[CI] Update bump version workflow to work for x.x branches (#2757)

.github/workflows/bump-version.yml

@@ -19,14 +19,14 @@ jobs:
       - name: Checkout Cloudbeat Repo
         uses: actions/checkout@v4
         with:
+          ref: ${{ github.ref_name }}
           token: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }}
 
       - name: Setup Cloudbeat Versions
         run: |
           current=$(grep defaultBeatVersion version/version.go | cut -f2 -d "\"")
           IFS='.' read -r major minor patch <<< "$current"
-          ((minor++))
-          next="$major.$minor.$patch"
+          next="$major.$((minor+1)).$patch"
           echo "current: $current"
           echo "next: $next"
           echo "CURRENT_CLOUDBEAT_VERSION=$current" >> $GITHUB_ENV
@@ -39,6 +39,8 @@ jobs:
 
       - name: Bump Cloudbeat
         # bump_cloudbeat.sh will create multiple PRs with different HEAD branches
+        env:
+          GIT_BASE_BRANCH: ${{ github.ref_name }}
         run: scripts/bump_cloudbeat.sh
 
       - name: Bump Cloud Security Posture Integration

.github/workflows/sync-internal-cloudbeat-version.yml

@@ -0,0 +1,24 @@
+name: Sync Cloudbeat Versions on release
+# Makes sure all cloudbeat versions are updated with release branches
+on:
+  push:
+    branches:
+      # matches branches pushed by elasticmachine, e.g. "update-version-next-8.15.3"
+      - 'update-version-next-*'
+
+jobs:
+  synchronize-versions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+      - name: Synchronize versions using a script
+        run: |
+          ./scripts/sync_internal_cloudbeat_version.sh
+      - name: Push changes
+        env:
+          GITHUB_TOKEN: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }}
+        run:
+          git push origin

scripts/bump_cloudbeat.sh

@@ -6,6 +6,7 @@ CURRENT_MINOR_VERSION=$(echo "$CURRENT_CLOUDBEAT_VERSION" | cut -d '.' -f1,2)
 export CURRENT_MINOR_VERSION
 
 # branches
+export BASE_BRANCH="${GIT_BASE_BRANCH:-main}"
 export NEXT_CLOUDBEAT_BRANCH="bump-to-$NEXT_CLOUDBEAT_VERSION"
 export NEXT_CLOUDBEAT_HERMIT_BRANCH="bump-hermit-to-$CURRENT_CLOUDBEAT_VERSION"
 export RELEASE_CLOUDBEAT_BRANCH="release-$CURRENT_MINOR_VERSION"
@@ -74,8 +75,8 @@ update_version_arm_template_default_value() {
 
 update_version_arm_template_file_uris() {
     echo "Replace fileUris git branch in ARM templates"
-    sed -i'' -E "s/cloudbeat\/main/cloudbeat\/$CURRENT_MINOR_VERSION/g" $ARM_SINGLE_ACCOUNT_FILE
-    sed -i'' -E "s/cloudbeat\/main/cloudbeat\/$CURRENT_MINOR_VERSION/g" $ARM_ORGANIZATION_ACCOUNT_FILE
+    sed -i'' -E "s/cloudbeat\/$BASE_BRANCH/cloudbeat\/$CURRENT_MINOR_VERSION/g" $ARM_SINGLE_ACCOUNT_FILE
+    sed -i'' -E "s/cloudbeat\/$BASE_BRANCH/cloudbeat\/$CURRENT_MINOR_VERSION/g" $ARM_ORGANIZATION_ACCOUNT_FILE
     git add $ARM_SINGLE_ACCOUNT_FILE $ARM_ORGANIZATION_ACCOUNT_FILE
     if git diff --cached --quiet; then
         echo "No changes to commit in ARM templates"
@@ -95,7 +96,7 @@ update_version_beat() {
     fi
 }
 
-create_cloudbeat_versions_pr_for_main() {
+create_cloudbeat_versions_pr_for_base_branch() {
     echo "Create PR for cloudbeat next version"
     git push origin "$NEXT_CLOUDBEAT_BRANCH"
     cat <<EOF >cloudbeat_pr_body
@@ -105,11 +106,11 @@ EOF
 
     pr_url="$(gh pr create --title "Bump cloudbeat version" \
         --body-file cloudbeat_pr_body \
-        --base "main" \
+        --base "$BASE_BRANCH" \
         --head "$NEXT_CLOUDBEAT_BRANCH" \
         --label "backport-skip")"
     # shellcheck disable=SC2086
-    echo "[Cloudbeat Version PR to main]($pr_url)" >>$GITHUB_STEP_SUMMARY
+    echo "[Cloudbeat Version PR to $BASE_BRANCH]($pr_url)" >>$GITHUB_STEP_SUMMARY
     rm cloudbeat_pr_body
 }
 
@@ -151,7 +152,7 @@ EOF
         echo "Create a PR for cloudbeat hermit version"
         pr_url="$(gh pr create --title "Bump hermit cloudbeat version" \
             --body-file hermit_pr_body \
-            --base "main" \
+            --base "$BASE_BRANCH" \
             --head "$NEXT_CLOUDBEAT_HERMIT_BRANCH" \
             --label "backport-skip")"
         # shellcheck disable=SC2086
@@ -170,26 +171,26 @@ upload_cloud_formation_templates() {
     set -x # enable debug log
 }
 
-# make changes to 'main' for next version
-run_version_changes_for_main() {
-    # create a new branch from the main branch
-    git fetch origin main
-    git checkout -b "$NEXT_CLOUDBEAT_BRANCH" origin/main
+# make changes to '$BASE_BRANCH' for next version
+run_version_changes_for_base_branch() {
+    # create a new branch from the $BASE_BRANCH branch
+    git fetch origin "$BASE_BRANCH"
+    git checkout -b "$NEXT_CLOUDBEAT_BRANCH" "origin/$BASE_BRANCH"
 
     # commit
     update_version_beat
     update_version_mergify
     update_version_arm_template_default_value
 
     # push
-    if git diff origin/main..HEAD --quiet; then
-        echo "No commits to push to main $NEXT_CLOUDBEAT_BRANCH"
+    if git diff "origin/$BASE_BRANCH..HEAD" --quiet; then
+        echo "No commits to push to $BASE_BRANCH $NEXT_CLOUDBEAT_BRANCH"
     else
-        create_cloudbeat_versions_pr_for_main
+        create_cloudbeat_versions_pr_for_base_branch
     fi
 
     # create, commit and push a separate PR for hermit
-    git checkout -b "$NEXT_CLOUDBEAT_HERMIT_BRANCH" origin/main
+    git checkout -b "$NEXT_CLOUDBEAT_HERMIT_BRANCH" "origin/$BASE_BRANCH"
     bump_hermit
 }
 
@@ -203,7 +204,7 @@ run_version_changes_for_release_branch() {
     update_version_arm_template_file_uris
 
     # push
-    if git diff origin/main..HEAD --quiet; then
+    if git diff "origin/$BASE_BRANCH..HEAD" --quiet; then
         echo "No commits to push to release $RELEASE_CLOUDBEAT_BRANCH"
     else
         create_cloudbeat_versions_pr_for_release
@@ -224,19 +225,19 @@ bump_snyk_branch_monitoring() {
         -H "accept: application/vnd.api+json" \
         -H "authorization: $SNYK_API_KEY"
 
-    # Import cloudbeat/main
+    # Import cloudbeat/$BASE_BRANCH
     curl -X POST \
         "https://api.snyk.io/v1/org/$SNYK_ORG_ID/integrations/$SNYK_INTEGRATION_ID/import" \
         -H 'Content-Type: application/json; charset=utf-8' \
         -H "Authorization: token $SNYK_API_KEY" \
-        -d '{
-  "target": {
-    "owner": "elastic",
-    "name": "cloudbeat",
-    "branch": "main"
+        -d "{
+  \"target\": {
+    \"owner\": \"elastic\",
+    \"name\": \"cloudbeat\",
+    \"branch\": \"$BASE_BRANCH\"
   },
-  "exclusionGlobs": "deploy, scripts, tests, security-policies"
-}'
+  \"exclusionGlobs\": \"deploy, scripts, tests, security-policies\"
+}"
     # Import cloudbeat/$CURRENT_MINOR_VERSION
     curl -X POST \
         "https://api.snyk.io/v1/org/$SNYK_ORG_ID/integrations/$SNYK_INTEGRATION_ID/import" \
@@ -253,6 +254,16 @@ bump_snyk_branch_monitoring() {
 
 }
 
-run_version_changes_for_main
+validate_base_branch() {
+    if [[ "$BASE_BRANCH" == "main" || "$BASE_BRANCH" =~ ^[89].x$ || "$BASE_BRANCH" =~ ^[89]\.[0-9]+\.[0-9]+$ ]]; then
+        echo "Allowed to bump version for $BASE_BRANCH"
+        return
+    fi
+    echo "Not allowed to bump version for $BASE_BRANCH"
+    exit 1
+}
+
+validate_base_branch
+run_version_changes_for_base_branch
 run_version_changes_for_release_branch
 bump_snyk_branch_monitoring

scripts/sync_internal_cloudbeat_version.sh

@@ -0,0 +1,30 @@
+#! /bin/bash
+set -xeuo pipefail
+
+VERSION_FILE="version/version.go"
+HERMIT_FILE="bin/hermit.hcl"
+
+find_current_cloudbeat_version() {
+    echo "Checking current cloudbeat version"
+    CLOUDBEAT_VERSION=$(grep -oE 'defaultBeatVersion\s+=\s+".*"' $VERSION_FILE | grep -oE '[0-9]\.[0-9]\.[0-9]')
+    echo "Cloudbeat version is $CLOUDBEAT_VERSION"
+}
+
+set_hermit_cloudbeat_version() {
+    echo "Setting cloudbeat version for hermit version"
+    sed -E -i '' "s/CLOUDBEAT_VERSION\": \".*\"/CLOUDBEAT_VERSION\": \"$CLOUDBEAT_VERSION\"/g" $HERMIT_FILE
+}
+
+commit_if_different() {
+    if git diff --quiet --exit-code $HERMIT_FILE; then
+        echo "No changes to $HERMIT_FILE; I'm done"
+        return
+    fi
+    echo "Versions changed, commiting changes"
+    git add $HERMIT_FILE
+    git commit -m "bump CLOUDBEAT_VERSION in $HERMIT_FILE to $CLOUDBEAT_VERSION"
+}
+
+find_current_cloudbeat_version
+set_hermit_cloudbeat_version
+commit_if_different