Manage Azure SDKs version with Dependabot

[zmoog]

Proposed commit message

Set up Dependabot to manage the Azure SDK version.

With the current reactive and manual process, our dependencies are often outdated. To release a bugfix to a dependency, we need to wait for the following stack release instead of merging it shortly after it's available from Azure.

See #39492 to learn more.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

• Relates Keep the AWS/Azure/GCP SDK version up to date #39492

Tasks

Preview Give feedback

1. Dependabot: fix cloud providers' SDK dependencies #40125
   Team:obs-ds-hosted-services bug +2
   
2. Dependabot: add CSP SDKs to the allow list #40150
   Team:obs-ds-hosted-services bug +2
   

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @zmoog? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[elasticmachine]

Pinging @elastic/obs-ds-hosted-services (Team:obs-ds-hosted-services)

[axw]

Rather than introducing a new package-ecosystem: gomod block, would it make sense to just update the existing block above with the groups and adding to its allow list?

[zmoog]

Yeah, now I see that apm-server has two blocks because each one targets a different directory.

I'm updating the existing block!

[zmoog]

I just noticed that by adding a package-ecosystem: gomod, we could set a reviewers option to direct PRs to our team.

Do you think it's worth adding a second package-ecosystem: gomod to customize reviewers, or it's better to keep things as simple as possible and just add a group or allow for the Azure dependencies?

I mean something like:

  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
    reviewers:
      - "elastic/obs-ds-hosted-services"
    groups:
      azure-sdk-for-go:
        patterns:
          - "github.com/Azure/azure-sdk-for-go/*"
      azure-event-hubs-go:
        patterns:
          - "github.com/Azure/azure-event-hubs-go/*"

[axw]

That's a good point. I think it would be ideal if the hosted services team were flagged for review, so having a separate block sounds like the way to go after all.

[zmoog]

Let me try this: I created a block for CSPs, so we can add a group for each CSP and target specific teams.

  # Cloud providers' SDK dependencies
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
    reviewers:
      - "elastic/obs-ds-hosted-services"
    groups:
      azure-sdks:
        patterns:
          - "github.com/Azure/azure-sdk-for-go/*"
          - "github.com/Azure/azure-event-hubs-go/*"
          - "github.com/Azure/go-autorest/*"
          - "github.com/Azure/azure-storage-blob-go/*"

[zmoog]

Hey @elastic/ingest-eng-prod, whenever you have a moment, could you please take a look at this pull request? 🙇

[dliappis]

Looks good from my PoV, left a question

[dliappis]

since this is an automation task that will open pull request(s) (right?), does it make sense that we also add the corresponding labels to the PR, as e.g. done above:

    labels:
      - automation
      - dependabot

[zmoog]

since this is an automation task that will open pull request(s) (right?)

Yep.

Ouch, I missed the labels! Thank you for pointing this out. Added!

[agithomas]

LGTM!

[dliappis]

LGTM