Jul 31, 2025 · Jul 15, 2025 · Jul 15, 2025 · Jul 15, 2025 · Jul 15, 2025 · Jul 15, 2025
diff --git a/cli/testdata/coder_list_--output_json.golden b/cli/testdata/coder_list_--output_json.golden
          "template_name": "",
          "template_display_name": "",
          "template_icon": ""
        }
        },
        "logs_overflowed": false
      },
      "reason": "initiator",
      "resources": [],
diff --git a/cli/testdata/coder_provisioner_jobs_list_--help.golden b/cli/testdata/coder_provisioner_jobs_list_--help.golden
  -O, --org string, $CODER_ORGANIZATION
          Select which organization (uuid or name) to use.

  -c, --column [id|created at|started at|completed at|canceled at|error|error code|status|worker id|worker name|file id|tags|queue position|queue size|organization id|template version id|workspace build id|type|available workers|template version name|template id|template name|template display name|template icon|workspace id|workspace name|organization|queue] (default: created at,id,type,template display name,status,queue,tags)
  -c, --column [id|created at|started at|completed at|canceled at|error|error code|status|worker id|worker name|file id|tags|queue position|queue size|organization id|template version id|workspace build id|type|available workers|template version name|template id|template name|template display name|template icon|workspace id|workspace name|logs overflowed|organization|queue] (default: created at,id,type,template display name,status,queue,tags)
          Columns to display in table output.

  -l, --limit int, $CODER_PROVISIONER_JOB_LIST_LIMIT (default: 50)
diff --git a/cli/testdata/coder_provisioner_jobs_list_--output_json.golden b/cli/testdata/coder_provisioner_jobs_list_--output_json.golden
      "template_display_name": "",
      "template_icon": ""
    },
    "logs_overflowed": false,
    "organization_name": "Coder"
  },
  {
      "workspace_id": "===========[workspace ID]===========",
      "workspace_name": "test-workspace"
    },
    "logs_overflowed": false,
    "organization_name": "Coder"
  }
 ]
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
 return q.db.UpdateProvisionerJobByID(ctx, arg)
 }

 func (q *querier) UpdateProvisionerJobLogsLength(ctx context.Context, arg database.UpdateProvisionerJobLogsLengthParams) error {
 // Not sure what the rbac should be here, going with this for now
 if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
 return err
 }
 return q.db.UpdateProvisionerJobLogsLength(ctx, arg)
 }

 func (q *querier) UpdateProvisionerJobLogsOverflowed(ctx context.Context, arg database.UpdateProvisionerJobLogsOverflowedParams) error {
 // Not sure what the rbac should be here, going with this for now
 if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
 return err
 }
 return q.db.UpdateProvisionerJobLogsOverflowed(ctx, arg)
 }

 func (q *querier) UpdateProvisionerJobWithCancelByID(ctx context.Context, arg database.UpdateProvisionerJobWithCancelByIDParams) error {
 // TODO: Remove this once we have a proper rbac check for provisioner jobs.
 // Details in https://github.com/coder/coder/issues/16160
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
 UpdatedAt: time.Now(),
 }).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
 }))
 s.Run("UpdateProvisionerJobLogsLength", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.UpdateProvisionerJobLogsLengthParams{
 ID:         j.ID,
 LogsLength: 100,
 }).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
 }))
 s.Run("UpdateProvisionerJobLogsOverflowed", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.UpdateProvisionerJobLogsOverflowedParams{
 ID:             j.ID,
 LogsOverflowed: true,
 }).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
 }))
 s.Run("InsertProvisionerJob", s.Subtest(func(db database.Store, check *expects) {
 dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
 check.Args(database.InsertProvisionerJobParams{
diff --git a/coderd/database/dbfake/dbfake.go b/coderd/database/dbfake/dbfake.go
 Input:          payload,
 Tags:           map[string]string{},
 TraceMetadata:  pqtype.NullRawMessage{},
 LogsOverflowed: false,
 })
 require.NoError(b.t, err, "insert job")

diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go
 Input:          takeFirstSlice(orig.Input, []byte("{}")),
 Tags:           tags,
 TraceMetadata:  pqtype.NullRawMessage{},
 LogsOverflowed: false,
 })
 require.NoError(t, err, "insert job")
 if ps != nil {
diff --git a/coderd/database/dbmetrics/querymetrics.go b/coderd/database/dbmetrics/querymetrics.go
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/errors.go b/coderd/database/errors.go

 return false
 }

 func IsProvisionerJobLogsLimitError(err error) bool {
 var pqErr *pq.Error
 if errors.As(err, &pqErr) {
 return pqErr.Constraint == "max_provisioner_logs_length" && pqErr.Table == "provisioner_jobs"
 }
 return false
 }
diff --git a/coderd/database/migrations/000355_add_provisioner_logs_overflowed.down.sql b/coderd/database/migrations/000355_add_provisioner_logs_overflowed.down.sql
 ALTER TABLE provisioner_jobs DROP COLUMN logs_length;
 ALTER TABLE provisioner_jobs DROP COLUMN logs_overflowed;
diff --git a/coderd/database/migrations/000355_add_provisioner_logs_overflowed.up.sql b/coderd/database/migrations/000355_add_provisioner_logs_overflowed.up.sql
 -- Add logs length tracking and overflow flag, similar to workspace agents
  ALTER TABLE provisioner_jobs ADD COLUMN logs_length integer NOT NULL DEFAULT 0 CONSTRAINT max_provisioner_logs_length CHECK (logs_length <= 1048576);
  ALTER TABLE provisioner_jobs ADD COLUMN logs_overflowed boolean NOT NULL DEFAULT false;

  COMMENT ON COLUMN provisioner_jobs.logs_length IS 'Total length of provisioner logs';
  COMMENT ON COLUMN provisioner_jobs.logs_overflowed IS 'Whether the provisioner logs overflowed in length';
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
Original file line number	Diff line number	Diff line change
Expand Up		@@ -55,7 +55,8 @@
		"template_name": "",
		"template_display_name": "",
		"template_icon": ""
		}
		},
		"logs_overflowed": false
		},
		"reason": "initiator",
		"resources": [],
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -11,7 +11,7 @@ OPTIONS:
		-O, --org string, $CODER_ORGANIZATION
		Select which organization (uuid or name) to use.

		-c, --column [id\|created at\|started at\|completed at\|canceled at\|error\|error code\|status\|worker id\|worker name\|file id\|tags\|queue position\|queue size\|organization id\|template version id\|workspace build id\|type\|available workers\|template version name\|template id\|template name\|template display name\|template icon\|workspace id\|workspace name\|organization\|queue] (default: created at,id,type,template display name,status,queue,tags)
		-c, --column [id\|created at\|started at\|completed at\|canceled at\|error\|error code\|status\|worker id\|worker name\|file id\|tags\|queue position\|queue size\|organization id\|template version id\|workspace build id\|type\|available workers\|template version name\|template id\|template name\|template display name\|template icon\|workspace id\|workspace name\|logs overflowed\|organization\|queue] (default: created at,id,type,template display name,status,queue,tags)
		Columns to display in table output.

		-l, --limit int, $CODER_PROVISIONER_JOB_LIST_LIMIT (default: 50)
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -26,6 +26,7 @@
		"template_display_name": "",
		"template_icon": ""
		},
		"logs_overflowed": false,
		"organization_name": "Coder"
		},
		{
Expand DownExpand Up		@@ -57,6 +58,7 @@
		"workspace_id": "===========[workspace ID]===========",
		"workspace_name": "test-workspace"
		},
		"logs_overflowed": false,
		"organization_name": "Coder"
		}
		]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -4489,6 +4489,22 @@ func (q *querier) UpdateProvisionerJobByID(ctx context.Context, arg database.Upd
		return q.db.UpdateProvisionerJobByID(ctx, arg)
		}

		func (q *querier) UpdateProvisionerJobLogsLength(ctx context.Context, arg database.UpdateProvisionerJobLogsLengthParams) error {
		// Not sure what the rbac should be here, going with this for now
Copy link Contributor cstyanJul 30, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. This is the only bit I'm unsure of, maybe include the same comment as the other provisioner related functions have? `// TODO: Remove this once we have a proper rbac check for provisioner jobs.// Details in https://github.com/coder/coder/issues/16160` or ask@mafredri since he opened that issue? Copy link ContributorAuthor bcpeinhardtJul 30, 2025• edited Loading Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Our manual testing was actually from the admin account, we should look at this again before merging I think. Edit: I tested with a member account and everything works fine. I could be way off here but I think the action.Update on the ResourceProvisionerJob is coming from the template admin? Copy link ContributorAuthor bcpeinhardtJul 31, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. There are several other queries which perform the same rbac check we do to update fields on the ProvisionerJobs table, so I feel comfortable merging this and revisiting the provisioner jobs rbac in the future.
		if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
		return err
		}
		return q.db.UpdateProvisionerJobLogsLength(ctx, arg)
		}

		func (q *querier) UpdateProvisionerJobLogsOverflowed(ctx context.Context, arg database.UpdateProvisionerJobLogsOverflowedParams) error {
		// Not sure what the rbac should be here, going with this for now
		if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
		return err
		}
		return q.db.UpdateProvisionerJobLogsOverflowed(ctx, arg)
		}

		func (q *querier) UpdateProvisionerJobWithCancelByID(ctx context.Context, arg database.UpdateProvisionerJobWithCancelByIDParams) error {
		// TODO: Remove this once we have a proper rbac check for provisioner jobs.
		// Details in https://github.com/coder/coder/issues/16160
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -4341,6 +4341,20 @@ func (s *MethodTestSuite) TestSystemFunctions() {
		UpdatedAt: time.Now(),
		}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
		}))
		s.Run("UpdateProvisionerJobLogsLength", s.Subtest(func(db database.Store, check *expects) {
		j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
		check.Args(database.UpdateProvisionerJobLogsLengthParams{
		ID: j.ID,
		LogsLength: 100,
		}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
		}))
		s.Run("UpdateProvisionerJobLogsOverflowed", s.Subtest(func(db database.Store, check *expects) {
		j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
		check.Args(database.UpdateProvisionerJobLogsOverflowedParams{
		ID: j.ID,
		LogsOverflowed: true,
		}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
		}))
		s.Run("InsertProvisionerJob", s.Subtest(func(db database.Store, check *expects) {
		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
		check.Args(database.InsertProvisionerJobParams{
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -179,6 +179,7 @@ func (b WorkspaceBuildBuilder) Do() WorkspaceResponse {
		Input: payload,
		Tags: map[string]string{},
		TraceMetadata: pqtype.NullRawMessage{},
		LogsOverflowed: false,
		})
		require.NoError(b.t, err, "insert job")

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -775,6 +775,7 @@ func ProvisionerJob(t testing.TB, db database.Store, ps pubsub.Pubsub, orig data
		Input: takeFirstSlice(orig.Input, []byte("{}")),
		Tags: tags,
		TraceMetadata: pqtype.NullRawMessage{},
		LogsOverflowed: false,
		})
		require.NoError(t, err, "insert job")
		if ps != nil {
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -79,3 +79,11 @@ func IsWorkspaceAgentLogsLimitError(err error) bool {

		return false
		}

		func IsProvisionerJobLogsLimitError(err error) bool {
		var pqErr *pq.Error
		if errors.As(err, &pqErr) {
		return pqErr.Constraint == "max_provisioner_logs_length" && pqErr.Table == "provisioner_jobs"
		}
		return false
		}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		ALTER TABLE provisioner_jobs DROP COLUMN logs_length;
		ALTER TABLE provisioner_jobs DROP COLUMN logs_overflowed;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,6 @@
		-- Add logs length tracking and overflow flag, similar to workspace agents
		ALTER TABLE provisioner_jobs ADD COLUMN logs_length integer NOT NULL DEFAULT 0 CONSTRAINT max_provisioner_logs_length CHECK (logs_length <= 1048576);
		ALTER TABLE provisioner_jobs ADD COLUMN logs_overflowed boolean NOT NULL DEFAULT false;

		COMMENT ON COLUMN provisioner_jobs.logs_length IS 'Total length of provisioner logs';
		COMMENT ON COLUMN provisioner_jobs.logs_overflowed IS 'Whether the provisioner logs overflowed in length';