Skip to content

Cleanup no-team.yml, implement host expiry on servers, add Windows CSPs #561

Cleanup no-team.yml, implement host expiry on servers, add Windows CSPs

Cleanup no-team.yml, implement host expiry on servers, add Windows CSPs #561

Workflow file for this run

name: 'Apply latest configuration to dogfood with gitops'
on:
push:
branches:
- main
paths:
- 'it-and-security/**'
- '.github/workflows/dogfood-gitops.yml'
pull_request:
paths:
- 'it-and-security/**'
- '.github/workflows/dogfood-gitops.yml'
workflow_dispatch: # allows manual triggering
schedule:
- cron: '0 6 * * *' # Nightly 6AM UTC
# Prevent concurrent runs of this workflow, but allow all runs to finish.
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
defaults:
run:
shell: bash
# Limit permissions of GITHUB_TOKEN.
permissions:
contents: read
jobs:
fleet-gitops:
timeout-minutes: 10
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout our repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Checkout GitOps repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: fleetdm/fleet-gitops
ref: main
path: fleet-gitops
- name: Apply latest configuration to Fleet
uses: ./fleet-gitops/.github/gitops-action
with:
working-directory: ${{ github.workspace }}/fleet-gitops
dry-run-only: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}
env:
FLEET_GITOPS_DIR: ${{ github.workspace }}/it-and-security
FLEET_URL: https://dogfood.fleetdm.com
FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
DOGFOOD_APPLE_BM_DEFAULT_TEAM: "💻 Workstations"
DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL: ${{ secrets.DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL }}
DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }}
DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }}
DOGFOOD_SSO_METADATA: ${{ secrets.DOGFOOD_SSO_METADATA }}
DOGFOOD_MDM_SSO_METADATA_URL: ${{ secrets.DOGFOOD_MDM_SSO_METADATA_URL }}
DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }}
DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }}
DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }}
DOGFOOD_WORKSTATIONS_CANARY_CALENDAR_WEBHOOK_URL: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_CALENDAR_WEBHOOK_URL }}
DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET }}
DOGFOOD_SERVERS_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_ENROLL_SECRET }}
DOGFOOD_SERVERS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_CANARY_ENROLL_SECRET }}
DOGFOOD_EXPLORE_DATA_ENROLL_SECRET: ${{ secrets.DOGFOOD_EXPLORE_DATA_ENROLL_SECRET }}
DOGFOOD_CALENDAR_API_KEY: ${{ secrets.DOGFOOD_CALENDAR_API_KEY }}
DOGFOOD_COMPLIANCE_EXCLUSIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPLIANCE_EXCLUSIONS_ENROLL_SECRET }}
DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET }}
DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET }}
MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
- name: Notify on Gitops failure
if: failure() && github.ref_name == 'main'
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"text": "GitOps run failed for ${{ env.RUN_URL }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "GitOps run failed on ${{ github.ref_name }}"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "For more details see:\n${{ env.RUN_URL }}"
}
}
]
}
env:
RUN_URL: https://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_DOGFOODING_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK