Commit graph

1172 commits

Author SHA1 Message Date
Jordan Montgomery
8995a60a61
Remove TODO in story template comments (#44686)
Small QoL improvement. During standup, speccing, etc. we check the board
for stories with open TODOs. There have recently been some TODOs added
in comments, so while you can't find a TODO with ctrl+f, if you edit the
markdown you'll find one. This just makes them "TO DOs" in the comments
so they don't get flagged by filtering for TODO if not removed. Actual
visual content of template left alone.
2026-05-05 13:10:55 +01:00
George Karr
5ee53b4c28
adding redis and mysql subcharts instead of bitnami (#42442)
Resolves: #34771 

This moves away from relying on discontinued bitnami charts and instead
adds a small mysql chart, a valkey/redis chart and a brief guide update
on how to migrate from one to the other.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Helm chart bumped to v7.0.0.
* Replaced Redis with Valkey as the caching backend and added Valkey
configuration options.
* Added an optional embedded MySQL chart with configurable auth,
persistence, service, and credentials handling.

* **Chores**
* CI now adds the Valkey Helm repository and builds chart dependencies
before templating.
  * .gitignore adjusted to only ignore packaged chart archives (*.tgz).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: georgekarrv <1501415+georgekarrv@users.noreply.github.com>
2026-05-04 15:39:56 -05:00
Jonathan Katz
acf3c3b5c1
Require bug fixes to be manually validated in community PRs (#44689) 2026-05-04 15:29:41 -05:00
Andrey Kizimenko
288cda546f
Enhance release QA template with Helm chart verification (#44585) 2026-05-04 15:15:40 -05:00
Jorge Falcon
1c95f5c886
Load test terraform fixes (#44678)
- Disable performance insights
- Allow redis instance count >=1
- Properly set ecs_cluster logging config path
- Targeted apply with auto approve for pre-creating fleet and execution
roles

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Enhanced ECS cluster logging with CloudWatch integration and extended
log retention to 365 days.
* Adjusted RDS monitoring configuration and disabled performance
insights for operational optimization.
* Reduced minimum Redis instance requirement from 3 to 1 for greater
deployment flexibility.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-04 13:59:01 -05:00
Luke Heath
60f7485654
fleet-slackbot: graceful tool-budget fallback and MCP prompt coverage (#44598)
2026-05-01 13:28:12 -05:00
|@rm!n3
6eaf015d9d
feat(fleet-mcp): production-grade MCP server with full filter routing (#44481) 2026-05-01 11:45:42 -05:00
Andrey Kizimenko
baf7014f0d
Add QA checklist for Playwright automation (#44394)
Added a checklist item for QA to determine Playwright automation needs.
2026-05-01 09:50:09 -04:00
Andrey Kizimenko
698aa583c1
Standardize formatting in release-qa issue template (#44460) 2026-04-30 14:52:15 -05:00
Robert Fairburn
b80b2e1050
Update dogfood alert channel (#44142)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated deployment workflow configuration to source Slack
notifications from the correct webhook endpoint.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-30 11:50:04 -05:00
Marko Lisica
214c00abd1
Update bug report responsibilities for Product Designers (#44278)
- We often encounter bugs where the expected behavior is clear, but the
Product Development team cannot provide a specific solution. It often
requires an engineer (tech lead) to understand what's broken and provide
technical details in the "To fix" section.
- Some time ago, we added a requirement to change the bug title to
reflect the expected behavior rather than what is broken. I find this
approach counterintuitive and often confusing. Additionally, I believe
we haven't consistently followed this practice, despite it being
documented.

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2026-04-30 09:36:16 -04:00
Allen Houchins
6ff485fcdd
Support custom tap folder for apps without casks; add three apps (#43784)
This pull request introduces support for ingesting Homebrew casks from
third-party taps (not available in the official
`Homebrew/homebrew-cask`) into the Fleet Maintained Apps (FMA) system.
It does this by allowing cask metadata to be committed directly into the
repository and referenced via a new `cask_path` field. The PR also
updates CI workflows to better support Fleet Desktop validation and
documents the new contributor flow.

**Support for custom Homebrew casks:**

* Added a new `cask_path` field to app manifests, allowing the FMA
ingester to read cask metadata from a local JSON file instead of
fetching from the Homebrew API. This enables ingestion of apps from
third-party taps or custom casks not present in the official Homebrew
repository.
* Refactored the Homebrew ingester (`brewIngester`) to use a new
`fetchCask` helper, which reads from the local file if `cask_path` is
set, or falls back to the API otherwise. Includes robust error handling.
* Added comprehensive documentation and examples for the custom tap
workflow, including a new `custom-tap/` directory with cask DSL sources,
generated JSON, and a regeneration script.
* Added new custom casks for `fleet-desktop`, `druva-insync`, and
`zoom-rooms` under `inputs/homebrew/custom-tap/Casks/`.

**Testing and validation:**

* Added a new test (`TestIngestCaskPath`) to ensure the ingester
correctly reads from `cask_path` and does not make unnecessary HTTP
requests, with error handling for missing files.

**CI workflow improvements:**

* Updated GitHub Actions workflows to handle Fleet Desktop's installer
requirements in CI by creating a managed preferences stub when
validating Fleet Desktop, ensuring the installer succeeds even without
MDM enrollment.

These changes make it possible to maintain and test apps from custom
Homebrew taps within the Fleet repo, improving flexibility and
reliability for Fleet-maintained apps.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added support for three new macOS apps: Fleet Desktop, Druva inSync,
and Zoom Rooms
  * Added UI icons for Fleet Desktop and Zoom Rooms
* **Enhancements**
* Fleet Desktop includes an MDM enrollment caveat and improved installer
validation for macOS installers
* Support for overriding Homebrew cask input via a local cask JSON file
* **Tests**
  * Added unit coverage for local cask JSON ingestion behavior
* **Chores**
* Added a deterministic script to regenerate Homebrew custom-tap
manifests
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-29 20:30:51 -05:00
Andrey Kizimenko
3a9cef5829
Add Trivy scan verification section to release QA template (#44451) 2026-04-29 17:19:13 -05:00
Jorge Falcon
473fbffff5
Terraform module updates (#43543) 2026-04-29 17:18:40 -05:00
Scott Gress
07b6679ead
Build fleetctl MSI packages (#43403) 2026-04-29 17:09:19 -05:00
Luke Heath
735d424ddb
Trivy: scan active RC branches nightly (#44449) 2026-04-29 16:24:22 -05:00
Lucas Manuel Rodriguez
c7673a22df
Release osqueryd 5.23.0 (#44220)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Updated osqueryd version to 5.23.0 across macOS, Linux, and Windows
build processes.
* Adjusted release tooling behavior so the confirmation prompt only
appears when the corresponding branch/PR creation step will actually
run.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-28 13:14:58 -03:00
Noah Talerman
11c872a279
Add API-only user verification in story template (#44160)
FYI @AndreyKizimenko @chrstphr84 @xpkoala @Brajim20 @marko-lisica
@melpike as of 4.84, we want to make sure every new API endpoint is
available to be added to API-only users
2026-04-27 10:09:48 -05:00
Juan Fernandez
b2682bd408
Run CI when api_endpoints.yml changes (#44114)
2026-04-24 13:09:15 -04:00
Luke Heath
73925b22be
Add permissions to e2e-agent workflow and remove Slack notification if retries remaining (#43917) 2026-04-22 10:29:19 -05:00
Noah Talerman
436534d135
Update feature request template description (#43870)
We want contributors/customers to use the feature request template for
Fleet-maintained apps
2026-04-22 09:24:13 +01:00
Scott Gress
df44a9342e
Use Docker as default WiX runtime on macOS arm64 (#43715)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #43484

# Details

Apple Silicon Macs were being forced down the Wine+local-wix-dir path
because the fleetdm/wix:latest image was deemed unreliable on arm64 in
Jan 2024. Docker Desktop's amd64 emulation has matured since -- the
image builds both amd64 and arm64 MSIs on arm64 macOS successfully. This
PR:

- Drops the arm64-forces-Wine guard in BuildMSI so the Docker path is
the default on every macOS arch when --local-wix-dir isn't provided.
- Drops the macOS "Install wine and wix" + "Build MSI on macOS (using
local Wix)" CI steps. The ubuntu-latest matrix entry already exercises
the Docker path, and the install-wine.sh flow is brittle against Gcenx
release churn and homebrew-cask deprecation.
- Updates the install-wine.sh script to fail and output a message
indicating that Docker should be used, or else Wine installed manually.
```
============================================================
This script no longer installs Wine.
============================================================

Wine is no longer required to build Windows (.msi) packages on macOS.
fleetctl package now uses Docker by default on all macOS architectures.

RECOMMENDED: install Docker Desktop
  https://docs.docker.com/get-docker

If you cannot use Docker and still need to build MSIs with Wine on macOS
see the upstream WineHQ wiki for installation instructions:
  https://gitlab.winehq.org/wine/wine/-/wikis/MacOS

Automatic Wine installation via Homebrew is no longer attempted here
because the wine-stable cask is deprecated and upstream Wine releases
have caused repeated breakage.
```
- Retains the wix auto-download helper (downloadAndExtractZip,
extractZipFile, wixDownload) for backwards-compatibility when Docker
isn't detected, with a deprecation warning.

The Wine + --local-wix-dir path remains available for macOS users who
opt into it, but is no longer documented. See #43484.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
- Dropped MacOS packaging tests. The Ubuntu test already exercises the
Docker path that MacOS now uses.
- [X] QA'd all new/changed functionality manually
  - Built and installed both amd64 and arm64 .msi packages successfully

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* MSI packages on macOS now build using Docker by default, removing the
Wine dependency.

* **Documentation**
* Updated macOS setup guidance: Docker Desktop is now required for MSI
packaging instead of Wine.

* **Chores**
* Simplified Wine-related helper scripts and removed outdated
installation logic.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-21 10:53:46 -05:00
Jorge Falcon
75f79dc866
Loadtest osquery perf workflow wording and enroll.sh remainder updates (#43762)
- Updates wording in `.github/workflows/loadtest-osquery-perf.yml` 
  - `4098` -> `4096`
- Removes: `(should be a multiple of 8, if setting
loadtest_containers_starting_index)`
- Updates `infrastructure/loadtesting/terraform/osquery_perf/enroll.sh`
to handle values that are not multiples of 8. If the value is not a
multiple of 8, logic has been added to apply the remainder.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Documentation**
* Updated load testing workflow configuration input descriptions for
improved clarity of parameters and their usage examples.

* **Bug Fixes**
* Fixed container count allocation logic in the load testing process to
ensure the final target count is always properly applied, even when
using increment values that don't divide evenly into the specified total
range.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-20 12:01:23 -04:00
Andrey Kizimenko
ed13c58ea7
Expanding Fleet Free checks to include specific areas to test (#43486)
Added additional checks for Free license functionality in release QA
template.
2026-04-13 15:18:25 -05:00
Victor Lyuboslavsky
98e08ad4f3
Add Windows Go tests to CI (#43365)
Resolves #40809 

Added a few basic tests.
Fixed a small race condition. Manually tested orbit on Windows with the
fix.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Fixed a race during BitLocker worker shutdown on Windows to prevent
hangs or unexpected failures.

* **Tests**
* Added comprehensive Windows-only tests for BitLocker behavior and
related utilities.
  * Hardened tests to use stricter assertions and deterministic checks.

* **Chores**
* Added an automated Windows test workflow to run scheduled and
PR-triggered Windows test runs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-13 10:49:15 -05:00
Noah Talerman
e7470fabae
Enhance bug report template with fix guidance (#43410)
Updated the bug report template to include guidance for product
designers on specifying fixes.
2026-04-10 17:21:19 +01:00
Eric
b6a3c546ef
Add test and deploy workflows for ee/fleet-agent-downloader (#43343)
Related to: https://github.com/fleetdm/fleet/issues/40309

Changes:
- Added two workflows to test changes and deploy the
ee/fleet-agent-downloader app on Heroku.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-09 15:26:24 -05:00
Victor Lyuboslavsky
263d77c8ec
Propose a new reliability issue type. (#43136) 2026-04-08 16:14:37 -05:00
Allen Houchins
88724a12c7
Increase workflow timeout to 30 minutes (#43269)
Update .github/workflows/dogfood-gitops.yml to raise the fleet-gitops
job timeout from 10 to 30 minutes. This prevents premature cancellation
for longer-running steps (e.g., runner hardening and related tasks).

Our workflow is starting to time out now that we have more apps being
applied via GitOps.
2026-04-08 13:11:51 -05:00
Tim Lee
aef980c76c
Add Product & Eng handbook weekly summary action (#43193) 2026-04-08 08:53:07 -06:00
Andrey Kizimenko
4d72c203b4
Revise release QA template for clarity and updates (#43003)
Removed outdated instructions
Added cloud migrations as a separate check
Moved regular migrations test to the All product groups area
2026-04-06 10:21:50 -05:00
Robert Fairburn
05759e202d
Add a manifests prefix to maintained apps sync (#43005) 2026-04-03 15:23:12 -05:00
Robert Fairburn
7397a1f889
Add GitHub Actions Workflow to Sync Maintained Apps Outputs to Cloudflare R2 (#42997)
### Summary

Adds a new CI workflow that automatically synchronizes
`ee/maintained-apps/outputs` directory contents to a Cloudflare R2
bucket. This enables serving maintained apps output files via CDN with
minimal operational overhead.

### What It Does

- **Automatic sync on changes**: Triggers whenever files in
`ee/maintained-apps/outputs/**` are committed to main
- **Manual trigger support**: Can be run on-demand via Actions UI with
optional dry-run mode
- **Idempotent operations**: Uses `aws s3 sync --delete` to keep bucket
in sync with source
- **Failure notifications**: Posts to Slack (#help-p1) if sync fails

### Key Features

| Feature | Description |
|---------|-------------|
| **Dry-run mode** | Preview what would be synced without uploading (via workflow_dispatch input) |
| **Concurrency control** | Cancels in-progress runs on same branch to avoid conflicts |
| **Retry logic** | 10 retry attempts with standard AWS retry mode for transient failures |
| **Security hardening** | Uses `step-security/harden-runner` for egress policy enforcement |

### Configuration Status 

All required configuration is already in place:
-  R2 bucket `maintained-apps` exists
-  Secret `R2_MAINTAINED_APPS_ACCESS_KEY_ID` configured
-  Secret `R2_MAINTAINED_APPS_ACCESS_KEY_SECRET` configured  
-  Secret `R2_ENDPOINT` configured
-  Slack webhook secret `SLACK_G_HELP_P1_WEBHOOK_URL` available

### Validation

-  **actionlint**: Passed with no errors or warnings
-  **YAML syntax**: Validated

### Testing

To verify after merging:
1. Trigger manually via Actions → "Sync Maintained Apps Outputs to R2" →
Run workflow
2. Use dry-run mode first to preview what would be synced without
uploading

### Notes
- Uses AWS CLI (pre-installed on ubuntu-latest) with R2-compatible
endpoint
- Minimal permissions model - only `contents: read` required
- bucket available at https://maintained-apps.fleetdm.com/
2026-04-03 14:45:24 -05:00
Scott Gress
854fa2af62
Cleanup docker publish (#42693)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #42691

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a

## Testing

- [ ] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- I ran the updated snapshot action on this branch and verified that it
pushed the branch-tagged image, but not the SHA-tagged one.
- I ran the cleanup script in dry-run mode and verified that it didn't
expect to delete any non-sha-tagged images
- I wasn't able to test the delete-image-on-branch-delete action for
obvious reasons.
- I haven't tested the cleanup script in non-dry-run mode... I could do
on my personal dockerhub...

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **New Features**
* Automated cleanup of Docker images when development branches are
deleted to maintain registry hygiene.
  * New utility for managing and cleaning up legacy Docker image tags.

* **Chores**
* Enhanced Docker image tagging in snapshot builds with improved branch
name handling.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-03 10:40:56 -05:00
Scott Gress
c4aa6f5529
Use fleetctl new templates for new instances (#42768)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41409 

# Details

This PR updates the `ApplyStarterLibrary` method and functionality to
rely on the same templates and mechanisms as `fleetctl new`. The end
result is that running `fleetctl new` and `fleetctl gitops` on a new
instance should be a no-op; no changes should be made. Similarly,
changing the templates in a Fleet release will automatically affect
`fleetctl new` and `ApplyStarterLibrary` in the same exact way for that
release.

> Note that this moves the template files out of `fleetctl` and into
their own shared package. This move comprises the majority of the file
changes in the PR.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
Note that 

<img width="668" height="44" alt="image"
src="https://github.com/user-attachments/assets/066cd566-f91d-4661-84fc-2aabbfce2ef9"
/>

will fail until the 4.83 Fleet docker image is published, since it's
trying to push 4.83 config (including `exceptions`) to a 4.82 server.

- [X] QA'd all new/changed functionality manually
- [X] Created a new instance and validated that the fleets, policies and
labels created matched the ones created by `fleetctl new`
- [X] Ran `fleetctl new` and verified that it created the expected
folders and files
- [X] Ran `fleetctl gitops` with the files created by `fleetctl new` and
verified that the instance was unchanged.
- [X] Ran `fleetctl preview` successfully using a dev build of the Fleet
server image (since it won't work against the latest published build,
which doesn't support `exceptions`). Verified it shows the expected
teams, policies and labels
2026-04-03 09:58:03 -05:00
dependabot[bot]
3d7b90a83a
Bump picomatch in /.github/actions/eng-metrics (#42432) 2026-04-02 13:45:24 -05:00
dependabot[bot]
97153fb35a
Bump flatted from 3.3.3 to 3.4.2 in /.github/actions/eng-metrics (#42118) 2026-04-02 13:43:50 -05:00
Jordan Montgomery
5ced911c08
Add retry considerations to PR template and design/qa considerations (#42856)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Action items for #40725 postmortem

Added in both places because we should consider these things both when
working on bugs and drafting new features. #40725 happened because what
was thought to be a temporary state had no limits on retries

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-02 11:03:14 -05:00
Jorge Falcon
34cb7ab6d1
Loadtest internal alb logging and osquery-perf scaling updates (#42581)
- Configures internal alb to log to the same bucket as the public alb
- Adds support for osquery-perf task size (cpu/memory) configuration
- Updates defaults for osquery-perf extra_flags
- Updates default enroll.sh loop sleep_time from 60s -> 300s
2026-03-31 11:15:07 -04:00
Scott Gress
7db99c7801
Fix test-packaging.yml action (#42570)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #42573

Fixes failing test by replacing no-longer-supported `--no-quarantine`
option with manually turning off quarantine for Wine.

Successful run here:
https://github.com/fleetdm/fleet/actions/runs/23661332211

---------

Co-authored-by: Allen Houchins <allenhouchins@mac.com>
2026-03-30 09:25:07 -03:00
Lucas Manuel Rodriguez
9d17411e99
Add login step to Docker to CI actions (#42563)
Attempt to fix
https://github.com/fleetdm/fleet/actions/runs/23655325832/job/68910927037.

Test runs: 
- https://github.com/fleetdm/fleet/actions/runs/23658042653
- https://github.com/fleetdm/fleet/actions/runs/23658172713
- https://github.com/fleetdm/fleet/actions/runs/23658225164
- https://github.com/fleetdm/fleet/actions/runs/23658253426
- https://github.com/fleetdm/fleet/actions/runs/23658300785
2026-03-27 14:18:29 -03:00
Lucas Manuel Rodriguez
9106da00ad
Add GitHub token to fleetctl preview CI test (#42551)
Fixes
https://github.com/fleetdm/fleet/actions/runs/23629057662/job/68824172559.
2026-03-27 12:29:03 -03:00
Zach Wasserman
1a82975b37
Update integration testing for agent enrollments (#41981)
Add nightly testing across the following:

OS: mac/Linux/Windows
Updates: enabled/disabled
Channels (for each of orbit/osquery\desktop): edge/stable
Arch: arm/x86

Failures are alerted to Slack.
2026-03-25 22:29:47 -07:00
Victor Lyuboslavsky
ea22c8087b
Bind docker ports to 127.0.0.1 (#42232)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #42226

When doing dev in a remote environment, like a public cloud VM, don't
expose ports to the public.
This is a contributor security improvement.

The localstack fail is present on main, and was not caused by this
change:
https://github.com/fleetdm/fleet/actions/runs/23439965808/job/68187858627

# Checklist for submitter

## Testing

- [x] QA'd all new/changed functionality manually


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Docker Compose configuration updated across multiple services (Redis,
MySQL, mail, monitoring, and storage services) to restrict port bindings
to localhost only instead of all network interfaces.
* Documentation Docker Compose examples updated to reflect
localhost-only port binding for core services.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-23 12:30:23 -05:00
Scott Gress
8ea6f338de
Pin Localstack version (#42253)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #42252 

Pins the Localstack image to the last-known-good version (4.5) before
they 🔪 'd the community edition and started requiring an auth token. I
also added a "wait for localstack" as an initial debugging step, and
left it in to catch similar future issues. It's probably redundant since
there likely _is_ no future for Fleet and Localstack beyond this, but it
takes milliseconds and would catch any other weird Localstack failures
so, why not.
2026-03-23 12:11:55 -05:00
Noah Talerman
dddf3ad3ad
Update story template: Instructions for new tables (#42090)
Context:
https://fleetdm.slack.com/archives/C084F4MKYSJ/p1773887522983829?thread_ts=1773864328.625229&cid=C084F4MKYSJ
2026-03-23 11:15:24 +00:00
Claude
111bb4692e
Bump MySQL test version from 8.0.39 to 8.0.42 (#42122)
Updates MySQL version references from 8.0.39 to 8.0.42 in GitHub Actions
workflow test matrices to match current Aurora version as of #42120.

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
2026-03-20 14:24:29 -05:00
Victor Lyuboslavsky
25e7d326e8
Update actions/setup-go to v6.3.0 (#42152)
Updating actions/setup-go to v6.3.0 from a mix of different versions.

This gets us faster CI runs, with improvements such as:
- built in Go module cache AND Go build cache (separate cache no longer
needed)
- using go.mod resulting in fewer cache invalidations
- faster Node 24 runtime
- using go.dev download URL, which is more reliable
2026-03-20 09:56:51 -05:00
Victor Lyuboslavsky
db5fb9b230
Update golangci-lint from 2.7.1 to 2.11.3 (#42066) 2026-03-19 11:19:42 -05:00
Allen Houchins
f1d9e93371
Add Okta management hints to GitOps workflow (#39759)
Add mobile management hint secrets in the dogfood GitOps workflow by
adding DOGFOOD_OKTA_ANDROID_MANAGEMENT_HINT and
DOGFOOD_OKTA_IOS_MANAGEMENT_HINT to the job environment. These values
are sourced from repository secrets and are intended for Okta
Android/iOS management hint configuration during the workflow run. No
other behavior was changed.
2026-03-19 11:01:59 -05:00