Read maven-dependency-plugin version dynamically+ enable dependabot for maven helpers

Author: yeikel

.github/dependabot.yml

@@ -166,3 +166,15 @@ updates:
       interval: "weekly"
       day: "sunday"
       time: "16:00"
+  - package-ecosystem: "maven"
+    directory: "/maven/lib/dependabot/maven/"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "16:00"
+  - package-ecosystem: "docker"
+    directory: "/maven"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "16:00"

maven/Dockerfile

@@ -1,11 +1,14 @@
+# This cannot be inlined below (e.g., COPY --from=maven:...) because Dependabot does not support that syntax yet
+FROM maven:3.9.9 as maven
+
 FROM ghcr.io/dependabot/dependabot-updater-core
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     openjdk-21-jdk \
     ca-certificates-java \
     && rm -rf /var/lib/apt/lists/*
 
-COPY --from=maven:3.9.9 /usr/share/maven /usr/share/maven
+COPY --from=maven /usr/share/maven /usr/share/maven
 
 ENV MAVEN_HOME=/usr/share/maven
 

maven/lib/dependabot/maven/native_helpers.rb

@@ -1,15 +1,22 @@
-# typed: strong
+# typed: strict
 # frozen_string_literal: true
 
 require "shellwords"
 require "sorbet-runtime"
+require "nokogiri"
 
 module Dependabot
   module Maven
     module NativeHelpers
       extend T::Sig
-      # Latest version of the plugin can be found here - https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-dependency-plugin
-      DEPENDENCY_PLUGIN_VERSION = "3.8.1"
+      pom_path = File.join(__dir__, "pom.xml")
+
+      version = File.open(pom_path) do |f|
+        doc = Nokogiri::XML(f)
+        doc.at_xpath("//project/properties/maven-dependency-plugin.version")&.text
+      end
+
+      DEPENDENCY_PLUGIN_VERSION = T.let(version, T.nilable(String))
 
       sig do
         params(file_name: String).void

maven/lib/dependabot/maven/pom.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+
+  <!--
+  This build is not used directly within the native helper.
+  The goal is to help automate the maintenance overhead of keeping the version of maven-dependency-plugin up to date.
+
+    1. We read the maven-dependency-plugin.version version dynamically from the native_helper
+    2. We use Dependabot keep the version up to date
+  -->
+
+  <properties>
+    <maven-dependency-plugin.version>3.8.1</maven-dependency-plugin.version>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.maven.plugins</groupId>
+      <artifactId>maven-dependency-plugin</artifactId>
+      <version>${maven-dependency-plugin.version}</version>
+    </dependency>
+  </dependencies>
+</project>