Merge remote-tracking branch 'origin/main' into owen/SUP-6535

Author: omehegan

.agents/skills/buildkite-agent-release/SKILL.md

@@ -20,68 +20,38 @@ Find the latest Buildkite Agent version using `gh`: `gh release view --repo buil
 
 Ask user to decide whether it's a minor version bump or patch version bump.
 
-### 3. Generate a list of changes
+### 3. Update the agent version file
 
-Use [ghch](https://github.com/buildkite/ghch) to generate our changelogs, and
-then human brains to edit them down into something other humans will
-want to read.
-
-To preview the changes run:
-
-```
-ghch --format=markdown --from=v3.xx.yy --next-version=v3.xx.yy+1
-```
-
-This will print a list of all the changes that are ready to go out. Looking at
-the list. You can re-run
-the `ghch` command with a different version number if you decide to change it
-before releasing.
-
-
-Edit [CHANGELOG.md](https://github.com/buildkite/agent/blob/main/CHANGELOG.md) file with paste in the list from the `ghch` output. This will likely need some cleaning up and editing as it only lists the names of the PRs.
-
-Try to make each line short but descriptive - we want people to be able to understand the general gist of the change without having to read paragraphs or go into the PR itself.
-
-The changelog should be split up into sections:
-
-- Security
-    - e.g. “Updated to new version of go-yellow to fix YellowToad CVE”
-- Changed
-    - e.g. “Logs are now all printed in yellow to be easier on the eyes”
-    - If the `go.mod` Go version or toolchan version changed, and it’s not already
-    listed under Security, be sure to list it here!
-- Added
-    - e.g. “Added the buildkite-agent ‘yellow’ subcommand”,
-- Fixed
-    - e.g. “Fixed bug causing all logs to be printed in yellow”
-- Internal
-    - e.g. “Reformatted the pipeline.yml”
-
-Use your best judgement when it comes to putting things in the right section,
-and if a section doesn’t have any PRs in it, get rid of the heading.
+Edit the `version/VERSION` to update the value to the new version number. Use the bare semver (e.g. `3.75.0`), not a `v`-prefixed tag (e.g. not `v3.75.0`).
 
-Conventionally, we lump all the Dependabot updates into a single line in the
-Internal section, since they tend to be invisibile to customers. But if a
-dependency was updated that fixes a big security issue or changes some important
-behaviour (for example), then it should be called out separately!
+### 4. Preview the auto-generated release notes
 
-Also ensure the date is the date the release is being made.
+Generate the same notes GitHub will publish at release time, so they can be reviewed in the PR description:
 
-As an example, see the example_changelog for v3.74.0 in the skill folder.
+```bash
+mkdir -p tmp
+gh api -X POST repos/buildkite/agent/releases/generate-notes \
+  -f tag_name=v3.75.0 \
+  -f target_commitish=main \
+  --jq .body > tmp/release-notes.md
+```
 
-### 4. Update the agent version file
+This is a read-only API call — it does not create a release or tag. GitHub auto-detects the previous stable release and applies the categorisation from [.github/release.yml](../../../.github/release.yml). The `tmp/` directory is gitignored, so the file won't be committed.
 
-Edit the `version/VERSION` to update the value to the new version number. Use the bare semver (e.g. `3.75.0`), not a `v`-prefixed tag (e.g. not `v3.75.0`).
+Inspect `tmp/release-notes.md`. If any PRs are mis-categorised (e.g. landed under 🏠 Internal because they had no labels), fix the labels on those PRs and re-run the command.
 
 ### 5. Create the release PR
 
 * Create a new branch for the release (e.g. `release/v3.75.0`).
-* Commit the `CHANGELOG.md` and `version/VERSION` changes.
+* Commit the `version/VERSION` change.
 * Push the branch and open a PR using `gh pr create` against `main`:
     * Title: `release: v3.75.0` (matching the convention from previous release PRs).
-    * Body: paste the same changelog section that was added to `CHANGELOG.md` for this release (header line, Full Changelog link, and all sections). See [PR #3823](https://github.com/buildkite/agent/pull/3823) for an example.
+    * Body: contents of `tmp/release-notes.md` from the previous step.
+    * Label: `release` — required so the PR-labels workflow passes, and so the release PR itself is excluded from its own auto-generated notes (configured in [.github/release.yml](../../../.github/release.yml)).
+    * Example: `gh pr create --title "release: v3.75.0" --body-file tmp/release-notes.md --label release`.
+
+The PR body is for human review only; the actual release notes are regenerated by `gh release create --generate-notes` in [.buildkite/steps/github-release.sh](../../../.buildkite/steps/github-release.sh) when the release pipeline runs, so they will reflect any label fixes made between PR creation and release.
 
 ### 6. Done
 
-* Remind user to unblock the release.
-* Remind user to update Github Release.
+* No manual GitHub release editing is required, but the user may want to review the auto-generated notes after the release publishes.

.agents/skills/buildkite-agent-release/example_changelog.md

@@ -0,0 +1 @@
+selected_org: buildkite

.bk.yaml

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/golang:1.25.9@sha256:8a7adc288b77e9b787cd2695029eb54d10ae80571b21d44fed68d067ad0a9c96
+FROM public.ecr.aws/docker/library/golang:1.25.10@sha256:c0a2bd0756d92462a0d449124b039100ce447ebf69dc6c80a6d877503b36935e
 COPY build/ssh.conf /etc/ssh/ssh_config.d/
 
 RUN go install github.com/google/go-licenses@latest

.buildkite/Dockerfile-compile

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/golang:1.25.9@sha256:8a7adc288b77e9b787cd2695029eb54d10ae80571b21d44fed68d067ad0a9c96
+FROM public.ecr.aws/docker/library/golang:1.25.10@sha256:c0a2bd0756d92462a0d449124b039100ce447ebf69dc6c80a6d877503b36935e
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     unzip \

.buildkite/Dockerfile-e2e

@@ -1 +1 @@
-FROM golangci/golangci-lint:v2.12-alpine@sha256:25cd0933d1a4ced61e907aabac044cfc0182ab067c09c25d568e15750e9695aa
+FROM golangci/golangci-lint:v2.12-alpine@sha256:91b27804074a0bacea298707f016911e60cf0cdbc6c7bf5ccacb5f0606d18d60

.buildkite/Dockerfile-lint

@@ -1 +1 @@
-FROM ruby:4.0.3@sha256:5e3c937aeac53f58a84bf212f7762aecf69221af0159451845ac9b67b79ff234
+FROM ruby:4.0.3@sha256:ae7837a8c6b75077eae4bf7142022993b499305c455f4d53ba7053c875889e26

.buildkite/Dockerfile-ruby

@@ -0,0 +1,233 @@
+steps:
+  - wait
+
+  - name: ":s3: Upload Oldstable Binaries to S3"
+    command: ".buildkite/steps/publish-to-s3.sh"
+    env:
+      CODENAME: "oldstable"
+    plugins:
+      - aws-assume-role-with-web-identity#v1.4.0:
+          role-arn: arn:aws:iam::032379705303:role/pipeline-buildkite-agent-release-oldstable
+          session-tags:
+            - organization_slug
+            - organization_id
+            - pipeline_slug
+            - build_branch
+      - ecr#v2.7.0:
+          login: true
+          account-ids: "032379705303"
+      - docker#v5.8.0:
+          environment:
+            - "AWS_ACCESS_KEY_ID"
+            - "AWS_SECRET_ACCESS_KEY"
+            - "AWS_SESSION_TOKEN"
+          image: "032379705303.dkr.ecr.us-east-1.amazonaws.com/deploytools:2022.07"
+          propagate-environment: true
+          mount-buildkite-agent: true
+
+  - name: ":octocat: :rocket: Create Github Release (if necessary)"
+    skip: "TODO(v4 release): unskip when v3 no longer stable"
+    command: ".buildkite/steps/github-release.sh"
+    env:
+      CODENAME: "oldstable"
+    plugins:
+      - aws-assume-role-with-web-identity#v1.4.0:
+          role-arn: arn:aws:iam::032379705303:role/pipeline-buildkite-agent-release-oldstable
+          session-tags:
+            - organization_slug
+            - organization_id
+            - pipeline_slug
+            - build_branch
+      - ecr#v2.7.0:
+          login: true
+          account-ids: "032379705303"
+      - docker#v5.8.0:
+          environment:
+            - "AWS_ACCESS_KEY_ID"
+            - "AWS_SECRET_ACCESS_KEY"
+            - "AWS_SESSION_TOKEN"
+          image: "032379705303.dkr.ecr.us-east-1.amazonaws.com/deploytools:2022.07"
+          propagate-environment: true
+          mount-buildkite-agent: true
+
+  - name: ":redhat: Publish Oldstable RPM Package"
+    command: ".buildkite/steps/publish-rpm-package.sh"
+    env:
+      CODENAME: "oldstable"
+      RPM_S3_BUCKET: "yum.buildkite.com"
+    plugins:
+      - aws-assume-role-with-web-identity#v1.4.0:
+          role-arn: arn:aws:iam::032379705303:role/pipeline-buildkite-agent-release-oldstable
+          session-tags:
+            - organization_slug
+            - organization_id
+            - pipeline_slug
+            - build_branch
+      - docker#v5.8.0:
+          environment:
+            - "AWS_ACCESS_KEY_ID"
+            - "AWS_SECRET_ACCESS_KEY"
+            - "AWS_SESSION_TOKEN"
+          image: "buildkite/agent:3.55.0-ubuntu"
+          entrypoint: bash
+          propagate-environment: true
+          mount-buildkite-agent: true
+          volumes:
+            - "/yum.buildkite.com"
+    retry:
+      automatic:
+        - exit_status: 1
+          limit: 3
+
+  - group: ":redhat: Publish Oldstable RPM Package to Buildkite Packages"
+    steps:
+      - name: ":redhat: Publish Oldstable {{matrix.pkg_arch}} RPM Package to Buildkite Packages"
+        plugins:
+          - publish-to-packages#v2.2.0:
+              artifacts: "rpm/buildkite-agent_*_{{matrix.pkg_arch}}.rpm"
+              registry: "buildkite/agent-rpm-oldstable"
+              artifact_build_id: "${BUILDKITE_TRIGGERED_FROM_BUILD_ID}"
+              attestations:
+                - "buildkite-agent-linux-{{matrix.go_arch}}.build-attestation.json"
+                - "buildkite-agent-rpm-packages.package-attestation.json"
+        soft_fail: true
+        matrix:
+          setup:
+            go_arch:
+              - "amd64"
+              - "386"
+              - "arm64"
+              - "ppc64"
+              - "ppc64le"
+              - "riscv64"
+            pkg_arch:
+              - "SKIP_FAKE_ARCH"
+          adjustments:
+            - with: { go_arch: "amd64", pkg_arch: "x86_64" }
+            - with: { go_arch: "386", pkg_arch: "i386" }
+            - with: { go_arch: "arm64", pkg_arch: "aarch64" }
+            - with: { go_arch: "ppc64", pkg_arch: "ppc64" }
+            - with: { go_arch: "ppc64le", pkg_arch: "ppc64le" }
+            - with: { go_arch: "riscv64", pkg_arch: "riscv64" }
+            - with: { pkg_arch: "SKIP_FAKE_ARCH" }
+              skip: true
+
+  - name: ":debian: Publish Oldstable Debian Package"
+    command: ".buildkite/steps/publish-debian-package.sh"
+    env:
+      CODENAME: "oldstable"
+      DEB_S3_BUCKET: "apt.buildkite.com/buildkite-agent"
+    plugins:
+      - aws-assume-role-with-web-identity#v1.4.0:
+          role-arn: arn:aws:iam::032379705303:role/pipeline-buildkite-agent-release-oldstable
+          session-tags:
+            - organization_slug
+            - organization_id
+            - pipeline_slug
+            - build_branch
+      - ecr#v2.7.0:
+          login: true
+          account-ids: "032379705303"
+      - docker#v5.8.0:
+          environment:
+            - "AWS_ACCESS_KEY_ID"
+            - "AWS_SECRET_ACCESS_KEY"
+            - "AWS_SESSION_TOKEN"
+          image: "032379705303.dkr.ecr.us-east-1.amazonaws.com/deploytools:2022.07"
+          propagate-environment: true
+          mount-buildkite-agent: true
+          tmpfs:
+            - "/root/.gnupg"
+
+  - group: ":debian: Publish Oldstable Debian Package to Buildkite Packages"
+    steps:
+      - name: ":debian: Publish Oldstable {{matrix.pkg_arch}} Debian Package to Buildkite Packages"
+        plugins:
+          - publish-to-packages#v2.2.0:
+              artifacts: "deb/buildkite-agent_*_{{matrix.pkg_arch}}.deb"
+              registry: "buildkite/agent-deb-oldstable"
+              artifact_build_id: "${BUILDKITE_TRIGGERED_FROM_BUILD_ID}"
+              attestations:
+                - "buildkite-agent-linux-{{matrix.go_arch}}.build-attestation.json"
+                - "buildkite-agent-debian-packages.package-attestation.json"
+        soft_fail: true
+        matrix:
+          setup:
+            go_arch:
+              - "amd64"
+              - "386"
+              - "arm"
+              - "armhf"
+              - "arm64"
+              - "ppc64"
+              - "ppc64le"
+              - "riscv64"
+            pkg_arch:
+              - "SKIP_FAKE_ARCH"
+          adjustments:
+            - with: { go_arch: "amd64", pkg_arch: "x86_64" }
+            - with: { go_arch: "386", pkg_arch: "i386" }
+            - with: { go_arch: "arm", pkg_arch: "arm" }
+            - with: { go_arch: "armhf", pkg_arch: "armhf" }
+            - with: { go_arch: "arm64", pkg_arch: "arm64" }
+            - with: { go_arch: "ppc64", pkg_arch: "ppc64" }
+            - with: { go_arch: "ppc64le", pkg_arch: "ppc64el" }
+            - with: { go_arch: "riscv64", pkg_arch: "riscv64" }
+            - with: { pkg_arch: "SKIP_FAKE_ARCH" }
+              skip: true
+
+  - group: ":docker: Publish Oldstable Docker Images"
+    steps:
+      - name: ":docker: Publish Oldstable Images to {{matrix.registry}}"
+        command: ".buildkite/steps/publish-docker-images.sh"
+        env:
+          CODENAME: "oldstable"
+          REGISTRY: "{{matrix.registry}}"
+        plugins:
+          - aws-assume-role-with-web-identity#v1.4.0:
+              role-arn: arn:aws:iam::032379705303:role/pipeline-buildkite-agent-release-oldstable
+              session-tags:
+                - organization_slug
+                - organization_id
+                - pipeline_slug
+                - build_branch
+          - ecr#v2.7.0:
+              login: true
+              account-ids: "445615400570"
+        matrix:
+          setup:
+            registry:
+              - docker.io
+              - ghcr.io
+              - packages.buildkite.com
+          adjustments:
+            - with: { registry: "packages.buildkite.com" }
+              soft_fail: true
+
+  - wait
+
+  - name: ":beer: Publish Oldstable Homebrew Package"
+    skip: "TODO(v4 release): unskip when v3 no longer stable"
+    command: ".buildkite/steps/release-homebrew.sh"
+    artifact_paths: "pkg/*.rb;pkg/*.json"
+    env:
+      CODENAME: "oldstable"
+    plugins:
+      - aws-assume-role-with-web-identity#v1.4.0:
+          role-arn: arn:aws:iam::032379705303:role/pipeline-buildkite-agent-release-oldstable
+          session-tags:
+            - organization_slug
+            - organization_id
+            - pipeline_slug
+            - build_branch
+      - ecr#v2.7.0:
+          login: true
+          account-ids: "032379705303"
+      - docker#v5.8.0:
+          environment:
+            - "AWS_ACCESS_KEY_ID"
+            - "AWS_SECRET_ACCESS_KEY"
+            - "AWS_SESSION_TOKEN"
+          image: "032379705303.dkr.ecr.us-east-1.amazonaws.com/deploytools:2022.07"
+          propagate-environment: true
+          mount-buildkite-agent: true

.buildkite/pipeline.release-oldstable.yml

@@ -1,11 +1,6 @@
 steps:
   - wait
 
-  - name: ":spiral_note_pad: Check Changelog"
-    command: ".buildkite/steps/check-changelog.sh"
-
-  - wait
-
   - name: ":s3: Upload Binaries to S3"
     command: ".buildkite/steps/publish-to-s3.sh"
     env:

.buildkite/pipeline.release-stable.yml

@@ -1,11 +1,6 @@
 steps:
   - wait
 
-  - name: ":spiral_note_pad: Check Changelog"
-    command: ".buildkite/steps/check-changelog.sh"
-
-  - wait
-
   - name: ":s3: Upload Unstable Binaries to S3"
     command: ".buildkite/steps/publish-to-s3.sh"
     env: