This pull request relies on the `mdm-gen-cert` command from
https://github.com/fleetdm/fleet/pull/8884.
Closes: https://github.com/fleetdm/fleet/issues/8223
Changes:
- Updated the deploy Fleet website workflow to:
- Add Go as a dependency
- Build the mdm-gen-cert binary in `/website/.tools/`
- add the `/.tools/` folder to the Heroku app
- Added `deliver-apple-csr.js` - an API that:
- can be called by making a `POST` request to
`/api/v1/deliver-apple-csr`
- accepts `csr` as an input
- runs the `mdm-gen-cert` command with the `csr` set as an environment
variable
- returns an `invalidEmailDomain` response if the user's email domain is
in the array of banned email domains.
- saves the users organization and email address to the website's
database
- Sends an email to the requesting user's email address with the signed
CSR attached as a text file named `apple-apns-request.txt`
- Posts a message to a channel in the Fleet Slack.
- Added a new model: `CertificateSigningRequests` that contains two
required attributes: `emailAddress` and `organization`
- Added a new email template `email-signed-csr-for-apns`
- Updated routes, policies, eslintrc, and rebuilt cloud-sdk
Before this can be merged, we will need to:
- [x] Add new config variables in Heroku
- [x] `sails.config.custom.mdmVendorCertPem`
- [x] `sails.config.custom.mdmVendorKeyPem`
- [x] `sails.config.custom.mdmVendorKeyPassphrase`
- [x] `sails.config.custom.slackWebhookUrlForMDMSignups`
- [x] Add the `CertificateSigningRequests` model to the website's
database
Changes:
- Updated the `build-static-content` script to use a GitHub API token
for requests if one is provided e.g., `sails run build-static-content
--githubAccessToken="foo"`
- Updated the `build-for-prod` npm script to run the
`build-static-content` script with a variable named `BUILD_SCRIPT_ARGS`.
- Updated the "Deploy Fleet website" and "Test Fleet website" workflows
to run the `build-for-prod` script with a GitHub API token
. .
Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
* WIP
* Add more logging
* Check rate limit at end of action
* Add github client in more places
* Add new published firefox 93 vulnerabilities to tests
* Remove fmt printfs
* Restore CI check settings
* Readd newline
A customer had a seccomp profile that seemed to be incompatible with the
changes in glibc in ubuntu-22.04. Setting the builder back to 20.04
explicitly to resolve this issue.
* Add quay push to the snapshot pusher to start
* Tags need to be just the tag part in this one
* Put the tag in a variable
* Fix typos
* Switch up how we define registry to see if it finds the image like this
* Add quay push everywhere else
* Update go to 1.19.4
* Comment out failing package test
* Comment out ALL the packaging tests for windows for the moment
* Update go to 1.19.4
* Comment out failing package test
* Comment out ALL the packaging tests for windows for the moment
* Update changelog
* Bump versions
* Update changelog to reflect this being a security release
* Fix confusion with tags on dogfood deploy workflow
* Update .github/workflows/dogfood-deploy.yml
Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
We don't have a `matrix.go-version` defined, so the task was using
`go1.17.13` as the default.
This explicitly sets the version to `go1.19.1`, I didn't use a `matrix`
definition because at least for now, we only want to run this test using a
single Go version.
Since I was there, I also updated test-native-tooling-packaging.yml to
use `go1.19.1` too.
* Create .trivyignore
Adding original trivy ignore file. Working to resolve/document more of the findings, especially around go.mod. Will add a github action as well.
* Adding default trivy scan for testing
* Update trivy_scan.yml
Making it manual + daily for now
* Update trivy_scan.yml
updating name
* Renamed + configured Trivy scan
* Adding a new synchronization mechanism between fleet-desktop app and Orbit service. Improved windows service teardown to ensure that fleet-desktop does not get force killed without getting signaled. Improved windows process enumeration to avoid unnecessary delays during windows service start and windows service teardown. Updating windows service to reflect service teardown extra time due to synchronization.
this modifies the migration order CI check to only check for added files
by:
1. Escaping the blob we give to git, so bash doesn't perform expansion,
this lets git handle the blob matching, which for reasons I don't
fully understand allows to find file renames.
2. Applying `--diff-filter=A`, which makes git only list file additions.
Related to #6142, this adds a CI check for the order of migrations.
As I noted in a comment on the workflow file, it's important to keep in mind that some migrations might still go unnoticed even with this check, example:
1. PR1 adds a migration, CI check pass
2. PR2 adds a migration, CI pass, gets merged
3. PR1 can still be merged because the CI checks aren't run again
The check will fail in `main` however, so if we find the current script to be reliable, we could setup a Slack ping or something similar, to make sure somebody takes a look
* Bump go to 1.19.1
* Bump remaining go-version to the 1.19.1
* Add extra paths for test-go
* Oops, putting the right path in the right place
* gofmt file
* gofmt ALL THE THINGS
* Moar changes
* Actually, go.mod doesn't like minor versions
