Jenkins 2.204.6

What's new in this version:

- Revamp the layout and icons of the header bar and breadcrumbs. Instances with plugins that depend on details of the Jenkins layout (e.g. Simple Theme Plugin) may experience UI/layout problems. A new experimental header color scheme can be enabled by setting the jenkins.ui.refresh system property to true.
- Add globally configured build discarders that delete old builds not marked as "keep forever" even if there is no, or a less aggressive, per-project build discarder configured, executed periodically and after a build finishes.
- Move cloud configuration from Configure System into its own configuration form on the Manage Nodes page
- Remove Enable Security checkbox in the Global Security configuration
- Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled.
- Redesign password fields to prevent password auto-fill except for the login form. Reduce browsers offering to update stored passwords. Revert by setting the system property hudson.Functions.hidingPasswordFields to false.
- Deprecate the macOS native installer packaging. (Jenkins macOS native installer deprecation)
- Remove old, deprecated, unsupported agent protocols Inbound TCP Agent Protocol/1, Inbound TCP Agent Protocol/2, and Inbound TCP Agent Protocol/3. Update Remoting from 3.36 to 4.2 to remove unsupported protocols and add WebSocket support.
- Add experimental WebSocket support. (JEP-222, blog post)
- Extends the current milestones so plugins can update jobs and configuration during Jenkins initialization. Adds initialization milestones: SYSTEM_CONFIG_LOADED, SYSTEM_CONFIG_ADAPTED, JOB_CONFIG_ADAPTED.
- Introduce a new experimental UI that can be enabled by setting the jenkins.ui.refresh system property to true. Currently it includes a new header color scheme, more changes to be added as a part of the UI/UX revamp.
- Add a new experimental Overall/Manage permission which allows a user to configure parts of the global Jenkins configuration without having the Overall/Administer permission. This is an experimental feature, disabled by default, that can be enabled by setting the jenkins.security.ManagePermission system property to true.
- Add a new experimental Overall/SystemRead permission, which gives (almost) full read access to the Jenkins instance. The permission is disabled by default, install the Extended Read Permission plugin to activate it.
- The environment variable WORKSPACE_TMP may now be used from (non-Pipeline) builds to access a temporary directory associated with the build workspace. (issue 60634)
- Deprecate the Overall/RunScripts, Overall/UploadPlugins, and Overall/ConfigureUpdateCenter permissions. Permissions were announced as dangerous and disabled by default in major authorization plugins in 2017. Custom authorization strategy implementations that grant Overall/Administer without implying one or more of these three permissions will no longer work as expected. Configurations that grant any of these permissions to users without Overall/Administer will no longer work as expected. (pull 4365, issue 60266, JEP-223, 2017-04-10 security advisory for Matrix Authorization plugin, 2017-04-10 security advisory for Role-Based Authorization plugin)
- Fix NullPointerException when getting a list of runs with a status threshold (regression in 2.202)
- User is no longer logged out when authenticating another user
- Winstone 5.9: Fix support of system logging customization (regression in 2.204.5) (pull 4452, issue 57888, Winstone 5.9 changelog, Jetty 9.4.27 changelog)