coder
diff --git a/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/setup-tf/action.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/actions/setup-tf/action.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 10 additions & 6 deletions b/‎.github/workflows/ci.yaml
Lines changed: 10 additions & 6 deletions
diff --git a/‎.github/workflows/pr-deploy.yaml
Lines changed: 0 additions & 10 deletions b/‎.github/workflows/pr-deploy.yaml
Lines changed: 0 additions & 10 deletions
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/security.yaml
Lines changed: 17 additions & 17 deletions b/‎.github/workflows/security.yaml
Lines changed: 17 additions & 17 deletions
diff --git a/‎.vscode/settings.json
Lines changed: 1 addition & 0 deletions b/‎.vscode/settings.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎Makefile
Lines changed: 1 addition & 1 deletion b/‎Makefile
Lines changed: 1 addition & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 8 additions & 0 deletions b/‎agent/agent.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/fileszip.go renamed to ‎archive/archive.go
Lines changed: 14 additions & 11 deletions b/‎coderd/fileszip.go renamed to ‎archive/archive.go
Lines changed: 14 additions & 11 deletions
@@ -4,7 +4,7 @@ description: |
 inputs:
   version:
     description: "The Go version to use."
-    default: "1.22.6"
+    default: "1.22.8"
 runs:
   using: "composite"
   steps:
 
@@ -7,5 +7,5 @@ runs:
     - name: Install Terraform
       uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
-        terraform_version: 1.9.2
+        terraform_version: 1.9.8
         terraform_wrapper: false
@@ -90,6 +90,7 @@ jobs:
               - "coderd/**"
               - "enterprise/**"
               - "examples/*"
+              - "helm/**"
               - "provisioner/**"
               - "provisionerd/**"
               - "provisionersdk/**"
@@ -196,7 +197,7 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@6802cc60d4e7f78b9d5454f6cf3935c042d5e1e3 # v1.26.0
+        uses: crate-ci/typos@0d9e0c2c1bd7f770f6eb90f87780848ca02fc12c # v1.26.8
         with:
           config: .github/workflows/typos.toml
 
@@ -232,8 +233,7 @@ jobs:
   gen:
     timeout-minutes: 8
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
-    needs: changes
-    if: needs.changes.outputs.docs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
+    if: always()
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -466,7 +466,7 @@ jobs:
           api-key: ${{ secrets.DATADOG_API_KEY }}
 
   test-go-race:
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     needs: changes
     if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     timeout-minutes: 25
@@ -487,9 +487,13 @@ jobs:
       - name: Setup Terraform
         uses: ./.github/actions/setup-tf
 
+      # We run race tests with reduced parallelism because they use more CPU and we were finding
+      # instances where tests appear to hang for multiple seconds, resulting in flaky tests when
+      # short timeouts are used.
+      # c.f. discussion on https://github.com/coder/coder/pull/15106
       - name: Run Tests
         run: |
-          gotestsum --junitfile="gotests.xml" -- -race ./...
+          gotestsum --junitfile="gotests.xml" -- -race -parallel 4 -p 4 ./...
 
       - name: Upload test stats to Datadog
         timeout-minutes: 1
@@ -966,7 +970,7 @@ jobs:
         uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
 
       - name: Set up Flux CLI
-        uses: fluxcd/flux2/action@9b3958825a314eb79495c6993ef397ddbf87f32f # v2.2.1
+        uses: fluxcd/flux2/action@5350425cdcd5fa015337e09fa502153c0275bd4b # v2.4.0
         with:
           # Keep this and the github action up to date with the version of flux installed in dogfood cluster
           version: "2.2.1"
 
@@ -44,16 +44,6 @@ jobs:
         with:
           egress-policy: audit
 
-      - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
-      - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
 
@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           sarif_file: results.sarif
@@ -3,7 +3,6 @@ name: "security"
 permissions:
   actions: read
   contents: read
-  security-events: write
 
 on:
   workflow_dispatch:
@@ -23,6 +22,8 @@ concurrency:
 
 jobs:
   codeql:
+    permissions:
+      security-events: write
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
     steps:
       - name: Harden Runner
@@ -37,7 +38,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           languages: go, javascript
 
@@ -47,7 +48,7 @@ jobs:
           rm Makefile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
 
       - name: Send Slack notification on failure
         if: ${{ failure() }}
@@ -61,6 +62,8 @@ jobs:
             "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
 
   trivy:
+    permissions:
+      security-events: write
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
     steps:
       - name: Harden Runner
@@ -95,13 +98,20 @@ jobs:
           # protoc must be in lockstep with our dogfood Dockerfile or the
           # version in the comments will differ. This is also defined in
           # ci.yaml.
-          set -x
-          cd dogfood
+          set -euxo pipefail
+          cd dogfood/contents
+          mkdir -p /usr/local/bin
+          mkdir -p /usr/local/include
+
           DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
           protoc_path=/usr/local/bin/protoc
           docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
           chmod +x $protoc_path
           protoc --version
+          # Copy the generated files to the include directory.
+          docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/
+          ls -la /usr/local/include/google/protobuf/
+          stat /usr/local/include/google/protobuf/timestamp.proto
 
       - name: Build Coder linux amd64 Docker image
         id: build
@@ -124,15 +134,15 @@ jobs:
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
         with:
           image-ref: ${{ steps.build.outputs.image }}
           format: sarif
           output: trivy-results.sarif
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           sarif_file: trivy-results.sarif
           category: "Trivy"
@@ -144,16 +154,6 @@ jobs:
           path: trivy-results.sarif
           retention-days: 7
 
-      # Prisma cloud scan runs last because it fails the entire job if it
-      # detects vulnerabilities. :|
-      - name: Run Prisma Cloud image scan
-        uses: PaloAltoNetworks/prisma-cloud-scan@1f38c94d789ff9b01a4e80070b442294ebd3e362 # v1.4.0
-        with:
-          pcc_console_url: ${{ secrets.PRISMA_CLOUD_URL }}
-          pcc_user: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
-          pcc_pass: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
-          image_name: ${{ steps.build.outputs.image }}
-
       - name: Send Slack notification on failure
         if: ${{ failure() }}
         run: |
 
@@ -175,6 +175,7 @@
 		"unauthenticate",
 		"unconvert",
 		"untar",
+		"userauth",
 		"userspace",
 		"VMID",
 		"walkthrough",
 
@@ -817,7 +817,7 @@ test-postgres-docker:
 
 # Make sure to keep this in sync with test-go-race from .github/workflows/ci.yaml.
 test-race:
-	$(GIT_FLAGS) gotestsum --junitfile="gotests.xml" -- -race -count=1 ./...
+	$(GIT_FLAGS) gotestsum --junitfile="gotests.xml" -- -race -count=1 -parallel 4 -p 4 ./...
 .PHONY: test-race
 
 test-tailnet-integration:
 
@@ -1134,11 +1134,19 @@ func (a *agent) trackGoroutine(fn func()) error {
 }
 
 func (a *agent) createTailnet(ctx context.Context, agentID uuid.UUID, derpMap *tailcfg.DERPMap, derpForceWebSockets, disableDirectConnections bool) (_ *tailnet.Conn, err error) {
+	// Inject `CODER_AGENT_HEADER` into the DERP header.
+	var header http.Header
+	if client, ok := a.client.(*agentsdk.Client); ok {
+		if headerTransport, ok := client.SDK.HTTPClient.Transport.(*codersdk.HeaderTransport); ok {
+			header = headerTransport.Header
+		}
+	}
 	network, err := tailnet.NewConn(&tailnet.Options{
 		ID:                  agentID,
 		Addresses:           a.wireguardAddresses(agentID),
 		DERPMap:             derpMap,
 		DERPForceWebSockets: derpForceWebSockets,
+		DERPHeader:          &header,
 		Logger:              a.logger.Named("net.tailnet"),
 		ListenPort:          a.tailnetListenPort,
 		BlockEndpoints:      disableDirectConnections,
 
@@ -1,4 +1,4 @@
-package coderd
+package archive
 
 import (
 	"archive/tar"
@@ -10,29 +10,30 @@ import (
 	"strings"
 )
 
-func CreateTarFromZip(zipReader *zip.Reader) ([]byte, error) {
+// CreateTarFromZip converts the given zipReader to a tar archive.
+func CreateTarFromZip(zipReader *zip.Reader, maxSize int64) ([]byte, error) {
 	var tarBuffer bytes.Buffer
-	err := writeTarArchive(&tarBuffer, zipReader)
+	err := writeTarArchive(&tarBuffer, zipReader, maxSize)
 	if err != nil {
 		return nil, err
 	}
 	return tarBuffer.Bytes(), nil
 }
 
-func writeTarArchive(w io.Writer, zipReader *zip.Reader) error {
+func writeTarArchive(w io.Writer, zipReader *zip.Reader, maxSize int64) error {
 	tarWriter := tar.NewWriter(w)
 	defer tarWriter.Close()
 
 	for _, file := range zipReader.File {
-		err := processFileInZipArchive(file, tarWriter)
+		err := processFileInZipArchive(file, tarWriter, maxSize)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 
-func processFileInZipArchive(file *zip.File, tarWriter *tar.Writer) error {
+func processFileInZipArchive(file *zip.File, tarWriter *tar.Writer, maxSize int64) error {
 	fileReader, err := file.Open()
 	if err != nil {
 		return err
@@ -52,24 +53,26 @@ func processFileInZipArchive(file *zip.File, tarWriter *tar.Writer) error {
 		return err
 	}
 
-	n, err := io.CopyN(tarWriter, fileReader, httpFileMaxBytes)
+	n, err := io.CopyN(tarWriter, fileReader, maxSize)
 	log.Println(file.Name, n, err)
 	if errors.Is(err, io.EOF) {
 		err = nil
 	}
 	return err
 }
 
-func CreateZipFromTar(tarReader *tar.Reader) ([]byte, error) {
+// CreateZipFromTar converts the given tarReader to a zip archive.
+func CreateZipFromTar(tarReader *tar.Reader, maxSize int64) ([]byte, error) {
 	var zipBuffer bytes.Buffer
-	err := WriteZipArchive(&zipBuffer, tarReader)
+	err := WriteZip(&zipBuffer, tarReader, maxSize)
 	if err != nil {
 		return nil, err
 	}
 	return zipBuffer.Bytes(), nil
 }
 
-func WriteZipArchive(w io.Writer, tarReader *tar.Reader) error {
+// WriteZip writes the given tarReader to w.
+func WriteZip(w io.Writer, tarReader *tar.Reader, maxSize int64) error {
 	zipWriter := zip.NewWriter(w)
 	defer zipWriter.Close()
 
@@ -100,7 +103,7 @@ func WriteZipArchive(w io.Writer, tarReader *tar.Reader) error {
 			return err
 		}
 
-		_, err = io.CopyN(zipEntry, tarReader, httpFileMaxBytes)
+		_, err = io.CopyN(zipEntry, tarReader, maxSize)
 		if errors.Is(err, io.EOF) {
 			err = nil
 		}
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package coderd`
	`1`	`+package archive`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"archive/tar"`
`@@ -10,29 +10,30 @@ import (`
`10`	`10`	`"strings"`
`11`	`11`	`)`
`12`	`12`
`13`		`-func CreateTarFromZip(zipReader *zip.Reader) ([]byte, error) {`
	`13`	`+// CreateTarFromZip converts the given zipReader to a tar archive.`
	`14`	`+func CreateTarFromZip(zipReader *zip.Reader, maxSize int64) ([]byte, error) {`
`14`	`15`	`var tarBuffer bytes.Buffer`
`15`		`- err := writeTarArchive(&tarBuffer, zipReader)`
	`16`	`+ err := writeTarArchive(&tarBuffer, zipReader, maxSize)`
`16`	`17`	`if err != nil {`
`17`	`18`	`return nil, err`
`18`	`19`	`}`
`19`	`20`	`return tarBuffer.Bytes(), nil`
`20`	`21`	`}`
`21`	`22`
`22`		`-func writeTarArchive(w io.Writer, zipReader *zip.Reader) error {`
	`23`	`+func writeTarArchive(w io.Writer, zipReader *zip.Reader, maxSize int64) error {`
`23`	`24`	`tarWriter := tar.NewWriter(w)`
`24`	`25`	`defer tarWriter.Close()`
`25`	`26`
`26`	`27`	`for _, file := range zipReader.File {`
`27`		`- err := processFileInZipArchive(file, tarWriter)`
	`28`	`+ err := processFileInZipArchive(file, tarWriter, maxSize)`
`28`	`29`	`if err != nil {`
`29`	`30`	`return err`
`30`	`31`	`}`
`31`	`32`	`}`
`32`	`33`	`return nil`
`33`	`34`	`}`
`34`	`35`
`35`		`-func processFileInZipArchive(file zip.File, tarWriter tar.Writer) error {`
	`36`	`+func processFileInZipArchive(file zip.File, tarWriter tar.Writer, maxSize int64) error {`
`36`	`37`	`fileReader, err := file.Open()`
`37`	`38`	`if err != nil {`
`38`	`39`	`return err`
`@@ -52,24 +53,26 @@ func processFileInZipArchive(file zip.File, tarWriter tar.Writer) error {`
`52`	`53`	`return err`
`53`	`54`	`}`
`54`	`55`
`55`		`- n, err := io.CopyN(tarWriter, fileReader, httpFileMaxBytes)`
	`56`	`+ n, err := io.CopyN(tarWriter, fileReader, maxSize)`
`56`	`57`	`log.Println(file.Name, n, err)`
`57`	`58`	`if errors.Is(err, io.EOF) {`
`58`	`59`	`err = nil`
`59`	`60`	`}`
`60`	`61`	`return err`
`61`	`62`	`}`
`62`	`63`
`63`		`-func CreateZipFromTar(tarReader *tar.Reader) ([]byte, error) {`
	`64`	`+// CreateZipFromTar converts the given tarReader to a zip archive.`
	`65`	`+func CreateZipFromTar(tarReader *tar.Reader, maxSize int64) ([]byte, error) {`
`64`	`66`	`var zipBuffer bytes.Buffer`
`65`		`- err := WriteZipArchive(&zipBuffer, tarReader)`
	`67`	`+ err := WriteZip(&zipBuffer, tarReader, maxSize)`
`66`	`68`	`if err != nil {`
`67`	`69`	`return nil, err`
`68`	`70`	`}`
`69`	`71`	`return zipBuffer.Bytes(), nil`
`70`	`72`	`}`
`71`	`73`
`72`		`-func WriteZipArchive(w io.Writer, tarReader *tar.Reader) error {`
	`74`	`+// WriteZip writes the given tarReader to w.`
	`75`	`+func WriteZip(w io.Writer, tarReader *tar.Reader, maxSize int64) error {`
`73`	`76`	`zipWriter := zip.NewWriter(w)`
`74`	`77`	`defer zipWriter.Close()`
`75`	`78`
`@@ -100,7 +103,7 @@ func WriteZipArchive(w io.Writer, tarReader *tar.Reader) error {`
`100`	`103`	`return err`
`101`	`104`	`}`
`102`	`105`
`103`		`- _, err = io.CopyN(zipEntry, tarReader, httpFileMaxBytes)`
	`106`	`+ _, err = io.CopyN(zipEntry, tarReader, maxSize)`
`104`	`107`	`if errors.Is(err, io.EOF) {`
`105`	`108`	`err = nil`
`106`	`109`	`}`