Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-11-02 Thread Jesse Glick
On Mon, Nov 2, 2020 at 1:34 PM Chris Kilding wrote:
> should I advance to depending on BOM version 2.249.x

Note that Dependabot will not _offer_ such a bump—only bumps within,
say, `bom-2.235.x`. It is up to you to select a `bom-*.x` matching
your current `jenkins.version`, and to decide when to switch to a
newer LTS line.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr0pWXSzM4DLqA-DeJr%3D3OXb2CcLGp-8%2BybPEwUdjhOLMQ%40mail.gmail.com.
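
Added example, not part of the thread and not Jenkins project code: a check for the alignment described in the message above, that the imported `bom-*.x` line matches `jenkins.version`, so a hand-made switch to a newer line (which Dependabot does not offer) is caught in review. The POM snippets and the BOM version `16` are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

BOM_ARTIFACT = re.compile(r"^bom-(\d+\.\d+)\.x$")    # e.g. bom-2.235.x
VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?$")     # e.g. 2.235.1 or 2.249


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local name, or None."""
    return next((c for c in elem if _local(c.tag) == name), None)


def _text(elem, name):
    """Stripped text of a direct child, or '' when the child is absent."""
    c = _child(elem, name)
    return (c.text or "").strip() if c is not None else ""


def lts_line(jenkins_version):
    """Return the 'MAJOR.MINOR' line for a version such as '2.235.1'."""
    m = VERSION.match(jenkins_version.strip())
    if not m:
        raise ValueError(f"unrecognised jenkins.version: {jenkins_version!r}")
    return f"{m.group(1)}.{m.group(2)}"


def check_bom_alignment(pom_xml):
    """Compare every imported bom-*.x artifact with the jenkins.version line."""
    root = ET.fromstring(pom_xml)
    problems = []

    props = _child(root, "properties")
    jenkins_version = _text(props, "jenkins.version") if props is not None else ""
    line = lts_line(jenkins_version) if jenkins_version else None
    if line is None:
        problems.append("jenkins.version property not set in this pom")

    # BOMs are imported under dependencyManagement with scope 'import'.
    bom_lines = []
    dm = _child(root, "dependencyManagement")
    deps = _child(dm, "dependencies") if dm is not None else None
    for dep in (deps if deps is not None else []):
        m = BOM_ARTIFACT.match(_text(dep, "artifactId"))
        if m and _text(dep, "scope") == "import":
            bom_lines.append(m.group(1))

    if not bom_lines:
        problems.append("no bom-*.x import found")
    for bom in bom_lines:
        if line is not None and bom != line:
            problems.append(
                f"bom-{bom}.x imported but jenkins.version "
                f"{jenkins_version} is on the {line} line"
            )
    return {"jenkins_line": line, "bom_lines": bom_lines,
            "aligned": not problems, "problems": problems}


def sample_pom(jenkins_version, bom_artifact):
    """Constructed minimal plugin POM used only to exercise the check."""
    return f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jenkins.version>{jenkins_version}</jenkins.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.jenkins.tools.bom</groupId>
        <artifactId>{bom_artifact}</artifactId>
        <version>16</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""


if __name__ == "__main__":
    for bom in ("bom-2.235.x", "bom-2.249.x"):
        result = check_bom_alignment(sample_pom("2.235.1", bom))
        print(bom, "->", "aligned" if result["aligned"] else result["problems"])
```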


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-11-02 Thread Mark Waite
On Mon, Nov 2, 2020 at 11:34 AM Chris Kilding <
chris+jenk...@chriskilding.com> wrote:

> I enabled the native Dependabot version updates (the experimental feature)
> on my plugin today. Overall it's extremely useful and working well! I
> expect I'll soon wonder how I ever managed without it.
>
> Couple of thoughts:
>
> 1. The initial splurge of PRs spawns a lot of builds, so it's helpful that
> Dependabot has limited itself to opening 5 PRs at a time (you can raise
> this limit in configuration if you like). Obviously this is only a one-time
> concern on the day that you enable it, but it could spam ci.jenkins.io if
> enabled on lots of plugins at once.
> 2. You have to be a bit careful when merging if you are using dependencies
> that interact. E.g. if you're using BOM (which contains Jackson), and a
> plugin that has particular ideas about the Jackson version it wants. So you
> can't just point-and-merge, even though they look like one-liner changes
> that seem easy to reason about.
> 3. Because Dependabot makes it easy to stay up to date, it's tempting to
> charge forward and take the latest version of everything suggested -
> providing the build passes. But is that wise? Do we as plugin authors need
> to hang back on some changes with the LTS support policy in mind? (For
> example, should I advance to depending on BOM version 2.249.x if the LTS
> policy says to support n-3 LTS versions?)
>
>
https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/
describes the compromises involved in the choice of minimum Jenkins version
for a plugin.  Jenkins 2.222.1 and Jenkins 2.235.1 are the currently
recommended baseline versions.  I think that the recommendations on that
page are good for most plugins.  Notable exceptions are described on the
page (need an API that is only available in a newer core, etc.).

The pull requests that submitted that page also contain good discussion if you'd
like more information -
https://github.com/jenkins-infra/jenkins.io/pull/3643 and
https://github.com/jenkins-infra/jenkins.io/pull/3655

Mark Waite

> Chris
>
> On Tue, 20 Oct 2020, at 5:05 PM, Baptiste Mathus wrote:
>
> I've just gone ahead and clicked on all repositories where the button was
> available.
>
> So given I don't have an easy way to request review from current active
> maintainers.
> *So Jesse or any maintainer: please review the list :*
>
> https://github.com/pulls?q=is%3Aopen+is%3Apr+author%3Aapp%2Fdependabot-preview+user%3Ajenkinsci++%22Update+Dependabot+config+file%22+in%3Atitle
>
> And look for any plugin you're maintaining.
>
> AFAIU there's unfortunately no way to generate from this UI an automated
> PR for all repositories and not just the ones who already had configured
> Dependabot (now called "dependabot-preview").
>
> But if there's interest, I'm happy to script something to file such a PR
> on multiple repos.
> I guess I'm not going to do for the whole org upfront just to avoid
> potential people complaints. (?)
>
> I'm not yet fully sure whether Oleg's concern on jenkins.version is still
> current.
> It _seems_ not anymore in the "dependabot native" app. But it's hard to
> know whether this is something GitHub will add back parity for.
> And even so, I agree with Jesse that it would be better to request bumps
> with some LTS version scheme requirement, rather than making them all
> ignored. (See Oleg's PR earlier in this thread for context).
>
> Anyway, looking at the positive side: thanks a lot Oleg again for making
> this happen.
> I think overall, whatever happens, keeping dependencies more up-to-date is
> a great plus for the health of the Jenkins ecosystem.
>
> -- Baptiste
>
> On Mon, Oct 19, 2020 at 21:08, Ullrich Hafner wrote:
>
> I think that this can be done globally: for each repository a PR will be
> generated. So in order to finish the transition the repo owner still needs
> to merge the PR. However, I do not find a button to run this for all
> repositories :-(
>
> > On 19.10.2020 at 16:44, Jesse Glick wrote:
> >
> > On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus wrote:
> >> If anybody still has the previous configuration, and would like to get
> >> an automated PR, please let me/us know and I can request it.
> >
> > I would certainly want this but have no idea which repositories I
> > might “own” which are configured with the preview app. Is there any
> > harm in just requesting the conversion PR for every remaining repo?
> >

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-11-02 Thread Chris Kilding
I enabled the native Dependabot version updates (the experimental feature) on 
my plugin today. Overall it's extremely useful and working well! I expect I'll 
soon wonder how I ever managed without it.

Couple of thoughts:

1. The initial splurge of PRs spawns a lot of builds, so it's helpful that 
Dependabot has limited itself to opening 5 PRs at a time (you can raise this 
limit in configuration if you like). Obviously this is only a one-time concern 
on the day that you enable it, but it could spam ci.jenkins.io if enabled on 
lots of plugins at once.
2. You have to be a bit careful when merging if you are using dependencies that 
interact. E.g. if you're using BOM (which contains Jackson), and a plugin that 
has particular ideas about the Jackson version it wants. So you can't just 
point-and-merge, even though they look like one-liner changes that seem easy to 
reason about.
3. Because Dependabot makes it easy to stay up to date, it's tempting to charge 
forward and take the latest version of everything suggested - providing the 
build passes. But is that wise? Do we as plugin authors need to hang back on 
some changes with the LTS support policy in mind? (For example, should I 
advance to depending on BOM version 2.249.x if the LTS policy says to support 
n-3 LTS versions?)

Chris

On Tue, 20 Oct 2020, at 5:05 PM, Baptiste Mathus wrote:
> I've just gone ahead and clicked on all repositories where the button was 
> available.
> 
> So given I don't have an easy way to request review from current active 
> maintainers.
> *So Jesse or any maintainer: please review the list :*
> https://github.com/pulls?q=is%3Aopen+is%3Apr+author%3Aapp%2Fdependabot-preview+user%3Ajenkinsci++%22Update+Dependabot+config+file%22+in%3Atitle
> 
> And look for any plugin you're maintaining.
> 
> AFAIU there's unfortunately no way to generate from this UI an automated PR 
> for all repositories and not just the ones who already had configured 
> Dependabot (now called "dependabot-preview").
> 
> But if there's interest, I'm happy to script something to file such a PR on 
> multiple repos.
> I guess I'm not going to do for the whole org upfront just to avoid potential 
> people complaints. (?)
> 
> I'm not yet fully sure whether Oleg's concern on jenkins.version is still 
> current.
> It _seems_ not anymore in the "dependabot native" app. But it's hard to know 
> whether this is something GitHub will add back parity for.
> And even so, I agree with Jesse that it would be better to request bumps with 
> some LTS version scheme requirement, rather than making them all ignored. 
> (See Oleg's PR earlier in this thread for context).
> 
> Anyway, looking at the positive side: thanks a lot Oleg again for making this 
> happen.
> I think overall, whatever happens, keeping dependencies more up-to-date is a 
> great plus for the health of the Jenkins ecosystem.
> 
> -- Baptiste
> 
> On Mon, Oct 19, 2020 at 21:08, Ullrich Hafner wrote:
>> I think that this can be done globally: for each repository a PR will be 
>> generated. So in order to finish the transition the repo owner still needs 
>> to merge the PR. However, I do not find a button to run this for all 
>> repositories :-(
>> 
>> > On 19.10.2020 at 16:44, Jesse Glick wrote:
>> > 
>> > On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus  wrote:
>> >> If anybody still has the previous configuration, and would like to get an 
>> >> automated PR, please let me/us know and I can request it.
>> > 
>> > I would certainly want this but have no idea which repositories I
>> > might “own” which are configured with the preview app. Is there any
>> > harm in just requesting the conversion PR for every remaining repo?
>> > 

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-20 Thread Baptiste Mathus
I've just gone ahead and clicked on all repositories where the button was
available.

So given I don't have an easy way to request review from current active
maintainers.
*So Jesse or any maintainer: please review the list :*
https://github.com/pulls?q=is%3Aopen+is%3Apr+author%3Aapp%2Fdependabot-preview+user%3Ajenkinsci++%22Update+Dependabot+config+file%22+in%3Atitle

And look for any plugin you're maintaining.

AFAIU there's unfortunately no way to generate from this UI an automated PR
for all repositories and not just the ones who already had configured
Dependabot (now called "dependabot-preview").

But if there's interest, I'm happy to script something to file such a PR on
multiple repos.
I guess I'm not going to do for the whole org upfront just to avoid
potential people complaints. (?)

I'm not yet fully sure whether Oleg's concern on jenkins.version is still
current.
It _seems_ not anymore in the "dependabot native" app. But it's hard to
know whether this is something GitHub will add back parity for.
And even so, I agree with Jesse that it would be better to request bumps
with some LTS version scheme requirement, rather than making them all
ignored. (See Oleg's PR earlier in this thread for context).

Anyway, looking at the positive side: thanks a lot Oleg again for making
this happen.
I think overall, whatever happens, keeping dependencies more up-to-date is
a great plus for the health of the Jenkins ecosystem.

-- Baptiste

On Mon, Oct 19, 2020 at 21:08, Ullrich Hafner wrote:

> I think that this can be done globally: for each repository a PR will be
> generated. So in order to finish the transition the repo owner still needs
> to merge the PR. However, I do not find a button to run this for all
> repositories :-(
>
> > On 19.10.2020 at 16:44, Jesse Glick wrote:
> >
> > On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus wrote:
> >> If anybody still has the previous configuration, and would like to get
> >> an automated PR, please let me/us know and I can request it.
> >
> > I would certainly want this but have no idea which repositories I
> > might “own” which are configured with the preview app. Is there any
> > harm in just requesting the conversion PR for every remaining repo?
> >



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-19 Thread Ullrich Hafner
I think that this can be done globally: for each repository a PR will be 
generated. So in order to finish the transition the repo owner still needs to 
merge the PR. However, I do not find a button to run this for all repositories 
:-(

> On 19.10.2020 at 16:44, Jesse Glick wrote:
> 
> On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus  wrote:
>> If anybody still has the previous configuration, and would like to get an 
>> automated PR, please let me/us know and I can request it.
> 
> I would certainly want this but have no idea which repositories I
> might “own” which are configured with the preview app. Is there any
> harm in just requesting the conversion PR for every remaining repo?
> 


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-19 Thread Jesse Glick
On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus  wrote:
> If anybody still has the previous configuration, and would like to get an 
> automated PR, please let me/us know and I can request it.

I would certainly want this but have no idea which repositories I
might “own” which are configured with the preview app. Is there any
harm in just requesting the conversion PR for every remaining repo?



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-19 Thread Baptiste Mathus
Hi all,

FYI, as I was using the Dependabot admin UI, I just requested Dependabot to
file automated PRs on a number of plugins:

https://github.com/pulls?q=is%3Aopen+is%3Apr+author%3Aapp%2Fdependabot-preview+user%3Ajenkinsci++%22Update+Dependabot+config+file%22+in%3Atitle

I was going to configure Dependabot on my buildtriggerbadge plugin, but
then realized Dependabot now has this nice feature to file automated PRs to
migrate from the previous Dependabot settings to the native one.

If anybody still has the previous configuration, and would like to get an
automated PR, please let me/us know and I can request it.

HTH
Cheers

On Thu, Oct 8, 2020 at 13:29, Oleg Nenashev wrote:

> I have started https://github.com/jenkinsci/.github/pull/40 with
> documentation notes. If anyone is interested to contribute and share your
> notes / best practices, please do so!
> Later we can move the page to
> https://www.jenkins.io/doc/developer/plugin-development/
>
> On Wednesday, June 24, 2020 at 11:03:25 PM UTC+2 Oleg Nenashev wrote:
>
>> FTR Dependabot is now embedded into GitHub. Probably it is a good time to
>> prepare official documentation
>> https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
>


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-08 Thread Oleg Nenashev
I have started https://github.com/jenkinsci/.github/pull/40 with 
documentation notes. If anyone is interested to contribute and share your 
notes / best practices, please do so!
Later we can move the page 
to https://www.jenkins.io/doc/developer/plugin-development/

On Wednesday, June 24, 2020 at 11:03:25 PM UTC+2 Oleg Nenashev wrote:

> FTR Dependabot is now embedded into GitHub. Probably it is a good time to 
> prepare official documentation 
> https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-06-24 Thread Oleg Nenashev
FTR Dependabot is now embedded into GitHub. Probably it is a good time to 
prepare official documentation 
https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-01-24 Thread Oleg Nenashev
Hi All,

Just in case somebody is interested, today we will have an online meetup 
about Dependabot in Jenkins.
https://www.meetup.com/Jenkins-online-meetup/events/267995271/

Please join us if you are interested!

Best regards,
Oleg


On Thursday, July 25, 2019 at 7:45:33 PM UTC+2, Jesse Glick wrote:
>
> On Thu, Jul 25, 2019 at 3:01 AM Oleg Nenashev wrote:
> > Basically every maintainer with Admin permissions can enable Dependabot
> > on his/her own:
>
> And if you lack admin permissions, just file an `INFRA` ticket requesting 
> it. 
>



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-07-25 Thread Jesse Glick
On Thu, Jul 25, 2019 at 3:01 AM Oleg Nenashev  wrote:
> Basically every maintainer with Admin permissions can enable Dependabot on 
> his/her own:

And if you lack admin permissions, just file an `INFRA` ticket requesting it.



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-07-25 Thread Oleg Nenashev
Hi, done

I enabled Dependabot for Gradle JPI Plugin, Role Strategy Plugin and 
Jenkins Test Harness. 
Also added Log CLI Plugin as it was requested by Martin Reinhardt in GitHub.

Basically every maintainer with Admin permissions can enable Dependabot on 
his/her own:

   1. Enable the Dependabot GitHub application for the repo
   2. Add a .dependabot/config.yml file to the repo (docs). Once added, the
   Dependabot will pick up the repo automatically

For new Dependabot requests I suggest to stop adding the configurations 
manually in Dependabot Web UI.
Let's use .dependabot/config.yml only. 

BR, Oleg

On Thursday, July 25, 2019 at 6:24:28 AM UTC+2, Steve Hill wrote:
>
> Could we also enable Dependabot for 
> https://github.com/jenkinsci/gradle-jpi-plugin?
>
> Best,
> Steve
>
> On Tuesday, July 23, 2019 at 12:39:26 PM UTC-7, Oleg Nenashev wrote:
>>
>> With Dependabot acquisition by GitHub, the project got some development 
>> boost.
>> Unfortunately, there is still no support of org-wide configurations, so 
>> we cannot just put defaults to https://github.com/jenkinsci/.github 
>> But we could at least put some samples there.
>>
>> I would also like to enable Dependabot for Jenkins Test Harness if nobody 
>> is against.
>>
>> Once Jesse finishes his work on https://github.com/jenkinsci/bom/ , it 
>> would be great to combine Dependabot and plugins with BOM (especially for 
>> Pipeline which is nightmare to handle in Dependabot).
>>
>> BR, Oleg
>>
>>
>> On Monday, June 10, 2019 at 7:04:08 PM UTC+2, Oleg Nenashev wrote:
>>>
>>> done!
>>>
>>> On Mon, Jun 10, 2019 at 6:40 PM Basil Crow  wrote:
>>>
>>>> On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
>>>>>
>>>>> I am fine with going forward with enabling Dependabot for a wider set
>>>>> of plugins.
>>>>>
>>>>
>>>> Can you please add the following repositories:
>>>>
>>>> https://github.com/jenkinsci/swarm-plugin
>>>> https://github.com/jenkinsci/text-finder-plugin
>>>>
>>>> Thanks,
>>>> Basil


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-07-24 Thread Steve Hill
Could we also enable Dependabot for 
https://github.com/jenkinsci/gradle-jpi-plugin?

Best,
Steve

On Tuesday, July 23, 2019 at 12:39:26 PM UTC-7, Oleg Nenashev wrote:
>
> With Dependabot acquisition by GitHub, the project got some development 
> boost.
> Unfortunately, there is still no support of org-wide configurations, so we 
> cannot just put defaults to https://github.com/jenkinsci/.github 
> But we could at least put some samples there.
>
> I would also like to enable Dependabot for Jenkins Test Harness if nobody 
> is against.
>
> Once Jesse finishes his work on https://github.com/jenkinsci/bom/ , it 
> would be great to combine Dependabot and plugins with BOM (especially for 
> Pipeline which is nightmare to handle in Dependabot).
>
> BR, Oleg
>
>
> On Monday, June 10, 2019 at 7:04:08 PM UTC+2, Oleg Nenashev wrote:
>>
>> done!
>>
>> On Mon, Jun 10, 2019 at 6:40 PM Basil Crow wrote:
>>
>>> On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:

>>>> I am fine with going forward with enabling Dependabot for a wider set
>>>> of plugins.

>>>
>>>  Can you please add the following repositories:
>>>
>>> https://github.com/jenkinsci/swarm-plugin
>>> https://github.com/jenkinsci/text-finder-plugin
>>>
>>> Thanks,
>>> Basil
>>>


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-07-23 Thread Oleg Nenashev
With Dependabot acquisition by GitHub, the project got some development 
boost.
Unfortunately, there is still no support of org-wide configurations, so we 
cannot just put defaults to https://github.com/jenkinsci/.github 
But we could at least put some samples there.

I would also like to enable Dependabot for Jenkins Test Harness if nobody 
is against.

Once Jesse finishes his work on https://github.com/jenkinsci/bom/ , it 
would be great to combine Dependabot and plugins with BOM (especially for 
Pipeline which is nightmare to handle in Dependabot).

BR, Oleg


On Monday, June 10, 2019 at 7:04:08 PM UTC+2, Oleg Nenashev wrote:
>
> done!
>
> On Mon, Jun 10, 2019 at 6:40 PM Basil Crow  wrote:
>
>> On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
>>>
>>> I am fine with going forward with enabling Dependabot for a wider set of 
>>> plugins.
>>>
>>
>>  Can you please add the following repositories:
>>
>> https://github.com/jenkinsci/swarm-plugin
>> https://github.com/jenkinsci/text-finder-plugin
>>
>> Thanks,
>> Basil
>>


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-06-10 Thread Oleg Nenashev
done!

On Mon, Jun 10, 2019 at 6:40 PM Basil Crow  wrote:

> On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
>>
>> I am fine with going forward with enabling Dependabot for a wider set of
>> plugins.
>>
>
>  Can you please add the following repositories:
>
> https://github.com/jenkinsci/swarm-plugin
> https://github.com/jenkinsci/text-finder-plugin
>
> Thanks,
> Basil
>


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-06-10 Thread Basil Crow
On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote:
>
> I am fine with going forward with enabling Dependabot for a wider set of 
> plugins.
>

 Can you please add the following repositories:

https://github.com/jenkinsci/swarm-plugin
https://github.com/jenkinsci/text-finder-plugin

Thanks,
Basil



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-23 Thread Matt Sicker
If dependabot is somehow slower than I am at updating dependencies,
I'll make sure to complain to them. ;)

On Thu, May 23, 2019 at 1:59 AM Gavin Mogan  wrote:
>
> Please go ahead with both, I can always @dependabot ignore on blueocean as
> needed.
>
> On Wed, May 22, 2019 at 11:47 PM Oleg Nenashev  wrote:
>>
>> Hi all,
>>
>> I am fine with going forward with enabling Dependabot for a wider set of 
>> plugins. But IMHO it is still not ready for GA. Why?
>>
>> - We are still missing usage guidelines as it was discussed in the original
>>   emails
>> - In Dependabot there is also no way to set Dependabot on an organization
>>   level, and it complicates the adoptions for plugins
>>   (dependabot/feedback/issues/353)
>> - Dependabot needs write permissions to the repo. If you want to enable it for
>>   a mission-critical component, it might make sense to think twice before
>>   doing so
>> - We are missing feedback from early adopters. There are some comments in this
>>   thread + this Google Doc.
>>
>> Personally I am pretty fine with Dependabot results for my projects, and I 
>> am ready to go forward with plugins.
>>
>>>
>>> I'd really love to see the jackson repo most of all because I could get the 
>>> PR ready to release by the time jackson gets around to  announcing that 
>>> release. Helps speed up resolution of their countless CVEs over time.
>>
>>
>> With Dependabot you get "eventual security" (c) at best. Delivery of patches 
>> may be delivered by a week or so. It does not replace the security process 
>> in the Jenkins organization, but I do agree that keeping dependencies up to 
>> date reduced number of issues in projects which disclose security fixes 
>> post-factum after the release.
>>
>>> is it setup for all deps or only the parent plugin?
>>> Can blueocean-plugin get updated for the parent plugin (or is that a config 
>>> file somewhere)?
>>
>> - Dependabot manages all dependencies it can digest. It can handle almost all
>>   dependencies in Maven, including ones with versions defined by system
>>   properties. Maven plugins will be also updated
>> - BlueOcean plugins (multi-module repos) will be also handled by Dependabot.
>>   Now it supports multi-module repos
>>>
>>> Can I have the following added:
>>>
>>>  Can blueocean-display-url-plugin get it enabled?
>>
>>
>>  I can add them if you want to proceed after the comments above.
>>
>> Best regards,
>> Oleg
>>
>>
>> On Thursday, May 23, 2019 at 2:56:21 AM UTC+2, Gavin Mogan wrote:
>>>
>>> Can blueocean-display-url-plugin get it enabled? is it setup for all deps 
>>> or only the parent plugin?
>>> Can blueocean-plugin get updated for the parent plugin (or is that a config 
>>> file somewhere)?
>>>
>>> On Tue, May 21, 2019 at 12:36 PM Matt Sicker  wrote:

 I'd really love to see the jackson repo most of all because I could
 get the PR ready to release by the time jackson gets around to
 announcing that release. Helps speed up resolution of their countless
 CVEs over time.

 On Tue, May 21, 2019 at 2:12 PM Mark Waite  wrote:
 >
 > I've been very happy with dependabot enabled on the 
 > platformlabeler-plugin in the Jenkins organization.
 >
 > I've also continued my experiment allowing it to run on my forks of the 
 > git plugin and git client plugin.  It has been helpful in all cases.
 >
 > By the time I am reviewing a dependabot pull request to update a 
 > dependency, the CI job has completed and test results are available.
 >
 > On Tue, May 21, 2019 at 12:36 PM Matt Sicker  
 > wrote:
 >>
 >> Can I have the following added:
 >>
 >> https://github.com/jenkinsci/jackson2-api-plugin
 >> https://github.com/jenkinsci/jsch-plugin
 >> https://github.com/jenkinsci/pam-auth-plugin
 >> https://github.com/jenkinsci/ssh-credentials-plugin
 >> https://github.com/jenkinsci/audit-log-plugin
 >>
 >> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus  wrote:
 >> >
 >> > Done Carlos.
 >> >
 >> > On Thu, May 2, 2019 at 9:28 AM Carlos Sanchez wrote:
 >> >>
 >> >> please add https://github.com/jenkinsci/kubernetes-plugin
 >> >>
 >> >> thanks
 >> >>
 >> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick  
 >> >> wrote:
 >> >>>
 >> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its 
 >> >>> interesting
 >> >>> tests are not currently run in CI.
 >> >>>

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-23 Thread Gavin Mogan
Please go ahead with both, I can always @dependabot ignore on blueocean as
needed.

On Wed, May 22, 2019 at 11:47 PM Oleg Nenashev 
wrote:

> Hi all,
>
> I am fine with going forward with enabling Dependabot for a wider set of
> plugins. But IMHO it is still not ready for GA. Why?
>
> - We are still missing usage guidelines as it was discussed in the
>   original emails
> - In Dependabot there is also no way to set Dependabot on an
>   organization level, and it complicates the adoptions for plugins
>   (dependabot/feedback/issues/353)
> - Dependabot needs write permissions to the repo. If you want to
>   enable it for a mission-critical component, it might make sense to think
>   twice before doing so
> - We are missing feedback from early adopters. There are some comments
>   in this thread + this Google Doc.
>
> Personally I am pretty fine with Dependabot results for my projects, and I
> am ready to go forward with plugins.
>
>
>> I'd really love to see the jackson repo most of all because I could get
>> the PR ready to release by the time jackson gets around to  announcing that
>> release. Helps speed up resolution of their countless CVEs over time.
>>
>
> With Dependabot you get "eventual security" (c) at best. Delivery of
> patches may be delivered by a week or so. It does not replace the security
> process in the Jenkins organization, but I do agree that keeping
> dependencies up to date reduced number of issues in projects which disclose
> security fixes post-factum after the release.
>
> is it setup for all deps or only the parent plugin?
>> Can blueocean-plugin get updated for the parent plugin (or is that a
>> config file somewhere)?
>
>
> - Dependabot manages all dependencies it can digest. It can handle
>   almost all dependencies in Maven, including ones with versions defined by
>   system properties. Maven plugins will be also updated
> - BlueOcean plugins (multi-module repos) will be also handled by
>   Dependabot. Now it supports multi-module repos
>
> Can I have the following added:
>>
>  Can blueocean-display-url-plugin get it enabled?
>
>
>  I can add them if you want to proceed after the comments above.
>
> Best regards,
> Oleg
>
>
> On Thursday, May 23, 2019 at 2:56:21 AM UTC+2, Gavin Mogan wrote:
>>
>> Can blueocean-display-url-plugin get it enabled? is it setup for all deps
>> or only the parent plugin?
>> Can blueocean-plugin get updated for the parent plugin (or is that a
>> config file somewhere)?
>>
>> On Tue, May 21, 2019 at 12:36 PM Matt Sicker 
>> wrote:
>>
>>> I'd really love to see the jackson repo most of all because I could
>>> get the PR ready to release by the time jackson gets around to
>>> announcing that release. Helps speed up resolution of their countless
>>> CVEs over time.
>>>
>>> On Tue, May 21, 2019 at 2:12 PM Mark Waite  wrote:
>>> >
>>> > I've been very happy with dependabot enabled on the
>>> platformlabeler-plugin in the Jenkins organization.
>>> >
>>> > I've also continued my experiment allowing it to run on my forks of
>>> the git plugin and git client plugin.  It has been helpful in all cases.
>>> >
>>> > By the time I am reviewing a dependabot pull request to update a
>>> dependency, the CI job has completed and test results are available.
>>> >
>>> > On Tue, May 21, 2019 at 12:36 PM Matt Sicker 
>>> wrote:
>>> >>
>>> >> Can I have the following added:
>>> >>
>>> >> https://github.com/jenkinsci/jackson2-api-plugin
>>> >> https://github.com/jenkinsci/jsch-plugin
>>> >> https://github.com/jenkinsci/pam-auth-plugin
>>> >> https://github.com/jenkinsci/ssh-credentials-plugin
>>> >> https://github.com/jenkinsci/audit-log-plugin
>>> >>
>>> >> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus 
>>> wrote:
>>> >> >
>>> >> > Done Carlos.
>>> >> >
>>> >> > On Thu, May 2, 2019 at 9:28 AM Carlos Sanchez wrote:
>>> >> >>
>>> >> >> please add https://github.com/jenkinsci/kubernetes-plugin
>>> >> >>
>>> >> >> thanks
>>> >> >>
>>> >> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick 
>>> wrote:
>>> >> >>>
>>> >> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its
>>> interesting
>>> >> >>> tests are not currently run in CI.
>>> >> >>>

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-23 Thread Oleg Nenashev
Hi all,

I am fine with going forward with enabling Dependabot for a wider set of 
plugins. But IMHO it is still not ready for GA. Why?

   - We are still missing usage guidelines as it was discussed in the
   original emails
   - In Dependabot there is also no way to set Dependabot on an
   organization level, and it complicates the adoptions for plugins
   (dependabot/feedback/issues/353)
   - Dependabot needs write permissions to the repo. If you want to enable
   it for a mission-critical component, it might make sense to think twice
   before doing so
   - We are missing feedback from early adopters. There are some comments
   in this thread + this Google Doc.

Personally I am pretty fine with Dependabot results for my projects, and I 
am ready to go forward with plugins.


> I'd really love to see the jackson repo most of all because I could get 
> the PR ready to release by the time jackson gets around to  announcing that 
> release. Helps speed up resolution of their countless CVEs over time. 
>

With Dependabot you get "eventual security" (c) at best. Delivery of 
patches may be delivered by a week or so. It does not replace the security 
process in the Jenkins organization, but I do agree that keeping 
dependencies up to date reduced number of issues in projects which disclose 
security fixes post-factum after the release.

> is it setup for all deps or only the parent plugin?
> Can blueocean-plugin get updated for the parent plugin (or is that a 
> config file somewhere)?


   - Dependabot manages all dependencies it can digest. It can handle 
   almost all dependencies in Maven, including ones with versions defined by 
   system properties. Maven plugins will be also updated
   - BlueOcean plugins (multi-module repos) will be also handled by 
   Dependabot. Now it supports multi-module repos 

> Can I have the following added:
>
> Can blueocean-display-url-plugin get it enabled?


 I can add them if you want to proceed after the comments above.

Best regards,
Oleg


On Thursday, May 23, 2019 at 2:56:21 AM UTC+2, Gavin Mogan wrote:
>
> Can blueocean-display-url-plugin get it enabled? is it setup for all deps 
> or only the parent plugin?
> Can blueocean-plugin get updated for the parent plugin (or is that a 
> config file somewhere)?
>
> On Tue, May 21, 2019 at 12:36 PM Matt Sicker wrote:
>
>> I'd really love to see the jackson repo most of all because I could
>> get the PR ready to release by the time jackson gets around to
>> announcing that release. Helps speed up resolution of their countless
>> CVEs over time.
>>
>> On Tue, May 21, 2019 at 2:12 PM Mark Waite wrote:
>> >
>> > I've been very happy with dependabot enabled on the 
>> platformlabeler-plugin in the Jenkins organization.
>> >
>> > I've also continued my experiment allowing it to run on my forks of the 
>> git plugin and git client plugin.  It has been helpful in all cases.
>> >
>> > By the time I am reviewing a dependabot pull request to update a 
>> dependency, the CI job has completed and test results are available.
>> >
>> > On Tue, May 21, 2019 at 12:36 PM Matt Sicker wrote:
>> >>
>> >> Can I have the following added:
>> >>
>> >> https://github.com/jenkinsci/jackson2-api-plugin
>> >> https://github.com/jenkinsci/jsch-plugin
>> >> https://github.com/jenkinsci/pam-auth-plugin
>> >> https://github.com/jenkinsci/ssh-credentials-plugin
>> >> https://github.com/jenkinsci/audit-log-plugin
>> >>
>> >> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus wrote:
>> >> >
>> >> > Done Carlos.
>> >> >
>> >> > On Thu, May 2, 2019 at 9:28 AM Carlos Sanchez wrote:
>> >> >>
>> >> >> please add https://github.com/jenkinsci/kubernetes-plugin
>> >> >>
>> >> >> thanks
>> >> >>
>> >> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick wrote:
>> >> >>>
>> >> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its 
>> interesting
>> >> >>> tests are not currently run in CI.
>> >> >>>

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-22 Thread Gavin Mogan
Can blueocean-display-url-plugin get it enabled? is it setup for all deps
or only the parent plugin?
Can blueocean-plugin get updated for the parent plugin (or is that a config
file somewhere)?

On Tue, May 21, 2019 at 12:36 PM Matt Sicker  wrote:

> I'd really love to see the jackson repo most of all because I could
> get the PR ready to release by the time jackson gets around to
> announcing that release. Helps speed up resolution of their countless
> CVEs over time.
>
> On Tue, May 21, 2019 at 2:12 PM Mark Waite 
> wrote:
> >
> > I've been very happy with dependabot enabled on the
> platformlabeler-plugin in the Jenkins organization.
> >
> > I've also continued my experiment allowing it to run on my forks of the
> git plugin and git client plugin.  It has been helpful in all cases.
> >
> > By the time I am reviewing a dependabot pull request to update a
> dependency, the CI job has completed and test results are available.
> >
> > On Tue, May 21, 2019 at 12:36 PM Matt Sicker 
> wrote:
> >>
> >> Can I have the following added:
> >>
> >> https://github.com/jenkinsci/jackson2-api-plugin
> >> https://github.com/jenkinsci/jsch-plugin
> >> https://github.com/jenkinsci/pam-auth-plugin
> >> https://github.com/jenkinsci/ssh-credentials-plugin
> >> https://github.com/jenkinsci/audit-log-plugin
> >>
> >> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus  wrote:
> >> >
> >> > Done Carlos.
> >> >
> >> > On Thu, May 2, 2019 at 9:28 AM Carlos Sanchez wrote:
> >> >>
> >> >> please add https://github.com/jenkinsci/kubernetes-plugin
> >> >>
> >> >> thanks
> >> >>
> >> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick 
> wrote:
> >> >>>
> >> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its
> interesting
> >> >>> tests are not currently run in CI.
> >> >>>
> >>
> >>
> >>
> >> --
> >> Matt Sicker
> >> Senior Software Engineer, CloudBees
> >>
> >
> >
> >
> > --
> > Thanks!
> > Mark Waite
> >
>
>
>
> --
> Matt Sicker
> Senior Software Engineer, CloudBees
>
>


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-21 Thread Matt Sicker
I'd really love to see the jackson repo most of all because I could
get the PR ready to release by the time jackson gets around to
announcing that release. Helps speed up resolution of their countless
CVEs over time.

On Tue, May 21, 2019 at 2:12 PM Mark Waite  wrote:
>
> I've been very happy with dependabot enabled on the platformlabeler-plugin in 
> the Jenkins organization.
>
> I've also continued my experiment allowing it to run on my forks of the git 
> plugin and git client plugin.  It has been helpful in all cases.
>
> By the time I am reviewing a dependabot pull request to update a dependency, 
> the CI job has completed and test results are available.
>
> On Tue, May 21, 2019 at 12:36 PM Matt Sicker  wrote:
>>
>> Can I have the following added:
>>
>> https://github.com/jenkinsci/jackson2-api-plugin
>> https://github.com/jenkinsci/jsch-plugin
>> https://github.com/jenkinsci/pam-auth-plugin
>> https://github.com/jenkinsci/ssh-credentials-plugin
>> https://github.com/jenkinsci/audit-log-plugin
>>
>> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus  wrote:
>> >
>> > Done Carlos.
>> >
>> > On Thu, May 2, 2019 at 9:28 AM Carlos Sanchez wrote:
>> >>
>> >> please add https://github.com/jenkinsci/kubernetes-plugin
>> >>
>> >> thanks
>> >>
>> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick  wrote:
>> >>>
>> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
>> >>> tests are not currently run in CI.
>> >>>
>>
>>
>>
>> --
>> Matt Sicker
>> Senior Software Engineer, CloudBees
>>
>
>
>
> --
> Thanks!
> Mark Waite
>



-- 
Matt Sicker
Senior Software Engineer, CloudBees



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-21 Thread Mark Waite
I've been very happy with dependabot enabled on the platformlabeler-plugin
in the Jenkins organization.

I've also continued my experiment allowing it to run on my forks of the git
plugin and git client plugin.  It has been helpful in all cases.

By the time I am reviewing a dependabot pull request to update a
dependency, the CI job has completed and test results are available.

On Tue, May 21, 2019 at 12:36 PM Matt Sicker  wrote:

> Can I have the following added:
>
> https://github.com/jenkinsci/jackson2-api-plugin
> https://github.com/jenkinsci/jsch-plugin
> https://github.com/jenkinsci/pam-auth-plugin
> https://github.com/jenkinsci/ssh-credentials-plugin
> https://github.com/jenkinsci/audit-log-plugin
>
> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus  wrote:
> >
> > Done Carlos.
> >
> > On Thu, May 2, 2019 at 9:28 AM Carlos Sanchez wrote:
> >>
> >> please add https://github.com/jenkinsci/kubernetes-plugin
> >>
> >> thanks
> >>
> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick 
> wrote:
> >>>
> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
> >>> tests are not currently run in CI.
> >>>
>
>
>
> --
> Matt Sicker
> Senior Software Engineer, CloudBees
>
>


-- 
Thanks!
Mark Waite



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-21 Thread Matt Sicker
Can I have the following added:

https://github.com/jenkinsci/jackson2-api-plugin
https://github.com/jenkinsci/jsch-plugin
https://github.com/jenkinsci/pam-auth-plugin
https://github.com/jenkinsci/ssh-credentials-plugin
https://github.com/jenkinsci/audit-log-plugin

On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus  wrote:
>
> Done Carlos.
>
> On Thu, May 2, 2019 at 9:28 AM Carlos Sanchez wrote:
>>
>> please add https://github.com/jenkinsci/kubernetes-plugin
>>
>> thanks
>>
>> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick  wrote:
>>>
>>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
>>> tests are not currently run in CI.
>>>



-- 
Matt Sicker
Senior Software Engineer, CloudBees



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-02 Thread Baptiste Mathus
Done Carlos.

On Thu, May 2, 2019 at 9:28 AM Carlos Sanchez wrote:

> please add https://github.com/jenkinsci/kubernetes-plugin
>
> thanks
>
> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick  wrote:
>
>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
>> tests are not currently run in CI.



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-02 Thread Carlos Sanchez
please add https://github.com/jenkinsci/kubernetes-plugin

thanks

On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick  wrote:

> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
> tests are not currently run in CI.



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-03-27 Thread Jesse Glick
Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
tests are not currently run in CI.



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-03-18 Thread Oleg Nenashev
Hi Raphael,

Done.

BR, Oleg

On Monday, March 11, 2019 at 10:54:57 AM UTC+1, Raphael Pionke wrote:
>
> Hi Oleg,
>
> I'm also interested! Can you please add the following repo?
>
>    - https://github.com/jenkinsci/performance-signature-dynatrace-plugin
>
> Regards,
> Raphael
>
>
> On Monday, March 4, 2019 at 15:40:57 UTC+1, Oleg Nenashev wrote:
>>
>> Hi Baptiste, the requested repositories have been added.
>>
>> @All I also added the Plugin Compat Tester and Custom WAR Packager 
>> repositories
>>
>>
>>    - https://github.com/jenkinsci/custom-war-packager
>>    - https://github.com/jenkinsci/plugin-compat-tester
>>
>> Both of them are development tools, so it should be ok.
>>
>> Best regards,
>> Oleg
>>
>>
>> On Wednesday, February 27, 2019 at 2:04:43 PM UTC+1, Baptiste Mathus 
>> wrote:
>>>
>>> Thanks for driving this Oleg!
>>>
>>> I'm in for the plugins I'm maintaining:
>>>
>>>    - https://github.com/jenkinsci/buildtriggerbadge-plugin/
>>>    - https://github.com/jenkinsci/chucknorris-plugin
>>>    - https://github.com/jenkinsci/versioncolumn-plugin
>>>    - https://github.com/jenkinsci/parameterized-scheduler-plugin
>>>
>>> If I can add them myself, feel free to just point me to some link/docs, 
>>> and I'll handle it myself.
>>> Thanks!
>>>
>>> -- Baptiste
>>>
>>> On Mon, Feb 25, 2019 at 14:35, Oleg Nenashev wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have enabled Dependabot and added the requested components. Enjoy the
>>>> PR notifications in your Inbox :)
>>>>
>>>> I have also started a Google Doc
>>>> where everybody is welcome to put comments/feedback about the evaluation.
>>>> It should help us to discuss the experienced issues and to create best
>>>> practices/policies in the future JEPs.
>>>>
>>>> Hi Ulli and Joseph,
>>>>
>>>> As discussed above, there is a preference to limit the testing scope to
>>>> development tools and to plugins with low usage numbers for now. I have
>>>> added "analysis-model" and "vstestrunner" components for now, but I would
>>>> prefer to wait a bit before we add other plugins.
>>>>
>>>> BR, Oleg
>>>>
>>>>
>>>> On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote:
>>>>>
>>>>> Please enable it for
>>>>>
>>>>> * bitbucket-branch-source-plugin
>>>>> * mstest-plugin
>>>>> * vstestrunner-plugin
>>>>>
>>>>> On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
>>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> I would like to follow-up on the Dependabot request from Jesse Glick
>>>>>> in INFRA-1975. Dependabot is a service for automated
>>>>>> dependency updates which supports many languages/tools, including Maven,
>>>>>> Docker and Gradle which are being heavily used in Jenkins.
>>>>>>
>>>>>> Dependency management is a problem in Jenkins, because we have
>>>>>> hundreds of repositories with many dependencies there. Maintainers spend
>>>>>> a lot of time on managing dependencies, and sometimes it leads to ancient
>>>>>> dependencies in components. Especially in the development tools which
>>>>>> "just work". By automating dependency updates we could give maintainers
>>>>>> more time to focus on other tasks.
>>>>>>
>>>>>> Dependabot is one of the engines we could use for dependency
>>>>>> management. It is free for open-source projects, and it is a SaaS
>>>>>> application which can be almost completely managed from GitHub. It can
>>>>>> just create pull requests or, if we want, implement validated merge with
>>>>>> help of ci.jenkins.io. No special infrastructure required, and this is an
>>>>>> advantage for us. There are other implementations (including
>>>>>> UpdateBot by Fabric8/Jenkins X which has a Jenkins plugin), but it would
>>>>>> require more efforts to deploy the infrastructure. It could be considered
>>>>>> in the future if we want to have Jenkins-powered update management in the
>>>>>> final implementation.
>>>>>>
>>>>>> My proposal would be to enable Dependabot for a *limited number* of
>>>>>> Jenkins repositories so that we can experiment with it. I propose to
>>>>>> focus on development tools and pre-1.0 projects only for now so that we
>>>>>> can experiment with flow without a risk of impact on components being
>>>>>> used in production in the Jenkins project. And we will be setting up
>>>>>> auto-updates only for projects with existing test automation.
>>>>>>
>>>>>>    - Jenkinsfile Runner - Example PRs in my local repo
>>>>>>    - ci.jenkins.io-runner - Example PRs (bot was disabled after moving
>>>>>>      the repo)
>>>>>>    - plugin-pom -

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-03-11 Thread Raphael Pionke
Hi Oleg,

I'm also interested! Can you please add the following repo?

   - https://github.com/jenkinsci/performance-signature-dynatrace-plugin

Regards,
Raphael


On Monday, March 4, 2019 at 15:40:57 UTC+1, Oleg Nenashev wrote:
>
> Hi Baptiste, the requested repositories have been added.
>
> @All I also added the Plugin Compat Tester and Custom WAR Packager 
> repositories
>
>
>    - https://github.com/jenkinsci/custom-war-packager
>    - https://github.com/jenkinsci/plugin-compat-tester
>
> Both of them are development tools, so it should be ok.
>
> Best regards,
> Oleg
>
>
> On Wednesday, February 27, 2019 at 2:04:43 PM UTC+1, Baptiste Mathus wrote:
>>
>> Thanks for driving this Oleg!
>>
>> I'm in for the plugins I'm maintaining:
>>
>>    - https://github.com/jenkinsci/buildtriggerbadge-plugin/
>>    - https://github.com/jenkinsci/chucknorris-plugin
>>    - https://github.com/jenkinsci/versioncolumn-plugin
>>    - https://github.com/jenkinsci/parameterized-scheduler-plugin
>>
>> If I can add them myself, feel free to just point me to some link/docs, 
>> and I'll handle it myself.
>> Thanks!
>>
>> -- Baptiste
>>
>> On Mon, Feb 25, 2019 at 14:35, Oleg Nenashev wrote:
>>
>>> Hi all,
>>>
>>> I have enabled Dependabot and added the requested components. Enjoy the 
>>> PR notifications in your Inbox :) 
>>>
>>> I have also started a Google Doc
>>> where everybody is welcome to put comments/feedback about the evaluation. 
>>> It should help us to discuss the experienced issues and to create best 
>>> practices/policies in the future JEPs.
>>>  
>>> Hi Ulli and Joseph,
>>>
>>> As discussed above, there is a preference to limit the testing scope to 
>>> development tools and to plugins with low usage numbers for now. I have 
>>> added "analysis-model" and "vstestrunner" components for now, but I would 
>>> prefer to wait a bit before we add other plugins.
>>>
>>> BR, Oleg
>>>
>>>
>>> On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote:

>>>> Please enable it for
>>>>
>>>> * bitbucket-branch-source-plugin
>>>> * mstest-plugin
>>>> * vstestrunner-plugin
>>>>
>>>> On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
>>>>>
>>>>> Dear all,
>>>>>
>>>>> I would like to follow-up on the Dependabot request from Jesse Glick
>>>>> in INFRA-1975. Dependabot is a service for automated
>>>>> dependency updates which supports many languages/tools, including Maven,
>>>>> Docker and Gradle which are being heavily used in Jenkins.
>>>>>
>>>>> Dependency management is a problem in Jenkins, because we have
>>>>> hundreds of repositories with many dependencies there. Maintainers spend
>>>>> a lot of time on managing dependencies, and sometimes it leads to ancient
>>>>> dependencies in components. Especially in the development tools which
>>>>> "just work". By automating dependency updates we could give maintainers
>>>>> more time to focus on other tasks.
>>>>>
>>>>> Dependabot is one of the engines we could use for dependency
>>>>> management. It is free for open-source projects, and it is a SaaS
>>>>> application which can be almost completely managed from GitHub. It can
>>>>> just create pull requests or, if we want, implement validated merge with
>>>>> help of ci.jenkins.io. No special infrastructure required, and this is an
>>>>> advantage for us. There are other implementations (including UpdateBot
>>>>> by Fabric8/Jenkins X which has a Jenkins plugin), but it would require
>>>>> more efforts to deploy the infrastructure. It could be considered in the
>>>>> future if we want to have Jenkins-powered update management in the final
>>>>> implementation.
>>>>>
>>>>> My proposal would be to enable Dependabot for a *limited number* of
>>>>> Jenkins repositories so that we can experiment with it. I propose to
>>>>> focus on development tools and pre-1.0 projects only for now so that we
>>>>> can experiment with flow without a risk of impact on components being
>>>>> used in production in the Jenkins project. And we will be setting up
>>>>> auto-updates only for projects with existing test automation.
>>>>>
>>>>>    - Jenkinsfile Runner - Example PRs in my local repo
>>>>>    - ci.jenkins.io-runner - Example PRs (bot was disabled after moving
>>>>>      the repo)
>>>>>    - plugin-pom - Example PRs in my local repo
>>>>>    - maven-hpi-plugin - Example PRs in my local Repo
>>>>>
>>>>> More repositories can be added if somebody is

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-03-04 Thread Oleg Nenashev
Hi Baptiste, the requested repositories have been added.

@All I also added the Plugin Compat Tester and Custom WAR Packager 
repositories


   - https://github.com/jenkinsci/custom-war-packager
   - https://github.com/jenkinsci/plugin-compat-tester
   
Both of them are development tools, so it should be ok.

Best regards,
Oleg


On Wednesday, February 27, 2019 at 2:04:43 PM UTC+1, Baptiste Mathus wrote:
>
> Thanks for driving this Oleg!
>
> I'm in for the plugins I'm maintaining:
>
>    - https://github.com/jenkinsci/buildtriggerbadge-plugin/
>    - https://github.com/jenkinsci/chucknorris-plugin
>    - https://github.com/jenkinsci/versioncolumn-plugin
>    - https://github.com/jenkinsci/parameterized-scheduler-plugin
>
> If I can add them myself, feel free to just point me to some link/docs, 
> and I'll handle it myself.
> Thanks!
>
> -- Baptiste
>
> On Mon, Feb 25, 2019 at 14:35, Oleg Nenashev wrote:
>
>> Hi all,
>>
>> I have enabled Dependabot and added the requested components. Enjoy the 
>> PR notifications in your Inbox :) 
>>
>> I have also started a Google Doc
>> where everybody is welcome to put comments/feedback about the evaluation. 
>> It should help us to discuss the experienced issues and to create best 
>> practices/policies in the future JEPs.
>>  
>> Hi Ulli and Joseph,
>>
>> As discussed above, there is a preference to limit the testing scope to 
>> development tools and to plugins with low usage numbers for now. I have 
>> added "analysis-model" and "vstestrunner" components for now, but I would 
>> prefer to wait a bit before we add other plugins.
>>
>> BR, Oleg
>>
>>
>> On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote:
>>>
>>> Please enable it for
>>>
>>> * bitbucket-branch-source-plugin
>>> * mstest-plugin
>>> * vstestrunner-plugin
>>>
>>> On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:

>>>> Dear all,
>>>>
>>>> I would like to follow-up on the Dependabot request from Jesse Glick in
>>>> INFRA-1975. Dependabot is a service for automated
>>>> dependency updates which supports many languages/tools, including Maven,
>>>> Docker and Gradle which are being heavily used in Jenkins.
>>>>
>>>> Dependency management is a problem in Jenkins, because we have hundreds
>>>> of repositories with many dependencies there. Maintainers spend a lot of
>>>> time on managing dependencies, and sometimes it leads to ancient
>>>> dependencies in components. Especially in the development tools which
>>>> "just work". By automating dependency updates we could give maintainers
>>>> more time to focus on other tasks.
>>>>
>>>> Dependabot is one of the engines we could use for dependency
>>>> management. It is free for open-source projects, and it is a SaaS
>>>> application which can be almost completely managed from GitHub. It can
>>>> just create pull requests or, if we want, implement validated merge with
>>>> help of ci.jenkins.io. No special infrastructure required, and this is an
>>>> advantage for us. There are other implementations (including UpdateBot
>>>> by Fabric8/Jenkins X which has a Jenkins plugin), but it would require
>>>> more efforts to deploy the infrastructure. It could be considered in the
>>>> future if we want to have Jenkins-powered update management in the final
>>>> implementation.
>>>>
>>>> My proposal would be to enable Dependabot for a *limited number* of
>>>> Jenkins repositories so that we can experiment with it. I propose to focus
>>>> on development tools and pre-1.0 projects only for now so that we can
>>>> experiment with flow without a risk of impact on components being used in
>>>> production in the Jenkins project. And we will be setting up auto-updates
>>>> only for projects with existing test automation.
>>>>
>>>>    - Jenkinsfile Runner - Example PRs in my local repo
>>>>    - ci.jenkins.io-runner - Example PRs (bot was disabled after moving
>>>>      the repo)
>>>>    - plugin-pom - Example PRs in my local repo
>>>>    - maven-hpi-plugin - Example PRs in my local Repo
>>>>
>>>> More repositories can be added if somebody is interested to participate
>>>> in the Dependabot evaluation. If there is a positive feedback after the
>>>> initial evaluation, we could proceed with creating a JEP to define the
>>>> flow and the usage/administration policies.
>>>>
>>>> What do you think?
>>>>
>>>> Thanks in advance,
>>>> Oleg


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-27 Thread Baptiste Mathus
Thanks for driving this Oleg!

I'm in for the plugins I'm maintaining:

   - https://github.com/jenkinsci/buildtriggerbadge-plugin/
   - https://github.com/jenkinsci/chucknorris-plugin
   - https://github.com/jenkinsci/versioncolumn-plugin
   - https://github.com/jenkinsci/parameterized-scheduler-plugin

If I can add them myself, feel free to just point me to some link/docs, and
I'll handle it myself.
Thanks!

-- Baptiste

On Mon, Feb 25, 2019 at 14:35, Oleg Nenashev wrote:

> Hi all,
>
> I have enabled Dependabot and added the requested components. Enjoy the PR
> notifications in your Inbox :)
>
> I have also started a Google Doc
> where everybody is welcome to put comments/feedback about the evaluation.
> It should help us to discuss the experienced issues and to create best
> practices/policies in the future JEPs.
>
> Hi Ulli and Joseph,
>
> As discussed above, there is a preference to limit the testing scope to
> development tools and to plugins with low usage numbers for now. I have
> added "analysis-model" and "vstestrunner" components for now, but I would
> prefer to wait a bit before we add other plugins.
>
> BR, Oleg
>
>
> On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote:
>>
>> Please enable it for
>>
>> * bitbucket-branch-source-plugin
>> * mstest-plugin
>> * vstestrunner-plugin
>>
>> On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
>>>
>>> Dear all,
>>>
>>> I would like to follow-up on the Dependabot request from Jesse Glick in
>>> INFRA-1975. Dependabot is a service for automated dependency updates
>>> which supports many languages/tools, including Maven, Docker and Gradle
>>> which are being heavily used in Jenkins.
>>>
>>> Dependency management is a problem in Jenkins, because we have hundreds
>>> of repositories with many dependencies there. Maintainers spend a lot of
>>> time on managing dependencies, and sometimes it leads to ancient
>>> dependencies in components. Especially in the development tools which "just
>>> work". By automating dependency updates we could give maintainers more time
>>> to focus on other tasks.
>>>
>>> Dependabot is one of the engines we could use for dependency management.
>>> It is free for open-source projects, and it is a SaaS application which can
>>> be almost completely managed from GitHub. It can just create pull requests
>>> or, if we want, implement validated merge with help of ci.jenkins.io.
>>> No special infrastructure required, and this is an advantage for us. There
>>> are other implementations (including UpdateBot
>>> by Fabric8/Jenkins X which has
>>> a Jenkins plugin), but it would require more efforts to deploy the
>>> infrastructure. It could be considered in the future if we want to have
>>> Jenkins-powered update management in the final implementation.
>>>
>>> My proposal would be to enable Dependabot for a *limited number* of
>>> Jenkins repositories so that we can experiment with it. I propose to focus
>>> on development tools and pre-1.0 projects only for now so that we can
>>> experiment with flow without a risk of impact on components being used in
>>> production in the Jenkins project. And we will be setting up auto-updates
>>> only for projects with existing test automation.
>>>
>>>    - Jenkinsfile Runner - Example PRs in my local repo
>>>    - ci.jenkins.io-runner - Example PRs (bot was disabled after moving
>>>      the repo)
>>>    - plugin-pom - Example PRs in my local repo
>>>    - maven-hpi-plugin - Example PRs in my local Repo
>>>
>>> More repositories can be added if somebody is interested to participate
>>> in the Dependabot evaluation. If there is a positive feedback after the
>>> initial evaluation, we could proceed with creating a JEP to define the flow
>>> and the usage/administration policies.
>>>
>>> What do you think?
>>>
>>> Thanks in advance,
>>> Oleg
>>>


Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-25 Thread Oleg Nenashev
Hi all,

I have enabled Dependabot and added the requested components. Enjoy the PR 
notifications in your Inbox :) 

I have also started a Google Doc
where everybody is welcome to put comments/feedback about the evaluation. 
It should help us to discuss the experienced issues and to create best 
practices/policies in the future JEPs.
 
Hi Ulli and Joseph,

As discussed above, there is a preference to limit the testing scope to 
development tools and to plugins with low usage numbers for now. I have 
added "analysis-model" and "vstestrunner" components for now, but I would 
prefer to wait a bit before we add other plugins.

BR, Oleg


On Friday, February 22, 2019 at 11:55:23 PM UTC+1, Joseph P wrote:
>
> Please enable it for
>
> * bitbucket-branch-source-plugin
> * mstest-plugin
> * vstestrunner-plugin
>
> On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
>>
>> Dear all,
>>
>> I would like to follow-up on the Dependabot request from Jesse Glick in
>> INFRA-1975. Dependabot is a service for automated dependency updates
>> which supports many languages/tools, including Maven, Docker and Gradle
>> which are being heavily used in Jenkins.
>>
>> Dependency management is a problem in Jenkins, because we have hundreds 
>> of repositories with many dependencies there. Maintainers spend a lot of 
>> time on managing dependencies, and sometimes it leads to ancient 
>> dependencies in components. Especially in the development tools which "just 
>> work". By automating dependency updates we could give maintainers more time 
>> to focus on other tasks.
>>
>> Dependabot is one of the engines we could use for dependency management. 
>> It is free for open-source projects, and it is a SaaS application which can 
>> be almost completely managed from GitHub. It can just create pull requests 
>> or, if we want, implement validated merge with help of ci.jenkins.io. No 
>> special infrastructure required, and this is an advantage for us. There are 
>> other implementations (including UpdateBot
>> by Fabric8/Jenkins X which has
>> a Jenkins plugin), but it would require more efforts to deploy the 
>> infrastructure. It could be considered in the future if we want to have 
>> Jenkins-powered update management in the final implementation.
>>
>> My proposal would be to enable Dependabot for a *limited number* of 
>> Jenkins repositories so that we can experiment with it. I propose to focus 
>> on development tools and pre-1.0 projects only for now so that we can 
>> experiment with flow without a risk of impact on components being used in 
>> production in the Jenkins project. And we will be setting up auto-updates 
>> only for projects with existing test automation.
>>
>>    - Jenkinsfile Runner - Example PRs in my local repo
>>    - ci.jenkins.io-runner - Example PRs (bot was disabled after moving
>>      the repo)
>>    - plugin-pom - Example PRs in my local repo
>>    - maven-hpi-plugin - Example PRs in my local Repo
>>
>> More repositories can be added if somebody is interested to participate 
>> in the Dependabot evaluation. If there is a positive feedback after the 
>> initial evaluation, we could proceed with creating a JEP to define the flow 
>> and the usage/administration policies.
>>
>> What do you think?
>>
>> Thanks in advance,
>> Oleg
>>
>>



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-22 Thread Joseph P
Please enable it for

* bitbucket-branch-source-plugin
* mstest-plugin
* vstestrunner-plugin

On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote:
>
> Dear all,
>
> I would like to follow-up on the Dependabot request from Jesse Glick in
> INFRA-1975. Dependabot is a service for automated dependency updates
> which supports many languages/tools, including Maven, Docker and Gradle
> which are being heavily used in Jenkins.
>
> Dependency management is a problem in Jenkins, because we have hundreds of 
> repositories with many dependencies there. Maintainers spend a lot of time 
> on managing dependencies, and sometimes it leads to ancient dependencies in 
> components. Especially in the development tools which "just work". By 
> automating dependency updates we could give maintainers more time to focus 
> on other tasks.
>
> Dependabot is one of the engines we could use for dependency management. 
> It is free for open-source projects, and it is a SaaS application which can 
> be almost completely managed from GitHub. It can just create pull requests 
> or, if we want, implement validated merge with help of ci.jenkins.io. No 
> special infrastructure required, and this is an advantage for us. There are 
> other implementations (including UpdateBot
> by Fabric8/Jenkins X which has a
> Jenkins plugin), but it would require more efforts to deploy the 
> infrastructure. It could be considered in the future if we want to have 
> Jenkins-powered update management in the final implementation.
>
> My proposal would be to enable Dependabot for a *limited number* of 
> Jenkins repositories so that we can experiment with it. I propose to focus 
> on development tools and pre-1.0 projects only for now so that we can 
> experiment with flow without a risk of impact on components being used in 
> production in the Jenkins project. And we will be setting up auto-updates 
> only for projects with existing test automation.
>
>    - Jenkinsfile Runner - Example PRs in my local repo
>    - ci.jenkins.io-runner - Example PRs (bot was disabled after moving
>      the repo)
>    - plugin-pom - Example PRs in my local repo
>    - maven-hpi-plugin - Example PRs in my local Repo
>
> More repositories can be added if somebody is interested to participate in 
> the Dependabot evaluation. If there is a positive feedback after the 
> initial evaluation, we could proceed with creating a JEP to define the flow 
> and the usage/administration policies.
>
> What do you think?
>
> Thanks in advance,
> Oleg
>
>



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-22 Thread Ullrich Hafner
I like this idea as well. You can enable it for

- analysis-model
- warnings-ng-plugin


> On 22.02.2019, at 14:30, Jesse Glick wrote:
> 
> On Thu, Feb 21, 2019 at 6:25 PM Oleg Nenashev  wrote:
>> Speaking seriously, we could try to add some Jenkins plugins to the 
>> experiment if (a) and (b) conditions are met.
> 
> To start with, sign me up for:
> 
> * log-cli
> * pipeline-cloudwatch-logs
> * parallel-test-executor
> * mock-slave
> 
> which should give a decent mix.
> 
>> I would recommend configuration-as-code
> 
> Yes please.
> 
>> Document recommendations in JEP after the evaluation
>> Provide Config File samples (in JEP) so that maintainers can configure 
>> Dependabot correctly
> 
> Definitely.





Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-22 Thread Jesse Glick
On Thu, Feb 21, 2019 at 6:25 PM Oleg Nenashev  wrote:
> Speaking seriously, we could try to add some Jenkins plugins to the 
> experiment if (a) and (b) conditions are met.

To start with, sign me up for:

* log-cli
* pipeline-cloudwatch-logs
* parallel-test-executor
* mock-slave

which should give a decent mix.

> I would recommend configuration-as-code

Yes please.

> Document recommendations in JEP after the evaluation
> Provide Config File samples (in JEP) so that maintainers can configure 
> Dependabot correctly

Definitely.



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Mark Waite
On Thu, Feb 21, 2019 at 4:25 PM Oleg Nenashev  wrote:

> Hi all,
>
> Thanks for the responses! If there is no negative feedback, I will proceed
> with the implementation next Monday. Whoever wants to add any extra
> components to evaluation, please comment in this thread.
>
> Jesse: Since the primary use case is offering updates to plugin
>> repositories,
>> I would suggest including at least one example of `*-plugin`. . if
>> (a) have fairly low installation count (b) are maintained by people
>> actively participating in the trial.
>>
>
> maven-hpi-plugin matches the wildcard :P
> Speaking seriously, we could try to add some Jenkins plugins to the
> experiment if (a) and (b) conditions are met.
> If Mark wants to try out his plugins
>
>
The platformlabeler plugin meets conditions (a) and (b).  The other two
plugins I maintain don't meet condition (a).   Definitely enable it on
platformlabeler-plugin.

I'm willing to try it on the other two plugins I maintain, but am also fine
skipping them if it is not comfortable for the community.

I will actively participate in the trial.


> Mark: Updates to non-test dependencies are not very helpful for me.  When
>> dependabot suggests that the git plugin should rely on the latest release
>> of some other plugin, it risks placing unnecessary demands on users to
>> install newer plugins than are required.  I tell dependabot to stop
>> offering those dependency updates.  It closes the pull requests and stops
>> offering updates to that component.
>>
>
> Yes, dependabot can be controlled by GitHubCommentOps or
> Configuration-as-Code. It may require
> maintainers to set up filters, but then it will work like a charm. For
> evaluation purposes I would recommend configuration-as-code tho. It may
> help us to easily verify the configured filters later.
>
>
That looks great.  I'm happy to try the configuration as code route.

Mark Waite



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Oleg Nenashev
Hi all,

Thanks for the responses! If there is no negative feedback, I will proceed 
with the implementation next Monday. Whoever wants to add any extra 
components to evaluation, please comment in this thread.

Jesse: Since the primary use case is offering updates to plugin 
> repositories, 
> I would suggest including at least one example of `*-plugin`. . if (a) 
> have fairly low installation count (b) are maintained by people actively 
> participating in the trial.  
>

maven-hpi-plugin matches the wildcard :P
Speaking seriously, we could try to add some Jenkins plugins to the 
experiment if (a) and (b) conditions are met.
If Mark wants to try out his plugins

Mark: Updates to non-test dependencies are not very helpful for me.  When 
> dependabot suggests that the git plugin should rely on the latest release 
> of some other plugin, it risks placing unnecessary demands on users to 
> install newer plugins than are required.  I tell dependabot to stop 
> offering those dependency updates.  It closes the pull requests and stops 
> offering updates to that component.
>

Yes, dependabot can be controlled by GitHubCommentOps or 
Configuration-as-Code. It may require 
maintainers to set up filters, but then it will work like a charm. For 
evaluation purposes I would recommend configuration-as-code tho. It may 
help us to easily verify the configured filters later.

Jesse: The question is which dependencies ought to be eligible for upgrade. 
> I do not think we want to update Jenkins core or plugin dependencies 
> gratuitously, since this would limit availability of new releases with only 
> modest productivity gain: more realistic functional tests, less distance 
> from `master` to whatever `plugin-compat-tester` would use. 
>

Same as above, we could somehow configure it via filters, though it 
might not be trivial. I think that we will need to...

   1. Document recommendations in JEP after the evaluation
   2. Provide Config File samples (in JEP) so that maintainers can 
   configure Dependabot correctly 
   
Maybe Dependabot can be configured to request me as a reviewer?  
>

Yes, it can.

Best regards,
Oleg



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Gavin Mogan
Another one to look at is Renovate bot ( https://renovatebot.com/docs/ )

I suspect maven doesn't update nearly as often as node does, but i have
greenkeeper on a lot of my node projects, and sometimes when something
updates (like the testing framework) i get a huge number of PRs really
quickly.

Renovate bot does have support for auto merging PRs if you want, so it can
handle things a little automated.

But I'm +1 for Dependabot



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread R. Tyler Croy


I'm game for experimenting with this :D

On Thu, 21 Feb 2019, Oleg Nenashev wrote:

> Dear all,
> 
> I would like to follow up on the Dependabot request from Jesse Glick in
> INFRA-1975. Dependabot is a service for automated dependency updates
> which supports many languages/tools, including Maven, Docker and Gradle
> which are being heavily used in Jenkins.
> 
> Dependency management is a problem in Jenkins, because we have hundreds of
> repositories with many dependencies there. Maintainers spend a lot of time
> on managing dependencies, and sometimes it leads to ancient dependencies in
> components. Especially in the development tools which "just work". By
> automating dependency updates we could give maintainers more time to focus
> on other tasks.
> 
> Dependabot is one of the engines we could use for dependency management. It
> is free for open-source projects, and it is a SaaS application which can be
> almost completely managed from GitHub. It can just create pull requests or,
> if we want, implement validated merge with help of ci.jenkins.io. No
> special infrastructure required, and this is an advantage for us. There are
> other implementations (including UpdateBot by Fabric8/Jenkins X which has a
> Jenkins plugin), but it would require more efforts to deploy the
> infrastructure. It could be considered in the future if we want to have
> Jenkins-powered update management in the final implementation.
> 
> My proposal would be to enable Dependabot for a *limited number* of Jenkins
> repositories so that we can experiment with it. I propose to focus on
> development tools and pre-1.0 projects only for now so that we can
> experiment with flow without a risk of impact on components being used in
> production in the Jenkins project. And we will be setting up auto-updates
> only for projects with existing test automation.
> 
> - Jenkinsfile Runner - Example PRs in my local repo
> - ci.jenkins.io-runner - Example PRs (bot was disabled after moving the repo)
> - plugin-pom - Example PRs in my local repo
> - maven-hpi-plugin - Example PRs in my local Repo
> 
> More repositories can be added if somebody is interested to participate in
> the Dependabot evaluation. If there is a positive feedback after the
> initial evaluation, we could proceed with creating a JEP to define the flow
> and the usage/administration policies.
> 
> What do you think?
> 
> Thanks in advance,
> Oleg
> 
--
GitHub:  https://github.com/rtyler

GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Mark Waite
On Thu, Feb 21, 2019 at 6:43 AM Oleg Nenashev wrote:

> Dear all,
>
> My proposal would be to enable Dependabot for a *limited number* of
> Jenkins repositories so that we can experiment with it. I propose to focus
> on development tools and pre-1.0 projects only for now so that we can
> experiment with flow without a risk of impact on components being used in
> production in the Jenkins project. And we will be setting up auto-updates
> only for projects with existing test automation.
>
> - Jenkinsfile Runner - Example PRs in my local repo
> - ci.jenkins.io-runner - Example PRs (bot was disabled after moving the repo)
> - plugin-pom - Example PRs in my local repo
> - maven-hpi-plugin - Example PRs in my local Repo
>
> More repositories can be added if somebody is interested to participate in
> the Dependabot evaluation. If there is a positive feedback after the
> initial evaluation, we could proceed with creating a JEP to define the flow
> and the usage/administration policies.
>
>
I added it to my forked repositories of the git plugin, git client plugin,
and platform labeler plugin.  The experiment has been educational.  I like
seeing the pull requests which are proposed.  Updates to the parent pom
could be automerged if CI jobs pass.  I believe that updates to test
dependencies could be automerged if CI jobs pass.

   - Git client plugin - examples in my local repo
   - Git plugin - examples in my local repo
   - Platform labeler plugin - examples (closed) in my local repo


Updates to non-test dependencies are not very helpful for me.  When
dependabot suggests that the git plugin should rely on the latest release
of some other plugin, it risks placing unnecessary demands on users to
install newer plugins than are required.  I tell dependabot to stop
offering those dependency updates.  It closes the pull requests and stops
offering updates to that component.

Mark Waite



Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Jesse Glick
On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev  wrote:
> I propose to focus on development tools

Since the primary use case is offering updates to plugin repositories,
I would suggest including at least one example of `*-plugin`.

The question is which dependencies ought to be eligible for upgrade. I
do not think we want to update Jenkins core or plugin dependencies
gratuitously, since this would limit availability of new releases with
only modest productivity gain: more realistic functional tests, less
distance from `master` to whatever `plugin-compat-tester` would use.

Definitely we can freely upgrade the parent POM. I would be happy for
such updates to be auto-merged in fact, so long as the build passes
obviously.

> pre-1.0 projects only

Or just plugins that (a) have fairly low installation count, (b) are
maintained by people actively participating in the trial.

> More repositories can be added if somebody is interested to participate in 
> the Dependabot evaluation.

Sign me up!

I _do_ need to make sure I get notifications of these PRs in
Octobox.io, if they are not simply automerged. Merely watching a
repository is not enough—GH has autosubscribed me to hundreds of
repos, and the resulting thousands of notifications go to /dev/null.
Maybe Dependabot can be configured to request me as a reviewer?

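
The merge policy described in the two messages above by Mark Waite and Jesse Glick (parent POM and test-scope bumps may be auto-merged once CI passes, non-test dependency bumps are held back), as an added example that is not code from the thread, from Dependabot or from the Jenkins project. The sample POM, its versions, the function names and the decision labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; coordinates and versions are illustrative only.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.jenkins-ci.plugins</groupId>
    <artifactId>plugin</artifactId>
    <version>1.0</version>
  </parent>
  <artifactId>example-plugin</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>credentials</artifactId>
      <version>1.0</version>
    </dependency>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-core</artifactId>
      <version>1.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def _coordinate(node):
    """Return 'groupId:artifactId' for a <parent> or <dependency> element."""
    group = node.findtext("m:groupId", default="", namespaces=NS).strip()
    artifact = node.findtext("m:artifactId", default="", namespaces=NS).strip()
    return f"{group}:{artifact}"


def classify_coordinates(pom_xml):
    """Map each coordinate declared in this POM to parent, test or non-test."""
    # Parse only POMs from your own checkout; ElementTree is not hardened
    # against hostile XML.
    root = ET.fromstring(pom_xml)
    kinds = {}
    parent = root.find("m:parent", NS)
    if parent is not None:
        kinds[_coordinate(parent)] = "parent"
    for dep in root.findall("m:dependencies/m:dependency", NS):
        # Maven treats a missing <scope> as compile scope, i.e. non-test.
        scope = dep.findtext("m:scope", default="compile", namespaces=NS).strip()
        kinds[_coordinate(dep)] = "test" if scope == "test" else "non-test"
    return kinds


def decide(pom_xml, coordinate, ci_passed):
    """Apply the thread's policy to one proposed version bump."""
    kind = classify_coordinates(pom_xml).get(coordinate)
    if kind is None:
        return "manual-review"  # not declared in this POM
    if kind == "non-test":
        return "hold"  # would raise the plugin versions users must install
    return "auto-merge" if ci_passed else "wait-for-ci"


if __name__ == "__main__":
    for coord in classify_coordinates(SAMPLE_POM):
        print(coord, decide(SAMPLE_POM, coord, ci_passed=True))
```
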