From 5f9b3220b5e6b4248dd01cded9ab3cc621308a31 Mon Sep 17 00:00:00 2001 
From: Thomas Kosiewski Date: Fri, 15 May 2026 11:36:22 +0200 Subject: [PATCH] chore: install dogfood image tooling via mise.toml (#25282) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR replaces the hand-rolled `curl | tar | go install | cargo install` chains in the dogfood Ubuntu 22.04 and 26.04 Dockerfiles with a single `mise install` driven by a new repo-root `mise.toml`. The previous Dockerfiles installed ~25 CLIs across three multi-stage builds with versions hardcoded inline. Version bumps were scattered across the Dockerfiles, the root `mise.toml` (added in #24618 but otherwise unused at runtime), and CI's setup actions; build-time network failures came from a dozen distinct endpoints; and `mise` itself sat in the image with no manifest to install from. The new flow: - The repo's `mise.toml` is the single source of truth for image tool versions. The Dockerfiles `COPY` it to `/etc/mise/config.toml` and run a single `mise install` as the `coder` user. - Tools are installed into `/opt/mise/data` rather than the default `/home/coder/.local/share/mise`, so they live in the image (not on the persistent home volume) and reach every workspace on recreate. - Build context moves to the repo root so the Dockerfile can `COPY mise.toml`; an allowlist `.dockerignore` keeps the transferred context to ~24 kB. - Optional `--secret id=github_token` plumbing through the Makefile and `.github/workflows/dogfood.yaml` lifts aqua's GitHub API quota from 60/hr unauthenticated to 1000/hr with `secrets.GITHUB_TOKEN`. - `MISE_TRUSTED_CONFIG_PATHS=/home/coder:/etc/mise` is set as an ENV so users who clone the coder repo into their workspace home aren't prompted to `mise trust`. Net diff for the two Ubuntu Dockerfiles: -399 / +244 lines (~200 lines shorter each). 
The `FROM rust-utils`, `FROM go`, and `FROM proto` multi-stage builds are gone; so are the NVM/Node block, the bulk binary-install block (golangci-lint, helm, kubectx, syft, cosign, bun), the gh `.deb`/lazygit/doctl tarball installs, the gofmt `update-alternatives` line, and the `yq`→`yq4` rename (`scripts/lib.sh:267-275` already auto-detects either name). Both images were built and smoke-tested with Apple's `container` CLI on macOS — every migrated tool resolves to the expected pinned version including outside the cloned coder repo (e.g. `gh` from `/home/coder`, matching the workspace startup script in `dogfood/coder/main.tf`), `sqlc` runs (proving `CGO_ENABLED=1` was honoured at install), `yq --version` reports v4 for `scripts/lib.sh`'s detection, and `gofmt` resolves via the mise shim. Follow-ups (out of scope here): - Commit a multi-platform `mise.lock` so `gh = "latest"` and the other floating versions resolve deterministically across rebuilds and dev machines. - Migrate CI's `setup-go` / `setup-node` actions to consume `mise.toml` so image and CI versions stop being able to drift. --------- Signed-off-by: Thomas Kosiewski Co-authored-by: Claude Opus 4.7 (1M context) --- .dockerignore | 32 +- .github/workflows/ci.yaml | 24 +- .github/workflows/dogfood.yaml | 18 +- .github/zizmor.yml | 3 - Makefile | 2 +- dogfood/coder/Makefile | 31 +- dogfood/coder/ubuntu-22.04/Dockerfile | 242 +++-------- dogfood/coder/ubuntu-26.04/Dockerfile | 240 +++-------- mise.lock | 598 ++++++++++++++++++++++++++ mise.toml | 68 +++ scripts/check_go_versions.sh | 16 +- 11 files changed, 867 insertions(+), 407 deletions(-) create mode 100644 mise.lock create mode 100644 mise.toml diff --git a/.dockerignore b/.dockerignore index 264fd311a7..9b4d2a5997 100644 --- a/.dockerignore +++ b/.dockerignore 
@@ -1,4 +1,28 @@
-# All artifacts of the build processed are dumped here.
-# Ignore it for docker context, as all Dockerfiles should build their own
-# binaries.
-build
+# This file controls what docker/BuildKit may send to the daemon when
+# the build context is the repository root. Today only the dogfood
+# images at dogfood/coder/ubuntu-{22,26}.04/Dockerfile use the repo
+# root as context; other docker builds in this repo (scripts/Dockerfile,
+# scripts/Dockerfile.base, scripts/ironbank/Dockerfile) cd into a
+# temporary directory and have their own contexts.
+#
+# We use an allowlist so the context stays small and predictable, and
+# new top-level files added to the repo do not silently inflate every
+# dogfood image build (depot.dev uploads the context over the network).
+
+# Exclude everything by default; only the paths that the dogfood
+# Dockerfiles actually consume are re-included below. Re-including a
+# file under a directory requires re-including the directory itself.
+**
+
+# Re-allow paths the dogfood Dockerfiles consume.
+!mise.toml
+!mise.lock
+!dogfood
+!dogfood/coder
+!dogfood/coder/ubuntu-22.04
+!dogfood/coder/ubuntu-22.04/configure-chrome-flags.sh
+!dogfood/coder/ubuntu-22.04/files
+!dogfood/coder/ubuntu-22.04/files/**
+!dogfood/coder/ubuntu-26.04
+!dogfood/coder/ubuntu-26.04/files
+!dogfood/coder/ubuntu-26.04/files/**
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6afc09a5b4..b52d46dd10 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -179,13 +179,20 @@ jobs: - name: Get golangci-lint cache dir run: | - linter_ver=$(grep -Eo 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/ubuntu-26.04/Dockerfile | cut -d '=' -f 2) + # mise.toml is the source of truth for tool versions baked into + # the dogfood image; pull the same version for the lint job. + linter_ver=$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/') ./.github/scripts/retry.sh -- go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver" dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }') echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV" - - name: golangci-lint cache - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + # Cache split into restore + conditional save to avoid letting PR + # runs populate a cache that other branches restore from (the + # zizmor `cache-poisoning` concern). Only pushes to the default + # branch may write the cache; PRs may only read it. + - name: Restore golangci-lint cache + id: golangci-lint-cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ${{ env.LINT_CACHE_DIR }} @@ -231,6 +238,17 @@ jobs: - name: make lint run: make --output-sync=line -j lint + - name: Save golangci-lint cache + # Only the default branch is trusted to write the cache, so PR + # runs cannot poison the cache that subsequent runs restore from. + # Skip when the cache already had an exact key hit (no new content). + if: github.ref == 'refs/heads/main' && steps.golangci-lint-cache.outputs.cache-hit != 'true' + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: | + ${{ env.LINT_CACHE_DIR }} + key: ${{ steps.golangci-lint-cache.outputs.cache-primary-key }} + - name: Check workflow files run: | bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.4 
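Review bot: An empty `linter_ver` is not caught in the `Get golangci-lint cache dir` step: the status of `grep … | sed …` inside the substitution is sed's, so if the `golangci-lint` entry in `mise.toml` ever stops matching `^golangci-lint = "[^"]+"` (a quoted key or an inline table, for example) the step carries on to `go install …@v` with a bare `v`. I would add `[ -n "$linter_ver" ] || { echo "golangci-lint version not found in mise.toml" >&2; exit 1; }` directly after the assignment so the failure names its cause. The same extraction is repeated in the `lint/go` recipe of the root `Makefile` in this commit and wants the same guard. The `mise.toml` hunk itself is not visible here, so the entry's current form is assumed.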
diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml index 7031f95b3d..ce629a4ed1 100644 --- a/.github/workflows/dogfood.yaml +++ b/.github/workflows/dogfood.yaml @@ -102,7 +102,14 @@ jobs: project: b4q6ltmpzh token: ${{ secrets.DEPOT_TOKEN }} buildx-fallback: true - context: "{{defaultContext}}:dogfood/coder/ubuntu-22.04" + # Context is the repo root so the Dockerfile can COPY the + # project mise.toml that the image installs from. The + # github_token secret raises aqua's GitHub API quota during + # `mise install`. + context: "{{defaultContext}}" + file: dogfood/coder/ubuntu-22.04/Dockerfile + secrets: | + github_token=${{ secrets.GITHUB_TOKEN }} pull: true save: true push: ${{ github.ref == 'refs/heads/main' }} @@ -118,7 +125,14 @@ jobs: project: b4q6ltmpzh token: ${{ secrets.DEPOT_TOKEN }} buildx-fallback: true - context: "{{defaultContext}}:dogfood/coder/ubuntu-26.04" + # Context is the repo root so the Dockerfile can COPY the + # project mise.toml that the image installs from. The + # github_token secret raises aqua's GitHub API quota during + # `mise install`. + context: "{{defaultContext}}" + file: dogfood/coder/ubuntu-26.04/Dockerfile + secrets: | + github_token=${{ secrets.GITHUB_TOKEN }} pull: true save: true push: ${{ github.ref == 'refs/heads/main' }} diff --git a/.github/zizmor.yml b/.github/zizmor.yml index a11ea20f94..c90e7cb3fe 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -1,7 +1,4 @@ rules: - cache-poisoning: - ignore: - - "ci.yaml:188" dangerous-triggers: ignore: # Both workflows use pull_request_target intentionally: they need diff --git a/Makefile b/Makefile index 5f02824d7f..16ba9239ce 100644 --- a/Makefile +++ b/Makefile 
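Review bot: The `github_token` secret added to both depot build steps (ubuntu-22.04 and ubuntu-26.04) ends up as `GITHUB_TOKEN` in the environment of `mise install`, so every tool backend and installer that mise runs during the build can read it. Since the token is only meant to lift the API rate limit, the job should carry a read-only grant, e.g. `permissions:` with `contents: read`; the job's `permissions` block is outside these hunks, so confirm it is already that narrow. A comment next to `secrets:` such as `# read-only token, used only for GitHub API rate limits during mise install` would record the intent.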
@@ -745,7 +745,7 @@ lint/ts: site/node_modules/.installed .PHONY: lint/ts lint/go: - linter_ver=$$(grep -oE 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/ubuntu-26.04/Dockerfile | cut -d '=' -f 2) + linter_ver=$$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/') go run github.com/golangci/golangci-lint/cmd/golangci-lint@v$$linter_ver run go tool github.com/coder/paralleltestctx/cmd/paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./... go run ./scripts/intxcheck ./... diff --git a/dogfood/coder/Makefile b/dogfood/coder/Makefile index 2403fae04c..48693019fc 100644 --- a/dogfood/coder/Makefile +++ b/dogfood/coder/Makefile 
@@ -3,15 +3,42 @@ # tag names. build_tag ?= $(shell git rev-parse --abbrev-ref HEAD | sed "s/\\//-/") +# The Dockerfiles consume the repo root as build context so they can +# reach the project mise.toml. Each variant still tracks its own +# files/ tree under dogfood/coder/ubuntu-/. +REPO_ROOT := $(shell git rev-parse --show-toplevel) + +# Mise's aqua backend exhausts GitHub's unauthenticated API quota +# quickly. Plumb a token through to the mise install layer when one +# is available. Two equivalent ways to supply it: +# GITHUB_TOKEN=ghp_... - taken straight from the environment +# (matches GitHub Actions, where +# secrets.GITHUB_TOKEN is auto-provided) +# GITHUB_TOKEN_FILE=/path - read the token from a file +# If neither is set the build still runs but may hit 403s. +ifneq ($(GITHUB_TOKEN_FILE),) +docker_secret_arg := --secret id=github_token,src="$(GITHUB_TOKEN_FILE)" +else ifneq ($(GITHUB_TOKEN),) +docker_secret_arg := --secret id=github_token,env=GITHUB_TOKEN +endif + build: build-ubuntu-22.04 build-ubuntu-26.04 .PHONY: build build-ubuntu-22.04: - (cd ubuntu-22.04/ && DOCKER_BUILDKIT=1 docker build . -t "codercom/oss-dogfood:22.04-$(build_tag)") + DOCKER_BUILDKIT=1 docker build \ + -f dogfood/coder/ubuntu-22.04/Dockerfile \ + -t "codercom/oss-dogfood:22.04-$(build_tag)" \ + $(docker_secret_arg) \ + "$(REPO_ROOT)" .PHONY: build-ubuntu-22.04 build-ubuntu-26.04: - (cd ubuntu-26.04/ && DOCKER_BUILDKIT=1 docker build . -t "codercom/oss-dogfood:26.04-$(build_tag)") + DOCKER_BUILDKIT=1 docker build \ + -f dogfood/coder/ubuntu-26.04/Dockerfile \ + -t "codercom/oss-dogfood:26.04-$(build_tag)" \ + $(docker_secret_arg) \ + "$(REPO_ROOT)" .PHONY: build-ubuntu-26.04 push: push-ubuntu-22.04 push-ubuntu-26.04 diff --git a/dogfood/coder/ubuntu-22.04/Dockerfile b/dogfood/coder/ubuntu-22.04/Dockerfile index add2d5a4ba..1f74333c92 100644 --- a/dogfood/coder/ubuntu-22.04/Dockerfile +++ b/dogfood/coder/ubuntu-22.04/Dockerfile 
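Review bot: `-f dogfood/coder/ubuntu-22.04/Dockerfile` in `build-ubuntu-22.04` (and the 26.04 twin) is resolved against the directory make runs in, not against the `$(REPO_ROOT)` context, whereas the removed recipe's `cd ubuntu-22.04/` shows these targets used to run with `dogfood/coder` as the working directory. Invoked that way, the new recipes would look for `dogfood/coder/dogfood/coder/ubuntu-22.04/Dockerfile` and fail. Anchoring the path makes the targets independent of the caller's directory: `-f "$(REPO_ROOT)/dogfood/coder/ubuntu-22.04/Dockerfile" \`, and likewise for 26.04. Supplying the token through `--secret … env=GITHUB_TOKEN` or `src=` keeps it off the docker command line and is worth keeping as is.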
@@ -1,88 +1,3 @@ -# 1.93.1 -FROM rust:slim@sha256:cf09adf8c3ebaba10779e5c23ff7fe4df4cccdab8a91f199b0c142c53fef3e1a AS rust-utils -# Install rust helper programs -ENV CARGO_INSTALL_ROOT=/tmp/ -# Use more reliable mirrors for Debian packages -RUN sed -i 's|http://deb.debian.org/debian|http://mirrors.edge.kernel.org/debian|g' /etc/apt/sources.list && \ - apt-get update || true -RUN apt-get update && apt-get install -y libssl-dev openssl pkg-config build-essential -RUN cargo install jj-cli typos-cli watchexec-cli - -FROM ubuntu:jammy@sha256:eb29ed27b0821dca09c2e28b39135e185fc1302036427d5f4d70a41ce8fd7659 AS go - -# Install Go manually, so that we can control the version -ARG GO_VERSION=1.26.2 -ARG GO_CHECKSUM="990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282" - -# Boring Go is needed to build FIPS-compliant binaries. -RUN apt-get update && \ - apt-get install --yes curl && \ - curl --silent --show-error --location \ - "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \ - -o /usr/local/go.tar.gz && \ - echo "$GO_CHECKSUM /usr/local/go.tar.gz" | sha256sum -c && \ - rm -rf /var/lib/apt/lists/* - -ENV PATH=$PATH:/usr/local/go/bin -ARG GOPATH="/tmp/" -# Install Go utilities. 
-RUN apt-get update && \ - apt-get install --yes gcc libc6-dev && \ - mkdir --parents /usr/local/go && \ - tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1 && \ - mkdir --parents "$GOPATH" && \ - go env -w GOSUMDB=sum.golang.org && \ - # swag for Swagger doc generation - go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ - # goimports for updating imports - go install golang.org/x/tools/cmd/goimports@v0.41.0 && \ - # protoc-gen-go is needed to build sysbox from source - go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30.0 && \ - # drpc support for v2 - go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34 && \ - # migrate for migration support for v2 - go install github.com/golang-migrate/migrate/v4/cmd/migrate@v4.15.1 && \ - # Install the latest version of gopls for editors that support - # the language server protocol (v0.21.0+ required for Go 1.25) - go install golang.org/x/tools/gopls@v0.21.0 && \ - # gotestsum makes test output more readable - go install gotest.tools/gotestsum@v1.9.0 && \ - # sqlc for Go code generation - # Switched to coder/sqlc fork to fix ambiguous column bug, see: - # - https://github.com/coder/sqlc/pull/1 - # - https://github.com/sqlc-dev/sqlc/pull/4159 - (CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@337309bfb9524f38466a5090e310040fc7af0203) && \ - # ruleguard for checking custom rules, without needing to run all of - # golangci-lint. Check the go.mod in the release of golangci-lint that - # we're using for the version of go-critic that it embeds, then check - # the version of ruleguard in go-critic for that tag. 
- go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@v0.3.13 && \ - # shfmt for shell script formatting - go install mvdan.cc/sh/v3/cmd/shfmt@v3.12.0 && \ - # nfpm is used with `make build` to make release packages - go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 && \ - # yq v4 for processing YAML files (renamed to yq4 for scripts/lib.sh). - go install github.com/mikefarah/yq/v4@v4.44.3 && \ - mv /tmp/bin/yq /tmp/bin/yq4 && \ - # mockgen for generating mocks (v0.6.0+ required for Go 1.25) - go install go.uber.org/mock/mockgen@v0.6.0 && \ - # Reduce image size. - apt-get remove --yes gcc && \ - apt-get autoremove --yes && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* && \ - rm -rf /usr/local/go && \ - rm -rf /tmp/go/pkg && \ - rm -rf /tmp/go/src - -# alpine:3.18 -FROM us-docker.pkg.dev/coder-v2-images-public/public/alpine@sha256:fd032399cd767f310a1d1274e81cab9f0fd8a49b3589eba2c3420228cd45b6a7 AS proto -WORKDIR /tmp -RUN apk add curl unzip -RUN curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip && \ - unzip protoc.zip && \ - rm protoc.zip - FROM ubuntu:jammy@sha256:eb29ed27b0821dca09c2e28b39135e185fc1302036427d5f4d70a41ce8fd7659 SHELL ["/bin/bash", "-c"] @@ -101,7 +16,7 @@ RUN apt-get update && \ locale-gen && \ yes | unminimize -COPY files / +COPY dogfood/coder/ubuntu-22.04/files / # We used to copy /etc/sudoers.d/* in from files/ but this causes issues with # permissions and layer caching. Instead, create the file directly. 
@@ -194,7 +109,7 @@ RUN sed -i 's|http://archive.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/u # Docker containers. # configure-chrome-flags.sh is automatically run after dpkg operations # by dogfood/coder/files/etc/apt/apt.conf.d/99-chrome-flags. -COPY configure-chrome-flags.sh /usr/local/bin/configure-chrome-flags.sh +COPY dogfood/coder/ubuntu-22.04/configure-chrome-flags.sh /usr/local/bin/configure-chrome-flags.sh RUN chmod a+x /usr/local/bin/configure-chrome-flags.sh && \ wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \ apt-get install --yes ./google-chrome-stable_current_amd64.deb && \ 
@@ -208,60 +123,20 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \ sh -s -- -y --default-toolchain stable --profile default -c rust-src ENV PATH=$CARGO_HOME/bin:$PATH -# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.15.2. -# Installing the same version here to match. -RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_amd64.zip" && \ - unzip /tmp/terraform.zip -d /usr/local/bin && \ - rm -f /tmp/terraform.zip && \ - chmod +x /usr/local/bin/terraform && \ - terraform --version - # Install the docker buildx component. RUN DOCKER_BUILDX_VERSION=$(curl -s "https://api.github.com/repos/docker/buildx/releases/latest" | grep '"tag_name":' | sed -E 's/.*"(v[^"]+)".*/\1/') && \ mkdir -p /usr/local/lib/docker/cli-plugins && \ curl -Lo /usr/local/lib/docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${DOCKER_BUILDX_VERSION}/buildx-${DOCKER_BUILDX_VERSION}.linux-amd64" && \ chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx -# See https://github.com/cli/cli/issues/6175#issuecomment-1235984381 for proof -# the apt repository is unreliable +# GitHub CLI to /usr/bin/gh. The wrapper at files/usr/local/bin/gh +# execs this for coder external-auth fallback. 
Apt repo is unreliable: +# https://github.com/cli/cli/issues/6175#issuecomment-1235984381 RUN GH_CLI_VERSION=$(curl -s "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \ curl -L https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.deb -o gh.deb && \ dpkg -i gh.deb && \ rm gh.deb -# Install Lazygit -# See https://github.com/jesseduffield/lazygit#ubuntu -RUN LAZYGIT_VERSION=$(curl -s "https://api.github.com/repos/jesseduffield/lazygit/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v*([^"]+)".*/\1/') && \ - curl -Lo lazygit.tar.gz "https://github.com/jesseduffield/lazygit/releases/latest/download/lazygit_${LAZYGIT_VERSION}_Linux_x86_64.tar.gz" && \ - tar xf lazygit.tar.gz -C /usr/local/bin lazygit && \ - rm lazygit.tar.gz - -# Install doctl -# See https://docs.digitalocean.com/reference/doctl/how-to/install -RUN DOCTL_VERSION=$(curl -s "https://api.github.com/repos/digitalocean/doctl/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \ - curl -L https://github.com/digitalocean/doctl/releases/download/v${DOCTL_VERSION}/doctl-${DOCTL_VERSION}-linux-amd64.tar.gz -o doctl.tar.gz && \ - tar xf doctl.tar.gz -C /usr/local/bin doctl && \ - rm doctl.tar.gz - -ARG NVM_INSTALL_SHA=bdea8c52186c4dd12657e77e7515509cda5bf9fa5a2f0046bce749e62645076d -# Install frontend utilities -ENV NVM_DIR=/usr/local/nvm -ENV NODE_VERSION=22.19.0 -RUN mkdir -p $NVM_DIR -RUN curl -o nvm_install.sh https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh && \ - echo "${NVM_INSTALL_SHA} nvm_install.sh" | sha256sum -c && \ - bash nvm_install.sh && \ - rm nvm_install.sh -RUN source $NVM_DIR/nvm.sh && \ - nvm install $NODE_VERSION && \ - nvm use $NODE_VERSION -ENV PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH -RUN corepack enable && \ - corepack prepare npm@10.8.1 --activate && \ - corepack prepare pnpm@10.33.2 --activate - -RUN pnpx playwright@1.47.0 
install --with-deps chromium - # Ensure PostgreSQL binaries are in the users $PATH. RUN update-alternatives --install /usr/local/bin/initdb initdb /usr/lib/postgresql/16/bin/initdb 100 && \ update-alternatives --install /usr/local/bin/postgres postgres /usr/lib/postgresql/16/bin/postgres 100 
@@ -282,44 +157,6 @@ RUN systemctl enable \ # Workaround for envbuilder cache probing not working unless the filesystem is modified. touch /tmp/.envbuilder-systemctl-enable-docker-ssh-workaround -# Install tools with published releases, where that is the -# preferred/recommended installation method. -ARG GOLANGCI_LINT_VERSION=1.64.8 \ - HELM_VERSION=3.12.0 \ - KUBECTX_VERSION=0.9.4 \ - SYFT_VERSION=1.20.0 \ - COSIGN_VERSION=2.4.3 \ - BUN_VERSION=1.2.15 \ - MISE_VERSION=v2026.4.19 \ - MISE_SHA256=6b58ff5f1e1ce98ed2b7e5372c344ea48182c460e5b6df12d9e0def35aad4438 \ - MISE_INSTALL_DIR=/opt/mise/bin - -RUN \ - # golangci-lint performs static code analysis for our Go code - curl --silent --show-error --location --fail "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" && \ - # Helm is necessary for deploying Coder - curl --silent --show-error --location --fail "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \ - # kubens and kubectx for managing Kubernetes namespaces and contexts - curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \ - curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubens_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- kubens && \ - # Anchore Syft for SBOM generation - curl --silent --show-error --location --fail 
"https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- syft && \ - # Sigstore Cosign for artifact signing and attestation - curl --silent --show-error --location --fail --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \ - chmod a=rx /usr/local/bin/cosign && \ - # Install Bun JavaScript runtime to /usr/local/bin - curl --silent --show-error --location --fail "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip" --output /tmp/bun.zip && \ - unzip -q /tmp/bun.zip -d /tmp && \ - mv /tmp/bun-linux-x64/bun /usr/local/bin/ && \ - chmod a=rx /usr/local/bin/bun && \ - rm -rf /tmp/bun.zip /tmp/bun-linux-x64 && \ - apt-get clean && rm -rf /var/lib/apt/lists/* - # Add coder user and allow use of docker/sudo RUN useradd coder \ --create-home \ @@ -328,8 +165,13 @@ RUN useradd coder \ --uid=1000 \ --user-group -# Install mise to a stable path outside /home/coder, but keep its target -# directory writable so `mise self-update` can replace the binary as coder. +# Install mise. Binary at /opt/mise/bin so it survives the home +# volume mount; data dir under ~/.local/share/mise so installs ride +# along on the per-workspace home volume, matching Homebrew's pattern +# (see /home/linuxbrew volume in main.tf). +ARG MISE_VERSION=v2026.4.19 \ + MISE_SHA256=6b58ff5f1e1ce98ed2b7e5372c344ea48182c460e5b6df12d9e0def35aad4438 \ + MISE_INSTALL_DIR=/opt/mise/bin RUN install --directory --owner=coder --group=coder --mode=0755 "${MISE_INSTALL_DIR}" && \ curl --silent --show-error --location --fail \ "https://github.com/jdx/mise/releases/download/${MISE_VERSION}/mise-${MISE_VERSION}-linux-x64" \ 
@@ -341,6 +183,42 @@ RUN install --directory --owner=coder --group=coder --mode=0755 "${MISE_INSTALL_ test -x /usr/local/bin/mise && \ sudo --login --user=coder /bin/bash -lc 'set -euo pipefail && mise_bin="$(readlink --canonicalize /usr/local/bin/mise)" && test -w "$(dirname "$mise_bin")" && /usr/local/bin/mise --version && /usr/local/bin/mise self-update --help >/dev/null && /usr/local/bin/mise upgrade --help >/dev/null' +# Trusted paths skip mise's per-config trust prompt for the baked-in +# system config and the coder repo when cloned at the canonical +# /home/coder/coder location. Other repos a user clones still get +# the one-time `mise trust` prompt; pre-trusting all of /home/coder +# would let any mise.toml under the home dir auto-run [hooks]/[tasks]. +ENV MISE_DATA_DIR=/home/coder/.local/share/mise \ + MISE_TRUSTED_CONFIG_PATHS=/home/coder/coder:/etc/mise + +# Bake the project manifest in as mise's system config and ship +# the lockfile alongside it so mise verifies download checksums +# during install. We do NOT override MISE_GLOBAL_CONFIG_FILE; that +# would re-target `mise use --global` away from the user's +# ~/.config/mise/config.toml (on the home volume) into this +# image-only path, breaking the workflow. +# +# We pre-create /etc/mise as 0755 because COPY's implicitly-created +# parent dirs inherit the --chmod, which would leave /etc/mise +# without the `x` bit and unreachable to the coder user. +RUN install --directory --mode=0755 /etc/mise +COPY --chmod=0644 mise.toml /etc/mise/config.toml +COPY --chmod=0644 mise.lock /etc/mise/mise.lock + +# Pre-install image tools as coder so they land on the home volume +# layer. Sudo drops env vars, so MISE_* are re-exported via `env`. +# github_token (optional build secret) authenticates aqua's API +# calls; without it builds may hit GitHub's 60/hr unauth limit. 
+RUN --mount=type=secret,id=github_token,required=false \ + gh_token="$(cat /run/secrets/github_token 2>/dev/null || true)" && \ + sudo --user=coder env \ + "MISE_DATA_DIR=$MISE_DATA_DIR" \ + "MISE_TRUSTED_CONFIG_PATHS=$MISE_TRUSTED_CONFIG_PATHS" \ + "GITHUB_TOKEN=$gh_token" \ + /usr/local/bin/mise install --yes && \ + PATH="$MISE_DATA_DIR/shims:$PATH" pnpm dlx playwright@1.47.0 install --with-deps chromium && \ + apt-get clean && rm -rf /var/lib/apt/lists/* + # Install Homebrew as the coder user so the supported Linux prefix remains # writable after the image build. RUN sudo --login --user=coder env NONINTERACTIVE=1 CI=1 /bin/bash -lc 'set -euo pipefail && curl --silent --show-error --location --fail https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | /bin/bash' && \ 
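Review bot: The secret mount on the new `RUN --mount=type=secret,id=github_token` covers the whole instruction, so `/run/secrets/github_token` is still readable while `pnpm dlx playwright@1.47.0 install --with-deps chromium` runs as root and executes freshly downloaded npm code. Ending the first instruction after `/usr/local/bin/mise install --yes` and starting a second one, `RUN PATH="$MISE_DATA_DIR/shims:$PATH" pnpm dlx playwright@1.47.0 install --with-deps chromium && \` followed by the `apt-get clean` line, limits the token to the one command that needs it. The token is also placed on the argument list of `env` (`"GITHUB_TOKEN=$gh_token"`), and when no secret is supplied it is exported as an empty string; whether mise treats an empty `GITHUB_TOKEN` as unset is not visible here and worth confirming. The ubuntu-26.04 Dockerfile's matching hunk lies outside this view and presumably needs the same split.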
@@ -352,31 +230,13 @@ RUN echo "PermitUserEnvironment yes" >>/etc/ssh/sshd_config && \ echo "X11Forwarding yes" >>/etc/ssh/sshd_config && \ echo "X11UseLocalhost no" >>/etc/ssh/sshd_config -# We avoid copying the extracted directory since COPY slows to minutes when there -# are a lot of small files. -COPY --from=go /usr/local/go.tar.gz /usr/local/go.tar.gz -RUN mkdir /usr/local/go && \ - tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1 - -ENV PATH=$PATH:/usr/local/go/bin - -RUN update-alternatives --install /usr/local/bin/gofmt gofmt /usr/local/go/bin/gofmt 100 - -COPY --from=go /tmp/bin /usr/local/bin -COPY --from=rust-utils /tmp/bin /usr/local/bin -COPY --from=proto /tmp/bin /usr/local/bin -COPY --from=proto /tmp/include /usr/local/bin/include - USER coder -# Configure Homebrew and mise for the coder user. mise shims must stay first -# so `command -v` and `mise doctor` resolve mise-managed tools ahead of -# Homebrew and system binaries. Note that no go bins are installed in this -# docker file, as they'd be mounted over by the persistent home volume. +# mise shims must lead so `command -v` and `mise doctor` resolve +# mise-managed tools ahead of Homebrew and system binaries. ENV HOMEBREW_PREFIX="/home/linuxbrew/.linuxbrew" \ HOMEBREW_CELLAR="/home/linuxbrew/.linuxbrew/Cellar" \ - HOMEBREW_REPOSITORY="/home/linuxbrew/.linuxbrew/Homebrew" \ - MISE_DATA_DIR="/home/coder/.local/share/mise" + HOMEBREW_REPOSITORY="/home/linuxbrew/.linuxbrew/Homebrew" ENV PATH="${MISE_DATA_DIR}/shims:${HOMEBREW_PREFIX}/bin:${HOMEBREW_PREFIX}/sbin:/home/coder/go/bin:${PATH}" # Override CARGO_HOME so cargo registry/cache writes go to the coder diff --git a/dogfood/coder/ubuntu-26.04/Dockerfile b/dogfood/coder/ubuntu-26.04/Dockerfile index 8a59d4a426..abf31f6235 100644 --- a/dogfood/coder/ubuntu-26.04/Dockerfile +++ b/dogfood/coder/ubuntu-26.04/Dockerfile 
@@ -1,88 +1,3 @@ -# 1.93.1 -FROM rust:slim@sha256:cf09adf8c3ebaba10779e5c23ff7fe4df4cccdab8a91f199b0c142c53fef3e1a AS rust-utils -# Install rust helper programs -ENV CARGO_INSTALL_ROOT=/tmp/ -# Use more reliable mirrors for Debian packages -RUN sed -i 's|http://deb.debian.org/debian|http://mirrors.edge.kernel.org/debian|g' /etc/apt/sources.list && \ - apt-get update || true -RUN apt-get update && apt-get install -y libssl-dev openssl pkg-config build-essential -RUN cargo install jj-cli typos-cli watchexec-cli - -FROM ubuntu:26.04@sha256:5e275723f82c67e387ba9e3c24baa0abdcb268917f276a0561c97bef9450d0b4 AS go - -# Install Go manually, so that we can control the version -ARG GO_VERSION=1.26.2 -ARG GO_CHECKSUM="990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282" - -# Boring Go is needed to build FIPS-compliant binaries. -RUN apt-get update && \ - apt-get install --yes curl && \ - curl --silent --show-error --location \ - "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \ - -o /usr/local/go.tar.gz && \ - echo "$GO_CHECKSUM /usr/local/go.tar.gz" | sha256sum -c && \ - rm -rf /var/lib/apt/lists/* - -ENV PATH=$PATH:/usr/local/go/bin -ARG GOPATH="/tmp/" -# Install Go utilities. 
-RUN apt-get update && \ - apt-get install --yes build-essential && \ - mkdir --parents /usr/local/go && \ - tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1 && \ - mkdir --parents "$GOPATH" && \ - go env -w GOSUMDB=sum.golang.org && \ - # swag for Swagger doc generation - go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ - # goimports for updating imports - go install golang.org/x/tools/cmd/goimports@v0.41.0 && \ - # protoc-gen-go is needed to build sysbox from source - go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30.0 && \ - # drpc support for v2 - go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34 && \ - # migrate for migration support for v2 - go install github.com/golang-migrate/migrate/v4/cmd/migrate@v4.15.1 && \ - # Install the latest version of gopls for editors that support - # the language server protocol (v0.21.0+ required for Go 1.25) - go install golang.org/x/tools/gopls@v0.21.0 && \ - # gotestsum makes test output more readable - go install gotest.tools/gotestsum@v1.9.0 && \ - # sqlc for Go code generation - # Switched to coder/sqlc fork to fix ambiguous column bug, see: - # - https://github.com/coder/sqlc/pull/1 - # - https://github.com/sqlc-dev/sqlc/pull/4159 - (CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@337309bfb9524f38466a5090e310040fc7af0203) && \ - # ruleguard for checking custom rules, without needing to run all of - # golangci-lint. Check the go.mod in the release of golangci-lint that - # we're using for the version of go-critic that it embeds, then check - # the version of ruleguard in go-critic for that tag. 
- go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@v0.3.13 && \ - # shfmt for shell script formatting - go install mvdan.cc/sh/v3/cmd/shfmt@v3.12.0 && \ - # nfpm is used with `make build` to make release packages - go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 && \ - # yq v4 for processing YAML files (renamed to yq4 for scripts/lib.sh). - go install github.com/mikefarah/yq/v4@v4.44.3 && \ - mv /tmp/bin/yq /tmp/bin/yq4 && \ - # mockgen for generating mocks (v0.6.0+ required for Go 1.25) - go install go.uber.org/mock/mockgen@v0.6.0 && \ - # Reduce image size. - apt-get remove --yes build-essential && \ - apt-get autoremove --yes && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* && \ - rm -rf /usr/local/go && \ - rm -rf /tmp/go/pkg && \ - rm -rf /tmp/go/src - -# alpine:3.18 -FROM us-docker.pkg.dev/coder-v2-images-public/public/alpine@sha256:fd032399cd767f310a1d1274e81cab9f0fd8a49b3589eba2c3420228cd45b6a7 AS proto -WORKDIR /tmp -RUN apk add curl unzip -RUN curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip && \ - unzip protoc.zip && \ - rm protoc.zip - FROM ubuntu:26.04@sha256:5e275723f82c67e387ba9e3c24baa0abdcb268917f276a0561c97bef9450d0b4 SHELL ["/bin/bash", "-c"] @@ -101,7 +16,7 @@ RUN apt-get update && \ locale-gen && \ yes | unminimize -COPY files / +COPY dogfood/coder/ubuntu-26.04/files / # We used to copy /etc/sudoers.d/* in from files/ but this causes issues with # permissions and layer caching. Instead, create the file directly. 
@@ -215,60 +130,20 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \ sh -s -- -y --default-toolchain stable --profile default -c rust-src ENV PATH=$CARGO_HOME/bin:$PATH -# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.15.2. -# Installing the same version here to match. -RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_amd64.zip" && \ - unzip /tmp/terraform.zip -d /usr/local/bin && \ - rm -f /tmp/terraform.zip && \ - chmod +x /usr/local/bin/terraform && \ - terraform --version - # Install the docker buildx component. RUN DOCKER_BUILDX_VERSION=$(curl -s "https://api.github.com/repos/docker/buildx/releases/latest" | grep '"tag_name":' | sed -E 's/.*"(v[^"]+)".*/\1/') && \ mkdir -p /usr/local/lib/docker/cli-plugins && \ curl -Lo /usr/local/lib/docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${DOCKER_BUILDX_VERSION}/buildx-${DOCKER_BUILDX_VERSION}.linux-amd64" && \ chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx -# See https://github.com/cli/cli/issues/6175#issuecomment-1235984381 for proof -# the apt repository is unreliable +# GitHub CLI to /usr/bin/gh. The wrapper at files/usr/local/bin/gh +# execs this for coder external-auth fallback. 
Apt repo is unreliable: +# https://github.com/cli/cli/issues/6175#issuecomment-1235984381 RUN GH_CLI_VERSION=$(curl -s "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \ curl -L https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.deb -o gh.deb && \ dpkg -i gh.deb && \ rm gh.deb -# Install Lazygit -# See https://github.com/jesseduffield/lazygit#ubuntu -RUN LAZYGIT_VERSION=$(curl -s "https://api.github.com/repos/jesseduffield/lazygit/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v*([^"]+)".*/\1/') && \ - curl -Lo lazygit.tar.gz "https://github.com/jesseduffield/lazygit/releases/latest/download/lazygit_${LAZYGIT_VERSION}_Linux_x86_64.tar.gz" && \ - tar xf lazygit.tar.gz -C /usr/local/bin lazygit && \ - rm lazygit.tar.gz - -# Install doctl -# See https://docs.digitalocean.com/reference/doctl/how-to/install -RUN DOCTL_VERSION=$(curl -s "https://api.github.com/repos/digitalocean/doctl/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \ - curl -L https://github.com/digitalocean/doctl/releases/download/v${DOCTL_VERSION}/doctl-${DOCTL_VERSION}-linux-amd64.tar.gz -o doctl.tar.gz && \ - tar xf doctl.tar.gz -C /usr/local/bin doctl && \ - rm doctl.tar.gz - -ARG NVM_INSTALL_SHA=bdea8c52186c4dd12657e77e7515509cda5bf9fa5a2f0046bce749e62645076d -# Install frontend utilities -ENV NVM_DIR=/usr/local/nvm -ENV NODE_VERSION=22.19.0 -RUN mkdir -p $NVM_DIR -RUN curl -o nvm_install.sh https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh && \ - echo "${NVM_INSTALL_SHA} nvm_install.sh" | sha256sum -c && \ - bash nvm_install.sh && \ - rm nvm_install.sh -RUN source $NVM_DIR/nvm.sh && \ - nvm install $NODE_VERSION && \ - nvm use $NODE_VERSION -ENV PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH -RUN corepack enable && \ - corepack prepare npm@10.8.1 --activate && \ - corepack prepare pnpm@10.33.2 --activate - -RUN pnpx playwright@1.47.0 
install --with-deps chromium - # Ensure PostgreSQL binaries are in the users $PATH. RUN update-alternatives --install /usr/local/bin/initdb initdb /usr/lib/postgresql/18/bin/initdb 100 && \ update-alternatives --install /usr/local/bin/postgres postgres /usr/lib/postgresql/18/bin/postgres 100 
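Review bot: The docker-buildx and GitHub CLI steps kept in this hunk still resolve their version from `releases/latest` at build time and install the download as root with no digest check, so they stay outside the pinning and checksum model the rest of this change moves to. The `gh` step passes the downloaded `.deb` straight to `dpkg -i`, and the buildx `curl -Lo` has no `--fail`, so a failed API call or download can leave an HTML error page marked executable as the plugin. I would pin both the way the mise step further down declares `MISE_VERSION` and `MISE_SHA256`, e.g. `ARG GH_CLI_VERSION=<pinned-version> GH_CLI_SHA256=<sha256-of-deb>` followed by `echo "${GH_CLI_SHA256}  gh.deb" | sha256sum -c` before `dpkg -i`, and add `--fail` to both `curl` calls. Only the comment above the `gh` step is changed here; the two RUN steps themselves are context lines.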
@@ -289,44 +164,6 @@ RUN systemctl enable \ # Workaround for envbuilder cache probing not working unless the filesystem is modified. touch /tmp/.envbuilder-systemctl-enable-docker-ssh-workaround -# Install tools with published releases, where that is the -# preferred/recommended installation method. -ARG GOLANGCI_LINT_VERSION=1.64.8 \ - HELM_VERSION=3.12.0 \ - KUBECTX_VERSION=0.9.4 \ - SYFT_VERSION=1.20.0 \ - COSIGN_VERSION=2.4.3 \ - BUN_VERSION=1.2.15 \ - MISE_VERSION=v2026.4.19 \ - MISE_SHA256=6b58ff5f1e1ce98ed2b7e5372c344ea48182c460e5b6df12d9e0def35aad4438 \ - MISE_INSTALL_DIR=/opt/mise/bin - -RUN \ - # golangci-lint performs static code analysis for our Go code - curl --silent --show-error --location --fail "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" && \ - # Helm is necessary for deploying Coder - curl --silent --show-error --location --fail "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \ - # kubens and kubectx for managing Kubernetes namespaces and contexts - curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \ - curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubens_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- kubens && \ - # Anchore Syft for SBOM generation - curl --silent --show-error --location --fail 
"https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- syft && \ - # Sigstore Cosign for artifact signing and attestation - curl --silent --show-error --location --fail --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \ - chmod a=rx /usr/local/bin/cosign && \ - # Install Bun JavaScript runtime to /usr/local/bin - curl --silent --show-error --location --fail "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip" --output /tmp/bun.zip && \ - unzip -q /tmp/bun.zip -d /tmp && \ - mv /tmp/bun-linux-x64/bun /usr/local/bin/ && \ - chmod a=rx /usr/local/bin/bun && \ - rm -rf /tmp/bun.zip /tmp/bun-linux-x64 && \ - apt-get clean && rm -rf /var/lib/apt/lists/* - # Add coder user and allow use of docker/sudo. # Ubuntu 26.04 ships a default "ubuntu" user at UID 1000; # remove it so we can create "coder" with that UID. @@ -338,8 +175,13 @@ RUN userdel -r ubuntu && \ --uid=1000 \ --user-group -# Install mise to a stable path outside /home/coder, but keep its target -# directory writable so `mise self-update` can replace the binary as coder. +# Install mise. Binary at /opt/mise/bin so it survives the home +# volume mount; data dir under ~/.local/share/mise so installs ride +# along on the per-workspace home volume, matching Homebrew's pattern +# (see /home/linuxbrew volume in main.tf). +ARG MISE_VERSION=v2026.4.19 \ + MISE_SHA256=6b58ff5f1e1ce98ed2b7e5372c344ea48182c460e5b6df12d9e0def35aad4438 \ + MISE_INSTALL_DIR=/opt/mise/bin RUN install --directory --owner=coder --group=coder --mode=0755 "${MISE_INSTALL_DIR}" && \ curl --silent --show-error --location --fail \ "https://github.com/jdx/mise/releases/download/${MISE_VERSION}/mise-${MISE_VERSION}-linux-x64" \ 
@@ -351,6 +193,42 @@ RUN install --directory --owner=coder --group=coder --mode=0755 "${MISE_INSTALL_ test -x /usr/local/bin/mise && \ sudo --login --user=coder /bin/bash -lc 'set -euo pipefail && mise_bin="$(readlink --canonicalize /usr/local/bin/mise)" && test -w "$(dirname "$mise_bin")" && /usr/local/bin/mise --version && /usr/local/bin/mise self-update --help >/dev/null && /usr/local/bin/mise upgrade --help >/dev/null' +# Trusted paths skip mise's per-config trust prompt for the baked-in +# system config and the coder repo when cloned at the canonical +# /home/coder/coder location. Other repos a user clones still get +# the one-time `mise trust` prompt; pre-trusting all of /home/coder +# would let any mise.toml under the home dir auto-run [hooks]/[tasks]. +ENV MISE_DATA_DIR=/home/coder/.local/share/mise \ + MISE_TRUSTED_CONFIG_PATHS=/home/coder/coder:/etc/mise + +# Bake the project manifest in as mise's system config and ship +# the lockfile alongside it so mise verifies download checksums +# during install. We do NOT override MISE_GLOBAL_CONFIG_FILE; that +# would re-target `mise use --global` away from the user's +# ~/.config/mise/config.toml (on the home volume) into this +# image-only path, breaking the workflow. +# +# We pre-create /etc/mise as 0755 because COPY's implicitly-created +# parent dirs inherit the --chmod, which would leave /etc/mise +# without the `x` bit and unreachable to the coder user. +RUN install --directory --mode=0755 /etc/mise +COPY --chmod=0644 mise.toml /etc/mise/config.toml +COPY --chmod=0644 mise.lock /etc/mise/mise.lock + +# Pre-install image tools as coder so they land on the home volume +# layer. Sudo drops env vars, so MISE_* are re-exported via `env`. +# github_token (optional build secret) authenticates aqua's API +# calls; without it builds may hit GitHub's 60/hr unauth limit. 
+RUN --mount=type=secret,id=github_token,required=false \ + gh_token="$(cat /run/secrets/github_token 2>/dev/null || true)" && \ + sudo --user=coder env \ + "MISE_DATA_DIR=$MISE_DATA_DIR" \ + "MISE_TRUSTED_CONFIG_PATHS=$MISE_TRUSTED_CONFIG_PATHS" \ + "GITHUB_TOKEN=$gh_token" \ + /usr/local/bin/mise install --yes && \ + PATH="$MISE_DATA_DIR/shims:$PATH" pnpm dlx playwright@1.47.0 install --with-deps chromium && \ + apt-get clean && rm -rf /var/lib/apt/lists/* + # Install Homebrew as the coder user so the supported Linux prefix remains # writable after the image build. RUN sudo --login --user=coder env NONINTERACTIVE=1 CI=1 /bin/bash -lc 'set -euo pipefail && curl --silent --show-error --location --fail https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | /bin/bash' && \ 
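Review bot: The added comment above the `COPY ... mise.lock` line says shipping the lockfile makes mise verify download checksums during install, but the `mise.lock` added later in this patch records no `checksum` for several entries. The `protoc` platforms list only a `url`, `http:helm` lists only a version, and the `go:` tools list only a version, so they presumably rely on Go's own module verification rather than on the lockfile. For those tools the `mise install --yes` in the `RUN --mount=type=secret` step is not checked against anything recorded in the repository, and the comment should say so, e.g. `# mise verifies checksums only for lockfile entries that record one; protoc, helm and the go: tools have none.` It is also worth confirming from a build log that mise reads `/etc/mise/mise.lock` for the system config at all, since nothing in this step fails the build if the lockfile is ignored.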
@@ -362,31 +240,13 @@ RUN echo "PermitUserEnvironment yes" >>/etc/ssh/sshd_config && \ echo "X11Forwarding yes" >>/etc/ssh/sshd_config && \ echo "X11UseLocalhost no" >>/etc/ssh/sshd_config -# We avoid copying the extracted directory since COPY slows to minutes when there -# are a lot of small files. -COPY --from=go /usr/local/go.tar.gz /usr/local/go.tar.gz -RUN mkdir /usr/local/go && \ - tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1 - -ENV PATH=$PATH:/usr/local/go/bin - -RUN update-alternatives --install /usr/local/bin/gofmt gofmt /usr/local/go/bin/gofmt 100 - -COPY --from=go /tmp/bin /usr/local/bin -COPY --from=rust-utils /tmp/bin /usr/local/bin -COPY --from=proto /tmp/bin /usr/local/bin -COPY --from=proto /tmp/include /usr/local/bin/include - USER coder -# Configure Homebrew and mise for the coder user. mise shims must stay first -# so `command -v` and `mise doctor` resolve mise-managed tools ahead of -# Homebrew and system binaries. Note that no go bins are installed in this -# docker file, as they'd be mounted over by the persistent home volume. +# mise shims must lead so `command -v` and `mise doctor` resolve +# mise-managed tools ahead of Homebrew and system binaries. ENV HOMEBREW_PREFIX="/home/linuxbrew/.linuxbrew" \ HOMEBREW_CELLAR="/home/linuxbrew/.linuxbrew/Cellar" \ - HOMEBREW_REPOSITORY="/home/linuxbrew/.linuxbrew/Homebrew" \ - MISE_DATA_DIR="/home/coder/.local/share/mise" + HOMEBREW_REPOSITORY="/home/linuxbrew/.linuxbrew/Homebrew" ENV PATH="${MISE_DATA_DIR}/shims:${HOMEBREW_PREFIX}/bin:${HOMEBREW_PREFIX}/sbin:/home/coder/go/bin:${PATH}" # Override CARGO_HOME so cargo registry/cache writes go to the coder diff --git a/mise.lock b/mise.lock new file mode 100644 index 0000000000..d3d7d86487 --- /dev/null +++ b/mise.lock 
@@ -0,0 +1,598 @@ +# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html + +[[tools."aqua:ahmetb/kubectx/kubens"]] +version = "0.9.4" +backend = "aqua:ahmetb/kubectx/kubens" + +[tools."aqua:ahmetb/kubectx/kubens"."platforms.linux-arm64"] +checksum = "sha256:7c2d0d4d46338bf400ebba1b23947d35b25725b9b4e3e1932bb88b3ec3f96a5a" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_linux_arm64.tar.gz" + +[tools."aqua:ahmetb/kubectx/kubens"."platforms.linux-arm64-musl"] +checksum = "sha256:7c2d0d4d46338bf400ebba1b23947d35b25725b9b4e3e1932bb88b3ec3f96a5a" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_linux_arm64.tar.gz" + +[tools."aqua:ahmetb/kubectx/kubens"."platforms.linux-x64"] +checksum = "sha256:8b3672961fb15f8b87d5793af8bd3c1cca52c016596fbf57c46ab4ef39265fcd" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_linux_x86_64.tar.gz" + +[tools."aqua:ahmetb/kubectx/kubens"."platforms.linux-x64-musl"] +checksum = "sha256:8b3672961fb15f8b87d5793af8bd3c1cca52c016596fbf57c46ab4ef39265fcd" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_linux_x86_64.tar.gz" + +[tools."aqua:ahmetb/kubectx/kubens"."platforms.macos-arm64"] +checksum = "sha256:dbae919016d4ebfa09780135cacd9d787b2d3882f13c3d5b3c3c883180496209" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_darwin_arm64.tar.gz" + +[tools."aqua:ahmetb/kubectx/kubens"."platforms.macos-x64"] +checksum = "sha256:ef43ab1217e09ac1b929d4b9dd2c22cbb10540ef277a3a9b484c020820c988b1" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_darwin_x86_64.tar.gz" + +[tools."aqua:ahmetb/kubectx/kubens"."platforms.windows-x64"] +checksum = "sha256:eab9ace6e25303b522e7006a1c9e44747b9e9c005e15b1fcf8a9678569ca1c95" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens_v0.9.4_windows_x86_64.zip" + 
+[[tools."aqua:crate-ci/typos"]] +version = "1.46.1" +backend = "aqua:crate-ci/typos" + +[tools."aqua:crate-ci/typos"."platforms.linux-arm64"] +checksum = "sha256:70a8e5a2c6272e25438ed8a9f10c40c9becf79f2800183fd34603a0840162eac" +url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-aarch64-unknown-linux-musl.tar.gz" + +[tools."aqua:crate-ci/typos"."platforms.linux-arm64-musl"] +checksum = "sha256:70a8e5a2c6272e25438ed8a9f10c40c9becf79f2800183fd34603a0840162eac" +url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-aarch64-unknown-linux-musl.tar.gz" + +[tools."aqua:crate-ci/typos"."platforms.linux-x64"] +checksum = "sha256:c574fa505596922ba2e7b1027a0a5b2df528f399b86b6915d85748186a65ca44" +url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-x86_64-unknown-linux-musl.tar.gz" + +[tools."aqua:crate-ci/typos"."platforms.linux-x64-musl"] +checksum = "sha256:c574fa505596922ba2e7b1027a0a5b2df528f399b86b6915d85748186a65ca44" +url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-x86_64-unknown-linux-musl.tar.gz" + +[tools."aqua:crate-ci/typos"."platforms.macos-arm64"] +checksum = "sha256:bb5e07df5c938f41b95903ca8943d9230eb5a4cfbc8a2ff1f3a029d5370926a8" +url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-aarch64-apple-darwin.tar.gz" + +[tools."aqua:crate-ci/typos"."platforms.macos-x64"] +checksum = "sha256:bc585c22f2c4f5963ad782df1d4764a91476d3079477a08833ff87dfa416bb72" +url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-x86_64-apple-darwin.tar.gz" + +[tools."aqua:crate-ci/typos"."platforms.windows-x64"] +checksum = "sha256:a7b042fc79bf7b73b00ece054ec3109858e001136c2642f28004544b571d37a2" +url = "https://github.com/crate-ci/typos/releases/download/v1.46.1/typos-v1.46.1-x86_64-pc-windows-msvc.zip" + +[[tools."aqua:jj-vcs/jj"]] +version = "0.41.0" +backend = "aqua:jj-vcs/jj" + 
+[tools."aqua:jj-vcs/jj"."platforms.linux-arm64"] +checksum = "sha256:cd75d0f920b2674147a48eac84ee4594f476fc8f98cd7e358b25750a51622d91" +url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-aarch64-unknown-linux-musl.tar.gz" + +[tools."aqua:jj-vcs/jj"."platforms.linux-arm64-musl"] +checksum = "sha256:cd75d0f920b2674147a48eac84ee4594f476fc8f98cd7e358b25750a51622d91" +url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-aarch64-unknown-linux-musl.tar.gz" + +[tools."aqua:jj-vcs/jj"."platforms.linux-x64"] +checksum = "sha256:42181a80d316ac157874c817c9945e104275114fb461d99e06e2312502f08f99" +url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-x86_64-unknown-linux-musl.tar.gz" + +[tools."aqua:jj-vcs/jj"."platforms.linux-x64-musl"] +checksum = "sha256:42181a80d316ac157874c817c9945e104275114fb461d99e06e2312502f08f99" +url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-x86_64-unknown-linux-musl.tar.gz" + +[tools."aqua:jj-vcs/jj"."platforms.macos-arm64"] +checksum = "sha256:e84883b4fb42d1e0cb665efae95b44f387603c1280c893f8cbc7bbac7149ea30" +url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-aarch64-apple-darwin.tar.gz" + +[tools."aqua:jj-vcs/jj"."platforms.macos-x64"] +checksum = "sha256:b40d238bf9de4379be9bfd629cff92cd3ec14e2d072a8f7f7bbb929dac9d22f6" +url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-x86_64-apple-darwin.tar.gz" + +[tools."aqua:jj-vcs/jj"."platforms.windows-x64"] +checksum = "sha256:1c5ac3015caf0b15ae81cbafa1d94024dbd17b5dff933204d489787dfb95f835" +url = "https://github.com/jj-vcs/jj/releases/download/v0.41.0/jj-v0.41.0-x86_64-pc-windows-msvc.zip" + +[[tools."aqua:watchexec/watchexec"]] +version = "2.5.1" +backend = "aqua:watchexec/watchexec" + +[tools."aqua:watchexec/watchexec"."platforms.linux-arm64"] +checksum = "sha256:c073887583d502fa0b393a8b847bb4460a111b3b0a199d1f70dafd5d89e71a2f" +url = 
"https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-aarch64-unknown-linux-musl.tar.xz" + +[tools."aqua:watchexec/watchexec"."platforms.linux-arm64-musl"] +checksum = "sha256:c073887583d502fa0b393a8b847bb4460a111b3b0a199d1f70dafd5d89e71a2f" +url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-aarch64-unknown-linux-musl.tar.xz" + +[tools."aqua:watchexec/watchexec"."platforms.linux-x64"] +checksum = "sha256:9efabd08de720c1ee7e57b487fe11904f0966828e76146e2b5ea5deee90626be" +url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-x86_64-unknown-linux-musl.tar.xz" + +[tools."aqua:watchexec/watchexec"."platforms.linux-x64-musl"] +checksum = "sha256:9efabd08de720c1ee7e57b487fe11904f0966828e76146e2b5ea5deee90626be" +url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-x86_64-unknown-linux-musl.tar.xz" + +[tools."aqua:watchexec/watchexec"."platforms.macos-arm64"] +checksum = "sha256:c5e405dd1109940b2510398d2182990c1be59063b94e11d7ace9c7b435cb1df1" +url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-aarch64-apple-darwin.tar.xz" + +[tools."aqua:watchexec/watchexec"."platforms.macos-x64"] +checksum = "sha256:bb74bf33286ff7f31dd8e763e017fbc0418360d88baefd35bc57d662d28394e2" +url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-x86_64-apple-darwin.tar.xz" + +[tools."aqua:watchexec/watchexec"."platforms.windows-x64"] +checksum = "sha256:aa448c2704ca1a37ce0f1fc75381d9a411946dd293cf6236293f549426a577f7" +url = "https://github.com/watchexec/watchexec/releases/download/v2.5.1/watchexec-2.5.1-x86_64-pc-windows-msvc.zip" + +[[tools.bun]] +version = "1.2.15" +backend = "core:bun" + +[tools.bun."platforms.linux-arm64"] +checksum = "sha256:3c3d006148f37200f967fd8070eefb340468287bacb44524a31cad1ee9d3bb7b" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-aarch64.zip" 
+ +[tools.bun."platforms.linux-arm64-musl"] +checksum = "sha256:af882b4fe25c631f0bc6a99e9dcb46d5fb3c43c754b3bd99aee0a36d2a5695ec" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-aarch64-musl.zip" + +[tools.bun."platforms.linux-x64"] +checksum = "sha256:a261626367835bb3754a01ae07f884484ed17b0886b01e417b799591fa4d7901" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-x64.zip" + +[tools.bun."platforms.linux-x64-baseline"] +checksum = "sha256:386ca291c7fa98720d0e94daa1133af811e69fa24352558a403c1b9759e7eb98" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-x64-baseline.zip" + +[tools.bun."platforms.linux-x64-musl"] +checksum = "sha256:62679ccfeb1e2e62866042c5f52c46f82e1440a28b07ed79208b0f965fb98650" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-x64-musl.zip" + +[tools.bun."platforms.linux-x64-musl-baseline"] +checksum = "sha256:9070bb85ebf48d0528f400f29e98eb39afd49378a09d2b6cb24222f9c2890644" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-linux-x64-musl-baseline.zip" + +[tools.bun."platforms.macos-arm64"] +checksum = "sha256:ab0cd6fc7fc8d1ee4f8166d99b71086d4793c5aee0d0b5c73fdf9b70fa47ded4" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-darwin-aarch64.zip" + +[tools.bun."platforms.macos-x64"] +checksum = "sha256:a4d26f5f3c9e066493d7402d45a201defcde8f8f415cc1b54fb874d02d15940f" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-darwin-x64.zip" + +[tools.bun."platforms.macos-x64-baseline"] +checksum = "sha256:60b324330bb141a87a078ad01baa3f0b8ccfc2896fdcc72c005ab54a79099935" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-darwin-x64-baseline.zip" + +[tools.bun."platforms.windows-x64"] +checksum = "sha256:3cbfc2668aebd86718b9414fd4a4b4b1ec34a21ca544517310833563a937272f" +url = 
"https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-windows-x64.zip" + +[tools.bun."platforms.windows-x64-baseline"] +checksum = "sha256:fba7ac11d11e79583440cfd20dbafc7b4d350de006d1ecf4a54a9931c5765af2" +url = "https://github.com/oven-sh/bun/releases/download/bun-v1.2.15/bun-windows-x64-baseline.zip" + +[[tools.cosign]] +version = "2.4.3" +backend = "aqua:sigstore/cosign" + +[tools.cosign."platforms.linux-arm64"] +checksum = "sha256:bd0f9763bca54de88699c3656ade2f39c9a1c7a2916ff35601caf23a79be0629" +url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-arm64" + +[tools.cosign."platforms.linux-arm64-musl"] +checksum = "sha256:bd0f9763bca54de88699c3656ade2f39c9a1c7a2916ff35601caf23a79be0629" +url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-arm64" + +[tools.cosign."platforms.linux-x64"] +checksum = "sha256:caaad125acef1cb81d58dcdc454a1e429d09a750d1e9e2b3ed1aed8964454708" +url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-amd64" + +[tools.cosign."platforms.linux-x64-musl"] +checksum = "sha256:caaad125acef1cb81d58dcdc454a1e429d09a750d1e9e2b3ed1aed8964454708" +url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-amd64" + +[tools.cosign."platforms.macos-arm64"] +checksum = "sha256:edfc761b27ced77f0f9ca288ff4fac7caa898e1e9db38f4dfdf72160cdf8e638" +url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-darwin-arm64" + +[tools.cosign."platforms.macos-x64"] +checksum = "sha256:98a3bfd691f42c6a5b721880116f89210d8fdff61cc0224cd3ef2f8e55a466fb" +url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-darwin-amd64" + +[tools.cosign."platforms.windows-x64"] +checksum = "sha256:a2ac24e197111c9430cb2a98f10a641164381afb83df036504868e4ea5720800" +url = "https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-windows-amd64.exe" + +[[tools.doctl]] +version = "1.158.0" +backend = "aqua:digitalocean/doctl" + 
+[tools.doctl."platforms.linux-arm64"] +checksum = "sha256:6e9dd8aa1cede091f3ec2c848259f042e42798f311a8b2e7c4cb9b72d768c2c5" +url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-linux-arm64.tar.gz" + +[tools.doctl."platforms.linux-arm64-musl"] +checksum = "sha256:6e9dd8aa1cede091f3ec2c848259f042e42798f311a8b2e7c4cb9b72d768c2c5" +url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-linux-arm64.tar.gz" + +[tools.doctl."platforms.linux-x64"] +checksum = "sha256:ef633ccbef39b8060413f1abcda2e33e0f13268570a271d9ba22d974dca74fe2" +url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-linux-amd64.tar.gz" + +[tools.doctl."platforms.linux-x64-musl"] +checksum = "sha256:ef633ccbef39b8060413f1abcda2e33e0f13268570a271d9ba22d974dca74fe2" +url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-linux-amd64.tar.gz" + +[tools.doctl."platforms.macos-arm64"] +checksum = "sha256:bbbc52a64849c6329513b761a517003f321a331c02581fd1aa66d16a01bb4d4b" +url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-darwin-arm64.tar.gz" + +[tools.doctl."platforms.macos-x64"] +checksum = "sha256:3cac266c6b36c69d0836840f6ac549a05b8dbfdd1b2e02ae85949ba0450177e3" +url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-darwin-amd64.tar.gz" + +[tools.doctl."platforms.windows-x64"] +checksum = "sha256:e1245a0a760a45b236e7a25bf118c1defc8447734bdeb4260ea3ec15d1797f05" +url = "https://github.com/digitalocean/doctl/releases/download/v1.158.0/doctl-1.158.0-windows-amd64.zip" + +[[tools.go]] +version = "1.26.2" +backend = "core:go" + +[tools.go."platforms.linux-arm64"] +checksum = "sha256:c958a1fe1b361391db163a485e21f5f228142d6f8b584f6bef89b26f66dc5b23" +url = "https://dl.google.com/go/go1.26.2.linux-arm64.tar.gz" + +[tools.go."platforms.linux-arm64-musl"] +checksum = 
"sha256:c958a1fe1b361391db163a485e21f5f228142d6f8b584f6bef89b26f66dc5b23" +url = "https://dl.google.com/go/go1.26.2.linux-arm64.tar.gz" + +[tools.go."platforms.linux-x64"] +checksum = "sha256:990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282" +url = "https://dl.google.com/go/go1.26.2.linux-amd64.tar.gz" + +[tools.go."platforms.linux-x64-musl"] +checksum = "sha256:990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282" +url = "https://dl.google.com/go/go1.26.2.linux-amd64.tar.gz" + +[tools.go."platforms.macos-arm64"] +checksum = "sha256:32af1522bf3e3ff3975864780a429cc0b41d190ec7bf90faa661d6d64566e7af" +url = "https://dl.google.com/go/go1.26.2.darwin-arm64.tar.gz" + +[tools.go."platforms.macos-x64"] +checksum = "sha256:bc3f1500d9968c36d705442d90ba91addf9271665033748b82532682e90a7966" +url = "https://dl.google.com/go/go1.26.2.darwin-amd64.tar.gz" + +[tools.go."platforms.windows-x64"] +checksum = "sha256:98eb3570bade15cb826b0909338df6cc6d2cf590bc39c471142002db3832b708" +url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip" + +[[tools."go:github.com/coder/sqlc/cmd/sqlc"]] +version = "337309bfb9524f38466a5090e310040fc7af0203" +backend = "go:github.com/coder/sqlc/cmd/sqlc" + +[[tools."go:github.com/golang-migrate/migrate/v4/cmd/migrate"]] +version = "v4.19.0" +backend = "go:github.com/golang-migrate/migrate/v4/cmd/migrate" + +[[tools."go:github.com/goreleaser/nfpm/v2/cmd/nfpm"]] +version = "v2.35.1" +backend = "go:github.com/goreleaser/nfpm/v2/cmd/nfpm" + +[[tools."go:github.com/mikefarah/yq/v4"]] +version = "4.44.3" +backend = "go:github.com/mikefarah/yq/v4" + +[[tools."go:github.com/quasilyte/go-ruleguard/cmd/ruleguard"]] +version = "v0.3.13" +backend = "go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" + +[[tools."go:github.com/swaggo/swag/cmd/swag"]] +version = "v1.16.2" +backend = "go:github.com/swaggo/swag/cmd/swag" + +[[tools."go:go.uber.org/mock/mockgen"]] +version = "v0.6.0" +backend = "go:go.uber.org/mock/mockgen" + 
+[[tools."go:golang.org/x/tools/cmd/goimports"]] +version = "v0.41.0" +backend = "go:golang.org/x/tools/cmd/goimports" + +[[tools."go:golang.org/x/tools/gopls"]] +version = "0.21.0" +backend = "go:golang.org/x/tools/gopls" + +[[tools."go:gotest.tools/gotestsum"]] +version = "1.9.0" +backend = "go:gotest.tools/gotestsum" + +[[tools."go:mvdan.cc/sh/v3/cmd/shfmt"]] +version = "v3.12.0" +backend = "go:mvdan.cc/sh/v3/cmd/shfmt" + +[[tools."go:storj.io/drpc/cmd/protoc-gen-go-drpc"]] +version = "v0.0.34" +backend = "go:storj.io/drpc/cmd/protoc-gen-go-drpc" + +[[tools.golangci-lint]] +version = "1.64.8" +backend = "aqua:golangci/golangci-lint" + +[tools.golangci-lint."platforms.linux-arm64"] +checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5" +url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz" + +[tools.golangci-lint."platforms.linux-arm64-musl"] +checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5" +url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz" + +[tools.golangci-lint."platforms.linux-x64"] +checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" +url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" + +[tools.golangci-lint."platforms.linux-x64-musl"] +checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" +url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" + +[tools.golangci-lint."platforms.macos-arm64"] +checksum = "sha256:70543d21e5b02a94079be8aa11267a5b060865583e337fe768d39b5d3e2faf1f" +url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-arm64.tar.gz" + +[tools.golangci-lint."platforms.macos-x64"] +checksum = 
"sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444" +url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz" + +[tools.golangci-lint."platforms.windows-x64"] +checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f" +url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip" + +[[tools."http:helm"]] +version = "3.12.0" +backend = "http:helm" + +[[tools.kubectx]] +version = "0.9.4" +backend = "aqua:ahmetb/kubectx" + +[tools.kubectx."platforms.linux-arm64"] +checksum = "sha256:5fab3c0624a83cf8fff5c34d90f854af6fa8b501ed63306aaf5355303ae884ed" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_linux_arm64.tar.gz" + +[tools.kubectx."platforms.linux-arm64-musl"] +checksum = "sha256:5fab3c0624a83cf8fff5c34d90f854af6fa8b501ed63306aaf5355303ae884ed" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_linux_arm64.tar.gz" + +[tools.kubectx."platforms.linux-x64"] +checksum = "sha256:db5a48e85ff4d8c6fa947e3021e11ba4376f9588dd5fa779a80ed5c18287db22" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_linux_x86_64.tar.gz" + +[tools.kubectx."platforms.linux-x64-musl"] +checksum = "sha256:db5a48e85ff4d8c6fa947e3021e11ba4376f9588dd5fa779a80ed5c18287db22" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_linux_x86_64.tar.gz" + +[tools.kubectx."platforms.macos-arm64"] +checksum = "sha256:7adeaf057809ef756b6f290c2e0557e86c1d04718239166a9ef0298db6fe5b27" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_darwin_arm64.tar.gz" + +[tools.kubectx."platforms.macos-x64"] +checksum = "sha256:99392d5cc3d174a18b68d9cce6872dc6c7216d58b6913e4f6a51274cffa95583" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_darwin_x86_64.tar.gz" + 
+[tools.kubectx."platforms.windows-x64"] +checksum = "sha256:31a30912ace13fe0a458a253bc76bd106c48f3b0967ac2676cfd8b7fae71e314" +url = "https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubectx_v0.9.4_windows_x86_64.zip" + +[[tools.lazygit]] +version = "0.61.1" +backend = "aqua:jesseduffield/lazygit" + +[tools.lazygit."platforms.linux-arm64"] +checksum = "sha256:20b1abb2bee5dfd46173b9047353eb678bc51a23839e821958d0b1863ab1655e" +url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_linux_arm64.tar.gz" + +[tools.lazygit."platforms.linux-arm64-musl"] +checksum = "sha256:20b1abb2bee5dfd46173b9047353eb678bc51a23839e821958d0b1863ab1655e" +url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_linux_arm64.tar.gz" + +[tools.lazygit."platforms.linux-x64"] +checksum = "sha256:1b91e660700f2332696726b635202576b543e2bc49b639830dccd26bc5160d5d" +url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_linux_x86_64.tar.gz" + +[tools.lazygit."platforms.linux-x64-musl"] +checksum = "sha256:1b91e660700f2332696726b635202576b543e2bc49b639830dccd26bc5160d5d" +url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_linux_x86_64.tar.gz" + +[tools.lazygit."platforms.macos-arm64"] +checksum = "sha256:cb665faec92d1574d398296869c084d2b9686464a42806558b967bb87cd07bc9" +url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_darwin_arm64.tar.gz" + +[tools.lazygit."platforms.macos-x64"] +checksum = "sha256:6efdb97b8ec24b5729156555d6bc05b340776f00084ddd78ab8bdc7f3dd9b727" +url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_darwin_x86_64.tar.gz" + +[tools.lazygit."platforms.windows-x64"] +checksum = "sha256:6024f3094904caaf9b9672b801cba31a65ad36729a0d2c5a03c432f739c0678b" +url = "https://github.com/jesseduffield/lazygit/releases/download/v0.61.1/lazygit_0.61.1_windows_x86_64.zip" + 
+[[tools.node]] +version = "22.19.0" +backend = "core:node" + +[tools.node."platforms.linux-arm64"] +checksum = "sha256:d32817b937219b8f131a28546035183d79e7fd17a86e38ccb8772901a7cd9009" +url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-linux-arm64.tar.gz" + +[tools.node."platforms.linux-arm64-musl"] +url = "https://unofficial-builds.nodejs.org/download/release/v22.19.0/node-v22.19.0-linux-arm64-musl.tar.gz" + +[tools.node."platforms.linux-x64"] +checksum = "sha256:d36e56998220085782c0ca965f9d51b7726335aed2f5fc7321c6c0ad233aa96d" +url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-linux-x64.tar.gz" + +[tools.node."platforms.linux-x64-musl"] +checksum = "sha256:97e0454f54244661a3f0ad743e1537d96adcb7904ff88cf993ddd3957bab7092" +url = "https://unofficial-builds.nodejs.org/download/release/v22.19.0/node-v22.19.0-linux-x64-musl.tar.gz" + +[tools.node."platforms.macos-arm64"] +checksum = "sha256:c59006db713c770d6ec63ae16cb3edc11f49ee093b5c415d667bb4f436c6526d" +url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-darwin-arm64.tar.gz" + +[tools.node."platforms.macos-x64"] +checksum = "sha256:3cfed4795cd97277559763c5f56e711852d2cc2420bda1cea30c8aa9ac77ce0c" +url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-darwin-x64.tar.gz" + +[tools.node."platforms.windows-x64"] +checksum = "sha256:ea3fad0e67a991d8477d8c01344b56e69c676ccb733f065b22436994b1253f86" +url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-win-x64.zip" + +[[tools.pnpm]] +version = "10.33.2" +backend = "aqua:pnpm/pnpm" + +[tools.pnpm."platforms.linux-arm64"] +checksum = "sha256:0828e5ee23be89d22bd53cc36e93c181ce9d5c47d75f9fe9bf4bdc7a65c66322" +url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-linux-arm64" + +[tools.pnpm."platforms.linux-arm64-musl"] +checksum = "sha256:0828e5ee23be89d22bd53cc36e93c181ce9d5c47d75f9fe9bf4bdc7a65c66322" +url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-linux-arm64" + +[tools.pnpm."platforms.linux-x64"] +checksum = 
"sha256:39d7b6600239712bc9581ea219b17ffef46ba60998779cb717be2e068be029ef" +url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-linux-x64" + +[tools.pnpm."platforms.linux-x64-musl"] +checksum = "sha256:39d7b6600239712bc9581ea219b17ffef46ba60998779cb717be2e068be029ef" +url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-linux-x64" + +[tools.pnpm."platforms.macos-arm64"] +checksum = "sha256:a99a4d5d0e6bd3728949c24ff74a2f2f2d07f73bc48fd308e4eea75d8e72acdc" +url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-macos-arm64" + +[tools.pnpm."platforms.macos-x64"] +checksum = "sha256:3b66abb865f4e7a82393861f0f3784d67a704a31a4021739874d4b7910793dca" +url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-macos-x64" + +[tools.pnpm."platforms.windows-x64"] +checksum = "sha256:3d1af71e9da7081efd58f95942e1f7e2107bf8fcdae03eb2331c0b6cea59510b" +url = "https://github.com/pnpm/pnpm/releases/download/v10.33.2/pnpm-win-x64.exe" + +[[tools.protoc]] +version = "23.4" +backend = "aqua:protocolbuffers/protobuf/protoc" + +[tools.protoc."platforms.linux-arm64"] +url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-aarch_64.zip" + +[tools.protoc."platforms.linux-arm64-musl"] +url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-aarch_64.zip" + +[tools.protoc."platforms.linux-x64"] +url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip" + +[tools.protoc."platforms.linux-x64-musl"] +url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip" + +[tools.protoc."platforms.macos-arm64"] +url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-osx-aarch_64.zip" + +[tools.protoc."platforms.macos-x64"] +url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-osx-x86_64.zip" + 
+[tools.protoc."platforms.windows-x64"] +url = "https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-win64.zip" + +[[tools.protoc-gen-go]] +version = "1.30.0" +backend = "aqua:protocolbuffers/protobuf-go/protoc-gen-go" + +[tools.protoc-gen-go."platforms.linux-arm64"] +url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.linux.arm64.tar.gz" + +[tools.protoc-gen-go."platforms.linux-arm64-musl"] +url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.linux.arm64.tar.gz" + +[tools.protoc-gen-go."platforms.linux-x64"] +url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.linux.amd64.tar.gz" + +[tools.protoc-gen-go."platforms.linux-x64-musl"] +url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.linux.amd64.tar.gz" + +[tools.protoc-gen-go."platforms.macos-arm64"] +url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.darwin.arm64.tar.gz" + +[tools.protoc-gen-go."platforms.macos-x64"] +url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.darwin.amd64.tar.gz" + +[tools.protoc-gen-go."platforms.windows-x64"] +url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.windows.amd64.zip" + +[[tools.syft]] +version = "1.20.0" +backend = "aqua:anchore/syft" + +[tools.syft."platforms.linux-arm64"] +checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635" +url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz" + +[tools.syft."platforms.linux-arm64-musl"] +checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635" +url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz" + 
+[tools.syft."platforms.linux-x64"] +checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" +url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" + +[tools.syft."platforms.linux-x64-musl"] +checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" +url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" + +[tools.syft."platforms.macos-arm64"] +checksum = "sha256:91365712a06af0c0dcd06f5e87fc8791c4332831b3dd6f5474acaaf803d71d82" +url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_arm64.tar.gz" + +[tools.syft."platforms.macos-x64"] +checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441" +url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz" + +[tools.syft."platforms.windows-x64"] +checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f" +url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip" + +[[tools.terraform]] +version = "1.15.2" +backend = "aqua:hashicorp/terraform" + +[tools.terraform."platforms.linux-arm64"] +checksum = "sha256:cf27657e96bbdc6116f4c16a0c801d36ae6410d7210183a520ac6b2198fb723e" +url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_arm64.zip" + +[tools.terraform."platforms.linux-arm64-musl"] +checksum = "sha256:cf27657e96bbdc6116f4c16a0c801d36ae6410d7210183a520ac6b2198fb723e" +url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_arm64.zip" + +[tools.terraform."platforms.linux-x64"] +checksum = "sha256:c56ff2bc7e6ce9b3879a50392b03c2ea074b47688bf503ff966c87fb01b2aab8" +url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_amd64.zip" + +[tools.terraform."platforms.linux-x64-musl"] +checksum = "sha256:c56ff2bc7e6ce9b3879a50392b03c2ea074b47688bf503ff966c87fb01b2aab8" 
+url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_linux_amd64.zip" + +[tools.terraform."platforms.macos-arm64"] +checksum = "sha256:4204bc3450418a7ce423e58451b053e5daed625ad6c6a15de98bc09345269f99" +url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_darwin_arm64.zip" + +[tools.terraform."platforms.macos-x64"] +checksum = "sha256:2bb701bc2db93ed39613df4f4e033ec4c2de9eba1c036d9a2f62cffc988af066" +url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_darwin_amd64.zip" + +[tools.terraform."platforms.windows-x64"] +checksum = "sha256:a7e25570dd85f363581e96cac0b468257c45945ca8875d951413b6606c9b86d4" +url = "https://releases.hashicorp.com/terraform/1.15.2/terraform_1.15.2_windows_amd64.zip" diff --git a/mise.toml b/mise.toml new file mode 100644 index 0000000000..fc9c3b99cd --- /dev/null +++ b/mise.toml 
@@ -0,0 +1,68 @@
+[settings]
+lockfile = true
+
+[env]
+# Required for sqlc (coder fork) to compile against its sqlite dependency.
+# Mise applies [env] during `mise install`, but also at runtime when a
+# tool from this manifest is invoked. CGO_ENABLED is harmless to leave
+# set system-wide on the dogfood image.
+CGO_ENABLED = "1"
+
+[tools]
+# Languages and runtimes.
+bun = "1.2.15"
+go = "1.26.2"
+node = "22.19.0"
+pnpm = "10.33.2"
+
+# Codegen and proto toolchain.
+"go:github.com/coder/sqlc/cmd/sqlc" = "337309bfb9524f38466a5090e310040fc7af0203"
+"go:go.uber.org/mock/mockgen" = "v0.6.0"
+"go:storj.io/drpc/cmd/protoc-gen-go-drpc" = "v0.0.34"
+protoc = "23.4"
+protoc-gen-go = "1.30.0"
+
+# Go development tools.
+"go:github.com/golang-migrate/migrate/v4/cmd/migrate" = "v4.19.0"
+"go:github.com/goreleaser/nfpm/v2/cmd/nfpm" = "v2.35.1"
+"go:github.com/mikefarah/yq/v4" = "v4.44.3"
+"go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" = "v0.3.13"
+"go:github.com/swaggo/swag/cmd/swag" = "v1.16.2"
+"go:golang.org/x/tools/cmd/goimports" = "v0.41.0"
+"go:golang.org/x/tools/gopls" = "v0.21.0"
+"go:gotest.tools/gotestsum" = "v1.9.0"
+"go:mvdan.cc/sh/v3/cmd/shfmt" = "v3.12.0"
+
+# Infrastructure, release, and lint CLIs.
+"aqua:ahmetb/kubectx/kubens" = "0.9.4"
+cosign = "2.4.3"
+golangci-lint = "1.64.8"
+kubectx = "0.9.4"
+syft = "1.20.0"
+terraform = "1.15.2"
+
+# Developer-environment niceties for the dogfood image. Non-dogfood
+# users who run `mise install` here will pull these too; they are
+# small, optional conveniences, and mise does nothing without the
+# user's explicit `mise install` invocation.
+#
+# `gh` is intentionally absent from this manifest: the dogfood
+# image ships a wrapper at /usr/local/bin/gh that bridges
+# `coder external-auth` into `gh`, and a mise shim earlier in
+# PATH would bypass it.
+"aqua:crate-ci/typos" = "1.46.1"
+"aqua:jj-vcs/jj" = "0.41.0"
+"aqua:watchexec/watchexec" = "2.5.1"
+doctl = "1.158.0"
+lazygit = "0.61.1"
+
+# helm publishes binaries at get.helm.sh, not on GitHub. Mise's aqua
+# plugin templates the URL without the `v` prefix (404), and the
+# github backend can't find the binary (helm only publishes signatures
+# on GitHub). The http backend with a templated URL covers
+# linux/macos cleanly. Windows is omitted (different extension);
+# the dogfood image is linux/amd64-only and nobody on the team runs
+# helm via mise on Windows.
+[tools."http:helm"]
+version = "3.12.0"
+url = 'https://get.helm.sh/helm-v{{version}}-{{os(macos="darwin")}}-{{arch(x64="amd64")}}.tar.gz'
diff --git a/scripts/check_go_versions.sh b/scripts/check_go_versions.sh
index b48153858c..fb811838a6 100755
--- a/scripts/check_go_versions.sh
+++ b/scripts/check_go_versions.sh
@@ -3,8 +3,7 @@
 # This script ensures that the same version of Go is referenced in all of the
 # following files:
 # - go.mod
-# - dogfood/coder/ubuntu-22.04/Dockerfile
-# - dogfood/coder/ubuntu-26.04/Dockerfile
+# - mise.toml (the dogfood image installs from this manifest)
 # - flake.nix
 # - .github/actions/setup-go/action.yml
 # The version of Go in go.mod is considered the source of truth.
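Review bot: The `[tools."http:helm"]` entry at the end of the mise.toml hunk is downloaded from get.helm.sh with no digest recorded anywhere: the manifest gives only `version` and a templated `url`, and the matching `[[tools."http:helm"]]` record in this commit's mise.lock carries `version` and `backend` but no `checksum`, unlike kubectx, lazygit, syft and terraform. A tampered or corrupted tarball at that URL would therefore be installed into the dogfood image without any integrity failure. Since the comment states the image is linux/amd64-only, pin at least that platform, for example with `[tools."http:helm".platforms]` followed by `linux-x64 = { url = "https://get.helm.sh/helm-v3.12.0-linux-amd64.tar.gz", checksum = "sha256:<PLACEHOLDER: digest published for the helm v3.12.0 linux-amd64 tarball>" }` (per-platform syntax to be confirmed against the mise version shipped in the image). The mise.lock entries for protoc and protoc-gen-go in the same commit also list URLs without checksums and deserve the same check.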
@@ -19,23 +18,18 @@ cdroot IGNORE_NIX=${IGNORE_NIX:-false} GO_VERSION_GO_MOD=$(grep -Eo 'go [0-9]+\.[0-9]+\.[0-9]+' ./go.mod | cut -d' ' -f2) -GO_VERSION_DOCKERFILE_2204=$(grep -Eo 'ARG GO_VERSION=[0-9]+\.[0-9]+\.[0-9]+' ./dogfood/coder/ubuntu-22.04/Dockerfile | cut -d'=' -f2) -GO_VERSION_DOCKERFILE_2604=$(grep -Eo 'ARG GO_VERSION=[0-9]+\.[0-9]+\.[0-9]+' ./dogfood/coder/ubuntu-26.04/Dockerfile | cut -d'=' -f2) +GO_VERSION_MISE_TOML=$(grep -Eo '^go = "[0-9]+\.[0-9]+\.[0-9]+"' ./mise.toml | sed -E 's/.*"([^"]+)"/\1/') GO_VERSION_SETUP_GO=$(yq '.inputs.version.default' .github/actions/setup-go/action.yaml) GO_VERSION_FLAKE_NIX=$(grep -Eo '\bgo_[0-9]+_[0-9]+\b' ./flake.nix) # Convert to major.minor format. GO_VERSION_FLAKE_NIX_MAJOR_MINOR=$(echo "$GO_VERSION_FLAKE_NIX" | cut -d '_' -f 2-3 | tr '_' '.') log "INFO : go.mod : $GO_VERSION_GO_MOD" -log "INFO : dogfood/coder/ubuntu-22.04/Dockerfile : $GO_VERSION_DOCKERFILE_2204" -log "INFO : dogfood/coder/ubuntu-26.04/Dockerfile : $GO_VERSION_DOCKERFILE_2604" +log "INFO : mise.toml : $GO_VERSION_MISE_TOML" log "INFO : setup-go/action.yaml : $GO_VERSION_SETUP_GO" log "INFO : flake.nix : $GO_VERSION_FLAKE_NIX_MAJOR_MINOR" -if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_DOCKERFILE_2204" ]; then - error "Go version mismatch between go.mod and dogfood/coder/ubuntu-22.04/Dockerfile:" -fi -if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_DOCKERFILE_2604" ]; then - error "Go version mismatch between go.mod and dogfood/coder/ubuntu-26.04/Dockerfile:" +if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_MISE_TOML" ]; then + error "Go version mismatch between go.mod and mise.toml" fi if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_SETUP_GO" ]; then