@@ -178,7 +178,7 @@ jobs:
178178 echo "LINT_CACHE_DIR=$dir" >> $GITHUB_ENV
179179
180180name : golangci-lint cache
181- uses : actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
181+ uses : actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
182182 with :
183183 path : |
184184 ${{ env.LINT_CACHE_DIR }}
@@ -188,7 +188,7 @@ jobs:
188188
189189# Check for any typos
190190 - name : Check for typos
191- uses : crate-ci/typos@51f257b946f503b768e522781f56e9b7b5570d48 # v1.29.7
191+ uses : crate-ci/typos@db35ee91e80fbb447f33b0e5fbddb24d2a1a884f # v1.29.10
192192 with :
193193 config : .github/workflows/typos.toml
194194
@@ -201,7 +201,7 @@ jobs:
201201
202202# Needed for helm chart linting
203203 - name : Install helm
204- uses : azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2 .0
204+ uses : azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3 .0
205205 with :
206206 version : v3.9.2
207207
@@ -733,15 +733,15 @@ jobs:
733733
734734 - name : Upload Playwright Failed Tests
735735 if : always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
736- uses : actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
736+ uses : actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
737737 with :
738738 name : failed-test-videos${{ matrix.variant.premium && '-premium' || '' }}
739739 path : ./site/test-results/**/*.webm
740740 retention-days : 7
741741
742742 - name : Upload pprof dumps
743743 if : always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
744- uses : actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
744+ uses : actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
745745 with :
746746 name : debug-pprof-dumps${{ matrix.variant.premium && '-premium' || '' }}
747747 path : ./site/test-results/**/debug-pprof-*.txt
@@ -1000,7 +1000,7 @@ jobs:
10001000
10011001 - name : Upload build artifacts
10021002 if : ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
1003- uses : actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
1003+ uses : actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
10041004 with :
10051005 name : dylibs
10061006 path : |
@@ -1021,7 +1021,10 @@ jobs:
10211021 if : github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
10221022 runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-22.04' }}
10231023 permissions :
1024- packages : write # Needed to push images to ghcr.io
1024+ # Necessary to push docker images to ghcr.io.
1025+ packages : write
1026+ # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
1027+ id-token : write
10251028 env :
10261029 DOCKER_CLI_EXPERIMENTAL : " enabled"
10271030 outputs :
@@ -1050,14 +1053,46 @@ jobs:
10501053 - name : Setup Go
10511054 uses : ./.github/actions/setup-go
10521055
1056+ # Necessary for signing Windows binaries.
1057+ - name : Setup Java
1058+ uses : actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
1059+ with :
1060+ distribution : " zulu"
1061+ java-version : " 11.0"
1062+
1063+ - name : Install go-winres
1064+ run : go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
1065+
10531066 - name : Install nfpm
10541067 run : go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1
10551068
10561069 - name : Install zstd
10571070 run : sudo apt-get install -y zstd
10581071
1072+ - name : Setup Windows EV Signing Certificate
1073+ run : |
1074+ set -euo pipefail
1075+ touch /tmp/ev_cert.pem
1076+ chmod 600 /tmp/ev_cert.pem
1077+ echo "$EV_SIGNING_CERT" > /tmp/ev_cert.pem
1078+ wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign-6.0.jar
1079+ env :
1080+ EV_SIGNING_CERT : ${{ secrets.EV_SIGNING_CERT }}
1081+
1082+ # Setup GCloud for signing Windows binaries.
1083+ - name : Authenticate to Google Cloud
1084+ id : gcloud_auth
1085+ uses : google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
1086+ with :
1087+ workload_identity_provider : ${{ secrets.GCP_CODE_SIGNING_WORKLOAD_ID_PROVIDER }}
1088+ service_account : ${{ secrets.GCP_CODE_SIGNING_SERVICE_ACCOUNT }}
1089+ token_format : " access_token"
1090+
1091+ - name : Setup GCloud SDK
1092+ uses : google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
1093+
10591094 - name : Download dylibs
1060- uses : actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
1095+ uses : actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
10611096 with :
10621097 name : dylibs
10631098 path : ./build
@@ -1082,6 +1117,18 @@ jobs:
10821117 build/coder_linux_{amd64,arm64,armv7} \
10831118 build/coder_"$version"_windows_amd64.zip \
10841119 build/coder_"$version"_linux_amd64.{tar.gz,deb}
1120+ env :
1121+ # The Windows slim binary must be signed for Coder Desktop to accept
1122+ # it. The darwin executables don't need to be signed, but the dylibs
1123+ # do (see above).
1124+ CODER_SIGN_WINDOWS : " 1"
1125+ CODER_WINDOWS_RESOURCES : " 1"
1126+ EV_KEY : ${{ secrets.EV_KEY }}
1127+ EV_KEYSTORE : ${{ secrets.EV_KEYSTORE }}
1128+ EV_TSA_URL : ${{ secrets.EV_TSA_URL }}
1129+ EV_CERTIFICATE_PATH : /tmp/ev_cert.pem
1130+ GCLOUD_ACCESS_TOKEN : ${{ steps.gcloud_auth.outputs.access_token }}
1131+ JSIGN_PATH : /tmp/jsign-6.0.jar
10851132
10861133 - name : Build Linux Docker images
10871134 id : build-docker
@@ -1140,7 +1187,7 @@ jobs:
11401187
11411188 - name : Upload build artifacts
11421189 if : github.ref == 'refs/heads/main'
1143- uses : actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
1190+ uses : actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
11441191 with :
11451192 name : coder
11461193 path : |
@@ -1183,13 +1230,13 @@ jobs:
11831230 uses : google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
11841231
11851232 - name : Set up Flux CLI
1186- uses : fluxcd/flux2/action@5350425cdcd5fa015337e09fa502153c0275bd4b # v2.4.0
1233+ uses : fluxcd/flux2/action@8d5f40dca5aa5d3c0fc3414457dda15a0ac92fa4 # v2.5.1
11871234 with :
11881235 # Keep this and the github action up to date with the version of flux installed in dogfood cluster
1189- version : " 2.2 .1"
1236+ version : " 2.5 .1"
11901237
11911238 - name : Get Cluster Credentials
1192- uses : google-github-actions/get-gke-credentials@7a108e64ed8546fe38316b4086e91da13f4785e1 # v2.3.1
1239+ uses : google-github-actions/get-gke-credentials@d0cee45012069b163a631894b98904a9e6723729 # v2.3.3
11931240 with :
11941241 cluster_name : dogfood-v2
11951242 location : us-central1-a
@@ -1219,6 +1266,8 @@ jobs:
12191266 kubectl --namespace coder rollout status deployment/coder
12201267 kubectl --namespace coder rollout restart deployment/coder-provisioner
12211268 kubectl --namespace coder rollout status deployment/coder-provisioner
1269+ kubectl --namespace coder rollout restart deployment/coder-provisioner-tagged
1270+ kubectl --namespace coder rollout status deployment/coder-provisioner-tagged
12221271
12231272deploy-wsproxies :
12241273 runs-on : ubuntu-latest
0 commit comments