chore(deps): bump crate-ci/typos from 1.46.3 to 1.47.0 in the github-actions group (#906)

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/ci.yaml

@@ -37,7 +37,7 @@ jobs:
             all:
               - '**'
       - name: Set up Terraform
-        uses: coder/coder/.github/actions/setup-tf@34584e909bbe6f501fb2cbdc994325b4d3f9e2ef # v2.32.0
+        uses: coder/coder/.github/actions/setup-tf@b98577cb911ff8a748dd6a57f5d49e4797a3c789 # v2.33.6
       - name: Set up Bun
         uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
         with:
@@ -87,13 +87,13 @@ jobs:
           bun-version: latest
       # Need Terraform for its formatter
       - name: Install Terraform
-        uses: coder/coder/.github/actions/setup-tf@34584e909bbe6f501fb2cbdc994325b4d3f9e2ef # v2.32.0
+        uses: coder/coder/.github/actions/setup-tf@b98577cb911ff8a748dd6a57f5d49e4797a3c789 # v2.33.6
       - name: Install dependencies
         run: bun install
       - name: Validate formatting
         run: bun fmt:ci
       - name: Check for typos
-        uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1
+        uses: crate-ci/typos@f8a58b6b53f2279f71eb605f03a4ae4d10608f45 # v1.47.0
         with:
           config: .github/typos.toml
   validate-readme-files:

.github/workflows/deploy-registry.yaml

@@ -9,11 +9,12 @@ on:
       # Matches release/<namespace>/<resource_name>/<semantic_version>
       # (e.g., "release/whizus/exoscale-zone/v1.0.13")
       - "release/*/*/v*.*.*"
-    branches: # Templates get released when merged to main
+    branches: # Templates and skills get released when merged to main
       - main
     paths:
       - ".github/workflows/deploy-registry.yaml"
       - "registry/**/templates/**"
+      - "registry/**/skills/**"
       - "registry/**/README.md"
       - ".icons/**"
 

.github/workflows/golangci-lint.yml

@@ -19,6 +19,6 @@ jobs:
         with:
           go-version: stable
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9
         with:
           version: v2.1

.github/workflows/release.yml

@@ -33,6 +33,7 @@ jobs:
           echo "namespace=$NAMESPACE" >> $GITHUB_OUTPUT
           echo "module=$MODULE" >> $GITHUB_OUTPUT
           echo "version=$VERSION" >> $GITHUB_OUTPUT
+
           echo "module_path=registry/$NAMESPACE/modules/$MODULE" >> $GITHUB_OUTPUT
 
           RELEASE_TITLE="$NAMESPACE/$MODULE $VERSION"

.github/workflows/version-bump.yaml

@@ -31,7 +31,7 @@ jobs:
           bun-version: latest
 
       - name: Set up Terraform
-        uses: coder/coder/.github/actions/setup-tf@34584e909bbe6f501fb2cbdc994325b4d3f9e2ef # v2.32.0
+        uses: coder/coder/.github/actions/setup-tf@b98577cb911ff8a748dd6a57f5d49e4797a3c789 # v2.33.6
 
       - name: Install dependencies
         run: bun install

.github/workflows/zizmor.yaml

@@ -27,7 +27,7 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor (blocking, HIGH only)
-        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
         with:
           advanced-security: false
           annotations: true
@@ -49,7 +49,7 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor (SARIF)
-        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
         with:
           inputs: |
             .github/workflows

.icons/coder-modules.svg

@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+  <rect width="7" height="7" x="14" y="3" rx="1"/>
+  <path d="M10 21V8a1 1 0 0 0-1-1H4a1 1 0 0 0-1 1v12a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1v-5a1 1 0 0 0-1-1H3"/>
+</svg>

.icons/coder-templates.svg

@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+  <rect width="18" height="7" x="3" y="3" rx="1"/>
+  <rect width="9" height="7" x="3" y="14" rx="1"/>
+  <rect width="5" height="7" x="16" y="14" rx="1"/>
+</svg>

cmd/readmevalidation/coderskills.go

@@ -0,0 +1,339 @@
+package main
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"os"
+	"path"
+	"regexp"
+	"slices"
+	"strings"
+
+	"golang.org/x/xerrors"
+	"gopkg.in/yaml.v3"
+)
+
+// skillsRepoSpecRe matches the "owner/repo" or "owner/repo@ref" format used
+// in the skills README sources frontmatter. Owners and repo names allow
+// alphanumerics, hyphens, underscores, and dots. Refs allow the same plus
+// forward slashes for paths like refs/heads/main.
+var skillsRepoSpecRe = regexp.MustCompile(`^[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+(@[a-zA-Z0-9_./-]+)?$`)
+
+// skillsIconPrefix is the relative path prefix from a skills README to the
+// repo-level .icons directory. The skills README lives at depth 3
+// (registry/<namespace>/skills/README.md), so the prefix is three levels up.
+// This is distinct from modules and templates, which live at depth 4 and use
+// "../../../../.icons/".
+const skillsIconPrefix = "../../../.icons/"
+
+// skillOverride holds per-skill presentation metadata defined in the
+// registry README. All fields are optional.
+type skillOverride struct {
+	DisplayName string   `yaml:"display_name"`
+	Description string   `yaml:"description"`
+	Icon        string   `yaml:"icon"`
+	Tags        []string `yaml:"tags"`
+}
+
+// skillSource is one entry in the sources list, describing a single source
+// repo and optional per-skill overrides.
+type skillSource struct {
+	Repo   string                   `yaml:"repo"`
+	Skills map[string]skillOverride `yaml:"skills"`
+}
+
+// coderSkillsFrontmatter is the YAML frontmatter schema for
+// registry/<namespace>/skills/README.md.
+type coderSkillsFrontmatter struct {
+	Icon    string        `yaml:"icon"`
+	Sources []skillSource `yaml:"sources"`
+}
+
+// supportedSkillsTopLevelKeys lists the keys allowed at the root of the
+// skills README frontmatter. Nested keys under sources are validated
+// separately because the typed unmarshal handles them.
+var supportedSkillsTopLevelKeys = []string{"icon", "sources"}
+
+// coderSkillsReadme represents a parsed skills README file.
+type coderSkillsReadme struct {
+	filePath    string
+	body        string
+	frontmatter coderSkillsFrontmatter
+}
+
+// separateSkillsFrontmatter is like separateFrontmatter but preserves
+// indentation in the frontmatter block. The skills README uses nested YAML
+// (per-skill metadata under each source), which the indentation-trimming
+// behavior of the shared separateFrontmatter helper destroys.
+func separateSkillsFrontmatter(readmeText string) (frontmatter string, body string, err error) {
+	if readmeText == "" {
+		return "", "", xerrors.New("README is empty")
+	}
+
+	const fence = "---"
+	var fmBuilder strings.Builder
+	var bodyBuilder strings.Builder
+	fenceCount := 0
+
+	lineScanner := bufio.NewScanner(strings.NewReader(strings.TrimSpace(readmeText)))
+	for lineScanner.Scan() {
+		nextLine := lineScanner.Text()
+		if fenceCount < 2 && strings.TrimSpace(nextLine) == fence {
+			fenceCount++
+			continue
+		}
+		if fenceCount == 0 {
+			break
+		}
+		if fenceCount >= 2 {
+			bodyBuilder.WriteString(nextLine)
+			bodyBuilder.WriteString("\n")
+		} else {
+			fmBuilder.WriteString(nextLine)
+			fmBuilder.WriteString("\n")
+		}
+	}
+	if fenceCount < 2 {
+		return "", "", xerrors.New("README does not have two sets of frontmatter fences")
+	}
+	if strings.TrimSpace(fmBuilder.String()) == "" {
+		return "", "", xerrors.New("readme has frontmatter fences but no frontmatter content")
+	}
+
+	return fmBuilder.String(), strings.TrimSpace(bodyBuilder.String()), nil
+}
+
+// isPermittedSkillsIconURL validates that an icon URL references the
+// repo-level .icons directory using the 3-deep prefix appropriate for
+// skills READMEs, and that the file exists on disk.
+func isPermittedSkillsIconURL(checkURL string, readmeFilePath string) error {
+	if !strings.HasPrefix(checkURL, skillsIconPrefix) {
+		return xerrors.Errorf("icon URL %q must reference the top-level .icons directory using %q", checkURL, skillsIconPrefix)
+	}
+
+	readmeDir := path.Dir(readmeFilePath)
+	resolvedPath := path.Join(readmeDir, checkURL)
+
+	if _, err := os.Stat(resolvedPath); err != nil {
+		if os.IsNotExist(err) {
+			return xerrors.Errorf("icon file does not exist at resolved path %q (referenced as %q)", resolvedPath, checkURL)
+		}
+		return xerrors.Errorf("error checking icon file at %q: %v", resolvedPath, err)
+	}
+
+	return nil
+}
+
+func validateSkillsIconURL(iconURL string, filePath string) []error {
+	if iconURL == "" {
+		return nil
+	}
+
+	var errs []error
+	if strings.HasPrefix(iconURL, "http://") || strings.HasPrefix(iconURL, "https://") {
+		errs = append(errs, xerrors.Errorf("icon URL must reference the top-level .icons directory, not an absolute URL %q", iconURL))
+		return errs
+	}
+
+	if err := isPermittedSkillsIconURL(iconURL, filePath); err != nil {
+		errs = append(errs, err)
+	}
+	return errs
+}
+
+// validateSkillsTopLevelKeys parses the (indentation-preserved) frontmatter
+// as a YAML map and verifies that every top-level key is in the supported
+// set. This catches typos like "source:" vs "sources:".
+func validateSkillsTopLevelKeys(fm string) []error {
+	var rawKeys map[string]any
+	if err := yaml.Unmarshal([]byte(fm), &rawKeys); err != nil {
+		return []error{xerrors.Errorf("failed to parse frontmatter as YAML map: %v", err)}
+	}
+
+	var errs []error
+	for key := range rawKeys {
+		if !slices.Contains(supportedSkillsTopLevelKeys, key) {
+			errs = append(errs, xerrors.Errorf("detected unknown top-level key %q (allowed: %s)", key, strings.Join(supportedSkillsTopLevelKeys, ", ")))
+		}
+	}
+	return errs
+}
+
+func validateSkillsSources(sources []skillSource, filePath string) []error {
+	if len(sources) == 0 {
+		return []error{xerrors.New("at least one source repo is required under 'sources'")}
+	}
+
+	var errs []error
+	for i, src := range sources {
+		if src.Repo == "" {
+			errs = append(errs, xerrors.Errorf("sources[%d]: missing required 'repo' field", i))
+			continue
+		}
+		if !skillsRepoSpecRe.MatchString(src.Repo) {
+			errs = append(errs, xerrors.Errorf("sources[%d]: repo %q is not a valid owner/repo or owner/repo@ref spec", i, src.Repo))
+		}
+
+		for slug, override := range src.Skills {
+			if !validNameRe.MatchString(slug) {
+				errs = append(errs, xerrors.Errorf("sources[%d]: skill slug %q contains invalid characters (only alphanumeric and hyphens allowed)", i, slug))
+			}
+
+			for _, iconErr := range validateSkillsIconURL(override.Icon, filePath) {
+				errs = append(errs, xerrors.Errorf("sources[%d].skills[%q]: %v", i, slug, iconErr))
+			}
+
+			// validateCoderResourceTags returns an error for nil tags, which is
+			// fine for modules/templates that require tags but not for skills
+			// where tags are an optional override.
+			if override.Tags != nil {
+				if err := validateCoderResourceTags(override.Tags); err != nil {
+					errs = append(errs, xerrors.Errorf("sources[%d].skills[%q]: %v", i, slug, err))
+				}
+			}
+		}
+	}
+	return errs
+}
+
+func validateCoderSkillsFrontmatter(filePath string, fm coderSkillsFrontmatter) []error {
+	var errs []error
+
+	for _, err := range validateSkillsIconURL(fm.Icon, filePath) {
+		errs = append(errs, addFilePathToError(filePath, err))
+	}
+
+	for _, err := range validateSkillsSources(fm.Sources, filePath) {
+		errs = append(errs, addFilePathToError(filePath, err))
+	}
+
+	return errs
+}
+
+func parseCoderSkillsReadme(rm readme) (coderSkillsReadme, []error) {
+	fm, body, err := separateSkillsFrontmatter(rm.rawText)
+	if err != nil {
+		return coderSkillsReadme{}, []error{xerrors.Errorf("%q: failed to parse frontmatter: %v", rm.filePath, err)}
+	}
+
+	keyErrs := validateSkillsTopLevelKeys(fm)
+	if len(keyErrs) != 0 {
+		var remapped []error
+		for _, e := range keyErrs {
+			remapped = append(remapped, addFilePathToError(rm.filePath, e))
+		}
+		return coderSkillsReadme{}, remapped
+	}
+
+	yml := coderSkillsFrontmatter{}
+	if err := yaml.Unmarshal([]byte(fm), &yml); err != nil {
+		return coderSkillsReadme{}, []error{xerrors.Errorf("%q: failed to parse: %v", rm.filePath, err)}
+	}
+
+	return coderSkillsReadme{
+		filePath:    rm.filePath,
+		body:        body,
+		frontmatter: yml,
+	}, nil
+}
+
+func parseCoderSkillsReadmeFiles(rms []readme) ([]coderSkillsReadme, error) {
+	var parsed []coderSkillsReadme
+	var parsingErrs []error
+	for _, rm := range rms {
+		p, errs := parseCoderSkillsReadme(rm)
+		if len(errs) != 0 {
+			parsingErrs = append(parsingErrs, errs...)
+			continue
+		}
+		parsed = append(parsed, p)
+	}
+	if len(parsingErrs) != 0 {
+		return nil, validationPhaseError{
+			phase:  validationPhaseReadme,
+			errors: parsingErrs,
+		}
+	}
+	return parsed, nil
+}
+
+func validateAllCoderSkillsReadmes(readmes []coderSkillsReadme) error {
+	var validationErrs []error
+	for _, rm := range readmes {
+		errs := validateCoderSkillsFrontmatter(rm.filePath, rm.frontmatter)
+		if len(errs) > 0 {
+			validationErrs = append(validationErrs, errs...)
+		}
+	}
+	if len(validationErrs) != 0 {
+		return validationPhaseError{
+			phase:  validationPhaseReadme,
+			errors: validationErrs,
+		}
+	}
+	return nil
+}
+
+// aggregateSkillsReadmeFiles walks registry/<namespace>/skills/README.md
+// entries, skipping namespaces that do not have a skills directory.
+func aggregateSkillsReadmeFiles() ([]readme, error) {
+	namespaceDirs, err := os.ReadDir(rootRegistryPath)
+	if err != nil {
+		return nil, err
+	}
+
+	var allReadmeFiles []readme
+	var errs []error
+	for _, nDir := range namespaceDirs {
+		if !nDir.IsDir() {
+			continue
+		}
+
+		skillsReadmePath := path.Join(rootRegistryPath, nDir.Name(), "skills", "README.md")
+		rmBytes, err := os.ReadFile(skillsReadmePath)
+		if err != nil {
+			if errors.Is(err, os.ErrNotExist) {
+				continue
+			}
+			errs = append(errs, err)
+			continue
+		}
+		allReadmeFiles = append(allReadmeFiles, readme{
+			filePath: skillsReadmePath,
+			rawText:  string(rmBytes),
+		})
+	}
+
+	if len(errs) != 0 {
+		return nil, validationPhaseError{
+			phase:  validationPhaseFile,
+			errors: errs,
+		}
+	}
+	return allReadmeFiles, nil
+}
+
+func validateAllCoderSkills() error {
+	allReadmeFiles, err := aggregateSkillsReadmeFiles()
+	if err != nil {
+		return err
+	}
+
+	logger.Info(context.Background(), "processing skills README files", "num_files", len(allReadmeFiles))
+	if len(allReadmeFiles) == 0 {
+		return nil
+	}
+
+	readmes, err := parseCoderSkillsReadmeFiles(allReadmeFiles)
+	if err != nil {
+		return err
+	}
+
+	if err := validateAllCoderSkillsReadmes(readmes); err != nil {
+		return err
+	}
+
+	logger.Info(context.Background(), "processed all skills README files", "num_files", len(readmes))
+	return nil
+}

cmd/readmevalidation/main.go

@@ -39,6 +39,10 @@ func main() {
 	if err != nil {
 		errs = append(errs, err)
 	}
+	err = validateAllCoderSkills()
+	if err != nil {
+		errs = append(errs, err)
+	}
 
 	if len(errs) == 0 {
 		logger.Info(context.Background(), "processed all READMEs in directory", "dir", rootRegistryPath)

cmd/readmevalidation/repostructure.go

@@ -11,7 +11,7 @@ import (
 	"golang.org/x/xerrors"
 )
 
-var supportedUserNameSpaceDirectories = append(supportedResourceTypes, ".images")
+var supportedUserNameSpaceDirectories = append(supportedResourceTypes, ".images", "skills")
 
 // validNameRe validates that names contain only alphanumeric characters and hyphens
 var validNameRe = regexp.MustCompile(`^[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$`)

registry/coder/modules/dotfiles/README.md

@@ -18,7 +18,7 @@ Under the hood, this module uses the [coder dotfiles](https://coder.com/docs/v2/
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.4.1"
+  version  = "1.4.2"
   agent_id = coder_agent.example.id
 }
 ```
@@ -31,7 +31,7 @@ module "dotfiles" {
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.4.1"
+  version  = "1.4.2"
   agent_id = coder_agent.example.id
 }
 ```
@@ -42,7 +42,7 @@ module "dotfiles" {
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.4.1"
+  version  = "1.4.2"
   agent_id = coder_agent.example.id
   user     = "root"
 }
@@ -54,14 +54,14 @@ module "dotfiles" {
 module "dotfiles" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/dotfiles/coder"
-  version  = "1.4.1"
+  version  = "1.4.2"
   agent_id = coder_agent.example.id
 }
 
 module "dotfiles-root" {
   count        = data.coder_workspace.me.start_count
   source       = "registry.coder.com/coder/dotfiles/coder"
-  version      = "1.4.1"
+  version      = "1.4.2"
   agent_id     = coder_agent.example.id
   user         = "root"
   dotfiles_uri = module.dotfiles.dotfiles_uri
@@ -90,7 +90,7 @@ You can set a default dotfiles repository for all users by setting the `default_
 module "dotfiles" {
   count                = data.coder_workspace.me.start_count
   source               = "registry.coder.com/coder/dotfiles/coder"
-  version              = "1.4.1"
+  version              = "1.4.2"
   agent_id             = coder_agent.example.id
   default_dotfiles_uri = "https://github.com/coder/dotfiles"
 }

registry/coder/modules/dotfiles/main.test.ts

@@ -1,9 +1,11 @@
 import { describe, expect, it } from "bun:test";
 import {
+  findResourceInstance,
   runTerraformApply,
   runTerraformInit,
   testRequiredVariables,
 } from "~test";
+import { readableStreamToText, spawn } from "bun";
 
 describe("dotfiles", async () => {
   await runTerraformInit(import.meta.dir);
@@ -34,6 +36,24 @@ describe("dotfiles", async () => {
         dotfiles_uri: url,
       });
       expect(state.outputs.dotfiles_uri.value).toBe(url);
+
+      // Run the rendered shell script to verify the shell-side URI
+      // validation also accepts the URL. The script will fail later
+      // (no coder binary available), but it must not fail at the
+      // URI validation step.
+      const instance = findResourceInstance(state, "coder_script");
+      const proc = spawn(["bash", "-c", instance.script], {
+        stdout: "pipe",
+        stderr: "pipe",
+      });
+      const stderr = await readableStreamToText(proc.stderr);
+      await proc.exited;
+      expect(stderr).not.toContain(
+        "ERROR: DOTFILES_URI contains invalid characters",
+      );
+      expect(stderr).not.toContain(
+        "ERROR: DOTFILES_URI must be a valid repository URL",
+      );
     }
   });
 

registry/coder/modules/dotfiles/run.sh

@@ -9,7 +9,7 @@ DOTFILES_BRANCH="${DOTFILES_BRANCH}"
 # Validate DOTFILES_URI to prevent command injection (defense in depth)
 if [ -n "$DOTFILES_URI" ]; then
   # shellcheck disable=SC2250
-  if [[ "$DOTFILES_URI" =~ [^a-zA-Z0-9._/:@-] ]]; then
+  if [[ "$DOTFILES_URI" =~ [^a-zA-Z0-9._/:@~-] ]]; then
     echo "ERROR: DOTFILES_URI contains invalid characters" >&2
     exit 1
   fi

registry/coder/modules/git-clone/README.md

@@ -14,7 +14,7 @@ This module allows you to automatically clone a repository by URL and skip if it
 module "git-clone" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.3.0"
+  version  = "2.0.1"
   agent_id = coder_agent.example.id
   url      = "https://github.com/coder/coder"
 }
@@ -28,7 +28,7 @@ module "git-clone" {
 module "git-clone" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.3.0"
+  version  = "2.0.1"
   agent_id = coder_agent.example.id
   url      = "https://github.com/coder/coder"
   base_dir = "~/projects/coder"
@@ -43,7 +43,7 @@ To use with [Git Authentication](https://coder.com/docs/v2/latest/admin/git-prov
 module "git-clone" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.3.0"
+  version  = "2.0.1"
   agent_id = coder_agent.example.id
   url      = "https://github.com/coder/coder"
 }
@@ -70,7 +70,7 @@ data "coder_parameter" "git_repo" {
 module "git_clone" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.3.0"
+  version  = "2.0.1"
   agent_id = coder_agent.example.id
   url      = data.coder_parameter.git_repo.value
 }
@@ -105,7 +105,7 @@ Configuring `git-clone` for a self-hosted GitHub Enterprise Server running at `g
 module "git-clone" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.3.0"
+  version  = "2.0.1"
   agent_id = coder_agent.example.id
   url      = "https://github.example.com/coder/coder/tree/feat/example"
   git_providers = {
@@ -125,7 +125,7 @@ To GitLab clone with a specific branch like `feat/example`
 module "git-clone" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.3.0"
+  version  = "2.0.1"
   agent_id = coder_agent.example.id
   url      = "https://gitlab.com/coder/coder/-/tree/feat/example"
 }
@@ -137,7 +137,7 @@ Configuring `git-clone` for a self-hosted GitLab running at `gitlab.example.com`
 module "git-clone" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.3.0"
+  version  = "2.0.1"
   agent_id = coder_agent.example.id
   url      = "https://gitlab.example.com/coder/coder/-/tree/feat/example"
   git_providers = {
@@ -159,7 +159,7 @@ For example, to clone the `feat/example` branch:
 module "git-clone" {
   count       = data.coder_workspace.me.start_count
   source      = "registry.coder.com/coder/git-clone/coder"
-  version     = "1.3.0"
+  version     = "2.0.1"
   agent_id    = coder_agent.example.id
   url         = "https://github.com/coder/coder"
   branch_name = "feat/example"
@@ -177,7 +177,7 @@ For example, this will clone into the `~/projects/coder/coder-dev` folder:
 module "git-clone" {
   count       = data.coder_workspace.me.start_count
   source      = "registry.coder.com/coder/git-clone/coder"
-  version     = "1.3.0"
+  version     = "2.0.1"
   agent_id    = coder_agent.example.id
   url         = "https://github.com/coder/coder"
   folder_name = "coder-dev"
@@ -185,21 +185,32 @@ module "git-clone" {
 }
 ```
 
-## Git shallow clone
+## Extra `git clone` arguments
 
-Limit the clone history to speed-up workspace startup by setting `depth`.
+> [!NOTE]
+> **Upgrading from v1.x?** The `depth` variable was removed in v2.0.0. Use `extra_args = ["--depth=1"]` instead.
+> Do not pass `-b` or `--branch` in `extra_args` when `branch_name` is
+> already set (or extracted from the URL). Git silently accepts the last
+> `-b` flag, so the two values would conflict.
 
-When `depth` is greater than `0` the module runs `git clone --depth <depth>`.
-If not defined, the default, `0`, performs a full clone.
+Pass any additional flags through `extra_args` (one element per argument).
+This lets you enable anything `git clone` supports without the module having
+to expose it explicitly, for example a shallow clone, submodules, parallel
+fetches, or partial clones.
 
 ```tf
 module "git-clone" {
   count    = data.coder_workspace.me.start_count
   source   = "registry.coder.com/coder/git-clone/coder"
-  version  = "1.3.0"
+  version  = "2.0.1"
   agent_id = coder_agent.example.id
   url      = "https://github.com/coder/coder"
-  depth    = 1
+  extra_args = [
+    "--depth=1",
+    "--recurse-submodules",
+    "--jobs=8",
+    "--filter=blob:none",
+  ]
 }
 ```
 
@@ -212,7 +223,7 @@ This is useful for preparing the environment or validating prerequisites before
 module "git-clone" {
   count            = data.coder_workspace.me.start_count
   source           = "registry.coder.com/coder/git-clone/coder"
-  version          = "1.3.0"
+  version          = "2.0.1"
   agent_id         = coder_agent.example.id
   url              = "https://github.com/coder/coder"
   pre_clone_script = <<-EOT
@@ -235,7 +246,7 @@ This is useful for running initialization tasks like installing dependencies or
 module "git-clone" {
   count             = data.coder_workspace.me.start_count
   source            = "registry.coder.com/coder/git-clone/coder"
-  version           = "1.3.0"
+  version           = "2.0.1"
   agent_id          = coder_agent.example.id
   url               = "https://github.com/coder/coder"
   post_clone_script = <<-EOT
@@ -248,3 +259,7 @@ module "git-clone" {
   EOT
 }
 ```
+
+## Troubleshooting
+
+Logs and scripts for `clone`, `pre_clone`, and `post_clone` are written to `~/.coder-modules/coder/git-clone/<folder_name>/logs/` and `~/.coder-modules/coder/git-clone/<folder_name>/scripts/` respectively.

registry/coder/modules/git-clone/main.test.ts

@@ -1,11 +1,48 @@
 import { describe, expect, it } from "bun:test";
 import {
-  executeScriptInContainer,
+  execContainer,
+  findResourceInstance,
+  runContainer,
   runTerraformApply,
   runTerraformInit,
   testRequiredVariables,
+  type scriptOutput,
+  type TerraformState,
 } from "~test";
 
+const executeScriptInContainer = async (
+  state: TerraformState,
+  image: string,
+  before?: string,
+): Promise<scriptOutput> => {
+  const instance = findResourceInstance(state, "coder_script");
+  const id = await runContainer(image);
+  await execContainer(id, ["sh", "-c", "apk add --no-cache bash >/dev/null"]);
+  if (before) {
+    await execContainer(id, ["sh", "-c", before]);
+  }
+  const resp = await execContainer(id, ["bash", "-c", instance.script]);
+  return {
+    exitCode: resp.exitCode,
+    stdout: resp.stdout.trim().split("\n"),
+    stderr: resp.stderr.trim().split("\n"),
+  };
+};
+
+// Drops a fake `git` onto PATH that prints each argv entry on its own line.
+// Lets tests prove that arguments (including ones with embedded spaces) reach
+// `git clone` as single argv tokens, which the echo line cannot show because
+// it joins with spaces.
+const installFakeGit = [
+  "cat > /usr/local/bin/git <<'SHIM'",
+  "#!/bin/sh",
+  'for arg in "$@"; do',
+  '  printf "argv:%s\\n" "$arg"',
+  "done",
+  "SHIM",
+  "chmod +x /usr/local/bin/git",
+].join("\n");
+
 describe("git-clone", async () => {
   await runTerraformInit(import.meta.dir);
 
@@ -30,12 +67,11 @@ describe("git-clone", async () => {
       url: "fake-url",
     });
     const output = await executeScriptInContainer(state, "alpine/git");
-    expect(output.stdout).toEqual([
-      "Creating directory ~/fake-url...",
-      "Cloning fake-url to ~/fake-url...",
-    ]);
-    expect(output.stderr.join(" ")).toContain("fatal");
-    expect(output.stderr.join(" ")).toContain("fake-url");
+    expect(output.stdout).toContain("Creating directory /root/fake-url...");
+    expect(output.stdout).toContain("Cloning fake-url to /root/fake-url...");
+    expect(output.exitCode).not.toBe(0);
+    expect(output.stdout.join(" ")).toContain("fatal");
+    expect(output.stdout.join(" ")).toContain("fake-url");
   });
 
   it("repo_dir should match repo name for https", async () => {
@@ -206,10 +242,12 @@ describe("git-clone", async () => {
     });
     const output = await executeScriptInContainer(state, "alpine/git");
     expect(output.exitCode).toBe(0);
-    expect(output.stdout).toEqual([
-      "Creating directory ~/repo-tests.log...",
-      "Cloning https://github.com/michaelbrewer/repo-tests.log to ~/repo-tests.log on branch feat/branch...",
-    ]);
+    expect(output.stdout).toContain(
+      "Creating directory /root/repo-tests.log...",
+    );
+    expect(output.stdout).toContain(
+      "Cloning https://github.com/michaelbrewer/repo-tests.log to /root/repo-tests.log on branch feat/branch...",
+    );
   });
 
   it("runs with gitlab clone with switch to feat/branch", async () => {
@@ -219,10 +257,12 @@ describe("git-clone", async () => {
     });
     const output = await executeScriptInContainer(state, "alpine/git");
     expect(output.exitCode).toBe(0);
-    expect(output.stdout).toEqual([
-      "Creating directory ~/repo-tests.log...",
-      "Cloning https://gitlab.com/mike.brew/repo-tests.log to ~/repo-tests.log on branch feat/branch...",
-    ]);
+    expect(output.stdout).toContain(
+      "Creating directory /root/repo-tests.log...",
+    );
+    expect(output.stdout).toContain(
+      "Cloning https://gitlab.com/mike.brew/repo-tests.log to /root/repo-tests.log on branch feat/branch...",
+    );
   });
 
   it("runs with github clone with branch_name set to feat/branch", async () => {
@@ -240,23 +280,25 @@ describe("git-clone", async () => {
 
     const output = await executeScriptInContainer(state, "alpine/git");
     expect(output.exitCode).toBe(0);
-    expect(output.stdout).toEqual([
-      "Creating directory ~/repo-tests.log...",
-      "Cloning https://github.com/michaelbrewer/repo-tests.log to ~/repo-tests.log on branch feat/branch...",
-    ]);
+    expect(output.stdout).toContain(
+      "Creating directory /root/repo-tests.log...",
+    );
+    expect(output.stdout).toContain(
+      "Cloning https://github.com/michaelbrewer/repo-tests.log to /root/repo-tests.log on branch feat/branch...",
+    );
   });
 
   it("runs post-clone script", async () => {
     const state = await runTerraformApply(import.meta.dir, {
       agent_id: "foo",
       url: "fake-url",
+      base_dir: "/tmp",
       post_clone_script: "echo 'Post-clone script executed'",
     });
     const output = await executeScriptInContainer(
       state,
       "alpine/git",
-      "sh",
-      "mkdir -p ~/fake-url && echo 'existing' > ~/fake-url/file.txt",
+      "mkdir -p /tmp/fake-url && echo 'existing' > /tmp/fake-url/file.txt",
     );
     expect(output.stdout).toContain("Running post-clone script...");
     expect(output.stdout).toContain("Post-clone script executed");
@@ -271,6 +313,133 @@ describe("git-clone", async () => {
     const output = await executeScriptInContainer(state, "alpine/git");
     expect(output.stdout).toContain("Running pre-clone script...");
     expect(output.stdout).toContain("Pre-clone script executed");
-    expect(output.stdout).toContain("Cloning fake-url to ~/fake-url...");
+    expect(output.stdout).toContain("Cloning fake-url to /root/fake-url...");
+  });
+
+  it("fails when pre-clone script fails", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      url: "fake-url",
+      pre_clone_script: "echo 'Pre-clone script failed'; exit 42",
+    });
+    const output = await executeScriptInContainer(state, "alpine/git");
+    expect(output.exitCode).toBe(42);
+    expect(output.stdout).toContain("Running pre-clone script...");
+    expect(output.stdout).toContain("Pre-clone script failed");
+    expect(output.stdout).not.toContain(
+      "Cloning fake-url to /root/fake-url...",
+    );
+  });
+
+  it("defaults extra_args to empty", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      url: "fake-url",
+    });
+    const output = await executeScriptInContainer(
+      state,
+      "alpine/git",
+      installFakeGit,
+    );
+    // With no extra_args the only argv tokens should be clone, url, path.
+    expect(output.stdout.join("\n")).toContain(
+      ["argv:clone", "argv:fake-url", "argv:/root/fake-url"].join("\n"),
+    );
+  });
+
+  it("passes extra_args to git clone", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      url: "fake-url",
+      extra_args: JSON.stringify([
+        "--recurse-submodules",
+        "--jobs=8",
+        "--config=user.name=Coder User",
+        "-c",
+        "core.sshCommand=ssh -i /tmp/key",
+      ]),
+    });
+    const output = await executeScriptInContainer(
+      state,
+      "alpine/git",
+      installFakeGit,
+    );
+    expect(output.exitCode).toBe(0);
+    expect(output.stdout.join("\n")).toContain(
+      [
+        "argv:clone",
+        "argv:--recurse-submodules",
+        "argv:--jobs=8",
+        "argv:--config=user.name=Coder User",
+        "argv:-c",
+        "argv:core.sshCommand=ssh -i /tmp/key",
+        "argv:fake-url",
+        "argv:/root/fake-url",
+      ].join("\n"),
+    );
+  });
+
+  it("passes extra_args alongside branch_name in the correct order", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      url: "fake-url",
+      branch_name: "feat/branch",
+      extra_args: JSON.stringify([
+        "--recurse-submodules",
+        "--config=user.name=Coder User",
+      ]),
+    });
+    const output = await executeScriptInContainer(
+      state,
+      "alpine/git",
+      installFakeGit,
+    );
+    expect(output.exitCode).toBe(0);
+    expect(output.stdout.join("\n")).toContain(
+      [
+        "argv:clone",
+        "argv:--recurse-submodules",
+        "argv:--config=user.name=Coder User",
+        "argv:-b",
+        "argv:feat/branch",
+        "argv:fake-url",
+        "argv:/root/fake-url",
+      ].join("\n"),
+    );
+  });
+
+  it("writes output to logs/clone.log under module directory", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      url: "fake-url",
+    });
+    const instance = findResourceInstance(state, "coder_script");
+    const id = await runContainer("alpine/git");
+    await execContainer(id, ["sh", "-c", "apk add --no-cache bash >/dev/null"]);
+    await execContainer(id, ["bash", "-c", instance.script]);
+    const log = await execContainer(id, [
+      "bash",
+      "-c",
+      "cat /root/.coder-modules/coder/git-clone/*/logs/clone.log",
+    ]);
+    expect(log.exitCode).toBe(0);
+    expect(log.stdout).toContain("Cloning fake-url to /root/fake-url...");
+  });
+
+  it("fails when post-clone script fails", async () => {
+    const state = await runTerraformApply(import.meta.dir, {
+      agent_id: "foo",
+      url: "fake-url",
+      base_dir: "/tmp",
+      post_clone_script: "echo 'Post-clone script failed'; exit 43",
+    });
+    const output = await executeScriptInContainer(
+      state,
+      "alpine/git",
+      "mkdir -p /tmp/fake-url && echo 'existing' > /tmp/fake-url/file.txt",
+    );
+    expect(output.exitCode).toBe(43);
+    expect(output.stdout).toContain("Running post-clone script...");
+    expect(output.stdout).toContain("Post-clone script failed");
   });
 });

registry/coder/modules/git-clone/main.tf

@@ -56,10 +56,10 @@ variable "folder_name" {
   default     = ""
 }
 
-variable "depth" {
-  description = "If > 0, perform a shallow clone using this depth."
-  type        = number
-  default     = 0
+variable "extra_args" {
+  description = "Extra arguments to pass to `git clone`, one element per argument (e.g. `[\"--recurse-submodules\", \"--jobs=8\", \"--filter=blob:none\"]`)."
+  type        = list(string)
+  default     = []
 }
 
 variable "post_clone_script" {
@@ -97,6 +97,30 @@ locals {
   encoded_post_clone_script = var.post_clone_script != null ? base64encode(var.post_clone_script) : ""
   # Encode the pre_clone_script for passing to the shell script
   encoded_pre_clone_script = var.pre_clone_script != null ? base64encode(var.pre_clone_script) : ""
+  encoded_extra_args       = base64encode(join("\n", var.extra_args))
+
+  # Module directory paths (matches coder-utils convention)
+  # Use folder_name so two git-clone instances in the same template get
+  # separate script and log directories.
+  module_dir          = "$HOME/.coder-modules/coder/git-clone/${local.folder_name}"
+  scripts_directory   = "${local.module_dir}/scripts"
+  log_directory       = "${local.module_dir}/logs"
+  clone_script_path   = "${local.scripts_directory}/clone.sh"
+  clone_log_path      = "${local.log_directory}/clone.log"
+  pre_clone_log_path  = "${local.log_directory}/pre_clone.log"
+  post_clone_log_path = "${local.log_directory}/post_clone.log"
+
+  encoded_clone_script = base64encode(templatefile("${path.module}/run.sh", {
+    CLONE_PATH          = local.clone_path,
+    REPO_URL            = local.clone_url,
+    BRANCH_NAME         = local.branch_name,
+    EXTRA_ARGS          = local.encoded_extra_args,
+    POST_CLONE_SCRIPT   = local.encoded_post_clone_script,
+    PRE_CLONE_SCRIPT    = local.encoded_pre_clone_script,
+    SCRIPTS_DIR         = local.scripts_directory,
+    PRE_CLONE_LOG_PATH  = local.pre_clone_log_path,
+    POST_CLONE_LOG_PATH = local.post_clone_log_path,
+  }))
 }
 
 output "repo_dir" {
@@ -130,15 +154,21 @@ output "branch_name" {
 }
 
 resource "coder_script" "git_clone" {
-  agent_id = var.agent_id
-  script = templatefile("${path.module}/run.sh", {
-    CLONE_PATH = local.clone_path,
-    REPO_URL : local.clone_url,
-    BRANCH_NAME : local.branch_name,
-    DEPTH = var.depth,
-    POST_CLONE_SCRIPT : local.encoded_post_clone_script,
-    PRE_CLONE_SCRIPT : local.encoded_pre_clone_script,
-  })
+  agent_id           = var.agent_id
+  script             = <<-EOT
+    #!/bin/bash
+    set -o errexit
+    set -o pipefail
+
+    mkdir -p "${local.module_dir}"
+    mkdir -p "${local.scripts_directory}"
+    mkdir -p "${local.log_directory}"
+
+    echo -n '${local.encoded_clone_script}' | base64 -d > "${local.clone_script_path}"
+    chmod +x "${local.clone_script_path}"
+
+    "${local.clone_script_path}" 2>&1 | tee "${local.clone_log_path}"
+  EOT
   display_name       = "Git Clone"
   icon               = "/icon/git.svg"
   run_on_start       = true

registry/coder/modules/git-clone/run.sh

@@ -1,13 +1,18 @@
 #!/usr/bin/env bash
 
+set -euo pipefail
+
 REPO_URL="${REPO_URL}"
 CLONE_PATH="${CLONE_PATH}"
 BRANCH_NAME="${BRANCH_NAME}"
 # Expand home if it's specified!
 CLONE_PATH="$${CLONE_PATH/#\~/$${HOME}}"
-DEPTH="${DEPTH}"
+EXTRA_ARGS="${EXTRA_ARGS}"
 POST_CLONE_SCRIPT="${POST_CLONE_SCRIPT}"
 PRE_CLONE_SCRIPT="${PRE_CLONE_SCRIPT}"
+SCRIPTS_DIR="${SCRIPTS_DIR}"
+PRE_CLONE_LOG_PATH="${PRE_CLONE_LOG_PATH}"
+POST_CLONE_LOG_PATH="${POST_CLONE_LOG_PATH}"
 
 # Check if the variable is empty...
 if [ -z "$REPO_URL" ]; then
@@ -37,11 +42,18 @@ fi
 # Run pre-clone script if provided
 if [ -n "$PRE_CLONE_SCRIPT" ]; then
   echo "Running pre-clone script..."
-  PRE_CLONE_TMP=$(mktemp)
-  echo "$PRE_CLONE_SCRIPT" | base64 -d > "$PRE_CLONE_TMP"
-  chmod +x "$PRE_CLONE_TMP"
-  $PRE_CLONE_TMP
-  rm "$PRE_CLONE_TMP"
+  PRE_CLONE_PATH="$SCRIPTS_DIR/pre_clone.sh"
+  echo "$PRE_CLONE_SCRIPT" | base64 -d > "$PRE_CLONE_PATH"
+  chmod +x "$PRE_CLONE_PATH"
+  "$PRE_CLONE_PATH" 2>&1 | tee "$PRE_CLONE_LOG_PATH"
+fi
+
+# Build optional git clone flags
+extra_args=()
+if [ -n "$EXTRA_ARGS" ]; then
+  while IFS= read -r arg || [ -n "$arg" ]; do
+    [ -n "$arg" ] && extra_args+=("$arg")
+  done < <(echo "$EXTRA_ARGS" | base64 -d)
 fi
 
 # Check if the directory is empty
@@ -49,18 +61,10 @@ fi
 if [ -z "$(ls -A "$CLONE_PATH")" ]; then
   if [ -z "$BRANCH_NAME" ]; then
     echo "Cloning $REPO_URL to $CLONE_PATH..."
-    if [ "$DEPTH" -gt 0 ]; then
-      git clone --depth "$DEPTH" "$REPO_URL" "$CLONE_PATH"
-    else
-      git clone "$REPO_URL" "$CLONE_PATH"
-    fi
+    git clone $${extra_args[@]+"$${extra_args[@]}"} "$REPO_URL" "$CLONE_PATH"
   else
     echo "Cloning $REPO_URL to $CLONE_PATH on branch $BRANCH_NAME..."
-    if [ "$DEPTH" -gt 0 ]; then
-      git clone --depth "$DEPTH" -b "$BRANCH_NAME" "$REPO_URL" "$CLONE_PATH"
-    else
-      git clone "$REPO_URL" -b "$BRANCH_NAME" "$CLONE_PATH"
-    fi
+    git clone $${extra_args[@]+"$${extra_args[@]}"} -b "$BRANCH_NAME" "$REPO_URL" "$CLONE_PATH"
   fi
 else
   echo "$CLONE_PATH already exists and isn't empty, skipping clone!"
@@ -69,10 +73,9 @@ fi
 # Run post-clone script if provided
 if [ -n "$POST_CLONE_SCRIPT" ]; then
   echo "Running post-clone script..."
-  POST_CLONE_TMP=$(mktemp)
-  echo "$POST_CLONE_SCRIPT" | base64 -d > "$POST_CLONE_TMP"
-  chmod +x "$POST_CLONE_TMP"
+  POST_CLONE_PATH="$SCRIPTS_DIR/post_clone.sh"
+  echo "$POST_CLONE_SCRIPT" | base64 -d > "$POST_CLONE_PATH"
+  chmod +x "$POST_CLONE_PATH"
   cd "$CLONE_PATH" || exit
-  $POST_CLONE_TMP
-  rm "$POST_CLONE_TMP"
+  "$POST_CLONE_PATH" 2>&1 | tee "$POST_CLONE_LOG_PATH"
 fi

registry/coder/skills/README.md

@@ -0,0 +1,35 @@
+---
+icon: ../../../.icons/coder.svg
+sources:
+  - repo: coder/skills@main
+    skills:
+      setup:
+        display_name: Coder Setup
+        icon: ../../../.icons/coder.svg
+        tags: [coder, deployment, configuration]
+      modules:
+        display_name: Coder Modules
+        icon: ../../../.icons/coder-modules.svg
+        tags: [coder, terraform, modules]
+      templates:
+        display_name: Coder Templates
+        icon: ../../../.icons/coder-templates.svg
+        tags: [coder, terraform, templates]
+---
+
+# Coder Skills
+
+Agent skills maintained by [Coder](https://coder.com) for installing,
+configuring, and developing with the Coder platform.
+
+Skills are sourced from [coder/skills](https://github.com/coder/skills)
+and served through the registry's API, MCP tools, and
+[well-known discovery endpoint](https://agentskills.io/specification).
+
+## Available Skills
+
+| Skill                                                                | Description                                                                                                                                                                                   |
+| -------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Coder Setup](https://registry.coder.com/skills/coder/setup)         | Install, deploy, or bootstrap a new Coder deployment end-to-end. Covers Docker, Kubernetes/Helm, VM, cloud, HTTPS/domain setup, first admin creation, starter templates, and first workspace. |
+| [Coder Modules](https://registry.coder.com/skills/coder/modules)     | Add or update Coder modules (from registry.coder.com/modules) inside an existing Coder template. Covers IDEs, AI agents, secrets, dev environment tools, and cloud regions.                   |
+| [Coder Templates](https://registry.coder.com/skills/coder/templates) | Author, edit, push, or version a Coder template. Covers starter selection, template anatomy, parameters, validation, push, and first-workspace verification.                                  |