
build(dotnet): add lock file support and centralize build props #557

Merged
Thorstein Løkensgard (loekensgard) merged 5 commits into intility:main from erlendellefsen:feat/dotnet-lock-files
Apr 9, 2026


@erlendellefsen Erlend Ellefsen (erlendellefsen) commented Mar 26, 2026

This is ported from how I solved lock files in https://github.com/intility/sec-center, adapted for the templates. This is my best solution so far. This should be properly tested and iterated on, just thought I could save you some time researching 😄


This adds lock file support so NuGet restores are reproducible in Linux container builds.

Directory.Build.props and Directory.Solution.targets are the natural place for this. MSBuild picks them up automatically for every project in the solution, so we don't have to repeat the same settings in each .csproj. The targets file handles the cross-platform problem: on macOS/Windows it re-runs restore targeting Linux after every normal restore, keeping the lock files in sync. This way you do not need to have three lock files per project, all kept in sync.

Test projects are opted out (RestorePackagesWithLockFile: false) since they're never published, so there's no point enforcing a lock file on them. This is also because Dependabot does not seem to support updating lock files in included projects. It could possibly be solved by utilizing central package management with a Directory.Packages.props file, but I have not tested this yet.

Also added NuGet audit. It runs on every restore, checks all packages against known CVEs, and warns on anything moderate or above. It will not fail any restores as TreatWarningsAsErrors is not enabled.


Some references:
NuGet/Home#9195
dotnet/sdk#14281
NuGet/Home#8287

@erlendellefsen
Contributor Author

For fully reproducible builds we should consider a global.json as well to pin the SDK? Example

Add RuntimeIdentifiers=linux-musl-x64 so NuGet always includes
linux-musl-x64 packages in the lock file regardless of the host
platform. Also pass lock file properties explicitly in
Directory.Solution.targets to handle initial creation on macOS.
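
A minimal Directory.Build.props covering the settings described in the opening comment and the commit message above, as an added illustration; it is not the file from this pull request. The property names are standard NuGet/MSBuild properties, while the NuGetAuditMode value and the CI-only RestoreLockedMode condition are assumptions the thread does not state.

```xml
<!-- Directory.Build.props: illustrative sketch, not the PR's actual file. -->
<Project>
  <PropertyGroup>
    <!-- Write and consume packages.lock.json for each project. -->
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>

    <!-- Always resolve the Linux container runtime graph, so the lock file
         carries linux-musl-x64 entries whatever the host OS is. -->
    <RuntimeIdentifiers>linux-musl-x64</RuntimeIdentifiers>

    <!-- Assumption: in CI, fail restore when the resolved graph differs from
         the committed lock file instead of silently rewriting it. -->
    <RestoreLockedMode Condition="'$(ContinuousIntegrationBuild)' == 'true'">true</RestoreLockedMode>
  </PropertyGroup>

  <PropertyGroup>
    <!-- Audit packages on every restore against known vulnerability advisories. -->
    <NuGetAudit>true</NuGetAudit>
    <!-- Assumption: "all" audits transitive packages as well as direct ones. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Report moderate severity and above (warnings NU1902 to NU1904). -->
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
    <!-- TreatWarningsAsErrors stays unset: findings warn, restore still succeeds. -->
  </PropertyGroup>

  <!-- Opt-out described in the opening comment, placed in a test project's
       own .csproj:
       <RestorePackagesWithLockFile>false</RestorePackagesWithLockFile> -->
</Project>
```

The one-off command-line equivalent of the locked-mode property is `dotnet restore --locked-mode`.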

Erlend Ellefsen (erlendellefsen) commented Apr 8, 2026

Thorstein Løkensgard (@loekensgard)
Fixed the test project issue. This change makes it so you cannot generate new lock files with just dotnet restore if you for some reason delete them. I added a small note about it 4db6bcd

Member


LGTM when we have added a link to the documentation 👍🏼

Comment thread docusaurus/dotnet/4-setup/1-create-project.mdx
@loekensgard Thorstein Løkensgard (loekensgard) merged commit 6560677 into intility:main Apr 9, 2026
1 check passed