build: lock NuGet dependencies and pin the SDK via global.json#11
Conversation
Enable RestorePackagesWithLockFile so every project gets a committed packages.lock.json, pinning the full transitive graph (including the floating Hangfire 1.8.* references). Both workflows now restore with --locked-mode, so a missing or out-of-date lock fails the build and restores become reproducible. Pin the SDK in global.json (10.0.300, rollForward latestMinor) and install it in CI/CD via setup-dotnet's global-json-file instead of a floating 10.0.x, and cache NuGet keyed on the committed lock files. Add the dotnet-sdk Dependabot ecosystem so the global.json SDK version is kept current automatically; the existing nuget ecosystem already updates the new lock files.
|
Caution Review failedPull request was closed or merged during review 📝 WalkthroughWalkthroughThe PR introduces deterministic NuGet package restoration by pinning the .NET SDK to version 10.0.300 in ChangesReproducible NuGet restore and SDK pinning
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
What
Make restores reproducible and keep the toolchain current automatically.
RestorePackagesWithLockFileinDirectory.Build.props, generating a committedpackages.lock.jsonfor every project. This pins the full transitive graph, including the floatingHangfire 1.8.*references.--locked-mode, which fails the build if any lock file is missing or out of date.global.json(10.0.300,rollForward: latestMinor) and install it viasetup-dotnet'sglobal-json-fileinstead of a floating10.0.x. NuGet is cached keyed on the committed lock files (cache-dependency-path: '**/packages.lock.json').global.json. Add thedotnet-sdkDependabot ecosystem so the pinned SDK version is bumped automatically. The existingnugetecosystem already refreshes the new lock files.Why
10.0.xSDK and floating package versions made builds non-deterministic across machines and over time. Lock files + a pinned SDK give reproducible restores; Dependabot keeps both current without manual edits.Reviewer notes
rollForward: latestMinorkeeps CI on the exact pinned patch (installed bysetup-dotnet) while letting local contributors build with any newer .NET 10 SDK they have.PackageReferencechange is a plaindotnet restore, then commit the updatedpackages.lock.jsonfiles (documented inDirectory.Build.props).NuGetAuditSuppress(transitiveNewtonsoft.Jsonadvisory) still applies; audit stays active for everything else.dotnet restore --locked-mode+dotnet build -c Release --no-restore→ 0 warnings, 0 errors.