Republish on dependency bumps; harden configure.sh#211
Merged
Conversation
Bring repo-config in line with the hardened canonical: ruleset_id distinguishes an absent ruleset from a real API error (lets gh surface its own stderr, returns non-zero instead of a silent set -e abort), uses jq --arg, selects the first match inside jq (pipefail-safe), and pages the lookup (per_page=100). The repo-config README states the actual branch cleanup (auto-delete off so a develop -> main promotion does not delete develop; merged bot/feature branches are cleaned up manually). Also aligns the validate/test-pr task comments to the terse canonical form. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add Directory.Packages.props to the publisher's shipped-input paths. A NuGet version cannot be re-pushed, so (unlike a Docker image with a weekly base refresh) the only way the published package's declared dependencies get a security/patch update is to republish when a dependency bumps. GitHub-Actions bumps stay excluded - they do not ship in the package. Update WORKFLOW.md (glossary, D4.1, D8.2, 5A audit, S11) and AGENTS.md to match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the repo’s CI/publish contract so dependency bumps trigger a republish (to keep NuGet dependency constraints current), and hardens the repo-config configuration script for more reliable auditing/apply behavior.
Changes:
- Treat
Directory.Packages.propsas a shipped input so merges that bump dependencies auto-publish onmain/develop. - Harden
repo-config/configure.sh(ruleset lookup paging/error behavior, jq safety, explicit “no linear history” assertion formain, improved secrets audit behavior). - Adjust CI workflows: skip jobs on branch-deletion push events; simplify workflow lint step configuration.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| WORKFLOW.md | Documents dependency-bump republish behavior and updates the shipped-input inclusion list. |
| AGENTS.md | Updates the “merging releases” guidance to include dependency bumps as shipped inputs. |
| .github/workflows/publish-release.yml | Adds Directory.Packages.props to the publish on.push.paths inclusion list. |
| .github/workflows/test-pull-request.yml | Skips CI jobs on branch-deletion push events to avoid all-zero SHA failures. |
| .github/workflows/validate-task.yml | Simplifies the actionlint step configuration. |
| repo-config/configure.sh | Hardens repo configuration auditing/apply logic and adds jq_lacks. |
| repo-config/README.md | Clarifies branch auto-delete behavior and cleanup expectations. |
jq_lacks now propagates a real jq error (exit >1) instead of treating it as "lacks", so a malformed filter/input fails the assert loudly rather than passing. check_secrets stops suppressing gh's stderr (so the API/auth failure cause is visible, like ruleset_id) and its comment matches the actual fail-fast behavior. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This repo's merge-bot merges with `gh pr merge --delete-branch`, so merged bot branches ARE deleted (verified: no leftover dependabot/* branches). Distinguish the repo-wide auto-delete setting (off, so a develop -> main promotion does not delete develop) from the explicit per-merge deletion the merge-bot/maintainer performs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 29, 2026
ptr727
added a commit
that referenced
this pull request
Jun 29, 2026
Capture jq's exit code with `|| rc=$?` (a list is exempt from errexit) so an exit-1 no-match returns 'lacks' rather than risking a `set -e` abort outside a conditional, while still propagating a real jq error (>1). Verified under `set -euo pipefail` for match / no-match / jq-error. Follow-up to PR #211. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727
added a commit
that referenced
this pull request
Jun 29, 2026
WORKFLOW.md said validate/smoke-build run unconditionally, but they carry a `!github.event.deleted` guard. Note the branch-deletion exception in the architecture section, D1.1, and the 5A audit, and add scenario S16. Follow-up to #211/#212. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727
added a commit
that referenced
this pull request
Jun 29, 2026
ptr727
added a commit
that referenced
this pull request
Jun 29, 2026
ptr727
added a commit
that referenced
this pull request
Jun 29, 2026
This was referenced Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Keeps the push-self-publish model (correct for NuGet - there is no Docker-style refresh, and a NuGet version can't be re-pushed) and closes the stale-dependency window, plus brings repo-config in line with the hardened canonical.
Dependency currency
A NuGet package's declared dependencies only update when a new version is published. With no scheduled rebuild possible, a merged dependency bump must republish or the package keeps shipping old/vulnerable dependency constraints. So
Directory.Packages.propsis now a shipped input: a dependency bump on main/develop auto-publishes that branch, keeping the package current. GitHub-Actions bumps stay excluded (they do not ship in the package).Trade-off (accepted): because versions are centrally managed, a test/codegen dependency bump (e.g.
xunit.v3) also republishes even though it does not ship - cheap version churn in exchange for never shipping a stale dependency. (The shipped library has effectively one runtime dependency,Microsoft.Extensions.Logging.Abstractions.)WORKFLOW.md (glossary, D4.1, D8.2, 5A audit, S11) and AGENTS.md updated to match.
repo-config hardening
configure.shruleset_iddistinguishes an absent ruleset from a real API error (lets gh surface its stderr; returns non-zero instead of a silentset -eabort), usesjq --arg, selects the first match inside jq (pipefail-safe), and pages the lookup (per_page=100). The repo-config README states the actual branch cleanup (auto-delete off so adevelop -> mainpromotion does not deletedevelop; merged bot/feature branches cleaned up manually). Task comments aligned to the terse canonical form.Verification
actionlint, markdownlint, shellcheck,
bash -nclean; EOL preserved.