Update Fleet-maintained apps

[fleet-release]

Automated ingestion of latest Fleet-maintained app data.

Summary by CodeRabbit

• Chores
  • Updated application version metadata for 15 popular applications across Windows and macOS platforms, including Brave Browser, Claude, ClickUp, Cursor, Firefox ESR, Granola, Microsoft Edge, OneDrive, Signal, Spotify, Telegram, Warp, Zed, Zen Browser, and Zotero. These updates reflect the latest available versions and ensure accurate version tracking.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

Walkthrough

This pull request updates installer metadata for 14 maintained applications across Windows and macOS platforms. Each application entry is refreshed with a new version number, corresponding installer URL pointing to the updated release artifact, SHA256 checksum for integrity validation, and SQL version comparison logic for patch detection. Install and uninstall script references remain unchanged. The files updated are distributed across the ee/maintained-apps/outputs/ directory and follow a consistent pattern of version metadata synchronization.

Possibly related PRs

• fleetdm/fleet#43662: Updates the same maintained-app JSON metadata files (claude, zed, etc.) with version and installer URL changes.
• fleetdm/fleet#43739: Modifies the same maintained-app JSONs (brave-browser/windows.json) to update version and installer metadata.
• fleetdm/fleet#44900: Updates the same file (ee/maintained-apps/outputs/zed/darwin.json) with sequential version bumps and installer changes.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description lacks required checklist items specified in the template (e.g., changes files, testing, database migrations). Only a brief statement is provided without completion of mandatory sections.	Complete the description template by addressing relevant checklist items such as testing validation, changes file requirements, and any applicable database/configuration sections.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Update Fleet-maintained apps' is directly related to the changeset, which updates version metadata for 16 Fleet-maintained applications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fma-2605090829

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ee/maintained-apps/outputs/signal/darwin.json`:
- Around line 4-12: The metadata lists a non-existent Signal Desktop 8.9.1;
change the "version" field to the actual release (e.g., "8.8.0"), update the
"queries" patched version_compare literal to the same version, and replace
"installer_url" and "sha256" with the official installer URL and validated
checksum for that real release; also verify and update "install_script_ref" and
"uninstall_script_ref" to the correct refs for the real version. Use the exact
keys from the diff ("version", "queries" -> "patched", "installer_url",
"sha256", "install_script_ref", "uninstall_script_ref") so the file consistently
references the actual published Signal Desktop release.

In `@ee/maintained-apps/outputs/warp/darwin.json`:
- Line 12: Replace the placeholder value for the JSON "sha256" key that is
currently set to "no_check" with the actual SHA256 string to enable integrity
validation: change the "sha256" value in the darwin installer entry (the JSON
object containing "sha256": "no_check") to
"45ef976ce14f9bbee8bbb3e1ceb38cb6090bb9c6273647d6fdbf6e908056cc11" so downloads
are checked against the real hash.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6dcbb6fb-ae55-4b63-8135-f4e95dc27e4e

📥 Commits

Reviewing files that changed from the base of the PR and between d439cb1 and f95814f.

📒 Files selected for processing (16)

• ee/maintained-apps/outputs/brave-browser/windows.json
• ee/maintained-apps/outputs/claude/darwin.json
• ee/maintained-apps/outputs/claude/windows.json
• ee/maintained-apps/outputs/clickup/windows.json
• ee/maintained-apps/outputs/cursor/windows.json
• ee/maintained-apps/outputs/firefox@esr/windows.json
• ee/maintained-apps/outputs/granola/windows.json
• ee/maintained-apps/outputs/microsoft-edge/windows.json
• ee/maintained-apps/outputs/onedrive/darwin.json
• ee/maintained-apps/outputs/signal/darwin.json
• ee/maintained-apps/outputs/spotify/windows.json
• ee/maintained-apps/outputs/telegram/windows.json
• ee/maintained-apps/outputs/warp/darwin.json
• ee/maintained-apps/outputs/zed/darwin.json
• ee/maintained-apps/outputs/zen/darwin.json
• ee/maintained-apps/outputs/zotero/windows.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify Signal Desktop installer URL and SHA256 checksum

# Download and compute checksum
EXPECTED_SHA256="2a6268bc5bb8c372a17635b441ea6c6a41b7b1ff0a577904f04955596a664987"
URL="https://updates.signal.org/desktop/signal-desktop-mac-arm64-8.9.1.zip"

echo "Downloading installer..."
TEMP_FILE=$(mktemp)
if curl -L -f -o "$TEMP_FILE" "$URL" 2>/dev/null; then
  ACTUAL_SHA256=$(shasum -a 256 "$TEMP_FILE" | awk '{print $1}')
  rm -f "$TEMP_FILE"
  
  echo "Expected SHA256: $EXPECTED_SHA256"
  echo "Actual SHA256:   $ACTUAL_SHA256"
  
  if [ "$EXPECTED_SHA256" = "$ACTUAL_SHA256" ]; then
    echo "✓ Checksum matches"
  else
    echo "✗ Checksum mismatch"
    exit 1
  fi
else
  echo "✗ Failed to download from URL"
  exit 1
fi

Repository: fleetdm/fleet

Length of output: 266

---

🌐 Web query:

Signal Desktop 8.9.1 release SHA256 checksum official

💡 Result:

I can’t find an official Signal Desktop 8.9.1 release page (or installer) that publishes an official SHA-256 checksum. What I did find: - The official GitHub releases page for Signal Desktop exists, but it does not surface a v8.9.1 entry with checksum assets in the results I retrieved.[1] - Signal Desktop “8.9.x” activity in the results appears to be beta (e.g., v8.9.0-beta.1), not a v8.9.1 production release.[2] - Signal’s download site is present but the search results did not expose a 8.9.1 checksum listing.[3] - A community request discusses adding SHA-256 checksums, implying that checksums were (at least historically) not always published directly on signal.org download pages; it also points to verifying updates via.sig files / updater verification rather than relying on a posted checksum list.[4] So, the “official SHA256 checksum” value for Signal Desktop 8.9.1 is not available from the authoritative locations surfaced by my research, and I don’t have a source-backed checksum number to report. If you can share which platform/asset you mean (Windows.exe, macOS.dmg or.zip, Linux.deb/package) and the exact download URL you’re checking, I can re-search specifically for that asset’s corresponding checksum/signature entry (often hosted under updates.signal.org) and extract the official SHA-256 if it’s published alongside the file. References: [1] https://github.com/signalapp/Signal-Desktop/releases [2] https://github.com/signalapp/signal-desktop/releases/tag/v8.9.0-beta.1 [3] https://signal.org/download/ [4] signalapp/Signal-Desktop#1689

Citations:

• 1: https://github.com/signalapp/Signal-Desktop/releases
• 2: https://github.com/signalapp/signal-desktop/releases/tag/v8.9.0-beta.1
• 3: https://signal.org/download/
• 4: Provide GPG Signatures / SHA-256 Checksums for Downloads on signal.org  signalapp/Signal-Desktop#1689

---

🌐 Web query:

Signal Desktop 8.9.1 release github site:github.com

💡 Result:

Signal Desktop 8.9.1 release: I could not find a GitHub release tag/version “v8.9.1” for Signal Desktop in the upstream Signal-Desktop repository. The GitHub evidence instead shows 8.9 development releases (e.g., v8.9.0-beta.1) and a commit labeled “Release notes for 8.9”. [1][2][3] Most likely, “8.9.1” either (a) does not exist as a published GitHub release tag, (b) was produced via internal/distro packaging without a “v8.9.1” GitHub release entry, or (c) the version numbering differs between Signal Desktop builds and the GitHub-tagged releases. The upstream repository’s releases list should be treated as the authoritative place to confirm whether “v8.9.1” exists. [3] If you share the exact URL you saw for “Signal Desktop 8.9.1” (or the installer/packaging platform: Windows/macOS/Linux distro), I can try to locate where that build version is documented.

Citations:

• 1: signalapp/Signal-Desktop@db01cc2
• 2: https://github.com/signalapp/signal-desktop/releases/tag/v8.9.0-beta.1
• 3: https://github.com/signalapp/Signal-Desktop/releases

---

🌐 Web query:

Signal Desktop latest version 2026 release

💡 Result:

As of 2026-05-09, the latest Signal Desktop release is v8.8.0, published 2026-04-26 on the official Signal Desktop GitHub releases page [1]. Signal Desktop is distributed from Signal’s official download page [2].

Citations:

• 1: https://github.com/signalapp/signal-desktop/releases/tag/v8.8.0
• 2: https://signal.org/download/

---

Correct version: Signal Desktop 8.9.1 does not exist.

The latest official Signal Desktop release is v8.8.0 (released April 26, 2026). Version 8.9.1 is not a published release on GitHub or Signal's official channels. The installer URL and SHA256 checksum reference a non-existent version and cannot be validated. Update the version metadata to match an actual Signal Desktop release.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ee/maintained-apps/outputs/signal/darwin.json` around lines 4 - 12, The
metadata lists a non-existent Signal Desktop 8.9.1; change the "version" field
to the actual release (e.g., "8.8.0"), update the "queries" patched
version_compare literal to the same version, and replace "installer_url" and
"sha256" with the official installer URL and validated checksum for that real
release; also verify and update "install_script_ref" and "uninstall_script_ref"
to the correct refs for the real version. Use the exact keys from the diff
("version", "queries" -> "patched", "installer_url", "sha256",
"install_script_ref", "uninstall_script_ref") so the file consistently
references the actual published Signal Desktop release.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Download the Warp installer and compute its SHA256 hash

INSTALLER_URL="https://releases.warp.dev/stable/v0.2026.05.06.15.42.stable_03/Warp.dmg"

echo "Downloading installer from: $INSTALLER_URL"
curl -sL "$INSTALLER_URL" -o /tmp/warp_installer.dmg

if [ $? -eq 0 ]; then
  echo "Computing SHA256 hash..."
  sha256sum /tmp/warp_installer.dmg | awk '{print $1}'
  rm -f /tmp/warp_installer.dmg
else
  echo "Failed to download installer. URL may be invalid."
  exit 1
fi

Repository: fleetdm/fleet

Length of output: 249

---

🏁 Script executed:

#!/bin/bash
# Verify URL accessibility and compute SHA256 hash using Python

INSTALLER_URL="https://releases.warp.dev/stable/v0.2026.05.06.15.42.stable_03/Warp.dmg"

echo "Checking HTTP status of: $INSTALLER_URL"
HTTP_STATUS=$(curl -sL -w "%{http_code}" -o /tmp/warp_installer.dmg "$INSTALLER_URL")

if [ "$HTTP_STATUS" = "200" ]; then
  echo "HTTP Status: $HTTP_STATUS - Download successful"
  echo "Computing SHA256 hash using Python..."
  python3 <<EOF
import hashlib

with open('/tmp/warp_installer.dmg', 'rb') as f:
    sha256_hash = hashlib.sha256(f.read()).hexdigest()
    print(f"SHA256: {sha256_hash}")
EOF
  rm -f /tmp/warp_installer.dmg
else
  echo "HTTP Status: $HTTP_STATUS - Download failed or URL invalid"
  exit 1
fi

Repository: fleetdm/fleet

Length of output: 304

---

Replace "no_check" with actual SHA256 hash to enable integrity validation.

Setting sha256 to "no_check" disables integrity validation of the downloaded installer, creating risk for man-in-the-middle attacks or corrupted downloads. Use the actual hash: 45ef976ce14f9bbee8bbb3e1ceb38cb6090bb9c6273647d6fdbf6e908056cc11

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ee/maintained-apps/outputs/warp/darwin.json` at line 12, Replace the
placeholder value for the JSON "sha256" key that is currently set to "no_check"
with the actual SHA256 string to enable integrity validation: change the
"sha256" value in the darwin installer entry (the JSON object containing
"sha256": "no_check") to
"45ef976ce14f9bbee8bbb3e1ceb38cb6090bb9c6273647d6fdbf6e908056cc11" so downloads
are checked against the real hash.