Backport from master (Weekly) in stable-2.541 for LTS 2.541.1

[dduportal]

Requires jenkinsci/packaging#728

This PR is a backport of required changes pushed to the primary branch since c8c5ac8 (used for the 2.541 weekly release), excluding 0fb5c67 (which initialized the stable-2.541 branch).

Most notable changes required for 2.541.1 LTS release are described in jenkins-infra/helpdesk#4945

Ref:

• LTS 2.541.1 release checklist #811
• LTS 2.541.1 release helpdesk#4945

List of commits pushed on the `master` branch since c8c5ac8 (click to expand)

git rev-list --left-right --pretty=oneline upstream/master...upstream/stable-2.541 2>&1 | grep -v '>' | grep -v 'Merge pull request'

• a5bbe29 Apply suggestions from code review
• a105224 Apply suggestion from @dduportal
• fa3a8a0 Apply suggestions from code review
• c5279ee Apply suggestions from code review
• 489a180 fix(tools/init-lts-line) ensure LTS branches are created from the correct datetime on packaging to avoid carrying unwanted changes to LTS
• 445a93c fixup: mentions existing documentation
• 70ed553 fix(Github/issue-templates/LTS) use correct order for Packaging items and details how to safely create branch
• aada25f feat(utils/package) verify WAR download and publish the signature
• 1e16cfa hotfix(package) remove old references for the old pkg.origin.jenkins.io VM
• 3042357 feat: change Jenkins GPG key from 2023 to 2026 - [pkg.jenkins.io/release.ci.jenkins.io] Jenkins Packaging GPG key expires on the 26 March 2026 helpdesk#4922
• dad3094 fix(package/utils) always bootstrap staging from scratch with only RPM packages from before
• 1b498c1 cleanup(package) stop utilizing the former AWS pkg.origin.jenkins.io virtual machine - [pkg.jenkins.io] migrate the pkg.origin.jenkins.io service from AWS VM to Azure publick8s helpdesk#3705
• dd4367b fix(release,utils) only check for packaging environment variables from packaging functions to avoid unrelated failures during release build
• ceb20b6 fix(package) ensure fastly decache fails fast if the API answers an error - [release.ci.jenkins.io] Packaging need to decache the pkg.jenkins.io at the end of the build (at the same time as www.jenkins.io) helpdesk#4910
• b754327 fixup: correct shell when using weekly line
• 6a4f284 fix(utils) apply shellcheck recommandations and remove fixed TODO comments
• 74d7351 fix(package) properly initialize staging by only retrieving necessary data from production to avoid conflicts between weekly and LTS lines
• 96ef59a chore(package) move staging bootstrap shell logic to the release.bash toolkit
• 8200f5d doc(README) document the staging/promotion for Security advisory
• e659066 Minor phrasing fix 2
• 2250712 Minor phrasing fix 1
• f9c402a fix(package) use HTTPS instead of SSH to clone jenkinsci/packaging - [release.ci.jenkins.io] Windows packaging fails to clone jenkinsci/packaging with SSH helpdesk#4909
• 2e66412 fix(infra-agents-health) check that we can clone jenkinsci/packaging on Windows
• f04ddad feat(windows): replace Windows 2019 by 2022 in the jnlp pod and node pool of packaging pod template (feat(windows): replace Windows 2019 by 2022 in the jnlp pod and node pool of packaging pod template #813)

---

List of cherry-picked commits (click to expand) with justifications

Note: All mentioned PRs have been "merged" so we can ignore the "Merge commit" (not mentioned to avoid polluting the list).

• f04ddad feat(windows): replace Windows 2019 by 2022 in the jnlp pod and node pool of packaging pod template (feat(windows): replace Windows 2019 by 2022 in the jnlp pod and node pool of packaging pod template #813)

  • Jenkins infrastructure does not provide Windows 2019 Nodes for release.ci.jenkins.io anymore.

• fix(package,infra-agent-health) use HTTPS instead of SSH to clone jenkinsci/packaging #817 (Required as a side effect of Windows 2022 and Git (caused by f04ddad)))
  \

  • 2e66412 fix(infra-agents-health) check that we can clone jenkinsci/packaging on Windows
  • f9c402a fix(package) use HTTPS instead of SSH to clone jenkinsci/packaging - [release.ci.jenkins.io] Windows packaging fails to clone jenkinsci/packaging with SSH helpdesk#4909
  • e659066 Minor phrasing fix 2
  • 2250712 Minor phrasing fix 1

• fix(package) correct staging issues caught during 2025-12-10's security advisory (2.528.3 LTS and 2.541) #816 (Required as a fix of the packaging staging/promotion process)
  \

  • 8200f5d doc(README) document the staging/promotion for Security advisory
  • 96ef59a chore(package) move staging bootstrap shell logic to the release.bash toolkit
  • 74d7351 fix(package) properly initialize staging by only retrieving necessary data from production to avoid conflicts between weekly and LTS lines
  • 6a4f284 fix(utils) apply shellcheck recommandations and remove fixed TODO comments
  • b754327 fixup: correct shell when using weekly line

• fix(package) ensure fastly decache fails fast if the API answers an error #820 (Required as a fix of the packaging staging/promotion process)
  \

  • ceb20b6 fix(package) ensure fastly decache fails fast if the API answers an error - [release.ci.jenkins.io] Packaging need to decache the pkg.jenkins.io at the end of the build (at the same time as www.jenkins.io) helpdesk#4910

• dd4367b fix(release,utils) only check for packaging environment variables from packaging functions to avoid unrelated failures during release build (Fixup of fix(package) correct staging issues caught during 2025-12-10's security advisory (2.528.3 LTS and 2.541) #816, Required as a fix of the packaging staging/promotion process)

• cleanup(package) stop utilizing the former AWS pkg.origin.jenkins.io virtual machine #827 (Required as part of [pkg.jenkins.io] migrate the pkg.origin.jenkins.io service from AWS VM to Azure publick8s helpdesk#3705)
  \

  • 1b498c1 cleanup(package) stop utilizing the former AWS pkg.origin.jenkins.io virtual machine - [pkg.jenkins.io] migrate the pkg.origin.jenkins.io service from AWS VM to Azure publick8s helpdesk#3705

• fix(package/utils) always bootstrap staging from scratch with only RPM packages from before  #826 (Required as a fix of the packaging staging/promotion process)
  \

  • dad3094 fix(package/utils) always bootstrap staging from scratch with only RPM packages from before

• feat: change Jenkins GPG key from 2023 to 2026 -  #829 (Required as part of [pkg.jenkins.io/release.ci.jenkins.io] Jenkins Packaging GPG key expires on the 26 March 2026 helpdesk#4922)
  \

  • 3042357 feat: change Jenkins GPG key from 2023 to 2026 - [pkg.jenkins.io/release.ci.jenkins.io] Jenkins Packaging GPG key expires on the 26 March 2026 helpdesk#4922

• 1e16cfa hotfix(package) remove old references for the old pkg.origin.jenkins.io VM (Hotfix of cleanup(package) stop utilizing the former AWS pkg.origin.jenkins.io virtual machine #827, Required as part of [pkg.jenkins.io] migrate the pkg.origin.jenkins.io service from AWS VM to Azure publick8s helpdesk#3705)

• feat(package) publish the WAR signature file #830 (Required as part of Add .war.asc to get.jenkins.io helpdesk#4055)
  \

  • aada25f feat(utils/package) verify WAR download and publish the signature

• fix(Github/issue-templates/LTS) use correct order for Packaging items and details how to safely create branch #831 (Required as a fix of the LTS release lead tooling)
  \

  • 445a93c fixup: mentions existing documentation
  • 70ed553 fix(Github/issue-templates/LTS) use correct order for Packaging items and details how to safely create branch

• fix(tools/init-lts-line) ensure LTS branches are created from the correct datetime on packaging to avoid carrying unwanted changes to LTS #832 (Required as a fix of the LTS release lead tooling)
  \

  • a5bbe29 Apply suggestions from code review
  • a105224 Apply suggestion from @dduportal
  • fa3a8a0 Apply suggestions from code review
  • c5279ee Apply suggestions from code review
  • 489a180 fix(tools/init-lts-line) ensure LTS branches are created from the correct datetime on packaging to avoid carrying unwanted changes to LTS

---

List of ignored commits (click to expand) with justifications

• ef00711 Revert "Disable weekly build temporarily (Disable weekly build temporarily #802)" (Revert "Disable weekly build temporarily" #812) (Unneeded because Weekly only)
• Weekly only: 28406a8 Start weekly build 6 hours earlier (04:30 AM UTC) (Start weekly build 6 hours earlier (04:30 AM UTC) #815) (Unneeded because Weekly only)
• PR chore(deps): bump updatecli/updatecli-action from 2.97.0 to 2.98.0 #819 (Unneeded because updatecli does not run on branches other than master)
  \
  • 2e9e902 chore(deps): bump updatecli/updatecli-action from 2.97.0 to 2.98.0
• Bump jenkinsciinfra/packaging and/or jenkins/inbound-agent Docker images #824 (Not picked up because 8.2.14 bumps Maven version to 3.9.12)
  \
  • d143cb8 chore: Update the image of the jnlp container of the pod template man...
  • 07aaeb7 chore: Update the image of the jnlp container of the pod template man...
  • 6777ab1 chore: Update jenkins/inbound agent version in package-windows.yaml

[dduportal]

Current diff with the master branch looks good:

git fetch --all --prune --tags
git diff upstream/master

diff --git a/.github/workflows/updatecli.yaml b/.github/workflows/updatecli.yaml
index c2c91b6..dac388f 100644
--- a/.github/workflows/updatecli.yaml
+++ b/.github/workflows/updatecli.yaml
@@ -14,7 +14,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Setup updatecli
-        uses: updatecli/updatecli-action@b846825b298f5351abd80f94c4f9eab63a38a804 # v2.98.0
+        uses: updatecli/updatecli-action@9a21b6911fe58865c8346d4fde3470010f49bf31 # v2.97.0
       - name: Diff
         run: updatecli diff --config ./updatecli/updatecli.d --values ./updatecli/values.github-action.yaml
         env:
diff --git a/Jenkinsfile.d/core/package b/Jenkinsfile.d/core/package
index 67d859f..5aeb97e 100644
--- a/Jenkinsfile.d/core/package
+++ b/Jenkinsfile.d/core/package
@@ -94,7 +94,7 @@ pipeline {
     GPG_PASSPHRASE            = credentials('release-gpg-passphrase-2026')
     // Using HTTPS with no credentials - https://github.com/jenkins-infra/helpdesk/issues/4909 - need a GH app if rate limited or need to write things to git
     PACKAGING_GIT_REPOSITORY  = 'https://github.com/jenkinsci/packaging.git'
-    PACKAGING_GIT_BRANCH      = 'master'
+    PACKAGING_GIT_BRANCH      = 'stable-2.541'
     SIGN_KEYSTORE_FILENAME    = 'jenkins.pfx'
     SIGN_STOREPASS            = credentials('signing-cert-pass-2023')
     WAR_FILENAME              = 'jenkins.war'
diff --git a/Jenkinsfile.d/core/weekly b/Jenkinsfile.d/core/weekly
index d2b3878..4fbd297 100644
--- a/Jenkinsfile.d/core/weekly
+++ b/Jenkinsfile.d/core/weekly
@@ -5,28 +5,15 @@ pipeline {
     disableConcurrentBuilds()
   }
 
-  // Every Tuesday at 4:30:00 AM Coordinated Universal Time;
+  // Every Tuesday at 10:30:00 AM Coordinated Universal Time;
   triggers {
-    cron '30 4 * * 2'
+    cron '30 10 * * 2'
   }
 
   stages {
     stage("Release"){
       steps {
-        build job: "core/release/${ BRANCH_NAME }", parameters: [
-          booleanParam(name: "VALIDATION_ENABLED", value: false),
-          string(name: "RELEASE_PROFILE", value: "weekly")
-        ]
-      }
-    }
-
-    stage("Package"){
-      steps {
-        build job: "core/package/${ BRANCH_NAME }", parameters: [
-          booleanParam(name: "VALIDATION_ENABLED", value: false),
-          string(name: "RELEASE_PROFILE", value: "weekly"),
-          string(name: "JENKINS_VERSION", value: "latest")
-        ]
+        echo "Release build is disabled for security fixes"
       }
     }
   }
diff --git a/PodTemplates.d/package-linux.yaml b/PodTemplates.d/package-linux.yaml
index c4d04ee..92ac36f 100644
--- a/PodTemplates.d/package-linux.yaml
+++ b/PodTemplates.d/package-linux.yaml
@@ -10,7 +10,7 @@ spec:
   serviceAccountName: release-ci-jenkins-io-agents
   containers:
     - name: jnlp
-      image: jenkinsciinfra/packaging:8.2.15
+      image: jenkinsciinfra/packaging:8.2.12
       imagePullPolicy: "IfNotPresent"
       env:
         - name: "JENKINS_JAVA_BIN"
diff --git a/PodTemplates.d/package-windows.yaml b/PodTemplates.d/package-windows.yaml
index a1b4981..95a5760 100644
--- a/PodTemplates.d/package-windows.yaml
+++ b/PodTemplates.d/package-windows.yaml
@@ -11,7 +11,7 @@ metadata:
 spec:
   serviceAccountName: release-ci-jenkins-io-agents
   containers:
-  - image: jenkins/inbound-agent:3355.v388858a_47b_33-4-jdk21-nanoserver-ltsc2022
+  - image: jenkins/inbound-agent:3355.v388858a_47b_33-3-jdk21-nanoserver-ltsc2022
     imagePullPolicy: "IfNotPresent"
     name: "jnlp"
     env:
diff --git a/PodTemplates.d/release-linux.yaml b/PodTemplates.d/release-linux.yaml
index 957ee73..a575e43 100644
--- a/PodTemplates.d/release-linux.yaml
+++ b/PodTemplates.d/release-linux.yaml
@@ -10,7 +10,7 @@ spec:
   serviceAccountName: release-ci-jenkins-io-agents
   containers:
     - name: jnlp
-      image: jenkinsciinfra/packaging:8.2.15
+      image: jenkinsciinfra/packaging:8.2.12
       imagePullPolicy: "IfNotPresent"
       env:
         - name: "HOME"
diff --git a/profile.d/stable b/profile.d/stable
index 0883bc9..d04ecad 100644
--- a/profile.d/stable
+++ b/profile.d/stable
@@ -2,7 +2,7 @@
 # WARNING: Any variables defined here, override those defined from the Jenkinsfile
 #
 #
-RELEASE_GIT_BRANCH=master
+RELEASE_GIT_BRANCH=stable-2.541
 [email protected]:jenkinsci/jenkins.git
 [email protected]
 GIT_NAME="Jenkins Release Bot"
@@ -15,3 +15,4 @@ SIGN_ALIAS=jenkins
 
 # Used by jenkinsci/packaging
 RELEASELINE=-stable
+JENKINS_VERSION=2.541.1

[lemeurherve]

Final diff and cherry-pick choices LGTM

[dduportal]

jenkinsci/packaging#728 has been merged and I have an approval: proceeding to merge and then triggering a "staging only packaging" build in release.ci.jenkins.io as a test match (with explicit 2.528.3 since 2.541.1 does not exist yet) to verify all packaging stuff is working as expected (unified RPM, new GPG key, bugfixes, etc.)