coder
diff --git a/‎.github/actions/setup-node/action.yaml
+1-1 b/‎.github/actions/setup-node/action.yaml
+1-1
diff --git a/‎.github/workflows/ci.yaml
+12-23 b/‎.github/workflows/ci.yaml
+12-23
diff --git a/‎.github/workflows/dogfood.yaml
+1 b/‎.github/workflows/dogfood.yaml
+1
diff --git a/‎.github/workflows/meticulous.yaml
+46 b/‎.github/workflows/meticulous.yaml
+46
diff --git a/‎coderd/audit.go
+43-43 b/‎coderd/audit.go
+43-43
@@ -13,7 +13,7 @@ runs:
     - name: Install pnpm
       uses: pnpm/action-setup@v3
       with:
-        version: 8
+        version: 9
     - name: Setup Node
       uses: actions/setup-node@v4.0.1
       with:
 
@@ -121,25 +121,34 @@ jobs:
     needs: changes
     if: needs.changes.outputs.gomod == 'true'
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
-    permissions:
-      # Give the default GITHUB_TOKEN write permission to commit and push the changed files back to the repository.
-      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
+          # See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
+          token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
 
       - name: Setup Go
         uses: ./.github/actions/setup-go
 
       - name: Update Nix Flake SRI Hash
         run: ./scripts/update-flake.sh
 
+      # auto update flake for dependabot
       - uses: stefanzweifel/git-auto-commit-action@v5
+        if: github.actor == 'dependabot[bot]'
         with:
           # Allows dependabot to still rebase!
           commit_message: "[dependabot skip] Update Nix Flake SRI Hash"
+          commit_user_name: "dependabot[bot]"
+          commit_user_email: "49699333+dependabot[bot]@users.noreply.github.com>"
+          commit_author: "dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>"
+
+      # require everyone else to update it themselves
+      - name: Ensure No Changes
+        if: github.actor != 'dependabot[bot]'
+        run: git diff --exit-code
 
   lint:
     needs: changes
@@ -999,23 +1008,3 @@ jobs:
             fi
           done
           echo "No incompatible licenses detected"
-  meticulous:
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Checkout Repository"
-        uses: actions/checkout@v4
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
-      - name: Build
-        working-directory: ./site
-        run: pnpm build
-      - name: Serve
-        working-directory: ./site
-        run: |
-          pnpm vite preview &
-          sleep 5
-      - name: Run Meticulous tests
-        uses: alwaysmeticulous/report-diffs-action/cloud-compute@v1
-        with:
-          api-token: ${{ secrets.METICULOUS_API_TOKEN }}
-          app-url: "http://127.0.0.1:4173/"
@@ -19,6 +19,7 @@ on:
 
 jobs:
   build_image:
+    if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
 
@@ -0,0 +1,46 @@
+# Workflow for serving the webapp locally & running Meticulous tests against it.
+
+name: Meticulous
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "site/**"
+  pull_request:
+    paths:
+      - "site/**"
+  # Meticulous needs the workflow to be triggered on workflow_dispatch events,
+  # so that Meticulous can run the workflow on the base commit to compare
+  # against if an existing workflow hasn't run.
+  workflow_dispatch:
+
+permissions:
+  actions: write
+  contents: read
+  issues: write
+  pull-requests: write
+  statuses: read
+
+jobs:
+  meticulous:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+      - name: Setup Node
+        uses: ./.github/actions/setup-node
+      - name: Build
+        working-directory: ./site
+        run: pnpm build
+      - name: Serve
+        working-directory: ./site
+        run: |
+          pnpm vite preview &
+          sleep 5
+      - name: Run Meticulous tests
+        uses: alwaysmeticulous/report-diffs-action/cloud-compute@v1
+        with:
+          api-token: ${{ secrets.METICULOUS_API_TOKEN }}
+          app-url: "http://127.0.0.1:4173/"
@@ -182,17 +182,17 @@ func (api *API) convertAuditLogs(ctx context.Context, dblogs []database.GetAudit
 }
 
 func (api *API) convertAuditLog(ctx context.Context, dblog database.GetAuditLogsOffsetRow) codersdk.AuditLog {
-	ip, _ := netip.AddrFromSlice(dblog.Ip.IPNet.IP)
+	ip, _ := netip.AddrFromSlice(dblog.AuditLog.Ip.IPNet.IP)
 
 	diff := codersdk.AuditDiff{}
-	_ = json.Unmarshal(dblog.Diff, &diff)
+	_ = json.Unmarshal(dblog.AuditLog.Diff, &diff)
 
 	var user *codersdk.User
 	if dblog.UserUsername.Valid {
 		// Leaving the organization IDs blank for now; not sure they are useful for
 		// the audit query anyway?
 		sdkUser := db2sdk.User(database.User{
-			ID:                 dblog.UserID,
+			ID:                 dblog.AuditLog.UserID,
 			Email:              dblog.UserEmail.String,
 			Username:           dblog.UserUsername.String,
 			CreatedAt:          dblog.UserCreatedAt.Time,
@@ -211,7 +211,7 @@ func (api *API) convertAuditLog(ctx context.Context, dblog database.GetAuditLogs
 	}
 
 	var (
-		additionalFieldsBytes = []byte(dblog.AdditionalFields)
+		additionalFieldsBytes = []byte(dblog.AuditLog.AdditionalFields)
 		additionalFields      audit.AdditionalFields
 		err                   = json.Unmarshal(additionalFieldsBytes, &additionalFields)
 	)
@@ -224,7 +224,7 @@ func (api *API) convertAuditLog(ctx context.Context, dblog database.GetAuditLogs
 			WorkspaceOwner: "unknown",
 		}
 
-		dblog.AdditionalFields, err = json.Marshal(resourceInfo)
+		dblog.AuditLog.AdditionalFields, err = json.Marshal(resourceInfo)
 		api.Logger.Error(ctx, "marshal additional fields", slog.Error(err))
 	}
 
@@ -239,30 +239,30 @@ func (api *API) convertAuditLog(ctx context.Context, dblog database.GetAuditLogs
 	}
 
 	alog := codersdk.AuditLog{
-		ID:        dblog.ID,
-		RequestID: dblog.RequestID,
-		Time:      dblog.Time,
+		ID:        dblog.AuditLog.ID,
+		RequestID: dblog.AuditLog.RequestID,
+		Time:      dblog.AuditLog.Time,
 		// OrganizationID is deprecated.
-		OrganizationID:   dblog.OrganizationID,
+		OrganizationID:   dblog.AuditLog.OrganizationID,
 		IP:               ip,
-		UserAgent:        dblog.UserAgent.String,
-		ResourceType:     codersdk.ResourceType(dblog.ResourceType),
-		ResourceID:       dblog.ResourceID,
-		ResourceTarget:   dblog.ResourceTarget,
-		ResourceIcon:     dblog.ResourceIcon,
-		Action:           codersdk.AuditAction(dblog.Action),
+		UserAgent:        dblog.AuditLog.UserAgent.String,
+		ResourceType:     codersdk.ResourceType(dblog.AuditLog.ResourceType),
+		ResourceID:       dblog.AuditLog.ResourceID,
+		ResourceTarget:   dblog.AuditLog.ResourceTarget,
+		ResourceIcon:     dblog.AuditLog.ResourceIcon,
+		Action:           codersdk.AuditAction(dblog.AuditLog.Action),
 		Diff:             diff,
-		StatusCode:       dblog.StatusCode,
-		AdditionalFields: dblog.AdditionalFields,
+		StatusCode:       dblog.AuditLog.StatusCode,
+		AdditionalFields: dblog.AuditLog.AdditionalFields,
 		User:             user,
 		Description:      auditLogDescription(dblog),
 		ResourceLink:     resourceLink,
 		IsDeleted:        isDeleted,
 	}
 
-	if dblog.OrganizationID != uuid.Nil {
+	if dblog.AuditLog.OrganizationID != uuid.Nil {
 		alog.Organization = &codersdk.MinimalOrganization{
-			ID:          dblog.OrganizationID,
+			ID:          dblog.AuditLog.OrganizationID,
 			Name:        dblog.OrganizationName,
 			DisplayName: dblog.OrganizationDisplayName,
 			Icon:        dblog.OrganizationIcon,
@@ -276,32 +276,32 @@ func auditLogDescription(alog database.GetAuditLogsOffsetRow) string {
 	b := strings.Builder{}
 	// NOTE: WriteString always returns a nil error, so we never check it
 	_, _ = b.WriteString("{user} ")
-	if alog.StatusCode >= 400 {
+	if alog.AuditLog.StatusCode >= 400 {
 		_, _ = b.WriteString("unsuccessfully attempted to ")
-		_, _ = b.WriteString(string(alog.Action))
+		_, _ = b.WriteString(string(alog.AuditLog.Action))
 	} else {
-		_, _ = b.WriteString(codersdk.AuditAction(alog.Action).Friendly())
+		_, _ = b.WriteString(codersdk.AuditAction(alog.AuditLog.Action).Friendly())
 	}
 
 	// API Key resources (used for authentication) do not have targets and follow the below format:
 	// "User {logged in | logged out | registered}"
-	if alog.ResourceType == database.ResourceTypeApiKey &&
-		(alog.Action == database.AuditActionLogin || alog.Action == database.AuditActionLogout || alog.Action == database.AuditActionRegister) {
+	if alog.AuditLog.ResourceType == database.ResourceTypeApiKey &&
+		(alog.AuditLog.Action == database.AuditActionLogin || alog.AuditLog.Action == database.AuditActionLogout || alog.AuditLog.Action == database.AuditActionRegister) {
 		return b.String()
 	}
 
 	// We don't display the name (target) for git ssh keys. It's fairly long and doesn't
 	// make too much sense to display.
-	if alog.ResourceType == database.ResourceTypeGitSshKey {
+	if alog.AuditLog.ResourceType == database.ResourceTypeGitSshKey {
 		_, _ = b.WriteString(" the ")
-		_, _ = b.WriteString(codersdk.ResourceType(alog.ResourceType).FriendlyString())
+		_, _ = b.WriteString(codersdk.ResourceType(alog.AuditLog.ResourceType).FriendlyString())
 		return b.String()
 	}
 
 	_, _ = b.WriteString(" ")
-	_, _ = b.WriteString(codersdk.ResourceType(alog.ResourceType).FriendlyString())
+	_, _ = b.WriteString(codersdk.ResourceType(alog.AuditLog.ResourceType).FriendlyString())
 
-	if alog.ResourceType == database.ResourceTypeConvertLogin {
+	if alog.AuditLog.ResourceType == database.ResourceTypeConvertLogin {
 		_, _ = b.WriteString(" to")
 	}
 
@@ -311,9 +311,9 @@ func auditLogDescription(alog database.GetAuditLogsOffsetRow) string {
 }
 
 func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.GetAuditLogsOffsetRow) bool {
-	switch alog.ResourceType {
+	switch alog.AuditLog.ResourceType {
 	case database.ResourceTypeTemplate:
-		template, err := api.Database.GetTemplateByID(ctx, alog.ResourceID)
+		template, err := api.Database.GetTemplateByID(ctx, alog.AuditLog.ResourceID)
 		if err != nil {
 			if xerrors.Is(err, sql.ErrNoRows) {
 				return true
@@ -322,7 +322,7 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get
 		}
 		return template.Deleted
 	case database.ResourceTypeUser:
-		user, err := api.Database.GetUserByID(ctx, alog.ResourceID)
+		user, err := api.Database.GetUserByID(ctx, alog.AuditLog.ResourceID)
 		if err != nil {
 			if xerrors.Is(err, sql.ErrNoRows) {
 				return true
@@ -331,7 +331,7 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get
 		}
 		return user.Deleted
 	case database.ResourceTypeWorkspace:
-		workspace, err := api.Database.GetWorkspaceByID(ctx, alog.ResourceID)
+		workspace, err := api.Database.GetWorkspaceByID(ctx, alog.AuditLog.ResourceID)
 		if err != nil {
 			if xerrors.Is(err, sql.ErrNoRows) {
 				return true
@@ -340,7 +340,7 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get
 		}
 		return workspace.Deleted
 	case database.ResourceTypeWorkspaceBuild:
-		workspaceBuild, err := api.Database.GetWorkspaceBuildByID(ctx, alog.ResourceID)
+		workspaceBuild, err := api.Database.GetWorkspaceBuildByID(ctx, alog.AuditLog.ResourceID)
 		if err != nil {
 			if xerrors.Is(err, sql.ErrNoRows) {
 				return true
@@ -357,15 +357,15 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get
 		}
 		return workspace.Deleted
 	case database.ResourceTypeOauth2ProviderApp:
-		_, err := api.Database.GetOAuth2ProviderAppByID(ctx, alog.ResourceID)
+		_, err := api.Database.GetOAuth2ProviderAppByID(ctx, alog.AuditLog.ResourceID)
 		if xerrors.Is(err, sql.ErrNoRows) {
 			return true
 		} else if err != nil {
 			api.Logger.Error(ctx, "unable to fetch oauth2 app", slog.Error(err))
 		}
 		return false
 	case database.ResourceTypeOauth2ProviderAppSecret:
-		_, err := api.Database.GetOAuth2ProviderAppSecretByID(ctx, alog.ResourceID)
+		_, err := api.Database.GetOAuth2ProviderAppSecretByID(ctx, alog.AuditLog.ResourceID)
 		if xerrors.Is(err, sql.ErrNoRows) {
 			return true
 		} else if err != nil {
@@ -378,17 +378,17 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get
 }
 
 func (api *API) auditLogResourceLink(ctx context.Context, alog database.GetAuditLogsOffsetRow, additionalFields audit.AdditionalFields) string {
-	switch alog.ResourceType {
+	switch alog.AuditLog.ResourceType {
 	case database.ResourceTypeTemplate:
 		return fmt.Sprintf("/templates/%s",
-			alog.ResourceTarget)
+			alog.AuditLog.ResourceTarget)
 
 	case database.ResourceTypeUser:
 		return fmt.Sprintf("/users?filter=%s",
-			alog.ResourceTarget)
+			alog.AuditLog.ResourceTarget)
 
 	case database.ResourceTypeWorkspace:
-		workspace, getWorkspaceErr := api.Database.GetWorkspaceByID(ctx, alog.ResourceID)
+		workspace, getWorkspaceErr := api.Database.GetWorkspaceByID(ctx, alog.AuditLog.ResourceID)
 		if getWorkspaceErr != nil {
 			return ""
 		}
@@ -397,13 +397,13 @@ func (api *API) auditLogResourceLink(ctx context.Context, alog database.GetAudit
 			return ""
 		}
 		return fmt.Sprintf("/@%s/%s",
-			workspaceOwner.Username, alog.ResourceTarget)
+			workspaceOwner.Username, alog.AuditLog.ResourceTarget)
 
 	case database.ResourceTypeWorkspaceBuild:
 		if len(additionalFields.WorkspaceName) == 0 || len(additionalFields.BuildNumber) == 0 {
 			return ""
 		}
-		workspaceBuild, getWorkspaceBuildErr := api.Database.GetWorkspaceBuildByID(ctx, alog.ResourceID)
+		workspaceBuild, getWorkspaceBuildErr := api.Database.GetWorkspaceBuildByID(ctx, alog.AuditLog.ResourceID)
 		if getWorkspaceBuildErr != nil {
 			return ""
 		}
@@ -419,10 +419,10 @@ func (api *API) auditLogResourceLink(ctx context.Context, alog database.GetAudit
 			workspaceOwner.Username, additionalFields.WorkspaceName, additionalFields.BuildNumber)
 
 	case database.ResourceTypeOauth2ProviderApp:
-		return fmt.Sprintf("/deployment/oauth2-provider/apps/%s", alog.ResourceID)
+		return fmt.Sprintf("/deployment/oauth2-provider/apps/%s", alog.AuditLog.ResourceID)
 
 	case database.ResourceTypeOauth2ProviderAppSecret:
-		secret, err := api.Database.GetOAuth2ProviderAppSecretByID(ctx, alog.ResourceID)
+		secret, err := api.Database.GetOAuth2ProviderAppSecretByID(ctx, alog.AuditLog.ResourceID)
 		if err != nil {
 			return ""
 		}