Merge branch 'main' into 23824-msp-dsah-api-to-list-all-software

fleetdm · Dec 20, 2024 · 2f4eb43 · 2f4eb43
2 parents c03cb24 + ccb44a3
commit 2f4eb43
Show file tree

Hide file tree

Showing 284 changed files with 3,710 additions and 939 deletions.
diff --git a/.github/ISSUE_TEMPLATE/release-qa.md b/.github/ISSUE_TEMPLATE/release-qa.md
@@ -3,7 +3,7 @@ name:  Release QA
 about: Checklist of required tests prior to release
 title: 'Release QA:'
 labels: '#g-mdm,#g-endpoint-ops,:release'
-assignees: 'xpkoala,pezhub'
+assignees: 'xpkoala,pezhub,jmwatts'
 
 ---
 
@@ -111,8 +111,8 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 
 1. Verify able to run a script on all host types from CLI.
 2. Verify scripts library upload/download/delete.
-3. From Host details (Windows and macOS) run a script that should PASS, verify.
-4. From Host details (Windows and macOS) run a script that should FAIL, verify.
+3. From Host details (macOS, Windows, & Linux) run a script that should PASS, verify.
+4. From Host details (macOS, Windows, & Linux) run a script that should FAIL, verify.
 5. Verify UI loading state and statuses for scripts.
 6. Disable scripts globally and verify unable to run.
 7. Verify scripts display correctly in Activity feed.
@@ -121,40 +121,51 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 <tr><td>Software</td><td>Verify software library and install / download</td><td>
 
 1. Verify software library upload/download/delete.
-2. From Host details (Windows and macOS) run an install that should PASS, verify.
-3. From My Device (Windows and macOS) software tab should have self-service items available, verify.
+2. From Host details (macOS, Windows, & Linux) run an install that should PASS, verify.
+3. From My Device (macOS, Windows, & Linux) software tab should have self-service items available, verify.
 4. Verify UI loading state and statuses for installing software.
 6. Verify software installs display correctly in Activity feed.
 </td><td>pass/fail</td></tr>
 
 <tr><td>OS settings</td><td>Verify OS settings functionality</td><td>
 
-1. Verify able to configure Disk encryption.
+1. Verify able to configure Disk encryption (macOS, Windows, & Linux).
 2. Verify host enrolled with Disk encryption enforced successfully encrypts.
 3. Verify Profiles upload/download/delete (macOS & Windows).
-4. Verify profiles are delivered to host and applied. 
+4. Verify Profiles are delivered to host and applied. 
 </td><td>pass/fail</td></tr>
 
 <tr><td>Setup experience</td><td>Verify macOS Setup experience</td><td>
 
 1. Configure End user authentication.
 2. Upload a Bootstrap package.
-3. Enroll an ADE-eligible macOS host and verify successful authentication.
-4. Verify Bootstrap package is delivered.
+3. Add software (FMA, VPP, & Custom pkg)
+4. Add a script
+5. Enroll an ADE-eligible macOS host and verify successful authentication.
+6. Verify Bootstrap package is delivered.
+7. Verify SwiftDialogue window displays.
+8. Verify software installs and script runs.
 </td><td>pass/fail</td></tr>
 
 <tr><td>OS updates</td><td>Verify OS updates flow</td><td>
 
 1. Configure OS updates (macOS & Windows).
-2. Verify on-device that Nudge prompt appears (macOS). 
+2. Verify on-device that Nudge prompt appears (macOS 13).
+3. Verify enforce minimumOS occurs during enrollment (macOS 14+).
 </td><td>pass/fail</td></tr>
 
+<tr><td>iOS/iPadOS</td><td>Verify enrollment, profiles, & software installs</td><td>
 
+1. Verify ADE enrollment.
+2. Verify OTA enrollment.
+3. Verify Profiles are delivered to host and applied.
+4. Verify VPP apps install & display correctly in Activity feed.
+
 <tr><td>Certificates Upload</td><td>APNs cert and ABM token renewal workflow</td><td>
 
 1. Renew APNs Certificate.
 2. Renew ABM Token.
-3. Ensure ADE host can enroll.
+3. Ensure ADE hosts can enroll.
 </td><td>pass/fail</td></tr>
 
 <tr><td>Migration Test</td><td>Verify Fleet can migrate to the next version with no issues.</td><td>

diff --git a/.github/scripts/update_osquery_versions.py b/.github/scripts/update_osquery_versions.py
@@ -1,15 +1,21 @@
 import os
-import requests
 import re
+import json
+import http.client
 
 # Use GITHUB_WORKSPACE to get the root of your repository
 repo_root = os.environ.get('GITHUB_WORKSPACE', '')
 FILE_PATH = os.path.join(repo_root, 'frontend', 'utilities', 'constants.tsx')
 
 
 def fetch_osquery_versions():
-    response = requests.get('https://api.github.com/repos/osquery/osquery/releases')
-    releases = response.json()
+    conn = http.client.HTTPSConnection('api.github.com')
+    conn.request('GET', '/repos/osquery/osquery/releases', headers={"User-Agent": "Fleet/osquery-checker"})
+    resp = conn.getresponse()
+    content = resp.read()
+    conn.close()
+    releases = json.loads(content.decode('utf-8'))
+
     return [release['tag_name'] for release in releases if not release['prerelease']]
 
 def update_min_osquery_version_options(new_versions):

diff --git a/.github/workflows/generate-desktop-targets.yml b/.github/workflows/generate-desktop-targets.yml
@@ -22,7 +22,10 @@ env:
   FLEET_DESKTOP_VERSION: 1.37.0
 
 permissions:
-  contents: read
+  contents: write
+  id-token: write
+  attestations: write
+  packages: write
 
 jobs:
   desktop-macos:
@@ -31,7 +34,6 @@ jobs:
     # later, avoiding runtime errors on systems using macOS 13 or newer.
     runs-on: macos-13
     steps:
-
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
@@ -75,6 +77,12 @@ jobs:
           FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
           make desktop-app-tar-gz
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "desktop.app.tar.gz"
+
       - name: Upload desktop.app.tar.gz
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:
@@ -84,7 +92,6 @@ jobs:
   desktop-windows:
     runs-on: ubuntu-latest
     steps:
-
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
@@ -103,6 +110,12 @@ jobs:
           FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
           make desktop-windows
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "fleet-desktop.exe"
+
       - name: Upload fleet-desktop.exe
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:
@@ -125,7 +138,6 @@ jobs:
   desktop-linux:
     runs-on: ubuntu-latest
     steps:
-
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
@@ -144,6 +156,12 @@ jobs:
           FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
           make desktop-linux
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "desktop.tar.gz"
+
       - name: Upload desktop.tar.gz
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:
@@ -153,7 +171,6 @@ jobs:
   desktop-linux-arm64:
     runs-on: ubuntu-latest
     steps:
-
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
@@ -172,6 +189,12 @@ jobs:
           FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
           make desktop-linux-arm64
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: 'desktop.tar.gz'
+
       - name: Upload desktop.tar.gz
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:

diff --git a/.github/workflows/generate-osqueryd-targets.yml b/.github/workflows/generate-osqueryd-targets.yml
@@ -27,7 +27,10 @@ env:
   OSQUERY_VERSION: 5.14.1
 
 permissions:
-  contents: read
+  contents: write
+  id-token: write
+  attestations: write
+  packages: write
 
 jobs:
   generate-macos:
@@ -45,6 +48,12 @@ jobs:
         run: |
           make osqueryd-app-tar-gz out-path=. version=$OSQUERY_VERSION
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "osqueryd.app.tar.gz"
+
       - name: Upload osqueryd.app.tar.gz
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:
@@ -70,6 +79,12 @@ jobs:
           chmod +x ./opt/osquery/bin/osqueryd
           ./opt/osquery/bin/osqueryd --version
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "opt/osquery/bin/osqueryd"
+
       - name: Upload osqueryd for linux
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:
@@ -99,6 +114,12 @@ jobs:
           chmod +x ./opt/osquery/bin/osqueryd
           file ./opt/osquery/bin/osqueryd | grep aarch64
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: "opt/osquery/bin/osqueryd"
+
       - name: Upload osqueryd for linux-arm64
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:
@@ -126,6 +147,12 @@ jobs:
           msiexec /a osquery-${{ env.OSQUERY_VERSION }}.msi /qb TARGETDIR=C:\temp
           C:\temp\osquery\osqueryd\osqueryd.exe --version
 
+      - name: Attest binary
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: C:\temp\osquery\osqueryd\osqueryd.exe
+
       - name: Upload osqueryd for Windows
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:

diff --git a/.github/workflows/goreleaser-fleet.yaml b/.github/workflows/goreleaser-fleet.yaml
@@ -24,6 +24,9 @@ jobs:
     environment: Docker Hub
     permissions:
       contents: write
+      id-token: write
+      attestations: write
+      packages: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -90,7 +93,7 @@ jobs:
       - name: Attest binaries and archives
         uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
         with:
-          subject-path: "dist/fleet*"
+          subject-path: "dist/**"
 
       # Get the commit hash so we can get image digests
       - name: Get the short commit hash
@@ -103,23 +106,23 @@ jobs:
         continue-on-error: true
         id: image_digests
         run: |
-          echo "digest_fleet=$(echo ${{ steps.goreleaser.outputs.artifacts }} | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleet:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
-          echo "digest_fleetctl=$(echo ${{ steps.goreleaser.outputs.artifacts }} | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleetctl:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
+          echo "digest_fleet=$(cat ./dist/artifact.json | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleet:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
+          echo "digest_fleetctl=$(cat ./dist/artifact.json | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleetctl:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
 
       - name: Attest Fleet image
         uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
         continue-on-error: true
         with:
           subject-digest: ${{steps.image_digests.outputs.digest_fleet}}
-          subject-name: "fleetdm/fleet:${{ steps.commit.outputs.short_commit }}"
+          subject-name: "fleetdm/fleet"
           push-to-registry: true
 
       - name: Attest FleetCtl image
         uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
         continue-on-error: true
         with:
           subject-digest: ${{steps.image_digests.outputs.digest_fleetctl}}
-          subject-name: "fleetdm/fleetctl:${{ steps.commit.outputs.short_commit }}"
+          subject-name: "fleetdm/fleetctl"
           push-to-registry: true
 
       - name: Get tag