Hi all, I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :)
I have also started a Google Doc <https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp=sharing> where everybody is welcome to put comments/feedback about the evaluation. It should help us to discuss the experienced issues and to create best practices/policies in the future JEPs.

Hi Ulli and Joseph,

As discussed above, there is a preference to limit the testing scope to development tools and to plugins with low usage numbers for now. I have added "analysis-model" and "vstestrunner" components for now, but I would prefer to wait a bit before we add other plugins.

BR, Oleg

On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote:
>
> Please enable it for
>
> * bitbucket-branch-source-plugin
> * mstest-plugin
> * vstestrunner-plugin
>
> On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
>>
>> Dear all,
>>
>> I would like to follow up on the Dependabot request from Jesse Glick in
>> INFRA-1975 <https://issues.jenkins-ci.org/browse/INFRA-1975>. Dependabot
>> <https://dependabot.com/> is a service for automated dependency updates
>> which supports many languages/tools, including Maven, Docker and Gradle
>> which are being heavily used in Jenkins.
>>
>> Dependency management is a problem in Jenkins, because we have hundreds
>> of repositories with many dependencies there. Maintainers spend a lot of
>> time on managing dependencies, and sometimes it leads to ancient
>> dependencies in components. Especially in the development tools which "just
>> work". By automating dependency updates we could give maintainers more time
>> to focus on other tasks.
>>
>> Dependabot is one of the engines we could use for dependency management.
>> It is free for open-source projects, and it is a SaaS application which can
>> be almost completely managed from GitHub. It can just create pull requests
>> or, if we want, implement validated merge with help of ci.jenkins.io. No
>> special infrastructure required, and this is an advantage for us. There are
>> other implementations (including UpdateBot
>> <https://github.com/jenkins-x/updatebot> by Fabric8/Jenkins X which has
>> a Jenkins plugin), but it would require more effort to deploy the
>> infrastructure. It could be considered in the future if we want to have
>> Jenkins-powered update management in the final implementation.
>>
>> My proposal would be to enable Dependabot for a *limited number* of
>> Jenkins repositories so that we can experiment with it. I propose to focus
>> on development tools and pre-1.0 projects only for now so that we can
>> experiment with flow without a risk of impact on components being used in
>> production in the Jenkins project. And we will be setting up auto-updates
>> only for projects with existing test automation.
>>
>> - Jenkinsfile Runner - Example PRs in my local repo
>> <https://github.com/oleg-nenashev/jenkinsfile-runner/pulls>
>> - ci.jenkins.io-runner - Example PRs
>> <https://github.com/jenkinsci/ci.jenkins.io-runner/pulls> (bot was
>> disabled after moving the repo)
>> - plugin-pom - Example PRs in my local repo
>> <https://github.com/oleg-nenashev/plugin-pom/pulls>
>> - maven-hpi-plugin - Example PRs in my local repo
>> <https://github.com/oleg-nenashev/maven-hpi-plugin/pulls>
>>
>> More repositories can be added if somebody is interested in participating
>> in the Dependabot evaluation. If there is positive feedback after the
>> initial evaluation, we could proceed with creating a JEP to define the flow
>> and the usage/administration policies.
>>
>> What do you think?
>>
>> Thanks in advance,
>> Oleg

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
