Occasionally we've thought about turning on dependabot for the main WildFly repo, and a couple current discussions (see [1] and [2]) relate to that, so it seems a good time to discuss further and perhaps take action.
My main concern with dependabot is it doesn't integrate with JIRA. JIRA is really important to how we're able to keep a handle on a project as complex as WildFly. And I think it's important to track component upgrades in JIRA so our users can keep an eye on what we're providing. Particularly important in the world of ubiquitous CVE scanners.
But James Perkins has pointed out that such JIRA tracking is kind of overkill for non-production dependencies (e.g. test and build deps) and I agree.
So, how about we turn on dependabot and require a JIRA to be filed and linked to the PR if the proposed upgrade is production code dep? For non-production deps a JIRA would be optional.
The other thing I care about a lot is being able to grep the git log for commits related to a JIRA. That would of course be lost for non-production upgrades with no JIRA. Oh well. Also though dependabot wouldn't put our JIRA in its commit messages. But for PRs where we file a JIRA we can require human edit of the dependabot PR title to reference the JIRA. That will result in the JIRA appearing in the log via the merge commit Github generates. That solves the git log use case adequately enough IMO.
Thoughts?
Best regards,Brian