chore: bump docker/login-action from 3.7.0 to 4.1.0

Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](c94ce9fb46...4907a6ddec)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/build.yaml

@@ -25,8 +25,8 @@ jobs:
       docs: ${{ steps.filter.outputs.docs }}
       helm: ${{ steps.filter.outputs.helm }}
     steps:
-      - uses: actions/checkout@v6
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
         id: filter
         with:
           filters: |
@@ -55,8 +55,8 @@ jobs:
     name: Run prettier check
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
           cache: npm
@@ -72,8 +72,8 @@ jobs:
     needs: changes
     if: needs.changes.outputs.docs == 'true'
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
           cache: npm
@@ -89,10 +89,11 @@ jobs:
     needs: changes
     if: needs.changes.outputs.helm == 'true'
     steps:
-      - uses: actions/checkout@v6
-      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          version: "v3.19.2"
       - run: helm plugin install https://github.com/instrumenta/helm-kubeval
       - run: helm kubeval ci/helm-chart
 
@@ -102,8 +103,8 @@ jobs:
     needs: changes
     if: needs.changes.outputs.code == 'true'
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
           cache: npm
@@ -120,7 +121,7 @@ jobs:
     if: needs.changes.outputs.ci == 'true'
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Check workflow files
         run: |
           bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.9
@@ -133,8 +134,8 @@ jobs:
     needs: changes
     if: needs.changes.outputs.code == 'true'
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
           cache: npm
@@ -143,7 +144,7 @@ jobs:
             test/package-lock.json
       - run: SKIP_SUBMODULE_DEPS=1 npm ci
       - run: npm run test:unit
-      - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
+      - uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
         if: success()
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -167,11 +168,11 @@ jobs:
           packages: quilt
           version: 1.0
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: true
       - run: quilt push -a
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
           cache: npm
@@ -190,7 +191,7 @@ jobs:
       # embedded into the code).  Use VSCODE_CACHE_VERSION to force a rebuild.
       - name: Fetch prebuilt linux-x64 Code package from cache
         id: cache-vscode
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: lib/vscode-reh-web-linux-x64
           key: vscode-linux-x64-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
@@ -204,7 +205,7 @@ jobs:
       # Push up an artifact containing the linux-x64 release.
       - run: KEEP_MODULES=1 npm run release
       - run: tar -czf package.tar.gz release
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: linux-x64-package
           path: ./package.tar.gz
@@ -212,12 +213,14 @@ jobs:
   test-e2e:
     name: Run e2e tests
     runs-on: ubuntu-22.04
+    env:
+      LOG_LEVEL: debug
     needs: [changes, build]
     if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true' || needs.changes.outputs.ci == 'true'
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
           cache: npm
@@ -230,13 +233,13 @@ jobs:
           ./test/node_modules/.bin/playwright install-deps
           ./test/node_modules/.bin/playwright install
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: linux-x64-package
       - run: tar -xzf package.tar.gz
 
       - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         if: always()
         with:
           name: failed-test-videos
@@ -247,12 +250,13 @@ jobs:
     runs-on: ubuntu-22.04
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      LOG_LEVEL: debug
     needs: [changes, build]
     if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true' || needs.changes.outputs.ci == 'true'
 
     steps:
       - name: Cache Caddy
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         id: caddy-cache
         with:
           path: |
@@ -265,8 +269,8 @@ jobs:
           mkdir -p ~/.cache/caddy
           tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy
 
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
           cache: npm
@@ -279,7 +283,7 @@ jobs:
           ./test/node_modules/.bin/playwright install-deps
           ./test/node_modules/.bin/playwright install
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: linux-x64-package
       - run: tar -xzf package.tar.gz
@@ -288,7 +292,7 @@ jobs:
       - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e:proxy
       - run: ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
         if: always()
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         if: always()
         with:
           name: failed-test-videos-proxy

.github/workflows/installer.yaml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install code-server
         run: ./install.sh
@@ -44,7 +44,7 @@ jobs:
     container: "alpine:3.17"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install curl
         run: apk add curl
@@ -67,7 +67,7 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install code-server
         run: ./install.sh

.github/workflows/publish.yaml

@@ -33,8 +33,8 @@ jobs:
         run: |
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
 
@@ -64,17 +64,18 @@ jobs:
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
       - name: Checkout code-server-aur repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: "cdrci/code-server-aur"
           token: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
           ref: "master"
 
-      - name: Merge in master
+      - name: Fetch and reset master
         run: |
           git remote add upstream https://github.com/coder/code-server-aur.git
           git fetch upstream
-          git merge upstream/master
+          git reset --hard upstream/master
+          git push --force
 
       - name: Configure git
         run: |
@@ -107,15 +108,15 @@ jobs:
         run: |
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - uses: actions/checkout@v6
-      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
-      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
-      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/release.yaml

@@ -68,11 +68,11 @@ jobs:
         run: |
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: true
       - run: quilt push -a
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
           cache: npm
@@ -148,11 +148,11 @@ jobs:
         run: |
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: true
       - run: quilt push -a
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
           cache: npm

.github/workflows/scripts.yaml

@@ -41,7 +41,7 @@ jobs:
     container: "alpine:3.17"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install test utilities
         run: apk add bats checkbashisms
@@ -58,7 +58,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install lint utilities
         run: sudo apt install shellcheck

.github/workflows/security.yaml

@@ -25,12 +25,12 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
 
@@ -46,12 +46,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # latest
         with:
           scan-type: "fs"
           scan-ref: "."
@@ -62,7 +62,7 @@ jobs:
           severity: "HIGH,CRITICAL"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
         with:
           sarif_file: "trivy-repo-results.sarif"
 
@@ -76,17 +76,17 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
         with:
           config-file: ./.github/codeql-config.yml
           languages: javascript
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4

.github/workflows/trivy-docker.yaml

@@ -48,10 +48,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # latest
         with:
           image-ref: "docker.io/codercom/code-server:latest"
           ignore-unfixed: true
@@ -60,6 +60,6 @@ jobs:
           severity: "HIGH,CRITICAL"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
         with:
           sarif_file: "trivy-image-results.sarif"

CHANGELOG.md

@@ -22,6 +22,71 @@ Code v99.99.999
 
 ## Unreleased
 
+## [4.118.0](https://github.com/coder/code-server/releases/tag/v4.118.0) - 2026-05-06
+
+Code v1.118.0
+
+### Changed
+
+- Update to Code 1.118.0
+
+## [4.117.0](https://github.com/coder/code-server/releases/tag/v4.117.0) - 2026-04-22
+
+Code v1.117.0
+
+### Changed
+
+- Update to Code 1.117.0
+
+## [4.116.0](https://github.com/coder/code-server/releases/tag/v4.116.0) - 2026-04-16
+
+Code v1.116.0
+
+### Changed
+
+- Update to Code 1.116.0
+
+## [4.115.0](https://github.com/coder/code-server/releases/tag/v4.115.0) - 2026-04-08
+
+Code v1.115.0
+
+### Changed
+
+- Update to Code 1.115.0
+
+## [4.114.1](https://github.com/coder/code-server/releases/tag/v4.114.1) - 2026-04-06
+
+Code v1.114.0
+
+### Changed
+
+- Ensure native modules are built from source so they use the correct version of
+  glibc. This should bring down the requirement from 2.34 back down to 2.28.
+
+## [4.114.0](https://github.com/coder/code-server/releases/tag/v4.114.0) - 2026-04-04
+
+Code v1.114.0
+
+### Changed
+
+- Update to Code 1.114.0.
+
+## [4.113.1](https://github.com/coder/code-server/releases/tag/v4.113.1) - 2026-04-03
+
+Code v1.113.0
+
+This is a re-release of v4.113.0 but with the correct Node binaries for arm64
+and armv7l. Previously they were packaging the amd64 Node binary due to a
+mistake while refactoring CI to use more of the upstream build scripts.
+
+## [4.113.0](https://github.com/coder/code-server/releases/tag/v4.113.0) - 2026-04-02
+
+Code v1.113.0
+
+### Changed
+
+- Update to Code 1.113.0
+
 ## [4.112.0](https://github.com/coder/code-server/releases/tag/v4.112.0) - 2026-03-19
 
 Code v1.112.0

ci/build/build-release.sh

@@ -79,7 +79,7 @@ EOF
   mv npm-shrinkwrap.json "$RELEASE_PATH"
 
   if [ "$KEEP_MODULES" = 1 ]; then
-    local rsync_opts=()
+    local rsync_opts=(-a)
     if [[ ${DEBUG-} = 1 ]]; then
       rsync_opts+=(-vh)
     fi
@@ -100,7 +100,7 @@ EOF
 bundle_vscode() {
   mkdir -p "$VSCODE_OUT_PATH"
 
-  local rsync_opts=()
+  local rsync_opts=(-a)
   if [[ ${DEBUG-} = 1 ]]; then
     rsync_opts+=(-vh)
   fi

ci/build/build-vscode.sh

@@ -107,6 +107,9 @@ main() {
 EOF
   ) > product.json
 
+
+  VSCODE_QUALITY=stable npm run gulp compile-copilot-extension-full-build
+
   npm run gulp core-ci
   npm run gulp "vscode-reh-web-$VSCODE_TARGET${MINIFY:+-min}-ci"
 

ci/build/update-vscode.sh

@@ -0,0 +1,151 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+function remove_patches() {
+  local -i exit_code=0
+  quilt pop -af || exit_code=$?
+  case $exit_code in
+    # Sucessfully removed.
+    0) ;;
+    # No more patches to remove.
+    2) ;;
+    # Some error.
+    *) return $exit_code ;;
+  esac
+}
+
+function update_vscode() {
+  pushd lib/vscode
+  if ! git checkout "$VERSION" ; then
+    echo "$VERSION does not exist locally, fetching..."
+    git fetch --all --prune
+    git checkout "$VERSION"
+  fi
+  popd
+}
+
+function refresh_patches() {
+  local -i exit_code=0
+  while quilt push ; ! (( exit_code=$? )) ; do
+    quilt refresh
+    echo # Extra new line for separation.
+  done
+  case $exit_code in
+    # No more patches to apply.
+    2) ;;
+    # Some error.
+    *) return $exit_code ;;
+  esac
+}
+
+function update_node() {
+  local node_version
+  node_version=$(cat .node-version)
+  if [[ $node_version == $target_node_version ]] ; then
+    echo "$node_version already matches $target_node_version"
+  else
+    echo "Updating from $node_version to $target_node_version..."
+    echo "$target_node_version" > .node-version
+  fi
+}
+
+function get-webview-script-hash() {
+  local html
+  html=$(<$1)
+  local start_tag='<script async type="module">'
+  local end_tag="</script>"
+  html=${html##*$start_tag}
+  html=${html%%$end_tag*}
+  echo -n "$html" | openssl sha256 -binary | openssl base64
+}
+
+function update_csp() {
+  local -i exit_code=0
+  # Move back to the webview patch so it can be refreshed.
+  quilt pop webview || exit_code=$?
+  case $exit_code in
+    # Successfully moved.
+    0) ;;
+    # Already at the patch.
+    2) ;;
+    # Some error.
+    *) return $exit_code ;;
+  esac
+  local file=lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
+  local hash
+  hash=$(get-webview-script-hash "$file")
+  echo "Calculated hash as $hash"
+  # Use octothorpe as a delimiter since the hash may contain a slash.
+  sed -i.bak "s#script-src 'sha256-[^']\+'#script-src 'sha256-$hash'#" "$file"
+  quilt refresh
+  # Get patched back up.
+  quilt push -a
+}
+
+function run() {
+  local -i failed=0
+  rm -f .cache/checklist
+  while (( $# )) ; do
+    local name=$1 ; shift
+    local fn=$1 ; shift
+    # Only run if an earlier step has not failed.
+    if [[ $failed == 0 ]] ; then
+      echo "[+] $name..."
+      if $fn ; then
+        echo "- [X] $name" >> .cache/checklist
+      else
+        ((failed++))
+      fi
+    fi
+    # For all failed steps, write out an empty checkbox.
+    if [[ $failed != 0 ]] ; then
+      echo "- [ ] $name" >> .cache/checklist
+    fi
+  done
+  if [[ $failed != 0 ]] ; then
+    return 1
+  fi
+}
+
+function add_changelog() {
+  local file=CHANGELOG.md
+  if grep "Code $VERSION" "$file" ; then
+    echo "Changelog for $VERSION already exists"
+  else
+    # TODO: This is not exactly robust.  In particular, it needs to handle if
+    # there is already a "changed" section.
+    sed -i.bak "s/## Unreleased/## Unreleased\n\nCode v$VERSION\n\n### Changed\n\n- Update to Code $VERSION/" "$file"
+  fi
+}
+
+function main() {
+  cd "$(dirname "${0}")/../.."
+
+  source ./ci/lib.sh
+
+  local target_node_version
+  target_node_version=$(grep target lib/vscode/remote/.npmrc | awk -F= '{print $2}' | tr -d '"')
+
+  declare -a steps
+  # Removing patches only needs to be done locally; in CI we start from a fresh
+  # clone each time.
+  if [[ ! ${CI-} ]] ; then
+    steps+=("Remove patches" "remove_patches")
+  fi
+
+  steps+=(
+    "Update VS Code to $VERSION" "update_vscode"
+    "Refresh VS Code patches" "refresh_patches"
+    "Set Node version to $target_node_version" "update_node"
+    "Update CSP webview hash" "update_csp"
+    "Add changelog note" "add_changelog"
+  )
+
+  run "${steps[@]}"
+
+  # This step is always manual.
+  echo "- [ ] Verify changelog" >> .cache/checklist
+}
+
+main "$@"

ci/helm-chart/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.33.0
+version: 3.35.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.109.5
+appVersion: 4.116.0

ci/helm-chart/templates/deployment.yaml

@@ -8,7 +8,9 @@ metadata:
   annotations: {{- toYaml .Values.annotations | nindent 4 }}
   {{- end }}
 spec:
-  replicas: {{ .Values.replicaCount | default 1 }}
+  {{- if ne .Values.replicaCount nil }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
   strategy:
     type: Recreate
   selector:

ci/helm-chart/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: codercom/code-server
-  tag: '4.109.5'
+  tag: '4.116.0'
   pullPolicy: Always
 
 # Specifies one or more secrets to be used when pulling images from a

ci/release-image/docker-bake.hcl

@@ -20,6 +20,7 @@ group "default" {
         "code-server-debian-12",
         "code-server-ubuntu-focal",
         "code-server-ubuntu-noble",
+        "code-server-ubuntu-resolute",
         "code-server-fedora-39",
         "code-server-opensuse-tumbleweed",
     ]
@@ -73,7 +74,6 @@ target "code-server-debian-12" {
 target "code-server-ubuntu-focal" {
     dockerfile = "ci/release-image/Dockerfile"
     tags = concat(
-        gen_tags_for_docker_and_ghcr("ubuntu"),
         gen_tags_for_docker_and_ghcr("focal"),
     )
     args = {
@@ -86,6 +86,7 @@ target "code-server-ubuntu-noble" {
     dockerfile = "ci/release-image/Dockerfile"
     tags = concat(
         gen_tags_for_docker_and_ghcr("noble"),
+        gen_tags_for_docker_and_ghcr("ubuntu"),
     )
     args = {
         BASE = "ubuntu:noble"
@@ -93,6 +94,17 @@ target "code-server-ubuntu-noble" {
     platforms = ["linux/amd64", "linux/arm64"]
 }
 
+target "code-server-ubuntu-resolute" {
+    dockerfile = "ci/release-image/Dockerfile"
+    tags = concat(
+        gen_tags_for_docker_and_ghcr("resolute"),
+    )
+    args = {
+        BASE = "ubuntu:resolute"
+    }
+    platforms = ["linux/amd64", "linux/arm64"]
+}
+
 target "code-server-fedora-39" {
     dockerfile = "ci/release-image/Dockerfile.fedora"
     tags = concat(

package-lock.json

@@ -968,9 +968,9 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-      "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1639,9 +1639,9 @@
       "license": "MIT"
     },
     "node_modules/basic-ftp": {
-      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.0.tgz",
-      "integrity": "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==",
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
+      "integrity": "sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==",
       "license": "MIT",
       "engines": {
         "node": ">=10.0.0"
@@ -1672,9 +1672,9 @@
       }
     },
     "node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3102,9 +3102,9 @@
       "license": "ISC"
     },
     "node_modules/follow-redirects": {
-      "version": "1.15.11",
-      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
-      "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+      "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
       "funding": [
         {
           "type": "individual",
@@ -5042,9 +5042,9 @@
       "license": "MIT"
     },
     "node_modules/path-to-regexp": {
-      "version": "8.3.0",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
-      "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
+      "version": "8.4.2",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.4.2.tgz",
+      "integrity": "sha512-qRcuIdP69NPm4qbACK+aDogI5CBDMi1jKe0ry5rSQJz8JVLsC7jV8XpiJjGRLLol3N+R5ihGYcrPLTno6pAdBA==",
       "license": "MIT",
       "funding": {
         "type": "opencollective",

patches/clipboard.diff

@@ -78,7 +78,7 @@ Index: code-server/lib/vscode/src/vs/platform/environment/common/argv.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/environment/common/argv.ts
 +++ code-server/lib/vscode/src/vs/platform/environment/common/argv.ts
-@@ -144,6 +144,7 @@ export interface NativeParsedArgs {
+@@ -149,6 +149,7 @@ export interface NativeParsedArgs {
  	'disable-chromium-sandbox'?: boolean;
  	sandbox?: boolean;
  	'enable-coi'?: boolean;

patches/copilot.diff

@@ -0,0 +1,163 @@
+Index: code-server/lib/vscode/build/gulpfile.extensions.ts
+===================================================================
+--- code-server.orig/lib/vscode/build/gulpfile.extensions.ts
++++ code-server/lib/vscode/build/gulpfile.extensions.ts
+@@ -294,6 +294,29 @@ export const compileCopilotExtensionBuil
+ gulp.task(compileCopilotExtensionBuildTask);
+ 
+ /**
++ * Compiles the built-in copilot extension with proper `.vscodeignore` filtering
++ * and materializes native dependency shims (`node-pty`, `ripgrep`).
++ * Produces output equivalent to what CI ships from the pre-built VSIX.
++ *
++ * The result is placed in `.build/extensions/copilot/` and can be copied
++ * directly into a VS Code Insiders installation at:
++ *   `<insiders>/resources/app/extensions/copilot/`
++ */
++export const compileCopilotExtensionFullBuildTask = task.define('compile-copilot-extension-full-build', task.series(
++	// Step 1: Clean previous copilot build output
++	task.define('clean-copilot-build', util.rimraf('.build/extensions/copilot')),
++	// Step 2: Build and package with proper `.vscodeignore` filtering
++	task.define('package-copilot-extension-full', () => ext.packageCopilotExtensionFullStream().pipe(gulp.dest('.build'))),
++	// Step 3: Materialize native dependency shims (`node-pty`, `ripgrep`)
++	task.define('copilot-extension-native-shims', () => {
++		const copilotExtDir = path.join(root, '.build', 'extensions', 'copilot');
++		ext.prepareCopilotExtensionNativeShims(copilotExtDir);
++		return Promise.resolve();
++	})
++));
++gulp.task(compileCopilotExtensionFullBuildTask);
++
++/**
+  * Compiles the extensions for the build.
+  * This is essentially a helper task that combines {@link cleanExtensionsBuildTask}, {@link compileNonNativeExtensionsBuildTask} and {@link compileNativeExtensionsBuildTask}
+  */
+Index: code-server/lib/vscode/build/lib/extensions.ts
+===================================================================
+--- code-server.orig/lib/vscode/build/lib/extensions.ts
++++ code-server/lib/vscode/build/lib/extensions.ts
+@@ -24,6 +24,7 @@ import { getProductionDependencies } fro
+ import { type IExtensionDefinition, getExtensionStream } from './builtInExtensions.ts';
+ import { fetchUrls, fetchGithub } from './fetch.ts';
+ import { createTsgoStream, spawnTsgo } from './tsgo.ts';
++import { prepareBuiltInCopilotRipgrepShim } from './copilot.ts';
+ import vzip from 'gulp-vinyl-zip';
+ 
+ import { createRequire } from 'module';
+@@ -487,6 +488,116 @@ export function packageCopilotExtensionS
+ 	).pipe(util2.setExecutableBit(['**/*.sh']));
+ }
+ 
++/**
++ * Package the built-in copilot extension as a properly filtered VSIX-equivalent.
++ * Unlike {@link packageCopilotExtensionStream}, this uses vsce.listFiles with
++ * PackageManager.Npm so that .vscodeignore is respected for dependency filtering,
++ * producing output equivalent to what CI ships from the pre-built VSIX.
++ */
++export function packageCopilotExtensionFullStream(): Stream {
++	const vsce = require('@vscode/vsce') as typeof import('@vscode/vsce');
++	const extensionPath = path.join(root, 'extensions', 'copilot');
++	if (!fs.existsSync(extensionPath)) {
++		return es.readArray([]);
++	}
++
++	const esbuildConfigFileName = '.esbuild.mts';
++	const esbuildScript = path.join(extensionPath, esbuildConfigFileName);
++	if (!fs.existsSync(esbuildScript)) {
++		throw new Error(`Copilot esbuild script not found at ${esbuildScript}`);
++	}
++
++	const result = es.through();
++
++	// Step 1: Run esbuild to compile the extension
++	new Promise<void>((resolve, reject) => {
++		const proc = cp.execFile(process.argv[0], [esbuildScript], { cwd: extensionPath }, (error, _stdout, stderr) => {
++			if (error) {
++				return reject(error);
++			}
++			const matches = (stderr || '').match(/\> (.+): error: (.+)?/g);
++			fancyLog(`Bundled extension: ${ansiColors.yellow(path.join('copilot', esbuildConfigFileName))} with ${matches ? matches.length : 0} errors.`);
++			for (const match of matches || []) {
++				fancyLog.error(match);
++			}
++			return resolve();
++		});
++		proc.stdout!.on('data', (data) => {
++			fancyLog(`${ansiColors.green('esbuilding copilot')}: ${data.toString('utf8')}`);
++		});
++	}).then(() => {
++		// Step 2: Use `vsce.listFiles` with Npm package manager so `.vscodeignore`
++		// is applied to both source files AND `node_modules` dependencies.
++		// This is the key difference from `packageCopilotExtensionStream` which
++		// uses `PackageManager.None` and then blindly merges all production deps.
++		return vsce.listFiles({ cwd: extensionPath, packageManager: vsce.PackageManager.Npm });
++	}).then(fileNames => {
++		const files = fileNames
++			.map(fileName => path.join(extensionPath, fileName))
++			.map(filePath => new File({
++				path: filePath,
++				stat: fs.statSync(filePath),
++				base: extensionPath,
++				contents: fs.createReadStream(filePath)
++			}));
++
++		es.readArray(files).pipe(result);
++	}).catch(err => {
++		console.error('Failed to package copilot extension:', err);
++		result.emit('error', err);
++	});
++
++	// Apply the same package.json cleanup as bundled extensions get
++	const cleaned = updateExtensionPackageJSON(
++		result.pipe(rename(p => p.dirname = `extensions/copilot/${p.dirname}`)),
++		(data: any) => {
++			delete data.scripts;
++			delete data.dependencies;
++			delete data.devDependencies;
++			if (data.main) {
++				data.main = data.main.replace('/out/', '/dist/');
++			}
++			return data;
++		}
++	);
++
++	return minifyExtensionResources(cleaned)
++		.pipe(util2.setExecutableBit(['**/*.sh']));
++}
++
++/**
++ * Materializes native dependency shims (`node-pty`, `ripgrep`) into the copilot
++ * extension output at {@link outputDir}. Uses the root `node_modules` as the
++ * source for native binaries, targeting the current platform/arch.
++ *
++ * This is the equivalent of what {@link copyCopilotNativeDepsTask} in
++ * `gulpfile.vscode.ts` does during a full product build, but scoped to
++ * just the standalone copilot extension output.
++ *
++ * Failures are logged as warnings rather than throwing, since the copilot
++ * extension can still create shims at runtime if they are missing.
++ */
++export function prepareCopilotExtensionNativeShims(outputDir: string): void {
++	const platform = process.platform;
++	const arch = process.arch;
++	const appNodeModulesDir = path.join(root, 'node_modules');
++
++	if (!fs.existsSync(outputDir)) {
++		fancyLog.warn('[prepareCopilotExtensionNativeShims] Copilot extension not found at', outputDir, '- skipping shims');
++		return;
++	}
++
++	try {
++		prepareBuiltInCopilotRipgrepShim(platform, arch, outputDir, appNodeModulesDir);
++		fancyLog(`[prepareCopilotExtensionNativeShims] Materialized native shims for ${platform}-${arch}`);
++	} catch (err) {
++		// Downgrade to a warning for local builds since the extension
++		// can still function without shims (it creates them at runtime).
++		fancyLog.warn(`[prepareCopilotExtensionNativeShims] Failed to materialize shims: ${err}`);
++		fancyLog.warn('[prepareCopilotExtensionNativeShims] The extension will still work but will create shims at runtime.');
++	}
++}
++
+ export function packageMarketplaceExtensionsStream(forWeb: boolean): Stream {
+ 	const marketplaceExtensionsDescriptions = [
+ 		...builtInExtensions.filter(({ name }) => (forWeb ? !marketplaceWebExtensionsExclude.has(name) : true)),

patches/disable-builtin-ext-update.diff

@@ -8,7 +8,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 @@ -342,6 +342,10 @@ export class Extension implements IExten
- 			if (this.type === ExtensionType.System && this.productService.quality === 'stable') {
+ 			if (this.type === ExtensionType.System && this.productService.quality === 'stable' && !this.productService.builtInExtensionsEnabledWithAutoUpdates?.some(id => id.toLowerCase() === this.identifier.id.toLowerCase())) {
  				return false;
  			}
 +			// Do not update builtin extensions.

patches/display-language.diff

@@ -32,7 +32,7 @@ Index: code-server/lib/vscode/src/vs/platform/environment/common/environmentServ
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/environment/common/environmentService.ts
 +++ code-server/lib/vscode/src/vs/platform/environment/common/environmentService.ts
-@@ -98,7 +98,7 @@ export abstract class AbstractNativeEnvi
+@@ -112,7 +112,7 @@ export abstract class AbstractNativeEnvi
  			return URI.file(join(vscodePortable, 'argv.json'));
  		}
  
@@ -291,7 +291,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
  		}
  
  		// Prefers to run on UI
-@@ -2072,17 +2069,6 @@ export class SetLanguageAction extends E
+@@ -2284,17 +2281,6 @@ export class SetLanguageAction extends E
  	update(): void {
  		this.enabled = false;
  		this.class = SetLanguageAction.DisabledClass;
@@ -309,7 +309,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
  	}
  
  	override async run(): Promise<any> {
-@@ -2099,7 +2085,6 @@ export class ClearLanguageAction extends
+@@ -2311,7 +2297,6 @@ export class ClearLanguageAction extends
  	private static readonly DisabledClass = `${this.EnabledClass} disabled`;
  
  	constructor(
@@ -317,7 +317,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
  		@ILocaleService private readonly localeService: ILocaleService,
  	) {
  		super(ClearLanguageAction.ID, ClearLanguageAction.TITLE.value, ClearLanguageAction.DisabledClass, false);
-@@ -2109,17 +2094,6 @@ export class ClearLanguageAction extends
+@@ -2321,17 +2306,6 @@ export class ClearLanguageAction extends
  	update(): void {
  		this.enabled = false;
  		this.class = ClearLanguageAction.DisabledClass;

patches/external-file-actions.diff

@@ -27,7 +27,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -303,6 +303,16 @@ export interface IWorkbenchConstructionO
+@@ -312,6 +312,16 @@ export interface IWorkbenchConstructionO
  	 */
  	readonly userDataPath?: string
  
@@ -166,8 +166,8 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/files/browser/fileActions
  import { AutoSaveAfterShortDelayContext } from '../../../services/filesConfiguration/common/filesConfigurationService.js';
  import { WorkbenchListDoubleSelection } from '../../../../platform/list/browser/listService.js';
  import { Schemas } from '../../../../base/common/network.js';
--import { DirtyWorkingCopiesContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, WorkbenchStateContext, WorkspaceFolderCountContext, SidebarFocusContext, ActiveEditorCanRevertContext, ActiveEditorContext, ResourceContextKey, ActiveEditorAvailableEditorIdsContext, MultipleEditorsSelectedInGroupContext, TwoEditorsSelectedInGroupContext, SelectedEditorsInGroupFileOrUntitledResourceContextKey } from '../../../common/contextkeys.js';
-+import { IsEnabledFileDownloads, IsEnabledFileUploads, DirtyWorkingCopiesContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, WorkbenchStateContext, WorkspaceFolderCountContext, SidebarFocusContext, ActiveEditorCanRevertContext, ActiveEditorContext, ResourceContextKey, ActiveEditorAvailableEditorIdsContext, MultipleEditorsSelectedInGroupContext, TwoEditorsSelectedInGroupContext, SelectedEditorsInGroupFileOrUntitledResourceContextKey } from '../../../common/contextkeys.js';
+-import { DirtyWorkingCopiesContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsSessionsWindowContext, WorkbenchStateContext, WorkspaceFolderCountContext, SidebarFocusContext, ActiveEditorCanRevertContext, ActiveEditorContext, ResourceContextKey, ActiveEditorAvailableEditorIdsContext, MultipleEditorsSelectedInGroupContext, TwoEditorsSelectedInGroupContext, SelectedEditorsInGroupFileOrUntitledResourceContextKey } from '../../../common/contextkeys.js';
++import { IsEnabledFileDownloads, IsEnabledFileUploads, DirtyWorkingCopiesContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsSessionsWindowContext, WorkbenchStateContext, WorkspaceFolderCountContext, SidebarFocusContext, ActiveEditorCanRevertContext, ActiveEditorContext, ResourceContextKey, ActiveEditorAvailableEditorIdsContext, MultipleEditorsSelectedInGroupContext, TwoEditorsSelectedInGroupContext, SelectedEditorsInGroupFileOrUntitledResourceContextKey } from '../../../common/contextkeys.js';
  import { IsWebContext } from '../../../../platform/contextkey/common/contextkeys.js';
  import { ServicesAccessor } from '../../../../platform/instantiation/common/instantiation.js';
  import { ThemeIcon } from '../../../../base/common/themables.js';

patches/getting-started.diff

@@ -28,7 +28,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
  import { IEditorOpenContext, IEditorSerializer } from '../../../common/editor.js';
  import { IWebviewElement, IWebviewService } from '../../webview/browser/webview.js';
  import './gettingStartedColors.js';
-@@ -924,6 +924,72 @@ export class GettingStartedPage extends
+@@ -925,6 +925,72 @@ export class GettingStartedPage extends
  			$('p.subtitle.description', {}, localize({ key: 'gettingStarted.editingEvolved', comment: ['Shown as subtitle on the Welcome page.'] }, "Editing evolved"))
  		);
  
@@ -101,7 +101,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
  		const leftColumn = $('.categories-column.categories-column-left', {},);
  		const rightColumn = $('.categories-column.categories-column-right', {},);
  
-@@ -959,6 +1025,9 @@ export class GettingStartedPage extends
+@@ -974,6 +1040,9 @@ export class GettingStartedPage extends
  				recentList.setLimit(5);
  				reset(leftColumn, startList.getDomElement(), recentList.getDomElement());
  			}
@@ -135,7 +135,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -313,6 +313,11 @@ export interface IWorkbenchConstructionO
+@@ -322,6 +322,11 @@ export interface IWorkbenchConstructionO
  	 */
  	readonly isEnabledFileUploads?: boolean
  

patches/local-storage.diff

@@ -30,7 +30,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -298,6 +298,11 @@ export interface IWorkbenchConstructionO
+@@ -307,6 +307,11 @@ export interface IWorkbenchConstructionO
  	 */
  	readonly configurationDefaults?: Record<string, unknown>;
  

patches/series

@@ -22,3 +22,4 @@ clipboard.diff
 display-language.diff
 trusted-domains.diff
 signature-verification.diff
+copilot.diff

patches/sourcemaps.diff

@@ -1,43 +1,25 @@
-Make sourcemaps self-hosted
+Remove sourcemaps URL
 
-Normally source maps get removed as part of the build process so prevent that
-from happening.  Also avoid using the windows.net host since obviously we can
-not host our source maps there and want them to be self-hosted even if we could.
-
-To test try debugging/browsing the source of a build in a browser.
+These will not work since we patch VS Code.
 
 Index: code-server/lib/vscode/build/gulpfile.reh.ts
 ===================================================================
 --- code-server.orig/lib/vscode/build/gulpfile.reh.ts
 +++ code-server/lib/vscode/build/gulpfile.reh.ts
-@@ -263,8 +263,7 @@ function packageTask(type: string, platf
+@@ -261,10 +261,15 @@ function packageTask(type: string, platf
+ 	const destination = path.join(BUILD_ROOT, destinationFolderName);
+ 
  	return () => {
++		const jsFilterMain = util.filter(data => !data.isDirectory() && /\.js$/.test(data.path));
++
  		const src = gulp.src(sourceFolderName + '/**', { base: '.' })
  			.pipe(rename(function (path) { path.dirname = path.dirname!.replace(new RegExp('^' + sourceFolderName), 'out'); }))
--			.pipe(util.setExecutableBit(['**/*.sh']))
+ 			.pipe(util.setExecutableBit(['**/*.sh']))
 -			.pipe(filter(['**', '!**/*.{js,css}.map']));
-+			.pipe(util.setExecutableBit(['**/*.sh']));
++			.pipe(filter(['**', '!**/*.{js,css}.map']))
++			.pipe(jsFilterMain)
++			.pipe(util.stripSourceMappingURL())
++			.pipe(jsFilterMain.restore);
  
  		const workspaceExtensionPoints = ['debuggers', 'jsonValidation'];
  		const isUIExtension = (manifest: { extensionKind?: string; main?: string; contributes?: Record<string, unknown> }) => {
-@@ -304,9 +303,9 @@ function packageTask(type: string, platf
- 			.map(name => `.build/extensions/${name}/**`);
- 
- 		const extensions = gulp.src(extensionPaths, { base: '.build', dot: true });
--		const extensionsCommonDependencies = gulp.src('.build/extensions/node_modules/**', { base: '.build', dot: true });
--		const sources = es.merge(src, extensions, extensionsCommonDependencies)
-+		const extensionsCommonDependencies = gulp.src('.build/extensions/node_modules/**', { base: '.build', dot: true })
- 			.pipe(filter(['**', '!**/*.{js,css}.map'], { dot: true }));
-+		const sources = es.merge(src, extensions, extensionsCommonDependencies);
- 
- 		let version = packageJson.version;
- 		const quality = (product as typeof product & { quality?: string }).quality;
-@@ -501,7 +500,7 @@ function tweakProductForServerWeb(produc
- 	const minifyTask = task.define(`minify-vscode-${type}`, task.series(
- 		bundleTask,
- 		util.rimraf(`out-vscode-${type}-min`),
--		optimize.minifyTask(`out-vscode-${type}`, `https://main.vscode-cdn.net/sourcemaps/${commit}/core`)
-+		optimize.minifyTask(`out-vscode-${type}`, ``)
- 	));
- 	gulp.task(minifyTask);
- 

patches/store-socket.diff

@@ -31,7 +31,7 @@ Index: code-server/lib/vscode/src/vs/workbench/api/node/extHostExtensionService.
  import { ExtHostDiskFileSystemProvider } from './extHostDiskFileSystemProvider.js';
  import nodeModule from 'node:module';
  import { assertType } from '../../../base/common/types.js';
-@@ -226,6 +228,52 @@ export class ExtHostExtensionService ext
+@@ -175,6 +177,52 @@ export class ExtHostExtensionService ext
  
  		performance.mark('code/extHost/didInitAPI');
  

patches/unique-db.diff

@@ -21,7 +21,7 @@ Index: code-server/lib/vscode/src/vs/workbench/services/storage/browser/storageS
  
  export class BrowserStorageService extends AbstractStorageService {
  
-@@ -300,7 +301,11 @@ export class IndexedDBStorageDatabase ex
+@@ -328,7 +329,11 @@ export class IndexedDBStorageDatabase ex
  	}
  
  	static async createWorkspaceStorage(workspaceId: string, logService: ILogService): Promise<IIndexedDBStorageDatabase> {

patches/update-check.diff

@@ -101,7 +101,7 @@ Index: code-server/lib/vscode/src/vs/base/common/product.ts
  
  	readonly version: string;
  	readonly date?: string;
-@@ -115,6 +116,7 @@ export interface IProductConfiguration {
+@@ -119,6 +120,7 @@ export interface IProductConfiguration {
  		readonly resourceUrlTemplate: string;
  		readonly nlsBaseUrl: string;
  		readonly accessSKUs?: string[];

patches/webview.diff

@@ -70,21 +70,21 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
  	<meta charset="UTF-8">
  
  	<meta http-equiv="Content-Security-Policy"
--		content="default-src 'none'; script-src 'sha256-TaWGDzV7c9rUH2q/5ygOyYUHSyHIqBMYfucPh3lnKvU=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
-+		content="default-src 'none'; script-src 'sha256-nQZh+9dHKZP2cHbhYlCbWDtqxxJtGjRGBx57zNP2DZM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+-		content="default-src 'none'; script-src 'sha256-q+WTr+fBXpLLE3++yWNaxT6BTWQtsKscoeIlynBRk4E=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
++		content="default-src 'none'; script-src 'sha256-m1DlJtsIJd46QuWYNcsaYIG1xI+9FyjKQu+cfp+zq5Q=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
  
  	<!-- Disable pinch zooming -->
  	<meta name="viewport"
-@@ -256,7 +256,7 @@
+@@ -253,7 +253,7 @@
  			}
  
  			const swPath = encodeURI(`service-worker.js?v=${expectedWorkerVersion}&vscode-resource-base-authority=${searchParams.get('vscode-resource-base-authority')}&remoteAuthority=${searchParams.get('remoteAuthority') ?? ''}`);
--			navigator.serviceWorker.register(swPath, { type: 'module' })
+-			navigator.serviceWorker.register(swPath, { type: 'module', updateViaCache: 'none' })
 +			navigator.serviceWorker.register(swPath)
  				.then(async registration => {
- 					/**
- 					 * @param {MessageEvent} event
-@@ -370,6 +370,12 @@
+ 					if (navigator.serviceWorker.controller) {
+ 						// A previous SW is already controlling. Force an update
+@@ -332,6 +332,12 @@
  
  				const hostname = location.hostname;
  

test/e2e/models/CodeServer.ts

@@ -77,11 +77,14 @@ export class CodeServer {
    */
   private async createWorkspace(): Promise<string> {
     const dir = await this.workspaceDir
-    await fs.mkdir(path.join(dir, "Machine"), { recursive: true })
+    await fs.mkdir(path.join(dir, "User"), { recursive: true })
     await fs.writeFile(
-      path.join(dir, "Machine/settings.json"),
+      path.join(dir, "User/settings.json"),
       JSON.stringify({
         "workbench.startupEditor": "none",
+        // Disable the welcome popup so we can avoid having to click through it
+        // on every test.
+        "workbench.welcomePage.experimentalOnboarding": false,
       }),
       "utf8",
     )

test/package-lock.json

@@ -18,7 +18,7 @@
         "jest-fetch-mock": "^3.0.3",
         "jsdom": "^16.4.0",
         "node-fetch": "^2.6.7",
-        "playwright": "^1.56.1",
+        "playwright": "^1.59.1",
         "ts-jest": "^27.0.7",
         "wtfnode": "^0.9.1"
       }
@@ -1013,6 +1013,53 @@
         "node": ">=18"
       }
     },
+    "node_modules/@playwright/test/node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/@playwright/test/node_modules/playwright": {
+      "version": "1.56.1",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.56.1.tgz",
+      "integrity": "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright-core": "1.56.1"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "fsevents": "2.3.2"
+      }
+    },
+    "node_modules/@playwright/test/node_modules/playwright-core": {
+      "version": "1.56.1",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz",
+      "integrity": "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "playwright-core": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/@sinonjs/commons": {
       "version": "1.8.6",
       "resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-1.8.6.tgz",
@@ -3645,9 +3692,9 @@
       }
     },
     "node_modules/lodash": {
-      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
       "dev": true,
       "license": "MIT"
     },
@@ -4067,13 +4114,13 @@
       }
     },
     "node_modules/playwright": {
-      "version": "1.56.1",
-      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.56.1.tgz",
-      "integrity": "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw==",
+      "version": "1.59.1",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.59.1.tgz",
+      "integrity": "sha512-C8oWjPR3F81yljW9o5OxcWzfh6avkVwDD2VYdwIGqTkl+OGFISgypqzfu7dOe4QNLL2aqcWBmI3PMtLIK233lw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "playwright-core": "1.56.1"
+        "playwright-core": "1.59.1"
       },
       "bin": {
         "playwright": "cli.js"
@@ -4086,9 +4133,9 @@
       }
     },
     "node_modules/playwright-core": {
-      "version": "1.56.1",
-      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz",
-      "integrity": "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==",
+      "version": "1.59.1",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.59.1.tgz",
+      "integrity": "sha512-HBV/RJg81z5BiiZ9yPzIiClYV/QMsDCKUyogwH9p3MCP6IYjUFu/MActgYAvK0oWyV9NlwM3GLBjADyWgydVyg==",
       "dev": true,
       "license": "Apache-2.0",
       "bin": {

test/package.json

@@ -14,7 +14,7 @@
     "jest-fetch-mock": "^3.0.3",
     "jsdom": "^16.4.0",
     "node-fetch": "^2.6.7",
-    "playwright": "^1.56.1",
+    "playwright": "^1.59.1",
     "ts-jest": "^27.0.7",
     "wtfnode": "^0.9.1"
   },

test/playwright.config.ts

@@ -33,10 +33,12 @@ const config: PlaywrightTestConfig = {
     //   name: "Firefox",
     //   use: { browserName: "firefox" },
     // },
-    {
-      name: "WebKit",
-      use: { browserName: "webkit" },
-    },
+    // Keeps failing with "Underlying ArrayBuffer has been detached from the view or out-of-bounds"
+    // Not sure what we can do about it...so skip for now.
+    // {
+    //   name: "WebKit",
+    //   use: { browserName: "webkit" },
+    // },
   ],
 }