Re: [DISCUSS] Dependabot for Jenkins core (was:Re: Proposal: Automating dependency management for repositories inside the jenkinsci org)

2020-12-11 Thread Baptiste Mathus
OK, I've just filed https://github.com/jenkinsci/jenkins/pull/5108 as Jesse and Tim are suggesting we go the "deny" path. I think indeed the idea to deny/ignore the dependency that we know they shouldn't be automated is probably good as we may see some interesting things. @Oleg Nenashev if you

Re: [DISCUSS] Dependabot for Jenkins core (was:Re: Proposal: Automating dependency management for repositories inside the jenkinsci org)

2020-12-11 Thread Jesse Glick
On Thu, Dec 10, 2020 at 5:58 PM Baptiste Mathus wrote: > modify the Core Pipeline so the essentials.yaml values are sourced from some > pom.xml (for ATH version) so Dependabot can understand and update this too. Yes, or switch it to a Git submodule which I think it could also handle. The image

Re: [DISCUSS] Dependabot for Jenkins core (was:Re: Proposal: Automating dependency management for repositories inside the jenkinsci org)

2020-12-11 Thread Jesse Glick
I would suggest using a deny list. You will get an initial spray of PRs, mostly to `bom/pom.xml`. Some we will reject as unsafe (likely breaking change for plugins relying on core classpath), which we can then add as exclusions in Dependabot config. But we may be surprised by helpful updates that

Re: [DISCUSS] Dependabot for Jenkins core (was:Re: Proposal: Automating dependency management for repositories inside the jenkinsci org)

2020-12-10 Thread Tim Jacomb
I’m fine with adding more. We could also try a deny list too and see how it goes. On Fri, 11 Dec 2020 at 00:01, Oleg Nenashev wrote: > I am +1. We should finally move forward with Dependabot for dependencies > we consider safe and important to be kept up to date. Allow list is a good > way to

Re: [DISCUSS] Dependabot for Jenkins core (was:Re: Proposal: Automating dependency management for repositories inside the jenkinsci org)

2020-12-10 Thread Oleg Nenashev
I am +1. We should finally move forward with Dependabot for dependencies we consider safe and important to be kept up to date. Allow list is a good way to go, we have a sizeable number of deps. On Thu, Dec 10, 2020, 23:58 Baptiste Mathus wrote: > Hi all, > > I wanted to raise a discussion on

[DISCUSS] Dependabot for Jenkins core (was:Re: Proposal: Automating dependency management for repositories inside the jenkinsci org)

2020-12-10 Thread Baptiste Mathus
Hi all, I wanted to raise a discussion on this and thought I'd fork off this answer from Jesse on Oleg's thread. I see Jesse already configured Dependabot for Xstream: https://github.com/jenkinsci/jenkins/commit/2440a34d8f2ba5626d734c735cb4fc63040c11de Should we start adding all core

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-11-02 Thread Jesse Glick
On Mon, Nov 2, 2020 at 1:34 PM Chris Kilding wrote: > should I advance to depending on BOM version 2.249.x Note that Dependabot will not _offer_ such a bump—only bumps within, say, `bom-2.235.x`. It is up to you to select a `bom-*.x` matching your current `jenkins.version`, and to decide when to

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-11-02 Thread Mark Waite
On Mon, Nov 2, 2020 at 11:34 AM Chris Kilding < chris+jenk...@chriskilding.com> wrote: > I enabled the native Dependabot version updates (the experimental feature) > on my plugin today. Overall it's extremely useful and working well! I > expect I'll soon wonder how I ever managed without it. > >

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-11-02 Thread Chris Kilding
I enabled the native Dependabot version updates (the experimental feature) on my plugin today. Overall it's extremely useful and working well! I expect I'll soon wonder how I ever managed without it. Couple of thoughts: 1. The initial splurge of PRs spawns a lot of builds, so it's helpful that

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-20 Thread Baptiste Mathus
I've just gone ahead and clicked on all repositories where the button was available. So given I don't have an easy way to request review from current active maintainers. *So Jesse or any maintainer: please review the list :*

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-19 Thread Ullrich Hafner
I think that this can be done globally: for each repository a PR will be generated. So in order to finish the transition the repo owner still needs to merge the PR. However, I do not find a button to run this for all repositories :-( > On 19.10.2020 at 16:44, Jesse Glick wrote: > > On Mon,

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-19 Thread Jesse Glick
On Mon, Oct 19, 2020 at 7:57 AM Baptiste Mathus wrote: > If anybody still has the previous configuration, and would like to get an > automated PR, please let me/us know and I can request it. I would certainly want this but have no idea which repositories I might “own” which are configured with

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-19 Thread Baptiste Mathus
Hi all, FYI, as I was using the Dependabot admin UI, I just requested Dependabot to file automated PRs on a number of plugins: https://github.com/pulls?q=is%3Aopen+is%3Apr+author%3Aapp%2Fdependabot-preview+user%3Ajenkinsci++%22Update+Dependabot+config+file%22+in%3Atitle I was going to configure

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-10-08 Thread Oleg Nenashev
I have started https://github.com/jenkinsci/.github/pull/40 with documentation notes. If anyone is interested to contribute and share your notes / best practices, please do so! Later we can move the page to https://www.jenkins.io/doc/developer/plugin-development/ On Wednesday, June 24, 2020 at

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-06-24 Thread Oleg Nenashev
FTR Dependabot is now embedded into GitHub. Probably it is a good time to prepare official documentation https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2020-01-24 Thread Oleg Nenashev
Hi All, Just in case somebody is interested, today we will have an online meetup about Dependabot in Jenkins. https://www.meetup.com/Jenkins-online-meetup/events/267995271/ Please join us if you are interested! Best regards, Oleg On Thursday, July 25, 2019 at 7:45:33 PM UTC+2, Jesse Glick

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-07-25 Thread Jesse Glick
On Thu, Jul 25, 2019 at 3:01 AM Oleg Nenashev wrote: > Basically every maintainer with Admin permissions can enable Dependabot on > his/her own: And if you lack admin permissions, just file an `INFRA` ticket requesting it.

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-07-25 Thread Oleg Nenashev
Hi, done I enabled Dependabot for Gradle JPI Plugin, Role Strategy Plugin and Jenkins Test Harness. Also added Log CLI Plugin as it was requested by Martin Reinhardt in GitHub. Basically every maintainer with Admin permissions can enable Dependabot on his/her own: 1. Enable the Dependabot

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-07-24 Thread Steve Hill
Could we also enable Dependabot for https://github.com/jenkinsci/gradle-jpi-plugin? Best, Steve On Tuesday, July 23, 2019 at 12:39:26 PM UTC-7, Oleg Nenashev wrote: > > With Dependabot acquisition by GitHub, the project got some development > boost. > Unfortunately, there is still no support

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-07-23 Thread Oleg Nenashev
With Dependabot acquisition by GitHub, the project got some development boost. Unfortunately, there is still no support of org-wide configurations, so we cannot just put defaults to https://github.com/jenkinsci/.github But we could at least put some samples there. I would also like to enable

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-06-10 Thread Oleg Nenashev
done! On Mon, Jun 10, 2019 at 6:40 PM Basil Crow wrote: > On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote: >> >> I am fine with going forward with enabling Dependabot for a wider set of >> plugins. >> > > Can you please add the following repositories: > >

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-06-10 Thread Basil Crow
On Wednesday, May 22, 2019 at 11:47:09 PM UTC-7, Oleg Nenashev wrote: > > I am fine with going forward with enabling Dependabot for a wider set of > plugins. > Can you please add the following repositories: https://github.com/jenkinsci/swarm-plugin

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-23 Thread Matt Sicker
If dependabot is somehow slower than I am at updating dependencies, I'll make sure to complain to them. ;) On Thu, May 23, 2019 at 1:59 AM Gavin Mogan wrote: > > Please go ahead with both, I can always @dependbot ignore on blueocean as > needed. > > On Wed, May 22, 2019 at 11:47 PM Oleg

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-23 Thread Gavin Mogan
Please go ahead with both, I can always @dependbot ignore on blueocean as needed. On Wed, May 22, 2019 at 11:47 PM Oleg Nenashev wrote: > Hi all, > > I am fine with going forward with enabling Dependabot for a wider set of > plugins. But IMHO it is still not ready for GA. Why? > >- We are

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-23 Thread Oleg Nenashev
Hi all, I am fine with going forward with enabling Dependabot for a wider set of plugins. But IMHO it is still not ready for GA. Why? - We are still missing usage guidelines as it was discussed in the original emails - In Dependabot there is also no way to set Dependabot on an

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-22 Thread Gavin Mogan
Can blueocean-display-url-plugin get it enabled? Is it set up for all deps or only the parent plugin? Can blueocean-plugin get updated for the parent plugin (or is that a config file somewhere)? On Tue, May 21, 2019 at 12:36 PM Matt Sicker wrote: > I'd really love to see the jackson repo most of

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-21 Thread Matt Sicker
I'd really love to see the jackson repo most of all because I could get the PR ready to release by the time jackson gets around to announcing that release. Helps speed up resolution of their countless CVEs over time. On Tue, May 21, 2019 at 2:12 PM Mark Waite wrote: > > I've been very happy with

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-21 Thread Mark Waite
I've been very happy with dependabot enabled on the platformlabeler-plugin in the Jenkins organization. I've also continued my experiment allowing it to run on my forks of the git plugin and git client plugin. It has been helpful in all cases. By the time I am reviewing a dependabot pull

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-21 Thread Matt Sicker
Can I have the following added: https://github.com/jenkinsci/jackson2-api-plugin https://github.com/jenkinsci/jsch-plugin https://github.com/jenkinsci/pam-auth-plugin https://github.com/jenkinsci/ssh-credentials-plugin https://github.com/jenkinsci/audit-log-plugin On Thu, May 2, 2019 at 2:35 AM

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-02 Thread Baptiste Mathus
Done Carlos. On Thu, May 2, 2019 at 09:28, Carlos Sanchez wrote: > please add https://github.com/jenkinsci/kubernetes-plugin > > thanks > > On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick wrote: > >> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting >> tests are not currently

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-05-02 Thread Carlos Sanchez
please add https://github.com/jenkinsci/kubernetes-plugin thanks On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick wrote: > Please remove `pipeline-cloudwatch-logs-plugin` since its interesting > tests are not currently run in CI.

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-03-27 Thread Jesse Glick
Please remove `pipeline-cloudwatch-logs-plugin` since its interesting tests are not currently run in CI.

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-03-18 Thread Oleg Nenashev
Hi Raphael, Done. BR, Oleg On Monday, March 11, 2019 at 10:54:57 AM UTC+1, Raphael Pionke wrote: > > Hi Oleg, > > i'm also interested! can you please add following repo? > >- https://github.com/jenkinsci/performance-signature-dynatrace-plugin > > Regards, > Raphael > > > Am Montag, 4. März

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-03-11 Thread Raphael Pionke
Hi Oleg, I'm also interested! Can you please add following repo? - https://github.com/jenkinsci/performance-signature-dynatrace-plugin Regards, Raphael On Monday, March 4, 2019 at 15:40:57 UTC+1, Oleg Nenashev wrote: > > Hi Baptiste, the requested repositories have been added. > > @All I also

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-03-04 Thread Oleg Nenashev
Hi Baptiste, the requested repositories have been added. @All I also added the Plugin Compat Tester and Custom WAR Packager repositories - https://github.com/jenkinsci/custom-war-packager - https://github.com/jenkinsci/plugin-compat-tester Both of them are development tools, so it

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-27 Thread Baptiste Mathus
Thanks for driving this Oleg! I'm in for the plugins I'm maintaining: - https://github.com/jenkinsci/buildtriggerbadge-plugin/ - https://github.com/jenkinsci/chucknorris-plugin - https://github.com/jenkinsci/versioncolumn-plugin -

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-25 Thread Oleg Nenashev
Hi all, I have enabled Dependabot and added the requested components. Enjoy the PR notifications in your Inbox :) I have also started a Google Doc where everybody is welcome to put

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-22 Thread Joseph P
Please enable it for * bitbucket-branch-source-plugin * mstest-plugin * vstestrunner-plugin On Thursday, February 21, 2019 at 2:43:48 PM UTC+1, Oleg Nenashev wrote: > > Dear all, > > I would like to follow-up on the Dependabot request from Jesse Glick in > INFRA-1975

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-22 Thread Ullrich Hafner
I like this idea as well. You can enable it for - analysis-model - warnings-ng-plugin > On 22.02.2019 at 14:30, Jesse Glick wrote: > > On Thu, Feb 21, 2019 at 6:25 PM Oleg Nenashev wrote: >> Speaking seriously, we could try to add some Jenkins plugins to the >> experiment if (a) and (b)

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-22 Thread Jesse Glick
On Thu, Feb 21, 2019 at 6:25 PM Oleg Nenashev wrote: > Speaking seriously, we could try to add some Jenkins plugins to the > experiment if (a) and (b) conditions are met. To start with, sign me up for: * log-cli * pipeline-cloudwatch-logs * parallel-test-executor * mock-slave which should

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Mark Waite
On Thu, Feb 21, 2019 at 4:25 PM Oleg Nenashev wrote: > Hi all, > > Thanks for the responses! If there is no negative feedback, I will proceed > with the implementation next Monday. Whomever wants to add any extra > components to evaluation, please comment in this thread. > > Jesse: Since the

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Oleg Nenashev
Hi all, Thanks for the responses! If there is no negative feedback, I will proceed with the implementation next Monday. Whomever wants to add any extra components to evaluation, please comment in this thread. Jesse: Since the primary use case is offering updates to plugin > repositories, > I

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Gavin Mogan
Another one to look at is Renovate bot ( https://renovatebot.com/docs/ ) I suspect maven doesn't update nearly as often as node does, but I have greenkeeper on a lot of my node projects, and sometimes when something updates (like the testing framework) I get a huge number of PRs really quickly.

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread R. Tyler Croy
I'm game for experimenting with this :D On Thu, 21 Feb 2019, Oleg Nenashev wrote: > Dear all, > > I would like to follow-up on the Dependabot request from Jesse Glick in > INFRA-1975. Dependabot > is a service for

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Mark Waite
On Thu, Feb 21, 2019 at 6:43 AM Oleg Nenashev wrote: > Dear all, > > My proposal would be to enable Dependabot for a *limited number* of > Jenkins repositories so that we can experiment with it. I propose to focus > on development tools and pre-1.0 projects only for now so that we can >

Re: Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Jesse Glick
On Thu, Feb 21, 2019 at 8:43 AM Oleg Nenashev wrote: > I propose to focus on development tools Since the primary use case is offering updates to plugin repositories, I would suggest including at least one example of `*-plugin`. The question is which dependencies ought to be eligible for

Proposal: Automating dependency management for repositories inside the jenkinsci org

2019-02-21 Thread Oleg Nenashev
Dear all, I would like to follow-up on the Dependabot request from Jesse Glick in INFRA-1975. Dependabot is a service for automated dependency updates which supports many languages/tools, including Maven, Docker and