Re: Updating detached plugins

2024-04-11 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Apr 9, 2024 at 9:34 PM Basil Crow wrote:

> Daniel, I am not aware of any such examples.
>

Thanks for that confirmation.

At this point I'm not entirely convinced JENKINS-69361 is real, and unless
you know more than is present in Jira, we don't understand it well enough
to act on it. Trying to reproduce it by manually dropping instance-identity
113 and bouncycastle-api 2.26 in an otherwise 2.346.x Jenkins home
(reproduction instructions are unclear how this would otherwise work given
its core dependency) and starting 2.361.1, it gets appropriately ignored by
entering the first block and passing the version comparison:
PluginManager#loadDetachedPlugins: Upgraded Jenkins from version 2.346.2 to
version 2.361.1-SNAPSHOT. Loaded detached plugins (and dependencies): []

While updating to a newer Jenkins results in bundled plugins being updated
to the bundled releases if what's installed is older, it's possible to
downgrade plugins afterwards and have that remain, as long as the core
version doesn't change (not entering
https://github.com/jenkinsci/jenkins/blob/16a65758149f71de1fd61dd0d7aa1fa9c06cd8c3/core/src/main/java/hudson/PluginManager.java#L812-L818).
That manual downgrade would need to happen on every bundled version bump
though, which given the regularity of plugin releases would be practically
every LTS bump (not to mention the lack of support for downgrading
configuration). It used to be possible for users to "pin" versions of
plugins, but that was dropped in or around 2.0 when we no longer installed
bundled plugins by default, making it basically an offline fallback only
(resulting in the current policy IIRC).
https://groups.google.com/g/jenkinsci-dev/c/kRobm-cxFw8/m/6V66uhibAwAJ and
related messages may shed some light on how we got here. OTOH you've
applied the pre-emptive updates for a while, as you wrote, and I'm not
aware of many (or any) complaints about being forced to update plugins.

At this point, neither the reasons to implement the policy change nor the
reason not to are very convincing to me. Wearing my security hat I'd prefer
updating everything all the time. As an admin I'd be more hesitant, but for
the rare cases a bundled plugin release causes problems, the existing
ability to downgrade (and wait for maintainers to fix whatever is the
blocker) seems like it might be just enough to move forward with this. I
guess this amounts to +0.5.

Re the test -- I'd skip it for future automatic PRs. When we only updated
bundled dependencies to address security vulnerabilities, we needed a way
to ensure any such PR was complete, as nothing else would increase these
versions until the next PR updating bundled plugins due to vulnerabilities.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtL%3DCqsbn1P8Rn4mYbA03ey8dSer106bUNOW5%3Db%2BnT_07A%40mail.gmail.com.


Re: Updating detached plugins

2024-04-09 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Apr 9, 2024 at 8:28 PM Basil Crow wrote:

> Third, we have occasionally seen a need to mitigate the impact of
> JENKINS-69361.


> Since 2022 I have been regularly updating detached plugins, justified
> as an exception to the usual policy in order to mitigate the impact of
> JENKINS-69361.


Are you aware of examples of this problem other than the two Jira issues?
Only instance-identity has been explicitly mentioned (and one comment
mentions unspecified other plugins, which I guess are the javax-* plugins).
I think I have a plausible explanation for the bug that would limit the
problem to just these plugins, but lack further information about the scope
of the problem.



Re: Building Jenkins core and plugins with Java 22

2024-04-02 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Apr 2, 2024 at 9:27 PM Ullrich Hafner 
wrote:

> Is it intentional that you are using "Jenkins Developers" as mail from
> (and not your name Alex anymore)? It is somewhat strange to not see who
> actually sent the mail in the thread (without looking at all the headers)...
>

This is how Google Groups deals with a restrictive DMARC policy. If that's
set up, senders are rewritten to the list address because Google is not
allowed to send emails from some random domain, and emails would likely be
rejected or classified as spam by list email recipients.



Re: New plugin

2024-03-22 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Mar 22, 2024 at 11:12 AM DuMaM wrote:

> My work environment requires me to give users privileges to create
> new jobs, but I need to lock creation of non-pipeline jobs.
> I could take a solution proposed a long time ago by Daniel Beck, but I
> thought that maybe it's a good place for a more universal plugin for that
> purpose, so I tweaked his code a bit.
>

Please note that this doesn't actually do what you seem to claim it does.
It _hides_ the job type from the job creation form, but CLI, remote API,
etc. still allow job creation. See e.g.
https://issues.jenkins.io/browse/JENKINS-52728?focusedId=344840=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-344840
in which I point out this limitation (and suggest ExtensionFilter as
alternative). If I claimed somewhere that hide-maven actually prevents job
creation, I apologize for the mistake.



Re: Wrong administrative monitor for SECURITY-3379?

2024-03-21 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Mar 21, 2024 at 9:40 AM 'Björn Pedersen' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> there is an administrative monitor for SECURITY-3379 popping up in 2.450
> weekly, saying that there is no solution yet, while
> https://www.jenkins.io/security/advisory/2024-03-20/ says that is fixed
> since 2.444.
>

Thanks, I will fix this within the next hour. Accidentally relied on tool
output which doesn't handle non-simultaneous releases for core.



Re: Retire some of my old plugins

2024-03-19 Thread 'Daniel Beck' via Jenkins Developers
On Sun, Mar 17, 2024 at 9:01 AM 'Alexander Brandes' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> To mark the plugins as EOL, I recommend adding the “deprecated” topic to
> the GitHub repositories, adding a note to the README that the plugin is
> EOL, closing open PRs and archiving the GH repository.
>

In both cases it looks like continued distribution makes no real sense, so
I recommend
https://github.com/jenkins-infra/update-center2/?tab=readme-ov-file#removing-plugins-from-distribution
in addition to the above.


> Finally, you can remove yourself from the repository-permission-updater
> file.
>

To clarify (as this has been a problem in the past): Keep the file, just
remove your 'developers' list entry (likely resulting in `developers: []`
for valid YAML).



Re: GitHub Issues

2024-03-13 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Mar 13, 2024 at 9:08 AM 'Michael Kriese' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> Found it.
>
> - https://maven.apache.org/pom.html#issue-management
> -
> https://github.com/jenkinsci/publish-over-ssh-plugin/blob/d6d29fda86b3db5e19d9130ca80ad7915eb1197c/pom.xml#L122
>

Nope, those are ignored.

Real solution is
https://github.com/jenkins-infra/repository-permissions-updater?tab=readme-ov-file#managing-issue-trackers



Re: Error: Could not find or load main class com.mathworks.polyspace.jenkins.PolyspaceHelpers

2024-03-01 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Mar 1, 2024 at 11:43 PM Stéphane BOBIN 
wrote:

> - What is the recommended and secure way to have scripts on agents to call
> utilities from the plugin?
>

It's not a common enough use case to have a general recommendation.

Some ideas: publish the utilities separately rather than as part of the
plugin, integrate them as tools into Jenkins (ToolInstallation /
ToolInstaller), implement their functionality as build step(s), provide a
build step to copy them to the workspace, or make them available for
download from Jenkins like the agent.jar (with some care to not allow
downloading anything else).



Re: CVE-2023-50164 Struts question

2024-02-26 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Dec 22, 2023 at 4:26 PM 'wfoll...@cloudbees.com' via Jenkins
Developers wrote:

> Now, if you are not sure, you can still contact the security team, but I
> will ask you to provide more details, like which plugin, which CVE, and
> your doubts.
>

After discussing with Wadeck, I'd like to clarify our position:

The Jenkins security team does not generally answer questions about
publicly known vulnerabilities in libraries that may not even be used
anywhere in Jenkins. Any number of commercial or free dependency scanners
can provide an answer. This basically falls into the category of compliance
question/questionnaire (see the highlighted block here).

For vulnerable libraries determined to actually be dependencies, per our
reporting guidelines, we do not consider vulnerabilities in dependencies to
be vulnerabilities in Jenkins unless reporters can demonstrate exploitation,
or at least explain how it *might* work (or it's really obvious).
Unfortunately we get too many folks just dumping unfiltered dependency
scanner output into our issue tracker, so we need to be pretty restrictive
here due to our limited capacity. Similar limitations apply to reports of
vulnerabilities in OS libraries in Docker images.



Re: Adopt plugin openid-plugin

2024-02-19 Thread 'Daniel Beck' via Jenkins Developers
On Sun, Feb 18, 2024 at 5:56 PM Adrien Lecharpentier <
adrien.lecharpent...@gmail.com> wrote:

> Please note that the plugin has multiple public security issues. I'm sure
> the security team will require you to resolve them before any release can
> be deployed.
>

While we definitely prefer that (new) maintainers address unresolved
vulnerabilities as early as possible, we do not generally require that for
new releases, with two exceptions:

* Plugins blocked from releasing because we identified a vulnerability
introduced since the latest release. Look for "releaseblock" in RPU for
examples.
* Unsuspending plugins. In terms of security, we consider that to be
similar to new plugin hosting, so to restore publication, we ask that
security issues (publicly known or not) be addressed first.

For anything else, the security warnings shown in Jenkins and on the
plugins site will remain active even for new releases.

Some (few) plugins are actively maintained while not addressing previously
announced security vulnerabilities. Administrators can make an informed
decision on whether they want to install (or keep installed) such plugins.



Exclusive JEP-229 CD mode announcement

2023-12-14 Thread 'Daniel Beck' via Jenkins Developers
Hi everyone,

For JEP-229[1] enabled plugins, RPU[2] manages the permissions required to
have CD releases and periodically refreshes the Artifactory token for the
CD action in the GitHub repository.

Until recently, releases through JEP-229 CD were always enabled _in
addition_ to manual uploads (`mvn deploy` or similar from your computer),
something that is neither desirable nor needed with CD enabled.

It is now possible to remove those unnecessary manual upload permissions
from maintainers in CD enabled plugins: Simply add `exclusive: true` to the
`cd` mapping in the YAML file.[3]

Regards
Daniel

1: https://github.com/jenkinsci/jep/tree/master/jep/229
2: https://github.com/jenkins-infra/repository-permissions-updater
3:
https://github.com/jenkins-infra/repository-permissions-updater#managing-continuous-delivery-jep-229-cd



Re: GetStatic Jelly Tag

2023-12-07 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Dec 7, 2023 at 5:44 PM Bryan Stopp wrote:

> It does not find my packages/classes in my plugin for referencing static
> values.
>

https://issues.jenkins.io/browse/JENKINS-26579 ?



Re: does not have help

2023-11-14 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Nov 14, 2023 at 10:27 AM tzach solomon 
wrote:

> From what I can see, checkbox.jelly has the following
>
> 
>   Used for databinding. TBD.
> 
>
> I've also overridden the getHelpFile() method in my descriptor to see
> which fieldName are passed and I do see all other fields besides the
> checkbox.
> Is there a way to troubleshoot this?
>

Is the f:checkbox wrapped in an f:entry?



Re: auto release from branch or manual release of multimodule project

2023-10-26 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Oct 26, 2023 at 2:51 PM Jiri Vanek wrote:

> [ERROR]  jenkinsci/report-jtreg-plugin-plugin.git/report-jtreg-plugin is
> not a valid repository name
>

Looks like the attributes in
https://github.com/jenkinsci/archetypes/blob/8203c822c89145f74d077c4895fd691c7d61c893/empty-plugin/src/main/resources/archetype-resources/pom.xml#L24
could fix this?



Re: Splitting a plugin into a legacy and supported part

2023-10-13 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Oct 13, 2023 at 8:38 AM Ullrich Hafner 
wrote:

> Or is there even another option that I do not see?
>

Depending on the scope of the problem, deprecation and finally removal of
the obsolete stuff you want to remove.

Use usage-in-plugins to identify callers and consider providing PRs with
the necessary changes for the more popular ones (and consider how much you
care about non-public plugins).

Specify hpi.compatibleSinceVersion in the pom to tell admins that the new
release is incompatible with older ones, and write a useful changelog.



Re: 2.426 as Nov 15, 2023 LTS baseline?

2023-10-06 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Oct 6, 2023 at 9:56 AM Jan Meiswinkel 
wrote:

> I would appreciate if PR-7056 would make it into the
> next LTS, if that is possible without any downsides.
>

Too much of an API addition IMO. If a decision is made to backport, should
be @Restricted to reduce this to basically some additional log messages.



Re: September 18, 2023 Governance Board Agenda

2023-09-19 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Sep 19, 2023 at 4:32 PM 'Jenkins Developers' via Jenkins Developers
 wrote:

> > In order to limit Java support to two LTS releases, the Jenkins project
> will adopt a “2+2+2” model where a new Java LTS release is supported for
> two years, then becomes the minimum required Java version for two years,
> then is unsupported for two years.
>
> This is because it is not "unsupported" for 2 years, but rather it is
> "will not run at all, ever again" due to the minimum java baseline being
> beyond this unsupported version, thus there is no point mentioning it is
> unsupported for 2 years - it may as well be unsupported for 1 hour or 1000
> years.
>

I think the idea is that during this last 2 year period, Java itself
remains vendor-supported, but cannot run Jenkins anymore. Specifically
mentioning that seems useful.



Re: Request for Status Update on Parasoft Findings Plugin 10.6.3 Release

2023-09-04 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Sep 1, 2023 at 11:05 PM Mark Waite 
wrote:

>
>
> On Friday, September 1, 2023 at 2:38:07 PM UTC-6 Yuqian wrote:
>
> Hi,
>
> This is Yuqian from Parasoft.
>
> I attempted to release the Parasoft Findings Plugin 10.6.3 using "mvn
> release:prepare" and "mvn release:perform." Both commands were successful,
> and I created a corresponding tag:
>
>
> https://github.com/jenkinsci/parasoft-findings-plugin/releases/tag/parasoft-findings-10.6.3
>
> Could you kindly confirm the progress of this release? It's been two days
> since I initiated it, and I'd appreciate an update.
>
> As far as I can tell, you've created a release in GitHub but have not
> uploaded the binaries to the Jenkins artifact repository.  See the
> instructions at
> https://www.jenkins.io/doc/developer/publishing/releasing-manually/ for
> the steps that you need to perform in order to release manually.
>

You uploaded 10.6.3-SNAPSHOT last Wednesday, and 10.6.4-SNAPSHOT now. No
release commits exist in the repo either. Something about how you release
is definitely wrong.



Re: commit access lost to blueocean-plugin

2023-08-02 Thread 'Daniel Beck' via Jenkins Developers
FTR I resolved both issues.



Re: Adopting the remote-jobs-view-plugin plugin

2023-07-31 Thread 'Daniel Beck' via Jenkins Developers
On Sun, Jul 30, 2023 at 11:16 AM Swamy M S wrote:

> Can we enable this plugin wiki and release this plugin in jenkins again?
>

Distribution will be restored once there is a fix for the security
vulnerability that caused distribution to be suspended, and a release has
been made. The last release is from 2015, so that hasn't happened yet. It
looks like you already have permissions to create a new release.



Re: Revise "Bug" template fields on Jira

2023-04-17 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Apr 17, 2023 at 6:39 PM Mark Waite 
wrote:

>
> I'd like the Jira experts like Basil Crow and Daniel Beck to voice their
> opinions.
>

Should be doable. It looks like we'd need to copy the field configuration,
mark the fields required in the copy, define a new field configuration
scheme, have the Bug type associated with the field configuration that has
the required fields, all others with the original, and use that scheme for
JENKINS. Does that sound about right?

I don't know how Jira handles new requirements for fields in existing
issues. This might result in updating existing issues being quite
cumbersome.

On Mon, Apr 17, 2023 at 7:57 PM Ullrich Hafner 
wrote:

> Wouldn’t it make more sense to make the affected core version selectable
> with something like a list box?
>

Environment is more than core version. Also, there are _many_ core
versions, most of which are irrelevant for new issues, but would need to be
kept around for historical issues. If we wanted this, it would be a
separate field, and would need to be updated every week.



Re: Jenkins Security Scan now generally available

2023-04-17 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Mar 20, 2023 at 3:13 AM Basil Crow wrote:

> Does the Jenkins Security Scan need to be adapted to use the artifact
> caching proxy?
>

The workflow would need to be adapted to use the caching proxy, but given
uncertainty around unauthenticated future use of Artifactory I
am hesitant to change something now (potentially requiring callers to
adapt) only to change it again fairly soon. You also mentioned to me a few
weeks ago that this is probably no big deal given GH's caching of Maven
dependencies, so I didn't look into this further.



Re: Trouble with dynamically updating Jelly textbox

2023-03-30 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Mar 31, 2023 at 5:43 AM Dane Wrye wrote:

> Hey All,
>
> I am new to Jenkins/Jelly and trying to pick it up as I add
> functionality to a new codebase. With that said, I am looking at
> dynamically updating a textbox on my form when the selected option of a
> select element changes. I think I am 90% of the way there, but need a
> little bit of help to push me to 100%. To do this, I am currently
>
> a.) Calling a javascript function, updateTextbox(stringToUpdateWith), that
> overwrites the textbox in question's current value with stringToUpdateWith.
> It is called onChange from the select element.
> b.) Calling a backend java function,
> getStringToUpdateWith(selectedOption), which takes in the current option
> from the HTML select element as a parameter and returns the string I want
> to update my textbox with
> c.) Getting the currently selected option in my HTML select element, with
> the following code: this.options[this.selectedIndex].text
>
> Now, it gets a little messy: all this code is squished together in the
> select element's onChange, as I want to update the textbox whenever the
> select element is changed.
>
> All together, the line of code looks like this:
>  onChange="updateTextbox('${instance.getStringToUpdateWith(this.options[this.selectedIndex].text)}')"/>
>
> The onChange function, which is what I am currently having trouble with,
> looks like this:
>
> onChange="updateTextbox('${instance.getStringToUpdateWith(this.options[this.selectedIndex].text)}')"
>
> Debugging, it seems that the "this.options[this.selectedIndex].text" shows
> up in the getStringToUpdateWith function as an empty string. If I could get
> the selected option into this function as a parameter, I will have solved
> my problem. Any idea why it could be an empty string instead? I would
> appreciate any and all leads!
>

You're mixing JS (code evaluated by the browser) and Jelly/JEXL (code
evaluated by the server) in a way that doesn't work.

JEXL variables in Jelly get evaluated as the page is rendered the first
time (sent from server to browser). They don't update afterwards. I expect
you'll notice in a debugger you'll call your instance method once per page
load (assuming `instance` is bound to the correct value, another potential
source of problems), if at all, with an unexpected parameter, because
Jelly/JEXL cannot access JS/DOM variables.

Look into JavaScriptProxy to call Java methods from JS, e.g.
https://weekly.ci.jenkins.io/design-library/JavaScriptProxy/ ; or use fetch
from JS to call web methods (usually named doWhatever), passing the current
value as argument that is received as @QueryParameter annotated parameter
of the method.

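As an added example (not from the original message or from the Jenkins project), here is the second approach from the reply above: the browser reads the selected option when the change event fires and passes it to a web method as a query parameter. The `doLookupText` web method, its `selectedOption` parameter, the descriptor URL and all function names are assumptions made for illustration.

```javascript
// Added example; every name here (lookupUrl, refreshTextbox, demo, the
// doLookupText web method and its selectedOption parameter) is hypothetical.
//
// Assumed server side, a web method on the descriptor that returns the new
// textbox content as plain text:
//   public HttpResponse doLookupText(@QueryParameter String selectedOption)

// Build the request URL in the browser, at the time of the change event.
function lookupUrl(descriptorUrl, selectedOption) {
  const base = descriptorUrl.replace(/\/+$/, '');
  return `${base}/lookupText?selectedOption=${encodeURIComponent(selectedOption)}`;
}

// Body of the onChange handler. The DOM value is read here, in the browser;
// a ${...} expression was already evaluated once on the server while the
// page was rendered and cannot see it.
async function refreshTextbox(select, textbox, descriptorUrl, fetchImpl = globalThis.fetch) {
  const selected = select.options[select.selectedIndex].text;
  const response = await fetchImpl(lookupUrl(descriptorUrl, selected));
  if (!response.ok) {
    throw new Error(`lookup failed with HTTP ${response.status}`);
  }
  // Assign to .value so the response is handled as text, never as markup.
  textbox.value = await response.text();
  return textbox.value;
}

// Constructed stand-ins for the DOM elements and the server, so the example
// runs offline. The fake server echoes the query parameter it received.
function demo() {
  const select = {
    selectedIndex: 1,
    options: [{ text: 'alpha' }, { text: 'beta & gamma' }],
  };
  const textbox = { value: '' };
  const seen = [];
  const fakeFetch = async (url) => {
    seen.push(url);
    const option = new URL(url, 'http://jenkins.invalid')
      .searchParams.get('selectedOption');
    return { ok: true, status: 200, text: async () => `text for ${option}` };
  };
  return refreshTextbox(select, textbox, '/descriptorByName/example.MyStep/', fakeFetch)
    .then(() => ({ textbox, seen }));
}
```

In a real form the handler would be attached with `addEventListener('change', ...)` on the select element, passing the actual elements and the descriptor URL rendered by Jelly.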


Re: Can someone delete https://plugins.jenkins.io/packageversion/

2023-02-21 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Feb 21, 2023 at 12:08 AM Alexander Brandes 
wrote:

> impactful enough to justify a suspension of the plugin


In particular, exploitation requires the parameter to be shown on a view
that doesn't mitigate the vulnerability, of which there are few. There's a
good chance nobody is actually affected by this vulnerability.



Re: How does /monitoring skip starting splash page?

2023-02-08 Thread 'Daniel Beck' via Jenkins Developers
PluginImpl#start adds HudsonMonitoringFilter to the PluginServletFilter
list, which should be happening before PLUGINS_STARTED, so it doesn't wait
for items to load etc.

On Wed, Feb 8, 2023 at 2:47 PM Michael Carter 
wrote:

> "jenkins is starting up" is the screen I'm talking about.
> https://plugins.jenkins.io/monitoring/ is available before the init level
> of COMPLETED is reached so you can troubleshoot things as jenkins is
> starting up.   Analyzed their code and couldn't quite figure out what
> allows them to do it.
>
> They do have stuff in there about the crumb and security so maybe that's
> what is allowing it.
>
> On Wednesday, February 8, 2023 at 2:02:38 AM UTC-5 ga...@gavinmogan.com
> wrote:
>
>> Can you share code? I would assume a root action with no auth wouldn't
>> care about ... wait when you say splash screen, do you mean the "jenkins is
>> starting up" or the "welcome wizard"? I would assume a root action wouldn't
>> care about the welcome wizard, but the starting up screen my only guess is
>> you have to have some sort of init hook that changes the order of things.
>>
>>
>> https://github.com/jenkinsci/prometheus-plugin/blob/master/src/main/java/org/jenkinsci/plugins/prometheus/rest/PrometheusAction.java
>> says UnprotectedRootAction, which probably means it doesn't wait for
>> auth/acl to startup
>>
>> But these are just guesses
>>
>> On Tue, Feb 7, 2023 at 11:47 AM Michael Carter 
>> wrote:
>>
>>> Short version I've got a custom prometheus stats page for my plugin.
>>> But I want to make it available early.  How does the /monitoring plugin
>>> skip the starting splash page?  Want to do the same thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BcbS03o1cuervZ7G%2BTjm0QL744AgcoNYVaWMjLp2uk2w%40mail.gmail.com.


Re: Jenkins Security Scan now generally available

2023-02-02 Thread 'Daniel Beck' via Jenkins Developers
Hi everyone,

Some feedback the Jenkins security team received for code scanning was that
it is inconvenient to mark findings as false positives through the GitHub
UI.

Thanks to work by https://github.com/yaroslavafenkin the Jenkins Security
Scan now supports two different ways to suppress findings in code: using
comments or using a @SuppressWarnings annotation.

The detailed finding descriptions on the GitHub UI explain how to use these
to suppress specific findings (re-run the scan if needed to get an updated
description).

Regards
Daniel

On Tue, Feb 22, 2022 at 6:29 PM Daniel Beck  wrote:

> Hi everyone,
>
> I've published the previously private[1] Jenkins code scanning rules for
> CodeQL. These are static analysis rules covering mostly Jenkins-specific
> issues, like unprotected Stapler web methods and use of APIs that are
> generally not a good idea in the context of Jenkins plugins.
>
> While this uses the CodeQL CLI and Java language support, the queries are
> entirely custom, so this is set up so it can run side-by-side with the
> normal GitHub CodeQL security scanner (or any other such tool), which would
> identify more generic issues.
>
> You can now enable them for your plugins by setting up a GitHub Workflow.
> For details about setting this up inside and outside the jenkinsci GitHub
> org, see the documentation on jenkins.io[2].
>
> The existing mechanisms to run this scan on plugin repos -- signing up
> through INFRA tickets and labeling repos with
> jenkins-security-scan-enabled[3] -- will be retired, so I recommend you set
> this up even if you already get scan results.
>
> Regards
> Daniel
>
> 1: https://www.jenkins.io/blog/2020/11/04/codeql/
> 2: https://www.jenkins.io/redirect/jenkins-security-scan
> 3: https://groups.google.com/g/jenkinsci-dev/c/xpsIgJJy44U/m/w-O0JbpTBgAJ
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BYdgepXxQfqZ2rzgjAq4L_b5bAucp6%2Ba6bVsHsFkd%3DnQ%40mail.gmail.com.


Re: Removing inactive Core maintainers to reduce risk

2023-01-30 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Jan 30, 2023 at 7:26 PM Basil Crow  wrote:

> A compromised account with unnecessary commit access could very well
> have that level of impact if it is used to introduce malicious content
> into a release.
>

Exactly, which is why this was done.

As a reminder, you originally responded to an explanation why this wasn't
discussed more widely before this was implemented.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtK4vK1z0UZ9UoCO34Dk8pEKQd19nLyPvxrD283bePXBXA%40mail.gmail.com.


Re: Removing inactive Core maintainers to reduce risk

2023-01-30 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Jan 30, 2023 at 12:27 PM Daniel Beck  wrote:

> I also see this less as a step to remove maintainers who are not doing any
> maintenance (which goes beyond what the officers' mission is) and more
> limiting risk (which is in scope). IMO if one of the affected folks were to
> show up tomorrow and resume activity in core reviews etc., I would be happy
> with a quick restoration of access, different from how it'd work for a
> newcomer.
>

We could even use a separate team to represent this, like
jenkinsci/inactive-core-maintainers, which would include folks whose
permissions were removed due to inactivity, but who are welcome back if
they want (while we don't have a real process to remove maintainer status).

(While the jenkinsci/alumni team exists, its description indicates
willingness to review things, which is probably not a given here.)

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2B64pJVghW33XhzE2tnjHmOxZLsbyC-gjSJ2f6ETkLT_Q%40mail.gmail.com.


Re: Removing inactive Core maintainers to reduce risk

2023-01-30 Thread 'Daniel Beck' via Jenkins Developers
On Sun, Jan 29, 2023 at 8:53 PM Basil Crow  wrote:

> By the same logic, we could dispense with core PR reviews because any
> commit can be reverted without problems. Such an approach would appear
> to go against the consensus-driven nature of the project.
>

If there were votes taken for release readiness, rather than a weekly
release train that ships whatever is on the default branch, maybe. As it
is, it's not a good comparison.

I also see this less as a step to remove maintainers who are not doing any
maintenance (which goes beyond what the officers' mission is) and more
limiting risk (which is in scope). IMO if one of the affected folks were to
show up tomorrow and resume activity in core reviews etc., I would be happy
with a quick restoration of access, different from how it'd work for a
newcomer.

Similarly, if any of the folks affected actually did have recent activity
and it was just missed, access can easily be restored as well with minimal
inconvenience to those affected.

> That would make those people eligible to be members of the
> core-pr-reviewers team, which has triage permissions but not write
> permissions. Eligible members of the core team, which has write
> permissions, would be those who have merged or closed a PR during the
> last year. Can you see a flaw in my reasoning?
>

There's a discussion to be had about what activities count as core
maintainer activities. While that's probably useful for us to have at
some point, it'd block removing access from folks who _clearly_ are no
longer involved.

If Wadeck and Damien had removed or downgraded permissions of folks who're
still actively submitting or reviewing PRs (perhaps just not clicking the
"Merge" button), I could see the problems with this approach, as we've
never defined what counts as maintaining. As is, arguments seem to be more
about a hypothetical "what if" than what was actually done. How would you
feel if any of the folks Oleg listed suddenly started to merge or close
PRs? Would you really not be surprised, and "think this is fine"?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtKmJwL8U%2BjFbaWPKPV5uRGoVvH8QkhA8Wo_sZEjpVn%2BtQ%40mail.gmail.com.


Re: About the MVN Jenkins upgrade issue

2023-01-12 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Jan 11, 2023 at 2:05 PM hongkeung ling 
wrote:

> -B … -DarchetypeVersion=1.7
>

This specifically chooses a really old version of the archetype. Don't do
that.

But note that even the latest archetypes depend on a slightly older version
of Jenkins than is current. I recommend you mostly ignore the message
informing you about newer Jenkins releases. To learn more,
https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/
is our documentation on the topic.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJQBfw%3DWr0XR0_jOGj1zz8GRzkQjA8mhjx1EBMsoUT7rA%40mail.gmail.com.


Re:

2023-01-09 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Jan 9, 2023 at 2:10 PM Kul Bhushan Srivastava 
wrote:

> Until now I was able to compile the maven dependencies against java8.
>
> All of sudden the dependencies which are getting downloaded are compatible
> with java11 and not with java8.
>

You're probably using Jenkins 2.357 or newer as your core dependency:
https://www.jenkins.io/changelog/#v2.357
Alternatively, you've updated the parent pom to 4.52 or newer:
https://github.com/jenkinsci/plugin-pom/releases/tag/plugin-4.52

The version of Stapler specified in the log is used in Jenkins 2.381 and
newer.

Basically, this is intentional. Time to update Java, or revert updates to
your dependencies (which can only be a temporary solution).

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BU%3DLbsYV578QnHdTcniaG79TDGrUFhGaKNV_YOisRx9w%40mail.gmail.com.


Re: Towards new kubernetes-client 6.x

2023-01-05 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Jan 5, 2023 at 5:18 PM Vincent Latombe 
wrote:

> A new major version of this library (6.x) has been available for a while
> and has breaking changes (See
> https://github.com/fabric8io/kubernetes-client/blob/v6.3.1/doc/MIGRATION-v6.md
> for details) requiring coordinated changes across plugins using this
> library in the Jenkins ecosystem.
>

Would a new library plugin for the new major release not solve this problem
in a way much less likely to affect existing users? There's already jquery
and jquery3-api, commons-lang-api and commons-lang3-api, jackson-databind
and jackson2-api, bootstrap4-api and bootstrap5-api, etc. all doing it that
way AFAIUI.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLoJKB3o-ugJmoH6DhkbKVzLLEnOcVSqhKZqjv1TgQgGA%40mail.gmail.com.


Re: Proposal to ensure new plugin hosting requests use Maven instead of Gradle

2023-01-02 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Dec 16, 2022 at 7:43 PM sghil...@gmail.com 
wrote:

> > Last I checked, generated poms were also invalid, which is a problem for
> > any consumers of these artifacts that do more than just download the hpi.
>
> I believe this was fixed in 2019 as v0.31.0.
>

Great, thanks for the correction. Seems "last I checked" was quite a while
ago :)

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtL4o7HbOOoVnrd3x2qRRm6YExfwE9z7qL4Sgdyfr_tuwg%40mail.gmail.com.


Re: Renaming a plugin

2023-01-02 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Dec 30, 2022 at 7:51 AM Marit M  wrote:

> I changed the name, and I would still like to change the *artifactId* as
> well.
> Please advise the steps that should be taken.
>

You shouldn't, see
https://github.com/jenkins-infra/repository-permissions-updater#changing-plugin-id

If you _really_ want to: It's a new, different plugin. Start over, creating
a new plugin with the new name. Copy all code over. Change the package
name, so the fully qualified class names are different (perhaps use this
opportunity for a little cleanup of backwards compatibility code). Mark the
old plugin as deprecated. Think about the expected behavior when both
plugins are installed, in particular any configuration/data migration (or
don't and let users reconfigure everything). Consider creating an
administrative monitor requesting that users uninstall the old plugin if
both the old and new plugin are installed and enabled. This gets even more
difficult if any other plugins declare a dependency on the obsolete one.

This is really hard to do well, and I don't think it has been done in a
long time in any plugin that can be considered even a little popular. All
of the old Pipeline-related plugins are still named "workflow-whatever"
despite the user-visible name having changed six years ago.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJxZ5dJsAigmvixVe16wa1OARfLGzwo-BAap_B1woZoyg%40mail.gmail.com.


Re: Maintenance with downtime of JFrog Artifactory (repo.jenkins-ci.org) 18 of December of 2022

2022-12-09 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Dec 9, 2022 at 4:55 PM Damien Duportal 
wrote:

> - No artifacts can be downloaded (failing builds on your machines as well
> as builds on ci.jenkins.io)
>

Could you put ci.j.io into quiet down mode for the time to prevent builds
failing for infra reasons?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJ2cD1J2U1%3DkY0ZJDRs1MybwAFL9t3CFBO7JoB3pXVkOA%40mail.gmail.com.


Re: Proposal to ensure new plugin hosting requests use Maven instead of Gradle

2022-12-08 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Dec 7, 2022 at 11:20 AM Alexander Brandes 
wrote:

> There's no support for automated releases (CD, JEP-229), missing metadata
> for the plugin page and a few other limitations, which don't make it a
> great experience using it.
> …
> I would be ready to lift this restriction again if the JPI plugin
> developers provide the same scope of tools like we have for Maven.
>

Is the maintainer of Gradle JPI Plugin aware of these requirements and/or
this discussion? I don't see him in cc.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BkEXs0CQ054sugWZaDU-7kmsCsTwPkps_vMQOfi%3D21AQ%40mail.gmail.com.


Re: JDK19 is now available on ci.jenkins.io

2022-12-08 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Dec 8, 2022 at 11:02 AM 'Stephane Merle' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> Hello dear developers,
>
> I’m happy to announce that in order to allow contributors to prepare the
> future of Jenkins by working in advance with new JDK, we’ve added JDK19 on
> ci.jenkins.io.
>

Given this is the first time (I think) that a non-LTS JDK is provided, what
are the plans around supporting this? Will it be removed once JDK 20
exists? Once JDK 21 (next LTS) exists? Will it be supported indefinitely?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2B_oFaaQhu_kL65qNEr%3Dc7qX2%3D-xYERe0M%3DzjrPAM9inw%40mail.gmail.com.


Re: Proposal to ensure new plugin hosting requests use Maven instead of Gradle

2022-12-07 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Dec 7, 2022 at 11:20 AM Alexander Brandes 
wrote:

> There's no support for automated releases (CD, JEP-229), missing metadata
> for the plugin page and a few other limitations, which don't make it a
> great experience using it.
>

Last I checked, generated poms were also invalid, which is a problem for
any consumers of these artifacts that do more than just download the hpi.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJ3uDczz36EygL%2BB%2BM%2BsLfcKcMnLzA3%2BwHoy5om2NTd_A%40mail.gmail.com.


Re: End of year holidays and Jenkins 2.375.2 release schedule

2022-11-22 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Nov 22, 2022 at 9:53 PM Tim Jacomb  wrote:

> Is there an issue with what’s already in the calendar?
>

A one month RC period makes it more likely to have requests for post-RC
changes crop up. I'd prefer to shorten it for that reason (like Mark
suggested).

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtKO_cpKa7SMzGxXD5N6%3DH4wAb6nH1ctEUgDxzZYKnjW6Q%40mail.gmail.com.


Re: Translating some tutorials?

2022-10-26 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Oct 26, 2022 at 11:59 AM 'Alina Strohaya' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> I'm kind of surprised that you said this about maintenance, because if
> it's in OSS, and gets outdated, or people notice something they want to
> improve, they can file a PR and add to it. The community can review and
> assist. On an article on this kind of site, I'm the sole author. If I don't
> maintain or update it, no one will, it's just me.
>

True in the general case, but translations might be special in that a
relatively small group (contributors and reviewers) becomes even smaller
(contributors and reviewers fluent in a specific language). Additionally,
neither many contributors nor the majority of users will be able to even
identify content problems, and if they're identified, getting them
addressed other than just deletion is a new challenge. When KK merged
anonymously contributed translations without review, there was some
embarrassing nonsense included in Jenkins for several years.

In general, we've not had great experiences in the past with bigger
translation projects specifically.
https://plugins.jenkins.io/localization-zh-cn/ , for which there's an
entire JEP, has had two contributions and no releases in the last
two years. Two other contributors wanted to go this route in core PRs #4306
and #4775 (first step: delete all translations that already exist…), and
there was very little followup when we suggested they start contributing
regular translations first.  The Chinese localized version of jenkins.io is
badly outdated: https://www.jenkins.io/zh/changelog-stable/ is probably the
most easily understandable example.

In the case of a localized tutorial, it is unclear what would need to be
done when the source text is substantially updated. In core, we generally
delete affected translations, resulting in a fallback to the updated
English text for a few more strings on the UI, and IIRC there've been some
interesting discrepancies when we didn't do that. Deleting an entire
tutorial doesn't seem practical.

I absolutely do not want to discourage you from contributing translations!
As a project we need to consider how this plays out long-term, including
after you've moved on or lost interest. If you have suggestions how we
would navigate that, it'd make your proposal much stronger.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtKwDRqcOZe-79961LG_ah7_DJhQnNNQcg3zuCgEi6jVeg%40mail.gmail.com.


Re: Proposal: Alexander Brandes (@NotMyFault) to join the Core team

2022-10-13 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Oct 13, 2022 at 9:11 AM Tim Jacomb  wrote:

> I would like to propose Alexander Brandes (@NotMyFault) to join the
> Jenkins Core team.
>

+1

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJFQvvfqtNixCGOk34quz7Fm_bu0as_QNOVxX%2BXY5jvwA%40mail.gmail.com.


Re: Recommendations for updating minimum Jenkins version on plugin

2022-10-10 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Oct 10, 2022 at 10:01 AM Jamie Tanna  wrote:

>
> Would it be best to create a new conversation to chat about this and
> request support / is there a better place I can see if anyone can give a
> hand with it?
>

Please note that the vast majority of plugins are built with Maven, so
expertise on Gradle JPI Plugin isn't as readily available.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJU8mf9XUHK3-_Nqg0EYY5rGW_XxKhGMA4tSCRz7PMgMA%40mail.gmail.com.


Re: Artifactory Problems?

2022-09-28 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Sep 28, 2022 at 3:21 PM DuMaM  wrote:

>
> Could you share a sample of a correct settings.xml file so I can compare it?
>

The linked documentation has two complete examples of the settings.xml file
you need (just needs replacing username/password entries as appropriate).

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BQ3sLctKoNL%2BMK4tAXoV6ajNUH-Jn%2B5KMA81c4LjnvoQ%40mail.gmail.com.


Re: Artifactory Problems?

2022-09-28 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Sep 28, 2022 at 3:19 PM DuMaM  wrote:

> https://repo.jenkins-ci.org/ui/login/
> Following with this tutorial
> https://www.jenkins.io/doc/developer/publishing/releasing-manually/


  Re-read step 7.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLet4HmyMY5nwQLqdYcG3VLWdaqmMoK2b47p4s6%3DnYK4w%40mail.gmail.com.


Re: Artifactory Problems?

2022-09-28 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Sep 28, 2022 at 1:16 PM DuMaM  wrote:

>
>   central (https://repo.jenkins-ci.org/artifactory/remote-snapshot-repos,
> releases=true, snapshots=false),
>   snapshots (https://repo.jenkins-ci.org/artifactory/remote-snapshot-repos,
> releases=true, snapshots=true)
>

This looks like nonsense. Check your Maven settings.xml.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtJX6UgzXjPKUzccexzXO6VT8%2By19p6pW257jhu9dYLYzw%40mail.gmail.com.


Re: Random String Parameter Plugin has several vulnerabilities

2022-09-07 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Sep 7, 2022 at 2:11 PM Khachatur Ashotyan <
khachatur.ashot...@gmail.com> wrote:

> I'm not sure, that I want to adopt this plugin, …. I'm ready to maintain
> this plugin.
>

Could you clarify what you mean, because these don't seem to go together?
We call it "adoption" when someone starts maintaining an abandoned plugin.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtK_u4vL2FTLpgb-EVTqka564u5J0KGrWD23bBx%2BxKAESA%40mail.gmail.com.


Re: Error injecting: public org.apache.maven.repository.internal.DefaultVersionResolver org.apache.maven.repository.internal.DefaultVersionResolver.setRepositoryEventDispatcher(org.eclipse.aether.impl

2022-09-01 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Sep 1, 2022 at 1:37 PM Mehul Parmar 
wrote:

> ### Jenkins and plugins versions report
>
> 
>   Environment
>
>   
>   ```text
>   Paste the output here
>   ```
>
> 
>

The instructions Basil provided in
https://github.com/jenkinsci/jenkins-test-harness/issues/480#issuecomment-1226073300
should indicate that what you posted there (and copied here) isn't good
enough.

Please provide the additional information requested in his comment.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtKNZxweJFMnVm%2B%2BJAVPgsAZr_pp_UsqVwWapt_PZibKQg%40mail.gmail.com.


Re: Apache Jelly grammar and parser

2022-08-29 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Aug 26, 2022 at 5:04 PM Alceu Rodrigues de Freitas Junior <
alceu.freitas...@gmail.com> wrote:

>
> Supposedly the XML parser is getting the tooltip text as expected, but
> the rest I would need to do an additional effort to parse properly.
>

https://github.com/jenkinsci/stapler/blob/981fdd98007ee50f18b23a0b1ef0ade1120e763b/jelly/src/main/java/org/kohsuke/stapler/jelly/CustomJellyContext.java#L139-L171
might help you parse this. It's how Stapler processes these strings.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtKhwKtq6%3DYwnmG%2B6355zCaMVn6rOgURNQZ6qs1c%2BCtq%3Dw%40mail.gmail.com.


Re: Apache Jelly grammar and parser

2022-08-26 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Aug 25, 2022 at 9:28 PM Tim Van Holder 
wrote:

> I would expect that in most cases, the jelly files used by Jenkins and its
> plugins would already be using localized strings (like "${%Hello World}"
> which will use the "Hello World" resource from the bundle matching the
> jelly file's basename.
>

The linked tool is a fork of
https://github.com/jenkinsci/jenkins/blob/master/translation-tool.pl which
finds those %whatever strings and puts them into .properties files so the
people translating don't need to hunt for them in Jelly files.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BrU-AT-uyg-EdQ-HM325Y-gpXtBAXjFC6xgTSUBQOSwQ%40mail.gmail.com.
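
An added sketch (not code from this thread, from Stapler, or from translation-tool.pl) of collecting `${%...}` keys with an XML parser plus a brace-aware scanner rather than one regular expression. It assumes the key ends at the first `(` and that arguments are comma-separated expressions; `SAMPLE_JELLY` and every function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Jelly view (not taken from any real plugin).
SAMPLE_JELLY = """<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:entry title="${%Hello World}" help="/help.html">
    <f:textbox value="${it.name}" tooltip="${%Delete(it.name)}"/>
  </f:entry>
  <p>${%blurb(rootURL, it.items.size() > 0 ? '}' : '{')} and ${%Save}</p>
</j:jelly>
"""


def scan_i18n(text):
    """Return the body (between '${' and '}') of each ${%...} expression."""
    found, pos = [], 0
    while (start := text.find("${%", pos)) >= 0:
        i, depth, parens, quote = start + 3, 1, 0, None
        while i < len(text) and depth:
            c = text[i]
            if quote:                      # inside a quoted string argument
                if c == "\\":
                    i += 1                 # skip the escaped character
                elif c == quote:
                    quote = None
            elif parens and c in "'\"":    # quotes only matter inside the arguments,
                quote = c                  # so a key like "Don't stop" stays intact
            elif c == "(":
                parens += 1
            elif c == ")" and parens:
                parens -= 1
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            i += 1
        if depth:                          # unterminated expression: stop scanning
            break
        found.append(text[start + 2 : i - 1])
        pos = i
    return found


def split_key_args(body):
    """Split '%key(arg, arg)' into (key, [args]); assumes key ends at first '('."""
    head, sep, rest = body[1:].partition("(")
    if not sep:
        return head, []
    rest = rest.rstrip()
    if rest.endswith(")"):
        rest = rest[:-1]
    args, cur, parens, quote, skip = [], [], 0, None, False
    for c in rest:
        if skip:
            skip = False
        elif quote:
            if c == "\\":
                skip = True
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            parens += 1
        elif c == ")":
            parens -= 1
        elif c == "," and parens == 0:     # top-level comma separates arguments
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(c)
    if "".join(cur).strip():
        args.append("".join(cur).strip())
    return head, args


def extract_keys(jelly_source):
    """Map each localization key in a Jelly document to its argument count."""
    keys = {}
    for el in ET.fromstring(jelly_source).iter():
        # Keys can appear in element text, trailing text, and attribute values.
        for chunk in (el.text, el.tail, *el.attrib.values()):
            for body in scan_i18n(chunk or ""):
                key, args = split_key_args(body)
                keys.setdefault(key, len(args))
    return keys


def properties_key(key):
    """Escape a key for a Java .properties file (space, '=', ':' and backslash)."""
    return "".join("\\" + c if c in " =:\\" else c for c in key)


if __name__ == "__main__":
    for key, argc in extract_keys(SAMPLE_JELLY).items():
        print(f"{properties_key(key)}=    # {argc} argument(s)")
```
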


Re: Apache Jelly grammar and parser

2022-08-26 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Aug 24, 2022 at 6:29 PM Alceu Rodrigues de Freitas Junior <
alceu.freitas...@gmail.com> wrote:

> I've been working on a CLI to parse the properties and Jelly files from
> the Jenkins project, in order to help the translation process from English
> to other languages.
>
> The project is here:
> https://github.com/glasswalk3r/jenkins-translation-tool.
>
> The CLI is still using regular expressions for the Jelly parsing and I've
> been struggling to replace that with proper parsers.
>
> I partially reached that by introducing an XML parser and then extracting
> the Jelly strings.
>
> The thing is, Jelly is complex enough that regular expressions are still
> not good enough for parsing: I keep finding corner cases that are not being
> covered by the already complex regular expressions.
>
> I decided that it is time to stop and try to build a proper grammar to parse
> Jelly.
>

Out of curiosity, what are some of the corner cases that cause problems?
How common are they?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7Pt%2BTjm6vWadirx4km27mwk%2BLM65mYdcXvT6fBkZOSa9nBA%40mail.gmail.com.


Re: ASM in core

2022-08-18 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Aug 18, 2022 at 6:40 AM Basil Crow  wrote:

> Recent weeklies no longer consume ASM. So shall we detach it to a
> library plugin?
>

I might miss some context, as this thread has been going for a while, but
is a clean removal like JNR doable here as well? A quick GH search
indicates that only a few plugins use ASM.



Re: Merging multiple build steps into one (with nested Describables)

2022-08-15 Thread 'Daniel Beck' via Jenkins Developers
On Sun, Aug 14, 2022 at 6:14 PM Tim Van Holder 
wrote:

> The only thing that would be additionally useful is an automated migration
> step; I wonder if there's any way I could have a button/link in the
> config.jelly that would allow me to construct the new step based on the old
> step's properties and have the UI take that new step into account for the
> project being edited?
>

You may be able to readResolve them to the new type on deserialization.
(Won't work for pipelines though).

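A sketch of the readResolve migration suggested in this reply, as an added example that is not code from the thread or from any Jenkins plugin. All package and class names are hypothetical, and it assumes the old step was a freestyle Builder persisted in job config.xml files; as the reply notes, it does not help for Pipeline jobs.

```java
// ---- File: CombinedBuilder.java (hypothetical new step) ----
package io.example.migration;

import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractDescribableImpl;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.model.Descriptor;
import hudson.model.TaskListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import org.kohsuke.stapler.DataBoundConstructor;

/** The single merged build step; what it does is chosen by a nested Describable. */
public class CombinedBuilder extends Builder {
    private final Operation operation;

    @DataBoundConstructor
    public CombinedBuilder(Operation operation) {
        this.operation = operation;
    }

    public Operation getOperation() {
        return operation;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        operation.run(listener);
        return true;
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Combined step";
        }
    }

    /** Base type of the nested Describables, one subclass per former build step. */
    public abstract static class Operation extends AbstractDescribableImpl<Operation> {
        public abstract void run(TaskListener listener);
    }

    /** Carries the settings that the old stand-alone step used to hold. */
    public static class CompileOperation extends Operation {
        private final String target;

        @DataBoundConstructor
        public CompileOperation(String target) {
            this.target = target;
        }

        public String getTarget() {
            return target;
        }

        @Override
        public void run(TaskListener listener) {
            listener.getLogger().println("compile " + target);
        }

        @Extension
        public static class DescriptorImpl extends Descriptor<Operation> {
            @Override
            public String getDisplayName() {
                return "Compile";
            }
        }
    }
}

// ---- File: LegacyCompileBuilder.java (hypothetical old step) ----
// It keeps its original fully-qualified class name and field names so that
// existing config.xml entries still deserialize. It has no @DataBoundConstructor
// and no @Extension descriptor, so it can no longer be added to a job.
package io.example.migration;

import hudson.tasks.Builder;

@Deprecated
public class LegacyCompileBuilder extends Builder {
    private String target; // populated from the persisted XML

    /**
     * Called after the fields have been read from config.xml. Whatever is
     * returned replaces this object in the job's builder list; the file on
     * disk is rewritten in the new format the next time the job is saved.
     */
    protected Object readResolve() {
        return new CombinedBuilder(new CombinedBuilder.CompileOperation(target));
    }
}
```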


Re: Advanced button issue

2022-08-12 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Aug 12, 2022 at 12:52 PM Nikhil Bhoski 
wrote:

> Hi, I am planning to include an advanced section in my plugin. I am using this
> documentation as reference
> https://wiki.jenkins.io/display/JENKINS/Jelly-form-controls.html and
> used the following code in the resources folder and action class folder name
>
> 
>   
> 
>   
> 
>
> I am keeping my configure-advanced.jelly in the same folder as my
> action class next to config.jelly; however, the page is not getting rendered
> on click. Where should I keep my include page to get picked in this case?
>

Could you provide a complete example that demonstrates the problem?



Re: unable to perform jenkins release

2022-08-11 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Aug 11, 2022 at 9:29 AM 'Mohammad Jameel Uddin' via Jenkins
Developers  wrote:

> I am unable to perform mvn release:perform, getting error like this
>
>  Failed to execute goal
> org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy)
> on project aiq: Failed to deploy artifacts: Could not transfer artifact
> io.jenkins.aiq:1.21 from/to central (https://repo.jenkins-ci.org/releases):
> authentication failed for
> https://repo.jenkins-ci.org/releases/io/jenkins/plugins/aiq/1.21/aiq-1.21.hpi,
> status: 401 Unauthorized -> [Help 1]
>
>
>

See
https://www.jenkins.io/doc/developer/publishing/releasing-manually/#troubleshooting



Re: AIX server is showing out of memory post jenkins upgrade.

2022-07-29 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Jul 29, 2022 at 9:02 PM Damodara Devops 
wrote:

> We have upgraded to Jenkins 2.332.3; post
> upgrade, all the jobs run on the AIX server are showing 'out of memory'.
> All the jobs were running fine before the upgrade.
> Would like to know if anyone has come across such an issue. And would like to
> know your resolution steps.
>

Please ask this on the Jenkins users mailing list.

Also, it helps to provide information about the version you upgraded from,
and what else changes (e.g. plugin updates).



Re: Next LTS baseline

2022-07-29 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Jul 29, 2022 at 7:53 PM Alexander Brandes 
wrote:

> +1 for 2.361
>
> It's worth mentioning that 2.361 contains several regression fixes too,
> which you don't want to miss out.
>

They could always be backported into 2.360.x. So the question to ask is, do
we want everything in 2.361?

FWIW I think 2.361 looks reasonable, all bad feedback is about a plugin
that isn't even bundled, and the changes look reasonable enough.



Re: Script-security

2022-07-26 Thread 'Daniel Beck' via Jenkins Developers
Are you a Jenkins administrator, whose scripts are automatically
approved, while those methods are invoked?



Re: comment-ops-bot available in jenkinsci and jenkins-infra

2022-07-25 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Jul 25, 2022 at 12:20 PM Tim Jacomb  wrote:

> > Can we have review requests enabled by default while label changes are
> opt in?
>
> I'm not sure if that would scale across the number of infrequently touched
> repositories that we have.
>

Infrequently touched repos are the problem for overly permissive defaults,
since it would take forever for someone with a higher level of access to
notice vandalism and fix it up.

The link does not discuss opt in, just how to define an opt out. That's the
wrong question to ask.



Re: comment-ops-bot available in jenkinsci and jenkins-infra

2022-07-25 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Jul 25, 2022 at 12:03 PM Alexander Brandes 
wrote:

> opt out.
>

Can we have review requests enabled by default while label changes are opt
in?



Re: comment-ops-bot available in jenkinsci and jenkins-infra

2022-07-25 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Jul 25, 2022 at 10:22 AM Tim Jacomb  wrote:

> It requires no organization permissions, which means anyone can request a
> review and add labels to issues and pull requests.
>

What if I don't want randos on the internet messing up labeling of open PRs
in repos I maintain?



Re: Frontend unit tests in core

2022-07-22 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Jul 22, 2022 at 6:39 PM Basil Crow  wrote:

>
> some sort of tab bar.
>

Looks like it's the tabs over job config forms ("scrollspy" elsewhere). For
freestyle at least they were replaced with sidepanel items with
similar behavior (plus icons) in 2.360.


> I am inclined to vote in favor of ripping this out, unless someone
> wants to take on JENKINS-68975 and JENKINS-69070. Does anyone have any
> thoughts about this?
>

+1



Re: Grant timja immediate permissions to commons-lang3-api plugin

2022-07-19 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Jul 19, 2022 at 5:31 AM Mark Waite 
wrote:

> The preferred fix needs a new release of the commons-lang3-api plugin.
> The current maintainer has not responded to previous requests nor to the
> current request that asks to grant Tim Jacomb permission to maintain the
> plugin.
>
> The usual process would require a 2 week wait for the adoption request to
> "time out".  I propose an exception in this case based on the need to
> deliver a new release of the commons-lang3-api-plugin.  Tim is the Jenkins
> release officer, a long-standing contributor to the Jenkins project, and a
> strong contributor.
>
> I propose that Tim be granted permission immediately to maintain the
> commons-lang3-api plugin as requested in the RPU pull request.
>

As I wrote in the RPU PR, the easy fix without plugin governance challenges
is to remove the ill-advised dependency from configuration-as-code,
reverting jenkinsci/configuration-as-code-plugin#1979 [of which Tim is
already a maintainer]. It seems unnecessary to go over
maintainers' heads while that's an option. While this is the only plugin
with the dependency, there's no benefit in conflict prevention anyway, and
the PR provides no justification.



Re: Governance meeting - July 11, 2022

2022-07-11 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Jul 11, 2022 at 6:22 PM Mark Waite 
wrote:

> - Trademark usage request from Luminous Productions Co., Ltd
>

That's a private mailing list, so this link isn't helpful.

Since when are trademark requests sent to the board list?

Is someone trying to slip something through while nobody's looking?

Preemptive -1 from me if I don't make the meeting.



Re: Is there interest for GitHub issues in core components?

2022-07-01 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Jun 30, 2022 at 10:01 PM Basil Crow  wrote:

> For example, moving from our
> traditional Jira server to Jira Software Cloud (with HTTP redirects if
> necessary) would be almost completely transparent to core and plugin
> maintainers from the perspective of existing Jira issues, which are
> the vast majority of our existing issues.
>

While I would *strongly* prefer this solution, Jira Cloud has a limit of
20k users even on their largest plans. While they plan to support more[1],
their road map ends at 50k users, and there's a chance these slightly
increased limits won't be available to us when migrating and being covered
by their open source program[2].

For comparison, we have 130k users in Jira. While many are probably not
legitimate users of Jira (some have never logged in but were just created
by the account app when someone signed up there), and we can probably
remove ones that haven't been logged in in years, I wouldn't be surprised
if this limit is going to be a real problem for us.

Before we reject alternatives for not being (enough like) Jira, we should
make sure, with support from Atlassian, that we're even in a situation that
allows remaining on Jira for more than two years.

1: https://www.atlassian.com/roadmap/cloud?category=scale
2: https://www.atlassian.com/software/views/open-source-license-request



Re: New Plugin With Multiple Components Hosting Question

2022-06-30 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Jun 30, 2022 at 8:55 PM Mark Diesburg  wrote:

> We could submit just the source for the test-management plugin portion
> with reference to the other two components on GitHub since they can be used
> independently for other purposes.
>
>  Would this be acceptable?
>
>  Or would we have to submit all three components and also host the
> rest-client and reporting-tool components separately on GitHub in case
> someone wanted to use them for other purposes?
>
If you have general purpose libraries, those artifacts are best hosted e.g.
on Maven Central. I think GH packages need authentication to download,
making their use slightly inconvenient.

General purpose libraries deployed to the Jenkins Maven repo does not
really make sense, as we do not support its use as a general purpose Maven
repository.



Re: Security approval required on UI-related PRs in Jenkins core

2022-06-22 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Jun 22, 2022 at 9:26 PM 'wfoll...@cloudbees.com' via Jenkins
Developers  wrote:

> Great idea Alex =>  *@jenkinsci/core-security-review* created
>
> Thanks for the feedback and yes Tim, I will allocate more people to those
> reviews, compared to the hosting requests that were mainly out-of-order
> stuff we are doing.
>

I would like to retain the ability to review core PRs without those reviews
automatically counting towards security review, so please be mindful in
the handling of this reviewer group. (In particular, me requesting changes
for other reasons should not carry the same weight as rejecting a PR for
security reasons.)



Re: 401 unauthorized when attempting plugin release

2022-06-22 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Jun 22, 2022 at 4:43 PM Philip Madden 
wrote:

> Plugin: https://github.com/jenkinsci/hashicorp-vault-pipeline-plugin
> Release Tag:
> https://github.com/jenkinsci/hashicorp-vault-pipeline-plugin/tree/hashicorp-vault-pipeline-1.4
> maven version: 3.8.4
>
> After following the instructions here,
> I'm currently receiving a 401 unauthorized error when attempting to run mvn
> release:perform from my new machine.
>
> I can confirm I can log into artifactory (https://repo.jenkins-ci.org) as
> I used this to generate my maven settings file (I have tried both encrypted
> and plain text passwords in my .m2/settings.xml file) but I am unable to
> publish artifacts.
>

401 means your Maven settings are wrong, unrelated to plugin release
permissions. (You can also confirm by trying to `mvn deploy` a snapshot,
there's no permission requirement for that.)

Which of the strategies on the linked docs page did you use to obtain your
settings.xml files? Did you try the other option to see whether the result
is different?



Re: Backporting for LTS 2.346.1 started

2022-06-22 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Jun 22, 2022 at 4:24 PM 'wfoll...@cloudbees.com' via Jenkins
Developers  wrote:

> Hey there, especially Tim,
>
> The next question related to the extra week delay, what do you expect to
> do for the .2 LTS release? It seems that currently it's still scheduled in
> 3 weeks.
>
>
I'd keep the schedule, it aligns with project meetings.



Re: TransientActionFactory question

2022-06-20 Thread 'Daniel Beck' via Jenkins Developers
The run is null, so there's nothing to get a sidepanel from.

The RunAction2 special behavior isn't supported by
TransientActionFactory, so you need to add a constructor argument to end
up with a reference to the Run. Could be as designed based on the
RunAction2 Javadoc. The problem it solves is one that isn't trivial to do
otherwise (having a reference to the run after loading from disk), so I can
see why this might get ignored in the transient action factory case,
that's easy to solve.

Here's a patch to make it work:
https://gist.github.com/daniel-beck/34b7a1425f85bfa499bd43823d17f030

On Thu, Jun 16, 2022 at 8:48 PM Nozim Islamov <
mukhammadnozim.isla...@gmail.com> wrote:

> Actually, I am using RunAction2 interface, and I am using
> TransientActionFactory to show it for every Run, please refer to this git:
> https://github.com/M1ZoN/promoted/tree/SimpleBuildWrapper
> ActionFactory:
> https://github.com/M1ZoN/promoted/blob/SimpleBuildWrapper/src/main/java/io/jenkins/plugins/sample/MyActionFactory.java
> RunAction2:
> https://github.com/M1ZoN/promoted/blob/SimpleBuildWrapper/src/main/java/io/jenkins/plugins/sample/PromotedBuildAction.java
> Jelly for Action:
> https://github.com/M1ZoN/promoted/blob/SimpleBuildWrapper/src/main/resources/io/jenkins/plugins/sample/PromotedBuildAction/index.jelly
>
> On Thursday, June 16, 2022 at 4:08:21 AM UTC-7 jn...@cloudbees.com wrote:
>
>> Hi,
>>
>> If I understand your question correctly, you just need to return non-null
>> for getDisplayName and getIconFileName in your Action[1]
>>
>> /James
>>
>> [1] https://javadoc.jenkins.io//hudson/model/Action.html
>>
>> On Thursday, June 16, 2022 at 12:17:40 AM UTC+1 mukhammadno...@gmail.com
>> wrote:
>>
>>> Is there any way to include side-panel to actions that are created by
>>> TransientActionFactory?
>>
>

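The constructor-argument approach described at the top of this message, as an added example (it is not the linked gist and not the poster's plugin code). Package and class names are hypothetical; the factory hands each Run to the action so that its view has a build to take the side panel from.

```java
// Added illustration; package and class names are hypothetical.
package io.example.promoted;

import hudson.Extension;
import hudson.model.Action;
import hudson.model.Run;
import java.util.Collection;
import java.util.Collections;
import jenkins.model.TransientActionFactory;

/**
 * Action contributed on the fly to every build. The Run is supplied by the
 * factory through the constructor rather than through RunAction2 callbacks.
 */
public class RunLinkedAction implements Action {

    private final Run<?, ?> run;

    public RunLinkedAction(Run<?, ?> run) {
        this.run = run;
    }

    /**
     * Exposed for the view. A typical index.jelly renders the build's side
     * panel with: <st:include it="${it.run}" page="sidepanel.jelly"/>
     */
    public Run<?, ?> getRun() {
        return run;
    }

    // Non-null icon and display name so the link appears on the build page.
    @Override
    public String getIconFileName() {
        return "document.png";
    }

    @Override
    public String getDisplayName() {
        return "Promotion";
    }

    @Override
    public String getUrlName() {
        return "promotion";
    }

    /** Creates one action per Run and passes the Run in explicitly. */
    @Extension
    @SuppressWarnings("rawtypes")
    public static class Factory extends TransientActionFactory<Run> {

        @Override
        public Class<Run> type() {
            return Run.class;
        }

        @Override
        public Collection<? extends Action> createFor(Run target) {
            return Collections.singleton(new RunLinkedAction(target));
        }
    }
}
```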


Re: New gradle plugin, attempting to publish or upload hpi for the 1st time

2022-06-14 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Jun 14, 2022 at 8:51 PM 'ggillman ggillman' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> 2022-06-13T10:11:11.174-0500 [ERROR]
> [org.gradle.internal.buildevents.BuildExceptionReporter] > Could not PUT '
> https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/ws-ctm-plugin/1.0.0.0/ws-ctm-plugin-1.0.0.0.pom'.
> Received status code 403 from server:
>

Remove the -plugin suffix in your project settings to match the path
you're allowed to upload to.



Re: Is there interest for GitHub issues in core components?

2022-06-13 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Jun 13, 2022 at 9:05 PM 'Jesse Glick' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> On Mon, Jun 13, 2022 at 10:02 AM 'Daniel Beck' via Jenkins Developers <
> jenkinsci-dev@googlegroups.com> wrote:
>
>> On Mon, Jun 13, 2022 at 3:55 PM Tim Jacomb  wrote:
>>
>>> The barrier to entry on Jira is a lot higher than on GitHub, many people
>>> struggle to report issues.
>>>
>>
>> Is people not reporting issues they experience really a problem we have?
>>
>
> FWIW I filed JENKINS-68727
> <https://issues.jenkins.io/browse/JENKINS-68727> just a few days ago
> after receiving private email from someone saying
>
> I would like to report a bug, but the bugtracker on jira does not allow me
>> to create a new account.
>
>
Without more information, I cannot check what could have caused this. In
the last 24 hours, 67 people have signed up for new accounts.

I think nobody is currently around anymore to respond to account creation
requests when people fail the (not great) spam filter, but that's about an
email every other week or so.



Re: Is there interest for GitHub issues in core components?

2022-06-13 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Jun 13, 2022 at 3:55 PM Tim Jacomb  wrote:

> The barrier to entry on Jira is a lot higher than on GitHub, many people
> struggle to report issues.
>

Is people not reporting issues they experience really a problem we have?

Unless we step up our responsiveness, having a backlog of issues nobody
cares about is not useful.



Re: warnings-ng-plugin-devenv won't build

2022-06-02 Thread 'Daniel Beck' via Jenkins Developers
That URL hasn't worked in a long time. Cloning the devenv repo and running
the clone script, including build, works for me. Are you sure you don't
have a Maven settings.xml file or something that specifies custom URLs?

On Thu, Jun 2, 2022 at 2:18 AM Simon Matthews 
wrote:

> I am running on a fresh install of Ubuntu 22.04 and it won't build (last
> part of clone_repos.sh) for me. I think the error is this line (and
> similar):
>
> Caused by: org.eclipse.aether.resolution.ArtifactResolutionException:
> Could not transfer artifact
> org.jvnet.hudson.plugins:analysis-pom:pom:5.23.0 from/to
> repo.jenkins-ci.org (http://repo.jenkins-ci.org/public/): Transfer failed
> for
> http://repo.jenkins-ci.org/public/org/jvnet/hudson/plugins/analysis-pom/5.23.0/analysis-pom-5.23.0.pom
> 308 Permanent Redirect
>
> Any ideas?
>
> Simon
>
>



Re: 409 errr on plugin release

2022-05-21 Thread 'Daniel Beck' via Jenkins Developers



> On 21. May 2022, at 20:10, priya jagyasi  wrote:
> 
> Can anyone please tell me what this implies? What am I doing wrong, please 
> help.

You are trying to release a plugin using JEP-229 CD without having it 
configured correctly as documented at 
https://www.jenkins.io/doc/developer/publishing/releasing-cd/

At a glance, the changelist property in the pom.xml looks wrong, but I 
recommend you review everything.



Re: Configure release drafter

2022-05-19 Thread 'Daniel Beck' via Jenkins Developers
On Thu, May 19, 2022 at 1:27 PM priya jagyasi 
wrote:

> I need help in configuring the release drafter to release my Jenkins
> plugin. The step here
> https://www.jenkins.io/doc/developer/publishing/releasing-cd/#configure-release-drafter
> says to include *_extends: .github* on
> https://github.com/jenkinsci/.github/blob/master/.github/release-drafter.yml
> file. Could you help how to do it? I see this file already has some
> content, what is expected here to do?
>

This means to create a directory called ".github" inside your repository
(unrelated to the jenkinsci/.github repository!), add a file called
"release-drafter.yml" inside that directory, and use that as the content.

That'll result in your repo inheriting the configuration in the .github
repository.



Re: How does dropdownList work and what can affect the descriptorImpl

2022-05-09 Thread 'Daniel Beck' via Jenkins Developers
On Mon, May 9, 2022 at 7:13 PM Michael Carter 
wrote:

> debug var.:
> org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition$DescriptorImpl@72d8eb26
>
> debug currDesc:
> org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition$DescriptorImpl@6904e8d2
>

This means there are two different instances of the same descriptor.
Descriptors are expected to be instantiated once, typically during load by
processing the @Extension annotation. So I'd check whether you're
instantiating the descriptor somewhere manually, or otherwise messing with
descriptor/extension lists.



Re: Next LTS baseline

2022-05-09 Thread 'Daniel Beck' via Jenkins Developers
On Sat, May 7, 2022 at 12:22 AM Mark Waite 
wrote:

> The issues that worried me were:
>
>- JENKINS-68303  -
>Schedule build icon no longer indicates the "scheduled to be built" state
>since 2.321 - merged for 2.347 next Tuesday
>
> …

>
>- JENKINS-68042  -
>Help icon placement incorrect since 2.320 (fix is in review) - merged for
>2.347 next Tuesday
>
These are already in an LTS line. While it would be nice to not have them
in another, the LTS feedback doesn't indicate these were big issues, and we
can always backport fixes into .1 or .2. It really doesn't look like we
need to hold off further for these specifically.



Re: Proposal: Move Jenkins Test Harness issue tracker to GitHub Issues

2022-04-28 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Apr 28, 2022 at 12:20 AM Oleg Nenashev 
wrote:

> Jenkins Test Harness is not a core component, it is a separate deliverable
> with its own release lifecycle
> Same for other developer tools AFAICT
>

Not part of the core deliverable, but core team repos. Projects still
likely cross issue trackers.



Re: Correct permission checks to add

2022-04-28 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Apr 28, 2022 at 1:12 AM Tim Van Holder 
wrote:

> For those bits related to the global tool setup, I simply use Jenkins.get
> ().checkPermission(Jenkins.MANAGE); instead. Again, this seems to make
> sense, given the tool setup lives among the Manage Jenkins options.
>

Just in case, please note that Manage is a lesser permission than
Administer. Most stuff in Jenkins is (still) requiring Jenkins.ADMINISTER,
and the UI needs to be adapted too for options to be available to users
with "only" Manage. Some options are also unsafe to make available this way
and it's not always obvious. See
https://github.com/jenkinsci/jep/tree/master/jep/223


> Does this mean I should be testing for FreeStyleProject.CONFIGURE instead
> (these Permission things seem rather hard to discover, I must say)? Or will
> that prevent using the same UI/methods in other contexts (e.g. what
> permissions make the pipeline syntax generator available? that uses the
> same interface as the freestyle project configuration)?
>

Yes, that's correct (well, I'd use Item.CONFIGURE but it's the same thing).

Generic permissions can be *granted*, but should never be *checked*. A
generic permission is any permission never shown in the matrix-auth table.
Note that some permissions may be missing from there, like Item/Artifacts
or Overall/Manage, which are optional and disabled-by-default permissions,
and show up once enabled.


> Am I right in using checkPermission, or should I be using
> checkAnyPermission to check for multiples (say Permission.CONFIGURE,
> FreeStyleProject,CONFIGURE, Jenkins.MANAGE)?
>

Probably not, because Overall/Manage is granted globally (i.e. you'd check
it on Jenkins.get() ), while Item/Configure is granted on an Item, which
you'd get from AncestorInPath in the usual Descriptor form validation
methods. But there are cases where the check/hasAnyPermission methods make
sense. JEP-223/224 define global permissions that make some previously
admin-only stuff available to users with lesser permissions, and so core
has some code to show UI to users that have any of Overall/Manage or
Overall/SystemRead.


> Or should I be using has(Any)Permission() and simply fail silently (i.e.
> return OK validation, or filling no items)?
>

Yes, this is frequently the better UX especially for doCheck/doTest/doFill
methods.

One related complication for permission checks is for Pipeline-compatible
steps (which you mentioned before). If someone opens the Snippet Generator,
there may not be an @AncestorInPath Item, or have the permission
you expect, but you'd still want the user to be able to generate *something*,
because ultimately it ends up in the Jenkinsfile anyway. Fully JCasC
configured instances come to mind here, where no actual user may be an
admin or allowed to configure jobs. No need to return real data though if
you don't have to.


> If the suggestion is "just don't do any checking if there's no real need"
> then I would really appreciate a way to be able to declare that in code so
> that the security scan will not raise an issue for it. E.g. a @Unsecured
> annotation or an empty Jenkins.noPermissionsNeeded() method that will
> satisfy the "Stapler methods must check access rights" requirement.
>

This is a known limitation, tracked in
https://github.com/jenkins-infra/jenkins-codeql/issues/4

Meanwhile, you can mark findings as invalid through the GitHub UI
(unfortunately without an explanation).


> Come to that, if a method doesn't really need @POST, is there any harm
> (e.g. a perf hit) in adding it?
>

If the UI element sends POST anyway, there's no drawback to adding it
(besides it being more annoying to trigger manually e.g. during development
-- choose RequirePOST if that's a likely use case).


> If so, maybe a @GET/@NoPOST annotation to say "this does not need @POST,
> stop bugging me" would be nice too.
> Security scans become less useful if they mostly produce false positives.
>

It's very difficult to distinguish between methods that need protections
(permission checks or POST requirement) from those that don't. I attempted
to exclude some obvious cases of harmless methods, but it can always be
improved! See
https://github.com/jenkins-infra/jenkins-codeql/blob/main/jenkins/java/ql/src/declarations/NonTrivialInvocation.qll
and feel free to suggest additions (via PR or issues)

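The permission-check pattern discussed in the message above, as an added example that is not part of the original thread or of any plugin's own code. The package, the class `ExampleBuilder`, the field `sdk`, the method `doTestInstallation` and the helper `installedSdkNames()` are hypothetical; the Jenkins and Stapler types are the real APIs.

```java
package io.example.dotnet; // hypothetical package

import hudson.Extension;
import hudson.Util;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.util.Arrays;
import java.util.List;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleBuilder extends Builder {
    private final String sdk;

    @DataBoundConstructor
    public ExampleBuilder(String sdk) {
        this.sdk = sdk;
    }

    public String getSdk() {
        return sdk;
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example step";
        }

        // Item-scoped data: check Item.CONFIGURE on the item the form belongs to,
        // not a generic permission and not a global one. In the Snippet Generator
        // there may be no ancestor item, or the user may lack the permission, so
        // fail silently with a harmless default instead of throwing.
        @POST
        public ListBoxModel doFillSdkItems(@AncestorInPath Item item) {
            ListBoxModel model = new ListBoxModel();
            model.add("(default)", "");
            if (item == null || !item.hasPermission(Item.CONFIGURE)) {
                return model; // no real data for callers without Item/Configure
            }
            for (String name : installedSdkNames()) {
                model.add(name);
            }
            return model;
        }

        // Form validation only inspects the submitted value. It never assigns
        // fields, and it returns OK silently when the caller lacks permission.
        // The Jelly control needs checkMethod="post" so the request is a POST.
        @POST
        public FormValidation doCheckSdk(@AncestorInPath Item item,
                                         @QueryParameter String value) {
            if (item == null || !item.hasPermission(Item.CONFIGURE)) {
                return FormValidation.ok();
            }
            String name = Util.fixEmptyAndTrim(value);
            if (name != null && !installedSdkNames().contains(name)) {
                return FormValidation.warning("No SDK named '" + name + "' is configured");
            }
            return FormValidation.ok();
        }

        // Global configuration: the permission is checked on Jenkins.get().
        // Overall/Manage is a lesser permission than Overall/Administer, so an
        // action that touches the controller keeps the stricter check and throws.
        @POST
        public FormValidation doTestInstallation(@QueryParameter String home) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (Util.fixEmptyAndTrim(home) == null) {
                return FormValidation.error("Installation directory is required");
            }
            return FormValidation.ok("Looks plausible");
        }

        // Read-only global information may be shown to users holding either
        // optional permission defined by JEP-223/224.
        public boolean canViewGlobalSettings() {
            return Jenkins.get().hasAnyPermission(Jenkins.MANAGE, Jenkins.SYSTEM_READ);
        }

        // Hypothetical helper standing in for the plugin's tool lookup.
        private List<String> installedSdkNames() {
            return Arrays.asList("sdk-6.0", "sdk-7.0"); // constructed sample data
        }
    }
}
```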


Re: Checking whether a step from a plugin is in actual use in an instance

2022-04-18 Thread 'Daniel Beck' via Jenkins Developers



> On 18. Apr 2022, at 10:38, Tim Van Holder  wrote:
> 
> Can a plugin include code that will update a freestyle project that uses the 
> DotNetFoo builder to use the DotNet builder with a Foo argument instead?

Potentially doable via readResolve as well.



Re: Checking whether a step from a plugin is in actual use in an instance

2022-04-11 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Apr 11, 2022 at 11:53 PM Tim Van Holder 
wrote:

> I maintain a plugin (dotnet-sdk) that mostly provides a global tool and
> associated wrapper.
> But it also has a bunch (currently 11) convenience steps that can be used
> (instead of the wrapper plus bat/pwsh/...).
> I got a ticket saying that this caused a bit of a clutter for freestyle
> jobs, because the list popped up by "Add build step" gets pretty long,
> which was fair enough. It turned out to be very easy (using isApplicable())
> to have each of the steps optionally "hide" itself based on a flag in a
> GlobalConfiguration.
>

Not what you're asking for, but have you considered migrating to a single
".NET" build step that offers 11 modes? That would cut down on top-level
options offered by default and make the list friendlier for people who need
this variety.



Re: Jenkins on SQLite

2022-04-03 Thread 'Daniel Beck' via Jenkins Developers


> On 3. Apr 2022, at 03:58, Basil Crow  wrote:
> 
> I put together a quick prototype today at
> https://github.com/basil/jenkins/tree/sqlite.

This is really cool, thanks for sharing!



Re: Intellij Stapler Framework Support compatibility

2022-03-30 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Mar 30, 2022 at 6:41 AM Denys Digtiar  wrote:

>
> Would anybody be opposed if I bump compatibility to some newer version?
> Maybe 2020.x or something like that?
>

Go for it.


As with Jenkins, if you don't update the core, you're probably not updating
plugins either.



Re: Reverting JENKINS-20679

2022-03-30 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Mar 30, 2022 at 7:32 AM Basil Crow  wrote:

>
> > 1. IIRC I've seen plugins requiring Java 11 that just don't declare it.
> So it's not unused because it isn't needed, but perhaps because plugin
> authors are unaware of it?
>
> I am not familiar with such cases, but I seriously doubt there are
> enough of them to justify a subsystem of this complexity. If it is
> really the case that some plugin requires a newer JRE at runtime it
> can just be documented in the plugin's README rather than with the
> elaborate and hard-to-maintain subsystem that is in place now.
>
> > 2. Will this be replaced by a different system (assuming this is future
> proof in principle)? Or will plugins be unable to require higher Java
> versions than what their core baseline requires to run? Or will there be
> surprises for admins when attempting to install such plugins? I think the
> core support for this was essentially a warning in plugin manager.
>
> Yes the core support for this was essentially a warning in the plugin
> manager, and no I am not planning on replacing this with something
> else. Plugins will just have to evolve in lockstep with the minimum
> Java version required by their core baseline. This is effectively the
> case in practice everywhere I've looked, and it also seems like a
> reasonable requirement to me
>

Makes sense. Worst case is that we change our minds a few years down the
road and restore this subsystem. And if there's a plugin somewhere that
uses this after all, it's basically going to be an unused entry in
the Manifest IIRC.

+1 and thanks for starting this conversation.

(Just in case, I do not think a JEP is needed for what amounts to removal
of unused code.)



Re: Reverting JENKINS-20679

2022-03-29 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Mar 30, 2022 at 7:16 AM Basil Crow  wrote:

> As part of my work on Java platform support in Jenkins, I have
> encountered the subsystem introduced in JENKINS-20679, which allows
> plugins to request a newer version of Java than the corresponding
> core. Based on a preliminary search of sources across the ecosystem,
> this functionality appears to be unused. In my opinion this subsystem
> introduces unnecessary complexity, and I would like to remove it to
> simplify the implementation of future Java platform changes. In other
> words, I am proposing a revert of JENKINS-20679 across all relevant
> repositories: core, plugin-pom, maven-hpi-plugin, update-center2, and
> any other places where JENKINS-20679 code might have spread. I would
> like to thank the original authors of this code for providing a
> valuable subsystem that served its purpose faithfully, having now
> reached what I consider to be end-of-life.
>
> Since the amount of work involved in testing these changes (including
> searching for usages in binaries, both open-source and proprietary)
> and preparing written justifications for the relevant PRs is
> non-trivial, I would like to gather at least notional consensus on
> this list regarding whether this is a direction we would like to go
> in. If the consensus is favorable, I will proceed with testing and
> preparing pull requests. However, if there are non-trivial objections
> I will focus my time and energy on other areas.
>

Seems reasonable if really unused. A few considerations:

1. IIRC I've seen plugins requiring Java 11 that just don't declare it. So
it's not unused because it isn't needed, but perhaps because plugin authors
are unaware of it?
2. Will this be replaced by a different system (assuming this is
future proof in principle)? Or will plugins be unable to require higher
Java versions than what their core baseline requires to run? Or will there
be surprises for admins when attempting to install such plugins? I think
the core support for this was essentially a warning in plugin manager.



Re: error occuring during mvn release

2022-03-24 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Mar 24, 2022 at 1:26 PM 'Mohammad Uddin' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> Hi All,
>
> I am getting this error "The initial value of this parameter is ignored,
> and the parameter is overwritten here. This often indicates a mistaken
> belief that the write to the parameter will be conveyed back to the caller.
> "
>

It looks like you're trying to set field values, but since there is a
parameter with the same name you would need to put "this.fieldName".

That said: Do not attempt to set field values in form validation. That is
guaranteed to be wrong.



Re: [jenkins-infra] Re: Missing Version Installation Count

2022-03-23 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Mar 23, 2022 at 3:46 PM Bryan Stopp  wrote:

> I don't suppose there's any way to control the detailed output from a
> config in my project? For example, drop all the 1.x installs?


No. People have those versions installed and report them as such.

The filters that exist attempt to filter out useless submissions from
people who compiled the plugin themselves.



Re: Request to add sponsored-issues

2022-03-21 Thread 'Daniel Beck' via Jenkins Developers
This topic seems vaguely related to the Jenkins job board topic from a few
months ago (
https://groups.google.com/g/jenkinsci-dev/c/q2F1AcFBbBE/m/6Ew7pMpDBAAJ );
as this is essentially a variant on contract work. Perhaps there's a
solution covering both?



Re: Request to add sponsored-issues

2022-03-21 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Mar 21, 2022 at 9:55 PM 'Gavin Mogan' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

>
> https://app.bountysource.com/issues/106189146-jenkins-67963-add-option-to-save-bandwidth-and-resources-which-are-wasted-unnecessarily
>
> Looks like it just imported all the publish-as-* issues, so yea i'm
> not sure what would need to be approved.
>

It's just a single issue. It looks weird because of a migration of issues
from Jira to GH issues. It seems there are just a handful of actually
bountied issues on that site.

We used to have issue tracker integration of a bounty site in Jira, years
ago. I don't think it had many users. IMO we should first see some traction
in "manual" bounty offers before we should bless one of these sites through
some sort of integration again, assuming that's what's being requested.

(Thanks for the reminder that some dude from Splunk ghosted me after I
implemented a 1000 dollar bounty in 2014.)



FYI: Problems publishing artifacts in Artifactory

2022-03-04 Thread 'Daniel Beck' via Jenkins Developers
Hi everyone,

We've observed problems publishing artifacts in Artifactory, logs indicate
the disk is full. So if you're unable to release stuff the next few days,
that is probably why.

Daniel



Re: Publishing plugin leads to 401

2022-03-04 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Mar 4, 2022 at 8:23 AM Philipp Straubinger <
philipp.straubin...@uni-passau.de> wrote:

> Yes, I took the whole generated settings.xml to ~/.m2/settings.xml
>

That's wrong. Try doing what the instructions I link to say.



Re: Publishing plugin leads to 401

2022-03-03 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Mar 3, 2022 at 1:43 PM Philipp Straubinger <
philipp.straubin...@uni-passau.de> wrote:

> Hi,
>
> this is how it looks like in Artifactory after following the documentation:
> …
>
> The generated settings.xml is in the attachments.
>
Did you take the encrypted password from this file, and set it as your
password in your real settings.xml file? If so, do you still get HTTP 401
responses when 'mvn deploy'ing things?



Re: Jenkins 2.332.1 LTS RC testing started

2022-03-02 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Mar 2, 2022 at 3:47 PM Alex  wrote:

> I still get the warning about the DoS vulnerability with XStream, though
> that fix is included. Does the warning magically vanish once the LTS builds
> are shipped for GA?


Addressed by https://github.com/jenkins-infra/update-center2/pull/573



Re: Publishing plugin leads to 401

2022-03-02 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Mar 2, 2022 at 7:19 PM 'Gavin Mogan' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> So i confirmed
> https://github.com/jenkins-infra/repository-permissions-updater/blob/master/permissions/plugin-gamekins.yml
> has the right path (would appreciate a second pair of eyes).
>

That would be 403.


> so my guess is that your maven credentials aren't setup right.
>

As per
https://www.jenkins.io/doc/developer/publishing/releasing-manually/#the-upload-to-the-maven-repository-fails-with-401-unauthorized


>
> You may want to generate your credential information from artifactory,
> it'll make sure your password is setup right, and the ids and stuff.
>

As described in
https://www.jenkins.io/doc/developer/publishing/releasing-manually/#artifactory-credentials-for-maven


> I wish there was a maven whoami like there is for npm :(
>

'mvn deploy' basically tests credentials, since anyone with an account can
deploy snapshots of anything.



Re: Governance meeting Feb 23, 2022

2022-02-28 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Feb 24, 2022 at 11:27 PM 'Gavin Mogan' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

> > Or format as a date, like 2022.02.23, so we can issue up to one release
> a day. Or drop MRP and use CD versions…
>
> how would lts work? 2022.02.23.1? I think that'll confuse a lot of
> version parsers.
>


Re versions, please keep the current model of 2 section weeklies and 3
section LTS. I expect quite some stuff to break otherwise.

With that in mind, how about the second part just being a counter, roughly
but not exactly corresponding to week-of-year?

23.1 is the first weekly release of 2023, followed by 23.2, 23.3, … ,
through 23.55 or so, and then 24.1.

LTS might be 23.8.x, then 23.20.x, 23.34.x, etc.



Re: Jenkins 2.332.1 LTS RC testing started

2022-02-28 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Feb 25, 2022 at 2:19 PM Tim Jacomb  wrote:

> It'll be update center dynamic update sites most likely.
>

Correct:


$ curl -IL https://updates.jenkins.io/update-center.json?version=2.332.1
HTTP/1.1 302 Found
Date: Mon, 28 Feb 2022 23:45:56 GMT
Server: Apache/2.4.29 (Ubuntu)
Location:
https://updates.jenkins.io/dynamic-stable-2.319.3/update-center.json
Content-Type: text/html; charset=iso-8859-1



Re: Jenkins Security Scan now generally available

2022-02-28 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Feb 28, 2022 at 8:00 PM Basil Crow  wrote:

> After upgrading a dozen or so plugins to Security Scan v2, the Jenkins
> Security Scan workflow on the main branch failed with:
>
> Called workflows cannot be queued onto self-hosted runners across
> organisations/enterprises. Failed to queue this job. Labels:
> 'ubuntu-latest'.
>

Interesting, I haven't seen this during development and that includes repos
in jenkinsci.

Some searching indicates you're being rate-limited:
https://github.community/t/called-workflows-cannot-be-queued-onto-self-hosted-runners-across-organisations-enterprises-failed-to-queue-this-job-labels-ubuntu-latest/229355/10
(which got a GH team response, they seem to be looking into this).

If you pushed out the changes to the YAML files in quick succession, that
might explain it? It looks like you were particularly active around 18:10.

Looks like I'll need to look into adding this to the pipeline library
sooner rather than later :-)



Re: Jenkins Security Scan now generally available

2022-02-28 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Feb 25, 2022 at 11:49 AM Daniel Beck  wrote:

>
> It looks like GitHub's action can do what I cannot because it uses an
> undocumented API.
>
>
> I'll update this thread once it works, meanwhile you can watch
> https://github.com/jenkins-infra/jenkins-security-scan/issues/3
>

I've updated the workflow to properly work with pull requests from forks.

The result with the now used GH action to upload the scan result differs
from the scan result upload API's, so I've decided to increase the version
of the workflow to v2. v1 still works as before, but you need v2 for full
PR support.
https://github.com/jenkins-infra/jenkins-security-scan/releases/tag/v2



Re: Jenkins Security Scan now generally available

2022-02-25 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Feb 25, 2022 at 2:43 PM Jean-Marc Meessen 
wrote:

>
> In the meantime, I will (try) to turn code scanning off so that I can get
> the PRs through CI.
>

Removing
https://github.com/jenkinsci/.github/blob/011201ac97f9e2757cca0415590952eaee704e5b/workflow-templates/jenkins-security-scan.yaml#L6-L7
should do it. The rest still works.

Sorry for the inconvenience. The existence of a single documented upload
API and an action to do the upload tricked me into thinking this just works
:(



Re: Jenkins Security Scan now generally available

2022-02-25 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Feb 23, 2022 at 10:03 PM Daniel Beck  wrote:

>
> Interesting. It probably happens because it's a PR from a fork and the
> GITHUB_TOKEN used only has read permission for SecurityEvents. I'll look
> into solutions tomorrow.
>

It looks like GitHub's action can do what I cannot because it uses an
undocumented API.


I'll update this thread once it works, meanwhile you can watch
https://github.com/jenkins-infra/jenkins-security-scan/issues/3


