fleetdm · BCTBB · Aug 11, 2025 · Aug 11, 2025 · Aug 11, 2025 · Aug 11, 2025
diff --git a/.github/ISSUE_TEMPLATE/story.md b/.github/ISSUE_TEMPLATE/story.md
@@ -62,7 +62,7 @@ What else should contributors [keep in mind](https://fleetdm.com/handbook/compan
 - [ ] Feature guide changes: TODO <!-- Specify if a new feature guide is required at fleetdm.com/guides, or if a previous guide should be updated to reflect feature changes. -->
 - [ ] Database schema migrations: TODO <!-- Specify what changes to the database schema are required. (This will be used to change migration scripts accordingly.) Remove this checkbox if there are no changes necessary. -->
 - [ ] Load testing: TODO  <!-- List any required scalability testing to be conducted.  Remove this checkbox if there is no scalability testing required. -->
-- [ ] Load testing/osquery-perf improvements: TODO <-- List, or link a subtask for, any osquery-perf or load test environment changes required to comprehensively load test this story if load testing is needed. -->
+- [ ] Load testing/osquery-perf improvements: TODO <!-- List, or link a subtask for, any osquery-perf or load test environment changes required to comprehensively load test this story if load testing is needed. -->
 
 > ℹ️  Please read this issue carefully and understand it.  Pay [special attention](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) to UI wireframes, especially "dev notes".
 

diff --git a/.github/scripts/dogfood-policy-updater-latest-1password-macos.sh b/.github/scripts/dogfood-policy-updater-latest-1password-macos.sh
@@ -115,9 +115,8 @@ if [ "$policy_version_number" != "$latest_1password_macos_version" ]; then
     # Prepare the reviewers data payload
     reviewers_data=$(jq -n \
         --arg r1 "harrisonravazzolo" \
-        --arg r2 "nonpunctual" \
-        --arg r3 "ddribeiro" \
-        '{reviewers: [$r1, $r2, $r3]}')
+        --arg r2 "tux234" \
+        '{reviewers: [$r1, $r2]}')
 
     # Request reviewers for the pull request
     review_response=$(curl -s -X POST \

diff --git a/.github/scripts/dogfood-policy-updater-latest-macos.sh b/.github/scripts/dogfood-policy-updater-latest-macos.sh
@@ -16,24 +16,25 @@ if [ -z "$DOGFOOD_AUTOMATION_TOKEN" ] || [ -z "$DOGFOOD_AUTOMATION_USER_NAME" ]
 fi
 
 # Function to calculate 4 Sundays from today
-calculate_deadline() {
-    # Get current date
-    current_date=$(date +%Y-%m-%d)
-
-    # Calculate days until next Sunday (0 = Sunday, 1 = Monday, ..., 6 = Saturday)
-    current_day=$(date +%u)  # 1-7 (Monday=1, Sunday=7)
-    days_to_next_sunday=$((7 - current_day))
-    if [ $days_to_next_sunday -eq 0 ]; then
-        days_to_next_sunday=7
-    fi
-
-    # Calculate 4 Sundays from today
-    days_to_deadline=$((days_to_next_sunday + 21))  # 3 more weeks (21 days)
-
-    # Calculate the deadline date
-    deadline_date=$(date -d "$current_date + $days_to_deadline days" +%Y-%m-%d)
-    echo "$deadline_date"
-}
+# COMMENTED OUT: Deadline calculation logic temporarily disabled
+# calculate_deadline() {
+#     # Get current date
+#     current_date=$(date +%Y-%m-%d)
+#     
+#     # Calculate days until next Sunday (0 = Sunday, 1 = Monday, ..., 6 = Saturday)
+#     current_day=$(date +%u)  # 1-7 (Monday=1, Sunday=7)
+#     days_to_next_sunday=$((7 - current_day))
+#     if [ $days_to_next_sunday -eq 0 ]; then
+#         days_to_next_sunday=7
+#     fi
+#     
+#     # Calculate 4 Sundays from today
+#     days_to_deadline=$((days_to_next_sunday + 21))  # 3 more weeks (21 days)
+#     
+#     # Calculate the deadline date
+#     deadline_date=$(date -d "$current_date + $days_to_deadline days" +%Y-%m-%d)
+#     echo "$deadline_date"
+# }
 
 # Function to fetch file content from GitHub
 fetch_file_content() {
@@ -58,26 +59,28 @@ extract_minimum_version() {
 }
 
 # Function to extract current deadline from team file content
-extract_deadline() {
-    local content="$1"
-    local deadline=$(echo "$content" | grep -A 5 "macos_updates:" | grep "deadline:" | sed 's/.*deadline: *"\([^"]*\)".*/\1/')
-    echo "$deadline"
-}
+# COMMENTED OUT: Deadline extraction logic temporarily disabled
+# extract_deadline() {
+#     local content="$1"
+#     local deadline=$(echo "$content" | grep -A 5 "macos_updates:" | grep "deadline:" | sed 's/.*deadline: *"\([^"]*\)".*/\1/')
+#     echo "$deadline"
+# }
 
 # Function to update team file content with new version and deadline
-update_team_file_content() {
-    local content="$1"
-    local new_version="$2"
-    local new_deadline="$3"
-
-    # Update minimum_version
-    content=$(echo "$content" | sed "s/minimum_version: \"[^\"]*\"/minimum_version: \"$new_version\"/")
-
-    # Update deadline
-    content=$(echo "$content" | sed "s/deadline: \"[^\"]*\"/deadline: \"$new_deadline\"/")
-
-    echo "$content"
-}
+# COMMENTED OUT: Team file update logic temporarily disabled
+# update_team_file_content() {
+#     local content="$1"
+#     local new_version="$2"
+#     local new_deadline="$3"
+#     
+#     # Update minimum_version
+#     content=$(echo "$content" | sed "s/minimum_version: \"[^\"]*\"/minimum_version: \"$new_version\"/")
+#     
+#     # Update deadline
+#     content=$(echo "$content" | sed "s/deadline: \"[^\"]*\"/deadline: \"$new_deadline\"/")
+#     
+#     echo "$content"
+# }
 
 # Fetch the latest macOS version
 echo "Fetching latest macOS version..."
@@ -93,7 +96,8 @@ echo "Latest macOS version: $latest_macos_version"
 
 # Initialize update flags
 policy_update_needed=false
-team_updates_needed=false
+# COMMENTED OUT: Team updates flag temporarily disabled
+# team_updates_needed=false
 updates_needed=false
 
 # Check policy file
@@ -127,43 +131,53 @@ if [ "$policy_version_number" != "$latest_macos_version" ]; then
     updates_needed=true
 fi
 
+# COMMENTED OUT: Team files check logic temporarily disabled
 # Check team files
-echo "Checking team files..."
-workstations_content=$(fetch_file_content "$WORKSTATIONS_FILE")
-if [ $? -ne 0 ]; then
-    echo "Warning: Could not fetch workstations file, skipping team updates."
-else
-    workstations_canary_content=$(fetch_file_content "$WORKSTATIONS_CANARY_FILE")
-    if [ $? -ne 0 ]; then
-        echo "Warning: Could not fetch workstations-canary file, skipping team updates."
-    else
-        # Extract current versions and deadlines
-        current_workstations_version=$(extract_minimum_version "$workstations_content")
-        current_workstations_deadline=$(extract_deadline "$workstations_content")
-        current_workstations_canary_version=$(extract_minimum_version "$workstations_canary_content")
-        current_workstations_canary_deadline=$(extract_deadline "$workstations_canary_content")
-
-        echo "Current Workstations minimum_version: $current_workstations_version"
-        echo "Current Workstations deadline: $current_workstations_deadline"
-        echo "Current Workstations (canary) minimum_version: $current_workstations_canary_version"
-        echo "Current Workstations (canary) deadline: $current_workstations_canary_deadline"
-
-        # Calculate new deadline
-        new_deadline=$(calculate_deadline)
-        echo "New deadline (4 Sundays from today): $new_deadline"
-
-        # Check if team updates are needed
-        if [ "$current_workstations_version" != "$latest_macos_version" ] || [ "$current_workstations_deadline" != "$new_deadline" ]; then
-            team_updates_needed=true
-            updates_needed=true
-        fi
-
-        if [ "$current_workstations_canary_version" != "$latest_macos_version" ] || [ "$current_workstations_canary_deadline" != "$new_deadline" ]; then
-            team_updates_needed=true
-            updates_needed=true
-        fi
-    fi
-fi
+# echo "Checking team files..."
+# workstations_content=$(fetch_file_content "$WORKSTATIONS_FILE")
+# if [ $? -ne 0 ]; then
+#     echo "Warning: Could not fetch workstations file, skipping team updates."
+# else
+#     workstations_canary_content=$(fetch_file_content "$WORKSTATIONS_CANARY_FILE")
+#     if [ $? -ne 0 ]; then
+#         echo "Warning: Could not fetch workstations-canary file, skipping team updates."
+#     else
+#         # Extract current versions and deadlines
+#         current_workstations_version=$(extract_minimum_version "$workstations_content")
+#         current_workstations_deadline=$(extract_deadline "$workstations_content")
+#         current_workstations_canary_version=$(extract_minimum_version "$workstations_canary_content")
+#         current_workstations_canary_deadline=$(extract_deadline "$workstations_canary_content")
+# 
+#         echo "Current Workstations minimum_version: $current_workstations_version"
+#         echo "Current Workstations deadline: $current_workstations_deadline"
+#         echo "Current Workstations (canary) minimum_version: $current_workstations_canary_version"
+#         echo "Current Workstations (canary) deadline: $current_workstations_canary_deadline"
+# 
+#         # Calculate new deadline
+#         new_deadline=$(calculate_deadline)
+#         echo "New deadline (4 Sundays from today): $new_deadline"
+# 
+#         # Check if team updates are needed
+#         # Only update deadline if there's a new macOS version
+#         if [ "$current_workstations_version" != "$latest_macos_version" ]; then
+#             team_updates_needed=true
+#             updates_needed=true
+#         elif [ "$current_workstations_deadline" != "$new_deadline" ] && [ "$policy_update_needed" = true ]; then
+#             # Only update deadline if policy was updated (meaning there's a new version)
+#             team_updates_needed=true
+#             updates_needed=true
+#         fi
+# 
+#         if [ "$current_workstations_canary_version" != "$latest_macos_version" ]; then
+#             team_updates_needed=true
+#             updates_needed=true
+#         elif [ "$current_workstations_canary_deadline" != "$new_deadline" ] && [ "$policy_update_needed" = true ]; then
+#             # Only update deadline if policy was updated (meaning there's a new version)
+#             team_updates_needed=true
+#             updates_needed=true
+#         fi
+#     fi
+# fi
 
 # Create updates if needed
 if [ "$updates_needed" = true ]; then
@@ -196,17 +210,18 @@ if [ "$updates_needed" = true ]; then
         git add "$POLICY_FILE_PATH"
     fi
 
+    # COMMENTED OUT: Team files update logic temporarily disabled
     # Update team files if needed
-    if [ "$team_updates_needed" = true ]; then
-        echo "Updating team files..."
-        updated_workstations_content=$(update_team_file_content "$workstations_content" "$latest_macos_version" "$new_deadline")
-        updated_canary_content=$(update_team_file_content "$workstations_canary_content" "$latest_macos_version" "$new_deadline")
-
-        echo "$updated_workstations_content" > "$WORKSTATIONS_FILE"
-        echo "$updated_canary_content" > "$WORKSTATIONS_CANARY_FILE"
-
-        git add "$WORKSTATIONS_FILE" "$WORKSTATIONS_CANARY_FILE"
-    fi
+    # if [ "$team_updates_needed" = true ]; then
+    #     echo "Updating team files..."
+    #     updated_workstations_content=$(update_team_file_content "$workstations_content" "$latest_macos_version" "$new_deadline")
+    #     updated_canary_content=$(update_team_file_content "$workstations_canary_content" "$latest_macos_version" "$new_deadline")
+    #     
+    #     echo "$updated_workstations_content" > "$WORKSTATIONS_FILE"
+    #     echo "$updated_canary_content" > "$WORKSTATIONS_CANARY_FILE"
+    #     
+    #     git add "$WORKSTATIONS_FILE" "$WORKSTATIONS_CANARY_FILE"
+    # fi
 
     # Create commit message
     commit_message="Update macOS version to $latest_macos_version"
@@ -215,12 +230,13 @@ if [ "$updates_needed" = true ]; then
 
 - Updated policy version from $policy_version_number to $latest_macos_version"
     fi
-    if [ "$team_updates_needed" = true ]; then
-        commit_message="$commit_message
-- Updated team minimum_version from $current_workstations_version to $latest_macos_version
-- Updated team deadline from $current_workstations_deadline to $new_deadline (4 Sundays from today)
-- Applied to both workstations and workstations-canary teams"
-    fi
+    # COMMENTED OUT: Team updates commit message logic temporarily disabled
+    # if [ "$team_updates_needed" = true ]; then
+    #     commit_message="$commit_message
+    # - Updated team minimum_version from $current_workstations_version to $latest_macos_version
+    # - Updated team deadline from $current_workstations_deadline to $new_deadline (4 Sundays from today)
+    # - Applied to both workstations and workstations-canary teams"
+    # fi
 
     git commit -m "$commit_message"
     git push origin "$NEW_BRANCH"
@@ -257,9 +273,8 @@ if [ "$updates_needed" = true ]; then
     # Prepare the reviewers data payload
     reviewers_data=$(jq -n \
         --arg r1 "harrisonravazzolo" \
-        --arg r2 "nonpunctual" \
-        --arg r3 "ddribeiro" \
-        '{reviewers: [$r1, $r2, $r3]}')
+        --arg r2 "tux234" \
+        '{reviewers: [$r1, $r2]}')
 
     # Request reviewers for the pull request
     review_response=$(curl -s -X POST \

@@ -69,7 +69,11 @@ jobs:
   code-sign:
     needs: build
     uses: ./.github/workflows/code-sign-windows.yml
+    permissions:
+      id-token: write # required for attestations
+      attestations: write # required for attestations
     with:
+      attest: "true"
       filename: fleetd-base.msi
       upload_name: fleetd-base-msi
     secrets:

@@ -46,10 +46,10 @@ jobs:
 
       - name: Verify golang generated documentation is up-to-date
         run: |
-          make doc
+          make generate-doc
           if [[ $(git diff) ]]; then
             echo "❌ fail: uncommited changes"
-            echo "please run 'make doc' and commit the changes"
+            echo "please run 'make generate-doc' and commit the changes"
             git --no-pager diff
             exit 1
           fi
@@ -65,3 +65,13 @@ jobs:
             git --no-pager diff
             exit 1
           fi
+
+      - name: Verify VEX report is up-to-date
+        run: |
+          make vex-report
+          if [[ $(git diff) ]]; then
+            echo "❌ fail: uncommited changes"
+            echo "please run 'make vex-report' and commit the changes"
+            git --no-pager diff
+            exit 1
+          fi
@@ -1,4 +1,4 @@
-name: Code sign Windows binaries with DigiCert KeyLocker KSP
+name: Code sign Windows binaries with DigiCert KeyLocker KSP, optionally attest
 
 on:
   workflow_call:
@@ -17,6 +17,11 @@ on:
         required: false
         default: 'signed-windows'
         type: string
+      attest:
+        description: 'Whether to run attestation on the signed binary'
+        required: false
+        type: boolean
+        default: false
     secrets:
       DIGICERT_KEYLOCKER_CERTIFICATE:
         required: true
@@ -31,6 +36,8 @@ on:
 
 permissions:
   contents: read
+  id-token: write # required for attestations
+  attestations: write # required for attestations
 
 jobs:
   code-sign-windows:
@@ -90,6 +97,13 @@ jobs:
           signtool.exe verify /v /pa ${{ inputs.filename }}
         shell: cmd
 
+      - name: Attest binary
+        if: ${{ inputs.attest == 'true' }}
+        continue-on-error: true
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        with:
+          subject-path: ${{ inputs.filename }}
+
       - name: Upload signed artifact
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:

@@ -106,18 +106,29 @@ jobs:
     # > The local config flags make this work in GitHub's environment.
     - run: git add website/.www
     - run: git add website/.tools
+    # Remove the website/assets folder
+    - run: git rm -rf --cached website/assets
     - run: git add -f website/views/partials/built-from-markdown  > /dev/null 2>&1 || echo '* * * WARNING - Silently ignoring the fact that there are no HTML partials generated from markdown to include in automated commit...'
-    - run: git -c "user.name=Fleetwood" -c "user.email=github@example.com" commit -am 'AUTOMATED COMMIT - Deployed the latest, including generated collateral such as compiled documentation, modified HTML layouts, and a .sailsrc file that references minified client-side code assets.'
 
     # Configure the Heroku app we'll be deploying to
     - run: heroku git:remote -a production-fleetdm-website
     - run: git remote -v
 
-    # Deploy to Heroku (by pushing)
-    # > Since a shallow clone was grabbed, we have to "unshallow" it before forcepushing.
-    - run: echo "Unshallowing local repository…"
-    - run: git fetch --prune --unshallow
+    # Deploy to Heroku
     - run: echo "Deploying branch '${GITHUB_REF##*/}' to Heroku…"
-    - run: git push heroku +${GITHUB_REF##*/}:master  # note that Heroku, at least as of Jun 10 2021, still uses "master" on their end
+    - name: Deploy to Heroku
+      run: |
+        set -euo pipefail
+        git add -A
+        # Create a git tree object that contains only the changes in the /website folder.
+        TREE=$(git write-tree)
+        # Create a parentless commit from the tree object.
+        COMMIT=$(git -c "user.name=Fleetwood" -c "user.email=github@example.com" \
+          commit-tree "$TREE" \
+          -m 'AUTOMATED COMMIT - Deployed the latest, including generated collateral such as compiled documentation, modified HTML layouts, and a .sailsrc file that references minified client-side code assets.')
+        # Push the parentless commit to Heroku
+        # Note: The commit pushed to Heroku will not contain the full git history.
+        # This lets up deploy the website from the Fleet monorepo while working around Heroku's pack size limits. 
+        git push heroku "$COMMIT":refs/heads/master --force
     - name: 🌐 https://fleetdm.com
       run: echo '' && echo '--' && echo 'OK, done.  It should be live momentarily.' && echo '(if you get impatient, check the Heroku dashboard for status)' && echo && echo ' 🌐–•  https://fleetdm.com'