coder
diff --git a/‎.github/actions/install-cosign/action.yaml
Lines changed: 10 additions & 0 deletions b/‎.github/actions/install-cosign/action.yaml
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/actions/install-syft/action.yaml
Lines changed: 10 additions & 0 deletions b/‎.github/actions/install-syft/action.yaml
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 8 additions & 12 deletions b/‎.github/workflows/ci.yaml
Lines changed: 8 additions & 12 deletions
diff --git a/‎.github/workflows/docs-ci.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docs-ci.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/dogfood.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/dogfood.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yaml
Lines changed: 5 additions & 9 deletions b/‎.github/workflows/release.yaml
Lines changed: 5 additions & 9 deletions
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/scorecard.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/security.yaml
Lines changed: 10 additions & 4 deletions b/‎.github/workflows/security.yaml
Lines changed: 10 additions & 4 deletions
diff --git a/‎.github/workflows/stale.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/stale.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/weekly-docs.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/weekly-docs.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎Makefile
Lines changed: 17 additions & 3 deletions b/‎Makefile
Lines changed: 17 additions & 3 deletions
diff --git a/‎agent/agent.go
Lines changed: 4 additions & 1 deletion b/‎agent/agent.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎agent/agentcontainers/dcspec/gen.sh
Lines changed: 24 additions & 2 deletions b/‎agent/agentcontainers/dcspec/gen.sh
Lines changed: 24 additions & 2 deletions
diff --git a/‎agent/proto/resourcesmonitor/fetcher.go
Lines changed: 39 additions & 7 deletions b/‎agent/proto/resourcesmonitor/fetcher.go
Lines changed: 39 additions & 7 deletions
@@ -0,0 +1,10 @@
+name: "Install cosign"
+description: |
+  Cosign Github Action.
+runs:
+  using: "composite"
+  steps:
+    - name: Install cosign
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      with:
+        cosign-release: "v2.4.3"
@@ -0,0 +1,10 @@
+name: "Install syft"
+description: |
+  Downloads Syft to the Action tool cache and provides a reference.
+runs:
+  using: "composite"
+  steps:
+    - name: Install syft
+      uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+      with:
+        syft-version: "v1.20.0"
@@ -178,7 +178,7 @@ jobs:
           echo "LINT_CACHE_DIR=$dir" >> $GITHUB_ENV
 
       - name: golangci-lint cache
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ${{ env.LINT_CACHE_DIR }}
@@ -730,15 +730,15 @@ jobs:
 
       - name: Upload Playwright Failed Tests
         if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: failed-test-videos${{ matrix.variant.premium && '-premium' || '' }}
           path: ./site/test-results/**/*.webm
           retention-days: 7
 
       - name: Upload pprof dumps
         if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: debug-pprof-dumps${{ matrix.variant.premium && '-premium' || ''  }}
           path: ./site/test-results/**/debug-pprof-*.txt
@@ -997,7 +997,7 @@ jobs:
 
       - name: Upload build artifacts
         if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: dylibs
           path: |
@@ -1071,14 +1071,10 @@ jobs:
         run: sudo apt-get install -y zstd
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
-        with:
-          cosign-release: "v2.4.3"
+        uses: ./.github/actions/install-cosign
 
       - name: Install syft
-        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
-        with:
-          syft-version: "v1.20.0"
+        uses: ./.github/actions/install-syft
 
       - name: Setup Windows EV Signing Certificate
         run: |
@@ -1103,7 +1099,7 @@ jobs:
         uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
 
       - name: Download dylibs
-        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: dylibs
           path: ./build
@@ -1330,7 +1326,7 @@ jobs:
 
       - name: Upload build artifacts
         if: github.ref == 'refs/heads/main'
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: coder
           path: |
 
@@ -28,7 +28,7 @@ jobs:
       - name: Setup Node
         uses: ./.github/actions/setup-node
 
-      - uses: tj-actions/changed-files@531f5f7d163941f0c1c04e0ff4d8bb243ac4366f # v45.0.7
+      - uses: tj-actions/changed-files@27ae6b33eaed7bf87272fdeb9f1c54f9facc9d99 # v45.0.7
         id: changed-files
         with:
           files: |
 
@@ -58,7 +58,7 @@ jobs:
 
       - name: Get branch name
         id: branch-name
-        uses: tj-actions/branch-names@6871f53176ad61624f978536bbf089c574dc19a2 # v8.0.1
+        uses: tj-actions/branch-names@f44339b51f74753b57583fbbd124e18a81170ab1 # v8.1.0
 
       - name: "Branch name to Docker tag name"
         id: docker-tag-name
 
@@ -101,7 +101,7 @@ jobs:
           AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: dylibs
           path: |
@@ -251,14 +251,10 @@ jobs:
           rm /tmp/rcodesign.tar.gz
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
-        with:
-          cosign-release: "v2.4.3"
+        uses: ./.github/actions/install-cosign
 
       - name: Install syft
-        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
-        with:
-          syft-version: "v1.20.0"
+        uses: ./.github/actions/install-syft
 
       - name: Setup Apple Developer certificate and API key
         run: |
@@ -300,7 +296,7 @@ jobs:
         uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
 
       - name: Download dylibs
-        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: dylibs
           path: ./build
@@ -661,7 +657,7 @@ jobs:
 
       - name: Upload artifacts to actions (if dry-run)
         if: ${{ inputs.dry_run }}
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: release-artifacts
           path: |
 
@@ -39,14 +39,14 @@ jobs:
 
       # Upload the results as artifacts.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+        uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
         with:
           sarif_file: results.sarif
@@ -38,7 +38,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+        uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
         with:
           languages: go, javascript
 
@@ -48,7 +48,7 @@ jobs:
           rm Makefile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+        uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
 
       - name: Send Slack notification on failure
         if: ${{ failure() }}
@@ -85,6 +85,12 @@ jobs:
       - name: Setup sqlc
         uses: ./.github/actions/setup-sqlc
 
+      - name: Install cosign
+        uses: ./.github/actions/install-cosign
+
+      - name: Install syft
+        uses: ./.github/actions/install-syft
+
       - name: Install yq
         run: go run github.com/mikefarah/yq/v4@v4.44.3
       - name: Install mockgen
@@ -144,13 +150,13 @@ jobs:
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+        uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
         with:
           sarif_file: trivy-results.sarif
           category: "Trivy"
 
       - name: Upload Trivy scan results as an artifact
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: trivy
           path: trivy-results.sarif
 
@@ -103,7 +103,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run delete-old-branches-action
-        uses: beatlabs/delete-old-branches-action@6e94df089372a619c01ae2c2f666bf474f890911 # v0.0.10
+        uses: beatlabs/delete-old-branches-action@4eeeb8740ff8b3cb310296ddd6b43c3387734588 # v0.0.11
         with:
           repo_token: ${{ github.token }}
           date: "6 months ago"
 
@@ -29,7 +29,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Check Markdown links
-        uses: umbrelladocs/action-linkspector@de84085e0f51452a470558693d7d308fbb2fa261 # v1.2.5
+        uses: umbrelladocs/action-linkspector@49cf4f8da82db70e691bb8284053add5028fa244 # v1.3.2
         id: markdown-link-check
         # checks all markdown files from /docs including all subfolders
         with:
 
@@ -54,6 +54,16 @@ FIND_EXCLUSIONS= \
 	-not \( \( -path '*/.git/*' -o -path './build/*' -o -path './vendor/*' -o -path './.coderv2/*' -o -path '*/node_modules/*' -o -path '*/out/*' -o -path './coderd/apidoc/*' -o -path '*/.next/*' -o -path '*/.terraform/*' \) -prune \)
 # Source files used for make targets, evaluated on use.
 GO_SRC_FILES := $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.go' -not -name '*_test.go')
+# Same as GO_SRC_FILES but excluding certain files that have problematic
+# Makefile dependencies (e.g. pnpm).
+MOST_GO_SRC_FILES := $(shell \
+	find . \
+		$(FIND_EXCLUSIONS) \
+		-type f \
+		-name '*.go' \
+		-not -name '*_test.go' \
+		-not -wholename './agent/agentcontainers/dcspec/dcspec_gen.go' \
+)
 # All the shell files in the repo, excluding ignored files.
 SHELL_SRC_FILES := $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.sh')
 
@@ -243,7 +253,7 @@ $(CODER_ALL_BINARIES): go.mod go.sum \
 	fi
 
 # This task builds Coder Desktop dylibs
-$(CODER_DYLIBS): go.mod go.sum $(GO_SRC_FILES)
+$(CODER_DYLIBS): go.mod go.sum $(MOST_GO_SRC_FILES)
 	@if [ "$(shell uname)" = "Darwin" ]; then
 		$(get-mode-os-arch-ext)
 		./scripts/build_go.sh \
@@ -659,8 +669,12 @@ agent/agentcontainers/acmock/acmock.go: agent/agentcontainers/containers.go
 	go generate ./agent/agentcontainers/acmock/
 	touch "$@"
 
-agent/agentcontainers/dcspec/dcspec_gen.go: agent/agentcontainers/dcspec/devContainer.base.schema.json
-	go generate ./agent/agentcontainers/dcspec/
+agent/agentcontainers/dcspec/dcspec_gen.go: \
+	node_modules/.installed \
+	agent/agentcontainers/dcspec/devContainer.base.schema.json \
+	agent/agentcontainers/dcspec/gen.sh \
+	agent/agentcontainers/dcspec/doc.go
+	DCSPEC_QUIET=true go generate ./agent/agentcontainers/dcspec/
 	touch "$@"
 
 $(TAILNETTEST_MOCKS): tailnet/coordinator.go tailnet/service.go
 
@@ -965,7 +965,10 @@ func (a *agent) run() (retErr error) {
 		if err != nil {
 			return xerrors.Errorf("failed to create resources fetcher: %w", err)
 		}
-		resourcesFetcher := resourcesmonitor.NewFetcher(statfetcher)
+		resourcesFetcher, err := resourcesmonitor.NewFetcher(statfetcher)
+		if err != nil {
+			return xerrors.Errorf("new resource fetcher: %w", err)
+		}
 
 		resourcesmonitor := resourcesmonitor.NewResourcesMonitor(logger, clk, config, resourcesFetcher, aAPI)
 		return resourcesmonitor.Start(ctx)
 
@@ -30,14 +30,36 @@ fi
 
 TMPDIR=$(mktemp -d)
 trap 'rm -rfv "$TMPDIR"' EXIT
-pnpm exec quicktype \
+
+show_stderr=1
+exec 3>&2
+if [[ " $* " == *" --quiet "* ]] || [[ ${DCSPEC_QUIET:-false} == "true" ]]; then
+	# Redirect stderr to log because quicktype can't infer all types and
+	# we don't care right now.
+	show_stderr=0
+	exec 2>"${TMPDIR}/stderr.log"
+fi
+
+if ! pnpm exec quicktype \
 	--src-lang schema \
 	--lang go \
 	--just-types-and-package \
 	--top-level "DevContainer" \
 	--out "${TMPDIR}/${DEST_FILENAME}" \
 	--package "dcspec" \
-	"${SCHEMA_DEST}"
+	"${SCHEMA_DEST}"; then
+	echo "quicktype failed to generate Go code." >&3
+	if [[ "${show_stderr}" -eq 1 ]]; then
+		cat "${TMPDIR}/stderr.log" >&3
+	fi
+	exit 1
+fi
+
+if [[ "${show_stderr}" -eq 0 ]]; then
+	# Restore stderr.
+	exec 2>&3
+fi
+exec 3>&-
 
 # Format the generated code.
 go run mvdan.cc/gofumpt@v0.4.0 -w -l "${TMPDIR}/${DEST_FILENAME}"
 
@@ -6,26 +6,58 @@ import (
 	"github.com/coder/coder/v2/cli/clistat"
 )
 
+type Statter interface {
+	IsContainerized() (bool, error)
+	ContainerMemory(p clistat.Prefix) (*clistat.Result, error)
+	HostMemory(p clistat.Prefix) (*clistat.Result, error)
+	Disk(p clistat.Prefix, path string) (*clistat.Result, error)
+}
+
 type Fetcher interface {
 	FetchMemory() (total int64, used int64, err error)
 	FetchVolume(volume string) (total int64, used int64, err error)
 }
 
 type fetcher struct {
-	*clistat.Statter
+	Statter
+	isContainerized bool
 }
 
 //nolint:revive
-func NewFetcher(f *clistat.Statter) *fetcher {
-	return &fetcher{
-		f,
+func NewFetcher(f Statter) (*fetcher, error) {
+	isContainerized, err := f.IsContainerized()
+	if err != nil {
+		return nil, xerrors.Errorf("check is containerized: %w", err)
 	}
+
+	return &fetcher{f, isContainerized}, nil
 }
 
 func (f *fetcher) FetchMemory() (total int64, used int64, err error) {
-	mem, err := f.HostMemory(clistat.PrefixDefault)
-	if err != nil {
-		return 0, 0, xerrors.Errorf("failed to fetch memory: %w", err)
+	var mem *clistat.Result
+
+	if f.isContainerized {
+		mem, err = f.ContainerMemory(clistat.PrefixDefault)
+		if err != nil {
+			return 0, 0, xerrors.Errorf("fetch container memory: %w", err)
+		}
+
+		// A container might not have a memory limit set. If this
+		// happens we want to fallback to querying the host's memory
+		// to know what the total memory is on the host.
+		if mem.Total == nil {
+			hostMem, err := f.HostMemory(clistat.PrefixDefault)
+			if err != nil {
+				return 0, 0, xerrors.Errorf("fetch host memory: %w", err)
+			}
+
+			mem.Total = hostMem.Total
+		}
+	} else {
+		mem, err = f.HostMemory(clistat.PrefixDefault)
+		if err != nil {
+			return 0, 0, xerrors.Errorf("fetch host memory: %w", err)
+		}
 	}
 
 	if mem.Total == nil {