✨ Add dependencies section to release notes tool

[willie-yao]

What this PR does / why we need it:
This PR adds a dependencies section to the release notes generator. It uses the kubernetes release notes tool: https://github.com/kubernetes/release/blob/master/cmd/release-notes/README.md

Example of what is printed:

## Dependencies

### Added
- cloud.google.com/go/dataproc/v2: v2.2.3
- github.com/ProtonMail/go-crypto: [7d5c6f0](https://github.com/ProtonMail/go-crypto/tree/7d5c6f0)

### Changed
- cloud.google.com/go/accessapproval: v1.6.0 → v1.7.4
- cloud.google.com/go/accesscontextmanager: v1.7.0 → v1.8.4

This block is added aft er the Others section of the release notes.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #9854

/area release

[fabriziopandini]

@willie-yao nice!
for sake of documentation it will be great if you can add a preview of how release notes will look like after this change

[cahillsf]

/lgtm 🔥

[sbueringer]

Very nice. Thank you this will be very useful!

In turn we should probably get rid of the "bump" entries for regular Go dependencies in our release notes

(at least as a manual step)

[sbueringer]

We are flagging a lot more than just dependabot go dependency bumps with area/dependency (e.g. Go, Trivy, ... bumps, but I think even more).

I think dropping all area/dependency PRs is too much, we might lose something important there.

Can we drop all PRs from dependabot instead (filter on author:app/dependabot )? (we would additionally drop GitHub actions bumps, but I think that is fine)

[sbueringer]

(also works better with other repositories that don't set the label but are also using dependabot like CAPV and controller-runtime)

[willie-yao]

I'm trying to filter the GitHub API response for the author but I'm a bit confused on how the code works here. How do we go from returning the collection here to the prs []githubPR object here? I tried adding an author field to the githubPR type, but I'm a bit confused where the existing fields (Number, Title, Labels) are populated. pageRead just seems to give me the entire PR page. @g-gaston do you know if there's a way to add an author field to the current flow?

[g-gaston]

Sorry I don't fully understand the question. If the search api returns an author field for pr objects (I'm not sure if it does, you would need to check the docs or just run a query yourself and check the output), then adding it to the githubPR struct will make that available when calling listMergedPRs.

If you want to make it available to the processor (and the printer), you'll need to add the field to the pr struct as well: https://github.com/kubernetes-sigs/cluster-api/blob/main/hack/tools/release/notes/list.go#L117-L121

What I would do here is add the author information to the pr domain object so you have it available in the processor (this is the one responsible from processing each pr and deciding which kind of note entry it should be). In your case it seems you want the processor to discard PRs based on the author, so they should no be converted to notes entries. Beware this will affect the total number of commits printed at the beginning of the notes. If you don't want this to happen, then maybe slightly changing the responsibilities of processor and printer is a better idea.

[willie-yao]

Can we drop all PRs from dependabot instead (filter on author:app/dependabot )?

There still seems to be a good amount of dependencies bump PRs that are not created by dependabot. Should we just leave those as is?

[sbueringer]

I think it's better if we sort through manual bump PRs manually compared to dropping all dependency PRs from the release notes.

We even might just leave them in there. Usually we only create manual bumps if either dependabot can't bump something or if we have to bump manually because we have to change more.

Maybe let's just go with dropping PRs from author dependabot and leaving everything else in the release notes.

[sbueringer]

I would add a new error return parameter and propagate it up (with a bit of error wrapping).

Then we can fail properly

[g-gaston]

Could you run the integration tests and make sure you update the golden files to match the new output?

[g-gaston]

curious why didn't get added to the go.mod?

[willie-yao]

In regards to the broken links: I think there is an issue with the kubernetes dependency tool right now that messes up the links when a tag includes a "/". We faced this issue when creating release notes for the latest CAPZ release. We might need to hold this PR until that issue is fixed.

[sbueringer]

@willie-yao Let's please try to figure out if the markdownlinkchecker can skip this test folder (see .markdownlinkcheck.json)

[g-gaston]

I curious to see why there are new PRs appearing here.
I was expecting to only see two types of diff: PRs being omitted (authored by dependabot) in this section and the new deps section

[willie-yao]

Looks like the tool is listing merged PRs up to the date of the latest commit on the release branch. It looks like there are PRs still being cherry-picked into v1.5.0 which is why these PRs show up. Is this something we should worry about? In a normal release cycle, we'll be generating the release notes at the correct day, but if we retroactively generate them, we might be getting some new commits that aren't part of the release.

I'm thinking maybe we can add a flag for a specific end date, or we can just manually remove the newer PRs since I don't think we'd be retroactively generating release notes in the normal release flow.

[g-gaston]

Umm I see
I suspect there is bug in how the tests are setup then
Because they are supposed to use "static" config so the output doesn't change even if we merge more commits in the original branch.
We might be missing a to ref or the ref might be incorrect

[willie-yao]

I used the command RELEASE_TAG=v1.5.0 make release-notes to generate the golden files so I don't think it's just a bug in the test. I think it looks for the latest commit in the branch rather than when the tag is created: https://github.com/willie-yao/cluster-api/blob/release-notes-dependencies/hack/tools/release/notes/list.go#L65

[willie-yao]

I see that it is being defaulted to heads/branch instead of tags/tagname here. Should we make tags/ the default if RELEASE_TAG is specified? I don't see why a user would need to read from heads/branch if they are generating release notes for a specific release tag.

[g-gaston]

This is great. Thanks a lot for pushing this all the way @willie-yao, I know it took a lot with those bugs in the deps module

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 58d5d9864aba007d8578ee387010d23df78b7cce

[willie-yao]

Squashed and rebased!

[g-gaston]

/lgtm
not sure if @willie-yao wants someone elses review
but i think @cahillsf, you should be able to approve?

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 75bab9edff1b64d19cfbed1e2cc7bcade414f10c

[cahillsf]

dont think i can approve since there are changes in hack/tools (not under release dir)

/lgtm

[cahillsf]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: c06d4bf2d84c9795f9801f78f38371705598ddcc

[fabriziopandini]

/lgtm
/approve

/hold cancel

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [fabriziopandini]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment