📝 Walkthrough

The PR updates the NuGet package bumping script to automatically resolve and apply the latest stable versions for Codebelt packages from NuGet while preserving trigger-based version updates. It also bumps three dependency package versions in Directory.Packages.props.
Sequence diagram:

```mermaid
sequenceDiagram
    participant Script as bump-nuget.py
    participant File as Directory.Packages.props
    participant Codebelt as Codebelt Repos
    participant NuGet as NuGet Registry
    Script->>File: Read package list
    Script->>Script: Check if package from trigger source
    alt Triggered Package
        Script->>File: Update to TRIGGER_VERSION
    else Codebelt Package (non-triggered)
        Script->>Codebelt: is_codebelt_package()?
        alt Is Codebelt Package
            Script->>NuGet: get_latest_nuget_version()
            NuGet-->>Script: Return latest stable version
            Script->>Script: Cache result
            Script->>File: Update if newer
        else Non-Codebelt (Third-party)
            Script->>Script: Skip with message
        end
    end
    Script->>File: Write updated packages
    Script->>Script: Print summary (updated/skipped counts)
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks: ✅ 1 passed | ❌ 2 failed (1 warning, 1 inconclusive)
Pull request overview
Updates CI automation for service updates by enhancing NuGet package version bumping logic (especially for Codebelt-related packages) and refreshing a handful of centrally-managed third-party package versions.
Changes:

- Enhance `.github/scripts/bump-nuget.py` to set triggered-source packages to `TRIGGER_VERSION` while updating other Codebelt-related packages to the latest stable versions from NuGet (with caching and expanded package prefix mapping).
- Expand `SOURCE_PACKAGE_MAP` with additional Codebelt package prefixes (e.g., Carter, ASP.NET Core Newtonsoft/Yaml, SharedKernel).
- Bump select third-party package versions in `Directory.Packages.props` (AWS SDK, Azure.Identity, RabbitMQ.Client).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `.github/scripts/bump-nuget.py` | Adds NuGet "latest stable" lookup + broader Codebelt package detection; changes update behavior to include non-triggered Codebelt packages. |
| `Directory.Packages.props` | Updates central versions for several third-party dependencies. |
| def get_latest_nuget_version(package_name: str) -> Optional[str]: | ||
| """Fetch the latest stable version of a package from NuGet.""" | ||
| if package_name in _nuget_version_cache: | ||
| return _nuget_version_cache[package_name] | ||
|
|
||
| url = f"https://api.nuget.org/v3-flatcontainer/{package_name.lower()}/index.json" | ||
| try: | ||
| with urllib.request.urlopen(url, timeout=15) as response: | ||
| data = json.loads(response.read()) | ||
| versions = data.get("versions", []) | ||
| # Stable versions have no hyphen (no pre-release suffix) | ||
| stable = [v for v in versions if "-" not in v] | ||
| result = stable[-1] if stable else (versions[-1] if versions else None) |
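Review bot: `stable[-1]` (and the `versions[-1]` fallback) takes the last element of the feed's array rather than the highest version, so the outcome depends on how the index happens to be ordered; parse the candidates (`packaging.version.Version`, or a numeric split of the dotted components) and take the maximum, and print the version that was selected next to the package name so each automated bump can be audited from the CI log.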
get_latest_nuget_version claims to fetch the latest stable version, but if no stable versions are present it falls back to versions[-1], which can be a prerelease. That can unexpectedly bump packages to prerelease builds. Consider returning None (keep current) when no stable version exists, or make prerelease fallback explicit/opt-in via an env flag and reflect it in the docstring/log output.
| print(f"Trigger: {TRIGGER_SOURCE} @ {target_version}") | ||
| print(f"Only updating packages from: {TRIGGER_SOURCE}") | ||
| print(f"Triggered packages set to {target_version}; other Codebelt packages fetched from NuGet.") | ||
| print() |
The script prints the trigger source/version but doesn’t validate that TRIGGER_SOURCE is a supported key in SOURCE_PACKAGE_MAP. If an unexpected value is provided (e.g., typo/new repo not yet mapped), no packages will be treated as “triggered source” and they’ll instead be handled by the “other Codebelt packages” path. Consider failing fast with a clear error when TRIGGER_SOURCE.lower() is not in SOURCE_PACKAGE_MAP (and list the allowed values).
| def is_triggered_package(package_name: str) -> bool: | ||
| """Check if package is published by the triggering source repo.""" | ||
| if not TRIGGER_SOURCE: | ||
| return False | ||
| prefixes = SOURCE_PACKAGE_MAP.get(TRIGGER_SOURCE, []) | ||
| return any(package_name.startswith(prefix) for prefix in prefixes) |
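Review bot: `package_name.startswith(prefix)` is a bare string-prefix match, so unless every entry in `SOURCE_PACKAGE_MAP` ends with a separating `.`, a package whose id merely begins with the same characters (a similarly named package from another publisher, for instance) would be forced to `TRIGGER_VERSION`; anchor the match with `package_name == prefix or package_name.startswith(prefix + ".")`, or keep the trailing dot in every mapped prefix.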
is_triggered_package looks up SOURCE_PACKAGE_MAP using TRIGGER_SOURCE without normalizing case. Since the map keys are lowercase, setting TRIGGER_SOURCE to e.g. CUEMON/Cuemon will cause triggered packages not to be recognized and they’ll be treated as “other Codebelt packages” (bumped from NuGet instead of forced to TRIGGER_VERSION). Normalize TRIGGER_SOURCE once (e.g., TRIGGER_SOURCE = ... .lower()) or use SOURCE_PACKAGE_MAP.get(TRIGGER_SOURCE.lower(), []).
⚠️ Outside diff range comments (1)
.github/scripts/bump-nuget.py (1)
99-113: ⚠️ Potential issue | 🟠 Major

Fail fast on unknown `TRIGGER_SOURCE` to prevent unintended broad bumps.

If `TRIGGER_SOURCE` is mistyped or unmapped, no package is treated as triggered, and the fallback path (Line 137) can still update other mapped packages from NuGet. Add explicit source validation before processing.

Proposed fix:
def main(): if not TRIGGER_SOURCE or not TRIGGER_VERSION: print( "Error: TRIGGER_SOURCE and TRIGGER_VERSION environment variables required" ) print(f" TRIGGER_SOURCE={TRIGGER_SOURCE}") print(f" TRIGGER_VERSION={TRIGGER_VERSION}") sys.exit(1) + if TRIGGER_SOURCE not in SOURCE_PACKAGE_MAP: + print(f"Error: Unknown TRIGGER_SOURCE '{TRIGGER_SOURCE}'") + print(f" Valid sources: {', '.join(sorted(SOURCE_PACKAGE_MAP))}") + sys.exit(1)🤖 Prompt for AI Agents
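Review bot: the added `if TRIGGER_SOURCE not in SOURCE_PACKAGE_MAP` check compares the raw environment value against lowercase map keys, so a correctly mapped source supplied as `Cuemon` or `CUEMON` would be rejected as unknown; normalize once where `TRIGGER_SOURCE` is read (`.strip().lower()`) and use that normalized value both in this check and in `is_triggered_package`, otherwise the validation and the lookup can disagree.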
Verify each finding against the current code and only fix it if needed. In @.github/scripts/bump-nuget.py around lines 99 - 113, The script's main() currently accepts any TRIGGER_SOURCE and silently proceeds, which can cause unintended package bumps; add explicit validation of TRIGGER_SOURCE before continuing: check TRIGGER_SOURCE against the known mapping/key set used later (the mapping referenced by the fallback logic) and if it's missing or unmapped, print an error showing TRIGGER_SOURCE and TRIGGER_VERSION (like the existing prints), then sys.exit(1); place this validation right after computing target_version (or immediately after reading the env vars) so main() fails fast on unknown sources and prevents the fallback NuGet updates from running.
🧹 Nitpick comments (1)
.github/scripts/bump-nuget.py (1)
91-93: Narrow the exception handling in NuGet fetch.

Line 91 catches `Exception` broadly, which can hide non-network defects and make CI failures harder to diagnose. Narrow it to the specific exceptions that the try block can raise:

Proposed fix:
+import socket +import urllib.error import urllib.request @@ - except Exception as exc: + except ( + urllib.error.URLError, + socket.timeout, + json.JSONDecodeError, + ) as exc: print(f" Warning: Could not fetch latest version for {package_name}: {exc}") result = NoneNote:
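Review bot: `socket.timeout` has been an alias of the builtin `TimeoutError` since Python 3.10, so catching `TimeoutError` avoids the extra `import socket` on current interpreters (either spelling works); with the handler narrowed this way, a response that is not a JSON object would still raise `AttributeError` from `data.get(...)` and surface in CI, which is the intended behaviour.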
`urllib.request.urlopen()` can raise `URLError` (which covers `HTTPError` as a subclass) or `socket.timeout` directly; `json.loads()` raises `JSONDecodeError`.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/scripts/bump-nuget.py around lines 91 - 93, The broad except Exception hides real errors; narrow the handler around the operations using urllib.request.urlopen and json.loads by catching urllib.error.URLError (covers HTTPError), socket.timeout, and json.JSONDecodeError instead of Exception, so when the fetch of package_name fails you still set result = None but only swallow expected network/JSON errors while letting other exceptions surface for CI; update the except block that currently references package_name and result to catch those three specific exception types.
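The following is an added example, not code from the PR or the project, that pulls the points raised in the review comments above into one hardened version of the two helpers: no prerelease fallback when a package has no stable version, a narrowed exception set around the fetch, case-normalized and fail-fast validation of `TRIGGER_SOURCE`, and (going beyond the comments) numeric comparison of versions instead of trusting feed order plus an "update only if newer" check. `SOURCE_PACKAGE_MAP` is a hypothetical two-entry subset, `SAMPLE_INDEX` and `fetch_index_sample` are constructed stand-ins for api.nuget.org so the example runs offline, and `is_codebelt_package` and `resolve_bumps` are assumed names, not the script's own.

```python
import json
import re
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical subset of the script's SOURCE_PACKAGE_MAP (assumption, not the
# real table): lowercase repo name -> package-id prefixes it publishes.
SOURCE_PACKAGE_MAP: Dict[str, List[str]] = {
    "cuemon": ["Cuemon."],
    "codebelt": ["Codebelt."],
}

_STABLE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def version_key(version: str) -> Optional[Tuple[int, ...]]:
    """Numeric sort key for a stable 3- or 4-part version; None if unparsable."""
    match = _STABLE_RE.match(version)
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def fetch_index_http(package_name: str) -> dict:
    """Live lookup of the NuGet flat-container index (not used by the sample run)."""
    url = f"https://api.nuget.org/v3-flatcontainer/{package_name.lower()}/index.json"
    with urllib.request.urlopen(url, timeout=15) as response:
        return json.loads(response.read())


def get_latest_stable_version(
    package_name: str,
    fetch_index: Callable[[str], dict] = fetch_index_http,
    cache: Optional[Dict[str, Optional[str]]] = None,
) -> Optional[str]:
    """Newest stable version, or None when none exists or the lookup fails.

    Unlike the reviewed code there is no fallback to a prerelease, versions are
    compared numerically rather than by list position, and only the expected
    network/JSON exceptions are swallowed; anything else surfaces in CI.
    """
    if cache is not None and package_name in cache:
        return cache[package_name]
    try:
        versions = fetch_index(package_name).get("versions", [])
        stable = []
        for v in versions:
            key = version_key(v)
            if "-" not in v and key is not None:  # '-' marks a prerelease suffix
                stable.append((key, v))
        result = max(stable)[1] if stable else None
    except (urllib.error.URLError, socket.timeout, json.JSONDecodeError) as exc:
        print(f"  Warning: Could not fetch latest version for {package_name}: {exc}")
        result = None
    if cache is not None:
        cache[package_name] = result  # failures are cached too: one attempt per run
    return result


def normalize_trigger_source(trigger_source: str) -> str:
    """Lower-case TRIGGER_SOURCE and fail fast when it is not a mapped repo."""
    key = trigger_source.strip().lower()
    if key not in SOURCE_PACKAGE_MAP:
        raise ValueError(f"Unknown TRIGGER_SOURCE '{trigger_source}'. "
                         f"Valid sources: {', '.join(sorted(SOURCE_PACKAGE_MAP))}")
    return key


def is_triggered_package(package_name: str, trigger_source: str) -> bool:
    """True when the id starts with one of the triggering repo's prefixes (case-normalized key)."""
    prefixes = SOURCE_PACKAGE_MAP.get(trigger_source.strip().lower(), [])
    return any(package_name.startswith(prefix) for prefix in prefixes)


def is_codebelt_package(package_name: str) -> bool:
    """Assumed detection rule standing in for the script's own: any mapped prefix."""
    return any(package_name.startswith(p) for ps in SOURCE_PACKAGE_MAP.values() for p in ps)


def resolve_bumps(current: Dict[str, str], trigger_source: str, trigger_version: str,
                  fetch_index: Callable[[str], dict] = fetch_index_http) -> Dict[str, str]:
    """Return {package: new_version} for the packages that should change."""
    source = normalize_trigger_source(trigger_source)
    cache: Dict[str, Optional[str]] = {}
    bumps: Dict[str, str] = {}
    for name, version in current.items():
        if is_triggered_package(name, source):
            bumps[name] = trigger_version  # always pinned to the trigger version
        elif is_codebelt_package(name):
            latest = get_latest_stable_version(name, fetch_index, cache)
            if latest and version_key(latest) > (version_key(version) or (0,)):
                bumps[name] = latest  # only when strictly newer than the current pin
        # third-party packages are skipped
    return bumps


# Constructed sample feed standing in for api.nuget.org responses.
SAMPLE_INDEX = {
    "Cuemon.Core": {"versions": ["9.0.0", "9.0.1-preview.1", "9.0.1", "10.0.0-rc.1"]},
    "Codebelt.Extensions.Carter": {"versions": ["2.0.0", "2.1.0"]},
    "Codebelt.SharedKernel": {"versions": ["1.0.0-alpha.1", "1.0.0-beta.2"]},  # no stable yet
    "Codebelt.Unordered": {"versions": ["1.10.0", "1.9.0"]},  # feed not in ascending order
}


def fetch_index_sample(package_name: str) -> dict:
    """Offline stand-in for fetch_index_http; unknown ids raise the HTTPError a 404 would."""
    if package_name not in SAMPLE_INDEX:
        raise urllib.error.HTTPError("https://api.nuget.org/", 404, "Not Found", None, None)
    return SAMPLE_INDEX[package_name]


if __name__ == "__main__":
    pins = {"Cuemon.Core": "9.0.0", "Codebelt.Extensions.Carter": "2.0.0",
            "Codebelt.SharedKernel": "1.0.0", "Codebelt.Unordered": "1.9.0",
            "Newtonsoft.Json": "13.0.3"}
    print(resolve_bumps(pins, "CUEMON", "9.1.0", fetch_index_sample))
```

With the sample feed, `Codebelt.SharedKernel` is left at its current pin because only prereleases exist, `Codebelt.Unordered` resolves to 1.10.0 even though the feed lists 1.9.0 last, and a mistyped trigger source aborts before any package is touched.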
Codecov Report: ✅ All modified and coverable lines are covered by tests.

```text
@@ Coverage Diff @@
##             main      #50   +/-   ##
=======================================
  Coverage   79.11%   79.11%
=======================================
  Files         177      177
  Lines        3711     3711
  Branches      365      365
=======================================
  Hits         2936     2936
  Misses        774      774
  Partials        1        1
```
This pull request updates the `.github/scripts/bump-nuget.py` script to enhance how Codebelt-related NuGet package versions are managed, and bumps several third-party package versions in `Directory.Packages.props`. The script now sets triggered source packages to a specified version while updating all other Codebelt packages to their latest stable NuGet versions. It also improves package detection and adds support for additional Codebelt packages.

Enhancements to the NuGet bump script:

- `SOURCE_PACKAGE_MAP`, including `Codebelt.Extensions.Carter`, `Codebelt.Extensions.AspNetCore.Newtonsoft.Json`, `Codebelt.Extensions.AspNetCore.Text.Yaml`, and `Codebelt.SharedKernel`.

Package version bumps in `Directory.Packages.props`:

- `AWSSDK.SQS` to 4.0.2.15
- `AWSSDK.SimpleNotificationService` to 4.0.2.17
- `Azure.Identity` to 1.18.0
- `RabbitMQ.Client` to 7.2.1