
Dependabot for Docker container refs

Open k-wall opened this issue 1 year ago • 1 comments

We've started to accumulate container image references in the code base, particularly in integration tests and example content. Currently managing the software currency of those dependencies is a manual chore.

https://github.com/kroxylicious/kroxylicious/blob/d5d680b97dac90d569572c2fedbac2eba773510b/kroxylicious-kms-provider-hashicorp-vault-test-support/src/main/java/io/kroxylicious/kms/provider/hashicorp/vault/VaultTestKmsFacade.java#L39

https://github.com/kroxylicious/kroxylicious/blob/5814e337ca97541b5f7cc7701345946c9c00ed8c/kroxylicious-systemtests/src/main/java/io/kroxylicious/systemtests/Constants.java#L143

GitHub dependabot has Docker integration, but unfortunately it covers only dependencies expressed in Dockerfiles or Helm yamls. It doesn't support (issue) container references in code or other types of configuration.

It'd be nice if we could have some automation that raised a PR when container image refs become stale.

k-wall avatar May 01 '24 09:05 k-wall

Might be worth seeing if renovate supports something like this.

tombentley avatar May 08 '24 09:05 tombentley

It's a hack, but it would work... add a Dockerfile.kcat or similar in src/test/resources that dependabot updates, that could be loaded to retrieve the FROM image in the test.

FROM quay.io/kroxylicious/kcat:1.7.1
# no other operations

MikeEdgar avatar Jan 09 '25 14:01 MikeEdgar

That's a nice idea. I was thinking about putting the dummy Dockerfiles in .github but your way keeps the image ref closer to the code (and visible to the classloader).

k-wall avatar Jan 09 '25 18:01 k-wall
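
The approach discussed in this thread, sketched as an added example (not code from the kroxylicious repository or from the commenters): a test helper reads the stub Dockerfile from the classpath and returns the image named in its FROM line, so the tag lives only in the file dependabot updates. The class name, method names and the resource path `/Dockerfile.kcat` are assumptions; the helper rejects a FROM that uses an unresolved `$ARG`, since that would hand the test a non-literal image ref.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringReader;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;

/** Hypothetical test helper: resolves a container image ref from a stub Dockerfile. */
public final class DockerfileImageRef {
    /** Loads e.g. "/Dockerfile.kcat" (assumed to sit in src/test/resources) from the classpath. */
    public static String fromClasspath(String resource) {
        try (InputStream in = DockerfileImageRef.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IllegalArgumentException("not on classpath: " + resource);
            }
            return parse(new InputStreamReader(in, StandardCharsets.UTF_8));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /** Returns the image named by the first FROM instruction. */
    static String parse(Reader dockerfile) throws IOException {
        BufferedReader reader = new BufferedReader(dockerfile);
        for (String line; (line = reader.readLine()) != null;) {
            String[] tokens = line.trim().split("\\s+");
            if (!tokens[0].equalsIgnoreCase("FROM")) {
                continue; // comments, blank lines and other instructions
            }
            int i = 1;
            while (i < tokens.length && tokens[i].startsWith("--")) {
                i++; // skip flags such as --platform=linux/amd64
            }
            if (i == tokens.length || tokens[i].contains("$")) {
                throw new IllegalStateException("FROM needs a literal image ref: " + line);
            }
            return tokens[i]; // a trailing "AS <stage>" is ignored
        }
        throw new IllegalStateException("no FROM instruction found");
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: the stub Dockerfile content quoted in the thread.
        String stub = "FROM quay.io/kroxylicious/kcat:1.7.1\n# no other operations\n";
        System.out.println(parse(new StringReader(stub)));
    }
}
```

A test would call `DockerfileImageRef.fromClasspath("/Dockerfile.kcat")` wherever it currently holds a hard-coded image string.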