Skip to content

Allow multiple packages - migration#48596

Open
jkatz01 wants to merge 8 commits into
feat/28108-multiple-custom-packagesfrom
48396-multi-package-migration
Open

Allow multiple packages - migration#48596
jkatz01 wants to merge 8 commits into
feat/28108-multiple-custom-packagesfrom
48396-multi-package-migration

Conversation

@jkatz01

@jkatz01 jkatz01 commented Jul 1, 2026

Copy link
Copy Markdown
Member

Related issue: Resolves #48396

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

  • Timeouts are implemented and retries are limited to avoid infinite loops

  • If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

Database migrations

  • Checked schema for all modified table for columns that will auto-update timestamps during migration.
  • Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
    • shouldn't update timestamps unless the installer was a duplicate
  • Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

New Fleet configuration settings

  • Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for GitOps-enabled settings:

  • Verified that the setting is exported via fleetctl generate-gitops
  • Verified the setting is documented in a separate PR to the GitOps documentation
  • Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
  • Verified that any relevant UI is disabled when GitOps mode is enabled

Summary by CodeRabbit

  • New Features

    • Software titles can now include multiple custom packages without duplicating the title in lists.
    • Added clearer package details when viewing software tied to a title or team.
  • Bug Fixes

    • Improved installer conflict handling so uploads now show more specific error messages.
    • Prevented duplicate package entries from creating extra title rows or incorrect counts.
    • Fixed package counting and selection so the first-added package is used consistently when multiple exist.
  • Chores

    • Added database changes to enforce the new package-deduplication behavior.

@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 83.92857% with 36 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.03%. Comparing base (ad0a39e) to head (774829d).

Files with missing lines Patch % Lines
server/datastore/mysql/software_installers.go 85.02% 16 Missing and 9 partials ⚠️
...s/20260629163945_MultipleCustomPackagesPerTitle.go 76.74% 6 Missing and 4 partials ⚠️
ee/server/service/software_installers.go 0.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@                           Coverage Diff                           @@
##           feat/28108-multiple-custom-packages   #48596      +/-   ##
=======================================================================
+ Coverage                                67.99%   68.03%   +0.03%     
=======================================================================
  Files                                     3678     3679       +1     
  Lines                                   233791   233925     +134     
  Branches                                 12305    12305              
=======================================================================
+ Hits                                    158968   159146     +178     
+ Misses                                   60496    60460      -36     
+ Partials                                 14327    14319       -8     
Flag Coverage Δ
backend 69.68% <83.92%> (+0.04%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

jkatz01 added 7 commits July 2, 2026 10:21
Replace the version-unique key on software_installers with a regime-aware
unique key. A new VIRTUAL dedup_token column resolves to storage_id for custom
packages (dedupe by content hash, so Arm and Intel builds of one version
coexist while identical bytes are rejected) and to version for FMA packages
(version-uniqueness unchanged, so the auto-update cron can cache several
versions backed by the same bytes).

The migration keeps the first-added row per (global_or_team_id, title_id,
dedup_token), re-points policies off the removed rows, and deletes the rest
before adding UNIQUE KEY idx_software_installers_dedup.
…48396)

Allow multiple custom packages per title in MatchOrCreateSoftwareInstaller.
checkSoftwareConflictsByIdentifier keeps the cross-type VPP/in-house checks and
the FMA-vs-custom single-regime guard, then rejects a custom package whose
dedup_token (content hash) already backs the title and enforces a 10-package
limit. The conflict copy now distinguishes VPP apps, Fleet-maintained apps, and
software packages.

The cross-type and FMA checks run before getOrGenerateSoftwareInstallerTitleID
so a rejected upload never triggers its title-create/rename side effects.
…ion fixes (#48396)

GetSoftwareInstallerMetadataByTeamAndTitleID now returns the first-added active
package. Add GetSoftwarePackagesByTeamAndTitleID returning every active package
on a title with per-package label scope, for the API and precedence sub-issues.

Fix the regressions that multiple active rows cause: SoftwareTitleByID counts
use COUNT(DISTINCT) so the installer/VPP/in-house cross-join no longer inflates
them, both ListSoftwareTitles query paths join only the first-added active
installer so a title appears once (hash and package-name filters use EXISTS over
all packages), and the edit path no longer rejects a title with more than one
package.
@jkatz01 jkatz01 force-pushed the 48396-multi-package-migration branch from 127e5ff to 798d435 Compare July 2, 2026 14:36
@jkatz01

jkatz01 commented Jul 2, 2026

Copy link
Copy Markdown
Member Author

I think the test failure is unrelated, and looks like PR 48613 will fix it.

@jkatz01 jkatz01 marked this pull request as ready for review July 2, 2026 15:03
@jkatz01 jkatz01 requested a review from a team as a code owner July 2, 2026 15:03

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@jkatz01

jkatz01 commented Jul 2, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

Changes

This PR adds support for multiple custom packages per software title. A new migration adds a dedup_token generated column to software_installers and replaces the version-based unique key with one keyed on (global_or_team_id, title_id, dedup_token), deduplicating existing rows and repointing affected policies. Conflict-detection logic in checkSoftwareConflictsByIdentifier is reworked to standardize error messages, detect FMA/custom mixing, enforce a 10-package-per-title limit, and reject duplicate content hashes (including Linux .deb/.rpm). A new GetSoftwarePackagesByTeamAndTitleID datastore method and interface/mock wiring list all packages for a title with label scoping. GetSoftwareInstallerMetadataByTeamAndTitleID now returns the first-added installer. Software title listing/count queries are fixed to avoid duplication/inflation from multiple installers, and the PATCH edit-path validation now allows more than one installer. Tests and integration test expectations are updated accordingly.

Sequence Diagram(s)

Diagrams included in the hidden review stack artifact illustrate the migration flow, conflict detection flow, and package listing flow.

Possibly related issues

Possibly related PRs

  • fleetdm/fleet#47808: Both PRs modify software installer update/activation flow and installer uniqueness constraints (prior FMA version-key migration this PR builds on).
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and matches the main change: supporting multiple packages via migration.
Description check ✅ Passed The PR description matches the template well and includes the issue, testing, and migration sections.
Linked Issues check ✅ Passed The summarized changes cover the migration, hash dedupe, 10-package limit, first-added reads, and regression fixes required by #48396.
Out of Scope Changes check ✅ Passed The changes shown are focused on the linked package-migration work, with no obvious unrelated additions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch 48396-multi-package-migration

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.44.0)
ee/server/service/software_installers.go

[{"text":"tx.Exec(fmt.Sprintf(\n\t\tUPDATE policies p\n\t\tJOIN software_installers si ON si.id = p.software_installer_id\n\t\tJOIN (%s) dup\n\t\t\tON si.global_or_team_id = dup.global_or_team_id\n\t\t\tAND si.title_id = dup.title_id\n\t\t\tAND si.dedup_token = dup.dedup_token\n\t\tSET p.software_installer_id = dup.keep_id, p.updated_at = p.updated_at\n\t\tWHERE si.id != dup.keep_id, dupGroups))","range":{"byteOffset":{"start":1460,"end":1823},"start":{"line":36,"column":14},"end":{"line":44,"column":42}},"file":"server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle.go","lines":"\tif _, err := tx.Exec(fmt.Sprintf(`\n\t\tUPDATE policies p\n\t\tJOIN software_installers si ON si.id = p.software_installer_id\n\t\tJOIN (%s) dup\n\t\t\tON si.global_or_team_id = dup.global_or_team_id\n\t\t\tAND si.title_id = dup.title_id\n\t\t\tAND si.dedup_token = dup.dedup_token\n\t\tSET p.software_installer_id = dup.keep_id, p.updated_at = p.updated_at\n\t\tWHERE si.id !=

... [truncated 38263 characters] ...

style":"secondary"},{"text":"Sprintf","range":{"byteOffset":{"start":125221,"end":125228},"start":{"line":3504,"column":37},"end":{"line":3504,"column":44}},"style":"secondary"},{"text":"fmt.Sprintf","range":{"byteOffset":{"start":125217,"end":125228},"start":{"line":3504,"column":33},"end":{"line":3504,"column":44}},"style":"secondary"},{"text":"fmt.Sprintf(upsertInstallerCategories, upsertCategoriesValues)","range":{"byteOffset":{"start":125217,"end":125279},"start":{"line":3504,"column":33},"end":{"line":3504,"column":95}},"style":"secondary"},{"text":"(ctx, fmt.Sprintf(upsertInstallerCategories, upsertCategoriesValues), upsertCategoriesArgs...)","range":{"byteOffset":{"start":125211,"end":125305},"start":{"line":3504,"column":27},"end":{"line":3504,"column":121}},"style":"secondary"}]}

server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle.go

[{"text":"tx.Exec(fmt.Sprintf(\n\t\tUPDATE policies p\n\t\tJOIN software_installers si ON si.id = p.software_installer_id\n\t\tJOIN (%s) dup\n\t\t\tON si.global_or_team_id = dup.global_or_team_id\n\t\t\tAND si.title_id = dup.title_id\n\t\t\tAND si.dedup_token = dup.dedup_token\n\t\tSET p.software_installer_id = dup.keep_id, p.updated_at = p.updated_at\n\t\tWHERE si.id != dup.keep_id, dupGroups))","range":{"byteOffset":{"start":1460,"end":1823},"start":{"line":36,"column":14},"end":{"line":44,"column":42}},"file":"server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle.go","lines":"\tif _, err := tx.Exec(fmt.Sprintf(`\n\t\tUPDATE policies p\n\t\tJOIN software_installers si ON si.id = p.software_installer_id\n\t\tJOIN (%s) dup\n\t\t\tON si.global_or_team_id = dup.global_or_team_id\n\t\t\tAND si.title_id = dup.title_id\n\t\t\tAND si.dedup_token = dup.dedup_token\n\t\tSET p.software_installer_id = dup.keep_id, p.updated_at = p.updated_at\n\t\tWHERE si.id !=

... [truncated 38263 characters] ...

style":"secondary"},{"text":"Sprintf","range":{"byteOffset":{"start":125221,"end":125228},"start":{"line":3504,"column":37},"end":{"line":3504,"column":44}},"style":"secondary"},{"text":"fmt.Sprintf","range":{"byteOffset":{"start":125217,"end":125228},"start":{"line":3504,"column":33},"end":{"line":3504,"column":44}},"style":"secondary"},{"text":"fmt.Sprintf(upsertInstallerCategories, upsertCategoriesValues)","range":{"byteOffset":{"start":125217,"end":125279},"start":{"line":3504,"column":33},"end":{"line":3504,"column":95}},"style":"secondary"},{"text":"(ctx, fmt.Sprintf(upsertInstallerCategories, upsertCategoriesValues), upsertCategoriesArgs...)","range":{"byteOffset":{"start":125211,"end":125305},"start":{"line":3504,"column":27},"end":{"line":3504,"column":121}},"style":"secondary"}]}

server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle_test.go

[{"text":"tx.Exec(fmt.Sprintf(\n\t\tUPDATE policies p\n\t\tJOIN software_installers si ON si.id = p.software_installer_id\n\t\tJOIN (%s) dup\n\t\t\tON si.global_or_team_id = dup.global_or_team_id\n\t\t\tAND si.title_id = dup.title_id\n\t\t\tAND si.dedup_token = dup.dedup_token\n\t\tSET p.software_installer_id = dup.keep_id, p.updated_at = p.updated_at\n\t\tWHERE si.id != dup.keep_id, dupGroups))","range":{"byteOffset":{"start":1460,"end":1823},"start":{"line":36,"column":14},"end":{"line":44,"column":42}},"file":"server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle.go","lines":"\tif _, err := tx.Exec(fmt.Sprintf(`\n\t\tUPDATE policies p\n\t\tJOIN software_installers si ON si.id = p.software_installer_id\n\t\tJOIN (%s) dup\n\t\t\tON si.global_or_team_id = dup.global_or_team_id\n\t\t\tAND si.title_id = dup.title_id\n\t\t\tAND si.dedup_token = dup.dedup_token\n\t\tSET p.software_installer_id = dup.keep_id, p.updated_at = p.updated_at\n\t\tWHERE si.id !=

... [truncated 38263 characters] ...

style":"secondary"},{"text":"Sprintf","range":{"byteOffset":{"start":125221,"end":125228},"start":{"line":3504,"column":37},"end":{"line":3504,"column":44}},"style":"secondary"},{"text":"fmt.Sprintf","range":{"byteOffset":{"start":125217,"end":125228},"start":{"line":3504,"column":33},"end":{"line":3504,"column":44}},"style":"secondary"},{"text":"fmt.Sprintf(upsertInstallerCategories, upsertCategoriesValues)","range":{"byteOffset":{"start":125217,"end":125279},"start":{"line":3504,"column":33},"end":{"line":3504,"column":95}},"style":"secondary"},{"text":"(ctx, fmt.Sprintf(upsertInstallerCategories, upsertCategoriesValues), upsertCategoriesArgs...)","range":{"byteOffset":{"start":125211,"end":125305},"start":{"line":3504,"column":27},"end":{"line":3504,"column":121}},"style":"secondary"}]}

  • 11 others

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle_test.go (1)

72-92: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add coverage for mixed active/inactive duplicate groups.

All duplicate-group fixtures here use is_active = 1 for every row. Consider adding a case where the lower-id row is inactive and the higher-id row is active (same dedup_token), and assert the active row survives — this would catch the survivor-selection issue flagged in the migration file.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle_test.go`
around lines 72 - 92, Add a test fixture in MultipleCustomPackagesPerTitle_test
that covers a duplicate group with mixed active/inactive rows sharing the same
dedup_token. Create the group so the lower-id row is inactive and the higher-id
row is active, then run the migration path that deduplicates installers. Assert
the active installer is the one retained and any references are repointed to it,
using the existing helpers like insertInstaller, execNoErr, and the policy
re-point checks to locate the relevant assertions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle.go`:
- Around line 26-57: The duplicate-collapsing logic in the migration currently
uses dupGroups with MIN(id) as keep_id, which can preserve an inactive
software_installers row and delete the active one. Update the dedup selection in
this migration so the retained row prefers the active installer (is_active = 1)
when duplicates share global_or_team_id, title_id, and dedup_token, and only
falls back to the lowest id if no active row exists; keep the subsequent
policies re-pointing and delete statements using the chosen keep_id.

In `@server/datastore/mysql/software_installers.go`:
- Around line 493-520: The fallback lookup in softwareInstallerTitleSelect can
still match non-plain software titles because it only filters by name, source,
and extension_for. Update the default branch used by
getExistingSoftwareInstallerTitleID to restrict matches to plain titles only, so
sqlx.GetContext does not return an arbitrary bundle/app/upgrade-code-backed
SoftwareTitle with the same name. Use the softwareInstallerTitleSelect and
getExistingSoftwareInstallerTitleID symbols to locate the change.

---

Nitpick comments:
In
`@server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle_test.go`:
- Around line 72-92: Add a test fixture in MultipleCustomPackagesPerTitle_test
that covers a duplicate group with mixed active/inactive rows sharing the same
dedup_token. Create the group so the lower-id row is inactive and the higher-id
row is active, then run the migration path that deduplicates installers. Assert
the active installer is the one retained and any references are repointed to it,
using the existing helpers like insertInstaller, execNoErr, and the policy
re-point checks to locate the relevant assertions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3cee9533-bf90-4bf5-8c5e-95ed606771e0

📥 Commits

Reviewing files that changed from the base of the PR and between ad0a39e and 798d435.

⛔ Files ignored due to path filters (1)
  • server/datastore/mysql/testdata/select_software_titles_sql_fixture.gz is excluded by !**/*.gz
📒 Files selected for processing (15)
  • ee/server/service/software_installers.go
  • server/datastore/mysql/in_house_apps.go
  • server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle.go
  • server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle_test.go
  • server/datastore/mysql/schema.sql
  • server/datastore/mysql/software_installers.go
  • server/datastore/mysql/software_installers_test.go
  • server/datastore/mysql/software_titles.go
  • server/datastore/mysql/software_titles_test.go
  • server/fleet/datastore.go
  • server/fleet/errors.go
  • server/fleet/software_installer.go
  • server/mock/datastore_mock.go
  • server/service/integration_enterprise_test.go
  • server/service/integration_vpp_install_test.go
💤 Files with no reviewable changes (1)
  • server/datastore/mysql/in_house_apps.go

Comment on lines +26 to +57
// Collapse rows that would violate the new key: keep the lowest id per group and delete
// the rest. Re-point policies off the deleted rows first, since
// policies.software_installer_id is RESTRICT. Keep policies.updated_at so this
// content-identical swap doesn't read as a policy edit.
const dupGroups = `
SELECT global_or_team_id, title_id, dedup_token, MIN(id) AS keep_id
FROM software_installers
WHERE title_id IS NOT NULL
GROUP BY global_or_team_id, title_id, dedup_token
HAVING COUNT(*) > 1`

if _, err := tx.Exec(fmt.Sprintf(`
UPDATE policies p
JOIN software_installers si ON si.id = p.software_installer_id
JOIN (%s) dup
ON si.global_or_team_id = dup.global_or_team_id
AND si.title_id = dup.title_id
AND si.dedup_token = dup.dedup_token
SET p.software_installer_id = dup.keep_id, p.updated_at = p.updated_at
WHERE si.id != dup.keep_id`, dupGroups)); err != nil {
return fmt.Errorf("re-pointing policies off duplicate installers: %w", err)
}

if _, err := tx.Exec(fmt.Sprintf(`
DELETE si FROM software_installers si
JOIN (%s) dup
ON si.global_or_team_id = dup.global_or_team_id
AND si.title_id = dup.title_id
AND si.dedup_token = dup.dedup_token
WHERE si.id != dup.keep_id`, dupGroups)); err != nil {
return fmt.Errorf("deleting duplicate installers: %w", err)
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Map and inspect the migration file
ast-grep outline server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle.go --view expanded

echo '--- MIGRATION ---'
sed -n '1,220p' server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle.go

echo '--- TESTS ---'
fd -a '20260629163945_MultipleCustomPackagesPerTitle*' server/datastore/mysql | while read -r f; do
  echo "### $f"
  sed -n '1,260p' "$f"
done

echo '--- is_active READ PATHS ---'
rg -n "is_active\s*=\s*1|GetSoftwareInstallerMetadataByTeamAndTitleID|GetSoftwarePackagesByTeamAndTitleID" server/datastore/mysql

Repository: fleetdm/fleet

Length of output: 21345


Prefer the active installer when collapsing duplicates.

MIN(id) can keep an inactive row and delete the active one if a duplicate pair has mixed is_active values. That leaves the title with no row visible to lookups that require is_active = 1. Pick the active row as keep_id instead of always taking the lowest id.

🧰 Tools
🪛 OpenGrep (1.23.0)

[ERROR] 37-45: SQL query built via fmt.Sprintf or string concatenation passed to a database method. Use parameterized queries with placeholder arguments.

(coderabbit.sql-injection.go-query-format)


[ERROR] 49-55: SQL query built via fmt.Sprintf or string concatenation passed to a database method. Use parameterized queries with placeholder arguments.

(coderabbit.sql-injection.go-query-format)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@server/datastore/mysql/migrations/tables/20260629163945_MultipleCustomPackagesPerTitle.go`
around lines 26 - 57, The duplicate-collapsing logic in the migration currently
uses dupGroups with MIN(id) as keep_id, which can preserve an inactive
software_installers row and delete the active one. Update the dedup selection in
this migration so the retained row prefers the active installer (is_active = 1)
when duplicates share global_or_team_id, title_id, and dedup_token, and only
falls back to the lowest id if no active row exists; keep the subsequent
policies re-pointing and delete statements using the chosen keep_id.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

claude:
Finding 1 (migration keeps inactive over active)** — VALID, will fix. keep_id = MIN(id) ignores is_active, but the reads (GetSoftwareInstallerMetadataByTeamAndTitleID) filter is_active = 1 ORDER BY id ASC. So if a same-dedup_token group ever has a lower-id inactive row and higher-id active row, the migration would delete the active one and the read would then return nothing. Cheap, strictly-better fix that keeps the migration consistent with the reads.

Comment on lines +493 to +520
func softwareInstallerTitleSelect(payload *fleet.UploadSoftwareInstallerPayload) (string, []any) {
switch {
case payload.BundleIdentifier != "":
// match by bundle identifier and source first, or standard matching if we don't have a bundle identifier match
return `SELECT id FROM software_titles WHERE (bundle_identifier = ? AND source = ?) OR (name = ? AND source = ? AND extension_for = '') ORDER BY bundle_identifier = ? DESC LIMIT 1`,
[]any{payload.BundleIdentifier, payload.Source, payload.Title, payload.Source, payload.BundleIdentifier}
case payload.Source == "programs" && payload.UpgradeCode != "":
// select by either name or upgrade code, preferring upgrade code
return `SELECT id FROM software_titles WHERE (name = ? AND source = ? AND extension_for = '' AND upgrade_code = '') OR upgrade_code = ? ORDER BY upgrade_code = ? DESC LIMIT 1`,
[]any{payload.Title, payload.Source, payload.UpgradeCode, payload.UpgradeCode}
default:
return `SELECT id FROM software_titles WHERE name = ? AND source = ? AND extension_for = ''`,
[]any{payload.Title, payload.Source}
}
}

func (ds *Datastore) getExistingSoftwareInstallerTitleID(ctx context.Context, payload *fleet.UploadSoftwareInstallerPayload) (uint, error) {
stmt, args := softwareInstallerTitleSelect(payload)
var titleID uint
switch err := sqlx.GetContext(ctx, ds.reader(ctx), &titleID, stmt, args...); {
case err == nil:
return titleID, nil
case errors.Is(err, sql.ErrNoRows):
return 0, notFound("SoftwareTitle")
default:
return 0, ctxerr.Wrap(ctx, err, "get existing software installer title id")
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n "CREATE TABLE \`software_titles\`" -A 40 server/datastore/mysql/schema.sql

Repository: fleetdm/fleet

Length of output: 3276


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate software_titles insert/upsert paths and package-limit query.
rg -n "software_titles|software_installers|is_active = 1|COUNT\(\*\) FROM software_installers|10 packages|package limit" server/datastore/mysql -g'*.go' -g'*.sql'

# Map the relevant file for targeted reading.
ast-grep outline server/datastore/mysql/software_installers.go --view expanded || true

Repository: fleetdm/fleet

Length of output: 50370


🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n "software_titles|software_installers|is_active = 1|COUNT\(\*\) FROM software_installers|10 packages|package limit" server/datastore/mysql -g'*.go' -g'*.sql'

ast-grep outline server/datastore/mysql/software_installers.go --view expanded || true

Repository: fleetdm/fleet

Length of output: 50370


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant parts of the datastore code.
sed -n '300,520p' server/datastore/mysql/software_installers.go

# Find how software_titles rows are inserted/upserted elsewhere.
rg -n "INSERT INTO software_titles|ON DUPLICATE KEY UPDATE|software_titles" server/datastore/mysql -g'*.go'

Repository: fleetdm/fleet

Length of output: 50369


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the exact code around the title lookup and package limit.
sed -n '480,530p' server/datastore/mysql/software_installers.go
sed -n '4230,4270p' server/datastore/mysql/software_installers.go

# Find any code that deactivates software installer rows.
rg -n "is_active\s*=\s*false|SET is_active|deactivate.*software_installers|soft.*delete.*software_installers" server/datastore/mysql -g'*.go'

Repository: fleetdm/fleet

Length of output: 6694


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Read the package-limit code around the reported lines.
sed -n '4228,4268p' server/datastore/mysql/software_installers.go

# Read the code that toggles active/inactive state.
sed -n '660,710p' server/datastore/mysql/software_installers.go
sed -n '3368,3392p' server/datastore/mysql/software_installers.go

Repository: fleetdm/fleet

Length of output: 4833


Scope the fallback title lookup to plain titles
software_titles is only unique on unique_identifier, source, extension_for, so WHERE name = ? AND source = ? AND extension_for = '' can still match a bundle/app/upgrade-code-backed title with the same name. sqlx.GetContext will then return an arbitrary row; narrow the fallback predicate to plain titles.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/datastore/mysql/software_installers.go` around lines 493 - 520, The
fallback lookup in softwareInstallerTitleSelect can still match non-plain
software titles because it only filters by name, source, and extension_for.
Update the default branch used by getExistingSoftwareInstallerTitleID to
restrict matches to plain titles only, so sqlx.GetContext does not return an
arbitrary bundle/app/upgrade-code-backed SoftwareTitle with the same name. Use
the softwareInstallerTitleSelect and getExistingSoftwareInstallerTitleID symbols
to locate the change.

Source: Path instructions

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ignoring this, we don't want to change this logic. claude:
Finding 2 (default title-select matches non-plain titles)** — SKIP. That default query is main's unchanged title-matching logic, and it's shared with getOrGenerateSoftwareInstallerTitleID (the create path). getExisting must resolve the same title the create path will match/create, or the hash guard would check the wrong title. Restricting only the read breaks that invariant; restricting the shared query changes main's create behavior and risks duplicate titles — out of scope, and the collision (a plain package vs a bundle/upgrade-code title sharing name+source+extension_for='') predates this PR.

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: test-go (fleetctl, mysql:8.0.44) / test

Failed stage: Run Go Tests [❌]

Failed test name: TestGitOpsFullGlobal

Failure summary:

The GitHub Action failed because Go tests in ./cmd/fleetctl/... failed, causing make .run-go-tests
to exit non-zero (Makefile:302, then make test-go Makefile:417).
Specifically, TestGitOpsFullGlobal
failed in both subtests:
- TestGitOpsFullGlobal/useDeprecatedKeys=false
-
TestGitOpsFullGlobal/useDeprecatedKeys=true
The failure occurred when the test attempted to apply
GitOps custom settings and the API rejected the request:
- applying custom settings: POST
/api/latest/fleet/mdm/profiles/batch received status 422 Validation Failed: cannot set custom
settings: Windows MDM isn't turned on.
The error is reported at:
-
/home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/testing_utils_test.go:20
-
/home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/gitops_test.go:2244

Relevant error logs:
1:  Runner name: 'ubuntu-8core-1000967693'
2:  Runner group name: 'default larger runners'
...

986:  �[36;1mattempt=1�[0m
987:  �[36;1m�[0m
988:  �[36;1mwhile [ $attempt -le $max_attempts ]; do�[0m
989:  �[36;1m  echo "Attempt $attempt of $max_attempts"�[0m
990:  �[36;1m�[0m
991:  �[36;1m  # Try to connect to MySQL�[0m
992:  �[36;1m  if wait_for_mysql "mysql_test"; then�[0m
993:  �[36;1m    # If MySQL is ready, try to connect to MySQL replica�[0m
994:  �[36;1m    if wait_for_mysql "mysql_replica_test"; then�[0m
995:  �[36;1m      # Both are ready, we're done�[0m
996:  �[36;1m      echo "All MySQL connections successful"�[0m
997:  �[36;1m      exit 0�[0m
998:  �[36;1m    fi�[0m
999:  �[36;1m  fi�[0m
1000:  �[36;1m�[0m
1001:  �[36;1m  # If we get here, at least one connection failed�[0m
1002:  �[36;1m  echo "Failed to connect to MySQL on attempt $attempt"�[0m
1003:  �[36;1m�[0m
1004:  �[36;1m  if [ $attempt -lt $max_attempts ]; then�[0m
1005:  �[36;1m    echo "Restarting containers and trying again..."�[0m
1006:  �[36;1m    restart_containers�[0m
1007:  �[36;1m  else�[0m
1008:  �[36;1m    echo "Maximum attempts reached. Failing the job."�[0m
1009:  �[36;1m    exit 1�[0m
...

1168:  make .run-go-tests PKG_TO_TEST="./cmd/fleetctl/..."
1169:  make[1]: Entering directory '/home/runner/work/fleet/fleet'
1170:  Running Go tests with gotestsum:
1171:  gotestsum --format=testdox --jsonfile=/tmp/test-output.json -- -tags full,fts5,netgo -run=  -v -race=false -timeout=20m  -parallel 8 -coverprofile=coverage.txt -covermode=atomic -coverpkg=github.com/fleetdm/fleet/v4/... ././cmd/fleetctl/... 
1172:  github.com/fleetdm/fleet/v4/cmd/fleetctl:
1173:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest:
1174:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl/fleetctltest:
1175:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl/goquerycmd:
1176:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl/testing_utils:
1177:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/package:
1178:  �[32m✓�[0m Package (3.47s)
1179:  �[32m✓�[0m Package - -use-sytem-configuration can't be used on installers that aren't pkg (0.00s)
1180:  �[32m✓�[0m Package deb (1.60s)
1181:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/preview:
1182:  �[32m✓�[0m Integrations preview (54.56s)
1183:  �[32m✓�[0m Preview fails on invalid license key (0.00s)
1184:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/vuln:
...

1291:  �[32m✓�[0m Apply specs deprecated keys app config windows updates.grace period days not a number (0.51s)
1292:  �[32m✓�[0m Apply specs deprecated keys app config windows updates.grace period days out of range (0.37s)
1293:  �[32m✓�[0m Apply specs deprecated keys config with FIM values for agent options (#869 9) (0.50s)
1294:  �[32m✓�[0m Apply specs deprecated keys config with blank required org name (0.43s)
1295:  �[32m✓�[0m Apply specs deprecated keys config with blank required server url (0.72s)
1296:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options command-line flags (0.48s)
1297:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options data type in dry-run (0.46s)
1298:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options data type with force (0.55s)
1299:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options in dry-run (0.46s)
1300:  �[32m✓�[0m Apply specs deprecated keys config with invalid key type (0.55s)
1301:  �[32m✓�[0m Apply specs deprecated keys config with invalid value for agent options command-line flags (0.36s)
1302:  �[32m✓�[0m Apply specs deprecated keys config with unknown key (0.61s)
1303:  �[32m✓�[0m Apply specs deprecated keys config with valid agent options command-line flags (0.41s)
1304:  �[32m✓�[0m Apply specs deprecated keys dry-run set with unsupported spec (0.40s)
1305:  �[32m✓�[0m Apply specs deprecated keys dry-run set with various specs, appconfig warning for legacy (0.40s)
1306:  �[32m✓�[0m Apply specs deprecated keys dry-run set with various specs, no errors (0.36s)
1307:  �[32m✓�[0m Apply specs deprecated keys empty config (0.36s)
...

1310:  �[32m✓�[0m Apply specs deprecated keys invalid agent options dry-run (0.50s)
1311:  �[32m✓�[0m Apply specs deprecated keys invalid agent options field type (0.53s)
1312:  �[32m✓�[0m Apply specs deprecated keys invalid agent options field type in overrides (0.43s)
1313:  �[32m✓�[0m Apply specs deprecated keys invalid agent options for existing team (0.39s)
1314:  �[32m✓�[0m Apply specs deprecated keys invalid agent options for new team (0.45s)
1315:  �[32m✓�[0m Apply specs deprecated keys invalid agent options force (0.45s)
1316:  �[32m✓�[0m Apply specs deprecated keys invalid known key's value type for team cannot be forced (0.54s)
1317:  �[32m✓�[0m Apply specs deprecated keys invalid team agent options command-line flag (0.49s)
1318:  �[32m✓�[0m Apply specs deprecated keys invalid top-level key for team (0.45s)
1319:  �[32m✓�[0m Apply specs deprecated keys macos updates deadline set but minimum version empty (0.44s)
1320:  �[32m✓�[0m Apply specs deprecated keys macos updates minimum version set but deadline empty (0.49s)
1321:  �[32m✓�[0m Apply specs deprecated keys macos updates.deadline with incomplete date (0.50s)
1322:  �[32m✓�[0m Apply specs deprecated keys macos updates.deadline with invalid date (0.40s)
1323:  �[32m✓�[0m Apply specs deprecated keys macos updates.deadline with timestamp (0.48s)
1324:  �[32m✓�[0m Apply specs deprecated keys macos updates.minimum version with build version (0.38s)
1325:  �[32m✓�[0m Apply specs deprecated keys missing required failing policies destination url (0.41s)
1326:  �[32m✓�[0m Apply specs deprecated keys missing required host status days count (0.57s)
...

1334:  �[32m✓�[0m Apply specs deprecated keys team config macos settings.enable disk encryption true (0.44s)
1335:  �[32m✓�[0m Apply specs deprecated keys team config macos settings.enable disk encryption with invalid value type (0.36s)
1336:  �[32m✓�[0m Apply specs deprecated keys team config macos settings.enable disk encryption without a value (0.37s)
1337:  �[32m✓�[0m Apply specs deprecated keys unknown key for team can be forced (0.48s)
1338:  �[32m✓�[0m Apply specs deprecated keys valid team agent options command-line flag (0.46s)
1339:  �[32m✓�[0m Apply specs deprecated keys windows updates unset valid (0.49s)
1340:  �[32m✓�[0m Apply specs deprecated keys windows updates valid (0.58s)
1341:  �[32m✓�[0m Apply specs deprecated keys windows updates.deadline days but grace period empty (0.38s)
1342:  �[32m✓�[0m Apply specs deprecated keys windows updates.deadline days not a number (0.58s)
1343:  �[32m✓�[0m Apply specs deprecated keys windows updates.deadline days out of range (0.46s)
1344:  �[32m✓�[0m Apply specs deprecated keys windows updates.grace period days but deadline empty (0.45s)
1345:  �[32m✓�[0m Apply specs deprecated keys windows updates.grace period days not a number (0.41s)
1346:  �[32m✓�[0m Apply specs deprecated keys windows updates.grace period days out of range (0.40s)
1347:  �[32m✓�[0m Apply specs dry-run set with unsupported spec (0.46s)
1348:  �[32m✓�[0m Apply specs dry-run set with various specs, appconfig warning for legacy (0.38s)
1349:  �[32m✓�[0m Apply specs dry-run set with various specs, no errors (0.44s)
1350:  �[32m✓�[0m Apply specs empty config (0.38s)
...

1353:  �[32m✓�[0m Apply specs invalid agent options dry-run (0.45s)
1354:  �[32m✓�[0m Apply specs invalid agent options field type (0.47s)
1355:  �[32m✓�[0m Apply specs invalid agent options field type in overrides (0.51s)
1356:  �[32m✓�[0m Apply specs invalid agent options for existing team (0.50s)
1357:  �[32m✓�[0m Apply specs invalid agent options for new team (0.42s)
1358:  �[32m✓�[0m Apply specs invalid agent options force (0.57s)
1359:  �[32m✓�[0m Apply specs invalid known key's value type for team cannot be forced (0.40s)
1360:  �[32m✓�[0m Apply specs invalid team agent options command-line flag (0.42s)
1361:  �[32m✓�[0m Apply specs invalid top-level key for team (0.55s)
1362:  �[32m✓�[0m Apply specs macos updates deadline set but minimum version empty (0.42s)
1363:  �[32m✓�[0m Apply specs macos updates minimum version set but deadline empty (0.43s)
1364:  �[32m✓�[0m Apply specs macos updates.deadline with incomplete date (0.39s)
1365:  �[32m✓�[0m Apply specs macos updates.deadline with invalid date (0.45s)
1366:  �[32m✓�[0m Apply specs macos updates.deadline with timestamp (0.54s)
1367:  �[32m✓�[0m Apply specs macos updates.minimum version with build version (0.50s)
1368:  �[32m✓�[0m Apply specs missing required failing policies destination url (0.36s)
1369:  �[32m✓�[0m Apply specs missing required host status days count (0.42s)
...

1388:  �[32m✓�[0m Apply specs windows updates.grace period days not a number (0.33s)
1389:  �[32m✓�[0m Apply specs windows updates.grace period days out of range (0.37s)
1390:  �[32m✓�[0m Apply team specs (0.53s)
1391:  �[32m✓�[0m Apply user roles (0.55s)
1392:  �[32m✓�[0m Apply user roles deprecated (0.50s)
1393:  �[32m✓�[0m Apply windows updates (0.41s)
1394:  �[32m✓�[0m Apply windows updates field omitted (0.00s)
1395:  �[32m✓�[0m Apply windows updates with null values (0.00s)
1396:  �[32m✓�[0m Apply windows updates with values (0.00s)
1397:  �[32m✓�[0m Can apply intervals in nanoseconds (0.45s)
1398:  �[32m✓�[0m Can apply intervals using durations (0.64s)
1399:  �[32m✓�[0m Clean status code err (0.00s)
1400:  �[32m✓�[0m Clean status code err bare wrapped status code err (0.00s)
1401:  �[32m✓�[0m Clean status code err nil (0.00s)
1402:  �[32m✓�[0m Clean status code err outer-wrapped status code err (0.00s)
1403:  �[32m✓�[0m Clean status code err plain error untouched (0.00s)
1404:  �[32m✓�[0m Compute label changes (0.00s)
...

1460:  �[32m✓�[0m Filename functions (0.00s)
1461:  �[32m✓�[0m Filename functions outfile name builds a file name using the name provided + current time (0.00s)
1462:  �[32m✓�[0m Filename functions outfile name with ext builds a file name using the name and extension provided + current time (0.00s)
1463:  �[32m✓�[0m FleetctlUpgradePacks empty packs (0.40s)
1464:  �[32m✓�[0m FleetctlUpgradePacks no pack (0.36s)
1465:  �[32m✓�[0m FleetctlUpgradePacks non empty (0.38s)
1466:  �[32m✓�[0m FleetctlUpgradePacks not admin (0.40s)
1467:  �[32m✓�[0m Format XML (0.00s)
1468:  �[32m✓�[0m Format XML XML with attributes (0.00s)
1469:  �[32m✓�[0m Format XML basic XML (0.00s)
1470:  �[32m✓�[0m Format XML empty XML (0.00s)
1471:  �[32m✓�[0m Format XML invalid XML (0.00s)
1472:  �[32m✓�[0m Format XML nested XML (0.00s)
1473:  �[32m✓�[0m Generate MDM apple (0.71s)
1474:  �[32m✓�[0m Generate MDM apple BM (0.36s)
1475:  �[32m✓�[0m Generate MDM apple CSR API call fails (0.40s)
1476:  �[32m✓�[0m Generate MDM apple successful run (0.31s)
1477:  �[32m✓�[0m Generate MDMVPP tokens (0.00s)
1478:  �[32m✓�[0m Generate MDMVPP tokens get VPP tokens error (0.00s)
1479:  �[32m✓�[0m Generate MDMVPP tokens multiple tokens with different teams (0.00s)
...

1497:  �[32m✓�[0m Generate org settings masked google workspace api key (0.00s)
1498:  �[32m✓�[0m Generate policies (0.00s)
1499:  �[32m✓�[0m Generate policies patch policy orphaned from fleet maintained app (0.00s)
1500:  �[32m✓�[0m Generate queries (0.00s)
1501:  �[32m✓�[0m Generate software (0.00s)
1502:  �[32m✓�[0m Generate software auto update schedule (0.00s)
1503:  �[32m✓�[0m Generate software script packages (0.00s)
1504:  �[32m✓�[0m Generate team settings (0.00s)
1505:  �[32m✓�[0m Generate team settings insecure (0.00s)
1506:  �[32m✓�[0m Generated org settings no SSO (0.00s)
1507:  �[32m✓�[0m Generated org settings okta conditional access not included (0.00s)
1508:  �[32m✓�[0m Get MDM command results (0.48s)
1509:  �[32m✓�[0m Get MDM command results command flag required (0.00s)
1510:  �[32m✓�[0m Get MDM command results command not found (0.01s)
1511:  �[32m✓�[0m Get MDM command results command results empty (0.01s)
1512:  �[32m✓�[0m Get MDM command results command results error (0.01s)
1513:  �[32m✓�[0m Get MDM command results darwin command results (0.00s)
1514:  �[32m✓�[0m Get MDM command results host specific results (0.00s)
1515:  �[32m✓�[0m Get MDM command results windows command results (0.00s)
1516:  �[32m✓�[0m Get MDM commands (0.44s)
1517:  �[32m✓�[0m Get apple BM (1.82s)
1518:  �[32m✓�[0m Get apple BM free license (0.47s)
1519:  �[32m✓�[0m Get apple BM premium license, multiple tokens (0.37s)
1520:  �[32m✓�[0m Get apple BM premium license, no token (0.47s)
1521:  �[32m✓�[0m Get apple BM premium license, single token (0.51s)
1522:  �[32m✓�[0m Get apple MDM (0.46s)
1523:  �[32m✓�[0m Get carve (0.37s)
1524:  �[32m✓�[0m Get carve with error (0.31s)
1525:  �[32m✓�[0m Get carves (0.36s)
...

1539:  �[32m✓�[0m Get hosts MDM get hosts - -mdm - -mdm-pending - (0.00s)
1540:  �[32m✓�[0m Get hosts MDM get hosts - -mdm-pending - -yaml - expected list hosts yaml.yml (0.01s)
1541:  �[32m✓�[0m Get hosts get hosts - -json - -remove-deprecated-keys (0.00s)
1542:  �[32m✓�[0m Get hosts get hosts - -json - expected list hosts json.json (0.00s)
1543:  �[32m✓�[0m Get hosts get hosts - -json test host - expected host detail response json.json (0.00s)
1544:  �[32m✓�[0m Get hosts get hosts - -yaml - expected list hosts yaml.yml (0.00s)
1545:  �[32m✓�[0m Get hosts get hosts - -yaml test host - expected host detail response yaml.yml (0.01s)
1546:  �[32m✓�[0m Get label (0.42s)
1547:  �[32m✓�[0m Get label usage include and exclude allowed (0.00s)
1548:  �[32m✓�[0m Get label usage include and exclude allowed macos (0.00s)
1549:  �[32m✓�[0m Get label usage include and exclude allowed macos# 01 (0.00s)
1550:  �[32m✓�[0m Get label usage include and exclude allowed macos# 02 (0.00s)
1551:  �[32m✓�[0m Get label usage include and exclude allowed windows (0.00s)
1552:  �[32m✓�[0m Get label usage include and exclude allowed windows# 01 (0.00s)
1553:  �[32m✓�[0m Get label usage include and exclude allowed windows# 02 (0.00s)
1554:  �[32m✓�[0m Get label usage include exclude overlap error (0.00s)
1555:  �[32m✓�[0m Get label usage include exclude overlap error macos (0.00s)
1556:  �[32m✓�[0m Get label usage include exclude overlap error macos# 01 (0.00s)
1557:  �[32m✓�[0m Get label usage include exclude overlap error macos# 02 (0.00s)
1558:  �[32m✓�[0m Get label usage include exclude overlap error windows (0.00s)
1559:  �[32m✓�[0m Get label usage include exclude overlap error windows# 01 (0.00s)
1560:  �[32m✓�[0m Get label usage include exclude overlap error windows# 02 (0.00s)
1561:  �[32m✓�[0m Get label usage multiple label keys error (0.00s)
1562:  �[32m✓�[0m Get label usage multiple label keys error macos (0.00s)
1563:  �[32m✓�[0m Get label usage multiple label keys error windows (0.00s)
1564:  �[32m✓�[0m Get label usage policy scopes (0.00s)
...

1580:  �[32m✓�[0m Get queries as observer team observer (0.01s)
1581:  �[32m✓�[0m Get query (0.44s)
1582:  �[32m✓�[0m Get query labels include all (0.37s)
1583:  �[32m✓�[0m Get reports labels include all (0.40s)
1584:  �[32m✓�[0m Get software titles (0.33s)
1585:  �[32m✓�[0m Get software versions (0.31s)
1586:  �[32m✓�[0m Get teams (0.94s)
1587:  �[32m✓�[0m Get teams YAML and apply (0.37s)
1588:  �[32m✓�[0m Get teams by name (0.43s)
1589:  �[32m✓�[0m Get teams expired license (0.49s)
1590:  �[32m✓�[0m Get teams not expired license (0.45s)
1591:  �[32m✓�[0m Get teams software from source of truth (0.35s)
1592:  �[32m✓�[0m Get user roles (0.47s)
1593:  �[32m✓�[0m Git ops ABM (5.74s)
1594:  �[32m✓�[0m Git ops ABM backwards compat (0.58s)
1595:  �[32m✓�[0m Git ops ABM both keys errors (0.61s)
1596:  �[32m✓�[0m Git ops ABM deprecated config with two tokens in the db fails (0.44s)
1597:  �[32m✓�[0m Git ops ABM new key all valid (0.72s)
1598:  �[32m✓�[0m Git ops ABM new key multiple elements (0.74s)
1599:  �[32m✓�[0m Git ops ABM no team is supported (0.51s)
1600:  �[32m✓�[0m Git ops ABM non existent org name fails (0.44s)
1601:  �[32m✓�[0m Git ops ABM not provided teams defaults to no team (0.46s)
1602:  �[32m✓�[0m Git ops ABM renamed new key all valid (0.65s)
1603:  �[32m✓�[0m Git ops ABM using an undefined team errors (0.58s)
1604:  �[32m✓�[0m Git ops EULA setting (4.18s)
...

1607:  �[32m✓�[0m Git ops EULA setting not a PDF file (0.48s)
1608:  �[32m✓�[0m Git ops EULA setting relative path to working dir to pdf file (no existing EULA uploaded) (0.50s)
1609:  �[32m✓�[0m Git ops EULA setting relative path to yaml file to pdf file (no existing EULA uploaded) (0.57s)
1610:  �[32m✓�[0m Git ops EULA setting uploading the same EULA again (0.54s)
1611:  �[32m✓�[0m Git ops EULA setting valid new pdf file (different EULA already uploaded) (0.56s)
1612:  �[32m✓�[0m Git ops EULA setting valid pdf file (no existing EULA uploaded) (0.49s)
1613:  �[32m✓�[0m Git ops MDM auth settings (0.41s)
1614:  �[32m✓�[0m Git ops SMTP settings (0.63s)
1615:  �[32m✓�[0m Git ops SSO server URL (0.55s)
1616:  �[32m✓�[0m Git ops SSO settings (0.41s)
1617:  �[32m✓�[0m Git ops android certificates add (0.57s)
1618:  �[32m✓�[0m Git ops android certificates change (0.57s)
1619:  �[32m✓�[0m Git ops android certificates delete all (0.49s)
1620:  �[32m✓�[0m Git ops android certificates delete one (0.52s)
1621:  �[32m✓�[0m Git ops app store app auto update (0.51s)
1622:  �[32m✓�[0m Git ops app store app auto update invalid auto-update window triggers error and does not call update software title auto update config (0.02s)
1623:  �[32m✓�[0m Git ops app store app auto update no auto update settings and no existing schedule does not call update software title auto update config (0.03s)
1624:  �[32m✓�[0m Git ops app store app auto update update software title auto update config is applied for i OS VPP apps (0.02s)
1625:  �[32m✓�[0m Git ops app store app auto update update software title auto update config is not called when no VPP apps provided (0.02s)
1626:  �[32m✓�[0m Git ops apple OS updates (0.45s)
1627:  �[32m✓�[0m Git ops apple OS updates ios updates (0.01s)
1628:  �[32m✓�[0m Git ops apple OS updates ios updates os updated when existing OS update declaration (0.01s)
1629:  �[32m✓�[0m Git ops apple OS updates ipados updates (0.01s)
1630:  �[32m✓�[0m Git ops apple OS updates ipados updates os updated when existing OS update declaration (0.01s)
1631:  �[32m✓�[0m Git ops apple OS updates macos updates (0.01s)
1632:  �[32m✓�[0m Git ops apple OS updates macos updates os updated when existing OS update declaration (0.01s)
1633:  �[32m✓�[0m Git ops basic global and no team (0.70s)
1634:  �[32m✓�[0m Git ops basic global and no team basic global and no-team.yml (0.06s)
1635:  �[32m✓�[0m Git ops basic global and no team both global and no-team.yml define controls -- should fail (0.01s)
1636:  �[32m✓�[0m Git ops basic global and no team controls only defined in no-team.yml (0.05s)
1637:  �[32m✓�[0m Git ops basic global and no team global DOES NOT define controls -- should fail (0.01s)
1638:  �[32m✓�[0m Git ops basic global and no team global and no-team.yml DO NOT define controls -- should fail (0.01s)
1639:  �[32m✓�[0m Git ops basic global and no team global defines software -- should fail (0.01s)
1640:  �[32m✓�[0m Git ops basic global and no team no-team provided without global -- should fail (0.01s)
1641:  �[32m✓�[0m Git ops basic global and no team no-team.yml defines policy with calendar events enabled -- should fail (0.01s)
1642:  �[32m✓�[0m Git ops basic global and no team unassigned provided without global -- should fail (0.01s)
1643:  �[32m✓�[0m Git ops basic global and team (0.64s)
...

1649:  �[32m✓�[0m Git ops custom settings global macos windows custom settings valid.yml (0.44s)
1650:  �[32m✓�[0m Git ops custom settings global windows custom settings invalid label mix 2 .yml (0.49s)
1651:  �[32m✓�[0m Git ops custom settings global windows custom settings invalid label mix.yml (0.51s)
1652:  �[32m✓�[0m Git ops custom settings global windows custom settings unknown label.yml (0.57s)
1653:  �[32m✓�[0m Git ops custom settings team macos custom settings valid deprecated.yml (0.45s)
1654:  �[32m✓�[0m Git ops custom settings team macos windows custom settings invalid labels mix 2 .yml (0.49s)
1655:  �[32m✓�[0m Git ops custom settings team macos windows custom settings invalid labels mix.yml (0.49s)
1656:  �[32m✓�[0m Git ops custom settings team macos windows custom settings unknown label.yml (0.41s)
1657:  �[32m✓�[0m Git ops custom settings team macos windows custom settings valid.yml (0.52s)
1658:  �[32m✓�[0m Git ops dry run rejects invalid label platform (0.48s)
1659:  �[32m✓�[0m Git ops exception enforcement (0.41s)
1660:  �[32m✓�[0m Git ops exception enforcement free tier (0.40s)
1661:  �[32m✓�[0m Git ops exceptions preserve omitted keys (0.38s)
1662:  �[32m✓�[0m Git ops features (0.43s)
1663:  �[32m✓�[0m Git ops filename validation (0.00s)
1664:  �[32m✓�[0m Git ops fleet failing policies webhook policy IDs (0.43s)
1665:  �[32m✓�[0m Git ops fleet webhooks and tickets enabled (0.55s)
...

1822:  �[32m✓�[0m New basic file structure has expected files (0.00s)
1823:  �[32m✓�[0m New basic file structure replaces and escapes org name template var (0.00s)
1824:  �[32m✓�[0m New basic file structure strips .template. from output filenames (0.00s)
1825:  �[32m✓�[0m New dir flag (0.01s)
1826:  �[32m✓�[0m New existing dir with force (0.01s)
1827:  �[32m✓�[0m New existing dir without force (0.00s)
1828:  �[32m✓�[0m New org name YAML quoting (0.01s)
1829:  �[32m✓�[0m New org name validation (0.01s)
1830:  �[32m✓�[0m New org name validation at max length (0.01s)
1831:  �[32m✓�[0m New org name validation control characters stripped (0.01s)
1832:  �[32m✓�[0m New org name validation only control characters (0.00s)
1833:  �[32m✓�[0m New org name validation only whitespace (0.00s)
1834:  �[32m✓�[0m New org name validation too long (0.00s)
1835:  �[32m✓�[0m New output messages (0.01s)
1836:  �[32m✓�[0m New template stripping (0.01s)
1837:  �[32m✓�[0m Print auth error (0.47s)
1838:  �[32m✓�[0m Print auth error SSO disabled shows default login message (0.00s)
1839:  �[32m✓�[0m Print auth error SSO enabled shows SSO instructions (0.00s)
1840:  �[32m✓�[0m Render template (0.00s)
...

1860:  �[32m✓�[0m Run api command get scripts full path missing (0.00s)
1861:  �[32m✓�[0m Run api command get scripts team (0.00s)
1862:  �[32m✓�[0m Run api command get scripts team no cache (0.00s)
1863:  �[32m✓�[0m Run api command get typo (0.00s)
1864:  �[32m✓�[0m Run api command upload script (0.00s)
1865:  �[32m✓�[0m Run script command (0.62s)
1866:  �[32m✓�[0m Run script command disabled scripts globally (0.00s)
1867:  �[32m✓�[0m Run script command host not found (0.01s)
1868:  �[32m✓�[0m Run script command invalid file type (0.00s)
1869:  �[32m✓�[0m Run script command invalid hashbang (0.01s)
1870:  �[32m✓�[0m Run script command invalid utf 8 (0.00s)
1871:  �[32m✓�[0m Run script command missing one of script-path and script-nqme (0.01s)
1872:  �[32m✓�[0m Run script command output truncated (0.01s)
1873:  �[32m✓�[0m Run script command posix shell hashbang (0.01s)
1874:  �[32m✓�[0m Run script command script empty (0.01s)
1875:  �[32m✓�[0m Run script command script failed (0.01s)
1876:  �[32m✓�[0m Run script command script killed (0.01s)
...

1931:  �[32m✓�[0m Validate git ops group EUA global-only run degrades id p but the team's in-run file disables EU A: accepted (0.00s)
1932:  �[32m✓�[0m Validate git ops group EUA global-only run degrades id p while a stored team keeps EUA on: rejected (#4337 1) (0.00s)
1933:  �[32m✓�[0m Validate git ops group EUA no EUA enabled anywhere is accepted (0.00s)
1934:  �[32m✓�[0m Validate git ops group EUA team enables EU A, global file adds complete id P: accepted (0.00s)
1935:  �[32m✓�[0m Validate git ops group EUA team enables EU A, global file adds id p missing entity id: rejected (0.00s)
1936:  �[32m✓�[0m Validate git ops group EUA team enables EU A, global file omits id P, stored has id P: rejected (overwrite clears) (0.00s)
1937:  �[32m✓�[0m Validate git ops group EUA team enables EU A, stored has id P, no global file: accepted (0.00s)
1938:  �[32m✓�[0m Validate git ops group EUA team enables EU A, stored has no id P, no global file: rejected (0.00s)
1939:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/gitops:
1940:  �[32m✓�[0m Git ops VPP (4.94s)
1941:  �[32m✓�[0m Git ops VPP all fleets is supported (0.65s)
1942:  �[32m✓�[0m Git ops VPP all teams is supported (0.59s)
1943:  �[32m✓�[0m Git ops VPP new key all valid (0.61s)
1944:  �[32m✓�[0m Git ops VPP new key multiple elements (0.64s)
1945:  �[32m✓�[0m Git ops VPP no team is supported (0.55s)
1946:  �[32m✓�[0m Git ops VPP non existent location fails (0.55s)
1947:  �[32m✓�[0m Git ops VPP not provided teams defaults to no team (0.75s)
1948:  �[32m✓�[0m Git ops VPP using an undefined team errors (0.60s)
1949:  �[32m✓�[0m Git ops existing team VPP apps with missing team (0.57s)
...

2042:  �[32m✓�[0m Git ops team software installers team software installer with display name.yml (1.45s)
2043:  �[32m✓�[0m Integrations enterprise gitops (319.38s)
2044:  �[32m✓�[0m Integrations enterprise gitops test CA integrations (3.93s)
2045:  �[32m✓�[0m Integrations enterprise gitops test FMA labels include all (6.07s)
2046:  �[32m✓�[0m Integrations enterprise gitops test IPA software installers (10.59s)
2047:  �[32m✓�[0m Integrations enterprise gitops test JSON configuration profile escaping (1.29s)
2048:  �[32m✓�[0m Integrations enterprise gitops test add manual labels (1.57s)
2049:  �[32m✓�[0m Integrations enterprise gitops test configuration profile escaping (1.38s)
2050:  �[32m✓�[0m Integrations enterprise gitops test delete CA with certificate templates (6.00s)
2051:  �[32m✓�[0m Integrations enterprise gitops test delete mac OS setup (5.03s)
2052:  �[32m✓�[0m Integrations enterprise gitops test deleting no team YAML (2.66s)
2053:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience (123.77s)
2054:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience all VPP with setup experience (1.23s)
2055:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience no team VPP (1.16s)
2056:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience no team installers (60.53s)
2057:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience packages fail (60.67s)
2058:  �[32m✓�[0m Integrations enterprise gitops test dry run mac OS setup script with manual agent install conflict (0.43s)
...

2088:  �[32m✓�[0m Integrations enterprise gitops test omitted top level keys global (2.48s)
2089:  �[32m✓�[0m Integrations enterprise gitops test remove custom settings from default YAML (2.57s)
2090:  �[32m✓�[0m Integrations enterprise gitops test special case teams VPP apps (3.83s)
2091:  �[32m✓�[0m Integrations enterprise gitops test special case teams VPP apps all teams (2.42s)
2092:  �[32m✓�[0m Integrations enterprise gitops test special case teams VPP apps no team (1.25s)
2093:  �[32m✓�[0m Integrations enterprise gitops test unset configuration profile labels (4.96s)
2094:  �[32m✓�[0m Integrations enterprise gitops test unset software installer labels (12.44s)
2095:  �[32m✓�[0m Integrations enterprise starter library (5.01s)
2096:  �[32m✓�[0m Integrations enterprise starter library test apply starter library premium (3.56s)
2097:  �[32m✓�[0m Integrations gitops (2.41s)
2098:  �[32m✓�[0m Integrations gitops test fleet gitops (0.57s)
2099:  �[32m✓�[0m Integrations gitops test fleet gitops DDM fleet vars requires premium (0.11s)
2100:  �[32m✓�[0m Integrations gitops test fleet gitops with fleet secrets (0.25s)
2101:  �[32m✓�[0m Integrations starter library (1.63s)
2102:  �[32m✓�[0m Integrations starter library test apply starter library free (0.19s)
2103:  === �[31mFailed�[0m
2104:  === �[31mFAIL�[0m: cmd/fleetctl/fleetctl TestGitOpsFullGlobal/useDeprecatedKeys=false (0.04s)
2105:  time=level=INFO msg="request error" path=/api/latest/fleet/setup_experience/eula/metadata took=126.264µs uuid=218c7406-239c-4e0c-8061-66ac60442257 err="not found"
2106:  [-] would've deleted report Query to delete
2107:  time=level=INFO msg="request error" path=/api/latest/fleet/setup_experience/eula/metadata took=118.43µs uuid=bcaf6987-8bf0-4a0a-a77e-72fd2ee0f5b1 err="not found"
2108:  testing_utils_test.go:20: 
2109:  Error Trace:	/home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/testing_utils_test.go:20
2110:  /home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/gitops_test.go:2244
2111:  Error:      	Received unexpected error:
2112:  applying custom settings: POST /api/latest/fleet/mdm/profiles/batch received status 422 Validation Failed: cannot set custom settings: Windows MDM isn't turned on. For more information about setting up MDM, please visit https://fleetdm.com/learn-more-about/windows-mdm (API time: 1ms)
2113:  Test:       	TestGitOpsFullGlobal/useDeprecatedKeys=false
2114:  --- FAIL: TestGitOpsFullGlobal/useDeprecatedKeys=false (0.04s)
2115:  === �[31mFAIL�[0m: cmd/fleetctl/fleetctl TestGitOpsFullGlobal/useDeprecatedKeys=true (0.04s)
2116:  time=level=INFO msg="request error" path=/api/latest/fleet/setup_experience/eula/metadata took=106.998µs uuid=54f7d12e-9fa2-41d9-88d2-d1f901d7f1d6 err="not found"
2117:  [-] would've deleted report Query to delete
2118:  time=level=INFO msg="request error" path=/api/latest/fleet/setup_experience/eula/metadata took=138.598µs uuid=1bc47fa6-97eb-4ce5-86f3-a306c8a7feed err="not found"
2119:  testing_utils_test.go:20: 
2120:  Error Trace:	/home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/testing_utils_test.go:20
2121:  /home/runner/work/fleet/fleet/cmd/fleetctl/fleetctl/gitops_test.go:2244
2122:  Error:      	Received unexpected error:
2123:  applying custom settings: POST /api/latest/fleet/mdm/profiles/batch received status 422 Validation Failed: cannot set custom settings: Windows MDM isn't turned on. For more information about setting up MDM, please visit https://fleetdm.com/learn-more-about/windows-mdm (API time: 1ms)
2124:  Test:       	TestGitOpsFullGlobal/useDeprecatedKeys=true
2125:  --- FAIL: TestGitOpsFullGlobal/useDeprecatedKeys=true (0.04s)
2126:  === �[31mFAIL�[0m: cmd/fleetctl/fleetctl TestGitOpsFullGlobal (0.72s)
2127:  DONE 921 tests, 3 failures in 649.361s
2128:  make[1]: *** [Makefile:302: .run-go-tests] Error 1
2129:  make[1]: Leaving directory '/home/runner/work/fleet/fleet'
2130:  make: *** [Makefile:417: test-go] Error 2
2131:  ##[error]Process completed with exit code 2.
2132:  Node 20 is being deprecated. This workflow is running with Node 24 by default. If you need to temporarily use Node 20, you can set the ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true environment variable. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
2133:  ##[group]Run actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
2134:  with:
2135:  name: fleetctl-mysql8.0.44-coverage
2136:  path: ./coverage.txt
2137:  if-no-files-found: error
2138:  compression-level: 6
...

2141:  RACE_ENABLED: false
2142:  GO_TEST_TIMEOUT: 20m
2143:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2144:  RUN_TESTS_ARG: 
2145:  CI_TEST_PKG: fleetctl
2146:  NEED_DOCKER: 1
2147:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2148:  GOTOOLCHAIN: local
2149:  ##[endgroup]
2150:  (node:49139) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2151:  (Use `node --trace-deprecation ...` to show where the warning was created)
2152:  With the provided path, there will be 1 file uploaded
2153:  Artifact name is valid!
2154:  Root directory input is valid!
2155:  Beginning upload of artifact content to blob storage
2156:  (node:49139) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2157:  Uploaded bytes 2309973
2158:  Finished uploading artifact content to blob storage!
2159:  SHA256 hash of uploaded artifact zip is a903ae10d9b245a51744d2371e202bb8f2a8f5f336aa551c5c3a6fb88f1535b5
2160:  Finalizing artifact upload
2161:  Artifact fleetctl-mysql8.0.44-coverage.zip successfully finalized. Artifact ID 8044386938
2162:  Artifact fleetctl-mysql8.0.44-coverage has been successfully uploaded! Final size is 2309973 bytes. Artifact ID is 8044386938
2163:  Artifact download URL: https://github.com/fleetdm/fleet/actions/runs/28602701862/artifacts/8044386938
2164:  ##[group]Run c1grep() { grep "$@" || test $? = 1; }
2165:  �[36;1mc1grep() { grep "$@" || test $? = 1; }�[0m
2166:  �[36;1mc1grep -oP 'FAIL: .*$' /tmp/gotest.log > /tmp/summary.txt�[0m
2167:  �[36;1mc1grep 'test timed out after' /tmp/gotest.log >> /tmp/summary.txt�[0m
2168:  �[36;1mc1grep 'fatal error:' /tmp/gotest.log >> /tmp/summary.txt�[0m
2169:  �[36;1mc1grep -A 10 'panic: runtime error: ' /tmp/gotest.log >> /tmp/summary.txt�[0m
2170:  �[36;1mc1grep ' FAIL\t' /tmp/gotest.log >> /tmp/summary.txt�[0m
2171:  �[36;1mGO_FAIL_SUMMARY=$(head -n 5 /tmp/summary.txt | sed ':a;N;$!ba;s/\n/\\n/g')�[0m
2172:  �[36;1mecho "GO_FAIL_SUMMARY=$GO_FAIL_SUMMARY"�[0m
2173:  �[36;1mif [[ -z "$GO_FAIL_SUMMARY" ]]; then�[0m
2174:  �[36;1m  GO_FAIL_SUMMARY="unknown, please check the build URL"�[0m
2175:  �[36;1mfi�[0m
2176:  �[36;1mGO_FAIL_SUMMARY=$GO_FAIL_SUMMARY envsubst < .github/workflows/config/slack_payload_template.json > ./payload.json�[0m
2177:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2178:  env:
2179:  RACE_ENABLED: false
2180:  GO_TEST_TIMEOUT: 20m
2181:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2182:  RUN_TESTS_ARG: 
2183:  CI_TEST_PKG: fleetctl
2184:  NEED_DOCKER: 1
2185:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2186:  GOTOOLCHAIN: local
2187:  ##[endgroup]
2188:  GO_FAIL_SUMMARY=FAIL: TestGitOpsFullGlobal/useDeprecatedKeys=false (0.04s)\nFAIL: TestGitOpsFullGlobal/useDeprecatedKeys=true (0.04s)
2189:  Node 20 is being deprecated. This workflow is running with Node 24 by default. If you need to temporarily use Node 20, you can set the ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true environment variable. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
2190:  ##[group]Run actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
2191:  with:
2192:  name: fleetctl-mysql8.0.44-test-log
2193:  path: /tmp/gotest.log
2194:  if-no-files-found: error
2195:  compression-level: 6
...

2198:  RACE_ENABLED: false
2199:  GO_TEST_TIMEOUT: 20m
2200:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2201:  RUN_TESTS_ARG: 
2202:  CI_TEST_PKG: fleetctl
2203:  NEED_DOCKER: 1
2204:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2205:  GOTOOLCHAIN: local
2206:  ##[endgroup]
2207:  (node:49164) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2208:  (Use `node --trace-deprecation ...` to show where the warning was created)
2209:  With the provided path, there will be 1 file uploaded
2210:  Artifact name is valid!
2211:  Root directory input is valid!
2212:  Beginning upload of artifact content to blob storage
2213:  (node:49164) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2214:  Uploaded bytes 10952
...

2230:  RACE_ENABLED: false
2231:  GO_TEST_TIMEOUT: 20m
2232:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2233:  RUN_TESTS_ARG: 
2234:  CI_TEST_PKG: fleetctl
2235:  NEED_DOCKER: 1
2236:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2237:  GOTOOLCHAIN: local
2238:  ##[endgroup]
2239:  (node:49176) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2240:  (Use `node --trace-deprecation ...` to show where the warning was created)
2241:  With the provided path, there will be 1 file uploaded
2242:  Artifact name is valid!
2243:  Root directory input is valid!
2244:  Beginning upload of artifact content to blob storage
2245:  (node:49176) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2246:  Uploaded bytes 205
...

2262:  RACE_ENABLED: false
2263:  GO_TEST_TIMEOUT: 20m
2264:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2265:  RUN_TESTS_ARG: 
2266:  CI_TEST_PKG: fleetctl
2267:  NEED_DOCKER: 1
2268:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2269:  GOTOOLCHAIN: local
2270:  ##[endgroup]
2271:  (node:49188) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2272:  (Use `node --trace-deprecation ...` to show where the warning was created)
2273:  With the provided path, there will be 1 file uploaded
2274:  Artifact name is valid!
2275:  Root directory input is valid!
2276:  Beginning upload of artifact content to blob storage
2277:  (node:49188) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2278:  Uploaded bytes 104861
...

2311:  RACE_ENABLED: false
2312:  GO_TEST_TIMEOUT: 20m
2313:  DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test
2314:  RUN_TESTS_ARG: 
2315:  CI_TEST_PKG: fleetctl
2316:  NEED_DOCKER: 1
2317:  ARTIFACT_PREFIX: fleetctl-mysql8.0.44
2318:  GOTOOLCHAIN: local
2319:  ##[endgroup]
2320:  (node:49223) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
2321:  (Use `node --trace-deprecation ...` to show where the warning was created)
2322:  With the provided path, there will be 1 file uploaded
2323:  Artifact name is valid!
2324:  Root directory input is valid!
2325:  Beginning upload of artifact content to blob storage
2326:  (node:49223) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
2327:  Uploaded bytes 133

JOIN (%s) dup
ON si.global_or_team_id = dup.global_or_team_id
AND si.title_id = dup.title_id
AND si.dedup_token = dup.dedup_token

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this re-point setup_experience_software_installers rows onto the surviving installer before deleting duplicates, since that FK is ON DELETE CASCADE (unlike policies, which you already addrewss here) and would otherwise silently drop a setup experience selection that lived only on a deleted row?

WHERE si.global_or_team_id = ? AND st.source = ? AND st.bundle_identifier = ?
AND (si.fleet_maintained_app_id IS NOT NULL) = ?
)`
args = []any{ptr.ValOrZero(payload.TeamID), payload.Source, payload.BundleIdentifier, wantFMA}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add an explicit non-empty BundleIdentifier guard here, just to be defensive?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants