coder
diff --git a/‎.gitattributes
Lines changed: 1 addition & 0 deletions b/‎.gitattributes
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 6 additions & 5 deletions b/‎.github/workflows/ci.yaml
Lines changed: 6 additions & 5 deletions
diff --git a/‎.github/workflows/dogfood.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/dogfood.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yaml
Lines changed: 6 additions & 5 deletions b/‎.github/workflows/release.yaml
Lines changed: 6 additions & 5 deletions
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/security.yaml
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/security.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/‎Makefile
Lines changed: 6 additions & 1 deletion b/‎Makefile
Lines changed: 6 additions & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 8 additions & 1 deletion b/‎agent/agent.go
Lines changed: 8 additions & 1 deletion
diff --git a/‎agent/agentcontainers/acmock/acmock.go
Lines changed: 57 additions & 0 deletions b/‎agent/agentcontainers/acmock/acmock.go
Lines changed: 57 additions & 0 deletions
diff --git a/‎agent/agentcontainers/acmock/doc.go
Lines changed: 4 additions & 0 deletions b/‎agent/agentcontainers/acmock/doc.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎agent/agentcontainers/containers.go
Lines changed: 142 additions & 0 deletions b/‎agent/agentcontainers/containers.go
Lines changed: 142 additions & 0 deletions
@@ -1,4 +1,5 @@
 # Generated files
+agent/agentcontainers/acmock/acmock.go linguist-generated=true
 coderd/apidoc/docs.go linguist-generated=true
 docs/reference/api/*.md linguist-generated=true
 docs/reference/cli/*.md linguist-generated=true
 
@@ -940,11 +940,7 @@ jobs:
     if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
+      # Harden Runner doesn't work on macOS
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -957,6 +953,11 @@ jobs:
           echo "$(brew --prefix gnu-getopt)/bin" >> $GITHUB_PATH
           echo "$(brew --prefix make)/libexec/gnubin" >> $GITHUB_PATH
 
+      - name: Switch XCode Version
+        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
+        with:
+          xcode-version: "16.0.0"
+
       - name: Setup Go
         uses: ./.github/actions/setup-go
 
 
@@ -53,7 +53,7 @@ jobs:
         uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 
       - name: Login to DockerHub
         if: github.ref == 'refs/heads/main'
 
@@ -36,11 +36,7 @@ jobs:
   build-dylib:
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
+      # Harden Runner doesn't work on macOS.
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -61,6 +57,11 @@ jobs:
           echo "$(brew --prefix gnu-getopt)/bin" >> $GITHUB_PATH
           echo "$(brew --prefix make)/libexec/gnubin" >> $GITHUB_PATH
 
+      - name: Switch XCode Version
+        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
+        with:
+          xcode-version: "16.0.0"
+
       - name: Setup Go
         uses: ./.github/actions/setup-go
 
 
@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: results.sarif
@@ -38,7 +38,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           languages: go, javascript
 
@@ -48,7 +48,7 @@ jobs:
           rm Makefile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
 
       - name: Send Slack notification on failure
         if: ${{ failure() }}
@@ -144,7 +144,7 @@ jobs:
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: trivy-results.sarif
           category: "Trivy"
 
@@ -563,7 +563,8 @@ GEN_FILES := \
 	site/e2e/provisionerGenerated.ts \
 	examples/examples.gen.json \
 	$(TAILNETTEST_MOCKS) \
-	coderd/database/pubsub/psmock/psmock.go
+	coderd/database/pubsub/psmock/psmock.go \
+	agent/agentcontainers/acmock/acmock.go
 
 
 # all gen targets should be added here and to gen/mark-fresh
@@ -598,6 +599,7 @@ gen/mark-fresh:
 		examples/examples.gen.json \
 		$(TAILNETTEST_MOCKS) \
 		coderd/database/pubsub/psmock/psmock.go \
+		agent/agentcontainers/acmock/acmock.go \
 		"
 
 	for file in $$files; do
@@ -629,6 +631,9 @@ coderd/database/dbmock/dbmock.go: coderd/database/db.go coderd/database/querier.
 coderd/database/pubsub/psmock/psmock.go: coderd/database/pubsub/pubsub.go
 	go generate ./coderd/database/pubsub/psmock
 
+agent/agentcontainers/acmock/acmock.go: agent/agentcontainers/containers.go
+	go generate ./agent/agentcontainers/acmock/
+
 $(TAILNETTEST_MOCKS): tailnet/coordinator.go tailnet/service.go
 	go generate ./tailnet/tailnettest/
 
 
@@ -33,6 +33,7 @@ import (
 	"tailscale.com/util/clientmetric"
 
 	"cdr.dev/slog"
+	"github.com/coder/coder/v2/agent/agentcontainers"
 	"github.com/coder/coder/v2/agent/agentexec"
 	"github.com/coder/coder/v2/agent/agentscripts"
 	"github.com/coder/coder/v2/agent/agentssh"
@@ -82,6 +83,7 @@ type Options struct {
 	ServiceBannerRefreshInterval time.Duration
 	BlockFileTransfer            bool
 	Execer                       agentexec.Execer
+	ContainerLister              agentcontainers.Lister
 }
 
 type Client interface {
@@ -122,7 +124,7 @@ func New(options Options) Agent {
 		options.ScriptDataDir = options.TempDir
 	}
 	if options.ExchangeToken == nil {
-		options.ExchangeToken = func(ctx context.Context) (string, error) {
+		options.ExchangeToken = func(_ context.Context) (string, error) {
 			return "", nil
 		}
 	}
@@ -144,6 +146,9 @@ func New(options Options) Agent {
 	if options.Execer == nil {
 		options.Execer = agentexec.DefaultExecer
 	}
+	if options.ContainerLister == nil {
+		options.ContainerLister = agentcontainers.NewDocker(options.Execer)
+	}
 
 	hardCtx, hardCancel := context.WithCancel(context.Background())
 	gracefulCtx, gracefulCancel := context.WithCancel(hardCtx)
@@ -178,6 +183,7 @@ func New(options Options) Agent {
 		prometheusRegistry: prometheusRegistry,
 		metrics:            newAgentMetrics(prometheusRegistry),
 		execer:             options.Execer,
+		lister:             options.ContainerLister,
 	}
 	// Initially, we have a closed channel, reflecting the fact that we are not initially connected.
 	// Each time we connect we replace the channel (while holding the closeMutex) with a new one
@@ -247,6 +253,7 @@ type agent struct {
 	// labeled in Coder with the agent + workspace.
 	metrics *agentMetrics
 	execer  agentexec.Execer
+	lister  agentcontainers.Lister
 }
 
 func (a *agent) TailnetConn() *tailnet.Conn {
 
@@ -0,0 +1,4 @@
+// Package acmock contains a mock implementation of agentcontainers.Lister for use in tests.
+package acmock
+
+//go:generate mockgen -destination ./acmock.go -package acmock .. Lister
@@ -0,0 +1,142 @@
+package agentcontainers
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"slices"
+	"time"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/quartz"
+)
+
+const (
+	defaultGetContainersCacheDuration = 10 * time.Second
+	dockerCreatedAtTimeFormat         = "2006-01-02 15:04:05 -0700 MST"
+	getContainersTimeout              = 5 * time.Second
+)
+
+type devcontainersHandler struct {
+	cacheDuration time.Duration
+	cl            Lister
+	clock         quartz.Clock
+
+	// lockCh protects the below fields. We use a channel instead of a mutex so we
+	// can handle cancellation properly.
+	lockCh     chan struct{}
+	containers *codersdk.WorkspaceAgentListContainersResponse
+	mtime      time.Time
+}
+
+// Option is a functional option for devcontainersHandler.
+type Option func(*devcontainersHandler)
+
+// WithLister sets the agentcontainers.Lister implementation to use.
+// The default implementation uses the Docker CLI to list containers.
+func WithLister(cl Lister) Option {
+	return func(ch *devcontainersHandler) {
+		ch.cl = cl
+	}
+}
+
+// New returns a new devcontainersHandler with the given options applied.
+func New(options ...Option) http.Handler {
+	ch := &devcontainersHandler{
+		lockCh: make(chan struct{}, 1),
+	}
+	for _, opt := range options {
+		opt(ch)
+	}
+	return ch
+}
+
+func (ch *devcontainersHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	select {
+	case <-r.Context().Done():
+		// Client went away.
+		return
+	default:
+		ct, err := ch.getContainers(r.Context())
+		if err != nil {
+			if errors.Is(err, context.Canceled) {
+				httpapi.Write(r.Context(), rw, http.StatusRequestTimeout, codersdk.Response{
+					Message: "Could not get containers.",
+					Detail:  "Took too long to list containers.",
+				})
+				return
+			}
+			httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Could not get containers.",
+				Detail:  err.Error(),
+			})
+			return
+		}
+
+		httpapi.Write(r.Context(), rw, http.StatusOK, ct)
+	}
+}
+
+func (ch *devcontainersHandler) getContainers(ctx context.Context) (codersdk.WorkspaceAgentListContainersResponse, error) {
+	select {
+	case <-ctx.Done():
+		return codersdk.WorkspaceAgentListContainersResponse{}, ctx.Err()
+	default:
+		ch.lockCh <- struct{}{}
+	}
+	defer func() {
+		<-ch.lockCh
+	}()
+
+	// make zero-value usable
+	if ch.cacheDuration == 0 {
+		ch.cacheDuration = defaultGetContainersCacheDuration
+	}
+	if ch.cl == nil {
+		ch.cl = &DockerCLILister{}
+	}
+	if ch.containers == nil {
+		ch.containers = &codersdk.WorkspaceAgentListContainersResponse{}
+	}
+	if ch.clock == nil {
+		ch.clock = quartz.NewReal()
+	}
+
+	now := ch.clock.Now()
+	if now.Sub(ch.mtime) < ch.cacheDuration {
+		// Return a copy of the cached data to avoid accidental modification by the caller.
+		cpy := codersdk.WorkspaceAgentListContainersResponse{
+			Containers: slices.Clone(ch.containers.Containers),
+			Warnings:   slices.Clone(ch.containers.Warnings),
+		}
+		return cpy, nil
+	}
+
+	timeoutCtx, timeoutCancel := context.WithTimeout(ctx, getContainersTimeout)
+	defer timeoutCancel()
+	updated, err := ch.cl.List(timeoutCtx)
+	if err != nil {
+		return codersdk.WorkspaceAgentListContainersResponse{}, xerrors.Errorf("get containers: %w", err)
+	}
+	ch.containers = &updated
+	ch.mtime = now
+
+	// Return a copy of the cached data to avoid accidental modification by the
+	// caller.
+	cpy := codersdk.WorkspaceAgentListContainersResponse{
+		Containers: slices.Clone(ch.containers.Containers),
+		Warnings:   slices.Clone(ch.containers.Warnings),
+	}
+	return cpy, nil
+}
+
+// Lister is an interface for listing containers visible to the
+// workspace agent.
+type Lister interface {
+	// List returns a list of containers visible to the workspace agent.
+	// This should include running and stopped containers.
+	List(ctx context.Context) (codersdk.WorkspaceAgentListContainersResponse, error)
+}
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`# Generated files`
	`2`	`+agent/agentcontainers/acmock/acmock.go linguist-generated=true`
`2`	`3`	`coderd/apidoc/docs.go linguist-generated=true`
`3`	`4`	`docs/reference/api/*.md linguist-generated=true`
`4`	`5`	`docs/reference/cli/*.md linguist-generated=true`