Merge branch 'coder:main' into master

Author: TinLe

.github/CODEOWNERS

@@ -3,3 +3,5 @@
 ci/helm-chart/ @Matthew-Beckett @alexgorbatchev
 
 docs/install.md @GNUxeava
+
+src/node/i18n/locales/zh-cn.json @zhaozhiming

.github/dependabot.yaml

@@ -0,0 +1,31 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    labels: []
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    commit-message:
+      prefix: "chore"
+    labels: []
+    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch
+      # Ignore major updates to Node.js types, because they need to
+      # correspond to the Node.js engine version
+      - dependency-name: "@types/node"
+        update-types:
+          - version-update:semver-major

.github/workflows/build.yaml

@@ -139,6 +139,18 @@ jobs:
         if: steps.changed-files.outputs.any_changed == 'true'
         run: yarn lint:ts
 
+  lint-actions:
+    name: Lint GitHub Actions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+      - name: Check workflow files
+        run: |
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash)
+          ./actionlint -color -shellcheck= -ignore "set-output"
+        shell: bash
+
   test-unit:
     name: Run unit tests
     runs-on: ubuntu-20.04
@@ -271,65 +283,6 @@ jobs:
           name: npm-package
           path: ./package.tar.gz
 
-  npm:
-    name: Publish npm package
-    # the npm-package gets uploaded as an artifact in Build
-    # so we need that to complete before this runs
-    needs: build
-    # This environment "npm" requires someone from
-    # coder/code-server-reviewers to approve the PR before this job runs.
-    environment: npm
-    # Only run if PR comes from base repo or event is not a PR
-    # Reason: forks cannot access secrets and this will always fail
-    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-
-      - name: Download artifact
-        uses: actions/download-artifact@v3
-        id: download
-        with:
-          name: "npm-package"
-          path: release-npm-package
-
-      - name: Run ./ci/steps/publish-npm.sh
-        run: yarn publish:npm
-        env:
-          # NOTE@jsjoeio
-          # This is because npm enforces semantic versioning
-          # so it has to be a valid version. We only use this
-          # to publish dev versions from prs
-          # and beta versions from main.
-          VERSION: "0.0.0"
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          # NOTE@jsjoeio
-          # NPM_ENVIRONMENT intentionally not set here.
-          # Instead, itis determined in publish-npm.sh script
-          # using GITHUB environment variables
-
-      - name: Comment npm information
-        uses: marocchino/sticky-pull-request-comment@v2
-        with:
-          GITHUB_TOKEN: ${{ github.token }}
-          header: npm-dev-build
-          message: |
-            ✨ code-server dev build published to npm for PR #${{ github.event.number }}!
-            * _Last publish status_: success
-            * _Commit_: ${{ github.event.pull_request.head.sha }}
-
-            To install in a local project, run:
-            ```shell-session
-            npm install @coder/code-server-pr@${{ github.event.number }}
-            ```
-
-            To install globally, run:
-            ```shell-session
-            npm install -g @coder/code-server-pr@${{ github.event.number }}
-            ```
-
   test-e2e:
     name: Run e2e tests
     needs: build
@@ -443,7 +396,7 @@ jobs:
         if: steps.caddy-cache.outputs.cache-hit != 'true'
         run: |
           gh release download v2.5.2 --repo caddyserver/caddy --pattern "caddy_2.5.2_linux_amd64.tar.gz"
-          mkdir -p ~/.cache/caddy 
+          mkdir -p ~/.cache/caddy
           tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy
 
       - name: Start Caddy

.github/workflows/docs-preview.yaml

@@ -29,6 +29,12 @@ jobs:
       - name: Checkout code-server
         uses: actions/checkout@v3
 
+      - name: Install Node.js v16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+          cache: "yarn"
+
       - name: Download npm package from release artifacts
         uses: robinraju/[email protected]
         with:
@@ -141,7 +147,7 @@ jobs:
           VERSION: ${{ env.VERSION }}
         run: |
           git checkout -b update-version-${{ env.VERSION }}
-          git add . 
+          git add .
           git commit -m "chore: updating version to ${{ env.VERSION }}"
           git push -u origin $(git branch --show)
           gh pr create --repo coder/code-server-aur --title "chore: bump version to ${{ env.VERSION }}" --body "PR opened by @$GITHUB_ACTOR" --assignee $GITHUB_ACTOR
@@ -186,7 +192,7 @@ jobs:
           out-file-path: "release-packages"
 
       - name: Publish to Docker
-        run: yarn publish:docker
+        run: ./ci/steps/docker-buildx-push.sh
         env:
           VERSION: ${{ env.VERSION }}
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/publish.yaml

@@ -65,7 +65,7 @@ jobs:
           fetch-depth: 0
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        uses: aquasecurity/trivy-action@cff3e9a7f62c41dd51975266d0ae235709e39c41
         with:
           scan-type: "fs"
           scan-ref: "."

.github/workflows/security.yaml

@@ -51,7 +51,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        uses: aquasecurity/trivy-action@cff3e9a7f62c41dd51975266d0ae235709e39c41
         with:
           image-ref: "docker.io/codercom/code-server:latest"
           ignore-unfixed: true

.github/workflows/trivy-docker.yaml

@@ -20,6 +20,31 @@ Code v99.99.999
 
 -->
 
+## [4.10.1](https://github.com/coder/code-server/releases/tag/v4.10.1) - 2023-03-04
+
+Code v1.75.1
+
+### Security
+
+Added an origin check to web sockets to prevent cross-site hijacking attacks on
+users using older or niche browser that do not support SameSite cookies and
+attacks across sub-domains that share the same root domain.
+
+The check requires the host header to be set so if you use a reverse proxy
+ensure it forwards that information otherwise web sockets will be blocked.
+
+## [4.10.0](https://github.com/coder/code-server/releases/tag/v4.10.0) - 2023-02-15
+
+Code v1.75.1
+
+### Changed
+
+- Updated to Code 1.75.1
+
+### Removed
+
+- Removed `--link` (was deprecated over thirteen months ago in 4.0.1).
+
 ## [4.9.1](https://github.com/coder/code-server/releases/tag/v4.9.1) - 2022-12-15
 
 Code v1.73.1

CHANGELOG.md

@@ -14,22 +14,6 @@ main() {
     sed -i.bak "1s;^;#!/usr/bin/env node\n;" out/node/entry.js && rm out/node/entry.js.bak
     chmod +x out/node/entry.js
   fi
-
-  # for arch; we do not use OS from lib.sh and get our own.
-  # lib.sh normalizes macos to darwin - but cloud-agent's binaries do not
-  source ./ci/lib.sh
-  OS="$(uname | tr '[:upper:]' '[:lower:]')"
-
-  mkdir -p ./lib
-
-  if ! [ -f ./lib/coder-cloud-agent ]; then
-    echo "Downloading the cloud agent..."
-
-    set +e
-    curl -fsSL "https://github.com/coder/cloud-agent/releases/latest/download/cloud-agent-$OS-$ARCH" -o ./lib/coder-cloud-agent
-    chmod +x ./lib/coder-cloud-agent
-    set -e
-  fi
 }
 
 main "$@"

ci/build/build-code-server.sh

@@ -63,8 +63,6 @@ EOF
 
   if [ "$KEEP_MODULES" = 1 ]; then
     rsync node_modules/ "$RELEASE_PATH/node_modules"
-    mkdir -p "$RELEASE_PATH/lib"
-    rsync ./lib/coder-cloud-agent "$RELEASE_PATH/lib"
   fi
 }
 

ci/build/build-release.sh

@@ -1,18 +1,8 @@
 #!/usr/bin/env sh
 set -eu
 
-# Copied from ../lib.sh.
-arch() {
-  cpu="$(uname -m)"
-  case "$cpu" in
-    aarch64) cpu=arm64 ;;
-    x86_64) cpu=amd64 ;;
-  esac
-  echo "$cpu"
-}
-
-# Copied from ../lib.sh except we do not rename Darwin since the cloud agent
-# uses "darwin" in the release names and we do not need to detect Alpine.
+# Copied from ../lib.sh except we do not rename Darwin and we do not need to
+# detect Alpine.
 os() {
   osname=$(uname | tr '[:upper:]' '[:lower:]')
   case $osname in
@@ -61,7 +51,6 @@ symlink_bin_script() {
   cd "$oldpwd"
 }
 
-ARCH="${NPM_CONFIG_ARCH:-$(arch)}"
 OS="$(os)"
 
 # This is due to an upstream issue with RHEL7/CentOS 7 comptability with node-argon2
@@ -102,14 +91,6 @@ main() {
     ;;
   esac
 
-  mkdir -p ./lib
-
-  if curl -fsSL "https://github.com/coder/cloud-agent/releases/latest/download/cloud-agent-$OS-$ARCH" -o ./lib/coder-cloud-agent; then
-    chmod +x ./lib/coder-cloud-agent
-  else
-    echo "Failed to download cloud agent; --link will not work"
-  fi
-
   if ! vscode_install; then
     echo "You may not have the required dependencies to build the native modules."
     echo "Please see https://github.com/coder/code-server/blob/main/docs/npm.md"

ci/build/npm-postinstall.sh

@@ -1,4 +1,4 @@
-import { spawn, fork, ChildProcess } from "child_process"
+import { spawn, ChildProcess } from "child_process"
 import * as path from "path"
 import { onLine, OnLineCallback } from "../../src/node/util"
 
@@ -30,12 +30,13 @@ class Watcher {
 
     // Pass CLI args, save for `node` and the initial script name.
     const args = process.argv.slice(2)
-    this.webServer = fork(path.join(this.rootPath, "out/node/entry.js"), args)
+    this.webServer = spawn("node", [path.join(this.rootPath, "out/node/entry.js"), ...args])
+    onLine(this.webServer, (line) => console.log("[code-server]", line))
     const { pid } = this.webServer
 
-    this.webServer.on("exit", () => console.log("[Code Server]", `Web process ${pid} exited`))
+    this.webServer.on("exit", () => console.log("[code-server]", `Web process ${pid} exited`))
 
-    console.log("\n[Code Server]", `Spawned web server process ${pid}`)
+    console.log("\n[code-server]", `Spawned web server process ${pid}`)
   }
 
   //#endregion
@@ -82,21 +83,21 @@ class Watcher {
   private parseVSCodeLine: OnLineCallback = (strippedLine, originalLine) => {
     if (!strippedLine.length) return
 
-    console.log("[VS Code]", originalLine)
+    console.log("[Code OSS]", originalLine)
 
     if (strippedLine.includes("Finished compilation with")) {
-      console.log("[VS Code] ✨ Finished compiling! ✨", "(Refresh your web browser ♻️)")
+      console.log("[Code OSS] ✨ Finished compiling! ✨", "(Refresh your web browser ♻️)")
       this.reloadWebServer()
     }
   }
 
   private parseCodeServerLine: OnLineCallback = (strippedLine, originalLine) => {
     if (!strippedLine.length) return
 
-    console.log("[Compiler][Code Server]", originalLine)
+    console.log("[Compiler][code-server]", originalLine)
 
     if (strippedLine.includes("Watching for file changes")) {
-      console.log("[Compiler][Code Server]", "Finished compiling!", "(Refresh your web browser ♻️)")
+      console.log("[Compiler][code-server]", "Finished compiling!", "(Refresh your web browser ♻️)")
       this.reloadWebServer()
     }
   }

ci/dev/watch.ts

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.4.1
+version: 3.6.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.9.1
+appVersion: 4.10.1