Proposal: Automating dependency management for repositories inside the jenkinsci org

On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev <[hidden email]> wrote:
> I propose to focus on development tools

Since the primary use case is offering updates to plugin repositories,
I would suggest including at least one example of `*-plugin`.

The question is which dependencies ought to be eligible for upgrade. I
do not think we want to update Jenkins core or plugin dependencies
gratuitously, since this would limit availability of new releases with
only modest productivity gain: more realistic functional tests, less
distance from `master` to whatever `plugin-compat-tester` would use.

Definitely we can freely upgrade the parent POM. I would be happy for
such updates to be auto-merged in fact, so long as the build passes
obviously.

> pre-1.0 projects only

Or just plugins that (a) have fairly low installation count, (b) are
maintained by people actively participating in the trial.

> More repositories can be added if somebody is interested to participate in the Dependabot evaluation.

Sign me up!

I _do_ need to make sure I get notifications of these PRs in
Octobox.io, if they are not simply automerged. Merely watching a
repository is not enough—GH has autosubscribed me to hundreds of
repos, and the resulting thousands of notifications go to /dev/null.
Maybe Dependabot can be configured to request me as a reviewer?

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2pcB-%2BGsnJFKO7sR3drv3F43ADqqwAW0RU_bJUrpKEuw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

I am +1. We should finally move forward with Dependabot for dependencies we considers safe and important to be kept up to date. Allow list is a good way to go, we have a sizeable number if deps. 

On Thu, Dec 10, 2020, 23:58 Baptiste Mathus <[hidden email]> wrote:

Hi all, 

I wanted to raise a discussion on this and thought I'd fork off this answer from Jesse on Oleg's thread.

I see Jesse already configured Dependabot for Xstream: https://github.com/jenkinsci/jenkins/commit/2440a34d8f2ba5626d734c735cb4fc63040c11de

Should we start adding all core components, like the parent pom, internal or test tools like JTH,  and some dependencies we think are safe (build-time things like Maven plugins, I assume)?

AIUI, we would be able to agree on an allowList approach? I.e. adding specific dependencies we want auto-updated (excluding any that's unlisted).

Side note on this: I think if we agree to go this path, it would be great to find a way modify the Core Pipeline so the essentials.yaml values are sourced from some pom.xml (for ATH version) so Dependabot can understand and update this too.

This way, we'd be getting automated updates for https://github.com/jenkinsci/jenkins/blob/53f300d5ec07eb5efa3774d3f12455615d2f3450/essentials.yml#L4-L5 too, which bit us in the arse recently on the latest LTS prep IIRC.

WDYT?

IIUC, we could kinda take an allowList approach on specific components.

Le jeu. 21 févr. 2019 à 15:40, Jesse Glick <[hidden email]> a écrit :

On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev <[hidden email]> wrote:
> I propose to focus on development tools

Since the primary use case is offering updates to plugin repositories,
I would suggest including at least one example of `*-plugin`.

The question is which dependencies ought to be eligible for upgrade. I
do not think we want to update Jenkins core or plugin dependencies
gratuitously, since this would limit availability of new releases with
only modest productivity gain: more realistic functional tests, less
distance from `master` to whatever `plugin-compat-tester` would use.

Definitely we can freely upgrade the parent POM. I would be happy for
such updates to be auto-merged in fact, so long as the build passes
obviously.

> pre-1.0 projects only

Or just plugins that (a) have fairly low installation count, (b) are
maintained by people actively participating in the trial.

> More repositories can be added if somebody is interested to participate in the Dependabot evaluation.

Sign me up!

I _do_ need to make sure I get notifications of these PRs in
Octobox.io, if they are not simply automerged. Merely watching a
repository is not enough—GH has autosubscribed me to hundreds of
repos, and the resulting thousands of notifications go to /dev/null.
Maybe Dependabot can be configured to request me as a reviewer?

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2pcB-%2BGsnJFKO7sR3drv3F43ADqqwAW0RU_bJUrpKEuw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to a topic in the Google Groups "Jenkins Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-dev/XMllKuWLO_8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANWgJS7JwFRXk%2BX_5q8QDXK30Nif1fKLXbOWKWNWZUFFSXSjew%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLDNgdKA2A-85n-ePFMOe7UdRE9%3DCRp%3DvXrP717Jrf4QTA%40mail.gmail.com.