I agree with all points, Jesse. Dependabot + pom.xml definition should be our target goal. I am just not sure we are ready to source versions in such a way immediately.
One of the major issues is the lack of a node step where we can retrieve and process POM.xml.

From the resources standpoint, it would make sense to have an ACI-based step which does some spot checks before running full-size test runs on multiple configurations. I did some experiments with such preflight checks in https://github.com/jenkins-infra/pipeline-library/pull/21 , but it is not ready so far.

We will also need to inject a mock/test dependency to pom.xml to make Dependabot operational. Something we can do, but it also needs to be implemented.

BR, Oleg

On Thursday, August 29, 2019 at 4:50:37 PM UTC+2, Jesse Glick wrote:
>
> On Thu, Aug 29, 2019 at 10:33 AM Gavin <[email protected]> wrote:
> > it means a plugin doesn't work the same on newer versions
>
> Possibly, but much more commonly it just means some _test_ does not
> work the same on newer versions of Jenkins, sometimes for pretty minor
> technical reasons. Yes, that ought to get fixed, but there is no rush.
>
> The problem with changing the library configuration in “YOLO mode” is
> that somebody (especially not the plugin maintainer) files a PR, it
> gets a test failure, and they waste half a day trying to figure out
> what they did wrong…before figuring out that there is nothing wrong
> with the PR at all, `master` builds would be broken the same way if
> there were any, and the apparent regression is coming from some change
> to another repository no one was even paying attention to. Then
> somebody needs to drop whatever they were doing and get the
> plugin’s `master` build fixed.
>
> Using Dependabot would let us avoid this kind of problem, while still
> guiding maintainers toward testing against the latest and greatest in
> a timely manner. (You would get an automated PR proposing to test
> against a new LTS, or more generally proposing to use a new version of
> the library; in the normal case that the build passes, you would merge
> it; if not, you would track down the issue as soon as you have time to
> focus on it; `master` would stay blue, barring infrastructure
> problems.) There is not yet any Dependabot support for Jenkins
> libraries, however, so we would need to do some groundwork first.
>
