Bump copyartifact from 686.v6fd37018d7c2 to 697.v12c6e8c8fb_34 in /bom-weekly and add maven-plugin to managed set #1978
Conversation
Bumps [copyartifact](https://github.com/jenkinsci/copyartifact-plugin) from 686.v6fd37018d7c2 to 697.v12c6e8c8fb_34.
- [Release notes](https://github.com/jenkinsci/copyartifact-plugin/releases)
- [Commits](https://github.com/jenkinsci/copyartifact-plugin/commits)

---
updated-dependencies:
- dependency-name: org.jenkins-ci.plugins:copyartifact
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
….plugins-copyartifact-697.v12c6e8c8fb_34
ugh...
Sorry about that. I thought it was reasonably safe to upgrade the git plugin optional dependency on promoted builds to a slightly newer version. I did that in jenkinsci/git-plugin@7a5afa3, which is included in git plugin 4.14.2, 4.14.3, and 5.0.0. The upgrade was prompted by a (flawed) security warning from dependabot on GitHub. I think it should be feasible to revert jenkinsci/git-plugin#1369 and release a 5.0.1 version of the git plugin with that reduced dependency. A local copy of the git plugin passes tests with that pull request reverted. Is there something that I missed when checking that idea?
The upgrade itself is fine; it's just a pain having to add the maven plugin, and it's not currently compatible with PCT either, as its tests need looking at. Ideally the maven plugin deps would be dropped.
Let me look at the copyartifact plugin to see what it would take to remove the maven-plugin dependency. It is an optional dependency.
The production code portion of copyartifact that depends on maven looks small. It is isolated to a single class, src/main/java/hudson/plugins/copyartifact/CopyArtifact.java, and to only two methods in that class. Unfortunately, my Java skills with class loading are not sufficient to remove the references so that the optional dependency on the Jenkins maven plugin could be converted to a test dependency. I might be able to look more deeply over the weekend. I definitely won't be able to look at it until the weekend and may not be successful even then. If someone with more Java skills is willing to investigate, I'm happy to be a tester (this weekend).
Alternate idea being evaluated now. Revert the maven plugin version upgrade that was accepted Mar 1, 2023 in the copyartifact plugin. Running tests now to see if that might help. |
@allancth the copyartifact tests (inside the plugin code) are passing when I revert the dependabot-upgraded maven plugin from 3.21 back to 3.16. It will be easier for us to maintain the Jenkins plugin bill of materials and retain the copyartifact plugin in the Jenkins plugin bill of materials if we can revert the upgrade of the optional maven plugin dependency from 3.21 back to 3.16. I'll prepare a draft pull request for the copyartifact plugin reverting that change and then will submit a draft pull request to the Jenkins plugin bill of materials to test the incremental build of the copyartifact plugin with that change. There is no need for you to bother with the draft pull request until the evaluation is complete in both the copyartifact plugin and the Jenkins plugin bill of materials.
jenkinsci/bom#1978 notes that the upgrade of the optional dependency on the maven plugin from 3.16 to 3.21 caused the Jenkins plugin bill of materials to need an explicit inclusion of the Jenkins maven plugin into the plugin BOM. That's not a desired change because the Jenkins maven plugin tests do not pass when run in the Jenkins plugin BOM test suites. We don't want to invest the effort in the Jenkins maven plugin tests to make them work in the Jenkins plugin BOM. The #174 dependabot proposed upgrade is being reverted to avoid the problem. When dependabot next proposes an upgrade of this dependency, it can be closed or evaluated as an incremental build in the Jenkins plugin BOM before the upgrade is approved.
https://issues.jenkins.io/browse/JENKINS-19508 would help here, but the prospect seems dim. From a quick glance, I think the PCT failures would be resolved by adding If fixing
Closing. Will be replaced with a newer version of copyartifact that does not upgrade its optional dependency on the maven plugin.
Pull request was closed
OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
* Revert "Bump maven-plugin from 3.16 to 3.21"
* Explain maven plugin version pin in a comment

jenkinsci/bom#1978 notes that the upgrade of the optional dependency on the maven plugin from 3.16 to 3.21 caused the Jenkins plugin bill of materials to need an explicit inclusion of the Jenkins maven plugin into the plugin BOM. That's not a desired change because the Jenkins maven plugin tests do not pass when run in the Jenkins plugin BOM test suites. We don't want to invest the effort in the Jenkins maven plugin tests to make them work in the Jenkins plugin BOM. The #174 dependabot proposed upgrade is being reverted to avoid the problem. When dependabot next proposes an upgrade of this dependency, it can be closed or evaluated as an incremental build in the Jenkins plugin BOM before the upgrade is approved.
jenkinsci/bom#1978 notes that the upgrade of the optional dependency on the maven plugin from 3.16 to 3.21 caused the Jenkins plugin bill of materials to need an explicit inclusion of the Jenkins maven plugin into the plugin BOM. That's not a desired change because the Jenkins maven plugin tests do not pass when run in the Jenkins plugin BOM test suites. We don't want to invest the effort in the Jenkins maven plugin tests to make them work in the Jenkins plugin BOM. The jenkinsci#174 dependabot proposed upgrade is being reverted to avoid the problem. When dependabot next proposes an upgrade of this dependency, it can be closed or evaluated as an incremental build in the Jenkins plugin BOM before the upgrade is approved. This reverts commit 99b537a.
* Revert "Bump maven-plugin from 3.16 to 3.22 (#184)"

jenkinsci/bom#1978 notes that the upgrade of the optional dependency on the maven plugin from 3.16 to 3.21 caused the Jenkins plugin bill of materials to need an explicit inclusion of the Jenkins maven plugin into the plugin BOM. That's not a desired change because the Jenkins maven plugin tests do not pass when run in the Jenkins plugin BOM test suites. We don't want to invest the effort in the Jenkins maven plugin tests to make them work in the Jenkins plugin BOM. The #174 dependabot proposed upgrade is being reverted to avoid the problem. When dependabot next proposes an upgrade of this dependency, it can be closed or evaluated as an incremental build in the Jenkins plugin BOM before the upgrade is approved. This reverts commit 99b537a.

* Exclude maven plugin from dependabot updates
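The commits above pin the optional maven-plugin dependency and stop Dependabot from proposing the bump again. As an added illustration (not the copyartifact project's actual configuration, which is not shown on this page), the following `.github/dependabot.yml` shows the Dependabot `ignore` rule that achieves the second part. The Maven coordinates `org.jenkins-ci.main:maven-plugin` are assumed here for the Jenkins maven plugin; check the `<groupId>`/`<artifactId>` in the plugin's own `pom.xml` before copying this.

```yaml
# Added example: .github/dependabot.yml for a Jenkins plugin repository.
# Keeps Dependabot's Maven updates but excludes the optional maven-plugin
# dependency, whose newer versions drag the Jenkins maven plugin into the
# plugin BOM (see jenkinsci/bom#1978).
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Assumed coordinates of the Jenkins maven plugin; verify against pom.xml.
      # Without this rule, Dependabot would re-propose the 3.16 -> 3.2x bump
      # that the revert above undid. A later upgrade should instead be
      # evaluated as an incremental build in the plugin BOM first.
      - dependency-name: "org.jenkins-ci.main:maven-plugin"
```

Note that `ignore` also suppresses Dependabot security-alert PRs for that dependency, so the pin should be revisited deliberately rather than relying on automated prompts; a version pinned this way only stays safe as long as someone owns re-evaluating it.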