6f94f40
Dhruv pre CVE dirtyfrag article (#46114)
akuthiala May 23, 2026
1218ffb
Update marketing-assets.md (#46115)
akuthiala May 23, 2026
20f40a7
feat(pg): PostgreSQL datastore compatibility layer
dnplkndll May 14, 2026
164ad14
ci(pg): test-go-postgres + validate-pg-compat gates; private-repo ski…
dnplkndll May 14, 2026
098615c
tools(pg): pgcompat validators — primary-keys, schema-drift, column-d…
dnplkndll May 14, 2026
800e48f
tools(pg): pg-compat-harness — live URL-filter regression matrix
dnplkndll May 14, 2026
0412adf
tools(pg): pg-index-translate — MySQL schema KEY → PG CREATE INDEX
dnplkndll May 14, 2026
d6af031
docs(pg): operator deploy guide for PostgreSQL mode
dnplkndll May 14, 2026
b92e008
fix(pg-goose): ORDER BY version_id DESC, id DESC in PG dbVersionQuery
dnplkndll May 14, 2026
6bbf2d9
fix(pg-baseline): reassign function ownership alongside tables/sequen…
dnplkndll May 14, 2026
7e56b37
docs(pg): pin seedPGMigrationTable version-order invariant in a comment
dnplkndll May 14, 2026
3fc1daa
baseline(pg): regenerate from prod and bump marker to 20260513210000
dnplkndll May 14, 2026
6227e54
fix(pg): explicit-type NULL in setup_experience UNION legs for COALESCE
dnplkndll May 14, 2026
f97a737
test(pg-harness): add orbit + osquery POST endpoint coverage
dnplkndll May 14, 2026
b54c839
fix(pg): add windows_mdm_commands to knownPrimaryKeys
dnplkndll May 14, 2026
0b51e8d
fix(pg): allowlist hosts.orbit_debug_until drift (regen after next de…
dnplkndll May 14, 2026
4c74d8c
fix(pg): support new vpp_client_users table and recent migrations
dnplkndll May 23, 2026
6c40e7c
fix(pg): implement pgMigrationHelper and isPostgres for Postgres migr…
dnplkndll May 23, 2026
2f09202
fix(pg): make renumbered migrations idempotent and PostgreSQL compatible
dnplkndll May 23, 2026
f10744b
baseline(pg): regenerate baseline schema and bump marker to 202605221…
dnplkndll May 23, 2026
f9dab02
fix(pg): remove stale column drift entries from allowlist
dnplkndll May 23, 2026
10cd4d0
fix(pg): repeat aggregates in Windows MDM HAVING for PostgreSQL
dnplkndll Jun 6, 2026
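--- a/.github/workflows/build-ledo.yml
+++ b/.github/workflows/build-ledo.yml
@@ -0,0 +1,129 @@
+name: Build & Push Ledo Fleet Image
+
+on:
+  push:
+    branches: [aggregated]
+    tags:
+      - 'fleet-v*'
+    paths:
+      - 'cmd/**'
+      - 'ee/**'
+      - 'server/**'
+      - 'frontend/**'
+      - 'orbit/**'
+      - 'pkg/**'
+      - 'go.mod'
+      - 'go.sum'
+      - 'package.json'
+      - 'yarn.lock'
+      - 'webpack.config.js'
+      - 'Dockerfile'
+      - '.github/workflows/build-ledo.yml'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ledoent/fleet
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        fetch-tags: true
+
+    - name: Derive Fleet version and image tag
+      id: version
+      run: |
+        if [[ "$GITHUB_REF" == refs/tags/fleet-v* ]]; then
+          BASE_TAG="${GITHUB_REF#refs/tags/}"
+        else
+          BASE_TAG=$(git describe --tags --match 'fleet-v*' --abbrev=0 2>/dev/null || echo "fleet-vdev")
+        fi
+        FLEET_VERSION="${BASE_TAG#fleet-}"
+        IMAGE_TAG="${FLEET_VERSION}-ledo"
+        echo "fleet_version=${FLEET_VERSION}" >> "$GITHUB_OUTPUT"
+        echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
+        echo "Fleet version: ${FLEET_VERSION}, image tag: ${IMAGE_TAG}"
+
+    # Gate the publish on PG-compat checks passing on this exact SHA. The
+    # gate runs concurrently with the required workflows on a fresh push,
+    # so wait (with timeout) for each one to reach a terminal status before
+    # deciding. Refuse to publish on any non-success conclusion or if the
+    # required run never starts.
+    - name: Verify PG-compat checks passed on this SHA
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        BUILD_SHA: ${{ github.sha }}
+      run: |
+        set -euo pipefail
+        required=("test-go-postgres.yaml" "validate-pg-compat.yml")
+        deadline=$(( $(date +%s) + 30 * 60 )) # 30 min total budget
+        for wf in "${required[@]}"; do
+          echo "⏳ Waiting for $wf on $BUILD_SHA..."
+          while :; do
+            run_json=$(gh run list \
+              --workflow "$wf" \
+              --limit 50 \
+              --json databaseId,headSha,status,conclusion \
+              --jq "[.[] | select(.headSha == \"$BUILD_SHA\")] | .[0]")
+            status=$(echo "$run_json" | jq -r '.status // "missing"')
+            conclusion=$(echo "$run_json" | jq -r '.conclusion // ""')
+            if [[ "$status" == "completed" ]]; then
+              if [[ "$conclusion" != "success" ]]; then
+                echo "❌ $wf concluded with $conclusion on $BUILD_SHA. Refusing to publish."
+                exit 1
+              fi
+              echo "✅ $wf: success on $BUILD_SHA"
+              break
+            fi
+            if (( $(date +%s) > deadline )); then
+              echo "❌ Timeout waiting for $wf on $BUILD_SHA (status=$status). Refusing to publish."
+              exit 1
+            fi
+            sleep 30
+          done
+        done
+
+    - name: Log in to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Log in to Zot registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ secrets.ZOT_REGISTRY }}
+        username: ${{ secrets.ZOT_REGISTRY_USER }}
+        password: ${{ secrets.ZOT_REGISTRY_PASSWORD }}
+
+    - uses: docker/setup-buildx-action@v3
+
+    - name: Build and push
+      uses: docker/build-push-action@v6
+      with:
+        context: .
+        push: true
+        tags: |
+          ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_tag }}
+          ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          ${{ secrets.ZOT_REGISTRY }}/ledoent/fleet:${{ steps.version.outputs.image_tag }}
+          ${{ secrets.ZOT_REGISTRY }}/ledoent/fleet:latest
+        build-args: |
+          FLEET_VERSION=${{ steps.version.outputs.fleet_version }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+
+    - name: Output image info
+      run: |
+        echo "## Build Complete" >> $GITHUB_STEP_SUMMARY
+        echo "Image: \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY
+        echo "Zot: \`${{ secrets.ZOT_REGISTRY }}/ledoent/fleet:${{ steps.version.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY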
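Review bot: A push to `aggregated` overwrites an already-released image tag: in the `else` branch of the "Derive Fleet version and image tag" step, `git describe --tags --match 'fleet-v*' --abbrev=0` resolves to the nearest release tag reachable from the branch, so a non-release commit is published as `ledoent/fleet:v<release>-ledo` (plus `:latest`) on both registries, replacing the image that the matching `fleet-v*` tag build produced. Suffix non-tag builds with the commit so they cannot collide with a release, e.g. `IMAGE_TAG="${FLEET_VERSION}-ledo-${GITHUB_SHA::7}"` in the `else` branch, and only emit the two `:latest` tags when `github.ref_type == 'tag'`. Separately, this job holds push credentials for two registries yet every action is pinned to a floating major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v6`, …), whereas `dependency-review.yml` in this same PR pins `step-security/harden-runner` to a commit SHA with a version comment; pin these to SHAs the same way so a retargeted tag cannot swap in a different action.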
4 changes: 4 additions & 0 deletions .github/workflows/dependency-review.yml
Expand Up @@ -15,6 +15,10 @@ permissions:
jobs:
dependency-review:
runs-on: ubuntu-latest
# actions/dependency-review-action requires GitHub Advanced Security on
# private repos. Skip on private mirrors (e.g. ledoent/fleet); upstream
# public fleetdm/fleet still runs the check.
if: ${{ !github.event.repository.private }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
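--- a/.github/workflows/sync-upstream.yml
+++ b/.github/workflows/sync-upstream.yml
@@ -0,0 +1,41 @@
+name: Sync upstream main
+
+on:
+  schedule:
+    - cron: '0 6 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  sync:
+    if: github.repository != 'fleetdm/fleet'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: main
+          fetch-depth: 0
+          token: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
+
+      - name: Sync from upstream
+        run: |
+          set -euo pipefail
+          git remote add upstream https://github.com/fleetdm/fleet.git || true
+          git fetch upstream main
+
+          # Paranoia: refuse to force-push if `main` has commits not in
+          # `upstream/main` from anyone other than github-actions[bot].
+          # Local work belongs on a feature branch, never on `main`.
+          unexpected=$(git log upstream/main..HEAD \
+            --pretty='%an <%ae>' \
+            | grep -v 'github-actions\[bot\]' || true)
+          if [[ -n "$unexpected" ]]; then
+            echo "❌ Refusing to force-push: main has non-bot commits not in upstream/main:"
+            echo "$unexpected"
+            exit 1
+          fi
+
+          git reset --hard upstream/main
+          git push --force-with-lease origin main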
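Review bot: The guard in front of `git reset --hard upstream/main` only checks free-text author fields: `grep -v 'github-actions\[bot\]'` is a substring match on `%an <%ae>`, so any commit whose locally configured name or email happens to contain that string slips through and is silently discarded by the force-push, while a commit from any other automation identity trips the guard. If the intent is to exempt only the Actions bot, match the address GitHub attributes to it exactly, e.g. `git log upstream/main..HEAD --pretty='%ae' | grep -vxF '41898282+github-actions[bot]@users.noreply.github.com' || true`. Also, `permissions: contents: write` is granted to the job's `GITHUB_TOKEN` but never used, because checkout and the push both run under `FLEET_RELEASE_GITHUB_PAT`; either drop the PAT and let the default token push (if branch protection on `main` permits it) or reduce the declared permissions to `contents: read` so the unused token cannot write.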