Create an initial documentation page for Dependabot #40
@@ -0,0 +1,46 @@ | ||||||
= Dependabot | ||||||
|
||||||
WARNING: This page is under development. Contributions are welcome! | ||||||
|
||||||
In the Jenkins project we use https://dependabot.com/[Dependabot] for automating dependency updates in our repositories. | ||||||
It includes Java/Maven, Java/Gradle, JavaScript, Docker and other package manager types. | ||||||
Jenkins project repositories currently use the Github-native Dependabot and the deprecated standalone versions, | ||||||
migration is pending. | ||||||
|
||||||
This page documents jenkins-specific recommendations for using Dependabot in the Jenkins repositories. | ||||||
|
||||||
Please refer to the official https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/keeping-your-dependencies-updated-automatically[Dependabot documentation] for details and examples. | ||||||
|
||||||
== Documentation links | ||||||
|
||||||
* https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/enabling-and-disabling-version-updates#enabling-github-dependabot-version-updates[Enabling Dependabot in your repository] | ||||||
* https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates[Configuration file] | ||||||
* https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/#moving-forward-from-dependabot-com-and-dependabot-preview[Moving to GitHub-native Dependabot from Dependabot.com and dependabot-preview] | ||||||
|
||||||
== Usage recommendations for Jenkins plugins (Maven) | ||||||
|
||||||
* Make sure that you do not disable Maven Enforcer Plugin when using Dependabot. | ||||||
Otherwise there will be a high risk of unnoticed dependency and binary compatibility conflicts. | ||||||
* It is **not recommended** to automatically update Jenkins core to the most recent versions, because it will prevent LTS users from using them. | ||||||
Huh? First of all, it would be fine to enable Dependabot on Jenkins core, so long as you picked an appropriate pattern: But anyway, as far as I know it does not work; Dependabot does not grok that `<jenkins.version>2.176.3</jenkins.version>` is fixing the version of an artifact defined in a parent POM and is thus eligible for upgrade. It only looks for artifacts defined in the literal

You say you can configure a filter to prevent Dependabot from upgrading Jenkins core, but the plugin example does not do so.

Makes sense. I'd rather keep the config file smaller if this is something Dependabot does not do (anymore) I think.

BTW, the example to simply ignore Jenkins Core updates would be https://github.com/jenkinsci/configuration-as-code-plugin/blob/0aff116d84574d8880530176269edaef6bc8b023/.github/dependabot.yml#L8-L11.
See https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/[this page] for baseline selection recommendations. | ||||||
You can configure a filter to prevent Dependabot from updating Jenkins core versions (see the examples) | ||||||
* There is a https://github.com/jenkinsci/bom/[Plugin Bill of Materials] which defines versions for many most used plugins. | ||||||
|
||||||
If you do not have a strong version requirements, it is recommended to supply the versions through BOM instead of letting Dependabot manage each dependency version. | ||||||
It also reduces likelihood of upper bounds conflicts discovered by Maven Enforcer Plugin. | ||||||
* Be careful with library dependencies, especially for popular utility libraries. | ||||||
Requiring recent versions may sometimes cause binary conflicts with other plugins and the core. | ||||||
Comment on lines +29 to +30

This is threatening yet so vague as to be useless. If you are going to say anything, at least link to https://www.jenkins.io/doc/developer/plugin-development/dependencies-and-class-loading/#bundling-third-party-libraries

And the example link is to an obscure plugin that
Better pick a different example.
|
||||||
== Jenkins component Configuration Examples | ||||||
|
||||||
* https://github.com/jenkinsci/jenkinsfile-runner/blob/master/.github/dependabot.yml[Jenkinsfile Runner] - Java/Maven example | ||||||
* https://github.com/jenkinsci/autograding-plugin/blob/master/.github/dependabot.yml[Autograding Plugin] - Java/Maven configuration for a plugin, with ignore filters | ||||||
|
||||||
NOTE: More examples will be added when project migrate to a GitHub-native Dependabot implementation with a v2 configuration format | ||||||
(`.github/dependabot.yml` files and configurations in GitHub project settings). | ||||||
Comment on lines +37 to +38

I think it is worth holding off on docs until we have better, more typical examples. The canonical example is far simpler: https://github.com/jenkinsci/archetypes/blob/3e5a8cc4f208c51203cac20b882ccfcba397c657/common-files/.github/dependabot.yml
|
||||||
== References | ||||||
|
||||||
* https://groups.google.com/forum/#!topic/jenkinsci-dev/XMllKuWLO_8[Developer Mailing List thread] - For discussion and proposals | ||||||
* https://speakerdeck.com/onenashev/joker-2019-tame-your-dependencies-with-dependabot[Tame your dependencies with Dependabot!] - | ||||||
presentation about Dependabot adoption in the Jenkins project made in Oct, 2019. | ||||||
** Note: this presentation uses the old Dependabot version with obsolete configuration formats | ||||||
* https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit?usp=sharing[Dependabot Evaluation notes in Jenkins] - Additional random thoughts and takeaways |
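Review bot: The sentence "You can configure a filter to prevent Dependabot from updating Jenkins core versions (see the examples)" is not backed by the examples section: only the Autograding Plugin entry is described as having ignore filters and nothing on the page shows the actual stanza, so either quote the relevant ignore entry from a `.github/dependabot.yml` inline or drop the sentence. The Maven Enforcer bullet should also say what the plugin catches that would otherwise go unnoticed (the upper bounds conflicts named two bullets later), since as written "high risk of unnoticed dependency and binary compatibility conflicts" gives the reader nothing to check. Wording: "Github-native" should be "GitHub-native", "jenkins-specific" should be "Jenkins-specific", "If you do not have a strong version requirements" should be "If you do not have strong version requirements", "many most used plugins" should be "many of the most used plugins", and "when project migrate" should be "when projects migrate".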