Compare commits

..

8 Commits

Author SHA1 Message Date
cdrci
ffd58e0c36 Update Helm chart and changelog with 4.129.0 2026-07-17 09:57:04 +00:00
cdrci
77baee7fe0 Update Code to 1.129.0 (#7897) 2026-07-17 07:05:13 +00:00
Asher
3e76a04b1b Fix automatic CSP hash update
The problem was that whenever the hashe needed an update, the current
patch would create a conflict which cannot be easily auto-resolved.

Instead, put the hashes in a separate patch that is deleted and
regenerated each time, avoiding the conflicts.

Also the web worker iframe hash was not being updated.
2026-07-16 12:41:14 -08:00
cdrci
421e7eb084 Update Helm chart and changelog with 4.128.0 (#7891) 2026-07-13 08:56:29 -08:00
cdrci
cb22f74650 Update Code to 1.128.0 (#7889) 2026-07-10 12:08:44 -08:00
Asher
d103d5057a Fix update script using old Node version
It needs to parse the version *after* the VS Code update, otherwise it
is just pulling whatever the previous version was.

That means we cannot use it in the step title without some refactoring;
opted to just omit it for now.
2026-07-09 22:58:44 -08:00
Asher
aed61bf6ab Remove @schemastore/package
Providing our own type is trivial.
2026-07-02 12:29:55 -08:00
cdrci
1e160477be Update Helm chart and changelog with 4.127.0 (#7882) 2026-07-02 12:05:31 -08:00
14 changed files with 122 additions and 106 deletions

View File

@@ -1 +1 @@
24.15.0 24.18.0

View File

@@ -22,6 +22,24 @@ Code v99.99.999
## Unreleased ## Unreleased
## [4.129.0](https://github.com/coder/code-server/releases/tag/v4.129.0) - 2026-07-17
Code v1.129.0
### Changed
- Update to Code 1.129.0
## [4.128.0](https://github.com/coder/code-server/releases/tag/v4.128.0) - 2026-07-11
Code v1.128.0
### Changed
- Update to Code 1.128.0
## [4.127.0](https://github.com/coder/code-server/releases/tag/v4.127.0) - 2026-07-02
Code v1.127.0 Code v1.127.0
### Changed ### Changed

View File

@@ -4,7 +4,7 @@ set -Eeuo pipefail
function unapply_patches() { function unapply_patches() {
local -i exit_code=0 local -i exit_code=0
quiet quilt pop -af || exit_code=$? quiet quilt pop -af 2>&1 || exit_code=$?
case $exit_code in case $exit_code in
# Sucessfully unapplied. # Sucessfully unapplied.
0) ;; 0) ;;
@@ -15,6 +15,19 @@ function unapply_patches() {
esac esac
} }
function apply_patches() {
local -i exit_code=0
quiet quilt push -a 2>&1 || exit_code=$?
case $exit_code in
# Sucessfully applied.
0) ;;
# No more patches to apply.
2) ;;
# Some error.
*) return $exit_code ;;
esac
}
function update_vscode() { function update_vscode() {
pushd lib/vscode pushd lib/vscode
if ! git checkout 2>&1 "$target_vscode_version" ; then if ! git checkout 2>&1 "$target_vscode_version" ; then
@@ -28,8 +41,8 @@ function update_vscode() {
function refresh_patches() { function refresh_patches() {
local -i exit_code=0 local -i exit_code=0
while quiet quilt push ; ! (( exit_code=$? )) ; do while quiet quilt push 2>&1 ; ! (( exit_code=$? )) ; do
quilt refresh quilt refresh 2>&1
done done
case $exit_code in case $exit_code in
# No more patches to apply. # No more patches to apply.
@@ -42,6 +55,8 @@ function refresh_patches() {
function update_node() { function update_node() {
local node_version local node_version
node_version=$(cat .node-version) node_version=$(cat .node-version)
local target_node_version
target_node_version=$(grep target lib/vscode/remote/.npmrc | awk -F= '{print $2}' | tr -d '"')
if [[ $node_version == "$target_node_version" ]] ; then if [[ $node_version == "$target_node_version" ]] ; then
echo "Already set to $target_node_version" echo "Already set to $target_node_version"
else else
@@ -54,50 +69,41 @@ function get-webview-script-hash() {
local html local html
html=$(<"$1") html=$(<"$1")
local start_tag='<script async type="module">' local start_tag='<script async type="module">'
if [[ $file == */webWorkerExtensionHostIframe.html ]] ; then
start_tag='<script>'
fi
local end_tag="</script>" local end_tag="</script>"
html=${html##*"$start_tag"} html=${html##*"$start_tag"}
html=${html%%"$end_tag"*} html=${html%%"$end_tag"*}
echo -n "$html" | openssl sha256 -binary | openssl base64 echo -n "$html" | openssl sha256 -binary | openssl base64
} }
function delete_csp() {
quilt delete csp-hashes.diff
}
function update_csp() { function update_csp() {
local current apply_patches
current=$(quilt top 2>/dev/null || echo "")
local patch_action="" local files=(
echo "Currently at ${current:-base}" ./lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
if [[ $current != */webview.diff ]] ; then ./lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
echo "Moving to patches/webview.diff..." )
local -i exit_code=0
if quilt applied 2>/dev/null | grep --quiet webview.diff ; then quilt new csp-hashes.diff
quiet quilt pop webview || exit_code=$?
patch_action=pop local file
else for file in "${files[@]}" ; do
quiet quilt push webview || exit_code=$? quilt add "$file"
patch_action=push
fi local hash
case $exit_code in hash=$(get-webview-script-hash "$file")
# Successfully moved. echo "Calculated hash as $hash"
0) ;; # Use octothorpe as a delimiter since the hash may contain a slash.
# Some error. sed -i.bak "s#'sha256-[^']\+'#'sha256-$hash'#" "$file"
*) return $exit_code ;; done
esac
fi
local file=lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
local hash
hash=$(get-webview-script-hash "$file")
echo "Calculated hash as $hash"
# Use octothorpe as a delimiter since the hash may contain a slash.
sed -i.bak "s#script-src 'sha256-[^']\+'#script-src 'sha256-$hash'#" "$file"
quilt refresh quilt refresh
if [[ $patch_action != "" ]] ; then
echo "Moving back to ${current:-base}..."
case $patch_action in
pop) quiet quilt push "$current" ;;
push) quiet quilt pop "${current:--a}" ;;
esac
fi
} }
function add_changelog() { function add_changelog() {
@@ -116,11 +122,11 @@ function main() {
source ./ci/lib.sh source ./ci/lib.sh
local target_node_version
target_node_version=$(grep target lib/vscode/remote/.npmrc | awk -F= '{print $2}' | tr -d '"')
declare -a steps declare -a steps
# Hashes are always regenerated to avoid having to resolve conflicts..
steps+=("Revert CSP hashes" "delete_csp")
# If version is not set, assume we are already at the target version and the # If version is not set, assume we are already at the target version and the
# user is just trying to resolve conflics. # user is just trying to resolve conflics.
local target_vscode_version local target_vscode_version
@@ -141,8 +147,8 @@ function main() {
fi fi
steps+=( steps+=(
"Set Node version to $target_node_version" "update_node" "Update Node version" "update_node"
"Update CSP webview hash" "update_csp" "Regenerate CSP hashes" "update_csp"
"Add changelog note" "add_changelog" "Add changelog note" "add_changelog"
) )

View File

@@ -15,9 +15,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes # This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version. # to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/) # Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 3.41.0 version: 3.44.0
# This is the version number of the application being deployed. This version number should be # This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to # incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using. # follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 4.126.0 appVersion: 4.129.0

View File

@@ -6,7 +6,7 @@ replicaCount: 1
image: image:
repository: codercom/code-server repository: codercom/code-server
tag: '4.126.0' tag: '4.129.0'
pullPolicy: Always pullPolicy: Always
# Specifies one or more secrets to be used when pulling images from a # Specifies one or more secrets to be used when pulling images from a

View File

@@ -85,18 +85,20 @@ run-steps() {
while (( $# )) ; do while (( $# )) ; do
local name=$1 ; shift local name=$1 ; shift
local fn=$1 ; shift local fn=$1 ; shift
echo "$name..."
# Only run if an earlier step has not failed. # Only run if an earlier step has not failed.
# For all failed steps, write out an empty checkbox.
if [[ $failed == 0 ]] ; then if [[ $failed == 0 ]] ; then
echo "$name..."
if $fn | indent ; then if $fn | indent ; then
echo "- [X] $name" >> .cache/checklist echo "- [X] $name" >> .cache/checklist
else else
((failed++)) ((failed++))
echo "- [-] $name" >> .cache/checklist
echo "Failed" | indent
fi fi
fi else
# For all failed steps, write out an empty checkbox.
if [[ $failed != 0 ]] ; then
echo "- [ ] $name" >> .cache/checklist echo "- [ ] $name" >> .cache/checklist
echo "Skipped" | indent
fi fi
done done
if [[ $failed != 0 ]] ; then if [[ $failed != 0 ]] ; then

8
package-lock.json generated
View File

@@ -38,7 +38,6 @@
"@eslint/compat": "^1.2.0", "@eslint/compat": "^1.2.0",
"@eslint/eslintrc": "^3.1.0", "@eslint/eslintrc": "^3.1.0",
"@eslint/js": "^9.12.0", "@eslint/js": "^9.12.0",
"@schemastore/package": "^0.0.10",
"@types/compression": "^1.7.3", "@types/compression": "^1.7.3",
"@types/cookie-parser": "^1.4.4", "@types/cookie-parser": "^1.4.4",
"@types/eslint__js": "^8.42.3", "@types/eslint__js": "^8.42.3",
@@ -438,13 +437,6 @@
"dev": true, "dev": true,
"license": "MIT" "license": "MIT"
}, },
"node_modules/@schemastore/package": {
"version": "0.0.10",
"resolved": "https://registry.npmjs.org/@schemastore/package/-/package-0.0.10.tgz",
"integrity": "sha512-D3LxMCnkgsb4LO5sDKf6E+yahM2SqpEHmkqMPDSJis5Cy/j2MgWo/g/iq0lECK0mrPWfx3hqKm2ZJlqxwbRJQA==",
"dev": true,
"license": "MIT"
},
"node_modules/@textlint/ast-node-types": { "node_modules/@textlint/ast-node-types": {
"version": "15.7.1", "version": "15.7.1",
"resolved": "https://registry.npmjs.org/@textlint/ast-node-types/-/ast-node-types-15.7.1.tgz", "resolved": "https://registry.npmjs.org/@textlint/ast-node-types/-/ast-node-types-15.7.1.tgz",

View File

@@ -39,7 +39,6 @@
"@eslint/compat": "^1.2.0", "@eslint/compat": "^1.2.0",
"@eslint/eslintrc": "^3.1.0", "@eslint/eslintrc": "^3.1.0",
"@eslint/js": "^9.12.0", "@eslint/js": "^9.12.0",
"@schemastore/package": "^0.0.10",
"@types/compression": "^1.7.3", "@types/compression": "^1.7.3",
"@types/cookie-parser": "^1.4.4", "@types/cookie-parser": "^1.4.4",
"@types/eslint__js": "^8.42.3", "@types/eslint__js": "^8.42.3",

26
patches/csp-hashes.diff Normal file
View File

@@ -0,0 +1,26 @@
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
@@ -5,7 +5,7 @@
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
- content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+ content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
<!-- Disable pinch zooming -->
<meta name="viewport"
Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
@@ -4,7 +4,7 @@
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
child-src 'self' data: blob:;
- script-src 'self' 'unsafe-eval' 'sha256-daEgfo2VIXpx2Np71KqCCbkeQwv+68vPrx54XRcbdcs=' https: http://localhost:* blob:;
+ script-src 'self' 'unsafe-eval' 'sha256-gfjiOVjAlxqrivZAfTq2d83mOaz0fnAxbGaFpj5IjD8=' https: http://localhost:* blob:;
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
</head>
<body>

View File

@@ -10,18 +10,17 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extens
=================================================================== ===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts --- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts +++ code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts
@@ -321,10 +321,7 @@ function extensionDescriptionArrayToMap( @@ -324,6 +324,10 @@ function extensionDescriptionArrayToMap(
} }
export function isProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): boolean { export function isProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): boolean {
- if (!extension.enabledApiProposals) { + return true;
- return false; +}
- } +
- return true;// extension.enabledApiProposals.includes(proposal); +export function _isProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): boolean {
+ return true if (!extension.enabledApiProposals) {
} return false;
}
export function checkProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): void {
Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts
=================================================================== ===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts --- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts

View File

@@ -24,3 +24,4 @@ trusted-domains.diff
signature-verification.diff signature-verification.diff
copilot.diff copilot.diff
app-name.diff app-name.diff
csp-hashes.diff

View File

@@ -3,9 +3,6 @@ Serve webviews from the same origin
Normally webviews are served from vscode-webview.net but we would rather them be Normally webviews are served from vscode-webview.net but we would rather them be
self-hosted. self-hosted.
When doing this CSP will block resources (for example when viewing images) so
add 'self' to the CSP to fix that.
Additionally the service worker defaults to handling *all* requests made to the Additionally the service worker defaults to handling *all* requests made to the
current host but when self-hosting the webview this will end up including the current host but when self-hosting the webview this will end up including the
webview HTML itself which means these requests will fail since the communication webview HTML itself which means these requests will fail since the communication
@@ -20,16 +17,6 @@ webview host is separate by default but we serve on the same host).
To test, open a few types of webviews (images, markdown, extension details, etc). To test, open a few types of webviews (images, markdown, extension details, etc).
Make sure to update the hash. To do so:
1. run code-server
2. open any webview (i.e. preview Markdown)
3. see error in console and copy hash
That will test the hash change in pre/index.html
Double-check the console to make sure there are no console errors for the webWorkerExtensionHostIframe
which also requires a hash change.
parentOriginHash changes parentOriginHash changes
This fixes webviews from not working properly due to a change upstream. This fixes webviews from not working properly due to a change upstream.
@@ -66,15 +53,6 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
=================================================================== ===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html --- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html +++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
@@ -5,7 +5,7 @@
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
- content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+ content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
<!-- Disable pinch zooming -->
<meta name="viewport"
@@ -253,7 +253,7 @@ @@ -253,7 +253,7 @@
} }
@@ -101,17 +79,8 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWor
=================================================================== ===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html --- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html +++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
@@ -4,7 +4,7 @@ @@ -34,6 +34,13 @@
<meta http-equiv="Content-Security-Policy" content=" }
default-src 'none';
child-src 'self' data: blob:;
- script-src 'self' 'unsafe-eval' 'sha256-cl8ijlOzEe+0GRCQNJQu2k6nUQ0fAYNYIuuKEm72JDs=' https: http://localhost:* blob:;
+ script-src 'self' 'unsafe-eval' 'sha256-yhZXuB8LS6t73dvNg6rtLX8y4PHLnqRm5+6DdOGkOcw=' https: http://localhost:* blob:;
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
</head>
<body>
@@ -25,6 +25,13 @@
// validation not requested
return start(); return start();
} }
+ +

View File

@@ -1,9 +1,13 @@
import { logger } from "@coder/logger" import { logger } from "@coder/logger"
import type { JSONSchemaForNPMPackageJsonFiles } from "@schemastore/package"
import * as os from "os" import * as os from "os"
import * as path from "path" import * as path from "path"
export function getPackageJson(relativePath: string): JSONSchemaForNPMPackageJsonFiles { type PackageJson = {
version: string
commit: string
}
export function getPackageJson(relativePath: string): PackageJson {
let pkg = {} let pkg = {}
try { try {
pkg = require(relativePath) pkg = require(relativePath)
@@ -11,7 +15,7 @@ export function getPackageJson(relativePath: string): JSONSchemaForNPMPackageJso
logger.warn(error.message) logger.warn(error.message)
} }
return pkg return pkg as PackageJson
} }
export const rootPath = path.resolve(__dirname, "../..") export const rootPath = path.resolve(__dirname, "../..")