Jenkins#
Jenkins is the long-running CI server. Open source, plugin-heavy, self-hosted, in production at every Fortune 500 that started its CI/CD journey before 2015. The operator meets it on long-lived enterprise estates, in mixed-stack environments, and any place where a paid SaaS CI is not an option.
Architecture#
Controller (formerly “master”), the central process that hosts the UI, the job definitions, and the queue.
Agent (formerly “slave”), a worker process that executes builds. Connects back to the controller over JNLP or SSH.
Executor, a slot on an agent that runs one build at a time.
Plugins, the extension layer. Almost every integration ships as a plugin; the plugin catalog runs into the thousands.
Pipeline shape#
Two styles. Declarative is the modern default; Scripted is the older Groovy DSL that gives full programming control.
Declarative Jenkinsfile:
pipeline {
agent any
environment {
IMAGE = "ghcr.io/myorg/app:${env.BUILD_TAG}"
}
stages {
stage('Test') {
steps {
sh 'pnpm install --frozen-lockfile'
sh 'pnpm test'
}
}
stage('Build') {
when { branch 'main' }
steps {
withCredentials([usernamePassword(credentialsId: 'ghcr',
usernameVariable: 'USER',
passwordVariable: 'PASS')]) {
sh 'echo "$PASS" | docker login ghcr.io -u "$USER" --password-stdin'
sh 'docker build -t "$IMAGE" .'
sh 'docker push "$IMAGE"'
}
}
}
}
post {
always { junit 'reports/**/*.xml' }
failure { mail to: 'oncall@example.com', subject: "${env.JOB_NAME} failed" }
}
}
Agents#
Agent |
Detail |
|---|---|
Static |
Long-running VM or container. Cheapest, lowest isolation. |
Ephemeral (docker, kubernetes) |
Spun up per build; one of the operator’s defaults today via the Kubernetes plugin. |
SSH agent |
Controller connects to a fixed host via SSH. Useful for legacy. |
JNLP agent |
Worker dials home over a JNLP socket. Standard pattern for agents behind NAT. |
Credentials and secrets#
Credentials Plugin stores secrets at controller scope, folder scope, or job scope.
HashiCorp Vault plugin, AWS Secrets Manager plugin, Azure Key Vault plugin, GCP Secret Manager plugin for short-lived secret injection.
Pipeline syntax
withCredentials,withVaultfor scoped exposure during a step.
Strengths#
Plugin breadth is unmatched. Every legacy system has a Jenkins plugin.
On-prem, air-gapped, and behind-firewall installs are first-class.
Multi-branch pipelines, parallel stages, parameter-driven builds are well-supported.
Weaknesses#
Operational cost. The controller is stateful (XML on disk), upgrades are fiddly, plugins drift in compatibility.
Groovy is the configuration language; full programming control is also full risk surface.
UI is dated; Blue Ocean was the attempt to fix it but is in maintenance mode.
When to pick Jenkins#
Already running, with institutional knowledge and a plugin set built up over years.
Air-gapped or sovereign environments where SaaS CI is not permitted.
Hetereogeneous stacks (mainframe + Java + .NET + Linux) where Jenkins’s plugin catalog covers everything in one tool.
When to pick something else#
Greenfield in 2026; GitHub Actions, GitLab CI, Buildkite, CircleCI all have shorter learning curves and lower ops burden.
Anywhere the ops team’s bandwidth is the constraint; a Jenkins controller is a long-lived production service that pages.
References#
CI / CD for the wider CI / CD context.