Proposal: Automating dependency management for repositories inside the jenkinsci org


Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
Dear all,

I would like to follow up on the Dependabot request from Jesse Glick in INFRA-1975. Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle, which are being heavily used in Jenkins.

Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.

Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of ci.jenkins.io. No special infrastructure is required, and this is an advantage for us. There are other implementations (including UpdateBot by Fabric8/Jenkins X, which has a Jenkins plugin), but they would require more effort to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.

My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
More repositories can be added if somebody is interested in participating in the Dependabot evaluation. If there is positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.

What do you think?

Thanks in advance,
Oleg

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Jesse Glick-4
On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev <[hidden email]> wrote:
> I propose to focus on development tools

Since the primary use case is offering updates to plugin repositories,
I would suggest including at least one example of `*-plugin`.

The question is which dependencies ought to be eligible for upgrade. I
do not think we want to update Jenkins core or plugin dependencies
gratuitously, since this would limit availability of new releases with
only modest productivity gain: more realistic functional tests, less
distance from `master` to whatever `plugin-compat-tester` would use.

Definitely we can freely upgrade the parent POM. I would be happy for
such updates to be auto-merged in fact, so long as the build passes
obviously.

> pre-1.0 projects only

Or just plugins that (a) have fairly low installation count, (b) are
maintained by people actively participating in the trial.

> More repositories can be added if somebody is interested to participate in the Dependabot evaluation.

Sign me up!

I _do_ need to make sure I get notifications of these PRs in
Octobox.io, if they are not simply automerged. Merely watching a
repository is not enough—GH has autosubscribed me to hundreds of
repos, and the resulting thousands of notifications go to /dev/null.
Maybe Dependabot can be configured to request me as a reviewer?


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Mark Waite-2
In reply to this post by Oleg Nenashev


On Thu, Feb 21, 2019 at 6:43 AM Oleg Nenashev wrote:
> Dear all,
>
> My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
> More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.


I added it to my forked repositories of the git plugin, git client plugin, and platform labeler plugin.  The experiment has been educational.  I like seeing the pull requests which are proposed.  Updates to the parent pom could be automerged if CI jobs pass.  I believe that updates to test dependencies could be automerged if CI jobs pass.
Updates to non-test dependencies are not very helpful for me.  When dependabot suggests that the git plugin should rely on the latest release of some other plugin, it risks placing unnecessary demands on users to install newer plugins than are required.  I tell dependabot to stop offering those dependency updates.  It closes the pull requests and stops offering updates to that component.
 
Mark Waite


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

R. Tyler Croy
In reply to this post by Oleg Nenashev

I'm game for experimenting with this :D

On Thu, 21 Feb 2019, Oleg Nenashev wrote:

> Dear all,
>
> I would like to follow-up on the Dependabot request from Jesse Glick in
> INFRA-1975 <https://issues.jenkins-ci.org/browse/INFRA-1975>. Dependabot
> <https://dependabot.com/> is a service for automated dependency updates
> which supports many languages/tools, including Maven, Docker and Gradle
> which are being heavily used in Jenkins.
>
> Dependency management is a problem in Jenkins, because we have hundreds of
> repositories with many dependencies there. Maintainers spend a lot of time
> on managing dependencies, and sometimes it leads to ancient dependencies in
> components. Especially in the development tools which "just work". By
> automating dependency updates we could give maintainers more time to focus
> on other tasks.
>
> Dependabot is one of the engines we could use for dependency management. It
> is free for open-source projects, and it is a SaaS application which can be
> almost completely managed from GitHub. It can just create pull requests or,
> if we want, implement validated merge with help of ci.jenkins.io. No
> special infrastructure required, and this is an advantage for us. There are
> other implementations (including UpdateBot
> <https://github.com/jenkins-x/updatebot> by Fabric8/Jenkins X which has a
> Jenkins plugin), but it would require more efforts to deploy the
> infrastructure. It could be considered in the future if we want to have
> Jenkins-powered update management in the final implementation.
>
> My proposal would be to enable Dependabot for a *limited number* of Jenkins
> repositories so that we can experiment with it. I propose to focus on
> development tools and pre-1.0 projects only for now so that we can
> experiment with flow without a risk of impact on components being used in
> production in the Jenkins project. And we will be setting up auto-updates
> only for projects with existing test automation.
>
>    - Jenkinsfile Runner - Example PRs in my local repo
>    <https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
>    - ci.jenkins.io-runner - Example PRs
>    <https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was
>    disabled after moving the repo)
>    - plugin-pom - Example PRs in my local repo
>    <https://github.com/oleg-nenashev/plugin-pom/pulls>
>    - maven-hpi-plugin - Example PRs in my local Repo
>    <https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>
>
> More repositories can be added if somebody is interested to participate in
> the Dependabot evaluation. If there is a positive feedback after the
> initial evaluation, we could proceed with creating a JEP to define the flow
> and the usage/administration policies.
>
> What do you think?
>
> Thanks in advance,
> Oleg
>
--
GitHub:  https://github.com/rtyler

GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Gavin Mogan-2
Another one to look at is Renovate bot ( https://renovatebot.com/docs/ )

I suspect Maven doesn't update nearly as often as Node does, but I have Greenkeeper on a lot of my Node projects, and sometimes when something updates (like the testing framework) I get a huge number of PRs really quickly.

Renovate bot does have support for auto merging PRs if you want, so it can handle things a little automated.

But I'm +1 for Dependabot


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
Hi all,

Thanks for the responses! If there is no negative feedback, I will proceed with the implementation next Monday. Whoever wants to add any extra components to the evaluation, please comment in this thread.

Jesse: Since the primary use case is offering updates to plugin repositories,
I would suggest including at least one example of `*-plugin`. ..... if (a) have fairly low installation count (b) are maintained by people actively participating in the trial. 

maven-hpi-plugin matches the wildcard :P
Speaking seriously, we could try to add some Jenkins plugins to the experiment if (a) and (b) conditions are met.
If Mark wants to try out his plugins

Mark: Updates to non-test dependencies are not very helpful for me.  When dependabot suggests that the git plugin should rely on the latest release of some other plugin, it risks placing unnecessary demands on users to install newer plugins than are required.  I tell dependabot to stop offering those dependency updates.  It closes the pull requests and stops offering updates to that component.

Yes, dependabot can be controlled by GitHubCommentOps or Configuration-as-Code. It may require maintainers to set up filters, but then it will work like a charm. For evaluation purposes I would recommend configuration-as-code, though. It may help us to easily verify the configured filters later.

Jesse: The question is which dependencies ought to be eligible for upgrade. I do not think we want to update Jenkins core or plugin dependencies gratuitously, since this would limit availability of new releases with only modest productivity gain: more realistic functional tests, less distance from `master` to whatever `plugin-compat-tester` would use.

Same as above, we could somehow configure it via filters, though it might not be trivial. I think that we will need to...
  1. Document recommendations in JEP after the evaluation
  2. Provide Config File samples (in JEP) so that maintainers can configure Dependabot correctly

Jesse: Maybe Dependabot can be configured to request me as a reviewer?

Yes, it can.

Best regards,
Oleg



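As an added illustration of the configuration-as-code filtering discussed in this thread (not a file from the thread or from any jenkinsci repository): a `.github/dependabot.yml` in the current Dependabot v2 schema, which replaced the `.dependabot/config.yml` format Dependabot used when this thread was written. The plugin dependency coordinates other than the parent POM and jenkins-core, and the reviewer handle, are constructed placeholders.

```yaml
# Added example, not from the thread: encodes the policy discussed above
# (parent POM and test-harness bumps welcome, core/plugin bumps suppressed,
# a maintainer requested as reviewer). The two plugin dependencies under
# "ignore" are constructed samples; the reviewer handle is a placeholder.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Bound the PR flood Gavin describes for fast-moving ecosystems.
    open-pull-requests-limit: 5
    # Jesse's request: be requested as reviewer so the PRs reach his inbox
    # instead of being lost among watched-repository notifications.
    reviewers:
      - "example-maintainer"   # placeholder GitHub handle
    labels:
      - "dependencies"
    ignore:
      # Jenkins core: a bump raises the minimum Jenkins version users must
      # run, which Jesse and Mark want to remain a deliberate decision.
      # (Whether Dependabot proposes this at all depends on how the POM
      # declares it; the rule is harmless if it never matches.)
      - dependency-name: "org.jenkins-ci.main:jenkins-core"
      # Dependencies on other plugins, listed one by one. A wildcard such as
      # "org.jenkins-ci.plugins:*" would also match the parent POM
      # org.jenkins-ci.plugins:plugin and silence the one update the thread
      # explicitly wants to keep flowing, so do not use it here.
      - dependency-name: "org.jenkins-ci.plugins:credentials"   # constructed sample
      - dependency-name: "org.jenkins-ci.plugins:scm-api"       # constructed sample
    # Not ignored on purpose: org.jenkins-ci.plugins:plugin (parent POM) and
    # org.jenkins-ci.main:jenkins-test-harness (test scope), the two classes
    # of update Jesse and Mark say could be merged as soon as CI is green.
```

The auto-merge of parent POM bumps after a green build that Jesse and Mark describe is not a key in this schema and has to be implemented by separate branch automation.
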
Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Mark Waite-2


On Thu, Feb 21, 2019 at 4:25 PM Oleg Nenashev wrote:
> Hi all,
>
> Thanks for the responses! If there is no negative feedback, I will proceed with the implementation next Monday. Whoever wants to add any extra components to the evaluation, please comment in this thread.
>
> Jesse: Since the primary use case is offering updates to plugin repositories,
> I would suggest including at least one example of `*-plugin`. ..... if (a) have fairly low installation count (b) are maintained by people actively participating in the trial.
>
> maven-hpi-plugin matches the wildcard :P
> Speaking seriously, we could try to add some Jenkins plugins to the experiment if (a) and (b) conditions are met.
> If Mark wants to try out his plugins


The platformlabeler plugin meets conditions (a) and (b).  The other two plugins I maintain don't meet condition (a).   Definitely enable it on platformlabeler-plugin.

I'm willing to try it on the other two plugins I maintain, but am also fine skipping them if it is not comfortable for the community.

I will actively participate in the trial.
 
> Mark: Updates to non-test dependencies are not very helpful for me.  When dependabot suggests that the git plugin should rely on the latest release of some other plugin, it risks placing unnecessary demands on users to install newer plugins than are required.  I tell dependabot to stop offering those dependency updates.  It closes the pull requests and stops offering updates to that component.
>
> Yes, dependabot can be controlled by GitHubCommentOps or Configuration-as-Code. It may require maintainers to set up filters, but then it will work like a charm. For evaluation purposes I would recommend configuration-as-code, though. It may help us to easily verify the configured filters later.


That looks great.  I'm happy to try the configuration as code route.

Mark Waite


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Jesse Glick-4
In reply to this post by Oleg Nenashev
On Thu, Feb 21, 2019 at 6:25 PM Oleg Nenashev <[hidden email]> wrote:
> Speaking seriously, we could try to add some Jenkins plugins to the experiment if (a) and (b) conditions are met.

To start with, sign me up for:

* log-cli
* pipeline-cloudwatch-logs
* parallel-test-executor
* mock-slave

which should give a decent mix.

> I would recommend configuration-as-code

Yes please.

> Document recommendations in JEP after the evaluation
> Provide Config File samples (in JEP) so that maintainers can configure Dependabot correctly

Definitely.


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Ulli Hafner
I like this idea as well. You can enable it for

- analysis-model
- warnings-ng-plugin



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Joseph P
In reply to this post by Oleg Nenashev
Please enable it for

* bitbucket-branch-source-plugin
* mstest-plugin
* vstestrunner-plugin

On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
> Dear all,
>
> I would like to follow-up on the Dependabot request from Jesse Glick in INFRA-1975 (https://issues.jenkins-ci.org/browse/INFRA-1975). Dependabot (https://dependabot.com/) is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle which are being heavily used in Jenkins.
>
> Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.
>
> Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of ci.jenkins.io. No special infrastructure required, and this is an advantage for us. There are other implementations (including UpdateBot by Fabric8/Jenkins X (https://github.com/jenkins-x/updatebot) which has a Jenkins plugin), but it would require more efforts to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.
>
> My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
>   • Jenkinsfile Runner - Example PRs in my local repo: https://github.com/oleg-nenashev/jenkinsfile-runner/pulls
>   • ci.jenkins.io-runner - Example PRs (bot was disabled after moving the repo): https://github.com/jenkinsci/ci.jenkins.io-runner/pulls
>   • plugin-pom - Example PRs in my local repo: https://github.com/oleg-nenashev/plugin-pom/pulls
>   • maven-hpi-plugin - Example PRs in my local repo: https://github.com/oleg-nenashev/maven-hpi-plugin/pulls
> More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
>
> What do you think?
>
> Thanks in advance,
> Oleg


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
Hi all,

I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :) 

I have also started a Google Doc (https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp=sharing) where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs.
 
Hi Ulli and Joseph,

As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.

BR, Oleg



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Baptiste MATHUS
Thanks for driving this Oleg!

I'm in for the plugins I'm maintaining:
  • https://github.com/jenkinsci/buildtriggerbadge-plugin/
  • https://github.com/jenkinsci/chucknorris-plugin
  • https://github.com/jenkinsci/versioncolumn-plugin
  • https://github.com/jenkinsci/parameterized-scheduler-plugin
If I can add them myself, feel free to just point me to some link/docs, and I'll handle it myself.
Thanks!

-- Baptiste


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
Hi Baptiste, the requested repositories have been added.

@All I also added the Plugin Compat Tester and Custom WAR Packager repositories:

  • https://github.com/jenkinsci/custom-war-packager
  • https://github.com/jenkinsci/plugin-compat-tester
Both of them are development tools, so it should be ok.

Best regards,
Oleg


On Wednesday, February 27, 2019 at 2:04:43 PM UTC+1, Baptiste Mathus wrote:
> Thanks for driving this Oleg!
>
> I'm in for the plugins I'm maintaining:
>   • https://github.com/jenkinsci/buildtriggerbadge-plugin/
>   • https://github.com/jenkinsci/chucknorris-plugin
>   • https://github.com/jenkinsci/versioncolumn-plugin
>   • https://github.com/jenkinsci/parameterized-scheduler-plugin
> If I can add them myself, feel free to just point me to some link/docs, and I'll handle it myself.
> Thanks!
>
> -- Baptiste

Le lun. 25 févr. 2019 à 14:35, Oleg Nenashev <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="97c7MC-fBgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">o.v.ne...@...> a écrit :
Hi all,

I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :) 

I have also started <a href="https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp=sharing" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp\x3dsharing&#39;;return true;" onclick="this.href=&#39;https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp\x3dsharing&#39;;return true;">a Google Doc where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs.
 
Hi Ulli and Joseph,

As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.

BR, Oleg


On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote:
Please enable it for

* bitbucket-branch-source-plugin
* mstest-plugin
* vstestrunner-plugin

On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
Dear all,

I would like to follow-up on the Dependabot request from Jesse Glick in <a href="https://issues.jenkins-ci.org/browse/INFRA-1975" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fissues.jenkins-ci.org%2Fbrowse%2FINFRA-1975\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEakpgTSk9YZJk6gSiSXZ0flTHkVA&#39;;return true;">INFRA-1975. <a href="https://dependabot.com/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdependabot.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFBM2S2KfcVImaSJzZAJa3lhRHgqA&#39;;return true;">Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle which are being heavily used in Jenkins.

Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components. Especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.

Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of <a href="http://ci.jenkins.io" rel="nofollow" target="_blank" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fci.jenkins.io\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFOz7dbDkaa430NrqJYgXhfPnQC2Q&#39;;return true;">ci.jenkins.io. No special infrastructure required, and this is an advantage for us. There are other implementations (including <a href="https://github.com/jenkins-x/updatebot" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkins-x%2Fupdatebot\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFvJFMmNWgZTRJTF3Wb99teN8cXlA&#39;;return true;">UpdateBot by Fabric8/Jenkins X which has a Jenkins plugin), but it would require more efforts to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.

My proposal would be to enable Dependabot for a limited number of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
  • Jenkinsfile Runner - <a href="https://github.com/oleg-nenashev/jenkinsfile-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fjenkinsfile-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEGm__nK6MPRM9lV4LVwSuzrXZGxg&#39;;return true;">Example PRs in my local repo
  • ci.jenkins.io-runner - <a href="https://github.com/jenkinsci/ci.jenkins.io-runner/pulls" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Fjenkinsci%2Fci.jenkins.io-runner%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETkFe7Xbx0WTjiNqmSpfCg3RjTZg&#39;;return true;">Example PRs (bot was disabled after moving the repo)
  • plugin-pom - <a href="https://github.com/oleg-nenashev/plugin-pom/pulls" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fplugin-pom%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu6d-R90bZBTpEFsCyO6JFLXNmA&#39;;return true;">Example PRs in my local repo
  • maven-hpi-plugin - <a href="https://github.com/oleg-nenashev/maven-hpi-plugin/pulls" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Foleg-nenashev%2Fmaven-hpi-plugin%2Fpulls\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFLxz9-XkS5XV6t9yo-_KB3ckWcyQ&#39;;return true;">Example PRs in my local Repo
More repositories can be added if somebody is interested to participate in the Dependabot evaluation. If there is a positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.

What do you think?

Thanks in advance,
Oleg

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/e6357551-d6ac-4b1f-b9b4-1fd55a3a16cc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Raphael Pionke-2
Hi Oleg,

I'm also interested! Can you please add the following repo?
  • https://github.com/jenkinsci/performance-signature-dynatrace-plugin
Regards,
Raphael


On Monday, 4 March 2019 at 15:40:57 UTC+1, Oleg Nenashev wrote:
Hi Baptiste, the requested repositories have been added.

@All I also added the Plugin Compat Tester and Custom WAR Packager repositories

  • https://github.com/jenkinsci/custom-war-packager
  • https://github.com/jenkinsci/plugin-compat-tester
Both of them are development tools, so it should be ok.

Best regards,
Oleg


On Wednesday, February 27, 2019 at 2:04:43 PM UTC+1, Baptiste Mathus wrote:
Thanks for driving this Oleg!

I'm in for the plugins I'm maintaining:
  • https://github.com/jenkinsci/buildtriggerbadge-plugin/
  • https://github.com/jenkinsci/chucknorris-plugin
  • https://github.com/jenkinsci/versioncolumn-plugin
  • https://github.com/jenkinsci/parameterized-scheduler-plugin
If I can add them myself, feel free to just point me to some link/docs, and I'll handle it myself.
Thanks!

-- Baptiste

On Mon, 25 Feb 2019 at 14:35, Oleg Nenashev <[hidden email]> wrote:
Hi all,

I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :) 

I have also started a Google Doc (https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp=sharing) where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs.
 
Hi Ulli and Joseph,

As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.

BR, Oleg


On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote:
Please enable it for

* bitbucket-branch-source-plugin
* mstest-plugin
* vstestrunner-plugin

On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
Hi Raphael,

Done.

BR, Oleg

On Monday, March 11, 2019 at 10:54:57 AM UTC+1, Raphael Pionke wrote:
Hi Oleg,

I'm also interested! Can you please add the following repo?
  • https://github.com/jenkinsci/performance-signature-dynatrace-plugin
Regards,
Raphael