Dear all,

I would like to follow up on the Dependabot request from Jesse Glick in INFRA-1975 <https://issues.jenkins-ci.org/browse/INFRA-1975>. Dependabot <https://dependabot.com/> is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle, which are being heavily used in Jenkins.

Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components, especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.

Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of ci.jenkins.io. No special infrastructure is required, and this is an advantage for us. There are other implementations (including UpdateBot <https://github.com/jenkins-x/updatebot> by Fabric8/Jenkins X, which has a Jenkins plugin), but they would require more effort to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.

My proposal would be to enable Dependabot for a *limited number* of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now, so that we can experiment with the flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.

- Jenkinsfile Runner - Example PRs in my local repo <https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
- ci.jenkins.io-runner - Example PRs <https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was disabled after moving the repo)
- plugin-pom - Example PRs in my local repo <https://github.com/oleg-nenashev/plugin-pom/pulls>
- maven-hpi-plugin - Example PRs in my local repo <https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>

More repositories can be added if somebody is interested in participating in the Dependabot evaluation. If there is positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.

What do you think?

Thanks in advance,
Oleg

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev <[hidden email]> wrote:
> I propose to focus on development tools

Since the primary use case is offering updates to plugin repositories, I would suggest including at least one example of `*-plugin`. The question is which dependencies ought to be eligible for upgrade. I do not think we want to update Jenkins core or plugin dependencies gratuitously, since this would limit availability of new releases with only modest productivity gain: more realistic functional tests, less distance from `master` to whatever `plugin-compat-tester` would use. Definitely we can freely upgrade the parent POM. I would be happy for such updates to be auto-merged in fact, so long as the build passes obviously.

> pre-1.0 projects only

Or just plugins that (a) have fairly low installation count, (b) are maintained by people actively participating in the trial.

> More repositories can be added if somebody is interested to participate in the Dependabot evaluation.

Sign me up! I _do_ need to make sure I get notifications of these PRs in Octobox.io, if they are not simply automerged. Merely watching a repository is not enough—GH has autosubscribed me to hundreds of repos, and the resulting thousands of notifications go to /dev/null. Maybe Dependabot can be configured to request me as a reviewer?
On Thu, Feb 21, 2019 at 6:43 AM Oleg Nenashev wrote:
I added it to my forked repositories of the git plugin, git client plugin, and platform labeler plugin. The experiment has been educational. I like seeing the pull requests which are proposed. Updates to the parent pom could be automerged if CI jobs pass. I believe that updates to test dependencies could be automerged if CI jobs pass.

Updates to non-test dependencies are not very helpful for me. When dependabot suggests that the git plugin should rely on the latest release of some other plugin, it risks placing unnecessary demands on users to install newer plugins than are required. I tell dependabot to stop offering those dependency updates. It closes the pull requests and stops offering updates to that component.

Mark Waite
I'm game for experimenting with this :D

On Thu, 21 Feb 2019, Oleg Nenashev wrote:
> - Jenkinsfile Runner - Example PRs in my local repo
> <https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
> - ci.jenkins.io-runner - Example PRs
> <https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was
> disabled after moving the repo)
> - plugin-pom - Example PRs in my local repo
> <https://github.com/oleg-nenashev/plugin-pom/pulls>
> - maven-hpi-plugin - Example PRs in my local Repo
> <https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>

GitHub: https://github.com/rtyler
GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2
Another one to look at is Renovate bot ( https://renovatebot.com/docs/ )

I suspect maven doesn't update nearly as often as node does, but I have greenkeeper on a lot of my node projects, and sometimes when something updates (like the testing framework) I get a huge number of PRs really quickly. Renovate bot does have support for auto merging PRs if you want, so it can handle things a little automated.

But I'm +1 for Dependabot

On Thu, Feb 21, 2019 at 8:10 AM R. Tyler Croy <[hidden email]> wrote:
Hi all,

Thanks for the responses! If there is no negative feedback, I will proceed with the implementation next Monday. Whoever wants to add any extra components to the evaluation, please comment in this thread.

maven-hpi-plugin matches the wildcard :P Speaking seriously, we could try to add some Jenkins plugins to the experiment if the (a) and (b) conditions are met. If Mark wants to try out his plugins

Yes, dependabot can be controlled by GitHubCommentOps or Configuration-as-Code. It may require maintainers to set up filters, but then it will work like a charm. For evaluation purposes I would recommend configuration-as-code though. It may help us to easily verify the configured filters later.

Same as above, we could configure it via filters, though it might not be trivial. I think that we will need to...

Yes, it can.

Best regards,
Oleg

On Thursday, February 21, 2019 at 5:21:36 PM UTC+1, Gavin Mogan wrote:
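Oleg's recommendation to configure Dependabot as code rather than through comment commands, together with Jesse's wish to be requested as a reviewer and Mark's wish to stop bumps of core and plugin dependencies while still accepting parent POM updates, can all be expressed in one file. The following is an added example, not a file from this thread or from any Jenkins repository. It assumes the current GitHub-native Dependabot configuration format (`.github/dependabot.yml`, `version: 2`), which replaced the separate config file format Dependabot used when this thread was written; the reviewer team name is a placeholder, and the two plugin dependency names are illustrative entries only.

```yaml
# .github/dependabot.yml
# Added example (not from this thread or any Jenkins repository). Assumes the
# GitHub-native Dependabot v2 format; adjust if your Dependabot version differs.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                  # location of the plugin's pom.xml
    schedule:
      interval: "weekly"            # batch PRs instead of one per upstream release
    open-pull-requests-limit: 5     # cap the PR flood Gavin describes for node projects
    # Request a maintainer as reviewer so the PR lands in their review queue
    # instead of the general notification stream. Placeholder team name.
    reviewers:
      - "jenkinsci/example-maintainers-team"
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"                # makes the bot's commits easy to filter in history
    ignore:
      # Do not bump the Jenkins core baseline: it raises the minimum Jenkins
      # version users must run, which is the cost Mark and Jesse point out.
      - dependency-name: "org.jenkins-ci.main:jenkins-core"
      # Do not bump other plugin dependencies either, for the same reason.
      # They are listed by name rather than via "org.jenkins-ci.plugins:*",
      # because that wildcard would also suppress the parent POM
      # (org.jenkins-ci.plugins:plugin), whose updates the thread does want.
      # Illustrative entries; list the plugin dependencies of your own pom.xml.
      - dependency-name: "org.jenkins-ci.plugins:git-client"
      - dependency-name: "org.jenkins-ci.plugins:credentials"
```

Merging on a green build is not a setting in this file: whether a PR produced by this configuration is merged automatically is governed by branch protection and required status checks on the repository, which is the validated-merge flow the thread describes. Each `ignore` entry deserves periodic review, because it also suppresses Dependabot's security-update PRs for that dependency, so every entry is a deliberate decision to stay on an older version.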
On Thu, Feb 21, 2019 at 4:25 PM Oleg Nenashev wrote:
The platformlabeler plugin meets conditions (a) and (b). The other two plugins I maintain don't meet condition (a). Definitely enable it on platformlabeler-plugin. I'm willing to try it on the other two plugins I maintain, but am also fine skipping them if it is not comfortable for the community. I will actively participate in the trial.

That looks great. I'm happy to try the configuration as code route.

Mark Waite
On Thu, Feb 21, 2019 at 6:25 PM Oleg Nenashev <[hidden email]> wrote:
> Speaking seriously, we could try to add some Jenkins plugins to the experiment if (a) and (b) conditions are met.

To start with, sign me up for:

* log-cli
* pipeline-cloudwatch-logs
* parallel-test-executor
* mock-slave

which should give a decent mix.

> I would recommend configuration-as-code

Yes please.

> Document recommendations in JEP after the evaluation
> Provide Config File samples (in JEP) so that maintainers can configure Dependabot correctly

Definitely.
I like this idea as well. You can enable it for
- analysis-model
- warnings-ng-plugin

On 22.02.2019 at 14:30, Jesse Glick <[hidden email]> wrote:
Please enable it for
* bitbucket-branch-source-plugin
* mstest-plugin
* vstestrunner-plugin

On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
Hi all,

I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :)

I have also started a Google Doc where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs.

As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.

BR, Oleg

On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote:
Thanks for driving this Oleg! I'm in for the plugins I'm maintaining:
If I can add them myself, feel free to just point me to some link/docs, and I'll handle it myself. Thanks!

-- Baptiste

On Mon, 25 Feb 2019 at 14:35, Oleg Nenashev <[hidden email]> wrote:
Hi Baptiste, the requested repositories have been added.
@All I also added the Plugin Compat Tester and Custom WAR Packager repositories. Both of them are development tools, so it should be ok.

Best regards,
Oleg

On Wednesday, February 27, 2019 at 2:04:43 PM UTC+1, Baptiste Mathus wrote:
Hi Oleg,
I'm also interested! Can you please add the following repo?

Regards,
Raphael

On Monday, 4 March 2019 at 15:40:57 UTC+1, Oleg Nenashev wrote:
Hi Raphael,
Done.

BR, Oleg

On Monday, March 11, 2019 at 10:54:57 AM UTC+1, Raphael Pionke wrote:
Please remove `pipeline-cloudwatch-logs-plugin` since its interesting tests are not currently run in CI.
please add https://github.com/jenkinsci/kubernetes-plugin

thanks

On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick <[hidden email]> wrote:
> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
> tests are not currently run in CI.
Done Carlos.

On Thu, 2 May 2019 at 09:28, Carlos Sanchez <[hidden email]> wrote:
Can I have the following added:
https://github.com/jenkinsci/jackson2-api-plugin
https://github.com/jenkinsci/jsch-plugin
https://github.com/jenkinsci/pam-auth-plugin
https://github.com/jenkinsci/ssh-credentials-plugin
https://github.com/jenkinsci/audit-log-plugin

On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus <[hidden email]> wrote:
>
> Done Carlos.
>
> On Thu, 2 May 2019 at 09:28, Carlos Sanchez <[hidden email]> wrote:
>>
>> please add https://github.com/jenkinsci/kubernetes-plugin
>>
>> thanks
--
Matt Sicker
Senior Software Engineer, CloudBees
I've been very happy with dependabot enabled on the platformlabeler-plugin in the Jenkins organization. I've also continued my experiment allowing it to run on my forks of the git plugin and git client plugin. It has been helpful in all cases. By the time I am reviewing a dependabot pull request to update a dependency, the CI job has completed and test results are available.

On Tue, May 21, 2019 at 12:36 PM Matt Sicker <[hidden email]> wrote:
> Can I have the following added:

Thanks!
Mark Waite