It’s not clear to me if the shipped action groups in the sgconfig file need to be explicitly uploaded.
In any case, it would be much simpler from a user perspective to have those hardcoded in the searchguard plugin, so that when something changes in Elasticsearch permissions, search-guard would implement the changes (e.g. SEARCH would be adapted) and the user wouldn’t have to update his/her action groups.
I guess this answers my question, excerpt from Upgrading from 6.x to 7.x | Security for Elasticsearch | Search Guard :
Migrating to the new built-in roles
Search Guard 6 shipped with a couple of demo users, roles and action groups. In Search Guard 7, some of them are now built-in and cannot be changed