4242 offlinedocs : ${{ steps.filter.outputs.offlinedocs }}
4343 tailnet-integration : ${{ steps.filter.outputs.tailnet-integration }}
4444 steps :
45+ - name : Harden Runner
46+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
47+ with :
48+ egress-policy : audit
49+
4550 - name : Checkout
4651 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
4752 with :
@@ -157,6 +162,11 @@ jobs:
157162 if : needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
158163 runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
159164 steps :
165+ - name : Harden Runner
166+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
167+ with :
168+ egress-policy : audit
169+
160170 - name : Checkout
161171 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
162172 with :
@@ -213,12 +223,23 @@ jobs:
213223 ./actionlint -color -shellcheck= -ignore "set-output"
214224shell : bash
215225
226+ - name : Check for unstaged files
227+ run : |
228+ rm -f ./actionlint ./typos
229+ ./scripts/check_unstaged.sh
230+ shell : bash
231+
216232 gen :
217233 timeout-minutes : 8
218234 runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
219235 needs : changes
220236 if : needs.changes.outputs.docs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
221237 steps :
238+ - name : Harden Runner
239+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
240+ with :
241+ egress-policy : audit
242+
222243 - name : Checkout
223244 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
224245 with :
@@ -268,6 +289,11 @@ jobs:
268289 runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
269290 timeout-minutes : 7
270291 steps :
292+ - name : Harden Runner
293+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
294+ with :
295+ egress-policy : audit
296+
271297 - name : Checkout
272298 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
273299 with :
@@ -304,6 +330,11 @@ jobs:
304330 - macos-latest
305331 - windows-2022
306332 steps :
333+ - name : Harden Runner
334+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
335+ with :
336+ egress-policy : audit
337+
307338 - name : Checkout
308339 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
309340 with :
@@ -358,6 +389,11 @@ jobs:
358389 # even if some of the preceding steps are slow.
359390 timeout-minutes : 25
360391 steps :
392+ - name : Harden Runner
393+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
394+ with :
395+ egress-policy : audit
396+
361397 - name : Checkout
362398 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
363399 with :
@@ -398,6 +434,11 @@ jobs:
398434 # even if some of the preceding steps are slow.
399435 timeout-minutes : 25
400436 steps :
437+ - name : Harden Runner
438+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
439+ with :
440+ egress-policy : audit
441+
401442 - name : Checkout
402443 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
403444 with :
@@ -425,11 +466,16 @@ jobs:
425466 api-key : ${{ secrets.DATADOG_API_KEY }}
426467
427468 test-go-race :
428- runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8 ' || 'ubuntu-latest' }}
469+ runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16 ' || 'ubuntu-latest' }}
429470 needs : changes
430471 if : needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
431472 timeout-minutes : 25
432473 steps :
474+ - name : Harden Runner
475+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
476+ with :
477+ egress-policy : audit
478+
433479 - name : Checkout
434480 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
435481 with :
@@ -441,9 +487,13 @@ jobs:
441487 - name : Setup Terraform
442488 uses : ./.github/actions/setup-tf
443489
490+ # We run race tests with reduced parallelism because they use more CPU and we were finding
491+ # instances where tests appear to hang for multiple seconds, resulting in flaky tests when
492+ # short timeouts are used.
493+ # c.f. discussion on https://github.com/coder/coder/pull/15106
444494 - name : Run Tests
445495 run : |
446- gotestsum --junitfile="gotests.xml" -- -race ./...
496+ gotestsum --junitfile="gotests.xml" -- -race -parallel 4 -p 4 ./...
447497
448498name : Upload test stats to Datadog
449499 timeout-minutes : 1
@@ -466,6 +516,11 @@ jobs:
466516 if : needs.changes.outputs.tailnet-integration == 'true' || needs.changes.outputs.ci == 'true'
467517 timeout-minutes : 20
468518 steps :
519+ - name : Harden Runner
520+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
521+ with :
522+ egress-policy : audit
523+
469524 - name : Checkout
470525 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
471526 with :
@@ -487,6 +542,11 @@ jobs:
487542 if : needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
488543 timeout-minutes : 20
489544 steps :
545+ - name : Harden Runner
546+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
547+ with :
548+ egress-policy : audit
549+
490550 - name : Checkout
491551 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
492552 with :
@@ -499,21 +559,26 @@ jobs:
499559 working-directory : site
500560
501561 test-e2e :
502- runs-on : ${{ github.repository_owner == 'coder' && (matrix.variant.enterprise && 'depot-ubuntu-22.04' || 'depot-ubuntu-22.04-4') || 'ubuntu-latest' }}
503562 # test-e2e fails on 2-core 8GB runners, so we use the 4-core 16GB runner
563+ runs-on : ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
504564 needs : changes
505565 if : needs.changes.outputs.go == 'true' || needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
506566 timeout-minutes : 20
507567 strategy :
508568 fail-fast : false
509569 matrix :
510570 variant :
511- - enterprise : false
571+ - premium : false
512572 name : test-e2e
513- - enterprise : true
514- name : test-e2e-enterprise
573+ - premium : true
574+ name : test-e2e-premium
515575 name : ${{ matrix.variant.name }}
516576 steps :
577+ - name : Harden Runner
578+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
579+ with :
580+ egress-policy : audit
581+
517582 - name : Checkout
518583 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
519584 with :
@@ -535,38 +600,35 @@ jobs:
535600 - run : pnpm playwright:install
536601 working-directory : site
537602
538- # Run tests that don't require an enterprise license without an enterprise license
603+ # Run tests that don't require a premium license without a premium license
539604 - run : pnpm playwright:test --forbid-only --workers 1
540- if : ${{ !matrix.variant.enterprise }}
605+ if : ${{ !matrix.variant.premium }}
541606 env :
542607 DEBUG : pw:api
543608 working-directory : site
544609
545- # Run all of the tests with an enterprise license
610+ # Run all of the tests with a premium license
546611 - run : pnpm playwright:test --forbid-only --workers 1
547- if : ${{ matrix.variant.enterprise }}
612+ if : ${{ matrix.variant.premium }}
548613 env :
549614 DEBUG : pw:api
550- CODER_E2E_ENTERPRISE_LICENSE : ${{ secrets.CODER_E2E_ENTERPRISE_LICENSE }}
551- CODER_E2E_REQUIRE_ENTERPRISE_TESTS : " 1"
615+ CODER_E2E_LICENSE : ${{ secrets.CODER_E2E_LICENSE }}
616+ CODER_E2E_REQUIRE_PREMIUM_TESTS : " 1"
552617 working-directory : site
553- # Temporarily allow these to fail so that I can gather data about which
554- # tests are failing.
555- continue-on-error : true
556618
557619 - name : Upload Playwright Failed Tests
558620 if : always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
559621 uses : actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
560622 with :
561- name : failed-test-videos${{ matrix.variant.enterprise && '-enterprise ' || '-agpl ' }}
623+ name : failed-test-videos${{ matrix.variant.premium && '-premium ' || '' }}
562624 path : ./site/test-results/**/*.webm
563625 retention-days : 7
564626
565627 - name : Upload pprof dumps
566628 if : always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
567629 uses : actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
568630 with :
569- name : debug-pprof-dumps${{ matrix.variant.enterprise && '-enterprise ' || '-agpl ' }}
631+ name : debug-pprof-dumps${{ matrix.variant.premium && '-premium ' || '' }}
570632 path : ./site/test-results/**/debug-pprof-*.txt
571633 retention-days : 7
572634
@@ -576,6 +638,11 @@ jobs:
576638 needs : changes
577639 if : needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true'
578640 steps :
641+ - name : Harden Runner
642+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
643+ with :
644+ egress-policy : audit
645+
579646 - name : Checkout
580647 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
581648 with :
@@ -648,6 +715,11 @@ jobs:
648715 if : needs.changes.outputs.offlinedocs == 'true' || needs.changes.outputs.ci == 'true' || needs.changes.outputs.docs == 'true'
649716
650717 steps :
718+ - name : Harden Runner
719+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
720+ with :
721+ egress-policy : audit
722+
651723 - name : Checkout
652724 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
653725 with :
@@ -716,6 +788,11 @@ jobs:
716788 # cancelled.
717789 if : always()
718790 steps :
791+ - name : Harden Runner
792+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
793+ with :
794+ egress-policy : audit
795+
719796 - name : Ensure required checks
720797 run : |
721798 echo "Checking required checks"
@@ -749,6 +826,11 @@ jobs:
749826 outputs :
750827 IMAGE : ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
751828 steps :
829+ - name : Harden Runner
830+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
831+ with :
832+ egress-policy : audit
833+
752834 - name : Checkout
753835 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
754836 with :
@@ -868,6 +950,11 @@ jobs:
868950 contents : read
869951 id-token : write
870952 steps :
953+ - name : Harden Runner
954+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
955+ with :
956+ egress-policy : audit
957+
871958 - name : Checkout
872959 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
873960 with :
@@ -925,6 +1012,11 @@ jobs:
9251012 needs : build
9261013 if : github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
9271014 steps :
1015+ - name : Harden Runner
1016+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
1017+ with :
1018+ egress-policy : audit
1019+
9281020 - name : Checkout
9291021 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
9301022 with :
@@ -955,6 +1047,11 @@ jobs:
9551047 needs : changes
9561048 if : needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
9571049 steps :
1050+ - name : Harden Runner
1051+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
1052+ with :
1053+ egress-policy : audit
1054+
9581055 - name : Checkout
9591056 uses : actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
9601057 with :
0 commit comments