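# Release Fleet: manually dispatched workflow that builds the prebuilt-rules
# package from the most recent "Lock versions for releases" commit, tags the
# release when maturity is "ga", and opens a PR against the target
# integrations repository.
#
# NOTE(review): no `permissions:` block is declared, so the job runs with the
# repository's default GITHUB_TOKEN scope. The tag push below appears to need
# `contents: write`; consider declaring that explicitly once the remaining
# steps are confirmed not to need more.
name: Release Fleet

on:
  workflow_dispatch:
    inputs:
      target_repo:
        description: 'Target repository to build a PR against'
        required: true
        default: 'elastic/integrations'
      target_branch:
        description: 'Target branch for PR base'
        required: true
        default: 'main'
      draft:
        type: choice
        description: 'Create a PR as draft'
        required: false
        options:
          - "yes"
          - "no"
      package_maturity:
        type: choice
        description: 'Package Maturity'
        required: true
        options:
          - "ga"
          - "beta"
      new_package:
        type: choice
        description: 'New Package'
        required: true
        default: "true"
        options:
          - "true"
          - "false"

jobs:
  fleet-pr:
    name: Build package and create PR to integrations
    runs-on: ubuntu-latest

    steps:
      # Releases must not be cut from main. The ref is read from the script's
      # `context` object rather than interpolated with ${{ }} into the script
      # source, so a branch name can never be parsed as JavaScript.
      - name: Validate the source branch
        uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
        with:
          script: |
            if (context.ref === 'refs/heads/main') {
              core.setFailed('Forbidden branch')
            }

      - name: Checkout detection-rules
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
        with:
          path: detection-rules
          fetch-depth: 0

      # Find the newest commit whose message matches the version-lock marker.
      # Fail here if none exists: an empty hash would otherwise turn the later
      # `git checkout` into a no-op and the release would be built from the
      # branch head instead of the locked commit.
      - name: Extract version lock commit hash
        run: |
          cd detection-rules
          COMMIT_HASH=$(git log --grep='Lock versions for releases' -1 --format='%H')
          if [ -z "$COMMIT_HASH" ]; then
            echo "::error::No 'Lock versions for releases' commit found"
            exit 1
          fi
          echo "COMMIT_HASH=$COMMIT_HASH" >> "$GITHUB_ENV"
          echo "Extracted commit hash: $COMMIT_HASH"

      - name: Checkout commit hash
        run: |
          cd detection-rules
          echo "Current branch is $GITHUB_REF"
          echo "Checking out commit hash $COMMIT_HASH"
          git checkout "$COMMIT_HASH"

      # target_repo is a free-text dispatch input and this checkout uses a
      # write-scoped token; it is passed as an action input only, never
      # expanded into a shell script.
      - name: Checkout elastic/integrations
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
        with:
          token: ${{ secrets.WRITE_INTEGRATIONS_DETECTION_RULES_TOKEN }}
          repository: ${{github.event.inputs.target_repo}}
          path: integrations
          fetch-depth: 0

      - name: Set up Python 3.12
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: '3.12'

      - name: Install Python dependencies
        run: |
          cd detection-rules
          python -m pip install --upgrade pip
          pip cache purge
          pip install '.[dev]'

      # Inputs reach the shell through env vars and are quoted on use, so
      # their values cannot be word-split into extra CLI arguments.
      - name: Bump prebuilt rules package version
        env:
          PACKAGE_MATURITY: "${{github.event.inputs.package_maturity}}"
          NEW_PACKAGE: "${{github.event.inputs.new_package}}"
        run: |
          cd detection-rules
          python -m detection_rules dev bump-pkg-versions \
            --patch-release \
            --new-package "$NEW_PACKAGE" \
            --maturity "$PACKAGE_MATURITY"

      - name: Store release tag
        if: github.event.inputs.package_maturity == 'ga'
        run: |
          cd detection-rules
          output=$(grep -oP '(?<=\sversion: )\S+' detection_rules/etc/packages.yaml)
          echo "pkg_version=$output" >> "$GITHUB_ENV"

      # pkg_version comes from a file in the repository; it is read as a shell
      # variable (exported by the previous step through GITHUB_ENV) instead of
      # being expanded into the script text with ${{ env.pkg_version }}.
      - name: Create release tag
        if: github.event.inputs.package_maturity == 'ga'
        run: |
          cd detection-rules
          RELEASE_TAG="integration-v${pkg_version}"
          echo "Creating release tag: $RELEASE_TAG"
          git tag "$RELEASE_TAG"
          git push origin "$RELEASE_TAG"

      # The next three steps run only when neither cloud secret is configured.
      #
      # NOTE(review): no `ref` is given, so whatever is at the head of this
      # third-party repository's default branch is fetched and its script is
      # executed below, in a job that also holds the integrations write token.
      # Consider pinning `ref` to a reviewed commit SHA.
      - name: Check out container repository
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
          DR_API_KEY: ${{ secrets.dr_api_key }}
        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          path: elastic-container
          repository: peasead/elastic-container
          # Nothing is pushed to this checkout, so do not leave a token in its
          # git config.
          persist-credentials: false

      - name: Build and run containers
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
          DR_API_KEY: ${{ secrets.dr_api_key }}
        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
        run: |
          cd elastic-container
          GENERATED_PASSWORD=$(openssl rand -base64 16)
          # Register the mask before the value is used anywhere else.
          echo "::add-mask::$GENERATED_PASSWORD"
          sed -i "s|changeme|$GENERATED_PASSWORD|" .env
          echo "GENERATED_PASSWORD=$GENERATED_PASSWORD" >> "$GITHUB_ENV"
          # Tracing is switched on only after the password has been handled.
          set -x
          bash elastic-container.sh start

      - name: Get API Key and setup auth
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
          DR_API_KEY: ${{ secrets.dr_api_key }}
          DR_ELASTICSEARCH_URL: "https://localhost:9200"
          ES_USER: "elastic"
          ES_PASSWORD: ${{ env.GENERATED_PASSWORD }}
        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
        run: |
          cd detection-rules
          # -k skips certificate verification; the endpoint here is the
          # localhost container started by the previous step.
          response=$(curl -k -X POST -u "$ES_USER:$ES_PASSWORD" \
            -H "Content-Type: application/json" \
            -d '{ "name": "tmp-api-key", "expiration": "1d" }' \
            "$DR_ELASTICSEARCH_URL/_security/api_key")
          DR_API_KEY=$(echo "$response" | jq -r '.encoded')
          # jq prints "null" when the field is missing (e.g. an error reply);
          # stop here rather than building with an unusable key.
          if [ -z "$DR_API_KEY" ] || [ "$DR_API_KEY" = "null" ]; then
            echo "::error::Failed to create a temporary API key"
            exit 1
          fi
          echo "::add-mask::$DR_API_KEY"
          echo "DR_API_KEY=$DR_API_KEY" >> "$GITHUB_ENV"

      # With no cloud id secret the build targets the local containers and
      # ignores TLS errors; with one, the localhost URLs and the TLS override
      # are left empty.
      - name: Build release package
        env:
          DR_REMOTE_ESQL_VALIDATION: "true"
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
          DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
          DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
          DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
          DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
        run: |
          cd detection-rules
          python -m detection_rules dev build-release

      - name: Set github config
        run: |
          git config --global user.email "178941316+tradebot-elastic@users.noreply.github.com"
          git config --global user.name "tradebot-elastic"

      - name: Setup go
        uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3
        with:
          go-version: '^1.20.1'
          check-latest: true

      # NOTE(review): `@latest` is a floating version resolved at run time,
      # unlike the SHA-pinned actions above; consider pinning a reviewed
      # release so the tool used for a release build is reproducible.
      - name: Build elastic-package
        run: |
          go install github.com/elastic/elastic-package@latest

      # target_repo and target_branch are free-text inputs: they are passed via
      # env and quoted so they stay single arguments. The actor is also passed
      # via env instead of being expanded into the script text.
      - name: Create the PR to Integrations
        env:
          DRAFT_ARGS: "${{startsWith(github.event.inputs.draft,'y') && '--draft' || ' '}}"
          TARGET_REPO: "${{github.event.inputs.target_repo}}"
          TARGET_BRANCH: "${{github.event.inputs.target_branch}}"
          LOCAL_REPO: "../integrations"
          GITHUB_TOKEN: "${{ secrets.WRITE_INTEGRATIONS_DETECTION_RULES_TOKEN }}"
          ASSIGNEE: "${{ github.actor }}"
        run: |
          cd detection-rules
          # DRAFT_ARGS is deliberately unquoted: it is either '--draft' or a
          # single space, and the space must expand to no argument at all.
          python -m detection_rules dev integrations-pr \
            "$LOCAL_REPO" \
            --github-repo "$TARGET_REPO" \
            --base-branch "$TARGET_BRANCH" \
            --assign "$ASSIGNEE" \
            $DRAFT_ARGS

      - name: Archive production artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: release-files
          path: |
            detection-rules/releases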