Fixes#32347
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Added health checks and elapsed-time logging during server startup and
host enrollment in the integration workflow.
- Bug Fixes
- Reduced flakiness by adding bounded login retries and server readiness
verification before proceeding.
- Tests
- Periodic diagnostics for host enrollment status to aid visibility
during runs.
- Chores
- Increased server startup timeout from 10 to 15 minutes in the
integration workflow.
- Minor workflow formatting cleanups for consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For #26382
- Attested the signed Windows Orbit binary instead of the unsigned one.
- For both Fleet desktop and Osquery for macOS and Windows artifacts,
attested the binaries inside archives.
Related to: #31753
Changes:
- Updated the "Deploy Fleet website" workflow to remove the
`website/assets` folder from the website's build slug when the website
deploys.
Ran
```
make update-go version=1.24.6
```
And then updated the `sha256`s manually in the Dockerfiles.
Fixes https://nvd.nist.gov/vuln/detail/CVE-2025-47907
```
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call
to the Scan method of the returned Rows can result in unexpected results if other queries are being
made in parallel. This can result in a race condition that may overwrite the expected results with those
of another query, causing the call to Scan to return either unexpected results from the other
query or an error.
```
Related to: [#31753](https://github.com/fleetdm/fleet/issues/31753)
Changes:
- Updated the "Deploy Fleet website" workflow to push to the Heroku git
repo from a parentless commit that does not contain the full git
history.
Related to: https://github.com/fleetdm/fleet/issues/31720
Changes:
- Commented out the step that builds Storybook in the "Test Fleet
website" and "Deploy Fleet website" workflows. There is an error caused
by an incompatible version of a Storybook dependency that is preventing
these workflows from running.
Fixes#31693
Manually forced a run for MySQL 8.4.6 to validate.
# Checklist for submitter
- Changes not needed since this is not a product change.
## Testing
- [x] Added/updated automated tests
For #29183
# Checklist for submitter
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced automated validation workflows for maintained applications
on both macOS and Windows, ensuring apps can be installed, verified, and
uninstalled as expected.
* Added new command-line tool to validate maintained apps, providing
detailed reporting on validation results.
* Enhanced detection and handling of pre-installed applications during
validation.
* Improved post-installation steps for macOS, including quarantine
removal and system refresh.
* **Chores**
* Added new continuous integration workflows to automate application
validation on pull requests for relevant files.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The impetus for this was #31232 . Some MDM migrations and enrollments
broke because MDM Enrollment Protocol changes snuck in that we didn't
see
Now within 24h of Microsoft publishing changes to the MDM or MDE2
protocols we will get a github issue to review them
See #31423 for an example
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
# Added
- Added kms.tf to support encrypting keys, specifically cloudfront keys.
- Added template/cloudfront.tf.disabled for use in enabling cloudfront.-
Modified ecs-iam.tf to support log-alb.tf, cloudfront.tf policies that
are injected into `local.extra_execution_iam_policies` and `local.iam`.
- Added log-alb.tf to enable logging alb, required by cloudfront.tf.
# Changed
- Modified ecs.tf to support adding of additional secrets from
`local.secrets`.
- Modified firehose.tf to support provider required updates for
deprecated resource configurations.
- Modified init.tf to support `> v5.0` of `hashicorp/aws` provider.
- Modified locals.tf to add `extra_execution_iam_policies`, `iam`,
`software_installers_kms_policy`, `extra_secrets`, secrets, and
`cloudfront_key_basename`, to support cloudfront.
- Modified readme.md with instructions on how to enable cloudfront.tf
- Modified redis.tf to support provider required updates for deprecated
resource configurations
- Modified s3.tf to support kms keys and add kms iam.
- Modified terraform version in .github/workflows/tfvalidate.yml - 1.9.0
-> 1.10.4
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Manual QA for all new/changed functionality
- Adding `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` to dogfood
- Adding creation of secret and secret version for
`FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` value
Fixes#29140
I intended to add a Slack notification but forgot in the previous PR.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added automated Slack notifications for failed scheduled workflow
runs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#29140
This is an engineering initiated story that does not impact product.
This code has been running and manually tested in my own repo:
https://github.com/getvictor/eng-metrics
See
[README.md](https://github.com/fleetdm/fleet/blob/victor/29140-eng-metrics/.github/actions/eng-metrics/README.md)
in this branch for details.
The metrics can be viewed on
https://fleeteng.grafana.net/d/b97a629f-3626-4a28-9781-0fa3c8427897/engineering-metrics
(credentials in 1Password)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced an engineering metrics collection tool that gathers GitHub
metrics (e.g., Time to First Review, Time to Merge) and uploads them to
BigQuery.
* Added support for user group management and product group mapping via
markdown parsing.
* Enabled print-only mode for testing metrics output without uploading
to BigQuery.
* Added automatic handling of bot filtering, weekend-aware time
calculations, and differential syncing of user groups.
* Implemented robust GitHub username validation and retry logic for API
rate limits.
* **Documentation**
* Added comprehensive usage and configuration documentation for the
engineering metrics tool.
* **Chores**
* Added configuration, environment example, and workflow files for
automated metrics collection and testing.
* Specified Node.js version and set up project dependencies and scripts.
* **Tests**
* Added extensive unit and end-to-end test suites to ensure reliability
of metrics collection, configuration, and integrations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added a new workflow to simulate syncing selected secrets to another
repository in dry-run mode. No actual changes will occur during
execution.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Also ensures we run integration tests when docker-compose files used by
`fleetctl preview` are changed, so we don't merge any more test failures
due to those.
CI is failing with:
```
Selecting previously unselected package cloudflared.
(Reading database ... 219352 files and directories currently installed.)
Preparing to unpack cloudflared-linux-amd64.deb ...
Unpacking cloudflared (2025.6.1) ...
Setting up cloudflared (2025.6.1) ...
Processing triggers for man-db (2.12.0-4build2) ...
error parsing tunnel ID: fleet-test-81a7ab03-3e62-43a2-bdc0-8470dbdca600 is neither the ID nor the name of any of your tunnels
Awaiting tunnel ready...
failed to create tunnel: Unknown output format 'default'
Awaiting tunnel ready...
Awaiting tunnel ready...
[...]
```
E.g.:
https://github.com/fleetdm/fleet/actions/runs/15746535584/job/44417207764?pr=30140
It's hard to troubleshoot what's going on with the latest version
without good credentials, so we will pin the version for now as a
workaround.
Update dogfood deployment to utilize webhooks for the osquery results
logging destination configuration
@BCTBB already added a tines.io webhook URL to the repo secrets
`DOGFOOD_WEBHOOK_URL` where the value was provided by @harrisonravazzolo
Co-authored-by: Harrison Ravazzolo <38767391+harrisonravazzolo@users.noreply.github.com>
> closes#26403
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Two new improvements for local TUF after feedback from @iansltx and QA
folks:
1. The static `42` was confusing when making or sharing several builds
of locally built fleetd. Locally TUF-built version of orbit will now be:
`YY.MM.XXXXX`, e.g. `25.5.56178` (patch version is a 16-bit number made
from day, hour and minute).
2. Also prompting user to delete `test_tuf` which is usually a source of
confusion/errors.
