code-server/.github/workflows/ci.yaml
Asher 21c74802e8
chore: move Code to a submodule (#4990)
* Move Code to a submodule

Closes #4901.

* Base Code cache on hash and re-enable node_modules cache

The current setup appears to only rebuild VS Code if the dependencies
change but we need to rebuild it if anything changes.

I also re-enabled the commented out node_modules caches.  They look like
they should work to me with the submodule method.  I think the problem
occurred because Code itself was being installed in the yarn step.
2022-03-14 21:37:29 -05:00

496 lines
15 KiB
YAML

name: Build
on:
push:
branches:
- main
pull_request:
branches:
- main
# Cancel in-progress runs for pull requests when developers push
# additional changes, and serialize builds in branches.
# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
# Note: if: success() is used in several jobs -
# this ensures that it only executes if all previous jobs succeeded.
# if: steps.cache-yarn.outputs.cache-hit != 'true'
# will skip running `yarn install` if it successfully fetched from cache
jobs:
prebuild:
name: Pre-build checks
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
submodules: true
- name: Install Node.js v14
uses: actions/setup-node@v3
with:
node-version: "14"
- name: Install helm
uses: azure/setup-helm@v1.1
- name: Fetch dependencies from cache
id: cache-yarn
uses: actions/cache@v2
with:
path: "**/node_modules"
key: yarn-build-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
yarn-build-
- name: Install dependencies
if: steps.cache-yarn.outputs.cache-hit != 'true'
run: yarn --frozen-lockfile
- name: Run yarn fmt
run: yarn fmt
if: success()
- name: Run yarn lint
run: yarn lint
if: success()
audit-ci:
name: Run audit-ci
needs: prebuild
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
submodules: true
- name: Install Node.js v14
uses: actions/setup-node@v3
with:
node-version: "14"
- name: Fetch dependencies from cache
id: cache-yarn
uses: actions/cache@v2
with:
path: "**/node_modules"
key: yarn-build-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
yarn-build-
- name: Install dependencies
if: steps.cache-yarn.outputs.cache-hit != 'true'
run: yarn --frozen-lockfile
- name: Audit for vulnerabilities
run: yarn _audit
if: success()
build:
name: Build
needs: prebuild
runs-on: ubuntu-latest
timeout-minutes: 30
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
submodules: true
- name: Install Node.js v14
uses: actions/setup-node@v3
with:
node-version: "14"
- name: Fetch dependencies from cache
id: cache-yarn
uses: actions/cache@v2
with:
path: "**/node_modules"
key: yarn-build-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
yarn-build-
- name: Install dependencies
if: steps.cache-yarn.outputs.cache-hit != 'true'
run: yarn --frozen-lockfile
- name: Build code-server
run: yarn build
# Get Code's git hash. When this changes it means the content is
# different and we need to rebuild. Use VSCODE_CACHE_VERSION to force a
# rebuild.
- name: Get latest lib/vscode rev
id: vscode-rev
run: echo "::set-output name=rev::$(git rev-parse HEAD:./lib/vscode)"
- name: Fetch Code build from cache
id: cache-vscode-2
uses: actions/cache@v2
with:
path: |
lib/vscode/.build
lib/vscode/out-build
lib/vscode/out-vscode-reh-web
lib/vscode/out-vscode-reh-web-min
key: vscode-reh-build-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}
- name: Build vscode
if: steps.cache-vscode-2.outputs.cache-hit != 'true'
run: yarn build:vscode
# Our code imports code from VS Code's `out` directory meaning VS Code
# must be built before running these tests.
# TODO: Move to its own step?
- name: Run code-server unit tests
run: yarn test:unit
if: success()
- name: Upload coverage report to Codecov
run: yarn coverage
if: success()
# The release package does not contain any native modules
# and is neutral to architecture/os/libc version.
- name: Create release package
run: yarn release
if: success()
# https://github.com/actions/upload-artifact/issues/38
- name: Compress release package
run: tar -czf package.tar.gz release
- name: Upload npm package artifact
uses: actions/upload-artifact@v3
with:
name: npm-package
path: ./package.tar.gz
npm:
# the npm-package gets uploaded as an artifact in Build
# so we need that to complete before this runs
needs: build
# This environment "npm" requires someone from
# coder/code-server-reviewers to approve the PR before this job runs.
environment: npm
# Only run if PR comes from base repo
# Reason: forks cannot access secrets and this will always fail
if: github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/download-artifact@v3
id: download
with:
name: "npm-package"
path: release-npm-package
- name: Run ./ci/steps/publish-npm.sh
run: yarn publish:npm
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
# NOTE@jsjoeio
# NPM_ENVIRONMENT intentionally not set here.
# Instead, itis determined in publish-npm.sh script
# using GITHUB environment variables
# TODO: cache building yarn --production
# possibly 2m30s of savings(?)
# this requires refactoring our release scripts
package-linux-amd64:
name: x86-64 Linux build
needs: build
runs-on: ubuntu-latest
timeout-minutes: 15
container: "centos:7"
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install Node.js v14
uses: actions/setup-node@v3
with:
node-version: "14"
- name: Install development tools
run: |
yum install -y epel-release centos-release-scl
yum install -y devtoolset-9-{make,gcc,gcc-c++} jq rsync
- name: Install nfpm and envsubst
run: |
curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1
curl -L https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst
chmod +x envsubst
mv envsubst ~/.local/bin
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Install yarn
run: npm install -g yarn
- name: Download npm package
uses: actions/download-artifact@v3
with:
name: npm-package
- name: Decompress npm package
run: tar -xzf package.tar.gz
# NOTE: && here is deliberate - GitHub puts each line in its own `.sh`
# file when running inside a docker container.
- name: Build standalone release
run: source scl_source enable devtoolset-9 && yarn release:standalone
- name: Sanity test standalone release
run: yarn test:standalone-release
- name: Build packages with nfpm
run: yarn package
- name: Upload release artifacts
uses: actions/upload-artifact@v3
with:
name: release-packages
path: ./release-packages
# NOTE@oxy:
# We use Ubuntu 16.04 here, so that our build is more compatible
# with older libc versions. We used to (Q1'20) use CentOS 7 here,
# but it has a full update EOL of Q4'20 and a 'critical security'
# update EOL of 2024. We're dropping full support a few years before
# the final EOL, but I don't believe CentOS 7 has a large arm64 userbase.
# It is not feasible to cross-compile with CentOS.
# Cross-compile notes: To compile native dependencies for arm64,
# we install the aarch64/armv7l cross toolchain and then set it as the default
# compiler/linker/etc. with the AR/CC/CXX/LINK environment variables.
# qemu-user-static on ubuntu-16.04 currently doesn't run Node correctly,
# so we just build with "native"/x86_64 node, then download arm64/armv7l node
# and then put it in our release. We can't smoke test the cross build this way,
# but this means we don't need to maintain a self-hosted runner!
# NOTE@jsjoeio:
# We used to use 16.04 until GitHub deprecated it on September 20, 2021
# See here: https://github.com/actions/virtual-environments/pull/3862/files
package-linux-cross:
name: Linux cross-compile builds
needs: build
runs-on: ubuntu-18.04
timeout-minutes: 15
strategy:
matrix:
include:
- prefix: aarch64-linux-gnu
arch: arm64
- prefix: arm-linux-gnueabihf
arch: armv7l
env:
AR: ${{ format('{0}-ar', matrix.prefix) }}
CC: ${{ format('{0}-gcc', matrix.prefix) }}
CXX: ${{ format('{0}-g++', matrix.prefix) }}
LINK: ${{ format('{0}-g++', matrix.prefix) }}
NPM_CONFIG_ARCH: ${{ matrix.arch }}
NODE_VERSION: v14.17.4
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install Node.js v14
uses: actions/setup-node@v3
with:
node-version: "14"
- name: Install nfpm
run: |
curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Install cross-compiler
run: sudo apt update && sudo apt install $PACKAGE
env:
PACKAGE: ${{ format('g++-{0}', matrix.prefix) }}
- name: Download npm package
uses: actions/download-artifact@v3
with:
name: npm-package
- name: Decompress npm package
run: tar -xzf package.tar.gz
- name: Build standalone release
run: yarn release:standalone
- name: Replace node with cross-compile equivalent
run: |
wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz
tar -xf node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}/bin/node --strip-components=2
mv ./node ./release-standalone/lib/node
- name: Build packages with nfpm
run: yarn package ${NPM_CONFIG_ARCH}
- name: Upload release artifacts
uses: actions/upload-artifact@v3
with:
name: release-packages
path: ./release-packages
package-macos-amd64:
name: x86-64 macOS build
needs: build
runs-on: macos-latest
timeout-minutes: 15
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install Node.js v14
uses: actions/setup-node@v3
with:
node-version: "14"
- name: Install nfpm
run: |
curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b ~/.local/bin v2.3.1
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Download npm package
uses: actions/download-artifact@v3
with:
name: npm-package
- name: Decompress npm package
run: tar -xzf package.tar.gz
- name: Build standalone release
run: yarn release:standalone
- name: Sanity test standalone release
run: yarn test:standalone-release
- name: Build packages with nfpm
run: yarn package
- name: Upload release artifacts
uses: actions/upload-artifact@v3
with:
name: release-packages
path: ./release-packages
test-e2e:
name: End-to-end tests
needs: package-linux-amd64
runs-on: ubuntu-latest
timeout-minutes: 15
env:
# Since we build code-server we might as well run tests from the release
# since VS Code will load faster due to the bundling.
CODE_SERVER_TEST_ENTRY: "./release-packages/code-server-linux-amd64"
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
submodules: true
- name: Install Node.js v14
uses: actions/setup-node@v3
with:
node-version: "14"
- name: Fetch dependencies from cache
id: cache-yarn
uses: actions/cache@v2
with:
path: "**/node_modules"
key: yarn-build-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
yarn-build-
- name: Download release packages
uses: actions/download-artifact@v3
with:
name: release-packages
path: ./release-packages
- name: Untar code-server release
run: |
cd release-packages
tar -xzf code-server*-linux-amd64.tar.gz
mv code-server*-linux-amd64 code-server-linux-amd64
- name: Install dependencies
if: steps.cache-yarn.outputs.cache-hit != 'true'
run: yarn --frozen-lockfile
- name: Install Playwright OS dependencies
run: |
./test/node_modules/.bin/playwright install-deps
./test/node_modules/.bin/playwright install
- name: Run end-to-end tests
run: yarn test:e2e
- name: Upload test artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: failed-test-videos
path: ./test/test-results
- name: Remove release packages and test artifacts
run: rm -rf ./release-packages ./test/test-results
trivy-scan-repo:
runs-on: ubuntu-20.04
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18
with:
scan-type: "fs"
scan-ref: "."
ignore-unfixed: true
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-repo-results.sarif"
severity: "HIGH,CRITICAL"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: "trivy-repo-results.sarif"