Add Docker build system and containerized development environment #194
base: main
Update CSP for CodeEditor
Move .sagemaker-last-active-timestamp to /tmp/
Add warning message on auto update being turned off; Pull in latest changes on build script
Add sagemaker-open-notebook-extension
feat:enable deeplink for eks notebook
Patch braces and micromatch for 1.4.x
fix:validate region from url params to prevent xss attack
**Description**
* Idle endpoint creates metadata file if not exist

**Motivation**
* Fix the issue of space that has never been opened will not auto shutdown

**Testing Done**
* Build CE package

**Backwards Compatibility Criteria (if any)**
* N/A
Idle endpoint creates metadata file if not exist
**Description**
* Adding `/api/env` endpoint for the SageMaker Unified Studio user case that fetched the `/opt/ml/metadata/resource-metadata.json` file if present else throw server exception indicating no such file.

**Motivation**
* SMUS extensions would require this env metadata file.

**Testing Done**
* Build CE package and ran locally. Tested building the local image using BYOI

**Backwards Compatibility Criteria (if any)**
* N/A

**Description**
* Adding `api/creds` endpoint for the Sagemaker Unified Studio user case to fetch credentials using DomainExecutionRoleCreds profile.

**Motivation**
* SMUS extensions would require these creds to fetch the data from S3/RedShift/Glue.

**Testing Done**
* Build CE package and ran locally. Tested building the local image using BYOI

**Backwards Compatibility Criteria (if any)**
* N/A
Add SageMaker-UI env and DER creds endpoint patch
Revert "Merge pull request #101 from bharathGuntamadugu/feature/smus"
**Description**
• Add support for redirecting to SMUS portal during VSCode session renewal
• Detect SMUS environment using SERVICE_NAME variable
• Update metadata handling to support SMUS portal URL construction

**Motivation**
• Enable users to renew VSCode sessions through SMUS portal
• Improve session renewal experience for SMUS users

**Testing**
• Verified with local VSCode server
• Tested for both SMUS and SageMaker AI with manual cookie population and metadata file creation

**Backward compatibility**
• Maintains existing behavior for non-SMUS environments
• Silent failure handling prevents disruption of current flows

**Description**
- Adding SageMaker UI Dark Theme system extension
- This extension allows the "Default Dark Modern" theme to be enabled in SageMaker Unified Studio by default.
- Checks against the SERVICE_NAME=SageMakerUnifiedStudio environment variable to dynamically apply.
- If user settings or workspace settings have workbench.colorTheme set, Default Dark Modern does not get applied.
- This allows the user to set their own theme if they choose.
- Provides extension output in Output View in SageMaker Unified Studio (Disabled in SageMaker AI).

**Testing Done**
- Tested locally with ENV variable SERVICE_NAME=SageMakerUnifiedStudio set and unset.
- Confirmed Default Dark Modern theme applies and provides logging output when ENV variable is set.
- Confirmed SageMaker AI experience is unaffected.
feat: Add SageMaker UI Dark Theme extension
**Description**
- Post-startup script stored in SMD (SageMaker Distribution) enables the required customizations for SMUS applications.
- This functionality is currently operational for JupyterLab apps.
- We are extending this capability to CodeEditor apps.

**Testing Done**
- Tested building the local image for these changes and tested on personal LL stack using BYOI
- Verified script execution logs file generation at /var/log/apps after app launch
…s-sagemaker-extension
- Maps --base-path parameter to --server-base-path internally
- Maintains backward compatibility for existing BYOI customers
- Leverages VS Code's native base path support
- Replaces complex 500+ line patch with minimal 10-line solution
Add base-path compatibility patch for VS Code 1.100.2
Add unit test(check the file) and e2e test to the workflow
The base-path-compatibility.diff patch was failing to apply during installation with: 'patch: **** malformed patch at line 12'

Root cause:
- Outdated import paths (missing .js extensions)
- Incorrect line numbers after VS Code updates
- Patch format incompatible with current VS Code structure

Fix:
- Updated import paths to match VS Code 1.100.2 structure
- Corrected line numbers and context
- Regenerated patch using proper diff format
- Patch now applies cleanly during ./scripts/install.sh

Validation:
- Added patched file showing expected result
- All functionality tests pass (base-path option, interface, constructor, mapping logic)
- patch --dry-run succeeds
- Install script completes successfully
Fix base-path-compatibility patch for VS Code 1.100.2
Merge 1.7 Changes to 1.8
- CVE-2025-7783: form-data 4.0.0 → 4.0.4 (CRITICAL)
- CVE-2024-37890: ws 7.4.6 → 8.17.1 (HIGH)
Security patch: Fix CVEs in sagemaker-code-editor v1.8
…add custom-extensions-marketplace.patch to series file
Update series to remove the custom-extensions-marketplace.patch to test the sagemaker-idle-extension.patch

Signed-off-by: SriAakash mandavilli <[email protected]>
Update code oss version to 1.101.2
…f , and also added to the series file
- Fix Custom Extension Patch and add to series for 1.101.2
- Add the Signature verification fix which was failing for open VSIX extensions for 1.101.2
```yaml
    name: Run unit tests
    runs-on: ubuntu-22.04
    steps:
      # Checkout repository code
      - name: Checkout code
        uses: actions/checkout@v4

      # Verify CSP line exists in target TypeScript file
      - name: Check CSP configuration in webClientServer.ts
        shell: sh
        run: |
          TARGET_FILE="patched-vscode/src/vs/server/node/webClientServer.ts"
          REQUIRED_TEXT="'connect-src \'self\' ws: wss: https://main.vscode-cdn.net http://localhost:* https://localhost:* https://login.microsoftonline.com/ https://update.code.visualstudio.com https://*.vscode-unpkg.net/ https://default.exp-tas.com/vscode/ab https://vscode-sync.trafficmanager.net https://vscode-sync-insiders.trafficmanager.net https://*.gallerycdn.vsassets.io https://marketplace.visualstudio.com https://openvsxorg.blob.core.windows.net https://az764295.vo.msecnd.net https://code.visualstudio.com https://*.gallery.vsassets.io https://*.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com https://*.servicebus.windows.net/ https://vscode.blob.core.windows.net https://vscode.search.windows.net https://vsmarketplacebadges.dev https://vscode.download.prss.microsoft.com https://download.visualstudio.microsoft.com https://*.vscode-unpkg.net https://open-vsx.org;'"

          if [ ! -f "$TARGET_FILE" ]; then
            echo "❌ FAIL: Target file $TARGET_FILE does not exist."
            exit 1
          fi

          if grep -F "$REQUIRED_TEXT" "$TARGET_FILE" > /dev/null; then
            echo "✅ PASS: Required CSP text exists."
          else
            echo "❌ FAIL: Required CSP text NOT found in $TARGET_FILE"
            exit 1
          fi
```
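Review bot: the `Check CSP configuration in webClientServer.ts` step compares the entire connect-src line verbatim with `grep -F`, so it fails on any whitespace or ordering change even when every required origin is still allowed, and it passes if the same line survives only inside a commented-out block. Matching on the directive's individual sources would make the check say what it means. Two smaller points: the job only runs `actions/checkout@v4` before grepping `patched-vscode/`, so that tree has to be committed for the check to be meaningful (the `build` job below applies patches against `vscode/`, not `patched-vscode/`); and the job is named `Run unit tests` but runs no test suite, only this file-content check, which the commit message itself describes as "unit test(check the file)".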
```yaml
  # The main job for building the application
  build:
```
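The CSP check in the `Run unit tests` job above greps for one exact string. As an added example (not code from this repository or its workflow), the script below parses the CSP as a policy rather than as text: it extracts the `connect-src` directive from a TypeScript source string (unescaping the `\'` quoting the workflow's `REQUIRED_TEXT` shows), checks that a required set of origins is present regardless of order or spacing, and flags scheme-only sources such as `ws:` and `wss:` that allow connections to any host. The sample policy and TypeScript snippet are constructed for the example and are an abbreviated form of the workflow's string; the required-origin set is a subset of the hosts in that string.

```python
"""Structured check of a CSP connect-src directive.

Added example, not part of the sagemaker-code-editor repository or its
workflow. It shows a sturdier alternative to a verbatim `grep -F` of the
CSP line: parse the policy, compare connect-src against a required set of
origins, and report sources that are broader than intended.
"""
import re
from typing import Optional

# Constructed sample: an abbreviated form of the workflow's connect-src line.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "connect-src 'self' ws: wss: https://main.vscode-cdn.net http://localhost:* "
    "https://login.microsoftonline.com/ https://*.vscode-unpkg.net/ "
    "https://marketplace.visualstudio.com https://open-vsx.org;"
)

# Constructed sample of how the directive sits inside a TypeScript string literal,
# where the CSP's own single quotes are escaped as \' (as in the workflow's REQUIRED_TEXT).
SAMPLE_TS = r"""
const cspDirectives = [
    'default-src \'self\';',
    'connect-src \'self\' ws: wss: https://main.vscode-cdn.net https://marketplace.visualstudio.com https://open-vsx.org;',
];
"""

# Origins the build must keep reachable (subset of the hosts in the workflow's REQUIRED_TEXT).
REQUIRED_CONNECT_SRC = {
    "'self'",
    "https://main.vscode-cdn.net",
    "https://marketplace.visualstudio.com",
    "https://open-vsx.org",
}

# Scheme-only or wildcard sources: any of these lets the page connect to any host of that scheme.
OVERLY_BROAD = {"*", "https:", "http:", "ws:", "wss:", "data:", "blob:"}


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [sources]}.

    Per the CSP spec, if a directive name appears more than once only the
    first occurrence is honoured, so later duplicates are ignored here too.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def normalize(source: str) -> str:
    """Drop a trailing slash so 'https://host/' and 'https://host' compare equal."""
    return source.rstrip("/") if "://" in source else source


def extract_connect_src(ts_source: str) -> Optional[str]:
    """Pull the connect-src directive out of TypeScript source text and unescape \\' quoting."""
    match = re.search(r"connect-src[^;]*;", ts_source)
    return match.group(0).replace("\\'", "'") if match else None


def check_connect_src(policy: str, required=REQUIRED_CONNECT_SRC) -> dict:
    """Report missing required origins and overly broad sources in connect-src."""
    csp = parse_csp(policy)
    present = "connect-src" in csp
    sources = {normalize(s) for s in csp.get("connect-src", [])}
    missing = sorted(normalize(r) for r in required if normalize(r) not in sources)
    broad = sorted(s for s in sources if s in OVERLY_BROAD)
    return {
        "present": present,
        "missing": missing,
        "overly_broad": broad,  # a warning, not a failure: the project allows ws:/wss: on purpose
        "ok": present and not missing,
    }


if __name__ == "__main__":
    print(check_connect_src(SAMPLE_POLICY))
    print(check_connect_src(extract_connect_src(SAMPLE_TS) or ""))
```

In a workflow this replaces the single `grep -F` with a step that fails only when a required origin is actually missing, and prints the scheme-only sources so a reviewer sees how wide the connect-src allow list really is.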
CodeQL code scanning warning (Medium): Workflow does not contain permissions

Copilot Autofix (AI, 5 days ago):

To fix this issue, add an explicit `permissions` block at the root level of .github/workflows/build.yml. This ensures that the GITHUB_TOKEN in all jobs is restricted to only the minimal necessary permissions, adhering to best practices and the principle of least privilege. In this workflow, setting `permissions: contents: read` is sufficient, as no step performs repository write operations (e.g., pushing commits, creating issues, managing pull requests). Add the following block immediately after the workflow `name:` definition at the top of the file (after line 2).
@@ -1,5 +1,7 @@ | ||
# Workflow name | ||
name: Build | ||
permissions: | ||
contents: read | ||
|
||
# This workflow is triggered on pushes and pull requests to the main branch. | ||
on: |
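Review bot: the workflow-level `permissions: contents: read` block is the right least-privilege default for this file and should land exactly once; the two further autofix suggestions on this page are redundant with it (the second repeats this hunk verbatim, the third adds a job-level block to `run-e2e-tests` that the workflow-level block already covers). One thing to verify after applying it: that the `Upload build artifact` step in the `build` job still succeeds under the narrowed token, since it is the only step in the workflow that writes anything beyond the checkout.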
.github/workflows/build.yml (Outdated)
```yaml
    steps:
      # Step 1: Check out the repository code, including its submodules.
      - name: Checkout repo with submodules
        uses: actions/checkout@v4
        with:
          submodules: recursive

      # Step 2: Install system-level dependencies required for the build.
      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y make gcc g++ libx11-dev xorg-dev libxkbfile-dev libsecret-1-dev libkrb5-dev python3 jq perl gettext automake autoconf quilt

      # Step 3: Set up the Node.js environment. Version 20 is specified.
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
          # Use npm for caching, not yarn
          cache: 'npm'
          cache-dependency-path: '**/package-lock.json'

      # Step 4: Apply patches from the 'patches' directory if it exists.
      - name: Apply patches (if any)
        run: |
          if [ -d patches ] && [ "$(ls -A patches)" ]; then
            set -e
            quilt push -a
          fi

      # Step 5: Generate a version string for this specific build.
      # It's based on the commit SHA to create a unique identifier.
      - name: Set Development Version
        id: version
        run: |
          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
          VERSION="0.0.0-dev-${SHORT_SHA}"
          echo "VERSION=$VERSION" >> $GITHUB_ENV
          echo "Generated version for this build: $VERSION"

      # Step 6: The main build process for vscode, now using npm.
      - name: Build vscode
        run: |
          cd vscode
          export DISABLE_V8_COMPILE_CACHE=1
          export UV_THREADPOOL_SIZE=4

          npm install -g node-gyp

          # Install dependencies using npm, skip optional and native modules
          npm install

          # Run the gulp build task with memory optimizations
          ARCH_ALIAS=linux-x64
          node --max-old-space-size=32768 --optimize-for-size \
            ./node_modules/gulp/bin/gulp.js \
            "vscode-reh-web-${ARCH_ALIAS}-min"

      # Step 7: Find the exact path of the original build output directory.
      - name: Find build output
        id: find_output
        run: |
          BUILD_PATH=$(find . -name "vscode-reh-web-linux-x64" -type d | head -n 1)
          if [ -z "$BUILD_PATH" ]; then
            echo "::error::Build output directory 'vscode-reh-web-linux-x64' not found!"
            exit 1
          fi
          echo "Build output found at: $BUILD_PATH"
          echo "build_path=$BUILD_PATH" >> $GITHUB_OUTPUT

      # Step 8: Rename the build output directory to sagemaker-code-editor
      - name: Rename build output directory
        id: rename_output
        run: |
          ORIG_PATH="${{ steps.find_output.outputs.build_path }}"
          PARENT_DIR=$(dirname "$ORIG_PATH")
          mv "$ORIG_PATH" "$PARENT_DIR/sagemaker-code-editor"
          echo "Renamed build output directory to: $PARENT_DIR/sagemaker-code-editor"
          echo "build_path=$PARENT_DIR/sagemaker-code-editor" >> $GITHUB_OUTPUT

      # Step 9: Create a compressed tarball of the renamed build output.
      - name: Create tarball archive
        run: |
          TARBALL="sagemaker-code-editor-${{ env.VERSION }}.tar.gz"
          BUILD_DIR_PATH="${{ steps.rename_output.outputs.build_path }}"
          PARENT_DIR=$(dirname "$BUILD_DIR_PATH")
          BUILD_DIR_NAME=$(basename "$BUILD_DIR_PATH")
          echo "Creating '$TARBALL' from '$BUILD_DIR_NAME' in '$PARENT_DIR'"
          tar czf $TARBALL -C "$PARENT_DIR" "$BUILD_DIR_NAME"

      # Step 10: Upload the tarball as a build artifact.
      - name: Upload build artifact
        if: env.ACT == ''
        uses: actions/upload-artifact@v4
        with:
          name: npm-package
          path: sagemaker-code-editor-${{ env.VERSION }}.tar.gz

  # Run end-to-end tests after the build is complete
  run-e2e-tests:
```
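Review bot: in the `Build vscode` step the comment says `npm install` skips optional and native modules, but the command carries no flag to do so (`--omit=optional` or `--ignore-scripts` would be the usual ones), so either the comment or the command should change; as written, every dependency's install scripts run on the build runner. In `Apply patches (if any)`, `set -e` sits inside the `if` body, which is fine for `quilt push -a`, but if the `patches` directory is absent the step silently succeeds with an unpatched tree, which then makes the `Run unit tests` job's CSP check the only thing standing between an unpatched build and a published artifact. In `Create tarball archive`, `$TARBALL` is unquoted in the `tar czf` call; `VERSION` derives from `github.sha` so it cannot contain spaces today, but quoting it matches the rest of the step.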
CodeQL code scanning warning (Medium): Workflow does not contain permissions

Copilot Autofix (AI, 5 days ago):

To fix this issue, we should add a `permissions` block to the workflow. The minimal sensible placement is at the workflow (top) level, which will be inherited by all jobs that don't specify their own permissions. Given this workflow's steps (checking out code, running tests, building, uploading artifacts, but not modifying repository contents or creating issues/pull requests), the workflow only requires `contents: read`, which lets jobs read repository code but not make changes.

To implement the fix:
- In .github/workflows/build.yml, insert a `permissions:` block directly below the workflow name (line 2).
- Set `contents: read` (other permissions may be added if jobs are found to require more, but that's the minimal starting recommendation).
- No further imports or method definitions are required for this change, as it concerns only the workflow YAML.
@@ -1,5 +1,7 @@ | ||
# Workflow name | ||
name: Build | ||
permissions: | ||
contents: read | ||
|
||
# This workflow is triggered on pushes and pull requests to the main branch. | ||
on: |
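Review bot: this hunk is identical to the earlier autofix suggestion for lines 1-7 of the same file (it even carries the same `@@ -1,5 +1,7 @@` header); applying both would produce two `permissions:` keys at the top level of the mapping, a duplicate key that YAML does not allow, so take one suggestion and drop the other.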
```yaml
    name: Run e2e tests
    runs-on: ubuntu-22.04
    needs: build  # Ensure e2e tests run after build
    steps:
      # Checkout repository code
      - name: Checkout code
        uses: actions/checkout@v4

      # Output placeholder message for e2e tests
      - name: Test of e2e test
        run: echo "Test of e2e test"
```
CodeQL code scanning warning (Medium): Workflow does not contain permissions

Copilot Autofix (AI, 5 days ago):

To address the issue, add a `permissions` block to the `run-e2e-tests` job, setting it to the minimum privilege needed. Since the only actions in this job are code checkout and a shell echo (neither of which require anything more than reading repository contents), the least privilege required is:

```yaml
permissions:
  contents: read
```

This block should be added at the same indentation level just below `name: Run e2e tests` in the `run-e2e-tests` job (line 162), before `runs-on: ubuntu-22.04`.

No new methods, imports, or additional definitions are required.
@@ -159,6 +159,8 @@ | ||
# Run end-to-end tests after the build is complete | ||
run-e2e-tests: | ||
name: Run e2e tests | ||
permissions: | ||
contents: read | ||
runs-on: ubuntu-22.04 | ||
needs: build # Ensure e2e tests run after build | ||
steps: |
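Review bot: a job-level `permissions` block on `run-e2e-tests` is only needed if the workflow-level block from the first suggestion is not adopted; note that a job-level block replaces rather than extends the workflow-level one, so once this job grows real tests that need more than `contents: read` (its only step today is a placeholder `echo`), every scope it uses must be listed here. The `needs: build` context line is correct, but the job never downloads the `npm-package` artifact the `build` job uploads, so there is nothing yet for e2e tests to run against.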
Branch updated: 31df0b7 to 24bd3f5
Branch updated: 24bd3f5 to 0eb9dac
Summary
This PR introduces a comprehensive Docker-based build system and containerized development environment for SageMaker Code Editor.
Changes
Benefits
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.