Split workflows according to permissions

This splits our single workflow file over multiple.

Ensuring PR's only need read permission and our prerelease flow on main
is separated from the actual release tagging trigger more clearly.

We now also enfore 2 spaces for yml files instead of 4.

.editorconfig

@@ -5,13 +5,13 @@ charset = utf-8
 indent_style = tab
 indent_size = 4
 # Spell checker configuration
-spelling_exclusion_path = ./build/exclusion.dic
+spelling_exclusion_path = "./build/exclusion.dic"
 
-[*.{fs,fsx,yml}]
+[*.{fs,fsx}]
 indent_style = space
 indent_size = 4
 
-[*.{md,markdown,json,js,csproj,fsproj,targets,targets,props}]
+[*.{md,markdown,json,js,yml,csproj,fsproj,targets,targets,props}]
 indent_style = space
 indent_size = 2
 

.github/workflows/bootstrap/action.yml

@@ -0,0 +1,49 @@
+---
+name: Bootstrap Checkout
+description: Ensures all actions bootstrap the same
+
+outputs:
+  agent-version:
+    description: "The current agent version number"
+    value: ${{ steps.dotnet.outputs.agent-version }}
+  major-version:
+    description: "The current major version number, semver"
+    value: ${{ steps.dotnet.outputs.major-version }}
+
+runs:
+  using: "composite"
+  steps:
+    # Ensure we fetch all tags
+    - shell: bash
+      run: |
+        git fetch --prune --unshallow --tags
+        git tag --list
+        
+    - uses: actions/cache@v3
+      with:
+        path: ~/.nuget/packages
+        key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.[cf]sproj*') }}
+        restore-keys: |
+          ${{ runner.os }}-nuget
+          
+    -   name: Setup dotnet
+        uses: actions/setup-dotnet@v3
+        with:
+          dotnet-version: |
+            6.0.x
+            8.0.x
+            6.0.x
+    - id: dotnet
+      shell: bash
+      run: |
+        dotnet --list-sdks
+        dotnet tool restore
+        AGENT_VERSION=$(dotnet minver -t=v -p=canary.0 -v=e)
+        echo "Version Number: ${AGENT_VERSION}"
+        echo "AGENT_VERSION=${AGENT_VERSION}" >> $GITHUB_ENV
+        echo "agent-version=${AGENT_VERSION}" >> $GITHUB_OUTPUT
+        echo "major-version=$(echo ${AGENT_VERSION} | cut -d"." -f1)" >> $GITHUB_OUTPUT
+  
+
+    # Setup git config
+    - uses: elastic/apm-pipeline-library/.github/actions/setup-git@current

.github/workflows/license.yml

@@ -1,15 +1,15 @@
 name: License headers
 
-on: [pull_request]
+on: [ pull_request ]
 
 jobs:
   build:
 
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+      - uses: actions/checkout@v2
 
-    - name: Check license headers
-      run: |
-        ./.github/check-license-headers.sh
+      - name: Check license headers
+        run: |
+          ./.github/check-license-headers.sh

.github/workflows/prerelease.yml

@@ -0,0 +1,37 @@
+name: release-main
+
+on:
+  push:
+    branches: [ "main" ]
+
+permissions:
+  contents: write
+  issues: write
+  packages: write
+
+env:
+  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bootstrap Action Workspace
+        id: bootstrap
+        uses: ./.github/workflows/bootstrap
+
+      - run: ./build.sh release
+        name: Release
+
+      - name: publish canary packages github package repository
+        shell: bash
+        # this is a best effort to push to GHPR, we've observed it being unavailable intermittently
+        continue-on-error: true
+        run: dotnet nuget push '.artifacts/package/release/*.nupkg' -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate --no-symbols
+
+      # Github packages requires authentication, this is likely going away in the future so for now we publish to feedz.io
+      - run: dotnet nuget push '.artifacts/package/release/*.nupkg' -k ${{secrets.FEEDZ_IO_API_KEY}} -s https://f.feedz.io/elastic/all/nuget/index.json --skip-duplicate --no-symbols
+        name: publish canary packages to feedz.io
+        if: false && github.event_name == 'push' && startswith(github.ref, 'refs/heads')
+

.github/workflows/pull-request.yml

@@ -0,0 +1,50 @@
+name: Pull Request Validation
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '*.md'
+      - '*.asciidoc'
+      - 'docs/**'
+  pull_request:
+    paths-ignore:
+      - '*.md'
+      - '*.asciidoc'
+      - 'docs/**'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+env:
+  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
+
+jobs:
+  test-windows:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bootstrap Action Workspace
+        id: bootstrap
+        uses: ./.github/workflows/bootstrap
+
+      - run: build.bat test
+        shell: cmd
+        name: Test
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bootstrap Action Workspace
+        id: bootstrap
+        uses: ./.github/workflows/bootstrap
+
+      # We still run the full release build on pull-requests this ensures packages are validated ahead of time
+      - run: ./build.sh release
+        name: Release

.github/workflows/release.yml

@@ -0,0 +1,112 @@
+name: release
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+env:
+  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
+  JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+  SLACK_CHANNEL: "#apm-agent-dotnet"
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Bootstrap Action Workspace
+      id: bootstrap
+      uses: ./.github/workflows/bootstrap
+
+    - run: ./build.sh release --skiptests
+      name: Release
+
+    - name: Prepare Nuget
+      uses: hashicorp/[email protected]
+      with:
+        url: ${{ secrets.VAULT_ADDR }}
+        method: approle
+        roleId: ${{ secrets.VAULT_ROLE_ID }}
+        secretId: ${{ secrets.VAULT_SECRET_ID }}
+        secrets: |
+          secret/apm-team/ci/elastic-observability-nuget apiKey | REPO_API_KEY ;
+          secret/apm-team/ci/elastic-observability-nuget url | REPO_API_URL
+
+    - name: Release to Nuget
+      run: dotnet nuget push '.artifacts/package/release/*.nupkg' -k ${REPO_API_KEY} -s  ${REPO_API_URL} --skip-duplicate --no-symbols
+
+    - if: ${{ success() }}
+      uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
+      with:
+        url: ${{ secrets.VAULT_ADDR }}
+        roleId: ${{ secrets.VAULT_ROLE_ID }}
+        secretId: ${{ secrets.VAULT_SECRET_ID }}
+        channel: ${{ env.SLACK_CHANNEL }}
+        message: |
+          :large_green_circle: [${{ github.repository }}] Release *${{ github.ref_name }}* published.
+          Build: (<${{ env.JOB_URL }}|here>)
+          Release URL: (<https://github.com/elastic/apm-agent-dotnet/releases/tag/${{ github.ref_name }}|${{ github.ref_name }}>)
+
+    - if: ${{ failure() }}
+      uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
+      with:
+        url: ${{ secrets.VAULT_ADDR }}
+        roleId: ${{ secrets.VAULT_ROLE_ID }}
+        secretId: ${{ secrets.VAULT_SECRET_ID }}
+        channel: ${{ env.SLACK_CHANNEL }}
+        message: |
+          :large_yellow_circle: [${{ github.repository }}] Release *${{ github.ref_name }}* could not be published.
+          Build: (<${{ env.JOB_URL }}|here>)
+          
+  post-release:
+    needs: [ 'release']
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GIT_TAG: v${{ needs.release.outputs.agent-version }}
+      NEW_BRANCH: update/${{ needs.release.outputs.agent-version }}
+      TARGET_BRANCH: ${{ needs.release.outputs.major-version }}.x
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup git config
+        uses: elastic/apm-pipeline-library/.github/actions/setup-git@current
+
+      - name: Create GitHub Pull Request if minor release.
+        run: |
+          echo "as long as there is a major.x branch"
+          existed_in_local=$(git ls-remote --heads origin ${TARGET_BRANCH})
+          if [ -z "${existed_in_local}" ]; then
+            echo -e "::warning::Target branch '${TARGET_BRANCH}' does not exist."
+            exit 0
+          fi
+          git checkout $TARGET_BRANCH
+          git checkout -b ${NEW_BRANCH}
+          git format-patch -k --stdout ${TARGET_BRANCH}...origin/main -- docs CHANGELOG.asciidoc | git am -3 -k
+          git push origin ${NEW_BRANCH}
+          gh pr create \
+            --title "post-release: ${GIT_TAG}" \
+            --body "Generated automatically with ${JOB_URL}" \
+            --head "elastic:${NEW_BRANCH}" \
+            --base "$TARGET_BRANCH" \
+            --repo "${{ github.repository }}"
+
+      - name: Create branch if major release
+        run: |
+          echo "as long as there is no a major.x branch"
+          existed_in_local=$(git ls-remote --heads origin ${TARGET_BRANCH})
+          if [ -n "${existed_in_local}" ]; then
+            echo -e "::warning::Target branch '${TARGET_BRANCH}' does exist."
+            exit 0
+          fi
+          git branch -D $TARGET_BRANCH
+          git push origin $TARGET_BRANCH

build/scripts/CommandLine.fs

@@ -26,6 +26,7 @@ type Build =
     | [<Inherit;AltCommandLine("-s")>] SingleTarget
     | [<Inherit>] Token of string 
     | [<Inherit;AltCommandLine("-c")>] SkipDirtyCheck
+    | [<Inherit;>] SkipTests
 with
     interface IArgParserTemplate with
         member this.Usage =
@@ -49,6 +50,7 @@ with
             | SingleTarget -> "Runs the provided sub command without running their dependencies"
             | Token _ -> "Token to be used to authenticate with github"
             | SkipDirtyCheck -> "Skip the clean checkout check that guards the release/publish targets"
+            | SkipTests -> "Skips running tests"
 
     member this.StepName =
         match FSharpValue.GetUnionFields(this, typeof<Build>) with