For #26382
- Attested the signed Windows Orbit binary instead of the unsigned one.
- For both Fleet desktop and Osquery for macOS and Windows artifacts,
attested the binaries inside archives.
Related to: #31753
Changes:
- Updated the "Deploy Fleet website" workflow to remove the
`website/assets` folder from the website's build slug when the website
deploys.
Ran
```
make update-go version=1.24.6
```
And then updated the `sha256`s manually in the Dockerfiles.
Fixes https://nvd.nist.gov/vuln/detail/CVE-2025-47907
```
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call
to the Scan method of the returned Rows can result in unexpected results if other queries are being
made in parallel. This can result in a race condition that may overwrite the expected results with those
of another query, causing the call to Scan to return either unexpected results from the other
query or an error.
```
Related to: [#31753](https://github.com/fleetdm/fleet/issues/31753)
Changes:
- Updated the "Deploy Fleet website" workflow to push to the Heroku git
repo from a parentless commit that does not contain the full git
history.
Related to: https://github.com/fleetdm/fleet/issues/31720
Changes:
- Commented out the step that builds Storybook in the "Test Fleet
website" and "Deploy Fleet website" workflows. There is an error caused
by an incompatible version of a Storybook dependency that is preventing
these workflows from running.
Fixes #31693
Manually forced a run for MySQL 8.4.6 to validate.
# Checklist for submitter
- Changes not needed since this is not a product change.
## Testing
- [x] Added/updated automated tests
<ins>*🌐 IT and Enablement:*</ins>
- Rename "🌐 Digital Experience" to "🌐 IT and Enablement" dept
- Rename "digital-experience.rituals.yml" to
"it-and-enablement.rituals.yml"
<ins>*🧑‍🚀 People*</ins>
- Create 🧑‍🚀 People dept
- Create "people.rituals.yml"
<ins>*🔭 CEO*</ins> (<= WHY? To maintain the [structure of the
handbook](https://fleetdm.com/handbook/company/leadership#outline-of-departmental-page-structure).)
- Create 🔭 CEO page and link to leadership
- Create ceo.rituals.yml
<ins>*💸 Finance*</ins>
- Renamed label "#g-finance" to ":help-finance" to match the rest of the
departmental labels.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
For #29183
# Checklist for submitter
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
## Summary by CodeRabbit
* **New Features**
* Introduced automated validation workflows for maintained applications
on both macOS and Windows, ensuring apps can be installed, verified, and
uninstalled as expected.
* Added new command-line tool to validate maintained apps, providing
detailed reporting on validation results.
* Enhanced detection and handling of pre-installed applications during
validation.
* Improved post-installation steps for macOS, including quarantine
removal and system refresh.
* **Chores**
* Added new continuous integration workflows to automate application
validation on pull requests for relevant files.
The impetus for this was #31232. Some MDM migrations and enrollments
broke because MDM Enrollment Protocol changes snuck in that we didn't
see.
Now, within 24h of Microsoft publishing changes to the MDM or MDE2
protocols, we will get a GitHub issue to review them.
See #31423 for an example.
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
This attempts to surface load test environment work (e.g. allowing
configuring Cloudfront in a load test environment, or adding
osquery-perf improvements) while spec'ing stories rather than catching
at the QA stage, allowing us to properly estimate effort and parallelize
work.
# Added
- Added kms.tf to support encrypting keys, specifically cloudfront keys.
- Added template/cloudfront.tf.disabled for use in enabling cloudfront.
- Modified ecs-iam.tf to support log-alb.tf, cloudfront.tf policies that
are injected into `local.extra_execution_iam_policies` and `local.iam`.
- Added log-alb.tf to enable logging alb, required by cloudfront.tf.
# Changed
- Modified ecs.tf to support adding of additional secrets from
`local.secrets`.
- Modified firehose.tf to support provider required updates for
deprecated resource configurations.
- Modified init.tf to support `> v5.0` of `hashicorp/aws` provider.
- Modified locals.tf to add `extra_execution_iam_policies`, `iam`,
`software_installers_kms_policy`, `extra_secrets`, secrets, and
`cloudfront_key_basename`, to support cloudfront.
- Modified readme.md with instructions on how to enable cloudfront.tf.
- Modified redis.tf to support provider required updates for deprecated
resource configurations.
- Modified s3.tf to support kms keys and add kms iam.
- Modified terraform version in .github/workflows/tfvalidate.yml - 1.9.0
-> 1.10.4
# Checklist for submitter
- [x] Manual QA for all new/changed functionality
Fixes #29140
Only impacts metrics gathering.
## Summary by CodeRabbit
* **New Features**
* Reviews made by the pull request creator are now filtered out in
addition to bot reviews when viewing pull request review events.
* **Tests**
* Added and updated tests to verify correct filtering of both bot and
pull request creator reviews, including improved logging checks.
Added Grafana query to Engineering Metrics README.md for reference.
## Summary by CodeRabbit
* **Documentation**
* Added a new "Grafana queries" section to the README, providing a
detailed example SQL query for visualizing the "Time to First Review"
metric with dynamic filtering and rolling averages in Grafana
dashboards.
Updating FMA process for adding new apps by internal and external
contributors. Goals:
- A fast-track experience for contributors if the app does not have
complications (don't need to wait for issue prioritization)
- As few handoffs as possible
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
- Adding `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` to dogfood
- Adding creation of secret and secret version for
`FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` value
Fixes #29140
I intended to add a Slack notification but forgot in the previous PR.
## Summary by CodeRabbit
* **Chores**
* Added automated Slack notifications for failed scheduled workflow
runs.
Fixes #29140
This is an engineering initiated story that does not impact product.
This code has been running and manually tested in my own repo:
https://github.com/getvictor/eng-metrics
See
[README.md](https://github.com/fleetdm/fleet/blob/victor/29140-eng-metrics/.github/actions/eng-metrics/README.md)
in this branch for details.
The metrics can be viewed on
https://fleeteng.grafana.net/d/b97a629f-3626-4a28-9781-0fa3c8427897/engineering-metrics
(credentials in 1Password)
## Summary by CodeRabbit
* **New Features**
* Introduced an engineering metrics collection tool that gathers GitHub
metrics (e.g., Time to First Review, Time to Merge) and uploads them to
BigQuery.
* Added support for user group management and product group mapping via
markdown parsing.
* Enabled print-only mode for testing metrics output without uploading
to BigQuery.
* Added automatic handling of bot filtering, weekend-aware time
calculations, and differential syncing of user groups.
* Implemented robust GitHub username validation and retry logic for API
rate limits.
* **Documentation**
* Added comprehensive usage and configuration documentation for the
engineering metrics tool.
* **Chores**
* Added configuration, environment example, and workflow files for
automated metrics collection and testing.
* Specified Node.js version and set up project dependencies and scripts.
* **Tests**
* Added extensive unit and end-to-end test suites to ensure reliability
of metrics collection, configuration, and integrations.
## Summary by CodeRabbit
* **Chores**
* Added a new workflow to simulate syncing selected secrets to another
repository in dry-run mode. No actual changes will occur during
execution.
Also ensures we run integration tests when docker-compose files used by
`fleetctl preview` are changed, so we don't merge any more test failures
due to those.