Dear all,

I would like to follow up on the Dependabot request from Jesse Glick in
INFRA-1975 <https://issues.jenkins-ci.org/browse/INFRA-1975>. Dependabot
<https://dependabot.com/> is a service for automated dependency updates
which supports many languages/tools, including Maven, Docker and Gradle,
which are heavily used in Jenkins.

Dependency management is a problem in Jenkins, because we have hundreds of
repositories with many dependencies there. Maintainers spend a lot of time
on managing dependencies, and sometimes it leads to ancient dependencies in
components. Especially in the development tools which "just work". By
automating dependency updates we could give maintainers more time to focus
on other tasks.

Dependabot is one of the engines we could use for dependency management. It
is free for open-source projects, and it is a SaaS application which can be
almost completely managed from GitHub. It can just create pull requests or,
if we want, implement validated merge with the help of ci.jenkins.io. No
special infrastructure is required, and this is an advantage for us. There are
other implementations (including UpdateBot
<https://github.com/jenkins-x/updatebot> by Fabric8/Jenkins X, which has a
Jenkins plugin), but they would require more effort to deploy the
infrastructure. It could be considered in the future if we want to have
Jenkins-powered update management in the final implementation.

My proposal would be to enable Dependabot for a *limited number* of Jenkins
repositories so that we can experiment with it. I propose to focus on
development tools and pre-1.0 projects only for now so that we can
experiment with the flow without a risk of impact on components being used in
production in the Jenkins project. And we will be setting up auto-updates
only for projects with existing test automation.

   - Jenkinsfile Runner - Example PRs in my local repo
   <https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
   - ci.jenkins.io-runner - Example PRs
   <https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was
   disabled after moving the repo)
   - plugin-pom - Example PRs in my local repo
   <https://github.com/oleg-nenashev/plugin-pom/pulls>
   - maven-hpi-plugin - Example PRs in my local Repo
   <https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>

More repositories can be added if somebody is interested in participating in
the Dependabot evaluation. If there is positive feedback after the
initial evaluation, we could proceed with creating a JEP to define the flow
and the usage/administration policies.

What do you think?

Thanks in advance,
Oleg
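As an added illustration (not part of the original message, and not a configuration from any of the Jenkins repositories named above), here is what enabling Dependabot for a Maven project that also ships a Dockerfile looks like. It assumes GitHub's native `.github/dependabot.yml` format (`version: 2`), which is the form Dependabot configuration takes on GitHub today rather than the format of the original dependabot.com service the message refers to; the directory paths, schedule and reviewer team are placeholders.

```yaml
# .github/dependabot.yml -- added example, assumes the GitHub-native Dependabot format.
# One entry per package ecosystem; each produces pull requests only, so the
# existing CI on the repository (e.g. ci.jenkins.io) remains the gate before merge.
version: 2
updates:
  # Maven dependencies declared in the repository's root pom.xml
  - package-ecosystem: "maven"
    directory: "/"                 # placeholder: path containing pom.xml
    schedule:
      interval: "weekly"           # placeholder: how often to check for updates
    open-pull-requests-limit: 5    # caps the number of simultaneous bot PRs
    labels:
      - "dependencies"
    reviewers:
      - "jenkinsci/example-maintainers"   # placeholder team, not a real one

  # Base image referenced by the Dockerfile in the repository root
  - package-ecosystem: "docker"
    directory: "/"                 # placeholder: path containing the Dockerfile
    schedule:
      interval: "weekly"
```

Because the bot only opens pull requests, the "validated merge" step mentioned in the message is simply whatever the repository's CI already runs on pull requests; a repository without test automation would merge version bumps blind, which is why the proposal restricts auto-updates to projects that have it.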

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com.