Dependabot shows wrong changelog for spotless-maven-plugin update
Many projects use dependabot to manage version updates of dependencies. It helps them to keep up to date with new versions, but also to understand what changed between versions. When a new version is available, a pull request with the related change is created. Its body (i.e. description) contains a changelog and list of commits between the different versions. For spotless-maven-plugin this does not work correctly, because it uses the changelog and commits of the root project.
For example, https://github.com/camunda-cloud/zeebe/pull/8480 shows that it updates spotless-maven-plugin from 2.17.7 to 2.18.0, but the changelog shows the changes of the root project up to version 2.18.0, instead of the changes of the maven-plugin. In addition, it shows the wrong changelog as source:
Sourced from spotless-maven-plugin's changelog
Looking at the dependabot issues about changelog, this seems to be a common problem. However, it also looks like the dependabot team does not intend to change anything for it. So, I think spotless should improve its setup to correct dependabot's failure to deal with this, because it would help existing users of spotless to learn about the changes in new versions.
The root changelog has this at the top.
https://github.com/diffplug/spotless/blob/bd2195ecf70b92b065611b6378e612c770af24a4/CHANGES.md#L3-L8
Happy to take a PR which makes this louder somehow, or that improves integration with dependabot.
Renovate faces the same issue.
Related info for Dependabot: https://github.com/dependabot/dependabot-core/tree/main/common/lib/dependabot/metadata_finders
Related ticket for Renovate: https://github.com/renovatebot/renovate/issues/4724#issuecomment-862680139