for #31321
# Details
Small updates from [community
PR](https://github.com/fleetdm/fleet/pull/31134):
* Updated config vars to match
[docs](https://github.com/fleetdm/fleet/blob/docs-v4.75.0/docs/Configuration/fleet-server-configuration.md#server_private_key_region)
* Added support for specifying region in config (already documented)
* Removed parsing of ARN for region
* Made retry backoff intervals a bit longer
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
(already added in the community PR
[here](https://github.com/fleetdm/fleet/blob/sgress454/updates-for-private-key-in-aws-sm/changes/private-key-secrets-manager#L0-L1)
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Added support for specifying the AWS region for server private key
retrieval from AWS Secrets Manager via server.private_key_region.
- Chores
- Renamed configuration keys:
- server.private_key_secret_arn → server.private_key_arn
- server.private_key_secret_sts_assume_role_arn →
server.private_key_sts_assume_role_arn
- server.private_key_secret_sts_external_id →
server.private_key_sts_external_id
- Update your configuration to use the new keys.
- Adjusted retry backoff for Secrets Manager retrieval to improve
resilience.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For #31675
For #32099
Adds a Github workflow to generate our packaged build of Swift
Dialog(following existing Nudge packager), updates the version to 2.5.6
and modifies the Migration dialog to render properly with the new Swift
Dialog version(it previously rendered it just didn't format as expected
due to changes in the markdown formatter)
Makefile changes are necessary not only because of the version bump but
because the latest package includes xattrs for some strange reason.
Extracting it verbatim on a system(at least with our Go implementation)
creates files that cause Gatekeeper to stop execution of swift dialog.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
We got the following warning today:
<img width="1311" height="200" alt="Screenshot 2025-08-29 at 9 51 52 AM"
src="https://github.com/user-attachments/assets/a62ab52d-fe89-4b96-9082-f1a91d6e8b08"
/>
The process for updating the signature which happens every Tuesday
failed, and nobody realized it failed because we missed adding a Slack
notification to it.
Fixes#32347
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Added health checks and elapsed-time logging during server startup and
host enrollment in the integration workflow.
- Bug Fixes
- Reduced flakiness by adding bounded login retries and server readiness
verification before proceeding.
- Tests
- Periodic diagnostics for host enrollment status to aid visibility
during runs.
- Chores
- Increased server startup timeout from 10 to 15 minutes in the
integration workflow.
- Minor workflow formatting cleanups for consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For #26382
- Attested the signed Windows Orbit binary instead of the unsigned one.
- For both Fleet desktop and Osquery for macOS and Windows artifacts,
attested the binaries inside archives.
Related to: #31753
Changes:
- Updated the "Deploy Fleet website" workflow to remove the
`website/assets` folder from the website's build slug when the website
deploys.
Ran
```
make update-go version=1.24.6
```
And then updated the `sha256`s manually in the Dockerfiles.
Fixes https://nvd.nist.gov/vuln/detail/CVE-2025-47907
```
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call
to the Scan method of the returned Rows can result in unexpected results if other queries are being
made in parallel. This can result in a race condition that may overwrite the expected results with those
of another query, causing the call to Scan to return either unexpected results from the other
query or an error.
```
Related to: [#31753](https://github.com/fleetdm/fleet/issues/31753)
Changes:
- Updated the "Deploy Fleet website" workflow to push to the Heroku git
repo from a parentless commit that does not contain the full git
history.
Related to: https://github.com/fleetdm/fleet/issues/31720
Changes:
- Commented out the step that builds Storybook in the "Test Fleet
website" and "Deploy Fleet website" workflows. There is an error caused
by an incompatible version of a Storybook dependency that is preventing
these workflows from running.
Fixes#31693
Manually forced a run for MySQL 8.4.6 to validate.
# Checklist for submitter
- Changes not needed since this is not a product change.
## Testing
- [x] Added/updated automated tests
For #29183
# Checklist for submitter
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced automated validation workflows for maintained applications
on both macOS and Windows, ensuring apps can be installed, verified, and
uninstalled as expected.
* Added new command-line tool to validate maintained apps, providing
detailed reporting on validation results.
* Enhanced detection and handling of pre-installed applications during
validation.
* Improved post-installation steps for macOS, including quarantine
removal and system refresh.
* **Chores**
* Added new continuous integration workflows to automate application
validation on pull requests for relevant files.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The impetus for this was #31232 . Some MDM migrations and enrollments
broke because MDM Enrollment Protocol changes snuck in that we didn't
see
Now within 24h of Microsoft publishing changes to the MDM or MDE2
protocols we will get a github issue to review them
See #31423 for an example
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
# Added
- Added kms.tf to support encrypting keys, specifically cloudfront keys.
- Added template/cloudfront.tf.disabled for use in enabling cloudfront.-
Modified ecs-iam.tf to support log-alb.tf, cloudfront.tf policies that
are injected into `local.extra_execution_iam_policies` and `local.iam`.
- Added log-alb.tf to enable logging alb, required by cloudfront.tf.
# Changed
- Modified ecs.tf to support adding of additional secrets from
`local.secrets`.
- Modified firehose.tf to support provider required updates for
deprecated resource configurations.
- Modified init.tf to support `> v5.0` of `hashicorp/aws` provider.
- Modified locals.tf to add `extra_execution_iam_policies`, `iam`,
`software_installers_kms_policy`, `extra_secrets`, secrets, and
`cloudfront_key_basename`, to support cloudfront.
- Modified readme.md with instructions on how to enable cloudfront.tf
- Modified redis.tf to support provider required updates for deprecated
resource configurations
- Modified s3.tf to support kms keys and add kms iam.
- Modified terraform version in .github/workflows/tfvalidate.yml - 1.9.0
-> 1.10.4
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Manual QA for all new/changed functionality
- Adding `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` to dogfood
- Adding creation of secret and secret version for
`FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` value
Fixes#29140
I intended to add a Slack notification but forgot in the previous PR.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added automated Slack notifications for failed scheduled workflow
runs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#29140
This is an engineering initiated story that does not impact product.
This code has been running and manually tested in my own repo:
https://github.com/getvictor/eng-metrics
See
[README.md](https://github.com/fleetdm/fleet/blob/victor/29140-eng-metrics/.github/actions/eng-metrics/README.md)
in this branch for details.
The metrics can be viewed on
https://fleeteng.grafana.net/d/b97a629f-3626-4a28-9781-0fa3c8427897/engineering-metrics
(credentials in 1Password)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced an engineering metrics collection tool that gathers GitHub
metrics (e.g., Time to First Review, Time to Merge) and uploads them to
BigQuery.
* Added support for user group management and product group mapping via
markdown parsing.
* Enabled print-only mode for testing metrics output without uploading
to BigQuery.
* Added automatic handling of bot filtering, weekend-aware time
calculations, and differential syncing of user groups.
* Implemented robust GitHub username validation and retry logic for API
rate limits.
* **Documentation**
* Added comprehensive usage and configuration documentation for the
engineering metrics tool.
* **Chores**
* Added configuration, environment example, and workflow files for
automated metrics collection and testing.
* Specified Node.js version and set up project dependencies and scripts.
* **Tests**
* Added extensive unit and end-to-end test suites to ensure reliability
of metrics collection, configuration, and integrations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added a new workflow to simulate syncing selected secrets to another
repository in dry-run mode. No actual changes will occur during
execution.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
