
fix mdmproxy build by reverting back to previous but not filtering tags #48264

Merged: rfairburn merged 2 commits into main from fix-mdmproxy-build, Jun 29, 2026


@rfairburn rfairburn commented Jun 25, 2026

Contributor

Related issue: Resolves #

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

  • Timeouts are implemented and retries are limited to avoid infinite loops

  • If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

For unreleased bug fixes in a release candidate, one of:

  • Confirmed that the fix is not expected to adversely impact load test results
  • Alerted the release DRI if additional load testing is needed

Database migrations

  • Checked schema for all modified tables for columns that will auto-update timestamps during migration.
  • Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
  • Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

New Fleet configuration settings

  • Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for GitOps-enabled settings:

  • Verified that the setting is exported via fleetctl generate-gitops
  • Verified the setting is documented in a separate PR to the GitOps documentation
  • Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
  • Verified that any relevant UI is disabled when GitOps mode is enabled

fleetd/orbit/Fleet Desktop

  • Verified compatibility with the latest released version of Fleet (see Must rule)
  • If the change applies to only one platform, confirmed that runtime.GOOS is used as needed to isolate changes
  • Verified that fleetd runs on macOS, Linux and Windows
  • Verified auto-update works from the released version of component to the new version (see tools/tuf/test)

Summary by CodeRabbit

  • Chores
    • Updated the container build process for the migration proxy so the binary is built during image creation.
    • Adjusted the runtime image packaging to copy the generated executable from the build output location while keeping runtime behavior unchanged.

Copilot AI review requested due to automatic review settings June 25, 2026 12:56

@claude claude Bot left a comment


Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

Copilot AI left a comment

Contributor


Pull request overview

This PR updates the mdmproxy Docker build to compile the binary from a checked-out Fleet repo (instead of go install ...@TAG), aiming to restore successful builds while allowing the build arg to reference tags/branches as needed.

Changes:

  • Install git in the builder stage and git clone Fleet at the provided TAG.
  • Build mdmproxy via go build from the cloned source.
  • Update the final-stage COPY to pull the binary from the build output path in the cloned repo.


Comment thread tools/mdm/migration/mdmproxy/Dockerfile
Comment thread tools/mdm/migration/mdmproxy/Dockerfile Outdated

coderabbitai Bot commented Jun 25, 2026

Contributor


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ef979090-a67b-4992-bced-14ac5b6ddbb0

📥 Commits

Reviewing files that changed from the base of the PR and between 6b61881 and 9822201.

📒 Files selected for processing (1)
  • tools/mdm/migration/mdmproxy/Dockerfile
🚧 Files skipped from review as they are similar to previous changes (1)
  • tools/mdm/migration/mdmproxy/Dockerfile

Walkthrough

The Dockerfile for tools/mdm/migration/mdmproxy now builds mdmproxy by cloning fleet at the build-time TAG, installing git, and running go build in the tool directory. The runtime stage now copies the binary from /go/fleet/tools/mdm/migration/mdmproxy/mdmproxy instead of /go/bin/mdmproxy.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description is just the template and lacks a real issue reference, testing details, and filled checklist items. | Fill in the related issue, summarize the change, and complete or remove checklist items with any testing details. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title matches the mdmproxy Dockerfile build change and tag-handling adjustment, though phrasing is a bit awkward. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tools/mdm/migration/mdmproxy/Dockerfile`:
- Around line 2-5: The Dockerfile’s git clone step uses TAG unquoted in a shell
RUN, which can allow build-time command injection if the value is
user-controlled. Update the mdmproxy Dockerfile to validate TAG before it
reaches the shell and ensure the git clone invocation in the RUN block treats it
as a safe branch/ref value. Locate the fix around the ARG TAG and the git clone
command so the build only accepts expected tag formats and does not expand
arbitrary shell metacharacters.
- Around line 4-6: The Dockerfile build step that clones Fleet in the mdmproxy
image currently checks out only by tag, which can drift if the tag is moved.
Update the git clone flow to accept a commit SHA input alongside the existing
TAG, then verify the checked-out revision in the same RUN sequence after
checkout before running go build in tools/mdm/migration/mdmproxy. Use the
existing git clone command block as the fix point and ensure the HEAD SHA
matches the expected commit SHA.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 979f0d44-8aa3-4fab-9691-e917b4ba4841

📥 Commits

Reviewing files that changed from the base of the PR and between c041c6c and 6b61881.

📒 Files selected for processing (1)
  • tools/mdm/migration/mdmproxy/Dockerfile

Comment thread tools/mdm/migration/mdmproxy/Dockerfile
Comment thread tools/mdm/migration/mdmproxy/Dockerfile Outdated
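
The two CodeRabbit findings above (a TAG value that reaches the shell unquoted, and a tag that can be moved after review) come down to two checks around the clone step. The following is an added example, not the PR's Dockerfile or Fleet's code: a POSIX shell version of those checks, in which the function names, the allowed character set, the exit codes and the sample refs are all assumptions.

```shell
#!/bin/sh
# Added example: allow-list a build ref and verify the pinned commit.
# Function names, the ref pattern and sample values are assumptions.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges byte-exact

# Accept only characters that appear in ordinary tag and branch names.
# Rejects empty values, a leading "-" (would be parsed as an option),
# ".." and every shell metacharacter, including whitespace.
valid_ref() {
  case "$1" in
    ''|-*|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac
}

# A full commit id: exactly 40 lowercase hex digits.
valid_sha() {
  [ "${#1}" -eq 40 ] || return 1
  case "$1" in *[!0-9a-f]*) return 1 ;; esac
}

# clone_pinned REPO_URL REF EXPECTED_SHA DEST
# Returns 2 on rejected input, 3 on git failure, 4 on pin mismatch.
clone_pinned() {
  valid_ref "$2" || { echo "rejected ref: not an allowed tag/branch name" >&2; return 2; }
  valid_sha "$3" || { echo "rejected sha: need 40 lowercase hex digits" >&2; return 2; }
  # Quoted expansions plus "--" keep each value a single argument.
  git clone --depth 1 --branch "$2" -- "$1" "$4" || return 3
  head=$(git -C "$4" rev-parse HEAD) || return 3
  [ "$head" = "$3" ] || { echo "pin mismatch: HEAD is $head" >&2; return 4; }
}

# Constructed sample refs, checked without touching the network.
for ref in 'v1.2.3' 'release/v1.2.3' 'v1; id' '$(id)' '-b'; do
  if valid_ref "$ref"; then echo "accept: $ref"; else echo "reject: $ref"; fi
done
```

In a Dockerfile these checks would run inside the same RUN step that clones the repository, with the expected SHA supplied as a second build argument so that a moved tag fails the build before `go build` runs.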
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@rfairburn rfairburn merged commit 8e80e97 into main Jun 29, 2026
9 checks passed
@rfairburn rfairburn deleted the fix-mdmproxy-build branch June 29, 2026 16:59