Fixes#32347
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Added health checks and elapsed-time logging during server startup and
host enrollment in the integration workflow.
- Bug Fixes
- Reduced flakiness by adding bounded login retries and server readiness
verification before proceeding.
- Tests
- Periodic diagnostics for host enrollment status to aid visibility
during runs.
- Chores
- Increased server startup timeout from 10 to 15 minutes in the
integration workflow.
- Minor workflow formatting cleanups for consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
CI is failing with:
```
Selecting previously unselected package cloudflared.
(Reading database ... 219352 files and directories currently installed.)
Preparing to unpack cloudflared-linux-amd64.deb ...
Unpacking cloudflared (2025.6.1) ...
Setting up cloudflared (2025.6.1) ...
Processing triggers for man-db (2.12.0-4build2) ...
error parsing tunnel ID: fleet-test-81a7ab03-3e62-43a2-bdc0-8470dbdca600 is neither the ID nor the name of any of your tunnels
Awaiting tunnel ready...
failed to create tunnel: Unknown output format 'default'
Awaiting tunnel ready...
Awaiting tunnel ready...
[...]
```
E.g.:
https://github.com/fleetdm/fleet/actions/runs/15746535584/job/44417207764?pr=30140
It's hard to troubleshoot what's going on with the latest version
without good credentials, so we will pin the version for now as a
workaround.
- Move duplicate scripts out of `scripts/mdm/` and into
`it-and-security/` so we have one version that we can continue to
iterate and improve.
- Remove no longer used scripts out of `scripts/mdm/`
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Done as part of oncall improvements.
`vars.GO_VERSION` can only be changed by admins and it's not public
(Fleet devs don't know the current value of the variable), this approach
uses the version specified in our `go.mod` file.
#6085
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
For #13715, this:
- Upgrades the Go version to `1.21.1`, infrastructure changes are
addressed separately at https://github.com/fleetdm/fleet/pull/13878
- Upgrades the linter version, as the current version doesn't work well
after the Go upgrade
- Fixes new linting errors (we now get errors for memory aliasing in
loops! 🎉 )
After this is merged people will need to:
1. Update their Go version. I use `gvm` and I did it like:
```
$ gvm install go1.21.1
$ gvm use go1.21.1 --default
```
2. Update the local version of `golangci-lint`:
```
$ go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2
```
3. (optional) depending on your setup, you might need to re-install some
packages, for example:
```
# goimports to automatically import libraries
$ go install golang.org/x/tools/cmd/goimports@latest
# gopls for the language server
$ go install golang.org/x/tools/gopls@latest
# etc...
```
#13547
This is an attempt to stabilize this workflow that has been broken for
4-6 months.
# Issue and proposed solution
Github runner VMs re-use UUIDs, which is not supported by Orbit (this
causes a host to be enrolled as two hosts in Fleet), thus, until that is
fixed in https://github.com/fleetdm/fleet/issues/8021 I propose we
stabilize this workflow by testing all `stable` channels only (which is
better than having the build broken all the time IMO).
Once https://github.com/fleetdm/fleet/issues/8021 is fixed we can re-add
the edge channels.
After @rfairburn made the DNS change the clouldflared tunnel started
working again (after months of being broken).
#13547
Run: https://github.com/fleetdm/fleet/actions/runs/6025182774
This PR adds some fixes to the two workflows that make use of
cloudflared.
There are still some issues to fix but these are some changes needed to
continue/help troubleshooting.
At the moment, in Github Actions, when a job has `uses:
actions/setup-go` it uses a specific commit from that repo.
In that commit, it used `set-output` somewhere, which is now deprecated
and will be disabled within the next month or so.
See here for more information:
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
This PR changes every instance where `actions/setup-go@...` was used and
replaces it with release `v2.1.3`. [From the release
notes](https://github.com/actions/setup-go/releases/tag/v2.1.3):
> Updated communication with runner to use environment files rather then
workflow commands
Which is what the above Github blog recommends doing.
---
Addationally, the latest version of this Github Action is
[`v4.0.0`](https://github.com/actions/setup-go/releases/tag/v4.0.0),
which you may want to update to in the future.
Bumps
[dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact)
from 2.23.0 to 2.26.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5e780fc7bb"><code>5e780fc</code></a>
Use <code>commit</code> as <code>head_sha</code> to reduce number of API
calls (<a
href="https://github-redirect.dependabot.com/dawidd6/action-download-artifact/issues/227">#227</a>)</li>
<li><a
href="b59d8c6a6c"><code>b59d8c6</code></a>
Add pagination to appropriate listWorkflowRunArtifacts call (<a
href="https://github-redirect.dependabot.com/dawidd6/action-download-artifact/issues/225">#225</a>)</li>
<li><a
href="5004d5476e"><code>5004d54</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/dawidd6/action-download-artifact/issues/219">#219</a>
from dawidd6/dependabot-npm_and_yarn-actions-artifact...</li>
<li><a
href="b1a9c91d1f"><code>b1a9c91</code></a>
build(deps): bump <code>@actions/artifact</code> from 1.1.0 to
1.1.1</li>
<li><a
href="bd10f381a9"><code>bd10f38</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/dawidd6/action-download-artifact/issues/218">#218</a>
from dawidd6/dependabot-npm_and_yarn-adm-zip-0.5.10</li>
<li><a
href="61a654a8ce"><code>61a654a</code></a>
build(deps): bump adm-zip from 0.5.9 to 0.5.10</li>
<li><a
href="dcadc4bd45"><code>dcadc4b</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/dawidd6/action-download-artifact/issues/211">#211</a>
from koplo199/master</li>
<li><a
href="ceeb280c4f"><code>ceeb280</code></a>
Remove unnecessary semicolon</li>
<li><a
href="806bb52fe0"><code>806bb52</code></a>
Catch 'Artifact has expired' error</li>
<li><a
href="e6e25ac3a2"><code>e6e25ac</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/dawidd6/action-download-artifact/issues/209">#209</a>
from dawidd6/v2</li>
<li>Additional commits viewable in <a
href="7847792dd4...5e780fc7bb">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Zach Wasserman <zach@fleetdm.com>
We don't have a `matrix.go-version` defined, so the task was using
`go1.17.13` as the default.
This explicitly sets the version to `go1.19.1`, I didn't use a `matrix`
definition because at least for now, we only want to run this test using a
single Go version.
Since I was there, I also updated test-native-tooling-packaging.yml to
use `go1.19.1` too.
* fix old root dir in orbit
* add changes
* Add automation for orbit shell (with TUF)
* Fix workflow syntax
* Add logging to latest fleetctl preview action
* Add changes to fix workflow
* Use macOS host for TUF server and package generation
* Remove copy/paste if clause
* Fix orbit logs on macOS, Ubuntu
* Simplify TUF and generation of packages
* Set enroll secret instead of getting it
* Increase timeouts
* Add step id
* Fixes to the upload/download of artifacts
* Rearrange steps to not lose the downloads
* Fix copy/paste
* Add fleetctl login step
* Add missing config set
* Fix quotes on Windows
* Increase timeout
* Fix job termination
* Disable FLEET_DESKTOP for now
* Checkout repository on macOS
* Fix logs path
* Enable fleet desktop
* Use cancel, nitpick
Co-authored-by: Michal Nicpon <michal@fleetdm.com>
* Add logs to troubleshoot orbit
* Run journalctl on a different step
* Add legacy orbit support to opt version of fleetctl
* Fix macos logs permission error
* Checkout repository
* Compile fleetctl from branch
* Added explicit read permissions + tweaked permissions
As a part of #4698 - this should fix the remaining warnings we get from the OSSF scorecard in relation to github workflows. They now all have explicit read permissions with more granular permissions granted in jobs.
* Update tfsec.yml
New workflow that I had not fixed in this PR.
