Dependabot is reporting jenkins-core to have the wrong release notes

shadycuz · July 7, 2021, 7:48am

I would like to discuss dependabot and how it works with jenkins-core. Is this meeting a good place to do so? I wasn’t sure where in the document to add my topic. Under notes?

olblak · July 7, 2021, 8:39am

I think that depends what you want to discuss about dependabot but the current category (infrastructure) is to discuss about the infrastructure used by the Jenkins project which is an open source infrastructure project so we are pretty transparent on how to maintain services like Jenkins.

Maybe you can explain what you are trying to achieve with dependabot

shadycuz · July 7, 2021, 9:29am

@olblak When ever a new jenkins-core package is published, I get a dependabot alert on my repo.

The problem is that jenkins seems to have miss-configured their repo or something because the PR’s don’t really match.

What is 1.54? Does it actually list the changes in 2.301? Why is it that the repo shows the latest release as 1.65?

I think we should get this fixed so the PR from dependabot when jenkins-core changes contain useful information that can then be used to determine if I should merge this PR or not.

danielbeck · July 7, 2021, 10:12am

The PR includes multiple links to GitHub - jenkinsci/pom: Jenkins Parent POM for libraries and core components which indicates that Dependabot is confused.

This is unrelated to the recent infra team meeting, probably even unrelated to Jenkins project infrastructure and should be discussed separately (mod note: Is it possible to split threads? If so, might make sense here).

olblak · July 7, 2021, 12:34pm

@danielbeck, I don’t see how to convert a post to a new topic.

@shadycuz it’s definitely better to start a new topic to discuss about your issue with a good title.
This current category is about discussing the Jenkins infrastructure project.

I think the closest category would be using Jenkins

halkeye · July 8, 2021, 5:29am

I moved this thread to its own topic, I left it under infrastructure, though I feel like it might be a jenkins core bug.

curl -qs https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-core/2.301/jenkins-core-2.301.pom | grep github
  <url>https://github.com/jenkinsci/pom/jenkins-parent/jenkins-core</url>
    <connection>scm:git:git://github.com/jenkinsci/jenkins.git/jenkins-core</connection>
    <developerConnection>scm:git:ssh://git@github.com/jenkinsci/jenkins.git/jenkins-core</developerConnection>
    <url>https://github.com/jenkinsci/jenkins/jenkins-core</url>

I’m guessing jenkins/pom.xml at 1878f61da736dcd5e7e386dcc7eb86731c2b8ebd · jenkinsci/jenkins · GitHub needs its own scm section? Every sub module i’ve seen in the jenkins project has had interesting data in scm, so I can’t really help

shadycuz · September 25, 2021, 11:07am

Not sure how or when but this appears to be fixed

github.com/DontShaveTheYak/jenkins-std-lib

Bump jenkins-core from 2.312 to 2.313

DontShaveTheYak:develop ← DontShaveTheYak:dependabot/gradle/develop/org.jenkins-ci.main-jenkins-core-2.313

opened 04:18PM - 21 Sep 21 UTC

dependabot[bot]

+1 -1

Bumps [jenkins-core](https://github.com/jenkinsci/jenkins) from 2.312 to 2.313. …<details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jenkinsci/jenkins/releases">jenkins-core's releases</a>.</em></p> <blockquote> <h2>2.313</h2> <p><em>This is an automatically generated changelog draft for Jenkins weekly releases. See <a href="https://www.jenkins.io/changelog/">https://www.jenkins.io/changelog/</a> for the official changelogs.</em></p> <h2>🐛 Bug fixes</h2> <ul> <li><a href="https://issues.jenkins.io/browse/JENKINS-66613">JENKINS-66613</a> - Correct Antlr grammar for LabelExpression (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5722">#5722</a>) <a href="https://github.com/Wadeck"><code>@Wadeck</code></a></li> <li><a href="https://issues.jenkins.io/browse/JENKINS-61212">JENKINS-61212</a> - Update Tyrus (WebSocket client) to 2.0.1 (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5716">#5716</a>) <a href="https://github.com/jglick"><code>@jglick</code></a></li> <li><a href="https://issues.jenkins.io/browse/JENKINS-66470">JENKINS-66470</a> - Register view-related permission groups and permissions prior to the execution of JCasC (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5723">#5723</a>) <a href="https://github.com/basil"><code>@basil</code></a></li> </ul> <h2>👷 Changes for plugin developers</h2> <ul> <li><a href="https://issues.jenkins.io/browse/JENKINS-66563">JENKINS-66563</a> - add a supported API for a plugin to insert jars into its classpath (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5711">#5711</a>) <a href="https://github.com/jtnord"><code>@jtnord</code></a></li> </ul> <h2>📦 Dependency updates</h2> <ul> <li><a href="https://issues.jenkins.io/browse/JENKINS-61212">JENKINS-61212</a> - Update Tyrus (WebSocket client) to 2.0.1 (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5716">#5716</a>) <a href="https://github.com/jglick"><code>@jglick</code></a></li> </ul> <h2>👻 Maintenance</h2> <ul> <li>Remove Akuma (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5561">#5561</a>) <a href="https://github.com/basil"><code>@basil</code></a></li> </ul> <p>All contributors: <a href="https://github.com/Wadeck"><code>@Wadeck</code></a>, <a href="https://github.com/basil"><code>@basil</code></a>, <a href="https://github.com/dependabot"><code>@dependabot</code></a>, <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot], <a href="https://github.com/jenkins-release-bot"><code>@jenkins-release-bot</code></a>, <a href="https://github.com/jglick"><code>@jglick</code></a>, <a href="https://github.com/jtnord"><code>@jtnord</code></a>, <a href="https://github.com/kth496"><code>@kth496</code></a>, <a href="https://github.com/oleg-nenashev"><code>@oleg-nenashev</code></a> and <a href="https://github.com/timja"><code>@timja</code></a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jenkinsci/jenkins/commit/4d6833ea3ace8652bbf28ee516a52be32d2894ab"><code>4d6833e</code></a> [maven-release-plugin] prepare release jenkins-2.313</li> <li><a href="https://github.com/jenkinsci/jenkins/commit/0d94f3a552ba9c3c6b90f74eaab556820a679bdb"><code>0d94f3a</code></a> Introduce <code>Queue.Executable.getParentExecutable</code> (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5733">#5733</a>)</li> <li><a href="https://github.com/jenkinsci/jenkins/commit/9ced53cefbedc948d30aa8ffd029f5d7268243a7"><code>9ced53c</code></a> [JENKINS-66613] Correct Antlr grammar for LabelExpression (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5722">#5722</a>)</li> <li><a href="https://github.com/jenkinsci/jenkins/commit/af079c926209597428bfc8e5067b76c314a38510"><code>af079c9</code></a> Change freenode to libera (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5741">#5741</a>)</li> <li><a href="https://github.com/jenkinsci/jenkins/commit/e01f29ffca8f2326680152d54379a272a0feec52"><code>e01f29f</code></a> Bump jenkins from 1.65 to 1.67 (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5740">#5740</a>)</li> <li><a href="https://github.com/jenkinsci/jenkins/commit/f29b4789834a7562b44d8c3a0abcd9fb0c927f27"><code>f29b478</code></a> Fix <code>UnnecessarilyFullyQualified</code> Error Prone violations (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5737">#5737</a>)</li> <li><a href="https://github.com/jenkinsci/jenkins/commit/8e942a831c0afec60c55fa8f8e712b5fffe1bb1e"><code>8e942a8</code></a> Remove redundant 'continue' from conditional branches (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5717">#5717</a>)</li> <li><a href="https://github.com/jenkinsci/jenkins/commit/4de76b5798a102077b23a8b2735a05d499b1e024"><code>4de76b5</code></a> Prefer <code>assertThrows</code> to try/fail (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5734">#5734</a>)</li> <li><a href="https://github.com/jenkinsci/jenkins/commit/195dacbf556fdf0a393d5d139df27ffba3a82b11"><code>195dacb</code></a> Remove Akuma (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5561">#5561</a>)</li> <li><a href="https://github.com/jenkinsci/jenkins/commit/ed292d178d779c375cb16d40accad153ad3768fd"><code>ed292d1</code></a> Bump stapler.version from 1563.v3da2d02f9572 to 1593.v0e838714faae (<a href="https://github-redirect.dependabot.com/jenkinsci/jenkins/issues/5727">#5727</a>)</li> <li>Additional commits viewable in <a href="https://github.com/jenkinsci/jenkins/compare/jenkins-2.312...jenkins-2.313">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.jenkins-ci.main:jenkins-core&package-manager=gradle&previous-version=2.312&new-version=2.313)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

timja · September 26, 2021, 9:10pm

It was fixed in [JENKINS-64666] document urls by tszmytka · Pull Request #5652 · jenkinsci/jenkins · GitHub

Topic		Replies	Views
Infrastructure Weeky Meeting Recap - 2021-07-06 Infrastructure meeting	1	430	July 8, 2021
Infrastructure Team Meeting - August 01, 2023 Infrastructure meeting , sig-infra	0	403	August 6, 2023
Infrastructure Team Meeting - August 22, 2023 Infrastructure meeting , sig-infra	0	381	August 24, 2023
Infrastructure Team Meeting - Dec 11, 2021 Infrastructure meeting , sig-infra	0	274	January 27, 2022
Requesting Approval for installing kodiak for plugin-site Infrastructure plugin-site	6	385	July 5, 2021

Dependabot is reporting jenkins-core to have the wrong release notes

Related topics