## #30730
- Update Go version
- Update the docs for this process
- Confirmed `fleet`, `fleetctl`, and related docker images build
successfully
- Note that failing tests are unrelated: see [Slack
thread](https://fleetdm.slack.com/archives/C019WG4GH0A/p1752175318523689)
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
- Adding `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` to dogfood
- Adding creation of secret and secret version for
`FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` value
- Disabling firehose log destination
- Re-enabling webhook log destination
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Enabled webhook logging by activating environment variables for
webhook URLs.
* Webhook log plugin is now conditionally set based on the presence of a
webhook URL.
* **Chores**
* Updated environment variable management by removing firehose-logging
addon variables from the configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- Disabled webhook variables
- Re-enabled firehose variables
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Disabled certain environment variables related to webhook logging.
* Updated environment variable configuration to include additional
logging settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Update dogfood deployment to utilize webhooks for the osquery results
logging destination configuration
@BCTBB already added a tines.io webhook URL to the repo secrets
`DOGFOOD_WEBHOOK_URL` where the value was provided by @harrisonravazzolo
Co-authored-by: Harrison Ravazzolo <38767391+harrisonravazzolo@users.noreply.github.com>
Fixed restore policies to be tied to the correct policy names
- restore -> restore vs restore -> backup
- backup -> backup vs backup -> restore
Fixing the typos. Permissions remain unchanged.
- Will create AWS Backup
- Source Vault and KMS key
- Destination Vault and KMS key
- Backup Plan
- Backup Selection
- Required permissions
- Set permissions required for AWS backup on GHA role (pre-added
manually)
- Set `Tag:backup=true` on Dogfood Aurora clusters via `rds_config`
For #28837.
Fixing this all of this because we got multiple reports from the
community and customers and these were also detected by Amazon
Inspector.
- Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2.
- `docker scout` now fails the daily scheduled action if there are
CRITICAL,HIGH CVEs (we missed setting `exit-code: true`).
- Report CVE-2025-46569 as not affected by it because of our use of
OPA's go package.
- Report CVE-2024-8260 as not affected by it because Fleet doesn't run
on Windows.
- The `security/status.md` shows a lot of changes because we are now
sorting CVEs so that newest come first.
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [ ] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.
For #26713
# Details
This PR updates Fleet and its related tools and binaries to use Go
version 1.24.1.
Scanning through the changelog, I didn't see anything relevant to Fleet
that requires action. The only possible breaking change I spotted was:
> As [announced](https://tip.golang.org/doc/go1.23#linux) in the Go 1.23
release notes, Go 1.24 requires Linux kernel version 3.2 or later.
Linux kernel 3.2 was released in January of 2012, so I think we can
commit to dropping support for earlier kernel versions.
The new [tools directive](https://tip.golang.org/doc/go1.24#tools) is
interesting as it means we can move away from using `tools.go` files,
but it's not a required update.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Make sure fleetd is compatible with the latest released version of
Fleet
- [x] Orbit runs on macOS ✅ , Linux ✅ and Windows.
- [x] Manual QA must be performed in the three main OSs, macOS ✅,
Windows and Linux ✅.
> no issue. something I ran into the last loadtest I ran.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Manual QA for all new/changed functionality
Note this has been applied from the branch and is required to merge
before applying dogfood from main going forward. This should
significantly speed up deployments from the clone speed difference.
Only the latest versions of modules have been migrated to the new repo,
so all the module versions needed updated in dogfood.
