coder
diff --git a/‎.github/workflows/ci.yaml
+1-1 b/‎.github/workflows/ci.yaml
+1-1
diff --git a/‎.github/workflows/contrib.yaml
+1-1 b/‎.github/workflows/contrib.yaml
+1-1
diff --git a/‎.github/workflows/docker-base.yaml
+30 b/‎.github/workflows/docker-base.yaml
+30
diff --git a/‎.github/workflows/pr-auto-assign.yaml
+16 b/‎.github/workflows/pr-auto-assign.yaml
+16
diff --git a/‎.github/workflows/release.yaml
+31-1 b/‎.github/workflows/release.yaml
+31-1
diff --git a/‎.github/workflows/security.yaml
+2-2 b/‎.github/workflows/security.yaml
+2-2
diff --git a/‎.vscode/settings.json
+1 b/‎.vscode/settings.json
+1
diff --git a/‎Makefile
+3-3 b/‎Makefile
+3-3
@@ -41,7 +41,7 @@ jobs:
 
       # Check for any typos!
       - name: Check for typos
-        uses: crate-ci/typos@v1.13.9
+        uses: crate-ci/typos@v1.13.14
         with:
           config: .github/workflows/typos.toml
       - name: Fix the typos
 
@@ -33,7 +33,7 @@ jobs:
     steps:
       - name: cla
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.2.1
+        uses: contributor-assistant/github-action@v2.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # the below token should have repo scope and must be manually added by you in the repository's secret
 
@@ -53,8 +53,38 @@ jobs:
           project: wl5hnrrkns
           context: base-build-context
           file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
           pull: true
           no-cache: true
           push: true
           tags: |
             ghcr.io/coder/coder-base:latest
+
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw ghcr.io/coder/coder-base:latest) || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7
@@ -0,0 +1,16 @@
+# Filtering pull requests is much easier when we can reliably guarantee
+# that the "Assignee" field is populated.
+name: PR Auto Assign
+
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  assign-author:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: toshimaru/auto-author-assign@v1.6.2
@@ -188,12 +188,42 @@ jobs:
           project: wl5hnrrkns
           context: base-build-context
           file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
           pull: true
           no-cache: true
           push: true
           tags: |
             ${{ steps.image-base-tag.outputs.tag }}
 
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw "${{ steps.image-base-tag.outputs.tag }}") || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7
+
       - name: Build Linux Docker images
         run: |
           set -euxo pipefail
@@ -275,7 +305,7 @@ jobs:
 
       - name: Upload artifacts to actions (if dry-run)
         if: ${{ inputs.dry_run }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: release-artifacts
           path: |
 
@@ -116,7 +116,7 @@ jobs:
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252
         with:
           image-ref: ${{ steps.build.outputs.image }}
           format: sarif
@@ -130,7 +130,7 @@ jobs:
           category: "Trivy"
 
       - name: Upload Trivy scan results as an artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: trivy
           path: trivy-results.sarif
 
@@ -4,6 +4,7 @@
     "agentsdk",
     "apps",
     "ASKPASS",
+    "authcheck",
     "autostop",
     "awsidentity",
     "bodyclose",
 
@@ -424,7 +424,7 @@ gen: \
 	provisionerd/proto/provisionerd.pb.go \
 	site/src/api/typesGenerated.ts \
 	docs/admin/prometheus.md \
-	docs/cli/coder.md \
+	docs/cli.md \
 	docs/admin/audit-logs.md \
 	coderd/apidoc/swagger.json \
 	.prettierignore.include \
@@ -444,7 +444,7 @@ gen/mark-fresh:
 		provisionerd/proto/provisionerd.pb.go \
 		site/src/api/typesGenerated.ts \
 		docs/admin/prometheus.md \
-		docs/cli/coder.md \
+		docs/cli.md \
 		docs/admin/audit-logs.md \
 		coderd/apidoc/swagger.json \
 		.prettierignore.include \
@@ -500,7 +500,7 @@ docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/me
 	cd site
 	yarn run format:write:only ../docs/admin/prometheus.md
 
-docs/cli/coder.md: scripts/clidocgen/main.go $(GO_SRC_FILES) docs/manifest.json
+docs/cli.md: scripts/clidocgen/main.go $(GO_SRC_FILES) docs/manifest.json
 	rm -rf ./docs/cli/*.md
 	BASE_PATH="." go run ./scripts/clidocgen
 	cd site