[CI] Add features/* branch support to changeset detection and publish pipeline

[mrodm]

Proposed commit message

WHAT

Extends CI branch handling to treat feature/* branches the same as backport-* branches in two places:

common.sh — get_from_changeset / get_to_changeset

• The outer guard in both functions previously only matched main and backport-*, making the inner feature/ check inside get_from_changeset unreachable (dead code) — feature/* branches never entered the block.
• Both outer guards are updated to ^(backport-|feature/) so feature/* branches benefit from the same previous-successful-commit logic.
• On the first push of a feature/* branch (no previous successful build), from is set to BUILDKITE_COMMIT rather than origin/${BUILDKITE_BRANCH}^, avoiding spurious full-repo diffs that would trigger unnecessary package testing.

catalog-info.yaml — integrations pipeline

• branch_configuration extended from "main backport-*" to "main backport-* feature/*" so the integrations pipeline is triggered for feature/* branches.
• cancel_intermediate_builds_branch_filter and skip_intermediate_builds_branch_filter updated to include !feature/* so intermediate builds on feature/* branches are properly cancelled/skipped, consistent with main and backport-*.

docs/ci_pipelines.md

• Updated the pipeline trigger description, build-cancellation bullet, and changeset-detection bullet to include feature/* alongside main and backport-*.
• Added a new "Feature branches" section documenting that changes are integrated via Pull Requests with CI checks, that changeset detection follows the same logic as backport-* branches, and that publishing is restricted to main and backport-* only.

WHY

feature/* branches are used for long-lived feature development that requires the same CI protections as backport-* branches: accurate changeset detection against a baseline and CI build triggering. The integrations-publish pipeline intentionally remains restricted to main and backport-* branches only.

Author's Checklist

• Verified that feature/* branches were previously excluded from the get_from_changeset/get_to_changeset logic (dead code — inner check was unreachable)
• Verified that integrations-publish pipeline does NOT trigger on feature/* branches
• Updated docs/ci_pipelines.md to document the new feature/* branch workflow

---

This PR was drafted with the assistance of Claude (claude-sonnet-4-6).

[github-actions]

✅ Vale Linting Results

No issues found on modified lines!

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[github-actions]

🔍 Preview links for changed docs

• docs/ci_pipelines.md

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 8404d86

Failed CI Steps

• Check integrations atlassian_jira
• Check integrations aws
• Check integrations aws_bedrock
• Check integrations google_secops
• Check integrations journald
• Check integrations jupiter_one
• Check integrations miniflux
• Check integrations netbox
• :elastic-cloud:📊 [security_detection_engine] Test for OOM issues against 9.5.0-SNAPSHOT ECH
• :elastic-cloud:📊 [security_detection_engine] Test for OOM issues against 9.4.1 ECH

History

• 💔 Build #42730 failed e908652
• 💔 Build #42714 failed 401a954

cc @mrodm

[github-actions]

TL;DR

The failed jobs are not failing in package code/tests; they are failing in Buildkite infrastructure hooks before tests start. Immediate action: re-run the build, and if it fails again, investigate agent egress/auth connectivity to AWS STS and GitHub.

Remediation

• Re-run Buildkite build 42796 (or only the 6 failed jobs). This appears transient (curl timeout/reset to sts.amazonaws.com:443 and git fetch timeout to github.com:443).
• If it reproduces, check Buildkite agent/network path and OIDC auth plugin health for:
  • elastic/oblt-aws-auth#v0.1.0 (STS connectivity)
  • repository post-checkout git fetch connectivity to GitHub
• After infra/network is healthy, re-run package checks to confirm package tests execute.

Investigation details

Root Cause

All 6 failures occur before integration tests run, in CI setup hooks/plugins:

1. AWS auth plugin pre-command failure (4 jobs)

   • Logs show curl: (28) Failed to connect to sts.amazonaws.com port 443 ... Connection timed out or curl: (35) ... Connection reset by peer.
   • Then Buildkite reports: plugin oblt-aws-auth-buildkite-plugin pre-command hook exited.

2. Repository post-checkout network failure (2 jobs)

   • Logs show fatal: unable to access 'https://github.com/elastic/integrations.git/': Failed to connect to github.com port 443 ... Connection timed out.
   • Then Buildkite reports: repository post-checkout hook exited with status 128.

Relevant code paths confirm these failures happen in pipeline infra steps, not package logic:

• .buildkite/scripts/trigger_integrations_in_parallel.sh#L79-L87 adds elastic/oblt-aws-auth#v0.1.0 and elastic/oblt-google-auth#v1.3.0 plugins to each generated package test step.
• .buildkite/hooks/post-checkout#L28 runs git fetch -v origin "${target_branch}" during PR merge checkout.
• .buildkite/hooks/post-checkout#L70 always invokes checkout_merge for PR jobs.

The PR commit itself only touched:

• .buildkite/scripts/build_packages.sh
• .buildkite/scripts/common.sh

No evidence these changes caused the observed hook-level network/auth timeouts.

Evidence

• Build: https://buildkite.com/elastic/integrations/builds/42796
• Failed jobs:
  • Check integrations atlassian_jira (exit 28)
  • Check integrations google_secops (exit 35)
  • Check integrations jupiter_one (exit 28)
  • Check integrations miniflux (exit 28)
  • Check integrations aws_bedrock (exit 128)
  • Check integrations journald (exit 128)
• Key log excerpts:
  • curl: (28) Failed to connect to sts.amazonaws.com port 443 ...
  • curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to sts.amazonaws.com:443
  • fatal: unable to access 'https://github.com/elastic/integrations.git/': Failed to connect to github.com port 443 ...

Verification

• Not run locally: failures occur in Buildkite agent infra/auth/network hooks prior to package test execution.

Follow-up

If a retry still fails with the same errors, escalate to CI/platform owners with this build URL and the two failing surfaces (oblt-aws-auth pre-command and repository post-checkout git fetch).

Note

🔒 Integrity filter blocked 7 items

The following items were blocked because they don't meet the GitHub integrity level.

• [CI] Add features/* branch support to changeset detection and publish pipeline #18962 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #18962 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• 8404d86 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• 54eab69 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• e908652 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• 401a954 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• 17ce815 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.