
[FEATURE] Enable Renovate on opensearch-project and repos that choose to use it #97

Closed
dbwiddis opened this issue Oct 14, 2022 · 8 comments · Fixed by #109
Assignees
Labels
enhancement New feature or request

Comments

@dbwiddis
Member

dbwiddis commented Oct 14, 2022

Is your feature request related to a problem?

The opensearch-sdk-java repo wants to enable automated issues for upgrading dependency versions.

See #185

What solution would you like?

While dependabot is an option, I believe Mend Renovate is a superior option. It is endorsed by OpenSSF alongside dependabot as an industry standard tool for dependency updates.

I have switched my external OS repo from dependabot to renovate and found it far superior for a few key reasons:

  • it was always faster at alerting on dependency updates than dependabot
  • it provides a header on the bump PR showing adoption percentage, test passing rate, age of the dependency, and other metrics that help evaluate if a dependency may break things
  • it provides a "Dashboard" issue for a very quick look at pending bump PRs

Enabling this on opensearch-sdk-java requires an owner of opensearch-project to enable it. Repos which choose to use it can also be enabled; formally requesting this for opensearch-sdk-java.

The maintainers of the main Opensearch project may wish to consider it as well, as a replacement for dependabot.

What alternatives have you considered?

Dependabot

Do you have any additional context?

Some quick links to my own repo demonstrating some of the benefits outlined above

  • Bump PRs have a header with badges displaying the quality of the dependencies. See an example here. What the age of the version is, what percentage of Renovate users have upgraded, what percentage of them have passing tests. This is invaluable for evaluating major version bumps and adoption/quality.
  • You can group/batch version bumps together. I have done this to batch my build plugins (to get a single PR instead of 3 for ones that release together, for example) to reduce the PR noise. Here's an example batch PR
  • It creates a "Dashboard" issue that shows you any pending bumps or ones you've intentionally suppressed. See example here.
  • It has the ability to auto-merge its own PRs, which I've enabled for minor and patch versions of build plugins. We probably don't want that feature here, but it's available
@dbwiddis dbwiddis added enhancement New feature or request untriaged labels Oct 14, 2022
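The grouping, dashboard and automerge features described in the comment above are all driven by a `renovate.json` file in the repository root (or under `.github/`). The following is an added example, not the SDK repo's actual configuration or anything from the original thread: it batches Gradle build plugins into one PR, automerges only their minor and patch bumps, and adds a minimum release age so that a freshly published (and possibly malicious or quickly-yanked) version is not pulled in the same hour it appears. The `gradle` manager name and the `plugin` depType are assumed to be what Renovate assigns to entries in a Gradle `plugins {}` block; adjust the match rules for a Maven or npm project.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  "dependencyDashboard": true,

  "minimumReleaseAge": "3 days",

  "packageRules": [
    {
      "description": "Batch Gradle build plugins that release together into a single PR (assumed manager/depType names)",
      "matchManagers": ["gradle"],
      "matchDepTypes": ["plugin"],
      "groupName": "gradle build plugins"
    },
    {
      "description": "Automerge only minor/patch bumps of build plugins; major bumps always get a reviewed PR",
      "matchManagers": ["gradle"],
      "matchDepTypes": ["plugin"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
```

Two caveats a maintainer should check before turning on `automerge`: Renovate will only merge when the PR's status checks pass, so the repository's CI must actually run on Renovate branches, and branch protection on the default branch still applies, so a required-review rule will block the automerge rather than bypass it. The `minimumReleaseAge` delay is the configuration-side counterpart of the "age" badge in the PR header; it does not replace reviewing a major bump.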
@dblock
Member

dblock commented Oct 14, 2022

We operate WhiteSource already, @CEHENKLE @davelago isn't that the same thing? Or @hyandell can we just enable the above for the org?

@dbwiddis
Member Author

dbwiddis commented Oct 14, 2022

We operate WhiteSource already

Yes, we use that company's (renamed Mend) security check in our CI workflow.

This would add another github app / feature similar to the usage of dependabot.

can we just enable the above for the org?

Enabling it org-wide will create a PR in each Repo (adding the config file) that the maintainers could choose to merge (or not to merge, that is the question). It can be run side-by-side with dependabot for evaluation (would create PRs for same version bump from both systems until one is removed).

@dbwiddis
Member Author

Quick update: I've submitted an internal ticket for this, and switched the recommendation to "Forking Renovate" which does not create branches in the repo (requiring write access) but does the traditional fork-and-PR approach that any unprivileged contributor would do.

@dblock
Member

dblock commented Nov 10, 2022

@dbwiddis Any updates here?

@dbwiddis
Member Author

Internal ticket created 2022-10-19 (as noted above) and assigned for review 2022-10-24. No further action taken and I don't think there's an SLA for this priority.

In the meantime I've enabled dependabot on the SDK repo.

I still think it's a better management platform all around and a good fit for OpenSearch (open source, has open source management tools for free).

@dbwiddis
Member Author

This was approved and there's an open PR on SDK repo to finish installation that I'll handle later this week.

@dblock
Member

dblock commented Nov 22, 2022

I think we need documentation in .github that describes what the options are for keeping libraries up-to-date, maybe add a security section with "Keep Dependencies up to Date" and dependabot and renovate subsections in https://github.com/opensearch-project/.github/blob/main/RESPONSIBILITIES.md?

@dbwiddis
Member Author

dbwiddis commented Dec 6, 2022

FYI: the recent org-wide installation of Mend includes renovate, which everyone can now enable with a few lines in their .whitesource file.
