Compare commits

..

5 Commits

Author SHA1 Message Date
cdrci
77baee7fe0 Update Code to 1.129.0 (#7897) 2026-07-17 07:05:13 +00:00
Asher
3e76a04b1b Fix automatic CSP hash update
The problem was that whenever the hashe needed an update, the current
patch would create a conflict which cannot be easily auto-resolved.

Instead, put the hashes in a separate patch that is deleted and
regenerated each time, avoiding the conflicts.

Also the web worker iframe hash was not being updated.
2026-07-16 12:41:14 -08:00
cdrci
421e7eb084 Update Helm chart and changelog with 4.128.0 (#7891) 2026-07-13 08:56:29 -08:00
cdrci
cb22f74650 Update Code to 1.128.0 (#7889) 2026-07-10 12:08:44 -08:00
Asher
d103d5057a Fix update script using old Node version
It needs to parse the version *after* the VS Code update, otherwise it
is just pulling whatever the previous version was.

That means we cannot use it in the step title without some refactoring;
opted to just omit it for now.
2026-07-09 22:58:44 -08:00
13 changed files with 116 additions and 99 deletions

View File

@@ -1 +1 @@
24.15.0
24.18.0

View File

@@ -22,6 +22,20 @@ Code v99.99.999
## Unreleased
Code v1.129.0
### Changed
- Update to Code 1.129.0
## [4.128.0](https://github.com/coder/code-server/releases/tag/v4.128.0) - 2026-07-11
Code v1.128.0
### Changed
- Update to Code 1.128.0
## [4.127.0](https://github.com/coder/code-server/releases/tag/v4.127.0) - 2026-07-02
Code v1.127.0

View File

@@ -4,7 +4,7 @@ set -Eeuo pipefail
function unapply_patches() {
local -i exit_code=0
quiet quilt pop -af || exit_code=$?
quiet quilt pop -af 2>&1 || exit_code=$?
case $exit_code in
# Sucessfully unapplied.
0) ;;
@@ -15,6 +15,19 @@ function unapply_patches() {
esac
}
function apply_patches() {
local -i exit_code=0
quiet quilt push -a 2>&1 || exit_code=$?
case $exit_code in
# Sucessfully applied.
0) ;;
# No more patches to apply.
2) ;;
# Some error.
*) return $exit_code ;;
esac
}
function update_vscode() {
pushd lib/vscode
if ! git checkout 2>&1 "$target_vscode_version" ; then
@@ -28,8 +41,8 @@ function update_vscode() {
function refresh_patches() {
local -i exit_code=0
while quiet quilt push ; ! (( exit_code=$? )) ; do
quilt refresh
while quiet quilt push 2>&1 ; ! (( exit_code=$? )) ; do
quilt refresh 2>&1
done
case $exit_code in
# No more patches to apply.
@@ -42,6 +55,8 @@ function refresh_patches() {
function update_node() {
local node_version
node_version=$(cat .node-version)
local target_node_version
target_node_version=$(grep target lib/vscode/remote/.npmrc | awk -F= '{print $2}' | tr -d '"')
if [[ $node_version == "$target_node_version" ]] ; then
echo "Already set to $target_node_version"
else
@@ -54,50 +69,41 @@ function get-webview-script-hash() {
local html
html=$(<"$1")
local start_tag='<script async type="module">'
if [[ $file == */webWorkerExtensionHostIframe.html ]] ; then
start_tag='<script>'
fi
local end_tag="</script>"
html=${html##*"$start_tag"}
html=${html%%"$end_tag"*}
echo -n "$html" | openssl sha256 -binary | openssl base64
}
function delete_csp() {
quilt delete csp-hashes.diff
}
function update_csp() {
local current
current=$(quilt top 2>/dev/null || echo "")
local patch_action=""
echo "Currently at ${current:-base}"
if [[ $current != */webview.diff ]] ; then
echo "Moving to patches/webview.diff..."
local -i exit_code=0
if quilt applied 2>/dev/null | grep --quiet webview.diff ; then
quiet quilt pop webview || exit_code=$?
patch_action=pop
else
quiet quilt push webview || exit_code=$?
patch_action=push
fi
case $exit_code in
# Successfully moved.
0) ;;
# Some error.
*) return $exit_code ;;
esac
fi
apply_patches
local files=(
./lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
./lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
)
quilt new csp-hashes.diff
local file
for file in "${files[@]}" ; do
quilt add "$file"
local hash
hash=$(get-webview-script-hash "$file")
echo "Calculated hash as $hash"
# Use octothorpe as a delimiter since the hash may contain a slash.
sed -i.bak "s#'sha256-[^']\+'#'sha256-$hash'#" "$file"
done
local file=lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
local hash
hash=$(get-webview-script-hash "$file")
echo "Calculated hash as $hash"
# Use octothorpe as a delimiter since the hash may contain a slash.
sed -i.bak "s#script-src 'sha256-[^']\+'#script-src 'sha256-$hash'#" "$file"
quilt refresh
if [[ $patch_action != "" ]] ; then
echo "Moving back to ${current:-base}..."
case $patch_action in
pop) quiet quilt push "$current" ;;
push) quiet quilt pop "${current:--a}" ;;
esac
fi
}
function add_changelog() {
@@ -116,11 +122,11 @@ function main() {
source ./ci/lib.sh
local target_node_version
target_node_version=$(grep target lib/vscode/remote/.npmrc | awk -F= '{print $2}' | tr -d '"')
declare -a steps
# Hashes are always regenerated to avoid having to resolve conflicts..
steps+=("Revert CSP hashes" "delete_csp")
# If version is not set, assume we are already at the target version and the
# user is just trying to resolve conflics.
local target_vscode_version
@@ -141,8 +147,8 @@ function main() {
fi
steps+=(
"Set Node version to $target_node_version" "update_node"
"Update CSP webview hash" "update_csp"
"Update Node version" "update_node"
"Regenerate CSP hashes" "update_csp"
"Add changelog note" "add_changelog"
)

View File

@@ -15,9 +15,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 3.42.0
version: 3.43.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 4.127.0
appVersion: 4.128.0

View File

@@ -6,7 +6,7 @@ replicaCount: 1
image:
repository: codercom/code-server
tag: '4.127.0'
tag: '4.128.0'
pullPolicy: Always
# Specifies one or more secrets to be used when pulling images from a

View File

@@ -85,18 +85,20 @@ run-steps() {
while (( $# )) ; do
local name=$1 ; shift
local fn=$1 ; shift
echo "$name..."
# Only run if an earlier step has not failed.
# For all failed steps, write out an empty checkbox.
if [[ $failed == 0 ]] ; then
echo "$name..."
if $fn | indent ; then
echo "- [X] $name" >> .cache/checklist
else
((failed++))
echo "- [-] $name" >> .cache/checklist
echo "Failed" | indent
fi
fi
# For all failed steps, write out an empty checkbox.
if [[ $failed != 0 ]] ; then
else
echo "- [ ] $name" >> .cache/checklist
echo "Skipped" | indent
fi
done
if [[ $failed != 0 ]] ; then

8
package-lock.json generated
View File

@@ -61,7 +61,7 @@
"prettier": "3.8.3",
"prettier-plugin-sh": "^0.18.0",
"ts-node": "^10.9.1",
"typescript": "^6.0.3",
"typescript": "^5.6.2",
"typescript-eslint": "^8.8.0"
},
"engines": {
@@ -6219,9 +6219,9 @@
}
},
"node_modules/typescript": {
"version": "6.0.3",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz",
"integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==",
"version": "5.9.3",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
"integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
"devOptional": true,
"license": "Apache-2.0",
"bin": {

View File

@@ -62,7 +62,7 @@
"prettier": "3.8.3",
"prettier-plugin-sh": "^0.18.0",
"ts-node": "^10.9.1",
"typescript": "^6.0.3",
"typescript": "^5.6.2",
"typescript-eslint": "^8.8.0"
},
"dependencies": {

26
patches/csp-hashes.diff Normal file
View File

@@ -0,0 +1,26 @@
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
@@ -5,7 +5,7 @@
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
- content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+ content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
<!-- Disable pinch zooming -->
<meta name="viewport"
Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
@@ -4,7 +4,7 @@
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
child-src 'self' data: blob:;
- script-src 'self' 'unsafe-eval' 'sha256-daEgfo2VIXpx2Np71KqCCbkeQwv+68vPrx54XRcbdcs=' https: http://localhost:* blob:;
+ script-src 'self' 'unsafe-eval' 'sha256-gfjiOVjAlxqrivZAfTq2d83mOaz0fnAxbGaFpj5IjD8=' https: http://localhost:* blob:;
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
</head>
<body>

View File

@@ -10,18 +10,17 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extens
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts
@@ -321,10 +321,7 @@ function extensionDescriptionArrayToMap(
@@ -324,6 +324,10 @@ function extensionDescriptionArrayToMap(
}
export function isProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): boolean {
- if (!extension.enabledApiProposals) {
- return false;
- }
- return true;// extension.enabledApiProposals.includes(proposal);
+ return true
}
export function checkProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): void {
+ return true;
+}
+
+export function _isProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): boolean {
if (!extension.enabledApiProposals) {
return false;
}
Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts

View File

@@ -24,3 +24,4 @@ trusted-domains.diff
signature-verification.diff
copilot.diff
app-name.diff
csp-hashes.diff

View File

@@ -3,9 +3,6 @@ Serve webviews from the same origin
Normally webviews are served from vscode-webview.net but we would rather them be
self-hosted.
When doing this CSP will block resources (for example when viewing images) so
add 'self' to the CSP to fix that.
Additionally the service worker defaults to handling *all* requests made to the
current host but when self-hosting the webview this will end up including the
webview HTML itself which means these requests will fail since the communication
@@ -20,16 +17,6 @@ webview host is separate by default but we serve on the same host).
To test, open a few types of webviews (images, markdown, extension details, etc).
Make sure to update the hash. To do so:
1. run code-server
2. open any webview (i.e. preview Markdown)
3. see error in console and copy hash
That will test the hash change in pre/index.html
Double-check the console to make sure there are no console errors for the webWorkerExtensionHostIframe
which also requires a hash change.
parentOriginHash changes
This fixes webviews from not working properly due to a change upstream.
@@ -66,15 +53,6 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
@@ -5,7 +5,7 @@
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
- content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+ content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
<!-- Disable pinch zooming -->
<meta name="viewport"
@@ -253,7 +253,7 @@
}
@@ -101,17 +79,8 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWor
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
@@ -4,7 +4,7 @@
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
child-src 'self' data: blob:;
- script-src 'self' 'unsafe-eval' 'sha256-cl8ijlOzEe+0GRCQNJQu2k6nUQ0fAYNYIuuKEm72JDs=' https: http://localhost:* blob:;
+ script-src 'self' 'unsafe-eval' 'sha256-yhZXuB8LS6t73dvNg6rtLX8y4PHLnqRm5+6DdOGkOcw=' https: http://localhost:* blob:;
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
</head>
<body>
@@ -25,6 +25,13 @@
// validation not requested
@@ -34,6 +34,13 @@
}
return start();
}
+