  1. Jenkins
  2. JENKINS-54834

Create a Dependabot equivalent for CWP plugin lists or add support of Jenkins updates to pom.xml


      Description

      Currently Jenkins X Serverless does not have automatic updates for Custom WAR Packager definitions. There are 2 options we could use:

      • Option 1: Use pom.xml as plugin list input; it's already supported by Custom WAR Packager.
        • In such a case we also get upper bounds dependency checks for plugins OOTB, so that the build fails on conflicting dependencies even before starting the build.
        • Problem: Dependabot does not seem to scan Jenkins Maven repositories. Could it be tweaked somehow?
      • Option 2: Implement a Dependabot plugin for BOM.yml (Jenkins JEP-309)

      CC James Strachan James Rawlings Cosmin Cojocar

            Activity

            oleg_nenashev Oleg Nenashev added a comment -

            I like option 1, BTW. Not sure what needs to be done in Jenkins X Dependabot to enable it.

             

            oleg_nenashev Oleg Nenashev added a comment -

            https://github.com/oleg-nenashev/ci.jenkins.io-runner prototypes the option 1. Once JENKINS-54391 is ready, it can be used for real-world updates CD for Jenkinsfile Runner.

             

            jglick Jesse Glick added a comment -

            Option 1 is probably easier from my PoV as well. Either way, the main issue I see is that the input must explicitly mention all transitive dependencies, so that they are all listed as eligible for upgrade by the bot. (Perhaps using dependencyManagement to clearly separate those plugins which are required on their own merits vs. those which are just there to satisfy the transitive closure.) I have had a similar issue with Evergreen and am not sure if it is resolved yet.
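
The point in the comment above, sketched as an added example (not code from the issue, Custom WAR Packager or Dependabot): a check that every plugin in the transitive closure is explicitly pinned in pom.xml, either as a direct dependency or under dependencyManagement, so an update bot can see it. The pom, the plugin names and the dependency graph are constructed; in practice the graph would come from resolver output.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: one plugin required on its own merits (dependencies),
# two pinned only for the transitive closure (dependencyManagement).
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>example-pipeline</artifactId><version>2.1</version></dependency>
  </dependencies>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.example</groupId><artifactId>example-scm-api</artifactId><version>1.4</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-old-lib</artifactId><version>0.9</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed plugin dependency graph (artifactId -> required artifactIds).
GRAPH = {
    "example-pipeline": ["example-scm-api", "example-step-api"],
    "example-scm-api": ["example-structs"],
    "example-step-api": ["example-structs"],
    "example-structs": [],
}

def declared(pom_text):
    """Return (direct, managed) sets of artifactIds declared in the pom."""
    root = ET.fromstring(pom_text)
    def ids(path):
        return {d.findtext("m:artifactId", namespaces=NS) for d in root.findall(path, NS)}
    return (ids("m:dependencies/m:dependency"),
            ids("m:dependencyManagement/m:dependencies/m:dependency"))

def closure(roots, graph):
    """Transitive closure of the root plugins over the dependency graph."""
    seen, stack = set(), list(roots)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen

def audit(pom_text, graph):
    """unpinned: needed but not listed, so invisible to the update bot.
    stale: pinned under dependencyManagement but no longer needed."""
    direct, managed = declared(pom_text)
    needed = closure(direct, graph)
    return {"unpinned": sorted(needed - direct - managed),
            "stale": sorted(managed - needed)}
```
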

            egutierrez Evaristo Gutierrez added a comment -

            Option 1 was implemented in CWP 1.5 version and it seems to be enough. Closing then.


              People

              Assignee:
              oleg_nenashev Oleg Nenashev
              Reporter:
              oleg_nenashev Oleg Nenashev
              Votes:
              0
              Watchers:
              4