coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/ci.yaml
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/workflows/contrib.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/contrib.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/security.yaml
Lines changed: 40 additions & 8 deletions b/‎.github/workflows/security.yaml
Lines changed: 40 additions & 8 deletions
@@ -186,8 +186,9 @@ jobs:
 
       - name: Install Protoc
         run: |
-          # protoc must be in lockstep with our dogfood Dockerfile
-          # or the version in the comments will differ.
+          # protoc must be in lockstep with our dogfood Dockerfile or the
+          # version in the comments will differ. This is also defined in
+          # security.yaml
           set -x
           cd dogfood
           DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
 
@@ -19,7 +19,7 @@ concurrency: pr-${{ github.ref }}
 
 jobs:
   # Dependabot is annoying, but this makes it a bit less so.
-  auto-approve:
+  auto-approve-dependabot:
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request_target'
     permissions:
 
@@ -6,17 +6,11 @@ permissions:
   security-events: write
 
 on:
-  push:
-    branches: ["main"]
-
-  pull_request:
-    branches: ["main"]
-
   workflow_dispatch:
 
   schedule:
-    # Run every week at 10:24 on Thursday.
-    - cron: "24 10 * * 4"
+    # Run every 6 hours Monday-Friday!
+    - cron: "0 0,6,12,18 * * 1-5"
 
 # Cancel in-progress runs for pull requests when developers push
 # additional changes
@@ -59,6 +53,17 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
 
+      - name: Send Slack notification on failure
+        if: ${{ failure() }}
+        run: |
+          msg="❌ CodeQL Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          curl \
+            -qfsSL \
+            -X POST \
+            -H "Content-Type: application/json" \
+            --data "{\"content\": \"$msg\"}" \
+            "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
+
   trivy:
     runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
     steps:
@@ -94,6 +99,22 @@ jobs:
 
       - name: Install yq
         run: go run github.com/mikefarah/yq/[email protected]
+      - name: Install protoc-gen-go
+        run: go install google.golang.org/protobuf/cmd/[email protected]
+      - name: Install protoc-gen-go-drpc
+        run: go install storj.io/drpc/cmd/[email protected]
+      - name: Install Protoc
+        run: |
+          # protoc must be in lockstep with our dogfood Dockerfile or the
+          # version in the comments will differ. This is also defined in
+          # ci.yaml.
+          set -x
+          cd dogfood
+          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
+          protoc_path=/usr/local/bin/protoc
+          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
+          chmod +x $protoc_path
+          protoc --version
 
       - name: Build Coder linux amd64 Docker image
         id: build
@@ -135,3 +156,14 @@ jobs:
           name: trivy
           path: trivy-results.sarif
           retention-days: 7
+
+      - name: Send Slack notification on failure
+        if: ${{ failure() }}
+        run: |
+          msg="❌ CodeQL Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          curl \
+            -qfsSL \
+            -X POST \
+            -H "Content-Type: application/json" \
+            --data "{\"content\": \"$msg\"}" \
+            "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"