Skip to content

Republish on dependency bumps; harden configure.sh#211

Merged
ptr727 merged 4 commits into
developfrom
feature/publish-dep-currency
Jun 29, 2026
Merged

Republish on dependency bumps; harden configure.sh#211
ptr727 merged 4 commits into
developfrom
feature/publish-dep-currency

Conversation

@ptr727

@ptr727 ptr727 commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Keeps the push-self-publish model (correct for NuGet - there is no Docker-style refresh, and a NuGet version can't be re-pushed) and closes the stale-dependency window, plus brings repo-config in line with the hardened canonical.

Dependency currency

A NuGet package's declared dependencies only update when a new version is published. With no scheduled rebuild possible, a merged dependency bump must republish or the package keeps shipping old/vulnerable dependency constraints. So Directory.Packages.props is now a shipped input: a dependency bump on main/develop auto-publishes that branch, keeping the package current. GitHub-Actions bumps stay excluded (they do not ship in the package).

Trade-off (accepted): because versions are centrally managed, a test/codegen dependency bump (e.g. xunit.v3) also republishes even though it does not ship - cheap version churn in exchange for never shipping a stale dependency. (The shipped library has effectively one runtime dependency, Microsoft.Extensions.Logging.Abstractions.)

WORKFLOW.md (glossary, D4.1, D8.2, 5A audit, S11) and AGENTS.md updated to match.

repo-config hardening

configure.sh ruleset_id distinguishes an absent ruleset from a real API error (lets gh surface its stderr; returns non-zero instead of a silent set -e abort), uses jq --arg, selects the first match inside jq (pipefail-safe), and pages the lookup (per_page=100). The repo-config README states the actual branch cleanup (auto-delete off so a develop -> main promotion does not delete develop; merged bot/feature branches cleaned up manually). Task comments aligned to the terse canonical form.

Verification

actionlint, markdownlint, shellcheck, bash -n clean; EOL preserved.

ptr727 and others added 2 commits June 28, 2026 17:43
Bring repo-config in line with the hardened canonical: ruleset_id distinguishes an absent
ruleset from a real API error (lets gh surface its own stderr, returns non-zero instead of
a silent set -e abort), uses jq --arg, selects the first match inside jq (pipefail-safe),
and pages the lookup (per_page=100). The repo-config README states the actual branch
cleanup (auto-delete off so a develop -> main promotion does not delete develop; merged
bot/feature branches are cleaned up manually). Also aligns the validate/test-pr task
comments to the terse canonical form.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add Directory.Packages.props to the publisher's shipped-input paths. A NuGet version
cannot be re-pushed, so (unlike a Docker image with a weekly base refresh) the only way the
published package's declared dependencies get a security/patch update is to republish when
a dependency bumps. GitHub-Actions bumps stay excluded - they do not ship in the package.
Update WORKFLOW.md (glossary, D4.1, D8.2, 5A audit, S11) and AGENTS.md to match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 29, 2026 00:44

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the repo’s CI/publish contract so dependency bumps trigger a republish (to keep NuGet dependency constraints current), and hardens the repo-config configuration script for more reliable auditing/apply behavior.

Changes:

  • Treat Directory.Packages.props as a shipped input so merges that bump dependencies auto-publish on main/develop.
  • Harden repo-config/configure.sh (ruleset lookup paging/error behavior, jq safety, explicit “no linear history” assertion for main, improved secrets audit behavior).
  • Adjust CI workflows: skip jobs on branch-deletion push events; simplify workflow lint step configuration.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
WORKFLOW.md Documents dependency-bump republish behavior and updates the shipped-input inclusion list.
AGENTS.md Updates the “merging releases” guidance to include dependency bumps as shipped inputs.
.github/workflows/publish-release.yml Adds Directory.Packages.props to the publish on.push.paths inclusion list.
.github/workflows/test-pull-request.yml Skips CI jobs on branch-deletion push events to avoid all-zero SHA failures.
.github/workflows/validate-task.yml Simplifies the actionlint step configuration.
repo-config/configure.sh Hardens repo configuration auditing/apply logic and adds jq_lacks.
repo-config/README.md Clarifies branch auto-delete behavior and cleanup expectations.

Comment thread repo-config/configure.sh Outdated
Comment thread repo-config/configure.sh Outdated
Comment thread repo-config/configure.sh Outdated
jq_lacks now propagates a real jq error (exit >1) instead of treating it as "lacks", so a
malformed filter/input fails the assert loudly rather than passing. check_secrets stops
suppressing gh's stderr (so the API/auth failure cause is visible, like ruleset_id) and its
comment matches the actual fail-fast behavior.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Comment thread repo-config/README.md Outdated
This repo's merge-bot merges with `gh pr merge --delete-branch`, so merged bot branches ARE
deleted (verified: no leftover dependabot/* branches). Distinguish the repo-wide auto-delete
setting (off, so a develop -> main promotion does not delete develop) from the explicit
per-merge deletion the merge-bot/maintainer performs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

@ptr727 ptr727 merged commit 8b3a0cf into develop Jun 29, 2026
11 checks passed
@ptr727 ptr727 deleted the feature/publish-dep-currency branch June 29, 2026 00:57
ptr727 added a commit that referenced this pull request Jun 29, 2026
Capture jq's exit code with `|| rc=$?` (a list is exempt from errexit)
so an exit-1 no-match returns 'lacks' rather than risking a `set -e`
abort outside a conditional, while still propagating a real jq error
(>1). Verified under `set -euo pipefail` for match / no-match /
jq-error. Follow-up to PR #211.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727 added a commit that referenced this pull request Jun 29, 2026
Narrow the publish-release header comment - a package-version
(Directory.Packages.props) bump republishes; only a GitHub-Actions
Dependabot bump does not. Follow-up to #211/#212.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727 added a commit that referenced this pull request Jun 29, 2026
WORKFLOW.md said validate/smoke-build run unconditionally, but they
carry a `!github.event.deleted` guard. Note the branch-deletion
exception in the architecture section, D1.1, and the 5A audit, and add
scenario S16. Follow-up to #211/#212.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727 added a commit that referenced this pull request Jun 29, 2026
checkout/build fail -> fails. Follow-up to #211/#212.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727 added a commit that referenced this pull request Jun 29, 2026
Section 0's model-at-a-glance omitted package versions from the
shipped-input list (the glossary/D4.1 include them). Add it. Follow-up
to #211/#212.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ptr727 added a commit that referenced this pull request Jun 29, 2026
The on.push.paths inclusion list is below the header comment; change
'add a path above' to 'add a path to that list'. Follow-up to #211/#212.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants