Merge branch 'main' into rebeccaui-patch-1

Author: Drew-P-drawers

.eslintrc.js

@@ -81,8 +81,7 @@ module.exports = {
     "jsx-a11y/heading-has-content": "off",
     "jsx-a11y/anchor-has-content": "off",
   },
-  overrides: [
-  ],
+  overrides: [],
   settings: {
     "import/resolver": {
       webpack: {

.github/ISSUE_TEMPLATE/bug-report.md

@@ -31,3 +31,4 @@ N/A
 
 <!-- ### 🛠️ To fix -->
 <!-- If this bug requires additional product design work, uncomment the heading above and add instructions to fix, Figma link, etc. here once design changes are settled. -->
+<!-- Product designer: _________________________ --> <!-- Who is the product designer to contact if folks have questions about this fix? -->

.github/ISSUE_TEMPLATE/release-qa.md

@@ -2,7 +2,7 @@
 name:  Release QA
 about: Checklist of required tests prior to release
 title: 'Release QA:'
-labels: '#g-mdm,#g-endpoint-ops,:release'
+labels: '#g-mdm,#g-orchestration,#g-software:release'
 assignees: 'xpkoala,pezhub,jmwatts'
 
 ---
@@ -27,11 +27,12 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 
 ### Prerequisites
 
-1. `fleetctl preview` is set up and running the desired test version using [`--tag` parameters.](https://github.com/fleetdm/fleet/blob/main/handbook/product.md#manual-qa )
+1. `fleetctl preview` is set up and running the desired test version using [`--tag` parameters.](https://fleetdm.com/handbook/engineering#run-fleet-locally-for-qa-purposes)
 2. Unless you are explicitly testing older browser versions, browser is up to date.
 3. Certificate & flagfile are in place to create new host.
 4. In your browser, clear local storage using devtools.
 
+### Orchestration
 <table>
 <tr><th>Test name</th><th>Step instructions</th><th>Expected result</th><th>pass/fail</td></tr>
 <tr><td>$Name</td><td>{what a tester should do}</td><td>{what a tester should see when they do that}</td><td>pass/fail</td></tr>
@@ -53,20 +54,6 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 3. forget password link prompts for email
 4. valid credentials result in a successful login.
 5. valid sso credentials result in a successful login</td><td>pass/fail</td></tr>
-<tr><td>Query flow</td><td>Create, edit, run, and delete queries. </td><td>
-
-1. permissions regarding creating/editing/deleting queries are up to date with documentation
-2. syntax errors result in error messaging
-3. queries can be run manually 
-</td><td>pass/fail</td></tr>
-<tr><td>Host Flow</td><td>Verify a new host can be added and removed following modal instructions using your own device.</td><td>
-
-1. Host is added via command line
-2. Host serial number and date added are accurate
-3. Host is not visible after it is deleted
-4. Warning and informational modals show when expected and make sense
-</td><td>pass/fail</td></tr>
-
 <tr><td>Packs flow</td><td>Verify management, operation, and logging of ["2017 packs"](https://fleetdm.com/handbook/company/why-this-way#why-does-fleet-support-query-packs).</td><td>
 
 1. Packs successfully run on host machines after migrations 
@@ -82,16 +69,17 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 2. Software, query, policy, and packs logs are successfully sent to Filesystem log destinations
 
 </td><td>pass/fail</td></tr>
+<tr><td>OS settings</td><td>Verify OS settings functionality</td><td>
 
-
-<tr><td>My device page</td><td>Verify the end user's my device page loads successfully.</td><td>
-
-1. Clicking the Fleet desktop item, then "My device" successfully loads the my device page.
-2. The "My device" page is populated correctly and as expected. 
-3. Styling and padding appears correct.
- 
+1. Verify able to configure Disk encryption (macOS, Windows, & Linux).
+2. Verify host enrolled with Disk encryption enforced successfully encrypts.
 </td><td>pass/fail</td></tr>
+</table>
 
+### MDM
+<table>
+<tr><th>Test name</th><th>Step instructions</th><th>Expected result</th><th>pass/fail</td></tr>
+<tr><td>$Name</td><td>{what a tester should do}</td><td>{what a tester should see when they do that}</td><td>pass/fail</td></tr>
 <tr><td>MDM enrollment flow</td><td>Verify MDM enrollments, run MDM commands</td><td>
 
 1. Erase an ADE-eligible macOS host and verify able to complete automated enrollment flow.
@@ -106,45 +94,22 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 3. Turn off MDM on a non ADE-eligible macOS host.
 4. On the My device page, follow the "Turn on MDM" instructions and verify that MDM is turned on.
 </td><td>pass/fail</td></tr>
-
-<tr><td>Scripts</td><td>Verify script library and execution</td><td>
-
-1. Verify able to run a script on all host types from CLI.
-2. Verify scripts library upload/download/delete.
-3. From Host details (macOS, Windows, & Linux) run a script that should PASS, verify.
-4. From Host details (macOS, Windows, & Linux) run a script that should FAIL, verify.
-5. Verify UI loading state and statuses for scripts.
-6. Disable scripts globally and verify unable to run.
-7. Verify scripts display correctly in Activity feed.
-</td><td>pass/fail</td></tr>
-
-<tr><td>Software</td><td>Verify software library and install / download</td><td>
-
-1. Verify software library upload/download/delete.
-2. From Host details (macOS, Windows, & Linux) run an install that should PASS, verify.
-3. From My Device (macOS, Windows, & Linux) software tab should have self-service items available, verify.
-4. Verify UI loading state and statuses for installing software.
-6. Verify software installs display correctly in Activity feed.
-</td><td>pass/fail</td></tr>
-
 <tr><td>OS settings</td><td>Verify OS settings functionality</td><td>
 
-1. Verify able to configure Disk encryption (macOS, Windows, & Linux).
-2. Verify host enrolled with Disk encryption enforced successfully encrypts.
-3. Verify Profiles upload/download/delete (macOS & Windows).
-4. Verify Profiles are delivered to host and applied. 
+1. Verify Profiles upload/download/delete (macOS & Windows).
+2. Verify Profiles are delivered to host and applied. 
 </td><td>pass/fail</td></tr>
 
 <tr><td>Setup experience</td><td>Verify macOS Setup experience</td><td>
 
 1. Configure End user authentication.
-2. Upload a Bootstrap package.
-3. Add software (FMA, VPP, & Custom pkg)
-4. Add a script
-5. Enroll an ADE-eligible macOS host and verify successful authentication.
-6. Verify Bootstrap package is delivered.
-7. Verify SwiftDialogue window displays.
-8. Verify software installs and script runs.
+3. Upload a Bootstrap package.
+4. Add software (FMA, VPP, & Custom pkg)
+5. Add a script
+6. Enroll an ADE-eligible macOS host and verify successful authentication.
+7. Verify Bootstrap package is delivered.
+8. Verify SwiftDialogue window displays.
+9. Verify software installs and script runs.
 </td><td>pass/fail</td></tr>
 
 <tr><td>OS updates</td><td>Verify OS updates flow</td><td>
@@ -161,25 +126,78 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 3. Verify Profiles are delivered to host and applied.
 4. Verify VPP apps install & display correctly in Activity feed.
 
+</td><td>pass/fail</td></tr>
 <tr><td>Certificates Upload</td><td>APNs cert and ABM token renewal workflow</td><td>
 
 1. Renew APNs Certificate.
 2. Renew ABM Token.
 3. Ensure ADE hosts can enroll.
 </td><td>pass/fail</td></tr>
 
+</table>
+
+### Software
+<table>
+<tr><th>Test name</th><th>Step instructions</th><th>Expected result</th><th>pass/fail</td></tr>
+<tr><td>$Name</td><td>{what a tester should do}</td><td>{what a tester should see when they do that}</td><td>pass/fail</td></tr>
+<tr><td>Query flow</td><td>Create, edit, run, and delete queries. </td><td>
+
+1. permissions regarding creating/editing/deleting queries are up to date with documentation
+2. syntax errors result in error messaging
+3. queries can be run manually 
+</td><td>pass/fail</td></tr>
+<tr><td>Host Flow</td><td>Verify a new host can be added and removed following modal instructions using your own device.</td><td>
+
+1. Host is added via command line
+2. Host serial number and date added are accurate
+3. Host is not visible after it is deleted
+4. Warning and informational modals show when expected and make sense
+</td><td>pass/fail</td></tr>
+<tr><td>My device page</td><td>Verify the end user's my device page loads successfully.</td><td>
+
+1. Clicking the Fleet desktop item, then "My device" successfully loads the my device page.
+2. The "My device" page is populated correctly and as expected. 
+3. Styling and padding appears correct.
+ 
+</td><td>pass/fail</td></tr>
+<tr><td>Scripts</td><td>Verify script library and execution</td><td>
+
+1. Verify able to run a script on all host types from CLI.
+2. Verify scripts library upload/download/delete.
+3. From Host details (macOS, Windows, & Linux) run a script that should PASS, verify.
+4. From Host details (macOS, Windows, & Linux) run a script that should FAIL, verify.
+5. Verify UI loading state and statuses for scripts.
+8. Disable scripts globally and verify unable to run.
+9. Verify scripts display correctly in Activity feed.
+</td><td>pass/fail</td></tr>
+
+<tr><td>Software</td><td>Verify software library and install / download</td><td>
+
+1. Verify software library upload/download/delete.
+2. From Host details (macOS, Windows, & Linux) run an install that should PASS, verify.
+3. From My Device (macOS, Windows, & Linux) software tab should have self-service items available, verify.
+4. Verify UI loading state and statuses for installing software.
+7. Verify software installs display correctly in Activity feed.
+</td><td>pass/fail</td></tr>
+
+
 <tr><td>Migration Test</td><td>Verify Fleet can migrate to the next version with no issues.</td><td>
 
 Using the migration scripts located in fleet/test/upgrade/
 1. Run the upgrade_test.go script using the most recent stable version of Fleet and `main`.
 2. Upgrade test returns an 'OK' response.
 </td><td>pass/fail</td></tr>
-  
+</table>
+
+### All Product Groups
+<table>
+ <tr><th>Test name</th><th>Step instructions</th><th>Expected result</th><th>pass/fail</td></tr>
+<tr><td>$Name</td><td>{what a tester should do}</td><td>{what a tester should see when they do that}</td><td>pass/fail</td></tr>
 <tr><td>Release blockers</td><td>Verify there are no outstanding release blocking tickets.</td><td>
 
 1. Check [this](https://github.com/fleetdm/fleet/labels/~release%20blocker) filter to view all open `~release blocker` tickets.
 2. If any are found raise an alarm in the `#help-engineering` and `#g-mdm` (or `#g-endpoint-ops`)  channels.
-</td><td>pass/fail</td></tr>
+</td><td>pass/fail</td></tr> 
 </table>
 
 ### Notes

.github/ISSUE_TEMPLATE/story.md

@@ -2,7 +2,7 @@
 name: 🎟  Story
 about: Specify an iterative change to the Fleet product.  (e.g. "As a user, I want to sign in with SSO.")
 title: ''
-labels: 'story,:product'
+labels: 'story'
 assignees: ''
 
 ---
@@ -48,11 +48,13 @@ What else should contributors [keep in mind](https://fleetdm.com/handbook/compan
 - [ ] Permissions changes: TODO <!-- Specify changes in the Manage access doc page as a PR to the reference docs release branch. If doc changes aren't necessary, explicitly mention no changes to the doc page. Put "No changes" if there are no permissions changes. -->
 - [ ] Changes to paid features or tiers: TODO  <!-- Specify changes in pricing-features-table.yml as a PR to reference docs release branch. Specify "Fleet Free" and/or "Fleet Premium" if there are no changes to the pricing page necessary. -->
 - [ ] Transparency changes: TODO <!-- If there are changes to the personal information Fleet can see on end user workstations, make sure wireframes include changes to the My device page. Also, specify changes as a PR to the fleetdm.com/better (aka Transparency page). Put "No changes" if there are no changes necessary. -->
+- [ ] First draft of test plan added
 - [ ] Other reference documentation changes: TODO <!-- Any other reference doc changes? Specify changes as a PR to reference docs release branch. Put "No changes" if there are no changes necessary. -->
 - [ ] Once shipped, requester has been notified
 - [ ] Once shipped, dogfooding issue has been filed
 
 ### Engineering
+- [ ] Test plan is finalized
 - [ ] Feature guide changes: TODO <!-- Specify if a new feature guide is required at fleetdm.com/guides, or if a previous guide should be updated to reflect feature changes. -->
 - [ ] Database schema migrations: TODO <!-- Specify what changes to the database schema are required. (This will be used to change migration scripts accordingly.) Remove this checkbox if there are no changes necessary. -->
 - [ ] Load testing: TODO  <!-- List any required scalability testing to be conducted.  Remove this checkbox if there is no scalability testing required. -->
@@ -67,9 +69,9 @@ What else should contributors [keep in mind](https://fleetdm.com/handbook/compan
 - Risk level: Low / High TODO <!-- Choose one. Consider: Does this change come with performance risks?  Any risk of accidental log spew? Any particular regressions to watch out for?  Any potential compatibility issues, even if it's not technically a breaking change? -->
 - Risk description: TODO <!-- If the risk level is high, explain why. If low, remove. -->
 
-### Manual testing steps
+### Test plan
 <!-- 
-Add detailed manual testing steps for all affected user roles. 
+Add detailed manual testing steps for all affected user roles.
 -->
 
 1. Step 1
@@ -85,5 +87,5 @@ Add detailed manual testing steps for all affected user roles.
 ### Confirmation
 <!-- The engineer responsible for implementing this user story completes the test plan before moving to the "Ready for QA" column. -->
 
-1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
-2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
+1. [ ] Engineer: Added comment to user story confirming successful completion of test plan.
+2. [ ] QA: Added comment to user story confirming successful completion of test plan.

.github/workflows/build-binaries.yaml

@@ -44,7 +44,7 @@ jobs:
 
       - name: JS Dependency Cache
         id: js-cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             **/node_modules
@@ -56,7 +56,7 @@ jobs:
 
       - name: Go Cache
         id: go-cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           # In order:
           # * Module download cache
@@ -88,7 +88,7 @@ jobs:
       - name: Build binaries
         run: make
 
-      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: build
           path: build/

.github/workflows/build-fleetd-base-pkg.yml

@@ -107,14 +107,14 @@ jobs:
           </plist>' > fleetd-base-manifest.plist
 
       - name: Upload fleetd-base.pkg
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: fleetd-base.pkg
           path: |
             fleetd-base.pkg
 
       - name: Upload fleetd-base-manifest.plist
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: fleetd-base-manifest.plist
           path: |

.github/workflows/build-fleetd_tables.yaml

@@ -34,7 +34,7 @@ jobs:
       - name: Build binaries
         run: make fleetd-tables-all
 
-      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: fleetd_tables
           path: fleetd_tables_*

.github/workflows/build-orbit.yaml

@@ -73,7 +73,7 @@ jobs:
           ORBIT_COMMIT: ${{ github.sha }}
 
       - name: Upload orbit
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: orbit
           path: |

.github/workflows/check-automated-doc.yml

@@ -38,8 +38,6 @@ jobs:
 
       - name: Checkout Code
         uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
-        with:
-          fetch-depth: 0
 
       - name: Install Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
@@ -51,7 +49,8 @@ jobs:
           make generate-doc
           if [[ $(git diff) ]]; then
             echo "❌ fail: uncommited changes"
-            echo "please run `make generate-doc` and commit the changes"
+            echo "please run 'make generate-doc' and commit the changes"
+            git --no-pager diff
             exit 1
           fi
 
@@ -62,6 +61,7 @@ jobs:
           ./node_modules/sails/bin/sails.js run generate-merged-schema
           if [[ $(git diff) ]]; then
             echo "❌ fail: uncommited changes"
-            echo "please run `cd website && npm install && ./node_modules/sails/bin/sails.js run generate-merged-schema` and commit the changes"
+            echo "please run 'cd website && npm install && ./node_modules/sails/bin/sails.js run generate-merged-schema' and commit the changes"
+            git --no-pager diff
             exit 1
           fi

.github/workflows/config/randokiller.json

@@ -5,4 +5,4 @@
   "pkg_to_test": "server/service",
   "tests_to_run": "^TestIntegrationsMDM\\$$",
   "num_tries": 20
-}
+}

.github/workflows/deploy-fleet-website.yml

@@ -31,7 +31,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [16.x]
+        node-version: [20.x]
 
     steps:
     - name: Harden Runner

.github/workflows/dogfood-gitops.yml

@@ -75,8 +75,9 @@ jobs:
           DOGFOOD_COMPLIANCE_EXCLUSIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPLIANCE_EXCLUSIONS_ENROLL_SECRET }}
           DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET }}
           DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET }}
-          MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
+          FLEET_SECRET_MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
           DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET }}
+          DOGFOOD_ACTIVITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_ACTIVITIES_WEBHOOK_URL }}
 
       - name: Notify on Gitops failure
         if: failure() && github.ref_name == 'main'