@basil
Member

@basil basil commented Dec 4, 2023

See jenkins-infra/helpdesk#3842. This plugin currently depends on JCenter for Atlassian libraries, but JFrog has asked us to stop caching JCenter dependencies. Based on this page, the dependencies we need are officially published at https://packages.atlassian.com/maven-public/ so fetch them from there directly. We choose maven-public rather than maven-external because Atlassian may one day go through a similar bandwidth reduction exercise as we are currently going through right now, and in such an event they would want us to rely on public repositories for third-party libraries, so proactively anticipate such an event by using the repository that contains just Atlassian libraries.

To test this, I verified that I could run mvn clean verify -DskipTests in a clean Docker container (without ~/.m2) and without the JCenter cache:

  <repositories>
    <repository>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <id>repo.jenkins-ci.org</id>
      <url>https://repo.jenkins-ci.org/releases/</url>
    </repository>
    <repository>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <id>orphans</id>
      <url>https://repo.jenkins-ci.org/artifactory/orphans/</url>
    </repository>
    <repository>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <id>atlassian-maven-public</id>
      <url>https://packages.atlassian.com/maven-public/</url>
    </repository>
  </repositories>

Note that the orphans repository is needed for jbcrypt as explained in jenkins-infra/helpdesk#3842.

@basil basil requested a review from a team as a code owner December 4, 2023 21:54
@basil basil requested a review from MarkEWaite December 4, 2023 22:14
Contributor

@MarkEWaite MarkEWaite left a comment

Thanks!

Member Author

@basil basil left a comment

In draft pending a decision as to whether we want to create a remote repository for https://packages.atlassian.com/maven-public/ and include it in the https://repo.jenkins-ci.org/public/ virtual repository as described in jenkins-infra/helpdesk#3842 (comment).

@rantoniuk
Member

rantoniuk commented Dec 4, 2023

I remembered this rang a bell; we've been there before. @jglick, any comments from you?

@basil basil closed this Dec 4, 2023
@MarkEWaite
Contributor

I think we should add the Atlassian repository to the pom.xml of this plugin rather than mirror the contents of the Atlassian repository in the Jenkins repository because we're trying to reduce the bandwidth used by the Jenkins repository. Adding another mirror seems like it will increase the bandwidth use rather than reduce it.

@rantoniuk
Member

Well, #471

@jglick
Member

jglick commented Dec 5, 2023

🤷 historically our policy as I understood it was to forbid use of other <repository>s from Jenkins plugins; and to ensure either that the Jenkins Artifactory aggregated foreign repositories that were needed, or that specific artifacts that rarely changed were directly uploaded. If that policy has changed, and the implications are well understood (generally I find the semantics of repository definitions in Maven to be rather confounding), then go ahead?
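
Added example, not part of the thread and not code from the plugin or from Jenkins: a sketch of how the repository policy discussed above could be checked mechanically against a pom.xml. The allowlist, the function names and the fourth ("scratch") repository are assumptions made for illustration; the other three entries are the ones from the PR description.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: the only host this project treats as its own artifact source.
ALLOWED_HOSTS = {"repo.jenkins-ci.org"}

# Constructed sample: the three repositories from the PR description (compacted),
# plus one made-up entry ("scratch") that relies on Maven's defaults.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><repositories>
<repository><snapshots><enabled>false</enabled></snapshots>
  <id>repo.jenkins-ci.org</id><url>https://repo.jenkins-ci.org/releases/</url></repository>
<repository><snapshots><enabled>false</enabled></snapshots>
  <id>orphans</id><url>https://repo.jenkins-ci.org/artifactory/orphans/</url></repository>
<repository><snapshots><enabled>false</enabled></snapshots>
  <id>atlassian-maven-public</id><url>https://packages.atlassian.com/maven-public/</url></repository>
<repository><id>scratch</id><url>http://repo.example.invalid/maven/</url></repository>
</repositories></project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def _text(elem, name, default):
    """Stripped text of the first child called `name`, or `default` if absent."""
    if elem is not None:
        for child in elem:
            if _local(child.tag) == name and child.text:
                return child.text.strip()
    return default

def audit_repositories(pom_xml, allowed_hosts=ALLOWED_HOSTS):
    """Return (repository id, problem) pairs for every download repository."""
    findings = []
    for group in ET.fromstring(pom_xml).iter():
        # Only <repositories>/<pluginRepositories> (top level or in profiles);
        # <distributionManagement> entries are deploy targets and are skipped.
        if _local(group.tag) not in ("repositories", "pluginRepositories"):
            continue
        for repo in group:
            rid = _text(repo, "id", "(no id)")
            url = urlsplit(_text(repo, "url", ""))
            if url.scheme != "https":
                findings.append((rid, "not fetched over https"))
            if url.hostname not in allowed_hosts:
                findings.append((rid, "foreign host " + str(url.hostname)))
            snapshots = next((c for c in repo if _local(c.tag) == "snapshots"), None)
            # Maven enables snapshots unless <enabled>false</enabled> is given.
            if _text(snapshots, "enabled", "true").lower() != "false":
                findings.append((rid, "snapshots enabled"))
    return findings

if __name__ == "__main__":
    for rid, problem in audit_repositories(SAMPLE_POM):
        print(rid + ": " + problem)
```

Adding packages.atlassian.com to `ALLOWED_HOSTS` models the choice this PR proposes; leaving it out models the historical policy.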
