feat: implement Version Bump Automation Phase 3 (#4813)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: olegsu

.buildkite/scripts/release/bump-minor.sh

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Required env vars from PSI trigger params:
+#   BRANCH      — new minor branch name (e.g. 9.3)
+#   NEW_VERSION — first version on that branch (e.g. 9.3.0)
+#   REPO        — repository name (e.g. cloudbeat)
+#   WORKFLOW    — must be "minor"
+: "${BRANCH:?BRANCH is required}"
+: "${NEW_VERSION:?NEW_VERSION is required}"
+: "${REPO:?REPO is required}"
+: "${WORKFLOW:?WORKFLOW is required}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=common.sh
+source "${SCRIPT_DIR}/common.sh"
+
+GH_REPO="elastic/${REPO}"
+BUMP_BRANCH="bump-to-${NEW_VERSION}"
+NEXT_CLOUDBEAT_VERSION="${NEW_VERSION}"
+BACKPORT_LABEL="backport-v${BRANCH}.0"
+DRY_RUN="${DRY_RUN:-false}"
+
+git fetch origin main
+git checkout main
+
+CURRENT_CLOUDBEAT_VERSION=$(grep defaultBeatVersion version/version.go | cut -f2 -d '"')
+
+echo "--- Minor bump parameters"
+echo "  REPO:            ${REPO}"
+echo "  BRANCH:          ${BRANCH}"
+echo "  CURRENT:         ${CURRENT_CLOUDBEAT_VERSION}"
+echo "  NEXT:            ${NEXT_CLOUDBEAT_VERSION}"
+echo "  BACKPORT_LABEL:  ${BACKPORT_LABEL}"
+echo "  DRY_RUN:         ${DRY_RUN}"
+
+setup_git_identity
+
+update_mergify() {
+    if grep -q "backport patches to ${BRANCH} branch" .mergify.yml; then
+        echo "Mergify backport rule for ${BRANCH} already exists — skipping."
+        return
+    fi
+
+    cat >>.mergify.yml <<EOF
+  - name: backport patches to ${BRANCH} branch
+    conditions:
+      - merged
+      - label=${BACKPORT_LABEL}
+    actions:
+      backport:
+        assignees:
+          - "{{ author }}"
+        branches:
+          - "${BRANCH}"
+        labels:
+          - "backport"
+        title: "[{{ destination_branch }}](backport #{{ number }}) {{ title }}"
+EOF
+
+    git add .mergify.yml
+    git commit -m "Add mergify backport rule for ${BRANCH}"
+}
+
+run_minor_bump() {
+    pr_exists && return
+
+    git checkout -b "${BUMP_BRANCH}" origin/main
+
+    update_version_beat
+    update_arm_templates "${NEXT_CLOUDBEAT_VERSION}"
+    update_mergify
+
+    local body
+    body=$(render_template "${SCRIPT_DIR}/templates/pr-body-minor.md")
+
+    # TODO: re-enable `--label "version-bump-auto-approve"` once the first
+    # end-to-end manual run validates the auto-approve workflow + Mergify
+    # auto-merge rule. Until then, the bump PR is created label-free so a
+    # human reviews and merges it manually.
+    if [[ "${DRY_RUN}" == "true" ]]; then
+        echo "--- Dry run: skipping push and PR creation"
+        gh pr create \
+            --repo "${GH_REPO}" \
+            --head "${BUMP_BRANCH}" \
+            --base main \
+            --title "Bump cloudbeat version to ${NEXT_CLOUDBEAT_VERSION}" \
+            --body "${body}" \
+            --label "backport-skip" \
+            --dry-run
+        return
+    fi
+
+    git push --force origin "${BUMP_BRANCH}"
+    gh pr create \
+        --repo "${GH_REPO}" \
+        --head "${BUMP_BRANCH}" \
+        --base main \
+        --title "Bump cloudbeat version to ${NEXT_CLOUDBEAT_VERSION}" \
+        --body "${body}" \
+        --label "backport-skip"
+}
+
+run_minor_bump

.buildkite/scripts/release/bump-patch.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Required env vars from PSI trigger params:
+#   BRANCH      — release branch (e.g. 9.3)
+#   NEW_VERSION — target patch version (e.g. 9.3.4)
+#   REPO        — repository name (e.g. cloudbeat)
+#   WORKFLOW    — must be "patch"
+: "${BRANCH:?BRANCH is required}"
+: "${NEW_VERSION:?NEW_VERSION is required}"
+: "${REPO:?REPO is required}"
+: "${WORKFLOW:?WORKFLOW is required}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=common.sh
+source "${SCRIPT_DIR}/common.sh"
+
+BASE_BRANCH="${BRANCH}"
+BUMP_BRANCH="bump-to-${NEW_VERSION}"
+GH_REPO="elastic/${REPO}"
+
+git fetch origin "${BASE_BRANCH}"
+git checkout "${BASE_BRANCH}"
+
+NEXT_CLOUDBEAT_VERSION="${NEW_VERSION}"
+CURRENT_CLOUDBEAT_VERSION=$(grep defaultBeatVersion version/version.go | cut -f2 -d '"')
+
+DRY_RUN="${DRY_RUN:-false}"
+
+echo "--- Patch bump parameters"
+echo "  REPO:     ${REPO}"
+echo "  BRANCH:   ${BASE_BRANCH}"
+echo "  CURRENT:  ${CURRENT_CLOUDBEAT_VERSION}"
+echo "  NEXT:     ${NEXT_CLOUDBEAT_VERSION}"
+echo "  DRY_RUN:  ${DRY_RUN}"
+
+setup_git_identity
+
+run_patch_bump() {
+    pr_exists && return
+
+    git checkout -b "${BUMP_BRANCH}" "origin/${BASE_BRANCH}"
+
+    update_version_beat
+
+    local body
+    body=$(render_template "${SCRIPT_DIR}/templates/pr-body-patch.md")
+
+    # TODO: re-enable `--label "version-bump-auto-approve"` once the first
+    # end-to-end manual run validates the auto-approve workflow + Mergify
+    # auto-merge rule. Until then, the bump PR is created label-free so a
+    # human reviews and merges it manually.
+    if [[ "${DRY_RUN}" == "true" ]]; then
+        echo "--- Dry run: skipping push and PR creation"
+        gh pr create \
+            --repo "${GH_REPO}" \
+            --head "${BUMP_BRANCH}" \
+            --base "${BASE_BRANCH}" \
+            --title "Bump cloudbeat version ${BASE_BRANCH} to ${NEXT_CLOUDBEAT_VERSION}" \
+            --body "${body}" \
+            --label "backport-skip" \
+            --dry-run
+        return
+    fi
+
+    git push origin "${BUMP_BRANCH}"
+    gh pr create \
+        --repo "${GH_REPO}" \
+        --head "${BUMP_BRANCH}" \
+        --base "${BASE_BRANCH}" \
+        --title "Bump cloudbeat version ${BASE_BRANCH} to ${NEXT_CLOUDBEAT_VERSION}" \
+        --body "${body}" \
+        --label "backport-skip"
+}
+
+run_patch_bump

.buildkite/scripts/release/common.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+# Sourced by bump scripts — do not execute directly.
+# Expects callers to have validated: BRANCH, NEW_VERSION, REPO, WORKFLOW
+# and to have set: BUMP_BRANCH, NEXT_CLOUDBEAT_VERSION, GH_REPO (=elastic/${REPO})
+
+# pr_exists
+# Returns 0 (true) if an open PR already exists for BUMP_BRANCH, 1 otherwise.
+pr_exists() {
+    local existing_pr
+    existing_pr=$(gh pr list --repo "${GH_REPO}" --head "${BUMP_BRANCH}" --state open \
+        --json number --jq '.[0].number' 2>/dev/null || echo "")
+    if [[ -n "${existing_pr}" ]]; then
+        echo "INFO: PR #${existing_pr} already open for ${BUMP_BRANCH} — skipping."
+        return 0
+    fi
+    return 1
+}
+
+setup_git_identity() {
+    git config --global user.email "cloudsecmachine@users.noreply.github.com"
+    git config --global user.name "Cloud Security Machine"
+}
+
+# update_version_beat
+# Updates defaultBeatVersion in version/version.go to NEXT_CLOUDBEAT_VERSION and stages the file.
+update_version_beat() {
+    sed -i'' -E "s/const defaultBeatVersion = .*/const defaultBeatVersion = \"${NEXT_CLOUDBEAT_VERSION}\"/g" version/version.go
+    git add version/version.go
+    if ! git diff --cached --quiet; then
+        git commit -m "Bump to ${NEXT_CLOUDBEAT_VERSION}"
+    fi
+}
+
+# update_arm_templates <version>
+# Updates ElasticAgentVersion in both Azure ARM templates and regenerates dev variants.
+update_arm_templates() {
+    local version="$1"
+    echo "--- Update ARM templates to ${version}"
+    jq --indent 4 ".parameters.ElasticAgentVersion.defaultValue = \"${version}\"" \
+        deploy/azure/ARM-for-single-account.json >tmp.json && mv tmp.json deploy/azure/ARM-for-single-account.json
+    jq --indent 4 ".parameters.ElasticAgentVersion.defaultValue = \"${version}\"" \
+        deploy/azure/ARM-for-organization-account.json >tmp.json && mv tmp.json deploy/azure/ARM-for-organization-account.json
+    ./deploy/azure/generate_dev_template.py --template-type single-account
+    ./deploy/azure/generate_dev_template.py --template-type organization-account
+    git add \
+        deploy/azure/ARM-for-single-account.json \
+        deploy/azure/ARM-for-single-account.dev.json \
+        deploy/azure/ARM-for-organization-account.json \
+        deploy/azure/ARM-for-organization-account.dev.json
+    if ! git diff --cached --quiet; then
+        git commit -m "Update Azure ARM templates to ${version}"
+    fi
+}
+
+# render_template <path>
+# Expands ${VAR} references in a template file using the caller's environment.
+render_template() {
+    local content
+    # shellcheck disable=SC2016
+    # Single quotes are intentional: we need a literal backslash passed to sed.
+    content=$(sed 's/`/\\`/g' "$1")
+    eval "cat <<__EOF__
+${content}
+__EOF__
+"
+}

.buildkite/scripts/release/post-bump.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Post-PR-merge operations for a patch version bump.
+# Runs after the bump PR is merged and DRA artifacts for NEW_VERSION are confirmed.
+#
+# Required env vars from PSI trigger params:
+#   BRANCH      — release branch (e.g. 9.3)
+#   NEW_VERSION — the version that was bumped to (e.g. 9.3.4)
+#   REPO        — repository name (e.g. elastic/cloudbeat)
+#   WORKFLOW    — must be "patch"
+#
+# Secrets (from kv/ci-shared/cloudbeat/* via vault — wired in task-7):
+#   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY  — for CFT upload to S3
+#   SNYK_ORG_ID, SNYK_API_KEY, SNYK_INTEGRATION_ID — for Snyk branch monitoring
+: "${BRANCH:?BRANCH is required}"
+: "${NEW_VERSION:?NEW_VERSION is required}"
+: "${REPO:?REPO is required}"
+: "${WORKFLOW:?WORKFLOW is required}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=common.sh
+source "${SCRIPT_DIR}/common.sh"
+
+echo "--- Post-bump ops for ${NEW_VERSION}"
+
+upload_cloud_formation_templates() {
+    echo "--- Upload CloudFormation templates for ${NEW_VERSION}"
+    aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
+    aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
+    aws configure set region us-east-2
+    scripts/publish_cft.sh
+}
+
+bump_snyk_branch_monitoring() {
+    echo "--- Update Snyk branch monitoring"
+    local branches latest_major previous_major latest_major_latest_minor previous_major_latest_minor
+
+    branches=$(git branch -r | grep -Eo '[0-9]+\.[0-9]+' | sort -V | uniq)
+    latest_major=$(echo "${branches}" | cut -d. -f1 | uniq | tail -1)
+    previous_major=$(echo "${branches}" | cut -d. -f1 | uniq | tail -2 | head -1)
+    latest_major_latest_minor=$(echo "${branches}" | grep -E "^${latest_major}\." | tail -1)
+    previous_major_latest_minor=$(echo "${branches}" | grep -E "^${previous_major}\." | tail -1)
+
+    echo "  latest:   ${latest_major_latest_minor}"
+    echo "  previous: ${previous_major_latest_minor}"
+
+    local cloudbeat_id
+    cloudbeat_id=$(curl -sf -X GET \
+        "https://api.snyk.io/rest/orgs/${SNYK_ORG_ID}/targets?version=2024-05-23&display_name=cloudbeat" \
+        -H "accept: application/vnd.api+json" \
+        -H "authorization: ${SNYK_API_KEY}" | jq -r '.data[0].id')
+
+    curl -sf -X DELETE \
+        "https://api.snyk.io/rest/orgs/${SNYK_ORG_ID}/targets/${cloudbeat_id}?version=2024-05-23" \
+        -H "accept: application/vnd.api+json" \
+        -H "authorization: ${SNYK_API_KEY}"
+
+    for branch in main "${latest_major_latest_minor}" "${previous_major_latest_minor}"; do
+        curl -sf -X POST \
+            "https://api.snyk.io/v1/org/${SNYK_ORG_ID}/integrations/${SNYK_INTEGRATION_ID}/import" \
+            -H "Content-Type: application/json; charset=utf-8" \
+            -H "Authorization: token ${SNYK_API_KEY}" \
+            -d "{\"target\":{\"owner\":\"elastic\",\"name\":\"cloudbeat\",\"branch\":\"${branch}\"},\"exclusionGlobs\":\"deploy, scripts, tests, security-policies\"}"
+    done
+}
+
+upload_cloud_formation_templates
+bump_snyk_branch_monitoring