[Hermetic Build] Libraries BOM version rendered in README.md may not be up to date #3895
Description
We found out that java-storage had only one of the versions updated in googleapis/java-storage#3267, where the BOM setup section was missing the version update.
This was also found in googleapis/java-bigquerystorage#3070.
The root cause is in owl-bot relying on sample snippets instead of the BOM version of the config yaml. From internal investigation:
"
Turns out that the value of libraries bom doesn't come from a template, but from a snippet in java-storage (link). The template readme will render this if present, which is the case in java-storage.
This seems to be an ambiguous case where hermetic build tries to manage the bom version when rendering templates, but the legacy synthtool under the hood would first try to fetch existing code which may or may not be updated beforehand (renovate-bot takes care of this).
On one hand, we have documentation pointing to libraries bom (this case) and other places, such as root pom.xml files, where the version is used in production code.
What if we simply use the other case for installing it with BOM by default? We can do a survey and find out whether there are any repos using a special version of "install_with_bom" that is not covered by that default template.