- Updates wording in `.github/workflows/loadtest-osquery-perf.yml`
- `4098` -> `4096`
- Removes: `(should be a multiple of 8, if setting
loadtest_containers_starting_index)`
- Updates `infrastructure/loadtesting/terraform/osquery_perf/enroll.sh`
to handle values that are not multiples of 8. If the value is not a
multiple of 8, logic has been added to apply the remainder.
## Summary by CodeRabbit
## Release Notes
* **Documentation**
* Updated load testing workflow configuration input descriptions for
improved clarity of parameters and their usage examples.
* **Bug Fixes**
* Fixed container count allocation logic in the load testing process to
ensure the final target count is always properly applied, even when
using increment values that don't divide evenly into the specified total
range.
Resolves#40809
Added a few basic tests.
Fixed a small race condition. Manually tested orbit on Windows with the
fix.
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed a race during BitLocker worker shutdown on Windows to prevent
hangs or unexpected failures.
* **Tests**
* Added comprehensive Windows-only tests for BitLocker behavior and
related utilities.
* Hardened tests to use stricter assertions and deterministic checks.
* **Chores**
* Added an automated Windows test workflow to run scheduled and
PR-triggered Windows test runs.
Related to: https://github.com/fleetdm/fleet/issues/40309
Changes:
- Added two workflows to test changes and deploy the
ee/fleet-agent-downloader app on Heroku.
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Update .github/workflows/dogfood-gitops.yml to raise the fleet-gitops
job timeout from 10 to 30 minutes. This prevents premature cancellation
for longer-running steps (e.g., runner hardening and related tasks).
Our workflow is starting to timeout now that we have more apps being
applied via GitOps.
### Summary
Adds a new CI workflow that automatically synchronizes
`ee/maintained-apps/outputs` directory contents to a Cloudflare R2
bucket. This enables serving maintained apps output files via CDN with
minimal operational overhead.
### What It Does
- **Automatic sync on changes**: Triggers whenever files in
`ee/maintained-apps/outputs/**` are committed to main
- **Manual trigger support**: Can be run on-demand via Actions UI with
optional dry-run mode
- **Idempotent operations**: Uses `aws s3 sync --delete` to keep bucket
in sync with source
- **Failure notifications**: Posts to Slack (#help-p1) if sync fails
### Key Features
| Feature | Description |
|---------|-------------|
| **Dry-run mode** | Preview what would be synced without uploading (via
workflow_dispatch input) |
| **Concurrency control** | Cancels in-progress runs on same branch to
avoid conflicts |
| **Retry logic** | 10 retry attempts with standard AWS retry mode for
transient failures |
| **Security hardening** | Uses `step-security/harden-runner` for egress
policy enforcement |
### Configuration Status ✅
All required configuration is already in place:
- ✅ R2 bucket `maintained-apps` exists
- ✅ Secret `R2_MAINTAINED_APPS_ACCESS_KEY_ID` configured
- ✅ Secret `R2_MAINTAINED_APPS_ACCESS_KEY_SECRET` configured
- ✅ Secret `R2_ENDPOINT` configured
- ✅ Slack webhook secret `SLACK_G_HELP_P1_WEBHOOK_URL` available
### Validation
- ✅ **actionlint**: Passed with no errors or warnings
- ✅ **YAML syntax**: Validated
### Testing
To verify after merging:
1. Trigger manually via Actions → "Sync Maintained Apps Outputs to R2" →
Run workflow
2. Use dry-run mode first to preview what would be synced without
uploading
### Notes
- Uses AWS CLI (pre-installed on ubuntu-latest) with R2-compatible
endpoint
- Minimal permissions model - only `contents: read` required
- bucket available at https://maintained-apps.fleetdm.com/
**Related issue:** Resolves#42691
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a
## Testing
- [ ] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- I ran the updated snapshot action on this branch and verified that it
pushed the branch-tagged image, but not the SHA-tagged one.
- I ran the cleanup script in dry-run mode and verified that it didn't
expect to delete any non-sha-tagged images
- I wasn't able to test the delete-image-on-branch-delete action for
obvious reasons.
- I haven't tested the cleanup script in non-dry-run mode... I could do
on my personal dockerhub...
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Automated cleanup of Docker images when development branches are
deleted to maintain registry hygiene.
* New utility for managing and cleaning up legacy Docker image tags.
* **Chores**
* Enhanced Docker image tagging in snapshot builds with improved branch
name handling.
**Related issue:** Resolves#41409
# Details
This PR updates the `ApplyStarterLibrary` method and functionality to
rely on the same templates and mechanisms as `fleetctl new`. The end
result is that running `fleetctl new` and `fleetctl gitops` on a new
instance should be a no-op; no changes should be made. Similarly,
changing the templates in a Fleet release will automatically affect
`fleetctl new` and `ApplyStarterLibrary` in the same exact way for that
release.
> Note that this moves the template files out of `fleetctl` and into
their own shared package. This move comprises the majority of the file
changes in the PR.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
Note that
<img width="668" height="44" alt="image"
src="https://github.com/user-attachments/assets/066cd566-f91d-4661-84fc-2aabbfce2ef9"
/>
will fail until the 4.83 Fleet docker image is published, since it's
trying to push 4.83 config (including `exceptions`) to a 4.82 server.
- [X] QA'd all new/changed functionality manually
- [X] Created a new instance and validated that the fleets, policies and
labels created matched the ones created by `fleetctl new`
- [X] Ran `fleetctl new` and verified that it created the expected
folders and files
- [X] Ran `fleetctl gitops` with the files created by `fleetctl new` and
verified that the instance was unchanged.
- [X] Ran `fleetctl preview` successfully using a dev build of the Fleet
server image (since it won't work against the latest published build,
which doesn't support `exceptions`). Verified it shows the expected
teams, policies and labels
- Configures internal alb to log to the same bucket as the public alb
- Adds support for osquery-perf task size (cpu/memory) configuration
- Updates defaults for osquery-perf extra_flags
- Updates default enroll.sh loop sleep_time from 60s -> 300s
**Related issue:** Resolves#42573
Fixes failing test by replacing no-longer-supported `--no-quarantine`
option with manually turning off quarantine for Wine.
Successful run here:
https://github.com/fleetdm/fleet/actions/runs/23661332211
---------
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
Add nightly testing across the following:
OS: mac/Linux/Windows
Updates: enabled/disabled
Channels (for each of orbit/osquery/desktop): edge/stable
Arch: arm/x86
Failures are alerted to Slack.
**Related issue:** Resolves#42226
When doing dev in a remote environment, like a public cloud VM, don't
expose ports to the public.
This is a contributor security improvement.
The localstack fail is present on main, and was not caused by this
change:
https://github.com/fleetdm/fleet/actions/runs/23439965808/job/68187858627
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
## Summary by CodeRabbit
* **Chores**
* Docker Compose configuration updated across multiple services (Redis,
MySQL, mail, monitoring, and storage services) to restrict port bindings
to localhost only instead of all network interfaces.
* Documentation Docker Compose examples updated to reflect
localhost-only port binding for core services.
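The localhost-only binding described above, as an added example that is not code from the fleet repo: a line-based audit of Docker Compose short-syntax `HOST:CONTAINER` port mappings that flags host ports published on all interfaces and rewrites them to bind to loopback. The compose text is constructed for the example, and the function names are assumptions; the long-form `ports:` syntax is not parsed.

```javascript
// Added example, not part of the fleet repo: audit and harden Compose port
// bindings. Short syntax only; a missing host address means 0.0.0.0.
const PORT_RE = /^(\s*-\s*["']?)(?:(\d{1,3}(?:\.\d{1,3}){3}|\[[^\]]+\]):)?(\d+(?:-\d+)?):(\d+(?:-\d+)?)(\/(?:tcp|udp))?(["']?\s*)$/;
const LOOPBACK = new Set(["127.0.0.1", "[::1]"]);

// Returns one finding per short-syntax port line whose host side is not a
// loopback address: { line, mapping, suggested }.
function auditComposePorts(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const m = line.match(PORT_RE);
    if (!m) return;
    const host = m[2];
    if (host && LOOPBACK.has(host)) return;
    const proto = m[5] || "";
    findings.push({
      line: i + 1,
      mapping: `${host ? host + ":" : ""}${m[3]}:${m[4]}${proto}`,
      suggested: `127.0.0.1:${m[3]}:${m[4]}${proto}`,
    });
  });
  return findings;
}

// Rewrites offending lines to bind to loopback; every other line is kept as-is.
function hardenComposePorts(text) {
  return text
    .split("\n")
    .map((line) => {
      const m = line.match(PORT_RE);
      if (!m || (m[2] && LOOPBACK.has(m[2]))) return line;
      return `${m[1]}127.0.0.1:${m[3]}:${m[4]}${m[5] || ""}${m[6]}`;
    })
    .join("\n");
}

// Constructed sample: one service already loopback-bound, three exposed.
const SAMPLE_COMPOSE = `services:
  mysql:
    image: mysql:8.0.42
    ports:
      - "3306:3306"
  redis:
    ports:
      - "127.0.0.1:6379:6379"
  mailhog:
    ports:
      - 0.0.0.0:8025:8025
      - "1025:1025/tcp"
`;
```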
**Related issue:** Resolves#42252
Pins the Localstack image to the last-known-good version (4.5) before
they 🔪 'd the community edition and started requiring an auth token. I
also added a "wait for localstack" as an initial debugging step, and
left it in to catch similar future issues. It's probably redundant since
there likely _is_ no future for Fleet and Localstack beyond this, but it
takes milliseconds and would catch any other weird Localstack failures,
so, why not.
Updates MySQL version references from 8.0.39 to 8.0.42 in GitHub Actions
workflow test matrices to match current Aurora version as of #42120.
---------
Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Updating actions/setup-go to v6.3.0 from a mix of different versions.
This gets us faster CI runs, with improvements such as:
- built in Go module cache AND Go build cache (separate cache no longer
needed)
- using go.mod resulting in fewer cache invalidations
- faster Node 24 runtime
- using go.dev download URL, which is more reliable
Add mobile management hint secrets in the dogfood GitOps workflow by
adding DOGFOOD_OKTA_ANDROID_MANAGEMENT_HINT and
DOGFOOD_OKTA_IOS_MANAGEMENT_HINT to the job environment. These values
are sourced from repository secrets and are intended for Okta
Android/iOS management hint configuration during the workflow run. No
other behavior was changed.
This pull request updates the environment variable configuration for
Okta metadata URLs in the `dogfood-gitops` GitHub Actions workflow.
Instead of using a single metadata URL, the workflow now distinguishes
between admin and end user metadata URLs.
Workflow configuration changes:
* Split the `DOGFOOD_OKTA_METADATA_URL` environment variable into two
separate variables: `DOGFOOD_OKTA_METADATA_URL_ADMINS` and
`DOGFOOD_OKTA_METADATA_URL_END_USERS` in the
`.github/workflows/dogfood-gitops.yml` workflow file.
Add DOGFOOD_OKTA_METADATA_URL to the dogfood GitOps workflow environment
and update SSO configuration to use Okta. it-and-security/default.yml:
change end_user_authentication.entity_id to fleet-end-users and org SSO
entity_id to fleet-admins, set idp_name to Okta for both, remove inline
metadata values, and point metadata_url to $DOGFOOD_OKTA_METADATA_URL.
This centralizes IdP metadata retrieval via a secret URL.
Updates the auto-tag-unreleased-bugs workflow to improve version
detection and handling.
## Changes Made
- **Orbit/Fleetd Version Detection**: Added support for detecting Orbit
and Fleetd versions in addition to Fleet server versions. The workflow
now checks `**Orbit version**:` and `**Fleetd version**:` fields (case
insensitive) and validates them against orbit-v* tags.
- **Optimized API Calls**: The workflow now only fetches the data it
needs:
- Fetches releases only when checking Fleet server versions
- Fetches tags only when checking Orbit/Fleetd versions
- This reduces unnecessary GitHub API calls and improves performance
- **Singular/Plural Field Support**: Updated regex patterns to match
both "version" and "versions" in issue templates (e.g., `**Fleet
version**:` and `**Fleet versions**:`). This handles variations in issue
template formatting where either singular or plural forms may be used.
- **Pagination Support**: Both `listReleases` and `listTags` API calls
now use `github.paginate()` to fetch all results instead of just the
first 100. This ensures older Orbit/Fleetd versions or Fleet versions
won't be misclassified as unreleased when they exist beyond the first
page of results.
- **Fixed 4.x Handling**: Corrected the logic for handling "4.x" version
strings (which represent all 4.x versions). The check now occurs before
the empty versions check, preventing issues reporting only "4.x" from
being incorrectly tagged as unreleased.
## Testing
- ✅ Verified regex patterns match both singular and plural forms for
Fleet, Orbit, and Fleetd version fields
- ✅ Confirmed the workflow correctly parses versions from various issue
formats
- ✅ Tested that API optimization only fetches releases or tags based on
which version types are present
- ✅ Verified pagination logic fetches all releases and tags, not just
first 100
- ✅ Tested 4.x handling logic correctly treats it as released
The changes maintain backward compatibility with existing issue formats
while adding support for Orbit/Fleetd version detection, handling
template variations, and ensuring comprehensive version checking through
pagination.
---------
Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
Co-authored-by: lukeheath <2495927+lukeheath@users.noreply.github.com>
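The version-field parsing and "4.x" handling described in the workflow change above, as an added example (not the fleet repo's own github-script code). The field names, the case-insensitive singular/plural matching, the release-vs-tag split and the `orbit-v*` tag prefix come from the description; the function names, the `fleet-v` release-tag prefix, the sample issue body and the decision that an empty version list is not tagged are assumptions.

```javascript
// Added example, not the workflow's code. Matches `**Fleet version**:`,
// `**Fleet versions**:`, `**Orbit version(s)**:` and `**Fleetd version(s)**:`
// case-insensitively and captures the rest of the line.
const FIELD_RE = /\*\*(fleet|orbit|fleetd)\s+versions?\*\*:\s*(.*)/gi;
const WILDCARD_RE = /^\d+\.x$/i; // e.g. "4.x" = all 4.x versions

// Returns { fleet: [...], orbit: [...] }. Orbit and Fleetd both map to
// "orbit" because both are validated against the same orbit-v* tags.
function parseVersionFields(body) {
  const out = { fleet: [], orbit: [] };
  for (const m of body.matchAll(FIELD_RE)) {
    const kind = m[1].toLowerCase() === "fleet" ? "fleet" : "orbit";
    out[kind].push(...m[2].split(/[,\s]+/).filter(Boolean));
  }
  return out;
}

// Only fetch what is needed: releases for Fleet versions, tags for Orbit/Fleetd.
function neededFetches(parsed) {
  return { releases: parsed.fleet.length > 0, tags: parsed.orbit.length > 0 };
}

// Build the "known released" sets from (paginated) API results.
// Assumption: Fleet release tag_names look like "fleet-v4.82.0".
function releasedSetFromReleases(releases) {
  return new Set(releases.map((r) => r.tag_name.replace(/^fleet-v|^v/, "")));
}
function releasedSetFromTags(tags, prefix = "orbit-v") {
  return new Set(tags.filter((t) => t.startsWith(prefix)).map((t) => t.slice(prefix.length)));
}

// True when some reported concrete version is absent from `known`.
// The wildcard check runs BEFORE the empty check, so a report of only "4.x"
// is treated as released instead of falling through as unreleased.
function isUnreleased(versions, known) {
  const concrete = versions.filter((v) => !WILDCARD_RE.test(v));
  if (versions.length > 0 && concrete.length === 0) return false; // only "4.x"
  if (versions.length === 0) return false; // assumption: nothing reported, nothing tagged
  return concrete.some((v) => !known.has(v.replace(/^v/, "")));
}

// Constructed sample issue body mixing singular/plural and casing variants.
const SAMPLE_BODY = [
  "**Fleet version**: 4.82.0, 4.83.0",
  "**Orbit versions**: 1.45.0",
  "**Fleetd Version**: 1.46.1",
].join("\n");
```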
PR created based on this:
https://fleetdm.slack.com/archives/C071NNMSP2R/p1773261307958859
Which will allow us to keep enrolling Windows devices via Autopilot;
currently it will be wiped on the next GitOps run.
I've added the GH secret with the value Jordan posted.
## Summary
- Adds `windows_entra_tenant_ids` configuration to the Dogfood
`controls` section in `it-and-security/default.yml`, referencing a new
`$DOGFOOD_ENTRA_TENANT_ID` environment variable.
- Adds the corresponding `DOGFOOD_ENTRA_TENANT_ID` secret mapping in
`.github/workflows/dogfood-gitops.yml` so the value is passed through
during deployment.
## Action required
The actual tenant ID value needs to be added as a GitHub Actions secret
named `DOGFOOD_ENTRA_TENANT_ID` in the repository settings before this
will take effect. The tenant ID can be found in [Microsoft Entra admin
center](https://entra.microsoft.com/#home) under **Microsoft Entra ID >
Home**.
Built for [Magnus
Jensen](https://fleetdm.slack.com/archives/D0AG2PPQWV7/p1773271863050969)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
This pull request makes a small change to the GitHub Actions workflow
configuration by adding a new secret environment variable for use in the
dogfood environment.
- Added the `DOGFOOD_OKTA_VERIFY_WINDOWS_URL` secret to the environment
variables in the `.github/workflows/dogfood-gitops.yml` workflow file.
Fixes#40975.
- 8.0.32 (was running in Aurora managed cloud at the time) -> 8.0.39 (what
we're running now)
- 8.0.36 -> 8.0.44 (latest 8.0.x version supported by Aurora; holding off
on 8.0.45 until Aurora supports it)
- 8.4.7 -> 8.4.8
- 9.5.0 -> 9.6.0
Also bumped the supported Aurora version from 3.07.0 to 3.08.2 to match
what we're running in managed cloud right now
Fleet might work on older patch versions but we'll no longer dev/test on
them. Not testing previous minor versions of MySQL 9.x matches our
previous approach for that version.
Since these are all patch/minor bumps (and the overnight build cases are
patch bumps/are covered by AWS envs) automated testing should be
sufficient here.
**Related issue:** Resolves#38538
This PR is just refactoring GitHub workflows. No significant functional
differences.
In this PR, we create a reusable workflow for running a single Go test
suite. This eliminates/reduces the complex and hard to maintain strategy
matrix from the original job.
This is pre-work before splitting off activity bounded context tests
into their own job.
Ran `yarn upgrade` to catch things up. Seeing if tests pass, then will
add other items on top.
---------
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
e.g. #39380, #39308, #39618.
We'll have more of these later.
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
We're no longer maintaining the tool, it's not tested against current
versions of Fleet, and customer use has been replaced with other
tooling. Removing this so it doesn't keep collecting npm
vulnerabilities.
**Related issue:** Resolves#32999
- Enhanced internal code quality tooling by implementing a custom
linting build configuration.
- Updated continuous integration workflow to utilize the new custom
build process for improved code analysis and consistency checks.
### Confirmed that running local custom `golangci-lint` build with
`nilaway` plugin catches lots of issues when run on `fleet/`:
<img width="1555" height="939" alt="Screenshot 2026-01-29 at 2 47 50 PM"
src="https://github.com/user-attachments/assets/c6a18400-fdf0-4104-97d8-e117efc28ed6"
/>
<img width="301" height="109" alt="Screenshot 2026-01-29 at 2 48 36 PM"
src="https://github.com/user-attachments/assets/b459ee7b-b391-457a-9191-17d56a80c783"
/>
### Confirmed that new incremental CI step using custom `golangci-lint`
build with `nilaway` plugin _does not_ check any `.go` files when none
have been modified, and so passes successfully (incremental check works
as expected):
<img width="337" height="197" alt="Screenshot 2026-01-29 at 2 45 24 PM"
src="https://github.com/user-attachments/assets/c7ae585e-2e10-4ebf-a3a3-96c26063f1e4"
/>
### Confirmed that new incremental CI step using custom `golangci-lint`
build with `nilaway` plugin _does_ check modified lines of `.go` files,
and so successfully flags a potentially unsafe dereference and fails the
job (incremental check works as expected):
<img width="825" height="491" alt="Screenshot 2026-01-29 at 5 50 01 PM"
src="https://github.com/user-attachments/assets/82bc5616-6fb9-4357-b8bc-c7eebc42c2d8"
/>
### Honorable mention:
`nilaway` agrees that `listHostSoftware` is a wild beast:
<img width="1277" height="190" alt="Screenshot 2026-01-29 at 5 52 32 PM"
src="https://github.com/user-attachments/assets/dfade2a8-fbcc-4bae-98f9-6bf1089620d2"
/>
- [x] QA'd all new/changed functionality manually
## Summary by CodeRabbit
* **Fleet dev cycle reliability improvements**
---------
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Automates bug triage by tagging issues based on age: `~old bug` for bugs
≥180 days, `~aging bug` for bugs ≥90 days.
Relates to #39155.
## Changes
**New workflow: `.github/workflows/tag-aging-bugs.yml`**
- Runs daily at 8:06 UTC via cron, supports manual dispatch
- Dry run mode (default: false) logs actions without modifying labels
- Two-pass processing:
1. Bugs ≥180 days: adds `~old bug`, removes `~aging bug` if present
2. Bugs ≥90 days without either label: adds `~aging bug`
- Uses github-script with pagination for scalability
- Follows repo patterns (harden-runner, proper permissions)
# Checklist for submitter
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] QA'd all new/changed functionality manually
<details>
<summary>Original prompt</summary>
> Add a GitHub Actions workflow that runs daily at 8:06am UTC, and can
be manually dispatched. In that workflow, retrieve all issues labelled
`bug` created >= 180 days ago that don't include the `~old bug` tag,
then for each bug add the `~old bug` tag and remove `~aging bug` if it
is applied. Then retrieve all issues labelled `bug` created >= 90 days
ago that has neither `~aging bug` nor `~old bug` tags, and add the
`~aging bug` tag. Include a dry run workflow parameter, default off,
that logs rather than setting the label.
</details>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
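The two-pass aging-bug labelling described in the PR above, as an added example that is not the workflow's own github-script code: a pure planner that decides the label operations for each `bug` issue, plus an applier with the dry-run mode that only logs. Issue objects use the GitHub REST field names (`number`, `created_at`, `labels[].name`); the function names, the `MS_PER_DAY` day arithmetic and the sample issues are assumptions.

```javascript
// Added example, not code from the fleet repo's workflow.
const OLD_LABEL = "~old bug";
const AGING_LABEL = "~aging bug";
const MS_PER_DAY = 24 * 60 * 60 * 1000;

function ageInDays(createdAt, now) {
  return Math.floor((now.getTime() - new Date(createdAt).getTime()) / MS_PER_DAY);
}

// REST API returns label objects; some list endpoints return plain strings.
function hasLabel(issue, name) {
  return issue.labels.some((l) => (typeof l === "string" ? l : l.name) === name);
}

// Pass 1: bugs >= 180 days old get `~old bug` and lose `~aging bug`.
// Pass 2: bugs >= 90 days old with neither label get `~aging bug`.
// Returns [{ issue, op: "add" | "remove", label }], nothing is mutated.
function planLabelChanges(issues, now = new Date()) {
  const actions = [];
  for (const issue of issues) {
    if (!hasLabel(issue, "bug")) continue; // only issues labelled `bug`
    const age = ageInDays(issue.created_at, now);
    if (age >= 180) {
      if (!hasLabel(issue, OLD_LABEL)) actions.push({ issue: issue.number, op: "add", label: OLD_LABEL });
      if (hasLabel(issue, AGING_LABEL)) actions.push({ issue: issue.number, op: "remove", label: AGING_LABEL });
    } else if (age >= 90 && !hasLabel(issue, AGING_LABEL) && !hasLabel(issue, OLD_LABEL)) {
      actions.push({ issue: issue.number, op: "add", label: AGING_LABEL });
    }
  }
  return actions;
}

// Applies the plan through the Octokit client that github-script injects as
// `github`; with dryRun=true it only logs and touches nothing. Returns the
// number of planned operations.
async function applyPlan(actions, { github, repo, dryRun, log = console.log }) {
  for (const a of actions) {
    if (dryRun) { log(`[dry-run] would ${a.op} "${a.label}" on #${a.issue}`); continue; }
    if (a.op === "add") {
      await github.rest.issues.addLabels({ ...repo, issue_number: a.issue, labels: [a.label] });
    } else {
      await github.rest.issues.removeLabel({ ...repo, issue_number: a.issue, name: a.label });
    }
  }
  return actions.length;
}

// Constructed sample issues, evaluated against a fixed "now".
const NOW = new Date("2026-03-01T00:00:00Z");
const SAMPLE_ISSUES = [
  { number: 1, created_at: "2025-06-01T00:00:00Z", labels: [{ name: "bug" }, { name: "~aging bug" }] }, // 273 days
  { number: 2, created_at: "2025-11-15T00:00:00Z", labels: [{ name: "bug" }] },                         // 106 days
  { number: 3, created_at: "2026-01-15T00:00:00Z", labels: [{ name: "bug" }] },                         // 45 days
  { number: 4, created_at: "2025-06-01T00:00:00Z", labels: [{ name: "enhancement" }] },                 // not a bug
  { number: 5, created_at: "2025-07-01T00:00:00Z", labels: [{ name: "bug" }, { name: "~old bug" }] },   // already old
];
```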