openrewrite / rewrite-jenkins

OpenRewrite recipes to continuously modernize Jenkins plugins.
Apache License 2.0

Enable Dependabot if needed #20

Open basil opened 1 year ago

basil commented 1 year ago

Many plugins are missing .github/dependabot.yml, so their dependencies are never updated. If needed, this file should be added per the archetype.

basil commented 1 year ago

As far as dependabot.yml sections go, package-ecosystem: maven should always be included (except for Gradle-based plugins, of which there are very few), but package-ecosystem: github-actions should only be included if the plugin has a Release Drafter (not inherited from the organization-wide one, as should be the case for automated release) and/or Jenkins Security Scan workflow enabled. If the plugin has a .mvn_exec_node or .mvn_exec_yarn file, package-ecosystem: npm could be included as in e.g. active-choices-plugin.

sghill commented 1 year ago

I noticed in jenkinsci/slack-plugin#886 that some plugins have switched from Dependabot to Renovate. A quick search shows 40 Renovate config files.

I'm thinking this Dependabot recipe should no-op if one of the supported configuration files is present.
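
The decision logic described in the two comments above, as an added sketch in plain Python rather than as an OpenRewrite recipe; it is not code from the rewrite-jenkins project. The Renovate file names checked, the workflow markers used to detect Release Drafter and Jenkins Security Scan, the Gradle detection and the weekly interval are assumptions.

```python
from pathlib import Path

# Renovate config locations (a subset of the names Renovate looks for).
RENOVATE_FILES = ("renovate.json", "renovate.json5", ".renovaterc", ".renovaterc.json",
                  ".github/renovate.json", ".github/renovate.json5")
# Assumed heuristic: a workflow counts if it references one of these actions.
ACTION_MARKERS = ("release-drafter/release-drafter", "jenkins-infra/jenkins-security-scan")


def has_own_workflows(repo):
    """True if the plugin itself carries a Release Drafter or Security Scan workflow."""
    workflows = Path(repo) / ".github" / "workflows"
    if not workflows.is_dir():
        return False
    for wf in workflows.iterdir():
        if wf.suffix in (".yml", ".yaml") and any(
                m in wf.read_text(encoding="utf-8", errors="replace") for m in ACTION_MARKERS):
            return True
    return False


def plan_ecosystems(repo):
    """Return the ecosystems to configure, or None when the recipe should no-op."""
    if (Path(repo) / ".github" / "dependabot.yml").exists():
        return None  # already configured, nothing to add
    if any((Path(repo) / f).exists() for f in RENOVATE_FILES):
        return None  # plugin has switched to Renovate
    ecosystems = []
    if not any((Path(repo) / f).exists() for f in ("build.gradle", "build.gradle.kts")):
        ecosystems.append("maven")  # always, except for Gradle-based plugins
    if has_own_workflows(repo):
        ecosystems.append("github-actions")
    if any((Path(repo) / f).exists() for f in (".mvn_exec_node", ".mvn_exec_yarn")):
        ecosystems.append("npm")
    return ecosystems or None  # an empty updates list would not be a useful config


def render(ecosystems):
    # The weekly interval is a placeholder; take the real values from the archetype.
    lines = ["version: 2", "updates:"]
    for eco in ecosystems:
        lines += [f"  - package-ecosystem: {eco}", '    directory: "/"',
                  "    schedule:", "      interval: weekly"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = plan_ecosystems(".")
    print(render(plan) if plan else "no-op: already managed or nothing to configure")
```
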

gounthar commented 12 months ago

I was about to open an issue with the very same subject, thanks a lot @basil!