ci(bump automation): bump ubi9 for ironbank

[v1v]

Summary

Enable updatecli policies to bump the Ironbank versions automatically, then #182738 won't be manually created but when a new ubit9 version is released and available in the ironbank system.

Those policies can be found at https://github.com/elastic/oblt-updatecli-policies/tree/main/updatecli/policies/ (NOTE: This is a private repository only accessible by Elastic employees)

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Flaky Test Runner was used on any tests changed
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk	Probability	Severity	Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space.	Low	High	Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks.	High	Low	Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

• This was checked for breaking API changes and was labeled appropriately

How to test this PR locally

1. gh pr checkout 191660
2. Install updatecli
3. Login to ghcr.io
4. Diff (dry-run)

$ GITHUB_TOKEN=$(gh auth token) updatecli compose diff --experimental

5. Create Pull Request if new changes

$ GITHUB_REPOSITORY=elastic/kibana \
   GITHUB_ACTOR=v1v \
   GITHUB_TOKEN=$(gh auth token) \
updatecli compose apply --experimental

[obltmachine]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[Ikuni17]

Should this be a bot instead? It seems that actor is not well defined, and would run in the context of an employee with their privlages, which doesn't seem to be ideal.

[v1v]

Interesting. The official docs explained how to use this docker login with the GITHUB_TOKEN:

• https://github.com/docker/login-action#github-container-registry
• https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio

Maybe the issue with github.actor is not the case for this specific use case. We have used this approach so far without any issues, for instance, see the below build for the same kind of code in a different GitHub repository:

• https://github.com/elastic/apm-server/actions/runs/10935341957/job/30356922711#step:4:1

I can see my username, but the following steps do what's expected (download the containers and so on ):

Likely, GitHub does something special with the login, and it's not honoured but the GITHUB_TOKEN.

So far I think we are safe.

[Ikuni17]

Thanks for the links. I think you're correct that the actor is not honored and the GITHUB_TOKEN takes precedence. It's just a bit strange.

[v1v]

/ci

[kibana-ci]

💔 Build Failed

• Buildkite Build
• Commit: f5e9a8f
• Interpreting CI Failures

Failed CI Steps

• Quick Checks

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @v1v

[v1v]

❌ /.buildkite/scripts/steps/checks/file_casing.sh: 1m 16s | 0s
-- | --
  | warn [quick-checks] --- Check File Casing
  | ERROR Filenames MUST use snake_case.
  | - updatecli-compose.yaml

I'm afraid the name of the file is that

[Ikuni17]

❌ /.buildkite/scripts/steps/checks/file_casing.sh: 1m 16s | 0s
-- | --
  | warn [quick-checks] --- Check File Casing
  | ERROR Filenames MUST use snake_case.
  | - updatecli-compose.yaml

I'm afraid the name of the file is that

You can add an exception to src/dev/precommit_hook/casing_check_config.js for this file