Hey y'all,

tl;dr - Make sure project > scm > url is set to GitHub (example: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/pom.xml#L41 )

---

I thought I'd share my limited findings with all of you.

A couple of weeks ago I contacted Dependabot support to try and find out why some JavaScript modules had changelogs/release notes mentioned. I got a bunch of good responses back, and nudged them to document this info publicly. But for now, I share what I learned.

Dependabot has a lot of open source code, including how it processes module metadata.

https://github.com/dependabot/dependabot-core/blob/e654f214a932672d8ac0ea428ef9d672ac5bba33/maven/lib/dependabot/maven/metadata_finder.rb#L52

It loops through a bunch of properties inside the Maven pom file: project > url (which should point at the wiki/plugins site for us), project > scm > url (which is the right place to set it), and lastly project > issueManagement > url (which probably defaults to Jira).

When that URL is set right, Dependabot knows where to pull information from.

See https://github.com/jenkinsci/ci.jenkins.io-runner/pull/192 as a good example. It'll list the commits between tags, Release Notes if you use GitHub releases (Release Drafter makes that easy), and Changelog if it can find a changelog file in the repo.

I can go into more details about this if people want.

*But I strongly recommend at least setting up project > scm > url, and either a changelog file, or preferably release notes for releases.*

That'll let other plugin authors know if it's worth upgrading/what potentially might break when getting a Dependabot PR.

Thanks,
Gavin

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAG%3D_DutPg%3DDD8ZseEW1i6VZJ-QMjK0aGs%2BaC34jeDR9u-OOj7w%40mail.gmail.com.
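As an added example (not part of the original message, and not Dependabot's own code), this Python check reads the three pom.xml fields named above and reports which of them resolve to a GitHub repository URL, so a maintainer can confirm project > scm > url before relying on Dependabot PRs to show release notes. The sample pom, its example.org hosts, the `example-org/example-plugin` name and the function name are constructed for illustration; resolving `${...}` from the pom's own `<properties>` is this check's assumption, not a statement about Dependabot.

```python
import re
import xml.etree.ElementTree as ET

# The three pom.xml fields the message lists, in the order it lists them.
CANDIDATE_PATHS = ("url", "scm/url", "issueManagement/url")
GITHUB_REPO = re.compile(
    r"^https?://github\.com/([\w.-]+)/([\w.-]+?)(?:\.git)?(?:/.*)?$")
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample pom (hosts and names are placeholders, not a real plugin).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <url>https://plugins.example.org/example-plugin</url>
  <properties><gitHubRepo>example-org/example-plugin</gitHubRepo></properties>
  <scm><url>https://github.com/${gitHubRepo}</url></scm>
  <issueManagement><url>https://jira.example.org/browse/EXAMPLE</url></issueManagement>
</project>"""


def source_url_report(pom_text):
    """Return {field: (resolved value, 'owner/repo' or None)} for each field.

    Run this on poms you trust: ElementTree is not hardened against hostile XML.
    """
    root = ET.fromstring(pom_text)
    for el in root.iter():
        # Drop the Maven namespace so plain tag paths such as "scm/url" work.
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    report = {}
    for path in CANDIDATE_PATHS:
        raw = (root.findtext(path) or "").strip()
        # Substitute ${name} from this pom's <properties>; anything inherited
        # from a parent pom stays unresolved and is reported as not usable.
        value = PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), raw)
        match = None if PLACEHOLDER.search(value) else GITHUB_REPO.match(value)
        report[path] = (value, f"{match.group(1)}/{match.group(2)}" if match else None)
    return report


if __name__ == "__main__":
    for field, (value, repo) in source_url_report(SAMPLE_POM).items():
        status = f"GitHub repo {repo}" if repo else "not a resolvable GitHub URL"
        print(f"project/{field}: {value or '(unset)'} -> {status}")
```

A field reported as "not a resolvable GitHub URL" for scm/url is the case the message warns about.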
