Hi all, I wanted to raise a discussion on this and thought I'd fork off this answer from Jesse on Oleg's thread.
I see Jesse already configured Dependabot for Xstream: https://github.com/jenkinsci/jenkins/commit/2440a34d8f2ba5626d734c735cb4fc63040c11de

Should we start adding all core components, like the parent pom, internal or test tools like JTH, and some dependencies we think are safe (build-time things like Maven plugins, I assume)? AIUI, we would be able to agree on an allowList approach? I.e. adding specific dependencies we want auto-updated (excluding any that's unlisted).

Side note on this: I think if we agree to go this path, it would be great to find a way to modify the Core Pipeline so the essentials.yaml values are sourced from some pom.xml (for ATH version) so Dependabot can understand and update this too. This way, we'd be getting automated updates for https://github.com/jenkinsci/jenkins/blob/53f300d5ec07eb5efa3774d3f12455615d2f3450/essentials.yml#L4-L5 too, which bit us in the arse recently on the latest LTS prep IIRC.

WDYT? IIUC, we could kinda take an allowList approach on specific components.

On Thu, Feb 21, 2019 at 15:40, Jesse Glick <[email protected]> wrote:

> On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev <[email protected]> wrote:
> > I propose to focus on development tools
>
> Since the primary use case is offering updates to plugin repositories, I would suggest including at least one example of `*-plugin`.
>
> The question is which dependencies ought to be eligible for upgrade. I do not think we want to update Jenkins core or plugin dependencies gratuitously, since this would limit availability of new releases with only modest productivity gain: more realistic functional tests, less distance from `master` to whatever `plugin-compat-tester` would use.
>
> Definitely we can freely upgrade the parent POM. I would be happy for such updates to be auto-merged in fact, so long as the build passes obviously.
>
> > pre-1.0 projects only
>
> Or just plugins that (a) have fairly low installation count, (b) are maintained by people actively participating in the trial.
>
> > More repositories can be added if somebody is interested to participate in the Dependabot evaluation.
>
> Sign me up!
>
> I _do_ need to make sure I get notifications of these PRs in Octobox.io, if they are not simply automerged. Merely watching a repository is not enough—GH has autosubscribed me to hundreds of repos, and the resulting thousands of notifications go to /dev/null. Maybe Dependabot can be configured to request me as a reviewer?
>
> --
> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2pcB-%2BGsnJFKO7sR3drv3F43ADqqwAW0RU_bJUrpKEuw%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANWgJS7JwFRXk%2BX_5q8QDXK30Nif1fKLXbOWKWNWZUFFSXSjew%40mail.gmail.com.
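As an added illustration (not part of the thread above and not any Jenkins project's actual configuration), here is how the allow-list idea, the "do not bump Jenkins core gratuitously" concern and the "request me as a reviewer" wish map onto a GitHub-native `.github/dependabot.yml` for a plugin repository. It uses the v2 configuration format, which postdates this 2019 discussion; the Maven coordinates for the plugin parent POM, the test harness and Jenkins core are the ones I know of, and the reviewer handle is a placeholder to fill in.

```yaml
# .github/dependabot.yml -- added example, not a Jenkins project's real config.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"               # location of the plugin's pom.xml
    schedule:
      interval: "weekly"
    # Allow-list: only the dependencies named here get update PRs;
    # everything unlisted is left alone, which is the "allowList" model
    # discussed in the thread.
    allow:
      - dependency-name: "org.jenkins-ci.plugins:plugin"          # plugin parent POM (assumed coordinates)
      - dependency-name: "org.jenkins-ci.main:jenkins-test-harness" # JTH (assumed coordinates)
      - dependency-name: "org.apache.maven.plugins:*"             # build-time Maven plugins
    # Belt and braces: even if a broader allow rule were added later,
    # never propose a bump of the Jenkins core baseline automatically.
    ignore:
      - dependency-name: "org.jenkins-ci.main:jenkins-core"       # assumed coordinates
    # Request review from a maintainer so the PRs surface in their
    # review queue rather than relying on repository watch notifications.
    reviewers:
      - "REVIEWER_GITHUB_HANDLE_PLACEHOLDER"
    labels:
      - "dependencies"
```

Because `allow` and `ignore` are evaluated per dependency, the security-relevant property is that the set of things that can change without a human deciding to change them is explicit and reviewable in the repository itself; a PR that touches anything outside the list is a signal that the configuration, not the dependency, changed. Branch protection still has to require the build to pass before any auto-merge of parent POM bumps, as the quoted message assumes.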
