Add Docker build system and containerized development environment #194
Update CSP for CodeEditor
Move .sagemaker-last-active-timestamp to /tmp/
Add warning message on auto update being turned off; Pull in latest changes on build script
Add sagemaker-open-notebook-extension
feat: enable deeplink for eks notebook
Patch braces and micromatch for 1.4.x
fix: validate region from url params to prevent xss attack
**Description**
* Idle endpoint creates metadata file if it does not exist
**Motivation**
* Fix the issue that a space that has never been opened will not auto shutdown
**Testing Done**
* Build CE package
**Backwards Compatibility Criteria (if any)**
* N/A
Idle endpoint creates metadata file if not exist
**Description**
* Adding `/api/env` endpoint for the SageMaker Unified Studio use case, which fetches the `/opt/ml/metadata/resource-metadata.json` file if present, else throws a server exception indicating no such file.
**Motivation**
* SMUS extensions would require this env metadata file.
**Testing Done**
* Build CE package and ran locally. Tested building the local image using BYOI.
**Backwards Compatibility Criteria (if any)**
* N/A
**Description**
* Adding `api/creds` endpoint for the SageMaker Unified Studio use case, to fetch credentials using the DomainExecutionRoleCreds profile.
**Motivation**
* SMUS extensions would require these creds to fetch data from S3/Redshift/Glue.
**Testing Done**
* Build CE package and ran locally. Tested building the local image using BYOI.
**Backwards Compatibility Criteria (if any)**
* N/A
Add SageMaker-UI env and DER creds endpoint patch
Revert "Merge pull request #101 from bharathGuntamadugu/feature/smus"
**Description**
• Add support for redirecting to SMUS portal during VSCode session renewal
• Detect SMUS environment using SERVICE_NAME variable
• Update metadata handling to support SMUS portal URL construction
**Motivation**
• Enable users to renew VSCode sessions through SMUS portal
• Improve session renewal experience for SMUS users
**Testing**
• Verified with local VSCode server
• Tested for both SMUS and SageMaker AI with manual cookie population and metadata file creation
**Backward compatibility**
• Maintains existing behavior for non-SMUS environments
• Silent failure handling prevents disruption of current flows
**Description**
- Adding SageMaker UI Dark Theme system extension
- This extension allows the "Default Dark Modern" theme to be enabled in SageMaker Unified Studio by default.
- Checks against the SERVICE_NAME=SageMakerUnifiedStudio environment variable to dynamically apply.
- If user settings or workspace settings have workbench.colorTheme set, Default Dark Modern does not get applied.
- This allows the user to set their own theme if they choose.
- Provides extension output in Output View in SageMaker Unified Studio (Disabled in SageMaker AI).
**Testing Done**
- Tested locally with ENV variable SERVICE_NAME=SageMakerUnifiedStudio set and unset.
- Confirmed Default Dark Modern theme applies and provides logging output when ENV variable is set.
- Confirmed SageMaker AI experience is unaffected.
feat: Add SageMaker UI Dark Theme extension
**Description**
- Post-startup script stored in SMD (SageMaker Distribution) enables the required customizations for SMUS applications.
- This functionality is currently operational for JupyterLab apps.
- We are extending this capability to CodeEditor apps.
**Testing Done**
- Tested building the local image for these changes and tested on personal LL stack using BYOI
- Verified script execution log file generation at /var/log/apps after app launch
…s-sagemaker-extension
Signed-off-by: austinjang2 <[email protected]>
Fix: Update display-language.patch and series
.github/workflows/build.yml
Outdated
| name: Run unit tests | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| # Checkout repository code | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| # Verify CSP line exists in target TypeScript file | ||
| - name: Check CSP configuration in webClientServer.ts | ||
| shell: sh | ||
| run: | | ||
| TARGET_FILE="patched-vscode/src/vs/server/node/webClientServer.ts" | ||
| REQUIRED_TEXT="'connect-src \'self\' ws: wss: https://main.vscode-cdn.net http://localhost:* https://localhost:* https://login.microsoftonline.com/ https://update.code.visualstudio.com https://*.vscode-unpkg.net/ https://default.exp-tas.com/vscode/ab https://vscode-sync.trafficmanager.net https://vscode-sync-insiders.trafficmanager.net https://*.gallerycdn.vsassets.io https://marketplace.visualstudio.com https://openvsxorg.blob.core.windows.net https://az764295.vo.msecnd.net https://code.visualstudio.com https://*.gallery.vsassets.io https://*.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com https://*.servicebus.windows.net/ https://vscode.blob.core.windows.net https://vscode.search.windows.net https://vsmarketplacebadges.dev https://vscode.download.prss.microsoft.com https://download.visualstudio.microsoft.com https://*.vscode-unpkg.net https://open-vsx.org;'" | ||
|
|
||
| if [ ! -f "$TARGET_FILE" ]; then | ||
| echo "❌ FAIL: Target file $TARGET_FILE does not exist." | ||
| exit 1 | ||
| fi | ||
|
|
||
| if grep -F "$REQUIRED_TEXT" "$TARGET_FILE" > /dev/null; then | ||
| echo "✅ PASS: Required CSP text exists." | ||
| else | ||
| echo "❌ FAIL: Required CSP text NOT found in $TARGET_FILE" | ||
| exit 1 | ||
| fi | ||
|
|
||
|
|
||
|
|
||
| # The main job for building the application | ||
| build: |
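Review bot: the "Run unit tests" job greps `patched-vscode/src/vs/server/node/webClientServer.ts` straight after `actions/checkout@v4`, with no submodule checkout and no patch step, while the `build` job below checks out submodules recursively and runs `quilt push -a` before touching `vscode`; confirm `patched-vscode` exists in a plain checkout, otherwise this step fails on every run (and if it is a committed copy, it can drift from what the build actually patches). The check itself is a byte-exact substring match on one very long line, so reordering the allowlist or changing whitespace breaks it even when the policy is unchanged; matching per origin (one `grep -F` per entry, or extracting the `connect-src` directive and comparing sets) would be sturdier. While here, `https://*.vscode-unpkg.net/` appears twice in `REQUIRED_TEXT` (with and without the trailing slash).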
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix
AI 4 months ago
To fix this issue, add an explicit permissions block at the root level of .github/workflows/build.yml. This ensures that the GITHUB_TOKEN in all jobs is restricted to only the minimal necessary permissions, adhering to best practices and the principle of least privilege. In this workflow, setting permissions: contents: read is sufficient, as no step performs repository write operations (e.g., pushing commits, creating issues, managing pull requests). Add the following block immediately after the workflow name: definition at the top of the file (after line 2).
| @@ -1,5 +1,7 @@ | ||
| # Workflow name | ||
| name: Build | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # This workflow is triggered on pushes and pull requests to the main branch. | ||
| on: |
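Review bot: `contents: read` at the workflow level is the right default here; the jobs shown only check out, build and call `actions/upload-artifact@v4`, and artifact upload does not depend on `GITHUB_TOKEN` scopes. If a later job needs more (publishing a release, for instance), grant it with a job-level `permissions:` block on that job rather than widening the workflow default.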
.github/workflows/build.yml
Outdated
| name: Build sagemaker-code-editor | ||
| runs-on: ubuntu-22.04 | ||
| # Ensure unit tests pass before building | ||
| needs: run-unit-tests | ||
| timeout-minutes: 60 | ||
| env: | ||
| # Environment variable to optimize the build process | ||
| DISABLE_V8_COMPILE_CACHE: 1 | ||
|
|
||
| steps: | ||
| # Step 1: Check out the repository code, including its submodules. | ||
| - name: Checkout repo with submodules | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| # Step 2: Install system-level dependencies required for the build. | ||
| - name: Install system dependencies | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y make gcc g++ libx11-dev xorg-dev libxkbfile-dev libsecret-1-dev libkrb5-dev python3 jq perl gettext automake autoconf quilt | ||
|
|
||
| # Step 3: Set up the Node.js environment. Version 20 is specified. | ||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| # Use npm for caching, not yarn | ||
| cache: 'npm' | ||
| cache-dependency-path: '**/package-lock.json' | ||
|
|
||
| # Step 4: Apply patches from the 'patches' directory if it exists. | ||
| - name: Apply patches (if any) | ||
| run: | | ||
| if [ -d patches ] && [ "$(ls -A patches)" ]; then | ||
| set -e | ||
| quilt push -a | ||
| fi | ||
|
|
||
| # Step 5: Generate a version string for this specific build. | ||
| # It's based on the commit SHA to create a unique identifier. | ||
| - name: Set Development Version | ||
| id: version | ||
| run: | | ||
| SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7) | ||
| VERSION="0.0.0-dev-${SHORT_SHA}" | ||
| echo "VERSION=$VERSION" >> $GITHUB_ENV | ||
| echo "Generated version for this build: $VERSION" | ||
|
|
||
| # Step 6: The main build process for vscode, now using npm. | ||
| - name: Build vscode | ||
| run: | | ||
| cd vscode | ||
| export DISABLE_V8_COMPILE_CACHE=1 | ||
| export UV_THREADPOOL_SIZE=4 | ||
|
|
||
| npm install -g node-gyp | ||
|
|
||
| # Install dependencies using npm, skip optional and native modules | ||
| npm install | ||
|
|
||
| # Run the gulp build task with memory optimizations | ||
| ARCH_ALIAS=linux-x64 | ||
| node --max-old-space-size=32768 --optimize-for-size \ | ||
| ./node_modules/gulp/bin/gulp.js \ | ||
| "vscode-reh-web-${ARCH_ALIAS}-min" | ||
|
|
||
| # Step 7: Find the exact path of the original build output directory. | ||
| - name: Find build output | ||
| id: find_output | ||
| run: | | ||
| BUILD_PATH=$(find . -name "vscode-reh-web-linux-x64" -type d | head -n 1) | ||
| if [ -z "$BUILD_PATH" ]; then | ||
| echo "::error::Build output directory 'vscode-reh-web-linux-x64' not found!" | ||
| exit 1 | ||
| fi | ||
| echo "Build output found at: $BUILD_PATH" | ||
| echo "build_path=$BUILD_PATH" >> $GITHUB_OUTPUT | ||
|
|
||
| # Step 8: Rename the build output directory to sagemaker-code-editor | ||
| - name: Rename build output directory | ||
| id: rename_output | ||
| run: | | ||
| ORIG_PATH="${{ steps.find_output.outputs.build_path }}" | ||
| PARENT_DIR=$(dirname "$ORIG_PATH") | ||
| mv "$ORIG_PATH" "$PARENT_DIR/sagemaker-code-editor" | ||
| echo "Renamed build output directory to: $PARENT_DIR/sagemaker-code-editor" | ||
| echo "build_path=$PARENT_DIR/sagemaker-code-editor" >> $GITHUB_OUTPUT | ||
|
|
||
| # Step 9: Create a compressed tarball of the renamed build output. | ||
| - name: Create tarball archive | ||
| run: | | ||
| TARBALL="sagemaker-code-editor-${{ env.VERSION }}.tar.gz" | ||
| BUILD_DIR_PATH="${{ steps.rename_output.outputs.build_path }}" | ||
| PARENT_DIR=$(dirname "$BUILD_DIR_PATH") | ||
| BUILD_DIR_NAME=$(basename "$BUILD_DIR_PATH") | ||
| echo "Creating '$TARBALL' from '$BUILD_DIR_NAME' in '$PARENT_DIR'" | ||
| tar czf $TARBALL -C "$PARENT_DIR" "$BUILD_DIR_NAME" | ||
|
|
||
| # Step 10: Upload the tarball as a build artifact. | ||
| - name: Upload build artifact | ||
| if: env.ACT == '' | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: npm-package | ||
| path: sagemaker-code-editor-${{ env.VERSION }}.tar.gz | ||
| # Run end-to-end tests after the build is complete | ||
| run-e2e-tests: |
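Review bot: step 6 runs a plain `npm install`, but the comment above it says dependencies are installed "skip optional and native modules" and no such flags are passed; fix or drop the comment. More importantly, step 3 already keys the cache on `**/package-lock.json`, so `npm ci` would install exactly the locked tree and fail on lockfile drift, whereas `npm install` may resolve newer versions and rewrite the lockfile inside CI. `npm install -g node-gyp` is likewise unpinned; pin a version or rely on the `node-gyp` that ships with npm. Minor: `DISABLE_V8_COMPILE_CACHE=1` is set in the job `env:` and exported again in step 6, and the `set -e` inside the `if` in step 4 is redundant since `run:` steps already execute under `bash -e`.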
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix
AI 4 months ago
To fix this issue, we should add a permissions block to the workflow. The minimal sensible placement is at the workflow (top) level, which will be inherited by all jobs that don't specify their own permissions. Given this workflow's steps—checking out code, running tests, building, uploading artifacts, but not modifying repository contents or creating issues/pull requests—the workflow only requires contents: read, which lets jobs read repository code but not make changes.
To implement the fix:
- In `.github/workflows/build.yml`, insert a `permissions:` block directly below the workflow name (line 2).
- Set `contents: read` (other permissions may be added if jobs are found to require more, but that's the minimal starting recommendation).
- No further imports or method definitions are required for this change, as it concerns only the workflow YAML.
| @@ -1,5 +1,7 @@ | ||
| # Workflow name | ||
| name: Build | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # This workflow is triggered on pushes and pull requests to the main branch. | ||
| on: |
.github/workflows/build.yml
Outdated
| name: Run e2e tests | ||
| runs-on: ubuntu-22.04 | ||
| needs: build # Ensure e2e tests run after build | ||
| steps: | ||
| # Checkout repository code | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| # Output placeholder message for e2e tests | ||
| - name: Test of e2e test | ||
| run: echo "Test of e2e test" |
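Review bot: `run-e2e-tests` is a placeholder (`echo "Test of e2e test"`) that declares `needs: build` but never consumes the build. Since `build` uploads `npm-package` with `actions/upload-artifact@v4`, this job should download it with `actions/download-artifact@v4` and run against that tarball, or be labelled a stub in the job name so a green check is not read as e2e coverage. Note the upload step is skipped under act (`if: env.ACT == ''`), so a download step needs the same guard for local runs.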
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix
AI 4 months ago
To address this issue, add an explicit permissions block to the workflow. Since none of the jobs in the provided snippet require repository write access, the minimal permission contents: read is appropriate. This permission allows reading repository contents during checkout but prevents accidental or malicious writes (such as pushing commits or modifying repository metadata). To apply this permission to all jobs, insert it at the workflow root, just below the name declaration and before the on trigger (between line 1 and 3). No other code or imports are needed, and existing functionality will be preserved.
| @@ -1,4 +1,6 @@ | ||
| name: Build | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
…iguration validation
- Add e2e.yml for end-to-end testing on PR events
- Update build.yml workflow
- Add Development.md with setup instructions
- Add utility scripts for cache cleanup and local testing
3819e20 to 31df0b7
Refactor the Github Actions Into Separate steps during the PR Build process
ea1320d to 50499e7
- Added docker buildx support to generate local tarball
- Added support to run github workflows locally
- Added support to run code-editor locally
- Updated README with instructions to build and test for different usecases
50499e7 to 05846a2
Summary
This PR introduces a comprehensive Docker-based build system and containerized development environment for SageMaker Code Editor.
Changes
Benefits
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.