🔴 Modernizing Jenkins Plugins - Part 5 - Hacktoberfest 2021

Captions
Hi, and welcome back to this last, we think, episode of Modernizing Jenkins Plugins. Mark, welcome back. Thanks. So do we just get into it? Do you want to recap anything? We probably should recap, right? So this is five of, we think, five, right? We think this is it, plus we're coming up to the end of Hacktoberfest, which has sort of been the reasoning why we've been doing these as well. So just share the screen, why not. So we've been starting from this document. The link... do you remember if I put the links down in the description? Yes, you did. Yeah, they're in the description. So okay, people who look at the video on YouTube just need to open up the description section; it's got links to this document, to all the videos, and I assume when we get the tutorials online on jenkins.io we'll put links there as well. Got it, that's there. All right, so since last time we haven't done hardly any coding changes. Now I did see one thing weird; we'll talk about it after a while, but don't let me forget, I saw a PR in my fork that I didn't think I should have seen, so we'll talk about it later. So Mark's been updating this document a lot. Code-wise, no changes since video four, but Mark's been updating this document: he's been putting links to the videos in as we've been doing them, he's documented how we do Gitpod, so right now we have Gitpod on both of our master branches for the two plugins, for Schedule Build and for the TestNG plugin. So today we're done with Schedule Build, right? We're done; we're not going to visit that other than me making a comment a little bit later, if we remember to talk about it. Actually, let me talk about it right now. Okay, so I got a PR in my fork here. I'm going to get rid of this for just a minute. I got a PR in my fork for the parent POM change. Now we had already resolved that, so evidently I had that PR come in on my fork before we'd done the final changes in Schedule Build, which actually had merged that, because that repo,
the jenkinsci repo, also received that PR. So is there a way I can set up my repository to not even get those PRs? I don't know of a way to prevent PRs on your fork. As an example, one of the places where I see those kinds of pull requests arrive is because my repository is a fork of the upstream; it has the same Dependabot configuration, which means I will regularly get pull requests to my fork from Dependabot proposing changes, and my action there is to go into that forked repository and just close those pull requests, because they don't help me by being submitted to my repository. Now there are times when I may get a pull request which looks security sensitive, and then I might close it and try to hide it, you know, suppress the existence of the thing, but that's a very, very rare case. Okay, so if I get a PR that I know we're going to deal with in the upstream, then just close it on your fork. Yeah, that's what I did. That was a little annoying; I wish I could... I might dig into that and see if I can. Well, and Dependabot is known for doing those kinds of things, and there have been some complaints in the Jenkins developer community. Hey, that might be a reason why you only run updates monthly, because you don't want to be spammed any more often than monthly. Oh, that's fair enough. Okay, so today what we're going to do in this final session... hey, we have somebody here. I don't understand the comment; just keep going. I thought it said hello at first and then I saw something else. Good. What we're going to be doing: we've been working on the "improve the plugin"... nope, that's not true. What have we been doing? Yeah, we have been doing "improving"; that is what we have been doing, "improve the plugin pull request", that is what we did. Okay, so our first focus was on things we could do without having actually become a maintainer, and these are things that anybody could do: a Hacktoberfest contributor, somebody who's
just got 20 minutes to contribute to Jenkins, they could do these things and have a real and positive benefit. They haven't become a maintainer, they haven't asked for permissions, they haven't done anything more than a very simple pull request. However, there are some things for which pull requests are not the right approach; you need to be a plugin maintainer to choose to implement some of these things, and that's the next step, and I think that should be today's focus. Right, and the comment was "the links are in the description". Thank you, I got it. I knew I had the links to the videos, because trying to keep five links across five different videos took a little bit, but I couldn't remember if I'd added the document or not, so that was my question. Okay, so we're going to go down to this next section, which is "improve the plugin by adopting it", so let's just go down to this section. First, "enable Release Drafter": we've done that already on both TestNG and... right, twice, actually, twice. Okay, all right, so we did it on both plugins that we're both maintainers of. How did you rope me into this? Isn't it great? Congratulations, Darren, and it's not been painful at all, has it? You're not suffering terribly? No, it's because you're walking me through every single step. Right, and that's great. Sam, good to see you; thanks for hanging out today, or this evening depending on where you are. Now we get into some interesting things: assigning repository topics. Now which way do we want to go here? Do we want to talk about that and just work our way down through the list? Now the other thing... let's actually walk through the list. I'll go ahead. Yeah, we'll go. So "enable Release Drafter": done. Done, like double check. All right, we know it's done, yep. "Assign repository topics and labels": we'll come back to that. Okay. "Enable Jenkins-specific security scanning": we'll be spending time here. Right. And then "enable continuous delivery": we've done that on Schedule Build but not on TestNG. Correct,
if we do it today, great; if we don't, that's where we got into... it was almost a chicken-and-egg problem, wasn't it? Well, enabling continuous delivery requires something outside of our repository control, right? There's a piece that the repository permissions updater has to do, and that requires people who are supervising that repository. Last session we got lucky and Tim Jacomb did the merge for us. I'd rather not rely on luck for our live sessions like this. But we had recorded it last time. Yep, so we probably won't do that one live, but that one will be coming. Do you think we'll probably version that one the same way? We should look at this thing and see. My hunch is that, given that TestNG hasn't released in almost three years, there's not a lot of content in the version numbers, right? It's not strongly semantic, and it's not releasing off multiple branches like the git plugin sometimes does. When you release off multiple branches you have to have more semantics for your version numbers than just a single number. So let's just take a look at it: 50 tags. So we'll sort of close this one out. There's of course Release Drafter right now; since I'm a committer, is that the reason why I see it? That's correct, nobody else sees this because it's not been published yet. However, you can see, and there's been no release published. But now the tags: this shows you the version numbering schema that they're using. They're using a major.minor. Yep, and you're proposing we'll probably just flip it over, just because even if we ignore the good and bad of it, just looking at it historically, it was reasonably slow, almost just once a year. Right, exactly, because I sort of count 11, 12, 13
as one, because they all happened within seven days. Right, to me, and then there was one in July, okay, that's the next bump, but then two years later we had another one. Right, so does the version number really matter? I don't think the users of the plugin are attaching significant meaning to the version numbers. Right, it's just, oh, it's different than the last one and it's bigger. Yep, so I think that's probably where it'll end up. Okay, so with that in mind we're going to sort of check off this one, right, and we've already done this one right now. So now which way do you want to go? Do you want to just look at the topics and labels first? I do, because that's a relatively brief one, and we'll actually need to be inside that page again, because there's a helper tool on that web page, on that contributing-to-open-source document. So this describes this tool, and I'm enamored by the tools. So Gavin Mogan, who maintains the plugins.jenkins.io site and is a member of the Jenkins governing board, has created a tool on his DigitalOcean application hosting that helps us do this job, and I like that there's a helper that offers suggestions. And so, okay, there in that second paragraph there's a hyperlink; open that up and let's see where it takes us. Okay, so now you have to say, all right, I'm willing to authorize this. Okay, and what it's going to do now is it presents to you the plugins you are a maintainer on; for you it's only two. Right, there we go. And there are two categories of things we can operate with here: the GitHub labels, which is what I call topics, and the plugin labels, which are the labels that can be assigned to pull requests. So let's look at plugin labels first so that we get a hint of what's configured. Which one do you want to look at? Let's do TestNG. Okay, all right. Okay, so these are... oh no, I think I gave it to you backwards; cancel out of this. I think I gave you... click "GitHub labels". Okay, so these
are the pull request labels. I said it backwards, Darren, my apologies. So this is the one: when a pull request is created, it can be labeled with one of these labels, and there are actually even tools that will automate the assignment of labels based on the type of file. So as an example, we could auto-label every change to pom.xml as a dependency change. It's a pretty good first choice. Yeah, so what this is showing us is that, hey, on the left are the things that we have assigned. Oh, okay, so on the right-hand side are candidates. And I'm not entirely sure I've got his use model nailed down; this is more informational for me. Okay, do I have the right things that I want to use for Release Drafter? And for me I do, because I want a feature category, I want a chore category, which is maintenance, right; the word annoys me but it's the word that was chosen. Dependencies, definitely, and bug fix. Documentation is a nice one to have because it helps people know that we updated docs. Okay, so this was mostly just a review. I haven't yet found a way to do much with that apply button. If you hit the apply button, let's see what it does. My experience has been I don't get a lot of changes from that apply button. So now go to the repository and open up the pull requests tab, and here if you look at labels, it's now got 21 labels. So above where, yeah, that "labels" thing, click that button. And these labels, as far as I can tell, didn't change in terms of what we got there. So yes, we've still got a "help wanted", and yes we've got a "hacktoberfest", and yes we've got a "question", and I'm not a big one for a question label; if people submit stuff that's a question I tend to delete it. Right, so that helps with, all right, do you have the right set of labels. Now let's go back to Gavin's page and let's go to the plugin labels, where this helps people find our plugin better. Okay, so TestNG, we might
say, okay, should we call it analysis? So let's figure out... so these are going to end up here. Exactly, they will be in that section right there. So we see three here now, so let's see if we see these two. Just because, good, just because if they're not there then keep going. It should be test... nope, yup, there it is, test. Oh, that's interesting, so "jenkins-" is prepended. So how did the security... we'll get to that. So I believe CodeQL will accept either "jenkins-security-scan-enabled" or "security-scan-enabled". Okay, sorry. So TestNG is test. So what are the things where TestNG applies? Post build. So for me, one of the things is it's a good thing to have the post-build label, okay, because after a build is when we want to display our results, so even though it calls it cleanup, for me it's definitely post build. Right, and then keep looking through. It's definitely a report; you got that. And then, let's see if we picked... I don't think I would call it UI personally, but maybe you and I should talk about that; it's presenting graphical information. That's true. Let's sit on it; we'll put it in the cart. Right, okay, we'll put it in the cart here for a second. So I'll wind back up to the top and let's take a look again. Okay, so it's not an administrative monitor, we don't want them to put it up for adoption, agents, no. Analysis, yeah, and maybe that, yeah, because many of the things that do analysis are on reporting things, right, so that makes sense. Android, API, AWS, Azure, Bitbucket, but look at server, builder, no, no, no, cloud, yeah, cluster, CodeBuild, configures code, yeah, and for me TestNG doesn't have a configures-code at all, and even if it did... so for instance Schedule Build does have Configuration as Code, but I would not check the Configuration as Code label for Schedule Build, because most every plugin should have that check then, and that diminishes the value of the Configuration as Code label. Right,
Confluence, database, deployment, deprecated, DevOps, DevSecOps, Docker, .NET, email, email-ext, external, fingerprint, yeah, this one's not doing fingerprints, GitLab, Google Cloud, Groovy related, iOS, Jira, Kubernetes, library, nope, must be column, localization, logging, Maven, miscellaneous, nope, monitoring, must be labeled, yeah, I don't know what that's for so I would leave it out, okay, notification, notifier, npm, observability, OpenShift, orchestration, page decorator, no, parameter, performance, no, pipeline, pipeline, no, yeah, my fear with pipeline is the same challenge as with Configuration as Code, right, it's almost everything contributes to pipeline. Yeah, okay, post build, Python, we're back, almost, world war, Q, Redis, yeah, we've got it. So let's apply it, and we can watch and see what happens. Okay, so we do that. Let me bring up one question here. Going back to versions here: doesn't the version number scheme by year also make it enticing to update, and know how long you haven't updated? That would be an interesting one. It does, and that's an alternative. For me, unfortunately, a version number scheme by year means I've got to do more work as a maintainer to update the version number, whereas if I use continuous delivery it will do it for me, and because it does it for me without me thinking about a version number, I like it better. Now the git plugin is different, and there we don't version number by year; we have to use a full semantic version with major, minor and patch. Got it. Okay, so let's go back over here and let's do a refresh. Right, yeah, and let's see if it applied the topics. It did, yeah: post build, analysis, for the two that we added. Right, and so then this one I'm assuming was... now I didn't see this tag; was that his phrasing? I didn't see the plugin label for security scan anywhere, did you? It was not, and I suspect that's probably intentional by Gavin, making people think carefully; they need to know to do a security scan by enabling that themselves. Got it. Okay, are we
done with Gavin's? Gavin's showed what I wanted to show. For me it's a convenient thing; it's great that Gavin's willing to host that application, and it just works. Got it, okay, so I'll close that out. So with that in mind we've done one, two and four; now we're on to security scanning, right, and we thought long and hard about doing this live. Yes, we did, and conversed with people to find out if we should do it live or not, and everybody gave it a thumbs up. So that gets back to this tag here, right. So about a week ago, maybe a week and a half ago, I added that "security-scan-enabled" topic, and by assigning that topic to the repository, periodically there's machinery that scans all jenkinsci repositories for those labels and adds them to a security scanner that has Jenkins-specific security scans implemented. Daniel Beck, the Jenkins security officer, created some CodeQL rules that know about common mistakes that Jenkins developers make which may expose security problems. He's implemented those, and if you put the topic "security-scan-enabled" (or, I believe, "jenkins-security-scan-enabled" also works), it will then become part of that scanning and you'll get results on the Insights tab. Let's go there now, Darren, and let's take a look at this plugin, what's actually on the security... oh, right, no, you're right, it is the Security tab, you're correct. So the only people that can see this are maintainers of the repository? That's correct. This is intentionally kept for just maintainers, because really we don't want to expose security vulnerabilities to others without thinking carefully about it. Right, so with that in mind I'm just going to go down here to code scanning alerts; there are 16 of them, and it gives you what's going on. So in this case we're missing a @POST or @RequirePOST annotation. Right, so up at the top there you see it says "see the documentation"; go ahead and open that URL and let's talk
briefly about what that documentation tells us. So this is in form validation. So Jenkins creates its HTML UI using the Jelly format, which is an XML format that looks very much like HTML, right, so it's got that feel, and as part of that, the form from the web browser will make a call back to the Java application to do checks for validity, and this is what it's showing: a check of, in this case, the field named foo. It is being checked to be sure that it's a non-empty value; if it's empty, text will appear below it in red that says "foo cannot be empty"; if it's not empty, the form will not show any red text and will say it's okay. Now go ahead. No, go ahead. So the challenge here is that sometimes people make the mistake of forgetting that these check methods are accessible by anything making an HTTP call, and because they're accessible by anything making an HTTP call, they need to be correctly written and correctly defended so that they don't open us up to attacks. Right, so in this case, we're getting in here, we could return private information. Right, and sometimes plugin maintainers don't realize what sorts of private information they might return; for instance, the list of usernames might be considered private information, the list of groups might be considered private information, and so we need to be sensitive to not being open to things like an enumeration attack, where if I ask, it will come back with a suggestion of something else: I offer the letter A and it says, did you mean one of these things that all start with A? Yeah, so also cross-site, which we know is our problem right now; it's a cross-site problem, so we'll deal with that in a moment. But here's how you fix it, I guess, because... well, actually there are two things here. So if we take a look at this MethodResult, let me go back; there are actually two for MethodResult: there's this @POST annotation at line 250, right, and then
there is also a permission check at 250. So usually these things come in pairs, because we've seen that plugin maintainers often make both of these mistakes at the same time. Right, it's not uncommon that both these mistakes happen very close to each other. Yep, and just to reiterate, we've talked with people and they said we could do this live. Well, and the important thing here is that if you're maintaining a plugin you should not disclose these things without thinking carefully first. First choice usually is fix them, but look at them carefully to see, is there a vulnerability that needs to be disclosed before you publish the fix publicly? Correct, and that's why the security team was consulted before we did this. Right, so, and this actually needs to be fixed too: Jenkins.get... I do that... that's not true anymore, right, it's getInstanceOrNull... what, or is this the more correct way of saying it? I think Jenkins.get() is the correct way, and if you scroll to the right you'll see that, yeah, it says if you don't have a modern baseline you may have to use getInstance, but Jenkins.get() is a very reasonable choice if you're on a modern baseline. Me showing my age, I guess; that get flavor has changed over two or three times. Yeah, so I'm okay, so it's okay if I got confused. All right, so ignoring that for a moment: checking permissions. So this first one is, how did I decide this permission? And the choice of which permission is required for a particular check needs some thought from the maintainer about the context. As an example, in the Schedule Build plugin I know that the operation it's trying to do is to perform a build, therefore I do a check that the user who is making this request has permission to execute a build; there would be no point in answering a schedule-build request if they don't have Jenkins BUILD permission. Right, this one, the one that we see on
screen, it's assuming that they're performing an action which is an administrative action; maybe it's a global configuration or it's setting a credential, doing something like that where it really needs Administer permission, and therefore that's the permission that's being checked. Got it, so that's how we do permissions. And then the other part to this is protecting from CSRF, and I was actually reading over this and this didn't make too much... or it made sense, but it didn't make enough sense. So okay, and it sort of makes... for this part, CSRF: you should always, if you're doing a submit, that should always require a POST in some flavor, which is what this is saying. Right, and so here the guidance, the guidance from the people in the web world, is there are two forms of requests, right, there's GET and POST, and the rules say GET should never modify state and therefore should not have side effects; POST is required. And the reason there is, GET does not require authentication; POST has the ability to demand authentication, so we can get enough context to decide who you are. Right, so when I was reading this: @POST limits processing to just the POST verb, which makes sense, but then @RequirePOST is older and more common. So this is where I got confused: okay, @POST is the recommended approach, but this is the more common approach, so I'm trying to figure out why I would choose one over the other. I mean, obviously it says "for simple API actions", but what's the right answer today? Well, so, I'm not sure I've got a healthy answer. Given that the authors of this page are really smart about security and their recommendation is, hey, choose @POST, we should probably choose @POST. Right, because specifically for form validation. Exactly, right. The reason I like @RequirePOST is I'm reliant in some cases on old behavior that I like. For instance, on the Jenkins job page for a single job there is a "Build Now" link, and if I copy
the URL for that Build Now link and paste it into a new page and change the delay period and hit enter, it will tell me, no, you can't do that, you've got to POST, would you like to POST, and then it lets me POST. So that's one of, for me, the benefits of @RequirePOST. But that's not a general case that I was just describing; that is a very, very special circumstance. That thing is not actually validating a form; it's accepting input from a click. Right, okay, so we're going to go with @POST, and then we have to figure out what the correct permission is that we need to add in order to cover both of those. Right, now, this is an interesting point here: "I think the security tab should automatically release them after X days if they aren't being maintained." Actually, I'm afraid I disagree there. If a new maintainer arrives, we want that maintainer to see those scan results, embarrassing as they are, awkward as they are. I like that those scan results are there to remind me; if I arrive on the scene as a new maintainer, I get told, hey, this plugin has some things you can improve by fixing or by dismissing its security concerns. And maybe, Darren, we should, as one of our exercises today, dismiss one of these, even though we fix it. So there are times when you analyze a security report and say this warning is invalid, I just want to dismiss it, I'm not going to make a code change. Right, so let me ask this question: we're going to go through and fix these anyway, maybe not all live here, but once I make the change, how does this get resolved? Can it auto-resolve? Potentially, eventually, yes. I haven't yet asked Daniel how often the scan runs; I assume it's on the order of once a week. It will detect... so when we've made the code change to fix these, those will not immediately be removed; they'll still be visible there. We won't panic; we'll come back in a week or so and see, hey, did it remove them. Got it, okay, so
let's see, what do we do, we just fix them? I think we should always fix at least one. Okay, so MethodResult, 250. All right, okay, so, oh, I timed out, argh. That's the thing about using the free version of Gitpod: a 30-minute timeout with no activity. Okay, which is fine; it'll take just a moment here. While we're doing that, let's see if we answer this: "be good if you pulled all the plugins, added the label and checked for security". See, this is why it's not a good idea. My initial reaction is your reaction as well, but there's risk in that as well. Well, this is a tree-falls-in-the-forest problem: if we push out a bunch of security scanning output to plugins where no one is looking at it, we actually haven't benefited that plugin and haven't benefited the project. So that's why, at least for right now, the expectation is that plugin maintainers choose to opt in to get the security scanning. Right. TestNG results, okay. Why did I not see it? MethodResult, so it should be in src/main/java, okay, hudson.plugins, and then results, results, oh yes, there we go, MethodResult. Okay, and it was at line 250, and I don't know the fancy way to do it here, so I can just scroll down. Let me slide this down here a little bit too. So 250 is here, the doGraph here. Let's just make sure; we'll go back here. So this is doGraph, yep, got it, okay, well that's simple. All right, so let's see what happens here. I'm going to do an @POST right now. Is there... and I've not used Visual Studio enough... is there a way to ask it to please insert the necessary import? Oh, just lost there, no, I'm sorry, sneeze and I hit the wrong button; I didn't hit the mute button. The answer is yes. Oh cool. The longer answer is I don't remember what it is, especially on this keyboard. Look at the quick fix, look at the quick fix that you just... well, that would make too much sense, right? So let's do that, so import the... I
keep forgetting about that. So did it do it? Yeah, right here, it did. Perfect, yes, okay, and that's the right thing. Okay, so that's that one. Now we need to go back over to our... I'm going to grab this first. Wait, did I go too far? Didn't go far enough. There we go, so I'm going to grab this, right, and I'm going to do this right now. The question is... well, actually, here, let me do the import first. Okay, so now the question is, is that right? Okay, so where... this is prompting for, what is it prompting for? So it's generating a graph of... oh, this is generating a PNG file, so it's generating an image that will then be passed back to the browser to be displayed to the user. This feels like Build. Yeah, except don't you want someone who has read permission to be able to look at your graphs? I would think you do, and if so, then that means we actually don't need a checkPermission, and we found by analysis that we don't need it. So we've now found one where we'd say, hey, this one we probably would just dismiss rather than adding the checkPermission. Okay, put it there as a comment: checkPermission(Jenkins.READ). So what if we do this? So if we did, does it read... yeah, we'd have to double... actually, uncomment and let's see if it says that it's okay. Yeah, yep, and then comment that out, right, just to show that, hey, we've understood. And then the comment here would be: test result graphs should be visible to any user with read permission; declaring a checkPermission would be redundant. Exactly, yeah, at least that's my understanding, is you can't get here if you can't read. Yeah, let me see; let's see what this does. So it returns a graph instance if needed, so it's building a label, Graph, helpful create method, chart, getUrl, new Graph, JFreeChart, yeah. So what it's telling us is it's going to return... oh, we need a branch, by the way. Oh, thank you, great, new branch. Let's call this... let's call it "resolve security issues". No, yeah,
"resolve CodeQL warnings". That's okay, it's still the same thing. Oh well, and for me I think it's actually closer to what we're doing, because these, as far as we can tell, there is no security threat in these things; it's just a CodeQL warning that it's healthy for the maintainers to have resolved. Yeah, okay, so with that in mind, give me just a moment. Oh, winter is coming. We have that one now. While we're in MethodResult it'd probably be healthy to go resolve several others that are in the same file. Yeah, because this is going to be... there are only eight of these, so I'm not as concerned. Well, and only one other in MethodResult. Oh yeah, 264. Okay, you're right, it was 264. So 264 now becomes doGraphMap, right? Was that it? Yep, right, do... oh, I don't know, I have to get to it; I wish it told me. Yeah, doGraphMap, okay, that's easy. So I'm going to be lazy this time, right, and not worry about a comment on this one. Right, I'm okay with that. "Creates map to make graph clickable": I think it's still okay, because it's still making ones that do PNG and ones that do map. Exactly, they are both associated with the picture, right; one is defining coordinate regions on the picture and the other one's defining the picture itself. Got it, okay, so that's okay. So we're just being annoying here and being just pragmatic there, right? Okay, got it. So what that means, though, is we can go down, actually, right, so now we should go ahead and mark that second one as dismissed, the permission check, just dismissed, right? Well, and oh, right, and we should dismiss both of them. You're correct, we should dismiss both permission checks, not just one of the two. Yeah, so this one we should dismiss because... false positive, okay. I'm curious, since I haven't done this one before, if I do that... oh, you can do bulk dismiss. Yes. And those alerts are not valid, so it's a false positive. So two selected, false positive. Now these two are going to get... they're not going to get
dismissed; they'll just get resolved. Right, now what happened, what are my options here? So dismiss... I could... "false positive", "used in tests", "won't fix"... okay, so that's not true, right? So I think it's best for us to leave these as they are and let the next run decide that they were resolved. Yep, okay, so those two. So how many do we have left? We've got one, two, just two more files. Do you want us to do them? Sure, while we're here, because that's basically TestNG prime. You don't have anywhere to be, right? I do not; this is a great thing to do. This is great; for me, one less thing for us to think about. Okay, so this was, and these will be faster, but let's just take a quick look at them. I imagine it's going to be the same thing. Let's see: doGraph, yep, which is exactly the same thing, right, the same logic applies there. Yep, the second one is a doGraphMap, okay, so the same exact logic. So TestNGProjectAction, which is at the root of TestNG, so we'll come back to that one. Publisher is again at root. All right, so that's good. I guess there are four here, so let's see what happens here. Okay, so doCheckUnstableSkips, okay, so we'll have to think about that one a little bit more. Yeah, we are going to have to think about that one. Okay, Publisher: this is a doCheck... "and sample fails", okay, so just as a quick one. Now they're all doing the same, yeah, so the analysis for one of them will probably apply to each of them. Got it, right, okay, based on job status. So let's just do ProjectAction, mm-hmm, because we know this one is the same, so the rest was 109 and 145. Okay, so 109 is this one, okay, and then we'll do our little resolve thing here, and then 145 now becomes doGraphMap. Okay, that's great, that's that one. Okay, so now we need to go dismiss the missing permission check. All right, okay, so for those two, that's TestNG, okay, so those two, mm-hmm, yeah, so just double check, batch dismiss those, there we go. Okay, and now we're down to 12.
Now the question is, what was this last one? Publisher. All right, so let's pull it up, this one too. I was trying to figure out, I just took for granted this wasn't an error, but it was like figuring out... plugin nipple is no longer a thing, so I don't know. Okay, so here we're talking, interesting, so 446, 450, 454, so these are all clumped right together. Right, so open one of them in the CodeQL or in the GitHub interface, and then we'll look at it as well in the source code, because I like to see what it says here. Okay, so the warning here says if it connects to user-specified URLs or modifies state or is expensive, then be sure it's POST. Right, so all right, so let's just take... oh okay, so it's basically these four right here, and they're just calling validate, and then validate is this string. Okay, so let's take a look at it, let's take a look at validate. So it's parsing the value into an int. The value should be greater than zero. If it's greater than 100 it gives you a note, but it's okay. Right, so it's not doing anything. Right, so we could perfectly reasonably here say dismiss all of them, or it's pretty cheap to just put @POST on this thing, because I think we should. It does no harm to put an @POST and say we're going to limit this thing to only be used in POST. I'm old school, I think forms should always be POST, and I think that's a wise choice. Okay, I mean you can get into arguments about that, but I have the keyboard and you don't right now, so it's okay. It's a bit of a religious war, but it's not as bad as tabs and spaces. So okay, I'm okay with this, that seems... because looking at what validate does, right, it's either going to give us a form error or it's going to give us a form note. Yeah, it's going to say either okay or error. It's either that or that. There's the case where it could say okay with a message, but it's still saying okay. Yeah, I'm saying there's no mutation going on, there's
nothing. This is purely form-based, so this is form validation. Okay, that was easier than I thought it was going to be. Okay, that's good. All right, so I'm going to save that. So with that in mind, what we want to do here is we can go ahead and dismiss these, right, because permission checking a boundary check on an integer is not very helpful. Now the question here is, though: this is a publisher, so if this is a publisher, that means it's build related. It is, yeah. Should there be a permission check for it? It would be valid to do a permission check. For me the risks associated with it just are not enough to worry about it. So the reality of what's the risk behind this thing: I don't see a lot of risk that justifies inserting a permission check. Okay, all right, I'm done. The downside of a permission check is if we get it wrong and make it too severe, we could lock out read-only users who might be getting data from the publisher. Okay, now they might be seeing a page, right. Right, now in this case, because it's form validation, probably not, but I think it's safe to dismiss. Yeah, okay.

So now we've resolved all these things. So if we take a look here just for a quick visual, let me close this. So there's our import, and then we have our annotations. We have our import, our annotation one, and then two. What's that? Oh, that's other things. And then for three, whoops. Okay, so now that surprises me. Nope, because we initially put it in. Oh, that's an unused import, that's why it was being flagged. Okay, yep. So then we're here because initially we had it and then we said no, just as an example. And you're okay with leaving this comment in? I am, I like it, it just reminds people that way. In addition, if somebody looks at the text of this commit, we can put similar verbiage in the commit message and they'll see it in the diffs as well. Oh hey, look, they made this comment.
Yep. Now fortunately all three of these are exactly the same, the resolution was all exactly the same, so I don't mind bulk doing this one. So the "what" of this was, yeah, "Resolve CodeQL warnings" (QL, not SQL, CodeQL warnings), and then the "why" is to make security happy. That is not the right phrasing. I love that phrasing. That's not it. How about, what if we said "reduce future maintenance by removing warnings"? Okay, yeah, that's fine, because these were, again, these had not been, again, talking to the security team, right? That's the only reason we're doing this live right now. If these were real vulnerabilities, then we should not commit the change to a public repository. We should notify the security team. They'll give us a private repository where we can prepare the change. They'll coordinate with us to disclose the vulnerability and release the plugin simultaneously. So yes, for real security vulnerabilities we should follow the Jenkins project security process. Right, so we're good with this for right now, right? Yes.

All right, so let's go ahead and commit, and then we need a pull request. I can do that, I have the power. Origin, and then yes, I want to create a pull request. You can't do this in Emacs, Mark. Actually I can, I can do it better in Emacs, if we're just clear, but okay. So that, and then create. And this is one other thing I learned about, so it should pop open for me. Since I'm who I am, I can actually add you as a reviewer, since I'm actually allowed now. Watch this, so I can filter out... nice. So do that, but you can't do that in Emacs. You're right, for that I go to the web UI. Yeah, and then label, I can also add the label here. So you can, and as a maintainer you probably should. So this, I would call this a chore. Okay, and I still find the word chore to be sad, but it means maintenance. It's an improvement to reduce the cost of maintenance, right. And then there's all those things. So, and I won't merge it because I did
the code, right, I just don't do that. But that is one nice thing that I saw: prior to me becoming a maintainer on the repository I was unable to do these things, right, which is... now I could have tagged you in the commit, you could have said @MarkEWaite, right? Yeah, but that's different than assigning me as a reviewer. Correct, correct, but at least you would have gotten pinged versus it going to a black hole for however long. So all right, so that's that. Are you going to do it now or... no, I just approved it. Oh okay, so I'm going to refresh it. Now here's the thing: we didn't actually build it locally. We did not, but our IDE told us when we were making a mistake. So you could go ahead and build it. Yeah, so that's what I want to do, because when we were doing this earlier, whoops, mvn clean verify, and maybe... oh, we thought we were gonna be done early. We could be done early, we might finish one or two minutes early. We're thinking more than that, yeah. This will be a fun race, because now what we can do is compare the Gitpod performance to the ci.jenkins.io agent performance and see who wins. It's not a fair comparison because it's doing how many... it's just doing Windows and Linux, though, right? It is, it's just doing Windows and Linux, so the Windows performance penalty will certainly slow down ci.jenkins.io. Yeah, Windows, for whatever reason, has some slowness on Jenkins development that is sort of dismaying for those like me who actually run on Windows.

And for anybody that's watching this while we're waiting for this to run: if you've watched all five videos, thank you, and I'm so sorry. Hey, it's been an interesting experiment. I would like to continue this experiment in different ways, but probably not two a week for three weeks. Well, and we will embed these videos into those tutorials with segments, because watching an hour-long video is much more difficult, but I think there are
pieces of these where a 15-minute view may help someone do that little piece of the task and they're done. Yep. Ah, oh, actually I think that one was okay. I think that was the actual... I believe that answer was true. Oh no, that wasn't. That says there's a failure on... interesting. So we may have a case where we've got something that actually depends on using a GET request. Well, this was on... doo doo doo doo doo... PublisherTest. Interesting. Good, great. Okay, well here, let's just sort of head over here, come on, close up, PublisherTest. So which one blew up? At 124. Okay, that's our assert, and this is why you're supposed to build before you push, children. Actually I think we're okay. I'm cool with trying to see what's going on and letting the CI server help us with this. Okay, so what this says is it's expecting... "expected not null but it was null". But wait a sec, so that assertion message doesn't match the line we're looking at. You said it was assigned 124, right here, PublisherTest 124.
Yeah, I think we may have an argument error there, or we've got something else going on. So... oh, look inside. Oh wait, yeah, assertEqualBeans inside the JenkinsRule is looking for... oh, it's probably looking for both before and after to be non-null, and one of the two is probably null. It can't be before, because we'd had a null pointer exception previously, so it's definitely after. And that's really strange if after is null, because look at the line above it, 122: getting a publishers list should not cause a null to come back. That's interesting. This may require some investigation after the session. I am not clear what's going on there. So if you were to do a... it's on the project.getPublishersList(). Huh, okay. Let's see what else blew up. Well, and I'm gonna go ahead and check out the pull request locally for me, and I'm gonna run it just to see if I get the same on my dev environment, because I'm fascinated by that one. Then I got some really big red ugly... okay, yeah, another round trip. Type, all right, deal on... hello. "An unknown implementation of SimpleBuildStep named Publisher." Huh, that's interesting. Now it's supposed to be doing here... I want to do this real quick, I want to check, and that's it. Those are good choices for both Java and for Maven. How's the job looking here? I guess I could check, right? Let's see, am I drawing a blank? Pull request tab, thank you, and then in the check section there you have that details. So to most closely mirror the environment we've got on Gitpod, click the Linux build. And just FYI, I'm not seeing the failure in my... no, in fact I did a checkout of that exact pull request and built it on my environment and it's passing all tests. So it probably will pass all tests on ci.jenkins.io, and we may need to investigate why it's failing on Gitpod. That's an interesting failure. So based on what I'm seeing here, it should be using 1.8. What? Down here in the bottom right hand corner. I
would expect that's talking about the source code compatibility level. Yeah, from the pom file, and that's correct. We need to be sure that we code for Java 1.8 so that we're not using Java 11 specific features. Or if that's valid, maybe just 8. It may not be installed. Oh, it says "tip: run the following to install this version". Let me see what's available to me. So I have a lot. Okay, so there's the one I want. So let's do... I'm interested to see, because this one is using... so the one we're using is the Azul. I'm wondering if I was to install Java and then... that's not what I wanted. Well, that's not useful. I'm curious to see, how do I... doing this live. I know that won't work. So they're using the FX Zulu right now, so what I would want to do is use the 8 FX, just to say... is closed. I was thinking about using the... how in the world... oh okay, I get it. So let me do that list again, because I need to grab that. Whoops. You have a few more minutes, right? I do, yeah. In fact, while you're doing this, I just switched my configuration to run the test with Java 8 and it seems to be passing as well. So while you're running that I'll run similar things just to explore. Okay, so what I'm doing here is sdk install java, whoops, come on. That's cool. So that's the very most recent Java release of JDK 1.8, 312, which was just released only two or three days ago, so very fresh, and it's been through all sorts of machinery, both with Oracle, with Amazon, with Red Hat, with the Eclipse people, all running their tests and releasing versions for many different platforms. sdk use java, okay, and then if I do mvn -version just to make sure, yep, that looks good. Now if I try mvn clean verify, let's see if it... you know, because I'm still using the same distribution, just a different version. Right, right, you're still using Java 8 and it's update 312.
Well no, I'm saying I'm using the Azul. Oh right, right, exactly. So I'm just moving from 11 down to 8 with this exact same... because I'm curious to know if it's something with that particular distribution or if it's something else. Yes, and so on ci.jenkins.io it runs Java 11 on Windows and Java 8 on Linux, just to be sure we get both platforms and both Java variants, and it's passed fully the tests on Java 11 on Windows and it's now passed on Linux as well. Interesting. So there's something about that distribution, potentially, or some transient thing. We may have over-stressed something, who knows. I mean, there are all sorts of problems. Oh, interesting. Yeah, so which flavor of Java are you running? On those agents they run Adoptium, so they run Eclipse Temurin, right? Turmeric. Okay, so I can go back and grab that in just a second. I'm gonna let this finish. Actually, oh yeah, that's right, because you're in Gitpod, or because you're using SDKMAN, you can readily switch between Java versions, and you could use Temurin just to see. I've got to find it, though. Let's see, it was just on your screen there. Yeah, right here. So I'm just going to pick the 11. Do you need to do 12, or what are you running right now? So I'm running 11.0... well, I've been running 11.0.12, I just installed 13, so either of those is fine. And the test that you just did was 13? No, the test I just did, or the test that ci.jenkins.io did, was on 12, and my test locally, java -version, is also on... oh, it was on 3.8.2 and then on 12. So if you want to use exactly what I'm using, it's 12.
Okay, so sdk install java... this is what you call live coding, right? Yeah, thanks for doing it. And really impressive how quickly they download and install, and that's great. And I know this is boring, but for somebody, if you're using Gitpod, this might be amazing to see after you've hit your head against the wall a few times. Okay, so java, oops, sdk use java, that. So now what we should see here is we've got Java 11.0.12 Eclipse Foundation. That's right, yep. Okay, so which is what you've got now. Are you running 3.8.3 as well, or 3... so I used 3.8.2. So let's run tests with this one now, which... oh yes, maybe 3.8.3, yes, Maven 3.8.3, absolutely. Okay, so right now in theory I'm exactly the same as you are locally, right? Okay, I'm curious to see what happens here. This will be a very boring edit today, but that's okay. That's fine. If this doesn't work, then that tells me there's other issues. Yeah, and it's entirely possible for there to be other issues. I've seen cases where I had issues that were related to the type of file system mount of one of the file systems. So there are all sorts of things that can be environmental that can cause surprising results from tests, and we use them to study and learn, to see okay, what does that tell us about the code if that test failed. Right, so just to clarify again, because this may make a change in my Gitpod YAML: both the Windows and Linux agents are using the Eclipse Temurin, is that right? That's right. All right, yeah. Now, I've not detected any significant difference between the Java variants. I've got Corretto running in some places, we use OpenJDK from the operating system vendor on others, but the Jenkins project CI instances have consistently aligned themselves to Temurin because it's easy to bundle inside our Docker images and it's easy to get installed into our agents. In your container images. You said Docker image. Oh yes, you're right, yes, in our container images. Thank you very
good. It's a hard habit to break. Yes, yes, absolutely. Good point, nothing against Docker, nothing at all, just it's a container image. It is. Because, yeah, that passed, so there's something weird with the Azul, or if you switch back it may have been a temporary thing. Okay, so we'll do that as one last thing just to see where we're at. Of course, now I need to figure out which ones I've got installed. Okay, so that worked. So my results same as your results, right? And that means, since I've approved it, while you're doing this I'm going to go ahead and go merge that pull request. Go do that. I'm going to go back over to here. It'd be interesting to see which one of the... if they're non-FX, would work. I don't know what the FX is, unless it's actually got JavaFX bundled in. Yeah, I don't know. sdk use java, okay, so I'm going back to the one that we started with. I'm going to do this one more time, and if it fails in the same way, that's good, because it's consistent, right? I don't care if something passes or fails as long as it's consistent. It depends on what you're chasing at the time, but fair enough. Yeah, okay, yeah, in general, right, I agree, as long as it's consistent I'm okay. Flaky is no fun. Okay, so let's get down. So we're running PublisherTest now, so it should fail here momentarily if it's going to fail, right? Oh no, it wasn't Publisher, it was... well, maybe it was, I don't remember. Okay, this is really annoying. So this is telling me... we're doing a clean, so we shouldn't have any old... there shouldn't be old Java class files laying around. That's what clean is supposed to prevent. Yeah, barring a bug in Maven, and bugs in Maven are far, far less likely given the millions and billions of uses of Maven that happen every day. That is sort of astounding, isn't it? I wonder how many yarn builds or npm builds happen in comparison to Maven, or what fraction of the internet bandwidth is used by
downloading dependencies. Yeah, it looks like this one's going to pass this time. Good. Very strange, very, very strange. Huh, okay, well, okay, so just to recap while it's finishing up: we did these things today, and we've got maintainers for the plugins, we've got tags, we've got everything, right. Could you, for my benefit, could you open up the releases page? I'd like to see if the Release Drafter did a better job this time. Nope, still... okay, scroll down and click the "read more". Okay, it did good. All right, I was looking for those headings, because this is the first time we've used Release Drafter on this plugin. It includes all the changes from all past versions, and that means a human being will have to edit this thing to say what actually matters for this release. So I have a question going back to schedule build, because I didn't see something I was expecting to see, based... oh, it is there, never mind, the new version. I didn't see the version number. Actually, click that, click the Releases tab there. So this is the specific release, and I edit it after the fact to put that text at the top, "version numbering changed", because one of the niceties of GitHub releases is I can edit them. Should you put a link? Yes, that would be a good thing. In fact, why don't you just go ahead and do it now? Click the edit icon up at the top and let's fix it, because you're a maintainer. It's true. All right, so this is where I have to do bracket, right, square bracket, close the square bracket, open parenthesis, and now I have to go find that URL, right. So JEP-229, and you may need to... yeah, it's jenkins jep 229, because they have the same... there we go, that's it. This is okay, yep, that's the one. Is this the only place it's documented? This is the authoritative doc for it. Okay, it's certainly also described in www.jenkins.io, but the authoritative location for JEP-229 is exactly that. Okay, so I do that and just update release. Yep, right, because this doesn't really follow the
rest of the normal GitHub changes. By the way, have you looked at any of the GitHub Universe stuff that came out yesterday and today? I have not. It's interesting. Oh good. Okay, so there's that. Now that's a link. Excellent, good, so that way people who go "what is JEP-229?"... yes. Okay, so this actually is what we wanted, and we've already got some stuff getting queued up for the next thing. Now what is going to cause this to trigger? So the next time there is a merged pull request that includes either a bug fix or a feature, it would trigger a new release. Bug fix or feature, those are the two trigger points. Good, and that's baked into the cd.yaml. Exactly, whatever the decision criteria are, that's in the cd.yaml file. Yep, so as long as there's just dependency updates, it will just sit on those and let them keep coming. Got it, okay. Or we could always force a release too if we wanted to, but yeah, usually... I confess the way I usually force a release is I merge a pull request that's labeled feature or bug fix. Okay, yeah. I noticed here, going back to our Jenkins Security Scan enabled, this one has "jenkins-" on it versus your other one, so okay, good. So did this finish up? That finished successfully. That is really bizarre. Yeah, I can't explain it. I suspect that there's something different and I don't know what. I'm starting to lean towards, maybe when I'm doing my Gitpod setup, I might go ahead and include the Temurin version too, but then that means I have to maintain it. Well, but that, I would as well. I guess it would be worth exploring: can we use Dependabot to perform dependency checks on Gitpod YAML files? I wonder how we would test that. I don't know. Yeah, submit the pull request, see if Dependabot understands it. If Dependabot doesn't, there's a more general purpose tool that Olivier Vernin has done, updatecli, so if we had to we could craft it with updatecli. Okay, well
that's a whole other thing, probably for another series of videos. Yeah, and that's when we bring Olivier on and we bring Damien on and we let them talk about all that stuff. Okay, so if you've been watching all this, thank you, hopefully it's been helpful. If you're not a plugin maintainer and you want to be, I think over these five sessions we've covered, other than the actual coding, because we really didn't do much coding, how you can maintain a plugin for Jenkins. So anything else that you want to say, Mark? Nothing. We'd love to have contributions. First step to contributing is pull requests. After you get confidence with pull requests, the next step is adopt a plugin. Thanks, Darin, for adopting a plugin, two of them in fact. Yeah, thanks Mark, thanks for looping me into this. If you haven't subscribed to the channel, go ahead, we have new videos coming out every week. In fact, at the time of recording we had... what do we have this week? We had an integration with Okta, so if you're now moving to Okta, there's a 25 minute video for that, and then today I think we did a "what is currentBuild in Jenkins", so that's a very interesting object that you can work with. Sometime you and I ought to talk about the manager object from the Groovy Postbuild plugin, because I've fallen in love with it. So the manager object, right. So it's... and badges. Oh, I've had some more fun with badges and with manager, but that's for a future time. We don't need no stinking badges. Movie reference, not even pop culture, that's like old pop culture, that's graham pop culture. So anyway, thanks for hanging out with us, and again, if you haven't subscribed, go and subscribe, click the bell, and I think that's it. And we won't be back doing this anymore, I don't think, but we'll probably be doing some other things. So thanks for watching, and I guess we'll see you in the next video.
Info
Channel: CloudBeesTV
Views: 247
Keywords: darin pope, mark waite, jenkins lts, hacktoberfest 2021, jenkins plugins, jenkins plugin development
Id: iUlRnNcqQA8
Length: 76min 57sec (4617 seconds)
Published: Thu Oct 28 2021