Status: Resolved
Currently Jenkins X Serverless does not have automatic updates for Custom WAR Packager definitions. There are 2 options we could use:
- Option 1: Use pom.xml as the plugin list input; it's already supported by Custom War Packager.
  - In such a case we also get upper bounds dependency checks for plugins OOTB, so that the build fails on conflicting dependencies even before starting the build
  - Problem: Dependabot does not seem to scan Jenkins Maven repositories. Could it be tweaked somehow?
- Option 2: Implement dependabot plugin for BOM.yml (Jenkins JEP-309)
Relates to: JENKINS-54316 Incrementals Tool: Update plugins defined in package-config.yml of CWP
https://github.com/oleg-nenashev/ci.jenkins.io-runner prototypes option 1. Once JENKINS-54391 is ready, it can be used for real-world updates CD for Jenkinsfile Runner.
Option 1 is probably easier from my PoV as well. Either way, the main issue I see is that the input must explicitly mention all transitive dependencies, so that they are all listed as eligible for upgrade by the bot. (Perhaps using dependencyManagement to clearly separate those plugins which are required on their own merits vs. those which are just there to satisfy the transitive closure.) I have had a similar issue with Evergreen and am not sure if it is resolved yet.
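A check for the gap raised in the comment above, added here as an example and not code from Custom WAR Packager or from anyone on this issue: it lists plugins that are in the transitive closure of the pom's direct dependencies but are declared in neither `dependencies` nor `dependencyManagement`, so an update bot reading the pom would never propose upgrades for them. The group id, plugin names, and dependency graph are constructed; a real graph would come from plugin metadata.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: two plugins wanted on their own merits, one closure-only pin.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.example.plugins</groupId><artifactId>scm-api-demo</artifactId><version>2.0</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.example.plugins</groupId><artifactId>git-demo</artifactId><version>3.1</version></dependency>
    <dependency><groupId>org.example.plugins</groupId><artifactId>pipeline-demo</artifactId><version>1.4</version></dependency>
  </dependencies>
</project>"""

# Constructed plugin metadata: artifactId -> direct plugin dependencies.
PLUGIN_DEPS = {
    "git-demo": ["scm-api-demo", "credentials-demo"],
    "pipeline-demo": ["scm-api-demo", "structs-demo"],
    "scm-api-demo": ["structs-demo"],
    "credentials-demo": [],
    "structs-demo": [],
}

def declared(pom_xml):
    """Return (direct, managed) artifactId sets declared in the pom."""
    root = ET.fromstring(pom_xml)
    direct = {d.findtext("m:artifactId", namespaces=NS)
              for d in root.findall("m:dependencies/m:dependency", NS)}
    managed = {d.findtext("m:artifactId", namespaces=NS)
               for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)}
    return direct, managed

def closure(roots, graph):
    """Transitive closure over the plugin graph; tolerates cycles and unknown names."""
    seen, stack = set(), list(roots)
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(graph.get(name, []))
    return seen

def unlisted_transitives(pom_xml, graph):
    """Plugins that will be packaged but are invisible to a bot reading the pom."""
    direct, managed = declared(pom_xml)
    return sorted(closure(direct, graph) - direct - managed)

if __name__ == "__main__":
    for name in unlisted_transitives(POM, PLUGIN_DEPS):
        print("in closure but not listed in pom:", name)
```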
Option 1 was implemented in CWP version 1.5 and it seems to be enough. Closing then.
I like option 1 BTW. Not sure what needs to be done in Jenkins X dependabot to enable it.