|
|
12
|
|
Dear all,
I would like to follow-up on the Dependabot request from Jesse Glick in INFRA-1975. Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle which are being heavily used in Jenkins.
Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.
Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of ci.jenkins.io. No special infrastructure required, and this is an advantage for us. There are other implementations (including UpdateBot by Fabric8/Jenkins X which has a Jenkins plugin), but it would require more efforts to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.
My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
What do you think?
Thanks in advance, Oleg
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev < [hidden email]> wrote:
> I propose to focus on development tools
Since the primary use case is offering updates to plugin repositories,
I would suggest including at least one example of `*-plugin`.
The question is which dependencies ought to be eligible for upgrade. I
do not think we want to update Jenkins core or plugin dependencies
gratuitously, since this would limit availability of new releases with
only modest productivity gain: more realistic functional tests, less
distance from `master` to whatever `plugin-compat-tester` would use.
Definitely we can freely upgrade the parent POM. I would be happy for
such updates to be auto-merged in fact, so long as the build passes
obviously.
> pre-1.0 projects only
Or just plugins that (a) have fairly low installation count, (b) are
maintained by people actively participating in the trial.
> More repositories can be added if somebody is interested to participate in the Dependabot evaluation.
Sign me up!
I _do_ need to make sure I get notifications of these PRs in
Octobox.io, if they are not simply automerged. Merely watching a
repository is not enough—GH has autosubscribed me to hundreds of
repos, and the resulting thousands of notifications go to /dev/null.
Maybe Dependabot can be configured to request me as a reviewer?
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2pcB-%2BGsnJFKO7sR3drv3F43ADqqwAW0RU_bJUrpKEuw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
On Thu, Feb 21, 2019 at 6:43 AM Oleg Nenashev wrote:
Dear all,
My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
I added it to my forked repositories of the git plugin, git client plugin, and platform labeler plugin. The experiment has been educational. I like seeing the pull requests which are proposed. Updates to the parent pom could be automerged if CI jobs pass. I believe that updates to test dependencies could be automerged if CI jobs pass. Updates to non-test dependencies are not very helpful for me. When dependabot suggests that the git plugin should rely on the latest release of some other plugin, it risks placing unnecessary demands on users to install newer plugins than are required. I tell dependabot to stop offering those dependency updates. It closes the pull requests and stops offering updates to that component.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtE1qCFQmL-2bPAYhfyjLOATSFJ8Q5cF_4e%2Bb%3Dsxyg1Zuw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
I'm game for experimenting with this :D
On Thu, 21 Feb 2019, Oleg Nenashev wrote:
> Dear all,
>
> I would like to follow-up on the Dependabot request from Jesse Glick in
> INFRA-1975 < https://issues.jenkins-ci.org/browse/INFRA-1975>. Dependabot
> < https://dependabot.com/> is a service for automated dependency updates
> which supports many languages/tools, including Maven, Docker and Gradle
> which are being heavily used in Jenkins.
>
> Dependency management is a problem in Jenkins, because we have hundreds of
> repositories with many dependencies there. Maintainers spend a lot of time
> on managing dependencies, and sometimes it leads to ancient dependencies in
> components. Especially in the development tools which "just work". By
> automating dependency updates we could give maintainers more time to focus
> on other tasks.
>
> Dependabot is one of the engines we could use for dependency management. It
> is free for open-source projects, and it is a SaaS application which can be
> almost completely managed from GitHub. It can just create pull requests or,
> if we want, implement validated merge with help of ci.jenkins.io. No
> special infrastructure required, and this is an advantage for us. There are
> other implementations (including UpdateBot
> < https://github.com/jenkins-x/updatebot> by Fabric8/Jenkins X which has a
> Jenkins plugin), but it would require more efforts to deploy the
> infrastructure. It could be considered in the future if we want to have
> Jenkins-powered update management in the final implementation.
>
> My proposal would be to enable Dependabot for a *limited number* of Jenkins
> repositories so that we can experiment with it. I propose to focus on
> development tools and pre-1.0 projects only for now so that we can
> experiment with flow without a risk of impact on components being used in
> production in the Jenkins project. And we will be setting up auto-updates
> only for projects with existing test automation.
>
> - Jenkinsfile Runner - Example PRs in my local repo
> < https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
> - ci.jenkins.io-runner - Example PRs
> < https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was
> disabled after moving the repo)
> - plugin-pom - Example PRs in my local repo
> < https://github.com/oleg-nenashev/plugin-pom/pulls>
> - maven-hpi-plugin - Example PRs in my local Repo
> < https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>
>
> More repositories can be added if somebody is interested to participate in
> the Dependabot evaluation. If there is a positive feedback after the
> initial evaluation, we could proceed with creating a JEP to define the flow
> and the usage/administration policies.
>
> What do you think?
>
> Thanks in advance,
> Oleg
>
> --
> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
--
GitHub: https://github.com/rtylerGPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/20190221161048.2imlqsgphzjf7nnf%40grape.
For more options, visit https://groups.google.com/d/optout.
|
|
|
I suspect maven doesn't update nearly as often as node does, but i have greenkeeper on a lot of my node projects, and sometimes when something updates (like the testing framework) i get a huge number of PRs really quickly.
Renovate bot does have support for auto merging PRs if you want, so it can handle things a little automated.
But I'm +1 for Dependabot
I'm game for experimenting with this :D
On Thu, 21 Feb 2019, Oleg Nenashev wrote:
> Dear all,
>
> I would like to follow-up on the Dependabot request from Jesse Glick in
> INFRA-1975 <https://issues.jenkins-ci.org/browse/INFRA-1975>. Dependabot
> <https://dependabot.com/> is a service for automated dependency updates
> which supports many languages/tools, including Maven, Docker and Gradle
> which are being heavily used in Jenkins.
>
> Dependency management is a problem in Jenkins, because we have hundreds of
> repositories with many dependencies there. Maintainers spend a lot of time
> on managing dependencies, and sometimes it leads to ancient dependencies in
> components. Especially in the development tools which "just work". By
> automating dependency updates we could give maintainers more time to focus
> on other tasks.
>
> Dependabot is one of the engines we could use for dependency management. It
> is free for open-source projects, and it is a SaaS application which can be
> almost completely managed from GitHub. It can just create pull requests or,
> if we want, implement validated merge with help of ci.jenkins.io. No
> special infrastructure required, and this is an advantage for us. There are
> other implementations (including UpdateBot
> <https://github.com/jenkins-x/updatebot> by Fabric8/Jenkins X which has a
> Jenkins plugin), but it would require more efforts to deploy the
> infrastructure. It could be considered in the future if we want to have
> Jenkins-powered update management in the final implementation.
>
> My proposal would be to enable Dependabot for a *limited number* of Jenkins
> repositories so that we can experiment with it. I propose to focus on
> development tools and pre-1.0 projects only for now so that we can
> experiment with flow without a risk of impact on components being used in
> production in the Jenkins project. And we will be setting up auto-updates
> only for projects with existing test automation.
>
> - Jenkinsfile Runner - Example PRs in my local repo
> <https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
> - ci.jenkins.io-runner - Example PRs
> <https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was
> disabled after moving the repo)
> - plugin-pom - Example PRs in my local repo
> <https://github.com/oleg-nenashev/plugin-pom/pulls>
> - maven-hpi-plugin - Example PRs in my local Repo
> <https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>
>
> More repositories can be added if somebody is interested to participate in
> the Dependabot evaluation. If there is a positive feedback after the
> initial evaluation, we could proceed with creating a JEP to define the flow
> and the usage/administration policies.
>
> What do you think?
>
> Thanks in advance,
> Oleg
>
> --
> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
--
GitHub: https://github.com/rtyler
GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/20190221161048.2imlqsgphzjf7nnf%40grape.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAAgr96KGGQaf%2Bt_Kz_FODWTYRiaiP%3DUXTsqGkt5kPieXYhbo0Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
Hi all,
Thanks for the responses! If there is no negative feedback, I will proceed with the implementation next Monday. Whomever wants to add any extra components to evaluation, please comment in this thread.
Jesse: Since the primary use case is offering updates to plugin repositories,
I would suggest including at least one example of `*-plugin`. ..... if (a) have fairly low installation count (b) are
maintained by people actively participating in the trial.
maven-hpi-plugin matches the wildcard :P Speaking seriously, we could try to add some Jenkins plugins to the experiment if (a) and (b) conditions are met. If Mark wants to try out his plugins
Mark: Updates to non-test dependencies are not very helpful for me. When
dependabot suggests that the git plugin should rely on the latest
release of some other plugin, it risks placing unnecessary demands on
users to install newer plugins than are required. I tell dependabot to
stop offering those dependency updates. It closes the pull requests and
stops offering updates to that component.
Yes, dependabot can be controlled by GitHubCommentOps or Configuration-as-Code. It may require maintainers to set up filters, but then it will work like a charm. For evaluation purposes I would recommend configuration-as-code tho. It may help us to easily verify the configured filters later.
Jesse: The question is which dependencies ought to be eligible for upgrade. I
do not think we want to update Jenkins core or plugin dependencies
gratuitously, since this would limit availability of new releases with
only modest productivity gain: more realistic functional tests, less
distance from `master` to whatever `plugin-compat-tester` would use.
Same as above, we could somehow configure it via filters somehow though it might be not trivial. I think that we will need to... - Document recommendations in JEP after the evaluation
- Provide Config File samples (in JEP) so that maintainers can configure Dependabot correctly
Maybe Dependabot can be configured to request me as a reviewer?
Best regards, Oleg
On Thursday, February 21, 2019 at 5:21:36 PM UTC+1, Gavin Mogan wrote: Another one to look at is Renovate bot ( <a href="https://renovatebot.com/docs/" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Frenovatebot.com%2Fdocs%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHuj7NUcRMxZpUa4EP2rxRn1a5xug';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Frenovatebot.com%2Fdocs%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHuj7NUcRMxZpUa4EP2rxRn1a5xug';return true;">https://renovatebot.com/docs/ )
I suspect maven doesn't update nearly as often as node does, but i have greenkeeper on a lot of my node projects, and sometimes when something updates (like the testing framework) i get a huge number of PRs really quickly.
Renovate bot does have support for auto merging PRs if you want, so it can handle things a little automated.
But I'm +1 for Dependabot
On Thu, Feb 21, 2019 at 8:10 AM R. Tyler Croy <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="pqEP1zrEBAAJ" rel="nofollow" onmousedown="this.href='javascript:';return true;" onclick="this.href='javascript:';return true;">ty...@...> wrote:
I'm game for experimenting with this :D
On Thu, 21 Feb 2019, Oleg Nenashev wrote:
> Dear all,
>
> I would like to follow-up on the Dependabot request from Jesse Glick in
> INFRA-1975 <<a href="https://issues.jenkins-ci.org/browse/INFRA-1975" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;">https://issues.jenkins-ci.org/browse/INFRA-1975>. Dependabot
> <<a href="https://dependabot.com/" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;">https://dependabot.com/> is a service for automated dependency updates
> which supports many languages/tools, including Maven, Docker and Gradle
> which are being heavily used in Jenkins.
>
> Dependency management is a problem in Jenkins, because we have hundreds of
> repositories with many dependencies there. Maintainers spend a lot of time
> on managing dependencies, and sometimes it leads to ancient dependencies in
> components. Especially in the development tools which "just work". By
> automating dependency updates we could give maintainers more time to focus
> on other tasks.
>
> Dependabot is one of the engines we could use for dependency management. It
> is free for open-source projects, and it is a SaaS application which can be
> almost completely managed from GitHub. It can just create pull requests or,
> if we want, implement validated merge with help of <a href="http://ci.jenkins.io" rel="nofollow" target="_blank" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;">ci.jenkins.io. No
> special infrastructure required, and this is an advantage for us. There are
> other implementations (including UpdateBot
> <<a href="https://github.com/jenkins-x/updatebot" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;">https://github.com/jenkins-x/updatebot> by Fabric8/Jenkins X which has a
> Jenkins plugin), but it would require more efforts to deploy the
> infrastructure. It could be considered in the future if we want to have
> Jenkins-powered update management in the final implementation.
>
> My proposal would be to enable Dependabot for a *limited number* of Jenkins
> repositories so that we can experiment with it. I propose to focus on
> development tools and pre-1.0 projects only for now so that we can
> experiment with flow without a risk of impact on components being used in
> production in the Jenkins project. And we will be setting up auto-updates
> only for projects with existing test automation.
>
> - Jenkinsfile Runner - Example PRs in my local repo
> <<a href="https://github.com/oleg-nenashev/jenkinsfile-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;">https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
> - ci.jenkins.io-runner - Example PRs
> <<a href="https://github.com/jenkinsci/ci.jenkins.io-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;">https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was
> disabled after moving the repo)
> - plugin-pom - Example PRs in my local repo
> <<a href="https://github.com/oleg-nenashev/plugin-pom/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;">https://github.com/oleg-nenashev/plugin-pom/pulls>
> - maven-hpi-plugin - Example PRs in my local Repo
> <<a href="https://github.com/oleg-nenashev/maven-hpi-plugin/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;">https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>
>
> More repositories can be added if somebody is interested to participate in
> the Dependabot evaluation. If there is a positive feedback after the
> initial evaluation, we could proceed with creating a JEP to define the flow
> and the usage/administration policies.
>
> What do you think?
>
> Thanks in advance,
> Oleg
>
> --
> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="pqEP1zrEBAAJ" rel="nofollow" onmousedown="this.href='javascript:';return true;" onclick="this.href='javascript:';return true;">jenkinsci-de...@googlegroups.com.
> To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com';return true;" onclick="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com';return true;">https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com.
> For more options, visit <a href="https://groups.google.com/d/optout" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/optout';return true;" onclick="this.href='https://groups.google.com/d/optout';return true;">https://groups.google.com/d/optout.
--
GitHub: <a href="https://github.com/rtyler" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Frtyler\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFtsnCUZ085B8982iTQ2KFqz5gYhw';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Frtyler\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFtsnCUZ085B8982iTQ2KFqz5gYhw';return true;">https://github.com/rtyler
GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="pqEP1zrEBAAJ" rel="nofollow" onmousedown="this.href='javascript:';return true;" onclick="this.href='javascript:';return true;">jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/jenkinsci-dev/20190221161048.2imlqsgphzjf7nnf%40grape" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/20190221161048.2imlqsgphzjf7nnf%40grape';return true;" onclick="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/20190221161048.2imlqsgphzjf7nnf%40grape';return true;">https://groups.google.com/d/msgid/jenkinsci-dev/20190221161048.2imlqsgphzjf7nnf%40grape.
For more options, visit <a href="https://groups.google.com/d/optout" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/optout';return true;" onclick="this.href='https://groups.google.com/d/optout';return true;">https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/9ae69c40-fbc2-4e44-993c-4b22648867dd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
On Thu, Feb 21, 2019 at 4:25 PM Oleg Nenashev wrote:
Hi all,
Thanks for the responses! If there is no negative feedback, I will proceed with the implementation next Monday. Whomever wants to add any extra components to evaluation, please comment in this thread.
Jesse: Since the primary use case is offering updates to plugin repositories,
I would suggest including at least one example of `*-plugin`. ..... if (a) have fairly low installation count (b) are
maintained by people actively participating in the trial.
maven-hpi-plugin matches the wildcard :P Speaking seriously, we could try to add some Jenkins plugins to the experiment if (a) and (b) conditions are met. If Mark wants to try out his plugins
The platformlabeler plugin meets conditions (a) and (b). The other two plugins I maintain don't meet condition (a). Definitely enable it on platformlabeler-plugin.
I'm willing to try it on the other two plugins I maintain, but am also fine skipping them if it is not comfortable for the community.
I will actively participate in the trial. Mark: Updates to non-test dependencies are not very helpful for me. When
dependabot suggests that the git plugin should rely on the latest
release of some other plugin, it risks placing unnecessary demands on
users to install newer plugins than are required. I tell dependabot to
stop offering those dependency updates. It closes the pull requests and
stops offering updates to that component.
Yes, dependabot can be controlled by GitHubCommentOps or Configuration-as-Code. It may require maintainers to set up filters, but then it will work like a charm. For evaluation purposes I would recommend configuration-as-code tho. It may help us to easily verify the configured filters later.
That looks great. I'm happy to try the configuration as code route.
Mark Waite
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtHw_QmYRz%2B%3DQLdJQXmGya-mA0hn%2B6SXov-JwY1t4Qc_jg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
On Thu, Feb 21, 2019 at 6:25 PM Oleg Nenashev < [hidden email]> wrote:
> Speaking seriously, we could try to add some Jenkins plugins to the experiment if (a) and (b) conditions are met.
To start with, sign me up for:
* log-cli
* pipeline-cloudwatch-logs
* parallel-test-executor
* mock-slave
which should give a decent mix.
> I would recommend configuration-as-code
Yes please.
> Document recommendations in JEP after the evaluation
> Provide Config File samples (in JEP) so that maintainers can configure Dependabot correctly
Definitely.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr0dYNeFLmspUCp_DzZMSdED4fERkQQSUYEEs2tsud6xjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
Please enable it for
* bitbucket-branch-source-plugin * mstest-plugin * vstestrunner-plugin On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote: Dear all,
I would like to follow-up on the Dependabot request from Jesse Glick in <a href="https://issues.jenkins-ci.org/browse/INFRA-1975" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;">INFRA-1975. <a href="https://dependabot.com/" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;">Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle which are being heavily used in Jenkins.
Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.
Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of <a href="http://ci.jenkins.io" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;">ci.jenkins.io. No special infrastructure required, and this is an advantage for us. There are other implementations (including <a href="https://github.com/jenkins-x/updatebot" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;">UpdateBot by Fabric8/Jenkins X which has a Jenkins plugin), but it would require more efforts to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.
My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
- Jenkinsfile Runner - <a href="https://github.com/oleg-nenashev/jenkinsfile-runner/pulls" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;">Example PRs in my local repo
- ci.jenkins.io-runner - <a href="https://github.com/jenkinsci/ci.jenkins.io-runner/pulls" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;">Example PRs (bot was disabled after moving the repo)
- plugin-pom - <a href="https://github.com/oleg-nenashev/plugin-pom/pulls" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;">Example PRs in my local repo
- maven-hpi-plugin - <a href="https://github.com/oleg-nenashev/maven-hpi-plugin/pulls" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;">Example PRs in my local Repo
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
What do you think?
Thanks in advance, Oleg
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/10436c0a-e148-4818-925b-c1b101813726%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
Hi all,
I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :)
I have also started a Google Doc where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs. Hi Ulli and Joseph,
As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.
BR, Oleg On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote: Please enable it for
* bitbucket-branch-source-plugin * mstest-plugin * vstestrunner-plugin On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote: Dear all,
I would like to follow-up on the Dependabot request from Jesse Glick in <a href="https://issues.jenkins-ci.org/browse/INFRA-1975" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;">INFRA-1975. <a href="https://dependabot.com/" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;">Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle which are being heavily used in Jenkins.
Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.
Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of <a href="http://ci.jenkins.io" rel="nofollow" target="_blank" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;">ci.jenkins.io. No special infrastructure required, and this is an advantage for us. There are other implementations (including <a href="https://github.com/jenkins-x/updatebot" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;">UpdateBot by Fabric8/Jenkins X which has a Jenkins plugin), but it would require more efforts to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.
My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
- Jenkinsfile Runner - <a href="https://github.com/oleg-nenashev/jenkinsfile-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;">Example PRs in my local repo
- ci.jenkins.io-runner - <a href="https://github.com/jenkinsci/ci.jenkins.io-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;">Example PRs (bot was disabled after moving the repo)
- plugin-pom - <a href="https://github.com/oleg-nenashev/plugin-pom/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;">Example PRs in my local repo
- maven-hpi-plugin - <a href="https://github.com/oleg-nenashev/maven-hpi-plugin/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;">Example PRs in my local Repo
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
What do you think?
Thanks in advance, Oleg
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
Thanks for driving this Oleg!
I'm in for the plugins I'm maintaining: If I can add them myself, feel free to just point me to some link/docs, and I'll handle it myself. Thanks!
-- Baptiste Le lun. 25 févr. 2019 à 14:35, Oleg Nenashev < [hidden email]> a écrit : Hi all,
I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :)
I have also started a Google Doc where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs. Hi Ulli and Joseph,
As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.
BR, Oleg On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote: Please enable it for
* bitbucket-branch-source-plugin * mstest-plugin * vstestrunner-plugin On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote: Dear all,
I would like to follow-up on the Dependabot request from Jesse Glick in INFRA-1975. Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle which are being heavily used in Jenkins.
Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.
Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of ci.jenkins.io. No special infrastructure required, and this is an advantage for us. There are other implementations (including UpdateBot by Fabric8/Jenkins X which has a Jenkins plugin), but it would require more efforts to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.
My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
What do you think?
Thanks in advance, Oleg
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANWgJS5CmNifB6buiv%3DYy84x-sekMmznu6Ct941EY8KLXg%2BhRA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
Hi Baptiste, the requested repositories have been added.
@All I also added the Plugin Compat Tester and Custom WAR Packager repositories
- https://github.com/jenkinsci/custom-war-packager
- https://github.com/jenkinsci/plugin-compat-tester
Both of them are development tools, so it should be ok.
Best regards, Oleg
On Wednesday, February 27, 2019 at 2:04:43 PM UTC+1, Baptiste Mathus wrote: Thanks for driving this Oleg!
I'm in for the plugins I'm maintaining: - <a href="https://github.com/jenkinsci/buildtriggerbadge-plugin/" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fbuildtriggerbadge-plugin%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHM4syC30oens10PJYW9KrCDuXhnA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fbuildtriggerbadge-plugin%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHM4syC30oens10PJYW9KrCDuXhnA';return true;">https://github.com/jenkinsci/buildtriggerbadge-plugin/
- <a href="https://github.com/jenkinsci/chucknorris-plugin" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fchucknorris-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFqMEw1Wf8Zabd-x-O341Q_EQRnDg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fchucknorris-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFqMEw1Wf8Zabd-x-O341Q_EQRnDg';return true;">https://github.com/jenkinsci/chucknorris-plugin
- <a href="https://github.com/jenkinsci/versioncolumn-plugin" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fversioncolumn-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFE-WgubogqKAlT2sLHLIKrJ8DzZA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fversioncolumn-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFE-WgubogqKAlT2sLHLIKrJ8DzZA';return true;">https://github.com/jenkinsci/versioncolumn-plugin
- <a href="https://github.com/jenkinsci/parameterized-scheduler-plugin" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fparameterized-scheduler-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGiTy2jxjMMtaKQAp6B-KkViESRDA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fparameterized-scheduler-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGiTy2jxjMMtaKQAp6B-KkViESRDA';return true;">https://github.com/jenkinsci/parameterized-scheduler-plugin
If I can add them myself, feel free to just point me to some link/docs, and I'll handle it myself. Thanks!
-- Baptiste
Le lun. 25 févr. 2019 à 14:35, Oleg Nenashev <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="97c7MC-fBgAJ" rel="nofollow" onmousedown="this.href='javascript:';return true;" onclick="this.href='javascript:';return true;">o.v.ne...@...> a écrit :
Hi all,
I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :)
I have also started <a href="https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp=sharing" rel="nofollow" target="_blank" onmousedown="this.href='https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp\x3dsharing';return true;" onclick="this.href='https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp\x3dsharing';return true;">a Google Doc where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs.
Hi Ulli and Joseph,
As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.
BR, Oleg On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote: Please enable it for
* bitbucket-branch-source-plugin * mstest-plugin * vstestrunner-plugin On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote: Dear all,
I would like to follow-up on the Dependabot request from Jesse Glick in <a href="https://issues.jenkins-ci.org/browse/INFRA-1975" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;">INFRA-1975. <a href="https://dependabot.com/" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;">Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle which are being heavily used in Jenkins.
Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.
Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of <a href="http://ci.jenkins.io" rel="nofollow" target="_blank" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;">ci.jenkins.io. No special infrastructure required, and this is an advantage for us. There are other implementations (including <a href="https://github.com/jenkins-x/updatebot" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;">UpdateBot by Fabric8/Jenkins X which has a Jenkins plugin), but it would require more efforts to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.
My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
- Jenkinsfile Runner - <a href="https://github.com/oleg-nenashev/jenkinsfile-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;">Example PRs in my local repo
- ci.jenkins.io-runner - <a href="https://github.com/jenkinsci/ci.jenkins.io-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;">Example PRs (bot was disabled after moving the repo)
- plugin-pom - <a href="https://github.com/oleg-nenashev/plugin-pom/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;">Example PRs in my local repo
- maven-hpi-plugin - <a href="https://github.com/oleg-nenashev/maven-hpi-plugin/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;">Example PRs in my local Repo
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
What do you think?
Thanks in advance, Oleg
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="97c7MC-fBgAJ" onmousedown="this.href='javascript:';return true;" onclick="this.href='javascript:';return true;">jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com?utm_medium=email&utm_source=footer" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter';return true;" onclick="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter';return true;">https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com.
For more options, visit <a href="https://groups.google.com/d/optout" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/optout';return true;" onclick="this.href='https://groups.google.com/d/optout';return true;">https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/4559b7b9-c61f-4488-adfd-4c9c4ff91763%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
Hi Oleg,
i'm also interested! can you please add following repo? - https://github.com/jenkinsci/performance-signature-dynatrace-plugin
Regards, Raphael Am Montag, 4. März 2019 15:40:57 UTC+1 schrieb Oleg Nenashev: Hi Baptiste, the requested repositories have been added.
@All I also added the Plugin Compat Tester and Custom WAR Packager repositories
- <a href="https://github.com/jenkinsci/custom-war-packager" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fcustom-war-packager\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGZ8p07iUV2ifEZVyat2n2EvCQjpQ';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fcustom-war-packager\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGZ8p07iUV2ifEZVyat2n2EvCQjpQ';return true;">https://github.com/jenkinsci/custom-war-packager
- <a href="https://github.com/jenkinsci/plugin-compat-tester" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fplugin-compat-tester\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHh-Yx1aPW5vVpPv1o5vpnjkhIL5Q';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fplugin-compat-tester\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHh-Yx1aPW5vVpPv1o5vpnjkhIL5Q';return true;">https://github.com/jenkinsci/plugin-compat-tester
Both of them are development tools, so it should be ok.
Best regards, Oleg
On Wednesday, February 27, 2019 at 2:04:43 PM UTC+1, Baptiste Mathus wrote: Thanks for driving this Oleg!
I'm in for the plugins I'm maintaining: - <a href="https://github.com/jenkinsci/buildtriggerbadge-plugin/" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fbuildtriggerbadge-plugin%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHM4syC30oens10PJYW9KrCDuXhnA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fbuildtriggerbadge-plugin%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHM4syC30oens10PJYW9KrCDuXhnA';return true;">https://github.com/jenkinsci/buildtriggerbadge-plugin/
- <a href="https://github.com/jenkinsci/chucknorris-plugin" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fchucknorris-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFqMEw1Wf8Zabd-x-O341Q_EQRnDg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fchucknorris-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFqMEw1Wf8Zabd-x-O341Q_EQRnDg';return true;">https://github.com/jenkinsci/chucknorris-plugin
- <a href="https://github.com/jenkinsci/versioncolumn-plugin" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fversioncolumn-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFE-WgubogqKAlT2sLHLIKrJ8DzZA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fversioncolumn-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFE-WgubogqKAlT2sLHLIKrJ8DzZA';return true;">https://github.com/jenkinsci/versioncolumn-plugin
- <a href="https://github.com/jenkinsci/parameterized-scheduler-plugin" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fparameterized-scheduler-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGiTy2jxjMMtaKQAp6B-KkViESRDA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fparameterized-scheduler-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGiTy2jxjMMtaKQAp6B-KkViESRDA';return true;">https://github.com/jenkinsci/parameterized-scheduler-plugin
If I can add them myself, feel free to just point me to some link/docs, and I'll handle it myself. Thanks!
-- Baptiste
Le lun. 25 févr. 2019 à 14:35, Oleg Nenashev < [hidden email]> a écrit : Hi all,
I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :)
I have also started <a href="https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp=sharing" rel="nofollow" target="_blank" onmousedown="this.href='https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp\x3dsharing';return true;" onclick="this.href='https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp\x3dsharing';return true;">a Google Doc where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs.
Hi Ulli and Joseph,
As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.
BR, Oleg On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote: Please enable it for
* bitbucket-branch-source-plugin * mstest-plugin * vstestrunner-plugin On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote: Dear all,
I would like to follow-up on the Dependabot request from Jesse Glick in <a href="https://issues.jenkins-ci.org/browse/INFRA-1975" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;">INFRA-1975. <a href="https://dependabot.com/" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;">Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle which are being heavily used in Jenkins.
Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.
Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of <a href="http://ci.jenkins.io" rel="nofollow" target="_blank" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;">ci.jenkins.io. No special infrastructure required, and this is an advantage for us. There are other implementations (including <a href="https://github.com/jenkins-x/updatebot" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;">UpdateBot by Fabric8/Jenkins X which has a Jenkins plugin), but it would require more efforts to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.
My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
- Jenkinsfile Runner - <a href="https://github.com/oleg-nenashev/jenkinsfile-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;">Example PRs in my local repo
- ci.jenkins.io-runner - <a href="https://github.com/jenkinsci/ci.jenkins.io-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;">Example PRs (bot was disabled after moving the repo)
- plugin-pom - <a href="https://github.com/oleg-nenashev/plugin-pom/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;">Example PRs in my local repo
- maven-hpi-plugin - <a href="https://github.com/oleg-nenashev/maven-hpi-plugin/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;">Example PRs in my local Repo
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
What do you think?
Thanks in advance, Oleg
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com?utm_medium=email&utm_source=footer" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter';return true;" onclick="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter';return true;">https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com.
For more options, visit <a href="https://groups.google.com/d/optout" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/optout';return true;" onclick="this.href='https://groups.google.com/d/optout';return true;">https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/f8b7bb2e-19a0-4e95-8040-167688340756%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
Hi Raphael,
Done.
BR, Oleg On Monday, March 11, 2019 at 10:54:57 AM UTC+1, Raphael Pionke wrote: Hi Oleg,
i'm also interested! can you please add following repo? - <a href="https://github.com/jenkinsci/performance-signature-dynatrace-plugin" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fperformance-signature-dynatrace-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHRshVJA3SxkcP0OUu1eNGWnR_fZA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fperformance-signature-dynatrace-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHRshVJA3SxkcP0OUu1eNGWnR_fZA';return true;">https://github.com/jenkinsci/performance-signature-dynatrace-plugin
Regards, Raphael Am Montag, 4. März 2019 15:40:57 UTC+1 schrieb Oleg Nenashev: Hi Baptiste, the requested repositories have been added.
@All I also added the Plugin Compat Tester and Custom WAR Packager repositories
- <a href="https://github.com/jenkinsci/custom-war-packager" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fcustom-war-packager\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGZ8p07iUV2ifEZVyat2n2EvCQjpQ';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fcustom-war-packager\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGZ8p07iUV2ifEZVyat2n2EvCQjpQ';return true;">https://github.com/jenkinsci/custom-war-packager
- <a href="https://github.com/jenkinsci/plugin-compat-tester" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fplugin-compat-tester\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHh-Yx1aPW5vVpPv1o5vpnjkhIL5Q';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fplugin-compat-tester\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHh-Yx1aPW5vVpPv1o5vpnjkhIL5Q';return true;">https://github.com/jenkinsci/plugin-compat-tester
Both of them are development tools, so it should be ok.
Best regards, Oleg
On Wednesday, February 27, 2019 at 2:04:43 PM UTC+1, Baptiste Mathus wrote: Thanks for driving this Oleg!
I'm in for the plugins I'm maintaining: - <a href="https://github.com/jenkinsci/buildtriggerbadge-plugin/" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fbuildtriggerbadge-plugin%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHM4syC30oens10PJYW9KrCDuXhnA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fbuildtriggerbadge-plugin%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHM4syC30oens10PJYW9KrCDuXhnA';return true;">https://github.com/jenkinsci/buildtriggerbadge-plugin/
- <a href="https://github.com/jenkinsci/chucknorris-plugin" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fchucknorris-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFqMEw1Wf8Zabd-x-O341Q_EQRnDg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fchucknorris-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFqMEw1Wf8Zabd-x-O341Q_EQRnDg';return true;">https://github.com/jenkinsci/chucknorris-plugin
- <a href="https://github.com/jenkinsci/versioncolumn-plugin" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fversioncolumn-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFE-WgubogqKAlT2sLHLIKrJ8DzZA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fversioncolumn-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFE-WgubogqKAlT2sLHLIKrJ8DzZA';return true;">https://github.com/jenkinsci/versioncolumn-plugin
- <a href="https://github.com/jenkinsci/parameterized-scheduler-plugin" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fparameterized-scheduler-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGiTy2jxjMMtaKQAp6B-KkViESRDA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fparameterized-scheduler-plugin\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGiTy2jxjMMtaKQAp6B-KkViESRDA';return true;">https://github.com/jenkinsci/parameterized-scheduler-plugin
If I can add them myself, feel free to just point me to some link/docs, and I'll handle it myself. Thanks!
-- Baptiste
Le lun. 25 févr. 2019 à 14:35, Oleg Nenashev < [hidden email]> a écrit : Hi all,
I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :)
I have also started <a href="https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp=sharing" rel="nofollow" target="_blank" onmousedown="this.href='https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp\x3dsharing';return true;" onclick="this.href='https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp\x3dsharing';return true;">a Google Doc where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs.
Hi Ulli and Joseph,
As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.
BR, Oleg On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote: Please enable it for
* bitbucket-branch-source-plugin * mstest-plugin * vstestrunner-plugin On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote: Dear all,
I would like to follow-up on the Dependabot request from Jesse Glick in <a href="https://issues.jenkins-ci.org/browse/INFRA-1975" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA';return true;">INFRA-1975. <a href="https://dependabot.com/" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA';return true;">Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle which are being heavily used in Jenkins.
Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.
Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of <a href="http://ci.jenkins.io" rel="nofollow" target="_blank" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q';return true;">ci.jenkins.io. No special infrastructure required, and this is an advantage for us. There are other implementations (including <a href="https://github.com/jenkins-x/updatebot" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA';return true;">UpdateBot by Fabric8/Jenkins X which has a Jenkins plugin), but it would require more efforts to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.
My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
- Jenkinsfile Runner - <a href="https://github.com/oleg-nenashev/jenkinsfile-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg';return true;">Example PRs in my local repo
- ci.jenkins.io-runner - <a href="https://github.com/jenkinsci/ci.jenkins.io-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg';return true;">Example PRs (bot was disabled after moving the repo)
- plugin-pom - <a href="https://github.com/oleg-nenashev/plugin-pom/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA';return true;">Example PRs in my local repo
- maven-hpi-plugin - <a href="https://github.com/oleg-nenashev/maven-hpi-plugin/pulls" rel="nofollow" target="_blank" onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;" onclick="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ';return true;">Example PRs in my local Repo
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
What do you think?
Thanks in advance, Oleg
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com?utm_medium=email&utm_source=footer" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter';return true;" onclick="this.href='https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter';return true;">https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com.
For more options, visit <a href="https://groups.google.com/d/optout" rel="nofollow" target="_blank" onmousedown="this.href='https://groups.google.com/d/optout';return true;" onclick="this.href='https://groups.google.com/d/optout';return true;">https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/62dedd13-d54f-400d-bd60-497e81f8b398%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
I've been very happy with dependabot enabled on the platformlabeler-plugin in the Jenkins organization.
I've also continued my experiment allowing it to run on my forks of the git plugin and git client plugin. It has been helpful in all cases.
By the time I am reviewing a dependabot pull request to update a dependency, the CI job has completed and test results are available. Can I have the following added:
https://github.com/jenkinsci/jackson2-api-plugin
https://github.com/jenkinsci/jsch-plugin
https://github.com/jenkinsci/pam-auth-plugin
https://github.com/jenkinsci/ssh-credentials-plugin
https://github.com/jenkinsci/audit-log-plugin
On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus <[hidden email]> wrote:
>
> Done Carlos.
>
> Le jeu. 2 mai 2019 à 09:28, Carlos Sanchez <[hidden email]> a écrit :
>>
>> please add https://github.com/jenkinsci/kubernetes-plugin
>>
>> thanks
>>
>> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick <[hidden email]> wrote:
>>>
>>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
>>> tests are not currently run in CI.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3%2BA%3DuSo4kmOM_BXjbOVeN9u9UFUChB59csZGhW7AoPgA%40mail.gmail.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CALHFn6OAy5HHW_aDNp-xCv69zxvW7p05VCdXh9LjVte%3DOpRhjA%40mail.gmail.com.
>> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANWgJS7fQSpnUf8GhGdFyXcQ6SErLMbM9F0PuUKgyAVLzPdi4A%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
--
Matt Sicker
Senior Software Engineer, CloudBees
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAEot4oxJn9wy4t%2BQpH7y2ExWtC4tBEUWSawrQmCy1ucJAx77XQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
--
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtFLGQ%3DkRezSywLV9xQubrG6bxxmeMAahoZ%2BXcNyzEh0kA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
|
12
|
Locked
signature.asc (499 bytes)