coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/release.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/release.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎Makefile
Lines changed: 7 additions & 1 deletion b/‎Makefile
Lines changed: 7 additions & 1 deletion
diff --git a/‎agent/agent_test.go
Lines changed: 2 additions & 3 deletions b/‎agent/agent_test.go
Lines changed: 2 additions & 3 deletions
diff --git a/‎agent/agentscripts/agentscripts_test.go
Lines changed: 4 additions & 1 deletion b/‎agent/agentscripts/agentscripts_test.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎cli/agent.go
Lines changed: 10 additions & 5 deletions b/‎cli/agent.go
Lines changed: 10 additions & 5 deletions
diff --git a/‎cli/configssh.go
Lines changed: 25 additions & 3 deletions b/‎cli/configssh.go
Lines changed: 25 additions & 3 deletions
diff --git a/‎cli/configssh_test.go
Lines changed: 27 additions & 0 deletions b/‎cli/configssh_test.go
Lines changed: 27 additions & 0 deletions
diff --git a/‎cli/server.go
Lines changed: 0 additions & 1 deletion b/‎cli/server.go
Lines changed: 0 additions & 1 deletion
@@ -1182,6 +1182,7 @@ jobs:
 
       - name: SBOM Generation and Attestation
         if: github.ref == 'refs/heads/main'
+        continue-on-error: true
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
@@ -1200,7 +1201,7 @@ jobs:
             syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"
 
             echo "Attesting SBOM to image: ${IMAGE}"
-            cosign clean "${IMAGE}"
+            cosign clean --force=true "${IMAGE}"
             cosign attest --type spdxjson \
               --predicate "${SBOM_FILE}" \
               --yes \
 
@@ -509,7 +509,7 @@ jobs:
 
           # Attest SBOM to multi-arch image
           echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
-          cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
+          cosign clean --force=true "${{ steps.build_docker.outputs.multiarch_image }}"
           cosign attest --type spdxjson \
             --predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \
             --yes \
@@ -522,7 +522,7 @@ jobs:
             syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
 
             echo "Attesting SBOM to latest image: ${latest_tag}"
-            cosign clean "${latest_tag}"
+            cosign clean --force=true "${latest_tag}"
             cosign attest --type spdxjson \
               --predicate coder_latest_sbom.spdx.json \
               --yes \
 
@@ -581,7 +581,8 @@ GEN_FILES := \
 	$(TAILNETTEST_MOCKS) \
 	coderd/database/pubsub/psmock/psmock.go \
 	agent/agentcontainers/acmock/acmock.go \
-	agent/agentcontainers/dcspec/dcspec_gen.go
+	agent/agentcontainers/dcspec/dcspec_gen.go \
+	coderd/httpmw/loggermock/loggermock.go
 
 # all gen targets should be added here and to gen/mark-fresh
 gen: gen/db gen/golden-files $(GEN_FILES)
@@ -630,6 +631,7 @@ gen/mark-fresh:
 		coderd/database/pubsub/psmock/psmock.go \
 		agent/agentcontainers/acmock/acmock.go \
 		agent/agentcontainers/dcspec/dcspec_gen.go \
+		coderd/httpmw/loggermock/loggermock.go \
 		"
 
 	for file in $$files; do
@@ -669,6 +671,10 @@ agent/agentcontainers/acmock/acmock.go: agent/agentcontainers/containers.go
 	go generate ./agent/agentcontainers/acmock/
 	touch "$@"
 
+coderd/httpmw/loggermock/loggermock.go: coderd/httpmw/logger.go
+	go generate ./coderd/httpmw/loggermock/
+	touch "$@"
+
 agent/agentcontainers/dcspec/dcspec_gen.go: \
 	node_modules/.installed \
 	agent/agentcontainers/dcspec/devContainer.base.schema.json \
 
@@ -190,7 +190,7 @@ func TestAgent_Stats_Magic(t *testing.T) {
 			s, ok := <-stats
 			t.Logf("got stats: ok=%t, ConnectionCount=%d, RxBytes=%d, TxBytes=%d, SessionCountVSCode=%d, ConnectionMedianLatencyMS=%f",
 				ok, s.ConnectionCount, s.RxBytes, s.TxBytes, s.SessionCountVscode, s.ConnectionMedianLatencyMs)
-			return ok && s.ConnectionCount > 0 && s.RxBytes > 0 && s.TxBytes > 0 &&
+			return ok &&
 				// Ensure that the connection didn't count as a "normal" SSH session.
 				// This was a special one, so it should be labeled specially in the stats!
 				s.SessionCountVscode == 1 &&
@@ -258,8 +258,7 @@ func TestAgent_Stats_Magic(t *testing.T) {
 			s, ok := <-stats
 			t.Logf("got stats with conn open: ok=%t, ConnectionCount=%d, SessionCountJetBrains=%d",
 				ok, s.ConnectionCount, s.SessionCountJetbrains)
-			return ok && s.ConnectionCount > 0 &&
-				s.SessionCountJetbrains == 1
+			return ok && s.SessionCountJetbrains == 1
 		}, testutil.WaitLong, testutil.IntervalFast,
 			"never saw stats with conn open",
 		)
 
@@ -102,13 +102,16 @@ func TestEnv(t *testing.T) {
 
 func TestTimeout(t *testing.T) {
 	t.Parallel()
+	if runtime.GOOS == "darwin" {
+		t.Skip("this test is flaky on macOS, see https://github.com/coder/internal/issues/329")
+	}
 	runner := setup(t, nil)
 	defer runner.Close()
 	aAPI := agenttest.NewFakeAgentAPI(t, testutil.Logger(t), nil, nil)
 	err := runner.Init([]codersdk.WorkspaceAgentScript{{
 		LogSourceID: uuid.New(),
 		Script:      "sleep infinity",
-		Timeout:     time.Millisecond,
+		Timeout:     100 * time.Millisecond,
 	}}, aAPI.ScriptCompleted)
 	require.NoError(t, err)
 	require.ErrorIs(t, runner.Execute(context.Background(), agentscripts.ExecuteAllScripts), agentscripts.ErrTimeout)
 
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/http/pprof"
 	"net/url"
@@ -491,8 +492,6 @@ func (r *RootCmd) workspaceAgent() *serpent.Command {
 }
 
 func ServeHandler(ctx context.Context, logger slog.Logger, handler http.Handler, addr, name string) (closeFunc func()) {
-	logger.Debug(ctx, "http server listening", slog.F("addr", addr), slog.F("name", name))
-
 	// ReadHeaderTimeout is purposefully not enabled. It caused some issues with
 	// websockets over the dev tunnel.
 	// See: https://github.com/coder/coder/pull/3730
@@ -502,9 +501,15 @@ func ServeHandler(ctx context.Context, logger slog.Logger, handler http.Handler,
 		Handler: handler,
 	}
 	go func() {
-		err := srv.ListenAndServe()
-		if err != nil && !xerrors.Is(err, http.ErrServerClosed) {
-			logger.Error(ctx, "http server listen", slog.F("name", name), slog.Error(err))
+		ln, err := net.Listen("tcp", addr)
+		if err != nil {
+			logger.Error(ctx, "http server listen", slog.F("name", name), slog.F("addr", addr), slog.Error(err))
+			return
+		}
+		defer ln.Close()
+		logger.Info(ctx, "http server listening", slog.F("addr", ln.Addr()), slog.F("name", name))
+		if err := srv.Serve(ln); err != nil && !xerrors.Is(err, http.ErrServerClosed) {
+			logger.Error(ctx, "http server serve", slog.F("addr", ln.Addr()), slog.F("name", name), slog.Error(err))
 		}
 	}()
 
 
@@ -356,9 +356,15 @@ func (r *RootCmd) configSSH() *serpent.Command {
 				if sshConfigOpts.disableAutostart {
 					flags += " --disable-autostart=true"
 				}
+				if coderdConfig.HostnamePrefix != "" {
+					flags += " --ssh-host-prefix " + coderdConfig.HostnamePrefix
+				}
+				if coderdConfig.HostnameSuffix != "" {
+					flags += " --hostname-suffix " + coderdConfig.HostnameSuffix
+				}
 				defaultOptions = append(defaultOptions, fmt.Sprintf(
-					"ProxyCommand %s %s ssh --stdio%s --ssh-host-prefix %s %%h",
-					escapedCoderBinary, rootFlags, flags, coderdConfig.HostnamePrefix,
+					"ProxyCommand %s %s ssh --stdio%s %%h",
+					escapedCoderBinary, rootFlags, flags,
 				))
 			}
 
@@ -391,7 +397,7 @@ func (r *RootCmd) configSSH() *serpent.Command {
 			}
 
 			hostBlock := []string{
-				"Host " + coderdConfig.HostnamePrefix + "*",
+				sshConfigHostLinePatterns(coderdConfig),
 			}
 			// Prefix with '\t'
 			for _, v := range configOptions.sshOptions {
@@ -837,3 +843,19 @@ func diffBytes(name string, b1, b2 []byte, color bool) ([]byte, error) {
 	}
 	return b, nil
 }
+
+func sshConfigHostLinePatterns(config codersdk.SSHConfigResponse) string {
+	builder := strings.Builder{}
+	// by inspection, WriteString always returns nil error
+	_, _ = builder.WriteString("Host")
+	if config.HostnamePrefix != "" {
+		_, _ = builder.WriteString(" ")
+		_, _ = builder.WriteString(config.HostnamePrefix)
+		_, _ = builder.WriteString("*")
+	}
+	if config.HostnameSuffix != "" {
+		_, _ = builder.WriteString(" *.")
+		_, _ = builder.WriteString(config.HostnameSuffix)
+	}
+	return builder.String()
+}
@@ -611,6 +611,33 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 				regexMatch: "RemoteForward 2222 192.168.11.1:2222.*\n.*RemoteForward 2223 192.168.11.1:2223",
 			},
 		},
+		{
+			name: "Hostname Suffix",
+			args: []string{
+				"--yes",
+				"--hostname-suffix", "testy",
+			},
+			wantErr:  false,
+			hasAgent: true,
+			wantConfig: wantConfig{
+				ssh:        []string{"Host coder.* *.testy"},
+				regexMatch: `ProxyCommand .* ssh .* --hostname-suffix testy %h`,
+			},
+		},
+		{
+			name: "Hostname Prefix and Suffix",
+			args: []string{
+				"--yes",
+				"--ssh-host-prefix", "presto.",
+				"--hostname-suffix", "testy",
+			},
+			wantErr:  false,
+			hasAgent: true,
+			wantConfig: wantConfig{
+				ssh:        []string{"Host presto.* *.testy"},
+				regexMatch: `ProxyCommand .* ssh .* --ssh-host-prefix presto\. --hostname-suffix testy %h`,
+			},
+		},
 	}
 	for _, tt := range tests {
 		tt := tt
 
@@ -641,7 +641,6 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				GoogleTokenValidator:        googleTokenValidator,
 				ExternalAuthConfigs:         externalAuthConfigs,
 				RealIPConfig:                realIPConfig,
-				SecureAuthCookie:            vals.SecureAuthCookie.Value(),
 				SSHKeygenAlgorithm:          sshKeygenAlgorithm,
 				TracerProvider:              tracerProvider,
 				Telemetry:                   telemetry.NewNoop(),