Merge branch 'main' into 24470-bash

fleetdm · Jan 23, 2025 · d5be7af · d5be7af
2 parents 76f2fb9 + 07416c2
commit d5be7af
Show file tree

Hide file tree

Showing 326 changed files with 10,590 additions and 8,168 deletions.
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -81,8 +81,7 @@ module.exports = {
     "jsx-a11y/heading-has-content": "off",
     "jsx-a11y/anchor-has-content": "off",
   },
-  overrides: [
-  ],
+  overrides: [],
   settings: {
     "import/resolver": {
       webpack: {

diff --git a/.github/ISSUE_TEMPLATE/story.md b/.github/ISSUE_TEMPLATE/story.md
@@ -2,7 +2,7 @@
 name: 🎟  Story
 about: Specify an iterative change to the Fleet product.  (e.g. "As a user, I want to sign in with SSO.")
 title: ''
-labels: 'story,:product'
+labels: 'story'
 assignees: ''
 
 ---

diff --git a/.github/workflows/build-binaries.yaml b/.github/workflows/build-binaries.yaml
@@ -44,7 +44,7 @@ jobs:
 
       - name: JS Dependency Cache
         id: js-cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             **/node_modules
@@ -56,7 +56,7 @@ jobs:
 
       - name: Go Cache
         id: go-cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           # In order:
           # * Module download cache

diff --git a/.github/workflows/build-fleetd_tables.yaml b/.github/workflows/build-fleetd_tables.yaml
@@ -34,7 +34,7 @@ jobs:
       - name: Build binaries
         run: make fleetd-tables-all
 
-      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: fleetd_tables
           path: fleetd_tables_*
diff --git a/.github/workflows/build-orbit.yaml b/.github/workflows/build-orbit.yaml
@@ -73,7 +73,7 @@ jobs:
           ORBIT_COMMIT: ${{ github.sha }}
 
       - name: Upload orbit
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: orbit
           path: |

diff --git a/.github/workflows/deploy-fleet-website.yml b/.github/workflows/deploy-fleet-website.yml
@@ -31,7 +31,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [16.x]
+        node-version: [20.x]
 
     steps:
     - name: Harden Runner

diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml
@@ -75,8 +75,9 @@ jobs:
           DOGFOOD_COMPLIANCE_EXCLUSIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPLIANCE_EXCLUSIONS_ENROLL_SECRET }}
           DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET }}
           DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET }}
-          MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
+          FLEET_SECRET_MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
           DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_PERSONALLY_OWNED_IPHONES_ENROLL_SECRET }}
+          DOGFOOD_ACTIVITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_ACTIVITIES_WEBHOOK_URL }}
 
       - name: Notify on Gitops failure
         if: failure() && github.ref_name == 'main'

diff --git a/.github/workflows/test-fleetd-chrome.yml b/.github/workflows/test-fleetd-chrome.yml
@@ -41,7 +41,7 @@ jobs:
 
       - name: JS Dependency Cache
         id: js-cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             **/node_modules

diff --git a/.github/workflows/test-js.yml b/.github/workflows/test-js.yml
@@ -52,13 +52,13 @@ jobs:
 
       - name: JS Dependency Cache
         id: js-cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             **/node_modules
           key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
-            ${{ runner.os }}-modules-
+            ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Install JS Dependencies
         if: steps.js-cache.outputs.cache-hit != 'true'
@@ -97,7 +97,7 @@ jobs:
 
       - name: JS Dependency Cache
         id: js-cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             **/node_modules

diff --git a/.github/workflows/test-website.yml b/.github/workflows/test-website.yml
@@ -29,7 +29,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [16.x]
+        node-version: [20.x]
 
     steps:
       - name: Harden Runner

diff --git a/.storybook/main.ts b/.storybook/main.ts
@@ -53,6 +53,7 @@ const config: StorybookConfig = {
     "@storybook/addon-a11y",
     "@storybook/test-runner",
     "@storybook/addon-designs",
+    "@storybook/addon-webpack5-compiler-babel"
   ],
   typescript: {
     check: false,
@@ -68,9 +69,7 @@ const config: StorybookConfig = {
     name: "@storybook/react-webpack5",
     options: {},
   },
-  docs: {
-    autodocs: true,
-  },
+  docs: {},
 };
 
 export default config;
diff --git a/.storybook/preview.js b/.storybook/preview.js
@@ -1,9 +1,9 @@
 export const parameters = {
-  actions: { argTypesRegex: "^on[A-Z].*" },
   controls: {
     matchers: {
       color: /(background|color)$/i,
       date: /Date$/,
     },
   },
-}
+};
+export const tags = ["autodocs"];
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## Fleet 4.62.2 (Jan 17, 2025)
+
+### Bug fixes
+
+* Removed request timeout on bootstrap package uploads for consistency with software package upload endpoints.
+* Fixed bug where iOS devices were being removed prematurely by expiration policy.
+
 ## Fleet 4.62.1 (Jan 14, 2025)
 
 ### Bug fixes

diff --git a/articles/enforce-disk-encryption.md b/articles/enforce-disk-encryption.md
@@ -8,7 +8,7 @@ In Fleet, you can enforce disk encryption for your macOS and Windows hosts, and
 
 When disk encryption is enforced, hosts' disk encryption keys will be stored in Fleet.
 
-For macOS hosts that automatically enroll, disk encryption is enforced during Setup Assistant. For Windows, disk encryption is enforced on the C: volume (default system/OS drive). On Linux, encryption requires user interaction to encrypt the device with LUKS.
+For macOS hosts that automatically enroll, disk encryption is enforced during Setup Assistant. For Windows, disk encryption is enforced on the C: volume (default system/OS drive). For Linux, encryption requires end user interaction.
 
 ## Enforce disk encryption
 
@@ -48,7 +48,7 @@ You can click each status to view the list of hosts for that status.
 
 ## Enforce disk encryption on Linux
 
-Fleet supports Linux Unified Key Setup (LUKS) for encrypting volumes to enforce disk encryption on Ubuntu Linux, Kubuntu Linux, and Fedora Linux devices. Support for Ubuntu 20.04 will be available soon.
+Fleet supports Linux Unified Key Setup (LUKS) for encrypting volumes to enforce disk encryption on Ubuntu Linux, Kubuntu Linux, and Fedora Linux hosts.
 
 1. Share [this step-by-step guide](https://fleetdm.com/learn-more-about/encrypt-linux-device) with end users setting up a work computer running Ubuntu Linux, Kubuntu Linux or Fedora Linux.
 
@@ -76,7 +76,7 @@ How to view the disk encryption key:
 
 ## Migrate macOS hosts
 
-When migrating macOS hosts from another MDM solution, in order to complete the process of encrypting the hard drive and escrowing the key in Fleet, your end users must log out or restart their device.
+When migrating macOS hosts from another MDM solution, in order to complete the process of encrypting the hard drive and escrowing the key in Fleet, your end users must log out or restart their Mac.
 
 Share [these guided instructions](https://fleetdm.com/guides/mdm-migration#how-to-turn-on-disk-encryption) with your end users.
 

diff --git a/articles/enroll-hosts.md b/articles/enroll-hosts.md
@@ -27,6 +27,8 @@ The `--type` flag is used to specify the fleetd installer type.
 
 A `--fleet-url` (Fleet instance URL) and `--enroll-secret` (Fleet enrollment secret) must be specified in order to communicate with Fleet instance.
 
+To build an installer for ARM-based Linux, use the `--arch=arm64` flag with fleetctl.
+
 #### Example
 
 Generate fleetd on macOS (.pkg)

diff --git a/articles/fleet-4.62.0.md b/articles/fleet-4.62.0.md
@@ -22,7 +22,7 @@ Fleet now creates policies automatically when you add a custom package. This eli
 
 ### Hide secrets in configuration profiles and scripts
 
-Fleet ensures that GitHub or GitLab secrets, like API tokens and license keys used in scripts (Shell & PowerShell) and configuration profiles (macOS & Windows), are hidden when viewed or downloaded in Fleet. This protects sensitive information, keeping it secure until it’s deployed to the hosts. Learn more about secrets [here](https://fleetdm.com/guides/secret-variables).
+Fleet ensures that GitHub or GitLab secrets, like API tokens and license keys used in scripts (Shell & PowerShell) and configuration profiles (macOS & Windows), are hidden when viewed or downloaded in Fleet. This protects sensitive information, keeping it secure until it’s deployed to the hosts. Learn more about secrets [here](https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles).
 
 ## Changes
 

diff --git a/articles/fleet-software-attestation.md b/articles/fleet-software-attestation.md
@@ -0,0 +1,17 @@
+# Fleet software attestation
+
+At Fleet, we understand the importance of having a secure software supply chain.  Our core value of 🟣 [Openness](https://fleetdm.com/handbook/company#openness) extends to ensuring that our users can verify the provenance and authenticity of any Fleet software they install.  With that in mind, as of version 4.63.0 Fleet we will be adding [SLSA attestations](https://slsa.dev/) to our released binaries and container images.  This includes the Fleet and Fleetctl server software, the Orbit and Fleet Desktop software for hosts, and the osqueryd updates periodically downloaded by hosts.
+
+## What is software attestation?
+
+A software attestation is a cryptographically-signed statement provided by a software creator that certifies the build process and provenance of one or more software _artifacts_ (which might be files, container images, or other outputs). In other words, it's a promise to our users that the software we're providing was built by us, using a process that they can trust and verify. We utilize the SLSA framework for attestations which you can read more about [here](https://slsa.dev/).  After each release, attestations are added to https://github.com/fleetdm/fleet/attestations.
+
+## Verifying our release artifacts
+
+Any product of a Fleet release can be _verified_ to prove that it was indeed created by Fleet, using the `gh` command line tool from Github.  See the [`gh attestation verify`](https://cli.github.com/manual/gh_attestation_verify) docs for more info.
+
+<meta name="authorGitHubUsername" value="sgress454">
+<meta name="authorFullName" value="Scott Gress">
+<meta name="publishedOn" value="2025-01-14">
+<meta name="articleTitle" value="Fleet software attestation">
+<meta name="category" value="guides">
diff --git a/articles/secret-variables.md b/articles/secret-variables.md