I'm game for experimenting with this :D
On Thu, 21 Feb 2019, Oleg Nenashev wrote:
> Dear all,
>
> I would like to follow up on the Dependabot request from Jesse Glick in
> INFRA-1975 <https://issues.jenkins-ci.org/browse/INFRA-1975>. Dependabot
> <https://dependabot.com/> is a service for automated dependency updates
> which supports many languages/tools, including Maven, Docker and Gradle,
> which are heavily used in Jenkins.
>
> Dependency management is a problem in Jenkins, because we have hundreds of
> repositories with many dependencies there. Maintainers spend a lot of time
> on managing dependencies, and sometimes it leads to ancient dependencies in
> components, especially in the development tools which "just work". By
> automating dependency updates we could give maintainers more time to focus
> on other tasks.
>
> Dependabot is one of the engines we could use for dependency management. It
> is free for open-source projects, and it is a SaaS application which can be
> almost completely managed from GitHub. It can just create pull requests or,
> if we want, implement validated merge with the help of ci.jenkins.io. No
> special infrastructure is required, and this is an advantage for us. There are
> other implementations (including UpdateBot
> <https://github.com/jenkins-x/updatebot> by Fabric8/Jenkins X, which has a
> Jenkins plugin), but they would require more effort to deploy the
> infrastructure. They could be considered in the future if we want to have
> Jenkins-powered update management in the final implementation.
>
> My proposal would be to enable Dependabot for a *limited number* of Jenkins
> repositories so that we can experiment with it. I propose to focus on
> development tools and pre-1.0 projects only for now so that we can
> experiment with the flow without a risk of impact on components being used in
> production in the Jenkins project. And we will be setting up auto-updates
> only for projects with existing test automation.
>
> - Jenkinsfile Runner - Example PRs in my local repo
>   <https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
> - ci.jenkins.io-runner - Example PRs
>   <https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was
>   disabled after moving the repo)
> - plugin-pom - Example PRs in my local repo
>   <https://github.com/oleg-nenashev/plugin-pom/pulls>
> - maven-hpi-plugin - Example PRs in my local repo
>   <https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>
>
> More repositories can be added if somebody is interested in participating in
> the Dependabot evaluation. If there is positive feedback after the
> initial evaluation, we could proceed with creating a JEP to define the flow
> and the usage/administration policies.
>
> What do you think?
>
> Thanks in advance,
> Oleg
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLA1W66hN6PmaQaBUai2MJSo1nnWJA1y59tcJQskEPrMvA%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.

--
GitHub: https://github.com/rtyler
GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2

--
You received this message because you are subscribed to the Google Groups
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/20190221161048.2imlqsgphzjf7nnf%40grape.
For more options, visit https://groups.google.com/d/optout.
