orouz · orouz · Dec 18, 2023 · Dec 25, 2023 · Dec 26, 2023 · Dec 28, 2023
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -0,0 +1,34 @@
+name: Bump Cloudbeat version
+
+on:
+  workflow_dispatch:
+    inputs:
+      cloudbeat_version:
+        description: "New cloudbeat version number to bump to (e.g. 8.13.0)"
+        required: true
+
+env:
+  GH_TOKEN: ${{ secrets.CLOUDSEC_CLIENT_TOKEN }}
+  NEXT_CLOUDBEAT_VERSION: ${{ inputs.cloudbeat_version }}
+  AWS_ACCESS_KEY_ID: ${{ secrets.CSPM_CFT_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.CSPM_CFT_SECRET_ACCESS_KEY }}
+
+jobs:
+  bump_version:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Cloudbeat repo
+        uses: actions/checkout@v4
+
+      - name: exract version
+        run: |
+          version=$(grep defaultBeatVersion version/version.go | cut -f2 -d "\"")
+          echo "CURRENT_CLOUDBEAT_VERSION=$version" >> $GITHUB_ENV
+          echo "Bumping $version to $NEXT_CLOUDBEAT_VERSION"
+
+      - name: Bump cloudbeat
+        run: scripts/bump_cloudbeat.sh
+
+      - name: Bump integration
+        run: scripts/bump_integration.sh
diff --git a/bin/hermit.hcl b/bin/hermit.hcl
@@ -1,4 +1,4 @@
 env = {
-  "CLOUDBEAT_VERSION": "8.12.0",
+  "CLOUDBEAT_VERSION": "8.13.0",
   "ELK_VERSION": "${CLOUDBEAT_VERSION}-SNAPSHOT",
 }
diff --git a/scripts/bump_cloudbeat.sh b/scripts/bump_cloudbeat.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+set -euo pipefail
+
+export NEXT_CLOUDBEAT_BRANCH="bump-to-$NEXT_CLOUDBEAT_VERSION"
+export NEXT_MINOR_VERSION=$(echo $NEXT_CLOUDBEAT_VERSION | cut -d '.' -f1,2)
+export CURRENT_MINOR_VERSION=$(echo $CURRENT_CLOUDBEAT_VERSION | cut -d '.' -f1,2)
+
+echo "NEXT_CLOUDBEAT_VERSION: $NEXT_CLOUDBEAT_VERSION"
+echo "NEXT_MINOR_VERSION: $NEXT_MINOR_VERSION"
+echo "CURRENT_CLOUDBEAT_VERSION: $CURRENT_CLOUDBEAT_VERSION"
+echo "CURRENT_MINOR_VERSION: $CURRENT_MINOR_VERSION"
+
+git config --global user.email "[email protected]"
+git config --global user.name "Cloud Security Machine"
+
+create_release_branch() {
+  if git fetch origin "$CURRENT_MINOR_VERSION" 2>/dev/null; then
+    echo "release branch '$CURRENT_MINOR_VERSION' already exists"
+    git checkout "$CURRENT_MINOR_VERSION"
+    git pull origin $CURRENT_MINOR_VERSION
+  else
+    echo "Create and push a new release branch $CURRENT_MINOR_VERSION from main"
+    git checkout -b "$CURRENT_MINOR_VERSION" main
+    git push origin $CURRENT_MINOR_VERSION
+  fi
+}
+
+update_version_mergify() {
+  echo "Update .mergify.yml with new version"
+  cat <<EOF >>.mergify.yml
+  - name: backport patches to $CURRENT_MINOR_VERSION branch
+    conditions:
+      - merged
+      - label=backport-v$CURRENT_CLOUDBEAT_VERSION
+    actions:
+      backport:
+        assignees:
+          - "{{ author }}"
+        branches:
+          - "$CURRENT_MINOR_VERSION"
+        labels:
+          - "backport"
+        title: "[{{ destination_branch }}](backport #{{ number }}) {{ title }}"
+EOF
+}
+
+update_version_arm_template() {
+  echo "Update ARM template with new version"
+  local single_account_file="deploy/azure/ARM-for-single-account.json"
+  local organization_account_file="deploy/azure/ARM-for-organization-account.json"
+  jq --indent 4 ".parameters.ElasticAgentVersion.defaultValue = \"$NEXT_CLOUDBEAT_VERSION\"" $single_account_file >tmp.json && mv tmp.json $single_account_file
+  jq --indent 4 ".parameters.ElasticAgentVersion.defaultValue = \"$NEXT_CLOUDBEAT_VERSION\"" $organization_account_file >tmp.json && mv tmp.json $organization_account_file
+
+  sed -i'' -E "s/cloudbeat\/main/cloudbeat\/$NEXT_MINOR_VERSION/g" $single_account_file
+  sed -i'' -E "s/cloudbeat\/main/cloudbeat\/$NEXT_MINOR_VERSION/g" $organization_account_file
+}
+
+update_version_beat() {
+  echo "Update version/version.go with new version"
+  sed -i'' -E "s/const defaultBeatVersion = .*/const defaultBeatVersion = \"$NEXT_CLOUDBEAT_VERSION\"/g" version/version.go
+}
+
+create_cloudbeat_versions_pr() {
+  git add .
+  git commit -m "Bump cloudbeat to $NEXT_CLOUDBEAT_VERSION"
+  git push origin "$NEXT_CLOUDBEAT_BRANCH"
+  gh pr create --title "Bump cloudbeat version" \
+    --body "Bump cloudbeat to new version - $NEXT_CLOUDBEAT_VERSION (Automated PR)" \
+    --base "main" \
+    --head "$NEXT_CLOUDBEAT_BRANCH"
+}
+
+bump_cloudbeat() {
+  git checkout -b "$NEXT_CLOUDBEAT_BRANCH" main
+  update_version_mergify
+  update_version_arm_template
+  update_version_beat
+  create_cloudbeat_versions_pr
+}
+
+bump_hermit() {
+  local BRANCH="bump-hermit-to-$NEXT_CLOUDBEAT_VERSION"
+  git checkout -b "$BRANCH" main
+  sed -i'' -E "s/\"CLOUDBEAT_VERSION\": .*/\"CLOUDBEAT_VERSION\": \"$NEXT_CLOUDBEAT_VERSION\",/g" bin/hermit.hcl
+  git add bin/hermit.hcl
+  git commit -m "Bump cloudbeat to $NEXT_CLOUDBEAT_VERSION"
+  git push origin "$BRANCH"
+  gh pr create --title "Bump hermit cloudbeat version" \
+    --body "to be merged after snapshot build for $NEXT_CLOUDBEAT_VERSION is available. (Automated PR)" \
+    --base "main" \
+    --head "$BRANCH"
+}
+
+upload_cloud_formation_templates() {
+  aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+  aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+  aws configure set region us-east-2
+  scripts/publish_cft.sh
+}
+
+create_release_branch
+bump_cloudbeat
+bump_hermit
+# upload_cloud_formation_templates
diff --git a/scripts/bump_integration.sh b/scripts/bump_integration.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+set -euo pipefail
+
+export MANIFEST_PATH="packages/cloud_security_posture/manifest.yml"
+export CHANGELOG_PATH="packages/cloud_security_posture/changelog.yml"
+export INTEGRATION_REPO="orouz/integrations" # TODO: change to elastic/integrations
+export BRANCH="bump-to-$NEXT_CLOUDBEAT_VERSION"
+export MAJOR_MINOR_CLOUDBEAT=$(echo "$NEXT_CLOUDBEAT_VERSION" | cut -d. -f1,2)
+
+git config --global user.email "[email protected]"
+git config --global user.name "Cloud Security Machine"
+
+checkout_integration_repo() {
+    gh auth setup-git
+    gh repo clone $INTEGRATION_REPO
+    cd integrations
+    git checkout -b "$BRANCH" main
+}
+
+get_next_integration_version() {
+    input_line=$(sed -n '3p' $CHANGELOG_PATH) # last version is always on line 3
+    first_version=$(echo $input_line | cut -d' ' -f2)
+    major_minor=$(echo $first_version | cut -d'.' -f1-2)
+    major=$(echo $major_minor | cut -d'.' -f1)
+    minor=$(echo $major_minor | cut -d'.' -f2)
+    next_minor=$((minor + 1))
+    export NEXT_INTEGRATION_VERSION="$major.$next_minor.0"
+}
+
+update_manifest_version_vars() {
+    # cis_gcp
+    sed -i'' -E "s/cloudshell_git_branch=[0-9]+\.[0-9]+/cloudshell_git_branch=$MAJOR_MINOR_CLOUDBEAT/g" $MANIFEST_PATH
+
+    # cis_aws + vuln_mgmt_aws
+    sed -i'' -E "s/cloudformation-cnvm-[0-9]+\.[0-9]+\.[0-9]+/cloudformation-cnvm-$NEXT_CLOUDBEAT_VERSION/g" $MANIFEST_PATH
+    sed -i'' -E "s/cloudformation-cspm-ACCOUNT_TYPE-[0-9]+\.[0-9]+\.[0-9]+/cloudformation-cspm-ACCOUNT_TYPE-$NEXT_CLOUDBEAT_VERSION/g" $MANIFEST_PATH
+
+    # cis_azure
+    sed -i'' -E "s/cloudbeat%2F[0-9]+\.[0-9]+/cloudbeat%2F$MAJOR_MINOR_CLOUDBEAT/g" $MANIFEST_PATH
+
+    git add $MANIFEST_PATH
+    git commit -m "Update manifest template vars"
+    git push origin $BRANCH
+}
+
+create_integrations_pr() {
+    echo 'Creating a PR to update integration'
+
+    export PR_URL="$(gh pr create --title "[Cloud Security] Bump integration" \
+        --body "Bumps integration to new version (Automated PR)" \
+        --base "main" \
+        --head "$BRANCH" \
+        --repo "$INTEGRATION_REPO")"
+}
+
+update_manifest_version() {
+    yq -i ".version = \"$NEXT_INTEGRATION_VERSION\"" $MANIFEST_PATH
+    git add $MANIFEST_PATH
+    git commit -m "Update manifest version"
+    git push origin $BRANCH
+}
+
+update_changelog_version() {
+    yq -i ".[0].version = \"$NEXT_INTEGRATION_VERSION\"" $CHANGELOG_PATH
+    # this line below requires single quotes and env(PR) to interpolate this env var
+    yq -i '.[0].changes += [{"description": "Bump version", "type": "enhancement", "link": env(PR_URL) }]' $CHANGELOG_PATH
+    git add $CHANGELOG_PATH
+    git commit -m "Update changelog version"
+    git push origin $BRANCH
+}
+
+update_changelog_version_map() {
+    next_minor=$(echo "$NEXT_INTEGRATION_VERSION" | cut -d'.' -f1,2)
+    new_comment="# ${next_minor}.x - ${MAJOR_MINOR_CLOUDBEAT}.x"
+    file_content=$(<"$CHANGELOG_PATH")
+    new_file_content=$(awk -v var="$new_comment" 'NR==3 {print var} {print}' "$CHANGELOG_PATH")
+    echo -e "$new_file_content" >temp.yaml
+    mv temp.yaml "$CHANGELOG_PATH"
+    git add $CHANGELOG_PATH
+    git commit -m "Update changelog version map"
+    git push origin $BRANCH
+}
+
+checkout_integration_repo
+get_next_integration_version
+update_manifest_version_vars
+create_integrations_pr
+update_manifest_version
+update_changelog_version
+update_changelog_version_map