This pull request introduces support for ingesting Homebrew casks from
third-party taps (not available in the official
`Homebrew/homebrew-cask`) into the Fleet Maintained Apps (FMA) system.
It does this by allowing cask metadata to be committed directly into the
repository and referenced via a new `cask_path` field. The PR also
updates CI workflows to better support Fleet Desktop validation and
documents the new contributor flow.
**Support for custom Homebrew casks:**
* Added a new `cask_path` field to app manifests, allowing the FMA
ingester to read cask metadata from a local JSON file instead of
fetching from the Homebrew API. This enables ingestion of apps from
third-party taps or custom casks not present in the official Homebrew
repository.
* Refactored the Homebrew ingester (`brewIngester`) to use a new
`fetchCask` helper, which reads from the local file if `cask_path` is
set, or falls back to the API otherwise. Includes robust error handling.
* Added comprehensive documentation and examples for the custom tap
workflow, including a new `custom-tap/` directory with cask DSL sources,
generated JSON, and a regeneration script.
* Added new custom casks for `fleet-desktop`, `druva-insync`, and
`zoom-rooms` under `inputs/homebrew/custom-tap/Casks/`.
**Testing and validation:**
* Added a new test (`TestIngestCaskPath`) to ensure the ingester
correctly reads from `cask_path` and does not make unnecessary HTTP
requests, with error handling for missing files.
**CI workflow improvements:**
* Updated GitHub Actions workflows to handle Fleet Desktop's installer
requirements in CI by creating a managed preferences stub when
validating Fleet Desktop, ensuring the installer succeeds even without
MDM enrollment.
These changes make it possible to maintain and test apps from custom
Homebrew taps within the Fleet repo, improving flexibility and
reliability for Fleet-maintained apps.
## Summary by CodeRabbit
* **New Features**
  * Added support for three new macOS apps: Fleet Desktop, Druva inSync,
    and Zoom Rooms
  * Added UI icons for Fleet Desktop and Zoom Rooms
* **Enhancements**
  * Fleet Desktop includes an MDM enrollment caveat and improved installer
    validation for macOS installers
  * Support for overriding Homebrew cask input via a local cask JSON file
* **Tests**
  * Added unit coverage for local cask JSON ingestion behavior
* **Chores**
  * Added a deterministic script to regenerate Homebrew custom-tap
    manifests
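
The local-file-versus-API selection that the `cask_path` and `fetchCask` description above outlines, as an added Go example; it is not the project's code. `Manifest`, `Cask`, `LoadCask`, the `fetchAPI` callback, the sample cask, and the path-containment, token and digest checks are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Manifest is a cut-down app manifest. Only cask_path is named on the page;
// the token field and the Go names are assumptions for this example.
type Manifest struct {
	Token    string `json:"token"`
	CaskPath string `json:"cask_path,omitempty"`
}

// Cask holds the few Homebrew cask JSON fields this example checks.
type Cask struct {
	Token   string `json:"token"`
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// sampleCask is constructed for this example; the digest is a placeholder.
const sampleCask = `{"token": "example-app", "version": "1.2.3",
 "url": "https://downloads.example.com/example-app-1.2.3.pkg",
 "sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}`

var hexDigest = regexp.MustCompile(`^[0-9a-f]{64}$`)

// LoadCask reads cask JSON from m.CaskPath under baseDir when it is set, and
// calls fetchAPI (a stand-in for the Homebrew API request) only otherwise.
func LoadCask(m Manifest, baseDir string, fetchAPI func(token string) ([]byte, error)) (*Cask, error) {
	var raw []byte
	var err error
	if m.CaskPath != "" {
		// Added hardening (assumption): stay inside baseDir; symlinks not resolved.
		rel := filepath.Clean(m.CaskPath)
		if filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return nil, fmt.Errorf("cask_path %q escapes %s", m.CaskPath, baseDir)
		}
		if raw, err = os.ReadFile(filepath.Join(baseDir, rel)); err != nil {
			return nil, fmt.Errorf("reading cask_path: %w", err)
		}
	} else if raw, err = fetchAPI(m.Token); err != nil {
		return nil, fmt.Errorf("fetching cask %q: %w", m.Token, err)
	}
	var c Cask
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parsing cask JSON: %w", err)
	}
	// Example policy (assumption): committed casks get the same checks as API data.
	if c.Token != m.Token {
		return nil, fmt.Errorf("cask token %q does not match manifest %q", c.Token, m.Token)
	}
	if !strings.HasPrefix(c.URL, "https://") || !hexDigest.MatchString(c.SHA256) {
		return nil, errors.New("cask needs an https URL and a 64-hex sha256")
	}
	return &c, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "casks")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "example-app.json"), []byte(sampleCask), 0o600)
	noAPI := func(string) ([]byte, error) { return nil, errors.New("API must not be called") }
	c, err := LoadCask(Manifest{Token: "example-app", CaskPath: "example-app.json"}, dir, noAPI)
	fmt.Println(c, err)
	_, err = LoadCask(Manifest{Token: "example-app", CaskPath: "../example-app.json"}, dir, noAPI)
	fmt.Println(err)
}
```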
Register Google Gemini for macOS: add a Homebrew input
(ee/maintained-apps/inputs/homebrew/gemini.json), update apps index
(ee/maintained-apps/outputs/apps.json), and add a darwin output with
installer/uninstaller scripts and version 1.49.2.233
(ee/maintained-apps/outputs/google-gemini/darwin.json). Also add
frontend icon component and asset
(frontend/pages/SoftwarePage/components/icons/Gemini.tsx, updated icon
index) and a 60x60@2x PNG app icon
(website/assets/images/app-icon-google-gemini-60x60@2x.png). Includes
installer URL and script refs for install/uninstall, plus app relaunch
handling.
This pull request adds support for the Zen Browser across the
application, including its metadata, installation scripts, and UI icon.
The changes ensure Zen Browser is now recognized as a maintained app,
can be installed/uninstalled via scripts, and displays its icon in the
frontend.
**Zen Browser Integration**
* Added Zen Browser metadata to the maintained apps input (`zen.json`)
and output (`apps.json`) files, making it available in the maintained
apps list.
* Created a new versioned output file for Zen Browser
(`zen/darwin.json`), including installer and uninstaller scripts,
version information, and download details.
**Frontend/UI Updates**
* Added a new React SVG icon component for Zen Browser (`Zen.tsx`).
* Registered the Zen icon in the icon index and mapped the "zen"
software name to the new icon, enabling its display in the UI.
## Summary
- Reduces h2 `font-size` from `$medium` (1.25rem / 20px) to `$small`
(1rem / 16px) across 6 component stylesheets in the Fleet UI frontend.
- Set `side-nav__container` to `align-items` `flex-start` so it's
consistent in **Controls** and **Admin** pages with the same layout.
## QA
- Verify h2 headings render at 16px (1rem) across the affected pages:
- Section headers (global component)
- Host query report table
- Device user "Setting up your device" page
- Windows automatic enrollment settings page
- Software vulnerability details page
- Software title details edit icon modal
---
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1775487801759869)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: melpike <melpike.dev@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Add support for Druva inSync: new winget input
(ee/maintained-apps/inputs/winget/druva-insync.json), app metadata
(added entry in ee/maintained-apps/outputs/apps.json) and
platform-specific output with version, installer URL,
installer/uninstaller script refs, sha256 and upgrade_code
(ee/maintained-apps/outputs/druva-insync/windows.json). Also add
frontend icon component and mapping
(frontend/pages/SoftwarePage/components/icons/DruvaInSync.tsx and
index.ts) plus the PNG asset
(website/assets/images/app-icon-druva-insync-60x60@2x.png) so the app is
manageable and visually represented in the UI.
**Related issue:** Resolves #43702
Register iMazing Profile Editor as a Fleet-maintained app: add input
metadata, add app entry to outputs/apps.json, and add darwin-specific
version/installer info with install/uninstall scripts and checks. Update
frontend icon mapping to include the human-readable name, and adjust
fleet configs (workstations self-service slug, dynamic label bundle
identifier, and macOS patch policy) to reference the new
imazing-profile-editor/darwin slug and
com.DigiDNA.iMazingProfileEditorMac bundle ID.
Replace the fleet-maintained app record for "iMazing Profile Editor"
with the full "iMazing" app. Deleted the old input file and added a new
input for imazing; renamed output paths and updated app metadata (bundle
identifier, slug, categories). Bumped version to 3.5.2 and updated
installer URL, install/uninstall script refs and SHA256. Updated
frontend icon mapping and website routes to point to the new imazing
slug, and adjusted fleet configs: workstation software slug, dynamic
label query, and macOS patch policy to reference imazing/darwin and the
new bundle identifier.
## Summary by CodeRabbit
* **New Features**
  * iMazing application (v3.5.2) now replaces iMazing Profile Editor with
    improved capabilities and enhanced functionality.
  * Application category updated from Developer tools to Utilities for
    better organization and discoverability.
* **Updates**
  * Updated deployment configurations, system routes, and management
    policies to support iMazing across all managed environments and
    platforms.
Add metadata and install/uninstall automation for Thunderbird on
Windows. Adds ee/maintained-apps/inputs/winget/thunderbird.json plus
PowerShell install/uninstall scripts (NSIS silent /S, install uses
/PreventRebootRequired=true; uninstall resolves registry entry for x64
en-US and appends /S). Update maintained apps outputs: register
Thunderbird in ee/maintained-apps/outputs/apps.json and add
ee/maintained-apps/outputs/thunderbird/windows.json (version 149.0.2,
installer URL and sha256, script refs). Also update frontend icon
component and app PNG asset for Thunderbird.
**Related issue:** Resolves #43526
Add support for Granola (Windows) including winget input,
installer/uninstaller scripts, and output metadata. Added
ee/maintained-apps/inputs/winget/granola.json plus install/uninstall
PowerShell scripts, and new
ee/maintained-apps/outputs/granola/windows.json containing version
7.128.0, installer URL and script refs (with SHA256). Also register
Granola in ee/maintained-apps/outputs/apps.json and update the frontend
icon and website app image assets for Granola.
Add Windows support for Linear: new winget input
(ee/maintained-apps/inputs/winget/linear.json) with installer metadata
and category, plus install/uninstall PowerShell scripts. Add output
metadata (ee/maintained-apps/outputs/linear/windows.json) including a
version entry, installer URL, sha256 and script refs, and register the
app in apps.json. Update frontend icon component to reference a new PNG
and add the image asset.
**Related issue:** Resolves #43501
## Issue
- First batch of @iansltx's work of cleaning up lint warnings #43387
## Description
- Quick PR review and grabbed as many confirmed low-risk quick wins as I
could `git checkout lint-cleanup <file/path/1> <file/path/2>`
## Summary by CodeRabbit
## Release Notes
This release contains internal code improvements with one minor UI
tweak:
* **Style**
  * Dropdown menu background color adjusted for clearer contrast in action
    lists
* **Refactor**
  * Improved type safety across the codebase with stricter TypeScript
    annotations
  * Removed unused imports and constants to reduce code clutter
  * Enhanced React hook dependency arrays for more consistent component
    behavior
---------
Co-authored-by: Rachel Perkins <rachel@Rachels-MacBook-Pro.local>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Delete AdobeAcrobat.tsx (embedded PNG icon) and update icons index to
remove its import and map 'adobe acrobat' to the existing AcrobatReader
component, consolidating Acrobat icon usage.
**Related issue:** Resolves #43287
Zed + Opus 4.6; prompt: Convert the InputField JSX component to
TypeScript and remove the ts-ignore directives that we no longer need
after doing so.
- [x] Changes file added
- [x] Automated tests updated
**Related issue:** Resolves #42512
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
**Related issue:** Resolves #42184
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
## Summary by CodeRabbit
## Release Notes
* **New Features**
  * Added support for GitOps exceptions per entity type (labels, software,
    secrets), allowing specific areas to bypass GitOps mode restrictions
    when configured.
* **Bug Fixes**
  * Improved GitOps mode behavior to properly respect per-entity-type
    exception settings across software, labels, and secrets management.
* **Tests**
  * Extended test coverage for GitOps exception handling scenarios.
Resolves #42383. Re-roll of #42384 using the relevant helper function.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] QA'd all new/changed functionality manually
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
  * Enhanced Android software configuration success notifications to
    dynamically display the actual software display name, replacing
    previously static messaging. This improvement provides users with more
    specific and personalized feedback when confirming successful software
    configurations, improving clarity and reducing potential confusion when
    managing multiple software installations or updates on their Android
    devices.
**Related issue:** Resolves #42047
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
This pull request adds support for the "Google Credential Provider for
Windows" application to the maintained apps system, including its
metadata, installation logic, and user interface icon. The changes
ensure that the app is properly recognized, categorized, and visually
represented in the frontend.
**New application support:**
- Added metadata for "Google Credential Provider for Windows" in
`winget` input, including identifiers, architecture, installer type, and
default category.
- Added output configuration for the app, specifying version, detection
query, installer/uninstaller scripts, installer URL, and SHA256 hash.
- Registered the app in the main `apps.json` output with a description
and platform information.
**Frontend/UI updates:**
- Added a new React SVG icon component for "Google Credential Provider
for Windows" in the software page.
- Registered the new icon in the icons index and mapped the app name to
the icon in the `SOFTWARE_NAME_TO_ICON_MAP`.
## Summary
- Changed all modal "Done" dismiss/close button labels to "Close" across
48 frontend component files
- Updated instructional text in `AutoEnrollMdmModal` that referenced the
"Done" button to say "Close" instead
- Updated 7 test files to assert "Close" instead of "Done" for modal
button names
## Excluded (intentionally not changed)
- `LiveResultsHeading.tsx` — "Done" button is a page-level navigation
action, not a modal dismiss
- `AddAbmModal.tsx` — Instructional text referencing Apple Business
Manager's "Done" button
- `Calendars.tsx` — Instructional text referencing Google Calendar's
"Done" button
- `ModalFooter.stories.tsx` — Storybook demo example
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1773674157011109?thread_ts=1773673149.649299&cid=D0AKX7DJFCN)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: melpike <mel@fleetdm.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
## Summary
- Adds Proxyman (macOS) to the Fleet maintained apps catalog
- Input: `ee/maintained-apps/inputs/homebrew/proxyman.json`
- Output generated via ingester script
## Validation checklist
- [ ] App can be downloaded using manifest URL
- [ ] App installs successfully using manifest install script
- [ ] App exists in software inventory after install
- [ ] App uninstalls successfully using manifest uninstall script
Note: @mention #g-software Product Designer in a comment pointing to the
new icon once added.
**Related issue:** Resolves #40724
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Adds Tor Browser as a Fleet-maintained app for macOS only.
## Changes
- **macOS**: Homebrew cask `tor-browser`, DMG installer, bundle
identifier `org.torproject.torbrowser`
- Icon sourced from the official Tor Project GitHub at 128x128
- Added to `apps.json` catalog in alphabetical order
**Note:** Windows support was dropped. Tor Browser for Windows uses a
portable installer that installs to `%LOCALAPPDATA%` (not `C:\Program
Files`), which is outside the scope of what Fleet's CI validator and
Windows install validation can detect. macOS-only is the correct scope
for this app.
## Test plan
- [ ] Verify `go run cmd/maintained-apps/main.go
--slug="tor-browser/darwin"` produces valid output
- [ ] Confirm icon renders correctly in the software catalog UI
- [ ] Confirm macOS install/uninstall scripts work on a test device
## Summary
Adds [Charles Proxy](https://www.charlesproxy.com/) as a
Fleet-maintained app for macOS.
Charles is an HTTP proxy, monitor, and reverse proxy that lets
developers view all HTTP and HTTPS traffic between their machine and the
internet. It's commonly used for debugging, testing, and network
analysis.
- macOS: DMG installer via Homebrew cask `charles`, bundle ID
`com.xk72.Charles`
- Windows: Not included — the WinGet package (`XK72.Charles`) uses an
`appx` installer type, which is not supported by Fleet's winget ingester
## Test plan
- [ ] Install Charles on a macOS host via Fleet self-service and confirm
it installs to `/Applications/Charles.app`
- [ ] Confirm `SELECT 1 FROM apps WHERE bundle_identifier =
'com.xk72.Charles';` returns a result after installation
- [ ] Uninstall Charles via Fleet and confirm the app is removed
- [ ] Confirm the Charles icon appears correctly in the Fleet UI
software catalog
- [ ] Run `go run cmd/maintained-apps/main.go --slug="charles/darwin"
--debug` and confirm no errors
Adds Krita (free and open-source digital painting application) as a
Fleet Maintained App for macOS and Windows.
## Changes
- **macOS**: Homebrew cask `krita`, DMG installer, bundle ID
`org.kde.krita`
- **Windows**: WinGet `KDE.Krita`, NSIS EXE installer with custom silent
install/uninstall scripts
- Icon generated from KDE official icon (128x128 PNG), added to icon
index
- Both platforms added to `apps.json` alphabetically (after Keka, before
LastPass)
## Testing
- macOS ingester ran successfully: `go run cmd/maintained-apps/main.go
--slug="krita/darwin" --debug`
- Windows ingester ran successfully: `go run cmd/maintained-apps/main.go
--slug="krita/windows" --debug`
- Output files generated: `ee/maintained-apps/outputs/krita/darwin.json`
and `windows.json`
## Related issue
Add Krita FMA
## Summary
- Adds Arduino IDE (macOS only) as a Fleet maintained app using Homebrew
cask `arduino-ide`
- Bundle identifier: `cc.arduino.IDE2`, installer format: DMG, version
2.3.8
- Includes app icon, install/uninstall scripts, catalog entry, and icon
component
## Test plan
- [ ] Install Arduino IDE via Fleet on a macOS device and verify it
launches
- [ ] Uninstall Arduino IDE via Fleet and verify the app and user data
are removed
- [ ] Verify the Arduino IDE icon renders correctly in the software
catalog UI
- [ ] Confirm the entry appears alphabetically in the software catalog
(after Archaeology, before Asana)