fleet/.github/workflows/dogfood-gitops.yml

name: 'Apply latest configuration to dogfood with GitOps'

on:
  push:
    branches:
      - main
    paths:
      - 'it-and-security/**'
      - '.github/workflows/dogfood-gitops.yml'
  pull_request:
    paths:
      - 'it-and-security/**'
      - '.github/workflows/dogfood-gitops.yml'
  workflow_dispatch: # allows manual triggering
  schedule:
  - cron: '0 6 * * *' # Nightly 6AM UTC

# Prevent concurrent runs of this workflow, but allow all runs to finish.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

defaults:
  run:
    shell: bash

# Limit permissions of GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  fleet-gitops:
    timeout-minutes: 10
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - name: Checkout our repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Checkout GitOps repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          repository: fleetdm/fleet-gitops
          ref: main
          path: fleet-gitops

      - name: Apply latest configuration to Fleet
        uses: ./fleet-gitops/.github/gitops-action
        with:
          working-directory: ${{ github.workspace }}/fleet-gitops
          dry-run-only: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}
        env:
          FLEET_GITOPS_DIR: ${{ github.workspace }}/it-and-security
          FLEET_URL: https://dogfood.fleetdm.com
          FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
          DOGFOOD_APPLE_BM_DEFAULT_TEAM: "💻 Workstations"
          DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL: ${{ secrets.DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL }}
          DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }}
          DOGFOOD_SSO_METADATA: ${{ secrets.DOGFOOD_SSO_METADATA }}
          DOGFOOD_MDM_SSO_METADATA_URL: ${{ secrets.DOGFOOD_MDM_SSO_METADATA_URL }}
          DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }}
          DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }}
          DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }}
          DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET }}
          DOGFOOD_SERVERS_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_ENROLL_SECRET }}
          DOGFOOD_SERVERS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_CANARY_ENROLL_SECRET }}
          DOGFOOD_EXPLORE_DATA_ENROLL_SECRET: ${{ secrets.DOGFOOD_EXPLORE_DATA_ENROLL_SECRET }}
          DOGFOOD_CALENDAR_API_KEY: ${{ secrets.DOGFOOD_CALENDAR_API_KEY }}
          DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET }}
          DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET }}
          DOGFOOD_COMPANY_OWNED_MOBILE_DEVICES_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_MOBILE_DEVICES_ENROLL_SECRET }}
          DOGFOOD_PERSONAL_MOBILE_DEVICES_ENROLL_SECRET: ${{ secrets.DOGFOOD_PERSONAL_MOBILE_DEVICES_ENROLL_SECRET }}
          FLEET_SECRET_MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
          DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET }}
          DOGFOOD_ACTIVITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_ACTIVITIES_WEBHOOK_URL }}
          DOGFOOD_CALENDAR_WEBHOOK_URL: ${{ secrets.DOGFOOD_CALENDAR_WEBHOOK_URL }}
          DOGFOOD_HOST_STATUS_WEBHOOK_URL: ${{ secrets.DOGFOOD_HOST_STATUS_WEBHOOK_URL }}
          DOGFOOD_END_USER_SSO_METADATA: ${{ secrets.DOGFOOD_END_USER_SSO_METADATA }}
          DOGFOOD_TESTING_AND_QA_ENROLL_SECRET: ${{ secrets.DOGFOOD_TESTING_AND_QA_ENROLL_SECRET }}
          DOGFOOD_OKTA_CA_CERTIFICATE: ${{ secrets.DOGFOOD_OKTA_CA_CERTIFICATE }}

      - name: Notify on Gitops failure
        if: failure() && github.ref_name == 'main'
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {
              "text": "GitOps run failed for ${{ env.RUN_URL }}",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "GitOps run failed on ${{ github.ref_name }}"
                  }
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "For more details see:\n${{ env.RUN_URL }}"
                  }
                }
              ]
            }            
        env:
          RUN_URL: https://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_DOGFOODING_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK