coder
diff --git a/‎.github/workflows/coder.yaml
+15-4 b/‎.github/workflows/coder.yaml
+15-4
diff --git a/‎.github/workflows/release.yaml
+14-1 b/‎.github/workflows/release.yaml
+14-1
diff --git a/‎.goreleaser.yaml
+58-11 b/‎.goreleaser.yaml
+58-11
diff --git a/‎.vscode/settings.json
+1 b/‎.vscode/settings.json
+1
diff --git a/‎Makefile
+8-4 b/‎Makefile
+8-4
diff --git a/‎agent/agent.go
+21-22 b/‎agent/agent.go
+21-22
diff --git a/‎agent/agent_test.go
+4-6 b/‎agent/agent_test.go
+4-6
@@ -76,6 +76,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install node_modules
+        run: ./scripts/yarn_install.sh
+
       - name: Install Protoc
         uses: arduino/setup-protoc@v1
         with:
@@ -169,10 +184,6 @@ jobs:
           terraform_version: 1.1.2
           terraform_wrapper: false
 
-      - name: Install socat
-        if: runner.os == 'Linux'
-        run: sudo apt-get install -y socat
-
       - name: Test with Mock Database
         shell: bash
         env:
 
@@ -5,7 +5,7 @@ on:
       - "v*"
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
     steps:
       - uses: actions/checkout@v3
         with:
@@ -14,6 +14,17 @@ jobs:
         with:
           go-version: "~1.18"
 
+      - name: Install Gon
+        run: |
+          brew tap mitchellh/gon
+          brew install mitchellh/gon/gon
+
+      - name: Import Signing Certificates
+        uses: Apple-Actions/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
+          p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
+
       - name: Echo Go Cache Paths
         id: go-cache-paths
         run: |
@@ -53,3 +64,5 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
@@ -1,13 +1,24 @@
 archives:
-  - id: coder
-    builds:
-      - coder
+  - id: coder-linux
+    builds: [coder-linux]
+    format: tar
+    files:
+      - src: docs/README.md
+        dst: README.md
+
+  - id: coder-darwin
+    builds: [coder-darwin]
+    format: zip
+    files:
+      - src: docs/README.md
+        dst: README.md
+
+  - id: coder-windows
+    builds: [coder-windows]
+    format: zip
     files:
       - src: docs/README.md
         dst: README.md
-    format_overrides:
-      - goos: windows
-        format: zip
 
 before:
   hooks:
@@ -27,15 +38,44 @@ builds:
       post: |
         cp {{.Path}} site/out/bin/coder-{{ .Os }}-{{ .Arch }}{{ trimprefix .Name "coder" }}
 
-  - id: coder
+  - id: coder-linux
     dir: cmd/coder
-    flags: ["-tags=embed"]
+    flags: [-tags=embed]
     ldflags:
       ["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
     env: [CGO_ENABLED=0]
-    goos: [darwin, linux, windows]
+    goos: [linux]
+    goarch: [amd64, arm64]
+
+  - id: coder-windows
+    dir: cmd/coder
+    flags: [-tags=embed]
+    ldflags:
+      ["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
+    env: [CGO_ENABLED=0]
+    goos: [windows]
     goarch: [amd64, arm64]
 
+  - id: coder-darwin
+    dir: cmd/coder
+    flags: [-tags=embed]
+    ldflags:
+      ["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
+    env: [CGO_ENABLED=0]
+    goos: [darwin]
+    goarch: [amd64, arm64]
+    hooks:
+      # This signs the binary that will be located inside the zip.
+      # MacOS requires the binary to be signed for notarization.
+      # 
+      # If it doesn't successfully sign, the zip sign step will error.
+      post: |
+        sh -c 'codesign -s {{.Env.AC_APPLICATION_IDENTITY}} -f -v --timestamp --options runtime {{.Path}} || true'
+
+env:
+  # Apple identity for signing!
+  - AC_APPLICATION_IDENTITY=BDB050EB749EDD6A80C6F119BF1382ECA119CCCC
+
 nfpms:
   - id: packages
     vendor: Coder
@@ -50,7 +90,7 @@ nfpms:
     suggests:
       - postgresql
     builds:
-      - coder
+      - coder-linux
     bindir: /usr/bin
     contents:
       - src: coder.env
@@ -60,7 +100,14 @@ nfpms:
         dst: /usr/lib/systemd/system/coder.service
 
 release:
-  ids: [coder, packages]
+  ids: [coder-linux, coder-darwin, coder-windows, packages]
+
+signs:
+  - ids: [coder-darwin]
+    artifacts: archive
+    cmd: ./scripts/sign_macos.sh
+    args: ["${artifact}"]
+    output: true
 
 snapshot:
   name_template: "{{ .Version }}-devel+{{ .ShortCommit }}"
@@ -57,6 +57,7 @@
     "trimprefix",
     "unconvert",
     "Untar",
+    "VMID",
     "webrtc",
     "xerrors",
     "yamux"
 
@@ -19,6 +19,11 @@ coderd/database/generate: fmt/sql coderd/database/dump.sql $(wildcard coderd/dat
 	coderd/database/generate.sh
 .PHONY: coderd/database/generate
 
+apitypings/generate: site/src/api/types.ts
+	go run scripts/apitypings/main.go > site/src/api/types-generated.ts
+	cd site && yarn run format:types
+.PHONY: apitypings/generate
+
 fmt/prettier:
 	@echo "--- prettier"
 # Avoid writing files in CI to reduce file write activity
@@ -48,7 +53,7 @@ fmt/terraform: $(wildcard *.tf)
 fmt: fmt/prettier fmt/sql fmt/terraform
 .PHONY: fmt
 
-gen: coderd/database/generate peerbroker/proto provisionersdk/proto provisionerd/proto
+gen: coderd/database/generate peerbroker/proto provisionersdk/proto provisionerd/proto apitypings/generate
 .PHONY: gen
 
 install: bin
@@ -88,8 +93,8 @@ provisionersdk/proto: provisionersdk/proto/provisioner.proto
 		./provisionersdk/proto/provisioner.proto
 .PHONY: provisionersdk/proto
 
-release: site/out
-	goreleaser release --snapshot --rm-dist
+release:
+	goreleaser release --snapshot --rm-dist --skip-sign
 .PHONY: release
 
 site/out:
@@ -102,4 +107,3 @@ site/out:
 
 test:
 	gotestsum -- -v -short ./...
-
 
@@ -32,23 +32,23 @@ type Options struct {
 	Logger slog.Logger
 }
 
-type Dialer func(ctx context.Context, options *peer.ConnOptions) (*peerbroker.Listener, error)
+type Dialer func(ctx context.Context, logger slog.Logger) (*peerbroker.Listener, error)
 
-func New(dialer Dialer, options *peer.ConnOptions) io.Closer {
+func New(dialer Dialer, logger slog.Logger) io.Closer {
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	server := &agent{
-		clientDialer: dialer,
-		options:      options,
-		closeCancel:  cancelFunc,
-		closed:       make(chan struct{}),
+		dialer:      dialer,
+		logger:      logger,
+		closeCancel: cancelFunc,
+		closed:      make(chan struct{}),
 	}
 	server.init(ctx)
 	return server
 }
 
 type agent struct {
-	clientDialer Dialer
-	options      *peer.ConnOptions
+	dialer Dialer
+	logger slog.Logger
 
 	connCloseWait sync.WaitGroup
 	closeCancel   context.CancelFunc
@@ -64,18 +64,18 @@ func (a *agent) run(ctx context.Context) {
 	// An exponential back-off occurs when the connection is failing to dial.
 	// This is to prevent server spam in case of a coderd outage.
 	for retrier := retry.New(50*time.Millisecond, 10*time.Second); retrier.Wait(ctx); {
-		peerListener, err = a.clientDialer(ctx, a.options)
+		peerListener, err = a.dialer(ctx, a.logger)
 		if err != nil {
 			if errors.Is(err, context.Canceled) {
 				return
 			}
 			if a.isClosed() {
 				return
 			}
-			a.options.Logger.Warn(context.Background(), "failed to dial", slog.Error(err))
+			a.logger.Warn(context.Background(), "failed to dial", slog.Error(err))
 			continue
 		}
-		a.options.Logger.Info(context.Background(), "connected")
+		a.logger.Info(context.Background(), "connected")
 		break
 	}
 	select {
@@ -90,7 +90,7 @@ func (a *agent) run(ctx context.Context) {
 			if a.isClosed() {
 				return
 			}
-			a.options.Logger.Debug(ctx, "peer listener accept exited; restarting connection", slog.Error(err))
+			a.logger.Debug(ctx, "peer listener accept exited; restarting connection", slog.Error(err))
 			a.run(ctx)
 			return
 		}
@@ -105,10 +105,9 @@ func (a *agent) handlePeerConn(ctx context.Context, conn *peer.Conn) {
 	go func() {
 		select {
 		case <-a.closed:
-			_ = conn.Close()
 		case <-conn.Closed():
 		}
-		<-conn.Closed()
+		_ = conn.Close()
 		a.connCloseWait.Done()
 	}()
 	for {
@@ -117,15 +116,15 @@ func (a *agent) handlePeerConn(ctx context.Context, conn *peer.Conn) {
 			if errors.Is(err, peer.ErrClosed) || a.isClosed() {
 				return
 			}
-			a.options.Logger.Debug(ctx, "accept channel from peer connection", slog.Error(err))
+			a.logger.Debug(ctx, "accept channel from peer connection", slog.Error(err))
 			return
 		}
 
 		switch channel.Protocol() {
 		case "ssh":
 			go a.sshServer.HandleConn(channel.NetConn())
 		default:
-			a.options.Logger.Warn(ctx, "unhandled protocol from channel",
+			a.logger.Warn(ctx, "unhandled protocol from channel",
 				slog.F("protocol", channel.Protocol()),
 				slog.F("label", channel.Label()),
 			)
@@ -145,7 +144,7 @@ func (a *agent) init(ctx context.Context) {
 	if err != nil {
 		panic(err)
 	}
-	sshLogger := a.options.Logger.Named("ssh-server")
+	sshLogger := a.logger.Named("ssh-server")
 	forwardHandler := &ssh.ForwardedTCPHandler{}
 	a.sshServer = &ssh.Server{
 		ChannelHandlers: map[string]ssh.ChannelHandler{
@@ -158,7 +157,7 @@ func (a *agent) init(ctx context.Context) {
 		Handler: func(session ssh.Session) {
 			err := a.handleSSHSession(session)
 			if err != nil {
-				a.options.Logger.Warn(ctx, "ssh session failed", slog.Error(err))
+				a.logger.Warn(ctx, "ssh session failed", slog.Error(err))
 				_ = session.Exit(1)
 				return
 			}
@@ -194,15 +193,15 @@ func (a *agent) init(ctx context.Context) {
 			"sftp": func(session ssh.Session) {
 				server, err := sftp.NewServer(session)
 				if err != nil {
-					a.options.Logger.Debug(session.Context(), "initialize sftp server", slog.Error(err))
+					a.logger.Debug(session.Context(), "initialize sftp server", slog.Error(err))
 					return
 				}
 				defer server.Close()
 				err = server.Serve()
 				if errors.Is(err, io.EOF) {
 					return
 				}
-				a.options.Logger.Debug(session.Context(), "sftp server exited with error", slog.Error(err))
+				a.logger.Debug(session.Context(), "sftp server exited with error", slog.Error(err))
 			},
 		},
 	}
@@ -237,7 +236,7 @@ func (a *agent) handleSSHSession(session ssh.Session) error {
 	if err != nil {
 		return xerrors.Errorf("getting os executable: %w", err)
 	}
-	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_SSH_COMMAND="%s gitssh --"`, executablePath))
+	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_SSH_COMMAND=%s gitssh --`, executablePath))
 
 	sshPty, windowSize, isPty := session.Pty()
 	if isPty {
@@ -250,7 +249,7 @@ func (a *agent) handleSSHSession(session ssh.Session) error {
 			for win := range windowSize {
 				err = ptty.Resize(uint16(win.Width), uint16(win.Height))
 				if err != nil {
-					a.options.Logger.Warn(context.Background(), "failed to resize tty", slog.Error(err))
+					a.logger.Warn(context.Background(), "failed to resize tty", slog.Error(err))
 				}
 			}
 		}()
 
@@ -57,7 +57,7 @@ func TestAgent(t *testing.T) {
 		}
 		output, err := session.Output(command)
 		require.NoError(t, err)
-		require.Contains(t, string(output), "gitssh --")
+		require.True(t, strings.HasSuffix(strings.TrimSpace(string(output)), "gitssh --"))
 	})
 
 	t.Run("SessionTTY", func(t *testing.T) {
@@ -170,11 +170,9 @@ func setupSSHSession(t *testing.T) *ssh.Session {
 
 func setupAgent(t *testing.T) *agent.Conn {
 	client, server := provisionersdk.TransportPipe()
-	closer := agent.New(func(ctx context.Context, opts *peer.ConnOptions) (*peerbroker.Listener, error) {
-		return peerbroker.Listen(server, nil, opts)
-	}, &peer.ConnOptions{
-		Logger: slogtest.Make(t, nil).Leveled(slog.LevelDebug),
-	})
+	closer := agent.New(func(ctx context.Context, logger slog.Logger) (*peerbroker.Listener, error) {
+		return peerbroker.Listen(server, nil)
+	}, slogtest.Make(t, nil).Leveled(slog.LevelDebug))
 	t.Cleanup(func() {
 		_ = client.Close()
 		_ = server.Close()