diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c132fb1de9957..06041e1865d3a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -32,9 +32,36 @@ env:
 CODER_RELEASE_NOTES: ${{ inputs.release_notes }}
 jobs:
+ # Only allow maintainers/admins to release.
+ check-perms:
+ runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+ steps:
+ - name: Allow only maintainers/admins
+ uses: actions/github-script@v7.0.1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const {data} = await github.rest.repos.getCollaboratorPermissionLevel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ username: context.actor
+ });
+ const role = data.role_name || data.user?.role_name || data.permission;
+ const perms = data.user?.permissions || {};
+ core.info(`Actor ${context.actor} permission=${data.permission}, role_name=${role}`);
+
+ const allowed =
+ role === 'admin' ||
+ role === 'maintain' ||
+ perms.admin === true ||
+ perms.maintain === true;
+
+ if (!allowed) core.setFailed('Denied: requires maintain or admin');
+
 # build-dylib is a separate job to build the dylib on macOS.
 build-dylib:
 runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
+ needs: check-perms
 steps:
 # Harden Runner doesn't work on macOS.
 - name: Checkout
@@ -114,7 +141,7 @@ jobs:
 release:
 name: Build and publish
- needs: build-dylib
+ needs: [build-dylib, check-perms]
 runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
 permissions:
 # Required to publish a release
diff --git a/coderd/database/querier_test.go b/coderd/database/querier_test.go
index c964a066c58eb..0e11886765da6 100644
--- a/coderd/database/querier_test.go
+++ b/coderd/database/querier_test.go
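Review bot: The new `check-perms` job declares no `permissions:` block, so the `secrets.GITHUB_TOKEN` handed to the github-script step inherits the workflow/repository default, which may be write, while the only call it makes, `getCollaboratorPermissionLevel`, is documented as needing only metadata read; add a job-level `permissions:` with `contents: read` under `check-perms:` so a release-gating job runs with a least-privilege token. The step is also pinned by a mutable tag, `uses: actions/github-script@v7.0.1`; pin it to the full commit SHA with the version as a trailing comment, since a moved tag would run different code with the repository token in the job that decides whether a release proceeds. In `const role = data.role_name || data.user?.role_name || data.permission;` the `data.permission` fallback is documented as one of `admin`/`write`/`read`/`none`, so it can never satisfy `role === 'maintain'` and only `role_name`/`permissions.maintain` can grant maintainers; a short comment such as `# role_name is authoritative; the legacy permission field never reports 'maintain'` would save the next reader working that out. As written the gate fails closed, because a non-collaborator actor makes the API call throw and the step fails before `allowed` is evaluated.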
@@ -6009,10 +6009,10 @@ func TestUserSecretsCRUDOperations(t *testing.T) {
 // Use raw database without dbauthz wrapper for this test
 db, _ := dbtestutil.NewDB(t)
- ctx := testutil.Context(t, testutil.WaitMedium)
 t.Run("FullCRUDWorkflow", func(t *testing.T) {
 t.Parallel()
+ ctx := testutil.Context(t, testutil.WaitMedium)
 // Create a new user for this test
 testUser := dbgen.User(t, db, database.User{})
@@ -6085,6 +6085,7 @@ func TestUserSecretsCRUDOperations(t *testing.T) {
 t.Run("UniqueConstraints", func(t *testing.T) {
 t.Parallel()
+ ctx := testutil.Context(t, testutil.WaitMedium)
 // Create a new user for this test
 testUser := dbgen.User(t, db, database.User{})
@@ -6156,7 +6157,6 @@ func TestUserSecretsAuthorization(t *testing.T) {
 db, _ := dbtestutil.NewDB(t)
 authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 authDB := dbauthz.New(db, authorizer, slogtest.Make(t, &slogtest.Options{}), coderdtest.AccessControlStorePointer())
- ctx := testutil.Context(t, testutil.WaitMedium)
 // Create test users
 user1 := dbgen.User(t, db, database.User{})
@@ -6234,6 +6234,7 @@ func TestUserSecretsAuthorization(t *testing.T) {
 tc := tc // capture range variable
 t.Run(tc.name, func(t *testing.T) {
 t.Parallel()
+ ctx := testutil.Context(t, testutil.WaitMedium)
 authCtx := dbauthz.As(ctx, tc.subject)
diff --git a/docs/admin/monitoring/logs.md b/docs/admin/monitoring/logs.md
index 02e175795ae1f..8b9f5e747d5fd 100644
--- a/docs/admin/monitoring/logs.md
+++ b/docs/admin/monitoring/logs.md
@@ -17,7 +17,7 @@ machine/VM.
 options.
 - To only display certain types of logs, use the[`CODER_LOG_FILTER`](../../reference/cli/server.md#-l---log-filter) server
- config.
+ config. Using `.*` will result in the `DEBUG` log level being used.
 Events such as server errors, audit logs, user activities, and SSO & OpenID Connect logs are all captured in the `coderd` logs.