coder
diff --git a/‎.github/pull_request_template.md
Lines changed: 0 additions & 3 deletions b/‎.github/pull_request_template.md
Lines changed: 0 additions & 3 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/ci.yaml
Lines changed: 5 additions & 4 deletions
diff --git a/‎.github/workflows/contrib.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/contrib.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/docker-base.yaml
Lines changed: 30 additions & 0 deletions b/‎.github/workflows/docker-base.yaml
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/pr-auto-assign.yaml
Lines changed: 16 additions & 0 deletions b/‎.github/workflows/pr-auto-assign.yaml
Lines changed: 16 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 31 additions & 1 deletion b/‎.github/workflows/release.yaml
Lines changed: 31 additions & 1 deletion
diff --git a/‎.github/workflows/security.yaml
Lines changed: 42 additions & 10 deletions b/‎.github/workflows/security.yaml
Lines changed: 42 additions & 10 deletions
diff --git a/‎.gitignore
Lines changed: 2 additions & 0 deletions b/‎.gitignore
Lines changed: 2 additions & 0 deletions
diff --git a/‎.golangci.yaml
Lines changed: 0 additions & 2 deletions b/‎.golangci.yaml
Lines changed: 0 additions & 2 deletions
diff --git a/‎.prettierignore
Lines changed: 2 additions & 0 deletions b/‎.prettierignore
Lines changed: 2 additions & 0 deletions
@@ -41,7 +41,7 @@ jobs:
 
       # Check for any typos!
       - name: Check for typos
-        uses: crate-ci/typos@v1.13.9
+        uses: crate-ci/typos@v1.13.14
         with:
           config: .github/workflows/typos.toml
       - name: Fix the typos
@@ -186,8 +186,9 @@ jobs:
 
       - name: Install Protoc
         run: |
-          # protoc must be in lockstep with our dogfood Dockerfile
-          # or the version in the comments will differ.
+          # protoc must be in lockstep with our dogfood Dockerfile or the
+          # version in the comments will differ. This is also defined in
+          # security.yaml
           set -x
           cd dogfood
           DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
@@ -511,7 +512,7 @@ jobs:
       - name: Install node_modules
         run: ./scripts/yarn_install.sh
 
-      - run: yarn test:ci
+      - run: yarn test:ci --max-workers ${{ steps.cpu-cores.outputs.count }}
         working-directory: site
 
       - uses: codecov/codecov-action@v3
 
@@ -19,7 +19,7 @@ concurrency: pr-${{ github.ref }}
 
 jobs:
   # Dependabot is annoying, but this makes it a bit less so.
-  auto-approve:
+  auto-approve-dependabot:
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request_target'
     permissions:
@@ -33,7 +33,7 @@ jobs:
     steps:
       - name: cla
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.2.1
+        uses: contributor-assistant/github-action@v2.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # the below token should have repo scope and must be manually added by you in the repository's secret
 
@@ -53,8 +53,38 @@ jobs:
           project: wl5hnrrkns
           context: base-build-context
           file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
           pull: true
           no-cache: true
           push: true
           tags: |
             ghcr.io/coder/coder-base:latest
+
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw ghcr.io/coder/coder-base:latest) || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7
@@ -0,0 +1,16 @@
+# Filtering pull requests is much easier when we can reliably guarantee
+# that the "Assignee" field is populated.
+name: PR Auto Assign
+
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  assign-author:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: toshimaru/auto-author-assign@v1.6.2
@@ -188,12 +188,42 @@ jobs:
           project: wl5hnrrkns
           context: base-build-context
           file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
           pull: true
           no-cache: true
           push: true
           tags: |
             ${{ steps.image-base-tag.outputs.tag }}
 
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw "${{ steps.image-base-tag.outputs.tag }}") || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7
+
       - name: Build Linux Docker images
         run: |
           set -euxo pipefail
@@ -275,7 +305,7 @@ jobs:
 
       - name: Upload artifacts to actions (if dry-run)
         if: ${{ inputs.dry_run }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: release-artifacts
           path: |
 
@@ -6,17 +6,11 @@ permissions:
   security-events: write
 
 on:
-  push:
-    branches: ["main"]
-
-  pull_request:
-    branches: ["main"]
-
   workflow_dispatch:
 
   schedule:
-    # Run every week at 10:24 on Thursday.
-    - cron: "24 10 * * 4"
+    # Run every 6 hours Monday-Friday!
+    - cron: "0 0,6,12,18 * * 1-5"
 
 # Cancel in-progress runs for pull requests when developers push
 # additional changes
@@ -59,6 +53,17 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
 
+      - name: Send Slack notification on failure
+        if: ${{ failure() }}
+        run: |
+          msg="❌ CodeQL Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          curl \
+            -qfsSL \
+            -X POST \
+            -H "Content-Type: application/json" \
+            --data "{\"content\": \"$msg\"}" \
+            "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
+
   trivy:
     runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
     steps:
@@ -94,6 +99,22 @@ jobs:
 
       - name: Install yq
         run: go run github.com/mikefarah/yq/v4@v4.30.6
+      - name: Install protoc-gen-go
+        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+      - name: Install protoc-gen-go-drpc
+        run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
+      - name: Install Protoc
+        run: |
+          # protoc must be in lockstep with our dogfood Dockerfile or the
+          # version in the comments will differ. This is also defined in
+          # ci.yaml.
+          set -x
+          cd dogfood
+          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
+          protoc_path=/usr/local/bin/protoc
+          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
+          chmod +x $protoc_path
+          protoc --version
 
       - name: Build Coder linux amd64 Docker image
         id: build
@@ -116,7 +137,7 @@ jobs:
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252
         with:
           image-ref: ${{ steps.build.outputs.image }}
           format: sarif
@@ -130,8 +151,19 @@ jobs:
           category: "Trivy"
 
       - name: Upload Trivy scan results as an artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: trivy
           path: trivy-results.sarif
           retention-days: 7
+
+      - name: Send Slack notification on failure
+        if: ${{ failure() }}
+        run: |
+          msg="❌ CodeQL Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          curl \
+            -qfsSL \
+            -X POST \
+            -H "Content-Type: application/json" \
+            --data "{\"content\": \"$msg\"}" \
+            "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
@@ -27,9 +27,11 @@ site/test-results/*
 site/e2e/test-results/*
 site/e2e/states/*.json
 site/playwright-report/*
+site/.swc
 
 # Make target for updating golden files.
 cli/testdata/.gen-golden
+helm/tests/testdata/.gen-golden
 
 # Build
 /build/
 
@@ -215,7 +215,6 @@ linters:
     - asciicheck
     - bidichk
     - bodyclose
-    - deadcode
     - dogsled
     - errcheck
     - errname
@@ -259,4 +258,3 @@ linters:
     - typecheck
     - unconvert
     - unused
-    - varcheck
@@ -30,9 +30,11 @@ site/test-results/*
 site/e2e/test-results/*
 site/e2e/states/*.json
 site/playwright-report/*
+site/.swc
 
 # Make target for updating golden files.
 cli/testdata/.gen-golden
+helm/tests/testdata/.gen-golden
 
 # Build
 /build/