WORKSPACE.yaml
70 lines (69 loc) · 2.88 KB
# this file makes this a leeway workspace
defaultTarget: components:all
defaultArgs:
  imageRepoBase: "eu.gcr.io/gitpod-dev-artifact/build"
  coreYarnLockBase: ../..
  npmPublishTrigger: false
  publishToNPM: false
  publishToJBMarketplace: false
  localAppVersion: unknown
  codeCommit: ad8e28e2ea7b21673c6ade4f2fbde7ddfa23dc98
  codeVersion: 1.111.0
  codeQuality: stable
  codeWebExtensionCommit: 3953e8160fffa97dd4a4509542b4bf7ff9b704cd
  xtermCommit: d547d4ff4590b66c3ea24342fc62e3afcf6b77bc
  noVerifyJBPlugin: false
  intellijDownloadUrl: "https://download.jetbrains.com/idea/ideaIU-2025.1.1.1.tar.gz"
  golandDownloadUrl: "https://download.jetbrains.com/go/goland-2025.1.1.tar.gz"
  pycharmDownloadUrl: "https://download.jetbrains.com/python/pycharm-2025.1.1.1.tar.gz"
  phpstormDownloadUrl: "https://download.jetbrains.com/webide/PhpStorm-2025.1.1.tar.gz"
  rubymineDownloadUrl: "https://download.jetbrains.com/ruby/RubyMine-2025.1.1.tar.gz"
  webstormDownloadUrl: "https://download.jetbrains.com/webstorm/WebStorm-2025.1.1.tar.gz"
  riderDownloadUrl: "https://download.jetbrains.com/rider/JetBrains.Rider-2024.1.4.tar.gz"
  clionDownloadUrl: "https://download.jetbrains.com/cpp/CLion-2025.1.1.tar.gz"
  rustroverDownloadUrl: "https://download.jetbrains.com/rustrover/RustRover-2025.1.2.tar.gz"
  jbBackendVersion: "latest"
  dockerVersion: "27.5.1"
  dockerComposeVersion: "2.34.0-gitpod.1"
  ipfsKuboVersion: "v0.18.0"
  ipfsClusterVersion: "v1.0.8"
  schedulerExtenderVersion: "c1925d8"
provenance:
  enabled: true
  slsa: true
sbom:
  enabled: true
  ignoreVulnerabilities:
    - vulnerability: GHSA-fx4w-v43j-vc45
      reason: |
        This vulnerability in TypeORM's findOne / findOneOrFail functions can improperly interpret a crafted JSON object
        and concatenate it into raw SQL, potentially allowing SQL injection attacks.
        In Gitpod’s usage, TypeORM is not exposed to arbitrary user input. For example, DB migrations run preset queries;
        the server/bridge code does not hand raw JSON from external sources to findOne. Therefore, there is no path for
        injecting malicious JSON into a query, rendering the vulnerability non-exploitable.
    - vulnerability: GHSA-2jcg-qqmg-46q6
      reason: |
        This is a false positive. See https://github.com/browserify/resolve/issues/303
environmentManifest:
  - name: "go"
    command: ["sh", "-c", "go version | sed s/arm/amd/"]
  - name: "arch"
    command: ["sh", "-c", "echo amd64"]
defaultVariant:
  env:
    - GOARCH=amd64
    - DOCKER_DEFAULT_PLATFORM=linux/amd64
    - NODE_OPTIONS=--max_old_space_size=8192
    - LEEWAY_BUILD=true
  srcs:
    exclude:
      # Make sure we don't include node_modules/**/*.ts by accident
      - "**/node_modules/**"
  config:
    go:
      lintCommand:
        [
          "sh",
          "-c",
          "golangci-lint run --disable govet,errcheck,staticcheck --allow-parallel-runners --timeout 15m",
        ]
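The `sbom.ignoreVulnerabilities` list above is the security-relevant part of this workspace file: each entry silences an advisory in the generated SBOM scan, so it is worth enforcing that every suppression carries a well-formed advisory identifier and a substantive, evidence-backed justification. The following checker is an added example, not code from Gitpod or from leeway; it mirrors the `sbom` section of the file as a Python dictionary (constructed here so the script runs offline without PyYAML; in practice you would `yaml.safe_load` the file), and the GHSA identifier alphabet and the minimum-words threshold are assumptions of this example, not a leeway rule.

```python
import re

# Constructed mirror of the `sbom` section of WORKSPACE.yaml shown on this page.
# In real use: SBOM_SECTION = yaml.safe_load(open("WORKSPACE.yaml"))["sbom"]
SBOM_SECTION = {
    "enabled": True,
    "ignoreVulnerabilities": [
        {
            "vulnerability": "GHSA-fx4w-v43j-vc45",
            "reason": (
                "This vulnerability in TypeORM's findOne / findOneOrFail functions can improperly "
                "interpret a crafted JSON object and concatenate it into raw SQL. In Gitpod's usage, "
                "TypeORM is not exposed to arbitrary user input, rendering it non-exploitable."
            ),
        },
        {
            "vulnerability": "GHSA-2jcg-qqmg-46q6",
            "reason": "This is a false positive. See https://github.com/browserify/resolve/issues/303",
        },
    ],
}

# Constructed "bad" list used to show what the checker flags.
BAD_SECTION = {
    "enabled": True,
    "ignoreVulnerabilities": [
        {"vulnerability": "ghsa-bad", "reason": "ignore"},            # malformed id, no justification
        {"vulnerability": "GHSA-fx4w-v43j-vc45", "reason": ""},        # empty reason
        {"vulnerability": "GHSA-fx4w-v43j-vc45", "reason": "n/a"},     # duplicate id, no justification
    ],
}

# Assumed id formats: GitHub advisory ids are GHSA-xxxx-xxxx-xxxx over the
# 23-character alphabet 23456789cfghjkmpqrvwxyz; CVE ids are CVE-YYYY-NNNN+.
_GHSA_CHARS = "[23456789cfghjkmpqrvwxyz]{4}"
GHSA_RE = re.compile(rf"^GHSA-{_GHSA_CHARS}-{_GHSA_CHARS}-{_GHSA_CHARS}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed policy: a reason must either be a real explanation (at least this
# many words) or point at evidence (a URL), so "false positive" alone is rejected.
MIN_REASON_WORDS = 8


def lint_ignore_list(sbom):
    """Return (identifier, problem) findings for an sbom section; an empty list means clean."""
    findings = []
    seen = set()
    for index, entry in enumerate(sbom.get("ignoreVulnerabilities", [])):
        vuln = str(entry.get("vulnerability", "")).strip()
        label = vuln or f"<entry {index}>"

        if not (GHSA_RE.match(vuln) or CVE_RE.match(vuln)):
            findings.append((label, "identifier is not a GHSA or CVE id"))
        if vuln in seen:
            findings.append((label, "duplicate ignore entry"))
        seen.add(vuln)

        reason = str(entry.get("reason", "")).strip()
        if not reason:
            findings.append((label, "missing reason"))
        elif len(reason.split()) < MIN_REASON_WORDS and "http" not in reason:
            findings.append((label, "reason is too short and cites no evidence"))
    return findings


def is_clean(sbom):
    """True when every suppression in the section passes all checks."""
    return not lint_ignore_list(sbom)


if __name__ == "__main__":
    for name, section in (("page section", SBOM_SECTION), ("bad section", BAD_SECTION)):
        problems = lint_ignore_list(section)
        print(f"{name}: {'clean' if not problems else f'{len(problems)} finding(s)'}")
        for ident, problem in problems:
            print(f"  {ident}: {problem}")
```

Wired into CI next to the leeway build, a non-empty findings list fails the job, so a new suppression cannot land without an identifier the scanner actually recognises and a justification a reviewer can audit later.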