Cherry-pick #45742: Adding changes for Fleet v4.86.0

[lukeheath]

Cherry-picks c94e74bcde (PR #45742) from rc-minor-fleet-v4.86.0 into main so main reflects the v4.86.0 version bump (CHANGELOG, Helm chart, dogfood terraform, fleetctl-npm, release tooling).

Conflict resolution

charts/fleet/values.yaml: kept the new imagePullPolicy comment block from main and applied the version bump (v4.85.1 → v4.86.0).

Summary by CodeRabbit

• New Features

  • Added iOS/iPadOS software install support for user-enrolled devices via Account-Driven User Enrollment.
  • Custom organization logo uploads (light/dark variants) now hosted by Fleet.
  • Dashboard now displays "Hosts online" and "Hosts enrolled" charts.
  • SVG support for custom logos with security sanitization.
  • "Include all" and "Custom" label scope options for policies and reports.

• Bug Fixes

  • Improved SMTP error messaging for SSL/TLS configuration issues.
  • Fixed export hosts to match current UI filters, sort, and search state.
  • Corrected host activity permissions for fleet-scoped users.

• Improvements

  • Reduced fleet and fleetctl binary sizes.
  • Enhanced UI empty-state consistency across pages.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[Copilot]

Pull request overview

Cherry-picks the Fleet v4.86.0 release updates into main, including release notes, version bumps for packaging/deployment artifacts, and removal of consumed changelog fragments.

Changes:

• Added Fleet 4.86.0 changelog section.
• Bumped Helm chart, dogfood Terraform image defaults, fleetctl npm package, and release tooling examples to v4.86.0.
• Removed consumed changes/ entries included in the changelog.

Reviewed changes

Copilot reviewed 7 out of 141 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
CHANGELOG.md	Adds Fleet 4.86.0 release notes.
charts/fleet/Chart.yaml	Bumps chart/app versions.
charts/fleet/values.yaml	Bumps default Fleet image tag.
infrastructure/dogfood/terraform/aws/variables.tf	Bumps AWS dogfood image.
infrastructure/dogfood/terraform/gcp/variables.tf	Bumps GCP dogfood image.
tools/fleetctl-npm/package.json	Bumps fleetctl npm package version.
tools/github-manage/cmd/gm/releases.go	Updates forecast command example milestone.
changes/*	Removes consumed changelog fragments for the v4.86.0 release.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b44a0c9e-5ebe-4406-a4a2-78248b4e5cc0

📥 Commits

Reviewing files that changed from the base of the PR and between ef6a51d and 6bb48fd.

⛔ Files ignored due to path filters (1)

• CHANGELOG.md is excluded by !**/*.md

📒 Files selected for processing (140)

• changes/31138-user-enrolled-software-install
• changes/33555-better-error-handling-of-win-pre-install-setup
• changes/34103-sso-invite-accept
• changes/34104-smtp-starttls-error-message
• changes/34229-gitops-label-validation
• changes/34464-gitops-dry-run-manual-agent-install-script-conflict
• changes/34924-expired-license-cli-banner
• changes/35089-fleetctl-released-as-pkg
• changes/35173-cis-macos-26-v1
• changes/35195-slate-homebrew-cpe-mismatch
• changes/35483-empty-states
• changes/36417-update-enrolling-activities-display-name
• changes/36976-activities-for-labels
• changes/37012-host-details-activity-upcoming-count
• changes/37142-local-admin-password-rotation
• changes/37682-clear-state-on-abm-re-enrollment
• changes/38437-activity-list-date-filter-consistency
• changes/38785-windows-setup-experience-cancel
• changes/38790-ios-ipados-managed-app-configuration
• changes/39016-upload-custom-org-logo
• changes/39096-cis-win11-v5
• changes/39727-creating-queries-back-to-hosts-bug
• changes/40459-wipe-host-cancels-upcoming-activities
• changes/40623-failed-enrollment-renewal
• changes/40905-update-default-automatic-enrollment-profile
• changes/41472-android-cert-san-server
• changes/415640-policy-reports-new-custom-option
• changes/41565-policy-report-new-scopes-frontend
• changes/41566-policy-report-labels-gitops
• changes/41592-eua-broken-with-custom-apple-mdm-url‎
• changes/41985-idp-host-vitals-tahoe-migration
• changes/41996-department-idp-host-vital-not-populating-for-some-users
• changes/42026-show-uninstall-button
• changes/42218-ios-supplemental-os-version-extra
• changes/42477-gitops-dry-run-label-platform
• changes/42503-deprecate-software-under-setup-experience
• changes/42522-labels-not-supported-in-no-team
• changes/42545-windows-profile-reconciliation-batching
• changes/42607-gitops-dry-run-empty-software
• changes/42613-dedupe-network-errors-in-error-store
• changes/42637-clear-stale-broken-label-associations
• changes/42741-fix-goval-dictionary-fd-leak
• changes/42827-macos-mdm-certificate-ingestion
• changes/42874-saml-jit-empty-role-values
• changes/42886-fix-google-cal-gitops-validation
• changes/42930-show-retries-script-software-automations-host-details
• changes/42972-add-fleetctl-msi-to-release
• changes/43027-return-404-for-missing-resources
• changes/43031-post-queries-null-name-or-query-500
• changes/43032-post-packs-null-name
• changes/43091-inaccurate-total-disk-space
• changes/43135-fix-stale-label-hosts
• changes/43279-my-device-page-location-vital-looks-clickable
• changes/43294-sticky-team-enrollment
• changes/43511-gitops-icon-update-recovers
• changes/43598-fix-gitops-glob-path-validation
• changes/43609-gitops-mode-false-positive-activity
• changes/43637-disk-encryption-table-horizontal-scroll
• changes/43640-actions-dropdown-auto-closing
• changes/43643-conditional-access-header-fleet-free
• changes/43645-timestamps-are-not-consistently-styled-as-hoverable-missing-dotted-underlines
• changes/43646-inconsistent-alignment-fleet-premium
• changes/43647-close-policy-details-modal-when-navigating-back-to-host-details
• changes/43656-scim-users-duplicate-host-id
• changes/43659-script-only-hash-ref-preserves-install-script
• changes/43673-sort-software-titles-by-display-name
• changes/43688-fix-text-alignment-issues
• changes/43721-clean-up-gitops-errors
• changes/43767-delete-label-error-msg
• changes/43769-added-charts-to-dashboard
• changes/43846-vpp-app-store-non-us-abm
• changes/43857-improve-error-on-missing-gitops-name
• changes/43928-host-by-nodekey-cache
• changes/43959-duplicate-installers
• changes/43984-setup-experience-users-ui-updates
• changes/43997-orbit-debug-logging-on-enroll
• changes/44046-create-team-labels-before-consumers
• changes/44082-add-script-output-to-gitops
• changes/44084-fix-install-loop-on-deleted-installer
• changes/44111-scep-autorenew-fail
• changes/44124-add-vulnerabilities-chart
• changes/44170-fleetctl-mdm-commands-require-host
• changes/44170-list-mdm-commands-perf
• changes/44189-host-profile-perf
• changes/44190-mdm-queue-cleanup
• changes/44194-team-bitlocker-windows-only
• changes/44196-script-library-gitops-fixes
• changes/44242-fleetctl-vuln-data-stream-osv
• changes/44252-unable-to-edit-existing-user-to-use-2fa-422-error
• changes/44286-deleted-policy-activity-for-patch-policies
• changes/44298-fix-goquery-dependency-side-effects
• changes/44326-empty-states
• changes/44333-gitops-custom-org-logo-upload
• changes/44376-stale-apns-push-cert-not-updated
• changes/44391-osv-vuln-optimizations
• changes/44391-vuln-scan-product-index
• changes/44422-list-mdm-commands-host-identifier-after
• changes/44456-validate-payload-scope-dry-run
• changes/44459-recovery-password-key-team-transfer
• changes/44533-request-pem-certificate
• changes/44630-fix-enable-host-users-default
• changes/44696-add-list-software-perms-for-gitops
• changes/44798-scope-windows-mdm-profiles-query
• changes/44801-end-user-auth-windows-linux-only
• changes/44804-win-mdm-profile-bulk-insert
• changes/44816-fast-fail-device-auth
• changes/44950-gitops-null-label-id
• changes/44980-always-assign-profile-missing-devices
• changes/45018-export-host-bug
• changes/45024-android-sso-missing-profile
• changes/45141-edit-label-form-mention-fleets
• changes/45256-reduce-fleet-and-fleetctl-binary-sizes
• changes/45258-android-host-expiry-loop
• changes/45330-gitops-mode-from-yaml
• changes/45491-mdm-name-from-server-url-nondeterministic
• changes/45520-nil-pointer-panic-in-android-enterprise-pubsub-endpoint
• changes/45705-android-gitops-fix
• changes/45715-implement-roaring-bitmaps
• changes/45720-remove-unneeded-query
• changes/45763-unable-to-issue-dynamic-scep-certificates-after-4850-upgrade
• changes/45844-gitops-vpp-dry-run-label-validation
• changes/46001-android-orbit-enroll-duplicate-host
• changes/46009-fix-host-activity-user-enrichment-authz
• changes/46009-fix-missing-opa-policy-tags
• changes/add-svg-support-custom-logos
• changes/cleanup-list-opts
• changes/fix-android-host-software-filter
• changes/fix-fleetctl-new-checkout-action
• changes/fix-get-policy-id-endpoint-and-unify-access-in-ui
• changes/fix-gitops-controls-set-criteria
• changes/fix-hosts-in-label-filtering
• changes/fix-mdm-commands-filtering
• changes/fleetd-base-windows-secret
• changes/update-go-1.26.3
• charts/fleet/Chart.yaml
• charts/fleet/values.yaml
• infrastructure/dogfood/terraform/aws/variables.tf
• infrastructure/dogfood/terraform/gcp/variables.tf
• tools/fleetctl-npm/package.json
• tools/github-manage/cmd/gm/releases.go

💤 Files with no reviewable changes (134)

• changes/34924-expired-license-cli-banner
• changes/42874-saml-jit-empty-role-values
• changes/40623-failed-enrollment-renewal
• changes/41472-android-cert-san-server
• changes/42522-labels-not-supported-in-no-team
• changes/36417-update-enrolling-activities-display-name
• changes/43647-close-policy-details-modal-when-navigating-back-to-host-details
• changes/fix-gitops-controls-set-criteria
• changes/33555-better-error-handling-of-win-pre-install-setup
• changes/44980-always-assign-profile-missing-devices
• changes/44189-host-profile-perf
• changes/35483-empty-states
• changes/41565-policy-report-new-scopes-frontend
• changes/45715-implement-roaring-bitmaps
• changes/44422-list-mdm-commands-host-identifier-after
• changes/45330-gitops-mode-from-yaml
• changes/37142-local-admin-password-rotation
• changes/46001-android-orbit-enroll-duplicate-host
• changes/41996-department-idp-host-vital-not-populating-for-some-users
• changes/42503-deprecate-software-under-setup-experience
• changes/44196-script-library-gitops-fixes
• changes/40905-update-default-automatic-enrollment-profile
• changes/44286-deleted-policy-activity-for-patch-policies
• changes/44194-team-bitlocker-windows-only
• changes/43646-inconsistent-alignment-fleet-premium
• changes/36976-activities-for-labels
• changes/43959-duplicate-installers
• changes/45763-unable-to-issue-dynamic-scep-certificates-after-4850-upgrade
• changes/415640-policy-reports-new-custom-option
• changes/37012-host-details-activity-upcoming-count
• changes/43511-gitops-icon-update-recovers
• changes/43031-post-queries-null-name-or-query-500
• changes/41985-idp-host-vitals-tahoe-migration
• changes/44190-mdm-queue-cleanup
• changes/44696-add-list-software-perms-for-gitops
• changes/37682-clear-state-on-abm-re-enrollment
• changes/44459-recovery-password-key-team-transfer
• changes/43027-return-404-for-missing-resources
• changes/43135-fix-stale-label-hosts
• changes/34104-smtp-starttls-error-message
• changes/43857-improve-error-on-missing-gitops-name
• changes/39096-cis-win11-v5
• changes/44242-fleetctl-vuln-data-stream-osv
• changes/39016-upload-custom-org-logo
• changes/fix-hosts-in-label-filtering
• changes/43769-added-charts-to-dashboard
• changes/43688-fix-text-alignment-issues
• changes/43721-clean-up-gitops-errors
• changes/42930-show-retries-script-software-automations-host-details
• changes/44804-win-mdm-profile-bulk-insert
• changes/44084-fix-install-loop-on-deleted-installer
• changes/44630-fix-enable-host-users-default
• changes/43609-gitops-mode-false-positive-activity
• changes/43673-sort-software-titles-by-display-name
• changes/45491-mdm-name-from-server-url-nondeterministic
• changes/42827-macos-mdm-certificate-ingestion
• changes/43656-scim-users-duplicate-host-id
• changes/38790-ios-ipados-managed-app-configuration
• changes/34464-gitops-dry-run-manual-agent-install-script-conflict
• changes/43279-my-device-page-location-vital-looks-clickable
• changes/38785-windows-setup-experience-cancel
• changes/46009-fix-missing-opa-policy-tags
• changes/42613-dedupe-network-errors-in-error-store
• changes/45141-edit-label-form-mention-fleets
• changes/44170-list-mdm-commands-perf
• changes/44333-gitops-custom-org-logo-upload
• changes/43640-actions-dropdown-auto-closing
• changes/42741-fix-goval-dictionary-fd-leak
• changes/46009-fix-host-activity-user-enrichment-authz
• changes/44801-end-user-auth-windows-linux-only
• changes/44816-fast-fail-device-auth
• changes/fix-android-host-software-filter
• changes/42545-windows-profile-reconciliation-batching
• changes/39727-creating-queries-back-to-hosts-bug
• changes/43637-disk-encryption-table-horizontal-scroll
• changes/45705-android-gitops-fix
• changes/44798-scope-windows-mdm-profiles-query
• changes/fix-mdm-commands-filtering
• changes/45018-export-host-bug
• changes/fleetd-base-windows-secret
• changes/43997-orbit-debug-logging-on-enroll
• changes/42477-gitops-dry-run-label-platform
• changes/44326-empty-states
• changes/43294-sticky-team-enrollment
• changes/cleanup-list-opts
• changes/40459-wipe-host-cancels-upcoming-activities
• changes/35089-fleetctl-released-as-pkg
• changes/43767-delete-label-error-msg
• changes/42637-clear-stale-broken-label-associations
• changes/44391-osv-vuln-optimizations
• changes/update-go-1.26.3
• changes/fix-get-policy-id-endpoint-and-unify-access-in-ui
• changes/45520-nil-pointer-panic-in-android-enterprise-pubsub-endpoint
• changes/43984-setup-experience-users-ui-updates
• changes/42218-ios-supplemental-os-version-extra
• changes/45256-reduce-fleet-and-fleetctl-binary-sizes
• changes/43598-fix-gitops-glob-path-validation
• changes/44252-unable-to-edit-existing-user-to-use-2fa-422-error
• changes/42607-gitops-dry-run-empty-software
• changes/44391-vuln-scan-product-index
• changes/38437-activity-list-date-filter-consistency
• changes/35195-slate-homebrew-cpe-mismatch
• changes/35173-cis-macos-26-v1
• changes/44111-scep-autorenew-fail
• changes/41592-eua-broken-with-custom-apple-mdm-url‎
• changes/44456-validate-payload-scope-dry-run
• changes/42972-add-fleetctl-msi-to-release
• changes/45024-android-sso-missing-profile
• changes/44950-gitops-null-label-id
• changes/44533-request-pem-certificate
• changes/34103-sso-invite-accept
• changes/41566-policy-report-labels-gitops
• changes/add-svg-support-custom-logos
• changes/34229-gitops-label-validation
• changes/44376-stale-apns-push-cert-not-updated
• changes/43846-vpp-app-store-non-us-abm
• changes/44124-add-vulnerabilities-chart
• changes/43659-script-only-hash-ref-preserves-install-script
• changes/44170-fleetctl-mdm-commands-require-host
• changes/43643-conditional-access-header-fleet-free
• changes/44046-create-team-labels-before-consumers
• changes/43645-timestamps-are-not-consistently-styled-as-hoverable-missing-dotted-underlines
• changes/43032-post-packs-null-name
• changes/43091-inaccurate-total-disk-space
• changes/43928-host-by-nodekey-cache
• changes/44082-add-script-output-to-gitops
• changes/45720-remove-unneeded-query
• changes/fix-fleetctl-new-checkout-action
• changes/45258-android-host-expiry-loop
• changes/42886-fix-google-cal-gitops-validation
• changes/45844-gitops-vpp-dry-run-label-validation
• changes/44298-fix-goquery-dependency-side-effects
• changes/42026-show-uninstall-button
• changes/31138-user-enrolled-software-install

---

Walkthrough

This PR performs a coordinated v4.85.1 to v4.86.0 version bump across Fleet's Helm charts, Terraform infrastructure, npm tooling, and release documentation. It updates version identifiers in Helm chart metadata, Kubernetes deployment values, AWS and GCP Terraform variables, the fleetctl npm package manifest, and CLI release help text. The PR also updates release notes and changelog entries, including removals of documented features and fixes that are being removed from this release's documentation, and updates to configuration and help text hyperlinks.

Possibly related issues

• fleetdm/fleet#44636: The main changes include improvements to host lookup caching logic that extends the Redis-backed cache implementation area referenced in this issue.
• fleetdm/fleet#43032: The changelog documents a fix to the POST /packs endpoint that treats JSON null for the name field as invalid and returns HTTP 400, directly addressing the reported issue.
• fleetdm/fleet#39016: The changelog entry documents support for custom organization logo uploads in light and dark variants with Fleet-hosted assets, which implements the feature described in this issue.
• fleetdm/fleet#31138: The main changes implement iOS/iPadOS app installs and self-service capabilities for Account-Driven User Enrolled hosts using Managed Apple Accounts, directly addressing this feature request.
• fleetdm/fleet#40518: The changelog documents that fleetctl is now distributed as a macOS .pkg, which fulfills the request described in this issue.

Possibly related PRs

• fleetdm/fleet#46108: Both PRs implement VPP user/account flow changes for user-enrolled iOS installs, including VPP client-user registration and Managed Apple Account handling.
• fleetdm/fleet#44174: Both PRs update the same version bump plumbing across Helm charts, infrastructure Terraform files, npm packages, and CLI help text.
• fleetdm/fleet#46332: Both PRs modify the iOS/iPadOS VPP/in-house software install pipeline, including license association behavior and install-service error handling.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main action: cherry-picking a version bump PR for Fleet v4.86.0 into main. It is concise and specific about the change purpose.
Description check	✅ Passed	The description adequately explains the cherry-pick purpose and details the conflict resolution taken. However, most checklist items are not completed or marked as applicable, which is typical for version bump cherry-picks but creates incomplete coverage of the template.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cherry-pick-version-bump-v4.86.0

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.81%. Comparing base (ef6a51d) to head (6bb48fd).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #46506      +/-   ##
==========================================
- Coverage   66.81%   66.81%   -0.01%     
==========================================
  Files        2805     2805              
  Lines      223576   223576              
  Branches    11481    11481              
==========================================
- Hits       149380   149374       -6     
- Misses      60640    60644       +4     
- Partials    13556    13558       +2     

Flag	Coverage Δ
backend	68.53% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.