Check for updates on a schedule

For now it is manually triggered.

.github/workflows/security.yaml

@@ -51,7 +51,7 @@ jobs:
           fetch-depth: 0
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # latest
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # latest
         with:
           scan-type: "fs"
           scan-ref: "."

.github/workflows/trivy-docker.yaml

@@ -51,7 +51,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # latest
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # latest
         with:
           image-ref: "docker.io/codercom/code-server:latest"
           ignore-unfixed: true

.github/workflows/update.yaml

@@ -0,0 +1,72 @@
+name: Update code-server
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        type: string
+        required: true
+  schedule:
+    - cron: "23 * * * *"
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    env:
+      TAG: ${{ inputs.version }}
+      GH_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
+
+    steps:
+      - name: Fetch latest tag
+        if: env.TAG == ''
+        run: |
+          tag=$(curl -fsSLI -o /dev/null -w "%{url_effective}" https://github.com/microsoft/vscode/releases/latest)
+          tag="${tag#https://github.com/microsoft/vscode/releases/tag/}"
+          echo "TAG=$tag" >> $GITHUB_ENV
+
+      - name: Remove leading v from tag
+        run: |
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: true
+
+      - name: Check current version
+        id: check
+        run: |
+          commit="$(git -C lib/vscode rev-parse HEAD)"
+          if [[ $(git -C lib/vscode ls-remote --tags | grep "$commit") == */"$VERSION" ]] ; then
+            echo "$VERSION update has already been merged into $(git rev-parse --abbrev-ref HEAD)"
+            echo done=true >> $GITHUB_OUTPUT
+          elif git ls-remote --exit-code --heads origin "update/$VERSION" ; then
+            echo "There is already a PR for updating to $VERSION"
+            echo done=true >> $GITHUB_OUTPUT
+          else
+            echo "$VERSION update has not started yet"
+            echo done=false >> $GITHUB_OUTPUT
+          fi
+
+      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
+        if: steps.check.outputs.done == 'false'
+        with:
+          packages: quilt
+          version: 1.0
+
+      - run: ./ci/build/update-vscode.sh
+        if: steps.check.outputs.done == 'false'
+
+      - name: Open PR
+        if: steps.check.outputs.done == 'false'
+        run: |
+          git config --global user.name cdrci
+          git config --global user.email opensource@coder.com
+          git checkout -b "update/$VERSION"
+          git add .
+          git commit -m "Update VS Code to $VERSION"
+          git push -u origin "$(git branch --show)"
+          gh pr create \
+            --repo coder/code-server \
+            --title "Update VS Code to $VERSION" \
+            --body-file .cache/checklist \
+            --draft

.gitignore

@@ -11,6 +11,7 @@ node_modules
 .home
 coverage
 **/.DS_Store
+*.bak
 
 # Code packages itself here.
 /lib/vscode-reh-web-*

CHANGELOG.md

@@ -22,6 +22,14 @@ Code v99.99.999
 
 ## Unreleased
 
+## [4.119.0](https://github.com/coder/code-server/releases/tag/v4.119.0) - 2026-05-07
+
+Code v1.119.0
+
+### Changed
+
+- Update to Code 1.119.0
+
 ## [4.118.0](https://github.com/coder/code-server/releases/tag/v4.118.0) - 2026-05-06
 
 Code v1.118.0

ci/build/update-vscode.sh

@@ -17,10 +17,10 @@ function remove_patches() {
 
 function update_vscode() {
   pushd lib/vscode
-  if ! git checkout "$VERSION" ; then
+  if ! git checkout "$target_vscode_version" ; then
-    echo "$VERSION does not exist locally, fetching..."
+    echo "$target_vscode_version does not exist locally, fetching..."
     git fetch --all --prune
-    git checkout "$VERSION"
+    git checkout "$target_vscode_version"
   fi
   popd
 }
@@ -42,7 +42,7 @@ function refresh_patches() {
 function update_node() {
   local node_version
   node_version=$(cat .node-version)
-  if [[ $node_version == $target_node_version ]] ; then
+  if [[ $node_version == "$target_node_version" ]] ; then
     echo "$node_version already matches $target_node_version"
   else
     echo "Updating from $node_version to $target_node_version..."
@@ -52,11 +52,11 @@ function update_node() {
 
 function get-webview-script-hash() {
   local html
-  html=$(<$1)
+  html=$(<"$1")
   local start_tag='<script async type="module">'
   local end_tag="</script>"
-  html=${html##*$start_tag}
+  html=${html##*"$start_tag"}
-  html=${html%%$end_tag*}
+  html=${html%%"$end_tag"*}
   echo -n "$html" | openssl sha256 -binary | openssl base64
 }
 
@@ -110,12 +110,12 @@ function run() {
 
 function add_changelog() {
   local file=CHANGELOG.md
-  if grep "Code $VERSION" "$file" ; then
+  if grep "Code $target_vscode_version" "$file" ; then
-    echo "Changelog for $VERSION already exists"
+    echo "Changelog for $target_vscode_version already exists"
   else
     # TODO: This is not exactly robust.  In particular, it needs to handle if
     # there is already a "changed" section.
-    sed -i.bak "s/## Unreleased/## Unreleased\n\nCode v$VERSION\n\n### Changed\n\n- Update to Code $VERSION/" "$file"
+    sed -i.bak "s/## Unreleased/## Unreleased\n\nCode v$target_vscode_version\n\n### Changed\n\n- Update to Code $target_vscode_version/" "$file"
   fi
 }
 
@@ -127,6 +127,9 @@ function main() {
   local target_node_version
   target_node_version=$(grep target lib/vscode/remote/.npmrc | awk -F= '{print $2}' | tr -d '"')
 
+  local target_vscode_version
+  target_vscode_version="${VERSION#v}"
+
   declare -a steps
   # Removing patches only needs to be done locally; in CI we start from a fresh
   # clone each time.
@@ -135,7 +138,7 @@ function main() {
   fi
 
   steps+=(
-    "Update VS Code to $VERSION" "update_vscode"
+    "Update VS Code to $target_vscode_version" "update_vscode"
     "Refresh VS Code patches" "refresh_patches"
     "Set Node version to $target_node_version" "update_node"
     "Update CSP webview hash" "update_csp"