From ddf1059d9d0995120c8f90790da5499bd1a50968 Mon Sep 17 00:00:00 2001 
From: Baptiste Augrain Date: Sat, 18 Apr 2026 02:56:46 +0200 Subject: [PATCH] ci: split build and publish workflows (#2795) --- .github/dependabot.yml | 13 +- .github/workflows/ci-build-linux.yml | 370 ++++++++++++++++++ .github/workflows/ci-build-macos.yml | 94 +++++ .github/workflows/ci-build-windows.yml | 163 ++++++++ .github/workflows/lint-zizmor.yml | 30 ++ .github/workflows/lock.yml | 17 - .github/workflows/mod-lock-closed-threads.yml | 22 ++ .github/workflows/mod-stale-issue-pr.yml | 24 ++ ...er-linux.yml => publish-insider-linux.yml} | 204 ++++------ ...er-macos.yml => publish-insider-macos.yml} | 62 +-- ...head.yml => publish-insider-spearhead.yml} | 18 +- ...indows.yml => publish-insider-windows.yml} | 131 ++----- ...ble-linux.yml => publish-stable-linux.yml} | 212 ++++------ ...ble-macos.yml => publish-stable-macos.yml} | 63 +-- ...rhead.yml => publish-stable-spearhead.yml} | 25 +- ...windows.yml => publish-stable-windows.yml} | 128 ++---- .github/workflows/stale.yml | 25 -- justfile | 10 + 18 files changed, 1019 insertions(+), 592 deletions(-) create mode 100644 .github/workflows/ci-build-linux.yml create mode 100644 .github/workflows/ci-build-macos.yml create mode 100644 .github/workflows/ci-build-windows.yml create mode 100644 .github/workflows/lint-zizmor.yml delete mode 100644 .github/workflows/lock.yml create mode 100644 .github/workflows/mod-lock-closed-threads.yml create mode 100644 .github/workflows/mod-stale-issue-pr.yml rename .github/workflows/{insider-linux.yml => publish-insider-linux.yml} (73%) rename .github/workflows/{insider-macos.yml => publish-insider-macos.yml} (61%) rename .github/workflows/{insider-spearhead.yml => publish-insider-spearhead.yml} (82%) rename .github/workflows/{insider-windows.yml => publish-insider-windows.yml} (66%) rename .github/workflows/{stable-linux.yml => publish-stable-linux.yml} (73%) rename .github/workflows/{stable-macos.yml => publish-stable-macos.yml} (61%) rename 
.github/workflows/{stable-spearhead.yml => publish-stable-spearhead.yml} (75%) rename .github/workflows/{stable-windows.yml => publish-stable-windows.yml} (66%) delete mode 100644 .github/workflows/stale.yml create mode 100644 justfile diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 42e1f84..4f56e13 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,12 +1,9 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for all configuration options: -# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates - version: 2 updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / target-branch: insider schedule: - interval: "weekly" + interval: weekly + cooldown: + default-days: 7 diff --git a/.github/workflows/ci-build-linux.yml b/.github/workflows/ci-build-linux.yml new file mode 100644 index 0000000..32ee97f --- /dev/null +++ b/.github/workflows/ci-build-linux.yml 
@@ -0,0 +1,370 @@ +name: CI - Build - Linux + +on: + workflow_dispatch: + inputs: + generate_assets: + type: boolean + description: Generate assets + checkout_pr: + type: string + description: Checkout PR + push: + branches: + - master + - insider + paths-ignore: + - "**/*.md" + pull_request: + branches: + - "**" + paths-ignore: + - "**/*.md" + +env: + ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true + APP_NAME: VSCodium + VSCODE_QUALITY: ${{ (github.ref == 'refs/heads/insider' || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'insider')) && 'insider' || 'stable' }} + BINARY_NAME: ${{ env.VSCODE_QUALITY == 'insider' && 'codium-insiders' || 'codium' }} + DISABLE_UPDATE: yes + GH_REPO_PATH: ${{ github.repository }} + GITHUB_BRANCH: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event.head }} + ORG_NAME: ${{ github.repository_owner }} + OS_NAME: linux + +permissions: {} + +jobs: + compile: + runs-on: ubuntu-22.04 + env: + VSCODE_ARCH: x64 + outputs: + BUILD_SOURCEVERSION: ${{ env.BUILD_SOURCEVERSION }} + MS_COMMIT: ${{ env.MS_COMMIT }} + MS_TAG: ${{ env.MS_TAG }} + RELEASE_VERSION: ${{ env.RELEASE_VERSION }} + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false + + - name: Switch to relevant branch + env: + PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} + run: ./get_pr.sh + + - name: Setup GCC + uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0 + with: + version: 10 + platform: x64 + + - name: Setup Node.js environment + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + with: + node-version-file: .nvmrc + + - name: Setup Python 3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: "3.11" + + - name: Install libkrb5-dev + run: sudo apt-get update -y && sudo apt-get install -y libkrb5-dev 
+ + - name: Clone VSCode repo + run: ./get_repo.sh + + - name: Build + env: + SHOULD_BUILD_REH: no + SHOULD_BUILD_REH_WEB: no + run: ./build.sh + + - name: Compress vscode artifact + run: | + find vscode -type f -not -path "*/node_modules/*" -not -path "vscode/.build/node/*" -not -path "vscode/.git/*" > vscode.txt + echo "vscode/.build/extensions/node_modules" >> vscode.txt + echo "vscode/.git" >> vscode.txt + tar -czf vscode.tar.gz -T vscode.txt + + - name: Upload vscode artifact + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: vscode + path: ./vscode.tar.gz + retention-days: 1 + + build: + needs: + - compile + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - slug: X64 + vscode_arch: x64 + npm_arch: x64 + image: vscodium/vscodium-linux-build-agent:focal-x64 + - slug: ARM64 + vscode_arch: arm64 + npm_arch: arm64 + image: vscodium/vscodium-linux-build-agent:focal-arm64 + - slug: ARM32 + vscode_arch: armhf + npm_arch: arm + image: vscodium/vscodium-linux-build-agent:focal-armhf + - slug: RISCV64 + vscode_arch: riscv64 + npm_arch: riscv64 + image: vscodium/vscodium-linux-build-agent:focal-riscv64 + - slug: LOONG64 + vscode_arch: loong64 + npm_arch: loong64 + image: vscodium/vscodium-linux-build-agent:crimson-loong64 + - slug: PPC64 + vscode_arch: ppc64le + npm_arch: ppc64 + image: vscodium/vscodium-linux-build-agent:focal-ppc64le + container: + image: ${{ matrix.image }} + env: + BUILD_SOURCEVERSION: ${{ needs.compile.outputs.BUILD_SOURCEVERSION }} + DISABLED: ${{ vars[format('DISABLE_{0}_LINUX_APP_{1}', toUpper(env.VSCODE_QUALITY), matrix.slug)] }} + MS_COMMIT: ${{ needs.compile.outputs.MS_COMMIT }} + MS_TAG: ${{ needs.compile.outputs.MS_TAG }} + RELEASE_VERSION: ${{ needs.compile.outputs.RELEASE_VERSION }} + VSCODE_ARCH: ${{ matrix.vscode_arch }} + outputs: + RELEASE_VERSION: ${{ env.RELEASE_VERSION }} + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
+ with: + ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false + if: env.DISABLED != 'yes' + + - name: Switch to relevant branch + env: + PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} + run: ./get_pr.sh + if: env.DISABLED != 'yes' + + - name: Install GH + run: ./build/linux/install_gh.sh + if: env.DISABLED != 'yes' + + - name: Install dependencies + run: ./build/linux/deps.sh + if: env.DISABLED != 'yes' + + - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 + if: env.DISABLED != 'yes' + + - name: Download vscode artifact + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: vscode + if: env.DISABLED != 'yes' + + - name: Build + id: build + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + npm_config_arch: ${{ matrix.npm_arch }} + run: ./build/linux/package_bin.sh + if: env.DISABLED != 'yes' + + - name: Prepare assets + env: + SHOULD_BUILD_APPIMAGE: ${{ (vars[format('DISABLE_{0}_APPIMAGE', toUpper(env.VSCODE_QUALITY)] == 'yes') && 'no' || 'yes' }} + SHOULD_BUILD_REH: 'no' + SHOULD_BUILD_REH_WEB: 'no' + VSCODE_SYSROOT_REPOSITORY: ${{ steps.build.outputs.VSCODE_SYSROOT_REPOSITORY }} + VSCODE_SYSROOT_VERSION: ${{ steps.build.outputs.VSCODE_SYSROOT_VERSION }} + VSCODE_SYSROOT_PREFIX: ${{ steps.build.outputs.VSCODE_SYSROOT_PREFIX }} + run: ./prepare_assets.sh + if: env.DISABLED != 'yes' && github.event.inputs.generate_assets == 'true' + + - name: Upload assets + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: bin-${{ matrix.vscode_arch }} + path: assets/ + retention-days: 3 + if: env.DISABLED != 'yes' && github.event.inputs.generate_assets == 'true' + + reh_linux: + needs: + - compile + runs-on: ubuntu-22.04 + strategy: + fail-fast: false + matrix: + include: + - slug: X64 + vscode_arch: x64 + npm_arch: x64 + - slug: ARM64 + vscode_arch: arm64 + npm_arch: arm64 + - slug: ARM32 + vscode_arch: armhf + npm_arch: arm + 
- slug: PPC64 + vscode_arch: ppc64le + npm_arch: ppc64 + - slug: RISCV64 + vscode_arch: riscv64 + npm_arch: riscv64 + - slug: LOONG64 + vscode_arch: loong64 + npm_arch: loong64 + - slug: S390X + vscode_arch: s390x + npm_arch: s390x + env: + BUILD_SOURCEVERSION: ${{ needs.compile.outputs.BUILD_SOURCEVERSION }} + DISABLED: ${{ vars[format('DISABLE_{0}_LINUX_REH_{1}', toUpper(env.VSCODE_QUALITY), matrix.slug)] }} + MS_COMMIT: ${{ needs.compile.outputs.MS_COMMIT }} + MS_TAG: ${{ needs.compile.outputs.MS_TAG }} + RELEASE_VERSION: ${{ needs.compile.outputs.RELEASE_VERSION }} + VSCODE_ARCH: ${{ matrix.vscode_arch }} + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false + if: env.DISABLED != 'yes' + + - name: Switch to relevant branch + env: + PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} + run: ./get_pr.sh + if: env.DISABLED != 'yes' + + - name: Setup GCC + uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0 + with: + version: 10 + platform: x64 + if: env.DISABLED != 'yes' + + - name: Setup Node.js environment + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + with: + node-version-file: '.nvmrc' + if: env.DISABLED != 'yes' + + - name: Setup Python 3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: '3.11' + if: env.DISABLED != 'yes' + + - name: Install libkrb5-dev + run: sudo apt-get update -y && sudo apt-get install -y libkrb5-dev + if: env.DISABLED != 'yes' + + - name: Install GH + run: ./build/linux/install_gh.sh + if: env.DISABLED != 'yes' + + - name: Download vscode artifact + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: vscode + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + + - name: Build + env: + 
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + npm_config_arch: ${{ matrix.npm_arch }} + run: ./build/linux/package_reh.sh + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + + - name: Upload assets + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: reh-linux-${{ matrix.vscode_arch }} + path: assets/ + retention-days: 3 + if: env.DISABLED != 'yes' && github.event.inputs.generate_assets == 'true' + + reh_alpine: + needs: + - compile + runs-on: ubuntu-22.04 + strategy: + fail-fast: false + matrix: + include: + - slug: X64 + vscode_arch: x64 + npm_arch: x64 + - slug: ARM64 + vscode_arch: arm64 + npm_arch: arm64 + env: + BUILD_SOURCEVERSION: ${{ needs.compile.outputs.BUILD_SOURCEVERSION }} + DISABLED: ${{ vars[format('DISABLE_{0}_ALPINE_REH_{1}', toUpper(env.VSCODE_QUALITY), matrix.slug)] }} + MS_COMMIT: ${{ needs.compile.outputs.MS_COMMIT }} + MS_TAG: ${{ needs.compile.outputs.MS_TAG }} + OS_NAME: alpine + RELEASE_VERSION: ${{ needs.compile.outputs.RELEASE_VERSION }} + VSCODE_ARCH: ${{ matrix.vscode_arch }} + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false + + - name: Switch to relevant branch + env: + PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} + run: ./get_pr.sh + + - name: Setup GCC + uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0 + with: + version: 10 + platform: x64 + + - name: Setup Node.js environment + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + with: + node-version-file: '.nvmrc' + + - name: Install GH + run: ./build/linux/install_gh.sh + + - name: Install libkrb5-dev + run: sudo apt-get update -y && sudo apt-get install -y libkrb5-dev + + - name: Download vscode artifact + uses: 
actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: vscode + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + + - name: Build + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + npm_config_arch: ${{ matrix.npm_arch }} + run: ./build/alpine/package_reh.sh + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + + - name: Upload assets + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: reh-alpine-${{ matrix.vscode_arch }} + path: assets/ + retention-days: 3 + if: env.DISABLED != 'yes' && github.event.inputs.generate_assets == 'true' diff --git a/.github/workflows/ci-build-macos.yml b/.github/workflows/ci-build-macos.yml new file mode 100644 index 0000000..30c5363 --- /dev/null +++ b/.github/workflows/ci-build-macos.yml 
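Review bot: The `SHOULD_BUILD_APPIMAGE` expression in the `Prepare assets` step has unbalanced parentheses: `vars[format('DISABLE_{0}_APPIMAGE', toUpper(env.VSCODE_QUALITY)]` closes `toUpper(` but never `format(`, and should read `vars[format('DISABLE_{0}_APPIMAGE', toUpper(env.VSCODE_QUALITY))]`; the `DISABLE_MSI` line in ci-build-windows.yml has the same slip. The workflow-level `BINARY_NAME` and the job-level `DISABLED` entries also read `env.VSCODE_QUALITY`, but the `env` context is not available inside workflow-level or job-level `env:` blocks, so the quality has to be derived from `github.*` again or exported through `$GITHUB_ENV` in a step; the macOS and Windows CI files repeat the `BINARY_NAME` line. `toUpper` is not an expression function I can find documented, so the `vars[...]` lookups need checking against a real run. `github.event.head` in `GITHUB_BRANCH` is not a payload field I recognise for push or manual runs, which would leave the checkout `ref` empty outside pull requests; a comment saying that the fallback to the triggering ref is intended would help.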
@@ -0,0 +1,94 @@ +name: CI - Build - macOS + +on: + workflow_dispatch: + inputs: + generate_assets: + type: boolean + description: Generate assets + checkout_pr: + type: string + description: Checkout PR + push: + branches: + - master + - insider + paths-ignore: + - "**/*.md" + pull_request: + branches: + - "**" + paths-ignore: + - "**/*.md" + +env: + APP_NAME: VSCodium + VSCODE_QUALITY: ${{ (github.ref == 'refs/heads/insider' || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'insider')) && 'insider' || 'stable' }} + BINARY_NAME: ${{ env.VSCODE_QUALITY == 'insider' && 'codium-insiders' || 'codium' }} + GH_REPO_PATH: ${{ github.repository }} + GITHUB_BRANCH: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event.head }} + ORG_NAME: ${{ github.repository_owner }} + OS_NAME: osx + +permissions: {} + +jobs: + build: + runs-on: ${{ matrix.runner }} + env: + VSCODE_ARCH: ${{ matrix.vscode_arch }} + strategy: + fail-fast: false + matrix: + include: + - runner: macos-15-intel + vscode_arch: x64 + - runner: [self-hosted, macOS, ARM64] + vscode_arch: arm64 + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false + + - name: Switch to relevant branch + env: + PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} + run: . get_pr.sh + + - name: Setup Node.js environment + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + with: + node-version-file: '.nvmrc' + + - name: Setup Python 3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: '3.11' + if: env.VSCODE_ARCH == 'x64' + + - name: Clone VSCode repo + run: . get_repo.sh + + - name: Check existing VSCodium tags/releases + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: . 
check_tags.sh + + - name: Build + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: ./build.sh + + - name: Prepare assets + run: ./prepare_assets.sh + if: env.SHOULD_BUILD == 'yes' && github.event.inputs.generate_assets == 'true' + + - name: Upload assets + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: bin-${{ matrix.vscode_arch }} + path: assets/ + retention-days: 3 + if: env.SHOULD_BUILD == 'yes' && github.event.inputs.generate_assets == 'true' diff --git a/.github/workflows/ci-build-windows.yml b/.github/workflows/ci-build-windows.yml new file mode 100644 index 0000000..fc843b5 --- /dev/null +++ b/.github/workflows/ci-build-windows.yml 
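Review bot: The arm64 matrix entry runs on `[self-hosted, macOS, ARM64]` while the workflow triggers on `pull_request` for every branch, so `./build.sh` and the sourced `get_pr.sh` / `get_repo.sh` from a contributor's head commit execute on a machine the project operates. `permissions: {}` and `persist-credentials: false` limit what the job token can do, but they do not protect the runner host; unless that runner is ephemeral and isolated, state left behind by one job can influence later jobs, including publish jobs if they share the machine. Depending on the repository's fork-approval settings this may be reachable from forks, so consider moving the arm64 entry into a separate job that is skipped for `pull_request` events, or building arm64 PRs on a hosted runner. At minimum, a comment above the matrix should state the runner's isolation model, e.g. `# self-hosted arm64 runner: ephemeral VM, never shared with publish-* workflows`.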
@@ -0,0 +1,163 @@ +name: CI - Build - Windows + +on: + workflow_dispatch: + inputs: + generate_assets: + type: boolean + description: Generate assets + checkout_pr: + type: string + description: Checkout PR + push: + branches: + - master + - insider + paths-ignore: + - "**/*.md" + pull_request: + branches: + - "**" + paths-ignore: + - "**/*.md" + +env: + APP_NAME: VSCodium + VSCODE_QUALITY: ${{ (github.ref == 'refs/heads/insider' || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'insider')) && 'insider' || 'stable' }} + BINARY_NAME: ${{ env.VSCODE_QUALITY == 'insider' && 'codium-insiders' || 'codium' }} + GH_REPO_PATH: ${{ github.repository }} + GITHUB_BRANCH: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event.head }} + ORG_NAME: ${{ github.repository_owner }} + OS_NAME: windows + +permissions: {} + +jobs: + compile: + runs-on: windows-2022 + defaults: + run: + shell: bash + env: + VSCODE_ARCH: 'x64' + outputs: + BUILD_SOURCEVERSION: ${{ env.BUILD_SOURCEVERSION }} + MS_COMMIT: ${{ env.MS_COMMIT }} + MS_TAG: ${{ env.MS_TAG }} + RELEASE_VERSION: ${{ env.RELEASE_VERSION }} + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false + + - name: Switch to relevant branch + env: + PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} + run: ./get_pr.sh + + - name: Setup Node.js environment + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + with: + node-version-file: '.nvmrc' + + - name: Setup Python 3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: '3.11' + + - name: Clone VSCode repo + run: ./get_repo.sh + + - name: Build + env: + SHOULD_BUILD_REH: no + SHOULD_BUILD_REH_WEB: no + run: ./build.sh + + - name: Compress vscode artifact + run: | + find vscode -type f -not -path "*/node_modules/*" -not -path 
"vscode/.build/node/*" -not -path "vscode/.git/*" > vscode.txt + echo "vscode/.build/extensions/node_modules" >> vscode.txt + echo "vscode/.git" >> vscode.txt + tar -czf vscode.tar.gz -T vscode.txt + + - name: Upload vscode artifact + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: vscode + path: ./vscode.tar.gz + retention-days: 1 + + build: + needs: + - compile + runs-on: windows-2022 + strategy: + fail-fast: false + matrix: + vscode_arch: + - x64 + - arm64 + defaults: + run: + shell: bash + env: + BUILD_SOURCEVERSION: ${{ needs.compile.outputs.BUILD_SOURCEVERSION }} + MS_COMMIT: ${{ needs.check.outputs.MS_COMMIT }} + MS_TAG: ${{ needs.check.outputs.MS_TAG }} + RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} + VSCODE_ARCH: ${{ matrix.vscode_arch }} + outputs: + RELEASE_VERSION: ${{ env.RELEASE_VERSION }} + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false + + - name: Switch to relevant branch + env: + PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} + run: ./get_pr.sh + + - name: Setup Node.js environment + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + with: + node-version-file: '.nvmrc' + + - name: Setup Python 3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: '3.11' + + - name: Download vscode artifact + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: vscode + + - name: Build + env: + DISABLE_MSI: ${{ vars[format('DISABLE_{0}_MSI', toUpper(env.VSCODE_QUALITY)] }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + npm_config_arch: ${{ matrix.vscode_arch }} + npm_config_target_arch: ${{ matrix.vscode_arch }} + run: ./build/windows/package.sh + + - name: Prepare assets + run: ./prepare_assets.sh + if: github.event.inputs.generate_assets == 'true' + + - name: 
Prepare checksums
+ run: ./prepare_checksums.sh
+ if: github.event.inputs.generate_assets == 'true'
+
+ - name: Upload assets
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: bin-${{ matrix.vscode_arch }}
+ path: assets/
+ retention-days: 3
+ if: github.event.inputs.generate_assets == 'true'
diff --git a/.github/workflows/lint-zizmor.yml b/.github/workflows/lint-zizmor.yml
new file mode 100644
index 0000000..d26de7c
--- /dev/null
+++ b/.github/workflows/lint-zizmor.yml
@@ -0,0 +1,30 @@
+name: Lint - zizmor
+
+on:
+ push:
+ branches:
+ - master
+ - insider
+ paths-ignore:
+ - "**/*.md"
+ pull_request:
+ branches:
+ - "**"
+ paths-ignore:
+ - "**/*.md"
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
deleted file mode 100644
index 05a1c3c..0000000
--- a/.github/workflows/lock.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Lock Closed Threads
-
-on:
- schedule:
- - cron: '0 2 * * *'
-
-jobs:
- lock:
- runs-on: ubuntu-latest
- steps:
- - uses: dessant/lock-threads@v6
- with:
- github-token: ${{ github.token }}
- issue-inactive-days: '90'
- pr-inactive-days: '90'
- discussion-inactive-days: '90'
- log-output: true
diff --git a/.github/workflows/mod-lock-closed-threads.yml b/.github/workflows/mod-lock-closed-threads.yml
new file mode 100644
index 0000000..a9a4084
--- /dev/null
+++ b/.github/workflows/mod-lock-closed-threads.yml
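Review bot: In ci-build-windows.yml the `build` job declares only `needs: - compile`, yet `MS_COMMIT`, `MS_TAG` and `RELEASE_VERSION` are read from `needs.check.outputs.*`; this file defines no `check` job, so those three values will be empty at best. The `compile` job already exports them, and ci-build-linux.yml reads them from there, so the lines should be `MS_COMMIT: ${{ needs.compile.outputs.MS_COMMIT }}`, `MS_TAG: ${{ needs.compile.outputs.MS_TAG }}` and `RELEASE_VERSION: ${{ needs.compile.outputs.RELEASE_VERSION }}`. `BUILD_SOURCEVERSION` on the line above already uses `needs.compile`, which suggests the other three were copied from a publish workflow.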
@@ -0,0 +1,22 @@
+name: Moderation - Lock Closed Threads
+
+on:
+ schedule:
+ - cron: 0 2 * * *
+
+permissions:
+ issues: write
+ pull-requests: write
+ discussions: write
+
+jobs:
+ lock:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
+ with:
+ github-token: ${{ github.token }}
+ issue-inactive-days: "90"
+ pr-inactive-days: "90"
+ discussion-inactive-days: "90"
+ log-output: true
diff --git a/.github/workflows/mod-stale-issue-pr.yml b/.github/workflows/mod-stale-issue-pr.yml
new file mode 100644
index 0000000..a2bb6b5
--- /dev/null
+++ b/.github/workflows/mod-stale-issue-pr.yml
@@ -0,0 +1,24 @@
+name: Moderation - Stale Issues & PR
+
+on:
+ schedule:
+ - cron: 0 1 * * *
+
+permissions:
+ issues: write
+
+jobs:
+ stale:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+ with:
+ days-before-stale: 90
+ days-before-close: 30
+ operations-per-run: 1024
+ stale-issue-message: This issue has been automatically marked as stale. **If this issue is still affecting you, please leave any comment**, and we'll keep it open. If you have any new additional information, please include it with your comment!
+ close-issue-message: This issue has been closed due to inactivity, and will not be monitored. If this is a bug and you can reproduce this issue, please open a new issue.
+ exempt-issue-labels: discussion,never-stale
+ stale-pr-message: This PR has been automatically marked as stale.
+ close-pr-message: This PR has been closed due to inactivity, and will not be monitored.
+ only-pr-labels: needs-information
diff --git a/.github/workflows/insider-linux.yml b/.github/workflows/publish-insider-linux.yml
similarity index 73%
rename from .github/workflows/insider-linux.yml
rename to .github/workflows/publish-insider-linux.yml
index 2c17da8..37a7845 100644
--- a/.github/workflows/insider-linux.yml
+++ b/.github/workflows/publish-insider-linux.yml
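Review bot: mod-stale-issue-pr.yml grants only `issues: write`, but the `actions/stale` step also sets `stale-pr-message`, `close-pr-message` and `only-pr-labels`, so it is expected to comment on and close pull requests as well. As far as I know the action's recommended permissions include `pull-requests: write` for that; the deleted stale.yml is not shown in this part of the patch, so whether it ran with the repository default token cannot be confirmed here. Add `pull-requests: write` under `permissions:`, as mod-lock-closed-threads.yml in this same commit already does, or the PR half of the job is likely to fail with a permission error while the issue half keeps working.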
@@ -1,37 +1,19 @@ -name: insider-linux +name: Publish - Insider - Linux on: workflow_dispatch: - inputs: - force_version: - type: boolean - description: Force update version - generate_assets: - type: boolean - description: Generate assets - checkout_pr: - type: string - description: Checkout PR repository_dispatch: - types: [insider] - push: - branches: [ insider ] - paths-ignore: - - '**/*.md' - - 'upstream/*.json' - pull_request: - branches: [ insider ] - paths-ignore: - - '**/*.md' + types: + - publish-insider env: ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true APP_NAME: VSCodium ASSETS_REPOSITORY: ${{ github.repository }}-insiders BINARY_NAME: codium-insiders - DISABLE_UPDATE: 'yes' + DISABLE_UPDATE: yes GH_REPO_PATH: ${{ github.repository }} - GITHUB_BRANCH: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || 'insider' }} + GITHUB_BRANCH: insider ORG_NAME: ${{ github.repository_owner }} OS_NAME: linux VERSIONS_REPOSITORY: ${{ github.repository_owner }}/versions @@ -40,6 +22,10 @@ env: jobs: check: runs-on: ubuntu-latest + permissions: {} + env: + SHOULD_BUILD: yes + SHOULD_DEPLOY: yes outputs: MS_COMMIT: ${{ env.MS_COMMIT }} MS_TAG: ${{ env.MS_TAG }} 
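Review bot: `DISABLE_UPDATE` loses its quotes in this hunk (`'yes'` → `yes`) and the new `SHOULD_BUILD` / `SHOULD_DEPLOY` defaults on the `check` job are bare `yes` too, while every consumer still compares against the string, e.g. `env.SHOULD_BUILD == 'yes'`. Later hunks do the same for `CHECK_ALL: yes`, `SHOULD_BUILD_REH: no` and `SHOULD_BUILD_REH_WEB: no`. A loader that applies YAML 1.1 rules reads bare `yes`/`no` as booleans, so linters and local tooling may see `true`/`false` here even if the Actions runner keeps the string; writing `SHOULD_BUILD: 'yes'` removes that dependency on parser behaviour for flags that gate deployment. The `check` job body continues past this hunk.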
@@ -48,69 +34,58 @@ jobs: SHOULD_DEPLOY: ${{ env.SHOULD_DEPLOY }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false - name: Clone VSCode repo run: ./get_repo.sh - - name: Check PR or cron - env: - GENERATE_ASSETS: ${{ github.event.inputs.generate_assets }} - run: ./check_cron_or_pr.sh - - name: Check existing VSCodium tags/releases env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHECK_ALL: 'yes' + CHECK_ALL: yes run: ./check_tags.sh compile: needs: - check runs-on: ubuntu-22.04 + permissions: {} env: MS_COMMIT: ${{ needs.check.outputs.MS_COMMIT }} MS_TAG: ${{ needs.check.outputs.MS_TAG }} RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} - SHOULD_BUILD: ${{ (needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true') && 'yes' || 'no' }} - VSCODE_ARCH: 'x64' + SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} + VSCODE_ARCH: x64 outputs: BUILD_SOURCEVERSION: ${{ env.BUILD_SOURCEVERSION }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false if: env.SHOULD_BUILD == 'yes' - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh - - name: Setup GCC - uses: egor-tensin/setup-gcc@v2 + uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0 with: version: 10 platform: x64 + if: env.SHOULD_BUILD == 'yes' - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: - node-version-file: '.nvmrc' + node-version-file: .nvmrc if: env.SHOULD_BUILD == 'yes' - name: Setup Python 3 - uses: 
actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: '3.11' + python-version: "3.11" if: env.SHOULD_BUILD == 'yes' - name: Install libkrb5-dev @@ -123,8 +98,8 @@ jobs: - name: Build env: - SHOULD_BUILD_REH: 'no' - SHOULD_BUILD_REH_WEB: 'no' + SHOULD_BUILD_REH: no + SHOULD_BUILD_REH_WEB: no run: ./build.sh if: env.SHOULD_BUILD == 'yes' @@ -137,7 +112,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Upload vscode artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: vscode path: ./vscode.tar.gz @@ -149,6 +124,8 @@ jobs: - check - compile runs-on: ubuntu-latest + environment: publish + permissions: {} strategy: fail-fast: false matrix: @@ -185,7 +162,7 @@ jobs: MS_COMMIT: ${{ needs.check.outputs.MS_COMMIT }} MS_TAG: ${{ needs.check.outputs.MS_TAG }} RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} - SHOULD_BUILD: ${{ (needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true') && 'yes' || 'no' }} + SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} SHOULD_DEPLOY: ${{ needs.check.outputs.SHOULD_DEPLOY }} VSCODE_ARCH: ${{ matrix.vscode_arch }} outputs: @@ -194,15 +171,10 @@ jobs: SHOULD_DEPLOY: ${{ env.SHOULD_DEPLOY }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' - name: Install GH 
@@ -221,11 +193,11 @@ jobs: run: ./build/linux/deps.sh if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' - - uses: actions-rust-lang/setup-rust-toolchain@v1 + - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' - name: Download vscode artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: vscode if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' @@ -246,9 +218,11 @@ jobs: VSCODE_SYSROOT_VERSION: ${{ steps.build.outputs.VSCODE_SYSROOT_VERSION }} VSCODE_SYSROOT_PREFIX: ${{ steps.build.outputs.VSCODE_SYSROOT_PREFIX }} run: ./prepare_assets.sh - if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Release + permissions: + contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} @@ -257,25 +231,18 @@ jobs: - name: Update versions repo env: - FORCE_UPDATE: ${{ github.event.inputs.force_version }} GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./update_version.sh if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: bin-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' - reh_linux: needs: - check - compile runs-on: ubuntu-22.04 + environment: publish + permissions: {} strategy: fail-fast: false matrix: 
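Review bot: `permissions:` is added under the `- name: Release` step in the `@@ -246,9 +218,11 @@` hunk, but `permissions` is only accepted at workflow and job level, so this key is likely to be rejected when the workflow is loaded. The job itself sets `permissions: {}` and the step authenticates with `secrets.STRONGER_GITHUB_TOKEN`, which appears to be a separate token whose scope a `permissions:` block does not control, so the two added lines can simply be dropped. If the intent is to record that this step writes release contents, a comment such as `# writes releases via STRONGER_GITHUB_TOKEN; the job's GITHUB_TOKEN stays at permissions: {}` says so without breaking the schema. The same two lines appear on the `reh_linux` Release step in the `@@ -359,38 +321,34 @@` hunk.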
@@ -310,35 +277,30 @@ jobs: SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} SHOULD_DEPLOY: ${{ needs.check.outputs.SHOULD_DEPLOY }} VSCODE_ARCH: ${{ matrix.vscode_arch }} - if: needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true' + if: needs.check.outputs.SHOULD_BUILD == 'yes' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - if: env.DISABLED != 'yes' - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false if: env.DISABLED != 'yes' - name: Setup GCC - uses: egor-tensin/setup-gcc@v2 + uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0 with: version: 10 platform: x64 if: env.DISABLED != 'yes' - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: '.nvmrc' if: env.DISABLED != 'yes' - name: Setup Python 3 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.11' if: env.DISABLED != 'yes' 
@@ -359,38 +321,34 @@ jobs: if: env.DISABLED != 'yes' - name: Download vscode artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: vscode - if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Build env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} npm_config_arch: ${{ matrix.npm_arch }} run: ./build/linux/package_reh.sh - if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Release + permissions: + contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./release.sh if: env.DISABLED != 'yes' && env.SHOULD_DEPLOY == 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: reh-linux-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.DISABLED != 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' - reh_alpine: needs: - check - compile runs-on: ubuntu-22.04 + environment: publish + permissions: {} strategy: fail-fast: false matrix: 
@@ -411,26 +369,22 @@ jobs: SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} SHOULD_DEPLOY: ${{ needs.check.outputs.SHOULD_DEPLOY }} VSCODE_ARCH: ${{ matrix.vscode_arch }} - if: needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true' + if: needs.check.outputs.SHOULD_BUILD == 'yes' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false - name: Setup GCC - uses: egor-tensin/setup-gcc@v2 + uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0 with: version: 10 platform: x64 - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: '.nvmrc' 
@@ -449,45 +403,41 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Download vscode artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: vscode - if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Build env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} npm_config_arch: ${{ matrix.npm_arch }} run: ./build/alpine/package_reh.sh - if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Release + permissions: + contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./release.sh if: env.DISABLED != 'yes' && env.SHOULD_DEPLOY == 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: reh-alpine-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.DISABLED != 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' - aur: needs: - check - build runs-on: ubuntu-latest + environment: publish + permissions: {} strategy: fail-fast: false matrix: include: - package_name: vscodium-insiders-bin - package_name: vscodium-insiders - if: needs.check.outputs.SHOULD_DEPLOY == 'yes' && github.event.inputs.generate_assets != 'true' + if: needs.check.outputs.SHOULD_DEPLOY == 'yes' steps: - name: Get version 
@@ -496,7 +446,7 @@ jobs: run: echo "PACKAGE_VERSION=${RELEASE_VERSION/-*/}" >> "${GITHUB_ENV}" - name: Publish ${{ matrix.package_name }} - uses: zokugun/github-actions-aur-releaser@v1 + uses: zokugun/github-actions-aur-releaser@4348c8a4124434a85d0a5e7457d0ef4079dab490 # v1 with: package_name: ${{ matrix.package_name }} package_version: ${{ env.PACKAGE_VERSION }} @@ -509,6 +459,8 @@ jobs: - check - build runs-on: ubuntu-latest + environment: publish + permissions: {} env: RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} SNAP_NAME: codium-insiders @@ -521,18 +473,14 @@ jobs: if: needs.check.outputs.SHOULD_DEPLOY == 'yes' && needs.check.outputs.SHOULD_BUILD_SNAP != 'no' && vars.DISABLE_INSIDER_SNAP != 'yes' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - - uses: docker/setup-qemu-action@v4 - - - uses: diddlesnaps/snapcraft-multiarch-action@v1 + - uses: diddlesnaps/snapcraft-multiarch-action@cfd7a246fad6bea65bb92f69a1c8d07898c231e5 # v1.9.0 with: path: stores/snapcraft/insider architecture: ${{ matrix.platform }} @@ -543,7 +491,9 @@ jobs: # snap: ${{ steps.build.outputs.snap }} # isClassic: 'true' - - uses: svenstaro/upload-release-action@v2 + - uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # latest + permissions: + contents: write with: repo_name: ${{ env.ASSETS_REPOSITORY }} repo_token: ${{ secrets.STRONGER_GITHUB_TOKEN }} 
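Review bot: The trailing comment on the `svenstaro/upload-release-action` pin is `# latest`, which does not record which release the SHA was taken from, unlike the `# vX.Y.Z` comments on the other pins in this commit. Name the tag instead, `uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # <release tag>`, so a reviewer can check the pin against upstream and any update tooling that reads the comment has a version to compare. The stable snap job carries the same `# latest` comment, and the `vedantmgoyal9/winget-releaser` pin in the Windows workflow has no comment at all. The step's `with:` block continues past the end of this hunk.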
@@ -555,11 +505,13 @@ jobs: - check - build runs-on: ubuntu-latest - if: needs.check.outputs.SHOULD_DEPLOY == 'yes' && github.event.inputs.generate_assets != 'true' + environment: publish + permissions: {} + if: needs.check.outputs.SHOULD_DEPLOY == 'yes' steps: - name: Trigger repository rebuild - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ secrets.STRONGER_GITHUB_TOKEN }} repository: VSCodium/repositories-linux diff --git a/.github/workflows/insider-macos.yml b/.github/workflows/publish-insider-macos.yml similarity index 61% rename from .github/workflows/insider-macos.yml rename to .github/workflows/publish-insider-macos.yml index 79828c1..ec05dab 100644 --- a/.github/workflows/insider-macos.yml +++ b/.github/workflows/publish-insider-macos.yml @@ -1,35 +1,17 @@ -name: insider-macos +name: Publish - Insider - macOS on: workflow_dispatch: - inputs: - force_version: - type: boolean - description: Force update version - generate_assets: - type: boolean - description: Generate assets - checkout_pr: - type: string - description: Checkout PR repository_dispatch: - types: [insider] - push: - branches: [ insider ] - paths-ignore: - - '**/*.md' - - 'upstream/*.json' - pull_request: - branches: [ insider ] - paths-ignore: - - '**/*.md' + types: + - publish-insider env: APP_NAME: VSCodium ASSETS_REPOSITORY: ${{ github.repository }}-insiders BINARY_NAME: codium-insiders - GITHUB_BRANCH: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || 'insider' }} GH_REPO_PATH: ${{ github.repository }} + GITHUB_BRANCH: insider ORG_NAME: ${{ github.repository_owner }} OS_NAME: osx VERSIONS_REPOSITORY: ${{ github.repository_owner }}/versions @@ -38,7 +20,11 @@ env: jobs: build: runs-on: ${{ matrix.runner }} + environment: publish + permissions: {} env: + SHOULD_BUILD: yes + SHOULD_DEPLOY: yes VSCODE_ARCH: ${{ matrix.vscode_arch }} strategy: fail-fast: false 
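Review bot: `SHOULD_BUILD: yes` and `SHOULD_DEPLOY: yes` in the `build` job's `env:` are plain scalars, while the step conditions in this workflow compare them as strings (`env.SHOULD_DEPLOY == 'yes'`). A YAML 1.1 loader or linter reads bare `yes`/`no` as booleans, so the result depends on the loader; quoting removes that dependency: `SHOULD_BUILD: 'yes'` and `SHOULD_DEPLOY: 'yes'`. The same applies where this commit strips existing quotes (`CHECK_ALL: yes`, `SHOULD_BUILD_REH: no`, `DISABLE_UPDATE: yes` in the Windows and stable Linux workflows); the `!= 'no'` conditions there would pass if `no` were ever read as a boolean. The job body continues outside the hunk.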
@@ -50,34 +36,25 @@ jobs: vscode_arch: arm64 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: . get_pr.sh + persist-credentials: false - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: - node-version-file: '.nvmrc' + node-version-file: .nvmrc - name: Setup Python 3 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: '3.11' + python-version: "3.11" if: env.VSCODE_ARCH == 'x64' - name: Clone VSCode repo run: . get_repo.sh - - name: Check PR or cron - env: - GENERATE_ASSETS: ${{ github.event.inputs.generate_assets }} - run: . check_cron_or_pr.sh - - name: Check existing VSCodium tags/releases env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -98,7 +75,7 @@ jobs: CERTIFICATE_OSX_P12_PASSWORD: ${{ secrets.CERTIFICATE_OSX_NEW_P12_PASSWORD }} CERTIFICATE_OSX_TEAM_ID: ${{ secrets.CERTIFICATE_OSX_NEW_TEAM_ID }} run: ./prepare_assets.sh - if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Release env: 
@@ -109,20 +86,11 @@ jobs: - name: Update versions repo env: - FORCE_UPDATE: ${{ github.event.inputs.force_version }} GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./update_version.sh if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: bin-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' - - name: Clean up keychain if: always() run: | diff --git a/.github/workflows/insider-spearhead.yml b/.github/workflows/publish-insider-spearhead.yml similarity index 82% rename from .github/workflows/insider-spearhead.yml rename to .github/workflows/publish-insider-spearhead.yml index f18c68b..e823083 100644 --- a/.github/workflows/insider-spearhead.yml +++ b/.github/workflows/publish-insider-spearhead.yml @@ -1,4 +1,4 @@ -name: insider-spearhead +name: Publish - Insider - Spearhead on: workflow_dispatch: @@ -16,11 +16,14 @@ on: type: boolean description: Disable dispatch schedule: - - cron: '0 7 * * *' + - cron: 0 7 * * * jobs: build: runs-on: macos-15 + environment: publish + permissions: + contents: write # Release env: APP_NAME: VSCodium ASSETS_REPOSITORY: ${{ github.repository }}-insiders @@ -35,12 +38,13 @@ jobs: VSCODE_QUALITY: insider steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: insider + persist-credentials: false - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: '.nvmrc' 
@@ -61,7 +65,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v7 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} @@ -92,7 +96,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Dispatch builds - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: - event-type: insider + event-type: publish-insider if: github.event.inputs.dont_dispatch != 'true' && (env.SHOULD_BUILD == 'yes' || github.event.inputs.force_dispatch == 'true') diff --git a/.github/workflows/insider-windows.yml b/.github/workflows/publish-insider-windows.yml similarity index 66% rename from .github/workflows/insider-windows.yml rename to .github/workflows/publish-insider-windows.yml index 367f7f1..a4a92ea 100644 --- a/.github/workflows/insider-windows.yml +++ b/.github/workflows/publish-insider-windows.yml @@ -1,35 +1,17 @@ -name: insider-windows +name: Publish - Insider - Windows on: workflow_dispatch: - inputs: - force_version: - type: boolean - description: Force update version - generate_assets: - type: boolean - description: Generate assets - checkout_pr: - type: string - description: Checkout PR repository_dispatch: - types: [insider] - push: - branches: [ insider ] - paths-ignore: - - '**/*.md' - - 'upstream/*.json' - pull_request: - branches: [ insider ] - paths-ignore: - - '**/*.md' + types: + - publish-insider env: APP_NAME: VSCodium ASSETS_REPOSITORY: ${{ github.repository }}-insiders BINARY_NAME: codium-insiders - GITHUB_BRANCH: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || 'insider' }} GH_REPO_PATH: ${{ github.repository }} + GITHUB_BRANCH: insider ORG_NAME: ${{ github.repository_owner }} OS_NAME: windows VERSIONS_REPOSITORY: ${{ github.repository_owner }}/versions 
@@ -38,6 +20,10 @@ env: jobs: check: runs-on: ubuntu-latest + permissions: {} + env: + SHOULD_BUILD: yes + SHOULD_DEPLOY: yes outputs: MS_COMMIT: ${{ env.MS_COMMIT }} MS_TAG: ${{ env.MS_TAG }} @@ -46,33 +32,25 @@ jobs: SHOULD_DEPLOY: ${{ env.SHOULD_DEPLOY }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false - name: Clone VSCode repo run: ./get_repo.sh - - name: Check PR or cron - env: - GENERATE_ASSETS: ${{ github.event.inputs.generate_assets }} - run: ./check_cron_or_pr.sh - - name: Check existing VSCodium tags/releases env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHECK_ALL: 'yes' + CHECK_ALL: yes run: ./check_tags.sh compile: needs: - check runs-on: windows-2022 + permissions: {} defaults: run: shell: bash 
@@ -80,52 +58,38 @@ jobs: MS_COMMIT: ${{ needs.check.outputs.MS_COMMIT }} MS_TAG: ${{ needs.check.outputs.MS_TAG }} RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} - SHOULD_BUILD: ${{ (needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true') && 'yes' || 'no' }} - VSCODE_ARCH: 'x64' + SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} + VSCODE_ARCH: x64 outputs: BUILD_SOURCEVERSION: ${{ env.BUILD_SOURCEVERSION }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false if: env.SHOULD_BUILD == 'yes' - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh - - # - name: Setup GCC - # uses: egor-tensin/setup-gcc@v1 - # with: - # version: 10 - # platform: x64 - - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: - node-version-file: '.nvmrc' + node-version-file: .nvmrc if: env.SHOULD_BUILD == 'yes' - name: Setup Python 3 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: '3.11' + python-version: "3.11" if: env.SHOULD_BUILD == 'yes' - # - name: Install libkrb5-dev - # run: sudo apt-get update -y && sudo apt-get install -y libkrb5-dev - # if: env.SHOULD_BUILD == 'yes' - - name: Clone VSCode repo run: ./get_repo.sh if: env.SHOULD_BUILD == 'yes' - name: Build env: - SHOULD_BUILD_REH: 'no' - SHOULD_BUILD_REH_WEB: 'no' + SHOULD_BUILD_REH: no + SHOULD_BUILD_REH_WEB: no run: ./build.sh if: env.SHOULD_BUILD == 'yes' @@ -138,7 +102,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Upload vscode artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: vscode path: ./vscode.tar.gz 
@@ -150,6 +114,8 @@ jobs: - check - compile runs-on: windows-2022 + environment: publish + permissions: {} strategy: fail-fast: false matrix: @@ -164,7 +130,7 @@ jobs: MS_COMMIT: ${{ needs.check.outputs.MS_COMMIT }} MS_TAG: ${{ needs.check.outputs.MS_TAG }} RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} - SHOULD_BUILD: ${{ (needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true') && 'yes' || 'no' }} + SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} SHOULD_DEPLOY: ${{ needs.check.outputs.SHOULD_DEPLOY }} VSCODE_ARCH: ${{ matrix.vscode_arch }} outputs: @@ -172,25 +138,20 @@ jobs: SHOULD_DEPLOY: ${{ env.SHOULD_DEPLOY }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - if: env.SHOULD_BUILD == 'yes' - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false if: env.SHOULD_BUILD == 'yes' - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: '.nvmrc' if: env.SHOULD_BUILD == 'yes' - name: Setup Python 3 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.11' if: env.SHOULD_BUILD == 'yes' @@ -203,7 +164,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Download vscode artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: vscode if: env.SHOULD_BUILD == 'yes' 
@@ -218,21 +179,21 @@ jobs: - name: Prepare assets run: ./prepare_assets.sh - if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Upload unsigned artifacts id: upload-unsigned-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: unsigned-${{ matrix.vscode_arch }} path: | assets/*.exe assets/*.msi retention-days: 1 - if: env.SHOULD_BUILD == 'yes' && vars.DISABLE_INSIDER_WINDOWS_SIGNING != 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && vars.DISABLE_INSIDER_WINDOWS_SIGNING != 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Signing - uses: signpath/github-action-submit-signing-request@v2 + uses: signpath/github-action-submit-signing-request@b9d91eadd323de506c0c81cf0c7fe7438f3360fd # v2.2 with: api-token: ${{ secrets.SIGNPATH_API_TOKEN }} organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }} @@ -242,13 +203,13 @@ jobs: artifact-configuration-slug: ${{ matrix.vscode_arch }} wait-for-completion: true # 3h to manually approve the request - wait-for-completion-timeout-in-seconds: 10800 + wait-for-completion-timeout-in-seconds: 28800 output-artifact-directory: assets/ - if: env.SHOULD_BUILD == 'yes' && vars.DISABLE_INSIDER_WINDOWS_SIGNING != 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && vars.DISABLE_INSIDER_WINDOWS_SIGNING != 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Prepare checksums run: ./prepare_checksums.sh - if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Release env: 
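Review bot: The comment `# 3h to manually approve the request` above `wait-for-completion-timeout-in-seconds` is stale: the value changes from 10800 to 28800 seconds, which is 8 hours. Update it to `# 8h to manually approve the request` so the approval window for the signing request is documented as configured.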
@@ -259,23 +220,16 @@ jobs: - name: Update versions repo env: - FORCE_UPDATE: ${{ github.event.inputs.force_version }} GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./update_version.sh if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: bin-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' - winget: needs: build runs-on: windows-2022 + environment: publish + permissions: {} defaults: run: shell: bash @@ -285,9 +239,10 @@ jobs: if: needs.build.outputs.SHOULD_DEPLOY == 'yes' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false - name: Check version run: ./stores/winget/check_version.sh @@ -295,7 +250,7 @@ jobs: RELEASE_VERSION: ${{ needs.build.outputs.RELEASE_VERSION }} - name: Release to WinGet - uses: vedantmgoyal9/winget-releaser@main + uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e with: identifier: ${{ env.APP_IDENTIFIER }} version: ${{ env.RELEASE_VERSION }} diff --git a/.github/workflows/stable-linux.yml b/.github/workflows/publish-stable-linux.yml similarity index 73% rename from .github/workflows/stable-linux.yml rename to .github/workflows/publish-stable-linux.yml index ea2ebfd..f97eb6c 100644 --- a/.github/workflows/stable-linux.yml +++ b/.github/workflows/publish-stable-linux.yml 
@@ -1,39 +1,19 @@ -name: stable-linux +name: Publish - Stable - Linux on: workflow_dispatch: - inputs: - force_version: - type: boolean - description: Force update version - generate_assets: - type: boolean - description: Generate assets - force_snap: - type: boolean - description: Force Snap - checkout_pr: - type: string - description: Checkout PR repository_dispatch: - types: [stable] - push: - branches: [ master ] - paths-ignore: - - '**/*.md' - - 'upstream/*.json' - pull_request: - branches: [ master ] - paths-ignore: - - '**/*.md' + types: + - publish-stable env: ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true APP_NAME: VSCodium ASSETS_REPOSITORY: ${{ github.repository }} BINARY_NAME: codium - DISABLE_UPDATE: 'yes' + DISABLE_UPDATE: yes GH_REPO_PATH: ${{ github.repository }} + GITHUB_BRANCH: master ORG_NAME: ${{ github.repository_owner }} OS_NAME: linux VERSIONS_REPOSITORY: ${{ github.repository_owner }}/versions @@ -42,6 +22,10 @@ env: jobs: check: runs-on: ubuntu-latest + permissions: {} + env: + SHOULD_BUILD: yes + SHOULD_DEPLOY: yes outputs: MS_COMMIT: ${{ env.MS_COMMIT }} MS_TAG: ${{ env.MS_TAG }} @@ -50,27 +34,18 @@ jobs: SHOULD_DEPLOY: ${{ env.SHOULD_DEPLOY }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false - name: Clone VSCode repo run: ./get_repo.sh - - name: Check PR or cron - env: - GENERATE_ASSETS: ${{ github.event.inputs.generate_assets }} - run: ./check_cron_or_pr.sh - - name: Check existing VSCodium tags/releases env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHECK_ALL: 'yes' + CHECK_ALL: yes FORCE_LINUX_SNAP: ${{ github.event.inputs.force_snap }} run: ./check_tags.sh 
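Review bot: `FORCE_LINUX_SNAP: ${{ github.event.inputs.force_snap }}` is kept in the `Check existing VSCodium tags/releases` step, but this commit removes the `force_snap` input from `workflow_dispatch`, so the expression now always evaluates to an empty string. Either delete the `FORCE_LINUX_SNAP` line or keep `force_snap` under `on.workflow_dispatch.inputs`; as written, the variable advertises a manual override that can no longer be set. How `check_tags.sh` treats an empty value is not visible here.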
@@ -78,44 +53,40 @@ jobs: needs: - check runs-on: ubuntu-22.04 + permissions: {} env: MS_COMMIT: ${{ needs.check.outputs.MS_COMMIT }} MS_TAG: ${{ needs.check.outputs.MS_TAG }} RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} - SHOULD_BUILD: ${{ (needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true') && 'yes' || 'no' }} - VSCODE_ARCH: 'x64' + SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} + VSCODE_ARCH: x64 outputs: BUILD_SOURCEVERSION: ${{ env.BUILD_SOURCEVERSION }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - if: env.SHOULD_BUILD == 'yes' - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false if: env.SHOULD_BUILD == 'yes' - name: Setup GCC - uses: egor-tensin/setup-gcc@v2 + uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0 with: version: 10 platform: x64 if: env.SHOULD_BUILD == 'yes' - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: - node-version-file: '.nvmrc' + node-version-file: .nvmrc if: env.SHOULD_BUILD == 'yes' - name: Setup Python 3 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: '3.11' + python-version: "3.11" if: env.SHOULD_BUILD == 'yes' - name: Install libkrb5-dev @@ -128,8 +99,8 @@ jobs: - name: Build env: - SHOULD_BUILD_REH: 'no' - SHOULD_BUILD_REH_WEB: 'no' + SHOULD_BUILD_REH: no + SHOULD_BUILD_REH_WEB: no run: ./build.sh if: env.SHOULD_BUILD == 'yes' 
@@ -142,7 +113,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Upload vscode artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: vscode path: ./vscode.tar.gz @@ -154,6 +125,8 @@ jobs: - check - compile runs-on: ubuntu-latest + environment: publish + permissions: {} strategy: fail-fast: false matrix: @@ -190,7 +163,7 @@ jobs: MS_COMMIT: ${{ needs.check.outputs.MS_COMMIT }} MS_TAG: ${{ needs.check.outputs.MS_TAG }} RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} - SHOULD_BUILD: ${{ (needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true') && 'yes' || 'no' }} + SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} SHOULD_DEPLOY: ${{ needs.check.outputs.SHOULD_DEPLOY }} VSCODE_ARCH: ${{ matrix.vscode_arch }} outputs: @@ -199,17 +172,12 @@ jobs: SHOULD_DEPLOY: ${{ env.SHOULD_DEPLOY }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh - if: env.DISABLED != 'yes' - - name: Install GH run: ./build/linux/install_gh.sh if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' @@ -226,11 +194,11 @@ jobs: run: ./build/linux/deps.sh if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' - - uses: actions-rust-lang/setup-rust-toolchain@v1 + - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0 if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' - name: Download vscode artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: vscode if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' 
@@ -251,9 +219,11 @@ jobs: VSCODE_SYSROOT_VERSION: ${{ steps.build.outputs.VSCODE_SYSROOT_VERSION }} VSCODE_SYSROOT_PREFIX: ${{ steps.build.outputs.VSCODE_SYSROOT_PREFIX }} run: ./prepare_assets.sh - if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Release + permissions: + contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} @@ -262,25 +232,18 @@ jobs: - name: Update versions repo env: - FORCE_UPDATE: ${{ github.event.inputs.force_version }} GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./update_version.sh if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: bin-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.DISABLED != 'yes' && env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' - reh_linux: needs: - check - compile runs-on: ubuntu-22.04 + environment: publish + permissions: {} strategy: fail-fast: false matrix: 
@@ -315,35 +278,30 @@ jobs: SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} SHOULD_DEPLOY: ${{ needs.check.outputs.SHOULD_DEPLOY }} VSCODE_ARCH: ${{ matrix.vscode_arch }} - if: needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true' + if: needs.check.outputs.SHOULD_BUILD == 'yes' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - if: env.DISABLED != 'yes' - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false if: env.DISABLED != 'yes' - name: Setup GCC - uses: egor-tensin/setup-gcc@v2 + uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0 with: version: 10 platform: x64 if: env.DISABLED != 'yes' - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: '.nvmrc' if: env.DISABLED != 'yes' - name: Setup Python 3 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.11' if: env.DISABLED != 'yes' 
@@ -364,38 +322,34 @@ jobs: if: env.DISABLED != 'yes' - name: Download vscode artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: vscode - if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Build env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} npm_config_arch: ${{ matrix.npm_arch }} run: ./build/linux/package_reh.sh - if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Release + permissions: + contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./release.sh if: env.DISABLED != 'yes' && env.SHOULD_DEPLOY == 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: reh-linux-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.DISABLED != 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' - reh_alpine: needs: - check - compile runs-on: ubuntu-22.04 + environment: publish + permissions: {} strategy: fail-fast: false matrix: 
@@ -416,26 +370,22 @@ jobs: SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} SHOULD_DEPLOY: ${{ needs.check.outputs.SHOULD_DEPLOY }} VSCODE_ARCH: ${{ matrix.vscode_arch }} - if: needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true' + if: needs.check.outputs.SHOULD_BUILD == 'yes' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false - name: Setup GCC - uses: egor-tensin/setup-gcc@v2 + uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0 with: version: 10 platform: x64 - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: '.nvmrc' 
@@ -454,51 +404,45 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Download vscode artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: vscode - if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Build env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} npm_config_arch: ${{ matrix.npm_arch }} run: ./build/alpine/package_reh.sh - if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no' || github.event.inputs.generate_assets == 'true') + if: env.DISABLED != 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - name: Release + permissions: + contents: write env: GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./release.sh if: env.DISABLED != 'yes' && env.SHOULD_DEPLOY == 'yes' && (env.SHOULD_BUILD_REH != 'no' || env.SHOULD_BUILD_REH_WEB != 'no') - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: reh-alpine-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.DISABLED != 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' - aur: needs: - check - build runs-on: ubuntu-latest + environment: publish + permissions: {} strategy: fail-fast: false matrix: include: - package_name: vscodium package_type: stable - # - package_name: vscodium-git - # package_type: rolling if: needs.check.outputs.SHOULD_DEPLOY == 'yes' steps: - name: Publish ${{ matrix.package_name }} - uses: zokugun/github-actions-aur-releaser@v1 + uses: zokugun/github-actions-aur-releaser@4348c8a4124434a85d0a5e7457d0ef4079dab490 # v1 with: package_name: ${{ matrix.package_name }} package_type: ${{ matrix.package_type }} 
@@ -511,6 +455,8 @@ jobs: - check - build runs-on: ubuntu-latest + environment: publish + permissions: {} env: RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} SNAP_NAME: codium @@ -524,14 +470,10 @@ jobs: if: needs.check.outputs.SHOULD_DEPLOY == 'yes' && needs.check.outputs.SHOULD_BUILD_SNAP != 'no' && vars.DISABLE_STABLE_SNAP != 'yes' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false - name: Check version env: @@ -541,23 +483,23 @@ jobs: SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAP_STORE_LOGIN }} run: ./stores/snapcraft/check_version.sh - - uses: docker/setup-qemu-action@v4 + - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 if: env.SHOULD_BUILD == 'yes' - - uses: diddlesnaps/snapcraft-multiarch-action@v1 + - uses: diddlesnaps/snapcraft-multiarch-action@cfd7a246fad6bea65bb92f69a1c8d07898c231e5 # v1.9.0 with: path: stores/snapcraft/stable architecture: ${{ matrix.platform }} id: build if: env.SHOULD_BUILD == 'yes' - - uses: diddlesnaps/snapcraft-review-action@v1 + - uses: diddlesnaps/snapcraft-review-action@40554b42331cf84dab19ef98c382620427f13482 # v1.3.1 with: snap: ${{ steps.build.outputs.snap }} isClassic: 'true' if: env.SHOULD_DEPLOY_TO_RELEASE == 'yes' || env.SHOULD_DEPLOY_TO_STORE == 'yes' - - uses: svenstaro/upload-release-action@v2 + - uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # latest with: repo_name: ${{ env.ASSETS_REPOSITORY }} repo_token: ${{ secrets.STRONGER_GITHUB_TOKEN }} 
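Review bot: The pin `svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # latest` carries a comment that names no release, so a reviewer cannot tell which version the SHA is meant to be, and update tooling that reads the trailing comment has nothing to compare against. Replace `# latest` with the tag the SHA was resolved from (placeholder: `# vX.Y.Z`). The same gap exists for `snapcore/action-publish@214b86e5ca036ead1668c79afb81e550e6c54d40` in the `@@ -565,7 +507,7 @@` hunk and `vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e` in the Windows workflow's `@@ -292,7 +248,7 @@` hunk, which have no comment at all. Those two tracked `@master` and `@main` before, so a comment such as `# master, pinned <date>` would at least record where the commit came from.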
@@ -565,7 +507,7 @@ jobs: tag: ${{ env.RELEASE_VERSION }} if: env.SHOULD_DEPLOY_TO_RELEASE == 'yes' - - uses: snapcore/action-publish@master + - uses: snapcore/action-publish@214b86e5ca036ead1668c79afb81e550e6c54d40 env: SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAP_STORE_LOGIN }} with: @@ -578,7 +520,9 @@ jobs: - check - build runs-on: ubuntu-latest - if: needs.check.outputs.SHOULD_DEPLOY == 'yes' && github.event.inputs.generate_assets != 'true' + environment: publish + permissions: {} + if: needs.check.outputs.SHOULD_DEPLOY == 'yes' steps: - name: Trigger repository rebuild @@ -591,11 +535,13 @@ jobs: - check - build runs-on: ubuntu-latest - if: needs.check.outputs.SHOULD_DEPLOY == 'yes' && github.event.inputs.generate_assets != 'true' + environment: publish + permissions: {} + if: needs.check.outputs.SHOULD_DEPLOY == 'yes' steps: - name: Trigger repository rebuild - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ secrets.STRONGER_GITHUB_TOKEN }} repository: VSCodium/repositories-linux diff --git a/.github/workflows/stable-macos.yml b/.github/workflows/publish-stable-macos.yml similarity index 61% rename from .github/workflows/stable-macos.yml rename to .github/workflows/publish-stable-macos.yml index 1c370d9..4afd993 100644 --- a/.github/workflows/stable-macos.yml +++ b/.github/workflows/publish-stable-macos.yml 
@@ -1,34 +1,17 @@ -name: stable-macos +name: Publish - Stable - macOS on: workflow_dispatch: - inputs: - force_version: - type: boolean - description: Force update version - generate_assets: - type: boolean - description: Generate assets - checkout_pr: - type: string - description: Checkout PR repository_dispatch: - types: [stable] - push: - branches: [ master ] - paths-ignore: - - '**/*.md' - - 'upstream/*.json' - pull_request: - branches: [ master ] - paths-ignore: - - '**/*.md' + types: + - publish-stable env: APP_NAME: VSCodium ASSETS_REPOSITORY: ${{ github.repository }} BINARY_NAME: codium GH_REPO_PATH: ${{ github.repository }} + GITHUB_BRANCH: master ORG_NAME: ${{ github.repository_owner }} OS_NAME: osx VERSIONS_REPOSITORY: ${{ github.repository_owner }}/versions @@ -37,7 +20,11 @@ env: jobs: build: runs-on: ${{ matrix.runner }} + environment: publish + permissions: {} env: + SHOULD_BUILD: yes + SHOULD_DEPLOY: yes VSCODE_ARCH: ${{ matrix.vscode_arch }} strategy: fail-fast: false 
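Review bot: `SHOULD_BUILD: yes` and `SHOULD_DEPLOY: yes` in the `build` job's `env` are unquoted, yet every later condition compares them as strings (`env.SHOULD_BUILD == 'yes'`). GitHub's workflow loader appears to keep `yes`/`no` as strings, but YAML 1.1 loaders used by linters and other tooling read them as booleans, so the file means different things depending on what parses it. Quote them: `SHOULD_BUILD: 'yes'` and `SHOULD_DEPLOY: 'yes'`. The Windows workflow has the same pattern in `check` (`SHOULD_BUILD: yes`, `SHOULD_DEPLOY: yes`, and `CHECK_ALL: yes`, which this commit un-quotes) and in `compile` (`SHOULD_BUILD_REH: no`, `SHOULD_BUILD_REH_WEB: no`).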
@@ -49,34 +36,25 @@ jobs: vscode_arch: arm64 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: . get_pr.sh + persist-credentials: false - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: - node-version-file: '.nvmrc' + node-version-file: .nvmrc - name: Setup Python 3 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: '3.11' + python-version: "3.11" if: env.VSCODE_ARCH == 'x64' - name: Clone VSCode repo run: . get_repo.sh - - name: Check PR or cron - env: - GENERATE_ASSETS: ${{ github.event.inputs.generate_assets }} - run: . check_cron_or_pr.sh - - name: Check existing VSCodium tags/releases env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -97,7 +75,7 @@ jobs: CERTIFICATE_OSX_P12_PASSWORD: ${{ secrets.CERTIFICATE_OSX_NEW_P12_PASSWORD }} CERTIFICATE_OSX_TEAM_ID: ${{ secrets.CERTIFICATE_OSX_NEW_TEAM_ID }} run: ./prepare_assets.sh - if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Release env: 
@@ -107,19 +85,10 @@ jobs: - name: Update versions repo env: - FORCE_UPDATE: ${{ github.event.inputs.force_version }} GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./update_version.sh - if: env.SHOULD_DEPLOY == 'yes' - - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: bin-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' + if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Clean up keychain if: always() diff --git a/.github/workflows/stable-spearhead.yml b/.github/workflows/publish-stable-spearhead.yml similarity index 75% rename from .github/workflows/stable-spearhead.yml rename to .github/workflows/publish-stable-spearhead.yml index 4acaee4..ba2b441 100644 --- a/.github/workflows/stable-spearhead.yml +++ b/.github/workflows/publish-stable-spearhead.yml @@ -1,4 +1,4 @@ -name: stable-spearhead +name: Publish - Stable - Spearhead on: workflow_dispatch: @@ -12,12 +12,18 @@ on: dont_update: type: boolean description: Don't update VSCode + dont_dispatch: + type: boolean + description: Disable dispatch schedule: - - cron: '0 18 * * *' + - cron: 0 18 * * * jobs: build: runs-on: macos-15 + environment: publish + permissions: + contents: write # Release env: APP_NAME: VSCodium ASSETS_REPOSITORY: ${{ github.repository }} @@ -32,10 +38,13 @@ jobs: VSCODE_QUALITY: stable steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: master + persist-credentials: false - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: '.nvmrc' 
@@ -56,7 +65,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v7 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} @@ -87,7 +96,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Dispatch builds - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: - event-type: stable - if: env.SHOULD_BUILD == 'yes' || github.event.inputs.force_dispatch == 'true' + event-type: publish-stable + if: github.event.inputs.dont_dispatch != 'true' && (env.SHOULD_BUILD == 'yes' || github.event.inputs.force_dispatch == 'true') diff --git a/.github/workflows/stable-windows.yml b/.github/workflows/publish-stable-windows.yml similarity index 66% rename from .github/workflows/stable-windows.yml rename to .github/workflows/publish-stable-windows.yml index 8bea37f..f92d333 100644 --- a/.github/workflows/stable-windows.yml +++ b/.github/workflows/publish-stable-windows.yml @@ -1,34 +1,17 @@ -name: stable-windows +name: Publish - Stable - Windows on: workflow_dispatch: - inputs: - force_version: - type: boolean - description: Force update version - generate_assets: - type: boolean - description: Generate assets - checkout_pr: - type: string - description: Checkout PR repository_dispatch: - types: [stable] - push: - branches: [ master ] - paths-ignore: - - '**/*.md' - - 'upstream/*.json' - pull_request: - branches: [ master ] - paths-ignore: - - '**/*.md' + types: + - publish-stable env: APP_NAME: VSCodium ASSETS_REPOSITORY: ${{ github.repository }} BINARY_NAME: codium GH_REPO_PATH: ${{ github.repository }} + GITHUB_BRANCH: master ORG_NAME: ${{ github.repository_owner }} OS_NAME: windows VERSIONS_REPOSITORY: ${{ github.repository_owner }}/versions 
@@ -37,6 +20,10 @@ env: jobs: check: runs-on: ubuntu-latest + permissions: {} + env: + SHOULD_BUILD: yes + SHOULD_DEPLOY: yes outputs: MS_COMMIT: ${{ env.MS_COMMIT }} MS_TAG: ${{ env.MS_TAG }} @@ -45,33 +32,25 @@ jobs: SHOULD_DEPLOY: ${{ env.SHOULD_DEPLOY }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false - name: Clone VSCode repo run: ./get_repo.sh - - name: Check PR or cron - env: - GENERATE_ASSETS: ${{ github.event.inputs.generate_assets }} - run: ./check_cron_or_pr.sh - - name: Check existing VSCodium tags/releases env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHECK_ALL: 'yes' + CHECK_ALL: yes run: ./check_tags.sh compile: needs: - check runs-on: windows-2022 + permissions: {} defaults: run: shell: bash 
@@ -79,52 +58,38 @@ jobs: MS_COMMIT: ${{ needs.check.outputs.MS_COMMIT }} MS_TAG: ${{ needs.check.outputs.MS_TAG }} RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} - SHOULD_BUILD: ${{ (needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true') && 'yes' || 'no' }} - VSCODE_ARCH: 'x64' + SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} + VSCODE_ARCH: x64 outputs: BUILD_SOURCEVERSION: ${{ env.BUILD_SOURCEVERSION }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false if: env.SHOULD_BUILD == 'yes' - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh - - # - name: Setup GCC - # uses: egor-tensin/setup-gcc@v1 - # with: - # version: 10 - # platform: x64 - - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: - node-version-file: '.nvmrc' + node-version-file: .nvmrc if: env.SHOULD_BUILD == 'yes' - name: Setup Python 3 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: '3.11' + python-version: "3.11" if: env.SHOULD_BUILD == 'yes' - # - name: Install libkrb5-dev - # run: sudo apt-get update -y && sudo apt-get install -y libkrb5-dev - # if: env.SHOULD_BUILD == 'yes' - - name: Clone VSCode repo run: ./get_repo.sh if: env.SHOULD_BUILD == 'yes' - name: Build env: - SHOULD_BUILD_REH: 'no' - SHOULD_BUILD_REH_WEB: 'no' + SHOULD_BUILD_REH: no + SHOULD_BUILD_REH_WEB: no run: ./build.sh if: env.SHOULD_BUILD == 'yes' @@ -137,7 +102,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Upload vscode artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: vscode path: ./vscode.tar.gz 
@@ -149,6 +114,8 @@ jobs: - check - compile runs-on: windows-2022 + environment: publish + permissions: {} strategy: fail-fast: false matrix: @@ -163,7 +130,7 @@ jobs: MS_COMMIT: ${{ needs.check.outputs.MS_COMMIT }} MS_TAG: ${{ needs.check.outputs.MS_TAG }} RELEASE_VERSION: ${{ needs.check.outputs.RELEASE_VERSION }} - SHOULD_BUILD: ${{ (needs.check.outputs.SHOULD_BUILD == 'yes' || github.event.inputs.generate_assets == 'true') && 'yes' || 'no' }} + SHOULD_BUILD: ${{ needs.check.outputs.SHOULD_BUILD }} SHOULD_DEPLOY: ${{ needs.check.outputs.SHOULD_DEPLOY }} VSCODE_ARCH: ${{ matrix.vscode_arch }} outputs: @@ -171,25 +138,20 @@ jobs: SHOULD_DEPLOY: ${{ env.SHOULD_DEPLOY }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} - if: env.SHOULD_BUILD == 'yes' - - - name: Switch to relevant branch - env: - PULL_REQUEST_ID: ${{ github.event.inputs.checkout_pr }} - run: ./get_pr.sh + persist-credentials: false if: env.SHOULD_BUILD == 'yes' - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: '.nvmrc' if: env.SHOULD_BUILD == 'yes' - name: Setup Python 3 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.11' if: env.SHOULD_BUILD == 'yes' @@ -202,7 +164,7 @@ jobs: if: env.SHOULD_BUILD == 'yes' - name: Download vscode artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: vscode if: env.SHOULD_BUILD == 'yes' 
@@ -217,21 +179,21 @@ jobs: - name: Prepare assets run: ./prepare_assets.sh - if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Upload unsigned artifacts id: upload-unsigned-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: unsigned-${{ matrix.vscode_arch }} path: | assets/*.exe assets/*.msi retention-days: 1 - if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Signing - uses: signpath/github-action-submit-signing-request@v2 + uses: signpath/github-action-submit-signing-request@b9d91eadd323de506c0c81cf0c7fe7438f3360fd # v2.2 with: api-token: ${{ secrets.SIGNPATH_API_TOKEN }} organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }} @@ -243,11 +205,11 @@ jobs: # 8h to manually approve the request wait-for-completion-timeout-in-seconds: 28800 output-artifact-directory: assets/ - if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Prepare checksums run: ./prepare_checksums.sh - if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - name: Release env: 
@@ -257,23 +219,16 @@ jobs: - name: Update versions repo env: - FORCE_UPDATE: ${{ github.event.inputs.force_version }} GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.repository_owner }} run: ./update_version.sh if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'yes' - - name: Upload assets - uses: actions/upload-artifact@v7 - with: - name: bin-${{ matrix.vscode_arch }} - path: assets/ - retention-days: 3 - if: env.SHOULD_BUILD == 'yes' && env.SHOULD_DEPLOY == 'no' && github.event.inputs.generate_assets == 'true' - winget: needs: build runs-on: windows-2022 + environment: publish + permissions: {} defaults: run: shell: bash @@ -282,9 +237,10 @@ jobs: if: needs.build.outputs.SHOULD_DEPLOY == 'yes' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.GITHUB_BRANCH }} + persist-credentials: false - name: Check version run: ./stores/winget/check_version.sh @@ -292,7 +248,7 @@ jobs: RELEASE_VERSION: ${{ needs.build.outputs.RELEASE_VERSION }} - name: Release to WinGet - uses: vedantmgoyal9/winget-releaser@main + uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e with: identifier: ${{ env.APP_IDENTIFIER }} version: ${{ env.RELEASE_VERSION }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index d339109..0000000 --- a/.github/workflows/stale.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: Stale Issues - -on: - schedule: - - cron: '0 1 * * *' - -permissions: - issues: write - -jobs: - stale: - runs-on: ubuntu-latest - steps: - - uses: actions/stale@v10 - with: - days-before-stale: 180 - days-before-close: 30 - stale-issue-label: stale - operations-per-run: 1024 - stale-issue-message: > - This issue has been automatically marked as stale. **If this issue is still affecting you, please leave any comment**, and we'll keep it open. If you have any new additional information, please include it with your comment! - close-issue-message: > - This issue has been closed due to inactivity, and will not be monitored. If this is a bug and you can reproduce this issue, please open a new issue. - exempt-issue-labels: discussion,never-stale - only-pr-labels: needs-information diff --git a/justfile b/justfile new file mode 100644 index 0000000..2d63008 --- /dev/null +++ b/justfile @@ -0,0 +1,10 @@ +set shell := ["bash", "-uc"] + +ci-lint: + zizmor . + +ci-lint-fix: + zizmor . --fix=all + +ci-update: + PINACT_MIN_AGE=7 pinact run
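Review bot: `ci-lint-fix` runs `zizmor . --fix=all`, which applies the fixes zizmor classifies as unsafe together with the safe ones, so one run can rewrite the publish workflows in ways that change their behaviour. I would make this recipe `zizmor . --fix=safe` and keep the `all` mode for a separately named recipe, or at least put a comment above it: `# applies unsafe fixes too; review the diff before committing`. A one-line comment above each recipe would also appear in `just --list`, which helps with `ci-update`, where `PINACT_MIN_AGE=7` is otherwise unexplained.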