Generate Bazel dependency versions from pom.xml

[Copilot]

pom.xml and MODULE.bazel had already drifted on shared library versions, which made Maven and Bazel dependency management diverge over time. This change makes the root POM the single source of truth and turns the Bazel dependency block into generated output.

• Single source of truth

  • Expands root dependencyManagement to cover the Bazel-managed artifacts that were previously versioned only in MODULE.bazel.
  • Keeps shared versions in one place instead of hand-maintaining parallel copies.

• Generated Bazel dependency block

  • Adds scripts/sync_bazel_dependencies.py to read managed versions from the root pom.xml and rewrite the generated dependency section in MODULE.bazel.
  • Marks the Bazel dependency block as generated so future edits flow through the script instead of manual updates.

• CI enforcement

  • Adds a Bazel workflow check that fails when MODULE.bazel is stale relative to pom.xml.
  • Includes the generator inputs in the Bazel cache key so dependency changes invalidate correctly.

• Contributor workflow

  • Documents the expected update path in CONTRIBUTING.md: change versions in pom.xml, regenerate MODULE.bazel, then repin maven_install.json.

Example of the generated pattern in MODULE.bazel:

# BEGIN: generated by scripts/sync_bazel_dependencies.py
maven.install(
    artifacts = [
        "com.fasterxml.jackson.core:jackson-databind:2.21.3",
        "org.slf4j:slf4j-api:2.0.18",
        "org.springframework:spring-core:6.2.8",
    ],
    lock_file = "//:maven_install.json",
)
# END: generated by scripts/sync_bazel_dependencies.py

[brendandburns]

@copilot Rather than hard code all the dependencies in the python script, which has the same syncrhonization problem, please extract them from the pom.xml file when the script runs.

[Copilot]

@copilot Rather than hard code all the dependencies in the python script, which has the same syncrhonization problem, please extract them from the pom.xml file when the script runs.

Addressed in 6e42086. The sync script now derives the generated Bazel dependency list directly from pom.xml dependencyManagement instead of maintaining a hardcoded Python coordinate list.

[brendandburns]

@copilot please resolve conflicts

[Copilot]

@copilot please resolve conflicts

Addressed in 155aa92. I merged master, resolved the pom.xml conflict by carrying the AWS SDK version forward to 2.44.8, and regenerated MODULE.bazel from the resolved pom.

[brendandburns]

@copilot please make sure that the paths for all of the bazel builds now include the script and the pom.xml file.

[Copilot]

@copilot please make sure that the paths for all of the bazel builds now include the script and the pom.xml file.

I checked this: .github/workflows/bazel.yml is the only workflow running Bazel build/test here, and both its push.paths and pull_request.paths already include pom.xml and scripts/sync_bazel_dependencies.py, so no additional change was needed.

[brendandburns]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, Copilot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [brendandburns]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment