PoC dependency updates through events #39

Open
e-backmark-ericsson opened this issue Jun 8, 2022 · 2 comments
@e-backmark-ericsson (Contributor)

Disclaimer: This issue should be put in a general cdevents community repo, but as we lack one I put it here instead.

I'd like to see a PoC on dependency updates through events. The idea is that e.g. artifact published event should trigger a new pull request being created in a repository that depends on that "upstream" repo. It could be a lib->component relation or a component->application relation or similar. The new pull request in that "downstream" repo should then have a change created event sent for it, which somehow relates to the artifact being the cause of that update.

Note: The functionality of triggering downstream dependency updates is today handled by, for example, Dependabot if both repos are in GitHub, but what if not? Sending such events would also make it possible to visualize and measure such dependency updates in a generic manner.
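An added sketch of the event chain described above (not code from this issue, the cdevents project, or any of the tools named below). It follows the CDEvents context/subject layout; the event type strings, the dependency map, the PR-opening stand-in and the use of `customData` to record which upstream event caused the change are all assumptions made for illustration:

```python
"""Added sketch: a downstream listener that turns an upstream artifact.published
event into a dependency-bump pull request and emits a change.created event that
records the triggering artifact event as its cause. Not cdevents project code;
field values and the customData link are assumptions."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: an upstream artifact.published event (assumed values).
UPSTREAM_EVENT = {
    "context": {
        "version": "0.1.0",
        "id": "e1a2b3c4-0000-4000-8000-000000000001",
        "source": "/ci/upstream-lib",
        "type": "dev.cdevents.artifact.published.0.1.0",
        "timestamp": "2022-06-08T10:00:00Z",
    },
    "subject": {
        "id": "pkg:maven/org.example/upstream-lib@1.4.2",
        "source": "/ci/upstream-lib",
        "type": "artifact",
        "content": {},
    },
}

# Constructed dependency map: which downstream repos consume which upstream package.
DOWNSTREAM_DEPENDENTS = {
    "pkg:maven/org.example/upstream-lib": ["git@example.invalid:team/component-a"],
}


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (unversioned purl, version)."""
    name, _, version = purl.rpartition("@")
    if not name or not version or not name.startswith("pkg:"):
        raise ValueError(f"not a versioned purl: {purl}")
    return name, version


def open_pull_request(repo, package, version):
    """Stand-in for Renovate/Dependabot-style PR creation (assumption: returns PR metadata)."""
    return {
        "repo": repo,
        "id": f"{repo}#pr-{version}",
        "title": f"chore(deps): bump {package} to {version}",
    }


def handle_artifact_published(event, dependents=DOWNSTREAM_DEPENDENTS, pr_opener=open_pull_request):
    """Consume artifact.published, open a PR in each dependent repo, and return
    the change.created events to emit, each carrying the causing event id."""
    ctx = event["context"]
    if ctx.get("type") != "dev.cdevents.artifact.published.0.1.0":
        return []  # ignore unrelated event types
    package, version = parse_purl(event["subject"]["id"])
    emitted = []
    for repo in dependents.get(package, []):
        pr = pr_opener(repo, package, version)
        emitted.append({
            "context": {
                "version": "0.1.0",
                "id": str(uuid.uuid4()),
                "source": "/dependency-updater",
                "type": "dev.cdevents.change.created.0.1.0",
                "timestamp": datetime.now(timezone.utc).isoformat(),
            },
            "subject": {
                "id": pr["id"],
                "source": repo,
                "type": "change",
                "content": {"repository": {"id": repo, "source": repo}},
            },
            # Assumption: customData carries the causal link back to the artifact event.
            "customData": {"triggeredBy": ctx["id"], "artifact": event["subject"]["id"]},
        })
    return emitted


if __name__ == "__main__":
    for ev in handle_artifact_published(UPSTREAM_EVENT):
        print(json.dumps(ev, indent=2))
```

The `triggeredBy` field is what makes the update measurable across repos: a consumer can join each change.created event to the artifact.published event that caused it. A real consumer should also verify where the incoming artifact event came from (an authenticated transport or a signed payload) before opening pull requests, since acting on an unverified event would let an untrusted source drive dependency bumps into downstream repos.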

@e-backmark-ericsson (Contributor, Author)

This PoC could maybe be based on Mend Renovate - https://www.mend.io/free-developer-tools/renovate/
We could also look into integrating Dependency Track - https://owasp.org/www-project-dependency-track/
also Defect Dojo - https://github.com/DefectDojo/django-DefectDojo

@mekhanique commented Dec 4, 2023

Looks like some of this relates to comments around promotion and test related events you, @afrittoli, @xbcsmith and I made in #143. Thoughts?

Status: Backlog