build(dotnet): add lock file support and centralize build props#557
Merged
Thorstein Løkensgard (loekensgard) merged 5 commits intointility:mainfrom Apr 9, 2026
Merged
Conversation
Contributor
Author
|
For fully-reproducable builds we should consider a |
Add RuntimeIdentifiers=linux-musl-x64 so NuGet always includes linux-musl-x64 packages in the lock file regardless of the host platform. Also pass lock file properties explicitly in Directory.Solution.targets to handle initial creation on macOS.
…oss-platform restore
Contributor
Author
|
Thorstein Løkensgard (@loekensgard) |
Thorstein Løkensgard (loekensgard)
approved these changes
Apr 9, 2026
Member
Thorstein Løkensgard (loekensgard)
left a comment
Thorstein Løkensgard (loekensgard)
left a comment
There was a problem hiding this comment.
LGTM when we have added a link to the documentation 👍🏼
Thorstein Løkensgard (loekensgard)
merged commit 6560677
into
intility:main
1 check passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is ported from how I solved lock files in https://github.com/intility/sec-center, adapted for the templates. This is my best solution so far. This should be properly tested and iterated on, just thought i could save you some time researching 😄
This adds lock file support so NuGet restores are reproducible in Linux container builds.
Directory.Build.propsandDirectory.Solution.targetsare the natural place for this. MSBuild picks them up automatically for every project in the solution, so we don't have to repeat the same settings in each.csproj. The targets file handles the cross-platform problem: on macOS/Windows it re-runs restore targeting Linux after every normal restore, keeping the lock files in sync. This way you do not need to have three lock files per project, all kept in sync.Test projects are opted out (
RestorePackagesWithLockFile: false) since they're never published, so there's no point enforcing a lock file on them. This is also because dependabot does not seem to support updating lock files in included projects. I could possibly be solved by utilizing central package management with aDirectory.Packages.propsfile, but i have not tested this yet.Also added NuGet audit. It runs on every restore, checks all packages against known CVEs, and warns on anything moderate or above. It will not fail any restores as
TreatWarningsAsErrorsis not enabledSome references:
NuGet/Home#9195
dotnet/sdk#14281
NuGet/Home#8287