coder
diff --git a/‎.github/workflows/coder.yaml
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/coder.yaml
Lines changed: 7 additions & 7 deletions
diff --git a/‎.github/workflows/dogfood.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/dogfood.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yaml
Lines changed: 23 additions & 1 deletion b/‎.github/workflows/release.yaml
Lines changed: 23 additions & 1 deletion
diff --git a/‎.github/workflows/typos.toml
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/typos.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎.gitignore
Lines changed: 3 additions & 0 deletions b/‎.gitignore
Lines changed: 3 additions & 0 deletions
diff --git a/‎Makefile
Lines changed: 9 additions & 0 deletions b/‎Makefile
Lines changed: 9 additions & 0 deletions
diff --git a/‎agent/agent.go
Lines changed: 37 additions & 11 deletions b/‎agent/agent.go
Lines changed: 37 additions & 11 deletions
diff --git a/‎agent/agent_test.go
Lines changed: 14 additions & 5 deletions b/‎agent/agent_test.go
Lines changed: 14 additions & 5 deletions
diff --git a/‎agent/apphealth.go
Lines changed: 6 additions & 6 deletions b/‎agent/apphealth.go
Lines changed: 6 additions & 6 deletions
@@ -34,7 +34,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
       - name: typos-action
-        uses: crate-ci/typos@v1.12.8
+        uses: crate-ci/typos@v1.12.12
         with:
           config: .github/workflows/typos.toml
       - name: Fix Helper
@@ -89,14 +89,14 @@ jobs:
   style-lint-golangci:
     name: style/lint/golangci
     timeout-minutes: 5
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
           go-version: "~1.19"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3.2.0
+        uses: golangci/golangci-lint-action@v3.3.0
         with:
           version: v1.48.0
 
@@ -171,7 +171,7 @@ jobs:
   gen:
     name: "style/gen"
     timeout-minutes: 8
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
     needs: changes
     if: needs.changes.outputs.docs-only == 'false'
     steps:
@@ -276,7 +276,7 @@ jobs:
 
   test-go:
     name: "test/go"
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.os == 'ubuntu-latest' && github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || matrix.os }}
     timeout-minutes: 20
     strategy:
       matrix:
@@ -356,7 +356,7 @@ jobs:
 
   test-go-postgres:
     name: "test/go/postgres"
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
     # This timeout must be greater than the timeout set by `go test` in
     # `make test-postgres` to ensure we receive a trace of running
     # goroutines. Setting this to the timeout +5m should work quite well
@@ -417,7 +417,7 @@ jobs:
 
   deploy:
     name: "deploy"
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
     timeout-minutes: 30
     needs: changes
     if: |
 
@@ -17,7 +17,7 @@ jobs:
     steps:
       - name: Get branch name
         id: branch-name
-        uses: tj-actions/branch-names@v6.1
+        uses: tj-actions/branch-names@v6.2
 
       - name: "Branch name to Docker tag name"
         id: docker-tag-name
 
@@ -20,13 +20,15 @@ permissions:
   contents: write
   # Necessary to push docker images to ghcr.io.
   packages: write
+  # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+  id-token: write
 
 env:
   CODER_RELEASE: ${{ github.event.inputs.snapshot && 'false' || 'true' }}
 
 jobs:
   release:
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
     env:
       # Necessary for Docker manifest
       DOCKER_CLI_EXPERIMENTAL: "enabled"
@@ -167,6 +169,26 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v0
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_ID_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Setup GCloud SDK
+        uses: 'google-github-actions/setup-gcloud@v0'
+
+      - name: Publish Helm Chart
+        run: |
+          set -euo pipefail
+          version="$(./scripts/version.sh)"
+          mkdir -p build/helm
+          cp "build/coder_helm_${version}.tgz" build/helm
+          gsutil cp gs://helm.coder.com/v2/index.yaml build/helm/index.yaml
+          helm repo index build/helm --url https://helm.coder.com/v2 --merge build/helm/index.yaml
+          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/coder_helm_${version}.tgz gs://helm.coder.com/v2
+          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/index.yaml gs://helm.coder.com/v2
+
       - name: Upload artifacts to actions (if dry-run or snapshot)
         if: ${{ github.event.inputs.dry_run || github.event.inputs.snapshot }}
         uses: actions/upload-artifact@v2
 
@@ -7,6 +7,7 @@ MacOS = "macOS"
 [default.extend-words]
 # do as sudo replacement
 doas = "doas"
+darcula = "darcula"
 
 [files]
 extend-exclude = [
 
@@ -18,6 +18,9 @@ gotests.coverage
 .gitpod.yml
 .DS_Store
 
+# Make target for updating golden files.
+cli/testdata/.gen-golden
+
 # Front-end ignore
 .next/
 site/.eslintcache
 
@@ -443,6 +443,15 @@ site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find codersdk
 	cd site
 	yarn run format:types
 
+update-golden-files: cli/testdata/.gen-golden
+.PHONY: update-golden-files
+
+cli/testdata/.gen-golden: $(wildcard cli/testdata/*.golden) \
+	$(shell find . -not -path './vendor/*' -type f -name '*.go')
+
+	go test ./cli -run=TestCommandHelp -update
+	touch "$@"
+
 test: test-clean
 	gotestsum -- -v -short ./...
 .PHONY: test
 
@@ -56,7 +56,7 @@ const (
 
 type Options struct {
 	Filesystem             afero.Fs
-	ExchangeToken          func(ctx context.Context) error
+	ExchangeToken          func(ctx context.Context) (string, error)
 	Client                 Client
 	ReconnectingPTYTimeout time.Duration
 	EnvironmentVariables   map[string]string
@@ -78,6 +78,11 @@ func New(options Options) io.Closer {
 	if options.Filesystem == nil {
 		options.Filesystem = afero.NewOsFs()
 	}
+	if options.ExchangeToken == nil {
+		options.ExchangeToken = func(ctx context.Context) (string, error) {
+			return "", nil
+		}
+	}
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	server := &agent{
 		reconnectingPTYTimeout: options.ReconnectingPTYTimeout,
@@ -97,7 +102,7 @@ func New(options Options) io.Closer {
 type agent struct {
 	logger        slog.Logger
 	client        Client
-	exchangeToken func(ctx context.Context) error
+	exchangeToken func(ctx context.Context) (string, error)
 	filesystem    afero.Fs
 
 	reconnectingPTYs       sync.Map
@@ -110,8 +115,9 @@ type agent struct {
 
 	envVars map[string]string
 	// metadata is atomic because values can change after reconnection.
-	metadata  atomic.Value
-	sshServer *ssh.Server
+	metadata     atomic.Value
+	sessionToken atomic.Pointer[string]
+	sshServer    *ssh.Server
 
 	network *tailnet.Conn
 	stats   *Stats
@@ -147,14 +153,13 @@ func (a *agent) run(ctx context.Context) error {
 	// This allows the agent to refresh it's token if necessary.
 	// For instance identity this is required, since the instance
 	// may not have re-provisioned, but a new agent ID was created.
-	if a.exchangeToken != nil {
-		err := a.exchangeToken(ctx)
-		if err != nil {
-			return xerrors.Errorf("exchange token: %w", err)
-		}
+	sessionToken, err := a.exchangeToken(ctx)
+	if err != nil {
+		return xerrors.Errorf("exchange token: %w", err)
 	}
+	a.sessionToken.Store(&sessionToken)
 
-	err := a.client.PostWorkspaceAgentVersion(ctx, buildinfo.Version())
+	err = a.client.PostWorkspaceAgentVersion(ctx, buildinfo.Version())
 	if err != nil {
 		return xerrors.Errorf("update workspace agent version: %w", err)
 	}
@@ -221,12 +226,18 @@ func (a *agent) run(ctx context.Context) error {
 }
 
 func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) (*tailnet.Conn, error) {
+	a.closeMutex.Lock()
+	if a.isClosed() {
+		a.closeMutex.Unlock()
+		return nil, xerrors.New("closed")
+	}
 	network, err := tailnet.NewConn(&tailnet.Options{
 		Addresses: []netip.Prefix{netip.PrefixFrom(codersdk.TailnetIP, 128)},
 		DERPMap:   derpMap,
 		Logger:    a.logger.Named("tailnet"),
 	})
 	if err != nil {
+		a.closeMutex.Unlock()
 		return nil, xerrors.Errorf("create tailnet: %w", err)
 	}
 	a.network = network
@@ -237,12 +248,15 @@ func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) (*t
 		}
 		return a.stats.wrapConn(conn)
 	})
+	a.connCloseWait.Add(4)
+	a.closeMutex.Unlock()
 
 	sshListener, err := network.Listen("tcp", ":"+strconv.Itoa(codersdk.TailnetSSHPort))
 	if err != nil {
 		return nil, xerrors.Errorf("listen on the ssh port: %w", err)
 	}
 	go func() {
+		defer a.connCloseWait.Done()
 		for {
 			conn, err := sshListener.Accept()
 			if err != nil {
@@ -257,6 +271,7 @@ func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) (*t
 		return nil, xerrors.Errorf("listen for reconnecting pty: %w", err)
 	}
 	go func() {
+		defer a.connCloseWait.Done()
 		for {
 			conn, err := reconnectingPTYListener.Accept()
 			if err != nil {
@@ -291,6 +306,7 @@ func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) (*t
 		return nil, xerrors.Errorf("listen for speedtest: %w", err)
 	}
 	go func() {
+		defer a.connCloseWait.Done()
 		for {
 			conn, err := speedtestListener.Accept()
 			if err != nil {
@@ -312,6 +328,7 @@ func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) (*t
 		return nil, xerrors.Errorf("listen for statistics: %w", err)
 	}
 	go func() {
+		defer a.connCloseWait.Done()
 		defer statisticsListener.Close()
 		server := &http.Server{
 			Handler:           a.statisticsHandler(),
@@ -553,13 +570,15 @@ func (a *agent) createCommand(ctx context.Context, rawCommand string, env []stri
 	// Set environment variables reliable detection of being inside a
 	// Coder workspace.
 	cmd.Env = append(cmd.Env, "CODER=true")
-
 	cmd.Env = append(cmd.Env, fmt.Sprintf("USER=%s", username))
 	// Git on Windows resolves with UNIX-style paths.
 	// If using backslashes, it's unable to find the executable.
 	unixExecutablePath := strings.ReplaceAll(executablePath, "\\", "/")
 	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_SSH_COMMAND=%s gitssh --`, unixExecutablePath))
 
+	// Specific Coder subcommands require the agent token exposed!
+	cmd.Env = append(cmd.Env, fmt.Sprintf("CODER_AGENT_TOKEN=%s", *a.sessionToken.Load()))
+
 	// Set SSH connection environment variables (these are also set by OpenSSH
 	// and thus expected to be present by SSH clients). Since the agent does
 	// networking in-memory, trying to provide accurate values here would be
@@ -569,6 +588,13 @@ func (a *agent) createCommand(ctx context.Context, rawCommand string, env []stri
 	cmd.Env = append(cmd.Env, fmt.Sprintf("SSH_CLIENT=%s %s %s", srcAddr, srcPort, dstPort))
 	cmd.Env = append(cmd.Env, fmt.Sprintf("SSH_CONNECTION=%s %s %s %s", srcAddr, srcPort, dstAddr, dstPort))
 
+	// This adds the ports dialog to code-server that enables
+	// proxying a port dynamically.
+	cmd.Env = append(cmd.Env, fmt.Sprintf("VSCODE_PROXY_URI=%s", metadata.VSCodePortProxyURI))
+
+	// Hide Coder message on code-server's "Getting Started" page
+	cmd.Env = append(cmd.Env, "CS_DISABLE_GETTING_STARTED_OVERRIDE=true")
+
 	// Load environment variables passed via the agent.
 	// These should override all variables we manually specify.
 	for envKey, value := range metadata.EnvironmentVariables {
 
@@ -11,6 +11,7 @@ import (
 	"os"
 	"os/exec"
 	"os/user"
+	"path"
 	"path/filepath"
 	"runtime"
 	"strconv"
@@ -22,6 +23,7 @@ import (
 
 	"golang.org/x/xerrors"
 	"tailscale.com/net/speedtest"
+	"tailscale.com/tailcfg"
 
 	scp "github.com/bramvdbogaerde/go-scp"
 	"github.com/google/uuid"
@@ -231,7 +233,13 @@ func TestAgent(t *testing.T) {
 		require.NoError(t, err, "get working directory")
 		require.Equal(t, home, wd, "working directory should be home user home")
 		tempFile := filepath.Join(t.TempDir(), "sftp")
-		file, err := client.Create(tempFile)
+		// SFTP only accepts unix-y paths.
+		remoteFile := filepath.ToSlash(tempFile)
+		if !path.IsAbs(remoteFile) {
+			// On Windows, e.g. "/C:/Users/...".
+			remoteFile = path.Join("/", remoteFile)
+		}
+		file, err := client.Create(remoteFile)
 		require.NoError(t, err)
 		err = file.Close()
 		require.NoError(t, err)
@@ -525,9 +533,9 @@ func TestAgent(t *testing.T) {
 		}
 		initialized := atomic.Int32{}
 		closer := agent.New(agent.Options{
-			ExchangeToken: func(ctx context.Context) error {
+			ExchangeToken: func(ctx context.Context) (string, error) {
 				initialized.Add(1)
-				return nil
+				return "", nil
 			},
 			Client: client,
 			Logger: slogtest.Make(t, nil).Leveled(slog.LevelInfo),
@@ -552,14 +560,15 @@ func TestAgent(t *testing.T) {
 			agentID: uuid.New(),
 			metadata: codersdk.WorkspaceAgentMetadata{
 				GitAuthConfigs: 1,
+				DERPMap:        &tailcfg.DERPMap{},
 			},
 			statsChan:   make(chan *codersdk.AgentStats),
 			coordinator: tailnet.NewCoordinator(),
 		}
 		filesystem := afero.NewMemMapFs()
 		closer := agent.New(agent.Options{
-			ExchangeToken: func(ctx context.Context) error {
-				return nil
+			ExchangeToken: func(ctx context.Context) (string, error) {
+				return "", nil
 			},
 			Client:     client,
 			Logger:     slogtest.Make(t, nil).Leveled(slog.LevelInfo),
 
@@ -33,7 +33,7 @@ func NewWorkspaceAppHealthReporter(logger slog.Logger, apps []codersdk.Workspace
 		hasHealthchecksEnabled := false
 		health := make(map[string]codersdk.WorkspaceAppHealth, 0)
 		for _, app := range apps {
-			health[app.Name] = app.Health
+			health[app.DisplayName] = app.Health
 			if !hasHealthchecksEnabled && app.Health != codersdk.WorkspaceAppHealthDisabled {
 				hasHealthchecksEnabled = true
 			}
@@ -85,21 +85,21 @@ func NewWorkspaceAppHealthReporter(logger slog.Logger, apps []codersdk.Workspace
 					}()
 					if err != nil {
 						mu.Lock()
-						if failures[app.Name] < int(app.Healthcheck.Threshold) {
+						if failures[app.DisplayName] < int(app.Healthcheck.Threshold) {
 							// increment the failure count and keep status the same.
 							// we will change it when we hit the threshold.
-							failures[app.Name]++
+							failures[app.DisplayName]++
 						} else {
 							// set to unhealthy if we hit the failure threshold.
 							// we stop incrementing at the threshold to prevent the failure value from increasing forever.
-							health[app.Name] = codersdk.WorkspaceAppHealthUnhealthy
+							health[app.DisplayName] = codersdk.WorkspaceAppHealthUnhealthy
 						}
 						mu.Unlock()
 					} else {
 						mu.Lock()
 						// we only need one successful health check to be considered healthy.
-						health[app.Name] = codersdk.WorkspaceAppHealthHealthy
-						failures[app.Name] = 0
+						health[app.DisplayName] = codersdk.WorkspaceAppHealthHealthy
+						failures[app.DisplayName] = 0
 						mu.Unlock()
 					}