coder
diff --git a/‎.github/workflows/release.yaml
Lines changed: 28 additions & 1 deletion b/‎.github/workflows/release.yaml
Lines changed: 28 additions & 1 deletion
diff --git a/‎cli/schedule.go
Lines changed: 22 additions & 1 deletion b/‎cli/schedule.go
Lines changed: 22 additions & 1 deletion
diff --git a/‎cli/testdata/coder_schedule_extend_--help.golden
Lines changed: 2 additions & 1 deletion b/‎cli/testdata/coder_schedule_extend_--help.golden
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/autobuild/lifecycle_executor_test.go
Lines changed: 26 additions & 9 deletions b/‎coderd/autobuild/lifecycle_executor_test.go
Lines changed: 26 additions & 9 deletions
@@ -32,9 +32,36 @@ env:
   CODER_RELEASE_NOTES: ${{ inputs.release_notes }}
 
 jobs:
+  # Only allow maintainers/admins to release.
+  check-perms:
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
+    steps:
+      - name: Allow only maintainers/admins
+        uses: actions/github-script@v7.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const {data} = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: context.actor
+            });
+            const role = data.role_name || data.user?.role_name || data.permission;
+            const perms = data.user?.permissions || {};
+            core.info(`Actor ${context.actor} permission=${data.permission}, role_name=${role}`);
+
+            const allowed =
+              role === 'admin' ||
+              role === 'maintain' ||
+              perms.admin === true ||
+              perms.maintain === true;
+
+            if (!allowed) core.setFailed('Denied: requires maintain or admin');
+
   # build-dylib is a separate job to build the dylib on macOS.
   build-dylib:
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
+    needs: check-perms
     steps:
       # Harden Runner doesn't work on macOS.
       - name: Checkout
@@ -114,7 +141,7 @@ jobs:
 
   release:
     name: Build and publish
-    needs: build-dylib
+    needs: [build-dylib, check-perms]
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
     permissions:
       # Required to publish a release
 
@@ -46,7 +46,7 @@ When enabling scheduled stop, enter a duration in one of the following formats:
   * 2m   (2 minutes)
   * 2    (2 minutes)
 `
-	scheduleExtendDescriptionLong = `
+	scheduleExtendDescriptionLong = `Extends the workspace deadline.
   * The new stop time is calculated from *now*.
   * The new stop time must be at least 30 minutes in the future.
   * The workspace template may restrict the maximum workspace runtime.
@@ -157,6 +157,13 @@ func (r *RootCmd) scheduleStart() *serpent.Command {
 				return err
 			}
 
+			// Autostart configuration is not supported for prebuilt workspaces.
+			// Prebuild lifecycle is managed by the reconciliation loop, with scheduling behavior
+			// defined per preset at the template level, not per workspace.
+			if workspace.IsPrebuild {
+				return xerrors.Errorf("autostart configuration is not supported for prebuilt workspaces")
+			}
+
 			var schedStr *string
 			if inv.Args[1] != "manual" {
 				sched, err := parseCLISchedule(inv.Args[1:]...)
@@ -205,6 +212,13 @@ func (r *RootCmd) scheduleStop() *serpent.Command {
 				return err
 			}
 
+			// Autostop configuration is not supported for prebuilt workspaces.
+			// Prebuild lifecycle is managed by the reconciliation loop, with scheduling behavior
+			// defined per preset at the template level, not per workspace.
+			if workspace.IsPrebuild {
+				return xerrors.Errorf("autostop configuration is not supported for prebuilt workspaces")
+			}
+
 			var durMillis *int64
 			if inv.Args[1] != "manual" {
 				dur, err := parseDuration(inv.Args[1])
@@ -255,6 +269,13 @@ func (r *RootCmd) scheduleExtend() *serpent.Command {
 				return xerrors.Errorf("get workspace: %w", err)
 			}
 
+			// Deadline extensions are not supported for prebuilt workspaces.
+			// Prebuild lifecycle is managed by the reconciliation loop, with TTL behavior
+			// defined per preset at the template level, not per workspace.
+			if workspace.IsPrebuild {
+				return xerrors.Errorf("extend configuration is not supported for prebuilt workspaces")
+			}
+
 			loc, err := tz.TimezoneIANA()
 			if err != nil {
 				loc = time.UTC // best effort
 
@@ -7,7 +7,8 @@ USAGE:
 
   Aliases: override-stop
 
-      * The new stop time is calculated from *now*.
+  Extends the workspace deadline.
+    * The new stop time is calculated from *now*.
     * The new stop time must be at least 30 minutes in the future.
     * The workspace template may restrict the maximum workspace runtime.
 
 
@@ -1251,15 +1251,23 @@ func TestExecutorPrebuilds(t *testing.T) {
 		}()
 
 		// Then: the prebuilt workspace should remain in a start transition
-		prebuildStats := <-statsCh
+		prebuildStats := testutil.RequireReceive(ctx, t, statsCh)
 		require.Len(t, prebuildStats.Errors, 0)
 		require.Len(t, prebuildStats.Transitions, 0)
 		require.Equal(t, codersdk.WorkspaceTransitionStart, prebuild.LatestBuild.Transition)
 		prebuild = coderdtest.MustWorkspace(t, client, prebuild.ID)
 		require.Equal(t, codersdk.BuildReasonInitiator, prebuild.LatestBuild.Reason)
 
 		// Given: a user claims the prebuilt workspace
-		dbWorkspace := dbgen.ClaimPrebuild(t, db, user.ID, "claimedWorkspace-autostop", preset.ID)
+		dbWorkspace := dbgen.ClaimPrebuild(
+			t, db,
+			clock.Now(),
+			user.ID,
+			"claimedWorkspace-autostop",
+			preset.ID,
+			sql.NullString{},
+			sql.NullTime{},
+			sql.NullInt64{})
 		workspace := coderdtest.MustWorkspace(t, client, dbWorkspace.ID)
 
 		// When: the autobuild executor ticks *after* the deadline:
@@ -1269,7 +1277,7 @@ func TestExecutorPrebuilds(t *testing.T) {
 		}()
 
 		// Then: the workspace should be stopped
-		workspaceStats := <-statsCh
+		workspaceStats := testutil.RequireReceive(ctx, t, statsCh)
 		require.Len(t, workspaceStats.Errors, 0)
 		require.Len(t, workspaceStats.Transitions, 1)
 		require.Contains(t, workspaceStats.Transitions, workspace.ID)
@@ -1336,7 +1344,7 @@ func TestExecutorPrebuilds(t *testing.T) {
 		}()
 
 		// Then: the prebuilt workspace should remain in a stop transition
-		prebuildStats := <-statsCh
+		prebuildStats := testutil.RequireReceive(ctx, t, statsCh)
 		require.Len(t, prebuildStats.Errors, 0)
 		require.Len(t, prebuildStats.Transitions, 0)
 		require.Equal(t, codersdk.WorkspaceTransitionStop, prebuild.LatestBuild.Transition)
@@ -1353,7 +1361,15 @@ func TestExecutorPrebuilds(t *testing.T) {
 			database.WorkspaceTransitionStart)
 
 		// Given: a user claims the prebuilt workspace
-		dbWorkspace := dbgen.ClaimPrebuild(t, db, user.ID, "claimedWorkspace-autostart", preset.ID)
+		dbWorkspace := dbgen.ClaimPrebuild(
+			t, db,
+			clock.Now(),
+			user.ID,
+			"claimedWorkspace-autostart",
+			preset.ID,
+			autostartSched,
+			sql.NullTime{},
+			sql.NullInt64{})
 		workspace := coderdtest.MustWorkspace(t, client, dbWorkspace.ID)
 
 		// Given: the prebuilt workspace goes to a stop status
@@ -1374,7 +1390,7 @@ func TestExecutorPrebuilds(t *testing.T) {
 		}()
 
 		// Then: the workspace should eventually be started
-		workspaceStats := <-statsCh
+		workspaceStats := testutil.RequireReceive(ctx, t, statsCh)
 		require.Len(t, workspaceStats.Errors, 0)
 		require.Len(t, workspaceStats.Transitions, 1)
 		require.Contains(t, workspaceStats.Transitions, workspace.ID)
@@ -1486,8 +1502,8 @@ func setupTestDBWorkspaceBuild(
 		Architecture:    "i386",
 		OperatingSystem: "linux",
 		LifecycleState:  database.WorkspaceAgentLifecycleStateReady,
-		StartedAt:       sql.NullTime{Time: time.Now().Add(time.Hour), Valid: true},
-		ReadyAt:         sql.NullTime{Time: time.Now().Add(-1 * time.Hour), Valid: true},
+		StartedAt:       sql.NullTime{Time: clock.Now().Add(time.Hour), Valid: true},
+		ReadyAt:         sql.NullTime{Time: clock.Now().Add(-1 * time.Hour), Valid: true},
 		APIKeyScope:     database.AgentKeyScopeEnumAll,
 	})
 
@@ -1524,8 +1540,9 @@ func setupTestDBPrebuiltWorkspace(
 		OrganizationID:    orgID,
 		OwnerID:           database.PrebuildsSystemUserID,
 		Deleted:           false,
-		CreatedAt:         time.Now().Add(-time.Hour * 2),
+		CreatedAt:         clock.Now().Add(-time.Hour * 2),
 		AutostartSchedule: options.AutostartSchedule,
+		LastUsedAt:        clock.Now(),
 	})
 	setupTestDBWorkspaceBuild(ctx, t, clock, db, ps, orgID, workspace.ID, templateVersionID, presetID, buildTransition)