elastic · mrodm · Jun 16, 2026 · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026
@@ -5,6 +5,7 @@ name: "integrations-backport"
 env:
   SETUP_GVM_VERSION: "v0.6.0"
   YQ_VERSION: 'v4.35.2'
+  GH_CLI_VERSION: "2.29.0"
   # Agent images used in pipeline steps
   LINUX_AGENT_IMAGE: "golang:${GO_VERSION}"
 
@@ -13,11 +14,11 @@ steps:
   - label: "Check that it runs from UI"
     key: "check-ui"
     command:
-      - "buildkite-agent annotate \"The $BUILDKITE_PIPELINE_SLUG is used only for running from UI or a trigger step!\" --style 'warning'"
+      - "buildkite-agent annotate \"The $${BUILDKITE_PIPELINE_SLUG} pipeline can only be triggered from the UI by members of the 'ecosystem' team, or via a trigger step from the 'integrations' pipeline.\" --style 'warning'"
       - "exit 1"
     if: |
       !(
-        build.source == 'ui' ||
+        (build.source == 'ui' && build.creator.teams includes "other") ||
         (build.source == 'trigger_job' && build.env('BUILDKITE_TRIGGERED_FROM_BUILD_PIPELINE_SLUG') == 'integrations')
       )
 
@@ -70,3 +71,20 @@ steps:
     depends_on:
       - step: "input-variables"
         allow_failure: false
+
+  - label: ":github: Notify PR"
+    key: "notify-pr"
+    command: |
+      outcome=$$(buildkite-agent step get "outcome" --step "create-backport-branch")
+      if [[ "$${outcome}" == "passed" ]]; then
+        NOTIFY_STATUS=success .buildkite/scripts/notify_backport_pr.sh
+      else
+        NOTIFY_STATUS=failure .buildkite/scripts/notify_backport_pr.sh
+      fi
+    agents:
+      image: "${LINUX_AGENT_IMAGE}"
+    plugins:
+      - elastic/vault-github-token#v0.1.0:
+    depends_on:
+      - step: "create-backport-branch"
+        allow_failure: true
@@ -86,7 +86,7 @@ steps:
 
   - label: ":git: Trigger backport dry-runs"
     key: "trigger-backport-dryrun"
-    command: ".buildkite/scripts/trigger_backport_dryrun.sh"
+    command: ".buildkite/scripts/trigger_backport.sh"
     agents:
       image: "${LINUX_AGENT_IMAGE}"
     depends_on:
@@ -99,6 +99,20 @@ steps:
       build.env('BUILDKITE_PIPELINE_SLUG') == "integrations" &&
       build.env('BUILDKITE_PULL_REQUEST_BASE_BRANCH') == "main"
 
+  - label: ":git: Create backport branches for new entries"
+    key: "trigger-backport-create"
+    command: ".buildkite/scripts/trigger_backport.sh"
+    agents:
+      image: "${LINUX_AGENT_IMAGE}"
+    plugins:
+      - elastic/vault-github-token#v0.1.0:
+    if_changed:
+      - ".backports.yml"
+    if: |
+      build.env('BUILDKITE_PULL_REQUEST') == "false" &&
+      build.branch == "main" &&
+      build.env('BUILDKITE_PIPELINE_SLUG') == "integrations"
+
   - label: ":junit: Sources Junit annotate"
     agents:
       # requires at least "bash", "curl" and "git"
@@ -148,6 +162,8 @@ steps:
         allow_failure: false
       - step: "check-buildkite-scripts"
         allow_failure: false
+    if: |
+      build.branch == "nonexisting"
 
   - wait: ~
     continue_on_failure: true

@@ -23,6 +23,7 @@
         "^.buildkite/pull-requests.json$",
         "^.buildkite/scripts/backport_branch.sh$",
         "^.buildkite/scripts/build_packages.sh$",
+        "^.buildkite/scripts/notify_backport_pr.sh$",
         "^.github/dependabot.yml$",
         "^.github/workflows/",
         "^.github/stale.yml$",

@@ -789,7 +789,9 @@ is_pr_affected() {
         '\.buildkite/pull-requests\.json'
         '\.buildkite/scripts/backport_branch\.sh'
         '\.buildkite/scripts/check_backports_inventory\.sh'
-        '\.buildkite/scripts/trigger_backport_dryrun\.sh'
+        '\.buildkite/scripts/notify_backport_pr\.sh'
+        '\.buildkite/scripts/trigger_backport\.sh'
+        '\.buildkite/scripts/trigger_backport_lib\.sh'
         '\.buildkite/scripts/build_packages\.sh'
         '\.buildkite/scripts/check_changelog_entries\.sh'
         '\.buildkite/scripts/packages/.+\.sh'
@@ -798,6 +800,7 @@ is_pr_affected() {
         '\.buildkite/scripts/run_dev_scripts_tests\.sh'
         '\.buildkite/scripts/test_check_changelog_entries\.sh'
         '\.buildkite/scripts/test_helpers\.sh'
+        '\.buildkite/scripts/test_trigger_backport\.sh'
         '\.github/dependabot\.yml'
         '\.github/stale\.yml'
         '\.github/workflows/'
@@ -1242,6 +1245,36 @@ delete_and_create_gh_pr_comment() {
         --body "${contents}"
 }
 
+# Posts a new comment on every pipeline run/retry while staying idempotent
+# within a single attempt. Pass a unique id per attempt (e.g. build-number +
+# retry-count) — if a comment with that id already exists the call is a no-op,
+# so transient gh failures can be retried safely without double-posting.
+create_new_gh_pr_comment() {
+    local owner="$1"
+    local repo="$2"
+    local pr_number="$3"
+    local id="$4"
+    local comment_file="$5"
+    local metadata="<!--COMMENT_GENERATED_WITH_ID_${id}-->"
+
+    local comment_id
+    comment_id=$(get_comment_with_pattern "${owner}" "${repo}" "${pr_number}" "${metadata}")
+    if [[ -n "${comment_id}" ]]; then
+        echo "Comment already posted for id=${id}, skipping"
+        return
+    fi
+
+    local contents
+    contents="$(cat "${comment_file}")"
+    printf -v contents '%s\n%s' "${contents}" "${metadata}"
+
+    echo "Creating new comment"
+    gh pr comment \
+        "${pr_number}" \
+        --repo "${owner}/${repo}" \
+        --body "${contents}"
+}
+
 # FIXME: In a Pull Request that there are more than 100 comments,
 # if the comment is older than those 100 comments, it won't be found due to pagination
 get_comment_with_pattern() {

@@ -0,0 +1,50 @@
+#!/bin/bash
+# Posts a comment on the PR that triggered the backport branch creation,
+# reporting success or failure of the branch creation step.
+# Expects env vars: PR_NUMBER, NOTIFY_STATUS (success|failure),
+#                   BACKPORT_BRANCH_NAME, PACKAGE_NAME, PACKAGE_VERSION,
+#                   BUILDKITE_BUILD_URL
+
+source .buildkite/scripts/common.sh
+
+set -euo pipefail
+
+BACKPORT_BRANCH_NAME="$(buildkite-agent meta-data get BACKPORT_BRANCH_NAME --default "${BACKPORT_BRANCH_NAME:-""}")"
+PACKAGE_NAME="$(buildkite-agent meta-data get PACKAGE_NAME --default "${PACKAGE_NAME:-""}")"
+PACKAGE_VERSION="$(buildkite-agent meta-data get PACKAGE_VERSION --default "${PACKAGE_VERSION:-""}")"
+PR_NUMBER="$(buildkite-agent meta-data get PR_NUMBER --default "${PR_NUMBER:-""}")"
+
+# Validate required env vars not available via meta-data.
+echo "--- Validating required env vars"
+: "${NOTIFY_STATUS:?NOTIFY_STATUS must be set to 'success' or 'failure'}"
+
+if [[ -z "${PR_NUMBER}" ]]; then
+    echo "PR_NUMBER not set, skipping PR notification"
+    exit 0
+fi
+
+echo "--- Adding GitHub CLI to PATH"
+add_bin_path
+with_github_cli
+
+echo "--- Creating body file"
+BODY_FILE="$(mktemp)"
+trap 'rm -f "${BODY_FILE}"' EXIT
+
+if [[ "${NOTIFY_STATUS}" == "success" ]]; then
+    cat > "${BODY_FILE}" <<EOF
+:white_check_mark: Backport branch \`${BACKPORT_BRANCH_NAME}\` created successfully for package \`${PACKAGE_NAME}\` \`${PACKAGE_VERSION}\`.
+
+[Buildkite build](${BUILDKITE_BUILD_URL})
+EOF
+else
+    cat > "${BODY_FILE}" <<EOF
+:x: Failed to create backport branch \`${BACKPORT_BRANCH_NAME}\` for package \`${PACKAGE_NAME}\` \`${PACKAGE_VERSION}\`.
+
+Check the [Buildkite build](${BUILDKITE_BUILD_URL}) for details.
+EOF
+fi
+
+echo "--- Creating new GitHub PR comment"
+RUN_ID="backport-${BACKPORT_BRANCH_NAME}-${BUILDKITE_BUILD_NUMBER:-0}-${BUILDKITE_RETRY_COUNT:-0}"
+retry 3 create_new_gh_pr_comment "elastic" "integrations" "${PR_NUMBER}" "${RUN_ID}" "${BODY_FILE}"
@@ -44,3 +44,13 @@ deactivate
 echo ""
 echo "=== Running check_changelog_entries.sh tests ==="
 run_tests_if_exists "${REPO_ROOT}/.buildkite/scripts/test_check_changelog_entries.sh"
+
+echo ""
+echo "=== Running trigger_backport_lib.sh tests ==="
+# yq is required by generate_trigger_pipeline(); install it if not already available.
+if ! command -v yq &>/dev/null; then
+    source "${REPO_ROOT}/.buildkite/scripts/common.sh"
+    add_bin_path
+    with_yq
+fi
+run_tests_if_exists "${REPO_ROOT}/.buildkite/scripts/test_trigger_backport.sh"
@@ -27,3 +27,29 @@ assert_exit_code() {
         (( fail++ )) || true
     fi
 }
+
+assert_file_contains() {
+    local description="$1"
+    local needle="$2"
+    local file="$3"
+    if grep -qF "${needle}" "${file}" 2>/dev/null; then
+        echo "PASS: ${description}"
+        (( pass++ )) || true
+    else
+        echo "FAIL: ${description} — '${needle}' not found in ${file}"
+        (( fail++ )) || true
+    fi
+}
+
+assert_file_not_contains() {
+    local description="$1"
+    local needle="$2"
+    local file="$3"
+    if ! grep -qF "${needle}" "${file}" 2>/dev/null; then
+        echo "PASS: ${description}"
+        (( pass++ )) || true
+    else
+        echo "FAIL: ${description} — '${needle}' unexpectedly found in ${file}"
+        (( fail++ )) || true
+    fi
+}