coder
diff --git a/‎.github/workflows/ci.yaml
+2-2 b/‎.github/workflows/ci.yaml
+2-2
diff --git a/‎.github/workflows/pr-deploy.yaml
+26-13 b/‎.github/workflows/pr-deploy.yaml
+26-13
diff --git a/‎.github/workflows/scorecard.yml
+1-1 b/‎.github/workflows/scorecard.yml
+1-1
diff --git a/‎.github/workflows/security.yaml
+3-3 b/‎.github/workflows/security.yaml
+3-3
diff --git a/‎.github/workflows/weekly-docs.yaml
+5-5 b/‎.github/workflows/weekly-docs.yaml
+5-5
diff --git a/‎agent/reconnectingpty/screen.go
+2-2 b/‎agent/reconnectingpty/screen.go
+2-2
diff --git a/‎cli/cliui/agent.go
+2-1 b/‎cli/cliui/agent.go
+2-1
diff --git a/‎cli/ping.go
+25-5 b/‎cli/ping.go
+25-5
diff --git a/‎cli/testdata/coder_server_--help.golden
-13 b/‎cli/testdata/coder_server_--help.golden
-13
@@ -188,7 +188,7 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@d01f29c66d1bf1a08730750f61d86c210b0d039d # v1.27.0
+        uses: crate-ci/typos@b74202f74b4346efdbce7801d187ec57b266bac8 # v1.27.3
         with:
           config: .github/workflows/typos.toml
 
@@ -211,7 +211,7 @@ jobs:
 
       - name: Check workflow files
         run: |
-          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.6.22
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.4
           ./actionlint -color -shellcheck= -ignore "set-output"
         shell: bash
 
 
@@ -110,7 +110,7 @@ jobs:
           set -euo pipefail
           mkdir -p ~/.kube
           echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
-          chmod 644 ~/.kube/config
+          chmod 600 ~/.kube/config
           export KUBECONFIG=~/.kube/config
 
       - name: Check if the helm deployment already exists
@@ -284,7 +284,7 @@ jobs:
           set -euo pipefail
           mkdir -p ~/.kube
           echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
-          chmod 644 ~/.kube/config
+          chmod 600 ~/.kube/config
           export KUBECONFIG=~/.kube/config
 
       - name: Check if image exists
@@ -421,14 +421,14 @@ jobs:
           "${DEST}" version
           mv "${DEST}" /usr/local/bin/coder
 
-      - name: Create first user, template and workspace
+      - name: Create first user
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
         id: setup_deployment
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -euo pipefail
 
-          # Create first user
-
           # create a masked random password 12 characters long
           password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-12)
 
@@ -437,20 +437,22 @@ jobs:
           echo "password=$password" >> $GITHUB_OUTPUT
 
           coder login \
-            --first-user-username coder \
+            --first-user-username pr${{ env.PR_NUMBER }}-admin \
             --first-user-email pr${{ env.PR_NUMBER }}@coder.com \
             --first-user-password $password \
             --first-user-trial=false \
             --use-token-as-session \
             https://${{ env.PR_HOSTNAME }}
 
-          # Create template
-          cd ./.github/pr-deployments/template
-          coder templates push -y --variable namespace=pr${{ env.PR_NUMBER }} kubernetes
+          # Create a user for the github.actor
+          # TODO: update once https://github.com/coder/coder/issues/15466 is resolved
+          # coder users create \
+          #   --username ${{ github.actor }} \
+          #   --login-type github
 
-          # Create workspace
-          coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
-          coder stop kube -y
+          # promote the user to admin role
+          # coder org members edit-role ${{ github.actor }} organization-admin
+          # TODO: update once https://github.com/coder/internal/issues/207 is resolved
 
       - name: Send Slack notification
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
@@ -462,7 +464,7 @@ jobs:
               "pr_url": "'"${{ env.PR_URL }}"'",
               "pr_title": "'"${{ env.PR_TITLE }}"'",
               "pr_access_url": "'"https://${{ env.PR_HOSTNAME }}"'",
-              "pr_username": "'"test"'",
+              "pr_username": "'"pr${{ env.PR_NUMBER }}-admin"'",
               "pr_email": "'"pr${{ env.PR_NUMBER }}@coder.com"'",
               "pr_password": "'"${{ steps.setup_deployment.outputs.password }}"'",
               "pr_actor": "'"${{ github.actor }}"'"
@@ -495,3 +497,14 @@ jobs:
             cc: @${{ github.actor }}
           reactions: rocket
           reactions-edit-mode: replace
+
+      - name: Create template and workspace
+        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
+        run: |
+          set -euo pipefail
+          cd .github/pr-deployments/template
+          coder templates push -y --variable namespace=pr${{ env.PR_NUMBER }} kubernetes
+
+          # Create workspace
+          coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
+          coder stop kube -y
@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           sarif_file: results.sarif
@@ -38,7 +38,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           languages: go, javascript
 
@@ -48,7 +48,7 @@ jobs:
           rm Makefile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
 
       - name: Send Slack notification on failure
         if: ${{ failure() }}
@@ -142,7 +142,7 @@ jobs:
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           sarif_file: trivy-results.sarif
           category: "Trivy"
 
@@ -4,11 +4,11 @@ on:
   schedule:
     - cron: "0 9 * * 1"
   workflow_dispatch: # allows to run manually for testing
-  pull_request:
-    branches:
-      - main
-    paths:
-      - "docs/**"
+  # pull_request:
+  #   branches:
+  #     - main
+  #   paths:
+  #     - "docs/**"
 
 permissions:
   contents: read
 
@@ -67,8 +67,6 @@ func newScreen(ctx context.Context, cmd *pty.Cmd, options *Options, logger slog.
 		timeout: options.Timeout,
 	}
 
-	go rpty.lifecycle(ctx, logger)
-
 	// Socket paths are limited to around 100 characters on Linux and macOS which
 	// depending on the temporary directory can be a problem.  To give more leeway
 	// use a short ID.
@@ -80,6 +78,8 @@ func newScreen(ctx context.Context, cmd *pty.Cmd, options *Options, logger slog.
 	}
 	rpty.id = hex.EncodeToString(buf)
 
+	go rpty.lifecycle(ctx, logger)
+
 	settings := []string{
 		// Disable the startup message that appears for five seconds.
 		"startup_message off",
 
@@ -411,7 +411,8 @@ func (d ConnDiags) splitDiagnostics() (general, client, agent []string) {
 	}
 
 	if d.DisableDirect {
-		general = append(general, "❗ Direct connections are disabled locally, by `--disable-direct` or `CODER_DISABLE_DIRECT`")
+		general = append(general, "❗ Direct connections are disabled locally, by `--disable-direct-connections` or `CODER_DISABLE_DIRECT_CONNECTIONS`.\n"+
+			"   They may still be established over a private network.")
 		if !d.Verbose {
 			return general, client, agent
 		}
 
@@ -118,6 +118,7 @@ func (r *RootCmd) ping() *serpent.Command {
 				workspaceName,
 			)
 			if err != nil {
+				spin.Stop()
 				return err
 			}
 
@@ -128,7 +129,6 @@ func (r *RootCmd) ping() *serpent.Command {
 			}
 
 			if r.disableDirect {
-				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
 				opts.BlockEndpoints = true
 			}
 			if !r.disableNetworkTelemetry {
@@ -137,6 +137,7 @@ func (r *RootCmd) ping() *serpent.Command {
 			wsClient := workspacesdk.New(client)
 			conn, err := wsClient.DialAgent(ctx, workspaceAgent.ID, opts)
 			if err != nil {
+				spin.Stop()
 				return err
 			}
 			defer conn.Close()
@@ -168,6 +169,7 @@ func (r *RootCmd) ping() *serpent.Command {
 
 			connInfo, err := wsClient.AgentConnectionInfoGeneric(diagCtx)
 			if err != nil || connInfo.DERPMap == nil {
+				spin.Stop()
 				return xerrors.Errorf("Failed to retrieve connection info from server: %w\n", err)
 			}
 			connDiags.ConnInfo = connInfo
@@ -197,6 +199,11 @@ func (r *RootCmd) ping() *serpent.Command {
 			results := &pingSummary{
 				Workspace: workspaceName,
 			}
+			var (
+				pong *ipnstate.PingResult
+				dur  time.Duration
+				p2p  bool
+			)
 			n := 0
 			start := time.Now()
 		pingLoop:
@@ -207,7 +214,7 @@ func (r *RootCmd) ping() *serpent.Command {
 				n++
 
 				ctx, cancel := context.WithTimeout(ctx, pingTimeout)
-				dur, p2p, pong, err := conn.Ping(ctx)
+				dur, p2p, pong, err = conn.Ping(ctx)
 				cancel()
 				results.addResult(pong)
 				if err != nil {
@@ -275,10 +282,15 @@ func (r *RootCmd) ping() *serpent.Command {
 				}
 			}
 
-			if didP2p {
-				_, _ = fmt.Fprintf(inv.Stderr, "✔ You are connected directly (p2p)\n")
+			if p2p {
+				msg := "✔ You are connected directly (p2p)"
+				if pong != nil && isPrivateEndpoint(pong.Endpoint) {
+					msg += ", over a private network"
+				}
+				_, _ = fmt.Fprintln(inv.Stderr, msg)
 			} else {
-				_, _ = fmt.Fprintf(inv.Stderr, "❗ You are connected via a DERP relay, not directly (p2p)\n%s#common-problems-with-direct-connections\n", connDiags.TroubleshootingURL)
+				_, _ = fmt.Fprintf(inv.Stderr, "❗ You are connected via a DERP relay, not directly (p2p)\n"+
+					"   %s#common-problems-with-direct-connections\n", connDiags.TroubleshootingURL)
 			}
 
 			results.Write(inv.Stdout)
@@ -329,3 +341,11 @@ func isAWSIP(awsRanges *cliutil.AWSIPRanges, ni *tailcfg.NetInfo) bool {
 	}
 	return false
 }
+
+func isPrivateEndpoint(endpoint string) bool {
+	ip, err := netip.ParseAddrPort(endpoint)
+	if err != nil {
+		return false
+	}
+	return ip.Addr().IsPrivate()
+}
@@ -506,11 +506,6 @@ OIDC OPTIONS:
           groups. This filter is applied after the group mapping and before the
           regex filter.
 
-      --oidc-organization-assign-default bool, $CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT (default: true)
-          If set to true, users will always be added to the default
-          organization. If organization sync is enabled, then the default org is
-          always added to the user's set of expectedorganizations.
-
       --oidc-auth-url-params struct[map[string]string], $CODER_OIDC_AUTH_URL_PARAMS (default: {"access_type": "offline"})
           OIDC auth URL parameters to pass to the upstream provider.
 
@@ -557,14 +552,6 @@ OIDC OPTIONS:
       --oidc-name-field string, $CODER_OIDC_NAME_FIELD (default: name)
           OIDC claim field to use as the name.
 
-      --oidc-organization-field string, $CODER_OIDC_ORGANIZATION_FIELD
-          This field must be set if using the organization sync feature. Set to
-          the claim to be used for organizations.
-
-      --oidc-organization-mapping struct[map[string][]uuid.UUID], $CODER_OIDC_ORGANIZATION_MAPPING (default: {})
-          A map of OIDC claims and the organizations in Coder it should map to.
-          This is required because organization IDs must be used within Coder.
-
       --oidc-group-regex-filter regexp, $CODER_OIDC_GROUP_REGEX_FILTER (default: .*)
           If provided any group name not matching the regex is ignored. This
           allows for filtering out groups that are not needed. This filter is
Original file line number	Diff line number	Diff line change
`@@ -411,7 +411,8 @@ func (d ConnDiags) splitDiagnostics() (general, client, agent []string) {`
`411`	`411`	`}`
`412`	`412`
`413`	`413`	`if d.DisableDirect {`
`414`		- general = append(general, "❗ Direct connections are disabled locally, by `--disable-direct` or `CODER_DISABLE_DIRECT`")
	`414`	+ general = append(general, "❗ Direct connections are disabled locally, by `--disable-direct-connections` or `CODER_DISABLE_DIRECT_CONNECTIONS`.\n"+
	`415`	`+ " They may still be established over a private network.")`
`415`	`416`	`if !d.Verbose {`
`416`	`417`	`return general, client, agent`
`417`	`418`	`}`