coder
diff --git a/‎.gitattributes
Lines changed: 3 additions & 0 deletions b/‎.gitattributes
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/actions/setup-node/action.yaml
Lines changed: 8 additions & 2 deletions b/‎.github/actions/setup-node/action.yaml
Lines changed: 8 additions & 2 deletions
diff --git a/‎.github/actions/setup-sqlc/action.yaml
Lines changed: 10 additions & 0 deletions b/‎.github/actions/setup-sqlc/action.yaml
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 70 additions & 5 deletions b/‎.github/workflows/ci.yaml
Lines changed: 70 additions & 5 deletions
diff --git a/‎.github/workflows/pr-deploy.yaml
Lines changed: 14 additions & 7 deletions b/‎.github/workflows/pr-deploy.yaml
Lines changed: 14 additions & 7 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/security.yaml
Lines changed: 1 addition & 3 deletions b/‎.github/workflows/security.yaml
Lines changed: 1 addition & 3 deletions
diff --git a/‎Makefile
Lines changed: 6 additions & 1 deletion b/‎Makefile
Lines changed: 6 additions & 1 deletion
diff --git a/‎cli/clistat/cgroup.go
Lines changed: 1 addition & 1 deletion b/‎cli/clistat/cgroup.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/clistat/container.go
Lines changed: 11 additions & 2 deletions b/‎cli/clistat/container.go
Lines changed: 11 additions & 2 deletions
diff --git a/‎cli/dotfiles.go
Lines changed: 12 additions & 0 deletions b/‎cli/dotfiles.go
Lines changed: 12 additions & 0 deletions
diff --git a/‎cli/server.go
Lines changed: 3 additions & 0 deletions b/‎cli/server.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions b/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 14 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 14 additions & 0 deletions
diff --git a/‎cli/testdata/coder_users_list_--output_json.golden
Lines changed: 4 additions & 2 deletions b/‎cli/testdata/coder_users_list_--output_json.golden
Lines changed: 4 additions & 2 deletions
@@ -1,5 +1,7 @@
 # Generated files
 coderd/apidoc/docs.go linguist-generated=true
+docs/api/*.md linguist-generated=true
+docs/cli/*.md linguist-generated=true
 coderd/apidoc/swagger.json linguist-generated=true
 coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
@@ -9,3 +11,4 @@ provisionersdk/proto/*.go linguist-generated=true
 *.tfstate.json linguist-generated=true
 *.tfstate.dot linguist-generated=true
 *.tfplan.dot linguist-generated=true
+
@@ -1,6 +1,12 @@
 name: "Setup Node"
 description: |
   Sets up the node environment for tests, builds, etc.
+inputs:
+  directory:
+    description: |
+      The directory to run the setup in.
+    required: false
+    default: "site"
 runs:
   using: "composite"
   steps:
@@ -10,8 +16,8 @@ runs:
         node-version: 16.20.1
         # See https://github.com/actions/setup-node#caching-global-packages-data
         cache: "yarn"
-        cache-dependency-path: "site/yarn.lock"
+        cache-dependency-path: ${{ inputs.directory }}/yarn.lock
     - name: Install node_modules
       shell: bash
       run: ../scripts/yarn_install.sh
-      working-directory: site
+      working-directory: ${{ inputs.directory }}
@@ -0,0 +1,10 @@
+name: Setup sqlc
+description: |
+  Sets up the sqlc environment for tests, builds, etc.
+runs:
+  using: "composite"
+  steps:
+    - name: Setup sqlc
+      uses: sqlc-dev/setup-sqlc@v3
+      with:
+        sqlc-version: "1.19.1"
@@ -35,6 +35,8 @@ jobs:
       ts: ${{ steps.filter.outputs.ts }}
       k8s: ${{ steps.filter.outputs.k8s }}
       ci: ${{ steps.filter.outputs.ci }}
+      offlinedocs-only: ${{ steps.filter.outputs.offlinedocs_count == steps.filter.outputs.all_count }}
+      offlinedocs: ${{ steps.filter.outputs.offlinedocs }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -85,7 +87,6 @@ jobs:
             ts:
               - "site/**"
               - "Makefile"
-              - "offlinedocs/**"
             k8s:
               - "helm/**"
               - "scripts/Dockerfile"
@@ -94,11 +95,16 @@ jobs:
             ci:
               - ".github/actions/**"
               - ".github/workflows/ci.yaml"
+            offlinedocs:
+              - "offlinedocs/**"
+
       - id: debug
         run: |
           echo "${{ toJSON(steps.filter )}}"
 
   lint:
+    needs: changes
+    if: needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
     steps:
       - name: Checkout
@@ -164,9 +170,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Setup sqlc
-        uses: sqlc-dev/setup-sqlc@v3
-        with:
-          sqlc-version: "1.19.1"
+        uses: ./.github/actions/setup-sqlc
 
       - name: go install tools
         run: |
@@ -196,6 +200,8 @@ jobs:
         run: ./scripts/check_unstaged.sh
 
   fmt:
+    needs: changes
+    if: needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
     timeout-minutes: 5
     steps:
@@ -592,9 +598,68 @@ jobs:
           projectToken: 695c25b6cb65
           workingDir: "./site"
 
+  offlinedocs:
+    name: offlinedocs
+    needs: changes
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    if: needs.changes.outputs.offlinedocs == 'true' || needs.changes.outputs.ci == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: ./.github/actions/setup-node
+        with:
+          directory: offlinedocs
+
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+
+      - name: Install go tools
+        run: |
+          go install github.com/golang/mock/mockgen@v1.6.0
+
+      - name: Setup sqlc
+        uses: sqlc-dev/setup-sqlc@v3
+        with:
+          sqlc-version: "1.19.1"
+
+      - name: Install dependencies
+        run: |
+          cd offlinedocs
+          yarn
+          # Install prettier globally
+          prettier_version=$(jq -r '.devDependencies.prettier' < package.json)
+          yarn global add "prettier@${prettier_version}"
+
+      - name: Format
+        run: |
+          cd offlinedocs
+          yarn format:check
+
+      - name: Lint
+        run: |
+          cd offlinedocs
+          yarn lint
+
+      - name: Build
+        run: |
+          version="$(./scripts/version.sh)"
+          make -j build/coder_docs_"$version".tgz
+
   required:
     runs-on: ubuntu-latest
-    needs: [fmt, lint, gen, test-go, test-go-pg, test-go-race, test-js]
+    needs:
+      - fmt
+      - lint
+      - gen
+      - test-go
+      - test-go-pg
+      - test-go-race
+      - test-js
+      - offlinedocs
     # Allow this job to run even if the needed jobs fail, are skipped or
     # cancelled.
     if: always()
 
@@ -2,6 +2,7 @@
 name: Deploy PR
 on:
   issue_comment:
+    types: [created, edited]
   workflow_dispatch:
     inputs:
       pr_number:
@@ -97,9 +98,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Setup sqlc
-        uses: sqlc-dev/setup-sqlc@v3
-        with:
-          sqlc-version: "1.19.1"
+        uses: ./.github/actions/setup-sqlc
 
       - name: GHCR Login
         uses: docker/login-action@v2
@@ -137,32 +136,33 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: "Set up kubeconfig"
+      - name: Set up kubeconfig
         run: |
           set -euxo pipefail
           mkdir -p ~/.kube
           echo "${{ secrets.DELIVERYBOT_KUBECONFIG }}" > ~/.kube/config
           export KUBECONFIG=~/.kube/config
 
-      - name: "Create PR namespace"
+      - name: Create PR namespace
         run: |
           set -euxo pipefail
           # try to delete the namespace, but don't fail if it doesn't exist
           kubectl delete namespace "pr${{ env.PR_NUMBER }}" || true
           kubectl create namespace "pr${{ env.PR_NUMBER }}"
 
-      - name: "Install Helm chart"
+      - name: Install Helm chart
         run: |
           helm upgrade --install pr${{ env.PR_NUMBER }}  ./helm \
           --namespace "pr${{ env.PR_NUMBER }}" \
           --set coder.image.repo=${{ env.REPO }} \
           --set coder.image.tag=pr${{ env.PR_NUMBER }} \
           --set coder.service.type=ClusterIP \
+          --set coder.serviceAccount.enableDeployments=true \
           --set coder.env[0].name=CODER_ACCESS_URL \
           --set coder.env[0].value="" \
           --force
 
-      - name: "Get deployment URL"
+      - name: Get deployment URL
         id: deployment_url
         run: |
           set -euo pipefail
@@ -172,6 +172,13 @@ jobs:
           echo "::add-mask::$CODER_ACCESS_URL"
           echo "CODER_ACCESS_URL=$CODER_ACCESS_URL" >> $GITHUB_OUTPUT
 
+      - name: Install coder-logstream-kube
+        run: |
+          helm repo add coder-logstream-kube https://helm.coder.com/logstream-kube
+          helm install coder-logstream-kube coder-logstream-kube/coder-logstream-kube \
+            --namespace "pr${{ env.PR_NUMBER }}" \
+            --set url="${{ steps.deployment_url.outputs.CODER_ACCESS_URL }}"
+
       - name: Send Slack notification
         run: |
           curl -s -o /dev/null -X POST -H 'Content-type: application/json' \
 
@@ -76,7 +76,7 @@ jobs:
           set -euo pipefail
           ref=HEAD
           old_version="$(git describe --abbrev=0 "$ref^1")"
-          version="$(./scripts/version.sh)"
+          version="v$(./scripts/version.sh)"
 
           # Generate notes.
           release_notes_file="$(mktemp -t release_notes.XXXXXX)"
 
@@ -81,9 +81,7 @@ jobs:
             js-${{ runner.os }}-
 
       - name: Setup sqlc
-        uses: sqlc-dev/setup-sqlc@v3
-        with:
-          sqlc-version: "1.19.1"
+        uses: ./.github/actions/setup-sqlc
 
       - name: Install yq
         run: go run github.com/mikefarah/yq/v4@v4.30.6
 
@@ -410,9 +410,14 @@ else
 endif
 .PHONY: fmt/shfmt
 
-lint: lint/shellcheck lint/go lint/ts lint/helm
+lint: lint/shellcheck lint/go lint/ts lint/helm lint/site-icons
 .PHONY: lint
 
+lint/site-icons:
+	./scripts/check_site_icons.sh
+
+.PHONY: lint/site-icons
+
 lint/ts:
 	cd site
 	yarn && yarn lint
 
@@ -338,7 +338,7 @@ func readInt64Prefix(fs afero.Fs, path, prefix string) (int64, error) {
 
 	scn := bufio.NewScanner(bytes.NewReader(data))
 	for scn.Scan() {
-		line := scn.Text()
+		line := strings.TrimSpace(scn.Text())
 		if !strings.HasPrefix(line, prefix) {
 			continue
 		}
 
@@ -10,8 +10,9 @@ import (
 )
 
 const (
-	procMounts    = "/proc/mounts"
-	procOneCgroup = "/proc/1/cgroup"
+	procMounts                           = "/proc/mounts"
+	procOneCgroup                        = "/proc/1/cgroup"
+	kubernetesDefaultServiceAccountToken = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec
 )
 
 // IsContainerized returns whether the host is containerized.
@@ -38,6 +39,14 @@ func IsContainerized(fs afero.Fs) (ok bool, err error) {
 		}
 	}
 
+	// Sometimes the above method of sniffing /proc/1/cgroup isn't reliable.
+	// If a Kubernetes service account token is present, that's
+	// also a good indication that we are in a container.
+	_, err = afero.ReadFile(fs, kubernetesDefaultServiceAccountToken)
+	if err == nil {
+		return true, nil
+	}
+
 	// Last-ditch effort to detect Sysbox containers.
 	// Check if we have anything mounted as type sysboxfs in /proc/mounts
 	mountsData, err := afero.ReadFile(fs, procMounts)
 
@@ -193,6 +193,18 @@ func (r *RootCmd) dotfiles() *clibase.Cmd {
 				}
 
 				_, _ = fmt.Fprintf(inv.Stdout, "Running %s...\n", script)
+
+				// Check if the script is executable and notify on error
+				scriptPath := filepath.Join(dotfilesDir, script)
+				fi, err := os.Stat(scriptPath)
+				if err != nil {
+					return xerrors.Errorf("stat %s: %w", scriptPath, err)
+				}
+
+				if fi.Mode()&0o111 == 0 {
+					return xerrors.Errorf("script %q is not executable. See https://coder.com/docs/v2/latest/dotfiles for information on how to resolve the issue.", script)
+				}
+
 				// it is safe to use a variable command here because it's from
 				// a filtered list of pre-approved install scripts
 				// nolint:gosec
 
@@ -596,6 +596,9 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					IgnoreUserInfo:      cfg.OIDC.IgnoreUserInfo.Value(),
 					GroupField:          cfg.OIDC.GroupField.String(),
 					GroupMapping:        cfg.OIDC.GroupMapping.Value,
+					UserRoleField:       cfg.OIDC.UserRoleField.String(),
+					UserRoleMapping:     cfg.OIDC.UserRoleMapping.Value,
+					UserRolesDefault:    cfg.OIDC.UserRolesDefault.GetSlice(),
 					SignInText:          cfg.OIDC.SignInText.String(),
 					IconURL:             cfg.OIDC.IconURL.String(),
 					IgnoreEmailVerified: cfg.OIDC.IgnoreEmailVerified.Value(),
 
@@ -1095,6 +1095,8 @@ func TestServer(t *testing.T) {
 			require.False(t, deploymentConfig.Values.OIDC.IgnoreUserInfo.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupField.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupMapping.Value)
+			require.Empty(t, deploymentConfig.Values.OIDC.UserRoleField.Value())
+			require.Empty(t, deploymentConfig.Values.OIDC.UserRoleMapping.Value)
 			require.Equal(t, "OpenID Connect", deploymentConfig.Values.OIDC.SignInText.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.IconURL.Value())
 		})
 
@@ -337,6 +337,20 @@ can safely ignore these settings.
       --oidc-scopes string-array, $CODER_OIDC_SCOPES (default: openid,profile,email)
           Scopes to grant when authenticating with OIDC.
 
+      --oidc-user-role-default string-array, $CODER_OIDC_USER_ROLE_DEFAULT
+          If user role sync is enabled, these roles are always included for all
+          authenticated users. The 'member' role is always assigned.
+
+      --oidc-user-role-field string, $CODER_OIDC_USER_ROLE_FIELD
+          This field must be set if using the user roles sync feature. Set this
+          to the name of the claim used to store the user's role. The roles
+          should be sent as an array of strings.
+
+      --oidc-user-role-mapping struct[map[string][]string], $CODER_OIDC_USER_ROLE_MAPPING (default: {})
+          A map of the OIDC passed in user roles and the groups in Coder it
+          should map to. This is useful if the group names do not match. If
+          mapped to the empty string, the role will ignored.
+
       --oidc-username-field string, $CODER_OIDC_USERNAME_FIELD (default: preferred_username)
           OIDC claim field to use as the username.
 
 
@@ -15,7 +15,8 @@
         "display_name": "Owner"
       }
     ],
-    "avatar_url": ""
+    "avatar_url": "",
+    "login_type": "password"
   },
   {
     "id": "[second user ID]",
@@ -28,6 +29,7 @@
       "[first org ID]"
     ],
     "roles": [],
-    "avatar_url": ""
+    "avatar_url": "",
+    "login_type": "password"
   }
 ]
Original file line number	Diff line number	Diff line change
`@@ -338,7 +338,7 @@ func readInt64Prefix(fs afero.Fs, path, prefix string) (int64, error) {`
`338`	`338`
`339`	`339`	`scn := bufio.NewScanner(bytes.NewReader(data))`
`340`	`340`	`for scn.Scan() {`
`341`		`- line := scn.Text()`
	`341`	`+ line := strings.TrimSpace(scn.Text())`
`342`	`342`	`if !strings.HasPrefix(line, prefix) {`
`343`	`343`	`continue`
`344`	`344`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,9 @@ import (`
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`const (`
`13`		`- procMounts = "/proc/mounts"`
`14`		`- procOneCgroup = "/proc/1/cgroup"`
	`13`	`+ procMounts = "/proc/mounts"`
	`14`	`+ procOneCgroup = "/proc/1/cgroup"`
	`15`	`+ kubernetesDefaultServiceAccountToken = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec`
`15`	`16`	`)`
`16`	`17`
`17`	`18`	`// IsContainerized returns whether the host is containerized.`
`@@ -38,6 +39,14 @@ func IsContainerized(fs afero.Fs) (ok bool, err error) {`
`38`	`39`	`}`
`39`	`40`	`}`
`40`	`41`
	`42`	`+ // Sometimes the above method of sniffing /proc/1/cgroup isn't reliable.`
	`43`	`+ // If a Kubernetes service account token is present, that's`
	`44`	`+ // also a good indication that we are in a container.`
	`45`	`+ _, err = afero.ReadFile(fs, kubernetesDefaultServiceAccountToken)`
	`46`	`+ if err == nil {`
	`47`	`+ return true, nil`
	`48`	`+ }`
	`49`	`+`
`41`	`50`	`// Last-ditch effort to detect Sysbox containers.`
`42`	`51`	`// Check if we have anything mounted as type sysboxfs in /proc/mounts`
`43`	`52`	`mountsData, err := afero.ReadFile(fs, procMounts)`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,8 @@`
`15`	`15`	`"display_name": "Owner"`
`16`	`16`	`}`
`17`	`17`	`],`
`18`		`- "avatar_url": ""`
	`18`	`+ "avatar_url": "",`
	`19`	`+ "login_type": "password"`
`19`	`20`	`},`
`20`	`21`	`{`
`21`	`22`	`"id": "[second user ID]",`
`@@ -28,6 +29,7 @@`
`28`	`29`	`"[first org ID]"`
`29`	`30`	`],`
`30`	`31`	`"roles": [],`
`31`		`- "avatar_url": ""`
	`32`	`+ "avatar_url": "",`
	`33`	`+ "login_type": "password"`
`32`	`34`	`}`
`33`	`35`	`]`