updatecli: dynamic specs

[v1v]

What does this PR do?

• Use values.yml to define the configuration to be used when running the updatecli apply, see https://www.updatecli.io/docs/commands/updatecli_apply/#updatecli-apply
• Use updatecli scm to fetch the specs in elastic/apm and elastic/apm-data under the different folders.
• To update those files, use tar with the shell target.

Checklist

• This is an enhancement of existing features, or a new feature in existing plugins
  • I have updated CHANGELOG.asciidoc
  • I have added tests that prove my fix is effective or that my feature works
  • Added an API method or config option? Document in which version this will be introduced
  • I have made corresponding changes to the documentation
• This is a bugfix
  • I have updated CHANGELOG.asciidoc
  • I have added tests that would fail without this fix
• This is a new plugin
  • I have updated CHANGELOG.asciidoc
  • My code follows the style guidelines of this project
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have updated supported-technologies.asciidoc
  • Added an API method or config option? Document in which version this will be introduced
  • Added an instrumentation plugin? Describe how you made sure that old, non-supported versions are not instrumented by accident.
• This is something else
  • I have updated CHANGELOG.asciidoc

Test

I iterated in the existing GitHub action by using the upstream branch:

• https://github.com/elastic/apm-agent-java/actions/runs/7545513322/job/20541293368 ran successfully.

Locally:

GITHUB_WORKSPACE=/tmp \
  PATH=/opt/homebrew/bin:$PATH \
  GIT_USER="Victor Martinez" \
  GIT_EMAIL="[email protected]" \
  GITHUB_TOKEN=$(gh auth token) \
  updatecli apply --config .ci/updatecli/updatecli.d --values .ci/updatecli/values.yml --debug

or without pushing any changes

GITHUB_WORKSPACE=/tmp \
  PATH=/opt/homebrew/bin:$PATH \
  GIT_USER="Victor Martinez" \
  GIT_EMAIL="[email protected]" \
  GITHUB_TOKEN=$(gh auth token) \
  updatecli apply --config .ci/updatecli/updatecli.d --values .ci/updatecli/values.yml --push=false --debug

additionally, you can change the org from elastic to your own GitHub avatar.

[v1v]

The tricky thing here is to use # since the value of the sourceid: sha is appended to the command and then produce some unexpected output.

[reakaleek]

I think if you omit the sourceid option, the value is not appended

[v1v]

I think if you omit the sourceid option, the value is not appended

That was expected, but It was not the case for some reason.

Given

diff --git a/.ci/updatecli/updatecli.d/update-specs.yml b/.ci/updatecli/updatecli.d/update-specs.yml
index 0be8fa56a..ca40c47ef 100644
--- a/.ci/updatecli/updatecli.d/update-specs.yml
+++ b/.ci/updatecli/updatecli.d/update-specs.yml
@@ -77,7 +77,6 @@ targets:
   agent-json-schema:
     name: APM agent json server schema {{ source "sha" }}
     scmid: default
-    sourceid: sha
     kind: shell
     spec:
       command: 'tar -xzf {{ requiredEnv "GITHUB_WORKSPACE" }}/json-schema.tgz && git --no-pager diff # required to ignore the sourceid being appended'

When running:

GITHUB_WORKSPACE=/tmp PATH=/opt/homebrew/bin:$PATH GIT_USER="foo" GIT_EMAIL="[email protected]" GITHUB_TOKEN=$(gh auth token) updatecli apply --config .ci/updatecli/updatecli.d/update-specs.yml --values .ci/updatecli/values.yml --push=false --debug

Then it failed with the below error:

+++++++++++
+ PREPARE +
+++++++++++

Loading Pipeline ".ci/updatecli/updatecli.d/update-specs.yml"
ERROR: empty 'sourceid' for target "agent-json-schema"
ERROR: Skipping manifest in position '\x00' from ".ci/updatecli/updatecli.d/update-specs.yml": targets validation error:
wrong updatecli configuration
ERROR: failed loading pipeline(s)
	* ".ci/updatecli/updatecli.d/update-specs.yml" - targets validation error:
wrong updatecli configuration

0 pipeline(s) successfully loaded

SCM repository retrieved: 0

++++++++++++++++++
+ AUTO DISCOVERY +
++++++++++++++++++

ERROR: ✗ no valid pipeline found
ERROR: command failed: no valid pipeline found

While if I run this PR as is then:

TARGETS
========

agent-json-schema
-----------------
DEBUG: No shell success criteria defined, updatecli fallbacks to historical workflow
DEBUG: stage: git-checkout

DEBUG: checkout branch "updatecli_update-schema-specs", based on "main" to directory "/var/folders/t7/ghqdh8cx2g12pwb_w0ncmw900000gn/T/updatecli/github/elastic/apm-agent-java"
DEBUG: 
DEBUG: branch 'updatecli_update-schema-specs' doesn't exist, creating it from branch 'main'
DEBUG: branch "updatecli_update-schema-specs" successfully created
DEBUG: 	command: /bin/sh /var/folders/t7/ghqdh8cx2g12pwb_w0ncmw900000gn/T/updatecli/bin/c3007d0e8db2c2ace0ca4104b167b411531c865a1844a662c648deeecede55b8.sh
DEBUG: Environment variables
DEBUG: 	* UPDATECLI_PIPELINE_STAGE=target
DEBUG: 	* DRY_RUN=false
The shell 🐚 command "/bin/sh /var/folders/t7/ghqdh8cx2g12pwb_w0ncmw900000gn/T/updatecli/bin/c3007d0e8db2c2ace0ca4104b167b411531c865a1844a662c648deeecede55b8.sh" ran successfully with the following output:
----
----
DEBUG: command stderr output was:
----
----
No change detected
✔ - ran shell command "tar -xzf /tmp/json-schema.tgz && git --no-pager diff # required to ignore the sourceid being appended 80b6af8d97e18344df38968bc5b9588961e89492"
DEBUG: Checking if local changes have been done that should be published
DEBUG: no changes detected between branches "main" and "updatecli_update-schema-specs"

ACTIONS
========
=============================

REPORTS:

✔ update-specs:
	Source:
		✔ [agent-specs-tarball] 
		✔ [pull_request] 
		✔ [sha] 
	Target:
		✔ [agent-json-schema] APM agent json server schema 80b6af8d97e18344df38968bc5b9588961e89492

[v1v]

but according to https://www.updatecli.io/docs/plugins/resource/shell/#_shell_condition:

💡 The source associated to this condition (the default source or through the key sourceID) is appended as the last argument to the command line unless the attribute disablesourceinput is set to true.

diff --git a/.ci/updatecli/updatecli.d/update-specs.yml b/.ci/updatecli/updatecli.d/update-specs.yml
index 0be8fa56a..2b3f34ef8 100644
--- a/.ci/updatecli/updatecli.d/update-specs.yml
+++ b/.ci/updatecli/updatecli.d/update-specs.yml
@@ -77,8 +77,8 @@ targets:
   agent-json-schema:
     name: APM agent json server schema {{ source "sha" }}
     scmid: default
-    sourceid: sha
+    disablesourceinput: true
     kind: shell
     spec:
-      command: 'tar -xzf {{ requiredEnv "GITHUB_WORKSPACE" }}/json-schema.tgz && git --no-pager diff # required to ignore the sourceid being appended'
+      command: 'tar -xzf {{ requiredEnv "GITHUB_WORKSPACE" }}/json-schema.tgz && git --no-pager diff'
       workdir: "{{ .apm_agent.server_schema_specs_path  }}"

worked like a charm, so I missed the disablesourceinput argument when I tried this in the past. Let me add the change accordingly.

See 8e86691

[reakaleek]

Ah, right. disablesourceinput does the magic.

[v1v]

We can easily copy the existing updatecli pipelines in .ci/updatecli.d/*.yml in each APM Agent repository and change the relevant values in this file

[v1v]

This could be changed to use gh API /repos/{{ .github.owner }}/{{ .github.apm_data_repository }}/commits --jq '.[0].sha' since it uses the GITHUB_TOKEN variable

This should help with unexpected failures when anonymously accessing GitHub.

[SylvainJuge]

LGTM, I wonder how we could change this ? would introducing few changes in the repo and execute updatecli directly be possible ? If that works then only the trigger when changes are made in the upstream repo would be needed.

[v1v]

I wonder how we could change this?

What do you mean by changing this?

would introducing few changes in the repo and execute updatecli directly be possible ? If that works then only the trigger when changes are made in the upstream repo would be needed.

That's correct; you can use your forked repository to test this and override the vaults.yml for the branch and owner.

diff --git a/.ci/updatecli/values.yml b/.ci/updatecli/values.yml
index 5d1e74685..62d86073a 100644
--- a/.ci/updatecli/values.yml
+++ b/.ci/updatecli/values.yml
@@ -1,9 +1,9 @@
 github:
-  owner: "elastic"
+  owner: "your-gh-avatar"
   repository: "apm-agent-java"
   apm_repository: "apm"
   apm_data_repository: "apm-data"
-  branch: "main"
+  branch: "your-branch"
 specs:
   apm_data_path: "input/elasticapm/docs/spec/v2"
   apm_json_path: "tests/agents/json-specs"

Then you can run this PR locally once you have installed updatecli

$ gh pr checkout 3497
$ GITHUB_WORKSPACE=/tmp \
  GIT_USER="foo" \
  GIT_EMAIL="[email protected]" \
  GITHUB_TOKEN=$(gh auth token) \
  updatecli apply --config .ci/updatecli/updatecli.d --values .ci/updatecli/values.yml --debug

[SylvainJuge]

sorry, I meant "how we could test this", not change it 🤦 , I'll try the commands you've suggested here by artificially reverting those spec files to an older version.

[v1v]

no worries :)

I'll try the commands you've suggested here by artificially reverting those spec files to an older version.

👍

Quick one, you can branch off one old release and use that branch name in the values.yml, though the name of the branch should exist in all the forked repositories (APM Agent Java, apm and apm-data)

[v1v]

@elasticmachine run elasticsearch-ci/docs

[SylvainJuge]

Hi @v1v I haven't been able to find time to test this, do you think it's risky to merge it as-is and adjust with follow-up PRs if needed later ?

[v1v]

Hi @v1v I haven't been able to find time to test this, do you think it's risky to merge it as-is and adjust with follow-up PRs if needed later ?

It's not risky as far as I can see; if something goes wrong, we will receive a notification in Slack anyway, and we can solve it.

I need your 👀 again after refactoring the shell step with a native updatecli support to turn off appending the sha commit; see 8e86691

[reakaleek]

I'm wondering if it would be possible to have the updatecli pipeline in another single place and the values in the respective repos.

In case of changes, we would only have to update the pipeline in a single place.

I'm aware that having it on the consumer side was the initial idea, but I was still wondering what you think about it.

WDYT?

[v1v]

WDYT?

I thought about it, but we don't need it since there are no new APM Agents that often. Hence, as of today, adding such automation will not provide many benefits, plus the caveats with the support for the cross-project GitHub PR creation.

As you mentioned, we used to have a centralised approach in the past, and we moved to a decentralised approach to let teams manage their things.

In any case, if, for some reason, we need to change the same workflow again, we could re-evaluate this question and put the required tooling around it.