coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 47 additions & 0 deletions b/‎.github/workflows/scorecard.yml
Lines changed: 47 additions & 0 deletions
diff --git a/‎.github/workflows/security.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/security.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/typos.toml
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/typos.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎.vscode/settings.json
Lines changed: 23 additions & 2 deletions b/‎.vscode/settings.json
Lines changed: 23 additions & 2 deletions
diff --git a/‎Makefile
Lines changed: 18 additions & 15 deletions b/‎Makefile
Lines changed: 18 additions & 15 deletions
diff --git a/‎README.md
Lines changed: 3 additions & 0 deletions b/‎README.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎agent/agent.go
Lines changed: 7 additions & 11 deletions b/‎agent/agent.go
Lines changed: 7 additions & 11 deletions
@@ -186,7 +186,7 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@v1.24.6
+        uses: crate-ci/typos@v1.26.0
         with:
           config: .github/workflows/typos.toml
 
 
@@ -0,0 +1,47 @@
+name: OpenSSF Scorecard
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: "27 7 * * 3" # A random time to run weekly
+  push:
+    branches: ["main"]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_results: true
+
+      # Upload the results as artifacts.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+        with:
+          sarif_file: results.sarif
@@ -114,7 +114,7 @@ jobs:
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+        uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8
         with:
           image-ref: ${{ steps.build.outputs.image }}
           format: sarif
 
@@ -22,6 +22,7 @@ pn = "pn"
 EDE = "EDE"
 # HELO is an SMTP command
 HELO = "HELO"
+LKE = "LKE"
 
 [files]
 extend-exclude = [
 
@@ -6,30 +6,37 @@
 		"ASKPASS",
 		"authcheck",
 		"autostop",
+		"autoupdate",
 		"awsidentity",
 		"bodyclose",
 		"buildinfo",
 		"buildname",
+		"Caddyfile",
 		"circbuf",
 		"cliflag",
 		"cliui",
 		"codecov",
+		"codercom",
 		"coderd",
 		"coderdenttest",
 		"coderdtest",
 		"codersdk",
 		"contravariance",
 		"cronstrue",
 		"databasefake",
+		"dbcrypt",
 		"dbgen",
 		"dbmem",
 		"dbtype",
 		"DERP",
 		"derphttp",
 		"derpmap",
+		"devcontainers",
 		"devel",
 		"devtunnel",
 		"dflags",
+		"dogfood",
+		"dotfiles",
 		"drpc",
 		"drpcconn",
 		"drpcmux",
@@ -38,18 +45,22 @@
 		"embeddedpostgres",
 		"enablements",
 		"enterprisemeta",
+		"Entra",
 		"errgroup",
 		"eventsourcemock",
 		"externalauth",
 		"Failf",
 		"fatih",
+		"filebrowser",
 		"Formik",
 		"gitauth",
+		"Gitea",
 		"gitsshkey",
 		"goarch",
 		"gographviz",
 		"goleak",
 		"gonet",
+		"googleclouddns",
 		"gossh",
 		"gsyslog",
 		"GTTY",
@@ -63,9 +74,11 @@
 		"initialisms",
 		"ipnstate",
 		"isatty",
+		"jetbrains",
 		"Jobf",
 		"Keygen",
 		"kirsle",
+		"knowledgebase",
 		"Kubernetes",
 		"ldflags",
 		"magicsock",
@@ -77,6 +90,7 @@
 		"namesgenerator",
 		"namespacing",
 		"netaddr",
+		"netcheck",
 		"netip",
 		"netmap",
 		"netns",
@@ -93,13 +107,16 @@
 		"opty",
 		"paralleltest",
 		"parameterscopeid",
+		"portsharing",
 		"pqtype",
 		"prometheusmetrics",
 		"promhttp",
 		"protobuf",
 		"provisionerd",
 		"provisionerdserver",
 		"provisionersdk",
+		"psql",
+		"ptrace",
 		"ptty",
 		"ptys",
 		"ptytest",
@@ -114,6 +131,7 @@
 		"Signup",
 		"slogtest",
 		"sourcemapped",
+		"speedtest",
 		"spinbutton",
 		"Srcs",
 		"stdbuf",
@@ -154,13 +172,15 @@
 		"turnconn",
 		"typegen",
 		"typesafe",
+		"unauthenticate",
 		"unconvert",
-		"Untar",
-		"Userspace",
+		"untar",
+		"userspace",
 		"VMID",
 		"walkthrough",
 		"weblinks",
 		"webrtc",
+		"websockets",
 		"wgcfg",
 		"wgconfig",
 		"wgengine",
@@ -172,6 +192,7 @@
 		"workspaceapps",
 		"workspacebuilds",
 		"workspacename",
+		"workspaceproxies",
 		"wsjson",
 		"xerrors",
 		"xlarge",
 
@@ -495,9 +495,9 @@ gen: \
 	coderd/rbac/object_gen.go \
 	codersdk/rbacresources_gen.go \
 	site/src/api/rbacresourcesGenerated.ts \
-	docs/admin/prometheus.md \
-	docs/reference/cli/README.md \
-	docs/admin/audit-logs.md \
+	docs/admin/integrations/prometheus.md \
+	docs/reference/cli/index.md \
+	docs/admin/security/audit-logs.md \
 	coderd/apidoc/swagger.json \
 	.prettierignore.include \
 	.prettierignore \
@@ -525,9 +525,9 @@ gen/mark-fresh:
 		coderd/rbac/object_gen.go \
 		codersdk/rbacresources_gen.go \
 		site/src/api/rbacresourcesGenerated.ts \
-		docs/admin/prometheus.md \
-		docs/reference/cli/README.md \
-		docs/admin/audit-logs.md \
+		docs/admin/integrations/prometheus.md \
+		docs/reference/cli/index.md \
+		docs/admin/security/audit-logs.md \
 		coderd/apidoc/swagger.json \
 		.prettierignore.include \
 		.prettierignore \
@@ -537,7 +537,8 @@ gen/mark-fresh:
 		tailnet/tailnettest/coordinatormock.go \
 		tailnet/tailnettest/coordinateemock.go \
 		tailnet/tailnettest/multiagentmock.go \
-	"
+		"
+
 	for file in $$files; do
 		echo "$$file"
 		if [ ! -f "$$file" ]; then
@@ -629,26 +630,28 @@ coderd/rbac/object_gen.go: scripts/rbacgen/rbacobject.gotmpl scripts/rbacgen/mai
 	go run scripts/rbacgen/main.go rbac > coderd/rbac/object_gen.go
 
 codersdk/rbacresources_gen.go: scripts/rbacgen/codersdk.gotmpl scripts/rbacgen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
-	go run scripts/rbacgen/main.go codersdk > codersdk/rbacresources_gen.go
+	# Do no overwrite codersdk/rbacresources_gen.go directly, as it would make the file empty, breaking
+ 	# the `codersdk` package and any parallel build targets.
+	go run scripts/rbacgen/main.go codersdk > /tmp/rbacresources_gen.go
+	mv /tmp/rbacresources_gen.go codersdk/rbacresources_gen.go
 
 site/src/api/rbacresourcesGenerated.ts: scripts/rbacgen/codersdk.gotmpl scripts/rbacgen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
 	go run scripts/rbacgen/main.go typescript > "$@"
 
-
-docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
+docs/admin/integrations/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 	go run scripts/metricsdocgen/main.go
 	./scripts/pnpm_install.sh
-	pnpm exec prettier --write ./docs/admin/prometheus.md
+	pnpm exec prettier --write ./docs/admin/integrations/prometheus.md
 
-docs/reference/cli/README.md: scripts/clidocgen/main.go examples/examples.gen.json $(GO_SRC_FILES)
+docs/reference/cli/index.md: scripts/clidocgen/main.go examples/examples.gen.json $(GO_SRC_FILES)
 	CI=true BASE_PATH="." go run ./scripts/clidocgen
 	./scripts/pnpm_install.sh
-	pnpm exec prettier --write ./docs/reference/cli/README.md ./docs/reference/cli/*.md ./docs/manifest.json
+	pnpm exec prettier --write ./docs/reference/cli/index.md ./docs/reference/cli/*.md ./docs/manifest.json
 
-docs/admin/audit-logs.md: coderd/database/querier.go scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
+docs/admin/security/audit-logs.md: coderd/database/querier.go scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
 	go run scripts/auditdocgen/main.go
 	./scripts/pnpm_install.sh
-	pnpm exec prettier --write ./docs/admin/audit-logs.md
+	pnpm exec prettier --write ./docs/admin/security/audit-logs.md
 
 coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) $(wildcard enterprise/wsproxy/wsproxysdk/*.go) $(DB_GEN_FILES) .swaggo docs/manifest.json coderd/rbac/object_gen.go
 	./scripts/apidocgen/generate.sh
 
@@ -26,6 +26,8 @@
 [![release](https://img.shields.io/github/v/release/coder/coder)](https://github.com/coder/coder/releases/latest)
 [![godoc](https://pkg.go.dev/badge/github.com/coder/coder.svg)](https://pkg.go.dev/github.com/coder/coder)
 [![Go Report Card](https://goreportcard.com/badge/github.com/coder/coder/v2)](https://goreportcard.com/report/github.com/coder/coder/v2)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9511/badge)](https://www.bestpractices.dev/projects/9511)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/coder/coder/badge)](https://api.securityscorecards.dev/projects/github.com/coder/coder)
 [![license](https://img.shields.io/github/license/coder/coder)](./LICENSE)
 
 </div>
@@ -111,6 +113,7 @@ We are always working on new integrations. Please feel free to open an issue and
 - [**Module Registry**](https://registry.coder.com): Extend development environments with common use-cases
 - [**Kubernetes Log Stream**](https://github.com/coder/coder-logstream-kube): Stream Kubernetes Pod events to the Coder startup logs
 - [**Self-Hosted VS Code Extension Marketplace**](https://github.com/coder/code-marketplace): A private extension marketplace that works in restricted or airgapped networks integrating with [code-server](https://github.com/coder/code-server).
+- [**Setup Coder**](https://github.com/marketplace/actions/setup-coder): An action to setup coder CLI in GitHub workflows.
 
 ### Community
 
 
@@ -82,7 +82,6 @@ type Options struct {
 	SSHMaxTimeout                time.Duration
 	TailnetListenPort            uint16
 	Subsystems                   []codersdk.AgentSubsystem
-	Addresses                    []netip.Prefix
 	PrometheusRegistry           *prometheus.Registry
 	ReportMetadataInterval       time.Duration
 	ServiceBannerRefreshInterval time.Duration
@@ -180,7 +179,6 @@ func New(options Options) Agent {
 		announcementBannersRefreshInterval: options.ServiceBannerRefreshInterval,
 		sshMaxTimeout:                      options.SSHMaxTimeout,
 		subsystems:                         options.Subsystems,
-		addresses:                          options.Addresses,
 		syscaller:                          options.Syscaller,
 		modifiedProcs:                      options.ModifiedProcesses,
 		processManagementTick:              options.ProcessManagementTick,
@@ -250,7 +248,6 @@ type agent struct {
 	lifecycleLastReportedIndex int // Keeps track of the last lifecycle state we successfully reported.
 
 	network       *tailnet.Conn
-	addresses     []netip.Prefix
 	statsReporter *statsReporter
 	logSender     *agentsdk.LogSender
 
@@ -1112,15 +1109,14 @@ func (a *agent) updateCommandEnv(current []string) (updated []string, err error)
 	return updated, nil
 }
 
-func (a *agent) wireguardAddresses(agentID uuid.UUID) []netip.Prefix {
-	if len(a.addresses) == 0 {
-		return []netip.Prefix{
-			// This is the IP that should be used primarily.
-			netip.PrefixFrom(tailnet.IPFromUUID(agentID), 128),
-		}
+func (*agent) wireguardAddresses(agentID uuid.UUID) []netip.Prefix {
+	return []netip.Prefix{
+		// This is the IP that should be used primarily.
+		tailnet.TailscaleServicePrefix.PrefixFromUUID(agentID),
+		// We'll need this address for CoderVPN, but aren't using it from clients until that feature
+		// is ready
+		tailnet.CoderServicePrefix.PrefixFromUUID(agentID),
 	}
-
-	return a.addresses
 }
 
 func (a *agent) trackGoroutine(fn func()) error {