
create a maven pom subscription of upstream dependencies so we can automate the generation of PRs against projects

Open jstrachan opened this issue 7 years ago • 2 comments

it'd be nice if we had some canonical file format we could detect in our git repos; something like maven-version-update.yml which describes the maven property names we wish to subscribe to.

The default could be all...

includes: "*"
excludes: "blah-version"
frequency: nightly

Then we could have an automated Jenkins build which iterates through all our repos looking for this marker file. If it's found it generates a periodic job of the given frequency.

Then each job would load the root maven pom.xml, look for all the maven properties; for each found one it'd look for a maven dependency (maven plugin or dependency); then check if the version has changed and if so submit a PR updating the versions (assuming there is not a PR existing already for the same versions)

A nice to have would be to be able to use version range (patch/minor/major) rules on a per property basis. e.g. you may only want to enable minor increases OOTB? Though it might be nice to know if a major release breaks the build?

jstrachan avatar Feb 23 '17 12:02 jstrachan

this looks interesting https://dependabot.com though it doesn't support Java yet - and supporting Java is actually quite complex (handling maven BOMs, maven properties and so forth plus handling maven dependencies to deduce safe version changes etc)

jstrachan avatar Sep 22 '17 13:09 jstrachan

note that if we did include the subscription configuration inside the git repository, we'd need to make sure we list the github org + branch(s) for the subscription to avoid folks creating a fork having PRs generated against it or all branches getting PRs against them.

It might be easier to just store the subscription information elsewhere?

jstrachan avatar Sep 22 '17 13:09 jstrachan
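The update check described in this thread, sketched as an added example (not code from the issue or from fabric8): it filters the root pom's properties by `includes`/`excludes`, applies a per-subscription bump limit, and refuses to plan anything unless the repository owner and branch match the subscription. The `org`, `branches` and `max_bump` keys, the sample pom and the `LATEST` table are assumptions constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
ORDER = ["patch", "minor", "major"]  # smallest to largest bump

# Constructed root pom.xml (our own repo's file, so trusted input here).
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><properties>
  <camel-version>2.18.1</camel-version>
  <jackson-version>2.8.4</jackson-version>
  <blah-version>1.0.0</blah-version>
</properties></project>"""

# includes/excludes are from the issue; org, branches, max_bump are assumed keys.
SUB = {"includes": ["*"], "excludes": ["blah-version"],
       "org": "example-org", "branches": ["master"], "max_bump": "minor"}

# Constructed "latest upstream" versions a resolver would have returned.
LATEST = {"camel-version": "2.19.0", "jackson-version": "3.0.0",
          "blah-version": "1.0.1"}

def _parse(version):
    parts = [int(p) for p in version.split(".")][:3]
    return parts + [0] * (3 - len(parts))

def bump_kind(old, new):
    """'major'/'minor'/'patch' for an upgrade; None if not newer or unparseable."""
    try:
        o, n = _parse(old), _parse(new)
    except ValueError:
        return None
    if n <= o:
        return None
    return next(k for k, a, b in zip(("major", "minor", "patch"), o, n) if a != b)

def plan_updates(pom_xml, sub, latest, repo_owner, branch):
    """Return {property: (current, proposed)} for PR-worthy version changes."""
    # Fork/branch guard: a copied marker file must not trigger PRs elsewhere.
    if repo_owner != sub["org"] or branch not in sub["branches"]:
        return {}
    props = ET.fromstring(pom_xml).find("m:properties", NS)
    plan = {}
    for el in (props if props is not None else []):
        name, current = el.tag.split("}")[-1], (el.text or "").strip()
        if not any(fnmatch.fnmatchcase(name, p) for p in sub["includes"]):
            continue
        if any(fnmatch.fnmatchcase(name, p) for p in sub["excludes"]):
            continue
        kind = bump_kind(current, latest.get(name, ""))
        if kind and ORDER.index(kind) <= ORDER.index(sub["max_bump"]):
            plan[name] = (current, latest[name])
    return plan
```

`repo_owner` and `branch` should come from what the CI system knows about the repository it checked out, not from the marker file itself, since a fork carries an identical copy of that file.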