Merge branch 'main' into marko-lisica-patch-3

.github/ISSUE_TEMPLATE/smoke-tests.md

@@ -78,7 +78,7 @@ Using the migration scripts located in fleet/test/upgrade/
 <tr><td>Release blockers</td><td>Verify there are no outstanding release blocking tickets.</td><td>
 
 1. Check [this](https://github.com/fleetdm/fleet/labels/~release%20blocker) filter to view all open `~release blocker` tickets.
-2. If any are found raise an alarm in the `#help-engineering` and `#help-product` channels.
+2. If any are found raise an alarm in the `#help-engineering` and `#help-product-design` channels.
 </td><td>pass/fail</td></tr>
 </table>
 

.github/ISSUE_TEMPLATE/story.md

@@ -32,7 +32,6 @@ assignees: ''
 
 ### Engineering
 - [ ] Database schema migrations: TODO <!-- Specify what changes to the database schema are required. (This willl be used to change migration scripts accordingly.) Remove this checkbox if there are no changes necessary. -->
-- [ ] Documentation changes complete
 
 > ℹ️  Please read this issue carefully and understand it.  Pay [special attention](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) to UI wireframes, especially "dev notes".
 

.github/dependabot.yml

@@ -1,5 +1,90 @@
+# Basic set up for Actions and Docker. Security updates enabled via GitHub settings for other ecosystems.
+
 version: 2
-# updates intentionally left empty, as we were seeing too much volume of PRs, and breakages
-# introduced by dependency version updates. Dependabot will continue to open security-related PRs,
-# but non-security dependency updates must be done manually.
-updates: []
+updates:
+
+# Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    pull-request-branch-name:
+      # Default is "/" which makes "docker tag" fail with
+      # "not a valid repository/tag: invalid reference format".
+      separator: "-"
+    # Add assignees
+    assignees:
+      - "lukeheath"
+
+# Maintain dependencies for Dockerfiles
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    reviewers:
+      - "fleetdm/go"
+      - "fleetdm/infra"
+    pull-request-branch-name:
+      # Default is "/" which makes "docker tag" fail with
+      # "not a valid repository/tag: invalid reference format".
+      separator: "-"
+    # Add assignees
+    assignees:
+      - "fleetdm/go"
+      - "fleetdm/infra"
+
+# Maintain dependencies for website NPM
+  - package-ecosystem: "npm"
+    directory: "/website"
+    labels:
+      - "website"
+    schedule:
+      interval: "daily"
+    # Disable version updates
+    open-pull-requests-limit: 0
+    allow:
+      - dependency-type: "production"
+    reviewers:
+      - "eashaw"
+    pull-request-branch-name:
+      # Default is "/" which makes "docker tag" fail with
+      # "not a valid repository/tag: invalid reference format".
+      separator: "-"
+    assignees:
+      - "eashaw"
+
+# Maintain dependencies for Go
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # Disable version updates
+    open-pull-requests-limit: 0
+    reviewers:
+      - lucasmrod
+    pull-request-branch-name:
+      # Default is "/" which makes "docker tag" fail with
+      # "not a valid repository/tag: invalid reference format".
+      separator: "-"
+    # Add assignees
+    assignees:
+      - lucasmrod
+
+# Maintain dependencies for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # Disable version updates
+    open-pull-requests-limit: 0
+    reviewers:
+      - lukeheath
+    allow:
+      - dependency-type: "production"
+    pull-request-branch-name:
+      # Default is "/" which makes "docker tag" fail with
+      # "not a valid repository/tag: invalid reference format".
+      separator: "-"
+    # Add assignees
+    assignees:
+      - lukeheath

.github/pull_request_template.md

@@ -4,7 +4,7 @@ If some of the following don't apply, delete the relevant line.
 
 - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`.
   See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.
-- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)
+- [ ] Documented any API changes (docs/REST API/rest-api.md or docs/Contributing/API-for-contributors.md)
 - [ ] Documented any permissions changes (docs/Using Fleet/manage-access.md)
 - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
 - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.

.github/workflows/build-and-push-fleetctl-docker.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: 1.21.1
+          go-version: 1.21.3
 
       - name: Install Go Dependencies
         run: make deps-go

.github/workflows/build-binaries.yaml

@@ -27,7 +27,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
-        go-version: 1.21.1
+        go-version: 1.21.3
 
     - name: Checkout Code
       uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

.github/workflows/build-orbit.yaml

@@ -2,9 +2,15 @@ name: Build, Sign and Notarize Orbit for macOS
 
 on:
   workflow_dispatch: # allow manual action
+  push:
+    paths:
+      # The workflow can be triggered by modifying ORBIT_VERSION env.
+      - '.github/workflows/build-orbit.yaml'
   pull_request:
     paths:
       - 'orbit/**.go'
+      # The workflow can be triggered by modifying ORBIT_VERSION env.
+      - '.github/workflows/build-orbit.yaml'
 
 env:
   ORBIT_VERSION: 1.17.0
@@ -47,7 +53,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: 1.21.1
+          go-version: 1.21.3
 
       - name: Build, codesign and notarize orbit
         run: go run ./orbit/tools/build/build.go 

.github/workflows/deploy-fleet-website.yml

@@ -45,6 +45,9 @@ jobs:
         justlogin: true
     - run: heroku auth:whoami
 
+    # Install the heroku-repo plugin in the Heroku CLI
+    - run: heroku plugins:install heroku-repo
+
     # Set the Node.js version
     - name: Use Node.js ${{ matrix.node-version }}
       uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
@@ -89,6 +92,9 @@ jobs:
     # Build the go binary we use to sign APNS certificates in the website/.tools/ folder.
     - run: cd ee/tools/mdm/ && GOOS=linux GOARCH=amd64 go build -o ../../../website/.tools/mdm-gen-cert .
 
+    # Reset the Heroku app's git repo to prevent errors when pushing to the repo. (See https://github.com/fleetdm/fleet/issues/14162 for more details)
+    - run: heroku repo:reset -a production-fleetdm-website
+
     # Commit newly-generated collateral locally so we can push them to Heroku below.
     # (This commit will never be pushed to GitHub- only to Heroku.)
     # > The local config flags make this work in GitHub's environment.

.github/workflows/example-workflow.yaml

@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Apply configuration profiles and updates
-        uses: fleetdm/fleet-mdm-gitops@026ee84a69cb89c869fedbe27c969bf89def418b
+        uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b
         with:
           FLEET_API_TOKEN: $FLEET_API_TOKEN
           FLEET_URL: $FLEET_URL

.github/workflows/fleet-and-orbit.yml

@@ -57,7 +57,7 @@ jobs:
     timeout-minutes: 60
     strategy:
       matrix:
-        go-version: ['^1.21.1']
+        go-version: ['^1.21.3']
         mysql: ['mysql:5.7']
     runs-on: ubuntu-latest
     needs: gen
@@ -161,7 +161,7 @@ jobs:
     timeout-minutes: 60
     strategy:
       matrix:
-        go-version: ['^1.21.1']
+        go-version: ['^1.21.3']
     runs-on: ubuntu-latest
     needs: gen
     steps:
@@ -201,7 +201,7 @@ jobs:
   build-macos-targets:
     strategy:
       matrix:
-        go-version: ['^1.21.1']
+        go-version: ['^1.21.3']
     runs-on: macos-latest
     steps:
 
@@ -243,7 +243,7 @@ jobs:
     timeout-minutes: 60
     strategy:
       matrix:
-        go-version: ['^1.21.1']
+        go-version: ['^1.21.3']
     runs-on: ubuntu-latest
     needs: [gen, build-macos-targets]
     steps:

.github/workflows/generate-desktop-targets.yml

@@ -37,7 +37,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '^1.21.1'
+          go-version: '^1.21.3'
 
       - name: Checkout
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@@ -85,7 +85,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '^1.21.1'
+          go-version: '^1.21.3'
 
       - name: Checkout
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@@ -108,7 +108,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: '^1.21.1'
+          go-version: '^1.21.3'
 
       - name: Checkout
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

.github/workflows/generate-osqueryd-targets.yml

@@ -24,7 +24,7 @@ defaults:
     shell: bash
 
 env:
-  OSQUERY_VERSION: 5.9.1
+  OSQUERY_VERSION: 5.10.1
 
 permissions:
   contents: read

.github/workflows/golangci-lint.yml

@@ -38,7 +38,7 @@ jobs:
       matrix:
         # See #9943, we just need to add windows-latest here once all issues are fixed.
         os: [ubuntu-latest, macos-latest]
-        go-version: ['1.21.1']
+        go-version: ['1.21.3']
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code

.github/workflows/goreleaser-snapshot-fleet.yaml

@@ -2,6 +2,10 @@ name: Docker publish
 
 on:
   push:
+    branches:
+      - 'main'
+      - 'prepare-*'
+      - 'patch-*'
     paths-ignore:
       - 'handbook/**'
       - 'website/**'
@@ -48,7 +52,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: 1.21.1
+          go-version: 1.21.3
 
       - name: Install Dependencies
         run: make deps

.github/workflows/integration.yml

@@ -242,7 +242,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
-        go-version: '^1.21.1'
+        go-version: '^1.21.3'
 
     - name: Checkout Code
       uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

.github/workflows/scorecards-analysis.yml

@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif

.github/workflows/test-db-changes.yml

@@ -33,7 +33,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
-        go-version: '^1.21.1'
+        go-version: '^1.21.3'
     - name: Checkout Code
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
       with:
@@ -82,3 +82,13 @@ jobs:
           fi
           index=$((index+1))
         done
+
+    - name: Prevent hosts foreign keys
+      run: |
+        MATCHES=$(git diff --name-only origin/main | grep "migrations/" | xargs grep -i -E 'references\s*hosts\s*\(\s*id\s*\)' )
+        if [ -n "$MATCHES" ]; then
+          echo "❌ fail: hosts foreign keys are not allowed"
+          echo "$MATCHES"
+          echo "Ref: https://github.com/fleetdm/fleet/blob/main/handbook/engineering/scaling-fleet.md#foreign-keys-and-locking"
+          exit 1
+        fi

.github/workflows/test-go.yaml

@@ -41,7 +41,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        go-version: ['^1.21.1']
+        go-version: ['^1.21.3']
         mysql: ["mysql:5.7.21", "mysql:8.0.28"]
     runs-on: ${{ matrix.os }}
 

.github/workflows/test-native-tooling-packaging.yml

@@ -41,7 +41,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest]
-        go-version: ['^1.21.1']
+        go-version: ['^1.21.3']
     runs-on: ${{ matrix.os }}
 
     steps:

.github/workflows/test-packaging.yml

@@ -43,7 +43,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest]
-        go-version: ['^1.21.1']
+        go-version: ['^1.21.3']
     runs-on: ${{ matrix.os }}
 
     steps:

.github/workflows/test-yml-specs.yml

@@ -33,7 +33,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        go-version: ['^1.21.1']
+        go-version: ['^1.21.3']
     runs-on: ${{ matrix.os }}
 
     steps:

.storybook/main.ts

@@ -52,7 +52,7 @@ const config: StorybookConfig = {
     "@storybook/addon-mdx-gfm",
     "@storybook/addon-a11y",
     "@storybook/test-runner",
-    "storybook-addon-designs",
+    "@storybook/addon-designs",
   ],
   typescript: {
     check: false,