updatecli: manage UBI and updatecli versions

Automate elastic#18426 and already applied in other projects see elastic/apm-server#19558

Author: v1v

.ci/updatecli/values.d/ironbank.yml

@@ -0,0 +1,9 @@
+config:
+  - path: docker/templates
+    dockerfile: IronbankDockerfile.erb
+    manifest: hardening_manifest.yaml.erb
+
+pull_request:
+  labels:
+    - dependencies
+    - backport-active-all

.ci/updatecli/values.d/updatecli.yml

@@ -0,0 +1,6 @@
+path: .updatecli-version
+
+pull_request:
+  labels:
+    - dependencies
+    - backport-skip

.github/workflows/update-compose.yml

@@ -0,0 +1,56 @@
+---
+name: update-compose
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  compose:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Get token
+        id: get_token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+          owner: ${{ github.repository_owner }}
+          repositories: |
+            apm-server
+          permission-contents: write
+          permission-pull-requests: write
+
+      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: elastic/oblt-actions/updatecli/run@v1
+        with:
+          command: compose diff
+        env:
+          GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
+
+      - uses: elastic/oblt-actions/updatecli/run@v1
+        with:
+          command: compose apply
+        env:
+          GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
+
+      - if: ${{ failure()  }}
+        uses: elastic/oblt-actions/slack/send@v1
+        with:
+          channel-id: '#apm-server'
+          message: ":traffic_cone: updatecli failed for `${{ github.repository }}@${{ github.ref_name }}`, @robots-ci please look what's going on <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>"
+          bot-token: ${{ secrets.SLACK_BOT_TOKEN }}

updatecli-compose.yaml

@@ -0,0 +1,17 @@
+# Config file for `updatecli compose ...`.
+# https://www.updatecli.io/docs/core/compose/
+policies:
+  - name: Handle ironbank bumps
+    policy: ghcr.io/elastic/oblt-updatecli-policies/ironbank/templates:0.5.3@sha256:1d5b2f8ca1c141ebe0368d39ec1cdf8bc32662795a21416907eb02b8bf40d890
+    values:
+      - .ci/updatecli/values.d/scm.yml
+      - .ci/updatecli/values.d/ironbank.yml
+  - name: Handle updatecli bumps
+    policy: ghcr.io/elastic/oblt-updatecli-policies/updatecli/version:0.2.0@sha256:013a37ddcdb627c46e7cba6fb9d1d7bc144584fa9063843ae7ee0f6ef26b4bea
+    values:
+      - .ci/updatecli/values.d/scm.yml
+      - .ci/updatecli/values.d/updatecli.yml
+  - name: Update Updatecli policies
+    policy: ghcr.io/updatecli/policies/autodiscovery/updatecli:0.9.1@sha256:5bbca67a9e31bf5432d5cae1452b9fc770014151ddd856f367ccb9ba46f6f8bb
+    values:
+      - .ci/updatecli/values.d/scm.yml