Skip to content

Ability to block extensions installation via CLI and VSIX #617

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
RomanNikitenko wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Ability to block extensions installation via CLI and VSIX #617

RomanNikitenko wants to merge 8 commits into from

Conversation

@RomanNikitenko
Copy link
Collaborator

@RomanNikitenko RomanNikitenko commented Jan 2, 2026
edited
Loading

Depends on: #605

What does this PR do?

  • Moves default extensions functionality from the che-extension to the VS Code side
  • this ^ is required to fix https://issues.redhat.com/browse/CRW-9626
  • adds ability to block extensions installation using CLI: vscode-editor-configurations ConfigMap => policy.json section => BlockCliExtensionsInstallation property
  • adds ability to block extensions installation using workbench.extensions.command.installFromVSIX API command: vscode-editor-configurations ConfigMap => policy.json section => BlockInstallFromVSIXCommandExtensionsInstallation property
  • adds ability to block default extensions installation: vscode-editor-configurations ConfigMap => policy.json section => BlockDefaultExtensionsInstallation property

What issues does this PR fix?

How to test this PR?

Prerequisites

Add default-extensions ConfigMap to your namespace:

default-extensions ConfigMap 
kind: ConfigMap
apiVersion: v1
metadata:
  name: default-extensions
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-configmap: 'true'
  annotations:
    controller.devfile.io/mount-as: env
data:
  DEFAULT_EXTENSIONS: '/tmp/atlassian.atlascode-3.0.10.vsix;/tmp/snowflake.snowflake-vsc-1.9.1.vsix'

Add vscode-editor-configurations ConfigMap to your namespace:

vscode-editor-configurations ConfigMap 
kind: ConfigMap
apiVersion: v1
metadata:
  name: vscode-editor-configurations
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
data:
  configurations.json: |
    {
      "extensions.install-from-vsix-enabled": false
    }

Use Cases:

1. Default extensions should be installed when "Install from VSIX" is disabled (fix for `CRW-9626`)
  • start workspace: click here
  • open a terminal, run: /checode/checode-linux-libc/ubi9/bin/remote-cli/code-oss --install-extension /projects/web-nodejs-sample/redhat.java-1.43.1.vsix
  • open a terminal, run: /checode/checode-linux-libc/ubi9/bin/remote-cli/code-oss --install-extension /projects/web-nodejs-sample/vscode-test-extension-0.0.1.vsix
  • F1 => Test 'installFromVSIX'

Expected behavior:

  • Extensions panel => ... => Install from VSIX action is absent
  • Extensions panel => Atlassian, Snowflake and YAML extensions are installed as default extensions
  • Language Support for Java extension is installed using CLI
  • Tools for MicroProfile extension is installed using 'workbench.extensions.command.installFromVSIX API command
image

2. Default extensions should be installed, but installation using CLI should be blocked
  • add the following section to the vscode-editor-configurations ConfigMap
policy.json: |
    {
      "BlockCliExtensionsInstallation": true      
    }
  • delete previous workspace
  • start a new workspace: click here
  • open a terminal, run: /checode/checode-linux-libc/ubi9/bin/remote-cli/code-oss --install-extension /projects/web-nodejs-sample/redhat.java-1.43.1.vsix

Expected behavior:

  • Extensions panel => ... => Install from VSIX action is absent
  • Extensions panel => Atlassian, Snowflake and YAML extensions are installed as default extensions
  • Language Support for Java extension installation was failed using CLI
Screenshot 2026-01-08 at 13 34 35
3. Default extensions should be installed, but installation using workbench.extensions.command.installFromVSIX API command should be blocked
  • replace the following section in the vscode-editor-configurations ConfigMap
policy.json: |
    {
      "BlockInstallFromVSIXCommandExtensionsInstallation": true      
    }
  • delete previous workspace
  • start a new workspace: click here
  • open a terminal, run: /checode/checode-linux-libc/ubi9/bin/remote-cli/code-oss --install-extension /projects/web-nodejs-sample/vscode-test-extension-0.0.1.vsix
  • F1 => Test 'installFromVSIX'

Expected behavior:

  • Extensions panel => ... => Install from VSIX action is absent
  • Extensions panel => Atlassian, Snowflake and YAML extensions are installed as default extensions
  • Tools for MicroProfile extension installation was failed using 'workbench.extensions.command.installFromVSIX API command
Screenshot 2026-01-08 at 13 46 50
4. Default extensions installation should be blocked
  • replace the following section in the vscode-editor-configurations ConfigMap
policy.json: |
    {
      "BlockDefaultExtensionsInstallation": true
    }
  • delete previous workspace
  • start a new workspace: click here

Expected behavior:

  • Extensions panel => ... => Install from VSIX action is absent
  • Extensions panel => Atlassian, Snowflake and YAML extensions are NOT installed as default extensions
Screenshot 2026-01-08 at 13 57 02

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

@github-actions
Copy link

github-actions bot commented Jan 2, 2026
edited
Loading

Click here to review and test in web IDE: Contribute

@RomanNikitenko RomanNikitenko mentioned this pull request Jan 2, 2026
Merged
3 tasks
@RomanNikitenko RomanNikitenko force-pushed the block-cli-extensions-installation branch 3 times, most recently from f04ba89 to fefec71 Compare January 2, 2026 16:29
@RomanNikitenko RomanNikitenko changed the title Ability to block extensions installation using CLI and VSIX Ability to block extensions installation via CLI and VSIX Jan 2, 2026
@github-actions
Copy link

github-actions bot commented Jan 4, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-617-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-617-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-617-dev-amd64

@RomanNikitenko RomanNikitenko force-pushed the block-cli-extensions-installation branch 2 times, most recently from 8d51c2d to 437f2a9 Compare January 7, 2026 11:38
@github-actions
Copy link

github-actions bot commented Jan 7, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-617-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-617-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-617-dev-amd64

@RomanNikitenko
Remove default extensions functionality from the che-commands extensi…
e98351d 
…on side

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>
@RomanNikitenko
Move default extensions functionality to the VS Code side
bf4aa7e 
Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>
Assisted-by: Cursor AI
@RomanNikitenko
feat: Add ability to block extensions installation via DEFAULT_EXTENS…
c983584 
…IONS env var

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>
Assisted-by: Cursor AI
@RomanNikitenko
feat: The ability to block extensions installation via CLI
7ac0d6c 
Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>
Assisted-by: Cursor AI
@RomanNikitenko
feat: The ability to block extensions installation via VSIX
ef3e4bc 
Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>
Assisted-by: Cursor AI
@RomanNikitenko
chore: Move Che-specific policy keys to the che-package
3d63979 
Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>
Assisted-by: Cursor AI
@RomanNikitenko
chore: Add info about changes that override upstream content
aa8de21 
Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>
@RomanNikitenko
chore: Add rules for automatic rebasing
e794c63 
Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>
@RomanNikitenko RomanNikitenko force-pushed the block-cli-extensions-installation branch from 437f2a9 to e794c63 Compare January 7, 2026 15:57
@github-actions
Copy link

github-actions bot commented Jan 7, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-617-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-617-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-617-dev-amd64

@RomanNikitenko RomanNikitenko marked this pull request as ready for review January 8, 2026 11:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@azatsarynnyy azatsarynnyy azatsarynnyy approved these changes

@vitaliy-guliy vitaliy-guliy Awaiting requested review from vitaliy-guliy vitaliy-guliy is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RomanNikitenko @azatsarynnyy