Hey Y'all,
---
I thought I'd share my limited findings with all of you. A couple of weeks ago I contacted Dependabot support to try and find out why some JavaScript modules had changelogs/release notes mentioned. I got a bunch of good responses back, and nudged them to document this info publicly.
But for now, I share what I learned.
Dependabot has a lot of open source code, including how it processes module metadata.
It loops through a bunch of properties inside the Maven POM file: project > url (which should point at the wiki/plugins site for us), project > scm > url (which is the right place to set it), and lastly project > issueManagement > url (which probably defaults to Jira).
It'll list the commits between tags. Release Notes if you use GitHub releases (Release Drafter makes that easy) and Changelog if it can find a changelog file in the repo. I can go into more details about this if people want.
But I strongly recommend at least setting up project > scm > url, and either a changelog file, or preferably release notes for releases.
That'll make other plugin authors know if it's worth upgrading/what potentially might break when getting a Dependabot PR.
Thanks,
Gavin
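
Added example (not part of the original message and not Dependabot's own code): a small Python check that reads a `pom.xml`, reports the three URL properties in the order the message lists them, and flags a missing `project > scm > url`. The lookup order is taken from the message as an assumption, and the sample POM with its `example.org` URLs is constructed.

```python
import xml.etree.ElementTree as ET

# Lookup order as listed in the message above (assumption, not read from Dependabot's source).
CANDIDATE_PATHS = [
    ("project > url", ["url"]),
    ("project > scm > url", ["scm", "url"]),
    ("project > issueManagement > url", ["issueManagement", "url"]),
]

# Constructed sample: namespaced POM whose <scm> has a connection but no <url>.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>example-plugin</artifactId>
  <url>https://wiki.example.org/display/PLUGINS/Example</url>
  <scm>
    <connection>scm:git:git://example.org/example-plugin.git</connection>
  </scm>
  <issueManagement><url>https://issues.example.org/</url></issueManagement>
</project>"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on POM element names."""
    return tag.rsplit("}", 1)[-1]

def _find(node, path):
    """Walk direct children by local name so namespaced and bare POMs both work."""
    for name in path:
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return (node.text or "").strip() or None

def source_url_candidates(pom_xml):
    """Return [(label, url or None)] for the three properties, in the listed order."""
    root = ET.fromstring(pom_xml)
    if _local(root.tag) != "project":
        raise ValueError("not a Maven POM: root element is not <project>")
    return [(label, _find(root, path)) for label, path in CANDIDATE_PATHS]

def lint(pom_xml):
    """List problems that would leave a dependency-update PR without a usable source link."""
    found = dict(source_url_candidates(pom_xml))
    problems = []
    if not found["project > scm > url"]:
        problems.append("project > scm > url is not set")
    for label, url in found.items():
        # This script does not interpolate Maven properties; flag them for a manual check.
        if url and "${" in url:
            problems.append(f"{label} contains an unresolved property: {url}")
    return problems

if __name__ == "__main__":
    for label, url in source_url_candidates(SAMPLE_POM):
        print(f"{label}: {url or '(missing)'}")
    print(lint(SAMPLE_POM))
```

The check reads only the POM it is given; values inherited from a parent POM are not resolved.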