Jenkins security issues can be found on their website - https://jenkins.io/security/.
Security issues are also shown as notifications on Jenkins itself; look for the big red number in the top right hand corner. You will need to manually upgrade Jenkins if new security patches are released.
To upgrade Jenkins:
- Let the team know in the #dm-release Slack channel
- Download any plugins you want to upgrade from the Manage Plugins page. They’ll be upgraded once you’ve restarted Jenkins
- Put Jenkins in shutdown mode to ensure that no jobs get interrupted.
- Ensure you have the latest master branch checked out in your digitalmarketplace-jenkins repository.
- Ensure your environment variable DM_CREDENTIALS_REPO points to the latest master branch of digitalmarketplace-credentials.
- Run make jenkins TAGS=jenkins from the digitalmarketplace-jenkins repository.
The version of Jenkins is displayed at the bottom right of its user interface so you can confirm that you have upgraded successfully. The version of Jenkins is pinned to 2.x. This should allow us to easily upgrade to cover new security releases without accidentally hitting a major version bump.
(TODO - this should be automated.)
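The "latest master" steps above can be checked mechanically before running make, so a stale digitalmarketplace-jenkins or digitalmarketplace-credentials checkout is caught first. This is an added example, not code from the digitalmarketplace-jenkins repository; the function names, the --run flag and the remote name origin are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the manual upgrade steps above.

# Succeed only if the checkout at $1 is on master and HEAD matches origin/master
# after a fresh fetch. Assumption: the remote is named "origin".
repo_on_latest_master() {
    repo="$1"
    [ -d "$repo" ] || { echo "missing checkout: $repo" >&2; return 1; }
    branch="$(git -C "$repo" rev-parse --abbrev-ref HEAD 2>/dev/null)" || return 1
    if [ "$branch" != "master" ]; then
        echo "$repo is on '$branch', not master" >&2
        return 1
    fi
    git -C "$repo" fetch --quiet origin master || return 1
    head="$(git -C "$repo" rev-parse HEAD)" || return 1
    upstream="$(git -C "$repo" rev-parse origin/master 2>/dev/null)" || return 1
    if [ "$head" != "$upstream" ]; then
        echo "$repo is not at origin/master ($head vs $upstream)" >&2
        return 1
    fi
}

# Check the digitalmarketplace-jenkins checkout ($1, default: current directory)
# and the credentials checkout named by DM_CREDENTIALS_REPO.
preflight() {
    jenkins_repo="${1:-.}"
    if [ -z "${DM_CREDENTIALS_REPO:-}" ]; then
        echo "DM_CREDENTIALS_REPO is not set" >&2
        return 1
    fi
    repo_on_latest_master "$jenkins_repo" || return 1
    repo_on_latest_master "$DM_CREDENTIALS_REPO" || return 1
    echo "OK: run 'make jenkins TAGS=jenkins' from $jenkins_repo"
}

# Run the checks only when invoked with: --run [jenkins-repo-dir]
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-.}"
fi
```

The script only reads repository state and fetches; it never runs make itself, so the upgrade stays a deliberate manual step.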