Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91

Update dogfood-policy-updater-latest-safari.sh (#38133)

Browse source 
This pull request simplifies and improves the automation for updating
Safari version policies on macOS by switching from a multi-line YAML
query to a single-line query and streamlining the associated update
script. The changes make the update process more robust, easier to
maintain, and less error-prone, especially when parsing and updating the
policy file.

**Policy and script simplification:**

* Converted the `query` field in `update-safari.yml` from a multi-line
YAML block to a single-line statement, reducing complexity and making it
easier to update programmatically.

**Script robustness and maintainability:**

* Updated `.github/scripts/dogfood-policy-updater-latest-safari.sh` to
extract and update the single-line `query` instead of handling a
multi-line block, greatly simplifying the parsing and replacement logic.
[[1]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17L26-R37)
[[2]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17L97-R123)
* Improved error handling for environment variables, requiring only the
essential `DOGFOOD_AUTOMATION_TOKEN` to be set, and clarified error
messages.
* Enhanced validation of the Safari feed response by checking for valid
JSON and explicit API errors using `jq`, making the update process more
reliable.
* Changed the update workflow to write changes directly to the file and
rely on GitHub Actions to create pull requests, removing the script's
own git and PR logic for a cleaner CI/CD process.
This commit is contained in:
Allen Houchins 2026-01-13 15:04:36 -06:00 committed by GitHub
parent e9b2daa761
commit 0aece4fea4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 35 additions and 150 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

173
.github/scripts/dogfood-policy-updater-latest-safari.sh vendored
View file

@ -7,8 +7,8 @@ FILE_PATH="it-and-security/lib/macos/policies/update-safari.yml"
BRANCH="main"
# Ensure required environment variables are set
if [ -z "$DOGFOOD_AUTOMATION_TOKEN" ] || [ -z "$DOGFOOD_AUTOMATION_USER_NAME" ] || [ -z "$DOGFOOD_AUTOMATION_USER_EMAIL" ]; then
echo "Error: Missing required environment variables."
if [ -z "$DOGFOOD_AUTOMATION_TOKEN" ]; then
echo "Error: Missing required environment variable DOGFOOD_AUTOMATION_TOKEN."
exit 1
fi
@ -23,21 +23,18 @@ if [ -z "$response" ] || [[ "$response" == *"Not Found"* ]]; then
exit 1
fi
# Extract the query section (may be multi-line)
# Handle indented query: (starts with spaces followed by "query:")
# The query is a YAML multiline string that continues until the next key at the same indentation level (2 spaces)
query_section=$(echo "$response" | sed -n '/^[[:space:]]*query:/,/^ [a-zA-Z_-]+:/p' | head -n -1)
if [ -z "$query_section" ]; then
echo "Error: Could not find the query section in the file."
# Extract the query line
query_line=$(echo "$response" | grep 'query:')
if [ -z "$query_line" ]; then
echo "Error: Could not find the query line in the file."
exit 1
fi
# Extract Safari 18 and Safari 26 version numbers from the query
# Extract Safari 18 and Safari 26 version numbers from the query line
# Safari 18 is for macOS 15.x, Safari 26 is for macOS 26.x
# The query uses "version LIKE '15.%'" and "version LIKE '26.%'"
policy_safari_18_version=$(echo "$query_section" | grep -A 5 "version LIKE '15\.%" | grep "version_compare" | grep -oE "'[0-9]+\.[0-9]+(\.[0-9]+)?'" | sed "s/'//g" | head -n 1)
policy_safari_26_version=$(echo "$query_section" | grep -A 5 "version LIKE '26\.%" | grep "version_compare" | grep -oE "'[0-9]+\.[0-9]+(\.[0-9]+)?'" | sed "s/'//g" | head -n 1)
# The query has two version_compare calls - first is Safari 26, second is Safari 18
policy_safari_26_version=$(echo "$query_line" | grep -oE "version_compare\([^,]+,\s*'[0-9]+\.[0-9]+(\.[0-9]+)?'" | head -1 | grep -oE "'[0-9]+\.[0-9]+(\.[0-9]+)?'" | sed "s/'//g")
policy_safari_18_version=$(echo "$query_line" | grep -oE "version_compare\([^,]+,\s*'[0-9]+\.[0-9]+(\.[0-9]+)?'" | tail -1 | grep -oE "'[0-9]+\.[0-9]+(\.[0-9]+)?'" | sed "s/'//g")
if [ -z "$policy_safari_18_version" ] || [ -z "$policy_safari_26_version" ]; then
echo "Error: Failed to extract Safari version numbers from policy."
@ -52,8 +49,22 @@ echo "Policy Safari 26 version: $policy_safari_26_version"
# Fetch the latest Safari version from SOFA feed
echo "Fetching latest Safari version from SOFA feed..."
safari_feed_response=$(curl -s "https://sofafeed.macadmins.io/v2/safari_data_feed.json" 2>/dev/null)
curl_exit_code=$?
if [ -z "$safari_feed_response" ] || [[ "$safari_feed_response" == *"404"* ]] || [[ "$safari_feed_response" == *"Not Found"* ]]; then
# Check if it's valid JSON first
if ! echo "$safari_feed_response" | jq empty 2>/dev/null; then
echo "Error: Failed to fetch Safari feed from SOFA - invalid JSON response."
exit 1
fi
# Check for HTTP errors in the JSON (if the API returns error JSON)
if echo "$safari_feed_response" | jq -e '.error' >/dev/null 2>&1; then
echo "Error: SOFA API returned an error"
echo "$safari_feed_response" | jq '.error'
exit 1
fi
if [ $curl_exit_code -ne 0 ] || [ -z "$safari_feed_response" ]; then
echo "Error: Failed to fetch Safari feed from SOFA."
exit 1
fi
@ -94,138 +105,22 @@ fi
# Update the file if needed
if [ "$update_needed" = true ]; then
echo "Updating policy query with new Safari versions..."
echo "Updating query line with new Safari versions..."
# Prepare the new query section with updated versions
# Match the indentation of the original file (2 spaces)
new_query_section=" query: |
SELECT 1 WHERE
NOT EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari')
OR (
EXISTS (SELECT 1 FROM os_version WHERE version LIKE '26.%')
AND EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari' AND version_compare(bundle_short_version, '$safari_26_version') >= 0)
)
OR (
EXISTS (SELECT 1 FROM os_version WHERE version LIKE '15.%')
AND EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari' AND version_compare(bundle_short_version, '$safari_18_version') >= 0)
);"
# Prepare the new query line
new_query_line="query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari') OR (EXISTS (SELECT 1 FROM os_version WHERE version LIKE '26.%') AND EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari' AND version_compare(bundle_short_version, '$safari_26_version') >= 0)) OR (EXISTS (SELECT 1 FROM os_version WHERE version LIKE '15.%') AND EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari' AND version_compare(bundle_short_version, '$safari_18_version') >= 0));"
# Replace the query section in the response
# Use a more robust approach: find the query section and replace it
# Handle indented query: (starts with spaces followed by "query:")
# The query is a YAML multiline string that continues until the next key at the same indentation level
updated_response=$(echo "$response" | awk -v new_query="$new_query_section" '
BEGIN {
in_query = 0
query_started = 0
}
/^[[:space:]]*query:/ {
query_started = 1
in_query = 1
print new_query
next
}
# After query started, skip lines until we find the next key at the same indentation level (2 spaces)
query_started && /^ [a-zA-Z_-]+:/ {
in_query = 0
query_started = 0
print
next
}
# Skip lines that are part of the query block (indented content)
query_started {
next
}
# Print all other lines
{
print
}
')
# Update the response
updated_response=$(echo "$response" | sed "s/query: .*/$new_query_line/")
if [ -z "$updated_response" ]; then
echo "Error: Failed to update the query line."
exit 1
fi
# Create a temporary file for the update
temp_file=$(mktemp)
echo "$updated_response" > "$temp_file"
# Configure Git
git config --global user.name "$DOGFOOD_AUTOMATION_USER_NAME"
git config --global user.email "$DOGFOOD_AUTOMATION_USER_EMAIL"
# Clone the repository and create a new branch
git clone "https://$DOGFOOD_AUTOMATION_TOKEN@github.com/$REPO_OWNER/$REPO_NAME.git" repo || {
echo "Error: Failed to clone repository."
exit 1
}
cd repo || exit
# Generate branch name with timestamp right before use
NEW_BRANCH="update-safari-version-$(date +%s)"
git checkout -b "$NEW_BRANCH"
cp "$temp_file" "$FILE_PATH"
git add "$FILE_PATH"
commit_message="Update Safari versions: Safari 18 (macOS 15) to $safari_18_version, Safari 26 (macOS 26) to $safari_26_version"
if [ "$policy_safari_18_version" != "$safari_18_version" ]; then
commit_message="$commit_message
- Updated Safari 18 version from $policy_safari_18_version to $safari_18_version"
fi
if [ "$policy_safari_26_version" != "$safari_26_version" ]; then
commit_message="$commit_message
- Updated Safari 26 version from $policy_safari_26_version to $safari_26_version"
fi
git commit -m "$commit_message"
git push origin "$NEW_BRANCH"
# Create a pull request
pr_title="Update Safari versions: Safari 18 to $safari_18_version, Safari 26 to $safari_26_version"
pr_data=$(jq -n --arg title "$pr_title" \
--arg head "$NEW_BRANCH" \
--arg base "$BRANCH" \
'{title: $title, head: $head, base: $base}')
pr_response=$(curl -s -H "Authorization: token $DOGFOOD_AUTOMATION_TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
-X POST \
-d "$pr_data" \
"https://api.github.com/repos/$REPO_OWNER/$REPO_NAME/pulls")
if [[ "$pr_response" == *"Validation Failed"* ]]; then
echo "Error: Failed to create a pull request. Response: $pr_response"
exit 1
fi
echo "Pull request created successfully."
# Extract the pull request number from the response
pr_number=$(echo "$pr_response" | jq -r '.number')
if [ -z "$pr_number" ] || [ "$pr_number" == "null" ]; then
echo "Error: Failed to retrieve pull request number."
exit 1
fi
echo "Adding reviewers to PR #$pr_number..."
# Prepare the reviewers data payload
reviewers_data=$(jq -n \
--arg r1 "harrisonravazzolo" \
--arg r2 "tux234" \
'{reviewers: [$r1, $r2]}')
# Request reviewers for the pull request
review_response=$(curl -s -X POST \
-H "Authorization: token $DOGFOOD_AUTOMATION_TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
-d "$reviewers_data" \
"https://api.github.com/repos/$REPO_OWNER/$REPO_NAME/pulls/$pr_number/requested_reviewers")
if echo "$review_response" | grep -q "errors"; then
echo "Error: Failed to add reviewers. Response: $review_response"
exit 1
fi
echo "Reviewers added successfully."
# Write the updated content to the file
echo "$updated_response" > "$FILE_PATH"
echo "Safari policy file updated: $FILE_PATH"
echo "Files updated successfully. PR will be created by GitHub Actions workflow."
else
echo "No updates needed; Safari versions are current."
fi

12
it-and-security/lib/macos/policies/update-safari.yml
View file

@ -1,15 +1,5 @@
- name: macOS - Safari up to date
query: |
SELECT 1 WHERE
NOT EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari')
OR (
EXISTS (SELECT 1 FROM os_version WHERE version LIKE '26.%')
AND EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari' AND version_compare(bundle_short_version, '26.1') >= 0)
)
OR (
EXISTS (SELECT 1 FROM os_version WHERE version LIKE '15.%')
AND EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari' AND version_compare(bundle_short_version, '18.6') >= 0)
);
query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari') OR (EXISTS (SELECT 1 FROM os_version WHERE version LIKE '26.%') AND EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari' AND version_compare(bundle_short_version, '26.1') >= 0)) OR (EXISTS (SELECT 1 FROM os_version WHERE version LIKE '15.%') AND EXISTS (SELECT 1 FROM apps WHERE bundle_identifier = 'com.apple.Safari' AND version_compare(bundle_short_version, '18.6') >= 0));
critical: false
description: The host may have an outdated version of Safari, potentially risking security vulnerabilities or compatibility issues.
resolution: Update Safari by running the Safari update package from self-service, or manually run Software Update ( > System Settings > Software Update).