonly proxyEndpointTemplate?: string) {
  		super();
- 		this._cache = new Map<string, ResolverResult>();
  		this._connectionToken = connectionToken;
-@@ -62,9 +62,14 @@ export class RemoteAuthorityResolverServ
+ 		this._connectionTokens = new Map<string, string>();
+@@ -61,9 +61,14 @@ export class RemoteAuthorityResolverServ
  
- 	private _doResolveAuthority(authority: string): ResolverResult {
- 		const connectionToken = this._connectionTokens.get(authority) || this._connectionToken;
+ 	private async _doResolveAuthority(authority: string): Promise<ResolverResult> {
+ 		const connectionToken = await Promise.resolve(this._connectionTokens.get(authority) || this._connectionToken);
 +		let options: ResolvedOptions | undefined;
 +		if (this.proxyEndpointTemplate) {
 +			const proxyUrl = new URL(this.proxyEndpointTemplate, window.location.href);
@@ -55,11 +71,11 @@ Index: code-server/lib/vscode/src/vs/platform/remote/browser/remoteAuthorityReso
 +		}
  		const defaultPort = (/^https:/.test(window.location.href) ? 443 : 80);
  		const { host, port } = parseAuthorityWithOptionalPort(authority, defaultPort);
--		return { authority: { authority, host: host, port: port, connectionToken } };
-+		return { authority: { authority, host: host, port: port, connectionToken }, options };
- 	}
- 
- 	_clearResolvedAuthority(authority: string): void {
+-		const result: ResolverResult = { authority: { authority, host: host, port: port, connectionToken } };
++		const result: ResolverResult = { authority: { authority, host: host, port: port, connectionToken }, options };
+ 		RemoteAuthorities.set(authority, result.authority.host, result.authority.port);
+ 		this._cache.set(authority, result);
+ 		this._onDidChangeConnectionData.fire();
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
@@ -68,7 +84,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
  				rootEndpoint: base,
  				updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
  				logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? base + '/logout' : undefined,
-+				proxyEndpointTemplate: base + '/proxy/{{port}}',
++				proxyEndpointTemplate: process.env.VSCODE_PROXY_URI ?? base + '/proxy/{{port}}/',
  				embedderIdentifier: 'server-distro',
  				extensionsGallery: this._productService.extensionsGallery,
  			},
@@ -76,7 +92,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.main.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.main.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.main.ts
-@@ -239,7 +239,7 @@ export class BrowserMain extends Disposa
+@@ -247,7 +247,7 @@ export class BrowserMain extends Disposa
  
  		// Remote
  		const connectionToken = environmentService.options.connectionToken || getCookieValue(connectionTokenCookieName);
@@ -89,7 +105,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalE
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalEnvironment.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalEnvironment.ts
-@@ -388,7 +388,7 @@ export async function createTerminalEnvi
+@@ -392,7 +392,7 @@ export async function createTerminalEnvi
  
  		// Sanitize the environment, removing any undesirable VS Code and Electron environment
  		// variables
@@ -98,3 +114,68 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalE
  
  		// Merge config (settings) and ShellLaunchConfig environments
  		mergeEnvironments(env, allowedEnvFromConfig);
+Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/code/browser/workbench/workbench.ts
++++ code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
+@@ -21,6 +21,7 @@ import type { ICredentialsProvider } fro
+ import type { IURLCallbackProvider } from 'vs/workbench/services/url/browser/urlService';
+ import type { IWorkbenchConstructionOptions } from 'vs/workbench/browser/web.api';
+ import type { IWorkspace, IWorkspaceProvider } from 'vs/workbench/services/host/browser/browserHostService';
++import { extractLocalHostUriMetaDataForPortMapping, TunnelOptions, TunnelCreationOptions } from 'vs/platform/tunnel/common/tunnel';
+ 
+ interface ICredential {
+ 	service: string;
+@@ -511,6 +512,38 @@ function doCreateUri(path: string, query
+ 		} : undefined,
+ 		workspaceProvider: WorkspaceProvider.create(config),
+ 		urlCallbackProvider: new LocalStorageURLCallbackProvider(config.callbackRoute),
+-		credentialsProvider: config.remoteAuthority ? undefined : new LocalStorageCredentialsProvider() // with a remote, we don't use a local credentials provider
++		credentialsProvider: config.remoteAuthority ? undefined : new LocalStorageCredentialsProvider(), // with a remote, we don't use a local credentials provider
++		resolveExternalUri: (uri: URI): Promise<URI> => {
++			let resolvedUri = uri
++			const localhostMatch = extractLocalHostUriMetaDataForPortMapping(resolvedUri)
++
++			if (localhostMatch && resolvedUri.authority !== location.host) {
++				if (config.productConfiguration && config.productConfiguration.proxyEndpointTemplate) {
++					resolvedUri = URI.parse(new URL(config.productConfiguration.proxyEndpointTemplate.replace('{{port}}', localhostMatch.port.toString()), window.location.href).toString())
++				} else {
++					throw new Error(`Failed to resolve external URI: ${uri.toString()}. Could not determine base url because productConfiguration missing.`)
++				}
++			}
++
++			// If not localhost, return unmodified
++			return Promise.resolve(resolvedUri)
++		},
++		tunnelProvider: {
++			tunnelFactory: (tunnelOptions: TunnelOptions, tunnelCreationOptions: TunnelCreationOptions) => {
++				const onDidDispose: Emitter<void> = new Emitter();
++				let isDisposed = false;
++				return Promise.resolve({
++					remoteAddress: tunnelOptions.remoteAddress,
++					localAddress: `localhost:${tunnelOptions.remoteAddress.port}`,
++					onDidDispose: onDidDispose.event,
++					dispose: () => {
++						if (!isDisposed) {
++							isDisposed = true;
++							onDidDispose.fire();
++						}
++					}
++				})
++			}
++		}
+ 	});
+ })();
+Index: code-server/lib/vscode/src/vs/workbench/contrib/remote/browser/remoteExplorer.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/workbench/contrib/remote/browser/remoteExplorer.ts
++++ code-server/lib/vscode/src/vs/workbench/contrib/remote/browser/remoteExplorer.ts
+@@ -73,7 +73,7 @@ export class ForwardedPortsView extends 
+ 			this.contextKeyListener = undefined;
+ 		}
+ 
+-		const viewEnabled: boolean = !!forwardedPortsViewEnabled.getValue(this.contextKeyService);
++		const viewEnabled: boolean = true;
+ 
+ 		if (this.environmentService.remoteAuthority && viewEnabled) {
+ 			const viewContainer = await this.getViewContainer();

patches/series

@@ -11,13 +11,11 @@ store-socket.diff
 proxy-uri.diff
 github-auth.diff
 unique-db.diff
-log-level.diff
 local-storage.diff
 service-worker.diff
-connection-type.diff
 sourcemaps.diff
 disable-downloads.diff
 telemetry.diff
 display-language.diff
 cli-window-open.diff
-heartbeat.diff
+exec-argv.diff

patches/service-worker.diff

@@ -17,26 +17,11 @@ Index: code-server/lib/vscode/src/vs/base/common/product.ts
  
  	readonly version: string;
  	readonly date?: string;
-Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
-+++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -319,6 +319,10 @@ export class WebClientServer {
- 				updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
- 				logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? base + '/logout' : undefined,
- 				proxyEndpointTemplate: base + '/proxy/{{port}}',
-+				serviceWorker: {
-+					scope: vscodeBase + '/',
-+					path: base + '/_static/out/browser/serviceWorker.js',
-+				},
- 				embedderIdentifier: 'server-distro',
- 				extensionsGallery: this._productService.extensionsGallery,
- 			},
 Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/client.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/client.ts
-@@ -90,6 +90,10 @@ export class CodeServerClient extends Di
+@@ -89,6 +89,10 @@ export class CodeServerClient extends Di
  		if (this.productService.logoutEndpoint) {
  			this.addLogoutCommand(this.productService.logoutEndpoint);
  		}
@@ -47,7 +32,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
  	}
  
  	private checkUpdates(updateEndpoint: string) {
-@@ -162,4 +166,17 @@ export class CodeServerClient extends Di
+@@ -161,4 +165,17 @@ export class CodeServerClient extends Di
  			});
  		}
  	}
@@ -65,3 +50,18 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
 +		}
 +	}
  }
+Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
++++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
+@@ -316,6 +316,10 @@ export class WebClientServer {
+ 				updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
+ 				logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? base + '/logout' : undefined,
+ 				proxyEndpointTemplate: process.env.VSCODE_PROXY_URI ?? base + '/proxy/{{port}}/',
++				serviceWorker: {
++					scope: vscodeBase + '/',
++					path: base + '/_static/out/browser/serviceWorker.js',
++				},
+ 				embedderIdentifier: 'server-distro',
+ 				extensionsGallery: this._productService.extensionsGallery,
+ 			},

patches/sourcemaps.diff

@@ -10,7 +10,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.js
 ===================================================================
 --- code-server.orig/lib/vscode/build/gulpfile.reh.js
 +++ code-server/lib/vscode/build/gulpfile.reh.js
-@@ -194,8 +194,7 @@ function packageTask(type, platform, arc
+@@ -191,8 +191,7 @@ function packageTask(type, platform, arc
  
  		const src = gulp.src(sourceFolderName + '/**', { base: '.' })
  			.pipe(rename(function (path) { path.dirname = path.dirname.replace(new RegExp('^' + sourceFolderName), 'out'); }))
@@ -20,7 +20,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.js
  
  		const workspaceExtensionPoints = ['debuggers', 'jsonValidation'];
  		const isUIExtension = (manifest) => {
-@@ -234,9 +233,9 @@ function packageTask(type, platform, arc
+@@ -231,9 +230,9 @@ function packageTask(type, platform, arc
  			.map(name => `.build/extensions/${name}/**`);
  
  		const extensions = gulp.src(extensionPaths, { base: '.build', dot: true });
@@ -32,12 +32,12 @@ Index: code-server/lib/vscode/build/gulpfile.reh.js
  
  		let version = packageJson.version;
  		const quality = product.quality;
-@@ -371,7 +370,7 @@ function tweakProductForServerWeb(produc
+@@ -387,7 +386,7 @@ function tweakProductForServerWeb(produc
  	const minifyTask = task.define(`minify-vscode-${type}`, task.series(
  		optimizeTask,
  		util.rimraf(`out-vscode-${type}-min`),
--		common.minifyTask(`out-vscode-${type}`, `https://ticino.blob.core.windows.net/sourcemaps/${commit}/core`)
-+		common.minifyTask(`out-vscode-${type}`, '')
+-		optimize.minifyTask(`out-vscode-${type}`, `https://ticino.blob.core.windows.net/sourcemaps/${commit}/core`)
++		optimize.minifyTask(`out-vscode-${type}`, ``)
  	));
  	gulp.task(minifyTask);
  

patches/telemetry.diff

@@ -1,5 +1,12 @@
 Add support for telemetry endpoint
 
+To test:
+1. Create a RequestBin - https://requestbin.io/
+2. Run code-server with `CS_TELEMETRY_URL` set: 
+  i.e. `CS_TELEMETRY_URL="https://requestbin.io/1ebub9z1" ./code-server-<version>-macos-amd64/bin/code-server`
+3. Load code-server in browser an do things (i.e. open a file)
+4. Refresh RequestBin and you should see logs
+
 Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/serverServices.ts
@@ -82,62 +89,11 @@ Index: code-server/lib/vscode/src/vs/server/node/telemetryClient.ts
 +		} catch (error) {}
 +	}
 +}
-Index: code-server/lib/vscode/src/vs/workbench/services/telemetry/browser/telemetryService.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/workbench/services/telemetry/browser/telemetryService.ts
-+++ code-server/lib/vscode/src/vs/workbench/services/telemetry/browser/telemetryService.ts
-@@ -38,26 +38,30 @@ export class TelemetryService extends Di
- 	) {
- 		super();
- 
--		if (supportsTelemetry(productService, environmentService) && productService.aiConfig?.ariaKey) {
-+		if (supportsTelemetry(productService, environmentService)) {
- 			// If remote server is present send telemetry through that, else use the client side appender
- 			const appenders = [];
- 			const isInternal = isInternalTelemetry(productService, configurationService);
--			const telemetryProvider: ITelemetryAppender = remoteAgentService.getConnection() !== null ? { log: remoteAgentService.logTelemetry.bind(remoteAgentService), flush: remoteAgentService.flushTelemetry.bind(remoteAgentService) } : new OneDataSystemWebAppender(isInternal, 'monacoworkbench', null, productService.aiConfig?.ariaKey);
--			appenders.push(telemetryProvider);
--			appenders.push(new TelemetryLogAppender(loggerService, environmentService));
--			const config: ITelemetryServiceConfig = {
--				appenders,
--				commonProperties: resolveWorkbenchCommonProperties(storageService, productService.commit, productService.version, isInternal, environmentService.remoteAuthority, productService.embedderIdentifier, productService.removeTelemetryMachineId, environmentService.options && environmentService.options.resolveCommonTelemetryProperties),
--				sendErrorTelemetry: this.sendErrorTelemetry,
--			};
--			this.impl = this._register(new BaseTelemetryService(config, configurationService, productService));
-+			const telemetryProvider: ITelemetryAppender | undefined = remoteAgentService.getConnection() !== null ? { log: remoteAgentService.logTelemetry.bind(remoteAgentService), flush: remoteAgentService.flushTelemetry.bind(remoteAgentService) } : productService.aiConfig?.ariaKey ? new OneDataSystemWebAppender(isInternal, 'monacoworkbench', null, productService.aiConfig?.ariaKey) : undefined;
-+			if (telemetryProvider) {
-+				appenders.push(telemetryProvider);
-+				appenders.push(new TelemetryLogAppender(loggerService, environmentService));
-+				const config: ITelemetryServiceConfig = {
-+					appenders,
-+					commonProperties: resolveWorkbenchCommonProperties(storageService, productService.commit, productService.version, isInternal, environmentService.remoteAuthority, productService.embedderIdentifier, productService.removeTelemetryMachineId, environmentService.options && environmentService.options.resolveCommonTelemetryProperties),
-+					sendErrorTelemetry: this.sendErrorTelemetry,
-+				};
-+				this.impl = this._register(new BaseTelemetryService(config, configurationService, productService));
- 
--			if (getTelemetryLevel(configurationService) !== TelemetryLevel.NONE) {
--				// If we cannot fetch the endpoint it means it is down and we should not send any telemetry.
--				// This is most likely due to ad blockers
--				fetch(telemetryEndpointUrl, { method: 'POST' }).catch(err => {
--					this.impl = NullTelemetryService;
--				});
-+				if (remoteAgentService.getConnection() === null && getTelemetryLevel(configurationService) !== TelemetryLevel.NONE) {
-+					// If we cannot fetch the endpoint it means it is down and we should not send any telemetry.
-+					// This is most likely due to ad blockers
-+					fetch(telemetryEndpointUrl, { method: 'POST' }).catch(err => {
-+						this.impl = NullTelemetryService;
-+					});
-+				}
-+			} else {
-+				this.impl = NullTelemetryService;
- 			}
- 		} else {
- 			this.impl = NullTelemetryService;
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -324,6 +324,7 @@ export class WebClientServer {
+@@ -321,6 +321,7 @@ export class WebClientServer {
  					scope: vscodeBase + '/',
  					path: base + '/_static/out/browser/serviceWorker.js',
  				},

patches/unique-db.diff

@@ -9,59 +9,28 @@ ensures that different browser paths will be unique (for example /workspace1 and
 The easiest way to test is to open files in the same workspace using both / and
 /vscode and make sure they are not interacting with each other.
 
-It should also migrate old databases which can be tested by opening in an old
-code-server.
-
-This has e2e tests.
-
 Index: code-server/lib/vscode/src/vs/workbench/services/storage/browser/storageService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/storage/browser/storageService.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/storage/browser/storageService.ts
 @@ -17,6 +17,7 @@ import { AbstractStorageService, isProfi
- import { IUserDataProfile } from 'vs/platform/userDataProfile/common/userDataProfile';
+ import { isUserDataProfile, IUserDataProfile } from 'vs/platform/userDataProfile/common/userDataProfile';
  import { IAnyWorkspaceIdentifier } from 'vs/platform/workspace/common/workspace';
  import { IUserDataProfileService } from 'vs/workbench/services/userDataProfile/common/userDataProfile';
 +import { hash } from 'vs/base/common/hash';
  
  export class BrowserStorageService extends AbstractStorageService {
  
-@@ -67,7 +68,11 @@ export class BrowserStorageService exten
- 					return `global-${this.profileStorageProfile.id}`;
- 				}
- 			case StorageScope.WORKSPACE:
--				return this.payload.id;
-+				// Add a unique ID based on the current path for per-workspace databases.
-+				// This prevents workspaces on different machines that share the same domain
-+				// and file path from colliding (since it does not appear IndexedDB can be
-+				// scoped to a path) as long as they are hosted on different paths.
-+				return this.payload.id + '-' + hash(location.pathname.toString().replace(/\/$/, "")).toString(16);
- 		}
+@@ -297,7 +298,11 @@ export class IndexedDBStorageDatabase ex
  	}
  
-@@ -141,6 +146,25 @@ export class BrowserStorageService exten
- 
- 		await this.workspaceStorage.init();
- 
-+		const firstWorkspaceOpen = this.workspaceStorage.getBoolean(IS_NEW_KEY);
-+		if (firstWorkspaceOpen === undefined) {
-+			// Migrate the old database.
-+			let db: IIndexedDBStorageDatabase | undefined
-+			try {
-+				db = await IndexedDBStorageDatabase.create({ id: this.payload.id }, this.logService)
-+				const items = await db.getItems()
-+				for (const [key, value] of items) {
-+					this.workspaceStorage.set(key, value);
-+				}
-+			} catch (error) {
-+				this.logService.error(`[IndexedDB Storage ${this.payload.id}] migrate error: ${toErrorMessage(error)}`);
-+			} finally {
-+				if (db) {
-+					db.close()
-+				}
-+			}
-+		}
-+
- 		this.updateIsNew(this.workspaceStorage);
+ 	static async createWorkspaceStorage(workspaceId: string, logService: ILogService): Promise<IIndexedDBStorageDatabase> {
+-		return IndexedDBStorageDatabase.create({ id: workspaceId }, logService);
++		// Add a unique ID based on the current path for per-workspace databases.
++		// This prevents workspaces on different machines that share the same domain
++		// and file path from colliding (since it does not appear IndexedDB can be
++		// scoped to a path) as long as they are hosted on different paths.
++		return IndexedDBStorageDatabase.create({ id: workspaceId + '-' + hash(location.pathname.toString().replace(/\/$/, "")).toString(16) }, logService);
  	}
  
+ 	static async create(options: IndexedDBStorageDatabaseOptions, logService: ILogService): Promise<IIndexedDBStorageDatabase> {

patches/update-check.diff

@@ -29,7 +29,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
  	) {
  		super();
  	}
-@@ -72,5 +78,59 @@ export class CodeServerClient extends Di
+@@ -71,5 +77,59 @@ export class CodeServerClient extends Di
  				},
  			});
  		}
@@ -126,7 +126,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -89,6 +91,8 @@ export const serverOptions: OptionDescri
+@@ -88,6 +90,8 @@ export const serverOptions: OptionDescri
  };
  
  export interface ServerParsedArgs {

patches/webview.diff

@@ -20,6 +20,23 @@ webview host is separate by default but we serve on the same host).
 
 To test, open a few types of webviews (images, markdown, extension details, etc).
 
+Make sure to update the hash. To do so:
+1. run code-server 
+2. open any webview (i.e. preview Markdown)
+3. see error in console and copy hash
+
+That will test the hash change in pre/index.html
+
+Double-check the console to make sure there are no console errors for the webWorkerExtensionHostIframe
+which also requires a hash change.
+
+parentOriginHash changes
+
+This fixes webviews from not working properly due to a change upstream.
+Upstream added a check to ensure parent authority is encoded into the webview
+origin. Since our webview origin is the parent authority, we can bypass this
+check.
+
 Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
@@ -43,7 +60,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
  			remoteAuthority,
 +			webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
  			_wrapWebWorkerExtHostInIframe,
- 			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined },
+ 			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined, logLevel: this._logService.getLevel() },
  			settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
 Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
 ===================================================================
@@ -53,8 +70,8 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
  	<meta charset="UTF-8">
  
  	<meta http-equiv="Content-Security-Policy"
--		content="default-src 'none'; script-src 'sha256-JpX/ganPoxpavjxWCz9DUZgwVZ59o2lwSYTQrziPsdU=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
-+		content="default-src 'none'; script-src 'sha256-BRi/ZOLWtsisl3jAheglVzKmoA1T6n2Mmf2NM4UnIXE=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+-		content="default-src 'none'; script-src 'sha256-wwaDxsm1+SKIUb5YJXiZlYMyV7QPB8+zd6HPcTjigZs=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
++		content="default-src 'none'; script-src 'sha256-IZkGO4jZeUn7pzM6pBZCZc9bUYm8oVNV3z8zEa8gxlk=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
  
  	<!-- Disable pinch zooming -->
  	<meta name="viewport"
@@ -70,7 +87,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
 +
  				if (!crypto.subtle) {
  					// cannot validate, not running in a secure context
- 					throw new Error(`Cannot validate in current context!`);
+ 					throw new Error(`'crypto.subtle' is not available so webviews will not work. This is likely because the editor is not running in a secure context (https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts).`);
 Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
@@ -87,7 +104,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
 +
  				if (!crypto.subtle) {
  					// cannot validate, not running in a secure context
- 					throw new Error(`Cannot validate in current context!`);
+ 					throw new Error(`'crypto.subtle' is not available so webviews will not work. This is likely because the editor is not running in a secure context (https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts).`);
 Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html

src/browser/pages/login.html

@@ -10,7 +10,7 @@
       http-equiv="Content-Security-Policy"
       content="style-src 'self'; script-src 'self' 'unsafe-inline'; manifest-src 'self'; img-src 'self' data:; font-src 'self' data:;"
     />
-    <title>code-server login</title>
+    <title>{{APP_NAME}} login</title>
     <link rel="icon" href="{{CS_STATIC_BASE}}/src/browser/media/favicon-dark-support.svg" />
     <link rel="alternate icon" href="{{CS_STATIC_BASE}}/src/browser/media/favicon.ico" />
     <link rel="manifest" href="{{BASE}}/manifest.json" crossorigin="use-credentials" />
@@ -24,7 +24,7 @@
     <div class="center-container">
       <div class="card-box">
         <div class="header">
-          <h1 class="main">Welcome to code-server</h1>
+          <h1 class="main">{{WELCOME_TEXT}}</h1>
           <div class="sub">Please log in below. {{PASSWORD_MSG}}</div>
         </div>
         <div class="content">

src/node/cli.ts

@@ -1,6 +1,6 @@
 import { field, Level, logger } from "@coder/logger"
 import { promises as fs } from "fs"
-import yaml from "js-yaml"
+import { load } from "js-yaml"
 import * as os from "os"
 import * as path from "path"
 import { canConnect, generateCertificate, generatePassword, humanPath, paths, isNodeJSErrnoException } from "./util"
@@ -50,6 +50,7 @@ export interface UserProvidedCodeArgs {
   "github-auth"?: string
   "disable-update-check"?: boolean
   "disable-file-downloads"?: boolean
+  "disable-workspace-trust"?: boolean
 }
 
 /**
@@ -84,6 +85,8 @@ export interface UserProvidedArgs extends UserProvidedCodeArgs {
   "ignore-last-opened"?: boolean
   link?: OptionalString
   verbose?: boolean
+  "app-name"?: string
+  "welcome-text"?: string
   /* Positional arguments. */
   _?: string[]
 }
@@ -163,6 +166,10 @@ export const options: Options<Required<UserProvidedArgs>> = {
     description:
       "Disable file downloads from Code. This can also be set with CS_DISABLE_FILE_DOWNLOADS set to 'true' or '1'.",
   },
+  "disable-workspace-trust": {
+    type: "boolean",
+    description: "Disable Workspace Trust feature. This switch only affects the current session.",
+  },
   // --enable can be used to enable experimental features. These features
   // provide no guarantees.
   enable: { type: "string[]" },
@@ -233,7 +240,16 @@ export const options: Options<Required<UserProvidedArgs>> = {
 
   log: { type: LogLevel },
   verbose: { type: "boolean", short: "vvv", description: "Enable verbose logging." },
-
+  "app-name": {
+    type: "string",
+    short: "an",
+    description: "The name to use in branding. Will be shown in titlebar and welcome message",
+  },
+  "welcome-text": {
+    type: "string",
+    short: "w",
+    description: "Text to show on login page",
+  },
   link: {
     type: OptionalString,
     description: `
@@ -501,7 +517,7 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
       args.verbose = false
       break
     case LogLevel.Warn:
-      logger.level = Level.Warning
+      logger.level = Level.Warn
       args.verbose = false
       break
     case LogLevel.Error:
@@ -641,7 +657,7 @@ export function parseConfigFile(configFile: string, configPath: string): ConfigA
     return { config: configPath }
   }
 
-  const config = yaml.load(configFile, {
+  const config = load(configFile, {
     filename: configPath,
   })
   if (!config || typeof config === "string") {

src/node/main.ts

@@ -9,7 +9,7 @@ import { AuthType, DefaultedArgs, Feature, SpawnCodeCli, toCodeArgs, UserProvide
 import { coderCloudBind } from "./coder_cloud"
 import { commit, version } from "./constants"
 import { register } from "./routes"
-import { humanPath, isFile, loadAMDModule, open } from "./util"
+import { humanPath, isDirectory, loadAMDModule, open } from "./util"
 
 /**
  * Return true if the user passed an extension-related VS Code flag.
@@ -69,14 +69,15 @@ export const openInExistingInstance = async (args: DefaultedArgs, socketPath: st
     fileURIs: [],
     forceReuseWindow: args["reuse-window"],
     forceNewWindow: args["new-window"],
+    gotoLineMode: true,
   }
   const paths = args._ || []
   for (let i = 0; i < paths.length; i++) {
     const fp = path.resolve(paths[i])
-    if (await isFile(fp)) {
-      pipeArgs.fileURIs.push(fp)
-    } else {
+    if (await isDirectory(fp)) {
       pipeArgs.folderURIs.push(fp)
+    } else {
+      pipeArgs.fileURIs.push(fp)
     }
   }
   if (pipeArgs.forceNewWindow && pipeArgs.fileURIs.length > 0) {

src/node/routes/login.ts

@@ -28,6 +28,8 @@ export class RateLimiter {
 
 const getRoot = async (req: Request, error?: Error): Promise<string> => {
   const content = await fs.readFile(path.join(rootPath, "src/browser/pages/login.html"), "utf8")
+  const appName = req.args["app-name"] || "code-server"
+  const welcomeText = req.args["welcome-text"] || `Welcome to ${appName}`
   let passwordMsg = `Check the config file at ${humanPath(os.homedir(), req.args.config)} for the password.`
   if (req.args.usingEnvPassword) {
     passwordMsg = "Password was set from $PASSWORD."
@@ -38,6 +40,8 @@ const getRoot = async (req: Request, error?: Error): Promise<string> => {
   return replaceTemplates(
     req,
     content
+      .replace(/{{APP_NAME}}/g, appName)
+      .replace(/{{WELCOME_TEXT}}/g, welcomeText)
       .replace(/{{PASSWORD_MSG}}/g, passwordMsg)
       .replace(/{{ERROR}}/, error ? `<div class="error">${escapeHtml(error.message)}</div>` : ""),
   )

src/node/routes/vscode.ts

@@ -156,9 +156,7 @@ export class CodeServerRouteWrapper {
     try {
       this._codeServerMain = await createVSServer(null, {
         ...(await toCodeArgs(args)),
-        // TODO: Make the browser helper script work.
         "without-connection-token": true,
-        "without-browser-env-var": true,
       })
     } catch (error) {
       logError(logger, "CodeServerRouteWrapper", error)

src/node/util.ts

@@ -482,6 +482,15 @@ export const isFile = async (path: string): Promise<boolean> => {
   }
 }
 
+export const isDirectory = async (path: string): Promise<boolean> => {
+  try {
+    const stat = await fs.stat(path)
+    return stat.isDirectory()
+  } catch (error) {
+    return false
+  }
+}
+
 /**
  * Escapes any HTML string special characters, like &, <, >, ", and '.
  *

src/node/wrapper.ts

@@ -317,11 +317,11 @@ export class ParentProcess extends Process {
   }
 
   private spawn(): cp.ChildProcess {
-    // Use spawn (instead of fork) to use the new binary in case it was updated.
-    return cp.spawn(process.argv[0], process.argv.slice(1), {
+    return cp.fork(path.join(__dirname, "entry"), {
       env: {
         ...process.env,
         CODE_SERVER_PARENT_PID: process.pid.toString(),
+        NODE_EXEC_PATH: process.execPath,
       },
       stdio: ["pipe", "pipe", "pipe", "ipc"],
     })

test/e2e/codeServer.test.ts

@@ -1,13 +1,10 @@
-import * as cp from "child_process"
 import { promises as fs } from "fs"
-import * as os from "os"
 import * as path from "path"
-import * as util from "util"
 import { getMaybeProxiedCodeServer } from "../utils/helpers"
 import { describe, test, expect } from "./baseFixture"
 import { CodeServer } from "./models/CodeServer"
 
-describe("code-server", [], {}, () => {
+describe("code-server", ["--disable-workspace-trust"], {}, () => {
   // TODO@asher: Generalize this?  Could be nice if we were to ever need
   // multiple migration tests in other suites.
   const instances = new Map<string, CodeServer>()
@@ -17,30 +14,6 @@ describe("code-server", [], {}, () => {
     await Promise.all(procs.map((cs) => cs.close()))
   })
 
-  /**
-   * Spawn a specific version of code-server using the install script.
-   */
-  const spawn = async (version: string, dir?: string): Promise<CodeServer> => {
-    let instance = instances.get(version)
-    if (!instance) {
-      await util.promisify(cp.exec)(`./install.sh --method standalone --version ${version}`, {
-        cwd: path.join(__dirname, "../.."),
-      })
-
-      instance = new CodeServer(
-        "code-server@" + version,
-        ["--auth=none"],
-        { VSCODE_DEV: "" },
-        dir,
-        `${os.homedir()}/.local/lib/code-server-${version}`,
-      )
-
-      instances.set(version, instance)
-    }
-
-    return instance
-  }
-
   test("should navigate to home page", async ({ codeServerPage }) => {
     // We navigate codeServer before each test
     // and we start the test with a storage state
@@ -68,54 +41,4 @@ describe("code-server", [], {}, () => {
     await fs.writeFile(file, "bar")
     await codeServerPage.openFile(file)
   })
-
-  test("should migrate state to avoid collisions", async ({ codeServerPage }) => {
-    // This can take a very long time in development because of how long pages
-    // take to load and we are doing a lot of that here.
-    if (process.env.VSCODE_DEV === "1") {
-      test.slow()
-    }
-
-    const dir = await codeServerPage.workspaceDir
-    const files = [path.join(dir, "foo"), path.join(dir, "bar")]
-    await Promise.all(
-      files.map((file) => {
-        return fs.writeFile(file, path.basename(file))
-      }),
-    )
-
-    // Open a file in the latest instance.
-    await codeServerPage.openFile(files[0])
-    await codeServerPage.stateFlush()
-
-    // Open a file in an older version of code-server.  It should not see the
-    // file opened in the new instance since the database has a different
-    // name.  This must be accessed through the proxy so it shares the same
-    // domain and can write to the same database.
-    const cs = await spawn("4.0.2", dir)
-    const address = new URL(await cs.address())
-
-    await codeServerPage.navigate("/proxy/" + address.port + "/")
-    await codeServerPage.openFile(files[1])
-    expect(await codeServerPage.tabIsVisible(files[0])).toBe(false)
-    await codeServerPage.stateFlush()
-
-    // Move back to latest code-server.  We should see the file we previously
-    // opened with it but not the old code-server file because the new instance
-    // already created its own database on this path and will avoid migrating.
-    await codeServerPage.navigate()
-    await codeServerPage.waitForTab(files[0])
-    expect(await codeServerPage.tabIsVisible(files[1])).toBe(false)
-
-    // Open a new path in latest code-server.  This one should migrate the
-    // database from old code-server but see nothing from the new database
-    // created on the root.
-    await codeServerPage.navigate("/vscode")
-    await codeServerPage.waitForTab(files[1])
-    expect(await codeServerPage.tabIsVisible(files[0])).toBe(false)
-    // Should still be open after a reload.
-    await codeServerPage.navigate("/vscode")
-    await codeServerPage.waitForTab(files[1])
-    expect(await codeServerPage.tabIsVisible(files[0])).toBe(false)
-  })
 })

test/e2e/displayLang.test.ts

@@ -0,0 +1,19 @@
+import * as path from "path"
+import { describe, test, expect } from "./baseFixture"
+
+// Given a code-server environment with Spanish Language Pack extension installed
+// and a languagepacks.json in the data-dir
+describe(
+  "--locale es",
+  ["--disable-workspace-trust", "--extensions-dir", path.join(__dirname, "./extensions"), "--locale", "es"],
+  {},
+  () => {
+    test("should load code-server in Spanish", async ({ codeServerPage }) => {
+      // When
+      const visible = await codeServerPage.page.isVisible("text=Explorador")
+
+      // Then
+      expect(visible).toBe(true)
+    })
+  },
+)

test/e2e/downloads.test.ts

@@ -3,7 +3,7 @@ import * as path from "path"
 import { clean } from "../utils/helpers"
 import { describe, test, expect } from "./baseFixture"
 
-describe("Downloads (enabled)", [], {}, async () => {
+describe("Downloads (enabled)", ["--disable-workspace-trust"], {}, async () => {
   const testName = "downloads-enabled"
   test.beforeAll(async () => {
     await clean(testName)
@@ -25,7 +25,7 @@ describe("Downloads (enabled)", [], {}, async () => {
   })
 })
 
-describe("Downloads (disabled)", ["--disable-file-downloads"], {}, async () => {
+describe("Downloads (disabled)", ["--disable-workspace-trust", "--disable-file-downloads"], {}, async () => {
   const testName = "downloads-disabled"
   test.beforeAll(async () => {
     await clean(testName)

test/e2e/extensions.test.ts

@@ -8,16 +8,18 @@ function runTestExtensionTests() {
   test("should have access to VSCODE_PROXY_URI", async ({ codeServerPage }) => {
     const address = await getMaybeProxiedCodeServer(codeServerPage)
 
+    await codeServerPage.waitForTestExtensionLoaded()
     await codeServerPage.executeCommandViaMenus("code-server: Get proxy URI")
 
-    const text = await codeServerPage.page.locator(".notification-list-item-message").textContent()
+    await codeServerPage.page.waitForSelector("text=proxyUri", { timeout: 3000 })
+    const text = await codeServerPage.page.locator("text=proxyUri").first().textContent()
     // Remove end slash in address
     const normalizedAddress = address.replace(/\/+$/, "")
-    expect(text).toBe(`${normalizedAddress}/proxy/{{port}}`)
+    expect(text).toBe(`Info: proxyUri: ${normalizedAddress}/proxy/{{port}}/`)
   })
 }
 
-const flags = ["--extensions-dir", path.join(__dirname, "./extensions")]
+const flags = ["--disable-workspace-trust", "--extensions-dir", path.join(__dirname, "./extensions")]
 
 describe("Extensions", flags, {}, () => {
   runTestExtensionTests()

test/e2e/extensions/ms-ceintl.vscode-language-pack-es-1.70.0/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "vscode-language-pack-es",
+  "displayName": "Spanish Language Pack for Visual Studio Code",
+  "description": "Language pack extension for Spanish",
+  "version": "1.70.0",
+  "publisher": "MS-CEINTL",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Microsoft/vscode-loc"
+  },
+  "engines": {
+    "vscode": "^1.70.0"
+  },
+  "categories": [
+    "Language Packs"
+  ],
+  "contributes": {
+    "localizations": [
+      {
+        "languageId": "es",
+        "languageName": "Spanish",
+        "localizedLanguageName": "español",
+        "translations": [
+          {
+            "id": "vscode",
+            "path": "./translations/main.i18n.json"
+          }
+        ]
+      }
+    ]
+  },
+  "__metadata": {
+    "id": "47e020a1-33db-4cc0-a1b4-42f97781749a",
+    "publisherDisplayName": "MS-CEINTL",
+    "publisherId": "0b0882c3-aee3-4d7c-b5f9-872f9be0a115",
+    "isPreReleaseVersion": false
+  }
+}

test/e2e/extensions/ms-ceintl.vscode-language-pack-es-1.70.0/translations/main.i18n.json

@@ -0,0 +1,15 @@
+{
+  "": [
+    "--------------------------------------------------------------------------------------------",
+    "Copyright (c) Microsoft Corporation. All rights reserved.",
+    "Licensed under the MIT License. See License.txt in the project root for license information.",
+    "--------------------------------------------------------------------------------------------",
+    "Do not edit this file. It is machine generated."
+  ],
+  "version": "1.0.0",
+  "contents": {
+    "vs/workbench/contrib/files/browser/explorerViewlet": {
+      "explore": "Explorador"
+    }
+  }
+}

test/e2e/extensions/test-extension/extension.ts

@@ -1,13 +1,31 @@
 import * as vscode from "vscode"
 
 export function activate(context: vscode.ExtensionContext) {
+  vscode.window.showInformationMessage("test extension loaded")
+  // Test extension
   context.subscriptions.push(
     vscode.commands.registerCommand("codeServerTest.proxyUri", () => {
       if (process.env.VSCODE_PROXY_URI) {
-        vscode.window.showInformationMessage(process.env.VSCODE_PROXY_URI)
+        vscode.window.showInformationMessage(`proxyUri: ${process.env.VSCODE_PROXY_URI}`)
       } else {
         vscode.window.showErrorMessage("No proxy URI was set")
       }
     }),
   )
+
+  // asExternalUri extension
+  context.subscriptions.push(
+    vscode.commands.registerCommand("codeServerTest.asExternalUri", async () => {
+      const input = await vscode.window.showInputBox({
+        prompt: "URL to pass through to asExternalUri",
+      })
+
+      if (input) {
+        const output = await vscode.env.asExternalUri(vscode.Uri.parse(input))
+        vscode.window.showInformationMessage(`input: ${input} output: ${output}`)
+      } else {
+        vscode.window.showErrorMessage(`Failed to run test case. No input provided.`)
+      }
+    }),
+  )
 }

test/e2e/extensions/test-extension/package.json

@@ -3,8 +3,9 @@
   "description": "code-server test extension",
   "version": "0.0.1",
   "publisher": "coder",
+  "license": "MIT",
   "activationEvents": [
-    "onCommand:codeServerTest.proxyUri"
+    "onStartupFinished"
   ],
   "engines": {
     "vscode": "^1.56.0"
@@ -16,6 +17,11 @@
         "command": "codeServerTest.proxyUri",
         "title": "Get proxy URI",
         "category": "code-server"
+      },
+      {
+        "command": "codeServerTest.asExternalUri",
+        "title": "asExternalUri test",
+        "category": "code-server"
       }
     ]
   },

test/e2e/github.test.ts

@@ -2,7 +2,7 @@ import { test as base } from "@playwright/test"
 import { describe, expect, test } from "./baseFixture"
 
 if (process.env.GITHUB_TOKEN) {
-  describe("GitHub token", [], {}, () => {
+  describe("GitHub token", ["--disable-workspace-trust"], {}, () => {
     test("should be logged in to pull requests extension", async ({ codeServerPage }) => {
       await codeServerPage.exec("git init")
       await codeServerPage.exec("git remote add origin https://github.com/coder/code-server")
@@ -16,7 +16,7 @@ if (process.env.GITHUB_TOKEN) {
     })
   })
 
-  describe("No GitHub token", [], { GITHUB_TOKEN: "" }, () => {
+  describe("No GitHub token", ["--disable-workspace-trust"], { GITHUB_TOKEN: "" }, () => {
     test("should not be logged in to pull requests extension", async ({ codeServerPage }) => {
       await codeServerPage.exec("git init")
       await codeServerPage.exec("git remote add origin https://github.com/coder/code-server")

test/e2e/login.test.ts

@@ -1,7 +1,7 @@
 import { PASSWORD } from "../utils/constants"
 import { describe, test, expect } from "./baseFixture"
 
-describe("login", ["--auth", "password"], {}, () => {
+describe("login", ["--disable-workspace-trust", "--auth", "password"], {}, () => {
   test("should see the login page", async ({ codeServerPage }) => {
     // It should send us to the login page
     expect(await codeServerPage.page.title()).toBe("code-server login")

test/e2e/logout.test.ts

@@ -1,7 +1,7 @@
 // NOTE@jsjoeio commenting out until we can figure out what's wrong
 // import { describe, test, expect } from "./baseFixture"
 
-// describe("logout", true, [], {}, () => {
+// describe("logout", true, ["--disable-workspace-trust"], {}, () => {
 //   test("should be able logout", async ({ codeServerPage }) => {
 //     // Recommended by Playwright for async navigation
 //     // https://github.com/microsoft/playwright/issues/1987#issuecomment-620182151

test/e2e/models/CodeServer.ts

@@ -82,12 +82,33 @@ export class CodeServer {
       path.join(dir, "User/settings.json"),
       JSON.stringify({
         "workbench.startupEditor": "none",
-        // NOTE@jsjoeio - needed to prevent Trust Policy prompt
-        // in end-to-end tests.
-        "security.workspace.trust.enabled": false,
       }),
       "utf8",
     )
+
+    const extensionsDir = path.join(__dirname, "../extensions")
+    const languagepacksContent = {
+      es: {
+        hash: "8d919a946475223861fa0c62665a4c50",
+        extensions: [
+          {
+            extensionIdentifier: {
+              id: "ms-ceintl.vscode-language-pack-es",
+              uuid: "47e020a1-33db-4cc0-a1b4-42f97781749a",
+            },
+            version: "1.70.0",
+          },
+        ],
+        translations: {
+          vscode: `${extensionsDir}/ms-ceintl.vscode-language-pack-es-1.70.0/translations/main.i18n.json`,
+        },
+        label: "español",
+      },
+    }
+
+    // NOTE@jsjoeio - code-server should automatically generate the languagepacks.json for
+    // using different display languages. This is a temporary workaround until we fix that.
+    await fs.writeFile(path.join(dir, "languagepacks.json"), JSON.stringify(languagepacksContent))
     return dir
   }
 
@@ -296,6 +317,16 @@ export class CodeServerPage {
     return visible
   }
 
+  /**
+   * Checks if the test extension loaded
+   */
+  async waitForTestExtensionLoaded(): Promise<void> {
+    const selector = "text=test extension loaded"
+    this.codeServer.logger.debug("Waiting for test extension to load...")
+
+    await this.page.waitForSelector(selector)
+  }
+
   /**
    * Focuses the integrated terminal by navigating through the command palette.
    *

test/e2e/openHelpAbout.test.ts

@@ -1,7 +1,7 @@
 import { version } from "../../src/node/constants"
 import { describe, test, expect } from "./baseFixture"
 
-describe("Open Help > About", [], {}, () => {
+describe("Open Help > About", ["--disable-workspace-trust"], {}, () => {
   test("should see code-server version in about dialog", async ({ codeServerPage }) => {
     // Open using the menu.
     await codeServerPage.navigateMenus(["Help", "About"])

test/e2e/terminal.test.ts

@@ -5,7 +5,7 @@ import util from "util"
 import { clean, getMaybeProxiedCodeServer, tmpdir } from "../utils/helpers"
 import { describe, expect, test } from "./baseFixture"
 
-describe("Integrated Terminal", [], {}, () => {
+describe("Integrated Terminal", ["--disable-workspace-trust"], {}, () => {
   const testName = "integrated-terminal"
   test.beforeAll(async () => {
     await clean(testName)
@@ -30,6 +30,7 @@ describe("Integrated Terminal", [], {}, () => {
     expect(stdout).toMatch(address)
   })
 
+  // TODO@jsjoeio - add test to make sure full code-server path works
   test("should be able to invoke `code-server` to open a file", async ({ codeServerPage }) => {
     const tmpFolderPath = await tmpdir(testName)
     const tmpFile = path.join(tmpFolderPath, "test-file")

test/e2e/trust.test.ts

@@ -0,0 +1,13 @@
+import { describe, test, expect } from "./baseFixture"
+
+describe("Workspace trust (enabled)", [], {}, async () => {
+  test("should see the 'I Trust...' option", async ({ codeServerPage }) => {
+    expect(await codeServerPage.page.isVisible("text=Yes, I trust")).toBe(true)
+  })
+})
+
+describe("Workspace trust (disabled)", ["--disable-workspace-trust"], {}, async () => {
+  test("should not see the 'I Trust...' option", async ({ codeServerPage }) => {
+    expect(await codeServerPage.page.isVisible("text=Yes, I trust")).toBe(false)
+  })
+})

test/playwright.config.ts

@@ -8,6 +8,7 @@ import path from "path"
 //   yarn test:e2e --workers 1        # Run with one worker
 //   yarn test:e2e --project Chromium # Only run on Chromium
 //   yarn test:e2e --grep login       # Run tests matching "login"
+//   PWDEBUG=1 yarn test:e2e          # Run Playwright inspector
 const config: PlaywrightTestConfig = {
   testDir: path.join(__dirname, "e2e"), // Search for tests in this directory.
   timeout: 60000, // Each test is given 60 seconds.