coder
diff --git a/‎.github/workflows/security.yaml
+41-1 b/‎.github/workflows/security.yaml
+41-1
diff --git a/‎agent/agent.go
+41-7 b/‎agent/agent.go
+41-7
diff --git a/‎agent/agent_test.go
+61-1 b/‎agent/agent_test.go
+61-1
diff --git a/‎coderd/apidoc/docs.go
+12-6 b/‎coderd/apidoc/docs.go
+12-6
diff --git a/‎coderd/apidoc/swagger.json
+12-6 b/‎coderd/apidoc/swagger.json
+12-6
diff --git a/‎coderd/coderd.go
+1-1 b/‎coderd/coderd.go
+1-1
diff --git a/‎coderd/coderdtest/authorize.go
+1-1 b/‎coderd/coderdtest/authorize.go
+1-1
diff --git a/‎coderd/coderdtest/swaggerparser.go
+1-1 b/‎coderd/coderdtest/swaggerparser.go
+1-1
diff --git a/‎coderd/database/dbfake/databasefake.go
+2-1 b/‎coderd/database/dbfake/databasefake.go
+2-1
diff --git a/‎coderd/database/dump.sql
+4-1 b/‎coderd/database/dump.sql
+4-1
@@ -92,6 +92,9 @@ jobs:
           restore-keys: |
             js-${{ runner.os }}-
 
+      - name: Install yq
+        run: go run github.com/mikefarah/yq/[email protected]
+
       - name: Build Coder linux amd64 Docker image
         id: build
         run: |
@@ -112,6 +115,17 @@ jobs:
           make -j "$image_job"
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
+      - name: Build Coder linux amd64 Docker image (ironbank)
+        id: build-ironbank
+        run: |
+          set -euo pipefail
+          # NOTE: This is not a real image tag we publish.
+          image_tag="${{ steps.build.outputs.image }}-ironbank"
+          ./scripts/ironbank/build_ironbank.sh \
+            --target "$image_tag" \
+            "build/coder_$(./scripts/version.sh)_linux_amd64"
+          echo "image=$image_tag" >> $GITHUB_OUTPUT
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
         with:
@@ -124,10 +138,36 @@ jobs:
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: trivy-results.sarif
+          category: "Trivy"
+
+      - name: Run Trivy vulnerability scanner (ironbank)
+        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        with:
+          image-ref: ${{ steps.build-ironbank.outputs.image }}
+          format: sarif
+          output: trivy-results-ironbank.sarif
+          severity: "CRITICAL,HIGH"
+
+      # Update the tool name field in the ironbank SARIF file so it's not
+      # indistinguishable from findings in the non-ironbank SARIF file in the
+      # GitHub UI. Without this, findings from both scans would show up as
+      # "Trivy".
+      - name: Update tool name in SARIF file (ironbank)
+        run: |
+          set -euo pipefail
+          yq eval -i '.runs[0].tool.driver.name = "Trivy Ironbank"' trivy-results-ironbank.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab (ironbank)
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results-ironbank.sarif
+          category: "Trivy Ironbank"
 
       - name: Upload Trivy scan results as an artifact
         uses: actions/upload-artifact@v2
         with:
           name: trivy
-          path: trivy-results.sarif
+          path: |
+            trivy-results.sarif
+            trivy-results-ironbank.sarif
           retention-days: 7
@@ -75,7 +75,7 @@ type Client interface {
 	ReportStats(ctx context.Context, log slog.Logger, stats func() *agentsdk.Stats) (io.Closer, error)
 	PostLifecycle(ctx context.Context, state agentsdk.PostLifecycleRequest) error
 	PostAppHealth(ctx context.Context, req agentsdk.PostAppHealthsRequest) error
-	PostVersion(ctx context.Context, version string) error
+	PostStartup(ctx context.Context, req agentsdk.PostStartupRequest) error
 }
 
 func New(options Options) io.Closer {
@@ -236,16 +236,29 @@ func (a *agent) run(ctx context.Context) error {
 	}
 	a.sessionToken.Store(&sessionToken)
 
-	err = a.client.PostVersion(ctx, buildinfo.Version())
-	if err != nil {
-		return xerrors.Errorf("update workspace agent version: %w", err)
-	}
-
 	metadata, err := a.client.Metadata(ctx)
 	if err != nil {
 		return xerrors.Errorf("fetch metadata: %w", err)
 	}
 	a.logger.Info(ctx, "fetched metadata")
+
+	// Expand the directory and send it back to coderd so external
+	// applications that rely on the directory can use it.
+	//
+	// An example is VS Code Remote, which must know the directory
+	// before initializing a connection.
+	metadata.Directory, err = expandDirectory(metadata.Directory)
+	if err != nil {
+		return xerrors.Errorf("expand directory: %w", err)
+	}
+	err = a.client.PostStartup(ctx, agentsdk.PostStartupRequest{
+		Version:           buildinfo.Version(),
+		ExpandedDirectory: metadata.Directory,
+	})
+	if err != nil {
+		return xerrors.Errorf("update workspace agent version: %w", err)
+	}
+
 	oldMetadata := a.metadata.Swap(metadata)
 
 	// The startup script should only execute on the first run!
@@ -803,7 +816,11 @@ func (a *agent) createCommand(ctx context.Context, rawCommand string, env []stri
 
 	cmd := exec.CommandContext(ctx, shell, args...)
 	cmd.Dir = metadata.Directory
-	if cmd.Dir == "" {
+
+	// If the metadata directory doesn't exist, we run the command
+	// in the users home directory.
+	_, err = os.Stat(cmd.Dir)
+	if cmd.Dir == "" || err != nil {
 		// Default to user home if a directory is not set.
 		homedir, err := userHomeDir()
 		if err != nil {
@@ -1314,3 +1331,20 @@ func userHomeDir() (string, error) {
 	}
 	return u.HomeDir, nil
 }
+
+// expandDirectory converts a directory path to an absolute path.
+// It primarily resolves the home directory and any environment
+// variables that may be set
+func expandDirectory(dir string) (string, error) {
+	if dir == "" {
+		return "", nil
+	}
+	if dir[0] == '~' {
+		home, err := userHomeDir()
+		if err != nil {
+			return "", err
+		}
+		dir = filepath.Join(home, dir[1:])
+	}
+	return os.ExpandEnv(dir), nil
+}
@@ -787,6 +787,56 @@ func TestAgent_Lifecycle(t *testing.T) {
 	})
 }
 
+func TestAgent_Startup(t *testing.T) {
+	t.Parallel()
+
+	t.Run("EmptyDirectory", func(t *testing.T) {
+		t.Parallel()
+
+		_, client, _, _ := setupAgent(t, agentsdk.Metadata{
+			StartupScript:        "true",
+			StartupScriptTimeout: 30 * time.Second,
+			Directory:            "",
+		}, 0)
+		assert.Eventually(t, func() bool {
+			return client.getStartup().Version != ""
+		}, testutil.WaitShort, testutil.IntervalFast)
+		require.Equal(t, "", client.getStartup().ExpandedDirectory)
+	})
+
+	t.Run("HomeDirectory", func(t *testing.T) {
+		t.Parallel()
+
+		_, client, _, _ := setupAgent(t, agentsdk.Metadata{
+			StartupScript:        "true",
+			StartupScriptTimeout: 30 * time.Second,
+			Directory:            "~",
+		}, 0)
+		assert.Eventually(t, func() bool {
+			return client.getStartup().Version != ""
+		}, testutil.WaitShort, testutil.IntervalFast)
+		homeDir, err := os.UserHomeDir()
+		require.NoError(t, err)
+		require.Equal(t, homeDir, client.getStartup().ExpandedDirectory)
+	})
+
+	t.Run("HomeEnvironmentVariable", func(t *testing.T) {
+		t.Parallel()
+
+		_, client, _, _ := setupAgent(t, agentsdk.Metadata{
+			StartupScript:        "true",
+			StartupScriptTimeout: 30 * time.Second,
+			Directory:            "$HOME",
+		}, 0)
+		assert.Eventually(t, func() bool {
+			return client.getStartup().Version != ""
+		}, testutil.WaitShort, testutil.IntervalFast)
+		homeDir, err := os.UserHomeDir()
+		require.NoError(t, err)
+		require.Equal(t, homeDir, client.getStartup().ExpandedDirectory)
+	})
+}
+
 func TestAgent_ReconnectingPTY(t *testing.T) {
 	t.Parallel()
 	if runtime.GOOS == "windows" {
@@ -1178,6 +1228,7 @@ type client struct {
 
 	mu              sync.Mutex // Protects following.
 	lifecycleStates []codersdk.WorkspaceAgentLifecycle
+	startup         agentsdk.PostStartupRequest
 }
 
 func (c *client) Metadata(_ context.Context) (agentsdk.Metadata, error) {
@@ -1250,7 +1301,16 @@ func (*client) PostAppHealth(_ context.Context, _ agentsdk.PostAppHealthsRequest
 	return nil
 }
 
-func (*client) PostVersion(_ context.Context, _ string) error {
+func (c *client) getStartup() agentsdk.PostStartupRequest {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.startup
+}
+
+func (c *client) PostStartup(_ context.Context, startup agentsdk.PostStartupRequest) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.startup = startup
 	return nil
 }
 
 
@@ -553,7 +553,7 @@ func New(options *Options) *API {
 			r.Route("/me", func(r chi.Router) {
 				r.Use(httpmw.ExtractWorkspaceAgent(options.Database))
 				r.Get("/metadata", api.workspaceAgentMetadata)
-				r.Post("/version", api.postWorkspaceAgentVersion)
+				r.Post("/startup", api.postWorkspaceAgentStartup)
 				r.Post("/app-health", api.postWorkspaceAppHealth)
 				r.Get("/gitauth", api.workspaceAgentsGitAuth)
 				r.Get("/gitsshkey", api.agentGitSSHKey)
 
@@ -73,7 +73,7 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 		"GET:/api/v2/workspaceagents/me/gitsshkey":              {NoAuthorize: true},
 		"GET:/api/v2/workspaceagents/me/metadata":               {NoAuthorize: true},
 		"GET:/api/v2/workspaceagents/me/coordinate":             {NoAuthorize: true},
-		"POST:/api/v2/workspaceagents/me/version":               {NoAuthorize: true},
+		"POST:/api/v2/workspaceagents/me/startup":               {NoAuthorize: true},
 		"POST:/api/v2/workspaceagents/me/app-health":            {NoAuthorize: true},
 		"POST:/api/v2/workspaceagents/me/report-stats":          {NoAuthorize: true},
 		"POST:/api/v2/workspaceagents/me/report-lifecycle":      {NoAuthorize: true},
 
@@ -344,7 +344,7 @@ func assertProduce(t *testing.T, comment SwaggerComment) {
 		assert.Contains(t, allowedProduceTypes, comment.produce, "@Produce value is limited to specific types: %s", strings.Join(allowedProduceTypes, ","))
 	} else {
 		if (comment.router == "/workspaceagents/me/app-health" && comment.method == "post") ||
-			(comment.router == "/workspaceagents/me/version" && comment.method == "post") ||
+			(comment.router == "/workspaceagents/me/startup" && comment.method == "post") ||
 			(comment.router == "/licenses/{id}" && comment.method == "delete") ||
 			(comment.router == "/debug/coordinator" && comment.method == "get") {
 			return // Exception: HTTP 200 is returned without response entity
 
@@ -3192,7 +3192,7 @@ func (q *fakeQuerier) UpdateWorkspaceAgentConnectionByID(_ context.Context, arg
 	return sql.ErrNoRows
 }
 
-func (q *fakeQuerier) UpdateWorkspaceAgentVersionByID(_ context.Context, arg database.UpdateWorkspaceAgentVersionByIDParams) error {
+func (q *fakeQuerier) UpdateWorkspaceAgentStartupByID(_ context.Context, arg database.UpdateWorkspaceAgentStartupByIDParams) error {
 	if err := validateDatabaseType(arg); err != nil {
 		return err
 	}
@@ -3206,6 +3206,7 @@ func (q *fakeQuerier) UpdateWorkspaceAgentVersionByID(_ context.Context, arg dat
 		}
 
 		agent.Version = arg.Version
+		agent.ExpandedDirectory = arg.ExpandedDirectory
 		q.workspaceAgents[index] = agent
 		return nil
 	}
Original file line number	Diff line number	Diff line change
`@@ -3192,7 +3192,7 @@ func (q *fakeQuerier) UpdateWorkspaceAgentConnectionByID(_ context.Context, arg`
`3192`	`3192`	`return sql.ErrNoRows`
`3193`	`3193`	`}`
`3194`	`3194`
`3195`		`-func (q *fakeQuerier) UpdateWorkspaceAgentVersionByID(_ context.Context, arg database.UpdateWorkspaceAgentVersionByIDParams) error {`
	`3195`	`+func (q *fakeQuerier) UpdateWorkspaceAgentStartupByID(_ context.Context, arg database.UpdateWorkspaceAgentStartupByIDParams) error {`
`3196`	`3196`	`if err := validateDatabaseType(arg); err != nil {`
`3197`	`3197`	`return err`
`3198`	`3198`	`}`
`@@ -3206,6 +3206,7 @@ func (q *fakeQuerier) UpdateWorkspaceAgentVersionByID(_ context.Context, arg dat`
`3206`	`3206`	`}`
`3207`	`3207`
`3208`	`3208`	`agent.Version = arg.Version`
	`3209`	`+ agent.ExpandedDirectory = arg.ExpandedDirectory`
`3209`	`3210`	`q.workspaceAgents[index] = agent`
`3210`	`3211`	`return nil`
`3211`	`3212`	`}`