Dear all,
My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
- Jenkinsfile Runner - Example PRs in my local repo
- ci.jenkins.io-runner - Example PRs (bot was disabled after moving the repo)
- plugin-pom - Example PRs in my local repo
- maven-hpi-plugin - Example PRs in my local repo
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
Jesse: The question is which dependencies ought to be eligible for upgrade. I do not think we want to update Jenkins core or plugin dependencies gratuitously, since this would limit availability of new releases with only modest productivity gain: more realistic functional tests, less distance from `master` to whatever `plugin-compat-tester` would use.
Maybe Dependabot can be configured to request me as a reviewer?
Hi all,
Thanks for the responses! If there is no negative feedback, I will proceed with the implementation next Monday. Whoever wants to add any extra components to evaluation, please comment in this thread.
> Jesse: Since the primary use case is offering updates to plugin repositories, I would suggest including at least one example of `*-plugin`. ..... if (a) have fairly low installation count (b) are maintained by people actively participating in the trial.
maven-hpi-plugin matches the wildcard :P
Speaking seriously, we could try to add some Jenkins plugins to the experiment if (a) and (b) conditions are met.
If Mark wants to try out his plugins
> Mark: Updates to non-test dependencies are not very helpful for me. When dependabot suggests that the git plugin should rely on the latest release of some other plugin, it risks placing unnecessary demands on users to install newer plugins than are required. I tell dependabot to stop offering those dependency updates. It closes the pull requests and stops offering updates to that component.
Yes, dependabot can be controlled by GitHubCommentOps or Configuration-as-Code. It may require maintainers to set up filters, but then it will work like a charm. For evaluation purposes I would recommend configuration-as-code tho. It may help us to easily verify the configured filters later.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com.
Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
tests are not currently run in CI.
is it setup for all deps or only the parent plugin?
Can blueocean-plugin get updated for the parent plugin (or is that a config file somewhere)?
Can I have the following added:
Can blueocean-display-url-plugin get it enabled?
On Tue, May 21, 2019 at 12:36 PM Matt Sicker <msi...@cloudbees.com> wrote:
I'd really love to see the jackson repo most of all because I could
get the PR ready to release by the time jackson gets around to
announcing that release. Helps speed up resolution of their countless
CVEs over time.
On Tue, May 21, 2019 at 2:12 PM Mark Waite <mark.e...@gmail.com> wrote:
>
> I've been very happy with dependabot enabled on the platformlabeler-plugin in the Jenkins organization.
>
> I've also continued my experiment allowing it to run on my forks of the git plugin and git client plugin. It has been helpful in all cases.
>
> By the time I am reviewing a dependabot pull request to update a dependency, the CI job has completed and test results are available.
>
> On Tue, May 21, 2019 at 12:36 PM Matt Sicker <msi...@cloudbees.com> wrote:
>>
>> Can I have the following added:
>>
>> https://github.com/jenkinsci/jackson2-api-plugin
>> https://github.com/jenkinsci/jsch-plugin
>> https://github.com/jenkinsci/pam-auth-plugin
>> https://github.com/jenkinsci/ssh-credentials-plugin
>> https://github.com/jenkinsci/audit-log-plugin
>>
>> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus <m...@batmat.net> wrote:
>> >
>> > Done Carlos.
>> >
>> > On Thu, May 2, 2019 at 09:28, Carlos Sanchez <car...@apache.org> wrote:
>> >>
>> >> please add https://github.com/jenkinsci/kubernetes-plugin
>> >>
>> >> thanks
>> >>
>> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick <jgl...@cloudbees.com> wrote:
>> >>>
>> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
>> >>> tests are not currently run in CI.
>>
>>
>>
>> --
>> Matt Sicker
>> Senior Software Engineer, CloudBees
>
>
>
> --
> Thanks!
> Mark Waite
--
Matt Sicker
Senior Software Engineer, CloudBees
I am fine with going forward with enabling Dependabot for a wider set of plugins.
done!
On Mon, Jun 10, 2019 at 6:40 PM Basil Crow <m...@basilcrow.com> wrote:
> On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
>> I am fine with going forward with enabling Dependabot for a wider set of plugins.
>
> Can you please add the following repositories:
>
> Thanks,
> Basil
With Dependabot acquisition by GitHub, the project got some development boost.
Unfortunately, there is still no support of org-wide configurations, so we cannot just put defaults to https://github.com/jenkinsci/.github
But we could at least put some samples there.
I would also like to enable Dependabot for Jenkins Test Harness if nobody is against.
Once Jesse finishes his work on https://github.com/jenkinsci/bom/ , it would be great to combine Dependabot and plugins with BOM (especially for Pipeline which is nightmare to handle in Dependabot).
BR, Oleg
On Monday, June 10, 2019 at 7:04:08 PM UTC+2, Oleg Nenashev wrote:
> done!
>
> On Mon, Jun 10, 2019 at 6:40 PM Basil Crow <m...@basilcrow.com> wrote:
>> On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
>>> I am fine with going forward with enabling Dependabot for a wider set of plugins.
>>
>> Can you please add the following repositories:
>>
>> Thanks,
>> Basil
I enabled the native Dependabot version updates (the experimental feature) on my plugin today. Overall it's extremely useful and working well! I expect I'll soon wonder how I ever managed without it.
Couple of thoughts:
1. The initial splurge of PRs spawns a lot of builds, so it's helpful that Dependabot has limited itself to opening 5 PRs at a time (you can raise this limit in configuration if you like). Obviously this is only a one-time concern on the day that you enable it, but it could spam ci.jenkins.io if enabled on lots of plugins at once.
2. You have to be a bit careful when merging if you are using dependencies that interact. E.g. if you're using BOM (which contains Jackson), and a plugin that has particular ideas about the Jackson version it wants. So you can't just point-and-merge, even though they look like one-liner changes that seem easy to reason about.
3. Because Dependabot makes it easy to stay up to date, it's tempting to charge forward and take the latest version of everything suggested - providing the build passes. But is that wise? Do we as plugin authors need to hang back on some changes with the LTS support policy in mind? (For example, should I advance to depending on BOM version 2.249.x if the LTS policy says to support n-3 LTS versions?)
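The two knobs this thread keeps returning to, the open-PR limit and telling Dependabot to stop offering updates for particular dependencies, expressed as a `.github/dependabot.yml` for native Dependabot version updates. This is an added example, not configuration taken from any Jenkins repository or written by anyone in the thread; the schedule, the limit value and the ignored dependency names are illustrative assumptions.

```yaml
# .github/dependabot.yml
# Added example: values below are assumptions chosen for illustration.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"              # directory that holds the plugin's pom.xml
    schedule:
      interval: "weekly"        # assumption: batches PRs so CI is not hit daily
    # Caps how many version-update PRs are open at once. 5 is the default
    # mentioned in the thread; raise it only if CI capacity allows.
    open-pull-requests-limit: 5
    # Dependencies listed here get no update PRs. The names are examples of
    # plugin-to-plugin dependencies a maintainer may want to pin deliberately
    # so that users are not forced onto newer plugin releases.
    ignore:
      - dependency-name: "org.jenkins-ci.plugins:credentials"
      - dependency-name: "org.jenkins-ci.plugins.workflow:*"
```

Keeping the filters in this file rather than in PR comments leaves them reviewable in version control.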
On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev <o.v.ne...@gmail.com> wrote:
> I propose to focus on development tools
Since the primary use case is offering updates to plugin repositories,
I would suggest including at least one example of `*-plugin`.
The question is which dependencies ought to be eligible for upgrade. I
do not think we want to update Jenkins core or plugin dependencies
gratuitously, since this would limit availability of new releases with
only modest productivity gain: more realistic functional tests, less
distance from `master` to whatever `plugin-compat-tester` would use.
Definitely we can freely upgrade the parent POM. I would be happy for
such updates to be auto-merged in fact, so long as the build passes
obviously.
> pre-1.0 projects only
Or just plugins that (a) have fairly low installation count, (b) are
maintained by people actively participating in the trial.
> More repositories can be added if somebody is interested to participate in the Dependabot evaluation.
Sign me up!
I _do_ need to make sure I get notifications of these PRs in
Octobox.io, if they are not simply automerged. Merely watching a
repository is not enough—GH has autosubscribed me to hundreds of
repos, and the resulting thousands of notifications go to /dev/null.
Maybe Dependabot can be configured to request me as a reviewer?