Dependabot cannot find my release notes

[huehnerlady]

Select Topic Area

Question

Body

Hi,

I have this gradle plugin: https://github.com/europace/docker-publish-gradle-plugin

My problem ist, that when I get updates via dependabot, I always get the message, that there is unknown code compatibility

I have a test pull request here

I double checked and the website is added to the plugin here.

On the gradle plugin portal the website is shown as well.

What do we do wrong?

[KaganCanSit]

Hello,
I don't have detailed information on this subject, but from what I saw on Stack Overflow, "Make sure there is a CHANGELOG.md or similar file at the root of your repository."

# Changelog.md
## [1.0.0] - 2024-06-17
### Added
- Initial release of the Docker publish plugin.

[huehnerlady]

but dependabot said that they take the release notes from the github release 🤔

Spring-Boot does not have a changelog.md either and works fine :(

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[huehnerlady]

I am currently talking to dependabot support to figure our what is going on. Once we find a solution I will post it here

[joergi]

any update on this? we have a similar problem.

[huehnerlady]

@joergi yes actually I got one just yesterday :)

I add it here as an answer, but unfortunately it is not super good news 😅

[huehnerlady]

I got an answer from GitHub for my specific case:

Details

Hi,

Thank you for your patience. I have some update from our engineers, here are the information.

So basically, even for Gradle, Dependabot looks in the pom file for the release information, i.e the following:

We get this information from these tags:
project > url
project > scm url
project > issueManagement > url

Example:

Here is an example of a pom structure with the correct tags:

<project>
  <url>[https://github.com/username/project<](https://github.com/username/project%3C);/url>
  <scm>
    <url>[https://github.com/username/project<](https://github.com/username/project%3C);/url>
  </scm>
  <issueManagement>
    <url>[https://github.com/username/project/issues<](https://github.com/username/project/issues%3C);/url>
  </issueManagement>
</project>

Replace
organization /
username and
project with your actual GitHub details.

The specific pom.xml file that Dependabot is attempting to retrieve and analyze is located at this URL:

https://plugins.gradle.org:443/m2/de/europace/docker-publish/de.europace.docker-publish.gradle.plugin/2.0.13/de.europace.docker-publish.gradle.plugin-2.0.13.pom

You will need to change your build.gradle.kts, so that the generated de.europace.docker-publish.gradle.plugin-<version>.pom contains the above information.

I then asked in the gradle slack about it and they mentioned that the generated files seems to miss those information.
I was forwarded to this issue.

So it seems at the moment there is nothing we can do, BUT if someone else knows something more about that, please tell me :)