From 241da178dca59cf7462c2647f762a3e795d78f1d Mon Sep 17 00:00:00 2001
From: Christian Decker <christian.decker@lookslikematrix.de>
Date: Thu, 24 Oct 2024 12:18:29 +0200
Subject: [PATCH] Fix dependency updates for Jenkins plugins.

---
 README.md         |  4 ++++
 defaults/main.yml |  1 +
 tasks/plugins.yml | 25 +++++++++++++++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/README.md b/README.md
index 6bb4144a0..5854acc8a 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,10 @@ Jenkins plugins to be installed automatically during provisioning. Defaults to e
 
 Whether Jenkins plugins to be installed should also install any plugin dependencies.
 
+    jenkins_plugin_update_dependencies: true
+
+Whether the dependencies of Jenkins plugins should be updated. Together with setting `jenkins_plugins_state` to `latest`, this will ensure that all your plugins and dependencies are up to date.
+
     jenkins_plugins_state: present
 
 Use `latest` to ensure all plugins are running the most up-to-date version. For any plugin that has a specific version set in `jenkins_plugins` list, state `present` will be used instead of `jenkins_plugins_state` value.
diff --git a/defaults/main.yml b/defaults/main.yml
index 0148641b1..44d4bf8c8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -29,6 +29,7 @@ jenkins_plugins_state: present
 jenkins_plugin_updates_expiration: 86400
 jenkins_plugin_timeout: 30
 jenkins_plugins_install_dependencies: true
+jenkins_plugin_update_dependencies: false
 jenkins_updates_url: "https://updates.jenkins.io"
 
 jenkins_admin_username: admin
diff --git a/tasks/plugins.yml b/tasks/plugins.yml
index dbc2a2dac..294d2d65e 100644
--- a/tasks/plugins.yml
+++ b/tasks/plugins.yml
@@ -61,3 +61,28 @@
   until: plugin_result is success
   retries: 3
   delay: 2
+
+- name: Update Jenkins plugins dependencies
+  when: jenkins_plugin_update_dependencies
+  ansible.builtin.shell: |
+    set -o pipefail
+    # This will ensure that only plugins with a pending update are updated.
+    # The output of `list-plugin` is a list of all plugins, but only those with a closing bracket ")" at the end have a pending update.
+    UPDATE_LIST=$( \
+      java -jar {{ jenkins_jar_location }} \
+      -auth {{ jenkins_admin_username }}:{{ jenkins_admin_password }} \
+      -s http://{{ jenkins_hostname }}:{{ jenkins_http_port }} \
+      list-plugins | \
+      grep -e ')$' | \
+      awk '{ print $1 }' \
+    );
+    if [ ! -z "${UPDATE_LIST}" ]; then
+        echo Updating Jenkins Plugins: ${UPDATE_LIST};
+        java -jar {{ jenkins_jar_location }} \
+          -auth {{ jenkins_admin_username }}:{{ jenkins_admin_password }} \
+          -s http://{{ jenkins_hostname }}:{{ jenkins_http_port }} \
+          install-plugin ${UPDATE_LIST};
+    fi
+  register: result
+  changed_when: result.stdout.startswith("Updating Jenkins Plugins:")
+  notify: restart jenkins