<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42691
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a
## Testing
- [ ] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- I ran the updated snapshot action on this branch and verified that it
pushed the branch-tagged image, but not the SHA-tagged one.
- I ran the cleanup script in dry-run mode and verified that it didn't
expect to delete any non-sha-tagged images
- I wasn't able to test the delete-image-on-branch-delete action for
obvious reasons.
- I haven't tested the cleanup script in non-dry-run mode... I could do
on my personal dockerhub...
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Automated cleanup of Docker images when development branches are
deleted to maintain registry hygiene.
* New utility for managing and cleaning up legacy Docker image tags.
* **Chores**
* Enhanced Docker image tagging in snapshot builds with improved branch
name handling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Added documents for the case study process and made edits to the process
that we discussed earlier
---------
Co-authored-by: Ashish Kuthiala <53918208+akuthiala@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41409
# Details
This PR updates the `ApplyStarterLibrary` method and functionality to
rely on the same templates and mechanisms as `fleetctl new`. The end
result is that running `fleetctl new` and `fleetctl gitops` on a new
instance should be a no-op; no changes should be made. Similarly,
changing the templates in a Fleet release will automatically affect
`fleetctl new` and `ApplyStarterLibrary` in the same exact way for that
release.
> Note that this moves the template files out of `fleetctl` and into
their own shared package. This move comprises the majority of the file
changes in the PR.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
Note that
<img width="668" height="44" alt="image"
src="https://github.com/user-attachments/assets/066cd566-f91d-4661-84fc-2aabbfce2ef9"
/>
will fail until the 4.83 Fleet docker image is published, since it's
trying to push 4.83 config (including `exceptions`) to a 4.82 server.
- [X] QA'd all new/changed functionality manually
- [X] Created a new instance and validated that the fleets, policies and
labels created matched the ones created by `fleetctl new`
- [X] Ran `fleetctl new` and verified that it created the expected
folders and files
- [X] Ran `fleetctl gitops` with the files created by `fleetctl new` and
verified that the instance was unchanged.
- [X] Ran `fleetctl preview` successfully using a dev build of the Fleet
server image (since it won't work against the latest published build,
which doesn't support `exceptions`). Verified it shows the expected
teams, policies and labels
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42964
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
No changes file as this is part of the SHAA feature
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Improved Android release process with automated changelog generation
and streamlined release workflow documentation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Capture osascript output into a variable and compare it to "true" when
checking if an app is running. Updated quit_application and
quit_and_track_application to use app_running=$(osascript ...) and [[
"$app_running" != "true" ]] rather than relying on the command's exit
status. This makes the running check more reliable across osascript
behaviors and avoids depending on its exit code.
Bumps
[github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from
3.0.4 to 3.0.5.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="be2f654870"><code>be2f654</code></a>
ci: update Go versions for GHA workflows (<a
href="https://redirect.github.com/go-jose/go-jose/issues/221">#221</a>)</li>
<li><a
href="02464163e1"><code>0246416</code></a>
Merge commit from fork</li>
<li>See full diff in <a
href="https://github.com/go-jose/go-jose/compare/v3.0.4...v3.0.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Guide explaining how to configure EAP-TLS Wi-Fi network on Android
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42808
This is another hot path optimization recommended by Claude Code. I QA'd
it with a local osquery perf run.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Enhanced performance of the distributed read endpoint by optimizing
lock contention management during jitter table access operations. This
change reduces latency and improves system responsiveness when handling
distributed read requests, particularly benefiting high-concurrency
scenarios. The optimization maintains all existing functionality while
providing better performance characteristics for read-heavy workloads.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds a new "Sales Forecast Process: Weekly Update Requirements"
section to `handbook/sales/sales-policies.md`
- Documents the weekly forecast update deadline (Thursday by 5:00 PM
local time) and the Friday morning review cycle
- Placed logically after existing sales policy sections, before the meta
tags
## Changes
- **`handbook/sales/sales-policies.md`**: Added new `## Sales Forecast
Process: Weekly Update Requirements` section with Overview and Schedule
subsections
Built for [Chaz
MacLaughlin](https://fleetdm.slack.com/archives/D0AHH0ZEMLY/p1775153128055729)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com>
Fixed the typo "annouced"
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Fixes#40841
## Summary
The root cause of the URL mismatch described in the issue is unknown. We
couldn't reproduce it and couldn't find a deterministic code path that
explains it.
What we fix in this PR is a code defect that turns an unknown transient
condition into a hard failure. When a policy has both a URL and a hash
(which is always the case for `package_path` references), and the URL
lookup fails for any reason, a continue statement prevented the
hash-based fallback from ever running.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** The entire ACME feature branch merge
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42600
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed an issue where Android device certificate template records were
not properly cleared during unenrollment, which previously resulted in
stale certificate statuses after re-enrollment.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- @noahtalerman: For the following quick win:
- #41107
The "Activities run as listed" tooltip on the host details upcoming
activity pane said "Currently, only software and scripts are guaranteed
to run in order" — ambiguous wording that implies the order is
configurable or changeable.
- **`frontend/pages/hosts/details/cards/Activity/Activity.tsx`**:
Replace tooltip text with "Software and scripts are always processed in
order. Each waits until the previous one completes." — accurately
reflects the blocking/sequential behavior described in the contributing
guide.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: getvictor <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Fixes#40785
## Summary
When a GitOps run includes a `volume_purchasing_program` config that
references a team that doesn't exist yet, the code temporarily removes
the entire VPP config from the global AppConfig, clearing ALL VPP
token-to-team assignments on the server. However, the code only deferred
`app_store_apps` for the missing teams, not for existing teams that also
lost their VPP assignments. Those existing teams then failed with "No
available VPP Token" when their `app_store_apps` were applied.
The fix widens the deferral scope to match the clearing scope. When VPP
assignments are temporarily cleared, `app_store_apps` are now deferred
for all teams in the VPP config, not just the missing ones.
Changes:
- Updated the comments in the partners page script,
deliver-deal-registration-submission, and
deliver-partner-registration-submission.
- Removed unused @input functions on the partners page.
This will only fire if Claude adds `math/rand` as an import.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated code style guidelines and enhanced linting configuration to
enforce stricter code quality standards.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41484
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed a server crash that occurred when uploading a Windows MDM
profile to a team on a free license.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds a new "Single sign-on (SSO)" section under `## Salesforce` in
`handbook/finance/gtm-architecture.md`
- Documents Fleet's specific SSO profile configuration in Salesforce —
which profiles to assign to SSO-enabled vs non-SSO users
- Covers four Salesforce profiles:
- **Fleet User** and **System Administrator** for SSO-enabled Fleet
employees
- **externalNonSSOEnabledSystemAdmin** (cloned from System
Administrator) for UTTR integration users and the Integrations admin
account
- **externalNonSSOEnabledFleetUser** for external non-admin users who do
not use SSO
- Provides actionable guidance: "If you need to add an SSO user, assign
X. If you need to add a non-SSO user, assign Y."
- Notes planned future work for automated role/permission provisioning
via OAuth
Built for [Sam
Pfluger](https://fleetdm.slack.com/archives/D0AF8QFBVHB/p1775145501809539?thread_ts=1775094096.519039&cid=D0AF8QFBVHB)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
**Related issue:** Resolves#33555
Wrap Get-ItemProperty calls in try/catch blocks during registry
enumeration to gracefully handle terminating exceptions (e.g.
System.InvalidCastException) from malformed registry entries, logging
the offending path instead of aborting.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Action items for #40725 postmortem
Added in both places because we should consider these things both when
working on bugs and drafting new features. #40725 happened because what
was thought to be a temporary state had no limits on retries
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
