Check dependencies

Automate dependency checks with dependabot

Jenkins plugins frequently depend on external libraries and on other plugins. Automated dependency checks help ensure that new releases of those dependencies are noticed and reviewed by the plugin maintainers.

The GitHub dependabot tool can be configured to periodically check for new releases of dependencies. When a new release is detected, dependabot submits a pull request to include that update in the plugin pom file.

See the Jenkins Online Meetup video for more details on dependabot with Jenkins.

Create a branch

Create a git branch for your local work with the command:

$ git checkout -b auto-update-deps master

Automated dependency checks by dependabot are defined in a .github/dependabot.yml file.

$ mkdir .github
$ cat > .github/dependabot.yml <<END-OF-HERE-DOC
version: 2
updates:
- package-ecosystem: maven
  directory: "/"
  schedule:
    interval: weekly
  open-pull-requests-limit: 10
  target-branch: master
  reviewers:
  - <insert-maintainers-here-one-per-line>
  labels:
  - skip-changelog
END-OF-HERE-DOC
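Before committing, it is worth verifying that the file really carries the settings above and that the reviewer placeholder has been replaced with real GitHub usernames, since dependabot silently ignores fields it cannot parse. The POSIX shell check below is an added example, not part of the Jenkins documentation; the file path, the sample configurations and the maintainer name `example-maintainer` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Jenkins documentation): sanity-check a
# .github/dependabot.yml before committing it. Uses only POSIX sh and grep.
# It verifies the schema version, a maven ecosystem entry, a valid schedule
# interval, a target branch, and that the reviewer placeholder from the
# template was actually replaced.

check_dependabot_config() {
    file="$1"
    status=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    grep -q '^version: 2$' "$file" \
        || { echo "version must be 2"; status=1; }
    grep -q 'package-ecosystem: *"\{0,1\}maven"\{0,1\}' "$file" \
        || { echo "no maven ecosystem entry"; status=1; }
    grep -Eq 'interval: *"?(daily|weekly|monthly)"?' "$file" \
        || { echo "schedule interval must be daily, weekly or monthly"; status=1; }
    grep -q 'target-branch:' "$file" \
        || { echo "no target-branch set"; status=1; }
    if grep -q '<insert-maintainers-here' "$file"; then
        echo "reviewer placeholder was not replaced with real usernames"
        status=1
    fi
    return $status
}

# Constructed sample: the template with the placeholder replaced.
write_good_config() {
    cat > "$1" <<'EOF'
version: 2
updates:
- package-ecosystem: maven
  directory: "/"
  schedule:
    interval: weekly
  open-pull-requests-limit: 10
  target-branch: master
  reviewers:
  - example-maintainer
  labels:
  - skip-changelog
EOF
}

# Constructed sample: the template left untouched, so the placeholder is
# still present and no target-branch is set.
write_bad_config() {
    cat > "$1" <<'EOF'
version: 2
updates:
- package-ecosystem: maven
  directory: "/"
  schedule:
    interval: weekly
  reviewers:
  - <insert-maintainers-here-one-per-line>
EOF
}

# Usage against a real checkout: check_dependabot_config .github/dependabot.yml
```

Run it from the repository root before `git add`; a non-zero exit status with the printed reasons tells you which field still needs attention.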

Create a pull request

Commit the file and push it to GitHub with the commands below.

Commit that change:

$ git add .github/dependabot.yml
$ git commit -m "Automate dependency updates"

Push the change to GitHub:

$ git push origin --set-upstream auto-update-deps
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
remote:
remote: Create a pull request for 'auto-update-deps' on GitHub by visiting:
remote: https://github.com/user/your-plugin/pull/new/auto-update-deps
remote:
To github.com:user/your-plugin.git
 * [new branch]      auto-update-deps -> auto-update-deps
Branch 'auto-update-deps' tracking remote branch 'auto-update-deps'.

Notice that the output of the command includes a URL for opening a pull request. Open that URL in your web browser and submit the pull request.