Commit

Fix merge conflict
noahtalerman committed Feb 11, 2025
2 parents 42b4cfe + 360c23d commit 2afb777
Showing 306 changed files with 33,416 additions and 11,128 deletions.
25 changes: 20 additions & 5 deletions .github/ISSUE_TEMPLATE/release-qa.md
Expand Up @@ -197,6 +197,12 @@ Using the migration scripts located in fleet/test/upgrade/

1. Check [this](https://github.com/fleetdm/fleet/labels/~release%20blocker) filter to view all open `~release blocker` tickets.
2. If any are found raise an alarm in the `#help-engineering` and `#g-mdm` (or `#g-endpoint-ops`) channels.
</td><td>pass/fail</td>
<tr><td>Load Tests</td><td>Verify all load test metrics are within acceptable range on final build of RC.</td><td>

1. Check [this Google doc](https://docs.google.com/document/d/1V6QtFzcGDsLnn2PIvGin74DAxdAN_3likjxSssOMMQI/edit?tab=t.0#heading=h.15acjob4ji20) to review load test key metrics and checks.
2. After all expected changes have been merged to the RC branch, set up a load test environment and allow it at least 24hrs of run time.
3. Record metrics in [this spreadsheet](https://docs.google.com/spreadsheets/d/1FOF0ykFVoZ7DJSTfrveip0olfyRQsY9oT1uXCCZmuKc/edit?usp=drive_link) for the load test run.
</td><td>pass/fail</td></tr>
</table>
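Review bot: The `</td><td>pass/fail</td>` line directly above the new `<tr><td>Load Tests</td>` row closes the release-blocker row's cells but carries no `</tr>`, so the Load Tests `<tr>` opens inside an unclosed row. Add `</tr>` to that line so only the final `</td><td>pass/fail</td></tr>` belongs to the new row.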

Expand Down Expand Up @@ -230,14 +236,13 @@ List versions changes for any component updates below:
<table>
<tr><th>Test name</th><th>Step instructions</th><th>Expected result</th><th>pass/fail</td></tr>
<tr><td>$Name</td><td>{what a tester should do}</td><td>{what a tester should see when they do that}</td><td>pass/fail</td></tr>
<tr><td>`fleetd` tests</td>
<tr><td>`fleetd` local testing</td>
<td>
1. Create binaries for Mac, Windows, and Ubuntu running against the `edge` channels and install (--orbit-channel edge, --desktop-channel edge).<br>
2. Work with engineer leading the release to push changes to the `edge` channel.
1. Following [Testing TUF]([url](https://github.com/fleetdm/fleet/blob/main/tools/tuf/test/README.md)) instructions create binaries for Mac, Windows, and Ubuntu using your local TUF repository and install on macOS, Linux, and Windows hosts.<br>
</td>
<td>
1. Confirm the hosts running on the edge channel receive the update and are working correctly.<br>
2. Confirm any new features and/or bug fixes associated with this release are working as intended.
1. Confirm the hosts install with the updated version and are working correctly.<br>
2. Confirm any new features and/or bug fixes associated with this release are working as intended.<br>
</td>
<td>pass/fail</td></tr>
<td>`fleetd` auto-update tests</td>
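Review bot: In step 1 of the `fleetd` local testing row the link is written `[Testing TUF]([url](https://github.com/fleetdm/fleet/blob/main/tools/tuf/test/README.md))`, which nests a placeholder `[url](...)` inside the link target and will not render as a link. It should be `[Testing TUF](https://github.com/fleetdm/fleet/blob/main/tools/tuf/test/README.md)`.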
Expand All @@ -253,6 +258,16 @@ List versions changes for any component updates below:
4. Confirms agents running on `stable` receive the new update.
</td>
<td>pass/fail</td></tr>
<td>`fleetd` tests</td>
<td>
1. Set up a host in your instance to receive updates from the `edge` channels.<br>
2. Work with engineer leading the release to push changes to the `edge` channel.<br>
</td>
<td>
1. Confirm the hosts running on the edge channel receive the update and are working correctly.<br>
2. Confirm any new features and/or bug fixes associated with this release are working as intended.
</td>
<td>pass/fail</td></tr></tr>
</table>
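Review bot: The re-added `fleetd` tests row begins with `<td>`fleetd` tests</td>` and no `<tr>`, and it ends with `<td>pass/fail</td></tr></tr>`, a doubled close. Open the row with `<tr>` and drop the extra `</tr>` so the table stays well-formed.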


4 changes: 2 additions & 2 deletions .github/scripts/dogfood-policy-updater-latest-macos.sh
Expand Up @@ -70,8 +70,8 @@ if [ "$policy_version_number" != "$latest_macos_version" ]; then
echo "$updated_response" > "$temp_file"

# Configure Git
git config --global user.name "$DOGFOOD_GIT_USER_NAME"
git config --global user.email "$DOGFOOD_GIT_USER_EMAIL"
git config --global user.name "$DOGFOOD_AUTOMATION_USER_NAME"
git config --global user.email "$DOGFOOD_AUTOMATION_USER_EMAIL"

# Clone the repository and create a new branch
git clone "https://$DOGFOOD_AUTOMATION_TOKEN@github.com/$REPO_OWNER/$REPO_NAME.git" repo || {
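Review bot: The renamed `DOGFOOD_AUTOMATION_USER_NAME` and `DOGFOOD_AUTOMATION_USER_EMAIL` are passed to `git config` with no check that they are set, so a workflow that still exports the old `DOGFOOD_GIT_USER_*` names would only surface the problem later in the run. A guard such as `: "${DOGFOOD_AUTOMATION_USER_NAME:?}"` ahead of the two `git config` lines fails fast. Separately, the clone line in this hunk's context embeds `$DOGFOOD_AUTOMATION_TOKEN` in the URL, which leaves the token in `repo/.git/config` as the remote URL; supplying it through a credential helper or an `http.extraheader` setting keeps it out of the checkout.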
4 changes: 4 additions & 0 deletions .github/workflows/fleetd-tuf.yml
Expand Up @@ -40,6 +40,10 @@ jobs:
with:
go-version-file: 'go.mod'

- name: Update orbit/old-TUF.md
run: |
make fleetd-old-tuf
- name: Update orbit/TUF.md
run: |
make fleetd-tuf
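Review bot: The new `Update orbit/old-TUF.md` step regenerates a second file, so whichever later step commits the result or opens the PR (not visible in this hunk) needs to pick up `orbit/old-TUF.md` as well as `orbit/TUF.md`; otherwise the output of `make fleetd-old-tuf` is discarded. As a style point, the new step has no blank line before `- name: Update orbit/TUF.md`, unlike the spacing after `go-version-file`.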
2 changes: 1 addition & 1 deletion .github/workflows/generate-desktop-targets.yml
Expand Up @@ -19,7 +19,7 @@ defaults:
shell: bash

env:
FLEET_DESKTOP_VERSION: 1.38.1
FLEET_DESKTOP_VERSION: 1.39.0

permissions:
contents: write
12 changes: 10 additions & 2 deletions Makefile
Expand Up @@ -395,9 +395,17 @@ changelog-chrome:
sh -c "cat new-CHANGELOG.md ee/fleetd-chrome/CHANGELOG.md > tmp-CHANGELOG.md && rm new-CHANGELOG.md && mv tmp-CHANGELOG.md ee/fleetd-chrome/CHANGELOG.md"
sh -c "git rm ee/fleetd-chrome/changes/*"

# Updates the documentation for the currently released versions of fleetd components in Fleet's TUF.
# Updates the documentation for the currently released versions of fleetd components in old Fleet's TUF (tuf.fleetctl.com).
fleetd-old-tuf:
sh -c 'echo "<!-- DO NOT EDIT. This document is automatically generated by running \`make fleetd-old-tuf\`. -->\n# tuf.fleetctl.com\n\nFollowing are the currently deployed versions of fleetd components on the \`stable\` and \`edge\` channel.\n" > orbit/old-TUF.md'
sh -c 'echo "## \`stable\`\n" >> orbit/old-TUF.md'
sh -c 'go run tools/tuf/status/tuf-status.go channel-version -s3-vendor amazon -url https://tuf.fleetctl.com -channel stable -format markdown >> orbit/old-TUF.md'
sh -c 'echo "\n## \`edge\`\n" >> orbit/old-TUF.md'
sh -c 'go run tools/tuf/status/tuf-status.go channel-version -s3-vendor amazon -url https://tuf.fleetctl.com -channel edge -format markdown >> orbit/old-TUF.md'

# Updates the documentation for the currently released versions of fleetd components in Fleet's TUF (updates.fleetdm.com).
fleetd-tuf:
sh -c 'echo "<!-- DO NOT EDIT. This document is automatically generated by running \`make fleetd-tuf\`. -->\n# tuf.fleetctl.com\n\nFollowing are the currently deployed versions of fleetd components on the \`stable\` and \`edge\` channel.\n" > orbit/TUF.md'
sh -c 'echo "<!-- DO NOT EDIT. This document is automatically generated by running \`make fleetd-tuf\`. -->\n# updates.fleetdm.com\n\nFollowing are the currently deployed versions of fleetd components on the \`stable\` and \`edge\` channel.\n" > orbit/TUF.md'
sh -c 'echo "## \`stable\`\n" >> orbit/TUF.md'
sh -c 'go run tools/tuf/status/tuf-status.go channel-version -channel stable -format markdown >> orbit/TUF.md'
sh -c 'echo "\n## \`edge\`\n" >> orbit/TUF.md'
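Review bot: In `fleetd-tuf` the heading now hard-codes `updates.fleetdm.com`, but the `tuf-status.go channel-version -channel stable` call passes no `-url`, so the heading is only right while the tool's default points there; `fleetd-old-tuf` passes `-url https://tuf.fleetctl.com` explicitly. Pass `-url` in `fleetd-tuf` too so the heading and the data cannot drift apart. The new comment reads "in old Fleet's TUF", where "Fleet's old TUF" is probably meant. Both targets also depend on `echo` expanding `\n` under `sh -c`, which varies by shell; `printf` is portable.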
2 changes: 2 additions & 0 deletions articles/cdn-signed-urls.md
@@ -1,5 +1,7 @@
# How to use CloudFront signed URLs with Fleet

*Available in Fleet Premium.*

Fleet [v4.63.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.63.0) allows you to use CloudFront signed URLs for downloading MDM bootstrap packages and software installation packages to your hosts. This speeds up onboarding for organizations that onboard new employees at different headquarters across the world.

CloudFront signed URLs grant access to a specific CloudFront distribution resource and are valid for a specified duration.
22 changes: 11 additions & 11 deletions articles/deploy-fleet-on-aws-with-terraform.md
Expand Up @@ -23,7 +23,7 @@ Remote state can be simple (local state) or complicated (S3, state locking, etc.

### Modules

[Fleet terraform](https://github.com/fleetdm/fleet/tree/main/terraform) is made up of multiple modules. These modules can be used independently, or as group to stand up an opinionated set of infrastructure that we have found success with.
[Fleet terraform](https://github.com/fleetdm/fleet-terraform) is made up of multiple modules. These modules can be used independently, or as group to stand up an opinionated set of infrastructure that we have found success with.

Each module defines the required resource and consumes the next nested module. The root module creates the VPC and then pulls in the `byo-vpc` module configuring it as necessary. The `byo-vpc` module creates the database and cache instances that get passed into the `byo-db` module. And finally the `byo-db` module creates the ECS cluster and load balancer to be consumed by the `byo-ecs` module.
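Review bot: The rewritten link line still reads "or as group"; since the line is being touched anyway, correct it to "or as a group".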

Expand All @@ -45,7 +45,7 @@ terraform {
}
module "fleet" {
source = "github.com/fleetdm/fleet//terraform?ref=main"
source = "github.com/fleetdm/fleet-terraform/?ref=tf-mod-root-v1.11.1"
}
```
This configuration utilizes all the modules Fleet defines with the default configurations. In essence this would provision:
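Review bot: The root-module source is written `github.com/fleetdm/fleet-terraform/?ref=tf-mod-root-v1.11.1`, with a single slash before `?ref`, while the submodule sources in this file use the `//byo-vpc?ref=` form. Confirm that `terraform init` resolves the trailing-slash form, or drop the slash. Moving from `ref=main` to a tag is a good change for reproducible deployments; a commit SHA in `ref` would additionally guard against a tag being moved.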
Expand All @@ -56,7 +56,7 @@ This configuration utilizes all the modules Fleet defines with the default confi
##### Bring your own VPC
```hcl
module "fleet_vpcless" {
source = "github.com/fleetdm/fleet//terraform/byo-vpc?ref=main"
source = "github.com/fleetdm/fleet-terraform//byo-vpc?ref=tf-mod-byo-vpc-v1.12.1"
alb_config = {
subnets = ["public-subnet-789"]
Expand All @@ -76,7 +76,7 @@ This configuration allows you to bring your own VPC, public & private subnets, a
##### Bring only Fleet
```hcl
module "fleet_ecs" {
source = "github.com/fleetdm/fleet//terraform/byo-vpc/byo-db/byo-ecs?ref=main"
source = "github.com/fleetdm/fleet-terraform//byo-vpc/byo-db/byo-ecs?ref=tf-mod-byo-ecs-v1.8.1"
ecs_cluster = "my_ecs_cluster"
vpc_id = "vpc123"
fleet_config = {
Expand Down Expand Up @@ -105,7 +105,7 @@ This configuration assumes you have brought all the required dependencies of Fle


## Infrastructure
https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws
https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws-tf-module

![Architecture Diagram](https://fleetdm.com/images/docs/fleet-aws-reference-arch-diagram-925x886@2x.png)

Expand Down Expand Up @@ -148,7 +148,7 @@ terraform {
}
module "fleet" {
source = "github.com/fleetdm/fleet//terraform?ref=main"
source = "github.com/fleetdm/fleet-terraform/?ref=tf-mod-root-v1.11.1"
fleet_config = {
image = "fleetdm/fleet:v4.36.0" # override default to deploy the image you desire
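Review bot: The context line `image = "fleetdm/fleet:v4.36.0"` now sits directly under a source pinned to `tf-mod-root-v1.11.1`, while other articles in this commit refer to Fleet v4.63.0, so the example pairs a current module release with a much older image. Update the example tag, or state which Fleet versions this module release supports.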
Expand Down Expand Up @@ -191,7 +191,7 @@ resource "aws_route53_record" "main" {
Now we can edit the module declaration:
```hcl
module "fleet" {
source = "github.com/fleetdm/fleet//terraform?ref=main"
source = "github.com/fleetdm/fleet-terraform/?ref=tf-mod-root-v1.11.1"
certificate_arn = module.acm.acm_certificate_arn
fleet_config = {
Expand All @@ -203,7 +203,7 @@ module "fleet" {
We're also going to pull in the auto-migration addon that will ensure Fleet migrations run:
```hcl
module "migrations" {
source = "github.com/fleetdm/fleet//terraform/addons/migrations?ref=main"
source = "github.com/fleetdm/fleet-terraform//addons/migrations?ref=tf-mod-addon-migrations-v2.0.1"
ecs_cluster = module.fleet.byo-vpc.byo-db.byo-ecs.service.cluster
task_definition = module.fleet.byo-vpc.byo-db.byo-ecs.task_definition.family
task_definition_revision = module.fleet.byo-vpc.byo-db.byo-ecs.task_definition.revision
Expand All @@ -224,7 +224,7 @@ terraform {
}
module "fleet" {
source = "github.com/fleetdm/fleet//terraform?ref=main"
source = "github.com/fleetdm/fleet-terraform/?ref=tf-mod-root-v1.11.1"
certificate_arn = module.acm.acm_certificate_arn
fleet_config = {
Expand All @@ -233,7 +233,7 @@ module "fleet" {
}
module "migrations" {
source = "github.com/fleetdm/fleet//terraform/addons/migrations?ref=main"
source = "github.com/fleetdm/fleet-terraform//addons/migrations?ref=tf-mod-addon-migrations-v2.0.1"
ecs_cluster = module.fleet.byo-vpc.byo-db.byo-ecs.service.cluster
task_definition = module.fleet.byo-vpc.byo-db.byo-ecs.task_definition.family
task_definition_revision = module.fleet.byo-vpc.byo-db.byo-ecs.task_definition.revision
Expand Down Expand Up @@ -296,7 +296,7 @@ Let’s say we own `queryops.com` and have an ACM certificate issued to it. We w
To modify Fleet, you can override any of the exposed keys in `fleet_config`. Here is an example:
```hcl
module "fleet" {
source = "github.com/fleetdm/fleet//terraform?ref=main"
source = "github.com/fleetdm/fleet-terraform/?ref=tf-mod-root-v1.11.1"
certificate_arn = module.acm.acm_certificate_arn
fleet_config = {
2 changes: 1 addition & 1 deletion articles/fleet-software-attestation.md
@@ -1,6 +1,6 @@
# Fleet software attestation

As of version 4.63.0 Fleet we will be adding [SLSA attestations](https://slsa.dev/) to our released binaries and container images. This includes the `fleet` and `fleetctl` server software, the Orbit and Fleet Desktop software for hosts, and the `osqueryd` updates periodically downloaded by hosts.
As of version 4.63.0 Fleet added [SLSA attestations](https://slsa.dev/) to our released binaries and container images. This includes the `fleet` and `fleetctl` server software, the fleetd (Orbit, osquery, and Fleet Desktop) agent for hosts.

## What is software attestation?
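Review bot: The rewritten sentence's list has no conjunction: "the `fleet` and `fleetctl` server software, the fleetd (Orbit, osquery, and Fleet Desktop) agent for hosts" needs an "and" before "the fleetd", and "As of version 4.63.0 Fleet added" wants a comma after the version. The old wording also named the `osqueryd` updates periodically downloaded by hosts; if attestations cover those update artifacts, keep that stated, since it is the part a host operator would want to verify.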

10 changes: 5 additions & 5 deletions articles/fleet-terraform-byo-vpc-module.md
Expand Up @@ -107,7 +107,7 @@ locals {
}
module "byo-vpc" {
source = "github.com/fleetdm/fleet//terraform/byo-vpc?ref=tf-mod-byo-vpc-v1.4.0"
source = "github.com/fleetdm/fleet-terraform//byo-vpc?ref=tf-mod-byo-vpc-v1.12.1"
vpc_config = {
vpc_id = module.vpc.vpc_id
networking = {
Expand Down Expand Up @@ -147,7 +147,7 @@ Similar to using the root module, it is recommended to at least include the migr
```hcl
module "migrations" {
source = "github.com/fleetdm/fleet//terraform/addons/migrations?ref=tf-mod-addon-migrations-v1.0.0"
source = "github.com/fleetdm/fleet-terraform//addons/migrations?ref=tf-mod-addon-migrations-v2.0.1"
ecs_cluster = module.byo-vpc.byo-db.byo-ecs.service.cluster
task_definition = module.byo-vpc.byo-db.byo-ecs.task_definition.family
task_definition_revision = module.byo-vpc.byo-db.byo-ecs.task_definition.revision
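Review bot: The migrations addon ref moves from `tf-mod-addon-migrations-v1.0.0` to `tf-mod-addon-migrations-v2.0.1`, a major-version jump, while the `ecs_cluster`, `task_definition` and `task_definition_revision` inputs beneath it are unchanged. Confirm the v2 addon still takes exactly these inputs, or update the example and mention any newly required variables.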
Expand Down Expand Up @@ -237,7 +237,7 @@ module "vpc" {
}
module "byo-vpc" {
source = "github.com/fleetdm/fleet//terraform/byo-vpc?ref=tf-mod-byo-vpc-v1.4.0"
source = "github.com/fleetdm/fleet-terraform//byo-vpc?ref=tf-mod-byo-vpc-v1.12.1"
vpc_config = {
vpc_id = module.vpc.vpc_id
networking = {
Expand Down Expand Up @@ -265,7 +265,7 @@ module "byo-vpc" {
}
module "migrations" {
source = "github.com/fleetdm/fleet//terraform/addons/migrations?ref=tf-mod-addon-migrations-v1.0.0"
source = "github.com/fleetdm/fleet-terraform//addons/migrations?ref=tf-mod-addon-migrations-v2.0.1"
ecs_cluster = module.byo-vpc.byo-db.byo-ecs.service.cluster
task_definition = module.byo-vpc.byo-db.byo-ecs.task_definition.family
task_definition_revision = module.byo-vpc.byo-db.byo-ecs.task_definition.revision
Expand All @@ -286,7 +286,7 @@ terraform apply

```

The BYO-VPC configuration can be fully customized similar to the [Terraform root module](https://github.com/fleetdm/fleet/tree/main/terraform). See the [BYO-VPC reference](https://github.com/fleetdm/fleet/tree/main/terraform/byo-vpc) for a full list of variables.
The BYO-VPC configuration can be fully customized similar to the [Terraform root module](https://github.com/fleetdm/fleet-terraform). See the [BYO-VPC reference](https://github.com/fleetdm/fleet-terraform/tree/main/byo-vpc) for a full list of variables.

<meta name="category" value="guides">
<meta name="authorFullName" value="Robert Fairburn">
16 changes: 13 additions & 3 deletions articles/install-vpp-apps-on-macos-using-fleet.md
Expand Up @@ -33,9 +33,9 @@ To add apps to Fleet, you must first purchase them through Apple Business Manage

3. **Open the "Add software" modal**: Click on the "Add software" button in the top right of the page.

4. **View your available apps**: Click on the "App Store (VPP)" tab in the "Add software" modal. The modal will list the apps that you have purchased through VPP but still need to add to Fleet.
4. **View your available apps**: Click on the "App Store (VPP)" tab in the "Add software" page. The page will list the apps that you have purchased through VPP but still need to add to Fleet.

5. **Add an app**: Select an app from the list. You may optionally check the "Self-Service" box at the bottom left of the modal if you wish for the software to be available for user-initiated installs. Finally, click the "Add software" button in the bottom right of the modal. The app should appear in the software list for the selected team.
5. **Add an app**: Select an app from the list. Select the hosts that you want to target with this app, under "Target". Select "All hosts" if you want the app to be available to all your hosts. Select "Custom" to scope the app to specific groups of hosts based on label membership. You can select "Include any", which will scope the app to hosts that have any of the labels you select, or "Exclude any", which will scope the app to hosts that do _not_ have the selected labels. You may optionally check the "Self-Service" box at the bottom left of the page if you wish for the app to be available for user-initiated installs. Finally, click the "Add software" button in the bottom right of the page. The app should appear in the software list for the selected team.

## Remove the app from Fleet
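Review bot: Steps 4 and 5 now say "page", but step 3 in the context above still reads "Open the "Add software" modal", so the procedure switches terms midway; update step 3 as well. Step 5 has also grown into one long paragraph covering targeting, label scoping and self-service; sub-bullets for "All hosts", "Custom", "Include any" and "Exclude any" would be easier to follow.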

Expand All @@ -45,7 +45,17 @@ To add apps to Fleet, you must first purchase them through Apple Business Manage

3. **Access the app's details page**: Click on the app's name in the table.

4. **Remove the app**: Click on the "Actions" dropdown on the right side of the page. Click "Delete," then click "Delete" on the confirmation modal. Deleting an app will not uninstall the app from the hosts on which it was previously installed.
4. **Remove the app**: Click on the "Actions" dropdown on the right side of the page. Click "Delete", then click "Delete" on the confirmation modal. Deleting an app will not uninstall the app from the hosts on which it was previously installed.

## Edit the app

1. **Navigate to the Software page**: Click "Software" in the main navigation menu.

2. **Find the app you want to remove**: Search for the app using the search bar in the top right corner of the table.

3. **Access the app's details page**: Click on the app's name in the table.

4. **Edit the app**: Click on the "Actions" dropdown on the right side of the page. Click "Edit". In the "Edit software" modal, you can change the hosts that you want to target with the app as well as the app's self-service status.

## Install the app
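Review bot: In the new "Edit the app" section, step 2 is titled "Find the app you want to remove", carried over from the removal section; it should say "edit".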

1 change: 1 addition & 0 deletions changes/22791-redis-default-follow-redirect
@@ -0,0 +1 @@
- Enabled redis cluster follow redierctions by default
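Review bot: Typo in the entry: "redierctions" should be "redirections", and "redis" is normally written "Redis". Suggested text: "Enabled Redis cluster follow redirections by default".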
2 changes: 1 addition & 1 deletion changes/23312-update-policies-empty-state
@@ -1 +1 @@
- Clarified text on the Policies page when no policies exist for the selected team (or All Teams)
- Clarified text on the Policies and Queries pages when no policies/queries exist for the selected team (or All Teams)
1 change: 1 addition & 0 deletions changes/25648-gitops-bootstrap-profile
@@ -0,0 +1 @@
Fixed issue where `fleetctl gitops` was NOT deleting macOS setup experience bootstrap package and enrollment profile. GitOps should clear all settings that are not explicitly set in YAML config files.
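Review bot: This entry has no leading `- `, unlike `changes/22791-redis-default-follow-redirect` and `changes/23312-update-policies-empty-state` in the same commit (`changes/25770-relative-profile-path-in-no-team` has the same gap, and `changes/25662-ij-windows` uses `* `). Use one bullet style so the entries concatenate into a consistent changelog list. The capitalised "NOT" can be plain "not".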
1 change: 1 addition & 0 deletions changes/25662-ij-windows
@@ -0,0 +1 @@
* Resolved false negatives on vulnerabilities for IntelliJ IDEA Community Edition on Windows.
3 changes: 3 additions & 0 deletions changes/25731-mdm-windows-user-scoped
@@ -0,0 +1,3 @@
- Added validations to UI and CLI for Windows MDM profiles; Fleet currently supports only
device-scoped profiles for Windows and will reject user-scoped profiles (i.e. any profile where the LocURI
begins with `./User/Vendor`).
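Review bot: The entry equates user-scoped profiles with "any profile where the LocURI begins with `./User/Vendor`" but does not say how the prefix is matched. State whether the comparison is case-sensitive and whether a single user-scoped LocURI causes the whole profile to be rejected, since that determines what the validation actually blocks.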
1 change: 1 addition & 0 deletions changes/25770-relative-profile-path-in-no-team
@@ -0,0 +1 @@
Fixed parsing of relative paths for MDM profiles in gitops no-team.yml
1 change: 1 addition & 0 deletions changes/25872-fleetctl-update-wine-10
@@ -0,0 +1 @@
- Updated wine to version 10.0 to improve support macOS-to-Windows installer creation on M1 chips.
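Review bot: Missing word in the entry: "to improve support macOS-to-Windows installer creation" should read "to improve support for macOS-to-Windows installer creation".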
1 change: 1 addition & 0 deletions changes/26040-delete-app-reroute-bug
@@ -0,0 +1 @@
- Fleet UI: Properly re-routed deleting a app on no team to no team software page insteal of all teams software page
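Review bot: Two typos in the entry: "a app" should be "an app" and "insteal" should be "instead". The sentence is also hard to parse; something like "after deleting an app on No team, redirect to the No team software page instead of the All teams software page" says the same thing.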
2 changes: 1 addition & 1 deletion charts/fleet/Chart.yaml
Expand Up @@ -4,7 +4,7 @@ name: fleet
keywords:
- fleet
- osquery
version: v6.3.5
version: v6.4.0
home: https://github.com/fleetdm/fleet
sources:
- https://github.com/fleetdm/fleet.git

0 comments on commit 2afb777
