Preparing your modules/library/plugin to be consumed by dependabot


Preparing your modules/library/plugin to be consumed by dependabot

Gavin Mogan
Hey y'all,

tl;dr - Make sure project > scm > url is set to github, (example https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/pom.xml#L41)

---

I thought I'd share my limited findings with all of you. A couple weeks ago I contacted dependabot support to try and find out why some javascript modules had changelogs/release notes mentioned. I got a bunch of good responses back, and nudged them to document this info publicly.

But for now, I share what I learned.

Dependabot has a lot of open source code, including how it processes module metadata.

https://github.com/dependabot/dependabot-core/blob/e654f214a932672d8ac0ea428ef9d672ac5bba33/maven/lib/dependabot/maven/metadata_finder.rb#L52

It loops through a bunch of properties inside the maven pom file, project > url (which should point at wiki/plugins site for us), project > scm > url (which is the right place to set it), and lastly project > issueManagement > url (which probably defaults to jira)

When that url is set right, dependabot knows where to pull information from. See https://github.com/jenkinsci/ci.jenkins.io-runner/pull/192 as a good example.

It'll list the commits between tags. Release Notes if you use github releases (release drafter makes that easy) and Changelog if it can find a changelog file in the repo. I can go into more details about this if people want.

But I strongly recommend at least setting up project > scm > url, and either a changelog file, or preferably release notes for releases.

That'll let other plugin authors know if it's worth upgrading/what potentially might break when getting a dependabot PR.

Thanks,
Gavin

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAG%3D_DutPg%3DDD8ZseEW1i6VZJ-QMjK0aGs%2BaC34jeDR9u-OOj7w%40mail.gmail.com.
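A pre-flight check for the lookup order described in the post above, added here as an example for this thread (it is not dependabot-core's code and not from the original post): it parses a pom.xml and reports which element, if any, would resolve to a GitHub repository when walked in the order project > url, project > scm > url, project > issueManagement > url. The two sample POMs, the GitHub host list and the "first GitHub URL wins" rule are assumptions made for the example; the metadata_finder.rb file linked above is the authority for what Dependabot actually matches.

```python
"""Pre-flight check for plugin authors: will Dependabot find your GitHub repo?

Added example, not dependabot-core's code. Walks the POM in the order the
thread describes (project/url, project/scm/url, project/issueManagement/url)
and reports the first element that points at a GitHub repository.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Lookup order as described in the thread; "first GitHub URL wins" is this
# example's simplification of dependabot-core's matching (assumption).
LOOKUP_PATHS = ("m:url", "m:scm/m:url", "m:issueManagement/m:url")
GITHUB_HOSTS = {"github.com", "www.github.com"}  # assumption for this check

# Constructed sample POMs (hypothetical artifact, not a real plugin).
GOOD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>example-plugin</artifactId>
  <url>https://plugins.jenkins.io/example-plugin</url>
  <scm>
    <connection>scm:git:git://github.com/jenkinsci/example-plugin.git</connection>
    <url>https://github.com/jenkinsci/example-plugin</url>
  </scm>
  <issueManagement><system>JIRA</system><url>https://issues.jenkins.io/</url></issueManagement>
</project>"""

BAD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>example-plugin</artifactId>
  <url>https://wiki.jenkins.io/display/JENKINS/Example+Plugin</url>
  <scm>
    <connection>scm:git:git://github.com/jenkinsci/example-plugin.git</connection>
  </scm>
  <issueManagement><system>JIRA</system><url>https://issues.jenkins.io/</url></issueManagement>
</project>"""


def _text(root, path):
    """Text of the element at `path`, tolerating POMs that omit the xmlns."""
    el = root.find(path, POM_NS)
    if el is None and not root.tag.startswith("{"):
        el = root.find(path.replace("m:", ""))
    return el.text.strip() if el is not None and el.text else None


def github_repo_from(url):
    """Return 'owner/repo' for an http(s) GitHub repository URL, else None.

    scm:git:... connection strings and wiki/plugins-site links are rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    if parsed.netloc.lower() not in GITHUB_HOSTS:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return f"{parts[0]}/{repo}"


def find_source_repo(pom_xml):
    """(pom_path, 'owner/repo') for the first GitHub URL in lookup order, or None."""
    root = ET.fromstring(pom_xml)
    for path in LOOKUP_PATHS:
        url = _text(root, path)
        repo = github_repo_from(url) if url else None
        if repo:
            return path.replace("m:", ""), repo
    return None


def check_pom(pom_xml):
    """Findings a plugin author should act on before cutting a release."""
    findings = []
    hit = find_source_repo(pom_xml)
    if hit is None:
        findings.append("FAIL: no GitHub URL under project/url, project/scm/url or "
                        "project/issueManagement/url; Dependabot PRs for this artifact "
                        "will show no commits, release notes or changelog")
    else:
        findings.append(f"OK: Dependabot resolves {hit[1]} via project/{hit[0]}")
    if not _text(ET.fromstring(pom_xml), "m:scm/m:url"):
        findings.append("WARN: project/scm/url is unset; set it explicitly rather than "
                        "relying on project/url, which for Jenkins plugins points at "
                        "the wiki/plugins site")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = GOOD_POM
    for finding in check_pom(source):
        print(finding)
```

Run it as `python check_pom.py path/to/pom.xml` before tagging a release. The check deliberately ignores `<scm><connection>`: the post names `scm > url`, and a `scm:git:...` string is not a browsable URL that a reviewer of a Dependabot PR can click through to.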

Re: Preparing your modules/library/plugin to be consumed by dependabot

Marky Jackson
+1

On Aug 27, 2019, at 9:50 AM, 'Gavin Mogan' via Jenkins Developers <[hidden email]> wrote:


Re: Preparing your modules/library/plugin to be consumed by dependabot

Jesse Glick-4
In reply to this post by Gavin Mogan
On Tue, Aug 27, 2019 at 12:50 PM 'Gavin Mogan' via Jenkins Developers <[hidden email]> wrote:
> I strongly recommend at least setting up project > scm > url

For example, when using an archetype (recommended):

https://github.com/jenkinsci/archetypes/blob/e546bcbb236539de7c2a958ccddfac190f44efb9/empty-plugin/src/main/resources/archetype-resources/pom.xml#L30


Re: Preparing your modules/library/plugin to be consumed by dependabot

Joseph P
In reply to this post by Gavin Mogan
Hi Gavin, we actually made that change in JCasC to prepare for https://github.com/jenkins-infra/plugin-site-api/pull/54
Good that dependabot is something you can depend on 😁

Original PR https://github.com/jenkinsci/configuration-as-code-plugin/pull/1004

On Tuesday, August 27, 2019 at 6:50:38 PM UTC+2, Gavin Mogan wrote:

Re: Preparing your modules/library/plugin to be consumed by dependabot

Oleg Nenashev
Thanks for the investigation Gavin!
I plan to document Dependabot usage guidelines eventually, and I will make sure to reflect it


BR, Oleg

On Thursday, August 29, 2019 at 2:19:45 AM UTC+2, Joseph P wrote: