updatecli: use shared policy

[v1v]

What does this PR do?

Use a shared updatecli policy. The exact configuration is used in different GitHub repositories.

I ran https://github.com/elastic/apm-agent-nodejs/actions/runs/9806099782. And it created the PR:

#4122 vs #4046

Checklist

• Implement code
• Add tests
• Update TypeScript typings
• Update documentation
• Add CHANGELOG.asciidoc entry
• Commit message follows commit guidelines

[trentm]

Approved with some reservations. The end result here feels like a very complex solution to the problem of periodically checking for updates to some files vendored from another repo.

[trentm]

Unfortunately these "name:" Handle ... strings do not appear in the workflow run log at all, e.g.: https://github.com/elastic/apm-agent-nodejs/actions/runs/9806099782/job/27077125378

[v1v]

I'll raise an issue in the upstream project so it can be honoured or at least they know this case. Thanks

[trentm]

These policy files are behind credentials that I don't have, so are uninspectable by me. Do these live in a repo somewhere that I could look at? Here I guess:
https://github.com/elastic/oblt-updatecli-policies/tree/main/updatecli/policies/apm/apm-data-spec

The "0.2.0" container image label doesn't have a matching git tag in that repository. I see there is a changelog, but it is a bit of a guess which commit a particular container image build corresponds to.

Perhaps at least a clickable URL to be able to go look at the related code? Something like:

Suggested change

	policy: ghcr.io/elastic/oblt-updatecli-policies/apm/apm-data-spec:0.2.0@sha256:7069c0773d44a74c4c8103b4d9957b468f66081ee9d677238072fe11c4d2197c
	# https://github.com/elastic/oblt-updatecli-policies/tree/main/updatecli/policies/apm/apm-data-spec
	policy: ghcr.io/elastic/oblt-updatecli-policies/apm/apm-data-spec:0.2.0@sha256:7069c0773d44a74c4c8103b4d9957b468f66081ee9d677238072fe11c4d2197c

Though, that is of limited help, because it is very difficult to understand what this workflow is attempting to do and to follow what the policy is doing. I can make guesses, but for example, it isn't clear to me what build process in oblt-updatecli-policies is rendering the https://github.com/elastic/oblt-updatecli-policies/blob/main/updatecli/policies/apm/apm-data-spec/updatecli.d/default.tpl template to a useable final thing that updatecli eventually executes.

[v1v]

These policy files are behind credentials that I don't have

Not at all, you can login to GitHub itself:

• https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry

Do these live in a repo somewhere that I could look at?

I didn't want to explicitly write the GitHub repository, it's private at the moment, I'm waiting for an approval to set it public available.

elastic/oblt-updatecli-policies@main/updatecli/policies/apm/apm-data-spec

correct

Perhaps at least a clickable URL to be able to go look at the related code? Something like:

No, I plan to use updatecli to bump the versions automatically; see elastic/apm-agent-go#1633

I'll raise an issue to ask to the upstream project what's the strategy about the changelog automation for those automated-bumps touching the updatecli policies.

[v1v]

Though, that is of limited help, because it is very difficult to understand what this workflow is attempting to do and to follow what the policy is doing.

Do you know how I can help with this? I'm open to making this better.

The idea behind the updatecli shareable policies is to share updatecli pipelines between different GitHub projects and then use 'values' to configure the behaviour. That's why the 'default.tpl' exists and then infer the values.

In this particular case, these changes are all related to syncing up the apm and apm-data specs/gherkins in all the APM Agents, see https://github.com/elastic/observability-robots/issues/1751 (Only for Elastic employees)

[v1v]

The end result here feels like a very complex solution to the problem of periodically checking for updates to some files vendored from another repo.

I'm not sure what's the reason for the complex solution:

• Configure the values in specific YAML files (one per policy)
• Configure the shared policies in the root file update-compose.yaml
• GitHub action to configure the environment (updatecli, credentials) and run the updatecli policies.

It's idempotence and will create Pull Requests with changes if needed.

All the above is required in 8 or 9 different GitHub projects. I already went through changing behaviour in the updatecli pipeline, and had to deal with several PRs.

• updatecli: dynamic specs apm-agent-dotnet#2263
• updatecli: dynamic specs apm-agent-go#1570
• updatecli: dynamic specs apm-agent-java#3497
• chore: updatecli with dynamic specs #3845
• updatecli: dynamic specs  apm-agent-php#1123
• updatecli: dynamic specs apm-agent-python#1957
• updatecli: dynamic specs apm-agent-ruby#1439

Using a centralised shared place for well defined policies will help us by different means:

• easy to onboard new projects
• reduce duplication
• tests those polices in isolation.
• version them

The very end goal is to use automation, therefore if a new version is released for the updatecli policies, the file update-compose.yaml will be automatically updated itself, see elastic/apm-agent-go#1634

Please let me know if I need to clarify anything, I'll raise a few GitHub issues in the updatecli project based on your valuable feedback, 🙏

[trentm]

Please let me know if I need to clarify anything

All good. Thanks for feedback.

Perhaps add that comment at the top of "update-compose.yaml" stating that the file is related to updatecli? If that is a pain because you need this to be common across the many apm-agent repos, then you can skip it. Thanks.

Note to self: I can browse the published ghcr.io packages here:
https://github.com/orgs/elastic/packages?tab=packages&q=oblt
https://github.com/elastic/oblt-updatecli-policies/pkgs/container/oblt-updatecli-policies%2Fapm%2Fapm-data-spec

[v1v]

Perhaps add that comment at the top of "update-compose.yaml" stating that the file is related to updatecli?

Not at all, see 5981a5e (#4121)