Use Dependabot to Verify Templates once generated

[tomarra]

Description

Given the template model the pubspec.yaml that we have in each template has the ability to have an "invalid" pubspec given variables and parameters that we have in the file for generation time. Example being https://github.com/VeryGoodOpenSource/very_good_templates/blob/main/very_good_flutter_package/__brick__/%7B%7Bproject_name.snakeCase()%7D%7D/pubspec.yaml

We still have a need to keep these templates and their dependencies up to date but don't want to have to do this manually. The idea being that we can have a GitHub Action that uses the Dependabot CLI in order to generate a template, run the CLI to see if there are updates, and then open issues to do the updates manually.

Requirements

• There is a GitHub Action for each of the templates.
• The Actions run on a daily basis
• The action will build a template and run the Dependabot CLI.
• If the Dependabot CLI does not detect any needed updates they exit gracefully.
• If the Dependabot CLI does detect changes needed then an issue is opened up on the repo.
  • The issue that is opened up has a title of "chore: bump PACAKGE_NAME_HERE from CURRENT_VERSION to NEW_VERSION"
  • The description of the issue contains a link to the package that is being updated on pub.dev

[alestiago]

Had a brief look over this while I was waiting for some Pull Requests to be reviewed. In all, I think the first and fastest way to get something working would be to write a small Dart tooling script that attempts to gracefully parse those packages listed under dependencies within the pubspec.yaml and that are hosted in pub.dev. Then use our package pub_updater to check if they can be updated. If it can be updated, then use string find and replace to modify them.

If we want to avoid the complexity of parsing the file and then replacing we could template these dependencies into the template. When doing so the actual dependencies (name and version) would be stored within a file (for example, Dart or JSON) and provided through a Mason template variable. The file can then be easily accessed by the tooling script so it would only require to check if they could be updated.

Once the tooling script is defined we could rely on an action that Creates a Pull Request (similar to what we do with the bundles in Very Good CLI) and we would get a Pull Request with all the version bumps.

The Dependabot approach seems nice, but it would require some investigation into how the tooling works internally and how to set everything up for it.