fix: add exp backoff to validate fresh git auth tokens (#8956 )

A customer using GitHub in Australia reported that validating immediately after refreshing the token would intermittently fail with a 401. Waiting a few milliseconds with the exact same token on the exact same request would resolve the issue. It seems likely that the write is not propagating to the read replica in time.
chore: fix release and security pipelines
2023-08-08 05:09:28 +00:00 · 2023-08-03 23:36:22 +00:00
9633 changed files with 218110 additions and 703356 deletions
@@ -1,218 +0,0 @@
-# Database Development Patterns
-
-## Database Work Overview
-
-### Database Generation Process
-
-1. Modify SQL files in `coderd/database/queries/`
-2. Run `make gen`
-3. If errors about audit table, update `enterprise/audit/table.go`
-4. Run `make gen` again
-5. Run `make lint` to catch any remaining issues
-
-## Migration Guidelines
-
-### Creating Migration Files
-
-**Location**: `coderd/database/migrations/`
-**Format**: `{number}_{description}.{up|down}.sql`
-
- Number must be unique and sequential
- Always include both up and down migrations
-
-### Helper Scripts
-
-| Script                                                              | Purpose                                 |
-|---------------------------------------------------------------------|-----------------------------------------|
-| `./coderd/database/migrations/create_migration.sh "migration name"` | Creates new migration files             |
-| `./coderd/database/migrations/fix_migration_numbers.sh`             | Renumbers migrations to avoid conflicts |
-| `./coderd/database/migrations/create_fixture.sh "fixture name"`     | Creates test fixtures for migrations    |
-
-### Database Query Organization
-
- **MUST DO**: Any changes to database - adding queries, modifying queries should be done in the `coderd/database/queries/*.sql` files
- **MUST DO**: Queries are grouped in files relating to context - e.g. `prebuilds.sql`, `users.sql`, `oauth2.sql`
- After making changes to any `coderd/database/queries/*.sql` files you must run `make gen` to generate respective ORM changes
-
-## Handling Nullable Fields
-
-Use `sql.NullString`, `sql.NullBool`, etc. for optional database fields:
-
-```go
-CodeChallenge: sql.NullString{
-    String: params.codeChallenge,
-    Valid:  params.codeChallenge != "",
-}
-```
-
-Set `.Valid = true` when providing values.
-
-## Audit Table Updates
-
-If adding fields to auditable types:
-
-1. Update `enterprise/audit/table.go`
-2. Add each new field with appropriate action:
-   - `ActionTrack`: Field should be tracked in audit logs
-   - `ActionIgnore`: Field should be ignored in audit logs
-   - `ActionSecret`: Field contains sensitive data
-3. Run `make gen` to verify no audit errors
-
-## Database Architecture
-
-### Core Components
-
- **PostgreSQL 13+** recommended for production
- **Migrations** managed with `migrate`
- **Database authorization** through `dbauthz` package
-
-### Authorization Patterns
-
-```go
-// Public endpoints needing system access (OAuth2 registration)
-app, err := api.Database.GetOAuth2ProviderAppByClientID(dbauthz.AsSystemRestricted(ctx), clientID)
-
-// Authenticated endpoints with user context
-app, err := api.Database.GetOAuth2ProviderAppByClientID(ctx, clientID)
-
-// System operations in middleware
-roles, err := db.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), userID)
-```
-
-## Common Database Issues
-
-### Migration Issues
-
-1. **Migration conflicts**: Use `fix_migration_numbers.sh` to renumber
-2. **Missing down migration**: Always create both up and down files
-3. **Schema inconsistencies**: Verify against existing schema
-
-### Field Handling Issues
-
-1. **Nullable field errors**: Use `sql.Null*` types consistently
-2. **Missing audit entries**: Update `enterprise/audit/table.go`
-
-### Query Issues
-
-1. **Query organization**: Group related queries in appropriate files
-2. **Generated code errors**: Run `make gen` after query changes
-3. **Performance issues**: Add appropriate indexes in migrations
-
-## Database Testing
-
-### Test Database Setup
-
-```go
-func TestDatabaseFunction(t *testing.T) {
-    db := dbtestutil.NewDB(t)
-
-    // Test with real database
-    result, err := db.GetSomething(ctx, param)
-    require.NoError(t, err)
-    require.Equal(t, expected, result)
-}
-```
-
-## Best Practices
-
-### Schema Design
-
-1. **Use appropriate data types**: VARCHAR for strings, TIMESTAMP for times
-2. **Add constraints**: NOT NULL, UNIQUE, FOREIGN KEY as appropriate
-3. **Create indexes**: For frequently queried columns
-4. **Consider performance**: Normalize appropriately but avoid over-normalization
-
-### Query Writing
-
-1. **Use parameterized queries**: Prevent SQL injection
-2. **Handle errors appropriately**: Check for specific error types
-3. **Use transactions**: For related operations that must succeed together
-4. **Optimize queries**: Use EXPLAIN to understand query performance
-
-### Migration Writing
-
-1. **Make migrations reversible**: Always include down migration
-2. **Test migrations**: On copy of production data if possible
-3. **Keep migrations small**: One logical change per migration
-4. **Document complex changes**: Add comments explaining rationale
-
-## Advanced Patterns
-
-### Complex Queries
-
-```sql
-- Example: Complex join with aggregation
-SELECT
-    u.id,
-    u.username,
-    COUNT(w.id) as workspace_count
-FROM users u
-LEFT JOIN workspaces w ON u.id = w.owner_id
-WHERE u.created_at > $1
-GROUP BY u.id, u.username
-ORDER BY workspace_count DESC;
-```
-
-### Conditional Queries
-
-```sql
-- Example: Dynamic filtering
-SELECT * FROM oauth2_provider_apps
-WHERE
-    ($1::text IS NULL OR name ILIKE '%' || $1 || '%')
-    AND ($2::uuid IS NULL OR organization_id = $2)
-ORDER BY created_at DESC;
-```
-
-### Audit Patterns
-
-```go
-// Example: Auditable database operation
-func (q *sqlQuerier) UpdateUser(ctx context.Context, arg UpdateUserParams) (User, error) {
-    // Implementation here
-
-    // Audit the change
-    if auditor := audit.FromContext(ctx); auditor != nil {
-        auditor.Record(audit.UserUpdate{
-            UserID: arg.ID,
-            Old:    oldUser,
-            New:    newUser,
-        })
-    }
-
-    return newUser, nil
-}
-```
-
-## Debugging Database Issues
-
-### Common Debug Commands
-
-```bash
-# Check database connection
-make test-postgres
-
-# Run specific database tests
-go test ./coderd/database/... -run TestSpecificFunction
-
-# Check query generation
-make gen
-
-# Verify audit table
-make lint
-```
-
-### Debug Techniques
-
-1. **Enable query logging**: Set appropriate log levels
-2. **Use database tools**: pgAdmin, psql for direct inspection
-3. **Check constraints**: UNIQUE, FOREIGN KEY violations
-4. **Analyze performance**: Use EXPLAIN ANALYZE for slow queries
-
-### Troubleshooting Checklist
-
- [ ] Migration files exist (both up and down)
- [ ] `make gen` run after query changes
- [ ] Audit table updated for new fields
- [ ] Nullable fields use `sql.Null*` types
- [ ] Authorization context appropriate for endpoint type
@@ -1,157 +0,0 @@
-# OAuth2 Development Guide
-
-## RFC Compliance Development
-
-### Implementing Standard Protocols
-
-When implementing standard protocols (OAuth2, OpenID Connect, etc.):
-
-1. **Fetch and Analyze Official RFCs**:
-   - Always read the actual RFC specifications before implementation
-   - Use WebFetch tool to get current RFC content for compliance verification
-   - Document RFC requirements in code comments
-
-2. **Default Values Matter**:
-   - Pay close attention to RFC-specified default values
-   - Example: RFC 7591 specifies `client_secret_basic` as default, not `client_secret_post`
-   - Ensure consistency between database migrations and application code
-
-3. **Security Requirements**:
-   - Follow RFC security considerations precisely
-   - Example: RFC 7592 prohibits returning registration access tokens in GET responses
-   - Implement proper error responses per protocol specifications
-
-4. **Validation Compliance**:
-   - Implement comprehensive validation per RFC requirements
-   - Support protocol-specific features (e.g., custom schemes for native OAuth2 apps)
-   - Test edge cases defined in specifications
-
-## OAuth2 Provider Implementation
-
-### OAuth2 Spec Compliance
-
-1. **Follow RFC 6749 for token responses**
-   - Use `expires_in` (seconds) not `expiry` (timestamp) in token responses
-   - Return proper OAuth2 error format: `{"error": "code", "error_description": "details"}`
-
-2. **Error Response Format**
-   - Create OAuth2-compliant error responses for token endpoint
-   - Use standard error codes: `invalid_client`, `invalid_grant`, `invalid_request`
-   - Avoid generic error responses for OAuth2 endpoints
-
-### PKCE Implementation
-
- Support both with and without PKCE for backward compatibility
- Use S256 method for code challenge
- Properly validate code_verifier against stored code_challenge
-
-### UI Authorization Flow
-
- Use POST requests for consent, not GET with links
- Avoid dependency on referer headers for security decisions
- Support proper state parameter validation
-
-### RFC 8707 Resource Indicators
-
- Store resource parameters in database for server-side validation (opaque tokens)
- Validate resource consistency between authorization and token requests
- Support audience validation in refresh token flows
- Resource parameter is optional but must be consistent when provided
-
-## OAuth2 Error Handling Pattern
-
-```go
-// Define specific OAuth2 errors
-var (
-    errInvalidPKCE = xerrors.New("invalid code_verifier")
-)
-
-// Use OAuth2-compliant error responses
-type OAuth2Error struct {
-    Error            string `json:"error"`
-    ErrorDescription string `json:"error_description,omitempty"`
-}
-
-// Return proper OAuth2 errors
-if errors.Is(err, errInvalidPKCE) {
-    writeOAuth2Error(ctx, rw, http.StatusBadRequest, "invalid_grant", "The PKCE code verifier is invalid")
-    return
-}
-```
-
-## Testing OAuth2 Features
-
-### Test Scripts
-
-Located in `./scripts/oauth2/`:
-
- `test-mcp-oauth2.sh` - Full automated test suite
- `setup-test-app.sh` - Create test OAuth2 app
- `cleanup-test-app.sh` - Remove test app
- `generate-pkce.sh` - Generate PKCE parameters
- `test-manual-flow.sh` - Manual browser testing
-
-Always run the full test suite after OAuth2 changes:
-
-```bash
-./scripts/oauth2/test-mcp-oauth2.sh
-```
-
-### RFC Protocol Testing
-
-1. **Compliance Test Coverage**:
-   - Test all RFC-defined error codes and responses
-   - Validate proper HTTP status codes for different scenarios
-   - Test protocol-specific edge cases (URI formats, token formats, etc.)
-
-2. **Security Boundary Testing**:
-   - Test client isolation and privilege separation
-   - Verify information disclosure protections
-   - Test token security and proper invalidation
-
-## Common OAuth2 Issues
-
-1. **OAuth2 endpoints returning wrong error format** - Ensure OAuth2 endpoints return RFC 6749 compliant errors
-2. **Resource indicator validation failing** - Ensure database stores and retrieves resource parameters correctly
-3. **PKCE tests failing** - Verify both authorization code storage and token exchange handle PKCE fields
-4. **RFC compliance failures** - Verify against actual RFC specifications, not assumptions
-5. **Authorization context errors in public endpoints** - Use `dbauthz.AsSystemRestricted(ctx)` pattern
-6. **Default value mismatches** - Ensure database migrations match application code defaults
-7. **Bearer token authentication issues** - Check token extraction precedence and format validation
-8. **URI validation failures** - Support both standard schemes and custom schemes per protocol requirements
-
-## Authorization Context Patterns
-
-```go
-// Public endpoints needing system access (OAuth2 registration)
-app, err := api.Database.GetOAuth2ProviderAppByClientID(dbauthz.AsSystemRestricted(ctx), clientID)
-
-// Authenticated endpoints with user context
-app, err := api.Database.GetOAuth2ProviderAppByClientID(ctx, clientID)
-
-// System operations in middleware
-roles, err := db.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), userID)
-```
-
-## OAuth2/Authentication Work Patterns
-
- Types go in `codersdk/oauth2.go` or similar
- Handlers go in `coderd/oauth2.go` or `coderd/identityprovider/`
- Database fields need migration + audit table updates
- Always support backward compatibility
-
-## Protocol Implementation Checklist
-
-Before completing OAuth2 or authentication feature work:
-
- [ ] Verify RFC compliance by reading actual specifications
- [ ] Implement proper error response formats per protocol
- [ ] Add comprehensive validation for all protocol fields
- [ ] Test security boundaries and token handling
- [ ] Update RBAC permissions for new resources
- [ ] Add audit logging support if applicable
- [ ] Create database migrations with proper defaults
- [ ] Add comprehensive test coverage including edge cases
- [ ] Verify linting compliance
- [ ] Test both positive and negative scenarios
- [ ] Document protocol-specific patterns and requirements
@@ -1,212 +0,0 @@
-# Testing Patterns and Best Practices
-
-## Testing Best Practices
-
-### Avoiding Race Conditions
-
-1. **Unique Test Identifiers**:
-   - Never use hardcoded names in concurrent tests
-   - Use `time.Now().UnixNano()` or similar for unique identifiers
-   - Example: `fmt.Sprintf("test-client-%s-%d", t.Name(), time.Now().UnixNano())`
-
-2. **Database Constraint Awareness**:
-   - Understand unique constraints that can cause test conflicts
-   - Generate unique values for all constrained fields
-   - Test name isolation prevents cross-test interference
-
-### Testing Patterns
-
- Use table-driven tests for comprehensive coverage
- Mock external dependencies
- Test both positive and negative cases
- Use `testutil.WaitLong` for timeouts in tests
-
-### Test Package Naming
-
- **Test packages**: Use `package_test` naming (e.g., `identityprovider_test`) for black-box testing
-
-## RFC Protocol Testing
-
-### Compliance Test Coverage
-
-1. **Test all RFC-defined error codes and responses**
-2. **Validate proper HTTP status codes for different scenarios**
-3. **Test protocol-specific edge cases** (URI formats, token formats, etc.)
-
-### Security Boundary Testing
-
-1. **Test client isolation and privilege separation**
-2. **Verify information disclosure protections**
-3. **Test token security and proper invalidation**
-
-## Test Organization
-
-### Test File Structure
-
-```
-coderd/
-├── oauth2.go                    # Implementation
-├── oauth2_test.go              # Main tests
-├── oauth2_test_helpers.go      # Test utilities
-└── oauth2_validation.go        # Validation logic
-```
-
-### Test Categories
-
-1. **Unit Tests**: Test individual functions in isolation
-2. **Integration Tests**: Test API endpoints with database
-3. **End-to-End Tests**: Full workflow testing
-4. **Race Tests**: Concurrent access testing
-
-## Test Commands
-
-### Running Tests
-
-| Command | Purpose |
-|---------|---------|
-| `make test` | Run all Go tests |
-| `make test RUN=TestFunctionName` | Run specific test |
-| `go test -v ./path/to/package -run TestFunctionName` | Run test with verbose output |
-| `make test-postgres` | Run tests with Postgres database |
-| `make test-race` | Run tests with Go race detector |
-| `make test-e2e` | Run end-to-end tests |
-
-### Frontend Testing
-
-| Command | Purpose |
-|---------|---------|
-| `pnpm test` | Run frontend tests |
-| `pnpm check` | Run code checks |
-
-## Common Testing Issues
-
-### Database-Related
-
-1. **SQL type errors** - Use `sql.Null*` types for nullable fields
-2. **Race conditions in tests** - Use unique identifiers instead of hardcoded names
-
-### OAuth2 Testing
-
-1. **PKCE tests failing** - Verify both authorization code storage and token exchange handle PKCE fields
-2. **Resource indicator validation failing** - Ensure database stores and retrieves resource parameters correctly
-
-### General Issues
-
-1. **Missing newlines** - Ensure files end with newline character
-2. **Package naming errors** - Use `package_test` naming for test files
-3. **Log message formatting errors** - Use lowercase, descriptive messages without special characters
-
-## Systematic Testing Approach
-
-### Multi-Issue Problem Solving
-
-When facing multiple failing tests or complex integration issues:
-
-1. **Identify Root Causes**:
-   - Run failing tests individually to isolate issues
-   - Use LSP tools to trace through call chains
-   - Check both compilation and runtime errors
-
-2. **Fix in Logical Order**:
-   - Address compilation issues first (imports, syntax)
-   - Fix authorization and RBAC issues next
-   - Resolve business logic and validation issues
-   - Handle edge cases and race conditions last
-
-3. **Verification Strategy**:
-   - Test each fix individually before moving to next issue
-   - Use `make lint` and `make gen` after database changes
-   - Verify RFC compliance with actual specifications
-   - Run comprehensive test suites before considering complete
-
-## Test Data Management
-
-### Unique Test Data
-
-```go
-// Good: Unique identifiers prevent conflicts
-clientName := fmt.Sprintf("test-client-%s-%d", t.Name(), time.Now().UnixNano())
-
-// Bad: Hardcoded names cause race conditions
-clientName := "test-client"
-```
-
-### Test Cleanup
-
-```go
-func TestSomething(t *testing.T) {
-    // Setup
-    client := coderdtest.New(t, nil)
-
-    // Test code here
-
-    // Cleanup happens automatically via t.Cleanup() in coderdtest
-}
-```
-
-## Test Utilities
-
-### Common Test Patterns
-
-```go
-// Table-driven tests
-tests := []struct {
-    name     string
-    input    InputType
-    expected OutputType
-    wantErr  bool
-}{
-    {
-        name:     "valid input",
-        input:    validInput,
-        expected: expectedOutput,
-        wantErr:  false,
-    },
-    // ... more test cases
-}
-
-for _, tt := range tests {
-    t.Run(tt.name, func(t *testing.T) {
-        result, err := functionUnderTest(tt.input)
-        if tt.wantErr {
-            require.Error(t, err)
-            return
-        }
-        require.NoError(t, err)
-        require.Equal(t, tt.expected, result)
-    })
-}
-```
-
-### Test Assertions
-
-```go
-// Use testify/require for assertions
-require.NoError(t, err)
-require.Equal(t, expected, actual)
-require.NotNil(t, result)
-require.True(t, condition)
-```
-
-## Performance Testing
-
-### Load Testing
-
- Use `scaletest/` directory for load testing scenarios
- Run `./scaletest/scaletest.sh` for performance testing
-
-### Benchmarking
-
-```go
-func BenchmarkFunction(b *testing.B) {
-    for i := 0; i < b.N; i++ {
-        // Function call to benchmark
-        _ = functionUnderTest(input)
-    }
-}
-```
-
-Run benchmarks with:
-```bash
-go test -bench=. -benchmem ./package/path
-```
@@ -1,231 +0,0 @@
-# Troubleshooting Guide
-
-## Common Issues
-
-### Database Issues
-
-1. **"Audit table entry missing action"**
-   - **Solution**: Update `enterprise/audit/table.go`
-   - Add each new field with appropriate action (ActionTrack, ActionIgnore, ActionSecret)
-   - Run `make gen` to verify no audit errors
-
-2. **SQL type errors**
-   - **Solution**: Use `sql.Null*` types for nullable fields
-   - Set `.Valid = true` when providing values
-   - Example:
-
-     ```go
-     CodeChallenge: sql.NullString{
-         String: params.codeChallenge,
-         Valid:  params.codeChallenge != "",
-     }
-     ```
-
-### Testing Issues
-
-3. **"package should be X_test"**
-   - **Solution**: Use `package_test` naming for test files
-   - Example: `identityprovider_test` for black-box testing
-
-4. **Race conditions in tests**
-   - **Solution**: Use unique identifiers instead of hardcoded names
-   - Example: `fmt.Sprintf("test-client-%s-%d", t.Name(), time.Now().UnixNano())`
-   - Never use hardcoded names in concurrent tests
-
-5. **Missing newlines**
-   - **Solution**: Ensure files end with newline character
-   - Most editors can be configured to add this automatically
-
-### OAuth2 Issues
-
-6. **OAuth2 endpoints returning wrong error format**
-   - **Solution**: Ensure OAuth2 endpoints return RFC 6749 compliant errors
-   - Use standard error codes: `invalid_client`, `invalid_grant`, `invalid_request`
-   - Format: `{"error": "code", "error_description": "details"}`
-
-7. **Resource indicator validation failing**
-   - **Solution**: Ensure database stores and retrieves resource parameters correctly
-   - Check both authorization code storage and token exchange handling
-
-8. **PKCE tests failing**
-    - **Solution**: Verify both authorization code storage and token exchange handle PKCE fields
-    - Check `CodeChallenge` and `CodeChallengeMethod` field handling
-
-### RFC Compliance Issues
-
-9. **RFC compliance failures**
-    - **Solution**: Verify against actual RFC specifications, not assumptions
-    - Use WebFetch tool to get current RFC content for compliance verification
-    - Read the actual RFC specifications before implementation
-
-10. **Default value mismatches**
-    - **Solution**: Ensure database migrations match application code defaults
-    - Example: RFC 7591 specifies `client_secret_basic` as default, not `client_secret_post`
-
-### Authorization Issues
-
-11. **Authorization context errors in public endpoints**
-    - **Solution**: Use `dbauthz.AsSystemRestricted(ctx)` pattern
-    - Example:
-
-      ```go
-      // Public endpoints needing system access
-      app, err := api.Database.GetOAuth2ProviderAppByClientID(dbauthz.AsSystemRestricted(ctx), clientID)
-      ```
-
-### Authentication Issues
-
-12. **Bearer token authentication issues**
-    - **Solution**: Check token extraction precedence and format validation
-    - Ensure proper RFC 6750 Bearer Token Support implementation
-
-13. **URI validation failures**
-    - **Solution**: Support both standard schemes and custom schemes per protocol requirements
-    - Native OAuth2 apps may use custom schemes
-
-### General Development Issues
-
-14. **Log message formatting errors**
-    - **Solution**: Use lowercase, descriptive messages without special characters
-    - Follow Go logging conventions
-
-## Systematic Debugging Approach
-
-### Multi-Issue Problem Solving
-
-When facing multiple failing tests or complex integration issues:
-
-1. **Identify Root Causes**:
-   - Run failing tests individually to isolate issues
-   - Use LSP tools to trace through call chains
-   - Check both compilation and runtime errors
-
-2. **Fix in Logical Order**:
-   - Address compilation issues first (imports, syntax)
-   - Fix authorization and RBAC issues next
-   - Resolve business logic and validation issues
-   - Handle edge cases and race conditions last
-
-3. **Verification Strategy**:
-   - Test each fix individually before moving to next issue
-   - Use `make lint` and `make gen` after database changes
-   - Verify RFC compliance with actual specifications
-   - Run comprehensive test suites before considering complete
-
-## Debug Commands
-
-### Useful Debug Commands
-
-| Command                                      | Purpose                               |
-|----------------------------------------------|---------------------------------------|
-| `make lint`                                  | Run all linters                       |
-| `make gen`                                   | Generate mocks, database queries      |
-| `go test -v ./path/to/package -run TestName` | Run specific test with verbose output |
-| `go test -race ./...`                        | Run tests with race detector          |
-
-### LSP Debugging
-
-#### Go LSP (Backend)
-
-| Command                                            | Purpose                      |
-|----------------------------------------------------|------------------------------|
-| `mcp__go-language-server__definition symbolName`   | Find function definition     |
-| `mcp__go-language-server__references symbolName`   | Find all references          |
-| `mcp__go-language-server__diagnostics filePath`    | Check for compilation errors |
-| `mcp__go-language-server__hover filePath line col` | Get type information         |
-
-#### TypeScript LSP (Frontend)
-
-| Command                                                                    | Purpose                            |
-|----------------------------------------------------------------------------|------------------------------------|
-| `mcp__typescript-language-server__definition symbolName`                   | Find component/function definition |
-| `mcp__typescript-language-server__references symbolName`                   | Find all component/type usages     |
-| `mcp__typescript-language-server__diagnostics filePath`                    | Check for TypeScript errors        |
-| `mcp__typescript-language-server__hover filePath line col`                 | Get type information               |
-| `mcp__typescript-language-server__rename_symbol filePath line col newName` | Rename across codebase             |
-
-## Common Error Messages
-
-### Database Errors
-
-**Error**: `pq: relation "oauth2_provider_app_codes" does not exist`
-
- **Cause**: Missing database migration
- **Solution**: Run database migrations, check migration files
-
-**Error**: `audit table entry missing action for field X`
-
- **Cause**: New field added without audit table update
- **Solution**: Update `enterprise/audit/table.go`
-
-### Go Compilation Errors
-
-**Error**: `package should be identityprovider_test`
-
- **Cause**: Test package naming convention violation
- **Solution**: Use `package_test` naming for black-box tests
-
-**Error**: `cannot use X (type Y) as type Z`
-
- **Cause**: Type mismatch, often with nullable fields
- **Solution**: Use appropriate `sql.Null*` types
-
-### OAuth2 Errors
-
-**Error**: `invalid_client` but client exists
-
- **Cause**: Authorization context issue
- **Solution**: Use `dbauthz.AsSystemRestricted(ctx)` for public endpoints
-
-**Error**: PKCE validation failing
-
- **Cause**: Missing PKCE fields in database operations
- **Solution**: Ensure `CodeChallenge` and `CodeChallengeMethod` are handled
-
-## Prevention Strategies
-
-### Before Making Changes
-
-1. **Read the relevant documentation**
-2. **Check if similar patterns exist in codebase**
-3. **Understand the authorization context requirements**
-4. **Plan database changes carefully**
-
-### During Development
-
-1. **Run tests frequently**: `make test`
-2. **Use LSP tools for navigation**: Avoid manual searching
-3. **Follow RFC specifications precisely**
-4. **Update audit tables when adding database fields**
-
-### Before Committing
-
-1. **Run full test suite**: `make test`
-2. **Check linting**: `make lint`
-3. **Test with race detector**: `make test-race`
-
-## Getting Help
-
-### Internal Resources
-
- Check existing similar implementations in codebase
- Use LSP tools to understand code relationships
-  - For Go code: Use `mcp__go-language-server__*` commands
-  - For TypeScript/React code: Use `mcp__typescript-language-server__*` commands
- Read related test files for expected behavior
-
-### External Resources
-
- Official RFC specifications for protocol compliance
- Go documentation for language features
- PostgreSQL documentation for database issues
-
-### Debug Information Collection
-
-When reporting issues, include:
-
-1. **Exact error message**
-2. **Steps to reproduce**
-3. **Relevant code snippets**
-4. **Test output (if applicable)**
-5. **Environment information** (OS, Go version, etc.)
@@ -1,223 +0,0 @@
-# Development Workflows and Guidelines
-
-## Quick Start Checklist for New Features
-
-### Before Starting
-
- [ ] Run `git pull` to ensure you're on latest code
- [ ] Check if feature touches database - you'll need migrations
- [ ] Check if feature touches audit logs - update `enterprise/audit/table.go`
-
-## Development Server
-
-### Starting Development Mode
-
- **Use `./scripts/develop.sh` to start Coder in development mode**
- This automatically builds and runs with `--dev` flag and proper access URL
- **⚠️ Do NOT manually run `make build && ./coder server --dev` - use the script instead**
-
-### Development Workflow
-
-1. **Always start with the development script**: `./scripts/develop.sh`
-2. **Make changes** to your code
-3. **The script will automatically rebuild** and restart as needed
-4. **Access the development server** at the URL provided by the script
-
-## Code Style Guidelines
-
-### Go Style
-
- Follow [Effective Go](https://go.dev/doc/effective_go) and [Go's Code Review Comments](https://github.com/golang/go/wiki/CodeReviewComments)
- Create packages when used during implementation
- Validate abstractions against implementations
- **Test packages**: Use `package_test` naming (e.g., `identityprovider_test`) for black-box testing
-
-### Error Handling
-
- Use descriptive error messages
- Wrap errors with context
- Propagate errors appropriately
- Use proper error types
- Pattern: `xerrors.Errorf("failed to X: %w", err)`
-
-### Naming Conventions
-
- Use clear, descriptive names
- Abbreviate only when obvious
- Follow Go and TypeScript naming conventions
-
-### Comments
-
- Document exported functions, types, and non-obvious logic
- Follow JSDoc format for TypeScript
- Use godoc format for Go code
-
-## Database Migration Workflows
-
-### Migration Guidelines
-
-1. **Create migration files**:
-   - Location: `coderd/database/migrations/`
-   - Format: `{number}_{description}.{up|down}.sql`
-   - Number must be unique and sequential
-   - Always include both up and down migrations
-
-2. **Use helper scripts**:
-   - `./coderd/database/migrations/create_migration.sh "migration name"` - Creates new migration files
-   - `./coderd/database/migrations/fix_migration_numbers.sh` - Renumbers migrations to avoid conflicts
-   - `./coderd/database/migrations/create_fixture.sh "fixture name"` - Creates test fixtures for migrations
-
-3. **Update database queries**:
-   - **MUST DO**: Any changes to database - adding queries, modifying queries should be done in the `coderd/database/queries/*.sql` files
-   - **MUST DO**: Queries are grouped in files relating to context - e.g. `prebuilds.sql`, `users.sql`, `oauth2.sql`
-   - After making changes to any `coderd/database/queries/*.sql` files you must run `make gen` to generate respective ORM changes
-
-4. **Handle nullable fields**:
-   - Use `sql.NullString`, `sql.NullBool`, etc. for optional database fields
-   - Set `.Valid = true` when providing values
-
-5. **Audit table updates**:
-   - If adding fields to auditable types, update `enterprise/audit/table.go`
-   - Add each new field with appropriate action (ActionTrack, ActionIgnore, ActionSecret)
-   - Run `make gen` to verify no audit errors
-
-### Database Generation Process
-
-1. Modify SQL files in `coderd/database/queries/`
-2. Run `make gen`
-3. If errors about audit table, update `enterprise/audit/table.go`
-4. Run `make gen` again
-5. Run `make lint` to catch any remaining issues
-
-## API Development Workflow
-
-### Adding New API Endpoints
-
-1. **Define types** in `codersdk/` package
-2. **Add handler** in appropriate `coderd/` file
-3. **Register route** in `coderd/coderd.go`
-4. **Add tests** in `coderd/*_test.go` files
-5. **Update OpenAPI** by running `make gen`
-
-## Testing Workflows
-
-### Test Execution
-
- Run full test suite: `make test`
- Run specific test: `make test RUN=TestFunctionName`
- Run with Postgres: `make test-postgres`
- Run with race detector: `make test-race`
- Run end-to-end tests: `make test-e2e`
-
-### Test Development
-
- Use table-driven tests for comprehensive coverage
- Mock external dependencies
- Test both positive and negative cases
- Use `testutil.WaitLong` for timeouts in tests
- Always use `t.Parallel()` in tests
-
-## Commit Style
-
- Follow [Conventional Commits 1.0.0](https://www.conventionalcommits.org/en/v1.0.0/)
- Format: `type(scope): message`
- Types: `feat`, `fix`, `docs`, `style`, `refactor`, `test`, `chore`
- Keep message titles concise (~70 characters)
- Use imperative, present tense in commit titles
-
-## Code Navigation and Investigation
-
-### Using LSP Tools (STRONGLY RECOMMENDED)
-
-**IMPORTANT**: Always use LSP tools for code navigation and understanding. These tools provide accurate, real-time analysis of the codebase and should be your first choice for code investigation.
-
-#### Go LSP Tools (for backend code)
-
-1. **Find function definitions** (USE THIS FREQUENTLY):
-   - `mcp__go-language-server__definition symbolName`
-   - Example: `mcp__go-language-server__definition getOAuth2ProviderAppAuthorize`
-   - Quickly jump to function implementations across packages
-
-2. **Find symbol references** (ESSENTIAL FOR UNDERSTANDING IMPACT):
-   - `mcp__go-language-server__references symbolName`
-   - Locate all usages of functions, types, or variables
-   - Critical for refactoring and understanding data flow
-
-3. **Get symbol information**:
-   - `mcp__go-language-server__hover filePath line column`
-   - Get type information and documentation at specific positions
-
-#### TypeScript LSP Tools (for frontend code in site/)
-
-1. **Find component/function definitions** (USE THIS FREQUENTLY):
-   - `mcp__typescript-language-server__definition symbolName`
-   - Example: `mcp__typescript-language-server__definition LoginPage`
-   - Quickly navigate to React components, hooks, and utility functions
-
-2. **Find symbol references** (ESSENTIAL FOR UNDERSTANDING IMPACT):
-   - `mcp__typescript-language-server__references symbolName`
-   - Locate all usages of components, types, or functions
-   - Critical for refactoring React components and understanding prop usage
-
-3. **Get type information**:
-   - `mcp__typescript-language-server__hover filePath line column`
-   - Get TypeScript type information and JSDoc documentation
-
-4. **Rename symbols safely**:
-   - `mcp__typescript-language-server__rename_symbol filePath line column newName`
-   - Rename components, props, or functions across the entire codebase
-
-5. **Check for TypeScript errors**:
-   - `mcp__typescript-language-server__diagnostics filePath`
-   - Get compilation errors and warnings for a specific file
-
-### Investigation Strategy (LSP-First Approach)
-
-#### Backend Investigation (Go)
-
-1. **Start with route registration** in `coderd/coderd.go` to understand API endpoints
-2. **Use Go LSP `definition` lookup** to trace from route handlers to actual implementations
-3. **Use Go LSP `references`** to understand how functions are called throughout the codebase
-4. **Follow the middleware chain** using LSP tools to understand request processing flow
-5. **Check test files** for expected behavior and error patterns
-
-#### Frontend Investigation (TypeScript/React)
-
-1. **Start with route definitions** in `site/src/App.tsx` or router configuration
-2. **Use TypeScript LSP `definition`** to navigate to React components and hooks
-3. **Use TypeScript LSP `references`** to find all component usages and prop drilling
-4. **Follow the component hierarchy** using LSP tools to understand data flow
-5. **Check for TypeScript errors** with `diagnostics` before making changes
-6. **Examine test files** (`.test.tsx`) for component behavior and expected props
-
-## Troubleshooting Development Issues
-
-### Common Issues
-
-1. **Development server won't start** - Use `./scripts/develop.sh` instead of manual commands
-2. **Database migration errors** - Check migration file format and use helper scripts
-3. **Audit table errors** - Update `enterprise/audit/table.go` with new fields
-4. **OAuth2 compliance issues** - Ensure RFC-compliant error responses
-
-### Debug Commands
-
- Check linting: `make lint`
- Generate code: `make gen`
- Clean build: `make clean`
-
-## Development Environment Setup
-
-### Prerequisites
-
- Go (version specified in go.mod)
- Node.js and pnpm for frontend development
- PostgreSQL for database testing
- Docker for containerized testing
-
-### First Time Setup
-
-1. Clone the repository
-2. Run `./scripts/develop.sh` to start development server
-3. Access the development URL provided
-4. Create admin user as prompted
-5. Begin development
@@ -1,133 +0,0 @@
-#!/bin/bash
-
-# Claude Code hook script for file formatting
-# This script integrates with the centralized Makefile formatting targets
-# and supports the Claude Code hooks system for automatic file formatting.
-
-set -euo pipefail
-
-# A variable to memoize the command for canonicalizing paths.
-_CANONICALIZE_CMD=""
-
-# canonicalize_path resolves a path to its absolute, canonical form.
-# It tries 'realpath' and 'readlink -f' in order.
-# The chosen command is memoized to avoid repeated checks.
-# If none of these are available, it returns an empty string.
-canonicalize_path() {
-	local path_to_resolve="$1"
-
-	# If we haven't determined a command yet, find one.
-	if [[ -z "$_CANONICALIZE_CMD" ]]; then
-		if command -v realpath >/dev/null 2>&1; then
-			_CANONICALIZE_CMD="realpath"
-		elif command -v readlink >/dev/null 2>&1 && readlink -f . >/dev/null 2>&1; then
-			_CANONICALIZE_CMD="readlink"
-		else
-			# No command found, so we can't resolve.
-			# We set a "none" value to prevent re-checking.
-			_CANONICALIZE_CMD="none"
-		fi
-	fi
-
-	# Now, execute the command.
-	case "$_CANONICALIZE_CMD" in
-	realpath)
-		realpath "$path_to_resolve" 2>/dev/null
-		;;
-	readlink)
-		readlink -f "$path_to_resolve" 2>/dev/null
-		;;
-	*)
-		# This handles the "none" case or any unexpected error.
-		echo ""
-		;;
-	esac
-}
-
-# Read JSON input from stdin
-input=$(cat)
-
-# Extract the file path from the JSON input
-# Expected format: {"tool_input": {"file_path": "/absolute/path/to/file"}} or {"tool_response": {"filePath": "/absolute/path/to/file"}}
-file_path=$(echo "$input" | jq -r '.tool_input.file_path // .tool_response.filePath // empty')
-
-# Secure path canonicalization to prevent path traversal attacks
-# Resolve repo root to an absolute, canonical path.
-repo_root_raw="$(cd "$(dirname "$0")/../.." && pwd)"
-repo_root="$(canonicalize_path "$repo_root_raw")"
-if [[ -z "$repo_root" ]]; then
-	# Fallback if canonicalization fails
-	repo_root="$repo_root_raw"
-fi
-
-# Resolve the input path to an absolute path
-if [[ "$file_path" = /* ]]; then
-	# Already absolute
-	abs_file_path="$file_path"
-else
-	# Make relative paths absolute from repo root
-	abs_file_path="$repo_root/$file_path"
-fi
-
-# Canonicalize the path (resolve symlinks and ".." segments)
-canonical_file_path="$(canonicalize_path "$abs_file_path")"
-
-# Check if canonicalization failed or if the resolved path is outside the repo
-if [[ -z "$canonical_file_path" ]] || { [[ "$canonical_file_path" != "$repo_root" ]] && [[ "$canonical_file_path" != "$repo_root"/* ]]; }; then
-	echo "Error: File path is outside repository or invalid: $file_path" >&2
-	exit 1
-fi
-
-# Handle the case where the file path is the repository root itself.
-if [[ "$canonical_file_path" == "$repo_root" ]]; then
-	echo "Warning: Formatting the repository root is not a supported operation. Skipping." >&2
-	exit 0
-fi
-
-# Convert back to relative path from repo root for consistency
-file_path="${canonical_file_path#"$repo_root"/}"
-
-if [[ -z "$file_path" ]]; then
-	echo "Error: No file path provided in input" >&2
-	exit 1
-fi
-
-# Check if file exists
-if [[ ! -f "$file_path" ]]; then
-	echo "Error: File does not exist: $file_path" >&2
-	exit 1
-fi
-
-# Get the file extension to determine the appropriate formatter
-file_ext="${file_path##*.}"
-
-# Change to the project root directory (where the Makefile is located)
-cd "$(dirname "$0")/../.."
-
-# Call the appropriate Makefile target based on file extension
-case "$file_ext" in
-go)
-	make fmt/go FILE="$file_path"
-	echo "✓ Formatted Go file: $file_path"
-	;;
-js | jsx | ts | tsx)
-	make fmt/ts FILE="$file_path"
-	echo "✓ Formatted TypeScript/JavaScript file: $file_path"
-	;;
-tf | tfvars)
-	make fmt/terraform FILE="$file_path"
-	echo "✓ Formatted Terraform file: $file_path"
-	;;
-sh)
-	make fmt/shfmt FILE="$file_path"
-	echo "✓ Formatted shell script: $file_path"
-	;;
-md)
-	make fmt/markdown FILE="$file_path"
-	echo "✓ Formatted Markdown file: $file_path"
-	;;
-*)
-	echo "No formatter available for file extension: $file_ext"
-	exit 0
-	;;
-esac
@@ -1,15 +0,0 @@
-{
-	"hooks": {
-		"PostToolUse": [
-			{
-				"matcher": "Edit|Write|MultiEdit",
-				"hooks": [
-					{
-						"type": "command",
-						"command": ".claude/scripts/format.sh"
-					}
-				]
-			}
-		]
-	}
-}
@@ -1,28 +0,0 @@
-# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
-
-# CodeRabbit Configuration
-# This configuration disables automatic reviews entirely
-
-language: "en-US"
-early_access: false
-
-reviews:
-  # Disable automatic reviews for new PRs, but allow incremental reviews
-  auto_review:
-    enabled: false # Disable automatic review of new/updated PRs
-    drafts: false # Don't review draft PRs automatically
-
-  # Other review settings (only apply if manually requested)
-  profile: "chill"
-  request_changes_workflow: false
-  high_level_summary: false
-  poem: false
-  review_status: false
-  collapse_walkthrough: true
-  high_level_summary_in_walkthrough: true
-
-chat:
-  auto_reply: true # Allow automatic chat replies
-
-# Note: With auto_review.enabled: false, CodeRabbit will only perform initial
-# reviews when manually requested, but incremental reviews and chat replies remain enabled
@@ -1,124 +0,0 @@
-# Cursor Rules
-
-This project is called "Coder" - an application for managing remote development environments.
-
-Coder provides a platform for creating, managing, and using remote development environments (also known as Cloud Development Environments or CDEs). It leverages Terraform to define and provision these environments, which are referred to as "workspaces" within the project. The system is designed to be extensible, secure, and provide developers with a seamless remote development experience.
-
-## Core Architecture
-
-The heart of Coder is a control plane that orchestrates the creation and management of workspaces. This control plane interacts with separate Provisioner processes over gRPC to handle workspace builds. The Provisioners consume workspace definitions and use Terraform to create the actual infrastructure.
-
-The CLI package serves dual purposes - it can be used to launch the control plane itself and also provides client functionality for users to interact with an existing control plane instance. All user-facing frontend code is developed in TypeScript using React and lives in the `site/` directory.
-
-The database layer uses PostgreSQL with SQLC for generating type-safe database code. Database migrations are carefully managed to ensure both forward and backward compatibility through paired `.up.sql` and `.down.sql` files.
-
-## API Design
-
-Coder's API architecture combines REST and gRPC approaches. The REST API is defined in `coderd/coderd.go` and uses Chi for HTTP routing. This provides the primary interface for the frontend and external integrations.
-
-Internal communication with Provisioners occurs over gRPC, with service definitions maintained in `.proto` files. This separation allows for efficient binary communication with the components responsible for infrastructure management while providing a standard REST interface for human-facing applications.
-
-## Network Architecture
-
-Coder implements a secure networking layer based on Tailscale's Wireguard implementation. The `tailnet` package provides connectivity between workspace agents and clients through DERP (Designated Encrypted Relay for Packets) servers when direct connections aren't possible. This creates a secure overlay network allowing access to workspaces regardless of network topology, firewalls, or NAT configurations.
-
-### Tailnet and DERP System
-
-The networking system has three key components:
-
-1. **Tailnet**: An overlay network implemented in the `tailnet` package that provides secure, end-to-end encrypted connections between clients, the Coder server, and workspace agents.
-
-2. **DERP Servers**: These relay traffic when direct connections aren't possible. Coder provides several options:
-   - A built-in DERP server that runs on the Coder control plane
-   - Integration with Tailscale's global DERP infrastructure
-   - Support for custom DERP servers for lower latency or offline deployments
-
-3. **Direct Connections**: When possible, the system establishes peer-to-peer connections between clients and workspaces using STUN for NAT traversal. This requires both endpoints to send UDP traffic on ephemeral ports.
-
-### Workspace Proxies
-
-Workspace proxies (in the Enterprise edition) provide regional relay points for browser-based connections, reducing latency for geo-distributed teams. Key characteristics:
-
- Deployed as independent servers that authenticate with the Coder control plane
- Relay connections for SSH, workspace apps, port forwarding, and web terminals
- Do not make direct database connections
- Managed through the `coder wsproxy` commands
- Implemented primarily in the `enterprise/wsproxy/` package
-
-## Agent System
-
-The workspace agent runs within each provisioned workspace and provides core functionality including:
-
- SSH access to workspaces via the `agentssh` package
- Port forwarding
- Terminal connectivity via the `pty` package for pseudo-terminal support
- Application serving
- Healthcheck monitoring
- Resource usage reporting
-
-Agents communicate with the control plane using the tailnet system and authenticate using secure tokens.
-
-## Workspace Applications
-
-Workspace applications (or "apps") provide browser-based access to services running within workspaces. The system supports:
-
- HTTP(S) and WebSocket connections
- Path-based or subdomain-based access URLs
- Health checks to monitor application availability
- Different sharing levels (owner-only, authenticated users, or public)
- Custom icons and display settings
-
-The implementation is primarily in the `coderd/workspaceapps/` directory with components for URL generation, proxying connections, and managing application state.
-
-## Implementation Details
-
-The project structure separates frontend and backend concerns. React components and pages are organized in the `site/src/` directory, with Jest used for testing. The backend is primarily written in Go, with a strong emphasis on error handling patterns and test coverage.
-
-Database interactions are carefully managed through migrations in `coderd/database/migrations/` and queries in `coderd/database/queries/`. All new queries require proper database authorization (dbauthz) implementation to ensure that only users with appropriate permissions can access specific resources.
-
-## Authorization System
-
-The database authorization (dbauthz) system enforces fine-grained access control across all database operations. It uses role-based access control (RBAC) to validate user permissions before executing database operations. The `dbauthz` package wraps the database store and performs authorization checks before returning data. All database operations must pass through this layer to ensure security.
-
-## Testing Framework
-
-The codebase has a comprehensive testing approach with several key components:
-
-1. **Parallel Testing**: All tests must use `t.Parallel()` to run concurrently, which improves test suite performance and helps identify race conditions.
-
-2. **coderdtest Package**: This package in `coderd/coderdtest/` provides utilities for creating test instances of the Coder server, setting up test users and workspaces, and mocking external components.
-
-3. **Integration Tests**: Tests often span multiple components to verify system behavior, such as template creation, workspace provisioning, and agent connectivity.
-
-4. **Enterprise Testing**: Enterprise features have dedicated test utilities in the `coderdenttest` package.
-
-## Open Source and Enterprise Components
-
-The repository contains both open source and enterprise components:
-
- Enterprise code lives primarily in the `enterprise/` directory
- Enterprise features focus on governance, scalability (high availability), and advanced deployment options like workspace proxies
- The boundary between open source and enterprise is managed through a licensing system
- The same core codebase supports both editions, with enterprise features conditionally enabled
-
-## Development Philosophy
-
-Coder emphasizes clear error handling, with specific patterns required:
-
- Concise error messages that avoid phrases like "failed to"
- Wrapping errors with `%w` to maintain error chains
- Using sentinel errors with the "err" prefix (e.g., `errNotFound`)
-
-All tests should run in parallel using `t.Parallel()` to ensure efficient testing and expose potential race conditions. The codebase is rigorously linted with golangci-lint to maintain consistent code quality.
-
-Git contributions follow a standard format with commit messages structured as `type: <message>`, where type is one of `feat`, `fix`, or `chore`.
-
-## Development Workflow
-
-Development can be initiated using `scripts/develop.sh` to start the application after making changes. Database schema updates should be performed through the migration system using `create_migration.sh <name>` to generate migration files, with each `.up.sql` migration paired with a corresponding `.down.sql` that properly reverts all changes.
-
-If the development database gets into a bad state, it can be completely reset by removing the PostgreSQL data directory with `rm -rf .coderv2/postgres`. This will destroy all data in the development database, requiring you to recreate any test users, templates, or workspaces after restarting the application.
-
-Code generation for the database layer uses `coderd/database/generate.sh`, and developers should refer to `sqlc.yaml` for the appropriate style and patterns to follow when creating new queries or tables.
-
-The focus should always be on maintaining security through proper database authorization, clean error handling, and comprehensive test coverage to ensure the platform remains robust and reliable.
@@ -1,82 +1,12 @@
 {
-	"name": "Development environments on your infrastructure",
-	"image": "codercom/oss-dogfood:latest",
-	"features": {
-		"ghcr.io/devcontainers/features/docker-in-docker:2": {
-			"moby": "false"
-		},
-		"ghcr.io/coder/devcontainer-features/code-server:1": {
-			"auth": "none",
-			"port": 13337
-		},
-		"./filebrowser": {
-			"folder": "${containerWorkspaceFolder}"
-		}
-	},
-	// SYS_PTRACE to enable go debugging
-	"runArgs": ["--cap-add=SYS_PTRACE"],
-	"customizations": {
-		"vscode": {
-			"extensions": ["biomejs.biome"]
-		},
-		"coder": {
-			"apps": [
-				{
-					"slug": "cursor",
-					"displayName": "Cursor Desktop",
-					"url": "cursor://coder.coder-remote/openDevContainer?owner=${localEnv:CODER_WORKSPACE_OWNER_NAME}&workspace=${localEnv:CODER_WORKSPACE_NAME}&agent=${localEnv:CODER_WORKSPACE_PARENT_AGENT_NAME}&url=${localEnv:CODER_URL}&token=$SESSION_TOKEN&devContainerName=${localEnv:CONTAINER_ID}&devContainerFolder=${containerWorkspaceFolder}&localWorkspaceFolder=${localWorkspaceFolder}",
-					"external": true,
-					"icon": "/icon/cursor.svg",
-					"order": 1
-				},
-				{
-					"slug": "windsurf",
-					"displayName": "Windsurf Editor",
-					"url": "windsurf://coder.coder-remote/openDevContainer?owner=${localEnv:CODER_WORKSPACE_OWNER_NAME}&workspace=${localEnv:CODER_WORKSPACE_NAME}&agent=${localEnv:CODER_WORKSPACE_PARENT_AGENT_NAME}&url=${localEnv:CODER_URL}&token=$SESSION_TOKEN&devContainerName=${localEnv:CONTAINER_ID}&devContainerFolder=${containerWorkspaceFolder}&localWorkspaceFolder=${localWorkspaceFolder}",
-					"external": true,
-					"icon": "/icon/windsurf.svg",
-					"order": 4
-				},
-				{
-					"slug": "zed",
-					"displayName": "Zed Editor",
-					"url": "zed://ssh/${localEnv:CODER_WORKSPACE_AGENT_NAME}.${localEnv:CODER_WORKSPACE_NAME}.${localEnv:CODER_WORKSPACE_OWNER_NAME}.coder${containerWorkspaceFolder}",
-					"external": true,
-					"icon": "/icon/zed.svg",
-					"order": 5
-				},
-				// Reproduce `code-server` app here from the code-server
-				// feature so that we can set the correct folder and order.
-				// Currently, the order cannot be specified via option because
-				// we parse it as a number whereas variable interpolation
-				// results in a string. Additionally we set health check which
-				// is not yet set in the feature.
-				{
-					"slug": "code-server",
-					"displayName": "code-server",
-					"url": "http://${localEnv:FEATURE_CODE_SERVER_OPTION_HOST:127.0.0.1}:${localEnv:FEATURE_CODE_SERVER_OPTION_PORT:8080}/?folder=${containerWorkspaceFolder}",
-					"openIn": "${localEnv:FEATURE_CODE_SERVER_OPTION_APPOPENIN:slim-window}",
-					"share": "${localEnv:FEATURE_CODE_SERVER_OPTION_APPSHARE:owner}",
-					"icon": "/icon/code.svg",
-					"group": "${localEnv:FEATURE_CODE_SERVER_OPTION_APPGROUP:Web Editors}",
-					"order": 3,
-					"healthCheck": {
-						"url": "http://${localEnv:FEATURE_CODE_SERVER_OPTION_HOST:127.0.0.1}:${localEnv:FEATURE_CODE_SERVER_OPTION_PORT:8080}/healthz",
-						"interval": 5,
-						"threshold": 2
-					}
-				}
-			]
-		}
-	},
-	"mounts": [
-		// Add a volume for the Coder home directory to persist shell history,
-		// and speed up dotfiles init and/or personalization.
-		"source=coder-coder-devcontainer-home,target=/home/coder,type=volume",
-		// Mount the entire home because conditional mounts are not supported.
-		// See: https://github.com/devcontainers/spec/issues/132
-		"source=${localEnv:HOME},target=/mnt/home/coder,type=bind,readonly"
-	],
-	"postCreateCommand": ["./.devcontainer/scripts/post_create.sh"],
-	"postStartCommand": ["./.devcontainer/scripts/post_start.sh"]
+  "name": "Development environments on your infrastructure",
+  "image": "codercom/oss-dogfood:latest",
+
+  "features": {
+    // See all possible options here https://github.com/devcontainers/features/tree/main/src/docker-in-docker
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {}
+  },
+  // SYS_PTRACE to enable go debugging
+  // without --priviliged the Github Codespace build fails (not required otherwise)
+  "runArgs": ["--cap-add=SYS_PTRACE", "--privileged"]
 }
@@ -1,46 +0,0 @@
-{
-	"id": "filebrowser",
-	"version": "0.0.1",
-	"name": "File Browser",
-	"description": "A web-based file browser for your development container",
-	"options": {
-		"port": {
-			"type": "string",
-			"default": "13339",
-			"description": "The port to run filebrowser on"
-		},
-		"folder": {
-			"type": "string",
-			"default": "",
-			"description": "The root directory for filebrowser to serve"
-		},
-		"baseUrl": {
-			"type": "string",
-			"default": "",
-			"description": "The base URL for filebrowser (e.g., /filebrowser)"
-		}
-	},
-	"entrypoint": "/usr/local/bin/filebrowser-entrypoint",
-	"dependsOn": {
-		"ghcr.io/devcontainers/features/common-utils:2": {}
-	},
-	"customizations": {
-		"coder": {
-			"apps": [
-				{
-					"slug": "filebrowser",
-					"displayName": "File Browser",
-					"url": "http://localhost:${localEnv:FEATURE_FILEBROWSER_OPTION_PORT:13339}",
-					"icon": "/icon/filebrowser.svg",
-					"order": 3,
-					"subdomain": true,
-					"healthcheck": {
-						"url": "http://localhost:${localEnv:FEATURE_FILEBROWSER_OPTION_PORT:13339}/health",
-						"interval": 5,
-						"threshold": 2
-					}
-				}
-			]
-		}
-	}
-}
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-BOLD='\033[0;1m'
-
-printf "%sInstalling filebrowser\n\n" "${BOLD}"
-
-# Check if filebrowser is installed.
-if ! command -v filebrowser &>/dev/null; then
-	curl -fsSL https://raw.githubusercontent.com/filebrowser/get/master/get.sh | bash
-fi
-
-# Create entrypoint.
-cat >/usr/local/bin/filebrowser-entrypoint <<EOF
-#!/usr/bin/env bash
-
-PORT="${PORT}"
-FOLDER="${FOLDER:-}"
-FOLDER="\${FOLDER:-\$(pwd)}"
-BASEURL="${BASEURL:-}"
-LOG_PATH=/tmp/filebrowser.log
-export FB_DATABASE="\${HOME}/.filebrowser.db"
-
-printf "🛠️ Configuring filebrowser\n\n"
-
-# Check if filebrowser db exists.
-if [[ ! -f "\${FB_DATABASE}" ]]; then
-	filebrowser config init >>\${LOG_PATH} 2>&1
-	filebrowser users add admin "" --perm.admin=true --viewMode=mosaic >>\${LOG_PATH} 2>&1
-fi
-
-filebrowser config set --baseurl=\${BASEURL} --port=\${PORT} --auth.method=noauth --root=\${FOLDER} >>\${LOG_PATH} 2>&1
-
-printf "👷 Starting filebrowser...\n\n"
-
-printf "📂 Serving \${FOLDER} at http://localhost:\${PORT}\n\n"
-
-filebrowser >>\${LOG_PATH} 2>&1 &
-
-printf "📝 Logs at \${LOG_PATH}\n\n"
-EOF
-
-chmod +x /usr/local/bin/filebrowser-entrypoint
-
-printf "🥳 Installation complete!\n\n"
@@ -1,59 +0,0 @@
-#!/bin/sh
-
-install_devcontainer_cli() {
-	npm install -g @devcontainers/cli
-}
-
-install_ssh_config() {
-	echo "🔑 Installing SSH configuration..."
-	rsync -a /mnt/home/coder/.ssh/ ~/.ssh/
-	chmod 0700 ~/.ssh
-}
-
-install_git_config() {
-	echo "📂 Installing Git configuration..."
-	if [ -f /mnt/home/coder/git/config ]; then
-		rsync -a /mnt/home/coder/git/ ~/.config/git/
-	elif [ -d /mnt/home/coder/.gitconfig ]; then
-		rsync -a /mnt/home/coder/.gitconfig ~/.gitconfig
-	else
-		echo "⚠️ Git configuration directory not found."
-	fi
-}
-
-install_dotfiles() {
-	if [ ! -d /mnt/home/coder/.config/coderv2/dotfiles ]; then
-		echo "⚠️ Dotfiles directory not found."
-		return
-	fi
-
-	cd /mnt/home/coder/.config/coderv2/dotfiles || return
-	for script in install.sh install bootstrap.sh bootstrap script/bootstrap setup.sh setup script/setup; do
-		if [ -x $script ]; then
-			echo "📦 Installing dotfiles..."
-			./$script || {
-				echo "❌ Error running $script. Please check the script for issues."
-				return
-			}
-			echo "✅ Dotfiles installed successfully."
-			return
-		fi
-	done
-	echo "⚠️ No install script found in dotfiles directory."
-}
-
-personalize() {
-	# Allow script to continue as Coder dogfood utilizes a hack to
-	# synchronize startup script execution.
-	touch /tmp/.coder-startup-script.done
-
-	if [ -x /mnt/home/coder/personalize ]; then
-		echo "🎨 Personalizing environment..."
-		/mnt/home/coder/personalize
-	fi
-}
-
-install_devcontainer_cli
-install_ssh_config
-install_dotfiles
-personalize
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-# Start Docker service if not already running.
-sudo service docker start
@@ -7,11 +7,7 @@ trim_trailing_whitespace = true
 insert_final_newline = true
 indent_style = tab

-[*.{yaml,yml,tf,tfvars,nix}]
-indent_style = space
-indent_size = 2
-
-[*.proto]
+[*.{md,json,yaml,yml,tf,tfvars,nix}]
 indent_style = space
 indent_size = 2

@@ -1,7 +0,0 @@
-# If you would like `git blame` to ignore commits from this file, run...
-#   git config blame.ignoreRevsFile .git-blame-ignore-revs
-
-# chore: format code with semicolons when using prettier (#9555)
-988c9af0153561397686c119da9d1336d2433fdd
-# chore: use tabs for prettier and biome (#14283)
-95a7c0c4f087744a22c2e88dd3c5d30024d5fb02
@@ -1,22 +1,14 @@
 # Generated files
-agent/agentcontainers/acmock/acmock.go linguist-generated=true
-agent/agentcontainers/dcspec/dcspec_gen.go linguist-generated=true
-agent/agentcontainers/testdata/devcontainercli/*/*.log linguist-generated=true
 coderd/apidoc/docs.go linguist-generated=true
-docs/reference/api/*.md linguist-generated=true
-docs/reference/cli/*.md linguist-generated=true
+docs/api/*.md linguist-generated=true
+docs/cli/*.md linguist-generated=true
 coderd/apidoc/swagger.json linguist-generated=true
 coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
 provisionerd/proto/*.go linguist-generated=true
-provisionerd/proto/version.go linguist-generated=false
 provisionersdk/proto/*.go linguist-generated=true
 *.tfplan.json linguist-generated=true
 *.tfstate.json linguist-generated=true
 *.tfstate.dot linguist-generated=true
 *.tfplan.dot linguist-generated=true
-site/e2e/google/protobuf/timestampGenerated.ts
-site/e2e/provisionerGenerated.ts linguist-generated=true
-site/src/api/countriesGenerated.tsx linguist-generated=true
-site/src/api/rbacresourcesGenerated.tsx linguist-generated=true
 site/src/api/typesGenerated.ts linguist-generated=true
@@ -1,30 +0,0 @@
-dirs:
-  - docs
-excludedDirs:
-  # Downstream bug in linkspector means large markdown files fail to parse
-  # but these are autogenerated and shouldn't need checking
-  - docs/reference
-  # Older changelogs may contain broken links
-  - docs/changelogs
-ignorePatterns:
-  - pattern: "localhost"
-  - pattern: "example.com"
-  - pattern: "mailto:"
-  - pattern: "127.0.0.1"
-  - pattern: "0.0.0.0"
-  - pattern: "JFROG_URL"
-  - pattern: "coder.company.org"
-  # These real sites were blocking the linkspector action / GitHub runner IPs(?)
-  - pattern: "i.imgur.com"
-  - pattern: "code.visualstudio.com"
-  - pattern: "www.emacswiki.org"
-  - pattern: "linux.die.net/man"
-  - pattern: "www.gnu.org"
-  - pattern: "wiki.ubuntu.com"
-  - pattern: "mutagen.io"
-  - pattern: "docs.github.com"
-  - pattern: "claude.ai"
-  - pattern: "splunk.com"
-  - pattern: "stackoverflow.com/questions"
-aliveStatusCodes:
-  - 200
@@ -1,79 +0,0 @@
-name: "🐞 Bug"
-description: "File a bug report."
-title: "bug: "
-labels: ["needs-triage"]
-type: "Bug"
-body:
-  - type: checkboxes
-    id: existing_issues
-    attributes:
-      label: "Is there an existing issue for this?"
-      description: "Please search to see if an issue already exists for the bug you encountered."
-      options:
-        - label: "I have searched the existing issues"
-          required: true
-
-  - type: textarea
-    id: issue
-    attributes:
-      label: "Current Behavior"
-      description: "A concise description of what you're experiencing."
-      placeholder: "Tell us what you see!"
-    validations:
-      required: false
-
-  - type: textarea
-    id: logs
-    attributes:
-      label: "Relevant Log Output"
-      description: "Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks."
-      render: shell
-
-  - type: textarea
-    id: expected
-    attributes:
-      label: "Expected Behavior"
-      description: "A concise description of what you expected to happen."
-    validations:
-      required: false
-
-  - type: textarea
-    id: steps_to_reproduce
-    attributes:
-      label: "Steps to Reproduce"
-      description: "Provide step-by-step instructions to reproduce the issue."
-      placeholder: |
-        1. First step
-        2. Second step
-        3. Another step
-        4. Issue occurs
-    validations:
-      required: true
-
-  - type: textarea
-    id: environment
-    attributes:
-      label: "Environment"
-      description: |
-        Provide details about your environment:
-        - **Host OS**: (e.g., Ubuntu 24.04, Debian 12)
-        - **Coder Version**: (e.g., v2.18.4)
-      placeholder: |
-        Run `coder version` to get Coder version
-      value: |
-        - Host OS:
-        - Coder version:
-    validations:
-      required: false
-
-  - type: dropdown
-    id: additional_info
-    attributes:
-      label: "Additional Context"
-      description: "Select any applicable options:"
-      multiple: true
-      options:
-        - "The issue occurs consistently"
-        - "The issue is new (previously worked fine)"
-        - "The issue happens on multiple deployments"
-        - "I have tested this on the latest version"
@@ -1,10 +0,0 @@
-contact_links:
-  - name: Questions, suggestion or feature requests?
-    url: https://github.com/coder/coder/discussions/new/choose
-    about: Our preferred starting point if you have any questions or suggestions about configuration, features or unexpected behavior.
-  - name: Coder Docs
-    url: https://coder.com/docs
-    about: Check our docs.
-  - name: Coder Discord Community
-    url: https://discord.gg/coder
-    about: Get in touch with the Coder developers and community for support.
@@ -1,47 +0,0 @@
-name: "Download Embedded Postgres Cache"
-description: |
-  Downloads the embedded postgres cache and outputs today's cache key.
-  A PR job can use a cache if it was created by its base branch, its current
-  branch, or the default branch.
-  https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
-outputs:
-  cache-key:
-    description: "Today's cache key"
-    value: ${{ steps.vars.outputs.cache-key }}
-inputs:
-  key-prefix:
-    description: "Prefix for the cache key"
-    required: true
-  cache-path:
-    description: "Path to the cache directory"
-    required: true
-runs:
-  using: "composite"
-  steps:
-    - name: Get date values and cache key
-      id: vars
-      shell: bash
-      run: |
-        export YEAR_MONTH=$(date +'%Y-%m')
-        export PREV_YEAR_MONTH=$(date -d 'last month' +'%Y-%m')
-        export DAY=$(date +'%d')
-        echo "year-month=$YEAR_MONTH" >> $GITHUB_OUTPUT
-        echo "prev-year-month=$PREV_YEAR_MONTH" >> $GITHUB_OUTPUT
-        echo "cache-key=${{ inputs.key-prefix }}-${YEAR_MONTH}-${DAY}" >> $GITHUB_OUTPUT
-
-    # By default, depot keeps caches for 14 days. This is plenty for embedded
-    # postgres, which changes infrequently.
-    # https://depot.dev/docs/github-actions/overview#cache-retention-policy
-    - name: Download embedded Postgres cache
-      uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-      with:
-        path: ${{ inputs.cache-path }}
-        key: ${{ steps.vars.outputs.cache-key }}
-        # > If there are multiple partial matches for a restore key, the action returns the most recently created cache.
-        # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#matching-a-cache-key
-        # The second restore key allows non-main branches to use the cache from the previous month.
-        # This prevents PRs from rebuilding the cache on the first day of the month.
-        # It also makes sure that once a month, the cache is fully reset.
-        restore-keys: |
-          ${{ inputs.key-prefix }}-${{ steps.vars.outputs.year-month }}-
-          ${{ github.ref != 'refs/heads/main' && format('{0}-{1}-', inputs.key-prefix, steps.vars.outputs.prev-year-month) || '' }}
@@ -1,18 +0,0 @@
-name: "Upload Embedded Postgres Cache"
-description: Uploads the embedded Postgres cache. This only runs on the main branch.
-inputs:
-  cache-key:
-    description: "Cache key"
-    required: true
-  cache-path:
-    description: "Path to the cache directory"
-    required: true
-runs:
-  using: "composite"
-  steps:
-    - name: Upload Embedded Postgres cache
-      if: ${{ github.ref == 'refs/heads/main' }}
-      uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-      with:
-        path: ${{ inputs.cache-path }}
-        key: ${{ inputs.cache-key }}
@@ -1,10 +0,0 @@
-name: "Install cosign"
-description: |
-  Cosign Github Action.
-runs:
-  using: "composite"
-  steps:
-    - name: Install cosign
-      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
-      with:
-        cosign-release: "v2.4.3"
@@ -1,10 +0,0 @@
-name: "Install syft"
-description: |
-  Downloads Syft to the Action tool cache and provides a reference.
-runs:
-  using: "composite"
-  steps:
-    - name: Install syft
-      uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
-      with:
-        syft-version: "v1.20.0"
@@ -1,33 +0,0 @@
-name: "Setup Embedded Postgres Cache Paths"
-description: Sets up a path for cached embedded postgres binaries.
-outputs:
-  embedded-pg-cache:
-    description: "Value of EMBEDDED_PG_CACHE_DIR"
-    value: ${{ steps.paths.outputs.embedded-pg-cache }}
-  cached-dirs:
-    description: "directories that should be cached between CI runs"
-    value: ${{ steps.paths.outputs.cached-dirs }}
-runs:
-  using: "composite"
-  steps:
-    - name: Override Go paths
-      id: paths
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
-      with:
-        script: |
-          const path = require('path');
-
-          // RUNNER_TEMP should be backed by a RAM disk on Windows if
-          // coder/setup-ramdisk-action was used
-          const runnerTemp = process.env.RUNNER_TEMP;
-          const embeddedPgCacheDir = path.join(runnerTemp, 'embedded-pg-cache');
-          core.exportVariable('EMBEDDED_PG_CACHE_DIR', embeddedPgCacheDir);
-          core.setOutput('embedded-pg-cache', embeddedPgCacheDir);
-          const cachedDirs = `${embeddedPgCacheDir}`;
-          core.setOutput('cached-dirs', cachedDirs);
-
-    - name: Create directories
-      shell: bash
-      run: |
-        set -e
-        mkdir -p "$EMBEDDED_PG_CACHE_DIR"
@@ -1,57 +0,0 @@
-name: "Setup Go Paths"
-description: Overrides Go paths like GOCACHE and GOMODCACHE to use temporary directories.
-outputs:
-  gocache:
-    description: "Value of GOCACHE"
-    value: ${{ steps.paths.outputs.gocache }}
-  gomodcache:
-    description: "Value of GOMODCACHE"
-    value: ${{ steps.paths.outputs.gomodcache }}
-  gopath:
-    description: "Value of GOPATH"
-    value: ${{ steps.paths.outputs.gopath }}
-  gotmp:
-    description: "Value of GOTMPDIR"
-    value: ${{ steps.paths.outputs.gotmp }}
-  cached-dirs:
-    description: "Go directories that should be cached between CI runs"
-    value: ${{ steps.paths.outputs.cached-dirs }}
-runs:
-  using: "composite"
-  steps:
-    - name: Override Go paths
-      id: paths
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
-      with:
-        script: |
-          const path = require('path');
-
-          // RUNNER_TEMP should be backed by a RAM disk on Windows if
-          // coder/setup-ramdisk-action was used
-          const runnerTemp = process.env.RUNNER_TEMP;
-          const gocacheDir = path.join(runnerTemp, 'go-cache');
-          const gomodcacheDir = path.join(runnerTemp, 'go-mod-cache');
-          const gopathDir = path.join(runnerTemp, 'go-path');
-          const gotmpDir = path.join(runnerTemp, 'go-tmp');
-
-          core.exportVariable('GOCACHE', gocacheDir);
-          core.exportVariable('GOMODCACHE', gomodcacheDir);
-          core.exportVariable('GOPATH', gopathDir);
-          core.exportVariable('GOTMPDIR', gotmpDir);
-
-          core.setOutput('gocache', gocacheDir);
-          core.setOutput('gomodcache', gomodcacheDir);
-          core.setOutput('gopath', gopathDir);
-          core.setOutput('gotmp', gotmpDir);
-
-          const cachedDirs = `${gocacheDir}\n${gomodcacheDir}`;
-          core.setOutput('cached-dirs', cachedDirs);
-
-    - name: Create directories
-      shell: bash
-      run: |
-        set -e
-        mkdir -p "$GOCACHE"
-        mkdir -p "$GOMODCACHE"
-        mkdir -p "$GOPATH"
-        mkdir -p "$GOTMPDIR"
@@ -1,14 +0,0 @@
-name: "Setup Go tools"
-description: |
-  Set up tools for `make gen`, `offlinedocs` and Schmoder CI.
-runs:
-  using: "composite"
-  steps:
-    - name: go install tools
-      shell: bash
-      run: |
-          go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
-          go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34
-          go install golang.org/x/tools/cmd/goimports@v0.31.0
-          go install github.com/mikefarah/yq/v4@v4.44.3
-          go install go.uber.org/mock/mockgen@v0.5.0
@@ -4,29 +4,64 @@ description: |
 inputs:
  version:
    description: "The Go version to use."
-    default: "1.24.6"
-  use-preinstalled-go:
-    description: "Whether to use preinstalled Go."
-    default: "false"
-  use-cache:
-    description: "Whether to use the cache."
-    default: "true"
+    default: "1.20.6"
 runs:
  using: "composite"
  steps:
-    - name: Setup Go
-      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+    - name: Cache go toolchain
+      uses: buildjet/cache@v3
      with:
-        go-version: ${{ inputs.use-preinstalled-go == 'false' && inputs.version || '' }}
-        cache: ${{ inputs.use-cache }}
+        path: |
+          ${{ runner.tool_cache }}/go/${{ inputs.version }}
+        key: gotoolchain-${{ runner.os }}-${{ inputs.version }}
+        restore-keys: |
+          gotoolchain-${{ runner.os }}-
+
+    - name: Setup Go
+      uses: buildjet/setup-go@v4
+      with:
+        # We do our own caching for implementation clarity.
+        cache: false
+        go-version: ${{ inputs.version }}
+
+    - name: Get cache dirs
+      shell: bash
+      run: |
+        set -x
+        echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_ENV
+        echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_ENV
+
+    # We split up GOMODCACHE from GOCACHE because the latter must be invalidated
+    # on code change, but the former can be kept.
+    - name: Cache $GOMODCACHE
+      uses: buildjet/cache@v3
+      with:
+        path: |
+          ${{ env.GOMODCACHE }}
+        key: gomodcache-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-${{ github.job }}
+        # restore-keys aren't used because it causes the cache to grow
+        # infinitely. go.sum changes very infrequently, so rebuilding from
+        # scratch every now and then isn't terrible.
+
+    - name: Cache $GOCACHE
+      uses: buildjet/cache@v3
+      with:
+        path: |
+          ${{ env.GOCACHE }}
+        # Job name must be included in the key for effective test cache reuse.
+        # The key format is intentionally different than GOMODCACHE, because any
+        # time a Go file changes we invalidate this cache, whereas GOMODCACHE is
+        # only invalidated when go.sum changes.
+        # The number in the key is incremented when the cache gets too large,
+        # since this technically grows without bound.
+        key: gocache2-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/*.go', 'go.**') }}
+        restore-keys: |
+          gocache2-${{ runner.os }}-${{ github.job }}-
+          gocache2-${{ runner.os }}-

    - name: Install gotestsum
      shell: bash
-      run: go install gotest.tools/gotestsum@0d9599e513d70e5792bb9334869f82f6e8b53d4d # main as of 2025-05-15
-
-    - name: Install mtimehash
-      shell: bash
-      run: go install github.com/slsyy/mtimehash/cmd/mtimehash@a6b5da4ed2c4a40e7b805534b004e9fde7b53ce0 # v1.0.0
+      run: go install gotest.tools/gotestsum@latest

    # It isn't necessary that we ever do this, but it helps
    # separate the "setup" from the "run" times.
@@ -11,16 +11,16 @@ runs:
  using: "composite"
  steps:
    - name: Install pnpm
-      uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
-
-    - name: Setup Node
-      uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+      uses: pnpm/action-setup@v2
      with:
-        node-version: 20.16.0
+        version: 8
+    - name: Setup Node
+      uses: buildjet/setup-node@v3
+      with:
+        node-version: 18.17.0
        # See https://github.com/actions/setup-node#caching-global-packages-data
        cache: "pnpm"
        cache-dependency-path: ${{ inputs.directory }}/pnpm-lock.yaml
-
    - name: Install root node_modules
      shell: bash
      run: ./scripts/pnpm_install.sh
@@ -5,6 +5,6 @@ runs:
  using: "composite"
  steps:
    - name: Setup sqlc
-      uses: sqlc-dev/setup-sqlc@c0209b9199cd1cce6a14fc27cabcec491b651761 # v4.0.0
+      uses: sqlc-dev/setup-sqlc@v3
      with:
-        sqlc-version: "1.27.0"
+        sqlc-version: "1.19.1"
@@ -5,7 +5,7 @@ runs:
  using: "composite"
  steps:
    - name: Install Terraform
-      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      uses: hashicorp/setup-terraform@v2
      with:
-        terraform_version: 1.12.2
+        terraform_version: ~1.5
        terraform_wrapper: false
@@ -1,50 +0,0 @@
-name: "Download Test Cache"
-description: |
-  Downloads the test cache and outputs today's cache key.
-  A PR job can use a cache if it was created by its base branch, its current
-  branch, or the default branch.
-  https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
-outputs:
-  cache-key:
-    description: "Today's cache key"
-    value: ${{ steps.vars.outputs.cache-key }}
-inputs:
-  key-prefix:
-    description: "Prefix for the cache key"
-    required: true
-  cache-path:
-    description: "Path to the cache directory"
-    required: true
-    # This path is defined in testutil/cache.go
-    default: "~/.cache/coderv2-test"
-runs:
-  using: "composite"
-  steps:
-    - name: Get date values and cache key
-      id: vars
-      shell: bash
-      run: |
-        export YEAR_MONTH=$(date +'%Y-%m')
-        export PREV_YEAR_MONTH=$(date -d 'last month' +'%Y-%m')
-        export DAY=$(date +'%d')
-        echo "year-month=$YEAR_MONTH" >> $GITHUB_OUTPUT
-        echo "prev-year-month=$PREV_YEAR_MONTH" >> $GITHUB_OUTPUT
-        echo "cache-key=${{ inputs.key-prefix }}-${YEAR_MONTH}-${DAY}" >> $GITHUB_OUTPUT
-
-    # TODO: As a cost optimization, we could remove caches that are older than
-    # a day or two. By default, depot keeps caches for 14 days, which isn't
-    # necessary for the test cache.
-    # https://depot.dev/docs/github-actions/overview#cache-retention-policy
-    - name: Download test cache
-      uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-      with:
-        path: ${{ inputs.cache-path }}
-        key: ${{ steps.vars.outputs.cache-key }}
-        # > If there are multiple partial matches for a restore key, the action returns the most recently created cache.
-        # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#matching-a-cache-key
-        # The second restore key allows non-main branches to use the cache from the previous month.
-        # This prevents PRs from rebuilding the cache on the first day of the month.
-        # It also makes sure that once a month, the cache is fully reset.
-        restore-keys: |
-          ${{ inputs.key-prefix }}-${{ steps.vars.outputs.year-month }}-
-          ${{ github.ref != 'refs/heads/main' && format('{0}-{1}-', inputs.key-prefix, steps.vars.outputs.prev-year-month) || '' }}
@@ -1,20 +0,0 @@
-name: "Upload Test Cache"
-description: Uploads the test cache. Only works on the main branch.
-inputs:
-  cache-key:
-    description: "Cache key"
-    required: true
-  cache-path:
-    description: "Path to the cache directory"
-    required: true
-    # This path is defined in testutil/cache.go
-    default: "~/.cache/coderv2-test"
-runs:
-  using: "composite"
-  steps:
-    - name: Upload test cache
-      if: ${{ github.ref == 'refs/heads/main' }}
-      uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-      with:
-        path: ${{ inputs.cache-path }}
-        key: ${{ inputs.cache-key }}
@@ -1,6 +1,5 @@
 name: Upload tests to datadog
-description: |
-  Uploads the test results to datadog.
+if: always()
 inputs:
  api-key:
    description: "Datadog API key"
@@ -10,8 +9,6 @@ runs:
  steps:
    - shell: bash
      run: |
-        set -e
-
        owner=${{ github.repository_owner	 }}
        echo "owner: $owner"
        if [[  $owner != "coder" ]]; then
@@ -23,45 +20,8 @@ runs:
          echo "No API key provided, skipping..."
          exit 0
        fi
-
-        BINARY_VERSION="v2.48.0"
-        BINARY_HASH_WINDOWS="b7bebb8212403fddb1563bae84ce5e69a70dac11e35eb07a00c9ef7ac9ed65ea"
-        BINARY_HASH_MACOS="e87c808638fddb21a87a5c4584b68ba802965eb0a593d43959c81f67246bd9eb"
-        BINARY_HASH_LINUX="5e700c465728fff8313e77c2d5ba1ce19a736168735137e1ddc7c6346ed48208"
-
-        TMP_DIR=$(mktemp -d)
-
-        if [[ "${{ runner.os }}" == "Windows" ]]; then
-          BINARY_PATH="${TMP_DIR}/datadog-ci.exe"
-          BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_win-x64"
-        elif [[ "${{ runner.os }}" == "macOS" ]]; then
-          BINARY_PATH="${TMP_DIR}/datadog-ci"
-          BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_darwin-arm64"
-        elif [[ "${{ runner.os }}" == "Linux" ]]; then
-          BINARY_PATH="${TMP_DIR}/datadog-ci"
-          BINARY_URL="https://github.com/DataDog/datadog-ci/releases/download/${BINARY_VERSION}/datadog-ci_linux-x64"
-        else
-          echo "Unsupported OS: ${{ runner.os }}"
-          exit 1
-        fi
-
-        echo "Downloading DataDog CI binary version ${BINARY_VERSION} for ${{ runner.os }}..."
-        curl -sSL "$BINARY_URL" -o "$BINARY_PATH"
-
-        if [[ "${{ runner.os }}" == "Windows" ]]; then
-          echo "$BINARY_HASH_WINDOWS  $BINARY_PATH" | sha256sum --check
-        elif [[ "${{ runner.os }}" == "macOS" ]]; then
-          echo "$BINARY_HASH_MACOS  $BINARY_PATH" | shasum -a 256 --check
-        elif [[ "${{ runner.os }}" == "Linux" ]]; then
-          echo "$BINARY_HASH_LINUX  $BINARY_PATH" | sha256sum --check
-        fi
-
-        # Make binary executable (not needed for Windows)
-        if [[ "${{ runner.os }}" != "Windows" ]]; then
-          chmod +x "$BINARY_PATH"
-        fi
-
-        "$BINARY_PATH" junit upload --service coder ./gotests.xml \
+        npm install -g @datadog/datadog-ci@2.10.0
+        datadog-ci junit upload --service coder ./gotests.xml \
          --tags os:${{runner.os}} --tags runner_name:${{runner.name}}
      env:
        DATADOG_API_KEY: ${{ inputs.api-key }}
@@ -1,2 +0,0 @@
-enabled: true
-preservePullRequestTitle: true
@@ -0,0 +1,43 @@
+codecov:
+  require_ci_to_pass: false
+  notify:
+    after_n_builds: 5
+
+comment: false
+
+github_checks:
+  annotations: false
+
+coverage:
+  range: 50..75
+  round: down
+  precision: 2
+  status:
+    patch:
+      default:
+        informational: yes
+    project:
+      default:
+        target: 65%
+        informational: true
+
+ignore:
+  # This is generated code.
+  - coderd/database/models.go
+  - coderd/database/queries.sql.go
+  - coderd/database/databasefake
+  # These are generated or don't require tests.
+  - cmd
+  - coderd/tunnel
+  - coderd/database/dump
+  - coderd/database/postgres
+  - peerbroker/proto
+  - provisionerd/proto
+  - provisionersdk/proto
+  - scripts
+  - site/.storybook
+  - rules.go
+  # Packages used for writing tests.
+  - cli/clitest
+  - coderd/coderdtest
+  - pty/ptytest
@@ -8,7 +8,22 @@ updates:
      timezone: "America/Chicago"
    labels: []
    commit-message:
-      prefix: "ci"
+      prefix: "chore"
+    ignore:
+      # These actions deliver the latest versions by updating the major
+      # release tag, so ignore minor and patch versions
+      - dependency-name: "actions/*"
+        update-types:
+          - version-update:semver-minor
+          - version-update:semver-patch
+      - dependency-name: "Apple-Actions/import-codesign-certs"
+        update-types:
+          - version-update:semver-minor
+          - version-update:semver-patch
+      - dependency-name: "marocchino/sticky-pull-request-comment"
+        update-types:
+          - version-update:semver-minor
+          - version-update:semver-patch
    groups:
      github-actions:
        patterns:
@@ -23,27 +38,23 @@ updates:
    commit-message:
      prefix: "chore"
    labels: []
-    open-pull-requests-limit: 15
-    groups:
-      x:
-        patterns:
-          - "golang.org/x/*"
    ignore:
      # Ignore patch updates for all dependencies
      - dependency-name: "*"
        update-types:
          - version-update:semver-patch
+    groups:
+      otel:
+        patterns:
+          - "go.nhat.io/otelsql"
+          - "go.opentelemetry.io/otel*"
+      golang-x:
+        patterns:
+          - "golang.org/x/*"

  # Update our Dockerfile.
  - package-ecosystem: "docker"
-    directories:
-      - "/dogfood/coder"
-      - "/dogfood/coder-envbuilder"
-      - "/scripts"
-      - "/examples/templates/docker/build"
-      - "/examples/parameters/build"
-      - "/scaletest/templates/scaletest-runner"
-      - "/scripts/ironbank"
+    directory: "/scripts/"
    schedule:
      interval: "weekly"
      time: "06:00"
@@ -55,14 +66,13 @@ updates:
      # We need to coordinate terraform updates with the version hardcoded in
      # our Go code.
      - dependency-name: "terraform"
+    groups:
+      scripts-docker:
+        patterns:
+          - "*"

  - package-ecosystem: "npm"
-    directories:
-      - "/site"
-      - "/offlinedocs"
-      - "/scripts"
-      - "/scripts/apidocgen"
-
+    directory: "/site/"
    schedule:
      interval: "monthly"
      time: "06:00"
@@ -72,53 +82,93 @@ updates:
    commit-message:
      prefix: "chore"
    labels: []
+    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch
+      # Ignore major updates to Node.js types, because they need to
+      # correspond to the Node.js engine version
+      - dependency-name: "@types/node"
+        update-types:
+          - version-update:semver-major
    groups:
+      react:
+        patterns:
+          - "react*"
+          - "@types/react*"
      xterm:
        patterns:
-          - "@xterm*"
+          - "xterm*"
+      xstate:
+        patterns:
+          - "xstate"
+          - "@xstate*"
      mui:
        patterns:
          - "@mui*"
-      react:
+      storybook:
        patterns:
-          - "react"
-          - "react-dom"
-          - "@types/react"
-          - "@types/react-dom"
-      emotion:
+          - "@storybook*"
+          - "storybook*"
+      eslint:
        patterns:
-          - "@emotion*"
-        exclude-patterns:
-          - "jest-runner-eslint"
+          - "eslint*"
+          - "@eslint*"
+          - "@typescript-eslint/eslint-plugin"
+          - "@typescript-eslint/parser"
      jest:
        patterns:
-          - "jest"
+          - "jest*"
+          - "@swc/jest"
          - "@types/jest"
-      vite:
-        patterns:
-          - "vite*"
-          - "@vitejs/plugin-react"
-    ignore:
-      # Ignore major version updates to avoid breaking changes
-      - dependency-name: "*"
-        update-types:
-          - version-update:semver-major
-    open-pull-requests-limit: 15

-  - package-ecosystem: "terraform"
-    directories:
-      - "dogfood/*/"
-      - "examples/templates/*/"
+  - package-ecosystem: "npm"
+    directory: "/offlinedocs/"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    reviewers:
+      - "coder/ts"
    commit-message:
      prefix: "chore"
-    groups:
-      coder:
-        patterns:
-          - "registry.coder.com/coder/*/coder"
    labels: []
    ignore:
+      # Ignore patch updates for all dependencies
      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch
+      # Ignore major updates to Node.js types, because they need to
+      # correspond to the Node.js engine version
+      - dependency-name: "@types/node"
        update-types:
          - version-update:semver-major
+
+  # Update dogfood.
+  - package-ecosystem: "docker"
+    directory: "/dogfood/"
+    schedule:
+      interval: "weekly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    commit-message:
+      prefix: "chore"
+    labels: []
+    groups:
+      dogfood-docker:
+        patterns:
+          - "*"
+
+  - package-ecosystem: "terraform"
+    directory: "/dogfood/"
+    schedule:
+      interval: "weekly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    commit-message:
+      prefix: "chore"
+    labels: []
+    ignore:
+      # We likely want to update this ourselves.
+      - dependency-name: "coder/coder"
@@ -1,34 +0,0 @@
-app = "jnb-coder"
-primary_region = "jnb"
-
-[experimental]
-  entrypoint = ["/bin/sh", "-c", "CODER_DERP_SERVER_RELAY_URL=\"http://[${FLY_PRIVATE_IP}]:3000\" /opt/coder wsproxy server"]
-  auto_rollback = true
-
-[build]
-  image = "ghcr.io/coder/coder-preview:main"
-
-[env]
-  CODER_ACCESS_URL = "https://jnb.fly.dev.coder.com"
-  CODER_HTTP_ADDRESS = "0.0.0.0:3000"
-  CODER_PRIMARY_ACCESS_URL = "https://dev.coder.com"
-  CODER_WILDCARD_ACCESS_URL = "*--apps.jnb.fly.dev.coder.com"
-  CODER_VERBOSE = "true"
-
-[http_service]
-  internal_port = 3000
-  force_https = true
-  auto_stop_machines = true
-  auto_start_machines = true
-  min_machines_running = 0
-
-# Ref: https://fly.io/docs/reference/configuration/#http_service-concurrency
-[http_service.concurrency]
-  type = "requests"
-  soft_limit = 50
-  hard_limit = 100
-
-[[vm]]
-  cpu_kind = "shared"
-  cpus = 2
-  memory_mb = 512
@@ -1,34 +0,0 @@
-app = "paris-coder"
-primary_region = "cdg"
-
-[experimental]
-  entrypoint = ["/bin/sh", "-c", "CODER_DERP_SERVER_RELAY_URL=\"http://[${FLY_PRIVATE_IP}]:3000\" /opt/coder wsproxy server"]
-  auto_rollback = true
-
-[build]
-  image = "ghcr.io/coder/coder-preview:main"
-
-[env]
-  CODER_ACCESS_URL = "https://paris.fly.dev.coder.com"
-  CODER_HTTP_ADDRESS = "0.0.0.0:3000"
-  CODER_PRIMARY_ACCESS_URL = "https://dev.coder.com"
-  CODER_WILDCARD_ACCESS_URL = "*--apps.paris.fly.dev.coder.com"
-  CODER_VERBOSE = "true"
-
-[http_service]
-  internal_port = 3000
-  force_https = true
-  auto_stop_machines = true
-  auto_start_machines = true
-  min_machines_running = 0
-
-# Ref: https://fly.io/docs/reference/configuration/#http_service-concurrency
-[http_service.concurrency]
-  type = "requests"
-  soft_limit = 50
-  hard_limit = 100
-
-[[vm]]
-  cpu_kind = "shared"
-  cpus = 2
-  memory_mb = 512
@@ -1,34 +0,0 @@
-app = "sao-paulo-coder"
-primary_region = "gru"
-
-[experimental]
-  entrypoint = ["/bin/sh", "-c", "CODER_DERP_SERVER_RELAY_URL=\"http://[${FLY_PRIVATE_IP}]:3000\" /opt/coder wsproxy server"]
-  auto_rollback = true
-
-[build]
-  image = "ghcr.io/coder/coder-preview:main"
-
-[env]
-  CODER_ACCESS_URL = "https://sao-paulo.fly.dev.coder.com"
-  CODER_HTTP_ADDRESS = "0.0.0.0:3000"
-  CODER_PRIMARY_ACCESS_URL = "https://dev.coder.com"
-  CODER_WILDCARD_ACCESS_URL = "*--apps.sao-paulo.fly.dev.coder.com"
-  CODER_VERBOSE = "true"
-
-[http_service]
-  internal_port = 3000
-  force_https = true
-  auto_stop_machines = true
-  auto_start_machines = true
-  min_machines_running = 0
-
-# Ref: https://fly.io/docs/reference/configuration/#http_service-concurrency
-[http_service.concurrency]
-  type = "requests"
-  soft_limit = 50
-  hard_limit = 100
-
-[[vm]]
-  cpu_kind = "shared"
-  cpus = 2
-  memory_mb = 512
@@ -1,34 +0,0 @@
-app = "sydney-coder"
-primary_region = "syd"
-
-[experimental]
-  entrypoint = ["/bin/sh", "-c", "CODER_DERP_SERVER_RELAY_URL=\"http://[${FLY_PRIVATE_IP}]:3000\" /opt/coder wsproxy server"]
-  auto_rollback = true
-
-[build]
-  image = "ghcr.io/coder/coder-preview:main"
-
-[env]
-  CODER_ACCESS_URL = "https://sydney.fly.dev.coder.com"
-  CODER_HTTP_ADDRESS = "0.0.0.0:3000"
-  CODER_PRIMARY_ACCESS_URL = "https://dev.coder.com"
-  CODER_WILDCARD_ACCESS_URL = "*--apps.sydney.fly.dev.coder.com"
-  CODER_VERBOSE = "true"
-
-[http_service]
-  internal_port = 3000
-  force_https = true
-  auto_stop_machines = true
-  auto_start_machines = true
-  min_machines_running = 0
-
-# Ref: https://fly.io/docs/reference/configuration/#http_service-concurrency
-[http_service.concurrency]
-  type = "requests"
-  soft_limit = 50
-  hard_limit = 100
-
-[[vm]]
-  cpu_kind = "shared"
-  cpus = 2
-  memory_mb = 512
@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: pr${PR_NUMBER}-tls
-  namespace: pr-deployment-certs
-spec:
-  secretName: pr${PR_NUMBER}-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - "${PR_HOSTNAME}"
-    - "*.${PR_HOSTNAME}"
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: coder-workspace-pr${PR_NUMBER}
-  namespace: pr${PR_NUMBER}
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: coder-workspace-pr${PR_NUMBER}
-  namespace: pr${PR_NUMBER}
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: coder-workspace-pr${PR_NUMBER}
-  namespace: pr${PR_NUMBER}
-subjects:
-  - kind: ServiceAccount
-    name: coder-workspace-pr${PR_NUMBER}
-    namespace: pr${PR_NUMBER}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: coder-workspace-pr${PR_NUMBER}
@@ -1,314 +0,0 @@
-terraform {
-  required_providers {
-    coder = {
-      source = "coder/coder"
-    }
-    kubernetes = {
-      source = "hashicorp/kubernetes"
-    }
-  }
-}
-
-provider "coder" {
-}
-
-variable "namespace" {
-  type        = string
-  description = "The Kubernetes namespace to create workspaces in (must exist prior to creating workspaces)"
-}
-
-data "coder_parameter" "cpu" {
-  name         = "cpu"
-  display_name = "CPU"
-  description  = "The number of CPU cores"
-  default      = "2"
-  icon         = "/icon/memory.svg"
-  mutable      = true
-  option {
-    name  = "2 Cores"
-    value = "2"
-  }
-  option {
-    name  = "4 Cores"
-    value = "4"
-  }
-  option {
-    name  = "6 Cores"
-    value = "6"
-  }
-  option {
-    name  = "8 Cores"
-    value = "8"
-  }
-}
-
-data "coder_parameter" "memory" {
-  name         = "memory"
-  display_name = "Memory"
-  description  = "The amount of memory in GB"
-  default      = "2"
-  icon         = "/icon/memory.svg"
-  mutable      = true
-  option {
-    name  = "2 GB"
-    value = "2"
-  }
-  option {
-    name  = "4 GB"
-    value = "4"
-  }
-  option {
-    name  = "6 GB"
-    value = "6"
-  }
-  option {
-    name  = "8 GB"
-    value = "8"
-  }
-}
-
-data "coder_parameter" "home_disk_size" {
-  name         = "home_disk_size"
-  display_name = "Home disk size"
-  description  = "The size of the home disk in GB"
-  default      = "10"
-  type         = "number"
-  icon         = "/emojis/1f4be.png"
-  mutable      = false
-  validation {
-    min = 1
-    max = 99999
-  }
-}
-
-provider "kubernetes" {
-  config_path = null
-}
-
-data "coder_workspace" "me" {}
-data "coder_workspace_owner" "me" {}
-
-resource "coder_agent" "main" {
-  os             = "linux"
-  arch           = "amd64"
-  startup_script = <<-EOT
-    set -e
-
-    # install and start code-server
-    curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/tmp/code-server
-    /tmp/code-server/bin/code-server --auth none --port 13337 >/tmp/code-server.log 2>&1 &
-
-  EOT
-
-  # The following metadata blocks are optional. They are used to display
-  # information about your workspace in the dashboard. You can remove them
-  # if you don't want to display any information.
-  # For basic resources, you can use the `coder stat` command.
-  # If you need more control, you can write your own script.
-  metadata {
-    display_name = "CPU Usage"
-    key          = "0_cpu_usage"
-    script       = "coder stat cpu"
-    interval     = 10
-    timeout      = 1
-  }
-
-  metadata {
-    display_name = "RAM Usage"
-    key          = "1_ram_usage"
-    script       = "coder stat mem"
-    interval     = 10
-    timeout      = 1
-  }
-
-  metadata {
-    display_name = "Home Disk"
-    key          = "3_home_disk"
-    script       = "coder stat disk --path $${HOME}"
-    interval     = 60
-    timeout      = 1
-  }
-
-  metadata {
-    display_name = "CPU Usage (Host)"
-    key          = "4_cpu_usage_host"
-    script       = "coder stat cpu --host"
-    interval     = 10
-    timeout      = 1
-  }
-
-  metadata {
-    display_name = "Memory Usage (Host)"
-    key          = "5_mem_usage_host"
-    script       = "coder stat mem --host"
-    interval     = 10
-    timeout      = 1
-  }
-
-  metadata {
-    display_name = "Load Average (Host)"
-    key          = "6_load_host"
-    # get load avg scaled by number of cores
-    script   = <<EOT
-      echo "`cat /proc/loadavg | awk '{ print $1 }'` `nproc`" | awk '{ printf "%0.2f", $1/$2 }'
-    EOT
-    interval = 60
-    timeout  = 1
-  }
-}
-
-# code-server
-resource "coder_app" "code-server" {
-  agent_id     = coder_agent.main.id
-  slug         = "code-server"
-  display_name = "code-server"
-  icon         = "/icon/code.svg"
-  url          = "http://localhost:13337?folder=/home/coder"
-  subdomain    = false
-  share        = "owner"
-
-  healthcheck {
-    url       = "http://localhost:13337/healthz"
-    interval  = 3
-    threshold = 10
-  }
-}
-
-resource "kubernetes_persistent_volume_claim" "home" {
-  metadata {
-    name      = "coder-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}-home"
-    namespace = var.namespace
-    labels = {
-      "app.kubernetes.io/name"     = "coder-pvc"
-      "app.kubernetes.io/instance" = "coder-pvc-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}"
-      "app.kubernetes.io/part-of"  = "coder"
-      //Coder-specific labels.
-      "com.coder.resource"       = "true"
-      "com.coder.workspace.id"   = data.coder_workspace.me.id
-      "com.coder.workspace.name" = data.coder_workspace.me.name
-      "com.coder.user.id"        = data.coder_workspace_owner.me.id
-      "com.coder.user.username"  = data.coder_workspace_owner.me.name
-    }
-    annotations = {
-      "com.coder.user.email" = data.coder_workspace_owner.me.email
-    }
-  }
-  wait_until_bound = false
-  spec {
-    access_modes = ["ReadWriteOnce"]
-    resources {
-      requests = {
-        storage = "${data.coder_parameter.home_disk_size.value}Gi"
-      }
-    }
-  }
-}
-
-resource "kubernetes_deployment" "main" {
-  count = data.coder_workspace.me.start_count
-  depends_on = [
-    kubernetes_persistent_volume_claim.home
-  ]
-  wait_for_rollout = false
-  metadata {
-    name      = "coder-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}"
-    namespace = var.namespace
-    labels = {
-      "app.kubernetes.io/name"     = "coder-workspace"
-      "app.kubernetes.io/instance" = "coder-workspace-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}"
-      "app.kubernetes.io/part-of"  = "coder"
-      "com.coder.resource"         = "true"
-      "com.coder.workspace.id"     = data.coder_workspace.me.id
-      "com.coder.workspace.name"   = data.coder_workspace.me.name
-      "com.coder.user.id"          = data.coder_workspace_owner.me.id
-      "com.coder.user.username"    = data.coder_workspace_owner.me.name
-    }
-    annotations = {
-      "com.coder.user.email" = data.coder_workspace_owner.me.email
-    }
-  }
-
-  spec {
-    replicas = 1
-    selector {
-      match_labels = {
-        "app.kubernetes.io/name" = "coder-workspace"
-      }
-    }
-    strategy {
-      type = "Recreate"
-    }
-
-    template {
-      metadata {
-        labels = {
-          "app.kubernetes.io/name" = "coder-workspace"
-        }
-      }
-      spec {
-        security_context {
-          run_as_user = 1000
-          fs_group    = 1000
-        }
-
-        service_account_name = "coder-workspace-${var.namespace}"
-        container {
-          name              = "dev"
-          image             = "bencdr/devops-tools"
-          image_pull_policy = "Always"
-          command           = ["sh", "-c", coder_agent.main.init_script]
-          security_context {
-            run_as_user = "1000"
-          }
-          env {
-            name  = "CODER_AGENT_TOKEN"
-            value = coder_agent.main.token
-          }
-          resources {
-            requests = {
-              "cpu"    = "250m"
-              "memory" = "512Mi"
-            }
-            limits = {
-              "cpu"    = "${data.coder_parameter.cpu.value}"
-              "memory" = "${data.coder_parameter.memory.value}Gi"
-            }
-          }
-          volume_mount {
-            mount_path = "/home/coder"
-            name       = "home"
-            read_only  = false
-          }
-        }
-
-        volume {
-          name = "home"
-          persistent_volume_claim {
-            claim_name = kubernetes_persistent_volume_claim.home.metadata.0.name
-            read_only  = false
-          }
-        }
-
-        affinity {
-          // This affinity attempts to spread out all workspace pods evenly across
-          // nodes.
-          pod_anti_affinity {
-            preferred_during_scheduling_ignored_during_execution {
-              weight = 1
-              pod_affinity_term {
-                topology_key = "kubernetes.io/hostname"
-                label_selector {
-                  match_expressions {
-                    key      = "app.kubernetes.io/name"
-                    operator = "In"
-                    values   = ["coder-workspace"]
-                  }
-                }
-              }
-            }
-          }
-        }
-      }
-    }
-  }
-}
@@ -1,38 +0,0 @@
-coder:
-  image:
-    repo: "${REPO}"
-    tag: "pr${PR_NUMBER}"
-    pullPolicy: Always
-  service:
-    type: ClusterIP
-  ingress:
-    enable: true
-    className: traefik
-    host: "${PR_HOSTNAME}"
-    wildcardHost: "*.${PR_HOSTNAME}"
-    tls:
-      enable: true
-      secretName: "pr${PR_NUMBER}-tls"
-      wildcardSecretName: "pr${PR_NUMBER}-tls"
-  env:
-    - name: "CODER_ACCESS_URL"
-      value: "https://${PR_HOSTNAME}"
-    - name: "CODER_WILDCARD_ACCESS_URL"
-      value: "*.${PR_HOSTNAME}"
-    - name: "CODER_EXPERIMENTS"
-      value: "${EXPERIMENTS}"
-    - name: CODER_PG_CONNECTION_URL
-      valueFrom:
-        secretKeyRef:
-          name: coder-db-url
-          key: url
-    - name: "CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS"
-      value: "true"
-    - name: "CODER_OAUTH2_GITHUB_CLIENT_ID"
-      value: "${PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID}"
-    - name: "CODER_OAUTH2_GITHUB_CLIENT_SECRET"
-      value: "${PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET}"
-    - name: "CODER_OAUTH2_GITHUB_ALLOWED_ORGS"
-      value: "coder"
-    - name: "CODER_DERP_CONFIG_URL"
-      value: "https://controlplane.tailscale.com/derpmap/default"
@@ -2,7 +2,7 @@ name: contrib

 on:
  issue_comment:
-    types: [created, edited]
+    types: [created]
  pull_request_target:
    types:
      - opened
@@ -10,30 +10,35 @@ on:
      - synchronize
      - labeled
      - unlabeled
+      - opened
      - reopened
      - edited
-      # For jobs that don't run on draft PRs.
-      - ready_for_review
-
-permissions:
-  contents: read

 # Only run one instance per PR to ensure in-order execution.
 concurrency: pr-${{ github.ref }}

 jobs:
-  cla:
+  # Dependabot is annoying, but this makes it a bit less so.
+  auto-approve-dependabot:
    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target'
    permissions:
      pull-requests: write
+    steps:
+      - name: auto-approve dependabot
+        uses: hmarr/auto-approve-action@v3
+        if: github.actor == 'dependabot[bot]'
+
+  cla:
+    runs-on: ubuntu-latest
    steps:
      - name: cla
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
+        uses: contributor-assistant/github-action@v2.3.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # the below token should have repo scope and must be manually added by you in the repository's secret
-          PERSONAL_ACCESS_TOKEN: ${{ secrets.CDRCI2_GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.CDRCOMMUNITY_GITHUB_TOKEN }}
        with:
          remote-organization-name: "coder"
          remote-repository-name: "cla"
@@ -41,18 +46,15 @@ jobs:
          path-to-document: "https://github.com/coder/cla/blob/main/README.md"
          # branch should not be protected
          branch: "main"
-          # Some users have signed a corporate CLA with Coder so are exempt from signing our community one.
-          allowlist: "coryb,aaronlehmann,dependabot*,blink-so*"
+          allowlist: dependabot*

  release-labels:
    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
    # Skip tagging for draft PRs.
-    if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }}
+    if: ${{ github.event_name == 'pull_request_target' && success() && !github.event.pull_request.draft }}
    steps:
      - name: release-labels
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@v6
        with:
          # This script ensures PR title and labels are in sync:
          #
@@ -84,7 +86,7 @@ jobs:
              repo: context.repo.repo,
            }

-            if (action === "opened" || action === "reopened" || action === "ready_for_review") {
+            if (action === "opened" || action === "reopened") {
              if (isBreakingTitle && !labels.includes(releaseLabels.breaking)) {
                console.log('Add "%s" label', releaseLabels.breaking)
                await github.rest.issues.addLabels({
@@ -1,88 +0,0 @@
-name: dependabot
-
-on:
-  pull_request:
-    types:
-      - opened
-
-permissions:
-  contents: read
-
-jobs:
-  dependabot-automerge:
-    runs-on: ubuntu-latest
-    if: >
-      github.event_name == 'pull_request' &&
-      github.event.action == 'opened' &&
-      github.event.pull_request.user.login == 'dependabot[bot]' &&
-      github.actor_id == 49699333 &&
-      github.repository == 'coder/coder'
-    permissions:
-      pull-requests: write
-      contents: write
-    steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-
-      - name: Approve the PR
-        run: |
-          echo "Approving $PR_URL"
-          gh pr review --approve "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
-      - name: Enable auto-merge
-        run: |
-          echo "Enabling auto-merge for $PR_URL"
-          gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
-      - name: Send Slack notification
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          PR_TITLE: ${{github.event.pull_request.title}}
-          PR_NUMBER: ${{github.event.pull_request.number}}
-        run: |
-          curl -X POST -H 'Content-type: application/json' \
-          --data '{
-            "username": "dependabot",
-            "icon_url": "https://avatars.githubusercontent.com/u/27347476",
-            "blocks": [
-              {
-                "type": "header",
-                "text": {
-                  "type": "plain_text",
-                  "text": ":pr-merged: Auto merge enabled for Dependabot PR #${{ env.PR_NUMBER }}",
-                  "emoji": true
-                }
-              },
-              {
-                "type": "section",
-                "fields": [
-                  {
-                    "type": "mrkdwn",
-                    "text": "${{ env.PR_TITLE }}"
-                  }
-                ]
-              },
-              {
-                "type": "actions",
-                "elements": [
-                  {
-                    "type": "button",
-                    "text": {
-                      "type": "plain_text",
-                      "text": "View PR"
-                    },
-                    "url": "${{ env.PR_URL }}"
-                  }
-                ]
-              }
-            ]
-          }' ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}
@@ -8,11 +8,6 @@ on:
      - scripts/Dockerfile.base
      - scripts/Dockerfile

-  pull_request:
-    paths:
-      - scripts/Dockerfile.base
-      - .github/workflows/docker-base.yaml
-
  schedule:
    # Run every week at 09:43 on Monday, Wednesday and Friday. We build this
    # frequently to ensure that packages are up-to-date.
@@ -22,6 +17,10 @@ on:

 permissions:
  contents: read
+  # Necessary to push docker images to ghcr.io.
+  packages: write
+  # Necessary for depot.dev authentication.
+  id-token: write

 # Avoid running multiple jobs for the same commit.
 concurrency:
@@ -29,24 +28,14 @@ concurrency:

 jobs:
  build:
-    permissions:
-      # Necessary for depot.dev authentication.
-      id-token: write
-      # Necessary to push docker images to ghcr.io.
-      packages: write
    runs-on: ubuntu-latest
    if: github.repository_owner == 'coder'
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3

      - name: Docker login
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -56,25 +45,23 @@ jobs:
        run: mkdir base-build-context

      - name: Install depot.dev CLI
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+        uses: depot/setup-action@v1

      # This uses OIDC authentication, so no auth variables are required.
      - name: Build base Docker image via depot.dev
-        uses: depot/build-push-action@2583627a84956d07561420dcc1d0eb1f2af3fac0 # v1.15.0
+        uses: depot/build-push-action@v1
        with:
          project: wl5hnrrkns
          context: base-build-context
          file: scripts/Dockerfile.base
          platforms: linux/amd64,linux/arm64,linux/arm/v7
-          provenance: true
          pull: true
          no-cache: true
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
          tags: |
            ghcr.io/coder/coder-base:latest

      - name: Verify that images are pushed properly
-        if: github.event_name != 'pull_request'
        run: |
          # retry 10 times with a 5 second delay as the images may not be
          # available immediately
@@ -1,48 +0,0 @@
-name: Docs CI
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - "docs/**"
-      - "**.md"
-      - ".github/workflows/docs-ci.yaml"
-
-  pull_request:
-    paths:
-      - "docs/**"
-      - "**.md"
-      - ".github/workflows/docs-ci.yaml"
-
-permissions:
-  contents: read
-
-jobs:
-  docs:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
-
-      - uses: tj-actions/changed-files@055970845dd036d7345da7399b7e89f2e10f2b04 # v45.0.7
-        id: changed-files
-        with:
-          files: |
-            docs/**
-            **.md
-          separator: ","
-
-      - name: lint
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-          pnpm exec markdownlint-cli2 ${{ steps.changed-files.outputs.all_changed_files }}
-
-      - name: fmt
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-          # markdown-table-formatter requires a space separated list of files
-          echo ${{ steps.changed-files.outputs.all_changed_files }} | tr ',' '\n' | pnpm exec markdown-table-formatter --check
@@ -7,62 +7,20 @@ on:
    paths:
      - "dogfood/**"
      - ".github/workflows/dogfood.yaml"
-      - "flake.lock"
-      - "flake.nix"
-  pull_request:
-    paths:
-      - "dogfood/**"
-      - ".github/workflows/dogfood.yaml"
-      - "flake.lock"
-      - "flake.nix"
+  # Uncomment these lines when testing with CI.
+  # pull_request:
+  #   paths:
+  #     - "dogfood/**"
+  #     - ".github/workflows/dogfood.yaml"
  workflow_dispatch:

-permissions:
-  # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
-  id-token: write
-
 jobs:
-  build_image:
-    if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
+  deploy_image:
+    runs-on: buildjet-4vcpu-ubuntu-2204
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Setup Nix
-        uses: nixbuild/nix-quick-install-action@63ca48f939ee3b8d835f4126562537df0fee5b91 # v32
-        with:
-          # Pinning to 2.28 here, as Nix gets a "error: [json.exception.type_error.302] type must be array, but is string"
-          # on version 2.29 and above.
-          nix_version: "2.28.4"
-
-      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
-        with:
-          # restore and save a cache using this key
-          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
-          # if there's no cache hit, restore a cache by this prefix
-          restore-prefixes-first-match: nix-${{ runner.os }}-
-          # collect garbage until Nix store size (in bytes) is at most this number
-          # before trying to save a new cache
-          # 1G = 1073741824
-          gc-max-store-size-linux: 5G
-          # do purge caches
-          purge: true
-          # purge all versions of the cache
-          purge-prefixes: nix-${{ runner.os }}-
-          # created more than this number of seconds ago relative to the start of the `Post Restore` phase
-          purge-created: 0
-          # except the version with the `primary-key`, if it exists
-          purge-primary-key: never
-
      - name: Get branch name
        id: branch-name
-        uses: tj-actions/branch-names@dde14ac574a8b9b1cedc59a1cf312788af43d8d8 # v8.2.1
+        uses: tj-actions/branch-names@v6.5

      - name: "Branch name to Docker tag name"
        id: docker-tag-name
@@ -72,105 +30,57 @@ jobs:
          tag=${tag//\//--}
          echo "tag=${tag}" >> $GITHUB_OUTPUT

-      - name: Set up Depot CLI
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@v2

      - name: Login to DockerHub
-        if: github.ref == 'refs/heads/main'
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

-      - name: Build and push Non-Nix image
-        uses: depot/build-push-action@2583627a84956d07561420dcc1d0eb1f2af3fac0 # v1.15.0
+      - name: Build and push
+        uses: docker/build-push-action@v4
        with:
-          project: b4q6ltmpzh
-          token: ${{ secrets.DEPOT_TOKEN }}
-          buildx-fallback: true
-          context: "{{defaultContext}}:dogfood/coder"
+          context: "{{defaultContext}}:dogfood"
          pull: true
-          save: true
-          push: ${{ github.ref == 'refs/heads/main' }}
+          push: true
          tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"
-
-      - name: Build Nix image
-        run: nix build .#dev_image
-
-      - name: Push Nix image
-        if: github.ref == 'refs/heads/main'
-        run: |
-          docker load -i result
-
-          CURRENT_SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem')
-
-          docker image tag codercom/oss-dogfood-nix:latest-$CURRENT_SYSTEM codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }}
-          docker image push codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }}
-
-          docker image tag codercom/oss-dogfood-nix:latest-$CURRENT_SYSTEM codercom/oss-dogfood-nix:latest
-          docker image push codercom/oss-dogfood-nix:latest
+          cache-from: type=registry,ref=codercom/oss-dogfood:latest
+          cache-to: type=inline

  deploy_template:
-    needs: build_image
+    needs: deploy_image
    runs-on: ubuntu-latest
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Setup Terraform
-        uses: ./.github/actions/setup-tf
-
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@140bb5113ffb6b65a7e9b937a81fa96cf5064462 # v2.1.11
-        with:
-          workload_identity_provider: ${{ vars.GCP_WORKLOAD_ID_PROVIDER }}
-          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
-
-      - name: Terraform init and validate
-        run: |
-          pushd dogfood/
-          terraform init
-          terraform validate
-          popd
-          pushd dogfood/coder
-          terraform init
-          terraform validate
-          popd
-          pushd dogfood/coder-envbuilder
-          terraform init
-          terraform validate
-          popd
+        uses: actions/checkout@v3

      - name: Get short commit SHA
-        if: github.ref == 'refs/heads/main'
        id: vars
        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

      - name: Get latest commit title
-        if: github.ref == 'refs/heads/main'
        id: message
        run: echo "pr_title=$(git log --format=%s -n 1 ${{ github.sha }})" >> $GITHUB_OUTPUT

-      - name: "Push template"
-        if: github.ref == 'refs/heads/main'
+      - name: "Get latest Coder binary from the server"
        run: |
-          cd dogfood
-          terraform apply -auto-approve
+          curl -fsSL "https://dev.coder.com/bin/coder-linux-amd64" -o "./coder"
+          chmod +x "./coder"
+
+      - name: "Push template"
+        run: |
+          ./coder templates push $CODER_TEMPLATE_NAME --directory $CODER_TEMPLATE_DIR --yes --name=$CODER_TEMPLATE_VERSION --message="$CODER_TEMPLATE_MESSAGE"
        env:
-          # Consumed by coderd provider
+          # Consumed by Coder CLI
          CODER_URL: https://dev.coder.com
          CODER_SESSION_TOKEN: ${{ secrets.CODER_SESSION_TOKEN }}
          # Template source & details
-          TF_VAR_CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }}
-          TF_VAR_CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }}
-          TF_VAR_CODER_TEMPLATE_DIR: ./coder
-          TF_VAR_CODER_TEMPLATE_MESSAGE: ${{ steps.message.outputs.pr_title }}
-          TF_LOG: info
+          CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }}
+          CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }}
+          CODER_TEMPLATE_DIR: ./dogfood
+          CODER_TEMPLATE_MESSAGE: ${{ steps.message.outputs.pr_title }}
@@ -0,0 +1,23 @@
+{
+  "ignorePatterns": [
+    {
+      "pattern": "://localhost"
+    },
+    {
+      "pattern": "://.*.?example\\.com"
+    },
+    {
+      "pattern": "developer.github.com"
+    },
+    {
+      "pattern": "docs.github.com"
+    },
+    {
+      "pattern": "support.google.com"
+    },
+    {
+      "pattern": "tailscale.com"
+    }
+  ],
+  "aliveStatusCodes": [200, 0]
+}
@@ -3,201 +3,58 @@
 name: nightly-gauntlet
 on:
  schedule:
-    # Every day at 4AM
-    - cron: "0 4 * * 1-5"
+    # Every day at midnight
+    - cron: "0 0 * * *"
  workflow_dispatch:
-
-permissions:
-  contents: read
-
 jobs:
-  test-go-pg:
-    # make sure to adjust NUM_PARALLEL_PACKAGES and NUM_PARALLEL_TESTS below
-    # when changing runner sizes
-    runs-on: ${{ matrix.os == 'macos-latest' && github.repository_owner == 'coder' && 'depot-macos-latest' || matrix.os == 'windows-2022' && github.repository_owner == 'coder' && 'depot-windows-2022-16' || matrix.os }}
-    # This timeout must be greater than the timeout set by `go test` in
-    # `make test-postgres` to ensure we receive a trace of running
-    # goroutines. Setting this to the timeout +5m should work quite well
-    # even if some of the preceding steps are slow.
-    timeout-minutes: 25
-    strategy:
-      matrix:
-        os:
-          - macos-latest
-          - windows-2022
+  go-race:
+    # While GitHub's toaster runners are likelier to flake, we want consistency
+    # between this environment and the regular test environment for DataDog
+    # statistics and to only show real workflow threats.
+    runs-on: "buildjet-8vcpu-ubuntu-2204"
+    # This runner costs 0.016 USD per minute,
+    # so 0.016 * 240 = 3.84 USD per run.
+    timeout-minutes: 240
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
-        with:
-          egress-policy: audit
-
-      # macOS indexes all new files in the background. Our Postgres tests
-      # create and destroy thousands of databases on disk, and Spotlight
-      # tries to index all of them, seriously slowing down the tests.
-      - name: Disable Spotlight Indexing
-        if: runner.os == 'macOS'
-        run: |
-          sudo mdutil -a -i off
-          sudo mdutil -X /
-          sudo launchctl bootout system /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
-
-      # Set up RAM disks to speed up the rest of the job. This action is in
-      # a separate repository to allow its use before actions/checkout.
-      - name: Setup RAM Disks
-        if: runner.os == 'Windows'
-        uses: coder/setup-ramdisk-action@e1100847ab2d7bcd9d14bcda8f2d1b0f07b36f1b
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 1
+        uses: actions/checkout@v3

      - name: Setup Go
        uses: ./.github/actions/setup-go
-        with:
-          # Runners have Go baked-in and Go will automatically
-          # download the toolchain configured in go.mod, so we don't
-          # need to reinstall it. It's faster on Windows runners.
-          use-preinstalled-go: ${{ runner.os == 'Windows' }}

      - name: Setup Terraform
        uses: ./.github/actions/setup-tf

-      - name: Setup Embedded Postgres Cache Paths
-        id: embedded-pg-cache
-        uses: ./.github/actions/setup-embedded-pg-cache-paths
-
-      - name: Download Embedded Postgres Cache
-        id: download-embedded-pg-cache
-        uses: ./.github/actions/embedded-pg-cache/download
-        with:
-          key-prefix: embedded-pg-${{ runner.os }}-${{ runner.arch }}
-          cache-path: ${{ steps.embedded-pg-cache.outputs.cached-dirs }}
-
-      - name: Test with PostgreSQL Database
-        env:
-          POSTGRES_VERSION: "13"
-          TS_DEBUG_DISCO: "true"
-          LC_CTYPE: "en_US.UTF-8"
-          LC_ALL: "en_US.UTF-8"
-        shell: bash
+      - name: Run Tests
        run: |
-          set -o errexit
-          set -o pipefail
+          # -race is likeliest to catch flaky tests
+          # due to correctness detection and its performance
+          # impact.
+          gotestsum --junitfile="gotests.xml" -- -timeout=240m -count=10 -race ./...

-          if [ "${{ runner.os }}" == "Windows" ]; then
-            # Create a temp dir on the R: ramdisk drive for Windows. The default
-            # C: drive is extremely slow: https://github.com/actions/runner-images/issues/8755
-            mkdir -p "R:/temp/embedded-pg"
-            go run scripts/embedded-pg/main.go -path "R:/temp/embedded-pg" -cache "${EMBEDDED_PG_CACHE_DIR}"
-          elif [ "${{ runner.os }}" == "macOS" ]; then
-            # Postgres runs faster on a ramdisk on macOS too
-            mkdir -p /tmp/tmpfs
-            sudo mount_tmpfs -o noowners -s 8g /tmp/tmpfs
-            go run scripts/embedded-pg/main.go -path /tmp/tmpfs/embedded-pg -cache "${EMBEDDED_PG_CACHE_DIR}"
-          elif [ "${{ runner.os }}" == "Linux" ]; then
-            make test-postgres-docker
-          fi
-
-          # if macOS, install google-chrome for scaletests
-          # As another concern, should we really have this kind of external dependency
-          # requirement on standard CI?
-          if [ "${{ matrix.os }}" == "macos-latest" ]; then
-            brew install google-chrome
-          fi
-
-          # macOS will output "The default interactive shell is now zsh"
-          # intermittently in CI...
-          if [ "${{ matrix.os }}" == "macos-latest" ]; then
-            touch ~/.bash_profile && echo "export BASH_SILENCE_DEPRECATION_WARNING=1" >> ~/.bash_profile
-          fi
-
-          if [ "${{ runner.os }}" == "Windows" ]; then
-            # Our Windows runners have 16 cores.
-            # On Windows Postgres chokes up when we have 16x16=256 tests
-            # running in parallel, and dbtestutil.NewDB starts to take more than
-            # 10s to complete sometimes causing test timeouts. With 16x8=128 tests
-            # Postgres tends not to choke.
-            NUM_PARALLEL_PACKAGES=8
-            NUM_PARALLEL_TESTS=16
-          elif [ "${{ runner.os }}" == "macOS" ]; then
-            # Our macOS runners have 8 cores. We set NUM_PARALLEL_TESTS to 16
-            # because the tests complete faster and Postgres doesn't choke. It seems
-            # that macOS's tmpfs is faster than the one on Windows.
-            NUM_PARALLEL_PACKAGES=8
-            NUM_PARALLEL_TESTS=16
-          elif [ "${{ runner.os }}" == "Linux" ]; then
-            # Our Linux runners have 8 cores.
-            NUM_PARALLEL_PACKAGES=8
-            NUM_PARALLEL_TESTS=8
-          fi
-
-          # run tests without cache
-          TESTCOUNT="-count=1"
-
-          DB=ci gotestsum \
-            --format standard-quiet --packages "./..." \
-            -- -timeout=20m -v -p $NUM_PARALLEL_PACKAGES -parallel=$NUM_PARALLEL_TESTS $TESTCOUNT
-
-      - name: Upload Embedded Postgres Cache
-        uses: ./.github/actions/embedded-pg-cache/upload
-        # We only use the embedded Postgres cache on macOS and Windows runners.
-        if: runner.OS == 'macOS' || runner.OS == 'Windows'
-        with:
-          cache-key: ${{ steps.download-embedded-pg-cache.outputs.cache-key }}
-          cache-path: "${{ steps.embedded-pg-cache.outputs.embedded-pg-cache }}"
-
-      - name: Upload test stats to Datadog
-        timeout-minutes: 1
-        continue-on-error: true
+      - name: Upload test results to DataDog
        uses: ./.github/actions/upload-datadog
-        if: success() || failure()
+        if: always()
        with:
          api-key: ${{ secrets.DATADOG_API_KEY }}

-  notify-slack-on-failure:
-    needs:
-      - test-go-pg
-    runs-on: ubuntu-latest
-    if: failure() && github.ref == 'refs/heads/main'
-
+  go-timing:
+    # We run these tests with p=1 so we don't need a lot of compute.
+    runs-on: "buildjet-2vcpu-ubuntu-2204"
+    timeout-minutes: 10
    steps:
-      - name: Send Slack notification
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+
+      - name: Run Tests
        run: |
-          curl -X POST -H 'Content-type: application/json' \
-          --data '{
-            "blocks": [
-              {
-                "type": "header",
-                "text": {
-                  "type": "plain_text",
-                  "text": "❌ Nightly gauntlet failed",
-                  "emoji": true
-                }
-              },
-              {
-                "type": "section",
-                "fields": [
-                  {
-                    "type": "mrkdwn",
-                    "text": "*Workflow:*\n${{ github.workflow }}"
-                  },
-                  {
-                    "type": "mrkdwn",
-                    "text": "*Committer:*\n${{ github.actor }}"
-                  },
-                  {
-                    "type": "mrkdwn",
-                    "text": "*Commit:*\n${{ github.sha }}"
-                  }
-                ]
-              },
-              {
-                "type": "section",
-                "text": {
-                  "type": "mrkdwn",
-                  "text": "*View failure:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Click here>"
-                }
-              }
-            ]
-          }' ${{ secrets.CI_FAILURE_SLACK_WEBHOOK }}
+          gotestsum --junitfile="gotests.xml" -- --tags="timing" -p=1 -run='_Timing/' ./...
+
+      - name: Upload test results to DataDog
+        uses: ./.github/actions/upload-datadog
+        if: always()
+        with:
+          api-key: ${{ secrets.DATADOG_API_KEY }}
@@ -13,10 +13,5 @@ jobs:
  assign-author:
    runs-on: ubuntu-latest
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Assign author
-        uses: toshimaru/auto-author-assign@16f0022cf3d7970c106d8d1105f75a1165edb516 # v2.1.1
+        uses: toshimaru/auto-author-assign@v1.6.2
@@ -1,4 +1,4 @@
-name: pr-cleanup
+name: Cleanup PR deployment and image
 on:
  pull_request:
    types: closed
@@ -9,20 +9,12 @@ on:
        required: true

 permissions:
-  contents: read
+  packages: write

 jobs:
  cleanup:
    runs-on: "ubuntu-latest"
-    permissions:
-      # Necessary to delete docker images from ghcr.io.
-      packages: write
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Get PR number
        id: pr_number
        run: |
@@ -34,7 +26,7 @@ jobs:

      - name: Delete image
        continue-on-error: true
-        uses: bots-house/ghcr-delete-image-action@3827559c68cb4dcdf54d813ea9853be6d468d3a4 # v1.1.0
+        uses: bots-house/ghcr-delete-image-action@v1.1.0
        with:
          owner: coder
          name: coder-preview
@@ -43,14 +35,14 @@ jobs:

      - name: Set up kubeconfig
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          mkdir -p ~/.kube
          echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG }}" > ~/.kube/config
          export KUBECONFIG=~/.kube/config

      - name: Delete helm release
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          helm delete --namespace "pr${{ steps.pr_number.outputs.PR_NUMBER }}" "pr${{ steps.pr_number.outputs.PR_NUMBER }}" || echo "helm release not found"

      - name: "Remove PR namespace"
@@ -59,7 +51,7 @@ jobs:

      - name: "Remove DNS records"
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          # Get identifier for the record
          record_id=$(curl -X GET "https://api.cloudflare.com/client/v4/zones/${{ secrets.PR_DEPLOYMENTS_ZONE_ID }}/dns_records?name=%2A.pr${{ steps.pr_number.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}" \
          -H "Authorization: Bearer ${{ secrets.PR_DEPLOYMENTS_CLOUDFLARE_API_TOKEN }}" \
@@ -4,102 +4,68 @@
 # 3. when a PR is updated
 name: Deploy PR
 on:
-  push:
-    branches-ignore:
-      - main
-      - "temp-cherry-pick-*"
+  pull_request:
+    types: synchronize
  workflow_dispatch:
    inputs:
+      pr_number:
+        description: "PR number"
+        type: number
+        required: true
+      skip_build:
+        description: "Skip build job"
+        required: false
+        type: boolean
+        default: false
      experiments:
        description: "Experiments to enable"
        required: false
        type: string
        default: "*"
-      build:
-        description: "Force new build"
-        required: false
-        type: boolean
-        default: false
-      deploy:
-        description: "Force new deployment"
-        required: false
-        type: boolean
-        default: false

 env:
  REPO: ghcr.io/coder/coder-preview

 permissions:
  contents: read
+  packages: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-PR-${{ github.event.pull_request.number || github.event.inputs.pr_number }}
+  cancel-in-progress: true

 jobs:
-  check_pr:
-    runs-on: ubuntu-latest
-    outputs:
-      PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Check if PR is open
-        id: check_pr
-        run: |
-          set -euo pipefail
-          pr_open=true
-          if [[ "$(gh pr view --json state | jq -r '.state')" != "OPEN" ]]; then
-            echo "PR doesn't exist or is closed."
-            pr_open=false
-          fi
-          echo "pr_open=$pr_open" >> $GITHUB_OUTPUT
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
  get_info:
-    needs: check_pr
-    if: ${{ needs.check_pr.outputs.PR_OPEN == 'true' }}
+    if: github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request'
    outputs:
      PR_NUMBER: ${{ steps.pr_info.outputs.PR_NUMBER }}
      PR_TITLE: ${{ steps.pr_info.outputs.PR_TITLE }}
      PR_URL: ${{ steps.pr_info.outputs.PR_URL }}
+      PR_BRANCH: ${{ steps.pr_info.outputs.PR_BRANCH }}
      CODER_BASE_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_BASE_IMAGE_TAG }}
      CODER_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_IMAGE_TAG }}
-      NEW: ${{ steps.check_deployment.outputs.NEW }}
-      BUILD: ${{ steps.build_conditionals.outputs.first_or_force_build == 'true' || steps.build_conditionals.outputs.automatic_rebuild == 'true' }}
+      NEW: ${{ steps.check_deployment.outputs.new }}
+      BUILD: ${{ steps.filter.outputs.all_count > steps.filter.outputs.ignored_count || steps.check_deployment.outputs.new }}

    runs-on: "ubuntu-latest"
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
      - name: Get PR number, title, and branch name
        id: pr_info
        run: |
-          set -euo pipefail
-          PR_NUMBER=$(gh pr view --json number | jq -r '.number')
-          PR_TITLE=$(gh pr view --json title | jq -r '.title')
-          PR_URL=$(gh pr view --json url | jq -r '.url')
-          echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT
+          set -euxo pipefail
+          PR_NUMBER=${{ github.event.inputs.pr_number || github.event.pull_request.number }}
+          PR_TITLE=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/coder/coder/pulls/$PR_NUMBER | jq -r '.title')
+          PR_BRANCH=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/coder/coder/pulls/$PR_NUMBER | jq -r '.head.ref')
+          echo "PR_URL=https://github.com/coder/coder/pull/$PR_NUMBER" >> $GITHUB_OUTPUT
          echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
          echo "PR_TITLE=$PR_TITLE" >> $GITHUB_OUTPUT
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          echo "PR_BRANCH=$PR_BRANCH" >> $GITHUB_OUTPUT

      - name: Set required tags
        id: set_tags
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          echo "CODER_BASE_IMAGE_TAG=$CODER_BASE_IMAGE_TAG" >> $GITHUB_OUTPUT
          echo "CODER_IMAGE_TAG=$CODER_IMAGE_TAG" >> $GITHUB_OUTPUT
        env:
@@ -108,30 +74,61 @@ jobs:

      - name: Set up kubeconfig
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          mkdir -p ~/.kube
-          echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
-          chmod 600 ~/.kube/config
+          echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG }}" > ~/.kube/config
          export KUBECONFIG=~/.kube/config

      - name: Check if the helm deployment already exists
        id: check_deployment
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          if helm status "pr${{ steps.pr_info.outputs.PR_NUMBER }}" --namespace "pr${{ steps.pr_info.outputs.PR_NUMBER }}" > /dev/null 2>&1; then
            echo "Deployment already exists. Skipping deployment."
-            NEW=false
+            new=false
          else
            echo "Deployment doesn't exist."
-            NEW=true
+            new=true
          fi
-          echo "NEW=$NEW" >> $GITHUB_OUTPUT
+          echo "new=$new" >> $GITHUB_OUTPUT
+
+      - name: Find Comment
+        uses: peter-evans/find-comment@v2
+        if: github.event_name == 'workflow_dispatch' || steps.check_deployment.outputs.NEW == 'false'
+        id: fc
+        with:
+          issue-number: ${{ steps.pr_info.outputs.PR_NUMBER }}
+          comment-author: "github-actions[bot]"
+          body-includes: ":rocket:"
+          direction: last
+
+      - name: Comment on PR
+        id: comment_id
+        if: github.event_name == 'workflow_dispatch' || steps.check_deployment.outputs.NEW == 'false'
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ steps.pr_info.outputs.PR_NUMBER }}
+          edit-mode: replace
+          body: |
+            ---
+            :rocket: Deploying PR ${{ steps.pr_info.outputs.PR_NUMBER }} ...
+            ---
+          reactions: eyes
+          reactions-edit-mode: replace
+
+      - name: Checkout
+        if: github.event_name == 'workflow_dispatch' || steps.check_deployment.outputs.NEW == 'false'
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ steps.pr_info.outputs.PR_BRANCH }}
+          fetch-depth: 0

      - name: Check changed files
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        if: github.event_name == 'workflow_dispatch' || steps.check_deployment.outputs.NEW == 'false'
+        uses: dorny/paths-filter@v2
        id: filter
        with:
-          base: ${{ github.ref }}
          filters: |
            all:
              - "**"
@@ -152,100 +149,57 @@ jobs:
              - "scripts/**/*[^D][^o][^c][^k][^e][^r][^f][^i][^l][^e][.][b][^a][^s][^e]*"

      - name: Print number of changed files
+        if: github.event_name == 'workflow_dispatch' || steps.check_deployment.outputs.NEW == 'false'
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          echo "Total number of changed files: ${{ steps.filter.outputs.all_count }}"
          echo "Number of ignored files: ${{ steps.filter.outputs.ignored_count }}"

-      - name: Build conditionals
-        id: build_conditionals
-        run: |
-          set -euo pipefail
-          # build if the workflow is manually triggered and the deployment doesn't exist (first build or force rebuild)
-          echo "first_or_force_build=${{ (github.event_name == 'workflow_dispatch' && steps.check_deployment.outputs.NEW == 'true') || github.event.inputs.build == 'true' }}" >> $GITHUB_OUTPUT
-          # build if the deployment already exist and there are changes in the files that we care about (automatic updates)
-          echo "automatic_rebuild=${{ steps.check_deployment.outputs.NEW == 'false' && steps.filter.outputs.all_count > steps.filter.outputs.ignored_count }}" >> $GITHUB_OUTPUT
-
-  comment-pr:
-    needs: get_info
-    if: needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true'
-    runs-on: "ubuntu-latest"
-    permissions:
-      pull-requests: write # needed for commenting on PRs
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Find Comment
-        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
-        id: fc
-        with:
-          issue-number: ${{ needs.get_info.outputs.PR_NUMBER }}
-          comment-author: "github-actions[bot]"
-          body-includes: ":rocket:"
-          direction: last
-
-      - name: Comment on PR
-        id: comment_id
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
-        with:
-          comment-id: ${{ steps.fc.outputs.comment-id }}
-          issue-number: ${{ needs.get_info.outputs.PR_NUMBER }}
-          edit-mode: replace
-          body: |
-            ---
-            :rocket: Deploying PR ${{ needs.get_info.outputs.PR_NUMBER }} ...
-            ---
-          reactions: eyes
-          reactions-edit-mode: replace
-
  build:
    needs: get_info
-    # Run build job only if there are changes in the files that we care about or if the workflow is manually triggered with --build flag
-    if: needs.get_info.outputs.BUILD == 'true'
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
-    permissions:
-      # Necessary to push docker images to ghcr.io.
-      packages: write
-    # This concurrency only cancels build jobs if a new build is triggred. It will avoid cancelling the current deployemtn in case of docs changes.
-    concurrency:
-      group: build-${{ github.workflow }}-${{ github.ref }}-${{ needs.get_info.outputs.BUILD }}
-      cancel-in-progress: true
+    # Skips the build job if the workflow was triggered by a workflow_dispatch event and the skip_build input is set to true
+    # or if the workflow was triggered by an issue_comment event and the comment body contains --skip-build
+    # always run the build job if a pull_request event triggered the workflow
+    if: |
+      (github.event_name == 'workflow_dispatch' && github.event.inputs.skip_build == 'false') ||
+      (github.event_name == 'pull_request' && needs.get_info.result == 'success' && needs.get_info.outputs.NEW == 'false')
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
      CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
+      PR_NUMBER: ${{ needs.get_info.outputs.PR_NUMBER }}
+      PR_BRANCH: ${{ needs.get_info.outputs.PR_BRANCH }}
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
        with:
+          ref: ${{ env.PR_BRANCH }}
          fetch-depth: 0

      - name: Setup Node
+        if: needs.get_info.outputs.BUILD == 'true'
        uses: ./.github/actions/setup-node

      - name: Setup Go
+        if: needs.get_info.outputs.BUILD == 'true'
        uses: ./.github/actions/setup-go

      - name: Setup sqlc
+        if: needs.get_info.outputs.BUILD == 'true'
        uses: ./.github/actions/setup-sqlc

      - name: GHCR Login
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        if: needs.get_info.outputs.BUILD == 'true'
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Linux amd64 Docker image
+        if: needs.get_info.outputs.BUILD == 'true'
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          go mod download
          make gen/mark-fresh
          export DOCKER_IMAGE_NO_PREREQUISITES=true
@@ -263,50 +217,35 @@ jobs:
    needs: [build, get_info]
    # Run deploy job only if build job was successful or skipped
    if: |
-      always() && (needs.build.result == 'success' || needs.build.result == 'skipped') &&
-      (needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true')
+      always() && (needs.build.result == 'success' || needs.build.result == 'skipped') && 
+      (github.event_name == 'workflow_dispatch' || needs.get_info.outputs.NEW == 'false')
    runs-on: "ubuntu-latest"
-    permissions:
-      pull-requests: write # needed for commenting on PRs
    env:
      CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
      PR_NUMBER: ${{ needs.get_info.outputs.PR_NUMBER }}
      PR_TITLE: ${{ needs.get_info.outputs.PR_TITLE }}
      PR_URL: ${{ needs.get_info.outputs.PR_URL }}
-      PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
+      PR_BRANCH: ${{ needs.get_info.outputs.PR_BRANCH }}
+      PR_DEPLOYMENT_ACCESS_URL: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Set up kubeconfig
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          mkdir -p ~/.kube
-          echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
-          chmod 600 ~/.kube/config
+          echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG }}" > ~/.kube/config
          export KUBECONFIG=~/.kube/config

      - name: Check if image exists
+        if: needs.get_info.outputs.NEW == 'true'
        run: |
-          set -euo pipefail
-          foundTag=$(
-            gh api /orgs/coder/packages/container/coder-preview/versions |
-            jq -r --arg tag "pr${{ env.PR_NUMBER }}" '.[] |
-            select(.metadata.container.tags == [$tag]) |
-            .metadata.container.tags[0]'
-          )
+          set -euxo pipefail
+          foundTag=$(curl -fsSL https://github.com/coder/coder/pkgs/container/coder-preview | grep -o ${{ env.CODER_IMAGE_TAG }} | head -n 1)
          if [ -z "$foundTag" ]; then
            echo "Image not found"
            echo "${{ env.CODER_IMAGE_TAG }} not found in ghcr.io/coder/coder-preview"
+            echo "Please remove --skip-build from the comment and try again"
            exit 1
-          else
-            echo "Image found"
-            echo "$foundTag tag found in ghcr.io/coder/coder-preview"
          fi
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Add DNS record to Cloudflare
        if: needs.get_info.outputs.NEW == 'true'
@@ -314,27 +253,43 @@ jobs:
          curl -X POST "https://api.cloudflare.com/client/v4/zones/${{ secrets.PR_DEPLOYMENTS_ZONE_ID }}/dns_records" \
            -H "Authorization: Bearer ${{ secrets.PR_DEPLOYMENTS_CLOUDFLARE_API_TOKEN }}" \
            -H "Content-Type:application/json" \
-            --data '{"type":"CNAME","name":"*.${{ env.PR_HOSTNAME }}","content":"${{ env.PR_HOSTNAME }}","ttl":1,"proxied":false}'
+            --data '{"type":"CNAME","name":"*.${{ env.PR_DEPLOYMENT_ACCESS_URL }}","content":"${{ env.PR_DEPLOYMENT_ACCESS_URL }}","ttl":1,"proxied":false}'
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ env.PR_BRANCH }}

      - name: Create PR namespace
-        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
+        if: needs.get_info.outputs.NEW == 'true'
        run: |
-          set -euo pipefail
+          set -euxo pipefail
          # try to delete the namespace, but don't fail if it doesn't exist
          kubectl delete namespace "pr${{ env.PR_NUMBER }}" || true
          kubectl create namespace "pr${{ env.PR_NUMBER }}"

-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
      - name: Check and Create Certificate
-        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
+        if: needs.get_info.outputs.NEW == 'true'
        run: |
          # Using kubectl to check if a Certificate resource already exists
          # we are doing this to avoid letsenrypt rate limits
          if ! kubectl get certificate pr${{ env.PR_NUMBER }}-tls -n pr-deployment-certs > /dev/null 2>&1; then
            echo "Certificate doesn't exist. Creating a new one."
-            envsubst < ./.github/pr-deployments/certificate.yaml | kubectl apply -f -
+            cat <<EOF | kubectl apply -f -
+            apiVersion: cert-manager.io/v1
+            kind: Certificate
+            metadata:
+              name: pr${{ env.PR_NUMBER }}-tls
+              namespace: pr-deployment-certs
+            spec:
+              secretName: pr${{ env.PR_NUMBER }}-tls
+              issuerRef:
+                name: letsencrypt
+                kind: ClusterIssuer
+              dnsNames:
+              - "${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
+              - "*.${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
+          EOF
          else
            echo "Certificate exists. Skipping certificate creation."
          fi
@@ -351,7 +306,7 @@ jobs:
          )

      - name: Set up PostgreSQL database
-        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
+        if: needs.get_info.outputs.NEW == 'true'
        run: |
          helm repo add bitnami https://charts.bitnami.com/bitnami
          helm install coder-db bitnami/postgresql \
@@ -363,46 +318,82 @@ jobs:
          kubectl create secret generic coder-db-url -n pr${{ env.PR_NUMBER }} \
            --from-literal=url="postgres://coder:coder@coder-db-postgresql.pr${{ env.PR_NUMBER }}.svc.cluster.local:5432/coder?sslmode=disable"

-      - name: Create a service account, role, and rolebinding for the PR namespace
-        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
-        run: |
-          set -euo pipefail
-          # Create service account, role, rolebinding
-          envsubst < ./.github/pr-deployments/rbac.yaml | kubectl apply -f -
-
      - name: Create values.yaml
-        env:
-          EXPERIMENTS: ${{ github.event.inputs.experiments }}
-          PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID }}
-          PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET }}
+        if: github.event_name == 'workflow_dispatch'
        run: |
-          set -euo pipefail
-          envsubst < ./.github/pr-deployments/values.yaml > ./pr-deploy-values.yaml
+          cat <<EOF > pr-deploy-values.yaml
+          coder:
+            image:
+              repo: ${{ env.REPO }}
+              tag: pr${{ env.PR_NUMBER }}
+              pullPolicy: Always
+            service:
+              type: ClusterIP
+            ingress:
+              enable: true
+              className: traefik
+              host: ${{ env.PR_DEPLOYMENT_ACCESS_URL }}
+              wildcardHost: "*.${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
+              tls:
+                enable: true
+                secretName: pr${{ env.PR_NUMBER }}-tls
+                wildcardSecretName: pr${{ env.PR_NUMBER }}-tls
+            env:
+              - name: "CODER_ACCESS_URL"
+                value: "https://${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
+              - name: "CODER_WILDCARD_ACCESS_URL"
+                value: "*.${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
+              - name: "CODER_EXPERIMENTS"
+                value: "${{ github.event.inputs.experiments }}"
+              - name: CODER_PG_CONNECTION_URL
+                valueFrom:
+                  secretKeyRef:
+                    name: coder-db-url
+                    key: url
+              - name: "CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS"
+                value: "true"
+              - name: "CODER_OAUTH2_GITHUB_CLIENT_ID"
+                value: "${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID }}"
+              - name: "CODER_OAUTH2_GITHUB_CLIENT_SECRET"
+                value: "${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET }}"
+              - name: "CODER_OAUTH2_GITHUB_ALLOWED_ORGS"
+                value: "coder"
+          EOF

      - name: Install/Upgrade Helm chart
        run: |
-          set -euo pipefail
-          helm dependency update --skip-refresh ./helm/coder
-          helm upgrade --install "pr${{ env.PR_NUMBER }}" ./helm/coder \
-          --namespace "pr${{ env.PR_NUMBER }}" \
-          --values ./pr-deploy-values.yaml \
-          --force
+          set -euxo pipefail
+          if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
+            helm upgrade --install "pr${{ env.PR_NUMBER }}" ./helm \
+            --namespace "pr${{ env.PR_NUMBER }}" \
+            --values ./pr-deploy-values.yaml \
+            --force
+          else
+            if [[ ${{ needs.get_info.outputs.BUILD }} == "true" ]]; then
+              helm upgrade --install "pr${{ env.PR_NUMBER }}" ./helm \
+              --namespace "pr${{ env.PR_NUMBER }}" \
+              --reuse-values \
+              --force
+            else
+              echo "Skipping helm upgrade, as there is no new image to deploy"
+            fi
+          fi

      - name: Install coder-logstream-kube
-        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
+        if: needs.get_info.outputs.NEW == 'true'
        run: |
          helm repo add coder-logstream-kube https://helm.coder.com/logstream-kube
          helm upgrade --install coder-logstream-kube coder-logstream-kube/coder-logstream-kube \
            --namespace "pr${{ env.PR_NUMBER }}" \
-            --set url="https://${{ env.PR_HOSTNAME }}"
+            --set url="https://pr${{ env.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"

      - name: Get Coder binary
-        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
+        if: needs.get_info.outputs.NEW == 'true'
        run: |
-          set -euo pipefail
+          set -euxo pipefail

          DEST="${HOME}/coder"
-          URL="https://${{ env.PR_HOSTNAME }}/bin/coder-linux-amd64"
+          URL="https://${{ env.PR_DEPLOYMENT_ACCESS_URL }}/bin/coder-linux-amd64"

          mkdir -p "$(dirname ${DEST})"

@@ -420,15 +411,15 @@ jobs:
          curl -fsSL "$URL" -o "${DEST}"
          chmod +x "${DEST}"
          "${DEST}" version
-          sudo mv "${DEST}" /usr/local/bin/coder
+          mv "${DEST}" /usr/local/bin/coder

-      - name: Create first user
-        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
+      - name: Create first user, template and workspace
+        if: needs.get_info.outputs.NEW == 'true'
        id: setup_deployment
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          set -euo pipefail
+          set -euxo pipefail
+
+          # Create first user

          # create a masked random password 12 characters long
          password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-12)
@@ -438,25 +429,28 @@ jobs:
          echo "password=$password" >> $GITHUB_OUTPUT

          coder login \
-            --first-user-username pr${{ env.PR_NUMBER }}-admin \
+            --first-user-username test \
            --first-user-email pr${{ env.PR_NUMBER }}@coder.com \
            --first-user-password $password \
-            --first-user-trial=false \
+            --first-user-trial \
            --use-token-as-session \
-            https://${{ env.PR_HOSTNAME }}
+            https://${{ env.PR_DEPLOYMENT_ACCESS_URL }}

-          # Create a user for the github.actor
-          # TODO: update once https://github.com/coder/coder/issues/15466 is resolved
-          # coder users create \
-          #   --username ${{ github.actor }} \
-          #   --login-type github
+          # Create template
+          coder templates init --id kubernetes && cd ./kubernetes/ && coder templates create -y --variable namespace=pr${{ env.PR_NUMBER }}

-          # promote the user to admin role
-          # coder org members edit-role ${{ github.actor }} organization-admin
-          # TODO: update once https://github.com/coder/internal/issues/207 is resolved
+          # Create workspace
+          cat <<EOF > workspace.yaml
+          cpu: "2"
+          memory: "4"
+          home_disk_size: "2"
+          EOF
+
+          coder create --template="kubernetes" test --rich-parameter-file ./workspace.yaml -y
+          coder stop test -y

      - name: Send Slack notification
-        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
+        if: needs.get_info.outputs.NEW == 'true'
        run: |
          curl -s -o /dev/null -X POST -H 'Content-type: application/json' \
            -d \
@@ -464,8 +458,8 @@ jobs:
              "pr_number": "'"${{ env.PR_NUMBER }}"'",
              "pr_url": "'"${{ env.PR_URL }}"'",
              "pr_title": "'"${{ env.PR_TITLE }}"'",
-              "pr_access_url": "'"https://${{ env.PR_HOSTNAME }}"'",
-              "pr_username": "'"pr${{ env.PR_NUMBER }}-admin"'",
+              "pr_access_url": "'"https://${{ env.PR_DEPLOYMENT_ACCESS_URL }}"'",
+              "pr_username": "'"test"'",
              "pr_email": "'"pr${{ env.PR_NUMBER }}@coder.com"'",
              "pr_password": "'"${{ steps.setup_deployment.outputs.password }}"'",
              "pr_actor": "'"${{ github.actor }}"'"
@@ -474,7 +468,7 @@ jobs:
          echo "Slack notification sent"

      - name: Find Comment
-        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
+        uses: peter-evans/find-comment@v2
        id: fc
        with:
          issue-number: ${{ env.PR_NUMBER }}
@@ -483,7 +477,7 @@ jobs:
          direction: last

      - name: Comment on PR
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        uses: peter-evans/create-or-update-comment@v3
        env:
          STATUS: ${{ needs.get_info.outputs.NEW == 'true' && 'Created' || 'Updated' }}
        with:
@@ -498,14 +492,3 @@ jobs:
            cc: @${{ github.actor }}
          reactions: rocket
          reactions-edit-mode: replace
-
-      - name: Create template and workspace
-        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
-        run: |
-          set -euo pipefail
-          cd .github/pr-deployments/template
-          coder templates push -y --variable namespace=pr${{ env.PR_NUMBER }} kubernetes
-
-          # Create workspace
-          coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
-          coder stop kube -y
@@ -1,28 +0,0 @@
-name: release-validation
-
-on:
-  push:
-    tags:
-      - "v*"
-
-permissions:
-  contents: read
-
-jobs:
-  network-performance:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Run Schmoder CI
-        uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4
-        with:
-          workflow: ci.yaml
-          repo: coder/schmoder
-          inputs: '{ "num_releases": "3", "commit": "${{ github.sha }}" }'
-          token: ${{ secrets.CDRCI_SCHMODER_ACTIONS_TOKEN }}
-          ref: main
@@ -1,16 +1,11 @@
 # GitHub release workflow.
 name: Release
 on:
+  push:
+    tags:
+      - "v*"
  workflow_dispatch:
    inputs:
-      release_channel:
-        type: choice
-        description: Release channel
-        options:
-          - mainline
-          - stable
-      release_notes:
-        description: Release notes for the publishing the release. This is required to create a release.
      dry_run:
        description: Perform a dry-run release (devel). Note that ref must be an annotated tag when run without dry-run.
        type: boolean
@@ -18,7 +13,12 @@ on:
        default: false

 permissions:
-  contents: read
+  # Required to publish a release
+  contents: write
+  # Necessary to push docker images to ghcr.io.
+  packages: write
+  # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+  id-token: write

 concurrency: ${{ github.workflow }}-${{ github.ref }}

@@ -28,118 +28,23 @@ env:
  # https://github.blog/changelog/2022-06-10-github-actions-inputs-unified-across-manual-and-reusable-workflows/
  CODER_RELEASE: ${{ !inputs.dry_run }}
  CODER_DRY_RUN: ${{ inputs.dry_run }}
-  CODER_RELEASE_CHANNEL: ${{ inputs.release_channel }}
-  CODER_RELEASE_NOTES: ${{ inputs.release_notes }}
+  # For some reason, setup-go won't actually pick up a new patch version if
+  # it has an old one cached. We need to manually specify the versions so we
+  # can get the latest release. Never use "~1.xx" here!
+  CODER_GO_VERSION: "1.20.6"

 jobs:
-  # build-dylib is a separate job to build the dylib on macOS.
-  build-dylib:
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
-    steps:
-      # Harden Runner doesn't work on macOS.
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      # If the event that triggered the build was an annotated tag (which our
-      # tags are supposed to be), actions/checkout has a bug where the tag in
-      # question is only a lightweight tag and not a full annotated tag. This
-      # command seems to fix it.
-      # https://github.com/actions/checkout/issues/290
-      - name: Fetch git tags
-        run: git fetch --tags --force
-
-      - name: Setup build tools
-        run: |
-          brew install bash gnu-getopt make
-          echo "$(brew --prefix bash)/bin" >> $GITHUB_PATH
-          echo "$(brew --prefix gnu-getopt)/bin" >> $GITHUB_PATH
-          echo "$(brew --prefix make)/libexec/gnubin" >> $GITHUB_PATH
-
-      - name: Switch XCode Version
-        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
-        with:
-          xcode-version: "16.1.0"
-
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
-
-      - name: Install rcodesign
-        run: |
-          set -euo pipefail
-          wget -O /tmp/rcodesign.tar.gz https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-macos-universal.tar.gz
-          sudo tar -xzf /tmp/rcodesign.tar.gz \
-            -C /usr/local/bin \
-            --strip-components=1 \
-            apple-codesign-0.22.0-macos-universal/rcodesign
-          rm /tmp/rcodesign.tar.gz
-
-      - name: Setup Apple Developer certificate and API key
-        run: |
-          set -euo pipefail
-          touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
-          chmod 600 /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
-          echo "$AC_CERTIFICATE_P12_BASE64" | base64 -d > /tmp/apple_cert.p12
-          echo "$AC_CERTIFICATE_PASSWORD" > /tmp/apple_cert_password.txt
-          echo "$AC_APIKEY_P8_BASE64" | base64 -d > /tmp/apple_apikey.p8
-        env:
-          AC_CERTIFICATE_P12_BASE64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
-          AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
-          AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}
-
-      - name: Build dylibs
-        run: |
-          set -euxo pipefail
-          go mod download
-
-          make gen/mark-fresh
-          make build/coder-dylib
-        env:
-          CODER_SIGN_DARWIN: 1
-          AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
-          AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
-
-      - name: Upload build artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: dylibs
-          path: |
-            ./build/*.h
-            ./build/*.dylib
-          retention-days: 7
-
-      - name: Delete Apple Developer certificate and API key
-        run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
-
  release:
    name: Build and publish
-    needs: build-dylib
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
-    permissions:
-      # Required to publish a release
-      contents: write
-      # Necessary to push docker images to ghcr.io.
-      packages: write
-      # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
-      # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
-      # And for GitHub Actions attestation
-      id-token: write
-      # Required for GitHub Actions attestation
-      attestations: write
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
    env:
      # Necessary for Docker manifest
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0

@@ -161,45 +66,21 @@ jobs:
          echo "CODER_FORCE_VERSION=$version" >> $GITHUB_ENV
          echo "$version"

-      # Verify that all expectations for a release are met.
-      - name: Verify release input
-        if: ${{ !inputs.dry_run }}
-        run: |
-          set -euo pipefail
-
-          if [[ "${GITHUB_REF}" != "refs/tags/v"* ]]; then
-            echo "Ref must be a semver tag when creating a release, did you use scripts/release.sh?"
-            exit 1
-          fi
-
-          # 2.10.2 -> release/2.10
-          version="$(./scripts/version.sh)"
-          release_branch=release/${version%.*}
-          branch_contains_tag=$(git branch --remotes --contains "${GITHUB_REF}" --list "*/${release_branch}" --format='%(refname)')
-          if [[ -z "${branch_contains_tag}" ]]; then
-            echo "Ref tag must exist in a branch named ${release_branch} when creating a release, did you use scripts/release.sh?"
-            exit 1
-          fi
-
-          if [[ -z "${CODER_RELEASE_NOTES}" ]]; then
-            echo "Release notes are required to create a release, did you use scripts/release.sh?"
-            exit 1
-          fi
-
-          echo "Release inputs verified:"
-          echo
-          echo "- Ref: ${GITHUB_REF}"
-          echo "- Version: ${version}"
-          echo "- Release channel: ${CODER_RELEASE_CHANNEL}"
-          echo "- Release branch: ${release_branch}"
-          echo "- Release notes: true"
-
-      - name: Create release notes file
+      - name: Create release notes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # We always have to set this since there might be commits on
+          # main that didn't have a PR.
+          CODER_IGNORE_MISSING_COMMIT_METADATA: "1"
        run: |
          set -euo pipefail
+          ref=HEAD
+          old_version="$(git describe --abbrev=0 "$ref^1")"
+          version="v$(./scripts/version.sh)"

+          # Generate notes.
          release_notes_file="$(mktemp -t release_notes.XXXXXX)"
-          echo "$CODER_RELEASE_NOTES" > "$release_notes_file"
+          ./scripts/release/generate_release_notes.sh --check-for-changelog --old-version "$old_version" --new-version "$version" --ref "$ref" >> "$release_notes_file"
          echo CODER_RELEASE_NOTES_FILE="$release_notes_file" >> $GITHUB_ENV

      - name: Show release notes
@@ -208,7 +89,7 @@ jobs:
          cat "$CODER_RELEASE_NOTES_FILE"

      - name: Docker Login
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -220,23 +101,13 @@ jobs:
      - name: Setup Node
        uses: ./.github/actions/setup-node

-      # Necessary for signing Windows binaries.
-      - name: Setup Java
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          distribution: "zulu"
-          java-version: "11.0"
-
-      - name: Install go-winres
-        run: go install github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e # v0.3.3
-
      - name: Install nsis and zstd
        run: sudo apt-get install -y nsis zstd

      - name: Install nfpm
        run: |
          set -euo pipefail
-          wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.35.1/nfpm_2.35.1_amd64.deb
+          wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.18.1/nfpm_amd64.deb
          sudo dpkg -i /tmp/nfpm.deb
          rm /tmp/nfpm.deb

@@ -250,12 +121,6 @@ jobs:
            apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
          rm /tmp/rcodesign.tar.gz

-      - name: Install cosign
-        uses: ./.github/actions/install-cosign
-
-      - name: Install syft
-        uses: ./.github/actions/install-syft
-
      - name: Setup Apple Developer certificate and API key
        run: |
          set -euo pipefail
@@ -269,44 +134,6 @@ jobs:
          AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
          AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}

-      - name: Setup Windows EV Signing Certificate
-        run: |
-          set -euo pipefail
-          touch /tmp/ev_cert.pem
-          chmod 600 /tmp/ev_cert.pem
-          echo "$EV_SIGNING_CERT" > /tmp/ev_cert.pem
-          wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign-6.0.jar
-        env:
-          EV_SIGNING_CERT: ${{ secrets.EV_SIGNING_CERT }}
-
-      - name: Test migrations from current ref to main
-        run: |
-          POSTGRES_VERSION=13 make test-migrations
-
-      # Setup GCloud for signing Windows binaries.
-      - name: Authenticate to Google Cloud
-        id: gcloud_auth
-        uses: google-github-actions/auth@140bb5113ffb6b65a7e9b937a81fa96cf5064462 # v2.1.11
-        with:
-          workload_identity_provider: ${{ vars.GCP_CODE_SIGNING_WORKLOAD_ID_PROVIDER }}
-          service_account: ${{ vars.GCP_CODE_SIGNING_SERVICE_ACCOUNT }}
-          token_format: "access_token"
-
-      - name: Setup GCloud SDK
-        uses: google-github-actions/setup-gcloud@6a7c903a70c8625ed6700fa299f5ddb4ca6022e9 # v2.1.5
-
-      - name: Download dylibs
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: dylibs
-          path: ./build
-
-      - name: Insert dylibs
-        run: |
-          mv ./build/*amd64.dylib ./site/out/bin/coder-vpn-darwin-amd64.dylib
-          mv ./build/*arm64.dylib ./site/out/bin/coder-vpn-darwin-arm64.dylib
-          mv ./build/*arm64.h     ./site/out/bin/coder-vpn-darwin-dylib.h
-
      - name: Build binaries
        run: |
          set -euo pipefail
@@ -318,32 +145,18 @@ jobs:
            build/coder_"$version"_linux_{amd64,armv7,arm64}.{tar.gz,apk,deb,rpm} \
            build/coder_"$version"_{darwin,windows}_{amd64,arm64}.zip \
            build/coder_"$version"_windows_amd64_installer.exe \
-            build/coder_helm_"$version".tgz \
-            build/provisioner_helm_"$version".tgz
+            build/coder_helm_"$version".tgz
        env:
-          CODER_SIGN_WINDOWS: "1"
          CODER_SIGN_DARWIN: "1"
-          CODER_SIGN_GPG: "1"
-          CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
-          CODER_WINDOWS_RESOURCES: "1"
          AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
          AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
          AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
          AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
          AC_APIKEY_FILE: /tmp/apple_apikey.p8
-          EV_KEY: ${{ secrets.EV_KEY }}
-          EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }}
-          EV_TSA_URL: ${{ secrets.EV_TSA_URL }}
-          EV_CERTIFICATE_PATH: /tmp/ev_cert.pem
-          GCLOUD_ACCESS_TOKEN: ${{ steps.gcloud_auth.outputs.access_token }}
-          JSIGN_PATH: /tmp/jsign-6.0.jar

      - name: Delete Apple Developer certificate and API key
        run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}

-      - name: Delete Windows EV Signing Cert
-        run: rm /tmp/ev_cert.pem
-
      - name: Determine base image tag
        id: image-base-tag
        run: |
@@ -361,19 +174,17 @@ jobs:

      - name: Install depot.dev CLI
        if: steps.image-base-tag.outputs.tag != ''
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+        uses: depot/setup-action@v1

      # This uses OIDC authentication, so no auth variables are required.
      - name: Build base Docker image via depot.dev
        if: steps.image-base-tag.outputs.tag != ''
-        uses: depot/build-push-action@2583627a84956d07561420dcc1d0eb1f2af3fac0 # v1.15.0
+        uses: depot/build-push-action@v1
        with:
          project: wl5hnrrkns
          context: base-build-context
          file: scripts/Dockerfile.base
          platforms: linux/amd64,linux/arm64,linux/arm/v7
-          provenance: true
-          sbom: true
          pull: true
          no-cache: true
          push: true
@@ -381,7 +192,6 @@ jobs:
            ${{ steps.image-base-tag.outputs.tag }}

      - name: Verify that images are pushed properly
-        if: steps.image-base-tag.outputs.tag != ''
        run: |
          # retry 10 times with a 5 second delay as the images may not be
          # available immediately
@@ -410,55 +220,14 @@ jobs:
          echo "$manifests" | grep -q linux/arm64
          echo "$manifests" | grep -q linux/arm/v7

-      # GitHub attestation provides SLSA provenance for Docker images, establishing a verifiable
-      # record that these images were built in GitHub Actions with specific inputs and environment.
-      # This complements our existing cosign attestations (which focus on SBOMs) by adding
-      # GitHub-specific build provenance to enhance our supply chain security.
-      #
-      # TODO: Consider refactoring these attestation steps to use a matrix strategy or composite action
-      # to reduce duplication while maintaining the required functionality for each distinct image tag.
-      - name: GitHub Attestation for Base Docker image
-        id: attest_base
-        if: ${{ !inputs.dry_run && steps.image-base-tag.outputs.tag != '' }}
-        continue-on-error: true
-        uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0
-        with:
-          subject-name: ${{ steps.image-base-tag.outputs.tag }}
-          predicate-type: "https://slsa.dev/provenance/v1"
-          predicate: |
-            {
-              "buildType": "https://github.com/actions/runner-images/",
-              "builder": {
-                "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-              },
-              "invocation": {
-                "configSource": {
-                  "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
-                  "digest": {
-                    "sha1": "${{ github.sha }}"
-                  },
-                  "entryPoint": ".github/workflows/release.yaml"
-                },
-                "environment": {
-                  "github_workflow": "${{ github.workflow }}",
-                  "github_run_id": "${{ github.run_id }}"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {
-                  "environment": true,
-                  "materials": true
-                }
-              }
-            }
-          push-to-registry: true
-
      - name: Build Linux Docker images
-        id: build_docker
        run: |
          set -euxo pipefail

+          # build Docker images for each architecture
+          version="$(./scripts/version.sh)"
+          make -j build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
+
          # we can't build multi-arch if the images aren't pushed, so quit now
          # if dry-running
          if [[ "$CODER_RELEASE" != *t* ]]; then
@@ -466,166 +235,22 @@ jobs:
            exit 0
          fi

-          # build Docker images for each architecture
-          version="$(./scripts/version.sh)"
-          make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
-
          # build and push multi-arch manifest, this depends on the other images
          # being pushed so will automatically push them.
-          make push/build/coder_"$version"_linux.tag
-
-          # Save multiarch image tag for attestation
-          multiarch_image="$(./scripts/image_tag.sh)"
-          echo "multiarch_image=${multiarch_image}" >> $GITHUB_OUTPUT
-
-          # For debugging, print all docker image tags
-          docker images
+          make -j push/build/coder_"$version"_linux.tag

          # if the current version is equal to the highest (according to semver)
          # version in the repo, also create a multi-arch image as ":latest" and
          # push it
-          created_latest_tag=false
          if [[ "$(git tag | grep '^v' | grep -vE '(rc|dev|-|\+|\/)' | sort -r --version-sort | head -n1)" == "v$(./scripts/version.sh)" ]]; then
            ./scripts/build_docker_multiarch.sh \
              --push \
              --target "$(./scripts/image_tag.sh --version latest)" \
              $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
-            created_latest_tag=true
-            echo "created_latest_tag=true" >> $GITHUB_OUTPUT
-          else
-            echo "created_latest_tag=false" >> $GITHUB_OUTPUT
          fi
        env:
          CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }}

-      - name: SBOM Generation and Attestation
-        if: ${{ !inputs.dry_run }}
-        env:
-          COSIGN_EXPERIMENTAL: "1"
-        run: |
-          set -euxo pipefail
-
-          # Generate SBOM for multi-arch image with version in filename
-          echo "Generating SBOM for multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
-          syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json > coder_${{ steps.version.outputs.version }}_sbom.spdx.json
-
-          # Attest SBOM to multi-arch image
-          echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
-          cosign clean --force=true "${{ steps.build_docker.outputs.multiarch_image }}"
-          cosign attest --type spdxjson \
-            --predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \
-            --yes \
-            "${{ steps.build_docker.outputs.multiarch_image }}"
-
-          # If latest tag was created, also attest it
-          if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
-            latest_tag="$(./scripts/image_tag.sh --version latest)"
-            echo "Generating SBOM for latest image: ${latest_tag}"
-            syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
-
-            echo "Attesting SBOM to latest image: ${latest_tag}"
-            cosign clean --force=true "${latest_tag}"
-            cosign attest --type spdxjson \
-              --predicate coder_latest_sbom.spdx.json \
-              --yes \
-              "${latest_tag}"
-          fi
-
-      - name: GitHub Attestation for Docker image
-        id: attest_main
-        if: ${{ !inputs.dry_run }}
-        continue-on-error: true
-        uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0
-        with:
-          subject-name: ${{ steps.build_docker.outputs.multiarch_image }}
-          predicate-type: "https://slsa.dev/provenance/v1"
-          predicate: |
-            {
-              "buildType": "https://github.com/actions/runner-images/",
-              "builder": {
-                "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-              },
-              "invocation": {
-                "configSource": {
-                  "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
-                  "digest": {
-                    "sha1": "${{ github.sha }}"
-                  },
-                  "entryPoint": ".github/workflows/release.yaml"
-                },
-                "environment": {
-                  "github_workflow": "${{ github.workflow }}",
-                  "github_run_id": "${{ github.run_id }}"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {
-                  "environment": true,
-                  "materials": true
-                }
-              }
-            }
-          push-to-registry: true
-
-      # Get the latest tag name for attestation
-      - name: Get latest tag name
-        id: latest_tag
-        if: ${{ !inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true' }}
-        run: echo "tag=$(./scripts/image_tag.sh --version latest)" >> $GITHUB_OUTPUT
-
-      # If this is the highest version according to semver, also attest the "latest" tag
-      - name: GitHub Attestation for "latest" Docker image
-        id: attest_latest
-        if: ${{ !inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true' }}
-        continue-on-error: true
-        uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0
-        with:
-          subject-name: ${{ steps.latest_tag.outputs.tag }}
-          predicate-type: "https://slsa.dev/provenance/v1"
-          predicate: |
-            {
-              "buildType": "https://github.com/actions/runner-images/",
-              "builder": {
-                "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-              },
-              "invocation": {
-                "configSource": {
-                  "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
-                  "digest": {
-                    "sha1": "${{ github.sha }}"
-                  },
-                  "entryPoint": ".github/workflows/release.yaml"
-                },
-                "environment": {
-                  "github_workflow": "${{ github.workflow }}",
-                  "github_run_id": "${{ github.run_id }}"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {
-                  "environment": true,
-                  "materials": true
-                }
-              }
-            }
-          push-to-registry: true
-
-      # Report attestation failures but don't fail the workflow
-      - name: Check attestation status
-        if: ${{ !inputs.dry_run }}
-        run: |
-          if [[ "${{ steps.attest_base.outcome }}" == "failure" && "${{ steps.attest_base.conclusion }}" != "skipped" ]]; then
-            echo "::warning::GitHub attestation for base image failed"
-          fi
-          if [[ "${{ steps.attest_main.outcome }}" == "failure" ]]; then
-            echo "::warning::GitHub attestation for main image failed"
-          fi
-          if [[ "${{ steps.attest_latest.outcome }}" == "failure" && "${{ steps.attest_latest.conclusion }}" != "skipped" ]]; then
-            echo "::warning::GitHub attestation for latest image failed"
-          fi
-
      - name: Generate offline docs
        run: |
          version="$(./scripts/version.sh)"
@@ -634,76 +259,38 @@ jobs:
      - name: ls build
        run: ls -lh build

-      - name: Publish Coder CLI binaries and detached signatures to GCS
-        if: ${{ !inputs.dry_run && github.ref == 'refs/heads/main' && github.repository_owner == 'coder'}}
-        run: |
-          set -euxo pipefail
-
-          version="$(./scripts/version.sh)"
-
-          # Source array of slim binaries
-          declare -A binaries
-          binaries["coder-darwin-amd64"]="coder-slim_${version}_darwin_amd64"
-          binaries["coder-darwin-arm64"]="coder-slim_${version}_darwin_arm64"
-          binaries["coder-linux-amd64"]="coder-slim_${version}_linux_amd64"
-          binaries["coder-linux-arm64"]="coder-slim_${version}_linux_arm64"
-          binaries["coder-linux-armv7"]="coder-slim_${version}_linux_armv7"
-          binaries["coder-windows-amd64.exe"]="coder-slim_${version}_windows_amd64.exe"
-          binaries["coder-windows-arm64.exe"]="coder-slim_${version}_windows_arm64.exe"
-
-          for cli_name in "${!binaries[@]}"; do
-            slim_binary="${binaries[$cli_name]}"
-            detached_signature="${slim_binary}.asc"
-            gcloud storage cp "./build/${slim_binary}" "gs://releases.coder.com/coder-cli/${version}/${cli_name}"
-            gcloud storage cp "./build/${detached_signature}" "gs://releases.coder.com/coder-cli/${version}/${cli_name}.asc"
-          done
-
      - name: Publish release
        run: |
          set -euo pipefail

          publish_args=()
-          if [[ $CODER_RELEASE_CHANNEL == "stable" ]]; then
-            publish_args+=(--stable)
-          fi
          if [[ $CODER_DRY_RUN == *t* ]]; then
            publish_args+=(--dry-run)
          fi
          declare -p publish_args

-          # Build the list of files to publish
-          files=(
-            ./build/*_installer.exe
-            ./build/*.zip
-            ./build/*.tar.gz
-            ./build/*.tgz
-            ./build/*.apk
-            ./build/*.deb
-            ./build/*.rpm
-            ./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
-          )
-
-          # Only include the latest SBOM file if it was created
-          if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
-            files+=(./coder_latest_sbom.spdx.json)
-          fi
-
          ./scripts/release/publish.sh \
            "${publish_args[@]}" \
            --release-notes-file "$CODER_RELEASE_NOTES_FILE" \
-            "${files[@]}"
+            ./build/*_installer.exe \
+            ./build/*.zip \
+            ./build/*.tar.gz \
+            ./build/*.tgz \
+            ./build/*.apk \
+            ./build/*.deb \
+            ./build/*.rpm
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}

      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@140bb5113ffb6b65a7e9b937a81fa96cf5064462 # v2.1.11
+        uses: google-github-actions/auth@v1
        with:
-          workload_identity_provider: ${{ vars.GCP_WORKLOAD_ID_PROVIDER }}
-          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_ID_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: Setup GCloud SDK
-        uses: google-github-actions/setup-gcloud@6a7c903a70c8625ed6700fa299f5ddb4ca6022e9 # 2.1.5
+        uses: "google-github-actions/setup-gcloud@v1"

      - name: Publish Helm Chart
        if: ${{ !inputs.dry_run }}
@@ -712,19 +299,15 @@ jobs:
          version="$(./scripts/version.sh)"
          mkdir -p build/helm
          cp "build/coder_helm_${version}.tgz" build/helm
-          cp "build/provisioner_helm_${version}.tgz" build/helm
          gsutil cp gs://helm.coder.com/v2/index.yaml build/helm/index.yaml
          helm repo index build/helm --url https://helm.coder.com/v2 --merge build/helm/index.yaml
          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/coder_helm_${version}.tgz gs://helm.coder.com/v2
-          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/provisioner_helm_${version}.tgz gs://helm.coder.com/v2
          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/index.yaml gs://helm.coder.com/v2
          gsutil -h "Cache-Control:no-cache,max-age=0" cp helm/artifacthub-repo.yml gs://helm.coder.com/v2
-          helm push build/coder_helm_${version}.tgz oci://ghcr.io/coder/chart
-          helm push build/provisioner_helm_${version}.tgz oci://ghcr.io/coder/chart

      - name: Upload artifacts to actions (if dry-run)
        if: ${{ inputs.dry_run }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@v3
        with:
          name: release-artifacts
          path: |
@@ -735,123 +318,24 @@ jobs:
            ./build/*.apk
            ./build/*.deb
            ./build/*.rpm
-            ./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
          retention-days: 7

-      - name: Upload latest sbom artifact to actions (if dry-run)
-        if: inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true'
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: latest-sbom-artifact
-          path: ./coder_latest_sbom.spdx.json
-          retention-days: 7
-
-      - name: Send repository-dispatch event
+      - name: Start Packer builds
        if: ${{ !inputs.dry_run }}
-        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        uses: peter-evans/repository-dispatch@v2
        with:
          token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
          repository: coder/packages
          event-type: coder-release
-          client-payload: '{"coder_version": "${{ steps.version.outputs.version }}", "release_channel": "${{ inputs.release_channel }}"}'
-
-  publish-homebrew:
-    name: Publish to Homebrew tap
-    runs-on: ubuntu-latest
-    needs: release
-    if: ${{ !inputs.dry_run }}
-
-    steps:
-      # TODO: skip this if it's not a new release (i.e. a backport). This is
-      #       fine right now because it just makes a PR that we can close.
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Update homebrew
-        env:
-          # Variables used by the `gh` command
-          GH_REPO: coder/homebrew-coder
-          GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
-        run: |
-          # Keep version number around for reference, removing any potential leading v
-          coder_version="$(echo "${{ needs.release.outputs.version }}" | tr -d v)"
-
-          set -euxo pipefail
-
-          # Setup Git
-          git config --global user.email "ci@coder.com"
-          git config --global user.name "Coder CI"
-          git config --global credential.helper "store"
-
-          temp_dir="$(mktemp -d)"
-          cd "$temp_dir"
-
-          # Download checksums
-          checksums_url="$(gh release view --repo coder/coder "v$coder_version" --json assets \
-            | jq -r ".assets | map(.url) | .[]" \
-            | grep -e ".checksums.txt\$")"
-          wget "$checksums_url" -O checksums.txt
-
-          # Get the SHAs
-          darwin_arm_sha="$(cat checksums.txt | grep "darwin_arm64.zip" | awk '{ print $1 }')"
-          darwin_intel_sha="$(cat checksums.txt | grep "darwin_amd64.zip" | awk '{ print $1 }')"
-          linux_sha="$(cat checksums.txt | grep "linux_amd64.tar.gz" | awk '{ print $1 }')"
-
-          echo "macOS arm64: $darwin_arm_sha"
-          echo "macOS amd64: $darwin_intel_sha"
-          echo "Linux amd64: $linux_sha"
-
-          # Check out the homebrew repo
-          git clone "https://github.com/$GH_REPO" homebrew-coder
-          brew_branch="auto-release/$coder_version"
-          cd homebrew-coder
-
-          # Check if a PR already exists.
-          pr_count="$(gh pr list --search "head:$brew_branch" --json id,closed | jq -r ".[] | select(.closed == false) | .id" | wc -l)"
-          if [[ "$pr_count" > 0 ]]; then
-            echo "Bailing out as PR already exists" 2>&1
-            exit 0
-          fi
-
-          # Set up cdrci credentials for pushing to homebrew-coder
-          echo "https://x-access-token:$GH_TOKEN@github.com" >> ~/.git-credentials
-          # Update the formulae and push
-          git checkout -b "$brew_branch"
-          ./scripts/update-v2.sh "$coder_version" "$darwin_arm_sha" "$darwin_intel_sha" "$linux_sha"
-          git add .
-          git commit -m "coder $coder_version"
-          git push -u origin -f "$brew_branch"
-
-          # Create PR
-          gh pr create \
-            -B master -H "$brew_branch" \
-            -t "coder $coder_version" \
-            -b "" \
-            -r "${{ github.actor }}" \
-            -a "${{ github.actor }}" \
-            -b "This automatic PR was triggered by the release of Coder v$coder_version"
+          client-payload: '{"coder_version": "${{ steps.version.outputs.version }}"}'

  publish-winget:
    name: Publish to winget-pkgs
    runs-on: windows-latest
    needs: release
-    if: ${{ !inputs.dry_run }}
-
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Sync fork
-        run: gh repo sync cdrci/winget-pkgs -b master
-        env:
-          GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0

@@ -876,26 +360,33 @@ jobs:

          $release_assets = gh release view --repo coder/coder "v${version}" --json assets | `
            ConvertFrom-Json
-          # Get the installer URLs from the release assets.
-          $amd64_installer_url = $release_assets.assets | `
+          # Get the installer URL from the release assets.
+          $installer_url = $release_assets.assets | `
            Where-Object name -Match ".*_windows_amd64_installer.exe$" | `
            Select -ExpandProperty url
-          $amd64_zip_url = $release_assets.assets | `
-            Where-Object name -Match ".*_windows_amd64.zip$" | `
-            Select -ExpandProperty url
-          $arm64_zip_url = $release_assets.assets | `
-            Where-Object name -Match ".*_windows_arm64.zip$" | `
-            Select -ExpandProperty url

-          echo "amd64 Installer URL: ${amd64_installer_url}"
-          echo "amd64 zip URL: ${amd64_zip_url}"
-          echo "arm64 zip URL: ${arm64_zip_url}"
+          echo "Installer URL: ${installer_url}"
          echo "Package version: ${version}"

+          # Bail if dry-run.
+          if ($env:CODER_DRY_RUN -match "t") {
+            echo "Skipping submission due to dry-run."
+            exit 0
+          }
+
+          # The URL "|X64" suffix forces the architecture as it cannot be
+          # sniffed properly from the URL. wingetcreate checks both the URL and
+          # binary magic bytes for the architecture and they need to both match,
+          # but they only check for `x64`, `win64` and `_64` in the URL. Our URL
+          # contains `amd64` which doesn't match sadly.
+          #
+          # wingetcreate will still do the binary magic bytes check, so if we
+          # accidentally change the architecture of the installer, it will fail
+          # submission.
          .\wingetcreate.exe update Coder.Coder `
            --submit `
            --version "${version}" `
-            --urls "${amd64_installer_url}" "${amd64_zip_url}" "${arm64_zip_url}" `
+            --urls "${installer_url}|X64" `
            --token "$env:WINGET_GH_TOKEN"

        env:
@@ -906,6 +397,7 @@ jobs:
          WINGET_GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}

      - name: Comment on PR
+        if: ${{ !inputs.dry_run }}
        run: |
          # wait 30 seconds
          Start-Sleep -Seconds 30.0
@@ -921,34 +413,3 @@ jobs:
          # For gh CLI. We need a real token since we're commenting on a PR in a
          # different repo.
          GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
-
-  # publish-sqlc pushes the latest schema to sqlc cloud.
-  # At present these pushes cannot be tagged, so the last push is always the latest.
-  publish-sqlc:
-    name: "Publish to schema sqlc cloud"
-    runs-on: "ubuntu-latest"
-    needs: release
-    if: ${{ !inputs.dry_run }}
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 1
-
-      # We need golang to run the migration main.go
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
-
-      - name: Setup sqlc
-        uses: ./.github/actions/setup-sqlc
-
-      - name: Push schema to sqlc cloud
-        # Don't block a release on this
-        continue-on-error: true
-        run: |
-          make sqlc-push
@@ -1,52 +0,0 @@
-name: OpenSSF Scorecard
-on:
-  branch_protection_rule:
-  schedule:
-    - cron: "27 7 * * 3" # A random time to run weekly
-  push:
-    branches: ["main"]
-
-permissions: read-all
-
-jobs:
-  analysis:
-    name: Scorecard analysis
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
-      id-token: write
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_results: true
-
-      # Upload the results as artifacts.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
-        with:
-          sarif_file: results.sarif
@@ -3,6 +3,7 @@ name: "security"
 permissions:
  actions: read
  contents: read
+  security-events: write

 on:
  workflow_dispatch:
@@ -20,35 +21,31 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-security
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

+env:
+  CODER_GO_VERSION: "1.20.6"
+
 jobs:
  codeql:
-    permissions:
-      security-events: write
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: go, javascript

      - name: Setup Go
        uses: ./.github/actions/setup-go

-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
-        with:
-          languages: go, javascript
-
      # Workaround to prevent CodeQL from building the dashboard.
      - name: Remove Makefile
        run: |
          rm Makefile

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
+        uses: github/codeql-action/analyze@v2

      - name: Send Slack notification on failure
        if: ${{ failure() }}
@@ -62,17 +59,10 @@ jobs:
            "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"

  trivy:
-    permissions:
-      security-events: write
-    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0

@@ -85,39 +75,26 @@ jobs:
      - name: Setup sqlc
        uses: ./.github/actions/setup-sqlc

-      - name: Install cosign
-        uses: ./.github/actions/install-cosign
-
-      - name: Install syft
-        uses: ./.github/actions/install-syft
-
      - name: Install yq
-        run: go run github.com/mikefarah/yq/v4@v4.44.3
+        run: go run github.com/mikefarah/yq/v4@v4.30.6
      - name: Install mockgen
-        run: go install go.uber.org/mock/mockgen@v0.5.0
+        run: go install github.com/golang/mock/mockgen@v1.6.0
      - name: Install protoc-gen-go
        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
      - name: Install protoc-gen-go-drpc
-        run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34
+        run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.33
      - name: Install Protoc
        run: |
          # protoc must be in lockstep with our dogfood Dockerfile or the
          # version in the comments will differ. This is also defined in
          # ci.yaml.
-          set -euxo pipefail
-          cd dogfood/coder
-          mkdir -p /usr/local/bin
-          mkdir -p /usr/local/include
-
+          set -x
+          cd dogfood
          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
          protoc_path=/usr/local/bin/protoc
          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
          chmod +x $protoc_path
          protoc --version
-          # Copy the generated files to the include directory.
-          docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/
-          ls -la /usr/local/include/google/protobuf/
-          stat /usr/local/include/google/protobuf/timestamp.proto

      - name: Build Coder linux amd64 Docker image
        id: build
@@ -136,13 +113,19 @@ jobs:
          # the registry.
          export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"

-          # We would like to use make -j here, but it doesn't work with the some recent additions
-          # to our code generation.
-          make "$image_job"
+          make -j "$image_job"
          echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT

+      - name: Run Prisma Cloud image scan
+        uses: PaloAltoNetworks/prisma-cloud-scan@v1
+        with:
+          pcc_console_url: ${{ secrets.PRISMA_CLOUD_URL }}
+          pcc_user: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
+          pcc_pass: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
+          image_name: ${{ steps.build.outputs.image }}
+
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4
+        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
        with:
          image-ref: ${{ steps.build.outputs.image }}
          format: sarif
@@ -150,13 +133,13 @@ jobs:
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
+        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
          category: "Trivy"

      - name: Upload Trivy scan results as an artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@v3
        with:
          name: trivy
          path: trivy-results.sarif
@@ -1,36 +1,23 @@
-name: Stale Issue, Branch and Old Workflows Cleanup
+name: Stale Issue, Banch and Old Workflows Cleanup
 on:
  schedule:
    # Every day at midnight
    - cron: "0 0 * * *"
  workflow_dispatch:
-
-permissions:
-  contents: read
-
 jobs:
  issues:
    runs-on: ubuntu-latest
    permissions:
-      # Needed to close issues.
      issues: write
-      # Needed to close PRs.
      pull-requests: write
+      actions: write
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: stale
-        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        uses: actions/stale@v8.0.0
        with:
          stale-issue-label: "stale"
          stale-pr-label: "stale"
-          # days-before-stale: 180
-          # essentially disabled for now while we work through polish issues
-          days-before-stale: 3650
-
+          days-before-stale: 180
          # Pull Requests become stale more quickly due to merge conflicts.
          # Also, we promote minimizing WIP.
          days-before-pr-stale: 7
@@ -43,67 +30,13 @@ jobs:
          operations-per-run: 60
          # Start with the oldest issues, always.
          ascending: true
-      - name: "Close old issues labeled likely-no"
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const thirtyDaysAgo = new Date(new Date().setDate(new Date().getDate() - 30));
-            console.log(`Looking for issues labeled with 'likely-no' more than 30 days ago, which is after ${thirtyDaysAgo.toISOString()}`);
-
-            const issues = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              labels: 'likely-no',
-              state: 'open',
-            });
-
-            console.log(`Found ${issues.data.length} open issues labeled with 'likely-no'`);
-
-            for (const issue of issues.data) {
-              console.log(`Checking issue #${issue.number} created at ${issue.created_at}`);
-
-              const timeline = await github.rest.issues.listEventsForTimeline({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: issue.number,
-              });
-
-              const labelEvent = timeline.data.find(event => event.event === 'labeled' && event.label.name === 'likely-no');
-
-              if (labelEvent) {
-                console.log(`Issue #${issue.number} was labeled with 'likely-no' at ${labelEvent.created_at}`);
-
-                if (new Date(labelEvent.created_at) < thirtyDaysAgo) {
-                  console.log(`Issue #${issue.number} is older than 30 days with 'likely-no' label, closing issue.`);
-                  await github.rest.issues.update({
-                    owner: context.repo.owner,
-                    repo: context.repo.repo,
-                    issue_number: issue.number,
-                    state: 'closed',
-                    state_reason: 'not_planned'
-                  });
-                }
-              } else {
-                console.log(`Issue #${issue.number} does not have a 'likely-no' label event in its timeline.`);
-              }
-            }
-
  branches:
    runs-on: ubuntu-latest
-    permissions:
-      # Needed to delete branches.
-      contents: write
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v3
      - name: Run delete-old-branches-action
-        uses: beatlabs/delete-old-branches-action@4eeeb8740ff8b3cb310296ddd6b43c3387734588 # v0.0.11
+        uses: beatlabs/delete-old-branches-action@v0.0.10
        with:
          repo_token: ${{ github.token }}
          date: "6 months ago"
@@ -113,29 +46,22 @@ jobs:
          exclude_open_pr_branches: true
  del_runs:
    runs-on: ubuntu-latest
-    permissions:
-      # Needed to delete workflow runs.
-      actions: write
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Delete PR Cleanup workflow runs
-        uses: Mattraks/delete-workflow-runs@39f0bbed25d76b34de5594dceab824811479e5de # v2.0.6
+        uses: Mattraks/delete-workflow-runs@v2
        with:
          token: ${{ github.token }}
          repository: ${{ github.repository }}
-          retain_days: 30
-          keep_minimum_runs: 30
+          retain_days: 1
+          keep_minimum_runs: 1
          delete_workflow_pattern: pr-cleanup.yaml

      - name: Delete PR Deploy workflow skipped runs
-        uses: Mattraks/delete-workflow-runs@39f0bbed25d76b34de5594dceab824811479e5de # v2.0.6
+        uses: Mattraks/delete-workflow-runs@v2
        with:
          token: ${{ github.token }}
          repository: ${{ github.repository }}
-          retain_days: 30
-          keep_minimum_runs: 30
+          retain_days: 0
+          keep_minimum_runs: 0
+          delete_run_by_conclusion_pattern: skipped
          delete_workflow_pattern: pr-deploy.yaml
@@ -1,35 +0,0 @@
-name: Start Workspace On Issue Creation or Comment
-
-on:
-  issues:
-    types: [opened]
-  issue_comment:
-    types: [created]
-
-permissions:
-  issues: write
-
-jobs:
-  comment:
-    runs-on: ubuntu-latest
-    if: >-
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@coder')) || 
-      (github.event_name == 'issues' && contains(github.event.issue.body, '@coder'))
-    environment: dev.coder.com
-    timeout-minutes: 5
-    steps:
-      - name: Start Coder workspace
-        uses: coder/start-workspace-action@f97a681b4cc7985c9eef9963750c7cc6ebc93a19
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          github-username: >-
-            ${{
-              (github.event_name == 'issue_comment' && github.event.comment.user.login) || 
-              (github.event_name == 'issues' && github.event.issue.user.login)
-            }}
-          coder-url: ${{ secrets.CODER_URL }}
-          coder-token: ${{ secrets.CODER_TOKEN }}
-          template-name: ${{ secrets.CODER_TEMPLATE_NAME }}
-          parameters: |-
-            AI Prompt: "Use the gh CLI tool to read the details of issue https://github.com/${{ github.repository }}/issues/${{ github.event.issue.number }} and then address it."
-            Region: us-pittsburgh
@@ -1,6 +1,3 @@
-[default]
-extend-ignore-identifiers-re = ["gho_.*"]
-
 [default.extend-identifiers]
 alog = "alog"
 Jetbrains = "JetBrains"
@@ -17,17 +14,6 @@ darcula = "darcula"
 Hashi = "Hashi"
 trialer = "trialer"
 encrypter = "encrypter"
-# as in helsinki
-hel = "hel"
-# this is used as proto node
-pn = "pn"
-# typos doesn't like the EDE in TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-EDE = "EDE"
-# HELO is an SMTP command
-HELO = "HELO"
-LKE = "LKE"
-byt = "byt"
-typ = "typ"

 [files]
 extend-exclude = [
@@ -39,13 +25,8 @@ extend-exclude = [
 	# These files contain base64 strings that confuse the detector
 	"**XService**.ts",
 	"**identity.go",
+	"scripts/ci-report/testdata/**",
 	"**/*_test.go",
 	"**/*.test.tsx",
 	"**/pnpm-lock.yaml",
-	"tailnet/testdata/**",
-	"site/src/pages/SetupPage/countries.tsx",
-	"provisioner/terraform/testdata/**",
-	# notifications' golden files confuse the detector because of quoted-printable encoding
-	"coderd/notifications/testdata/**",
-	"agent/agentcontainers/testdata/devcontainercli/**"
 ]
@@ -4,42 +4,27 @@ on:
  schedule:
    - cron: "0 9 * * 1"
  workflow_dispatch: # allows to run manually for testing
-  pull_request:
-    branches:
-      - main
-    paths:
-      - "docs/**"
-
-permissions:
-  contents: read

 jobs:
  check-docs:
-    # later versions of Ubuntu have disabled unprivileged user namespaces, which are required by the action
-    runs-on: ubuntu-22.04
-    permissions:
-      pull-requests: write # required to post PR review comments by the action
+    runs-on: ubuntu-latest
    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@master

      - name: Check Markdown links
-        uses: umbrelladocs/action-linkspector@874d01cae9fd488e3077b08952093235bd626977 # v1.3.7
+        uses: gaurav-nelson/github-action-markdown-link-check@v1
        id: markdown-link-check
        # checks all markdown files from /docs including all subfolders
        with:
-          reporter: github-pr-review
-          config_file: ".github/.linkspector.yml"
-          fail_on_error: "true"
-          filter_mode: "file"
+          use-quiet-mode: "yes"
+          use-verbose-mode: "yes"
+          config-file: ".github/workflows/mlc_config.json"
+          folder-path: "docs/"
+          file-path: "./README.md"

      - name: Send Slack notification
-        if: failure() && github.event_name == 'schedule'
+        if: failure()
        run: |
          curl -X POST -H 'Content-type: application/json' -d '{"msg":"Broken links found in the documentation. Please check the logs at ${{ env.LOGS_URL }}"}' ${{ secrets.DOCS_LINK_SLACK_WEBHOOK }}
          echo "Sent Slack notification"
@@ -17,11 +17,10 @@ yarn-error.log
 # Allow VSCode recommendations and default settings in project root.
 !/.vscode/extensions.json
 !/.vscode/settings.json
-# Allow code snippets
-!/.vscode/*.code-snippets

 # Front-end ignore patterns.
 .next/
+site/**/*.typegen.ts
 site/build-storybook.log
 site/coverage/
 site/storybook-static/
@@ -31,16 +30,15 @@ site/e2e/states/*.json
 site/e2e/.auth.json
 site/playwright-report/*
 site/.swc
+site/dist/

-# Make target for updating generated/golden files (any dir).
-.gen
+# Make target for updating golden files (any dir).
 .gen-golden

 # Build
-bin/
-build/
-dist/
-out/
+/build/
+/dist/
+site/out/

 # Bundle analysis
 site/stats/
@@ -50,15 +48,12 @@ site/stats/
 *.tfplan
 *.lock.hcl
 .terraform/
-!coderd/testdata/parameters/modules/.terraform/
-!provisioner/terraform/testdata/modules-source-caching/.terraform/

 **/.coderv2/*
 **/__debug_bin

 # direnv
 .envrc
-.direnv
 *.test

 # Loadtesting
@@ -66,23 +61,3 @@ site/stats/
 ./scaletest/terraform/.terraform.lock.hcl
 scaletest/terraform/secrets.tfvars
 .terraform.tfstate.*
-
-# Nix
-result
-
-# Data dumps from unit tests
-**/*.test.sql
-
-# Filebrowser.db
-**/filebrowser.db
-
-# pnpm
-.pnpm-store/
-
-# Zed
-.zed_server
-
-# dlv debug binaries for go tests
-__debug_bin*
-
-**/.claude/settings.local.json
@@ -2,19 +2,12 @@
 # Over time we should try tightening some of these.

 linters-settings:
-  dupl:
-    # goal: 100
-    threshold: 412
-
  exhaustruct:
    include:
      # Gradually extend to cover more of the codebase.
      - 'httpmw\.\w+'
-      # We want to enforce all values are specified when inserting or updating
-      # a database row. Ref: #9936
-      - 'github.com/coder/coder/v2/coderd/database\.[^G][^e][^t]\w+Params'
  gocognit:
-    min-complexity: 300
+    min-complexity: 46 # Min code complexity (def 30).

  goconst:
    min-len: 4 # Min length of string consts (def 3).
@@ -24,19 +17,30 @@ linters-settings:
    enabled-checks:
      # - appendAssign
      # - appendCombine
+      - argOrder
      # - assignOp
      # - badCall
+      - badCond
      - badLock
      - badRegexp
      - boolExprSimplify
      # - builtinShadow
      - builtinShadowDecl
+      - captLocal
+      - caseOrder
+      - codegenComment
      # - commentedOutCode
      - commentedOutImport
+      - commentFormatting
+      - defaultCaseOrder
      - deferUnlambda
      # - deprecatedComment
      # - docStub
+      - dupArg
+      - dupBranchBody
+      - dupCase
      - dupImport
+      - dupSubExpr
      # - elseif
      - emptyFallthrough
      # - emptyStringTest
@@ -45,6 +49,8 @@ linters-settings:
      # - exitAfterDefer
      # - exposedSyncMutex
      # - filepathJoin
+      - flagDeref
+      - flagName
      - hexLiteral
      # - httpNoBody
      # - hugeParam
@@ -52,36 +58,47 @@ linters-settings:
      # - importShadow
      - indexAlloc
      - initClause
+      - mapKey
      - methodExprCall
      # - nestingReduce
+      - newDeref
      - nilValReturn
      # - octalLiteral
+      - offBy1
      # - paramTypeCombine
      # - preferStringWriter
      # - preferWriteByte
      # - ptrToRefParam
      # - rangeExprCopy
      # - rangeValCopy
+      - regexpMust
      - regexpPattern
      # - regexpSimplify
      - ruleguard
+      - singleCaseSwitch
+      - sloppyLen
      # - sloppyReassign
+      - sloppyTypeAssert
      - sortSlice
      - sprintfQuotedString
      - sqlQuery
      # - stringConcatSimplify
      # - stringXbytes
      # - suspiciousSorting
+      - switchTrue
      - truncateCmp
      - typeAssertChain
      # - typeDefFirst
+      - typeSwitchVar
      # - typeUnparen
+      - underef
      # - unlabelStmt
      # - unlambda
      # - unnamedResult
      # - unnecessaryBlock
      # - unnecessaryDefer
      # - unslice
+      - valSwap
      - weakCond
      # - whyNoLint
      # - wrapperFunc
@@ -101,6 +118,10 @@ linters-settings:
  goimports:
    local-prefixes: coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder

+  gocyclo:
+    # goal: 30
+    min-complexity: 47
+
  importas:
    no-unaliased: true

@@ -110,8 +131,7 @@ linters-settings:
      - trialer

  nestif:
-    # goal: 10
-    min-complexity: 20
+    min-complexity: 4 # Min complexity of if statements (def 5, goal 4)

  revive:
    # see https://github.com/mgechev/revive#available-rules for details.
@@ -151,6 +171,8 @@ linters-settings:
      - name: modifies-value-receiver
      - name: package-comments
      - name: range
+      - name: range-val-address
+      - name: range-val-in-closure
      - name: receiver-naming
      - name: redefines-builtin-id
      - name: string-of-int
@@ -164,29 +186,12 @@ linters-settings:
      - name: unnecessary-stmt
      - name: unreachable-code
      - name: unused-parameter
-        exclude: "**/*_test.go"
      - name: unused-receiver
      - name: var-declaration
      - name: var-naming
      - name: waitgroup-by-value

-  # irrelevant as of Go v1.22: https://go.dev/blog/loopvar-preview
-  govet:
-    disable:
-      - loopclosure
-  gosec:
-    excludes:
-      # Implicit memory aliasing of items from a range statement (irrelevant as of Go v1.22)
-      - G601
-
 issues:
-  exclude-dirs:
-    - node_modules
-    - .git
-
-  exclude-files:
-    - scripts/rules.go
-
  # Rules listed here: https://github.com/securego/gosec#available-rules
  exclude-rules:
    - path: _test\.go
@@ -198,15 +203,16 @@ issues:
    - path: scripts/*
      linters:
        - exhaustruct
-    - path: scripts/rules.go
-      linters:
-        - ALL

  fix: true
  max-issues-per-linter: 0
  max-same-issues: 0

 run:
+  skip-dirs:
+    - node_modules
+  skip-files:
+    - scripts/rules.go
  timeout: 10m

 # Over time, add more and more linters from
@@ -222,14 +228,10 @@ linters:
    - errname
    - errorlint
    - exhaustruct
+    - exportloopref
    - forcetypeassert
    - gocritic
-    # gocyclo is may be useful in the future when we start caring
-    # about testing complexity, but for the time being we should
-    # create a good culture around cognitive complexity.
-    # - gocyclo
-    - gocognit
-    - nestif
+    - gocyclo
    - goimports
    - gomodguard
    - gosec
@@ -265,4 +267,3 @@ linters:
    - typecheck
    - unconvert
    - unused
-    - dupl
@@ -1,31 +0,0 @@
-// Example markdownlint configuration with all properties set to their default value
-{
-	"MD010": { "spaces_per_tab": 4}, // No hard tabs: we use 4 spaces per tab
-
-	"MD013": false, // Line length: we are not following a strict line lnegth in markdown files
-
-	"MD024": { "siblings_only": true }, // Multiple headings with the same content:
-
-	"MD033": false, // Inline HTML: we use it in some places
-
-	"MD034": false, // Bare URL: we use it in some places in generated docs e.g.
-	// codersdk/deployment.go L597, L1177, L2287, L2495, L2533
-	// codersdk/workspaceproxy.go L196, L200-L201
-	// coderd/tracing/exporter.go L26
-	// cli/exp_scaletest.go L-9
-
-	"MD041": false, // First line in file should be a top level heading: All of our changelogs do not start with a top level heading
-	// TODO: We need to update /home/coder/repos/coder/coder/scripts/release/generate_release_notes.sh to generate changelogs that follow this rule
-
-	"MD052": false, // Image reference: Not a valid reference in generated docs
-	// docs/reference/cli/server.md L628
-
-	"MD055": false, // Table pipe style: Some of the generated tables do not have ending pipes
-	// docs/reference/api/schema.md
-	// docs/reference/api/templates.md
-	// docs/reference/cli/server.md
-
-	"MD056": false // Table column count: Some of the auto-generated tables have issues. TODO: This is probably because of splitting cell content to multiple lines.
-	// docs/reference/api/schema.md
-	// docs/reference/api/templates.md
-}
@@ -1,36 +0,0 @@
-{
-  "mcpServers": {
-    "go-language-server": {
-      "type": "stdio",
-      "command": "go",
-      "args": [
-        "run",
-        "github.com/isaacphi/mcp-language-server@latest",
-        "-workspace",
-        "./",
-        "-lsp",
-        "go",
-        "--",
-        "run",
-        "golang.org/x/tools/gopls@latest"
-      ],
-      "env": {}
-    },
-    "typescript-language-server": {
-      "type": "stdio",
-      "command": "go",
-      "args": [
-        "run",
-        "github.com/isaacphi/mcp-language-server@latest",
-        "-workspace",
-        "./site/",
-        "-lsp",
-        "pnpx",
-        "--",
-        "typescript-language-server",
-        "--stdio"
-      ],
-      "env": {}
-    }
-  }
-}
@@ -0,0 +1,82 @@
+# Code generated by Makefile (.gitignore .prettierignore.include). DO NOT EDIT.
+
+# .gitignore:
+# Common ignore patterns, these rules applies in both root and subdirectories.
+.DS_Store
+.eslintcache
+.gitpod.yml
+.idea
+**/*.swp
+gotests.coverage
+gotests.xml
+gotests_stats.json
+gotests.json
+node_modules/
+vendor/
+yarn-error.log
+
+# VSCode settings.
+**/.vscode/*
+# Allow VSCode recommendations and default settings in project root.
+!/.vscode/extensions.json
+!/.vscode/settings.json
+
+# Front-end ignore patterns.
+.next/
+site/**/*.typegen.ts
+site/build-storybook.log
+site/coverage/
+site/storybook-static/
+site/test-results/*
+site/e2e/test-results/*
+site/e2e/states/*.json
+site/e2e/.auth.json
+site/playwright-report/*
+site/.swc
+site/dist/
+
+# Make target for updating golden files (any dir).
+.gen-golden
+
+# Build
+/build/
+/dist/
+site/out/
+
+# Bundle analysis
+site/stats/
+
+*.tfstate
+*.tfstate.backup
+*.tfplan
+*.lock.hcl
+.terraform/
+
+**/.coderv2/*
+**/__debug_bin
+
+# direnv
+.envrc
+*.test
+
+# Loadtesting
+./scaletest/terraform/.terraform
+./scaletest/terraform/.terraform.lock.hcl
+scaletest/terraform/secrets.tfvars
+.terraform.tfstate.*
+# .prettierignore.include:
+# Helm templates contain variables that are invalid YAML and can't be formatted
+# by Prettier.
+helm/templates/*.yaml
+
+# Terraform state files used in tests, these are automatically generated.
+# Example: provisioner/terraform/testdata/instance-id/instance-id.tfstate.json
+**/testdata/**/*.tf*.json
+
+# Testdata shouldn't be formatted.
+scripts/apitypings/testdata/**/*.ts
+
+# Generated files shouldn't be formatted.
+site/e2e/provisionerGenerated.ts
+
+**/pnpm-lock.yaml
@@ -0,0 +1,15 @@
+# Helm templates contain variables that are invalid YAML and can't be formatted
+# by Prettier.
+helm/templates/*.yaml
+
+# Terraform state files used in tests, these are automatically generated.
+# Example: provisioner/terraform/testdata/instance-id/instance-id.tfstate.json
+**/testdata/**/*.tf*.json
+
+# Testdata shouldn't be formatted.
+scripts/apitypings/testdata/**/*.ts
+
+# Generated files shouldn't be formatted.
+site/e2e/provisionerGenerated.ts
+
+**/pnpm-lock.yaml
@@ -1,18 +1,18 @@
 # This config file is used in conjunction with `.editorconfig` to specify
 # formatting for prettier-supported files. See `.editorconfig` and
-# `site/.editorconfig` for whitespace formatting options.
+# `site/.editorconfig`for whitespace formatting options.
 printWidth: 80
-proseWrap: always
+semi: false
 trailingComma: all
-useTabs: true
+useTabs: false
 tabWidth: 2
 overrides:
  - files:
      - README.md
-      - docs/reference/api/**/*.md
-      - docs/reference/cli/**/*.md
-      - docs/changelogs/*.md
-      - .github/**/*.{yaml,yml,toml}
-      - scripts/**/*.{yaml,yml,toml}
    options:
      proseWrap: preserve
+  - files:
+      - "site/**/*.yaml"
+      - "site/**/*.yml"
+    options:
+      proseWrap: always
@@ -1,8 +1,8 @@
 // Replace all NullTime with string
-replace github.com/coder/coder/v2/codersdk.NullTime string
+replace github.com/coder/coder/codersdk.NullTime string
 // Prevent swaggo from rendering enums for time.Duration
 replace time.Duration int64
 // Do not expose "echo" provider
-replace github.com/coder/coder/v2/codersdk.ProvisionerType string
+replace github.com/coder/coder/codersdk.ProvisionerType string
 // Do not render netip.Addr
 replace netip.Addr string
@@ -1,16 +1,15 @@
 {
-	"recommendations": [
-		"biomejs.biome",
-		"bradlc.vscode-tailwindcss",
-		"DavidAnson.vscode-markdownlint",
-		"EditorConfig.EditorConfig",
-		"emeraldwalk.runonsave",
-		"foxundermoon.shell-format",
-		"github.vscode-codeql",
-		"golang.go",
-		"hashicorp.terraform",
-		"redhat.vscode-yaml",
-		"tekumara.typos-vscode",
-		"zxh404.vscode-proto3"
-	]
+  "recommendations": [
+    "github.vscode-codeql",
+    "golang.go",
+    "hashicorp.terraform",
+    "esbenp.prettier-vscode",
+    "foxundermoon.shell-format",
+    "emeraldwalk.runonsave",
+    "zxh404.vscode-proto3",
+    "redhat.vscode-yaml",
+    "streetsidesoftware.code-spell-checker",
+    "dbaeumer.vscode-eslint",
+    "EditorConfig.EditorConfig"
+  ]
 }
@@ -1,45 +0,0 @@
-{
-	// For info about snippets, visit https://code.visualstudio.com/docs/editor/userdefinedsnippets
-    // https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#alerts
-
-	"alert": {
-        "prefix": "#alert",
-        "body": [
-            "> [!${1|CAUTION,IMPORTANT,NOTE,TIP,WARNING|}]",
-            "> ${TM_SELECTED_TEXT:${2:add info here}}\n"
-        ],
-        "description": "callout admonition caution important note tip warning"
-    },
-	"fenced code block": {
-		"prefix": "#codeblock",
-		"body": ["```${1|apache,bash,console,diff,Dockerfile,env,go,hcl,ini,json,lisp,md,powershell,shell,sql,text,tf,tsx,yaml|}", "${TM_SELECTED_TEXT}$0", "```"],
-		"description": "fenced code block"
-	},
-	"image": {
-		"prefix": "#image",
-		"body": "![${TM_SELECTED_TEXT:${1:alt}}](${2:url})$0",
-		"description": "image"
-	},
-	"premium-feature": {
-		"prefix": "#premium-feature",
-		"body": [
-			"> [!NOTE]\n",
-			"> ${1:feature} ${2|is,are|} an Enterprise and Premium feature. [Learn more](https://coder.com/pricing#compare-plans).\n"
-		]
-	},
-	"tabs": {
-		"prefix": "#tabs",
-		"body": [
-			"<div class=\"tabs\">\n",
-			"${1:optional description}\n",
-			"## ${2:tab title}\n",
-			"${TM_SELECTED_TEXT:${3:first tab content}}\n",
-			"## ${4:tab title}\n",
-			"${5:second tab content}\n",
-			"## ${6:tab title}\n",
-			"${7:third tab content}\n",
-			"</div>\n"
-		],
-		"description": "tabs"
-	}
-}
@@ -1,64 +1,215 @@
 {
-	"emeraldwalk.runonsave": {
-		"commands": [
-			{
-				"match": "database/queries/*.sql",
-				"cmd": "make gen"
-			},
-			{
-				"match": "provisionerd/proto/provisionerd.proto",
-				"cmd": "make provisionerd/proto/provisionerd.pb.go"
-			}
-		]
-	},
-	"search.exclude": {
-		"**.pb.go": true,
-		"**/*.gen.json": true,
-		"**/testdata/*": true,
-		"coderd/apidoc/**": true,
-		"docs/reference/api/*.md": true,
-		"docs/reference/cli/*.md": true,
-		"docs/templates/*.md": true,
-		"LICENSE": true,
-		"scripts/metricsdocgen/metrics": true,
-		"site/out/**": true,
-		"site/storybook-static/**": true,
-		"**.map": true,
-		"pnpm-lock.yaml": true
-	},
-	// Ensure files always have a newline.
-	"files.insertFinalNewline": true,
-	"go.lintTool": "golangci-lint",
-	"go.lintFlags": ["--fast"],
-	"go.coverageDecorator": {
-		"type": "gutter",
-		"coveredGutterStyle": "blockgreen",
-		"uncoveredGutterStyle": "blockred"
-	},
-	// The codersdk is used by coderd another other packages extensively.
-	// To reduce redundancy in tests, it's covered by other packages.
-	// Since package coverage pairing can't be defined, all packages cover
-	// all other packages.
-	"go.testFlags": ["-short", "-coverpkg=./..."],
-	// We often use a version of TypeScript that's ahead of the version shipped
-	// with VS Code.
-	"typescript.tsdk": "./site/node_modules/typescript/lib",
-	// Playwright tests in VSCode will open a browser to live "view" the test.
-	"playwright.reuseBrowser": true,
-
-	"[javascript][javascriptreact][json][jsonc][typescript][typescriptreact]": {
-		"editor.defaultFormatter": "biomejs.biome",
-		"editor.codeActionsOnSave": {
-			"quickfix.biome": "explicit"
-			//   "source.organizeImports.biome": "explicit"
-		}
-	},
-
-	"[css][html][markdown][yaml]": {
-		"editor.defaultFormatter": "esbenp.prettier-vscode"
-	},
-	"typos.config": ".github/workflows/typos.toml",
-	"[markdown]": {
-		"editor.defaultFormatter": "DavidAnson.vscode-markdownlint"
-	}
+  "cSpell.words": [
+    "afero",
+    "agentsdk",
+    "apps",
+    "ASKPASS",
+    "authcheck",
+    "autostop",
+    "awsidentity",
+    "bodyclose",
+    "buildinfo",
+    "buildname",
+    "circbuf",
+    "cliflag",
+    "cliui",
+    "codecov",
+    "coderd",
+    "coderdenttest",
+    "coderdtest",
+    "codersdk",
+    "cronstrue",
+    "databasefake",
+    "dbfake",
+    "dbgen",
+    "dbtype",
+    "DERP",
+    "derphttp",
+    "derpmap",
+    "devel",
+    "devtunnel",
+    "dflags",
+    "drpc",
+    "drpcconn",
+    "drpcmux",
+    "drpcserver",
+    "Dsts",
+    "embeddedpostgres",
+    "enablements",
+    "enterprisemeta",
+    "errgroup",
+    "eventsourcemock",
+    "Failf",
+    "fatih",
+    "Formik",
+    "gitauth",
+    "gitsshkey",
+    "goarch",
+    "gographviz",
+    "goleak",
+    "gonet",
+    "gossh",
+    "gsyslog",
+    "GTTY",
+    "hashicorp",
+    "hclsyntax",
+    "httpapi",
+    "httpmw",
+    "idtoken",
+    "Iflag",
+    "incpatch",
+    "ipnstate",
+    "isatty",
+    "Jobf",
+    "Keygen",
+    "kirsle",
+    "Kubernetes",
+    "ldflags",
+    "magicsock",
+    "manifoldco",
+    "mapstructure",
+    "mattn",
+    "mitchellh",
+    "moby",
+    "namesgenerator",
+    "namespacing",
+    "netaddr",
+    "netip",
+    "netmap",
+    "netns",
+    "netstack",
+    "nettype",
+    "nfpms",
+    "nhooyr",
+    "nmcfg",
+    "nolint",
+    "nosec",
+    "ntqry",
+    "OIDC",
+    "oneof",
+    "opty",
+    "paralleltest",
+    "parameterscopeid",
+    "pqtype",
+    "prometheusmetrics",
+    "promhttp",
+    "protobuf",
+    "provisionerd",
+    "provisionerdserver",
+    "provisionersdk",
+    "ptty",
+    "ptys",
+    "ptytest",
+    "quickstart",
+    "reconfig",
+    "replicasync",
+    "retrier",
+    "rpty",
+    "SCIM",
+    "sdkproto",
+    "sdktrace",
+    "Signup",
+    "slogtest",
+    "sourcemapped",
+    "Srcs",
+    "stdbuf",
+    "stretchr",
+    "STTY",
+    "stuntest",
+    "tanstack",
+    "tailbroker",
+    "tailcfg",
+    "tailexchange",
+    "tailnet",
+    "tailnettest",
+    "Tailscale",
+    "tbody",
+    "TCGETS",
+    "tcpip",
+    "TCSETS",
+    "templateversions",
+    "testdata",
+    "testid",
+    "testutil",
+    "tfexec",
+    "tfjson",
+    "tfplan",
+    "tfstate",
+    "thead",
+    "tios",
+    "tmpdir",
+    "tokenconfig",
+    "tparallel",
+    "trialer",
+    "trimprefix",
+    "tsdial",
+    "tslogger",
+    "tstun",
+    "turnconn",
+    "typegen",
+    "typesafe",
+    "unconvert",
+    "Untar",
+    "Userspace",
+    "VMID",
+    "walkthrough",
+    "weblinks",
+    "webrtc",
+    "wgcfg",
+    "wgconfig",
+    "wgengine",
+    "wgmonitor",
+    "wgnet",
+    "workspaceagent",
+    "workspaceagents",
+    "workspaceapp",
+    "workspaceapps",
+    "workspacebuilds",
+    "workspacename",
+    "wsconncache",
+    "wsjson",
+    "xerrors",
+    "xstate",
+    "yamux"
+  ],
+  "cSpell.ignorePaths": ["site/package.json", ".vscode/settings.json"],
+  "emeraldwalk.runonsave": {
+    "commands": [
+      {
+        "match": "database/queries/*.sql",
+        "cmd": "make gen"
+      },
+      {
+        "match": "provisionerd/proto/provisionerd.proto",
+        "cmd": "make provisionerd/proto/provisionerd.pb.go"
+      }
+    ]
+  },
+  "eslint.workingDirectories": ["./site"],
+  "files.exclude": {
+    "**/node_modules": true
+  },
+  "search.exclude": {
+    "scripts/metricsdocgen/metrics": true,
+    "docs/api/*.md": true
+  },
+  // Ensure files always have a newline.
+  "files.insertFinalNewline": true,
+  "go.lintTool": "golangci-lint",
+  "go.lintFlags": ["--fast"],
+  "go.lintOnSave": "package",
+  "go.coverOnSave": true,
+  "go.coverageDecorator": {
+    "type": "gutter",
+    "coveredGutterStyle": "blockgreen",
+    "uncoveredGutterStyle": "blockred"
+  },
+  // The codersdk is used by coderd another other packages extensively.
+  // To reduce redundancy in tests, it's covered by other packages.
+  // Since package coverage pairing can't be defined, all packages cover
+  // all other packages.
+  "go.testFlags": ["-short", "-coverpkg=./..."],
+  // We often use a version of TypeScript that's ahead of the version shipped
+  // with VS Code.
+  "typescript.tsdk": "./site/node_modules/typescript/lib"
 }
@@ -1,138 +0,0 @@
-# Coder Development Guidelines
-
-@.claude/docs/WORKFLOWS.md
-@.cursorrules
-@README.md
-@package.json
-
-## 🚀 Essential Commands
-
-| Task              | Command                  | Notes                            |
-|-------------------|--------------------------|----------------------------------|
-| **Development**   | `./scripts/develop.sh`   | ⚠️ Don't use manual build        |
-| **Build**         | `make build`             | Fat binaries (includes server)   |
-| **Build Slim**    | `make build-slim`        | Slim binaries                    |
-| **Test**          | `make test`              | Full test suite                  |
-| **Test Single**   | `make test RUN=TestName` | Faster than full suite           |
-| **Test Postgres** | `make test-postgres`     | Run tests with Postgres database |
-| **Test Race**     | `make test-race`         | Run tests with Go race detector  |
-| **Lint**          | `make lint`              | Always run after changes         |
-| **Generate**      | `make gen`               | After database changes           |
-| **Format**        | `make fmt`               | Auto-format code                 |
-| **Clean**         | `make clean`             | Clean build artifacts            |
-
-### Frontend Commands (site directory)
-
- `pnpm build` - Build frontend
- `pnpm dev` - Run development server
- `pnpm check` - Run code checks
- `pnpm format` - Format frontend code
- `pnpm lint` - Lint frontend code
- `pnpm test` - Run frontend tests
-
-### Documentation Commands
-
- `pnpm run format-docs` - Format markdown tables in docs
- `pnpm run lint-docs` - Lint and fix markdown files
- `pnpm run storybook` - Run Storybook (from site directory)
-
-## 🔧 Critical Patterns
-
-### Database Changes (ALWAYS FOLLOW)
-
-1. Modify `coderd/database/queries/*.sql` files
-2. Run `make gen`
-3. If audit errors: update `enterprise/audit/table.go`
-4. Run `make gen` again
-
-### LSP Navigation (USE FIRST)
-
-#### Go LSP (for backend code)
-
- **Find definitions**: `mcp__go-language-server__definition symbolName`
- **Find references**: `mcp__go-language-server__references symbolName`
- **Get type info**: `mcp__go-language-server__hover filePath line column`
- **Rename symbol**: `mcp__go-language-server__rename_symbol filePath line column newName`
-
-#### TypeScript LSP (for frontend code in site/)
-
- **Find definitions**: `mcp__typescript-language-server__definition symbolName`
- **Find references**: `mcp__typescript-language-server__references symbolName`
- **Get type info**: `mcp__typescript-language-server__hover filePath line column`
- **Rename symbol**: `mcp__typescript-language-server__rename_symbol filePath line column newName`
-
-### OAuth2 Error Handling
-
-```go
-// OAuth2-compliant error responses
-writeOAuth2Error(ctx, rw, http.StatusBadRequest, "invalid_grant", "description")
-```
-
-### Authorization Context
-
-```go
-// Public endpoints needing system access
-app, err := api.Database.GetOAuth2ProviderAppByClientID(dbauthz.AsSystemRestricted(ctx), clientID)
-
-// Authenticated endpoints with user context
-app, err := api.Database.GetOAuth2ProviderAppByClientID(ctx, clientID)
-```
-
-## 📋 Quick Reference
-
-### Full workflows available in imported WORKFLOWS.md
-
-### New Feature Checklist
-
- [ ] Run `git pull` to ensure latest code
- [ ] Check if feature touches database - you'll need migrations
- [ ] Check if feature touches audit logs - update `enterprise/audit/table.go`
-
-## 🏗️ Architecture
-
- **coderd**: Main API service
- **provisionerd**: Infrastructure provisioning
- **Agents**: Workspace services (SSH, port forwarding)
- **Database**: PostgreSQL with `dbauthz` authorization
-
-## 🧪 Testing
-
-### Race Condition Prevention
-
- Use unique identifiers: `fmt.Sprintf("test-client-%s-%d", t.Name(), time.Now().UnixNano())`
- Never use hardcoded names in concurrent tests
-
-### OAuth2 Testing
-
- Full suite: `./scripts/oauth2/test-mcp-oauth2.sh`
- Manual testing: `./scripts/oauth2/test-manual-flow.sh`
-
-### Timing Issues
-
-NEVER use `time.Sleep` to mitigate timing issues. If an issue
-seems like it should use `time.Sleep`, read through https://github.com/coder/quartz and specifically the [README](https://github.com/coder/quartz/blob/main/README.md) to better understand how to handle timing issues.
-
-## 🎯 Code Style
-
-### Detailed guidelines in imported WORKFLOWS.md
-
- Follow [Uber Go Style Guide](https://github.com/uber-go/guide/blob/master/style.md)
- Commit format: `type(scope): message`
-
-## 📚 Detailed Development Guides
-
-@.claude/docs/OAUTH2.md
-@.claude/docs/TESTING.md
-@.claude/docs/TROUBLESHOOTING.md
-@.claude/docs/DATABASE.md
-
-## 🚨 Common Pitfalls
-
-1. **Audit table errors** → Update `enterprise/audit/table.go`
-2. **OAuth2 errors** → Return RFC-compliant format
-3. **Race conditions** → Use unique test identifiers
-4. **Missing newlines** → Ensure files end with newline
-
---
-
-*This file stays lean and actionable. Detailed workflows and explanations are imported automatically.*
@@ -1,31 +0,0 @@
-# These APIs are versioned, so any changes need to be carefully reviewed for
-# whether to bump API major or minor versions.
-agent/proto/ @spikecurtis @johnstcn
-provisionerd/proto/ @spikecurtis @johnstcn
-provisionersdk/proto/ @spikecurtis @johnstcn
-tailnet/proto/ @spikecurtis @johnstcn
-vpn/vpn.proto @spikecurtis @johnstcn
-vpn/version.go @spikecurtis @johnstcn
-
-
-# This caching code is particularly tricky, and one must be very careful when
-# altering it.
-coderd/files/ @aslilac
-
-coderd/dynamicparameters/ @Emyrk
-coderd/rbac/ @Emyrk
-
-# Mainly dependent on coder/guts, which is maintained by @Emyrk
-scripts/apitypings/ @Emyrk
-scripts/gensite/ @aslilac
-
-site/ @aslilac
-site/src/hooks/ @Parkreiner
-# These rules intentionally do not specify any owners. More specific rules
-# override less specific rules, so these files are "ignored" by the site/ rule.
-site/e2e/google/protobuf/timestampGenerated.ts
-site/e2e/provisionerGenerated.ts
-site/src/api/countriesGenerated.ts
-site/src/api/rbacresourcesGenerated.ts
-site/src/api/typesGenerated.ts
-site/CLAUDE.md
@@ -1,2 +0,0 @@
-<!-- markdownlint-disable MD041 -->
-[https://coder.com/docs/about/contributing/CODE_OF_CONDUCT](https://coder.com/docs/about/contributing/CODE_OF_CONDUCT)
@@ -1,2 +0,0 @@
-<!-- markdownlint-disable MD041 -->
-[https://coder.com/docs/CONTRIBUTING](https://coder.com/docs/CONTRIBUTING)
@@ -37,9 +37,6 @@ GOARCH       := $(shell go env GOARCH)
 GOOS_BIN_EXT := $(if $(filter windows, $(GOOS)),.exe,)
 VERSION      := $(shell ./scripts/version.sh)

-POSTGRES_VERSION ?= 17
-POSTGRES_IMAGE   ?= us-docker.pkg.dev/coder-v2-images-public/public/postgres:$(POSTGRES_VERSION)
-
 # Use the highest ZSTD compression level in CI.
 ifdef CI
 ZSTDFLAGS := -22 --ultra
@@ -53,25 +50,12 @@ endif
 # Note, all find statements should be written with `.` or `./path` as
 # the search path so that these exclusions match.
 FIND_EXCLUSIONS= \
-	-not \( \( -path '*/.git/*' -o -path './build/*' -o -path './vendor/*' -o -path './.coderv2/*' -o -path '*/node_modules/*' -o -path '*/out/*' -o -path './coderd/apidoc/*' -o -path '*/.next/*' -o -path '*/.terraform/*' \) -prune \)
+	-not \( \( -path '*/.git/*' -o -path './build/*' -o -path './vendor/*' -o -path './.coderv2/*' -o -path '*/node_modules/*' -o -path '*/out/*' -o -path './coderd/apidoc/*' -o -path '*/.next/*' \) -prune \)
 # Source files used for make targets, evaluated on use.
 GO_SRC_FILES := $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.go' -not -name '*_test.go')
-# Same as GO_SRC_FILES but excluding certain files that have problematic
-# Makefile dependencies (e.g. pnpm).
-MOST_GO_SRC_FILES := $(shell \
-	find . \
-		$(FIND_EXCLUSIONS) \
-		-type f \
-		-name '*.go' \
-		-not -name '*_test.go' \
-		-not -wholename './agent/agentcontainers/dcspec/dcspec_gen.go' \
-)
 # All the shell files in the repo, excluding ignored files.
 SHELL_SRC_FILES := $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.sh')

-# Ensure we don't use the user's git configs which might cause side-effects
-GIT_FLAGS = GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null
-
 # All ${OS}_${ARCH} combos we build for. Windows binaries have the .exe suffix.
 OS_ARCHES := \
 	linux_amd64 linux_arm64 linux_armv7 \
@@ -91,12 +75,8 @@ PACKAGE_OS_ARCHES := linux_amd64 linux_armv7 linux_arm64
 # All architectures we build Docker images for (Linux only).
 DOCKER_ARCHES := amd64 arm64 armv7

-# All ${OS}_${ARCH} combos we build the desktop dylib for.
-DYLIB_ARCHES := darwin_amd64 darwin_arm64
-
 # Computed variables based on the above.
 CODER_SLIM_BINARIES      := $(addprefix build/coder-slim_$(VERSION)_,$(OS_ARCHES))
-CODER_DYLIBS             := $(foreach os_arch, $(DYLIB_ARCHES), build/coder-vpn_$(VERSION)_$(os_arch).dylib)
 CODER_FAT_BINARIES       := $(addprefix build/coder_$(VERSION)_,$(OS_ARCHES))
 CODER_ALL_BINARIES       := $(CODER_SLIM_BINARIES) $(CODER_FAT_BINARIES)
 CODER_TAR_GZ_ARCHIVES    := $(foreach os_arch, $(ARCHIVE_TAR_GZ), build/coder_$(VERSION)_$(os_arch).tar.gz)
@@ -127,9 +107,9 @@ endif


 clean:
-	rm -rf build/ site/build/ site/out/
-	mkdir -p build/
-	git restore site/out/
+	rm -rf build site/out
+	mkdir -p build site/out/bin
+	git restore site/out
 .PHONY: clean

 build-slim: $(CODER_SLIM_BINARIES)
@@ -220,8 +200,7 @@ endef
 # calling this manually.
 $(CODER_ALL_BINARIES): go.mod go.sum \
 	$(GO_SRC_FILES) \
-	$(shell find ./examples/templates) \
-	site/static/error.html
+	$(shell find ./examples/templates)

 	$(get-mode-os-arch-ext)
 	if [[ "$$os" != "windows" ]] && [[ "$$ext" != "" ]]; then
@@ -252,32 +231,8 @@ $(CODER_ALL_BINARIES): go.mod go.sum \
 		fi

 		cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"
-
-		if [[ "$${CODER_SIGN_GPG:-0}" == "1" ]]; then
-			cp "$@.asc" "./site/out/bin/coder-$$os-$$arch$$dot_ext.asc"
-		fi
 	fi

-# This task builds Coder Desktop dylibs
-$(CODER_DYLIBS): go.mod go.sum $(MOST_GO_SRC_FILES)
-	@if [ "$(shell uname)" = "Darwin" ]; then
-		$(get-mode-os-arch-ext)
-		./scripts/build_go.sh \
-			--os "$$os" \
-			--arch "$$arch" \
-			--version "$(VERSION)" \
-			--output "$@" \
-			--dylib
-
-	else
-		echo "ERROR: Can't build dylib on non-Darwin OS" 1>&2
-		exit 1
-	fi
-
-# This task builds both dylibs
-build/coder-dylib: $(CODER_DYLIBS)
-.PHONY: build/coder-dylib
-
 # This task builds all archives. It parses the target name to get the metadata
 # for the build, so it must be specified in this format:
 #     build/coder_${version}_${os}_${arch}.${format}
@@ -389,55 +344,24 @@ push/$(CODER_MAIN_IMAGE): $(CODER_MAIN_IMAGE)
 	docker manifest push "$$image_tag"
 .PHONY: push/$(CODER_MAIN_IMAGE)

-# Helm charts that are available
-charts = coder provisioner
-
 # Shortcut for Helm chart package.
-$(foreach chart,$(charts),build/$(chart)_helm.tgz): build/%_helm.tgz: build/%_helm_$(VERSION).tgz
+build/coder_helm.tgz: build/coder_helm_$(VERSION).tgz
 	rm -f "$@"
 	ln "$<" "$@"

 # Helm chart package.
-$(foreach chart,$(charts),build/$(chart)_helm_$(VERSION).tgz): build/%_helm_$(VERSION).tgz:
+build/coder_helm_$(VERSION).tgz:
 	./scripts/helm.sh \
 		--version "$(VERSION)" \
-		--chart $* \
 		--output "$@"

-node_modules/.installed: package.json pnpm-lock.yaml
-	./scripts/pnpm_install.sh
-	touch "$@"
-
-offlinedocs/node_modules/.installed: offlinedocs/package.json offlinedocs/pnpm-lock.yaml
-	(cd offlinedocs/ && ../scripts/pnpm_install.sh)
-	touch "$@"
-
-site/node_modules/.installed: site/package.json site/pnpm-lock.yaml
-	(cd site/ && ../scripts/pnpm_install.sh)
-	touch "$@"
-
-scripts/apidocgen/node_modules/.installed: scripts/apidocgen/package.json scripts/apidocgen/pnpm-lock.yaml
-	(cd scripts/apidocgen && ../../scripts/pnpm_install.sh)
-	touch "$@"
-
-SITE_GEN_FILES := \
-	site/src/api/typesGenerated.ts \
-	site/src/api/rbacresourcesGenerated.ts \
-	site/src/api/countriesGenerated.ts \
-	site/src/theme/icons.json
-
-site/out/index.html: \
-	site/node_modules/.installed \
-	site/static/install.sh \
-	$(SITE_GEN_FILES) \
-	$(shell find ./site $(FIND_EXCLUSIONS) -type f \( -name '*.ts' -o -name '*.tsx' \))
-	cd site/
-	# prevents this directory from getting to big, and causing "too much data" errors
-	rm -rf out/assets/
+site/out/index.html: site/package.json $(shell find ./site $(FIND_EXCLUSIONS) -type f \( -name '*.ts' -o -name '*.tsx' \))
+	cd site
+	../scripts/pnpm_install.sh
 	pnpm build

-offlinedocs/out/index.html: offlinedocs/node_modules/.installed $(shell find ./offlinedocs $(FIND_EXCLUSIONS) -type f) $(shell find ./docs $(FIND_EXCLUSIONS) -type f | sed 's: :\\ :g')
-	cd offlinedocs/
+offlinedocs/out/index.html: $(shell find ./offlinedocs $(FIND_EXCLUSIONS) -type f) $(shell find ./docs $(FIND_EXCLUSIONS) -type f | sed 's: :\\ :g')
+	cd offlinedocs
 	../scripts/pnpm_install.sh
 	pnpm export

@@ -452,136 +376,59 @@ install: build/coder_$(VERSION)_$(GOOS)_$(GOARCH)$(GOOS_BIN_EXT)
 	cp "$<" "$$output_file"
 .PHONY: install

-BOLD := $(shell tput bold 2>/dev/null)
-GREEN := $(shell tput setaf 2 2>/dev/null)
-RESET := $(shell tput sgr0 2>/dev/null)
-
-fmt: fmt/ts fmt/go fmt/terraform fmt/shfmt fmt/biome fmt/markdown
+fmt: fmt/prettier fmt/terraform fmt/shfmt fmt/go
 .PHONY: fmt

 fmt/go:
-ifdef FILE
-	# Format single file
-	if [[ -f "$(FILE)" ]] && [[ "$(FILE)" == *.go ]] && ! grep -q "DO NOT EDIT" "$(FILE)"; then \
-		echo "$(GREEN)==>$(RESET) $(BOLD)fmt/go$(RESET) $(FILE)"; \
-		go run mvdan.cc/gofumpt@v0.8.0 -w -l "$(FILE)"; \
-	fi
-else
-	go mod tidy
-	echo "$(GREEN)==>$(RESET) $(BOLD)fmt/go$(RESET)"
 	# VS Code users should check out
 	# https://github.com/mvdan/gofumpt#visual-studio-code
-	find . $(FIND_EXCLUSIONS) -type f -name '*.go' -print0 | \
-		xargs -0 grep -E --null -L '^// Code generated .* DO NOT EDIT\.$$' | \
-		xargs -0 go run mvdan.cc/gofumpt@v0.8.0 -w -l
-endif
+	go run mvdan.cc/gofumpt@v0.4.0 -w -l .
 .PHONY: fmt/go

-fmt/ts: site/node_modules/.installed
-ifdef FILE
-	# Format single TypeScript/JavaScript file
-	if [[ -f "$(FILE)" ]] && [[ "$(FILE)" == *.ts ]] || [[ "$(FILE)" == *.tsx ]] || [[ "$(FILE)" == *.js ]] || [[ "$(FILE)" == *.jsx ]]; then \
-		echo "$(GREEN)==>$(RESET) $(BOLD)fmt/ts$(RESET) $(FILE)"; \
-		(cd site/ && pnpm exec biome format --write "../$(FILE)"); \
-	fi
-else
-	echo "$(GREEN)==>$(RESET) $(BOLD)fmt/ts$(RESET)"
+fmt/prettier:
+	echo "--- prettier"
 	cd site
 # Avoid writing files in CI to reduce file write activity
-ifdef CI
-	pnpm run check --linter-enabled=false
-else
-	pnpm run check:fix
-endif
-endif
-.PHONY: fmt/ts
-
-fmt/biome: site/node_modules/.installed
-ifdef FILE
-	# Format single file with biome
-	if [[ -f "$(FILE)" ]] && [[ "$(FILE)" == *.ts ]] || [[ "$(FILE)" == *.tsx ]] || [[ "$(FILE)" == *.js ]] || [[ "$(FILE)" == *.jsx ]]; then \
-		echo "$(GREEN)==>$(RESET) $(BOLD)fmt/biome$(RESET) $(FILE)"; \
-		(cd site/ && pnpm exec biome format --write "../$(FILE)"); \
-	fi
-else
-	echo "$(GREEN)==>$(RESET) $(BOLD)fmt/biome$(RESET)"
-	cd site/
-# Avoid writing files in CI to reduce file write activity
 ifdef CI
 	pnpm run format:check
 else
-	pnpm run format
+	pnpm run format:write
 endif
-endif
-.PHONY: fmt/biome
+.PHONY: fmt/prettier

 fmt/terraform: $(wildcard *.tf)
-ifdef FILE
-	# Format single Terraform file
-	if [[ -f "$(FILE)" ]] && [[ "$(FILE)" == *.tf ]] || [[ "$(FILE)" == *.tfvars ]]; then \
-		echo "$(GREEN)==>$(RESET) $(BOLD)fmt/terraform$(RESET) $(FILE)"; \
-		terraform fmt "$(FILE)"; \
-	fi
-else
-	echo "$(GREEN)==>$(RESET) $(BOLD)fmt/terraform$(RESET)"
 	terraform fmt -recursive
-endif
 .PHONY: fmt/terraform

 fmt/shfmt: $(SHELL_SRC_FILES)
-ifdef FILE
-	# Format single shell script
-	if [[ -f "$(FILE)" ]] && [[ "$(FILE)" == *.sh ]]; then \
-		echo "$(GREEN)==>$(RESET) $(BOLD)fmt/shfmt$(RESET) $(FILE)"; \
-		shfmt -w "$(FILE)"; \
-	fi
-else
-	echo "$(GREEN)==>$(RESET) $(BOLD)fmt/shfmt$(RESET)"
+	echo "--- shfmt"
 # Only do diff check in CI, errors on diff.
 ifdef CI
 	shfmt -d $(SHELL_SRC_FILES)
 else
 	shfmt -w $(SHELL_SRC_FILES)
 endif
-endif
 .PHONY: fmt/shfmt

-fmt/markdown: node_modules/.installed
-ifdef FILE
-	# Format single markdown file
-	if [[ -f "$(FILE)" ]] && [[ "$(FILE)" == *.md ]]; then \
-		echo "$(GREEN)==>$(RESET) $(BOLD)fmt/markdown$(RESET) $(FILE)"; \
-		pnpm exec markdown-table-formatter "$(FILE)"; \
-	fi
-else
-	echo "$(GREEN)==>$(RESET) $(BOLD)fmt/markdown$(RESET)"
-	pnpm format-docs
-endif
-.PHONY: fmt/markdown
-
-lint: lint/shellcheck lint/go lint/ts lint/examples lint/helm lint/site-icons lint/markdown
+lint: lint/shellcheck lint/go lint/ts lint/helm lint/site-icons
 .PHONY: lint

 lint/site-icons:
 	./scripts/check_site_icons.sh
+
 .PHONY: lint/site-icons

-lint/ts: site/node_modules/.installed
-	cd site/
-	pnpm lint
+lint/ts:
+	cd site
+	pnpm i && pnpm lint
 .PHONY: lint/ts

 lint/go:
 	./scripts/check_enterprise_imports.sh
-	./scripts/check_codersdk_imports.sh
-	linter_ver=$(shell egrep -o 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/Dockerfile | cut -d '=' -f 2)
-	go run github.com/golangci/golangci-lint/cmd/golangci-lint@v$$linter_ver run
+	go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.53.2
+	golangci-lint run
 .PHONY: lint/go

-lint/examples:
-	go run ./scripts/examplegen/main.go -lint
-.PHONY: lint/examples
-
 # Use shfmt to determine the shell files, takes editorconfig into consideration.
 lint/shellcheck: $(SHELL_SRC_FILES)
 	echo "--- shellcheck"
@@ -589,104 +436,59 @@ lint/shellcheck: $(SHELL_SRC_FILES)
 .PHONY: lint/shellcheck

 lint/helm:
-	cd helm/
+	cd helm
 	make lint
 .PHONY: lint/helm

-lint/markdown: node_modules/.installed
-	pnpm lint-docs
-.PHONY: lint/markdown
-
 # All files generated by the database should be added here, and this can be used
 # as a target for jobs that need to run after the database is generated.
 DB_GEN_FILES := \
-	coderd/database/dump.sql \
 	coderd/database/querier.go \
 	coderd/database/unique_constraint.go \
+	coderd/database/dbfake/dbfake.go \
 	coderd/database/dbmetrics/dbmetrics.go \
 	coderd/database/dbauthz/dbauthz.go \
 	coderd/database/dbmock/dbmock.go

-TAILNETTEST_MOCKS := \
-	tailnet/tailnettest/coordinatormock.go \
-	tailnet/tailnettest/coordinateemock.go \
-	tailnet/tailnettest/workspaceupdatesprovidermock.go \
-	tailnet/tailnettest/subscriptionmock.go
-
-GEN_FILES := \
-	tailnet/proto/tailnet.pb.go \
-	agent/proto/agent.pb.go \
+# all gen targets should be added here and to gen/mark-fresh
+gen: \
+	coderd/database/dump.sql \
+	$(DB_GEN_FILES) \
 	provisionersdk/proto/provisioner.pb.go \
 	provisionerd/proto/provisionerd.pb.go \
-	vpn/vpn.pb.go \
-	$(DB_GEN_FILES) \
-	$(SITE_GEN_FILES) \
+	site/src/api/typesGenerated.ts \
 	coderd/rbac/object_gen.go \
-	codersdk/rbacresources_gen.go \
-	docs/admin/integrations/prometheus.md \
-	docs/reference/cli/index.md \
-	docs/admin/security/audit-logs.md \
+	docs/admin/prometheus.md \
+	docs/cli.md \
+	docs/admin/audit-logs.md \
 	coderd/apidoc/swagger.json \
-	docs/manifest.json \
-	provisioner/terraform/testdata/version \
-	site/e2e/provisionerGenerated.ts \
-	examples/examples.gen.json \
-	$(TAILNETTEST_MOCKS) \
-	coderd/database/pubsub/psmock/psmock.go \
-	agent/agentcontainers/acmock/acmock.go \
-	agent/agentcontainers/dcspec/dcspec_gen.go \
-	coderd/httpmw/loggermw/loggermock/loggermock.go
-
-# all gen targets should be added here and to gen/mark-fresh
-gen: gen/db gen/golden-files $(GEN_FILES)
+	.prettierignore.include \
+	.prettierignore \
+	site/.prettierrc.yaml \
+	site/.prettierignore \
+	site/.eslintignore
 .PHONY: gen

-gen/db: $(DB_GEN_FILES)
-.PHONY: gen/db
-
-gen/golden-files: \
-	cli/testdata/.gen-golden \
-	coderd/.gen-golden \
-	coderd/notifications/.gen-golden \
-	enterprise/cli/testdata/.gen-golden \
-	enterprise/tailnet/testdata/.gen-golden \
-	helm/coder/tests/testdata/.gen-golden \
-	helm/provisioner/tests/testdata/.gen-golden \
-	provisioner/terraform/testdata/.gen-golden \
-	tailnet/testdata/.gen-golden
-.PHONY: gen/golden-files
-
 # Mark all generated files as fresh so make thinks they're up-to-date. This is
 # used during releases so we don't run generation scripts.
 gen/mark-fresh:
 	files="\
-		tailnet/proto/tailnet.pb.go \
-		agent/proto/agent.pb.go \
-		provisionersdk/proto/provisioner.pb.go \
-		provisionerd/proto/provisionerd.pb.go \
-		vpn/vpn.pb.go \
 		coderd/database/dump.sql \
 		$(DB_GEN_FILES) \
+		provisionersdk/proto/provisioner.pb.go \
+		provisionerd/proto/provisionerd.pb.go \
 		site/src/api/typesGenerated.ts \
 		coderd/rbac/object_gen.go \
-		codersdk/rbacresources_gen.go \
-		site/src/api/rbacresourcesGenerated.ts \
-		site/src/api/countriesGenerated.ts \
-		docs/admin/integrations/prometheus.md \
-		docs/reference/cli/index.md \
-		docs/admin/security/audit-logs.md \
+		docs/admin/prometheus.md \
+		docs/cli.md \
+		docs/admin/audit-logs.md \
 		coderd/apidoc/swagger.json \
-		docs/manifest.json \
-		site/e2e/provisionerGenerated.ts \
-		site/src/theme/icons.json \
-		examples/examples.gen.json \
-		$(TAILNETTEST_MOCKS) \
-		coderd/database/pubsub/psmock/psmock.go \
-		agent/agentcontainers/acmock/acmock.go \
-		agent/agentcontainers/dcspec/dcspec_gen.go \
-		coderd/httpmw/loggermw/loggermock/loggermock.go \
-		"
-
+		.prettierignore.include \
+		.prettierignore \
+		site/.prettierrc.yaml \
+		site/.prettierignore \
+		site/.eslintignore \
+	"
 	for file in $$files; do
 		echo "$$file"
 		if [ ! -f "$$file" ]; then
@@ -695,7 +497,7 @@ gen/mark-fresh:
 		fi

 		# touch sets the mtime of the file to the current time
-		touch "$$file"
+		touch $$file
 	done
 .PHONY: gen/mark-fresh

@@ -703,58 +505,13 @@ gen/mark-fresh:
 # applied.
 coderd/database/dump.sql: coderd/database/gen/dump/main.go $(wildcard coderd/database/migrations/*.sql)
 	go run ./coderd/database/gen/dump/main.go
-	touch "$@"

 # Generates Go code for querying the database.
-# coderd/database/queries.sql.go
-# coderd/database/models.go
 coderd/database/querier.go: coderd/database/sqlc.yaml coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
 	./coderd/database/generate.sh
-	touch "$@"

 coderd/database/dbmock/dbmock.go: coderd/database/db.go coderd/database/querier.go
 	go generate ./coderd/database/dbmock/
-	touch "$@"
-
-coderd/database/pubsub/psmock/psmock.go: coderd/database/pubsub/pubsub.go
-	go generate ./coderd/database/pubsub/psmock
-	touch "$@"
-
-agent/agentcontainers/acmock/acmock.go: agent/agentcontainers/containers.go
-	go generate ./agent/agentcontainers/acmock/
-	touch "$@"
-
-coderd/httpmw/loggermw/loggermock/loggermock.go: coderd/httpmw/loggermw/logger.go
-	go generate ./coderd/httpmw/loggermw/loggermock/
-	touch "$@"
-
-agent/agentcontainers/dcspec/dcspec_gen.go: \
-	node_modules/.installed \
-	agent/agentcontainers/dcspec/devContainer.base.schema.json \
-	agent/agentcontainers/dcspec/gen.sh \
-	agent/agentcontainers/dcspec/doc.go
-	DCSPEC_QUIET=true go generate ./agent/agentcontainers/dcspec/
-	touch "$@"
-
-$(TAILNETTEST_MOCKS): tailnet/coordinator.go tailnet/service.go
-	go generate ./tailnet/tailnettest/
-	touch "$@"
-
-tailnet/proto/tailnet.pb.go: tailnet/proto/tailnet.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./tailnet/proto/tailnet.proto
-
-agent/proto/agent.pb.go: agent/proto/agent.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./agent/proto/agent.proto

 provisionersdk/proto/provisioner.pb.go: provisionersdk/proto/provisioner.proto
 	protoc \
@@ -772,258 +529,130 @@ provisionerd/proto/provisionerd.pb.go: provisionerd/proto/provisionerd.proto
 		--go-drpc_opt=paths=source_relative \
 		./provisionerd/proto/provisionerd.proto

-vpn/vpn.pb.go: vpn/vpn.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		./vpn/vpn.proto
+site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find ./codersdk $(FIND_EXCLUSIONS) -type f -name '*.go')
+	go run scripts/apitypings/main.go > site/src/api/typesGenerated.ts
+	cd site
+	pnpm run format:types

-site/src/api/typesGenerated.ts: site/node_modules/.installed $(wildcard scripts/apitypings/*) $(shell find ./codersdk $(FIND_EXCLUSIONS) -type f -name '*.go')
-	# -C sets the directory for the go run command
-	go run -C ./scripts/apitypings main.go > $@
-	(cd site/ && pnpm exec biome format --write src/api/typesGenerated.ts)
-	touch "$@"
+coderd/rbac/object_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
+	go run scripts/rbacgen/main.go ./coderd/rbac > coderd/rbac/object_gen.go

-site/e2e/provisionerGenerated.ts: site/node_modules/.installed provisionerd/proto/provisionerd.pb.go provisionersdk/proto/provisioner.pb.go
-	(cd site/ && pnpm run gen:provisioner)
-	touch "$@"
-
-site/src/theme/icons.json: site/node_modules/.installed $(wildcard scripts/gensite/*) $(wildcard site/static/icon/*)
-	go run ./scripts/gensite/ -icons "$@"
-	(cd site/ && pnpm exec biome format --write src/theme/icons.json)
-	touch "$@"
-
-examples/examples.gen.json: scripts/examplegen/main.go examples/examples.go $(shell find ./examples/templates)
-	go run ./scripts/examplegen/main.go > examples/examples.gen.json
-	touch "$@"
-
-coderd/rbac/object_gen.go: scripts/typegen/rbacobject.gotmpl scripts/typegen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
-	tempdir=$(shell mktemp -d /tmp/typegen_rbac_object.XXXXXX)
-	go run ./scripts/typegen/main.go rbac object > "$$tempdir/object_gen.go"
-	mv -v "$$tempdir/object_gen.go" coderd/rbac/object_gen.go
-	rmdir -v "$$tempdir"
-	touch "$@"
-
-codersdk/rbacresources_gen.go: scripts/typegen/codersdk.gotmpl scripts/typegen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
-	# Do no overwrite codersdk/rbacresources_gen.go directly, as it would make the file empty, breaking
- 	# the `codersdk` package and any parallel build targets.
-	go run scripts/typegen/main.go rbac codersdk > /tmp/rbacresources_gen.go
-	mv /tmp/rbacresources_gen.go codersdk/rbacresources_gen.go
-	touch "$@"
-
-site/src/api/rbacresourcesGenerated.ts: site/node_modules/.installed scripts/typegen/codersdk.gotmpl scripts/typegen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
-	go run scripts/typegen/main.go rbac typescript > "$@"
-	(cd site/ && pnpm exec biome format --write src/api/rbacresourcesGenerated.ts)
-	touch "$@"
-
-site/src/api/countriesGenerated.ts: site/node_modules/.installed scripts/typegen/countries.tstmpl scripts/typegen/main.go codersdk/countries.go
-	go run scripts/typegen/main.go countries > "$@"
-	(cd site/ && pnpm exec biome format --write src/api/countriesGenerated.ts)
-	touch "$@"
-
-docs/admin/integrations/prometheus.md: node_modules/.installed scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
+docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 	go run scripts/metricsdocgen/main.go
-	pnpm exec markdownlint-cli2 --fix ./docs/admin/integrations/prometheus.md
-	pnpm exec markdown-table-formatter ./docs/admin/integrations/prometheus.md
-	touch "$@"
+	pnpm run format:write:only ./docs/admin/prometheus.md

-docs/reference/cli/index.md: node_modules/.installed scripts/clidocgen/main.go examples/examples.gen.json $(GO_SRC_FILES)
-	CI=true BASE_PATH="." go run ./scripts/clidocgen
-	pnpm exec markdownlint-cli2 --fix ./docs/reference/cli/*.md
-	pnpm exec markdown-table-formatter ./docs/reference/cli/*.md
-	touch "$@"
+docs/cli.md: scripts/clidocgen/main.go $(GO_SRC_FILES)
+	BASE_PATH="." go run ./scripts/clidocgen
+	pnpm run format:write:only ./docs/cli.md ./docs/cli/*.md ./docs/manifest.json

-docs/admin/security/audit-logs.md: node_modules/.installed coderd/database/querier.go scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
+docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
 	go run scripts/auditdocgen/main.go
-	pnpm exec markdownlint-cli2 --fix ./docs/admin/security/audit-logs.md
-	pnpm exec markdown-table-formatter ./docs/admin/security/audit-logs.md
-	touch "$@"
+	pnpm run format:write:only ./docs/admin/audit-logs.md

-coderd/apidoc/.gen: \
-	node_modules/.installed \
-	scripts/apidocgen/node_modules/.installed \
-	$(wildcard coderd/*.go) \
-	$(wildcard enterprise/coderd/*.go) \
-	$(wildcard codersdk/*.go) \
-	$(wildcard enterprise/wsproxy/wsproxysdk/*.go) \
-	$(DB_GEN_FILES) \
-	coderd/rbac/object_gen.go \
-	.swaggo \
-	scripts/apidocgen/generate.sh \
-	$(wildcard scripts/apidocgen/postprocess/*) \
-	$(wildcard scripts/apidocgen/markdown-template/*)
+coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) $(wildcard enterprise/wsproxy/wsproxysdk/*.go) $(DB_GEN_FILES) .swaggo docs/manifest.json coderd/rbac/object_gen.go
 	./scripts/apidocgen/generate.sh
-	pnpm exec markdownlint-cli2 --fix ./docs/reference/api/*.md
-	pnpm exec markdown-table-formatter ./docs/reference/api/*.md
-	touch "$@"
+	pnpm run format:write:only ./docs/api ./docs/manifest.json ./coderd/apidoc/swagger.json

-docs/manifest.json: site/node_modules/.installed coderd/apidoc/.gen docs/reference/cli/index.md
-	(cd site/ && pnpm exec biome format --write ../docs/manifest.json)
-	touch "$@"
-
-coderd/apidoc/swagger.json: site/node_modules/.installed coderd/apidoc/.gen
-	(cd site/ && pnpm exec biome format --write ../coderd/apidoc/swagger.json)
-	touch "$@"
-
-update-golden-files:
-	echo 'WARNING: This target is deprecated. Use "make gen/golden-files" instead.' >&2
-	echo 'Running "make gen/golden-files"' >&2
-	make gen/golden-files
+update-golden-files: cli/testdata/.gen-golden helm/tests/testdata/.gen-golden scripts/ci-report/testdata/.gen-golden enterprise/cli/testdata/.gen-golden
 .PHONY: update-golden-files

-clean/golden-files:
-	find . -type f -name '.gen-golden' -delete
-	find \
-		cli/testdata \
-		coderd/notifications/testdata \
-		coderd/testdata \
-		enterprise/cli/testdata \
-		enterprise/tailnet/testdata \
-		helm/coder/tests/testdata \
-		helm/provisioner/tests/testdata \
-		provisioner/terraform/testdata \
-		tailnet/testdata \
-		-type f -name '*.golden' -delete
-.PHONY: clean/golden-files
-
 cli/testdata/.gen-golden: $(wildcard cli/testdata/*.golden) $(wildcard cli/*.tpl) $(GO_SRC_FILES) $(wildcard cli/*_test.go)
-	TZ=UTC go test ./cli -run="Test(CommandHelp|ServerYAML|ErrorExamples|.*Golden)" -update
+	go test ./cli -run="Test(CommandHelp|ServerYAML)" -update
 	touch "$@"

 enterprise/cli/testdata/.gen-golden: $(wildcard enterprise/cli/testdata/*.golden) $(wildcard cli/*.tpl) $(GO_SRC_FILES) $(wildcard enterprise/cli/*_test.go)
-	TZ=UTC go test ./enterprise/cli -run="TestEnterpriseCommandHelp" -update
+	go test ./enterprise/cli -run="TestEnterpriseCommandHelp" -update
 	touch "$@"

-tailnet/testdata/.gen-golden: $(wildcard tailnet/testdata/*.golden.html) $(GO_SRC_FILES) $(wildcard tailnet/*_test.go)
-	TZ=UTC go test ./tailnet -run="TestDebugTemplate" -update
+helm/tests/testdata/.gen-golden: $(wildcard helm/tests/testdata/*.yaml) $(wildcard helm/tests/testdata/*.golden) $(GO_SRC_FILES) $(wildcard helm/tests/*_test.go)
+	go test ./helm/tests -run=TestUpdateGoldenFiles -update
 	touch "$@"

-enterprise/tailnet/testdata/.gen-golden: $(wildcard enterprise/tailnet/testdata/*.golden.html) $(GO_SRC_FILES) $(wildcard enterprise/tailnet/*_test.go)
-	TZ=UTC go test ./enterprise/tailnet -run="TestDebugTemplate" -update
+scripts/ci-report/testdata/.gen-golden: $(wildcard scripts/ci-report/testdata/*) $(wildcard scripts/ci-report/*.go)
+	go test ./scripts/ci-report -run=TestOutputMatchesGoldenFile -update
 	touch "$@"

-helm/coder/tests/testdata/.gen-golden: $(wildcard helm/coder/tests/testdata/*.yaml) $(wildcard helm/coder/tests/testdata/*.golden) $(GO_SRC_FILES) $(wildcard helm/coder/tests/*_test.go)
-	TZ=UTC go test ./helm/coder/tests -run=TestUpdateGoldenFiles -update
+# Generate a prettierrc for the site package that uses relative paths for
+# overrides. This allows us to share the same prettier config between the
+# site and the root of the repo.
+site/.prettierrc.yaml: .prettierrc.yaml
+	. ./scripts/lib.sh
+	dependencies yq
+
+	echo "# Code generated by Makefile (../$<). DO NOT EDIT." > "$@"
+	echo "" >> "$@"
+
+	# Replace all listed override files with relative paths inside site/.
+	# - ./ -> ../
+	# - ./site -> ./
+	yq \
+		'.overrides[].files |= map(. | sub("^./"; "") | sub("^"; "../") | sub("../site/"; "./"))' \
+		"$<" >> "$@"
+
+# Combine .gitignore with .prettierignore.include to generate .prettierignore.
+.prettierignore: .gitignore .prettierignore.include
+	echo "# Code generated by Makefile ($^). DO NOT EDIT." > "$@"
+	echo "" >> "$@"
+	for f in $^; do
+		echo "# $${f}:" >> "$@"
+		cat "$$f" >> "$@"
+	done
+
+# Generate ignore files based on gitignore into the site directory. We turn all
+# rules into relative paths for the `site/` directory (where applicable),
+# following the pattern format defined by git:
+# https://git-scm.com/docs/gitignore#_pattern_format
+#
+# This is done for compatibility reasons, see:
+# https://github.com/prettier/prettier/issues/8048
+# https://github.com/prettier/prettier/issues/8506
+# https://github.com/prettier/prettier/issues/8679
+site/.eslintignore site/.prettierignore: .prettierignore Makefile
+	rm -f "$@"
 	touch "$@"
-
-helm/provisioner/tests/testdata/.gen-golden: $(wildcard helm/provisioner/tests/testdata/*.yaml) $(wildcard helm/provisioner/tests/testdata/*.golden) $(GO_SRC_FILES) $(wildcard helm/provisioner/tests/*_test.go)
-	TZ=UTC go test ./helm/provisioner/tests -run=TestUpdateGoldenFiles -update
-	touch "$@"
-
-coderd/.gen-golden: $(wildcard coderd/testdata/*/*.golden) $(GO_SRC_FILES) $(wildcard coderd/*_test.go)
-	TZ=UTC go test ./coderd -run="Test.*Golden$$" -update
-	touch "$@"
-
-coderd/notifications/.gen-golden: $(wildcard coderd/notifications/testdata/*/*.golden) $(GO_SRC_FILES) $(wildcard coderd/notifications/*_test.go)
-	TZ=UTC go test ./coderd/notifications -run="Test.*Golden$$" -update
-	touch "$@"
-
-provisioner/terraform/testdata/.gen-golden: $(wildcard provisioner/terraform/testdata/*/*.golden) $(GO_SRC_FILES) $(wildcard provisioner/terraform/*_test.go)
-	TZ=UTC go test ./provisioner/terraform -run="Test.*Golden$$" -update
-	touch "$@"
-
-provisioner/terraform/testdata/version:
-	if [[ "$(shell cat provisioner/terraform/testdata/version.txt)" != "$(shell terraform version -json | jq -r '.terraform_version')" ]]; then
-		./provisioner/terraform/testdata/generate.sh
-	fi
-.PHONY: provisioner/terraform/testdata/version
-
-# Set the retry flags if TEST_RETRIES is set
-ifdef TEST_RETRIES
-GOTESTSUM_RETRY_FLAGS := --rerun-fails=$(TEST_RETRIES)
-else
-GOTESTSUM_RETRY_FLAGS :=
-endif
+	# Skip generated by header, inherit `.prettierignore` header as-is.
+	while read -r rule; do
+		# Remove leading ! if present to simplify rule, added back at the end.
+		tmp="$${rule#!}"
+		ignore="$${rule%"$$tmp"}"
+		rule="$$tmp"
+		case "$$rule" in
+			# Comments or empty lines (include).
+			\#*|'') ;;
+			# Generic rules (include).
+			\*\**) ;;
+			# Site prefixed rules (include).
+			site/*) rule="$${rule#site/}";;
+			./site/*) rule="$${rule#./site/}";;
+			# Rules that are non-generic and don't start with site (rewrite).
+			/*) rule=.."$$rule";;
+			*/?*) rule=../"$$rule";;
+			*) ;;
+		esac
+		echo "$${ignore}$${rule}" >> "$@"
+	done < "$<"

 test:
-	$(GIT_FLAGS) gotestsum --format standard-quiet $(GOTESTSUM_RETRY_FLAGS) --packages="./..." -- -v -short -count=1 $(if $(RUN),-run $(RUN))
+	gotestsum --format standard-quiet -- -v -short -count=1 ./...
 .PHONY: test

-test-cli:
-	$(GIT_FLAGS) gotestsum --format standard-quiet $(GOTESTSUM_RETRY_FLAGS) --packages="./cli/..." -- -v -short -count=1
-.PHONY: test-cli
-
-# sqlc-cloud-is-setup will fail if no SQLc auth token is set. Use this as a
-# dependency for any sqlc-cloud related targets.
-sqlc-cloud-is-setup:
-	if [[ "$(SQLC_AUTH_TOKEN)" == "" ]]; then
-		echo "ERROR: 'SQLC_AUTH_TOKEN' must be set to auth with sqlc cloud before running verify." 1>&2
-		exit 1
-	fi
-.PHONY: sqlc-cloud-is-setup
-
-sqlc-push: sqlc-cloud-is-setup test-postgres-docker
-	echo "--- sqlc push"
-	SQLC_DATABASE_URL="postgresql://postgres:postgres@localhost:5432/$(shell go run scripts/migrate-ci/main.go)" \
-	sqlc push -f coderd/database/sqlc.yaml && echo "Passed sqlc push"
-.PHONY: sqlc-push
-
-sqlc-verify: sqlc-cloud-is-setup test-postgres-docker
-	echo "--- sqlc verify"
-	SQLC_DATABASE_URL="postgresql://postgres:postgres@localhost:5432/$(shell go run scripts/migrate-ci/main.go)" \
-	sqlc verify -f coderd/database/sqlc.yaml && echo "Passed sqlc verify"
-.PHONY: sqlc-verify
-
-sqlc-vet: test-postgres-docker
-	echo "--- sqlc vet"
-	SQLC_DATABASE_URL="postgresql://postgres:postgres@localhost:5432/$(shell go run scripts/migrate-ci/main.go)" \
-	sqlc vet -f coderd/database/sqlc.yaml && echo "Passed sqlc vet"
-.PHONY: sqlc-vet
-
 # When updating -timeout for this test, keep in sync with
 # test-go-postgres (.github/workflows/coder.yaml).
 # Do add coverage flags so that test caching works.
 test-postgres: test-postgres-docker
 	# The postgres test is prone to failure, so we limit parallelism for
 	# more consistent execution.
-	$(GIT_FLAGS)  gotestsum \
+	DB=ci DB_FROM=$(shell go run scripts/migrate-ci/main.go) gotestsum \
 		--junitfile="gotests.xml" \
 		--jsonfile="gotests.json" \
-		$(GOTESTSUM_RETRY_FLAGS) \
 		--packages="./..." -- \
 		-timeout=20m \
+		-failfast \
 		-count=1
 .PHONY: test-postgres

-test-migrations: test-postgres-docker
-	echo "--- test migrations"
-	set -euo pipefail
-	COMMIT_FROM=$(shell git log -1 --format='%h' HEAD)
-	echo "COMMIT_FROM=$${COMMIT_FROM}"
-	COMMIT_TO=$(shell git log -1 --format='%h' origin/main)
-	echo "COMMIT_TO=$${COMMIT_TO}"
-	if [[ "$${COMMIT_FROM}" == "$${COMMIT_TO}" ]]; then echo "Nothing to do!"; exit 0; fi
-	echo "DROP DATABASE IF EXISTS migrate_test_$${COMMIT_FROM}; CREATE DATABASE migrate_test_$${COMMIT_FROM};" | psql 'postgresql://postgres:postgres@localhost:5432/postgres?sslmode=disable'
-	go run ./scripts/migrate-test/main.go --from="$$COMMIT_FROM" --to="$$COMMIT_TO" --postgres-url="postgresql://postgres:postgres@localhost:5432/migrate_test_$${COMMIT_FROM}?sslmode=disable"
-.PHONY: test-migrations
-
-# NOTE: we set --memory to the same size as a GitHub runner.
 test-postgres-docker:
-	docker rm -f test-postgres-docker-${POSTGRES_VERSION} || true
-
-	# Try pulling up to three times to avoid CI flakes.
-	docker pull ${POSTGRES_IMAGE} || {
-		retries=2
-		for try in $(seq 1 ${retries}); do
-			echo "Failed to pull image, retrying (${try}/${retries})..."
-			sleep 1
-			if docker pull ${POSTGRES_IMAGE}; then
-				break
-			fi
-		done
-	}
-
-	# Make sure to not overallocate work_mem and max_connections as each
-	# connection will be allowed to use this much memory. Try adjusting
-	# shared_buffers instead, if needed.
-	#
-	# - work_mem=8MB * max_connections=1000 = 8GB
-	# - shared_buffers=2GB + effective_cache_size=1GB = 3GB
-	#
-	# This leaves 5GB for the rest of the system _and_ storing the
-	# database in memory (--tmpfs).
-	#
-	# https://www.postgresql.org/docs/current/runtime-config-resource.html#GUC-WORK-MEM
+	docker rm -f test-postgres-docker || true
 	docker run \
 		--env POSTGRES_PASSWORD=postgres \
 		--env POSTGRES_USER=postgres \
@@ -1031,14 +660,13 @@ test-postgres-docker:
 		--env PGDATA=/tmp \
 		--tmpfs /tmp \
 		--publish 5432:5432 \
-		--name test-postgres-docker-${POSTGRES_VERSION} \
+		--name test-postgres-docker \
 		--restart no \
 		--detach \
-		--memory 16GB \
-		${POSTGRES_IMAGE} \
-		-c shared_buffers=2GB \
+		gcr.io/coder-dev-1/postgres:13 \
+		-c shared_buffers=1GB \
+		-c work_mem=1GB \
 		-c effective_cache_size=1GB \
-		-c work_mem=8MB \
 		-c max_connections=1000 \
 		-c fsync=off \
 		-c synchronous_commit=off \
@@ -1053,42 +681,12 @@ test-postgres-docker:

 # Make sure to keep this in sync with test-go-race from .github/workflows/ci.yaml.
 test-race:
-	$(GIT_FLAGS) gotestsum --junitfile="gotests.xml" -- -race -count=1 -parallel 4 -p 4 ./...
+	gotestsum --junitfile="gotests.xml" -- -race -count=1 ./...
 .PHONY: test-race

-test-tailnet-integration:
-	env \
-		CODER_TAILNET_TESTS=true \
-		CODER_MAGICSOCK_DEBUG_LOGGING=true \
-		TS_DEBUG_NETCHECK=true \
-		GOTRACEBACK=single \
-		go test \
-			-exec "sudo -E" \
-			-timeout=5m \
-			-count=1 \
-			./tailnet/test/integration
-.PHONY: test-tailnet-integration
-
 # Note: we used to add this to the test target, but it's not necessary and we can
 # achieve the desired result by specifying -count=1 in the go test invocation
 # instead. Keeping it here for convenience.
 test-clean:
 	go clean -testcache
 .PHONY: test-clean
-
-site/e2e/bin/coder: go.mod go.sum $(GO_SRC_FILES)
-	go build -o $@ \
-		-tags ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube \
-		./enterprise/cmd/coder
-
-test-e2e: site/e2e/bin/coder site/node_modules/.installed site/out/index.html
-	cd site/
-ifdef CI
-	DEBUG=pw:api pnpm playwright:test --forbid-only --workers 1
-else
-	pnpm playwright:test
-endif
-.PHONY: test-e2e
-
-dogfood/coder/nix.hash: flake.nix flake.lock
-	sha256sum flake.nix flake.lock >./dogfood/coder/nix.hash
@@ -1,62 +1,60 @@
-<!-- markdownlint-disable MD041 -->
 <div align="center">
  <a href="https://coder.com#gh-light-mode-only">
-    <img src="./docs/images/logo-black.png" alt="Coder Logo Light" style="width: 128px">
+    <img src="./docs/images/logo-black.png" style="width: 128px">
  </a>
  <a href="https://coder.com#gh-dark-mode-only">
-    <img src="./docs/images/logo-white.png" alt="Coder Logo Dark" style="width: 128px">
+    <img src="./docs/images/logo-white.png" style="width: 128px">
  </a>

  <h1>
-  Self-Hosted Cloud Development Environments
+  Self-Hosted Remote Development Environments
  </h1>

  <a href="https://coder.com#gh-light-mode-only">
-    <img src="./docs/images/banner-black.png" alt="Coder Banner Light" style="width: 650px">
+    <img src="./docs/images/banner-black.png" style="width: 650px">
  </a>
  <a href="https://coder.com#gh-dark-mode-only">
-    <img src="./docs/images/banner-white.png" alt="Coder Banner Dark" style="width: 650px">
+    <img src="./docs/images/banner-white.png" style="width: 650px">
  </a>

  <br>
  <br>

-[Quickstart](#quickstart) | [Docs](https://coder.com/docs) | [Why Coder](https://coder.com/why) | [Premium](https://coder.com/pricing#compare-plans)
+[Quickstart](#quickstart) | [Docs](https://coder.com/docs) | [Why Coder](https://coder.com/why) | [Enterprise](https://coder.com/docs/v2/latest/enterprise)

 [![discord](https://img.shields.io/discord/747933592273027093?label=discord)](https://discord.gg/coder)
+[![codecov](https://codecov.io/gh/coder/coder/branch/main/graph/badge.svg?token=TNLW3OAP6G)](https://codecov.io/gh/coder/coder)
 [![release](https://img.shields.io/github/v/release/coder/coder)](https://github.com/coder/coder/releases/latest)
 [![godoc](https://pkg.go.dev/badge/github.com/coder/coder.svg)](https://pkg.go.dev/github.com/coder/coder)
-[![Go Report Card](https://goreportcard.com/badge/github.com/coder/coder/v2)](https://goreportcard.com/report/github.com/coder/coder/v2)
-[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9511/badge)](https://www.bestpractices.dev/projects/9511)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/coder/coder/badge)](https://scorecard.dev/viewer/?uri=github.com%2Fcoder%2Fcoder)
+[![Go Report Card](https://goreportcard.com/badge/github.com/coder/coder)](https://goreportcard.com/report/github.com/coder/coder)
 [![license](https://img.shields.io/github/license/coder/coder)](./LICENSE)

 </div>

-[Coder](https://coder.com) enables organizations to set up development environments in their public or private cloud infrastructure. Cloud development environments are defined with Terraform, connected through a secure high-speed Wireguard® tunnel, and automatically shut down when not used to save on costs. Coder gives engineering teams the flexibility to use the cloud for workloads most beneficial to them.
+[Coder](https://coder.com) enables organizations to set up development environments in the cloud. Environments are defined with Terraform, connected through a secure high-speed Wireguard® tunnel, and are automatically shut down when not in use to save on costs. Coder gives engineering teams the flexibility to use the cloud for workloads that are most beneficial to them.

- Define cloud development environments in Terraform
+- Define development environments in Terraform
  - EC2 VMs, Kubernetes Pods, Docker Containers, etc.
 - Automatically shutdown idle resources to save on costs
 - Onboard developers in seconds instead of days

 <p align="center">
-  <img src="./docs/images/hero-image.png" alt="Coder Hero Image">
+  <img src="./docs/images/hero-image.png">
 </p>

 ## Quickstart

-The most convenient way to try Coder is to install it on your local machine and experiment with provisioning cloud development environments using Docker (works on Linux, macOS, and Windows).
+The most convenient way to try Coder is to install it on your local machine and experiment with provisioning development environments using Docker (works on Linux, macOS, and Windows).

-```shell
+```
 # First, install Coder
 curl -L https://coder.com/install.sh | sh

 # Start the Coder server (caches data in ~/.cache/coder)
 coder server

-# Navigate to http://localhost:3000 to create your initial user,
-# create a Docker template and provision a workspace
+# Navigate to http://localhost:3000 to create your initial user
+# Create a Docker template, and provision a workspace
 ```

 ## Install
@@ -66,17 +64,17 @@ The easiest way to install Coder is to use our
 and macOS. For Windows, use the latest `..._installer.exe` file from GitHub
 Releases.

-```shell
+```bash
 curl -L https://coder.com/install.sh | sh
 ```

-You can run the install script with `--dry-run` to see the commands that will be used to install without executing them. Run the install script with `--help` for additional flags.
+You can run the install script with `--dry-run` to see the commands that will be used to install without executing them. You can modify the installation process by including flags. Run the install script with `--help` for reference.

-> See [install](https://coder.com/docs/install) for additional methods.
+> See [install](docs/install) for additional methods.

-Once installed, you can start a production deployment with a single command:
+Once installed, you can start a production deployment<sup>1</sup> with a single command:

-```shell
+```console
 # Automatically sets up an external access URL on *.try.coder.app
 coder server

@@ -84,50 +82,44 @@ coder server
 coder server --postgres-url <url> --access-url <url>
 ```

-Use `coder --help` to get a list of flags and environment variables. Use our [install guides](https://coder.com/docs/install) for a complete walkthrough.
+> <sup>1</sup> For production deployments, set up an external PostgreSQL instance for reliability.
+
+Use `coder --help` to get a list of flags and environment variables. Use our [install guides](https://coder.com/docs/v2/latest/install) for a full walkthrough.

 ## Documentation

-Browse our docs [here](https://coder.com/docs) or visit a specific section below:
+Browse our docs [here](https://coder.com/docs/v2) or visit a specific section below:

- [**Templates**](https://coder.com/docs/templates): Templates are written in Terraform and describe the infrastructure for workspaces
- [**Workspaces**](https://coder.com/docs/workspaces): Workspaces contain the IDEs, dependencies, and configuration information needed for software development
- [**IDEs**](https://coder.com/docs/ides): Connect your existing editor to a workspace
- [**Administration**](https://coder.com/docs/admin): Learn how to operate Coder
- [**Premium**](https://coder.com/pricing#compare-plans): Learn about our paid features built for large teams
+- [**Templates**](https://coder.com/docs/v2/latest/templates): Templates are written in Terraform and describe the infrastructure for workspaces
+- [**Workspaces**](https://coder.com/docs/v2/latest/workspaces): Workspaces contain the IDEs, dependencies, and configuration information needed for software development
+- [**IDEs**](https://coder.com/docs/v2/latest/ides): Connect your existing editor to a workspace
+- [**Administration**](https://coder.com/docs/v2/latest/admin): Learn how to operate Coder
+- [**Enterprise**](https://coder.com/docs/v2/latest/enterprise): Learn about our paid features built for large teams

-## Support
+## Community and Support

 Feel free to [open an issue](https://github.com/coder/coder/issues/new) if you have questions, run into bugs, or have a feature request.

-[Join our Discord](https://discord.gg/coder) to provide feedback on in-progress features and chat with the community using Coder!
+[Join our Discord](https://discord.gg/coder) to provide feedback on in-progress features, and chat with the community using Coder!

-## Integrations
+## Contributing

-We are always working on new integrations. Please feel free to open an issue and ask for an integration. Contributions are welcome in any official or community repositories.
+Contributions are welcome! Read the [contributing docs](https://coder.com/docs/v2/latest/CONTRIBUTING) to get started.
+
+Find our list of contributors [here](https://github.com/coder/coder/graphs/contributors).
+
+## Related
+
+We are always working on new integrations. Feel free to open an issue to request an integration. Contributions are welcome in any official or community repositories.

 ### Official

 - [**VS Code Extension**](https://marketplace.visualstudio.com/items?itemName=coder.coder-remote): Open any Coder workspace in VS Code with a single click
- [**JetBrains Toolbox Plugin**](https://plugins.jetbrains.com/plugin/26968-coder): Open any Coder workspace from JetBrains Toolbox with a single click
- [**JetBrains Gateway Plugin**](https://plugins.jetbrains.com/plugin/19620-coder): Open any Coder workspace in JetBrains Gateway with a single click
- [**Dev Container Builder**](https://github.com/coder/envbuilder): Build development environments using `devcontainer.json` on Docker, Kubernetes, and OpenShift
- [**Coder Registry**](https://registry.coder.com): Build and extend development environments with common use-cases
- [**Kubernetes Log Stream**](https://github.com/coder/coder-logstream-kube): Stream Kubernetes Pod events to the Coder startup logs
+- [**JetBrains Gateway Extension**](https://plugins.jetbrains.com/plugin/19620-coder): Open any Coder workspace in JetBrains Gateway with a single click
 - [**Self-Hosted VS Code Extension Marketplace**](https://github.com/coder/code-marketplace): A private extension marketplace that works in restricted or airgapped networks integrating with [code-server](https://github.com/coder/code-server).
- [**Setup Coder**](https://github.com/marketplace/actions/setup-coder): An action to setup coder CLI in GitHub workflows.

 ### Community

 - [**Provision Coder with Terraform**](https://github.com/ElliotG/coder-oss-tf): Provision Coder on Google GKE, Azure AKS, AWS EKS, DigitalOcean DOKS, IBMCloud K8s, OVHCloud K8s, and Scaleway K8s Kapsule with Terraform
- [**Coder Template GitHub Action**](https://github.com/marketplace/actions/update-coder-template): A GitHub Action that updates Coder templates
-
-## Contributing
-
-We are always happy to see new contributors to Coder. If you are new to the Coder codebase, we have
-[a guide on how to get started](https://coder.com/docs/CONTRIBUTING). We'd love to see your
-contributions!
-
-## Hiring
-
-Apply [here](https://jobs.ashbyhq.com/coder?utm_source=github&utm_medium=readme&utm_campaign=unknown) if you're interested in joining our team.
+- [**Coder GitHub Action**](https://github.com/marketplace/actions/update-coder-template): A GitHub Action that updates Coder templates
+- [**Various Templates**](./examples/templates/community-templates.md): Hetzner Cloud, Docker in Docker, and other templates the community has built.
@@ -1,81 +1,73 @@
 # Coder Security

-Coder welcomes feedback from security researchers and the general public to help
-improve our security. If you believe you have discovered a vulnerability,
+Coder welcomes feedback from security researchers and the general public
+to help improve our security. If you believe you have discovered a vulnerability,
 privacy issue, exposed data, or other security issues in any of our assets, we
 want to hear from you. This policy outlines steps for reporting vulnerabilities
 to us, what we expect, what you can expect from us.

 You can see the pretty version [here](https://coder.com/security/policy)

-## Why Coder's security matters
+# Why Coder's security matters

-If an attacker could fully compromise a Coder installation, they could spin up
-expensive workstations, steal valuable credentials, or steal proprietary source
-code. We take this risk very seriously and employ routine pen testing,
-vulnerability scanning, and code reviews. We also welcome the contributions from
-the community that helped make this product possible.
+If an attacker could fully compromise a Coder installation, they could spin
+up expensive workstations, steal valuable credentials, or steal proprietary
+source code. We take this risk very seriously and employ routine pen testing,
+vulnerability scanning, and code reviews. We also welcome the contributions
+from the community that helped make this product possible.

-## Where should I report security issues?
+# Where should I report security issues?

-Please report security issues to <security@coder.com>, providing all relevant
-information. The more details you provide, the easier it will be for us to
-triage and fix the issue.
+Please report security issues to security@coder.com, providing
+all relevant information. The more details you provide, the easier it will be
+for us to triage and fix the issue.

-## Out of Scope
+# Out of Scope

-Our primary concern is around an abuse of the Coder application that allows an
-attacker to gain access to another users workspace, or spin up unwanted
+Our primary concern is around an abuse of the Coder application that allows
+an attacker to gain access to another users workspace, or spin up unwanted
 workspaces.

 - DOS/DDOS attacks affecting availability --> While we do support rate limiting
-  of requests, we primarily leave this to the owner of the Coder installation.
-  Our rationale is that a DOS attack only affecting availability is not a
-  valuable target for attackers.
+  of requests, we primarily leave this to the owner of the Coder installation. Our
+  rationale is that a DOS attack only affecting availability is not a valuable
+  target for attackers.
 - Abuse of a compromised user credential --> If a user credential is compromised
-  outside of the Coder ecosystem, then we consider it beyond the scope of our
-  application. However, if an unprivileged user could escalate their permissions
-  or gain access to another workspace, that is a cause for concern.
+  outside of the Coder ecosystem, then we consider it beyond the scope of our application.
+  However, if an unprivileged user could escalate their permissions or gain access
+  to another workspace, that is a cause for concern.
 - Vulnerabilities in third party systems --> Vulnerabilities discovered in
-  out-of-scope systems should be reported to the appropriate vendor or
-  applicable authority.
+  out-of-scope systems should be reported to the appropriate vendor or applicable authority.

-## Our Commitments
+# Our Commitments

 When working with us, according to this policy, you can expect us to:

- Respond to your report promptly, and work with you to understand and validate
-  your report;
- Strive to keep you informed about the progress of a vulnerability as it is
-  processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our
-  operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this
-  policy.
+- Respond to your report promptly, and work with you to understand and validate your report;
+- Strive to keep you informed about the progress of a vulnerability as it is processed;
+- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
+- Extend Safe Harbor for your vulnerability research that is related to this policy.

-## Our Expectations
+# Our Expectations

-In participating in our vulnerability disclosure program in good faith, we ask
-that you:
+In participating in our vulnerability disclosure program in good faith, we ask that you:

- Play by the rules, including following this policy and any other relevant
-  agreements. If there is any inconsistency between this policy and any other
-  applicable terms, the terms of this policy will prevail;
+- Play by the rules, including following this policy and any other relevant agreements.
+  If there is any inconsistency between this policy and any other applicable terms, the
+  terms of this policy will prevail;
 - Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying
-  data, and/or harming user experience;
+- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or
+  harming user experience;
 - Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least 90 days from the initial
-  report) to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities
-  which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of
-  data you access to the minimum required for effectively demonstrating a Proof
-  of Concept; and cease testing and submit a report immediately if you encounter
-  any user data during testing, such as Personally Identifiable Information
-  (PII), Personal Healthcare Information (PHI), credit card data, or proprietary
-  information;
- You should only interact with test accounts you own or with explicit
-  permission from
+- Provide us a reasonable amount of time (at least 90 days from the initial report) to
+  resolve the issue before you disclose it publicly;
+- Perform testing only on in-scope systems, and respect systems and activities which
+  are out-of-scope;
+- If a vulnerability provides unintended access to data: Limit the amount of data you
+  access to the minimum required for effectively demonstrating a Proof of Concept; and
+  cease testing and submit a report immediately if you encounter any user data during testing,
+  such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI),
+  credit card data, or proprietary information;
+- You should only interact with test accounts you own or with explicit permission from
 - the account holder; and
 - Do not engage in extortion.
@@ -1,190 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: .. (interfaces: ContainerCLI,DevcontainerCLI)
-//
-// Generated by this command:
-//
-//	mockgen -destination ./acmock.go -package acmock .. ContainerCLI,DevcontainerCLI
-//
-
-// Package acmock is a generated GoMock package.
-package acmock
-
-import (
-	context "context"
-	reflect "reflect"
-
-	agentcontainers "github.com/coder/coder/v2/agent/agentcontainers"
-	codersdk "github.com/coder/coder/v2/codersdk"
-	gomock "go.uber.org/mock/gomock"
-)
-
-// MockContainerCLI is a mock of ContainerCLI interface.
-type MockContainerCLI struct {
-	ctrl     *gomock.Controller
-	recorder *MockContainerCLIMockRecorder
-	isgomock struct{}
-}
-
-// MockContainerCLIMockRecorder is the mock recorder for MockContainerCLI.
-type MockContainerCLIMockRecorder struct {
-	mock *MockContainerCLI
-}
-
-// NewMockContainerCLI creates a new mock instance.
-func NewMockContainerCLI(ctrl *gomock.Controller) *MockContainerCLI {
-	mock := &MockContainerCLI{ctrl: ctrl}
-	mock.recorder = &MockContainerCLIMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockContainerCLI) EXPECT() *MockContainerCLIMockRecorder {
-	return m.recorder
-}
-
-// Copy mocks base method.
-func (m *MockContainerCLI) Copy(ctx context.Context, containerName, src, dst string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Copy", ctx, containerName, src, dst)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Copy indicates an expected call of Copy.
-func (mr *MockContainerCLIMockRecorder) Copy(ctx, containerName, src, dst any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Copy", reflect.TypeOf((*MockContainerCLI)(nil).Copy), ctx, containerName, src, dst)
-}
-
-// DetectArchitecture mocks base method.
-func (m *MockContainerCLI) DetectArchitecture(ctx context.Context, containerName string) (string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DetectArchitecture", ctx, containerName)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DetectArchitecture indicates an expected call of DetectArchitecture.
-func (mr *MockContainerCLIMockRecorder) DetectArchitecture(ctx, containerName any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DetectArchitecture", reflect.TypeOf((*MockContainerCLI)(nil).DetectArchitecture), ctx, containerName)
-}
-
-// ExecAs mocks base method.
-func (m *MockContainerCLI) ExecAs(ctx context.Context, containerName, user string, args ...string) ([]byte, error) {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx, containerName, user}
-	for _, a := range args {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ExecAs", varargs...)
-	ret0, _ := ret[0].([]byte)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ExecAs indicates an expected call of ExecAs.
-func (mr *MockContainerCLIMockRecorder) ExecAs(ctx, containerName, user any, args ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx, containerName, user}, args...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExecAs", reflect.TypeOf((*MockContainerCLI)(nil).ExecAs), varargs...)
-}
-
-// List mocks base method.
-func (m *MockContainerCLI) List(ctx context.Context) (codersdk.WorkspaceAgentListContainersResponse, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "List", ctx)
-	ret0, _ := ret[0].(codersdk.WorkspaceAgentListContainersResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// List indicates an expected call of List.
-func (mr *MockContainerCLIMockRecorder) List(ctx any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "List", reflect.TypeOf((*MockContainerCLI)(nil).List), ctx)
-}
-
-// MockDevcontainerCLI is a mock of DevcontainerCLI interface.
-type MockDevcontainerCLI struct {
-	ctrl     *gomock.Controller
-	recorder *MockDevcontainerCLIMockRecorder
-	isgomock struct{}
-}
-
-// MockDevcontainerCLIMockRecorder is the mock recorder for MockDevcontainerCLI.
-type MockDevcontainerCLIMockRecorder struct {
-	mock *MockDevcontainerCLI
-}
-
-// NewMockDevcontainerCLI creates a new mock instance.
-func NewMockDevcontainerCLI(ctrl *gomock.Controller) *MockDevcontainerCLI {
-	mock := &MockDevcontainerCLI{ctrl: ctrl}
-	mock.recorder = &MockDevcontainerCLIMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockDevcontainerCLI) EXPECT() *MockDevcontainerCLIMockRecorder {
-	return m.recorder
-}
-
-// Exec mocks base method.
-func (m *MockDevcontainerCLI) Exec(ctx context.Context, workspaceFolder, configPath, cmd string, cmdArgs []string, opts ...agentcontainers.DevcontainerCLIExecOptions) error {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx, workspaceFolder, configPath, cmd, cmdArgs}
-	for _, a := range opts {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "Exec", varargs...)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Exec indicates an expected call of Exec.
-func (mr *MockDevcontainerCLIMockRecorder) Exec(ctx, workspaceFolder, configPath, cmd, cmdArgs any, opts ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx, workspaceFolder, configPath, cmd, cmdArgs}, opts...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exec", reflect.TypeOf((*MockDevcontainerCLI)(nil).Exec), varargs...)
-}
-
-// ReadConfig mocks base method.
-func (m *MockDevcontainerCLI) ReadConfig(ctx context.Context, workspaceFolder, configPath string, env []string, opts ...agentcontainers.DevcontainerCLIReadConfigOptions) (agentcontainers.DevcontainerConfig, error) {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx, workspaceFolder, configPath, env}
-	for _, a := range opts {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ReadConfig", varargs...)
-	ret0, _ := ret[0].(agentcontainers.DevcontainerConfig)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReadConfig indicates an expected call of ReadConfig.
-func (mr *MockDevcontainerCLIMockRecorder) ReadConfig(ctx, workspaceFolder, configPath, env any, opts ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx, workspaceFolder, configPath, env}, opts...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadConfig", reflect.TypeOf((*MockDevcontainerCLI)(nil).ReadConfig), varargs...)
-}
-
-// Up mocks base method.
-func (m *MockDevcontainerCLI) Up(ctx context.Context, workspaceFolder, configPath string, opts ...agentcontainers.DevcontainerCLIUpOptions) (string, error) {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx, workspaceFolder, configPath}
-	for _, a := range opts {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "Up", varargs...)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Up indicates an expected call of Up.
-func (mr *MockDevcontainerCLIMockRecorder) Up(ctx, workspaceFolder, configPath any, opts ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx, workspaceFolder, configPath}, opts...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Up", reflect.TypeOf((*MockDevcontainerCLI)(nil).Up), varargs...)
-}
@@ -1,4 +0,0 @@
-// Package acmock contains a mock implementation of agentcontainers.Lister for use in tests.
-package acmock
-
-//go:generate mockgen -destination ./acmock.go -package acmock .. ContainerCLI,DevcontainerCLI
@@ -1,358 +0,0 @@
-package agentcontainers
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-
-	"github.com/coder/coder/v2/provisioner"
-)
-
-func TestSafeAgentName(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name       string
-		folderName string
-		expected   string
-		fallback   bool
-	}{
-		// Basic valid names
-		{
-			folderName: "simple",
-			expected:   "simple",
-		},
-		{
-			folderName: "with-hyphens",
-			expected:   "with-hyphens",
-		},
-		{
-			folderName: "123numbers",
-			expected:   "123numbers",
-		},
-		{
-			folderName: "mixed123",
-			expected:   "mixed123",
-		},
-
-		// Names that need transformation
-		{
-			folderName: "With_Underscores",
-			expected:   "with-underscores",
-		},
-		{
-			folderName: "With Spaces",
-			expected:   "with-spaces",
-		},
-		{
-			folderName: "UPPERCASE",
-			expected:   "uppercase",
-		},
-		{
-			folderName: "Mixed_Case-Name",
-			expected:   "mixed-case-name",
-		},
-
-		// Names with special characters that get replaced
-		{
-			folderName: "special@#$chars",
-			expected:   "special-chars",
-		},
-		{
-			folderName: "dots.and.more",
-			expected:   "dots-and-more",
-		},
-		{
-			folderName: "multiple___underscores",
-			expected:   "multiple-underscores",
-		},
-		{
-			folderName: "multiple---hyphens",
-			expected:   "multiple-hyphens",
-		},
-
-		// Edge cases with leading/trailing special chars
-		{
-			folderName: "-leading-hyphen",
-			expected:   "leading-hyphen",
-		},
-		{
-			folderName: "trailing-hyphen-",
-			expected:   "trailing-hyphen",
-		},
-		{
-			folderName: "_leading_underscore",
-			expected:   "leading-underscore",
-		},
-		{
-			folderName: "trailing_underscore_",
-			expected:   "trailing-underscore",
-		},
-		{
-			folderName: "---multiple-leading",
-			expected:   "multiple-leading",
-		},
-		{
-			folderName: "trailing-multiple---",
-			expected:   "trailing-multiple",
-		},
-
-		// Complex transformation cases
-		{
-			folderName: "___very---complex@@@name___",
-			expected:   "very-complex-name",
-		},
-		{
-			folderName: "my.project-folder_v2",
-			expected:   "my-project-folder-v2",
-		},
-
-		// Empty and fallback cases - now correctly uses friendlyName fallback
-		{
-			folderName: "",
-			expected:   "friendly-fallback",
-			fallback:   true,
-		},
-		{
-			folderName: "---",
-			expected:   "friendly-fallback",
-			fallback:   true,
-		},
-		{
-			folderName: "___",
-			expected:   "friendly-fallback",
-			fallback:   true,
-		},
-		{
-			folderName: "@#$",
-			expected:   "friendly-fallback",
-			fallback:   true,
-		},
-
-		// Additional edge cases
-		{
-			folderName: "a",
-			expected:   "a",
-		},
-		{
-			folderName: "1",
-			expected:   "1",
-		},
-		{
-			folderName: "a1b2c3",
-			expected:   "a1b2c3",
-		},
-		{
-			folderName: "CamelCase",
-			expected:   "camelcase",
-		},
-		{
-			folderName: "snake_case_name",
-			expected:   "snake-case-name",
-		},
-		{
-			folderName: "kebab-case-name",
-			expected:   "kebab-case-name",
-		},
-		{
-			folderName: "mix3d_C4s3-N4m3",
-			expected:   "mix3d-c4s3-n4m3",
-		},
-		{
-			folderName: "123-456-789",
-			expected:   "123-456-789",
-		},
-		{
-			folderName: "abc123def456",
-			expected:   "abc123def456",
-		},
-		{
-			folderName: "   spaces   everywhere   ",
-			expected:   "spaces-everywhere",
-		},
-		{
-			folderName: "unicode-café-naïve",
-			expected:   "unicode-caf-na-ve",
-		},
-		{
-			folderName: "path/with/slashes",
-			expected:   "path-with-slashes",
-		},
-		{
-			folderName: "file.tar.gz",
-			expected:   "file-tar-gz",
-		},
-		{
-			folderName: "version-1.2.3-alpha",
-			expected:   "version-1-2-3-alpha",
-		},
-
-		// Truncation test for names exceeding 64 characters
-		{
-			folderName: "this-is-a-very-long-folder-name-that-exceeds-sixty-four-characters-limit-and-should-be-truncated",
-			expected:   "this-is-a-very-long-folder-name-that-exceeds-sixty-four-characte",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.folderName, func(t *testing.T) {
-			t.Parallel()
-			name, usingWorkspaceFolder := safeAgentName(tt.folderName, "friendly-fallback")
-
-			assert.Equal(t, tt.expected, name)
-			assert.True(t, provisioner.AgentNameRegex.Match([]byte(name)))
-			assert.Equal(t, tt.fallback, !usingWorkspaceFolder)
-		})
-	}
-}
-
-func TestExpandedAgentName(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name            string
-		workspaceFolder string
-		friendlyName    string
-		depth           int
-		expected        string
-		fallback        bool
-	}{
-		{
-			name:            "simple path depth 1",
-			workspaceFolder: "/home/coder/project",
-			friendlyName:    "friendly-fallback",
-			depth:           0,
-			expected:        "project",
-		},
-		{
-			name:            "simple path depth 2",
-			workspaceFolder: "/home/coder/project",
-			friendlyName:    "friendly-fallback",
-			depth:           1,
-			expected:        "coder-project",
-		},
-		{
-			name:            "simple path depth 3",
-			workspaceFolder: "/home/coder/project",
-			friendlyName:    "friendly-fallback",
-			depth:           2,
-			expected:        "home-coder-project",
-		},
-		{
-			name:            "simple path depth exceeds available",
-			workspaceFolder: "/home/coder/project",
-			friendlyName:    "friendly-fallback",
-			depth:           9,
-			expected:        "home-coder-project",
-		},
-		// Cases with special characters that need sanitization
-		{
-			name:            "path with spaces and special chars",
-			workspaceFolder: "/home/coder/My Project_v2",
-			friendlyName:    "friendly-fallback",
-			depth:           1,
-			expected:        "coder-my-project-v2",
-		},
-		{
-			name:            "path with dots and underscores",
-			workspaceFolder: "/home/user.name/project_folder.git",
-			friendlyName:    "friendly-fallback",
-			depth:           1,
-			expected:        "user-name-project-folder-git",
-		},
-		// Edge cases
-		{
-			name:            "empty path",
-			workspaceFolder: "",
-			friendlyName:    "friendly-fallback",
-			depth:           0,
-			expected:        "friendly-fallback",
-			fallback:        true,
-		},
-		{
-			name:            "root path",
-			workspaceFolder: "/",
-			friendlyName:    "friendly-fallback",
-			depth:           0,
-			expected:        "friendly-fallback",
-			fallback:        true,
-		},
-		{
-			name:            "single component",
-			workspaceFolder: "project",
-			friendlyName:    "friendly-fallback",
-			depth:           0,
-			expected:        "project",
-		},
-		{
-			name:            "single component with depth 2",
-			workspaceFolder: "project",
-			friendlyName:    "friendly-fallback",
-			depth:           1,
-			expected:        "project",
-		},
-		// Collision simulation cases
-		{
-			name:            "foo/project depth 1",
-			workspaceFolder: "/home/coder/foo/project",
-			friendlyName:    "friendly-fallback",
-			depth:           0,
-			expected:        "project",
-		},
-		{
-			name:            "foo/project depth 2",
-			workspaceFolder: "/home/coder/foo/project",
-			friendlyName:    "friendly-fallback",
-			depth:           1,
-			expected:        "foo-project",
-		},
-		{
-			name:            "bar/project depth 1",
-			workspaceFolder: "/home/coder/bar/project",
-			friendlyName:    "friendly-fallback",
-			depth:           0,
-			expected:        "project",
-		},
-		{
-			name:            "bar/project depth 2",
-			workspaceFolder: "/home/coder/bar/project",
-			friendlyName:    "friendly-fallback",
-			depth:           1,
-			expected:        "bar-project",
-		},
-		// Path with trailing slashes
-		{
-			name:            "path with trailing slash",
-			workspaceFolder: "/home/coder/project/",
-			friendlyName:    "friendly-fallback",
-			depth:           1,
-			expected:        "coder-project",
-		},
-		{
-			name:            "path with multiple trailing slashes",
-			workspaceFolder: "/home/coder/project///",
-			friendlyName:    "friendly-fallback",
-			depth:           1,
-			expected:        "coder-project",
-		},
-		// Path with leading slashes
-		{
-			name:            "path with multiple leading slashes",
-			workspaceFolder: "///home/coder/project",
-			friendlyName:    "friendly-fallback",
-			depth:           1,
-			expected:        "coder-project",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-			name, usingWorkspaceFolder := expandedAgentName(tt.workspaceFolder, tt.friendlyName, tt.depth)
-
-			assert.Equal(t, tt.expected, name)
-			assert.True(t, provisioner.AgentNameRegex.Match([]byte(name)))
-			assert.Equal(t, tt.fallback, !usingWorkspaceFolder)
-		})
-	}
-}
@@ -1,37 +0,0 @@
-package agentcontainers
-
-import (
-	"context"
-
-	"github.com/coder/coder/v2/codersdk"
-)
-
-// ContainerCLI is an interface for interacting with containers in a workspace.
-type ContainerCLI interface {
-	// List returns a list of containers visible to the workspace agent.
-	// This should include running and stopped containers.
-	List(ctx context.Context) (codersdk.WorkspaceAgentListContainersResponse, error)
-	// DetectArchitecture detects the architecture of a container.
-	DetectArchitecture(ctx context.Context, containerName string) (string, error)
-	// Copy copies a file from the host to a container.
-	Copy(ctx context.Context, containerName, src, dst string) error
-	// ExecAs executes a command in a container as a specific user.
-	ExecAs(ctx context.Context, containerName, user string, args ...string) ([]byte, error)
-}
-
-// noopContainerCLI is a ContainerCLI that does nothing.
-type noopContainerCLI struct{}
-
-var _ ContainerCLI = noopContainerCLI{}
-
-func (noopContainerCLI) List(_ context.Context) (codersdk.WorkspaceAgentListContainersResponse, error) {
-	return codersdk.WorkspaceAgentListContainersResponse{}, nil
-}
-
-func (noopContainerCLI) DetectArchitecture(_ context.Context, _ string) (string, error) {
-	return "<none>", nil
-}
-func (noopContainerCLI) Copy(_ context.Context, _ string, _ string, _ string) error { return nil }
-func (noopContainerCLI) ExecAs(_ context.Context, _ string, _ string, _ ...string) ([]byte, error) {
-	return nil, nil
-}
@@ -1,597 +0,0 @@
-package agentcontainers
-
-import (
-	"bufio"
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net"
-	"os/user"
-	"slices"
-	"sort"
-	"strconv"
-	"strings"
-	"time"
-
-	"golang.org/x/exp/maps"
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/v2/agent/agentcontainers/dcspec"
-	"github.com/coder/coder/v2/agent/agentexec"
-	"github.com/coder/coder/v2/agent/usershell"
-	"github.com/coder/coder/v2/coderd/util/ptr"
-	"github.com/coder/coder/v2/codersdk"
-)
-
-// DockerEnvInfoer is an implementation of agentssh.EnvInfoer that returns
-// information about a container.
-type DockerEnvInfoer struct {
-	usershell.SystemEnvInfo
-	container string
-	user      *user.User
-	userShell string
-	env       []string
-}
-
-// EnvInfo returns information about the environment of a container.
-func EnvInfo(ctx context.Context, execer agentexec.Execer, container, containerUser string) (*DockerEnvInfoer, error) {
-	var dei DockerEnvInfoer
-	dei.container = container
-
-	if containerUser == "" {
-		// Get the "default" user of the container if no user is specified.
-		// TODO: handle different container runtimes.
-		cmd, args := wrapDockerExec(container, "", "whoami")
-		stdout, stderr, err := run(ctx, execer, cmd, args...)
-		if err != nil {
-			return nil, xerrors.Errorf("get container user: run whoami: %w: %s", err, stderr)
-		}
-		if len(stdout) == 0 {
-			return nil, xerrors.Errorf("get container user: run whoami: empty output")
-		}
-		containerUser = stdout
-	}
-	// Now that we know the username, get the required info from the container.
-	// We can't assume the presence of `getent` so we'll just have to sniff /etc/passwd.
-	cmd, args := wrapDockerExec(container, containerUser, "cat", "/etc/passwd")
-	stdout, stderr, err := run(ctx, execer, cmd, args...)
-	if err != nil {
-		return nil, xerrors.Errorf("get container user: read /etc/passwd: %w: %q", err, stderr)
-	}
-
-	scanner := bufio.NewScanner(strings.NewReader(stdout))
-	var foundLine string
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-		if !strings.HasPrefix(line, containerUser+":") {
-			continue
-		}
-		foundLine = line
-		break
-	}
-	if err := scanner.Err(); err != nil {
-		return nil, xerrors.Errorf("get container user: scan /etc/passwd: %w", err)
-	}
-	if foundLine == "" {
-		return nil, xerrors.Errorf("get container user: no matching entry for %q found in /etc/passwd", containerUser)
-	}
-
-	// Parse the output of /etc/passwd. It looks like this:
-	// postgres:x:999:999::/var/lib/postgresql:/bin/bash
-	passwdFields := strings.Split(foundLine, ":")
-	if len(passwdFields) != 7 {
-		return nil, xerrors.Errorf("get container user: invalid line in /etc/passwd: %q", foundLine)
-	}
-
-	// The fifth entry in /etc/passwd contains GECOS information, which is a
-	// comma-separated list of fields. The first field is the user's full name.
-	gecos := strings.Split(passwdFields[4], ",")
-	fullName := ""
-	if len(gecos) > 1 {
-		fullName = gecos[0]
-	}
-
-	dei.user = &user.User{
-		Gid:      passwdFields[3],
-		HomeDir:  passwdFields[5],
-		Name:     fullName,
-		Uid:      passwdFields[2],
-		Username: containerUser,
-	}
-	dei.userShell = passwdFields[6]
-
-	// We need to inspect the container labels for remoteEnv and append these to
-	// the resulting docker exec command.
-	// ref: https://code.visualstudio.com/docs/devcontainers/attach-container
-	env, err := devcontainerEnv(ctx, execer, container)
-	if err != nil { // best effort.
-		return nil, xerrors.Errorf("read devcontainer remoteEnv: %w", err)
-	}
-	dei.env = env
-
-	return &dei, nil
-}
-
-func (dei *DockerEnvInfoer) User() (*user.User, error) {
-	// Clone the user so that the caller can't modify it
-	u := *dei.user
-	return &u, nil
-}
-
-func (dei *DockerEnvInfoer) Shell(string) (string, error) {
-	return dei.userShell, nil
-}
-
-func (dei *DockerEnvInfoer) ModifyCommand(cmd string, args ...string) (string, []string) {
-	// Wrap the command with `docker exec` and run it as the container user.
-	// There is some additional munging here regarding the container user and environment.
-	dockerArgs := []string{
-		"exec",
-		// The assumption is that this command will be a shell command, so allocate a PTY.
-		"--interactive",
-		"--tty",
-		// Run the command as the user in the container.
-		"--user",
-		dei.user.Username,
-		// Set the working directory to the user's home directory as a sane default.
-		"--workdir",
-		dei.user.HomeDir,
-	}
-
-	// Append the environment variables from the container.
-	for _, e := range dei.env {
-		dockerArgs = append(dockerArgs, "--env", e)
-	}
-
-	// Append the container name and the command.
-	dockerArgs = append(dockerArgs, dei.container, cmd)
-	return "docker", append(dockerArgs, args...)
-}
-
-// devcontainerEnv is a helper function that inspects the container labels to
-// find the required environment variables for running a command in the container.
-func devcontainerEnv(ctx context.Context, execer agentexec.Execer, container string) ([]string, error) {
-	stdout, stderr, err := runDockerInspect(ctx, execer, container)
-	if err != nil {
-		return nil, xerrors.Errorf("inspect container: %w: %q", err, stderr)
-	}
-
-	ins, _, err := convertDockerInspect(stdout)
-	if err != nil {
-		return nil, xerrors.Errorf("inspect container: %w", err)
-	}
-
-	if len(ins) != 1 {
-		return nil, xerrors.Errorf("inspect container: expected 1 container, got %d", len(ins))
-	}
-
-	in := ins[0]
-	if in.Labels == nil {
-		return nil, nil
-	}
-
-	// We want to look for the devcontainer metadata, which is in the
-	// value of the label `devcontainer.metadata`.
-	rawMeta, ok := in.Labels["devcontainer.metadata"]
-	if !ok {
-		return nil, nil
-	}
-
-	meta := make([]dcspec.DevContainer, 0)
-	if err := json.Unmarshal([]byte(rawMeta), &meta); err != nil {
-		return nil, xerrors.Errorf("unmarshal devcontainer.metadata: %w", err)
-	}
-
-	// The environment variables are stored in the `remoteEnv` key.
-	env := make([]string, 0)
-	for _, m := range meta {
-		for k, v := range m.RemoteEnv {
-			if v == nil { // *string per spec
-				// devcontainer-cli will set this to the string "null" if the value is
-				// not set. Explicitly setting to an empty string here as this would be
-				// more expected here.
-				v = ptr.Ref("")
-			}
-			env = append(env, fmt.Sprintf("%s=%s", k, *v))
-		}
-	}
-	slices.Sort(env)
-	return env, nil
-}
-
-// wrapDockerExec is a helper function that wraps the given command and arguments
-// with a docker exec command that runs as the given user in the given
-// container. This is used to fetch information about a container prior to
-// running the actual command.
-func wrapDockerExec(containerName, userName, cmd string, args ...string) (string, []string) {
-	dockerArgs := []string{"exec", "--interactive"}
-	if userName != "" {
-		dockerArgs = append(dockerArgs, "--user", userName)
-	}
-	dockerArgs = append(dockerArgs, containerName, cmd)
-	return "docker", append(dockerArgs, args...)
-}
-
-// Helper function to run a command and return its stdout and stderr.
-// We want to differentiate stdout and stderr instead of using CombinedOutput.
-// We also want to differentiate between a command running successfully with
-// output to stderr and a non-zero exit code.
-func run(ctx context.Context, execer agentexec.Execer, cmd string, args ...string) (stdout, stderr string, err error) {
-	var stdoutBuf, stderrBuf strings.Builder
-	execCmd := execer.CommandContext(ctx, cmd, args...)
-	execCmd.Stdout = &stdoutBuf
-	execCmd.Stderr = &stderrBuf
-	err = execCmd.Run()
-	stdout = strings.TrimSpace(stdoutBuf.String())
-	stderr = strings.TrimSpace(stderrBuf.String())
-	return stdout, stderr, err
-}
-
-// dockerCLI is an implementation for Docker CLI that lists containers.
-type dockerCLI struct {
-	execer agentexec.Execer
-}
-
-var _ ContainerCLI = (*dockerCLI)(nil)
-
-func NewDockerCLI(execer agentexec.Execer) ContainerCLI {
-	return &dockerCLI{
-		execer: execer,
-	}
-}
-
-func (dcli *dockerCLI) List(ctx context.Context) (codersdk.WorkspaceAgentListContainersResponse, error) {
-	var stdoutBuf, stderrBuf bytes.Buffer
-	// List all container IDs, one per line, with no truncation
-	cmd := dcli.execer.CommandContext(ctx, "docker", "ps", "--all", "--quiet", "--no-trunc")
-	cmd.Stdout = &stdoutBuf
-	cmd.Stderr = &stderrBuf
-	if err := cmd.Run(); err != nil {
-		// TODO(Cian): detect specific errors:
-		// - docker not installed
-		// - docker not running
-		// - no permissions to talk to docker
-		return codersdk.WorkspaceAgentListContainersResponse{}, xerrors.Errorf("run docker ps: %w: %q", err, strings.TrimSpace(stderrBuf.String()))
-	}
-
-	ids := make([]string, 0)
-	scanner := bufio.NewScanner(&stdoutBuf)
-	for scanner.Scan() {
-		tmp := strings.TrimSpace(scanner.Text())
-		if tmp == "" {
-			continue
-		}
-		ids = append(ids, tmp)
-	}
-	if err := scanner.Err(); err != nil {
-		return codersdk.WorkspaceAgentListContainersResponse{}, xerrors.Errorf("scan docker ps output: %w", err)
-	}
-
-	res := codersdk.WorkspaceAgentListContainersResponse{
-		Containers: make([]codersdk.WorkspaceAgentContainer, 0, len(ids)),
-		Warnings:   make([]string, 0),
-	}
-	dockerPsStderr := strings.TrimSpace(stderrBuf.String())
-	if dockerPsStderr != "" {
-		res.Warnings = append(res.Warnings, dockerPsStderr)
-	}
-	if len(ids) == 0 {
-		return res, nil
-	}
-
-	// now we can get the detailed information for each container
-	// Run `docker inspect` on each container ID.
-	// NOTE: There is an unavoidable potential race condition where a
-	// container is removed between `docker ps` and `docker inspect`.
-	// In this case, stderr will contain an error message but stdout
-	// will still contain valid JSON. We will just end up missing
-	// information about the removed container. We could potentially
-	// log this error, but I'm not sure it's worth it.
-	dockerInspectStdout, dockerInspectStderr, err := runDockerInspect(ctx, dcli.execer, ids...)
-	if err != nil {
-		return codersdk.WorkspaceAgentListContainersResponse{}, xerrors.Errorf("run docker inspect: %w: %s", err, dockerInspectStderr)
-	}
-
-	if len(dockerInspectStderr) > 0 {
-		res.Warnings = append(res.Warnings, string(dockerInspectStderr))
-	}
-
-	outs, warns, err := convertDockerInspect(dockerInspectStdout)
-	if err != nil {
-		return codersdk.WorkspaceAgentListContainersResponse{}, xerrors.Errorf("convert docker inspect output: %w", err)
-	}
-	res.Warnings = append(res.Warnings, warns...)
-	res.Containers = append(res.Containers, outs...)
-
-	return res, nil
-}
-
-// runDockerInspect is a helper function that runs `docker inspect` on the given
-// container IDs and returns the parsed output.
-// The stderr output is also returned for logging purposes.
-func runDockerInspect(ctx context.Context, execer agentexec.Execer, ids ...string) (stdout, stderr []byte, err error) {
-	if ctx.Err() != nil {
-		// If the context is done, we don't want to run the command.
-		return []byte{}, []byte{}, ctx.Err()
-	}
-	var stdoutBuf, stderrBuf bytes.Buffer
-	cmd := execer.CommandContext(ctx, "docker", append([]string{"inspect"}, ids...)...)
-	cmd.Stdout = &stdoutBuf
-	cmd.Stderr = &stderrBuf
-	err = cmd.Run()
-	stdout = bytes.TrimSpace(stdoutBuf.Bytes())
-	stderr = bytes.TrimSpace(stderrBuf.Bytes())
-	if err != nil {
-		if ctx.Err() != nil {
-			// If the context was canceled while running the command,
-			// return the context error instead of the command error,
-			// which is likely to be "signal: killed".
-			return stdout, stderr, ctx.Err()
-		}
-		if bytes.Contains(stderr, []byte("No such object:")) {
-			// This can happen if a container is deleted between the time we check for its existence and the time we inspect it.
-			return stdout, stderr, nil
-		}
-		return stdout, stderr, err
-	}
-	return stdout, stderr, nil
-}
-
-// To avoid a direct dependency on the Docker API, we use the docker CLI
-// to fetch information about containers.
-type dockerInspect struct {
-	ID              string                       `json:"Id"`
-	Created         time.Time                    `json:"Created"`
-	Config          dockerInspectConfig          `json:"Config"`
-	Name            string                       `json:"Name"`
-	Mounts          []dockerInspectMount         `json:"Mounts"`
-	State           dockerInspectState           `json:"State"`
-	NetworkSettings dockerInspectNetworkSettings `json:"NetworkSettings"`
-}
-
-type dockerInspectConfig struct {
-	Image  string            `json:"Image"`
-	Labels map[string]string `json:"Labels"`
-}
-
-type dockerInspectPort struct {
-	HostIP   string `json:"HostIp"`
-	HostPort string `json:"HostPort"`
-}
-
-type dockerInspectMount struct {
-	Source      string `json:"Source"`
-	Destination string `json:"Destination"`
-	Type        string `json:"Type"`
-}
-
-type dockerInspectState struct {
-	Running  bool   `json:"Running"`
-	ExitCode int    `json:"ExitCode"`
-	Error    string `json:"Error"`
-}
-
-type dockerInspectNetworkSettings struct {
-	Ports map[string][]dockerInspectPort `json:"Ports"`
-}
-
-func (dis dockerInspectState) String() string {
-	if dis.Running {
-		return "running"
-	}
-	var sb strings.Builder
-	_, _ = sb.WriteString("exited")
-	if dis.ExitCode != 0 {
-		_, _ = sb.WriteString(fmt.Sprintf(" with code %d", dis.ExitCode))
-	} else {
-		_, _ = sb.WriteString(" successfully")
-	}
-	if dis.Error != "" {
-		_, _ = sb.WriteString(fmt.Sprintf(": %s", dis.Error))
-	}
-	return sb.String()
-}
-
-func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentContainer, []string, error) {
-	var warns []string
-	var ins []dockerInspect
-	if err := json.NewDecoder(bytes.NewReader(raw)).Decode(&ins); err != nil {
-		return nil, nil, xerrors.Errorf("decode docker inspect output: %w", err)
-	}
-	outs := make([]codersdk.WorkspaceAgentContainer, 0, len(ins))
-
-	// Say you have two containers:
-	//  - Container A with Host IP 127.0.0.1:8000 mapped to container port 8001
-	//  - Container B with Host IP [::1]:8000 mapped to container port 8001
-	// A request to localhost:8000 may be routed to either container.
-	// We don't know which one for sure, so we need to surface this to the user.
-	// Keep track of all host ports we see. If we see the same host port
-	// mapped to multiple containers on different host IPs, we need to
-	// warn the user about this.
-	// Note that we only do this for loopback or unspecified IPs.
-	// We'll assume that the user knows what they're doing if they bind to
-	// a specific IP address.
-	hostPortContainers := make(map[int][]string)
-
-	for _, in := range ins {
-		out := codersdk.WorkspaceAgentContainer{
-			CreatedAt: in.Created,
-			// Remove the leading slash from the container name
-			FriendlyName: strings.TrimPrefix(in.Name, "/"),
-			ID:           in.ID,
-			Image:        in.Config.Image,
-			Labels:       in.Config.Labels,
-			Ports:        make([]codersdk.WorkspaceAgentContainerPort, 0),
-			Running:      in.State.Running,
-			Status:       in.State.String(),
-			Volumes:      make(map[string]string, len(in.Mounts)),
-		}
-
-		if in.NetworkSettings.Ports == nil {
-			in.NetworkSettings.Ports = make(map[string][]dockerInspectPort)
-		}
-		portKeys := maps.Keys(in.NetworkSettings.Ports)
-		// Sort the ports for deterministic output.
-		sort.Strings(portKeys)
-		// If we see the same port bound to both ipv4 and ipv6 loopback or unspecified
-		// interfaces to the same container port, there is no point in adding it multiple times.
-		loopbackHostPortContainerPorts := make(map[int]uint16, 0)
-		for _, pk := range portKeys {
-			for _, p := range in.NetworkSettings.Ports[pk] {
-				cp, network, err := convertDockerPort(pk)
-				if err != nil {
-					warns = append(warns, fmt.Sprintf("convert docker port: %s", err.Error()))
-					// Default network to "tcp" if we can't parse it.
-					network = "tcp"
-				}
-				hp, err := strconv.Atoi(p.HostPort)
-				if err != nil {
-					warns = append(warns, fmt.Sprintf("convert docker host port: %s", err.Error()))
-					continue
-				}
-				if hp > 65535 || hp < 1 { // invalid port
-					warns = append(warns, fmt.Sprintf("convert docker host port: invalid host port %d", hp))
-					continue
-				}
-
-				// Deduplicate host ports for loopback and unspecified IPs.
-				if isLoopbackOrUnspecified(p.HostIP) {
-					if found, ok := loopbackHostPortContainerPorts[hp]; ok && found == cp {
-						// We've already seen this port, so skip it.
-						continue
-					}
-					loopbackHostPortContainerPorts[hp] = cp
-					// Also keep track of the host port and the container ID.
-					hostPortContainers[hp] = append(hostPortContainers[hp], in.ID)
-				}
-				out.Ports = append(out.Ports, codersdk.WorkspaceAgentContainerPort{
-					Network: network,
-					Port:    cp,
-					// #nosec G115 - Safe conversion since Docker ports are limited to uint16 range
-					HostPort: uint16(hp),
-					HostIP:   p.HostIP,
-				})
-			}
-		}
-
-		if in.Mounts == nil {
-			in.Mounts = []dockerInspectMount{}
-		}
-		// Sort the mounts for deterministic output.
-		sort.Slice(in.Mounts, func(i, j int) bool {
-			return in.Mounts[i].Source < in.Mounts[j].Source
-		})
-		for _, k := range in.Mounts {
-			out.Volumes[k.Source] = k.Destination
-		}
-		outs = append(outs, out)
-	}
-
-	// Check if any host ports are mapped to multiple containers.
-	for hp, ids := range hostPortContainers {
-		if len(ids) > 1 {
-			warns = append(warns, fmt.Sprintf("host port %d is mapped to multiple containers on different interfaces: %s", hp, strings.Join(ids, ", ")))
-		}
-	}
-
-	return outs, warns, nil
-}
-
-// convertDockerPort converts a Docker port string to a port number and network
-// example: "8080/tcp" -> 8080, "tcp"
-//
-//	"8080" -> 8080, "tcp"
-func convertDockerPort(in string) (uint16, string, error) {
-	parts := strings.Split(in, "/")
-	p, err := strconv.ParseUint(parts[0], 10, 16)
-	if err != nil {
-		return 0, "", xerrors.Errorf("invalid port format: %s", in)
-	}
-	switch len(parts) {
-	case 1:
-		// assume it's a TCP port
-		return uint16(p), "tcp", nil
-	case 2:
-		return uint16(p), parts[1], nil
-	default:
-		return 0, "", xerrors.Errorf("invalid port format: %s", in)
-	}
-}
-
-// convenience function to check if an IP address is loopback or unspecified
-func isLoopbackOrUnspecified(ips string) bool {
-	nip := net.ParseIP(ips)
-	if nip == nil {
-		return false // technically correct, I suppose
-	}
-	return nip.IsLoopback() || nip.IsUnspecified()
-}
-
-// DetectArchitecture detects the architecture of a container by inspecting its
-// image.
-func (dcli *dockerCLI) DetectArchitecture(ctx context.Context, containerName string) (string, error) {
-	// Inspect the container to get the image name, which contains the architecture.
-	stdout, stderr, err := runCmd(ctx, dcli.execer, "docker", "inspect", "--format", "{{.Config.Image}}", containerName)
-	if err != nil {
-		return "", xerrors.Errorf("inspect container %s: %w: %s", containerName, err, stderr)
-	}
-	imageName := string(stdout)
-	if imageName == "" {
-		return "", xerrors.Errorf("no image found for container %s", containerName)
-	}
-
-	stdout, stderr, err = runCmd(ctx, dcli.execer, "docker", "inspect", "--format", "{{.Architecture}}", imageName)
-	if err != nil {
-		return "", xerrors.Errorf("inspect image %s: %w: %s", imageName, err, stderr)
-	}
-	arch := string(stdout)
-	if arch == "" {
-		return "", xerrors.Errorf("no architecture found for image %s", imageName)
-	}
-	return arch, nil
-}
-
-// Copy copies a file from the host to a container.
-func (dcli *dockerCLI) Copy(ctx context.Context, containerName, src, dst string) error {
-	_, stderr, err := runCmd(ctx, dcli.execer, "docker", "cp", src, containerName+":"+dst)
-	if err != nil {
-		return xerrors.Errorf("copy %s to %s:%s: %w: %s", src, containerName, dst, err, stderr)
-	}
-	return nil
-}
-
-// ExecAs executes a command in a container as a specific user.
-func (dcli *dockerCLI) ExecAs(ctx context.Context, containerName, uid string, args ...string) ([]byte, error) {
-	execArgs := []string{"exec"}
-	if uid != "" {
-		altUID := uid
-		if uid == "root" {
-			// UID 0 is more portable than the name root, so we use that
-			// because  some containers may not have a user named "root".
-			altUID = "0"
-		}
-		execArgs = append(execArgs, "--user", altUID)
-	}
-	execArgs = append(execArgs, containerName)
-	execArgs = append(execArgs, args...)
-
-	stdout, stderr, err := runCmd(ctx, dcli.execer, "docker", execArgs...)
-	if err != nil {
-		return nil, xerrors.Errorf("exec in container %s as user %s: %w: %s", containerName, uid, err, stderr)
-	}
-	return stdout, nil
-}
-
-// runCmd is a helper function that runs a command with the given
-// arguments and returns the stdout and stderr output.
-func runCmd(ctx context.Context, execer agentexec.Execer, cmd string, args ...string) (stdout, stderr []byte, err error) {
-	var stdoutBuf, stderrBuf bytes.Buffer
-	c := execer.CommandContext(ctx, cmd, args...)
-	c.Stdout = &stdoutBuf
-	c.Stderr = &stderrBuf
-	err = c.Run()
-	stdout = bytes.TrimSpace(stdoutBuf.Bytes())
-	stderr = bytes.TrimSpace(stderrBuf.Bytes())
-	return stdout, stderr, err
-}
@@ -1,126 +0,0 @@
-package agentcontainers_test
-
-import (
-	"os"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"testing"
-
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/agent/agentcontainers"
-	"github.com/coder/coder/v2/agent/agentexec"
-	"github.com/coder/coder/v2/testutil"
-)
-
-// TestIntegrationDockerCLI tests the DetectArchitecture, Copy, and
-// ExecAs methods using a real Docker container. All tests share a
-// single container to avoid setup overhead.
-//
-// Run manually with: CODER_TEST_USE_DOCKER=1 go test ./agent/agentcontainers -run TestIntegrationDockerCLI
-//
-//nolint:tparallel,paralleltest // Docker integration tests don't run in parallel to avoid flakiness.
-func TestIntegrationDockerCLI(t *testing.T) {
-	if ctud, ok := os.LookupEnv("CODER_TEST_USE_DOCKER"); !ok || ctud != "1" {
-		t.Skip("Set CODER_TEST_USE_DOCKER=1 to run this test")
-	}
-
-	pool, err := dockertest.NewPool("")
-	require.NoError(t, err, "Could not connect to docker")
-
-	// Start a simple busybox container for all subtests to share.
-	ct, err := pool.RunWithOptions(&dockertest.RunOptions{
-		Repository: "busybox",
-		Tag:        "latest",
-		Cmd:        []string{"sleep", "infinity"},
-	}, func(config *docker.HostConfig) {
-		config.AutoRemove = true
-		config.RestartPolicy = docker.RestartPolicy{Name: "no"}
-	})
-	require.NoError(t, err, "Could not start test docker container")
-	t.Logf("Created container %q", ct.Container.Name)
-	t.Cleanup(func() {
-		assert.NoError(t, pool.Purge(ct), "Could not purge resource %q", ct.Container.Name)
-		t.Logf("Purged container %q", ct.Container.Name)
-	})
-
-	// Wait for container to start.
-	require.Eventually(t, func() bool {
-		ct, ok := pool.ContainerByName(ct.Container.Name)
-		return ok && ct.Container.State.Running
-	}, testutil.WaitShort, testutil.IntervalSlow, "Container did not start in time")
-
-	dcli := agentcontainers.NewDockerCLI(agentexec.DefaultExecer)
-	ctx := testutil.Context(t, testutil.WaitMedium) // Longer timeout for multiple subtests
-	containerName := strings.TrimPrefix(ct.Container.Name, "/")
-
-	t.Run("DetectArchitecture", func(t *testing.T) {
-		t.Parallel()
-
-		arch, err := dcli.DetectArchitecture(ctx, containerName)
-		require.NoError(t, err, "DetectArchitecture failed")
-		require.NotEmpty(t, arch, "arch has no content")
-		require.Equal(t, runtime.GOARCH, arch, "architecture does not match runtime, did you run this test with a remote Docker socket?")
-
-		t.Logf("Detected architecture: %s", arch)
-	})
-
-	t.Run("Copy", func(t *testing.T) {
-		t.Parallel()
-
-		want := "Help, I'm trapped!"
-		tempFile := filepath.Join(t.TempDir(), "test-file.txt")
-		err := os.WriteFile(tempFile, []byte(want), 0o600)
-		require.NoError(t, err, "create test file failed")
-
-		destPath := "/tmp/copied-file.txt"
-		err = dcli.Copy(ctx, containerName, tempFile, destPath)
-		require.NoError(t, err, "Copy failed")
-
-		got, err := dcli.ExecAs(ctx, containerName, "", "cat", destPath)
-		require.NoError(t, err, "ExecAs failed after Copy")
-		require.Equal(t, want, string(got), "copied file content did not match original")
-
-		t.Logf("Successfully copied file from %s to container %s:%s", tempFile, containerName, destPath)
-	})
-
-	t.Run("ExecAs", func(t *testing.T) {
-		t.Parallel()
-
-		// Test ExecAs without specifying user (should use container's default).
-		want := "root"
-		got, err := dcli.ExecAs(ctx, containerName, "", "whoami")
-		require.NoError(t, err, "ExecAs without user should succeed")
-		require.Equal(t, want, string(got), "ExecAs without user should output expected string")
-
-		// Test ExecAs with numeric UID (non root).
-		want = "1000"
-		_, err = dcli.ExecAs(ctx, containerName, want, "whoami")
-		require.Error(t, err, "ExecAs with UID 1000 should fail as user does not exist in busybox")
-		require.Contains(t, err.Error(), "whoami: unknown uid 1000", "ExecAs with UID 1000 should return 'unknown uid' error")
-
-		// Test ExecAs with root user (should convert "root" to "0", which still outputs root due to passwd).
-		want = "root"
-		got, err = dcli.ExecAs(ctx, containerName, "root", "whoami")
-		require.NoError(t, err, "ExecAs with root user should succeed")
-		require.Equal(t, want, string(got), "ExecAs with root user should output expected string")
-
-		// Test ExecAs with numeric UID.
-		want = "root"
-		got, err = dcli.ExecAs(ctx, containerName, "0", "whoami")
-		require.NoError(t, err, "ExecAs with UID 0 should succeed")
-		require.Equal(t, want, string(got), "ExecAs with UID 0 should output expected string")
-
-		// Test ExecAs with multiple arguments.
-		want = "multiple args test"
-		got, err = dcli.ExecAs(ctx, containerName, "", "sh", "-c", "echo '"+want+"'")
-		require.NoError(t, err, "ExecAs with multiple arguments should succeed")
-		require.Equal(t, want, string(got), "ExecAs with multiple arguments should output expected string")
-
-		t.Logf("Successfully executed commands in container %s", containerName)
-	})
-}
@@ -1,414 +0,0 @@
-package agentcontainers
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-	"time"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/codersdk"
-)
-
-func TestWrapDockerExec(t *testing.T) {
-	t.Parallel()
-	tests := []struct {
-		name          string
-		containerUser string
-		cmdArgs       []string
-		wantCmd       []string
-	}{
-		{
-			name:          "cmd with no args",
-			containerUser: "my-user",
-			cmdArgs:       []string{"my-cmd"},
-			wantCmd:       []string{"docker", "exec", "--interactive", "--user", "my-user", "my-container", "my-cmd"},
-		},
-		{
-			name:          "cmd with args",
-			containerUser: "my-user",
-			cmdArgs:       []string{"my-cmd", "arg1", "--arg2", "arg3", "--arg4"},
-			wantCmd:       []string{"docker", "exec", "--interactive", "--user", "my-user", "my-container", "my-cmd", "arg1", "--arg2", "arg3", "--arg4"},
-		},
-		{
-			name:          "no user specified",
-			containerUser: "",
-			cmdArgs:       []string{"my-cmd"},
-			wantCmd:       []string{"docker", "exec", "--interactive", "my-container", "my-cmd"},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-			actualCmd, actualArgs := wrapDockerExec("my-container", tt.containerUser, tt.cmdArgs[0], tt.cmdArgs[1:]...)
-			assert.Equal(t, tt.wantCmd[0], actualCmd)
-			assert.Equal(t, tt.wantCmd[1:], actualArgs)
-		})
-	}
-}
-
-func TestConvertDockerPort(t *testing.T) {
-	t.Parallel()
-
-	for _, tc := range []struct {
-		name          string
-		in            string
-		expectPort    uint16
-		expectNetwork string
-		expectError   string
-	}{
-		{
-			name:        "empty port",
-			in:          "",
-			expectError: "invalid port",
-		},
-		{
-			name:          "valid tcp port",
-			in:            "8080/tcp",
-			expectPort:    8080,
-			expectNetwork: "tcp",
-		},
-		{
-			name:          "valid udp port",
-			in:            "8080/udp",
-			expectPort:    8080,
-			expectNetwork: "udp",
-		},
-		{
-			name:          "valid port no network",
-			in:            "8080",
-			expectPort:    8080,
-			expectNetwork: "tcp",
-		},
-		{
-			name:        "invalid port",
-			in:          "invalid/tcp",
-			expectError: "invalid port",
-		},
-		{
-			name:        "invalid port no network",
-			in:          "invalid",
-			expectError: "invalid port",
-		},
-		{
-			name:        "multiple network",
-			in:          "8080/tcp/udp",
-			expectError: "invalid port",
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			actualPort, actualNetwork, actualErr := convertDockerPort(tc.in)
-			if tc.expectError != "" {
-				assert.Zero(t, actualPort, "expected no port")
-				assert.Empty(t, actualNetwork, "expected no network")
-				assert.ErrorContains(t, actualErr, tc.expectError)
-			} else {
-				assert.NoError(t, actualErr, "expected no error")
-				assert.Equal(t, tc.expectPort, actualPort, "expected port to match")
-				assert.Equal(t, tc.expectNetwork, actualNetwork, "expected network to match")
-			}
-		})
-	}
-}
-
-func TestConvertDockerVolume(t *testing.T) {
-	t.Parallel()
-
-	for _, tc := range []struct {
-		name                string
-		in                  string
-		expectHostPath      string
-		expectContainerPath string
-		expectError         string
-	}{
-		{
-			name:        "empty volume",
-			in:          "",
-			expectError: "invalid volume",
-		},
-		{
-			name:                "length 1 volume",
-			in:                  "/path/to/something",
-			expectHostPath:      "/path/to/something",
-			expectContainerPath: "/path/to/something",
-		},
-		{
-			name:                "length 2 volume",
-			in:                  "/path/to/something=/path/to/something/else",
-			expectHostPath:      "/path/to/something",
-			expectContainerPath: "/path/to/something/else",
-		},
-		{
-			name:        "invalid length volume",
-			in:          "/path/to/something=/path/to/something/else=/path/to/something/else/else",
-			expectError: "invalid volume",
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-		})
-	}
-}
-
-// TestConvertDockerInspect tests the convertDockerInspect function using
-// fixtures from ./testdata.
-func TestConvertDockerInspect(t *testing.T) {
-	t.Parallel()
-
-	//nolint:paralleltest // variable recapture no longer required
-	for _, tt := range []struct {
-		name        string
-		expect      []codersdk.WorkspaceAgentContainer
-		expectWarns []string
-		expectError string
-	}{
-		{
-			name: "container_simple",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 55, 58, 91280203, time.UTC),
-					ID:           "6b539b8c60f5230b8b0fde2502cd2332d31c0d526a3e6eb6eef1cc39439b3286",
-					FriendlyName: "eloquent_kowalevski",
-					Image:        "debian:bookworm",
-					Labels:       map[string]string{},
-					Running:      true,
-					Status:       "running",
-					Ports:        []codersdk.WorkspaceAgentContainerPort{},
-					Volumes:      map[string]string{},
-				},
-			},
-		},
-		{
-			name: "container_labels",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 20, 3, 28, 71706536, time.UTC),
-					ID:           "bd8818e670230fc6f36145b21cf8d6d35580355662aa4d9fe5ae1b188a4c905f",
-					FriendlyName: "fervent_bardeen",
-					Image:        "debian:bookworm",
-					Labels:       map[string]string{"baz": "zap", "foo": "bar"},
-					Running:      true,
-					Status:       "running",
-					Ports:        []codersdk.WorkspaceAgentContainerPort{},
-					Volumes:      map[string]string{},
-				},
-			},
-		},
-		{
-			name: "container_binds",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 58, 43, 522505027, time.UTC),
-					ID:           "fdc75ebefdc0243c0fce959e7685931691ac7aede278664a0e2c23af8a1e8d6a",
-					FriendlyName: "silly_beaver",
-					Image:        "debian:bookworm",
-					Labels:       map[string]string{},
-					Running:      true,
-					Status:       "running",
-					Ports:        []codersdk.WorkspaceAgentContainerPort{},
-					Volumes: map[string]string{
-						"/tmp/test/a": "/var/coder/a",
-						"/tmp/test/b": "/var/coder/b",
-					},
-				},
-			},
-		},
-		{
-			name: "container_sameport",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 56, 34, 842164541, time.UTC),
-					ID:           "4eac5ce199d27b2329d0ff0ce1a6fc595612ced48eba3669aadb6c57ebef3fa2",
-					FriendlyName: "modest_varahamihira",
-					Image:        "debian:bookworm",
-					Labels:       map[string]string{},
-					Running:      true,
-					Status:       "running",
-					Ports: []codersdk.WorkspaceAgentContainerPort{
-						{
-							Network:  "tcp",
-							Port:     12345,
-							HostPort: 12345,
-							HostIP:   "0.0.0.0",
-						},
-					},
-					Volumes: map[string]string{},
-				},
-			},
-		},
-		{
-			name: "container_differentport",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 57, 8, 862545133, time.UTC),
-					ID:           "3090de8b72b1224758a94a11b827c82ba2b09c45524f1263dc4a2d83e19625ea",
-					FriendlyName: "boring_ellis",
-					Image:        "debian:bookworm",
-					Labels:       map[string]string{},
-					Running:      true,
-					Status:       "running",
-					Ports: []codersdk.WorkspaceAgentContainerPort{
-						{
-							Network:  "tcp",
-							Port:     23456,
-							HostPort: 12345,
-							HostIP:   "0.0.0.0",
-						},
-					},
-					Volumes: map[string]string{},
-				},
-			},
-		},
-		{
-			name: "container_sameportdiffip",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 56, 34, 842164541, time.UTC),
-					ID:           "a",
-					FriendlyName: "a",
-					Image:        "debian:bookworm",
-					Labels:       map[string]string{},
-					Running:      true,
-					Status:       "running",
-					Ports: []codersdk.WorkspaceAgentContainerPort{
-						{
-							Network:  "tcp",
-							Port:     8001,
-							HostPort: 8000,
-							HostIP:   "0.0.0.0",
-						},
-					},
-					Volumes: map[string]string{},
-				},
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 56, 34, 842164541, time.UTC),
-					ID:           "b",
-					FriendlyName: "b",
-					Image:        "debian:bookworm",
-					Labels:       map[string]string{},
-					Running:      true,
-					Status:       "running",
-					Ports: []codersdk.WorkspaceAgentContainerPort{
-						{
-							Network:  "tcp",
-							Port:     8001,
-							HostPort: 8000,
-							HostIP:   "::",
-						},
-					},
-					Volumes: map[string]string{},
-				},
-			},
-			expectWarns: []string{"host port 8000 is mapped to multiple containers on different interfaces: a, b"},
-		},
-		{
-			name: "container_volume",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 59, 42, 39484134, time.UTC),
-					ID:           "b3688d98c007f53402a55e46d803f2f3ba9181d8e3f71a2eb19b392cf0377b4e",
-					FriendlyName: "upbeat_carver",
-					Image:        "debian:bookworm",
-					Labels:       map[string]string{},
-					Running:      true,
-					Status:       "running",
-					Ports:        []codersdk.WorkspaceAgentContainerPort{},
-					Volumes: map[string]string{
-						"/var/lib/docker/volumes/testvol/_data": "/testvol",
-					},
-				},
-			},
-		},
-		{
-			name: "devcontainer_simple",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 1, 5, 751972661, time.UTC),
-					ID:           "0b2a9fcf5727d9562943ce47d445019f4520e37a2aa7c6d9346d01af4f4f9aed",
-					FriendlyName: "optimistic_hopper",
-					Image:        "debian:bookworm",
-					Labels: map[string]string{
-						"devcontainer.config_file": "/home/coder/src/coder/coder/agent/agentcontainers/testdata/devcontainer_simple.json",
-						"devcontainer.metadata":    "[]",
-					},
-					Running: true,
-					Status:  "running",
-					Ports:   []codersdk.WorkspaceAgentContainerPort{},
-					Volumes: map[string]string{},
-				},
-			},
-		},
-		{
-			name: "devcontainer_forwardport",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 3, 55, 22053072, time.UTC),
-					ID:           "4a16af2293fb75dc827a6949a3905dd57ea28cc008823218ce24fab1cb66c067",
-					FriendlyName: "serene_khayyam",
-					Image:        "debian:bookworm",
-					Labels: map[string]string{
-						"devcontainer.config_file": "/home/coder/src/coder/coder/agent/agentcontainers/testdata/devcontainer_forwardport.json",
-						"devcontainer.metadata":    "[]",
-					},
-					Running: true,
-					Status:  "running",
-					Ports:   []codersdk.WorkspaceAgentContainerPort{},
-					Volumes: map[string]string{},
-				},
-			},
-		},
-		{
-			name: "devcontainer_appport",
-			expect: []codersdk.WorkspaceAgentContainer{
-				{
-					CreatedAt:    time.Date(2025, 3, 11, 17, 2, 42, 613747761, time.UTC),
-					ID:           "52d23691f4b954d083f117358ea763e20f69af584e1c08f479c5752629ee0be3",
-					FriendlyName: "suspicious_margulis",
-					Image:        "debian:bookworm",
-					Labels: map[string]string{
-						"devcontainer.config_file": "/home/coder/src/coder/coder/agent/agentcontainers/testdata/devcontainer_appport.json",
-						"devcontainer.metadata":    "[]",
-					},
-					Running: true,
-					Status:  "running",
-					Ports: []codersdk.WorkspaceAgentContainerPort{
-						{
-							Network:  "tcp",
-							Port:     8080,
-							HostPort: 32768,
-							HostIP:   "0.0.0.0",
-						},
-					},
-					Volumes: map[string]string{},
-				},
-			},
-		},
-	} {
-		// nolint:paralleltest // variable recapture no longer required
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-			bs, err := os.ReadFile(filepath.Join("testdata", tt.name, "docker_inspect.json"))
-			require.NoError(t, err, "failed to read testdata file")
-			actual, warns, err := convertDockerInspect(bs)
-			if len(tt.expectWarns) > 0 {
-				assert.Len(t, warns, len(tt.expectWarns), "expected warnings")
-				for _, warn := range tt.expectWarns {
-					assert.Contains(t, warns, warn)
-				}
-			}
-			if tt.expectError != "" {
-				assert.Empty(t, actual, "expected no data")
-				assert.ErrorContains(t, err, tt.expectError)
-				return
-			}
-			require.NoError(t, err, "expected no error")
-			if diff := cmp.Diff(tt.expect, actual); diff != "" {
-				t.Errorf("unexpected diff (-want +got):\n%s", diff)
-			}
-		})
-	}
-}
@@ -1,296 +0,0 @@
-package agentcontainers_test
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"slices"
-	"strconv"
-	"strings"
-	"testing"
-
-	"github.com/google/uuid"
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/agent/agentcontainers"
-	"github.com/coder/coder/v2/agent/agentexec"
-	"github.com/coder/coder/v2/pty"
-	"github.com/coder/coder/v2/testutil"
-)
-
-// TestIntegrationDocker tests agentcontainers functionality using a real
-// Docker container. It starts a container with a known
-// label, lists the containers, and verifies that the expected container is
-// returned. It also executes a sample command inside the container.
-// The container is deleted after the test is complete.
-// As this test creates containers, it is skipped by default.
-// It can be run manually as follows:
-//
-// CODER_TEST_USE_DOCKER=1 go test ./agent/agentcontainers -run TestDockerCLIContainerLister
-//
-//nolint:paralleltest // This test tends to flake when lots of containers start and stop in parallel.
-func TestIntegrationDocker(t *testing.T) {
-	if ctud, ok := os.LookupEnv("CODER_TEST_USE_DOCKER"); !ok || ctud != "1" {
-		t.Skip("Set CODER_TEST_USE_DOCKER=1 to run this test")
-	}
-
-	pool, err := dockertest.NewPool("")
-	require.NoError(t, err, "Could not connect to docker")
-	testLabelValue := uuid.New().String()
-	// Create a temporary directory to validate that we surface mounts correctly.
-	testTempDir := t.TempDir()
-	// Pick a random port to expose for testing port bindings.
-	testRandPort := testutil.RandomPortNoListen(t)
-	ct, err := pool.RunWithOptions(&dockertest.RunOptions{
-		Repository: "busybox",
-		Tag:        "latest",
-		Cmd:        []string{"sleep", "infnity"},
-		Labels: map[string]string{
-			"com.coder.test":        testLabelValue,
-			"devcontainer.metadata": `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`,
-		},
-		Mounts:       []string{testTempDir + ":" + testTempDir},
-		ExposedPorts: []string{fmt.Sprintf("%d/tcp", testRandPort)},
-		PortBindings: map[docker.Port][]docker.PortBinding{
-			docker.Port(fmt.Sprintf("%d/tcp", testRandPort)): {
-				{
-					HostIP:   "0.0.0.0",
-					HostPort: strconv.FormatInt(int64(testRandPort), 10),
-				},
-			},
-		},
-	}, func(config *docker.HostConfig) {
-		config.AutoRemove = true
-		config.RestartPolicy = docker.RestartPolicy{Name: "no"}
-	})
-	require.NoError(t, err, "Could not start test docker container")
-	t.Logf("Created container %q", ct.Container.Name)
-	t.Cleanup(func() {
-		assert.NoError(t, pool.Purge(ct), "Could not purge resource %q", ct.Container.Name)
-		t.Logf("Purged container %q", ct.Container.Name)
-	})
-	// Wait for container to start
-	require.Eventually(t, func() bool {
-		ct, ok := pool.ContainerByName(ct.Container.Name)
-		return ok && ct.Container.State.Running
-	}, testutil.WaitShort, testutil.IntervalSlow, "Container did not start in time")
-
-	dcl := agentcontainers.NewDockerCLI(agentexec.DefaultExecer)
-	ctx := testutil.Context(t, testutil.WaitShort)
-	actual, err := dcl.List(ctx)
-	require.NoError(t, err, "Could not list containers")
-	require.Empty(t, actual.Warnings, "Expected no warnings")
-	var found bool
-	for _, foundContainer := range actual.Containers {
-		if foundContainer.ID == ct.Container.ID {
-			found = true
-			assert.Equal(t, ct.Container.Created, foundContainer.CreatedAt)
-			// ory/dockertest pre-pends a forward slash to the container name.
-			assert.Equal(t, strings.TrimPrefix(ct.Container.Name, "/"), foundContainer.FriendlyName)
-			// ory/dockertest returns the sha256 digest of the image.
-			assert.Equal(t, "busybox:latest", foundContainer.Image)
-			assert.Equal(t, ct.Container.Config.Labels, foundContainer.Labels)
-			assert.True(t, foundContainer.Running)
-			assert.Equal(t, "running", foundContainer.Status)
-			if assert.Len(t, foundContainer.Ports, 1) {
-				assert.Equal(t, testRandPort, foundContainer.Ports[0].Port)
-				assert.Equal(t, "tcp", foundContainer.Ports[0].Network)
-			}
-			if assert.Len(t, foundContainer.Volumes, 1) {
-				assert.Equal(t, testTempDir, foundContainer.Volumes[testTempDir])
-			}
-			// Test that EnvInfo is able to correctly modify a command to be
-			// executed inside the container.
-			dei, err := agentcontainers.EnvInfo(ctx, agentexec.DefaultExecer, ct.Container.ID, "")
-			require.NoError(t, err, "Expected no error from DockerEnvInfo()")
-			ptyWrappedCmd, ptyWrappedArgs := dei.ModifyCommand("/bin/sh", "--norc")
-			ptyCmd, ptyPs, err := pty.Start(agentexec.DefaultExecer.PTYCommandContext(ctx, ptyWrappedCmd, ptyWrappedArgs...))
-			require.NoError(t, err, "failed to start pty command")
-			t.Cleanup(func() {
-				_ = ptyPs.Kill()
-				_ = ptyCmd.Close()
-			})
-			tr := testutil.NewTerminalReader(t, ptyCmd.OutputReader())
-			matchPrompt := func(line string) bool {
-				return strings.Contains(line, "#")
-			}
-			matchHostnameCmd := func(line string) bool {
-				return strings.Contains(strings.TrimSpace(line), "hostname")
-			}
-			matchHostnameOuput := func(line string) bool {
-				return strings.Contains(strings.TrimSpace(line), ct.Container.Config.Hostname)
-			}
-			matchEnvCmd := func(line string) bool {
-				return strings.Contains(strings.TrimSpace(line), "env")
-			}
-			matchEnvOutput := func(line string) bool {
-				return strings.Contains(line, "FOO=bar") || strings.Contains(line, "MULTILINE=foo")
-			}
-			require.NoError(t, tr.ReadUntil(ctx, matchPrompt), "failed to match prompt")
-			t.Logf("Matched prompt")
-			_, err = ptyCmd.InputWriter().Write([]byte("hostname\r\n"))
-			require.NoError(t, err, "failed to write to pty")
-			t.Logf("Wrote hostname command")
-			require.NoError(t, tr.ReadUntil(ctx, matchHostnameCmd), "failed to match hostname command")
-			t.Logf("Matched hostname command")
-			require.NoError(t, tr.ReadUntil(ctx, matchHostnameOuput), "failed to match hostname output")
-			t.Logf("Matched hostname output")
-			_, err = ptyCmd.InputWriter().Write([]byte("env\r\n"))
-			require.NoError(t, err, "failed to write to pty")
-			t.Logf("Wrote env command")
-			require.NoError(t, tr.ReadUntil(ctx, matchEnvCmd), "failed to match env command")
-			t.Logf("Matched env command")
-			require.NoError(t, tr.ReadUntil(ctx, matchEnvOutput), "failed to match env output")
-			t.Logf("Matched env output")
-			break
-		}
-	}
-	assert.True(t, found, "Expected to find container with label 'com.coder.test=%s'", testLabelValue)
-}
-
-// TestDockerEnvInfoer tests the ability of EnvInfo to extract information from
-// running containers. Containers are deleted after the test is complete.
-// As this test creates containers, it is skipped by default.
-// It can be run manually as follows:
-//
-// CODER_TEST_USE_DOCKER=1 go test ./agent/agentcontainers -run TestDockerEnvInfoer
-//
-//nolint:paralleltest // This test tends to flake when lots of containers start and stop in parallel.
-func TestDockerEnvInfoer(t *testing.T) {
-	if ctud, ok := os.LookupEnv("CODER_TEST_USE_DOCKER"); !ok || ctud != "1" {
-		t.Skip("Set CODER_TEST_USE_DOCKER=1 to run this test")
-	}
-
-	pool, err := dockertest.NewPool("")
-	require.NoError(t, err, "Could not connect to docker")
-	// nolint:paralleltest // variable recapture no longer required
-	for idx, tt := range []struct {
-		image             string
-		labels            map[string]string
-		expectedEnv       []string
-		containerUser     string
-		expectedUsername  string
-		expectedUserShell string
-	}{
-		{
-			image:  "busybox:latest",
-			labels: map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
-
-			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
-			expectedUsername:  "root",
-			expectedUserShell: "/bin/sh",
-		},
-		{
-			image:             "busybox:latest",
-			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
-			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
-			containerUser:     "root",
-			expectedUsername:  "root",
-			expectedUserShell: "/bin/sh",
-		},
-		{
-			image:             "codercom/enterprise-minimal:ubuntu",
-			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
-			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
-			expectedUsername:  "coder",
-			expectedUserShell: "/bin/bash",
-		},
-		{
-			image:             "codercom/enterprise-minimal:ubuntu",
-			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
-			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
-			containerUser:     "coder",
-			expectedUsername:  "coder",
-			expectedUserShell: "/bin/bash",
-		},
-		{
-			image:             "codercom/enterprise-minimal:ubuntu",
-			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
-			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
-			containerUser:     "root",
-			expectedUsername:  "root",
-			expectedUserShell: "/bin/bash",
-		},
-		{
-			image:             "codercom/enterprise-minimal:ubuntu",
-			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar"}},{"remoteEnv": {"MULTILINE": "foo\nbar\nbaz"}}]`},
-			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
-			containerUser:     "root",
-			expectedUsername:  "root",
-			expectedUserShell: "/bin/bash",
-		},
-	} {
-		//nolint:paralleltest // variable recapture no longer required
-		t.Run(fmt.Sprintf("#%d", idx), func(t *testing.T) {
-			// Start a container with the given image
-			// and environment variables
-			image := strings.Split(tt.image, ":")[0]
-			tag := strings.Split(tt.image, ":")[1]
-			ct, err := pool.RunWithOptions(&dockertest.RunOptions{
-				Repository: image,
-				Tag:        tag,
-				Cmd:        []string{"sleep", "infinity"},
-				Labels:     tt.labels,
-			}, func(config *docker.HostConfig) {
-				config.AutoRemove = true
-				config.RestartPolicy = docker.RestartPolicy{Name: "no"}
-			})
-			require.NoError(t, err, "Could not start test docker container")
-			t.Logf("Created container %q", ct.Container.Name)
-			t.Cleanup(func() {
-				assert.NoError(t, pool.Purge(ct), "Could not purge resource %q", ct.Container.Name)
-				t.Logf("Purged container %q", ct.Container.Name)
-			})
-
-			ctx := testutil.Context(t, testutil.WaitShort)
-			dei, err := agentcontainers.EnvInfo(ctx, agentexec.DefaultExecer, ct.Container.ID, tt.containerUser)
-			require.NoError(t, err, "Expected no error from DockerEnvInfo()")
-
-			u, err := dei.User()
-			require.NoError(t, err, "Expected no error from CurrentUser()")
-			require.Equal(t, tt.expectedUsername, u.Username, "Expected username to match")
-
-			hd, err := dei.HomeDir()
-			require.NoError(t, err, "Expected no error from UserHomeDir()")
-			require.NotEmpty(t, hd, "Expected user homedir to be non-empty")
-
-			sh, err := dei.Shell(tt.containerUser)
-			require.NoError(t, err, "Expected no error from UserShell()")
-			require.Equal(t, tt.expectedUserShell, sh, "Expected user shell to match")
-
-			// We don't need to test the actual environment variables here.
-			environ := dei.Environ()
-			require.NotEmpty(t, environ, "Expected environ to be non-empty")
-
-			// Test that the environment variables are present in modified command
-			// output.
-			envCmd, envArgs := dei.ModifyCommand("env")
-			for _, env := range tt.expectedEnv {
-				require.Subset(t, envArgs, []string{"--env", env})
-			}
-			// Run the command in the container and check the output
-			// HACK: we remove the --tty argument because we're not running in a tty
-			envArgs = slices.DeleteFunc(envArgs, func(s string) bool { return s == "--tty" })
-			stdout, stderr, err := run(ctx, agentexec.DefaultExecer, envCmd, envArgs...)
-			require.Empty(t, stderr, "Expected no stderr output")
-			require.NoError(t, err, "Expected no error from running command")
-			for _, env := range tt.expectedEnv {
-				require.Contains(t, stdout, env)
-			}
-		})
-	}
-}
-
-func run(ctx context.Context, execer agentexec.Execer, cmd string, args ...string) (stdout, stderr string, err error) {
-	var stdoutBuf, stderrBuf strings.Builder
-	execCmd := execer.CommandContext(ctx, cmd, args...)
-	execCmd.Stdout = &stdoutBuf
-	execCmd.Stderr = &stderrBuf
-	err = execCmd.Run()
-	stdout = strings.TrimSpace(stdoutBuf.String())
-	stderr = strings.TrimSpace(stderrBuf.String())
-	return stdout, stderr, err
-}
@@ -1,601 +0,0 @@
-// Code generated by dcspec/gen.sh. DO NOT EDIT.
-//
-// This file was generated from JSON Schema using quicktype, do not modify it directly.
-// To parse and unparse this JSON data, add this code to your project and do:
-//
-//    devContainer, err := UnmarshalDevContainer(bytes)
-//    bytes, err = devContainer.Marshal()
-
-package dcspec
-
-import (
-	"bytes"
-	"errors"
-)
-
-import "encoding/json"
-
-func UnmarshalDevContainer(data []byte) (DevContainer, error) {
-	var r DevContainer
-	err := json.Unmarshal(data, &r)
-	return r, err
-}
-
-func (r *DevContainer) Marshal() ([]byte, error) {
-	return json.Marshal(r)
-}
-
-// Defines a dev container
-type DevContainer struct {
-	// Docker build-related options.
-	Build *BuildOptions `json:"build,omitempty"`
-	// The location of the context folder for building the Docker image. The path is relative to
-	// the folder containing the `devcontainer.json` file.
-	Context *string `json:"context,omitempty"`
-	// The location of the Dockerfile that defines the contents of the container. The path is
-	// relative to the folder containing the `devcontainer.json` file.
-	DockerFile *string `json:"dockerFile,omitempty"`
-	// The docker image that will be used to create the container.
-	Image *string `json:"image,omitempty"`
-	// Application ports that are exposed by the container. This can be a single port or an
-	// array of ports. Each port can be a number or a string. A number is mapped to the same
-	// port on the host. A string is passed to Docker unchanged and can be used to map ports
-	// differently, e.g. "8000:8010".
-	AppPort *DevContainerAppPort `json:"appPort"`
-	// Whether to overwrite the command specified in the image. The default is true.
-	//
-	// Whether to overwrite the command specified in the image. The default is false.
-	OverrideCommand *bool `json:"overrideCommand,omitempty"`
-	// The arguments required when starting in the container.
-	RunArgs []string `json:"runArgs,omitempty"`
-	// Action to take when the user disconnects from the container in their editor. The default
-	// is to stop the container.
-	//
-	// Action to take when the user disconnects from the primary container in their editor. The
-	// default is to stop all of the compose containers.
-	ShutdownAction *ShutdownAction `json:"shutdownAction,omitempty"`
-	// The path of the workspace folder inside the container.
-	//
-	// The path of the workspace folder inside the container. This is typically the target path
-	// of a volume mount in the docker-compose.yml.
-	WorkspaceFolder *string `json:"workspaceFolder,omitempty"`
-	// The --mount parameter for docker run. The default is to mount the project folder at
-	// /workspaces/$project.
-	WorkspaceMount *string `json:"workspaceMount,omitempty"`
-	// The name of the docker-compose file(s) used to start the services.
-	DockerComposeFile *CacheFrom `json:"dockerComposeFile"`
-	// An array of services that should be started and stopped.
-	RunServices []string `json:"runServices,omitempty"`
-	// The service you want to work on. This is considered the primary container for your dev
-	// environment which your editor will connect to.
-	Service *string `json:"service,omitempty"`
-	// The JSON schema of the `devcontainer.json` file.
-	Schema               *string                `json:"$schema,omitempty"`
-	AdditionalProperties map[string]interface{} `json:"additionalProperties,omitempty"`
-	// Passes docker capabilities to include when creating the dev container.
-	CapAdd []string `json:"capAdd,omitempty"`
-	// Container environment variables.
-	ContainerEnv map[string]string `json:"containerEnv,omitempty"`
-	// The user the container will be started with. The default is the user on the Docker image.
-	ContainerUser *string `json:"containerUser,omitempty"`
-	// Tool-specific configuration. Each tool should use a JSON object subproperty with a unique
-	// name to group its customizations.
-	Customizations map[string]interface{} `json:"customizations,omitempty"`
-	// Features to add to the dev container.
-	Features *Features `json:"features,omitempty"`
-	// Ports that are forwarded from the container to the local machine. Can be an integer port
-	// number, or a string of the format "host:port_number".
-	ForwardPorts []ForwardPort `json:"forwardPorts,omitempty"`
-	// Host hardware requirements.
-	HostRequirements *HostRequirements `json:"hostRequirements,omitempty"`
-	// Passes the --init flag when creating the dev container.
-	Init *bool `json:"init,omitempty"`
-	// A command to run locally (i.e Your host machine, cloud VM) before anything else. This
-	// command is run before "onCreateCommand". If this is a single string, it will be run in a
-	// shell. If this is an array of strings, it will be run as a single command without shell.
-	// If this is an object, each provided command will be run in parallel.
-	InitializeCommand *Command `json:"initializeCommand"`
-	// Mount points to set up when creating the container. See Docker's documentation for the
-	// --mount option for the supported syntax.
-	Mounts []MountElement `json:"mounts,omitempty"`
-	// A name for the dev container which can be displayed to the user.
-	Name *string `json:"name,omitempty"`
-	// A command to run when creating the container. This command is run after
-	// "initializeCommand" and before "updateContentCommand". If this is a single string, it
-	// will be run in a shell. If this is an array of strings, it will be run as a single
-	// command without shell. If this is an object, each provided command will be run in
-	// parallel.
-	OnCreateCommand      *Command              `json:"onCreateCommand"`
-	OtherPortsAttributes *OtherPortsAttributes `json:"otherPortsAttributes,omitempty"`
-	// Array consisting of the Feature id (without the semantic version) of Features in the
-	// order the user wants them to be installed.
-	OverrideFeatureInstallOrder []string         `json:"overrideFeatureInstallOrder,omitempty"`
-	PortsAttributes             *PortsAttributes `json:"portsAttributes,omitempty"`
-	// A command to run when attaching to the container. This command is run after
-	// "postStartCommand". If this is a single string, it will be run in a shell. If this is an
-	// array of strings, it will be run as a single command without shell. If this is an object,
-	// each provided command will be run in parallel.
-	PostAttachCommand *Command `json:"postAttachCommand"`
-	// A command to run after creating the container. This command is run after
-	// "updateContentCommand" and before "postStartCommand". If this is a single string, it will
-	// be run in a shell. If this is an array of strings, it will be run as a single command
-	// without shell. If this is an object, each provided command will be run in parallel.
-	PostCreateCommand *Command `json:"postCreateCommand"`
-	// A command to run after starting the container. This command is run after
-	// "postCreateCommand" and before "postAttachCommand". If this is a single string, it will
-	// be run in a shell. If this is an array of strings, it will be run as a single command
-	// without shell. If this is an object, each provided command will be run in parallel.
-	PostStartCommand *Command `json:"postStartCommand"`
-	// Passes the --privileged flag when creating the dev container.
-	Privileged *bool `json:"privileged,omitempty"`
-	// Remote environment variables to set for processes spawned in the container including
-	// lifecycle scripts and any remote editor/IDE server process.
-	RemoteEnv map[string]*string `json:"remoteEnv,omitempty"`
-	// The username to use for spawning processes in the container including lifecycle scripts
-	// and any remote editor/IDE server process. The default is the same user as the container.
-	RemoteUser *string `json:"remoteUser,omitempty"`
-	// Recommended secrets for this dev container. Recommendations are provided as environment
-	// variable keys with optional metadata.
-	Secrets *Secrets `json:"secrets,omitempty"`
-	// Passes docker security options to include when creating the dev container.
-	SecurityOpt []string `json:"securityOpt,omitempty"`
-	// A command to run when creating the container and rerun when the workspace content was
-	// updated while creating the container. This command is run after "onCreateCommand" and
-	// before "postCreateCommand". If this is a single string, it will be run in a shell. If
-	// this is an array of strings, it will be run as a single command without shell. If this is
-	// an object, each provided command will be run in parallel.
-	UpdateContentCommand *Command `json:"updateContentCommand"`
-	// Controls whether on Linux the container's user should be updated with the local user's
-	// UID and GID. On by default when opening from a local folder.
-	UpdateRemoteUserUID *bool `json:"updateRemoteUserUID,omitempty"`
-	// User environment probe to run. The default is "loginInteractiveShell".
-	UserEnvProbe *UserEnvProbe `json:"userEnvProbe,omitempty"`
-	// The user command to wait for before continuing execution in the background while the UI
-	// is starting up. The default is "updateContentCommand".
-	WaitFor *WaitFor `json:"waitFor,omitempty"`
-}
-
-// Docker build-related options.
-type BuildOptions struct {
-	// The location of the context folder for building the Docker image. The path is relative to
-	// the folder containing the `devcontainer.json` file.
-	Context *string `json:"context,omitempty"`
-	// The location of the Dockerfile that defines the contents of the container. The path is
-	// relative to the folder containing the `devcontainer.json` file.
-	Dockerfile *string `json:"dockerfile,omitempty"`
-	// Build arguments.
-	Args map[string]string `json:"args,omitempty"`
-	// The image to consider as a cache. Use an array to specify multiple images.
-	CacheFrom *CacheFrom `json:"cacheFrom"`
-	// Additional arguments passed to the build command.
-	Options []string `json:"options,omitempty"`
-	// Target stage in a multi-stage build.
-	Target *string `json:"target,omitempty"`
-}
-
-// Features to add to the dev container.
-type Features struct {
-	Fish       interface{} `json:"fish"`
-	Gradle     interface{} `json:"gradle"`
-	Homebrew   interface{} `json:"homebrew"`
-	Jupyterlab interface{} `json:"jupyterlab"`
-	Maven      interface{} `json:"maven"`
-}
-
-// Host hardware requirements.
-type HostRequirements struct {
-	// Number of required CPUs.
-	Cpus *int64    `json:"cpus,omitempty"`
-	GPU  *GPUUnion `json:"gpu"`
-	// Amount of required RAM in bytes. Supports units tb, gb, mb and kb.
-	Memory *string `json:"memory,omitempty"`
-	// Amount of required disk space in bytes. Supports units tb, gb, mb and kb.
-	Storage *string `json:"storage,omitempty"`
-}
-
-// Indicates whether a GPU is required. The string "optional" indicates that a GPU is
-// optional. An object value can be used to configure more detailed requirements.
-type GPUClass struct {
-	// Number of required cores.
-	Cores *int64 `json:"cores,omitempty"`
-	// Amount of required RAM in bytes. Supports units tb, gb, mb and kb.
-	Memory *string `json:"memory,omitempty"`
-}
-
-type Mount struct {
-	// Mount source.
-	Source *string `json:"source,omitempty"`
-	// Mount target.
-	Target string `json:"target"`
-	// Mount type.
-	Type Type `json:"type"`
-}
-
-type OtherPortsAttributes struct {
-	// Automatically prompt for elevation (if needed) when this port is forwarded. Elevate is
-	// required if the local port is a privileged port.
-	ElevateIfNeeded *bool `json:"elevateIfNeeded,omitempty"`
-	// Label that will be shown in the UI for this port.
-	Label *string `json:"label,omitempty"`
-	// Defines the action that occurs when the port is discovered for automatic forwarding
-	OnAutoForward *OnAutoForward `json:"onAutoForward,omitempty"`
-	// The protocol to use when forwarding this port.
-	Protocol         *Protocol `json:"protocol,omitempty"`
-	RequireLocalPort *bool     `json:"requireLocalPort,omitempty"`
-}
-
-type PortsAttributes struct{}
-
-// Recommended secrets for this dev container. Recommendations are provided as environment
-// variable keys with optional metadata.
-type Secrets struct{}
-
-type GPUEnum string
-
-const (
-	Optional GPUEnum = "optional"
-)
-
-// Mount type.
-type Type string
-
-const (
-	Bind   Type = "bind"
-	Volume Type = "volume"
-)
-
-// Defines the action that occurs when the port is discovered for automatic forwarding
-type OnAutoForward string
-
-const (
-	Ignore      OnAutoForward = "ignore"
-	Notify      OnAutoForward = "notify"
-	OpenBrowser OnAutoForward = "openBrowser"
-	OpenPreview OnAutoForward = "openPreview"
-	Silent      OnAutoForward = "silent"
-)
-
-// The protocol to use when forwarding this port.
-type Protocol string
-
-const (
-	HTTP  Protocol = "http"
-	HTTPS Protocol = "https"
-)
-
-// Action to take when the user disconnects from the container in their editor. The default
-// is to stop the container.
-//
-// Action to take when the user disconnects from the primary container in their editor. The
-// default is to stop all of the compose containers.
-type ShutdownAction string
-
-const (
-	ShutdownActionNone ShutdownAction = "none"
-	StopCompose        ShutdownAction = "stopCompose"
-	StopContainer      ShutdownAction = "stopContainer"
-)
-
-// User environment probe to run. The default is "loginInteractiveShell".
-type UserEnvProbe string
-
-const (
-	InteractiveShell      UserEnvProbe = "interactiveShell"
-	LoginInteractiveShell UserEnvProbe = "loginInteractiveShell"
-	LoginShell            UserEnvProbe = "loginShell"
-	UserEnvProbeNone      UserEnvProbe = "none"
-)
-
-// The user command to wait for before continuing execution in the background while the UI
-// is starting up. The default is "updateContentCommand".
-type WaitFor string
-
-const (
-	InitializeCommand    WaitFor = "initializeCommand"
-	OnCreateCommand      WaitFor = "onCreateCommand"
-	PostCreateCommand    WaitFor = "postCreateCommand"
-	PostStartCommand     WaitFor = "postStartCommand"
-	UpdateContentCommand WaitFor = "updateContentCommand"
-)
-
-// Application ports that are exposed by the container. This can be a single port or an
-// array of ports. Each port can be a number or a string. A number is mapped to the same
-// port on the host. A string is passed to Docker unchanged and can be used to map ports
-// differently, e.g. "8000:8010".
-type DevContainerAppPort struct {
-	Integer    *int64
-	String     *string
-	UnionArray []AppPortElement
-}
-
-func (x *DevContainerAppPort) UnmarshalJSON(data []byte) error {
-	x.UnionArray = nil
-	object, err := unmarshalUnion(data, &x.Integer, nil, nil, &x.String, true, &x.UnionArray, false, nil, false, nil, false, nil, false)
-	if err != nil {
-		return err
-	}
-	if object {
-	}
-	return nil
-}
-
-func (x *DevContainerAppPort) MarshalJSON() ([]byte, error) {
-	return marshalUnion(x.Integer, nil, nil, x.String, x.UnionArray != nil, x.UnionArray, false, nil, false, nil, false, nil, false)
-}
-
-// Application ports that are exposed by the container. This can be a single port or an
-// array of ports. Each port can be a number or a string. A number is mapped to the same
-// port on the host. A string is passed to Docker unchanged and can be used to map ports
-// differently, e.g. "8000:8010".
-type AppPortElement struct {
-	Integer *int64
-	String  *string
-}
-
-func (x *AppPortElement) UnmarshalJSON(data []byte) error {
-	object, err := unmarshalUnion(data, &x.Integer, nil, nil, &x.String, false, nil, false, nil, false, nil, false, nil, false)
-	if err != nil {
-		return err
-	}
-	if object {
-	}
-	return nil
-}
-
-func (x *AppPortElement) MarshalJSON() ([]byte, error) {
-	return marshalUnion(x.Integer, nil, nil, x.String, false, nil, false, nil, false, nil, false, nil, false)
-}
-
-// The image to consider as a cache. Use an array to specify multiple images.
-//
-// The name of the docker-compose file(s) used to start the services.
-type CacheFrom struct {
-	String      *string
-	StringArray []string
-}
-
-func (x *CacheFrom) UnmarshalJSON(data []byte) error {
-	x.StringArray = nil
-	object, err := unmarshalUnion(data, nil, nil, nil, &x.String, true, &x.StringArray, false, nil, false, nil, false, nil, false)
-	if err != nil {
-		return err
-	}
-	if object {
-	}
-	return nil
-}
-
-func (x *CacheFrom) MarshalJSON() ([]byte, error) {
-	return marshalUnion(nil, nil, nil, x.String, x.StringArray != nil, x.StringArray, false, nil, false, nil, false, nil, false)
-}
-
-type ForwardPort struct {
-	Integer *int64
-	String  *string
-}
-
-func (x *ForwardPort) UnmarshalJSON(data []byte) error {
-	object, err := unmarshalUnion(data, &x.Integer, nil, nil, &x.String, false, nil, false, nil, false, nil, false, nil, false)
-	if err != nil {
-		return err
-	}
-	if object {
-	}
-	return nil
-}
-
-func (x *ForwardPort) MarshalJSON() ([]byte, error) {
-	return marshalUnion(x.Integer, nil, nil, x.String, false, nil, false, nil, false, nil, false, nil, false)
-}
-
-type GPUUnion struct {
-	Bool     *bool
-	Enum     *GPUEnum
-	GPUClass *GPUClass
-}
-
-func (x *GPUUnion) UnmarshalJSON(data []byte) error {
-	x.GPUClass = nil
-	x.Enum = nil
-	var c GPUClass
-	object, err := unmarshalUnion(data, nil, nil, &x.Bool, nil, false, nil, true, &c, false, nil, true, &x.Enum, false)
-	if err != nil {
-		return err
-	}
-	if object {
-		x.GPUClass = &c
-	}
-	return nil
-}
-
-func (x *GPUUnion) MarshalJSON() ([]byte, error) {
-	return marshalUnion(nil, nil, x.Bool, nil, false, nil, x.GPUClass != nil, x.GPUClass, false, nil, x.Enum != nil, x.Enum, false)
-}
-
-// A command to run locally (i.e Your host machine, cloud VM) before anything else. This
-// command is run before "onCreateCommand". If this is a single string, it will be run in a
-// shell. If this is an array of strings, it will be run as a single command without shell.
-// If this is an object, each provided command will be run in parallel.
-//
-// A command to run when creating the container. This command is run after
-// "initializeCommand" and before "updateContentCommand". If this is a single string, it
-// will be run in a shell. If this is an array of strings, it will be run as a single
-// command without shell. If this is an object, each provided command will be run in
-// parallel.
-//
-// A command to run when attaching to the container. This command is run after
-// "postStartCommand". If this is a single string, it will be run in a shell. If this is an
-// array of strings, it will be run as a single command without shell. If this is an object,
-// each provided command will be run in parallel.
-//
-// A command to run after creating the container. This command is run after
-// "updateContentCommand" and before "postStartCommand". If this is a single string, it will
-// be run in a shell. If this is an array of strings, it will be run as a single command
-// without shell. If this is an object, each provided command will be run in parallel.
-//
-// A command to run after starting the container. This command is run after
-// "postCreateCommand" and before "postAttachCommand". If this is a single string, it will
-// be run in a shell. If this is an array of strings, it will be run as a single command
-// without shell. If this is an object, each provided command will be run in parallel.
-//
-// A command to run when creating the container and rerun when the workspace content was
-// updated while creating the container. This command is run after "onCreateCommand" and
-// before "postCreateCommand". If this is a single string, it will be run in a shell. If
-// this is an array of strings, it will be run as a single command without shell. If this is
-// an object, each provided command will be run in parallel.
-type Command struct {
-	String      *string
-	StringArray []string
-	UnionMap    map[string]*CacheFrom
-}
-
-func (x *Command) UnmarshalJSON(data []byte) error {
-	x.StringArray = nil
-	x.UnionMap = nil
-	object, err := unmarshalUnion(data, nil, nil, nil, &x.String, true, &x.StringArray, false, nil, true, &x.UnionMap, false, nil, false)
-	if err != nil {
-		return err
-	}
-	if object {
-	}
-	return nil
-}
-
-func (x *Command) MarshalJSON() ([]byte, error) {
-	return marshalUnion(nil, nil, nil, x.String, x.StringArray != nil, x.StringArray, false, nil, x.UnionMap != nil, x.UnionMap, false, nil, false)
-}
-
-type MountElement struct {
-	Mount  *Mount
-	String *string
-}
-
-func (x *MountElement) UnmarshalJSON(data []byte) error {
-	x.Mount = nil
-	var c Mount
-	object, err := unmarshalUnion(data, nil, nil, nil, &x.String, false, nil, true, &c, false, nil, false, nil, false)
-	if err != nil {
-		return err
-	}
-	if object {
-		x.Mount = &c
-	}
-	return nil
-}
-
-func (x *MountElement) MarshalJSON() ([]byte, error) {
-	return marshalUnion(nil, nil, nil, x.String, false, nil, x.Mount != nil, x.Mount, false, nil, false, nil, false)
-}
-
-func unmarshalUnion(data []byte, pi **int64, pf **float64, pb **bool, ps **string, haveArray bool, pa interface{}, haveObject bool, pc interface{}, haveMap bool, pm interface{}, haveEnum bool, pe interface{}, nullable bool) (bool, error) {
-	if pi != nil {
-		*pi = nil
-	}
-	if pf != nil {
-		*pf = nil
-	}
-	if pb != nil {
-		*pb = nil
-	}
-	if ps != nil {
-		*ps = nil
-	}
-
-	dec := json.NewDecoder(bytes.NewReader(data))
-	dec.UseNumber()
-	tok, err := dec.Token()
-	if err != nil {
-		return false, err
-	}
-
-	switch v := tok.(type) {
-	case json.Number:
-		if pi != nil {
-			i, err := v.Int64()
-			if err == nil {
-				*pi = &i
-				return false, nil
-			}
-		}
-		if pf != nil {
-			f, err := v.Float64()
-			if err == nil {
-				*pf = &f
-				return false, nil
-			}
-			return false, errors.New("Unparsable number")
-		}
-		return false, errors.New("Union does not contain number")
-	case float64:
-		return false, errors.New("Decoder should not return float64")
-	case bool:
-		if pb != nil {
-			*pb = &v
-			return false, nil
-		}
-		return false, errors.New("Union does not contain bool")
-	case string:
-		if haveEnum {
-			return false, json.Unmarshal(data, pe)
-		}
-		if ps != nil {
-			*ps = &v
-			return false, nil
-		}
-		return false, errors.New("Union does not contain string")
-	case nil:
-		if nullable {
-			return false, nil
-		}
-		return false, errors.New("Union does not contain null")
-	case json.Delim:
-		if v == '{' {
-			if haveObject {
-				return true, json.Unmarshal(data, pc)
-			}
-			if haveMap {
-				return false, json.Unmarshal(data, pm)
-			}
-			return false, errors.New("Union does not contain object")
-		}
-		if v == '[' {
-			if haveArray {
-				return false, json.Unmarshal(data, pa)
-			}
-			return false, errors.New("Union does not contain array")
-		}
-		return false, errors.New("Cannot handle delimiter")
-	}
-	return false, errors.New("Cannot unmarshal union")
-}
-
-func marshalUnion(pi *int64, pf *float64, pb *bool, ps *string, haveArray bool, pa interface{}, haveObject bool, pc interface{}, haveMap bool, pm interface{}, haveEnum bool, pe interface{}, nullable bool) ([]byte, error) {
-	if pi != nil {
-		return json.Marshal(*pi)
-	}
-	if pf != nil {
-		return json.Marshal(*pf)
-	}
-	if pb != nil {
-		return json.Marshal(*pb)
-	}
-	if ps != nil {
-		return json.Marshal(*ps)
-	}
-	if haveArray {
-		return json.Marshal(pa)
-	}
-	if haveObject {
-		return json.Marshal(pc)
-	}
-	if haveMap {
-		return json.Marshal(pm)
-	}
-	if haveEnum {
-		return json.Marshal(pe)
-	}
-	if nullable {
-		return json.Marshal(nil)
-	}
-	return nil, errors.New("Union must not be null")
-}
@@ -1,148 +0,0 @@
-package dcspec_test
-
-import (
-	"encoding/json"
-	"os"
-	"path/filepath"
-	"slices"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/v2/agent/agentcontainers/dcspec"
-	"github.com/coder/coder/v2/coderd/util/ptr"
-)
-
-func TestUnmarshalDevContainer(t *testing.T) {
-	t.Parallel()
-
-	type testCase struct {
-		name    string
-		file    string
-		wantErr bool
-		want    dcspec.DevContainer
-	}
-	tests := []testCase{
-		{
-			name: "minimal",
-			file: filepath.Join("testdata", "minimal.json"),
-			want: dcspec.DevContainer{
-				Image: ptr.Ref("test-image"),
-			},
-		},
-		{
-			name: "arrays",
-			file: filepath.Join("testdata", "arrays.json"),
-			want: dcspec.DevContainer{
-				Image:   ptr.Ref("test-image"),
-				RunArgs: []string{"--network=host", "--privileged"},
-				ForwardPorts: []dcspec.ForwardPort{
-					{
-						Integer: ptr.Ref[int64](8080),
-					},
-					{
-						String: ptr.Ref("3000:3000"),
-					},
-				},
-			},
-		},
-		{
-			name:    "devcontainers/template-starter",
-			file:    filepath.Join("testdata", "devcontainers-template-starter.json"),
-			wantErr: false,
-			want: dcspec.DevContainer{
-				Image:    ptr.Ref("mcr.microsoft.com/devcontainers/javascript-node:1-18-bullseye"),
-				Features: &dcspec.Features{},
-				Customizations: map[string]interface{}{
-					"vscode": map[string]interface{}{
-						"extensions": []interface{}{
-							"mads-hartmann.bash-ide-vscode",
-							"dbaeumer.vscode-eslint",
-						},
-					},
-				},
-				PostCreateCommand: &dcspec.Command{
-					String: ptr.Ref("npm install -g @devcontainers/cli"),
-				},
-			},
-		},
-	}
-
-	var missingTests []string
-	files, err := filepath.Glob("testdata/*.json")
-	require.NoError(t, err, "glob test files failed")
-	for _, file := range files {
-		if !slices.ContainsFunc(tests, func(tt testCase) bool {
-			return tt.file == file
-		}) {
-			missingTests = append(missingTests, file)
-		}
-	}
-	require.Empty(t, missingTests, "missing tests case for files: %v", missingTests)
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			data, err := os.ReadFile(tt.file)
-			require.NoError(t, err, "read test file failed")
-
-			got, err := dcspec.UnmarshalDevContainer(data)
-			if tt.wantErr {
-				require.Error(t, err, "want error but got nil")
-				return
-			}
-			require.NoError(t, err, "unmarshal DevContainer failed")
-
-			// Compare the unmarshaled data with the expected data.
-			if diff := cmp.Diff(tt.want, got); diff != "" {
-				require.Empty(t, diff, "UnmarshalDevContainer() mismatch (-want +got):\n%s", diff)
-			}
-
-			// Test that marshaling works (without comparing to original).
-			marshaled, err := got.Marshal()
-			require.NoError(t, err, "marshal DevContainer back to JSON failed")
-			require.NotEmpty(t, marshaled, "marshaled JSON should not be empty")
-
-			// Verify the marshaled JSON can be unmarshaled back.
-			var unmarshaled interface{}
-			err = json.Unmarshal(marshaled, &unmarshaled)
-			require.NoError(t, err, "unmarshal marshaled JSON failed")
-		})
-	}
-}
-
-func TestUnmarshalDevContainer_EdgeCases(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name    string
-		json    string
-		wantErr bool
-	}{
-		{
-			name:    "empty JSON",
-			json:    "{}",
-			wantErr: false,
-		},
-		{
-			name:    "invalid JSON",
-			json:    "{not valid json",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			_, err := dcspec.UnmarshalDevContainer([]byte(tt.json))
-			if tt.wantErr {
-				require.Error(t, err, "want error but got nil")
-				return
-			}
-			require.NoError(t, err, "unmarshal DevContainer failed")
-		})
-	}
-}
@@ -1,771 +0,0 @@
-{
-	"$schema": "https://json-schema.org/draft/2019-09/schema",
-	"description": "Defines a dev container",
-	"allowComments": true,
-	"allowTrailingCommas": false,
-	"definitions": {
-		"devContainerCommon": {
-			"type": "object",
-			"properties": {
-				"$schema": {
-					"type": "string",
-					"format": "uri",
-					"description": "The JSON schema of the `devcontainer.json` file."
-				},
-				"name": {
-					"type": "string",
-					"description": "A name for the dev container which can be displayed to the user."
-				},
-				"features": {
-					"type": "object",
-					"description": "Features to add to the dev container.",
-					"properties": {
-						"fish": {
-							"deprecated": true,
-							"deprecationMessage": "Legacy feature not supported. Please check https://containers.dev/features for replacements."
-						},
-						"maven": {
-							"deprecated": true,
-							"deprecationMessage": "Legacy feature will be removed in the future. Please check https://containers.dev/features for replacements. E.g., `ghcr.io/devcontainers/features/java` has an option to install Maven."
-						},
-						"gradle": {
-							"deprecated": true,
-							"deprecationMessage": "Legacy feature will be removed in the future. Please check https://containers.dev/features for replacements. E.g., `ghcr.io/devcontainers/features/java` has an option to install Gradle."
-						},
-						"homebrew": {
-							"deprecated": true,
-							"deprecationMessage": "Legacy feature not supported. Please check https://containers.dev/features for replacements."
-						},
-						"jupyterlab": {
-							"deprecated": true,
-							"deprecationMessage": "Legacy feature will be removed in the future. Please check https://containers.dev/features for replacements. E.g., `ghcr.io/devcontainers/features/python` has an option to install JupyterLab."
-						}
-					},
-					"additionalProperties": true
-				},
-				"overrideFeatureInstallOrder": {
-					"type": "array",
-					"description": "Array consisting of the Feature id (without the semantic version) of Features in the order the user wants them to be installed.",
-					"items": {
-						"type": "string"
-					}
-				},
-				"secrets": {
-					"type": "object",
-					"description": "Recommended secrets for this dev container. Recommendations are provided as environment variable keys with optional metadata.",
-					"patternProperties": {
-						"^[a-zA-Z_][a-zA-Z0-9_]*$": {
-							"type": "object",
-							"description": "Environment variable keys following unix-style naming conventions. eg: ^[a-zA-Z_][a-zA-Z0-9_]*$",
-							"properties": {
-								"description": {
-									"type": "string",
-									"description": "A description of the secret."
-								},
-								"documentationUrl": {
-									"type": "string",
-									"format": "uri",
-									"description": "A URL to documentation about the secret."
-								}
-							},
-							"additionalProperties": false
-						},
-						"additionalProperties": false
-					},
-					"additionalProperties": false
-				},
-				"forwardPorts": {
-					"type": "array",
-					"description": "Ports that are forwarded from the container to the local machine. Can be an integer port number, or a string of the format \"host:port_number\".",
-					"items": {
-						"oneOf": [
-							{
-								"type": "integer",
-								"maximum": 65535,
-								"minimum": 0
-							},
-							{
-								"type": "string",
-								"pattern": "^([a-z0-9-]+):(\\d{1,5})$"
-							}
-						]
-					}
-				},
-				"portsAttributes": {
-					"type": "object",
-					"patternProperties": {
-						"(^\\d+(-\\d+)?$)|(.+)": {
-							"type": "object",
-							"description": "A port, range of ports (ex. \"40000-55000\"), or regular expression (ex. \".+\\\\/server.js\").  For a port number or range, the attributes will apply to that port number or range of port numbers. Attributes which use a regular expression will apply to ports whose associated process command line matches the expression.",
-							"properties": {
-								"onAutoForward": {
-									"type": "string",
-									"enum": [
-										"notify",
-										"openBrowser",
-										"openBrowserOnce",
-										"openPreview",
-										"silent",
-										"ignore"
-									],
-									"enumDescriptions": [
-										"Shows a notification when a port is automatically forwarded.",
-										"Opens the browser when the port is automatically forwarded. Depending on your settings, this could open an embedded browser.",
-										"Opens the browser when the port is automatically forwarded, but only the first time the port is forward during a session. Depending on your settings, this could open an embedded browser.",
-										"Opens a preview in the same window when the port is automatically forwarded.",
-										"Shows no notification and takes no action when this port is automatically forwarded.",
-										"This port will not be automatically forwarded."
-									],
-									"description": "Defines the action that occurs when the port is discovered for automatic forwarding",
-									"default": "notify"
-								},
-								"elevateIfNeeded": {
-									"type": "boolean",
-									"description": "Automatically prompt for elevation (if needed) when this port is forwarded. Elevate is required if the local port is a privileged port.",
-									"default": false
-								},
-								"label": {
-									"type": "string",
-									"description": "Label that will be shown in the UI for this port.",
-									"default": "Application"
-								},
-								"requireLocalPort": {
-									"type": "boolean",
-									"markdownDescription": "When true, a modal dialog will show if the chosen local port isn't used for forwarding.",
-									"default": false
-								},
-								"protocol": {
-									"type": "string",
-									"enum": [
-										"http",
-										"https"
-									],
-									"description": "The protocol to use when forwarding this port."
-								}
-							},
-							"default": {
-								"label": "Application",
-								"onAutoForward": "notify"
-							}
-						}
-					},
-					"markdownDescription": "Set default properties that are applied when a specific port number is forwarded. For example:\n\n```\n\"3000\": {\n  \"label\": \"Application\"\n},\n\"40000-55000\": {\n  \"onAutoForward\": \"ignore\"\n},\n\".+\\\\/server.js\": {\n \"onAutoForward\": \"openPreview\"\n}\n```",
-					"defaultSnippets": [
-						{
-							"body": {
-								"${1:3000}": {
-									"label": "${2:Application}",
-									"onAutoForward": "notify"
-								}
-							}
-						}
-					],
-					"additionalProperties": false
-				},
-				"otherPortsAttributes": {
-					"type": "object",
-					"properties": {
-						"onAutoForward": {
-							"type": "string",
-							"enum": [
-								"notify",
-								"openBrowser",
-								"openPreview",
-								"silent",
-								"ignore"
-							],
-							"enumDescriptions": [
-								"Shows a notification when a port is automatically forwarded.",
-								"Opens the browser when the port is automatically forwarded. Depending on your settings, this could open an embedded browser.",
-								"Opens a preview in the same window when the port is automatically forwarded.",
-								"Shows no notification and takes no action when this port is automatically forwarded.",
-								"This port will not be automatically forwarded."
-							],
-							"description": "Defines the action that occurs when the port is discovered for automatic forwarding",
-							"default": "notify"
-						},
-						"elevateIfNeeded": {
-							"type": "boolean",
-							"description": "Automatically prompt for elevation (if needed) when this port is forwarded. Elevate is required if the local port is a privileged port.",
-							"default": false
-						},
-						"label": {
-							"type": "string",
-							"description": "Label that will be shown in the UI for this port.",
-							"default": "Application"
-						},
-						"requireLocalPort": {
-							"type": "boolean",
-							"markdownDescription": "When true, a modal dialog will show if the chosen local port isn't used for forwarding.",
-							"default": false
-						},
-						"protocol": {
-							"type": "string",
-							"enum": [
-								"http",
-								"https"
-							],
-							"description": "The protocol to use when forwarding this port."
-						}
-					},
-					"defaultSnippets": [
-						{
-							"body": {
-								"onAutoForward": "ignore"
-							}
-						}
-					],
-					"markdownDescription": "Set default properties that are applied to all ports that don't get properties from the setting `remote.portsAttributes`. For example:\n\n```\n{\n  \"onAutoForward\": \"ignore\"\n}\n```",
-					"additionalProperties": false
-				},
-				"updateRemoteUserUID": {
-					"type": "boolean",
-					"description": "Controls whether on Linux the container's user should be updated with the local user's UID and GID. On by default when opening from a local folder."
-				},
-				"containerEnv": {
-					"type": "object",
-					"additionalProperties": {
-						"type": "string"
-					},
-					"description": "Container environment variables."
-				},
-				"containerUser": {
-					"type": "string",
-					"description": "The user the container will be started with. The default is the user on the Docker image."
-				},
-				"mounts": {
-					"type": "array",
-					"description": "Mount points to set up when creating the container. See Docker's documentation for the --mount option for the supported syntax.",
-					"items": {
-						"anyOf": [
-							{
-								"$ref": "#/definitions/Mount"
-							},
-							{
-								"type": "string"
-							}
-						]
-					}
-				},
-				"init": {
-					"type": "boolean",
-					"description": "Passes the --init flag when creating the dev container."
-				},
-				"privileged": {
-					"type": "boolean",
-					"description": "Passes the --privileged flag when creating the dev container."
-				},
-				"capAdd": {
-					"type": "array",
-					"description": "Passes docker capabilities to include when creating the dev container.",
-					"examples": [
-						"SYS_PTRACE"
-					],
-					"items": {
-						"type": "string"
-					}
-				},
-				"securityOpt": {
-					"type": "array",
-					"description": "Passes docker security options to include when creating the dev container.",
-					"examples": [
-						"seccomp=unconfined"
-					],
-					"items": {
-						"type": "string"
-					}
-				},
-				"remoteEnv": {
-					"type": "object",
-					"additionalProperties": {
-						"type": [
-							"string",
-							"null"
-						]
-					},
-					"description": "Remote environment variables to set for processes spawned in the container including lifecycle scripts and any remote editor/IDE server process."
-				},
-				"remoteUser": {
-					"type": "string",
-					"description": "The username to use for spawning processes in the container including lifecycle scripts and any remote editor/IDE server process. The default is the same user as the container."
-				},
-				"initializeCommand": {
-					"type": [
-						"string",
-						"array",
-						"object"
-					],
-					"description": "A command to run locally (i.e Your host machine, cloud VM) before anything else. This command is run before \"onCreateCommand\". If this is a single string, it will be run in a shell. If this is an array of strings, it will be run as a single command without shell. If this is an object, each provided command will be run in parallel.",
-					"items": {
-						"type": "string"
-					},
-					"additionalProperties": {
-						"type": [
-							"string",
-							"array"
-						],
-						"items": {
-							"type": "string"
-						}
-					}
-				},
-				"onCreateCommand": {
-					"type": [
-						"string",
-						"array",
-						"object"
-					],
-					"description": "A command to run when creating the container. This command is run after \"initializeCommand\" and before \"updateContentCommand\". If this is a single string, it will be run in a shell. If this is an array of strings, it will be run as a single command without shell. If this is an object, each provided command will be run in parallel.",
-					"items": {
-						"type": "string"
-					},
-					"additionalProperties": {
-						"type": [
-							"string",
-							"array"
-						],
-						"items": {
-							"type": "string"
-						}
-					}
-				},
-				"updateContentCommand": {
-					"type": [
-						"string",
-						"array",
-						"object"
-					],
-					"description": "A command to run when creating the container and rerun when the workspace content was updated while creating the container. This command is run after \"onCreateCommand\" and before \"postCreateCommand\". If this is a single string, it will be run in a shell. If this is an array of strings, it will be run as a single command without shell. If this is an object, each provided command will be run in parallel.",
-					"items": {
-						"type": "string"
-					},
-					"additionalProperties": {
-						"type": [
-							"string",
-							"array"
-						],
-						"items": {
-							"type": "string"
-						}
-					}
-				},
-				"postCreateCommand": {
-					"type": [
-						"string",
-						"array",
-						"object"
-					],
-					"description": "A command to run after creating the container. This command is run after \"updateContentCommand\" and before \"postStartCommand\". If this is a single string, it will be run in a shell. If this is an array of strings, it will be run as a single command without shell. If this is an object, each provided command will be run in parallel.",
-					"items": {
-						"type": "string"
-					},
-					"additionalProperties": {
-						"type": [
-							"string",
-							"array"
-						],
-						"items": {
-							"type": "string"
-						}
-					}
-				},
-				"postStartCommand": {
-					"type": [
-						"string",
-						"array",
-						"object"
-					],
-					"description": "A command to run after starting the container. This command is run after \"postCreateCommand\" and before \"postAttachCommand\". If this is a single string, it will be run in a shell. If this is an array of strings, it will be run as a single command without shell. If this is an object, each provided command will be run in parallel.",
-					"items": {
-						"type": "string"
-					},
-					"additionalProperties": {
-						"type": [
-							"string",
-							"array"
-						],
-						"items": {
-							"type": "string"
-						}
-					}
-				},
-				"postAttachCommand": {
-					"type": [
-						"string",
-						"array",
-						"object"
-					],
-					"description": "A command to run when attaching to the container. This command is run after \"postStartCommand\". If this is a single string, it will be run in a shell. If this is an array of strings, it will be run as a single command without shell. If this is an object, each provided command will be run in parallel.",
-					"items": {
-						"type": "string"
-					},
-					"additionalProperties": {
-						"type": [
-							"string",
-							"array"
-						],
-						"items": {
-							"type": "string"
-						}
-					}
-				},
-				"waitFor": {
-					"type": "string",
-					"enum": [
-						"initializeCommand",
-						"onCreateCommand",
-						"updateContentCommand",
-						"postCreateCommand",
-						"postStartCommand"
-					],
-					"description": "The user command to wait for before continuing execution in the background while the UI is starting up. The default is \"updateContentCommand\"."
-				},
-				"userEnvProbe": {
-					"type": "string",
-					"enum": [
-						"none",
-						"loginShell",
-						"loginInteractiveShell",
-						"interactiveShell"
-					],
-					"description": "User environment probe to run. The default is \"loginInteractiveShell\"."
-				},
-				"hostRequirements": {
-					"type": "object",
-					"description": "Host hardware requirements.",
-					"properties": {
-						"cpus": {
-							"type": "integer",
-							"minimum": 1,
-							"description": "Number of required CPUs."
-						},
-						"memory": {
-							"type": "string",
-							"pattern": "^\\d+([tgmk]b)?$",
-							"description": "Amount of required RAM in bytes. Supports units tb, gb, mb and kb."
-						},
-						"storage": {
-							"type": "string",
-							"pattern": "^\\d+([tgmk]b)?$",
-							"description": "Amount of required disk space in bytes. Supports units tb, gb, mb and kb."
-						},
-						"gpu": {
-							"oneOf": [
-								{
-									"type": [
-										"boolean",
-										"string"
-									],
-									"enum": [
-										true,
-										false,
-										"optional"
-									],
-									"description": "Indicates whether a GPU is required. The string \"optional\" indicates that a GPU is optional. An object value can be used to configure more detailed requirements."
-								},
-								{
-									"type": "object",
-									"properties": {
-										"cores": {
-											"type": "integer",
-											"minimum": 1,
-											"description": "Number of required cores."
-										},
-										"memory": {
-											"type": "string",
-											"pattern": "^\\d+([tgmk]b)?$",
-											"description": "Amount of required RAM in bytes. Supports units tb, gb, mb and kb."
-										}
-									},
-									"description": "Indicates whether a GPU is required. The string \"optional\" indicates that a GPU is optional. An object value can be used to configure more detailed requirements.",
-									"additionalProperties": false
-								}
-							]
-						}
-					},
-					"unevaluatedProperties": false
-				},
-				"customizations": {
-					"type": "object",
-					"description": "Tool-specific configuration. Each tool should use a JSON object subproperty with a unique name to group its customizations."
-				},
-				"additionalProperties": {
-					"type": "object",
-					"additionalProperties": true
-				}
-			}
-		},
-		"nonComposeBase": {
-			"type": "object",
-			"properties": {
-				"appPort": {
-					"type": [
-						"integer",
-						"string",
-						"array"
-					],
-					"description": "Application ports that are exposed by the container. This can be a single port or an array of ports. Each port can be a number or a string. A number is mapped to the same port on the host. A string is passed to Docker unchanged and can be used to map ports differently, e.g. \"8000:8010\".",
-					"items": {
-						"type": [
-							"integer",
-							"string"
-						]
-					}
-				},
-				"runArgs": {
-					"type": "array",
-					"description": "The arguments required when starting in the container.",
-					"items": {
-						"type": "string"
-					}
-				},
-				"shutdownAction": {
-					"type": "string",
-					"enum": [
-						"none",
-						"stopContainer"
-					],
-					"description": "Action to take when the user disconnects from the container in their editor. The default is to stop the container."
-				},
-				"overrideCommand": {
-					"type": "boolean",
-					"description": "Whether to overwrite the command specified in the image. The default is true."
-				},
-				"workspaceFolder": {
-					"type": "string",
-					"description": "The path of the workspace folder inside the container."
-				},
-				"workspaceMount": {
-					"type": "string",
-					"description": "The --mount parameter for docker run. The default is to mount the project folder at /workspaces/$project."
-				}
-			}
-		},
-		"dockerfileContainer": {
-			"oneOf": [
-				{
-					"type": "object",
-					"properties": {
-						"build": {
-							"type": "object",
-							"description": "Docker build-related options.",
-							"allOf": [
-								{
-									"type": "object",
-									"properties": {
-										"dockerfile": {
-											"type": "string",
-											"description": "The location of the Dockerfile that defines the contents of the container. The path is relative to the folder containing the `devcontainer.json` file."
-										},
-										"context": {
-											"type": "string",
-											"description": "The location of the context folder for building the Docker image. The path is relative to the folder containing the `devcontainer.json` file."
-										}
-									},
-									"required": [
-										"dockerfile"
-									]
-								},
-								{
-									"$ref": "#/definitions/buildOptions"
-								}
-							],
-							"unevaluatedProperties": false
-						}
-					},
-					"required": [
-						"build"
-					]
-				},
-				{
-					"allOf": [
-						{
-							"type": "object",
-							"properties": {
-								"dockerFile": {
-									"type": "string",
-									"description": "The location of the Dockerfile that defines the contents of the container. The path is relative to the folder containing the `devcontainer.json` file."
-								},
-								"context": {
-									"type": "string",
-									"description": "The location of the context folder for building the Docker image. The path is relative to the folder containing the `devcontainer.json` file."
-								}
-							},
-							"required": [
-								"dockerFile"
-							]
-						},
-						{
-							"type": "object",
-							"properties": {
-								"build": {
-									"description": "Docker build-related options.",
-									"$ref": "#/definitions/buildOptions"
-								}
-							}
-						}
-					]
-				}
-			]
-		},
-		"buildOptions": {
-			"type": "object",
-			"properties": {
-				"target": {
-					"type": "string",
-					"description": "Target stage in a multi-stage build."
-				},
-				"args": {
-					"type": "object",
-					"additionalProperties": {
-						"type": [
-							"string"
-						]
-					},
-					"description": "Build arguments."
-				},
-				"cacheFrom": {
-					"type": [
-						"string",
-						"array"
-					],
-					"description": "The image to consider as a cache. Use an array to specify multiple images.",
-					"items": {
-						"type": "string"
-					}
-				},
-				"options": {
-					"type": "array",
-					"description": "Additional arguments passed to the build command.",
-					"items": {
-						"type": "string"
-					}
-				}
-			}
-		},
-		"imageContainer": {
-			"type": "object",
-			"properties": {
-				"image": {
-					"type": "string",
-					"description": "The docker image that will be used to create the container."
-				}
-			},
-			"required": [
-				"image"
-			]
-		},
-		"composeContainer": {
-			"type": "object",
-			"properties": {
-				"dockerComposeFile": {
-					"type": [
-						"string",
-						"array"
-					],
-					"description": "The name of the docker-compose file(s) used to start the services.",
-					"items": {
-						"type": "string"
-					}
-				},
-				"service": {
-					"type": "string",
-					"description": "The service you want to work on. This is considered the primary container for your dev environment which your editor will connect to."
-				},
-				"runServices": {
-					"type": "array",
-					"description": "An array of services that should be started and stopped.",
-					"items": {
-						"type": "string"
-					}
-				},
-				"workspaceFolder": {
-					"type": "string",
-					"description": "The path of the workspace folder inside the container. This is typically the target path of a volume mount in the docker-compose.yml."
-				},
-				"shutdownAction": {
-					"type": "string",
-					"enum": [
-						"none",
-						"stopCompose"
-					],
-					"description": "Action to take when the user disconnects from the primary container in their editor. The default is to stop all of the compose containers."
-				},
-				"overrideCommand": {
-					"type": "boolean",
-					"description": "Whether to overwrite the command specified in the image. The default is false."
-				}
-			},
-			"required": [
-				"dockerComposeFile",
-				"service",
-				"workspaceFolder"
-			]
-		},
-		"Mount": {
-			"type": "object",
-			"properties": {
-				"type": {
-					"type": "string",
-					"enum": [
-						"bind",
-						"volume"
-					],
-					"description": "Mount type."
-				},
-				"source": {
-					"type": "string",
-					"description": "Mount source."
-				},
-				"target": {
-					"type": "string",
-					"description": "Mount target."
-				}
-			},
-			"required": [
-				"type",
-				"target"
-			],
-			"additionalProperties": false
-		}
-	},
-	"oneOf": [
-		{
-			"allOf": [
-				{
-					"oneOf": [
-						{
-							"allOf": [
-								{
-									"oneOf": [
-										{
-											"$ref": "#/definitions/dockerfileContainer"
-										},
-										{
-											"$ref": "#/definitions/imageContainer"
-										}
-									]
-								},
-								{
-									"$ref": "#/definitions/nonComposeBase"
-								}
-							]
-						},
-						{
-							"$ref": "#/definitions/composeContainer"
-						}
-					]
-				},
-				{
-					"$ref": "#/definitions/devContainerCommon"
-				}
-			]
-		},
-		{
-			"type": "object",
-			"$ref": "#/definitions/devContainerCommon",
-			"additionalProperties": false
-		}
-	],
-	"unevaluatedProperties": false
-}
@@ -1,5 +0,0 @@
-// Package dcspec contains an automatically generated Devcontainer
-// specification.
-package dcspec
-
-//go:generate ./gen.sh
@@ -1,74 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# This script requires quicktype to be installed.
-# While you can install it using npm, we have it in our devDependencies
-# in ${PROJECT_ROOT}/package.json.
-PROJECT_ROOT="$(git rev-parse --show-toplevel)"
-if ! pnpm list | grep quicktype &>/dev/null; then
-	echo "quicktype is required to run this script!"
-	echo "Ensure that it is present in the devDependencies of ${PROJECT_ROOT}/package.json and then run pnpm install."
-	exit 1
-fi
-
-DEST_FILENAME="dcspec_gen.go"
-SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
-DEST_PATH="${SCRIPT_DIR}/${DEST_FILENAME}"
-
-# Location of the JSON schema for the devcontainer specification.
-SCHEMA_SRC="https://raw.githubusercontent.com/devcontainers/spec/refs/heads/main/schemas/devContainer.base.schema.json"
-SCHEMA_DEST="${SCRIPT_DIR}/devContainer.base.schema.json"
-
-UPDATE_SCHEMA="${UPDATE_SCHEMA:-false}"
-if [[ "${UPDATE_SCHEMA}" = true || ! -f "${SCHEMA_DEST}" ]]; then
-	# Download the latest schema.
-	echo "Updating schema..."
-	curl --fail --silent --show-error --location --output "${SCHEMA_DEST}" "${SCHEMA_SRC}"
-else
-	echo "Using existing schema..."
-fi
-
-TMPDIR=$(mktemp -d)
-trap 'rm -rfv "$TMPDIR"' EXIT
-
-show_stderr=1
-exec 3>&2
-if [[ " $* " == *" --quiet "* ]] || [[ ${DCSPEC_QUIET:-false} == "true" ]]; then
-	# Redirect stderr to log because quicktype can't infer all types and
-	# we don't care right now.
-	show_stderr=0
-	exec 2>"${TMPDIR}/stderr.log"
-fi
-
-if ! pnpm exec quicktype \
-	--src-lang schema \
-	--lang go \
-	--top-level "DevContainer" \
-	--out "${TMPDIR}/${DEST_FILENAME}" \
-	--package "dcspec" \
-	"${SCHEMA_DEST}"; then
-	echo "quicktype failed to generate Go code." >&3
-	if [[ "${show_stderr}" -eq 1 ]]; then
-		cat "${TMPDIR}/stderr.log" >&3
-	fi
-	exit 1
-fi
-
-if [[ "${show_stderr}" -eq 0 ]]; then
-	# Restore stderr.
-	exec 2>&3
-fi
-exec 3>&-
-
-# Format the generated code.
-go run mvdan.cc/gofumpt@v0.8.0 -w -l "${TMPDIR}/${DEST_FILENAME}"
-
-# Add a header so that Go recognizes this as a generated file.
-if grep -q -- "\[-i extension\]" < <(sed -h 2>&1); then
-	# darwin sed
-	sed -i '' '1s/^/\/\/ Code generated by dcspec\/gen.sh. DO NOT EDIT.\n\/\/\n/' "${TMPDIR}/${DEST_FILENAME}"
-else
-	sed -i'' '1s/^/\/\/ Code generated by dcspec\/gen.sh. DO NOT EDIT.\n\/\/\n/' "${TMPDIR}/${DEST_FILENAME}"
-fi
-
-mv -v "${TMPDIR}/${DEST_FILENAME}" "${DEST_PATH}"
@@ -1,5 +0,0 @@
-{
-	"image": "test-image",
-	"runArgs": ["--network=host", "--privileged"],
-	"forwardPorts": [8080, "3000:3000"]
-}
--- a/Show More
+++ b/Show More