I am +1. We should finally move forward with Dependabot for dependencies we considers safe and important to be kept up to date. Allow list is a good way to go, we have a sizeable number if deps.
On Thu, Dec 10, 2020, 23:58 Baptiste Mathus <[email protected]> wrote: > Hi all, > > I wanted to raise a discussion on this and thought I'd fork off this > answer from Jesse on Oleg's thread. > > I see Jesse already configured Dependabot for Xstream: > https://github.com/jenkinsci/jenkins/commit/2440a34d8f2ba5626d734c735cb4fc63040c11de > > Should we start adding all core components, like the parent pom, internal > or test tools like JTH, and some dependencies we think are safe > (build-time things like Maven plugins, I assume)? > > AIUI, we would be able to agree on an allowList approach? I.e. adding > specific dependencies we want auto-updated (excluding any that's unlisted). > > Side note on this: I think if we agree to go this path, it would be great > to find a way modify the Core Pipeline so the essentials.yaml values are > sourced from some pom.xml (for ATH version) so Dependabot can understand > and update this too. > This way, we'd be getting automated updates for > https://github.com/jenkinsci/jenkins/blob/53f300d5ec07eb5efa3774d3f12455615d2f3450/essentials.yml#L4-L5 > too, which bit us in the arse recently on the latest LTS prep IIRC. > > WDYT? > > > IIUC, we could kinda take an allowList approach on specific components. > > Le jeu. 21 févr. 2019 à 15:40, Jesse Glick <[email protected]> a > écrit : > >> On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev <[email protected]> >> wrote: >> > I propose to focus on development tools >> >> Since the primary use case is offering updates to plugin repositories, >> I would suggest including at least one example of `*-plugin`. >> >> The question is which dependencies ought to be eligible for upgrade. I >> do not think we want to update Jenkins core or plugin dependencies >> gratuitously, since this would limit availability of new releases with >> only modest productivity gain: more realistic functional tests, less >> distance from `master` to whatever `plugin-compat-tester` would use. >> >> Definitely we can freely upgrade the parent POM. I would be happy for >> such updates to be auto-merged in fact, so long as the build passes >> obviously. >> >> > pre-1.0 projects only >> >> Or just plugins that (a) have fairly low installation count, (b) are >> maintained by people actively participating in the trial. >> >> > More repositories can be added if somebody is interested to participate >> in the Dependabot evaluation. >> >> Sign me up! >> >> I _do_ need to make sure I get notifications of these PRs in >> Octobox.io, if they are not simply automerged. Merely watching a >> repository is not enough—GH has autosubscribed me to hundreds of >> repos, and the resulting thousands of notifications go to /dev/null. >> Maybe Dependabot can be configured to request me as a reviewer? >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Developers" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2pcB-%2BGsnJFKO7sR3drv3F43ADqqwAW0RU_bJUrpKEuw%40mail.gmail.com >> . >> For more options, visit https://groups.google.com/d/optout. >> > -- > You received this message because you are subscribed to a topic in the > Google Groups "Jenkins Developers" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/jenkinsci-dev/XMllKuWLO_8/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-dev/CANWgJS7JwFRXk%2BX_5q8QDXK30Nif1fKLXbOWKWNWZUFFSXSjew%40mail.gmail.com > <https://groups.google.com/d/msgid/jenkinsci-dev/CANWgJS7JwFRXk%2BX_5q8QDXK30Nif1fKLXbOWKWNWZUFFSXSjew%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLDNgdKA2A-85n-ePFMOe7UdRE9%3DCRp%3DvXrP717Jrf4QTA%40mail.gmail.com.
