diff --git a/.ci/beats-tester.groovy b/.ci/beats-tester.groovy
index 3650246e966..8d96fb1efea 100644
--- a/.ci/beats-tester.groovy
+++ b/.ci/beats-tester.groovy
@@ -24,7 +24,7 @@ pipeline {
   }
   stages {
     stage('Filter build') {
-      agent { label 'ubuntu && immutable' }
+      agent { label 'ubuntu-20' }
       when {
         beforeAgent true
         anyOf {
diff --git a/.ci/build-docker-images.groovy b/.ci/build-docker-images.groovy
index 417e2fefae4..a59aeb8da8f 100644
--- a/.ci/build-docker-images.groovy
+++ b/.ci/build-docker-images.groovy
@@ -3,7 +3,7 @@
 @Library('apm@current') _
 
 pipeline {
-  agent { label 'ubuntu-16 && immutable' }
+  agent { label 'ubuntu-20' }
   environment {
     REPO = 'beats'
     BASE_DIR = "src/github.com/elastic/${env.REPO}"
diff --git a/.ci/scripts/install-tools.bat b/.ci/scripts/install-tools.bat
index 6131997a9c0..438d2dec649 100644
--- a/.ci/scripts/install-tools.bat
+++ b/.ci/scripts/install-tools.bat
@@ -8,10 +8,12 @@ IF NOT EXIST "%PROGRAMFILES(X86)%" (
 )
 set PATH=%WORKSPACE%\bin;C:\ProgramData\chocolatey\bin;C:\tools\mingw%MINGW_ARCH%\bin;%PATH%
 
-where /q curl
-IF ERRORLEVEL 1 (
+curl --version >nul 2>&1 && (
+    echo found curl
+) || (
     choco install curl -y --no-progress --skipdownloadcache
 )
+
 mkdir %WORKSPACE%\bin
 
 IF EXIST "%PROGRAMFILES(X86)%" (
diff --git a/.mergify.yml b/.mergify.yml
new file mode 100644
index 00000000000..d3793facbba
--- /dev/null
+++ b/.mergify.yml
@@ -0,0 +1,42 @@
+pull_request_rules:
+  - name: backport patches to 7.x branch
+    conditions:
+      - merged
+      - base=master
+      - label=backport-v7.13.0
+    actions:
+      backport:
+        branches:
+          - "7.x"
+  - name: backport patches to 7.12 branch
+    conditions:
+      - merged
+      - base=master
+      - label=backport-v7.12.0
+    actions:
+      backport:
+        branches:
+          - "7.12"
+  - name: backport patches to 7.11 branch
+    conditions:
+      - merged
+      - base=master
+      - label=backport-v7.11.0
+    actions:
+      backport:
+        branches:
+          - "7.11"
+  - name: ask to resolve conflict
+    conditions:
+      - conflict
+    actions:
+        comment:
+          message: |
+            This pull request is now in conflicts. Could you fix it? 🙏
+            To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/
+            ```
+            git fetch upstream
+            git checkout -b {{head}} upstream/{{head}}
+            git merge upstream/{{base}}
+            git push upstream {{head}}
+            ```
diff --git a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yml b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yml
index cf867d43ad3..5d83516f686 100644
--- a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yml
+++ b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yml
@@ -623,6 +623,11 @@ rules:
       - events
       - pods
     verbs: ["get", "list", "watch"]
+  # Enable this rule only if planing to use kubernetes_secrets provider
+  #- apiGroups: [""]
+  #  resources:
+  #  - secrets
+  #  verbs: ["get"]
   - apiGroups: ["extensions"]
     resources:
       - replicasets
diff --git a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-role.yaml b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-role.yaml
index dcf2b4a5ff2..13b3554b83c 100644
--- a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-role.yaml
+++ b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-role.yaml
@@ -12,6 +12,11 @@ rules:
       - events
       - pods
     verbs: ["get", "list", "watch"]
+  # Enable this rule only if planing to use kubernetes_secrets provider
+  #- apiGroups: [""]
+  #  resources:
+  #  - secrets
+  #  verbs: ["get"]
   - apiGroups: ["extensions"]
     resources:
       - replicasets
diff --git a/libbeat/common/transport/tlscommon/config.go b/libbeat/common/transport/tlscommon/config.go
index 30009c2b13b..cebc251fd49 100644
--- a/libbeat/common/transport/tlscommon/config.go
+++ b/libbeat/common/transport/tlscommon/config.go
@@ -19,12 +19,15 @@ package tlscommon
 
 import (
 	"crypto/tls"
+	"sync"
 
 	"github.com/joeshaw/multierror"
 
 	"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
 )
 
+var warnOnce sync.Once
+
 // Config defines the user configurable options in the yaml file.
 type Config struct {
 	Enabled          *bool                   `config:"enabled" yaml:"enabled,omitempty"`
@@ -98,7 +101,9 @@ func LoadTLSConfig(config *Config) (*TLSConfig, error) {
 // Validate values the TLSConfig struct making sure certificate sure we have both a certificate and
 // a key.
 func (c *Config) Validate() error {
-	cfgwarn.Deprecate("8.0.0", "Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed.")
+	warnOnce.Do(func() {
+		cfgwarn.Deprecate("8.0.0", "Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed.")
+	})
 
 	return c.Certificate.Validate()
 }
diff --git a/x-pack/elastic-agent/pkg/composable/providers/kubernetessecrets/kubernetes_secrets.go b/x-pack/elastic-agent/pkg/composable/providers/kubernetessecrets/kubernetes_secrets.go
index 4af00bc766e..5588a546a29 100644
--- a/x-pack/elastic-agent/pkg/composable/providers/kubernetessecrets/kubernetes_secrets.go
+++ b/x-pack/elastic-agent/pkg/composable/providers/kubernetessecrets/kubernetes_secrets.go
@@ -47,6 +47,9 @@ func ContextProviderBuilder(logger *logger.Logger, c *config.Config) (corecomp.C
 
 func (p *contextProviderK8sSecrets) Fetch(key string) (string, bool) {
 	// key = "kubernetes_secrets.somenamespace.somesecret.value"
+	if p.client == nil {
+		return "", false
+	}
 	tokens := strings.Split(key, ".")
 	if len(tokens) > 0 && tokens[0] != "kubernetes_secrets" {
 		return "", false
diff --git a/x-pack/filebeat/input/httpjson/internal/v2/response.go b/x-pack/filebeat/input/httpjson/internal/v2/response.go
index cc5f6605bc5..31e13cf579b 100644
--- a/x-pack/filebeat/input/httpjson/internal/v2/response.go
+++ b/x-pack/filebeat/input/httpjson/internal/v2/response.go
@@ -118,14 +118,20 @@ func (rp *responseProcessor) startProcessing(stdCtx context.Context, trCtx *tran
 				}
 
 				if err := rp.split.run(trCtx, tr, ch); err != nil {
-					if err == errEmptyField {
+					switch err {
+					case errEmptyField:
 						// nothing else to send for this page
 						rp.log.Debug("split operation finished")
 						continue
+					case errEmptyRootField:
+						// root field not found, most likely the response is empty
+						rp.log.Debug(err)
+						return
+					default:
+						rp.log.Debug("split operation failed")
+						ch <- maybeMsg{err: err}
+						return
 					}
-					rp.log.Debug("split operation failed")
-					ch <- maybeMsg{err: err}
-					return
 				}
 			}
 		}