Skip to content

Promote develop to main: dependency-currency publish + configure.sh hardening#212

Merged
ptr727 merged 7 commits into
mainfrom
develop
Jun 29, 2026
Merged

Promote develop to main: dependency-currency publish + configure.sh hardening#212
ptr727 merged 7 commits into
mainfrom
develop

Conversation

@ptr727

@ptr727 ptr727 commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Promotes PR #211 from develop to main.

What lands on main

  • Dependency currency: Directory.Packages.props is now a shipped input, so a merged dependency bump republishes and the published package's declared dependencies stay current (a NuGet version can't be re-pushed, so there's no Docker-style refresh). GitHub-Actions bumps stay excluded. WORKFLOW.md/AGENTS.md updated.
  • configure.sh hardening: ruleset_id (error-distinction, jq --arg, pipefail-safe, per_page=100), jq_lacks (propagates real jq errors), check_secrets (surfaces gh's stderr, accurate comment).
  • repo-config README states the actual branch cleanup (auto-delete setting off to protect develop; merge-bot deletes bot branches with --delete-branch).

Standard promotion PR with review (no admin bypass). No library code change.

Keeps the push-self-publish model (correct for NuGet - there is no
Docker-style refresh, and a NuGet version can't be re-pushed) and closes
the stale-dependency window, plus brings repo-config in line with the
hardened canonical.

## Dependency currency

A NuGet package's declared dependencies only update when a new version
is published. With no scheduled rebuild possible, a merged dependency
bump must republish or the package keeps shipping old/vulnerable
dependency constraints. So **`Directory.Packages.props` is now a shipped
input**: a dependency bump on main/develop auto-publishes that branch,
keeping the package current. GitHub-Actions bumps stay excluded (they do
not ship in the package).

Trade-off (accepted): because versions are centrally managed, a
test/codegen dependency bump (e.g. `xunit.v3`) also republishes even
though it does not ship - cheap version churn in exchange for never
shipping a stale dependency. (The shipped library has effectively one
runtime dependency, `Microsoft.Extensions.Logging.Abstractions`.)

WORKFLOW.md (glossary, D4.1, D8.2, 5A audit, S11) and AGENTS.md updated
to match.

## repo-config hardening

`configure.sh` `ruleset_id` distinguishes an absent ruleset from a real
API error (lets gh surface its stderr; returns non-zero instead of a
silent `set -e` abort), uses `jq --arg`, selects the first match inside
jq (pipefail-safe), and pages the lookup (`per_page=100`). The
repo-config README states the actual branch cleanup (auto-delete off so
a `develop -> main` promotion does not delete `develop`; merged
bot/feature branches cleaned up manually). Task comments aligned to the
terse canonical form.

## Verification

actionlint, markdownlint, shellcheck, `bash -n` clean; EOL preserved.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 29, 2026 00:57

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Promotes develop to main while updating the release trigger definition so dependency version bumps republish the NuGet package, and hardens repo-config/configure.sh plus a few CI/documentation adjustments.

Changes:

  • Treat Directory.Packages.props as a shipped input (docs + publish workflow path filter) so dependency bumps republish and keep declared dependencies current.
  • Harden repo-config/configure.sh around ruleset lookup, jq error handling, and secrets listing behavior.
  • CI/docs tweaks: skip PR test workflow jobs on branch-deletion pushes; simplify actionlint step configuration and refresh related documentation text.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
WORKFLOW.md Updates shipped-input definition and operational guarantees to include Directory.Packages.props and explain the republish rationale.
repo-config/README.md Clarifies branch deletion behavior (repo setting off; explicit per-merge deletion instead).
repo-config/configure.sh Hardens ruleset lookup, adds jq_lacks, and improves secrets-check error reporting.
AGENTS.md Updates merge/release guidance to reflect dependency bumps now triggering publish.
.github/workflows/validate-task.yml Simplifies workflow-lint step configuration for actionlint.
.github/workflows/test-pull-request.yml Skips reusable-workflow jobs (and the status aggregator) on deleted-branch push events.
.github/workflows/publish-release.yml Adds Directory.Packages.props to the shipped-input on.push.paths trigger and updates comments accordingly.

Comment thread repo-config/configure.sh Outdated
Capture jq's exit code with `|| rc=$?` (a list is exempt from errexit)
so an exit-1 no-match returns 'lacks' rather than risking a `set -e`
abort outside a conditional, while still propagating a real jq error
(>1). Verified under `set -euo pipefail` for match / no-match /
jq-error. Follow-up to PR #211.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/publish-release.yml Outdated
Narrow the publish-release header comment - a package-version
(Directory.Packages.props) bump republishes; only a GitHub-Actions
Dependabot bump does not. Follow-up to #211/#212.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/test-pull-request.yml Outdated
WORKFLOW.md said validate/smoke-build run unconditionally, but they
carry a `!github.event.deleted` guard. Note the branch-deletion
exception in the architecture section, D1.1, and the 5A audit, and add
scenario S16. Follow-up to #211/#212.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/test-pull-request.yml Outdated
checkout/build fail -> fails. Follow-up to #211/#212.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Comment thread WORKFLOW.md
Section 0's model-at-a-glance omitted package versions from the
shipped-input list (the glossary/D4.1 include them). Add it. Follow-up
to #211/#212.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

.github/workflows/validate-task.yml:73

  • The actionlint step no longer pins the underlying actionlint binary version (the version input was removed). Per raven-actions/actionlint docs, omitting version defaults to latest, which makes lint results non-reproducible and can cause CI to change behavior without a repo change. Pin version to a specific actionlint release and bump it intentionally alongside the action SHA.
      - name: Lint workflows step
        uses: raven-actions/actionlint@3d39aea434753780c3b3d4a1a31c854b4dbf49d7 # v2.2.0

Comment thread .github/workflows/publish-release.yml Outdated
The on.push.paths inclusion list is below the header comment; change
'add a path above' to 'add a path to that list'. Follow-up to #211/#212.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

@ptr727 ptr727 merged commit db387ac into main Jun 29, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants