Build is extremely brittle due to usage of latest.release

[gsmet]

Hi,

I had two build issues trying to build OpenRewrite lately:

• the new Jackson BOM having problems with Gradle: Gradle module metadata for 2.13.2.1 references non-existent jackson-bom 2.13.2.1 FasterXML/jackson-databind#3428
• and this Sunday morning, Gradle can't downloads the Gradle plugins probably due to a Gradle outage

This, without any change on my side.

This all boils down to the massive use of latest.release as the version of dependencies in the codebase which makes builds non reproducible and very brittle as soon as the latest release has problems or incompatibility issues with the codebase.
Wondering if it would be better to switch to hardcoded versions and using Dependabot to suggest the updates automatically?

That should make the builds more solid and at least a build of the exact same code would lead to the same result from one day to another.

[shanman190]

Related #1484

[tkvangorder]

Going to close this issue as a duplicate of #1484

[jkschneider]

We can commit to once-a-day dependency locking, but we will not rely on Dependabot as it is not nearly sophisticated enough to deal with Gradle dependency management. We can craft a Github action workflow to attempt to update dependencies once a day, and if the tests pass, commit the new lock.