Conversation
Keeps the push-self-publish model (correct for NuGet - there is no Docker-style refresh, and a NuGet version can't be re-pushed) and closes the stale-dependency window, plus brings repo-config in line with the hardened canonical. ## Dependency currency A NuGet package's declared dependencies only update when a new version is published. With no scheduled rebuild possible, a merged dependency bump must republish or the package keeps shipping old/vulnerable dependency constraints. So **`Directory.Packages.props` is now a shipped input**: a dependency bump on main/develop auto-publishes that branch, keeping the package current. GitHub-Actions bumps stay excluded (they do not ship in the package). Trade-off (accepted): because versions are centrally managed, a test/codegen dependency bump (e.g. `xunit.v3`) also republishes even though it does not ship - cheap version churn in exchange for never shipping a stale dependency. (The shipped library has effectively one runtime dependency, `Microsoft.Extensions.Logging.Abstractions`.) WORKFLOW.md (glossary, D4.1, D8.2, 5A audit, S11) and AGENTS.md updated to match. ## repo-config hardening `configure.sh` `ruleset_id` distinguishes an absent ruleset from a real API error (lets gh surface its stderr; returns non-zero instead of a silent `set -e` abort), uses `jq --arg`, selects the first match inside jq (pipefail-safe), and pages the lookup (`per_page=100`). The repo-config README states the actual branch cleanup (auto-delete off so a `develop -> main` promotion does not delete `develop`; merged bot/feature branches cleaned up manually). Task comments aligned to the terse canonical form. ## Verification actionlint, markdownlint, shellcheck, `bash -n` clean; EOL preserved. --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Promotes develop to main while updating the release trigger definition so dependency version bumps republish the NuGet package, and hardens repo-config/configure.sh plus a few CI/documentation adjustments.
Changes:
- Treat
Directory.Packages.propsas a shipped input (docs + publish workflow path filter) so dependency bumps republish and keep declared dependencies current. - Harden
repo-config/configure.sharound ruleset lookup, jq error handling, and secrets listing behavior. - CI/docs tweaks: skip PR test workflow jobs on branch-deletion pushes; simplify actionlint step configuration and refresh related documentation text.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| WORKFLOW.md | Updates shipped-input definition and operational guarantees to include Directory.Packages.props and explain the republish rationale. |
| repo-config/README.md | Clarifies branch deletion behavior (repo setting off; explicit per-merge deletion instead). |
| repo-config/configure.sh | Hardens ruleset lookup, adds jq_lacks, and improves secrets-check error reporting. |
| AGENTS.md | Updates merge/release guidance to reflect dependency bumps now triggering publish. |
| .github/workflows/validate-task.yml | Simplifies workflow-lint step configuration for actionlint. |
| .github/workflows/test-pull-request.yml | Skips reusable-workflow jobs (and the status aggregator) on deleted-branch push events. |
| .github/workflows/publish-release.yml | Adds Directory.Packages.props to the shipped-input on.push.paths trigger and updates comments accordingly. |
Capture jq's exit code with `|| rc=$?` (a list is exempt from errexit) so an exit-1 no-match returns 'lacks' rather than risking a `set -e` abort outside a conditional, while still propagating a real jq error (>1). Verified under `set -euo pipefail` for match / no-match / jq-error. Follow-up to PR #211. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
WORKFLOW.md said validate/smoke-build run unconditionally, but they carry a `!github.event.deleted` guard. Note the branch-deletion exception in the architecture section, D1.1, and the 5A audit, and add scenario S16. Follow-up to #211/#212. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
.github/workflows/validate-task.yml:73
- The actionlint step no longer pins the underlying
actionlintbinary version (theversioninput was removed). Per raven-actions/actionlint docs, omittingversiondefaults tolatest, which makes lint results non-reproducible and can cause CI to change behavior without a repo change. Pinversionto a specific actionlint release and bump it intentionally alongside the action SHA.
- name: Lint workflows step
uses: raven-actions/actionlint@3d39aea434753780c3b3d4a1a31c854b4dbf49d7 # v2.2.0
This was referenced Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Promotes PR #211 from develop to main.
What lands on main
Directory.Packages.propsis now a shipped input, so a merged dependency bump republishes and the published package's declared dependencies stay current (a NuGet version can't be re-pushed, so there's no Docker-style refresh). GitHub-Actions bumps stay excluded. WORKFLOW.md/AGENTS.md updated.ruleset_id(error-distinction,jq --arg, pipefail-safe,per_page=100),jq_lacks(propagates real jq errors),check_secrets(surfaces gh's stderr, accurate comment).develop; merge-bot deletes bot branches with--delete-branch).Standard promotion PR with review (no admin bypass). No library code change.