Proposal: Automating dependency management for repositories inside the jenkinsci org


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Matt Sicker
I'd really love to see the jackson repo most of all because I could
get the PR ready to release by the time jackson gets around to
announcing that release. Helps speed up resolution of their countless
CVEs over time.

On Tue, May 21, 2019 at 2:12 PM Mark Waite <[hidden email]> wrote:

>
> I've been very happy with dependabot enabled on the platformlabeler-plugin in the Jenkins organization.
>
> I've also continued my experiment allowing it to run on my forks of the git plugin and git client plugin.  It has been helpful in all cases.
>
> By the time I am reviewing a dependabot pull request to update a dependency, the CI job has completed and test results are available.
>
> On Tue, May 21, 2019 at 12:36 PM Matt Sicker <[hidden email]> wrote:
>>
>> Can I have the following added:
>>
>> https://github.com/jenkinsci/jackson2-api-plugin
>> https://github.com/jenkinsci/jsch-plugin
>> https://github.com/jenkinsci/pam-auth-plugin
>> https://github.com/jenkinsci/ssh-credentials-plugin
>> https://github.com/jenkinsci/audit-log-plugin
>>
>> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus <[hidden email]> wrote:
>> >
>> > Done Carlos.
>> >
>> > On Thu, May 2, 2019 at 09:28, Carlos Sanchez <[hidden email]> wrote:
>> >>
>> >> please add https://github.com/jenkinsci/kubernetes-plugin
>> >>
>> >> thanks
>> >>
>> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick <[hidden email]> wrote:
>> >>>
>> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
>> >>> tests are not currently run in CI.
>> >>>
>> >>> --
>> >>> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>> >>> To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
>> >>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3%2BA%3DuSo4kmOM_BXjbOVeN9u9UFUChB59csZGhW7AoPgA%40mail.gmail.com.
>> >>> For more options, visit https://groups.google.com/d/optout.
>> >>
>> >
>>
>>
>>
>> --
>> Matt Sicker
>> Senior Software Engineer, CloudBees
>>
>
>
>
> --
> Thanks!
> Mark Waite
>



--
Matt Sicker
Senior Software Engineer, CloudBees


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Gavin Mogan-2
Can blueocean-display-url-plugin get it enabled? Is it set up for all deps or only the parent plugin?
Can blueocean-plugin get updated for the parent plugin (or is that a config file somewhere)?


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
Hi all,

I am fine with going forward with enabling Dependabot for a wider set of plugins. But IMHO it is still not ready for GA. Why?
  • We are still missing usage guidelines, as was discussed in the original emails
  • In Dependabot there is also no way to set Dependabot on an organization level, and it complicates the adoption for plugins (dependabot/feedback/issues/353)
  • Dependabot needs write permissions to the repo. If you want to enable it for a mission-critical component, it might make sense to think twice before doing so
  • We are missing feedback from early adopters. There are some comments in this thread + this Google Doc.
Personally I am pretty fine with Dependabot results for my projects, and I am ready to go forward with plugins.


> I'd really love to see the jackson repo most of all because I could get the PR ready to release by the time jackson gets around to announcing that release. Helps speed up resolution of their countless CVEs over time.

With Dependabot you get "eventual security" (c) at best. Delivery of patches may be delivered by a week or so. It does not replace the security process in the Jenkins organization, but I do agree that keeping dependencies up to date reduces the number of issues in projects which disclose security fixes post-factum after the release.

> Is it set up for all deps or only the parent plugin?
> Can blueocean-plugin get updated for the parent plugin (or is that a config file somewhere)?

  • Dependabot manages all dependencies it can digest. It can handle almost all dependencies in Maven, including ones with versions defined by system properties. Maven plugins will be also updated
  • BlueOcean plugins (multi-module repos) will be also handled by Dependabot. Now it supports multi-module repos

> Can I have the following added:
> Can blueocean-display-url-plugin get it enabled?

I can add them if you want to proceed after the comments above.

Best regards,
Oleg



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Gavin Mogan-2
Please go ahead with both, I can always @dependabot ignore on blueocean as needed.

On Wed, May 22, 2019 at 11:47 PM Oleg Nenashev <[hidden email]> wrote:
Hi all,

I am fine with going forward with enabling Dependabot for a wider set of plugins. But IMHO it is still not ready for GA. Why?
  • We are still missing usage guidelines as it was discussed in the original emails
  • In Dependabot there is also no way to set Dependabot on an organization level, and it complicates the adoptions for plugins (dependabot/feedback/issues/353)
  • Dependabot needs write permissions to the repo. If you want to enable it for a mission-critical component, it might make sense to think twice before doing so
  • We are missing feedback from early adopters. There are some comments in this thread + this Google Doc.
Personally I am pretty fine with Dependabot results for my projects, and I am ready to go forward with plugins.


I'd really love to see the jackson repo most of all because I could get the PR ready to release by the time jackson gets around to  announcing that release. Helps speed up resolution of their countless CVEs over time. 
- show quoted text -

With Dependabot you get "eventual security" (c) at best. Delivery of patches may be delivered by a week or so. It does not replace the security process in the Jenkins organization, but I do agree that keeping dependencies up to date reduced number of issues in projects which disclose security fixes post-factum after the release.

is it setup for all deps or only the parent plugin?
Can blueocean-plugin get updated for the parent plugin (or is that a config file somewhere)?
  • Dependabot manages all dependencies it can digest. It can handle almost all dependencies in Maven, including ones with versions defined by system properties. Maven plugins will be also updated
  • BlueOcean plugins (multi-module repos) will be also handled by Dependabot. Now it supports multi-module repos 
Can I have the following added: 
 Can blueocean-display-url-plugin get it enabled?

 I can add them if you want to proceed after the comments above.

Best regards,
Oleg


On Thursday, May 23, 2019 at 2:56:21 AM UTC+2, Gavin Mogan wrote:
Can blueocean-display-url-plugin get it enabled? is it setup for all deps or only the parent plugin?
Can blueocean-plugin get updated for the parent plugin (or is that a config file somewhere)?

On Tue, May 21, 2019 at 12:36 PM Matt Sicker <[hidden email]> wrote:
I'd really love to see the jackson repo most of all because I could
get the PR ready to release by the time jackson gets around to
announcing that release. Helps speed up resolution of their countless
CVEs over time.

On Tue, May 21, 2019 at 2:12 PM Mark Waite <[hidden email]> wrote:
>
> I've been very happy with dependabot enabled on the platformlabeler-plugin in the Jenkins organization.
>
> I've also continued my experiment allowing it to run on my forks of the git plugin and git client plugin.  It has been helpful in all cases.
>
> By the time I am reviewing a dependabot pull request to update a dependency, the CI job has completed and test results are available.
>
> On Tue, May 21, 2019 at 12:36 PM Matt Sicker <[hidden email]> wrote:
>>
>> Can I have the following added:
>>
>> https://github.com/jenkinsci/jackson2-api-plugin
>> https://github.com/jenkinsci/jsch-plugin
>> https://github.com/jenkinsci/pam-auth-plugin
>> https://github.com/jenkinsci/ssh-credentials-plugin
>> https://github.com/jenkinsci/audit-log-plugin
>>
>> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus <[hidden email]> wrote:
>> >
>> > Done Carlos.
>> >
>> > Le jeu. 2 mai 2019 à 09:28, Carlos Sanchez <[hidden email]> a écrit :
>> >>
>> >> please add https://github.com/jenkinsci/kubernetes-plugin
>> >>
>> >> thanks
>> >>
>> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick <[hidden email]> wrote:
>> >>>
>> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
>> >>> tests are not currently run in CI.
>> >>>
>>
>>
>>
>> --
>> Matt Sicker
>> Senior Software Engineer, CloudBees
>>
>
>
>
> --
> Thanks!
> Mark Waite
>



--
Matt Sicker
Senior Software Engineer, CloudBees


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Matt Sicker
If dependabot is somehow slower than I am at updating dependencies,
I'll make sure to complain to them. ;)

On Thu, May 23, 2019 at 1:59 AM Gavin Mogan <[hidden email]> wrote:

>
> Please go ahead with both, I can always @dependabot ignore on blueocean as needed.
>
> On Wed, May 22, 2019 at 11:47 PM Oleg Nenashev <[hidden email]> wrote:
>>
>> Hi all,
>>
>> I am fine with going forward with enabling Dependabot for a wider set of plugins. But IMHO it is still not ready for GA. Why?
>>
>> - We are still missing usage guidelines as it was discussed in the original emails
>> - In Dependabot there is also no way to set Dependabot on an organization level, and it complicates the adoptions for plugins (dependabot/feedback/issues/353)
>> - Dependabot needs write permissions to the repo. If you want to enable it for a mission-critical component, it might make sense to think twice before doing so
>> - We are missing feedback from early adopters. There are some comments in this thread + this Google Doc.
>>
>> Personally I am pretty fine with Dependabot results for my projects, and I am ready to go forward with plugins.
>>
>>>
>>> I'd really love to see the jackson repo most of all because I could get the PR ready to release by the time jackson gets around to  announcing that release. Helps speed up resolution of their countless CVEs over time.
>>
>>
>> With Dependabot you get "eventual security" (c) at best. Delivery of patches may be delivered by a week or so. It does not replace the security process in the Jenkins organization, but I do agree that keeping dependencies up to date reduced number of issues in projects which disclose security fixes post-factum after the release.
>>
>>> is it setup for all deps or only the parent plugin?
>>> Can blueocean-plugin get updated for the parent plugin (or is that a config file somewhere)?
>>
>> Dependabot manages all dependencies it can digest. It can handle almost all dependencies in Maven, including ones with versions defined by system properties. Maven plugins will also be updated.
>> BlueOcean plugins (multi-module repos) will also be handled by Dependabot. It now supports multi-module repos.
>>>
>>> Can I have the following added:
>>>
>>>  Can blueocean-display-url-plugin get it enabled?
>>
>>
>>  I can add them if you want to proceed after the comments above.
>>
>> Best regards,
>> Oleg
>>
>>
>> On Thursday, May 23, 2019 at 2:56:21 AM UTC+2, Gavin Mogan wrote:
>>>
>>> Can blueocean-display-url-plugin get it enabled? is it setup for all deps or only the parent plugin?
>>> Can blueocean-plugin get updated for the parent plugin (or is that a config file somewhere)?
>>>
>>> On Tue, May 21, 2019 at 12:36 PM Matt Sicker <[hidden email]> wrote:
>>>>
>>>> I'd really love to see the jackson repo most of all because I could
>>>> get the PR ready to release by the time jackson gets around to
>>>> announcing that release. Helps speed up resolution of their countless
>>>> CVEs over time.
>>>>
>>>> On Tue, May 21, 2019 at 2:12 PM Mark Waite <[hidden email]> wrote:
>>>> >
>>>> > I've been very happy with dependabot enabled on the platformlabeler-plugin in the Jenkins organization.
>>>> >
>>>> > I've also continued my experiment allowing it to run on my forks of the git plugin and git client plugin.  It has been helpful in all cases.
>>>> >
>>>> > By the time I am reviewing a dependabot pull request to update a dependency, the CI job has completed and test results are available.
>>>> >
>>>> > On Tue, May 21, 2019 at 12:36 PM Matt Sicker <[hidden email]> wrote:
>>>> >>
>>>> >> Can I have the following added:
>>>> >>
>>>> >> https://github.com/jenkinsci/jackson2-api-plugin
>>>> >> https://github.com/jenkinsci/jsch-plugin
>>>> >> https://github.com/jenkinsci/pam-auth-plugin
>>>> >> https://github.com/jenkinsci/ssh-credentials-plugin
>>>> >> https://github.com/jenkinsci/audit-log-plugin
>>>> >>
>>>> >> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus <[hidden email]> wrote:
>>>> >> >
>>>> >> > Done Carlos.
>>>> >> >
>>>> >> > On Thu, May 2, 2019 at 09:28, Carlos Sanchez <[hidden email]> wrote:
>>>> >> >>
>>>> >> >> please add https://github.com/jenkinsci/kubernetes-plugin
>>>> >> >>
>>>> >> >> thanks
>>>> >> >>
>>>> >> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick <[hidden email]> wrote:
>>>> >> >>>
>>>> >> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
>>>> >> >>> tests are not currently run in CI.
>>>> >> >>>
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Matt Sicker
>>>> >> Senior Software Engineer, CloudBees
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Thanks!
>>>> > Mark Waite
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> Matt Sicker
>>>> Senior Software Engineer, CloudBees
>>>>



--
Matt Sicker
Senior Software Engineer, CloudBees


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Basil Crow
In reply to this post by Oleg Nenashev
On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
I am fine with going forward with enabling Dependabot for a wider set of plugins.

 Can you please add the following repositories:

https://github.com/jenkinsci/swarm-plugin
https://github.com/jenkinsci/text-finder-plugin

Thanks,
Basil


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
done!

On Mon, Jun 10, 2019 at 6:40 PM Basil Crow <[hidden email]> wrote:
On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
I am fine with going forward with enabling Dependabot for a wider set of plugins.

 Can you please add the following repositories:


Thanks,
Basil


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
With Dependabot acquisition by GitHub, the project got some development boost.
Unfortunately, there is still no support of org-wide configurations, so we cannot just put defaults to https://github.com/jenkinsci/.github 
But we could at least put some samples there.

I would also like to enable Dependabot for Jenkins Test Harness if nobody is against.

Once Jesse finishes his work on https://github.com/jenkinsci/bom/ , it would be great to combine Dependabot and plugins with BOM (especially for Pipeline which is nightmare to handle in Dependabot).

BR, Oleg


On Monday, June 10, 2019 at 7:04:08 PM UTC+2, Oleg Nenashev wrote:
done!

On Mon, Jun 10, 2019 at 6:40 PM Basil Crow <[hidden email]> wrote:
On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
I am fine with going forward with enabling Dependabot for a wider set of plugins.

 Can you please add the following repositories:

https://github.com/jenkinsci/swarm-plugin
https://github.com/jenkinsci/text-finder-plugin

Thanks,
Basil


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Steve Hill
Could we also enable Dependabot for https://github.com/jenkinsci/gradle-jpi-plugin?

Best,
Steve

On Tuesday, July 23, 2019 at 12:39:26 PM UTC-7, Oleg Nenashev wrote:
With Dependabot acquisition by GitHub, the project got some development boost.
Unfortunately, there is still no support of org-wide configurations, so we cannot just put defaults to https://github.com/jenkinsci/.github
But we could at least put some samples there.

I would also like to enable Dependabot for Jenkins Test Harness if nobody is against.

Once Jesse finishes his work on https://github.com/jenkinsci/bom/ , it would be great to combine Dependabot and plugins with BOM (especially for Pipeline which is nightmare to handle in Dependabot).

BR, Oleg


On Monday, June 10, 2019 at 7:04:08 PM UTC+2, Oleg Nenashev wrote:
done!

On Mon, Jun 10, 2019 at 6:40 PM Basil Crow <m...@...> wrote:
On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
I am fine with going forward with enabling Dependabot for a wider set of plugins.

 Can you please add the following repositories:

https://github.com/jenkinsci/swarm-plugin
https://github.com/jenkinsci/text-finder-plugin

Thanks,
Basil


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
Hi, done

I enabled Dependabot for Gradle JPI Plugin, Role Strategy Plugin and Jenkins Test Harness. 
Also added Log CLI Plugin as it was requested by Martin Reinhardt in GitHub.

Basically every maintainer with Admin permissions can enable Dependabot on his/her own:
  1. Enable the Dependabot GitHub application for the repo
  2. Add a .dependabot/config.yml file to the repo (docs). Once added, the Dependabot will pick up the repo automatically
For new Dependabot requests I suggest to stop adding the configurations manually in DependaBot Web UI.
Let's use .dependabot/config.yml only. 

BR, Oleg

On Thursday, July 25, 2019 at 6:24:28 AM UTC+2, Steve Hill wrote:
Could we also enable Dependabot for https://github.com/jenkinsci/gradle-jpi-plugin?

Best,
Steve

On Tuesday, July 23, 2019 at 12:39:26 PM UTC-7, Oleg Nenashev wrote:
With Dependabot acquisition by GitHub, the project got some development boost.
Unfortunately, there is still no support of org-wide configurations, so we cannot just put defaults to https://github.com/jenkinsci/.github
But we could at least put some samples there.

I would also like to enable Dependabot for Jenkins Test Harness if nobody is against.

Once Jesse finishes his work on https://github.com/jenkinsci/bom/ , it would be great to combine Dependabot and plugins with BOM (especially for Pipeline which is nightmare to handle in Dependabot).

BR, Oleg


On Monday, June 10, 2019 at 7:04:08 PM UTC+2, Oleg Nenashev wrote:
done!

On Mon, Jun 10, 2019 at 6:40 PM Basil Crow <[hidden email]> wrote:
On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
I am fine with going forward with enabling Dependabot for a wider set of plugins.

 Can you please add the following repositories:

https://github.com/jenkinsci/swarm-plugin
https://github.com/jenkinsci/text-finder-plugin

Thanks,
Basil

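As an added illustration of step 2 in Oleg Nenashev's message above (not part of the thread and not a file from any jenkinsci repository), a `.dependabot/config.yml` for a Maven-built plugin could look like the following. The keys follow the Dependabot version 1 config-file format; the reviewer name, label and ignored dependency are hypothetical placeholders.

```yaml
# .dependabot/config.yml
# Added example; every value marked "hypothetical" is a placeholder.
version: 1
update_configs:
  # One entry per package manager and directory. "/" points at the root
  # pom.xml; the thread states that multi-module repos are handled.
  - package_manager: "java:maven"
    directory: "/"
    update_schedule: "daily"

    # Send every bot pull request to a human reviewer. The benefit described
    # in the thread is that CI results are ready by review time, not that
    # review is skipped.
    default_reviewers:
      - "example-maintainer"          # hypothetical GitHub user
    default_labels:
      - "dependencies"                # hypothetical label

    # Skip dependencies whose version is decided elsewhere (for example by a
    # parent POM or a BOM), so the bot does not open PRs that will be closed.
    ignored_updates:
      - match:
          dependency_name: "org.example:managed-elsewhere"   # hypothetical

    # Deliberately no automerged_updates block: the Dependabot app holds
    # write permission on the repo, so merging stays a maintainer decision.
```

For a Gradle-built repository the same entry would use `package_manager: "java:gradle"`.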

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Jesse Glick-4
On Thu, Jul 25, 2019 at 3:01 AM Oleg Nenashev <[hidden email]> wrote:
> Basically every maintainer with Admin permissions can enable Dependabot on his/her own:

And if you lack admin permissions, just file an `INFRA` ticket requesting it.


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
Hi All,

Just in case somebody is interested, today we will have an online meetup about Dependabot in Jenkins.

Please join us if you are interested!

Best regards,
Oleg


On Thursday, July 25, 2019 at 7:45:33 PM UTC+2, Jesse Glick wrote:
On Thu, Jul 25, 2019 at 3:01 AM Oleg Nenashev <o.v.n...@...> wrote:
> Basically every maintainer with Admin permissions can enable Dependabot on his/her own:

And if you lack admin permissions, just file an `INFRA` ticket requesting it.


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
FTR Dependabot is now embedded into GitHub. Probably it is a good time to prepare official documentation https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Oleg Nenashev
I have started https://github.com/jenkinsci/.github/pull/40 with documentation notes. If anyone is interested to contribute and share your notes / best practices, please do so!
Later we can move the page to https://www.jenkins.io/doc/developer/plugin-development/

On Wednesday, June 24, 2020 at 11:03:25 PM UTC+2 Oleg Nenashev wrote:
FTR Dependabot is now embedded into GitHub. Probably it is a good time to prepare official documentation https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Baptiste MATHUS
Hi all, 

FYI, as I was using the Dependabot admin UI, I just requested Dependabot to file automated PRs on a number of plugins:


I was going to configure Dependabot on my buildtriggerbadge plugin, but then realized Dependabot now has this nice feature to file automated PRs to migrate from the previous Dependabot settings to the native one.

If anybody still has the previous configuration, and would like to get an automated PR, please let me/us know and I can request it.

HTH
Cheers

Le jeu. 8 oct. 2020 à 13:29, Oleg Nenashev <[hidden email]> a écrit :
I have started https://github.com/jenkinsci/.github/pull/40 with documentation notes. If anyone is interested to contribute and share your notes / best practices, please do so!
Later we can move the page to https://www.jenkins.io/doc/developer/plugin-development/

On Wednesday, June 24, 2020 at 11:03:25 PM UTC+2 Oleg Nenashev wrote:
FTR Dependabot is now embedded into GitHub. Probably it is a good time to prepare official documentation https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Jesse Glick-4
On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus <[hidden email]> wrote:
> If anybody still has the previous configuration, and would like to get an automated PR, please let me/us know and I can request it.

I would certainly want this but have no idea which repositories I
might “own” which are configured with the preview app. Is there any
harm in just requesting the conversion PR for every remaining repo?


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Ulli Hafner
I think that this can be done globally: for each repository a PR will be generated. So in order to finish the transition the repo owner still needs to merge the PR. However, I do not find a button to run this for all repositories :-(

> Am 19.10.2020 um 16:44 schrieb Jesse Glick <[hidden email]>:
>
> On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus <[hidden email]> wrote:
>> If anybody still has the previous configuration, and would like to get an automated PR, please let me/us know and I can request it.
>
> I would certainly want this but have no idea which repositories I
> might “own” which are configured with the preview app. Is there any
> harm in just requesting the conversion PR for every remaining repo?

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Baptiste MATHUS
I've just gone ahead and clicked on all repositories where the button was available.

So given I don't have an easy way to request review from current active maintainers.
So Jesse or any maintainer: please review the list :

And look for any plugin you're maintaining.

AFAIU there's unfortunately no way to generate from this UI an automated PR for all repositories and not just the ones who already had configured Dependabot (now called "dependabot-preview").

But if there's interest, I'm happy to script something to file such a PR on multiple repos.
I guess I'm not going to do for the whole org upfront just to avoid potential people complaints. (?)

I'm not yet fully sure whether Oleg's concern on jenkins.version is still current.
It _seems_ not anymore in the "dependabot native" app. But it's hard to know whether this is something GitHub will add back parity for.
🤔
And even so, I agree with Jesse that it would be better to request bumps with some LTS version scheme requirement, rather than making them all ignored. (See Oleg's PR earlier in this thread for context).

Anyway, looking at the positive side: thanks a lot Oleg again for making this happen.
I think overall, whatever happens, keeping dependencies more up-to-date is a great plus for the health of the Jenkins ecosystem.

-- Baptiste

Le lun. 19 oct. 2020 à 21:08, Ullrich Hafner <[hidden email]> a écrit :
I think that this can be done globally: for each repository a PR will be generated. So in order to finish the transition the repo owner still needs to merge the PR. However, I do not find a button to run this for all repositories :-(

> Am 19.10.2020 um 16:44 schrieb Jesse Glick <[hidden email]>:
>
> On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus <[hidden email]> wrote:
>> If anybody still has the previous configuration, and would like to get an automated PR, please let me/us know and I can request it.
>
> I would certainly want this but have no idea which repositories I
> might “own” which are configured with the preview app. Is there any
> harm in just requesting the conversion PR for every remaining repo?

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Chris Kilding
I enabled the native Dependabot version updates (the experimental feature) on my plugin today. Overall it's extremely useful and working well! I expect I'll soon wonder how I ever managed without it.

Couple of thoughts:

1. The initial splurge of PRs spawns a lot of builds, so it's helpful that Dependabot has limited itself to opening 5 PRs at a time (you can raise this limit in configuration if you like). Obviously this is only a one-time concern on the day that you enable it, but it could spam ci.jenkins.io if enabled on lots of plugins at once.
2. You have to be a bit careful when merging if you are using dependencies that interact. E.g. if you're using BOM (which contains Jackson), and a plugin that has particular ideas about the Jackson version it wants. So you can't just point-and-merge, even though they look like one-liner changes that seem easy to reason about.
3. Because Dependabot makes it easy to stay up to date, it's tempting to charge forward and take the latest version of everything suggested - providing the build passes. But is that wise? Do we as plugin authors need to hang back on some changes with the LTS support policy in mind? (For example, should I advance to depending on BOM version 2.249.x if the LTS policy says to support n-3 LTS versions?)

Chris

On Tue, 20 Oct 2020, at 5:05 PM, Baptiste Mathus wrote:
I've just gone ahead and clicked on all repositories where the button was available.

So given I don't have an easy way to request review from current active maintainers.
So Jesse or any maintainer: please review the list :

And look for any plugin you're maintaining.

AFAIU there's unfortunately no way to generate from this UI an automated PR for all repositories and not just the ones who already had configured Dependabot (now called "dependabot-preview").

But if there's interest, I'm happy to script something to file such a PR on multiple repos.
I guess I'm not going to do for the whole org upfront just to avoid potential people complaints. (?)

I'm not yet fully sure whether Oleg's concern on jenkins.version is still current.
It _seems_ not anymore in the "dependabot native" app. But it's hard to know whether this is something GitHub will add back parity for.
🤔
And even so, I agree with Jesse that it would be better to request bumps with some LTS version scheme requirement, rather than making them all ignored. (See Oleg's PR earlier in this thread for context).

Anyway, looking at the positive side: thanks a lot Oleg again for making this happen.
I think overall, whatever happens, keeping dependencies more up-to-date is a great plus for the health of the Jenkins ecosystem.

-- Baptiste

Le lun. 19 oct. 2020 à 21:08, Ullrich Hafner <[hidden email]> a écrit :
I think that this can be done globally: for each repository a PR will be generated. So in order to finish the transition the repo owner still needs to merge the PR. However, I do not find a button to run this for all repositories :-(

> Am 19.10.2020 um 16:44 schrieb Jesse Glick <[hidden email]>:
>
> On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus <[hidden email]> wrote:
>> If anybody still has the previous configuration, and would like to get an automated PR, please let me/us know and I can request it.
>
> I would certainly want this but have no idea which repositories I
> might “own” which are configured with the preview app. Is there any
> harm in just requesting the conversion PR for every remaining repo?
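
The settings discussed in the message above (the cap on open update PRs and holding back selected bumps), shown as an added example that is not part of the original thread or any Jenkins repository's own configuration. It assumes a Maven-built plugin using the native `.github/dependabot.yml` file; the schedule and the two ignored dependency names are illustrative assumptions.

```yaml
# .github/dependabot.yml (native Dependabot version updates)
# Constructed example: schedule, limit and dependency names are assumptions.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                 # directory containing pom.xml
    schedule:
      interval: "weekly"
    # Cap on concurrently open update PRs. 5 is the default; raising it
    # also raises the number of CI builds triggered when the bot is enabled.
    open-pull-requests-limit: 5
    ignore:
      # The Jenkins core baseline is chosen deliberately against the LTS
      # support policy, so it is bumped by hand rather than by the bot.
      - dependency-name: "org.jenkins-ci.main:jenkins-core"
      # A library whose version interacts with other dependencies
      # (for example one also supplied through a BOM) and therefore
      # needs a manual review before any bump.
      - dependency-name: "com.fasterxml.jackson.core:jackson-databind"
```

Security updates for an ignored dependency still need a manual path, so keep the ignore list short and revisit it when the plugin's baseline changes.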

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

Mark Waite-2


On Mon, Nov 2, 2020 at 11:34 AM Chris Kilding <[hidden email]> wrote:
I enabled the native Dependabot version updates (the experimental feature) on my plugin today. Overall it's extremely useful and working well! I expect I'll soon wonder how I ever managed without it.

Couple of thoughts:

1. The initial splurge of PRs spawns a lot of builds, so it's helpful that Dependabot has limited itself to opening 5 PRs at a time (you can raise this limit in configuration if you like). Obviously this is only a one-time concern on the day that you enable it, but it could spam ci.jenkins.io if enabled on lots of plugins at once.
2. You have to be a bit careful when merging if you are using dependencies that interact. E.g. if you're using BOM (which contains Jackson), and a plugin that has particular ideas about the Jackson version it wants. So you can't just point-and-merge, even though they look like one-liner changes that seem easy to reason about.
3. Because Dependabot makes it easy to stay up to date, it's tempting to charge forward and take the latest version of everything suggested - providing the build passes. But is that wise? Do we as plugin authors need to hang back on some changes with the LTS support policy in mind? (For example, should I advance to depending on BOM version 2.249.x if the LTS policy says to support n-3 LTS versions?)


https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/ describes the compromises involved in the choice of minimum Jenkins version for a plugin.  Jenkins 2.222.1 and Jenkins 2.235.1 are the currently recommended baseline versions.  I think that the recommendations on that page are good for most plugins.  Notable exceptions are described on the page (need an API that is only available in a newer core, etc.).

The pull requests that submitted that page also contain good discussion if you'd like more information - https://github.com/jenkins-infra/jenkins.io/pull/3643 and https://github.com/jenkins-infra/jenkins.io/pull/3655

Mark Waite

Chris

On Tue, 20 Oct 2020, at 5:05 PM, Baptiste Mathus wrote:
I've just gone ahead and clicked on all repositories where the button was available.

So given I don't have an easy way to request review from current active maintainers.
So Jesse or any maintainer: please review the list :

And look for any plugin you're maintaining.

AFAIU there's unfortunately no way to generate from this UI an automated PR for all repositories and not just the ones who already had configured Dependabot (now called "dependabot-preview").

But if there's interest, I'm happy to script something to file such a PR on multiple repos.
I guess I'm not going to do for the whole org upfront just to avoid potential people complaints. (?)

I'm not yet fully sure whether Oleg's concern on jenkins.version is still current.
It _seems_ not anymore in the "dependabot native" app. But it's hard to know whether this is something GitHub will add back parity for.
🤔
And even so, I agree with Jesse that it would be better to request bumps with some LTS version scheme requirement, rather than making them all ignored. (See Oleg's PR earlier in this thread for context).

Anyway, looking at the positive side: thanks a lot Oleg again for making this happen.
I think overall, whatever happens, keeping dependencies more up-to-date is a great plus for the health of the Jenkins ecosystem.

-- Baptiste

Le lun. 19 oct. 2020 à 21:08, Ullrich Hafner <[hidden email]> a écrit :
I think that this can be done globally: for each repository a PR will be generated. So in order to finish the transition the repo owner still needs to merge the PR. However, I do not find a button to run this for all repositories :-(

> Am 19.10.2020 um 16:44 schrieb Jesse Glick <[hidden email]>:
>
> On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus <[hidden email]> wrote:
>> If anybody still has the previous configuration, and would like to get an automated PR, please let me/us know and I can request it.
>
> I would certainly want this but have no idea which repositories I
> might “own” which are configured with the preview app. Is there any
> harm in just requesting the conversion PR for every remaining repo?