Sanitize DEPENDENCY_BUMPs in changelogs

[inFocus7]

When listing the dependency bumps in our changelogs, we should sanitize them to only output the latest semver bump for a specific repo/dependency.

For example, in Gloo OSS release v1.15.0-beta5 there are two dependency bumps listed for solo-io/envoy-gloo although the important bump for readers of changelog is the latest bump of those two.

Rough logic for this would be updating the renderDependencyBumps function to be something like:

func renderDependencyBumps(changelog * Changelog) string {
  // A map to keep track of dependency -> (max) version bump
  var maxDependencyMap map[string] string
  for _, file: = range changelog.Files {
    for _, entry: = range file.Entries {
      if entry.Type == DEPENDENCY_BUMP {
        dependency: = entry.DependencyOwner + "/" + entry.DependencyRepo
        if val,
        ok: = maxDependencyMap[dependency];ok {
          // if the current dependency tag is greater than the one stored, update it (unsure if i'm using the comparison correctly)
          if semver.Compare(entry.DependencyTag, val) > 0 {
            maxDependencyMap[dependency] = entry.DependencyTag
          }
        } else {
          maxDependencyMap[dependency] = entry.DependencyTag
        }
      }
    }
  }

  output: = ""
    // using the map which only stored the max bumps per-repo/dependency, set-up the output
  for dependency, tag: = range maxDependencyMap {
    output = output + "- " + dependency + " has been upgraded to " + tag + ".\n"
  }

  return output
}

relevant code

Definition of Done to be discussed but at the very least

• Updating changelog util logic to only output the max dependency upgrades
• Updating our changelog test(s) to ensure this works as expected
  • Note: There may be issues with the ordering of dependencies and comparing what we expect. We may need to sort dependencies outputted.
• [Maybe] bumping this in solo repos
  • Following the DoD for other solo repositories which don't require releasing, as long as code has merged and has suitable testing/approval.

[inFocus7]

Have a WIP PR for this. While writing the PRs description, the possibility of DEPENDENCY_BUMPs being downgraded hit me, and this approach may not be the best approach.

A different path forward which may be a better approach to show the latest dependency updates, is to automate through a GitHub Action/Workflow...
[On PR Push | in a queued concurrent group, so there's no action clashing]:

1. Parse the new changelog.yaml for dependency bumps
2. For every dependency bumped:
   1. Parse the other changelogs within version folder to see if they bump the same dependency.
   2. If so: Delete the line(s) that bumped the dependency from the older instances
   3. Else: Continue

Through that different path, we could leave the code here as-is, since the action will take care of keeping the important dependency bumps before we generate the release changelog.