Merge remote-tracking branch 'origin/main' into ssncferreira/feat-cli-schedule-prebuild

ssncferreira · ssncferreira · commit ae6e17f9f68e · 2025-08-13T09:08:44.000Z
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -32,9 +32,36 @@ env:
   CODER_RELEASE_NOTES: ${{ inputs.release_notes }}
 
 jobs:
+  # Only allow maintainers/admins to release.
+  check-perms:
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    steps:
+      - name: Allow only maintainers/admins
+        uses: actions/github-script@v7.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const {data} = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: context.actor
+            });
+            const role = data.role_name || data.user?.role_name || data.permission;
+            const perms = data.user?.permissions || {};
+            core.info(`Actor ${context.actor} permission=${data.permission}, role_name=${role}`);
+
+            const allowed =
+              role === 'admin' ||
+              role === 'maintain' ||
+              perms.admin === true ||
+              perms.maintain === true;
+
+            if (!allowed) core.setFailed('Denied: requires maintain or admin');
+
   # build-dylib is a separate job to build the dylib on macOS.
   build-dylib:
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
+    needs: check-perms
     steps:
       # Harden Runner doesn't work on macOS.
       - name: Checkout
@@ -114,7 +141,7 @@ jobs:
 
   release:
     name: Build and publish
-    needs: build-dylib
+    needs: [build-dylib, check-perms]
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
     permissions:
       # Required to publish a release
diff --git a/coderd/database/querier_test.go b/coderd/database/querier_test.go
@@ -6009,10 +6009,10 @@ func TestUserSecretsCRUDOperations(t *testing.T) {
 
 	// Use raw database without dbauthz wrapper for this test
 	db, _ := dbtestutil.NewDB(t)
-	ctx := testutil.Context(t, testutil.WaitMedium)
 
 	t.Run("FullCRUDWorkflow", func(t *testing.T) {
 		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitMedium)
 
 		// Create a new user for this test
 		testUser := dbgen.User(t, db, database.User{})
@@ -6085,6 +6085,7 @@ func TestUserSecretsCRUDOperations(t *testing.T) {
 
 	t.Run("UniqueConstraints", func(t *testing.T) {
 		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitMedium)
 
 		// Create a new user for this test
 		testUser := dbgen.User(t, db, database.User{})
@@ -6156,7 +6157,6 @@ func TestUserSecretsAuthorization(t *testing.T) {
 	db, _ := dbtestutil.NewDB(t)
 	authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 	authDB := dbauthz.New(db, authorizer, slogtest.Make(t, &slogtest.Options{}), coderdtest.AccessControlStorePointer())
-	ctx := testutil.Context(t, testutil.WaitMedium)
 
 	// Create test users
 	user1 := dbgen.User(t, db, database.User{})
@@ -6234,6 +6234,7 @@ func TestUserSecretsAuthorization(t *testing.T) {
 		tc := tc // capture range variable
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
+			ctx := testutil.Context(t, testutil.WaitMedium)
 
 			authCtx := dbauthz.As(ctx, tc.subject)
 
diff --git a/docs/admin/monitoring/logs.md b/docs/admin/monitoring/logs.md
@@ -17,7 +17,7 @@ machine/VM.
   options.
 - To only display certain types of logs, use
   the[`CODER_LOG_FILTER`](../../reference/cli/server.md#-l---log-filter) server
-  config.
+  config. Using `.*` will result in the `DEBUG` log level being used.
 
 Events such as server errors, audit logs, user activities, and SSO & OpenID
 Connect logs are all captured in the `coderd` logs.
diff --git a/docs/admin/users/oidc-auth/google.md b/docs/admin/users/oidc-auth/google.md
@@ -0,0 +1,62 @@
+# Google authentication (OIDC)
+
+This guide shows how to configure Coder to authenticate users with Google using OpenID Connect (OIDC).
+
+## Prerequisites
+
+- A Google Cloud project with the OAuth consent screen configured
+- Permission to create OAuth 2.0 Client IDs in Google Cloud
+
+## Step 1: Create an OAuth client in Google Cloud
+
+1. Open Google Cloud Console → APIs & Services → Credentials → Create Credentials → OAuth client ID.
+2. Application type: Web application.
+3. Authorized redirect URIs: add your Coder callback URL:
+   - `https://coder.example.com/api/v2/users/oidc/callback`
+4. Save and note the Client ID and Client secret.
+
+## Step 2: Configure Coder OIDC for Google
+
+Set the following environment variables on your Coder deployment and restart Coder:
+
+```env
+CODER_OIDC_ISSUER_URL=https://accounts.google.com
+CODER_OIDC_CLIENT_ID=<client id>
+CODER_OIDC_CLIENT_SECRET=<client secret>
+# Restrict to one or more email domains (comma-separated)
+CODER_OIDC_EMAIL_DOMAIN="example.com"
+# Standard OIDC scopes for Google
+CODER_OIDC_SCOPES=openid,profile,email
+# Optional: customize the login button
+CODER_OIDC_SIGN_IN_TEXT="Sign in with Google"
+CODER_OIDC_ICON_URL=/icon/google.svg
+```
+
+> [!NOTE]
+> The redirect URI must exactly match what you configured in Google Cloud.
+
+## Enable refresh tokens (recommended)
+
+Google uses auth URL parameters to issue refresh tokens. Configure:
+
+```env
+# Keep standard scopes
+CODER_OIDC_SCOPES=openid,profile,email
+# Add Google-specific auth URL params
+CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline", "prompt": "consent"}'
+```
+
+After changing settings, users must log out and back in once to obtain refresh tokens.
+
+Learn more in [Configure OIDC refresh tokens](./refresh-tokens.md).
+
+## Troubleshooting
+
+- "invalid redirect_uri": ensure the redirect URI in Google Cloud matches `https://<your-coder-host>/api/v2/users/oidc/callback`.
+- Domain restriction: if users from unexpected domains can log in, verify `CODER_OIDC_EMAIL_DOMAIN`.
+- Claims: to inspect claims returned by Google, see guidance in the [OIDC overview](./index.md#oidc-claims).
+
+## See also
+
+- [OIDC overview](./index.md)
+- [Configure OIDC refresh tokens](./refresh-tokens.md)
diff --git a/docs/manifest.json b/docs/manifest.json
@@ -416,6 +416,11 @@
 							"description": "Configure OpenID Connect authentication with identity providers like Okta or Active Directory",
 							"path": "./admin/users/oidc-auth/index.md",
 							"children": [
+								{
+									"title": "Google",
+									"description": "Configure Google as an OIDC provider",
+									"path": "./admin/users/oidc-auth/google.md"
+								},
 								{
 									"title": "Configure OIDC refresh tokens",
 									"description": "How to configure OIDC refresh tokens",
diff --git a/site/src/components/ActiveUserChart/ActiveUserChart.tsx b/site/src/components/ActiveUserChart/ActiveUserChart.tsx
@@ -113,7 +113,7 @@ type ActiveUsersTitleProps = {
 
 export const ActiveUsersTitle: FC<ActiveUsersTitleProps> = ({ interval }) => {
 	return (
-		<div css={{ display: "flex", alignItems: "center", gap: 8 }}>
+		<div className="flex items-center gap-2">
 			{interval === "day" ? "Daily" : "Weekly"} Active Users
 			<HelpTooltip>
 				<HelpTooltipTrigger size="small" />
