This PR merges code from `coder/aibridge` repository into `coder/coder`.
It was split into 4 PRs for easier review but stacked PRs will need to
be merged into this PR so all checks pass.
* https://github.com/coder/coder/pull/24190 -> raw code copy (this PR,
before merging PRs on top of it, it was just 1 commit:
https://github.com/coder/coder/commit/70d33f33200c7e77df910957595715f81f9bec24)
* https://github.com/coder/coder/pull/24570 -> update imports in
`coder/coder` to use copied code
* https://github.com/coder/coder/pull/24586 -> linter fixes and CI
integration (also added README.md)
* https://github.com/coder/coder/pull/24571 -> added exclude to
scripts/check_emdash.sh check
Original PR message (before PR squash):
Moves coder/aibridge code into coder/coder repository.
Omitted files:
- `go.mod`, `go.sum`, `.gitignore`, `.github/workflows/ci.yml,`
`Makefile`, `LICENSE`, `README.md` (modified README.md is added later)
- `.github`, `example`, `buildinfo,` `scripts` directories
Simple verification script (will list omitted files)
```
tmp=$(mktemp -d)
echo "$tmp"
git clone --depth=1 https://github.com/coder/aibridge "$tmp/aibridge"
git clone --depth=1 --branch pb/aibridge-code-move https://github.com/coder/coder "$tmp/coder"
diff -rq --exclude=.git "$tmp/aibridge" "$tmp/coder/aibridge"
# rm -rf "$tmp"
```
## What
The `lint-actions` CI job only ran when `.github/workflows/ci.yaml` or
`.github/actions/**` changed. New workflow files like `backport.yaml`
and `cherry-pick.yaml` were never linted by zizmor, allowing several
findings to land undetected.
## Changes
**`.github/workflows/ci.yaml`** — Broaden the `ci` path filter from
`".github/workflows/ci.yaml"` to `".github/workflows/**"` so
`lint-actions` runs when any workflow file changes.
**`.github/workflows/backport.yaml`**:
- Move permissions from workflow-level to job-level (`detect` →
`contents: read`, `backport` → `contents: write` + `pull-requests:
write`) — fixes `excessive-permissions`
- Replace `${{ matrix.branch }}` in `run:` block with `$BRANCH` env var
— fixes `template-injection`
- Add `persist-credentials: false` to both checkouts — fixes
`artipacked`
**`.github/workflows/cherry-pick.yaml`** — Add `persist-credentials:
false` to checkout — fixes `artipacked`
**`.github/zizmor.yml`** — Ignore `dangerous-triggers` for
`backport.yaml` and `cherry-pick.yaml`. Both use `pull_request_target`
intentionally — they only run post-merge (`merged == true`) and don't
check out or execute untrusted PR code.
Relates to https://github.com/coder/dogfood/pull/189
Closes https://github.com/coder/internal/issues/1021
- Adds new script `scripts/should_deploy.sh` which implements the
algorithm in the linked issue
- Changes the `ci.yaml` workflow to run on release branches
- Moves the deployment steps out of `ci.yaml` into a new workflow
`deploy.yaml` for concurrency limiting purposes
- Changes the behavior of image tag pushing slightly:
- Versioned tags will no longer have a `main-` prefix
- `main` branch will still push the `main` and `latest` tags
- `release/x.y` branches will now push `release-x.y` tags
- The deploy job will exit early if `should_deploy.sh` returns false
- The deploy job will now retag whatever image it's about to deploy as
`dogfood`
Paweł Banaszewski