chore: support building Coder Desktop .dylib

ethanndickson · ethanndickson · commit de5c638269f8 · 2024-11-14T11:46:27.000Z
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -806,18 +806,60 @@ jobs:
 
           echo "Required checks have passed"
 
+  # Builds the dylibs and upload it as an artifact so it can be embedded in the main build
+  build-dylib:
+    needs: changes
+    if: github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: ./.github/actions/setup-node
+
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+
+      - name: Build dylibs
+        run: |
+          set -euxo pipefail
+          go mod download
+
+          make gen/mark-fresh
+          make build/coder-dylib
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: dylibs
+          path: |
+            ./build/*.h
+            ./build/*.dylib
+          retention-days: 7
+
   build:
     # This builds and publishes ghcr.io/coder/coder-preview:main for each commit
     # to main branch.
-    needs: changes
-    if: github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
+    needs:
+      - changes
+      - build-dylib
+    # TODO: Uncomment
+    # if: github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
-    permissions:
-      packages: write # Needed to push images to ghcr.io
-    env:
-      DOCKER_CLI_EXPERIMENTAL: "enabled"
-    outputs:
-      IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
+    # permissions:
+    #   packages: write # Needed to push images to ghcr.io
+    # env:
+    #   DOCKER_CLI_EXPERIMENTAL: "enabled"
+    # outputs:
+    #   IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -848,6 +890,16 @@ jobs:
       - name: Install zstd
         run: sudo apt-get install -y zstd
 
+      - name: Download dylibs
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: dylibs
+          path: ./build
+      - run: |
+          mv ./build/*amd64.dylib ./site/out/bin/coder-amd64.dylib
+          mv ./build/*arm64.dylib ./site/out/bin/coder-arm64.dylib
+          mv ./build/*.h          ./site/out/bin/coder-dylib.h
+
       - name: Build
         run: |
           set -euxo pipefail
@@ -863,60 +915,61 @@ jobs:
             build/coder_"$version"_windows_amd64.zip \
             build/coder_"$version"_linux_amd64.{tar.gz,deb}
 
-      - name: Build Linux Docker images
-        id: build-docker
-        env:
-          CODER_IMAGE_BASE: ghcr.io/coder/coder-preview
-          CODER_IMAGE_TAG_PREFIX: main
-          DOCKER_CLI_EXPERIMENTAL: "enabled"
-        run: |
-          set -euxo pipefail
-
-          # build Docker images for each architecture
-          version="$(./scripts/version.sh)"
-          tag="main-$(echo "$version" | sed 's/+/-/g')"
-          echo "tag=$tag" >> $GITHUB_OUTPUT
-
-          # build images for each architecture
-          # note: omitting the -j argument to avoid race conditions when pushing
-          make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
-
-          # only push if we are on main branch
-          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            # build and push multi-arch manifest, this depends on the other images
-            # being pushed so will automatically push them
-            # note: omitting the -j argument to avoid race conditions when pushing
-            make push/build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
-
-            # Define specific tags
-            tags=("$tag" "main" "latest")
-
-            # Create and push a multi-arch manifest for each tag
-            # we are adding `latest` tag and keeping `main` for backward
-            # compatibality
-            for t in "${tags[@]}"; do
-                ./scripts/build_docker_multiarch.sh \
-                    --push \
-                    --target "ghcr.io/coder/coder-preview:$t" \
-                    --version $version \
-                    $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
-            done
-          fi
-
-      - name: Prune old images
-        if: github.ref == 'refs/heads/main'
-        uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 # v0.6.0
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          organization: coder
-          container: coder-preview
-          keep-younger-than: 7 # days
-          keep-tags: latest
-          keep-tags-regexes: ^pr
-          prune-tags-regexes: |
-            ^main-
-            ^v
-          prune-untagged: true
+      # TODO: Uncomment
+      # - name: Build Linux Docker images
+      #   id: build-docker
+      #   env:
+      #     CODER_IMAGE_BASE: ghcr.io/coder/coder-preview
+      #     CODER_IMAGE_TAG_PREFIX: main
+      #     DOCKER_CLI_EXPERIMENTAL: "enabled"
+      #   run: |
+      #     set -euxo pipefail
+
+      #     # build Docker images for each architecture
+      #     version="$(./scripts/version.sh)"
+      #     tag="main-$(echo "$version" | sed 's/+/-/g')"
+      #     echo "tag=$tag" >> $GITHUB_OUTPUT
+
+      #     # build images for each architecture
+      #     # note: omitting the -j argument to avoid race conditions when pushing
+      #     make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
+
+      #     # only push if we are on main branch
+      #     if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+      #       # build and push multi-arch manifest, this depends on the other images
+      #       # being pushed so will automatically push them
+      #       # note: omitting the -j argument to avoid race conditions when pushing
+      #       make push/build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
+
+      #       # Define specific tags
+      #       tags=("$tag" "main" "latest")
+
+      #       # Create and push a multi-arch manifest for each tag
+      #       # we are adding `latest` tag and keeping `main` for backward
+      #       # compatibality
+      #       for t in "${tags[@]}"; do
+      #           ./scripts/build_docker_multiarch.sh \
+      #               --push \
+      #               --target "ghcr.io/coder/coder-preview:$t" \
+      #               --version $version \
+      #               $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
+      #       done
+      #     fi
+
+      # - name: Prune old images
+      #   if: github.ref == 'refs/heads/main'
+      #   uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 # v0.6.0
+      #   with:
+      #     token: ${{ secrets.GITHUB_TOKEN }}
+      #     organization: coder
+      #     container: coder-preview
+      #     keep-younger-than: 7 # days
+      #     keep-tags: latest
+      #     keep-tags-regexes: ^pr
+      #     prune-tags-regexes: |
+      #       ^main-
+      #       ^v
+      #     prune-untagged: true
 
       - name: Upload build artifacts
         if: github.ref == 'refs/heads/main'
diff --git a/Makefile b/Makefile
@@ -79,8 +79,12 @@ PACKAGE_OS_ARCHES := linux_amd64 linux_armv7 linux_arm64
 # All architectures we build Docker images for (Linux only).
 DOCKER_ARCHES := amd64 arm64 armv7
 
+# All ${OS}_${ARCH} combos we build the desktop dylib for.
+DYLIB_ARCHES := darwin_amd64.dylib darwin_arm64.dylib
+
 # Computed variables based on the above.
 CODER_SLIM_BINARIES      := $(addprefix build/coder-slim_$(VERSION)_,$(OS_ARCHES))
+CODER_DYLIBS			 := $(addprefix build/coder-desktop_$(VERSION)_,$(DYLIB_ARCHES))
 CODER_FAT_BINARIES       := $(addprefix build/coder_$(VERSION)_,$(OS_ARCHES))
 CODER_ALL_BINARIES       := $(CODER_SLIM_BINARIES) $(CODER_FAT_BINARIES)
 CODER_TAR_GZ_ARCHIVES    := $(foreach os_arch, $(ARCHIVE_TAR_GZ), build/coder_$(VERSION)_$(os_arch).tar.gz)
@@ -128,12 +132,12 @@ release: $(CODER_FAT_BINARIES) $(CODER_ALL_ARCHIVES) $(CODER_ALL_PACKAGES) $(COD
 build/coder-slim_$(VERSION)_checksums.sha1: site/out/bin/coder.sha1
 	cp "$<" "$@"
 
-site/out/bin/coder.sha1: $(CODER_SLIM_BINARIES)
+site/out/bin/coder.sha1: $(CODER_SLIM_BINARIES) $(CODER_DYLIBS)
 	pushd ./site/out/bin
 		openssl dgst -r -sha1 coder-* | tee coder.sha1
 	popd
 
-build/coder-slim_$(VERSION).tar: build/coder-slim_$(VERSION)_checksums.sha1 $(CODER_SLIM_BINARIES)
+build/coder-slim_$(VERSION).tar: build/coder-slim_$(VERSION)_checksums.sha1 $(CODER_SLIM_BINARIES) $(CODER_DYLIBS)
 	pushd ./site/out/bin
 		tar cf "../../../build/$(@F)" coder-*
 	popd
@@ -238,6 +242,25 @@ $(CODER_ALL_BINARIES): go.mod go.sum \
 		cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"
 	fi
 
+# This task builds Coder Desktop dylibs
+$(CODER_DYLIBS): go.mod go.sum $(GO_SRC_FILES)
+	@if [ "$(shell uname)" = "Darwin" ]; then
+		$(get-mode-os-arch-ext)
+		./scripts/build_go.sh \
+			--os "$$os" \
+			--arch "$$arch" \
+			--version "$(VERSION)" \
+			--output "$@" \
+			--dylib
+
+		cp "$@" "./site/out/bin/coder-desktop-$$os-$$arch.dylib"
+	else
+		echo "Skipping dylib build on non-Darwin OS"
+	fi
+
+# This task builds both dylibs
+build/coder-dylib: $(CODER_DYLIBS)
+
 # This task builds all archives. It parses the target name to get the metadata
 # for the build, so it must be specified in this format:
 #     build/coder_${version}_${os}_${arch}.${format}
diff --git a/scripts/build_go.sh b/scripts/build_go.sh
@@ -2,7 +2,7 @@
 
 # This script builds a single Go binary of Coder with the given parameters.
 #
-# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl] [--boringcrypto]
+# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl] [--boringcrypto] [--dylib]
 #
 # Defaults to linux:amd64 with slim disabled, but can be controlled with GOOS,
 # GOARCH and CODER_SLIM_BUILD=1. If no version is specified, defaults to the
@@ -25,6 +25,9 @@
 #
 # If the --boringcrypto parameter is specified, builds use boringcrypto instead of
 # the standard go crypto libraries.
+#
+# If the --dylib parameter is specified, the Coder Desktop `.dylib` is built
+# instead of the standard binary. This is only supported on macOS arm64 & amd64.
 
 set -euo pipefail
 # shellcheck source=scripts/lib.sh
@@ -40,8 +43,9 @@ output_path=""
 agpl="${CODER_BUILD_AGPL:-0}"
 boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}
 debug=0
+dylib=0
 
-args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin,boringcrypto,debug -- "$@")"
+args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin,boringcrypto,dylib,debug -- "$@")"
 eval set -- "$args"
 while true; do
 	case "$1" in
@@ -78,6 +82,10 @@ while true; do
 		boringcrypto=1
 		shift
 		;;
+	--dylib)
+		dylib=1
+		shift
+		;;
 	--debug)
 		debug=1
 		shift
@@ -168,13 +176,25 @@ if [[ "$agpl" == 1 ]]; then
 fi
 
 cgo=0
+sdk=""
+if [[ "$dylib" == 1 ]]; then
+	if [[ "$os" != "darwin" ]]; then
+		error "dylib builds are not supported on $os"
+	fi
+	cgo=1
+	cmd_path="./vpn/dylib/lib.go"
+	build_args+=("-buildmode=c-shared")
+	sdk="$(xcrun --sdk macosx --show-sdk-path)"
+fi
+
 goexp=""
 if [[ "$boringcrypto" == 1 ]]; then
 	cgo=1
 	goexp="boringcrypto"
 fi
 
-GOEXPERIMENT="$goexp" CGO_ENABLED="$cgo" GOOS="$os" GOARCH="$arch" GOARM="$arm_version" go build \
+GOEXPERIMENT="$goexp" CGO_ENABLED="$cgo" GOOS="$os" GOARCH="$arch" GOARM="$arm_version" SDKROOT="$sdk" \
+ 	go build \
 	"${build_args[@]}" \
 	"$cmd_path" 1>&2
 
diff --git a/vpn/dylib/lib.go b/vpn/dylib/lib.go
