Merge branch 'main' into docs-v4.64.0

.eslintrc.js

@@ -81,8 +81,7 @@ module.exports = {
     "jsx-a11y/heading-has-content": "off",
     "jsx-a11y/anchor-has-content": "off",
   },
-  overrides: [
-  ],
+  overrides: [],
   settings: {
     "import/resolver": {
       webpack: {

.github/ISSUE_TEMPLATE/bug-report.md

@@ -31,3 +31,4 @@ N/A
 
 <!-- ### 🛠️ To fix -->
 <!-- If this bug requires additional product design work, uncomment the heading above and add instructions to fix, Figma link, etc. here once design changes are settled. -->
+<!-- Product designer: _________________________ --> <!-- Who is the product designer to contact if folks have questions about this fix? -->

.github/workflows/build-fleetd-base-msi.yml

@@ -0,0 +1,109 @@
+# This workflow can be used to build a fleetd-base.msi package
+# that can be hosted on a local server to test Autopilot workflows.
+#
+# Output is the fleetd-base.msi itself and the corresponding meta.json.
+# Both files should be served at the stable/ path.
+name: Build and codesign fleetd-base.msi
+
+on:
+  workflow_dispatch: # allow manual action
+    inputs:
+      orbit-channel:
+        description: "TUF channel for the orbit component"
+        required: false
+        default: "stable"
+        type: string
+      osqueryd-channel:
+        description: "TUF channel for the osqueryd component"
+        required: false
+        default: "stable"
+        type: string
+      desktop-channel:
+        description: "TUF channel for the Fleet Desktop component"
+        required: false
+        default: "stable"
+        type: string
+      base-url:
+        description: "URL that will host the generated fleetd-base.msi and meta.json at stable/"
+        required: true
+        type: string
+
+defaults:
+  run:
+    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Install fleetctl
+        run: npm install -g fleetctl
+
+      - name: Build MSI
+        id: build-msi
+        run: |
+          fleetctl package --type msi \
+            --fleet-desktop \
+            --fleet-url dummy \
+            --enroll-secret dummy \
+            --orbit-channel ${{ github.event.inputs.orbit-channel }} \
+            --osqueryd-channel ${{ github.event.inputs.osqueryd-channel }} \
+            --desktop-channel ${{ github.event.inputs.desktop-channel }}
+          mv fleet-osquery*.msi fleetd-base.msi
+
+      - name: Upload fleetd-base.msi for code signing
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
+        with:
+          name: unsigned-windows
+          path: fleetd-base.msi
+
+  code-sign:
+    needs: build
+    uses: ./.github/workflows/code-sign-windows.yml
+    with:
+      filename: fleetd-base.msi
+      upload_name: fleetd-base-msi
+    secrets:
+      DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }}
+      DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }}
+      DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }}
+      DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }}
+      DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }}
+
+  generate:
+    needs: [build, code-sign]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download signed artifact
+        uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
+        with:
+          name: fleetd-base-msi
+
+      - name: Hash fleetd-base.msi
+        run: |
+          echo "fleetd_base_msi_sha256=$(shasum -a 256 fleetd-base.msi | cut -d ' ' -f 1)" >> $GITHUB_ENV
+
+      - name: Generate meta.json
+        run: |
+          
+          echo '{
+            "fleetd_base_msi_url": "${{ github.event.inputs.base-url }}/stable/fleetd-base.msi",
+            "fleetd_base_msi_sha256": "${{ env.fleetd_base_msi_sha256 }}"
+          }' > meta.json
+          : # Check that meta.json is valid
+          jq -e . >/dev/null 2>&1 <<< $(cat meta.json)
+
+      - name: Upload meta.json
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
+        with:
+          name: meta.json
+          path: meta.json

.github/workflows/build-fleetd_tables.yaml

@@ -34,7 +34,7 @@ jobs:
       - name: Build binaries
         run: make fleetd-tables-all
 
-      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: fleetd_tables
           path: fleetd_tables_*

.github/workflows/build-orbit.yaml

@@ -73,7 +73,7 @@ jobs:
           ORBIT_COMMIT: ${{ github.sha }}
 
       - name: Upload orbit
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: orbit
           path: |

.github/workflows/deploy-fleet-website.yml

@@ -31,7 +31,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [16.x]
+        node-version: [20.x]
 
     steps:
     - name: Harden Runner

.github/workflows/dogfood-gitops.yml

@@ -66,7 +66,6 @@ jobs:
           DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }}
           DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }}
           DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }}
-          DOGFOOD_WORKSTATIONS_CANARY_CALENDAR_WEBHOOK_URL: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_CALENDAR_WEBHOOK_URL }}
           DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET }}
           DOGFOOD_SERVERS_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_ENROLL_SECRET }}
           DOGFOOD_SERVERS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_CANARY_ENROLL_SECRET }}
@@ -77,6 +76,9 @@ jobs:
           DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET }}
           FLEET_SECRET_MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
           DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET }}
+          DOGFOOD_ACTIVITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_ACTIVITIES_WEBHOOK_URL }}
+          DOGFOOD_CALENDAR_WEBHOOK_URL: ${{ secrets.DOGFOOD_CALENDAR_WEBHOOK_URL }}
+          DOGFOOD_HOST_STATUS_WEBHOOK_URL: ${{ secrets.DOGFOOD_HOST_STATUS_WEBHOOK_URL }}
 
       - name: Notify on Gitops failure
         if: failure() && github.ref_name == 'main'

.github/workflows/generate-desktop-targets.yml

@@ -19,7 +19,7 @@ defaults:
     shell: bash
 
 env:
-  FLEET_DESKTOP_VERSION: 1.37.0
+  FLEET_DESKTOP_VERSION: 1.38.1
 
 permissions:
   contents: write

.github/workflows/test-js.yml

@@ -58,7 +58,7 @@ jobs:
             **/node_modules
           key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
-            ${{ runner.os }}-modules-
+            ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Install JS Dependencies
         if: steps.js-cache.outputs.cache-hit != 'true'

.github/workflows/test-website.yml

@@ -29,7 +29,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [16.x]
+        node-version: [20.x]
 
     steps:
       - name: Harden Runner

.storybook/main.ts

@@ -53,6 +53,7 @@ const config: StorybookConfig = {
     "@storybook/addon-a11y",
     "@storybook/test-runner",
     "@storybook/addon-designs",
+    "@storybook/addon-webpack5-compiler-babel"
   ],
   typescript: {
     check: false,
@@ -68,9 +69,7 @@ const config: StorybookConfig = {
     name: "@storybook/react-webpack5",
     options: {},
   },
-  docs: {
-    autodocs: true,
-  },
+  docs: {},
 };
 
 export default config;

.storybook/preview.js

@@ -1,9 +1,9 @@
 export const parameters = {
-  actions: { argTypesRegex: "^on[A-Z].*" },
   controls: {
     matchers: {
       color: /(background|color)$/i,
       date: /Date$/,
     },
   },
-}
+};
+export const tags = ["autodocs"];

.vscode/launch.json

@@ -101,6 +101,31 @@
                     "path": "${workspaceFolder}/frontend"
                 }
             ]
+        },
+        {
+            "name": "Jest: test current file",
+            "type": "node",
+            "request": "launch",
+            "program": "${workspaceRoot}/node_modules/.bin/jest",
+            "args": [
+                "--config",
+                "./frontend/test/jest.config.ts",
+                "${relativeFile}"
+            ],
+            "console": "integratedTerminal",
+            "internalConsoleOptions": "neverOpen"
+        },
+        {
+            "name": "Jest: run all tests",
+            "type": "node",
+            "request": "launch",
+            "program": "${workspaceRoot}/node_modules/.bin/jest",
+            "args": [
+                "--config",
+                "./frontend/test/jest.config.ts"
+            ],
+            "console": "integratedTerminal",
+            "internalConsoleOptions": "neverOpen"
         }
     ]
 }

CHANGELOG.md

@@ -1,3 +1,14 @@
+## Fleet 4.62.3 (Jan 24, 2025)
+
+### Bug fixes
+
+* Fixed issue verifying Windows CSP profiles that contain ADMX policies.
+* Archived disk encryption keys when they were created or updated. They were never fully deleted from the database.
+* Fixed issue where some Windows MDM profiles were not sent to hosts when hosts came back online.
+* Removed the resend button for failed Windows disk encryption profiles and added messaging that tells the user that Fleet will automatically retry the profile again.
+* Fixed bug where iOS devices were being removed prematurely by expiration policy.
+* Removed request timeout on bootstrap package uploads for consistency with software package upload endpoints.
+
 ## Fleet 4.62.2 (Jan 17, 2025)
 
 ### Bug fixes

Makefile

@@ -274,16 +274,6 @@ clean: clean-assets
 clean-assets:
 	git clean -fx assets
 
-docker-build-release: xp-fleet xp-fleetctl
-	docker build -t "${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}" .
-	docker tag "${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}" fleetdm/fleet:${VERSION}
-	docker tag "${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}" fleetdm/fleet:latest
-
-docker-push-release: docker-build-release
-	docker push "${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}"
-	docker push fleetdm/fleet:${VERSION}
-	docker push fleetdm/fleet:latest
-
 fleetctl-docker: xp-fleetctl
 	docker build -t fleetdm/fleetctl --platform=linux/amd64 -f tools/fleetctl-docker/Dockerfile .
 

articles/enroll-hosts.md

@@ -331,9 +331,17 @@ Fleetd will send stdout/stderr logs to the following directories:
   - Linux: Orbit and osqueryd stdout/stderr output is sent to syslog (`/var/log/syslog` on Debian systems, `/var/log/messages` on CentOS, and `journalctl -u orbit` on Fedora).
 
 If the `logger_path` agent configuration is set to `filesystem`, fleetd will send osquery's "result" and "status" logs to the following directories:
-  - Windows: C:\Program Files\Orbit\osquery_log
-  - macOS: /opt/orbit/osquery_log
-  - Linux: /opt/orbit/osquery_log
+  - Windows: `C:\Program Files\Orbit\osquery_log`
+  - macOS: `/opt/orbit/osquery_log`
+  - Linux: `/opt/orbit/osquery_log`
+
+The Fleet Desktop log files can be found in the following directories depending on the platform:
+
+  - Linux: `$XDG_STATE_HOME/Fleet or $HOME/.local/state/Fleet`
+  - macOS: `$HOME/Library/Logs/Fleet`
+  - Windows: `%LocalAppData%/Fleet`
+
+The log file name is `fleet-desktop.log`.
 
 ### Using system keystore for enroll secret