All buildpacks should use the dep-server for dependency updates

[sophiewigmore]

Summary

The dep-server contained in this repository serves dependencies and their associated metadata at https://api.deps.paketo.io/v1/dependency?name=< dependency-name > .

All versions of dependencies that we support within our implementation buildpacks via the older Dependency Builds pipeline have been ported over to the dep-server, so we can safely begin consuming the dependencies from there.

In order to do this we need to do a few things:

1. Add [[metadata.dependency-constraints]] to the buildpack.toml of each relevant implementation buildpack, for each version line that we currently support. See A Proposal to Manage Dependency Updates packit#140 for details about how this works, and you can check out https://github.com/paketo-buildpacks/node-engine/blob/main/buildpack.toml#L110-L128 to see an example of what this looks like in practice.

The inclusion of this section in the buildpack.toml will allow the newly added update-dependencies workflow that is already present in each repository to start picking up new versions of the defined version lines.

2. Remove the CNBs from the list of buildpacks to receive updates from the old Concourse dependency-builds pipeline. Please follow this example commit of how to remove the CNB version lines only from the pipeline config. This should only include removing the lines that fall under the -cnb suffix. Removing anything else will tamper with dependencies in our V2Bs. Don't forget to re-fly the Concourse pipeline with the changes, and the associated update-<dependency>-<version>-cnb Concourse job will disappear from the pipeline.

To Do

For each of the following language families, please switch over the implementation buildpacks that contain dependencies to use the dep-server. It is the responsibility of each team's maintainers to open issues to do this in the relevant repos:

Issues Filed:

• .Net Core / @paketo-buildpacks/dotnet-core-maintainers
• Go / @paketo-buildpacks/go-maintainers
• NodeJS / @paketo-buildpacks/nodejs-maintainers (should be all set)
• PHP / @paketo-buildpacks/php-maintainers
• Python / @paketo-buildpacks/python-maintainers
• Ruby / @paketo-buildpacks/ruby-maintainers
• Rust (where do dependencies here come from right now?) / @paketo-buildpacks/rust-maintainers
• Web Servers / @paketo-buildpacks/web-servers-maintainers
• Utilities / @paketo-buildpacks/utilities-maintainers

Issues Implemented:

• .Net Core / @paketo-buildpacks/dotnet-core-maintainers
• Go / @paketo-buildpacks/go-maintainers
• NodeJS / @paketo-buildpacks/nodejs-maintainers (should be all set)
• PHP / @paketo-buildpacks/php-maintainers
• Python / @paketo-buildpacks/python-maintainers
• Ruby / @paketo-buildpacks/ruby-maintainers
• Rust (where do dependencies here come from right now?) / @paketo-buildpacks/rust-maintainers
• Web Servers / @paketo-buildpacks/web-servers-maintainers
• Utilities / @paketo-buildpacks/utilities-maintainers

This story can be closed out when the checklist items are all completed.

[fg-j]

Go language family issues have been filed!

[arjun024]

Can you check off Web Servers, Python, PHP, Nodejs? Relevant issues filed.

Edit: Added issue for tini. I don't think dep-server supports upx, watchexec etc. yet like miniconda

[fg-j]

Using the dep server for the Go dependency is blocked due to an issue with the non SemVer version metadata on the go dependency in the dep server. See paketo-buildpacks/go-dist#280 for more details.

[fg-j]

Consuming dep from the dep server is also currently blocked because it seems like the dep server doesn't support that dependency. See paketo-buildpacks/dep#212 for more.

[sophiewigmore]

It looks like Rust-Dist uses it's own workflow: https://github.com/paketo-community/rust-dist/runs/4088804161?check_suite_focus=true to update the dependencies. It still uses the dependency from the dep-server so it can be checked off.

[sophiewigmore]

It appears that all applicable buildpacks have been moved over, so this issue can get closed out!