
In general, don't use Jenkins. It is a mediocre piece of software with an even worse ecosystem. It self-implodes every now and then. Big tech companies build a lot of custom stuff to get it to work correctly. Once that is done, sure, it works. I am not a fan of GitHub Actions, but to host Git and Jenkins is not really a serious option. Pick another CI platform in that case.


This comment makes a lot of assertions without any backing data.

How is it mediocre? Is it because of the CVEs that have been released in the prior years? I recall GitLab also having quite a bad week of CVEs in February[1].

How is it a bad ecosystem? If this is about plugins in order to do things, I actually like this framework: it lets there be specific owners for portions of the open source development.

Self-implodes? This seems like it would be tracked as a bug. I've encountered an instance where Jenkins wouldn't start due to a crypto issue, but that was due to a bug and all I needed to do was install a patch.

I think that using Jenkins can be thought of as a serious option if, like anything else, you follow security protocols, i.e.: don't allow public access, maintain RBAC standards, have a maintenance schedule.

[1] https://about.gitlab.com/releases/2022/02/25/critical-securi...


I have stolen access to production systems through Jenkins. Cause the scrambled pw is always sent to the Jenkins client. And then by default anybody could decode it from the console… They fixed it in 2.0, I believe.

The problem with dependencies is that different plugins need different versions, but there is no solution to that. Even more. You update Jenkins. Plugins break. Data gets corrupted. You try to align the plugins to some dependent version. It fails, cause most of the ecosystem is a hobby project that never gets updated.

Jenkins has absolutely nothing to do on the public Internet, like most of these tools.

There are so many CI/CD services. Most are very cheap. You really need to love yak shaving to pick Jenkins over something off the shelf. No major cloud offers Jenkins SaaS. Wonder why…


This is an odd response from my perspective.

'I don't like it because it's not secure and I was able to get access to prod via this method.'

'That method has been fixed.'

'Well...I still don't like it.'

Bugs are being found and fixed all the time. As for the different plugins needing different versions: yes. This also occurs in general coding, where every package or library that you want to use in your code is also going to be versioned. If that package or library gets updated, your code might break.

This goes back to having some things in place: backups and a maintenance and testing schedule. If you don't test things before pushing them out to prod, maybe fix that first.


I have always been happy using GitLab's CI/CD tooling [1]. Also, the integration with the source code this way is like GitHub with GitHub Actions.

[1] https://docs.gitlab.com/ee/ci/yaml/gitlab_ci_yaml.html



