feat: add macOS PKG installer for Console on-prem #571

Open: rsdmike wants to merge 4 commits into main from installer/macos

@rsdmike rsdmike commented May 12, 2026

No description provided.

Copilot AI review requested due to automatic review settings May 12, 2026 22:23
@rsdmike rsdmike marked this pull request as draft May 12, 2026 22:23
Adds the native macOS .pkg installer for Device Management Toolkit
Console under installers/macos/:

- build-pkg.sh: drives pkgbuild/productbuild to assemble the .pkg
- distribution.xml: productbuild distribution definition
- scripts/{preinstall,postinstall,postinstall-ui,postinstall-headless}:
  installer lifecycle scripts (creates /usr/local/device-management-toolkit
  layout, /usr/local/bin/dmt-console symlink, optional launchd plist)
- resources/{welcome,readme,conclusion}.html: installer UI panes
- configure.sh, uninstall.sh: post-install configuration / removal helpers

Note: build-pkg.sh currently invokes `go build` against a project root
expected to contain console sources. Follow-up will adapt it to consume
pre-built binaries (release artifacts) or to reference the
services/console submodule, since this repo doesn't carry Go source.
@rsdmike rsdmike force-pushed the installer/macos branch from 858cea3 to e481d4a Compare May 12, 2026 22:27

Copilot AI left a comment

Pull request overview

Adds packaging assets to produce a native macOS .pkg installer for the Console on-prem distribution, along with CI workflows to build installer artifacts.

Changes:

  • Added macOS PKG build script, installer scripts (pre/postinstall), configuration and uninstall tooling, and installer UI resources (welcome/readme/conclusion).
  • Added GitHub Actions workflows for building the macOS installer (and stub workflows for Linux/Windows).
  • Updated repo hygiene (dist/ ignored) and made a small docker-compose edit.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 12 comments.

| File | Description |
| --- | --- |
| installers/macos/build-pkg.sh | Builds UI/headless .pkg artifacts and assembles payload/scripts/resources. |
| installers/macos/distribution.xml | ProductBuild distribution definition for the .pkg. |
| installers/macos/scripts/preinstall | Pre-install cleanup logic. |
| installers/macos/scripts/postinstall-ui | UI edition post-install setup (symlinks, config, auto-launch). |
| installers/macos/scripts/postinstall-headless | Headless edition post-install setup (symlinks, config, auto-launch). |
| installers/macos/scripts/postinstall | Additional postinstall script (currently not referenced by build). |
| installers/macos/configure.sh | Interactive config generator/updater for config.yml. |
| installers/macos/uninstall.sh | Uninstall workflow (files, symlinks, optional data removal). |
| installers/macos/resources/welcome.html | Installer welcome page. |
| installers/macos/resources/readme.html | Installer readme page. |
| installers/macos/resources/conclusion.html | Installer conclusion page. |
| installers/macos/README.md | Documents macOS installer build and scope. |
| .github/workflows/installer-macos.yml | Workflow to build and upload macOS installer artifacts. |
| .github/workflows/installer-linux.yml | Stub workflow for future Linux installer. |
| .github/workflows/installer-windows.yml | Stub workflow for future Windows installer. |
| .gitignore | Ignores dist/ output. |
| docker-compose.yml | Adds a duplicate network entry (needs cleanup). |

Comments suppressed due to low confidence (4)

installers/macos/scripts/postinstall-ui:73

  • The default config hard-codes credentials/secrets (auth.adminPassword, auth.jwtKey). Shipping a real default password/key is unsafe; prefer generating unique random values at install-time or forcing an explicit setup step before enabling auth.

```yaml
auth:
  disabled: false
  adminUsername: standalone
  adminPassword: G@ppm0ym
  jwtKey: your_secret_jwt_key
```

installers/macos/scripts/postinstall-ui:92

  • The config file is set to chmod 644 (world-readable) even though it includes auth.adminPassword/auth.jwtKey. This exposes credentials to all local users. Write it with restrictive permissions (e.g., 600/640) and ensure ownership is appropriate for the runtime user.

```sh
    chmod 644 "$CONFIG_FILE"
    chown "$CONSOLE_USER" "$CONFIG_FILE" 2>/dev/null || true
    echo "Configuration saved to $CONFIG_FILE"
```

installers/macos/scripts/postinstall-headless:92

  • The config file is set to chmod 644 (world-readable) even though it includes auth.adminPassword/auth.jwtKey. This exposes credentials to all local users. Write it with restrictive permissions (e.g., 600/640) and ensure ownership is appropriate for the runtime user.

```sh
    chmod 644 "$CONFIG_FILE"
    chown "$CONSOLE_USER" "$CONFIG_FILE" 2>/dev/null || true
    echo "Configuration saved to $CONFIG_FILE"
```

installers/macos/configure.sh:162

  • After writing credentials into config.yml, the script sets chmod 644, making the file world-readable. This leaks auth.adminPassword/auth.jwtKey to any local user. Use restrictive permissions (e.g., 600/640) and appropriate ownership.

```sh
# Make config readable by all users
chmod 644 "$CONFIG_FILE"
echo "  Configuration saved to $CONFIG_FILE"
```

Comment thread installers/macos/uninstall.sh Outdated
Comment thread installers/macos/README.md Outdated
Comment thread installers/macos/resources/readme.html Outdated
Comment thread installers/macos/scripts/postinstall Outdated
Comment thread installers/macos/uninstall.sh Outdated
Comment thread installers/macos/scripts/postinstall-headless Outdated
Comment thread installers/macos/scripts/postinstall-headless
Comment thread installers/macos/distribution.xml Outdated
Comment thread installers/macos/build-pkg.sh
Comment thread installers/macos/configure.sh Outdated
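
The suppressed comments above ask for two things: per-install random secrets instead of shipped defaults, and a config file that is never world-readable. The sketch below is an added example, not code from this PR or from the review; the YAML keys follow the snippet quoted in the review, while the function names and the optional owner argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR. Key names follow the YAML quoted in
# the review; function names and the optional owner argument are assumptions.
set -eu

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
gen_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Write config.yml with per-install secrets. The body is a subshell so the
# umask change does not leak into the calling installer script.
write_config() (
    config_file=$1
    owner=${2:-}
    umask 077                       # nothing here is created world-readable
    admin_pw=$(gen_secret)
    jwt_key=$(gen_secret)
    tmp=$(mktemp "${config_file}.XXXXXX")
    cat >"$tmp" <<EOF
auth:
  disabled: false
  adminUsername: standalone
  adminPassword: $admin_pw
  jwtKey: $jwt_key
EOF
    chmod 600 "$tmp"
    # Unlike `chown ... || true`, a failed chown aborts the install here.
    if [ -n "$owner" ]; then chown "$owner" "$tmp"; fi
    mv -f "$tmp" "$config_file"     # file appears already locked down
)

# Return 0 only if the file is owner-only and carries no shipped default.
audit_config() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        -rw-------|-r--------) ;;
        *) echo "too permissive: $mode" >&2; return 1 ;;
    esac
    if grep -Eq 'jwtKey: your_secret_jwt_key|adminPassword: G@ppm0ym' "$1"; then
        echo "shipped default secret present" >&2; return 1
    fi
}
```

`audit_config` can also run against an existing install to flag a config.yml that still has mode 644 or the default values quoted in the review.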
@rsdmike rsdmike force-pushed the installer/macos branch from e481d4a to e02ecd9 Compare May 14, 2026 17:31
The script previously assumed it lived inside the console source repo and
ran `go build` against $PROJECT_ROOT/cmd/app. Adapted for this repo:

- Default to consuming prebuilt binaries from BINARY_DIR (release-train
  path: monthly deployment release pins a console release artifact).
- Fall back to building from the services/console submodule when binaries
  aren't present (local-dev path).
- Fail with an actionable error message when neither path is satisfied.
- LICENSE now comes from the deployment repo root.
- Output paths repointed: BUILD_DIR -> installers/macos/build,
  OUTPUT_DIR -> dist/darwin (both at repo root).

README updated to document the build invocation and BINARY_DIR usage.
@rsdmike rsdmike force-pushed the installer/macos branch from e02ecd9 to fd70389 Compare May 14, 2026 20:53
@graikhel-intel graikhel-intel marked this pull request as ready for review May 18, 2026 22:20