- Adding `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` to dogfood
- Adding creation of secret and secret version for
`FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` value
Fixes#29140
I intended to add a Slack notification but forgot in the previous PR.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added automated Slack notifications for failed scheduled workflow
runs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#29140
This is an engineering initiated story that does not impact product.
This code has been running and manually tested in my own repo:
https://github.com/getvictor/eng-metrics
See
[README.md](https://github.com/fleetdm/fleet/blob/victor/29140-eng-metrics/.github/actions/eng-metrics/README.md)
in this branch for details.
The metrics can be viewed on
https://fleeteng.grafana.net/d/b97a629f-3626-4a28-9781-0fa3c8427897/engineering-metrics
(credentials in 1Password)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced an engineering metrics collection tool that gathers GitHub
metrics (e.g., Time to First Review, Time to Merge) and uploads them to
BigQuery.
* Added support for user group management and product group mapping via
markdown parsing.
* Enabled print-only mode for testing metrics output without uploading
to BigQuery.
* Added automatic handling of bot filtering, weekend-aware time
calculations, and differential syncing of user groups.
* Implemented robust GitHub username validation and retry logic for API
rate limits.
* **Documentation**
* Added comprehensive usage and configuration documentation for the
engineering metrics tool.
* **Chores**
* Added configuration, environment example, and workflow files for
automated metrics collection and testing.
* Specified Node.js version and set up project dependencies and scripts.
* **Tests**
* Added extensive unit and end-to-end test suites to ensure reliability
of metrics collection, configuration, and integrations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added a new workflow to simulate syncing selected secrets to another
repository in dry-run mode. No actual changes will occur during
execution.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Also ensures we run integration tests when docker-compose files used by
`fleetctl preview` are changed, so we don't merge any more test failures
due to those.
CI is failing with:
```
Selecting previously unselected package cloudflared.
(Reading database ... 219352 files and directories currently installed.)
Preparing to unpack cloudflared-linux-amd64.deb ...
Unpacking cloudflared (2025.6.1) ...
Setting up cloudflared (2025.6.1) ...
Processing triggers for man-db (2.12.0-4build2) ...
error parsing tunnel ID: fleet-test-81a7ab03-3e62-43a2-bdc0-8470dbdca600 is neither the ID nor the name of any of your tunnels
Awaiting tunnel ready...
failed to create tunnel: Unknown output format 'default'
Awaiting tunnel ready...
Awaiting tunnel ready...
[...]
```
E.g.:
https://github.com/fleetdm/fleet/actions/runs/15746535584/job/44417207764?pr=30140
It's hard to troubleshoot what's going on with the latest version
without good credentials, so we will pin the version for now as a
workaround.
Update dogfood deployment to utilize webhooks for the osquery results
logging destination configuration
@BCTBB already added a tines.io webhook URL to the repo secrets
`DOGFOOD_WEBHOOK_URL` where the value was provided by @harrisonravazzolo
Co-authored-by: Harrison Ravazzolo <38767391+harrisonravazzolo@users.noreply.github.com>
> closes#26403
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Two new improvements for local TUF after feedback from @iansltx and QA
folks:
1. The static `42` was confusing when making or sharing several builds
of locally built fleetd. Locally TUF-built version of orbit will now be:
`YY.MM.XXXXX`, e.g. `25.5.56178` (patch version is a 16-bit number made
from day, hour and minute).
2. Also prompting user to delete `test_tuf` which is usually a source of
confusion/errors.
For #28902
Modified the GitHub Actions workflow to prevent it from hanging at the
"waiting for mysql..." step. The updated workflow now:
- Times out after 5 minutes of unsuccessful MySQL connection attempts
- Logs all connection attempts with timestamps and error messages when a
timeout occurs
- Dumps MySQL container logs when a timeout occurs, providing valuable
diagnostic information
- Automatically stops and restarts all Docker containers using the same
command as the original "Start Infra Dependencies" step
- Retries this process up to 5 times before failing the job
For #28837.
Fixing this all of this because we got multiple reports from the
community and customers and these were also detected by Amazon
Inspector.
- Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2.
- `docker scout` now fails the daily scheduled action if there are
CRITICAL,HIGH CVEs (we missed setting `exit-code: true`).
- Report CVE-2025-46569 as not affected by it because of our use of
OPA's go package.
- Report CVE-2024-8260 as not affected by it because Fleet doesn't run
on Windows.
- The `security/status.md` shows a lot of changes because we are now
sorting CVEs so that newest come first.
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [ ] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.
Replacing MySQL 8.4 with MySQL 9.X in our regular (every commit) tests
to speed up dev feedback. The MySQL 8.4 tests will still run nightly.
The vulnerability feed download CI fails below are not related to this
change.
For https://github.com/fleetdm/fleet/issues/9943
This will help us avoid issues like this where the log message never
worked right:
https://github.com/fleetdm/fleet/pull/28296#discussion_r2047505191
Most of the changes are no-op type changes like removing unneeded
typecast or disabling gosec on reviewed lines of code
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [x] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
- [x] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- `issuer_uri` and `enable_jit_role_sync` are deprecated (see
https://github.com/fleetdm/fleet/issues/10688)
- Setting `enable_sso_idp_login` to allow testing logins initiated from
Google.
#27275 and #27274
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [x] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
- [x] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
---------
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
This PR makes several improvements to test-go CI job
- remove ZSH dependency from all test suites except for a new `scripts`
suite
- add a `fast` suite that does not have out-of-process dependencies,
which completes in ~1.5 minutes
- contributors can add their fast tests to this suite so they can see
the results in CI faster
- Rename `core` to `main` test suite to be consistent with Makefile. It
is the default bucket for tests.
- Cleaned up Makefile so that it is more straightforward to add new test
suites or move Go packages between suites
- Do not stop the test suites on a fail.
- We do not want to be blocked by a test fail that another product team
introduced
- Sometimes, we want to see all test failures so we can fix them all at
once.
- Removed `test-schema` and `mock` prerequisites for `test-go` since
they are not needed and just take up time.
- But also added `test-schema` run to one of the test suites just in
case.
Unfortunately, `fleetctl` is still the bottleneck and needs to be
refactored. New issue filed:
https://github.com/fleetdm/fleet/issues/27927
## Before
<img width="248" alt="image"
src="https://github.com/user-attachments/assets/110ffc1d-f090-4d3e-be77-0419b9577d20"
/>
## After
<img width="320" alt="image"
src="https://github.com/user-attachments/assets/8d01ea11-408f-4eb6-81d8-9c25410b8830"
/>
Release notes: https://tip.golang.org/doc/go1.24
> Go modules can now track executable dependencies using tool directives
in go.mod. This removes the need for the previous workaround of adding
tools as blank imports to a file conventionally named “tools.go”. The go
tool command can now run these tools in addition to tools shipped with
the Go distribution. For more information see [the
documentation](https://tip.golang.org/doc/modules/managing-dependencies#tools).
The new -tool flag for go get causes a tool directive to be added to the
current module for named packages in addition to adding require
directives.
I ran:
```
go get -tool github.com/fleetdm/fleet/v4/server/goose
go get -tool github.com/kevinburke/go-bindata
go get -tool github.com/quasilyte/go-ruleguard/dsl
go rm tools.go
go mod tidy
```
`make deps-go` was failing in CI because of the removal of `tools.go`
(my guess is that `go get .` was a nop because there was nothing in `.`
to download).
So, taking the chance of removing `deps-go` because `go` will download
packages during the build process. AFAICS there's no need to download
everything beforehand.
For #21396
# Details
This PR updates the automated release cycle for Orbit desktop, so that
it triggers based on a pushed _tag_ rather than a pushed PR. This has
the following benefits:
* The release can be based off of any branch, rather than always using
`main` as the base, so we can safely do patch release of desktop without
including in-progress code from main
* It brings the desktop release process more in line with the main Orbit
release process -- both are now triggered by a tag push.
We still create a PR for the release, to include a changelog.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
## Testing
To do -- will discuss with @lucasmrod
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
When Go version switched from being hardcoded to being based off of the
deps file, Fleet being checked out into a subdir wasn't taken into
account, so FMA ingest jobs started failing. This adds the (hopefully)
correct dir to fix the issue and get FMA ingest working again.
For #27267.
Below is what's shown immediately after selecting an EXE:
<img width="1254" alt="image"
src="https://github.com/user-attachments/assets/a28d8565-de88-448a-bdbc-92aefc34ad55"
/>
TODO:
* Tests
* GitOps requirements changes
* Disabling add button/adding errors when required scripts aren't
specified
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: RachelElysia <rachel@fleetdm.com>
For #26713
# Details
This PR updates Fleet and its related tools and binaries to use Go
version 1.24.1.
Scanning through the changelog, I didn't see anything relevant to Fleet
that requires action. The only possible breaking change I spotted was:
> As [announced](https://tip.golang.org/doc/go1.23#linux) in the Go 1.23
release notes, Go 1.24 requires Linux kernel version 3.2 or later.
Linux kernel 3.2 was released in January of 2012, so I think we can
commit to dropping support for earlier kernel versions.
The new [tools directive](https://tip.golang.org/doc/go1.24#tools) is
interesting as it means we can move away from using `tools.go` files,
but it's not a required update.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Make sure fleetd is compatible with the latest released version of
Fleet
- [x] Orbit runs on macOS ✅ , Linux ✅ and Windows.
- [x] Manual QA must be performed in the three main OSs, macOS ✅,
Windows and Linux ✅.
- Move duplicate scripts out of `scripts/mdm/` and into
`it-and-security/` so we have one version that we can continue to
iterate and improve.
- Remove no longer used scripts out of `scripts/mdm/`
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
We have a scheduled action to create an "Update Fleet-maintained apps"
PR with the latest updates for FMAs. The bot creates a new PR each time,
even if the previous PRs haven't been merged. Since the latest PR will
always have all the latest updates, it's unnecessary to keep the old
ones around. We should have the bot close the old PRs once the new one
is opened. Additionally it was recommended that assignees be added to
the PR.
This PR updates the action to:
1. Find existing "Update Fleet-maintained apps" PRs created by the bot
2. Get the list of Github IDs of the devs on the software product team
3. Creates a new PR as usual, adding the devs as assignees
4. If the new PR is created successfully, closes the old PRs with
comments linking to the new PR
See a successful run
[here](https://github.com/fleetdm/fleet/actions/runs/13977643317/job/39135240445),
+ the resulting PR [here](https://github.com/fleetdm/fleet/pull/27357)
---------
Co-authored-by: Tim Lee <timlee@fleetdm.com>
