On Thu, Feb 21, 2019 at 6:43 AM Oleg Nenashev wrote:

> Dear all,
>
> My proposal would be to enable Dependabot for a *limited number* of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
>
> - Jenkinsfile Runner - Example PRs in my local repo <https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
> - ci.jenkins.io-runner - Example PRs <https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was disabled after moving the repo)
> - plugin-pom - Example PRs in my local repo <https://github.com/oleg-nenashev/plugin-pom/pulls>
> - maven-hpi-plugin - Example PRs in my local repo <https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>
>
> More repositories can be added if somebody is interested in participating in the Dependabot evaluation. If there is positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.

I added it to my forked repositories of the git plugin, git client plugin, and platform labeler plugin. The experiment has been educational. I like seeing the pull requests which are proposed. Updates to the parent pom could be automerged if CI jobs pass. I believe that updates to test dependencies could be automerged if CI jobs pass.

- Git client plugin - examples in my local repo <https://github.com/MarkEWaite/git-client-plugin/pulls?q=is%3Apr+is%3Aopen+label%3Adependencies>
- Git plugin - examples in my local repo <https://github.com/MarkEWaite/git-plugin/pulls?q=is%3Apr+is%3Aopen+label%3Adependencies>
- Platform labeler plugin - examples (closed) in my local repo <https://github.com/MarkEWaite/platformlabeler-plugin/pulls?q=is%3Apr+label%3Adependencies+is%3Aclosed>

Updates to non-test dependencies are not very helpful for me. When Dependabot suggests that the git plugin should rely on the latest release of some other plugin, it risks placing unnecessary demands on users to install newer plugins than are required. I tell Dependabot to stop offering those dependency updates. It closes the pull requests and stops offering updates to that component.

Mark Waite
