From 6275520348fbd8bb8d98d4c96d0f16c715d005ca Mon Sep 17 00:00:00 2001 From: Asher Date: Wed, 27 Sep 2023 19:17:47 -0800 Subject: [PATCH] Fix incorrect argon2 target in arm builds (#6453) * Fix building from source on arm Not building from source causes argon2 to pull the wrong arch, so we have to build from source. But building from source is causing the new Kerberos module to fail on arm64 and keytar to fail on both. The latter has been very difficult to debug because the GitHub image provides a different result to containers based on Ubuntu 20.04. Because of this, use a container instead. Use debian:buster as the container because it is easier to set up the architecture sources (no need to modify the sources) and because it seems to come with glibc 2.28 rather than 2.31. Also use the exact version of Node (18.15.0) for reproducibility. * Set owner and group during tar to zero Otherwise you get IDs that can cause (benign) errors while extracting, which might be confusing. At the very least, I did not see these errors from previous tars (although they seem to use 1001). There is no guarantee what IDs might exist so 0 seems the most reasonable. --- .github/workflows/release.yaml | 59 +++++++++++++++------------- ci/build/build-packages.sh | 2 +- ci/build/build-standalone-release.sh | 8 ++-- 3 files changed, 37 insertions(+), 32 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 572316830..4971789a8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -38,7 +38,7 @@ jobs: - name: Install Node.js v18 uses: actions/setup-node@v3 with: - node-version: "18" + node-version: "18.15.0" - name: Install development tools run: | 
@@ -100,27 +100,37 @@ jobs: discussion_category_name: "📣 Announcements" files: ./release-packages/* - # TODO: We should use the same CentOS image to cross-compile if possible? package-linux-cross: name: Linux cross-compile builds - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest timeout-minutes: 15 needs: npm-version + container: "debian:buster" strategy: matrix: include: - prefix: aarch64-linux-gnu - arch: arm64 + npm_arch: arm64 + apt_arch: arm64 - prefix: arm-linux-gnueabihf - arch: armv7l + npm_arch: armv7l + apt_arch: armhf env: AR: ${{ format('{0}-ar', matrix.prefix) }} + AS: ${{ format('{0}-as', matrix.prefix) }} CC: ${{ format('{0}-gcc', matrix.prefix) }} + CPP: ${{ format('{0}-cpp', matrix.prefix) }} CXX: ${{ format('{0}-g++', matrix.prefix) }} - LINK: ${{ format('{0}-g++', matrix.prefix) }} - npm_config_arch: ${{ matrix.arch }} + FC: ${{ format('{0}-gfortran', matrix.prefix) }} + LD: ${{ format('{0}-ld', matrix.prefix) }} + STRIP: ${{ format('{0}-strip', matrix.prefix) }} + PKG_CONFIG_PATH: ${{ format('/usr/lib/{0}/pkgconfig', matrix.prefix) }} + TARGET_ARCH: ${{ matrix.apt_arch }} + npm_config_arch: ${{ matrix.npm_arch }} NODE_VERSION: v18.15.0 + # Not building from source results in an x86_64 argon2, as if + # npm_config_arch is being ignored. npm_config_build_from_source: true steps: 
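Review bot: The new `container: "debian:buster"` line references the image by a mutable tag, so the toolchain and base libraries of this release build can change between runs even though the same patch pins Node to 18.15.0 for reproducibility. Pinning the digest keeps the build input fixed and turns an image change into an explicit, reviewable edit: `container: "debian:buster@sha256:<digest-of-reviewed-image>"` (placeholder, to be filled in from the image you verified). The move from `runs-on: ubuntu-20.04` to `ubuntu-latest` floats in the same way, though it presumably matters less once the build runs inside the container. A comment beside the container line recording why buster was chosen (glibc 2.28, per the commit message) would help whoever later has to move off it.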
@@ -132,30 +142,25 @@ jobs: with: node-version: "18.15.0" + - name: Install cross-compiler and system dependencies + run: | + dpkg --add-architecture $TARGET_ARCH + apt-get update && apt-get install -y --no-install-recommends \ + crossbuild-essential-$TARGET_ARCH \ + libx11-dev:$TARGET_ARCH \ + libx11-xcb-dev:$TARGET_ARCH \ + libxkbfile-dev:$TARGET_ARCH \ + libsecret-1-dev:$TARGET_ARCH \ + libkrb5-dev:$TARGET_ARCH \ + ca-certificates \ + curl wget rsync gettext-base + - name: Install nfpm run: | mkdir -p ~/.local/bin curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm echo "$HOME/.local/bin" >> $GITHUB_PATH - - name: Install cross-compiler and system dependencies (arm64) - if: ${{ matrix.arch != 'armv7l' }} - run: sudo apt update && sudo apt install -y $PACKAGE libkrb5-dev - env: - PACKAGE: ${{ format('g++-{0}', matrix.prefix) }} - - - name: Install cross-compiler and system dependencies (armv7l) - if: ${{ matrix.arch == 'armv7l' }} - run: | - sudo sed -i "s/^deb/deb [arch=amd64,i386]/g" /etc/apt/sources.list - echo "deb [arch=arm64,armhf] http://ports.ubuntu.com/ $(lsb_release -s -c) main universe multiverse restricted" | sudo tee -a /etc/apt/sources.list - echo "deb [arch=arm64,armhf] http://ports.ubuntu.com/ $(lsb_release -s -c)-updates main universe multiverse restricted" | sudo tee -a /etc/apt/sources.list - sudo dpkg --add-architecture armhf - sudo apt update - sudo apt install -y $PACKAGE libkrb5-dev:armhf - env: - PACKAGE: ${{ format('g++-{0}', matrix.prefix) }} - - name: Download npm package uses: actions/download-artifact@v3 with: @@ -183,7 +188,7 @@ jobs: - name: Build packages with nfpm env: VERSION: ${{ env.VERSION }} - run: yarn package ${npm_config_arch} + run: npm run package ${npm_config_arch} - uses: softprops/action-gh-release@v1 with: 
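Review bot: The `Install nfpm` step kept in this hunk pipes a `curl` download straight into `tar` with no integrity check, and with the `sudo` calls gone the steps presumably now run as root inside the container. Because this job produces release packages, the archive should be saved to a file and verified against a pinned checksum before extraction, for example `echo "<sha256-of-nfpm-archive>  nfpm.tar.gz" | sha256sum -c -` (placeholder value) ahead of the `tar -C ~/.local/bin -zxv nfpm` call. In the new apt step, quoting the expansions (`"crossbuild-essential-$TARGET_ARCH"`, `"libx11-dev:$TARGET_ARCH"`, and so on) would keep an unexpected matrix value from word-splitting into extra package arguments.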
@@ -203,7 +208,7 @@ jobs: - name: Install Node.js v18 uses: actions/setup-node@v3 with: - node-version: "18" + node-version: "18.15.0" - name: Install nfpm run: | diff --git a/ci/build/build-packages.sh b/ci/build/build-packages.sh index 6c85ccd33..1844dc741 100755 --- a/ci/build/build-packages.sh +++ b/ci/build/build-packages.sh @@ -27,7 +27,7 @@ main() { release_archive() { local release_name="code-server-$VERSION-$OS-$ARCH" if [[ $OS == "linux" ]]; then - tar -czf "release-packages/$release_name.tar.gz" --transform "s/^\.\/release-standalone/$release_name/" ./release-standalone + tar -czf "release-packages/$release_name.tar.gz" --owner=0 --group=0 --transform "s/^\.\/release-standalone/$release_name/" ./release-standalone else tar -czf "release-packages/$release_name.tar.gz" -s "/^release-standalone/$release_name/" release-standalone fi diff --git a/ci/build/build-standalone-release.sh b/ci/build/build-standalone-release.sh index c06b19653..aed25ee3f 100755 --- a/ci/build/build-standalone-release.sh +++ b/ci/build/build-standalone-release.sh @@ -9,11 +9,11 @@ main() { rsync "$RELEASE_PATH/" "$RELEASE_PATH-standalone" RELEASE_PATH+=-standalone - # We cannot find the path to node from $PATH because yarn shims a script to ensure - # we use the same version it's using so we instead run a script with yarn that - # will print the path to node. + # We cannot get the path to Node from $PATH (for example via `which node`) + # because Yarn shims a script called `node` and we would end up just copying + # that script. Instead we run Node and have it print its actual path. local node_path - node_path="$(yarn -s node <<< 'console.info(process.execPath)')" + node_path="$(node <<< 'console.info(process.execPath)')" mkdir -p "$RELEASE_PATH/bin" mkdir -p "$RELEASE_PATH/lib"
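Review bot: Only the Linux branch of `release_archive` gets the ownership override; the `else` branch still records the build user's uid/gid in the archive. When such a tarball is extracted as root, those IDs can land on an unrelated local account, which then owns the installed files. If the non-Linux tar is bsdtar, as the `-s` substitution syntax suggests, the equivalent there is `--uid 0 --gid 0`. On the GNU side, adding `--numeric-owner` next to `--owner=0 --group=0` would likely also stop user and group names from the build host being stored. `release_archive` continues past the end of this hunk.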
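Review bot: Nothing in this hunk checks the result of the new `node_path="$(node <<< ...)"` assignment, and whichever `node` resolves first on `$PATH` is what the standalone release picks up. A guard right after the assignment, such as `[[ -x "$node_path" ]] || { echo "could not resolve node binary" >&2; exit 1; }`, would fail the build early with a clear message. The rewritten comment still explains the approach in terms of Yarn's `node` shim; since the workflow in this patch now runs the packaging step with `npm run`, the comment should say whether that shim can still be in play. `main` starts before and continues after this hunk, so how `node_path` is consumed is not visible here.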