@@ -178,7 +178,7 @@ jobs:
178178 echo "LINT_CACHE_DIR=$dir" >> $GITHUB_ENV
179179
180180name : golangci-lint cache
181- uses : actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
181+ uses : actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
182182 with :
183183 path : |
184184 ${{ env.LINT_CACHE_DIR }}
@@ -188,7 +188,7 @@ jobs:
188188
189189# Check for any typos
190190 - name : Check for typos
191- uses : crate-ci/typos@212923e4ff05b7fc2294a204405eec047b807138 # v1.29.9
191+ uses : crate-ci/typos@db35ee91e80fbb447f33b0e5fbddb24d2a1a884f # v1.29.10
192192 with :
193193 config : .github/workflows/typos.toml
194194
@@ -1021,7 +1021,10 @@ jobs:
10211021 if : github.ref == 'refs/heads/main' && needs.changes.outputs.docs-only == 'false' && !github.event.pull_request.head.repo.fork
10221022 runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-22.04' }}
10231023 permissions :
1024- packages : write # Needed to push images to ghcr.io
1024+ # Necessary to push docker images to ghcr.io.
1025+ packages : write
1026+ # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
1027+ id-token : write
10251028 env :
10261029 DOCKER_CLI_EXPERIMENTAL : " enabled"
10271030 outputs :
@@ -1050,14 +1053,46 @@ jobs:
10501053 - name : Setup Go
10511054 uses : ./.github/actions/setup-go
10521055
1056+ # Necessary for signing Windows binaries.
1057+ - name : Setup Java
1058+ uses : actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
1059+ with :
1060+ distribution : " zulu"
1061+ java-version : " 11.0"
1062+
1063+ - name : Install go-winres
1064+ run : go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
1065+
10531066 - name : Install nfpm
10541067 run : go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1
10551068
10561069 - name : Install zstd
10571070 run : sudo apt-get install -y zstd
10581071
1072+ - name : Setup Windows EV Signing Certificate
1073+ run : |
1074+ set -euo pipefail
1075+ touch /tmp/ev_cert.pem
1076+ chmod 600 /tmp/ev_cert.pem
1077+ echo "$EV_SIGNING_CERT" > /tmp/ev_cert.pem
1078+ wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign-6.0.jar
1079+ env :
1080+ EV_SIGNING_CERT : ${{ secrets.EV_SIGNING_CERT }}
1081+
1082+ # Setup GCloud for signing Windows binaries.
1083+ - name : Authenticate to Google Cloud
1084+ id : gcloud_auth
1085+ uses : google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
1086+ with :
1087+ workload_identity_provider : ${{ secrets.GCP_CODE_SIGNING_WORKLOAD_ID_PROVIDER }}
1088+ service_account : ${{ secrets.GCP_CODE_SIGNING_SERVICE_ACCOUNT }}
1089+ token_format : " access_token"
1090+
1091+ - name : Setup GCloud SDK
1092+ uses : google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
1093+
10591094 - name : Download dylibs
1060- uses : actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
1095+ uses : actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
10611096 with :
10621097 name : dylibs
10631098 path : ./build
@@ -1082,6 +1117,18 @@ jobs:
10821117 build/coder_linux_{amd64,arm64,armv7} \
10831118 build/coder_"$version"_windows_amd64.zip \
10841119 build/coder_"$version"_linux_amd64.{tar.gz,deb}
1120+ env :
1121+ # The Windows slim binary must be signed for Coder Desktop to accept
1122+ # it. The darwin executables don't need to be signed, but the dylibs
1123+ # do (see above).
1124+ CODER_SIGN_WINDOWS : " 1"
1125+ CODER_WINDOWS_RESOURCES : " 1"
1126+ EV_KEY : ${{ secrets.EV_KEY }}
1127+ EV_KEYSTORE : ${{ secrets.EV_KEYSTORE }}
1128+ EV_TSA_URL : ${{ secrets.EV_TSA_URL }}
1129+ EV_CERTIFICATE_PATH : /tmp/ev_cert.pem
1130+ GCLOUD_ACCESS_TOKEN : ${{ steps.gcloud_auth.outputs.access_token }}
1131+ JSIGN_PATH : /tmp/jsign-6.0.jar
10851132
10861133 - name : Build Linux Docker images
10871134 id : build-docker
@@ -1183,13 +1230,13 @@ jobs:
11831230 uses : google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
11841231
11851232 - name : Set up Flux CLI
1186- uses : fluxcd/flux2/action@af67405ee43a6cd66e0b73f4b3802e8583f9d961 # v2.5.0
1233+ uses : fluxcd/flux2/action@8d5f40dca5aa5d3c0fc3414457dda15a0ac92fa4 # v2.5.1
11871234 with :
11881235 # Keep this and the github action up to date with the version of flux installed in dogfood cluster
1189- version : " 2.2 .1"
1236+ version : " 2.5 .1"
11901237
11911238 - name : Get Cluster Credentials
1192- uses : google-github-actions/get-gke-credentials@7a108e64ed8546fe38316b4086e91da13f4785e1 # v2.3.1
1239+ uses : google-github-actions/get-gke-credentials@d0cee45012069b163a631894b98904a9e6723729 # v2.3.3
11931240 with :
11941241 cluster_name : dogfood-v2
11951242 location : us-central1-a
@@ -1219,6 +1266,8 @@ jobs:
12191266 kubectl --namespace coder rollout status deployment/coder
12201267 kubectl --namespace coder rollout restart deployment/coder-provisioner
12211268 kubectl --namespace coder rollout status deployment/coder-provisioner
1269+ kubectl --namespace coder rollout restart deployment/coder-provisioner-tagged
1270+ kubectl --namespace coder rollout status deployment/coder-provisioner-tagged
12221271
12231272deploy-wsproxies :
12241273 runs-on : ubuntu-latest
0 commit comments