coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/docker-base.yaml
Lines changed: 60 additions & 0 deletions b/‎.github/workflows/docker-base.yaml
Lines changed: 60 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 50 additions & 15 deletions b/‎.github/workflows/release.yaml
Lines changed: 50 additions & 15 deletions
diff --git a/‎.github/workflows/security.yaml
Lines changed: 14 additions & 2 deletions b/‎.github/workflows/security.yaml
Lines changed: 14 additions & 2 deletions
diff --git a/‎.github/workflows/stale.yaml
Lines changed: 16 additions & 2 deletions b/‎.github/workflows/stale.yaml
Lines changed: 16 additions & 2 deletions
diff --git a/‎Makefile
Lines changed: 2 additions & 1 deletion b/‎Makefile
Lines changed: 2 additions & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 5 additions & 2 deletions b/‎agent/agent.go
Lines changed: 5 additions & 2 deletions
diff --git a/‎agent/agent_test.go
Lines changed: 5 additions & 5 deletions b/‎agent/agent_test.go
Lines changed: 5 additions & 5 deletions
diff --git a/‎cli/configssh_test.go
Lines changed: 2 additions & 2 deletions b/‎cli/configssh_test.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎cli/create_test.go
Lines changed: 1 addition & 1 deletion b/‎cli/create_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/delete_test.go
Lines changed: 1 addition & 1 deletion b/‎cli/delete_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/deployment/config.go
Lines changed: 19 additions & 1 deletion b/‎cli/deployment/config.go
Lines changed: 19 additions & 1 deletion
@@ -121,7 +121,8 @@ jobs:
               - 'site/**'
             k8s:
               - 'helm/**'
-              - Dockerfile
+              - scripts/Dockerfile
+              - scripts/Dockerfile.base
               - scripts/helm.sh
       - id: debug
         run: |
 
@@ -0,0 +1,60 @@
+name: docker-base
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - scripts/Dockerfile.base
+      - scripts/Dockerfile
+
+  schedule:
+    # Run every week at 09:43 on Monday, Wednesday and Friday. We build this
+    # frequently to ensure that packages are up-to-date.
+    - cron: "43 9 * * 1,3,5"
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  # Necessary to push docker images to ghcr.io.
+  packages: write
+  # Necessary for depot.dev authentication.
+  id-token: write
+
+# Avoid running multiple jobs for the same commit.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-docker-base
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'coder'
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Docker login
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create empty base-build-context directory
+        run: mkdir base-build-context
+
+      - name: Install depot.dev CLI
+        uses: depot/setup-action@v1
+
+      # This uses OIDC authentication, so no auth variables are required.
+      - name: Build base Docker image via depot.dev
+        uses: depot/build-push-action@v1
+        with:
+          project: wl5hnrrkns
+          context: base-build-context
+          file: scripts/Dockerfile.base
+          pull: true
+          no-cache: true
+          push: true
+          tags: |
+            ghcr.io/coder/coder-base:latest
@@ -112,17 +112,17 @@ jobs:
           set -euo pipefail
           wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.18.1/nfpm_amd64.deb
           sudo dpkg -i /tmp/nfpm.deb
+          rm /tmp/nfpm.deb
 
       - name: Install rcodesign
         run: |
           set -euo pipefail
-
-          # Install a prebuilt binary of rcodesign for linux amd64. Once the
-          # following PR is merged and released upstream, we can download
-          # directly from GitHub releases instead:
-          #   https://github.com/indygreg/PyOxidizer/pull/635
-          wget -O /tmp/rcodesign https://cdn.discordapp.com/attachments/283356472258199552/1016767245717872700/rcodesign
-          sudo install --mode 755 /tmp/rcodesign /usr/local/bin/rcodesign
+          wget -O /tmp/rcodesign.tar.gz https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-x86_64-unknown-linux-musl.tar.gz
+          sudo tar -xzf /tmp/rcodesign.tar.gz \
+            -C /usr/bin \
+            --strip-components=1 \
+            apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
+          rm /tmp/rcodesign.tar.gz
 
       - name: Setup Apple Developer certificate and API key
         run: |
@@ -160,6 +160,39 @@ jobs:
       - name: Delete Apple Developer certificate and API key
         run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
 
+      - name: Determine base image tag
+        id: image-base-tag
+        run: |
+          set -euo pipefail
+          if [[ "${CODER_RELEASE:-}" != *t* ]] || [[ "${CODER_DRY_RUN:-}" == *t* ]]; then
+            # Empty value means use the default and avoid building a fresh one.
+            echo "tag=" >> $GITHUB_OUTPUT
+          else
+            echo "tag=$(CODER_IMAGE_BASE=ghcr.io/coder/coder-base ./scripts/image_tag.sh)" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create empty base-build-context directory
+        if: steps.image-base-tag.outputs.tag != ''
+        run: mkdir base-build-context
+
+      - name: Install depot.dev CLI
+        if: steps.image-base-tag.outputs.tag != ''
+        uses: depot/setup-action@v1
+
+      # This uses OIDC authentication, so no auth variables are required.
+      - name: Build base Docker image via depot.dev
+        if: steps.image-base-tag.outputs.tag != ''
+        uses: depot/build-push-action@v1
+        with:
+          project: wl5hnrrkns
+          context: base-build-context
+          file: scripts/Dockerfile.base
+          pull: true
+          no-cache: true
+          push: true
+          tags: |
+            ${{ steps.image-base-tag.outputs.tag }}
+
       - name: Build Linux Docker images
         run: |
           set -euxo pipefail
@@ -188,6 +221,8 @@ jobs:
               --target "$(./scripts/image_tag.sh --version latest)" \
               $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
           fi
+        env:
+          CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }}
 
       - name: ls build
         run: ls -lh build
@@ -252,6 +287,14 @@ jobs:
             ./build/*.rpm
           retention-days: 7
 
+      - name: Start Packer builds
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
+          repository: coder/packages
+          event-type: coder-release
+          client-payload: '{"coder_version": "${{ steps.version.outputs.version }}"}'
+
   publish-winget:
     name: Publish to winget-pkgs
     runs-on: windows-latest
@@ -333,11 +376,3 @@ jobs:
           # For gh CLI. We need a real token since we're commenting on a PR in a
           # different repo.
           GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
-
-      - name: Start Packer builds
-        uses: peter-evans/repository-dispatch@v2
-        with:
-          token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
-          repository: coder/packages
-          event-type: coder-release
-          client-payload: '{"coder_version": "${{ needs.release.outputs.version }}"}'
 
@@ -96,8 +96,20 @@ jobs:
         id: build
         run: |
           set -euo pipefail
-          image_job="build/coder_$(./scripts/version.sh)_linux_amd64.tag"
-          DOCKER_IMAGE_NO_PREREQUISITES=true make -j "$image_job"
+
+          version="$(./scripts/version.sh)"
+          image_job="build/coder_${version}_linux_amd64.tag"
+
+          # This environment variable force make to not build packages and
+          # archives (which the Docker image depends on due to technical reasons
+          # related to concurrent FS writes).
+          export DOCKER_IMAGE_NO_PREREQUISITES=true
+          # This environment variables forces scripts/build_docker.sh to build
+          # the base image tag locally instead of using the cached version from
+          # the registry.
+          export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
+
+          make -j "$image_job"
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner
 
@@ -1,11 +1,11 @@
-name: Stale Issue Cron
+name: Stale Issue and Branch Cleanup
 on:
   schedule:
     # Every day at midnight
     - cron: "0 0 * * *"
   workflow_dispatch:
 jobs:
-  stale:
+  issues:
     runs-on: ubuntu-latest
     permissions:
       issues: write
@@ -32,3 +32,17 @@ jobs:
           operations-per-run: 60
           # Start with the oldest issues, always.
           ascending: true
+  branches:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Run delete-old-branches-action
+        uses: beatlabs/delete-old-branches-action@v0.0.9
+        with:
+          repo_token: ${{ github.token }}
+          date: "6 months ago"
+          dry_run: false
+          delete_tags: false
+          # extra_protected_branch_regex: ^(foo|bar)$
+          exclude_open_pr_branches: true
@@ -610,7 +610,8 @@ test-postgres-docker:
 		-c max_connections=1000 \
 		-c fsync=off \
 		-c synchronous_commit=off \
-		-c full_page_writes=off
+		-c full_page_writes=off \
+		-c log_statement=all
 	while ! pg_isready -h 127.0.0.1
 	do
 		echo "$(date) - waiting for database to start"
 
@@ -268,10 +268,13 @@ func (a *agent) run(ctx context.Context) error {
 
 		scriptDone := make(chan error, 1)
 		scriptStart := time.Now()
-		go func() {
+		err := a.trackConnGoroutine(func() {
 			defer close(scriptDone)
 			scriptDone <- a.runStartupScript(ctx, metadata.StartupScript)
-		}()
+		})
+		if err != nil {
+			return xerrors.Errorf("track startup script: %w", err)
+		}
 		go func() {
 			var timeout <-chan time.Time
 			// If timeout is zero, an older version of the coder
 
@@ -305,7 +305,7 @@ func TestAgent_TCPLocalForwarding(t *testing.T) {
 		}
 	}()
 
-	cmd := setupSSHCommand(t, []string{"-L", fmt.Sprintf("%d:127.0.0.1:%d", randomPort, remotePort)}, []string{"sleep", "10"})
+	cmd := setupSSHCommand(t, []string{"-L", fmt.Sprintf("%d:127.0.0.1:%d", randomPort, remotePort)}, []string{"sleep", "5"})
 	err = cmd.Start()
 	require.NoError(t, err)
 
@@ -372,7 +372,7 @@ func TestAgent_TCPRemoteForwarding(t *testing.T) {
 		}
 	}()
 
-	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("127.0.0.1:%d:127.0.0.1:%d", randomPort, localPort)}, []string{"sleep", "10"})
+	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("127.0.0.1:%d:127.0.0.1:%d", randomPort, localPort)}, []string{"sleep", "5"})
 	err = cmd.Start()
 	require.NoError(t, err)
 
@@ -437,7 +437,7 @@ func TestAgent_UnixLocalForwarding(t *testing.T) {
 		}
 	}()
 
-	cmd := setupSSHCommand(t, []string{"-L", fmt.Sprintf("%s:%s", localSocketPath, remoteSocketPath)}, []string{"sleep", "10"})
+	cmd := setupSSHCommand(t, []string{"-L", fmt.Sprintf("%s:%s", localSocketPath, remoteSocketPath)}, []string{"sleep", "5"})
 	err = cmd.Start()
 	require.NoError(t, err)
 
@@ -495,7 +495,7 @@ func TestAgent_UnixRemoteForwarding(t *testing.T) {
 		}
 	}()
 
-	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("%s:%s", remoteSocketPath, localSocketPath)}, []string{"sleep", "10"})
+	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("%s:%s", remoteSocketPath, localSocketPath)}, []string{"sleep", "5"})
 	err = cmd.Start()
 	require.NoError(t, err)
 
@@ -703,7 +703,7 @@ func TestAgent_Lifecycle(t *testing.T) {
 		t.Parallel()
 
 		_, client, _, _ := setupAgent(t, agentsdk.Metadata{
-			StartupScript:        "sleep 10",
+			StartupScript:        "sleep 5",
 			StartupScriptTimeout: time.Nanosecond,
 		}, 0)
 
 
@@ -532,7 +532,7 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 		{
 			name:    "Start/End out of order",
 			matches: []match{
-				//{match: "Continue?", write: "yes"},
+				// {match: "Continue?", write: "yes"},
 			},
 			writeConfig: writeConfig{
 				ssh: strings.Join([]string{
@@ -547,7 +547,7 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 		{
 			name:    "Multiple sections",
 			matches: []match{
-				//{match: "Continue?", write: "yes"},
+				// {match: "Continue?", write: "yes"},
 			},
 			writeConfig: writeConfig{
 				ssh: strings.Join([]string{
 
@@ -87,7 +87,7 @@ func TestCreate(t *testing.T) {
 		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 		cmd, root := clitest.New(t, "create", "my-workspace", "-y")
 
-		member := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+		member, _ := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
 		clitest.SetupConfig(t, member, root)
 		cmdCtx, done := context.WithTimeout(context.Background(), testutil.WaitLong)
 		go func() {
 
@@ -77,7 +77,7 @@ func TestDelete(t *testing.T) {
 		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		adminUser := coderdtest.CreateFirstUser(t, adminClient)
 		orgID := adminUser.OrganizationID
-		client := coderdtest.CreateAnotherUser(t, adminClient, orgID)
+		client, _ := coderdtest.CreateAnotherUser(t, adminClient, orgID)
 		user, err := client.User(context.Background(), codersdk.Me)
 		require.NoError(t, err)
 
 
@@ -486,7 +486,7 @@ func newConfig() *codersdk.DeploymentConfig {
 		},
 		MaxTokenLifetime: &codersdk.DeploymentConfigField[time.Duration]{
 			Name:    "Max Token Lifetime",
-			Usage:   "The maximum lifetime duration for any user creating a token.",
+			Usage:   "The maximum lifetime duration users can specify when creating an API token.",
 			Flag:    "max-token-lifetime",
 			Default: 24 * 30 * time.Hour,
 		},
@@ -538,6 +538,24 @@ func newConfig() *codersdk.DeploymentConfig {
 			Flag:    "disable-path-apps",
 			Default: false,
 		},
+		SessionDuration: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Session Duration",
+			Usage:   "The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.",
+			Flag:    "session-duration",
+			Default: 24 * time.Hour,
+		},
+		DisableSessionExpiryRefresh: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Disable Session Expiry Refresh",
+			Usage:   "Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.",
+			Flag:    "disable-session-expiry-refresh",
+			Default: false,
+		},
+		DisablePasswordAuth: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Disable Password Authentication",
+			Usage:   "Disable password authentication. This is recommended for security purposes in production deployments that rely on an identity provider. Any user with the owner role will be able to sign in with their password regardless of this setting to avoid potential lock out. If you are locked out of your account, you can use the `coder server create-admin` command to create a new admin user directly in the database.",
+			Flag:    "disable-password-auth",
+			Default: false,
+		},
 	}
 }