Check dependencies

Automate dependency checks with dependabot

Jenkins plugins frequently depend on external libraries and other plugins. Automatic dependency checks help assure that new releases of dependencies are reviewed by plugin maintainers.

The GitHub dependabot tool can be configured to periodically check for new releases of dependencies. When a new release is detected, dependabot submits a pull request to include that update in the plugin pom file.

See the Jenkins Online Meetup video for more details on dependabot with Jenkins.

Create a branch

In a local copy of your fork of the plugin repository create a git branch for your work with the command:

git checkout -b auto-update-deps master

Automated dependency checks by dependabot are defined in a .github/dependabot.yml file.

mkdir .github
cat > .github/dependabot.yml <<END-OF-HERE-DOC
version: 2
# Maintain dependencies for your plugin
- package-ecosystem: maven
  directory: /
    interval: monthly
  open-pull-requests-limit: 10
  target-branch: master
# Maintain dependencies for GitHub Actions
- package-ecosystem: github-actions
  directory: /
    interval: monthly

Commit the file and push it to GitHub with the commands:

Create a pull request

Commit that change:

git add .github/dependabot.yml
git commit -m "Automate dependency updates"

Push the change to GitHub:

git push origin --set-upstream auto-update-deps
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
remote: Create a pull request for '{task-identifier}' on GitHub by visiting:
 * [new branch]      {task-identifier} -> {task-identifier}
Branch '{task-identifier}' tracking remote branch '{task-identifier}'.

Notice that the output of the command includes the URL, which can be used to open a pull request. Copy that URL in your web browser and submit a pull request.