Navigation Menu
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Comparing changes
Open a pull request
base repository: coder/coder
base: v2.34.3
head repository: coder/coder
compare: v2.34.4
- 9 commits
- 29 files changed
- 12 contributors
Commits on Jun 23, 2026
-
chore: skip failing azureidentity test while under investigation (#26545
) (#26620) Backport of #26545 Original PR: #26545 — chore: skip failing azureidentity test while under investigation Merge commit: a12b051 Requested by: @ethanndickson Co-authored-by: Cian Johnston <cian@coder.com>
Configuration menu - View commit details
-
Copy full SHA for d607e1f - Browse repository at this point
Copy the full SHA d607e1fView commit details
Commits on Jun 27, 2026
-
fix: pin workspace agent API client to intended agent (#26600) (#26611)
Backport of #26600 to `release/2.34`. Original PR: #26600 - fix: pin workspace agent API client to intended agent Merge commit: eeb2624 Requested by: @ethanndickson ## What this fixes The workspace agent API client followed HTTP redirects and trusted the redirected host, letting a malicious agent bounce a coderd request onto a different agent's unauthenticated port-4 API (cross-tenant file read/write and RCE, Cure53 CODAGT-668). `apiClient` now refuses redirects and pins every dial to the intended agent address, and the task-app / scaletest clients share `AppHTTPClient`, which blocks redirects too. ## Conflict resolution The automatic cherry-pick conflicted because #26600 was built on a separate request-context refactor of `apiClient` that is not present on this release branch. The redirect block and agent-address pinning are applied to the existing `apiClient()` here, and the request-context-bounded dial test (which depends on that refactor) is omitted. This branch had no `agentconn_test.go`, so the redirect tests are added as a new `agentconn_test.go`. The two redirect regression tests added by #26600 are included. Co-authored-by: Ethan Dickson <ethan@coder.com>
Configuration menu - View commit details
-
Copy full SHA for ec3ba84 - Browse repository at this point
Copy the full SHA ec3ba84View commit details -
fix(site): set external auth provider polling status individually (#2…
Configuration menu - View commit details
-
Copy full SHA for c1d261c - Browse repository at this point
Copy the full SHA c1d261cView commit details -
fix(coderd): only send prebuild claim reinit for the claim build (#26644
) backport of #26548 for 2.34 ## Problem #23108 made prebuild claim delivery durable: when an agent connects to `/api/v2/workspaceagents/me/reinit?wait=true`, the handler checks whether the workspace's first build was created by the prebuilds system user and whether its latest build succeeded, and if so pre-seeds a `prebuild_claimed` reinitialization event in case the original pubsub event was missed. The check does not verify that the latest build is the claim build, so it keeps firing for the rest of the workspace's life. Any workspace that was claimed from a prebuild receives a spurious "prebuild claimed" reinit every time its agent (re)opens the `/reinit` connection: after every agent restart, every coderd deploy or replica restart, and every dropped SSE connection. Each one shuts the agent down and reinitializes it, killing SSH/IDE sessions and re-running startup scripts. In our deployment, where most workspaces are claimed from prebuilds, this caused fleet-wide "agent disconnected" blips whenever a coderd replica restarted, and a few workspaces whose container exits when the agent restarts went into a restart loop every 15-60 minutes. The agent-side dedup (`lastOwnerID` in `cli/agent.go`) only suppresses the second event within one agent process, so every new agent process takes at least one spurious restart. ## Fix Only seed the reinitialization event while the latest build is the claim build itself, determined from the build job's input (`prebuilt_workspace_stage`), the same signal `provisionerdserver` uses when publishing the claim event: - Latest build is the claim build: behavior unchanged (seed when the job succeeded, 409 when it failed permanently, wait on pubsub while it is in progress). - Latest build is still a prebuilds-initiated build (claim build not created yet): fall through to the pubsub subscription, which delivers the claim event when the claim build completes. - Latest build is any later user-initiated build: the claim was already handled, so return 409 and the agent stops polling, the same as a regular workspace. `dbfake` gains a `MarkPrebuiltWorkspaceClaim()` builder option so tests can model claim builds' job input, and the existing `TestReinit` claim subtests now use it. A new subtest covers the long-claimed workspace case. One deliberate behavior change worth calling out: if a claim build fails and the owner retries with another start build, the handler now returns 409 for that retry build rather than seeding a reinit. This matches the existing treatment of failed claim builds as terminal for the reinit poller. ## Verification - `go test ./coderd/ -run TestReinit` against Postgres 17: all subtests pass, including the new `workspace claimed in the past gets 409` case. - `gofmt`, `go vet`, and `golangci-lint` (v1.64.8) are clean on the touched packages. - The fix mirrors behavior validated by hand against an affected deployment: for a long-claimed workspace, `/reinit?wait=true` returned the seeded `prebuild_claimed` event on every connection before the change and a 409 afterwards. Note: this branch was prepared in an environment without the full local toolchain, so the repo's pre-commit hook (`make pre-commit`) was not run locally; relying on CI for the full gen/fmt/lint suite. Opening as a draft mainly to report the issue and propose a fix; happy to rework it to the maintainers' preferred approach. Co-authored-by: Leon Zhang <leonzh@anthropic.com> Co-authored-by: Sas Swart <sas.swart.cdk@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for ea21e3b - Browse repository at this point
Copy the full SHA ea21e3bView commit details -
fix(coderd): let admins change their own workspace sharing role (#26559…
Configuration menu - View commit details
-
Copy full SHA for 7fdfc7e - Browse repository at this point
Copy the full SHA 7fdfc7eView commit details -
fix(site): add bottom padding to create workspace page (#26431) (#26721)
Configuration menu - View commit details
-
Copy full SHA for f770406 - Browse repository at this point
Copy the full SHA f770406View commit details -
fix(aibridge): support Bedrock Opus 4.8 adaptive thinking (#26691) (#…
…26708) Bedrock rejects legacy `thinking.type=enabled` requests for Claude Opus 4.8 because the model requires adaptive thinking. The AI Bridge Bedrock shim only recognized Opus 4.7 as adaptive-only, so Opus 4.8 requests could fall through and produce Bedrock 400 responses. Add Opus 4.8 to the adaptive-only model detection and cover the regional Bedrock model ID form with a regression test. <details> <summary>Coder Agents disclosure</summary> This PR was generated by Coder Agents on behalf of @ericpaulsen. </details> (cherry picked from commit 96aecd8) <!-- If you have used AI to produce some or all of this PR, please ensure you have read our [AI Contribution guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING) before submitting. --> Co-authored-by: Eric Paulsen <ericpaulsen@coder.com>
Configuration menu - View commit details
-
Copy full SHA for 1c08896 - Browse repository at this point
Copy the full SHA 1c08896View commit details -
fix(enterprise/aibridgeproxyd): stop injecting default port into forw…
…arded Host header (#26656) (#26663) Backport of #26656 Original PR: #26656 — fix(enterprise/aibridgeproxyd): stop injecting default port into forwarded Host header Merge commit: c41d219 Requested by: @ssncferreira Co-authored-by: Susana Ferreira <susana@coder.com> Co-authored-by: Garrett Delfosse <delfossegarrett@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for e436efc - Browse repository at this point
Copy the full SHA e436efcView commit details -
fix(site): keep TemplateVersionEditor file tree in sync (#25068) (#26770
Configuration menu - View commit details
-
Copy full SHA for 19d9274 - Browse repository at this point
Copy the full SHA 19d9274View commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v2.34.3...v2.34.4
