diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index da20f480c1..a35a2088c2 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -19,14 +19,14 @@ jobs:
 - name: Checkout Cloudbeat Repo
 uses: actions/checkout@v4
 with:
+ ref: ${{ github.ref_name }}
 token: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }}
 - name: Setup Cloudbeat Versions
 run: |
 current=$(grep defaultBeatVersion version/version.go | cut -f2 -d "\"")
 IFS='.' read -r major minor patch <<< "$current"
- ((minor++))
- next="$major.$minor.$patch"
+ next="$major.$((minor+1)).$patch"
 echo "current: $current"
 echo "next: $next"
 echo "CURRENT_CLOUDBEAT_VERSION=$current" >> $GITHUB_ENV
@@ -39,6 +39,8 @@ jobs:
 - name: Bump Cloudbeat
 # bump_cloudbeat.sh will create multiple PRs with different HEAD branches
+ env:
+ GIT_BASE_BRANCH: ${{ github.ref_name }}
 run: scripts/bump_cloudbeat.sh
 - name: Bump Cloud Security Posture Integration
diff --git a/.github/workflows/sync-internal-cloudbeat-version.yml b/.github/workflows/sync-internal-cloudbeat-version.yml
new file mode 100644
index 0000000000..8e474cacf0
--- /dev/null
+++ b/.github/workflows/sync-internal-cloudbeat-version.yml
@@ -0,0 +1,24 @@
+name: Sync Cloudbeat Versions on release
+# Makes sure all cloudbeat versions are updated with release branches
+on:
+ push:
+ branches:
+ # matches branches pushed by elasticmachine, e.g. "update-version-next-8.15.3"
+ - 'update-version-next-*'
+
+jobs:
+ synchronize-versions:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the branch
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.ref }}
+ - name: Synchronize versions using a script
+ run: |
+ ./scripts/sync_internal_cloudbeat_version.sh
+ - name: Push changes
+ env:
+ GITHUB_TOKEN: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }}
+ run:
+ git push origin
diff --git a/scripts/bump_cloudbeat.sh b/scripts/bump_cloudbeat.sh
index cdf8aac989..2afe6fc418 100755
--- a/scripts/bump_cloudbeat.sh
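Review bot: The value parsed from version.go goes straight into `$((minor+1))` and `$GITHUB_ENV` with no shape check; if `current` is not `X.Y.Z` (an empty grep result, or a component that is not a number), bash arithmetic evaluates a non-numeric `minor` as 0 and the job publishes a bogus `NEXT_CLOUDBEAT_VERSION` instead of failing. Add a guard right after the `read`: `[[ "$current" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected defaultBeatVersion: '$current'" >&2; exit 1; }`, and quote the redirect target (`>> "$GITHUB_ENV"`). The `$((minor+1))` rewrite itself is sound: `((minor++))` returns non-zero when `minor` is 0, which trips the runner's default `bash -e`, so a short comment saying why it was changed would stop someone reverting it.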
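Review bot: The `Push changes` step exports `GITHUB_TOKEN` from `CLOUDSEC_MACHINE_TOKEN`, but `git push` does not read that variable; it authenticates with whatever actions/checkout persisted into `.git/config`, which here is the workflow's default token, so the machine token is never used, the push needs `contents: write` on the job, and the resulting push will not trigger downstream workflows. Either hand the secret to checkout as bump-version.yml does (`token: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }}` under `with:`) and drop the `env:` block, or keep the default token and declare `permissions: contents: write` explicitly. The script's `git commit` also needs an identity; unless the runner image provides one, set `git config user.name`/`user.email` before the script step. `ref: ${{ github.ref }}` is already checkout's default for a push event and can go.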
+++ b/scripts/bump_cloudbeat.sh
@@ -6,6 +6,7 @@ CURRENT_MINOR_VERSION=$(echo "$CURRENT_CLOUDBEAT_VERSION" | cut -d '.' -f1,2)
 export CURRENT_MINOR_VERSION
 # branches
+export BASE_BRANCH="${GIT_BASE_BRANCH:-main}"
 export NEXT_CLOUDBEAT_BRANCH="bump-to-$NEXT_CLOUDBEAT_VERSION"
 export NEXT_CLOUDBEAT_HERMIT_BRANCH="bump-hermit-to-$CURRENT_CLOUDBEAT_VERSION"
 export RELEASE_CLOUDBEAT_BRANCH="release-$CURRENT_MINOR_VERSION"
@@ -74,8 +75,8 @@ update_version_arm_template_default_value() {
 update_version_arm_template_file_uris() {
 echo "Replace fileUris git branch in ARM templates"
- sed -i'' -E "s/cloudbeat\/main/cloudbeat\/$CURRENT_MINOR_VERSION/g" $ARM_SINGLE_ACCOUNT_FILE
- sed -i'' -E "s/cloudbeat\/main/cloudbeat\/$CURRENT_MINOR_VERSION/g" $ARM_ORGANIZATION_ACCOUNT_FILE
+ sed -i'' -E "s/cloudbeat\/$BASE_BRANCH/cloudbeat\/$CURRENT_MINOR_VERSION/g" $ARM_SINGLE_ACCOUNT_FILE
+ sed -i'' -E "s/cloudbeat\/$BASE_BRANCH/cloudbeat\/$CURRENT_MINOR_VERSION/g" $ARM_ORGANIZATION_ACCOUNT_FILE
 git add $ARM_SINGLE_ACCOUNT_FILE $ARM_ORGANIZATION_ACCOUNT_FILE
 if git diff --cached --quiet; then
 echo "No changes to commit in ARM templates"
@@ -95,7 +96,7 @@ update_version_beat() {
 fi
 }
-create_cloudbeat_versions_pr_for_main() {
+create_cloudbeat_versions_pr_for_base_branch() {
 echo "Create PR for cloudbeat next version"
 git push origin "$NEXT_CLOUDBEAT_BRANCH"
 cat <cloudbeat_pr_body
@@ -105,11 +106,11 @@ EOF
 pr_url="$(gh pr create --title "Bump cloudbeat version" \
 --body-file cloudbeat_pr_body \
- --base "main" \
+ --base "$BASE_BRANCH" \
 --head "$NEXT_CLOUDBEAT_BRANCH" \
 --label "backport-skip")"
 # shellcheck disable=SC2086
- echo "[Cloudbeat Version PR to main]($pr_url)" >>$GITHUB_STEP_SUMMARY
+ echo "[Cloudbeat Version PR to $BASE_BRANCH]($pr_url)" >>$GITHUB_STEP_SUMMARY
 rm cloudbeat_pr_body
 }
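Review bot: In `update_version_arm_template_file_uris`, `$BASE_BRANCH` is interpolated into an extended regex, so the dot in `8.x` or `8.15.3` matches any character rather than a literal dot; it works on well-formed templates only because `validate_base_branch` later restricts the value, and that dependency is invisible here. Escape it and quote the file arguments (SC2086): `branch_re="${BASE_BRANCH//./\\.}"` followed by `sed -i'' -E "s#cloudbeat/$branch_re#cloudbeat/$CURRENT_MINOR_VERSION#g" "$ARM_SINGLE_ACCOUNT_FILE"` (same for the organization file). A one-line comment noting that `BASE_BRANCH` has been validated upstream would also help the next reader; the function's `fi`/`}` lie outside the hunk.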
@@ -151,7 +152,7 @@ EOF
 echo "Create a PR for cloudbeat hermit version"
 pr_url="$(gh pr create --title "Bump hermit cloudbeat version" \
 --body-file hermit_pr_body \
- --base "main" \
+ --base "$BASE_BRANCH" \
 --head "$NEXT_CLOUDBEAT_HERMIT_BRANCH" \
 --label "backport-skip")"
 # shellcheck disable=SC2086
@@ -170,11 +171,11 @@ upload_cloud_formation_templates() {
 set -x # enable debug log
 }
-# make changes to 'main' for next version
-run_version_changes_for_main() {
- # create a new branch from the main branch
- git fetch origin main
- git checkout -b "$NEXT_CLOUDBEAT_BRANCH" origin/main
+# make changes to '$BASE_BRANCH' for next version
+run_version_changes_for_base_branch() {
+ # create a new branch from the $BASE_BRANCH branch
+ git fetch origin "$BASE_BRANCH"
+ git checkout -b "$NEXT_CLOUDBEAT_BRANCH" "origin/$BASE_BRANCH"
 # commit
 update_version_beat
@@ -182,14 +183,14 @@ run_version_changes_for_main() {
 update_version_arm_template_default_value
 # push
- if git diff origin/main..HEAD --quiet; then
- echo "No commits to push to main $NEXT_CLOUDBEAT_BRANCH"
+ if git diff "origin/$BASE_BRANCH..HEAD" --quiet; then
+ echo "No commits to push to $BASE_BRANCH $NEXT_CLOUDBEAT_BRANCH"
 else
- create_cloudbeat_versions_pr_for_main
+ create_cloudbeat_versions_pr_for_base_branch
 fi
 # create, commit and push a separate PR for hermit
- git checkout -b "$NEXT_CLOUDBEAT_HERMIT_BRANCH" origin/main
+ git checkout -b "$NEXT_CLOUDBEAT_HERMIT_BRANCH" "origin/$BASE_BRANCH"
 bump_hermit
 }
@@ -203,7 +204,7 @@ run_version_changes_for_release_branch() {
 update_version_arm_template_file_uris
 # push
- if git diff origin/main..HEAD --quiet; then
+ if git diff "origin/$BASE_BRANCH..HEAD" --quiet; then
 echo "No commits to push to release $RELEASE_CLOUDBEAT_BRANCH"
 else
 create_cloudbeat_versions_pr_for_release
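Review bot: In `run_version_changes_for_release_branch` the new `git diff "origin/$BASE_BRANCH..HEAD" --quiet` compares the release-branch work tree against the base branch, so it reports a difference whenever the two branches have diverged, regardless of whether the version edits above produced a commit; the `No commits to push to release ...` path is then effectively unreachable and a PR is always attempted. If this function branches from `origin/$RELEASE_CLOUDBEAT_BRANCH` (its start is outside the hunk), the baseline should be that ref: `if git diff "origin/$RELEASE_CLOUDBEAT_BRANCH..HEAD" --quiet; then`. The equivalent check in `run_version_changes_for_base_branch` is fine, since that branch is created from `origin/$BASE_BRANCH`.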
@@ -224,19 +225,19 @@ bump_snyk_branch_monitoring() {
 -H "accept: application/vnd.api+json" \
 -H "authorization: $SNYK_API_KEY"
- # Import cloudbeat/main
+ # Import cloudbeat/$BASE_BRANCH
 curl -X POST \
 "https://api.snyk.io/v1/org/$SNYK_ORG_ID/integrations/$SNYK_INTEGRATION_ID/import" \
 -H 'Content-Type: application/json; charset=utf-8' \
 -H "Authorization: token $SNYK_API_KEY" \
- -d '{
- "target": {
- "owner": "elastic",
- "name": "cloudbeat",
- "branch": "main"
+ -d "{
+ \"target\": {
+ \"owner\": \"elastic\",
+ \"name\": \"cloudbeat\",
+ \"branch\": \"$BASE_BRANCH\"
 },
- "exclusionGlobs": "deploy, scripts, tests, security-policies"
-}'
+ \"exclusionGlobs\": \"deploy, scripts, tests, security-policies\"
+}"
 # Import cloudbeat/$CURRENT_MINOR_VERSION
 curl -X POST \
 "https://api.snyk.io/v1/org/$SNYK_ORG_ID/integrations/$SNYK_INTEGRATION_ID/import" \
@@ -253,6 +254,16 @@ bump_snyk_branch_monitoring() {
 }
-run_version_changes_for_main
+validate_base_branch() {
+ if [[ "$BASE_BRANCH" == "main" || "$BASE_BRANCH" =~ ^[89].x$ || "$BASE_BRANCH" =~ ^[89]\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Allowed to bump version for $BASE_BRANCH"
+ return
+ fi
+ echo "Not allowed to bump version for $BASE_BRANCH"
+ exit 1
+}
+
+validate_base_branch
+run_version_changes_for_base_branch
 run_version_changes_for_release_branch
 bump_snyk_branch_monitoring
diff --git a/scripts/sync_internal_cloudbeat_version.sh b/scripts/sync_internal_cloudbeat_version.sh
new file mode 100755
index 0000000000..1560ee1fc1
--- /dev/null
+++ b/scripts/sync_internal_cloudbeat_version.sh
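Review bot: The Snyk import body is now built by interpolating `$BASE_BRANCH` into a double-quoted JSON string, and `curl` exits 0 on an HTTP 4xx, so a rejected or malformed import passes silently; the only thing keeping the payload well-formed is the regex in `validate_base_branch`, which lives far from this code. Generate the body with `jq --arg`, which escapes whatever value arrives, and add `--fail-with-body` (curl ≥ 7.76; `-f` on older builds) so a failed import surfaces — the same applies to the `$CURRENT_MINOR_VERSION` import that follows, whose tail is outside the hunk. The ubuntu-latest runner image ships jq, but confirm for any other runner this script targets.
```shell
  # Import cloudbeat/$BASE_BRANCH
  jq -n --arg branch "$BASE_BRANCH" '{
    target: {owner: "elastic", name: "cloudbeat", branch: $branch},
    exclusionGlobs: "deploy, scripts, tests, security-policies"
  }' | curl --fail-with-body -X POST \
    "https://api.snyk.io/v1/org/$SNYK_ORG_ID/integrations/$SNYK_INTEGRATION_ID/import" \
    -H 'Content-Type: application/json; charset=utf-8' \
    -H "Authorization: token $SNYK_API_KEY" \
    --data @-
  # … unchanged: import of cloudbeat/$CURRENT_MINOR_VERSION …
```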
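Review bot: In `validate_base_branch` the middle alternative `^[89].x$` leaves the dot unescaped, so it admits any single character between the major digit and `x` (`8-x`, `9zx`), which weakens the one guard standing between `GIT_BASE_BRANCH` and the `git`, `gh` and Snyk calls that consume it. Fold the three tests into one anchored regex with the dot escaped: `if [[ "$BASE_BRANCH" =~ ^(main|[89]\.x|[89]\.[0-9]+\.[0-9]+)$ ]]; then`. Send the rejection line to stderr (`>&2`) so it is not mistaken for normal output, and note in a comment that this must run before any function uses `BASE_BRANCH` — the call order below is what currently enforces that.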
@@ -0,0 +1,30 @@
+#! /bin/bash
+set -xeuo pipefail
+
+VERSION_FILE="version/version.go"
+HERMIT_FILE="bin/hermit.hcl"
+
+find_current_cloudbeat_version() {
+ echo "Checking current cloudbeat version"
+ CLOUDBEAT_VERSION=$(grep -oE 'defaultBeatVersion\s+=\s+".*"' $VERSION_FILE | grep -oE '[0-9]\.[0-9]\.[0-9]')
+ echo "Cloudbeat version is $CLOUDBEAT_VERSION"
+}
+
+set_hermit_cloudbeat_version() {
+ echo "Setting cloudbeat version for hermit version"
+ sed -E -i '' "s/CLOUDBEAT_VERSION\": \".*\"/CLOUDBEAT_VERSION\": \"$CLOUDBEAT_VERSION\"/g" $HERMIT_FILE
+}
+
+commit_if_different() {
+ if git diff --quiet --exit-code $HERMIT_FILE; then
+ echo "No changes to $HERMIT_FILE; I'm done"
+ return
+ fi
+ echo "Versions changed, commiting changes"
+ git add $HERMIT_FILE
+ git commit -m "bump CLOUDBEAT_VERSION in $HERMIT_FILE to $CLOUDBEAT_VERSION"
+}
+
+find_current_cloudbeat_version
+set_hermit_cloudbeat_version
+commit_if_different
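Review bot: `find_current_cloudbeat_version` extracts the version with `grep -oE '[0-9]\.[0-9]\.[0-9]'`, which only matches single-digit components, so a version like `8.15.3` (the very example the new workflow's trigger comment uses) matches nothing, grep exits 1, and `set -eo pipefail` aborts the script at the assignment; use `grep -oE '[0-9]+\.[0-9]+\.[0-9]+'`. `set_hermit_cloudbeat_version` uses the BSD form `sed -E -i '' ...`: GNU sed on ubuntu-latest takes the separate empty string as the script and the `s/...` expression as a filename, so it fails there — write it as `sed -E -i'' "s/CLOUDBEAT_VERSION\": \".*\"/CLOUDBEAT_VERSION\": \"$CLOUDBEAT_VERSION\"/g" "$HERMIT_FILE"`, matching bump_cloudbeat.sh. `commit_if_different` runs `git commit` with no identity configured, which fails on a fresh runner unless the caller sets `user.name`/`user.email`. Quoting `"$VERSION_FILE"` and `"$HERMIT_FILE"` throughout is cheap (SC2086), and the `.*` in the sed pattern is greedy, so it assumes the `CLOUDBEAT_VERSION` value is the last quoted string on its line in hermit.hcl — worth a comment if that is the file's layout.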