From fe257666d7709192fca7b1a80019d7d019915c71 Mon Sep 17 00:00:00 2001 
From: Thomas Kosiewski Date: Mon, 1 Jun 2026 15:55:19 +0200 Subject: [PATCH] ci: refactor CI to use mise for shared tool setup (#25727) --- .github/actions/go-cache/action.yml | 76 ++++++ .github/actions/install-cosign/action.yaml | 10 - .github/actions/install-syft/action.yaml | 10 - .github/actions/pnpm-install/action.yml | 59 ++++ .github/actions/setup-go-tools/action.yaml | 12 - .github/actions/setup-go/action.yaml | 32 --- .github/actions/setup-mise/action.yml | 168 ++++++++++++ .github/actions/setup-mise/checksums.toml | 9 + .github/actions/setup-node/action.yaml | 44 --- .github/actions/setup-sqlc/action.yaml | 17 -- .github/actions/setup-tf/action.yaml | 11 - .github/workflows/ci.yaml | 304 +++++++++++---------- .github/workflows/dogfood.yaml | 57 +--- .github/workflows/flake-go.yaml | 20 +- .github/workflows/nightly-gauntlet.yaml | 13 +- .github/workflows/pr-deploy.yaml | 17 +- .github/workflows/release.yaml | 29 +- .github/workflows/security.yaml | 9 +- .github/workflows/weekly-docs.yaml | 61 ++++- Makefile | 50 ++-- docs/about/contributing/CONTRIBUTING.md | 6 +- flake.nix | 41 +++ go.mod | 5 - go.sum | 6 - mise.lock | 219 ++++++++++----- mise.toml | 22 +- scripts/check_go_versions.sh | 7 - scripts/check_mise_versions.sh | 150 ++++++++++ scripts/mise_checksum.sh | 30 ++ scripts/should_deploy.sh | 66 +---- scripts/zizmor.sh | 46 ---- 31 files changed, 995 insertions(+), 611 deletions(-) create mode 100644 .github/actions/go-cache/action.yml delete mode 100644 .github/actions/install-cosign/action.yaml delete mode 100644 .github/actions/install-syft/action.yaml create mode 100644 .github/actions/pnpm-install/action.yml delete mode 100644 .github/actions/setup-go-tools/action.yaml delete mode 100644 .github/actions/setup-go/action.yaml create mode 100644 .github/actions/setup-mise/action.yml create mode 100644 .github/actions/setup-mise/checksums.toml delete mode 100644 .github/actions/setup-node/action.yaml delete mode 100644 
.github/actions/setup-sqlc/action.yaml delete mode 100644 .github/actions/setup-tf/action.yaml create mode 100755 scripts/check_mise_versions.sh create mode 100755 scripts/mise_checksum.sh delete mode 100755 scripts/zizmor.sh diff --git a/.github/actions/go-cache/action.yml b/.github/actions/go-cache/action.yml new file mode 100644 index 0000000000..d77abaedec --- /dev/null +++ b/.github/actions/go-cache/action.yml 
@@ -0,0 +1,76 @@ +name: "Go cache" +description: Restore and save Go build and module caches. +inputs: + cache-path: + description: "Optional newline-delimited cache paths. Defaults to go env GOCACHE and GOMODCACHE." + required: false + default: "" + key-prefix: + description: "Prefix for the cache key." + required: false + default: "go" + download-modules: + description: "Whether to run go mod download after restoring cache." + required: false + default: "true" +runs: + using: "composite" + steps: + - name: Compute Go cache key + id: go-cache + shell: bash + run: | + set -euo pipefail + + if [[ -n "${INPUT_CACHE_PATH}" ]]; then + paths="${INPUT_CACHE_PATH}" + else + paths="$(printf '%s\n%s' "$(go env GOCACHE)" "$(go env GOMODCACHE)")" + fi + + go_version="$(go env GOVERSION)" + paths_hash="$(printf '%s\n' "${paths}" | git hash-object --stdin)" + hash="$( + { + printf '%s\n' "${go_version}" + for file in go.mod go.sum; do + if [[ -f "${file}" ]]; then + git hash-object "${file}" + fi + done + } | git hash-object --stdin + )" + + { + echo "path<> "$GITHUB_OUTPUT" + env: + INPUT_CACHE_PATH: ${{ inputs.cache-path }} + INPUT_KEY_PREFIX: ${{ inputs.key-prefix }} + + - name: Restore Go cache, save on main + if: ${{ github.ref == 'refs/heads/main' }} + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ${{ steps.go-cache.outputs.path }} + key: ${{ steps.go-cache.outputs.key }} + restore-keys: | + ${{ steps.go-cache.outputs.restore-key }} + + - name: Restore Go cache read-only + if: ${{ github.ref != 'refs/heads/main' }} + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ${{ steps.go-cache.outputs.path }} + key: ${{ steps.go-cache.outputs.key }} + restore-keys: | + ${{ steps.go-cache.outputs.restore-key }} + + - name: Download Go modules + if: ${{ inputs.download-modules == 'true' }} + shell: bash + run: ./.github/scripts/retry.sh -- go mod download -x 
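Review bot: `Compute Go cache key` calls `go env` and `Download Go modules` runs `go mod download`, but nothing in this action checks that a Go toolchain is on PATH, so a workflow that orders it before setup-mise fails with an opaque `go: command not found` or, worse, keys the cache off whatever stray Go the runner image happens to ship. A one-line guard at the top of the key step makes the dependency explicit: `command -v go >/dev/null || { echo "::error::go not on PATH; run ./.github/actions/setup-mise with go first"; exit 1; }`. I would also state the ordering and the save policy in the action's `description`, e.g. `Restore and save Go build and module caches. Requires go on PATH (run after setup-mise); saves only on refs/heads/main, other refs restore read-only.`, since both are only discoverable today by reading the `if:` conditions.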
diff --git a/.github/actions/install-cosign/action.yaml b/.github/actions/install-cosign/action.yaml
deleted file mode 100644
index acaf7ba1a7..0000000000
--- a/.github/actions/install-cosign/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: "Install cosign"
-description: |
- Cosign Github Action.
-runs:
- using: "composite"
- steps:
- - name: Install cosign
- uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
- with:
- cosign-release: "v2.4.3"
diff --git a/.github/actions/install-syft/action.yaml b/.github/actions/install-syft/action.yaml
deleted file mode 100644
index 0f8a440801..0000000000
--- a/.github/actions/install-syft/action.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: "Install syft"
-description: |
- Downloads Syft to the Action tool cache and provides a reference.
-runs:
- using: "composite"
- steps:
- - name: Install syft
- uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
- with:
- syft-version: "v1.26.1"
diff --git a/.github/actions/pnpm-install/action.yml b/.github/actions/pnpm-install/action.yml
new file mode 100644
index 0000000000..8ba01f6a32
--- /dev/null
+++ b/.github/actions/pnpm-install/action.yml
@@ -0,0 +1,59 @@ +name: "pnpm install" +description: Restore pnpm store cache and install root plus workspace dependencies. +inputs: + directory: + description: "Workspace directory to install after the repository root." + required: false + default: "site" +runs: + using: "composite" + steps: + - name: Compute pnpm cache key + id: pnpm-cache + shell: bash + run: | + set -euo pipefail + + store_path="$(pnpm store path --silent)" + hash="$( + for file in pnpm-lock.yaml "${INPUT_DIRECTORY}/pnpm-lock.yaml"; do + if [[ -f "${file}" ]]; then + git hash-object "${file}" + fi + done | git hash-object --stdin + )" + + { + echo "store-path=${store_path}" + echo "key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-${hash}" + echo "restore-key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-" + } >> "$GITHUB_OUTPUT" + env: + INPUT_DIRECTORY: ${{ inputs.directory }} + + - name: Restore and save pnpm cache + if: ${{ github.ref == 'refs/heads/main' }} + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ${{ steps.pnpm-cache.outputs.store-path }} + key: ${{ steps.pnpm-cache.outputs.key }} + restore-keys: | + ${{ steps.pnpm-cache.outputs.restore-key }} + + - name: Restore pnpm cache + if: ${{ github.ref != 'refs/heads/main' }} + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ${{ steps.pnpm-cache.outputs.store-path }} + key: ${{ steps.pnpm-cache.outputs.key }} + restore-keys: | + ${{ steps.pnpm-cache.outputs.restore-key }} + + - name: Install root node_modules + shell: bash + run: ./scripts/pnpm_install.sh + + - name: Install node_modules + shell: bash + run: "${GITHUB_WORKSPACE}/scripts/pnpm_install.sh" + working-directory: ${{ github.workspace }}/${{ inputs.directory }} diff --git a/.github/actions/setup-go-tools/action.yaml b/.github/actions/setup-go-tools/action.yaml deleted file mode 100644 index c8e600d656..0000000000 --- a/.github/actions/setup-go-tools/action.yaml +++ /dev/null 
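Review bot: The key in `Compute pnpm cache key` is derived from the two `pnpm-lock.yaml` files, but whether the install is actually held to those lockfiles depends on `scripts/pnpm_install.sh`, which this diff neither touches nor shows. If that script does not run `pnpm install --frozen-lockfile` (or the equivalent CI mode), a PR that edits `package.json` without updating the lockfile gets a fresh resolution while the restored store and the cache key still look lockfile-consistent; worth confirming, and adding the flag there if it is missing. Like go-cache, this action also silently assumes `pnpm` is already on PATH from setup-mise (`pnpm store path --silent` is the first thing it runs); a sentence in `description` such as `Requires node and pnpm on PATH (run after setup-mise); the store is saved only on refs/heads/main.` would spare the next reader a guess.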
@@ -1,12 +0,0 @@ -name: "Setup Go tools" -description: | - Set up tools for `make gen`, `offlinedocs` and Schmoder CI. -runs: - using: "composite" - steps: - - name: go install tools - shell: bash - run: | - ./.github/scripts/retry.sh -- go install tool - # NOTE: protoc-gen-go cannot be installed with `go get` - ./.github/scripts/retry.sh -- go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30 diff --git a/.github/actions/setup-go/action.yaml b/.github/actions/setup-go/action.yaml deleted file mode 100644 index ee7f17a40e..0000000000 --- a/.github/actions/setup-go/action.yaml +++ /dev/null @@ -1,32 +0,0 @@ -name: "Setup Go" -description: | - Sets up the Go environment for tests, builds, etc. -inputs: - version: - description: "The Go version to use." - default: "1.26.2" - use-cache: - description: "Whether to use the cache." - default: "true" -runs: - using: "composite" - steps: - - name: Setup Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 - with: - go-version: ${{ inputs.version }} - cache: ${{ inputs.use-cache }} - - - name: Install gotestsum - shell: bash - run: ./.github/scripts/retry.sh -- go install gotest.tools/gotestsum@0d9599e513d70e5792bb9334869f82f6e8b53d4d # main as of 2025-05-15 - - - name: Install mtimehash - shell: bash - run: ./.github/scripts/retry.sh -- go install github.com/slsyy/mtimehash/cmd/mtimehash@a6b5da4ed2c4a40e7b805534b004e9fde7b53ce0 # v1.0.0 - - # It isn't necessary that we ever do this, but it helps - # separate the "setup" from the "run" times. - - name: go mod download - shell: bash - run: ./.github/scripts/retry.sh -- go mod download -x diff --git a/.github/actions/setup-mise/action.yml b/.github/actions/setup-mise/action.yml new file mode 100644 index 0000000000..847eb6ef51 --- /dev/null +++ b/.github/actions/setup-mise/action.yml 
@@ -0,0 +1,168 @@ +name: Setup mise +description: Install mise tools from SHA256-pinned binaries, with CI-layer caching. +inputs: + install-args: + description: Tool names or extra arguments passed to mise install. --locked is added by default. + required: false + default: "" + locked: + description: Whether to pass --locked to mise install. + required: false + default: "true" + cache-key-prefix: + description: Prefix for mise tool cache keys. + required: false + default: mise-ci-v1 + mise-version: + description: mise version to install. + required: false + default: "2026.5.12" + mise-sha256: + description: SHA256 checksum for the mise binary. + required: false + default: "" + use-cache: + description: Whether to restore and save mise tool caches. + required: false + default: "true" +runs: + using: composite + steps: + - name: Compute mise cache key + id: cache-key + shell: bash + env: + CACHE_KEY_PREFIX: ${{ inputs.cache-key-prefix }} + INPUT_INSTALL_ARGS: ${{ inputs.install-args }} + INPUT_LOCKED: ${{ inputs.locked }} + MISE_VERSION: ${{ inputs.mise-version }} + RUNNER_ARCH: ${{ runner.arch }} + RUNNER_OS: ${{ runner.os }} + run: | + set -euo pipefail + + case "${INPUT_LOCKED}" in + true) + if [[ -n "${INPUT_INSTALL_ARGS}" ]]; then + install_args="--locked ${INPUT_INSTALL_ARGS}" + else + install_args="--locked" + fi + ;; + false) + install_args="${INPUT_INSTALL_ARGS}" + ;; + *) + echo "::error::locked must be true or false." 
+ exit 1 + ;; + esac + + install_args_hash="$(printf '%s' "$install_args" | git hash-object --stdin)" + files_hash="$(git hash-object mise.toml mise.lock | git hash-object --stdin)" + key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-${files_hash}" + restore_key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-" + + { + echo "install-args<> "$GITHUB_OUTPUT" + + - name: Select mise checksum + id: checksum + shell: bash + env: + CHECKSUMS_FILE: ${{ github.action_path }}/checksums.toml + INPUT_MISE_SHA256: ${{ inputs.mise-sha256 }} + MISE_CHECKSUM_SCRIPT: ${{ github.workspace }}/scripts/mise_checksum.sh + MISE_VERSION: ${{ inputs.mise-version }} + RUNNER_ARCH: ${{ runner.arch }} + RUNNER_OS: ${{ runner.os }} + run: | + set -euo pipefail + + checksum="${INPUT_MISE_SHA256}" + if [[ -z "${checksum}" ]]; then + case "${RUNNER_OS}-${RUNNER_ARCH}" in + Linux-X64) + target="linux-x64" + ;; + Linux-ARM64) + target="linux-arm64" + ;; + macOS-X64) + target="macos-x64" + ;; + macOS-ARM64) + target="macos-arm64" + ;; + Windows-X64) + target="windows-x64" + ;; + *) + echo "::error::No mise checksum is pinned for ${RUNNER_OS}-${RUNNER_ARCH}." + exit 1 + ;; + esac + + checksum="$("${MISE_CHECKSUM_SCRIPT}" "${CHECKSUMS_FILE}" "${MISE_VERSION}" "${target}")" + if [[ -z "${checksum}" ]]; then + echo "::error::No mise checksum is pinned for mise ${MISE_VERSION} on ${target}." + exit 1 + fi + fi + + echo "sha256=${checksum}" >> "$GITHUB_OUTPUT" + + - name: Configure mise data directory + id: mise-data-dir + shell: bash + env: + RUNNER_OS: ${{ runner.os }} + run: | # zizmor: ignore[github-env] MISE_DATA_DIR uses only runner-provided paths. 
+ set -euo pipefail + + if [[ "${RUNNER_OS}" == "Windows" ]]; then + data_dir="${LOCALAPPDATA:-${USERPROFILE}\\AppData\\Local}\\mise" + else + data_dir="${RUNNER_TEMP}/mise-data" + fi + + { + printf 'path=%s\n' "${data_dir}" + } >> "$GITHUB_OUTPUT" + printf 'MISE_DATA_DIR=%s\n' "${data_dir}" >> "$GITHUB_ENV" + + - name: Cache mise tools + if: ${{ inputs.use-cache == 'true' && github.ref == 'refs/heads/main' }} + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: | + ~/.cache/mise + ${{ steps.mise-data-dir.outputs.path }} + key: ${{ steps.cache-key.outputs.key }} + restore-keys: | + ${{ steps.cache-key.outputs.restore-key }} + + - name: Restore mise tools + if: ${{ inputs.use-cache == 'true' && github.ref != 'refs/heads/main' }} + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: | + ~/.cache/mise + ${{ steps.mise-data-dir.outputs.path }} + key: ${{ steps.cache-key.outputs.key }} + restore-keys: | + ${{ steps.cache-key.outputs.restore-key }} + + - name: Install mise tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: ${{ inputs.mise-version }} + sha256: ${{ steps.checksum.outputs.sha256 }} + mise_dir: ${{ steps.mise-data-dir.outputs.path }} + install_args: ${{ steps.cache-key.outputs.install-args }} + cache: "false" diff --git a/.github/actions/setup-mise/checksums.toml b/.github/actions/setup-mise/checksums.toml new file mode 100644 index 0000000000..046a08492d --- /dev/null +++ b/.github/actions/setup-mise/checksums.toml 
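Review bot: The `locked` input's description (`Whether to pass --locked to mise install.`) undersells what `locked: "false"` does: as I read mise, without `--locked` an install may resolve versions from `mise.toml` and drift from `mise.lock`, so the pinning that the rest of this action is built around (the SHA256-checked mise binary, the `files_hash` over `mise.toml` and `mise.lock`) is no longer enforced for the tools themselves — please confirm against the mise docs. I would say so in the input: `description: Whether to pass --locked to mise install. false drops the mise.lock pin and should only be used when intentionally regenerating the lockfile.` Separately, `Compute mise cache key` and `Select mise checksum` read `mise.toml`, `mise.lock` and `scripts/mise_checksum.sh` from `github.workspace`, so the action requires the repository to be checked out first and installs whatever the checked-out ref pins; a sentence in the top-level `description` stating that precondition would make the trust boundary explicit.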
@@ -0,0 +1,9 @@ +# SHA256 hashes of the extracted mise binary verified by jdx/mise-action. +# Keys use the GitHub runner target for each release artifact. + +["2026.5.12"] +linux-x64 = "a238972a3162d710b85b28c324372e96ca4e4b486c81fe78695000d9fbc77c48" +linux-arm64 = "fd2d5227a8ad0b1e359c70527a8345a9ada72077f8dcbb559371653c3d95464f" +macos-x64 = "de57e8dc82bbd880a69c9bc8aee06b9dcc578184b3e5cf86fcef80635d6a90b4" +macos-arm64 = "e777070540ffe22cf8b2b9f88aed88b461d0887d940c4f1c1a97359463cde6e1" +windows-x64 = "adf1b4c9f51e7d15cff723056fcd8fd51f40ebacadcca97fd5758c44d469d5ea" diff --git a/.github/actions/setup-node/action.yaml b/.github/actions/setup-node/action.yaml deleted file mode 100644 index 0c276f0ab8..0000000000 --- a/.github/actions/setup-node/action.yaml +++ /dev/null @@ -1,44 +0,0 @@ -name: "Setup Node" -description: | - Sets up the node environment for tests, builds, etc. -inputs: - directory: - description: | - The directory to run the setup in. - required: false - default: "site" -runs: - using: "composite" - steps: - - name: Install pnpm - uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0 # v6.0.7 - - - name: Setup Node - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 - with: - node-version: 22.19.0 - # See https://github.com/actions/setup-node#caching-global-packages-data - cache: "pnpm" - cache-dependency-path: ${{ inputs.directory }}/pnpm-lock.yaml - - - name: Verify Node - shell: bash - run: | - set -euo pipefail - - expected="v22.19.0" - actual="$(node --version)" - if [[ "$actual" != "$expected" ]]; then - echo "::error::Expected Node.js $expected, but got $actual from $(command -v node)." - exit 1 - fi - echo "Node.js $actual is active at $(command -v node)." - - - name: Install root node_modules - shell: bash - run: ./scripts/pnpm_install.sh - - - name: Install node_modules - shell: bash - run: ../scripts/pnpm_install.sh - working-directory: ${{ inputs.directory }} 
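Review bot: `checksums.toml` records five SHA256 values but not where they came from, which is exactly what the next person bumping `mise-version` needs in order to verify rather than copy. The linux-x64 value matches the `MISE_SHA256` this commit removes from dogfood.yaml, so the entries are at least consistent with what was in use, but a provenance comment would let a reviewer cross-check each entry against the checksums the jdx/mise release publishes (if mise ships a checksum file with its releases — confirm) instead of hashing a freshly downloaded binary. Suggested line under the existing header: `# Each value is the sha256 of the named release asset; verify new entries against the release's published checksums, not a local download.` The diffstat also lists a new `scripts/check_mise_versions.sh`; if it keeps this file in sync with mise.toml and the dogfood Dockerfiles, naming it here would help too.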
diff --git a/.github/actions/setup-sqlc/action.yaml b/.github/actions/setup-sqlc/action.yaml deleted file mode 100644 index 029a3f5fe4..0000000000 --- a/.github/actions/setup-sqlc/action.yaml +++ /dev/null @@ -1,17 +0,0 @@ -name: Setup sqlc -description: | - Sets up the sqlc environment for tests, builds, etc. -runs: - using: "composite" - steps: - - name: Setup sqlc - # uses: sqlc-dev/setup-sqlc@c0209b9199cd1cce6a14fc27cabcec491b651761 # v4.0.0 - # with: - # sqlc-version: "1.30.0" - - # Switched to coder/sqlc fork to fix ambiguous column bug, see: - # - https://github.com/coder/sqlc/pull/1 - # - https://github.com/sqlc-dev/sqlc/pull/4159 - shell: bash - run: | - ./.github/scripts/retry.sh -- env CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@337309bfb9524f38466a5090e310040fc7af0203 diff --git a/.github/actions/setup-tf/action.yaml b/.github/actions/setup-tf/action.yaml deleted file mode 100644 index 22c7253050..0000000000 --- a/.github/actions/setup-tf/action.yaml +++ /dev/null @@ -1,11 +0,0 @@ -name: "Setup Terraform" -description: | - Sets up Terraform for tests, builds, etc. -runs: - using: "composite" - steps: - - name: Install Terraform - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 - with: - terraform_version: 1.15.5 - terraform_wrapper: false diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 78d6aba61a..63fd8f4359 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -151,8 +151,13 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "node pnpm" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - name: Check docs run: pnpm check-docs 
@@ -171,8 +176,10 @@ jobs: # # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs # token: ${{ secrets.CDRCI_GITHUB_TOKEN }} - # - name: Setup Go - # uses: ./.github/actions/setup-go + # - name: Set up mise tools + # uses: ./.github/actions/setup-mise + # with: + # install-args: "go" # - name: Update Nix Flake SRI Hash # run: ./scripts/update-flake.sh @@ -208,18 +215,22 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm helm actionlint aqua:crate-ci/typos" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/golangci/golangci-lint/cmd/golangci-lint go:github.com/coder/paralleltestctx/cmd/paralleltestctx - name: Get golangci-lint cache dir run: | - # mise.toml is the source of truth for tool versions baked into - # the dogfood image; pull the same version for the lint job. - linter_ver=$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/') - ./.github/scripts/retry.sh -- go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver" dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }') echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV" 
@@ -239,35 +250,13 @@ jobs: # Check for any typos - name: Check for typos - uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1 - with: - config: .github/workflows/typos.toml + run: typos --config .github/workflows/typos.toml - name: Fix the typos if: ${{ failure() }} run: | echo "::notice:: you can automatically fix typos from your CLI: - cargo install typos-cli - typos -c .github/workflows/typos.toml -w" - - # Needed for helm chart linting - - name: Install helm - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 - with: - version: v3.9.2 - continue-on-error: true - id: setup-helm - - - name: Install helm (fallback) - if: steps.setup-helm.outcome == 'failure' - # Fallback to Buildkite's apt repository if get.helm.sh is down. - # See: https://github.com/coder/internal/issues/1109 - run: | - set -euo pipefail - curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list - sudo apt-get update - sudo apt-get install -y helm=3.9.2-1 + mise exec aqua:crate-ci/typos -- typos -c .github/workflows/typos.toml -w" - name: Verify helm version run: helm version --short @@ -287,15 +276,11 @@ jobs: key: ${{ steps.golangci-lint-cache.outputs.cache-primary-key }} - name: Check workflow files - run: | - bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.4 - ./actionlint -color -shellcheck= -ignore "set-output" + run: actionlint -color -shellcheck= -ignore "set-output" shell: bash - name: Check for unstaged files - run: | - rm -f ./actionlint ./typos - ./scripts/check_unstaged.sh + run: ./scripts/check_unstaged.sh shell: bash lint-actions: 
@@ -303,7 +288,7 @@ jobs: # Only run this job if changes to CI workflow files are detected. This job # can flake as it reaches out to GitHub to check referenced actions. if: needs.changes.outputs.ci == 'true' - runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} + runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-24.04-8' || 'ubuntu-24.04' }} steps: - name: Harden Runner uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 @@ -316,8 +301,10 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "actionlint zizmor" - name: make lint/actions run: make --output-sync=line -j lint/actions @@ -341,30 +328,19 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm terraform protoc protoc-gen-go" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - - name: Setup sqlc - uses: ./.github/actions/setup-sqlc + - name: Restore Go cache + uses: ./.github/actions/go-cache - - name: Setup Terraform - uses: ./.github/actions/setup-tf - - - name: go install tools - uses: ./.github/actions/setup-go-tools - - - name: Install Protoc - run: | - mkdir -p /tmp/proto - pushd /tmp/proto - curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip - unzip protoc.zip - sudo cp -r ./bin/* /usr/local/bin - sudo cp -r ./include /usr/local/bin/include - popd + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:storj.io/drpc/cmd/protoc-gen-go-drpc go:github.com/coder/sqlc/cmd/sqlc - name: make gen timeout-minutes: 8 
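Review bot: In the gen job, the new `Install Go mise tools` step builds sqlc with `mise install --locked go:github.com/coder/sqlc/cmd/sqlc`, whereas the deleted `setup-sqlc` action earlier in this patch ran it explicitly under `env CGO_ENABLED=1`. Nothing in this hunk carries that setting over, so the build now depends on the runner's default and on whether `mise.toml` sets it for the go backend (not shown here); if the fork genuinely needs cgo, `make gen` here and `sqlc vet` later run a differently built binary. If it is still required, set it on the step with `env:` / `  CGO_ENABLED: "1"`; if it is not, a one-line comment saying the explicit flag was dropped on purpose would stop the question coming up again. The same hunk also drops `setup-go-tools`, which ran `go install tool` for every `tool` directive in go.mod; I assume the remaining directives moved to mise (go.mod loses five lines in the diffstat), but this hunk only installs `protoc-gen-go-drpc` and `sqlc`, so it is worth confirming nothing else `make gen` needs has gone missing.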
@@ -396,24 +372,26 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node - - name: Check Go version run: IGNORE_NIX=true ./scripts/check_go_versions.sh - # Use default Go version - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm terraform" - - name: Install shfmt - run: ./.github/scripts/retry.sh -- go install mvdan.cc/sh/v3/cmd/shfmt@v3.7.0 + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:mvdan.cc/sh/v3/cmd/shfmt - name: make fmt timeout-minutes: 7 - run: | - PATH="${PATH}:$(go env GOPATH)/bin" \ - make --output-sync -j -B fmt + run: make --output-sync -j -B fmt - name: Check for unstaged files run: ./scripts/check_unstaged.sh @@ -476,13 +454,18 @@ jobs: - name: Setup GNU tools (macOS) uses: ./.github/actions/setup-gnu-tools - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise with: - use-cache: true + install-args: "go terraform" - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Restore Go cache + uses: ./.github/actions/go-cache + with: + cache-path: ${{ steps.go-paths.outputs.cached-dirs }} + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum go:github.com/slsyy/mtimehash/cmd/mtimehash - name: Download Test Cache id: download-cache 
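Review bot: In the fmt job, `Check Go version` (`IGNORE_NIX=true ./scripts/check_go_versions.sh`) now runs before `Set up mise tools`, so at that point no mise-managed Go is on PATH. The ordering itself is not new (the step used to sit between setup-node and setup-go), but with Go now coming from mise and `scripts/check_go_versions.sh` modified in this commit without its hunk being shown here, it is worth confirming the script only compares pinned version strings across files and never shells out to `go version`; otherwise it either fails or checks whatever Go the runner image happens to ship. If it does need the toolchain, moving the step below `Set up mise tools` is the one-line fix. In the test-go hunk further down, `cache-path: ${{ steps.go-paths.outputs.cached-dirs }}` refers to a `go-paths` step that sits outside this hunk; fine as long as it still runs before `Restore Go cache`.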
@@ -651,11 +634,16 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go terraform" - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum - name: Download Test Cache id: download-cache @@ -720,11 +708,16 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go terraform" - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum - name: Download Test Cache id: download-cache @@ -799,8 +792,13 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go" + + - name: Restore Go cache + uses: ./.github/actions/go-cache # Used by some integration tests. - name: Install Nginx @@ -826,8 +824,13 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "node pnpm" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - run: pnpm test:ci --max-workers "$(nproc)" working-directory: site 
@@ -859,11 +862,16 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Restore Go cache + uses: ./.github/actions/go-cache # Assume that the checked-in versions are up-to-date - run: make gen/mark-fresh @@ -951,8 +959,13 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "node pnpm" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install # This step is not meant for mainline because any detected changes to # storybook snapshots will require manual approval/review in order for 
@@ -1030,29 +1043,21 @@ jobs: fetch-depth: 0 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm protoc protoc-gen-go" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install with: directory: offlinedocs - - name: Install Protoc - run: | - mkdir -p /tmp/proto - pushd /tmp/proto - curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip - unzip protoc.zip - sudo cp -r ./bin/* /usr/local/bin - sudo cp -r ./include /usr/local/bin/include - popd + - name: Restore Go cache + uses: ./.github/actions/go-cache - - name: Setup Go - uses: ./.github/actions/setup-go - - - name: Install go tools - uses: ./.github/actions/setup-go-tools - - - name: Setup sqlc - uses: ./.github/actions/setup-sqlc + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:storj.io/drpc/cmd/protoc-gen-go-drpc go:github.com/coder/sqlc/cmd/sqlc - name: Format run: | 
@@ -1144,17 +1149,19 @@ jobs: fetch-depth: 0 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - - name: Install go-winres - run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3 + - name: Restore Go cache + uses: ./.github/actions/go-cache - - name: Install nfpm - run: ./.github/scripts/retry.sh -- go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm - name: Install zstd run: sudo apt-get install -y zstd @@ -1205,13 +1212,19 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Setup Node - uses: ./.github/actions/setup-node - - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise with: - use-cache: false + install-args: "go node pnpm cosign syft" + + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm - name: Install rcodesign run: | 
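Review bot: The release build job at `@@ -1205` used to be the one place Go caching was switched off (`use-cache: false` on the old setup-go), and this hunk replaces that with an unconditional `Restore Go cache`, so the binaries that are subsequently signed with cosign and described with syft are now built from a GOCACHE/GOMODCACHE restored via `restore-keys` prefix fallback. The cache is content-addressed and, per go-cache, only ever written from `refs/heads/main`, so the exposure is limited, but the opt-out reads as deliberate and a release build is where reproducibility matters most. If it was intentional, simply omit the `Restore Go cache` step in this job; if it was an accident of the refactor, a comment on the step noting that the cache is considered safe for release builds would close the question for the next reader. I am inferring the old motive from the removed line only.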
@@ -1241,21 +1254,9 @@ jobs: distribution: "zulu" java-version: "11.0" - - name: Install go-winres - run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3 - - - name: Install nfpm - run: ./.github/scripts/retry.sh -- go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 - - name: Install zstd run: sudo apt-get install -y zstd - - name: Install cosign - uses: ./.github/actions/install-cosign - - - name: Install syft - uses: ./.github/actions/install-syft - - name: Setup Windows EV Signing Certificate run: | set -euo pipefail @@ -1579,11 +1580,16 @@ jobs: with: fetch-depth: 1 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go" - - name: Setup sqlc - uses: ./.github/actions/setup-sqlc + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/sqlc/cmd/sqlc - name: Setup and run sqlc vet run: | diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml index 9dcd853f79..c87b48b5ee 100644 --- a/.github/workflows/dogfood.yaml +++ b/.github/workflows/dogfood.yaml @@ -71,9 +71,6 @@ jobs: packages: write # push the dogfood base image to ghcr.io/coder/oss-dogfood-base env: # MISE_EXPERIMENTAL opts into the experimental `oci` subcommand. - # Trust is set via a config file (see the Install mise step - # below) rather than MISE_TRUSTED_CONFIG_PATHS so the workspace - # template can keep parity with the same file-based approach. MISE_EXPERIMENTAL: "1" steps: - name: Harden Runner 
@@ -135,32 +132,9 @@ jobs: uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 if: matrix.image-version != 'nix' - - name: Install mise - if: matrix.image-version != 'nix' - # MISE_VERSION + MISE_SHA256 match dogfood/coder/ubuntu-*/Dockerfile.base - # so the mise binary baking the image is the same one a workspace - # ships with. `min_version` in mise.toml catches downgrades. - # Write trust config to ~/.config/mise/conf.d/ instead of using - # MISE_TRUSTED_CONFIG_PATHS so the same file-based approach - # works in workspaces (where the user owns the file). - env: - MISE_VERSION: v2026.5.12 - MISE_SHA256: a238972a3162d710b85b28c324372e96ca4e4b486c81fe78695000d9fbc77c48 - WORKSPACE: ${{ github.workspace }} - run: | - set -euo pipefail - curl --silent --show-error --location --fail \ - "https://github.com/jdx/mise/releases/download/${MISE_VERSION}/mise-${MISE_VERSION}-linux-x64" \ - --output /tmp/mise - echo "${MISE_SHA256} /tmp/mise" | sha256sum -c - sudo install -m 0755 /tmp/mise /usr/local/bin/mise - rm /tmp/mise - mise --version - mkdir -p "$HOME/.config/mise/conf.d" - cat > "$HOME/.config/mise/conf.d/00-ci-trust.toml" <> "$GITHUB_PATH" - - name: Build mise oci layer if: matrix.image-version != 'nix' && !github.event.pull_request.head.repo.fork env: @@ -360,8 +315,10 @@ jobs: with: persist-credentials: false - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "terraform" - name: Authenticate to Google Cloud uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 diff --git a/.github/workflows/flake-go.yaml b/.github/workflows/flake-go.yaml index 1c7eb96dd0..e416519216 100644 --- a/.github/workflows/flake-go.yaml +++ b/.github/workflows/flake-go.yaml 
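Review bot: The replacement for the deleted `Install mise` step is not in this hunk, so it is not visible whether the non-nix matrix entries still get `mise` before `Build mise oci layer`, which keeps its `if: matrix.image-version != 'nix'` guard and presumably needs mise on PATH; please confirm the new setup step carries the same condition. The deleted comment also recorded two invariants — MISE_VERSION/MISE_SHA256 matching `dogfood/coder/ubuntu-*/Dockerfile.base`, and config trust being granted through a file under `~/.config/mise/conf.d/` for parity with workspaces — and neither is restated anywhere in this hunk. If the shared action now owns both, a comment such as `# mise version, checksum and config trust come from .github/actions/setup-mise; see the mise.toml header for the lockstep list.` keeps the rationale findable. The enclosing job starts outside the hunk.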
@@ -39,12 +39,16 @@ jobs: fetch-depth: 0 persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up Go + uses: ./.github/actions/setup-mise + with: + install-args: "go" - - name: Install whichtests - shell: bash - run: ./.github/scripts/retry.sh -- go install github.com/coder/whichtests@ec33bab1ec04cd86beb7a61a069db4463dba63f5 + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/whichtests - name: Select changed tests id: selector @@ -57,9 +61,11 @@ jobs: --coalesce \ --out-matrix "$RUNNER_TEMP/flake-matrix.json" - - name: Setup Terraform + - name: Set up Terraform if: ${{ fromJSON(steps.selector.outputs.matrix).include[0] != null }} - uses: ./.github/actions/setup-tf + uses: ./.github/actions/setup-mise + with: + install-args: "terraform" - name: Run targeted Go flake checks id: flake_check diff --git a/.github/workflows/nightly-gauntlet.yaml b/.github/workflows/nightly-gauntlet.yaml index 4d72ece76a..63aa8728e2 100644 --- a/.github/workflows/nightly-gauntlet.yaml +++ b/.github/workflows/nightly-gauntlet.yaml @@ -62,11 +62,16 @@ jobs: - name: Setup GNU tools (macOS) uses: ./.github/actions/setup-gnu-tools - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go terraform" - - name: Setup Terraform - uses: ./.github/actions/setup-tf + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:gotest.tools/gotestsum - name: Setup Embedded Postgres Cache Paths id: embedded-pg-cache diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml index df2d24007f..47b80e29c3 100644 --- a/.github/workflows/pr-deploy.yaml +++ b/.github/workflows/pr-deploy.yaml 
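Review bot: The step in the @@ -39 hunk is named `Set up Go` while every other workflow in this change names the identical action invocation `Set up mise tools` (nightly-gauntlet in this same line, pr-deploy, security, ci); renaming it to `- name: Set up mise tools` keeps step names greppable across workflows. In the nightly-gauntlet hunk, `mise install --locked go:gotest.tools/gotestsum` fails if that tool has no mise.lock entry, and gotestsum is not among the lockfile additions in this patch — presumably the entry already exists, but that is worth a quick check. The enclosing jobs start outside these hunks.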
@@ -238,14 +238,19 @@ jobs: fetch-depth: 0 persist-credentials: false - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go node pnpm" - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install - - name: Setup sqlc - uses: ./.github/actions/setup-sqlc + - name: Restore Go cache + uses: ./.github/actions/go-cache + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/coder/sqlc/cmd/sqlc - name: GHCR Login uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d7ef868576..2427e3586f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -172,13 +172,16 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise with: - use-cache: false + install-args: "go node pnpm helm cosign syft" - - name: Setup Node - uses: ./.github/actions/setup-node + - name: Install pnpm dependencies + uses: ./.github/actions/pnpm-install + + - name: Install Go mise tools + run: ./.github/scripts/retry.sh -- mise install --locked go:github.com/tc-hib/go-winres go:github.com/goreleaser/nfpm/v2/cmd/nfpm # Necessary for signing Windows binaries. - name: Setup Java 
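Review bot: In the release.yaml hunk the `Install Go mise tools` step builds go-winres and nfpm from source through mise's go backend, and the lockfile entries this patch adds for go: tools carry only `version` and `backend`, no checksum; integrity therefore rests entirely on the Go module proxy and checksum database, unlike the old commit-SHA pin for go-winres and the checksummed aqua entries used for syft and cosign. That is acceptable for a release job as long as the runner does not set GOFLAGS, GONOSUMDB or GOPROXY values that bypass sum.golang.org — I can't see the runner environment from here, so please confirm. A short comment on the step, e.g. `# go: tools are verified via the Go checksum database, not mise.lock checksums`, would make the trust model explicit. The enclosing job starts outside the hunk.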
@@ -187,19 +190,9 @@ jobs: distribution: "zulu" java-version: "11.0" - - name: Install go-winres - run: ./.github/scripts/retry.sh -- go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3 - - name: Install nsis and zstd run: sudo apt-get install -y nsis zstd - - name: Install nfpm - run: | - set -euo pipefail - wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.35.1/nfpm_2.35.1_amd64.deb - sudo dpkg -i /tmp/nfpm.deb - rm /tmp/nfpm.deb - - name: Install rcodesign run: | set -euo pipefail @@ -210,12 +203,6 @@ jobs: apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign rm /tmp/rcodesign.tar.gz - - name: Install cosign - uses: ./.github/actions/install-cosign - - - name: Install syft - uses: ./.github/actions/install-syft - - name: Setup Apple Developer certificate and API key run: | set -euo pipefail diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 72eee31d2d..6787e32c19 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -36,8 +36,13 @@ jobs: with: persist-credentials: false - - name: Setup Go - uses: ./.github/actions/setup-go + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "go" + + - name: Restore Go cache + uses: ./.github/actions/go-cache - name: Initialize CodeQL uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 diff --git a/.github/workflows/weekly-docs.yaml b/.github/workflows/weekly-docs.yaml index 505c8522de..85a14d8b6a 100644 --- a/.github/workflows/weekly-docs.yaml +++ b/.github/workflows/weekly-docs.yaml 
@@ -14,7 +14,54 @@ permissions: contents: read jobs: + prepare-linkspector-browser: + # later versions of Ubuntu have disabled unprivileged user namespaces, which are required by the action + runs-on: ubuntu-22.04 + permissions: + contents: read + env: + CHROME_BUILD_ID: "145.0.7632.77" + outputs: + browser-cache-key: ${{ steps.browser-versions.outputs.cache-key }} + chrome-path: ${{ steps.install-chrome.outputs.path }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Set up mise tools + uses: ./.github/actions/setup-mise + with: + install-args: "node npm:@puppeteer/browsers" + + - name: Get browser versions + id: browser-versions + run: | + set -euo pipefail + installer_version="$(mise current npm:@puppeteer/browsers)" + echo "cache-key=puppeteer-${RUNNER_OS}-${RUNNER_ARCH}-browsers-${installer_version}-chrome-${CHROME_BUILD_ID}" >> "$GITHUB_OUTPUT" + + - name: Restore Puppeteer browser cache + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ~/.cache/puppeteer + key: ${{ steps.browser-versions.outputs.cache-key }} + + - name: Install Linkspector Chrome + id: install-chrome + run: | + set -euo pipefail + chrome_path="$(browsers install "chrome@${CHROME_BUILD_ID}" --path "${HOME}/.cache/puppeteer" --format '{{path}}')" + echo "path=${chrome_path}" >> "$GITHUB_OUTPUT" + check-docs: + needs: prepare-linkspector-browser # later versions of Ubuntu have disabled unprivileged user namespaces, which are required by the action runs-on: ubuntu-22.04 permissions: 
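Review bot: The comment above `runs-on: ubuntu-22.04` in the new `prepare-linkspector-browser` job is copied from check-docs, but this job never runs the linkspector action, so the user-namespace justification does not apply to it; the real constraint is presumably that the Chrome binary cached here must be produced on the same runner image check-docs later executes it on. Suggested replacement: `# Must match check-docs' runner image: the Chrome binary cached here is reused there.` Separately, `Install Linkspector Chrome` shows no integrity check on the download and then persists the result under a version-only cache key, so whatever the first run fetched is what every later run uses; if `@puppeteer/browsers` verifies the archive itself that is fine, otherwise a comment on the step stating the trade-off would be useful. The check-docs job continues past the hunk.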
@@ -54,15 +101,21 @@ jobs: corepack enable pnpm mkdir -p "$(pnpm store path --silent)" + - name: Restore Puppeteer browser cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ~/.cache/puppeteer + key: ${{ needs.prepare-linkspector-browser.outputs.browser-cache-key }} + - name: Check Markdown links uses: umbrelladocs/action-linkspector@036f295d12b67b0c4b445bc83db0538afb78db69 # v1.5.2 id: markdown-link-check # checks all markdown files from /docs including all subfolders env: - # Use the runner-provided Chrome instead of letting linkspector's - # puppeteer download a specific version that may not match the - # runner's puppeteer cache. See: https://github.com/UmbrellaDocs/action-linkspector/issues/62 - PUPPETEER_EXECUTABLE_PATH: /usr/bin/google-chrome + # Use the Chrome build prepared from mise-pinned Puppeteer instead + # of letting linkspector download a mutable browser at runtime. + # See: https://github.com/UmbrellaDocs/action-linkspector/issues/62 + PUPPETEER_EXECUTABLE_PATH: ${{ needs.prepare-linkspector-browser.outputs.chrome-path }} with: reporter: github-pr-review config_file: ".github/.linkspector.yml" diff --git a/Makefile b/Makefile index b58f80eb68..be1992cb21 100644 --- a/Makefile +++ b/Makefile 
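Review bot: `Restore Puppeteer browser cache` in check-docs is a plain restore and a miss is not an error, so on a miss `PUPPETEER_EXECUTABLE_PATH` points at a path that does not exist and linkspector fails later with an opaque browser-launch error instead of at the step that actually went wrong. Since the prepare job has already populated the cache under the same key by the time this job runs, add `fail-on-cache-miss: true` to that restore step's `with:` block so the failure is loud and correctly attributed. The enclosing job starts before the hunk.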
@@ -728,11 +728,11 @@ endif # GitHub Actions linters are run in a separate CI job (lint-actions) that only # triggers when workflow files change, so we skip them here when CI=true. LINT_ACTIONS_TARGETS := $(if $(CI),,lint/actions/actionlint) -lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/check-scopes lint/migrations lint/bootstrap lint/architecture lint/emdash lint/agents $(LINT_ACTIONS_TARGETS) +lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown lint/check-scopes lint/migrations lint/bootstrap lint/architecture lint/emdash lint/agents lint/mise-versions $(LINT_ACTIONS_TARGETS) .PHONY: lint -# Subset of lint that does not require Go or Node toolchains. -lint-light: lint/shellcheck lint/markdown lint/helm lint/bootstrap lint/migrations lint/actions/actionlint lint/typos lint/emdash +# Fast lint subset for lightweight hooks. Some targets use mise-managed tools. +lint-light: lint/shellcheck lint/markdown lint/helm lint/bootstrap lint/migrations lint/actions/actionlint lint/typos lint/emdash lint/mise-versions .PHONY: lint-light lint/site-icons: @@ -745,9 +745,8 @@ lint/ts: site/node_modules/.installed .PHONY: lint/ts lint/go: - linter_ver=$$(grep -Eo '^golangci-lint = "[^"]+"' mise.toml | sed -E 's/.*"([^"]+)"/\1/') - go run github.com/golangci/golangci-lint/cmd/golangci-lint@v$$linter_ver run - go tool github.com/coder/paralleltestctx/cmd/paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./... + golangci-lint run + paralleltestctx -custom-funcs="testutil.Context,chatdTestContext" ./... go run ./scripts/intxcheck ./... .PHONY: lint/go 
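Review bot: `lint/go` in the @@ -745 hunk now invokes `golangci-lint` and `paralleltestctx` bare, whereas `lint/actions/actionlint` in the next hunk wraps its mise-managed tool in `mise exec … -- …`. With bare invocations a developer whose shell has not activated mise, or who has an older global golangci-lint on PATH, silently lints with a different version than the one pinned in mise.lock — exactly the drift the deleted `grep mise.toml` lookup was avoiding. Consider `mise exec -- golangci-lint run` and `mise exec -- paralleltestctx …`, or state in the `lint-light` comment that these targets assume an activated mise. The recipe is complete within the hunk.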
@@ -790,16 +789,27 @@ lint/actions: lint/actions/actionlint lint/actions/zizmor .PHONY: lint/actions lint/actions/actionlint: - go tool github.com/rhysd/actionlint/cmd/actionlint + mise exec actionlint -- actionlint .PHONY: lint/actions/actionlint +# zizmor uses GH_TOKEN to fetch imported workflows from GitHub; without it, +# external action references are skipped silently. lint/actions/zizmor: - ./scripts/zizmor.sh \ + @set -euo pipefail; \ + if [ -z "$${GH_TOKEN:-}" ] && command -v gh >/dev/null 2>&1; then \ + GH_TOKEN="$$(gh auth token 2>/dev/null || true)"; \ + export GH_TOKEN; \ + fi; \ + mise exec zizmor -- zizmor \ --strict-collection \ --persona=regular \ . .PHONY: lint/actions/zizmor +lint/mise-versions: + ./scripts/check_mise_versions.sh +.PHONY: lint/mise-versions + # Verify api_key_scope enum contains all RBAC : values. lint/check-scopes: coderd/database/dump.sql | _gen/bin/check-scopes _gen/bin/check-scopes @@ -811,28 +821,8 @@ lint/migrations: ./scripts/check_pg_schema.sh "Fixtures" $(FIXTURE_FILES) .PHONY: lint/migrations -TYPOS_VERSION := $(shell grep -oP 'crate-ci/typos@\S+\s+\#\s+v\K[0-9.]+' .github/workflows/ci.yaml) - -# Map uname values to typos release asset names. -TYPOS_ARCH := $(shell uname -m) -# typos release assets use aarch64, but macOS ARM reports arm64 via uname -m. -ifeq ($(TYPOS_ARCH),arm64) -TYPOS_ARCH := aarch64 -endif -ifeq ($(shell uname -s),Darwin) -TYPOS_OS := apple-darwin -else -TYPOS_OS := unknown-linux-musl -endif - -build/typos-$(TYPOS_VERSION): - mkdir -p build/ - curl -sSfL "https://github.com/crate-ci/typos/releases/download/v$(TYPOS_VERSION)/typos-v$(TYPOS_VERSION)-$(TYPOS_ARCH)-$(TYPOS_OS).tar.gz" \ - | tar -xzf - -C build/ ./typos - mv build/typos "$@" - -lint/typos: build/typos-$(TYPOS_VERSION) - build/typos-$(TYPOS_VERSION) --config .github/workflows/typos.toml +lint/typos: + typos --config .github/workflows/typos.toml .PHONY: lint/typos # pre-commit and pre-push mirror CI checks locally. 
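Review bot: The new `lint/actions/zizmor` recipe starts with `set -euo pipefail`, which only works if the Makefile sets `SHELL` to bash; under the default `/bin/sh` (dash on Debian-based systems) `pipefail` is an error and the target fails before zizmor runs. If `SHELL := bash` is set elsewhere in the Makefile this is fine, but it is not visible from the hunk. The recipe also falls back to the developer's `gh auth token` and otherwise proceeds without a token, which per the new comment means external action references are skipped silently and the lint passes with reduced coverage; an else branch with `echo "GH_TOKEN unset: external action references will be skipped" >&2` would make the degraded run visible. The recipe is complete within the hunk.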
diff --git a/docs/about/contributing/CONTRIBUTING.md b/docs/about/contributing/CONTRIBUTING.md index 164d52df24..16795b188a 100644 --- a/docs/about/contributing/CONTRIBUTING.md +++ b/docs/about/contributing/CONTRIBUTING.md @@ -58,7 +58,11 @@ Learn more [how Nix works](https://nixos.org/guides/how-nix-works). If you're not using the Nix environment, you can launch a local [DevContainer](https://github.com/coder/coder/tree/main/.devcontainer) to get a fully configured development environment. -DevContainers are supported in tools like **VS Code** and **GitHub Codespaces**, and come preloaded with all required dependencies: Docker, Go, Node.js with `pnpm`, and `make`. +DevContainers are supported in tools like **VS Code** and **GitHub Codespaces**, and come preloaded with all required dependencies: Docker, Go, Node.js with `pnpm`, `mise`, and `make`. + +For manual setup outside Nix and DevContainers, install Docker, `mise`, and +`make`. Run `mise install` from the repository root to install Go, Node.js +with `pnpm`, and development tools at the versions pinned in `mise.toml`. diff --git a/flake.nix b/flake.nix index e47b078777..5b92eb07ce 100644 --- a/flake.nix +++ b/flake.nix 
@@ -61,6 +61,30 @@ inherit nodejs; # Ensure it points to the above nodejs version }; + mise = pkgs.stdenvNoCC.mkDerivation rec { + pname = "mise"; + version = "2026.5.12"; + target = { + x86_64-linux = "linux-x64"; + aarch64-linux = "linux-arm64"; + x86_64-darwin = "macos-x64"; + aarch64-darwin = "macos-arm64"; + }.${system}; + src = pkgs.fetchurl { + url = "https://github.com/jdx/mise/releases/download/v${version}/mise-v${version}-${target}"; + hash = { + x86_64-linux = "sha256-ojiXKjFi1xC4WyjDJDculspOS0hsgf54aVAA2fvHfEg="; + aarch64-linux = "sha256-/S1SJ6itCx41nHBSeoNFqa2nIHf43LtVk3FlPD2VRk8="; + x86_64-darwin = "sha256-3lfo3IK72ICmnJvIruBrncxXgYSz5c+G/O+AY11qkLQ="; + aarch64-darwin = "sha256-53cHBUD/4iz4srn4iu2ItGHQiH2UDE8cGpc1lGPN5uE="; + }.${system}; + }; + dontUnpack = true; + installPhase = '' + install -Dm755 "$src" "$out/bin/mise" + ''; + }; + # Check in https://search.nixos.org/packages to find new packages. # Use `nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update` # to update the lock file if packages are out-of-date. @@ -109,6 +133,21 @@ vendorHash = "sha256-4Cb15MhKyhRvYVKfMqBwuC3WBBIJE6AinJt02+TSMVY="; }; + paralleltestctx = unstablePkgs.buildGo126Module { + pname = "paralleltestctx"; + version = "0.0.2"; + + src = pkgs.fetchFromGitHub { + owner = "coder"; + repo = "paralleltestctx"; + rev = "v0.0.2"; + sha256 = "sha256-qFQ4LZR2IwqscypD0URSZKXTlhUcz/axDb8NTH5CxLw="; + }; + + subPackages = [ "cmd/paralleltestctx" ]; + vendorHash = "sha256-OuQWmZmofdJKq1hvk43RPkILQwAuFzqhmB22Xf6Z3lA="; + }; + # Keep Terraform aligned with provisioner/terraform/testdata/version.txt # so `make gen` remains deterministic in Nix shells. terraform_1_15_5 = @@ -188,6 +227,7 @@ lazydocker lazygit less + mise unstablePkgs.mockgen moreutils nfpm @@ -195,6 +235,7 @@ nodejs openssh openssl + paralleltestctx pango pixman pkg-config diff --git a/go.mod b/go.mod index e13cebfcf3..d4ea36cb27 100644 --- a/go.mod +++ b/go.mod 
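Review bot: The new `mise` derivation installs a prebuilt GitHub release binary rather than the nixpkgs package, and nothing in the hunk says why; a comment such as `# Prebuilt release binary so the flake ships exactly the version pinned as min_version in mise.toml; bump the hashes together with that pin.` would tell the next maintainer how and when to update it. Because the binary is copied with `dontUnpack` and no patching, this also assumes the release asset is statically linked; if it is not, the store-path binary will fail to run on Linux without autoPatchelfHook — worth confirming once. The four per-platform hashes presumably mirror the values in `.github/actions/setup-mise/checksums.toml` in a different encoding, so the mise.toml header's lockstep list should cover them as long as `scripts/check_mise_versions.sh` checks this file too.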
@@ -571,7 +571,6 @@ require ( github.com/clipperhouse/displaywidth v0.10.0 // indirect github.com/clipperhouse/uax29/v2 v2.6.0 // indirect github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 // indirect - github.com/coder/paralleltestctx v0.0.2 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect @@ -618,7 +617,6 @@ require ( github.com/lestrrat-go/httprc/v3 v3.0.5 // indirect github.com/lestrrat-go/jwx/v3 v3.1.1 // indirect github.com/lestrrat-go/option/v2 v2.0.0 // indirect - github.com/mattn/go-shellwords v1.0.12 // indirect github.com/minio/highwayhash v1.0.4-0.20251030100505-070ab1a87a76 // indirect github.com/moby/moby/api v1.54.0 // indirect github.com/moby/moby/client v0.3.0 // indirect @@ -632,7 +630,6 @@ require ( github.com/pb33f/ordered-map/v2 v2.3.1 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect - github.com/rhysd/actionlint v1.7.10 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/samber/lo v1.52.0 // indirect github.com/segmentio/asm v1.2.1 // indirect @@ -664,9 +661,7 @@ require ( ) tool ( - github.com/coder/paralleltestctx/cmd/paralleltestctx github.com/daixiang0/gci - github.com/rhysd/actionlint/cmd/actionlint github.com/swaggo/swag/cmd/swag go.uber.org/mock/mockgen golang.org/x/tools/cmd/goimports diff --git a/go.sum b/go.sum index e639f168f3..5840cb7bf5 100644 --- a/go.sum +++ b/go.sum 
@@ -334,8 +334,6 @@ github.com/coder/go-scim/pkg/v2 v2.0.0-20230221055123-1d63c1222136 h1:0RgB61LcNs github.com/coder/go-scim/pkg/v2 v2.0.0-20230221055123-1d63c1222136/go.mod h1:VkD1P761nykiq75dz+4iFqIQIZka189tx1BQLOp0Skc= github.com/coder/guts v1.7.0 h1:TaZ/PR9wgN8dlbcckaWV1MxkkuEFZRwSRwBBEm8dYXs= github.com/coder/guts v1.7.0/go.mod h1:30SShdvpmsauNlsNjECRB5AppScjYk08rf2ZVpH3MFg= -github.com/coder/paralleltestctx v0.0.2 h1:0akzA1oSV0LOl7loR8Mmoq/mu7qGDaFV8DpojotmXiE= -github.com/coder/paralleltestctx v0.0.2/go.mod h1:q/wi6cmlBOhrJKjUtouTn4J9xZlRhK0MbgHvJNdGW3w= github.com/coder/pq v1.10.5-0.20250807075151-6ad9b0a25151 h1:YAxwg3lraGNRwoQ18H7R7n+wsCqNve7Brdvj0F1rDnU= github.com/coder/pq v1.10.5-0.20250807075151-6ad9b0a25151/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0 h1:3A0ES21Ke+FxEM8CXx9n47SZOKOpgSE1bbJzlE4qPVs= @@ -881,8 +879,6 @@ github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+Ei github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw= github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs= -github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk= -github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw= 
@@ -1063,8 +1059,6 @@ github.com/quasilyte/go-ruleguard/dsl v0.3.23 h1:lxjt5B6ZCiBeeNO8/oQsegE6fLeCzuM github.com/quasilyte/go-ruleguard/dsl v0.3.23/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/rhysd/actionlint v1.7.10 h1:FL3XIEs72G4/++168vlv5FKOWMSWvWIQw1kBCadyOcM= -github.com/rhysd/actionlint v1.7.10/go.mod h1:ZHX/hrmknlsJN73InPTKsKdXpAv9wVdrJy8h8HAwFHg= github.com/riandyrn/otelchi v0.5.1 h1:0/45omeqpP7f/cvdL16GddQBfAEmZvUyl2QzLSE6uYo= github.com/riandyrn/otelchi v0.5.1/go.mod h1:ZxVxNEl+jQ9uHseRYIxKWRb3OY8YXFEu+EkNiiSNUEA= github.com/richardartoul/molecule v1.0.1-0.20240531184615-7ca0df43c0b3 h1:4+LEVOB87y175cLJC/mbsgKmoDOjrBldtXvioEy96WY= diff --git a/mise.lock b/mise.lock index babc55e498..9acd58a7c9 100644 --- a/mise.lock +++ b/mise.lock 
@@ -1,5 +1,53 @@ # @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html +[[tools.actionlint]] +version = "1.7.10" +backend = "aqua:rhysd/actionlint" + +[tools.actionlint."platforms.linux-arm64"] +checksum = "sha256:cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_arm64.tar.gz" + +[tools.actionlint."platforms.linux-arm64-musl"] +checksum = "sha256:cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_arm64.tar.gz" + +[tools.actionlint."platforms.linux-x64"] +checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz" + +[tools.actionlint."platforms.linux-x64-baseline"] +checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz" + +[tools.actionlint."platforms.linux-x64-musl"] +checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz" + +[tools.actionlint."platforms.linux-x64-musl-baseline"] +checksum = "sha256:f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_linux_amd64.tar.gz" + +[tools.actionlint."platforms.macos-arm64"] +checksum = "sha256:004ca87b367b37f4d75c55ab6cf80f9b8c043adbfbd440f31c604d417939c442" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_arm64.tar.gz" + +[tools.actionlint."platforms.macos-x64"] +checksum = 
"sha256:16782c41f2af264db80f855ee5d09164ca98fc78edf3bcd0f46eecff279682ba" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_amd64.tar.gz" + +[tools.actionlint."platforms.macos-x64-baseline"] +checksum = "sha256:16782c41f2af264db80f855ee5d09164ca98fc78edf3bcd0f46eecff279682ba" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_darwin_amd64.tar.gz" + +[tools.actionlint."platforms.windows-x64"] +checksum = "sha256:283467f9d6202a8cb8c00ad8dd0ee4e685b71fb86a6a56c68fcbb9ae8ed91237" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_windows_amd64.zip" + +[tools.actionlint."platforms.windows-x64-baseline"] +checksum = "sha256:283467f9d6202a8cb8c00ad8dd0ee4e685b71fb86a6a56c68fcbb9ae8ed91237" +url = "https://github.com/rhysd/actionlint/releases/download/v1.7.10/actionlint_1.7.10_windows_amd64.zip" + [[tools."aqua:ahmetb/kubectx/kubens"]] version = "0.9.4" backend = "aqua:ahmetb/kubectx/kubens" 
@@ -432,14 +480,26 @@ url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip" checksum = "sha256:98eb3570bade15cb826b0909338df6cc6d2cf590bc39c471142002db3832b708" url = "https://dl.google.com/go/go1.26.2.windows-amd64.zip" +[[tools."go:github.com/coder/paralleltestctx/cmd/paralleltestctx"]] +version = "0.0.2" +backend = "go:github.com/coder/paralleltestctx/cmd/paralleltestctx" + [[tools."go:github.com/coder/sqlc/cmd/sqlc"]] version = "337309bfb9524f38466a5090e310040fc7af0203" backend = "go:github.com/coder/sqlc/cmd/sqlc" +[[tools."go:github.com/coder/whichtests"]] +version = "ec33bab1ec04cd86beb7a61a069db4463dba63f5" +backend = "go:github.com/coder/whichtests" + [[tools."go:github.com/golang-migrate/migrate/v4/cmd/migrate"]] version = "v4.19.0" backend = "go:github.com/golang-migrate/migrate/v4/cmd/migrate" +[[tools."go:github.com/golangci/golangci-lint/cmd/golangci-lint"]] +version = "1.64.8" +backend = "go:github.com/golangci/golangci-lint/cmd/golangci-lint" + [[tools."go:github.com/goreleaser/nfpm/v2/cmd/nfpm"]] version = "v2.35.1" backend = "go:github.com/goreleaser/nfpm/v2/cmd/nfpm" @@ -452,10 +512,18 @@ backend = "go:github.com/mikefarah/yq/v4" version = "v0.3.13" backend = "go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" +[[tools."go:github.com/slsyy/mtimehash/cmd/mtimehash"]] +version = "1.0.0" +backend = "go:github.com/slsyy/mtimehash/cmd/mtimehash" + [[tools."go:github.com/swaggo/swag/cmd/swag"]] version = "v1.16.2" backend = "go:github.com/swaggo/swag/cmd/swag" +[[tools."go:github.com/tc-hib/go-winres"]] +version = "0.3.3" +backend = "go:github.com/tc-hib/go-winres" + [[tools."go:go.uber.org/mock/mockgen"]] version = "v0.6.0" backend = "go:go.uber.org/mock/mockgen" 
@@ -480,54 +548,6 @@ backend = "go:mvdan.cc/sh/v3/cmd/shfmt" version = "v0.0.34" backend = "go:storj.io/drpc/cmd/protoc-gen-go-drpc" -[[tools.golangci-lint]] -version = "1.64.8" -backend = "aqua:golangci/golangci-lint" - -[tools.golangci-lint."platforms.linux-arm64"] -checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz" - -[tools.golangci-lint."platforms.linux-arm64-musl"] -checksum = "sha256:a6ab58ebcb1c48572622146cdaec2956f56871038a54ed1149f1386e287789a5" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-arm64.tar.gz" - -[tools.golangci-lint."platforms.linux-x64"] -checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" - -[tools.golangci-lint."platforms.linux-x64-baseline"] -checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" - -[tools.golangci-lint."platforms.linux-x64-musl"] -checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" - -[tools.golangci-lint."platforms.linux-x64-musl-baseline"] -checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz" - -[tools.golangci-lint."platforms.macos-arm64"] -checksum = "sha256:70543d21e5b02a94079be8aa11267a5b060865583e337fe768d39b5d3e2faf1f" -url = 
"https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-arm64.tar.gz" - -[tools.golangci-lint."platforms.macos-x64"] -checksum = "sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz" - -[tools.golangci-lint."platforms.macos-x64-baseline"] -checksum = "sha256:b52aebb8cb51e00bfd5976099083fbe2c43ef556cef9c87e58a8ae656e740444" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-darwin-amd64.tar.gz" - -[tools.golangci-lint."platforms.windows-x64"] -checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip" - -[tools.golangci-lint."platforms.windows-x64-baseline"] -checksum = "sha256:54c2ed3a6b4f2f5da1056fb6e83d6b73b592e06684b65a5999174fabbb251a8f" -url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-windows-amd64.zip" - [[tools.helm]] version = "3.21.0" backend = "aqua:helm/helm" @@ -723,6 +743,10 @@ url = "https://nodejs.org/dist/v22.19.0/node-v22.19.0-win-x64.zip" version = "0.87.0" backend = "npm:@devcontainers/cli" +[[tools."npm:@puppeteer/browsers"]] +version = "2.13.0" +backend = "npm:@puppeteer/browsers" + [[tools.pnpm]] version = "10.33.2" backend = "aqua:pnpm/pnpm" 
@@ -848,52 +872,52 @@ url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/ url = "https://github.com/protocolbuffers/protobuf-go/releases/download/v1.30.0/protoc-gen-go.v1.30.0.windows.amd64.zip" [[tools.syft]] -version = "1.20.0" +version = "1.26.1" backend = "aqua:anchore/syft" [tools.syft."platforms.linux-arm64"] -checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz" +checksum = "sha256:ed3915cbc9c039f0501cb49d4485125befbd729acc263e767f70a18de3fec10d" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_arm64.tar.gz" [tools.syft."platforms.linux-arm64-musl"] -checksum = "sha256:53f76737ddbf425c89240d5b0be0990b1a71e66890b44f19743221b17e6ee635" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_arm64.tar.gz" +checksum = "sha256:ed3915cbc9c039f0501cb49d4485125befbd729acc263e767f70a18de3fec10d" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_arm64.tar.gz" [tools.syft."platforms.linux-x64"] -checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" +checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz" [tools.syft."platforms.linux-x64-baseline"] -checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" +checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz" [tools.syft."platforms.linux-x64-musl"] -checksum = 
"sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" +checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz" [tools.syft."platforms.linux-x64-musl-baseline"] -checksum = "sha256:689e12c5cbf67521ce61b9c126068f9eaabe1223e77971b2fede50033ff6b5cc" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz" +checksum = "sha256:4f3e84f9467080c876deb0fa968da54309c6d21fb8c00fd3a4e547eb9f006835" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_linux_amd64.tar.gz" [tools.syft."platforms.macos-arm64"] -checksum = "sha256:91365712a06af0c0dcd06f5e87fc8791c4332831b3dd6f5474acaaf803d71d82" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_arm64.tar.gz" +checksum = "sha256:00435a3fe2ae940203708ee2eae9976d1719982c628d30b2b78aacd36133ec6b" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_arm64.tar.gz" [tools.syft."platforms.macos-x64"] -checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz" +checksum = "sha256:2eae0b76a208c5916cf02847b94e861024c7a5a6c1e2e606f5436f97747b1f76" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_amd64.tar.gz" [tools.syft."platforms.macos-x64-baseline"] -checksum = "sha256:5fdf7afd0f1bfdbb2a1a575eacef8e10edfcb4783631baaa7572a9f4a4d86441" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_darwin_amd64.tar.gz" +checksum = "sha256:2eae0b76a208c5916cf02847b94e861024c7a5a6c1e2e606f5436f97747b1f76" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_darwin_amd64.tar.gz" 
[tools.syft."platforms.windows-x64"] -checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip" +checksum = "sha256:7af7acb9f81bdddbc343855cb3a42e1d38ae9a1b044bfcd9b975a118d107849e" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_windows_amd64.zip" [tools.syft."platforms.windows-x64-baseline"] -checksum = "sha256:b8bfdedb261de2a69768097422a73bc72273ee92136ff676a20c3161e658881f" -url = "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_windows_amd64.zip" +checksum = "sha256:7af7acb9f81bdddbc343855cb3a42e1d38ae9a1b044bfcd9b975a118d107849e" +url = "https://github.com/anchore/syft/releases/download/v1.26.1/syft_1.26.1_windows_amd64.zip" [[tools.terraform]] version = "1.15.5" 
@@ -942,3 +966,56 @@ url = "https://releases.hashicorp.com/terraform/1.15.5/terraform_1.15.5_windows_
 [tools.terraform."platforms.windows-x64-baseline"]
 checksum = "sha256:2f652dd854af7b7fbb51301afc55b5ef1d3f6e287be7889d4cc3818df891cd38"
 url = "https://releases.hashicorp.com/terraform/1.15.5/terraform_1.15.5_windows_amd64.zip"
+
+[[tools.zizmor]]
+version = "1.11.0"
+backend = "aqua:zizmorcore/zizmor"
+
+[tools.zizmor."platforms.linux-arm64"]
+checksum = "sha256:ce6d71e796b7d3663449151b08cee7c659f89bf36095c432e25169c857f479f0"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-aarch64-unknown-linux-gnu.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-arm64-musl"]
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-x64"]
+checksum = "sha256:da35e666827cbb1e6ca98b18b7969657b9f186467bfebfa25e730aac527c36f8"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-unknown-linux-gnu.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-x64-baseline"]
+checksum = "sha256:da35e666827cbb1e6ca98b18b7969657b9f186467bfebfa25e730aac527c36f8"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-unknown-linux-gnu.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-x64-musl"]
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.linux-x64-musl-baseline"]
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.macos-arm64"]
+checksum = "sha256:7cf59f08cb50f539ab9ddc6be1d463c81e31f5b189d148fc6f786adf9fc42a5f"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-aarch64-apple-darwin.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.macos-x64"]
+checksum = "sha256:a1f60dd09527ce546ff86e49ebfa1ab4a6c5d16365662e6932f8d0f46fbb18b2"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-apple-darwin.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.macos-x64-baseline"]
+checksum = "sha256:a1f60dd09527ce546ff86e49ebfa1ab4a6c5d16365662e6932f8d0f46fbb18b2"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-apple-darwin.tar.gz"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.windows-x64"]
+checksum = "sha256:35e038bdbde6fcfdf947c947c7c3fc83c5043e0ded0e5b0d59c30c8eda97fd3a"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-pc-windows-msvc.zip"
+provenance = "github-attestations"
+
+[tools.zizmor."platforms.windows-x64-baseline"]
+checksum = "sha256:35e038bdbde6fcfdf947c947c7c3fc83c5043e0ded0e5b0d59c30c8eda97fd3a"
+url = "https://github.com/zizmorcore/zizmor/releases/download/v1.11.0/zizmor-x86_64-pc-windows-msvc.zip"
+provenance = "github-attestations"
diff --git a/mise.toml b/mise.toml
index b148fe41c6..4ce58d3c86 100644
--- a/mise.toml
+++ b/mise.toml
@@ -1,5 +1,6 @@
-# Keep in lockstep with MISE_VERSION in dogfood/coder/ubuntu-*/Dockerfile.base,
-# .github/workflows/dogfood.yaml, and scripts/dogfood/mise-oci-wrapper.sh.
+# Keep in lockstep with .github/actions/setup-mise/action.yml,
+# .github/actions/setup-mise/checksums.toml, flake.nix,
+# dogfood/coder/ubuntu-*/Dockerfile.base, and scripts/dogfood/mise-oci-wrapper.sh.
 min_version = "2026.5.12"
 [settings]
@@ -19,8 +20,17 @@ protoc = "23.4"
 protoc-gen-go = "1.30.0"
 # Go development tools.
+"go:github.com/coder/paralleltestctx/cmd/paralleltestctx" = "v0.0.2"
+"go:github.com/coder/whichtests" = "ec33bab1ec04cd86beb7a61a069db4463dba63f5"
+# Keep golangci-lint on the Go backend while pinned to v1. The upstream
+# precompiled v1 binary is built with an older Go toolchain and cannot lint
+# this module's Go version. Upgrading to v2 should let us use the native
+# golangci-lint mise/aqua backend and GitHub release binaries.
+"go:github.com/golangci/golangci-lint/cmd/golangci-lint" = "v1.64.8"
 "go:github.com/golang-migrate/migrate/v4/cmd/migrate" = "v4.19.0"
 "go:github.com/goreleaser/nfpm/v2/cmd/nfpm" = "v2.35.1"
+"go:github.com/slsyy/mtimehash/cmd/mtimehash" = "v1.0.0"
+"go:github.com/tc-hib/go-winres" = "v0.3.3"
 "go:github.com/mikefarah/yq/v4" = "v4.44.3"
 "go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" = "v0.3.13"
 "go:github.com/swaggo/swag/cmd/swag" = "v1.16.2"
@@ -30,17 +40,18 @@ protoc-gen-go = "1.30.0"
 "go:mvdan.cc/sh/v3/cmd/shfmt" = "v3.12.0"
 # Infrastructure, release, and lint CLIs.
+actionlint = "1.7.10"
 "aqua:ahmetb/kubectx/kubens" = "0.9.4"
 cosign = "2.4.3"
 # crane is the registry client `mise oci push` shells out to. Sourced
 # here so it travels with the rest of the mise toolset (one source of
 # truth, deterministic version, no apt drift across CI / wrapper).
 crane = "0.21.6"
-golangci-lint = "1.64.8"
 helm = "3.21.0"
 kubectx = "0.9.4"
-syft = "1.20.0"
+syft = "1.26.1"
 terraform = "1.15.5"
+zizmor = "1.11.0"
 # Developer-environment niceties for the dogfood image. Non-dogfood
 # users who run `mise install` here will pull these too; they are
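Review bot: The golangci-lint comment on the added lines explains why the tool moved to the `go:` backend but not what integrity guarantee replaces the release-binary checksum that the removed `golangci-lint = "1.64.8"` aqua pin carried in mise.lock, which is the first question a reader of this pin list will ask. As far as I can tell the `go:` backend builds via `go install` at the pinned version, so module contents are verified against the Go checksum database unless GONOSUMDB or GOFLAGS disable it; state that next to the pin, e.g. `# Integrity: go: tools are built from source by go install and checked against GOSUMDB, not against a release checksum in mise.lock.` Pinning whichtests to a full commit SHA rather than a branch name is the right shape for an untagged module; keep that convention for any further untagged `go:` entries.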
@@ -60,6 +71,9 @@ lazygit = "0.61.1"
 # Pre-installs the binary so the upstream devcontainers-cli coder
 # module's `command -v devcontainer` short-circuit fires
 "npm:@devcontainers/cli" = "0.87.0"
+# weekly-docs uses this pinned Puppeteer browser installer to install Chrome for
+# action-linkspector without resolving mutable npm metadata at runtime.
+"npm:@puppeteer/browsers" = "2.13.0"
 # sqlc (coder fork) bundles sqlite via cgo, so the `go install` build
 # needs CGO_ENABLED=1. Scope it with `install_env` so it only applies
diff --git a/scripts/check_go_versions.sh b/scripts/check_go_versions.sh
index fb811838a6..5cbd9c5fb9 100755
--- a/scripts/check_go_versions.sh
+++ b/scripts/check_go_versions.sh
@@ -5,7 +5,6 @@
 # - go.mod
 # - mise.toml (the dogfood image installs from this manifest)
 # - flake.nix
-# - .github/actions/setup-go/action.yml
 # The version of Go in go.mod is considered the source of truth.
 set -euo pipefail
@@ -19,23 +18,17 @@ IGNORE_NIX=${IGNORE_NIX:-false}
 GO_VERSION_GO_MOD=$(grep -Eo 'go [0-9]+\.[0-9]+\.[0-9]+' ./go.mod | cut -d' ' -f2)
 GO_VERSION_MISE_TOML=$(grep -Eo '^go = "[0-9]+\.[0-9]+\.[0-9]+"' ./mise.toml | sed -E 's/.*"([^"]+)"/\1/')
-GO_VERSION_SETUP_GO=$(yq '.inputs.version.default' .github/actions/setup-go/action.yaml)
 GO_VERSION_FLAKE_NIX=$(grep -Eo '\bgo_[0-9]+_[0-9]+\b' ./flake.nix)
 # Convert to major.minor format.
 GO_VERSION_FLAKE_NIX_MAJOR_MINOR=$(echo "$GO_VERSION_FLAKE_NIX" | cut -d '_' -f 2-3 | tr '_' '.')
 log "INFO : go.mod : $GO_VERSION_GO_MOD"
 log "INFO : mise.toml : $GO_VERSION_MISE_TOML"
-log "INFO : setup-go/action.yaml : $GO_VERSION_SETUP_GO"
 log "INFO : flake.nix : $GO_VERSION_FLAKE_NIX_MAJOR_MINOR"
 if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_MISE_TOML" ]; then
 error "Go version mismatch between go.mod and mise.toml"
 fi
-if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_SETUP_GO" ]; then
- error "Go version mismatch between go.mod and .github/actions/setup-go/action.yaml"
-fi
-
 # At the time of writing, Nix only constrains the major.minor version.
 # We need to check that specifically.
 if [ "$IGNORE_NIX" = "false" ]; then
diff --git a/scripts/check_mise_versions.sh b/scripts/check_mise_versions.sh
new file mode 100755
index 0000000000..20ad1bc929
--- /dev/null
+++ b/scripts/check_mise_versions.sh
@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+
+# This script checks the mise values used by CI and dogfood images:
+# - mise.toml min_version is the source of truth for the mise version.
+# - .github/actions/setup-mise/checksums.toml stores pinned binary checksums.
+# - .github/actions/setup-mise/action.yml
+# - flake.nix
+# - scripts/dogfood/mise-oci-wrapper.sh
+# - dogfood/coder/ubuntu-*/Dockerfile.base
+
+set -euo pipefail
+# shellcheck source=scripts/lib.sh
+source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
+cdroot
+
+check_not_empty() {
+ local label="$1"
+ local value="$2"
+
+ log "INFO : ${label}: ${value}"
+ if [[ -z "${value}" ]]; then
+ error "Missing mise value for ${label}"
+ fi
+}
+
+check_equal() {
+ local label="$1"
+ local actual="$2"
+ local expected="$3"
+
+ check_not_empty "${label}" "${actual}"
+ if [[ "${actual}" != "${expected}" ]]; then
+ error "Mise mismatch for ${label}: expected ${expected}, got ${actual}"
+ fi
+}
+
+check_sha256_format() {
+ local label="$1"
+ local value="$2"
+
+ if [[ -z "${value}" ]]; then
+ error "Missing mise value for ${label}"
+ fi
+ if [[ ! "${value}" =~ ^[a-f0-9]{64}$ ]]; then
+ error "Expected 64-character lowercase SHA256 for ${label}: ${value}"
+ fi
+}
+
+mise_version="$(sed -n 's/^min_version = "\([^"]*\)"/\1/p' mise.toml)"
+check_not_empty "mise.toml min_version" "${mise_version}"
+
+action_version="$(
+ awk '
+ $1 == "mise-version:" { in_input = 1; next }
+ in_input && /^ [A-Za-z0-9_-]+:/ { exit }
+ in_input && $1 == "default:" {
+ gsub(/"/, "", $2)
+ print $2
+ exit
+ }
+ ' .github/actions/setup-mise/action.yml
+)"
+check_equal ".github/actions/setup-mise/action.yml" "${action_version}" "${mise_version}"
+
+checksum_version="$(
+ awk -v version="${mise_version}" '
+ $0 == "[\"" version "\"]" {
+ print version
+ exit
+ }
+ ' .github/actions/setup-mise/checksums.toml
+)"
+check_equal ".github/actions/setup-mise/checksums.toml" "${checksum_version}" "${mise_version}"
+
+declare -A setup_mise_checksums=()
+for target in linux-x64 linux-arm64 macos-x64 macos-arm64 windows-x64; do
+ checksum="$(./scripts/mise_checksum.sh .github/actions/setup-mise/checksums.toml "${mise_version}" "${target}")"
+ check_not_empty ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}"
+ check_sha256_format ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}"
+ setup_mise_checksums["${target}"]="${checksum}"
+done
+linux_x64_checksum="${setup_mise_checksums["linux-x64"]}"
+
+sri_sha256_to_hex() {
+ local label="$1"
+ local sri="$2"
+
+ if [[ "${sri}" != sha256-* ]]; then
+ error "Expected SRI SHA256 hash for ${label}: ${sri}"
+ fi
+
+ printf '%s' "${sri#sha256-}" | openssl base64 -A -d | od -An -tx1 -v | tr -d ' \n'
+}
+
+flake_version="$(
+ awk '
+ /^[[:space:]]*mise = / { in_mise = 1; next }
+ in_mise && /^[[:space:]]*version = / {
+ gsub(/[";]/, "", $3)
+ print $3
+ exit
+ }
+ in_mise && /^[[:space:]]*};/ { exit }
+ ' flake.nix
+)"
+check_equal "flake.nix" "${flake_version}" "${mise_version}"
+
+declare -A flake_targets=(
+ ["x86_64-linux"]="linux-x64"
+ ["aarch64-linux"]="linux-arm64"
+ ["x86_64-darwin"]="macos-x64"
+ ["aarch64-darwin"]="macos-arm64"
+)
+for system in "${!flake_targets[@]}"; do
+ target="${flake_targets[${system}]}"
+ expected_checksum="${setup_mise_checksums[${target}]}"
+
+ flake_hash="$(
+ awk -v nix_system="${system}" '
+ /^[[:space:]]*hash = \{/ { in_hash = 1; next }
+ in_hash && $1 == nix_system {
+ gsub(/[";]/, "", $3)
+ print $3
+ exit
+ }
+ in_hash && /^[[:space:]]*};/ { exit }
+ ' flake.nix
+ )"
+ check_not_empty "flake.nix ${system} hash" "${flake_hash}"
+
+ actual_checksum="$(sri_sha256_to_hex "flake.nix ${system}" "${flake_hash}")"
+ check_equal "flake.nix ${system} sha256" "${actual_checksum}" "${expected_checksum}"
+done
+
+wrapper_version="$(sed -n 's/^MISE_VERSION="v\([^"]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)"
+check_equal "scripts/dogfood/mise-oci-wrapper.sh" "${wrapper_version}" "${mise_version}"
+wrapper_checksum="$(sed -n 's/^MISE_SHA256="\([a-f0-9]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)"
+check_equal "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}" "${linux_x64_checksum}"
+check_sha256_format "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}"
+
+for dockerfile in dogfood/coder/ubuntu-*/Dockerfile.base; do
+ dockerfile_version="$(sed -n 's/.*MISE_VERSION=v\([0-9.]*\).*/\1/p' "${dockerfile}" | head -n 1)"
+ check_equal "${dockerfile}" "${dockerfile_version}" "${mise_version}"
+
+ dockerfile_checksum="$(sed -n 's/.*MISE_SHA256=\([a-f0-9]*\).*/\1/p' "${dockerfile}" | head -n 1)"
+ check_equal "${dockerfile} sha256" "${dockerfile_checksum}" "${linux_x64_checksum}"
+ check_sha256_format "${dockerfile} sha256" "${dockerfile_checksum}"
+done
+
+log "Mise version check passed, all versions are ${mise_version}"
diff --git a/scripts/mise_checksum.sh b/scripts/mise_checksum.sh
new file mode 100755
index 0000000000..52fcc73aa1
--- /dev/null
+++ b/scripts/mise_checksum.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Print the pinned mise SHA256 checksum for a version and release target.
+
+set -euo pipefail
+
+if [[ "$#" -ne 3 ]]; then
+ echo "usage: $0 " >&2
+ exit 1
+fi
+
+checksums_file="$1"
+mise_version="$2"
+target="$3"
+
+awk -F= -v version="${mise_version}" -v target="${target}" '
+ $0 == "[\"" version "\"]" { in_table = 1; next }
+ /^\[/ { in_table = 0 }
+ in_table {
+ key = $1
+ gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
+ if (key == target) {
+ value = $2
+ gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
+ gsub(/^"|"$/, "", value)
+ print value
+ exit
+ }
+ }
+' "${checksums_file}"
diff --git a/scripts/should_deploy.sh b/scripts/should_deploy.sh
index 003828b411..a23d3293d6 100755
--- a/scripts/should_deploy.sh
+++ b/scripts/should_deploy.sh
@@ -1,7 +1,6 @@
 #!/usr/bin/env bash
-# This script determines if a commit in either the main branch or a
-# `release/x.y` branch should be deployed to dogfood.
+# This script determines if the current branch should be deployed to dogfood.
 #
 # To avoid masking unrelated failures, this script will return 0 in either case,
 # and will print `DEPLOY` or `NOOP` to stdout.
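Review bot: When the version table or the target key is absent, the awk program prints nothing and the script still exits 0, so any caller that does not check for empty output receives an empty checksum; check_mise_versions.sh guards for this, but a future download step calling this helper directly would verify nothing. Capture the awk output in a variable and fail on empty, e.g. `[[ -n "${checksum}" ]] || { echo "$0: no ${target} checksum for mise ${mise_version} in ${checksums_file}" >&2; exit 1; }` before printing it. The usage line also reads `usage: $0 ` with no argument names, which looks like the `<checksums_file> <version> <target>` placeholders were lost, possibly only in this rendering; if the file really lacks them, restore them.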
@@ -11,73 +10,16 @@ set -euo pipefail
 source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
 cdroot
-deploy_branch=main
-
-# Determine the current branch name and check that it is one of the supported
-# branch names.
 branch_name=$(git branch --show-current)
-# Short circuit: we no longer deploy release branches to dogfood, and instead
-# test them on the stable deployment.
+# We no longer deploy release branches to dogfood, and instead test them on the
+# stable deployment.
 # TODO: once we're happy with the new deployment process, we can remove this
-# script and the related github workflow stuff.
+# script and the related GitHub workflow.
 if [[ "$branch_name" == "main" ]]; then
 log "VERDICT: DEPLOY"
 echo "DEPLOY" # stdout
- exit 0
 else
 log "VERDICT: NOOP"
 echo "NOOP" # stdout
- exit 0
-fi
-
-if [[ "$branch_name" != "main" && ! "$branch_name" =~ ^release/[0-9]+\.[0-9]+$ ]]; then
- error "Current branch '$branch_name' is not a supported branch name for dogfood, must be 'main' or 'release/x.y'"
-fi
-log "Current branch '$branch_name'"
-
-# Determine the remote name
-remote=$(git remote -v | grep coder/coder | awk '{print $1}' | head -n1)
-if [[ -z "${remote}" ]]; then
- error "Could not find remote for coder/coder"
-fi
-log "Using remote '$remote'"
-
-# Step 1: List all release branches and sort them by major/minor so we can find
-# the latest release branch.
-release_branches=$(
- git branch -r --format='%(refname:short)' |
- grep -E "${remote}/release/[0-9]+\.[0-9]+$" |
- sed "s|${remote}/||" |
- sort -V
-)
-
-# As a sanity check, release/2.26 should exist.
-if ! echo "$release_branches" | grep "release/2.26" >/dev/null; then
- error "Could not find existing release branches. Did you run 'git fetch -ap ${remote}'?"
-fi
-
-latest_release_branch=$(echo "$release_branches" | tail -n 1)
-latest_release_branch_version=${latest_release_branch#release/}
-log "Latest release branch: $latest_release_branch"
-log "Latest release branch version: $latest_release_branch_version"
-
-# Step 2: check if a matching tag `v.0` exists. If it does not, we will
-# use the release branch as the deploy branch.
-if ! git rev-parse "refs/tags/v${latest_release_branch_version}.0" >/dev/null 2>&1; then
- log "Tag 'v${latest_release_branch_version}.0' does not exist, using release branch as deploy branch"
- deploy_branch=$latest_release_branch
-else
- log "Matching tag 'v${latest_release_branch_version}.0' exists, using main as deploy branch"
-fi
-log "Deploy branch: $deploy_branch"
-
-# Finally, check if the current branch is the deploy branch.
-log
-if [[ "$branch_name" != "$deploy_branch" ]]; then
- log "VERDICT: DO NOT DEPLOY"
- echo "NOOP" # stdout
-else
- log "VERDICT: DEPLOY"
- echo "DEPLOY" # stdout
 fi
diff --git a/scripts/zizmor.sh b/scripts/zizmor.sh
deleted file mode 100755
index a9326e2ee0..0000000000
--- a/scripts/zizmor.sh
+++ /dev/null
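Review bot: The surviving check keys off `git branch --show-current`, which prints an empty string when HEAD is detached (the usual state of a CI checkout of a specific commit), so those runs fall into the else branch and print NOOP; that is the safe direction, but nothing in the new code says it is intentional. Add a comment above the `if`, e.g. `# An empty branch name (detached HEAD, as in a CI checkout of a commit) falls through to NOOP; only an explicit checkout of main deploys.` The removed `exit 0` lines were redundant with the script's documented always-zero exit status, so dropping them changes nothing for callers.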
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-# Usage: ./zizmor.sh [args...]
-#
-# This script is a wrapper around the zizmor Docker image. Zizmor lints GitHub
-# actions workflows.
-#
-# We use Docker to run zizmor since it's written in Rust and is difficult to
-# install on Ubuntu runners without building it with a Rust toolchain, which
-# takes a long time.
-#
-# The repo is mounted at /repo and the working directory is set to /repo.
-
-set -euo pipefail
-# shellcheck source=scripts/lib.sh
-source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
-
-cdroot
-
-image_tag="ghcr.io/zizmorcore/zizmor:1.11.0"
-docker_args=(
- "--rm"
- "--volume" "$(pwd):/repo"
- "--workdir" "/repo"
- "--network" "host"
-)
-
-if [[ -t 0 ]]; then
- docker_args+=("-it")
-fi
-
-# If no GH_TOKEN is set, try to get one from `gh auth token`.
-if [[ "${GH_TOKEN:-}" == "" ]] && command -v gh &>/dev/null; then
- set +e
- GH_TOKEN="$(gh auth token)"
- export GH_TOKEN
- set -e
-fi
-
-# Pass through the GitHub token if it's set, which allows zizmor to scan
-# imported workflows too.
-if [[ "${GH_TOKEN:-}" != "" ]]; then
- docker_args+=("--env" "GH_TOKEN")
-fi
-
-logrun exec docker run "${docker_args[@]}" "$image_tag" "$@"