coder
diff --git a/‎.github/actions/setup-go/action.yaml
Lines changed: 27 additions & 2 deletions b/‎.github/actions/setup-go/action.yaml
Lines changed: 27 additions & 2 deletions
diff --git a/‎.github/actions/upload-datadog/action.yaml
Lines changed: 41 additions & 2 deletions b/‎.github/actions/upload-datadog/action.yaml
Lines changed: 41 additions & 2 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 15 additions & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 15 additions & 1 deletion
diff --git a/‎cli/server.go
Lines changed: 89 additions & 0 deletions b/‎cli/server.go
Lines changed: 89 additions & 0 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 3 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 3 additions & 0 deletions
@@ -5,17 +5,42 @@ inputs:
   version:
     description: "The Go version to use."
     default: "1.24.2"
+  use-preinstalled-go:
+    description: "Whether to use preinstalled Go."
+    default: "false"
+  use-temp-cache-dirs:
+    description: "Whether to use temporary GOCACHE and GOMODCACHE directories."
+    default: "false"
 runs:
   using: "composite"
   steps:
+    - name: Override GOCACHE and GOMODCACHE
+      shell: bash
+      if: inputs.use-temp-cache-dirs == 'true'
+      run: |
+        # cd to another directory to ensure we're not inside a Go project.
+        # That'd trigger Go to download the toolchain for that project.
+        cd "$RUNNER_TEMP"
+        # RUNNER_TEMP should be backed by a RAM disk on Windows if
+        # coder/setup-ramdisk-action was used
+        export GOCACHE_DIR="$RUNNER_TEMP""\go-cache"
+        export GOMODCACHE_DIR="$RUNNER_TEMP""\go-mod-cache"
+        export GOPATH_DIR="$RUNNER_TEMP""\go-path"
+        mkdir -p "$GOCACHE_DIR"
+        mkdir -p "$GOMODCACHE_DIR"
+        mkdir -p "$GOPATH_DIR"
+        go env -w GOCACHE="$GOCACHE_DIR"
+        go env -w GOMODCACHE="$GOMODCACHE_DIR"
+        go env -w GOPATH="$GOPATH_DIR"
+
     - name: Setup Go
       uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
-        go-version: ${{ inputs.version }}
+        go-version: ${{ inputs.use-preinstalled-go == 'false' && inputs.version || '' }}
 
     - name: Install gotestsum
       shell: bash
-      run: go install gotest.tools/gotestsum@latest
+      run: go install gotest.tools/gotestsum@3f7ff0ec4aeb6f95f5d67c998b71f272aa8a8b41 # v1.12.1
 
     # It isn't necessary that we ever do this, but it helps
     # separate the "setup" from the "run" times.
 
@@ -10,6 +10,8 @@ runs:
   steps:
     - shell: bash
       run: |
+        set -e
+
         owner=${{ github.repository_owner	 }}
         echo "owner: $owner"
         if [[  $owner != "coder" ]]; then
@@ -21,8 +23,45 @@ runs:
           echo "No API key provided, skipping..."
           exit 0
         fi
-        npm install -g @datadog/datadog-ci@2.21.0
-        datadog-ci junit upload --service coder ./gotests.xml \
+
+        BINARY_VERSION="v2.48.0"
+        BINARY_HASH_WINDOWS="b7bebb8212403fddb1563bae84ce5e69a70dac11e35eb07a00c9ef7ac9ed65ea"
+        BINARY_HASH_MACOS="e87c808638fddb21a87a5c4584b68ba802965eb0a593d43959c81f67246bd9eb"
+        BINARY_HASH_LINUX="5e700c465728fff8313e77c2d5ba1ce19a736168735137e1ddc7c6346ed48208"
+
+        TMP_DIR=$(mktemp -d)
+
+        if [[ "${{ runner.os }}" == "Windows" ]]; then
+          BINARY_PATH="${TMP_DIR}/datadog-ci.exe"
+          BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_win-x64"
+        elif [[ "${{ runner.os }}" == "macOS" ]]; then
+          BINARY_PATH="${TMP_DIR}/datadog-ci"
+          BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_darwin-arm64"
+        elif [[ "${{ runner.os }}" == "Linux" ]]; then
+          BINARY_PATH="${TMP_DIR}/datadog-ci"
+          BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_linux-x64"
+        else
+          echo "Unsupported OS: ${{ runner.os }}"
+          exit 1
+        fi
+
+        echo "Downloading DataDog CI binary version ${BINARY_VERSION} for ${{ runner.os }}..."
+        curl -sSL "$BINARY_URL" -o "$BINARY_PATH"
+
+        if [[ "${{ runner.os }}" == "Windows" ]]; then
+          echo "$BINARY_HASH_WINDOWS  $BINARY_PATH" | sha256sum --check
+        elif [[ "${{ runner.os }}" == "macOS" ]]; then
+          echo "$BINARY_HASH_MACOS  $BINARY_PATH" | shasum -a 256 --check
+        elif [[ "${{ runner.os }}" == "Linux" ]]; then
+          echo "$BINARY_HASH_LINUX  $BINARY_PATH" | sha256sum --check
+        fi
+
+        # Make binary executable (not needed for Windows)
+        if [[ "${{ runner.os }}" != "Windows" ]]; then
+          chmod +x "$BINARY_PATH"
+        fi
+
+        "$BINARY_PATH" junit upload --service coder ./gotests.xml \
           --tags os:${{runner.os}} --tags runner_name:${{runner.name}}
       env:
         DATADOG_API_KEY: ${{ inputs.api-key }}
@@ -313,7 +313,7 @@ jobs:
         run: ./scripts/check_unstaged.sh
 
   test-go:
-    runs-on: ${{ matrix.os == 'ubuntu-latest' && github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || matrix.os == 'macos-latest' && github.repository_owner == 'coder' && 'depot-macos-latest' || matrix.os == 'windows-2022' && github.repository_owner == 'coder' && 'windows-latest-16-cores' || matrix.os }}
+    runs-on: ${{ matrix.os == 'ubuntu-latest' && github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || matrix.os == 'macos-latest' && github.repository_owner == 'coder' && 'depot-macos-latest' || matrix.os == 'windows-2022' && github.repository_owner == 'coder' && 'depot-windows-2022-16' || matrix.os }}
     needs: changes
     if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     timeout-minutes: 20
@@ -326,17 +326,31 @@ jobs:
           - windows-2022
     steps:
       - name: Harden Runner
+        # Harden Runner is only supported on Ubuntu runners.
+        if: runner.os == 'Linux'
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
 
+      # Set up RAM disks to speed up the rest of the job. This action is in
+      # a separate repository to allow its use before actions/checkout.
+      - name: Setup RAM Disks
+        if: runner.os == 'Windows'
+        uses: coder/setup-ramdisk-action@79dacfe70c47ad6d6c0dd7f45412368802641439
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
 
       - name: Setup Go
         uses: ./.github/actions/setup-go
+        with:
+          # Runners have Go baked-in and Go will automatically
+          # download the toolchain configured in go.mod, so we don't
+          # need to reinstall it. It's faster on Windows runners.
+          use-preinstalled-go: ${{ runner.os == 'Windows' }}
+          use-temp-cache-dirs: ${{ runner.os == 'Windows' }}
 
       - name: Setup Terraform
         uses: ./.github/actions/setup-tf
 
@@ -61,6 +61,7 @@ import (
 	"github.com/coder/serpent"
 	"github.com/coder/wgtunnel/tunnelsdk"
 
+	"github.com/coder/coder/v2/coderd/ai"
 	"github.com/coder/coder/v2/coderd/entitlements"
 	"github.com/coder/coder/v2/coderd/notifications/reports"
 	"github.com/coder/coder/v2/coderd/runtimeconfig"
@@ -610,6 +611,22 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				)
 			}
 
+			aiProviders, err := ReadAIProvidersFromEnv(os.Environ())
+			if err != nil {
+				return xerrors.Errorf("read ai providers from env: %w", err)
+			}
+			vals.AI.Value.Providers = append(vals.AI.Value.Providers, aiProviders...)
+			for _, provider := range aiProviders {
+				logger.Debug(
+					ctx, "loaded ai provider",
+					slog.F("type", provider.Type),
+				)
+			}
+			languageModels, err := ai.ModelsFromConfig(ctx, vals.AI.Value.Providers)
+			if err != nil {
+				return xerrors.Errorf("create language models: %w", err)
+			}
+
 			realIPConfig, err := httpmw.ParseRealIPConfig(vals.ProxyTrustedHeaders, vals.ProxyTrustedOrigins)
 			if err != nil {
 				return xerrors.Errorf("parse real ip config: %w", err)
@@ -640,6 +657,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				CacheDir:                    cacheDir,
 				GoogleTokenValidator:        googleTokenValidator,
 				ExternalAuthConfigs:         externalAuthConfigs,
+				LanguageModels:              languageModels,
 				RealIPConfig:                realIPConfig,
 				SSHKeygenAlgorithm:          sshKeygenAlgorithm,
 				TracerProvider:              tracerProvider,
@@ -2621,6 +2639,77 @@ func redirectHTTPToHTTPSDeprecation(ctx context.Context, logger slog.Logger, inv
 	}
 }
 
+func ReadAIProvidersFromEnv(environ []string) ([]codersdk.AIProviderConfig, error) {
+	// The index numbers must be in-order.
+	sort.Strings(environ)
+
+	var providers []codersdk.AIProviderConfig
+	for _, v := range serpent.ParseEnviron(environ, "CODER_AI_PROVIDER_") {
+		tokens := strings.SplitN(v.Name, "_", 2)
+		if len(tokens) != 2 {
+			return nil, xerrors.Errorf("invalid env var: %s", v.Name)
+		}
+
+		providerNum, err := strconv.Atoi(tokens[0])
+		if err != nil {
+			return nil, xerrors.Errorf("parse number: %s", v.Name)
+		}
+
+		var provider codersdk.AIProviderConfig
+		switch {
+		case len(providers) < providerNum:
+			return nil, xerrors.Errorf(
+				"provider num %v skipped: %s",
+				len(providers),
+				v.Name,
+			)
+		case len(providers) == providerNum:
+			// At the next next provider.
+			providers = append(providers, provider)
+		case len(providers) == providerNum+1:
+			// At the current provider.
+			provider = providers[providerNum]
+		}
+
+		key := tokens[1]
+		switch key {
+		case "TYPE":
+			provider.Type = v.Value
+		case "API_KEY":
+			provider.APIKey = v.Value
+		case "BASE_URL":
+			provider.BaseURL = v.Value
+		case "MODELS":
+			provider.Models = strings.Split(v.Value, ",")
+		}
+		providers[providerNum] = provider
+	}
+	for _, envVar := range environ {
+		tokens := strings.SplitN(envVar, "=", 2)
+		if len(tokens) != 2 {
+			continue
+		}
+		switch tokens[0] {
+		case "OPENAI_API_KEY":
+			providers = append(providers, codersdk.AIProviderConfig{
+				Type:   "openai",
+				APIKey: tokens[1],
+			})
+		case "ANTHROPIC_API_KEY":
+			providers = append(providers, codersdk.AIProviderConfig{
+				Type:   "anthropic",
+				APIKey: tokens[1],
+			})
+		case "GOOGLE_API_KEY":
+			providers = append(providers, codersdk.AIProviderConfig{
+				Type:   "google",
+				APIKey: tokens[1],
+			})
+		}
+	}
+	return providers, nil
+}
+
 // ReadExternalAuthProvidersFromEnv is provided for compatibility purposes with
 // the viper CLI.
 func ReadExternalAuthProvidersFromEnv(environ []string) ([]codersdk.ExternalAuthConfig, error) {
 
@@ -519,6 +519,9 @@ client:
 # Support links to display in the top right drop down menu.
 # (default: <unset>, type: struct[[]codersdk.LinkConfig])
 supportLinks: []
+# Configure AI providers.
+# (default: <unset>, type: struct[codersdk.AIConfig])
+ai: {}
 # External Authentication providers.
 # (default: <unset>, type: struct[[]codersdk.ExternalAuthConfig])
 externalAuthProviders: []