Generate plist for fleetd-base pkg. (#19112)

#19111 Generate plist for fleetd-base pkg. Currently configured for TESTING. Uploaded file: https://download-testing.fleetdm.com/fleetd-base-manifest.plist
2026-05-23 17:08:53 +00:00 · 2024-05-17 13:48:53 -05:00 · 2024-05-17 13:48:53 -05:00 · 550f08d62d
commit 550f08d62d
parent 431d6919fe
2 changed files with 46 additions and 14 deletions
--- a/.github/actions/r2-upload/action.yml
+++ b/.github/actions/r2-upload/action.yml
@ -9,9 +9,8 @@ description: Upload a file to R2
 # - R2_BUCKET: The bucket to upload to

 inputs:
-  filename:
-    # Future improvement: accept array of filenames as JSON string, and loop over it like in https://www.starkandwayne.com/blog/bash-for-loop-over-json-array-using-jq/index.html
-    description: 'Name of the file to upload'
+  filenames:
+    description: 'Comma-delimited names of the file(s) to upload. For example: file1,manifest.json,file with spaces.txt'
    required: true

 runs:
@ -27,8 +26,12 @@ runs:
        provider = Cloudflare
        region = auto
        no_check_bucket = true
-        access_key_id = $R2_ACCESS_KEY_ID
-        secret_access_key = $R2_ACCESS_KEY_SECRET
-        endpoint = $R2_ENDPOINT
+        access_key_id = ${{ env.R2_ACCESS_KEY_ID }}
+        secret_access_key = ${{ env.R2_ACCESS_KEY_SECRET }}
+        endpoint = ${{ env.R2_ENDPOINT }}
        " > ~/.config/rclone/rclone.conf
-        rclone copy --verbose ${{ inputs.filename }} r2:${R2_BUCKET}/
+        : # Loop over each filename in the array of filenames and upload each one.
+        IFS=$'\n'
+        for row in $(echo "${{ inputs.filenames }}" | tr "," "\n"); do
+          rclone copy --verbose "$row" r2:${{ env.R2_BUCKET }}/
+        done
--- a/.github/workflows/release-fleetd-base.yml
+++ b/.github/workflows/release-fleetd-base.yml
@ -20,10 +20,10 @@ permissions:

 env:
  R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
-  R2_ACCESS_KEY_ID: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }}
-  R2_ACCESS_KEY_SECRET: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }}
-  R2_BUCKET: download # Production: download | Testing: download-testing
-  BASE_URL: https://download.fleetdm.com # Production: https://download.fleetdm.com | Testing: https://download-testing.fleetdm.com
+  R2_ACCESS_KEY_ID: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }}
+  R2_ACCESS_KEY_SECRET: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }}
+  R2_BUCKET: download-testing # Production: download | Testing: download-testing
+  BASE_URL: https://download-testing.fleetdm.com # Production: https://download.fleetdm.com | Testing: https://download-testing.fleetdm.com

 jobs:
  check-for-fleetd-component-updates:
@ -109,11 +109,40 @@ jobs:
        run: |
          fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize
          mv fleet-osquery*.pkg fleetd-base.pkg
+          : # Calculate the SHA256 checksum of the package for the next step
+          echo "FLEETD_BASE_PKG_CHECKSUM=$(shasum -a 256 fleetd-base.pkg | cut -d ' ' -f 1)" >> $GITHUB_ENV
+
+      - name: Create plist
+        run: |
+          echo '<plist version="1.0">
+            <dict>
+              <key>items</key>
+              <array>
+                <dict>
+                  <key>assets</key>
+                  <array>
+                    <dict>
+                      <key>kind</key>
+                      <string>software-package</string>
+                      <key>sha256-size</key>
+                      <integer>32</integer>
+                      <key>sha256s</key>
+                      <array>
+                        <string>${{ env.FLEETD_BASE_PKG_CHECKSUM }}</string>
+                      </array>
+                      <key>url</key>
+                      <string>${{ env.BASE_URL }}/fleetd-base.pkg</string>
+                    </dict>
+                  </array>
+                </dict>
+              </array>
+            </dict>
+          </plist>' > fleetd-base-manifest.plist

      - name: Upload package
        uses: ./.github/actions/r2-upload
        with:
-          filename: fleetd-base.pkg
+          filenames: fleetd-base.pkg,fleetd-base-manifest.plist

  update-fleetd-base-msi:
    needs: [check-for-fleetd-component-updates]
@ -144,7 +173,7 @@ jobs:
      - name: Upload package
        uses: ./.github/actions/r2-upload
        with:
-          filename: fleetd-base.msi
+          filenames: fleetd-base.msi

  update-meta-json:
    needs: [update-fleetd-base-pkg, update-fleetd-base-msi]
@ -174,4 +203,4 @@ jobs:
      - name: Upload meta.json
        uses: ./.github/actions/r2-upload
        with:
-          filename: meta.json
+          filenames: meta.json