Resolves#35299.
Triggers on issue create. Tested the same code in
https://github.com/iansltx/fleet/actions/workflows/auto-tag-unreleased-bugs.yml;
check the associated issues on that repo for the comments (or lack
thereof). Grabbed a bunch of issues from this repo to properly catch
edge cases. This only looks at issue body so the titles including
released/unreleased are for testing convenience and have no effect on
whether a comment happens either way.
I expect we'll need to dial this in further but this errs on the side of
categorizing something as unreleased because shipping regressions due to
mis-triage is worse than finding out a bug is released when we weren't
sure to begin with.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
This pull request introduces new configuration profiles to support Okta
conditional access for macOS devices, specifically targeting the
Information Technology department. It also updates the GitHub Actions
workflow to include a new secret for the Okta CA certificate.
Additionally, it removes the `workstations-canary` team configuration,
likely as part of a cleanup or migration.
The most important changes are:
**Conditional Access and Okta Integration:**
* Added a new configuration profile,
`fleet-okta-conditional-access.mobileconfig`, to manage trusted CA
certificates, SCEP enrollment, mTLS identity preferences, and Chrome
mTLS auto-selection for Okta conditional access on macOS. This profile
is applied to devices labeled with "Department: Information Technology".
[[1]](diffhunk://#diff-904aba5588b0d2c8dc325414aa1e8f2cd8a324602ac8e0c1cd2a5dff28db357bR1-R157)
[[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77)
* Added a new configuration profile,
`okta-verify-settings.mobileconfig`, to configure privacy preferences,
managed login items, notification settings, and Okta Verify app settings
for macOS devices in the Information Technology department.
[[1]](diffhunk://#diff-b321656e070ad9cb0727fe7ced60565d88bf31d236ac2642d3192fcb375fa4b2R1-R129)
[[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77)
**Workflow and Secrets Management:**
* Updated the GitHub Actions workflow (`dogfood-gitops.yml`) to include
the `DOGFOOD_OKTA_CA_CERTIFICATE` secret, supporting the new Okta
conditional access configuration.
**Configuration Cleanup:**
* Removed the `workstations-canary.yml` team configuration, eliminating
its policies, software, scripts, and settings.
---------
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
Resolves#38484. This includes a CI job change to make sure we don't
introduce any more env vars that don't get proxied (and thus turned off
outside `--dev`).
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
Manual QA touched hot paths, but did _not_ manually test every
FLEET_DEV_* environment variable change.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Centralized dev-mode environment management for consistent FLEET_DEV_*
handling and test-friendly overrides.
* Dev-mode allows targeted overrides for certain dev-only configuration
when running with --dev.
* **Chores**
* Migrated environment access to the centralized dev-mode helper across
the codebase.
* Added CI checks to enforce proper usage of FLEET_DEV_* variables.
* **Documentation**
* Added guidance on dev-mode environment variable rules and overrides.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Upgraded security protections across build and deployment workflows
for enhanced runner environment hardening.
* Strengthened CI/CD infrastructure security measures throughout
automated processes.
* No direct user-facing changes.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This pull request introduces automation for keeping the Fleet macOS
Safari update policy current, along with a new script for updating
Safari on endpoints. The main changes include a new GitHub Actions
workflow step to run an automated script that checks for the latest
Safari versions, updates the policy YAML if needed, and creates a pull
request with the changes. Additionally, a new endpoint script is added
to perform Safari updates via `softwareupdate`.
**Automation for Safari Policy Updates:**
* Added `.github/scripts/dogfood-policy-updater-latest-safari.sh`, a
script that fetches the latest Safari versions from the SOFA feed,
compares them to the versions in `update-safari.yml`, updates the YAML
if necessary, and automatically creates a pull request with reviewers
assigned.
* Updated `.github/workflows/dogfood-automated-policy-updates.yml` to
add a step that runs the new Safari version update script as part of the
workflow, using the required automation secrets.
**Policy and Endpoint Script Enhancements:**
* Added a new policy to
`it-and-security/lib/macos/policies/update-safari.yml` that checks if
the installed Safari version matches the latest for macOS 15 (Safari
18.6) and macOS 26 (Safari 26.1).
* Introduced `it-and-security/lib/macos/scripts/update-safari.sh`, a
script for endpoints that runs `softwareupdate` with the `--safari-only`
flag, logging the outcome and requiring root privileges.
This pull request improves the robustness and reliability of the script
and workflows that detect changed or new maintained apps in pull
requests. The main focus is on making the detection script pass
validation when the test is triggered but no new FMAs are detected.
**Script robustness and error handling:**
* The `.github/scripts/detect-new-fmas-in-pr.sh` script is updated to
always exit successfully (status 0) when no changes are detected, and
only exit with error (status 1) for critical failures like missing `jq`.
A new `safe_exit` function is introduced to standardize output and
ensure graceful exits.
[[1]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dR7-R11)
[[2]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dL21-R39)
* Improved error handling for missing files, empty variables, and failed
commands throughout the script, including handling cases where
`merge-base`, `git show`, or `jq` fail, and ensuring empty or missing
data does not cause the script to error out.
[[1]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dL32-R66)
[[2]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dR87-R108)
[[3]](diffhunk://#diff-f9bbb0340f504713c99d610f3c64bf281fc13ed3cb8a1c06a5366272c9828a8dL75-R155)
**Workflow improvements:**
* The `test-fma-darwin-pr-only.yml` and `test-fma-windows-pr-only.yml`
workflows are updated to default to "no changes" if the detection step
fails or does not set the expected output, preventing false positives or
workflow failures.
[[1]](diffhunk://#diff-28b30c8601cb7662d59efbfbbcf800cae91455fd3d875627659dced8c1257a24L70-R72)
[[2]](diffhunk://#diff-51641fd1d2cc19348b81fd8310b62ad270ca5082ceddff2d49064e78f126a1eaL76-R78)
This pull request adds support for managing 7-Zip as a maintained
Windows application. The changes include configuration for installation
and uninstallation, workflow updates to handle 7-Zip specifically in CI,
and a new icon for the frontend. These updates ensure that 7-Zip can be
detected, installed, uninstalled, and visually represented in the
software management system.
**Windows workflow and detection updates:**
- Updated `.github/workflows/test-fma-windows-pr-only.yml` to detect
changes related to 7-Zip, set a `has_7zip` output variable, and add a
step to remove pre-installed 7-Zip versions before proceeding with
further app verification. This prevents conflicts with pre-existing
installations during CI runs.
[[1]](diffhunk://#diff-51641fd1d2cc19348b81fd8310b62ad270ca5082ceddff2d49064e78f126a1eaR91)
[[2]](diffhunk://#diff-51641fd1d2cc19348b81fd8310b62ad270ca5082ceddff2d49064e78f126a1eaR102)
[[3]](diffhunk://#diff-51641fd1d2cc19348b81fd8310b62ad270ca5082ceddff2d49064e78f126a1eaR117-R124)
[[4]](diffhunk://#diff-51641fd1d2cc19348b81fd8310b62ad270ca5082ceddff2d49064e78f126a1eaR164-R227)
**7-Zip application configuration:**
- Added `ee/maintained-apps/inputs/winget/7-zip.json` to define 7-Zip as
a maintained app with metadata such as slug, package identifier,
installer type, and categories.
- Added `ee/maintained-apps/outputs/7-zip/windows.json` with version
info, installation and uninstallation scripts, SHA256, and upgrade code
for 7-Zip, enabling automated install/uninstall flows.
- Updated `ee/maintained-apps/outputs/apps.json` to include 7-Zip in the
list of available apps, with a description and unique identifier for
display and selection.
**Frontend icon support:**
- Added a new React SVG icon component for 7-Zip at
`frontend/pages/SoftwarePage/components/icons/7Zip.tsx`.
- Registered the 7-Zip icon in the icon index and mapped it in
`SOFTWARE_NAME_TO_ICON_MAP` to display the icon for 7-Zip in the UI.
[[1]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR7)
[[2]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR224)
This is to avoid a similar issue that we just faced in the future.
The issue was this PR https://github.com/fleetdm/fleet/pull/37118 was
merged, but all checks passed since it was a html file only PR, go tests
did not run. So we did not catch the integration tests asserting content
in these files was broken.
The following PR fixed it: https://github.com/fleetdm/fleet/pull/37196
This PR proposes to add those two files to GO test triggers in CI to
avoid breaking the tests accidentally in the future.
Resolves#36909.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#32999
The `modernize` linter was discussed some time ago in the backend sync.
We wanted to add it but it was not possible.
Now that it has been added to golangci-lint, we are adding it.
golangci-lint has incremental mode, where only changes vs the base
branch are linted. This is nice when adding new linters without needing
to fix the whole codebase. That said, it would be nice to `modernize`
the whole codebase.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#32999
And fixing newly flagged lint issues.
- Updating the FMA workflows to only uninstall Google Chrome if a new
version of Google Chrome is getting tested. Otherwise this step in the
workflow is unnecessary and makes the workflow take longer to finish.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36052
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Automated failure notifications now include detailed error summaries
* Added code coverage reporting and tracking for Android test suites
* Enhanced test logging and artifact collection for improved visibility
into build issues and failures
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36202
Updated how Android agent starts. See README updates.
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Periodic configuration check scheduled every 15 minutes in the Android
agent
* Improved Android management notification handling and app-role support
* **Documentation**
* Updated Android MDM deployment guide with SHA256 fingerprint
instructions and build configuration snippets
* **Chores**
* Added WorkManager and AMAPI SDK for Android; updated Android/Go
tooling and library versions
* **Tests**
* Added unit test coverage for the periodic config worker
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Currently none of our FMA validation runs are completing successfully.
With 100+ FMAs now available in our library. the workflow for validating
new apps is taking over an hour to run and prone to timeouts because it
validates all apps on every pull request, including checking Windows
apps when a new macOS app is submitted. These new workflows validate
only newly added FMAs while keeping the workflows for validating all
apps available for manual runs.
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
We *don't* want to build these off of main because we only update
published versions when security issues come up, so testing against
`main` would cause false negatives.
Related to #35347.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36005
The code changes are just to clean up lint/compile issues. This is still
a scaffold and not production-grade code.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added automatic certificate installation on device boot using
application restrictions.
* **Chores**
* Implemented code formatting and static analysis tools for code
quality.
* Configured automated Android testing pipeline with emulator-based
testing.
* Updated dependencies: Kotlin 2.2.21, Compose framework 2025.11.01, and
other libraries.
* **Style**
* Applied formatting improvements throughout codebase for consistency.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Refactored the macOS and 1Password policy updater scripts to remove
direct git and PR creation logic, delegating these tasks to the GitHub
Actions workflow. Enhanced the workflow to handle git operations, detect
changes, create or close pull requests, and set appropriate permissions
and concurrency. This improves maintainability and centralizes
automation logic within the workflow.
Updated the workflow to use `$GITHUB_OUTPUT` instead of `::set-output`
which follows the pattern used by other workflows in our repo.
The issue was that `$(date +%s)` was treated as a literal string in YAML
which resulted in the branch name `update-testing-qa-apps-$(date +%s)`,
which Git rejected because `$` and parentheses are invalid in branch
names.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Introduces a GitHub Actions workflow and supporting shell script to
automatically update the `fleet_maintained_apps` list in
`testing-and-qa.yml` with new apps from `apps.json`. The workflow runs
on a schedule or manually, installs dependencies, updates the YAML file,
and creates or updates pull requests as needed.
- Removes timestamp from osquery_perf image
- Adds `default: 0` to loadtest osquery_perf workflow, `variable:
loadtest_containers_starting_index`
- Adds `variable: sleep_time` to loadtest osquery_perf workflow
- Adds osquery_perf docker repository in ECR
- Adds support for `sleep_time` to `enroll.sh`
- Updates terraform variables to enforce `git_branch` or `git_tag` for
osquery_perf
- Adds support for `enroll.sh`, to deploy osquery_perf in batches
- Merges variables `tag` and `git_branch` into `git_tag_branch`. Only
one tag or git_branch should be specified.
- Still used for osquery_perf to check out the correct tag/branch.
- Removes fleet_image requirement for cutting osquery_perf images
---------
Co-authored-by: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
