chore: bump i18next from 22.5.1 to 23.2.11 (#6326 )

Bumps [i18next](https://github.com/i18next/i18next) from 22.5.1 to 23.2.11. - [Release notes](https://github.com/i18next/i18next/releases) - [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md) - [Commits](https://github.com/i18next/i18next/compare/v22.5.1...v23.2.11) --- updated-dependencies: - dependency-name: i18next dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
chore: bump @typescript-eslint/eslint-plugin from 5.59.1 to 5.62.0 (#6327 )
2026-04-14 06:24:32 -05:00 · 2023-07-20 14:03:21 -05:00 · 2023-07-20 13:31:37 -05:00 · 2023-07-19 14:04:03 -08:00 · 2023-07-19 14:02:19 -08:00 · 2023-07-19 14:01:32 -08:00
5438 changed files with 19657 additions and 1441497 deletions
--- a/.eslintrc.yaml
+++ b/.eslintrc.yaml
@@ -36,11 +36,8 @@ rules:
  import/order:
    [error, { alphabetize: { order: "asc" }, groups: [["builtin", "external", "internal"], "parent", "sibling"] }]
  no-async-promise-executor: off
-  # This isn't a real module, just types, which apparently doesn't resolve.
-  import/no-unresolved: [error, { ignore: ["express-serve-static-core"] }]

 settings:
-  # Does not work with CommonJS unfortunately.
-  import/ignore:
-    - env-paths
-    - xdg-basedir
+  import/resolver:
+    typescript:
+      alwaysTryTypes: true
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,3 +1,7 @@
-* @cdr/code-server-reviewers
+* @coder/code-server

-ci/helm-chart @Matthew-Beckett @alexgorbatchev
+ci/helm-chart/ @Matthew-Beckett @alexgorbatchev
+
+docs/install.md @GNUxeava
+
+src/node/i18n/locales/zh-cn.json @zhaozhiming
--- a/.github/ISSUE_TEMPLATE/bug-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -1,74 +0,0 @@
---
-name: Bug report
-about: Report a bug and help us improve
-title: ""
-labels: ""
-assignees: ""
---
-
-<!--
-
-Hi there! 👋
-
-Thanks for reporting a bug.
-
-Please search for existing issues before filing, as they may contain additional
-information about the problem and descriptions of workarounds. Provide as much
-information as you can, so that we can reproduce the issue. Otherwise, we may
-not be able to help diagnose the problem, and may close the issue as
-unreproducible or incomplete. For visual defects, please include screenshots to
-help us understand the issue.
-->
-
-## OS/Web Information
-
- Web Browser:
- Local OS:
- Remote OS:
- Remote Architecture:
- `code-server --version`:
-
-## Steps to Reproduce
-
-1.
-2.
-3.
-
-## Expected
-
-<!-- What should happen? -->
-
-## Actual
-
-<!-- What actually happens? -->
-
-## Logs
-
-<!--
-First run code-server with at least debug logging (or trace to be really
-thorough) by setting the --log flag or the LOG_LEVEL environment variable. -vvv
-and --verbose are aliases for --log trace. For example:
-
-code-server --log debug
-
-Once this is done, replicate the issue you're having then collect logging
-information from the following places:
-
-    1. The most recent files from ~/.local/share/code-server/coder-logs.
-    2. The browser console.
-    3. The browser network tab.
-
-Additionally, collecting core dumps (you may need to enable them first) if
-code-server crashes can be helpful.
-->
-
-## Screenshot
-
-<!-- Ideally provide a screenshot, gif, video or screen recording. -->
-
-## Notes
-
-<!-- If you can reproduce the issue on vanilla VS Code,
-please file the issue at the VS Code repository instead. -->
-
-This issue can be reproduced in VS Code: Yes/No
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -0,0 +1,88 @@
+name: Bug report
+description: File a bug report
+title: "[Bug]: "
+labels: ["bug", "triage"]
+body:
+  - type: checkboxes
+    attributes:
+      label: Is there an existing issue for this?
+      description: Please search to see if an issue already exists for the bug you encountered.
+      options:
+        - label: I have searched the existing issues
+          required: true
+  - type: textarea
+    attributes:
+      label: OS/Web Information
+      description: |
+        examples:
+          - **Web Browser**: Chrome
+          - **Local OS**: macOS
+          - **Remote OS**: Ubuntu
+          - **Remote Architecture**: amd64
+          - **`code-server --version`**: 4.0.1
+      value: |
+        - Web Browser:
+        - Local OS:
+        - Remote OS:
+        - Remote Architecture:
+        - `code-server --version`:
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Steps to Reproduce
+      description: |
+        1. open code-server
+        2. install extension
+        3. run command
+      value: |
+        1. 
+        2.
+        3.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected
+      description: What should happen?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Actual
+      description: What actually happens?
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs
+      description: Run code-server with the --verbose flag and then paste any relevant logs from the server, from the browser console and/or the browser network tab. For issues with installation, include installation logs (i.e. output of `yarn global add code-server`).
+  - type: textarea
+    attributes:
+      label: Screenshot/Video
+      description: Please include a screenshot, gif or screen recording of your issue.
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Does this issue happen in VS Code or GitHub Codespaces?
+      description: Please try reproducing this issue in VS Code or GitHub Codespaces
+      options:
+        - label: I cannot reproduce this in VS Code.
+          required: true
+        - label: I cannot reproduce this in GitHub Codespaces.
+          required: true
+  - type: checkboxes
+    attributes:
+      label: Are you accessing code-server over HTTPS?
+      description: code-server relies on service workers for many features. Double-check that you are using HTTPS.
+      options:
+        - label: I am using HTTPS.
+          required: true
+  - type: textarea
+    attributes:
+      label: Notes
+      description: Please include any addition notes that will help us resolve this issue.
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,8 +1,8 @@
 blank_issues_enabled: false
 contact_links:
-  - name: Question
-    url: https://github.com/cdr/code-server/discussions/new?category_id=22503114
+  - name: Question?
+    url: https://github.com/coder/code-server/discussions/new?category_id=22503114
    about: Ask the community for help on our GitHub Discussions board
-  - name: Chat
-    about: Need immediate help or just want to talk? Hop in our Slack
+  - name: code-server Slack Community
+    about: Need immediate help or just want to talk? Hop in our Slack. Note - this Slack is not actively monitored by code-server maintainers.
    url: https://cdr.co/join-community
--- a/.github/ISSUE_TEMPLATE/doc.md
+++ b/.github/ISSUE_TEMPLATE/doc.md
@@ -1,7 +1,13 @@
 ---
 name: Documentation improvement
 about: Suggest a documentation improvement
-title: ""
+title: "[Docs]: "
 labels: "docs"
-assignees: ""
+assignees: "@jsjoeio"
 ---
+
+## What is your suggestion?
+
+## How will this improve the docs?
+
+## Are you interested in submitting a PR for this?
--- a/.github/ISSUE_TEMPLATE/extension-request.md
+++ b/.github/ISSUE_TEMPLATE/extension-request.md
@@ -1,18 +0,0 @@
---
-name: Extension request
-about: Request an extension missing from the code-server marketplace
-title: ""
-labels: extension-request
-assignees: ""
---
-
-<!--
-Details on the code-server extension marketplace are at
-
-https://github.com/cdr/code-server/blob/master/docs/FAQ.md#whats-the-deal-with-extensions
-
-Please fill in the issue template!
-->
-
- [ ] Extension name:
- [ ] Extension GitHub or homepage:
--- a/.github/ISSUE_TEMPLATE/feature-request.md
+++ b/.github/ISSUE_TEMPLATE/feature-request.md
@@ -1,13 +1,15 @@
 ---
 name: Feature request
-about: Suggest an idea
-title: ""
-labels: feature
+about: Suggest an idea to improve code-server
+title: "[Feat]: "
+labels: enhancement
 assignees: ""
 ---

-<!--
-Please search for existing issues before filing.
+## What is your suggestion?

-Please describe the feature as clearly as possible!
-->
+## Why do you want this feature?
+
+## Are there any workarounds to get this functionality today?
+
+## Are you interested in submitting a PR for this?
--- a/.github/ISSUE_TEMPLATE/release.md
+++ b/.github/ISSUE_TEMPLATE/release.md
@@ -1,16 +0,0 @@
---
-name: Release
-about: "*For maintainers only*"
-title: "release: 0.0.0"
-labels: ""
-assignees: "@cdr/code-server-reviewers"
---
-
-<!-- Maintainer: fill out the checklist -->
-
-## Checklist
-
- [ ] Assign to next release manager
- [ ] Close previous release milestone
- [ ] Create next release milestone
- [ ] Associate issue with next release milestone
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -5,6 +5,4 @@ If there is no existing issue, please first create one unless the fix is minor.
 Please make sure the base of your PR is the default branch!
 -->

-## Checklist
-
- [ ] updated `CHANGELOG.md`
+Fixes #
--- a/.github/PULL_REQUEST_TEMPLATE/release_template.md
+++ b/.github/PULL_REQUEST_TEMPLATE/release_template.md
@@ -12,5 +12,6 @@ Follow "Publishing a release" steps in `ci/README.md`

 <!-- Note some of these steps below are redundant since they're listed in the "Publishing a release" docs -->

- [ ] publish release and merge PR
- [ ] update the AUR package
+- [ ] update `CHANGELOG.md`
+- [ ] manually run "Draft release" workflow after merging this PR
+- [ ] merge PR opened in [code-server-aur](https://github.com/coder/code-server-aur)
--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@@ -0,0 +1,31 @@
+codecov:
+  require_ci_to_pass: yes
+  allow_coverage_offsets: True
+
+coverage:
+  precision: 2
+  round: down
+  range: "40...70"
+  status:
+    patch: off
+  notify:
+    slack:
+      default:
+        url: secret:v1::tXC7VwEIKYjNU8HRgRv2GdKOSCt5UzpykKZb+o1eCDqBgb2PEqwE3A26QUPYMLo4BO2qtrJhFIvwhUvlPwyzDCNGoNiuZfXr0UeZZ0y1TcZu672R/NBNMwEPO/e1Ye0pHxjzKHnuH7HqbjFucox/RBQLtiL3J56SWGE3JtbkC6o=
+        threshold: 1%
+        only_pulls: false
+        branches:
+          - "main"
+
+parsers:
+  gcov:
+    branch_detection:
+      conditional: yes
+      loop: yes
+      method: no
+      macro: no
+
+comment:
+  layout: "reach,diff,flags,files,footer"
+  behavior: default
+  require_changes: no
--- a/.github/codeql-config.yml
+++ b/.github/codeql-config.yml
@@ -1,4 +1 @@
 name: "code-server CodeQL config"
-
-paths-ignore:
-  - lib/vscode
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -0,0 +1,31 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    labels: []
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    commit-message:
+      prefix: "chore"
+    labels: []
+    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch
+      # Ignore major updates to Node.js types, because they need to
+      # correspond to the Node.js engine version
+      - dependency-name: "@types/node"
+        update-types:
+          - version-update:semver-major
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,32 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
-      time: "11:00"
-    ignore:
-      # GitHub always delivers the latest versions for each major
-      # release tag, so handle updates manually
-      - dependency-name: "actions/*"
-      - dependency-name: "github/codeql-action/*"
-      - dependency-name: "microsoft/playwright-github-action"
-
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "daily"
-      time: "11:00"
-    ignore:
-      - dependency-name: "@types/node"
-        versions: ["15.x", "14.x", "13.x"]
-      - dependency-name: "xdg-basedir"
-        # 5.0.0 has breaking changes as they switch to named exports
-        # and convert the module to ESM
-        # We can't use it until we switch to ESM across the project
-        # See release notes: https://github.com/sindresorhus/xdg-basedir/releases/tag/v5.0.0
-        versions: ["5.x"]
-      - dependency-name: "limiter"
-        # 2.0.0 has breaking changes
-        # so we can't update yet.
-        versions: ["2.x"]
--- a/.github/lock.yml
+++ b/.github/lock.yml
@@ -1,37 +0,0 @@
-# Configuration for Lock Threads - https://github.com/dessant/lock-threads-app
-
-# Number of days of inactivity before a closed issue or pull request is locked
-daysUntilLock: 90
-
-# Skip issues and pull requests created before a given timestamp. Timestamp must
-# follow ISO 8601 (`YYYY-MM-DD`). Set to `false` to disable
-skipCreatedBefore: false
-
-# Issues and pull requests with these labels will be ignored. Set to `[]` to disable
-exemptLabels: []
-
-# Label to add before locking, such as `outdated`. Set to `false` to disable
-lockLabel: false
-
-# Comment to post before locking. Set to `false` to disable
-lockComment: >
-  This thread has been automatically locked since there has not been
-  any recent activity after it was closed. Please open a new issue for
-  related bugs.
-
-# Assign `resolved` as the reason for locking. Set to `false` to disable
-setLockReason: true
-# Limit to only `issues` or `pulls`
-# only: issues
-
-# Optionally, specify configuration settings just for `issues` or `pulls`
-# issues:
-#   exemptLabels:
-#     - help-wanted
-#   lockLabel: outdated
-
-# pulls:
-#   daysUntilLock: 30
-
-# Repository to extend settings from
-# _extends: repo
--- a/.github/ranger.yml
+++ b/.github/ranger.yml
@@ -15,26 +15,10 @@ labels:
  "squash when passing": merge
  "rebase when passing": merge
  "merge when passing": merge
-  stale:
-    action: close
-    delay: 7 days
-    comment: "⚠️ This issue has been marked stale and will automatically be closed in $DELAY."
  "new contributor":
    action: comment
    delay: 5s
    message: "Thanks for making your first contribution! :slightly_smiling_face:"
-  extension-request:
-    action: close
-    delay: 5s
-    comment: >
-      Thanks for opening an extension request!
-      We are currently in the process of switching extension
-      marketplaces and transitioning over to [Open VSX](https://open-vsx.org/).
-      Once https://github.com/eclipse/openvsx/issues/249 is implemented, we
-      can fully make this transition. Therefore, we are no longer accepting
-      new requests for extension requests. We suggest installing the VSIX
-      file and then installing into code-server as a temporary workaround.
-      See [docs](https://github.com/cdr/code-server/blob/main/docs/FAQ.md#installing-vsix-extensions-via-the-command-line) for more info.
  "upstream:vscode":
    action: close
    delay: 5s
--- a/.github/semantic.yaml
+++ b/.github/semantic.yaml
@@ -0,0 +1,66 @@
+###############################################################################
+# This file configures "Semantic Pull Requests", which is documented here:
+# https://github.com/zeke/semantic-pull-requests
+###############################################################################
+
+# Scopes are optionally supplied after a 'type'. For example, in
+#
+# feat(docs): autostart ui
+#
+# '(docs)' is the scope. Scopes are used to signify where the change occurred.
+scopes:
+  # docs: changes to the code-server documentation.
+  - docs
+
+  # vendor: changes to vendored dependencies.
+  - vendor
+
+  # deps: changes to code-server's dependencies.
+  - deps
+
+  # cs: changes to code specific to code-server.
+  - cs
+
+  # cli: changes to the command-line interface.
+  - cli
+
+# We only check that the PR title is semantic. The PR title is automatically
+# applied to the "Squash & Merge" flow as the suggested commit message, so this
+# should suffice unless someone drastically alters the message in that flow.
+titleOnly: true
+
+# Types are the 'tag' types in a commit or PR title. For example, in
+#
+# chore: fix thing
+#
+# 'chore' is the type.
+types:
+  # A build of any kind.
+  - build
+
+  # A user-facing change that corrects a defect in code-server.
+  - fix
+
+  # Any code task that is ignored for changelog purposes. Examples include
+  # devbin scripts and internal-only configurations.
+  - chore
+
+  # Any work performed on CI.
+  - ci
+
+  # Work that directly implements or supports the implementation of a feature.
+  - feat
+
+  # A refactor changes code structure without any behavioral change.
+  - refactor
+
+  # A git revert for any style of commit.
+  - revert
+
+  # Adding tests of any kind. Should be separate from feature or fix
+  # implementations. For example, if a commit adds a fix + test, it's a fix
+  # commit. If a commit is simply bumping coverage, it's a test commit.
+  - test
+
+  # A new release.
+  - release
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -0,0 +1,12 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 180
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 5
+# Label to apply when stale.
+staleLabel: stale
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no activity occurs in the next 5 days.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,420 @@
+name: Build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+# Note: if: success() is used in several jobs -
+# this ensures that it only executes if all previous jobs succeeded.
+
+# if: steps.cache-node-modules.outputs.cache-hit != 'true'
+# will skip running `yarn install` if it successfully fetched from cache
+
+jobs:
+  prettier:
+    name: Format with Prettier
+    runs-on: ubuntu-20.04
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Run prettier with actionsx/prettier
+        uses: actionsx/prettier@v2
+        with:
+          args: --check --loglevel=warn .
+
+  doctoc:
+    name: Doctoc markdown files
+    runs-on: ubuntu-20.04
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v37
+        with:
+          files: |
+            docs/**
+
+      - name: Install Node.js v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+          cache: "yarn"
+
+      - name: Install doctoc
+        run: yarn global add doctoc@2.2.1
+
+      - name: Run doctoc
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: yarn doctoc
+
+  lint-helm:
+    name: Lint Helm chart
+    runs-on: ubuntu-20.04
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v37
+        with:
+          files: |
+            ci/helm-chart/**
+
+      - name: Install helm
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: azure/setup-helm@v3.5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install helm kubeval plugin
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: helm plugin install https://github.com/instrumenta/helm-kubeval
+
+      - name: Lint Helm chart
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: helm kubeval ci/helm-chart
+
+  lint-ts:
+    name: Lint TypeScript files
+    runs-on: ubuntu-20.04
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v37
+        with:
+          files: |
+            **/*.ts
+            **/*.js
+          files_ignore: |
+            lib/vscode/**
+
+      - name: Install Node.js v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        if: steps.changed-files.outputs.any_changed == 'true'
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Install dependencies
+        if: steps.changed-files.outputs.any_changed == 'true' && steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Lint TypeScript files
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: yarn lint:ts
+
+  lint-actions:
+    name: Lint GitHub Actions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+      - name: Check workflow files
+        run: |
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash)
+          ./actionlint -color -shellcheck= -ignore "set-output"
+        shell: bash
+
+  test-unit:
+    name: Run unit tests
+    runs-on: ubuntu-20.04
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v37
+        with:
+          files: |
+            **/*.ts
+          files_ignore: |
+            lib/vscode/**
+
+      - name: Install Node.js v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        if: steps.changed-files.outputs.any_changed == 'true'
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Install dependencies
+        if: steps.changed-files.outputs.any_changed == 'true' && steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Run unit tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: yarn test:unit
+
+      - name: Upload coverage report to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+        if: success()
+
+  build:
+    name: Build code-server
+    runs-on: ubuntu-20.04
+    timeout-minutes: 60
+    env:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - name: Install quilt
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: quilt
+          version: 1.0
+
+      - name: Patch Code
+        run: quilt push -a
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-code-server-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-code-server-
+
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: yarn --frozen-lockfile
+
+      - name: Build code-server
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: yarn build
+
+      # Get Code's git hash.  When this changes it means the content is
+      # different and we need to rebuild.
+      - name: Get latest lib/vscode rev
+        id: vscode-rev
+        run: echo "rev=$(git rev-parse HEAD:./lib/vscode)" >> $GITHUB_OUTPUT
+
+      # We need to rebuild when we have a new version of Code, when any of
+      # the patches changed, or when the code-server version changes (since
+      # it gets embedded into the code).  Use VSCODE_CACHE_VERSION to
+      # force a rebuild.
+      - name: Fetch prebuilt Code package from cache
+        id: cache-vscode
+        uses: actions/cache@v3
+        with:
+          path: lib/vscode-reh-web-*
+          key: vscode-reh-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
+
+      - name: Build vscode
+        env:
+          VERSION: "0.0.0"
+        if: steps.cache-vscode.outputs.cache-hit != 'true'
+        run: yarn build:vscode
+
+      # The release package does not contain any native modules
+      # and is neutral to architecture/os/libc version.
+      - name: Create release package
+        run: yarn release
+        if: success()
+
+      # https://github.com/actions/upload-artifact/issues/38
+      - name: Compress release package
+        run: tar -czf package.tar.gz release
+
+      - name: Upload npm package artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: npm-package
+          path: ./package.tar.gz
+
+  test-e2e:
+    name: Run e2e tests
+    needs: build
+    runs-on: ubuntu-20.04
+    timeout-minutes: 25
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Download npm package
+        uses: actions/download-artifact@v3
+        with:
+          name: npm-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      - name: Install release package dependencies
+        run: cd release && npm install --unsafe-perm --omit=dev
+
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Install Playwright OS dependencies
+        run: |
+          ./test/node_modules/.bin/playwright install-deps
+          ./test/node_modules/.bin/playwright install
+
+      - name: Run end-to-end tests
+        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos
+          path: ./test/test-results
+
+      - name: Remove release packages and test artifacts
+        run: rm -rf ./release ./test/test-results
+
+  test-e2e-proxy:
+    name: Run e2e tests behind proxy
+    needs: build
+    runs-on: ubuntu-20.04
+    timeout-minutes: 25
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Download npm package
+        uses: actions/download-artifact@v3
+        with:
+          name: npm-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      - name: Install release package dependencies
+        run: cd release && npm install --unsafe-perm --omit=dev
+
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Install Playwright OS dependencies
+        run: |
+          ./test/node_modules/.bin/playwright install-deps
+          ./test/node_modules/.bin/playwright install
+
+      - name: Cache Caddy
+        uses: actions/cache@v3
+        id: caddy-cache
+        with:
+          path: |
+            ~/.cache/caddy
+          key: cache-caddy-2.5.2
+
+      - name: Install Caddy
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        if: steps.caddy-cache.outputs.cache-hit != 'true'
+        run: |
+          gh release download v2.5.2 --repo caddyserver/caddy --pattern "caddy_2.5.2_linux_amd64.tar.gz"
+          mkdir -p ~/.cache/caddy
+          tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy
+
+      - name: Start Caddy
+        run: sudo ~/.cache/caddy/caddy start --config ./ci/Caddyfile
+
+      - name: Run end-to-end tests
+        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e:proxy --global-timeout 840000
+
+      - name: Stop Caddy
+        if: always()
+        run: sudo ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos-proxy
+          path: ./test/test-results
+
+      - name: Remove release packages and test artifacts
+        run: rm -rf ./release ./test/test-results
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,486 +0,0 @@
-name: ci
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-
-# Note: if: success() is used in several jobs -
-# this ensures that it only executes if all previous jobs succeeded.
-
-# if: steps.cache-yarn.outputs.cache-hit != 'true'
-# will skip running `yarn install` if it successfully fetched from cache
-
-jobs:
-  prebuild:
-    name: Pre-build checks
-    runs-on: ubuntu-latest
-    env:
-      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2
-
-      - name: Install Node.js v12
-        uses: actions/setup-node@v2
-        with:
-          node-version: "12"
-
-      - name: Install helm
-        uses: azure/setup-helm@v1.1
-
-      - name: Fetch dependencies from cache
-        id: cache-yarn
-        uses: actions/cache@v2
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-
-      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: yarn --frozen-lockfile
-
-      - name: Run yarn fmt
-        run: yarn fmt
-        if: success()
-
-      - name: Run yarn lint
-        run: yarn lint
-        if: success()
-
-      - name: Run code-server unit tests
-        run: yarn test:unit
-        if: success()
-
-      - name: Upload coverage report to Codecov
-        run: yarn coverage
-        if: success()
-
-  audit-ci:
-    name: Run audit-ci
-    needs: prebuild
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2
-
-      - name: Install Node.js v12
-        uses: actions/setup-node@v2
-        with:
-          node-version: "12"
-
-      - name: Fetch dependencies from cache
-        id: cache-yarn
-        uses: actions/cache@v2
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-
-      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: yarn --frozen-lockfile
-
-      - name: Audit for vulnerabilities
-        run: yarn _audit
-        if: success()
-
-  build:
-    name: Build
-    needs: prebuild
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-
-      - name: Install Node.js v12
-        uses: actions/setup-node@v2
-        with:
-          node-version: "12"
-
-      - name: Fetch dependencies from cache
-        id: cache-yarn
-        uses: actions/cache@v2
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-
-      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: yarn --frozen-lockfile
-
-      - name: Build code-server
-        run: yarn build
-
-      # Parse the hash of the latest commit inside lib/vscode
-      # use this to avoid rebuilding it if nothing changed
-      # How it works: the `git log` command fetches the hash of the last commit
-      # that changed a file inside `lib/vscode`. If a commit changes any file in there,
-      # the hash returned will change, and we rebuild vscode. If the hash did not change,
-      # (for example, a change to `src/` or `docs/`), we reuse the same build as last time.
-      # This saves a lot of time in CI, as compiling VSCode can take anywhere from 5-10 minutes.
-      - name: Get latest lib/vscode rev
-        id: vscode-rev
-        run: echo "::set-output name=rev::$(git log -1 --format='%H' ./lib/vscode)"
-
-      - name: Attempt to fetch vscode build from cache
-        id: cache-vscode
-        uses: actions/cache@v2
-        with:
-          path: |
-            lib/vscode/.build
-            lib/vscode/out-build
-            lib/vscode/out-vscode
-            lib/vscode/out-vscode-min
-          key: vscode-build-${{ steps.vscode-rev.outputs.rev }}
-
-      - name: Build vscode
-        if: steps.cache-vscode.outputs.cache-hit != 'true'
-        run: yarn build:vscode
-
-      # The release package does not contain any native modules
-      # and is neutral to architecture/os/libc version.
-      - name: Create release package
-        run: yarn release
-        if: success()
-
-      # https://github.com/actions/upload-artifact/issues/38
-      - name: Compress release package
-        run: tar -czf package.tar.gz release
-
-      - name: Upload npm package artifact
-        uses: actions/upload-artifact@v2
-        with:
-          name: npm-package
-          path: ./package.tar.gz
-
-  # TODO: cache building yarn --production
-  # possibly 2m30s of savings(?)
-  # this requires refactoring our release scripts
-  package-linux-amd64:
-    name: x86-64 Linux build
-    needs: build
-    runs-on: ubuntu-latest
-    container: "centos:7"
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Install Node.js v12
-        uses: actions/setup-node@v2
-        with:
-          node-version: "12"
-
-      - name: Install development tools
-        run: |
-          yum install -y epel-release centos-release-scl
-          yum install -y devtoolset-9-{make,gcc,gcc-c++} jq rsync
-
-      - name: Install nfpm and envsubst
-        run: |
-          curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1
-          curl -L https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst
-          chmod +x envsubst
-          mv envsubst ~/.local/bin
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Install yarn
-        run: npm install -g yarn
-
-      - name: Download npm package
-        uses: actions/download-artifact@v2
-        with:
-          name: npm-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      # NOTE: && here is deliberate - GitHub puts each line in its own `.sh`
-      # file when running inside a docker container.
-      - name: Build standalone release
-        run: source scl_source enable devtoolset-9 && yarn release:standalone
-
-      - name: Sanity test standalone release
-        run: yarn test:standalone-release
-
-      - name: Build packages with nfpm
-        run: yarn package
-
-      - name: Upload release artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: release-packages
-          path: ./release-packages
-
-  # NOTE@oxy:
-  # We use Ubuntu 16.04 here, so that our build is more compatible
-  # with older libc versions. We used to (Q1'20) use CentOS 7 here,
-  # but it has a full update EOL of Q4'20 and a 'critical security'
-  # update EOL of 2024. We're dropping full support a few years before
-  # the final EOL, but I don't believe CentOS 7 has a large arm64 userbase.
-  # It is not feasible to cross-compile with CentOS.
-
-  # Cross-compile notes: To compile native dependencies for arm64,
-  # we install the aarch64 cross toolchain and then set it as the default
-  # compiler/linker/etc. with the AR/CC/CXX/LINK environment variables.
-  # qemu-user-static on ubuntu-16.04 currently doesn't run Node correctly,
-  # so we just build with "native"/x86_64 node, then download arm64 node
-  # and then put it in our release. We can't smoke test the arm64 build this way,
-  # but this means we don't need to maintain a self-hosted runner!
-  package-linux-arm64:
-    name: Linux ARM64 cross-compile build
-    needs: build
-    runs-on: ubuntu-16.04
-    env:
-      AR: aarch64-linux-gnu-ar
-      CC: aarch64-linux-gnu-gcc
-      CXX: aarch64-linux-gnu-g++
-      LINK: aarch64-linux-gnu-g++
-      NPM_CONFIG_ARCH: arm64
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Install Node.js v12
-        uses: actions/setup-node@v2
-        with:
-          node-version: "12"
-
-      - name: Install nfpm
-        run: |
-          curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Install cross-compiler
-        run: sudo apt install g++-aarch64-linux-gnu
-
-      - name: Download npm package
-        uses: actions/download-artifact@v2
-        with:
-          name: npm-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      - name: Build standalone release
-        run: yarn release:standalone
-
-      - name: Replace node with arm64 equivalent
-        run: |
-          wget https://nodejs.org/dist/v12.18.4/node-v12.18.4-linux-arm64.tar.gz
-          tar -xzf node-v12.18.4-linux-arm64.tar.gz node-v12.18.4-linux-arm64/bin/node --strip-components=2
-          mv ./node ./release-standalone/lib/node
-
-      - name: Build packages with nfpm
-        run: yarn package arm64
-
-      - name: Upload release artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: release-packages
-          path: ./release-packages
-
-  package-macos-amd64:
-    name: x86-64 macOS build
-    needs: build
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Install Node.js v12
-        uses: actions/setup-node@v2
-        with:
-          node-version: "12"
-
-      - name: Install nfpm
-        run: |
-          curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Download npm package
-        uses: actions/download-artifact@v2
-        with:
-          name: npm-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      - name: Build standalone release
-        run: yarn release:standalone
-
-      - name: Sanity test standalone release
-        run: yarn test:standalone-release
-
-      - name: Build packages with nfpm
-        run: yarn package
-
-      - name: Upload release artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: release-packages
-          path: ./release-packages
-
-  test-e2e:
-    name: End-to-end tests
-    needs: package-linux-amd64
-    runs-on: ubuntu-latest
-    env:
-      PASSWORD: e45432jklfdsab
-      CODE_SERVER_ADDRESS: http://localhost:8080
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Install Node.js v12
-        uses: actions/setup-node@v2
-        with:
-          node-version: "12"
-
-      - name: Install playwright
-        uses: microsoft/playwright-github-action@v1
-
-      - name: Fetch dependencies from cache
-        id: cache-yarn
-        uses: actions/cache@v2
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-
-      - name: Download release packages
-        uses: actions/download-artifact@v2
-        with:
-          name: release-packages
-          path: ./release-packages
-
-      - name: Untar code-server file
-        run: |
-          cd release-packages && tar -xzf code-server*-linux-amd64.tar.gz
-
-      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: yarn --frozen-lockfile
-
-      # HACK: this shouldn't need to exist, but put it here anyway
-      # in an attempt to solve Playwright cache failures.
-      - name: Reinstall playwright
-        if: steps.cache-yarn.outputs.cache-hit == 'true'
-        run: |
-          cd test/
-          rm -r node_modules/playwright
-          yarn install --check-files
-
-      - name: Run end-to-end tests
-        run: |
-          ./release-packages/code-server*-linux-amd64/bin/code-server --log trace &
-          yarn test:e2e
-
-      - name: Upload test artifacts
-        if: always()
-        uses: actions/upload-artifact@v2
-        with:
-          name: failed-test-videos
-          path: ./test/test-results
-
-      - name: Remove release packages and test artifacts
-        run: rm -rf ./release-packages ./test/test-results
-
-  docker-amd64:
-    runs-on: ubuntu-latest
-    needs: package-linux-amd64
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Download release package
-        uses: actions/download-artifact@v2
-        with:
-          name: release-packages
-          path: ./release-packages
-
-      - name: Run ./ci/steps/build-docker-image.sh
-        run: ./ci/steps/build-docker-image.sh
-
-      - name: Upload release image
-        uses: actions/upload-artifact@v2
-        with:
-          name: release-images
-          path: ./release-images
-
-  # TODO: this is the last place where we use our self-hosted arm64 runner.
-  # In the future, consider switching to docker buildx + qemu,
-  # thus removing the requirement for us to maintain the runner.
-  docker-arm64:
-    runs-on: ubuntu-arm64-latest
-    needs: package-linux-arm64
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Download release package
-        uses: actions/download-artifact@v2
-        with:
-          name: release-packages
-          path: ./release-packages
-
-      - name: Run ./ci/steps/build-docker-image.sh
-        run: ./ci/steps/build-docker-image.sh
-
-      - name: Upload release image
-        uses: actions/upload-artifact@v2
-        with:
-          name: release-images
-          path: ./release-images
-
-  trivy-scan-image:
-    runs-on: ubuntu-20.04
-    needs: docker-amd64
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Download release images
-        uses: actions/download-artifact@v2
-        with:
-          name: release-images
-          path: ./release-images
-
-      - name: Run Trivy vulnerability scanner in image mode
-        # Commit SHA for v0.0.17
-        uses: aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b
-        with:
-          input: "./release-images/code-server-amd64-*.tar"
-          scan-type: "image"
-          ignore-unfixed: true
-          format: "template"
-          template: "@/contrib/sarif.tpl"
-          output: "trivy-image-results.sarif"
-          severity: "HIGH,CRITICAL"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: "trivy-image-results.sarif"
-  # We have to use two trivy jobs
-  # because GitHub only allows
-  # codeql/upload-sarif action per job
-  trivy-scan-repo:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Run Trivy vulnerability scanner in repo mode
-        #Commit SHA for v0.0.17
-        uses: aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b
-        with:
-          scan-type: "fs"
-          scan-ref: "."
-          ignore-unfixed: true
-          format: "template"
-          template: "@/contrib/sarif.tpl"
-          output: "trivy-repo-results.sarif"
-          severity: "HIGH,CRITICAL"
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: "trivy-repo-results.sarif"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,33 +0,0 @@
-name: "Code Scanning"
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [main]
-  schedule:
-    # Runs every Monday morning PST
-    - cron: "17 15 * * 1"
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-20.04
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
-        with:
-          config-file: ./.github/codeql-config.yml
-          languages: javascript
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
--- a/.github/workflows/installer.yaml
+++ b/.github/workflows/installer.yaml
@@ -0,0 +1,76 @@
+name: Installer integration
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "install.sh"
+      - ".github/workflows/installer.yaml"
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "install.sh"
+      - ".github/workflows/installer.yaml"
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+permissions:
+  contents: read
+
+jobs:
+  ubuntu:
+    name: Test installer on Ubuntu
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install code-server
+        run: ./install.sh
+
+      - name: Test code-server was installed globally
+        run: code-server --help
+
+  alpine:
+    name: Test installer on Alpine
+    runs-on: ubuntu-latest
+    container: "alpine:3.17"
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install curl
+        run: apk add curl
+
+      - name: Add user
+        run: adduser coder --disabled-password
+
+      # Standalone should work without root.
+      - name: Test standalone to a non-existent prefix
+        run: su coder -c "./install.sh --method standalone --prefix /tmp/does/not/yet/exist"
+
+      # We do not actually have Alpine standalone builds so running code-server
+      # will not work.
+      - name: Test code-server was installed to prefix
+        run: test -f /tmp/does/not/yet/exist/bin/code-server
+
+  macos:
+    name: Test installer on macOS
+    runs-on: macos-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install code-server
+        run: ./install.sh
+
+      - name: Test code-server was installed globally
+        run: code-server --help
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -1,12 +1,24 @@
-name: publish
+name: Publish code-server

 on:
  # Shows the manual trigger in GitHub UI
  # helpful as a back-up in case the GitHub Actions Workflow fails
  workflow_dispatch:
+    inputs:
+      version:
+        description: The version to publish (include "v", i.e. "v4.9.1").
+        type: string
+        required: true

  release:
-    types: [published]
+    types: [released]
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

 jobs:
  # NOTE: this job requires curl, jq and yarn
@@ -14,40 +26,173 @@ jobs:
  npm:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - name: Checkout code-server
+        uses: actions/checkout@v3

-      - name: Run ./ci/steps/publish-npm.sh
-        run: ./ci/steps/publish-npm.sh
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+          cache: "yarn"
+
+      - name: Download npm package from release artifacts
+        uses: robinraju/release-downloader@v1.8
+        with:
+          repository: "coder/code-server"
+          tag: ${{ github.event.inputs.version || github.ref_name }}
+          fileName: "package.tar.gz"
+          out-file-path: "release-npm-package"
+
+      # NOTE@jsjoeio - we do this so we can strip out the v
+      # i.e. v4.9.1 -> 4.9.1
+      - name: Get and set VERSION
+        run: |
+          TAG="${{ github.event.inputs.version || github.ref_name }}"
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
+      - name: Publish npm package and tag with "latest"
+        run: yarn publish:npm
        env:
+          VERSION: ${{ env.VERSION }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-  # NOTE: this job requires curl, jq and docker
-  # All of them are included in ubuntu-latest.
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Run ./ci/steps/push-docker-manifest.sh
-        run: ./ci/steps/push-docker-manifest.sh
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          NPM_ENVIRONMENT: "production"

  homebrew:
-    # The newest version of code-server needs to be available on npm when this runs
-    # otherwise, it will 404 and won't open a PR to bump version on homebrew/homebrew-core
    needs: npm
-    runs-on: macos-latest
+    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      # Ensure things are up to date
+      # Suggested by homebrew maintainers
+      # https://github.com/Homebrew/discussions/discussions/1532#discussioncomment-782633
+      - name: Set up Homebrew
+        id: set-up-homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+
+      - name: Checkout code-server
+        uses: actions/checkout@v3
+
      - name: Configure git
        run: |
-          git config user.name github-actions
-          git config user.email github-actions@github.com
+          git config --global user.name cdrci
+          git config --global user.email opensource@coder.com
+
+      # NOTE@jsjoeio - we do this so we can strip out the v
+      # i.e. v4.9.1 -> 4.9.1
+      - name: Get and set VERSION
+        run: |
+          TAG="${{ github.event.inputs.version || github.ref_name }}"
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
      - name: Bump code-server homebrew version
        env:
+          VERSION: ${{ env.VERSION }}
          HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
+
        run: ./ci/steps/brew-bump.sh
+
+  aur:
+    needs: npm
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    env:
+      GH_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
+
+    steps:
+      # We need to checkout code-server so we can get the version
+      - name: Checkout code-server
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          path: "./code-server"
+
+      - name: Checkout code-server-aur repo
+        uses: actions/checkout@v3
+        with:
+          repository: "cdrci/code-server-aur"
+          token: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
+          ref: "master"
+
+      - name: Merge in master
+        run: |
+          git remote add upstream https://github.com/coder/code-server-aur.git
+          git fetch upstream
+          git merge upstream/master
+
+      - name: Configure git
+        run: |
+          git config --global user.name cdrci
+          git config --global user.email opensource@coder.com
+
+      # NOTE@jsjoeio - we do this so we can strip out the v
+      # i.e. v4.9.1 -> 4.9.1
+      - name: Get and set VERSION
+        run: |
+          TAG="${{ github.event.inputs.version || github.ref_name }}"
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
+      - name: Validate package
+        uses: hapakaien/archlinux-package-action@v2
+        env:
+          VERSION: ${{ env.VERSION }}
+        with:
+          pkgver: ${{ env.VERSION }}
+          updpkgsums: true
+          srcinfo: true
+
+      - name: Open PR
+        # We need to git push -u otherwise gh will prompt
+        # asking where to push the branch.
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: |
+          git checkout -b update-version-${{ env.VERSION }}
+          git add .
+          git commit -m "chore: updating version to ${{ env.VERSION }}"
+          git push -u origin $(git branch --show)
+          gh pr create --repo coder/code-server-aur --title "chore: bump version to ${{ env.VERSION }}" --body "PR opened by @$GITHUB_ACTOR" --assignee $GITHUB_ACTOR
+  docker:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code-server
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # NOTE@jsjoeio - we do this so we can strip out the v
+      # i.e. v4.9.1 -> 4.9.1
+      - name: Get and set VERSION
+        run: |
+          TAG="${{ github.event.inputs.version || github.ref_name }}"
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
+      - name: Download release artifacts
+        uses: robinraju/release-downloader@v1.8
+        with:
+          repository: "coder/code-server"
+          tag: v${{ env.VERSION }}
+          fileName: "*.deb"
+          out-file-path: "release-packages"
+
+      - name: Publish to Docker
+        run: ./ci/steps/docker-buildx-push.sh
+        env:
+          VERSION: ${{ env.VERSION }}
+          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,320 @@
+name: Draft release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: The version to publish (include "v", i.e. "v4.9.1").
+        type: string
+        required: true
+
+permissions:
+  contents: write # For creating releases.
+  discussions: write #  For creating a discussion.
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  # TODO: cache building yarn --production
+  # possibly 2m30s of savings(?)
+  # this requires refactoring our release scripts
+  package-linux-amd64:
+    name: x86-64 Linux build
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: npm-version
+    container: "centos:7"
+    env:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Install development tools
+        run: |
+          yum install -y epel-release centos-release-scl make
+          yum install -y devtoolset-9-{make,gcc,gcc-c++} jq rsync python3
+          # for keytar
+          yum install -y libsecret-devel
+
+      - name: Install nfpm and envsubst
+        run: |
+          mkdir -p ~/.local/bin
+          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.22.2/nfpm_2.22.2_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
+          curl -sSfL https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst
+          chmod +x envsubst
+          mv envsubst ~/.local/bin
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Install yarn
+        run: npm install -g yarn
+
+      - name: Download npm package
+        uses: actions/download-artifact@v3
+        with:
+          name: npm-release-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      # NOTE: && here is deliberate - GitHub puts each line in its own `.sh`
+      # file when running inside a docker container.
+      - name: Build standalone release
+        run: source scl_source enable devtoolset-9 && npm run release:standalone
+
+      - name: Install test dependencies
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Run integration tests on standalone release
+        run: yarn test:integration
+
+      - name: Upload coverage report to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+        if: success()
+
+      # NOTE@jsjoeio - we do this so we can strip out the v
+      # i.e. v4.9.1 -> 4.9.1
+      - name: Get and set VERSION
+        run: |
+          TAG="${{ inputs.version || github.ref_name }}"
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
+      - name: Build packages with nfpm
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: yarn package
+
+      - uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          discussion_category_name: "📣 Announcements"
+          files: ./release-packages/*
+
+  # NOTE@oxy:
+  # We use Ubuntu 16.04 here, so that our build is more compatible
+  # with older libc versions. We used to (Q1'20) use CentOS 7 here,
+  # but it has a full update EOL of Q4'20 and a 'critical security'
+  # update EOL of 2024. We're dropping full support a few years before
+  # the final EOL, but I don't believe CentOS 7 has a large arm64 userbase.
+  # It is not feasible to cross-compile with CentOS.
+
+  # Cross-compile notes: To compile native dependencies for arm64,
+  # we install the aarch64/armv7l cross toolchain and then set it as the default
+  # compiler/linker/etc. with the AR/CC/CXX/LINK environment variables.
+  # qemu-user-static on ubuntu-16.04 currently doesn't run Node correctly,
+  # so we just build with "native"/x86_64 node, then download arm64/armv7l node
+  # and then put it in our release. We can't smoke test the cross build this way,
+  # but this means we don't need to maintain a self-hosted runner!
+
+  # NOTE@jsjoeio:
+  # We used to use 18.04 until GitHub browned it out on December 15, 2022
+  # See here: https://github.com/actions/runner-images/issues/6002
+  package-linux-cross:
+    name: Linux cross-compile builds
+    runs-on: ubuntu-20.04
+    timeout-minutes: 15
+    needs: npm-version
+    strategy:
+      matrix:
+        include:
+          - prefix: aarch64-linux-gnu
+            arch: arm64
+          - prefix: arm-linux-gnueabihf
+            arch: armv7l
+
+    env:
+      AR: ${{ format('{0}-ar', matrix.prefix) }}
+      CC: ${{ format('{0}-gcc', matrix.prefix) }}
+      CXX: ${{ format('{0}-g++', matrix.prefix) }}
+      LINK: ${{ format('{0}-g++', matrix.prefix) }}
+      NPM_CONFIG_ARCH: ${{ matrix.arch }}
+      NODE_VERSION: v16.13.0
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Install nfpm
+        run: |
+          mkdir -p ~/.local/bin
+          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Install cross-compiler
+        run: sudo apt update && sudo apt install $PACKAGE
+        env:
+          PACKAGE: ${{ format('g++-{0}', matrix.prefix) }}
+
+      - name: Download npm package
+        uses: actions/download-artifact@v3
+        with:
+          name: npm-release-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      # NOTE@jsjoeio - npm fails here
+      # so use yarn
+      - name: Build standalone release
+        run: yarn release:standalone
+
+      - name: Replace node with cross-compile equivalent
+        run: |
+          wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz
+          tar -xf node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}/bin/node --strip-components=2
+          mv ./node ./release-standalone/lib/node
+
+      # NOTE@jsjoeio - we do this so we can strip out the v
+      # i.e. v4.9.1 -> 4.9.1
+      - name: Get and set VERSION
+        run: |
+          TAG="${{ inputs.version || github.ref_name }}"
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
+      - name: Build packages with nfpm
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: yarn package ${NPM_CONFIG_ARCH}
+
+      - uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          discussion_category_name: "📣 Announcements"
+          files: ./release-packages/*
+
+  package-macos-amd64:
+    name: x86-64 macOS build
+    runs-on: macos-latest
+    timeout-minutes: 15
+    needs: npm-version
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Install nfpm
+        run: |
+          mkdir -p ~/.local/bin
+          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Download npm package
+        uses: actions/download-artifact@v3
+        with:
+          name: npm-release-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      - name: Build standalone release
+        run: npm run release:standalone
+
+      - name: Install test dependencies
+        run: SKIP_SUBMODULE_DEPS=1 yarn install
+
+      - name: Run native module tests on standalone release
+        run: yarn test:native
+
+      # NOTE@jsjoeio - we do this so we can strip out the v
+      # i.e. v4.9.1 -> 4.9.1
+      - name: Get and set VERSION
+        run: |
+          TAG="${{ inputs.version || github.ref_name }}"
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
+      - name: Build packages with nfpm
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: yarn package
+
+      - uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          discussion_category_name: "📣 Announcements"
+          files: ./release-packages/*
+
+  npm-package:
+    name: Upload npm package
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: npm-version
+    steps:
+      - name: Download npm package
+        uses: actions/download-artifact@v3
+        with:
+          name: npm-release-package
+
+      - uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          discussion_category_name: "📣 Announcements"
+          files: ./package.tar.gz
+
+  npm-version:
+    name: Modify package.json version
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Download artifacts
+        uses: dawidd6/action-download-artifact@v2
+        id: download
+        with:
+          branch: ${{ github.ref }}
+          workflow: build.yaml
+          workflow_conclusion: completed
+          name: npm-package
+          check_artifacts: false
+          if_no_artifact_found: fail
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      # NOTE@jsjoeio - we do this so we can strip out the v
+      # i.e. v4.9.1 -> 4.9.1
+      - name: Get and set VERSION
+        run: |
+          TAG="${{ inputs.version || github.ref_name }}"
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
+      - name: Modify version
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: |
+          echo "Updating version in root package.json"
+          npm version --prefix release "$VERSION"
+
+          echo "Updating version in lib/vscode/product.json"
+          tmp=$(mktemp) 
+          jq ".codeServerVersion = \"$VERSION\"" release/lib/vscode/product.json > "$tmp" && mv "$tmp" release/lib/vscode/product.json
+          # Ensure it has the same permissions as before
+          chmod 644 release/lib/vscode/product.json
+
+      - name: Compress release package
+        run: tar -czf package.tar.gz release
+
+      - name: Upload npm package artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: npm-release-package
+          path: ./package.tar.gz
--- a/.github/workflows/scripts.yaml
+++ b/.github/workflows/scripts.yaml
@@ -0,0 +1,67 @@
+name: Script unit tests
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "**.sh"
+      - "**.bats"
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "**.sh"
+      - "**.bats"
+
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  test:
+    name: Run script unit tests
+    runs-on: ubuntu-latest
+    # This runs on Alpine to make sure we're testing with actual sh.
+    container: "alpine:3.17"
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install test utilities
+        run: apk add bats checkbashisms
+
+      - name: Check Bashisms
+        run: checkbashisms ./install.sh
+
+      - name: Run script unit tests
+        run: ./ci/dev/test-scripts.sh
+
+  lint:
+    name: Lint shell files
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install lint utilities
+        run: sudo apt install shellcheck
+
+      - name: Lint shell files
+        run: ./ci/dev/lint-scripts.sh
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,105 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "package.json"
+  pull_request:
+    paths:
+      - "package.json"
+  schedule:
+    # Runs every Monday morning PST
+    - cron: "17 15 * * 1"
+
+# Cancel in-progress runs for pull requests when developers push additional
+# changes, and serialize builds in branches.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  audit-ci:
+    name: Audit node modules
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        id: cache-yarn
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Install dependencies
+        if: steps.cache-yarn.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Audit for vulnerabilities
+        run: yarn _audit
+        if: success()
+
+  trivy-scan-repo:
+    name: Scan repo with Trivy
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          ignore-unfixed: true
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-repo-results.sarif"
+          severity: "HIGH,CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-repo-results.sarif"
+
+  codeql-analyze:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/autobuild to send a status report
+    name: Analyze with CodeQL
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          config-file: ./.github/codeql-config.yml
+          languages: javascript
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/trivy-docker.yaml
+++ b/.github/workflows/trivy-docker.yaml
@@ -0,0 +1,65 @@
+name: Trivy Nightly Docker Scan
+
+on:
+  # Run scans if the workflow is modified, in order to test the
+  # workflow itself. This results in some spurious notifications,
+  # but seems okay for testing.
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/trivy-docker.yaml
+
+  # Run scans against master whenever changes are merged.
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/trivy-docker.yaml
+
+  schedule:
+    # Run at 10:15 am UTC (3:15am PT/5:15am CT)
+    # Run at 0 minutes 0 hours of every day.
+    - cron: "15 10 * * *"
+
+  workflow_dispatch:
+
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: write
+  statuses: none
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  trivy-scan-image:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in image mode
+        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
+        with:
+          image-ref: "docker.io/codercom/code-server:latest"
+          ignore-unfixed: true
+          format: "sarif"
+          output: "trivy-image-results.sarif"
+          severity: "HIGH,CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-image-results.sarif"
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,6 @@
 .tsbuildinfo
 .cache
-dist*
-out*
+/out*/
 release/
 release-npm-package/
 release-standalone/
@@ -9,12 +8,18 @@ release-packages/
 release-gcp/
 release-images/
 node_modules
-/lib/vscode/node_modules.asar
-node-*
 /plugins
 /lib/coder-cloud-agent
 .home
 coverage
 **/.DS_Store
+
+# Code packages itself here.
+/lib/vscode-reh-web-*
+
 # Failed e2e test videos are saved here
 test/test-results
+
+# Quilt's internal data.
+/.pc
+/patches/*.diff~
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "lib/vscode"]
+	path = lib/vscode
+	url = https://github.com/microsoft/vscode
--- a/.node-version
+++ b/.node-version
@@ -0,0 +1 @@
+16
--- a/.nvmrc
+++ b/.nvmrc
@@ -0,0 +1 @@
+.node-version
--- a/.prettierignore
+++ b/.prettierignore
@@ -0,0 +1,9 @@
+lib/vscode
+lib/vscode-reh-web-linux-x64
+release-standalone
+release-packages
+release
+helm-chart
+test/scripts
+test/e2e/extensions/test-extension
+.pc
--- a/.prettierrc.yaml
+++ b/.prettierrc.yaml
@@ -2,3 +2,5 @@ printWidth: 120
 semi: false
 trailingComma: all
 arrowParens: always
+singleQuote: false
+useTabs: false
--- a/.stylelintrc.yaml
+++ b/.stylelintrc.yaml
@@ -1,2 +0,0 @@
-extends:
-  - stylelint-config-recommended
--- a/.tours/contributing.tour
+++ b/.tours/contributing.tour
@@ -50,7 +50,7 @@
    {
      "file": "src/node/heart.ts",
      "line": 7,
-      "description": "code-server's heart beats to indicate recent activity.\n\nAlso documented here: [https://github.com/cdr/code-server/blob/master/docs/FAQ.md#heartbeat-file](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#heartbeat-file)"
+      "description": "code-server's heart beats to indicate recent activity.\n\nAlso documented here: [https://github.com/coder/code-server/blob/main/docs/FAQ.md#heartbeat-file](https://github.com/coder/code-server/blob/main/docs/FAQ.md#heartbeat-file)"
    },
    {
      "file": "src/node/socket.ts",
@@ -80,12 +80,12 @@
    {
      "file": "src/node/routes/domainProxy.ts",
      "line": 18,
-      "description": "code-server provides a built-in proxy to help in developing web-based applications. This is the code for the domain-based proxy.\n\nAlso documented here: [https://github.com/cdr/code-server/blob/master/docs/FAQ.md#how-do-i-securely-access-web-services](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#how-do-i-securely-access-web-services)"
+      "description": "code-server provides a built-in proxy to help in developing web-based applications. This is the code for the domain-based proxy.\n\nAlso documented here: [https://github.com/coder/code-server/blob/main/docs/FAQ.md#how-do-i-securely-access-web-services](https://github.com/coder/code-server/blob/main/docs/FAQ.md#how-do-i-securely-access-web-services)"
    },
    {
      "file": "src/node/routes/pathProxy.ts",
      "line": 19,
-      "description": "Here is the path-based version of the proxy.\n\nAlso documented here: [https://github.com/cdr/code-server/blob/master/docs/FAQ.md#how-do-i-securely-access-web-services](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#how-do-i-securely-access-web-services)"
+      "description": "Here is the path-based version of the proxy.\n\nAlso documented here: [https://github.com/coder/code-server/blob/main/docs/FAQ.md#how-do-i-securely-access-web-services](https://github.com/coder/code-server/blob/main/docs/FAQ.md#how-do-i-securely-access-web-services)"
    },
    {
      "file": "src/node/proxy.ts",
@@ -95,7 +95,7 @@
    {
      "file": "src/node/routes/health.ts",
      "line": 5,
-      "description": "A simple endpoint that lets you see if code-server is up.\n\nAlso documented here: [https://github.com/cdr/code-server/blob/master/docs/FAQ.md#healthz-endpoint](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#healthz-endpoint)"
+      "description": "A simple endpoint that lets you see if code-server is up.\n\nAlso documented here: [https://github.com/coder/code-server/blob/main/docs/FAQ.md#healthz-endpoint](https://github.com/coder/code-server/blob/main/docs/FAQ.md#healthz-endpoint)"
    },
    {
      "file": "src/node/routes/login.ts",
@@ -145,7 +145,7 @@
    {
      "directory": "lib/vscode",
      "line": 1,
-      "description": "code-server makes use of VS Code's frontend web/remote support. Most of the modifications implement the remote server since that portion of the code is closed source and not released with VS Code.\n\nWe also have a few bug fixes and have added some features (like client-side extensions). See [https://github.com/cdr/code-server/blob/master/docs/CONTRIBUTING.md#modifications-to-vs-code](https://github.com/cdr/code-server/blob/master/docs/CONTRIBUTING.md#modifications-to-vs-code) for a list.\n\nWe make an effort to keep the modifications as few as possible."
+      "description": "code-server makes use of VS Code's frontend web/remote support. Most of the modifications implement the remote server since that portion of the code is closed source and not released with VS Code.\n\nWe also have a few bug fixes and have added some features (like client-side extensions). See [https://github.com/coder/code-server/blob/main/docs/CONTRIBUTING.md#modifications-to-vs-code](https://github.com/coder/code-server/blob/main/docs/CONTRIBUTING.md#modifications-to-vs-code) for a list.\n\nWe make an effort to keep the modifications as few as possible."
    }
  ]
-}
+}
--- a/.tours/start-development.tour
+++ b/.tours/start-development.tour
@@ -5,7 +5,7 @@
    {
      "file": "package.json",
      "line": 31,
-      "description": "## Commands\n\nTo start developing, make sure you have Node 12+ and the [required dependencies](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites) installed. Then, run the following commands:\n\n1. Install dependencies:\n>> yarn\n\n3. Start development mode (and watch for changes):\n>> yarn watch"
+      "description": "## Commands\n\nTo start developing, make sure you have Node 16+ and the [required dependencies](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites) installed. Then, run the following commands:\n\n1. Install dependencies:\n>> yarn\n\n3. Start development mode (and watch for changes):\n>> yarn watch"
    },
    {
      "file": "src/node/app.ts",
@@ -20,7 +20,7 @@
    {
      "file": "src/node/app.ts",
      "line": 62,
-      "description": "## That's it!\n\n\nThat's all there is to it! When this tour ends, your terminal session may stop, but just use `yarn watch` to start developing from here on out!\n\n\nIf you haven't already, be sure to check out these resources:\n- [Tour: Contributing](command:codetour.startTourByTitle?[\"Contributing\")\n- [Docs: FAQ.md](https://github.com/cdr/code-server/blob/master/docs/FAQ.md)\n- [Docs: CONTRIBUTING.md](https://github.com/cdr/code-server/blob/master/docs/CONTRIBUTING.md)\n- [Community: GitHub Discussions](https://github.com/cdr/code-server/discussions)\n- [Community: Slack](https://community.coder.com)"
+      "description": "## That's it!\n\n\nThat's all there is to it! When this tour ends, your terminal session may stop, but just use `yarn watch` to start developing from here on out!\n\n\nIf you haven't already, be sure to check out these resources:\n- [Tour: Contributing](command:codetour.startTourByTitle?[\"Contributing\"])\n- [Docs: FAQ.md](https://github.com/coder/code-server/blob/main/docs/FAQ.md)\n- [Docs: CONTRIBUTING.md](https://github.com/coder/code-server/blob/main/docs/CONTRIBUTING.md)\n- [Community: GitHub Discussions](https://github.com/coder/code-server/discussions)\n- [Community: Slack](https://community.coder.com)"
    }
  ]
-}
+}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,163 +1,618 @@
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Changelog

- [Changelog](#changelog)
-  - [3.10.2](#3102)
-    - [New Features](#new-features)
-    - [Bug Fixes](#bug-fixes)
-    - [Development](#development)
-  - [3.10.1](#3101)
-    - [Bug Fixes](#bug-fixes-1)
-    - [Documentation](#documentation)
-    - [Development](#development-1)
-  - [3.10.0](#3100)
-    - [New Features](#new-features-1)
-    - [Bug Fixes](#bug-fixes-2)
-    - [Documentation](#documentation-1)
-    - [Development](#development-2)
-  - [Previous versions](#previous-versions)
+All notable changes to this project will be documented in this file.

-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

-# Changelog
+<!-- Example:

-<!--
+## [9.99.999] - 9090-09-09

-This should be updated on every PR.
+Code v99.99.999

-We copy from here into the release notes.
-
- -->
-
-<!--
-Add next version above previous version but below this line using the template
-
-## Next Version
-
-VS Code v0.00.0
-
-### New Features
-
- item
-
-### Bug Fixes
-
- fix(socket): did this thing #321 @githubuser
-
-### Documentation
-
- item
-
-### Development
-
- item
+### Changed
+### Added
+### Deprecated
+### Removed
+### Fixed
+### Security

 -->

-## 3.10.2
+## Unreleased

-VS Code v1.56.1
+Code v1.79.2

-### New Features
+## [4.14.1](https://github.com/coder/code-server/releases/tag/v4.14.1) - 2023-06-26

- feat: support `extraInitContainers` in helm chart values #3393 @strowk
- feat: change `extraContainers` to support templating in helm chart #3393 @strowk
+Code v1.79.2

-### Bug Fixes
+### Security

- fix: use correct command to Open Folder on Welcome page #3437 @jsjoeio
+- Remove extra write permissions on the Node binary bundled with the linux-amd64
+  tarball. If you extract the tar without a umask this could mean the Node
+  binary would be unexpectedly writable.

-### Development
+### Fixed

- fix(ci): update brew-bump.sh to update remote first #3438 @jsjoeio
+- Inability to launch multiple instances of code-server for different users.

-## 3.10.1
+### Added

-VS Code v1.56.1
+- `--session-socket` CLI flag to configure the location of the session socket.
+  By default it will be placed in `<user data dir>/code-server-ipc.sock`.

-### Bug Fixes
+## [4.14.0](https://github.com/coder/code-server/releases/tag/v4.14.0) - 2023-06-16

- fix: Check the logged user instead of $USER #3330 @videlanicolas
- fix: Fix broken node_modules.asar symlink in npm package #3355 @code-asher
- fix: Update cloud agent to fix version issue #3342 @oxy
+Code v1.79.2

-### Documentation
+### Added

- docs(install): add raspberry pi section #3376 @jsjoeio
- docs(maintaining): add pull requests section #3378 @jsjoeio
- docs(maintaining): add merge strategies section #3379 @jsjoeio
- refactor: move default PR template #3375 @jsjoeio
- docs(contributing): add commits section #3377 @jsjoeio
+- `--domain-proxy` now supports `{{port}}` and `{{host}}` template variables.

-### Development
+### Changed

- chore: ignore updates to microsoft/playwright-github-action
- fix(socket): use xdgBasedir.runtime instead of tmp #3304 @jsjoeio
- fix(ci): re-enable trivy-scan-repo #3368 @jsjoeio
+- Updated to Code 1.79.2
+- Files opened from an external terminal will now open in the most closely
+  related window rather than in the last opened window.

-## 3.10.0
+## [4.13.0](https://github.com/coder/code-server/releases/tag/v4.13.0) - 2023-05-19

-VS Code v1.56.0
+Code v1.78.2

-### New Features
+### Changed

- feat: minor connections refactor #3178 @code-asher
- feat(security): add code-scanning with CodeQL #3229 @jsjoeio
- feat(ci): add trivy job for security #3261 @jsjoeio
- feat(vscode): update to version 1.56.0 #3269 @oxy
- feat: use ptyHostService #3308 @code-asher
+- Updated to Code 1.78.2.

-### Bug Fixes
+### Fixed

- fix(socket): did this thing #321 @githubuser
- fix(login): rate limiter shouldn't count successful logins #3141 @jsjoeio
- chore(lib/vscode): update netmask #3187 @oxy
- chore(deps): update dependencies with CVEs #3223 @oxy
- fix: refactor logout #3277 @code-asher
- fix: add flag for toggling permessage-deflate #3286 @code-asher
- fix: make sure directories exist #3309 @code-asher
+- Proxying files that contain non-ASCII characters.
+- Origin check when X-Forwarded-Host contains comma-separated hosts.

-### Documentation
+## [4.12.0](https://github.com/coder/code-server/releases/tag/v4.12.0) - 2023-04-21

- docs(FAQ): add mention of sysbox #3087 @bpmct
- docs: add security policy #3148 @jsjoeio
- docs(guide.md): add `caddy` example for serving from sub-path #3217 @catthehacker
- docs: revamp debugging section #3224 @code-asher
- docs(readme): refactor to use codecov shield #3227 @jsjoeio
- docs(maintaining): use milestones over boards #3228 @jsjoeio
- docs(faq): add entry for accessing OSX folders #3247 @bpmct
- docs(termux): add workaround for Android backspace issue #3251 @jsjoeio
- docs(maintaining): add triage to workflow #3284 @jsjoeio
- docs(security): add section for tools #3287 @jsjoeio
- docs(maintaining): add versioning #3288 @jsjoeio
- docs: add changelog #3337 @jsjoeio
+Code v1.77.3

-### Development
+### Changed

- fix(update-vscode): add check/docs for git-subtree #3129 @oxy
- refactor(testing): migrate to playwright-test from jest-playwright #3133 @jsjoeio
- refactor(ci): remove unmaintained CI images and update release workflow #3147 @oxy
- chore(ci): migrate from hub to gh #3168 @oxy
- feat(testing): add e2e tests for code-server and terminal #3169 @jsjoeio
- chore(ranger): fix syntax for extension-request #3172 @oxy
- feat(testing): add codecov to generate test coverage reports #3194 @jsjoeio
- feat(testing): add tests for registerServiceWorker #3200 @jsjoeio
- refactor(testing): fix flaky terminal test #3230 @jsjoeio
- chore: ignore 15.x @types/node updates #3244 @jsjoeio
- chore(build): compile vscode+extensions in parallel #3250 @oxy
- fix(deps): remove eslint-plugin-jest-playwright #3260 @jsjoeio
- fix(testing): reduce flakiness of terminal.test.ts and use 1 worker for e2e tests #3263 @jsjoeio
- feat(testing): add isConnected check #3271 @jsjoeio
- feat(testing): add test for src/node/constants.ts #3290 @jsjoeio
- feat: test static route #3297 @code-asher
- refactor(ci): split audit from prebuild #3298 @oxy
- chore(lib/vscode): cleanup/update build deps #3314 @oxy
- fix(build): download correct cloud-agent for arch #3331 @oxy
- fix: xmldom and underscore #3332 @oxy
+- Updated to Code 1.77.3
+- Ports panel will use domain-based proxy (instead of the default path-based
+  proxy) when set via --proxy-domain.
+- Apply --app-name to the PWA title.
+
+### Added
+
+- Thai translation for login page.
+- Debug logs around the origin security check. If you are getting forbidden
+  errors on web sockets please run code-server with `--log debug` to see why the
+  requests are being blocked.
+
+## [4.11.0](https://github.com/coder/code-server/releases/tag/v4.11.0) - 2023-03-16
+
+Code v1.76.1
+
+### Changed
+
+- Updated to Code 1.76.1
+
+## [4.10.1](https://github.com/coder/code-server/releases/tag/v4.10.1) - 2023-03-04
+
+Code v1.75.1
+
+### Security
+
+Added an origin check to web sockets to prevent cross-site hijacking attacks on
+users using older or niche browser that do not support SameSite cookies and
+attacks across sub-domains that share the same root domain.
+
+The check requires the host header to be set so if you use a reverse proxy
+ensure it forwards that information otherwise web sockets will be blocked.
+
+## [4.10.0](https://github.com/coder/code-server/releases/tag/v4.10.0) - 2023-02-15
+
+Code v1.75.1
+
+### Changed
+
+- Updated to Code 1.75.1
+
+### Removed
+
+- Removed `--link` (was deprecated over thirteen months ago in 4.0.1).
+
+## [4.9.1](https://github.com/coder/code-server/releases/tag/v4.9.1) - 2022-12-15
+
+Code v1.73.1
+
+### Changed
+
+- Updated a couple steps in the build and release process to ensure we're using
+  `npm` and `yarn` consistently depending on the step.
+
+### Fixed
+
+- Fixed an issue with code-server version not displaying in the Help > About window.
+- Fixed terminal not loading on macOS clients.
+
+## [4.9.0](https://github.com/coder/code-server/releases/tag/v4.9.0) - 2022-12-06
+
+Code v1.73.1
+
+### Changed
+
+- Upgraded to Code 1.73.1
+
+### Added
+
+- `/security.txt` added as a route with info on our security policy information thanks to @ghuntley
+
+### Fixed
+
+- Installing on majaro images should now work thanks to @MrPeacockNLB for
+  adding the `--noconfirm` flag in `install.sh`
+
+### Known Issues
+
+- `--cert` on Ubuntu 22.04: OpenSSL v3 is used which breaks `pem` meaning the
+  `--cert` feature will not work. [Reference](https://github.com/adobe/fetch/pull/318#issuecomment-1306070259)
+
+## [4.8.3](https://github.com/coder/code-server/releases/tag/v4.8.3) - 2022-11-07
+
+Code v1.72.1
+
+### Added
+
+- install script now supports arch-like (i.e. manjaro, endeavourous, etc.)
+  architectures
+
+### Changed
+
+- Updated text in the Getting Started page.
+
+## [4.8.2](https://github.com/coder/code-server/releases/tag/v4.8.2) - 2022-11-02
+
+Code v1.72.1
+
+### Added
+
+- New text in the Getting Started page with info about
+  `coder/coder`. This is enabled by default but can be disabled by passing the CLI
+  flag `--disable-getting-started-override` or setting
+  `CS_DISABLE_GETTING_STARTED_OVERRIDE=1` or
+  `CS_DISABLE_GETTING_STARTED_OVERRIDE=true`.
+
+## [4.8.1](https://github.com/coder/code-server/releases/tag/v4.8.1) - 2022-10-28
+
+Code v1.72.1
+
+### Fixed
+
+- Fixed CSP error introduced in 4.8.0 that caused issues with webviews and most
+  extensions.
+
+## [4.8.0](https://github.com/coder/code-server/releases/tag/v4.8.0) - 2022-10-24
+
+Code v1.72.1
+
+### Added
+
+- Support for the Ports panel which leverages code-server's built-in proxy. It
+  also uses `VSCODE_PROXY_URI` where `{{port}}` is replace when forwarding a port.
+  Example: `VSCODE_PROXY_URI=https://{{port}}.kyle.dev` would forward an
+  application running on localhost:3000 to https://3000.kyle.dev
+- Support for `--disable-workspace-trust` CLI flag
+- Support for `--goto` flag to open file @ line:column
+- Added Ubuntu-based images for Docker releases. If you run into issues with
+  `PATH` being overwritten in Docker please try the Ubuntu image as this is a
+  problem in the Debian base image.
+
+### Changed
+
+- Updated Code to 1.72.1
+
+### Fixed
+
+- Enabled `BROWSER` environment variable
+- Patched `asExternalUri` to work so now extensions run inside code-server can use it
+
+## [4.7.1](https://github.com/coder/code-server/releases/tag/v4.7.1) - 2022-09-30
+
+Code v1.71.2
+
+### Changed
+
+- Updated Code to 1.71.2
+
+### Fixed
+
+- Fixed install script not upgrading code-server when already installed on RPM-based machines
+- Fixed install script failing to gain root permissions on FreeBSD
+
+## [4.7.0](https://github.com/coder/code-server/releases/tag/v4.7.0) - 2022-09-09
+
+Code v1.71.0
+
+### Changed
+
+- Updated Code to 1.71.0
+
+### Removed
+
+- Dropped heartbeat patch because it was implemented upstream
+
+### Fixed
+
+- Add flags --unsafe-perm --legacy-peer-deps in `npm-postinstsall.sh` which ensures installing with npm works correctly
+
+## [4.6.1](https://github.com/coder/code-server/releases/tag/v4.6.1) - 2022-09-31
+
+Code v1.70.2
+
+### Changed
+
+- Updated Code to 1.70.2
+- Updated `argon2` to 0.29.0 which should fix issues on FreeBSD
+- Updated docs to suggest using `npm` instead of `yarn`
+
+### Removed
+
+- Dropped database migration patch affected to 4.0.2 versions and earlier.
+
+### Fixed
+
+- Fixed preservation of `process.execArgv` which means you can pass `--prof` to profile code-server
+
+## [4.6.0](https://github.com/coder/code-server/releases/tag/v4.6.0) - 2022-08-17
+
+Code v1.70.1
+
+### Changed
+
+- Updated Code to 1.70.1.
+
+### Added
+
+- Added a heartbeat to sockets. This should prevent them from getting closed by
+  reverse proxy timeouts when idle like NGINX's default 60-second timeout.
+
+### Fixed
+
+- Fixed logout option appearing even when authentication is disabled.
+
+## [4.5.2](https://github.com/coder/code-server/releases/tag/v4.5.2) - 2022-08-15
+
+Code v1.68.1
+
+### Security
+
+- Fixed the proxy route not performing authentication. For example if you were
+  to run a development HTTP server using `python -m http.server 8000` then it
+  would be accessible at `my.domain/proxy/8000/` without any authentication.
+
+  If all of the following apply to you please update as soon as possible:
+
+  - You run code-server with the built-in password authentication.
+  - You run unprotected HTTP services on ports accessible by code-server.
+
+### Changed
+
+- Invoking `code-server` in the integrated terminal will now use the script that
+  comes with upstream Code. This means flags like `--wait` will be
+  automatically supported now. However the upstream script only has the ability
+  to interact with the running code-server and cannot spawn new instances. If
+  you need to spawn a new code-server from the integrated terminal please
+  specify the full path to code-server's usual script (for example
+  `/usr/bin/code-server`).
+
+### Fixed
+
+- Invoking `code-server` in the integrated terminal will now work instead of
+  erroring about not finding Node.
+
+## [4.5.1](https://github.com/coder/code-server/releases/tag/v4.5.1) - 2022-07-18
+
+Code v1.68.1
+
+### Changed
+
+- We now use `release/v<0.0.0>` for the release branch name so it doesn't
+  conflict with the tag name
+- Added `.prettierignore` to ignore formatting files in `lib/vscode`
+
+### Added
+
+- Allow more comprehensive affinity config in Helm chart
+- Added custom message in Homebrew PR to make sure code-server maintainers are
+  tagged
+- Allow setting `priorityClassName` via Helm chart
+- Added troubleshooting docs to `CONTRIBUTING.md`
+
+### Fixed
+
+- Removed default memory limit which was set via `NODE_OPTIONS`
+- Changed output in pipe to make it easier to debug code-server when doing live
+  edits
+- Fixed display-language patch to use correct path which broke in 4.5.0
+- Fixed multiple code-server windows opening when using the code-server CLI in
+  the Integrated Terminal
+- Fixed Integrated Terminal not working when web base was not the root path
+
+### Security
+
+- Updated `glob-parent` version in dependencies
+
+## [4.5.0](https://github.com/coder/code-server/releases/tag/v4.5.0) - 2022-06-29
+
+Code v1.68.1
+
+### Changed
+
+- Updated codecov to use codecov uploader
+- Moved integration tests to Jest
+- Fixed docker release to only download .deb
+- Upgraded to Code 1.68.1
+- Install `nfpm` from GitHub
+- Upgraded to TypeScript 4.6
+
+### Added
+
+- Added tests for `open`, `isWsl`, `handlePasswordValidation`
+- Provided alternate image registry to dockerhub
+- Allowed users to have scripts run on container with `ENTRYPOINTD` environment
+  variable
+
+### Fixed
+
+- Fixed open CLI command to work on macOS
+
+## [4.4.0](https://github.com/coder/code-server/releases/tag/v4.4.0) - 2022-05-06
+
+Code v1.66.2
+
+### Changed
+
+- Refactored methods in `Heart` class and made `Heart.beat()` async to make
+  testing easier.
+- Upgraded to Code 1.66.2.
+
+### Added
+
+- Added back telemetry patch which was removed in the Code reachitecture.
+- Added support to use `true` for `CS_DISABLE_FILE_DOWNLOADS` environment
+  variable. This means you can disable file downloads by setting
+  `CS_DISABLE_FILE_DOWNLOADS` to `true` or `1`.
+- Added tests for `Heart` class.
+
+### Fixed
+
+- Fixed installation issue in AUR after LICENSE rename.
+- Fixed issue with listening on IPv6 addresses.
+- Fixed issue with Docker publish action not being able to find artifacts. Now
+  it downloads the release assets from the release.
+
+## [4.3.0](https://github.com/coder/code-server/releases/tag/v4.3.0) - 2022-04-14
+
+Code v1.65.2
+
+### Changed
+
+- Excluded .deb files from release Docker image which drops the compressed and
+  uncompressed size by 58% and 34%.
+- Upgraded to Code 1.65.2.
+
+### Added
+
+- Added a new CLI flag called `--disable-file-downloads` which allows you to
+  disable the "Download..." option that shows in the UI when right-clicking on a
+  file. This can also set by running `CS_DISABLE_FILE_DOWNLOADS=1`.
+- Aligned the dependencies for binary and npm release artifacts.
+
+### Fixed
+
+- Fixed the code-server version from not displaying in the Help > About dialog.
+- Fixed issues with the TypeScript and JavaScript Language Features Extension
+  failing to activate.
+- Fixed missing files in ipynb extension.
+- Fixed the homebrew release workflow.
+- Fixed the Docker release workflow from not always publishing version tags.
+
+## [4.2.0](https://github.com/coder/code-server/releases/tag/v4.2.0) - 2022-03-22
+
+Code v1.64.2
+
+### Added
+
+- Added tests for `handleArgsSocketCatchError`, `setDefaults` and
+  `optionDescriptions`.
+
+### Changed
+
+- We switched from using the fork `coder/vscode` to a submodule of
+  `microsoft/vscode` + patches managed by `quilt` for how Code sits inside the
+  code-server codebase.
+- Upgraded to Code 1.64.2.
+
+### Fixed
+
+- Update popup notification through `--disable-update-check` is now fixed.
+- Fixed PWA icons not loading on iPad
+- Fixed the homebrew release process. Our `cdrci` bot should now automatically
+  update the version as part of the release pipeline.
+- Fixed titleBar color setting being ignored in PWA.
+
+### Security
+
+- Updated to `minimist-list`.
+- Updated `cloud-agent` to `v0.2.4` which uses `nhooyr.io/webscoket` `v1.8.7`.
+
+## [4.1.0](https://github.com/coder/code-server/releases/tag/v4.1.0) - 2022-03-03
+
+Code v1.63.0
+
+### Added
+
+- Support for injecting GitHub token into Code so extensions can make use of it.
+  This can be done with the `GITHUB_TOKEN` environment variable or `github-auth`
+  in the config file.
+- New flag `--socket-mode` allows setting the mode (file permissions) of the
+  socket created when using `--socket`.
+- The version of Code bundled with code-server now appears when using the
+  `--version` flag. For example: `4.0.2 5cdfe74686aa73e023f8354a9a6014eb30caa7dd with Code 1.63.0`.
+  If you have been parsing this flag for the version you might want to use
+  `--version --json` instead as doing that will be more stable.
+
+### Changed
+
+- The workspace or folder passed on the CLI will now use the same redirect
+  method that the last opened workspace or folder uses. This means if you use
+  something like `code-server /path/to/dir` you will now get a query parameter
+  added (like so: `my-domain.tld?folder=/path/to/dir`), making it easier to edit
+  by hand and making it consistent with the last opened and menu open behaviors.
+- The folder/workspace query parameter no longer has encoded slashes, making
+  them more readable and editable by hand. This was only affecting the last
+  opened behavior, not opens from the menu.
+
+### Fixed
+
+- Fix web sockets not connecting when using `--cert`.
+- Prevent workspace state collisions when opening a workspace that shares the
+  same file path with another workspace on a different machine that shares the
+  same domain. This was causing files opened in one workspace to be "re-"opened
+  in the other workspace when the other workspace is opened.
+- Pin the Express version which should make installing from npm work again.
+- Propagate signals to code-server in the Docker image which means it should
+  stop more quickly and gracefully.
+- Fix missing argon binaries in the standalone releases on arm machines.
+
+## [4.0.2](https://github.com/coder/code-server/releases/tag/v4.0.2) - 2022-01-27
+
+Code v1.63.0
+
+### Fixed
+
+- Unset the `BROWSER` environment variable. This fixes applications that hard
+  exit when trying to spawn the helper script `BROWSER` points to because the
+  file is missing. While we do include the script now we are leaving the
+  variable omitted because the script does not work yet.
+
+## [4.0.1](https://github.com/coder/code-server/releases/tag/v4.0.1) - 2022-01-04
+
+Code v1.63.0
+
+code-server has been rebased on upstream's newly open-sourced server
+implementation (#4414).
+
+### Changed
+
+- Web socket compression has been made the default (when supported). This means
+  the `--enable` flag will no longer take `permessage-deflate` as an option.
+- The static endpoint can no longer reach outside code-server. However the
+  vscode-remote-resource endpoint still can.
+- OpenVSX has been made the default marketplace.
+- The last opened folder/workspace is no longer stored separately in the
+  settings file (we rely on the already-existing query object instead).
+- The marketplace override environment variables `SERVICE_URL` and `ITEM_URL`
+  have been replaced with a single `EXTENSIONS_GALLERY` variable that
+  corresponds to `extensionsGallery` in Code's `product.json`.
+
+### Added
+
+- `VSCODE_PROXY_URI` env var for use in the terminal and extensions.
+
+### Removed
+
+- Extra extension directories have been removed. The `--extra-extensions-dir`
+  and `--extra-builtin-extensions-dir` flags will no longer be accepted.
+- The `--install-source` flag has been removed.
+
+### Deprecated
+
+- `--link` is now deprecated (#4562).
+
+### Security
+
+- We fixed a XSS vulnerability by escaping HTML from messages in the error page (#4430).
+
+## [3.12.0](https://github.com/coder/code-server/releases/tag/v3.12.0) - 2021-09-15
+
+Code v1.60.0
+
+### Changed
+
+- Upgrade Code to 1.60.0.
+
+### Fixed
+
+- Fix logout when using a base path (#3608).
+
+## [3.11.1](https://github.com/coder/code-server/releases/tag/v3.11.1) - 2021-08-06
+
+Undocumented (see releases page).
+
+## [3.11.0](https://github.com/coder/code-server/releases/tag/v3.11.0) - 2021-06-14
+
+Undocumented (see releases page).
+
+## [3.10.2](https://github.com/coder/code-server/releases/tag/v3.10.2) - 2021-05-21
+
+Code v1.56.1
+
+### Added
+
+- Support `extraInitContainers` in helm chart values (#3393).
+
+### Changed
+
+- Change `extraContainers` to support templating in helm chart (#3393).
+
+### Fixed
+
+- Fix "Open Folder" on welcome page (#3437).
+
+## [3.10.1](https://github.com/coder/code-server/releases/tag/v3.10.1) - 2021-05-17
+
+Code v1.56.1
+
+### Fixed
+
+- Check the logged user instead of $USER (#3330).
+- Fix broken node_modules.asar symlink in npm package (#3355).
+- Update cloud agent to fix version issue (#3342).
+
+### Changed
+
+- Use xdgBasedir.runtime instead of tmp (#3304).
+
+## [3.10.0](https://github.com/coder/code-server/releases/tag/v3.10.0) - 2021-05-10
+
+Code v1.56.0
+
+### Changed
+
+- Update to Code 1.56.0 (#3269).
+- Minor connections refactor (#3178). Improves connection stability.
+- Use ptyHostService (#3308). This brings us closer to upstream Code.
+
+### Added
+
+- Add flag for toggling permessage-deflate (#3286). The default is off so
+  compression will no longer be used by default. Use the --enable flag to
+  toggle it back on.
+
+### Fixed
+
+- Make rate limiter not count against successful logins (#3141).
+- Refactor logout (#3277). This fixes logging out in some scenarios.
+- Make sure directories exist (#3309). This fixes some errors on startup.
+
+### Security
+
+- Update dependencies with CVEs (#3223).

 ## Previous versions

-This was added with `3.10.0`, which means any previous versions are not documented in the changelog.
+This was added with `3.10.0`, which means any previous versions are not
+documented in the changelog.

-To see those, please visit the [Releases page](https://github.com/cdr/code-server/releases).
+To see those, please visit the [Releases page](https://github.com/coder/code-server/releases).
--- a/LICENSE.txt
+++ b/LICENSE.txt
--- a/README.md
+++ b/README.md
@@ -1,77 +0,0 @@
-# code-server &middot; [!["GitHub Discussions"](https://img.shields.io/badge/%20GitHub-%20Discussions-gray.svg?longCache=true&logo=github&colorB=purple)](https://github.com/cdr/code-server/discussions) [!["Join us on Slack"](https://img.shields.io/badge/join-us%20on%20slack-gray.svg?longCache=true&logo=slack&colorB=brightgreen)](https://cdr.co/join-community) [![Twitter Follow](https://img.shields.io/twitter/follow/CoderHQ?label=%40CoderHQ&style=social)](https://twitter.com/coderhq)
-
-[![codecov](https://codecov.io/gh/cdr/code-server/branch/main/graph/badge.svg?token=5iM9farjnC)](https://codecov.io/gh/cdr/code-server)
-[![See latest docs](https://img.shields.io/static/v1?label=Docs&message=see%20latest%20&color=blue)](https://github.com/cdr/code-server/tree/v3.10.2/docs)
-
-Run [VS Code](https://github.com/Microsoft/vscode) on any machine anywhere and access it in the browser.
-
-![Screenshot](./docs/assets/screenshot.png)
-
-## Highlights
-
- Code on any device with a consistent development environment
- Use cloud servers to speed up tests, compilations, downloads, and more
- Preserve battery life when you're on the go; all intensive tasks run on your server
-
-## Requirements
-
-For a good experience, we recommend at least:
-
- 1 GB of RAM
- 2 cores
-
-You can use whatever linux distribution floats your boat but in our [guide](./docs/guide.md) we assume Debian on Google Cloud.
-
-## Getting Started
-
-There are three ways you can get started:
-
-1. Using the [install script](./install.sh), which automates most of the process. The script uses the system package manager (if possible)
-2. Manually installing code-server; see [Installation](./docs/install.md) for instructions applicable to most use cases
-3. Use our one-click buttons and guides to [deploy code-server to a popular cloud provider](https://github.com/cdr/deploy-code-server) ⚡
-
-If you choose to use the install script, you can preview what occurs during the install process:
-
-```bash
-curl -fsSL https://code-server.dev/install.sh | sh -s -- --dry-run
-```
-
-To install, run:
-
-```bash
-curl -fsSL https://code-server.dev/install.sh | sh
-```
-
-When done, the install script prints out instructions for running and starting code-server.
-
-We also have an in-depth [setup and configuration](./docs/guide.md) guide.
-
-### code-server --link
-
-We're working on a cloud platform that makes deploying and managing code-server easier.
-Consider running code-server with the beta flag `--link` if you don't want to worry about
-
- TLS
- Authentication
- Port Forwarding
-
-```bash
-$ code-server --link
-Proxying code-server, you can access your IDE at https://valmar-jon.cdr.co
-```
-
-## FAQ
-
-See [./docs/FAQ.md](./docs/FAQ.md).
-
-## Want to help?
-
-See [CONTRIBUTING](./docs/CONTRIBUTING.md) for details.
-
-## Hiring
-
-Interested in [working at Coder](https://coder.com)? Check out [our open positions](https://jobs.lever.co/coder)!
-
-## For Organizations
-
-Visit [our website](https://coder.com) for more information about remote development for your organization or enterprise.
--- a/ci/Caddyfile
+++ b/ci/Caddyfile
@@ -0,0 +1,15 @@
+{
+	admin    localhost:4444
+}
+:8000 {
+	@portLocalhost path_regexp port ^/([0-9]+)\/ide
+        handle @portLocalhost {
+		uri strip_prefix {re.port.1}/ide
+                reverse_proxy localhost:{re.port.1}
+        }
+
+	handle {
+                respond "Bad hostname" 400
+        }
+
+}
--- a/ci/README.md
+++ b/ci/README.md
@@ -10,28 +10,6 @@ Any file or directory in this subdirectory should be documented here.
 - [./ci/lib.sh](./lib.sh)
  - Contains code duplicated across these scripts.

-## Publishing a release
-
-1. Run `yarn release:prep` and type in the new version i.e. 3.8.1
-2. GitHub actions will generate the `npm-package`, `release-packages` and `release-images` artifacts.
-   1. You do not have to wait for these.
-3. Run `yarn release:github-draft` to create a GitHub draft release from the template with
-   the updated version.
-   1. Summarize the major changes in the release notes and link to the relevant issues.
-   2. Change the @ to target the version branch. Example: `v3.9.0 @ Target: v3.9.0`
-4. Wait for the artifacts in step 2 to build.
-5. Run `yarn release:github-assets` to download the `release-packages` artifact.
-   - It will upload them to the draft release.
-6. Run some basic sanity tests on one of the released packages.
-   - Especially make sure the terminal works fine.
-7. Publish the release and merge the PR.
-   1. CI will automatically grab the artifacts and then:
-      1. Publish the NPM package from `npm-package`.
-      2. Publish the Docker Hub image from `release-images`.
-8. Update the AUR package.
-   - Instructions on updating the AUR package are at [cdr/code-server-aur](https://github.com/cdr/code-server-aur).
-9. Wait for the npm package to be published.
-
 ## dev

 This directory contains scripts used for the development of code-server.
@@ -51,7 +29,7 @@ This directory contains scripts used for the development of code-server.
 - [./ci/dev/watch.ts](./dev/watch.ts) (`yarn watch`)
  - Starts a process to build and launch code-server and restart on any code changes.
  - Example usage in [./docs/CONTRIBUTING.md](../docs/CONTRIBUTING.md).
- [./ci/dev/gen_icons.sh](./ci/dev/gen_icons.sh) (`yarn icons`)
+- [./ci/dev/gen_icons.sh](./dev/gen_icons.sh) (`yarn icons`)
  - Generates the various icons from a single `.svg` favicon in
    `src/browser/media/favicon.svg`.
  - Requires [imagemagick](https://imagemagick.org/index.php)
@@ -67,9 +45,6 @@ You can disable minification by setting `MINIFY=`.
  - Builds vscode into `./lib/vscode/out-vscode`.
 - [./ci/build/build-release.sh](./build/build-release.sh) (`yarn release`)
  - Bundles the output of the above two scripts into a single node module at `./release`.
- [./ci/build/build-standalone-release.sh](./build/build-standalone-release.sh) (`yarn release:standalone`)
-  - Requires a node module already built into `./release` with the above script.
-  - Will build a standalone release with node and node_modules bundled into `./release-standalone`.
 - [./ci/build/clean.sh](./build/clean.sh) (`yarn clean`)
  - Removes all build artifacts.
  - Useful to do a clean build.
@@ -100,8 +75,8 @@ You can disable minification by setting `MINIFY=`.

 This directory contains the release docker container image.

- [./release-image/build.sh](./release-image/build.sh)
-  - Builds the release container with the tag `codercom/code-server-$ARCH:$VERSION`.
+- [./ci/steps/build-docker-buildx-push.sh](./steps/docker-buildx-push.sh)
+  - Builds the release containers with tags `codercom/code-server-$ARCH:$VERSION` for amd64 and arm64 with `docker buildx` and pushes them.
  - Assumes debian releases are ready in `./release-packages`.

 ## images
@@ -119,6 +94,8 @@ Helps avoid clobbering the CI configuration.
  - Runs `yarn lint`.
 - [./steps/test-unit.sh](./steps/test-unit.sh)
  - Runs `yarn test:unit`.
+- [./steps/test-integration.sh](./steps/test-integration.sh)
+  - Runs `yarn test:integration`.
 - [./steps/test-e2e.sh](./steps/test-e2e.sh)
  - Runs `yarn test:e2e`.
 - [./steps/release.sh](./steps/release.sh)
@@ -129,8 +106,8 @@ Helps avoid clobbering the CI configuration.
    release packages into `./release-packages`.
 - [./steps/publish-npm.sh](./steps/publish-npm.sh)
  - Grabs the `npm-package` release artifact for the current commit and publishes it on npm.
- [./steps/build-docker-image.sh](./steps/build-docker-image.sh)
-  - Builds the docker image and then saves it into `./release-images/code-server-$ARCH-$VERSION.tar`.
+- [./steps/docker-buildx-push.sh](./steps/docker-buildx-push.sh)
+  - Builds the docker image and then pushes it.
 - [./steps/push-docker-manifest.sh](./steps/push-docker-manifest.sh)
  - Loads all images in `./release-images` and then builds and pushes a multi architecture
    docker manifest for the amd64 and arm64 images to `codercom/code-server:$VERSION` and
--- a/ci/build/build-code-server.sh
+++ b/ci/build/build-code-server.sh
@@ -3,9 +3,6 @@ set -euo pipefail

 # Builds code-server into out and the frontend into dist.

-# MINIFY controls whether parcel minifies dist.
-MINIFY=${MINIFY-true}
-
 main() {
  cd "$(dirname "${0}")/../.."

@@ -17,29 +14,6 @@ main() {
    sed -i.bak "1s;^;#!/usr/bin/env node\n;" out/node/entry.js && rm out/node/entry.js.bak
    chmod +x out/node/entry.js
  fi
-
-  if ! [ -f ./lib/coder-cloud-agent ]; then
-    echo "Downloading the cloud agent..."
-
-    # for arch; we do not use OS from lib.sh and get our own.
-    # lib.sh normalizes macos to darwin - but cloud-agent's binaries do not
-    source ./ci/lib.sh
-    OS="$(uname | tr '[:upper:]' '[:lower:]')"
-
-    set +e
-    curl -fsSL "https://github.com/cdr/cloud-agent/releases/latest/download/cloud-agent-$OS-$ARCH" -o ./lib/coder-cloud-agent
-    chmod +x ./lib/coder-cloud-agent
-    set -e
-  fi
-
-  parcel build \
-    --public-url "." \
-    --out-dir dist \
-    $([[ $MINIFY ]] || echo --no-minify) \
-    src/browser/register.ts \
-    src/browser/serviceWorker.ts \
-    src/browser/pages/login.ts \
-    src/browser/pages/vscode.ts
 }

 main "$@"
--- a/ci/build/build-lib.sh
+++ b/ci/build/build-lib.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# This is a library which contains functions used inside ci/build
+#
+# We separated it into it's own file so that we could easily unit test
+# these functions and helpers.
+
+# On some CPU architectures (notably node/uname "armv7l", default on Raspberry Pis),
+# different package managers have different labels for the same CPU (deb=armhf, rpm=armhfp).
+# This function returns the overriden arch on platforms
+# with alternate labels, or the same arch otherwise.
+get_nfpm_arch() {
+  local PKG_FORMAT="${1:-}"
+  local ARCH="${2:-}"
+
+  case "$ARCH" in
+    armv7l)
+      if [ "$PKG_FORMAT" = "deb" ]; then
+        echo armhf
+      elif [ "$PKG_FORMAT" = "rpm" ]; then
+        echo armhfp
+      fi
+      ;;
+    *)
+      echo "$ARCH"
+      ;;
+  esac
+}
--- a/ci/build/build-packages.sh
+++ b/ci/build/build-packages.sh
@@ -7,6 +7,7 @@ set -euo pipefail
 main() {
  cd "$(dirname "${0}")/../.."
  source ./ci/lib.sh
+  source ./ci/build/build-lib.sh

  # Allow us to override architecture
  # we use this for our Linux ARM64 cross compile builds
@@ -46,11 +47,27 @@ release_gcp() {
 # Generates deb and rpm packages.
 release_nfpm() {
  local nfpm_config
-  nfpm_config="$(envsubst <./ci/build/nfpm.yaml)"

-  # The underscores are convention for .deb.
-  nfpm pkg -f <(echo "$nfpm_config") --target "release-packages/code-server_${VERSION}_$ARCH.deb"
-  nfpm pkg -f <(echo "$nfpm_config") --target "release-packages/code-server-$VERSION-$ARCH.rpm"
+  export NFPM_ARCH
+
+  # Code deletes some files from the extension node_modules directory which
+  # leaves broken symlinks in the corresponding .bin directory.  nfpm will fail
+  # on these broken symlinks so clean them up.
+  rm -fr "./release-standalone/lib/vscode/extensions/node_modules/.bin"
+
+  PKG_FORMAT="deb"
+  NFPM_ARCH="$(get_nfpm_arch $PKG_FORMAT "$ARCH")"
+  nfpm_config="$(envsubst < ./ci/build/nfpm.yaml)"
+  echo "Building deb"
+  echo "$nfpm_config" | head --lines=4
+  nfpm pkg -f <(echo "$nfpm_config") --target "release-packages/code-server_${VERSION}_${NFPM_ARCH}.deb"
+
+  PKG_FORMAT="rpm"
+  NFPM_ARCH="$(get_nfpm_arch $PKG_FORMAT "$ARCH")"
+  nfpm_config="$(envsubst < ./ci/build/nfpm.yaml)"
+  echo "Building rpm"
+  echo "$nfpm_config" | head --lines=4
+  nfpm pkg -f <(echo "$nfpm_config") --target "release-packages/code-server-$VERSION-$NFPM_ARCH.rpm"
 }

 main "$@"
--- a/ci/build/build-release.sh
+++ b/ci/build/build-release.sh
@@ -12,29 +12,33 @@ KEEP_MODULES="${KEEP_MODULES-0}"

 main() {
  cd "$(dirname "${0}")/../.."
+
  source ./ci/lib.sh

  VSCODE_SRC_PATH="lib/vscode"
  VSCODE_OUT_PATH="$RELEASE_PATH/lib/vscode"

+  create_shrinkwraps
+
  mkdir -p "$RELEASE_PATH"

  bundle_code_server
  bundle_vscode

-  rsync README.md "$RELEASE_PATH"
-  rsync LICENSE.txt "$RELEASE_PATH"
+  rsync ./docs/README.md "$RELEASE_PATH"
+  rsync LICENSE "$RELEASE_PATH"
  rsync ./lib/vscode/ThirdPartyNotices.txt "$RELEASE_PATH"
 }

 bundle_code_server() {
-  rsync out dist "$RELEASE_PATH"
+  rsync out "$RELEASE_PATH"

  # For source maps and images.
  mkdir -p "$RELEASE_PATH/src/browser"
  rsync src/browser/media/ "$RELEASE_PATH/src/browser/media"
  mkdir -p "$RELEASE_PATH/src/browser/pages"
  rsync src/browser/pages/*.html "$RELEASE_PATH/src/browser/pages"
+  rsync src/browser/pages/*.css "$RELEASE_PATH/src/browser/pages"
  rsync src/browser/robots.txt "$RELEASE_PATH/src/browser"

  # Add typings for plugins
@@ -43,62 +47,93 @@ bundle_code_server() {

  # Adds the commit to package.json
  jq --slurp '.[0] * .[1]' package.json <(
-    cat <<EOF
+    cat << EOF
  {
    "commit": "$(git rev-parse HEAD)",
    "scripts": {
-      "postinstall": "./postinstall.sh"
+      "postinstall": "sh ./postinstall.sh"
    }
  }
 EOF
-  ) >"$RELEASE_PATH/package.json"
+  ) > "$RELEASE_PATH/package.json"
  rsync yarn.lock "$RELEASE_PATH"
+  mv npm-shrinkwrap.json "$RELEASE_PATH"
+
  rsync ci/build/npm-postinstall.sh "$RELEASE_PATH/postinstall.sh"

  if [ "$KEEP_MODULES" = 1 ]; then
    rsync node_modules/ "$RELEASE_PATH/node_modules"
-    mkdir -p "$RELEASE_PATH/lib"
-    rsync ./lib/coder-cloud-agent "$RELEASE_PATH/lib"
  fi
 }

 bundle_vscode() {
  mkdir -p "$VSCODE_OUT_PATH"
-  rsync "$VSCODE_SRC_PATH/yarn.lock" "$VSCODE_OUT_PATH"
-  rsync "$VSCODE_SRC_PATH/out-vscode${MINIFY:+-min}/" "$VSCODE_OUT_PATH/out"

-  rsync "$VSCODE_SRC_PATH/.build/extensions/" "$VSCODE_OUT_PATH/extensions"
-  if [ "$KEEP_MODULES" = 0 ]; then
-    rm -Rf "$VSCODE_OUT_PATH/extensions/node_modules"
-  else
-    rsync "$VSCODE_SRC_PATH/node_modules/" "$VSCODE_OUT_PATH/node_modules"
+  local rsync_opts=()
+  if [[ ${DEBUG-} = 1 ]]; then
+    rsync_opts+=(-vh)
  fi
-  rsync "$VSCODE_SRC_PATH/extensions/package.json" "$VSCODE_OUT_PATH/extensions"
-  rsync "$VSCODE_SRC_PATH/extensions/yarn.lock" "$VSCODE_OUT_PATH/extensions"
-  rsync "$VSCODE_SRC_PATH/extensions/postinstall.js" "$VSCODE_OUT_PATH/extensions"

-  mkdir -p "$VSCODE_OUT_PATH/resources/"{linux,web}
-  rsync "$VSCODE_SRC_PATH/resources/linux/code.png" "$VSCODE_OUT_PATH/resources/linux/code.png"
-  rsync "$VSCODE_SRC_PATH/resources/web/callback.html" "$VSCODE_OUT_PATH/resources/web/callback.html"
+  # Some extensions have a .gitignore which excludes their built source from the
+  # npm package so exclude any .gitignore files.
+  rsync_opts+=(--exclude .gitignore)

-  # Adds the commit and date to product.json
-  jq --slurp '.[0] * .[1]' "$VSCODE_SRC_PATH/product.json" <(
-    cat <<EOF
-  {
-    "commit": "$(git rev-parse HEAD)",
-    "date": $(jq -n 'now | todate')
-  }
-EOF
-  ) >"$VSCODE_OUT_PATH/product.json"
+  # Exclude Node as we will add it ourselves for the standalone and will not
+  # need it for the npm package.
+  rsync_opts+=(--exclude /node)

-  # We remove the scripts field so that later on we can run
-  # yarn to fetch node_modules if necessary without build scripts running.
-  # We cannot use --no-scripts because we still want dependent package scripts to run.
-  jq 'del(.scripts)' <"$VSCODE_SRC_PATH/package.json" >"$VSCODE_OUT_PATH/package.json"
+  # Exclude Node modules.
+  if [[ $KEEP_MODULES = 0 ]]; then
+    rsync_opts+=(--exclude node_modules)
+  fi

-  pushd "$VSCODE_OUT_PATH"
-  symlink_asar
+  rsync "${rsync_opts[@]}" ./lib/vscode-reh-web-*/ "$VSCODE_OUT_PATH"
+
+  # Use the package.json for the web/remote server.  It does not have the right
+  # version though so pull that from the main package.json.
+  jq --slurp '.[0] * {version: .[1].version}' \
+    "$VSCODE_SRC_PATH/remote/package.json" \
+    "$VSCODE_SRC_PATH/package.json" > "$VSCODE_OUT_PATH/package.json"
+
+  rsync "$VSCODE_SRC_PATH/remote/yarn.lock" "$VSCODE_OUT_PATH/yarn.lock"
+  mv "$VSCODE_SRC_PATH/remote/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/npm-shrinkwrap.json"
+
+  # Include global extension dependencies as well.
+  rsync "$VSCODE_SRC_PATH/extensions/package.json" "$VSCODE_OUT_PATH/extensions/package.json"
+  rsync "$VSCODE_SRC_PATH/extensions/yarn.lock" "$VSCODE_OUT_PATH/extensions/yarn.lock"
+  mv "$VSCODE_SRC_PATH/extensions/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/extensions/npm-shrinkwrap.json"
+  rsync "$VSCODE_SRC_PATH/extensions/postinstall.mjs" "$VSCODE_OUT_PATH/extensions/postinstall.mjs"
+}
+
+create_shrinkwraps() {
+  # yarn.lock or package-lock.json files (used to ensure deterministic versions of dependencies) are
+  # not packaged when publishing to the NPM registry.
+  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we create
+  # an npm-shrinkwrap.json file from the currently installed node_modules. This ensures the versions used
+  # from development (that the yarn.lock guarantees) are also the ones installed by end-users.
+  # These will include devDependencies, but those will be ignored when installing globally (for code-server), and
+  # because we use --omit=dev when installing vscode.
+
+  # We first generate the shrinkwrap file for code-server itself - which is the current directory
+  create_shrinkwrap_keeping_yarn_lock
+
+  # Then the shrinkwrap files for the bundled VSCode
+  pushd "$VSCODE_SRC_PATH/remote/"
+  create_shrinkwrap_keeping_yarn_lock
+  popd
+
+  pushd "$VSCODE_SRC_PATH/extensions/"
+  create_shrinkwrap_keeping_yarn_lock
  popd
 }

+create_shrinkwrap_keeping_yarn_lock() {
+  # HACK@edvincent: Generating a shrinkwrap alters the yarn.lock which we don't want (with NPM URLs rather than the Yarn URLs)
+  # But to generate a valid shrinkwrap, it has to exist... So we copy it to then restore it
+  cp yarn.lock yarn.lock.temp
+  npm shrinkwrap
+  cp yarn.lock.temp yarn.lock
+  rm yarn.lock.temp
+}
+
 main "$@"
--- a/ci/build/build-standalone-release.sh
+++ b/ci/build/build-standalone-release.sh
@@ -1,8 +1,13 @@
 #!/usr/bin/env bash
 set -euo pipefail

+# This is due to an upstream issue with RHEL7/CentOS 7 comptability with node-argon2
+# See: https://github.com/cdr/code-server/pull/3422#pullrequestreview-677765057
+export npm_config_build_from_source=true
+
 main() {
  cd "$(dirname "${0}")/../.."
+
  source ./ci/lib.sh

  rsync "$RELEASE_PATH/" "$RELEASE_PATH-standalone"
@@ -12,17 +17,18 @@ main() {
  # we use the same version it's using so we instead run a script with yarn that
  # will print the path to node.
  local node_path
-  node_path="$(yarn -s node <<<'console.info(process.execPath)')"
+  node_path="$(yarn -s node <<< 'console.info(process.execPath)')"

  mkdir -p "$RELEASE_PATH/bin"
+  mkdir -p "$RELEASE_PATH/lib"
  rsync ./ci/build/code-server.sh "$RELEASE_PATH/bin/code-server"
  rsync "$node_path" "$RELEASE_PATH/lib/node"

-  ln -s "./bin/code-server" "$RELEASE_PATH/code-server"
-  ln -s "./lib/node" "$RELEASE_PATH/node"
+  chmod 755 "$RELEASE_PATH/lib/node"

-  cd "$RELEASE_PATH"
-  yarn --production --frozen-lockfile
+  pushd "$RELEASE_PATH"
+  npm install --unsafe-perm --omit=dev
+  popd
 }

 main "$@"
--- a/ci/build/build-vscode.sh
+++ b/ci/build/build-vscode.sh
@@ -6,15 +6,130 @@ set -euo pipefail
 # MINIFY controls whether a minified version of vscode is built.
 MINIFY=${MINIFY-true}

+delete-bin-script() {
+  rm -f "lib/vscode-reh-web-linux-x64/bin/$1"
+}
+
+copy-bin-script() {
+  local script="$1"
+  local dest="lib/vscode-reh-web-linux-x64/bin/$script"
+  cp "lib/vscode/resources/server/bin/$script" "$dest"
+  sed -i.bak "s/@@VERSION@@/$(vscode_version)/g" "$dest"
+  sed -i.bak "s/@@COMMIT@@/$BUILD_SOURCEVERSION/g" "$dest"
+  sed -i.bak "s/@@APPNAME@@/code-server/g" "$dest"
+
+  # Fix Node path on Darwin and Linux.
+  # We do not want expansion here; this text should make it to the file as-is.
+  # shellcheck disable=SC2016
+  sed -i.bak 's/^ROOT=\(.*\)$/VSROOT=\1\nROOT="$(dirname "$(dirname "$VSROOT")")"/g' "$dest"
+  sed -i.bak 's/ROOT\/out/VSROOT\/out/g' "$dest"
+  # We do not want expansion here; this text should make it to the file as-is.
+  # shellcheck disable=SC2016
+  sed -i.bak 's/$ROOT\/node/${NODE_EXEC_PATH:-$ROOT\/lib\/node}/g' "$dest"
+
+  # Fix Node path on Windows.
+  sed -i.bak 's/^set ROOT_DIR=\(.*\)$/set ROOT_DIR=%~dp0..\\..\\..\\..\r\nset VSROOT_DIR=\1/g' "$dest"
+  sed -i.bak 's/%ROOT_DIR%\\out/%VSROOT_DIR%\\out/g' "$dest"
+
+  chmod +x "$dest"
+  rm "$dest.bak"
+}
+
 main() {
  cd "$(dirname "${0}")/../.."
-  cd lib/vscode

-  yarn gulp compile-build compile-extensions-build
-  yarn gulp optimize --gulpfile ./coder.js
-  if [[ $MINIFY ]]; then
-    yarn gulp minify --gulpfile ./coder.js
+  source ./ci/lib.sh
+
+  pushd lib/vscode
+
+  if [[ ! ${VERSION-} ]]; then
+    echo "VERSION not set. Please set before running this script:"
+    echo "VERSION='0.0.0' yarn build:vscode"
+    exit 1
  fi
+
+  # Set the commit Code will embed into the product.json.  We need to do this
+  # since Code tries to get the commit from the `.git` directory which will fail
+  # as it is a submodule.
+  export BUILD_SOURCEVERSION
+  BUILD_SOURCEVERSION=$(git rev-parse HEAD)
+
+  # Add the date, our name, links, and enable telemetry (this just makes
+  # telemetry available; telemetry can still be disabled by flag or setting).
+  # This needs to be done before building as Code will read this file and embed
+  # it into the client-side code.
+  git checkout product.json             # Reset in case the script exited early.
+  cp product.json product.original.json # Since jq has no inline edit.
+  jq --slurp '.[0] * .[1]' product.original.json <(
+    cat << EOF
+  {
+    "enableTelemetry": true,
+    "quality": "stable",
+    "codeServerVersion": "$VERSION",
+    "nameShort": "code-server",
+    "nameLong": "code-server",
+    "applicationName": "code-server",
+    "dataFolderName": ".code-server",
+    "win32MutexName": "codeserver",
+    "licenseUrl": "https://github.com/coder/code-server/blob/main/LICENSE",
+    "win32DirName": "code-server",
+    "win32NameVersion": "code-server",
+    "win32AppUserModelId": "coder.code-server",
+    "win32ShellNameShort": "c&ode-server",
+    "darwinBundleIdentifier": "com.coder.code.server",
+    "linuxIconName": "com.coder.code.server",
+    "reportIssueUrl": "https://github.com/coder/code-server/issues/new",
+    "documentationUrl": "https://go.microsoft.com/fwlink/?LinkID=533484#vscode",
+    "keyboardShortcutsUrlMac": "https://go.microsoft.com/fwlink/?linkid=832143",
+    "keyboardShortcutsUrlLinux": "https://go.microsoft.com/fwlink/?linkid=832144",
+    "keyboardShortcutsUrlWin": "https://go.microsoft.com/fwlink/?linkid=832145",
+    "introductoryVideosUrl": "https://go.microsoft.com/fwlink/?linkid=832146",
+    "tipsAndTricksUrl": "https://go.microsoft.com/fwlink/?linkid=852118",
+    "newsletterSignupUrl": "https://www.research.net/r/vsc-newsletter",
+    "linkProtectionTrustedDomains": [
+      "https://open-vsx.org"
+    ],
+    "aiConfig": {
+      "ariaKey": "code-server"
+    }
+  }
+EOF
+  ) > product.json
+
+  # Any platform here works since we will do our own packaging.  We have to do
+  # this because we have an NPM package that could be installed on any platform.
+  # The correct platform dependencies and scripts will be installed as part of
+  # the post-install during `npm install` or when building a standalone release.
+  yarn gulp "vscode-reh-web-linux-x64${MINIFY:+-min}"
+
+  # Reset so if you develop after building you will not be stuck with the wrong
+  # commit (the dev client will use `oss-dev` but the dev server will still use
+  # product.json which will have `stable-$commit`).
+  git checkout product.json
+
+  popd
+
+  pushd lib/vscode-reh-web-linux-x64
+  # Make sure Code took the version we set in the environment variable.  Not
+  # having a version will break display languages.
+  if ! jq -e .commit product.json; then
+    echo "'commit' is missing from product.json"
+    exit 1
+  fi
+  popd
+
+  # These provide a `code-server` command in the integrated terminal to open
+  # files in the current instance.
+  delete-bin-script remote-cli/code-server
+  copy-bin-script remote-cli/code-darwin.sh
+  copy-bin-script remote-cli/code-linux.sh
+  copy-bin-script remote-cli/code.cmd
+
+  # These provide a way for terminal applications to open browser windows.
+  delete-bin-script helpers/browser.sh
+  copy-bin-script helpers/browser-darwin.sh
+  copy-bin-script helpers/browser-linux.sh
+  copy-bin-script helpers/browser.cmd
 }

 main "$@"
--- a/ci/build/clean.sh
+++ b/ci/build/clean.sh
@@ -6,10 +6,6 @@ main() {
  source ./ci/lib.sh

  git clean -Xffd
-
-  pushd lib/vscode
-  git clean -xffd
-  popd
 }

 main "$@"
--- a/ci/build/code-server.sh
+++ b/ci/build/code-server.sh
@@ -5,20 +5,12 @@ set -eu
 # Runs code-server with the bundled node binary.

 _realpath() {
-  # See https://github.com/cdr/code-server/issues/1537 on why no realpath or readlink -f.
+  # See https://github.com/coder/code-server/issues/1537 on why no realpath or readlink -f.

  script="$1"
  cd "$(dirname "$script")"

  while [ -L "$(basename "$script")" ]; do
-    if [ -L "./node" ] && [ -L "./code-server" ] \
-      && [ -f "package.json" ] \
-      && cat package.json | grep -q '^  "name": "code-server",$'; then
-      echo "***** Please use the script in bin/code-server instead!" >&2
-      echo "***** This script will soon be removed!" >&2
-      echo "***** See the release notes at https://github.com/cdr/code-server/releases/tag/v3.4.0" >&2
-    fi
-
    script="$(readlink "$(basename "$script")")"
    cd "$(dirname "$script")"
  done
--- a/ci/build/nfpm.yaml
+++ b/ci/build/nfpm.yaml
@@ -1,14 +1,14 @@
 name: "code-server"
-arch: "${ARCH}"
+arch: "${NFPM_ARCH}"
 platform: "linux"
 version: "v${VERSION}"
 section: "devel"
 priority: "optional"
-maintainer: "Anmol Sethi <hi@nhooyr.io>"
+maintainer: "Joe Previte <joe@coder.com>"
 description: |
  Run VS Code in the browser.
 vendor: "Coder"
-homepage: "https://github.com/cdr/code-server"
+homepage: "https://github.com/coder/code-server"
 license: "MIT"

 contents:
@@ -22,4 +22,4 @@ contents:
    dst: /usr/lib/systemd/user/code-server.service

  - src: ./release-standalone/*
-    dst: /usr/lib/code-server/
+    dst: /usr/lib/code-server
--- a/ci/build/npm-postinstall.sh
+++ b/ci/build/npm-postinstall.sh
@@ -1,32 +1,81 @@
 #!/usr/bin/env sh
 set -eu

-# Copied from arch() in ci/lib.sh.
-detect_arch() {
-  case "$(uname -m)" in
-  aarch64)
-    echo arm64
-    ;;
-  x86_64 | amd64)
-    echo amd64
-    ;;
-  *)
-    # This will cause the download to fail, but is intentional
-    uname -m
-    ;;
+# Copied from ../lib.sh except we do not rename Darwin and we do not need to
+# detect Alpine.
+os() {
+  osname=$(uname | tr '[:upper:]' '[:lower:]')
+  case $osname in
+    cygwin* | mingw*) osname="windows" ;;
+  esac
+  echo "$osname"
+}
+
+# Create a symlink at $2 pointing to $1 on any platform.  Anything that
+# currently exists at $2 will be deleted.
+symlink() {
+  source="$1"
+  dest="$2"
+  rm -rf "$dest"
+  case $OS in
+    windows) mklink /J "$dest" "$source" ;;
+    *) ln -s "$source" "$dest" ;;
  esac
 }

-ARCH="${NPM_CONFIG_ARCH:-$(detect_arch)}"
+# VS Code bundles some modules into an asar which is an archive format that
+# works like tar. It then seems to get unpacked into node_modules.asar.
+#
+# I don't know why they do this but all the dependencies they bundle already
+# exist in node_modules so just symlink it. We have to do this since not only
+# Code itself but also extensions will look specifically in this directory for
+# files (like the ripgrep binary or the oniguruma wasm).
+symlink_asar() {
+  symlink node_modules node_modules.asar
+}
+
+# Make a symlink at bin/$1/$3 pointing to the platform-specific version of the
+# script in $2.  The extension of the link will be .cmd for Windows otherwise it
+# will be whatever is in $4 (or no extension if $4 is not set).
+symlink_bin_script() {
+  oldpwd="$(pwd)"
+  cd "bin/$1"
+  source="$2"
+  dest="$3"
+  ext="${4-}"
+  case $OS in
+    windows) symlink "$source.cmd" "$dest.cmd" ;;
+    darwin | macos) symlink "$source-darwin.sh" "$dest$ext" ;;
+    *) symlink "$source-linux.sh" "$dest$ext" ;;
+  esac
+  cd "$oldpwd"
+}
+
+OS="$(os)"
+
+# This is due to an upstream issue with RHEL7/CentOS 7 comptability with node-argon2
+# See: https://github.com/cdr/code-server/pull/3422#pullrequestreview-677765057
+export npm_config_build_from_source=true

 main() {
  # Grabs the major version of node from $npm_config_user_agent which looks like
  # yarn/1.21.1 npm/? node/v14.2.0 darwin x64
  major_node_version=$(echo "$npm_config_user_agent" | sed -n 's/.*node\/v\([^.]*\).*/\1/p')
-  if [ "$major_node_version" -lt 12 ]; then
-    echo "code-server currently requires at least node v12"
+
+  if [ -n "${FORCE_NODE_VERSION:-}" ]; then
+    echo "WARNING: Overriding required Node.js version to v$FORCE_NODE_VERSION"
+    echo "This could lead to broken functionality, and is unsupported."
+    echo "USE AT YOUR OWN RISK!"
+  fi
+
+  if [ "$major_node_version" -ne "${FORCE_NODE_VERSION:-16}" ]; then
+    echo "ERROR: code-server currently requires node v16."
+    if [ -n "$FORCE_NODE_VERSION" ]; then
+      echo "However, you have overrided the version check to use v$FORCE_NODE_VERSION."
+    fi
    echo "We have detected that you are on node v$major_node_version"
-    echo "See https://github.com/cdr/code-server/issues/1633"
+    echo "You can override this version check by setting \$FORCE_NODE_VERSION,"
+    echo "but configurations that do not use the same node version are unsupported."
    exit 1
  fi

@@ -42,45 +91,51 @@ main() {
    ;;
  esac

-  OS="$(uname | tr '[:upper:]' '[:lower:]')"
-  if curl -fsSL "https://github.com/cdr/cloud-agent/releases/latest/download/cloud-agent-$OS-$ARCH" -o ./lib/coder-cloud-agent; then
-    chmod +x ./lib/coder-cloud-agent
-  else
-    echo "Failed to download cloud agent; --link will not work"
-  fi
-
-  if ! vscode_yarn; then
+  if ! vscode_install; then
    echo "You may not have the required dependencies to build the native modules."
-    echo "Please see https://github.com/cdr/code-server/blob/master/docs/npm.md"
+    echo "Please see https://github.com/coder/code-server/blob/main/docs/npm.md"
    exit 1
  fi
-}

-# This is a copy of symlink_asar in ../lib.sh. Look there for details.
-symlink_asar() {
-  rm -f node_modules.asar
-  if [ "${WINDIR-}" ]; then
-    mklink /J node_modules.asar node_modules
-  else
-    ln -s node_modules node_modules.asar
+  if [ -n "${FORCE_NODE_VERSION:-}" ]; then
+    echo "WARNING: The required Node.js version was overriden to v$FORCE_NODE_VERSION"
+    echo "This could lead to broken functionality, and is unsupported."
+    echo "USE AT YOUR OWN RISK!"
  fi
 }

-vscode_yarn() {
+install_with_yarn_or_npm() {
+  echo "User agent: ${npm_config_user_agent-none}"
+  # NOTE@edvincent: We want to keep using the package manager that the end-user was using to install the package.
+  # This also ensures that when *we* run `yarn` in the development process, the yarn.lock file is used.
+  case "${npm_config_user_agent-}" in
+    npm*)
+      # HACK: NPM's use of semver doesn't like resolving some peerDependencies that vscode (upstream) brings in the form of pre-releases.
+      # The legacy behavior doesn't complain about pre-releases being used, falling back to that for now.
+      # See https://github.com//pull/5071
+      npm install --unsafe-perm --legacy-peer-deps --omit=dev
+      ;;
+    yarn*)
+      yarn --production --frozen-lockfile --no-default-rc
+      ;;
+    *)
+      echo "Could not determine which package manager is being used to install code-server"
+      exit 1
+      ;;
+  esac
+}
+
+vscode_install() {
+  echo 'Installing Code dependencies...'
  cd lib/vscode
-  yarn --production --frozen-lockfile
+  install_with_yarn_or_npm

  symlink_asar
+  symlink_bin_script remote-cli code code-server
+  symlink_bin_script helpers browser browser .sh

  cd extensions
-  yarn --production --frozen-lockfile
-  for ext in */; do
-    ext="${ext%/}"
-    echo "extensions/$ext: installing dependencies"
-    cd "$ext"
-    yarn --production --frozen-lockfile
-    cd "$OLDPWD"
-  done
+  install_with_yarn_or_npm
 }

 main "$@"
--- a/ci/build/release-github-assets.sh
+++ b/ci/build/release-github-assets.sh
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Downloads the release artifacts from CI for the current
-# commit and then uploads them to the release with the version
-# in package.json.
-# You will need $GITHUB_TOKEN set.
-
-main() {
-  cd "$(dirname "$0")/../.."
-  source ./ci/lib.sh
-
-  download_artifact release-packages ./release-packages
-  local assets=(./release-packages/code-server*"$VERSION"*{.tar.gz,.deb,.rpm})
-
-  EDITOR=true gh release upload "v$VERSION" "${assets[@]}"
-}
-
-main "$@"
--- a/ci/build/release-github-draft.sh
+++ b/ci/build/release-github-draft.sh
@@ -1,50 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Creates a draft release with the template for the version in package.json
-
-main() {
-  cd "$(dirname "$0")/../.."
-  source ./ci/lib.sh
-
-  gh release create "v$VERSION" \
-    --notes-file - \
-    --target "$(git rev-parse HEAD)" \
-    --draft <<EOF
-v$VERSION
-
-VS Code v$(vscode_version)
-
-Upgrading is as easy as installing the new version over the old one. code-server
-maintains all user data in \`~/.local/share/code-server\` so that it is preserved in between
-installations.
-
-## New Features
-
-⭐ Summarize new features here with references to issues
-
-  - item
-
-## Bug Fixes
-
-⭐ Summarize bug fixes here with references to issues
-
-  - item
-
-## Documentation
-
-⭐ Summarize doc changes here with references to issues
-
-  - item
-
-## Development
-
-⭐ Summarize development/testing changes here with references to issues
-
-  - item
-
-Cheers! 🍻
-EOF
-}
-
-main "$@"
--- a/ci/build/release-prep.sh
+++ b/ci/build/release-prep.sh
@@ -1,99 +0,0 @@
-#!/usr/bin/env bash
-# Description: This is a script to make the release process easier
-# Run it with `yarn release:prep` and it will do the following:
-# 1. Check that you have gh installed and that you're signed in
-# 2. Update the version of code-server (package.json, docs, etc.)
-# 3. Update the code coverage badge in the README
-# 4. Open a draft PR using the release_template.md and view in browser
-# If you want to perform a dry run of this script run DRY_RUN=1 yarn release:prep
-
-set -euo pipefail
-
-main() {
-  if [ "${DRY_RUN-}" = 1 ]; then
-    echo "Performing a dry run..."
-    CMD="echo"
-  else
-    CMD=''
-  fi
-
-  cd "$(dirname "$0")/../.."
-
-  # Check that gh is installed
-  if ! command -v gh &>/dev/null; then
-    echo "gh could not be found."
-    echo "We use this with the release-github-draft.sh and release-github-assets.sh scripts."
-    echo -e "See docs here: https://github.com/cli/cli#installation"
-    exit
-  fi
-
-  # Check that they have jq installed
-  if ! command -v jq &>/dev/null; then
-    echo "jq could not be found."
-    echo "We use this to parse the package.json and grab the current version of code-server."
-    echo -e "See docs here: https://stedolan.github.io/jq/download/"
-    exit
-  fi
-
-  # Check that they have rg installed
-  if ! command -v rg &>/dev/null; then
-    echo "rg could not be found."
-    echo "We use this when updating files across the codebase."
-    echo -e "See docs here: https://github.com/BurntSushi/ripgrep#installation"
-    exit
-  fi
-
-  # Check that they have node installed
-  if ! command -v node &>/dev/null; then
-    echo "node could not be found."
-    echo "That's surprising..."
-    echo "We use it in this script for getting the package.json version"
-    echo -e "See docs here: https://nodejs.org/en/download/"
-    exit
-  fi
-
-  # Check that gh is authenticated
-  if ! gh auth status -h github.com &>/dev/null; then
-    echo "gh isn't authenticated to github.com."
-    echo "This is needed for our scripts that use gh."
-    echo -e "See docs regarding authentication: https://cli.github.com/manual/gh_auth_login"
-    exit
-  fi
-
-  # Note: we need to set upstream as well or the gh pr create step will fail
-  # See: https://github.com/cli/cli/issues/575
-  CURRENT_BRANCH=$(git branch | grep '\*' | cut -d' ' -f2-)
-  if [[ -z $(git config "branch.${CURRENT_BRANCH}.remote") ]]; then
-    echo "Doesn't look like you've pushed this branch to remote"
-    # Note: we need to set upstream as well or the gh pr create step will fail
-    # See: https://github.com/cli/cli/issues/575
-    echo "Please set the upstream and then run the script"
-    exit 1
-  fi
-
-  # credit to jakwuh for this solution
-  # https://gist.github.com/DarrenN/8c6a5b969481725a4413#gistcomment-1971123
-  CODE_SERVER_CURRENT_VERSION=$(node -pe "require('./package.json').version")
-  # Ask which version we should update to
-  # In the future, we'll automate this and determine the latest version automatically
-  echo "Current version: ${CODE_SERVER_CURRENT_VERSION}"
-  # The $'\n' adds a line break. See: https://stackoverflow.com/a/39581815/3015595
-  read -r -p "What version of code-server do you want to update to?"$'\n' CODE_SERVER_VERSION_TO_UPDATE
-
-  echo -e "Great! We'll prep a PR for updating to $CODE_SERVER_VERSION_TO_UPDATE\n"
-  $CMD rg -g '!yarn.lock' -g '!*.svg' -g '!CHANGELOG.md' --files-with-matches --fixed-strings "${CODE_SERVER_CURRENT_VERSION}" | $CMD xargs sd "$CODE_SERVER_CURRENT_VERSION" "$CODE_SERVER_VERSION_TO_UPDATE"
-
-  $CMD git commit -am "chore(release): bump version to $CODE_SERVER_VERSION_TO_UPDATE"
-
-  # This runs from the root so that's why we use this path vs. ../../
-  RELEASE_TEMPLATE_STRING=$(cat ./.github/PULL_REQUEST_TEMPLATE/release_template.md)
-
-  echo -e "\nOpening a draft PR on GitHub"
-  # To read about these flags, visit the docs: https://cli.github.com/manual/gh_pr_create
-  $CMD gh pr create --base main --title "release: $CODE_SERVER_VERSION_TO_UPDATE" --body "$RELEASE_TEMPLATE_STRING" --reviewer @cdr/code-server-reviewers --repo cdr/code-server --draft --assignee "@me"
-
-  # Open PR in browser
-  $CMD gh pr view --web
-}
-
-main "$@"
--- a/ci/build/test-standalone-release.sh
+++ b/ci/build/test-standalone-release.sh
@@ -1,29 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Makes sure the release works.
-# This is to make sure we don't have Node version errors or any other
-# compilation-related errors.
-main() {
-  cd "$(dirname "${0}")/../.."
-
-  local EXTENSIONS_DIR
-  EXTENSIONS_DIR="$(mktemp -d)"
-
-  echo "Testing standalone release."
-
-  # Note: using a basic theme extension because it doesn't update often and is more reliable for testing
-  ./release-standalone/bin/code-server --extensions-dir "$EXTENSIONS_DIR" --install-extension wesbos.theme-cobalt2
-  local installed_extensions
-  installed_extensions="$(./release-standalone/bin/code-server --extensions-dir "$EXTENSIONS_DIR" --list-extensions 2>&1)"
-  # We use grep as wesbos.theme-cobalt2 may have dependency extensions that change.
-  if ! echo "$installed_extensions" | grep -q "wesbos.theme-cobalt2"; then
-    echo "Unexpected output from listing extensions:"
-    echo "$installed_extensions"
-    exit 1
-  fi
-
-  echo "Standalone release works correctly."
-}
-
-main "$@"
--- a/ci/dev/doctoc.sh
+++ b/ci/dev/doctoc.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+main() {
+  cd "$(dirname "$0")/../.."
+
+  doctoc --title '# FAQ' docs/FAQ.md > /dev/null
+  doctoc --title '# Setup Guide' docs/guide.md > /dev/null
+  doctoc --title '# Install' docs/install.md > /dev/null
+  doctoc --title '# npm Install Requirements' docs/npm.md > /dev/null
+  doctoc --title '# Contributing' docs/CONTRIBUTING.md > /dev/null
+  doctoc --title '# Maintaining' docs/MAINTAINING.md > /dev/null
+  doctoc --title '# Contributor Covenant Code of Conduct' docs/CODE_OF_CONDUCT.md > /dev/null
+  doctoc --title '# iPad' docs/ipad.md > /dev/null
+  doctoc --title '# Termux' docs/termux.md > /dev/null
+
+  if [[ ${CI-} && $(git ls-files --other --modified --exclude-standard) ]]; then
+    echo "Files need generation or are formatted incorrectly:"
+    git -c color.ui=always status | grep --color=no '\[31m'
+    echo "Please run the following locally:"
+    echo "  yarn doctoc"
+    exit 1
+  fi
+}
+
+main "$@"
--- a/ci/dev/fmt.sh
+++ b/ci/dev/fmt.sh
@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-main() {
-  cd "$(dirname "$0")/../.."
-
-  local prettierExts
-  prettierExts=(
-    "*.js"
-    "*.ts"
-    "*.tsx"
-    "*.html"
-    "*.json"
-    "*.css"
-    "*.md"
-    "*.toml"
-    "*.yaml"
-    "*.yml"
-    "*.sh"
-  )
-  prettier --write --loglevel=warn $(
-    git ls-files "${prettierExts[@]}" | grep -v "lib/vscode" | grep -v 'helm-chart'
-  )
-
-  doctoc --title '# FAQ' docs/FAQ.md >/dev/null
-  doctoc --title '# Setup Guide' docs/guide.md >/dev/null
-  doctoc --title '# Install' docs/install.md >/dev/null
-  doctoc --title '# npm Install Requirements' docs/npm.md >/dev/null
-  doctoc --title '# Contributing' docs/CONTRIBUTING.md >/dev/null
-  doctoc --title '# Maintaining' docs/MAINTAINING.md >/dev/null
-  doctoc --title '# Contributor Covenant Code of Conduct' docs/CODE_OF_CONDUCT.md >/dev/null
-  doctoc --title '# iPad' docs/ipad.md >/dev/null
-  doctoc --title '# Termux' docs/termux.md >/dev/null
-  doctoc --title '# Changelog' CHANGELOG.md >/dev/null
-
-  if [[ ${CI-} && $(git ls-files --other --modified --exclude-standard) ]]; then
-    echo "Files need generation or are formatted incorrectly:"
-    git -c color.ui=always status | grep --color=no '\[31m'
-    echo "Please run the following locally:"
-    echo "  yarn fmt"
-    exit 1
-  fi
-}
-
-main "$@"
--- a/ci/dev/gen_icons.sh
+++ b/ci/dev/gen_icons.sh
@@ -35,10 +35,10 @@ main() {
  # This escapes all newlines so that sed will accept them.
  favicon_dark_style="$(printf "%s\n" "$favicon_dark_style" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')"
  sed "$(
-    cat -n <<EOF
+    cat -n << EOF
 s%<rect id="favicon"%$favicon_dark_style<rect id="favicon"%
 EOF
-  )" favicon.svg >favicon-dark-support.svg
+  )" favicon.svg > favicon-dark-support.svg
 }

 main "$@"
--- a/ci/dev/lint-scripts.sh
+++ b/ci/dev/lint-scripts.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+main() {
+  cd "$(dirname "$0")/../.."
+  shellcheck -e SC2046,SC2164,SC2154,SC1091,SC1090,SC2002 $(git ls-files '*.sh' | grep -v 'lib/vscode')
+}
+
+main "$@"
--- a/ci/dev/lint.sh
+++ b/ci/dev/lint.sh
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-main() {
-  cd "$(dirname "$0")/../.."
-
-  eslint --max-warnings=0 --fix $(git ls-files "*.ts" "*.tsx" "*.js" | grep -v "lib/vscode")
-  stylelint $(git ls-files "*.css" | grep -v "lib/vscode")
-  tsc --noEmit --skipLibCheck
-  shellcheck -e SC2046,SC2164,SC2154,SC1091,SC1090,SC2002 $(git ls-files "*.sh" | grep -v "lib/vscode")
-  if command -v helm && helm kubeval --help >/dev/null; then
-    helm kubeval ci/helm-chart
-  fi
-
-  cd lib/vscode
-  # Run this periodically in vanilla VS code to make sure we don't add any more warnings.
-  yarn -s eslint --max-warnings=3
-  cd "$OLDPWD"
-}
-
-main "$@"
--- a/ci/dev/postinstall.sh
+++ b/ci/dev/postinstall.sh
@@ -1,19 +1,39 @@
 #!/usr/bin/env bash
 set -euo pipefail

+# Install dependencies in $1.
+install-deps() {
+  local args=(install)
+  if [[ ${CI-} ]]; then
+    args+=(--frozen-lockfile)
+  fi
+  if [[ "$1" == "lib/vscode" ]]; then
+    args+=(--no-default-rc)
+  fi
+  # If there is no package.json then yarn will look upward and end up installing
+  # from the root resulting in an infinite loop (this can happen if you have not
+  # checked out the submodule yet for example).
+  if [[ ! -f "$1/package.json" ]]; then
+    echo "$1/package.json is missing; did you run git submodule update --init?"
+    exit 1
+  fi
+  pushd "$1"
+  echo "Installing dependencies for $PWD"
+  yarn "${args[@]}"
+  popd
+}
+
 main() {
  cd "$(dirname "$0")/../.."
  source ./ci/lib.sh

-  # This installs the dependencies needed for testing
-  cd test
-  yarn
-  cd ..
-
-  cd lib/vscode
-  yarn ${CI+--frozen-lockfile}
-
-  symlink_asar
+  install-deps test
+  install-deps test/e2e/extensions/test-extension
+  # We don't need these when running the integration tests
+  # so you can pass SKIP_SUBMODULE_DEPS
+  if [[ ! ${SKIP_SUBMODULE_DEPS-} ]]; then
+    install-deps lib/vscode
+  fi
 }

 main "$@"
--- a/ci/dev/test-e2e.sh
+++ b/ci/dev/test-e2e.sh
@@ -1,12 +1,50 @@
 #!/usr/bin/env bash
 set -euo pipefail

+help() {
+  echo >&2 "  You can build with 'yarn watch' or you can build a release"
+  echo >&2 "  For example: 'yarn build && yarn build:vscode && KEEP_MODULES=1 yarn release'"
+  echo >&2 "  Then 'CODE_SERVER_TEST_ENTRY=./release yarn test:e2e'"
+  echo >&2 "  You can manually run that release with 'node ./release'"
+}
+
 main() {
  cd "$(dirname "$0")/../.."
+
+  source ./ci/lib.sh
+
+  pushd test/e2e/extensions/test-extension
+  echo "Building test extension"
+  yarn build
+  popd
+
+  local dir="$PWD"
+  if [[ ! ${CODE_SERVER_TEST_ENTRY-} ]]; then
+    echo "Set CODE_SERVER_TEST_ENTRY to test another build of code-server"
+  else
+    pushd "$CODE_SERVER_TEST_ENTRY"
+    dir="$PWD"
+    popd
+  fi
+
+  echo "Testing build in '$dir'"
+
+  # Simple sanity checks to see that we've built. There could still be things
+  # wrong (native modules version issues, incomplete build, etc).
+  if [[ ! -d $dir/out ]]; then
+    echo >&2 "No code-server build detected"
+    help
+    exit 1
+  fi
+
+  if [[ ! -d $dir/lib/vscode/out ]]; then
+    echo >&2 "No VS Code build detected"
+    help
+    exit 1
+  fi
+
  cd test
-  # We set these environment variables because they're used in the e2e tests
-  # they don't have to be these values, but these are the defaults
-  PASSWORD=e45432jklfdsab CODE_SERVER_ADDRESS=http://localhost:8080 yarn folio --config=config.ts --reporter=list "$@"
+  yarn playwright test "$@"
 }

 main "$@"
--- a/ci/dev/test-integration.sh
+++ b/ci/dev/test-integration.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+help() {
+  echo >&2 "  You can build the standalone release with 'yarn release:standalone'"
+  echo >&2 "  Or you can pass in a custom path."
+  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' yarn test:integration"
+}
+
+# Make sure a code-server release works. You can pass in the path otherwise it
+# will look for release-standalone in the current directory.
+#
+# This is to make sure we don't have Node version errors or any other
+# compilation-related errors.
+main() {
+  cd "$(dirname "$0")/../.."
+
+  source ./ci/lib.sh
+
+  local path="$RELEASE_PATH-standalone/bin/code-server"
+  if [[ ! ${CODE_SERVER_PATH-} ]]; then
+    echo "Set CODE_SERVER_PATH to test another build of code-server"
+  else
+    path="$CODE_SERVER_PATH"
+  fi
+
+  echo "Running tests with code-server binary: '$path'"
+
+  if [[ ! -f $path ]]; then
+    echo >&2 "No code-server build detected"
+    echo >&2 "Looked in $path"
+    help
+    exit 1
+  fi
+
+  CODE_SERVER_PATH="$path" CS_DISABLE_PLUGINS=true ./test/node_modules/.bin/jest "$@" --coverage=false --testRegex "./test/integration" --testPathIgnorePatterns "./test/integration/fixtures"
+}
+
+main "$@"
--- a/ci/dev/test-native.sh
+++ b/ci/dev/test-native.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+help() {
+  echo >&2 "  You can build the standalone release with 'yarn release:standalone'"
+  echo >&2 "  Or you can pass in a custom path."
+  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' yarn test:integration"
+}
+
+# Make sure a code-server release works. You can pass in the path otherwise it
+# will look for release-standalone in the current directory.
+#
+# This is to make sure we don't have Node version errors or any other
+# compilation-related errors.
+main() {
+  cd "$(dirname "$0")/../.."
+
+  source ./ci/lib.sh
+
+  local path="$RELEASE_PATH-standalone/bin/code-server"
+  if [[ ! ${CODE_SERVER_PATH-} ]]; then
+    echo "Set CODE_SERVER_PATH to test another build of code-server"
+  else
+    path="$CODE_SERVER_PATH"
+  fi
+
+  echo "Running tests with code-server binary: '$path'"
+
+  if [[ ! -f $path ]]; then
+    echo >&2 "No code-server build detected"
+    echo >&2 "Looked in $path"
+    help
+    exit 1
+  fi
+
+  CODE_SERVER_PATH="$path" ./test/node_modules/.bin/jest "$@" --coverage=false --testRegex "./test/integration/help.test.ts"
+}
+
+main "$@"
--- a/ci/dev/test-scripts.sh
+++ b/ci/dev/test-scripts.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+main() {
+  cd "$(dirname "$0")/../.."
+  bats ./test/scripts
+}
+
+main "$@"
--- a/ci/dev/test-unit.sh
+++ b/ci/dev/test-unit.sh
@@ -3,13 +3,18 @@ set -euo pipefail

 main() {
  cd "$(dirname "$0")/../.."
-  cd test/unit/test-plugin
+
+  source ./ci/lib.sh
+
+  echo "Building test plugin"
+  pushd test/unit/node/test-plugin
  make -s out/index.js
+  popd
+
  # We must keep jest in a sub-directory. See ../../test/package.json for more
  # information. We must also run it from the root otherwise coverage will not
  # include our source files.
-  cd "$OLDPWD"
-  CS_DISABLE_PLUGINS=true ./test/node_modules/.bin/jest "$@"
+  CS_DISABLE_PLUGINS=true ./test/node_modules/.bin/jest "$@" --testRegex "./test/unit/.*ts" --testPathIgnorePatterns "./test/unit/node/test-plugin"
 }

 main "$@"
--- a/ci/dev/update-vscode.sh
+++ b/ci/dev/update-vscode.sh
@@ -1,133 +0,0 @@
-#!/usr/bin/env bash
-# Description: This is a script to make the process of updating vscode versions easier
-# Run it with `yarn update:vscode` and it will do the following:
-# 1. Check that you have a remote called `vscode`
-# 2. Ask you which version you want to upgrade to
-# 3. Grab the exact version from the package.json i.e. 1.53.2
-# 4. Fetch the vscode remote branches to run the subtree update
-# 5. Run the subtree update and pull in the vscode update
-# 6. Commit the changes (including merge conflicts)
-# 7. Open a draft PR
-
-set -euo pipefail
-
-# This function expects two arguments
-# 1. the vscode version we're updating to
-# 2. the list of merge conflict files
-make_pr_body() {
-  local BODY="This PR updates vscode to $1
-
-## TODOS
-
- [ ] test editor locally
- [ ] test terminal locally
- [ ] make notes about any significant changes in docs/CONTRIBUTING.md#notes-about-changes
-
-## Files with conflicts (fix these)
-$2"
-  echo "$BODY"
-}
-
-main() {
-  cd "$(dirname "$0")/../.."
-
-  # Check if the remote exists
-  # if it doesn't, we add it
-  if ! git config remote.vscode.url >/dev/null; then
-    echo "Could not find 'vscode' as a remote"
-    echo "Adding with: git remote add vscode https://github.com/microsoft/vscode.git"
-    git remote add vscode https://github.com/microsoft/vscode.git
-  fi
-
-  # Ask which version we should update to
-  # In the future, we'll automate this and grab the latest version automatically
-  read -r -p "What version of VSCode would you like to update to? (i.e. 1.52) " VSCODE_VERSION_TO_UPDATE
-
-  # Check that this version exists
-  if [[ -z $(git ls-remote --heads vscode release/"$VSCODE_VERSION_TO_UPDATE") ]]; then
-    echo "Oops, that doesn't look like a valid version."
-    echo "You entered: $VSCODE_VERSION_TO_UPDATE"
-    echo "Verify that this branches exists here: https://github.com/microsoft/vscode/branches/all?query=release%2F$VSCODE_VERSION_TO_UPDATE"
-    exit 1
-  fi
-
-  # Check that they have jq installed
-  if ! command -v jq &>/dev/null; then
-    echo "jq could not be found."
-    echo "We use this when looking up the exact version to update to in the package.json in VS Code."
-    echo -e "See docs here: https://stedolan.github.io/jq/download/"
-    exit 1
-  fi
-
-  # Note: `git subtree` returns 129 when installed, and prints help;
-  # but when uninstalled, returns 1.
-  set +e
-  git subtree &>/dev/null
-  if [ $? -ne 129 ]; then
-    echo "git-subtree could not be found."
-    echo "We use this to fetch and update the lib/vscode subtree."
-    echo -e "Please install git subtree."
-    exit 1
-  fi
-  set -e
-
-  # Grab the exact version from package.json
-  VSCODE_EXACT_VERSION=$(curl -s "https://raw.githubusercontent.com/microsoft/vscode/release/$VSCODE_VERSION_TO_UPDATE/package.json" | jq -r ".version")
-
-  echo -e "Great! We'll prep a PR for updating to $VSCODE_EXACT_VERSION\n"
-
-  # For some reason the subtree update doesn't work
-  # unless we fetch all the branches
-  echo -e "Fetching vscode branches..."
-  echo -e "Note: this might take a while"
-  git fetch vscode
-
-  # Check if GitHub CLI is installed
-  if ! command -v gh &>/dev/null; then
-    echo "GitHub CLI could not be found."
-    echo "If you install it before you run this script next time, we'll open a draft PR for you!"
-    echo -e "See docs here: https://github.com/cli/cli#installation\n"
-    exit
-  fi
-
-  # Push branch to remote if not already pushed
-  # If we don't do this, the opening a draft PR step won't work
-  # because it will stop and ask where you want to push the branch
-  CURRENT_BRANCH=$(git branch | grep '\*' | cut -d' ' -f2-)
-  if [[ -z $(git config "branch.${CURRENT_BRANCH}.remote") ]]; then
-    echo "Doesn't look like you've pushed this branch to remote"
-    echo -e "Pushing now using: git push origin $CURRENT_BRANCH\n"
-    # Note: we need to set upstream as well or the gh pr create step will fail
-    # See: https://github.com/cli/cli/issues/575
-    echo "Please set the upstream and re-run the script"
-    exit 1
-  fi
-
-  echo "Going to try to update vscode for you..."
-  echo -e "Running: git subtree pull --prefix lib/vscode vscode release/${VSCODE_VERSION_TO_UPDATE} --squash\n"
-  # Try to run subtree update command
-  # Note: we add `|| true` because we want the script to keep running even if the squash fails
-  # We know the squash fails everytime because there will always be merge conflicts
-  git subtree pull --prefix lib/vscode vscode release/"${VSCODE_VERSION_TO_UPDATE}" --squash || true
-
-  # Get the files with conflicts before we commit them
-  # so we can list them in the PR body as todo items
-  CONFLICTS=$(git diff --name-only --diff-filter=U | while read -r line; do echo "- [ ] $line"; done)
-  PR_BODY=$(make_pr_body "$VSCODE_EXACT_VERSION" "$CONFLICTS")
-
-  echo -e "\nForcing a commit with conflicts"
-  echo "Note: this is intentional"
-  echo "If we don't do this, code review is impossible."
-  echo -e "For more info, see docs: docs/CONTRIBUTING.md#updating-vs-code\n"
-  # We need --no-verify to skip the husky pre-commit hook
-  # which fails because of the merge conflicts
-  git add . && git commit -am "chore(vscode): update to $VSCODE_EXACT_VERSION" --no-verify
-
-  # Note: we can't open a draft PR unless their are changes.
-  # Hence why we do this after the subtree update.
-  echo "Opening a draft PR on GitHub"
-  # To read about these flags, visit the docs: https://cli.github.com/manual/gh_pr_create
-  gh pr create --base main --title "feat(vscode): update to version $VSCODE_EXACT_VERSION" --body "$PR_BODY" --reviewer @cdr/code-server-reviewers --repo cdr/code-server --draft
-}
-
-main "$@"
--- a/ci/dev/watch.ts
+++ b/ci/dev/watch.ts
@@ -1,194 +1,141 @@
-import * as cp from "child_process"
-import Bundler from "parcel-bundler"
+import { spawn, ChildProcess } from "child_process"
 import * as path from "path"
+import { onLine, OnLineCallback } from "../../src/node/util"
+
+interface DevelopmentCompilers {
+  [key: string]: ChildProcess | undefined
+  vscode: ChildProcess
+  vscodeWebExtensions: ChildProcess
+  codeServer: ChildProcess
+  plugins: ChildProcess | undefined
+}
+
+class Watcher {
+  private rootPath = path.resolve(process.cwd())
+  private readonly paths = {
+    /** Path to uncompiled VS Code source. */
+    vscodeDir: path.join(this.rootPath, "lib/vscode"),
+    pluginDir: process.env.PLUGIN_DIR,
+  }
+
+  //#region Web Server
+
+  /** Development web server. */
+  private webServer: ChildProcess | undefined
+
+  private reloadWebServer = (): void => {
+    if (this.webServer) {
+      this.webServer.kill()
+    }
+
+    // Pass CLI args, save for `node` and the initial script name.
+    const args = process.argv.slice(2)
+    this.webServer = spawn("node", [path.join(this.rootPath, "out/node/entry.js"), ...args])
+    onLine(this.webServer, (line) => console.log("[code-server]", line))
+    const { pid } = this.webServer
+
+    this.webServer.on("exit", () => console.log("[code-server]", `Web process ${pid} exited`))
+
+    console.log("\n[code-server]", `Spawned web server process ${pid}`)
+  }
+
+  //#endregion
+
+  //#region Compilers
+
+  private readonly compilers: DevelopmentCompilers = {
+    codeServer: spawn("tsc", ["--watch", "--pretty", "--preserveWatchOutput"], { cwd: this.rootPath }),
+    vscode: spawn("yarn", ["watch"], { cwd: this.paths.vscodeDir }),
+    vscodeWebExtensions: spawn("yarn", ["watch-web"], { cwd: this.paths.vscodeDir }),
+    plugins: this.paths.pluginDir ? spawn("yarn", ["build", "--watch"], { cwd: this.paths.pluginDir }) : undefined,
+  }
+
+  public async initialize(): Promise<void> {
+    for (const event of ["SIGINT", "SIGTERM"]) {
+      process.on(event, () => this.dispose(0))
+    }
+
+    for (const [processName, devProcess] of Object.entries(this.compilers)) {
+      if (!devProcess) continue
+
+      devProcess.on("exit", (code) => {
+        console.log(`[${processName}]`, "Terminated unexpectedly")
+        this.dispose(code)
+      })
+
+      if (devProcess.stderr) {
+        devProcess.stderr.on("data", (d: string | Uint8Array) => process.stderr.write(d))
+      }
+    }
+
+    onLine(this.compilers.vscode, this.parseVSCodeLine)
+    onLine(this.compilers.codeServer, this.parseCodeServerLine)
+
+    if (this.compilers.plugins) {
+      onLine(this.compilers.plugins, this.parsePluginLine)
+    }
+  }
+
+  //#endregion
+
+  //#region Line Parsers
+
+  private parseVSCodeLine: OnLineCallback = (strippedLine, originalLine) => {
+    if (!strippedLine.length) return
+
+    console.log("[Code OSS]", originalLine)
+
+    if (strippedLine.includes("Finished compilation with")) {
+      console.log("[Code OSS] ✨ Finished compiling! ✨", "(Refresh your web browser ♻️)")
+      this.reloadWebServer()
+    }
+  }
+
+  private parseCodeServerLine: OnLineCallback = (strippedLine, originalLine) => {
+    if (!strippedLine.length) return
+
+    console.log("[Compiler][code-server]", originalLine)
+
+    if (strippedLine.includes("Watching for file changes")) {
+      console.log("[Compiler][code-server]", "Finished compiling!", "(Refresh your web browser ♻️)")
+      this.reloadWebServer()
+    }
+  }
+
+  private parsePluginLine: OnLineCallback = (strippedLine, originalLine) => {
+    if (!strippedLine.length) return
+
+    console.log("[Compiler][Plugin]", originalLine)
+
+    if (strippedLine.includes("Watching for file changes...")) {
+      this.reloadWebServer()
+    }
+  }
+
+  //#endregion
+
+  //#region Utilities
+
+  private dispose(code: number | null): void {
+    for (const [processName, devProcess] of Object.entries(this.compilers)) {
+      console.log(`[${processName}]`, "Killing...\n")
+      devProcess?.removeAllListeners()
+      devProcess?.kill()
+    }
+    process.exit(typeof code === "number" ? code : 0)
+  }
+
+  //#endregion
+}

 async function main(): Promise<void> {
  try {
    const watcher = new Watcher()
-    await watcher.watch()
-  } catch (error) {
+    await watcher.initialize()
+  } catch (error: any) {
    console.error(error.message)
    process.exit(1)
  }
 }

-class Watcher {
-  private readonly rootPath = path.resolve(__dirname, "../..")
-  private readonly vscodeSourcePath = path.join(this.rootPath, "lib/vscode")
-
-  private static log(message: string, skipNewline = false): void {
-    process.stdout.write(message)
-    if (!skipNewline) {
-      process.stdout.write("\n")
-    }
-  }
-
-  public async watch(): Promise<void> {
-    let server: cp.ChildProcess | undefined
-    const restartServer = (): void => {
-      if (server) {
-        server.kill()
-      }
-      const s = cp.fork(path.join(this.rootPath, "out/node/entry.js"), process.argv.slice(2))
-      console.log(`[server] spawned process ${s.pid}`)
-      s.on("exit", () => console.log(`[server] process ${s.pid} exited`))
-      server = s
-    }
-
-    const vscode = cp.spawn("yarn", ["watch"], { cwd: this.vscodeSourcePath })
-    const tsc = cp.spawn("tsc", ["--watch", "--pretty", "--preserveWatchOutput"], { cwd: this.rootPath })
-    const plugin = process.env.PLUGIN_DIR
-      ? cp.spawn("yarn", ["build", "--watch"], { cwd: process.env.PLUGIN_DIR })
-      : undefined
-    const bundler = this.createBundler()
-
-    const cleanup = (code?: number | null): void => {
-      Watcher.log("killing vs code watcher")
-      vscode.removeAllListeners()
-      vscode.kill()
-
-      Watcher.log("killing tsc")
-      tsc.removeAllListeners()
-      tsc.kill()
-
-      if (plugin) {
-        Watcher.log("killing plugin")
-        plugin.removeAllListeners()
-        plugin.kill()
-      }
-
-      if (server) {
-        Watcher.log("killing server")
-        server.removeAllListeners()
-        server.kill()
-      }
-
-      Watcher.log("killing bundler")
-      process.exit(code || 0)
-    }
-
-    process.on("SIGINT", () => cleanup())
-    process.on("SIGTERM", () => cleanup())
-
-    vscode.on("exit", (code) => {
-      Watcher.log("vs code watcher terminated unexpectedly")
-      cleanup(code)
-    })
-    tsc.on("exit", (code) => {
-      Watcher.log("tsc terminated unexpectedly")
-      cleanup(code)
-    })
-    if (plugin) {
-      plugin.on("exit", (code) => {
-        Watcher.log("plugin terminated unexpectedly")
-        cleanup(code)
-      })
-    }
-    const bundle = bundler.bundle().catch(() => {
-      Watcher.log("parcel watcher terminated unexpectedly")
-      cleanup(1)
-    })
-    bundler.on("buildEnd", () => {
-      console.log("[parcel] bundled")
-    })
-    bundler.on("buildError", (error) => {
-      console.error("[parcel]", error)
-    })
-
-    vscode.stderr.on("data", (d) => process.stderr.write(d))
-    tsc.stderr.on("data", (d) => process.stderr.write(d))
-    if (plugin) {
-      plugin.stderr.on("data", (d) => process.stderr.write(d))
-    }
-
-    // From https://github.com/chalk/ansi-regex
-    const pattern = [
-      "[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)",
-      "(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))",
-    ].join("|")
-    const re = new RegExp(pattern, "g")
-
-    /**
-     * Split stdout on newlines and strip ANSI codes.
-     */
-    const onLine = (proc: cp.ChildProcess, callback: (strippedLine: string, originalLine: string) => void): void => {
-      let buffer = ""
-      if (!proc.stdout) {
-        throw new Error("no stdout")
-      }
-      proc.stdout.setEncoding("utf8")
-      proc.stdout.on("data", (d) => {
-        const data = buffer + d
-        const split = data.split("\n")
-        const last = split.length - 1
-
-        for (let i = 0; i < last; ++i) {
-          callback(split[i].replace(re, ""), split[i])
-        }
-
-        // The last item will either be an empty string (the data ended with a
-        // newline) or a partial line (did not end with a newline) and we must
-        // wait to parse it until we get a full line.
-        buffer = split[last]
-      })
-    }
-
-    let startingVscode = false
-    let startedVscode = false
-    onLine(vscode, (line, original) => {
-      console.log("[vscode]", original)
-      // Wait for watch-client since "Finished compilation" will appear multiple
-      // times before the client starts building.
-      if (!startingVscode && line.includes("Starting watch-client")) {
-        startingVscode = true
-      } else if (startingVscode && line.includes("Finished compilation")) {
-        if (startedVscode) {
-          bundle.then(restartServer)
-        }
-        startedVscode = true
-      }
-    })
-
-    onLine(tsc, (line, original) => {
-      // tsc outputs blank lines; skip them.
-      if (line !== "") {
-        console.log("[tsc]", original)
-      }
-      if (line.includes("Watching for file changes")) {
-        bundle.then(restartServer)
-      }
-    })
-
-    if (plugin) {
-      onLine(plugin, (line, original) => {
-        // tsc outputs blank lines; skip them.
-        if (line !== "") {
-          console.log("[plugin]", original)
-        }
-        if (line.includes("Watching for file changes")) {
-          bundle.then(restartServer)
-        }
-      })
-    }
-  }
-
-  private createBundler(out = "dist"): Bundler {
-    return new Bundler(
-      [
-        path.join(this.rootPath, "src/browser/register.ts"),
-        path.join(this.rootPath, "src/browser/serviceWorker.ts"),
-        path.join(this.rootPath, "src/browser/pages/login.ts"),
-        path.join(this.rootPath, "src/browser/pages/vscode.ts"),
-      ],
-      {
-        outDir: path.join(this.rootPath, out),
-        cacheDir: path.join(this.rootPath, ".cache"),
-        minify: !!process.env.MINIFY,
-        logLevel: 1,
-        publicUrl: ".",
-      },
-    )
-  }
-}
-
 main()
--- a/ci/helm-chart/Chart.yaml
+++ b/ci/helm-chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: code-server
-description: A Helm chart for cdr/code-server
+description: A Helm chart for coder/code-server

 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.3
+version: 3.10.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 3.10.2
+appVersion: 4.14.1
--- a/ci/helm-chart/README.md
+++ b/ci/helm-chart/README.md
@@ -1,162 +0,0 @@
-# code-server
-
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.10.2](https://img.shields.io/badge/AppVersion-3.10.2-informational?style=flat-square)
-
-[code-server](https://github.com/cdr/code-server) code-server is VS Code running
-on a remote server, accessible through the browser.
-
-This chart is community maintained by [@Matthew-Beckett](https://github.com/Matthew-Beckett) and [@alexgorbatchev](https://github.com/alexgorbatchev)
-
-## TL;DR;
-
-```console
-$ git clone https://github.com/cdr/code-server
-$ cd code-server
-$ helm upgrade --install code-server ci/helm-chart
-```
-
-## Introduction
-
-This chart bootstraps a code-server deployment on a
-[Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh)
-package manager.
-
-## Prerequisites
-
-  - Kubernetes 1.6+
-
-## Installing the Chart
-
-To install the chart with the release name `code-server`:
-
-```console
-$ git clone https://github.com/cdr/code-server
-$ cd code-server
-$ helm upgrade --install code-server ci/helm-chart
-```
-
-The command deploys code-server on the Kubernetes cluster in the default
-configuration. The [configuration](#configuration) section lists the parameters
-that can be configured during installation.
-
-> **Tip**: List all releases using `helm list`
-
-## Uninstalling the Chart
-
-To uninstall/delete the `code-server` deployment:
-
-```console
-$ helm delete code-server
-```
-
-The command removes all the Kubernetes components associated with the chart and
-deletes the release.
-
-## Configuration
-
-The following table lists the configurable parameters of the code-server chart
-and their default values.
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| affinity | object | `{}` |  |
-| extraArgs | list | `[]` |  |
-| extraConfigmapMounts | list | `[]` |  |
-| extraContainers | string | `""` |  |
-| extraInitContainers | string | `""` |  |
-| extraSecretMounts | list | `[]` |  |
-| extraVars | list | `[]` |  |
-| extraVolumeMounts | list | `[]` |  |
-| fullnameOverride | string | `""` |  |
-| hostnameOverride | string | `""` |  |
-| image.pullPolicy | string | `"Always"` |  |
-| image.repository | string | `"codercom/code-server"` |  |
-| image.tag | string | `"3.10.2"` |  |
-| imagePullSecrets | list | `[]` |  |
-| ingress.enabled | bool | `false` |  |
-| nameOverride | string | `""` |  |
-| nodeSelector | object | `{}` |  |
-| persistence.accessMode | string | `"ReadWriteOnce"` |  |
-| persistence.annotations | object | `{}` |  |
-| persistence.enabled | bool | `true` |  |
-| persistence.size | string | `"1Gi"` |  |
-| podAnnotations | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
-| replicaCount | int | `1` |  |
-| resources | object | `{}` |  |
-| securityContext.enabled | bool | `true` |  |
-| securityContext.fsGroup | int | `1000` |  |
-| securityContext.runAsUser | int | `1000` |  |
-| service.port | int | `8443` |  |
-| service.type | string | `"ClusterIP"` |  |
-| serviceAccount.create | bool | `true` |  |
-| serviceAccount.name | string | `nil` |  |
-| tolerations | list | `[]` |  |
-| volumePermissions.enabled | bool | `true` |  |
-| volumePermissions.securityContext.runAsUser | int | `0` |  |
-
-Specify each parameter using the `--set key=value[,key=value]` argument to `helm
-install`. For example,
-
-```console
-$ helm upgrade --install code-server \
-    ci/helm-chart \
-    --set persistence.enabled=false
-```
-
-The above command sets the the persistence storage to false.
-
-Alternatively, a YAML file that specifies the values for the above parameters
-can be provided while installing the chart. For example,
-
-```console
-$ helm upgrade --install code-server ci/helm-chart -f values.yaml
-```
-
-> **Tip**: You can use the default [values.yaml](values.yaml)
-
-# Extra Containers
-
-There are two parameters which allow to add more containers to pod.
-Use `extraContainers` to add regular containers 
-and `extraInitContainers` to add init containers. You can read more
-about init containers in [k8s documentation](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/).
-
-Both parameters accept strings and use them as a templates
-
-Example of using `extraInitContainers`:
-
-``` yaml
-extraInitContainers: |
-  - name: customization
-    image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
-    imagePullPolicy: IfNotPresent
-    env:
-      - name: SERVICE_URL
-        value: https://open-vsx.org/vscode/gallery
-      - name: ITEM_URL
-        value: https://open-vsx.org/vscode/item
-    command:
-      - sh
-      - -c
-      - |
-        code-server --install-extension ms-python.python
-        code-server --install-extension golang.Go
-    volumeMounts:
-      - name: data
-        mountPath: /home/coder
-
-```
-
-With this yaml in file `init.yaml`, you can execute 
-
-```console
-$ helm upgrade --install code-server \
-    ci/helm-chart \
-    --values init.yaml
-```
-
-to deploy code-server with python and golang extensions preinstalled
-before main container have started. 
--- a/ci/helm-chart/templates/NOTES.txt
+++ b/ci/helm-chart/templates/NOTES.txt
@@ -15,9 +15,8 @@
  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "code-server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "code-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl port-forward $POD_NAME 8080:80
+  kubectl port-forward --namespace {{ .Release.Namespace }} service/{{ include "code-server.fullname" . }} 8080:http
 {{- end }}

 Administrator credentials:
--- a/ci/helm-chart/templates/deployment.yaml
+++ b/ci/helm-chart/templates/deployment.yaml
@@ -21,9 +21,13 @@ spec:
        app.kubernetes.io/name: {{ include "code-server.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
    spec:
+      imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }}
      {{- if .Values.hostnameOverride }}
      hostname: {{ .Values.hostnameOverride }}
      {{- end }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
      {{- if .Values.securityContext.enabled }}
      securityContext:
        fsGroup: {{ .Values.securityContext.fsGroup }}
@@ -58,6 +62,17 @@ spec:
          securityContext:
            runAsUser: {{ .Values.securityContext.runAsUser }}
          {{- end }}
+          {{- if .Values.lifecycle.enabled }}
+          lifecycle:
+            {{- if .Values.lifecycle.postStart }}
+            postStart:
+              {{ toYaml .Values.lifecycle.postStart | nindent 14 }}
+            {{- end }}
+            {{- if .Values.lifecycle.preStop }}
+            preStop:
+              {{ toYaml .Values.lifecycle.preStop | nindent 14 }}
+            {{- end }}
+          {{- end }}
          env:
        {{- if .Values.extraVars }}
 {{ toYaml .Values.extraVars | indent 10 }}
@@ -87,6 +102,7 @@ spec:
          {{- range .Values.extraSecretMounts }}
          - name: {{ .name }}
            mountPath: {{ .mountPath }}
+            subPath: {{ .subPath | default "" }}
            readOnly: {{ .readOnly }}
          {{- end }}
          {{- range .Values.extraVolumeMounts }}
@@ -99,6 +115,11 @@ spec:
            - name: http
              containerPort: 8080
              protocol: TCP
+          {{- range .Values.extraPorts }}
+            - name: {{ .name }}
+              containerPort: {{ .port }}
+              protocol: {{ .protocol }}
+          {{- end }}
          livenessProbe:
            httpGet:
              path: /
@@ -115,7 +136,7 @@ spec:
      {{- end }}
    {{- with .Values.affinity }}
      affinity:
-        {{- toYaml . | nindent 8 }}
+        {{- tpl . $ | nindent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
@@ -142,6 +163,12 @@ spec:
          secretName: {{ .secretName }}
          defaultMode: {{ .defaultMode }}
      {{- end }}
+      {{- range .Values.extraConfigmapMounts }}
+      - name: {{ .name }}
+        configMap:
+          name: {{ .configMap }}
+          defaultMode: {{ .defaultMode }}
+      {{- end }}
      {{- range .Values.extraVolumeMounts }}
      - name: {{ .name }}
        {{- if .existingClaim }}
--- a/ci/helm-chart/templates/ingress.yaml
+++ b/ci/helm-chart/templates/ingress.yaml
@@ -1,7 +1,9 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "code-server.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1beta1
 {{- else -}}
 apiVersion: extensions/v1beta1
@@ -16,6 +18,9 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
+  {{- if .Values.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  {{- end }}
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
@@ -27,6 +32,22 @@ spec:
    {{- end }}
  {{- end }}
  rules:
+  {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion -}}
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ . }}
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $fullName }}
+                port: 
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+  {{- else -}}
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
@@ -39,3 +60,4 @@ spec:
          {{- end }}
    {{- end }}
  {{- end }}
+{{- end }}
--- a/ci/helm-chart/templates/service.yaml
+++ b/ci/helm-chart/templates/service.yaml
@@ -14,6 +14,12 @@ spec:
      targetPort: http
      protocol: TCP
      name: http
+  {{- range .Values.extraPorts }}
+    - port: {{ .port }}
+      targetPort: {{ .port }}
+      protocol: {{ .protocol }}
+      name: {{ .name }}
+  {{- end }}
  selector:
    app.kubernetes.io/name: {{ include "code-server.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
--- a/ci/helm-chart/values.yaml
+++ b/ci/helm-chart/values.yaml
@@ -6,10 +6,15 @@ replicaCount: 1

 image:
  repository: codercom/code-server
-  tag: '3.10.2'
+  tag: '4.14.1'
  pullPolicy: Always

+# Specifies one or more secrets to be used when pulling images from a
+# private container repository
+# https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry
 imagePullSecrets: []
+#  - name: registry-creds
+
 nameOverride: ""
 fullnameOverride: ""
 hostnameOverride: ""
@@ -28,13 +33,7 @@ podAnnotations: {}
 podSecurityContext: {}
  # fsGroup: 2000

-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+priorityClassName: ""

 service:
  type: ClusterIP
@@ -43,13 +42,12 @@ service:
 ingress:
  enabled: false
  #annotations:
-  #  kubernetes.io/ingress.class: nginx
  #  kubernetes.io/tls-acme: "true"
  #hosts:
  #  - host: code-server.example.loc
  #    paths:
  #      - /
-
+  ingressClassName: ""
  #tls:
  #  - secretName: code-server
  #    hosts:
@@ -57,13 +55,25 @@ ingress:

 # Optional additional arguments
 extraArgs: []
-#  - --allow-http
-#  - --no-auth
+  # These are the arguments normally passed to code-server; run
+  # code-server --help for a list of available options.
+  #
+  # Each argument and parameter must have its own entry; if you use
+  # --param value on the command line, then enter it here as:
+  #
+  # - --param
+  # - value
+  #
+  # If you receive an error like "Unknown option --param value", it may be
+  # because both the parameter and value are specified as a single argument,
+  # rather than two separate arguments (e.g. "- --param value" on a line).

 # Optional additional environment variables
 extraVars: []
 #  - name: DISABLE_TELEMETRY
 #    value: true
+#  - name: DOCKER_HOST
+#    value: "tcp://localhost:2375"

 ##
 ## Init containers parameters:
@@ -117,13 +127,19 @@ persistence:
  # existingClaim: ""
  # hostPath: /data

-serviceAccount:
-  create: true
-  name:
+lifecycle:
+  enabled: false
+  # postStart:
+  #  exec:
+  #    command:
+  #      - /bin/bash
+  #      - -c
+  #      - curl -s -L SOME_SCRIPT | bash

 ## Enable an Specify container in extraContainers.
 ## This is meant to allow adding code-server dependencies, like docker-dind.
 extraContainers: |
+# If docker-dind is used, DOCKER_HOST env is mandatory to set in "extraVars"
 #- name: docker-dind
 #  image: docker:19.03-dind
 #  imagePullPolicy: IfNotPresent
@@ -140,10 +156,30 @@ extraContainers: |
 #  - name: DOCKER_DRIVER
 #    value: "overlay2"

+extraInitContainers: |
+# - name: customization
+#   image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+#   imagePullPolicy: IfNotPresent
+#   env:
+#     - name: SERVICE_URL
+#       value: https://open-vsx.org/vscode/gallery
+#     - name: ITEM_URL
+#       value: https://open-vsx.org/vscode/item
+#   command:
+#     - sh
+#     - -c
+#     - |
+#       code-server --install-extension ms-python.python
+#       code-server --install-extension golang.Go
+#   volumeMounts:
+#     - name: data
+#       mountPath: /home/coder
+
 ## Additional code-server secret mounts
 extraSecretMounts: []
  # - name: secret-files
  #   mountPath: /etc/secrets
+  #   subPath: private.key # (optional)
  #   secretName: code-server-secret-files
  #   readOnly: true

@@ -161,3 +197,8 @@ extraConfigmapMounts: []
  #   subPath: certificates.crt # (optional)
  #   configMap: certs-configmap
  #   readOnly: true
+
+extraPorts: []
+  # - name: minecraft
+  #   port: 25565
+  #   protocol: tcp
--- a/ci/lib.sh
+++ b/ci/lib.sh
@@ -2,15 +2,11 @@
 set -euo pipefail

 pushd() {
-  builtin pushd "$@" >/dev/null
+  builtin pushd "$@" > /dev/null
 }

 popd() {
-  builtin popd >/dev/null
-}
-
-pkg_json_version() {
-  jq -r .version package.json
+  builtin popd > /dev/null
 }

 vscode_version() {
@@ -18,84 +14,36 @@ vscode_version() {
 }

 os() {
-  local os
-  os=$(uname | tr '[:upper:]' '[:lower:]')
-  if [[ $os == "linux" ]]; then
-    # Alpine's ldd doesn't have a version flag but if you use an invalid flag
-    # (like --version) it outputs the version to stderr and exits with 1.
-    local ldd_output
-    ldd_output=$(ldd --version 2>&1 || true)
-    if echo "$ldd_output" | grep -iq musl; then
-      os="alpine"
-    fi
-  elif [[ $os == "darwin" ]]; then
-    os="macos"
-  fi
-  echo "$os"
+  osname=$(uname | tr '[:upper:]' '[:lower:]')
+  case $osname in
+    linux)
+      # Alpine's ldd doesn't have a version flag but if you use an invalid flag
+      # (like --version) it outputs the version to stderr and exits with 1.
+      # TODO: Better to check /etc/os-release; see ../install.sh.
+      ldd_output=$(ldd --version 2>&1 || true)
+      if echo "$ldd_output" | grep -iq musl; then
+        osname="alpine"
+      fi
+      ;;
+    darwin) osname="macos" ;;
+    cygwin* | mingw*) osname="windows" ;;
+  esac
+  echo "$osname"
 }

 arch() {
-  case "$(uname -m)" in
-  aarch64)
-    echo arm64
-    ;;
-  x86_64 | amd64)
-    echo amd64
-    ;;
-  *)
-    echo "unknown architecture $(uname -a)"
-    exit 1
-    ;;
+  cpu="$(uname -m)"
+  case "$cpu" in
+    aarch64) cpu=arm64 ;;
+    x86_64) cpu=amd64 ;;
  esac
-}
-
-# Grabs the most recent ci.yaml github workflow run that was triggered from the
-# pull request of the release branch for this version (regardless of whether
-# that run succeeded or failed). The release branch name must be in semver
-# format with a v prepended.
-# This will contain the artifacts we want.
-# https://developer.github.com/v3/actions/workflow-runs/#list-workflow-runs
-get_artifacts_url() {
-  local artifacts_url
-  local workflow_runs_url="repos/:owner/:repo/actions/workflows/ci.yaml/runs?event=pull_request"
-  local version_branch="v$VERSION"
-  artifacts_url=$(gh api "$workflow_runs_url" | jq -r ".workflow_runs[] | select(.head_branch == \"$version_branch\") | .artifacts_url" | head -n 1)
-  if [[ -z "$artifacts_url" ]]; then
-    echo >&2 "ERROR: artifacts_url came back empty"
-    echo >&2 "We looked for a successful run triggered by a pull_request with for code-server version: $code_server_version and a branch named $version_branch"
-    echo >&2 "URL used for gh API call: $workflow_runs_url"
-    exit 1
-  fi
-
-  echo "$artifacts_url"
-}
-
-# Grabs the artifact's download url.
-# https://developer.github.com/v3/actions/artifacts/#list-workflow-run-artifacts
-get_artifact_url() {
-  local artifact_name="$1"
-  gh api "$(get_artifacts_url)" | jq -r ".artifacts[] | select(.name == \"$artifact_name\") | .archive_download_url" | head -n 1
-}
-
-# Uses the above two functions to download a artifact into a directory.
-download_artifact() {
-  local artifact_name="$1"
-  local dst="$2"
-
-  local tmp_file
-  tmp_file="$(mktemp)"
-
-  gh api "$(get_artifact_url "$artifact_name")" >"$tmp_file"
-  unzip -q -o "$tmp_file" -d "$dst"
-  rm "$tmp_file"
+  echo "$cpu"
 }

 rsync() {
  command rsync -a --del "$@"
 }

-VERSION="$(pkg_json_version)"
-export VERSION
 ARCH="$(arch)"
 export ARCH
 OS=$(os)
@@ -104,21 +52,3 @@ export OS
 # RELEASE_PATH is the destination directory for the release from the root.
 # Defaults to release
 RELEASE_PATH="${RELEASE_PATH-release}"
-
-# VS Code bundles some modules into an asar which is an archive format that
-# works like tar. It then seems to get unpacked into node_modules.asar.
-#
-# I don't know why they do this but all the dependencies they bundle already
-# exist in node_modules so just symlink it. We have to do this since not only VS
-# Code itself but also extensions will look specifically in this directory for
-# files (like the ripgrep binary or the oniguruma wasm).
-symlink_asar() {
-  rm -f node_modules.asar
-  if [ "${WINDIR-}" ]; then
-    # mklink takes the link name first.
-    mklink /J node_modules.asar node_modules
-  else
-    # ln takes the link name second.
-    ln -s node_modules node_modules.asar
-  fi
-}
--- a/ci/release-image/Dockerfile
+++ b/ci/release-image/Dockerfile
@@ -1,7 +1,13 @@
-FROM debian:10
+# syntax=docker/dockerfile:experimental
+
+ARG BASE=debian:11
+FROM scratch AS packages
+COPY release-packages/code-server*.deb /tmp/
+
+FROM $BASE

 RUN apt-get update \
- && apt-get install -y \
+  && apt-get install -y \
    curl \
    dumb-init \
    zsh \
@@ -10,11 +16,13 @@ RUN apt-get update \
    man \
    nano \
    git \
+    git-lfs \
    procps \
    openssh-client \
    sudo \
    vim.tiny \
    lsb-release \
+  && git lfs install \
  && rm -rf /var/lib/apt/lists/*

 # https://wiki.debian.org/Locale#Manually
@@ -22,19 +30,22 @@ RUN sed -i "s/# en_US.UTF-8/en_US.UTF-8/" /etc/locale.gen \
  && locale-gen
 ENV LANG=en_US.UTF-8

-RUN adduser --gecos '' --disabled-password coder && \
-  echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
+RUN adduser --gecos '' --disabled-password coder \
+  && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd

-RUN ARCH="$(dpkg --print-architecture)" && \
-    curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - && \
-    chown root:root /usr/local/bin/fixuid && \
-    chmod 4755 /usr/local/bin/fixuid && \
-    mkdir -p /etc/fixuid && \
-    printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
+RUN ARCH="$(dpkg --print-architecture)" \
+  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
+  && chown root:root /usr/local/bin/fixuid \
+  && chmod 4755 /usr/local/bin/fixuid \
+  && mkdir -p /etc/fixuid \
+  && printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml

-COPY release-packages/code-server*.deb /tmp/
 COPY ci/release-image/entrypoint.sh /usr/bin/entrypoint.sh
-RUN dpkg -i /tmp/code-server*$(dpkg --print-architecture).deb && rm /tmp/code-server*.deb
+RUN --mount=from=packages,src=/tmp,dst=/tmp/packages dpkg -i /tmp/packages/code-server*$(dpkg --print-architecture).deb
+
+# Allow users to have scripts run on container startup to prepare workspace.
+# https://github.com/coder/code-server/issues/5177
+ENV ENTRYPOINTD=${HOME}/entrypoint.d

 EXPOSE 8080
 # This way, if someone sets $DOCKER_USER, docker-exec will still work as
--- a/ci/release-image/build.sh
+++ b/ci/release-image/build.sh
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-main() {
-  cd "$(dirname "$0")/../.."
-  source ./ci/lib.sh
-
-  docker build -t "codercom/code-server-$ARCH:$VERSION" -f ./ci/release-image/Dockerfile .
-}
-
-main "$@"
--- a/ci/release-image/docker-bake.hcl
+++ b/ci/release-image/docker-bake.hcl
@@ -0,0 +1,68 @@
+# Use this file from the top of the repo, with `-f ci/release-image/docker-bake.hcl`
+
+# Uses env var VERSION if set;
+# normally, this is set by ci/lib.sh
+variable "VERSION" {
+    default = "latest"
+}
+
+variable "DOCKER_REGISTRY" {
+    default = "docker.io/codercom/code-server"
+}
+
+variable "GITHUB_REGISTRY" {
+    default = "ghcr.io/coder/code-server"
+}
+
+group "default" {
+    targets = [
+        "code-server-debian-11", 
+        "code-server-ubuntu-focal",
+    ]
+}
+
+function "prepend_hyphen_if_not_null" {
+    params = [tag]
+    result = notequal("","${tag}") ? "-${tag}" : "${tag}"
+}
+
+# use empty tag (tag="") to generate default tags
+function "gen_tags" {
+    params = [registry, tag]
+    result = notequal("","${registry}") ? [
+        notequal("", "${tag}") ? "${registry}:${tag}" : "${registry}:latest",
+        notequal("latest",VERSION) ? "${registry}:${VERSION}${prepend_hyphen_if_not_null(tag)}" : "",
+    ] : []
+}
+
+# helper function to generate tags for docker registry and github registry.
+# set (DOCKER|GITHUB)_REGISTRY="" to disable corresponding registry
+function "gen_tags_for_docker_and_ghcr" {
+    params = [tag]
+    result = concat(
+        gen_tags("${DOCKER_REGISTRY}", "${tag}"),
+        gen_tags("${GITHUB_REGISTRY}", "${tag}"),
+    )
+}
+
+target "code-server-debian-11" {
+    dockerfile = "ci/release-image/Dockerfile"
+    tags = concat(
+        gen_tags_for_docker_and_ghcr(""),
+        gen_tags_for_docker_and_ghcr("debian"),
+        gen_tags_for_docker_and_ghcr("bullseye"),
+    )
+    platforms = ["linux/amd64", "linux/arm64"]
+}
+
+target "code-server-ubuntu-focal" {
+    dockerfile = "ci/release-image/Dockerfile"
+    tags = concat(
+        gen_tags_for_docker_and_ghcr("ubuntu"),
+        gen_tags_for_docker_and_ghcr("focal"),
+    )
+    args = {
+        BASE = "ubuntu:focal"
+    }
+    platforms = ["linux/amd64", "linux/arm64"]
+}
--- a/ci/release-image/entrypoint.sh
+++ b/ci/release-image/entrypoint.sh
@@ -8,7 +8,7 @@ eval "$(fixuid -q)"
 if [ "${DOCKER_USER-}" ]; then
  USER="$DOCKER_USER"
  if [ "$DOCKER_USER" != "$(whoami)" ]; then
-    echo "$DOCKER_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/nopasswd >/dev/null
+    echo "$DOCKER_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/nopasswd > /dev/null
    # Unfortunately we cannot change $HOME as we cannot move any bind mounts
    # nor can we bind mount $HOME into a new home as that requires a privileged container.
    sudo usermod --login "$DOCKER_USER" coder
@@ -18,4 +18,10 @@ if [ "${DOCKER_USER-}" ]; then
  fi
 fi

-dumb-init /usr/bin/code-server "$@"
+# Allow users to have scripts run on container startup to prepare workspace.
+# https://github.com/coder/code-server/issues/5177
+if [ -d "${ENTRYPOINTD}" ]; then
+  find "${ENTRYPOINTD}" -type f -executable -print -exec {} \;
+fi
+
+exec dumb-init /usr/bin/code-server "$@"
--- a/ci/steps/brew-bump.sh
+++ b/ci/steps/brew-bump.sh
@@ -2,39 +2,36 @@
 set -euo pipefail

 main() {
-  cd "$(dirname "$0")/../.."
  # Only sourcing this so we get access to $VERSION
  source ./ci/lib.sh
+  source ./ci/steps/steps-lib.sh

-  # NOTE: we need to make sure cdrci/homebrew-core
-  # is up-to-date
-  # otherwise, brew bump-formula-pr will use an
-  # outdated base
-  echo "Cloning cdrci/homebrew-core"
-  git clone https://github.com/cdrci/homebrew-core.git
+  echo "Checking environment variables"

-  echo "Changing into homebrew-core directory"
-  cd homebrew-core && pwd
+  # We need VERSION to bump the brew formula
+  if ! is_env_var_set "VERSION"; then
+    echo "VERSION is not set"
+    exit 1
+  fi

-  echo "Adding Homebrew/homebrew-core as $(upstream)"
-  git remote add upstream https://github.com/Homebrew/homebrew-core.git
-
-  echo "Fetching upstream commits..."
-  git fetch upstream
-
-  echo "Merging in latest changes"
-  git merge upstream/master
-
-  echo "Pushing changes to cdrci/homebrew-core fork on GitHub"
-  git push origin master
+  # We need HOMEBREW_GITHUB_API_TOKEN to push up commits
+  if ! is_env_var_set "HOMEBREW_GITHUB_API_TOKEN"; then
+    echo "HOMEBREW_GITHUB_API_TOKEN is not set"
+    exit 1
+  fi

  # Find the docs for bump-formula-pr here
  # https://github.com/Homebrew/brew/blob/master/Library/Homebrew/dev-cmd/bump-formula-pr.rb#L18
-  brew bump-formula-pr --force --version="${VERSION}" code-server --no-browse --no-audit
-
-  # Clean up and remove homebrew-core
-  cd ..
-  rm -rf homebrew-core
+  local output
+  if ! output=$(brew bump-formula-pr --version="${VERSION}" code-server --no-browse --no-audit --message="PR opened by @${GITHUB_ACTOR}" 2>&1); then
+    if [[ $output == *"Duplicate PRs should not be opened"* ]]; then
+      echo "$VERSION is already submitted"
+      exit 0
+    else
+      echo "$output"
+      exit 1
+    fi
+  fi
 }

 main "$@"
--- a/ci/steps/build-docker-image.sh
+++ b/ci/steps/build-docker-image.sh
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-main() {
-  cd "$(dirname "$0")/../.."
-  source ./ci/lib.sh
-
-  ./ci/release-image/build.sh
-
-  mkdir -p release-images
-  docker save "codercom/code-server-$ARCH:$VERSION" >"release-images/code-server-$ARCH-$VERSION.tar"
-}
-
-main "$@"
--- a/ci/steps/docker-buildx-push.sh
+++ b/ci/steps/docker-buildx-push.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+main() {
+  cd "$(dirname "$0")/../.."
+  # NOTE@jsjoeio - this script assumes VERSION exists as an
+  # environment variable.
+
+  # NOTE@jsjoeio - this script assumes that you've downloaded
+  # the release-packages artifact to ./release-packages before
+  # running this docker buildx step
+  docker buildx bake -f ci/release-image/docker-bake.hcl --push
+}
+
+main "$@"
--- a/ci/steps/publish-npm.sh
+++ b/ci/steps/publish-npm.sh
@@ -4,15 +4,150 @@ set -euo pipefail
 main() {
  cd "$(dirname "$0")/../.."
  source ./ci/lib.sh
+  source ./ci/steps/steps-lib.sh

-  if [[ ${CI-} ]]; then
-    echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >~/.npmrc
+  ## Authentication tokens
+  # Needed to publish on NPM
+  if ! is_env_var_set "NPM_TOKEN"; then
+    echo "NPM_TOKEN is not set. Cannot publish to npm without credentials."
+    exit 1
  fi

-  download_artifact npm-package ./release-npm-package
+  ## Publishing Information
+  # All the variables below are used to determine how we should publish
+  # the npm package. We also use this information for bumping the version.
+  # This is because npm won't publish your package unless it's a new version.
+  # i.e. for development, we bump the version to <current version>-<pr number>-<commit sha>
+  # example: "version": "4.0.1-4769-ad7b23cfe6ffd72914e34781ef7721b129a23040"
+  # We use this to grab the PR_NUMBER
+  if ! is_env_var_set "GITHUB_REF"; then
+    echo "GITHUB_REF is not set. Are you running this locally? We rely on values provided by GitHub."
+    exit 1
+  fi
+
+  # We use this when setting NPM_VERSION
+  if ! is_env_var_set "GITHUB_SHA"; then
+    echo "GITHUB_SHA is not set. Are you running this locally? We rely on values provided by GitHub."
+    exit 1
+  fi
+
+  # We use this to determine the NPM_ENVIRONMENT
+  if ! is_env_var_set "GITHUB_EVENT_NAME"; then
+    echo "GITHUB_EVENT_NAME is not set. Are you running this locally? We rely on values provided by GitHub."
+    exit 1
+  fi
+
+  # Check that we're using at least v7 of npm CLI
+  if ! command -v jq &> /dev/null; then
+    echo "Couldn't find jq"
+    echo "We need this in order to modify the package.json for dev builds."
+    exit 1
+  fi
+
+  # This allows us to publish to npm in CI workflows
+  if [[ ${CI-} ]]; then
+    echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
+  fi
+
+  ## Environment
+  # This string is used to determine how we should tag the npm release.
+  # Environment can be one of three choices:
+  # "development" - this means we tag with the PR number, allowing
+  # a developer to install this version with `yarn add code-server@<pr-number>`
+  # "staging" - this means we tag with `beta`, allowing
+  # a developer to install this version with `yarn add code-server@beta`
+  # "production" - this means we tag with `latest` (default), allowing
+  # a developer to install this version with `yarn add code-server@latest`
+  if ! is_env_var_set "NPM_ENVIRONMENT"; then
+    echo "NPM_ENVIRONMENT is not set."
+    echo "Determining in script based on GITHUB environment variables."
+
+    if [[ "$GITHUB_EVENT_NAME" == 'push' && "$GITHUB_REF" == 'refs/heads/main' ]]; then
+      NPM_ENVIRONMENT="staging"
+    else
+      NPM_ENVIRONMENT="development"
+    fi
+
+  fi
+
+  # NOTE@jsjoeio - this script assumes we have the artifact downloaded on disk
+  # That happens in CI as a step before we run this.
  # https://github.com/actions/upload-artifact/issues/38
  tar -xzf release-npm-package/package.tar.gz
-  yarn publish --non-interactive release
+
+  # We use this to set the name of the package in the
+  # package.json
+  PACKAGE_NAME="code-server"
+
+  # NOTES:@jsjoeio
+  # We only need to run npm version for "development" and "staging".
+  # This is because our release:prep script automatically bumps the version
+  # in the package.json and we commit it as part of the release PR.
+  if [[ "$NPM_ENVIRONMENT" == "production" ]]; then
+    NPM_VERSION="$VERSION"
+    # This means the npm version will be published as "stable"
+    # and installed when a user runs `yarn install code-server`
+    NPM_TAG="latest"
+  else
+    COMMIT_SHA="$GITHUB_SHA"
+
+    if [[ "$NPM_ENVIRONMENT" == "staging" ]]; then
+      NPM_VERSION="$VERSION-beta-$COMMIT_SHA"
+      # This means the npm version will be tagged with "beta"
+      # and installed when a user runs `yarn install code-server@beta`
+      NPM_TAG="beta"
+      PACKAGE_NAME="@coder/code-server-pr"
+    fi
+
+    if [[ "$NPM_ENVIRONMENT" == "development" ]]; then
+      # Source: https://github.com/actions/checkout/issues/58#issuecomment-614041550
+      PR_NUMBER=$(echo "$GITHUB_REF" | awk 'BEGIN { FS = "/" } ; { print $3 }')
+      NPM_VERSION="$VERSION-$PR_NUMBER-$COMMIT_SHA"
+      PACKAGE_NAME="@coder/code-server-pr"
+      # This means the npm version will be tagged with "<pr number>"
+      # and installed when a user runs `yarn install code-server@<pr number>`
+      NPM_TAG="$PR_NUMBER"
+    fi
+
+    echo "- tag: $NPM_TAG"
+    echo "- version: $NPM_VERSION"
+    echo "- package name: $PACKAGE_NAME"
+    echo "- npm environment: $NPM_ENVIRONMENT"
+
+    # We modify the version in the package.json
+    # to be the current version + the PR number + commit SHA
+    # or we use current version + beta + commit SHA
+    # Example: "version": "4.0.1-4769-ad7b23cfe6ffd72914e34781ef7721b129a23040"
+    # Example: "version": "4.0.1-beta-ad7b23cfe6ffd72914e34781ef7721b129a23040"
+    pushd release
+    # NOTE@jsjoeio
+    # I originally tried to use `yarn version` but ran into issues and abandoned it.
+    npm version "$NPM_VERSION"
+    # NOTE@jsjoeio
+    # Use the development package name
+    # This is so we don't clutter the code-server versions on npm
+    # with development versions.
+    # jq can't edit in place so we must store in memory and echo
+    local contents
+    contents="$(jq ".name |= \"$PACKAGE_NAME\"" package.json)"
+    echo "${contents}" > package.json
+    popd
+  fi
+
+  # NOTE@jsjoeio
+  # We need to make sure we haven't already published the version.
+  # If we get error, continue with script because we want to publish
+  # If version is valid, we check if we're publishing the same one
+  local hasVersion
+  if hasVersion=$(npm view "$PACKAGE_NAME@$NPM_VERSION" version 2> /dev/null) && [[ $hasVersion == "$NPM_VERSION" ]]; then
+    echo "$NPM_VERSION is already published under $PACKAGE_NAME"
+    return
+  fi
+
+  # NOTE@jsjoeio
+  # Since the dev builds are scoped to @coder
+  # We pass --access public to ensure npm knows it's not private.
+  yarn publish --non-interactive release --tag "$NPM_TAG" --access public
 }

 main "$@"
--- a/ci/steps/push-docker-manifest.sh
+++ b/ci/steps/push-docker-manifest.sh
@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-main() {
-  cd "$(dirname "$0")/../.."
-  source ./ci/lib.sh
-
-  download_artifact release-images ./release-images
-  if [[ ${CI-} ]]; then
-    echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-  fi
-
-  for img in ./release-images/*; do
-    docker load -i "$img"
-  done
-
-  # We have to ensure the amd64 and arm64 images exist on the remote registry
-  # in order to build the manifest.
-  # We don't put the arch in the tag to avoid polluting the main repository.
-  # These other repositories are private so they don't pollute our organization namespace.
-  docker push "codercom/code-server-amd64:$VERSION"
-  docker push "codercom/code-server-arm64:$VERSION"
-
-  export DOCKER_CLI_EXPERIMENTAL=enabled
-
-  docker manifest create "codercom/code-server:$VERSION" \
-    "codercom/code-server-amd64:$VERSION" \
-    "codercom/code-server-arm64:$VERSION"
-  docker manifest push --purge "codercom/code-server:$VERSION"
-
-  docker manifest create "codercom/code-server:latest" \
-    "codercom/code-server-amd64:$VERSION" \
-    "codercom/code-server-arm64:$VERSION"
-  docker manifest push --purge "codercom/code-server:latest"
-}
-
-main "$@"
--- a/ci/steps/steps-lib.sh
+++ b/ci/steps/steps-lib.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# This is a library which contains functions used inside ci/steps
+#
+# We separated it into it's own file so that we could easily unit test
+# these functions and helpers
+
+# Checks whether and environment variable is set.
+# Source: https://stackoverflow.com/a/62210688/3015595
+is_env_var_set() {
+  local name="${1:-}"
+  if test -n "${!name:-}"; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# Checks whether a directory exists.
+directory_exists() {
+  local dir="${1:-}"
+  if [[ -d "${dir:-}" ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# Checks whether a file exists.
+file_exists() {
+  local file="${1:-}"
+  if test -f "${file:-}"; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# Checks whether a file is executable.
+is_executable() {
+  local file="${1:-}"
+  if [ -f "${file}" ] && [ -r "${file}" ] && [ -x "${file}" ]; then
+    return 0
+  else
+    return 1
+  fi
+}
--- a/docs/CODE_OF_CONDUCT.md
+++ b/docs/CODE_OF_CONDUCT.md
@@ -1,5 +1,18 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+# Contributor Covenant Code of Conduct
+
+- [Contributor Covenant Code of Conduct](#contributor-covenant-code-of-conduct)
+  - [Our Pledge](#our-pledge)
+  - [Our Standards](#our-standards)
+  - [Our Responsibilities](#our-responsibilities)
+  - [Scope](#scope)
+  - [Enforcement](#enforcement)
+  - [Attribution](#attribution)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->

 # Contributor Covenant Code of Conduct

--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -1,88 +1,145 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Contributing

- [Pull Requests](#pull-requests)
-  - [Commits](#commits)
 - [Requirements](#requirements)
- [Development Workflow](#development-workflow)
-  - [Updating VS Code](#updating-vs-code)
-    - [Notes about Changes](#notes-about-changes)
- [Build](#build)
+  - [Linux-specific requirements](#linux-specific-requirements)
+- [Creating pull requests](#creating-pull-requests)
+  - [Commits and commit history](#commits-and-commit-history)
+- [Development workflow](#development-workflow)
+  - [Version updates to Code](#version-updates-to-code)
+  - [Patching Code](#patching-code)
+  - [Build](#build)
+    - [Creating a Standalone Release](#creating-a-standalone-release)
+  - [Troubleshooting](#troubleshooting)
+    - [I see "Forbidden access" when I load code-server in the browser](#i-see-forbidden-access-when-i-load-code-server-in-the-browser)
+    - ["Can only have one anonymous define call per script"](#can-only-have-one-anonymous-define-call-per-script)
+  - [Help](#help)
+- [Test](#test)
+  - [Unit tests](#unit-tests)
+  - [Script tests](#script-tests)
+  - [Integration tests](#integration-tests)
+  - [End-to-end tests](#end-to-end-tests)
 - [Structure](#structure)
-  - [Modifications to VS Code](#modifications-to-vs-code)
+  - [Modifications to Code](#modifications-to-code)
  - [Currently Known Issues](#currently-known-issues)

 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->

 - [Detailed CI and build process docs](../ci)

-## Pull Requests
+## Requirements

-Please create a [GitHub Issue](https://github.com/cdr/code-server/issues) for each issue
-you'd like to address unless the proposed fix is minor.
+The prerequisites for contributing to code-server are almost the same as those
+for [VS
+Code](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites).
+Here is what is needed:

-In your Pull Requests (PR), link to the issue that the PR solves.
+- `node` v16.x
+- `git` v2.x or greater
+- [`git-lfs`](https://git-lfs.github.com)
+- [`yarn`](https://classic.yarnpkg.com/en/)
+  - Used to install JS packages and run scripts
+- [`nfpm`](https://nfpm.goreleaser.com/)
+  - Used to build `.deb` and `.rpm` packages
+- [`jq`](https://stedolan.github.io/jq/)
+  - Used to build code-server releases
+- [`gnupg`](https://gnupg.org/index.html)
+  - All commits must be signed and verified; see GitHub's [Managing commit
+    signature
+    verification](https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification)
+    or follow [this tutorial](https://joeprevite.com/verify-commits-on-github)
+- `quilt`
+  - Used to manage patches to Code
+- `rsync` and `unzip`
+  - Used for code-server releases
+- `bats`
+  - Used to run script unit tests
+
+### Linux-specific requirements
+
+If you're developing code-server on Linux, make sure you have installed or install the following dependencies:
+
+```shell
+sudo apt-get install build-essential g++ libx11-dev libxkbfile-dev libsecret-1-dev python-is-python3
+```
+
+These are required by Code. See [their Wiki](https://github.com/microsoft/vscode/wiki/How-to-Contribute#prerequisites) for more information.
+
+## Creating pull requests
+
+Please create a [GitHub Issue](https://github.com/coder/code-server/issues) that
+includes context for issues that you see. You can skip this if the proposed fix
+is minor.
+
+In your pull requests (PR), link to the issue that the PR solves.

 Please ensure that the base of your PR is the **main** branch.

-### Commits
+### Commits and commit history

-We prefer a clean commit history. This means you should squash all fixups and fixup-type commits before asking for review (cleanup, squash, force-push). If you need help with this, feel free to leave a comment in your PR and we'll guide you.
+We prefer a clean commit history. This means you should squash all fixups and
+fixup-type commits before asking for a review (e.g., clean up, squash, then force
+push). If you need help with this, feel free to leave a comment in your PR, and
+we'll guide you.

-## Requirements
+## Development workflow

-The prerequisites for contributing to code-server are almost the same as those for
-[VS Code](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites).
-There are several differences, however. Here is what is needed:
+1. `git clone https://github.com/coder/code-server.git` - Clone `code-server`
+2. `git submodule update --init` - Clone `vscode` submodule
+3. `quilt push -a` - Apply patches to the `vscode` submodule.
+4. `yarn` - Install dependencies
+5. `yarn watch` - Launch code-server localhost:8080. code-server will be live
+   reloaded when changes are made; the browser needs to be refreshed manually.

- `node` v12.x or greater
- `git` v2.x or greater
- [`yarn`](https://classic.yarnpkg.com/en/)
-  - used to install JS packages and run scripts
- [`nfpm`](https://classic.yarnpkg.com/en/)
-  - used to build `.deb` and `.rpm` packages
- [`jq`](https://stedolan.github.io/jq/)
-  - used to build code-server releases
- [`gnupg`](https://gnupg.org/index.html)
-  - all commits must be signed and verified
-  - see GitHub's ["Managing commit signature verification"](https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification) or follow [this tutorial](https://joeprevite.com/verify-commits-on-github)
- `build-essential` (Linux)
-  - `apt-get install -y build-essential` - used by VS Code
- `rsync` and `unzip`
-  - used for code-server releases
+When pulling down changes that include modifications to the patches you will
+need to apply them with `quilt`. If you pull down changes that update the
+`vscode` submodule you will need to run `git submodule update --init` and
+re-apply the patches.

-## Development Workflow
+### Version updates to Code
+
+1. Update the `lib/vscode` submodule to the desired upstream version branch.
+   1. `cd lib/vscode && git checkout release/1.66 && cd ../..`
+   2. `git add lib && git commit -m "chore: update Code"`
+2. Apply the patches (`quilt push -a`) or restore your stashed changes. At this
+   stage you may need to resolve conflicts. For example use `quilt push -f`,
+   manually apply the rejected portions, then `quilt refresh`.
+3. From the code-server **project root**, run `yarn install`.
+4. Test code-server locally to make sure everything works.
+5. Check the Node.js version that's used by Electron (which is shipped with VS
+   Code. If necessary, update your version of Node.js to match.
+6. Commit the updated submodule and patches to `code-server`.
+7. Open a PR.
+
+Tip: if you're certain all patches are applied correctly and you simply need to
+refresh, you can use this trick:

 ```shell
-yarn
-yarn watch
-# Visit http://localhost:8080 once the build is completed.
+while quilt push; do quilt refresh; done
 ```

-`yarn watch` will live reload changes to the source.
+[Source](https://raphaelhertzog.com/2012/08/08/how-to-use-quilt-to-manage-patches-in-debian-packages/)

-### Updating VS Code
+### Patching Code

-Updating VS Code requires `git subtree`. On some rpm-based Linux distros, `git subtree` is not included by default, and needs to be installed separately.
-To install, run `dnf install git-subtree` or `yum install git-subtree` as necessary.
+0. You can go through the patch stack with `quilt push` and `quilt pop`.
+1. Create a new patch (`quilt new {name}.diff`) or use an existing patch.
+2. Add the file(s) you are patching (`quilt add [-P patch] {file}`). A file
+   **must** be added before you make changes to it.
+3. Make your changes. Patches do not need to be independent of each other but
+   each patch must result in a working code-server without any broken in-between
+   states otherwise they are difficult to test and modify.
+4. Add your changes to the patch (`quilt refresh`)
+5. Add a comment in the patch about the reason for the patch and how to
+   reproduce the behavior it fixes or adds. Every patch should have an e2e test
+   as well.

-To update VS Code, follow these steps:
+### Build

-1. Run `yarn update:vscode`.
-2. Enter a version. Ex. 1.53
-3. This will open a draft PR for you.
-4. There will be merge conflicts. First commit them.
-   1. We do this because if we don't, it will be impossible to review your PR.
-5. Once they're all fixed, test code-server locally and make sure it all works.
-
-#### Notes about Changes
-
- watch out for updates to `lib/vscode/src/vs/code/browser/workbench/workbench.html`. You may need to make changes to `src/browser/pages/vscode.html`
-
-## Build
-
-You can build using:
+You can build as follows:

 ```shell
 yarn build
@@ -90,11 +147,13 @@ yarn build:vscode
 yarn release
 ```

-Run your build with:
+_NOTE: this does not keep `node_modules`. If you want them to be kept, use `KEEP_MODULES=1 yarn release` (if you're testing in Coder, you'll want to do this)_
+
+Run your build:

 ```shell
 cd release
-yarn --production
+npm install --omit=dev # Skip if you used KEEP_MODULES=1
 # Runs the built JavaScript with Node.
 node .
 ```
@@ -103,59 +162,144 @@ Build the release packages (make sure that you run `yarn release` first):

 ```shell
 yarn release:standalone
-yarn test:standalone-release
+yarn test:integration
 yarn package
 ```

-NOTE: On Linux, the currently running distro will become the minimum supported version.
-In our GitHub Actions CI, we use CentOS 7 for maximum compatibility.
-If you need your builds to support older distros, run the build commands
-inside a Docker container with all the build requirements installed.
+> On Linux, the currently running distro will become the minimum supported
+> version. In our GitHub Actions CI, we use CentOS 7 for maximum compatibility.
+> If you need your builds to support older distros, run the build commands
+> inside a Docker container with all the build requirements installed.
+
+#### Creating a Standalone Release
+
+Part of the build process involves creating standalone releases. At the time of
+writing, we do this for the following platforms/architectures:
+
+- Linux amd64 (.tar.gz, .deb, and .rpm)
+- Linux arm64 (.tar.gz, .deb, and .rpm)
+- Linux arm7l (.tar.gz)
+- Linux armhf.deb
+- Linux armhf.rpm
+- macOS amd64 (Intel-based)
+
+Currently, these are compiled in CI using the `yarn release-standalone` command
+in the `release.yaml` workflow. We then upload them to the draft release and
+distribute via GitHub Releases.
+
+### Troubleshooting
+
+#### I see "Forbidden access" when I load code-server in the browser
+
+This means your patches didn't apply correctly. We have a patch to remove the auth from vanilla Code because we use our own.
+
+Try popping off the patches with `quilt pop -a` and reapplying with `quilt push -a`.
+
+#### "Can only have one anonymous define call per script"
+
+Code might be trying to use a dev or prod HTML in the wrong context. You can try re-running code-server and setting `VSCODE_DEV=1`.
+
+### Help
+
+If you get stuck or need help, you can always start a new GitHub Discussion [here](https://github.com/coder/code-server/discussions). One of the maintainers will respond and help you out.
+
+## Test
+
+There are four kinds of tests in code-server:
+
+1. Unit tests
+2. Script tests
+3. Integration tests
+4. End-to-end tests
+
+### Unit tests
+
+Our unit tests are written in TypeScript and run using
+[Jest](https://jestjs.io/), the testing framework].
+
+These live under [test/unit](../test/unit).
+
+We use unit tests for functions and things that can be tested in isolation. The file structure is modeled closely after `/src` so it's easy for people to know where test files should live.
+
+### Script tests
+
+Our script tests are written in bash and run using [bats](https://github.com/bats-core/bats-core).
+
+These tests live under `test/scripts`.
+
+We use these to test anything related to our scripts (most of which live under `ci`).
+
+### Integration tests
+
+These are a work in progress. We build code-server and run tests with `yarn test:integration`, which ensures that code-server builds work on their respective
+platforms.
+
+Our integration tests look at components that rely on one another. For example,
+testing the CLI requires us to build and package code-server.
+
+### End-to-end tests
+
+The end-to-end (e2e) tests are written in TypeScript and run using
+[Playwright](https://playwright.dev/).
+
+These live under [test/e2e](../test/e2e).
+
+Before the e2e tests run, we run `globalSetup`, which eliminates the need to log
+in before each test by preserving the authentication state.
+
+Take a look at `codeServer.test.ts` to see how you would use it (see
+`test.use`).
+
+We also have a model where you can create helpers to use within tests. See
+[models/CodeServer.ts](../test/e2e/models/CodeServer.ts) for an example.
+
+Generally speaking, e2e means testing code-server while running in the browser
+and interacting with it in a way that's similar to how a user would interact
+with it. When running these tests with `yarn test:e2e`, you must have
+code-server running locally. In CI, this is taken care of for you.

 ## Structure

-The `code-server` script serves an HTTP API for login and starting a remote VS Code process.
+The `code-server` script serves as an HTTP API for login and starting a remote
+Code process.

-The CLI code is in [src/node](../src/node) and the HTTP routes are implemented in
-[src/node/routes](../src/node/routes).
+The CLI code is in [src/node](../src/node) and the HTTP routes are implemented
+in [src/node/routes](../src/node/routes).

-Most of the meaty parts are in the VS Code portion of the codebase under [lib/vscode](../lib/vscode), which we described next.
+Most of the meaty parts are in the Code portion of the codebase under
+[lib/vscode](../lib/vscode), which we describe next.

-### Modifications to VS Code
+### Modifications to Code

-In v1 of code-server, we had a patch of VS Code that split the codebase into a front-end
-and a server. The front-end consisted of all UI code, while the server ran the extensions
-and exposed an API to the front-end for file access and all UI needs.
+Our modifications to Code can be found in the [patches](../patches) directory.
+We pull in Code as a submodule pointing to an upstream release branch.

-Over time, Microsoft added support to VS Code to run it on the web. They have made
-the front-end open source, but not the server. As such, code-server v2 (and later) uses
-the VS Code front-end and implements the server. We do this by using a git subtree to fork and modify VS Code. This code lives under [lib/vscode](../lib/vscode).
+In v1 of code-server, we had Code as a submodule and used a single massive patch
+that split the codebase into a front-end and a server. The front-end consisted
+of the UI code, while the server ran the extensions and exposed an API to the
+front-end for file access and all UI needs.

-Some noteworthy changes in our version of VS Code:
+Over time, Microsoft added support to Code to run it on the web. They had made
+the front-end open source, but not the server. As such, code-server v2 (and
+later) uses the Code front-end and implements the server. We did this by using a
+Git subtree to fork and modify Code.

- Adding our build file, which includes our code and VS Code's web code
- Allowing multiple extension directories (both user and built-in)
- Modifying the loader, websocket, webview, service worker, and asset requests to
-  use the URL of the page as a base (and TLS, if necessary for the websocket)
- Sending client-side telemetry through the server
- Allowing modification of the display language
- Making it possible for us to load code on the client
- Making it possible to install extensions of any kind
- Fixing issue with getting disconnected when your machine sleeps or hibernates
- Adding connection type to web socket query parameters
+Microsoft eventually made the server open source and we were able to reduce our
+changes significantly. Some time later we moved back to a submodule and patches
+(managed by `quilt` this time instead of the mega-patch).

-As the web portion of VS Code matures, we'll be able to shrink and possibly
-eliminate our modifications. In the meantime, upgrading the VS Code version requires
-us to ensure that our changes are still applied and work as intended. In the future,
-we'd like to run VS Code unit tests against our builds to ensure that features
-work as expected.
+As the web portion of Code continues to mature, we'll be able to shrink and
+possibly eliminate our patches. In the meantime, upgrading the Code version
+requires us to ensure that our changes are still applied correctly and work as
+intended. In the future, we'd like to run Code unit tests against our builds to
+ensure that features work as expected.

-**Note**: We have [extension docs](../ci/README.md) on the CI and build system.
+> We have [extension docs](../ci/README.md) on the CI and build system.

-If the functionality you're working on does NOT depend on code from VS Code, please
+If the functionality you're working on does NOT depend on code from Code, please
 move it out and into code-server.

 ### Currently Known Issues

- Creating custom VS Code extensions and debugging them doesn't work
+- Creating custom Code extensions and debugging them doesn't work
 - Extension profiling and tips are currently disabled
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -1,161 +1,149 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # FAQ

 - [Questions?](#questions)
- [iPad Status?](#ipad-status)
- [Community Projects (awesome-code-server)](#community-projects-awesome-code-server)
- [How can I reuse my VS Code configuration?](#how-can-i-reuse-my-vs-code-configuration)
- [Differences compared to VS Code?](#differences-compared-to-vs-code)
-  - [Installing an extension](#installing-an-extension)
- [How can I request a missing extension?](#how-can-i-request-a-missing-extension)
- [Installing an extension manually](#installing-an-extension-manually)
- [How do I configure the marketplace URL?](#how-do-i-configure-the-marketplace-url)
- [Where are extensions stored?](#where-are-extensions-stored)
- [How is this different from VS Code Codespaces?](#how-is-this-different-from-vs-code-codespaces)
 - [How should I expose code-server to the internet?](#how-should-i-expose-code-server-to-the-internet)
- [Can I store my password hashed?](#can-i-store-my-password-hashed)
- [How do I securely access web services?](#how-do-i-securely-access-web-services)
-  - [Sub-paths](#sub-paths)
-  - [Sub-domains](#sub-domains)
- [Why does the code-server proxy strip `/proxy/<port>` from the request path?](#why-does-the-code-server-proxy-strip-proxyport-from-the-request-path)
-  - [Proxying to Create React App](#proxying-to-create-react-app)
- [Multi-tenancy](#multi-tenancy)
- [Docker in code-server container?](#docker-in-code-server-container)
- [How can I disable telemetry?](#how-can-i-disable-telemetry)
- [How does code-server decide what workspace or folder to open?](#how-does-code-server-decide-what-workspace-or-folder-to-open)
- [How do I debug issues with code-server?](#how-do-i-debug-issues-with-code-server)
- [Heartbeat File](#heartbeat-file)
- [Healthz endpoint](#healthz-endpoint)
+- [Can I use code-server on the iPad?](#can-i-use-code-server-on-the-ipad)
 - [How does the config file work?](#how-does-the-config-file-work)
- [Isn't an install script piped into sh insecure?](#isnt-an-install-script-piped-into-sh-insecure)
 - [How do I make my keyboard shortcuts work?](#how-do-i-make-my-keyboard-shortcuts-work)
- [How do I access my Documents/Downloads/Desktop folders in code-server on OSX?](#how-do-i-access-my-documentsdownloadsdesktop-folders-in-code-server-on-osx)
- [Differences compared to Theia?](#differences-compared-to-theia)
- [`$HTTP_PROXY`, `$HTTPS_PROXY`, `$NO_PROXY`](#http_proxy-https_proxy-no_proxy)
- [Enterprise](#enterprise)
+- [Why can't code-server use Microsoft's extension marketplace?](#why-cant-code-server-use-microsofts-extension-marketplace)
+- [How can I request an extension that's missing from the marketplace?](#how-can-i-request-an-extension-thats-missing-from-the-marketplace)
+- [How do I install an extension?](#how-do-i-install-an-extension)
+- [How do I install an extension manually?](#how-do-i-install-an-extension-manually)
+- [How do I use my own extensions marketplace?](#how-do-i-use-my-own-extensions-marketplace)
+- [Where are extensions stored?](#where-are-extensions-stored)
+- [How can I reuse my VS Code configuration?](#how-can-i-reuse-my-vs-code-configuration)
+- [How does code-server decide what workspace or folder to open?](#how-does-code-server-decide-what-workspace-or-folder-to-open)
+- [How do I access my Documents/Downloads/Desktop folders in code-server on macOS?](#how-do-i-access-my-documentsdownloadsdesktop-folders-in-code-server-on-macos)
+- [How do I direct server-side requests through a proxy?](#how-do-i-direct-server-side-requests-through-a-proxy)
+- [How do I debug issues with code-server?](#how-do-i-debug-issues-with-code-server)
+- [What is the healthz endpoint?](#what-is-the-healthz-endpoint)
+- [What is the heartbeat file?](#what-is-the-heartbeat-file)
+- [How do I change the password?](#how-do-i-change-the-password)
+- [Can I store my password hashed?](#can-i-store-my-password-hashed)
+- [Is multi-tenancy possible?](#is-multi-tenancy-possible)
+- [Can I use Docker in a code-server container?](#can-i-use-docker-in-a-code-server-container)
+- [How do I disable telemetry?](#how-do-i-disable-telemetry)
+- [What's the difference between code-server and Coder?](#whats-the-difference-between-code-server-and-coder)
+- [What's the difference between code-server and Theia?](#whats-the-difference-between-code-server-and-theia)
+- [What's the difference between code-server and OpenVSCode-Server?](#whats-the-difference-between-code-server-and-openvscode-server)
+- [What's the difference between code-server and GitHub Codespaces?](#whats-the-difference-between-code-server-and-github-codespaces)
+- [Does code-server have any security login validation?](#does-code-server-have-any-security-login-validation)
+- [Are there community projects involving code-server?](#are-there-community-projects-involving-code-server)
+- [How do I change the port?](#how-do-i-change-the-port)
+- [How do I hide the coder/coder promotion in Help: Getting Started?](#how-do-i-hide-the-codercoder-promotion-in-help-getting-started)
+- [How do I disable file download?](#how-do-i-disable-file-download)

 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->

 ## Questions?

-Please file all questions and support requests at <https://github.com/cdr/code-server/discussions>.
+Please file all questions and support requests at
+<https://github.com/coder/code-server/discussions>.

-## iPad Status?
+## How should I expose code-server to the internet?

-Please see [./ipad.md](./ipad.md).
+Please see [our instructions on exposing code-server safely to the
+internet](./guide.md).

-## Community Projects (awesome-code-server)
+## Can I use code-server on the iPad?

-Visit the [awesome-code-server](https://github.com/cdr/awesome-code-server) repository to view community projects and guides with code-server! Feel free to add your own!
+See [iPad](./ipad.md) for information on using code-server on the iPad.

-## How can I reuse my VS Code configuration?
+## How does the config file work?

-The very popular [Settings Sync](https://marketplace.visualstudio.com/items?itemName=Shan.code-settings-sync) extension works.
+When `code-server` starts up, it creates a default config file in `~/.config/code-server/config.yaml`:

-You can also pass `--user-data-dir ~/.vscode` to reuse your existing VS Code extensions and configuration.
+```yaml
+bind-addr: 127.0.0.1:8080
+auth: password
+password: mew...22 # Randomly generated for each config.yaml
+cert: false
+```

-Or copy `~/.vscode` into `~/.local/share/code-server`.
+The default config defines the following behavior:

-## Differences compared to VS Code?
+- Listen on the loopback IP port 8080
+- Enable password authorization
+- Do not use TLS

-`code-server` takes the open source core of VS Code and allows you to run it in the browser.
-However, it is not entirely equivalent to Microsoft's VS Code.
+Each key in the file maps directly to a `code-server` flag (run `code-server --help` to see a listing of all the flags). Any flags passed to `code-server`
+will take priority over the config file.

-While the core of VS Code is open source, the marketplace and many published Microsoft extensions are not.
+You can change the config file's location using the `--config` flag or
+`$CODE_SERVER_CONFIG` environment variable.

-Furthermore, Microsoft prohibits the use of any non-Microsoft VS Code from accessing their marketplace.
+The default location respects `$XDG_CONFIG_HOME`.

-See the [TOS](https://cdn.vsassets.io/v/M146_20190123.39/_content/Microsoft-Visual-Studio-Marketplace-Terms-of-Use.pdf).
+## How do I make my keyboard shortcuts work?

-> Marketplace Offerings are intended for use only with Visual Studio Products and Services
-> and you may only install and use Marketplace Offerings with Visual Studio Products and Services.
+Many shortcuts will not work by default, since they'll be "caught" by the browser.

-As a result, we cannot offer any extensions on the Microsoft marketplace. Instead,
-we have created our own marketplace for open source extensions.
-It works by scraping GitHub for VS Code extensions and building them. It's not perfect but getting
-better by the day with more and more extensions.
+If you use Chrome, you can work around this by installing the progressive web
+app (PWA):

-These are the closed source extensions presently unavailable:
+1. Start the editor
+2. Click the **plus** icon in the URL toolbar to install the PWA

-1. [Live Share](https://visualstudio.microsoft.com/services/live-share)
-   - We may implement something similar, see [#33](https://github.com/cdr/code-server/issues/33)
-1. [Remote Extensions (SSH, Containers, WSL)](https://github.com/microsoft/vscode-remote-release)
-   - We may reimplement these at some point, see [#1315](https://github.com/cdr/code-server/issues/1315)
+If you use Firefox, you can use the appropriate extension to install PWA.

-For more about the closed source parts of VS Code, see [vscodium/vscodium](https://github.com/VSCodium/vscodium#why-does-this-exist).
+1. Go to the installation [website](https://addons.mozilla.org/en-US/firefox/addon/pwas-for-firefox/) of the add-on
+2. Add the add-on to Firefox
+3. Follow the os-specific instructions on how to install the runtime counterpart

-### Installing an extension
+For other browsers, you'll have to remap keybindings for shortcuts to work.

-Extensions can be installed from the marketplace using the extensions sidebar in
+## Why can't code-server use Microsoft's extension marketplace?
+
+Though code-server takes the open-source core of VS Code and allows you to run
+it in the browser, it is not entirely equivalent to Microsoft's VS Code.
+
+One major difference is in regards to extensions and the marketplace. The core
+of VS code is open source, while the marketplace and many published Microsoft
+extensions are not. Furthermore, Microsoft prohibits the use of any
+non-Microsoft VS Code from accessing their marketplace. Per the [Terms of
+Service](https://cdn.vsassets.io/v/M146_20190123.39/_content/Microsoft-Visual-Studio-Marketplace-Terms-of-Use.pdf):
+
+> Marketplace Offerings are intended for use only with Visual Studio Products
+> and Services, and you may only install and use Marketplace Offerings with
+> Visual Studio Products and Services.
+
+Because of this, we can't offer any extensions on Microsoft's marketplace.
+Instead, we use the [Open-VSX extension gallery](https://open-vsx.org), which is also used by various other forks.
+It isn't perfect, but its getting better by the day with more and more extensions.
+
+We also offer our own marketplace for open source extensions, but plan to
+deprecate it at a future date and completely migrate to Open-VSX.
+
+These are the closed-source extensions that are presently unavailable:
+
+1. [Live Share](https://visualstudio.microsoft.com/services/live-share). We may
+   implement something similar (see
+   [#33](https://github.com/coder/code-server/issues/33))
+1. [Remote Extensions (SSH, Containers,
+   WSL)](https://github.com/microsoft/vscode-remote-release). We may implement
+   these again at some point, see
+   ([#1315](https://github.com/coder/code-server/issues/1315)).
+
+For more about the closed source portions of VS Code, see [vscodium/vscodium](https://github.com/VSCodium/vscodium#why-does-this-exist).
+
+## How can I request an extension that's missing from the marketplace?
+
+To add an extension to Open-VSX, please see [open-vsx/publish-extensions](https://github.com/open-vsx/publish-extensions).
+We no longer plan to add new extensions to our legacy extension gallery.
+
+## How do I install an extension?
+
+You can install extensions from the marketplace using the extensions sidebar in
 code-server or from the command line:

-```shell
+```console
 code-server --install-extension <extension id>
 # example: code-server --install-extension wesbos.theme-cobalt2
-```

-## How can I request a missing extension?
-
-We are currently in the process of transitioning to [Open VSX](https://open-vsx.org/).
-Once <https://github.com/eclipse/openvsx/issues/249>
-is implemented, we can fully make this transition. Therefore, we are no longer
-accepting new requests for extension requests.
-
-Instead, we suggest one of the following:
-
- [Switch to Open VSX](#how-do-i-configure-the-marketplace-url) now
- Download and [install the extension manually](#installing-an-extension-manually)
-
-## Installing an extension manually
-
-If an extension is not available from the marketplace or does not work, you can
-grab its VSIX from its GitHub releases or build it yourself.
-
-Once you have downloaded the VSIX to the remote machine you can either:
-
- Run the `Extensions: Install from VSIX` command in the Command Palette.
- Use `code-server --install-extension <path to vsix>`
-
-You can also download extensions from the command line. For instance, downloading off OpenVSX can be done like this:
-
-```shell
-SERVICE_URL=https://open-vsx.org/vscode/gallery ITEM_URL=https://open-vsx.org/vscode/item code-server --install-extension <extension id>
-```
-
-## How do I configure the marketplace URL?
-
-If you have your own marketplace that implements the VS Code Extension Gallery API, it is possible to
-point code-server to it by setting `$SERVICE_URL` and `$ITEM_URL`. These correspond directly
-to `serviceUrl` and `itemUrl` in VS Code's `product.json`.
-
-e.g. to use [open-vsx.org](https://open-vsx.org):
-
-```bash
-export SERVICE_URL=https://open-vsx.org/vscode/gallery
-export ITEM_URL=https://open-vsx.org/vscode/item
-```
-
-While you can technically use Microsoft's marketplace with these, please do not do so as it
-is against their terms of use. See [above](#differences-compared-to-vs-code) and this
-discussion regarding the use of the Microsoft URLs in forks:
-
-<https://github.com/microsoft/vscode/issues/31168#issue-244533026>
-
-See also [VSCodium's docs](https://github.com/VSCodium/vscodium/blob/master/DOCS.md#extensions--marketplace).
-
-These variables are most valuable to our enterprise customers for whom we have a self hosted marketplace product.
-
-## Where are extensions stored?
-
-Defaults to `~/.local/share/code-server/extensions`.
-
-If the `XDG_DATA_HOME` environment variable is set the data directory will be
-`$XDG_DATA_HOME/code-server/extensions`. In general we try to follow the XDG directory spec.
-
-You can install an extension on the CLI with:
-
-```bash
 # From the Coder extension marketplace
 code-server --install-extension ms-python.python

@@ -163,280 +151,100 @@ code-server --install-extension ms-python.python
 code-server --install-extension downloaded-ms-python.python.vsix
 ```

-## How is this different from VS Code Codespaces?
+## How do I install an extension manually?

-VS Code Codespaces is a closed source and paid service by Microsoft. It also allows you to access
-VS Code via the browser.
+If there's an extension unavailable in the marketplace or an extension that
+doesn't work, you can download the VSIX from its GitHub releases or build it
+yourself.

-However, code-server is free, open source and can be run on any machine without any limitations.
+Once you have downloaded the VSIX to the remote machine, you can either:

-While you can self host environments with VS Code Codespaces, you still need an Azure billing
-account and you have to access VS Code via the Codespaces web dashboard instead of directly
-connecting to your instance.
+- Run the **Extensions: Install from VSIX** command in the Command Palette.
+- Run `code-server --install-extension <path to vsix>` in the terminal

-## How should I expose code-server to the internet?
+You can also download extensions using the command line. For instance,
+downloading from OpenVSX can be done like this:

-Please follow [./guide.md](./guide.md) for our recommendations on setting up and using code-server.
-
-code-server only supports password authentication natively.
-
-**note**: code-server will rate limit password authentication attempts at 2 a minute and 12 an hour.
-
-If you want to use external authentication (i.e sign in with Google) you should handle this
-with a reverse proxy using something like [oauth2_proxy](https://github.com/pusher/oauth2_proxy)
-or [Cloudflare Access](https://teams.cloudflare.com/access).
-
-For HTTPS, you can use a self signed certificate by passing in just `--cert` or
-pass in an existing certificate by providing the path to `--cert` and the path to
-the key with `--cert-key`.
-
-The self signed certificate will be generated into
-`~/.local/share/code-server/self-signed.crt`.
-
-If `code-server` has been passed a certificate it will also respond to HTTPS
-requests and will redirect all HTTP requests to HTTPS.
-
-You can use [Let's Encrypt](https://letsencrypt.org/) to get a TLS certificate
-for free.
-
-Again, please follow [./guide.md](./guide.md) for our recommendations on setting up and using code-server.
-
-## Can I store my password hashed?
-
-Yes you can! Set the value of `hashed-password` instead of `password`. Generate the hash with:
-
-```
-printf "thisismypassword" | sha256sum | cut -d' ' -f1
+```shell
+code-server --install-extension <extension id>
 ```

-Of course replace `thisismypassword` with your actual password.
+## How do I use my own extensions marketplace?

-Example:
+If you own a marketplace that implements the VS Code Extension Gallery API, you
+can point code-server to it by setting `$EXTENSIONS_GALLERY`.
+This corresponds directly with the `extensionsGallery` entry in in VS Code's `product.json`.

-```yaml
-auth: password
-hashed-password: 1da9133ab9dbd11d2937ec8d312e1e2569857059e73cc72df92e670928983ab5 # You got this from the command above
+For example, to use the legacy Coder extensions marketplace:
+
+```bash
+export EXTENSIONS_GALLERY='{"serviceUrl": "https://extensions.coder.com/api"}'
 ```

-## How do I securely access web services?
+Though you can technically use Microsoft's marketplace in this manner, we
+strongly discourage you from doing so since this is [against their Terms of Use](#why-cant-code-server-use-microsofts-extension-marketplace).

-code-server is capable of proxying to any port using either a subdomain or a
-subpath which means you can securely access these services using code-server's
-built-in authentication.
+For further information, see [this
+discussion](https://github.com/microsoft/vscode/issues/31168#issue-244533026)
+regarding the use of the Microsoft URLs in forks, as well as [VSCodium's
+docs](https://github.com/VSCodium/vscodium/blob/master/DOCS.md#extensions--marketplace).

-### Sub-paths
+## Where are extensions stored?

-Just browse to `/proxy/<port>/`.
+Extensions are store, by default, to `~/.local/share/code-server/extensions`.

-### Sub-domains
+If you set the `XDG_DATA_HOME` environment variable, the data directory will be
+`$XDG_DATA_HOME/code-server/extensions`. In general, we try to follow the XDG directory spec.

-You will need a DNS entry that points to your server for each port you want to
-access. You can either set up a wildcard DNS entry for `*.<domain>` if your domain
-name registrar supports it or you can create one for every port you want to
-access (`3000.<domain>`, `8080.<domain>`, etc).
+## How can I reuse my VS Code configuration?

-You should also set up TLS certificates for these subdomains, either using a
-wildcard certificate for `*.<domain>` or individual certificates for each port.
+You can use the [Settings
+Sync](https://marketplace.visualstudio.com/items?itemName=Shan.code-settings-sync)
+extension for this purpose.

-Start code-server with the `--proxy-domain` flag set to your domain.
-
-```
-code-server --proxy-domain <domain>
-```
-
-Now you can browse to `<port>.<domain>`. Note that this uses the host header so
-ensure your reverse proxy forwards that information if you are using one.
-
-## Why does the code-server proxy strip `/proxy/<port>` from the request path?
-
-HTTP servers should strive to use relative URLs to avoid needed to be coupled to the
-absolute path at which they are served. This means you must use trailing slashes on all
-paths with subpaths. See <https://blog.cdivilly.com/2019/02/28/uri-trailing-slashes>
-
-This is really the "correct" way things work and why the striping of the base path is the
-default. If your application uses relative URLs and does not assume the absolute path at
-which it is being served, it will just work no matter what port you decide to serve it off
-or if you put it in behind code-server or any other proxy!
-
-However many people prefer the cleaner aesthetic of no trailing slashes. This couples you
-to the base path as you cannot use relative redirects correctly anymore. See the above
-link.
-
-For users who are ok with this tradeoff, use `/absproxy` instead and the path will be
-passed as is. e.g. `/absproxy/3000/my-app-path`
-
-### Proxying to Create React App
-
-You must use `/absproxy/<port>` with create-react-app.
-See [#2565](https://github.com/cdr/code-server/issues/2565) and
-[#2222](https://github.com/cdr/code-server/issues/2222). You will need to inform
-create-react-app of the path at which you are serving via `$PUBLIC_URL` and webpack
-via `$WDS_SOCKET_PATH`.
-
-e.g.
-
-```sh
-PUBLIC_URL=/absproxy/3000 \
-  WDS_SOCKET_PATH=$PUBLIC_URL/sockjs-node \
-  BROWSER=none yarn start
-```
-
-Then visit `https://my-code-server-address.io/absproxy/3000` to see your app exposed through
-code-server!
-
-Highly recommend using the subdomain approach instead to avoid this class of issue.
-
-## Multi-tenancy
-
-If you want to run multiple code-servers on shared infrastructure, we recommend using virtual
-machines with a VM per user. This will easily allow users to run a docker daemon. If you want
-to use kubernetes, you'll definitely want to use [kubevirt](https://kubevirt.io) or [sysbox](https://github.com/nestybox/sysbox) to give each
-user a VM-like experience instead of just a container.
-
-## Docker in code-server container?
-
-If you'd like to access docker inside of code-server, mount the docker socket in from `/var/run/docker.sock`.
-Install the docker CLI in the code-server container and you should be able to access the daemon!
-
-You can even make volume mounts work. Lets say you want to run a container and mount in
-`/home/coder/myproject` into it from inside the `code-server` container. You need to make sure
-the docker daemon's `/home/coder/myproject` is the same as the one mounted inside the `code-server`
-container and the mount will just work.
-
-## How can I disable telemetry?
-
-Use the `--disable-telemetry` flag to completely disable telemetry. We use the
-data collected only to improve code-server.
+Alternatively, you can also pass `--user-data-dir ~/.vscode` or copy `~/.vscode`
+into `~/.local/share/code-server` to reuse your existing VS Code extensions and
+configuration.

 ## How does code-server decide what workspace or folder to open?

-code-server tries the following in order:
+code-server tries the following in this order:

-1. The `workspace` query parameter.
-2. The `folder` query parameter.
-3. The workspace or directory passed on the command line.
-4. The last opened workspace or directory.
+1. The `workspace` query parameter
+2. The `folder` query parameter
+3. The workspace or directory passed via the command line
+4. The last opened workspace or directory

-## How do I debug issues with code-server?
+## How do I access my Documents/Downloads/Desktop folders in code-server on macOS?

-First run code-server with at least `debug` logging (or `trace` to be really
-thorough) by setting the `--log` flag or the `LOG_LEVEL` environment variable.
-`-vvv` and `--verbose` are aliases for `--log trace`.
+Newer versions of macOS require permission through a non-UNIX mechanism for
+code-server to access the Desktop, Documents, Pictures, Downloads, and other folders.

-```
-code-server --log debug
-```
+You may have to give Node.js full disk access, since it doesn't implement any of the macOS permission request features natively:

-Once this is done, replicate the issue you're having then collect logging
-information from the following places:
-
-1. The most recent files from `~/.local/share/code-server/coder-logs`.
-2. The browser console.
-3. The browser network tab.
-
-Additionally, collecting core dumps (you may need to enable them first) if
-code-server crashes can be helpful.
-
-## Heartbeat File
-
-`code-server` touches `~/.local/share/code-server/heartbeat` once a minute as long
-as there is an active browser connection.
-
-If you want to shutdown `code-server` if there hasn't been an active connection in X minutes
-you can do so by continuously checking the last modified time on the heartbeat file and if it is
-older than X minutes, kill `code-server`.
-
-[#1636](https://github.com/cdr/code-server/issues/1636) will make the experience here better.
-
-## Healthz endpoint
-
-`code-server` exposes an endpoint at `/healthz` which can be used to check
-whether `code-server` is up without triggering a heartbeat. The response will
-include a status (`alive` or `expired`) and a timestamp for the last heartbeat
-(defaults to `0`). This endpoint does not require authentication.
-
-```json
-{
-  "status": "alive",
-  "lastHeartbeat": 1599166210566
-}
-```
-
-## How does the config file work?
-
-When `code-server` starts up, it creates a default config file in `~/.config/code-server/config.yaml` that looks
-like this:
-
-```yaml
-bind-addr: 127.0.0.1:8080
-auth: password
-password: mewkmdasosafuio3422 # This is randomly generated for each config.yaml
-cert: false
-```
-
-Each key in the file maps directly to a `code-server` flag. Run `code-server --help` to see
-a listing of all the flags.
-
-The default config here says to listen on the loopback IP port 8080, enable password authorization
-and no TLS. Any flags passed to `code-server` will take priority over the config file.
-
-The `--config` flag or `$CODE_SERVER_CONFIG` can be used to change the config file's location.
-
-The default location also respects `$XDG_CONFIG_HOME`.
-
-## Isn't an install script piped into sh insecure?
-
-Please give
-[this wonderful blogpost](https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install) by
-[sandstorm.io](https://sandstorm.io) a read.
-
-## How do I make my keyboard shortcuts work?
-
-Many shortcuts will not work by default as they'll be caught by the browser.
-
-If you use Chrome you can get around this by installing the PWA.
-
-Once you've entered the editor, click the "plus" icon present in the URL toolbar area.
-This will install a Chrome PWA and now all keybindings will work!
-
-For other browsers you'll have to remap keybindings unfortunately.
-
-## How do I access my Documents/Downloads/Desktop folders in code-server on OSX?
-
-Newer versions of macOS require permission through a non-UNIX mechanism for access to the Desktop, Documents, Pictures, Downloads, and other folders.
-
-You may have to give Node "full disk access" since it doesn't implement any of the macOS permission request stuff natively.
-
-1. Find where Node is installed on your machine
+1. Find where Node.js is installed on your machine

   ```console
-   ➜ ~ which node
+   $ which node
   /usr/local/bin/node
   ```

-1. Grant Node Full Disk Access:
+2. Grant Node.js full disk access. Open **System Preferences** > **Security &
+   Privacy** > **Privacy** > **Full Disk Access**. Then, click the 🔒 to unlock,
+   click **+**, and select the Node.js binary you located in the previous step.

-Open System Preferences > Security & Privacy > Privacy (horizontal) tab > Full Disk Access (vertical) tab > Click the 🔒 to unlock > Click + and select the Node binary you located.
+See [#2794](https://github.com/coder/code-server/issues/2794) for additional context.

-See [#2794](https://github.com/cdr/code-server/issues/2794) for context on this.
+## How do I direct server-side requests through a proxy?

-## Differences compared to Theia?
+> code-server proxies only server-side requests.

-[Theia](https://github.com/eclipse-theia/theia) is a browser IDE loosely based on VS Code. It uses the same
-text editor library named [Monaco](https://github.com/Microsoft/monaco-editor) and the same
-extension API but everything else is very different. It also uses [open-vsx.org](https://open-vsx.org)
-for extensions which has an order of magnitude less extensions than our marketplace.
-See [#1473](https://github.com/cdr/code-server/issues/1473).
+To direct server-side requests through a proxy, code-server supports the
+following environment variables:

-You can't just use your VS Code config in Theia like you can with code-server.
-
-To summarize, code-server is a patched fork of VS Code to run in the browser whereas
-Theia takes some parts of VS Code but is an entirely different editor.
-
-## `$HTTP_PROXY`, `$HTTPS_PROXY`, `$NO_PROXY`
-
-code-server supports the standard environment variables to allow directing
-server side requests through a proxy.
+- `$HTTP_PROXY`
+- `$HTTPS_PROXY`
+- `$NO_PROXY`

 ```sh
 export HTTP_PROXY=https://134.8.5.4
@@ -446,18 +254,205 @@ export HTTPS_PROXY=https://134.8.5.4
 code-server
 ```

- See [proxy-from-env](https://www.npmjs.com/package/proxy-from-env#environment-variables)
-  for a detailed reference on the various environment variables and their syntax.
-  - code-server only uses the `http` and `https` protocols.
- See [proxy-agent](https://www.npmjs.com/package/proxy-agent) for the various supported
-  proxy protocols.
+- See
+  [proxy-from-env](https://www.npmjs.com/package/proxy-from-env#environment-variables)
+  for a detailed reference on these environment variables and their syntax (note
+  that code-server only uses the `http` and `https` protocols).
+- See [proxy-agent](https://www.npmjs.com/package/proxy-agent) for information
+  on on the supported proxy protocols.

-**note**: Only server side requests will be proxied! This includes fetching extensions,
-requests made from extensions etc. To proxy requests from your browser you need to
-configure your browser separately. Browser requests would cover exploring the extension
-marketplace.
+## How do I debug issues with code-server?

-## Enterprise
+First, run code-server with the `debug` logging (or `trace` to be really
+thorough) by setting the `--log` flag or the `LOG_LEVEL` environment variable.
+`-vvv` and `--verbose` are aliases for `--log trace`.

-Visit [our enterprise page](https://coder.com) for more information about our
-enterprise offerings.
+First, run code-server with `debug` logging (or `trace` logging for more
+thorough messages) by setting the `--log` flag or the `LOG_LEVEL` environment
+variable.
+
+```text
+code-server --log debug
+```
+
+> Note that the `-vvv` and `--verbose` flags are aliases for `--log trace`.
+
+Next, replicate the issue you're having so that you can collect logging
+information from the following places:
+
+1. The most recent files from `~/.local/share/code-server/coder-logs`
+2. The browser console
+3. The browser network tab
+
+Additionally, collecting core dumps (you may need to enable them first) if
+code-server crashes can be helpful.
+
+## What is the healthz endpoint?
+
+You can use the `/healthz` endpoint exposed by code-server to check whether
+code-server is running without triggering a heartbeat. The response includes a
+status (e.g., `alive` or `expired`) and a timestamp for the last heartbeat
+(the default is `0`).
+
+```json
+{
+  "status": "alive",
+  "lastHeartbeat": 1599166210566
+}
+```
+
+This endpoint doesn't require authentication.
+
+## What is the heartbeat file?
+
+As long as there is an active browser connection, code-server touches
+`~/.local/share/code-server/heartbeat` once a minute.
+
+If you want to shutdown code-server if there hasn't been an active connection
+after a predetermined amount of time, you can do so by checking continuously for
+the last modified time on the heartbeat file. If it is older than X minutes (or
+whatever amount of time you'd like), you can kill code-server.
+
+Eventually, [#1636](https://github.com/coder/code-server/issues/1636) will make
+this process better.
+
+## How do I change the password?
+
+Edit the `password` field in the code-server config file at
+`~/.config/code-server/config.yaml`, then restart code-server:
+
+```bash
+sudo systemctl restart code-server@$USER
+```
+
+## Can I store my password hashed?
+
+Yes, you can do so by setting the value of `hashed-password` instead of `password`. Generate the hash with:
+
+```shell
+echo -n "thisismypassword" | npx argon2-cli -e
+$argon2i$v=19$m=4096,t=3,p=1$wst5qhbgk2lu1ih4dmuxvg$ls1alrvdiwtvzhwnzcm1dugg+5dto3dt1d5v9xtlws4
+```
+
+Replace `thisismypassword` with your actual password and **remember to put it
+inside quotes**! For example:
+
+```yaml
+auth: password
+hashed-password: "$argon2i$v=19$m=4096,t=3,p=1$wST5QhBgk2lu1ih4DMuxvg$LS1alrVdIWtvZHwnzCM1DUGg+5DTO3Dt1d5v9XtLws4"
+```
+
+The `hashed-password` field takes precedence over `password`.
+
+## Is multi-tenancy possible?
+
+If you want to run multiple code-servers on shared infrastructure, we recommend
+using virtual machines (provide one VM per user). This will easily allow users
+to run a Docker daemon. If you want to use Kubernetes, you'll want to
+use [kubevirt](https://kubevirt.io) or
+[sysbox](https://github.com/nestybox/sysbox) to give each user a VM-like
+experience instead of just a container.
+
+## Can I use Docker in a code-server container?
+
+If you'd like to access Docker inside of code-server, mount the Docker socket in
+from `/var/run/docker.sock`. Then, install the Docker CLI in the code-server
+container, and you should be able to access the daemon.
+
+You can even make volume mounts work. Let's say you want to run a container and
+mount into `/home/coder/myproject` from inside the `code-server` container. You
+need to make sure the Docker daemon's `/home/coder/myproject` is the same as the
+one mounted inside the `code-server` container, and the mount will work.
+
+## How do I disable telemetry?
+
+Use the `--disable-telemetry` flag to disable telemetry.
+
+> We use the data collected only to improve code-server.
+
+## What's the difference between code-server and Coder?
+
+code-server and Coder are both applications that can be installed on any
+machine. The main difference is who they serve. Out of the box, code-server is
+simply VS Code in the browser while Coder is a tool for provisioning remote
+development environments via Terraform.
+
+code-server was built for individuals while Coder was built for teams. In Coder, you create Workspaces which can have applications like code-server. If you're looking for a team solution, you should reach for [Coder](https://github.com/coder/coder).
+
+## What's the difference between code-server and Theia?
+
+At a high level, code-server is a patched fork of VS Code that runs in the
+browser whereas Theia takes some parts of VS Code but is an entirely different
+editor.
+
+[Theia](https://github.com/eclipse-theia/theia) is a browser IDE loosely based
+on VS Code. It uses the same text editor library
+([Monaco](https://github.com/Microsoft/monaco-editor)) and extension API, but
+everything else is different. Theia also uses [Open VSX](https://open-vsx.org)
+for extensions.
+
+Theia doesn't allow you to reuse your existing VS Code config.
+
+## What's the difference between code-server and OpenVSCode-Server?
+
+code-server and OpenVSCode-Server both allow you to access VS Code via a
+browser. OpenVSCode-Server is a direct fork of VS Code with changes comitted
+directly while code-server pulls VS Code in via a submodule and makes changes
+via patch files.
+
+However, OpenVSCode-Server is scoped at only making VS Code available as-is in
+the web browser. code-server contains additional changes to make the self-hosted
+experience better (see the next section for details).
+
+## What's the difference between code-server and GitHub Codespaces?
+
+Both code-server and GitHub Codespaces allow you to access VS Code via a
+browser. GitHub Codespaces, however, is a closed-source, paid service offered by
+GitHub and Microsoft.
+
+On the other hand, code-server is self-hosted, free, open-source, and can be run
+on any machine with few limitations.
+
+Specific changes include:
+
+- Password authentication
+- The ability to host at sub-paths
+- Self-contained web views that do not call out to Microsoft's servers
+- The ability to use your own marketplace and collect your own telemetry
+- Built-in proxy for accessing ports on the remote machine integrated into
+  VS Code's ports panel
+- Wrapper process that spawns VS Code on-demand and has a separate CLI
+- Notification when updates are available
+- [Some other things](https://github.com/coder/code-server/tree/main/patches)
+
+Some of these changes appear very unlikely to ever be adopted by Microsoft.
+Some may make their way upstream, further closing the gap, but at the moment it
+looks like there will always be some subtle differences.
+
+## Does code-server have any security login validation?
+
+code-server supports setting a single password and limits logins to two per
+minute plus an additional twelve per hour.
+
+## Are there community projects involving code-server?
+
+Visit the [awesome-code-server](https://github.com/coder/awesome-code-server)
+repository to view community projects and guides with code-server! Feel free to
+add your own!
+
+## How do I change the port?
+
+There are two ways to change the port on which code-server runs:
+
+1. with an environment variable e.g. `PORT=3000 code-server`
+2. using the flag `--bind-addr` e.g. `code-server --bind-addr localhost:3000`
+
+## How do I hide the coder/coder promotion in Help: Getting Started?
+
+You can pass the flag `--disable-getting-started-override` to `code-server` or
+you can set the environment variable `CS_DISABLE_GETTING_STARTED_OVERRIDE=1` or
+`CS_DISABLE_GETTING_STARTED_OVERRIDE=true`.
+
+## How do I disable file download?
+
+You can pass the flag `--disable-file-downloads` to `code-server`
--- a/docs/MAINTAINING.md
+++ b/docs/MAINTAINING.md
@@ -1,92 +1,224 @@
+<!-- prettier-ignore-start -->
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Maintaining

- [Maintaining](#maintaining)
-  - [Workflow](#workflow)
-    - [Milestones](#milestones)
-    - [Triage](#triage)
-    - [Project Boards](#project-boards)
-  - [Versioning](#versioning)
-  - [Pull Requests](#pull-requests)
-    - [Merge Strategies](#merge-strategies)
-  - [Release](#release)
-    - [Release Manager Rotation](#release-manager-rotation)
+- [Team](#team)
+  - [Onboarding](#onboarding)
+  - [Offboarding](#offboarding)
+- [Workflow](#workflow)
+  - [Milestones](#milestones)
+  - [Triage](#triage)
+- [Versioning](#versioning)
+- [Pull requests](#pull-requests)
+  - [Merge strategies](#merge-strategies)
+  - [Changelog](#changelog)
+- [Releases](#releases)
+  - [Publishing a release](#publishing-a-release)
+    - [Release Candidates](#release-candidates)
+    - [AUR](#aur)
+    - [Docker](#docker)
+    - [Homebrew](#homebrew)
+    - [npm](#npm)
+- [Syncing with upstream Code](#syncing-with-upstream-code)
+- [Testing](#testing)
+- [Documentation](#documentation)
+  - [Troubleshooting](#troubleshooting)

 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
+<!-- prettier-ignore-end -->

-# Maintaining
+This document is meant to serve current and future maintainers of code-server,
+as well as share our workflow for maintaining the project.
+
+## Team

 Current maintainers:

 - @code-asher
- @oxy
 - @jsjoeio

-This document is meant to serve current and future maintainers of code-server, but also share openly our workflow for maintaining the project.
+Occasionally, other Coder employees may step in time to time to assist with code-server.
+
+### Onboarding
+
+To onboard a new maintainer to the project, please make sure to do the following:
+
+- [ ] Add to [coder/code-server](https://github.com/orgs/coder/teams/code-server)
+- [ ] Add as Admin under [Repository Settings > Access](https://github.com/coder/code-server/settings/access)
+- [ ] Add to [npm Coder org](https://www.npmjs.com/org/coder)
+- [ ] Add as [AUR maintainer](https://aur.archlinux.org/packages/code-server/) (talk to Colin)
+- [ ] Introduce to community via Discussion (see [example](https://github.com/coder/code-server/discussions/3955))
+
+### Offboarding
+
+Very similar to Onboarding but Remove maintainer from all teams and revoke access. Please also do the following:
+
+- [ ] Write farewell post via Discussion (see [example](https://github.com/coder/code-server/discussions/3933))

 ## Workflow

-The workflow used by code-server maintainers is one that aims to be easy to understood by the community and easy enough for new maintainers to jump in and start contributing on day one.
+The workflow used by code-server maintainers aims to be easy to understood by
+the community and easy enough for new maintainers to jump in and start
+contributing on day one.

 ### Milestones

-We operate mainly using [milestones](https://github.com/cdr/code-server/milestones). This was heavily inspired by our friends over at [vscode](https://github.com/microsoft/vscode).
+We operate mainly using
+[milestones](https://github.com/coder/code-server/milestones). This was heavily
+inspired by our friends over at [vscode](https://github.com/microsoft/vscode).

 Here are the milestones we use and how we use them:

 - "Backlog" -> Work not yet planned for a specific release.
 - "On Deck" -> Work under consideration for upcoming milestones.
- "Backlog Candidates" -> Work that is not yet accepted for the backlog. We wait for the community to weigh in.
- "<0.0.0>" -> Work to be done for that version.
+- "Backlog Candidates" -> Work that is not yet accepted for the backlog. We wait
+  for the community to weigh in.
+- "<Month>" -> Work to be done for said month.

-With this flow, any un-assigned issues are essentially in triage state and once triaged are either "Backlog" or "Backlog Candidates". They will eventually move to "On Deck" (or be closed). Lastly, they will end up on a version milestone where they will be worked on.
+With this flow, any un-assigned issues are essentially in triage state. Once
+triaged, issues are either "Backlog" or "Backlog Candidates". They will
+eventually move to "On Deck" (or be closed). Lastly, they will end up on a
+version milestone where they will be worked on.

 ### Triage

 We use the following process for triaging GitHub issues:

-1. a submitter creates an issue
-1. add appropriate labels
-   1. if we need to look into it further, add "needs-investigation"
-1. add to milestone
-   1. if it should be fixed soon, add to version milestone or "On Deck"
-   1. if not urgent, add to "Backlog"
-   1. otherwise, add to "Backlog Candidate" if it should be considered
-
-### Project Boards
-
-We use project boards for projects or goals that span multiple milestones.
-
-Think of this as a place to put miscellaneous things (like testing, clean up stuff, etc). As a maintainer, random todos may come up here and there. This gives you a place to add notes temporarily before opening a new issue. Given that our release milestones function off of issues, we believe tasks should have dedicated issues.
-
-It also gives us a way to separate the issue triage from bigger-picture, long-term work.
+1. Create an issue
+1. Add appropriate labels to the issue (including "needs-investigation" if we
+   should look into it further)
+1. Add the issue to a milestone
+   1. If it should be fixed soon, add to version milestone or "On Deck"
+   2. If not urgent, add to "Backlog"
+   3. Otherwise, add to "Backlog Candidate" for future consideration

 ## Versioning

 `<major.minor.patch>`

-The code-server project follows traditional [semantic versioning](https://semver.org/), with the objective of minimizing major changes that break backward compatibility. We increment the patch level for all releases, except when the upstream Visual Studio Code project increments its minor version or we change the plugin API in a backward-compatible manner. In those cases, we increment the minor version rather than the patch level.
+The code-server project follows traditional [semantic
+versioning](https://semver.org/), with the objective of minimizing major changes
+that break backward compatibility. We increment the patch level for all
+releases, except when the upstream Visual Studio Code project increments its
+minor version or we change the plugin API in a backward-compatible manner. In
+those cases, we increment the minor version rather than the patch level.

-## Pull Requests
+## Pull requests

-Ideally, every PR should fix an issue. If it doesn't, make sure it's associated with a version milestone.
+Ideally, every PR should fix an issue. If it doesn't, make sure it's associated
+with a version milestone.

-If a PR does fix an issue, don't add it to the version milestone. Otherwise, the version milestone will have duplicate information: the issue & the PR fixing the issue.
+If a PR does fix an issue, don't add it to the version milestone. Otherwise, the
+version milestone will have duplicate information: the issue and the PR fixing
+the issue.

-### Merge Strategies
+### Merge strategies

-For most things, we recommend "Squash and Merge". If you're updating `lib/vscode`, we suggest using the "Rebase and Merge" strategy. There may be times where "Create a merge commit" makes sense as well. Use your best judgement. If you're unsure, you can always discuss in the PR with the team.
-The code-server project follows traditional [semantic versioning](ttps://semver.org/), with the objective of minimizing major changes that break backward compatibility. We increment the patch level for all releases, except when the upstream Visual Studio Code project increments its minor version or we change the plugin API in a backward-compatible manner. In those cases, we increment the minor version rather than the patch level.
+For most things, we recommend the **squash and merge** strategy. There
+may be times where **creating a merge commit** makes sense as well. Use your
+best judgment. If you're unsure, you can always discuss in the PR with the team.

-## Release
+### Changelog

-### Release Manager Rotation
+To save time when creating a new release for code-server, we keep a running
+changelog at `CHANGELOG.md`.

-With each release, we rotate the role of "release manager" to ensure every maintainer goes through the process. This helps us keep documentation up-to-date and encourages us to continually review and improve the flow with each set of eyes.
+If either the author or reviewer of a PR believes the change should be mentioned
+in the changelog, then it should be added.

-If you're the current release manager, follow these steps:
+If there is not a **Next Version** when you modify `CHANGELOG.md`, please add it
+using the template you see near the top of the changelog.

-1. Create a [release issue](../.github/ISSUE_TEMPLATE/release.md)
-2. Fill out checklist
-3. After release is published, close release milestone
+When writing your changelog item, ask yourself:
+
+1. How do these changes affect code-server users?
+2. What actions do they need to take (if any)?
+
+If you need inspiration, we suggest looking at the [Emacs
+changelog](https://github.com/emacs-mirror/emacs/blob/master/etc/NEWS).
+
+## Releases
+
+### Publishing a release
+
+1. Go to GitHub Actions > Draft release > Run workflow on the commit you want to
+   release. Make sure CI has finished the build workflow on that commit or this
+   will fail.
+2. CI will automatically grab the build artifact on that commit, inject the
+   version into the `package.json`, put together platform-specific packages, and
+   upload those packages to a draft release.
+3. Summarize the major changes in the `CHANGELOG.md`.
+4. Copy the relevant changelog section to the release then publish it.
+5. CI will automatically publish the NPM package, Docker image, and update
+   Homebrew using the published release assets.
+6. Bump the chart version in `Chart.yaml` and merge in the changelog updates.
+
+#### Release Candidates
+
+We prefer to do release candidates so the community can test things before a
+full-blown release. To do this follow the same steps as above but:
+
+1. Add a `-rc.<number>` suffix to the version.
+2. When you publish the release select "pre-release". CI will not automatically
+   publish pre-releases.
+3. Do not update the chart version or merge in the changelog until the final
+   release.
+
+#### AUR
+
+We publish to AUR as a package [here](https://aur.archlinux.org/packages/code-server/). This process is manual and can be done by following the steps in [this repo](https://github.com/coder/code-server-aur).
+
+#### Docker
+
+We publish code-server as a Docker image [here](https://registry.hub.docker.com/r/codercom/code-server), tagging it both with the version and latest.
+
+This is currently automated with the release process.
+
+#### Homebrew
+
+We publish code-server on Homebrew [here](https://github.com/Homebrew/homebrew-core/blob/master/Formula/code-server.rb).
+
+This is currently automated with the release process (but may fail occasionally). If it does, run this locally:
+
+```shell
+# Replace VERSION with version
+brew bump-formula-pr --version="${VERSION}" code-server --no-browse --no-audit
+```
+
+#### npm
+
+We publish code-server as a npm package [here](https://www.npmjs.com/package/code-server/v/latest).
+
+This is currently automated with the release process.
+
+## Syncing with upstream Code
+
+Refer to the [contributing docs](https://coder.com/docs/code-server/latest/CONTRIBUTING#version-updates-to-code) for information on how to update Code within code-server.
+
+## Testing
+
+Our testing structure is laid out under our [Contributing docs](https://coder.com/docs/code-server/latest/CONTRIBUTING#test).
+
+We hope to eventually hit 100% test coverage with our unit tests, and maybe one day our scripts (coverage not tracked currently).
+
+If you're ever looking to add more tests, here are a few ways to get started:
+
+- run `yarn test:unit` and look at the coverage chart. You'll see all the uncovered lines. This is a good place to start.
+- look at `test/scripts` to see which scripts are tested. We can always use more tests there.
+- look at `test/e2e`. We can always use more end-to-end tests.
+
+Otherwise, talk to a current maintainer and ask which part of the codebase is lacking most when it comes to tests.
+
+## Documentation
+
+### Troubleshooting
+
+Our docs are hosted on [Vercel](https://vercel.com/). Vercel only shows logs in realtime, which means you need to have the logs open in one tab and reproduce your error in another tab. Since our logs are private to Coder the organization, you can only follow these steps if you're a Coder employee. Ask a maintainer for help if you need it.
+
+Taking a real scenario, let's say you wanted to troubleshoot [this docs change](https://github.com/coder/code-server/pull/4042). Here is how you would do it:
+
+1. Go to https://vercel.com/codercom/codercom
+2. Click "View Function Logs"
+3. In a separate tab, open the preview link from github-actions-bot
+4. Now look at the function logs and see if there are errors in the logs
--- a/docs/README.md
+++ b/docs/README.md
@@ -0,0 +1,78 @@
+# code-server
+
+[!["GitHub Discussions"](https://img.shields.io/badge/%20GitHub-%20Discussions-gray.svg?longCache=true&logo=github&colorB=purple)](https://github.com/coder/code-server/discussions) [!["Join us on Slack"](https://img.shields.io/badge/join-us%20on%20slack-gray.svg?longCache=true&logo=slack&colorB=brightgreen)](https://coder.com/community) [![Twitter Follow](https://img.shields.io/twitter/follow/CoderHQ?label=%40CoderHQ&style=social)](https://twitter.com/coderhq) [![codecov](https://codecov.io/gh/coder/code-server/branch/main/graph/badge.svg?token=5iM9farjnC)](https://codecov.io/gh/coder/code-server) [![See latest](https://img.shields.io/static/v1?label=Docs&message=see%20latest&color=blue)](https://coder.com/docs/code-server/latest)
+
+Run [VS Code](https://github.com/Microsoft/vscode) on any machine anywhere and
+access it in the browser.
+
+![Screenshot](./assets/screenshot.png)
+
+## Highlights
+
+- Code on any device with a consistent development environment
+- Use cloud servers to speed up tests, compilations, downloads, and more
+- Preserve battery life when you're on the go; all intensive tasks run on your
+  server
+
+## Requirements
+
+See [requirements](https://coder.com/docs/code-server/latest/requirements) for minimum specs, as well as instructions
+on how to set up a Google VM on which you can install code-server.
+
+**TL;DR:** Linux machine with WebSockets enabled, 1 GB RAM, and 2 vCPUs
+
+## Getting started
+
+There are four ways to get started:
+
+1. Using the [install
+   script](https://github.com/coder/code-server/blob/main/install.sh), which
+   automates most of the process. The script uses the system package manager if
+   possible.
+2. Manually [installing
+   code-server](https://coder.com/docs/code-server/latest/install)
+3. Deploy code-server to your team with [coder/coder](https://cdr.co/coder-github)
+4. Using our one-click buttons and guides to [deploy code-server to a cloud
+   provider](https://github.com/coder/deploy-code-server) ⚡
+
+If you use the install script, you can preview what occurs during the install
+process:
+
+```bash
+curl -fsSL https://code-server.dev/install.sh | sh -s -- --dry-run
+```
+
+To install, run:
+
+```bash
+curl -fsSL https://code-server.dev/install.sh | sh
+```
+
+When done, the install script prints out instructions for running and starting
+code-server.
+
+> **Note**
+> To manage code-server for a team on your infrastructure, see: [coder/coder](https://cdr.co/coder-github)
+
+We also have an in-depth [setup and
+configuration](https://coder.com/docs/code-server/latest/guide) guide.
+
+## Questions?
+
+See answers to [frequently asked
+questions](https://coder.com/docs/code-server/latest/FAQ).
+
+## Want to help?
+
+See [Contributing](https://coder.com/docs/code-server/latest/CONTRIBUTING) for
+details.
+
+## Hiring
+
+Interested in [working at Coder](https://coder.com/careers)? Check out [our open
+positions](https://coder.com/careers#openings)!
+
+## For Organizations
+
+Want remote development for your organization or enterprise? Visit [our
+website](https://coder.com) to learn more about Coder.
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -1,29 +1,35 @@
 # Security Policy

-The code-server team (and Coder, the organization) care a lot about keeping the project secure and safe for end-users.
+Coder and the code-server team want to keep the code-server project secure and safe for end-users.

 ## Tools

-We use a combination of tools to help us stay on top of vulnerabilities.
+We use the following tools to help us stay on top of vulnerability mitigation.

 - [dependabot](https://dependabot.com/)
-  - Submits pull requests to upgrade dependencies. We use dependabot's version upgrades as well as security updates.
+  - Submits pull requests to upgrade dependencies. We use dependabot's version
+    upgrades as well as security updates.
 - code-scanning
  - [CodeQL](https://securitylab.github.com/tools/codeql/)
-    - Semantic code analysis engine that runs on a regular schedule (see `codeql-analysis.yml`)
+    - Semantic code analysis engine that runs on a regular schedule (see
+      `codeql-analysis.yml`)
  - [trivy](https://github.com/aquasecurity/trivy)
-    - Comprehensive vulnerability scanner that runs on PRs into the default branch and scans both our container image and repository code (see `trivy-scan-repo` and `trivy-scan-image` jobs in `ci.yaml`)
+    - Comprehensive vulnerability scanner that runs on PRs into the default
+      branch and scans both our container image and repository code (see
+      `trivy-scan-repo` and `trivy-scan-image` jobs in `build.yaml`)
 - [`audit-ci`](https://github.com/IBM/audit-ci)
-  - Audits npm and Yarn dependencies in CI (see "Audit for vulnerabilities" step in `ci.yaml`) on PRs into the default branch and fails CI if moderate or higher vulnerabilities(see the `audit.sh` script) are present.
+  - Audits npm and Yarn dependencies in CI (see `Audit for vulnerabilities` step
+    in `build.yaml`) on PRs into the default branch and fails CI if moderate or
+    higher vulnerabilities (see the `audit.sh` script) are present.

 ## Supported Versions

-Coder sponsors development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report, and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.
+Coder sponsors the development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.

-| Version                                               | Supported          |
-| ----------------------------------------------------- | ------------------ |
-| [Latest](https://github.com/cdr/code-server/releases) | :white_check_mark: |
+| Version                                                 | Supported          |
+| ------------------------------------------------------- | ------------------ |
+| [Latest](https://github.com/coder/code-server/releases) | :white_check_mark: |

 ## Reporting a Vulnerability

-To report a vulnerability, please send an email to security[@]coder.com and our security team will respond to you.
+To report a vulnerability, please send an email to security[@]coder.com, and our security team will respond to you.
--- a/docs/android.md
+++ b/docs/android.md
@@ -0,0 +1,31 @@
+# Running code-server using UserLAnd
+
+1. Install UserLAnd from [Google Play](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US&gl=US)
+2. Install an Ubuntu VM
+3. Start app
+4. Install Node.js and `curl` using `sudo apt install nodejs npm curl -y`
+5. Install `nvm`:
+
+```shell
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash
+```
+
+6. Exit the terminal using `exit` and then reopen the terminal
+7. Install and use Node.js 16:
+
+```shell
+nvm install 16
+nvm use 16
+```
+
+8. Install code-server globally on device with: `npm install --global code-server --unsafe-perm`
+9. Run code-server with `code-server`
+10. Access on localhost:8080 in your browser
+
+# Running code-server using Nix-on-Droid
+
+1. Install Nix-on-Droid from [F-Droid](https://f-droid.org/packages/com.termux.nix/)
+2. Start app
+3. Spawn a shell with code-server by running `nix-shell -p code-server`
+4. Run code-server with `code-server`
+5. Access on localhost:8080 in your browser
--- a/docs/assets/images/icons/collab.svg
+++ b/docs/assets/images/icons/collab.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="20" height="20" viewBox="0 0 20 20"> <path d="M12.2 13.4357L9.5 11.4357C10.4 10.7357 11 9.7357 11 8.5357V7.7357C11 5.8357 9.6 4.1357 7.7 4.0357C5.7 3.9357 4 5.5357 4 7.5357V8.5357C4 9.7357 4.6 10.7357 5.5 11.4357L2.8 13.5357C2.3 13.9357 2 14.5357 2 15.1357V17.0357C2 17.6357 2.4 18.0357 3 18.0357H12C12.6 18.0357 13 17.6357 13 17.0357V15.0357C13 14.4357 12.7 13.8357 12.2 13.4357Z"/> <path d="M17.1 8.43436L15.3 7.23436C15.7 6.83436 16 6.23436 16 5.53436V4.63436C16 3.43436 15.1 2.23436 13.9 2.03436C12.7 1.83436 11.7 2.53436 11.2 3.43436C12.3 4.43436 13 5.83436 13 7.43436V8.43436C13 9.33436 12.8 10.2344 12.4 10.9344C12.4 10.9344 13.6 11.8344 13.6 11.9344H17C17.6 11.9344 18 11.5344 18 10.9344V10.1344C18 9.43436 17.7 8.83436 17.1 8.43436Z"/></svg>
--- a/docs/assets/images/icons/contributing.svg
+++ b/docs/assets/images/icons/contributing.svg
@@ -0,0 +1 @@
+<svg width="20" height="20" fill="none" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"><path d="M5 2.5V12.5" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M15 7.5C16.3807 7.5 17.5 6.38071 17.5 5C17.5 3.61929 16.3807 2.5 15 2.5C13.6193 2.5 12.5 3.61929 12.5 5C12.5 6.38071 13.6193 7.5 15 7.5Z" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M5 17.5C6.38071 17.5 7.5 16.3807 7.5 15C7.5 13.6193 6.38071 12.5 5 12.5C3.61929 12.5 2.5 13.6193 2.5 15C2.5 16.3807 3.61929 17.5 5 17.5Z" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M15 7.5C15 9.48912 14.2098 11.3968 12.8033 12.8033C11.3968 14.2098 9.48912 15 7.5 15" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
--- a/docs/assets/images/icons/faq.svg
+++ b/docs/assets/images/icons/faq.svg
@@ -0,0 +1 @@
+<svg width="20" height="20" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><path d="M10.0001 18.3333C14.6025 18.3333 18.3334 14.6024 18.3334 10C18.3334 5.39762 14.6025 1.66666 10.0001 1.66666C5.39771 1.66666 1.66675 5.39762 1.66675 10C1.66675 14.6024 5.39771 18.3333 10.0001 18.3333Z" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M7.57495 7.5C7.77087 6.94306 8.15758 6.47342 8.66658 6.17428C9.17558 5.87513 9.77403 5.76578 10.3559 5.86559C10.9378 5.96541 11.4656 6.26794 11.8458 6.71961C12.2261 7.17128 12.4342 7.74294 12.4333 8.33333C12.4333 10 9.93328 10.8333 9.93328 10.8333" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M10 14.1667H10.0083" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
--- a/docs/assets/images/icons/home.svg
+++ b/docs/assets/images/icons/home.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" viewBox="0 0 16 16" width="16px" xml:space="preserve"><path d="M15.45,7L14,5.551V2c0-0.55-0.45-1-1-1h-1c-0.55,0-1,0.45-1,1v0.553L9,0.555C8.727,0.297,8.477,0,8,0S7.273,0.297,7,0.555  L0.55,7C0.238,7.325,0,7.562,0,8c0,0.563,0.432,1,1,1h1v6c0,0.55,0.45,1,1,1h3v-5c0-0.55,0.45-1,1-1h2c0.55,0,1,0.45,1,1v5h3  c0.55,0,1-0.45,1-1V9h1c0.568,0,1-0.437,1-1C16,7.562,15.762,7.325,15.45,7z"></path></svg>
--- a/docs/assets/images/icons/requirements.svg
+++ b/docs/assets/images/icons/requirements.svg
@@ -0,0 +1 @@
+<svg width="20" height="20" viewBox="0 0 20 20"  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><path d="M6 2V11H2V15C2 16.7 3.3 18 5 18H15C16.7 18 18 16.7 18 15V2H6ZM16 15C16 15.6 15.6 16 15 16H8V4H16V15Z" /><path d="M14 7H10V9H14V7Z" /><path d="M14 11H10V13H14V11Z" /></svg>
--- a/docs/assets/images/icons/upgrade.svg
+++ b/docs/assets/images/icons/upgrade.svg
@@ -0,0 +1 @@
+<svg width="20" height="20" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><path d="M17.8049 2.19795C17.7385 2.1311 17.6587 2.07899 17.5708 2.04504C17.4829 2.01108 17.3889 1.99604 17.2948 2.00089C7.89216 2.49153 4.4188 10.8673 4.38528 10.9517C4.33624 11.0736 4.32406 11.2071 4.5.028 11.3358C4.3765 11.4645 4.43995 11.5827 4.53274 11.6756L8.32449 15.4674C8.41787 15.5606 8.53669 15.6242 8.66606 15.6502C8.79543 15.6762 8.92959 15.6634 9.05174 15.6135C9.13552 15.5793 17.4664 12.0671 17.9986 2.7087C18.0039 2.61474 17.9895 2.5207 17.9561 2.4327C17.9227 2.3447 17.8712 2.26471 17.8049 2.19795ZM12.3314 9.56427C12.1439 9.75179 11.9051 9.87951 11.645 9.93126C11.385 9.98302 11.1154 9.9565 10.8704 9.85505C10.6254 9.7536 10.4161 9.58178 10.2687 9.36131C10.1214 9.14085 10.0428 8.88166 10.0428 8.6165C10.0428 8.35135 10.1214 8.09215 10.2687 7.87169C10.4161 7.65123 10.6254 7.47941 10.8704 7.37796C11.1154 7.27651 11.385 7.24998 11.645 7.30174C11.9051 7.3535 12.1439 7.48121 12.3314 7.66873C12.5827 7.92012 12.7239 8.26104 12.7239 8.6165C12.7239 8.97197 12.5827 9.31288 12.3314 9.56427Z"/><path d="M2.74602 14.5444C2.92281 14.3664 3.133 14.2251 3.36454 14.1285C3.59608 14.0319 3.8444 13.9819 4.09529 13.9815C4.34617 13.9811 4.59466 14.0.12 4.82653 14.126C5.05839 14.2218 5.26907 14.3624 5.44647 14.5398C5.62386 14.7172 5.7645 14.9279 5.86031 15.1598C5.95612 15.3916 6.00522 15.6401 6.00479 15.891C6.00437 16.1419 5.95442 16.3902 5.85782 16.6218C5.76122 16.8533 5.61987 17.0635 5.44186 17.2403C4.69719 17.985 2 18.0004 2 18.0004C2 18.0004 2 15.2884 2.74602 14.5444Z"/><path d="M8.9416 3.48269C7.99688 3.31826 7.02645 3.38371 6.11237 3.67352C5.19828 3.96332 4.36741 4.46894 3.68999 5.14765C3.33153 5.50944.5.01988 5.91477 2.76233 6.35415C2.68692 6.4822 2.6562 6.63169 2.67501 6.77911C2.69381 6.92652 2.76108 7.06351 2.86623 7.16853L4.1994 8.50238C5.43822 6.53634 7.04911 4.83119 8.9416 3.48269Z"/><path d="M16.5181 11.0585C16.6825 12.0033 16.6171 12.9737 16.3273 13.8878C16.0375 14.8019 15.5318 15.6327 14.8531 16.3101C14.4914 16.6686 14.086 16.9803 13.6466 17.2378C13.5186 17.3132 13.3691 17.3439 13.2217 17.3251C13.0743 17.3063 12.9373 17.2391 12.8323 17.1339L11.4984 15.8007C13.4645 14.5619 15.1696 12.951 16.5181 11.0585Z"/></svg>
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="20" height="20" viewBox="0 0 20 20"> <path d="M12.2 13.4357L9.5 11.4357C10.4 10.7357 11 9.7357 11 8.5357V7.7357C11 5.8357 9.6 4.1357 7.7 4.0357C5.7 3.9357 4 5.5357 4 7.5357V8.5357C4 9.7357 4.6 10.7357 5.5 11.4357L2.8 13.5357C2.3 13.9357 2 14.5357 2 15.1357V17.0357C2 17.6357 2.4 18.0357 3 18.0357H12C12.6 18.0357 13 17.6357 13 17.0357V15.0357C13 14.4357 12.7 13.8357 12.2 13.4357Z"/> <path d="M17.1 8.43436L15.3 7.23436C15.7 6.83436 16 6.23436 16 5.53436V4.63436C16 3.43436 15.1 2.23436 13.9 2.03436C12.7 1.83436 11.7 2.53436 11.2 3.43436C12.3 4.43436 13 5.83436 13 7.43436V8.43436C13 9.33436 12.8 10.2344 12.4 10.9344C12.4 10.9344 13.6 11.8344 13.6 11.9344H17C17.6 11.9344 18 11.5344 18 10.9344V10.1344C18 9.43436 17.7 8.83436 17.1 8.43436Z"/></svg>
				`@@ -0,0 +1 @@`
				<svg width="20" height="20" fill="none" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"><path d="M5 2.5V12.5" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M15 7.5C16.3807 7.5 17.5 6.38071 17.5 5C17.5 3.61929 16.3807 2.5 15 2.5C13.6193 2.5 12.5 3.61929 12.5 5C12.5 6.38071 13.6193 7.5 15 7.5Z" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M5 17.5C6.38071 17.5 7.5 16.3807 7.5 15C7.5 13.6193 6.38071 12.5 5 12.5C3.61929 12.5 2.5 13.6193 2.5 15C2.5 16.3807 3.61929 17.5 5 17.5Z" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M15 7.5C15 9.48912 14.2098 11.3968 12.8033 12.8033C11.3968 14.2098 9.48912 15 7.5 15" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
				`@@ -0,0 +1 @@`
				<svg width="20" height="20" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><path d="M10.0001 18.3333C14.6025 18.3333 18.3334 14.6024 18.3334 10C18.3334 5.39762 14.6025 1.66666 10.0001 1.66666C5.39771 1.66666 1.66675 5.39762 1.66675 10C1.66675 14.6024 5.39771 18.3333 10.0001 18.3333Z" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M7.57495 7.5C7.77087 6.94306 8.15758 6.47342 8.66658 6.17428C9.17558 5.87513 9.77403 5.76578 10.3559 5.86559C10.9378 5.96541 11.4656 6.26794 11.8458 6.71961C12.2261 7.17128 12.4342 7.74294 12.4333 8.33333C12.4333 10 9.93328 10.8333 9.93328 10.8333" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M10 14.1667H10.0083" stroke="currentColor" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/></svg>
				`@@ -0,0 +1 @@`
				`<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" viewBox="0 0 16 16" width="16px" xml:space="preserve"><path d="M15.45,7L14,5.551V2c0-0.55-0.45-1-1-1h-1c-0.55,0-1,0.45-1,1v0.553L9,0.555C8.727,0.297,8.477,0,8,0S7.273,0.297,7,0.555 L0.55,7C0.238,7.325,0,7.562,0,8c0,0.563,0.432,1,1,1h1v6c0,0.55,0.45,1,1,1h3v-5c0-0.55,0.45-1,1-1h2c0.55,0,1,0.45,1,1v5h3 c0.55,0,1-0.45,1-1V9h1c0.568,0,1-0.437,1-1C16,7.562,15.762,7.325,15.45,7z"></path></svg>`
				`@@ -0,0 +1 @@`
				`<svg width="20" height="20" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><path d="M6 2V11H2V15C2 16.7 3.3 18 5 18H15C16.7 18 18 16.7 18 15V2H6ZM16 15C16 15.6 15.6 16 15 16H8V4H16V15Z" /><path d="M14 7H10V9H14V7Z" /><path d="M14 11H10V13H14V11Z" /></svg>`