
@dependabot dependabot bot commented on behalf of github Feb 9, 2026

Bumps the github-actions group with 3 updates in the / directory: coder/coder, crate-ci/typos and zizmorcore/zizmor-action.

Updates coder/coder from 2.29.2 to 2.30.0

Release notes

Sourced from coder/coder's releases.

v2.30.0

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

BREAKING CHANGES

  • feat!: Cached Terraform Modules speed up workspace startup (#21398, 60b3fd078) (@​Emyrk)

    Terraform modules are now downloaded once per template version and reused on every workspace start. Modules are fetched and pinned when the template version is created, then cached and reused across all workspace starts. This prevents upstream module changes from breaking workspace restarts and reduces repeated downloads and startup time.

  • feat!: implement AI Bridge heading to /deployment/observability (#20791, ab4366f5c) (@​jakehwll)

    The experimental AI Bridge API endpoints /api/experimental/aibridge/* have been removed. AI Bridge API was promoted to stable in v2.29.0, and all clients, scripts, or integrations must now use the stable /api/v2/aibridge/* routes instead. This follows standard deprecation practice—experimental endpoints are removed once the feature reaches general availability.

  • feat!: support PKCE in the oauth2 client's auth/exchange flow (#21215, 8fefd91e4) (@​Emyrk)

    This PR adds PKCE (Proof Key for Code Exchange) support to Coder's OAuth2 client flow when authenticating with external identity providers. Unknown external OAuth providers now default to using PKCE, which will cause authentication failures if the provider doesn't actually support it. To resolve this, set CODER_EXTERNAL_AUTH__PKCE_METHODS=none in your environment configuration to disable PKCE for incompatible providers.

  • fix(agent/agentssh)!: use configured directory for SFTP connections (#21194, 6bea82baf) (@​mafredri)

    If your workspace agent has a custom dir configured in Terraform, SFTP and SCP connections will now land there instead of $HOME. Previously, only SSH and rsync respected this setting, which caused confusing behavior where scp file.txt coder:. and rsync file.txt coder:. would put files in different places. If you have scripts that relied on SFTP/SCP always using $HOME regardless of agent configuration, you may need to use explicit paths instead.

Other Major Callouts

This release includes the GA of Coder AI Bridge and Agent Boundaries through Coder's AI Governance Add-On. A future release of Coder will require the add-on license in order to continue using these features.

  • Agent Boundaries goes GA:

    • Observability and monitoring — You can now analyze AI agent HTTP requests with centralized machine-parsable logs
    • New mode (landjail) - This form of Agent Boundaries requires no changes to permissions to be granted in order to use and supports a wider range of environments
    • Rules engine documentation — Admins can self-serve on writing granular network policies without guesswork
  • AI Bridge goes GA:

    • Responses API: AI Bridge can now intercept requests to OpenAI's Responses API, supported by most popular tools
    • Proxy Mode: For tools which don't support Base URL overrides, we have now introduced a new AI Bridge Proxy which can intercept HTTP traffic and pass it through to AI Bridge transparently
    • Expanded client support: With the introduction of Proxy Mode, AI Bridge can now intercept GitHub Copilot requests from both the CLI and VS Code / JetBrains plugins
    • Structured Logging: AI Bridge's observability data can now be logged & exported to external SIEM services
    • Detailed Client Config Docs: We now publish detailed client config docs for AI Bridge
  • Shared Workspaces is Early Access:

    • You can now allow a workspace owner to securely share access to an existing Coder workspace with another trusted user or group
    • Shared users authenticate with their existing Coder account
    • Access is role-based and auditable; ownership does not transfer
    • Shared workspaces with Coder Tasks is still being developed. Stay tuned for more updates
  • Starting in v2.30, the PostgreSQL connection pool is now configurable; see the Connection pool tuning docs for additional guidance

Features

... (truncated)

Commits
  • 43e67d1 perf: update AIBridge for improved memory use at scale (#21896)
  • 94cf95a fix: disable task sharing (#21901)
  • 5e2f845 fix: support authentication for upstream proxy (#21841) (#21849)
  • 3d5dc93 docs: reorganize AI Bridge client documentation (#21873)
  • 6e1fe14 fix(helm): allow overriding CODER_PPROF_ADDRESS and CODER_PROMETHEUS_ADDRESS ...
  • c0b939f fix: use existing transaction to claim prebuild (#21862) (#21868)
  • 1fd77bc chore: cherry-pick fixes (#21864)
  • 37c3476 fix: handle boundary usage across snapshots and prevent race (cherry-pick) (#...
  • 26a3f82 chore(helm): disable liveness probes by default, allow all probe settings (#2...
  • ea6b114 feat: add time window fields to telemetry boundary usage (cherry-pick) (#21775)
  • Additional commits viewable in compare view

Updates crate-ci/typos from 1.42.1 to 1.43.3

Release notes

Sourced from crate-ci/typos's releases.

v1.43.3

[1.43.3] - 2026-02-06

Fixes

  • (action) Adjust how typos are reported to github

v1.43.2

[1.43.2] - 2026-02-05

Fixes

  • Don't correct certifi in Python

v1.43.1

[1.43.1] - 2026-02-03

Fixes

  • Don't correct consts

v1.43.0

[1.43.0] - 2026-02-02

Features

v1.42.3

[1.42.3] - 2026-01-27

Fixes

  • Don't correct loosing

v1.42.2

[1.42.2] - 2026-01-26

Fixes

  • Don't correct substituters

Changelog

Sourced from crate-ci/typos's changelog.

Change Log

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[Unreleased] - ReleaseDate

[1.43.3] - 2026-02-06

Fixes

  • (action) Adjust how typos are reported to github

[1.43.2] - 2026-02-05

Fixes

  • Don't correct certifi in Python

[1.43.1] - 2026-02-03

Fixes

  • Don't correct consts

[1.43.0] - 2026-02-02

Compatibility

  • Bumped MSRV to 1.91

Features

[1.42.3] - 2026-01-27

Fixes

  • Don't correct loosing

[1.42.2] - 2026-01-26

Fixes

  • Don't correct substituters

[1.42.1] - 2026-01-19

... (truncated)

Commits
  • 9066e99 chore: Release
  • 3bebc2a docs: Update changelog
  • adf71f7 Merge pull request #1496 from adangel/fix-action-annotations
  • ad3053d chore: Release
  • a23d8be docs: Update changelog
  • 63b278c Merge pull request #1497 from epage/certifi
  • 5775fa1 feat(config): Don't correct certifi in Python
  • 67e0ce7 fix(gh): Fix col offset (1-based)
  • 7f369e0 fix(gh): Relativize file paths against GITHUB_WORKSPACE
  • 3141b83 docs: Add msrv entry
  • Additional commits viewable in compare view

Updates zizmorcore/zizmor-action from 0.4.1 to 0.5.0

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.5.0

What's Changed

New Contributors

Full Changelog: zizmorcore/zizmor-action@v0.4.1...v0.5.0

Commits
  • 0dce257 chore(deps): bump peter-evans/create-pull-request (#88)
  • fb94974 Expose output-file as an output when advanced-security: true (#87)
  • 867562a chore(deps): bump the github-actions group with 2 updates (#85)
  • 7462f07 Bump pins in README (#84)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…updates

Bumps the github-actions group with 3 updates in the / directory: [coder/coder](https://github.com/coder/coder), [crate-ci/typos](https://github.com/crate-ci/typos) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action).


Updates `coder/coder` from 2.29.2 to 2.30.0
- [Release notes](https://github.com/coder/coder/releases)
- [Changelog](https://github.com/coder/coder/blob/main/release.key)
- [Commits](coder/coder@b5360a9...43e67d1)

Updates `crate-ci/typos` from 1.42.1 to 1.43.3
- [Release notes](https://github.com/crate-ci/typos/releases)
- [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md)
- [Commits](crate-ci/typos@6512063...9066e99)

Updates `zizmorcore/zizmor-action` from 0.4.1 to 0.5.0
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@1356984...0dce257)

---
updated-dependencies:
- dependency-name: coder/coder
  dependency-version: 2.30.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: crate-ci/typos
  dependency-version: 1.43.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 9, 2026
@DevelopmentCats DevelopmentCats left a comment

LGTM but @jdomeracki-coder can you take a look when you get a chance since this requires your review before merging?