elastic / cloudbeat / 26978280525
76%
main: 76%

LAST BUILD BRANCH: evgb-bump-beats-8.19
DEFAULT BRANCH: main
Ran
Jobs 1
Files 235
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 75.807% (-0.007%) from 75.814%
26978280525

push

github

web-flow 
Automate elastic/beats bump like elastic-agent (#6642)

### What
Automate bumping the `github.com/elastic/beats/v7` go.mod dependency,
modeled on elastic-agent's beats-bump (elastic/elastic-agent#14565), and
make it work across active branches.

### Why
cloudbeat already had a beats bump driven by updatecli, but it has been
**failing on every scheduled run** (main and every backport branch).
updatecli pushed commits and opened the PR itself using
`CLOUDSEC_MACHINE_TOKEN`, which now returns `401 Bad credentials`:

```
ERROR: pushing commits failed ...
unable to query GitHub API rate limit ... 401 Unauthorized body: "Bad credentials"
```

elastic-agent avoids this entirely by keeping git/PR work out of
updatecli and using the built-in `GITHUB_TOKEN`.

### How (aligned with elastic-agent)
- **New `.github/workflows/bump-beats-version.yml`**: an
`elastic/oblt-actions/elastic/active-branches` matrix opens one PR per
active branch. updatecli runs in `apply --commit=false` mode (file edits
only); `peter-evans/create-pull-request` opens the PR using the built-in
`secrets.GITHUB_TOKEN` plus job-level `contents: write` /
`pull-requests: write`. **No machine token / PAT.** Go and mage come
from the existing Hermit action.
- **`.ci/updatecli/updatecli.d/update-beats.yml`** rewritten to
file-edit-only (`beats` + `gomod` sources, `is-already-updated`
condition, `beats` + `export-versions` targets); dropped the
`scms`/`actions` blocks so updatecli no longer authenticates to GitHub.
- **`.github/workflows/updatecli.yml`**: removed `beats` from the main
and backport matrices so the dedicated workflow owns it.

### Prerequisites to enable
- Settings → Actions → General → **"Allow GitHub Actions to create and
approve pull requests"** must be enabled (required for
`create-pull-request` to work with `GITHUB_TOKEN`, same as
elastic-agent).
- Note: PRs opened by `GITHUB_TOKEN` do not auto-trigger CI (GitHub
anti-recursion rule) — this matches elastic-agent's behavior.

### ... (continued)

9726 of 12830 relevant lines covered (75.81%)

16.4 hits per line

Coverage Regressions

Lines Coverage File
3
82.74
 -0.33% internal/resources/providers/gcplib/inventory/provider.go
Jobs
ID Job ID Ran Files Coverage
1 26978280525.1 235
75.81
 GitHub Action Run
Source Files on build 26978280525