coder
diff --git a/‎.editorconfig
Lines changed: 1 addition & 1 deletion b/‎.editorconfig
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 35 additions & 33 deletions b/‎.github/workflows/ci.yaml
Lines changed: 35 additions & 33 deletions
diff --git a/‎.github/workflows/contrib.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/contrib.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/dogfood.yaml
Lines changed: 12 additions & 1 deletion b/‎.github/workflows/dogfood.yaml
Lines changed: 12 additions & 1 deletion
diff --git a/‎.github/workflows/meticulous.yaml
Lines changed: 0 additions & 46 deletions b/‎.github/workflows/meticulous.yaml
Lines changed: 0 additions & 46 deletions
diff --git a/‎agent/agent.go
Lines changed: 1 addition & 1 deletion b/‎agent/agent.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎agent/agentssh/agentssh.go
Lines changed: 8 additions & 7 deletions b/‎agent/agentssh/agentssh.go
Lines changed: 8 additions & 7 deletions
@@ -7,7 +7,7 @@ trim_trailing_whitespace = true
 insert_final_newline = true
 indent_style = tab
 
-[*.{md,yaml,yml,tf,tfvars,nix}]
+[*.{yaml,yml,tf,tfvars,nix}]
 indent_style = space
 indent_size = 2
 
 
@@ -117,38 +117,40 @@ jobs:
         run: |
           echo "${{ toJSON(steps.filter )}}"
 
-  update-flake:
-    needs: changes
-    if: needs.changes.outputs.gomod == 'true'
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
-          token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
-
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
-
-      - name: Update Nix Flake SRI Hash
-        run: ./scripts/update-flake.sh
-
-      # auto update flake for dependabot
-      - uses: stefanzweifel/git-auto-commit-action@v5
-        if: github.actor == 'dependabot[bot]'
-        with:
-          # Allows dependabot to still rebase!
-          commit_message: "[dependabot skip] Update Nix Flake SRI Hash"
-          commit_user_name: "dependabot[bot]"
-          commit_user_email: "49699333+dependabot[bot]@users.noreply.github.com>"
-          commit_author: "dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>"
-
-      # require everyone else to update it themselves
-      - name: Ensure No Changes
-        if: github.actor != 'dependabot[bot]'
-        run: git diff --exit-code
+  # Disabled due to instability. See: https://github.com/coder/coder/issues/14553
+  # Re-enable once the flake hash calculation is stable.
+  # update-flake:
+  #   needs: changes
+  #   if: needs.changes.outputs.gomod == 'true'
+  #   runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+  #   steps:
+  #     - name: Checkout
+  #       uses: actions/checkout@v4
+  #       with:
+  #         fetch-depth: 1
+  #         # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
+  #         token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
+
+  #     - name: Setup Go
+  #       uses: ./.github/actions/setup-go
+
+  #     - name: Update Nix Flake SRI Hash
+  #       run: ./scripts/update-flake.sh
+
+  #     # auto update flake for dependabot
+  #     - uses: stefanzweifel/git-auto-commit-action@v5
+  #       if: github.actor == 'dependabot[bot]'
+  #       with:
+  #         # Allows dependabot to still rebase!
+  #         commit_message: "[dependabot skip] Update Nix Flake SRI Hash"
+  #         commit_user_name: "dependabot[bot]"
+  #         commit_user_email: "49699333+dependabot[bot]@users.noreply.github.com>"
+  #         commit_author: "dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>"
+
+  #     # require everyone else to update it themselves
+  #     - name: Ensure No Changes
+  #       if: github.actor != 'dependabot[bot]'
+  #       run: git diff --exit-code
 
   lint:
     needs: changes
@@ -184,7 +186,7 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@v1.23.6
+        uses: crate-ci/typos@v1.24.3
         with:
           config: .github/workflows/typos.toml
 
 
@@ -34,7 +34,7 @@ jobs:
     steps:
       - name: cla
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.4.0
+        uses: contributor-assistant/github-action@v2.5.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # the below token should have repo scope and must be manually added by you in the repository's secret
 
@@ -17,6 +17,10 @@ on:
       - "flake.nix"
   workflow_dispatch:
 
+permissions:
+  # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+  id-token: write
+
 jobs:
   build_image:
     if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs
@@ -85,6 +89,12 @@ jobs:
       - name: Setup Terraform
         uses: ./.github/actions/setup-tf
 
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github
+          service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com
+
       - name: Terraform init and validate
         run: |
           cd dogfood
@@ -110,11 +120,12 @@ jobs:
           cd dogfood
           terraform apply -auto-approve
         env:
-          # Consumed by Coder CLI
+          # Consumed by coderd provider
           CODER_URL: https://dev.coder.com
           CODER_SESSION_TOKEN: ${{ secrets.CODER_SESSION_TOKEN }}
           # Template source & details
           TF_VAR_CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }}
           TF_VAR_CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }}
           TF_VAR_CODER_TEMPLATE_DIR: ./contents
           TF_VAR_CODER_TEMPLATE_MESSAGE: ${{ steps.message.outputs.pr_title }}
+          TF_LOG: info
@@ -1787,7 +1787,7 @@ func (a *agent) HandleHTTPDebugLogs(w http.ResponseWriter, r *http.Request) {
 	}
 	defer f.Close()
 
-	// Limit to 10MB.
+	// Limit to 10MiB.
 	w.WriteHeader(http.StatusOK)
 	_, err = io.Copy(w, io.LimitReader(f, 10*1024*1024))
 	if err != nil && !errors.Is(err, io.EOF) {
 
@@ -79,9 +79,9 @@ type Config struct {
 	// where users will land when they connect via SSH. Default is the home
 	// directory of the user.
 	WorkingDirectory func() string
-	// X11SocketDir is the directory where X11 sockets are created. Default is
-	// /tmp/.X11-unix.
-	X11SocketDir string
+	// X11DisplayOffset is the offset to add to the X11 display number.
+	// Default is 10.
+	X11DisplayOffset *int
 	// BlockFileTransfer restricts use of file transfer applications.
 	BlockFileTransfer bool
 }
@@ -124,8 +124,9 @@ func NewServer(ctx context.Context, logger slog.Logger, prometheusRegistry *prom
 	if config == nil {
 		config = &Config{}
 	}
-	if config.X11SocketDir == "" {
-		config.X11SocketDir = filepath.Join(os.TempDir(), ".X11-unix")
+	if config.X11DisplayOffset == nil {
+		offset := X11DefaultDisplayOffset
+		config.X11DisplayOffset = &offset
 	}
 	if config.UpdateEnv == nil {
 		config.UpdateEnv = func(current []string) ([]string, error) { return current, nil }
@@ -273,13 +274,13 @@ func (s *Server) sessionHandler(session ssh.Session) {
 	extraEnv := make([]string, 0)
 	x11, hasX11 := session.X11()
 	if hasX11 {
-		handled := s.x11Handler(session.Context(), x11)
+		display, handled := s.x11Handler(session.Context(), x11)
 		if !handled {
 			_ = session.Exit(1)
 			logger.Error(ctx, "x11 handler failed")
 			return
 		}
-		extraEnv = append(extraEnv, fmt.Sprintf("DISPLAY=:%d.0", x11.ScreenNumber))
+		extraEnv = append(extraEnv, fmt.Sprintf("DISPLAY=localhost:%d.%d", display, x11.ScreenNumber))
 	}
 
 	if s.fileTransferBlocked(session) {
Original file line number	Diff line number	Diff line change
`@@ -1787,7 +1787,7 @@ func (a agent) HandleHTTPDebugLogs(w http.ResponseWriter, r http.Request) {`
`1787`	`1787`	`}`
`1788`	`1788`	`defer f.Close()`
`1789`	`1789`
`1790`		`- // Limit to 10MB.`
	`1790`	`+ // Limit to 10MiB.`
`1791`	`1791`	`w.WriteHeader(http.StatusOK)`
`1792`	`1792`	`_, err = io.Copy(w, io.LimitReader(f, 1010241024))`
`1793`	`1793`	`if err != nil && !errors.Is(err, io.EOF) {`