Update parent pom + adjustments

[Wadeck]

Update the pom.xml to use latest dependencies and adjust the tests to be compatible.

[jglick]

or use BOM

[ikedam]

+1.
But it's not required for this request.

[oleg-nenashev]

Will do in a follow-up

[jglick]

There is a custom assertion type in CLICommandInvoker BTW.

[ikedam]

+1
Like this: https://github.com/jenkinsci/jenkins/blob/jenkins-2.250/test/src/test/java/hudson/cli/ListPluginsCommandTest.java#L48

[ikedam]

Backgrounds of changes in tests:

• Jenkins.getInstance() and Jenkins.getActiveInstance() are deprecated and replaced with Jenkins.get() in jenkins-2.98: `
• User.get() performs ID resolution, and it's preferred to use User.getById() for id for performance reasons.
• CLI() is deprecated in jenkins-2.54, and removed in jenkins-2.165
• Password fields are no longer implemented with <input type="password"> since jenkins-2.205 (Hide password form fields by default jenkins#3991).
  • It is first set to hidden and toggled to password if clicked.

[ikedam]

The changes look good to me.
But I'm not sure I should merge this request as the latest LTS is not necessary for authorize-project itself. It's only required for #47, which is still in draft.

Is it make sense to create a branch for JENKINS-5303?

[ikedam]

Note: The default behavior of buildPlugin:

• platform=[linux, windows] x jdkVersion=8 x jenkinsVersions=null

It might be better to add jdk11 and latest LTS, but it's another issue and not required for this request.

[ikedam]

Note:
The latest LTS as this is the preparation for #47 to accept a upcoming Jenkins core.

[ikedam]

+1.
But it's not required for this request.

[ikedam]

+1
Like this: https://github.com/jenkinsci/jenkins/blob/jenkins-2.250/test/src/test/java/hudson/cli/ListPluginsCommandTest.java#L48

[Wadeck]

But I'm not sure I should merge

I don't think there is any urgency here :)

[jglick]

the latest LTS is not necessary for authorize-project itself

No, but it is generally helpful to keep the source base fresh by making sure everything works on a current version of Jenkins. After all, if you are using anything older than the current LTS, you are deliberately declining to receive patches for disclosed vulnerabilities…so why would you expect to get updates to a security-related plugin?

[ikedam]

Availavilities and compatibilities are more important than security for some instances, especially instances in almost-offlined environments. It costs much to keep versions up-to-date in those environments. It’s helpful in those environments if you can update a specific plugin to the latest to use new features or to apply bug fixes of that plugin.
That’s why I prefer to use older core.

“Should plugins use the latest LTS?” is supposed to consist of many issues:

• recommendedConfigutation() for buildPlugin() is provided to run tests against the latest core. It assumes that plugins doesn’t use the latest core by default. (anyway, I know recommendedConfigurations are no longer recommended.)
• The plugin compatibility tester is to test plugins against various versions of Jenkins core. It assumes that plugins doesn’t use the latest core.
• A mechanism like dependabot for Jenkins core may be required.
• It might not be applicable to general plugins, but security-releated plugins should be maintained in that policy.
• It looks strange to change of the target core for patch releases like fixing documantations.
• It’s too old even though I prefer older core. (On the other hand, what version is old but not too old.)

I think I can work on the guideline if there’s a community guideline for the target core version.

[jglick]

instances in almost-offlined environments

Remember that even offline servers are not immune to CSRF attacks.

My general preference, FWIW, is to just set a recent LTS baseline in plugin master to make life easier. If and when an important, low-risk bug fix is merged, it is easy enough to cherry-pick it and produce a release compatible with older cores: https://gist.github.com/jglick/86a30894446ed38f918050c1180483e2

[ikedam]

@jglick
OK., I agree that Jenkins administrators must always use the latest LTS core (actually, it’s highly recommended, not only for security reasons, but for every aspects).
Whether to consider about administrators using older cores is up to plugin maintainers, but “it’s unnecessary to consider about older cores” is appropriate as the policy of Jenkins community.

But the policy for plugins to use latest LTS cores results maintainers to update and make new releases so often. So the some automated mechanism like the one you planed are required
(actually, I don’t plan to make a new release after merging this request).

Introducing develop branch is good way for your idea:

• master branch: Points the latest release version. Bug fixes are applied to this branch and target core is updated automatically.
• develop branch: new features for next release are introduced.
• master branch is merged into develop when updated.
• develop branch is merged into master branch when cutting a new release.

[jglick]

I don’t plan to make a new release after merging this request

Does not seem to be marked as being up for adoption yet. It is possible to do this now via a GH repo tag.

A develop branch is a possible workflow. I just have not seen the need for this sort of overhead in practice. Doing everything on master (cutting releases whenever anything of interest is merged) and freshening up master dependencies whenever touching the plugin works fine in my experience, and greatly simplifies project-wide maintenance like running plugin-compat-tester and removing deprecated APIs.

some automated mechanism like the one you planned

Many plugins do use Dependabot for plugin and library deps as well as for parent POM and BOM. Does not currently work for the core dep due to technical limitations.

[ikedam]

I thought this is preparation #47, but #47 is closed. I don't know the background of this pull request... (maybe PCT failed?)
Anyway, I don't plan to keep core updated to the latest LTS without automated updating and releasing mechanisms.

This plugin is now adopt-this-plugin and you can take over maintenance.

[ikedam]

@jglick I suppose it cannot be automated to pick up commits to backport (FIX in your gist) and to resolve errors when they occurred in releasing.
master / develop management makes it easier. The bot can create a pull request and notify maintainers if errors occur in releasing. There would be no target branch if there are only master.

[jglick]

I don't know the background of this pull request

Just that as part of testing the impact of something like jenkinsci/jenkins#4848 it is helpful to be able to take some plugin and run PCT on it, or even more lighter-weight

mvn -f some-plugin test -Djenkins.version=2.xxx-SNAPSHOT

and having a really outdated baseline in the plugin makes that more complicated and painful. The older the baselines in widely used and sensitive plugins, the harder it is to maintain them as part of the whole Jenkins ecosystem.

it cannot be automated to pick up commits to backport

I would only propose a backport of some critical and safe fix to begin with, not every change to trunk.

[oleg-nenashev]

Time to ship it finally

[oleg-nenashev]

Will do in a follow-up