jango-blockchained · pull · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -32,9 +32,36 @@ env:
   CODER_RELEASE_NOTES: ${{ inputs.release_notes }}
 
 jobs:
+  # Only allow maintainers/admins to release.
+  check-perms:
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    steps:
+      - name: Allow only maintainers/admins
+        uses: actions/github-script@v7.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const {data} = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: context.actor
+            });
+            const role = data.role_name || data.user?.role_name || data.permission;
+            const perms = data.user?.permissions || {};
+            core.info(`Actor ${context.actor} permission=${data.permission}, role_name=${role}`);
+
+            const allowed =
+              role === 'admin' ||
+              role === 'maintain' ||
+              perms.admin === true ||
+              perms.maintain === true;
+
+            if (!allowed) core.setFailed('Denied: requires maintain or admin');
+
   # build-dylib is a separate job to build the dylib on macOS.
   build-dylib:
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
+    needs: check-perms
     steps:
       # Harden Runner doesn't work on macOS.
       - name: Checkout
@@ -114,7 +141,7 @@ jobs:
 
   release:
     name: Build and publish
-    needs: build-dylib
+    needs: [build-dylib, check-perms]
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
     permissions:
       # Required to publish a release

diff --git a/coderd/database/querier_test.go b/coderd/database/querier_test.go
@@ -6009,10 +6009,10 @@ func TestUserSecretsCRUDOperations(t *testing.T) {
 
 	// Use raw database without dbauthz wrapper for this test
 	db, _ := dbtestutil.NewDB(t)
-	ctx := testutil.Context(t, testutil.WaitMedium)
 
 	t.Run("FullCRUDWorkflow", func(t *testing.T) {
 		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitMedium)
 
 		// Create a new user for this test
 		testUser := dbgen.User(t, db, database.User{})
@@ -6085,6 +6085,7 @@ func TestUserSecretsCRUDOperations(t *testing.T) {
 
 	t.Run("UniqueConstraints", func(t *testing.T) {
 		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitMedium)
 
 		// Create a new user for this test
 		testUser := dbgen.User(t, db, database.User{})
@@ -6156,7 +6157,6 @@ func TestUserSecretsAuthorization(t *testing.T) {
 	db, _ := dbtestutil.NewDB(t)
 	authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 	authDB := dbauthz.New(db, authorizer, slogtest.Make(t, &slogtest.Options{}), coderdtest.AccessControlStorePointer())
-	ctx := testutil.Context(t, testutil.WaitMedium)
 
 	// Create test users
 	user1 := dbgen.User(t, db, database.User{})
@@ -6234,6 +6234,7 @@ func TestUserSecretsAuthorization(t *testing.T) {
 		tc := tc // capture range variable
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
+			ctx := testutil.Context(t, testutil.WaitMedium)
 
 			authCtx := dbauthz.As(ctx, tc.subject)
 

diff --git a/docs/admin/monitoring/logs.md b/docs/admin/monitoring/logs.md
@@ -17,7 +17,7 @@ machine/VM.
   options.
 - To only display certain types of logs, use
   the[`CODER_LOG_FILTER`](../../reference/cli/server.md#-l---log-filter) server
-  config.
+  config. Using `.*` will result in the `DEBUG` log level being used.
 
 Events such as server errors, audit logs, user activities, and SSO & OpenID
 Connect logs are all captured in the `coderd` logs.