Move SBOM generation and attestation to GitHub workflow
This PR moves the SBOM generation and attestation process from the `build_docker.sh` script to the GitHub workflow. The change:
1. Removes SBOM generation and attestation from the `build_docker.sh` script
2. Adds a new "SBOM Generation and Attestation" step in the GitHub workflow
3. Generates and attests SBOMs for both multi-arch images and latest tags when applicable
This approach ensures SBOM generation happens once for the final multi-architecture image rather than for each architecture separately.
Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Deprecates `ResourceSystem`. It's a large collection of unrelated things, and violates the principle of least privilege because to get access to low-security stuff like various statistics, you also get access to serious-security stuff like crypto keys.
We should eventually break it up and remove it, but the least we can do for now is not make the problem worse.
Fixes https://github.com/coder/coder/issues/17063
I'm ignoring flake.nix for now.
```
$ IGNORE_NIX=true ./scripts/check_go_versions.sh
INFO : go.mod : 1.24.1
INFO : dogfood/coder/Dockerfile : 1.24.1
INFO : setup-go/action.yaml : 1.24.1
INFO : flake.nix : 1.22
INFO : Ignoring flake.nix, as IGNORE_NIX=true
Go version check passed, all versions are 1.24.1
$ ./scripts/check_go_versions.sh
INFO : go.mod : 1.24.1
INFO : dogfood/coder/Dockerfile : 1.24.1
INFO : setup-go/action.yaml : 1.24.1
INFO : flake.nix : 1.22
ERROR: Go version mismatch between go.mod and flake.nix
```
- Update go.mod to use Go 1.24.1
- Update GitHub Actions setup-go action to use Go 1.24.1
- Fix linting issues with golangci-lint by:
- Updating to golangci-lint v1.57.1 (more compatible with Go 1.24.1)
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <claude@anthropic.com>
This change adds support for workspace app auditing.
To avoid audit log spam, we introduce the concept of app audit sessions.
An audit session is unique per workspace app, user, ip, user agent and
http status code. The sessions are stored in a separate table from audit
logs to allow use-case specific optimizations. Sessions are ephemeral
and the table does not function as a log.
The logic for auditing is placed in the DBTokenProvider for workspace
apps so that wsproxies are included.
This is the final change affecting the API fo #15139.
Updates #15139
This PR fixes the SBOM filename generation in the Docker build script to
properly handle image tags that contain slashes. The current
implementation only replaces colons with underscores, but fails when
image tags include slashes (common in registry paths).
The fix updates the string replacement to handle both colons and slashes
in the image tag when generating the SBOM filename.
Change-Id: Ifd7bad6d165393e11202e5bf070a4cb26eaa6a6a
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Signed-off-by: Thomas Kosiewski <tk@coder.com>
This PR fixes an issue in the Docker build script where the SBOM file path used the image tag directly, which could contain colons. Since colons are not valid characters in filenames on many filesystems, this replaces colons with underscores in the output filename.
Change-Id: I887f4fc255d9bfa19b6c5d23ad0a5db7352aa2af
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Niche edge case, assumes access_token is jwt.
Some `access_token`s are JWT's with potential useful claims.
These claims would be nearly equivalent to `user_info` claims.
This is not apart of the oauth spec, so this feature should not be
loudly advertised. If using this feature, alternate solutions are preferred.
Support public OIDC clients
- Enables support for public OIDC clients by only checking for a client
ID being set. This allows for confidential and public clients to be used
with Coder's OIDC authentication.
- Also adds a public client configuration to the development OIDC setup
script.
Fixes#16135
Change-Id: Iadd85d40c2faa595a0498e25d3407a1f94b5c8a8
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Replace Depot build action with Nix for Nix dogfood image builds
The dogfood Nix image is now built using Nix's native container tooling instead of Depot. This change:
- Adds Nix setup steps to the GitHub Actions workflow
- Removes the Dockerfile.nix in favor of a Nix-native container build
- Updates the flake.nix to support building Docker images
- Introduces a hash file to track Nix-related changes
- Updates the vendorHash for Go dependencies
Change-Id: I4e011fe3a19d9a1375fbfd5223c910e59d66a5d9
Signed-off-by: Thomas Kosiewski <tk@coder.com>
The `make -j` output was sometimes emitting non-JSON output from `go
generate`, resulting in errors like the below:
```
++ /home/coder/src/coder/coder/scripts/coder-dev.sh organizations show me -o json
++ jq -r '.[] | select(.is_default) | .name'
parse error: Invalid numeric literal at line 1, column 3
```
This PR modifies `coder-dev.sh` to silence the output of `make` if the
output is not a TTY.
This PR is the second in a series aimed at closing
https://github.com/coder/coder/issues/15109.
## Changes
- adds `scripts/embedded-pg/main.go`, which can start a native Postgres
database. This is used to set up PG on Windows and macOS, as these
platforms don't support Docker in Github Actions.
- runs the `test-go-pg` job on macOS and Windows too
- adds the `test-go-race-go` job, which runs race tests with Postgres on
Linux
- Integrates the `agentexec` pkg into the agent and removes the
legacy system of iterating over the process tree. It adds some linting
rules to hopefully catch future improper uses of `exec.Command` in the package.
Updates `develop.sh` to automatically determine the name of the 'first
org' when pushing the initial template.
Also runs `terraform init` before running `coder templates push` (pet
peeve).
