Hey Ya'll, tl;dr - Make sure project > scm > url is set to github, (example https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/pom.xml#L41 )
--- I thought I'd share my limited findings with all of your. A couple weeks ago I contacted dependabot support to try and find out why some javascript modules had changelogs/release notes mentioned. I got a bunch of good responses back, and nudged them to document this info publicly. But for now, I share what I learned. Dependabot has a lot of open source code, including how it processes module metadata. https://github.com/dependabot/dependabot-core/blob/e654f214a932672d8ac0ea428ef9d672ac5bba33/maven/lib/dependabot/maven/metadata_finder.rb#L52 It loops through a bunch of properties inside the maven pom file, project > url (which should point at wiki/plugins site for us), project > scm > url (which right place to set it), and lastly project > issueManagement > url (which probably defaults to jira) When that url is set right, dependabot knows where to pull information from. See https://github.com/jenkinsci/ci.jenkins.io-runner/pull/192 as a good example. It'll list the commits between tags. Release Notes if you use github releases (release drafter makes that easy) and Changelog if it can find a changelog file in the repo. I can go into more details about this if people want. *But I strongly recommend at least setting up project > scm > url, and either a changelog file, or preferably release notes for releases.* That'll make other plugin authors know if its worth upgrading/what potentially might break when getting a dependabot PR. Thanks, Gavin -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAG%3D_DutPg%3DDD8ZseEW1i6VZJ-QMjK0aGs%2BaC34jeDR9u-OOj7w%40mail.gmail.com.
