[FIXED JENKINS-16844] MenuItem.post allows context menu items like Build Now to send a POST request.
Currently just shows a hover notification; TBD if there are use cases for displaying the response.

Not observed in actual usage, but reproducible (for me at least, though apparently not ci.jenkins-ci.org) in a test:
java.lang.AssertionError: null
    at jenkins.model.lazy.AbstractLazyLoadRunMap.load(AbstractLazyLoadRunMap.java:628)
    at jenkins.model.lazy.AbstractLazyLoadRunMap.all(AbstractLazyLoadRunMap.java:581)
    at jenkins.model.lazy.AbstractLazyLoadRunMap.entrySet(AbstractLazyLoadRunMap.java:243)
    at java.util.AbstractMap$2$1.<init>(AbstractMap.java:378)
    at java.util.AbstractMap$2.iterator(AbstractMap.java:377)
    at hudson.util.RunList.iterator(RunList.java:103)
    at hudson.util.RunList.size(RunList.java:114)
    at hudson.maven.MavenProjectTest.testDeleteSetBuildDeletesModuleBuilds(MavenProjectTest.java:159)

[JENKINS-16917] hudson.plugins.downstream_ext.DownstreamTrigger.DescriptorImpl should not be extending BuildTrigger.DescriptorImpl since it does not produce a BuildTrigger from newInstance.
(Generally there is no reason to subclass a Descriptor type which is already an @Extension rather than an explicit abstract supertype, but this is a bit more conservative change than just making it final.)

purged some dislocated messages that survived my former cleanups

removed translations from GlobalSecurityConfiguration and jenkins/model/Jenkins
that should only exist in GlobalCloudConfiguration

removed translations from GlobalSecurityConfiguration and jenkins/model/Jenkins
that should only exist in GlobalQuietPeriodConfiguration and config-quietPeriod
added translations based on messages from corresponding locations

removed translations from GlobalSecurityConfiguration and jenkins/model/Jenkins
that should only exist in GlobalSCMRetryCountConfiguration and config-retryCount
added translation based on messages from corresponding locations
corrected wrong property names

* core/src/main/resources/lib/form/combobox/combobox.js
  Increase index to 100, so that parent form elements can be initialized before
  parameters in fillDependsOn are extracted.

* test/src/test/java/lib/form/ComboBoxTest.java
* test/src/test/resources/lib/form/ComboBoxTest/CompoundField/config.jelly
* test/src/test/resources/lib/form/ComboBoxTest/CompoundFieldComboBoxBuilder/config.jelly
  New test to confirm null is not passed for relative dependent arguments

Traditionally, matrix axis values are only exposed as "build variables", and it was up to individual build steps and others to treat them equally like environment variables.

However, in practice, this distinction between environment variables vs build variables didn't serve any useful purposes, and the down side (of some plugins only expanding env vars in the ${VAR} notation and not build variables) was probably bigger than whatever benefit this distinction was supposed to bring.

In this fix, we are exposing matrix axis values also as environment variables. This will make them recognizable from plugins that only expand environment variables, such as parameterized trigger plugins as indicated in the original bug report.

This was motivated by pull request #701 but fix was made differently.

This change is safe because (i) those actions are read-only and (ii) if they produce data that's bit old, that isn't really noticeable.

The Actionable#getActions() method only needs to be synchronized when lazy loading. After that, the synchronization is superfluous and impacts performance.
Since the field is volatile, the double-check block works in JDK5+. See http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html for more in
Analyzing various thread dumps, many threads and requests stall on this method waiting for the lock. Since the lock isn't necessary in most cases anyway,

- Environment variables are by convention upper case, so I'm switching to upper case. This was what the original ticket requested anyway.
- Since the ".jobName" was never documented to begin with, let's not promote that and stick to "_JOBNAME" as the official version.

added missing translations (save), adjusted an entry to match existing occurrences
corrected missing backslash escapes
deleted dislocated russian property file

removed some translations from GlobalSecurityConfiguration and jenkins/model/Jenkins
that should only exist in MasterComputer, DumbSlave & MasterBuildConfiguration

Introduced ${ITEM_FULL_NAME} to address the ticket without causing the
backward compatibility problem.

This is done by introducing a new base type 'BuildDiscarder' that's
extensible. Plugins can implement their own logics.

(cherry picked from commit 6d99c02b)

This patch makes standard post-build action refuse to let you configure a downstream project you cannot currently build.
The one from parameterized-trigger will show an error in the configure screen but still lets you save the configuration; needs an analogous patch to that plugin.
Does not yet protect against POSTing config.xml with the trigger.
(cherry picked from commit 757bc8a5)

Conflicts:

	core/src/main/java/hudson/model/Descriptor.java

- My second patch, with whitelisted XPath values and forbidden JSONP.
- Disabling JSONP altogether for REST API (unless explicitly allowed).
- Forbid primitive XPath result sets by default.
- Refuse to serve _crumb=123456 as this could (very hypothetically) be exploited.
(cherry picked from commit f4af9b1a)

Conflicts:

	core/src/main/java/hudson/model/Api.java

Require POST for various operations.
(cherry picked from commit 36c86243)

Conflicts:

	core/src/main/java/hudson/model/AbstractBuild.java

(cherry picked from commit 1fb2acfd)

Conflicts:

	core/src/main/java/hudson/model/AbstractProject.java
	core/src/main/java/hudson/model/ParametersDefinitionProperty.java

- Use the proper block cipher mode.
  Or else the information about the plain text still ends up revealing as a pattern without the attacker knowing the key.
- No need to hide SLAVE_SECRET from the encrypted payload.
  jnlpMac is needed to decrypt this payload to begin with, so there's no point in hiding it. This simplifies the code a little bit.
- Using a newer slave installer that uses the -secret option
(cherry picked from commit f4496df1)

Jesse's original patch
(cherry picked from commit 01a24e2c)

- Use the proper block cipher mode.
  Or else the information about the plain text still ends up revealing as a pattern without the attacker knowing the key.
- No need to hide SLAVE_SECRET from the encrypted payload.
  jnlpMac is needed to decrypt this payload to begin with, so there's no point in hiding it. This simplifies the code a little bit.
- Using a newer slave installer that uses the -secret option

Jesse's original patch

This came from pull request #705

Failure to load JNA should be handled graciously