I enabled the native Dependabot version updates (the experimental feature) on my plugin today. Overall it's extremely useful and working well! I expect I'll soon wonder how I ever managed without it.
Couple of thoughts:

1. The initial splurge of PRs spawns a lot of builds, so it's helpful that Dependabot has limited itself to opening 5 PRs at a time (you can raise this limit in configuration if you like). Obviously this is only a one-time concern on the day that you enable it, but it could spam ci.jenkins.io if enabled on lots of plugins at once.

2. You have to be a bit careful when merging if you are using dependencies that interact. E.g. if you're using BOM (which contains Jackson), and a plugin that has particular ideas about the Jackson version it wants. So you can't just point-and-merge, even though they look like one-liner changes that seem easy to reason about.

3. Because Dependabot makes it easy to stay up to date, it's tempting to charge forward and take the latest version of everything suggested - providing the build passes. But is that wise? Do we as plugin authors need to hang back on some changes with the LTS support policy in mind? (For example, should I advance to depending on BOM version 2.249.x if the LTS policy says to support n-3 LTS versions?)

Chris

On Tue, 20 Oct 2020, at 5:05 PM, Baptiste Mathus wrote:
> I've just gone ahead and clicked on all repositories where the button was available.
>
> So given I don't have an easy way to request review from current active maintainers.
> *So Jesse or any maintainer: please review the list :*
> https://github.com/pulls?q=is%3Aopen+is%3Apr+author%3Aapp%2Fdependabot-preview+user%3Ajenkinsci++%22Update+Dependabot+config+file%22+in%3Atitle
>
> And look for any plugin you're maintaining.
>
> AFAIU there's unfortunately no way to generate from this UI an automated PR for all repositories and not just the ones who already had configured Dependabot (now called "dependabot-preview").
>
> But if there's interest, I'm happy to script something to file such a PR on multiple repos.
> I guess I'm not going to do for the whole org upfront just to avoid potential people complaints. (?)
> I'm not yet fully sure whether Oleg's concern on jenkins.version is still current.
> It _seems_ not anymore in the "dependabot native" app. But it's hard to know whether this is something GitHub will add back parity for.
> 🤔
> And even so, I agree with Jesse that it would be better to request bumps with some LTS version scheme requirement, rather than making them all ignored. (See Oleg's PR earlier in this thread for context).
>
> Anyway, looking at the positive side: thanks a lot Oleg again for making this happen.
> I think overall, whatever happens, keeping dependencies more up-to-date is a great plus for the health of the Jenkins ecosystem.
>
> -- Baptiste
>
> On Mon. 19 Oct. 2020 at 21:08, Ullrich Hafner <[email protected]> wrote:
>> I think that this can be done globally: for each repository a PR will be generated. So in order to finish the transition the repo owner still needs to merge the PR. However, I do not find a button to run this for all repositories :-(
>>
>> > On 19.10.2020 at 16:44 Jesse Glick <[email protected]> wrote:
>> >
>> > On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus <[email protected]> wrote:
>> >> If anybody still has the previous configuration, and would like to get an automated PR, please let me/us know and I can request it.
>> >
>> > I would certainly want this but have no idea which repositories I might “own” which are configured with the preview app. Is there any harm in just requesting the conversion PR for every remaining repo?
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3Z_UnaBsWpg%2BwXhut7YOvZUG9X8dsTB-7EXfouOqypvA%40mail.gmail.com.
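The two configuration knobs behind Chris's first and third points, as an added example that is not part of the original thread or of any plugin's repository: a `.github/dependabot.yml` for a Maven-based plugin that states the open-PR cap explicitly and declines bumps of one dependency beyond a chosen version line, which is the mechanism for "hanging back" on a dependency while still taking the rest. The dependency coordinates `org.example:example-library` and the range `[3.0,)` are placeholders chosen for illustration; the BOM artifact and `jenkins.version` handling are deliberately not shown, since the thread says their Dependabot behaviour is still uncertain.

```yaml
# Added example (not from the thread): .github/dependabot.yml for a Maven plugin.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Caps the number of Dependabot PRs open at once (5 is Dependabot's default).
    # Keep it low so a freshly enabled repository does not flood shared CI.
    open-pull-requests-limit: 5
    # Hold one dependency back: updates matching the range are not proposed.
    # Coordinates and bound are placeholders; the range uses Maven version
    # range syntax, which is assumed here to be what Dependabot accepts for
    # the maven ecosystem.
    ignore:
      - dependency-name: "org.example:example-library"
        versions: ["[3.0,)"]
```

The `ignore` block is what turns a support-policy decision into something reviewable in the repository: a reviewer seeing a PR that bumps past the policy line can check the file instead of relying on memory at merge time, and raising the line later is a one-line diff rather than a judgement call on each PR.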
