1 of 41

Dependabot for

Jenkins plugin development

Jenkins Online Meetup. Jan 24, 2020


© 2020 CloudBees, Inc. All Rights Reserved.

2 of 41

Jenkins Developer Meetup

  • Hosted as Jenkins Online Meetup
  • “By developers for developers”
    • Developer tools, best practices
    • Show and tell
    • Everyone can participate
  • Looking for speakers!


3 of 41

> whoami


4 of 41

Agenda

  • Dependabot Overview - Why, What, When
  • Using Dependabot in Jenkins
  • What's next?


5 of 41

Questions?

  • Zoom chat
  • “Raise hand” in Zoom for immediate questions
  • Offline Q&A: https://gitter.im/jenkinsci/platform-sig


6 of 41

What’s common between Maven, NPM, and RPM?


7 of 41

Dependency

Hell


8 of 41

[Diagram: Lib 1-5 and Plugin 1-4 loaded side by side; tool dependencies; no class isolation]


9 of 41


10 of 41


> mvn versions:display-updates

...

? ? ?


11 of 41

What if we automate updates?


12 of 41


Dependabot, Renovate, Greenkeeper, etc.


13 of 41

Dependabot


dependabot.com, acquired by GitHub


14 of 41

Dependabot

  • CLI tool
  • GitHub App / SaaS


dependabot.com, acquired by GitHub


15 of 41

Automatic scans and updates


16 of 41


17 of 41


18 of 41

Step 1. Enable Dependabot


19 of 41

Step 2. Set up permissions


In Jenkins:

  • Enable from your repository settings
  • OR: INFRA ticket


20 of 41

Step 3. Configure Dependabot


21 of 41

Step 4. Just wait a bit…


22 of 41

Not just pull requests!


23 of 41

Release note references


24 of 41

CommentOps


25 of 41

Configuration-as-Code


  • YAML config files
  • Stored in the target repo
  • No org-wide configuration support :(


26 of 41

Advanced options

  • Filtering of versions and artifacts
  • Validated merge
  • Integration with GitHub security engines


27 of 41

Dependabot in Jenkins


28 of 41

Dependabot in Jenkins

  • Evaluation started in June 2019
  • Enabled in 60+ repositories
  • 1750+ pull requests
  • Saves time!


29 of 41

Dependabot for plugins

  • Update Parent POM and dev tools
  • Do not update plugin dependencies to latest versions
  • Do not update Jenkins core to latest versions
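The rules on this slide, written out as a Dependabot configuration. This is an added example, not a file from the deck or from any jenkinsci repository. It uses the current GitHub-native `.github/dependabot.yml` (version 2) format, which replaced the `.dependabot/config.yml` format the Dependabot app used when this talk was given; the plugin artifact names in the ignore list, the group id of the plugin BOM, the npm directory and the PR limit are assumptions. It also goes beyond the Maven case and covers the Docker and JavaScript ecosystems the deck mentions later.

```yaml
# .github/dependabot.yml  (added example; assumptions are marked inline)
# Encodes the deck's rules for a Jenkins plugin repository:
#  - let Dependabot bump the parent POM, test libraries and build tooling
#  - never bump jenkins-core or other plugins to their latest release,
#    because those versions follow the core line the plugin targets
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Jenkins core: a bump here silently raises the minimum core the
      # plugin requires, so it is handled by the maintainer, not a bot.
      - dependency-name: "org.jenkins-ci.main:*"
      # The plugin BOM pins plugin versions; assumption: this group id.
      - dependency-name: "io.jenkins.tools.bom:*"
      # Plugin-to-plugin dependencies are listed one by one (assumed names).
      # Caveat: the parent POM is org.jenkins-ci.plugins:plugin, so a
      # group-wide "org.jenkins-ci.plugins:*" wildcard would also block
      # the parent POM updates this slide asks for.
      - dependency-name: "org.jenkins-ci.plugins:structs"
      - dependency-name: "org.jenkins-ci.plugins.workflow:*"
    labels:
      - "dependencies"
    # Assumption: a small PR budget keeps the CI queue manageable.
    open-pull-requests-limit: 5

  # "Other languages/tools": the same file covers the plugin's Dockerfile
  # and any npm front-end code it ships.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  - package-ecosystem: "npm"
    directory: "/src/main/js"   # assumption: where package.json lives
    schedule:
      interval: "weekly"
    ignore:
      # Version filtering: take patch and minor bumps, review majors by hand.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Dependabot applies `ignore` entries after any `allow` rules, so an ignored group cannot be re-opened for a single artifact; that is why the plugin dependencies are listed individually instead of through a wildcard that would catch the parent POM.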


30 of 41

Library updates

  • Be careful with library updates
  • May conflict with the core
  • May conflict with each other
  • Transitive dependencies


31 of 41

Managing transitive dependencies

  • Maven Enforcer Plugin

  • Extra Enforcer Rules Plugin


32 of 41


<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <executions>
    <execution>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <!-- Fail the build when a transitive dependency resolves to a lower version than another path needs -->
          <requireUpperBoundDeps>
            <excludes>
              <exclude>commons-logging:commons-logging</exclude>
              <exclude>com.google.code.findbugs:jsr305</exclude>
              <exclude>net.java.dev.jna:jna</exclude>
            </excludes>
          </requireUpperBoundDeps>
        </rules>
      </configuration>
    </execution>
  </executions>
  <dependencies>
    <!-- Extra Enforcer Rules; the version property is a placeholder, set it to the release you use -->
    <dependency>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>extra-enforcer-rules</artifactId>
      <version>${extra-enforcer-rules.version}</version>
    </dependency>
  </dependencies>
</plugin>


33 of 41

Bill of Materials for Dependencies

  • Maven supports BOM

  • Jenkins Core BOM

  • Plugin BOM
    • One dependency to manage
    • https://github.com/jenkinsci/bom


34 of 41

Other languages/tools


35 of 41

Docker


36 of 41

JavaScript


37 of 41

Summary


38 of 41

Takeaways

  • Automate dependency management in your projects
  • There are tools for that
  • Beware of transitive dependencies
  • Make sure you have CI and good test coverage


39 of 41

What’s next for us?

  • Global configurations or configuration samples
  • Jenkins-specific documentation
  • Adoption in more repositories


40 of 41

Links


41 of 41


Contacts:

E-mail: onenashev@cloudbees.com

GitHub: oleg-nenashev

Twitter: @oleg_nenashev

QUESTIONS?
