ci(code-server): disable git credentials persistence in checkout #75
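# Builds, verifies and publishes the vendored code-server and omniroute
# artifacts.
#
# Triggers: manual dispatch, a daily cron run, and pushes / pull requests
# against `main` that touch the listed paths. Only pushes to `main` and manual
# dispatches reach the publishing steps; every other run stops after
# verification.
#
# Token handling: the workflow default is `contents: read`; the jobs that talk
# to the release API raise it to `contents: write`. Every checkout sets
# `persist-credentials: false` so the token is not left in the local git
# config for later steps to read.
#
# NOTE(review): every `uses:` reference below is a mutable tag (@v6, @v2).
# Pinning each one to a full commit SHA, in the form
# `actions/checkout@<full-commit-sha>  # v6`, stops a retargeted tag from
# changing what runs next to the write-scoped token.
name: Build vendored artifacts

on:
  workflow_dispatch:
  schedule:
    - cron: "23 3 * * *"
  push:
    branches:
      - main
    paths:
      - ".github/workflows/code-server-artifacts.yaml"
      - ".gitmodules"
      - "README.md"
      - "scripts/**"
      - "packages/code-server/**"
      - "packages/omniroute/**"
  pull_request:
    branches:
      - main
    paths:
      - ".github/workflows/code-server-artifacts.yaml"
      - ".gitmodules"
      - "README.md"
      - "scripts/**"
      - "packages/code-server/**"
      - "packages/omniroute/**"

# Least-privilege default; jobs that publish override this explicitly.
permissions:
  contents: read

jobs:
  # Resolves the release version and tag once so every later job uses the
  # same values. Runs with the read-only default permissions.
  prepare_release:
    name: prepare-release
    runs-on: ubuntu-22.04
    outputs:
      version: ${{ steps.version.outputs.version }}
      tag: ${{ steps.version.outputs.tag }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 22
      # Everything the script prints to stdout is appended to the step output
      # file, so it must print only `key=value` lines.
      - name: Resolve shared release version
        id: version
        run: node ./scripts/versioning.mjs >> "$GITHUB_OUTPUT"

  # Creates (or updates) the release entry that the build jobs upload into.
  create_github_release:
    name: create-github-release
    needs: prepare_release
    runs-on: ubuntu-22.04
    permissions:
      contents: write
    # One release job per tag at a time; a running one is never cancelled.
    concurrency:
      group: ${{ format('vendered-github-release-{0}', needs.prepare_release.outputs.tag) }}
      cancel-in-progress: false
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 22
      - name: Create or update GitHub release metadata
        if: >-
          ${{
            (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
            github.event_name == 'workflow_dispatch'
          }}
        # The tag, name and commit are handed over as environment variables
        # and expanded by the shell inside quotes, so their content is treated
        # as data rather than being pasted into the script text by `${{ }}`.
        env:
          GITHUB_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ needs.prepare_release.outputs.tag }}
          RELEASE_NAME: ${{ needs.prepare_release.outputs.version }}
          TARGET_COMMITISH: ${{ github.sha }}
        run: >-
          node ./scripts/github-release.mjs
          --create-only
          --tag "$RELEASE_TAG"
          --name "$RELEASE_NAME"
          --target-commitish "$TARGET_COMMITISH"

  # Builds code-server on each platform, checks that the build starts, then
  # uploads it to the release.
  build_verify_publish_code_server:
    name: ${{ matrix.name }}
    needs:
      - prepare_release
      - create_github_release
    runs-on: ${{ matrix.runner }}
    # NOTE(review): this scope covers the build and verify steps as well as
    # the upload. Moving the upload into its own job would let the build run
    # with `contents: read`.
    permissions:
      contents: write
    concurrency:
      group: ${{ format('vendered-release-{0}-{1}', needs.prepare_release.outputs.tag, matrix.artifact_name) }}
      cancel-in-progress: false
    strategy:
      # A failure on one platform does not cancel the others.
      fail-fast: false
      matrix:
        include:
          - name: code-server Linux
            runner: ubuntu-22.04
            artifact_name: code-server-linux
            bash_path: bash
          - name: code-server macOS
            runner: macos-latest
            artifact_name: code-server-macos
            bash_path: bash
          - name: code-server Windows
            runner: windows-latest
            artifact_name: code-server-windows
            bash_path: bash
    env:
      CI: "true"
      # NOTE(review): set at job level, the write-scoped token is visible to
      # every step, including the global npm install and the build of the
      # checked-out submodules, which `persist-credentials: false` alone does
      # not prevent. The upload step already sets it for itself; presumably
      # the build wants it for GitHub API calls. Confirm, and drop it here if
      # it does not.
      GITHUB_TOKEN: ${{ github.token }}
      ELECTRON_SKIP_BINARY_DOWNLOAD: "1"
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
      npm_config_build_from_source: "true"
      BASH_PATH: ${{ matrix.bash_path }}
      NPM_CONFIG_SCRIPT_SHELL: ${{ matrix.bash_path }}
      VERSION: ${{ needs.prepare_release.outputs.version }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: packages/code-server/upstream/.node-version
          cache: npm
          cache-dependency-path: |
            packages/code-server/upstream/package-lock.json
            packages/code-server/upstream/test/package-lock.json
      - name: Setup Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.11"
      - name: Install Linux prerequisites
        if: runner.os == 'Linux'
        run: sudo apt-get update && sudo apt-get install -y jq rsync quilt libkrb5-dev
      - name: Install macOS prerequisites
        if: runner.os == 'macOS'
        run: brew install jq rsync quilt python-setuptools
      - name: Setup MSYS2
        if: runner.os == 'Windows'
        uses: msys2/setup-msys2@v2
        with:
          msystem: MSYS
          path-type: inherit
          # Keep the Windows helper toolchain that the upstream build/release
          # scripts expect, but avoid a full `-Syuu` because flaky mirror syncs
          # can fail the job before our build even starts.
          update: false
          install: >-
            diffutils jq patch quilt rsync unzip zip
      # Values written to GITHUB_ENV apply to the steps that follow this one.
      - name: Configure Windows shell paths
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          Add-Content -Path $env:GITHUB_ENV -Value 'NPM_CONFIG_SCRIPT_SHELL=/usr/bin/bash'
          Add-Content -Path $env:GITHUB_ENV -Value ("MSYS2_CMD={0}\\setup-msys2\\msys2.cmd" -f $env:RUNNER_TEMP)
      # NOTE(review): no version is given, so each run installs whatever pm2
      # release is current and runs it in a job that holds the release token.
      # Pin an exact version here.
      - name: Install PM2
        run: npm install --global pm2
      - name: Build artifacts
        run: node ./packages/code-server/scripts/build-artifacts.mjs
      - name: Verify built release can start
        env:
          ARTIFACTS_DOWNLOAD_DIR: artifacts/code-server
        run: node ./packages/code-server/scripts/verify-startup.mjs
      # NOTE(review): the `${{ }}` values below are expanded into the command
      # text before the shell parses it. Passing them through `env:` would
      # keep them as data, but the variable syntax differs between bash and
      # the pwsh default on the Windows runner, so that change needs an
      # explicit `shell:` on this step.
      - name: Upload verified build to GitHub release
        if: >-
          ${{
            (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
            github.event_name == 'workflow_dispatch'
          }}
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: >-
          node ./scripts/github-release.mjs
          --artifacts-dir artifacts/code-server
          --tag "${{ needs.prepare_release.outputs.tag }}"
          --name "${{ needs.prepare_release.outputs.version }}"
          --target-commitish "${{ github.sha }}"
          --preserve-release-metadata

  # Builds omniroute per platform/architecture, verifies the build, then
  # uploads it to the release.
  build_verify_publish_omniroute:
    name: ${{ matrix.name }}
    needs:
      - prepare_release
      - create_github_release
    runs-on: ${{ matrix.runner }}
    # NOTE(review): as in the code-server job, this scope also covers the
    # build and verify steps; only the upload step receives the token through
    # its own `env:`.
    permissions:
      contents: write
    concurrency:
      group: ${{ format('vendered-release-{0}-{1}', needs.prepare_release.outputs.tag, matrix.artifact_name) }}
      cancel-in-progress: false
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: omniroute Linux x64
            runner: ubuntu-22.04
            artifact_name: omniroute-linux-amd64
            platform: linux
            arch: amd64
          - name: omniroute macOS x64
            runner: macos-15-intel
            artifact_name: omniroute-macos-amd64
            platform: macos
            arch: amd64
          - name: omniroute macOS arm64
            runner: macos-14
            artifact_name: omniroute-macos-arm64
            platform: macos
            arch: arm64
          - name: omniroute Windows x64
            runner: windows-latest
            artifact_name: omniroute-windows-amd64
            platform: windows
            arch: amd64
    env:
      CI: "true"
      VERSION: ${{ needs.prepare_release.outputs.version }}
      BUILD_ARTIFACTS_PLATFORM: ${{ matrix.platform }}
      ARCH: ${{ matrix.arch }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: recursive
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: npm
          cache-dependency-path: packages/omniroute/upstream/package-lock.json
      # NOTE(review): unpinned global install; pin an exact pm2 version.
      - name: Install PM2
        run: npm install --global pm2
      - name: Build artifacts
        run: node ./packages/omniroute/scripts/build-artifacts.mjs
      - name: Verify built release
        env:
          ARTIFACTS_DOWNLOAD_DIR: artifacts/omniroute
        run: node ./packages/omniroute/scripts/verify-startup.mjs
      # NOTE(review): same expression-into-script interpolation as the
      # code-server upload step; moving the values to `env:` needs an explicit
      # `shell:` because the Windows runner defaults to pwsh.
      - name: Upload verified build to GitHub release
        if: >-
          ${{
            (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
            github.event_name == 'workflow_dispatch'
          }}
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: >-
          node ./scripts/github-release.mjs
          --artifacts-dir artifacts/omniroute
          --tag "${{ needs.prepare_release.outputs.tag }}"
          --name "${{ needs.prepare_release.outputs.version }}"
          --target-commitish "${{ github.sha }}"
          --preserve-release-metadata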