Announcement: ci.jenkins.io badges will be deactivated

[lemeurherve]

UPDATE:

@MarkEWaite and @darinpope adopted the plugin, thus it doesn't have to be removed from ci.jenkins.io, you'll be able to continue using it.

As indicated in jenkins-infra/helpdesk#3013

plugins.jenkins.io/embeddable-build-status is not actively maintained. The Jenkins security team had to address multiple vulnerabilities in jenkins.io/security/advisory/2022-06-22 to protect Jenkins project infrastructure. While the maintainer (thomas-dee) was happy to let us release the fixes we wrote, i.e. was responsive via email, he also told us he has no capacity to assist in any way. This is unsustainable. Consider removing the plugin from ci.jenkins.io.

We (the Jenkins Infrastructure team) will proceed to the removal of the embeddable-build-status plugin from https://ci.jenkins.io

As a result, all badges using this plugin with a markup containing https://ci.jenkins.io/buildStatus/ (builds from the public instance https://ci.jenkins.io) won't work anymore.

An alternative has been proposed to put in place a self-hosted shield.io instance which would allow serving badges from ci.jenkins.io without this plugin.

Nothing change for badges retrieved from your own instance(s).

A pull request to indicate this deprecation/removal will be done on this repository, and other will be opened on the ~170 concerned repositories.

We invite you to follow the helpdesk issue for progress and/or comments.

[lemeurherve]

cc @thomas-dee

[hbazan-pp]

is there an alternative to this?

[lemeurherve]

If by "this" you mean "this plugin", not that I know of, sorry.
If you mean "this removal" in general, apart from adopting the plugin and taking care of it I'm afraid there isn't.

[hbazan-pp]

sorry, I meant an alternative to show build status badges on a jenkins plan. I have this issue #77 and maybe there is a way to achieve this without the plugin

[lemeurherve]

Anyone is free to continue to use and configure this plugin to display badges from their own instance even if it's not recommanded (cf the security team message), nothing change for this use case.

But for all plugins built on ci.jenkins.io and retrieving their badge images from this public instance like this one, this won't be possible anymore as this plugin will be removed from it.

I've took a look at your suggestion, but it's still using the plugin to work.
I can't say if displaying a badge is possible without this/a plugin but as it exists I suppose not.

EDIT: @hbazan-pp please take a look at jenkins-infra/helpdesk#3013 (comment)
We should be able to replace these badges by shield.io ones if we find a way to whitelist their service IP(s).

[lemeurherve]

@hbazan-pp another alternative I've added to the announcement is to put in place a self-hosted shield.io instance which would allow serving badges from ci.jenkins.io without this plugin.

[lemeurherve]

@hbazan-pp Here is a new twist! @MarkEWaite and @darinpope adopted the plugin, thus it doesn't have to be removed from ci.jenkins.io, you'll be able to continue using it.