From 6d5e63e3b4d72ee1fa0c01bd129a4d9d1f45f147 Mon Sep 17 00:00:00 2001
From: Maxim Palenov
Date: Fri, 31 Oct 2025 10:13:27 +0100
Subject: [PATCH 1/5] test out the OOM testing pipeline integration
---
 .buildkite/scripts/common.sh | 13 ++++-
 .../packages/security_detection_engine.sh | 56 +++++++++++++++++++
 .buildkite/scripts/test_one_package.sh | 13 +++++
 3 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100755 .buildkite/scripts/packages/security_detection_engine.sh
diff --git a/.buildkite/scripts/common.sh b/.buildkite/scripts/common.sh
index 7685ba228ec..2ff75355597 100755
--- a/.buildkite/scripts/common.sh
+++ b/.buildkite/scripts/common.sh
@@ -728,7 +728,7 @@ is_pr_affected() {
 return 1
 fi
 if ! is_supported_capability ; then
- echo "[${package}] PR is not affected: capabilities not mached with the project (${SERVERLESS_PROJECT})"
+ echo "[${package}] PR is not affected: capabilities not matched with the project (${SERVERLESS_PROJECT})"
 return 1
 fi
 if [[ "${package}" == "fleet_server" ]]; then
@@ -763,10 +763,19 @@ is_pr_affected() {
 # Example:
 # https://buildkite.com/elastic/integrations/builds/25606
 # https://github.com/elastic/integrations/pull/13810
- if git diff --name-only "${commit_merge}" "${to}" | grep -E -v '^(packages/|\.github/(CODEOWNERS|ISSUE_TEMPLATE|PULL_REQUEST_TEMPLATE|workflows/)|CODE_OF_CONDUCT\.md|README\.md|docs/|catalog-info\.yaml|\.buildkite/(pull-requests\.json|pipeline\.schedule-daily\.yml|pipeline\.schedule-weekly\.yml|pipeline\.backport\.yml))' > /dev/null; then
+ if git diff --name-only "${commit_merge}" "${to}" | grep -E -v '^(packages/|\.github/(CODEOWNERS|ISSUE_TEMPLATE|PULL_REQUEST_TEMPLATE|workflows/)|CODE_OF_CONDUCT\.md|README\.md|docs/|catalog-info\.yaml|\.buildkite/(pull-requests\.json|pipeline\.schedule-daily\.yml|pipeline\.schedule-weekly\.yml|pipeline\.backport\.yml|scripts/packages.+\.sh))' > /dev/null; then
 echo "[${package}] PR is affected: found non-package files"
 return 0
 fi
+ echoerr "[${package}] git-diff: check custom package checker script file (${commit_merge}..${to})"
+ # Avoid using "-q" in grep in this pipe, it could cause that some files updated are not detected due to SIGPIPE errors when "set -o pipefail"
+ # Example:
+ # https://buildkite.com/elastic/integrations/builds/25606
+ # https://github.com/elastic/integrations/pull/13810
+ if git diff --name-only "${commit_merge}" "${to}" | grep -E "^\.buildkite/scripts/packages/${package}.sh" > /dev/null; then
+ echo "[${package}] PR is affected: found package checker script changes"
+ return 0
+ fi
 echoerr "[${package}] git-diff: check package files (${commit_merge}..${to})"
 # Avoid using "-q" in grep in this pipe, it could cause that some files updated are not detected due to SIGPIPE errors when "set -o pipefail"
 # Example:
diff --git a/.buildkite/scripts/packages/security_detection_engine.sh b/.buildkite/scripts/packages/security_detection_engine.sh
new file mode 100755
index 00000000000..a1e8b9afeae
--- /dev/null
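Review bot: The added checker-script test builds its pattern as `"^\.buildkite/scripts/packages/${package}.sh"`, where the dot before `sh` is unescaped and nothing anchors the end, so it matches any changed path that merely begins with the package name followed by one character and `sh`. A package whose name is a prefix of another package's name could therefore be marked as affected by the other package's script. Escaping the dot and anchoring the end keeps the match exact: `grep -E "^\.buildkite/scripts/packages/${package}\.sh$" > /dev/null`. is_pr_affected begins and ends outside this hunk, so how `package` is validated before it reaches the pattern is not visible here.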
+++ b/.buildkite/scripts/packages/security_detection_engine.sh @@ -0,0 +1,56 @@ +#!/bin/bash + +set -euo pipefail + +# Fetch active Kibana versions +ACTIVE_KIBANA_VERSIONS=$(curl -sL https://raw.githubusercontent.com/elastic/kibana/main/versions.json | yq '.versions[].version' | xargs) +echo "Active Kibana versions: $ACTIVE_KIBANA_VERSIONS" + +# Extract version spec from the manifest +KIBANA_REQ=$(yq .conditions.kibana.version ./security_detection_engine/manifest.yml) +echo "Kibana requirement from the security_detection_engine manifest: $KIBANA_REQ" + +# Dump a trivial Go program to filter by semver constrains +TEMP_DIR=$(mktemp -d) +SEMVER_FILTER_PATH="$TEMP_DIR/semver.go" + +cat <<'GO' > "$SEMVER_FILTER_PATH" +package main + +import ( + "fmt" + "os" + "github.com/Masterminds/semver/v3" +) + +func main() { + c, _ := semver.NewConstraint(os.Args[1]) + for _, s := range os.Args[2:] { + if v, _ := semver.NewVersion(s); c.Check(v) { + fmt.Println(s + "-SNAPSHOT") + } + } +} +GO + +# Capture the "returned" array in STACK_VERSIONS +read -r -a STACK_VERSIONS <<< "$(go run "$SEMVER_FILTER_PATH" "$KIBANA_REQ" $ACTIVE_KIBANA_VERSIONS | xargs)" + +# Trigger OOM testing pipeline for each stack version +for STACK_VERSION in "${STACK_VERSIONS[@]}" +do + echo "--- [security_detection_engine] Trigger OOM testing pipeline against $STACK_VERSION ECH" + + cat < /dev/null exit_code=0 if ! process_package "${package}" ; then @@ -32,7 +38,14 @@ if ! process_package "${package}" ; then # is not hidden by the previous collapsed group. echo "--- [${package}] failed" exit_code=1 +elif [ -x "$custom_package_checker_script_path" ]; then + echo "--- [${package}] Run individual package checker" + "$custom_package_checker_script_path" +else + echo "--- [${package}] Individual package checker $custom_package_checker_script_path is not found, continue..." fi popd > /dev/null +pwd + exit "${exit_code}" From 1513c7b530bbbbfd564585aa7dd667487971a4f3 Mon Sep 17 00:00:00 2001 
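Review bot: In the new security_detection_engine.sh, the version list that decides which stack versions get an OOM pipeline is downloaded with `curl -sL` from the `main` branch of another repository, and without `--fail` an HTTP error body is handed to `yq` as if it were versions.json. Using `curl -fsSL` lets `set -euo pipefail` stop the script on a failed download, and each fetched entry should be checked against a strict version pattern before it is passed on. The here-document after `cat` is not legible on this page, so how `STACK_VERSION` is interpolated into the uploaded pipeline should be confirmed. `TEMP_DIR=$(mktemp -d)` is also never removed; `trap 'rm -rf -- "${TEMP_DIR}"' EXIT` directly after it would clean up on every exit path.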
From: Maxim Palenov Date: Wed, 19 Nov 2025 16:25:46 +0100 Subject: [PATCH 2/5] simplify test_one_package.sh changes --- .buildkite/scripts/test_one_package.sh | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.buildkite/scripts/test_one_package.sh b/.buildkite/scripts/test_one_package.sh index 1120d050bbe..985f51b994b 100755 --- a/.buildkite/scripts/test_one_package.sh +++ b/.buildkite/scripts/test_one_package.sh @@ -25,11 +25,7 @@ with_kubernetes use_elastic_package -# Detect an absolute path to the individual package checker script. -# This avoids issues caused by changing the working directory. -current_folder=$(dirname "$(realpath $0)") -custom_package_checker_script_path="$current_folder/packages/$package.sh" - +custom_package_checker_script_path="${SCRIPTS_BUILDKITE_PATH}/packages/${package}.sh" pushd packages > /dev/null exit_code=0 @@ -46,6 +42,4 @@ else fi popd > /dev/null -pwd - exit "${exit_code}" From 687f98b3353d493c6e489add2fb1b953a74ad073 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Wed, 19 Nov 2025 17:13:31 +0100 Subject: [PATCH 3/5] handle constrain parsing errors --- .../packages/security_detection_engine.sh | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/.buildkite/scripts/packages/security_detection_engine.sh b/.buildkite/scripts/packages/security_detection_engine.sh index a1e8b9afeae..95b26f0078b 100755 --- a/.buildkite/scripts/packages/security_detection_engine.sh +++ b/.buildkite/scripts/packages/security_detection_engine.sh @@ -2,6 +2,10 @@ set -euo pipefail +if [[ "${BUILDKITE_PULL_REQUEST}" == "false" ]]; then + exit 0 +fi + # Fetch active Kibana versions ACTIVE_KIBANA_VERSIONS=$(curl -sL https://raw.githubusercontent.com/elastic/kibana/main/versions.json | yq '.versions[].version' | xargs) echo "Active Kibana versions: $ACTIVE_KIBANA_VERSIONS" 
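Review bot: The early exit added at the top of security_detection_engine.sh reads `${BUILDKITE_PULL_REQUEST}` directly under `set -euo pipefail`, so wherever that variable is not exported the script aborts with an unbound-variable error instead of skipping. A default keeps the guard safe: `if [[ "${BUILDKITE_PULL_REQUEST:-false}" == "false" ]]; then`. An `echo` before `exit 0` would also record in the build log why the OOM pipeline was not triggered.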
@@ -18,14 +22,19 @@ cat <<'GO' > "$SEMVER_FILTER_PATH" package main import ( + "strings" "fmt" "os" "github.com/Masterminds/semver/v3" ) func main() { - c, _ := semver.NewConstraint(os.Args[1]) - for _, s := range os.Args[2:] { + c, err := semver.NewConstraint(os.Args[1]) + if err != nil { + panic(err) + } + + for _, s := range strings.Split(os.Args[2], " ") { if v, _ := semver.NewVersion(s); c.Check(v) { fmt.Println(s + "-SNAPSHOT") } @@ -34,7 +43,12 @@ func main() { GO # Capture the "returned" array in STACK_VERSIONS -read -r -a STACK_VERSIONS <<< "$(go run "$SEMVER_FILTER_PATH" "$KIBANA_REQ" $ACTIVE_KIBANA_VERSIONS | xargs)" +read -r -a STACK_VERSIONS <<< "$(go run "${SEMVER_FILTER_PATH}" "${KIBANA_REQ}" "${ACTIVE_KIBANA_VERSIONS}" | xargs)" + +if [[ ! -n "${STACK_VERSIONS+x}" ]]; then + echo "There are no active versions satisfying the constraint ${KIBANA_REQ}." + exit 0 +fi # Trigger OOM testing pipeline for each stack version for STACK_VERSION in "${STACK_VERSIONS[@]}" @@ -44,7 +58,7 @@ do cat < Date: Thu, 20 Nov 2025 14:53:28 +0100 Subject: [PATCH 4/5] fix the diff checker regular expression --- .buildkite/scripts/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/common.sh b/.buildkite/scripts/common.sh index 2ff75355597..bf575b23db6 100755 --- a/.buildkite/scripts/common.sh +++ b/.buildkite/scripts/common.sh 
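Review bot: In the embedded Go filter the loop still discards the parse error, `if v, _ := semver.NewVersion(s); c.Check(v) {`, while this hunk only adds handling for the constraint. An entry that is not a valid version, including the empty string that `strings.Split` yields for empty input, reaches `c.Check` with whatever `NewVersion` returned on failure, presumably nil. Skipping such entries is safer: `if v, err := semver.NewVersion(s); err == nil && c.Check(v) {`.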
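Review bot: The exit status of `go run` is lost on the rewritten `read -r -a STACK_VERSIONS <<< "$(go run ... | xargs)"` line, because a command substitution inside a here-string does not trip `set -e`. When the new `panic(err)` fires, STACK_VERSIONS ends up empty, the added check prints "There are no active versions satisfying the constraint" and the script exits 0, so a broken manifest constraint is reported as a pass. Running the filter in its own assignment lets the failure stop the script: `FILTERED=$(go run "${SEMVER_FILTER_PATH}" "${KIBANA_REQ}" "${ACTIVE_KIBANA_VERSIONS}")` followed by `read -r -a STACK_VERSIONS <<< "$(xargs <<< "${FILTERED}")"`.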
@@ -763,7 +763,7 @@ is_pr_affected() {
 # Example:
 # https://buildkite.com/elastic/integrations/builds/25606
 # https://github.com/elastic/integrations/pull/13810
- if git diff --name-only "${commit_merge}" "${to}" | grep -E -v '^(packages/|\.github/(CODEOWNERS|ISSUE_TEMPLATE|PULL_REQUEST_TEMPLATE|workflows/)|CODE_OF_CONDUCT\.md|README\.md|docs/|catalog-info\.yaml|\.buildkite/(pull-requests\.json|pipeline\.schedule-daily\.yml|pipeline\.schedule-weekly\.yml|pipeline\.backport\.yml|scripts/packages.+\.sh))' > /dev/null; then
+ if git diff --name-only "${commit_merge}" "${to}" | grep -E -v '^(packages/|\.github/(CODEOWNERS|ISSUE_TEMPLATE|PULL_REQUEST_TEMPLATE|workflows/)|CODE_OF_CONDUCT\.md|README\.md|docs/|catalog-info\.yaml|\.buildkite/(pull-requests\.json|pipeline\.schedule-daily\.yml|pipeline\.schedule-weekly\.yml|pipeline\.backport\.yml|scripts/packages/.+\.sh))' > /dev/null; then
 echo "[${package}] PR is affected: found non-package files"
 return 0
 fi
From 099bd2fda73e2b1ee3389223fc3da6c279f292b3 Mon Sep 17 00:00:00 2001
From: Maxim Palenov
Date: Thu, 20 Nov 2025 14:54:28 +0100
Subject: [PATCH 5/5] make security_detection_engine.sh running in the repo root path
---
 .../packages/security_detection_engine.sh | 2 +-
 .buildkite/scripts/test_one_package.sh | 18 ++++++++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/.buildkite/scripts/packages/security_detection_engine.sh b/.buildkite/scripts/packages/security_detection_engine.sh
index 95b26f0078b..d3be7f6d314 100755
--- a/.buildkite/scripts/packages/security_detection_engine.sh
+++ b/.buildkite/scripts/packages/security_detection_engine.sh
@@ -11,7 +11,7 @@ ACTIVE_KIBANA_VERSIONS=$(curl -sL https://raw.githubusercontent.com/elastic/kiba echo "Active Kibana versions: $ACTIVE_KIBANA_VERSIONS" # Extract version spec from the manifest -KIBANA_REQ=$(yq .conditions.kibana.version ./security_detection_engine/manifest.yml) +KIBANA_REQ=$(yq .conditions.kibana.version ./packages/security_detection_engine/manifest.yml) echo "Kibana requirement from the security_detection_engine manifest: $KIBANA_REQ" # Dump a trivial Go program to filter by semver constrains diff --git a/.buildkite/scripts/test_one_package.sh b/.buildkite/scripts/test_one_package.sh index 985f51b994b..60c22a54dbe 100755 --- a/.buildkite/scripts/test_one_package.sh +++ b/.buildkite/scripts/test_one_package.sh @@ -25,8 +25,6 @@ with_kubernetes use_elastic_package -custom_package_checker_script_path="${SCRIPTS_BUILDKITE_PATH}/packages/${package}.sh" - pushd packages > /dev/null exit_code=0 if ! process_package "${package}" ; then @@ -34,12 +32,16 @@ if ! process_package "${package}" ; then # is not hidden by the previous collapsed group. echo "--- [${package}] failed" exit_code=1 -elif [ -x "$custom_package_checker_script_path" ]; then - echo "--- [${package}] Run individual package checker" - "$custom_package_checker_script_path" -else - echo "--- [${package}] Individual package checker $custom_package_checker_script_path is not found, continue..." fi popd > /dev/null -exit "${exit_code}" +if [ "${exit_code}" -ne 0 ]] ; then + exit "${exit_code}" +fi + +custom_package_checker_script_path="${SCRIPTS_BUILDKITE_PATH}/packages/${package}.sh" + +if [ -x "$custom_package_checker_script_path" ]; then + echo "--- [${package}] Run individual package checker" + "$custom_package_checker_script_path" +fi \ No newline at end of file
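Review bot: The guard added in the last test_one_package.sh hunk, `if [ "${exit_code}" -ne 0 ]] ; then`, opens with `[` but closes with `]]`, so `[` reports a missing `]` and returns non-zero and the branch is never taken. A failed `process_package` therefore no longer fails the step: the script carries on to the package checker and finishes with that block's status, which is 0 when no checker script exists. The line should read `if [[ "${exit_code}" -ne 0 ]]; then`. Because the test sits in an `if` condition, errexit would not catch the malformed test even if the script enables it.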