Bumps bundled Terraform from `1.15.2` to `1.15.5` across all pinned
locations:
- `.github/actions/setup-tf/action.yaml`
- `scripts/Dockerfile.base`
- `install.sh`
- `flake.nix` (+ updated SRI hash for the linux_amd64 zip)
- `mise.toml`
- `mise.lock` (+ updated per-platform SHA256 checksums)
- `provisioner/terraform/testdata/version.txt`
-
`provisioner/terraform/testdata/resources/ai-tasks-disabled/ai-tasks-disabled.tfplan.json`
## Why
Terraform 1.15.5 is built with Go 1.25.10, while the 1.15.2 we currently
ship was built with Go 1.25.8. The newer Go runtime addresses recent
stdlib CVEs flagged by security scanners.
Releases included: 1.15.3 (provider install crash fix, nested-module
stack migration fix), 1.15.4 (Linux s390x builds, symlinked provider dir
fix), 1.15.5.
Release notes:
https://github.com/hashicorp/terraform/releases/tag/v1.15.5
## Cherry-pick
#25747 mirrors this PR against `release/2.34`.
Created on behalf of @Shelnutt2
Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Splits the dogfood image into two artifacts:
- `ghcr.io/coder/oss-dogfood-base:<distro>-<base-sha>`: Ubuntu base with
apt packages, chrome, rustup, brew, gh, and the mise binary. The
base-sha is a cache key over `Dockerfile.base` and `files/`, so commits
that don't touch those inputs reuse the previous build.
- `codercom/oss-dogfood:<final-sha>-<distro>` and rolling tags
(`:22.04`, `:26.04`, `:latest`, `:<branch>`): produced by `mise oci
build` on top of the base, with one content-addressed OCI layer per mise
tool. The rolling tag scheme is unchanged, so the workspace template
doesn't need updating.
Single-tool version bumps now invalidate only that tool's OCI layer, so
workspaces re-pull just what changed instead of the entire 5-6 GB image
on every recreate.
Also:
- Drops the build-time `pnpm dlx playwright@1.47.0 install --with-deps
chromium` step (~400 MB) and the equivalent `playwright-driver.browsers`
install from `flake.nix`. `@playwright/mcp` (used by the claude-code and
codex MCP servers in `dogfood/coder/main.tf`) does NOT auto-install
browsers, so the existing `install-deps` `coder_script` now runs two
installs on workspace start: `pnpm exec playwright install chromium` for
the site's pinned `@playwright/test`, and `npx
--package=@playwright/mcp@latest playwright-core install --no-shell
chromium` so the MCP servers find their matching browser revision.
Browser revisions coexist under
`~/.cache/ms-playwright/chromium-<rev>/`, which lives on the home volume
so both downloads happen once per workspace recreate and persist across
restarts. Net effect: same MCP behavior as before, +~1-2 min on first
workspace start. Nix devshell users running site e2e tests locally now
need `pnpm exec playwright install` once (instead of getting browsers
via nixpkgs).
- Bumps the pinned mise binary to v2026.5.12 (matching main after
#25521) and adds top-level `min_version = "2026.5.12"` to `mise.toml` so
every consumer (devs, CI, the embedded mise inside the dogfood image,
mise oci builds) fails fast on an older mise.
- Adds bison, flex, libicu-dev, libreadline-dev, uuid-dev, and
zlib1g-dev to both Ubuntu base images for source-build use cases (e.g.,
building Postgres from source).
- Replaces skopeo with crane as the registry client `mise oci push`
shells out to: crane is added to `mise.toml`, the workflow drops its
`apt-get install skopeo` and forces `--tool crane`, and the local
wrapper image stops bundling skopeo. One source of truth for tool
versions, no apt drift, smaller wrapper image, and workspace users get a
registry client on PATH for free via mise oci's tool layers.
- Removes `nix.hash`/`mise.hash` and their Makefile rules. The registry
digest already captures every effective change since CI rebuilds when
any baked-in input moves; the per-file `filesha1()` entries in
`pull_triggers` are redundant.
Supersedes #25400 (the `mise.hash` pull trigger landed there in
`2b612abe7b`; this PR removes it as part of the broader simplification).
> [!NOTE]
> `mise oci build` is experimental and requires `MISE_EXPERIMENTAL=1`
(set at job level in the workflow). The local-only
`scripts/dogfood/mise-oci-wrapper.sh` builds a tiny
`coderdev/mise-oci-wrapper:<version>` Debian image with curl-installed
mise on first invocation (cached by version tag thereafter); we don't
reuse `jdxcode/mise:latest` because that tag lags upstream GitHub
releases by days and would defeat the `min_version` enforcement above.
> [!NOTE]
> `compute-base-sha.sh` and `compute-final-sha.sh` are cache keys, not
strict content addresses: the base Dockerfile still pulls dynamic
resources at build time (gh/buildx `releases/latest`, chrome
`stable_current_amd64.deb`, apt mirror state). Two runs with identical
checked-in files can produce slightly different bytes, which is
acceptable here because the cache-hit savings on irrelevant commits
outweigh that drift.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mise's aqua plugin now templates `{{.Version}}` with the leading `v`, so
the official `get.helm.sh` URLs resolve without the hand-rolled `http:`
workaround that was added when the version-prefix templating was broken.
Drops the templated URL block (and its explanatory comment) in favor of
plain `helm = "3.21.0"`. The regenerated lockfile picks up windows-amd64
(which the old workaround intentionally omitted) and replaces the
locally-computed blake3 checksum with the upstream sha256 sums.
Follow-up to #25520, which bumped the pinned version to 3.21.
---------
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three changes to make mise-managed tooling reach every dogfood workspace
cleanly, with the upstream `devcontainers-cli` module fix as the
original trigger.
## Why the module breaks
The upstream [`devcontainers-cli` coder
module](https://github.com/coder/registry/blob/main/registry/coder/modules/devcontainers-cli/run.sh)
does `npm install -g @devcontainers/cli` and then verifies the binary is
on `PATH`. With mise-managed Node (introduced in #25282), `npm install
-g` lands the binary at `$MISE_DATA_DIR/installs/node/<ver>/bin/`, which
is *not* on `PATH` and which `mise reshim` does not surface as a shim.
The post-install check fails:
```
Installing @devcontainers/cli using npm...
changed 1 package in 661ms
Reshimming mise 26...
Installation completed but 'devcontainer' command not found in PATH
```
Even though nothing the user does is actually broken.
## What this PR does
1. **`mise.toml`** — pre-install `@devcontainers/cli` via mise's `npm:`
backend (`npm:@devcontainers/cli = "0.87.0"`). The mise shim lands at
`$MISE_DATA_DIR/shims/devcontainer`, on `PATH`. The upstream module's
`run.sh` short-circuits on its `command -v devcontainer` check and exits
0 without ever running the broken npm-install path. Strictly redundant
after fix the second point makes `npm i -g` work natively, but kept for
build-time pre-install and pinned-version reasons matching the other
mise-pinned CLIs.
2. **`dogfood/coder/ubuntu-*.04/Dockerfile`** — set
`NPM_CONFIG_PREFIX=/home/coder/.npm-global` and prepend
`/home/coder/.npm-global/bin` to `PATH`. With this, generic `npm install
-g <pkg>` (prettier, biome, anything frontend folks reach for) lands in
a stable home-volume dir that is already on `PATH`, survives node
version bumps, and needs no `mise reshim`. The mise `npm:` backend keeps
using its own `--prefix` internally so the `npm:@devcontainers/cli` pin
still installs under `$MISE_DATA_DIR` as before.
3. **`dogfood/coder/ubuntu-*.04/Dockerfile`** — install image tools into
`/opt/mise/data` at build time (owned by `coder`) and expose them at
runtime via `MISE_SHARED_INSTALL_DIRS=/opt/mise/data/installs`, keeping
`MISE_DATA_DIR=/home/coder/.local/share/mise` for the user's own
installs. This decouples baked tool versions from the home volume's
copy-on-first-mount: fresh and existing workspaces both immediately see
the image's tool set without a `mise install` step, and the user's own
`mise install <tool>` / `mise use --global` still lands on the home
volume. The `/opt/mise/data/shims` dir trails the user shim dir on
`PATH` so a user-installed version wins when both exist.
Pinned to `0.87.0` (current latest) so Renovate/Dependabot can bump
deliberately, matching the policy applied to the other floating tools
during the mise migration (`lazygit`, `doctl`, `jj`, `typos`,
`watchexec`).
---------
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This PR replaces the hand-rolled `curl | tar | go install | cargo
install` chains in the dogfood Ubuntu 22.04 and 26.04 Dockerfiles with a
single `mise install` driven by a new repo-root `mise.toml`.
The previous Dockerfiles installed ~25 CLIs across three multi-stage
builds with versions hardcoded inline. Version bumps were scattered
across the Dockerfiles, the root `mise.toml` (added in #24618 but
otherwise unused at runtime), and CI's setup actions; build-time network
failures came from a dozen distinct endpoints; and `mise` itself sat in
the image with no manifest to install from.
The new flow:
- The repo's `mise.toml` is the single source of truth for image tool
versions. The Dockerfiles `COPY` it to `/etc/mise/config.toml` and run a
single `mise install` as the `coder` user.
- Tools are installed into `/opt/mise/data` rather than the default
`/home/coder/.local/share/mise`, so they live in the image (not on the
persistent home volume) and reach every workspace on recreate.
- Build context moves to the repo root so the Dockerfile can `COPY
mise.toml`; an allowlist `.dockerignore` keeps the transferred context
to ~24 kB.
- Optional `--secret id=github_token` plumbing through the Makefile and
`.github/workflows/dogfood.yaml` lifts aqua's GitHub API quota from
60/hr unauthenticated to 1000/hr with `secrets.GITHUB_TOKEN`.
- `MISE_TRUSTED_CONFIG_PATHS=/home/coder:/etc/mise` is set as an ENV so
users who clone the coder repo into their workspace home aren't prompted
to `mise trust`.
Net diff for the two Ubuntu Dockerfiles: -399 / +244 lines (~200 lines
shorter each). The `FROM rust-utils`, `FROM go`, and `FROM proto`
multi-stage builds are gone; so are the NVM/Node block, the bulk
binary-install block (golangci-lint, helm, kubectx, syft, cosign, bun),
the gh `.deb`/lazygit/doctl tarball installs, the gofmt
`update-alternatives` line, and the `yq`→`yq4` rename
(`scripts/lib.sh:267-275` already auto-detects either name).
Both images were built and smoke-tested with Apple's `container` CLI on
macOS — every migrated tool resolves to the expected pinned version
including outside the cloned coder repo (e.g. `gh` from `/home/coder`,
matching the workspace startup script in `dogfood/coder/main.tf`),
`sqlc` runs (proving `CGO_ENABLED=1` was honoured at install), `yq
--version` reports v4 for `scripts/lib.sh`'s detection, and `gofmt`
resolves via the mise shim.
Follow-ups (out of scope here):
- Commit a multi-platform `mise.lock` so `gh = "latest"` and the other
floating versions resolve deterministically across rebuilds and dev
machines.
- Migrate CI's `setup-go` / `setup-node` actions to consume `mise.toml`
so image and CI versions stop being able to drift.
---------
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thomas Kosiewski