docs: add deprecation warning for login-type none (#24594)

The `--login-type none` option for `coder users create` is deprecated.
This adds deprecation warnings to all docs that reference it and updates
the CI/CD tutorial to recommend the replacement flows.

Refs DEVEX-224

<details>
<summary>Changes</summary>

- `cli/usercreate.go`: Append deprecation notice to `--login-type` flag
description.
- `docs/tutorials/testing-templates.md`: Replace `--login-type none`
example with separate Premium (`--service-account`) and OSS
(`--login-type password`) examples.
- `docs/reference/cli/users_create.md`: Regenerated from CLI source.
- `cli/testdata/coder_users_create_--help.golden`: Updated golden
snapshot.

</details>

> [!NOTE]
> Generated by Coder Agents.

cli/testdata/coder_users_create_--help.golden

@@ -19,7 +19,9 @@ OPTIONS:
           Optionally specify the login type for the user. Valid values are:
           password, none, github, oidc. Using 'none' prevents the user from
           authenticating and requires an API key/token to be generated by an
-          admin.
+          admin. Deprecated: 'none' is deprecated. Use service accounts
+          (requires Premium) for machine-to-machine access, or
+          password/github/oidc login types for regular user accounts.
 
   -p, --password string
           Specifies a password for the new user.

cli/usercreate.go

@@ -207,7 +207,9 @@ Create a workspace  `+pretty.Sprint(cliui.DefaultStyles.Code, "coder create")+`!
 		{
 			Flag: "login-type",
 			Description: fmt.Sprintf("Optionally specify the login type for the user. Valid values are: %s. "+
-				"Using 'none' prevents the user from authenticating and requires an API key/token to be generated by an admin.",
+				"Using 'none' prevents the user from authenticating and requires an API key/token to be generated by an admin. "+
+				"Deprecated: 'none' is deprecated. Use service accounts (requires Premium) for machine-to-machine access, "+
+				"or password/github/oidc login types for regular user accounts.",
 				strings.Join([]string{
 					string(codersdk.LoginTypePassword), string(codersdk.LoginTypeNone), string(codersdk.LoginTypeGithub), string(codersdk.LoginTypeOIDC),
 				}, ", ",

codersdk/apikey.go

@@ -35,10 +35,13 @@ const (
 	LoginTypeGithub   LoginType = "github"
 	LoginTypeOIDC     LoginType = "oidc"
 	LoginTypeToken    LoginType = "token"
-	// LoginTypeNone is used if no login method is available for this user.
-	// If this is set, the user has no method of logging in.
+	// LoginTypeNone is used if no login method is available for this
+	// user. If this is set, the user has no method of logging in.
 	// API keys can still be created by an owner and used by the user.
 	// These keys would use the `LoginTypeToken` type.
+	//
+	// Deprecated: Use service accounts (Premium) for headless/machine
+	// access, or password/github/oidc login types for regular users.
 	LoginTypeNone LoginType = "none"
 )
 

docs/reference/cli/users_create.md

@@ -49,7 +49,7 @@ Specifies a password for the new user.
 |------|---------------------|
 | Type | <code>string</code> |
 
-Optionally specify the login type for the user. Valid values are: password, none, github, oidc. Using 'none' prevents the user from authenticating and requires an API key/token to be generated by an admin.
+Optionally specify the login type for the user. Valid values are: password, none, github, oidc. Using 'none' prevents the user from authenticating and requires an API key/token to be generated by an admin. Deprecated: 'none' is deprecated. Use service accounts (requires Premium) for machine-to-machine access, or password/github/oidc login types for regular user accounts.
 
 ### --service-account
 

docs/tutorials/testing-templates.md

@@ -26,11 +26,31 @@ ensures your templates are validated, tested, and promoted seamlessly.
 
 ## Creating the headless user
 
+> [!WARNING]
+> Creating users with `--login-type none` is deprecated.
+> For [Premium](https://coder.com/pricing) deployments, use
+> [service accounts](../admin/users/headless-auth.md) instead.
+> For OSS deployments, use a regular account with password, GitHub, or OIDC
+> authentication.
+
+For Premium deployments, create a service account:
+
+```shell
+coder users create \
+  --username machine-user \
+  --service-account
+
+coder tokens create --user machine-user --lifetime 8760h
+# Copy the token and store it in a secret in your CI environment with the name `CODER_SESSION_TOKEN`
+```
+
+For OSS deployments, create a regular user:
+
 ```shell
 coder users create \
   --username machine-user \
   --email machine-user@example.com \
-  --login-type none
+  --login-type password
 
 coder tokens create --user machine-user --lifetime 8760h
 # Copy the token and store it in a secret in your CI environment with the name `CODER_SESSION_TOKEN`