coder
diff --git a/‎.gitattributes
Lines changed: 3 additions & 0 deletions b/‎.gitattributes
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/actions/setup-node/action.yaml
Lines changed: 8 additions & 2 deletions b/‎.github/actions/setup-node/action.yaml
Lines changed: 8 additions & 2 deletions
diff --git a/‎.github/actions/setup-sqlc/action.yaml
Lines changed: 10 additions & 0 deletions b/‎.github/actions/setup-sqlc/action.yaml
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 70 additions & 5 deletions b/‎.github/workflows/ci.yaml
Lines changed: 70 additions & 5 deletions
diff --git a/‎.github/workflows/pr-deploy.yaml
Lines changed: 14 additions & 7 deletions b/‎.github/workflows/pr-deploy.yaml
Lines changed: 14 additions & 7 deletions
diff --git a/‎.github/workflows/security.yaml
Lines changed: 1 addition & 3 deletions b/‎.github/workflows/security.yaml
Lines changed: 1 addition & 3 deletions
diff --git a/‎Makefile
Lines changed: 6 additions & 1 deletion b/‎Makefile
Lines changed: 6 additions & 1 deletion
diff --git a/‎cli/dotfiles.go
Lines changed: 12 additions & 0 deletions b/‎cli/dotfiles.go
Lines changed: 12 additions & 0 deletions
diff --git a/‎cli/portforward.go
Lines changed: 1 addition & 1 deletion b/‎cli/portforward.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/server.go
Lines changed: 3 additions & 0 deletions b/‎cli/server.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions b/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎cli/testdata/coder_--help.golden
Lines changed: 1 addition & 2 deletions b/‎cli/testdata/coder_--help.golden
Lines changed: 1 addition & 2 deletions
diff --git a/‎cli/testdata/coder_port-forward_--help.golden
Lines changed: 2 additions & 2 deletions b/‎cli/testdata/coder_port-forward_--help.golden
Lines changed: 2 additions & 2 deletions
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 14 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 14 additions & 0 deletions
diff --git a/‎cli/testdata/coder_users_list_--output_json.golden
Lines changed: 4 additions & 2 deletions b/‎cli/testdata/coder_users_list_--output_json.golden
Lines changed: 4 additions & 2 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 14 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 14 additions & 0 deletions
@@ -1,5 +1,7 @@
 # Generated files
 coderd/apidoc/docs.go linguist-generated=true
+docs/api/*.md linguist-generated=true
+docs/cli/*.md linguist-generated=true
 coderd/apidoc/swagger.json linguist-generated=true
 coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
@@ -9,3 +11,4 @@ provisionersdk/proto/*.go linguist-generated=true
 *.tfstate.json linguist-generated=true
 *.tfstate.dot linguist-generated=true
 *.tfplan.dot linguist-generated=true
+
@@ -1,6 +1,12 @@
 name: "Setup Node"
 description: |
   Sets up the node environment for tests, builds, etc.
+inputs:
+  directory:
+    description: |
+      The directory to run the setup in.
+    required: false
+    default: "site"
 runs:
   using: "composite"
   steps:
@@ -10,8 +16,8 @@ runs:
         node-version: 16.20.1
         # See https://github.com/actions/setup-node#caching-global-packages-data
         cache: "yarn"
-        cache-dependency-path: "site/yarn.lock"
+        cache-dependency-path: ${{ inputs.directory }}/yarn.lock
     - name: Install node_modules
       shell: bash
       run: ../scripts/yarn_install.sh
-      working-directory: site
+      working-directory: ${{ inputs.directory }}
@@ -0,0 +1,10 @@
+name: Setup sqlc
+description: |
+  Sets up the sqlc environment for tests, builds, etc.
+runs:
+  using: "composite"
+  steps:
+    - name: Setup sqlc
+      uses: sqlc-dev/setup-sqlc@v3
+      with:
+        sqlc-version: "1.19.1"
@@ -35,6 +35,8 @@ jobs:
       ts: ${{ steps.filter.outputs.ts }}
       k8s: ${{ steps.filter.outputs.k8s }}
       ci: ${{ steps.filter.outputs.ci }}
+      offlinedocs-only: ${{ steps.filter.outputs.offlinedocs_count == steps.filter.outputs.all_count }}
+      offlinedocs: ${{ steps.filter.outputs.offlinedocs }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -85,7 +87,6 @@ jobs:
             ts:
               - "site/**"
               - "Makefile"
-              - "offlinedocs/**"
             k8s:
               - "helm/**"
               - "scripts/Dockerfile"
@@ -94,11 +95,16 @@ jobs:
             ci:
               - ".github/actions/**"
               - ".github/workflows/ci.yaml"
+            offlinedocs:
+              - "offlinedocs/**"
+
       - id: debug
         run: |
           echo "${{ toJSON(steps.filter )}}"
 
   lint:
+    needs: changes
+    if: needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
     steps:
       - name: Checkout
@@ -164,9 +170,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Setup sqlc
-        uses: sqlc-dev/setup-sqlc@v3
-        with:
-          sqlc-version: "1.19.1"
+        uses: ./.github/actions/setup-sqlc
 
       - name: go install tools
         run: |
@@ -196,6 +200,8 @@ jobs:
         run: ./scripts/check_unstaged.sh
 
   fmt:
+    needs: changes
+    if: needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
     timeout-minutes: 5
     steps:
@@ -592,9 +598,68 @@ jobs:
           projectToken: 695c25b6cb65
           workingDir: "./site"
 
+  offlinedocs:
+    name: offlinedocs
+    needs: changes
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    if: needs.changes.outputs.offlinedocs == 'true' || needs.changes.outputs.ci == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: ./.github/actions/setup-node
+        with:
+          directory: offlinedocs
+
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+
+      - name: Install go tools
+        run: |
+          go install github.com/golang/mock/mockgen@v1.6.0
+
+      - name: Setup sqlc
+        uses: sqlc-dev/setup-sqlc@v3
+        with:
+          sqlc-version: "1.19.1"
+
+      - name: Install dependencies
+        run: |
+          cd offlinedocs
+          yarn
+          # Install prettier globally
+          prettier_version=$(jq -r '.devDependencies.prettier' < package.json)
+          yarn global add "prettier@${prettier_version}"
+
+      - name: Format
+        run: |
+          cd offlinedocs
+          yarn format:check
+
+      - name: Lint
+        run: |
+          cd offlinedocs
+          yarn lint
+
+      - name: Build
+        run: |
+          version="$(./scripts/version.sh)"
+          make -j build/coder_docs_"$version".tgz
+
   required:
     runs-on: ubuntu-latest
-    needs: [fmt, lint, gen, test-go, test-go-pg, test-go-race, test-js]
+    needs:
+      - fmt
+      - lint
+      - gen
+      - test-go
+      - test-go-pg
+      - test-go-race
+      - test-js
+      - offlinedocs
     # Allow this job to run even if the needed jobs fail, are skipped or
     # cancelled.
     if: always()
 
@@ -2,6 +2,7 @@
 name: Deploy PR
 on:
   issue_comment:
+    types: [created, edited]
   workflow_dispatch:
     inputs:
       pr_number:
@@ -97,9 +98,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Setup sqlc
-        uses: sqlc-dev/setup-sqlc@v3
-        with:
-          sqlc-version: "1.19.1"
+        uses: ./.github/actions/setup-sqlc
 
       - name: GHCR Login
         uses: docker/login-action@v2
@@ -137,32 +136,33 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: "Set up kubeconfig"
+      - name: Set up kubeconfig
         run: |
           set -euxo pipefail
           mkdir -p ~/.kube
           echo "${{ secrets.DELIVERYBOT_KUBECONFIG }}" > ~/.kube/config
           export KUBECONFIG=~/.kube/config
 
-      - name: "Create PR namespace"
+      - name: Create PR namespace
         run: |
           set -euxo pipefail
           # try to delete the namespace, but don't fail if it doesn't exist
           kubectl delete namespace "pr${{ env.PR_NUMBER }}" || true
           kubectl create namespace "pr${{ env.PR_NUMBER }}"
 
-      - name: "Install Helm chart"
+      - name: Install Helm chart
         run: |
           helm upgrade --install pr${{ env.PR_NUMBER }}  ./helm \
           --namespace "pr${{ env.PR_NUMBER }}" \
           --set coder.image.repo=${{ env.REPO }} \
           --set coder.image.tag=pr${{ env.PR_NUMBER }} \
           --set coder.service.type=ClusterIP \
+          --set coder.serviceAccount.enableDeployments=true \
           --set coder.env[0].name=CODER_ACCESS_URL \
           --set coder.env[0].value="" \
           --force
 
-      - name: "Get deployment URL"
+      - name: Get deployment URL
         id: deployment_url
         run: |
           set -euo pipefail
@@ -172,6 +172,13 @@ jobs:
           echo "::add-mask::$CODER_ACCESS_URL"
           echo "CODER_ACCESS_URL=$CODER_ACCESS_URL" >> $GITHUB_OUTPUT
 
+      - name: Install coder-logstream-kube
+        run: |
+          helm repo add coder-logstream-kube https://helm.coder.com/logstream-kube
+          helm install coder-logstream-kube coder-logstream-kube/coder-logstream-kube \
+            --namespace "pr${{ env.PR_NUMBER }}" \
+            --set url="${{ steps.deployment_url.outputs.CODER_ACCESS_URL }}"
+
       - name: Send Slack notification
         run: |
           curl -s -o /dev/null -X POST -H 'Content-type: application/json' \
 
@@ -81,9 +81,7 @@ jobs:
             js-${{ runner.os }}-
 
       - name: Setup sqlc
-        uses: sqlc-dev/setup-sqlc@v3
-        with:
-          sqlc-version: "1.19.1"
+        uses: ./.github/actions/setup-sqlc
 
       - name: Install yq
         run: go run github.com/mikefarah/yq/v4@v4.30.6
 
@@ -410,9 +410,14 @@ else
 endif
 .PHONY: fmt/shfmt
 
-lint: lint/shellcheck lint/go lint/ts lint/helm
+lint: lint/shellcheck lint/go lint/ts lint/helm lint/site-icons
 .PHONY: lint
 
+lint/site-icons:
+	./scripts/check_site_icons.sh
+
+.PHONY: lint/site-icons
+
 lint/ts:
 	cd site
 	yarn && yarn lint
 
@@ -193,6 +193,18 @@ func (r *RootCmd) dotfiles() *clibase.Cmd {
 				}
 
 				_, _ = fmt.Fprintf(inv.Stdout, "Running %s...\n", script)
+
+				// Check if the script is executable and notify on error
+				scriptPath := filepath.Join(dotfilesDir, script)
+				fi, err := os.Stat(scriptPath)
+				if err != nil {
+					return xerrors.Errorf("stat %s: %w", scriptPath, err)
+				}
+
+				if fi.Mode()&0o111 == 0 {
+					return xerrors.Errorf("script %q is not executable. See https://coder.com/docs/v2/latest/dotfiles for information on how to resolve the issue.", script)
+				}
+
 				// it is safe to use a variable command here because it's from
 				// a filtered list of pre-approved install scripts
 				// nolint:gosec
 
@@ -32,7 +32,7 @@ func (r *RootCmd) portForward() *clibase.Cmd {
 	client := new(codersdk.Client)
 	cmd := &clibase.Cmd{
 		Use:     "port-forward <workspace>",
-		Short:   `Forward ports from a workspace to the local machine. Forward ports from a workspace to the local machine. For reverse port forwarding, use "coder ssh -R".`,
+		Short:   `Forward ports from a workspace to the local machine. For reverse port forwarding, use "coder ssh -R".`,
 		Aliases: []string{"tunnel"},
 		Long: formatExamples(
 			example{
 
@@ -596,6 +596,9 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					IgnoreUserInfo:      cfg.OIDC.IgnoreUserInfo.Value(),
 					GroupField:          cfg.OIDC.GroupField.String(),
 					GroupMapping:        cfg.OIDC.GroupMapping.Value,
+					UserRoleField:       cfg.OIDC.UserRoleField.String(),
+					UserRoleMapping:     cfg.OIDC.UserRoleMapping.Value,
+					UserRolesDefault:    cfg.OIDC.UserRolesDefault.GetSlice(),
 					SignInText:          cfg.OIDC.SignInText.String(),
 					IconURL:             cfg.OIDC.IconURL.String(),
 					IgnoreEmailVerified: cfg.OIDC.IgnoreEmailVerified.Value(),
 
@@ -1095,6 +1095,8 @@ func TestServer(t *testing.T) {
 			require.False(t, deploymentConfig.Values.OIDC.IgnoreUserInfo.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupField.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupMapping.Value)
+			require.Empty(t, deploymentConfig.Values.OIDC.UserRoleField.Value())
+			require.Empty(t, deploymentConfig.Values.OIDC.UserRoleMapping.Value)
 			require.Equal(t, "OpenID Connect", deploymentConfig.Values.OIDC.SignInText.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.IconURL.Value())
 		})
 
@@ -21,8 +21,7 @@ Coder v0.0.0-devel — A tool for provisioning self-hosted development environme
     logout            Unauthenticate your local session
     netcheck          Print network debug information for DERP and STUN
     ping              Ping a workspace
-    port-forward      Forward ports from a workspace to the local machine.
-                      Forward ports from a workspace to the local machine. For
+    port-forward      Forward ports from a workspace to the local machine. For
                       reverse port forwarding, use "coder ssh -R".
     publickey         Output your Coder public key used for Git operations
     rename            Rename a workspace
 
@@ -1,7 +1,7 @@
 Usage: coder port-forward [flags] <workspace>
 
-Forward ports from a workspace to the local machine. Forward ports from a
-workspace to the local machine. For reverse port forwarding, use "coder ssh -R".
+Forward ports from a workspace to the local machine. For reverse port
+forwarding, use "coder ssh -R".
 
 Aliases: tunnel
 
 
@@ -337,6 +337,20 @@ can safely ignore these settings.
       --oidc-scopes string-array, $CODER_OIDC_SCOPES (default: openid,profile,email)
           Scopes to grant when authenticating with OIDC.
 
+      --oidc-user-role-default string-array, $CODER_OIDC_USER_ROLE_DEFAULT
+          If user role sync is enabled, these roles are always included for all
+          authenticated users. The 'member' role is always assigned.
+
+      --oidc-user-role-field string, $CODER_OIDC_USER_ROLE_FIELD
+          This field must be set if using the user roles sync feature. Set this
+          to the name of the claim used to store the user's role. The roles
+          should be sent as an array of strings.
+
+      --oidc-user-role-mapping struct[map[string][]string], $CODER_OIDC_USER_ROLE_MAPPING (default: {})
+          A map of the OIDC passed in user roles and the groups in Coder it
+          should map to. This is useful if the group names do not match. If
+          mapped to the empty string, the role will ignored.
+
       --oidc-username-field string, $CODER_OIDC_USERNAME_FIELD (default: preferred_username)
           OIDC claim field to use as the username.
 
 
@@ -15,7 +15,8 @@
         "display_name": "Owner"
       }
     ],
-    "avatar_url": ""
+    "avatar_url": "",
+    "login_type": "password"
   },
   {
     "id": "[second user ID]",
@@ -28,6 +29,7 @@
       "[first org ID]"
     ],
     "roles": [],
-    "avatar_url": ""
+    "avatar_url": "",
+    "login_type": "password"
   }
 ]
@@ -268,6 +268,20 @@ oidc:
   # for when OIDC providers only return group IDs.
   # (default: {}, type: struct[map[string]string])
   groupMapping: {}
+  # This field must be set if using the user roles sync feature. Set this to the
+  # name of the claim used to store the user's role. The roles should be sent as an
+  # array of strings.
+  # (default: <unset>, type: string)
+  userRoleField: ""
+  # A map of the OIDC passed in user roles and the groups in Coder it should map to.
+  # This is useful if the group names do not match. If mapped to the empty string,
+  # the role will ignored.
+  # (default: {}, type: struct[map[string][]string])
+  userRoleMapping: {}
+  # If user role sync is enabled, these roles are always included for all
+  # authenticated users. The 'member' role is always assigned.
+  # (default: <unset>, type: string-array)
+  userRoleDefault: []
   # The text to show on the OpenID Connect sign in button.
   # (default: OpenID Connect, type: string)
   signInText: OpenID Connect
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,8 @@`
`15`	`15`	`"display_name": "Owner"`
`16`	`16`	`}`
`17`	`17`	`],`
`18`		`- "avatar_url": ""`
	`18`	`+ "avatar_url": "",`
	`19`	`+ "login_type": "password"`
`19`	`20`	`},`
`20`	`21`	`{`
`21`	`22`	`"id": "[second user ID]",`
`@@ -28,6 +29,7 @@`
`28`	`29`	`"[first org ID]"`
`29`	`30`	`],`
`30`	`31`	`"roles": [],`
`31`		`- "avatar_url": ""`
	`32`	`+ "avatar_url": "",`
	`33`	`+ "login_type": "password"`
`32`	`34`	`}`
`33`	`35`	`]`