This change implements an interface for running `@devcontainers/cli up`
and an API endpoint on the agent for triggering recreate for a running
devcontainer.
A couple of limitations:
1. Synchronous HTTP request, meaning the browser might choose to time it
out before it's done => no result/error (and devcontainer cli command
probably gets killed via ctx cancel).
2. Logs are only written to agent logs via slog, not as a "script" in
the UI.
Both 1 and 2 will be improved in future refactors.
Fixescoder/internal#481Fixescoder/internal#482
Closes https://github.com/coder/coder/issues/16759
## Changes made
- Replaced all instances of `Array.prototype.toSorted` with
`Array.prototype.sort` to provide better support for older browsers
- Updated all `Array.prototype.sort` calls where necessary to remove
risks of mutation render bugs
- Refactored some code (moved things around, added comments) to make it
more clear that certain `.sort` calls are harmless and don't have any
risks
## Issue
Closes#16875
Clarify how Coder authentication works with Git providers, particularly
the order of authentication methods used.
## Changes Made
I've updated the External Authentication documentation to:
1. Clarify that Coder first attempts to use external auth provider
tokens when available, and only defaults to SSH authentication if no
tokens are available
2. Add more detailed explanations about both authentication methods
3. Improve the description of how the `coder gitssh` command works with
existing and Coder-generated SSH keys
## Verification
Claude verified that this accurately describes the behavior of the
codebase by reviewing the `gitssh.go` implementation, which shows how
Coder handles SSH authentication as a fallback when external auth is not
available.
[preview](https://coder.com/docs/@16875-git-workspace-auth/admin/external-auth)
<sub>🤖 Generated with https://claude.ai/code</sub>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Ben Potter <me@bpmct.net>
Co-authored-by: M Atif Ali <atif@coder.com>
Co-authored-by: Bruno Quaresma <bruno@coder.com>
Co-authored-by: Kyle Carberry <kyle@coder.com>
Co-authored-by: Cian Johnston <cian@coder.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jon Ayers <jon@coder.com>
Co-authored-by: Hugo Dutka <hugo@coder.com>
Co-authored-by: Ethan <39577870+ethanndickson@users.noreply.github.com>
Co-authored-by: Michael Smith <throwawayclover@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Sas Swart <sas.swart.cdk@gmail.com>
fixescoder/internal#565
Fixes the ordering of creating the HTTP cache temp dir with respect to
starting the Coderd HTTP server, so that they are cleaned up in the
correct (reverse) order.
Fixes https://github.com/coder/internal/issues/272
* Increases healthcheck timeout in tests. This seems to be the most
usual cause of test failures.
* Adds a non-nilness check before caching a healthcheck report.
* Modifies the HTTP response code to 503 (was 404) when no healthcheck
report is available. 503 seems to be a better indicator of the server
state in this case, whereas 404 could be misinterpreted as a typo in the
healthcheck URL.
Should hopefully fix https://github.com/coder/internal/issues/282
Instead of picking a random port for the prometheus server, listen on
`:0` and read the port from the CLI stdout.
#15896 Mentions ability to add support for filtering by login type
The issue mentions that backend API support exists but the backend did
not seem to have the support for this filter. So I have added the
ability to filter it.
I also added a corresponding update to readme file to make sure the docs
will correctly showcase this feature
Fixes https://github.com/coder/internal/issues/329
This was due to a race between the process starting and the timeout of
the agent startup script executor. I'm taking the 'lazy' route here and
increasing the timeout to 100ms. This does technically mean that this
makes the test 100 times longer to execute. However, if it takes more
than 100ms to run a `sleep infinity` command on our test runner, I think
we have other issues.
Fixes https://github.com/coder/internal/issues/564
The test is asserting too much, including stats guages that are not directly related to the thing we are trying to test: ConnectionCount, RxBytes, and TxBytes. I think the author assumed that these are counts that only go up, but they are guages and eventually zero back out, so there are race condtions where not all of them are non-zero at the same time.
Bumps [github.com/go-chi/httprate](https://github.com/go-chi/httprate)
from 0.14.1 to 0.15.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/go-chi/httprate/releases">github.com/go-chi/httprate's
releases</a>.</em></p>
<blockquote>
<h2>v0.15.0</h2>
<ul>
<li>upgrade to xxhash v3</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c0b6272bca"><code>c0b6272</code></a>
upgrade to xxh3 hashing pkg (<a
href="https://redirect.github.com/go-chi/httprate/issues/54">#54</a>)</li>
<li><a
href="9d627fb3c8"><code>9d627fb</code></a>
Update README.md: add missing 'time' import in code example (<a
href="https://redirect.github.com/go-chi/httprate/issues/49">#49</a>)</li>
<li><a
href="24ebb38d02"><code>24ebb38</code></a>
Try to fix Github action access issue (<a
href="https://redirect.github.com/go-chi/httprate/issues/51">#51</a>)</li>
<li>See full diff in <a
href="https://github.com/go-chi/httprate/compare/v0.14.1...v0.15.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR makes the SBOM generation and attestation process more resilient
by:
1. Adding `continue-on-error: true` to the SBOM generation steps in both
CI and release workflows
2. Adding `--force=true` flag to all `cosign clean` commands to ensure
they don't fail if in a non-interactive shell (which is the case for CI)
Change-Id: Ide303c059b1a3d0e3fd77863310e99668325bc69
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Signed-off-by: Thomas Kosiewski <tk@coder.com>
If tracing is enabled, propagate the trace information to the terraform
provisioner via environment variables. This sets the `TRACEPARENT`
environment variable using the default W3C trace propagators. Users can
choose to continue the trace by adding new spans in the provisioner by
reading from the environment like:
ctx := env.ContextWithRemoteSpanContext(context.Background(),
os.Environ())
---------
Co-authored-by: Spike Curtis <spike@spikecurtis.com>
Wires up `config-ssh` command to use a hostname suffix if configured.
part of: #16828
e.g. `coder config-ssh --hostname-suffix spiketest` gives:
```
# ------------START-CODER-----------
# This section is managed by coder. DO NOT EDIT.
#
# You should not hand-edit this section unless you are removing it, all
# changes will be lost when running "coder config-ssh".
#
# Last config-ssh options:
# :hostname-suffix=spiketest
#
Host coder.* *.spiketest
ConnectTimeout=0
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
LogLevel ERROR
ProxyCommand /home/coder/repos/coder/build/coder_config_ssh --global-config /home/coder/.config/coderv2 ssh --stdio --ssh-host-prefix coder. --hostname-suffix spiketest %h
# ------------END-CODER------------
```
Adds `hostname-suffix` flag to `coder ssh` command for use in SSH Config ProxyCommands.
Also enforces that Coder server doesn't start the suffix with a dot.
part of: #16828
Move SBOM generation and attestation to GitHub workflow
This PR moves the SBOM generation and attestation process from the `build_docker.sh` script to the GitHub workflow. The change:
1. Removes SBOM generation and attestation from the `build_docker.sh` script
2. Adds a new "SBOM Generation and Attestation" step in the GitHub workflow
3. Generates and attests SBOMs for both multi-arch images and latest tags when applicable
This approach ensures SBOM generation happens once for the final multi-architecture image rather than for each architecture separately.
Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Fixes an issue where old ssh configs that use the
`owner--workspace--agent` format will fail to properly use the `coder
ssh` command since we migrated off the `coder vscodessh` command.
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc)
from 3.13.0 to 3.14.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/coreos/go-oidc/releases">github.com/coreos/go-oidc/v3's
releases</a>.</em></p>
<blockquote>
<h2>v3.14.1</h2>
<h2>What's Changed</h2>
<ul>
<li>oidctest: fix import by <a
href="https://github.com/ericchiang"><code>@ericchiang</code></a> in <a
href="https://redirect.github.com/coreos/go-oidc/pull/457">coreos/go-oidc#457</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/coreos/go-oidc/compare/v3.14.0...v3.14.1">https://github.com/coreos/go-oidc/compare/v3.14.0...v3.14.1</a></p>
<h2>v3.14.0</h2>
<h2>What's Changed</h2>
<ul>
<li>oidc/oidctest: add new package by <a
href="https://github.com/ericchiang"><code>@ericchiang</code></a> in <a
href="https://redirect.github.com/coreos/go-oidc/pull/400">coreos/go-oidc#400</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/coreos/go-oidc/compare/v3.13.0...v3.14.0">https://github.com/coreos/go-oidc/compare/v3.13.0...v3.14.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a7c457eacb"><code>a7c457e</code></a>
oidctest: fix import</li>
<li><a
href="aba1ce200a"><code>aba1ce2</code></a>
oidc/oidctest: add new package</li>
<li>See full diff in <a
href="https://github.com/coreos/go-oidc/compare/v3.13.0...v3.14.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the x group with 3 updates in the / directory:
[golang.org/x/crypto](https://github.com/golang/crypto),
[golang.org/x/net](https://github.com/golang/net) and
[golang.org/x/oauth2](https://github.com/golang/oauth2).
Updates `golang.org/x/crypto` from 0.36.0 to 0.37.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="959f8f3db0"><code>959f8f3</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="769bcd6997"><code>769bcd6</code></a>
ssh: use the configured rand in kex init</li>
<li><a
href="d0a798f774"><code>d0a798f</code></a>
cryptobyte: fix typo 'octects' into 'octets' for asn1.go</li>
<li><a
href="acbcbef23f"><code>acbcbef</code></a>
acme: remove unnecessary []byte conversion</li>
<li><a
href="376eb14006"><code>376eb14</code></a>
x509roots: support constrained roots</li>
<li><a
href="b369b723c8"><code>b369b72</code></a>
crypto/internal/poly1305: implement function update in assembly on
loong64</li>
<li><a
href="6b853fbea3"><code>6b853fb</code></a>
ssh/knownhosts: check more than one key</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.36.0...v0.37.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/net` from 0.37.0 to 0.38.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e1fcd82abb"><code>e1fcd82</code></a>
html: properly handle trailing solidus in unquoted attribute value in
foreign...</li>
<li><a
href="ebed060e8f"><code>ebed060</code></a>
internal/http3: fix build of tests with GOEXPERIMENT=nosynctest</li>
<li><a
href="1f1fa29e0a"><code>1f1fa29</code></a>
publicsuffix: regenerate table</li>
<li><a
href="12150816f7"><code>1215081</code></a>
http2: improve error when server sends HTTP/1</li>
<li><a
href="312450e473"><code>312450e</code></a>
html: ensure <search> tag closes <p> and update tests</li>
<li><a
href="09731f9bf9"><code>09731f9</code></a>
http2: improve handling of lost PING in Server</li>
<li><a
href="55989e24b9"><code>55989e2</code></a>
http2/h2c: use ResponseController for hijacking connections</li>
<li><a
href="2914f46773"><code>2914f46</code></a>
websocket: re-recommend gorilla/websocket</li>
<li>See full diff in <a
href="https://github.com/golang/net/compare/v0.37.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/oauth2` from 0.28.0 to 0.29.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="65c15a3514"><code>65c15a3</code></a>
oauth2: remove extra period</li>
<li><a
href="ce56909505"><code>ce56909</code></a>
jws: improve fix for CVE-2025-22868</li>
<li>See full diff in <a
href="https://github.com/golang/oauth2/compare/v0.28.0...v0.29.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/sync` from 0.12.0 to 0.13.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="396f3a06ea"><code>396f3a0</code></a>
errgroup: document calling Go before Wait</li>
<li>See full diff in <a
href="https://github.com/golang/sync/compare/v0.12.0...v0.13.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/sys` from 0.31.0 to 0.32.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="01aaa8342f"><code>01aaa83</code></a>
all: simplify code by using modern Go constructs</li>
<li><a
href="1b2bd6bb49"><code>1b2bd6b</code></a>
windows: replace all StringToUTF16 calls with UTF16FromString</li>
<li><a
href="1c3b72f1c1"><code>1c3b72f</code></a>
unix: update Linux kernel to 6.14</li>
<li><a
href="c175b6ba67"><code>c175b6b</code></a>
windows: add cmsghdr and pktinfo structures</li>
<li><a
href="3330b5e756"><code>3330b5e</code></a>
unix: support Readv, Preadv, Writev and Pwritev for darwin</li>
<li><a
href="7401cce313"><code>7401cce</code></a>
cpu: replace specific instructions with WORD in the function get_cpucfg
on lo...</li>
<li><a
href="b8f7da6c5a"><code>b8f7da6</code></a>
cpu: add support for detecting cpu features on loong64</li>
<li><a
href="f2ce62c21a"><code>f2ce62c</code></a>
windows: add constants for PMTUD socket options</li>
<li>See full diff in <a
href="https://github.com/golang/sys/compare/v0.31.0...v0.32.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/term` from 0.30.0 to 0.31.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5d2308b09d"><code>5d2308b</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="e770dddbf5"><code>e770ddd</code></a>
x/term: disabling auto-completion around GetPassword()</li>
<li>See full diff in <a
href="https://github.com/golang/term/compare/v0.30.0...v0.31.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
