Add test and deploy workflows for ee/fleet-agent-downloader (#43343)

Related to: https://github.com/fleetdm/fleet/issues/40309 Changes: - Added two workflows to test changes and deploy the ee/fleet-agent-downloader app on Heroku. --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-21 13:37:30 +00:00 · 2026-04-09 15:26:24 -05:00 · 2026-04-09 15:26:24 -05:00 · b6a3c546ef
commit b6a3c546ef
parent ef405aa4de
3 changed files with 165 additions and 1 deletions
--- a/.github/workflows/deploy-agent-downloader.yml
+++ b/.github/workflows/deploy-agent-downloader.yml
@ -0,0 +1,105 @@
+name: Deploy Fleet agent downloader app to Heroku.
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'ee/fleet-agent-downloader/**'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read
+    if: ${{ github.repository == 'fleetdm/fleet' }}
+
+    runs-on: ubuntu-22.04
+
+    strategy:
+      matrix:
+        node-version: [20.x]
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+    # Configure our access credentials for the Heroku CLI
+    - uses: akhileshns/heroku-deploy@e3eb99d45a8e2ec5dca08735e089607befa4bf28 # v3.14.15
+      with:
+        heroku_api_key: ${{secrets.HEROKU_API_TOKEN_FOR_BOT_USER}}
+        heroku_app_name: "" # this has to be blank or it doesn't work
+        heroku_email: ${{secrets.HEROKU_EMAIL_FOR_BOT_USER}}
+        justlogin: true
+    - run: heroku auth:whoami
+    # Install the heroku-repo plugin in the Heroku CLI
+    - run: heroku plugins:install heroku-repo
+
+    # Set the Node.js version
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+      with:
+        node-version: ${{ matrix.node-version }}
+
+    # Now start building!
+    # > …but first, get a little crazy for a sec and delete the top-level package.json file
+    # > i.e. the one used by the Fleet server.  This is because require() in node will go
+    # > hunting in ancestral directories for missing dependencies, and since some of the
+    # > bundled transpiler tasks sniff for package availability using require(), this trips
+    # > up when it encounters another Node universe in the parent directory.
+    - run: rm -rf package.json package-lock.json node_modules/
+    # > Turns out there's a similar issue with how eslint plugins are looked up, so we
+    # > delete the top level .eslintrc file too.
+    - run: rm -f .eslintrc.js
+    # > And, as a change to the top-level fleetdm/fleet .gitignore on May 2, 2022 revealed,
+    # > we also need to delete the top level .gitignore file too, so that its rules don't
+    # > interfere with the committing and force-pushing we're doing as part of our deploy
+    # > script here.  For more info, see: https://github.com/fleetdm/fleet/pull/5549
+    - run: rm -f .gitignore
+
+    # Get dependencies (including dev deps)
+    - run: cd ee/fleet-agent-downloader/ && npm install
+
+    # Run sanity checks
+    - run: cd ee/fleet-agent-downloader/ && npm test
+
+    # Compile assets
+    - run: cd ee/fleet-agent-downloader/ && npm run build-for-prod
+
+    # Commit newly-built assets locally so we can push them to Heroku below.
+    # (This commit will never be pushed to GitHub- only to Heroku.)
+    # > The local config flags make this work in GitHub's environment.
+    - run: git add ee/fleet-agent-downloader/.www
+
+    # Configure the Heroku app we'll be deploying to
+    - run: heroku git:remote -a fleet-agent-downloader
+    - run: git remote -v
+
+    # Deploy to Heroku (by pushing)
+    # > Since a shallow clone was grabbed, we have to "unshallow" it before forcepushing.
+    - run: echo "Unshallowing local repository…"
+    - run: git fetch --prune --unshallow
+
+    # Deploy to Heroku
+    - run: echo "Deploying branch '${GITHUB_REF##*/}' to Heroku…"
+    - name: Deploy to Heroku
+      run: |
+        set -euo pipefail
+        git add -A
+        # Create a git tree object from the currently staged repository state for this Heroku deploy.
+        TREE=$(git write-tree)
+        # Create a parentless commit from the tree object.
+        COMMIT=$(git -c "user.name=Fleetwood" -c "user.email=github@example.com" \
+          commit-tree "$TREE" \
+          -m 'AUTOMATED COMMIT - Deploy Fleet agent downloader app with the latest staged changes, including generated production assets.')
+        # Push the parentless commit to Heroku
+        # Note: The commit pushed to Heroku will not contain the full git history.
+        # This lets up deploy this app from the Fleet monorepo while working around Heroku's pack size limits.
+        git push heroku "$COMMIT":refs/heads/master --force
+    - name: 🌐 Fleet agent downloader has been deployed
+      run: echo '' && echo '--' && echo 'OK, done.  It should be live momentarily.' && echo '(if you get impatient, check the Heroku dashboard for status)'
--- a/.github/workflows/test-fleet-agent-downloader-changes.yml
+++ b/.github/workflows/test-fleet-agent-downloader-changes.yml
@ -0,0 +1,58 @@
+on:
+  pull_request:
+    paths:
+      - 'ee/fleet-agent-downloader/**'
+      - '.github/workflows/test-fleet-agent-downloader-changes.yml'
+
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [20.x]
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+    # Set the Node.js version
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+      with:
+        node-version: ${{ matrix.node-version }}
+
+
+    # Now start building!
+    # > …but first, get a little crazy for a sec and delete the top-level package.json file
+    # > i.e. the one used by the Fleet server.  This is because require() in node will go
+    # > hunting in ancestral directories for missing dependencies, and since some of the
+    # > bundled transpiler tasks sniff for package availability using require(), this trips
+    # > up when it encounters another Node universe in the parent directory.
+    - run: rm -rf package.json package-lock.json node_modules/
+    # > Turns out there's a similar issue with how eslint plugins are looked up, so we
+    # > delete the top level .eslintrc file too.
+    - run: rm -f .eslintrc.js
+
+    # Get dependencies (including dev deps)
+    - run: cd ee/fleet-agent-downloader/ && npm install
+
+    # Run sanity checks
+    - run: cd ee/fleet-agent-downloader/ && npm test
+
+    # Compile assets
+    - run: cd ee/fleet-agent-downloader/ && npm run build-for-prod
--- a/ee/fleet-agent-downloader/package.json
+++ b/ee/fleet-agent-downloader/package.json
@ -30,7 +30,8 @@
    "test": "npm run lint && npm run custom-tests && echo 'Done.'",
    "lint": "./node_modules/eslint/bin/eslint.js . --max-warnings=0 --report-unused-disable-directives && echo '✔  Your .js files look so good.' && ./node_modules/htmlhint/bin/htmlhint -c ./.htmlhintrc views/*.ejs && ./node_modules/htmlhint/bin/htmlhint -c ./.htmlhintrc views/**/*.ejs && ./node_modules/htmlhint/bin/htmlhint -c ./.htmlhintrc views/**/**/*.ejs && ./node_modules/htmlhint/bin/htmlhint -c ./.htmlhintrc views/**/**/**/*.ejs && ./node_modules/htmlhint/bin/htmlhint -c ./.htmlhintrc views/**/**/**/**/*.ejs && ./node_modules/htmlhint/bin/htmlhint -c ./.htmlhintrc views/**/**/**/**/**/*.ejs && ./node_modules/htmlhint/bin/htmlhint -c ./.htmlhintrc views/**/**/**/**/**/**/*.ejs && echo '✔  So do your .ejs files.' && ./node_modules/lesshint/bin/lesshint assets/styles/ --max-warnings=0 && echo '✔  Your .less files look good, too.'",
    "custom-tests": "echo \"(No other custom tests yet.)\" && echo",
-    "deploy": "echo 'This script assumes a dead-simple, opinionated setup on Heroku.' && echo 'But, of course, you can deploy your app anywhere you like.' && echo '(Node.js/Sails.js apps are supported on all modern hosting platforms.)' && echo && echo 'Warning: Specifically, this script assumes you are on the master branch, and that your app can be deployed simply by force-pushing on top of the *deploy* branch.  It will also temporarily use a local *predeploy* branch for preparing assets, that it will delete after it finishes.  Please make sure there is nothing you care about on either of these two branches!!!' && echo '' && echo '' && echo 'Preparing to deploy...' && echo '--' && git status && echo '' && echo '--' && echo 'I hope you are on the master branch and have everything committed/pulled/pushed and are completely up to date and stuff.' && echo '********************************************'  && echo '** IF NOT THEN PLEASE PRESS <CTRL+C> NOW! **' && echo '********************************************' && echo 'Press CTRL+C to cancel.' && echo '(you have five seconds)' && sleep 1 && echo '...4' && sleep 1 && echo '...3' && sleep 1 && echo '...2' && sleep 1 && echo '...1' && sleep 1  && echo '' && echo 'Alright, here we go.  No turning back now!' && echo 'Trying to switch to master branch...' && git checkout master && echo && echo 'OK.  Now wiping node_modules/ and running npm install...' && rm -rf node_modules && rm -rf package-lock.json && npm install && (git add package-lock.json && git commit -am 'AUTOMATED COMMIT: Did fresh npm install before deploying, and it caused something relevant (probably the package-lock.json file) to change!  This commit tracks that change.' || true) && echo 'Deploying as version:' && npm version patch && echo '' && git push origin master && git push --tags && (git branch -D predeploy > /dev/null 2>&1 || true) && git checkout -b predeploy && (echo 'Now building+minifying assets for production...' && echo '(Hang tight, this could take a while.)' && echo && node node_modules/grunt/bin/grunt buildProd || (echo && echo '------------------------------------------' && echo 'IMPORTANT!  IMPORTANT!  IMPORTANT!' && echo 'ERROR: Could not compile assets for production!' && echo && echo 'Attempting to recover automatically by stashing, ' && echo 'switching back to the master branch, and then ' && echo 'deleting the predeploy branch... ' && echo && echo 'After this, please fix the issues logged above' && echo 'and push that up.  Then, try deploying again.' && echo '------------------------------------------' && echo && echo 'Staging, deleting the predeploy branch, and switching back to master...' && git stash && git checkout master && git branch -D predeploy && false)) && mv www .www && git add .www && node -e 'sailsrc = JSON.parse(require(\"fs\").readFileSync(\"./.sailsrc\", \"utf8\"));  if (sailsrc.paths&&sailsrc.paths.public !== undefined || sailsrc.hooks&&sailsrc.hooks.grunt !== undefined) { throw new Error(\"Cannot complete deployment script: .sailsrc file has conflicting contents!  Please throw away this midway-complete deployment, switch back to your original branch (master), remove the conflicting stuff from .sailsrc, then commit and push that up.\"); }  sailsrc.paths = sailsrc.paths || {};  sailsrc.paths.public = \"./.www\";   sailsrc.hooks = sailsrc.hooks || {};  sailsrc.hooks.grunt = false;  require(\"fs\").writeFileSync(\"./.sailsrc\", JSON.stringify(sailsrc))' && git commit -am 'AUTOMATED COMMIT: Automatically bundling compiled assets as part of deploy, updating the EJS layout and .sailsrc file accordingly.' && git push origin predeploy && git checkout master && git push origin +predeploy:deploy && git push --tags && git branch -D predeploy && git push origin :predeploy && echo '' && echo '--' && echo 'OK, done.  It should be live momentarily on your staging environment.' && echo '(if you get impatient, check the Heroku dashboard for status)' && echo && echo 'Staging environment:' && echo ' 🌐–•  https://staging.example.com' && echo '       (hold ⌘ and click to open links in the terminal)' && echo && echo 'Please review that to make sure it looks good.' && echo 'When you are ready to go to production, visit your pipeline on Heroku and press the PROMOTE TO PRODUCTION button.'"
+    "deploy": "echo 'This script assumes a dead-simple, opinionated setup on Heroku.' && echo 'But, of course, you can deploy your app anywhere you like.' && echo '(Node.js/Sails.js apps are supported on all modern hosting platforms.)' && echo && echo 'Warning: Specifically, this script assumes you are on the master branch, and that your app can be deployed simply by force-pushing on top of the *deploy* branch.  It will also temporarily use a local *predeploy* branch for preparing assets, that it will delete after it finishes.  Please make sure there is nothing you care about on either of these two branches!!!' && echo '' && echo '' && echo 'Preparing to deploy...' && echo '--' && git status && echo '' && echo '--' && echo 'I hope you are on the master branch and have everything committed/pulled/pushed and are completely up to date and stuff.' && echo '********************************************'  && echo '** IF NOT THEN PLEASE PRESS <CTRL+C> NOW! **' && echo '********************************************' && echo 'Press CTRL+C to cancel.' && echo '(you have five seconds)' && sleep 1 && echo '...4' && sleep 1 && echo '...3' && sleep 1 && echo '...2' && sleep 1 && echo '...1' && sleep 1  && echo '' && echo 'Alright, here we go.  No turning back now!' && echo 'Trying to switch to master branch...' && git checkout master && echo && echo 'OK.  Now wiping node_modules/ and running npm install...' && rm -rf node_modules && rm -rf package-lock.json && npm install && (git add package-lock.json && git commit -am 'AUTOMATED COMMIT: Did fresh npm install before deploying, and it caused something relevant (probably the package-lock.json file) to change!  This commit tracks that change.' || true) && echo 'Deploying as version:' && npm version patch && echo '' && git push origin master && git push --tags && (git branch -D predeploy > /dev/null 2>&1 || true) && git checkout -b predeploy && (echo 'Now building+minifying assets for production...' && echo '(Hang tight, this could take a while.)' && echo && node node_modules/grunt/bin/grunt buildProd || (echo && echo '------------------------------------------' && echo 'IMPORTANT!  IMPORTANT!  IMPORTANT!' && echo 'ERROR: Could not compile assets for production!' && echo && echo 'Attempting to recover automatically by stashing, ' && echo 'switching back to the master branch, and then ' && echo 'deleting the predeploy branch... ' && echo && echo 'After this, please fix the issues logged above' && echo 'and push that up.  Then, try deploying again.' && echo '------------------------------------------' && echo && echo 'Staging, deleting the predeploy branch, and switching back to master...' && git stash && git checkout master && git branch -D predeploy && false)) && mv www .www && git add .www && node -e 'sailsrc = JSON.parse(require(\"fs\").readFileSync(\"./.sailsrc\", \"utf8\"));  if (sailsrc.paths&&sailsrc.paths.public !== undefined || sailsrc.hooks&&sailsrc.hooks.grunt !== undefined) { throw new Error(\"Cannot complete deployment script: .sailsrc file has conflicting contents!  Please throw away this midway-complete deployment, switch back to your original branch (master), remove the conflicting stuff from .sailsrc, then commit and push that up.\"); }  sailsrc.paths = sailsrc.paths || {};  sailsrc.paths.public = \"./.www\";   sailsrc.hooks = sailsrc.hooks || {};  sailsrc.hooks.grunt = false;  require(\"fs\").writeFileSync(\"./.sailsrc\", JSON.stringify(sailsrc))' && git commit -am 'AUTOMATED COMMIT: Automatically bundling compiled assets as part of deploy, updating the EJS layout and .sailsrc file accordingly.' && git push origin predeploy && git checkout master && git push origin +predeploy:deploy && git push --tags && git branch -D predeploy && git push origin :predeploy && echo '' && echo '--' && echo 'OK, done.  It should be live momentarily on your staging environment.' && echo '(if you get impatient, check the Heroku dashboard for status)' && echo && echo 'Staging environment:' && echo ' 🌐–•  https://staging.example.com' && echo '       (hold ⌘ and click to open links in the terminal)' && echo && echo 'Please review that to make sure it looks good.' && echo 'When you are ready to go to production, visit your pipeline on Heroku and press the PROMOTE TO PRODUCTION button.'",
+    "build-for-prod": "echo 'Now building+minifying assets for production...' && echo '(Hang tight, this could take a while.)' && echo && node node_modules/grunt/bin/grunt buildProd || (echo && echo '------------------------------------------' && echo 'IMPORTANT!  IMPORTANT!  IMPORTANT!' && echo 'ERROR: Could not compile assets for production!' && echo && echo 'Please fix the issues logged above' && echo 'and push that up.  Then, try deploying again.' && echo '------------------------------------------' && echo) && mv www .www && node -e 'sailsrc = JSON.parse(require(\"fs\").readFileSync(\"./.sailsrc\", \"utf8\"));  if (sailsrc.paths&&sailsrc.paths.public !== undefined || sailsrc.hooks&&sailsrc.hooks.grunt !== undefined) { throw new Error(\"Cannot complete deployment script: .sailsrc file has conflicting contents!  Please remove the conflicting stuff from .sailsrc, then commit and push that up.\"); }  sailsrc.paths = sailsrc.paths || {};  sailsrc.paths.public = \"./.www\";   sailsrc.hooks = sailsrc.hooks || {};  sailsrc.hooks.grunt = false;  require(\"fs\").writeFileSync(\"./.sailsrc\", JSON.stringify(sailsrc))' && echo 'Build is complete.  Ready to deploy.'"
  },
  "main": "app.js",
  "repository": {