This repository was archived by the owner on Feb 10, 2026. It is now read-only.

Update Datical fork from jenkinsci fork#3

Open
SteveDonie wants to merge 1279 commits into Datical:master from jenkinsci:master
@SteveDonie

No description provided.

dependabot bot and others added 30 commits April 9, 2024 23:54
…82.vdce2153031a_0 (#652)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [crowdin/github-action](https://github.com/crowdin/github-action) from 1.20.2 to 1.20.3.
- [Release notes](https://github.com/crowdin/github-action/releases)
- [Commits](crowdin/github-action@v1.20.2...v1.20.3)

---
updated-dependencies:
- dependency-name: crowdin/github-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…din/github-action-1.20.3

Bump crowdin/github-action from 1.20.2 to 1.20.3
---
updated-dependencies:
- dependency-name: crowdin/github-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…din/github-action-1.20.4

Bump crowdin/github-action from 1.20.3 to 1.20.4
https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/
recommends Jenkins 2.440.3 rather than 2.440.1.  Let's upgrade the
requirement to 2.440.3 so that the dependabot pull request for BOM can
be merged.

#660 is the
dependabot pull request
Bumps [org.jenkins-ci.plugins:plugin](https://github.com/jenkinsci/plugin-pom) from 4.82 to 4.83.
- [Release notes](https://github.com/jenkinsci/plugin-pom/releases)
- [Changelog](https://github.com/jenkinsci/plugin-pom/blob/master/CHANGELOG.md)
- [Commits](jenkinsci/plugin-pom@plugin-4.82...plugin-4.83)

---
updated-dependencies:
- dependency-name: org.jenkins-ci.plugins:plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [crowdin/github-action](https://github.com/crowdin/github-action) from 1.20.4 to 2.0.0.
- [Release notes](https://github.com/crowdin/github-action/releases)
- [Commits](crowdin/github-action@v1.20.4...v2.0.0)

---
updated-dependencies:
- dependency-name: crowdin/github-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…din/github-action-2.0.0

Bump crowdin/github-action from 1.20.4 to 2.0.0
…i.plugins-plugin-4.83

Bump org.jenkins-ci.plugins:plugin from 4.82 to 4.83
Bumps [io.jenkins.tools.bom:bom-2.440.x](https://github.com/jenkinsci/bom) from 3105.v672692894683 to 3120.v4d898e1e9fc4.
- [Release notes](https://github.com/jenkinsci/bom/releases)
- [Commits](https://github.com/jenkinsci/bom/commits)

---
updated-dependencies:
- dependency-name: io.jenkins.tools.bom:bom-2.440.x
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…ols.bom-bom-2.440.x-3120.v4d898e1e9fc4

Bump io.jenkins.tools.bom:bom-2.440.x from 3105.v672692894683 to 3120.v4d898e1e9fc4
Bumps [io.jenkins.tools.bom:bom-2.440.x](https://github.com/jenkinsci/bom) from 3135.v6d6c1f6b_3572 to 3143.v347db_7c6db_6e.
- [Release notes](https://github.com/jenkinsci/bom/releases)
- [Commits](https://github.com/jenkinsci/bom/commits)

---
updated-dependencies:
- dependency-name: io.jenkins.tools.bom:bom-2.440.x
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…ols.bom-bom-2.440.x-3143.v347db_7c6db_6e

Bump io.jenkins.tools.bom:bom-2.440.x from 3135.v6d6c1f6b_3572 to 3143.v347db_7c6db_6e
Bumps [org.jenkins-ci.plugins:plugin](https://github.com/jenkinsci/plugin-pom) from 4.83 to 4.84.
- [Release notes](https://github.com/jenkinsci/plugin-pom/releases)
- [Changelog](https://github.com/jenkinsci/plugin-pom/blob/master/CHANGELOG.md)
- [Commits](jenkinsci/plugin-pom@plugin-4.83...plugin-4.84)

---
updated-dependencies:
- dependency-name: org.jenkins-ci.plugins:plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…i.plugins-plugin-4.84

Bump org.jenkins-ci.plugins:plugin from 4.83 to 4.84
dependabot bot and others added 30 commits March 28, 2026 21:54
Bumps [crowdin/github-action](https://github.com/crowdin/github-action) from 2.15.0 to 2.15.2.
- [Release notes](https://github.com/crowdin/github-action/releases)
- [Commits](crowdin/github-action@v2.15.0...v2.15.2)

---
updated-dependencies:
- dependency-name: crowdin/github-action
  dependency-version: 2.15.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ci: Add auto-approve workflow for owner PRs without review

Adds a daily scheduled workflow (08:00 UTC, also manual trigger) that
auto-approves open PRs from repo OWNER/MEMBER after 3 days without review.

Countdown labels give reviewers clear visibility:
  Day 0 -> merge-in-3-days-without-review
  Day 1 -> merge-in-2-days-without-review
  Day 2 -> merge-in-1-day-without-review
  Day 3 -> approved + merged-without-review (auto-merge takes over)

PRs that already have an approving review are skipped.

* feat: Add comments for auto-approval countdown on owner PRs

* refactor: Simplify auto-approve workflow by removing countdown label creation steps
* Add clarification on support for the plugin

* Restrict author associations to 'OWNER' only
Bumps [io.jenkins.tools.bom:bom-2.528.x](https://github.com/jenkinsci/bom) from 6166.va_a_8b_5eda_8ef5 to 6210.v69ea_fd8a_f010.
- [Release notes](https://github.com/jenkinsci/bom/releases)
- [Commits](https://github.com/jenkinsci/bom/commits)

---
updated-dependencies:
- dependency-name: io.jenkins.tools.bom:bom-2.528.x
  dependency-version: 6210.v69ea_fd8a_f010
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ipt caching (#966)

* Ludicrous Mode: Lockable resources queue contention reduction and script caching

What is ludicrous speed?
------------------------

[Obligatory video of ludicrous speed](https://youtu.be/oApAdwuqtn8?si=uJHPP5OXz9GNllY0)

<details><summary>Ludicrous speed is faster than light speed</summary>

---

![spaceballs ludicrous speed](https://github.com/user-attachments/assets/803d4aa5-4677-40b9-b04b-d4f22ea2cbf3)

</details>

---

Background
----------

I am patching all plugins which affect Jenkins queue maintenance performance as part of an overall initiative to make Jenkins faster for everyone.

Your plugin has been identified for adversely affecting queue performance and so I am opening a proposal pull request to fix the performance issue.

Please keep the `Ludicrous Mode:` prefix in the pull request title so that patches can be tracked across all plugins.

Patch details
-------------

`Queue.maintain()` is a critical path in Jenkins core.  Any performance delays can significantly impact Jenkins scheduling work on agents.  Benchmarking for `Queue.maintain()` should execute in only a few milliseconds even when Jenkins agents reach in the thousands.

This patch provides three key features:

* Lightweight API calls called by `Queue.maintain()` should instantly return.
* Heavyweight API calls are made in the background (e.g. resource evaluation) outside of the `Queue.maintain()` path.
* Since `Queue.maintain()` has extreme performance, `scheduleMaintenance()` can be more aggressively called as locked resources become available.

---

The lockable-resources-plugin hooks into the Queue via a `QueueTaskDispatcher` — its `canRun(Queue.Item)` method is called **under the Queue lock** for every item on every `Queue.maintain()` cycle. Unlike cloud plugins that use `RetentionStrategy` or `Cloud`, a `QueueTaskDispatcher` sits in the absolute innermost loop of Queue maintenance.

Three issues were found:

1. **No `scheduleMaintenance()` triggers anywhere.** When resources are freed (build completes, pipeline lock body finishes, user unreserves via UI), items waiting in the Jenkins Queue for those resources wait up to 5 seconds for the next timer tick. The patch adds immediate `scheduleMaintenance()` calls at 6 resource-freeing events: `unlockResources()`, `unreserve()`, `reset()`, `LockRunListener.onCompleted()`, `LockRunListener.onDeleted()`, and `FreeDeadJobs.freePostMortemResources()`.

2. **`syncResources` lock contention under Queue lock.** The plugin uses a `synchronized(syncResources)` monitor in `tryQueue()` that is also held by threads doing disk I/O (`save()`). When `onCompleted()` holds `syncResources` during a config write, `canRun()` under the Queue lock blocks waiting — transitively extending Queue lock hold time by disk write latency. The patch makes `save()` asynchronous with coalescing and narrows the `syncResources` scope in `tryQueue()` so that candidate resolution (label matching, Groovy script evaluation) runs outside the critical section.

3. **Groovy script and label expression evaluation under Queue lock.** When jobs use `resourceMatchScript`, `canRun()` evaluates a Groovy script for every lockable resource on every cache miss. The existing `cachedCandidates` Guava cache mitigates repeated evaluations, but cache misses (first call, or after resource state change) are heavyweight. Similarly, `isValidLabel()` parses label expressions and allocates `LabelAtom` sets on every call. The patch adds per-resource TTL caches for both script evaluation results and label expression results.

Original Patch series
---------------------

Some background.  This patch is part of a series (ludicrous patch series) which enables my production instance to scale work up to ludicrous amounts of agents.

- [ec2 plugin]
- [job-restrictions plugin]
- [leastload plugin]

AI Analysis
-----------

See detailed [AI analysis for lockable-resources plugin][1].  You're welcome to copy any documentation from the AI analysis that you find you want included.  I purposefully separated the analysis in order to limit how much I am changing in your repository.

Testing done
------------

I do rely on this plugin in production.  I have not tested this patch, yet.  I plan to deploy it to my production instance after non-prod testing completes.  I will follow up in this pull request when I'm successfully running this in production.

Advisory
--------

I plan to update Jenkins core with warnings when there are plugins which adversely affect Jenkins queue performance.  Please keep in mind not merging changes with this strategy will involve this plugin being called out for tanking Jenkins performance.  This patch solves a critical performance issue for your plugin so that it does not tank Jenkins performance (in how fast Jenkins schedules work on agents).

Submitter checklist
-------------------

- [x] Make sure you are opening from a **topic/feature/bugfix branch** (right side) and not your main branch!
- [x] Ensure that the pull request title represents the desired changelog entry
- [x] Please describe what you did
- [ ] Link to relevant issues in GitHub or Jira
- [x] Link to relevant pull requests, esp. upstream and downstream changes
- [ ] Ensure you have provided tests that demonstrate the feature works or the issue is fixed

[1]: https://github.com/samrocketman/jenkins-ai-analysis/tree/main/ludicrous-mode-analysis/lockable-resources-plugin
[ec2 plugin]: jenkinsci/ec2-plugin#2000
[job-restrictions plugin]: jenkinsci/job-restrictions-plugin#210
[leastload plugin]: jenkinsci/leastload-plugin#22

Co-authored-by: sgleske@integralads.com

* Fix async save state loss on restart

with a @Terminator flush hook

Default asyncSaveEnabled to true and add a @Terminator shutdown hook
that flushes any pending coalesced save synchronously before Jenkins
exits.  Also add a null guard in uncacheIfFreeing for defensive safety.

* spotless apply

---------

Co-authored-by: Martin Pokorny <89339813+mPokornyETM@users.noreply.github.com>
… PRs (#979)

* docs: Update Copilot instructions and enhance auto-labeling workflows

* ci: Update countdown label logic for trusted authors in auto-label workflow

* ci: Update auto-approve countdown logic to include COLLABORATOR PRs
Bumps [crowdin/github-action](https://github.com/crowdin/github-action) from 2.15.2 to 2.16.0.
- [Release notes](https://github.com/crowdin/github-action/releases)
- [Commits](crowdin/github-action@v2.15.2...v2.16.0)

---
updated-dependencies:
- dependency-name: crowdin/github-action
  dependency-version: 2.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Martin Pokorny <89339813+mPokornyETM@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Martin Pokorny <89339813+mPokornyETM@users.noreply.github.com>
Add workflow to automatically keep open PRs up-to-date:
- Dependabot PRs: uses @dependabot rebase command
- Other non-draft PRs: uses gh pr update-branch --rebase
- Simplify dependabot-auto-merge.yml by removing redundant update step
- Reduce resource count from 50 to 5 to reduce non-determinism
- Wait for b2's semaphores to start before releasing them
- Use waitForCompletion() and assertBuildStatusSuccess() for
  proper build completion verification instead of waitForMessage()

The test was flaky due to timing issues with 50 parallel resources
and nested locks across 3 builds resuming after Jenkins restart.
* Add updateLock pipeline step for resource management

This step allows pipelines to dynamically manage lockable resources:
- Create new resources (createResource: true)
- Delete existing resources (deleteResource: true)
- Modify labels (setLabels, addLabels, removeLabels)
- Set notes (setNote)

Based on the original design from PR #305 by @gaspardpetit.

Fixes #305

* Remove @since TODO - not applicable for plugins

* Add updateLock step documentation to README

* fix: Add CSRF protection and permission checks to doCheck* methods

Addresses security warnings from github-advanced-security[bot]:
- Add @RequirePOST annotation to doCheckResource, doCheckAddLabels,
  doCheckRemoveLabels, and doCheckDeleteResource
- Add @AncestorInPath Item parameter and permission checks to
  prevent unauthorized form validation calls
…#972)

* feat: Support build parameters in resource names, labels, and numbers

Allow  references in the Required Lockable Resources job property
so that resource names, labels, and resource numbers can be resolved from
build parameters at queue time and build start.

Changes:
- Utils: add requiredResources(Job, EnvVars) overload and
  getParametersAsEnvVars(Queue.Item) to extract build parameters
- LockableResourcesStruct: expand requiredNumber via env.expand()
- LockableResourcesQueueTaskDispatcher: pass build parameters from
  queue item to resource struct for early expansion
- LockRunListener: pass AbstractBuild environment to resource struct
  so parameter references are expanded at build start
- RequiredResourcesProperty: form validation now recognises \
  patterns and shows a warning instead of an error
- Messages.properties: add warning messages for parameter references
- Tests: add parameterizedResourceName, parameterizedLabel,
  parameterizedResourceNumber tests and UtilsTest.containsVariable

Fixes #159, Fixes #202
Replaces #214

* style: Apply spotless formatting

* fix: Narrow exception handling to satisfy SpotBugs REC_CATCH_EXCEPTION

- Utils.getParametersAsEnvVars: remove unnecessary try-catch (APIs do not
  throw checked exceptions)
- LockRunListener.onStarted: catch IOException | InterruptedException
  instead of generic Exception

* test: Add comprehensive unit tests for getParametersAsEnvVars()

Add 7 new test methods covering all code paths:
- No actions (empty list)
- Single parameter
- Multiple parameters in one action
- Multiple ParametersAction instances
- Null parameter value (skipped)
- Non-string value (converted via toString)
- Duplicate key across actions (later wins)

Also fix @NoExternalUse annotations to use @Restricted(NoExternalUse.class)
and add missing imports for ExcludeFromJacocoGeneratedReport.
…rce strategy

- Add doFillResourceSelectStrategyItems with @RequirePOST and permission check
- Validate resourceSelectStrategy in setter and throw exception for invalid values
- Change config.jelly to use f:select instead of f:textbox

Fixes security warning for missing permission check.
Addresses review comment about silent failures for invalid strategy values.
Bumps [actions/labeler](https://github.com/actions/labeler) from 5 to 6.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@v5...v6)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#989)

- Store unmodifiable lists in cache to prevent modification of cached data
- Create mutable copy before retainAll() in tryQueue()
- Take snapshot of cache keys before invalidating in uncacheIfFreeing()
- Tolerate timing variation in LockStepReserveInsideLockHonouredTest

The cache stores unmodifiable lists for thread-safety since multiple
threads may read from the cache concurrently. Selective invalidation
preserves cache for unaffected queue items (important at scale with
1000+ items).

Fixes potential CI timeouts caused by thread deadlocks.
* chore: Use reusable rebase-open-prs-action

Replace inline script with mPokornyETM/rebase-open-prs-action@v1
This makes it easier to reuse across multiple repositories.

* chore: Use reusable rebase-open-prs workflow
Bumps [io.jenkins.tools.bom:bom-2.528.x](https://github.com/jenkinsci/bom) from 6210.v69ea_fd8a_f010 to 6237.v4da_61a_4a_19e5.
- [Release notes](https://github.com/jenkinsci/bom/releases)
- [Commits](https://github.com/jenkinsci/bom/commits)

---
updated-dependencies:
- dependency-name: io.jenkins.tools.bom:bom-2.528.x
  dependency-version: 6237.v4da_61a_4a_19e5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Reusable workflows from external repos may be blocked by org policies.
Using the composite action directly works across orgs.
The composite action needs GH_TOKEN set as env var.
Use github.token which has the required permissions.
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v7...v8)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: Add option to disable automatic ephemeral resource creation (fixes #651)

* chore: Apply code formatting
When using github.token, force-pushes don't trigger other workflows
like Jenkins Security Scan. Using a PAT (GH_TOKEN secret) fixes this.

Falls back to github.token if secret is not configured.

To complete this fix, a repository admin needs to:
1. Create a PAT with 'repo' and 'workflow' scopes
2. Add it as repository secret named GH_TOKEN
- Update LICENSE.txt with current maintainer (Martin Pokorny 2022-2026)
- Replace verbose box-style headers with short MIT reference
- Replace full MIT license headers with short reference
- All files now point to LICENSE.txt for full copyright info

Fixes #981
Bumps [io.jenkins.tools.bom:bom-2.528.x](https://github.com/jenkinsci/bom) from 6237.v4da_61a_4a_19e5 to 6269.v7a_159d68a_366.
- [Release notes](https://github.com/jenkinsci/bom/releases)
- [Commits](https://github.com/jenkinsci/bom/commits)

---
updated-dependencies:
- dependency-name: io.jenkins.tools.bom:bom-2.528.x
  dependency-version: 6269.v7a_159d68a_366
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
When a new resource is added via createResourceWithLabel() or
addResource(), waiting jobs now automatically pick it up instead
of remaining blocked.

Changes:
- Invalidate cachedCandidates and process waiting pipeline contexts
  when adding new resources (inside synchronized block for atomicity)
- Call scheduleQueueMaintenance() to notify freestyle jobs
- Add refreshQueue() public method for users who modify labels on
  existing resources (label changes don't auto-trigger re-evaluation)
- Add documentation explaining dynamic resource behavior and limitations

Fixes #892
See also: JENKINS-46744
Document how to lock resources for individual pipeline stages
using the options block, allowing long-running builds to only
hold resources during the stages that need them.

Fixes #8