Merge branch 'main' into allenhouchins-add-spotify

Author: allenhouchins

.github/ISSUE_TEMPLATE/release-qa.md

@@ -3,7 +3,7 @@ name:  Release QA
 about: Checklist of required tests prior to release
 title: 'Release QA:'
 labels: '#g-mdm,#g-orchestration,#g-software,#g-security-compliance,:release'
-assignees: 'xpkoala,pezhub,jmwatts,andreykizimenko'
+assignees: 'xpkoala,jmwatts,andreykizimenko'
 
 ---
 
@@ -70,6 +70,13 @@ Smoke tests are limited to core functionality and serve as a pre-release final r
 
 </td><td>pass/fail</td></tr>
 
+<tr><td>GitOps and generate-gitops</td><td>
+
+1. `fleetctl generate-gitops` from a version-matched fleetctl successfully outputs YAML from a brand new Fleet server (net of auto-populated teams etc.).
+2. Running GitOps succeeds on the files created in the previous step, either using the `gitops.sh` script directly (from the `fleet-gitops` repo) or by using the GitOps GitHub or GitLab workflow (attempting via one of these three is sufficient).
+ 
+</td><td>pass/fail</td></tr>
+
 </table>
 
 ### MDM

.github/workflows/fleet-and-orbit.yml

@@ -219,8 +219,8 @@ jobs:
   # Here we generate the Fleet Desktop and osqueryd targets for
   # macOS which can only be generated from a macOS host.
   build-macos-targets:
-    # Set macOS version to '13' for building the binary as Fleet's minimum supported macOS version.
-    runs-on: macos-13
+    # Set macOS version to '14' for building the binary as Fleet's minimum supported macOS version.
+    runs-on: macos-14
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0

.github/workflows/generate-desktop-targets.yml

@@ -29,10 +29,10 @@ jobs:
           echo "FLEET_DESKTOP_VERSION=$VERSION" >> "$GITHUB_OUTPUT"
   
   desktop-macos:
-    # Set macOS version to '13' (previously was macos-12, and it was deprecated) for
-    # building the binary. This ensures compatibility with macOS version 13 and
-    # later, avoiding runtime errors on systems using macOS 13 or newer.
-    runs-on: macos-13
+    # Set macOS version to '14' (previously was macos-12/13 until they were deprecated) for
+    # building the binary. This ensures compatibility with macOS version 14 and
+    # later, avoiding runtime errors on systems using macOS 14 or newer.
+    runs-on: macos-14
     needs: set-version
     steps:
       - name: Harden Runner

.github/workflows/loadtest-osquery-perf.yml

@@ -7,20 +7,19 @@ on:
         description: "Terraform workspace that you will be deploying to."
         type: string
         required: true
-      tag:
-        description: "Tag for osquery-perf deployment"
-        type: string
-        default: "v4.72.0"
-        required: true
-      git_branch:
-        description: "git branch for osquery-perf deployment"
+      git_tag_branch:
+        description: "git Tag or Branch to use for osquery-perf deployment"
         type: string
         default: "main"
         required: true
       loadtest_containers:
-        description: "Count of osquery-perf tasks to run"
+        description: "Deploys osquery-perf containers all at once. Total number of osquery-perf tasks to run (should be a multiple of 8, if setting loadtest_containers_starting_index). This is also used as the end index in enroll.sh"
         type: string
         required: true
+      loadtest_containers_starting_index:
+        description: "Optional: Starting Index for enroll.sh (should be a multiple of 8)."
+        type: string
+        required: false
       extra_flags:
         description: "Extra flags for osquery-perf. Example: [\"--orbit_prob\", \"0.0\"]"
         type: string
@@ -52,8 +51,7 @@ env:
   TF_ACTIONS_WORKING_DIR: infrastructure/loadtesting/terraform/osquery_perf
   TF_VAR_extra_flags: "${{ inputs.extra_flags || '[]' }}"
   TF_VAR_loadtest_containers: "${{ inputs.loadtest_containers }}"
-  TF_VAR_tag: "${{ inputs.tag }}"
-  TF_VAR_git_branch: "${{ inputs.git_branch }}"
+  TF_VAR_git_tag_branch: "${{ inputs.git_tag_branch }}"
 
 permissions:
   id-token: write
@@ -145,7 +143,12 @@ jobs:
           if [[ `terraform workspace show` = "${{ inputs.terraform_workspace }}" ]];
           then
             echo "TERRAFORM WORKSPACE: MATCHES - ${{ inputs.terraform_workspace }}"
-            terraform apply -auto-approve
+            if [[ ${{ inputs.loadtest_containers_starting_index}} -gt "0" ]];
+            then
+              ./enroll.sh ${{ inputs.git_tag_branch }} ${{ inputs.loadtest_containers_starting_index}} ${{ inputs.loadtest_containers }}
+            else
+              terraform apply -auto-approve
+            fi
           else
             echo "TERRAFORM WORKSPACE: DOES NOT MATCH INPUT - ${{ inputs.terraform_workspace }}"
           fi
@@ -202,4 +205,4 @@ jobs:
             fi
           else
             echo "TERRAFORM WORKSPACE: DOES NOT MATCH INPUT - ${{ inputs.terraform_workspace }}"
-          fi
+          fi

.gitignore

@@ -30,6 +30,9 @@ frontend/coverage
 # typescript generated test files
 tmp/
 
+# test debug files
+debug.test*
+
 # operating system artifacts
 .DS_Store
 

CHANGELOG.md

@@ -1,3 +1,70 @@
+## Fleet 4.76.0 (Nov 7, 2025)
+
+### Security Engineers
+- Added support for software inventory on Android hosts.
+- Added support for npm packages in software inventory and vulnerability matching for macOS and Linux hosts.
+- Added support for JetBrains inventory on hosts.
+- Added vulnerbaility detection in JetBrains plugins.
+- Added support for VSCode fork (Cursor, Windsurf, VSCodium, VSCodium Insiders, and Trae) extensions in software inventory. 
+- Added Santa tables to fleetd.
+
+### IT Admins
+- Added ability to install software for iOS and iPadOS hosts during the setup experience.
+- Added ability to specify VPP apps for automatic installation during ADE iOS and iPadOS host enrollment.
+- Added the ability to lock iOS and iPadOS devices through lost mode.
+- Added support for locking and unlocking iOS and iPadOS devices from the UI.
+- Added configuration option to setup experience for macOS hosts to halt if any software install fails.
+- Added `gigs_all_disk_space` vital collection, storage, service, and UI rendering for Linux hosts.
+- Added new server config flag for specifying the cleanup age for completed distributed targets.
+
+### Other improvements and bug fixes
+- Added link component shown in the host column to the host details page.
+- Added flash warning when an unauthorized user tries to access teams settings.
+- Added descriptive error in cases of manual MacOS profile download failure. 
+- Updated the MacOS setup experience to use the new web UI.
+- Updated the UI for adding new scripts to the scripts library.
+- Changed display logic for the organization logo component on the My Device page to prevent flickering.
+- Improved performance of `/api/latest/fleet/os_versions` endpoint, especially for deployments with Linux hosts.
+- Optimized MySQL queries on `/api/latest/fleet/vulnerabilities` and `/api/latest/fleet/software/versions` to improve performance for Fleet UI use cases.
+- Optimized `/config` API endpoint to use the primary DB node for both persisting changes and fetching modified app config.
+- Improved live query response times by adding a new server config flag for specifying the cleanup age for completed distributed targets.
+- Improved query performance by using a lighter-weight query for checking if a team is enabled for conditional access.
+- Changed license warning to only show one time during GitOps runs.
+- Updated to allow setting an org support url to use the "file" protocol in the url.
+- Changed the default name of Host Identity CA to 'Fleet Host Identity CA' to avoid conflict with Fleet's Apple MDM CA.
+- Updated host details run script user flows to include a confirmation step.
+- Applied singular word form to GitOps log messages when a single entity is referenced in the message.
+- Updated the "Setting up your device" page to show status of setup script run.
+- Deprecate `browser` in favor of `extension_for` in API responses and JSON/YAML outputs.
+- Added migration to clear the `platform` field on all _builtin_ labels.
+- Added migration to relink missing SCIM user data to hosts.
+- Updated host certificate renewal flow for NDES, Smallstep, custom scep proxy CAs to support $FLEET_VAR_SCEP_RENEWAL_ID in the OU field rather than CN.
+- Updated device mapping API to allow an "idp" source to manually set IDP user mappings.
+- Updated styling to be more consistent in edit policies view for FireFox.
+- Replaced outdated Firefox icon with a new one that follows brand guidelines.
+- Allowed testing a new or edited policy query via live query while in GitOps Mode.
+- Fixed missing "failed" VPP app install activities when installation is canceled due to MDM being turned off for a host.
+- Fixed bug where uploading a software installer failed because it was "not found in the datastore".
+- Fixed missing aboslute timestamp tooltips on script creation date in script list, query modification date in query list.
+- Fixed bug with the ChangeManagement component where the GitOps checkbox local UI state was being reset due to GET request after PATCH request.
+- Fixed MySQL deadlocks when multiple hosts are updating their certificates in host vitals at the same time.
+- Fixed an issue where longer variable names ($FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART) with the same base ($FLEET_VAR_HOST_END_USER_IDP_USERNAME) was not processed in the right order.
+- Fixed UI bug where "Show disk encryption key" option was incorrectly displayed for hosts enrolled with a third-party MDM solution.
+- Fixed WhatsApp and VS Code icons not displaying correctly
+- Fixed bad software ingestion debug message and added filter for invalid software with missing names.
+- Fixed a bug where a software installer could be installed in the same team and same platform (macOS) where an App Store app already existed for the same software title, and vice-versa (App Store app added when a sofware package already existed, this one was only possible just via `fleetctl gitops`).
+- Fixed listing hosts with `populate_software` not returning hash_sha256 for macos apps.
+- Fixed bug where batch setting MDM profiles could cause a nil pointer dereference when processing an invalid profile (e.g., cannot parse mobileconfig because it is bad xml).
+- Fixed bug hiding the UI elements post install script output in Software Install Details modal.
+- Fixed software title host count mismatch that was caused by including software installers in the count.
+- Fixed a scenario where a wiped Windows host re-enrolled as a distinct host row in Fleet and the previous host's page could not be loaded successfully.
+- Fixed an issue where a host transfer on `mdm_enrolled` activity would be reversed by orbit enroll.
+- Fixed a bug in live queries that caused `livequery:{$CAMPAIGN_ID}` Redis keys to not be cleaned up or expire.
+- Fixed inconsistency in GitOps for App store apps if no VPP token was found, so that both dry run and actual run fails.
+- Fixed the software title counts by status to be consistent with the status reported in the host's software list and filter by status.
+- Fixed outdated tooltip on dark background logo URL field in Organization info settings.
+- Fixed `fleetctl generate-gitops` when MDM is not turned on.
+
 ## Fleet 4.75.1 (Oct 21, 2025)
 
 ### Bug fixes

CODEOWNERS

@@ -65,15 +65,15 @@ go.mod @fleetdm/go
 #
 # (see website/config/custom.js for DRIs of other paths not listed here)
 ##############################################################################################
-/docs                                                   @rachaelshaw
+/docs                                                   @noahtalerman
 /docs/solutions                                         @ddribeiro
-/docs/Configuration                                     @rachaelshaw
+/docs/Configuration                                     @noahtalerman
 /docs/Contributing                                      @lukeheath @georgekarrv @sharon-fdm # « Contributing guidelines
 /docs/Contributing/product-groups/orchestration/understanding-host-vitals.md @sharon-fdm @sgress454 @getvictor # software ingestion is security & compliance
-/docs/REST\ API/rest-api.md                             @rachaelshaw # « REST API reference documentation
-/docs/Contributing/reference/api-for-contributors.md    @rachaelshaw @lukeheath # « Advanced / contributors-only API reference documentation
-/docs/Contributing/reference/audit-logs.md              @rachaelshaw @lukeheath # « Advanced / contributors-only audit log documentation
-/docs/Contributing/reference/configuration-for-contributors.md @rachaelshaw @lukeheath # « Advanced / contributors-only configuration documentation
+/docs/REST\ API/rest-api.md                             @noahtalerman # « REST API reference documentation
+/docs/Contributing/reference/api-for-contributors.md    @noahtalerman @lukeheath # « Advanced / contributors-only API reference documentation
+/docs/Contributing/reference/audit-logs.md              @noahtalerman @lukeheath # « Advanced / contributors-only audit log documentation
+/docs/Contributing/reference/configuration-for-contributors.md @noahtalerman @lukeheath # « Advanced / contributors-only configuration documentation
 /schema                                                 @eashaw # « Data tables (osquery/fleetd schema) documentation
 /render.yaml                                            @edwardsb
 /it-and-security                                        @allenhouchins