jenkins [JENKINS-60866][JENKINS-71513] Apply Stapler update for CSP-compliant st:bind and renderOnDemand

Downstream of https://github.com/jenkinsci/stapler/pull/385

This takes care of two different previously inline or eval'ed JS snippets that ended up calling makeStaplerProxy to bind objects to JS:

st:bind emitted a script tag with inline script that assigns the result of makeStaplerProxy to a variable (if used with a variable name -- the other mode cannot be fixed, as it's intended for nesting in an inline script).
renderOnDemand.jelly added the makeStaplerProxy call it needed to an HTML attribute, later eval'ing it in https://github.com/jenkinsci/jenkins/blob/d977ee8741ed6362dac282e69a317a070ee9d813/war/src/main/webapp/scripts/hudson-behavior.js#L793

This PR changes Stapler and Jenkins to no longer need either:

st:bind now emits script tags with src. Stapler has been improved to have a separate URL that provides the previously inline script standalone.
renderOnDemand now adds HTML attributes for the function name and its argument values, which are then read in hudson-behavior.js and used to invoke the specified method with the correct arguments.

Testing notes

st:bind is used in core by progressiveRendering, which is used by the "Build History" view.
renderOnDemand is used whenever a form has nontrivial dynamic content (e.g. adding build steps to a freestyle job, or the configuration of a security realm, authorization strategy, or markup formatter after selecting the type in a dropdown box.

Proposed changelog entries

Developer: Update Stapler from 1822.v120278426e1c to 1839.ved17667b_a_eb_5 to no longer generate line JavaScript with Stapler bound objects to improve compatibility with Content-Security-Policy Plugin

Proposed upgrade guidelines

N/A

Submitter checklist

[ ] (If applicable) Jira issue is well described
[ ] Changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developer, depending on the change) and are in the imperative mood. Examples
- Fill-in the Proposed changelog entries section only if there are breaking changes or other changes which may require extra steps from users during the upgrade
[ ] Appropriate autotests or explanation to why this change has no tests
[ ] New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadoc, as appropriate.
[ ] New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO") if applicable.
[ ] For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Maintainer checklist

Before the changes are marked as ready-for-merge:

[ ] There are at least 2 approvals for the pull request and no outstanding requests for change
[ ] Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
[ ] Changelog entries in the PR title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood
[ ] Proper changelog labels are set so that the changelog can be generated automatically
[ ] If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
[ ] If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

Jul 16 '22 21:07 daniel-beck

Probably need to do renderOnDemand.jelly at the same time as these are closely related.

Jul 16 '22 21:07 daniel-beck

Looks like the default branch of Stapler with a bunch of unreleased commits (for incrementals) is incompatible with core. Nice.

[2022-07-17T10:08:49.977Z] [INFO] --- maven-enforcer-plugin:3.1.0:enforce (display-info) @ jenkins-war ---
[2022-07-17T10:08:49.977Z] [INFO] Adding ignore: module-info
[2022-07-17T10:08:49.977Z] [INFO] Restricted to JDK 8 yet org.kohsuke.stapler:stapler:jar:1721.v6298feb_6eb_8f:compile contains org/kohsuke/stapler/framework/io/ByteBuffer$1.class targeted to JDK 11
[2022-07-17T10:08:49.977Z] [INFO] Restricted to JDK 8 yet org.kohsuke.stapler:stapler-groovy:jar:1721.v6298feb_6eb_8f:compile contains org/kohsuke/stapler/jelly/groovy/GroovyClassLoaderTearOff$1.class targeted to JDK 11
[2022-07-17T10:08:49.977Z] [INFO] Restricted to JDK 8 yet org.jenkins-ci:commons-jelly:jar:1.1-jenkins-20220630:compile contains org/apache/commons/jelly/util/TagUtils.class targeted to JDK 11
[2022-07-17T10:08:49.977Z] [INFO] Restricted to JDK 8 yet org.kohsuke.stapler:stapler-jelly:jar:1721.v6298feb_6eb_8f:compile contains org/kohsuke/stapler/jelly/package-info.class targeted to JDK 11
[2022-07-17T10:08:49.977Z] [ERROR] Rule 1: org.apache.maven.plugins.enforcer.EnforceBytecodeVersion failed with message:
[2022-07-17T10:08:49.977Z] Found Banned Dependency: org.kohsuke.stapler:stapler:jar:1721.v6298feb_6eb_8f
[2022-07-17T10:08:49.977Z] Found Banned Dependency: org.kohsuke.stapler:stapler-groovy:jar:1721.v6298feb_6eb_8f
[2022-07-17T10:08:49.977Z] Found Banned Dependency: org.jenkins-ci:commons-jelly:jar:1.1-jenkins-20220630
[2022-07-17T10:08:49.977Z] Found Banned Dependency: org.kohsuke.stapler:stapler-jelly:jar:1721.v6298feb_6eb_8f

Jul 17 '22 10:07 daniel-beck

Looks like the default branch of Stapler with a bunch of unreleased commits (for incrementals) is incompatible with core. Nice.

@daniel-beck Why would it be “nice”? Your sarcasm is not appreciated. The corresponding changes have been ready for review in https://github.com/jenkinsci/jenkins/pull/6801 for 9 days.