build(dotnet): add lock file support and centralize build props#557
Open
erlendellefsen wants to merge 1 commit intointility:mainfrom
Open
build(dotnet): add lock file support and centralize build props#557erlendellefsen wants to merge 1 commit intointility:mainfrom
erlendellefsen wants to merge 1 commit intointility:mainfrom
Conversation
Author
|
For fully-reproducable builds we should consider a |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is ported from how I solved lock files in https://github.com/intility/sec-center, adapted for the templates. This is my best solution so far. This should be properly tested and iterated on, just thought i could save you some time researching 😄
This adds lock file support so NuGet restores are reproducible in Linux container builds.
Directory.Build.propsandDirectory.Solution.targetsare the natural place for this. MSBuild picks them up automatically for every project in the solution, so we don't have to repeat the same settings in each.csproj. The targets file handles the cross-platform problem: on macOS/Windows it re-runs restore targeting Linux after every normal restore, keeping the lock files in sync. This way you do not need to have three lock files per project, all kept in sync.Test projects are opted out (
RestorePackagesWithLockFile: false) since they're never published, so there's no point enforcing a lock file on them. This is also because dependabot does not seem to support updating lock files in included projects. I could possibly be solved by utilizing central package management with aDirectory.Packages.propsfile, but i have not tested this yet.Also added NuGet audit. It runs on every restore, checks all packages against known CVEs, and warns on anything moderate or above. It will not fail any restores as
TreatWarningsAsErrorsis not enabledSome references:
NuGet/Home#9195
dotnet/sdk#14281
NuGet/Home#8287