Bumps [github.com/go-chi/httprate](https://github.com/go-chi/httprate)
from 0.14.1 to 0.15.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/go-chi/httprate/releases">github.com/go-chi/httprate's
releases</a>.</em></p>
<blockquote>
<h2>v0.15.0</h2>
<ul>
<li>upgrade to xxhash v3</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c0b6272bca"><code>c0b6272</code></a>
upgrade to xxh3 hashing pkg (<a
href="https://redirect.github.com/go-chi/httprate/issues/54">#54</a>)</li>
<li><a
href="9d627fb3c8"><code>9d627fb</code></a>
Update README.md: add missing 'time' import in code example (<a
href="https://redirect.github.com/go-chi/httprate/issues/49">#49</a>)</li>
<li><a
href="24ebb38d02"><code>24ebb38</code></a>
Try to fix Github action access issue (<a
href="https://redirect.github.com/go-chi/httprate/issues/51">#51</a>)</li>
<li>See full diff in <a
href="https://github.com/go-chi/httprate/compare/v0.14.1...v0.15.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR makes the SBOM generation and attestation process more resilient
by:
1. Adding `continue-on-error: true` to the SBOM generation steps in both
CI and release workflows
2. Adding `--force=true` flag to all `cosign clean` commands to ensure
they don't fail if in a non-interactive shell (which is the case for CI)
Change-Id: Ide303c059b1a3d0e3fd77863310e99668325bc69
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Signed-off-by: Thomas Kosiewski <tk@coder.com>
If tracing is enabled, propagate the trace information to the terraform
provisioner via environment variables. This sets the `TRACEPARENT`
environment variable using the default W3C trace propagators. Users can
choose to continue the trace by adding new spans in the provisioner by
reading from the environment like:
ctx := env.ContextWithRemoteSpanContext(context.Background(),
os.Environ())
---------
Co-authored-by: Spike Curtis <spike@spikecurtis.com>
Wires up `config-ssh` command to use a hostname suffix if configured.
part of: #16828
e.g. `coder config-ssh --hostname-suffix spiketest` gives:
```
# ------------START-CODER-----------
# This section is managed by coder. DO NOT EDIT.
#
# You should not hand-edit this section unless you are removing it, all
# changes will be lost when running "coder config-ssh".
#
# Last config-ssh options:
# :hostname-suffix=spiketest
#
Host coder.* *.spiketest
ConnectTimeout=0
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
LogLevel ERROR
ProxyCommand /home/coder/repos/coder/build/coder_config_ssh --global-config /home/coder/.config/coderv2 ssh --stdio --ssh-host-prefix coder. --hostname-suffix spiketest %h
# ------------END-CODER------------
```
Adds `hostname-suffix` flag to `coder ssh` command for use in SSH Config ProxyCommands.
Also enforces that Coder server doesn't start the suffix with a dot.
part of: #16828
Move SBOM generation and attestation to GitHub workflow
This PR moves the SBOM generation and attestation process from the `build_docker.sh` script to the GitHub workflow. The change:
1. Removes SBOM generation and attestation from the `build_docker.sh` script
2. Adds a new "SBOM Generation and Attestation" step in the GitHub workflow
3. Generates and attests SBOMs for both multi-arch images and latest tags when applicable
This approach ensures SBOM generation happens once for the final multi-architecture image rather than for each architecture separately.
Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Fixes an issue where old ssh configs that use the
`owner--workspace--agent` format will fail to properly use the `coder
ssh` command since we migrated off the `coder vscodessh` command.
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc)
from 3.13.0 to 3.14.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/coreos/go-oidc/releases">github.com/coreos/go-oidc/v3's
releases</a>.</em></p>
<blockquote>
<h2>v3.14.1</h2>
<h2>What's Changed</h2>
<ul>
<li>oidctest: fix import by <a
href="https://github.com/ericchiang"><code>@ericchiang</code></a> in <a
href="https://redirect.github.com/coreos/go-oidc/pull/457">coreos/go-oidc#457</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/coreos/go-oidc/compare/v3.14.0...v3.14.1">https://github.com/coreos/go-oidc/compare/v3.14.0...v3.14.1</a></p>
<h2>v3.14.0</h2>
<h2>What's Changed</h2>
<ul>
<li>oidc/oidctest: add new package by <a
href="https://github.com/ericchiang"><code>@ericchiang</code></a> in <a
href="https://redirect.github.com/coreos/go-oidc/pull/400">coreos/go-oidc#400</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/coreos/go-oidc/compare/v3.13.0...v3.14.0">https://github.com/coreos/go-oidc/compare/v3.13.0...v3.14.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a7c457eacb"><code>a7c457e</code></a>
oidctest: fix import</li>
<li><a
href="aba1ce200a"><code>aba1ce2</code></a>
oidc/oidctest: add new package</li>
<li>See full diff in <a
href="https://github.com/coreos/go-oidc/compare/v3.13.0...v3.14.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the x group with 3 updates in the / directory:
[golang.org/x/crypto](https://github.com/golang/crypto),
[golang.org/x/net](https://github.com/golang/net) and
[golang.org/x/oauth2](https://github.com/golang/oauth2).
Updates `golang.org/x/crypto` from 0.36.0 to 0.37.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="959f8f3db0"><code>959f8f3</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="769bcd6997"><code>769bcd6</code></a>
ssh: use the configured rand in kex init</li>
<li><a
href="d0a798f774"><code>d0a798f</code></a>
cryptobyte: fix typo 'octects' into 'octets' for asn1.go</li>
<li><a
href="acbcbef23f"><code>acbcbef</code></a>
acme: remove unnecessary []byte conversion</li>
<li><a
href="376eb14006"><code>376eb14</code></a>
x509roots: support constrained roots</li>
<li><a
href="b369b723c8"><code>b369b72</code></a>
crypto/internal/poly1305: implement function update in assembly on
loong64</li>
<li><a
href="6b853fbea3"><code>6b853fb</code></a>
ssh/knownhosts: check more than one key</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.36.0...v0.37.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/net` from 0.37.0 to 0.38.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e1fcd82abb"><code>e1fcd82</code></a>
html: properly handle trailing solidus in unquoted attribute value in
foreign...</li>
<li><a
href="ebed060e8f"><code>ebed060</code></a>
internal/http3: fix build of tests with GOEXPERIMENT=nosynctest</li>
<li><a
href="1f1fa29e0a"><code>1f1fa29</code></a>
publicsuffix: regenerate table</li>
<li><a
href="12150816f7"><code>1215081</code></a>
http2: improve error when server sends HTTP/1</li>
<li><a
href="312450e473"><code>312450e</code></a>
html: ensure <search> tag closes <p> and update tests</li>
<li><a
href="09731f9bf9"><code>09731f9</code></a>
http2: improve handling of lost PING in Server</li>
<li><a
href="55989e24b9"><code>55989e2</code></a>
http2/h2c: use ResponseController for hijacking connections</li>
<li><a
href="2914f46773"><code>2914f46</code></a>
websocket: re-recommend gorilla/websocket</li>
<li>See full diff in <a
href="https://github.com/golang/net/compare/v0.37.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/oauth2` from 0.28.0 to 0.29.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="65c15a3514"><code>65c15a3</code></a>
oauth2: remove extra period</li>
<li><a
href="ce56909505"><code>ce56909</code></a>
jws: improve fix for CVE-2025-22868</li>
<li>See full diff in <a
href="https://github.com/golang/oauth2/compare/v0.28.0...v0.29.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/sync` from 0.12.0 to 0.13.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="396f3a06ea"><code>396f3a0</code></a>
errgroup: document calling Go before Wait</li>
<li>See full diff in <a
href="https://github.com/golang/sync/compare/v0.12.0...v0.13.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/sys` from 0.31.0 to 0.32.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="01aaa8342f"><code>01aaa83</code></a>
all: simplify code by using modern Go constructs</li>
<li><a
href="1b2bd6bb49"><code>1b2bd6b</code></a>
windows: replace all StringToUTF16 calls with UTF16FromString</li>
<li><a
href="1c3b72f1c1"><code>1c3b72f</code></a>
unix: update Linux kernel to 6.14</li>
<li><a
href="c175b6ba67"><code>c175b6b</code></a>
windows: add cmsghdr and pktinfo structures</li>
<li><a
href="3330b5e756"><code>3330b5e</code></a>
unix: support Readv, Preadv, Writev and Pwritev for darwin</li>
<li><a
href="7401cce313"><code>7401cce</code></a>
cpu: replace specific instructions with WORD in the function get_cpucfg
on lo...</li>
<li><a
href="b8f7da6c5a"><code>b8f7da6</code></a>
cpu: add support for detecting cpu features on loong64</li>
<li><a
href="f2ce62c21a"><code>f2ce62c</code></a>
windows: add constants for PMTUD socket options</li>
<li>See full diff in <a
href="https://github.com/golang/sys/compare/v0.31.0...v0.32.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/term` from 0.30.0 to 0.31.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5d2308b09d"><code>5d2308b</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="e770dddbf5"><code>e770ddd</code></a>
x/term: disabling auto-completion around GetPassword()</li>
<li>See full diff in <a
href="https://github.com/golang/term/compare/v0.30.0...v0.31.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Adds `hostname-suffix` as a Config SSH option that we get from Coderd, and also accept via a CLI flag.
It doesn't actually do anything with this value --- that's for PRs up the stack, since we need the `coder ssh` command to be updated to understand the suffix first.
Adds deployment option `CODER_WORKSPACE_HOSTNAME_SUFFIX`. This will eventually replace `CODER_SSH_HOSTNAME_PREFIX`, but we will do this slowly and support both for `coder ssh` for some time.
Note that the name is changed to "workspace" hostname, since this suffix will also be used for Coder Connect on Coder Desktop, which is not limited to SSH.
## Issue
Closes#16824
Document that the default GitHub authentication app provided by Coder
requires device flow, and that this behavior cannot be overridden.
## Changes Made
Claude updated the GitHub authentication documentation to:
1. Add a prominent warning in the Default Configuration section
explaining that the default GitHub app requires device flow and ignores
the `CODER_OAUTH2_GITHUB_DEVICE_FLOW` setting
2. Clarify the Device Flow section to indicate that:
- Device flow is always enabled for the default GitHub app
- Device flow is optional for custom GitHub OAuth apps
- The `CODER_OAUTH2_GITHUB_DEVICE_FLOW` setting is ignored when using
the default app
[preview](https://coder.com/docs/@16824-github-device-flow/admin/users/github-auth)
<sub>🤖 Generated with [Claude Code](https://claude.ai/code)</sub>
---------
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: M Atif Ali <atif@coder.com>
Changes the SSH host key seeding to use the owner username, workspace name, and agent name. This prevents SSH from complaining about a mismatched host key if you use Coder Desktop to connect, and delete and recreate your workspace with the same name. Previously this would generate a different key because the workspace ID changed.
We also include the owner's username in anticipation of using Coder Desktop to access shared workspaces (or as a superuser) down the road, so that workspaces with the same name owned by different users will not have the same key.
This change is **BREAKING** in a limited sense that early access users of Coder Desktop will see their SSH clients complain about host keys changing the first time each workspace is rebuilt with this code. It can be resolved by clearing your `.ssh/known_hosts` file of the Coder workspaces you access this way.
The purpose of the PR is to make a copy of the CreateWorkspacePage and
create an experimental version that will use when the dynamic-parameters
experiment is enabled.
The Figma designs for this page are still in progress but this first PR
will start to move to the new designs.
Figma design:
https://www.figma.com/design/SMg6H8VKXnPSkE6h9KPoAD/UX-Presets?node-id=2121-2383&t=CtgPUz8eNsTI5b1t-1
Much of the existing code will be left behind and will slowly migrated
over the course of several PRs to make sure no existing functionality is
forgotten in the migration to dynamic paramaters.
This fixes the permissions check when creating a workspace by setting
the owner_id to the current user's id. This was originally setting
owner_id to *
```
createWorkspace: {
object: {
resource_type: "workspace",
organization_id: organizationId,
owner_id: userId,
},
action: "create",
},
```
Fix hanging workspace shutdowns caused by orphaned SSH child processes.
Key changes:
- Create process groups for non-PTY SSH sessions
- Send SIGHUP to entire process group for proper termination
- Add 5-second timeout to prevent indefinite blocking
Fixes#17108
