Comparing v2.29.17...v2.29.18 · coder/coder · GitHub
Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: coder/coder
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v2.29.17
Choose a base ref
...
head repository: coder/coder
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v2.29.18
Choose a head ref
  • 5 commits
  • 37 files changed
  • 8 contributors

Commits on Jun 16, 2026

  1. fix(enterprise/aibridgedserver): check user is active in aibridge auth ( 

    #26173) (#26322)

Backport of #26173 to `release/2.29` (SEC-106 / AIGOV-385).

Conflict resolution: the package lives at `enterprise/aibridgedserver`
on 2.29 (moved to `coderd/` on main); the diff was retargeted. Dropped
the `TestAuthorization_Delegated` cases and `ErrAmbiguousAuth`, since
the delegated KeyId auth path does not exist on this branch.

> 🤖 Backport prepared by Coder Agents on behalf of @f0ssel.

Co-authored-by: Paweł Banaszewski <pawel@coder.com>
    @f0ssel @pawbana
    f0ssel and pawbana authored Jun 16, 2026
    Configuration menu
    Copy the full SHA
    2d2ee9b View commit details
    Browse the repository at this point in the history

Commits on Jun 17, 2026

  1. fix(coderd/httpmw): honor fixed lifetime for CLI API tokens (#26376) (#… 

    …26442)

Backport of #26376

Original PR: #26376 — fix(coderd/httpmw): honor fixed lifetime for CLI
API tokens
Merge commit: 450ddff
Requested by: @jdomeracki-coder

Programmatic API tokens (login type `token`, created via `coder tokens
create`) had their `expires_at` extended to `now + lifetime` on each
authenticated request, so a token used within its lifetime window never
actually expired. This restricts the sliding-window expiry refresh to
interactive login sessions (password / OIDC / GitHub) so programmatic
tokens honor their fixed `expires_at`.

<details>
<summary>Backport note</summary>

#26376 was authored against `main`, where this logic lives in the
refactored `ValidateAPIKey`. On `release/2.29` the equivalent
sliding-window expiry refresh is in `ExtractAPIKey`, so the same
one-line guard (`key.LoginType != database.LoginTypeToken`) and the
`TokenNoExpiryRefresh` regression test were applied there. The resulting
diff is identical in size (+38/-1).
</details>

<details>
<summary>Validation</summary>

- `go build ./coderd/httpmw/...` (clean)
- `gofmt -l` and `go vet ./coderd/httpmw/` (clean)
- `go test ./coderd/httpmw/ -run
'TestAPIKey/(TokenNoExpiryRefresh|ValidUpdateExpiry|NoRefresh)'
-count=1` (all pass)
- Confirmed the new `TokenNoExpiryRefresh` test fails without the
production change and passes with it.
</details>

---
🤖 Generated by Coder Agents on behalf of @jdomeracki-coder.
    @jdomeracki-coder
    jdomeracki-coder authored Jun 17, 2026
    Configuration menu
    Copy the full SHA
    fd1be86 View commit details
    Browse the repository at this point in the history

  2. chore: add AWS PRM user-agent attribution for partner revenue tracking ( 

    #23138) (#26473)

Backport of #23138 to `release/2.29`.

Original PR: #23138 — feat: add AWS PRM user-agent attribution for
partner revenue tracking
Merge commit: 5ff1058
Requested by: @matifali (per Slack thread, ESR 2.29 included)

2.29 is outside the auto-backport workflow's scope (latest 3 release
branches), so this was cherry-picked manually. The `provision.go` hunk
auto-merged cleanly. The `provision_test.go` hunk needed a small manual
resolution because 2.29's `TestProvision_SafeEnv` ends right after the
`CODER_` assertion (no `apply` follow-up checks yet on this branch);
only the new `AWS_SDK_UA_APP_ID` assertion was kept.

`go test -run TestProvision_SafeEnv ./provisioner/terraform/` passes
locally.

_Cherry-picked by Coder Agents on behalf of @DevelopmentCats._

---------

Co-authored-by: blinkagent[bot] <237617714+blinkagent[bot]@users.noreply.github.com>
Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: Atif Ali <atif@coder.com>
    @DevelopmentCats @blinkagent
    @blink-so @matifali
    4 people authored Jun 17, 2026
    Configuration menu
    Copy the full SHA
    a2aef4e View commit details
    Browse the repository at this point in the history

  3. test(coderd/agentapi): fix pre-existing rebind test on release/2.29 (#… 

    …26493)

## Summary

Fixes a pre-existing test failure on `release/2.29`:
`TestSubAgentAPI/CreateSubAgentWithAppRebindRejected` in
`coderd/agentapi`. The branch is currently red because of this test.

## Root cause

The `CreateSubAgentWithAppRebindRejected` case passes apps in the
request, so `SubAgentAPI.CreateSubAgent` (`coderd/agentapi/subagent.go`)
resolves the parent agent's workspace and template — calling
`GetWorkspaceByAgentID` and `GetTemplateByID` — to determine the maximum
app sharing level.

On `release/2.29` the test sets up a `dbmock.MockStore` but does **not**
register expectations for those two calls, so the test aborts with:

```
subagent.go:92: Unexpected call to *dbmock.MockStore.GetWorkspaceByAgentID(...) because: there are no expected calls of the method "GetWorkspaceByAgentID" for that receiver
```

The mocks exist on `main` (added alongside the sub-agent
app-sharing-level work) but were missing from the version that landed on
`release/2.29` (via #26290, the backport of #26103). This change adds
the missing `workspace`/`template` fixtures and the two mock
expectations so the test matches `main`.

## Verification

```
go test ./coderd/agentapi/ -run "TestSubAgentAPI/CreateSubAgentWithAppRebindRejected" -count=1   # ok
go test ./coderd/agentapi/ -run "TestSubAgentAPI" -count=1                                       # ok
gofmt -l coderd/agentapi/subagent_test.go                                                        # clean
```

This is a test-only change; no production code is touched.

## Notes

This also unblocks the `test-go-pg` jobs on #26486 (backport of #26418 +
#26419), which were failing solely on this same pre-existing test.

---

<sub>Opened by Coder Agents on behalf of @f0ssel.</sub>
    @f0ssel
    f0ssel authored Jun 17, 2026
    Configuration menu
    Copy the full SHA
    df5d1d5 View commit details
    Browse the repository at this point in the history

  4. feat: backport OIDC auth link repair to 2.29 (#26418, #26419) (#26486) 

    Backports #26418 and #26419 to `release/2.29` as a single PR (both carry
the `backport` label). 2.29 was not covered by the automatic backports
(only 2.32/2.33/2.34 were).

- #26418: adds the `coderd/authlink` package and the `coder server
fix-oidc-links` CLI command for analyzing/repairing OIDC linked IDs.
- #26419: adds the `CODER_OIDC_REPAIR_LINKS` deployment flag (default
`true`, opt-out) that auto-repairs mismatched OIDC links on server
startup.

## Cherry-picks

- `feat: implement package and cli tool for repairing oidc links
(#26418)` — merge commit `1d03e63`
- `feat: deployment flag to auto handle changed oidc providers (#26419)`
— merge commit `0e45ded`

<details>
<summary>2.29 adaptation notes (decision log)</summary>

The cherry-picks needed adaptation to build on `release/2.29`:

- **slog**: 2.29 predates the `cdr.dev/slog/v3` migration, so imports
were reverted to `cdr.dev/slog` (v2). The slog API used (`AppendSinks`,
`Leveled`, `LevelDebug`, `sloghuman.Sink`, `slogtest.Make`) is identical
across versions.
- **CLI test**: `testutil/expecter` does not exist in 2.29;
`TestFixOIDCLinks` was rewritten to use `pty/ptytest`
(`ExpectMatchContext`), the established pattern in this branch.
- **OIDC init relocation**: #26419 moves OIDC initialization to after
database/deployment-id setup so the repair call has `options.Database`.
The same relocation was applied in 2.29's `cli/server.go` (the
surrounding AI-bridge code from main does not exist in 2.29 and was
excluded).
- **`RedirectURL` excluded**: `OIDCConfig.RedirectURL` / the
`oidc-redirect-url` option exist on `main` but not on 2.29 and are
unrelated to these PRs. Only `AutoRepairLinks` was backported.
- **Generated code**: the DB layer (`querier.go`, `queries.sql.go`,
`dbmock.go`, `querymetrics.go`) was regenerated with the pinned
`coder/sqlc` fork; golden files, `typesGenerated.ts`, and the CLI/API
docs were regenerated with 2.29 tooling. No DB migration is involved.

**Validation**: `go build ./...`, `go vet`, and `golangci-lint` pass.
The OIDC unit tests pass: `TestFixOIDCLinks`, `TestOIDCAuthLinks`, the
`coderd/authlink` suite, and the `dbauthz` `TestMethodTestSuite`
(including the two new methods).
</details>

---
*Opened by Coder Agents on behalf of @f0ssel.*

---------

Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
    @f0ssel @Emyrk
    f0ssel and Emyrk authored Jun 17, 2026
    Configuration menu
    Copy the full SHA
    a3e71ed View commit details
    Browse the repository at this point in the history
Loading