Skip to content

feat(manager): add apm manager for Agent Package Manager#44390

Open
MPV wants to merge 3 commits into
renovatebot:mainfrom
MPV:claude/renovate-suggestion-plan-0loxk2
Open

feat(manager): add apm manager for Agent Package Manager#44390
MPV wants to merge 3 commits into
renovatebot:mainfrom
MPV:claude/renovate-suggestion-plan-0loxk2

Conversation

@MPV

@MPV MPV commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Changes

Adds a new apm manager that keeps APM (Agent Package Manager) dependencies up to date, as requested in discussion #42507.

APM projects declare git-pinned agent dependencies (skills, plugins, agents, full packages) in an apm.yml manifest and pin the resolved tree in an apm.lock.yaml lockfile. Nothing currently bumps those refs.

The new manager:

  • Parses the string entries under dependencies.apm and devDependencies.apm, of the form [host/]owner/repo[/subpath]#<ref>.
  • Selects the datasource dynamically from the git host (reusing detectPlatform, which also honors hostRules) — no new datasource is required:
    • github.com (and self-hosted GitHub) → github-tags
    • gitlab.com (and self-hosted GitLab) → gitlab-tags
    • any other host (Bitbucket, Azure DevOps, …) → git-tags
  • Only updates entries that pin an exact #<ref>; unpinned entries are skipped.
  • Regenerates apm.lock.yaml (when present) by running apm install, wired through a new apm tool constraint that resolves the CLI from microsoft/apm GitHub releases.

MCP server entries under dependencies.mcp are intentionally not managed: they are identified by an MCP registry name (e.g. io.github.github/github-mcp-server) and carry no version to pin, so there is nothing for Renovate to update.

Lock file maintenance note

Renovate's adding-a-package-manager guide prefers a <tool> update command over delete-then-<tool> install, since the latter can lose platform-specific lock data. APM does not provide an update command, so:

  • After a package-file change, the manager runs apm install to sync apm.lock.yaml to the updated manifest (no delete).
  • During lock file maintenance, it deletes apm.lock.yaml and runs apm install to regenerate it. APM's lockfile records resolved sources and content hashes (no platform-specific fields), so a full regeneration is deterministic and safe here.

Category

I omitted a manager category to keep the diff self-contained (avoiding a change to the shared categories constant). I'm happy to add one if preferred — would maintainers like a new ai category (APM targets AI coding agents), or is leaving it uncategorized better?

Depends on

...which adds install-tool apm to the base image. The apm install lockfile step only works once that PR is merged and a new base image is released; the manager’s unit tests mock exec, so this PR’s CI is green independently.

Context

Please select one of the following:

  • This closes an existing Issue, Closes: #
  • This doesn't close an Issue, but I accept the risk that this PR may be closed if maintainers disagree with its opening or implementation

The New Package Manager Questionnaire is completed in discussion #42507.

AI assistance disclosure

Did you use AI tools to create any part of this pull request?

  • No — I did not use AI for this contribution.
  • Yes — minimal assistance (e.g., IDE autocomplete, small code completions, grammar fixes).
  • Yes — substantive assistance (AI-generated non‑trivial portions of code, tests, or documentation).
  • Yes — other (please describe):

The manager code, unit tests, and documentation were drafted with Claude (via Claude Code) and reviewed before submission.

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests, but ran on a real repository, or
  • Both unit tests + ran on a real repository

100% test coverage on the new files (pnpm vitest run lib/modules/manager/apm), plus pnpm check --all and pnpm type-check passing.

Additionally verified with a local extraction dry-run against a representative apm.yml, confirming correct datasource/packageName resolution across hosts:

Entry datasource packageName currentValue
microsoft/apm-sample-package#v1.0.0 github-tags microsoft/apm-sample-package v1.0.0
anthropics/skills/skills/frontend-design#v0.24.0 github-tags anthropics/skills v0.24.0
gitlab.com/acme/agents#v2.3.0 gitlab-tags acme/agents v2.3.0
bitbucket.org/acme/tools#v1.1.0 git-tags https://bitbucket.org/acme/tools v1.1.0
danielmeppiel/design-guide (unpinned) skipped (unspecified-version)
owner/repo#v1.2.3 (devDependencies) github-tags owner/repo v1.2.3

MCP entries under dependencies.mcp were correctly ignored.

The public repository: https://github.com/microsoft/apm

@cla-assistant

cla-assistant Bot commented Jul 6, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@cla-assistant

cla-assistant Bot commented Jul 6, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

MPV and others added 3 commits July 7, 2026 11:03
Add a new `apm` manager that updates git-pinned dependencies in APM
(Agent Package Manager) `apm.yml` manifests, as requested in
renovatebot#42507.

The manager parses the string entries under `dependencies.apm` and
`devDependencies.apm` (`[host/]owner/repo[/subpath]#<ref>`) and selects
the datasource dynamically from the git host, reusing the existing
github-tags, gitlab-tags and git-tags datasources. MCP entries carry no
pinnable version and are ignored.

When an `apm.lock.yaml` lockfile is present, it is refreshed by running
`apm install` via a new `apm` tool constraint (pypi `apm-cli`).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Vfjt3BpqDriiVsvwqVe9M9
APM ships self-contained binaries as GitHub release assets
(apm-linux-<arch>.tar.gz under vX.Y.Z tags), not as the PyPI apm-cli
wheel. Point the apm tool constraint at the github-releases datasource so
the version Renovate resolves matches the artifact that actually gets
installed, stripping the leading `v` from the tag.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Vfjt3BpqDriiVsvwqVe9M9
The APM project's canonical home is github.com/microsoft/apm (originally
danielmeppiel/apm). Update the manager URL and readme accordingly.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Vfjt3BpqDriiVsvwqVe9M9
@MPV MPV force-pushed the claude/renovate-suggestion-plan-0loxk2 branch from 3ff6c7b to 9cc5d88 Compare July 7, 2026 09:04
@MPV

MPV commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

(sorry about the force-push, it was necessary to solve the CLA issue, i.e. committing properly as myself)

@MPV MPV marked this pull request as ready for review July 7, 2026 09:09
@github-actions github-actions Bot requested a review from viceice July 7, 2026 09:09
@secustor secustor self-requested a review July 7, 2026 13:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant