Commits on Apr 23, 2026

1. feat: plumb user secrets through provisioner chain to terraform …

   Passes user secrets from coderd to the Terraform process at workspace
   build time so the `data.coder_secret` data source in
   terraform-provider-coder can resolve values at plan time.
   
   Secrets traverse two proto hops: `provisionerdserver` fetches them via
   `ListUserSecretsWithValues`, attaches them to
   `AcquiredJob.WorkspaceBuild.user_secrets` on `provisionerd.proto`;
   `runner.go` forwards into `PlanRequest.user_secrets` on
   `provisioner.proto`; the Terraform provisioner encodes each as
   `CODER_SECRET_ENV_<name>` or `CODER_SECRET_FILE_<hex(path)>` before
   invoking `terraform plan`. Only plan requests carry secrets; apply runs
   with `nil` because values are baked into plan state.
   
   Fetch is gated on `WorkspaceTransitionStart`: stop and delete
   transitions never carry secrets, so revoking or deleting a stored
   secret cannot make a workspace unstoppable. DB errors on the fetch
   fail the job outright rather than silently continuing with an empty
   secret set.

   

   zedkipp committed Apr 23, 2026
   Configuration menu

   • View commit details
   • Copy full SHA for 744abcf
   • Browse repository at this point

   Copy the full SHA

   744abcf View commit details

   Browse the repository at this point in the history

2. Update provisionerd version

   

   zedkipp committed Apr 23, 2026
   Configuration menu

   • View commit details
   • Copy full SHA for fec0e97
   • Browse repository at this point

   Copy the full SHA

   fec0e97 View commit details

   Browse the repository at this point in the history