coder

mirror of https://github.com/coder/coder.git synced 2026-06-03 04:58:23 +00:00

Files

T

Seth Shelnutt fcd45a93fb fix(scripts/ironbank): build Terraform from source with Go 1.25.9+ (#25259 )

## Summary

Fixes the bundled Terraform binary in IronBank images being compiled
with an older Go toolchain that exposes 9 CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9.

## Problem

No upstream Terraform release is yet compiled with Go 1.25.9+:
- Terraform 1.14.5 (used by provisioner): compiled with **Go 1.25.6**
- Terraform 1.15.2 (latest stable): compiled with **Go 1.25.8**
- The previous IronBank manifest referenced Terraform 1.3.7, compiled
with Go ~1.19

## Fix

The IronBank build script now compiles Terraform **from source** using
the same Go toolchain as Coder (>= 1.25.9), ensuring all CVEs in the Go
stdlib are addressed.

### Changes

**`scripts/ironbank/build_ironbank.sh`**:
- Builds Terraform 1.14.5 from source instead of downloading a
precompiled binary
- Adds `go`, `zip`, and `git` as build dependencies
- Reads `TERRAFORM_VERSION` from `hardening_manifest.yaml`

**`scripts/ironbank/hardening_manifest.yaml`**:
- Updated all versions to match release/2.32 (was severely outdated):
  - Coder: 0.15.3 -> 2.32.1
  - Terraform: 1.3.7 -> 1.14.5 (built from source)
  - Provider: 0.6.10 -> 2.15.0
- Replaced precompiled Terraform binary URL with source tarball
reference
- Added `TERRAFORM_VERSION` build arg for the build script

<details>
<summary>Decision log</summary>

- **Why build from source?** Neither the latest Terraform 1.14.5 (Go
1.25.6) nor 1.15.2 (Go 1.25.8) is compiled with Go 1.25.9+. Building
from source with our Go toolchain is the only way to address the CVEs
without waiting for an upstream release.
- **Why not bump to Terraform 1.15.x?** The provisioner on release/2.32
has `maxTerraformVersion = 1.14.9`. Bumping to 1.15.x would require
provisioner changes, which is risky on a release branch.
- **Why update the entire manifest?** The manifest was pinned to Coder
0.15.3, Terraform 1.3.7, and provider 0.6.10, all severely outdated and
inconsistent with the release/2.32 branch.

</details>

> Generated by Coder Agents. [Issue
ENT-23](https://linear.app/codercom/issue/ENT-23)

2026-05-18 13:03:02 -04:00

apidocgen

refactor: replace sort.Strings with slices.Sort (#23457 )

2026-03-23 23:19:23 +02:00

apikeyscopesgen

refactor: add wildcard scope entries for API key scopes (#20032 )

2025-10-06 12:08:17 +02:00

apitypings

refactor: make ChatMessagePart a discriminated union in TypeScript (#23168 )

2026-03-18 09:27:51 +00:00

atomicwrite

build(Makefile): enable parallel make -j gen with correct dependency graph (#22612 )

2026-03-05 11:58:10 +00:00

auditdocgen

refactor: deduplicate utility helpers across the codebase (#23338 )

2026-03-20 15:12:41 +00:00

audittypegen

fix: fix slog to always use array of Fields (#21426 )

2026-01-08 10:29:41 +04:00

check-scopes

refactor: replace sort.Strings with slices.Sort (#23457 )

2026-03-23 23:19:23 +02:00

clidocgen

build(Makefile): enable parallel make -j gen with correct dependency graph (#22612 )

2026-03-05 11:58:10 +00:00

dbgen

build(Makefile): enable parallel make -j gen with correct dependency graph (#22612 )

2026-03-05 11:58:10 +00:00

develop

feat: add automatic database migration recovery to scripts/develop (#23466 )

2026-03-24 22:04:56 +02:00

docker-dev

chore: add compose alternative to develop.sh (#22157 )

2026-02-19 09:28:52 +00:00

echoserver

chore: update golang to 1.24.1 (#17035 )

2025-03-26 01:56:39 -05:00

embedded-pg

ci: cache embedded postgres downloaded binaries (#18477 )

2025-06-25 12:00:20 +01:00

examplegen

chore: move docker-chat-sandbox under templates/x (#23777 )

2026-03-30 15:17:55 +02:00

gensite

build(Makefile): enable parallel make -j gen with correct dependency graph (#22612 )

2026-03-05 11:58:10 +00:00

githooks

feat: smart file-based target selection for scripts/githooks (#23358 )

2026-03-20 17:05:44 +02:00

ironbank

fix(scripts/ironbank): build Terraform from source with Go 1.25.9+ (#25259 )

2026-05-18 13:03:02 -04:00

lib

build(scripts/lib): allow MAKE_TIMED=1 to show last 20 lines of failed jobs (#22985 )

2026-03-13 17:41:33 +00:00

linux-pkg

chore: update docs links (#14221 )

2024-08-17 11:51:13 +00:00

metricsdocgen

fix(scripts/metricsdocgen): shush the prometheus scanner in CI (#23642 )

2026-03-26 12:58:02 +00:00

migrate-ci

chore: add /v2 to import module path (#9072 )

2023-08-18 18:55:43 +00:00

migrate-test

fix: correct spurious edits made during the lint fixing slog (#17113 )

2025-03-27 01:13:21 -05:00

modeloptionsgen

feat: polish model config form UI (#24047 )

2026-04-06 10:49:42 -04:00

oauth2

feat: implement RFC 6750 Bearer token authentication (#18644 )

2025-07-02 19:14:54 +02:00

rbac-authz

chore: improve rbac and add benchmark tooling (#18584 )

2025-06-27 12:05:34 +01:00

release

feat: add release candidate (RC) support to release tooling (#23600 )

2026-04-01 16:00:49 -04:00

releasemigrations

chore: arrange imports in a standard way (#21452 )

2026-01-08 15:24:11 +04:00

releaser

chore: tag RCs on main, cut release branch only for releases (#24001 )

2026-04-07 15:21:22 -04:00

telemetry-server

fix(scripts): handle ignored enc.Encode error in telemetry server (#22855 )

2026-03-09 19:03:06 +02:00

testidp

chore: arrange imports in a standard way (#21452 )

2026-01-08 15:24:11 +04:00

typegen

refactor: deduplicate utility helpers across the codebase (#23338 )

2026-03-20 15:12:41 +00:00

win-installer

fix: do not truncate system PATH in win installer (#5243 )

2022-12-02 09:56:49 +10:00

workspace-runtime-audit

chore(coderd/database/dbfake): add support for provisioner job timestamp control (#21944 )

2026-02-06 09:44:40 +00:00

archive.sh

chore: build releases on a single Linux runner (switch to rcodesign) (#3890 )

2022-09-07 18:56:46 +00:00

atomic_protoc.sh

build(Makefile): use atomic writes for remaining gen targets (#22670 )

2026-03-05 22:32:18 +02:00

backport-pr.sh

feat: use -x option in backport script to improve tracability (#23984 )

2026-04-02 10:23:31 -06:00

biome_format.sh

build(Makefile): use atomic writes for remaining gen targets (#22670 )

2026-03-05 22:32:18 +02:00

build_docker_multiarch.sh

chore: parallel makefile attempt 3 (#3926 )

2022-09-08 02:40:17 +10:00

build_docker.sh

feat: add SBOM generation and attestation to GitHub workflow (#17277 )

2025-04-07 17:54:05 +02:00

build_go.sh

fix(scripts): fix Windows version format for RC builds (#23542 )

2026-03-24 18:59:44 -04:00

build_windows_installer.sh

chore: sign the windows installer (#14353 )

2024-08-19 20:33:37 -04:00

check_bootstrap_quotes.sh

ci: add lint check to prevent single quotes in bootstrap scripts (#22664 )

2026-03-06 13:09:56 +01:00

check_codersdk_imports.sh

chore: add lint for codersdk dependencies (#14638 )

2024-09-12 15:34:03 +10:00

check_enterprise_imports.sh

chore(scripts/rules.go): broaden scope of testingWithOwnerUser linter (#10548 )

2023-11-08 14:54:48 +00:00

check_go_versions.sh

ci: check go versions are consistent (#17149 )

2025-04-01 09:03:54 +01:00

check_pg_schema.sh

fix: remove unreachable exit after error call in check_pg_schema.sh (#21530 )

2026-01-16 10:48:20 +02:00

check_site_icons.sh

fix: return error if agent init script fails to download valid binary (#13280 )

2024-05-30 13:33:00 +02:00

check_unstaged.sh

fix(scripts/check_unstaged.sh): modify shebang (#19419 )

2025-08-19 19:24:20 +01:00

coder-dev.sh

fix(scripts): allow graceful shutdown when --debug/dlv is used in develop.sh (#23023 )

2026-03-13 15:40:53 +02:00

deploy-pr.sh

chore(scripts): auto authenticate gh CLI in scripts on dogfood (#13107 )

2024-04-30 19:36:12 +03:00

dev-oidc.sh

feat(cli/server.go): allow the use of public OIDC clients (#16489 )

2025-02-07 14:06:38 +01:00

develop.sh

refactor: rewrite develop.sh orchestrator in Go (#23054 )

2026-03-16 16:13:57 +02:00

Dockerfile

chore: fix depot build (#6057 )

2023-02-06 16:49:33 +00:00

Dockerfile.base

chore: bump bundled terraform to 1.14.5 (#22167 )

2026-02-18 12:18:38 +01:00

fixtures.sh

feat(scripts): add fixtures.sh to add license to dev deployment (#19374 )

2025-08-18 17:32:53 +01:00

format_go_file.sh

chore: manage tool versions in go.mod (#21455 )

2026-01-08 16:25:28 +00:00

helm.sh

chore(site): regenerate provisioner stub (#9151 )

2023-08-18 10:50:43 +02:00

image_tag.sh

chore: pin dogfood to release branch during release freeze (#20028 )

2025-10-02 12:12:29 +10:00

lib.sh

fix(scripts): allow docs_update_experiments.sh to be run on macOS (#14658 )

2024-09-12 21:28:07 +00:00

list_dependencies.sh

chore: add lint for codersdk dependencies (#14638 )

2024-09-12 15:34:03 +10:00

normalize_path.sh

chore: run test-go-pg on macOS and Windows in regular CI (#17853 )

2025-05-22 15:53:37 +02:00

notarize_darwin.sh

feat: add git to Docker image (#6034 )

2023-02-07 02:30:35 +10:00

package.sh

Revert "chore: fix build ci (#13164 )" (#13180 )

2024-05-06 13:13:24 +00:00

pnpm_install.sh

chore: only run pnpm when node_modules are out of date in Makefile (#16017 )

2025-01-03 18:37:25 +05:00

release_promote_stable.sh

chore(scripts): fix stable release promote script (#13204 )

2024-05-17 08:25:10 +00:00

release.sh

chore: add new interactive release package (#22624 )

2026-03-18 12:19:54 -04:00

remote_playwright.sh

chore(site): update @playwright/test to version 1.47.2 (#14912 )

2024-10-01 13:59:49 +00:00

rules.go

fix: fix slog to always use array of Fields (#21426 )

2026-01-08 10:29:41 +04:00

should_deploy.sh

chore: revert force deploying main (#23290 ) (#24072 ) (#24166 )

2026-04-08 14:31:50 -04:00

sign_darwin.sh

ci: remove dylib build pipeline (#22592 )

2026-03-05 01:50:50 +11:00

sign_windows.sh

feat: sign windows binaries (#13086 )

2024-04-29 10:43:27 -05:00

sign_with_gpg.sh

fix: explicitly trust our own GPG key (#23556 )

2026-03-25 10:24:31 +01:00

traiage.sh

ci: assign tasks to triggering username in ai triage workflow (#20022 )

2025-09-30 09:51:28 +01:00

update-flake.sh

chore(dogfood): include multiple templates under dogfood/ (#16846 )

2025-03-11 13:17:40 +00:00

update-release-calendar.sh

chore: fix release calendar and script (#17745 )

2025-05-14 00:04:37 +05:00

version.sh

fix: fix shallow clones not retrieving a valid semver (#13609 )

2024-06-22 00:02:12 +10:00

which-release.sh

chore: add which-release script (#18657 )

2025-07-01 08:05:44 +00:00

zizmor.sh

chore: add actionlint and zizmor linters (#19459 )

2025-08-21 22:14:43 +10:00