Skip to content

Simplify build infra #21169

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
geropl merged 6 commits into from
Dec 5, 2025
Merged

Simplify build infra #21169

geropl merged 6 commits into from
Dec 5, 2025

Conversation

@geropl
Copy link
Member

@geropl geropl commented Dec 4, 2025

Description

Related Issue(s)

Fixes #

How to test

Documentation

Preview status

gitpod:summary

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • /werft preemptible
    Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

@geropl geropl force-pushed the gpl/clu/npm-security-hardening branch 2 times, most recently from 2a397c8 to c9df6d8 Compare December 4, 2025 18:08
@geropl geropl mentioned this pull request Dec 5, 2025
Merged
geropl and others added 6 commits December 5, 2025 15:18
@geropl @ona-agent
Remove gce-github-runner usage from all workflows
bd5fc22 
Replace self-hosted GCE runner pattern with GitHub-hosted ubuntu-latest runners across all workflows. This removes the three-phase pattern (create-runner, use-runner, delete-runner) and simplifies workflow execution.

Changes:
- Remove create-runner and delete-runner jobs from all workflows
- Replace runs-on: ${{ needs.create-runner.outputs.label }} with runs-on: ubuntu-latest
- Remove create-runner from job dependencies
- Preserve all other job dependencies and concurrency controls

Affected workflows:
- build.yml (8 jobs)
- workspace-integration-tests.yml (4 jobs)
- ide-integration-tests.yml (4 jobs)
- preview-env-check-regressions.yml (4 jobs)
- preview-env-gc.yml (2 jobs)
- jetbrains-auto-update-template.yml (1 job)
- jetbrains-integration-test.yml (1 job)
- code-nightly.yml (1 job)
- preview-env-delete.yml (1 job)

Co-authored-by: Ona <no-reply@ona.com>
@geropl
[dev] use ubuntu-latest-16-cores for builds
f09f454
@geropl @ona-agent
Fix container permissions for GitHub-hosted runners
2410316 
Add 'options: --user root' to all container configurations to resolve EACCES permission errors when GitHub Actions tries to write to internal directories.

GitHub-hosted runners require containers to run as root to allow the Actions runtime to write to /__w/_temp/_runner_file_commands/ and other internal paths.

Affected workflows:
- build.yml (3 container jobs)
- workspace-integration-tests.yml (2 container jobs)
- ide-integration-tests.yml (2 container jobs)
- preview-env-check-regressions.yml (1 container job)
- preview-env-gc.yml (1 container job)
- jetbrains-auto-update-template.yml (1 container job)
- jetbrains-integration-test.yml (1 container job)
- code-nightly.yml (1 container job)

Co-authored-by: Ona <no-reply@ona.com>
@geropl @ona-agent
Fix dev/image build by adding leeway dependency for npm-tools
dfdd0ae 
Create leeway generic build for dev/npm-tools and use it as a dependency in dev/image:docker build. This resolves the build error where npm-tools files were not accessible during Docker build.

Changes:
- Add dev/npm-tools/BUILD.yaml with generic package containing package.json and package-lock.json
- Add dev/npm-tools:pkg as dependency in dev/image/BUILD.yaml
- Update Dockerfile to use COPY from leeway dependency path (dev-npm-tools--pkg/)

This follows the established pattern used in other builds like install/installer where dependencies are copied from leeway-generated paths.

Co-authored-by: Ona <no-reply@ona.com>
@geropl @ona-agent
Fix npm-tools installation permissions in dev/image
6ac2d65 
Add chown command to fix EACCES permission error when installing npm-tools. The COPY command creates files owned by root, but npm ci runs as gitpod user and needs write access to create node_modules.

Changes:
- Add 'sudo chown -R gitpod:gitpod /opt/npm-tools' before npm ci
- This ensures the gitpod user can write to /opt/npm-tools/node_modules/

Error fixed:
  npm error code EACCES
  npm error syscall mkdir
  npm error path /opt/npm-tools/node_modules
  npm error errno -13

Co-authored-by: Ona <no-reply@ona.com>
@geropl @ona-agent
[dev] Split builds into branch and main
048db9f 
Co-authored-by: Ona <no-reply@ona.com>
@geropl geropl force-pushed the gpl/clu/npm-security-hardening branch from 5efd095 to 048db9f Compare December 5, 2025 15:19
@geropl geropl marked this pull request as ready for review December 5, 2025 15:19
@geropl geropl requested a review from a team as a code owner December 5, 2025 15:19
@geropl geropl merged commit fae8573 into clu/npm-security-hardening Dec 5, 2025
8 of 9 checks passed
@geropl geropl deleted the gpl/clu/npm-security-hardening branch December 5, 2025 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

team: team-enterprise

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@geropl