Changes:
- Updated the build-static-content script to only build documentation
pages from the `docs/Get started/`, `docs/Deploy/`,
`docs/Configuration/`, and `docs/REST API/` folders
- Document which keys are supported on which platforms.
- Separate feature request to come up with a cross-platform name for
`macos_setup` is here: https://github.com/fleetdm/fleet/issues/33059
This pull request simplifies and improves the automation for updating
Safari version policies on macOS by switching from a multi-line YAML
query to a single-line query and streamlining the associated update
script. The changes make the update process more robust, easier to
maintain, and less error-prone, especially when parsing and updating the
policy file.
**Policy and script simplification:**
* Converted the `query` field in `update-safari.yml` from a multi-line
YAML block to a single-line statement, reducing complexity and making it
easier to update programmatically.
**Script robustness and maintainability:**
* Updated `.github/scripts/dogfood-policy-updater-latest-safari.sh` to
extract and update the single-line `query` instead of handling a
multi-line block, greatly simplifying the parsing and replacement logic.
[[1]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17L26-R37)
[[2]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17L97-R123)
* Improved error handling for environment variables, requiring only the
essential `DOGFOOD_AUTOMATION_TOKEN` to be set, and clarified error
messages.
* Enhanced validation of the Safari feed response by checking for valid
JSON and explicit API errors using `jq`, making the update process more
reliable.
* Changed the update workflow to write changes directly to the file and
rely on GitHub Actions to create pull requests, removing the script's
own git and PR logic for a cleaner CI/CD process.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves
https://github.com/fleetdm/confidential/issues/11074
This pull request updates the security roles and responsibilities
section in the `handbook/finance/security.md` file. The main change is
the reassignment and consolidation of responsibilities related to
information security oversight and third-party risk management.
**Updates to security roles and responsibilities:**
* The `Head of Security` role has been replaced with the `Head of IT`,
who now assumes all previous responsibilities of the Head of Security,
with the addition of explicit oversight over third-party risk management
and vendor service contract reviews.
* The separate `Head of Digital Workplace & GTM Systems` role,
previously responsible for third-party risk management and vendor
contract review, has been removed, consolidating these responsibilities
under the `Head of IT`.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36644
Randomizes the query so we get a new set of 500 every time, and also
improves the index by adding a priority where clause.
It should fine handle up towards 10.000 filtered entries before becoming
slow, and at most we have seen 2k with a customer.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#31569
Makes ListHostSoftware filter software installers by the team id to
avoid listing failed installs for an installer that is no longer scoped
to the host's team.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#31916
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Script and software installer policy automations now automatically
retry up to three times on failure.
* Retry attempt counters automatically reset when policies transition
from failing to passing state.
* Enhanced attempt tracking for improved monitoring and troubleshooting
of policy automation executions.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This pull request updates several rituals in the
`handbook/it-and-enablement/it-and-enablement.rituals.yml` file to
better reflect current team responsibilities and terminology. The main
changes involve updating labels, task names, and descriptions to align
with the GTM (Go-To-Market) and Solutions Consulting teams instead of IT
& Enablement.
**Label and terminology updates:**
* Changed auto-issue labels from `:help-it-and-enablement` to
`:help-solutions-consulting` or `:gtm-ops` for relevant tasks,
reflecting new team ownership.
[[1]](diffhunk://#diff-483df03958997b79be68a86398698de7a100112403982bedbd85d63803015abaL10-R20)
[[2]](diffhunk://#diff-483df03958997b79be68a86398698de7a100112403982bedbd85d63803015abaL30-R30)
[[3]](diffhunk://#diff-483df03958997b79be68a86398698de7a100112403982bedbd85d63803015abaL66-R66)
* Updated task names and descriptions from "IT & Enablement KPIs" to
"GTM KPIs" for weekly reporting, clarifying the focus of the ritual.
**Repository assignment adjustments:**
* Changed the repository assignment for auto-issues, ensuring tasks are
routed to the appropriate team repositories.
These changes help ensure rituals are accurately assigned and described
according to current team structures and responsibilities.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#13698
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
Fixes#31686.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [ ] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #37271
# Details
Even after patching and verifying #37271 we're still seeing a case of a
host not being successfully paired with the correct SCIM user after
enrolling. Deleting and re-enrolling the host did not fix the issue. See
recent posts in
https://fleetdm.slack.com/archives/C019WG4GH0A/p1765376152824949 for
details.
This PR adds logging to attempt to diagnose the exact issue.
# Checklist for submitter
## Testing
- [X] QA'd all new/changed functionality manually
Enrolled a host locally and saw logs in various scenarios.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #33391
## Testing
- [X] Added/updated automated tests
there's a number of tests for this, if they still pass we're in good
shape
- [X] QA'd all new/changed functionality manually
I tested the front-end successfully, and saw an auto-update go through
on an ipad. Also verified that the activity metadata is correct.
Changes:
- Updated the contact form to have a third form for job applications.
The form is only shown to users who visit the page with the `#apply`
hash.
- Added `deliver-application-submission` an action that sends
information from job application submissions to a zapier webhook.
- Updated the link to the contact form on the open positions template
page to link to /contact#apply
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
This pull request improves the robustness of the
`.github/scripts/dogfood-policy-updater-latest-safari.sh` script for
handling YAML query sections, especially when dealing with indentation
and extracting Safari version numbers. The main changes focus on making
the script more resilient to formatting variations and updating its
logic to match the current query structure.
**Query section handling improvements:**
* Updated the extraction of the `query_section` to correctly handle
indented queries in YAML, ensuring the multiline block is accurately
captured until the next key at the same indentation level.
* Improved the replacement logic for the query section using `awk` to
robustly detect and replace indented query blocks, skipping lines within
the query block until the next key at the same indentation.
**Safari version extraction updates:**
* Modified the logic for extracting Safari 18 and Safari 26 version
numbers to use `version LIKE '15.%'` and `version LIKE '26.%'` instead
of the previous `version >= '15.0'` and `version >= '26.0'` checks,
matching the updated query syntax.
**Formatting and documentation:**
* Added comments to clarify the handling of indentation for the new
query section and to document the changes in logic for extracting and
replacing the query block.
[[1]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17R100)
[[2]](diffhunk://#diff-87712030515d50f6a970f044127d52639dac98021cf573f214f8f36cb1273c17R115-R140)
