Thanks for the investigation Gavin!
I plan to document Dependabot usage guidelines eventually, and I will make 
sure to reflect it. It can also be added to 
https://github.com/jenkinsci/.github/blob/master/.github/release-drafter.adoc 
somehow.


BR, Oleg

On Thursday, August 29, 2019 at 2:19:45 AM UTC+2, Joseph P wrote:
>
> Hi Gavin, we actually made that change in JCasC to prepare for 
> https://github.com/jenkins-infra/plugin-site-api/pull/54
> Good that dependabot is something you can depend on 😁
>
> Original PR 
> https://github.com/jenkinsci/configuration-as-code-plugin/pull/1004
>
> On Tuesday, August 27, 2019 at 6:50:38 PM UTC+2, Gavin Mogan wrote:
>>
>> Hey y'all,
>>
>> tl;dr - Make sure project > scm > url is set to GitHub (example: 
>> https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/pom.xml#L41 
>> )
>>
>> ---
>>
>> I thought I'd share my limited findings with all of you. A couple of weeks 
>> ago I contacted Dependabot support to try and find out why some JavaScript 
>> modules had changelogs/release notes mentioned. I got a bunch of good 
>> responses back, and nudged them to document this info publicly.
>>
>> But for now, I'll share what I learned.
>>
>> Dependabot has a lot of open source code, including how it processes 
>> module metadata.
>>
>>
>> https://github.com/dependabot/dependabot-core/blob/e654f214a932672d8ac0ea428ef9d672ac5bba33/maven/lib/dependabot/maven/metadata_finder.rb#L52
>>
>> It loops through a bunch of properties inside the Maven pom file: 
>> project > url (which should point at the wiki/plugins site for us), 
>> project > scm > url (which is the right place to set it), and lastly 
>> project > issueManagement > url (which probably defaults to Jira).
>>
>> When that url is set right, dependabot knows where to pull information 
>> from. See https://github.com/jenkinsci/ci.jenkins.io-runner/pull/192 as 
>> a good example.
>>
>> It'll list the commits between tags, release notes if you use GitHub 
>> releases (Release Drafter makes that easy), and a changelog if it can find a 
>> changelog file in the repo. I can go into more detail about this if people 
>> want.
>>
>> *But I strongly recommend at least setting up project > scm > url, and 
>> either a changelog file, or preferably release notes for releases.*
>>
>> That'll let other plugin authors know if it's worth upgrading/what 
>> potentially might break when getting a Dependabot PR.
>>
>> Thanks,
>> Gavin
>>
>>
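As an added illustration of the lookup Gavin describes (example code written for this thread, not dependabot-core's own, with constructed sample poms): a small Python check that reads a pom.xml, pulls the three URLs named in the message, and reports which one, if any, gives Dependabot a GitHub repository to pull commits, release notes and a changelog from. The precedence between the three elements when several are set is assumed from the order in the message above.

```python
# Added example (not dependabot-core's own code): report which pom.xml URLs
# give Dependabot a GitHub repository to read commits, releases and a
# changelog from. The candidate order is taken from the message above
# (project > url, then scm > url, then issueManagement > url); treating it
# as the exact precedence dependabot-core applies is an assumption.
import re
import xml.etree.ElementTree as ET

# Elements checked, in the order the thread lists them.
CANDIDATE_PATHS = [
    ("project > url", "url"),
    ("project > scm > url", "scm/url"),
    ("project > issueManagement > url", "issueManagement/url"),
]

# Only plain https://github.com/<owner>/<repo> links count as a usable source;
# scm:git: connection strings live in <scm><connection>, which is not checked.
GITHUB_RE = re.compile(
    r"^https?://(?:www\.)?github\.com/([^/]+)/([^/#?]+?)(?:\.git)?/?$"
)


def _strip_namespaces(root):
    # Maven poms usually declare xmlns="http://maven.apache.org/POM/4.0.0";
    # drop it so the same paths work for namespaced and bare files.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def pom_urls(pom_xml):
    """Return {label: url-or-None} for the three candidate elements."""
    root = _strip_namespaces(ET.fromstring(pom_xml))
    urls = {}
    for label, path in CANDIDATE_PATHS:
        el = root.find(path)
        urls[label] = el.text.strip() if el is not None and el.text else None
    return urls


def github_repo(url):
    """'owner/repo' when url points at a GitHub repository, else None."""
    m = GITHUB_RE.match(url or "")
    return f"{m.group(1)}/{m.group(2)}" if m else None


def dependabot_source(pom_xml):
    """First candidate that resolves to a GitHub repo, as (label, owner/repo);
    (None, None) means a Dependabot PR would carry no commits/release notes."""
    for label, url in pom_urls(pom_xml).items():
        repo = github_repo(url)
        if repo:
            return label, repo
    return None, None


# Constructed sample poms: one following the advice in the thread, one with
# only a wiki link in <url> and no <scm> block at all.
GOOD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>example-plugin</artifactId>
  <url>https://wiki.jenkins.io/display/JENKINS/Example+Plugin</url>
  <scm>
    <connection>scm:git:git://github.com/jenkinsci/example-plugin.git</connection>
    <url>https://github.com/jenkinsci/example-plugin</url>
  </scm>
  <issueManagement>
    <url>https://issues.jenkins.io/</url>
  </issueManagement>
</project>"""

BAD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>example-plugin</artifactId>
  <url>https://wiki.jenkins.io/display/JENKINS/Example+Plugin</url>
</project>"""

if __name__ == "__main__":
    for name, pom in (("good", GOOD_POM), ("bad", BAD_POM)):
        label, repo = dependabot_source(pom)
        print(f"{name}: {label or 'no GitHub URL found'} -> {repo}")
```

Running it against a plugin's real pom.xml is a quick way to confirm, before the next Dependabot PR lands downstream, that project > scm > url actually resolves to the GitHub repository and that a wiki link in project > url is not the only thing Dependabot will find.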

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/80fe2e48-f494-4f43-aa13-c4b9735d5e7e%40googlegroups.com.