Merge branch 'main' into jsjoeio/nfpm-fix

* refactor: remove keytar dep in cross-compile

* refactor: try other keytar package

* refactor: remove keytar step in cross-compile

* fix: manually remove keytar

* try this first

* I think this is it

* Revert "I think this is it"

This reverts commit 5c566b0c01.

* okay this is it

* fixup

* try legacy peer

* remove keytar before standalone

* wrong path

* maybe

* revert: change *npm* back to npm*

* revert: don't uninstall keytar

* fix: use npm run standalone-release

* fixup formatting

* Revert "refactor: remove yarn.lock steps (#5850)"

This reverts commit 907747d394.

* fixup: remove the --exclude

* refactor: remove yarn.lock check

* try ddd in postinstall

* refactor: cache before release:standalone

* refactor: add os to cache key in release

* chore: formatting

* Update ci/build/npm-postinstall.sh

* fixup: formatting

.github/workflows/build.yaml

@@ -24,7 +24,7 @@ concurrency:
 jobs:
   prettier:
     name: Format with Prettier
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     timeout-minutes: 5
     steps:
       - name: Checkout repo
@@ -37,7 +37,7 @@ jobs:
 
   doctoc:
     name: Doctoc markdown files
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     timeout-minutes: 5
     steps:
       - name: Checkout repo
@@ -66,7 +66,7 @@ jobs:
 
   lint-helm:
     name: Lint Helm chart
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     timeout-minutes: 5
     steps:
       - name: Checkout repo
@@ -97,7 +97,7 @@ jobs:
 
   lint-ts:
     name: Lint TypeScript files
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     timeout-minutes: 5
     steps:
       - name: Checkout repo
@@ -141,7 +141,7 @@ jobs:
 
   build:
     name: Build code-server
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     timeout-minutes: 30
     env:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -244,7 +244,7 @@ jobs:
     # Only run if PR comes from base repo or event is not a PR
     # Reason: forks cannot access secrets and this will always fail
     if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
@@ -295,63 +295,7 @@ jobs:
   test-e2e:
     name: Run e2e tests
     needs: build
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-
-      - name: Install Node.js v16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-
-      - name: Fetch dependencies from cache
-        id: cache-node-modules
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Download npm package
-        uses: actions/download-artifact@v3
-        with:
-          name: npm-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      - name: Install release package dependencies
-        run: cd release && yarn install
-
-      - name: Install dependencies
-        if: steps.cache-node-modules.outputs.cache-hit != 'true'
-        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
-
-      - name: Install Playwright OS dependencies
-        run: |
-          ./test/node_modules/.bin/playwright install-deps
-          ./test/node_modules/.bin/playwright install
-
-      - name: Run end-to-end tests
-        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e --global-timeout 840000
-
-      - name: Upload test artifacts
-        if: always()
-        uses: actions/upload-artifact@v3
-        with:
-          name: failed-test-videos
-          path: ./test/test-results
-
-      - name: Remove release packages and test artifacts
-        run: rm -rf ./release ./test/test-results
-
-  test-e2e-proxy:
-    name: Run e2e tests behind proxy
-    needs: build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     timeout-minutes: 25
     steps:
       - name: Checkout repo
@@ -380,7 +324,63 @@ jobs:
         run: tar -xzf package.tar.gz
 
       - name: Install release package dependencies
-        run: cd release && yarn install
+        run: cd release && npm install --unsafe-perm --omit=dev
+
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+      - name: Install Playwright OS dependencies
+        run: |
+          ./test/node_modules/.bin/playwright install-deps
+          ./test/node_modules/.bin/playwright install
+
+      - name: Run end-to-end tests
+        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e --global-timeout 840000
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos
+          path: ./test/test-results
+
+      - name: Remove release packages and test artifacts
+        run: rm -rf ./release ./test/test-results
+
+  test-e2e-proxy:
+    name: Run e2e tests behind proxy
+    needs: build
+    runs-on: ubuntu-20.04
+    timeout-minutes: 25
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+
+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
+      - name: Download npm package
+        uses: actions/download-artifact@v3
+        with:
+          name: npm-package
+
+      - name: Decompress npm package
+        run: tar -xzf package.tar.gz
+
+      - name: Install release package dependencies
+        run: cd release && npm install --unsafe-perm --omit=dev
 
       - name: Install dependencies
         if: steps.cache-node-modules.outputs.cache-hit != 'true'

.github/workflows/publish.yaml

@@ -127,6 +127,8 @@ jobs:
 
       - name: Validate package
         uses: hapakaien/archlinux-package-action@v2
+        env:
+          VERSION: ${{ env.VERSION }}
         with:
           pkgver: ${{ env.VERSION }}
           updpkgsums: true

.github/workflows/release.yaml

@@ -44,11 +44,13 @@ jobs:
         run: |
           yum install -y epel-release centos-release-scl make
           yum install -y devtoolset-9-{make,gcc,gcc-c++} jq rsync python3
+          # for keytar
+          yum install -y libsecret-devel
 
       - name: Install nfpm and envsubst
         run: |
           mkdir -p ~/.local/bin
-          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
+          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.22.2/nfpm_2.22.2_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
           curl -sSfL https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst
           chmod +x envsubst
           mv envsubst ~/.local/bin
@@ -68,19 +70,9 @@ jobs:
       # NOTE: && here is deliberate - GitHub puts each line in its own `.sh`
       # file when running inside a docker container.
       - name: Build standalone release
-        run: source scl_source enable devtoolset-9 && yarn release:standalone
-
-      - name: Fetch dependencies from cache
-        id: cache-node-modules
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
+        run: source scl_source enable devtoolset-9 && npm run release:standalone
 
       - name: Install test dependencies
-        if: steps.cache-node-modules.outputs.cache-hit != 'true'
         run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
 
       - name: Run integration tests on standalone release
@@ -127,11 +119,11 @@ jobs:
   # but this means we don't need to maintain a self-hosted runner!
 
   # NOTE@jsjoeio:
-  # We used to use 16.04 until GitHub deprecated it on September 20, 2021
-  # See here: https://github.com/actions/virtual-environments/pull/3862/files
+  # We used to use 18.04 until GitHub browned it out on December 15, 2022
+  # See here: https://github.com/actions/runner-images/issues/6002
   package-linux-cross:
     name: Linux cross-compile builds
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     timeout-minutes: 15
     needs: npm-version
     strategy:
@@ -178,6 +170,8 @@ jobs:
       - name: Decompress npm package
         run: tar -xzf package.tar.gz
 
+      # NOTE@jsjoeio - npm fails here
+      # so use yarn
       - name: Build standalone release
         run: yarn release:standalone
 
@@ -234,19 +228,9 @@ jobs:
         run: tar -xzf package.tar.gz
 
       - name: Build standalone release
-        run: yarn release:standalone
-
-      - name: Fetch dependencies from cache
-        id: cache-node-modules
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
+        run: npm run release:standalone
 
       - name: Install test dependencies
-        if: steps.cache-node-modules.outputs.cache-hit != 'true'
         run: SKIP_SUBMODULE_DEPS=1 yarn install
 
       - name: Run native module tests on standalone release
@@ -299,8 +283,9 @@ jobs:
           branch: ${{ github.ref }}
           workflow: build.yaml
           workflow_conclusion: completed
-          check_artifacts: true
           name: npm-package
+          check_artifacts: false
+          if_no_artifact_found: fail
 
       - name: Decompress npm package
         run: tar -xzf package.tar.gz
@@ -321,7 +306,9 @@ jobs:
 
           echo "Updating version in lib/vscode/product.json"
           tmp=$(mktemp) 
-          jq '.codeServerVersion = "$VERSION"' release/lib/vscode/product.json > "$tmp" && mv "$tmp" release/lib/vscode/product.json
+          jq ".codeServerVersion = \"$VERSION\"" release/lib/vscode/product.json > "$tmp" && mv "$tmp" release/lib/vscode/product.json
+          # Ensure it has the same permissions as before
+          chmod 644 release/lib/vscode/product.json
 
       - name: Compress release package
         run: tar -czf package.tar.gz release

.prettierignore

@@ -1,6 +1,7 @@
 lib/vscode
 lib/vscode-reh-web-linux-x64
 release-standalone
+release-packages
 release
 helm-chart
 test/scripts

CHANGELOG.md

@@ -20,6 +20,28 @@ Code v99.99.999
 
 -->
 
+## [4.9.0](https://github.com/coder/code-server/releases/tag/v4.9.0) - 2022-12-06
+
+Code v1.73.1
+
+### Changed
+
+- Upgraded to Code 1.73.1
+
+### Added
+
+- `/security.txt` added as a route with info on our security policy information thanks to @ghuntley
+
+### Fixed
+
+- Installing on majaro images should now work thanks to @MrPeacockNLB for
+  adding the `--noconfirm` flag in `install.sh`
+
+### Known Issues
+
+- `--cert` on Ubuntu 22.04: OpenSSL v3 is used which breaks `pem` meaning the
+  `--cert` feature will not work. [Reference](https://github.com/adobe/fetch/pull/318#issuecomment-1306070259)
+
 ## [4.8.3](https://github.com/coder/code-server/releases/tag/v4.8.3) - 2022-11-07
 
 Code v1.72.1

ci/build/nfpm.yaml

@@ -22,4 +22,4 @@ contents:
     dst: /usr/lib/systemd/user/code-server.service
 
   - src: ./release-standalone/*
-    dst: /usr/lib/code-server/
+    dst: /usr/lib/code-server

ci/build/npm-postinstall.sh

@@ -124,27 +124,18 @@ main() {
 }
 
 install_with_yarn_or_npm() {
+  echo "User agent: ${npm_config_user_agent-none}"
   # NOTE@edvincent: We want to keep using the package manager that the end-user was using to install the package.
   # This also ensures that when *we* run `yarn` in the development process, the yarn.lock file is used.
   case "${npm_config_user_agent-}" in
-    yarn*)
-      if [ -f "yarn.lock" ]; then
-        yarn --production --frozen-lockfile --no-default-rc
-      else
-        echo "yarn.lock file not present, not running in development mode. use npm to install code-server!"
-        exit 1
-      fi
-      ;;
     npm*)
-      if [ -f "yarn.lock" ]; then
-        echo "yarn.lock file present, running in development mode. use yarn to install code-server!"
-        exit 1
-      else
-        # HACK: NPM's use of semver doesn't like resolving some peerDependencies that vscode (upstream) brings in the form of pre-releases.
-        # The legacy behavior doesn't complain about pre-releases being used, falling back to that for now.
-        # See https://github.com//pull/5071
-        npm install --unsafe-perm --legacy-peer-deps --omit=dev
-      fi
+      # HACK: NPM's use of semver doesn't like resolving some peerDependencies that vscode (upstream) brings in the form of pre-releases.
+      # The legacy behavior doesn't complain about pre-releases being used, falling back to that for now.
+      # See https://github.com//pull/5071
+      npm install --unsafe-perm --legacy-peer-deps --omit=dev
+      ;;
+    yarn*)
+      yarn --production --frozen-lockfile --no-default-rc
       ;;
     *)
       echo "Could not determine which package manager is being used to install code-server"

ci/helm-chart/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.3.3
+version: 3.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.8.3
+appVersion: 4.9.0

ci/helm-chart/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: codercom/code-server
-  tag: '4.8.3'
+  tag: '4.9.0'
   pullPolicy: Always
 
 # Specifies one or more secrets to be used when pulling images from a

install.sh

@@ -387,7 +387,7 @@ install_aur() {
   if [ ! "${DRY_RUN-}" ]; then
     cd "$CACHE_DIR/code-server-aur"
   fi
-  sh_c makepkg -si
+  sh_c makepkg -si --noconfirm
 
   echo_systemd_postinstall AUR
 }

package.json

@@ -83,7 +83,8 @@
     "nanoid": "^3.1.31",
     "minimist": "npm:minimist-lite@2.2.1",
     "glob-parent": "^6.0.1",
-    "@types/node": "^16.0.0"
+    "@types/node": "^16.0.0",
+    "qs": "^6.7.3"
   },
   "dependencies": {
     "@coder/logger": "^3.0.0",
@@ -116,7 +117,8 @@
     "ide",
     "coder",
     "vscode-remote",
-    "browser-ide"
+    "browser-ide",
+    "remote-development"
   ],
   "engines": {
     "node": "16"

src/browser/security.txt

@@ -0,0 +1,6 @@
+Contact: mailto:security@coder.com
+Acknowledgments: https://coder.com/security/thanks
+Preferred-Languages: en-US
+Canonical: https://coder.com/.well-known/security.txt
+Policy: https://coder.com/security/policy
+Hiring: https://coder.com/careers

src/node/routes/index.ts

@@ -81,6 +81,13 @@ export const register = async (app: App, args: DefaultedArgs): Promise<Disposabl
       return res.redirect(`https://${req.headers.host}${req.originalUrl}`)
     }
 
+    // Return security.txt.
+    if (req.originalUrl === "/security.txt" || req.originalUrl === "/.well-known/security.txt") {
+      const resourcePath = path.resolve(rootPath, "src/browser/security.txt")
+      res.set("Content-Type", getMediaMime(resourcePath))
+      return res.send(await fs.readFile(resourcePath))
+    }
+
     // Return robots.txt.
     if (req.originalUrl === "/robots.txt") {
       const resourcePath = path.resolve(rootPath, "src/browser/robots.txt")

src/node/wrapper.ts

@@ -147,7 +147,7 @@ abstract class Process {
  * Child process that will clean up after itself if the parent goes away and can
  * perform a handshake with the parent and ask it to relaunch.
  */
-class ChildProcess extends Process {
+export class ChildProcess extends Process {
   public logger = logger.named(`child:${process.pid}`)
 
   public constructor(private readonly parentPid: number) {

test/unit/node/wrapper.test.ts

@@ -0,0 +1,14 @@
+import { ChildProcess, ParentProcess, isChild } from "../../../src/node/wrapper"
+
+describe("wrapper", () => {
+  describe("isChild", () => {
+    it("should return false for parent process", () => {
+      const p = new ParentProcess("1")
+      expect(isChild(p)).toBe(false)
+    })
+  })
+  it("should return false for parent process", () => {
+    const childProc = new ChildProcess(1)
+    expect(isChild(childProc)).toBe(true)
+  })
+})

yarn.lock

@@ -2812,18 +2812,13 @@ punycode@^2.1.0:
   resolved "https://registry.yarnpkg.com/punycode/-/punycode-2.1.1.tgz#b58b010ac40c22c5657616c8d2c2c02c7bf479ec"
   integrity sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==
 
-qs@6.11.0:
+qs@6.11.0, qs@6.7.0, qs@^6.7.3:
   version "6.11.0"
   resolved "https://registry.yarnpkg.com/qs/-/qs-6.11.0.tgz#fd0d963446f7a65e1367e01abd85429453f0c37a"
   integrity sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==
   dependencies:
     side-channel "^1.0.4"
 
-qs@6.7.0:
-  version "6.7.0"
-  resolved "https://registry.yarnpkg.com/qs/-/qs-6.7.0.tgz#41dc1a015e3d581f1621776be31afb2876a9b1bc"
-  integrity sha512-VCdBRNFTX1fyE7Nb6FYoURo/SPe62QCaAyzJvUjwRaIsc+NePBEniHlvxFmmX56+HZphIGtV0XeCirBtpDrTyQ==
-
 queue-microtask@^1.2.2:
   version "1.2.2"
   resolved "https://registry.yarnpkg.com/queue-microtask/-/queue-microtask-1.2.2.tgz#abf64491e6ecf0f38a6502403d4cda04f372dfd3"