From d23a6959fc7426895342bb6add3076abc758dcc2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Kayla=20=E3=81=AF=E3=81=AA?= Date: Wed, 15 Apr 2026 15:02:47 -0600 Subject: [PATCH] chore: upgrade to ubuntu 26.04 (#24267) --- .github/workflows/ci.yaml | 2 +- .github/workflows/dogfood.yaml | 37 +- .gitignore | 1 - Makefile | 2 +- dogfood/coder/Makefile | 39 +- dogfood/coder/main.tf | 16 +- dogfood/coder/{ => ubuntu-22.04}/Dockerfile | 0 .../configure-chrome-flags.sh | 0 .../files/etc/apt/apt.conf.d/80-no-recommends | 0 .../files/etc/apt/apt.conf.d/80-retries | 0 .../files/etc/apt/apt.conf.d/99-chrome-flags | 0 .../files/etc/apt/preferences.d/containerd | 0 .../files/etc/apt/preferences.d/docker | 0 .../files/etc/apt/preferences.d/github-cli | 0 .../files/etc/apt/preferences.d/google-cloud | 0 .../files/etc/apt/preferences.d/hashicorp | 0 .../files/etc/apt/preferences.d/ppa | 0 .../files/etc/apt/sources.list.d/docker.list | 0 .../etc/apt/sources.list.d/google-cloud.list | 0 .../etc/apt/sources.list.d/hashicorp.list | 0 .../etc/apt/sources.list.d/postgresql.list | 0 .../files/etc/apt/sources.list.d/ppa.list | 0 .../files/etc/docker/daemon.json | 0 .../{ => ubuntu-22.04}/files/usr/local/bin/gh | 0 .../files/usr/share/keyrings/ansible.gpg | Bin .../files/usr/share/keyrings/docker.gpg | Bin .../files/usr/share/keyrings/fish-shell.gpg | Bin .../files/usr/share/keyrings/git-core.gpg | Bin .../files/usr/share/keyrings/github-cli.gpg | Bin .../files/usr/share/keyrings/google-cloud.gpg | Bin .../files/usr/share/keyrings/hashicorp.gpg | Bin .../files/usr/share/keyrings/helix.gpg | Bin .../files/usr/share/keyrings/neovim.gpg | Bin .../files/usr/share/keyrings/postgresql.gpg | Bin .../coder/{ => ubuntu-22.04}/update-keys.sh | 25 +- dogfood/coder/ubuntu-26.04/Dockerfile | 368 ++++++++++++++++++ .../files/etc/apt/apt.conf.d/80-no-recommends | 6 + .../files/etc/apt/apt.conf.d/80-retries | 1 + .../files/etc/apt/apt.conf.d/99-chrome-flags | 3 + .../files/etc/apt/preferences.d/containerd | 6 + .../files/etc/apt/preferences.d/docker | 23 ++ 
.../files/etc/apt/preferences.d/github-cli | 8 + .../files/etc/apt/preferences.d/google-cloud | 19 + .../files/etc/apt/preferences.d/hashicorp | 14 + .../files/etc/apt/sources.list.d/docker.list | 1 + .../etc/apt/sources.list.d/google-cloud.list | 1 + .../etc/apt/sources.list.d/hashicorp.list | 1 + .../etc/apt/sources.list.d/postgresql.list | 1 + .../ubuntu-26.04/files/etc/docker/daemon.json | 3 + .../files/opt/configure-chrome-flags.sh | 31 ++ .../coder/ubuntu-26.04/files/usr/local/bin/gh | 32 ++ .../files/usr/share/keyrings/docker.gpg | Bin 0 -> 2760 bytes .../files/usr/share/keyrings/github-cli.gpg | Bin 0 -> 2270 bytes .../files/usr/share/keyrings/google-cloud.gpg | Bin 0 -> 1905 bytes .../files/usr/share/keyrings/hashicorp.gpg | Bin 0 -> 2879 bytes .../files/usr/share/keyrings/postgresql.gpg | Bin 0 -> 3494 bytes dogfood/coder/ubuntu-26.04/update-keys.sh | 40 ++ scripts/check_go_versions.sh | 16 +- 58 files changed, 654 insertions(+), 42 deletions(-) rename dogfood/coder/{ => ubuntu-22.04}/Dockerfile (100%) rename dogfood/coder/{ => ubuntu-22.04}/configure-chrome-flags.sh (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/apt.conf.d/80-no-recommends (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/apt.conf.d/80-retries (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/apt.conf.d/99-chrome-flags (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/preferences.d/containerd (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/preferences.d/docker (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/preferences.d/github-cli (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/preferences.d/google-cloud (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/preferences.d/hashicorp (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/preferences.d/ppa (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/sources.list.d/docker.list (100%) rename dogfood/coder/{ => 
ubuntu-22.04}/files/etc/apt/sources.list.d/google-cloud.list (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/sources.list.d/hashicorp.list (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/sources.list.d/postgresql.list (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/apt/sources.list.d/ppa.list (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/etc/docker/daemon.json (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/local/bin/gh (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/ansible.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/docker.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/fish-shell.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/git-core.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/github-cli.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/google-cloud.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/hashicorp.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/helix.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/neovim.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/files/usr/share/keyrings/postgresql.gpg (100%) rename dogfood/coder/{ => ubuntu-22.04}/update-keys.sh (66%) create mode 100644 dogfood/coder/ubuntu-26.04/Dockerfile create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-no-recommends create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-retries create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/99-chrome-flags create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/github-cli create mode 100644 
dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/google-cloud create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/hashicorp create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/google-cloud.list create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/hashicorp.list create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/postgresql.list create mode 100644 dogfood/coder/ubuntu-26.04/files/etc/docker/daemon.json create mode 100644 dogfood/coder/ubuntu-26.04/files/opt/configure-chrome-flags.sh create mode 100755 dogfood/coder/ubuntu-26.04/files/usr/local/bin/gh create mode 100644 dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/docker.gpg create mode 100644 dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/github-cli.gpg create mode 100644 dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/google-cloud.gpg create mode 100644 dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/hashicorp.gpg create mode 100644 dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/postgresql.gpg create mode 100755 dogfood/coder/ubuntu-26.04/update-keys.sh diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index cfb40c9c9d..0d63f842df 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -178,7 +178,7 @@ jobs: - name: Get golangci-lint cache dir run: | - linter_ver=$(grep -Eo 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/Dockerfile | cut -d '=' -f 2) + linter_ver=$(grep -Eo 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/ubuntu-26.04/Dockerfile | cut -d '=' -f 2) ./.github/scripts/retry.sh -- go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver" dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }') echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV" diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml index a2dce9553d..370530d53c 100644 
--- a/.github/workflows/dogfood.yaml +++ b/.github/workflows/dogfood.yaml @@ -22,6 +22,11 @@ permissions: jobs: build_image: + strategy: + fail-fast: false + matrix: + image-version: ["22.04", "26.04", "nix"] + if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }} steps: @@ -41,6 +46,7 @@ jobs: # Pinning to 2.28 here, as Nix gets a "error: [json.exception.type_error.302] type must be array, but is string" # on version 2.29 and above. nix_version: "2.28.5" + if: matrix.image-version == 'nix' - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7.0.2 with: @@ -60,10 +66,12 @@ jobs: purge-created: 0 # except the version with the `primary-key`, if it exists purge-primary-key: never + if: matrix.image-version == 'nix' - name: Get branch name id: branch-name uses: tj-actions/branch-names@5250492686b253f06fa55861556d1027b067aeb5 # v9.0.2 + if: matrix.image-version != 'nix' - name: "Branch name to Docker tag name" id: docker-tag-name @@ -73,12 +81,15 @@ jobs: echo "tag=${tag}" >> "$GITHUB_OUTPUT" env: BRANCH_NAME: ${{ steps.branch-name.outputs.current_branch }} + if: matrix.image-version != 'nix' - name: Set up Depot CLI uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1 + if: matrix.image-version != 'nix' - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + if: matrix.image-version != 'nix' - name: Login to DockerHub if: github.ref == 'refs/heads/main' 
@@ -87,23 +98,41 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - - name: Build and push Non-Nix image + - name: Build and push Ubuntu 22.04 image uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0 with: project: b4q6ltmpzh token: ${{ secrets.DEPOT_TOKEN }} buildx-fallback: true - context: "{{defaultContext}}:dogfood/coder" + context: "{{defaultContext}}:dogfood/coder/ubuntu-22.04" pull: true save: true push: ${{ github.ref == 'refs/heads/main' }} - tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest" + # TODO: move the `latest` tag to 26.04 soon. we don't want to transition + # it immediately because that would make workspaces switch to it + # automatically without any grace period. + tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:22.04,codercom/oss-dogfood:latest" + if: matrix.image-version == '22.04' + + - name: Build and push Ubuntu 26.04 image + uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0 + with: + project: b4q6ltmpzh + token: ${{ secrets.DEPOT_TOKEN }} + buildx-fallback: true + context: "{{defaultContext}}:dogfood/coder/ubuntu-26.04" + pull: true + save: true + push: ${{ github.ref == 'refs/heads/main' }} + tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:26.04" + if: matrix.image-version == '26.04' - name: Build Nix image run: nix build .#dev_image + if: matrix.image-version == 'nix' - name: Push Nix image - if: github.ref == 'refs/heads/main' + if: matrix.image-version == 'nix' && github.ref == 'refs/heads/main' run: | docker load -i result diff --git a/.gitignore b/.gitignore index abf76379f9..f94151d621 100644 --- a/.gitignore +++ b/.gitignore @@ -42,7 +42,6 @@ site/.swc .gen-golden # Build -bin/ build/ dist/ out/ diff --git a/Makefile b/Makefile index 1e51438858..a1afce77eb 100644 --- a/Makefile +++ b/Makefile 
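Review bot: Both image steps publish the same branch-derived tag, `codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }}`, from two matrix jobs that run in parallel. On `main` that tag therefore ends up on whichever of the 22.04 and 26.04 builds finishes last. Someone pulling the branch tag cannot tell which base image they get, and it can flip from one run to the next. Prefixing the tag with the release keeps the two apart, as dogfood/coder/Makefile already does for local builds: `codercom/oss-dogfood:22.04-${{ steps.docker-tag-name.outputs.tag }}` in the 22.04 step and `codercom/oss-dogfood:26.04-${{ steps.docker-tag-name.outputs.tag }}` in the 26.04 step.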
@@ -718,7 +718,7 @@ lint/ts: site/node_modules/.installed lint/go: ./scripts/check_enterprise_imports.sh ./scripts/check_codersdk_imports.sh - linter_ver=$$(grep -oE 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/Dockerfile | cut -d '=' -f 2) + linter_ver=$$(grep -oE 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/ubuntu-26.04/Dockerfile | cut -d '=' -f 2) go run github.com/golangci/golangci-lint/cmd/golangci-lint@v$$linter_ver run go tool github.com/coder/paralleltestctx/cmd/paralleltestctx -custom-funcs="testutil.Context" ./... .PHONY: lint/go diff --git a/dogfood/coder/Makefile b/dogfood/coder/Makefile index 061530f50d..2403fae04c 100644 --- a/dogfood/coder/Makefile +++ b/dogfood/coder/Makefile 
@@ -1,10 +1,37 @@ -.PHONY: docker-build docker-push +# Use the branch name to differentiate test builds from actual pulled images, +# replacing forward slashes with hyphens, as forward slashes are not valid in +# tag names. +build_tag ?= $(shell git rev-parse --abbrev-ref HEAD | sed "s/\\//-/") -branch=$(shell git rev-parse --abbrev-ref HEAD) -build_tag=codercom/oss-dogfood:${branch} +build: build-ubuntu-22.04 build-ubuntu-26.04 +.PHONY: build -build: - DOCKER_BUILDKIT=1 docker build . -t ${build_tag} +build-ubuntu-22.04: + (cd ubuntu-22.04/ && DOCKER_BUILDKIT=1 docker build . -t "codercom/oss-dogfood:22.04-$(build_tag)") +.PHONY: build-ubuntu-22.04 -push: build +build-ubuntu-26.04: + (cd ubuntu-26.04/ && DOCKER_BUILDKIT=1 docker build . -t "codercom/oss-dogfood:26.04-$(build_tag)") +.PHONY: build-ubuntu-26.04 + +push: push-ubuntu-22.04 push-ubuntu-26.04 +.PHONY: push + +push-ubuntu-22.04: build-ubuntu-22.04 docker push ${build_tag} +.PHONY: push-ubuntu-22.04 + +push-ubuntu-26.04: build-ubuntu-26.04 + docker push ${build_tag} +.PHONY: push-ubuntu-26.04 + +update-keys: update-keys-ubuntu-22.04 update-keys-ubuntu-26.04 +.PHONY: update-keys + +update-keys-ubuntu-22.04: + ./ubuntu-22.04/update-keys.sh +.PHONY: update-keys-ubuntu-22.04 + +update-keys-ubuntu-26.04: + ./ubuntu-26.04/update-keys.sh +.PHONY: update-keys-ubuntu-26.04 diff --git a/dogfood/coder/main.tf b/dogfood/coder/main.tf index cf807684d8..665b16515e 100644 --- a/dogfood/coder/main.tf +++ b/dogfood/coder/main.tf 
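Review bot: The two push recipes still run `docker push ${build_tag}`, but `build_tag` is now only the sanitised branch name, while the build recipes tag `codercom/oss-dogfood:22.04-$(build_tag)` and `codercom/oss-dogfood:26.04-$(build_tag)`. As written, `make push` asks Docker to push a repository named after the branch rather than the image that was just built. Each push recipe should name the image its prerequisite produced, `docker push "codercom/oss-dogfood:22.04-$(build_tag)"` and `docker push "codercom/oss-dogfood:26.04-$(build_tag)"`. Separately, the `sed "s/\\//-/"` expression has no `g` flag and replaces only the first slash, so a branch name with two slashes still yields an invalid tag; `sed "s/\\//-/g"` would match what the comment above it describes.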
@@ -124,12 +124,17 @@ data "coder_parameter" "repo_base_dir" { data "coder_parameter" "image_type" { type = "string" name = "Coder Image" - default = "codercom/oss-dogfood:latest" - description = "The Docker image used to run your workspace. Choose between nix and non-nix images." + default = "codercom/oss-dogfood:26.04" + description = "The Docker image used to run your workspace." option { icon = "/icon/coder.svg" - name = "Dogfood (Default)" - value = "codercom/oss-dogfood:latest" + name = "Ubuntu 26.04" + value = "codercom/oss-dogfood:26.04" + } + option { + icon = "/icon/coder.svg" + name = "Ubuntu 22.04" + value = "codercom/oss-dogfood:22.04" } option { icon = "/icon/nix.svg" @@ -770,7 +775,8 @@ resource "docker_image" "dogfood" { pull_triggers = [ data.docker_registry_image.dogfood.sha256_digest, sha1(join("", [for f in fileset(path.module, "files/*") : filesha1(f)])), - filesha1("Dockerfile"), + filesha1("ubuntu-22.04/Dockerfile"), + filesha1("ubuntu-26.04/Dockerfile"), filesha1("nix.hash"), ] keep_locally = true diff --git a/dogfood/coder/Dockerfile b/dogfood/coder/ubuntu-22.04/Dockerfile similarity index 100% rename from dogfood/coder/Dockerfile rename to dogfood/coder/ubuntu-22.04/Dockerfile diff --git a/dogfood/coder/configure-chrome-flags.sh b/dogfood/coder/ubuntu-22.04/configure-chrome-flags.sh similarity index 100% rename from dogfood/coder/configure-chrome-flags.sh rename to dogfood/coder/ubuntu-22.04/configure-chrome-flags.sh diff --git a/dogfood/coder/files/etc/apt/apt.conf.d/80-no-recommends b/dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/80-no-recommends similarity index 100% rename from dogfood/coder/files/etc/apt/apt.conf.d/80-no-recommends rename to dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/80-no-recommends 
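Review bot: The `pull_triggers` list still hashes `fileset(path.module, "files/*")`, although this commit moves that directory to `ubuntu-22.04/files` and adds `ubuntu-26.04/files`; only the two `Dockerfile` entries were updated in the second hunk. If no `files/` directory remains next to main.tf, the expression hashes an empty list, so edits to the apt sources, pin files and keyrings copied into the images no longer change the trigger. Pointing the glob at the new locations, for example `fileset(path.module, "ubuntu-*/files/**")`, would restore it, and would also cover nested files, which the single-level `files/*` pattern presumably never did. The `docker_image.dogfood` resource starts and ends outside the hunk.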
diff --git a/dogfood/coder/files/etc/apt/apt.conf.d/80-retries b/dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/80-retries
similarity index 100%
rename from dogfood/coder/files/etc/apt/apt.conf.d/80-retries
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/80-retries
diff --git a/dogfood/coder/files/etc/apt/apt.conf.d/99-chrome-flags b/dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/99-chrome-flags
similarity index 100%
rename from dogfood/coder/files/etc/apt/apt.conf.d/99-chrome-flags
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/99-chrome-flags
diff --git a/dogfood/coder/files/etc/apt/preferences.d/containerd b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/containerd
similarity index 100%
rename from dogfood/coder/files/etc/apt/preferences.d/containerd
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/containerd
diff --git a/dogfood/coder/files/etc/apt/preferences.d/docker b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/docker
similarity index 100%
rename from dogfood/coder/files/etc/apt/preferences.d/docker
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/docker
diff --git a/dogfood/coder/files/etc/apt/preferences.d/github-cli b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/github-cli
similarity index 100%
rename from dogfood/coder/files/etc/apt/preferences.d/github-cli
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/github-cli
diff --git a/dogfood/coder/files/etc/apt/preferences.d/google-cloud b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/google-cloud
similarity index 100%
rename from dogfood/coder/files/etc/apt/preferences.d/google-cloud
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/google-cloud
diff --git a/dogfood/coder/files/etc/apt/preferences.d/hashicorp b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/hashicorp
similarity index 100%
rename from dogfood/coder/files/etc/apt/preferences.d/hashicorp
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/hashicorp
diff --git a/dogfood/coder/files/etc/apt/preferences.d/ppa b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/ppa
similarity index 100%
rename from dogfood/coder/files/etc/apt/preferences.d/ppa
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/ppa
diff --git a/dogfood/coder/files/etc/apt/sources.list.d/docker.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/docker.list
similarity index 100%
rename from dogfood/coder/files/etc/apt/sources.list.d/docker.list
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/docker.list
diff --git a/dogfood/coder/files/etc/apt/sources.list.d/google-cloud.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/google-cloud.list
similarity index 100%
rename from dogfood/coder/files/etc/apt/sources.list.d/google-cloud.list
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/google-cloud.list
diff --git a/dogfood/coder/files/etc/apt/sources.list.d/hashicorp.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/hashicorp.list
similarity index 100%
rename from dogfood/coder/files/etc/apt/sources.list.d/hashicorp.list
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/hashicorp.list
diff --git a/dogfood/coder/files/etc/apt/sources.list.d/postgresql.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/postgresql.list
similarity index 100%
rename from dogfood/coder/files/etc/apt/sources.list.d/postgresql.list
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/postgresql.list
diff --git a/dogfood/coder/files/etc/apt/sources.list.d/ppa.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/ppa.list
similarity index 100%
rename from dogfood/coder/files/etc/apt/sources.list.d/ppa.list
rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/ppa.list
diff --git a/dogfood/coder/files/etc/docker/daemon.json b/dogfood/coder/ubuntu-22.04/files/etc/docker/daemon.json
similarity index 100%
rename from dogfood/coder/files/etc/docker/daemon.json
rename to dogfood/coder/ubuntu-22.04/files/etc/docker/daemon.json
diff --git a/dogfood/coder/files/usr/local/bin/gh b/dogfood/coder/ubuntu-22.04/files/usr/local/bin/gh
similarity index 100%
rename from dogfood/coder/files/usr/local/bin/gh
rename to dogfood/coder/ubuntu-22.04/files/usr/local/bin/gh
diff --git a/dogfood/coder/files/usr/share/keyrings/ansible.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/ansible.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/ansible.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/ansible.gpg
diff --git a/dogfood/coder/files/usr/share/keyrings/docker.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/docker.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/docker.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/docker.gpg
diff --git a/dogfood/coder/files/usr/share/keyrings/fish-shell.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/fish-shell.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/fish-shell.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/fish-shell.gpg
diff --git a/dogfood/coder/files/usr/share/keyrings/git-core.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/git-core.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/git-core.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/git-core.gpg
diff --git a/dogfood/coder/files/usr/share/keyrings/github-cli.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/github-cli.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/github-cli.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/github-cli.gpg
diff --git a/dogfood/coder/files/usr/share/keyrings/google-cloud.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/google-cloud.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/google-cloud.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/google-cloud.gpg
diff --git a/dogfood/coder/files/usr/share/keyrings/hashicorp.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/hashicorp.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/hashicorp.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/hashicorp.gpg
diff --git a/dogfood/coder/files/usr/share/keyrings/helix.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/helix.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/helix.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/helix.gpg
diff --git a/dogfood/coder/files/usr/share/keyrings/neovim.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/neovim.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/neovim.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/neovim.gpg
diff --git a/dogfood/coder/files/usr/share/keyrings/postgresql.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/postgresql.gpg
similarity index 100%
rename from dogfood/coder/files/usr/share/keyrings/postgresql.gpg
rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/postgresql.gpg
diff --git a/dogfood/coder/update-keys.sh b/dogfood/coder/ubuntu-22.04/update-keys.sh similarity index 66% rename from dogfood/coder/update-keys.sh rename to dogfood/coder/ubuntu-22.04/update-keys.sh index 4d45f348bf..8ccdc3a5c0 100755 --- a/dogfood/coder/update-keys.sh +++ b/dogfood/coder/ubuntu-22.04/update-keys.sh @@ -15,11 +15,14 @@ gpg_flags=( --yes ) -pushd "$PROJECT_ROOT/dogfood/coder/files/usr/share/keyrings" +pushd "$PROJECT_ROOT/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings" # Ansible PPA signing key -curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0X6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367" | - gpg "${gpg_flags[@]}" --output="ansible.gpg" +# This curl command is now resulting in a 404, causing the script to fail. +# Rather than fix, we're just upgrading to Ubuntu 26.04 which removed the +# dependency on this PPA. +# curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0X6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367" | +# gpg "${gpg_flags[@]}" --output="ansible.gpg" # Upstream Docker signing key curl "${curl_flags[@]}" "https://download.docker.com/linux/ubuntu/gpg" | @@ -37,10 +40,6 @@ curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0 curl "${curl_flags[@]}" "https://cli.github.com/packages/githubcli-archive-keyring.gpg" | gpg "${gpg_flags[@]}" --output="github-cli.gpg" -# Google Linux Software repository signing key (Chrome) -curl "${curl_flags[@]}" "https://dl.google.com/linux/linux_signing_key.pub" | - gpg "${gpg_flags[@]}" --output="google-chrome.gpg" - # Google Cloud signing key curl "${curl_flags[@]}" "https://packages.cloud.google.com/apt/doc/apt-key.gpg" | gpg "${gpg_flags[@]}" --output="google-cloud.gpg" 
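Review bot: Commenting out the Ansible fetch in the first hunk leaves `ansible.gpg` in `ubuntu-22.04/files/usr/share/keyrings` with no way to refresh it (the file is renamed unchanged in this commit). The 22.04 image therefore keeps trusting whatever key bytes are already committed for as long as that PPA stays configured. If the PPA is no longer wanted on 22.04, removing the keyring together with its source and pin entries is cleaner than keeping a dead block; if it is still needed, the lookup URL should be fixed instead. None of the fetches visible in these hunks compares the downloaded key with an expected fingerprint before it replaces the committed keyring, so a comment such as `# TODO: check the fingerprint (gpg --show-keys) before overwriting the committed keyring` above the first fetch would record that gap. The script starts and ends outside the hunks.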
@@ -53,24 +52,12 @@ curl "${curl_flags[@]}" "https://apt.releases.hashicorp.com/gpg" | curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x27642B9FD7F1A161FC2524E3355A4FA515D7C855" | gpg "${gpg_flags[@]}" --output="helix.gpg" -# Microsoft repository signing key (Edge) -curl "${curl_flags[@]}" "https://packages.microsoft.com/keys/microsoft.asc" | - gpg "${gpg_flags[@]}" --output="microsoft.gpg" - # Neovim signing key curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9DBB0BE9366964F134855E2255F96FCF8231B6DD" | gpg "${gpg_flags[@]}" --output="neovim.gpg" -# NodeSource signing key -curl "${curl_flags[@]}" "https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key" | - gpg "${gpg_flags[@]}" --output="nodesource.gpg" - # Upstream PostgreSQL signing key curl "${curl_flags[@]}" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" | gpg "${gpg_flags[@]}" --output="postgresql.gpg" -# Yarnpkg signing key -curl "${curl_flags[@]}" "https://dl.yarnpkg.com/debian/pubkey.gpg" | - gpg "${gpg_flags[@]}" --output="yarnpkg.gpg" - popd diff --git a/dogfood/coder/ubuntu-26.04/Dockerfile b/dogfood/coder/ubuntu-26.04/Dockerfile new file mode 100644 index 0000000000..4955d8ec46 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/Dockerfile 
@@ -0,0 +1,368 @@
+# 1.93.1
+FROM rust:slim@sha256:cf09adf8c3ebaba10779e5c23ff7fe4df4cccdab8a91f199b0c142c53fef3e1a AS rust-utils
+# Install rust helper programs
+ENV CARGO_INSTALL_ROOT=/tmp/
+# Use more reliable mirrors for Debian packages
+RUN sed -i 's|http://deb.debian.org/debian|http://mirrors.edge.kernel.org/debian|g' /etc/apt/sources.list && \
+ apt-get update || true
+RUN apt-get update && apt-get install -y libssl-dev openssl pkg-config build-essential
+RUN cargo install jj-cli typos-cli watchexec-cli
+
+FROM ubuntu:resolute@sha256:cc925e589b7543b910fea57a240468940003fbfc0515245a495dd0ad8fe7cef1 AS go
+
+# Install Go manually, so that we can control the version
+ARG GO_VERSION=1.25.9
+ARG GO_CHECKSUM="00859d7bd6defe8bf84d9db9e57b9a4467b2887c18cd93ae7460e713db774bc1"
+
+# Boring Go is needed to build FIPS-compliant binaries.
+RUN apt-get update && \
+ apt-get install --yes curl && \
+ curl --silent --show-error --location \
+ "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
+ -o /usr/local/go.tar.gz && \
+ echo "$GO_CHECKSUM /usr/local/go.tar.gz" | sha256sum -c && \
+ rm -rf /var/lib/apt/lists/*
+
+ENV PATH=$PATH:/usr/local/go/bin
+ARG GOPATH="/tmp/"
+# Install Go utilities.
+RUN apt-get update && \
+ apt-get install --yes gcc && \
+ mkdir --parents /usr/local/go && \
+ tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1 && \
+ mkdir --parents "$GOPATH" && \
+ go env -w GOSUMDB=sum.golang.org && \
+ # swag for Swagger doc generation
+ go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \
+ # goimports for updating imports
+ go install golang.org/x/tools/cmd/goimports@v0.41.0 && \
+ # protoc-gen-go is needed to build sysbox from source
+ go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30.0 && \
+ # drpc support for v2
+ go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34 && \
+ # migrate for migration support for v2
+ go install github.com/golang-migrate/migrate/v4/cmd/migrate@v4.15.1 && \
+ # Install the latest version of gopls for editors that support
+ # the language server protocol (v0.21.0+ required for Go 1.25)
+ go install golang.org/x/tools/gopls@v0.21.0 && \
+ # gotestsum makes test output more readable
+ go install gotest.tools/gotestsum@v1.9.0 && \
+ # sqlc for Go code generation
+ # Switched to coder/sqlc fork to fix ambiguous column bug, see:
+ # - https://github.com/coder/sqlc/pull/1
+ # - https://github.com/sqlc-dev/sqlc/pull/4159
+ (CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@aab4e865a51df0c43e1839f81a9d349b41d14f05) && \
+ # ruleguard for checking custom rules, without needing to run all of
+ # golangci-lint. Check the go.mod in the release of golangci-lint that
+ # we're using for the version of go-critic that it embeds, then check
+ # the version of ruleguard in go-critic for that tag.
+ go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@v0.3.13 && \
+ # shfmt for shell script formatting
+ go install mvdan.cc/sh/v3/cmd/shfmt@v3.12.0 && \
+ # nfpm is used with `make build` to make release packages
+ go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 && \
+ # yq v4 for processing YAML files (renamed to yq4 for scripts/lib.sh).
+ go install github.com/mikefarah/yq/v4@v4.44.3 && \
+ mv /tmp/bin/yq /tmp/bin/yq4 && \
+ # mockgen for generating mocks (v0.6.0+ required for Go 1.25)
+ go install go.uber.org/mock/mockgen@v0.6.0 && \
+ # Reduce image size.
+ apt-get remove --yes gcc && \
+ apt-get autoremove --yes && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* && \
+ rm -rf /usr/local/go && \
+ rm -rf /tmp/go/pkg && \
+ rm -rf /tmp/go/src
+
+# alpine:3.18
+FROM us-docker.pkg.dev/coder-v2-images-public/public/alpine@sha256:fd032399cd767f310a1d1274e81cab9f0fd8a49b3589eba2c3420228cd45b6a7 AS proto
+WORKDIR /tmp
+RUN apk add curl unzip
+RUN curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip && \
+ unzip protoc.zip && \
+ rm protoc.zip
+
+FROM ubuntu:resolute@sha256:cc925e589b7543b910fea57a240468940003fbfc0515245a495dd0ad8fe7cef1
+
+SHELL ["/bin/bash", "-c"]
+
+# Install packages from apt repositories
+ARG DEBIAN_FRONTEND="noninteractive"
+
+# Updated certificates are necessary to use the teraswitch mirror.
+# This must be ran before copying in configuration since the config replaces
+# the default mirror with teraswitch.
+# Also enable the en_US.UTF-8 locale so that we don't generate multiple locales
+# and unminimize to include man pages.
+RUN apt-get update && \
+ apt-get install --yes ca-certificates locales unminimize && \
+ echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && \
+ locale-gen && \
+ yes | unminimize
+
+COPY files /
+
+# We used to copy /etc/sudoers.d/* in from files/ but this causes issues with
+# permissions and layer caching. Instead, create the file directly.
+RUN mkdir -p /etc/sudoers.d && \
+ echo 'coder ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/nopasswd && \
+ chmod 750 /etc/sudoers.d/ && \
+ chmod 640 /etc/sudoers.d/nopasswd
+
+# Use more reliable mirrors for Ubuntu packages
+RUN sed -i 's|http://archive.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/ubuntu/|g; s|http://security.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/ubuntu/|g' /etc/apt/sources.list.d/ubuntu.sources && \
+ apt-get update --quiet && apt-get install --yes \
+ ansible \
+ apt-transport-https \
+ apt-utils \
+ asciinema \
+ bash \
+ bash-completion \
+ bat \
+ bats \
+ bind9-dnsutils \
+ build-essential \
+ ca-certificates \
+ containerd.io \
+ crypto-policies \
+ curl \
+ docker-ce \
+ docker-ce-cli \
+ docker-compose-plugin \
+ eza \
+ fd-find \
+ file \
+ fish \
+ gettext-base \
+ git \
+ gnupg \
+ google-cloud-sdk \
+ hx \
+ htop \
+ httpie \
+ inetutils-tools \
+ iproute2 \
+ iputils-ping \
+ iputils-tracepath \
+ jq \
+ kubectl \
+ language-pack-en \
+ less \
+ libgbm-dev \
+ libssl-dev \
+ lsb-release \
+ lsof \
+ man \
+ meld \
+ ncdu \
+ neovim \
+ net-tools \
+ openjdk-11-jdk-headless \
+ openssh-server \
+ openssl \
+ pkg-config \
+ postgresql-18 \
+ python3 \
+ python3-pip \
+ ripgrep \
+ rsync \
+ screen \
+ shellcheck \
+ strace \
+ sudo \
+ tcptraceroute \
+ termshark \
+ tmux \
+ traceroute \
+ unzip \
+ vim \
+ wget \
+ xauth \
+ zip \
+ zsh \
+ zstd && \
+ # Delete package cache to avoid consuming space in layer
+ apt-get clean && \
+ # Configure FIPS-compliant policies
+ update-crypto-policies --set FIPS
+
+# Install Google Chrome directly from Google. Ubuntu 26.04 ships
+# chromium-browser as a snap-only package, which does not work in
+# Docker containers.
+# configure-chrome-flags.sh is automatically run after dpkg operations
+# by dogfood/coder/files/etc/apt/apt.conf.d/99-chrome-flags.
+RUN chmod a+x /opt/configure-chrome-flags.sh && \
+ wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \
+ apt-get install --yes ./google-chrome-stable_current_amd64.deb && \
+ rm google-chrome-stable_current_amd64.deb
+
+# Install Rust via rustup. Using rustup ensures we get a current stable
+# toolchain.
+ENV RUSTUP_HOME=/usr/local/rustup \
+ CARGO_HOME=/usr/local/cargo
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
+ sh -s -- -y --default-toolchain stable --profile minimal
+ENV PATH=$CARGO_HOME/bin:$PATH
+
+# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.14.5.
+# Installing the same version here to match.
+RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.14.5/terraform_1.14.5_linux_amd64.zip" && \
+ unzip /tmp/terraform.zip -d /usr/local/bin && \
+ rm -f /tmp/terraform.zip && \
+ chmod +x /usr/local/bin/terraform && \
+ terraform --version
+
+# Install the docker buildx component.
+RUN DOCKER_BUILDX_VERSION=$(curl -s "https://api.github.com/repos/docker/buildx/releases/latest" | grep '"tag_name":' | sed -E 's/.*"(v[^"]+)".*/\1/') && \
+ mkdir -p /usr/local/lib/docker/cli-plugins && \
+ curl -Lo /usr/local/lib/docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${DOCKER_BUILDX_VERSION}/buildx-${DOCKER_BUILDX_VERSION}.linux-amd64" && \
+ chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx
+
+# See https://github.com/cli/cli/issues/6175#issuecomment-1235984381 for proof
+# the apt repository is unreliable
+RUN GH_CLI_VERSION=$(curl -s "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \
+ curl -L https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.deb -o gh.deb && \
+ dpkg -i gh.deb && \
+ rm gh.deb
+
+# Install Lazygit
+# See https://github.com/jesseduffield/lazygit#ubuntu
+RUN LAZYGIT_VERSION=$(curl -s "https://api.github.com/repos/jesseduffield/lazygit/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v*([^"]+)".*/\1/') && \
+ curl -Lo lazygit.tar.gz "https://github.com/jesseduffield/lazygit/releases/latest/download/lazygit_${LAZYGIT_VERSION}_Linux_x86_64.tar.gz" && \
+ tar xf lazygit.tar.gz -C /usr/local/bin lazygit && \
+ rm lazygit.tar.gz
+
+# Install doctl
+# See https://docs.digitalocean.com/reference/doctl/how-to/install
+RUN DOCTL_VERSION=$(curl -s "https://api.github.com/repos/digitalocean/doctl/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \
+ curl -L https://github.com/digitalocean/doctl/releases/download/v${DOCTL_VERSION}/doctl-${DOCTL_VERSION}-linux-amd64.tar.gz -o doctl.tar.gz && \
+ tar xf doctl.tar.gz -C /usr/local/bin doctl && \
+ rm doctl.tar.gz
+
+ARG NVM_INSTALL_SHA=bdea8c52186c4dd12657e77e7515509cda5bf9fa5a2f0046bce749e62645076d
+# Install frontend utilities
+ENV NVM_DIR=/usr/local/nvm
+ENV NODE_VERSION=22.19.0
+RUN mkdir -p $NVM_DIR
+RUN curl -o
nvm_install.sh https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh && \
+ echo "${NVM_INSTALL_SHA} nvm_install.sh" | sha256sum -c && \
+ bash nvm_install.sh && \
+ rm nvm_install.sh
+RUN source $NVM_DIR/nvm.sh && \
+ nvm install $NODE_VERSION && \
+ nvm use $NODE_VERSION
+ENV PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
+RUN corepack enable && \
+ corepack prepare npm@10.8.1 --activate && \
+ corepack prepare pnpm@10.14.0 --activate
+
+RUN pnpx playwright@1.47.0 install --with-deps chromium
+
+# Ensure PostgreSQL binaries are in the users $PATH.
+RUN update-alternatives --install /usr/local/bin/initdb initdb /usr/lib/postgresql/18/bin/initdb 100 && \
+ update-alternatives --install /usr/local/bin/postgres postgres /usr/lib/postgresql/18/bin/postgres 100
+
+# Create links for injected dependencies
+RUN ln --symbolic /var/tmp/coder/coder-cli/coder /usr/local/bin/coder && \
+ ln --symbolic /var/tmp/coder/code-server/bin/code-server /usr/local/bin/code-server
+
+# Disable the PostgreSQL systemd service.
+# Coder uses a custom timescale container to test the database instead.
+RUN systemctl disable \
+ postgresql
+
+# Configure systemd services for CVMs
+RUN systemctl enable \
+ docker \
+ ssh && \
+ # Workaround for envbuilder cache probing not working unless the filesystem is modified.
+ touch /tmp/.envbuilder-systemctl-enable-docker-ssh-workaround
+
+# Install tools with published releases, where that is the
+# preferred/recommended installation method.
+ARG GOLANGCI_LINT_VERSION=1.64.8 \
+ HELM_VERSION=3.12.0 \
+ KUBECTX_VERSION=0.9.4 \
+ SYFT_VERSION=1.20.0 \
+ COSIGN_VERSION=2.4.3 \
+ BUN_VERSION=1.2.15
+
+RUN \
+ # golangci-lint performs static code analysis for our Go code
+ curl --silent --show-error --location --fail "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" | \
+ tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" && \
+ # Helm is necessary for deploying Coder
+ curl --silent --show-error --location --fail "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | \
+ tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \
+ # kubens and kubectx for managing Kubernetes namespaces and contexts
+ curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
+ tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \
+ curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubens_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
+ tar --extract --gzip --directory=/usr/local/bin --file=- kubens && \
+ # Anchore Syft for SBOM generation
+ curl --silent --show-error --location --fail "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | \
+ tar --extract --gzip --directory=/usr/local/bin --file=- syft && \
+ # Sigstore Cosign for artifact signing and attestation
+ curl --silent --show-error --location --fail --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \
+ chmod a=rx /usr/local/bin/cosign && \
+ # Install Bun JavaScript runtime to /usr/local/bin
+ curl
--silent --show-error --location --fail "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip" --output /tmp/bun.zip && \
+ unzip -q /tmp/bun.zip -d /tmp && \
+ mv /tmp/bun-linux-x64/bun /usr/local/bin/ && \
+ chmod a=rx /usr/local/bin/bun && \
+ rm -rf /tmp/bun.zip /tmp/bun-linux-x64 && \
+ apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Add coder user and allow use of docker/sudo.
+# Ubuntu 26.04 ships a default "ubuntu" user at UID 1000;
+# remove it so we can create "coder" with that UID.
+RUN userdel -r ubuntu && \
+ useradd coder \
+ --create-home \
+ --shell=/bin/bash \
+ --groups=docker \
+ --uid=1000 \
+ --user-group
+
+# Adjust OpenSSH config
+RUN echo "PermitUserEnvironment yes" >>/etc/ssh/sshd_config && \
+ echo "X11Forwarding yes" >>/etc/ssh/sshd_config && \
+ echo "X11UseLocalhost no" >>/etc/ssh/sshd_config
+
+# We avoid copying the extracted directory since COPY slows to minutes when there
+# are a lot of small files.
+COPY --from=go /usr/local/go.tar.gz /usr/local/go.tar.gz
+RUN mkdir /usr/local/go && \
+ tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1
+
+ENV PATH=$PATH:/usr/local/go/bin
+
+RUN update-alternatives --install /usr/local/bin/gofmt gofmt /usr/local/go/bin/gofmt 100
+
+COPY --from=go /tmp/bin /usr/local/bin
+COPY --from=rust-utils /tmp/bin /usr/local/bin
+COPY --from=proto /tmp/bin /usr/local/bin
+COPY --from=proto /tmp/include /usr/local/bin/include
+
+USER coder
+
+# Ensure go bins are in the 'coder' user's path. Note that no go bins are
+# installed in this docker file, as they'd be mounted over by the persistent
+# home volume.
+ENV PATH="/home/coder/go/bin:${PATH}"
+
+# Override CARGO_HOME so cargo registry/cache writes go to the coder
+# user's home directory instead of the root-owned /usr/local/cargo.
+# The rustup-installed binaries remain on PATH via /usr/local/cargo/bin.
+ENV CARGO_HOME="/home/coder/.cargo"
+
+# This setting prevents Go from using the public checksum database for
+# our module path prefixes. It is required because these are in private
+# repositories that require authentication.
+#
+# For details, see: https://golang.org/ref/mod#private-modules
+ENV GOPRIVATE="coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"
+
+# Increase memory allocation to NodeJS
+ENV NODE_OPTIONS="--max-old-space-size=8192"
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-no-recommends b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-no-recommends
new file mode 100644
index 0000000000..8cb79c9638
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-no-recommends
@@ -0,0 +1,6 @@
+// Do not install recommended packages by default
+APT::Install-Recommends "0";
+
+// Do not install suggested packages by default (this is already
+// the Ubuntu default)
+APT::Install-Suggests "0";
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-retries b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-retries
new file mode 100644
index 0000000000..d7ee518525
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-retries
@@ -0,0 +1 @@
+APT::Acquire::Retries "3";
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/99-chrome-flags b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/99-chrome-flags
new file mode 100644
index 0000000000..7d02aded16
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/99-chrome-flags
@@ -0,0 +1,3 @@
+// Re-apply Chrome desktop-file flags after any package operation so
+// that a google-chrome-stable upgrade does not silently drop them.
+DPkg::Post-Invoke { "/opt/configure-chrome-flags.sh 2>/dev/null || true"; };
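Review bot: The buildx, gh, lazygit and doctl steps in the ubuntu-26.04 Dockerfile take their version from the GitHub `releases/latest` API at build time with `curl -s`, then download with `curl -L`/`-Lo` without `--fail`, and none of those artifacts is checksum-verified. If the API call is rate-limited or returns an error body, the version is empty and the download URL is malformed; for buildx the resulting error page would be saved and marked executable, and on a good day the image silently picks up whatever upstream released. The Go tarball and the nvm installer in this same file are pinned and checked with `sha256sum -c`, and the later `ARG ..._VERSION` block already uses `--fail`; the same pattern fits here, and the Chrome .deb, Terraform zip and rustup script are likewise fetched without a digest. A sketch for buildx with placeholder values is below.

```dockerfile
# Pinned like GO_VERSION / NVM_INSTALL_SHA; both values are placeholders to fill in.
ARG DOCKER_BUILDX_VERSION=<PINNED_BUILDX_VERSION>
ARG DOCKER_BUILDX_SHA256=<SHA256_OF_THAT_RELEASE_BINARY>
RUN mkdir -p /usr/local/lib/docker/cli-plugins && \
    curl --silent --show-error --location --fail \
        --output /usr/local/lib/docker/cli-plugins/docker-buildx \
        "https://github.com/docker/buildx/releases/download/v${DOCKER_BUILDX_VERSION}/buildx-v${DOCKER_BUILDX_VERSION}.linux-amd64" && \
    echo "${DOCKER_BUILDX_SHA256}  /usr/local/lib/docker/cli-plugins/docker-buildx" | sha256sum -c && \
    chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx
# … same pattern to apply: gh, lazygit and doctl installs …
```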
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd
new file mode 100644
index 0000000000..ab0b8f9891
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd
@@ -0,0 +1,6 @@
+# Ref: https://github.com/nestybox/sysbox/issues/879
+# We need to pin containerd to a specific version to avoid breaking
+# Docker-in-Docker.
+Package: containerd.io
+Pin: version 1.7.23-1
+Pin-Priority: 1001
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker
new file mode 100644
index 0000000000..8bf06ea2ee
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker
@@ -0,0 +1,23 @@
+# Ignore all packages from this repository by default
+Package: *
+Pin: origin download.docker.com
+Pin-Priority: 1
+
+# Docker Community Edition
+# We need to pin docker-ce to a specific version because containerd is pinned
+# to an older version. Newer major versions of docker-ce require a version of
+# containerd.io greater than our pinned version.
+Package: docker-ce
+Pin: origin download.docker.com
+Pin: version 5:29.*
+Pin-Priority: 500
+
+# Docker command-line tool
+Package: docker-ce-cli
+Pin: origin download.docker.com
+Pin-Priority: 500
+
+# containerd runtime
+Package: containerd.io
+Pin: origin download.docker.com
+Pin-Priority: 500
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/github-cli b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/github-cli
new file mode 100644
index 0000000000..d2dce9f5f3
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/github-cli
@@ -0,0 +1,8 @@
+# Ignore all packages from this repository by default
+Package: *
+Pin: origin cli.github.com
+Pin-Priority: 1
+
+Package: gh
+Pin: origin cli.github.com
+Pin-Priority: 500
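Review bot: The `docker-ce` record in preferences.d/docker carries two `Pin:` lines (`Pin: origin download.docker.com` and `Pin: version 5:29.*`), but apt_preferences(5) describes one `Pin:` per record, so probably only one of them is honoured. If the origin line is the one that wins, the `5:29.*` constraint that the comment above the record relies on is not applied. Consider keeping only `Pin: version 5:29.*` in that record (the `Package: *` rule already demotes everything else from that origin) and confirming the outcome with `apt-cache policy docker-ce` in the built image.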
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/google-cloud b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/google-cloud
new file mode 100644
index 0000000000..637b0e9bb3
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/google-cloud
@@ -0,0 +1,19 @@
+# Ignore all packages from this repository by default
+Package: *
+Pin: origin packages.cloud.google.com
+Pin-Priority: 1
+
+# Google Cloud SDK for gcloud and gsutil CLI tools
+Package: google-cloud-sdk
+Pin: origin packages.cloud.google.com
+Pin-Priority: 500
+
+# Datastore emulator for working with the licensor
+Package: google-cloud-sdk-datastore-emulator
+Pin: origin packages.cloud.google.com
+Pin-Priority: 500
+
+# Kubectl for working with Kubernetes (GKE)
+Package: kubectl
+Pin: origin packages.cloud.google.com
+Pin-Priority: 500
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/hashicorp b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/hashicorp
new file mode 100644
index 0000000000..4323f331cc
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/hashicorp
@@ -0,0 +1,14 @@
+# Ignore all packages from this repository by default
+Package: *
+Pin: origin apt.releases.hashicorp.com
+Pin-Priority: 1
+
+# Packer for creating virtual machine disk images
+Package: packer
+Pin: origin apt.releases.hashicorp.com
+Pin-Priority: 500
+
+# Terraform for managing infrastructure
+Package: terraform
+Pin: origin apt.releases.hashicorp.com
+Pin-Priority: 500
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list
new file mode 100644
index 0000000000..76fa2962d1
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list
@@ -0,0 +1 @@
+deb [signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu resolute stable
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/google-cloud.list b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/google-cloud.list
new file mode 100644
index 0000000000..24df98effe
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/google-cloud.list
@@ -0,0 +1 @@
+deb [signed-by=/usr/share/keyrings/google-cloud.gpg] https://packages.cloud.google.com/apt cloud-sdk main
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/hashicorp.list b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/hashicorp.list
new file mode 100644
index 0000000000..5658e0df72
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/hashicorp.list
@@ -0,0 +1 @@
+deb [signed-by=/usr/share/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com noble main
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/postgresql.list b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/postgresql.list
new file mode 100644
index 0000000000..28aa067cf4
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/postgresql.list
@@ -0,0 +1 @@
+deb [signed-by=/usr/share/keyrings/postgresql.gpg] https://apt.postgresql.org/pub/repos/apt resolute-pgdg main
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/docker/daemon.json b/dogfood/coder/ubuntu-26.04/files/etc/docker/daemon.json
new file mode 100644
index 0000000000..c2cbc52c3c
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/etc/docker/daemon.json
@@ -0,0 +1,3 @@
+{
+ "registry-mirrors": ["https://mirror.gcr.io"]
+}
diff --git a/dogfood/coder/ubuntu-26.04/files/opt/configure-chrome-flags.sh b/dogfood/coder/ubuntu-26.04/files/opt/configure-chrome-flags.sh
new file mode 100644
index 0000000000..ee2e9bbaef
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/opt/configure-chrome-flags.sh
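Review bot: hashicorp.list points at the `noble` suite, while docker.list and postgresql.list for this image use `resolute` and `resolute-pgdg`. If that is deliberate (for example because the vendor has not published a suite for this release yet), a comment above the `deb` line such as `# No resolute suite published yet; using noble packages until one exists` would keep it from being "corrected" later; otherwise the suite name looks like a leftover from an earlier base image.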
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Adds launch flags to all Google Chrome .desktop files so that Chrome
+# works correctly in headless / GPU-less environments (e.g. Coder
+# workspaces running inside Docker containers).
+#
+# This script is idempotent.
+
+set -euo pipefail
+
+CHROME_FLAGS=(
+ --use-gl=angle
+ --use-angle=swiftshader
+ --disable-dev-shm-usage
+ --no-first-run
+ --no-default-browser-check
+ --disable-background-networking
+ --disable-sync
+ --start-maximized
+)
+
+FLAGS_STR="${CHROME_FLAGS[*]}"
+
+for desktop_file in /usr/share/applications/google-chrome*.desktop /usr/share/applications/com.google.Chrome*.desktop; do
+ [ -f "$desktop_file" ] || continue
+ # Skip if flags are already present.
+ if grep -q -- '--use-gl=angle' "$desktop_file"; then
+ continue
+ fi
+ # Insert flags after the binary path on every Exec= line.
+ sed -i "s|Exec=/usr/bin/google-chrome-stable|Exec=/usr/bin/google-chrome-stable ${FLAGS_STR}|" "$desktop_file"
+done
diff --git a/dogfood/coder/ubuntu-26.04/files/usr/local/bin/gh b/dogfood/coder/ubuntu-26.04/files/usr/local/bin/gh
new file mode 100755
index 0000000000..8d8168c70b
--- /dev/null
+++ b/dogfood/coder/ubuntu-26.04/files/usr/local/bin/gh
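Review bot: The `sed` expression in configure-chrome-flags.sh matches `Exec=/usr/bin/google-chrome-stable` anywhere in a line, so a key that merely ends in `Exec=` (a `TryExec=` entry, if the desktop file has one) would get the flags appended as well. Anchoring it, `sed -i "s|^Exec=/usr/bin/google-chrome-stable|& ${FLAGS_STR}|" "$desktop_file"`, keeps the edit to real `Exec=` lines. Because the 99-chrome-flags hook runs this script with `2>/dev/null || true`, a failed rewrite is silent, so a header comment such as `# Run as a dpkg Post-Invoke hook that discards errors; run by hand to see failures.` would help whoever has to debug missing flags.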
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# Wrapper for the GitHub CLI (`gh`) that ensures authentication via
+# `coder external-auth` when no other credentials are available.
+#
+# Precedence:
+# 1. GH_TOKEN / GITHUB_TOKEN already set in environment
+# 2. Existing `gh auth` login (e.g. `gh auth login`)
+# 3. Fresh token from `coder external-auth access-token github`
+
+REAL_GH="/usr/bin/gh"
+
+# If GH_TOKEN or GITHUB_TOKEN is already set, defer to the real gh.
+if [ -n "${GH_TOKEN:-}" ] || [ -n "${GITHUB_TOKEN:-}" ]; then
+ exec "$REAL_GH" "$@"
+fi
+
+# If the user has manually logged in via `gh auth login`, use that.
+if "$REAL_GH" auth status >/dev/null 2>&1; then
+ exec "$REAL_GH" "$@"
+fi
+
+# Fall back to Coder's external auth for a fresh token (only in a workspace).
+if [ "${CODER:-}" = "true" ]; then
+ TOKEN=$(coder external-auth access-token github 2>/dev/null)
+ if [ -n "$TOKEN" ]; then
+ GITHUB_TOKEN="$TOKEN" exec "$REAL_GH" "$@"
+ fi
+fi
+
+# Nothing worked; run gh anyway and let it show its own auth error.
+exec "$REAL_GH" "$@"
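Review bot: The fallback branch of the gh wrapper checks only that `TOKEN` is non-empty, not that `coder external-auth access-token github` succeeded, so anything the command prints on stdout when it fails would be exported as `GITHUB_TOKEN`. Coder's usage example for this command appears to treat the output of a failed call as a login URL, which suggests that case is real; worth confirming. Replacing the `TOKEN=` line and the inner `if` with `if TOKEN=$(coder external-auth access-token github 2>/dev/null) && [ -n "$TOKEN" ]; then` avoids handing `gh` a bogus credential and lets the final `exec` show gh's own auth error instead.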
diff --git a/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/docker.gpg b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/docker.gpg new file mode 100644 index 0000000000000000000000000000000000000000..e5dc8cfda8e5d37f69956520048140c9baab9803 GIT binary patch literal 2760 zcmV;(3ODtc0u2OMt=cL95CGv?mVEyU+3FP&iF2?(b<6@*g&o7k_7E+vfpyDoj$zjA zGV5WMs<5X`yaKG4`1D^?%Ti#*f9W@2In1 z#V#$cv(vuM$1G5W?m=#;?M(Cxek`gIB|ZeE>e*?4HA0Yo?Le89KO(!1UAgKnfVKJp ze7*UXLf?I!keb9u+BFqeeB``A$gwvu)M9q}dT8YU+=NzEb9$;fT&a6fycOmt+QBrl zSljK4NaNyiOYqwZ!pA8r^c00OKI|6ITnqr2;lfcg2)^}~s|^iuXkp-Z9zw?u9f%Gl zIKx%?805>Gz6o0*0IGj52V2W@R3^r4ggg+8qe2>{F;knjCB39B|n)&}Ia))TWmVOS1zJD$Q<&mo|g~V`#5B$6N zxLlw5L@k&9cvMyuB!wfYMH5Y?I18^yQU0Cn< zQ+Vm-4&d0rzki{yJhx4HVp!v=n%$Eu4}XG1@@3Rpmx4E2z!ZF5gVt7hXhF3JhQ)dC z^v|>E6|i%rp_>2^0RRECD@1Q&Yh`jEQe|vqVRL05C__acWMyJ0AUtGmV{2t{KxA)Y zYh`jSV{dIfi2^qS69EbUAq4_ht>?f38!rV52?z%R1r-Vj2nz)k0s{d60v-VZ7k~f? z2@s8efIJSr&4{we5B?+>qpu&7G$uCr{9l#Rccf8iLHFK8*j}rX=-CG)$dc?$piG&n zyvm)ljwUsM!bnCjBbuvmg?VD7{XegYqwDC-jwi9@5G?Wk0W>(My&0lUwT?!h+_)r; ziSkkZTf)_`7M(d9Eygf&;f2K#dl0cev@e`hmk( zZtk3Hs%->NGPyLrr#y%lgx{LEI^lyjO4KBwd}kap{2xYFqV-F2>Yq zG-gdq-7QDsOB?=ysoxG@7KH&vE_?hnRc?txWkz9<=VtFx@Ut8hfLi2;JwF@%ZMK$zRb;~8!vOdFX75Fk8*e>XpOrG|YsSZ2f#t_(HJ z+2iiq+kTKEd{!m%PjyDuMW8T;FZ!)Cg>O6x2SR3fyfZ=kBSDUz=aV8M^lA(&u0B2M z-aM5?LcHpf3Iqah6nv_W(wZrA8IAR4qXOaf%g7n?TNrw7a0Kc^OVl3Z8#a2R3m+9$ z8(5MM+x77e+YoN$TgPo5x1IH2GV6I8ege0YQtX?0EQiH**C+5Ml4{T8)OO+-PfE3sg1Paga|nw;9NrvW?0Q{d=P|r_7drn! 
z8&M^%eloEvv)?t~lG>1q+=qlCndr6=1Yy(%>dfgbh&%TXeRWyM$f8?S{8ygGsA8pS zM?IBQwFu-HaGRib&`sVMSJXjhuE(AOvYeGL$vD)^dqADy%5oai-WdX=OaMym$#l_A z7d>5VEn*PN1N}x~{PYrGX`90HOmI4|Rc$_R*_61pBoGZVu(mO4MgBSA z3G&qBk^c}(l#fx^d_Tr93{<%g;efsvX)qQ8<7p74rQ;AUmvbi*yka|wYGA+9!(&uJ z3tZ#|GLLIrw5-@~{uvdM_93`x8jgYT%ZPhr3MqBNEu`I@f@nl~3G(!ilEW9!nGG{5 zNIRRPhlryvj{p$?00D^vJ_Hy62mlEM0$8ouDgqk<0x1a)je&qX4!_Na!CfE(8370Y z1_c6Gt=cL83JDN?psB<1bNtxVU=ROn3Hco$6RNCn?dy%AGv~v}na?1gs^YJhXA)JR zJ_hRT#t5-)YKUBmhDT{(!zP43W=13FLVlQQY&Uywe9iI|Dk@tr8RUEXt!L9asCk14 z$moeFun}{2z@`Y8KUEy#Y?ttc*0nt%%r%bCd4pClxDY!t`M2qFddF+NHq%TDA5Z73 zoZ<)UWl<6+4{!S>HvV2YFUNmbNfe7l7outUhag5HvTFpov{9)%SU3wB^qK~XMv`AX!x<6%-nu+;S&pdG~rCcpO z05M&Fwf!q>>kU>E8(Zk`CG@{MMFpYoH>2^}r{N(ze}#nyK^=2d^FwnaCSIuyoty8V z$MgLSEc6&fC;Zgt2oP+BME)7IvYQ`*`)m(a>t+0)T%TWxv;Hw42=h!wN&j`JBw0E> z50`dHHM+RTjBnAsX^_gE8Q9$kh)YxA+2aP#nvkSPSGK0POS-qBfqQ0U`6_z!bL?8k zW-GmuFEE@S55O+}&SbUnxDWqc+d9(t{vtC%96$nq3|U&n$e6E6Na09qb+{@cv1jZ| z3ANPzBC8hPZX%fd!AicAGHUi1CEtQTkg6rlJ&izkT=Qe0t#FL~*@%Q@afty20kH zP@b&1>Szr#R<^(R$ZDQ+tX1BmAvCn7XbkFG{bvJsln04BkS2;}7+r)m!j=C|-@2Mb zZaVA|!c_0vpuO@|Zgh7CYc|rUFc^1cmciEIZ-OsoUfh8=!gs&KS$I6fh;IjUD`52- z$hYta7J<u zKyfV{PWt21mmL1oc+`{DV3Y`cYIUjP(OqJCF?#$b(-lq(eagmRKXj;3eca9O(@-v*AlJpV04RH>15hu-d0gn>T!}yoq)jq_0kXKsg4`@J7)|Q^ zDDOG%eA#MagFANd zdqy65SW2nr1~YT_@-0VQK|8{6A8j7(Mjt*2q7@a7+r$F=ve;|lz>JOUg*BozUJg2!M`kgS_a#f~DzmR>8^={7wt+%CwK#i~ zvfpjM2D7BD_&w;T7TX(_p32`UA_jgy8>H)hjrvW8{`$-wZl>gPv@74L#o=DIx{-%P z3LY3kB));25usaDw%9uVdqKM}3gA5$m>8-aoY;31*`RKJoH{q*k)ASLLDza|{FSl* zk;T}a!$a;d89iqXj*OKUxwgdm(;BaihD8wc*`Y3+&$Bh2H!}mE{&o28;!FZVVFa9r zf}&suGl4c&vijKuG)jrOdNys)@)#N5f%|l5RZz7u#8j^9<;>GcNxSldEX=~~=Gq%5 zPotZ>R5W0yfibkPC$F;dRN_4a^1ef%*GM8Or%~|)EFb=FOHv-Xle>XTzCNOfW$Lrh5^Ja2GiZgX#Sa${vHV{Bg|-fCddPDl^VI5fabQ^m0%I30iUJ!01qlPgwlxI{ z2?z%Q1{Dek2nzxP76JnS0v-VZ7k~f?2@oUm)arF{U|H*p5CF;U7+w)&dmEsC8#og8 z5_2=?)^EXR9c!3F?n!}$o07sQjYGJ%p0Jh<6LZfxh~tc@MG|B)L;Vnun~)_zv0cB+ zu}s0+M8(1umItr%ra^|kdG(!ilHe0rt;(jdrmB+qV=X$Vz(nO)AdJU#jh5MZV++<& 
z&nmrb%!n{()|Xtfl&=gga-ZCL1=?71_=2ZfR#!sblX7$gCswgZ!+KQ-7YB6T3`?cm zT3mO9e(~XFl9!v-u2-zu(=N-Mi7O61PmxVehEf9}e<08`r zk1x{*Jxv^-*9~)2tg(!<91uR;yx)i2EMOl%nM>M-Qe0BVf5B*1Rv#45?90`ZhZ!tZ zB|8Uap0K?P^ob8VCVHz1Mwh&0H+K%%n4+$IngUwO%%XkmT|E|Ao&7N5gJiSBykJP( zE{0Ke2dK$IV??I^{x%NLeEF*cK2EmOBCm-QTA76-y=b2qHcFZMAoT z)(cvZOlX0FKSAd***#Kt#98^iJ`}dO$pLreyzu(-t?L7fz3Y@eBkSU7Cm_w0UT)o{ zN1ra9HHL-20doWO|{IHK(1u~#KSAr_)JX?U}y+lHN=vMqZY^G&vqEevUh z02}4RMH=qdn6HAqpI-&)*M>=BYJJY>JQ{B9@MrzSanDQx@2YO)%U$81ggp8kBr%s{ z()PfUzZ_7b!+u>nXwCH~x9+wX<&>~SV-O_n7{zXXIWiNuRHG6Inc3aBFNfL^L_C%m zWxMiT)5+(xAX+GBwNRfO9O>=-gtU3t5>JFi4)tLStA74u2U1(zb|(K20Yfv(y`W&I z`4}35I1lrycfTu{rJcg2W*s#9(%TD|w-kEulDzQ;x^L85-;^0nD24@+{kkzkCl+~X=amxsdqY&&K@YDOVLj0hTMI-AER zwOOJDY&*Qbd{##mLzM%8R_;bC`64LxDc{~vP3kZbUjPvS00D^tJOmg42mmG)Ap|U8 z1|S)QwhnB1$a5p})arF{U|9tMV;3%p0vikk2?N8nH2?|;5F_){>UD8oSr!}*{ycRS zrJh#FkClGa{<=F4uNSPOAF;ZkzPKWuF7Qo{cGeR6?3%ZgaY0&CSOA%~ z*OF*d8q0N1h4xs<_Y_%~3a+0-2H(x%{tj(hE6?spdG9)V~tF|VG2z3YHlb2BM z#+XfkoUJFRVS-05s$9 zc6KAOl~vnZ=7V=*=y%SXo^W@ZL?M=+A>E75&3|P3$KwOg?f+dn)G>5z${Oj9JCbye z5)otPqv`51z_B5|#?*!jI8=UFw1sVOPP?KcFk6u&J2Fg@{1#<#_|9f`l`i?p;?B2RwXp3pcKeTrl;Td-b2q6H8rV6E`jrVuKM3B*nLzX$ zoTKZDGY4)TUxW$~Hg}wi7PR++UHHxOyHwfd=cQU{ sZP_ZaFT{IF`p$Ndo-}Rtf(Sc1oxsL`tTUqvGA4#k*w>jgJntA|!*H)MKmY&$ literal 0 HcmV?d00001 
diff --git a/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/google-cloud.gpg b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/google-cloud.gpg new file mode 100644 index 0000000000000000000000000000000000000000..3b28500f95359dcefbaba0bb120ba0f4b735b81b GIT binary patch literal 1905 zcmZXUdpHyNAIG=Zuq~3y$aUfnHm#+|{W?ZTj#MsXX31?do4Zm{hJ&55!_rhlA#xYT zHFC>+t|^kc$vwxlpHAmIzdz3NeE)bq&-eA$`}2NYDL?_RYjg<*$PegG&S-bTA#R6N zjySf8#b3o$XcZG3#>C6dCY9B(oXWb=mn>Eo);((`Gs-t)R8!5E-QAVNQiAHSmlX^@ zhxxImZC>3jNRtl1Em(qY+>jL>b!cn!BVuAkSJ|mPM@H>Bo@5T)ZE$>Gm!_fhDnRuD zs8qC|ylx6QS@@cfkWxs+XX!diyHYbGvg=Jmmdm=RshKvCn6wG@8-e@6Szqkh_{|n% z>c+n5(%23OSI>r?=o54x%cnk2NNSA?|GqS4xx#tcD1EK9zbbNAb51vj+A(qsBGKpF zWL=ey$YG47YbPh3_Uw9u5|>w0r?ur;LNjk~A0kCniee}e4QhZxKmf4#ye+|xN~4gF zMl`Cg4}t1IME>gGPWB+XBdtim$fHDWUz!`5@)JV)|NKIGk%G}!3>J&VoIqnV(HO0( znB)6T-H+y~LI)lJi|qG{fPj894HYWUYZee$ScHJ2ctD4N06^UfzVBg%A{NMxU4weV zo|2=CYF6W?;P>1^Jwx*`)VW;<5FtSGQTcJxKG(Gq1dnQpb!4@D($(ii(>8AE&SiM0a?9^f$gfi?AMEBC*t~Myer%ic zg}1iPZs8tS=6tDdzg}1tTR6fupw@ZbAN%za*Y%)bqJrs0|6=o-|L?FFQ}1lntf4Qp z{g>)cXV`g>I>*jhfz6267_h9IVL0>X^6wZ({yc%tSWWxud?nANEw7ITS%#qy_53;f z_2`Dsuc)O&Q?Y7b!yk3v?YrJ?1!Q$WU1M^ce&Ctrc2{-YR(E8!MLB{k zzr0j)#iwhxxVQe&vH0R?UR)V4=*%=Dng*wzpzd1Z$mGmm<-d1G2g-pZ_D3V~-_aZZ z0PxBDfGClP-EQKdJ!jW+AkRpVl-jVC%DMgWd+7+{)s;kVdqc2v+Bj2z*PsxUtNEeb zU?(XrH~aW7w;|_}v(v_7Qwj(-Lqlj%dtx0-xV+-Q5{q$@4r+C?o*|`_UA)H0r}jYG zy{0Jn8RbXvLVvOYrOn^XaUyJZwwR4h(J{*{wKD6yicMz!zq z@G(=nYZj>5e=A05RTPlUvo}ywzn%Ub!NOmAnKJZ_#UaL3H#eH!^Ca2pfVzAv_eLWz z?E`dL{Z4q!ChDN*1FPpPlOOAmuqE5XLX^ce!nd=4Q`F)<&h(Qy*qgap<=4XZ4DQmN zvcDJ?Mp@B*NfR!NCLpsM6dG7u)fSFxh zIk|NEdQrxXjf)1pTT$Gq53YRaqG?S>M9UB`c2Hn4AntJMYY;dFpE!+N= z&ZnpH8c*v5njdGH%ZB26`tczeDpQ&(HKb~-jueBD@@b_6sL8p$!CPy#I$Zh=9DBS= zZIk&n7$UP40FBOo~wH}lcCja2`pKep6{~5!I>_e}3vwL_TKN(zd!ruzz=cEsDkE~Z)Hy0)GReo1zt1kY zJ*hh7r@8EmC{&MY1R@n_OLF({r&5CVgP*Uz2i12!{*V}ng48Aa1EDGZK>Oie=x?2o zD2DF7zV6;6b)v72J{@SiFE1EC3n33aS@EPupIyXUPko_PTj4Y{LKI7ffPUOy-((Ot 
zl%Eg8D+Yt|!$DvKhzAIg1%kvQ05GV~zwp*ken1^zM!VLfDf`>Ip*}{%6CSk~ntYI( zlyFw%9EHd5!(q12lDjt|8)D4W62!hF7!xx)$nR%HrgGeU4Pa#r==h+7t0t%~=c*nD ziLRpdI+f^px(w^%J)_9tT-)HdLh;112#$`$ATT_}b~0X`*5dJaef_`-)2?%bJkQRG zKdk=bLrv+fMa+eThJdES4$1o8S17!%=H$}El0ds~?l4(=ui1xGdkGHgUZ~{dOaz+E zV|4J~*?aJte+>b%&4rhK^HQ2#n{AyuHHL$kx-cFU%h<(eRsd~7dUDcmD>`ELc(=)) emv@}Kh8UuImE0mZ$J5RBz?bcG>xz~tvHtVg|b5;GS3|{I@vtp?3qn= zgskJ~>GgYF&wsyvKi}`?^XEGgNJ9c|X<8-%1J)pu&6U}KU5t*M&8s9XGK2nkr#mWq zE47K;_lyiJS!FtclVU8=ncE*{1#LHRnz0KPmObz`ViQ`6D)>6v&)?Yx%RcjfO0CEJ z%pu{3F|eLx^Xtl6F*~zxBzsQVu>5QTc{tP!F+YhD@^VrrV{UU6+wCGHFi(}_sK5E* z(;7e%IsN=cEl36-*>$DuTf}?5n$ro`;9aqgw2kT0oQcl`Ntz-9#CzmQx6o$hBG-Bh zi#_*_1Lo9TpJAe}-pFt9=rc_I+G-Do6K;*r9wO8p;+El8&sAKtE3P2@v%89`oG)Z+r?s-O^)Vz_ddrqiJIR=Ip2 z=+2LnA5Qvqq8e$cQ}le43Z=2*0SRl0%p1mYvqcJ|E%(mk7G{CWk{K^Tv^uhXq#G?s zhMF?}vhQLFxR_5Q1@zzDYTFNZY&j}xyGZ`pB{HJ+g3m-!tF%K_0K2`!=@Cc+-x4QI zP^wvQT8=_A;Y*cFHFh3yW7C4m0rW%wqB@v{ji=WI4z9?XJhGnu`?}@+=kz;NwEt%U{(C|M?&cyN12iOo5K#c+fgHr7)RYwD zKr$vON(yQq2{VwG2*^zYWC>;FCGm^hw$rs_QjSkl-YsLkXnxPTPDBcXw=~OUvr(*Mr5jH1`k||jxdr+*-W_3-SfTy` z^osJ1SD)O%Y)xSy^A}wsWukMPB5%e^wU4c?c&b(!Z-nJLcHu7`Uyo zF5r)@WNJ+4xe#Qa*8I*V;WEe!gl7xzbE;jRK@kNzea3z%8+8^=fz%0UJM%q0Gka@fL9KZY_~q{(Qzl6`fhckQ;hN4&e9(E zYD0DdM@f1nt9kGeYrYRAJN>Q{cZ!FT zZ>l@Pj%rga4_PO0v=oHH9)}KG#iKC`vVzI|FtC2*C1eaJKJ#Fm*2<^iAy`_z=xu%H zu-+kKb2iR)N33Zy3J?0$MAw2120oKn zY`@BH{n@2Q;qnZo&hmcPud%kV3Vioo!Iy$fT#iG+xy~$!Rj3(nS`hT)m%w{(S1ieZ z5c1yn_*KRpKC$X#J0p12j0!Ohxw?-jaP?Hzgf?@hT&y#sd*o7U=Bq6cxzFrM>Mu&* z6pzjZyf&mFQ?0FK7ec!DQwAFbJ2H;}QsK%7kdMSuuM*7?eFZ*tbYS!_ESv%tHD)=UHw*4`@5MI-PvF4fuyvs)n$ljz7VSW32OXn$#4@n_-_p_(#rh+hex z5NA)dZ?I?lH-`}x_Z;<&8iCUh2HSAdi&UBH!_FFOWmUyo!;(v)6%UL%A#=|Tv)9^P zurqU~!~sq6Ph0?L&?f|uCrwhSw3K0 zg4l$-V1|)j;s)^}_&9nbGJ)Zkhx%!nA0E+C9aU2Nt4YnGgpRZ^oVNA=*_7Mshpj%m zJrD)sl*x_huVP7x5hERK3mTTey-XfE)0+J7Et)_BUKq**yBL^6;e`Jxzcv)W{6a^;NVIke)$|l!Jq5RzKRi zxr#>zGV(wEP;*lo*zd!^U_#rs$@}Ke`mt#`C^BT6uOClC&h9GD(D}kEI3MsMKo{2j zQ!acvIYLB8jmAkj1B+^e(;oXDAa1|~&~b7d6`>hS&wui&dilN-c{?(`P~-{|%gYbH 
z-M@6IN{&s{7YgWmKz;mG<)-JcV2c%y;RZ|Z`uzkcsI#hXU}0-u9`s5hIQTEw?9sd0 zr5tOD5`6qsbXS%%M@3g7#*dAwtB>esT~>XR3$EpBuX^qaQsW3#mxmDsUH$YI9rcipeY5CQDmd zqyMIgIcX()j=9&$sw4vn*?*cnzw<#cj!7nu(92t8LZ!`^o2*ZaSz}vO%<8PPbSKc0UOr}gIX2YGn()Dx(H|Sotn{XTkPx(+MTa5_XT_Hf* z$o@(MLRYA7q;h9rxpj(P_pu|Z>_ZSHFBQ^1`s9qPnC?!7ypph1nXPQ3`?b)WD$d|GYo)}xHWVvE3KON1l#20Mp znA4=!S2rgXCT7tiG*)Y6Y@x7J*ecQS!!IOAY zcmkMJ19R?QXs%;4J4h+BPC*r)AfA*?s&J@OQR1Sd$dWr*qF9}5+HfM~Kwc{zHw0c? z;~B4dozFzq@@7gN!l*9mt?{yh?50+f1&-l3_%pE}l()W*&{OU;j`U+`p-j(Bge zDCL?^&tSJnGE0sHbClD F;BR8aVf_FA literal 0 HcmV?d00001 
diff --git a/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/postgresql.gpg b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/postgresql.gpg new file mode 100644 index 0000000000000000000000000000000000000000..afa15cb1087de3aaad67e6d95989eb21b7501377 GIT binary patch literal 3494 zcma*nXEYlO!^ZIlDq_VdY816<&k`zP@2$0}t)NBiL-=9GfZ@+Xn&R_lzyYq^^jnS2d*%!PjR z2g1^bzvXBziWS@{+O>q`Kd-UCH(&ZZTSg1Iwg5j2l~4Mt@~1? z8;^e3LduJLEtOb;EA+*D#PS;|%(9oOhS@agx%J;Rhvq-0>Ur$CTJGAx=0xtN*;dqC zKG?%kfZ{l@tCUQW|C`iIG?@JHXH(@9`A2b)nd4G0(+(<6L#w;*R|OYznjba%kmcvW z!jz}JhKr|mbuB}0C1ha7{>U;uYX2tYtobtK>s>#e47llH?Ax7i*$7|!+D$s?C15rA z{hT`w5}VK*zb1rcPT)YRPpmwN>%`B9GP^l%M}%Hif*9!0tEnOhXI8+M|U`{pJ?y zxYMLiH1WAx_CG}I!Rjm-1@hsVhp|V`deV7k8`RQG}ReZ5x6Z8M@Qml z(B3EfmW~Q4qz&AqpLYK?eh6n;$rnfN0_aHqB#j&4S~|8j&%QfB*_Wc2aUGN)QDpIWw3NL`8lVNJ;_#a*+U8LhkaA;R3>P3XyrEluJc8<7VN_Zjo@}E~Zp+;B(VuE!&~v*Pc#&$uoGffEV5pIOE@~>a|+a2XFB#o;z#@s1f?TD*!%oPdHPz7uE)No_%jj zB+-&N)YMWbkRnZYPoj&@-phG{N(|Y>y<~)YjxLLjAMwjlv?>nU67qU_A$YYIuIfEZ zU|zg+{rdU4eMtFWTMX!UJILI`!lXZ-A$xA4n8tkH>JU~68rLDVX$IwoU~l#H#|w<= zcx;-SR`!~|U2?EyRf;mb+hkJA=qtFTF6ZqMJe8|PGExT2T{6czF;o!zzPx$Wq@lpC zOGDegs==H;R*BWy>pcZED$F>NU={+w74i{y#*Lx!2Y>o}5AW5QcA1gKZ>hb|!L9{k z@AHjN*_xY#MQ$E zZ>kx-eyAb;Lr3%y6mJ0!ZfOc>SeAvWf}E-^#ncMp#mmcEYTWC^aHSMW9Su@AW43YL zi#3RF(nK|%i1)gs|Fl!(L02ICud(RnoZW){nrPgt7hm{?Z++6qnPXDi&2>%>zk3*b zThc&K`A11qVJ)}lYT~p*JI|Ih>-&cFB@}dL6I&~Ris=F{P18KnnGHR>pjL8@u(qUf|a0;?b!X`Zd{OHUxY@sLjb*-m+h>za8_Bs zOPlwi3|BXmnfY@m)cPvk^Ufy$n)RQ?yCR(G`6q*~@X(J@?_sZ%orKN0icb_AB z97*|MCL?XNwXc)ynK2}RK`no72V_Mxlk+zsU-^TTf0W8RxPs49S;iVE?+P}=Wa7=v z*~a(QlIS%CMigkcC8fb4?JUtAqGxHYS*=<--U^@R0zxt}Kl+t!ThFGtub>p3R{IgNK3E?(75tIY8jW5ft=)jY1C zu-aPUTHrw{}5PMPh$Fi57lrphs;xS@YoGHm_-pH2^I*&?WW(|aG_czh=Ur1}zS4@-sDMx%bx_VH^Yi)aQF@Bkr6#A*q?p(l&kmlj;+QE3N7z z_*`jgOw;DutA6A4y+1`&a}UWYu;ee?1+-oEShN>ftY6%(G2V^xNMlL4HbnkHRI2L0m$1#!X0sc3?9Odni>pNN&|H#dL~;_N$oAY5pEL$hE&5T6AeDMWV`}=!W{g&^HO$rXo)5C&xx;FARzxn#gG=%zQm=U?V^xlr_;1V5 
z%Q7@ECtemEALdqY3lB831Uv53QH!|HFlVaW53f(}MICpBW-BFBJ1HKVih+rL^{W)0 za_V=QFN^Z6>7zR>