Here’s a hypothetical scenario at a company: We have 2 repos that builds and deploys code as tools and libraries for other apps at the company. Let’s call this lib1 and lib2.
There’s a third repo, let’s call it app, that is application code that depends on lib1 and lib2.
The hard part right now is keeping track of which version of lib1 and lib2 are packaged for app at any point in time.
I’d like to know at a glance, say 1 month ago, what versions of app is deployed and what version of lib1 and lib2 they were using. Ideally, I’m looking for a software solution that would be agnostic to any CI/CD build system, and doubly ideally, an open source one. Maybe a simple web service you call with some metadata, and it displays it in a nice UI.
Right now, we accomplish this by looking at logs, git commit history, and stick things together. I know I can build a custom solution pretty easily, but I’m looking for something more out-of-the-box.
I realize that you’re looking for audit style information. Disclaimer: I’m not offering that 😅
You may be interested in automation that helps manage these dependencies and their version. Github offers dependabot as a service for repos on github.com. There’s also renovate which is a little newer and I think has a better open source reputation. You can use them to fully automate dependency patching. Though I suspect most teams use these tools to automatically build PRs for a human to review and test.