Use agentless deployment 'release' field to agentless deployment modes

[MichelLosier]

Summary

• Adds the new release field for agentless deployments to explicitly declare maturity (beta | ga)
  • All current agentless deployments are updated with a release of beta, unless agentless is the only deployment mode and policy template in a package. In that case, maturity defers to package semver.
  • exception is for CSPM which is already GA.
• package-spec support in: [Change Proposal] Allow to declare a maturity level in the agentless deployment mode package-spec#1098

These changes will have a 2-week TTL for package owners to review and confirm release value.

Proposed commit message

Adds the new release field for agentless deployments to explicitly declare maturity (beta | ga)

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes: Add "release" field to agentless deployment modes #18294
• Requires: [Change Proposal] Allow to declare a maturity level in the agentless deployment mode package-spec#1098

Screenshots

[teresaromero]

👍🏻 . i wonder if this is not a patch but a minor version update, as we are adding a new field 🤔

i cross pull requests sorry! this was for the packge-spec one

[MichelLosier]

Build failures expected until spec changes are released:
elastic/package-spec#1130

[rubenruizdegauna]

LGTM from the elastic/ingest-managed-jobs pov

[olegsu]

LGTM from security-cloud-services team

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 2dcde0d

Failed CI Steps

• Check integrations 1password
• Check integrations abnormal_security
• Check integrations admin_by_request_epm
• Check integrations agentless_hello_world
• Check integrations airlock_digital
• Check integrations armis
• Check integrations authentik
• Check integrations aws
• Check integrations aws_securityhub
• Check integrations azure_ai_foundry
• Check integrations azure_application_insights
• Check integrations azure_billing
• Check integrations azure_functions
• Check integrations azure_openai
• Check integrations beyondinsight_password_safe
• Check integrations beyondtrust_pra
• Check integrations bitdefender
• Check integrations bitsight
• Check integrations bitwarden
• Check integrations blacklens
• Check integrations box_events
• Check integrations carbon_black_cloud
• Check integrations checkpoint_email
• Check integrations checkpoint_harmony_endpoint
• Check integrations cisa_kevs
• Check integrations cisco_duo
• Check integrations claroty_xdome
• Check integrations cloud_asset_inventory
• Check integrations cloud_security_posture
• Check integrations cloudflare
• Check integrations crowdstrike
• Check integrations cyera
• Check integrations elastic_connectors
• Check integrations elastic_security
• Check integrations ess_billing
• Check integrations extrahop
• Check integrations github
• Check integrations google_scc
• Check integrations google_secops
• Check integrations google_workspace
• Check integrations ibm_qradar
• Check integrations ironscales
• Check integrations island_browser
• Check integrations jupiter_one
• Check integrations m365_defender
• Check integrations microsoft_defender_cloud
• Check integrations microsoft_defender_endpoint
• Check integrations microsoft_sentinel
• Check integrations mimecast
• Check integrations mongodb_atlas
• Check integrations neon_cyber
• Check integrations nozomi_networks
• Check integrations o365
• Check integrations o365_metrics
• Check integrations okta
• Check integrations panw_cortex_xdr
• Check integrations ping_one
• Check integrations prisma_cloud
• Check integrations proofpoint_essentials
• Check integrations proofpoint_itm
• Check integrations proofpoint_tap
• Check integrations qualys_gav
• Check integrations qualys_vmdr
• Check integrations qualys_was
• Check integrations rapid7_insightvm
• Check integrations sentinel_one
• Check integrations slack
• Check integrations snyk
• Check integrations splunk
• Check integrations sublime_security
• Check integrations tenable_io
• Check integrations tenable_sc
• Check integrations ti_abusech
• Check integrations ti_anomali
• Check integrations ti_crowdstrike
• Check integrations ti_cyware_intel_exchange
• Check integrations ti_flashpoint
• Check integrations ti_google_threat_intelligence
• Check integrations ti_greynoise
• Check integrations ti_rapid7_threat_command
• Check integrations ti_recordedfuture
• Check integrations ti_threatq
• Check integrations trend_micro_vision_one
• Check integrations vectra_rux
• Check integrations verifier_otel
• Check integrations wiz
• Check integrations zscaler_zia

History

• 💔 Build #42664 failed f37763a
• 💔 Build #42508 failed d987789
• 💔 Build #42439 failed 5533230
• 💔 Build #42360 failed 1aeb1e5

[github-actions]

TL;DR

Buildkite failed in all 87 Check integrations * jobs for the same schema validation error: policy_templates.0.deployment_modes.agentless.release is not a valid manifest field. Remove release from the agentless deployment mode blocks (or gate those changes until the spec/tooling supports it).

Remediation

• Remove the nested key policy_templates[].deployment_modes.agentless.release from the updated package manifest.yml files.
• If you need stability metadata, keep using supported fields only (for example package-level release where applicable by spec).
• Re-run Buildkite package checks after removing that key.

Investigation details

Root Cause

This is a configuration/schema failure, not an infrastructure flake. The linter rejects the new nested release property under deployment_modes.agentless.

Schema reference in this repo shows deployment_modes.agentless with additionalProperties: false and only specific allowed keys (enabled, is_default, organization, division, team, resources):

• docs/extend/manifest-spec.md:205-250

The same manifest spec also shows release as a package-level property (/properties/release), not under deployment_modes.agentless:

• docs/extend/manifest-spec.md:687-697

Evidence

• Build: https://buildkite.com/elastic/integrations/builds/42734
• Failed jobs: 87/87 contain the same error string.
• Representative log excerpts:
  • /tmp/gh-aw/buildkite-logs/integrations-check-integrations-agentless_hello_world.txt:117-120
  • /tmp/gh-aw/buildkite-logs/integrations-check-integrations-1password.txt:117-120
  • /tmp/gh-aw/buildkite-logs/integrations-check-integrations-zscaler_zia.txt:117-120

Key excerpt:

Error: checking package failed: linting package failed: found 1 validation error:
  1. file ".../manifest.yml" is invalid: field policy_templates.0.deployment_modes.agentless: Additional property release is not allowed

Verification

• Local reproduction was not run here because the failure is already explicit and consistent across all pre-fetched Buildkite logs (87/87), with identical schema error.

Follow-up

• I could not retrieve PR comment history from the GitHub read API in this environment due integrity restrictions, so I couldn’t perform strict duplicate-comment checking before posting.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• Use agentless deployment 'release' field to agentless deployment modes #18552 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #18552 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.