Update Apple config/DDM profiles if secret variables changed (#24995)
#24900 

This PR includes and depends on PR #25012, which should be
reviewed/merged before this one.

Windows profiles are not included in this PR due to issue #25030

This PR adds the following functionality: an Apple config/DDM profile is
resent to the device when the profile contains secret variables and the
values of those variables have changed. For example:
- Upload secret variables
- Upload profile
- Device gets profile
- Upload the same profile
- Nothing happens
- Upload a different secret variable value
- Upload the same profile
- Device gets updated profile

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Added/updated tests
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Manual QA for all new/changed functionality
getvictor authored Dec 30, 2024
1 parent a42189e commit bd51e85
Showing 23 changed files with 568 additions and 292 deletions.
1 change: 1 addition & 0 deletions changes/23238-use-secrets-in-scripts-profiles
Expand Up @@ -2,3 +2,4 @@ Added ability to use secrets ($FLEET_SECRET_YOURNAME) in scripts and profiles.
- Added `/fleet/spec/secret_variables` API endpoint.
- fleetctl gitops identifies secrets in scripts and profiles and saves them on the Fleet server.
- secret values are populated when scripts and profiles are sent to devices.
- When fleetctl gitops updates profiles, if the secret value has changed, the profile is updated on the host.
8 changes: 4 additions & 4 deletions cmd/fleetctl/apply_test.go
Expand Up @@ -208,8 +208,8 @@ func TestApplyTeamSpecs(t *testing.T) {
ds.DeleteMDMAppleDeclarationByNameFunc = func(ctx context.Context, teamID *uint, name string) error {
return nil
}
ds.ExpandEmbeddedSecretsFunc = func(ctx context.Context, document string) (string, error) {
return document, nil
ds.ExpandEmbeddedSecretsAndUpdatedAtFunc = func(ctx context.Context, document string) (string, *time.Time, error) {
return document, nil, nil
}

filename := writeTmpYml(t, `
Expand Down Expand Up @@ -1362,8 +1362,8 @@ func TestApplyAsGitOps(t *testing.T) {
ds.ListVPPTokensFunc = func(ctx context.Context) ([]*fleet.VPPTokenDB, error) {
return []*fleet.VPPTokenDB{}, nil
}
ds.ExpandEmbeddedSecretsFunc = func(ctx context.Context, document string) (string, error) {
return document, nil
ds.ExpandEmbeddedSecretsAndUpdatedAtFunc = func(ctx context.Context, document string) (string, *time.Time, error) {
return document, nil, nil
}

// Apply global config.
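Review bot: The replacement stubs in `TestApplyTeamSpecs` and `TestApplyAsGitOps` always return a nil `*time.Time` (`return document, nil, nil`), so neither test drives the behaviour this commit adds, where a changed secret value causes the profile to be resent. The same stub is repeated in cmd/fleetctl/gitops_test.go (`TestGitOpsFullGlobal`, `TestGitOpsFullTeam`, `setupFullGitOpsPremiumServer`). If the rotation path is not covered elsewhere in the 23 changed files, consider one case that returns a non-nil timestamp, e.g. `ts := time.Now()` then `return document, &ts, nil`, and checks that the profile is re-queued, since a regression there would leave the old secret value on devices after rotation. A short comment on the stub such as `// nil updated-at: presumably means no secret variables in the document` would also record what nil stands for, once confirmed. Both test functions start and end outside the hunks shown.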
12 changes: 6 additions & 6 deletions cmd/fleetctl/gitops_test.go
Expand Up @@ -660,8 +660,8 @@ func TestGitOpsFullGlobal(t *testing.T) {
return []*fleet.ABMToken{}, nil
}

ds.ExpandEmbeddedSecretsFunc = func(ctx context.Context, document string) (string, error) {
return document, nil
ds.ExpandEmbeddedSecretsAndUpdatedAtFunc = func(ctx context.Context, document string) (string, *time.Time, error) {
return document, nil, nil
}

const (
Expand Down Expand Up @@ -865,8 +865,8 @@ func TestGitOpsFullTeam(t *testing.T) {
return nil
}

ds.ExpandEmbeddedSecretsFunc = func(ctx context.Context, document string) (string, error) {
return document, nil
ds.ExpandEmbeddedSecretsAndUpdatedAtFunc = func(ctx context.Context, document string) (string, *time.Time, error) {
return document, nil, nil
}

// Queries
Expand Down Expand Up @@ -2599,8 +2599,8 @@ func setupFullGitOpsPremiumServer(t *testing.T) (*mock.Store, **fleet.AppConfig,
ds.SetSetupExperienceScriptFunc = func(ctx context.Context, script *fleet.Script) error {
return nil
}
ds.ExpandEmbeddedSecretsFunc = func(ctx context.Context, document string) (string, error) {
return document, nil
ds.ExpandEmbeddedSecretsAndUpdatedAtFunc = func(ctx context.Context, document string) (string, *time.Time, error) {
return document, nil, nil
}

t.Setenv("FLEET_SERVER_URL", fleetServerURL)