With almost 2,000 plugins available, Jenkins is still one of the more popular CI/CD tools available on the internet. One feature, or even third-party plugin, I couldn’t find though… a way to automatically upgrade those plugins! I always had to go into my client’s Jenkins dashboard and update everything by hand. While the process to do so was fairly easy (click the “select all” checkbox, then click “upgrade”), I prefer to automate processes whenever possible.

What follows is my ultimate solution for automatic upgrades of plugins in Jenkins. This tutorial assumes both admin access to Jenkins and admin access to the host it’s running on.

Installing the jenkins-cli

Unfortunately, I don’t understand tomcat applications, so I can’t explain why this works. It just works. Using a browser, go to

Copy to Clipboard

to download the cli jar file to your local machine. To download directly to a directory on your server (we’re using /opt for this), cd to that directory then run

Copy to Clipboard

Getting a list of installed plugins

The basic command you’ll be using is:

Copy to Clipboard

On older versions of Jenkins, this will work just fine. But you’re not running an older version of Jenkins, right? Right? You’re up to date for security reasons. So if you run that command, you should receive the error:

ERROR: anonymous is missing the Overall/Administer permission

One solution, of course, is to grant the anonymous user the Administer permissions. I’ll go ahead and show you where to do that, but honestly? Please don’t. It’s an awful security practice.

Under Manage Jenkins->Security, we maintain our permissions with the Project-based Matrix Authorization Strategy. This is a very easy visual to administer. Any users you’ve granted access to will be listed in alphabetical order.

authorization anonymous

Granting Administer to anonymous; please don’t do this!

The better solution is to create a token with the proper permissions. You can use an existing user for this, but what if someone leaves the company and their credentials are deleted? It’s best to create a new user, then generate a token from there.

After you create your user, go to the above Matrix Authorization, click “Add user,” type in the new username, grant them Administer privileges, and Save.

Next, log out of Jenkins, and back in as your new user. Click the drop-down and select Configure.

jenkins cli user

Configure the new user

Generate an API token with the “Add new Token” button.

Copy off the resulting token, now. This is the only chance you’ll have to save it somewhere. If you lose it, you’ll need to generate a new one.

Let’s go back to our original command line and authenticate with the token.

Copy to Clipboard

If all the steps worked right, you should have a list of all the plugins currently installed in your Jenkins, including their descriptions and version numbers.

Now we get into some command line trickery!! If you have any plugins that can be upgraded, the newer version will also display, inside ().

amazon-ecr Amazon ECR plugin 1.107.ve50d37906739 (1.114.vfd22430621f5)

We can use some basic shell scripting to use that to our advantage. The other two Jenkins commands we’ll be using are “install-plugin” and “safe-restart”. Rather than walk you through every line of the script, I’ll leave it to you to deconstruct. At this point, I want to give a huge hat-tip to Michael Wyraz on Stack Overflow for his beautiful answer that pointed me in the right direction.

Copy to Clipboard

Obviously you can use whatever language you like, and you can kick the script off however you like. I’m super old-school and opted for bash and cron.

Copy to Clipboard

As you can see, I’m running mine at 20:15 (UTC), daily. Every morning, I come in to freshly upgraded Jenkins plugins.