apm.yml (Agent Package Manager)
#42507
Replies: 3 comments
-
|
Hi there, You're asking us to support a new package manager. We need to know some basic information about this package manager first. Please copy/paste the new package manager questionnaire, and fill it out in full. Once the questionnaire is filled out we'll decide if we want to support this new manager. Good luck, The Renovate team |
Beta Was this translation helpful? Give feedback.
-
New package manager questionnaireDid you read our documentation on adding a package manager?
BasicsWhat's the name of the package manager?APM (Agent Package Manager) — https://github.com/microsoft/apm What language(s) does this package manager support?APM is language-agnostic. It manages AI agent context (instructions, prompts, skills, hooks, MCP server declarations) for any project, regardless of the project's programming language. The tool itself is written in Python and distributed via PyPI ( The closest analogy is pre-commit or Terraform modules — a language-agnostic dependency manager that declares versioned dependencies on external git repos, resolves transitive graphs, and produces a lock file. But instead of git hooks or infrastructure, APM manages AI agent configuration. How popular is this package manager?
Does this language have other (competing?) package managers?
There is no other widely adopted package manager for AI agent context. The space is new. Some adjacent tools exist but serve different purposes:
APM is the only tool in this space that provides a manifest + lock file + transitive dependency resolution model. What are the big selling points for this package manager?
Detecting package filesWhat kind of package files, and names, does this package manager use?
Both files live at the project root. The manifest filename is always exactly Which
|
| Host | Datasource |
|---|---|
github.com (explicit or implicit default) |
github-tags |
gitlab.com (or self-hosted GitLab) |
gitlab-tags |
| All other hosts (Bitbucket, Azure DevOps, self-hosted) | git-tags (generic git ls-remote) |
This is the same pattern used by the pre-commit manager. The manager should also declare versioning: "semver" since the git-tags datasource has no default versioning scheme.
Will users want (or need to) set a custom host or custom registry for Renovate's lookup?
- Yes, provide details.
- No.
APM supports any git-accessible host (GitHub, GitLab, Bitbucket, Azure DevOps, self-hosted instances). Users with dependencies on non-GitHub hosts will need Renovate to look up tags on the correct host.
Where can Renovate find the custom host/registry?
- No custom host or registry is needed.
- In the package file(s), provide details.
- In some other file inside the repository, provide details.
- User needs to configure Renovate where to find the information, provide details.
The host is encoded directly in the dependency string:
gitlab.com/acme/coding-standards#v1.0.0→ host isgitlab.combitbucket.org/team/repo#v2.0.0→ host isbitbucket.orgmicrosoft/apm-sample-package#v1.0.0→ implicit host isgithub.com
Are there any constraints in the package files that Renovate should use in the lookup procedure?
- Yes, there are constraints on the parent language (for example: supports only Python
v3.x), provide details. - Yes, there are constraints on the parent platform (for example: only supports Linux, Windows, etc.), provide details.
- Yes, some other kind of constraint, provide details.
- No constraints.
Will users need the ability to configure language or other constraints using Renovate config?
- Yes, provide details.
- No.
Artifacts
Does the package manager use a lock file or checksum file?
- Yes, uses lock file.
- Yes, uses checksum file.
- Yes, uses lock file and checksum file.
- No lock file or checksum.
APM uses apm.lock.yaml (YAML 1.2). It records every dependency's exact commit SHA, deployed file paths, and content hashes. The lock file also tracks SHA-256 hashes of deployed files for integrity verification, but these are embedded in the lock file itself — there is no separate checksum file.
Is the locksum or checksum mandatory?
- Yes, locksum is mandatory.
- Yes, checksum is mandatory.
- Yes, lock file and checksum are mandatory.
- No mandatory locksum or checksum.
- Package manager does not use locksums or checksums.
The lock file is strongly recommended and should be committed to version control, but apm install works without a pre-existing lock file (it creates one). Enterprise policy rules can enforce lock file presence via apm audit.
If lockfiles or checksums are used: what tool and exact commands should Renovate use to update one (or more) package versions in a dependency file?
After Renovate modifies the version ref in apm.yml:
apm installThis re-resolves affected dependencies and updates apm.lock.yaml. For a full re-resolve of all dependencies:
apm install --updateTooling: apm-cli is a Python package (pip install apm-cli). For Renovate's Containerbase-based environments (binarySource: install), apm-cli would need to be added to the Containerbase tool index. For binarySource: global, users pre-install it on the Renovate host.
Extraction-only fallback: If apm-cli is not available, Renovate can still operate in extraction-only mode — updating the ref in apm.yml without regenerating the lock file. Users would then run apm install in their own CI to update apm.lock.yaml. This matches how other managers degrade gracefully when their tool binary is missing.
Note: apm install writes cloned repositories to apm_modules/ (typically gitignored). Renovate should only commit changes to apm.yml and apm.lock.yaml, not the apm_modules/ directory.
Package manager cache
Does the package manager use a cache?
- Yes, provide details.
- No.
APM caches cloned git repositories in apm_modules/ within the project directory. On subsequent installs, it reuses cached repos and verifies content hashes from the lock file.
If the package manager uses a cache, how can Renovate control the cache?
- Package manager does not use a cache.
- Controlled via command line interface, provide details.
- Controlled via environment variables, provide details.
Running apm install --update forces a full re-resolve, bypassing cached commit SHAs. The apm_modules/ directory can also simply be deleted before install for a clean state.
Should Renovate keep a cache?
- Yes, ignore/disable the cache.
- No.
No special cache handling needed. Renovate modifies apm.yml, then runs apm install which handles caching internally.
Generating a lockfile from scratch
Renovate can perform "lock file maintenance" by getting the package manager to generate a lockfile from scratch.
Can the package manager generate a lockfile from scratch?
- Yes, explain which command Renovate should use to generate the lockfile.
- No, the package manager does not generate a lockfile from scratch.
- No, the package manager does not use lockfiles.
Delete the existing lock file and run:
rm -f apm.lock.yaml && apm installThis resolves all dependencies fresh and produces a new apm.lock.yaml.
Other
What else should we know about this package manager?
-
Git-tag-based versioning only — APM does not use a centralised package registry with its own version index. Versions are git tags. This aligns well with Renovate's existing git-tags datasource. Notably,
gh skill publish(GitHub CLI) creates semver-tagged GitHub releases for skill repositories following the Agent Skills specification. These are the same tags that APM pins inapm.ymland that Renovate would update. -
Virtual packages — a single dependency string can target a subdirectory or file within a larger monorepo (e.g.
ComposioHQ/awesome-claude-skills/brand-guidelines). The version tag applies to the whole repository, not the subdirectory. Renovate should treat the baseowner/repoas the versioned unit. -
MCP dependencies are a separate concern —
dependencies.mcpentries reference MCP (Model Context Protocol) servers. These are structurally different from APM deps and are not yet versioned in a way that lends itself to automated updates. They can be deferred to a future iteration. -
Enterprise policy — organisations can define
apm-policy.ymlfiles that restrict allowed dependency sources, enforce lock file presence, and require content-hash verification. Renovate-generated PRs would need to pass these policy checks, but that happens naturally viaapm installand CI. -
Marketplace and Claude plugin interoperability — APM supports curated plugin marketplaces (
marketplace.jsonindexes hosted as GitHub repos). Users can install plugins viaapm install NAME@MARKETPLACEsyntax. APM also auto-detects native Claude Code plugins (.claude-plugin/plugin.json) and Copilot CLI plugins, normalizing them into standard APM packages with full version locking and transitive resolution. In all cases, marketplace and plugin references are resolved to standardowner/repo#refentries at install time and written toapm.ymlin that canonical form. Renovate does not need to parse marketplace syntax or understand the plugin format — it will only encounter resolved git-based entries. -
Emerging
.well-knownskill discovery and URL-based dependencies — The Agent Skills Discovery spec proposes HTTP-based skill distribution at/.well-known/agent-skills/index.json(skills asSKILL.mdfiles or archives with SHA-256 digests). APM tracks this via microsoft/apm#554, but.well-knownsupport is explicitly deferred pending upstream spec stability (still draft v0.2.0). Related in-flight work: #676 (PR #691) adds URL-based marketplace sources (remotemarketplace.jsonURLs, git URLs with refs, local paths). A follow-up (#692, design phase) would enable direct URL-based package installation with digest pinning. If chore(deps): update dependency semantic-release to v7 #692 ships, it would introduce non-git dependency sources that may require a new Renovate datasource. For now, all APM dependencies resolve to git repositories. -
Stable, versioned formats — The manifest schema and lock file format are versioned (
lockfile_version: "1") and designed for forward compatibility. The project is under active development by Microsoft.
Beta Was this translation helpful? Give feedback.
-
|
I raised PRs for implementing this now, over in: |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Tell us more.
For details about APM, see: https://github.com/microsoft/apm
What
apm.ymlfiles.Why
Beta Was this translation helpful? Give feedback.
All reactions