Compare commits

..

9 Commits

Author SHA1 Message Date
cdrci
ffd58e0c36 Update Helm chart and changelog with 4.129.0 2026-07-17 09:57:04 +00:00
cdrci
77baee7fe0 Update Code to 1.129.0 (#7897) 2026-07-17 07:05:13 +00:00
Asher
3e76a04b1b Fix automatic CSP hash update
The problem was that whenever the hashe needed an update, the current
patch would create a conflict which cannot be easily auto-resolved.

Instead, put the hashes in a separate patch that is deleted and
regenerated each time, avoiding the conflicts.

Also the web worker iframe hash was not being updated.
2026-07-16 12:41:14 -08:00
cdrci
421e7eb084 Update Helm chart and changelog with 4.128.0 (#7891) 2026-07-13 08:56:29 -08:00
cdrci
cb22f74650 Update Code to 1.128.0 (#7889) 2026-07-10 12:08:44 -08:00
Asher
d103d5057a Fix update script using old Node version
It needs to parse the version *after* the VS Code update, otherwise it
is just pulling whatever the previous version was.

That means we cannot use it in the step title without some refactoring;
opted to just omit it for now.
2026-07-09 22:58:44 -08:00
Asher
aed61bf6ab Remove @schemastore/package
Providing our own type is trivial.
2026-07-02 12:29:55 -08:00
cdrci
1e160477be Update Helm chart and changelog with 4.127.0 (#7882) 2026-07-02 12:05:31 -08:00
cdrci
1e6ed874e3 Update Code to 1.127.0 (#7880)
There is a new use of parsedArgs so we have to pass that in since we
parse on demand instead of globally.
2026-07-01 13:01:48 -08:00
20 changed files with 154 additions and 114 deletions

View File

@@ -90,7 +90,7 @@ jobs:
if: needs.changes.outputs.helm == 'true'
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: azure/setup-helm@9bc31f4ebc9c6b171d7bfbaa5d006ae7abdb4310 # v5.0.1
- uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: "v3.19.2"

View File

@@ -1 +1 @@
24.15.0
24.18.0

View File

@@ -22,6 +22,30 @@ Code v99.99.999
## Unreleased
## [4.129.0](https://github.com/coder/code-server/releases/tag/v4.129.0) - 2026-07-17
Code v1.129.0
### Changed
- Update to Code 1.129.0
## [4.128.0](https://github.com/coder/code-server/releases/tag/v4.128.0) - 2026-07-11
Code v1.128.0
### Changed
- Update to Code 1.128.0
## [4.127.0](https://github.com/coder/code-server/releases/tag/v4.127.0) - 2026-07-02
Code v1.127.0
### Changed
- Update to Code 1.127.0
## [4.126.0](https://github.com/coder/code-server/releases/tag/v4.126.0) - 2026-06-24
Code v1.126.0

View File

@@ -4,7 +4,7 @@ set -Eeuo pipefail
function unapply_patches() {
local -i exit_code=0
quiet quilt pop -af || exit_code=$?
quiet quilt pop -af 2>&1 || exit_code=$?
case $exit_code in
# Sucessfully unapplied.
0) ;;
@@ -15,6 +15,19 @@ function unapply_patches() {
esac
}
function apply_patches() {
local -i exit_code=0
quiet quilt push -a 2>&1 || exit_code=$?
case $exit_code in
# Sucessfully applied.
0) ;;
# No more patches to apply.
2) ;;
# Some error.
*) return $exit_code ;;
esac
}
function update_vscode() {
pushd lib/vscode
if ! git checkout 2>&1 "$target_vscode_version" ; then
@@ -28,8 +41,8 @@ function update_vscode() {
function refresh_patches() {
local -i exit_code=0
while quiet quilt push ; ! (( exit_code=$? )) ; do
quilt refresh
while quiet quilt push 2>&1 ; ! (( exit_code=$? )) ; do
quilt refresh 2>&1
done
case $exit_code in
# No more patches to apply.
@@ -42,6 +55,8 @@ function refresh_patches() {
function update_node() {
local node_version
node_version=$(cat .node-version)
local target_node_version
target_node_version=$(grep target lib/vscode/remote/.npmrc | awk -F= '{print $2}' | tr -d '"')
if [[ $node_version == "$target_node_version" ]] ; then
echo "Already set to $target_node_version"
else
@@ -54,50 +69,41 @@ function get-webview-script-hash() {
local html
html=$(<"$1")
local start_tag='<script async type="module">'
if [[ $file == */webWorkerExtensionHostIframe.html ]] ; then
start_tag='<script>'
fi
local end_tag="</script>"
html=${html##*"$start_tag"}
html=${html%%"$end_tag"*}
echo -n "$html" | openssl sha256 -binary | openssl base64
}
function update_csp() {
local current
current=$(quilt top 2>/dev/null || echo "")
local patch_action=""
echo "Currently at ${current:-base}"
if [[ $current != */webview.diff ]] ; then
echo "Moving to patches/webview.diff..."
local -i exit_code=0
if quilt applied 2>/dev/null | grep --quiet webview.diff ; then
quiet quilt pop webview || exit_code=$?
patch_action=pop
else
quiet quilt push webview || exit_code=$?
patch_action=push
fi
case $exit_code in
# Successfully moved.
0) ;;
# Some error.
*) return $exit_code ;;
esac
fi
function delete_csp() {
quilt delete csp-hashes.diff
}
function update_csp() {
apply_patches
local files=(
./lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
./lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
)
quilt new csp-hashes.diff
local file
for file in "${files[@]}" ; do
quilt add "$file"
local file=lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
local hash
hash=$(get-webview-script-hash "$file")
echo "Calculated hash as $hash"
# Use octothorpe as a delimiter since the hash may contain a slash.
sed -i.bak "s#script-src 'sha256-[^']\+'#script-src 'sha256-$hash'#" "$file"
quilt refresh
sed -i.bak "s#'sha256-[^']\+'#'sha256-$hash'#" "$file"
done
if [[ $patch_action != "" ]] ; then
echo "Moving back to ${current:-base}..."
case $patch_action in
pop) quiet quilt push "$current" ;;
push) quiet quilt pop "${current:--a}" ;;
esac
fi
quilt refresh
}
function add_changelog() {
@@ -116,11 +122,11 @@ function main() {
source ./ci/lib.sh
local target_node_version
target_node_version=$(grep target lib/vscode/remote/.npmrc | awk -F= '{print $2}' | tr -d '"')
declare -a steps
# Hashes are always regenerated to avoid having to resolve conflicts..
steps+=("Revert CSP hashes" "delete_csp")
# If version is not set, assume we are already at the target version and the
# user is just trying to resolve conflics.
local target_vscode_version
@@ -141,8 +147,8 @@ function main() {
fi
steps+=(
"Set Node version to $target_node_version" "update_node"
"Update CSP webview hash" "update_csp"
"Update Node version" "update_node"
"Regenerate CSP hashes" "update_csp"
"Add changelog note" "add_changelog"
)

View File

@@ -15,9 +15,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 3.41.0
version: 3.44.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 4.126.0
appVersion: 4.129.0

View File

@@ -6,7 +6,7 @@ replicaCount: 1
image:
repository: codercom/code-server
tag: '4.126.0'
tag: '4.129.0'
pullPolicy: Always
# Specifies one or more secrets to be used when pulling images from a

View File

@@ -85,18 +85,20 @@ run-steps() {
while (( $# )) ; do
local name=$1 ; shift
local fn=$1 ; shift
# Only run if an earlier step has not failed.
if [[ $failed == 0 ]] ; then
echo "$name..."
# Only run if an earlier step has not failed.
# For all failed steps, write out an empty checkbox.
if [[ $failed == 0 ]] ; then
if $fn | indent ; then
echo "- [X] $name" >> .cache/checklist
else
((failed++))
echo "- [-] $name" >> .cache/checklist
echo "Failed" | indent
fi
fi
# For all failed steps, write out an empty checkbox.
if [[ $failed != 0 ]] ; then
else
echo "- [ ] $name" >> .cache/checklist
echo "Skipped" | indent
fi
done
if [[ $failed != 0 ]] ; then

8
package-lock.json generated
View File

@@ -38,7 +38,6 @@
"@eslint/compat": "^1.2.0",
"@eslint/eslintrc": "^3.1.0",
"@eslint/js": "^9.12.0",
"@schemastore/package": "^0.0.10",
"@types/compression": "^1.7.3",
"@types/cookie-parser": "^1.4.4",
"@types/eslint__js": "^8.42.3",
@@ -438,13 +437,6 @@
"dev": true,
"license": "MIT"
},
"node_modules/@schemastore/package": {
"version": "0.0.10",
"resolved": "https://registry.npmjs.org/@schemastore/package/-/package-0.0.10.tgz",
"integrity": "sha512-D3LxMCnkgsb4LO5sDKf6E+yahM2SqpEHmkqMPDSJis5Cy/j2MgWo/g/iq0lECK0mrPWfx3hqKm2ZJlqxwbRJQA==",
"dev": true,
"license": "MIT"
},
"node_modules/@textlint/ast-node-types": {
"version": "15.7.1",
"resolved": "https://registry.npmjs.org/@textlint/ast-node-types/-/ast-node-types-15.7.1.tgz",

View File

@@ -39,7 +39,6 @@
"@eslint/compat": "^1.2.0",
"@eslint/eslintrc": "^3.1.0",
"@eslint/js": "^9.12.0",
"@schemastore/package": "^0.0.10",
"@types/compression": "^1.7.3",
"@types/cookie-parser": "^1.4.4",
"@types/eslint__js": "^8.42.3",

26
patches/csp-hashes.diff Normal file
View File

@@ -0,0 +1,26 @@
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
@@ -5,7 +5,7 @@
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
- content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+ content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
<!-- Disable pinch zooming -->
<meta name="viewport"
Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
@@ -4,7 +4,7 @@
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
child-src 'self' data: blob:;
- script-src 'self' 'unsafe-eval' 'sha256-daEgfo2VIXpx2Np71KqCCbkeQwv+68vPrx54XRcbdcs=' https: http://localhost:* blob:;
+ script-src 'self' 'unsafe-eval' 'sha256-gfjiOVjAlxqrivZAfTq2d83mOaz0fnAxbGaFpj5IjD8=' https: http://localhost:* blob:;
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
</head>
<body>

View File

@@ -18,7 +18,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
import { ProtocolConstants } from '../../base/parts/ipc/common/ipc.net.js';
import { IConfigurationService } from '../../platform/configuration/common/configuration.js';
import { ConfigurationService } from '../../platform/configuration/common/configurationService.js';
@@ -359,6 +359,9 @@ export async function setupServerService
@@ -358,6 +358,9 @@ export async function setupServerService
socketServer.registerChannel('mcpManagement', new McpManagementChannel(mcpManagementService, (ctx: RemoteAgentConnectionContext) => getUriTransformer(ctx.remoteAuthority)));

View File

@@ -147,7 +147,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
@IProductService private readonly productService: IProductService,
@IEditorGroupsService private readonly editorGroupService: IEditorGroupsService,
@IEditorService private readonly editorService: IEditorService,
@@ -201,6 +201,10 @@ export class WorkbenchContextKeysHandler
@@ -202,6 +202,10 @@ export class WorkbenchContextKeysHandler
this.auxiliaryBarMaximizedContext = AuxiliaryBarMaximizedContext.bindTo(this.contextKeyService);
this.auxiliaryBarMaximizedContext.set(this.layoutService.isAuxiliaryBarMaximized());

View File

@@ -222,7 +222,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
import { preferredSideBySideGroupDirection, GroupDirection, IEditorGroupsService } from '../services/editor/common/editorGroupsService.js';
import { IConfigurationService } from '../../platform/configuration/common/configuration.js';
import { IBrowserWorkbenchEnvironmentService } from '../services/environment/browser/environmentService.js';
@@ -204,6 +204,7 @@ export class WorkbenchContextKeysHandler
@@ -205,6 +205,7 @@ export class WorkbenchContextKeysHandler
// code-server
IsEnabledFileDownloads.bindTo(this.contextKeyService).set(this.environmentService.isEnabledFileDownloads ?? true)
IsEnabledFileUploads.bindTo(this.contextKeyService).set(this.environmentService.isEnabledFileUploads ?? true)

View File

@@ -263,7 +263,7 @@ Index: code-server/lib/vscode/src/server-main.ts
===================================================================
--- code-server.orig/lib/vscode/src/server-main.ts
+++ code-server/lib/vscode/src/server-main.ts
@@ -22,6 +22,9 @@ import { IServerAPI } from './vs/server/
@@ -23,6 +23,9 @@ import { IServerAPI } from './vs/server/
perf.mark('code/server/start');
(globalThis as { vscodeServerStartTime?: number }).vscodeServerStartTime = performance.now();
@@ -273,7 +273,16 @@ Index: code-server/lib/vscode/src/server-main.ts
// Do a quick parse to determine if a server or the cli needs to be started
const parsedArgs = minimist(process.argv.slice(2), {
boolean: ['start-server', 'list-extensions', 'print-ip-address', 'help', 'version', 'accept-server-license-terms', 'update-extensions'],
@@ -150,6 +153,7 @@ if (shouldSpawnCli) {
@@ -50,7 +53,7 @@ if (shouldSpawnCli) {
mod.spawnCli();
});
} else {
- installServerProcessExitDiagnostics();
+ installServerProcessExitDiagnostics(parsedArgs);
let _remoteExtensionHostAgentServer: IServerAPI | null = null;
let _remoteExtensionHostAgentServerPromise: Promise<IServerAPI> | null = null;
@@ -153,6 +156,7 @@ if (shouldSpawnCli) {
}
});
}
@@ -281,7 +290,16 @@ Index: code-server/lib/vscode/src/server-main.ts
function sanitizeStringArg(val: unknown): string | undefined {
if (Array.isArray(val)) { // if an argument is passed multiple times, minimist creates an array
@@ -283,3 +287,22 @@ function prompt(question: string): Promi
@@ -173,7 +177,7 @@ function sanitizeStringArg(val: unknown)
* provided) so they survive process teardown (an async stdio write from an
* `exit` handler does not).
*/
-function installServerProcessExitDiagnostics(): void {
+function installServerProcessExitDiagnostics(parsedArgs: minimist.ParsedArgs): void {
if (!process.env['VSCODE_SERVER_EXIT_DIAGNOSTICS']) {
return;
}
@@ -406,3 +410,22 @@ function prompt(question: string): Promi
});
});
}

View File

@@ -10,18 +10,17 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extens
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts
@@ -321,10 +321,7 @@ function extensionDescriptionArrayToMap(
@@ -324,6 +324,10 @@ function extensionDescriptionArrayToMap(
}
export function isProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): boolean {
- if (!extension.enabledApiProposals) {
- return false;
- }
- return true;// extension.enabledApiProposals.includes(proposal);
+ return true
+ return true;
+}
+
+export function _isProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): boolean {
if (!extension.enabledApiProposals) {
return false;
}
export function checkProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): void {
Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts

View File

@@ -24,3 +24,4 @@ trusted-domains.diff
signature-verification.diff
copilot.diff
app-name.diff
csp-hashes.diff

View File

@@ -6,7 +6,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.ts
===================================================================
--- code-server.orig/lib/vscode/build/gulpfile.reh.ts
+++ code-server/lib/vscode/build/gulpfile.reh.ts
@@ -297,10 +297,15 @@ function packageTask(type: string, platf
@@ -344,10 +344,15 @@ function packageTask(type: string, platf
const destination = path.join(BUILD_ROOT, destinationFolderName);
return () => {

View File

@@ -3,9 +3,6 @@ Serve webviews from the same origin
Normally webviews are served from vscode-webview.net but we would rather them be
self-hosted.
When doing this CSP will block resources (for example when viewing images) so
add 'self' to the CSP to fix that.
Additionally the service worker defaults to handling *all* requests made to the
current host but when self-hosting the webview this will end up including the
webview HTML itself which means these requests will fail since the communication
@@ -20,16 +17,6 @@ webview host is separate by default but we serve on the same host).
To test, open a few types of webviews (images, markdown, extension details, etc).
Make sure to update the hash. To do so:
1. run code-server
2. open any webview (i.e. preview Markdown)
3. see error in console and copy hash
That will test the hash change in pre/index.html
Double-check the console to make sure there are no console errors for the webWorkerExtensionHostIframe
which also requires a hash change.
parentOriginHash changes
This fixes webviews from not working properly due to a change upstream.
@@ -66,15 +53,6 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
@@ -5,7 +5,7 @@
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
- content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+ content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
<!-- Disable pinch zooming -->
<meta name="viewport"
@@ -253,7 +253,7 @@
}
@@ -101,17 +79,8 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWor
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
@@ -4,7 +4,7 @@
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
child-src 'self' data: blob:;
- script-src 'self' 'unsafe-eval' 'sha256-cl8ijlOzEe+0GRCQNJQu2k6nUQ0fAYNYIuuKEm72JDs=' https: http://localhost:* blob:;
+ script-src 'self' 'unsafe-eval' 'sha256-yhZXuB8LS6t73dvNg6rtLX8y4PHLnqRm5+6DdOGkOcw=' https: http://localhost:* blob:;
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
</head>
<body>
@@ -25,6 +25,13 @@
// validation not requested
@@ -34,6 +34,13 @@
}
return start();
}
+

View File

@@ -1,9 +1,13 @@
import { logger } from "@coder/logger"
import type { JSONSchemaForNPMPackageJsonFiles } from "@schemastore/package"
import * as os from "os"
import * as path from "path"
export function getPackageJson(relativePath: string): JSONSchemaForNPMPackageJsonFiles {
type PackageJson = {
version: string
commit: string
}
export function getPackageJson(relativePath: string): PackageJson {
let pkg = {}
try {
pkg = require(relativePath)
@@ -11,7 +15,7 @@ export function getPackageJson(relativePath: string): JSONSchemaForNPMPackageJso
logger.warn(error.message)
}
return pkg
return pkg as PackageJson
}
export const rootPath = path.resolve(__dirname, "../..")