add rule templates sync workflow

[orouz]

Summary of your changes

adds a new workflow that triggers on:

1. every push to main
2. only when some security-policies/bundle/compliance/**/rules/**/data.yaml file changes/added.

when ran, the script will:

• generate the CIS rules templates
• open/update a PR in the integrations repo
• bump integrations version

Screenshot/Data

• Example PR
• Example Workflow run

Related Issues

• closes Automate rule templates creation in integrations repo #1996

[mergify]

This pull request does not have a backport label. Could you fix it @orouz? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit
  NOTE: backport-skip has been added to this pull request.

[github-actions]

📊 Allure Report - 💚 No failures were reported.

Result	Count
🟥 Failed	0
🟩 Passed	162
⬜ Skipped	0

[orouz]

added new utility functions to bump an integration version. the version bump dispatch workflow also does this and later on it will use these functions

[orouz]

this file is currently excluded from shellcheck and introduces 2 new errors:

In scripts/common.sh line 93:
    local second_version="$(echo "${major2}.${minor2}.x" | xargs)"
          ^------------^ SC2155 (warning): Declare and assign separately to avoid masking return values.


In scripts/common.sh line 124:
        sed -i '' -e '3i\'$'\n'"$next_entry" "$changelog_path"
                        ^-- SC1003 (info): Want to escape a single quote? echo 'This is how it'\''s done'.

it works without resolving them and they don't seem critical. someday later on we'll remove this file from the excluded paths and fix all errors.

[orouz]

a PR to an integration must include a changelog and manifest update. depending on when the PR is made, the current integration version may be one of the following:

1. some preview version, like 1.0.0-preview01, in which case the preview suffix will be incremented. see example PR for actual changes made
2. some version, like 1.0.0, in which case the changes will result in this example diff:

+++ b/packages/cloud_security_posture/changelog.yml
@@ -1,5 +1,6 @@
 # newer versions go on top
 # version map:
+# 1.10.x - 8.15.x
 # 1.9.x - 8.14.x
 # 1.8.x - 8.13.x
 # 1.7.x - 8.12.x
@@ -8,6 +9,11 @@
 # 1.4.x - 8.9.x
 # 1.3.x - 8.8.x
 # 1.2.x - 8.7.x
+- version: 1.10.0-preview01
+  changes:
+    - description: Bump version
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9328
 - version: "1.9.0"
   changes:
     - description: Convert fields to secrets
diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml
index bda29ce3e..aaa4fcca8 100644
--- a/packages/cloud_security_posture/manifest.yml
+++ b/packages/cloud_security_posture/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: cloud_security_posture
 title: "Security Posture Management"
-version: "1.9.0"
+version: "1.10.0-preview01"
 source:
   license: "Elastic-2.0"
 description: "Identify & remediate configuration risks in your Cloud infrastructure"
@@ -11,7 +11,7 @@ categories:
   - cloudsecurity_cdr
 conditions:
   kibana:
-    version: "^8.14.0"
+    version: "^8.15.0"
   elastic:
     subscription: basic
     capabilities:

[orouz]

this script does the following:

1. checkout a new branch from main or the existing branch, with hard reset to main
   • reset is done to avoid conflicts (in manifest/changelog), or outdated branch if a previous PR was closed and not merged, for some reason
   • checking out existing branch instead of deleting to avoid closing an existing PR
2. generate the rule templates from cloudbeat's main
   • this means that if for example, PR-1 merged a rule and triggered a workflow to open a PR to integrations, then PR-2 was merged to cloudbeat's main with another rule, the generation will include both rules
3. commit new rule templates (PR will always have only 2 commits: adding templates and bumping version)
4. if a PR is not opened, open it and assign labels.
5. bump integration version
6. edit the PR body with a nice markdown table with links to added rule templates

[orouz]

gh api is used instead of gh pr because the latter is buggy

[orouz]

we need to open a PR and update it so we can use the PR link for the changelog.yml entry and the PR body table links

[orouz]

this abomination creates rows with benchmark.id in the 1st column and all of its rules' benchmark.rule_number in the 2nd column. table does look cool though..

[oren-zohar]

😨

[oren-zohar]

LGTM. I think sync_rule_templates.sh became too complex and would be hard to maintain :(

[oren-zohar]

why do we need a token for checkout?

[orouz]

because we need access to push/open PR to the integrations too

[oren-zohar]

We usually install it using a package manager like pip/pipx in other workflows, any reason to install it directly?

Suggested change

	curl -sSL https://install.python-poetry.org | python3 -
	pipx install poetry

[orouz]

looks like most workflows install in via curl. hardly an issue IMO

[oren-zohar]

😨