coder
diff --git a/‎.github/workflows/docker-base.yaml
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/docker-base.yaml
Lines changed: 5 additions & 4 deletions
diff --git a/‎.github/workflows/nightly-gauntlet.yaml
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/nightly-gauntlet.yaml
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/pr-cleanup.yaml
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/pr-cleanup.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/pr-deploy.yaml
Lines changed: 5 additions & 2 deletions b/‎.github/workflows/pr-deploy.yaml
Lines changed: 5 additions & 2 deletions
diff --git a/‎.github/workflows/release-validation.yaml
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/release-validation.yaml
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 8 additions & 6 deletions b/‎.github/workflows/release.yaml
Lines changed: 8 additions & 6 deletions
diff --git a/‎.github/workflows/stale.yaml
Lines changed: 13 additions & 2 deletions b/‎.github/workflows/stale.yaml
Lines changed: 13 additions & 2 deletions
diff --git a/‎cli/server.go
Lines changed: 8 additions & 2 deletions b/‎cli/server.go
Lines changed: 8 additions & 2 deletions
diff --git a/‎cli/templatepush.go
Lines changed: 1 addition & 1 deletion b/‎cli/templatepush.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 69 additions & 3 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 69 additions & 3 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 48 additions & 3 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 48 additions & 3 deletions
@@ -22,17 +22,18 @@ on:
 
 permissions:
   contents: read
-  # Necessary to push docker images to ghcr.io.
-  packages: write
-  # Necessary for depot.dev authentication.
-  id-token: write
 
 # Avoid running multiple jobs for the same commit.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-docker-base
 
 jobs:
   build:
+    permissions:
+      # Necessary for depot.dev authentication.
+      id-token: write
+      # Necessary to push docker images to ghcr.io.
+      packages: write
     runs-on: ubuntu-latest
     if: github.repository_owner == 'coder'
     steps:
 
@@ -6,6 +6,10 @@ on:
     # Every day at midnight
     - cron: "0 0 * * *"
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   go-race:
     # While GitHub's toaster runners are likelier to flake, we want consistency
 
@@ -8,12 +8,12 @@ on:
         description: "PR number"
         required: true
 
-permissions:
-  packages: write
-
 jobs:
   cleanup:
     runs-on: "ubuntu-latest"
+    permissions:
+      # Necessary to delete docker images from ghcr.io.
+      packages: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 
@@ -30,8 +30,6 @@ env:
 
 permissions:
   contents: read
-  packages: write
-  pull-requests: write # needed for commenting on PRs
 
 jobs:
   check_pr:
@@ -171,6 +169,8 @@ jobs:
     needs: get_info
     if: needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true'
     runs-on: "ubuntu-latest"
+    permissions:
+      pull-requests: write # needed for commenting on PRs
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -205,6 +205,9 @@ jobs:
     # Run build job only if there are changes in the files that we care about or if the workflow is manually triggered with --build flag
     if: needs.get_info.outputs.BUILD == 'true'
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    permissions:
+      # Necessary to push docker images to ghcr.io.
+      packages: write
     # This concurrency only cancels build jobs if a new build is triggred. It will avoid cancelling the current deployemtn in case of docs chnages.
     concurrency:
       group: build-${{ github.workflow }}-${{ github.ref }}-${{ needs.get_info.outputs.BUILD }}
 
@@ -5,6 +5,9 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: read
+
 jobs:
   network-performance:
     runs-on: ubuntu-latest
 
@@ -18,12 +18,7 @@ on:
         default: false
 
 permissions:
-  # Required to publish a release
-  contents: write
-  # Necessary to push docker images to ghcr.io.
-  packages: write
-  # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
-  id-token: write
+  contents: read
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
@@ -40,6 +35,13 @@ jobs:
   release:
     name: Build and publish
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    permissions:
+      # Required to publish a release
+      contents: write
+      # Necessary to push docker images to ghcr.io.
+      packages: write
+      # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+      id-token: write
     env:
       # Necessary for Docker manifest
       DOCKER_CLI_EXPERIMENTAL: "enabled"
 
@@ -1,16 +1,21 @@
-name: Stale Issue, Banch and Old Workflows Cleanup
+name: Stale Issue, Branch and Old Workflows Cleanup
 on:
   schedule:
     # Every day at midnight
     - cron: "0 0 * * *"
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   issues:
     runs-on: ubuntu-latest
     permissions:
+      # Needed to close issues.
       issues: write
+      # Needed to close PRs.
       pull-requests: write
-      actions: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -86,6 +91,9 @@ jobs:
 
   branches:
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to delete branches.
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -105,6 +113,9 @@ jobs:
           exclude_open_pr_branches: true
   del_runs:
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to delete workflow runs.
+      actions: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 
@@ -212,10 +212,16 @@ func enablePrometheus(
 	options.PrometheusRegistry.MustRegister(collectors.NewGoCollector())
 	options.PrometheusRegistry.MustRegister(collectors.NewProcessCollector(collectors.ProcessCollectorOpts{}))
 
-	closeUsersFunc, err := prometheusmetrics.ActiveUsers(ctx, options.PrometheusRegistry, options.Database, 0)
+	closeActiveUsersFunc, err := prometheusmetrics.ActiveUsers(ctx, options.Logger.Named("active_user_metrics"), options.PrometheusRegistry, options.Database, 0)
 	if err != nil {
 		return nil, xerrors.Errorf("register active users prometheus metric: %w", err)
 	}
+	afterCtx(ctx, closeActiveUsersFunc)
+
+	closeUsersFunc, err := prometheusmetrics.Users(ctx, options.Logger.Named("user_metrics"), quartz.NewReal(), options.PrometheusRegistry, options.Database, 0)
+	if err != nil {
+		return nil, xerrors.Errorf("register users prometheus metric: %w", err)
+	}
 	afterCtx(ctx, closeUsersFunc)
 
 	closeWorkspacesFunc, err := prometheusmetrics.Workspaces(ctx, options.Logger.Named("workspaces_metrics"), options.PrometheusRegistry, options.Database, 0)
@@ -1035,7 +1041,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			autobuildTicker := time.NewTicker(vals.AutobuildPollInterval.Value())
 			defer autobuildTicker.Stop()
 			autobuildExecutor := autobuild.NewExecutor(
-				ctx, options.Database, options.Pubsub, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, logger, autobuildTicker.C, options.NotificationsEnqueuer)
+				ctx, options.Database, options.Pubsub, options.PrometheusRegistry, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, logger, autobuildTicker.C, options.NotificationsEnqueuer)
 			autobuildExecutor.Run()
 
 			hangDetectorTicker := time.NewTicker(vals.JobHangDetectorInterval.Value())
 
@@ -282,7 +282,7 @@ func (pf *templateUploadFlags) stdin(inv *serpent.Invocation) (out bool) {
 		}
 	}()
 	// We let the directory override our isTTY check
-	return pf.directory == "-" || (!isTTYIn(inv) && pf.directory == "")
+	return pf.directory == "-" || (!isTTYIn(inv) && pf.directory == ".")
 }
 
 func (pf *templateUploadFlags) upload(inv *serpent.Invocation, client *codersdk.Client) (*codersdk.UploadResponse, error) {
 
@@ -106,6 +106,58 @@ Use a YAML configuration file when your server launch become unwieldy.
 
           Write out the current server config as YAML to stdout.
 
+EMAIL OPTIONS: 
+Configure how emails are sent.
+
+      --email-force-tls bool, $CODER_EMAIL_FORCE_TLS (default: false)
+          Force a TLS connection to the configured SMTP smarthost.
+
+      --email-from string, $CODER_EMAIL_FROM
+          The sender's address to use.
+
+      --email-hello string, $CODER_EMAIL_HELLO (default: localhost)
+          The hostname identifying the SMTP server.
+
+      --email-smarthost host:port, $CODER_EMAIL_SMARTHOST (default: localhost:587)
+          The intermediary SMTP host through which emails are sent.
+
+EMAIL / EMAIL AUTHENTICATION OPTIONS: 
+Configure SMTP authentication options.
+
+      --email-auth-identity string, $CODER_EMAIL_AUTH_IDENTITY
+          Identity to use with PLAIN authentication.
+
+      --email-auth-password string, $CODER_EMAIL_AUTH_PASSWORD
+          Password to use with PLAIN/LOGIN authentication.
+
+      --email-auth-password-file string, $CODER_EMAIL_AUTH_PASSWORD_FILE
+          File from which to load password for use with PLAIN/LOGIN
+          authentication.
+
+      --email-auth-username string, $CODER_EMAIL_AUTH_USERNAME
+          Username to use with PLAIN/LOGIN authentication.
+
+EMAIL / EMAIL TLS OPTIONS: 
+Configure TLS for your SMTP server target.
+
+      --email-tls-ca-cert-file string, $CODER_EMAIL_TLS_CACERTFILE
+          CA certificate file to use.
+
+      --email-tls-cert-file string, $CODER_EMAIL_TLS_CERTFILE
+          Certificate file to use.
+
+      --email-tls-cert-key-file string, $CODER_EMAIL_TLS_CERTKEYFILE
+          Certificate key file to use.
+
+      --email-tls-server-name string, $CODER_EMAIL_TLS_SERVERNAME
+          Server name to verify against the target certificate.
+
+      --email-tls-skip-verify bool, $CODER_EMAIL_TLS_SKIPVERIFY
+          Skip verification of the target server's certificate (insecure).
+
+      --email-tls-starttls bool, $CODER_EMAIL_TLS_STARTTLS
+          Enable STARTTLS to upgrade insecure SMTP connections using TLS.
+
 INTROSPECTION / HEALTH CHECK OPTIONS: 
       --health-check-refresh duration, $CODER_HEALTH_CHECK_REFRESH (default: 10m0s)
           Refresh interval for healthchecks.
@@ -349,54 +401,68 @@ Configure how notifications are processed and delivered.
 NOTIFICATIONS / EMAIL OPTIONS: 
 Configure how email notifications are sent.
 
-      --notifications-email-force-tls bool, $CODER_NOTIFICATIONS_EMAIL_FORCE_TLS (default: false)
+      --notifications-email-force-tls bool, $CODER_NOTIFICATIONS_EMAIL_FORCE_TLS
           Force a TLS connection to the configured SMTP smarthost.
+          DEPRECATED: Use --email-force-tls instead.
 
       --notifications-email-from string, $CODER_NOTIFICATIONS_EMAIL_FROM
           The sender's address to use.
+          DEPRECATED: Use --email-from instead.
 
-      --notifications-email-hello string, $CODER_NOTIFICATIONS_EMAIL_HELLO (default: localhost)
+      --notifications-email-hello string, $CODER_NOTIFICATIONS_EMAIL_HELLO
           The hostname identifying the SMTP server.
+          DEPRECATED: Use --email-hello instead.
 
-      --notifications-email-smarthost host:port, $CODER_NOTIFICATIONS_EMAIL_SMARTHOST (default: localhost:587)
+      --notifications-email-smarthost host:port, $CODER_NOTIFICATIONS_EMAIL_SMARTHOST
           The intermediary SMTP host through which emails are sent.
+          DEPRECATED: Use --email-smarthost instead.
 
 NOTIFICATIONS / EMAIL / EMAIL AUTHENTICATION OPTIONS: 
 Configure SMTP authentication options.
 
       --notifications-email-auth-identity string, $CODER_NOTIFICATIONS_EMAIL_AUTH_IDENTITY
           Identity to use with PLAIN authentication.
+          DEPRECATED: Use --email-auth-identity instead.
 
       --notifications-email-auth-password string, $CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD
           Password to use with PLAIN/LOGIN authentication.
+          DEPRECATED: Use --email-auth-password instead.
 
       --notifications-email-auth-password-file string, $CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD_FILE
           File from which to load password for use with PLAIN/LOGIN
           authentication.
+          DEPRECATED: Use --email-auth-password-file instead.
 
       --notifications-email-auth-username string, $CODER_NOTIFICATIONS_EMAIL_AUTH_USERNAME
           Username to use with PLAIN/LOGIN authentication.
+          DEPRECATED: Use --email-auth-username instead.
 
 NOTIFICATIONS / EMAIL / EMAIL TLS OPTIONS: 
 Configure TLS for your SMTP server target.
 
       --notifications-email-tls-ca-cert-file string, $CODER_NOTIFICATIONS_EMAIL_TLS_CACERTFILE
           CA certificate file to use.
+          DEPRECATED: Use --email-tls-ca-cert-file instead.
 
       --notifications-email-tls-cert-file string, $CODER_NOTIFICATIONS_EMAIL_TLS_CERTFILE
           Certificate file to use.
+          DEPRECATED: Use --email-tls-cert-file instead.
 
       --notifications-email-tls-cert-key-file string, $CODER_NOTIFICATIONS_EMAIL_TLS_CERTKEYFILE
           Certificate key file to use.
+          DEPRECATED: Use --email-tls-cert-key-file instead.
 
       --notifications-email-tls-server-name string, $CODER_NOTIFICATIONS_EMAIL_TLS_SERVERNAME
           Server name to verify against the target certificate.
+          DEPRECATED: Use --email-tls-server-name instead.
 
       --notifications-email-tls-skip-verify bool, $CODER_NOTIFICATIONS_EMAIL_TLS_SKIPVERIFY
           Skip verification of the target server's certificate (insecure).
+          DEPRECATED: Use --email-tls-skip-verify instead.
 
       --notifications-email-tls-starttls bool, $CODER_NOTIFICATIONS_EMAIL_TLS_STARTTLS
           Enable STARTTLS to upgrade insecure SMTP connections using TLS.
+          DEPRECATED: Use --email-tls-starttls instead.
 
 NOTIFICATIONS / WEBHOOK OPTIONS: 
       --notifications-webhook-endpoint url, $CODER_NOTIFICATIONS_WEBHOOK_ENDPOINT
 
@@ -518,6 +518,51 @@ userQuietHoursSchedule:
 # compatibility reasons, this will be removed in a future release.
 # (default: false, type: bool)
 allowWorkspaceRenames: false
+# Configure how emails are sent.
+email:
+  # The sender's address to use.
+  # (default: <unset>, type: string)
+  from: ""
+  # The intermediary SMTP host through which emails are sent.
+  # (default: localhost:587, type: host:port)
+  smarthost: localhost:587
+  # The hostname identifying the SMTP server.
+  # (default: localhost, type: string)
+  hello: localhost
+  # Force a TLS connection to the configured SMTP smarthost.
+  # (default: false, type: bool)
+  forceTLS: false
+  # Configure SMTP authentication options.
+  emailAuth:
+    # Identity to use with PLAIN authentication.
+    # (default: <unset>, type: string)
+    identity: ""
+    # Username to use with PLAIN/LOGIN authentication.
+    # (default: <unset>, type: string)
+    username: ""
+    # File from which to load password for use with PLAIN/LOGIN authentication.
+    # (default: <unset>, type: string)
+    passwordFile: ""
+  # Configure TLS for your SMTP server target.
+  emailTLS:
+    # Enable STARTTLS to upgrade insecure SMTP connections using TLS.
+    # (default: <unset>, type: bool)
+    startTLS: false
+    # Server name to verify against the target certificate.
+    # (default: <unset>, type: string)
+    serverName: ""
+    # Skip verification of the target server's certificate (insecure).
+    # (default: <unset>, type: bool)
+    insecureSkipVerify: false
+    # CA certificate file to use.
+    # (default: <unset>, type: string)
+    caCertFile: ""
+    # Certificate file to use.
+    # (default: <unset>, type: string)
+    certFile: ""
+    # Certificate key file to use.
+    # (default: <unset>, type: string)
+    certKeyFile: ""
 # Configure how notifications are processed and delivered.
 notifications:
   # Which delivery method to use (available options: 'smtp', 'webhook').
@@ -532,13 +577,13 @@ notifications:
     # (default: <unset>, type: string)
     from: ""
     # The intermediary SMTP host through which emails are sent.
-    # (default: localhost:587, type: host:port)
+    # (default: <unset>, type: host:port)
     smarthost: localhost:587
     # The hostname identifying the SMTP server.
-    # (default: localhost, type: string)
+    # (default: <unset>, type: string)
     hello: localhost
     # Force a TLS connection to the configured SMTP smarthost.
-    # (default: false, type: bool)
+    # (default: <unset>, type: bool)
     forceTLS: false
     # Configure SMTP authentication options.
     emailAuth:
Original file line number	Diff line number	Diff line change
`@@ -282,7 +282,7 @@ func (pf templateUploadFlags) stdin(inv serpent.Invocation) (out bool) {`
`282`	`282`	`}`
`283`	`283`	`}()`
`284`	`284`	`// We let the directory override our isTTY check`
`285`		`- return pf.directory == "-" \|\| (!isTTYIn(inv) && pf.directory == "")`
	`285`	`+ return pf.directory == "-" \|\| (!isTTYIn(inv) && pf.directory == ".")`
`286`	`286`	`}`
`287`	`287`
`288`	`288`	`func (pf templateUploadFlags) upload(inv serpent.Invocation, client codersdk.Client) (codersdk.UploadResponse, error) {`