Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider Release per Upstream Dependency Change #181

Open
sghill opened this issue Jan 24, 2021 · 2 comments
Open

Consider Release per Upstream Dependency Change #181

sghill opened this issue Jan 24, 2021 · 2 comments

Comments

@sghill
Copy link

sghill commented Jan 24, 2021

In order to minimize breaking changes from dependencies
And maximize time to be notified of deprecations
As a gradle-jpi-plugin user
I want to release more frequently with smaller dependency changes

The release of v0.38.0 saw the jpi plugin bump the jenkins-test-harness version from 2.31 to 2.60 (#133).
This ended up being a breaking change for the jira-trigger-plugin because htmlunit upgraded from 2.18 -> 2.36.0.
A method in htmlunit was deprecated in 2.21 by HtmlUnit/htmlunit@d1697e8. It was removed in 2.25 by HtmlUnit/htmlunit@0371df2. Unfortunately since 29 versions were upgraded at once, the entire deprecation cycle was missed.

Ideally we'll want to strike the right balance, avoiding two things:

  1. Releasing too often, creating a situation where it's nearly impossible to keep up and requires constant maintenance
  2. Releasing so infrequently entire deprecation cycles are missed regularly
sghill added a commit to sghill/jira-trigger-plugin that referenced this issue Jan 24, 2021
@sghill
Replace use of getHtmlElementsByTagName(String)
1daff36 
v0.38.0 of the gradle-jpi-plugin upgrades the jenkins-test-harness from
2.31 -> 2.60, which causes an upgrade of htmlunit from 2.18 -> 2.36.

This method is deprecated in htmlunit 2.21 and removed in 2.25. Its
recommended replacement already exists in 2.18.

jenkinsci/gradle-jpi-plugin#181
sghill added a commit to sghill/jira-trigger-plugin that referenced this issue Jan 24, 2021
@sghill
Upgrade org.jenkins-ci.jpi to 0.39.0
3e61469 
Migrate deprecated configurations to recommended replacements.

jenkinsci/gradle-jpi-plugin#139
jenkinsci/gradle-jpi-plugin#181
@sghill
Copy link
Author

sghill commented Feb 5, 2021

I've been thinking about this problem and wanted to capture some ideas here.

Added Dependencies

The plugin adds these dependencies to the target project when applied:

  • core: org.jenkins-ci.main:jenkins-core:${jenkinsPlugin.jenkinsVersion}
  • war: org.jenkins-ci.main:jenkins-war:${jenkinsPlugin.jenkinsVersion}
  • access-modifier: org.kohsuke:access-modifier-checker:1.21
  • findbugs: com.google.code.findbugs:annotations:3.0.0 or findbugs:annotations:1.0.0
  • groovy: org.codehaus.groovy:groovy-all
  • javapoet: com.squareup:javapoet:1.13.0
  • jcip-annotations: net.jcip:jcip-annotations:1.0
  • junit: only if jenkinsPlugin.jenkinsVersion < 1.505
  • localizer: org.jvnet.localizer:maven-localizer-plugin:1.24
  • servlet-api: javax.servlet:javax.servlet-api:3.1.0 or javax.servlet:servlet-api:2.4
  • sezpoz: net.java.sezpoz:sezpoz:1.13
  • test-harness: org.jenkins-ci.main:jenkins-test-harness:2.60 or 2.0 or jenkinsPlugin.jenkinsVersion
  • ui-samples-plugin: org.jenkins-ci.main:ui-samples-plugin:2.0 or jenkinsPlugin.jenkinsVersion

Categories

I've been thinking of our dependencies as falling into four main categories, ordered here by how easy they are to maintain.

1. Declared

Examples: jenkins-core and jenkins-war. By specifying jenkinsPlugin.jenkinsVersion, we use this version exactly to wire up these dependencies. If the versions are invalid, they fail with a missing dependency.

2. Derived

Example: groovy-all. Groovy is a transitive dependency of jenkins-core. If a user does nothing, they get the version that Jenkins runs with.

3. Latest

Example: javapoet. This is a library used to generate a test class. It isn't deployed anywhere and there is no relationship to Jenkins. It'd be nice to always be on latest.

Example: jenkins-test-harness. This receives fixes and enhancements on its own schedule. It should always be used at latest.

4. Aligned

Example: servlet-api. This is a provided dependency for jenkins-core that is required for better error messages in annotation processing (#177). The version must align with either the embedded jetty version.

Example: sezpoz. This is a dependency whose version we specify today, but would become derived if we started depending on the platform org.jenkins-ci.main:jenkins-bom. This would significantly improve ease of maintenance as the version numbers would simply disappear from the codebase. It would also open the door to generating additional tasks that run against different versions of jenkins-core.

jenkins-bom

There are two main problems to solve with introducing jenkins-bom as a platform dependency.

The first bom version is for 2.164.1 (lts; 2.195 weekly). We'll need to either explicitly stop supporting building Jenkins plugins that depend on core before this version, or generate and publish platforms for previous releases. It'd be helpful to know how many plugins today depend on a version later than or equal to 2.164.1.

The second problem is verifying that each bom version provides all the dependency constraints we need.

sghill added a commit that referenced this issue Feb 5, 2021
@sghill
jenkins-test-harness:2.60 -> 2.71
6030260 
Issue #181
Changes: jenkinsci/jenkins-test-harness@jenkins-test-harness-2.60...jenkins-test-harness-2.71
@sghill
Copy link
Author

sghill commented Jun 2, 2022

Choosing a Jenkins version recommends not going older than 4 minor LTS releases ago, because they're not supported by the update center. For example, if the current release is 2.332.3, the oldest supported version is 2.277.3 from 12 months earlier.

Given the realities of needing to stay up-to-date to address vulnerabilities, it seems reasonable to follow a similar rolling schedule for support in this plugin. This would mean dropping support for anything that pre-dates the bom.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sghill