Generate a product-dependencies.lock file for Recommended Product Dependencies Plugin #1569

Open
ash211 opened this issue Feb 7, 2024 · 0 comments

What happened?

When creating an sls service or sls asset, the gradle plugins create a product-dependencies.lock to show changes and drive some internal tooling that prevents too-rapid pdep upgrades.

However, there is no such file created for the Recommended Product Dependencies Plugin.

This means it's easy for a Java library to take a dependency bump that's going to be later blocked when the library is incorporated into a service or asset.

What did you want to happen?

I would like the recommended product dependencies plugin to generate a product-dependencies.lock file, like sls services and assets do. And then I intend to use this, with 0 recommended product dependencies, to collect the transitive pdeps into one file for pdeps-bot to address.

Workaround

In the absence of this feature, I'm now creating a "fake bundle" that has no purpose other than to generate a lock file. This has some hacks, and risk of accidental publish, so I'd prefer direct support in this plugin for generating that lock file.

See internal foundry/pdeps-bot/issues/2831
