Jesse Glick

Just curious. Leaving review to @Dohbedoh.

Generally we do not bother merging `bom` updates unless there is a specific reason.

> Are there local testing steps published somewhere? If your dev machine is authorized to make EC2 API requests, simply make sure you have Java and Maven installed and run...

From a ten-second glance this looks like the wrong approach: you should rather implement `StringCredentials` and use the generic binding.

If `PersonalAccessTokenImpl implements StringCredentials` then you should not need `PersonalAccessTokenBinding` at all. Just use the standard `StringBinding`. ```groovy withCredentials([string(credentialsId: 'happens-to-be-gitea', variable: 'GITEA_TOKEN')]) {…} ``` It is not really clear to...

Should this not come from `bom`?

FWIW my customary system is to put any version overrides in `dependencyManagement` and precede them with a `TODO` comment reminding anyone touching the POM to check for a newer BOM...

> I need access to the `FlowNodeMonitoringAction` to get the open telemetry trace parent id. Sorry, I am not familiar with this is. The diff looks reasonable, though as you...

Migration to Java 17 or EE 9 is in a completely different category—that is something forced on us externally. The choice of test framework does not seem to matter much...

> as it is used it directly it should have an explicit dep Perhaps, but the same could be said of 90% of Jenkins plugins, and this is the only...