Merge remote-tracking branch 'origin/main' into connor4312/sampling-2

Author: connor4312

.github/workflows/no-package-lock-changes.yml

@@ -8,26 +8,44 @@ jobs:
     name: Prevent package-lock.json changes in PRs
     runs-on: ubuntu-latest
     steps:
+      - name: Get file changes
+        uses: trilom/file-changes-action@ce38c8ce2459ca3c303415eec8cb0409857b4272
+        id: file_changes
+      - name: Check if lockfiles were modified
+        id: lockfile_check
+        run: |
+          if cat $HOME/files.json | jq -e 'any(test("package-lock\\.json$|Cargo\\.lock$"))' > /dev/null; then
+            echo "lockfiles_modified=true" >> $GITHUB_OUTPUT
+            echo "Lockfiles were modified in this PR"
+          else
+            echo "lockfiles_modified=false" >> $GITHUB_OUTPUT
+            echo "No lockfiles were modified in this PR"
+          fi
+      - name: Prevent Copilot from modifying lockfiles
+        if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login == 'Copilot' }}
+        run: |
+          echo "Copilot is not allowed to modify package-lock.json or Cargo.lock files."
+          echo "If you need to update dependencies, please do so manually or through authorized means."
+          exit 1
       - uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
         id: get_permissions
+        if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }}
         with:
           route: GET /repos/microsoft/vscode/collaborators/{username}/permission
           username: ${{ github.event.pull_request.user.login }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Set control output variable
         id: control
+        if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }}
         run: |
           echo "user: ${{ github.event.pull_request.user.login }}"
           echo "role: ${{ fromJson(steps.get_permissions.outputs.data).permission }}"
           echo "is dependabot: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}"
           echo "should_run: ${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) }}"
           echo "should_run=${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) && github.event.pull_request.user.login != 'dependabot[bot]' }}" >> $GITHUB_OUTPUT
-      - name: Get file changes
-        uses: trilom/file-changes-action@ce38c8ce2459ca3c303415eec8cb0409857b4272
-        if: ${{ steps.control.outputs.should_run == 'true' }}
       - name: Check for lockfile changes
-        if: ${{ steps.control.outputs.should_run == 'true' }}
+        if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && steps.control.outputs.should_run == 'true' }}
         run: |
-          cat $HOME/files.json | jq -e 'any(test("package-lock\\.json$|Cargo\\.lock$")) | not' \
-            || (echo "Changes to package-lock.json/Cargo.lock files aren't allowed in PRs." && exit 1)
+          echo "Changes to package-lock.json/Cargo.lock files aren't allowed in PRs."
+          exit 1

.github/workflows/no-yarn-lock-changes.yml

@@ -8,26 +8,44 @@ jobs:
     name: Prevent yarn.lock changes in PRs
     runs-on: ubuntu-latest
     steps:
+      - name: Get file changes
+        uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4
+        id: file_changes
+      - name: Check if lockfiles were modified
+        id: lockfile_check
+        run: |
+          if cat $HOME/files.json | jq -e 'any(test("yarn\\.lock$|Cargo\\.lock$"))' > /dev/null; then
+            echo "lockfiles_modified=true" >> $GITHUB_OUTPUT
+            echo "Lockfiles were modified in this PR"
+          else
+            echo "lockfiles_modified=false" >> $GITHUB_OUTPUT
+            echo "No lockfiles were modified in this PR"
+          fi
+      - name: Prevent Copilot from modifying lockfiles
+        if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login == 'Copilot' }}
+        run: |
+          echo "Copilot is not allowed to modify yarn.lock or Cargo.lock files."
+          echo "If you need to update dependencies, please do so manually or through authorized means."
+          exit 1
       - uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
         id: get_permissions
+        if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }}
         with:
           route: GET /repos/microsoft/vscode/collaborators/{username}/permission
           username: ${{ github.event.pull_request.user.login }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Set control output variable
         id: control
+        if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }}
         run: |
           echo "user: ${{ github.event.pull_request.user.login }}"
           echo "role: ${{ fromJson(steps.get_permissions.outputs.data).permission }}"
           echo "is dependabot: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}"
           echo "should_run: ${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) }}"
           echo "should_run=${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) && github.event.pull_request.user.login != 'dependabot[bot]' }}" >> $GITHUB_OUTPUT
-      - name: Get file changes
-        uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4
-        if: ${{ steps.control.outputs.should_run == 'true' }}
       - name: Check for lockfile changes
-        if: ${{ steps.control.outputs.should_run == 'true' }}
+        if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && steps.control.outputs.should_run == 'true' }}
         run: |
-          cat $HOME/files.json | jq -e 'any(test("yarn\\.lock$|Cargo\\.lock$")) | not' \
-            || (echo "Changes to yarn.lock/Cargo.lock files aren't allowed in PRs." && exit 1)
+          echo "Changes to yarn.lock/Cargo.lock files aren't allowed in PRs."
+          exit 1

build/azure-pipelines/product-build.yml

@@ -296,7 +296,7 @@ extends:
             - ${{ if eq(parameters.VSCODE_BUILD_WIN32, true) }}:
               - job: CLIWindowsX64
                 pool:
-                  name: 1es-windows-2019-x64
+                  name: 1es-windows-2022-x64
                   os: windows
                 steps:
                   - template: build/azure-pipelines/win32/cli-build-win32.yml@self
@@ -308,7 +308,7 @@ extends:
             - ${{ if and(eq(variables['VSCODE_CIBUILD'], false), eq(parameters.VSCODE_BUILD_WIN32_ARM64, true)) }}:
               - job: CLIWindowsARM64
                 pool:
-                  name: 1es-windows-2019-x64
+                  name: 1es-windows-2022-x64
                   os: windows
                 steps:
                   - template: build/azure-pipelines/win32/cli-build-win32.yml@self
@@ -320,7 +320,7 @@ extends:
         - stage: APIScan
           dependsOn: []
           pool:
-            name: 1es-windows-2019-x64
+            name: 1es-windows-2022-x64
             os: windows
           jobs:
             - job: WindowsAPIScan
@@ -669,7 +669,7 @@ extends:
         - stage: Publish
           dependsOn: []
           pool:
-            name: 1es-windows-2019-x64
+            name: 1es-windows-2022-x64
             os: windows
           variables:
             - name: BUILDS_API_URL

extensions/git/src/api/api1.ts

@@ -7,7 +7,7 @@
 
 import { Model } from '../model';
 import { Repository as BaseRepository, Resource } from '../repository';
-import { InputBox, Git, API, Repository, Remote, RepositoryState, Branch, ForcePushMode, Ref, Submodule, Commit, Change, RepositoryUIState, Status, LogOptions, APIState, CommitOptions, RefType, CredentialsProvider, BranchQuery, PushErrorHandler, PublishEvent, FetchOptions, RemoteSourceProvider, RemoteSourcePublisher, PostCommitCommandsProvider, RefQuery, BranchProtectionProvider, InitOptions, SourceControlHistoryItemDetailsProvider } from './git';
+import { InputBox, Git, API, Repository, Remote, RepositoryState, Branch, ForcePushMode, Ref, Submodule, Commit, Change, RepositoryUIState, Status, LogOptions, APIState, CommitOptions, RefType, CredentialsProvider, BranchQuery, PushErrorHandler, PublishEvent, FetchOptions, RemoteSourceProvider, RemoteSourcePublisher, PostCommitCommandsProvider, RefQuery, BranchProtectionProvider, InitOptions, SourceControlHistoryItemDetailsProvider, GitErrorCodes } from './git';
 import { Event, SourceControlInputBox, Uri, SourceControl, Disposable, commands, CancellationToken } from 'vscode';
 import { combinedDisposable, filterEvent, mapEvent } from '../util';
 import { toGitUri } from '../uri';
@@ -371,6 +371,27 @@ export class ApiImpl implements API {
 		return result ? new ApiRepository(result) : null;
 	}
 
+	async getRepositoryRoot(uri: Uri): Promise<Uri | null> {
+		const repository = this.getRepository(uri);
+		if (repository) {
+			return repository.rootUri;
+		}
+
+		try {
+			const root = await this.#model.git.getRepositoryRoot(uri.fsPath);
+			return Uri.file(root);
+		} catch (err) {
+			if (
+				err.gitErrorCode === GitErrorCodes.NotAGitRepository ||
+				err.gitErrorCode === GitErrorCodes.NotASafeGitRepository
+			) {
+				return null;
+			}
+
+			throw err;
+		}
+	}
+
 	async init(root: Uri, options?: InitOptions): Promise<Repository | null> {
 		const path = root.fsPath;
 		await this.#model.git.init(path, options);

extensions/git/src/api/git.d.ts

@@ -364,6 +364,7 @@ export interface API {
 
 	toGitUri(uri: Uri, ref: string): Uri;
 	getRepository(uri: Uri): Repository | null;
+	getRepositoryRoot(uri: Uri): Promise<Uri | null>;
 	init(root: Uri, options?: InitOptions): Promise<Repository | null>;
 	openRepository(root: Uri): Promise<Repository | null>
 
@@ -402,6 +403,7 @@ export const enum GitErrorCodes {
 	NoUserEmailConfigured = 'NoUserEmailConfigured',
 	NoRemoteRepositorySpecified = 'NoRemoteRepositorySpecified',
 	NotAGitRepository = 'NotAGitRepository',
+	NotASafeGitRepository = 'NotASafeGitRepository',
 	NotAtRepositoryRoot = 'NotAtRepositoryRoot',
 	Conflict = 'Conflict',
 	StashConflict = 'StashConflict',

extensions/git/src/askpass-main.ts

@@ -29,38 +29,15 @@ function main(argv: string[]): void {
 		return fatal('Skip silent fetch commands');
 	}
 
-	const output = process.env['VSCODE_GIT_ASKPASS_PIPE'] as string;
+	const output = process.env['VSCODE_GIT_ASKPASS_PIPE'];
 	const askpassType = process.env['VSCODE_GIT_ASKPASS_TYPE'] as 'https' | 'ssh';
 
-	// HTTPS (username | password), SSH (passphrase | authenticity)
-	const request = askpassType === 'https' ? argv[2] : argv[3];
-
-	let host: string | undefined,
-		file: string | undefined,
-		fingerprint: string | undefined;
-
-	if (askpassType === 'https') {
-		host = argv[4].replace(/^["']+|["':]+$/g, '');
-	}
-
-	if (askpassType === 'ssh') {
-		if (/passphrase/i.test(request)) {
-			// passphrase
-			// Commit signing - Enter passphrase:
-			// Git operation  - Enter passphrase for key '/c/Users/<username>/.ssh/id_ed25519':
-			file = argv[6]?.replace(/^["']+|["':]+$/g, '');
-		} else {
-			// authenticity
-			host = argv[6].replace(/^["']+|["':]+$/g, '');
-			fingerprint = argv[15];
-		}
-	}
-
 	const ipcClient = new IPCClient('askpass');
-	ipcClient.call({ askpassType, request, host, file, fingerprint }).then(res => {
-		fs.writeFileSync(output, res + '\n');
-		setTimeout(() => process.exit(0), 0);
-	}).catch(err => fatal(err));
+	ipcClient.call({ askpassType, argv })
+		.then(res => {
+			fs.writeFileSync(output, res + '\n');
+			setTimeout(() => process.exit(0), 0);
+		}).catch(err => fatal(err));
 }
 
 main(process.argv);

extensions/git/src/askpass.ts

@@ -3,7 +3,7 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import { window, InputBoxOptions, Uri, Disposable, workspace, QuickPickOptions, l10n } from 'vscode';
+import { window, InputBoxOptions, Uri, Disposable, workspace, QuickPickOptions, l10n, LogOutputChannel } from 'vscode';
 import { IDisposable, EmptyDisposable, toDisposable } from './util';
 import * as path from 'path';
 import { IIPCHandler, IIPCServer } from './ipc/ipcServer';
@@ -20,7 +20,7 @@ export class Askpass implements IIPCHandler, ITerminalEnvironmentProvider {
 
 	readonly featureDescription = 'git auth provider';
 
-	constructor(private ipc?: IIPCServer) {
+	constructor(private ipc: IIPCServer | undefined, private readonly logger: LogOutputChannel) {
 		if (ipc) {
 			this.disposable = ipc.registerHandler('askpass', this);
 		}
@@ -31,37 +31,41 @@ export class Askpass implements IIPCHandler, ITerminalEnvironmentProvider {
 			// VSCODE_GIT_ASKPASS
 			VSCODE_GIT_ASKPASS_NODE: process.execPath,
 			VSCODE_GIT_ASKPASS_EXTRA_ARGS: '',
-			VSCODE_GIT_ASKPASS_MAIN: path.join(__dirname, 'askpass-main.js'),
+			VSCODE_GIT_ASKPASS_MAIN: path.join(__dirname, 'askpass-main.js')
 		};
 
 		this.sshEnv = {
 			// SSH_ASKPASS
 			SSH_ASKPASS: path.join(__dirname, this.ipc ? 'ssh-askpass.sh' : 'ssh-askpass-empty.sh'),
-			SSH_ASKPASS_REQUIRE: 'force',
+			SSH_ASKPASS_REQUIRE: 'force'
 		};
 	}
 
-	async handle(payload:
-		{ askpassType: 'https'; request: string; host: string } |
-		{ askpassType: 'ssh'; request: string; host?: string; file?: string; fingerprint?: string }
-	): Promise<string> {
+	async handle(payload: { askpassType: 'https' | 'ssh'; argv: string[] }): Promise<string> {
+		this.logger.trace(`[Askpass][handle] ${JSON.stringify(payload)}`);
+
 		const config = workspace.getConfiguration('git', null);
 		const enabled = config.get<boolean>('enabled');
 
 		if (!enabled) {
+			this.logger.trace(`[Askpass][handle] Git is disabled`);
 			return '';
 		}
 
-		// https
-		if (payload.askpassType === 'https') {
-			return await this.handleAskpass(payload.request, payload.host);
-		}
-
-		// ssh
-		return await this.handleSSHAskpass(payload.request, payload.host, payload.file, payload.fingerprint);
+		return payload.askpassType === 'https'
+			? await this.handleAskpass(payload.argv)
+			: await this.handleSSHAskpass(payload.argv);
 	}
 
-	async handleAskpass(request: string, host: string): Promise<string> {
+	async handleAskpass(argv: string[]): Promise<string> {
+		// HTTPS (username | password)
+		// Username for 'https://github.com':
+		// Password for 'https://github.com':
+		const request = argv[2];
+		const host = argv[4].replace(/^["']+|["':]+$/g, '');
+
+		this.logger.trace(`[Askpass][handleAskpass] request: ${request}, host: ${host}`);
+
 		const uri = Uri.parse(host);
 		const authority = uri.authority.replace(/^.*@/, '');
 		const password = /password/i.test(request);
@@ -96,9 +100,18 @@ export class Askpass implements IIPCHandler, ITerminalEnvironmentProvider {
 		return await window.showInputBox(options) || '';
 	}
 
-	async handleSSHAskpass(request: string, host?: string, file?: string, fingerprint?: string): Promise<string> {
+	async handleSSHAskpass(argv: string[]): Promise<string> {
+		// SSH (passphrase | authenticity)
+		const request = argv[3];
+
 		// passphrase
 		if (/passphrase/i.test(request)) {
+			// Commit signing - Enter passphrase:
+			// Git operation  - Enter passphrase for key '/c/Users/<username>/.ssh/id_ed25519':
+			const file = argv[6]?.replace(/^["']+|["':]+$/g, '');
+
+			this.logger.trace(`[Askpass][handleSSHAskpass] request: ${request}, file: ${file}`);
+
 			const options: InputBoxOptions = {
 				password: true,
 				placeHolder: l10n.t('Passphrase'),
@@ -110,6 +123,11 @@ export class Askpass implements IIPCHandler, ITerminalEnvironmentProvider {
 		}
 
 		// authenticity
+		const host = argv[6].replace(/^["']+|["':]+$/g, '');
+		const fingerprint = argv[15];
+
+		this.logger.trace(`[Askpass][handleSSHAskpass] request: ${request}, host: ${host}, fingerprint: ${fingerprint}`);
+
 		const options: QuickPickOptions = {
 			canPickMany: false,
 			ignoreFocusOut: true,

extensions/git/src/git.ts

@@ -342,6 +342,8 @@ function getGitErrorCode(stderr: string): string | undefined {
 		return GitErrorCodes.InvalidBranchName;
 	} else if (/Please,? commit your changes or stash them/.test(stderr)) {
 		return GitErrorCodes.DirtyWorkTree;
+	} else if (/detected dubious ownership in repository at/.test(stderr)) {
+		return GitErrorCodes.NotASafeGitRepository;
 	}
 
 	return undefined;

extensions/git/src/main.ts

@@ -70,7 +70,7 @@ async function createModel(context: ExtensionContext, logger: LogOutputChannel,
 		logger.error(`[main] Failed to create git IPC: ${err}`);
 	}
 
-	const askpass = new Askpass(ipcServer);
+	const askpass = new Askpass(ipcServer, logger);
 	disposables.push(askpass);
 
 	const gitEditor = new GitEditor(ipcServer);

extensions/theme-defaults/themes/dark_modern.json

@@ -19,8 +19,8 @@
 		"button.secondaryBackground": "#313131",
 		"button.secondaryForeground": "#CCCCCC",
 		"button.secondaryHoverBackground": "#3C3C3C",
-		"chat.slashCommandBackground": "#34414B",
-		"chat.slashCommandForeground": "#40A6FF",
+		"chat.slashCommandBackground": "#26477866",
+		"chat.slashCommandForeground": "#85B6FF",
 		"chat.editedFileForeground": "#E2C08D",
 		"checkbox.background": "#313131",
 		"checkbox.border": "#3C3C3C",

extensions/theme-defaults/themes/light_modern.json

@@ -19,8 +19,8 @@
 		"button.secondaryBackground": "#E5E5E5",
 		"button.secondaryForeground": "#3B3B3B",
 		"button.secondaryHoverBackground": "#CCCCCC",
-		"chat.slashCommandBackground": "#D2ECFF",
-		"chat.slashCommandForeground": "#306CA2",
+		"chat.slashCommandBackground": "#ADCEFF7A",
+		"chat.slashCommandForeground": "#26569E",
 		"chat.editedFileForeground": "#895503",
 		"checkbox.background": "#F8F8F8",
 		"checkbox.border": "#CECECE",

package.json

@@ -1,7 +1,7 @@
 {
   "name": "code-oss-dev",
   "version": "1.101.0",
-  "distro": "ba782a84e32786e63185b7946c791bf89cb8da7a",
+  "distro": "a4a51f792a6f0ce2060af18f27dcb4ae0895851d",
   "author": {
     "name": "Microsoft Corporation"
   },