Merge branch 'main' into software-installer-package-access

.github/ISSUE_TEMPLATE/story.md

@@ -34,7 +34,8 @@ What else should contributors [keep in mind](https://fleetdm.com/handbook/compan
 ### Product
 - [ ] Reference documentation changes: TODO <!-- Specify references documentation changes at fleetdm.com/docs -->
 - [ ] UI changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the user interface. -->
-- [ ] CLI usage changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the CLI. -->
+- [ ] CLI (fleetctl) usage changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the CLI. -->
+- [ ] YAML changes: TODO <!-- Specify changes as a draft PR to the YAML files doc page and request the API DRI for review (codeowner reviews are not automatically requested for drafts). Remove this checkbox if there are no changes necessary. -->
 - [ ] REST API changes: TODO <!-- Specify changes as a draft PR to the REST API doc page and request the API DRI for review (codeowner reviews are not automatically requested for drafts). Remove this checkbox if there are no changes necessary. Move this item to the engineering list below if engineering will design the API changes. -->
 - [ ] Fleet's agent (fleetd) changes: TODO <!-- Specify changes to fleetd. If the change requires a new Fleet (server) version, consider specifying to only enable this change in new Fleet versions. Remove this checkbox if there are no changes necessary. -->
 - [ ] Permissions changes: TODO <!-- Specify changes as a draft PR to the Manage access doc page. If doc changes aren't necessary, explicitly mention no changes to the doc page. Remove this checkbox if there are no permissions changes. -->

.github/workflows/build-and-push-fleetctl-docker.yml → .github/workflows/build-and-check-fleetctl-docker-and-deps.yml

@@ -1,13 +1,14 @@
-name: Build and push fleetdm/fleetctl Docker image
+name: Build fleetctl docker dependencies and check vulnerabilities
 
-# Manually trigger this workflow for now
 on:
   workflow_dispatch:
     inputs:
       image_tag:
-        description: 'Docker image tag'
+        description: "Docker image tag"
         required: true
         type: string
+  schedule:
+    - cron: "0 6 * * *"
 
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
@@ -23,7 +24,7 @@ permissions:
   contents: read
 
 jobs:
-  docker-push:
+  build-and-check:
     runs-on: ubuntu-latest
     environment: Docker Hub
     permissions:
@@ -46,25 +47,46 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: ${{ vars.GO_VERSION }}
+          go-version-file: 'go.mod'
 
       - name: Install Go Dependencies
         run: make deps-go
 
+      - name: Build fleetdm/wix
+        run: make wix-docker
+
+      - name: Build fleetdm/bomutils
+        run: make bomutils-docker
+
       - name: Build fleetdm/fleetctl
         run: make fleetctl-docker
 
-      - name: Push to Docker
-        run: |
-          docker tag fleetdm/fleetctl fleetdm/fleetctl:${{ inputs.image_tag }}
-          docker push fleetdm/fleetctl:${{ inputs.image_tag }}
+      - name: Run Trivy vulnerability scanner on fleetdm/wix
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+        with:
+          image-ref: "fleetdm/wix"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL"
+
+      - name: Run Trivy vulnerability scanner on fleetdm/bomutils
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+        with:
+          image-ref: "fleetdm/bomutils"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL"
 
-      - name: Push To quay.io
-        id: push-to-quay
-        uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
+      - name: Run Trivy vulnerability scanner on fleetdm/fleetctl
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
         with:
-          image: fleetdm/fleetctl
-          tags: ${{ inputs.image_tag }}
-          registry: quay.io/
-          username: fleetdm+fleetreleaser
-          password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
+          image-ref: "fleetdm/fleetctl"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL"

.github/workflows/build-binaries.yaml

@@ -29,20 +29,20 @@ jobs:
         with:
           egress-policy: audit
 
+      - name: Checkout Code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - name: Install Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: ${{ vars.GO_VERSION }}
+          go-version-file: 'go.mod'
 
       # Set the Node.js version
       - name: Set up Node.js ${{ vars.NODE_VERSION }}
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: ${{ vars.NODE_VERSION }}
 
-      - name: Checkout Code
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-
       - name: JS Dependency Cache
         id: js-cache
         uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2

.github/workflows/build-orbit.yaml

@@ -59,7 +59,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: ${{ vars.GO_VERSION }}
+          go-version-file: 'go.mod'
 
       - name: Build, codesign and notarize orbit
         run: go run ./orbit/tools/build/build.go 

.github/workflows/check-automated-doc.yml

@@ -36,15 +36,16 @@ jobs:
         with:
           egress-policy: audit
 
-      - name: Install Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-        with:
-          go-version: ${{ vars.GO_VERSION }}
       - name: Checkout Code
         uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
         with:
           fetch-depth: 0
 
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: 'go.mod'
+
       - name: Verify golang generated documentation is up-to-date
         run: |
           make generate-doc

.github/workflows/codeql-analysis.yml

@@ -56,7 +56,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
-        go-version: ${{ vars.GO_VERSION }}
+        go-version-file: 'go.mod'
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/deploy-bulk-operations-dashboard.yml

@@ -0,0 +1,89 @@
+name: Deploy app to bulk operations dashboard pipeline on Heroku.
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'ee/bulk-operations-dashboard/**'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: write  # for Git to git push
+    if: ${{ github.repository == 'fleetdm/fleet' }}
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [14.x]
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+    # Configure our access credentials for the Heroku CLI
+    - uses: akhileshns/heroku-deploy@79ef2ae4ff9b897010907016b268fd0f88561820 # v3.6.8
+      with:
+        heroku_api_key: ${{secrets.HEROKU_API_TOKEN_FOR_BOT_USER}}
+        heroku_app_name: "" # this has to be blank or it doesn't work
+        heroku_email: ${{secrets.HEROKU_EMAIL_FOR_BOT_USER}}
+        justlogin: true
+    - run: heroku auth:whoami
+
+    # Set the Node.js version
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+      with:
+        node-version: ${{ matrix.node-version }}
+
+    # Now start building!
+    # > …but first, get a little crazy for a sec and delete the top-level package.json file
+    # > i.e. the one used by the Fleet server.  This is because require() in node will go
+    # > hunting in ancestral directories for missing dependencies, and since some of the
+    # > bundled transpiler tasks sniff for package availability using require(), this trips
+    # > up when it encounters another Node universe in the parent directory.
+    - run: rm -rf package.json package-lock.json node_modules/
+    # > Turns out there's a similar issue with how eslint plugins are looked up, so we
+    # > delete the top level .eslintrc file too.
+    - run: rm -f .eslintrc.js
+    # > And, as a change to the top-level fleetdm/fleet .gitignore on May 2, 2022 revealed,
+    # > we also need to delete the top level .gitignore file too, so that its rules don't
+    # > interfere with the committing and force-pushing we're doing as part of our deploy
+    # > script here.  For more info, see: https://github.com/fleetdm/fleet/pull/5549
+    - run: rm -f .gitignore
+
+    # Get dependencies (including dev deps)
+    - run: cd ee/bulk-operations-dashboard/ && npm install
+
+    # Run sanity checks
+    - run: cd ee/bulk-operations-dashboard/ && npm test
+
+    # Compile assets
+    - run: cd ee/bulk-operations-dashboard/ && npm run build-for-prod
+
+    # Commit newly-built assets locally so we can push them to Heroku below.
+    # (This commit will never be pushed to GitHub- only to Heroku.)
+    # > The local config flags make this work in GitHub's environment.
+    - run: git add ee/bulk-operations-dashboard/.www
+    - run: git -c "user.name=GitHub" -c "user.email=github@example.com" commit -am 'AUTOMATED COMMIT - Deployed the latest, including modified HTML layouts and .sailsrc file that reference minified assets.'
+
+    # Configure the Heroku app we'll be deploying to
+    - run: heroku git:remote -a bulk-operations-dashboard
+    - run: git remote -v
+
+    # Deploy to Heroku (by pushing)
+    # > Since a shallow clone was grabbed, we have to "unshallow" it before forcepushing.
+    - run: echo "Unshallowing local repository…"
+    - run: git fetch --prune --unshallow
+    - run: echo "Deploying branch '${GITHUB_REF##*/}' to Heroku…"
+    - run: git push heroku +${GITHUB_REF##*/}:master
+    - name: 🌐 The dashboard has been deployed
+      run: echo '' && echo '--' && echo 'OK, done.  It should be live momentarily.' && echo '(if you get impatient, check the Heroku dashboard for status)'

.github/workflows/deploy-fleet-website.yml

@@ -64,7 +64,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
-        go-version: ${{ vars.GO_VERSION }}
+        go-version-file: 'go.mod'
 
     # Download top-level dependencies and build Storybook in the website's assets/ folder
     - run: npm install --legacy-peer-deps && npm run build-storybook -- -o ./website/assets/storybook --loglevel verbose

.github/workflows/dogfood-deploy.yml

@@ -51,14 +51,17 @@ jobs:
       - id: fail-on-main
         run: "false"
         if: ${{ github.ref == 'main' }}
+
       - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
         with:
           role-to-assume: ${{env.AWS_IAM_ROLE}}
           aws-region: ${{ env.AWS_REGION }}
+
       - name: Set up Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: ${{ vars.GO_VERSION }}
+          go-version-file: 'go.mod'
+
       - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
         with:
           terraform_version: 1.6.3
@@ -77,6 +80,26 @@ jobs:
         id: plan
         run: terraform plan -no-color
         continue-on-error: true
+      - name: Slack Notification
+        if: success()
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
+        with:
+          payload: |
+            {
+              "text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "🚀 🛠️ Dogfood deploy in progress\nhttps://github.com/fleetdm/fleet/actions/runs/${{  github.run_id }}"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
         # first we'll scale everything down and create the new task definitions
       - name: Terraform Apply
         id: apply

.github/workflows/dogfood-gitops.yml

@@ -69,6 +69,7 @@ jobs:
           DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }}
           DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }}
           DOGFOOD_SSO_METADATA: ${{ secrets.DOGFOOD_SSO_METADATA }}
+          DOGFOOD_MDM_SSO_METADATA_URL: ${{ secrets.DOGFOOD_MDM_SSO_METADATA_URL }}
           DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }}
           DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }}
           DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }}