
[automation] Add requires-update workflow #19217

Open
teresaromero wants to merge 10 commits into elastic:main from teresaromero:automated-requires-update


@teresaromero
Contributor

Proposed commit message

Add a weekly scheduled workflow that runs mage RequiresUpdate across all integration packages and
opens one PR per codeowner team with the manifest and changelog bumps. When a team's updates are all
Kibana-version-blocked, it opens a GitHub issue instead.

What changed:

mage RequiresUpdate walks packages/, calls elastic-package requires update --format json to get
proposals and apply manifest changes, adds changelog entries, and computes the next version by the
largest semver tier across applied bumps (major > minor > patch). --dry-run is passed only when
DRY_RUN=true.
It writes a JSON report grouped by codeowner team that the shell script reads to do all git and
GitHub operations: branch per team, commit, force-push, gh pr create or gh issue create, and a
second commit that replaces the pull/0 changelog placeholder with the real PR number.

Key decisions:

  • One PR per codeowner team — keeps review scope tight; branch is automated/requires-update-<slug>,
    stable and force-pushed so existing open PRs are updated in place rather than duplicated.
  • Script, not updatecli — updatecli cannot fan-out to N dynamically-discovered teams, cannot fix
    the changelog link post-PR-create, and cannot share one elastic-package build across targets.
  • JSON as the mage→script contract — the report carries applied/skipped proposals, team slugs,
    and file lists so the script needs no git-status parsing or CODEOWNERS re-derivation.
  • breaking-change changelog type for major dep bumps — a major input-package version signals
    an incompatible contract change surfaced through the integration's assets.
  • continue-on-error: true on the mage step — one failing package should not block PRs for
    teams whose packages succeeded.
  • elastic-package pinned to a commit: --format json is not yet in a released version;
    a TODO comment marks the pin for removal once it ships.

Preview (bash .github/scripts/requires-update.sh --preview .github/scripts/testdata/requires-update.json):

======================================== PR
Team:   @elastic/obs-infraobs-integrations
Branch: automated/requires-update-obs-infraobs-integrations
PR title: [automation] Update required package versions for @elastic/obs-infraobs-integrations

## Packages updated

### `nginx_integration_otel`
- **nginx_input_otel** (`input`): `0.2.0` → `0.3.0`

### `apache_otel`
- **apache_input_otel** (`input`): `1.0.0` → `2.0.0`
- ⚠️ **apache_logs_otel** skipped: requires kibana ^9.6.0, incompatible with ^8.13.0

======================================== PR
Team:   @elastic/security-service-integrations
Branch: automated/requires-update-security-service-integrations
PR title: [automation] Update required package versions for @elastic/security-service-integrations

## Packages updated

### `okta`
- **okta_input** (`input`): `0.9.0` → `0.10.0`

======================================== ISSUE
Team:  @elastic/ecosystem
Issue title: [automation] Package version updates blocked for @elastic/ecosystem

The following packages have dependency updates available but could not be applied automatically.

### `some_integration`
- **some_input**: requires kibana ^9.0.0, incompatible with ^8.0.0

/cc @elastic/ecosystem

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • --preview mode tested against testdata/requires-update.json for all three cases (PR with updates, PR with partial skips, issue-only).
  • automated/requires-update-* branches must not be branch-protected (same convention as dependabot/updatecli).

How to test this PR locally

# Preview without touching git or GitHub:
bash .github/scripts/requires-update.sh --preview .github/scripts/testdata/requires-update.json

# Dry-run mage target (no files written):
DRY_RUN=true REQUIRES_UPDATE_JSON_OUT=/tmp/out.json mage RequiresUpdate

# Full local run:
REQUIRES_UPDATE_JSON_OUT=/tmp/out.json mage RequiresUpdate

The workflow can also be triggered manually via workflow_dispatch once merged.

Related issues
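
An added example, not code from this PR: the version rule described under "What changed" (next version taken from the largest semver tier across applied bumps, major > minor > patch, with the breaking-change changelog type for major bumps). `Bump`, `parse` and `NextVersion` are hypothetical names, the report schema is not shown on the page, and the `enhancement` type for non-major bumps is an assumption.

```go
package main

import "fmt"

// Bump is one applied proposal (hypothetical type, not the PR's report schema).
type Bump struct{ Name, From, To string }

// parse accepts plain MAJOR.MINOR.PATCH; the round-trip rejects tags and leading zeros.
func parse(v string) (p [3]uint, err error) {
	_, err = fmt.Sscanf(v, "%d.%d.%d", &p[0], &p[1], &p[2])
	if err != nil || fmt.Sprintf("%d.%d.%d", p[0], p[1], p[2]) != v {
		return p, fmt.Errorf("not plain MAJOR.MINOR.PATCH: %q", v)
	}
	return p, nil
}

// NextVersion bumps current at the largest tier found across the applied bumps.
func NextVersion(current string, bumps []Bump) (string, string, error) {
	cur, err := parse(current)
	if err != nil || len(bumps) == 0 {
		return "", "", fmt.Errorf("bad current version %q or no applied bumps", current)
	}
	best := 3 // index of the highest tier seen: 0=major, 1=minor, 2=patch
	for _, b := range bumps {
		from, err1 := parse(b.From)
		to, err2 := parse(b.To)
		i := 0
		for i < 3 && from[i] == to[i] {
			i++
		}
		if err1 != nil || err2 != nil || i == 3 || to[i] < from[i] {
			return "", "", fmt.Errorf("%s: %s -> %s is not a clean upgrade", b.Name, b.From, b.To)
		}
		if i < best {
			best = i
		}
	}
	cur[best]++
	for j := best + 1; j < 3; j++ {
		cur[j] = 0
	}
	// breaking-change for major is from the PR text; enhancement is an assumption.
	kind := [3]string{"breaking-change", "enhancement", "enhancement"}[best]
	return fmt.Sprintf("%d.%d.%d", cur[0], cur[1], cur[2]), kind, nil
}

func main() { // sample input constructed from the preview's apache_otel entry
	fmt.Println(NextVersion("1.4.2", []Bump{{"apache_input_otel", "1.0.0", "2.0.0"}}))
}
```

Components are compared as numbers, so `0.9.0` → `0.10.0` is classified as a minor upgrade; a downgrade or a pre-release string stops the run instead of producing a changelog entry.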

teresaromero and others added 9 commits May 26, 2026 16:10
…ersions

- Introduced a new `RequiresUpdate` function in `magefile.go` that triggers the update of required package versions for all integration packages.
- Added a new `requiresupdate` package with functionality to process package updates, manage changelog entries, and handle dry-run scenarios.
- The `Run` function in the `requiresupdate` package walks through integration packages, applies updates, and summarizes changes by codeowner.

This enhancement streamlines the process of maintaining package dependencies and ensures integration packages are up-to-date.

Add requiresBlock and requiresEntry types to citools.packageManifest so
the requires: field is parsed from the manifest. Requires is a pointer so
nil unambiguously means the key was absent. HasRequires() lets callers
skip packages before spawning any subprocess.

Use HasRequires() in requiresupdate.Run() to avoid calling
elastic-package for the large majority of packages that have no requires
section.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Emit a structured JSON report (path via REQUIRES_UPDATE_JSON_OUT env var)
grouping applied and skipped proposals by codeowner team, including the
file paths written to disk. Consumed by the GitHub Actions script to drive
per-team PRs and issues without duplicating CODEOWNERS logic in bash.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Scheduled GitHub Actions workflow (Monday 09:00 UTC) that runs
mage RequiresUpdate and drives one PR per codeowner team for applied
updates, or a GitHub issue for teams where all proposals were blocked.
Includes --preview mode and a fixture-based test script.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…ion logic

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

elastic-package requires update (without --dry-run) both returns the JSON
proposals and writes the manifest. patchManifestRequires was duplicating
that work. Now --dry-run is passed only when DRY_RUN=true.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@elasticmachine

elasticmachine commented May 27, 2026

💔 Build Failed

Failed CI Steps

History

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

Package wiz 👍(2) 💚(0) 💔(4)

Data stream Previous EPS New EPS Diff (%) Result
audit 3436.43 2881.84 -554.59 (-16.14%) 💔
cloud_configuration_finding 8928.57 6666.67 -2261.9 (-25.33%) 💔
cloud_configuration_finding_full_posture 10101.01 6369.43 -3731.58 (-36.94%) 💔
issue 4115.23 3333.33 -781.9 (-19%) 💔

To see the full report comment with /test benchmark fullreport

Development

Successfully merging this pull request may close these issues.

Automatically update package dependencies