Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump promoted-builds optional dependency to 892.vd6219fc0a_efb #378

Conversation

MarkEWaite
Copy link
Contributor

@MarkEWaite MarkEWaite commented May 6, 2024

Bump promoted-builds optional dependency to 892.vd6219fc0a_efb

892.vd6219fc0a_efb was released 2 years ago. Over 55% of all installations of the promoted builds plugin are already using 892.vd6219fc0a_efb or newer. Those users will see no difference from this change, since they are already using 892.vd6219fc0a_efb.

Recent Jenkins versions will display broken icons with older versions of the promoted builds plugin. Fixed in jenkinsci/promoted-builds-plugin#170 as part of 873.v6149db_d64130. Upgrading to 892.vd6219fc0a_efb will fix that issue for users.

Installation statistics show that 892.vd6219fc0a_efb is the second most popular release. It is second only to the most recent release, 945.v597f5c6a_d3fd. A step towards eventually upgrading the promoted-builds optional dependency that is part of the git plugin. Attempts to update that optional dependency have shown consistent failures in the plugin bill of materials.

Bumps promoted-builds from 3.11 to 892.vd6219fc0a_efb

Also removes unnecessary exclusions.

Also upgrades to the most recent parent pom.

Also requires Jenkins 2.426.3 or newer because installation statistics show that 80% of the installations of 787.v665fcf2a_830b_ release (6 months old) are already running Jenkins 2.426.3.

SECURITY-3314 advises users to upgrade to Jenkins 2.426.3 or newer to resolve a critical security vulnerability.

Testing done

Rely on ci.jenkins.io and on a pull request to the plugin bill of materials to check the upgrade.

Testing in plugin bill of materials with:

Test uses builds from this pull request and from a matching git plugin pull request:

Submitter checklist

Preview Give feedback

dependabot bot and others added 3 commits May 5, 2024 18:41
892.vd6219fc0a_efb was released 2 years ago.  Over 50% of all
installations of the promoted builds plugin are already using
892.vd6219fc0a_efb or newer.  Those users will see no difference from
this change, since they are already using 892.vd6219fc0a_efb.

Recent Jenkins versions will display broken icons with
older versions of the promoted builds plugin.  Fixed in
jenkinsci/promoted-builds-plugin#170 as part
of 873.v6149db_d64130

https://stats.jenkins.io/pluginversions/promoted-builds.html shows that
892.vd6219fc0a_efb is the second most popular release.  It is second
only to the most recent release, 945.v597f5c6a_d3fd.

A step towards eventually upgrading the promoted-builds optional
dependency that is part of the git plugin.  Attempts to update that
optional dependency have shown consistent failures in the plugin bill
of materials.

* jenkinsci/bom#3170
* jenkinsci/bom#2809

Bumps [promoted-builds](https://github.com/jenkinsci/promoted-builds-plugin) from 3.11 to 892.vd6219fc0a_efb
- [Release notes](https://github.com/jenkinsci/promoted-builds-plugin/releases/tag/892.vd6219fc0a_efb)

Also removes unnecessary exclusions
https://stats.jenkins.io/pluginversions/parameterized-trigger.html shows
that 80% of the installations of 787.v665fcf2a_830b_ release (6 months
old) are already running Jenkins 2.426.3.

https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
advises users to upgrade to Jenkins 2.426.3 or newer to resolve a critical
security vulnerability.
MarkEWaite added a commit to MarkEWaite/bom that referenced this pull request May 6, 2024
The parameterized trigger plugin has an optional dependency on
promoted builds plugin 3.11.  The git plugin also declares an optional
dependency on the promoted builds plugin 3.11.  Attempts to update that
optional dependency in the git plugin have failed.  This is an attempt
to upgrade the dependency in the promoted builds plugin first, in hopes
that will eventually allow the dependency to be updated in the git plugin.

Tests the plugin built from:

* jenkinsci/parameterized-trigger-plugin#378
MarkEWaite added a commit to MarkEWaite/git-plugin that referenced this pull request May 6, 2024
892.vd6219fc0a_efb was released 2 years ago.  Over 50% of all
installations of the promoted builds plugin are already using
892.vd6219fc0a_efb or newer.  Those users will see no difference from
this change, since they are already using 892.vd6219fc0a_efb.

Recent Jenkins versions will display broken icons with
older versions of the promoted builds plugin.  Fixed in
jenkinsci/promoted-builds-plugin#170 as part
of 873.v6149db_d64130.  Upgrading to 892.vd6219fc0a_efb will fix that
issue for users.

https://stats.jenkins.io/pluginversions//promoted-builds.html shows that
892.vd6219fc0a_efb is the second most popular release.  It is second
only to the most recent release, 945.v597f5c6a_d3fd.  Attempts to update
that optional dependency to the most recent release have shown consistent
failures in the plugin bill of materials.

* jenkinsci/bom#3170
* jenkinsci/bom#2809

This likely needs to be combined with the parameterized trigger plugin
upgrade of the same dependency to the same version.  Refer to

* jenkinsci/parameterized-trigger-plugin#378

Bumps [promoted-builds](https://github.com/jenkinsci/promoted-builds-plugin) from 3.11 to 892.vd6219fc0a_efb
- [Release notes](https://github.com/jenkinsci/promoted-builds-plugin/releases/tag/892.vd6219fc0a_efb)
jenkinsci/bom#3171 describes the issue.  The
promoted builds version needs to be kept the same in the git plugin
and in the paramaterized trigger plugin.  If they are not the same,
then tests will fail in the plugin bill of materials.
@MarkEWaite MarkEWaite removed the on-hold label May 6, 2024
@MarkEWaite MarkEWaite marked this pull request as ready for review May 6, 2024 11:16
@MarkEWaite MarkEWaite requested a review from a team as a code owner May 6, 2024 11:16
@MarkEWaite
Copy link
Contributor Author

@gounthar this is ready to review.

Tests pass when the optional dependency on promoted builds plugin is updated to the same new value in both the git plugin and the parameterized trigger plugin. That means we'll need a release of git plugin and a release of parameterized trigger plugin in the same plugin BOM release.

The catalyst for the parameterized trigger release will be the merge of

I still need to identify the catalyst for the git plugin release. I'd like to release this week, but need to be sure that the git plugin release is well tested.

Copy link
Contributor

@gounthar gounthar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, Mark, for the detailed explanation and the links. 👍

@gounthar gounthar merged commit e05b39a into jenkinsci:master May 6, 2024
14 checks passed
@MarkEWaite MarkEWaite deleted the dependabot/maven/org.jenkins-ci.plugins-promoted-builds-892.vd6219fc0a_efb branch May 6, 2024 16:24
MarkEWaite added a commit to jenkinsci/git-plugin that referenced this pull request May 7, 2024
* Require Jenkins 2.426.3 or newer

https://stats.jenkins.io/pluginversions/git.html shows that 82% of the
125k installations of the 5.2.1 release (most recent, 6 months old)
are already running 2.426.3 or newer.

https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 was
published in Jan 2024 and strongly recommends that users upgrade to
2.426.3 or newer.

* Test with promoted-builds 940.va_9b_59a_717a_b_1

Removes the dependency on project-inheritance.  Previous releases resolved
the security issue that was still open in 3.11.

* Remove recently introduced trailing white space

* Remove dependabot exclusion of promoted builds

* Use (optional) promoted builds 945.v597f5c6a_d3fd

* Remove diff to master branch

* Bump promoted-builds optional dependency to 892.vd6219fc0a_efb

892.vd6219fc0a_efb was released 2 years ago.  Over 50% of all
installations of the promoted builds plugin are already using
892.vd6219fc0a_efb or newer.  Those users will see no difference from
this change, since they are already using 892.vd6219fc0a_efb.

Recent Jenkins versions will display broken icons with
older versions of the promoted builds plugin.  Fixed in
jenkinsci/promoted-builds-plugin#170 as part
of 873.v6149db_d64130.  Upgrading to 892.vd6219fc0a_efb will fix that
issue for users.

https://stats.jenkins.io/pluginversions//promoted-builds.html shows that
892.vd6219fc0a_efb is the second most popular release.  It is second
only to the most recent release, 945.v597f5c6a_d3fd.  Attempts to update
that optional dependency to the most recent release have shown consistent
failures in the plugin bill of materials.

* jenkinsci/bom#3170
* jenkinsci/bom#2809

This likely needs to be combined with the parameterized trigger plugin
upgrade of the same dependency to the same version.  Refer to

* jenkinsci/parameterized-trigger-plugin#378

Bumps [promoted-builds](https://github.com/jenkinsci/promoted-builds-plugin) from 3.11 to 892.vd6219fc0a_efb
- [Release notes](https://github.com/jenkinsci/promoted-builds-plugin/releases/tag/892.vd6219fc0a_efb)

* Do not check for promoted-builds updates
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants