coder
diff --git a/‎.github/actions/setup-go/action.yaml
Lines changed: 27 additions & 2 deletions b/‎.github/actions/setup-go/action.yaml
Lines changed: 27 additions & 2 deletions
diff --git a/‎.github/actions/upload-datadog/action.yaml
Lines changed: 41 additions & 2 deletions b/‎.github/actions/upload-datadog/action.yaml
Lines changed: 41 additions & 2 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 15 additions & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 15 additions & 1 deletion
diff --git a/‎agent/agentssh/agentssh_test.go
Lines changed: 5 additions & 1 deletion b/‎agent/agentssh/agentssh_test.go
Lines changed: 5 additions & 1 deletion
diff --git a/‎coderd/workspaceagentsrpc_test.go
Lines changed: 1 addition & 0 deletions b/‎coderd/workspaceagentsrpc_test.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎enterprise/coderd/prebuilds/reconcile.go
Lines changed: 46 additions & 15 deletions b/‎enterprise/coderd/prebuilds/reconcile.go
Lines changed: 46 additions & 15 deletions
@@ -5,17 +5,42 @@ inputs:
   version:
     description: "The Go version to use."
     default: "1.24.2"
+  use-preinstalled-go:
+    description: "Whether to use preinstalled Go."
+    default: "false"
+  use-temp-cache-dirs:
+    description: "Whether to use temporary GOCACHE and GOMODCACHE directories."
+    default: "false"
 runs:
   using: "composite"
   steps:
+    - name: Override GOCACHE and GOMODCACHE
+      shell: bash
+      if: inputs.use-temp-cache-dirs == 'true'
+      run: |
+        # cd to another directory to ensure we're not inside a Go project.
+        # That'd trigger Go to download the toolchain for that project.
+        cd "$RUNNER_TEMP"
+        # RUNNER_TEMP should be backed by a RAM disk on Windows if
+        # coder/setup-ramdisk-action was used
+        export GOCACHE_DIR="$RUNNER_TEMP""\go-cache"
+        export GOMODCACHE_DIR="$RUNNER_TEMP""\go-mod-cache"
+        export GOPATH_DIR="$RUNNER_TEMP""\go-path"
+        mkdir -p "$GOCACHE_DIR"
+        mkdir -p "$GOMODCACHE_DIR"
+        mkdir -p "$GOPATH_DIR"
+        go env -w GOCACHE="$GOCACHE_DIR"
+        go env -w GOMODCACHE="$GOMODCACHE_DIR"
+        go env -w GOPATH="$GOPATH_DIR"
+
     - name: Setup Go
       uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
-        go-version: ${{ inputs.version }}
+        go-version: ${{ inputs.use-preinstalled-go == 'false' && inputs.version || '' }}
 
     - name: Install gotestsum
       shell: bash
-      run: go install gotest.tools/gotestsum@latest
+      run: go install gotest.tools/gotestsum@3f7ff0ec4aeb6f95f5d67c998b71f272aa8a8b41 # v1.12.1
 
     # It isn't necessary that we ever do this, but it helps
     # separate the "setup" from the "run" times.
 
@@ -10,6 +10,8 @@ runs:
   steps:
     - shell: bash
       run: |
+        set -e
+
         owner=${{ github.repository_owner	 }}
         echo "owner: $owner"
         if [[  $owner != "coder" ]]; then
@@ -21,8 +23,45 @@ runs:
           echo "No API key provided, skipping..."
           exit 0
         fi
-        npm install -g @datadog/datadog-ci@2.21.0
-        datadog-ci junit upload --service coder ./gotests.xml \
+
+        BINARY_VERSION="v2.48.0"
+        BINARY_HASH_WINDOWS="b7bebb8212403fddb1563bae84ce5e69a70dac11e35eb07a00c9ef7ac9ed65ea"
+        BINARY_HASH_MACOS="e87c808638fddb21a87a5c4584b68ba802965eb0a593d43959c81f67246bd9eb"
+        BINARY_HASH_LINUX="5e700c465728fff8313e77c2d5ba1ce19a736168735137e1ddc7c6346ed48208"
+
+        TMP_DIR=$(mktemp -d)
+
+        if [[ "${{ runner.os }}" == "Windows" ]]; then
+          BINARY_PATH="${TMP_DIR}/datadog-ci.exe"
+          BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_win-x64"
+        elif [[ "${{ runner.os }}" == "macOS" ]]; then
+          BINARY_PATH="${TMP_DIR}/datadog-ci"
+          BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_darwin-arm64"
+        elif [[ "${{ runner.os }}" == "Linux" ]]; then
+          BINARY_PATH="${TMP_DIR}/datadog-ci"
+          BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_linux-x64"
+        else
+          echo "Unsupported OS: ${{ runner.os }}"
+          exit 1
+        fi
+
+        echo "Downloading DataDog CI binary version ${BINARY_VERSION} for ${{ runner.os }}..."
+        curl -sSL "$BINARY_URL" -o "$BINARY_PATH"
+
+        if [[ "${{ runner.os }}" == "Windows" ]]; then
+          echo "$BINARY_HASH_WINDOWS  $BINARY_PATH" | sha256sum --check
+        elif [[ "${{ runner.os }}" == "macOS" ]]; then
+          echo "$BINARY_HASH_MACOS  $BINARY_PATH" | shasum -a 256 --check
+        elif [[ "${{ runner.os }}" == "Linux" ]]; then
+          echo "$BINARY_HASH_LINUX  $BINARY_PATH" | sha256sum --check
+        fi
+
+        # Make binary executable (not needed for Windows)
+        if [[ "${{ runner.os }}" != "Windows" ]]; then
+          chmod +x "$BINARY_PATH"
+        fi
+
+        "$BINARY_PATH" junit upload --service coder ./gotests.xml \
           --tags os:${{runner.os}} --tags runner_name:${{runner.name}}
       env:
         DATADOG_API_KEY: ${{ inputs.api-key }}
@@ -313,7 +313,7 @@ jobs:
         run: ./scripts/check_unstaged.sh
 
   test-go:
-    runs-on: ${{ matrix.os == 'ubuntu-latest' && github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || matrix.os == 'macos-latest' && github.repository_owner == 'coder' && 'depot-macos-latest' || matrix.os == 'windows-2022' && github.repository_owner == 'coder' && 'windows-latest-16-cores' || matrix.os }}
+    runs-on: ${{ matrix.os == 'ubuntu-latest' && github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || matrix.os == 'macos-latest' && github.repository_owner == 'coder' && 'depot-macos-latest' || matrix.os == 'windows-2022' && github.repository_owner == 'coder' && 'depot-windows-2022-16' || matrix.os }}
     needs: changes
     if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
     timeout-minutes: 20
@@ -326,17 +326,31 @@ jobs:
           - windows-2022
     steps:
       - name: Harden Runner
+        # Harden Runner is only supported on Ubuntu runners.
+        if: runner.os == 'Linux'
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
 
+      # Set up RAM disks to speed up the rest of the job. This action is in
+      # a separate repository to allow its use before actions/checkout.
+      - name: Setup RAM Disks
+        if: runner.os == 'Windows'
+        uses: coder/setup-ramdisk-action@79dacfe70c47ad6d6c0dd7f45412368802641439
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
 
       - name: Setup Go
         uses: ./.github/actions/setup-go
+        with:
+          # Runners have Go baked-in and Go will automatically
+          # download the toolchain configured in go.mod, so we don't
+          # need to reinstall it. It's faster on Windows runners.
+          use-preinstalled-go: ${{ runner.os == 'Windows' }}
+          use-temp-cache-dirs: ${{ runner.os == 'Windows' }}
 
       - name: Setup Terraform
         uses: ./.github/actions/setup-tf
 
@@ -214,7 +214,11 @@ func TestNewServer_CloseActiveConnections(t *testing.T) {
 		}
 
 		for _, ch := range waitConns {
-			<-ch
+			select {
+			case <-ctx.Done():
+				t.Fatal("timeout")
+			case <-ch:
+			}
 		}
 
 		return s, wg.Wait
 
@@ -32,6 +32,7 @@ func TestWorkspaceAgentReportStats(t *testing.T) {
 	r := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
 		OrganizationID: user.OrganizationID,
 		OwnerID:        user.UserID,
+		LastUsedAt:     dbtime.Now().Add(-time.Minute),
 	}).WithAgent().Do()
 
 	ac := agentsdk.New(client.URL)
 
@@ -40,10 +40,11 @@ type StoreReconciler struct {
 	registerer prometheus.Registerer
 	metrics    *MetricsCollector
 
-	cancelFn context.CancelCauseFunc
-	running  atomic.Bool
-	stopped  atomic.Bool
-	done     chan struct{}
+	cancelFn          context.CancelCauseFunc
+	running           atomic.Bool
+	stopped           atomic.Bool
+	done              chan struct{}
+	provisionNotifyCh chan database.ProvisionerJob
 }
 
 var _ prebuilds.ReconciliationOrchestrator = &StoreReconciler{}
@@ -56,13 +57,14 @@ func NewStoreReconciler(store database.Store,
 	registerer prometheus.Registerer,
 ) *StoreReconciler {
 	reconciler := &StoreReconciler{
-		store:      store,
-		pubsub:     ps,
-		logger:     logger,
-		cfg:        cfg,
-		clock:      clock,
-		registerer: registerer,
-		done:       make(chan struct{}, 1),
+		store:             store,
+		pubsub:            ps,
+		logger:            logger,
+		cfg:               cfg,
+		clock:             clock,
+		registerer:        registerer,
+		done:              make(chan struct{}, 1),
+		provisionNotifyCh: make(chan database.ProvisionerJob, 10),
 	}
 
 	reconciler.metrics = NewMetricsCollector(store, logger, reconciler)
@@ -100,6 +102,29 @@ func (c *StoreReconciler) Run(ctx context.Context) {
 	// NOTE: without this atomic bool, Stop might race with Run for the c.cancelFn above.
 	c.running.Store(true)
 
+	// Publish provisioning jobs outside of database transactions.
+	// A connection is held while a database transaction is active; PGPubsub also tries to acquire a new connection on
+	// Publish, so we can exhaust available connections.
+	//
+	// A single worker dequeues from the channel, which should be sufficient.
+	// If any messages are missed due to congestion or errors, provisionerdserver has a backup polling mechanism which
+	// will periodically pick up any queued jobs (see poll(time.Duration) in coderd/provisionerdserver/acquirer.go).
+	go func() {
+		for {
+			select {
+			case <-c.done:
+				return
+			case <-ctx.Done():
+				return
+			case job := <-c.provisionNotifyCh:
+				err := provisionerjobs.PostJob(c.pubsub, job)
+				if err != nil {
+					c.logger.Error(ctx, "failed to post provisioner job to pubsub", slog.Error(err))
+				}
+			}
+		}
+	}()
+
 	for {
 		select {
 		// TODO: implement pubsub listener to allow reconciling a specific template imperatively once it has been changed,
@@ -576,10 +601,16 @@ func (c *StoreReconciler) provision(
 		return xerrors.Errorf("provision workspace: %w", err)
 	}
 
-	err = provisionerjobs.PostJob(c.pubsub, *provisionerJob)
-	if err != nil {
-		// Client probably doesn't care about this error, so just log it.
-		c.logger.Error(ctx, "failed to post provisioner job to pubsub", slog.Error(err))
+	if provisionerJob == nil {
+		return nil
+	}
+
+	// Publish provisioner job event outside of transaction.
+	select {
+	case c.provisionNotifyCh <- *provisionerJob:
+	default: // channel full, drop the message; provisioner will pick this job up later with its periodic check, though.
+		c.logger.Warn(ctx, "provisioner job notification queue full, dropping",
+			slog.F("job_id", provisionerJob.ID), slog.F("prebuild_id", prebuildID.String()))
 	}
 
 	c.logger.Info(ctx, "prebuild job scheduled", slog.F("transition", transition),
Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,11 @@ func TestNewServer_CloseActiveConnections(t *testing.T) {`
`214`	`214`	`}`
`215`	`215`
`216`	`216`	`for _, ch := range waitConns {`
`217`		`- <-ch`
	`217`	`+ select {`
	`218`	`+ case <-ctx.Done():`
	`219`	`+ t.Fatal("timeout")`
	`220`	`+ case <-ch:`
	`221`	`+ }`
`218`	`222`	`}`
`219`	`223`
`220`	`224`	`return s, wg.Wait`