Skip to content

Cherry-pick #48598: Adding in check to disable recovery lock on personal macos since it doesn't have the required permissions#48601

Merged
georgekarrv merged 1 commit into
rc-minor-fleet-v4.89.0from
georgekarrv/disable-recovery-lock-personal-macos-cp
Jul 2, 2026
Merged

Cherry-pick #48598: Adding in check to disable recovery lock on personal macos since it doesn't have the required permissions#48601
georgekarrv merged 1 commit into
rc-minor-fleet-v4.89.0from
georgekarrv/disable-recovery-lock-personal-macos-cp

Conversation

@georgekarrv

Copy link
Copy Markdown
Member

Cherry-pick of #48598 into the RC branch rc-minor-fleet-v4.89.0.

…oesn't have the required permissions (#48598)

<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #48594

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [x] Alerted the release DRI if additional load testing is needed

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Recovery-lock password checks now skip personally owned (BYOD) Apple
devices, avoiding failures on eligible hosts.
* Recovery-lock clear actions are no longer applied to personally owned
enrollments.

* **Tests**
* Added coverage to verify BYOD devices are excluded from both
recovery-lock enforcement and clear workflows.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@georgekarrv georgekarrv requested a review from a team as a code owner July 1, 2026 21:21

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: aggregate-result

Failed stage: Check for failures [❌]

Failed test name: integration-enterprise-mysql8.0.44

Failure summary:

The action failed because at least one test job reported a failed status:
- The status file
./integration-enterprise-mysql8.0.44-status/status contained fail, so the script flagged
integration-enterprise-mysql8.0.44 as failed.
- The workflow step then exited with code 1 after
printing ❌ One or more test jobs failed: integration-enterprise-mysql8.0.44 (line 191), causing the
GitHub Action to fail.

Relevant error logs:
1:  ##[group]Runner Image Provisioner
2:  Hosted Compute Agent
...

126:  Extracting artifact entry: /home/runner/work/fleet/fleet/service-mysql8.0.44-status/status
127:  Artifact download completed successfully.
128:  Artifact download completed successfully.
129:  Extracting artifact entry: /home/runner/work/fleet/fleet/vuln-mysql8.0.44-status/status
130:  Artifact download completed successfully.
131:  Extracting artifact entry: /home/runner/work/fleet/fleet/integration-enterprise-mysql8.0.44-status/status
132:  Artifact download completed successfully.
133:  Extracting artifact entry: /home/runner/work/fleet/fleet/mysql-mysql8.0.44-status/status
134:  Artifact download completed successfully.
135:  Extracting artifact entry: /home/runner/work/fleet/fleet/scripts-status/status
136:  Artifact download completed successfully.
137:  Extracting artifact entry: /home/runner/work/fleet/fleet/integration-core-mysql8.0.44-status/status
138:  Artifact download completed successfully.
139:  Total of 10 artifact(s) downloaded
140:  Download artifact has finished successfully
141:  ##[group]Run failed_tests=""
142:  �[36;1mfailed_tests=""�[0m
143:  �[36;1mstatus_count=0�[0m
144:  �[36;1m# Find all status files (they are in directories like 'fleetctl-mysql8.0.44-status/status')�[0m
145:  �[36;1mfor status_file in $(find ./ -type f -name 'status'); do�[0m
146:  �[36;1m  status_count=$((status_count + 1))�[0m
147:  �[36;1m  # Extract test name from parent directory (e.g., 'fleetctl-mysql8.0.44-status')�[0m
148:  �[36;1m  test_dir=$(basename $(dirname "$status_file"))�[0m
149:  �[36;1m  # Remove '-status' suffix to get the test name�[0m
150:  �[36;1m  test_name="${test_dir%-status}"�[0m
151:  �[36;1m  status_content=$(cat "$status_file")�[0m
152:  �[36;1m  echo "Processing: $status_file (Test: $test_name) with status content: $status_content"�[0m
153:  �[36;1m  if grep -q "fail" "$status_file"; then�[0m
154:  �[36;1m    echo "  ❌ Test failed: $test_name"�[0m
155:  �[36;1m    failed_tests="${failed_tests}${test_name}, "�[0m
156:  �[36;1m  else�[0m
157:  �[36;1m    echo "  ✅ Test passed: $test_name"�[0m
158:  �[36;1m  fi�[0m
159:  �[36;1mdone�[0m
160:  �[36;1mif [[ $status_count -eq 0 ]]; then�[0m
161:  �[36;1m  echo "❌ ERROR: No status files found! This indicates a workflow issue."�[0m
162:  �[36;1m  exit 1�[0m
163:  �[36;1mfi�[0m
164:  �[36;1mif [[ -n "$failed_tests" ]]; then�[0m
165:  �[36;1m  echo "❌ One or more test jobs failed: ${failed_tests%, }"�[0m
166:  �[36;1m  exit 1�[0m
167:  �[36;1mfi�[0m
168:  �[36;1mecho "✅ All test jobs succeeded."�[0m
169:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
170:  ##[endgroup]
171:  Processing: ./fleetctl-mysql8.0.44-status/status (Test: fleetctl-mysql8.0.44) with status content: success
172:  ✅ Test passed: fleetctl-mysql8.0.44
173:  Processing: ./vuln-mysql8.0.44-status/status (Test: vuln-mysql8.0.44) with status content: success
174:  ✅ Test passed: vuln-mysql8.0.44
175:  Processing: ./service-mysql8.0.44-status/status (Test: service-mysql8.0.44) with status content: success
176:  ✅ Test passed: service-mysql8.0.44
177:  Processing: ./integration-core-mysql8.0.44-status/status (Test: integration-core-mysql8.0.44) with status content: success
178:  ✅ Test passed: integration-core-mysql8.0.44
179:  Processing: ./mysql-mysql8.0.44-status/status (Test: mysql-mysql8.0.44) with status content: success
180:  ✅ Test passed: mysql-mysql8.0.44
181:  Processing: ./integration-enterprise-mysql8.0.44-status/status (Test: integration-enterprise-mysql8.0.44) with status content: fail
182:  ❌ Test failed: integration-enterprise-mysql8.0.44
183:  Processing: ./integration-mdm-mysql8.0.44-status/status (Test: integration-mdm-mysql8.0.44) with status content: success
184:  ✅ Test passed: integration-mdm-mysql8.0.44
185:  Processing: ./scripts-status/status (Test: scripts) with status content: success
186:  ✅ Test passed: scripts
187:  Processing: ./fast-status/status (Test: fast) with status content: success
188:  ✅ Test passed: fast
189:  Processing: ./main-mysql8.0.44-status/status (Test: main-mysql8.0.44) with status content: success
190:  ✅ Test passed: main-mysql8.0.44
191:  ❌ One or more test jobs failed: integration-enterprise-mysql8.0.44
192:  ##[error]Process completed with exit code 1.
193:  Post job cleanup.

@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (rc-minor-fleet-v4.89.0@c99ade5). Learn more about missing BASE report.

Additional details and impacted files
@@                    Coverage Diff                    @@
##             rc-minor-fleet-v4.89.0   #48601   +/-   ##
=========================================================
  Coverage                          ?   67.45%           
=========================================================
  Files                             ?     3676           
  Lines                             ?   233609           
  Branches                          ?    12240           
=========================================================
  Hits                              ?   157581           
  Misses                            ?    61860           
  Partials                          ?    14168           
Flag Coverage Δ
backend 69.00% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@georgekarrv georgekarrv merged commit 241a0d0 into rc-minor-fleet-v4.89.0 Jul 2, 2026
32 of 35 checks passed
@georgekarrv georgekarrv deleted the georgekarrv/disable-recovery-lock-personal-macos-cp branch July 2, 2026 16:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants