Re: Preparing your modules/library/plugin to be consumed by dependabot

2019-08-29 Thread Oleg Nenashev
Thanks for the investigation, Gavin!
I plan to document Dependabot usage guidelines eventually, and I will make 
sure to reflect it.
It can also be added to 
https://github.com/jenkinsci/.github/blob/master/.github/release-drafter.adoc
somehow.


BR, Oleg

On Thursday, August 29, 2019 at 2:19:45 AM UTC+2, Joseph P wrote:
>
> Hi Gavin, we actually made that change in JCasC to prepare for 
> https://github.com/jenkins-infra/plugin-site-api/pull/54
> Good that dependabot is something you can depend on 
>
> Original PR 
> https://github.com/jenkinsci/configuration-as-code-plugin/pull/1004
>
> On Tuesday, August 27, 2019 at 6:50:38 PM UTC+2, Gavin Mogan wrote:
>>
>> Hey Y'all,
>>
>> tl;dr - Make sure project > scm > url is set to github (example:
>> https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/pom.xml#L41)
>>
>> ---
>>
>> I thought I'd share my limited findings with all of you. A couple weeks 
>> ago I contacted dependabot support to try and find out why some javascript 
>> modules had changelogs/release notes mentioned. I got a bunch of good 
>> responses back, and nudged them to document this info publicly.
>>
>> But for now, I share what I learned.
>>
>> Dependabot has a lot of open source code, including how it processes 
>> module metadata.
>>
>>
>> https://github.com/dependabot/dependabot-core/blob/e654f214a932672d8ac0ea428ef9d672ac5bba33/maven/lib/dependabot/maven/metadata_finder.rb#L52
>>
>> It loops through a bunch of properties inside the maven pom file:
>> project > url (which should point at wiki/plugins site for us),
>> project > scm > url (which is the right place to set it), and lastly
>> project > issueManagement > url (which probably defaults to jira).
>>
>> When that url is set right, dependabot knows where to pull information 
>> from. See https://github.com/jenkinsci/ci.jenkins.io-runner/pull/192 as 
>> a good example.
>>
>> It'll list the commits between tags. Release Notes if you use github 
>> releases (release drafter makes that easy) and Changelog if it can find a 
>> changelog file in the repo. I can go into more details about this if people 
>> want.
>>
>> *But I strongly recommend at least setting up project > scm > url, and 
>> either a changelog file, or preferably release notes for releases.*
>>
>> That'll make other plugin authors know if it's worth upgrading/what 
>> potentially might break when getting a dependabot PR.
>>
>> Thanks,
>> Gavin
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/80fe2e48-f494-4f43-aa13-c4b9735d5e7e%40googlegroups.com.
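
A pre-release check for the lookup order described in this thread (project > url, then project > scm > url, then project > issueManagement > url), as an added example that is not code from the thread or from Dependabot. The GitHub URL pattern, the `${...}` property expansion and the sample POM are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIELDS = ["url", "scm/url", "issueManagement/url"]  # order given in the thread
GITHUB_REPO = re.compile(r"https?://github\.com/([\w.-]+)/([\w.-]+)")

# Constructed sample: project > url is a wiki page, scm > url relies on a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>example</artifactId>
  <url>https://wiki.example.org/display/EXAMPLE</url>
  <properties><gitHubRepo>example-org/${project.artifactId}-plugin</gitHubRepo></properties>
  <scm><url>https://github.com/${gitHubRepo}</url></scm>
</project>"""


def _text(root, path):
    # Try the Maven namespace first, then plain tags for POMs that omit it.
    node = root.find("/".join("m:" + p for p in path.split("/")), NS)
    if node is None:
        node = root.find(path)
    return node.text.strip() if node is not None and node.text else None


def _expand(value, root, depth=0):
    # Resolve ${prop} via <properties> and ${project.x} via top-level tags; depth-capped.
    def lookup(m):
        name = m.group(1)
        path = name[8:] if name.startswith("project.") else "properties/" + name
        found = _text(root, path)
        return _expand(found, root, depth + 1) if found else m.group(0)
    return value if depth > 8 else re.sub(r"\$\{([\w.-]+)\}", lookup, value)


def source_candidates(pom_xml):
    """(field, url) pairs that are present, in lookup order, properties expanded."""
    root = ET.fromstring(pom_xml)
    pairs = [(f, _text(root, f)) for f in FIELDS]
    return [(f, _expand(u, root)) for f, u in pairs if u]


def github_source(pom_xml):
    """First field whose URL names a GitHub repo, as (field, 'owner/repo'), else None."""
    for field, url in source_candidates(pom_xml):
        m = GITHUB_REPO.match(url)
        if m:
            return field, m.group(1) + "/" + re.sub(r"\.git$", "", m.group(2))
    return None
```

Calling `github_source(SAMPLE_POM)` returns `('scm/url', 'example-org/example-plugin')`; a `None` result in CI means no field in the POM points at a GitHub repository.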


Re: Preparing your modules/library/plugin to be consumed by dependabot

2019-08-28 Thread Joseph P
Hi Gavin, we actually made that change in JCasC to prepare 
for https://github.com/jenkins-infra/plugin-site-api/pull/54
Good that dependabot is something you can depend on 

Original PR 
https://github.com/jenkinsci/configuration-as-code-plugin/pull/1004



Re: Preparing your modules/library/plugin to be consumed by dependabot

2019-08-27 Thread Jesse Glick
On Tue, Aug 27, 2019 at 12:50 PM 'Gavin Mogan' via Jenkins Developers wrote:
> I strongly recommend at least setting up project > scm > url

For example, when using an archetype (recommended):

https://github.com/jenkinsci/archetypes/blob/e546bcbb236539de7c2a958ccddfac190f44efb9/empty-plugin/src/main/resources/archetype-resources/pom.xml#L30



Re: Preparing your modules/library/plugin to be consumed by dependabot

2019-08-27 Thread Marky Jackson
+1
