Preparing your modules/library/plugin to be consumed by dependabot


Gavin Mogan

Aug 27, 2019, 12:50:38 PM
to jenkin...@googlegroups.com
Hey Y'all,

tl;dr - Make sure project > scm > url is set to github, (example https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/pom.xml#L41)

---

I thought I'd share my limited findings with all of you. A couple of weeks ago I contacted dependabot support to try and find out why some javascript modules had changelogs/release notes mentioned. I got a bunch of good responses back, and nudged them to document this info publicly.

But for now, I share what I learned.

Dependabot has a lot of open source code, including how it processes module metadata.


It loops through a bunch of properties inside the maven pom file: project > url (which should point at the wiki/plugins site for us), project > scm > url (which is the right place to set it), and lastly project > issueManagement > url (which probably defaults to jira).

When that url is set right, dependabot knows where to pull information from. See https://github.com/jenkinsci/ci.jenkins.io-runner/pull/192 as a good example.

It'll list the commits between tags, Release Notes if you use github releases (release drafter makes that easy), and a Changelog if it can find a changelog file in the repo. I can go into more details about this if people want.

But I strongly recommend at least setting up project > scm > url, and either a changelog file, or preferably release notes for releases.

That'll let other plugin authors know if it's worth upgrading/what potentially might break when getting a dependabot PR.

Thanks,
Gavin
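Gavin's post describes which pom.xml elements get inspected and in which order. The following is an added example, not code from the thread and not Dependabot's own implementation: a small checker that reads a Maven pom, pulls out the three URLs named above (project/url, project/scm/url, project/issueManagement/url), and reports whether any of them resolves to a github.com repository, flagging the case where project > scm > url is missing or does not point at GitHub. The lookup order follows Gavin's description, the GitHub URL pattern is my own assumption, and both sample poms are constructed for this example.

```python
"""Check a Maven pom.xml for the source-repository URLs Dependabot can use.

Added example (not from the original thread, not Dependabot's own code).
Assumptions: elements are inspected in the order Gavin described
(project/url, then project/scm/url, then project/issueManagement/url);
the GitHub URL pattern below is an assumption; the sample poms are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Accepts https://github.com/owner/repo[.git][/] and git@github.com:owner/repo[.git]
# (assumed pattern). Deep links such as .../blob/master/pom.xml are not repo URLs.
GITHUB_REPO_RE = re.compile(
    r"^(?:https?://|git@)github\.com[/:]([^/]+)/([^/]+?)(?:\.git)?/?$"
)

# Order in which the thread says the pom properties are consulted.
LOOKUP_ORDER = ("project/url", "project/scm/url", "project/issueManagement/url")
PATHS = {
    "project/url": "url",
    "project/scm/url": "scm/url",
    "project/issueManagement/url": "issueManagement/url",
}


def _strip_namespaces(root):
    """Drop the Maven default namespace so simple tag paths work for any pom."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def pom_source_urls(pom_xml: str) -> dict:
    """Return {label: url-or-None} for the three pom elements Gavin named."""
    root = _strip_namespaces(ET.fromstring(pom_xml))
    urls = {}
    for label, path in PATHS.items():
        el = root.find(path)
        urls[label] = el.text.strip() if el is not None and el.text else None
    return urls


def github_repo(url):
    """Return 'owner/repo' if url is a github.com repository URL, else None."""
    if not url:
        return None
    m = GITHUB_REPO_RE.match(url)
    return f"{m.group(1)}/{m.group(2)}" if m else None


def check_pom(pom_xml: str) -> dict:
    """Resolve the first GitHub repo in lookup order and list findings."""
    urls = pom_source_urls(pom_xml)
    resolved = None
    for label in LOOKUP_ORDER:
        repo = github_repo(urls[label])
        if repo:
            resolved = (label, repo)
            break
    findings = []
    if github_repo(urls["project/scm/url"]) is None:
        findings.append(
            "project > scm > url is missing or does not point at a github.com repository"
        )
    return {"urls": urls, "resolved_from": resolved, "findings": findings}


# Constructed sample: plugin-site url plus a GitHub scm url (the recommended shape).
GOOD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>example-plugin</artifactId>
  <url>https://plugins.jenkins.io/example-plugin</url>
  <scm>
    <connection>scm:git:git://github.com/jenkinsci/example-plugin.git</connection>
    <url>https://github.com/jenkinsci/example-plugin</url>
  </scm>
  <issueManagement>
    <system>JIRA</system>
    <url>https://issues.example.org/browse/EXAMPLE</url>
  </issueManagement>
</project>"""

# Constructed sample: only the plugin-site url, no scm block at all.
BAD_POM = """<project>
  <modelVersion>4.0.0</modelVersion>
  <artifactId>example-plugin</artifactId>
  <url>https://plugins.jenkins.io/example-plugin</url>
</project>"""


if __name__ == "__main__":
    for name, pom in (("good", GOOD_POM), ("bad", BAD_POM)):
        result = check_pom(pom)
        print(name, "->", result["resolved_from"], result["findings"])
```

Note that for a Jenkins plugin project > url normally points at the plugin site, so it never resolves to a repository; the scm url is the element that actually carries the GitHub link, which is why the checker reports on that one specifically.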

Marky Jackson

Aug 27, 2019, 1:04:07 PM
to 'Gavin Mogan' via Jenkins Developers
+1


Jesse Glick

Aug 27, 2019, 4:38:41 PM
to Jenkins Dev
On Tue, Aug 27, 2019 at 12:50 PM 'Gavin Mogan' via Jenkins Developers
<jenkin...@googlegroups.com> wrote:
> I strongly recommend at least setting up project > scm > url

For example, when using an archetype (recommended):

https://github.com/jenkinsci/archetypes/blob/e546bcbb236539de7c2a958ccddfac190f44efb9/empty-plugin/src/main/resources/archetype-resources/pom.xml#L30

Joseph P

Aug 28, 2019, 8:19:45 PM
to Jenkins Developers
Hi Gavin, we actually made that change in JCasC to prepare for https://github.com/jenkins-infra/plugin-site-api/pull/54
Good that dependabot is something you can depend on 😁

Oleg Nenashev

Aug 29, 2019, 6:32:45 AM
to Jenkins Developers
Thanks for the investigation Gavin!
I plan to document Dependabot usage guidelines eventually, and I will make sure to reflect it.

BR, Oleg