coder
diff --git a/‎.github/actions/setup-tf/action.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/actions/setup-tf/action.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 27 additions & 0 deletions b/‎.github/workflows/ci.yaml
Lines changed: 27 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 60 additions & 7 deletions b/‎.github/workflows/release.yaml
Lines changed: 60 additions & 7 deletions
diff --git a/‎agent/agent.go
Lines changed: 39 additions & 12 deletions b/‎agent/agent.go
Lines changed: 39 additions & 12 deletions
diff --git a/‎agent/agentssh/agentssh.go
Lines changed: 3 additions & 1 deletion b/‎agent/agentssh/agentssh.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎agent/agentssh/agentssh_test.go
Lines changed: 11 additions & 2 deletions b/‎agent/agentssh/agentssh_test.go
Lines changed: 11 additions & 2 deletions
diff --git a/‎agent/agentssh/exec_windows.go
Lines changed: 7 additions & 3 deletions b/‎agent/agentssh/exec_windows.go
Lines changed: 7 additions & 3 deletions
diff --git a/‎cli/configssh.go
Lines changed: 26 additions & 2 deletions b/‎cli/configssh.go
Lines changed: 26 additions & 2 deletions
diff --git a/‎cli/configssh_test.go
Lines changed: 2 additions & 0 deletions b/‎cli/configssh_test.go
Lines changed: 2 additions & 0 deletions
@@ -7,5 +7,5 @@ runs:
     - name: Install Terraform
       uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
-        terraform_version: 1.11.2
+        terraform_version: 1.11.3
         terraform_wrapper: false
@@ -1180,6 +1180,33 @@ jobs:
             done
           fi
 
+      - name: SBOM Generation and Attestation
+        if: github.ref == 'refs/heads/main'
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          set -euxo pipefail
+
+          # Define image base and tags
+          IMAGE_BASE="ghcr.io/coder/coder-preview"
+          TAGS=("${{ steps.build-docker.outputs.tag }}" "main" "latest")
+
+          # Generate and attest SBOM for each tag
+          for tag in "${TAGS[@]}"; do
+            IMAGE="${IMAGE_BASE}:${tag}"
+            SBOM_FILE="coder_sbom_${tag//[:\/]/_}.spdx.json"
+
+            echo "Generating SBOM for image: ${IMAGE}"
+            syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"
+
+            echo "Attesting SBOM to image: ${IMAGE}"
+            cosign clean "${IMAGE}"
+            cosign attest --type spdxjson \
+              --predicate "${SBOM_FILE}" \
+              --yes \
+              "${IMAGE}"
+          done
+
       # GitHub attestation provides SLSA provenance for the Docker images, establishing a verifiable
       # record that these images were built in GitHub Actions with specific inputs and environment.
       # This complements our existing cosign attestations which focus on SBOMs.
 
@@ -496,6 +496,39 @@ jobs:
         env:
           CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }}
 
+      - name: SBOM Generation and Attestation
+        if: ${{ !inputs.dry_run }}
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          set -euxo pipefail
+
+          # Generate SBOM for multi-arch image with version in filename
+          echo "Generating SBOM for multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
+          syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json > coder_${{ steps.version.outputs.version }}_sbom.spdx.json
+
+          # Attest SBOM to multi-arch image
+          echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
+          cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
+          cosign attest --type spdxjson \
+            --predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \
+            --yes \
+            "${{ steps.build_docker.outputs.multiarch_image }}"
+
+          # If latest tag was created, also attest it
+          if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
+            latest_tag="$(./scripts/image_tag.sh --version latest)"
+            echo "Generating SBOM for latest image: ${latest_tag}"
+            syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
+
+            echo "Attesting SBOM to latest image: ${latest_tag}"
+            cosign clean "${latest_tag}"
+            cosign attest --type spdxjson \
+              --predicate coder_latest_sbom.spdx.json \
+              --yes \
+              "${latest_tag}"
+          fi
+
       - name: GitHub Attestation for Docker image
         id: attest_main
         if: ${{ !inputs.dry_run }}
@@ -612,16 +645,27 @@ jobs:
           fi
           declare -p publish_args
 
+          # Build the list of files to publish
+          files=(
+            ./build/*_installer.exe
+            ./build/*.zip
+            ./build/*.tar.gz
+            ./build/*.tgz
+            ./build/*.apk
+            ./build/*.deb
+            ./build/*.rpm
+            ./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
+          )
+
+          # Only include the latest SBOM file if it was created
+          if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
+            files+=(./coder_latest_sbom.spdx.json)
+          fi
+
           ./scripts/release/publish.sh \
             "${publish_args[@]}" \
             --release-notes-file "$CODER_RELEASE_NOTES_FILE" \
-            ./build/*_installer.exe \
-            ./build/*.zip \
-            ./build/*.tar.gz \
-            ./build/*.tgz \
-            ./build/*.apk \
-            ./build/*.deb \
-            ./build/*.rpm
+            "${files[@]}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
@@ -663,6 +707,15 @@ jobs:
             ./build/*.apk
             ./build/*.deb
             ./build/*.rpm
+            ./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
+          retention-days: 7
+
+      - name: Upload latest sbom artifact to actions (if dry-run)
+        if: inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: latest-sbom-artifact
+          path: ./coder_latest_sbom.spdx.json
           retention-days: 7
 
       - name: Send repository-dispatch event
 
@@ -907,7 +907,7 @@ func (a *agent) run() (retErr error) {
 	defer func() {
 		cErr := aAPI.DRPCConn().Close()
 		if cErr != nil {
-			a.logger.Debug(a.hardCtx, "error closing drpc connection", slog.Error(err))
+			a.logger.Debug(a.hardCtx, "error closing drpc connection", slog.Error(cErr))
 		}
 	}()
 
@@ -1186,9 +1186,9 @@ func (a *agent) createOrUpdateNetwork(manifestOK, networkOK *checkpoint) func(co
 		network := a.network
 		a.closeMutex.Unlock()
 		if network == nil {
-			keySeed, err := WorkspaceKeySeed(manifest.WorkspaceID, manifest.AgentName)
+			keySeed, err := SSHKeySeed(manifest.OwnerName, manifest.WorkspaceName, manifest.AgentName)
 			if err != nil {
-				return xerrors.Errorf("generate seed from workspace id: %w", err)
+				return xerrors.Errorf("generate SSH key seed: %w", err)
 			}
 			// use the graceful context here, because creating the tailnet is not itself tied to the
 			// agent API.
@@ -1518,14 +1518,11 @@ func (a *agent) runCoordinator(ctx context.Context, tClient tailnetproto.DRPCTai
 	a.logger.Info(ctx, "connected to coordination RPC")
 
 	// This allows the Close() routine to wait for the coordinator to gracefully disconnect.
-	a.closeMutex.Lock()
-	if a.isClosed() {
-		return nil
+	disconnected := a.setCoordDisconnected()
+	if disconnected == nil {
+		return nil // already closed by something else
 	}
-	disconnected := make(chan struct{})
-	a.coordDisconnected = disconnected
 	defer close(disconnected)
-	a.closeMutex.Unlock()
 
 	ctrl := tailnet.NewAgentCoordinationController(a.logger, network)
 	coordination := ctrl.New(coordinate)
@@ -1547,6 +1544,17 @@ func (a *agent) runCoordinator(ctx context.Context, tClient tailnetproto.DRPCTai
 	return <-errCh
 }
 
+func (a *agent) setCoordDisconnected() chan struct{} {
+	a.closeMutex.Lock()
+	defer a.closeMutex.Unlock()
+	if a.isClosed() {
+		return nil
+	}
+	disconnected := make(chan struct{})
+	a.coordDisconnected = disconnected
+	return disconnected
+}
+
 // runDERPMapSubscriber runs a coordinator and returns if a reconnect should occur.
 func (a *agent) runDERPMapSubscriber(ctx context.Context, tClient tailnetproto.DRPCTailnetClient24, network *tailnet.Conn) error {
 	defer a.logger.Debug(ctx, "disconnected from derp map RPC")
@@ -2068,12 +2076,31 @@ func PrometheusMetricsHandler(prometheusRegistry *prometheus.Registry, logger sl
 	})
 }
 
-// WorkspaceKeySeed converts a WorkspaceID UUID and agent name to an int64 hash.
+// SSHKeySeed converts an owner userName, workspaceName and agentName to an int64 hash.
 // This uses the FNV-1a hash algorithm which provides decent distribution and collision
 // resistance for string inputs.
-func WorkspaceKeySeed(workspaceID uuid.UUID, agentName string) (int64, error) {
+//
+// Why owner username, workspace name, and agent name? These are the components that are used in hostnames for the
+// workspace over SSH, and so we want the workspace to have a stable key with respect to these.  We don't use the
+// respective UUIDs.  The workspace UUID would be different if you delete and recreate a workspace with the same name.
+// The agent UUID is regenerated on each build. Since Coder's Tailnet networking is handling the authentication, we
+// should not be showing users warnings about host SSH keys.
+func SSHKeySeed(userName, workspaceName, agentName string) (int64, error) {
 	h := fnv.New64a()
-	_, err := h.Write(workspaceID[:])
+	_, err := h.Write([]byte(userName))
+	if err != nil {
+		return 42, err
+	}
+	// null separators between strings so that (dog, foodstuff) is distinct from (dogfood, stuff)
+	_, err = h.Write([]byte{0})
+	if err != nil {
+		return 42, err
+	}
+	_, err = h.Write([]byte(workspaceName))
+	if err != nil {
+		return 42, err
+	}
+	_, err = h.Write([]byte{0})
 	if err != nil {
 		return 42, err
 	}
 
@@ -1060,8 +1060,10 @@ func (s *Server) Close() error {
 	// Guard against multiple calls to Close and
 	// accepting new connections during close.
 	if s.closing != nil {
+		closing := s.closing
 		s.mu.Unlock()
-		return xerrors.New("server is closing")
+		<-closing
+		return xerrors.New("server is closed")
 	}
 	s.closing = make(chan struct{})
 
 
@@ -153,7 +153,9 @@ func TestNewServer_CloseActiveConnections(t *testing.T) {
 		logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug)
 		s, err := agentssh.NewServer(ctx, logger, prometheus.NewRegistry(), afero.NewMemMapFs(), agentexec.DefaultExecer, nil)
 		require.NoError(t, err)
-		defer s.Close()
+		t.Cleanup(func() {
+			_ = s.Close()
+		})
 		err = s.UpdateHostSigner(42)
 		assert.NoError(t, err)
 
@@ -190,10 +192,17 @@ func TestNewServer_CloseActiveConnections(t *testing.T) {
 				}
 				// The 60 seconds here is intended to be longer than the
 				// test. The shutdown should propagate.
-				err = sess.Start("/bin/bash -c 'trap \"sleep 60\" SIGTERM; sleep 60'")
+				if runtime.GOOS == "windows" {
+					// Best effort to at least partially test this in Windows.
+					err = sess.Start("echo start\"ed\" && sleep 60")
+				} else {
+					err = sess.Start("/bin/bash -c 'trap \"sleep 60\" SIGTERM; echo start\"ed\"; sleep 60'")
+				}
 				assert.NoError(t, err)
 
+				pty.ExpectMatchContext(ctx, "started")
 				close(ch)
+
 				err = sess.Wait()
 				assert.Error(t, err)
 			}(waitConns[i])
 
@@ -2,7 +2,6 @@ package agentssh
 
 import (
 	"context"
-	"os"
 	"os/exec"
 	"syscall"
 
@@ -15,7 +14,12 @@ func cmdSysProcAttr() *syscall.SysProcAttr {
 
 func cmdCancel(ctx context.Context, logger slog.Logger, cmd *exec.Cmd) func() error {
 	return func() error {
-		logger.Debug(ctx, "cmdCancel: sending interrupt to process", slog.F("pid", cmd.Process.Pid))
-		return cmd.Process.Signal(os.Interrupt)
+		logger.Debug(ctx, "cmdCancel: killing process", slog.F("pid", cmd.Process.Pid))
+		// Windows doesn't support sending signals to process groups, so we
+		// have to kill the process directly. In the future, we may want to
+		// implement a more sophisticated solution for process groups on
+		// Windows, but for now, this is a simple way to ensure that the
+		// process is terminated when the context is cancelled.
+		return cmd.Process.Kill()
 	}
 }
@@ -45,8 +45,10 @@ const (
 // sshConfigOptions represents options that can be stored and read
 // from the coder config in ~/.ssh/coder.
 type sshConfigOptions struct {
-	waitEnum         string
+	waitEnum string
+	// Deprecated: moving away from prefix to hostnameSuffix
 	userHostPrefix   string
+	hostnameSuffix   string
 	sshOptions       []string
 	disableAutostart bool
 	header           []string
@@ -97,7 +99,11 @@ func (o sshConfigOptions) equal(other sshConfigOptions) bool {
 	if !slicesSortedEqual(o.header, other.header) {
 		return false
 	}
-	return o.waitEnum == other.waitEnum && o.userHostPrefix == other.userHostPrefix && o.disableAutostart == other.disableAutostart && o.headerCommand == other.headerCommand
+	return o.waitEnum == other.waitEnum &&
+		o.userHostPrefix == other.userHostPrefix &&
+		o.disableAutostart == other.disableAutostart &&
+		o.headerCommand == other.headerCommand &&
+		o.hostnameSuffix == other.hostnameSuffix
 }
 
 // slicesSortedEqual compares two slices without side-effects or regard to order.
@@ -119,6 +125,9 @@ func (o sshConfigOptions) asList() (list []string) {
 	if o.userHostPrefix != "" {
 		list = append(list, fmt.Sprintf("ssh-host-prefix: %s", o.userHostPrefix))
 	}
+	if o.hostnameSuffix != "" {
+		list = append(list, fmt.Sprintf("hostname-suffix: %s", o.hostnameSuffix))
+	}
 	if o.disableAutostart {
 		list = append(list, fmt.Sprintf("disable-autostart: %v", o.disableAutostart))
 	}
@@ -314,6 +323,10 @@ func (r *RootCmd) configSSH() *serpent.Command {
 				// Override with user flag.
 				coderdConfig.HostnamePrefix = sshConfigOpts.userHostPrefix
 			}
+			if sshConfigOpts.hostnameSuffix != "" {
+				// Override with user flag.
+				coderdConfig.HostnameSuffix = sshConfigOpts.hostnameSuffix
+			}
 
 			// Write agent configuration.
 			defaultOptions := []string{
@@ -518,6 +531,12 @@ func (r *RootCmd) configSSH() *serpent.Command {
 			Description: "Override the default host prefix.",
 			Value:       serpent.StringOf(&sshConfigOpts.userHostPrefix),
 		},
+		{
+			Flag:        "hostname-suffix",
+			Env:         "CODER_CONFIGSSH_HOSTNAME_SUFFIX",
+			Description: "Override the default hostname suffix.",
+			Value:       serpent.StringOf(&sshConfigOpts.hostnameSuffix),
+		},
 		{
 			Flag:        "wait",
 			Env:         "CODER_CONFIGSSH_WAIT", // Not to be mixed with CODER_SSH_WAIT.
@@ -568,6 +587,9 @@ func sshConfigWriteSectionHeader(w io.Writer, addNewline bool, o sshConfigOption
 	if o.userHostPrefix != "" {
 		_, _ = fmt.Fprintf(&ow, "# :%s=%s\n", "ssh-host-prefix", o.userHostPrefix)
 	}
+	if o.hostnameSuffix != "" {
+		_, _ = fmt.Fprintf(&ow, "# :%s=%s\n", "hostname-suffix", o.hostnameSuffix)
+	}
 	if o.disableAutostart {
 		_, _ = fmt.Fprintf(&ow, "# :%s=%v\n", "disable-autostart", o.disableAutostart)
 	}
@@ -607,6 +629,8 @@ func sshConfigParseLastOptions(r io.Reader) (o sshConfigOptions) {
 				o.waitEnum = parts[1]
 			case "ssh-host-prefix":
 				o.userHostPrefix = parts[1]
+			case "hostname-suffix":
+				o.hostnameSuffix = parts[1]
 			case "ssh-option":
 				o.sshOptions = append(o.sshOptions, parts[1])
 			case "disable-autostart":
 
@@ -432,6 +432,7 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 						"# Last config-ssh options:",
 						"# :wait=yes",
 						"# :ssh-host-prefix=coder-test.",
+						"# :hostname-suffix=coder-suffix",
 						"# :header=X-Test-Header=foo",
 						"# :header=X-Test-Header2=bar",
 						"# :header-command=printf h1=v1 h2=\"v2\" h3='v3'",
@@ -447,6 +448,7 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 				"--yes",
 				"--wait=yes",
 				"--ssh-host-prefix", "coder-test.",
+				"--hostname-suffix", "coder-suffix",
 				"--header", "X-Test-Header=foo",
 				"--header", "X-Test-Header2=bar",
 				"--header-command", "printf h1=v1 h2=\"v2\" h3='v3'",