feat: notarize commit id (#1728)

.github/workflows/insider-linux.yml

@@ -6,14 +6,9 @@ on:
       release_version:
         type: string
         description: Forced release version
-      new_release:
-        type: boolean
-        description: Force new Release
       test_asset_builder:
         type: boolean
         description: Test the assets builder
-  schedule:
-    - cron: '0 8 * * *'
   push:
     branches: [ insider ]
     paths-ignore:
@@ -151,7 +146,6 @@ jobs:
       - name: Check existing VSCodium tags/releases
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_RELEASE: ${{ github.event.inputs.new_release }}
         run: ./check_tags.sh
         if: env.SHOULD_DEPLOY == 'yes'
 

.github/workflows/insider-macos.yml

@@ -6,14 +6,9 @@ on:
       release_version:
         type: string
         description: Forced release version
-      new_release:
-        type: boolean
-        description: Force new Release
       test_asset_builder:
         type: boolean
         description: Test the assets builder
-  schedule:
-    - cron: '0 8 * * *'
   push:
     branches: [ insider ]
     paths-ignore:
@@ -74,7 +69,6 @@ jobs:
       - name: Check existing VSCodium tags/releases
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_RELEASE: ${{ github.event.inputs.new_release }}
         run: . check_tags.sh
         if: env.SHOULD_DEPLOY == 'yes'
 

.github/workflows/insider-spearhead.yml

@@ -2,6 +2,10 @@ name: insider-spearhead
 
 on:
   workflow_dispatch:
+    inputs:
+      new_release:
+        type: boolean
+        description: Force new Release
   schedule:
     - cron: '0 7 * * *'
 
@@ -33,6 +37,7 @@ jobs:
       - name: Check existing VSCodium tags/releases
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEW_RELEASE: ${{ github.event.inputs.new_release }}
         run: . check_tags.sh
 
       - name: Compute cache key
@@ -59,10 +64,39 @@ jobs:
         run: ./build.sh
         if: env.SHOULD_BUILD == 'yes'
 
-      - name: Update insider.json
-        run: ./update_insider.sh
+      - name: Update <quality>.json
+        run: ./update_qualityjson.sh
         env:
           GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }}
           GITHUB_USERNAME: ${{ github.repository_owner }}
         if: env.SHOULD_BUILD == 'yes'
 
+      - name: Prepare assets
+        run: ./prepare_src.sh
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }}
+          GITHUB_USERNAME: ${{ github.repository_owner }}
+        run: ./release.sh
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Dispatch Linux build
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          event-type: 'insider-linux'
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Dispatch Windows build
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          event-type: 'insider-windows'
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Dispatch macOS build
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          event-type: 'insider-macos'
+        if: env.SHOULD_BUILD == 'yes'
+

.github/workflows/insider-windows.yml

@@ -6,14 +6,9 @@ on:
       release_version:
         type: string
         description: Forced release version
-      new_release:
-        type: boolean
-        description: Force new Release
       test_asset_builder:
         type: boolean
         description: Test the assets builder
-  schedule:
-    - cron: '0 8 * * *'
   push:
     branches: [ insider ]
     paths-ignore:
@@ -81,7 +76,6 @@ jobs:
       - name: Check existing VSCodium tags/releases
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_RELEASE: ${{ github.event.inputs.new_release }}
         run: ./check_tags.sh
         if: env.SHOULD_DEPLOY == 'yes'
 

.github/workflows/stable-linux.yml

@@ -3,17 +3,12 @@ name: stable-linux
 on:
   workflow_dispatch:
     inputs:
-      new_release:
-        type: boolean
-        description: Force new Release
       force_version:
         type: boolean
         description: Force update version
       test_asset_builder:
         type: boolean
         description: Test the assets builder
-  schedule:
-    - cron: '0 18 * * *'
   push:
     branches: [ master ]
     paths-ignore:
@@ -146,7 +141,6 @@ jobs:
       - name: Check existing VSCodium tags/releases
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_RELEASE: ${{ github.event.inputs.new_release }}
         run: ./check_tags.sh
         if: env.SHOULD_DEPLOY == 'yes'
 

.github/workflows/stable-macos.yml

@@ -3,17 +3,12 @@ name: stable-macos
 on:
   workflow_dispatch:
     inputs:
-      new_release:
-        type: boolean
-        description: Force new Release
       force_version:
         type: boolean
         description: Force update version
       test_asset_builder:
         type: boolean
         description: Test the assets builder
-  schedule:
-    - cron: '0 18 * * *'
   push:
     branches: [ master ]
     paths-ignore:
@@ -69,7 +64,6 @@ jobs:
       - name: Check existing VSCodium tags/releases
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_RELEASE: ${{ github.event.inputs.new_release }}
         run: . check_tags.sh
         if: env.SHOULD_DEPLOY == 'yes'
 

.github/workflows/stable-spearhead.yml

@@ -0,0 +1,101 @@
+name: insider-spearhead
+
+on:
+  workflow_dispatch:
+    inputs:
+      new_release:
+        type: boolean
+        description: Force new Release
+  schedule:
+    - cron: '0 18 * * *'
+
+jobs:
+  build:
+    runs-on: [self-hosted, macOS, ARM64]
+    env:
+      APP_NAME: VSCodium
+      ASSETS_REPOSITORY: ${{ github.repository }}
+      VERSIONS_REPOSITORY: ${{ github.repository_owner }}/versions
+      OS_NAME: osx
+      VSCODE_ARCH: arm64
+      VSCODE_LATEST: yes
+      VSCODE_QUALITY: stable
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: insider
+
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Clone VSCode repo
+        run: . get_repo.sh
+
+      - name: Check existing VSCodium tags/releases
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEW_RELEASE: ${{ github.event.inputs.new_release }}
+        run: . check_tags.sh
+
+      - name: Compute cache key
+        id: yarnCacheKey
+        run: echo "value=$(node build/azure-pipelines/computeYarnCacheKey.js)" >> $GITHUB_OUTPUT
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Get yarn cache directory path
+        id: yarnCacheDirPath
+        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Cache yarn directory
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.yarnCacheDirPath.outputs.dir }}
+          key: ${{ env.OS_NAME }}-${{ env.VSCODE_ARCH }}-yarnCacheDir-${{ steps.yarnCacheKey.outputs.value }}
+          restore-keys: ${{ env.OS_NAME }}-${{ env.VSCODE_ARCH }}-yarnCacheDir-
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Build
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./build.sh
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Update <quality>.json
+        run: ./update_qualityjson.sh
+        env:
+          GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }}
+          GITHUB_USERNAME: ${{ github.repository_owner }}
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Prepare assets
+        run: ./prepare_src.sh
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.STRONGER_GITHUB_TOKEN }}
+          GITHUB_USERNAME: ${{ github.repository_owner }}
+        run: ./release.sh
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Dispatch Linux build
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          event-type: 'stable-linux'
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Dispatch Windows build
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          event-type: 'stable-windows'
+        if: env.SHOULD_BUILD == 'yes'
+
+      - name: Dispatch macOS build
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          event-type: 'stable-macos'
+        if: env.SHOULD_BUILD == 'yes'

.github/workflows/stable-windows.yml

@@ -3,17 +3,12 @@ name: stable-windows
 on:
   workflow_dispatch:
     inputs:
-      new_release:
-        type: boolean
-        description: Force new Release
       force_version:
         type: boolean
         description: Force update version
       test_asset_builder:
         type: boolean
         description: Test the assets builder
-  schedule:
-    - cron: '0 18 * * *'
   push:
     branches: [ master ]
     paths-ignore:
@@ -77,7 +72,6 @@ jobs:
       - name: Check existing VSCodium tags/releases
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_RELEASE: ${{ github.event.inputs.new_release }}
         run: ./check_tags.sh
         if: env.SHOULD_DEPLOY == 'yes'
 

build/build.sh

@@ -102,9 +102,9 @@ if [[ "${SKIP_BUILD}" == "no" ]]; then
 
   . build.sh
 
-  if [[ "${VSCODE_QUALITY}" == "insider" && "${VSCODE_LATEST}" == "yes" ]]; then
-    jsonTmp=$( cat "insider.json" | jq --arg 'tag' "${MS_TAG/\-insider/}" --arg 'commit' "${MS_COMMIT}" '. | .tag=$tag | .commit=$commit' )
-    echo "${jsonTmp}" > "insider.json" && unset jsonTmp
+  if [[ "${VSCODE_LATEST}" == "yes" ]]; then
+    jsonTmp=$( cat "${VSCODE_QUALITY}.json" | jq --arg 'tag' "${MS_TAG/\-insider/}" --arg 'commit' "${MS_COMMIT}" '. | .tag=$tag | .commit=$commit' )
+    echo "${jsonTmp}" > "${VSCODE_QUALITY}.json" && unset jsonTmp
   fi
 fi
 

get_repo.sh

@@ -9,15 +9,11 @@ if [[ "${CI_BUILD}" != "no" ]]; then
 fi
 
 if [[ -z "${RELEASE_VERSION}" ]]; then
-  if [[ "${VSCODE_QUALITY}" == "insider" ]]; then
-    if [[ "${VSCODE_LATEST}" == "yes" ]] || [[ ! -f "insider.json" ]]; then
-      UPDATE_INFO=$( curl --silent --fail https://update.code.visualstudio.com/api/update/darwin/insider/0000000000000000000000000000000000000000 )
-    else
-      MS_COMMIT=$( jq -r '.commit' insider.json )
-      MS_TAG=$( jq -r '.tag' insider.json )
-    fi
+  if [[ "${VSCODE_LATEST}" == "yes" ]] || [[ ! -f "${VSCODE_QUALITY}.json" ]]; then
+    UPDATE_INFO=$( curl --silent --fail "https://update.code.visualstudio.com/api/update/darwin/${VSCODE_QUALITY}/0000000000000000000000000000000000000000" )
   else
-    UPDATE_INFO=$( curl --silent --fail https://update.code.visualstudio.com/api/update/darwin/stable/0000000000000000000000000000000000000000 )
+    MS_COMMIT=$( jq -r '.commit' "${VSCODE_QUALITY}.json" )
+    MS_TAG=$( jq -r '.tag' "${VSCODE_QUALITY}.json" )
   fi
 
   if [[ -z "${MS_COMMIT}" ]]; then
@@ -45,13 +41,6 @@ else
       echo "Error: Bad RELEASE_VERSION: ${RELEASE_VERSION}"
       exit 1
     fi
-
-    if [[ "${MS_TAG}" == "$( jq -r '.tag' insider.json )" ]]; then
-      MS_COMMIT=$( jq -r '.commit' insider.json )
-    else
-      echo "Error: No MS_COMMIT for ${RELEASE_VERSION}"
-      exit 1
-    fi
   else
     if [[ "${RELEASE_VERSION}" =~ ^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$ ]];
     then
@@ -61,6 +50,13 @@ else
       exit 1
     fi
   fi
+
+  if [[ "${MS_TAG}" == "$( jq -r '.tag' "${VSCODE_QUALITY}".json )" ]]; then
+    MS_COMMIT=$( jq -r '.commit' "${VSCODE_QUALITY}".json )
+  else
+    echo "Error: No MS_COMMIT for ${RELEASE_VERSION}"
+    exit 1
+  fi
 fi
 
 echo "RELEASE_VERSION=\"${RELEASE_VERSION}\""
@@ -73,11 +69,7 @@ git remote add origin https://github.com/Microsoft/vscode.git
 
 # figure out latest tag by calling MS update API
 if [[ -z "${MS_TAG}" ]]; then
-  if [[ "${VSCODE_QUALITY}" == "insider" ]]; then
-    UPDATE_INFO=$( curl --silent --fail https://update.code.visualstudio.com/api/update/darwin/insider/0000000000000000000000000000000000000000 )
-  else
-    UPDATE_INFO=$( curl --silent --fail https://update.code.visualstudio.com/api/update/darwin/stable/0000000000000000000000000000000000000000 )
-  fi
+  UPDATE_INFO=$( curl --silent --fail "https://update.code.visualstudio.com/api/update/darwin/${VSCODE_QUALITY}/0000000000000000000000000000000000000000" )
   MS_COMMIT=$( echo "${UPDATE_INFO}" | jq -r '.version' )
   MS_TAG=$( echo "${UPDATE_INFO}" | jq -r '.name' )
 elif [[ -z "${MS_COMMIT}" ]]; then

prepare_src.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1091
+
+set -e
+
+npm install -g checksum
+
+sum_file() {
+  if [[ -f "${1}" ]]; then
+    echo "Calculating checksum for ${1}"
+    checksum -a sha256 "${1}" > "${1}".sha256
+    checksum "${1}" > "${1}".sha1
+  fi
+}
+
+mkdir -p assets
+
+git archive --format tar.gz --output="./assets/${APP_NAME}-${RELEASE_VERSION}-src.tar.gz" HEAD
+git archive --format zip --output="./assets/${APP_NAME}-${RELEASE_VERSION}-src.zip" HEAD
+
+cd assets
+
+for FILE in *; do
+  if [[ -f "${FILE}" ]]; then
+    sum_file "${FILE}"
+  fi
+done
+
+cd ..

stable.json

@@ -0,0 +1,4 @@
+{
+  "tag": "1.84.2",
+  "commit": "1a5daa3a0231a0fbba4f14db7ec463cf99d7768e"
+}

update_insider.sh → update_qualityjson.sh

@@ -8,12 +8,12 @@ if [[ "${SHOULD_BUILD}" != "yes" ]]; then
 fi
 
 if [[ -z "${GITHUB_TOKEN}" ]]; then
-  echo "Will not update insider.json because no GITHUB_TOKEN defined"
+  echo "Will not update ${VSCODE_QUALITY}.json because no GITHUB_TOKEN defined"
   exit 0
 fi
 
-jsonTmp=$( cat "insider.json" | jq --arg 'tag' "${MS_TAG/\-insider/}" --arg 'commit' "${MS_COMMIT}" '. | .tag=$tag | .commit=$commit' )
-echo "${jsonTmp}" > "insider.json" && unset jsonTmp
+jsonTmp=$( cat "${VSCODE_QUALITY}.json" | jq --arg 'tag' "${MS_TAG/\-insider/}" --arg 'commit' "${MS_COMMIT}" '. | .tag=$tag | .commit=$commit' )
+echo "${jsonTmp}" > "${VSCODE_QUALITY}.json" && unset jsonTmp
 
 git config user.email "$( echo "${GITHUB_USERNAME}" | awk '{print tolower($0)}' )-ci@not-real.com"
 git config user.name "${GITHUB_USERNAME} CI"