ci: refactor CI to use mise for shared tool setup (#25727)

Thomas Kosiewski
2026-06-01 15:55:19 +02:00
committed by GitHub
parent 644820cb28
commit fe257666d7
31 changed files with 995 additions and 611 deletions
+76
@@ -0,0 +1,76 @@
name: "Go cache"
description: Restore and save Go build and module caches.
inputs:
cache-path:
description: "Optional newline-delimited cache paths. Defaults to go env GOCACHE and GOMODCACHE."
required: false
default: ""
key-prefix:
description: "Prefix for the cache key."
required: false
default: "go"
download-modules:
description: "Whether to run go mod download after restoring cache."
required: false
default: "true"
runs:
using: "composite"
steps:
- name: Compute Go cache key
id: go-cache
shell: bash
run: |
set -euo pipefail
if [[ -n "${INPUT_CACHE_PATH}" ]]; then
paths="${INPUT_CACHE_PATH}"
else
paths="$(printf '%s\n%s' "$(go env GOCACHE)" "$(go env GOMODCACHE)")"
fi
go_version="$(go env GOVERSION)"
paths_hash="$(printf '%s\n' "${paths}" | git hash-object --stdin)"
hash="$(
{
printf '%s\n' "${go_version}"
for file in go.mod go.sum; do
if [[ -f "${file}" ]]; then
git hash-object "${file}"
fi
done
} | git hash-object --stdin
)"
{
echo "path<<EOF"
echo "${paths}"
echo "EOF"
echo "key=${INPUT_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${paths_hash}-${hash}"
echo "restore-key=${INPUT_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${paths_hash}-"
} >> "$GITHUB_OUTPUT"
env:
INPUT_CACHE_PATH: ${{ inputs.cache-path }}
INPUT_KEY_PREFIX: ${{ inputs.key-prefix }}
- name: Restore Go cache, save on main
if: ${{ github.ref == 'refs/heads/main' }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ steps.go-cache.outputs.path }}
key: ${{ steps.go-cache.outputs.key }}
restore-keys: |
${{ steps.go-cache.outputs.restore-key }}
- name: Restore Go cache read-only
if: ${{ github.ref != 'refs/heads/main' }}
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ steps.go-cache.outputs.path }}
key: ${{ steps.go-cache.outputs.key }}
restore-keys: |
${{ steps.go-cache.outputs.restore-key }}
- name: Download Go modules
if: ${{ inputs.download-modules == 'true' }}
shell: bash
run: ./.github/scripts/retry.sh -- go mod download -x
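Review bot: The action's prerequisites are not documented: the Compute Go cache key step calls `go env GOVERSION` and `git hash-object go.mod go.sum`, so it needs a Go toolchain already on PATH and a checked-out repository, yet `description` only says "Restore and save Go build and module caches." Every caller in this commit runs it after checkout and setup-mise, so it works, but a reader of the action alone cannot see the ordering requirement. I'd extend the header, e.g. `description: Restore and save Go build and module caches. Requires a checked-out repository and Go on PATH (run setup-mise first); the cache key hashes only the root go.mod and go.sum.` If the repository has nested modules or a go.work file they are not part of the key either — I can't tell from this hunk whether that matters.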
@@ -1,10 +0,0 @@
name: "Install cosign"
description: |
Cosign Github Action.
runs:
using: "composite"
steps:
- name: Install cosign
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
with:
cosign-release: "v2.4.3"
-10
@@ -1,10 +0,0 @@
name: "Install syft"
description: |
Downloads Syft to the Action tool cache and provides a reference.
runs:
using: "composite"
steps:
- name: Install syft
uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
with:
syft-version: "v1.26.1"
+59
@@ -0,0 +1,59 @@
name: "pnpm install"
description: Restore pnpm store cache and install root plus workspace dependencies.
inputs:
directory:
description: "Workspace directory to install after the repository root."
required: false
default: "site"
runs:
using: "composite"
steps:
- name: Compute pnpm cache key
id: pnpm-cache
shell: bash
run: |
set -euo pipefail
store_path="$(pnpm store path --silent)"
hash="$(
for file in pnpm-lock.yaml "${INPUT_DIRECTORY}/pnpm-lock.yaml"; do
if [[ -f "${file}" ]]; then
git hash-object "${file}"
fi
done | git hash-object --stdin
)"
{
echo "store-path=${store_path}"
echo "key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-${hash}"
echo "restore-key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-"
} >> "$GITHUB_OUTPUT"
env:
INPUT_DIRECTORY: ${{ inputs.directory }}
- name: Restore and save pnpm cache
if: ${{ github.ref == 'refs/heads/main' }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ steps.pnpm-cache.outputs.store-path }}
key: ${{ steps.pnpm-cache.outputs.key }}
restore-keys: |
${{ steps.pnpm-cache.outputs.restore-key }}
- name: Restore pnpm cache
if: ${{ github.ref != 'refs/heads/main' }}
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ steps.pnpm-cache.outputs.store-path }}
key: ${{ steps.pnpm-cache.outputs.key }}
restore-keys: |
${{ steps.pnpm-cache.outputs.restore-key }}
- name: Install root node_modules
shell: bash
run: ./scripts/pnpm_install.sh
- name: Install node_modules
shell: bash
run: "${GITHUB_WORKSPACE}/scripts/pnpm_install.sh"
working-directory: ${{ github.workspace }}/${{ inputs.directory }}
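Review bot: In the Compute pnpm cache key step `store_path` is computed and exported but never contributes to `key`, unlike go-cache which mixes `paths_hash` into its key. In my experience `pnpm store path` ends in a store-layout version component, so a pnpm bump in mise.toml that changes the layout would still match a stale entry through `restore-key` and, on main, save a new store under a key that looks identical to the old one — worth confirming against pnpm's store docs. I'd mirror go-cache: `store_hash="$(printf '%s\n' "${store_path}" | git hash-object --stdin)"` and `echo "key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-${store_hash}-${hash}"` (same prefix in `restore-key`). The `description` should also state that pnpm must already be on PATH, and note that the loop hashes empty input when neither lockfile exists rather than failing.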
@@ -1,12 +0,0 @@
name: "Setup Go tools"
description: |
Set up tools for `make gen`, `offlinedocs` and Schmoder CI.
runs:
using: "composite"
steps:
- name: go install tools
shell: bash
run: |
./.github/scripts/retry.sh -- go install tool
# NOTE: protoc-gen-go cannot be installed with `go get`
./.github/scripts/retry.sh -- go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
-32
@@ -1,32 +0,0 @@
name: "Setup Go"
description: |
Sets up the Go environment for tests, builds, etc.
inputs:
version:
description: "The Go version to use."
default: "1.26.2"
use-cache:
description: "Whether to use the cache."
default: "true"
runs:
using: "composite"
steps:
- name: Setup Go
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version: ${{ inputs.version }}
cache: ${{ inputs.use-cache }}
- name: Install gotestsum
shell: bash
run: ./.github/scripts/retry.sh -- go install gotest.tools/gotestsum@0d9599e513d70e5792bb9334869f82f6e8b53d4d # main as of 2025-05-15
- name: Install mtimehash
shell: bash
run: ./.github/scripts/retry.sh -- go install github.com/slsyy/mtimehash/cmd/mtimehash@a6b5da4ed2c4a40e7b805534b004e9fde7b53ce0 # v1.0.0
# It isn't necessary that we ever do this, but it helps
# separate the "setup" from the "run" times.
- name: go mod download
shell: bash
run: ./.github/scripts/retry.sh -- go mod download -x
+168
@@ -0,0 +1,168 @@
name: Setup mise
description: Install mise tools from SHA256-pinned binaries, with CI-layer caching.
inputs:
install-args:
description: Tool names or extra arguments passed to mise install. --locked is added by default.
required: false
default: ""
locked:
description: Whether to pass --locked to mise install.
required: false
default: "true"
cache-key-prefix:
description: Prefix for mise tool cache keys.
required: false
default: mise-ci-v1
mise-version:
description: mise version to install.
required: false
default: "2026.5.12"
mise-sha256:
description: SHA256 checksum for the mise binary.
required: false
default: ""
use-cache:
description: Whether to restore and save mise tool caches.
required: false
default: "true"
runs:
using: composite
steps:
- name: Compute mise cache key
id: cache-key
shell: bash
env:
CACHE_KEY_PREFIX: ${{ inputs.cache-key-prefix }}
INPUT_INSTALL_ARGS: ${{ inputs.install-args }}
INPUT_LOCKED: ${{ inputs.locked }}
MISE_VERSION: ${{ inputs.mise-version }}
RUNNER_ARCH: ${{ runner.arch }}
RUNNER_OS: ${{ runner.os }}
run: |
set -euo pipefail
case "${INPUT_LOCKED}" in
true)
if [[ -n "${INPUT_INSTALL_ARGS}" ]]; then
install_args="--locked ${INPUT_INSTALL_ARGS}"
else
install_args="--locked"
fi
;;
false)
install_args="${INPUT_INSTALL_ARGS}"
;;
*)
echo "::error::locked must be true or false."
exit 1
;;
esac
install_args_hash="$(printf '%s' "$install_args" | git hash-object --stdin)"
files_hash="$(git hash-object mise.toml mise.lock | git hash-object --stdin)"
key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-${files_hash}"
restore_key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-"
{
echo "install-args<<EOF"
echo "${install_args}"
echo "EOF"
echo "key=$key"
echo "restore-key=$restore_key"
} >> "$GITHUB_OUTPUT"
- name: Select mise checksum
id: checksum
shell: bash
env:
CHECKSUMS_FILE: ${{ github.action_path }}/checksums.toml
INPUT_MISE_SHA256: ${{ inputs.mise-sha256 }}
MISE_CHECKSUM_SCRIPT: ${{ github.workspace }}/scripts/mise_checksum.sh
MISE_VERSION: ${{ inputs.mise-version }}
RUNNER_ARCH: ${{ runner.arch }}
RUNNER_OS: ${{ runner.os }}
run: |
set -euo pipefail
checksum="${INPUT_MISE_SHA256}"
if [[ -z "${checksum}" ]]; then
case "${RUNNER_OS}-${RUNNER_ARCH}" in
Linux-X64)
target="linux-x64"
;;
Linux-ARM64)
target="linux-arm64"
;;
macOS-X64)
target="macos-x64"
;;
macOS-ARM64)
target="macos-arm64"
;;
Windows-X64)
target="windows-x64"
;;
*)
echo "::error::No mise checksum is pinned for ${RUNNER_OS}-${RUNNER_ARCH}."
exit 1
;;
esac
checksum="$("${MISE_CHECKSUM_SCRIPT}" "${CHECKSUMS_FILE}" "${MISE_VERSION}" "${target}")"
if [[ -z "${checksum}" ]]; then
echo "::error::No mise checksum is pinned for mise ${MISE_VERSION} on ${target}."
exit 1
fi
fi
echo "sha256=${checksum}" >> "$GITHUB_OUTPUT"
- name: Configure mise data directory
id: mise-data-dir
shell: bash
env:
RUNNER_OS: ${{ runner.os }}
run: | # zizmor: ignore[github-env] MISE_DATA_DIR uses only runner-provided paths.
set -euo pipefail
if [[ "${RUNNER_OS}" == "Windows" ]]; then
data_dir="${LOCALAPPDATA:-${USERPROFILE}\\AppData\\Local}\\mise"
else
data_dir="${RUNNER_TEMP}/mise-data"
fi
{
printf 'path=%s\n' "${data_dir}"
} >> "$GITHUB_OUTPUT"
printf 'MISE_DATA_DIR=%s\n' "${data_dir}" >> "$GITHUB_ENV"
- name: Cache mise tools
if: ${{ inputs.use-cache == 'true' && github.ref == 'refs/heads/main' }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: |
~/.cache/mise
${{ steps.mise-data-dir.outputs.path }}
key: ${{ steps.cache-key.outputs.key }}
restore-keys: |
${{ steps.cache-key.outputs.restore-key }}
- name: Restore mise tools
if: ${{ inputs.use-cache == 'true' && github.ref != 'refs/heads/main' }}
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: |
~/.cache/mise
${{ steps.mise-data-dir.outputs.path }}
key: ${{ steps.cache-key.outputs.key }}
restore-keys: |
${{ steps.cache-key.outputs.restore-key }}
- name: Install mise tools
uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
with:
version: ${{ inputs.mise-version }}
sha256: ${{ steps.checksum.outputs.sha256 }}
mise_dir: ${{ steps.mise-data-dir.outputs.path }}
install_args: ${{ steps.cache-key.outputs.install-args }}
cache: "false"
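Review bot: The Cache mise tools and Restore mise tools steps hard-code `~/.cache/mise` as the download-cache path while MISE_DATA_DIR is pinned under RUNNER_TEMP (or LOCALAPPDATA on Windows); mise documents its default cache directory as platform-specific (`~/Library/Caches/mise` on macOS, under LOCALAPPDATA on Windows), so on the macOS and Windows runners this action is used from, the first path entry likely caches nothing and the real download cache is left out — please confirm against the MISE_CACHE_DIR docs. The robust fix is to pin MISE_CACHE_DIR exactly the way the Configure mise data directory step already pins MISE_DATA_DIR and hand both paths to actions/cache via step outputs, which also removes the reliance on `~` expansion; the zizmor ignore comment should then name both variables. Separately, the Select mise checksum step reads its helper from `${{ github.workspace }}/scripts/mise_checksum.sh`, so the action silently depends on the repository checkout; `description` should state that it must run after checkout.
```yaml
      - name: Configure mise data directory
        id: mise-data-dir
        shell: bash
        env:
          RUNNER_OS: ${{ runner.os }}
        run: | # zizmor: ignore[github-env] MISE_DATA_DIR and MISE_CACHE_DIR use only runner-provided paths.
          set -euo pipefail
          if [[ "${RUNNER_OS}" == "Windows" ]]; then
            data_dir="${LOCALAPPDATA:-${USERPROFILE}\\AppData\\Local}\\mise"
            cache_dir="${RUNNER_TEMP}\\mise-cache"
          else
            data_dir="${RUNNER_TEMP}/mise-data"
            cache_dir="${RUNNER_TEMP}/mise-cache"
          fi
          {
            printf 'path=%s\n' "${data_dir}"
            printf 'cache-path=%s\n' "${cache_dir}"
          } >> "$GITHUB_OUTPUT"
          printf 'MISE_DATA_DIR=%s\n' "${data_dir}" >> "$GITHUB_ENV"
          printf 'MISE_CACHE_DIR=%s\n' "${cache_dir}" >> "$GITHUB_ENV"
      - name: Cache mise tools
        if: ${{ inputs.use-cache == 'true' && github.ref == 'refs/heads/main' }}
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ steps.mise-data-dir.outputs.cache-path }}
            ${{ steps.mise-data-dir.outputs.path }}
          # … unchanged: key / restore-keys …
      # … unchanged: Restore mise tools step, with the same two path entries …
```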
@@ -0,0 +1,9 @@
# SHA256 hashes of the extracted mise binary verified by jdx/mise-action.
# Keys use the GitHub runner target for each release artifact.
["2026.5.12"]
linux-x64 = "a238972a3162d710b85b28c324372e96ca4e4b486c81fe78695000d9fbc77c48"
linux-arm64 = "fd2d5227a8ad0b1e359c70527a8345a9ada72077f8dcbb559371653c3d95464f"
macos-x64 = "de57e8dc82bbd880a69c9bc8aee06b9dcc578184b3e5cf86fcef80635d6a90b4"
macos-arm64 = "e777070540ffe22cf8b2b9f88aed88b461d0887d940c4f1c1a97359463cde6e1"
windows-x64 = "adf1b4c9f51e7d15cff723056fcd8fd51f40ebacadcca97fd5758c44d469d5ea"
-44
@@ -1,44 +0,0 @@
name: "Setup Node"
description: |
Sets up the node environment for tests, builds, etc.
inputs:
directory:
description: |
The directory to run the setup in.
required: false
default: "site"
runs:
using: "composite"
steps:
- name: Install pnpm
uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0 # v6.0.7
- name: Setup Node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22.19.0
# See https://github.com/actions/setup-node#caching-global-packages-data
cache: "pnpm"
cache-dependency-path: ${{ inputs.directory }}/pnpm-lock.yaml
- name: Verify Node
shell: bash
run: |
set -euo pipefail
expected="v22.19.0"
actual="$(node --version)"
if [[ "$actual" != "$expected" ]]; then
echo "::error::Expected Node.js $expected, but got $actual from $(command -v node)."
exit 1
fi
echo "Node.js $actual is active at $(command -v node)."
- name: Install root node_modules
shell: bash
run: ./scripts/pnpm_install.sh
- name: Install node_modules
shell: bash
run: ../scripts/pnpm_install.sh
working-directory: ${{ inputs.directory }}
-17
@@ -1,17 +0,0 @@
name: Setup sqlc
description: |
Sets up the sqlc environment for tests, builds, etc.
runs:
using: "composite"
steps:
- name: Setup sqlc
# uses: sqlc-dev/setup-sqlc@c0209b9199cd1cce6a14fc27cabcec491b651761 # v4.0.0
# with:
# sqlc-version: "1.30.0"
# Switched to coder/sqlc fork to fix ambiguous column bug, see:
# - https://github.com/coder/sqlc/pull/1
# - https://github.com/sqlc-dev/sqlc/pull/4159
shell: bash
run: |
./.github/scripts/retry.sh -- env CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@337309bfb9524f38466a5090e310040fc7af0203
-11
@@ -1,11 +0,0 @@
name: "Setup Terraform"
description: |
Sets up Terraform for tests, builds, etc.
runs:
using: "composite"
steps:
- name: Install Terraform
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: 1.15.5
terraform_wrapper: false
+155 -149
@@ -151,8 +151,13 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "node pnpm"
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- name: Check docs
run: pnpm check-docs
@@ -171,8 +176,10 @@ jobs:
# # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
# token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
# - name: Setup Go
# uses: ./.github/actions/setup-go
# - name: Set up mise tools
# uses: ./.github/actions/setup-mise
# with:
# install-args: "go"
# - name: Update Nix Flake SRI Hash
# run: ./scripts/update-flake.sh
@@ -208,18 +215,22 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go node pnpm helm actionlint aqua:crate-ci/typos"
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/golangci/golangci-lint/cmd/golangci-lint go:github.com/coder/paralleltestctx/cmd/paralleltestctx
- name: Get golangci-lint cache dir
run: |
# mise.toml is the source of truth for tool versions baked into
# the dogfood image; pull the same version for the lint job.
linter_ver=$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/')
./.github/scripts/retry.sh -- go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver"
dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }')
echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV"
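Review bot: golangci-lint is now installed twice in the lint job: the new Install Go mise tools step runs `mise install --locked go:github.com/golangci/golangci-lint/cmd/golangci-lint`, and the unchanged Get golangci-lint cache dir step below it still greps the version out of mise.toml and runs `go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver"`. Both should resolve to the same version, but having a copy in GOPATH/bin next to the mise-managed one makes it unclear which binary `golangci-lint cache status` and the later lint step actually use, and it defeats the point of the lockfile-pinned install. If the mise copy is the intended one, reduce that step to the cache lookup: `run: |` / `dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }')` / `echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV"`. The rest of the job continues outside this hunk, so there may be further references I cannot see.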
@@ -239,35 +250,13 @@ jobs:
# Check for any typos
- name: Check for typos
uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1
with:
config: .github/workflows/typos.toml
run: typos --config .github/workflows/typos.toml
- name: Fix the typos
if: ${{ failure() }}
run: |
echo "::notice:: you can automatically fix typos from your CLI:
cargo install typos-cli
typos -c .github/workflows/typos.toml -w"
# Needed for helm chart linting
- name: Install helm
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
with:
version: v3.9.2
continue-on-error: true
id: setup-helm
- name: Install helm (fallback)
if: steps.setup-helm.outcome == 'failure'
# Fallback to Buildkite's apt repository if get.helm.sh is down.
# See: https://github.com/coder/internal/issues/1109
run: |
set -euo pipefail
curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update
sudo apt-get install -y helm=3.9.2-1
mise exec aqua:crate-ci/typos -- typos -c .github/workflows/typos.toml -w"
- name: Verify helm version
run: helm version --short
@@ -287,15 +276,11 @@ jobs:
key: ${{ steps.golangci-lint-cache.outputs.cache-primary-key }}
- name: Check workflow files
run: |
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.4
./actionlint -color -shellcheck= -ignore "set-output"
run: actionlint -color -shellcheck= -ignore "set-output"
shell: bash
- name: Check for unstaged files
run: |
rm -f ./actionlint ./typos
./scripts/check_unstaged.sh
run: ./scripts/check_unstaged.sh
shell: bash
lint-actions:
@@ -303,7 +288,7 @@ jobs:
# Only run this job if changes to CI workflow files are detected. This job
# can flake as it reaches out to GitHub to check referenced actions.
if: needs.changes.outputs.ci == 'true'
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-24.04-8' || 'ubuntu-24.04' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
@@ -316,8 +301,10 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "actionlint zizmor"
- name: make lint/actions
run: make --output-sync=line -j lint/actions
@@ -341,30 +328,19 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go node pnpm terraform protoc protoc-gen-go"
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- name: Setup sqlc
uses: ./.github/actions/setup-sqlc
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Setup Terraform
uses: ./.github/actions/setup-tf
- name: go install tools
uses: ./.github/actions/setup-go-tools
- name: Install Protoc
run: |
mkdir -p /tmp/proto
pushd /tmp/proto
curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip
unzip protoc.zip
sudo cp -r ./bin/* /usr/local/bin
sudo cp -r ./include /usr/local/bin/include
popd
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:storj.io/drpc/cmd/protoc-gen-go-drpc go:github.com/coder/sqlc/cmd/sqlc
- name: make gen
timeout-minutes: 8
@@ -396,24 +372,26 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Check Go version
run: IGNORE_NIX=true ./scripts/check_go_versions.sh
# Use default Go version
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go node pnpm terraform"
- name: Install shfmt
run: ./.github/scripts/retry.sh -- go install mvdan.cc/sh/v3/cmd/shfmt@v3.7.0
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:mvdan.cc/sh/v3/cmd/shfmt
- name: make fmt
timeout-minutes: 7
run: |
PATH="${PATH}:$(go env GOPATH)/bin" \
make --output-sync -j -B fmt
run: make --output-sync -j -B fmt
- name: Check for unstaged files
run: ./scripts/check_unstaged.sh
@@ -476,13 +454,18 @@ jobs:
- name: Setup GNU tools (macOS)
uses: ./.github/actions/setup-gnu-tools
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
use-cache: true
install-args: "go terraform"
- name: Setup Terraform
uses: ./.github/actions/setup-tf
- name: Restore Go cache
uses: ./.github/actions/go-cache
with:
cache-path: ${{ steps.go-paths.outputs.cached-dirs }}
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum go:github.com/slsyy/mtimehash/cmd/mtimehash
- name: Download Test Cache
id: download-cache
@@ -651,11 +634,16 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go terraform"
- name: Setup Terraform
uses: ./.github/actions/setup-tf
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum
- name: Download Test Cache
id: download-cache
@@ -720,11 +708,16 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go terraform"
- name: Setup Terraform
uses: ./.github/actions/setup-tf
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum
- name: Download Test Cache
id: download-cache
@@ -799,8 +792,13 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go"
- name: Restore Go cache
uses: ./.github/actions/go-cache
# Used by some integration tests.
- name: Install Nginx
@@ -826,8 +824,13 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "node pnpm"
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- run: pnpm test:ci --max-workers "$(nproc)"
working-directory: site
@@ -859,11 +862,16 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go node pnpm"
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- name: Restore Go cache
uses: ./.github/actions/go-cache
# Assume that the checked-in versions are up-to-date
- run: make gen/mark-fresh
@@ -951,8 +959,13 @@ jobs:
ref: ${{ github.event.pull_request.head.ref }}
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "node pnpm"
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
# This step is not meant for mainline because any detected changes to
# storybook snapshots will require manual approval/review in order for
@@ -1030,29 +1043,21 @@ jobs:
fetch-depth: 0
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go node pnpm protoc protoc-gen-go"
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
with:
directory: offlinedocs
- name: Install Protoc
run: |
mkdir -p /tmp/proto
pushd /tmp/proto
curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip
unzip protoc.zip
sudo cp -r ./bin/* /usr/local/bin
sudo cp -r ./include /usr/local/bin/include
popd
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Install go tools
uses: ./.github/actions/setup-go-tools
- name: Setup sqlc
uses: ./.github/actions/setup-sqlc
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:storj.io/drpc/cmd/protoc-gen-go-drpc go:github.com/coder/sqlc/cmd/sqlc
- name: Format
run: |
@@ -1144,17 +1149,19 @@ jobs:
fetch-depth: 0
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go node pnpm"
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- name: Install go-winres
run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install nfpm
run: ./.github/scripts/retry.sh -- go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm
- name: Install zstd
run: sudo apt-get install -y zstd
@@ -1205,13 +1212,19 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
use-cache: false
install-args: "go node pnpm cosign syft"
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm
- name: Install rcodesign
run: |
@@ -1241,21 +1254,9 @@ jobs:
distribution: "zulu"
java-version: "11.0"
- name: Install go-winres
run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
- name: Install nfpm
run: ./.github/scripts/retry.sh -- go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1
- name: Install zstd
run: sudo apt-get install -y zstd
- name: Install cosign
uses: ./.github/actions/install-cosign
- name: Install syft
uses: ./.github/actions/install-syft
- name: Setup Windows EV Signing Certificate
run: |
set -euo pipefail
@@ -1579,11 +1580,16 @@ jobs:
with:
fetch-depth: 1
persist-credentials: false
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go"
- name: Setup sqlc
uses: ./.github/actions/setup-sqlc
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/sqlc/cmd/sqlc
- name: Setup and run sqlc vet
run: |
+7 -50
@@ -71,9 +71,6 @@ jobs:
packages: write # push the dogfood base image to ghcr.io/coder/oss-dogfood-base
env:
# MISE_EXPERIMENTAL opts into the experimental `oci` subcommand.
# Trust is set via a config file (see the Install mise step
# below) rather than MISE_TRUSTED_CONFIG_PATHS so the workspace
# template can keep parity with the same file-based approach.
MISE_EXPERIMENTAL: "1"
steps:
- name: Harden Runner
@@ -135,32 +132,9 @@ jobs:
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
if: matrix.image-version != 'nix'
- name: Install mise
if: matrix.image-version != 'nix'
# MISE_VERSION + MISE_SHA256 match dogfood/coder/ubuntu-*/Dockerfile.base
# so the mise binary baking the image is the same one a workspace
# ships with. `min_version` in mise.toml catches downgrades.
# Write trust config to ~/.config/mise/conf.d/ instead of using
# MISE_TRUSTED_CONFIG_PATHS so the same file-based approach
# works in workspaces (where the user owns the file).
env:
MISE_VERSION: v2026.5.12
MISE_SHA256: a238972a3162d710b85b28c324372e96ca4e4b486c81fe78695000d9fbc77c48
WORKSPACE: ${{ github.workspace }}
run: |
set -euo pipefail
curl --silent --show-error --location --fail \
"https://github.com/jdx/mise/releases/download/${MISE_VERSION}/mise-${MISE_VERSION}-linux-x64" \
--output /tmp/mise
echo "${MISE_SHA256} /tmp/mise" | sha256sum -c
sudo install -m 0755 /tmp/mise /usr/local/bin/mise
rm /tmp/mise
mise --version
mkdir -p "$HOME/.config/mise/conf.d"
cat > "$HOME/.config/mise/conf.d/00-ci-trust.toml" <<EOF
[settings]
trusted_config_paths = ["$WORKSPACE"]
EOF
- name: Set up mise tools
if: matrix.image-version != 'nix' && !github.event.pull_request.head.repo.fork
uses: ./.github/actions/setup-mise
- name: Compute image SHAs
# Match the fork guard on the downstream consumers of these
@@ -216,25 +190,6 @@ jobs:
ghcr.io/coder/oss-dogfood-base:${{ matrix.image-version }}-${{ steps.shas.outputs.base_sha }}
ghcr.io/coder/oss-dogfood-base:${{ matrix.image-version }}-${{ steps.docker-tag-name.outputs.tag }}
- name: Install mise tools
if: matrix.image-version != 'nix' && !github.event.pull_request.head.repo.fork
# `mise oci build` packages already-installed tools into OCI
# layers; it does not install them. Run `mise install` first so
# the tools land in MISE_DATA_DIR on the runner.
# github_token raises aqua's API quota during tool installs.
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# --locked refuses to resolve URLs at install time and forces
# the runner to consume what mise.lock already committed,
# so a forgotten lockfile entry fails CI instead of silently
# being added on next run.
mise install --yes --locked
# Put mise's shims dir on PATH for subsequent steps so
# `mise oci push --tool crane` can find crane (and any other
# mise-managed binary it shells out to).
echo "$HOME/.local/share/mise/shims" >> "$GITHUB_PATH"
- name: Build mise oci layer
if: matrix.image-version != 'nix' && !github.event.pull_request.head.repo.fork
env:
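Review bot: The removed Install mise tools step also carried `echo "$HOME/.local/share/mise/shims" >> "$GITHUB_PATH"`, which its comment says existed so that `mise oci push --tool crane` could find the mise-managed crane; the replacement Set up mise tools step in the previous hunk installs into a RUNNER_TEMP data directory, and nothing in this diff shows the shims or bin directory being exported. If jdx/mise-action does not put it on PATH by itself, the Build mise oci layer step, whose body continues outside this hunk, should run the command through `mise exec -- mise oci push --tool crane …` or export `${{ steps.mise-data-dir.outputs.path }}/shims` explicitly — please confirm against the action's behaviour. The old step also wrote an explicit `trusted_config_paths` config and passed `GITHUB_TOKEN` to raise aqua's API quota; neither is visibly replaced, so confirm that setup-mise trusts `mise.toml` and that unauthenticated tool downloads are acceptable for this job.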
@@ -360,8 +315,10 @@ jobs:
with:
persist-credentials: false
- name: Setup Terraform
uses: ./.github/actions/setup-tf
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "terraform"
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+13 -7
@@ -39,12 +39,16 @@ jobs:
fetch-depth: 0
persist-credentials: false
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up Go
uses: ./.github/actions/setup-mise
with:
install-args: "go"
- name: Install whichtests
shell: bash
run: ./.github/scripts/retry.sh -- go install github.com/coder/whichtests@ec33bab1ec04cd86beb7a61a069db4463dba63f5
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/whichtests
- name: Select changed tests
id: selector
@@ -57,9 +61,11 @@ jobs:
--coalesce \
--out-matrix "$RUNNER_TEMP/flake-matrix.json"
- name: Setup Terraform
- name: Set up Terraform
if: ${{ fromJSON(steps.selector.outputs.matrix).include[0] != null }}
uses: ./.github/actions/setup-tf
uses: ./.github/actions/setup-mise
with:
install-args: "terraform"
- name: Run targeted Go flake checks
id: flake_check
+9 -4
@@ -62,11 +62,16 @@ jobs:
- name: Setup GNU tools (macOS)
uses: ./.github/actions/setup-gnu-tools
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go terraform"
- name: Setup Terraform
uses: ./.github/actions/setup-tf
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum
- name: Setup Embedded Postgres Cache Paths
id: embedded-pg-cache
+11 -6
@@ -238,14 +238,19 @@ jobs:
fetch-depth: 0
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go node pnpm"
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- name: Setup sqlc
uses: ./.github/actions/setup-sqlc
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/sqlc/cmd/sqlc
- name: GHCR Login
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+8 -21
@@ -172,13 +172,16 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
use-cache: false
install-args: "go node pnpm helm cosign syft"
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Install pnpm dependencies
uses: ./.github/actions/pnpm-install
- name: Install Go mise tools
run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm
# Necessary for signing Windows binaries.
- name: Setup Java
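Review bot: `use-cache: false` in the Set up mise tools step is a YAML boolean handed to a composite input whose declared default is the string "true" and which the action tests with `inputs.use-cache == 'true'`; GitHub stringifies it, so it works, but it is inconsistent with the quoted `install-args` beside it and with the action's own declaration. Writing `use-cache: "false"` keeps the contract explicit and yamllint-clean; the same applies to the ci.yaml call sites that pass `use-cache: true` (which equals the default and could be dropped) and `use-cache: false`.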
@@ -187,19 +190,9 @@ jobs:
distribution: "zulu"
java-version: "11.0"
- name: Install go-winres
run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
- name: Install nsis and zstd
run: sudo apt-get install -y nsis zstd
- name: Install nfpm
run: |
set -euo pipefail
wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.35.1/nfpm_2.35.1_amd64.deb
sudo dpkg -i /tmp/nfpm.deb
rm /tmp/nfpm.deb
- name: Install rcodesign
run: |
set -euo pipefail
@@ -210,12 +203,6 @@ jobs:
apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
rm /tmp/rcodesign.tar.gz
- name: Install cosign
uses: ./.github/actions/install-cosign
- name: Install syft
uses: ./.github/actions/install-syft
- name: Setup Apple Developer certificate and API key
run: |
set -euo pipefail
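Review bot: The removed go-winres step pinned the build to a commit (`@d743268d…`, annotated as v0.3.3); the replacement resolves `go:github.com/tc-hib/go-winres` at tag `v0.3.3` through mise (per mise.toml in this commit), and a tag can be moved where a commit cannot. Go's module proxy and checksum database make a silently retagged release fail verification once that version has been recorded, so the regression is bounded, but either keeping the commit as the mise version (the sqlc and whichtests entries in mise.toml already pin commits) or noting the reliance in a comment would preserve the old guarantee. Separately, the rcodesign install that survives this hunk (tarball extraction, `rm /tmp/rcodesign.tar.gz`) stays outside mise.lock, and the hunk does not show whether that download is checksum-verified; if it is not, a `sha256sum -c` before extraction would bring it to the same standard as the mise-managed tools. `use-cache: false` for the release job is the right call.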
+7 -2
@@ -36,8 +36,13 @@ jobs:
with:
persist-credentials: false
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go"
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Initialize CodeQL
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
+57 -4
@@ -14,7 +14,54 @@ permissions:
contents: read
jobs:
prepare-linkspector-browser:
# later versions of Ubuntu have disabled unprivileged user namespaces, which are required by the action
runs-on: ubuntu-22.04
permissions:
contents: read
env:
CHROME_BUILD_ID: "145.0.7632.77"
outputs:
browser-cache-key: ${{ steps.browser-versions.outputs.cache-key }}
chrome-path: ${{ steps.install-chrome.outputs.path }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "node npm:@puppeteer/browsers"
- name: Get browser versions
id: browser-versions
run: |
set -euo pipefail
installer_version="$(mise current npm:@puppeteer/browsers)"
echo "cache-key=puppeteer-${RUNNER_OS}-${RUNNER_ARCH}-browsers-${installer_version}-chrome-${CHROME_BUILD_ID}" >> "$GITHUB_OUTPUT"
- name: Restore Puppeteer browser cache
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ~/.cache/puppeteer
key: ${{ steps.browser-versions.outputs.cache-key }}
- name: Install Linkspector Chrome
id: install-chrome
run: |
set -euo pipefail
chrome_path="$(browsers install "chrome@${CHROME_BUILD_ID}" --path "${HOME}/.cache/puppeteer" --format '{{path}}')"
echo "path=${chrome_path}" >> "$GITHUB_OUTPUT"
check-docs:
needs: prepare-linkspector-browser
# later versions of Ubuntu have disabled unprivileged user namespaces, which are required by the action
runs-on: ubuntu-22.04
permissions:
@@ -54,15 +101,21 @@ jobs:
corepack enable pnpm
mkdir -p "$(pnpm store path --silent)"
- name: Restore Puppeteer browser cache
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ~/.cache/puppeteer
key: ${{ needs.prepare-linkspector-browser.outputs.browser-cache-key }}
- name: Check Markdown links
uses: umbrelladocs/action-linkspector@036f295d12b67b0c4b445bc83db0538afb78db69 # v1.5.2
id: markdown-link-check
# checks all markdown files from /docs including all subfolders
env:
# Use the runner-provided Chrome instead of letting linkspector's
# puppeteer download a specific version that may not match the
# runner's puppeteer cache. See: https://github.com/UmbrellaDocs/action-linkspector/issues/62
PUPPETEER_EXECUTABLE_PATH: /usr/bin/google-chrome
# Use the Chrome build prepared from mise-pinned Puppeteer instead
# of letting linkspector download a mutable browser at runtime.
# See: https://github.com/UmbrellaDocs/action-linkspector/issues/62
PUPPETEER_EXECUTABLE_PATH: ${{ needs.prepare-linkspector-browser.outputs.chrome-path }}
with:
reporter: github-pr-review
config_file: ".github/.linkspector.yml"
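Review bot: In check-docs the `actions/cache/restore` step depends on the key produced by prepare-linkspector-browser but sets no `fail-on-cache-miss: true`, so a miss (eviction between jobs, or a save failure in the prepare job) leaves `PUPPETEER_EXECUTABLE_PATH` pointing at a path that does not exist on this runner; linkspector then fails with a less obvious error or, depending on how it handles a missing executable, may fall back to downloading a browser, which is what the new comment says this setup is meant to prevent. Adding `fail-on-cache-miss: true` to that restore step makes the dependency explicit. The Chrome download itself is pinned only by `CHROME_BUILD_ID`; the hunk shows no checksum on the fetched build, and harden-runner runs with `egress-policy: audit`, so once the download hosts are known from the audit output, `egress-policy: block` with an `allowed-endpoints` list would constrain what the prepare job can reach.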
+20 -30
@@ -728,11 +728,11 @@ endif
# GitHub Actions linters are run in a separate CI job (lint-actions) that only
# triggers when workflow files change, so we skip them here when CI=true.
LINT_ACTIONS_TARGETS := $(if $(CI),,lint/actions/actionlint)
lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/check-scopes lint/migrations lint/bootstrap lint/architecture lint/emdash lint/agents $(LINT_ACTIONS_TARGETS)
lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/check-scopes lint/migrations lint/bootstrap lint/architecture lint/emdash lint/agents lint/mise-versions $(LINT_ACTIONS_TARGETS)
.PHONY: lint
# Subset of lint that does not require Go or Node toolchains.
lint-light: lint/shellcheck lint/markdown lint/helm lint/bootstrap lint/migrations lint/actions/actionlint lint/typos lint/emdash
# Fast lint subset for lightweight hooks. Some targets use mise-managed tools.
lint-light: lint/shellcheck lint/markdown lint/helm lint/bootstrap lint/migrations lint/actions/actionlint lint/typos lint/emdash lint/mise-versions
.PHONY: lint-light
lint/site-icons:
@@ -745,9 +745,8 @@ lint/ts: site/node_modules/.installed
.PHONY: lint/ts
lint/go:
linter_ver=$$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/')
go run github.com/golangci/golangci-lint/cmd/golangci-lint@v$$linter_ver run
go tool github.com/coder/paralleltestctx/cmd/paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./...
golangci-lint run
paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./...
go run ./scripts/intxcheck ./...
.PHONY: lint/go
@@ -790,16 +789,27 @@ lint/actions: lint/actions/actionlint lint/actions/zizmor
.PHONY: lint/actions
lint/actions/actionlint:
go tool github.com/rhysd/actionlint/cmd/actionlint
mise exec actionlint -- actionlint
.PHONY: lint/actions/actionlint
# zizmor uses GH_TOKEN to fetch imported workflows from GitHub; without it,
# external action references are skipped silently.
lint/actions/zizmor:
./scripts/zizmor.sh \
@set -euo pipefail; \
if [ -z "$${GH_TOKEN:-}" ] && command -v gh >/dev/null 2>&1; then \
GH_TOKEN="$$(gh auth token 2>/dev/null || true)"; \
export GH_TOKEN; \
fi; \
mise exec zizmor -- zizmor \
--strict-collection \
--persona=regular \
.
.PHONY: lint/actions/zizmor
lint/mise-versions:
./scripts/check_mise_versions.sh
.PHONY: lint/mise-versions
# Verify api_key_scope enum contains all RBAC <resource>:<action> values.
lint/check-scopes: coderd/database/dump.sql | _gen/bin/check-scopes
_gen/bin/check-scopes
@@ -811,28 +821,8 @@ lint/migrations:
./scripts/check_pg_schema.sh "Fixtures" $(FIXTURE_FILES)
.PHONY: lint/migrations
TYPOS_VERSION := $(shell grep -oP 'crate-ci/typos@\S+\s+\#\s+v\K[0-9.]+' .github/workflows/ci.yaml)
# Map uname values to typos release asset names.
TYPOS_ARCH := $(shell uname -m)
# typos release assets use aarch64, but macOS ARM reports arm64 via uname -m.
ifeq ($(TYPOS_ARCH),arm64)
TYPOS_ARCH := aarch64
endif
ifeq ($(shell uname -s),Darwin)
TYPOS_OS := apple-darwin
else
TYPOS_OS := unknown-linux-musl
endif
build/typos-$(TYPOS_VERSION):
mkdir -p build/
curl -sSfL "https://github.com/crate-ci/typos/releases/download/v$(TYPOS_VERSION)/typos-v$(TYPOS_VERSION)-$(TYPOS_ARCH)-$(TYPOS_OS).tar.gz" \
| tar -xzf - -C build/ ./typos
mv build/typos "$@"
lint/typos: build/typos-$(TYPOS_VERSION)
build/typos-$(TYPOS_VERSION) --config .github/workflows/typos.toml
lint/typos:
typos --config .github/workflows/typos.toml
.PHONY: lint/typos
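Review bot: `lint/actions/zizmor` now starts its recipe with `@set -euo pipefail;`, and `pipefail` is not POSIX `sh`; unless the Makefile sets `SHELL := bash` somewhere outside this hunk (not visible here), make's default `/bin/sh` on Debian-based hosts (dash) rejects it and the recipe fails before zizmor runs. If `SHELL` is not already set, either set it for this recipe or drop `pipefail`, since the recipe contains no pipeline. Also, `lint/go` now calls bare `golangci-lint run` and `paralleltestctx` while `lint/actions/actionlint` and `lint/actions/zizmor` go through `mise exec`; unless mise is activated in the shell, a host-installed golangci-lint earlier on PATH shadows the pinned one, so wrapping those two calls with `mise exec` the same way would keep the pinned versions authoritative.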
# pre-commit and pre-push mirror CI checks locally.
+5 -1
@@ -58,7 +58,11 @@ Learn more [how Nix works](https://nixos.org/guides/how-nix-works).
If you're not using the Nix environment, you can launch a local [DevContainer](https://github.com/coder/coder/tree/main/.devcontainer) to get a fully configured development environment.
DevContainers are supported in tools like **VS Code** and **GitHub Codespaces**, and come preloaded with all required dependencies: Docker, Go, Node.js with `pnpm`, and `make`.
DevContainers are supported in tools like **VS Code** and **GitHub Codespaces**, and come preloaded with all required dependencies: Docker, Go, Node.js with `pnpm`, `mise`, and `make`.
For manual setup outside Nix and DevContainers, install Docker, `mise`, and
`make`. Run `mise install` from the repository root to install Go, Node.js
with `pnpm`, and development tools at the versions pinned in `mise.toml`.
</div>
+41
@@ -61,6 +61,30 @@
inherit nodejs; # Ensure it points to the above nodejs version
};
mise = pkgs.stdenvNoCC.mkDerivation rec {
pname = "mise";
version = "2026.5.12";
target = {
x86_64-linux = "linux-x64";
aarch64-linux = "linux-arm64";
x86_64-darwin = "macos-x64";
aarch64-darwin = "macos-arm64";
}.${system};
src = pkgs.fetchurl {
url = "https://github.com/jdx/mise/releases/download/v${version}/mise-v${version}-${target}";
hash = {
x86_64-linux = "sha256-ojiXKjFi1xC4WyjDJDculspOS0hsgf54aVAA2fvHfEg=";
aarch64-linux = "sha256-/S1SJ6itCx41nHBSeoNFqa2nIHf43LtVk3FlPD2VRk8=";
x86_64-darwin = "sha256-3lfo3IK72ICmnJvIruBrncxXgYSz5c+G/O+AY11qkLQ=";
aarch64-darwin = "sha256-53cHBUD/4iz4srn4iu2ItGHQiH2UDE8cGpc1lGPN5uE=";
}.${system};
};
dontUnpack = true;
installPhase = ''
install -Dm755 "$src" "$out/bin/mise"
'';
};
# Check in https://search.nixos.org/packages to find new packages.
# Use `nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update`
# to update the lock file if packages are out-of-date.
@@ -109,6 +133,21 @@
vendorHash = "sha256-4Cb15MhKyhRvYVKfMqBwuC3WBBIJE6AinJt02+TSMVY=";
};
paralleltestctx = unstablePkgs.buildGo126Module {
pname = "paralleltestctx";
version = "0.0.2";
src = pkgs.fetchFromGitHub {
owner = "coder";
repo = "paralleltestctx";
rev = "v0.0.2";
sha256 = "sha256-qFQ4LZR2IwqscypD0URSZKXTlhUcz/axDb8NTH5CxLw=";
};
subPackages = [ "cmd/paralleltestctx" ];
vendorHash = "sha256-OuQWmZmofdJKq1hvk43RPkILQwAuFzqhmB22Xf6Z3lA=";
};
# Keep Terraform aligned with provisioner/terraform/testdata/version.txt
# so `make gen` remains deterministic in Nix shells.
terraform_1_15_5 =
@@ -188,6 +227,7 @@
lazydocker
lazygit
less
mise
unstablePkgs.mockgen
moreutils
nfpm
@@ -195,6 +235,7 @@
nodejs
openssh
openssl
paralleltestctx
pango
pixman
pkg-config
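Review bot: The mise derivation hard-codes four per-platform `hash` values for the upstream release binaries with no comment on where they came from; the mise.toml header in this commit says the version must stay in lockstep with `.github/actions/setup-mise/checksums.toml`, so a one-line comment above `hash`, e.g. `# sha256 of the upstream release asset; must match .github/actions/setup-mise/checksums.toml for the same version`, tells the next bumper how to verify them instead of copying whatever `nix build` reports on a hash-mismatch failure (the usual trust-on-first-use shortcut). Whether the new `scripts/check_mise_versions.sh` cross-checks these hashes against that file is not visible from this hunk. The paralleltestctx derivation pins both `rev` and `vendorHash`, which is fine.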
-5
@@ -571,7 +571,6 @@ require (
github.com/clipperhouse/displaywidth v0.10.0 // indirect
github.com/clipperhouse/uax29/v2 v2.6.0 // indirect
github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 // indirect
github.com/coder/paralleltestctx v0.0.2 // indirect
github.com/containerd/errdefs v1.0.0 // indirect
github.com/containerd/errdefs/pkg v0.3.0 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
@@ -618,7 +617,6 @@ require (
github.com/lestrrat-go/httprc/v3 v3.0.5 // indirect
github.com/lestrrat-go/jwx/v3 v3.1.1 // indirect
github.com/lestrrat-go/option/v2 v2.0.0 // indirect
github.com/mattn/go-shellwords v1.0.12 // indirect
github.com/minio/highwayhash v1.0.4-0.20251030100505-070ab1a87a76 // indirect
github.com/moby/moby/api v1.54.0 // indirect
github.com/moby/moby/client v0.3.0 // indirect
@@ -632,7 +630,6 @@ require (
github.com/pb33f/ordered-map/v2 v2.3.1 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
github.com/rhysd/actionlint v1.7.10 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/samber/lo v1.52.0 // indirect
github.com/segmentio/asm v1.2.1 // indirect
@@ -664,9 +661,7 @@ require (
)
tool (
github.com/coder/paralleltestctx/cmd/paralleltestctx
github.com/daixiang0/gci
github.com/rhysd/actionlint/cmd/actionlint
github.com/swaggo/swag/cmd/swag
go.uber.org/mock/mockgen
golang.org/x/tools/cmd/goimports
-6
@@ -334,8 +334,6 @@ github.com/coder/go-scim/pkg/v2 v2.0.0-20230221055123-1d63c1222136 h1:0RgB61LcNs
github.com/coder/go-scim/pkg/v2 v2.0.0-20230221055123-1d63c1222136/go.mod h1:VkD1P761nykiq75dz+4iFqIQIZka189tx1BQLOp0Skc=
github.com/coder/guts v1.7.0 h1:TaZ/PR9wgN8dlbcckaWV1MxkkuEFZRwSRwBBEm8dYXs=
github.com/coder/guts v1.7.0/go.mod h1:30SShdvpmsauNlsNjECRB5AppScjYk08rf2ZVpH3MFg=
github.com/coder/paralleltestctx v0.0.2 h1:0akzA1oSV0LOl7loR8Mmoq/mu7qGDaFV8DpojotmXiE=
github.com/coder/paralleltestctx v0.0.2/go.mod h1:q/wi6cmlBOhrJKjUtouTn4J9xZlRhK0MbgHvJNdGW3w=
github.com/coder/pq v1.10.5-0.20250807075151-6ad9b0a25151 h1:YAxwg3lraGNRwoQ18H7R7n+wsCqNve7Brdvj0F1rDnU=
github.com/coder/pq v1.10.5-0.20250807075151-6ad9b0a25151/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0 h1:3A0ES21Ke+FxEM8CXx9n47SZOKOpgSE1bbJzlE4qPVs=
@@ -881,8 +879,6 @@ github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+Ei
github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
@@ -1063,8 +1059,6 @@ github.com/quasilyte/go-ruleguard/dsl v0.3.23 h1:lxjt5B6ZCiBeeNO8/oQsegE6fLeCzuM
github.com/quasilyte/go-ruleguard/dsl v0.3.23/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg=
github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/rhysd/actionlint v1.7.10 h1:FL3XIEs72G4/++168vlv5FKOWMSWvWIQw1kBCadyOcM=
github.com/rhysd/actionlint v1.7.10/go.mod h1:ZHX/hrmknlsJN73InPTKsKdXpAv9wVdrJy8h8HAwFHg=
github.com/riandyrn/otelchi v0.5.1 h1:0/45omeqpP7f/cvdL16GddQBfAEmZvUyl2QzLSE6uYo=
github.com/riandyrn/otelchi v0.5.1/go.mod h1:ZxVxNEl+jQ9uHseRYIxKWRb3OY8YXFEu+EkNiiSNUEA=
github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY=
+148 -71
@@ -1,5 +1,53 @@
# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
[[tools.actionlint]]
version = "1.7.10"
backend = "aqua:rhysd/actionlint"
[tools.actionlint."platforms.linux-arm64"]
checksum = "sha256:cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_arm64.tar.gz"
[tools.actionlint."platforms.linux-arm64-musl"]
checksum = "sha256:cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_arm64.tar.gz"
[tools.actionlint."platforms.linux-x64"]
checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz"
[tools.actionlint."platforms.linux-x64-baseline"]
checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz"
[tools.actionlint."platforms.linux-x64-musl"]
checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz"
[tools.actionlint."platforms.linux-x64-musl-baseline"]
checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz"
[tools.actionlint."platforms.macos-arm64"]
checksum = "sha256:004ca87b367b37f4d75c55ab6cf80f9b8c043adbfbd440f31c604d417939c442"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_arm64.tar.gz"
[tools.actionlint."platforms.macos-x64"]
checksum = "sha256:16782c41f2af264db80f855ee5d09164ca98fc78edf3bcd0f46eecff279682ba"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_amd64.tar.gz"
[tools.actionlint."platforms.macos-x64-baseline"]
checksum = "sha256:16782c41f2af264db80f855ee5d09164ca98fc78edf3bcd0f46eecff279682ba"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_amd64.tar.gz"
[tools.actionlint."platforms.windows-x64"]
checksum = "sha256:283467f9d6202a8cb8c00ad8dd0ee4e685b71fb86a6a56c68fcbb9ae8ed91237"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_windows_amd64.zip"
[tools.actionlint."platforms.windows-x64-baseline"]
checksum = "sha256:283467f9d6202a8cb8c00ad8dd0ee4e685b71fb86a6a56c68fcbb9ae8ed91237"
url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_windows_amd64.zip"
[[tools."aqua:ahmetb/kubectx/kubens"]]
version = "0.9.4"
backend = "aqua:ahmetb/kubectx/kubens"
@@ -432,14 +480,26 @@ url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip"
checksum = "sha256:98eb3570bade15cb826b0909338df6cc6d2cf590bc39c471142002db3832b708"
url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip"
[[tools."go:github.com/coder/paralleltestctx/cmd/paralleltestctx"]]
version = "0.0.2"
backend = "go:github.com/coder/paralleltestctx/cmd/paralleltestctx"
[[tools."go:github.com/coder/sqlc/cmd/sqlc"]]
version = "337309bfb9524f38466a5090e310040fc7af0203"
backend = "go:github.com/coder/sqlc/cmd/sqlc"
[[tools."go:github.com/coder/whichtests"]]
version = "ec33bab1ec04cd86beb7a61a069db4463dba63f5"
backend = "go:github.com/coder/whichtests"
[[tools."go:github.com/golang-migrate/migrate/v4/cmd/migrate"]]
version = "v4.19.0"
backend = "go:github.com/golang-migrate/migrate/v4/cmd/migrate"
[[tools."go:github.com/golangci/golangci-lint/cmd/golangci-lint"]]
version = "1.64.8"
backend = "go:github.com/golangci/golangci-lint/cmd/golangci-lint"
[[tools."go:github.com/goreleaser/nfpm/v2/cmd/nfpm"]]
version = "v2.35.1"
backend = "go:github.com/goreleaser/nfpm/v2/cmd/nfpm"
@@ -452,10 +512,18 @@ backend = "go:github.com/mikefarah/yq/v4"
version = "v0.3.13"
backend = "go:github.com/quasilyte/go-ruleguard/cmd/ruleguard"
[[tools."go:github.com/slsyy/mtimehash/cmd/mtimehash"]]
version = "1.0.0"
backend = "go:github.com/slsyy/mtimehash/cmd/mtimehash"
[[tools."go:github.com/swaggo/swag/cmd/swag"]]
version = "v1.16.2"
backend = "go:github.com/swaggo/swag/cmd/swag"
[[tools."go:github.com/tc-hib/go-winres"]]
version = "0.3.3"
backend = "go:github.com/tc-hib/go-winres"
[[tools."go:go.uber.org/mock/mockgen"]]
version = "v0.6.0"
backend = "go:go.uber.org/mock/mockgen"
@@ -480,54 +548,6 @@ backend = "go:mvdan.cc/sh/v3/cmd/shfmt"
version = "v0.0.34"
backend = "go:storj.io/drpc/cmd/protoc-gen-go-drpc"
[[tools.golangci-lint]]
version = "1.64.8"
backend = "aqua:golangci/golangci-lint"
[tools.golangci-lint."platforms.linux-arm64"]
checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz"
[tools.golangci-lint."platforms.linux-arm64-musl"]
checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz"
[tools.golangci-lint."platforms.linux-x64"]
checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
[tools.golangci-lint."platforms.linux-x64-baseline"]
checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
[tools.golangci-lint."platforms.linux-x64-musl"]
checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
[tools.golangci-lint."platforms.linux-x64-musl-baseline"]
checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
[tools.golangci-lint."platforms.macos-arm64"]
checksum = "sha256:70543d21e5b02a94079be8aa11267a5b060865583e337fe768d39b5d3e2faf1f"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-arm64.tar.gz"
[tools.golangci-lint."platforms.macos-x64"]
checksum = "sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz"
[tools.golangci-lint."platforms.macos-x64-baseline"]
checksum = "sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz"
[tools.golangci-lint."platforms.windows-x64"]
checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip"
[tools.golangci-lint."platforms.windows-x64-baseline"]
checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f"
url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip"
[[tools.helm]]
version = "3.21.0"
backend = "aqua:helm/helm"
@@ -723,6 +743,10 @@ url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-win-x64.zip"
version = "0.87.0"
backend = "npm:@devcontainers/cli"
[[tools."npm:@puppeteer/browsers"]]
version = "2.13.0"
backend = "npm:@puppeteer/browsers"
[[tools.pnpm]]
version = "10.33.2"
backend = "aqua:pnpm/pnpm"
@@ -848,52 +872,52 @@ url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/
url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.windows.amd64.zip"
[[tools.syft]]
version = "1.20.0"
version = "1.26.1"
backend = "aqua:anchore/syft"
[tools.syft."platforms.linux-arm64"]
checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz"
checksum = "sha256:ed3915cbc9c039f0501cb49d4485125befbd729acc263e767f70a18de3fec10d"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_arm64.tar.gz"
[tools.syft."platforms.linux-arm64-musl"]
checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz"
checksum = "sha256:ed3915cbc9c039f0501cb49d4485125befbd729acc263e767f70a18de3fec10d"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_arm64.tar.gz"
[tools.syft."platforms.linux-x64"]
checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz"
[tools.syft."platforms.linux-x64-baseline"]
checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz"
[tools.syft."platforms.linux-x64-musl"]
checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz"
[tools.syft."platforms.linux-x64-musl-baseline"]
checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz"
[tools.syft."platforms.macos-arm64"]
checksum = "sha256:91365712a06af0c0dcd06f5e87fc8791c4332831b3dd6f5474acaaf803d71d82"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_arm64.tar.gz"
checksum = "sha256:00435a3fe2ae940203708ee2eae9976d1719982c628d30b2b78aacd36133ec6b"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_arm64.tar.gz"
[tools.syft."platforms.macos-x64"]
checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz"
checksum = "sha256:2eae0b76a208c5916cf02847b94e861024c7a5a6c1e2e606f5436f97747b1f76"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_amd64.tar.gz"
[tools.syft."platforms.macos-x64-baseline"]
checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz"
checksum = "sha256:2eae0b76a208c5916cf02847b94e861024c7a5a6c1e2e606f5436f97747b1f76"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_amd64.tar.gz"
[tools.syft."platforms.windows-x64"]
checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip"
checksum = "sha256:7af7acb9f81bdddbc343855cb3a42e1d38ae9a1b044bfcd9b975a118d107849e"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_windows_amd64.zip"
[tools.syft."platforms.windows-x64-baseline"]
checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f"
url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip"
checksum = "sha256:7af7acb9f81bdddbc343855cb3a42e1d38ae9a1b044bfcd9b975a118d107849e"
url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_windows_amd64.zip"
[[tools.terraform]]
version = "1.15.5"
@@ -942,3 +966,56 @@ url = "https://releases.hashicorp.com/terraform/1.15.5/terraform_1.15.5_windows_
[tools.terraform."platforms.windows-x64-baseline"]
checksum = "sha256:2f652dd854af7b7fbb51301afc55b5ef1d3f6e287be7889d4cc3818df891cd38"
url = "https://releases.hashicorp.com/terraform/1.15.5/terraform_1.15.5_windows_amd64.zip"
[[tools.zizmor]]
version = "1.11.0"
backend = "aqua:zizmorcore/zizmor"
[tools.zizmor."platforms.linux-arm64"]
checksum = "sha256:ce6d71e796b7d3663449151b08cee7c659f89bf36095c432e25169c857f479f0"
url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-aarch64-unknown-linux-gnu.tar.gz"
provenance = "github-attestations"
[tools.zizmor."platforms.linux-arm64-musl"]
provenance = "github-attestations"
[tools.zizmor."platforms.linux-x64"]
checksum = "sha256:da35e666827cbb1e6ca98b18b7969657b9f186467bfebfa25e730aac527c36f8"
url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-unknown-linux-gnu.tar.gz"
provenance = "github-attestations"
[tools.zizmor."platforms.linux-x64-baseline"]
checksum = "sha256:da35e666827cbb1e6ca98b18b7969657b9f186467bfebfa25e730aac527c36f8"
url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-unknown-linux-gnu.tar.gz"
provenance = "github-attestations"
[tools.zizmor."platforms.linux-x64-musl"]
provenance = "github-attestations"
[tools.zizmor."platforms.linux-x64-musl-baseline"]
provenance = "github-attestations"
[tools.zizmor."platforms.macos-arm64"]
checksum = "sha256:7cf59f08cb50f539ab9ddc6be1d463c81e31f5b189d148fc6f786adf9fc42a5f"
url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-aarch64-apple-darwin.tar.gz"
provenance = "github-attestations"
[tools.zizmor."platforms.macos-x64"]
checksum = "sha256:a1f60dd09527ce546ff86e49ebfa1ab4a6c5d16365662e6932f8d0f46fbb18b2"
url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-apple-darwin.tar.gz"
provenance = "github-attestations"
[tools.zizmor."platforms.macos-x64-baseline"]
checksum = "sha256:a1f60dd09527ce546ff86e49ebfa1ab4a6c5d16365662e6932f8d0f46fbb18b2"
url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-apple-darwin.tar.gz"
provenance = "github-attestations"
[tools.zizmor."platforms.windows-x64"]
checksum = "sha256:35e038bdbde6fcfdf947c947c7c3fc83c5043e0ded0e5b0d59c30c8eda97fd3a"
url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-pc-windows-msvc.zip"
provenance = "github-attestations"
[tools.zizmor."platforms.windows-x64-baseline"]
checksum = "sha256:35e038bdbde6fcfdf947c947c7c3fc83c5043e0ded0e5b0d59c30c8eda97fd3a"
url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-pc-windows-msvc.zip"
provenance = "github-attestations"
+18 -4
@@ -1,5 +1,6 @@
# Keep in lockstep with MISE_VERSION in dogfood/coder/ubuntu-*/Dockerfile.base,
# .github/workflows/dogfood.yaml, and scripts/dogfood/mise-oci-wrapper.sh.
# Keep in lockstep with .github/actions/setup-mise/action.yml,
# .github/actions/setup-mise/checksums.toml, flake.nix,
# dogfood/coder/ubuntu-*/Dockerfile.base, and scripts/dogfood/mise-oci-wrapper.sh.
min_version = "2026.5.12"
[settings]
@@ -19,8 +20,17 @@ protoc = "23.4"
protoc-gen-go = "1.30.0"
# Go development tools.
"go:github.com/coder/paralleltestctx/cmd/paralleltestctx" = "v0.0.2"
"go:github.com/coder/whichtests" = "ec33bab1ec04cd86beb7a61a069db4463dba63f5"
# Keep golangci-lint on the Go backend while pinned to v1. The upstream
# precompiled v1 binary is built with an older Go toolchain and cannot lint
# this module's Go version. Upgrading to v2 should let us use the native
# golangci-lint mise/aqua backend and GitHub release binaries.
"go:github.com/golangci/golangci-lint/cmd/golangci-lint" = "v1.64.8"
"go:github.com/golang-migrate/migrate/v4/cmd/migrate" = "v4.19.0"
"go:github.com/goreleaser/nfpm/v2/cmd/nfpm" = "v2.35.1"
"go:github.com/slsyy/mtimehash/cmd/mtimehash" = "v1.0.0"
"go:github.com/tc-hib/go-winres" = "v0.3.3"
"go:github.com/mikefarah/yq/v4" = "v4.44.3"
"go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" = "v0.3.13"
"go:github.com/swaggo/swag/cmd/swag" = "v1.16.2"
@@ -30,17 +40,18 @@ protoc-gen-go = "1.30.0"
"go:mvdan.cc/sh/v3/cmd/shfmt" = "v3.12.0"
# Infrastructure, release, and lint CLIs.
actionlint = "1.7.10"
"aqua:ahmetb/kubectx/kubens" = "0.9.4"
cosign = "2.4.3"
# crane is the registry client `mise oci push` shells out to. Sourced
# here so it travels with the rest of the mise toolset (one source of
# truth, deterministic version, no apt drift across CI / wrapper).
crane = "0.21.6"
golangci-lint = "1.64.8"
helm = "3.21.0"
kubectx = "0.9.4"
syft = "1.20.0"
syft = "1.26.1"
terraform = "1.15.5"
zizmor = "1.11.0"
# Developer-environment niceties for the dogfood image. Non-dogfood
# users who run `mise install` here will pull these too; they are
@@ -60,6 +71,9 @@ lazygit = "0.61.1"
# Pre-installs the binary so the upstream devcontainers-cli coder
# module's `command -v devcontainer` short-circuit fires
"npm:@devcontainers/cli" = "0.87.0"
# weekly-docs uses this pinned Puppeteer browser installer to install Chrome for
# action-linkspector without resolving mutable npm metadata at runtime.
"npm:@puppeteer/browsers" = "2.13.0"
# sqlc (coder fork) bundles sqlite via cgo, so the `go install` build
# needs CGO_ENABLED=1. Scope it with `install_env` so it only applies
-7
@@ -5,7 +5,6 @@
# - go.mod
# - mise.toml (the dogfood image installs from this manifest)
# - flake.nix
# - .github/actions/setup-go/action.yml
# The version of Go in go.mod is considered the source of truth.
set -euo pipefail
@@ -19,23 +18,17 @@ IGNORE_NIX=${IGNORE_NIX:-false}
GO_VERSION_GO_MOD=$(grep -Eo 'go [0-9]+\.[0-9]+\.[0-9]+' ./go.mod | cut -d' ' -f2)
GO_VERSION_MISE_TOML=$(grep -Eo '^go = "[0-9]+\.[0-9]+\.[0-9]+"' ./mise.toml | sed -E 's/.*"([^"]+)"/\1/')
GO_VERSION_SETUP_GO=$(yq '.inputs.version.default' .github/actions/setup-go/action.yaml)
GO_VERSION_FLAKE_NIX=$(grep -Eo '\bgo_[0-9]+_[0-9]+\b' ./flake.nix)
# Convert to major.minor format.
GO_VERSION_FLAKE_NIX_MAJOR_MINOR=$(echo "$GO_VERSION_FLAKE_NIX" | cut -d '_' -f 2-3 | tr '_' '.')
log "INFO : go.mod : $GO_VERSION_GO_MOD"
log "INFO : mise.toml : $GO_VERSION_MISE_TOML"
log "INFO : setup-go/action.yaml : $GO_VERSION_SETUP_GO"
log "INFO : flake.nix : $GO_VERSION_FLAKE_NIX_MAJOR_MINOR"
if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_MISE_TOML" ]; then
error "Go version mismatch between go.mod and mise.toml"
fi
if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_SETUP_GO" ]; then
error "Go version mismatch between go.mod and .github/actions/setup-go/action.yaml"
fi
# At the time of writing, Nix only constrains the major.minor version.
# We need to check that specifically.
if [ "$IGNORE_NIX" = "false" ]; then
+150
@@ -0,0 +1,150 @@
#!/usr/bin/env bash
# This script checks the mise values used by CI and dogfood images:
# - mise.toml min_version is the source of truth for the mise version.
# - .github/actions/setup-mise/checksums.toml stores pinned binary checksums.
# - .github/actions/setup-mise/action.yml
# - flake.nix
# - scripts/dogfood/mise-oci-wrapper.sh
# - dogfood/coder/ubuntu-*/Dockerfile.base
set -euo pipefail
# shellcheck source=scripts/lib.sh
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
cdroot
check_not_empty() {
local label="$1"
local value="$2"
log "INFO : ${label}: ${value}"
if [[ -z "${value}" ]]; then
error "Missing mise value for ${label}"
fi
}
check_equal() {
local label="$1"
local actual="$2"
local expected="$3"
check_not_empty "${label}" "${actual}"
if [[ "${actual}" != "${expected}" ]]; then
error "Mise mismatch for ${label}: expected ${expected}, got ${actual}"
fi
}
check_sha256_format() {
local label="$1"
local value="$2"
if [[ -z "${value}" ]]; then
error "Missing mise value for ${label}"
fi
if [[ ! "${value}" =~ ^[a-f0-9]{64}$ ]]; then
error "Expected 64-character lowercase SHA256 for ${label}: ${value}"
fi
}
mise_version="$(sed -n 's/^min_version = "\([^"]*\)"/\1/p' mise.toml)"
check_not_empty "mise.toml min_version" "${mise_version}"
action_version="$(
awk '
$1 == "mise-version:" { in_input = 1; next }
in_input && /^ [A-Za-z0-9_-]+:/ { exit }
in_input && $1 == "default:" {
gsub(/"/, "", $2)
print $2
exit
}
' .github/actions/setup-mise/action.yml
)"
check_equal ".github/actions/setup-mise/action.yml" "${action_version}" "${mise_version}"
checksum_version="$(
awk -v version="${mise_version}" '
$0 == "[\"" version "\"]" {
print version
exit
}
' .github/actions/setup-mise/checksums.toml
)"
check_equal ".github/actions/setup-mise/checksums.toml" "${checksum_version}" "${mise_version}"
declare -A setup_mise_checksums=()
for target in linux-x64 linux-arm64 macos-x64 macos-arm64 windows-x64; do
checksum="$(./scripts/mise_checksum.sh .github/actions/setup-mise/checksums.toml "${mise_version}" "${target}")"
check_not_empty ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}"
check_sha256_format ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}"
setup_mise_checksums["${target}"]="${checksum}"
done
linux_x64_checksum="${setup_mise_checksums["linux-x64"]}"
sri_sha256_to_hex() {
local label="$1"
local sri="$2"
if [[ "${sri}" != sha256-* ]]; then
error "Expected SRI SHA256 hash for ${label}: ${sri}"
fi
printf '%s' "${sri#sha256-}" | openssl base64 -A -d | od -An -tx1 -v | tr -d ' \n'
}
flake_version="$(
awk '
/^[[:space:]]*mise = / { in_mise = 1; next }
in_mise && /^[[:space:]]*version = / {
gsub(/[";]/, "", $3)
print $3
exit
}
in_mise && /^[[:space:]]*};/ { exit }
' flake.nix
)"
check_equal "flake.nix" "${flake_version}" "${mise_version}"
declare -A flake_targets=(
["x86_64-linux"]="linux-x64"
["aarch64-linux"]="linux-arm64"
["x86_64-darwin"]="macos-x64"
["aarch64-darwin"]="macos-arm64"
)
for system in "${!flake_targets[@]}"; do
target="${flake_targets[${system}]}"
expected_checksum="${setup_mise_checksums[${target}]}"
flake_hash="$(
awk -v nix_system="${system}" '
/^[[:space:]]*hash = \{/ { in_hash = 1; next }
in_hash && $1 == nix_system {
gsub(/[";]/, "", $3)
print $3
exit
}
in_hash && /^[[:space:]]*};/ { exit }
' flake.nix
)"
check_not_empty "flake.nix ${system} hash" "${flake_hash}"
actual_checksum="$(sri_sha256_to_hex "flake.nix ${system}" "${flake_hash}")"
check_equal "flake.nix ${system} sha256" "${actual_checksum}" "${expected_checksum}"
done
wrapper_version="$(sed -n 's/^MISE_VERSION="v\([^"]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)"
check_equal "scripts/dogfood/mise-oci-wrapper.sh" "${wrapper_version}" "${mise_version}"
wrapper_checksum="$(sed -n 's/^MISE_SHA256="\([a-f0-9]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)"
check_equal "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}" "${linux_x64_checksum}"
check_sha256_format "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}"
for dockerfile in dogfood/coder/ubuntu-*/Dockerfile.base; do
dockerfile_version="$(sed -n 's/.*MISE_VERSION=v\([0-9.]*\).*/\1/p' "${dockerfile}" | head -n 1)"
check_equal "${dockerfile}" "${dockerfile_version}" "${mise_version}"
dockerfile_checksum="$(sed -n 's/.*MISE_SHA256=\([a-f0-9]*\).*/\1/p' "${dockerfile}" | head -n 1)"
check_equal "${dockerfile} sha256" "${dockerfile_checksum}" "${linux_x64_checksum}"
check_sha256_format "${dockerfile} sha256" "${dockerfile_checksum}"
done
log "Mise version check passed, all versions are ${mise_version}"
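Review bot: The header comment at the top of this new script (`# This script checks the mise values used by CI and dogfood images:` and the list that follows) should state what the checks actually guarantee: every pinned location is compared against `mise.toml`'s `min_version` and the digests in `.github/actions/setup-mise/checksums.toml`, but nothing here compares those digests with the upstream mise release artifacts, so a coordinated bump that copies a wrong digest into every location still passes. Suggest appending a line such as `# Note: this only verifies that all pinned locations agree with checksums.toml; the digests there must be checked against the upstream mise release whenever they are updated.` Separately, `check_sha256_format` repeats the emptiness test that `check_not_empty` already performs but without the `log` line; calling `check_not_empty "${label}" "${value}"` in its place would keep the output consistent and drop the duplicate branch. At the wrapper and Dockerfile call sites the format check also runs after `check_equal` has already matched the value against `linux_x64_checksum`, which was format-checked in the earlier loop, so it is redundant there and could be dropped or moved before the equality check.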
+30
@@ -0,0 +1,30 @@
#!/usr/bin/env bash
# Print the pinned mise SHA256 checksum for a version and release target.
set -euo pipefail
if [[ "$#" -ne 3 ]]; then
echo "usage: $0 <checksums.toml> <mise-version> <target>" >&2
exit 1
fi
checksums_file="$1"
mise_version="$2"
target="$3"
awk -F= -v version="${mise_version}" -v target="${target}" '
$0 == "[\"" version "\"]" { in_table = 1; next }
/^\[/ { in_table = 0 }
in_table {
key = $1
gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
if (key == target) {
value = $2
gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
gsub(/^"|"$/, "", value)
print value
exit
}
}
' "${checksums_file}"
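Review bot: When the requested version table or target key is absent, the awk program at the end of the script prints nothing and the script exits 0, so a caller that does not test for empty output will proceed with an empty checksum; this contract is not stated anywhere in the file. The header comment should say so, e.g. `# Prints nothing and exits 0 if the version table or target key is absent; callers must treat empty output as a failure.` If a hard failure is preferred instead, setting `found = 1` next to `print value` and adding `END { if (!found) exit 1 }` to the awk program would make a missing pin fail here rather than in the caller.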
+4 -62
@@ -1,7 +1,6 @@
#!/usr/bin/env bash
# This script determines if a commit in either the main branch or a
# `release/x.y` branch should be deployed to dogfood.
# This script determines if the current branch should be deployed to dogfood.
#
# To avoid masking unrelated failures, this script will return 0 in either case,
# and will print `DEPLOY` or `NOOP` to stdout.
@@ -11,73 +10,16 @@ set -euo pipefail
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
cdroot
deploy_branch=main
# Determine the current branch name and check that it is one of the supported
# branch names.
branch_name=$(git branch --show-current)
# Short circuit: we no longer deploy release branches to dogfood, and instead
# test them on the stable deployment.
# We no longer deploy release branches to dogfood, and instead test them on the
# stable deployment.
# TODO: once we're happy with the new deployment process, we can remove this
# script and the related github workflow stuff.
# script and the related GitHub workflow.
if [[ "$branch_name" == "main" ]]; then
log "VERDICT: DEPLOY"
echo "DEPLOY" # stdout
exit 0
else
log "VERDICT: NOOP"
echo "NOOP" # stdout
exit 0
fi
if [[ "$branch_name" != "main" && ! "$branch_name" =~ ^release/[0-9]+\.[0-9]+$ ]]; then
error "Current branch '$branch_name' is not a supported branch name for dogfood, must be 'main' or 'release/x.y'"
fi
log "Current branch '$branch_name'"
# Determine the remote name
remote=$(git remote -v | grep coder/coder | awk '{print $1}' | head -n1)
if [[ -z "${remote}" ]]; then
error "Could not find remote for coder/coder"
fi
log "Using remote '$remote'"
# Step 1: List all release branches and sort them by major/minor so we can find
# the latest release branch.
release_branches=$(
git branch -r --format='%(refname:short)' |
grep -E "${remote}/release/[0-9]+\.[0-9]+$" |
sed "s|${remote}/||" |
sort -V
)
# As a sanity check, release/2.26 should exist.
if ! echo "$release_branches" | grep "release/2.26" >/dev/null; then
error "Could not find existing release branches. Did you run 'git fetch -ap ${remote}'?"
fi
latest_release_branch=$(echo "$release_branches" | tail -n 1)
latest_release_branch_version=${latest_release_branch#release/}
log "Latest release branch: $latest_release_branch"
log "Latest release branch version: $latest_release_branch_version"
# Step 2: check if a matching tag `v<x.y>.0` exists. If it does not, we will
# use the release branch as the deploy branch.
if ! git rev-parse "refs/tags/v${latest_release_branch_version}.0" >/dev/null 2>&1; then
log "Tag 'v${latest_release_branch_version}.0' does not exist, using release branch as deploy branch"
deploy_branch=$latest_release_branch
else
log "Matching tag 'v${latest_release_branch_version}.0' exists, using main as deploy branch"
fi
log "Deploy branch: $deploy_branch"
# Finally, check if the current branch is the deploy branch.
log
if [[ "$branch_name" != "$deploy_branch" ]]; then
log "VERDICT: DO NOT DEPLOY"
echo "NOOP" # stdout
else
log "VERDICT: DEPLOY"
echo "DEPLOY" # stdout
fi
-46
@@ -1,46 +0,0 @@
#!/usr/bin/env bash
# Usage: ./zizmor.sh [args...]
#
# This script is a wrapper around the zizmor Docker image. Zizmor lints GitHub
# actions workflows.
#
# We use Docker to run zizmor since it's written in Rust and is difficult to
# install on Ubuntu runners without building it with a Rust toolchain, which
# takes a long time.
#
# The repo is mounted at /repo and the working directory is set to /repo.
set -euo pipefail
# shellcheck source=scripts/lib.sh
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
cdroot
image_tag="ghcr.io/zizmorcore/zizmor:1.11.0"
docker_args=(
"--rm"
"--volume" "$(pwd):/repo"
"--workdir" "/repo"
"--network" "host"
)
if [[ -t 0 ]]; then
docker_args+=("-it")
fi
# If no GH_TOKEN is set, try to get one from `gh auth token`.
if [[ "${GH_TOKEN:-}" == "" ]] && command -v gh &>/dev/null; then
set +e
GH_TOKEN="$(gh auth token)"
export GH_TOKEN
set -e
fi
# Pass through the GitHub token if it's set, which allows zizmor to scan
# imported workflows too.
if [[ "${GH_TOKEN:-}" != "" ]]; then
docker_args+=("--env" "GH_TOKEN")
fi
logrun exec docker run "${docker_args[@]}" "$image_tag" "$@"