Please enable it for
* bitbucket-branch-source-plugin
* mstest-plugin
* vstestrunner-plugin
On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
> Dear all,
>
> I would like to follow up on the Dependabot request from Jesse Glick in INFRA-1975 <https://issues.jenkins-ci.org/browse/INFRA-1975>. Dependabot <https://dependabot.com/> is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and Gradle, which are being heavily used in Jenkins.
>
> Dependency management is a problem in Jenkins, because we have hundreds of repositories with many dependencies there. Maintainers spend a lot of time on managing dependencies, and sometimes it leads to ancient dependencies in components, especially in the development tools which "just work". By automating dependency updates we could give maintainers more time to focus on other tasks.
>
> Dependabot is one of the engines we could use for dependency management. It is free for open-source projects, and it is a SaaS application which can be almost completely managed from GitHub. It can just create pull requests or, if we want, implement validated merge with help of ci.jenkins.io. No special infrastructure is required, and this is an advantage for us. There are other implementations (including UpdateBot <https://github.com/jenkins-x/updatebot> by Fabric8/Jenkins X, which has a Jenkins plugin), but they would require more effort to deploy the infrastructure. It could be considered in the future if we want to have Jenkins-powered update management in the final implementation.
>
> My proposal would be to enable Dependabot for a *limited number* of Jenkins repositories so that we can experiment with it. I propose to focus on development tools and pre-1.0 projects only for now so that we can experiment with the flow without a risk of impact on components being used in production in the Jenkins project. And we will be setting up auto-updates only for projects with existing test automation.
>
> - Jenkinsfile Runner - Example PRs in my local repo <https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
> - ci.jenkins.io-runner - Example PRs <https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was disabled after moving the repo)
> - plugin-pom - Example PRs in my local repo <https://github.com/oleg-nenashev/plugin-pom/pulls>
> - maven-hpi-plugin - Example PRs in my local repo <https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>
>
> More repositories can be added if somebody is interested in participating in the Dependabot evaluation. If there is positive feedback after the initial evaluation, we could proceed with creating a JEP to define the flow and the usage/administration policies.
>
> What do you think?
>
> Thanks in advance,
> Oleg
