chore: install dogfood image tooling via mise.toml (#25282)

This PR replaces the hand-rolled `curl | tar | go install | cargo
install` chains in the dogfood Ubuntu 22.04 and 26.04 Dockerfiles with a
single `mise install` driven by a new repo-root `mise.toml`.

The previous Dockerfiles installed ~25 CLIs across three multi-stage
builds with versions hardcoded inline. Version bumps were scattered
across the Dockerfiles, the root `mise.toml` (added in #24618 but
otherwise unused at runtime), and CI's setup actions; build-time network
failures came from a dozen distinct endpoints; and `mise` itself sat in
the image with no manifest to install from.

The new flow:

- The repo's `mise.toml` is the single source of truth for image tool
versions. The Dockerfiles `COPY` it to `/etc/mise/config.toml` and run a
single `mise install` as the `coder` user.
- Tools are installed into `/opt/mise/data` rather than the default
`/home/coder/.local/share/mise`, so they live in the image (not on the
persistent home volume) and reach every workspace on recreate.
- Build context moves to the repo root so the Dockerfile can `COPY
mise.toml`; an allowlist `.dockerignore` keeps the transferred context
to ~24 kB.
- Optional `--secret id=github_token` plumbing through the Makefile and
`.github/workflows/dogfood.yaml` lifts aqua's GitHub API quota from
60/hr unauthenticated to 1000/hr with `secrets.GITHUB_TOKEN`.
- `MISE_TRUSTED_CONFIG_PATHS=/home/coder:/etc/mise` is set as an ENV so
users who clone the coder repo into their workspace home aren't prompted
to `mise trust`.

Net diff for the two Ubuntu Dockerfiles: -399 / +244 lines (~200 lines
shorter each). The `FROM rust-utils`, `FROM go`, and `FROM proto`
multi-stage builds are gone; so are the NVM/Node block, the bulk
binary-install block (golangci-lint, helm, kubectx, syft, cosign, bun),
the gh `.deb`/lazygit/doctl tarball installs, the gofmt
`update-alternatives` line, and the `yq`→`yq4` rename
(`scripts/lib.sh:267-275` already auto-detects either name).

Both images were built and smoke-tested with Apple's `container` CLI on
macOS — every migrated tool resolves to the expected pinned version
including outside the cloned coder repo (e.g. `gh` from `/home/coder`,
matching the workspace startup script in `dogfood/coder/main.tf`),
`sqlc` runs (proving `CGO_ENABLED=1` was honoured at install), `yq
--version` reports v4 for `scripts/lib.sh`'s detection, and `gofmt`
resolves via the mise shim.

Follow-ups (out of scope here):

- Commit a multi-platform `mise.lock` so `gh = "latest"` and the other
floating versions resolve deterministically across rebuilds and dev
machines.
- Migrate CI's `setup-go` / `setup-node` actions to consume `mise.toml`
so image and CI versions stop being able to drift.

---------

Signed-off-by: Thomas Kosiewski <tk@coder.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thomas Kosiewski
2026-05-15 11:36:22 +02:00
committed by GitHub
parent 07be354683
commit 5f9b3220b5
11 changed files with 867 additions and 407 deletions
+28 -4
@@ -1,4 +1,28 @@
# All artifacts of the build processed are dumped here.
# Ignore it for docker context, as all Dockerfiles should build their own
# binaries.
build
# This file controls what docker/BuildKit may send to the daemon when
# the build context is the repository root. Today only the dogfood
# images at dogfood/coder/ubuntu-{22,26}.04/Dockerfile use the repo
# root as context; other docker builds in this repo (scripts/Dockerfile,
# scripts/Dockerfile.base, scripts/ironbank/Dockerfile) cd into a
# temporary directory and have their own contexts.
#
# We use an allowlist so the context stays small and predictable, and
# new top-level files added to the repo do not silently inflate every
# dogfood image build (depot.dev uploads the context over the network).
# Exclude everything by default; only the paths that the dogfood
# Dockerfiles actually consume are re-included below. Re-including a
# file under a directory requires re-including the directory itself.
**
# Re-allow paths the dogfood Dockerfiles consume.
!mise.toml
!mise.lock
!dogfood
!dogfood/coder
!dogfood/coder/ubuntu-22.04
!dogfood/coder/ubuntu-22.04/configure-chrome-flags.sh
!dogfood/coder/ubuntu-22.04/files
!dogfood/coder/ubuntu-22.04/files/**
!dogfood/coder/ubuntu-26.04
!dogfood/coder/ubuntu-26.04/files
!dogfood/coder/ubuntu-26.04/files/**
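Review bot: `!mise.lock` is re-allowed here and the Dockerfile does `COPY --chmod=0644 mise.lock /etc/mise/mise.lock`, but the commit message lists committing `mise.lock` as a follow-up that is out of scope. If the lockfile is not in the tree at this commit the COPY fails the build, so either confirm it ships with this change or drop the follow-up bullet. It would also help to say in the header comment that every new `COPY` source in the dogfood Dockerfiles needs a matching `!` line here, since a missing entry only shows up as a build-time "not found".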
+21 -3
@@ -179,13 +179,20 @@ jobs:
- name: Get golangci-lint cache dir
run: |
linter_ver=$(grep -Eo 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/ubuntu-26.04/Dockerfile | cut -d '=' -f 2)
# mise.toml is the source of truth for tool versions baked into
# the dogfood image; pull the same version for the lint job.
linter_ver=$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/')
./.github/scripts/retry.sh -- go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver"
dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }')
echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV"
- name: golangci-lint cache
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
# Cache split into restore + conditional save to avoid letting PR
# runs populate a cache that other branches restore from (the
# zizmor `cache-poisoning` concern). Only pushes to the default
# branch may write the cache; PRs may only read it.
- name: Restore golangci-lint cache
id: golangci-lint-cache
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: |
${{ env.LINT_CACHE_DIR }}
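Review bot: the new `linter_ver=$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed ...)` line has no check for an empty or non-numeric result. If the key is ever indented, quoted, moved into an inline table or given a floating value, `go install ...@v$linter_ver` runs with `@v` or `@vlatest` and fails with an error that does not point at mise.toml. Add a guard before the install, for example `[ -n "$linter_ver" ] || { echo "golangci-lint version not found in mise.toml" >&2; exit 1; }`.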
@@ -231,6 +238,17 @@ jobs:
- name: make lint
run: make --output-sync=line -j lint
- name: Save golangci-lint cache
# Only the default branch is trusted to write the cache, so PR
# runs cannot poison the cache that subsequent runs restore from.
# Skip when the cache already had an exact key hit (no new content).
if: github.ref == 'refs/heads/main' && steps.golangci-lint-cache.outputs.cache-hit != 'true'
uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: |
${{ env.LINT_CACHE_DIR }}
key: ${{ steps.golangci-lint-cache.outputs.cache-primary-key }}
- name: Check workflow files
run: |
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.4
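Review bot: the Save step's `if:` checks only `github.ref == 'refs/heads/main'`, while the comment above the restore step promises that only pushes to the default branch may write the cache. `github.ref` is also `refs/heads/main` for other events that run against main (scheduled or manually dispatched runs, and `pull_request_target` if this workflow ever gains that trigger), so add `github.event_name == 'push'` to the condition to make it match the stated guarantee.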
+16 -2
@@ -102,7 +102,14 @@ jobs:
project: b4q6ltmpzh
token: ${{ secrets.DEPOT_TOKEN }}
buildx-fallback: true
context: "{{defaultContext}}:dogfood/coder/ubuntu-22.04"
# Context is the repo root so the Dockerfile can COPY the
# project mise.toml that the image installs from. The
# github_token secret raises aqua's GitHub API quota during
# `mise install`.
context: "{{defaultContext}}"
file: dogfood/coder/ubuntu-22.04/Dockerfile
secrets: |
github_token=${{ secrets.GITHUB_TOKEN }}
pull: true
save: true
push: ${{ github.ref == 'refs/heads/main' }}
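Review bot: `github_token=${{ secrets.GITHUB_TOKEN }}` hands the job token to every build, including runs where `push:` evaluates to false, and its only stated purpose is raising aqua's API quota. Check that this job's `permissions:` are read-only for that purpose, and extend the comment to say the Dockerfile must consume the secret only through `--mount=type=secret` so it never ends up in a layer, an `ARG` or an `ENV`.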
@@ -118,7 +125,14 @@ jobs:
project: b4q6ltmpzh
token: ${{ secrets.DEPOT_TOKEN }}
buildx-fallback: true
context: "{{defaultContext}}:dogfood/coder/ubuntu-26.04"
# Context is the repo root so the Dockerfile can COPY the
# project mise.toml that the image installs from. The
# github_token secret raises aqua's GitHub API quota during
# `mise install`.
context: "{{defaultContext}}"
file: dogfood/coder/ubuntu-26.04/Dockerfile
secrets: |
github_token=${{ secrets.GITHUB_TOKEN }}
pull: true
save: true
push: ${{ github.ref == 'refs/heads/main' }}
-3
@@ -1,7 +1,4 @@
rules:
cache-poisoning:
ignore:
- "ci.yaml:188"
dangerous-triggers:
ignore:
# Both workflows use pull_request_target intentionally: they need
+1 -1
@@ -745,7 +745,7 @@ lint/ts: site/node_modules/.installed
.PHONY: lint/ts
lint/go:
linter_ver=$$(grep -oE 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/ubuntu-26.04/Dockerfile | cut -d '=' -f 2)
linter_ver=$$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/')
go run github.com/golangci/golangci-lint/cmd/golangci-lint@v$$linter_ver run
go tool github.com/coder/paralleltestctx/cmd/paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./...
go run ./scripts/intxcheck ./...
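Review bot: this `grep | sed` extraction of the golangci-lint version in `lint/go` is now duplicated with the "Get golangci-lint cache dir" step in the CI workflow, and both hardcode the `v` prefix and the exact `key = "value"` layout of mise.toml. Move it into one small script that exits non-zero when the version is empty, and call that from both places so the two cannot drift.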
+29 -2
@@ -3,15 +3,42 @@
# tag names.
build_tag ?= $(shell git rev-parse --abbrev-ref HEAD | sed "s/\\//-/")
# The Dockerfiles consume the repo root as build context so they can
# reach the project mise.toml. Each variant still tracks its own
# files/ tree under dogfood/coder/ubuntu-<release>/.
REPO_ROOT := $(shell git rev-parse --show-toplevel)
# Mise's aqua backend exhausts GitHub's unauthenticated API quota
# quickly. Plumb a token through to the mise install layer when one
# is available. Two equivalent ways to supply it:
# GITHUB_TOKEN=ghp_... - taken straight from the environment
# (matches GitHub Actions, where
# secrets.GITHUB_TOKEN is auto-provided)
# GITHUB_TOKEN_FILE=/path - read the token from a file
# If neither is set the build still runs but may hit 403s.
ifneq ($(GITHUB_TOKEN_FILE),)
docker_secret_arg := --secret id=github_token,src="$(GITHUB_TOKEN_FILE)"
else ifneq ($(GITHUB_TOKEN),)
docker_secret_arg := --secret id=github_token,env=GITHUB_TOKEN
endif
build: build-ubuntu-22.04 build-ubuntu-26.04
.PHONY: build
build-ubuntu-22.04:
(cd ubuntu-22.04/ && DOCKER_BUILDKIT=1 docker build . -t "codercom/oss-dogfood:22.04-$(build_tag)")
DOCKER_BUILDKIT=1 docker build \
-f dogfood/coder/ubuntu-22.04/Dockerfile \
-t "codercom/oss-dogfood:22.04-$(build_tag)" \
$(docker_secret_arg) \
"$(REPO_ROOT)"
.PHONY: build-ubuntu-22.04
build-ubuntu-26.04:
(cd ubuntu-26.04/ && DOCKER_BUILDKIT=1 docker build . -t "codercom/oss-dogfood:26.04-$(build_tag)")
DOCKER_BUILDKIT=1 docker build \
-f dogfood/coder/ubuntu-26.04/Dockerfile \
-t "codercom/oss-dogfood:26.04-$(build_tag)" \
$(docker_secret_arg) \
"$(REPO_ROOT)"
.PHONY: build-ubuntu-26.04
push: push-ubuntu-22.04 push-ubuntu-26.04
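Review bot: `docker_secret_arg` is only assigned inside the `ifneq`/`else ifneq` branches, so when neither `GITHUB_TOKEN_FILE` nor `GITHUB_TOKEN` is set, make falls back to any `docker_secret_arg` found in the caller's environment and passes it straight to `docker build`. Add an empty `docker_secret_arg :=` before the conditional. The comment should also state that `GITHUB_TOKEN_FILE` wins when both are set, since the two are described as equivalent.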
+51 -191
@@ -1,88 +1,3 @@
# 1.93.1
FROM rust:slim@sha256:cf09adf8c3ebaba10779e5c23ff7fe4df4cccdab8a91f199b0c142c53fef3e1a AS rust-utils
# Install rust helper programs
ENV CARGO_INSTALL_ROOT=/tmp/
# Use more reliable mirrors for Debian packages
RUN sed -i 's|http://deb.debian.org/debian|http://mirrors.edge.kernel.org/debian|g' /etc/apt/sources.list && \
apt-get update || true
RUN apt-get update && apt-get install -y libssl-dev openssl pkg-config build-essential
RUN cargo install jj-cli typos-cli watchexec-cli
FROM ubuntu:jammy@sha256:eb29ed27b0821dca09c2e28b39135e185fc1302036427d5f4d70a41ce8fd7659 AS go
# Install Go manually, so that we can control the version
ARG GO_VERSION=1.26.2
ARG GO_CHECKSUM="990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282"
# Boring Go is needed to build FIPS-compliant binaries.
RUN apt-get update && \
apt-get install --yes curl && \
curl --silent --show-error --location \
"https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
-o /usr/local/go.tar.gz && \
echo "$GO_CHECKSUM /usr/local/go.tar.gz" | sha256sum -c && \
rm -rf /var/lib/apt/lists/*
ENV PATH=$PATH:/usr/local/go/bin
ARG GOPATH="/tmp/"
# Install Go utilities.
RUN apt-get update && \
apt-get install --yes gcc libc6-dev && \
mkdir --parents /usr/local/go && \
tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1 && \
mkdir --parents "$GOPATH" && \
go env -w GOSUMDB=sum.golang.org && \
# swag for Swagger doc generation
go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \
# goimports for updating imports
go install golang.org/x/tools/cmd/goimports@v0.41.0 && \
# protoc-gen-go is needed to build sysbox from source
go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30.0 && \
# drpc support for v2
go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34 && \
# migrate for migration support for v2
go install github.com/golang-migrate/migrate/v4/cmd/migrate@v4.15.1 && \
# Install the latest version of gopls for editors that support
# the language server protocol (v0.21.0+ required for Go 1.25)
go install golang.org/x/tools/gopls@v0.21.0 && \
# gotestsum makes test output more readable
go install gotest.tools/gotestsum@v1.9.0 && \
# sqlc for Go code generation
# Switched to coder/sqlc fork to fix ambiguous column bug, see:
# - https://github.com/coder/sqlc/pull/1
# - https://github.com/sqlc-dev/sqlc/pull/4159
(CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@337309bfb9524f38466a5090e310040fc7af0203) && \
# ruleguard for checking custom rules, without needing to run all of
# golangci-lint. Check the go.mod in the release of golangci-lint that
# we're using for the version of go-critic that it embeds, then check
# the version of ruleguard in go-critic for that tag.
go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@v0.3.13 && \
# shfmt for shell script formatting
go install mvdan.cc/sh/v3/cmd/shfmt@v3.12.0 && \
# nfpm is used with `make build` to make release packages
go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 && \
# yq v4 for processing YAML files (renamed to yq4 for scripts/lib.sh).
go install github.com/mikefarah/yq/v4@v4.44.3 && \
mv /tmp/bin/yq /tmp/bin/yq4 && \
# mockgen for generating mocks (v0.6.0+ required for Go 1.25)
go install go.uber.org/mock/mockgen@v0.6.0 && \
# Reduce image size.
apt-get remove --yes gcc && \
apt-get autoremove --yes && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /usr/local/go && \
rm -rf /tmp/go/pkg && \
rm -rf /tmp/go/src
# alpine:3.18
FROM us-docker.pkg.dev/coder-v2-images-public/public/alpine@sha256:fd032399cd767f310a1d1274e81cab9f0fd8a49b3589eba2c3420228cd45b6a7 AS proto
WORKDIR /tmp
RUN apk add curl unzip
RUN curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip && \
unzip protoc.zip && \
rm protoc.zip
FROM ubuntu:jammy@sha256:eb29ed27b0821dca09c2e28b39135e185fc1302036427d5f4d70a41ce8fd7659
SHELL ["/bin/bash", "-c"]
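Review bot: the stages deleted at the top of this file carried explicit integrity pins: `GO_CHECKSUM` verified with `sha256sum -c`, and sqlc built from a fixed commit of the `coder/sqlc` fork with `CGO_ENABLED=1`. Nothing visible in this diff shows the mise.toml or mise.lock entries that replace them, so please confirm that the lockfile records checksums for go and that the sqlc entry keeps the same commit and CGO setting. A floating or unchecked entry would be a regression from what this hunk removes.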
@@ -101,7 +16,7 @@ RUN apt-get update && \
locale-gen && \
yes | unminimize
COPY files /
COPY dogfood/coder/ubuntu-22.04/files /
# We used to copy /etc/sudoers.d/* in from files/ but this causes issues with
# permissions and layer caching. Instead, create the file directly.
@@ -194,7 +109,7 @@ RUN sed -i 's|http://archive.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/u
# Docker containers.
# configure-chrome-flags.sh is automatically run after dpkg operations
# by dogfood/coder/files/etc/apt/apt.conf.d/99-chrome-flags.
COPY configure-chrome-flags.sh /usr/local/bin/configure-chrome-flags.sh
COPY dogfood/coder/ubuntu-22.04/configure-chrome-flags.sh /usr/local/bin/configure-chrome-flags.sh
RUN chmod a+x /usr/local/bin/configure-chrome-flags.sh && \
wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \
apt-get install --yes ./google-chrome-stable_current_amd64.deb && \
@@ -208,60 +123,20 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
sh -s -- -y --default-toolchain stable --profile default -c rust-src
ENV PATH=$CARGO_HOME/bin:$PATH
# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.15.2.
# Installing the same version here to match.
RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_amd64.zip" && \
unzip /tmp/terraform.zip -d /usr/local/bin && \
rm -f /tmp/terraform.zip && \
chmod +x /usr/local/bin/terraform && \
terraform --version
# Install the docker buildx component.
RUN DOCKER_BUILDX_VERSION=$(curl -s "https://api.github.com/repos/docker/buildx/releases/latest" | grep '"tag_name":' | sed -E 's/.*"(v[^"]+)".*/\1/') && \
mkdir -p /usr/local/lib/docker/cli-plugins && \
curl -Lo /usr/local/lib/docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${DOCKER_BUILDX_VERSION}/buildx-${DOCKER_BUILDX_VERSION}.linux-amd64" && \
chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx
# See https://github.com/cli/cli/issues/6175#issuecomment-1235984381 for proof
# the apt repository is unreliable
# GitHub CLI to /usr/bin/gh. The wrapper at files/usr/local/bin/gh
# execs this for coder external-auth fallback. Apt repo is unreliable:
# https://github.com/cli/cli/issues/6175#issuecomment-1235984381
RUN GH_CLI_VERSION=$(curl -s "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \
curl -L https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.deb -o gh.deb && \
dpkg -i gh.deb && \
rm gh.deb
# Install Lazygit
# See https://github.com/jesseduffield/lazygit#ubuntu
RUN LAZYGIT_VERSION=$(curl -s "https://api.github.com/repos/jesseduffield/lazygit/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v*([^"]+)".*/\1/') && \
curl -Lo lazygit.tar.gz "https://github.com/jesseduffield/lazygit/releases/latest/download/lazygit_${LAZYGIT_VERSION}_Linux_x86_64.tar.gz" && \
tar xf lazygit.tar.gz -C /usr/local/bin lazygit && \
rm lazygit.tar.gz
# Install doctl
# See https://docs.digitalocean.com/reference/doctl/how-to/install
RUN DOCTL_VERSION=$(curl -s "https://api.github.com/repos/digitalocean/doctl/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \
curl -L https://github.com/digitalocean/doctl/releases/download/v${DOCTL_VERSION}/doctl-${DOCTL_VERSION}-linux-amd64.tar.gz -o doctl.tar.gz && \
tar xf doctl.tar.gz -C /usr/local/bin doctl && \
rm doctl.tar.gz
ARG NVM_INSTALL_SHA=bdea8c52186c4dd12657e77e7515509cda5bf9fa5a2f0046bce749e62645076d
# Install frontend utilities
ENV NVM_DIR=/usr/local/nvm
ENV NODE_VERSION=22.19.0
RUN mkdir -p $NVM_DIR
RUN curl -o nvm_install.sh https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh && \
echo "${NVM_INSTALL_SHA} nvm_install.sh" | sha256sum -c && \
bash nvm_install.sh && \
rm nvm_install.sh
RUN source $NVM_DIR/nvm.sh && \
nvm install $NODE_VERSION && \
nvm use $NODE_VERSION
ENV PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
RUN corepack enable && \
corepack prepare npm@10.8.1 --activate && \
corepack prepare pnpm@10.33.2 --activate
RUN pnpx playwright@1.47.0 install --with-deps chromium
# Ensure PostgreSQL binaries are in the users $PATH.
RUN update-alternatives --install /usr/local/bin/initdb initdb /usr/lib/postgresql/16/bin/initdb 100 && \
update-alternatives --install /usr/local/bin/postgres postgres /usr/lib/postgresql/16/bin/postgres 100
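Review bot: the new comment "GitHub CLI to /usr/bin/gh. The wrapper at files/usr/local/bin/gh execs this" implies the gh `.deb` RUN stays, while the commit message says the gh `.deb` install is gone. If it stays, it and the buildx RUN still resolve `releases/latest` from `api.github.com` without a token, a pinned version or a checksum, which is the rate-limit and drift problem this change sets out to remove. Either pin and verify both downloads, or correct the commit message and say in the comment why these two remain outside mise.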
@@ -282,44 +157,6 @@ RUN systemctl enable \
# Workaround for envbuilder cache probing not working unless the filesystem is modified.
touch /tmp/.envbuilder-systemctl-enable-docker-ssh-workaround
# Install tools with published releases, where that is the
# preferred/recommended installation method.
ARG GOLANGCI_LINT_VERSION=1.64.8 \
HELM_VERSION=3.12.0 \
KUBECTX_VERSION=0.9.4 \
SYFT_VERSION=1.20.0 \
COSIGN_VERSION=2.4.3 \
BUN_VERSION=1.2.15 \
MISE_VERSION=v2026.4.19 \
MISE_SHA256=6b58ff5f1e1ce98ed2b7e5372c344ea48182c460e5b6df12d9e0def35aad4438 \
MISE_INSTALL_DIR=/opt/mise/bin
RUN \
# golangci-lint performs static code analysis for our Go code
curl --silent --show-error --location --fail "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" && \
# Helm is necessary for deploying Coder
curl --silent --show-error --location --fail "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \
# kubens and kubectx for managing Kubernetes namespaces and contexts
curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \
curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubens_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- kubens && \
# Anchore Syft for SBOM generation
curl --silent --show-error --location --fail "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- syft && \
# Sigstore Cosign for artifact signing and attestation
curl --silent --show-error --location --fail --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \
chmod a=rx /usr/local/bin/cosign && \
# Install Bun JavaScript runtime to /usr/local/bin
curl --silent --show-error --location --fail "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip" --output /tmp/bun.zip && \
unzip -q /tmp/bun.zip -d /tmp && \
mv /tmp/bun-linux-x64/bun /usr/local/bin/ && \
chmod a=rx /usr/local/bin/bun && \
rm -rf /tmp/bun.zip /tmp/bun-linux-x64 && \
apt-get clean && rm -rf /var/lib/apt/lists/*
# Add coder user and allow use of docker/sudo
RUN useradd coder \
--create-home \
@@ -328,8 +165,13 @@ RUN useradd coder \
--uid=1000 \
--user-group
# Install mise to a stable path outside /home/coder, but keep its target
# directory writable so `mise self-update` can replace the binary as coder.
# Install mise. Binary at /opt/mise/bin so it survives the home
# volume mount; data dir under ~/.local/share/mise so installs ride
# along on the per-workspace home volume, matching Homebrew's pattern
# (see /home/linuxbrew volume in main.tf).
ARG MISE_VERSION=v2026.4.19 \
MISE_SHA256=6b58ff5f1e1ce98ed2b7e5372c344ea48182c460e5b6df12d9e0def35aad4438 \
MISE_INSTALL_DIR=/opt/mise/bin
RUN install --directory --owner=coder --group=coder --mode=0755 "${MISE_INSTALL_DIR}" && \
curl --silent --show-error --location --fail \
"https://github.com/jdx/mise/releases/download/${MISE_VERSION}/mise-${MISE_VERSION}-linux-x64" \
@@ -341,6 +183,42 @@ RUN install --directory --owner=coder --group=coder --mode=0755 "${MISE_INSTALL_
test -x /usr/local/bin/mise && \
sudo --login --user=coder /bin/bash -lc 'set -euo pipefail && mise_bin="$(readlink --canonicalize /usr/local/bin/mise)" && test -w "$(dirname "$mise_bin")" && /usr/local/bin/mise --version && /usr/local/bin/mise self-update --help >/dev/null && /usr/local/bin/mise upgrade --help >/dev/null'
# Trusted paths skip mise's per-config trust prompt for the baked-in
# system config and the coder repo when cloned at the canonical
# /home/coder/coder location. Other repos a user clones still get
# the one-time `mise trust` prompt; pre-trusting all of /home/coder
# would let any mise.toml under the home dir auto-run [hooks]/[tasks].
ENV MISE_DATA_DIR=/home/coder/.local/share/mise \
MISE_TRUSTED_CONFIG_PATHS=/home/coder/coder:/etc/mise
# Bake the project manifest in as mise's system config and ship
# the lockfile alongside it so mise verifies download checksums
# during install. We do NOT override MISE_GLOBAL_CONFIG_FILE; that
# would re-target `mise use --global` away from the user's
# ~/.config/mise/config.toml (on the home volume) into this
# image-only path, breaking the workflow.
#
# We pre-create /etc/mise as 0755 because COPY's implicitly-created
# parent dirs inherit the --chmod, which would leave /etc/mise
# without the `x` bit and unreachable to the coder user.
RUN install --directory --mode=0755 /etc/mise
COPY --chmod=0644 mise.toml /etc/mise/config.toml
COPY --chmod=0644 mise.lock /etc/mise/mise.lock
# Pre-install image tools as coder so they land on the home volume
# layer. Sudo drops env vars, so MISE_* are re-exported via `env`.
# github_token (optional build secret) authenticates aqua's API
# calls; without it builds may hit GitHub's 60/hr unauth limit.
RUN --mount=type=secret,id=github_token,required=false \
gh_token="$(cat /run/secrets/github_token 2>/dev/null || true)" && \
sudo --user=coder env \
"MISE_DATA_DIR=$MISE_DATA_DIR" \
"MISE_TRUSTED_CONFIG_PATHS=$MISE_TRUSTED_CONFIG_PATHS" \
"GITHUB_TOKEN=$gh_token" \
/usr/local/bin/mise install --yes && \
PATH="$MISE_DATA_DIR/shims:$PATH" pnpm dlx playwright@1.47.0 install --with-deps chromium && \
apt-get clean && rm -rf /var/lib/apt/lists/*
# Install Homebrew as the coder user so the supported Linux prefix remains
# writable after the image build.
RUN sudo --login --user=coder env NONINTERACTIVE=1 CI=1 /bin/bash -lc 'set -euo pipefail && curl --silent --show-error --location --fail https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | /bin/bash' && \
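Review bot: this hunk sets `MISE_DATA_DIR=/home/coder/.local/share/mise` and `MISE_TRUSTED_CONFIG_PATHS=/home/coder/coder:/etc/mise`, but the commit message says tools are installed into `/opt/mise/data` so they stay off the persistent home volume, and gives the trusted paths as `/home/coder:/etc/mise`. The narrower trust path matches the comment's own reasoning about `[hooks]`/`[tasks]` and should stay; the data dir needs a decision, because the commit message and the comment removed further down both say that content under `/home/coder` is mounted over by the home volume. Separately, `"GITHUB_TOKEN=$gh_token"` is passed as an argument to `env`, so the token sits in the process arguments for the length of the install and is set to an empty string when the secret is absent; set it only when `$gh_token` is non-empty.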
@@ -352,31 +230,13 @@ RUN echo "PermitUserEnvironment yes" >>/etc/ssh/sshd_config && \
echo "X11Forwarding yes" >>/etc/ssh/sshd_config && \
echo "X11UseLocalhost no" >>/etc/ssh/sshd_config
# We avoid copying the extracted directory since COPY slows to minutes when there
# are a lot of small files.
COPY --from=go /usr/local/go.tar.gz /usr/local/go.tar.gz
RUN mkdir /usr/local/go && \
tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1
ENV PATH=$PATH:/usr/local/go/bin
RUN update-alternatives --install /usr/local/bin/gofmt gofmt /usr/local/go/bin/gofmt 100
COPY --from=go /tmp/bin /usr/local/bin
COPY --from=rust-utils /tmp/bin /usr/local/bin
COPY --from=proto /tmp/bin /usr/local/bin
COPY --from=proto /tmp/include /usr/local/bin/include
USER coder
# Configure Homebrew and mise for the coder user. mise shims must stay first
# so `command -v` and `mise doctor` resolve mise-managed tools ahead of
# Homebrew and system binaries. Note that no go bins are installed in this
# docker file, as they'd be mounted over by the persistent home volume.
# mise shims must lead so `command -v` and `mise doctor` resolve
# mise-managed tools ahead of Homebrew and system binaries.
ENV HOMEBREW_PREFIX="/home/linuxbrew/.linuxbrew" \
HOMEBREW_CELLAR="/home/linuxbrew/.linuxbrew/Cellar" \
HOMEBREW_REPOSITORY="/home/linuxbrew/.linuxbrew/Homebrew" \
MISE_DATA_DIR="/home/coder/.local/share/mise"
HOMEBREW_REPOSITORY="/home/linuxbrew/.linuxbrew/Homebrew"
ENV PATH="${MISE_DATA_DIR}/shims:${HOMEBREW_PREFIX}/bin:${HOMEBREW_PREFIX}/sbin:/home/coder/go/bin:${PATH}"
# Override CARGO_HOME so cargo registry/cache writes go to the coder
+50 -190
@@ -1,88 +1,3 @@
# 1.93.1
FROM rust:slim@sha256:cf09adf8c3ebaba10779e5c23ff7fe4df4cccdab8a91f199b0c142c53fef3e1a AS rust-utils
# Install rust helper programs
ENV CARGO_INSTALL_ROOT=/tmp/
# Use more reliable mirrors for Debian packages
RUN sed -i 's|http://deb.debian.org/debian|http://mirrors.edge.kernel.org/debian|g' /etc/apt/sources.list && \
apt-get update || true
RUN apt-get update && apt-get install -y libssl-dev openssl pkg-config build-essential
RUN cargo install jj-cli typos-cli watchexec-cli
FROM ubuntu:26.04@sha256:5e275723f82c67e387ba9e3c24baa0abdcb268917f276a0561c97bef9450d0b4 AS go
# Install Go manually, so that we can control the version
ARG GO_VERSION=1.26.2
ARG GO_CHECKSUM="990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282"
# Boring Go is needed to build FIPS-compliant binaries.
RUN apt-get update && \
apt-get install --yes curl && \
curl --silent --show-error --location \
"https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
-o /usr/local/go.tar.gz && \
echo "$GO_CHECKSUM /usr/local/go.tar.gz" | sha256sum -c && \
rm -rf /var/lib/apt/lists/*
ENV PATH=$PATH:/usr/local/go/bin
ARG GOPATH="/tmp/"
# Install Go utilities.
RUN apt-get update && \
apt-get install --yes build-essential && \
mkdir --parents /usr/local/go && \
tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1 && \
mkdir --parents "$GOPATH" && \
go env -w GOSUMDB=sum.golang.org && \
# swag for Swagger doc generation
go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \
# goimports for updating imports
go install golang.org/x/tools/cmd/goimports@v0.41.0 && \
# protoc-gen-go is needed to build sysbox from source
go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30.0 && \
# drpc support for v2
go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34 && \
# migrate for migration support for v2
go install github.com/golang-migrate/migrate/v4/cmd/migrate@v4.15.1 && \
# Install the latest version of gopls for editors that support
# the language server protocol (v0.21.0+ required for Go 1.25)
go install golang.org/x/tools/gopls@v0.21.0 && \
# gotestsum makes test output more readable
go install gotest.tools/gotestsum@v1.9.0 && \
# sqlc for Go code generation
# Switched to coder/sqlc fork to fix ambiguous column bug, see:
# - https://github.com/coder/sqlc/pull/1
# - https://github.com/sqlc-dev/sqlc/pull/4159
(CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@337309bfb9524f38466a5090e310040fc7af0203) && \
# ruleguard for checking custom rules, without needing to run all of
# golangci-lint. Check the go.mod in the release of golangci-lint that
# we're using for the version of go-critic that it embeds, then check
# the version of ruleguard in go-critic for that tag.
go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@v0.3.13 && \
# shfmt for shell script formatting
go install mvdan.cc/sh/v3/cmd/shfmt@v3.12.0 && \
# nfpm is used with `make build` to make release packages
go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 && \
# yq v4 for processing YAML files (renamed to yq4 for scripts/lib.sh).
go install github.com/mikefarah/yq/v4@v4.44.3 && \
mv /tmp/bin/yq /tmp/bin/yq4 && \
# mockgen for generating mocks (v0.6.0+ required for Go 1.25)
go install go.uber.org/mock/mockgen@v0.6.0 && \
# Reduce image size.
apt-get remove --yes build-essential && \
apt-get autoremove --yes && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /usr/local/go && \
rm -rf /tmp/go/pkg && \
rm -rf /tmp/go/src
# alpine:3.18
FROM us-docker.pkg.dev/coder-v2-images-public/public/alpine@sha256:fd032399cd767f310a1d1274e81cab9f0fd8a49b3589eba2c3420228cd45b6a7 AS proto
WORKDIR /tmp
RUN apk add curl unzip
RUN curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip && \
unzip protoc.zip && \
rm protoc.zip
FROM ubuntu:26.04@sha256:5e275723f82c67e387ba9e3c24baa0abdcb268917f276a0561c97bef9450d0b4
SHELL ["/bin/bash", "-c"]
@@ -101,7 +16,7 @@ RUN apt-get update && \
locale-gen && \
yes | unminimize
COPY files /
COPY dogfood/coder/ubuntu-26.04/files /
# We used to copy /etc/sudoers.d/* in from files/ but this causes issues with
# permissions and layer caching. Instead, create the file directly.
@@ -215,60 +130,20 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
sh -s -- -y --default-toolchain stable --profile default -c rust-src
ENV PATH=$CARGO_HOME/bin:$PATH
# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.15.2.
# Installing the same version here to match.
RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_amd64.zip" && \
unzip /tmp/terraform.zip -d /usr/local/bin && \
rm -f /tmp/terraform.zip && \
chmod +x /usr/local/bin/terraform && \
terraform --version
# Install the docker buildx component.
RUN DOCKER_BUILDX_VERSION=$(curl -s "https://api.github.com/repos/docker/buildx/releases/latest" | grep '"tag_name":' | sed -E 's/.*"(v[^"]+)".*/\1/') && \
mkdir -p /usr/local/lib/docker/cli-plugins && \
curl -Lo /usr/local/lib/docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${DOCKER_BUILDX_VERSION}/buildx-${DOCKER_BUILDX_VERSION}.linux-amd64" && \
chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx
# See https://github.com/cli/cli/issues/6175#issuecomment-1235984381 for proof
# the apt repository is unreliable
# GitHub CLI to /usr/bin/gh. The wrapper at files/usr/local/bin/gh
# execs this for coder external-auth fallback. Apt repo is unreliable:
# https://github.com/cli/cli/issues/6175#issuecomment-1235984381
RUN GH_CLI_VERSION=$(curl -s "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \
curl -L https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.deb -o gh.deb && \
dpkg -i gh.deb && \
rm gh.deb
# Install Lazygit
# See https://github.com/jesseduffield/lazygit#ubuntu
RUN LAZYGIT_VERSION=$(curl -s "https://api.github.com/repos/jesseduffield/lazygit/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v*([^"]+)".*/\1/') && \
curl -Lo lazygit.tar.gz "https://github.com/jesseduffield/lazygit/releases/latest/download/lazygit_${LAZYGIT_VERSION}_Linux_x86_64.tar.gz" && \
tar xf lazygit.tar.gz -C /usr/local/bin lazygit && \
rm lazygit.tar.gz
# Install doctl
# See https://docs.digitalocean.com/reference/doctl/how-to/install
RUN DOCTL_VERSION=$(curl -s "https://api.github.com/repos/digitalocean/doctl/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \
curl -L https://github.com/digitalocean/doctl/releases/download/v${DOCTL_VERSION}/doctl-${DOCTL_VERSION}-linux-amd64.tar.gz -o doctl.tar.gz && \
tar xf doctl.tar.gz -C /usr/local/bin doctl && \
rm doctl.tar.gz
ARG NVM_INSTALL_SHA=bdea8c52186c4dd12657e77e7515509cda5bf9fa5a2f0046bce749e62645076d
# Install frontend utilities
ENV NVM_DIR=/usr/local/nvm
ENV NODE_VERSION=22.19.0
RUN mkdir -p $NVM_DIR
RUN curl -o nvm_install.sh https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh && \
echo "${NVM_INSTALL_SHA} nvm_install.sh" | sha256sum -c && \
bash nvm_install.sh && \
rm nvm_install.sh
RUN source $NVM_DIR/nvm.sh && \
nvm install $NODE_VERSION && \
nvm use $NODE_VERSION
ENV PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
RUN corepack enable && \
corepack prepare npm@10.8.1 --activate && \
corepack prepare pnpm@10.33.2 --activate
RUN pnpx playwright@1.47.0 install --with-deps chromium
# Ensure PostgreSQL binaries are in the users $PATH.
RUN update-alternatives --install /usr/local/bin/initdb initdb /usr/lib/postgresql/18/bin/initdb 100 && \
update-alternatives --install /usr/local/bin/postgres postgres /usr/lib/postgresql/18/bin/postgres 100
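Review bot: the GitHub CLI install kept under the rewritten comment still resolves its version from `releases/latest` at build time and runs `dpkg -i gh.deb` on whatever comes back, with no checksum and no `--fail` on either curl. That leaves gh outside the pinned, checksummed path the rest of this change moves tools onto. The API lookup is also unauthenticated, so a rate-limit response yields an empty `GH_CLI_VERSION` and the build fails at `dpkg` on a saved error page rather than at the download. Suggest pinning it the way mise itself is pinned (an `ARG GH_CLI_VERSION=...` plus a `sha256sum -c` line) and adding `--fail` to both curls. The same applies to the `DOCKER_BUILDX_VERSION` lookup if that RUN is staying.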
@@ -289,44 +164,6 @@ RUN systemctl enable \
# Workaround for envbuilder cache probing not working unless the filesystem is modified.
touch /tmp/.envbuilder-systemctl-enable-docker-ssh-workaround
# Install tools with published releases, where that is the
# preferred/recommended installation method.
ARG GOLANGCI_LINT_VERSION=1.64.8 \
HELM_VERSION=3.12.0 \
KUBECTX_VERSION=0.9.4 \
SYFT_VERSION=1.20.0 \
COSIGN_VERSION=2.4.3 \
BUN_VERSION=1.2.15 \
MISE_VERSION=v2026.4.19 \
MISE_SHA256=6b58ff5f1e1ce98ed2b7e5372c344ea48182c460e5b6df12d9e0def35aad4438 \
MISE_INSTALL_DIR=/opt/mise/bin
RUN \
# golangci-lint performs static code analysis for our Go code
curl --silent --show-error --location --fail "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" && \
# Helm is necessary for deploying Coder
curl --silent --show-error --location --fail "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \
# kubens and kubectx for managing Kubernetes namespaces and contexts
curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \
curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubens_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- kubens && \
# Anchore Syft for SBOM generation
curl --silent --show-error --location --fail "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- syft && \
# Sigstore Cosign for artifact signing and attestation
curl --silent --show-error --location --fail --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \
chmod a=rx /usr/local/bin/cosign && \
# Install Bun JavaScript runtime to /usr/local/bin
curl --silent --show-error --location --fail "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip" --output /tmp/bun.zip && \
unzip -q /tmp/bun.zip -d /tmp && \
mv /tmp/bun-linux-x64/bun /usr/local/bin/ && \
chmod a=rx /usr/local/bin/bun && \
rm -rf /tmp/bun.zip /tmp/bun-linux-x64 && \
apt-get clean && rm -rf /var/lib/apt/lists/*
# Add coder user and allow use of docker/sudo.
# Ubuntu 26.04 ships a default "ubuntu" user at UID 1000;
# remove it so we can create "coder" with that UID.
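Review bot: helm is the one download removed here that does not get a checksum back. The removed block fetched `helm-v${HELM_VERSION}-linux-amd64.tar.gz` from get.helm.sh, and its replacement in mise.lock is `[[tools."http:helm"]]` with only `version = "3.12.0"`, no `url` and no `checksum` for any platform, whereas entries such as cosign and golangci-lint record a `sha256:` value per platform. The Dockerfile comment added later in this patch says the lockfile is shipped "so mise verifies download checksums during install", which does not hold for helm as locked. Suggest pinning a sha256 for the helm archive in the manifest, or moving helm to a backend that locks per-platform checksums, and regenerating the lock.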
@@ -338,8 +175,13 @@ RUN userdel -r ubuntu && \
--uid=1000 \
--user-group
# Install mise to a stable path outside /home/coder, but keep its target
# directory writable so `mise self-update` can replace the binary as coder.
# Install mise. Binary at /opt/mise/bin so it survives the home
# volume mount; data dir under ~/.local/share/mise so installs ride
# along on the per-workspace home volume, matching Homebrew's pattern
# (see /home/linuxbrew volume in main.tf).
ARG MISE_VERSION=v2026.4.19 \
MISE_SHA256=6b58ff5f1e1ce98ed2b7e5372c344ea48182c460e5b6df12d9e0def35aad4438 \
MISE_INSTALL_DIR=/opt/mise/bin
RUN install --directory --owner=coder --group=coder --mode=0755 "${MISE_INSTALL_DIR}" && \
curl --silent --show-error --location --fail \
"https://github.com/jdx/mise/releases/download/${MISE_VERSION}/mise-${MISE_VERSION}-linux-x64" \
@@ -351,6 +193,42 @@ RUN install --directory --owner=coder --group=coder --mode=0755 "${MISE_INSTALL_
test -x /usr/local/bin/mise && \
sudo --login --user=coder /bin/bash -lc 'set -euo pipefail && mise_bin="$(readlink --canonicalize /usr/local/bin/mise)" && test -w "$(dirname "$mise_bin")" && /usr/local/bin/mise --version && /usr/local/bin/mise self-update --help >/dev/null && /usr/local/bin/mise upgrade --help >/dev/null'
# Trusted paths skip mise's per-config trust prompt for the baked-in
# system config and the coder repo when cloned at the canonical
# /home/coder/coder location. Other repos a user clones still get
# the one-time `mise trust` prompt; pre-trusting all of /home/coder
# would let any mise.toml under the home dir auto-run [hooks]/[tasks].
ENV MISE_DATA_DIR=/home/coder/.local/share/mise \
MISE_TRUSTED_CONFIG_PATHS=/home/coder/coder:/etc/mise
# Bake the project manifest in as mise's system config and ship
# the lockfile alongside it so mise verifies download checksums
# during install. We do NOT override MISE_GLOBAL_CONFIG_FILE; that
# would re-target `mise use --global` away from the user's
# ~/.config/mise/config.toml (on the home volume) into this
# image-only path, breaking the workflow.
#
# We pre-create /etc/mise as 0755 because COPY's implicitly-created
# parent dirs inherit the --chmod, which would leave /etc/mise
# without the `x` bit and unreachable to the coder user.
RUN install --directory --mode=0755 /etc/mise
COPY --chmod=0644 mise.toml /etc/mise/config.toml
COPY --chmod=0644 mise.lock /etc/mise/mise.lock
# Pre-install image tools as coder so they land on the home volume
# layer. Sudo drops env vars, so MISE_* are re-exported via `env`.
# github_token (optional build secret) authenticates aqua's API
# calls; without it builds may hit GitHub's 60/hr unauth limit.
RUN --mount=type=secret,id=github_token,required=false \
gh_token="$(cat /run/secrets/github_token 2>/dev/null || true)" && \
sudo --user=coder env \
"MISE_DATA_DIR=$MISE_DATA_DIR" \
"MISE_TRUSTED_CONFIG_PATHS=$MISE_TRUSTED_CONFIG_PATHS" \
"GITHUB_TOKEN=$gh_token" \
/usr/local/bin/mise install --yes && \
PATH="$MISE_DATA_DIR/shims:$PATH" pnpm dlx playwright@1.47.0 install --with-deps chromium && \
apt-get clean && rm -rf /var/lib/apt/lists/*
# Install Homebrew as the coder user so the supported Linux prefix remains
# writable after the image build.
RUN sudo --login --user=coder env NONINTERACTIVE=1 CI=1 /bin/bash -lc 'set -euo pipefail && curl --silent --show-error --location --fail https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | /bin/bash' && \
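Review bot: `MISE_TRUSTED_CONFIG_PATHS=/home/coder/coder:/etc/mise` trusts a path, not a repository, so the risk the comment describes for all of /home/coder still holds for whatever is checked out at that one directory. A fork or an unreviewed PR branch checked out at /home/coder/coder gets its `mise.toml` loaded, `[hooks]`/`[tasks]` included, without the trust prompt. If that is accepted for dogfood, say so in the comment; otherwise trust only `/etc/mise` and let the first use of the clone prompt once. Separately, `"GITHUB_TOKEN=$gh_token"` is passed even when the secret is absent, which exports an empty variable rather than leaving it unset, and it places the token on the `sudo`/`env` command line for the duration of the step. Passing the variable only when `$gh_token` is non-empty avoids the first.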
@@ -362,31 +240,13 @@ RUN echo "PermitUserEnvironment yes" >>/etc/ssh/sshd_config && \
echo "X11Forwarding yes" >>/etc/ssh/sshd_config && \
echo "X11UseLocalhost no" >>/etc/ssh/sshd_config
# We avoid copying the extracted directory since COPY slows to minutes when there
# are a lot of small files.
COPY --from=go /usr/local/go.tar.gz /usr/local/go.tar.gz
RUN mkdir /usr/local/go && \
tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1
ENV PATH=$PATH:/usr/local/go/bin
RUN update-alternatives --install /usr/local/bin/gofmt gofmt /usr/local/go/bin/gofmt 100
COPY --from=go /tmp/bin /usr/local/bin
COPY --from=rust-utils /tmp/bin /usr/local/bin
COPY --from=proto /tmp/bin /usr/local/bin
COPY --from=proto /tmp/include /usr/local/bin/include
USER coder
# Configure Homebrew and mise for the coder user. mise shims must stay first
# so `command -v` and `mise doctor` resolve mise-managed tools ahead of
# Homebrew and system binaries. Note that no go bins are installed in this
# docker file, as they'd be mounted over by the persistent home volume.
# mise shims must lead so `command -v` and `mise doctor` resolve
# mise-managed tools ahead of Homebrew and system binaries.
ENV HOMEBREW_PREFIX="/home/linuxbrew/.linuxbrew" \
HOMEBREW_CELLAR="/home/linuxbrew/.linuxbrew/Cellar" \
HOMEBREW_REPOSITORY="/home/linuxbrew/.linuxbrew/Homebrew" \
MISE_DATA_DIR="/home/coder/.local/share/mise"
HOMEBREW_REPOSITORY="/home/linuxbrew/.linuxbrew/Homebrew"
ENV PATH="${MISE_DATA_DIR}/shims:${HOMEBREW_PREFIX}/bin:${HOMEBREW_PREFIX}/sbin:/home/coder/go/bin:${PATH}"
# Override CARGO_HOME so cargo registry/cache writes go to the coder
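Review bot: the deleted sentence "no go bins are installed in this docker file, as they'd be mounted over by the persistent home volume" still describes the image, and after this change it covers more than go bins. `PATH` leads with `${MISE_DATA_DIR}/shims`, `MISE_DATA_DIR` is `/home/coder/.local/share/mise`, and `/usr/local/go`, the gofmt `update-alternatives` line and the `COPY --from=...` lines are gone, so go, gofmt, protoc and the other tools now exist only under the home directory. A workspace whose home volume predates the image will mount over everything `mise install` wrote at build time. Suggest keeping the caveat in the comment and stating what re-runs `mise install` when the volume is already populated. It is also worth a build-time check that protoc still finds the include tree that `COPY --from=proto /tmp/include /usr/local/bin/include` used to place beside it.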
+598
@@ -0,0 +1,598 @@
# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
[[tools."aqua:ahmetb/kubectx/kubens"]]
version = "0.9.4"
backend = "aqua:ahmetb/kubectx/kubens"
[tools."aqua:ahmetb/kubectx/kubens"."platforms.linux-arm64"]
checksum = "sha256:7c2d0d4d46338bf400ebba1b23947d35b25725b9b4e3e1932bb88b3ec3f96a5a"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_linux_arm64.tar.gz"
[tools."aqua:ahmetb/kubectx/kubens"."platforms.linux-arm64-musl"]
checksum = "sha256:7c2d0d4d46338bf400ebba1b23947d35b25725b9b4e3e1932bb88b3ec3f96a5a"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_linux_arm64.tar.gz"
[tools."aqua:ahmetb/kubectx/kubens"."platforms.linux-x64"]
checksum = "sha256:8b3672961fb15f8b87d5793af8bd3c1cca52c016596fbf57c46ab4ef39265fcd"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_linux_x86_64.tar.gz"
[tools."aqua:ahmetb/kubectx/kubens"."platforms.linux-x64-musl"]
checksum = "sha256:8b3672961fb15f8b87d5793af8bd3c1cca52c016596fbf57c46ab4ef39265fcd"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_linux_x86_64.tar.gz"
[tools."aqua:ahmetb/kubectx/kubens"."platforms.macos-arm64"]
checksum = "sha256:dbae919016d4ebfa09780135cacd9d787b2d3882f13c3d5b3c3c883180496209"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_darwin_arm64.tar.gz"
[tools."aqua:ahmetb/kubectx/kubens"."platforms.macos-x64"]
checksum = "sha256:ef43ab1217e09ac1b929d4b9dd2c22cbb10540ef277a3a9b484c020820c988b1"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_darwin_x86_64.tar.gz"
[tools."aqua:ahmetb/kubectx/kubens"."platforms.windows-x64"]
checksum = "sha256:eab9ace6e25303b522e7006a1c9e44747b9e9c005e15b1fcf8a9678569ca1c95"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_windows_x86_64.zip"
[[tools."aqua:crate-ci/typos"]]
version = "1.46.1"
backend = "aqua:crate-ci/typos"
[tools."aqua:crate-ci/typos"."platforms.linux-arm64"]
checksum = "sha256:70a8e5a2c6272e25438ed8a9f10c40c9becf79f2800183fd34603a0840162eac"
url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-aarch64-unknown-linux-musl.tar.gz"
[tools."aqua:crate-ci/typos"."platforms.linux-arm64-musl"]
checksum = "sha256:70a8e5a2c6272e25438ed8a9f10c40c9becf79f2800183fd34603a0840162eac"
url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-aarch64-unknown-linux-musl.tar.gz"
[tools."aqua:crate-ci/typos"."platforms.linux-x64"]
checksum = "sha256:c574fa505596922ba2e7b1027a0a5b2df528f399b86b6915d85748186a65ca44"
url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-x86_64-unknown-linux-musl.tar.gz"
[tools."aqua:crate-ci/typos"."platforms.linux-x64-musl"]
checksum = "sha256:c574fa505596922ba2e7b1027a0a5b2df528f399b86b6915d85748186a65ca44"
url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-x86_64-unknown-linux-musl.tar.gz"
[tools."aqua:crate-ci/typos"."platforms.macos-arm64"]
checksum = "sha256:bb5e07df5c938f41b95903ca8943d9230eb5a4cfbc8a2ff1f3a029d5370926a8"
url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-aarch64-apple-darwin.tar.gz"
[tools."aqua:crate-ci/typos"."platforms.macos-x64"]
checksum = "sha256:bc585c22f2c4f5963ad782df1d4764a91476d3079477a08833ff87dfa416bb72"
url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-x86_64-apple-darwin.tar.gz"
[tools."aqua:crate-ci/typos"."platforms.windows-x64"]
checksum = "sha256:a7b042fc79bf7b73b00ece054ec3109858e001136c2642f28004544b571d37a2"
url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-x86_64-pc-windows-msvc.zip"
[[tools."aqua:jj-vcs/jj"]]
version = "0.41.0"
backend = "aqua:jj-vcs/jj"
[tools."aqua:jj-vcs/jj"."platforms.linux-arm64"]
checksum = "sha256:cd75d0f920b2674147a48eac84ee4594f476fc8f98cd7e358b25750a51622d91"
url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-aarch64-unknown-linux-musl.tar.gz"
[tools."aqua:jj-vcs/jj"."platforms.linux-arm64-musl"]
checksum = "sha256:cd75d0f920b2674147a48eac84ee4594f476fc8f98cd7e358b25750a51622d91"
url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-aarch64-unknown-linux-musl.tar.gz"
[tools."aqua:jj-vcs/jj"."platforms.linux-x64"]
checksum = "sha256:42181a80d316ac157874c817c9945e104275114fb461d99e06e2312502f08f99"
url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-x86_64-unknown-linux-musl.tar.gz"
[tools."aqua:jj-vcs/jj"."platforms.linux-x64-musl"]
checksum = "sha256:42181a80d316ac157874c817c9945e104275114fb461d99e06e2312502f08f99"
url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-x86_64-unknown-linux-musl.tar.gz"
[tools."aqua:jj-vcs/jj"."platforms.macos-arm64"]
checksum = "sha256:e84883b4fb42d1e0cb665efae95b44f387603c1280c893f8cbc7bbac7149ea30"
url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-aarch64-apple-darwin.tar.gz"
[tools."aqua:jj-vcs/jj"."platforms.macos-x64"]
checksum = "sha256:b40d238bf9de4379be9bfd629cff92cd3ec14e2d072a8f7f7bbb929dac9d22f6"
url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-x86_64-apple-darwin.tar.gz"
[tools."aqua:jj-vcs/jj"."platforms.windows-x64"]
checksum = "sha256:1c5ac3015caf0b15ae81cbafa1d94024dbd17b5dff933204d489787dfb95f835"
url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-x86_64-pc-windows-msvc.zip"
[[tools."aqua:watchexec/watchexec"]]
version = "2.5.1"
backend = "aqua:watchexec/watchexec"
[tools."aqua:watchexec/watchexec"."platforms.linux-arm64"]
checksum = "sha256:c073887583d502fa0b393a8b847bb4460a111b3b0a199d1f70dafd5d89e71a2f"
url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-aarch64-unknown-linux-musl.tar.xz"
[tools."aqua:watchexec/watchexec"."platforms.linux-arm64-musl"]
checksum = "sha256:c073887583d502fa0b393a8b847bb4460a111b3b0a199d1f70dafd5d89e71a2f"
url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-aarch64-unknown-linux-musl.tar.xz"
[tools."aqua:watchexec/watchexec"."platforms.linux-x64"]
checksum = "sha256:9efabd08de720c1ee7e57b487fe11904f0966828e76146e2b5ea5deee90626be"
url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-x86_64-unknown-linux-musl.tar.xz"
[tools."aqua:watchexec/watchexec"."platforms.linux-x64-musl"]
checksum = "sha256:9efabd08de720c1ee7e57b487fe11904f0966828e76146e2b5ea5deee90626be"
url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-x86_64-unknown-linux-musl.tar.xz"
[tools."aqua:watchexec/watchexec"."platforms.macos-arm64"]
checksum = "sha256:c5e405dd1109940b2510398d2182990c1be59063b94e11d7ace9c7b435cb1df1"
url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-aarch64-apple-darwin.tar.xz"
[tools."aqua:watchexec/watchexec"."platforms.macos-x64"]
checksum = "sha256:bb74bf33286ff7f31dd8e763e017fbc0418360d88baefd35bc57d662d28394e2"
url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-x86_64-apple-darwin.tar.xz"
[tools."aqua:watchexec/watchexec"."platforms.windows-x64"]
checksum = "sha256:aa448c2704ca1a37ce0f1fc75381d9a411946dd293cf6236293f549426a577f7"
url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-x86_64-pc-windows-msvc.zip"
[[tools.bun]]
version = "1.2.15"
backend = "core:bun"
[tools.bun."platforms.linux-arm64"]
checksum = "sha256:3c3d006148f37200f967fd8070eefb340468287bacb44524a31cad1ee9d3bb7b"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-aarch64.zip"
[tools.bun."platforms.linux-arm64-musl"]
checksum = "sha256:af882b4fe25c631f0bc6a99e9dcb46d5fb3c43c754b3bd99aee0a36d2a5695ec"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-aarch64-musl.zip"
[tools.bun."platforms.linux-x64"]
checksum = "sha256:a261626367835bb3754a01ae07f884484ed17b0886b01e417b799591fa4d7901"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-x64.zip"
[tools.bun."platforms.linux-x64-baseline"]
checksum = "sha256:386ca291c7fa98720d0e94daa1133af811e69fa24352558a403c1b9759e7eb98"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-x64-baseline.zip"
[tools.bun."platforms.linux-x64-musl"]
checksum = "sha256:62679ccfeb1e2e62866042c5f52c46f82e1440a28b07ed79208b0f965fb98650"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-x64-musl.zip"
[tools.bun."platforms.linux-x64-musl-baseline"]
checksum = "sha256:9070bb85ebf48d0528f400f29e98eb39afd49378a09d2b6cb24222f9c2890644"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-x64-musl-baseline.zip"
[tools.bun."platforms.macos-arm64"]
checksum = "sha256:ab0cd6fc7fc8d1ee4f8166d99b71086d4793c5aee0d0b5c73fdf9b70fa47ded4"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-darwin-aarch64.zip"
[tools.bun."platforms.macos-x64"]
checksum = "sha256:a4d26f5f3c9e066493d7402d45a201defcde8f8f415cc1b54fb874d02d15940f"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-darwin-x64.zip"
[tools.bun."platforms.macos-x64-baseline"]
checksum = "sha256:60b324330bb141a87a078ad01baa3f0b8ccfc2896fdcc72c005ab54a79099935"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-darwin-x64-baseline.zip"
[tools.bun."platforms.windows-x64"]
checksum = "sha256:3cbfc2668aebd86718b9414fd4a4b4b1ec34a21ca544517310833563a937272f"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-windows-x64.zip"
[tools.bun."platforms.windows-x64-baseline"]
checksum = "sha256:fba7ac11d11e79583440cfd20dbafc7b4d350de006d1ecf4a54a9931c5765af2"
url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-windows-x64-baseline.zip"
[[tools.cosign]]
version = "2.4.3"
backend = "aqua:sigstore/cosign"
[tools.cosign."platforms.linux-arm64"]
checksum = "sha256:bd0f9763bca54de88699c3656ade2f39c9a1c7a2916ff35601caf23a79be0629"
url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-arm64"
[tools.cosign."platforms.linux-arm64-musl"]
checksum = "sha256:bd0f9763bca54de88699c3656ade2f39c9a1c7a2916ff35601caf23a79be0629"
url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-arm64"
[tools.cosign."platforms.linux-x64"]
checksum = "sha256:caaad125acef1cb81d58dcdc454a1e429d09a750d1e9e2b3ed1aed8964454708"
url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-amd64"
[tools.cosign."platforms.linux-x64-musl"]
checksum = "sha256:caaad125acef1cb81d58dcdc454a1e429d09a750d1e9e2b3ed1aed8964454708"
url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-amd64"
[tools.cosign."platforms.macos-arm64"]
checksum = "sha256:edfc761b27ced77f0f9ca288ff4fac7caa898e1e9db38f4dfdf72160cdf8e638"
url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-darwin-arm64"
[tools.cosign."platforms.macos-x64"]
checksum = "sha256:98a3bfd691f42c6a5b721880116f89210d8fdff61cc0224cd3ef2f8e55a466fb"
url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-darwin-amd64"
[tools.cosign."platforms.windows-x64"]
checksum = "sha256:a2ac24e197111c9430cb2a98f10a641164381afb83df036504868e4ea5720800"
url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-windows-amd64.exe"
[[tools.doctl]]
version = "1.158.0"
backend = "aqua:digitalocean/doctl"
[tools.doctl."platforms.linux-arm64"]
checksum = "sha256:6e9dd8aa1cede091f3ec2c848259f042e42798f311a8b2e7c4cb9b72d768c2c5"
url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-linux-arm64.tar.gz"
[tools.doctl."platforms.linux-arm64-musl"]
checksum = "sha256:6e9dd8aa1cede091f3ec2c848259f042e42798f311a8b2e7c4cb9b72d768c2c5"
url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-linux-arm64.tar.gz"
[tools.doctl."platforms.linux-x64"]
checksum = "sha256:ef633ccbef39b8060413f1abcda2e33e0f13268570a271d9ba22d974dca74fe2"
url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-linux-amd64.tar.gz"
[tools.doctl."platforms.linux-x64-musl"]
checksum = "sha256:ef633ccbef39b8060413f1abcda2e33e0f13268570a271d9ba22d974dca74fe2"
url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-linux-amd64.tar.gz"
[tools.doctl."platforms.macos-arm64"]
checksum = "sha256:bbbc52a64849c6329513b761a517003f321a331c02581fd1aa66d16a01bb4d4b"
url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-darwin-arm64.tar.gz"
[tools.doctl."platforms.macos-x64"]
checksum = "sha256:3cac266c6b36c69d0836840f6ac549a05b8dbfdd1b2e02ae85949ba0450177e3"
url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-darwin-amd64.tar.gz"
[tools.doctl."platforms.windows-x64"]
checksum = "sha256:e1245a0a760a45b236e7a25bf118c1defc8447734bdeb4260ea3ec15d1797f05"
url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-windows-amd64.zip"
[[tools.go]]
version = "1.26.2"
backend = "core:go"
[tools.go."platforms.linux-arm64"]
checksum = "sha256:c958a1fe1b361391db163a485e21f5f228142d6f8b584f6bef89b26f66dc5b23"
url = "https://dl.google.com/go/go1.26.2.linux-arm64.tar.gz"
[tools.go."platforms.linux-arm64-musl"]
checksum = "sha256:c958a1fe1b361391db163a485e21f5f228142d6f8b584f6bef89b26f66dc5b23"
url = "https://dl.google.com/go/go1.26.2.linux-arm64.tar.gz"
[tools.go."platforms.linux-x64"]
checksum = "sha256:990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282"
url = "https://dl.google.com/go/go1.26.2.linux-amd64.tar.gz"
[tools.go."platforms.linux-x64-musl"]
checksum = "sha256:990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282"
url = "https://dl.google.com/go/go1.26.2.linux-amd64.tar.gz"
[tools.go."platforms.macos-arm64"]
checksum = "sha256:32af1522bf3e3ff3975864780a429cc0b41d190ec7bf90faa661d6d64566e7af"
url = "https://dl.google.com/go/go1.26.2.darwin-arm64.tar.gz"
[tools.go."platforms.macos-x64"]
checksum = "sha256:bc3f1500d9968c36d705442d90ba91addf9271665033748b82532682e90a7966"
url = "https://dl.google.com/go/go1.26.2.darwin-amd64.tar.gz"
[tools.go."platforms.windows-x64"]
checksum = "sha256:98eb3570bade15cb826b0909338df6cc6d2cf590bc39c471142002db3832b708"
url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip"
[[tools."go:github.com/coder/sqlc/cmd/sqlc"]]
version = "337309bfb9524f38466a5090e310040fc7af0203"
backend = "go:github.com/coder/sqlc/cmd/sqlc"
[[tools."go:github.com/golang-migrate/migrate/v4/cmd/migrate"]]
version = "v4.19.0"
backend = "go:github.com/golang-migrate/migrate/v4/cmd/migrate"
[[tools."go:github.com/goreleaser/nfpm/v2/cmd/nfpm"]]
version = "v2.35.1"
backend = "go:github.com/goreleaser/nfpm/v2/cmd/nfpm"
[[tools."go:github.com/mikefarah/yq/v4"]]
version = "4.44.3"
backend = "go:github.com/mikefarah/yq/v4"
[[tools."go:github.com/quasilyte/go-ruleguard/cmd/ruleguard"]]
version = "v0.3.13"
backend = "go:github.com/quasilyte/go-ruleguard/cmd/ruleguard"
[[tools."go:github.com/swaggo/swag/cmd/swag"]]
version = "v1.16.2"
backend = "go:github.com/swaggo/swag/cmd/swag"
[[tools."go:go.uber.org/mock/mockgen"]]
version = "v0.6.0"
backend = "go:go.uber.org/mock/mockgen"
[[tools."go:golang.org/x/tools/cmd/goimports"]]
version = "v0.41.0"
backend = "go:golang.org/x/tools/cmd/goimports"
[[tools."go:golang.org/x/tools/gopls"]]
version = "0.21.0"
backend = "go:golang.org/x/tools/gopls"
[[tools."go:gotest.tools/gotestsum"]]
version = "1.9.0"
backend = "go:gotest.tools/gotestsum"
[[tools."go:mvdan.cc/sh/v3/cmd/shfmt"]]
version = "v3.12.0"
backend = "go:mvdan.cc/sh/v3/cmd/shfmt"
[[tools."go:storj.io/drpc/cmd/protoc-gen-go-drpc"]]
version = "v0.0.34"
backend = "go:storj.io/drpc/cmd/protoc-gen-go-drpc"
[[tools.golangci-lint]]
version = "1.64.8"
backend = "aqua:golangci/golangci-lint"
[tools.golangci-lint."platforms.linux-arm64"]
checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz"
[tools.golangci-lint."platforms.linux-arm64-musl"]
checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz"
[tools.golangci-lint."platforms.linux-x64"]
checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
[tools.golangci-lint."platforms.linux-x64-musl"]
checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
[tools.golangci-lint."platforms.macos-arm64"]
checksum = "sha256:70543d21e5b02a94079be8aa11267a5b060865583e337fe768d39b5d3e2faf1f"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-arm64.tar.gz"
[tools.golangci-lint."platforms.macos-x64"]
checksum = "sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz"
[tools.golangci-lint."platforms.windows-x64"]
checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip"
[[tools."http:helm"]]
version = "3.12.0"
backend = "http:helm"
[[tools.kubectx]]
version = "0.9.4"
backend = "aqua:ahmetb/kubectx"
[tools.kubectx."platforms.linux-arm64"]
checksum = "sha256:5fab3c0624a83cf8fff5c34d90f854af6fa8b501ed63306aaf5355303ae884ed"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_linux_arm64.tar.gz"
[tools.kubectx."platforms.linux-arm64-musl"]
checksum = "sha256:5fab3c0624a83cf8fff5c34d90f854af6fa8b501ed63306aaf5355303ae884ed"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_linux_arm64.tar.gz"
[tools.kubectx."platforms.linux-x64"]
checksum = "sha256:db5a48e85ff4d8c6fa947e3021e11ba4376f9588dd5fa779a80ed5c18287db22"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_linux_x86_64.tar.gz"
[tools.kubectx."platforms.linux-x64-musl"]
checksum = "sha256:db5a48e85ff4d8c6fa947e3021e11ba4376f9588dd5fa779a80ed5c18287db22"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_linux_x86_64.tar.gz"
[tools.kubectx."platforms.macos-arm64"]
checksum = "sha256:7adeaf057809ef756b6f290c2e0557e86c1d04718239166a9ef0298db6fe5b27"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_darwin_arm64.tar.gz"
[tools.kubectx."platforms.macos-x64"]
checksum = "sha256:99392d5cc3d174a18b68d9cce6872dc6c7216d58b6913e4f6a51274cffa95583"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_darwin_x86_64.tar.gz"
[tools.kubectx."platforms.windows-x64"]
checksum = "sha256:31a30912ace13fe0a458a253bc76bd106c48f3b0967ac2676cfd8b7fae71e314"
url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_windows_x86_64.zip"
[[tools.lazygit]]
version = "0.61.1"
backend = "aqua:jesseduffield/lazygit"
[tools.lazygit."platforms.linux-arm64"]
checksum = "sha256:20b1abb2bee5dfd46173b9047353eb678bc51a23839e821958d0b1863ab1655e"
url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_linux_arm64.tar.gz"
[tools.lazygit."platforms.linux-arm64-musl"]
checksum = "sha256:20b1abb2bee5dfd46173b9047353eb678bc51a23839e821958d0b1863ab1655e"
url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_linux_arm64.tar.gz"
[tools.lazygit."platforms.linux-x64"]
checksum = "sha256:1b91e660700f2332696726b635202576b543e2bc49b639830dccd26bc5160d5d"
url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_linux_x86_64.tar.gz"
[tools.lazygit."platforms.linux-x64-musl"]
checksum = "sha256:1b91e660700f2332696726b635202576b543e2bc49b639830dccd26bc5160d5d"
url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_linux_x86_64.tar.gz"
[tools.lazygit."platforms.macos-arm64"]
checksum = "sha256:cb665faec92d1574d398296869c084d2b9686464a42806558b967bb87cd07bc9"
url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_darwin_arm64.tar.gz"
[tools.lazygit."platforms.macos-x64"]
checksum = "sha256:6efdb97b8ec24b5729156555d6bc05b340776f00084ddd78ab8bdc7f3dd9b727"
url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_darwin_x86_64.tar.gz"
[tools.lazygit."platforms.windows-x64"]
checksum = "sha256:6024f3094904caaf9b9672b801cba31a65ad36729a0d2c5a03c432f739c0678b"
url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_windows_x86_64.zip"
[[tools.node]]
version = "22.19.0"
backend = "core:node"
[tools.node."platforms.linux-arm64"]
checksum = "sha256:d32817b937219b8f131a28546035183d79e7fd17a86e38ccb8772901a7cd9009"
url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-linux-arm64.tar.gz"
[tools.node."platforms.linux-arm64-musl"]
url = "https://unofficial-builds.nodejs.org/download/release/v22.19.0/node-v22.19.0-linux-arm64-musl.tar.gz"
[tools.node."platforms.linux-x64"]
checksum = "sha256:d36e56998220085782c0ca965f9d51b7726335aed2f5fc7321c6c0ad233aa96d"
url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-linux-x64.tar.gz"
[tools.node."platforms.linux-x64-musl"]
checksum = "sha256:97e0454f54244661a3f0ad743e1537d96adcb7904ff88cf993ddd3957bab7092"
url = "https://unofficial-builds.nodejs.org/download/release/v22.19.0/node-v22.19.0-linux-x64-musl.tar.gz"
[tools.node."platforms.macos-arm64"]
checksum = "sha256:c59006db713c770d6ec63ae16cb3edc11f49ee093b5c415d667bb4f436c6526d"
url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-darwin-arm64.tar.gz"
[tools.node."platforms.macos-x64"]
checksum = "sha256:3cfed4795cd97277559763c5f56e711852d2cc2420bda1cea30c8aa9ac77ce0c"
url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-darwin-x64.tar.gz"
[tools.node."platforms.windows-x64"]
checksum = "sha256:ea3fad0e67a991d8477d8c01344b56e69c676ccb733f065b22436994b1253f86"
url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-win-x64.zip"
[[tools.pnpm]]
version = "10.33.2"
backend = "aqua:pnpm/pnpm"
[tools.pnpm."platforms.linux-arm64"]
checksum = "sha256:0828e5ee23be89d22bd53cc36e93c181ce9d5c47d75f9fe9bf4bdc7a65c66322"
url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-linux-arm64"
[tools.pnpm."platforms.linux-arm64-musl"]
checksum = "sha256:0828e5ee23be89d22bd53cc36e93c181ce9d5c47d75f9fe9bf4bdc7a65c66322"
url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-linux-arm64"
[tools.pnpm."platforms.linux-x64"]
checksum = "sha256:39d7b6600239712bc9581ea219b17ffef46ba60998779cb717be2e068be029ef"
url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-linux-x64"
[tools.pnpm."platforms.linux-x64-musl"]
checksum = "sha256:39d7b6600239712bc9581ea219b17ffef46ba60998779cb717be2e068be029ef"
url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-linux-x64"
[tools.pnpm."platforms.macos-arm64"]
checksum = "sha256:a99a4d5d0e6bd3728949c24ff74a2f2f2d07f73bc48fd308e4eea75d8e72acdc"
url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-macos-arm64"
[tools.pnpm."platforms.macos-x64"]
checksum = "sha256:3b66abb865f4e7a82393861f0f3784d67a704a31a4021739874d4b7910793dca"
url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-macos-x64"
[tools.pnpm."platforms.windows-x64"]
checksum = "sha256:3d1af71e9da7081efd58f95942e1f7e2107bf8fcdae03eb2331c0b6cea59510b"
url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-win-x64.exe"
[[tools.protoc]]
version = "23.4"
backend = "aqua:protocolbuffers/protobuf/protoc"
[tools.protoc."platforms.linux-arm64"]
url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-aarch_64.zip"
[tools.protoc."platforms.linux-arm64-musl"]
url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-aarch_64.zip"
[tools.protoc."platforms.linux-x64"]
url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip"
[tools.protoc."platforms.linux-x64-musl"]
url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip"
[tools.protoc."platforms.macos-arm64"]
url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-osx-aarch_64.zip"
[tools.protoc."platforms.macos-x64"]
url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-osx-x86_64.zip"
[tools.protoc."platforms.windows-x64"]
url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-win64.zip"
[[tools.protoc-gen-go]]
version = "1.30.0"
backend = "aqua:protocolbuffers/protobuf-go/protoc-gen-go"
[tools.protoc-gen-go."platforms.linux-arm64"]
url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.linux.arm64.tar.gz"
[tools.protoc-gen-go."platforms.linux-arm64-musl"]
url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.linux.arm64.tar.gz"
[tools.protoc-gen-go."platforms.linux-x64"]
url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.linux.amd64.tar.gz"
[tools.protoc-gen-go."platforms.linux-x64-musl"]
url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.linux.amd64.tar.gz"
[tools.protoc-gen-go."platforms.macos-arm64"]
url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.darwin.arm64.tar.gz"
[tools.protoc-gen-go."platforms.macos-x64"]
url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.darwin.amd64.tar.gz"
[tools.protoc-gen-go."platforms.windows-x64"]
url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.windows.amd64.zip"
[[tools.syft]]
version = "1.20.0"
backend = "aqua:anchore/syft"
[tools.syft."platforms.linux-arm64"]
checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz"
[tools.syft."platforms.linux-arm64-musl"]
checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz"
[tools.syft."platforms.linux-x64"]
checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
[tools.syft."platforms.linux-x64-musl"]
checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
[tools.syft."platforms.macos-arm64"]
checksum = "sha256:91365712a06af0c0dcd06f5e87fc8791c4332831b3dd6f5474acaaf803d71d82"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_arm64.tar.gz"
[tools.syft."platforms.macos-x64"]
checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz"
[tools.syft."platforms.windows-x64"]
checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip"
[[tools.terraform]]
version = "1.15.2"
backend = "aqua:hashicorp/terraform"
[tools.terraform."platforms.linux-arm64"]
checksum = "sha256:cf27657e96bbdc6116f4c16a0c801d36ae6410d7210183a520ac6b2198fb723e"
url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_arm64.zip"
[tools.terraform."platforms.linux-arm64-musl"]
checksum = "sha256:cf27657e96bbdc6116f4c16a0c801d36ae6410d7210183a520ac6b2198fb723e"
url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_arm64.zip"
[tools.terraform."platforms.linux-x64"]
checksum = "sha256:c56ff2bc7e6ce9b3879a50392b03c2ea074b47688bf503ff966c87fb01b2aab8"
url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_amd64.zip"
[tools.terraform."platforms.linux-x64-musl"]
checksum = "sha256:c56ff2bc7e6ce9b3879a50392b03c2ea074b47688bf503ff966c87fb01b2aab8"
url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_amd64.zip"
[tools.terraform."platforms.macos-arm64"]
checksum = "sha256:4204bc3450418a7ce423e58451b053e5daed625ad6c6a15de98bc09345269f99"
url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_darwin_arm64.zip"
[tools.terraform."platforms.macos-x64"]
checksum = "sha256:2bb701bc2db93ed39613df4f4e033ec4c2de9eba1c036d9a2f62cffc988af066"
url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_darwin_amd64.zip"
[tools.terraform."platforms.windows-x64"]
checksum = "sha256:a7e25570dd85f363581e96cac0b468257c45945ca8875d951413b6606c9b86d4"
url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_windows_amd64.zip"
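Review bot: Several lock entries in this hunk carry a `url` but no `checksum`: `tools.node."platforms.linux-arm64-musl"` (fetched from unofficial-builds.nodejs.org) and every platform of `tools.protoc` and `tools.protoc-gen-go`. For those, the lock pins only the download location, so the lock itself would not flag a replaced release asset, unlike the lazygit, pnpm, syft and terraform entries beside them. Please regenerate the lock so these entries record a sha256, or note in the PR why they cannot, given that `lockfile = true` makes this file the integrity record for `mise install`.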
+68
@@ -0,0 +1,68 @@
[settings]
lockfile = true
[env]
# Required for sqlc (coder fork) to compile against its sqlite dependency.
# Mise applies [env] during `mise install`, but also at runtime when a
# tool from this manifest is invoked. CGO_ENABLED is harmless to leave
# set system-wide on the dogfood image.
CGO_ENABLED = "1"
[tools]
# Languages and runtimes.
bun = "1.2.15"
go = "1.26.2"
node = "22.19.0"
pnpm = "10.33.2"
# Codegen and proto toolchain.
"go:github.com/coder/sqlc/cmd/sqlc" = "337309bfb9524f38466a5090e310040fc7af0203"
"go:go.uber.org/mock/mockgen" = "v0.6.0"
"go:storj.io/drpc/cmd/protoc-gen-go-drpc" = "v0.0.34"
protoc = "23.4"
protoc-gen-go = "1.30.0"
# Go development tools.
"go:github.com/golang-migrate/migrate/v4/cmd/migrate" = "v4.19.0"
"go:github.com/goreleaser/nfpm/v2/cmd/nfpm" = "v2.35.1"
"go:github.com/mikefarah/yq/v4" = "v4.44.3"
"go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" = "v0.3.13"
"go:github.com/swaggo/swag/cmd/swag" = "v1.16.2"
"go:golang.org/x/tools/cmd/goimports" = "v0.41.0"
"go:golang.org/x/tools/gopls" = "v0.21.0"
"go:gotest.tools/gotestsum" = "v1.9.0"
"go:mvdan.cc/sh/v3/cmd/shfmt" = "v3.12.0"
# Infrastructure, release, and lint CLIs.
"aqua:ahmetb/kubectx/kubens" = "0.9.4"
cosign = "2.4.3"
golangci-lint = "1.64.8"
kubectx = "0.9.4"
syft = "1.20.0"
terraform = "1.15.2"
# Developer-environment niceties for the dogfood image. Non-dogfood
# users who run `mise install` here will pull these too; they are
# small, optional conveniences, and mise does nothing without the
# user's explicit `mise install` invocation.
#
# `gh` is intentionally absent from this manifest: the dogfood
# image ships a wrapper at /usr/local/bin/gh that bridges
# `coder external-auth` into `gh`, and a mise shim earlier in
# PATH would bypass it.
"aqua:crate-ci/typos" = "1.46.1"
"aqua:jj-vcs/jj" = "0.41.0"
"aqua:watchexec/watchexec" = "2.5.1"
doctl = "1.158.0"
lazygit = "0.61.1"
# helm publishes binaries at get.helm.sh, not on GitHub. Mise's aqua
# plugin templates the URL without the `v` prefix (404), and the
# github backend can't find the binary (helm only publishes signatures
# on GitHub). The http backend with a templated URL covers
# linux/macos cleanly. Windows is omitted (different extension);
# the dogfood image is linux/amd64-only and nobody on the team runs
# helm via mise on Windows.
[tools."http:helm"]
version = "3.12.0"
url = 'https://get.helm.sh/helm-v{{version}}-{{os(macos="darwin")}}-{{arch(x64="amd64")}}.tar.gz'
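Review bot: The `[tools."http:helm"]` entry at the end of this hunk downloads a templated `get.helm.sh` URL with nothing in the manifest pinning the archive contents, and the comment above it notes that helm's signatures are published on GitHub rather than next to the binary. Please confirm that `mise.lock` records a sha256 for each helm platform the team uses and say so in the comment, so this tool gets the same integrity pin as the aqua-backed ones. Separately, the `[env]` comment justifies `CGO_ENABLED = "1"` only for the dogfood image, but this is the repo-root manifest, so the setting also applies to anyone who runs mise in a checkout; the comment should state that.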
+5 -11
@@ -3,8 +3,7 @@
# This script ensures that the same version of Go is referenced in all of the
# following files:
# - go.mod
# - dogfood/coder/ubuntu-22.04/Dockerfile
# - dogfood/coder/ubuntu-26.04/Dockerfile
# - mise.toml (the dogfood image installs from this manifest)
# - flake.nix
# - .github/actions/setup-go/action.yml
# The version of Go in go.mod is considered the source of truth.
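Review bot: The file list in this header comment names `.github/actions/setup-go/action.yml`, while the script reads `.github/actions/setup-go/action.yaml` (the `yq '.inputs.version.default'` line in the next hunk) and logs it as `setup-go/action.yaml`. Since this hunk already rewrites the list, fix the extension here so the comment matches the path that is actually checked.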
@@ -19,23 +18,18 @@ cdroot
IGNORE_NIX=${IGNORE_NIX:-false}
GO_VERSION_GO_MOD=$(grep -Eo 'go [0-9]+\.[0-9]+\.[0-9]+' ./go.mod | cut -d' ' -f2)
GO_VERSION_DOCKERFILE_2204=$(grep -Eo 'ARG GO_VERSION=[0-9]+\.[0-9]+\.[0-9]+' ./dogfood/coder/ubuntu-22.04/Dockerfile | cut -d'=' -f2)
GO_VERSION_DOCKERFILE_2604=$(grep -Eo 'ARG GO_VERSION=[0-9]+\.[0-9]+\.[0-9]+' ./dogfood/coder/ubuntu-26.04/Dockerfile | cut -d'=' -f2)
GO_VERSION_MISE_TOML=$(grep -Eo '^go = "[0-9]+\.[0-9]+\.[0-9]+"' ./mise.toml | sed -E 's/.*"([^"]+)"/\1/')
GO_VERSION_SETUP_GO=$(yq '.inputs.version.default' .github/actions/setup-go/action.yaml)
GO_VERSION_FLAKE_NIX=$(grep -Eo '\bgo_[0-9]+_[0-9]+\b' ./flake.nix)
# Convert to major.minor format.
GO_VERSION_FLAKE_NIX_MAJOR_MINOR=$(echo "$GO_VERSION_FLAKE_NIX" | cut -d '_' -f 2-3 | tr '_' '.')
log "INFO : go.mod : $GO_VERSION_GO_MOD"
log "INFO : dogfood/coder/ubuntu-22.04/Dockerfile : $GO_VERSION_DOCKERFILE_2204"
log "INFO : dogfood/coder/ubuntu-26.04/Dockerfile : $GO_VERSION_DOCKERFILE_2604"
log "INFO : mise.toml : $GO_VERSION_MISE_TOML"
log "INFO : setup-go/action.yaml : $GO_VERSION_SETUP_GO"
log "INFO : flake.nix : $GO_VERSION_FLAKE_NIX_MAJOR_MINOR"
if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_DOCKERFILE_2204" ]; then
error "Go version mismatch between go.mod and dogfood/coder/ubuntu-22.04/Dockerfile:"
fi
if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_DOCKERFILE_2604" ]; then
error "Go version mismatch between go.mod and dogfood/coder/ubuntu-26.04/Dockerfile:"
if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_MISE_TOML" ]; then
error "Go version mismatch between go.mod and mise.toml"
fi
if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_SETUP_GO" ]; then