On Mon, Nov 2, 2020 at 11:34 AM Chris Kilding <[email protected]> wrote:
> I enabled the native Dependabot version updates (the experimental feature) on my plugin today. Overall it's extremely useful and working well! I expect I'll soon wonder how I ever managed without it.
>
> Couple of thoughts:
>
> 1. The initial splurge of PRs spawns a lot of builds, so it's helpful that Dependabot has limited itself to opening 5 PRs at a time (you can raise this limit in configuration if you like). Obviously this is only a one-time concern on the day that you enable it, but it could spam ci.jenkins.io if enabled on lots of plugins at once.
> 2. You have to be a bit careful when merging if you are using dependencies that interact. E.g. if you're using BOM (which contains Jackson), and a plugin that has particular ideas about the Jackson version it wants. So you can't just point-and-merge, even though they look like one-liner changes that seem easy to reason about.
> 3. Because Dependabot makes it easy to stay up to date, it's tempting to charge forward and take the latest version of everything suggested - providing the build passes. But is that wise? Do we as plugin authors need to hang back on some changes with the LTS support policy in mind? (For example, should I advance to depending on BOM version 2.249.x if the LTS policy says to support n-3 LTS versions?)

https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/ describes the compromises involved in the choice of minimum Jenkins version for a plugin. Jenkins 2.222.1 and Jenkins 2.235.1 are the currently recommended baseline versions. I think that the recommendations on that page are good for most plugins. Notable exceptions are described on the page (need an API that is only available in a newer core, etc.).
The pull requests that submitted that page also contain good discussion if you'd like more information - https://github.com/jenkins-infra/jenkins.io/pull/3643 and https://github.com/jenkins-infra/jenkins.io/pull/3655

Mark Waite

> Chris
>
> On Tue, 20 Oct 2020, at 5:05 PM, Baptiste Mathus wrote:
>
> I've just gone ahead and clicked on all repositories where the button was available.
>
> So given I don't have an easy way to request review from current active maintainers.
> *So Jesse or any maintainer: please review the list :*
>
> https://github.com/pulls?q=is%3Aopen+is%3Apr+author%3Aapp%2Fdependabot-preview+user%3Ajenkinsci++%22Update+Dependabot+config+file%22+in%3Atitle
>
> And look for any plugin you're maintaining.
>
> AFAIU there's unfortunately no way to generate from this UI an automated PR for all repositories and not just the ones who already had configured Dependabot (now called "dependabot-preview").
>
> But if there's interest, I'm happy to script something to file such a PR on multiple repos.
> I guess I'm not going to do for the whole org upfront just to avoid potential people complaints. (?)
>
> I'm not yet fully sure whether Oleg's concern on jenkins.version is still current.
> It _seems_ not anymore in the "dependabot native" app. But it's hard to know whether this is something GitHub will add back parity for.
> 🤔
> And even so, I agree with Jesse that it would be better to request bumps with some LTS version scheme requirement, rather than making them all ignored. (See Oleg's PR earlier in this thread for context).
>
> Anyway, looking at the positive side: thanks a lot Oleg again for making this happen.
> I think overall, whatever happens, keeping dependencies more up-to-date is a great plus for the health of the Jenkins ecosystem.
>
> -- Baptiste
>
> On Mon, 19 Oct 2020 at 21:08, Ullrich Hafner <[email protected]> wrote:
>
> I think that this can be done globally: for each repository a PR will be generated.
> So in order to finish the transition the repo owner still needs to merge the PR. However, I do not find a button to run this for all repositories :-(
>
> > On 19.10.2020 at 16:44, Jesse Glick <[email protected]> wrote:
> >
> > On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus <[email protected]> wrote:
> >> If anybody still has the previous configuration, and would like to get an automated PR, please let me/us know and I can request it.
> >
> > I would certainly want this but have no idea which repositories I might “own” which are configured with the preview app. Is there any harm in just requesting the conversion PR for every remaining repo?
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3Z_UnaBsWpg%2BwXhut7YOvZUG9X8dsTB-7EXfouOqypvA%40mail.gmail.com.
