This pull request updates the logic used to check whether macOS
applications (1Password, Firefox, and Slack) are up to date. The new
queries simplify and improve accuracy by directly identifying outdated
app versions, rather than relying on a combination of existence and
version checks.
**Policy query logic updates:**
* Updated the query in `update-1password.yml` to directly select hosts
with outdated 1Password versions, making the check more precise.
* Updated the query in `update-firefox.yml` to directly select hosts
with outdated Firefox versions, improving accuracy.
* Updated the query in `update-slack.yml` to directly select hosts with
outdated Slack versions, ensuring more reliable detection.
**Script logic update:**
* Changed the query line construction in
`.github/scripts/dogfood-policy-updater-latest-1password-macos.sh` to
match the new logic for identifying outdated 1Password installations.
This pull request simplifies and improves the automation for updating
Safari version policies on macOS by switching from a multi-line YAML
query to a single-line query and streamlining the associated update
script. The changes make the update process more robust, easier to
maintain, and less error-prone, especially when parsing and updating the
policy file.
**Policy and script simplification:**
* Converted the `query` field in `update-safari.yml` from a multi-line
YAML block to a single-line statement, reducing complexity and making it
easier to update programmatically.
**Script robustness and maintainability:**
* Updated `.github/scripts/dogfood-policy-updater-latest-safari.sh` to
extract and update the single-line `query` instead of handling a
multi-line block, greatly simplifying the parsing and replacement logic.
[[1]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17L26-R37)
[[2]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17L97-R123)
* Improved error handling for environment variables, requiring only the
essential `DOGFOOD_AUTOMATION_TOKEN` to be set, and clarified error
messages.
* Enhanced validation of the Safari feed response by checking for valid
JSON and explicit API errors using `jq`, making the update process more
reliable.
* Changed the update workflow to write changes directly to the file and
rely on GitHub Actions to create pull requests, removing the script's
own git and PR logic for a cleaner CI/CD process.
This pull request improves the robustness of the
`.github/scripts/dogfood-policy-updater-latest-safari.sh` script for
handling YAML query sections, especially when dealing with indentation
and extracting Safari version numbers. The main changes focus on making
the script more resilient to formatting variations and updating its
logic to match the current query structure.
**Query section handling improvements:**
* Updated the extraction of the `query_section` to correctly handle
indented queries in YAML, ensuring the multiline block is accurately
captured until the next key at the same indentation level.
* Improved the replacement logic for the query section using `awk` to
robustly detect and replace indented query blocks, skipping lines within
the query block until the next key at the same indentation.
**Safari version extraction updates:**
* Modified the logic for extracting Safari 18 and Safari 26 version
numbers to use `version LIKE '15.%'` and `version LIKE '26.%'` instead
of the previous `version >= '15.0'` and `version >= '26.0'` checks,
matching the updated query syntax.
**Formatting and documentation:**
* Added comments to clarify the handling of indentation for the new
query section and to document the changes in logic for extracting and
replacing the query block.
[[1]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17R100)
[[2]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17R115-R140)
This pull request introduces automation for keeping the Fleet macOS
Safari update policy current, along with a new script for updating
Safari on endpoints. The main changes include a new GitHub Actions
workflow step to run an automated script that checks for the latest
Safari versions, updates the policy YAML if needed, and creates a pull
request with the changes. Additionally, a new endpoint script is added
to perform Safari updates via `softwareupdate`.
**Automation for Safari Policy Updates:**
* Added `.github/scripts/dogfood-policy-updater-latest-safari.sh`, a
script that fetches the latest Safari versions from the SOFA feed,
compares them to the versions in `update-safari.yml`, updates the YAML
if necessary, and automatically creates a pull request with reviewers
assigned.
* Updated `.github/workflows/dogfood-automated-policy-updates.yml` to
add a step that runs the new Safari version update script as part of the
workflow, using the required automation secrets.
**Policy and Endpoint Script Enhancements:**
* Added a new policy to
`it-and-security/lib/macos/policies/update-safari.yml` that checks if
the installed Safari version matches the latest for macOS 15 (Safari
18.6) and macOS 26 (Safari 26.1).
* Introduced `it-and-security/lib/macos/scripts/update-safari.sh`, a
script for endpoints that runs `softwareupdate` with the `--safari-only`
flag, logging the outcome and requiring root privileges.
This pull request improves the robustness and reliability of the script
and workflows that detect changed or new maintained apps in pull
requests. The main focus is on making the detection script pass
validation when the test is triggered but no new FMAs are detected.
**Script robustness and error handling:**
* The `.github/scripts/detect-new-fmas-in-pr.sh` script is updated to
always exit successfully (status 0) when no changes are detected, and
only exit with error (status 1) for critical failures like missing `jq`.
A new `safe_exit` function is introduced to standardize output and
ensure graceful exits.
[[1]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dR7-R11)
[[2]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dL21-R39)
* Improved error handling for missing files, empty variables, and failed
commands throughout the script, including handling cases where
`merge-base`, `git show`, or `jq` fail, and ensuring empty or missing
data does not cause the script to error out.
[[1]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dL32-R66)
[[2]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dR87-R108)
[[3]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dL75-R155)
**Workflow improvements:**
* The `test-fma-darwin-pr-only.yml` and `test-fma-windows-pr-only.yml`
workflows are updated to default to "no changes" if the detection step
fails or does not set the expected output, preventing false positives or
workflow failures.
[[1]](diffhunk://#diff-28b30c8601cb7662d59efbfbbcf800cae91455fd3d875627659dced8c1257a24L70-R72)
[[2]](diffhunk://#diff-51641fd1d2cc19348b81fd8310b62ad270ca5082ceddff2d49064e78f126a1eaL76-R78)
Currently none of our FMA validation runs are completing successfully.
With 100+ FMAs now available in our library. the workflow for validating
new apps is taking over an hour to run and prone to timeouts because it
validates all apps on every pull request, including checking Windows
apps when a new macOS app is submitted. These new workflows validate
only newly added FMAs while keeping the workflows for validating all
apps available for manual runs.
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
Refactored the macOS and 1Password policy updater scripts to remove
direct git and PR creation logic, delegating these tasks to the GitHub
Actions workflow. Enhanced the workflow to handle git operations, detect
changes, create or close pull requests, and set appropriate permissions
and concurrency. This improves maintainability and centralizes
automation logic within the workflow.
Changed file permissions for dogfood-update-testing-qa-apps.sh to make
it executable.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Introduces a GitHub Actions workflow and supporting shell script to
automatically update the `fleet_maintained_apps` list in
`testing-and-qa.yml` with new apps from `apps.json`. The workflow runs
on a schedule or manually, installs dependencies, updates the YAML file,
and creates or updates pull requests as needed.
This is the initial pull request to implement keeping policy logic up to
date automatically. For example, when a new version of macOS releases,
admins don't need to manually update the policy logic for checking
version numbers.
This is currently blocked by this issue: fleetdm/confidential#9470
This is also to support the following issue and demonstrate to customers
a fully automated patch management strategy:
https://github.com/fleetdm/confidential/issues/8825
This current iteration contains a script/workflow that runs every 6
hours to check if a new version of macOS has been released and compares
the version string to what is currently defined in our policy. If it
detects a change, it will automatically create a new branch with the
updated version string and create a pull request to be reviewed before
merging.
Also updates said constant via this script to include 5.15.0. Idea for
this is that including pre-releases as they're published ensures that by
the time the corresponding Fleet release ships we have a current list,
without having to cherry-pick these updates.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
Providing a Helm chart makes it easier for users to deploy to Kubernetes.
I think this is good to go, and I've tested deploying to Kind and GKE using the GKE ingress, sql proxy, and managed certificate, but I haven't tested anything AWS related.
