1992 Commits

Author SHA1 Message Date
Cornelius A. Ludmann
e9f25f4224
Replace npx with pinned npm-tools and add security hardening (#21166)
* [dev] disable npm lifecycle scripts and npx

* Add npm-tools

* update npm-tools

* dev/image/Dockerfile

* update

Co-authored-by: Ona <no-reply@ona.com>

* Bump leeway version to 0.10.6

Co-authored-by: Ona <no-reply@ona.com>

* Fix npx removal to also delete the target script

The symlink at /root/.nvm/.../bin/npx points to npx-cli.js.
Remove both to ensure npx is fully disabled.

Co-authored-by: Ona <no-reply@ona.com>

* Remove gce-github-runner usage from all workflows

Replace self-hosted GCE runner pattern with GitHub-hosted ubuntu-latest runners across all workflows. This removes the three-phase pattern (create-runner, use-runner, delete-runner) and simplifies workflow execution.

Changes:
- Remove create-runner and delete-runner jobs from all workflows
- Replace runs-on: ${{ needs.create-runner.outputs.label }} with runs-on: ubuntu-latest
- Remove create-runner from job dependencies
- Preserve all other job dependencies and concurrency controls

Affected workflows:
- build.yml (8 jobs)
- workspace-integration-tests.yml (4 jobs)
- ide-integration-tests.yml (4 jobs)
- preview-env-check-regressions.yml (4 jobs)
- preview-env-gc.yml (2 jobs)
- jetbrains-auto-update-template.yml (1 job)
- jetbrains-integration-test.yml (1 job)
- code-nightly.yml (1 job)
- preview-env-delete.yml (1 job)

Co-authored-by: Ona <no-reply@ona.com>

* [dev] use ubuntu-latest-16-cores for builds

* Fix container permissions for GitHub-hosted runners

Add 'options: --user root' to all container configurations to resolve EACCES permission errors when GitHub Actions tries to write to internal directories.

GitHub-hosted runners require containers to run as root to allow the Actions runtime to write to /__w/_temp/_runner_file_commands/ and other internal paths.

Affected workflows:
- build.yml (3 container jobs)
- workspace-integration-tests.yml (2 container jobs)
- ide-integration-tests.yml (2 container jobs)
- preview-env-check-regressions.yml (1 container job)
- preview-env-gc.yml (1 container job)
- jetbrains-auto-update-template.yml (1 container job)
- jetbrains-integration-test.yml (1 container job)
- code-nightly.yml (1 container job)

Co-authored-by: Ona <no-reply@ona.com>

* Fix dev/image build by adding leeway dependency for npm-tools

Create leeway generic build for dev/npm-tools and use it as a dependency in dev/image:docker build. This resolves the build error where npm-tools files were not accessible during Docker build.

Changes:
- Add dev/npm-tools/BUILD.yaml with generic package containing package.json and package-lock.json
- Add dev/npm-tools:pkg as dependency in dev/image/BUILD.yaml
- Update Dockerfile to use COPY from leeway dependency path (dev-npm-tools--pkg/)

This follows the established pattern used in other builds like install/installer where dependencies are copied from leeway-generated paths.

Co-authored-by: Ona <no-reply@ona.com>

* Fix npm-tools installation permissions in dev/image

Add chown command to fix EACCES permission error when installing npm-tools. The COPY command creates files owned by root, but npm ci runs as gitpod user and needs write access to create node_modules.

Changes:
- Add 'sudo chown -R gitpod:gitpod /opt/npm-tools' before npm ci
- This ensures the gitpod user can write to /opt/npm-tools/node_modules/

Error fixed:
  npm error code EACCES
  npm error syscall mkdir
  npm error path /opt/npm-tools/node_modules
  npm error errno -13

Co-authored-by: Ona <no-reply@ona.com>

* [dev] Split builds into branch and main

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Cornelius Ludmann <cornelius@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
2025-12-05 16:25:19 +01:00
Gero Posmyk-Leinemann
8e02e09f71
[CLC-2041] Block signups for Classic PAYG sunset (#21114)
Block new user signups when Classic PAYG sunset is enabled:

- Add isUserSignupBlockedBySunset() function in featureflags.ts
  - Checks if sunset is enabled for the installation
  - Exempts dedicated installations
  - Blocks all signups (new users don't have orgs/roles yet)

- Add signup blocking in generic-auth-provider.ts callback
  - Check before createNewUser() is called
  - Redirect blocked signups to https://app.ona.com/login
  - Log blocked signup attempts

This complements the existing login and workspace operation blocks
from CLC-2032, closing the signup path that was previously unblocked.

Co-authored-by: Ona <no-reply@ona.com>
2025-10-21 02:54:50 -04:00
Cornelius A. Ludmann
7421edc4e8
[CLC-2032] Fix Classic PAYG sunset bypass via websocket API (#21108)
The original sunset implementation only added checks to the new gRPC API
(WorkspaceServiceAPI) but missed the legacy websocket API (GitpodServerImpl).
This allowed users to bypass the sunset blocking through:

- Gitpod CLI/Local App (uses experimental/v1 API)
- JetBrains Gateway (uses websocket API directly)
- Public API with Personal Access Tokens
- Dashboard when feature flag is disabled

This fix adds the sunset check to both startWorkspace() and createWorkspace()
methods in GitpodServerImpl, using the same isWorkspaceStartBlockedBySunset()
function that's already used in WorkspaceServiceAPI.

The check:
- Blocks installation-owned users (no organizationId)
- Blocks users in non-exempted organizations
- Exempts dedicated installations
- Exempts organizations in the exemptedOrganizations list

Co-authored-by: Ona <no-reply@ona.com>
2025-10-17 08:19:39 -04:00
Gero Posmyk-Leinemann
d42b06d3b0
[CLC-2032] Block login and workspace operations for Classic PAYG sunset (#21100)
* [CLC-2032] Block login and workspace operations for Classic PAYG sunset

Implement feature flag-based blocking for Gitpod Classic PAYG users:

Backend:
- Add utility functions to check if user is blocked by sunset
- Block login attempts in /login route handler, redirect to app.ona.com
- Block workspace creation and start operations in workspace-service-api
- Exempt users with roles/permissions and users in exempted organizations

Frontend:
- Update login page to show 'Login with Ona' button when sunset is enabled
- Keep SSO login form visible for exempted organizations
- Hide sunset notice banner when flag is enabled
- Update heading to 'Gitpod Classic has sunset'

Feature flag: classic_payg_sunset_enabled (JSON with enabled boolean and exemptedOrganizations array)

Co-authored-by: Ona <no-reply@ona.com>

* Add oldLogin parameter to show full login UI for exempted orgs

When sunset is enabled on gitpod.io, users now see a simplified UI:
- 'Continue with Ona' button (default)
- Link to show all login options (?oldLogin=true)

With ?oldLogin=true parameter:
- Shows all OAuth provider buttons
- Shows SSO login form
- Full functionality for exempted organizations

The link preserves returnToPath parameter if present.

Co-authored-by: Ona <no-reply@ona.com>

* Refactor backend sunset checks into separate functions

Split sunset blocking logic into two functions:
- isUserLoginBlockedBySunset: checks roles/permissions exemption for login
- isWorkspaceStartBlockedBySunset: checks org-level exemption for workspace ops

Move ClassicPaygSunsetConfig interface to gitpod-protocol for reusability.
Pass organizationId explicitly to workspace blocking checks.

Co-authored-by: Ona <no-reply@ona.com>

* Use typed ClassicPaygSunsetConfig in frontend feature flag

Import ClassicPaygSunsetConfig type from gitpod-protocol and use it
as the default value for classic_payg_sunset_enabled feature flag.

This leverages TypeScript's generic type inference in useFeatureFlag:
- useFeatureFlag<K extends keyof FeatureFlags> returns FeatureFlags[K]
- For classic_payg_sunset_enabled, it now returns ClassicPaygSunsetConfig
- Other flags continue to return their respective types (boolean, string, etc.)

Updated Login.tsx to access .enabled property with type guard to handle
the union type (ClassicPaygSunsetConfig | boolean) during loading state.

This ensures type safety and consistency between frontend and backend.

Co-authored-by: Ona <no-reply@ona.com>

* Parse JSON string for classic_payg_sunset_enabled feature flag

ConfigCat text flags return strings, so we need to parse JSON on both
frontend and backend.

Backend (featureflags.ts):
- Send JSON.stringify(defaultConfig) to ConfigCat
- Parse returned string with JSON.parse()
- Handle errors gracefully with fallback to default

Frontend (featureflag-query.ts):
- Add parseFeatureFlagValue() helper for JSON flags
- Send stringified default for classic_payg_sunset_enabled
- Parse returned string value
- Maintain type safety with generic return types

This allows ConfigCat to store the flag as text while maintaining
the typed object structure in our code.

Co-authored-by: Ona <no-reply@ona.com>

* Exempt dedicated installations from sunset blocking

Add isDedicatedInstallation parameter to sunset check functions.
Dedicated installations always return false (not blocked) regardless
of feature flag state.

Changes:
- isUserLoginBlockedBySunset: add isDedicatedInstallation param
- isWorkspaceStartBlockedBySunset: add isDedicatedInstallation param
- UserController: pass config.isDedicatedInstallation to login check
- WorkspaceServiceAPI: inject Config and pass isDedicatedInstallation

This ensures the sunset only affects gitpod.io (PAYG) and not
dedicated installations.

Co-authored-by: Ona <no-reply@ona.com>

* update login page for Gitpod classic `gitpod.io` users

* fix

* Improve sunset UI: use primary button and remove redundant subheading

Co-authored-by: Ona <no-reply@ona.com>

* Update sunset UI heading to focus on Ona value proposition

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Siddhant Khare <siddhant@gitpod.io>
Co-authored-by: Cornelius A. Ludmann <github@cornelius-ludmann.de>
2025-10-15 09:06:36 -04:00
Gero Posmyk-Leinemann
9e34aea982
Remove superfluous security feature flags and always enable protections (#21007)
* Remove superfluous security feature flags and always enable protections

- Remove context_env_var_validation feature flag - environment variable validation now always enabled
- Remove enable_nonce_validation feature flag - CSRF protection with nonce validation now always enabled
- Remove enable_strict_authorize_return_to feature flag - strict OAuth returnTo validation now always enabled
- Update tests to reflect permanent security measures
- Simplify code by removing conditional security logic

These security features should be permanently active rather than behind feature flags.
Addresses CLC-1618 by ensuring critical security protections cannot be accidentally disabled.

Co-authored-by: Ona <no-reply@ona.com>

* Fix unused import in envvar-prefix-context-parser.spec.ts

Remove unused Experiments import that was causing TypeScript compilation error.

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>
2025-09-22 11:53:22 -04:00
Cornelius A. Ludmann
29f3c59f4e
Revert "Redact args in the logs of audit log service (#20853)" (#21039)
This reverts commit b007b1dcaa995fec9ee7aded2c7de402bd0c5493.

Co-authored-by: Ona <no-reply@ona.com>
2025-09-04 06:02:05 -04:00
iQQBot
a736c1b83b
feat: implement CSRF protection for OAuth flows with nonce validation (#20983)
* feat: implement CSRF protection for OAuth flows with nonce validation

- Add NonceService for cryptographically secure nonce generation and validation
- Include nonce in JWT state for OAuth authorization requests
- Store nonce in secure httpOnly cookie with SameSite=strict
- Validate nonce matches between state and cookie in auth callback
- Add origin/referer header validation for additional CSRF protection
- Use timing-safe comparison to prevent timing attacks
- Clear nonce cookie after successful validation or on error

This prevents CSRF attacks where malicious sites could initiate OAuth flows
on behalf of users by ensuring authorization requests originate from Gitpod.

Co-authored-by: Ona <no-reply@ona.com>

* refactor: consolidate fragment protection and fix context provider conflict

Co-authored-by: Ona <no-reply@ona.com>

* fix: handle GitHub OAuth api subdomain edge case with secure redirect

Co-authored-by: Ona <no-reply@ona.com>

* fix: simplify api subdomain redirect test to avoid dependency injection complexity

Replace complex Authenticator dependency injection test with simple unit test
that focuses on the core logic without requiring all service dependencies.

This makes the test more reliable and easier to maintain while still validating
the critical api subdomain detection logic for the GitHub OAuth edge case.

Co-authored-by: Ona <no-reply@ona.com>

* docs: update domain examples to use gitpod.io instead of preview domains

Update test examples and documentation to use production-appropriate
domain examples (gitpod.io) instead of specific preview environment
domains for better clarity and maintainability.

Co-authored-by: Ona <no-reply@ona.com>

* fix cookie

Co-authored-by: Ona <no-reply@ona.com>

* Update authenticator.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update authenticator.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* minor stuff

* cleanup old redirect logic

* cleanup

* 1

Co-authored-by: Ona <no-reply@ona.com>

* feat: add feature flags for nonce validation and strict authorize returnTo

Add two feature flags to control security features with safe defaults:

**Feature Flag 1: enable_nonce_validation (default: false)**
- Controls CSRF nonce validation in OAuth flows
- When disabled: Nonce is generated but not validated (future compatibility)
- When enabled: Full CSRF protection with nonce and origin validation
- Nonce cookies are always generated and cleared for consistency

**Feature Flag 2: enable_strict_authorize_return_to (default: false)**
- Controls returnTo validation strictness for /api/authorize endpoint
- When disabled: Falls back to login validation (broader patterns)
- When enabled: Uses strict authorize validation (limited to specific paths)
- /api/login always uses login validation regardless of flag

**Implementation Details:**
- Always generate nonce for consistency and future compatibility
- Only validate nonce when feature flag is enabled
- Always clear nonce cookies regardless of validation state
- Authorize endpoint checks flag and falls back gracefully
- Comprehensive logging for debugging and monitoring

**Backward Compatibility:**
- Default false ensures no breaking changes
- Gradual rollout possible via feature flag configuration
- Existing authentication flows continue to work
- Safe fallback behavior when flags are disabled

Co-authored-by: Ona <no-reply@ona.com>

* fix: validate OAuth callback origin against SCM provider domain

Update NonceService.validateOrigin to check request origin against the
expected SCM provider domain instead of Gitpod's own domain. This fixes
the CSRF protection logic for OAuth callbacks which legitimately come
from external providers (github.com, gitlab.com, etc.).

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* 1

* remove the origin check logic

* update sorry url

* move files

* use safeRedirect for redirect

* 1

* [server] minor refactor/renames

* moah changes

---------

Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
Co-authored-by: Claude <noreply@anthropic.com>
2025-08-01 06:20:47 -04:00
Gero Posmyk-Leinemann
9b7dd9f5c7
[dev] Use "ping" in redis-cli, which is compatible with newer versions (#20989)
* [dev] Use "-ping" in redis-cli, which is compatible with newer versions

* Fix ping invocation

Co-authored-by: iQQBot <tianshi8650@gmail.com>

---------

Co-authored-by: iQQBot <tianshi8650@gmail.com>
2025-08-01 05:52:47 -04:00
Gero Posmyk-Leinemann
266d6536e5
[server] Implement context env var validation behind context_env_var_validation ff (#20968)
Co-authored-by: Ona <no-reply@ona.com>
2025-07-24 02:23:35 -04:00
iQQBot
830d9c91b0
[server] tolerate deleted users for listWorkspaceSessions (#20943)
Co-authored-by: Kyle Brennan <kyle@gitpod.io>
2025-07-09 02:03:21 -04:00
Gero Posmyk-Leinemann
c5a55dd02a
[claude/cline] See if it works to integrate memory-bank into Claude Code (#20913)
* [cline] Fix memory-bank rules

* [claude] Integrate with memory-bank (attempt)
2025-06-19 11:41:02 -04:00
Gero Posmyk-Leinemann
c568be5978
[image-builder] Introduce retry for all resolver requests (timeout 15s, up to 3 times) for all network-related issues (#20868)
* [image-builder] Fix generate.sh

* [image-builder-api] Add use_retry_client to ResolveBaseImageRequest and BuildRequest

* [image-builder] Use req.GetUseRetryClient() instead of feature flag resolved on startup

[image-builder] Drop superfluous imports

[image-builder] Switch to github.com/hashicorp/go-retryablehttp, incl. better unit tests at orchestrator level!

* [server] Pass "useRetryClient" on all requests to image-builder
2025-06-05 11:30:13 -04:00
Cornelius A. Ludmann
f1dc3a5bc2
[scrubber] Scrub Git URLs in log messages (#20843)
2025-06-02 15:04:10 -04:00
Gero Posmyk-Leinemann
7d1a8eb13c
[server] Fix spicedb retry on DEADLINE_EXCEEDED & UNAVAILABLE (#20867)
2025-06-02 05:29:09 -04:00
iQQBot
301f1b73da
upgrade golang to 1.24.3 (#20846)
* upgrade golang to 1.24.3

* fix caddy

* update go debug

* fix non-constant format string in call to fmt Format method
2025-05-28 13:32:00 -04:00
Cornelius A. Ludmann
b007b1dcaa
Redact args in the logs of audit log service (#20853)
2025-05-28 04:35:59 -04:00
Gero Posmyk-Leinemann
175fb0bebd
[dev] Bump node 18.x to 22.15.1 (#20852)
* [node] Bump docker builder images 18.20.7 -> 22.15.1

* [dev] Bump dev image references (18.20.7 -> 22.15.1)

* [dev] Bump devcontainer nodejs to 22.15.1
2025-05-27 10:53:59 -04:00
Gero Posmyk-Leinemann
52848de54f
[server, dashboard, db] Org-wide "maintenance mode" (#20813)
* [dashboard] Initial infra rollout page, incl. list running workspaces

* [server, db, dashboard] Allow org-owner to stop workspace on all workspaces in the organization

Also, fix maintenanceMode update

* [public-api, db, server, dashboard] Introduce MaintenanceNofitication banner that can be configured per org

* review comments: use mutation instead of callback for state mutation

* Fix workspace start prevention

* Review comments around banners and rendering

 - permissions issues
 - add banner to /new page
 - a bunch of rendering issues and alignments
 - renaming some things for clarity (dropped "Scheduled" prefixes)
 - only allow up to 255 characters in notification messages

* [dashboard] Only show Admin entry for dedicated

* [server] Fix permissions for setMaintenanceMode to "maintenance"

* [dashboard] Adjusted copy incl. default notification message

* Review comments: re-use and fix styles, and naming

Co-authored-by: Filip Troníček <filip@gitpod.io>

* Minor copy improvements

* [server] Fix bogus permission check in stopWorkspace

---------

Co-authored-by: Filip Troníček <filip@gitpod.io>
2025-05-15 09:57:00 -04:00
Gero Posmyk-Leinemann
6a6052fe11
[server, dashboard] Map USER_DELETED properly through the API (#20796)
* [server] Fix OrganizationService.addOrUpdateMember

* [server] OrganizationService test: apply withTestCtx

* [server, dashboard] Replace USER_DELETED with NOT_FOUND + error details, and ensure it's properly mapped across the API
2025-05-07 10:57:53 -04:00
Gero Posmyk-Leinemann
b34a9fda67
[server] Fix permission issue for collaborators in listenForPrebuildUpdates (#20782)
2025-05-05 07:35:50 -04:00
Gero Posmyk-Leinemann
a3db4f1693
[server] Allow org env vars in repos that don't have projects (#20774)
Enables the use case of collaborators allowing to use projects with a private default workspace image configured on the org-level. This is enabled by the optional `enableDockerdAuthentication` that was implemented in #20586 - shortly _after_ org-level-env vars was implemented in #20538.
2025-04-25 09:39:34 -04:00
Gero Posmyk-Leinemann
198dea471d
[server, bridge] Bind metrics apps to "127.0.0.1" instead of "localhost" (#20719)
Tool: gitpod/catfood.gitpod.cloud
2025-03-31 08:57:59 -04:00
Gero Posmyk-Leinemann
4083e6f252
[server, bridge] Switch base-images to node:18.20.7-alpine to avoid CVEs (#20692)
Tool: gitpod/catfood.gitpod.cloud
2025-03-21 07:16:50 -04:00
Gero Posmyk-Leinemann
10672a1c50
[server] Remove google-cloud-profiler (#20691)
Tool: gitpod/catfood.gitpod.cloud
2025-03-21 06:40:49 -04:00
Gero Posmyk-Leinemann
61795b793a
[server] Some change to trigger a release (#20678)
Tool: gitpod/catfood.gitpod.cloud
2025-03-20 16:15:49 -04:00
Gero Posmyk-Leinemann
aaa27c2821
[server] Add /ready probe to smooth rollout of server pods (#20673)
* [server] Move /ready to /startup, and rename code to StartupController (because it's used by the StartupProbe)

Tool: gitpod/catfood.gitpod.cloud

* [server] Introduce special /ready handler that only returns "false" during the shutdown phase

Tool: gitpod/catfood.gitpod.cloud
2025-03-18 11:28:47 -04:00
Gero Posmyk-Leinemann
fad0801ca8
[server] Fix broken /ready endpoint and changed the probe to be a StartupProbe (#20672)
Tool: gitpod/catfood.gitpod.cloud
2025-03-18 06:34:47 -04:00
Gero Posmyk-Leinemann
89e09307b9
[server] Introduces ReadinessProbe (#20669)
* [server] Introduce ReadinessController and probe at /ready

Tool: gitpod/catfood.gitpod.cloud

* [server] Move /live and /ready endpoints to a separate express app and port

Tool: gitpod/catfood.gitpod.cloud

* [memory-bank] task-related learnings

Tool: gitpod/catfood.gitpod.cloud

* [server] Introduce `server_readiness_probe` feature flag so we can disable the ReadinessProbe if required

Tool: gitpod/catfood.gitpod.cloud

* docs: formalize Product Requirements Document workflow

- Add PRD workflow to systemPatterns.md as a standardized development process
- Update .clinerules with instructions to follow the PRD workflow
- Update activeContext.md and progress.md to reference the new workflow

This formalizes the process we used for implementing the server readiness probe feature.

Tool: gitpod/catfood.gitpod.cloud

* [server] ReadinessProbe: add redis as dependency

Tool: gitpod/catfood.gitpod.cloud

* review comments

Tool: gitpod/catfood.gitpod.cloud

* [dev] Remove outdated gopls config

Tool: gitpod/catfood.gitpod.cloud

* [server] Fix import

Tool: gitpod/catfood.gitpod.cloud
2025-03-17 11:44:46 -04:00
Gero Posmyk-Leinemann
5d557f73c8
[spicedb] Fix intermittent "Error: 4 DEADLINE_EXCEEDED...Waiting for LB pick" (#20637)
* [dev] Bump grpc/grpc-js 1.10.8 -> 1.12.6 and authzed/authzed-node 0.15.0 -> 1.2.2

Tool: gitpod/catfood.gitpod.cloud

* [server] Streamline spicedb gRPC client usage and creation options

 - instead of doing retries on two levels, rely on the gRPC-level retries
 - to mitigate the loss of insights, introduce createDebugLogInterceptor
 - client options: use sane defaults derived from the documentation instead of the excessive ones we had in place before
 - use "waitForReady" option: it should a) make our calls more responsive on re-connects, while b) - because we keep re-trying on DEADLINE_EXCEEDED - should be as reliable as before

Tool: gitpod/catfood.gitpod.cloud

* [protocol] Centralize grpc.isConnectionAlive

Tool: gitpod/catfood.gitpod.cloud

* [server] SpiceDB client: retry with new client on "Waiting for LB pick" error

Tool: gitpod/catfood.gitpod.cloud
2025-03-17 05:13:46 -04:00
Gero Posmyk-Leinemann
23c3e83013
[server] OrganizationService:Fix unpin for pinnedEditorVersions (don't use deepmerge but overwrite if set) (#20646)
Tool: gitpod/catfood.gitpod.cloud
2025-03-03 04:46:31 -05:00
mustard
f5eda871e6
[server] add feature flags for spicedb client options (#20613)
* add feature flags for spicedb client options

Tool: gitpod/catfood.gitpod.cloud

* Add comments

Tool: gitpod/catfood.gitpod.cloud

* fixup

Tool: gitpod/catfood.gitpod.cloud

* address feedback

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
Tool: gitpod/catfood.gitpod.cloud

* fixup

Tool: gitpod/catfood.gitpod.cloud

---------

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
2025-02-26 11:34:11 -05:00
Gero Posmyk-Leinemann
dd50c2aee8
[api, server, dashboard] Cleanup UpdateOrganizationSettings API (#20603)
* [api, server, dashboard] Cleanup UpdateOrganizationSettings API

Tool: gitpod/catfood.gitpod.cloud

* Org settings partial updates improvements (#20626)

Tool: gitpod/catfood.gitpod.cloud

* review comment

Tool: gitpod/catfood.gitpod.cloud
2025-02-25 08:58:11 -05:00
Filip Troníček
331453c892
[dashboard] Avatar selection improvements (#20620)
* feat(dashboard): Enhance team onboarding with member avatar and framework selection

- Add OrgMemberAvatarInput component with improved member selection using Popover and Command
- Implement ComboboxDemo for framework selection
- Update Button variant and add cmdk package
- Improve UI components with more flexible selection and filtering

Tool: gitpod/catfood.gitpod.cloud

* fix(orgs): when updating org welcome msg settings, enforce updating `featuredMemberId`

Tool: gitpod/catfood.gitpod.cloud

* A proper fix with existing prebuild list combobox

Tool: gitpod/catfood.gitpod.cloud

* chore: Remove unused cmdk package and related components

- Remove cmdk package from package.json
- Delete Command.tsx component
- Remove unused featuredMemberId state from TeamOnboarding
- Clean up yarn.lock dependencies related to cmdk and radix-ui packages

Tool: gitpod/catfood.gitpod.cloud

* Clean up

Tool: gitpod/catfood.gitpod.cloud
2025-02-24 04:47:09 -05:00
Filip Troníček
04f590de85
Organization onboarding welcome message (#20577)
* squashed (- oidc/newUser)

Tool: gitpod/catfood.gitpod.cloud

* [server, db] Cleanup UpdateOrgSettings API handling

Tool: gitpod/catfood.gitpod.cloud

* [dashboard] Render WelcomeMessage based on a) user.createdAt and b) localStorage

Tool: gitpod/catfood.gitpod.cloud

* [api, server] Add missing update_allowed_workspace_classes field

Tool: gitpod/catfood.gitpod.cloud

* [dashboard] Fix updateOrgSettings API usage

Tool: gitpod/catfood.gitpod.cloud

* [dashboard, server] Fix duration handling/conversion

Tool: gitpod/catfood.gitpod.cloud

---------

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
2025-02-14 08:14:50 -05:00
Gero Posmyk-Leinemann
e9aae6e497
[docker-up] Auto-login dockerd if GITPOD_IMAGE_AUTH is set (#20586)
* [docker-up] Minor fixes and add tests

Tool: gitpod/catfood.gitpod.cloud

* [image-builder-bob] Tests&fixes from an experimental PR

Tool: gitpod/catfood.gitpod.cloud

* [supervisor, ws-manager] Write docker credentials into client config file if passed into workspace

Tool: gitpod/catfood.gitpod.cloud

* [server] Introduce project.settings.enableDockerdAuthentication and expose it on the API

Tool: gitpod/catfood.gitpod.cloud

* [dashboard] Add "Docker registry authentication" toggle under projects/env vars

Tool: gitpod/catfood.gitpod.cloud

* [server] Guard project.settings.enableDockerdAuthentication by org write_settings permission

Tool: gitpod/catfood.gitpod.cloud

* review comments with cleanup + small fixes

Tool: gitpod/catfood.gitpod.cloud
2025-02-12 05:16:48 -05:00
Filip Troníček
754dc9eb38
Organization-recommended repositories (#20559)
* [server] implement `recommendedRepositories` API field

Tool: gitpod/catfood.gitpod.cloud

* [dashboard] implement org-suggested repositories

Tool: gitpod/catfood.gitpod.cloud

* [dashboard] Spacing and pill labels

Tool: gitpod/catfood.gitpod.cloud

* update copy

Tool: gitpod/catfood.gitpod.cloud

* Get rid of debug fluff

Tool: gitpod/catfood.gitpod.cloud

* Fix onboarding page heading

Tool: gitpod/catfood.gitpod.cloud

* minor nitfix

Tool: gitpod/catfood.gitpod.cloud

* Cascade project deletions to repo recommendations

Tool: gitpod/catfood.gitpod.cloud

* Fix db tests

Tool: gitpod/catfood.gitpod.cloud

* Fix docs link

Tool: gitpod/catfood.gitpod.cloud

* add db test

Tool: gitpod/catfood.gitpod.cloud

* Fix showing suggested repos even with no user contributions

Tool: gitpod/catfood.gitpod.cloud

* Add organization suggested repositories to RepositoryFinder

Tool: gitpod/catfood.gitpod.cloud

* Don't add recommended repos to workspace list for now

Tool: gitpod/catfood.gitpod.cloud

* Regular repo icon for org-suggested repos

Tool: gitpod/catfood.gitpod.cloud
2025-02-04 08:31:19 -05:00
Filip Troníček
71e2b01c8e
[server] Don't block soft deletion rewinds in updateDeletionEligibilityTime (#20569)
* [server] Don't block soft deletion rewinds in `updateDeletionEligibilityTime`

Tool: gitpod/catfood.gitpod.cloud

* Use ISO date strings for comparison

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>

---------

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
2025-01-31 04:21:20 -05:00
mustard
999ade3fb6
[JetBrains] display workspace name on the navbar (#20544)
* [JetBrains] display workspace name on the remote navbar

* Use workspace name
2025-01-30 13:36:20 -05:00
Filip Troníček
9b574a9022
[server] make gRPC clients viable in non-HTTP/2-compatible environments (#20565)
* [server] make gRPC clients viable in non-HTTP/2-compatible environments

Tool: gitpod/catfood.gitpod.cloud

* Address review comments

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
Tool: gitpod/catfood.gitpod.cloud

---------

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
2025-01-30 07:00:19 -05:00
Filip Troníček
77f3fde7a2
[server] Add organization image auth context to workspace image validation (#20560)
* [server] Add organization image auth context to workspace image validation

Tool: gitpod/catfood.gitpod.cloud

* Introduce `listOrgEnvVarsWithValues`

Tool: gitpod/catfood.gitpod.cloud
2025-01-29 04:48:18 -05:00
Filip Troníček
c24b8f4aed
Add optional, org-wide Gitpod commit annotation (#20525)
* [supervisor] Add Gitpod commit annotation

* server and API changes

* [dashboard] add org setting for commit annotation

* Fix things

* Fix label for annotation switch

* Revert accidental rename

* minor docs fixes

* Add a feature flag for the setting: `commit_annotation_setting_enabled`

* Register hook in the cloned repo instead of under /etc/

* don't override existing hooks

* `gp git-commit-message-helper` to use `git interpret-trailers`

* Test it!

* 🧹 indeed

* Update timestamp of DB migration
2025-01-24 08:11:14 -05:00
Gero Posmyk-Leinemann
ad4b7a8f4a
Introduce org-level GITPOD_IMAGE_AUTH (#20538)
* [db, protocol] Introduce DBOrgEnvVar

* [server, spicedb] Introduce and integrate org env vars into internal services

* [server, public-api] Added API for org-level environment variables

* [dashboard] Add UI for setting/removing GITPOD_IMAGE_AUTH to "Organization Settings"

* [db, server] Fix DB queries, mapping to image-build args and fixed tests

* [dashboard] Review comment "icon spacing"

Co-authored-by: Filip Troníček <filip@gitpod.io>

* [dashboard] Review comment superfluous key

Co-authored-by: Filip Troníček <filip@gitpod.io>

* [dashboard] more spacing

Co-authored-by: Filip Troníček <filip@gitpod.io>

* [dashboard] Copyright year

Co-authored-by: Filip Troníček <filip@gitpod.io>

* [public-api] Add converter test case

---------

Co-authored-by: Filip Troníček <filip@gitpod.io>
2025-01-24 03:43:14 -05:00
Filip Troníček
5c8700e427
[dashboard] Add org resources to the top of the workspace list (#20520)
* UI reorg

* generated stuffs

* Make it woooooooork

* Enterprise workspace list overhaul

Todo:
- [ ] only enable on dedicated installs
- [ ] add org setting for org-wide suggestions
- [ ] possibly adopt `Recommended` badges from figma
- [ ] open configurationId instead of cloneUrl if possible

* Conditionally show top sections

* Refactor PillLabel component usage and improve workspace card layout

* Reduce PR scope

* Behave nicely in dedicated emulated preview envs

* Make Getting started dismissible

* Still show old empty ws page for PAYG

* Use ff to display

* accordions are stylish (and clean up user prefs)

* Approach accordions differently (feat. @geropl)

* Revert things for later

* Get rid of debug logs!

* Use pk colors
2025-01-16 06:09:31 -05:00
Filip Troníček
d54bd04999
Enterprise onboarding settings (#20508)
* UI reorg

* generated stuffs

* Make it woooooooork

* Classier placeholder

* Remove unneeded fragment

* Introduce `enterprise_onboarding_enabled` flag

* move things properly

* add ipv6 localhost
2025-01-08 11:05:23 -05:00
Filip Troníček
7ac347a771
[server] log all deletion eligibility time updates (#20497)
2025-01-06 06:08:21 -05:00
Nandaja Varma
4bd992439c
[oidc] Fix the HEAD method call that checks reachability (#20474)
* [oidc] Fix the HEAD method call that checks reachability

* [server] Fix setup flow

---------

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
2024-12-20 03:01:05 -05:00
Filip Troníček
b29e06a67e
[server] Fix workspace service's workspace ID validation (#20468)
2024-12-19 10:34:04 -05:00
Filip Troníček
da1d931464
[server] fix private GitHub avatars (#20461)
* [server] fix private GitHub avatars

* Improve comment and don't delete all search params
2024-12-17 04:20:02 -05:00
Filip Troníček
55b486ee5f
Introduce max_parallel_running_workspaces for orgs (#20448)
* Introduce `max_parallel_running_workspaces` for orgs

* Add migration

* Add UI and org settings server changes

* Rough edges

* Number inputs (:trollface:)

* Move LazyOrganizationService to UBP entitlement service to get rid of circ. dep. errs

* Fix tests

* Update components/gitpod-db/src/typeorm/entity/db-team-settings.ts

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>

* Rename `isPaidPlan` to `isPaidOrDedicated` and get rid of `update_max_parallel_running_workspaces`

* Update components/server/src/workspace/workspace-service.ts

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>

* Deduplicate instance counting logic

---------

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
2024-12-16 09:06:02 -05:00
Filip Troníček
a303660a5f
Add insights page (#20437)
* Add WS image metrics to workspace instances

* Update tests

* fix ws-manager-api field description

* [dashboard] Org Insights page

* Pagination, date filters and downloads

* Safety limits for pagination and prettier icons

* UI improvements

* Enhance `from` date to capture whole day

* some more props for the CSVs

* Include git context with workspace responses

* Context url segments in CSV

* ide => editor to align with papi convention

* Remove duplicate fc

* revert route deletion

* Update papi converter tests and revert unnecessary changes

* fix error rendering

* partly revert ws api svc changes

* Remove debug lines

* fix proto typo

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>

* Remove org member listing from frontend

* Shorter == better 😎

* Move workspace.metadata.context onto a top-level `WorkspaceSession` property

---------

Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>
2024-12-12 08:55:33 -05:00